diff --git a/docs/macro_conversion_guide b/docs/macro_conversion_guide
index 871d4dc..3376e2a 100644
--- a/docs/macro_conversion_guide
+++ b/docs/macro_conversion_guide
@@ -31,7 +31,7 @@ auth_domtrans_chk_passwd($1)
 # daemon: complete
 #
 optional_policy(`nscd',`
-	nscd_use_socket($1)
+	nscd_socket_use($1)
 ')
 
 #
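Review bot: The context line ``optional_policy(`nscd',` `` keeps the two-argument form (module name as first argument) while the identical nscd block in the nscd_client_domain section of this same commit is rewritten to the one-argument ``optional_policy(` `` form, so the guide now shows two spellings for the same call. If the one-argument form is the current syntax, this block and the second ``optional_policy(`nscd',` `` context line further down the file should be converted too, e.g. ``optional_policy(` `` / ``	nscd_socket_use($1)`` / ``')``. A conversion guide is what gets pasted into new policy modules, so a mixed form here propagates into real policy.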
@@ -45,6 +45,11 @@ domain_type($1)
 # handled by appropriate interfaces
 
 #
+# exec_type: complete
+#
+corecmd_executable_file($1)
+
+#
 # file_type: complete
 #
 files_type($1)
@@ -119,19 +124,19 @@ optional_policy(`arpwatch',`
 		dontaudit mta_user_agent arpwatch_t:packet_socket { read write };
 	')
 ')
-optional_policy(`cron',`
+optional_policy(`
 	cron_sigchld($1)
 	cron_read_system_job_tmp_files($1)
 ')
-optional_policy(`logrotate',`
+optional_policy(`
 	logrotate_read_tmp_files($1)
 ')
 
 #
 # nscd_client_domain: complete
 #
-optional_policy(`nscd',`
-	nscd_use_socket($1)
+optional_policy(`
+	nscd_socket_use($1)
 ')
 
 #
@@ -142,9 +147,7 @@ domain_interactive_fd($1)
 #
 # privlog: complete
 #
-optional_policy(`logging',`
-	logging_send_syslog_msg($1)
-')
+logging_send_syslog_msg($1)
 
 #
 # privmail: complete
@@ -367,9 +370,7 @@ term_create_pty($1_t,$1_devpts_t)
 #
 # can_exec_any(): complete
 #
-corecmd_exec_bin($1)
-corecmd_exec_sbin($1)
-domain_exec_all_entry_files($1)
+corecmd_exec_all_executables($1)
 files_exec_etc_files($1)
 libs_use_ld_so($1)
 libs_use_shared_libs($1)
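Review bot: The single `corecmd_exec_all_executables($1)` now also replaces `domain_exec_all_entry_files($1)`, which is only equivalent if every domain entry-point file carries the attribute that interface targets; the `exec_type: complete` entry added earlier in this commit suggests that attribute is assigned through `corecmd_executable_file`, but an entry type labelled without it would silently lose execute permission after conversion, which is a hard-to-diagnose breakage rather than an over-grant. Because can_exec_any() is a deliberately broad permission, a one-line caveat would stop converters from treating the new call as an unconditional drop-in: `# covers bin/sbin and domain entry files via exec_type; entry types not marked with corecmd_executable_file need their own rule`. The can_exec_any() section may continue past the end of the hunk.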
@@ -643,11 +644,6 @@ sysnet_read_config($1)
 allow $1 $2:dir { search getattr read };
 allow $1 $2:{ file lnk_file } { read getattr };
 allow $1 $2:process getattr;
-# We need to suppress this denial because procps tries to access
-# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-# running in a privileged domain.
-dontaudit $1 $2:process ptrace;
 
 #
 # can_ptrace():
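Review bot: The `dontaudit $1 $2:process ptrace;` line is removed together with its explanation, but nothing in the hunk records whether the procps /proc/pid/environ denial it suppressed is now handled elsewhere or is meant to surface. Dropping a dontaudit changes only audit visibility, not access, so enforcement is unaffected; if the kernel check described in the removed comment still applies, every `ps` run in the converted policy will log an AVC denial, which is the kind of steady noise that trains operators to ignore real denials. A replacement line stating the decision would keep that from being rediscovered by each converter, e.g. `# no ptrace dontaudit here: the procps /proc/pid/environ denial is intentionally left visible; suppress it in the calling module if needed`. The macro this section belongs to starts before the hunk.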
@@ -787,24 +783,24 @@ kernel_list_proc($1_t)
 kernel_read_proc_symlinks($1_t)
 kernel_read_kernel_sysctls($1_t)
 dev_read_sysfs($1_t)
+domain_use_interactive_fds($1_t)
 fs_search_auto_mountpoints($1_t)
 term_dontaudit_use_console($1_t)
-domain_use_interactive_fds($1_t)
 init_use_fds($1_t)
-init_use_script_pty($1_t)
+init_use_script_ptys($1_t)
 libs_use_ld_so($1_t)
 libs_use_shared_libs($1_t)
 logging_send_syslog_msg($1_t)
 userdom_dontaudit_use_unpriv_user_fds($1_t)
 ifdef(`targeted_policy',`
-	term_dontaudit_use_unallocated_tty($1_t)
-	term_dontaudit_use_generic_pty($1_t)
+	term_dontaudit_use_unallocated_ttys($1_t)
+	term_dontaudit_use_generic_ptys($1_t)
 	files_dontaudit_read_root_files($1_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 	seutil_sigchld_newrole($1_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 	udev_read_db($1_t)
 ')
 
@@ -820,32 +816,32 @@ dontaudit $1_t self:capability sys_tty_config;
 allow $1_t self:process signal_perms;
 allow $1_t $1_var_run_t:file create_file_perms;
 allow $1_t $1_var_run_t:dir rw_dir_perms;
-files_pid_filetrans($1_t,$1_var_run_t)
+files_pid_filetrans($1_t,$1_var_run_t,file)
 kernel_read_kernel_sysctls($1_t)
 kernel_list_proc($1_t)
 kernel_read_proc_symlinks($1_t)
 dev_read_sysfs($1_t)
+domain_use_interactive_fds($1_t)
 fs_getattr_all_fs($1_t)
 fs_search_auto_mountpoints($1_t)
 term_dontaudit_use_console($1_t)
-domain_use_interactive_fds($1_t)
 init_use_fds($1_t)
-init_use_script_pty($1_t)
+init_use_script_ptys($1_t)
 libs_use_ld_so($1_t)
 libs_use_shared_libs($1_t)
 logging_send_syslog_msg($1_t)
 miscfiles_read_localization($1_t)
 userdom_dontaudit_use_unpriv_user_fds($1_t)
 userdom_dontaudit_search_sysadm_home_dirs($1_t)
-ifdef(`targeted_policy', `
-	term_dontaudit_use_unallocated_tty($1_t)
-	term_dontaudit_use_generic_pty($1_t)
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys($1_t)
+	term_dontaudit_use_generic_ptys($1_t)
 	files_dontaudit_read_root_files($1_t)
 ')
-optional_policy(`selinuxutil',`
+optional_policy(`
 	seutil_sigchld_newrole($1_t)
 ')
-optional_policy(`udev',`
+optional_policy(`
 	udev_read_db($1_t)
 ')
 
@@ -1044,7 +1040,7 @@ optional_policy(`nis',`
 	nis_use_ypbind($1_t)
 ')
 optional_policy(`nscd',`
-	nscd_use_socket($1_t)
+	nscd_socket_use($1_t)
 ')
 
 #
@@ -1060,7 +1056,7 @@ libs_legacy_use_ld_so($1_t)
 type $1_lock_t;
 files_lock_file($1_lock_t)
 allow $1_t $1_lock_t:file create_file_perms;
-files_lock_filetrans($1_t,$1_lock_t)
+files_lock_filetrans($1_t,$1_lock_t,file)
 
 #
 # log_domain(): complete
@@ -1068,7 +1064,7 @@ files_lock_filetrans($1_t,$1_lock_t)
 type $1_log_t;
 logging_log_file($1_log_t)
 allow $1_t $1_log_t:file create_file_perms;
-logging_log_filetrans($1_t,$1_log_t)
+logging_log_filetrans($1_t,$1_log_t,file)
 
 #
 # logdir_domain(): complete
@@ -1230,7 +1226,7 @@ type $1_var_lib_t;
 files_type($1_var_lib_t)
 allow $1_t $1_var_lib_t:file create_file_perms;
 allow $1_t $1_var_lib_t:dir rw_dir_perms;
-files_var_lib_filetrans($1_t,$1_var_lib_t)
+files_var_lib_filetrans($1_t,$1_var_lib_t,file)
 
 #
 # var_run_domain($1): complete
@@ -1239,7 +1235,7 @@ type $1_var_run_t;
 files_pid_file($1_var_run_t)
 allow $1_t $1_var_run_t:file create_file_perms;
 allow $1_t $1_var_run_t:dir rw_dir_perms;
-files_pid_filetrans($1_t,$1_var_run_t)
+files_pid_filetrans($1_t,$1_var_run_t,file)
 
 #
 # var_run_domain($1,$2): complete
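Review bot: The `files_pid_filetrans($1_t,$1_var_run_t,file)` transition is now restricted to the `file` class, which matches the `create_file_perms` granted on the file class two lines above, but it means a daemon that creates a unix socket or a subdirectory under /var/run gets no transition and, since only `rw_dir_perms` is granted on the directory, no permission either; anything it does manage to create stays in the parent pid type. That is the safe default, yet the guide should state it so converters do not assume var_run_domain() covers sockets: `# file class only: daemons that create sock_file or dir objects in /var/run need those classes here plus matching allow rules`. The var_run_domain($1,$2) section that starts on the last line continues outside the hunk.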
diff --git a/mls/COPYING b/mls/COPYING
deleted file mode 100644
index 5b6e7c6..0000000
--- a/mls/COPYING
+++ /dev/null
@@ -1,340 +0,0 @@
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-			    Preamble
-
-  The licenses for most software are designed to take away your
-freedom to share and change it.  By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users.  This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
-  To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have.  You must make sure that they, too, receive or can get the
-source code.  And you must show them these terms so they know their
-rights.
-
-  We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
-  Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software.  If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary.  To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License.  The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language.  (Hereinafter, translation is included without limitation in
-the term "modification".)  Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope.  The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
-  1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
-  2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
-    a) You must cause the modified files to carry prominent notices
-    stating that you changed the files and the date of any change.
-
-    b) You must cause any work that you distribute or publish, that in
-    whole or in part contains or is derived from the Program or any
-    part thereof, to be licensed as a whole at no charge to all third
-    parties under the terms of this License.
-
-    c) If the modified program normally reads commands interactively
-    when run, you must cause it, when started running for such
-    interactive use in the most ordinary way, to print or display an
-    announcement including an appropriate copyright notice and a
-    notice that there is no warranty (or else, saying that you provide
-    a warranty) and that users may redistribute the program under
-    these conditions, and telling the user how to view a copy of this
-    License.  (Exception: if the Program itself is interactive but
-    does not normally print such an announcement, your work based on
-    the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole.  If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works.  But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
-  3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
-    a) Accompany it with the complete corresponding machine-readable
-    source code, which must be distributed under the terms of Sections
-    1 and 2 above on a medium customarily used for software interchange; or,
-
-    b) Accompany it with a written offer, valid for at least three
-    years, to give any third party, for a charge no more than your
-    cost of physically performing source distribution, a complete
-    machine-readable copy of the corresponding source code, to be
-    distributed under the terms of Sections 1 and 2 above on a medium
-    customarily used for software interchange; or,
-
-    c) Accompany it with the information you received as to the offer
-    to distribute corresponding source code.  (This alternative is
-    allowed only for noncommercial distribution and only if you
-    received the program in object code or executable form with such
-    an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it.  For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable.  However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
-  4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License.  Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
-  5. You are not required to accept this License, since you have not
-signed it.  However, nothing else grants you permission to modify or
-distribute the Program or its derivative works.  These actions are
-prohibited by law if you do not accept this License.  Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
-  6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions.  You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
-  7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all.  For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices.  Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
-  8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded.  In such case, this License incorporates
-the limitation as if written in the body of this License.
-
-  9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number.  If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
-  10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission.  For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this.  Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
-			    NO WARRANTY
-
-  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
-    Gnomovision version 69, Copyright (C) year name of author
-    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary.  Here is a sample; alter the names:
-
-  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
-  `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-  <signature of Ty Coon>, 1 April 1989
-  Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs.  If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
-Public License instead of this License.
diff --git a/mls/ChangeLog b/mls/ChangeLog
deleted file mode 100644
index a2f029b..0000000
--- a/mls/ChangeLog
+++ /dev/null
@@ -1,434 +0,0 @@
-1.27.3 2005-11-17
-	* Removed the seuser policy as suggested by Kevin Carr.
-	* Removed unnecessary allow rule concerning tmpfs_t in the squid
-	policy as suggested by Russell Coker.
-	* Merged a patch from Jonathan Kim which modified the restorecon policy
-	to use the secadmin attribute.
-	* Merged a patch from Dan Walsh.  Added avahi, exim, and yppasswdd
-	policies.  Added the unconfinedtrans attribute for domains that
-	can transistion to unconfined_t.  Added httpd_enable_ftp_server,
-	allow_postgresql_use_pam, pppd_can_insmod, and allow_gssd_read_tmp
-	booleans.  Created a $1_disable_trans boolean used in the
-	init_service_domain macro to specify whether init should
-	transition to a new domain when executing.  Included Chad Hanson's
-	patch which adds the mls* attributes to more domains and makes
-	other changes to support MLS.  Included Russell Coker's patch
-	which makes many changes to the sendmail policy.  Added rules to
-	allow initscripts to execute scripts that they generate.  Added
-	dbus support to the named policy.  Made other fixes and cleanups
-	to various policies including amanda, apache, bluetooth, pegasus,
-	postfix, pppd, and slapd.  Removed sendmail policy from targeted.
-1.27.2 2005-10-20
-	* Merged patch from Chad Hanson.  Modified MLS constraints.
-	Provided comments for the MLS attributes.
-	* Merged two patches from Thomas Bleher which made some minor
-	fixes and cleanups.
-	* Merged patches from Russell Coker. Added comments to some of the
-	MLS attributes.  Added the secure_mode_insmod boolean to determine
-	whether the system permits loading policy, setting enforcing mode,
-	and changing boolean values. Made minor fixes for the cdrecord_domain
-	macro, application_domain, newrole_domain, and daemon_base_domain
-	macros.  Added rules to allow the mail server to access the user
-	home directories in the targeted policy and allows the postfix
-	showq program to do DNS lookups.  Minor fixes for the MCS
-	policy.  Made other minor fixes and cleanups.
-	* Merged patch from Dan Walsh.  Added opencd, pegasus, readahead,
-	and roundup policies.  Created can_access_pty macro to handle pty
-	output.  Created nsswithch_domain macro for domains using
-	nsswitch.  Added mcs transition rules.  Removed mqueue and added
-	capifs genfscon entries.  Added dhcpd and pegasus ports.  Added
-	domain transitions from login domains to pam_console and alsa
-	domains.  Added rules to allow the httpd and squid domains to
-	relay more protocols.  For the targeted policy, removed sysadm_r
-	role from unconfined_t.  Made other fixes and cleanups.
-1.27.1 2005-09-15
-	* Merged small patches from Russell Coker for the apostrophe,
-	dhcpc, fsadm, and setfiles policy.
-	* Merged a patch from Russell Coker with some minor fixes to a
-	multitude of policy files.
-	* Merged patch from Dan Walsh from August 15th. Adds certwatch
-	policy.  Adds mcs support to Makefile.  Adds mcs file which
-	defines sensitivities and categories for the MSC policy.  Creates
-	an authentication_domain macro in global_macros.te for domains
-	that use pam_authentication.  Creates the anonymous_domain macro
-	so that the ftpd, rsync, httpd, and smbd domains can share the
-	ftpd_anon_t and ftpd_anon_rw_t types.  Removes netifcon rules to
-	start isolating individual ethernet devices.  Changes vpnc from a
-	daemon to an application_domain.  Adds audit_control capability to
-	crond_t.  Adds dac_override and dac_read_search capabilities to
-	fsadm_t to allow the manipulation of removable media.  Adds
-	read_sysctl macro to the base_passwd_domain macro.  Adds rules to
-	allow alsa_t to communicate with userspace.  Allows networkmanager
-	to communicate with isakmp_port and to use vpnc.  For targeted
-	policy, removes transitions of sysadm_t to apm_t, backup_t,
-	bootloader_t, cardmgr_t, clockspeed_t, hwclock_t, and kudzu_t.
-	Makes other minor cleanups and fixes.
-	
-1.26 2005-09-06
-	* Updated version for release.
-
-1.25.4 2005-08-10
-	* Merged small patches from Russell Coker for the restorecon,
-	kudzu, lvm, radvd, and spamassasin policies.
-	* Added fs_use_trans rule for mqueue from Mark Gebhart to support
-	the work he has done on providing SELinux support for mqueue.
-	* Merged a patch from Dan Walsh. Removes the user_can_mount
-	tunable.  Adds disable_evolution_trans and disable_thunderbird_trans
-	booleans.  Adds the nscd_client_domain attribute to insmod_t.
-	Removes the user_ping boolean from targeted policy.  Adds
-	hugetlbfs, inotifyfs, and mqueue filesystems to genfs_contexts.
-	Adds the isakmp_port for vpnc.  Creates the pptp daemon domain.
-	Allows getty to run sbin_t for pppd.  Allows initrc to write to
-	default_t for booting.  Allows Hotplug_t sys_rawio for prism54
-	card at boot.  Other minor fixes.
-
-1.25.3 2005-07-18
-	* Merged patch from Dan Walsh.  Adds auth_bool attribute to allow
-	domains to have read access to shadow_t.  Creates pppd_can_insmod
-	boolean to control the loading of modem kernel modules.  Allows
-	nfs to export noexattrfile types.  Allows unix_chpwd to access
-	cert files and random devices for encryption purposes.  Other
-	minor cleanups and fixes.
-
-1.25.2 2005-07-11
-	* Merged patch from Dan Walsh.  Added allow_ptrace boolean to
-	allow sysadm_t to ptrace and debug apps.  Gives auth_chkpwd the
-	audit_control and audit_write capabilities.  Stops targeted policy
-	from transitioning from unconfined_t to netutils.  Allows cupsd to
-	audit messages.  Gives prelink the execheap, execmem, and execstack
-	permissions by default.  Adds can_winbind boolean and functions to
-	better handle samba and winbind communications.  Eliminates
-	allow_execmod checks around texrel_shlib_t libraries.  Other minor
-	cleanups and fixes.
-	
-1.25.1 2005-07-05
-	* Moved role_tty_type_change, reach_sysadm, and priv_user macros
-	from user.te to user_macros.te as suggested by Steve.
-	* Modified admin_domain macro so autrace would work and removed
-	privuser attribute for dhcpc as suggested by Russell Coker.
-	* Merged rather large patch from Dan Walsh.  Moves
-	targeted/strict/mls policies closer together.  Adds local.te for
-	users to customize.  Includes minor fixes to auditd, cups,
-	cyrus_imapd, dhcpc, and dovecot.  Includes Russell Coker's patch
-	that defines all ports in network.te.  Ports are always defined
-	now, no ifdefs are used in network.te.  Also includes Ivan
-	Gyurdiev's user home directory policy patches.  These patches add
-	alsa, bonobo, ethereal, evolution, gconf, gnome, gnome_vfs,
-	iceauth, orbit, and thunderbird policy.  They create read_content,
-	write_trusted, and write_untrusted macros in content.te.  They
-	create network_home, write_network_home, read_network_home,
-	base_domain_ro_access, home_domain_access, home_domain, and
-	home_domain_ro macros in home_macros.te.  They also create
-	$3_read_content, $3_write_content, and write_untrusted booleans.
-	
-1.24 2005-06-20
-	* Updated version for release.
-
-1.23.18 2005-05-31
-	* Merged minor fixes to pppd.fc and courier.te by Russell Coker.
-	* Removed devfsd policy as suggested by Russell Coker.
-	* Merged patch from Dan Walsh.  Includes beginnings of Ivan
-	Gyurdiev's Font Config policy.  Don't transition to fsadm_t from
-	unconfined_t (sysadm_t) in targeted policy.  Add support for
-	debugfs in modutil.  Allow automount to create and delete
-	directories in /root and /home dirs.  Move can_ypbind to
-	chkpwd_macro.te.  Allow useradd to create additional files and
-	types via the skell mechanism.  Other minor cleanups and fixes.
-
-1.23.17 2005-05-23
-	* Merged minor fixes by Petre Rodan to the daemontools, dante,
-	gpg, kerberos, and ucspi-tcp policies.
-	* Merged minor fixes by Russell Coker to the bluetooth, crond,
-	initrc, postfix, and udev  policies.  Modifies constraints so that
-	newaliases can be run.  Modifies types.fc so that objects in
-	lost+found directories will not be relabled.
-	* Modified fc rules for nvidia.
-	* Added Chad Sellers policy for polyinstantiation support, which
-	creates the polydir, polyparent, and polymember attributes.  Also
-	added the support_polyinstantiation tunable.
-	* Merged patch from Dan Walsh.  Includes mount_point attribute,
-	read_font macros and some other policy fixes from Ivan Gyurdiev.
-	Adds privkmsg and secadmfile attributes and ddcprobe policy.
-	Removes the use_syslogng boolean.  Many other minor fixes.
-
-1.23.16 2005-05-13
-	* Added rdisc policy from Russell Coker.
-	* Merged minor fix to named policy by Petre Rodan.
-	* Merged minor fixes to policy from Russell Coker for kudzu,
-	named, screen, setfiles, telnet, and xdm.
-	* Merged minor fix to Makefile from Russell Coker.
-
-1.23.15 2005-05-06
-	* Added tripwire and yam policy from David Hampton.
-	* Merged minor fixes to amavid and a clarification to the
-	httpdcontent attribute comments from David Hampton.
-	* Merged patch from Dan Walsh.  Includes fixes for restorecon,
-	games, and postfix from Russell Coker.  Adds support for debugfs.
-	Restores support for reiserfs.  Allows udev to work with tmpfs_t
-	before /dev is labled.  Removes transition from sysadm_t
-	(unconfined_t) to ifconfig_t for the targeted policy.  Other minor
-	cleanups and fixes.
-
-1.23.14 2005-04-29
-	* Added afs policy from Andrew Reisse.
-	* Merged patch from Lorenzo Hernández García-Hierro which defines
-	execstack and execheap permissions.  The patch excludes these
-	permissions from general_domain_access and updates the macros for
-	X, legacy binaries, users, and unconfined domains.
-	* Added nlmsg_relay permisison where netlink_audit_socket class is
-	used.  Added nlmsg_readpriv permission to auditd_t and auditctl_t.
-	* Merged some minor cleanups from Russell Coker and David Hampton.
-	* Merged patch from Dan Walsh.  Many changes made to allow
-	targeted policy to run closer to strict and now almost all of
-	non-userspace is protected via SELinux.  Kernel is now in
-	unconfined_domain for targeted and runs as root:system_r:kernel_t.
-	Added transitionbool to daemon_sub_domain, mainly to turn off
-	httpd_suexec transitioning.  Implemented web_client_domain
-	name_connect rules.  Added yp support for cups.  Now the real
-	hotplug, udev, initial_sid_contexts are used for the targeted
-	policy.  Other minor cleanups and fixes.  Auditd fixes by Paul
-	Moore.
-
-1.23.13 2005-04-22
-	* Merged more changes from Dan Walsh to initrc_t for removal of
-	unconfined_domain.
-	* Merged Dan Walsh's split of auditd policy into auditd_t for the
-	audit daemon and auditctl_t for the autoctl program.
-	* Added use of name_connect to uncond_can_ypbind macro by Dan
-	Walsh.
-	* Merged other cleanup and fixes by Dan Walsh.
-
-1.23.12 2005-04-20
-	* Merged Dan Walsh's Netlink changes to handle new auditing pam
-	modules.
-	* Merged Dan Walsh's patch removing the sysadmfile attribute from
-	policy files to separate sysadm_t from secadm_t.
-	* Added CVS and uucpd policy from Dan Walsh.
-	* Cleanup by Dan Walsh to handle turning off unlimitedRC.
-	* Merged Russell Coker's fixes to ntpd, postgrey, and named
-	policy.
-	* Cleanup of chkpwd_domain and added permissions to su_domain
-	macro due to pam changes to support audit.
-	* Added nlmsg_relay and nlmsg_readpriv permissions to the
-	netlink_audit_socket class.
-
-1.23.11 2005-04-14
-	* Merged Dan Walsh's separation of the security manager and system
-	administrator.
-	* Removed screensaver.te as suggested by Thomas Bleher
-	* Cleanup of typealiases that are no longer used by Thomas Bleher.
-	* Cleanup of fc files and additional rules for SuSE by Thomas
-	Bleher.
-	* Merged changes to auditd and named policy by Russell Coker.
-	* Merged MLS change from Darrel Goeddel to support the policy
-	hierarchy patch.
-
-1.23.10 2005-04-08
-	* Removed pump.te, pump.fc, and targeted/domains/program/modutil.te
-
-1.23.9 2005-04-07
-	* Merged diffs from Dan Walsh.  Includes Ivan Gyurdiev's cleanup
-	of x_client apps.
-	* Added dmidecode policy from Ivan Gyurdiev.
-
-1.23.8 2005-04-05
-	* Added netlink_kobject_uevent_socket class.
-	* Removed empty files pump.te and pump.fc.
-	* Added NetworkManager policy from Dan Walsh.
-	* Merged Dan Walsh's major restructuring of Apache's policy.
-
-1.23.7 2005-04-04
-	* Merged David Hampton's amavis and clamav cleanups.
-	* Added David Hampton's dcc, pyzor, and razor policy.
-	
-1.23.6 2005-04-01
-	* Merged cleanup of the Makefile and other stuff from Dan Walsh.
-	Dan's patch includes some desktop changes from Ivan Gyurdiev.
-	* Merged Thomas Bleher's patches which increase the usage of
-	lock_domain() and etc_domain(), changes var_lib_DOMAIN_t usage to
-	DOMAIN_var_lib_t, and removes use of notdevfile_class_set where
-	possible. 
-	* Merged Greg Norris's cleanup of fetchmail.
-	
-1.23.5 2005-03-23
-	* Added name_connect support from Dan Walsh.
-	* Added httpd_unconfined_t from Dan Walsh.
-	* Merged cleanup of assert.te to allow unresticted full access
-	from Dan Walsh.
-	
-1.23.4 2005-03-21
-	* Merged diffs from Dan Walsh:  
-	* Cleanup of x_client_macro, tvtime, mozilla, and mplayer by Ivan 
-	Gyurdiev.  
-	* Added syslogng support to syslog.te.
-	
-1.23.3 2005-03-15
-	* Added policy for nx_server from Thomas Bleher.
-	* Added policies for clockspeed, daemontools, djbdns, ucspi-tcp, and
-	publicfile from Petre Rodan.
-	
-1.23.2 2005-03-14
-	* Merged diffs from Dan Walsh.  Dan's patch includes Ivan Gyurdiev's 
-	gift policy.
-	* Made sysadm_r the first role for root, so root's home will be labled 
-	as sysadm_home_dir_t instead of staff_home_dir_t.
-	* Modified fs_use and Makefile to reflect jfs now supporting security 
-	xattrs.
-
-1.23.1 2005-03-10
-	* Merged diffs from Dan Walsh.  Dan's patch includes Ivan
-	Gyurdiev's cleanup of homedir macros and more extensive use of
-	read_sysctl()
-
-1.22 2005-03-09
-	* Updated version for release.
-
-1.21 2005-02-24
-	* Added secure_file_type attribute from Dan Walsh
-	* Added access_terminal() macro from Ivan Gyurdiev
-	* Updated capability access vector for audit capabilities.
-	* Added mlsconvert Makefile target to help generate MLS policies
-	  (see selinux-doc/README.MLS for instructions).
-	* Changed policy Makefile to still generate policy.18 as well,
-	  and use it for make load if the kernel doesn't support 19.
-	* Merged enhanced MLS support from Darrel Goeddel (TCS).
-	* Merged diffs from Dan Walsh, Russell Coker, and Greg Norris.
-	* Merged man pages from Dan Walsh.
-	
-1.20 2005-01-04
-	* Merged diffs from Dan Walsh, Russell Coker, Thomas Bleher, and
-	Petre Rodan.
-	* Merged can_create() macro used for file_type_{,auto_}trans()
-	from Thomas Bleher.
-	* Merged dante and stunnel policy by Petre Rodan.
-	* Merged $1_file_type attribute from Thomas Bleher.
-	* Merged network_macros from Dan Walsh.
-
-1.18 2004-10-25
-	* Merged diffs from Russell Coker and Dan Walsh.
-	* Merged mkflask and mkaccess_vector patches from Ulrich Drepper.
-	* Added reserved_port_t type and portcon entries to map all other
-	  reserved ports to this type.
-	* Added distro_ prefix to distro tunables to avoid conflicts.
-	* Merged diffs from Russell Coker.
-
-1.16 2004-08-16
-	* Added nscd definitions.
-	* Converted many tunables to policy booleans.
-	* Added crontab permission.
-	* Merged diffs from Dan Walsh.
-	  This included diffs from Thomas Bleher, Russell Coker, and Colin Walters as well.
-	* Merged diffs from Russell Coker.
-	* Adjusted constraints for crond restart.
-	* Merged dbus/userspace object manager policy from Colin Walters.
-	* Merged dbus definitions from Matthew Rickard.
-	* Merged dnsmasq policy from Greg Norris.
-	* Merged gpg-agent policy from Thomas Bleher.
-
-1.14 2004-06-28
-	* Removed vmware-config.pl from vmware.fc.
-	* Added crond entry to root_default_contexts.
-	* Merged patch from Dan Walsh.
-	* Merged mdadm and postfix changes from Colin Walters.
-	* Merged reiserfs and rpm changes from Russell Coker.
-	* Merged runaway .* glob fix from Valdis Kletnieks.
-	* Merged diff from Dan Walsh.
-	* Merged fine-grained netlink classes and permissions.
-	* Merged changes for new /etc/selinux layout. 
-	* Changed mkaccess_vector.sh to provide stable order.
-	* Merged diff from Dan Walsh.
-	* Fix restorecon path in restorecon.fc.
-	* Merged pax class and access vector definition from Joshua Brindle.
-
-1.12 2004-05-12
-	* Added targeted policy.
-	* Merged atd/at into crond/crontab domains.
-	* Exclude bind mounts from relabeling to avoid aliasing.
-	* Removed some obsolete types and remapped their initial SIDs to unlabeled.
-	* Added SE-X related security classes and policy framework.
-	* Added devnull initial SID and context.
-	* Merged diffs from Fedora policy.
-
-1.10 2004-04-07
-	* Merged ipv6 support from James Morris of RedHat.
-	* Merged policy diffs from Dan Walsh.
-	* Updated call to genhomedircon to reflect new usage.
-	* Merged policy diffs from Dan Walsh and Russell Coker.
-	* Removed config-users and config-services per Dan's request.
-
-1.8 2004-03-09
-	* Merged genhomedircon patch from Karl MacMillan of Tresys.
-	* Added restorecon domain.
-	* Added unconfined_domain macro.
-	* Added default_t for /.* file_contexts entry and replaced some
-	  uses of file_t with default_t in the policy. 
-	* Added su_restricted_domain() macro and use it for initrc_t.
-	* Merged policy diffs from Dan Walsh and Russell Coker.
-	  These included a merge of an earlier patch by Chris PeBenito
-	  to rename the etc types to be consistent with other types.
-
-1.6 2004-02-18
-	* Merged xfs support from Chris PeBenito.
-	* Merged conditional rules for ping.te.
-	* Defined setbool permission, added can_setbool macro.
-	* Partial network policy cleanup.
-	* Merged with Russell Coker's policy.
-	* Renamed netscape macro and domain to mozilla  and renamed
-	  ipchains domain to iptables for consistency with Russell.
-	* Merged rhgb macro and domain from Russell Coker.
-	* Merged tunable.te from Russell Coker. 
-          Only define direct_sysadm_daemon by default in our copy.  
-	* Added rootok permission to passwd class.
-	* Merged Makefile change from Dan Walsh to generate /home 
-	  file_contexts entries for staff users.
-	* Added automatic role and domain transitions for init scripts and
-	  daemons.  Added an optional third argument (nosysadm) to 
-	  daemon_domain to omit the direct transition from sysadm_r when
-	  the same executable is also used as an application, in which
-	  case the daemon must be restarted via the init script to obtain
-	  the proper security context.  Added system_r to the authorized roles
-	  for admin users at least until support for automatic user identity
-	  transitions exist so that a transition to system_u can be provided
-	  transparently.
-	* Added support to su domain for using pam_selinux. 
-	  Added entries to default_contexts for the su domains to 
-	  provide reasonable defaults.  Removed user_su_t.
-	* Tighten restriction on user identity and role transitions in constraints.
-	* Merged macro for newrole-like domains from Russell Coker.
-	* Merged stub dbusd domain from Russell Coker.
-	* Merged stub prelink domain from Dan Walsh.
-	* Merged updated userhelper and config tool domains from Dan Walsh.
-	* Added send_msg/recv_msg permissions to can_network macro.
-	* Merged patch by Chris PeBenito for sshd subsystems.
-	* Merged patch by Chris PeBenito for passing class to var_run_domain.
-	* Merged patch by Yuichi Nakamura for append_log_domain macros.
-	* Merged patch by Chris PeBenito for rpc_pipefs labeling.
-	* Merged patch by Colin Walters to apply m4 once so that
-	  source file info is preserved for checkpolicy.
-
-1.4 2003-12-01
-        * Merged patches from Russell Coker.
-	* Revised networking permissions.
-	* Added new node_bind permission. 
-	* Added new siginh, rlimitinh, and setrlimit permissions.
-	* Added proc_t:file read permission for new is_selinux_enabled logic.
-	* Added failsafe_context configuration file to appconfig.
-	* Moved newrules.pl to policycoreutils, renamed to audit2allow.
-	* Merged newrules.pl patch from Yuichi Nakamura.
-
-1.2 2003-09-30
-	* More policy merging with Russell Coker.
-	* Transferred newrules.pl script from the old SELinux. 
-	* Merged MLS configuration patch from Karl MacMillan of Tresys.
-	* Limit staff_t to reading /proc entries for unpriv_userdomain.
-        * Updated Makefile and spec file to allow non-root builds,
-	  based on patch by Paul Nasrat.
-
-1.1 2003-08-13
-        * Merged Makefile check-all and te-includes patches from Colin Walters.
-        * Merged x-debian-packages.patch from Colin Walters.
-	* Folded read permission into domain_trans.
-
-1.0 2003-07-11
-	* Initial public release.
-
diff --git a/mls/Makefile b/mls/Makefile
deleted file mode 100644
index 933e3d5..0000000
--- a/mls/Makefile
+++ /dev/null
@@ -1,356 +0,0 @@
-#
-# Makefile for the security policy.
-#
-# Targets:
-# 
-# install - compile and install the policy configuration, and context files.
-# load    - compile, install, and load the policy configuration.
-# reload  - compile, install, and load/reload the policy configuration.
-# relabel - relabel filesystems based on the file contexts configuration.
-# policy  - compile the policy configuration locally for testing/development.
-#
-# The default target is 'install'.
-#
-
-# Set to y if MLS is enabled in the policy.
-MLS=y
-
-# Set to y if MCS is enabled in the policy
-MCS=n
-
-FLASKDIR = flask/
-PREFIX = /usr
-BINDIR = $(PREFIX)/bin
-SBINDIR = $(PREFIX)/sbin
-LOADPOLICY  = $(SBINDIR)/load_policy
-CHECKPOLICY = $(BINDIR)/checkpolicy
-GENHOMEDIRCON = $(SBINDIR)/genhomedircon
-SETFILES = $(SBINDIR)/setfiles
-VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
-PREVERS := 20
-KERNVERS := $(shell cat /selinux/policyvers)
-MLSENABLED := $(shell cat /selinux/mls)
-POLICYVER := policy.$(VERS)
-TOPDIR = $(DESTDIR)/etc/selinux
-TYPE=mls
-
-INSTALLDIR = $(TOPDIR)/$(TYPE)
-POLICYPATH = $(INSTALLDIR)/policy
-SRCPATH = $(INSTALLDIR)/src
-USERPATH = $(INSTALLDIR)/users
-CONTEXTPATH = $(INSTALLDIR)/contexts
-LOADPATH = $(POLICYPATH)/$(POLICYVER)
-FCPATH = $(CONTEXTPATH)/files/file_contexts
-HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
-
-ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te)
-ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te)
-ALL_TYPES := $(wildcard types/*.te)
-ALL_DOMAINS := $(wildcard domains/*.te domains/misc/*.te domains/program/*.te)
-ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te 
-TE_RBAC_FILES := $(ALLTEFILES) rbac
-ALL_TUNABLES := $(wildcard tunables/*.tun )
-USER_FILES := users 
-POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
-ifeq ($(MLS),y)
-POLICYFILES += mls
-CHECKPOLMLS += -M
-endif
-ifeq ($(MCS), y)
-POLICYFILES += mcs
-CHECKPOLMLS += -M
-endif
-DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
-POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
-POLICYFILES += $(USER_FILES)
-POLICYFILES += constraints
-POLICYFILES += $(DEFCONTEXTFILES)
-CONTEXTFILES = $(DEFCONTEXTFILES)
-POLICY_DIRS = domains domains/program domains/misc macros macros/program
-
-UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
-
-FC = file_contexts/file_contexts
-HOMEDIR_TEMPLATE = file_contexts/homedir_template
-FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc)
-CONTEXTFILES += $(FCFILES)
-
-APPDIR=$(CONTEXTPATH)
-APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types port_types) $(CONTEXTPATH)/files/media
-CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media
-
-ROOTFILES = $(addprefix $(APPDIR)/users/,root)
-
-all:  policy
-
-tmp/valid_fc: $(LOADPATH) $(FC) 
-	@echo "Validating file contexts files ..."	
-	$(SETFILES) -q -c $(LOADPATH) $(FC)
-	@touch tmp/valid_fc
-
-install: $(FCPATH) $(APPFILES) $(ROOTFILES) $(USERPATH)/local.users
-
-$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
-	@mkdir -p $(USERPATH)
-	@echo "# " > tmp/system.users
-	@echo "# Do not edit this file. " >> tmp/system.users
-	@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
-	@echo "# Please edit local.users to make local changes." >> tmp/system.users
-	@echo "#" >> tmp/system.users
-	@m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
-	install -m 644 tmp/system.users $@
-
-$(USERPATH)/local.users: local.users
-	@mkdir -p $(USERPATH)
-	install -b -m 644 $< $@
-
-$(CONTEXTPATH)/files/media: appconfig/media
-	@mkdir -p $(CONTEXTPATH)/files/
-	install -m 644 $< $@
-
-$(APPDIR)/default_contexts: appconfig/default_contexts
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/removable_context: appconfig/removable_context
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/customizable_types: policy.conf
-	@mkdir -p $(APPDIR)
-	@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
-	install -m 644 tmp/customizable_types $@ 
-
-$(APPDIR)/port_types: policy.conf
-	@mkdir -p $(APPDIR)
-	@grep "^type .*port_type" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/port_types
-	install -m 644 tmp/port_types $@ 
-
-$(APPDIR)/default_type: appconfig/default_type
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/userhelper_context: appconfig/userhelper_context
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/initrc_context: appconfig/initrc_context
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/failsafe_context: appconfig/failsafe_context
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/dbus_contexts: appconfig/dbus_contexts
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/users/root: appconfig/root_default_contexts
-	@mkdir -p $(APPDIR)/users
-	install -m 644 $< $@
-
-$(LOADPATH): policy.conf $(CHECKPOLICY) 
-	@echo "Compiling policy ..."
-	@mkdir -p $(POLICYPATH)
-	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
-ifneq ($(VERS),$(PREVERS))
-	$(CHECKPOLICY) $(CHECKPOLMLS) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf
-endif
-
-# Note: Can't use install, so not sure how to deal with mode, user, and group
-#	other than by default.
-
-policy: $(POLICYVER)
-
-$(POLICYVER):  policy.conf $(FC) $(CHECKPOLICY)
-	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
-	@echo "Validating file contexts files ..."
-	$(SETFILES) -q -c $(POLICYVER) $(FC)
-
-reload tmp/load: $(LOADPATH) 
-	@echo "Loading Policy ..."
-	$(LOADPOLICY)
-	touch tmp/load
-
-load: tmp/load $(FCPATH) 
-
-enableaudit: policy.conf 
-	grep -v dontaudit policy.conf > policy.audit
-	mv policy.audit policy.conf
-
-policy.conf: $(POLICYFILES) $(POLICY_DIRS)
-	@echo "Building policy.conf ..."
-	@mkdir -p tmp
-	m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp
-	@mv $@.tmp $@
-
-install-src: 
-	rm -rf $(SRCPATH)/policy.old
-	-mv $(SRCPATH)/policy $(SRCPATH)/policy.old
-	@mkdir -p $(SRCPATH)/policy
-	cp -R . $(SRCPATH)/policy
-
-tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
-	@mkdir -p tmp
-	( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp
-	( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
-	mv $@.tmp $@
-
-FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs | reiserfs ).*rw/{print $$3}';`
-
-checklabels: $(SETFILES)
-	$(SETFILES) -v -n $(FC) $(FILESYSTEMS)
-
-restorelabels: $(SETFILES)
-	$(SETFILES) -v $(FC) $(FILESYSTEMS)
-
-relabel:  $(FC) $(SETFILES)
-	$(SETFILES) $(FC) $(FILESYSTEMS)
-
-file_contexts/misc:
-	@mkdir -p file_contexts/misc
-
-$(FCPATH): tmp/valid_fc $(USERPATH)/system.users  $(APPDIR)/customizable_types $(APPDIR)/port_types
-	@echo "Installing file contexts files..."
-	@mkdir -p $(CONTEXTPATH)/files
-	install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
-	install -m 644 $(FC) $(FCPATH)
-	@$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
-
-$(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
-	@echo "Building file contexts files..."
-	@m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp
-	@grep -v -e HOME -e ROLE -e USER $@.tmp > $@
-	@grep -e HOME -e ROLE -e USER $@.tmp  > $(HOMEDIR_TEMPLATE)
-	@-rm $@.tmp
-
-# Create a tags-file for the policy:
-# we need exuberant ctags; unfortunately it is named differently on different distros, sigh...
-pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH))))) # taken from make-docs
-CTAGS := $(call pathsearch,ctags-exuberant) # debian naming scheme
-ifeq ($(strip $(CTAGS)),)
-CTAGS := $(call pathsearch,ctags) # suse naming scheme
-endif
-
-tags: $(wildcard *.te types/*.te domains/*.te domains/misc/*.te domains/program/*.te domains/program/unused/*.te macros/*.te macros/program/*.te)
-	@($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
-	@LC_ALL=C $(CTAGS) --langdef=te --langmap=te:..te \
-	  --regex-te='/^[ \t]*type[ \t]+(\w+)(,|;)/\1/t,type/' \
-	  --regex-te='/^[ \t]*typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
-	  --regex-te='/^[ \t]*attribute[ \t]+(\w+);/\1/a,attribute/' \
-	  --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
-	  --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^
- 
-clean:
-	rm -f policy.conf $(POLICYVER)
-	rm -f tags
-	rm -f tmp/*
-	rm -f $(FC)
-	rm -f flask/*.h
-# for the policy regression tester
-	find "domains/program/" -maxdepth 1 -type l -exec rm {} \; ; \
-
-# Policy regression tester.
-# Written by Colin Walters <walters@debian.org>
-cur_te = $(filter-out %/,$(subst /,/ ,$@))
-
-TESTED_TE_FILES := $(notdir $(UNUSED_TE_FILES))
-
-define compute_depends
-  export TE_DEPENDS_$(1) := $(shell egrep '^#[[:space:]]*Depends: ' domains/program/unused/$(1) | head -1 | sed -e 's/^.*Depends: //')
-endef
-
-
-ifeq ($(TE_DEPENDS_DEFINED),)
-ifeq ($(MAKECMDGOALS),check-all)
-  GENRULES := $(TESTED_TE_FILES)
-  export TE_DEPENDS_DEFINED := yes
-else
-  # Handle the case where checkunused/blah.te is run directly.
-  ifneq ($(findstring checkunused/,$(MAKECMDGOALS)),)
-    GENRULES := $(TESTED_TE_FILES)
-    export TE_DEPENDS_DEFINED := yes
-  endif
-endif
-endif
-
-# Test for a new enough version of GNU Make.
-$(eval have_eval := yes)
-ifneq ($(GENRULES),)
-  ifeq ($(have_eval),)
-$(error Need GNU Make 3.80 or better!)
-Need GNU Make 3.80 or better
-  endif
-endif
-$(foreach f,$(GENRULES),$(eval $(call compute_depends,$(f))))
-
-PHONIES :=
-
-define compute_presymlinks
-PHONIES += presymlink/$(1)
-presymlink/$(1):: $(patsubst %,presymlink/%,$(TE_DEPENDS_$(1)))
-	@if ! test -L domains/program/$(1); then \
-	  cd domains/program && ln -s unused/$(1) .; \
-	fi
-endef
-
-# Compute dependencies.
-$(foreach f,$(TESTED_TE_FILES),$(eval $(call compute_presymlinks,$(f))))
-
-PHONIES += $(patsubst %,checkunused/%,$(TESTED_TE_FILES))
-$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : 
-	@$(MAKE) -s clean
-
-$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : presymlink/%
-	@if test -n "$(TE_DEPENDS_$(cur_te))"; then \
-	  echo "Dependencies for $(cur_te): $(TE_DEPENDS_$(cur_te))"; \
-	fi
-	@echo "Testing $(cur_te)...";
-	@if ! make -s policy 1>/dev/null; then \
-	  echo "Testing $(cur_te)...FAILED"; \
-	  exit 1; \
-	fi;
-	@echo "Testing $(cur_te)...success."; \
-
-check-all:
-	@for goal in  $(patsubst %,checkunused/%,$(TESTED_TE_FILES)); do \
-	  $(MAKE) --no-print-directory $$goal; \
-	done
-
-.PHONY: clean $(PHONIES)
-
-mlsconvert: 
-	@for file in $(CONTEXTFILES); do \
-		echo "Converting $$file"; \
-		sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
-		mv $$file.new $$file; \
-	done
-	@for file in $(USER_FILES); do \
-		echo "Converting $$file"; \
-		sed -e 's/;/ level s0 range s0 - s15:c0.c255;/' $$file > $$file.new && \
-		mv $$file.new $$file; \
-	done
-	@sed -e '/sid kernel/s/s0/s0 - s15:c0.c255/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
-	@echo "Enabling MLS in the Makefile"
-	@sed "s/MLS=y/MLS=y/" Makefile > Makefile.new
-	@mv Makefile.new Makefile
-	@echo "Done"
-
-mcsconvert: 
-	@for file in $(CONTEXTFILES); do \
-		echo "Converting $$file"; \
-		sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
-		mv $$file.new $$file; \
-	done
-	@for file in $(USER_FILES); do \
-		echo "Converting $$file"; \
-		sed -r -e 's/\;/ level s0 range s0;/' $$file | \
-		sed -r -e 's/(user (user_u|root|system_u).*);/\1 - s0:c0.c255;/' > $$file.new; \
-		mv $$file.new $$file; \
-	done
-	@echo "Enabling MCS in the Makefile"
-	@sed "s/MCS=n/MCS=y/" Makefile > Makefile.new
-	@mv Makefile.new Makefile
-	@echo "Done"
-
diff --git a/mls/README b/mls/README
deleted file mode 100644
index 6818b66..0000000
--- a/mls/README
+++ /dev/null
@@ -1,125 +0,0 @@
-The Makefile targets are:
-policy - compile the policy configuration.
-install - compile and install the policy configuration.
-load    - compile, install, and load the policy configuration.
-relabel - relabel the filesystem.
-check-all - check individual additional policy files in domains/program/unused.
-checkunused/FILE.te - check individual file FILE from domains/program/unused.
-
-If you have configured MLS into your module, then set MLS=y in the
-Makefile prior to building the policy.  Of course, you must have also
-built checkpolicy with MLS enabled.  
-
-Three of the configuration files are independent of the particular
-security policy:
-1) flask/security_classes -
-   This file has a simple declaration for each security class.
-   The corresponding symbol definitions are in the automatically
-   generated header file <selinux/flask.h>. 
-
-2) flask/initial_sids - 
-   This file has a simple declaration for each initial SID.
-   The corresponding symbol definitions are in the automatically
-   generated header file <selinux/flask.h>.
-
-3) access_vectors - 
-   This file defines the access vectors.  Common prefixes for
-   access vectors may be defined at the beginning of the file.
-   After the common prefixes are defined, an access vector
-   may be defined for each security class.
-   The corresponding symbol definitions are in the automatically
-   generated header file <selinux/av_permissions.h>.
-
-In addition to being read by the security server, these configuration
-files are used during the kernel build to automatically generate
-symbol definitions used by the kernel for security classes, initial
-SIDs and permissions.  Since the symbol definitions generated from
-these files are used during the kernel build, the values of existing
-security classes and permissions may not be modified by load_policy.
-However, new classes may be appended to the list of classes and new
-permissions may be appended to the list of permissions associated with
-each access vector definition.
-
-The policy-dependent configuration files are:
-1) tmp/all.te -  
-   This file defines the Type Enforcement (TE) configuration.
-   This file is automatically generated from a collection of files.
-
-   The macros subdirectory contains a collection of m4 macro definitions
-   used by the TE configuration.  The global_macros.te file contains global 
-   macros used throughout the configuration for common groupings of classes 
-   and permissions and for common sets of rules.  The user_macros.te file
-   contains macros used in defining user domains.  The admin_macros.te file
-   contains macros used in defining admin domains.  The macros/program 
-   subdirectory contains macros that are used to instantiate derived domains
-   for certain programs that encode information about both the calling user
-   domain and the program, permitting the policy to maintain separation 
-   between different instances of the program.
-
-   The types subdirectory contains several files with declarations for
-   general types (types not associated with a particular domain) and 
-   some rules defining relationships among those types.  Related types 
-   are grouped together into each file in this directory, e.g. all
-   device type declarations are in the device.te file.
-
-   The domains subdirectory contains several files and directories
-   with declarations and rules for each domain.  User domains are defined in 
-   user.te.  Administrator domains are defined in admin.te.  Domains for 
-   specific programs, including both system daemons and other programs, are 
-   in the .te files within the domains/program subdirectory.  The domains/misc
-   subdirectory is for miscellaneous domains such as the kernel domain and
-   the kernel module loader domain.
-
-   The assert.te file contains assertions that are checked after evaluating 
-   the entire TE configuration.
-
-2) rbac - 
-   This file defines the Role-Based Access Control (RBAC) configuration.
-
-3) mls - 
-   This file defines the Multi-Level Security (MLS) configuration.
-
-4) users -
-   This file defines the users recognized by the security policy.
-
-5) constraints - 
-   This file defines additional constraints on permissions
-   in the form of boolean expressions that must be satisfied in order
-   for specified permissions to be granted.  These constraints
-   are used to further refine the type enforcement tables and
-   the role allow rules.  Typically, these constraints are used
-   to restrict changes in user identity or role to certain domains.
-
-6) initial_sid_contexts -
-   This file defines the security context for each initial SID.
-   A security context consists of a user identity, a role, a type and
-   optionally a MLS range if the MLS policy is enabled.  If left unspecified,
-   the high MLS level defaults to the low MLS level.  The syntax of a valid 
-   security context is:
-
-     user:role:type[:sensitivity[:category,...][-sensitivity[:category,...]]]
-
-7) fs_use -
-   This file defines the labeling behavior for inodes in particular
-   filesystem types.  
-
-8) genfs_contexts -
-   This file defines security contexts for files in filesystems that
-   cannot support persistent label mappings or use one of the fixed
-   labeling schemes specified in fs_use.
-
-8) net_contexts -
-   This file defines the security contexts of network objects
-   such as ports, interfaces, and nodes.
-
-9) file_contexts/{types.fc,program/*.fc}
-   These files define the security contexts for persistent files.
-
-It is possible to test the security server functions on a given policy
-configuration by running the checkpolicy program with the -d option.
-This program is built from the same sources as the security server
-component of the kernel, so it may be used both to verify that a
-policy configuration will load successfully and to determine how the
-security server would respond if it were using that policy
-configuration.  A menu-based interface is provided for calling any of
-the security server functions after the policy is loaded.
diff --git a/mls/VERSION b/mls/VERSION
deleted file mode 100644
index 3bae520..0000000
--- a/mls/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-1.27.3
diff --git a/mls/appconfig/dbus_contexts b/mls/appconfig/dbus_contexts
deleted file mode 100644
index 116e684..0000000
--- a/mls/appconfig/dbus_contexts
+++ /dev/null
@@ -1,6 +0,0 @@
-<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-  <selinux>
-  </selinux>
-</busconfig>
diff --git a/mls/appconfig/default_contexts b/mls/appconfig/default_contexts
deleted file mode 100644
index 5024209..0000000
--- a/mls/appconfig/default_contexts
+++ /dev/null
@@ -1,12 +0,0 @@
-system_r:sulogin_t:s0  sysadm_r:sysadm_t:s0 
-system_r:local_login_t:s0  staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0
-system_r:sshd_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
-system_r:crond_t:s0	user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
-system_r:xdm_t:s0		staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-staff_r:staff_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-sysadm_r:sysadm_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-user_r:user_su_t:s0	staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 
-sysadm_r:sysadm_sudo_t:s0		sysadm_r:sysadm_t:s0
-staff_r:staff_sudo_t:s0		sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-user_r:user_sudo_t:s0		sysadm_r:sysadm_t:s0 user_r:user_t:s0
diff --git a/mls/appconfig/default_type b/mls/appconfig/default_type
deleted file mode 100644
index af878bd..0000000
--- a/mls/appconfig/default_type
+++ /dev/null
@@ -1,4 +0,0 @@
-secadm_r:secadm_t
-sysadm_r:sysadm_t
-staff_r:staff_t
-user_r:user_t
diff --git a/mls/appconfig/failsafe_context b/mls/appconfig/failsafe_context
deleted file mode 100644
index 999abd9..0000000
--- a/mls/appconfig/failsafe_context
+++ /dev/null
@@ -1 +0,0 @@
-sysadm_r:sysadm_t:s0
diff --git a/mls/appconfig/initrc_context b/mls/appconfig/initrc_context
deleted file mode 100644
index 30ab971..0000000
--- a/mls/appconfig/initrc_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:system_r:initrc_t:s0
diff --git a/mls/appconfig/media b/mls/appconfig/media
deleted file mode 100644
index 81f3463..0000000
--- a/mls/appconfig/media
+++ /dev/null
@@ -1,3 +0,0 @@
-cdrom system_u:object_r:removable_device_t:s0
-floppy system_u:object_r:removable_device_t:s0
-disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/mls/appconfig/removable_context b/mls/appconfig/removable_context
deleted file mode 100644
index 7fcc56e..0000000
--- a/mls/appconfig/removable_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:object_r:removable_t:s0
diff --git a/mls/appconfig/root_default_contexts b/mls/appconfig/root_default_contexts
deleted file mode 100644
index e9d95e8..0000000
--- a/mls/appconfig/root_default_contexts
+++ /dev/null
@@ -1,9 +0,0 @@
-system_r:local_login_t:s0  sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-system_r:crond_t:s0	sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
-staff_r:staff_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-sysadm_r:sysadm_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-user_r:user_su_t:s0	sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-#
-# Uncomment if you want to automatically login as sysadm_r
-#
-#system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
diff --git a/mls/appconfig/userhelper_context b/mls/appconfig/userhelper_context
deleted file mode 100644
index dc37a69..0000000
--- a/mls/appconfig/userhelper_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:sysadm_r:sysadm_t:s0
diff --git a/mls/assert.te b/mls/assert.te
deleted file mode 100644
index 02b2878..0000000
--- a/mls/assert.te
+++ /dev/null
@@ -1,156 +0,0 @@
-##############################
-#
-# Assertions for the type enforcement (TE) configuration.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-##################################
-#
-# Access vector assertions.
-#
-# An access vector assertion specifies permissions that should not be in
-# an access vector based on a source type, a target type, and a class.
-# If any of the specified permissions are in the corresponding access
-# vector, then the policy compiler will reject the policy configuration.
-# Currently, there is only one kind of access vector assertion, neverallow, 
-# but support for the other kinds of vectors could be easily added.  Access 
-# vector assertions use the same syntax as access vector rules.
-#
-
-#
-# Verify that every type that can be entered by
-# a domain is also tagged as a domain.
-#
-neverallow domain ~domain:process { transition dyntransition };
-
-#
-# Verify that only the insmod_t and kernel_t domains 
-# have the sys_module capability.
-#
-neverallow {domain -privsysmod -unrestricted } self:capability sys_module;
-
-#
-# Verify that executable types, the system dynamic loaders, and the
-# system shared libraries can only be modified by administrators.
-#
-neverallow {domain  -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { exec_type ld_so_t shlib_t }:file { write append unlink rename };
-neverallow {domain  ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin -unrestricted } { exec_type ld_so_t shlib_t }:file relabelto;
-
-#
-# Verify that only appropriate domains can access /etc/shadow
-neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr;
-neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms;
-
-#
-# Verify that only appropriate domains can write to /etc (IE mess with
-# /etc/passwd)
-neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:dir ~rw_dir_perms;
-neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:lnk_file ~r_file_perms;
-neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:file ~{ execute_no_trans rx_file_perms };
-
-#
-# Verify that other system software can only be modified by administrators.
-#
-neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
-neverallow { domain -kernel_t -admin -unrestricted } { lib_t bin_t sbin_t }:file { write append unlink rename };
-
-#
-# Verify that only certain domains have access to the raw disk devices.
-#
-neverallow { domain -fs_domain -unrestricted } fixed_disk_device_t:devfile_class_set { read write append };
-
-#
-# Verify that only the X server and klogd have access to memory devices.
-#
-neverallow { domain -privmem -unrestricted } memory_device_t:devfile_class_set { read write append };
-
-#
-# Verify that only domains with the privlog attribute can actually syslog
-#
-neverallow { domain -privlog -unrestricted } devlog_t:sock_file { read write append };
-
-#
-# Verify that /proc/kmsg is only accessible to klogd.
-#
-neverallow {domain -privkmsg -unrestricted } proc_kmsg_t:file ~stat_file_perms;
-
-#
-# Verify that /proc/kcore is inaccessible.
-#
-
-neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms;
-
-#
-# Verify that sysctl variables are only changeable
-# by initrc and administrators.
-#
-neverallow { domain -initrc_t -admin -kernel_t -insmod_t -unrestricted } sysctl_t:file { write append };
-neverallow { domain -initrc_t -admin -unrestricted } sysctl_fs_t:file { write append };
-neverallow { domain -admin -sysctl_kernel_writer -unrestricted } sysctl_kernel_t:file { write append };
-neverallow { domain -initrc_t -admin -sysctl_net_writer -unrestricted } sysctl_net_t:file { write append };
-neverallow { domain -initrc_t -admin -unrestricted } sysctl_net_unix_t:file { write append };
-neverallow { domain -initrc_t -admin -unrestricted } sysctl_vm_t:file { write append };
-neverallow { domain -initrc_t -admin -unrestricted } sysctl_dev_t:file { write append };
-neverallow { domain -initrc_t -admin -unrestricted } sysctl_modprobe_t:file { write append };
-
-#
-# Verify that certain domains are limited to only being
-# entered by their entrypoint types and to only executing
-# the dynamic loader without a transition to another domain.
-#
-
-define(`assert_execute', `
-    ifelse($#, 0, , 
-           $#, 1, 
-           ``neverallow $1_t ~$1_exec_t:file entrypoint; neverallow $1_t ~{ $1_exec_t ld_so_t }:file execute_no_trans;'',
-           `assert_execute($1) assert_execute(shift($@))')')
-
-ifdef(`getty.te', `assert_execute(getty)')
-ifdef(`klogd.te', `assert_execute(klogd)')
-ifdef(`tcpd.te', `assert_execute(tcpd)')
-ifdef(`portmap.te', `assert_execute(portmap)')
-ifdef(`syslogd.te', `assert_execute(syslogd)')
-ifdef(`rpcd.te', `assert_execute(rpcd)')
-ifdef(`rlogind.te', `assert_execute(rlogind)')
-ifdef(`ypbind.te', `assert_execute(ypbind)')
-ifdef(`xfs.te', `assert_execute(xfs)')
-ifdef(`gpm.te', `assert_execute(gpm)')
-ifdef(`ifconfig.te', `assert_execute(ifconfig)')
-ifdef(`iptables.te', `assert_execute(iptables)')
-
-ifdef(`login.te', `
-neverallow { local_login_t remote_login_t } ~{ login_exec_t ifdef(`pam.te', `pam_exec_t') }:file entrypoint;
-neverallow { local_login_t remote_login_t } ~{ ld_so_t ifdef(`pam.te', `pam_exec_t') }:file execute_no_trans;
-')
-
-#
-# Verify that the passwd domain can only be entered by its
-# entrypoint type and can only execute the dynamic loader
-# and the ordinary passwd program without a transition to another domain.
-#
-ifdef(`passwd.te', `
-neverallow passwd_t ~passwd_exec_t:file entrypoint;
-neverallow sysadm_passwd_t ~admin_passwd_exec_t:file entrypoint;
-neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:file execute_no_trans;
-')
-
-#
-# Verify that only the admin domains and initrc_t have setenforce.
-#
-neverallow { domain -secadmin -initrc_t -unrestricted } security_t:security setenforce;
-
-#
-# Verify that only the kernel and load_policy_t have load_policy.
-#
-
-neverallow { domain -kernel_t -load_policy_t -unrestricted } security_t:security load_policy;
-
-#
-# for gross mistakes in policy
-neverallow * domain:dir ~r_dir_perms;
-neverallow * domain:file_class_set ~rw_file_perms;
-neverallow { domain unlabeled_t } file_type:process *;
-neverallow ~{ domain unlabeled_t } *:process *;
diff --git a/mls/attrib.te b/mls/attrib.te
deleted file mode 100644
index 44e2f70..0000000
--- a/mls/attrib.te
+++ /dev/null
@@ -1,562 +0,0 @@
-#
-# Declarations for type attributes.
-# 
-
-# A type attribute can be used to identify a set of types with a similar
-# property.  Each type can have any number of attributes, and each
-# attribute can be associated with any number of types.  Attributes are
-# explicitly declared here, and can then be associated with particular
-# types in type declarations.  Attribute names can then be used throughout 
-# the configuration to express the set of types that are associated with 
-# the attribute.  Attributes have no implicit meaning to SELinux.  The
-# meaning of all attributes are completely defined through their
-# usage within the configuration, but should be documented here as
-# comments preceding the attribute declaration.  
-
-#####################
-# Attributes for MLS:
-#
-
-# Common Terminology
-# 	MLS Range: low-high
-#		low referred to as "Effective Sensitivity Label (SL)"
-#		high referred to as "Clearance SL"
-
-
-#
-# File System MLS attributes/privileges
-#
-# Grant MLS read access to files not dominated by the process Effective SL
-attribute mlsfileread;
-# Grant MLS read access to files dominated by the process Clearance SL
-attribute mlsfilereadtoclr;
-# Grant MLS write access to files not equal to the Effective SL
-attribute mlsfilewrite;
-# Grant MLS write access to files which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsfilewritetoclr;
-# Grant MLS ability to change file label to a new label which dominates
-# the old label  
-attribute mlsfileupgrade;
-# Grant MLS ability to change file label to a new label which is
-# dominated by or incomparable to the old label
-attribute mlsfiledowngrade;
-
-#
-# Network MLS attributes/privileges
-#
-# Grant MLS read access to packets not dominated by the process Effective SL
-attribute mlsnetread;
-# Grant MLS read access to packets dominated by the process Clearance SL
-attribute mlsnetreadtoclr;
-# Grant MLS write access to packets not equal to the Effective SL
-attribute mlsnetwrite;
-# Grant MLS write access to packets which dominate the Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsnetwritetoclr;
-# Grant MLS read access to packets from hosts or interfaces which dominate
-# or incomparable to the process Effective SL
-attribute mlsnetrecvall;
-# Grant MLS ability to change socket label to a new label which dominates
-# the old label  
-attribute mlsnetupgrade;
-# Grant MLS ability to change socket label to a new label which is
-# dominated by or incomparable to the old label
-attribute mlsnetdowngrade;
-
-#
-# IPC MLS attributes/privileges
-#
-# Grant MLS read access to IPC objects not dominated by the process Effective SL
-attribute mlsipcread;
-# Grant MLS read access to IPC objects dominated by the process Clearance SL
-attribute mlsipcreadtoclr;
-# Grant MLS write access to IPC objects not equal to the process Effective SL
-attribute mlsipcwrite;
-# Grant MLS write access to IPC objects which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsipcwritetoclr;
-
-#
-# Process MLS attributes/privileges
-#
-# Grant MLS read access to processes not dominated by the process Effective SL
-attribute mlsprocread;
-# Grant MLS read access to processes dominated by the process Clearance SL
-attribute mlsprocreadtoclr;
-# Grant MLS write access to processes not equal to the Effective SL
-attribute mlsprocwrite;
-# Grant MLS write access to processes which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsprocwritetoclr;
-# Grant MLS ability to change Effective SL or Clearance SL of process to a
-# label dominated by the Clearance SL
-attribute mlsprocsetsl;
-
-#
-# X Window MLS attributes/privileges
-#
-# Grant MLS read access to X objects not dominated by the process Effective SL
-attribute mlsxwinread;
-# Grant MLS read access to X objects dominated by the process Clearance SL
-attribute mlsxwinreadtoclr;
-# Grant MLS write access to X objects not equal to the process Effective SL
-attribute mlsxwinwrite;
-# Grant MLS write access to X objects which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsxwinwritetoclr;
-# Grant MLS read access to X properties not dominated by
-# the process Effective SL
-attribute mlsxwinreadproperty;
-# Grant MLS write access to X properties not equal to the process Effective SL
-attribute mlsxwinwriteproperty;
-# Grant MLS read access to X colormaps not dominated by
-# the process Effective SL
-attribute mlsxwinreadcolormap;
-# Grant MLS write access to X colormaps not equal to the process Effective SL
-attribute mlsxwinwritecolormap;
-# Grant MLS write access to X xinputs not equal to the process Effective SL
-attribute mlsxwinwritexinput;
-
-# Grant MLS read/write access to objects which internally arbitrate MLS
-attribute mlstrustedobject;
-
-#
-# Both of the following attributes are needed for a range transition to succeed
-#
-# Grant ability for the current domain to change SL upon process transition
-attribute privrangetrans;
-# Grant ability for the new process domain to change SL upon process transition
-attribute mlsrangetrans;
-
-#########################
-# Attributes for domains:
-#
-
-# The domain attribute identifies every type that can be 
-# assigned to a process.  This attribute is used in TE rules 
-# that should be applied to all domains, e.g. permitting 
-# init to kill all processes.
-attribute domain;
-
-# The daemon attribute identifies domains for system processes created via
-# the daemon_domain, daemon_base_domain, and init_service_domain macros.
-attribute daemon;
-
-# The privuser attribute identifies every domain that can 
-# change its SELinux user identity.  This attribute is used 
-# in the constraints configuration.  NOTE:  This attribute
-# is not required for domains that merely change the Linux
-# uid attributes, only for domains that must change the
-# SELinux user identity.  Also note that this attribute makes
-# no sense without the privrole attribute.
-attribute privuser;
-
-# The privrole attribute identifies every domain that can 
-# change its SELinux role.  This attribute is used in the 
-# constraints configuration.
-attribute privrole;
-
-# The userspace_objmgr attribute identifies every domain
-# which enforces its own policy.
-attribute userspace_objmgr;
-
-# The priv_system_role attribute identifies every domain that can
-# change role from a user role to system_r role, and identity from a user
-# identity to system_u.  It is used in the constraints configuration.
-attribute priv_system_role;
-
-# The privowner attribute identifies every domain that can 
-# assign a different SELinux user identity to a file, or that
-# can create a file with an identity that is not the same as the
-# process identity.  This attribute is used in the constraints
-# configuration.
-attribute privowner;
-
-# The privlog attribute identifies every domain that can 
-# communicate with syslogd through its Unix domain socket.
-# There is an assertion that other domains can not do it,
-# and an allow rule to permit it
-attribute privlog;
-
-# The privmodule attribute identifies every domain that can run
-# modprobe, there is an assertion that other domains can not do it,
-# and an allow rule to permit it
-attribute privmodule;
-
-# The privsysmod attribute identifies every domain that can have the
-# sys_module capability
-attribute privsysmod;
-
-# The privmem attribute identifies every domain that can 
-# access kernel memory devices.
-# This attribute is used in the TE assertions to verify
-# that such access is limited to domains that are explicitly
-# tagged with this attribute.
-attribute privmem;
-
-# The privkmsg attribute identifies every domain that can 
-# read kernel messages (/proc/kmsg)
-# This attribute is used in the TE assertions to verify
-# that such access is limited to domains that are explicitly
-# tagged with this attribute.
-attribute privkmsg;
-
-# The privfd attribute identifies every domain that should have
-# file handles inherited widely (IE sshd_t and getty_t).
-attribute privfd;
-
-# The privhome attribute identifies every domain that can create files under
-# regular user home directories in the regular context (IE act on behalf of
-# a user in writing regular files)
-attribute privhome;
-
-# The auth attribute identifies every domain that needs
-# to read /etc/shadow, and grants the permission.
-attribute auth;
-
-# The auth_bool attribute identifies every domain that can 
-# read /etc/shadow if its boolean is set;
-attribute auth_bool;
-
-# The auth_write attribute identifies every domain that can have write or
-# relabel access to /etc/shadow, but does not grant it.
-attribute auth_write;
-
-# The auth_chkpwd attribute identifies every system domain that can
-# authenticate users by running unix_chkpwd
-attribute auth_chkpwd;
-
-# The change_context attribute identifies setfiles_t, restorecon_t, and other
-# system domains that change the context of most/all files on the system
-attribute change_context;
-
-# The etc_writer attribute identifies every domain that can write to etc_t
-attribute etc_writer;
-
-# The sysctl_kernel_writer attribute identifies domains that can write to
-# sysctl_kernel_t, in addition the admin attribute is permitted write access
-attribute sysctl_kernel_writer;
-
-# the sysctl_net_writer attribute identifies domains that can write to
-# sysctl_net_t files.
-attribute sysctl_net_writer;
-
-# The sysctl_type attribute identifies every type that is assigned
-# to a sysctl entry.  This can be used in allow rules to grant
-# permissions to all sysctl entries without enumerating each individual
-# type, but should be used with care.
-attribute sysctl_type;
-
-# The admin attribute identifies every administrator domain.
-# It is used in TE assertions when verifying that only administrator 
-# domains have certain permissions.  
-# This attribute is presently associated with sysadm_t and 
-# certain administrator utility domains.  
-# XXX The use of this attribute should be reviewed for consistency.
-# XXX Might want to partition into several finer-grained attributes 
-# XXX used in different assertions within assert.te.
-attribute admin;
-
-# The secadmin attribute identifies every security administrator domain.
-# It is used in TE assertions when verifying that only administrator 
-# domains have certain permissions.  
-# This attribute is presently associated with sysadm_t and secadm_t
-attribute secadmin;
-
-# The userdomain attribute identifies every user domain, presently
-# user_t and sysadm_t.  It is used in TE rules that should be applied
-# to all user domains.
-attribute userdomain;
-
-# for a small domain that can only be used for newrole
-attribute user_mini_domain;
-
-# pty for the mini domain
-attribute mini_pty_type;
-
-# pty created by a server such as sshd
-attribute server_pty;
-
-# attribute for all non-administrative devpts types
-attribute userpty_type;
-
-# The user_tty_type identifies every type for a tty or pty owned by an
-# unpriviledged user
-attribute user_tty_type;
-
-# The admin_tty_type identifies every type for a tty or pty owned by a
-# priviledged user
-attribute admin_tty_type;
-
-# The user_crond_domain attribute identifies every user_crond domain, presently
-# user_crond_t and sysadm_crond_t.  It is used in TE rules that should be
-# applied to all user domains.
-attribute user_crond_domain;
-
-# The unpriv_userdomain identifies non-administrative users (default user_t)
-attribute unpriv_userdomain;
-
-# This attribute is for the main user home directory for unpriv users
-attribute user_home_dir_type;
-
-# The gphdomain attribute identifies every gnome-pty-helper derived
-# domain.  It is used in TE rules to permit inheritance and use of
-# descriptors created by these domains.
-attribute gphdomain;
-
-# The fs_domain identifies every domain that may directly access a fixed disk
-attribute fs_domain;
-
-# This attribute is for all domains for the userhelper program.
-attribute userhelperdomain;
-
-############################
-# Attributes for file types:
-#
-
-# The file_type attribute identifies all types assigned to files 
-# in persistent filesystems.  It is used in TE rules to permit
-# the association of all such file types with persistent filesystem
-# types, and to permit certain domains to access all such types as 
-# appropriate.
-attribute file_type;
-
-# The secure_file_type attribute identifies files 
-# which will be treated with a higer level of security.
-# Most domains will be prevented from manipulating files in this domain
-attribute secure_file_type;
-
-# The device_type attribute identifies all types assigned to device nodes
-attribute device_type;
-
-# The proc_fs attribute identifies all types that may be assigned to
-# files under /proc.
-attribute proc_fs;
-
-# The dev_fs attribute identifies all types that may be assigned to
-# files, sockets, or pipes under /dev.
-attribute dev_fs;
-
-# The sysadmfile attribute identifies all types assigned to files 
-# that should be completely accessible to administrators.  It is used
-# in TE rules to grant such access for administrator domains.
-attribute sysadmfile;
-
-# The secadmfile attribute identifies all types assigned to files 
-# that should be only accessible to security administrators.  It is used
-# in TE rules to grant such access for security administrator domains.
-attribute secadmfile;
-
-# The fs_type attribute identifies all types assigned to filesystems
-# (not limited to persistent filesystems).
-# It is used in TE rules to permit certain domains to mount
-# any filesystem and to permit most domains to obtain the
-# overall filesystem statistics.
-attribute fs_type;
-
-# The mount_point attribute identifies all types that can serve
-# as a mount point (for the mount binary). It is used in the mount 
-# policy to grant mounton permission, and in other domains to grant 
-# getattr permission over all the mount points.
-attribute mount_point;
-
-# The exec_type attribute identifies all types assigned
-# to entrypoint executables for domains.  This attribute is 
-# used in TE rules and assertions that should be applied to all 
-# such executables.
-attribute exec_type;
-
-# The tmpfile attribute identifies all types assigned to temporary 
-# files.  This attribute is used in TE rules to grant certain 
-# domains the ability to remove all such files (e.g. init, crond).
-attribute tmpfile;
-
-# The user_tmpfile attribute identifies all types associated with temporary
-# files for unpriv_userdomain domains.
-attribute user_tmpfile;
-
-# for the user_xserver_tmp_t etc
-attribute xserver_tmpfile;
-
-# The tmpfsfile attribute identifies all types defined for tmpfs 
-# type transitions. 
-# It is used in TE rules to grant certain domains the ability to
-# access all such files.
-attribute tmpfsfile;
-
-# The home_type attribute identifies all types assigned to home
-# directories.  This attribute is used in TE rules to grant certain
-# domains the ability to access all home directory types.
-attribute home_type;
-
-# This attribute is for the main user home directory /home/user, to
-# distinguish it from sub-dirs.  Often you want a process to be able to
-# read the user home directory but not read the regular directories under it.
-attribute home_dir_type;
-
-# The ttyfile attribute identifies all types assigned to ttys.
-# It is used in TE rules to grant certain domains the ability to
-# access all ttys.
-attribute ttyfile;
-
-# The ptyfile attribute identifies all types assigned to ptys.
-# It is used in TE rules to grant certain domains the ability to
-# access all ptys.
-attribute ptyfile;
-
-# The pidfile attribute identifies all types assigned to pid files.
-# It is used in TE rules to grant certain domains the ability to
-# access all such files.
-attribute pidfile;
-
-
-############################
-# Attributes for network types:
-#
-
-# The socket_type attribute identifies all types assigned to 
-# kernel-created sockets.  Ordinary sockets are assigned the 
-# domain of the creating process.
-# XXX This attribute is unused.  Remove?
-attribute socket_type;
-
-# Identifies all types assigned to port numbers to control binding.
-attribute port_type;
-
-# Identifies all types assigned to reserved port (<1024) numbers to control binding.
-attribute reserved_port_type;
-
-# Identifies all types assigned to network interfaces to control
-# operations on the interface (XXX obsolete, not supported via LSM) 
-# and to control traffic sent or received on the interface.
-attribute netif_type;
-
-# Identifies all default types assigned to packets received 
-# on network interfaces.  
-attribute netmsg_type;
-
-# Identifies all types assigned to network nodes/hosts to control
-# traffic sent to or received from the node.
-attribute node_type;
-
-# Identifier for log files or directories that only exist for log files.
-attribute logfile;
-
-# Identifier for lock files (/var/lock/*) or directories that only exist for
-# lock files.
-attribute lockfile;
-
-
-
-##############################
-# Attributes for security policy types:
-#
-
-# The login_contexts attribute idenitifies the files used
-# to define default contexts for login types (e.g., login, cron).
-attribute login_contexts;
-
-# Identifier for a domain used by "sendmail -t" (IE user_mail_t,
-# sysadm_mail_t, etc)
-attribute user_mail_domain;
-
-# Identifies domains that can transition to system_mail_t
-attribute privmail;
-
-# Type for non-sysadm home directory
-attribute user_home_type;
-
-# For domains that are part of a mail server and need to read user files and
-# fifos, and inherit file handles to enable user email to get to the mail
-# spool
-attribute mta_user_agent;
-
-# For domains that are part of a mail server for delivering messages to the
-# user
-attribute mta_delivery_agent;
-
-# For domains that make outbound TCP port 25 connections to send mail from the
-# mail server.
-attribute mail_server_sender;
-
-# For a mail server process that takes TCP connections on port 25
-attribute mail_server_domain;
-
-# For web clients such as netscape and squid
-attribute web_client_domain;
-
-# For X Window System server domains
-attribute xserver;
-
-# For X Window System client domains
-attribute xclient;
-
-# For X Window System protocol extensions
-attribute xextension;
-
-# For X Window System property types
-attribute xproperty;
-
-#
-# For file systems that do not have extended attributes but need to be
-# r/w by users
-#
-attribute noexattrfile;
-
-#
-# For filetypes that the usercan read
-#
-attribute usercanread;
-
-#
-# For serial devices
-#
-attribute serial_device;
-
-# Attribute to designate unrestricted access
-attribute unrestricted;
-
-# Attribute to designate can transition to unconfined_t
-attribute unconfinedtrans;
-
-# For clients of nscd.
-attribute nscd_client_domain;
-
-# For clients of nscd that can use shmem interface.
-attribute nscd_shmem_domain;
-
-# For labeling of content for httpd.  This attribute is only used by
-# the httpd_unified domain, which says treat all httpdcontent the
-# same.  If you want content to be served in a "non-unified" system
-# you must specifically add "r_dir_file(httpd_t, your_content_t)" to
-# your policy.
-attribute httpdcontent;
-
-# For labeling of domains whos transition can be disabled
-attribute transitionbool;
-
-# For labelling daemons that should not have a range transition to "s0"
-# included in the daemon_base_domain macro
-attribute no_daemon_range_trans;
-
-# For labeling of file_context domains which users can change files to rather
-# then the default file context.  These file_context can survive a relabeling
-# of the file system.
-attribute customizable;
-
-##############################
-# Attributes for polyinstatiation support:
-#
-
-# For labeling types that are to be polyinstantiated
-attribute polydir;
-
-# And for labeling the parent directories of those polyinstantiated directories
-# This is necessary for remounting the original in the parent to give
-# security aware apps access
-attribute polyparent;
-
-# And labeling for the member directories
-attribute polymember;
-
diff --git a/mls/constraints b/mls/constraints
deleted file mode 100644
index 46a9875..0000000
--- a/mls/constraints
+++ /dev/null
@@ -1,83 +0,0 @@
-#
-# Define m4 macros for the constraints
-#
-
-#
-# Define the constraints
-#
-# constrain class_set perm_set expression ;
-#
-# validatetrans class_set expression ;
-#
-# expression : ( expression )
-#	     | not expression
-#	     | expression and expression
-#	     | expression or expression
-#	     | u1 op u2
-#	     | r1 role_mls_op r2
-#	     | t1 op t2
-#	     | l1 role_mls_op l2
-#	     | l1 role_mls_op h2
-#	     | h1 role_mls_op l2
-#	     | h1 role_mls_op h2
-#	     | l1 role_mls_op h1
-#	     | l2 role_mls_op h2
-#	     | u1 op names
-#	     | u2 op names
-#	     | r1 op names
-#	     | r2 op names
-#	     | t1 op names
-#	     | t2 op names
-#	     | u3 op names (NOTE: this is only available for validatetrans)
-#	     | r3 op names (NOTE: this is only available for validatetrans)
-#	     | t3 op names (NOTE: this is only available for validatetrans)
-#
-# op : == | !=
-# role_mls_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name#
-#
-
-#
-# Restrict the ability to transition to other users
-# or roles to a few privileged types.
-#
-
-constrain process transition
-	( u1 == u2 or ( t1 == privuser and t2 == userdomain )
-ifdef(`crond.te', `
-         or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u))
-')
-ifdef(`userhelper.te', 
-	`or (t1 == userhelperdomain)')
-	 or (t1 == priv_system_role and u2 == system_u )
-        );
-
-constrain process transition 
-	( r1 == r2 or ( t1 == privrole and t2 == userdomain )
-ifdef(`crond.te', `
-         or (t1 == crond_t and t2 == user_crond_domain)
-')
-ifdef(`userhelper.te', 
-	`or (t1 == userhelperdomain)')
-ifdef(`postfix.te', `
-ifdef(`direct_sysadm_daemon',
-	`or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )')
-')
-	 or (t1 == priv_system_role and r2 == system_r )
-        );
-
-constrain process dyntransition
-	( u1 == u2 and r1 == r2);
-
-#
-# Restrict the ability to label objects with other
-# user identities to a few privileged types.
-#
-
-constrain dir_file_class_set { create relabelto relabelfrom } 
-	( u1 == u2 or t1 == privowner );
-
-constrain socket_class_set { create relabelto relabelfrom } 
-	( u1 == u2 or t1 == privowner );
diff --git a/mls/domains/admin.te b/mls/domains/admin.te
deleted file mode 100644
index 464cc91..0000000
--- a/mls/domains/admin.te
+++ /dev/null
@@ -1,43 +0,0 @@
-#DESC Admin - Domains for administrators.
-#
-#################################
-
-# sysadm_t is the system administrator domain.
-type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome, etc_writer, privmodule, nscd_client_domain
-ifdef(`direct_sysadm_daemon', `, priv_system_role, privrangetrans')
-; dnl end of sysadm_t type declaration
-
-allow privhome home_root_t:dir { getattr search };
-
-# system_r is authorized for sysadm_t for single-user mode.
-role system_r types sysadm_t; 
-
-general_proc_read_access(sysadm_t)
-
-# sysadm_t is also granted permissions specific to administrator domains.
-admin_domain(sysadm)
-
-# for su
-allow sysadm_t userdomain:fd use;
-
-ifdef(`separate_secadm', `', `
-security_manager_domain(sysadm_t)
-')
-
-# Add/remove user home directories
-file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
-
-limited_user_role(secadm)
-typeattribute secadm_t admin;
-role secadm_r types secadm_t; 
-security_manager_domain(secadm_t)
-r_dir_file(secadm_t, { var_t var_log_t })
-
-typeattribute secadm_tty_device_t admin_tty_type;
-typeattribute secadm_devpts_t admin_tty_type;
-
-bool allow_ptrace false;
-
-if (allow_ptrace) {
-can_ptrace(sysadm_t, domain)
-}
diff --git a/mls/domains/misc/auth-net.te b/mls/domains/misc/auth-net.te
deleted file mode 100644
index e954a9b..0000000
--- a/mls/domains/misc/auth-net.te
+++ /dev/null
@@ -1,3 +0,0 @@
-#DESC Policy for using network servers for authenticating users (IE PAM-LDAP)
-
-can_network(auth)
diff --git a/mls/domains/misc/fcron.te b/mls/domains/misc/fcron.te
deleted file mode 100644
index 57209be..0000000
--- a/mls/domains/misc/fcron.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC fcron - additions to cron policy for a more powerful cron program
-#
-# Domain for fcron, a more powerful cron program.
-#
-# Needs cron.te installed.
-#
-# Author: Russell Coker <russell@coker.com.au>
-
-# Use capabilities.
-allow crond_t self:capability { dac_override dac_read_search };
-
-# differences between r_dir_perms and rw_dir_perms
-allow crond_t cron_spool_t:dir { add_name remove_name write };
-
-ifdef(`mta.te', `
-# not sure why we need write access, but Postfix does not work without it
-# I will have to change fcron to avoid the need for this
-allow { system_mail_t mta_user_agent } cron_spool_t:file { read write getattr };
-')
-
-ifdef(`distro_debian', `
-can_exec(dpkg_t, crontab_exec_t)
-file_type_auto_trans(dpkg_t, cron_spool_t, sysadm_cron_spool_t, file)
-')
-
-rw_dir_create_file(crond_t, cron_spool_t)
-can_setfscreate(crond_t)
-
-# for /var/run/fcron.fifo
-file_type_auto_trans(crond_t, var_run_t, crond_var_run_t, sock_file)
diff --git a/mls/domains/misc/kernel.te b/mls/domains/misc/kernel.te
deleted file mode 100644
index 5b13c0f..0000000
--- a/mls/domains/misc/kernel.te
+++ /dev/null
@@ -1,75 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-#################################
-#
-# Rules for the kernel_t domain.
-#
-
-#
-# kernel_t is the domain of kernel threads.
-# It is also the target type when checking permissions in the system class.
-# 
-type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ;
-role system_r types kernel_t;
-general_domain_access(kernel_t)
-general_proc_read_access(kernel_t)
-base_file_read_access(kernel_t)
-uses_shlib(kernel_t)
-can_exec(kernel_t, shell_exec_t)
-
-# Use capabilities.
-allow kernel_t self:capability *;
-
-r_dir_file(kernel_t, sysfs_t)
-allow kernel_t { usbfs_t usbdevfs_t }:dir search;
-
-# Run init in the init_t domain.
-domain_auto_trans(kernel_t, init_exec_t, init_t)
-
-ifdef(`mls_policy', `
-# run init with maximum MLS range
-range_transition kernel_t init_exec_t s0 - s15:c0.c255;
-')
-
-# Share state with the init process.
-allow kernel_t init_t:process share;
-
-# Mount and unmount file systems.
-allow kernel_t fs_type:filesystem mount_fs_perms;
-
-# Send signal to any process.
-allow kernel_t domain:process signal;
-allow kernel_t domain:dir search;
-
-# Access the console.
-allow kernel_t device_t:dir search;
-allow kernel_t console_device_t:chr_file rw_file_perms;
-
-# Access the initrd filesystem.
-allow kernel_t file_t:chr_file rw_file_perms;
-can_exec(kernel_t, file_t)
-ifdef(`chroot.te', `
-can_exec(kernel_t, chroot_exec_t)
-')
-allow kernel_t self:capability sys_chroot;
-
-allow kernel_t { unlabeled_t root_t file_t }:dir mounton;
-allow kernel_t unlabeled_t:fifo_file rw_file_perms;
-allow kernel_t file_t:dir rw_dir_perms;
-allow kernel_t file_t:blk_file create_file_perms;
-allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };
-
-# Lookup the policy.
-allow kernel_t policy_config_t:dir r_dir_perms;
-
-# Load the policy configuration.
-can_loadpol(kernel_t)
-
-# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
-can_exec(kernel_t, bin_t)
-
-ifdef(`targeted_policy', `
-unconfined_domain(kernel_t)
-')
diff --git a/mls/domains/misc/local.te b/mls/domains/misc/local.te
deleted file mode 100644
index cedba3c..0000000
--- a/mls/domains/misc/local.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# Local customization of existing policy should be done in this file.  
-# If you are creating brand new policy for a new "target" domain, you
-# need to create a type enforcement (.te) file in domains/program
-# and a file context (.fc) file in file_context/program.
-
diff --git a/mls/domains/misc/startx.te b/mls/domains/misc/startx.te
deleted file mode 100644
index 16c4910..0000000
--- a/mls/domains/misc/startx.te
+++ /dev/null
@@ -1,7 +0,0 @@
-#DESC startx - policy for running an X server from a user domain
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-# Everything is in the macro files
-
diff --git a/mls/domains/misc/userspace_objmgr.te b/mls/domains/misc/userspace_objmgr.te
deleted file mode 100644
index ae3b205..0000000
--- a/mls/domains/misc/userspace_objmgr.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC Userspace Object Managers
-#
-#################################
-
-# Get our own security context.
-can_getcon(userspace_objmgr)
-# Get security decisions via selinuxfs.
-can_getsecurity(userspace_objmgr)
-# Read /etc/selinux
-r_dir_file(userspace_objmgr, { selinux_config_t default_context_t })
-# Receive notifications of policy reloads and enforcing status changes.
-allow userspace_objmgr self:netlink_selinux_socket { create bind read };
-
diff --git a/mls/domains/misc/xclient.te b/mls/domains/misc/xclient.te
deleted file mode 100644
index ae4552f..0000000
--- a/mls/domains/misc/xclient.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# Authors:  Eamon Walsh <ewalsh@epoch.ncsc.mil>
-#
-
-#######################################
-#
-# Domains for the SELinux-enabled X Window System
-#
-
-#
-# Domain for all non-local X clients
-#
-type remote_xclient_t, domain;
-in_user_role(remote_xclient_t)
diff --git a/mls/domains/program/NetworkManager.te b/mls/domains/program/NetworkManager.te
deleted file mode 100644
index 922b4f5..0000000
--- a/mls/domains/program/NetworkManager.te
+++ /dev/null
@@ -1,122 +0,0 @@
-#DESC NetworkManager - 
-#
-# Authors: Dan Walsh <dwalsh@redhat.com>
-#
-#
-
-#################################
-#
-# Rules for the NetworkManager_t domain.
-#
-# NetworkManager_t is the domain for the NetworkManager daemon. 
-# NetworkManager_exec_t is the type of the NetworkManager executable.
-#
-daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod, mlsfileread' )
-
-can_network(NetworkManager_t)
-allow NetworkManager_t port_type:tcp_socket name_connect;
-allow NetworkManager_t { isakmp_port_t dhcpc_port_t }:udp_socket name_bind;
-allow NetworkManager_t dhcpc_t:process signal;
-
-can_ypbind(NetworkManager_t)
-uses_shlib(NetworkManager_t)
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module ipc_lock};
-
-allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
-
-allow NetworkManager_t self:process { setcap getsched };
-allow NetworkManager_t self:fifo_file rw_file_perms;
-allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
-allow NetworkManager_t self:file { getattr read };
-allow NetworkManager_t self:packet_socket create_socket_perms;
-allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
-
-
-#
-# Communicate with Caching Name Server
-#
-ifdef(`named.te', `
-allow NetworkManager_t named_zone_t:dir search;
-rw_dir_create_file(NetworkManager_t, named_cache_t)
-domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
-allow named_t NetworkManager_t:udp_socket { read write };
-allow named_t NetworkManager_t:netlink_route_socket { read write };
-allow NetworkManager_t named_t:process signal;
-allow named_t NetworkManager_t:packet_socket { read write };
-')
-
-allow NetworkManager_t selinux_config_t:dir search;
-allow NetworkManager_t selinux_config_t:file { getattr read };
-
-ifdef(`dbusd.te', `
-dbusd_client(system, NetworkManager)
-allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow NetworkManager_t self:dbus send_msg;
-ifdef(`hald.te', `
-allow NetworkManager_t hald_t:dbus send_msg;
-allow hald_t NetworkManager_t:dbus send_msg;
-')
-allow NetworkManager_t initrc_t:dbus send_msg;
-allow initrc_t NetworkManager_t:dbus send_msg;
-ifdef(`targeted_policy', `
-allow NetworkManager_t unconfined_t:dbus send_msg;
-allow unconfined_t NetworkManager_t:dbus send_msg;
-')
-allow NetworkManager_t userdomain:dbus send_msg;
-allow userdomain NetworkManager_t:dbus send_msg;
-')
-
-allow NetworkManager_t usr_t:file { getattr read };
-
-ifdef(`ifconfig.te', `
-domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
-')dnl end if def ifconfig
-
-allow NetworkManager_t { sbin_t bin_t }:dir search;
-allow NetworkManager_t bin_t:lnk_file read;
-can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t })
-
-# in /etc created by NetworkManager will be labelled net_conf_t.
-file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
-
-allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
-allow NetworkManager_t proc_t:file { getattr read };
-r_dir_file(NetworkManager_t, proc_net_t)
-
-allow NetworkManager_t { domain -unrestricted }:dir search;
-allow NetworkManager_t { domain -unrestricted }:file { getattr read };
-dontaudit NetworkManager_t unrestricted:dir search;
-dontaudit NetworkManager_t unrestricted:file { getattr read };
-
-allow NetworkManager_t howl_t:process signal;
-allow NetworkManager_t initrc_var_run_t:file { getattr read };
-
-ifdef(`modutil.te', `
-if (!secure_mode_insmod) {
-domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
-}
-')
-
-allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
-# allow vpnc connections
-allow NetworkManager_t self:rawip_socket create_socket_perms;
-allow NetworkManager_t tun_tap_device_t:chr_file rw_file_perms;
-
-domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
-domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
-ifdef(`vpnc.te', `
-domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t)
-')
-
-ifdef(`dhcpc.te', `
-allow NetworkManager_t dhcp_state_t:dir search;
-allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
-')
-allow NetworkManager_t var_lib_t:dir search;
-dontaudit NetworkManager_t user_tty_type:chr_file { read write };
-dontaudit NetworkManager_t security_t:dir search;
-
-ifdef(`consoletype.te', `
-can_exec(NetworkManager_t, consoletype_exec_t)
-')
-
diff --git a/mls/domains/program/acct.te b/mls/domains/program/acct.te
deleted file mode 100644
index bbb4fdc..0000000
--- a/mls/domains/program/acct.te
+++ /dev/null
@@ -1,66 +0,0 @@
-#DESC Acct - BSD process accounting
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: acct
-#
-
-#################################
-#
-# Rules for the acct_t domain.
-#
-# acct_exec_t is the type of the acct executable.
-#
-daemon_base_domain(acct)
-ifdef(`crond.te', `
-system_crond_entry(acct_exec_t, acct_t)
-
-# for monthly cron job
-file_type_auto_trans(acct_t, var_log_t, wtmp_t, file)
-')
-
-# for SSP
-allow acct_t urandom_device_t:chr_file read;
-
-type acct_data_t, file_type, logfile, sysadmfile;
-
-# not sure why we need this, the command "last" is reported as using it
-dontaudit acct_t self:capability kill;
-
-# gzip needs chown capability for some reason
-allow acct_t self:capability { chown fsetid sys_pacct };
-
-allow acct_t var_t:dir { getattr search };
-rw_dir_create_file(acct_t, acct_data_t)
-
-can_exec(acct_t, { shell_exec_t bin_t initrc_exec_t acct_exec_t })
-allow acct_t { bin_t sbin_t }:dir search;
-allow acct_t bin_t:lnk_file read;
-
-read_locale(acct_t)
-
-allow acct_t fs_t:filesystem getattr;
-
-allow acct_t self:unix_stream_socket create_socket_perms;
-
-allow acct_t self:fifo_file { read write getattr };
-
-allow acct_t { self proc_t }:file { read getattr };
-
-read_sysctl(acct_t)
-
-dontaudit acct_t sysadm_home_dir_t:dir { getattr search };
-
-# for nscd
-dontaudit acct_t var_run_t:dir search;
-
-
-allow acct_t devtty_t:chr_file { read write };
-
-allow acct_t { etc_t etc_runtime_t }:file { read getattr };
-
-ifdef(`logrotate.te', `
-domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
-rw_dir_create_file(logrotate_t, acct_data_t)
-can_exec(logrotate_t, acct_data_t)
-')
-
diff --git a/mls/domains/program/alsa.te b/mls/domains/program/alsa.te
deleted file mode 100644
index ab80475..0000000
--- a/mls/domains/program/alsa.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#DESC       ainit - configuration tool for ALSA
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-#
-type alsa_t, domain, privlog, daemon;
-type alsa_exec_t, file_type, sysadmfile, exec_type;
-uses_shlib(alsa_t)
-allow alsa_t { unpriv_userdomain self }:sem  create_sem_perms;
-allow alsa_t { unpriv_userdomain self }:shm  create_shm_perms;
-allow alsa_t self:unix_stream_socket create_stream_socket_perms;
-allow alsa_t self:unix_dgram_socket create_socket_perms;
-allow unpriv_userdomain alsa_t:sem { unix_read unix_write associate read write };
-allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms };
-
-type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
-rw_dir_create_file(alsa_t,alsa_etc_rw_t)
-allow alsa_t self:capability { setgid setuid ipc_owner };
-dontaudit alsa_t self:capability sys_admin;
-allow alsa_t devpts_t:chr_file { read write };
-allow alsa_t etc_t:file { getattr read };
-domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
-role system_r types alsa_t;
-read_locale(alsa_t) 
diff --git a/mls/domains/program/amanda.te b/mls/domains/program/amanda.te
deleted file mode 100644
index 4b63f5f..0000000
--- a/mls/domains/program/amanda.te
+++ /dev/null
@@ -1,284 +0,0 @@
-#DESC Amanda - Automated backup program
-#
-# This policy file sets the rigths for amanda client started by inetd_t
-# and amrecover 
-#
-# X-Debian-Packages: amanda-common amanda-server
-# Depends: inetd.te
-# Author     :  Carsten Grohmann <carstengrohmann@gmx.de>
-#
-# License    :  GPL
-#
-# last change:  27. August 2002
-#
-# state      :  complete and tested
-#
-# Hints      :
-#  - amanda.fc is the appendant file context file
-#  - If you use amrecover please extract the files and directories to the
-#    directory speficified in amanda.fc as type amanda_recover_dir_t.
-#  - The type amanda_user_exec_t is defined to label the files but not used.
-#    This configuration works only as an client and a amanda client does not need
-#    this programs.
-#
-# Enhancements/Corrections:
-#  - set tighter permissions to /bin/tar instead bin_t 
-
-##############################################################################
-# AMANDA CLIENT DECLARATIONS
-##############################################################################
-
-# General declarations
-######################
-
-type amanda_t, domain, privlog, auth, fs_domain, nscd_client_domain;
-role system_r types amanda_t;
-
-# type for the amanda executables
-type amanda_exec_t, file_type, sysadmfile, exec_type;
-
-# type for the amanda executables started by inetd
-type amanda_inetd_exec_t, file_type, sysadmfile, exec_type;
-
-# type for amanda configurations files
-type amanda_config_t, file_type, sysadmfile;
-
-# type for files in /usr/lib/amanda
-type amanda_usr_lib_t, file_type, sysadmfile;
-
-# type for all files in /var/lib/amanda
-type amanda_var_lib_t, file_type, sysadmfile;
-
-# type for all files in /var/lib/amanda/gnutar-lists/
-type amanda_gnutarlists_t, file_type, sysadmfile;
-
-# type for user startable files
-type amanda_user_exec_t, file_type, sysadmfile, exec_type;
-
-# type for same awk and other scripts
-type amanda_script_exec_t, file_type, sysadmfile, exec_type;
-
-# type for the shell configuration files 
-type amanda_shellconfig_t, file_type, sysadmfile;
-
-tmp_domain(amanda)
- 
-# type for /etc/amandates
-type amanda_amandates_t, file_type, sysadmfile;
-
-# type for /etc/dumpdates
-type amanda_dumpdates_t, file_type, sysadmfile;
-
-# type for amanda data
-type amanda_data_t, file_type, sysadmfile;
-
-# Domain transitions
-####################
-
-domain_auto_trans(inetd_t, amanda_inetd_exec_t, amanda_t)
-
-
-##################
-# File permissions
-##################
-
-# configuration files -> read only
-allow amanda_t amanda_config_t:file { getattr read };
-
-# access to amanda_amandates_t
-allow amanda_t amanda_amandates_t:file { getattr lock read write };
-
-# access to amanda_dumpdates_t
-allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
-
-# access to amandas data structure
-allow amanda_t amanda_data_t:dir { read search write };
-allow amanda_t amanda_data_t:file { read write };
-
-# access to proc_t
-allow amanda_t proc_t:file { getattr read };
-
-# access to etc_t and similar
-allow amanda_t etc_t:file { getattr read };
-allow amanda_t etc_runtime_t:file { getattr read };
-
-# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
-rw_dir_create_file(amanda_t, amanda_gnutarlists_t)
-
-# access to device_t and similar
-allow amanda_t devtty_t:chr_file { read write };
-
-# access to fs_t
-allow amanda_t fs_t:filesystem getattr;
-
-# access to sysctl_kernel_t ( proc/sys/kernel/* )
-read_sysctl(amanda_t)
-
-#####################
-# process permissions
-#####################
-
-# Allow to use shared libs
-uses_shlib(amanda_t)
-
-# Allow to execute a amanda executable file
-allow amanda_t amanda_exec_t:file { execute execute_no_trans getattr read };	
-
-# Allow to run a shell
-allow amanda_t shell_exec_t:file { execute execute_no_trans getattr read };
-
-# access to bin_t (tar)
-allow amanda_t bin_t:file { execute execute_no_trans };
-
-allow amanda_t self:capability { chown dac_override setuid };
-allow amanda_t self:process { fork sigchld setpgid signal };
-allow amanda_t self:dir search;
-allow amanda_t self:file { getattr read };
-
-
-###################################
-# Network and process communication
-###################################
-
-can_network_server(amanda_t);
-can_ypbind(amanda_t);
-can_exec(amanda_t, sbin_t);
-	
-allow amanda_t self:fifo_file { getattr read write ioctl lock };
-allow amanda_t self:unix_stream_socket create_stream_socket_perms;
-allow amanda_t self:unix_dgram_socket create_socket_perms;
-
-
-##########################
-# Communication with inetd
-##########################
-
-allow amanda_t inetd_t:udp_socket { read write };
-
-
-###################
-# inetd permissions
-###################
-
-allow inetd_t amanda_usr_lib_t:dir search;
-
-
-########################
-# Access to to save data
-########################
-
-# access to user_home_t
-allow amanda_t user_home_type:file { getattr read };
-
-##############################################################################
-# AMANDA RECOVER DECLARATIONS
-##############################################################################
-
-
-# General declarations
-######################
-
-# type for amrecover
-type amanda_recover_t, domain;
-role sysadm_r types amanda_recover_t;
-role system_r types amanda_recover_t;
-
-# exec types for amrecover 
-type amanda_recover_exec_t, file_type, sysadmfile, exec_type;
-
-# type for recover files ( restored data )
-type amanda_recover_dir_t, file_type, sysadmfile;
-file_type_auto_trans(amanda_recover_t, sysadm_home_dir_t, amanda_recover_dir_t)
-
-# domain transsition
-domain_auto_trans(sysadm_t, amanda_recover_exec_t, amanda_recover_t)
-
-# file type auto trans to write debug messages
-file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t)
-
-
-# amanda recover process permissions
-####################################
-
-uses_shlib(amanda_recover_t)
-allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
-can_exec(amanda_recover_t, shell_exec_t)
-allow amanda_recover_t privfd:fd use;
-
-
-# amrecover network and process communication
-#############################################
-
-can_network(amanda_recover_t);
-allow amanda_recover_t amanda_port_t:tcp_socket name_connect;
-can_ypbind(amanda_recover_t);
-read_locale(amanda_recover_t);
-
-allow amanda_recover_t self:fifo_file { getattr ioctl read write };
-allow amanda_recover_t self:unix_stream_socket { connect create read write };
-allow amanda_recover_t var_log_t:dir search;
-rw_dir_create_file(amanda_recover_t, amanda_log_t)
-
-# amrecover file permissions
-############################
-
-# access to etc_t and similar
-allow amanda_recover_t etc_t:dir search;
-allow amanda_recover_t etc_t:file { getattr read };
-allow amanda_recover_t etc_runtime_t:file { getattr read };
-
-# access to amanda_recover_dir_t
-allow amanda_recover_t amanda_recover_dir_t:dir { add_name remove_name search write };
-allow amanda_recover_t amanda_recover_dir_t:file { append create getattr setattr unlink };
-
-# access to var_t and var_run_t
-allow amanda_recover_t var_t:dir search;
-allow amanda_recover_t var_run_t:dir search;
-
-# access to proc_t
-allow amanda_recover_t proc_t:dir search;
-allow amanda_recover_t proc_t:file { getattr read };
-
-# access to sysctl_kernel_t
-read_sysctl(amanda_recover_t)
-
-# access to dev_t and similar
-allow amanda_recover_t device_t:dir search;
-allow amanda_recover_t devtty_t:chr_file { read write };
-allow amanda_recover_t null_device_t:chr_file { getattr write };
-
-# access to bin_t
-allow amanda_recover_t bin_t:file { execute execute_no_trans };
-
-# access to sysadm_home_t and sysadm_home_dir_t to start amrecover 
-# in the sysadm home directory
-allow amanda_recover_t { sysadm_home_dir_t sysadm_home_t }:dir { search getattr };
-
-# access to use sysadm_tty_device_t (/dev/tty?)
-allow amanda_recover_t sysadm_tty_device_t:chr_file { getattr ioctl read write };
-
-# access to amanda_tmp_t and tmp_t
-allow amanda_recover_t amanda_tmp_t:dir { add_name remove_name search write };
-allow amanda_recover_t amanda_tmp_t:file { append create getattr setattr unlink };
-allow amanda_recover_t tmp_t:dir search;
-
-#
-#  Rules to allow amanda to be run as a service in xinetd
-#
-allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
-
-#amanda needs to look at fs_type directories to decide whether it should backup
-allow amanda_t { fs_type file_type }:dir {getattr read search };
-allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
-allow amanda_t device_type:{ blk_file chr_file } getattr;
-allow amanda_t fixed_disk_device_t:blk_file read;
-domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)
-
-allow amanda_t file_type:sock_file getattr;
-logdir_domain(amanda)
-
-dontaudit amanda_t proc_t:lnk_file read;
-dontaudit amanda_t unlabeled_t:file getattr;
-#amanda wants to check attributes on fifo_files
-allow amanda_t file_type:fifo_file getattr;
diff --git a/mls/domains/program/anaconda.te b/mls/domains/program/anaconda.te
deleted file mode 100644
index 175947d..0000000
--- a/mls/domains/program/anaconda.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC Anaconda - Red Hat Installation program
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com>
-#
-#
-
-#################################
-#
-# Rules for the anaconda_t domain.
-#
-# anaconda_t is the domain of the installation program
-#
-type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer;
-role system_r types anaconda_t;
-unconfined_domain(anaconda_t)
-
-role system_r types ldconfig_t;
-domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
-
-# Run other rc scripts in the anaconda_t domain.
-domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)
-
-ifdef(`dmesg.te', `
-domain_auto_trans(anaconda_t, dmesg_exec_t, dmesg_t)
-')
-
-ifdef(`distro_redhat', `
-file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file)
-')
-
-ifdef(`rpm.te', `
-# Access /var/lib/rpm.
-domain_auto_trans(anaconda_t, rpm_exec_t, rpm_t)
-')
-
-file_type_auto_trans(anaconda_t, var_log_t, var_log_ksyms_t, file)
-
-ifdef(`udev.te', `
-domain_auto_trans(anaconda_t, udev_exec_t, udev_t)
-')
-
-ifdef(`ssh-agent.te', `
-role system_r types sysadm_ssh_agent_t;
-domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
-')
-ifdef(`passwd.te', `
-domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t)
-')
diff --git a/mls/domains/program/apache.te b/mls/domains/program/apache.te
deleted file mode 100644
index 1b9cab6..0000000
--- a/mls/domains/program/apache.te
+++ /dev/null
@@ -1,415 +0,0 @@
-#DESC Apache - Web server
-#
-# X-Debian-Packages: apache2-common apache
-#
-###############################################################################
-#
-# Policy file for running the Apache web server
-#
-# NOTES: 
-#  This policy will work with SUEXEC enabled as part of the Apache
-#  configuration. However, the user CGI scripts will run under the
-#  system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
-#  of the creating user.
-#
-#  The user CGI scripts must be labeled with the httpd_$1_script_exec_t
-#  type, and the directory containing the scripts should also be labeled
-#  with these types. This policy allows user_r role to perform that 
-#  relabeling. If it is desired that only sysadm_r should be able to relabel
-#  the user CGI scripts, then relabel rule for user_r should be removed.
-#
-###############################################################################
-
-define(`httpd_home_dirs', `
-r_dir_file(httpd_t, $1)
-r_dir_file(httpd_suexec_t, $1)
-can_exec(httpd_suexec_t, $1)
-')
-
-bool httpd_unified false;
-
-# Allow httpd to use built in scripting (usually php)
-bool httpd_builtin_scripting false;
-
-# Allow httpd cgi support
-bool httpd_enable_cgi false;
-
-# Allow httpd to read home directories
-bool httpd_enable_homedirs false;
-
-# Run SSI execs in system CGI script domain.
-bool httpd_ssi_exec false;
-
-# Allow http daemon to communicate with the TTY
-bool httpd_tty_comm false;
-
-# Allow http daemon to tcp connect 
-bool httpd_can_network_connect false;
-
-#########################################################
-# Apache types
-#########################################################
-# httpd_config_t is the type given to the configuration
-# files for apache /etc/httpd/conf
-#
-type httpd_config_t, file_type, sysadmfile;
-
-# httpd_modules_t is the type given to module files (libraries) 
-# that come with Apache /etc/httpd/modules and /usr/lib/apache
-#
-type httpd_modules_t, file_type, sysadmfile;
-
-# httpd_cache_t is the type given to the /var/cache/httpd
-# directory and the files under that directory
-#
-type httpd_cache_t, file_type, sysadmfile;
-
-# httpd_exec_t is the type give to the httpd executable.
-#
-daemon_domain(httpd, `, privmail, nscd_client_domain')
-
-append_logdir_domain(httpd)
-#can read /etc/httpd/logs
-allow httpd_t httpd_log_t:lnk_file read;
-
-# For /etc/init.d/apache2 reload
-can_tcp_connect(httpd_t, httpd_t)
-
-can_tcp_connect(web_client_domain, httpd_t)
-
-can_exec(httpd_t, httpd_exec_t)
-file_type_auto_trans(httpd_t, var_run_t, httpd_var_run_t, sock_file)
-
-general_domain_access(httpd_t)
-
-allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
-
-read_sysctl(httpd_t)
-
-allow httpd_t crypt_device_t:chr_file rw_file_perms;
-
-# for modules that want to access /etc/mtab and /proc/meminfo
-allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
-
-uses_shlib(httpd_t)
-allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
-allow httpd_t usr_t:lnk_file { getattr read };
-
-# for apache2 memory mapped files
-var_lib_domain(httpd)
-
-# for tomcat
-r_dir_file(httpd_t, var_lib_t)
-
-# execute perl
-allow httpd_t { bin_t sbin_t }:dir r_dir_perms;
-can_exec(httpd_t, { bin_t sbin_t })
-allow httpd_t bin_t:lnk_file read;
-
-########################################
-# Set up networking
-########################################
-
-can_network_server(httpd_t)
-can_kerberos(httpd_t)
-can_resolve(httpd_t)
-nsswitch_domain(httpd_t)
-allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
-# allow httpd to connect to mysql/posgresql 
-allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
-# allow httpd to work as a relay
-allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
-
-if (httpd_can_network_connect) {
-can_network_client(httpd_t)
-allow httpd_t port_type:tcp_socket name_connect;
-}
-
-##########################################
-# Legacy: remove when it's fixed         #
-# Allow libphp5.so with text relocations #
-##########################################
-allow httpd_t texrel_shlib_t:file execmod;
-
-#########################################
-# Allow httpd to search users directories
-#########################################
-allow httpd_t home_root_t:dir { getattr search };
-dontaudit httpd_t sysadm_home_dir_t:dir getattr;
-
-############################################################################
-# Allow the httpd_t the capability to bind to a port and various other stuff
-############################################################################
-allow httpd_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
-dontaudit httpd_t self:capability net_admin;
-
-#################################################
-# Allow the httpd_t to read the web servers config files
-###################################################
-r_dir_file(httpd_t, httpd_config_t)
-# allow logrotate to read the config files for restart
-ifdef(`logrotate.te', `
-r_dir_file(logrotate_t, httpd_config_t)
-domain_auto_trans(logrotate_t, httpd_exec_t, httpd_t)
-allow logrotate_t httpd_t:process signull;
-')
-r_dir_file(initrc_t, httpd_config_t)
-##################################################
-
-###############################
-# Allow httpd_t to put files in /var/cache/httpd etc
-##############################
-create_dir_file(httpd_t, httpd_cache_t)
-
-###############################
-# Allow httpd_t to access the tmpfs file system
-##############################
-tmpfs_domain(httpd)
-
-#####################
-# Allow httpd_t to access
-# libraries for its modules
-###############################
-allow httpd_t httpd_modules_t:file rx_file_perms;
-allow httpd_t httpd_modules_t:dir r_dir_perms;
-allow httpd_t httpd_modules_t:lnk_file r_file_perms;
-
-######################################################################
-# Allow initrc_t to access the Apache modules directory.
-######################################################################
-allow initrc_t httpd_modules_t:dir r_dir_perms;
-
-##############################################
-# Allow httpd_t to have access to files
-# such as nisswitch.conf
-# need ioctl for php
-###############################################
-allow httpd_t etc_t:file { read getattr ioctl };
-allow httpd_t etc_t:lnk_file { getattr read };
-
-# setup the system domain for system CGI scripts
-apache_domain(sys)
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
-
-# Run SSI execs in system CGI script domain.
-if (httpd_ssi_exec) {
-domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t)
-}
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
-##################################################
-#
-# PHP Directives
-##################################################
-
-type httpd_php_exec_t, file_type, sysadmfile, exec_type;
-type httpd_php_t, domain;
-
-# Transition from the user domain to this domain.
-domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t)
-
-# The system role is authorized for this domain.
-role system_r types httpd_php_t;
-
-general_domain_access(httpd_php_t)
-uses_shlib(httpd_php_t)
-can_exec(httpd_php_t, lib_t)
-
-# allow php to read and append to apache logfiles
-allow httpd_php_t httpd_log_t:file ra_file_perms;
-
-# access to /tmp
-tmp_domain(httpd)
-tmp_domain(httpd_php)
-
-# Creation of lock files for apache2
-lock_domain(httpd)
-
-# Allow apache to used public_content_t
-anonymous_domain(httpd)
-
-# connect to mysql
-ifdef(`mysqld.te', `
-can_unix_connect(httpd_php_t, mysqld_t)
-can_unix_connect(httpd_t, mysqld_t)
-can_unix_connect(httpd_sys_script_t, mysqld_t)
-allow httpd_php_t mysqld_var_run_t:dir search;
-allow httpd_php_t mysqld_var_run_t:sock_file write;
-allow { httpd_t httpd_sys_script_t } mysqld_db_t:dir search;
-allow { httpd_t httpd_sys_script_t } mysqld_db_t:sock_file rw_file_perms;
-allow { httpd_t httpd_sys_script_t } mysqld_var_run_t:sock_file rw_file_perms;
-')
-allow httpd_t bin_t:dir search;
-allow httpd_t sbin_t:dir search;
-allow httpd_t httpd_log_t:dir remove_name;
-
-read_fonts(httpd_t)
-
-allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-
-allow httpd_t autofs_t:dir { search getattr };
-
-if (use_nfs_home_dirs && httpd_enable_homedirs) {
-httpd_home_dirs(nfs_t)
-}
-if (use_samba_home_dirs && httpd_enable_homedirs) {
-httpd_home_dirs(cifs_t)
-}
-
-#
-# Allow users to mount additional directories as http_source
-#
-allow httpd_t mnt_t:dir r_dir_perms;
-
-ifdef(`targeted_policy', `
-domain_auto_trans(unconfined_t, httpd_exec_t, httpd_t)
-typealias httpd_sys_content_t alias httpd_user_content_t;
-typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
-
-if (httpd_enable_homedirs) {
-allow { httpd_t httpd_sys_script_t httpd_suexec_t } user_home_dir_t:dir { getattr search };
-}
-') dnl targeted policy
-
-# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
-typealias httpd_sys_content_t alias httpd_sysadm_content_t;
-
-ifdef(`distro_redhat', `
-#
-# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
-# This is a bug but it still exists in FC2
-#
-typealias httpd_log_t  alias httpd_runtime_t;
-allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append };
-dontaudit httpd_t httpd_runtime_t:file ioctl;
-') dnl distro_redhat
-#
-# Customer reported the following
-#
-ifdef(`snmpd.te', `
-dontaudit httpd_t snmpd_var_lib_t:dir search;
-dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
-', `
-dontaudit httpd_t usr_t:dir write;
-')
-
-application_domain(httpd_helper)
-role system_r types httpd_helper_t;
-domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
-allow httpd_helper_t httpd_config_t:file { getattr read };
-allow httpd_helper_t httpd_log_t:file { append };
-
-########################################
-# When the admin starts the server, the server wants to access
-# the TTY or PTY associated with the session. The httpd appears
-# to run correctly without this permission, so the permission
-# are dontaudited here. 
-##################################################
-
-if (httpd_tty_comm) {
-allow { httpd_t httpd_helper_t } devpts_t:dir search;
-ifdef(`targeted_policy', `
-allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file rw_file_perms;
-')
-allow { httpd_t httpd_helper_t } admin_tty_type:chr_file rw_file_perms;
-} else {
-dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
-}
-
-read_sysctl(httpd_sys_script_t)
-allow httpd_sys_script_t var_lib_t:dir search;
-dontaudit httpd_t selinux_config_t:dir search;
-r_dir_file(httpd_t, cert_t)
-
-#
-# unconfined domain for apache scripts.  Only to be used as a last resort
-#
-type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable;
-type httpd_unconfined_script_t, domain, nscd_client_domain;
-role system_r types httpd_unconfined_script_t;
-unconfined_domain(httpd_unconfined_script_t)
-
-# The following are types for SUEXEC,which runs user scripts as their
-# own user ID
-#
-daemon_sub_domain(httpd_t, httpd_suexec, `, transitionbool')
-allow httpd_t httpd_suexec_exec_t:file { getattr read };
-
-#########################################################
-# Permissions for running child processes and scripts
-##########################################################
-
-allow httpd_suexec_t self:capability { setuid setgid };
-
-dontaudit httpd_suexec_t var_run_t:dir search;
-allow httpd_suexec_t { var_t var_log_t }:dir search;
-allow httpd_suexec_t home_root_t:dir search;
-
-allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
-allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
-allow httpd_suexec_t httpd_t:fifo_file getattr;
-allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
-
-allow httpd_suexec_t etc_t:file { getattr read };
-read_locale(httpd_suexec_t)
-read_sysctl(httpd_suexec_t)
-allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
-
-# for shell scripts
-allow httpd_suexec_t bin_t:dir search;
-allow httpd_suexec_t bin_t:lnk_file read;
-can_exec(httpd_suexec_t, { bin_t shell_exec_t })
-
-if (httpd_can_network_connect) {
-can_network(httpd_suexec_t)
-allow httpd_suexec_t port_type:tcp_socket name_connect;
-}
-
-can_ypbind(httpd_suexec_t)
-allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
-
-allow httpd_suexec_t autofs_t:dir { search getattr };
-tmp_domain(httpd_suexec)
-
-if (httpd_enable_cgi && httpd_unified) {
-domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
-')
-}
-if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting) {
-domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
-create_dir_file(httpd_t, httpdcontent)
-}
-if (httpd_enable_cgi) {
-domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
-domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
-allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
-allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
-}
-
-#
-# Types for squirrelmail
-#
-type httpd_squirrelmail_t, file_type, sysadmfile;
-create_dir_file(httpd_t, httpd_squirrelmail_t)
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
-# File Type of squirrelmail attachments
-type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
-allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
-create_dir_file(httpd_t, squirrelmail_spool_t)
-r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
-
-ifdef(`mta.te', `
-# apache should set close-on-exec
-dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
-dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
-dontaudit system_mail_t httpd_log_t:file { append getattr };
-allow system_mail_t httpd_squirrelmail_t:file { append read };
-dontaudit system_mail_t httpd_t:tcp_socket { read write };
-')
-bool httpd_enable_ftp_server false;
-if (httpd_enable_ftp_server) {
-allow httpd_t ftp_port_t:tcp_socket name_bind;
-}
-
diff --git a/mls/domains/program/apmd.te b/mls/domains/program/apmd.te
deleted file mode 100644
index 82b4a4d..0000000
--- a/mls/domains/program/apmd.te
+++ /dev/null
@@ -1,157 +0,0 @@
-#DESC Apmd - Automatic Power Management daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: apmd
-#
-
-#################################
-#
-# Rules for the apmd_t domain.
-#
-daemon_domain(apmd, `, privmodule, privmail, nscd_client_domain')
-
-# for SSP
-allow apmd_t urandom_device_t:chr_file read;
-
-type apm_t, domain, privlog;
-type apm_exec_t, file_type, sysadmfile, exec_type;
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, apm_exec_t, apm_t)
-')
-uses_shlib(apm_t)
-allow apm_t privfd:fd use;
-allow apm_t admin_tty_type:chr_file rw_file_perms;
-allow apm_t device_t:dir search;
-allow apm_t self:capability { dac_override sys_admin };
-allow apm_t proc_t:dir search;
-allow apm_t proc_t:file r_file_perms;
-allow apm_t fs_t:filesystem getattr;
-allow apm_t apm_bios_t:chr_file rw_file_perms;
-role sysadm_r types apm_t;
-role system_r types apm_t;
-
-allow apmd_t device_t:lnk_file read;
-allow apmd_t proc_t:file { getattr read write };
-can_sysctl(apmd_t)
-allow apmd_t sysfs_t:file write;
-
-allow apmd_t self:unix_dgram_socket create_socket_perms;
-allow apmd_t self:unix_stream_socket create_stream_socket_perms;
-allow apmd_t self:fifo_file rw_file_perms;
-allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read };
-allow apmd_t etc_t:lnk_file read;
-
-# acpid wants a socket
-file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file)
-
-# acpid also has a logfile
-log_domain(apmd)
-tmp_domain(apmd)
-
-ifdef(`distro_suse', `
-var_lib_domain(apmd)
-')
-
-allow apmd_t self:file { getattr read ioctl };
-allow apmd_t self:process getsession;
-
-# Use capabilities.
-allow apmd_t self:capability { sys_admin sys_nice sys_time kill };
-
-# controlling an orderly resume of PCMCIA requires creating device
-# nodes 254,{0,1,2} for some reason.
-allow apmd_t self:capability mknod;
-
-# Access /dev/apm_bios.
-allow apmd_t apm_bios_t:chr_file rw_file_perms;
-
-# Run helper programs.
-can_exec_any(apmd_t)
-
-# apmd calls hwclock.sh on suspend and resume
-allow apmd_t clock_device_t:chr_file r_file_perms;
-ifdef(`hwclock.te', `
-domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
-allow apmd_t adjtime_t:file rw_file_perms;
-allow hwclock_t apmd_log_t:file append;
-allow hwclock_t apmd_t:unix_stream_socket { read write };
-')
-
-
-# to quiet fuser and ps
-# setuid for fuser, dac* for ps
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search };
-dontaudit apmd_t domain:socket_class_set getattr;
-dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr;
-dontaudit apmd_t device_type:devfile_class_set getattr;
-dontaudit apmd_t home_type:dir { search getattr };
-dontaudit apmd_t domain:key_socket getattr;
-dontaudit apmd_t domain:dir search;
-
-ifdef(`distro_redhat', `
-can_exec(apmd_t, apmd_var_run_t)
-# for /var/lock/subsys/network
-lock_domain(apmd)
-
-# ifconfig_exec_t needs to be run in its own domain for Red Hat
-ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)')
-ifdef(`iptables.te', `domain_auto_trans(apmd_t, iptables_exec_t, iptables_t)')
-ifdef(`netutils.te', `domain_auto_trans(apmd_t, netutils_exec_t, netutils_t)')
-', `
-# for ifconfig which is run all the time
-dontaudit apmd_t sysctl_t:dir search;
-')
-
-ifdef(`udev.te', `
-allow apmd_t udev_t:file { getattr read };
-allow apmd_t udev_t:lnk_file { getattr read };
-')
-#
-# apmd tells the machine to shutdown requires the following
-#
-allow apmd_t initctl_t:fifo_file write;
-allow apmd_t initrc_var_run_t:file { read write lock };
-
-#
-# Allow it to run killof5 and pidof
-#
-typeattribute apmd_t unrestricted;
-r_dir_file(apmd_t, domain)
-
-# Same for apm/acpid scripts
-domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)
-ifdef(`consoletype.te', `
-allow consoletype_t apmd_t:fd use;
-allow consoletype_t apmd_t:fifo_file write;
-')
-ifdef(`mount.te', `allow mount_t apmd_t:fd use;')
-ifdef(`crond.te', `
-domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
-allow apmd_t crond_t:fifo_file { getattr read write ioctl };
-')
-
-# for a find /dev operation that gets /dev/shm
-dontaudit apmd_t tmpfs_t:dir r_dir_perms;
-dontaudit apmd_t selinux_config_t:dir search;
-allow apmd_t user_tty_type:chr_file rw_file_perms;
-# Access /dev/apm_bios.
-allow initrc_t apm_bios_t:chr_file { setattr getattr read };
-
-ifdef(`logrotate.te', `
-allow apmd_t logrotate_t:fd use;
-')dnl end if logrotate.te
-allow apmd_t devpts_t:dir { getattr search };
-allow apmd_t security_t:dir search;
-allow apmd_t usr_t:dir search;
-r_dir_file(apmd_t, hwdata_t)
-ifdef(`targeted_policy', `
-unconfined_domain(apmd_t)
-')
-
-ifdef(`NetworkManager.te', `
-ifdef(`dbusd.te', `
-allow apmd_t NetworkManager_t:dbus send_msg;
-allow NetworkManager_t apmd_t:dbus send_msg;
-')
-')
diff --git a/mls/domains/program/arpwatch.te b/mls/domains/program/arpwatch.te
deleted file mode 100644
index 3065800..0000000
--- a/mls/domains/program/arpwatch.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC arpwatch -  keep track of ethernet/ip address pairings
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the arpwatch_t domain.
-#
-# arpwatch_exec_t is the type of the arpwatch executable.
-#
-daemon_domain(arpwatch, `, privmail')
-
-# for files created by arpwatch
-type arpwatch_data_t, file_type, sysadmfile;
-create_dir_file(arpwatch_t,arpwatch_data_t)
-tmp_domain(arpwatch)
-
-allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
-
-can_network_server(arpwatch_t)
-allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
-allow arpwatch_t self:udp_socket create_socket_perms;
-allow arpwatch_t self:unix_dgram_socket create_socket_perms;
-allow arpwatch_t self:packet_socket create_socket_perms;
-allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
-
-allow arpwatch_t { sbin_t var_lib_t }:dir search;
-allow arpwatch_t sbin_t:lnk_file read;
-r_dir_file(arpwatch_t, etc_t)
-r_dir_file(arpwatch_t, usr_t)
-can_ypbind(arpwatch_t)
-
-ifdef(`qmail.te', `
-allow arpwatch_t bin_t:dir search;
-')
-
-ifdef(`distro_gentoo', `
-allow initrc_t arpwatch_data_t:dir { add_name write };
-allow initrc_t arpwatch_data_t:file create;
-')dnl end distro_gentoo
-
-# why is mail delivered to a directory of type arpwatch_data_t?
-allow mta_delivery_agent arpwatch_data_t:dir search;
-allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
-ifdef(`hide_broken_symptoms', `
-dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
-')
diff --git a/mls/domains/program/auditd.te b/mls/domains/program/auditd.te
deleted file mode 100644
index 69b105a..0000000
--- a/mls/domains/program/auditd.te
+++ /dev/null
@@ -1,76 +0,0 @@
-#DESC auditd - System auditing daemon
-#
-# Authors: Colin Walters <walters@verbum.org>
-#
-# Some fixes by Paul Moore <paul.moore@hp.com>
-# 
-define(`audit_manager_domain', `
-allow $1 auditd_etc_t:file rw_file_perms;
-create_dir_file($1, auditd_log_t)
-domain_auto_trans($1, auditctl_exec_t, auditctl_t)
-')
-
-daemon_domain(auditd)
-
-ifdef(`mls_policy', `
-# run at the highest MLS level
-typeattribute auditd_t mlsrangetrans;
-range_transition initrc_t auditd_exec_t s15:c0.c255;
-')
-
-allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
-allow auditd_t self:unix_dgram_socket create_socket_perms;
-allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
-allow auditd_t self:process setsched;
-allow auditd_t self:file { getattr read write };
-allow auditd_t etc_t:file { getattr read };
-
-# Do not use logdir_domain since this is a security file
-type auditd_log_t, file_type, secure_file_type;
-allow auditd_t var_log_t:dir search;
-rw_dir_create_file(auditd_t, auditd_log_t)
-
-can_exec(auditd_t, init_exec_t)
-allow auditd_t initctl_t:fifo_file write;
-
-ifdef(`targeted_policy', `
-dontaudit auditd_t unconfined_t:fifo_file read;
-')
-
-type auditctl_t, domain, privlog;
-type auditctl_exec_t, file_type, exec_type, sysadmfile;
-uses_shlib(auditctl_t)
-allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
-allow auditctl_t self:capability { audit_write audit_control };
-allow auditctl_t etc_t:file { getattr read };
-allow auditctl_t admin_tty_type:chr_file rw_file_perms;
-
-type auditd_etc_t, file_type, secure_file_type;
-allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms;
-allow initrc_t auditd_etc_t:file r_file_perms;
-
-role secadm_r types auditctl_t;
-role sysadm_r types auditctl_t;
-audit_manager_domain(secadm_t)
-
-ifdef(`targeted_policy', `', `
-ifdef(`separate_secadm', `', `
-audit_manager_domain(sysadm_t)
-') 
-')
-
-role system_r types auditctl_t;
-domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)
-
-dontaudit auditctl_t local_login_t:fd use;
-allow auditctl_t proc_t:dir search;
-allow auditctl_t sysctl_kernel_t:dir search;
-allow auditctl_t sysctl_kernel_t:file { getattr read };
-dontaudit auditctl_t init_t:fd use; 
-allow auditctl_t initrc_devpts_t:chr_file { read write };
-allow auditctl_t privfd:fd use;
-
-
-allow auditd_t sbin_t:dir search;
-can_exec(auditd_t, sbin_t)
-allow auditd_t self:fifo_file rw_file_perms;
diff --git a/mls/domains/program/automount.te b/mls/domains/program/automount.te
deleted file mode 100644
index d1bb20e..0000000
--- a/mls/domains/program/automount.te
+++ /dev/null
@@ -1,79 +0,0 @@
-#DESC Automount - Automount daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>
-# Modified by Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: amd am-utils autofs
-#
-
-#################################
-#
-# Rules for the automount_t domain.
-#
-daemon_domain(automount)
-
-etc_domain(automount)
-
-# for SSP
-allow automount_t urandom_device_t:chr_file read;
-
-# for if the mount point is not labelled
-allow automount_t file_t:dir getattr;
-allow automount_t default_t:dir getattr;
-
-allow automount_t autofs_t:dir { create_dir_perms ioctl };
-allow automount_t fs_type:dir getattr;
-
-allow automount_t { etc_t etc_runtime_t }:file { getattr read };
-allow automount_t proc_t:file { getattr read };
-allow automount_t self:process { getpgid setpgid setsched };
-allow automount_t self:capability { sys_nice dac_override };
-allow automount_t self:unix_stream_socket create_socket_perms;
-allow automount_t self:unix_dgram_socket create_socket_perms;
-
-# because config files can be shell scripts
-can_exec(automount_t, { etc_t automount_etc_t })
-
-can_network_server(automount_t)
-can_resolve(automount_t)
-can_ypbind(automount_t)
-can_ldap(automount_t)
-
-ifdef(`fsadm.te', `
-domain_auto_trans(automount_t, fsadm_exec_t, fsadm_t)
-')
-
-lock_domain(automount)
-
-tmp_domain(automount)
-allow automount_t self:fifo_file rw_file_perms;
-
-# Run mount in the mount_t domain.
-domain_auto_trans(automount_t, mount_exec_t, mount_t)
-allow mount_t autofs_t:dir { search mounton read };
-allow mount_t automount_tmp_t:dir mounton;
-
-ifdef(`apmd.te',
-`domain_auto_trans(apmd_t, automount_exec_t, automount_t)
-can_exec(automount_t, bin_t)')
-
-allow automount_t { bin_t sbin_t }:dir search;
-can_exec(automount_t, mount_exec_t)
-can_exec(automount_t, shell_exec_t)
-
-allow mount_t autofs_t:dir getattr;
-dontaudit automount_t var_t:dir write;
-
-allow userdomain autofs_t:dir r_dir_perms;
-allow kernel_t autofs_t:dir { getattr ioctl read search };
-
-allow automount_t { boot_t home_root_t }:dir getattr;
-allow automount_t mnt_t:dir { getattr search };
-
-can_exec(initrc_t, automount_etc_t)
-
-# Allow automount to create and delete directories in / and /home
-file_type_auto_trans(automount_t, { root_t home_root_t }, automount_tmp_t, dir)
-
-allow automount_t var_lib_t:dir search;
-allow automount_t var_lib_nfs_t:dir search;
-
diff --git a/mls/domains/program/avahi.te b/mls/domains/program/avahi.te
deleted file mode 100644
index 861559d..0000000
--- a/mls/domains/program/avahi.te
+++ /dev/null
@@ -1,31 +0,0 @@
-#DESC avahi - mDNS/DNS-SD daemon implementing Apple’s ZeroConf architecture
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-
-daemon_domain(avahi, `, privsysmod')
-r_dir_file(avahi_t, proc_net_t)
-can_network_server(avahi_t)
-can_ypbind(avahi_t)
-allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow avahi_t self:unix_dgram_socket  create_socket_perms;
-allow avahi_t self:capability { dac_override setgid chown kill setuid };
-allow avahi_t urandom_device_t:chr_file r_file_perms;
-allow avahi_t howl_port_t:{ udp_socket tcp_socket } name_bind;
-allow avahi_t self:fifo_file { read write };
-allow avahi_t self:netlink_route_socket r_netlink_socket_perms;
-allow avahi_t self:process setrlimit;
-allow avahi_t etc_t:file { getattr read };
-allow avahi_t initrc_t:process { signal signull };
-allow avahi_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow avahi_t avahi_var_run_t:dir setattr;
-allow avahi_t avahi_var_run_t:sock_file create_file_perms;
-
-ifdef(`dbusd.te', `
-dbusd_client(system, avahi)
-ifdef(`targeted_policy', `
-allow avahi_t unconfined_t:dbus send_msg;
-allow unconfined_t avahi_t:dbus send_msg;
-')
-')
-
diff --git a/mls/domains/program/bluetooth.te b/mls/domains/program/bluetooth.te
deleted file mode 100644
index c6c5631..0000000
--- a/mls/domains/program/bluetooth.te
+++ /dev/null
@@ -1,116 +0,0 @@
-#DESC Bluetooth 
-#
-# Authors:  Dan Walsh
-# RH-Packages: Bluetooth
-#
-
-#################################
-#
-# Rules for the bluetooth_t domain.
-#
-daemon_domain(bluetooth)
-
-file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
-file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
-
-tmp_domain(bluetooth)
-var_lib_domain(bluetooth)
-
-# Use capabilities.
-allow bluetooth_t self:file read;
-allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
-allow bluetooth_t self:process getsched;
-allow bluetooth_t proc_t:file { getattr read };
-
-allow bluetooth_t self:shm create_shm_perms;
-
-lock_domain(bluetooth)
-
-# Use the network.
-can_network(bluetooth_t)
-can_ypbind(bluetooth_t)
-ifdef(`dbusd.te', `
-dbusd_client(system, bluetooth)
-allow bluetooth_t system_dbusd_t:dbus send_msg;
-')
-allow bluetooth_t self:socket create_stream_socket_perms;
-
-allow bluetooth_t self:unix_dgram_socket create_socket_perms;
-allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
-
-dontaudit bluetooth_t sysadm_devpts_t:chr_file { read write };
-
-# bluetooth_conf_t is the type of the /etc/bluetooth dir.
-type bluetooth_conf_t, file_type, sysadmfile;
-type bluetooth_conf_rw_t, file_type, sysadmfile;
-
-# Read /etc/bluetooth
-allow bluetooth_t bluetooth_conf_t:dir search;
-allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
-#/usr/sbin/hid2hci causes the following
-allow initrc_t usbfs_t:file { getattr read };
-allow bluetooth_t usbfs_t:dir r_dir_perms;
-allow bluetooth_t usbfs_t:file rw_file_perms; 
-allow bluetooth_t bin_t:dir search;
-can_exec(bluetooth_t, { bin_t shell_exec_t })
-allow bluetooth_t bin_t:lnk_file read;
-
-#Handle bluetooth serial devices
-allow bluetooth_t tty_device_t:chr_file rw_file_perms;
-allow bluetooth_t self:fifo_file rw_file_perms;
-allow bluetooth_t { etc_t etc_runtime_t }:file { getattr read };
-r_dir_file(bluetooth_t, fonts_t)
-allow bluetooth_t urandom_device_t:chr_file r_file_perms;
-allow bluetooth_t usr_t:file { getattr read };
-
-application_domain(bluetooth_helper, `, nscd_client_domain')
-domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
-role system_r types bluetooth_helper_t;
-read_locale(bluetooth_helper_t) 
-typeattribute bluetooth_helper_t unrestricted;
-r_dir_file(bluetooth_helper_t, domain)
-allow bluetooth_helper_t bin_t:dir { getattr search };
-can_exec(bluetooth_helper_t, { bin_t shell_exec_t })
-allow bluetooth_helper_t bin_t:lnk_file read;
-allow bluetooth_helper_t self:capability sys_nice;
-allow bluetooth_helper_t self:fifo_file rw_file_perms;
-allow bluetooth_helper_t self:process { fork getsched sigchld };
-allow bluetooth_helper_t self:shm create_shm_perms;
-allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
-allow bluetooth_helper_t { etc_t etc_runtime_t }:file { getattr read };
-r_dir_file(bluetooth_helper_t, fonts_t)
-r_dir_file(bluetooth_helper_t, proc_t)
-read_sysctl(bluetooth_helper_t)
-allow bluetooth_helper_t tmp_t:dir search;
-allow bluetooth_helper_t usr_t:file { getattr read };
-allow bluetooth_helper_t home_dir_type:dir search;
-ifdef(`xserver.te', `
-allow bluetooth_helper_t xserver_log_t:dir search;
-allow bluetooth_helper_t xserver_log_t:file { getattr read };
-')
-ifdef(`targeted_policy', `
-allow bluetooth_helper_t tmp_t:sock_file { read write };
-allow bluetooth_helper_t tmpfs_t:file { read write };
-allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
-allow bluetooth_t unconfined_t:dbus send_msg;
-allow unconfined_t bluetooth_t:dbus send_msg;
-', `
-ifdef(`xdm.te', `
-allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
-')
-allow bluetooth_t unpriv_userdomain:dbus send_msg;
-allow unpriv_userdomain bluetooth_t:dbus send_msg;
-')
-allow bluetooth_helper_t bluetooth_t:socket { read write };
-allow bluetooth_helper_t self:unix_dgram_socket create_socket_perms;
-allow bluetooth_helper_t self:unix_stream_socket connectto;
-tmp_domain(bluetooth_helper)
-allow bluetooth_helper_t urandom_device_t:chr_file r_file_perms;
-
-dontaudit bluetooth_helper_t default_t:dir { read search };
-dontaudit bluetooth_helper_t { devtty_t ttyfile }:chr_file { read write };
-dontaudit bluetooth_helper_t home_dir_type:dir r_dir_perms;
-ifdef(`xserver.te', `
-allow bluetooth_helper_t xserver_log_t:dir search;
-allow bluetooth_helper_t xserver_log_t:file { getattr read };
-')
diff --git a/mls/domains/program/bonobo.te b/mls/domains/program/bonobo.te
deleted file mode 100644
index c23f1d2..0000000
--- a/mls/domains/program/bonobo.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# DESC - Bonobo Activation Server 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-# Type for executable
-type bonobo_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in macros/bonobo_macros.te
diff --git a/mls/domains/program/bootloader.te b/mls/domains/program/bootloader.te
deleted file mode 100644
index 37e1c19..0000000
--- a/mls/domains/program/bootloader.te
+++ /dev/null
@@ -1,167 +0,0 @@
-#DESC Bootloader - Lilo boot loader/manager
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: lilo
-#
-
-#################################
-#
-# Rules for the bootloader_t domain.
-#
-# bootloader_exec_t is the type of the bootloader executable.
-#
-type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role') ifdef(`distro_debian', `, privowner, admin');
-type bootloader_exec_t, file_type, sysadmfile, exec_type;
-etc_domain(bootloader)
-
-role sysadm_r types bootloader_t;
-role system_r types bootloader_t;
-
-allow bootloader_t var_t:dir search;
-create_append_log_file(bootloader_t, var_log_t)
-allow bootloader_t var_log_t:file write;
-
-# for nscd
-dontaudit bootloader_t var_run_t:dir search;
-
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
-')
-allow bootloader_t { initrc_t privfd }:fd use;
-
-tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file })
-
-read_locale(bootloader_t)
-
-# for tune2fs
-file_type_auto_trans(bootloader_t, root_t, bootloader_tmp_t, file)
-
-# for /vmlinuz sym link
-allow bootloader_t root_t:lnk_file read;
-
-# lilo would need read access to get BIOS data
-allow bootloader_t proc_kcore_t:file getattr;
-
-allow bootloader_t { etc_t device_t }:dir r_dir_perms;
-allow bootloader_t etc_t:file r_file_perms;
-allow bootloader_t etc_t:lnk_file read;
-allow bootloader_t initctl_t:fifo_file getattr;
-uses_shlib(bootloader_t)
-
-ifdef(`distro_debian', `
-allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
-allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
-allow bootloader_t boot_t:file relabelfrom;
-allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
-allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
-allow bootloader_t usr_t:lnk_file read;
-allow bootloader_t tmpfs_t:dir r_dir_perms;
-allow bootloader_t initrc_var_run_t:dir r_dir_perms;
-allow bootloader_t var_lib_t:dir search;
-allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
-allow bootloader_t dpkg_var_lib_t:file { getattr read };
-# for /usr/share/initrd-tools/scripts
-can_exec(bootloader_t, usr_t)
-')
-
-allow bootloader_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
-dontaudit bootloader_t device_t:{ chr_file blk_file } rw_file_perms;
-allow bootloader_t device_t:lnk_file { getattr read };
-
-# LVM2 / Device Mapper's /dev/mapper/control
-# maybe we should change the labeling for this
-ifdef(`lvm.te', `
-allow bootloader_t lvm_control_t:chr_file rw_file_perms;
-domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)
-allow lvm_t bootloader_tmp_t:file rw_file_perms;
-r_dir_file(bootloader_t, lvm_etc_t)
-')
-
-# uncomment the following line if you use "lilo -p"
-#file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file);
-
-can_exec_any(bootloader_t)
-allow bootloader_t shell_exec_t:lnk_file read;
-allow bootloader_t { bin_t sbin_t }:dir search;
-allow bootloader_t { bin_t sbin_t }:lnk_file read;
-
-allow bootloader_t { modules_dep_t modules_object_t modules_conf_t }:file r_file_perms;
-allow bootloader_t modules_object_t:dir r_dir_perms;
-ifdef(`distro_redhat', `
-allow bootloader_t modules_object_t:lnk_file { getattr read };
-')
-
-# for ldd
-ifdef(`fsadm.te', `
-allow bootloader_t fsadm_exec_t:file { rx_file_perms execute_no_trans };
-')
-ifdef(`modutil.te', `
-allow bootloader_t insmod_exec_t:file { rx_file_perms execute_no_trans };
-')
-
-dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
-
-allow bootloader_t boot_t:dir { create rw_dir_perms };
-allow bootloader_t boot_t:file create_file_perms;
-allow bootloader_t boot_t:lnk_file create_lnk_perms;
-
-allow bootloader_t load_policy_exec_t:file { getattr read };
-
-allow bootloader_t random_device_t:chr_file { getattr read };
-
-ifdef(`distro_redhat', `
-# for mke2fs
-domain_auto_trans(bootloader_t, mount_exec_t, mount_t);
-allow mount_t bootloader_tmp_t:dir mounton;
-
-# new file system defaults to file_t, granting file_t access is still bad.
-allow bootloader_t file_t:dir create_dir_perms;
-allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
-allow bootloader_t file_t:lnk_file create_lnk_perms;
-allow bootloader_t self:unix_stream_socket create_socket_perms;
-allow bootloader_t boot_runtime_t:file { read getattr unlink };
-
-# for memlock
-allow bootloader_t zero_device_t:chr_file { getattr read };
-allow bootloader_t self:capability ipc_lock;
-')
-
-allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
-# allow bootloader to get attributes of any device node
-allow bootloader_t { device_type ttyfile }:chr_file getattr;
-allow bootloader_t device_type:blk_file getattr;
-dontaudit bootloader_t devpts_t:dir create_dir_perms;
-
-allow bootloader_t self:process { fork signal_perms };
-allow bootloader_t self:lnk_file read;
-allow bootloader_t self:dir search;
-allow bootloader_t self:file { getattr read };
-allow bootloader_t self:fifo_file rw_file_perms;
-
-allow bootloader_t fs_t:filesystem getattr;
-
-allow bootloader_t proc_t:dir { getattr search };
-allow bootloader_t proc_t:file r_file_perms;
-allow bootloader_t proc_t:lnk_file { getattr read };
-allow bootloader_t proc_mdstat_t:file r_file_perms;
-allow bootloader_t self:dir { getattr search read };
-read_sysctl(bootloader_t)
-allow bootloader_t etc_runtime_t:file r_file_perms;
-
-allow bootloader_t devtty_t:chr_file rw_file_perms;
-allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
-allow bootloader_t initrc_t:fifo_file { read write };
-
-# for reading BIOS data
-allow bootloader_t memory_device_t:chr_file r_file_perms;
-
-allow bootloader_t policy_config_t:dir { search read };
-allow bootloader_t policy_config_t:file { getattr read };
-
-allow bootloader_t lib_t:file { getattr read };
-allow bootloader_t sysfs_t:dir getattr;
-allow bootloader_t urandom_device_t:chr_file read;
-allow bootloader_t { usr_t var_t }:file { getattr read };
-r_dir_file(bootloader_t, src_t)
-dontaudit bootloader_t selinux_config_t:dir search;
-dontaudit bootloader_t sysctl_t:dir search;
diff --git a/mls/domains/program/canna.te b/mls/domains/program/canna.te
deleted file mode 100644
index feb4e52..0000000
--- a/mls/domains/program/canna.te
+++ /dev/null
@@ -1,46 +0,0 @@
-#DESC canna - A Japanese character set input system.
-#
-# Authors: Dan Walsh <dwalsh@redhat.com>
-#
-#
-
-#################################
-#
-# Rules for the canna_t domain.
-#
-daemon_domain(canna)
-
-file_type_auto_trans(canna_t, var_run_t, canna_var_run_t, sock_file)
-
-logdir_domain(canna)
-var_lib_domain(canna)
-
-allow canna_t self:capability { setgid setuid net_bind_service };
-allow canna_t tmp_t:dir { search };
-allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
-allow canna_t self:unix_dgram_socket create_stream_socket_perms;
-allow canna_t etc_t:file { getattr read };
-allow canna_t usr_t:file { getattr read };
-
-allow canna_t proc_t:file r_file_perms;
-allow canna_t etc_runtime_t:file r_file_perms;
-allow canna_t canna_var_lib_t:dir create;
-
-rw_dir_create_file(canna_t, canna_var_lib_t)
-
-can_network_tcp(canna_t)
-allow canna_t port_type:tcp_socket name_connect;
-can_ypbind(canna_t)
-
-allow userdomain canna_var_run_t:dir search;
-allow userdomain canna_var_run_t:sock_file write;
-can_unix_connect(userdomain, canna_t)
-
-ifdef(`i18n_input.te', `
-allow i18n_input_t canna_var_run_t:dir search;
-allow i18n_input_t canna_var_run_t:sock_file write;
-can_unix_connect(i18n_input_t, canna_t)
-')
-
-dontaudit canna_t kernel_t:fd use;
-dontaudit canna_t root_t:file read;
diff --git a/mls/domains/program/cardmgr.te b/mls/domains/program/cardmgr.te
deleted file mode 100644
index 8f78988..0000000
--- a/mls/domains/program/cardmgr.te
+++ /dev/null
@@ -1,90 +0,0 @@
-#DESC Cardmgr - PCMCIA control programs
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: pcmcia-cs
-#
-
-#################################
-#
-# Rules for the cardmgr_t domain.
-#
-daemon_domain(cardmgr, `, privmodule')
-
-# for SSP
-allow cardmgr_t urandom_device_t:chr_file read;
-
-type cardctl_exec_t, file_type, sysadmfile, exec_type;
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t)
-')
-role sysadm_r types cardmgr_t;
-allow cardmgr_t admin_tty_type:chr_file { read write };
-
-allow cardmgr_t sysfs_t:dir search;
-allow cardmgr_t home_root_t:dir search;
-
-# Use capabilities (net_admin for route), setuid for cardctl
-allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
-
-# for /etc/resolv.conf
-file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file)
-
-allow cardmgr_t etc_runtime_t:file { getattr read };
-
-allow cardmgr_t modules_object_t:dir search;
-allow cardmgr_t self:unix_dgram_socket create_socket_perms;
-allow cardmgr_t self:unix_stream_socket create_socket_perms;
-allow cardmgr_t self:fifo_file rw_file_perms;
-
-# Create stab file
-var_lib_domain(cardmgr)
-
-# for /var/lib/misc/pcmcia-scheme
-# would be better to have it in a different type if I knew how it was created..
-allow cardmgr_t var_lib_t:file { getattr read };
-
-# Create device files in /tmp.
-type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type, dev_fs;
-file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
-
-# Create symbolic links in /dev.
-type cardmgr_lnk_t, file_type, sysadmfile;
-file_type_auto_trans(cardmgr_t, device_t, cardmgr_lnk_t, lnk_file)
-
-# Run a shell, normal commands, /etc/pcmcia scripts. 
-can_exec_any(cardmgr_t)
-allow cardmgr_t etc_t:lnk_file read;
-
-# Run ifconfig.
-domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t)
-allow ifconfig_t cardmgr_t:fd use;
-
-allow cardmgr_t proc_t:file { getattr read ioctl };
-
-# Read /proc/PID directories for all domains (for fuser).
-can_ps(cardmgr_t, domain -unrestricted)
-dontaudit cardmgr_t unrestricted:dir search;
-
-allow cardmgr_t device_type:{ chr_file blk_file } getattr;
-allow cardmgr_t ttyfile:chr_file getattr;
-dontaudit cardmgr_t ptyfile:chr_file getattr;
-dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;
-dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr;
-dontaudit cardmgr_t proc_kmsg_t:file getattr;
-
-allow cardmgr_t tty_device_t:chr_file rw_file_perms;
-
-ifdef(`apmd.te', `
-domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
-')
-
-ifdef(`hide_broken_symptoms', `
-dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
-dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
-')
-ifdef(`hald.te', `
-rw_dir_file(hald_t, cardmgr_var_run_t)
-allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
-')
-allow cardmgr_t device_t:lnk_file { getattr read };
diff --git a/mls/domains/program/cdrecord.te b/mls/domains/program/cdrecord.te
deleted file mode 100644
index 6460090..0000000
--- a/mls/domains/program/cdrecord.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# DESC cdrecord - record audio or data Compact Disks or Digital Versatile Disks from a master
-#
-# Author: Thomas Bleher <ThomasBleher@gmx.de>
-
-# Type for the cdrecord excutable.
-type cdrecord_exec_t, file_type, sysadmfile, exec_type;
-
-# everything else is in the cdrecord_domain macros in
-# macros/program/cdrecord_macros.te.
-
diff --git a/mls/domains/program/certwatch.te b/mls/domains/program/certwatch.te
deleted file mode 100644
index 2abb168..0000000
--- a/mls/domains/program/certwatch.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#DESC certwatch - generate SSL certificate expiry warnings
-#
-# Domains for the certwatch process 
-# Authors:  Dan Walsh <dwalsh@redhat.com>,
-#
-application_domain(certwatch)
-role system_r types certwatch_t;
-r_dir_file(certwatch_t, cert_t)
-can_exec(certwatch_t, httpd_modules_t)
-system_crond_entry(certwatch_exec_t, certwatch_t)
-read_locale(certwatch_t) 
diff --git a/mls/domains/program/checkpolicy.te b/mls/domains/program/checkpolicy.te
deleted file mode 100644
index 0cfa5a0..0000000
--- a/mls/domains/program/checkpolicy.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#DESC Checkpolicy - SELinux policy compliler
-#
-# Authors:  Frank Mayer, mayerf@tresys.com
-# X-Debian-Packages: checkpolicy
-#
-
-###########################
-# 
-# checkpolicy_t is the domain type for checkpolicy
-# checkpolicy_exec_t if file type for the executable
-
-type checkpolicy_t, domain;
-role sysadm_r types checkpolicy_t;
-role system_r types checkpolicy_t;
-role secadm_r types checkpolicy_t;
-
-type checkpolicy_exec_t, file_type, exec_type, sysadmfile;
-
-##########################
-# 
-# Rules
-
-domain_auto_trans(secadmin, checkpolicy_exec_t, checkpolicy_t)
-
-# able to create and modify binary policy files
-allow checkpolicy_t policy_config_t:dir rw_dir_perms;
-allow checkpolicy_t policy_config_t:file create_file_perms;
-
-###########################
-# constrain what checkpolicy can use as source files
-#
-
-# only allow read of policy source files
-allow checkpolicy_t policy_src_t:dir r_dir_perms;
-allow checkpolicy_t policy_src_t:{ file lnk_file } r_file_perms;
-
-# allow test policies to be created in src directories
-file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
-
-# directory search permissions for path to source and binary policy files
-allow checkpolicy_t root_t:dir search;
-allow checkpolicy_t etc_t:dir search;
-
-# Read the devpts root directory.  
-allow checkpolicy_t devpts_t:dir r_dir_perms;
-ifdef(`sshd.te',
-`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
-
-# Other access
-allow checkpolicy_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
-uses_shlib(checkpolicy_t)
-allow checkpolicy_t self:capability dac_override;
-
-##########################
-# Allow users to execute checkpolicy without a domain transition
-# so it can be used without privilege to write real binary policy file
-can_exec(unpriv_userdomain, checkpolicy_exec_t)
-
-allow checkpolicy_t { userdomain privfd }:fd use;
-
-allow checkpolicy_t fs_t:filesystem getattr;
-allow checkpolicy_t console_device_t:chr_file { read write };
-allow checkpolicy_t init_t:fd use;
-allow checkpolicy_t selinux_config_t:dir search;
diff --git a/mls/domains/program/chkpwd.te b/mls/domains/program/chkpwd.te
deleted file mode 100644
index 22ac7f2..0000000
--- a/mls/domains/program/chkpwd.te
+++ /dev/null
@@ -1,18 +0,0 @@
-#DESC Chkpwd - PAM password checking programs
-# X-Debian-Packages: libpam-modules
-#
-# Domains for the /sbin/.*_chkpwd utilities.
-#
-
-#
-# chkpwd_exec_t is the type of the /sbin/.*_chkpwd executables.
-#
-type chkpwd_exec_t, file_type, sysadmfile, exec_type;
-
-chkpwd_domain(system)
-dontaudit system_chkpwd_t privfd:fd use;
-role sysadm_r types system_chkpwd_t;
-in_user_role(system_chkpwd_t)
-
-# Everything else is in the chkpwd_domain macro in
-# macros/program/chkpwd_macros.te.
diff --git a/mls/domains/program/chroot.te b/mls/domains/program/chroot.te
deleted file mode 100644
index 8992c66..0000000
--- a/mls/domains/program/chroot.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#DESC Chroot - Establish chroot environments
-#
-# Author: Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: 
-#
-type chroot_exec_t, file_type, sysadmfile, exec_type;
-
-# For a chroot environment named potato that can be entered from user_t (so
-# the user can run an old version of Debian in a chroot), with the possibility
-# of user_devpts_t or user_tty_device_t being the controlling tty type for
-# administration.  This also defines a mount_domain for the user (so they can
-# mount file systems).
-#chroot(user, potato)
-# For a chroot environment named apache that can be entered from initrc_t for
-# running a different version of apache.
-# initrc is a special case, uses the system_r role (usually appends "_r" to
-# the base name of the parent domain), and has sysadm_devpts_t and
-# sysadm_tty_device_t for the controlling terminal
-#chroot(initrc, apache)
-
-# the main code is in macros/program/chroot_macros.te
diff --git a/mls/domains/program/comsat.te b/mls/domains/program/comsat.te
deleted file mode 100644
index cd0e3f9..0000000
--- a/mls/domains/program/comsat.te
+++ /dev/null
@@ -1,20 +0,0 @@
-#DESC comsat - biff server
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the comsat_t domain.
-#
-# comsat_exec_t is the type of the comsat executable.
-#
-
-inetd_child_domain(comsat, udp)
-allow comsat_t initrc_var_run_t:file r_file_perms;
-dontaudit comsat_t initrc_var_run_t:file write;
-allow comsat_t mail_spool_t:dir r_dir_perms;
-allow comsat_t mail_spool_t:lnk_file read;
-allow comsat_t var_spool_t:dir search;
-dontaudit comsat_t sysadm_tty_device_t:chr_file getattr;
diff --git a/mls/domains/program/consoletype.te b/mls/domains/program/consoletype.te
deleted file mode 100644
index b1cc126..0000000
--- a/mls/domains/program/consoletype.te
+++ /dev/null
@@ -1,65 +0,0 @@
-#DESC consoletype - determine the type of a console device
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: 
-#
-
-#################################
-#
-# Rules for the consoletype_t domain.
-#
-# consoletype_t is the domain for the consoletype program.
-# consoletype_exec_t is the type of the corresponding program.
-#
-type consoletype_t, domain, mlsfileread, mlsfilewrite;
-type consoletype_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types consoletype_t;
-
-uses_shlib(consoletype_t)
-general_domain_access(consoletype_t)
-
-ifdef(`targeted_policy', `', `
-domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)
-
-ifdef(`xdm.te', `
-domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
-allow consoletype_t xdm_tmp_t:file { read write };
-')
-
-ifdef(`hotplug.te', `
-domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t)
-')
-')
-
-allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms;
-
-allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
-
-# Use capabilities.
-allow consoletype_t self:capability sys_admin;
-
-allow consoletype_t console_device_t:chr_file { getattr ioctl read write };
-allow consoletype_t initrc_t:fifo_file write;
-allow consoletype_t nfs_t:file write;
-allow consoletype_t sysadm_t:fifo_file rw_file_perms;
-
-ifdef(`lpd.te', `
-allow consoletype_t printconf_t:file { getattr read };
-')
-
-ifdef(`pam.te', `
-allow consoletype_t pam_var_run_t:file { getattr read };
-')
-ifdef(`distro_redhat', `
-allow consoletype_t tmpfs_t:chr_file rw_file_perms;
-')
-ifdef(`firstboot.te', `
-allow consoletype_t firstboot_t:fifo_file write;
-')
-dontaudit consoletype_t proc_t:dir search;
-dontaudit consoletype_t proc_t:file read;
-dontaudit consoletype_t root_t:file read;
-allow consoletype_t crond_t:fifo_file { read getattr ioctl };
-allow consoletype_t system_crond_t:fd use;
-allow consoletype_t fs_t:filesystem getattr;
diff --git a/mls/domains/program/cpucontrol.te b/mls/domains/program/cpucontrol.te
deleted file mode 100644
index 23a13b7..0000000
--- a/mls/domains/program/cpucontrol.te
+++ /dev/null
@@ -1,17 +0,0 @@
-#DESC cpucontrol - domain for microcode_ctl and other programs to control CPU
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-type cpucontrol_conf_t, file_type, sysadmfile;
-
-daemon_base_domain(cpucontrol)
-
-# Access cpu devices.
-allow cpucontrol_t cpu_device_t:chr_file rw_file_perms;
-allow cpucontrol_t device_t:lnk_file { getattr read };
-allow initrc_t cpu_device_t:chr_file getattr;
-
-allow cpucontrol_t self:capability sys_rawio;
-
-r_dir_file(cpucontrol_t, cpucontrol_conf_t)
diff --git a/mls/domains/program/cpuspeed.te b/mls/domains/program/cpuspeed.te
deleted file mode 100644
index b80f705..0000000
--- a/mls/domains/program/cpuspeed.te
+++ /dev/null
@@ -1,17 +0,0 @@
-#DESC cpuspeed - domain for microcode_ctl, powernowd, etc
-#
-# Authors:  Russell Coker <russell@coker.com.au>
-#           Thomas Bleher <ThomasBleher@gmx.de>
-#
-
-daemon_base_domain(cpuspeed)
-read_locale(cpuspeed_t)
-
-allow cpuspeed_t sysfs_t:dir search;
-allow cpuspeed_t sysfs_t:file rw_file_perms;
-allow cpuspeed_t proc_t:dir r_dir_perms;
-allow cpuspeed_t proc_t:file { getattr read };
-allow cpuspeed_t { etc_t etc_runtime_t }:file { getattr read };
-
-allow cpuspeed_t self:process setsched;
-allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
diff --git a/mls/domains/program/crack.te b/mls/domains/program/crack.te
deleted file mode 100644
index 1706f6e..0000000
--- a/mls/domains/program/crack.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC Crack - Password cracking application
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: crack
-#
-
-#################################
-#
-# Rules for the crack_t domain.
-#
-# crack_exec_t is the type of the crack executable.
-#
-system_domain(crack)
-ifdef(`crond.te', `
-system_crond_entry(crack_exec_t, crack_t)
-')
-
-# for SSP
-allow crack_t urandom_device_t:chr_file read;
-
-type crack_db_t, file_type, sysadmfile, usercanread;
-allow crack_t var_t:dir search;
-rw_dir_create_file(crack_t, crack_db_t)
-
-allow crack_t device_t:dir search;
-allow crack_t devtty_t:chr_file rw_file_perms;
-allow crack_t self:fifo_file { read write getattr };
-
-tmp_domain(crack)
-
-# for dictionaries
-allow crack_t usr_t:file { getattr read };
-
-can_exec(crack_t, bin_t)
-allow crack_t { bin_t sbin_t }:dir search;
-
-allow crack_t self:process { fork signal_perms };
-
-allow crack_t proc_t:dir { read search };
-allow crack_t proc_t:file { read getattr };
-
-# read config files
-allow crack_t { etc_t etc_runtime_t }:file { getattr read };
-allow crack_t etc_t:dir r_dir_perms;
-
-allow crack_t fs_t:filesystem getattr;
-
-dontaudit crack_t sysadm_home_dir_t:dir { getattr search };
diff --git a/mls/domains/program/crond.te b/mls/domains/program/crond.te
deleted file mode 100644
index 4649348..0000000
--- a/mls/domains/program/crond.te
+++ /dev/null
@@ -1,214 +0,0 @@
-#DESC Crond - Crond daemon
-#
-# Domains for the top-level crond daemon process and
-# for system cron jobs.  The domains for user cron jobs
-# are in macros/program/crond_macros.te.
-#
-# X-Debian-Packages: cron
-# Authors:  Jonathan Crowley (MITRE) <jonathan@mitre.org>,
-#	    Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
-#
-
-# NB The constraints file has some entries for crond_t, this makes it
-# different from all other domains...
-
-# Domain for crond.  It needs auth_chkpwd to check for locked accounts.
-daemon_domain(crond, `, privmail, auth_chkpwd, privfd, nscd_client_domain')
-
-# This domain is granted permissions common to most domains (including can_net)
-general_domain_access(crond_t)
-
-# Type for the anacron executable.
-type anacron_exec_t, file_type, sysadmfile, exec_type;
-
-# Type for temporary files.
-tmp_domain(crond)
-
-crond_domain(system)
-
-allow system_crond_t proc_mdstat_t:file { getattr read };
-allow system_crond_t proc_t:lnk_file read;
-allow system_crond_t proc_t:filesystem getattr;
-allow system_crond_t usbdevfs_t:filesystem getattr;
-
-ifdef(`mta.te', `
-allow mta_user_agent system_crond_t:fd use;
-')
-
-# read files in /etc
-allow system_crond_t etc_t:file r_file_perms;
-allow system_crond_t etc_runtime_t:file { getattr read };
-
-allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
-
-read_locale(crond_t)
-
-# Use capabilities.
-allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice audit_control };
-dontaudit crond_t self:capability sys_resource;
-
-# Get security policy decisions.
-can_getsecurity(crond_t)
-
-# for finding binaries and /bin/sh
-allow crond_t { bin_t sbin_t }:dir search;
-allow crond_t { bin_t sbin_t }:lnk_file read;
-
-# Read from /var/spool/cron.
-allow crond_t var_lib_t:dir search;
-allow crond_t var_spool_t:dir r_dir_perms;
-allow crond_t cron_spool_t:dir r_dir_perms;
-allow crond_t cron_spool_t:file r_file_perms;
-
-# Read /etc/security/default_contexts.
-r_dir_file(crond_t, default_context_t)
-
-allow crond_t etc_t:file { getattr read };
-allow crond_t etc_t:lnk_file read;
-
-allow crond_t default_t:dir search;
-
-# crond tries to search /root.  Not sure why.
-allow crond_t sysadm_home_dir_t:dir r_dir_perms;
-
-# to search /home
-allow crond_t home_root_t:dir { getattr search };
-allow crond_t user_home_dir_type:dir r_dir_perms;
-
-# Run a shell.
-can_exec(crond_t, shell_exec_t)
-
-ifdef(`distro_redhat', `
-# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
-# via redirection of standard out.
-ifdef(`rpm.te', `
-allow crond_t rpm_log_t: file create_file_perms;
-
-system_crond_entry(rpm_exec_t, rpm_t)
-allow system_crond_t rpm_log_t:file create_file_perms;
-#read ahead wants to read this
-allow initrc_t system_cron_spool_t:file { getattr read };
-')
-')
-
-allow system_crond_t var_log_t:file r_file_perms;
-
-
-# Set exec context.
-can_setexec(crond_t)
-
-# Transition to this domain for anacron as well.
-# Still need to study anacron.
-domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
-
-# Inherit and use descriptors from init for anacron.
-allow system_crond_t init_t:fd use;
-
-# Inherit and use descriptors from initrc for anacron.
-allow system_crond_t initrc_t:fd use;
-can_access_pty(system_crond_t, initrc)
-
-# Use capabilities.
-allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
-
-allow crond_t urandom_device_t:chr_file { getattr read };
-
-# Read the system crontabs.
-allow system_crond_t system_cron_spool_t:file r_file_perms;
-
-allow crond_t system_cron_spool_t:dir r_dir_perms;
-allow crond_t system_cron_spool_t:file r_file_perms;
-
-# Read from /var/spool/cron.
-allow system_crond_t cron_spool_t:dir r_dir_perms;
-allow system_crond_t cron_spool_t:file r_file_perms;
-
-# Write to /var/lib/slocate.db.
-allow system_crond_t var_lib_t:dir rw_dir_perms;
-allow system_crond_t var_lib_t:file create_file_perms;
-
-# Update whatis files.
-allow system_crond_t man_t:dir create_dir_perms;
-allow system_crond_t man_t:file create_file_perms;
-allow system_crond_t man_t:lnk_file read;
-
-# Write /var/lock/makewhatis.lock.
-lock_domain(system_crond)
-
-# for if /var/mail is a symlink
-allow { system_crond_t crond_t } mail_spool_t:lnk_file read;
-allow crond_t mail_spool_t:dir search;
-
-ifdef(`mta.te', `
-r_dir_file(system_mail_t, crond_tmp_t)
-')
-
-# Stat any file and search any directory for find.
-allow system_crond_t { file_type fs_type }:notdevfile_class_set getattr;
-allow system_crond_t device_type:{ chr_file blk_file } getattr;
-allow system_crond_t file_type:dir { read search getattr };
-
-# Create temporary files.
-type system_crond_tmp_t, file_type, sysadmfile, tmpfile;
-file_type_auto_trans(system_crond_t, { tmp_t crond_tmp_t }, system_crond_tmp_t)
-
-# /sbin/runlevel ask for w access to utmp, but will operate
-# correctly without it.  Do not audit write denials to utmp.
-# /sbin/runlevel needs lock access however
-dontaudit system_crond_t initrc_var_run_t:file write;
-allow system_crond_t initrc_var_run_t:file { getattr read lock };
-
-# Access other spool directories like
-# /var/spool/anacron and /var/spool/slrnpull.
-allow system_crond_t var_spool_t:file create_file_perms;
-allow system_crond_t var_spool_t:dir rw_dir_perms;
-
-# Do not audit attempts to search unlabeled directories (e.g. slocate).
-dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
-dontaudit system_crond_t unlabeled_t:file r_file_perms;
-
-#
-# reading /var/spool/cron/mailman
-#
-allow crond_t var_spool_t:file { getattr read };
-allow system_crond_t devpts_t:filesystem getattr;
-allow system_crond_t sysfs_t:filesystem getattr;
-allow system_crond_t tmpfs_t:filesystem getattr;
-allow system_crond_t rpc_pipefs_t:filesystem getattr;
-
-#
-#  These rules are here to allow system cron jobs to su
-#
-ifdef(`su.te', `
-su_restricted_domain(system_crond,system)
-role system_r types system_crond_su_t;
-allow system_crond_su_t crond_t:fifo_file ioctl;
-')
-allow system_crond_t self:passwd rootok;
-#
-# prelink tells init to restart it self, we either need to allow or dontaudit
-#
-allow system_crond_t initctl_t:fifo_file write;
-dontaudit userdomain system_crond_t:fd use;
-
-r_dir_file(crond_t, selinux_config_t)
-
-# Allow system cron jobs to relabel filesystem for restoring file contexts.
-bool cron_can_relabel false;
-if (cron_can_relabel) {
-domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t)
-} else {
-r_dir_file(system_crond_t, file_context_t)
-can_getsecurity(system_crond_t)
-}
-dontaudit system_crond_t removable_t:filesystem getattr;
-#
-# Required for webalizer
-#
-dontaudit crond_t self:capability sys_tty_config;
-ifdef(`apache.te', `
-allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
-allow system_crond_t httpd_modules_t:lnk_file read;
-# Needed for certwatch
-can_exec(system_crond_t, httpd_modules_t)
-')
diff --git a/mls/domains/program/crontab.te b/mls/domains/program/crontab.te
deleted file mode 100644
index 48b5fcc..0000000
--- a/mls/domains/program/crontab.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC Crontab - Crontab manipulation programs
-#
-# Domains for the crontab program.
-#
-# X-Debian-Packages: cron
-#
-
-# Type for the crontab executable.
-type crontab_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the crontab_domain macro in
-# macros/program/crontab_macros.te.
diff --git a/mls/domains/program/cups.te b/mls/domains/program/cups.te
deleted file mode 100644
index 6bc5106..0000000
--- a/mls/domains/program/cups.te
+++ /dev/null
@@ -1,321 +0,0 @@
-#DESC Cups - Common Unix Printing System
-#
-# Created cups policy from lpd policy: Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: cupsys cupsys-client cupsys-bsd
-# Depends: lpd.te lpr.te
-
-#################################
-#
-# Rules for the cupsd_t domain.
-#
-# cupsd_t is the domain of cupsd.
-# cupsd_exec_t is the type of the cupsd executable.
-#
-daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
-etcdir_domain(cupsd)
-type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
-
-can_network(cupsd_t)
-allow cupsd_t port_type:tcp_socket name_connect;
-logdir_domain(cupsd)
-
-tmp_domain(cupsd, `', { file dir fifo_file })
-
-allow cupsd_t devpts_t:dir search;
-
-allow cupsd_t device_t:lnk_file read;
-allow cupsd_t printer_device_t:chr_file rw_file_perms;
-allow cupsd_t urandom_device_t:chr_file { getattr read };
-dontaudit cupsd_t random_device_t:chr_file ioctl;
-
-# temporary solution, we need something better
-allow cupsd_t serial_device:chr_file rw_file_perms;
-
-r_dir_file(cupsd_t, usbdevfs_t)
-r_dir_file(cupsd_t, usbfs_t)
-
-ifdef(`logrotate.te', `
-domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
-')
-
-ifdef(`inetd.te', `
-allow inetd_t printer_port_t:tcp_socket name_bind;
-domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
-')
-
-# write to spool
-allow cupsd_t var_spool_t:dir search;
-
-# this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
-file_type_auto_trans(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-file_type_auto_trans(cupsd_t, var_t, cupsd_rw_etc_t, { dir file })
-allow cupsd_t cupsd_rw_etc_t:dir { setattr rw_dir_perms };
-allow cupsd_t cupsd_etc_t:file setattr;
-allow cupsd_t cupsd_etc_t:dir setattr;
-
-allow cupsd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
-can_exec(cupsd_t, initrc_exec_t)
-allow cupsd_t proc_t:file r_file_perms;
-allow cupsd_t proc_t:dir r_dir_perms;
-allow cupsd_t self:file { getattr read };
-read_sysctl(cupsd_t)
-allow cupsd_t sysctl_dev_t:dir search;
-allow cupsd_t sysctl_dev_t:file { getattr read };
-
-# for /etc/printcap
-dontaudit cupsd_t etc_t:file write;
-
-# allow cups to execute its backend scripts
-can_exec(cupsd_t, cupsd_exec_t)
-allow cupsd_t cupsd_exec_t:dir search;
-allow cupsd_t cupsd_exec_t:lnk_file read;
-allow cupsd_t reserved_port_t:tcp_socket name_bind;
-dontaudit cupsd_t reserved_port_type:tcp_socket name_bind;
-
-allow cupsd_t self:unix_stream_socket create_socket_perms;
-allow cupsd_t self:unix_dgram_socket create_socket_perms;
-allow cupsd_t self:fifo_file rw_file_perms;
-
-# Use capabilities.
-allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
-dontaudit cupsd_t self:capability net_admin;
-
-#
-# /usr/lib/cups/backend/serial needs sys_admin
-# Need new context to run under???
-allow cupsd_t self:capability sys_admin;
-
-allow cupsd_t self:process setsched;
-
-# for /var/lib/defoma
-allow cupsd_t var_lib_t:dir search;
-r_dir_file(cupsd_t, readable_t)
-
-# Bind to the cups/ipp port (631).
-allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind;
-
-can_tcp_connect(web_client_domain, cupsd_t)
-can_tcp_connect(cupsd_t, cupsd_t)
-
-# Send to portmap.
-ifdef(`portmap.te', `
-can_udp_send(cupsd_t, portmap_t)
-can_udp_send(portmap_t, cupsd_t)
-')
-
-# Write to /var/spool/cups.
-allow cupsd_t print_spool_t:dir { setattr rw_dir_perms };
-allow cupsd_t print_spool_t:file create_file_perms;
-allow cupsd_t print_spool_t:file rw_file_perms;
-
-# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
-allow cupsd_t { bin_t sbin_t }:dir { search getattr };
-allow cupsd_t bin_t:lnk_file read;
-can_exec(cupsd_t, { shell_exec_t bin_t sbin_t })
-
-# They will also invoke ghostscript, which needs to read fonts
-read_fonts(cupsd_t)
-
-# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
-allow cupsd_t lib_t:file { read getattr };
-
-# read python modules
-allow cupsd_t usr_t:{ file lnk_file } { read getattr ioctl };
-
-#
-# lots of errors generated requiring the following
-#
-allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
-
-#
-# Satisfy readahead
-#
-allow initrc_t cupsd_log_t:file { getattr read };
-r_dir_file(cupsd_t, var_t)
-
-r_dir_file(cupsd_t, usercanread)
-ifdef(`samba.te', `
-rw_dir_file(cupsd_t, samba_var_t)
-allow smbd_t cupsd_etc_t:dir search;
-')
-
-ifdef(`pam.te', `
-dontaudit cupsd_t pam_var_run_t:file { getattr read };
-')
-dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-# PTAL
-daemon_domain(ptal)
-etcdir_domain(ptal)
-
-file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
-allow ptal_t self:capability { chown sys_rawio };
-allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
-allow ptal_t self:unix_stream_socket { listen accept };
-can_network_server_tcp(ptal_t)
-allow ptal_t ptal_port_t:tcp_socket name_bind;
-allow userdomain ptal_t:unix_stream_socket connectto;
-allow userdomain ptal_var_run_t:sock_file write;
-allow userdomain ptal_var_run_t:dir search;
-allow ptal_t self:fifo_file rw_file_perms;
-allow ptal_t device_t:dir read;
-allow ptal_t printer_device_t:chr_file rw_file_perms;
-allow initrc_t printer_device_t:chr_file getattr;
-allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
-r_dir_file(ptal_t, usbdevfs_t)
-rw_dir_file(ptal_t, usbfs_t)
-allow cupsd_t ptal_var_run_t:sock_file { write setattr };
-allow cupsd_t ptal_t:unix_stream_socket connectto;
-allow cupsd_t ptal_var_run_t:dir search;
-dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-
-allow initrc_t ptal_var_run_t:dir rmdir;
-allow initrc_t ptal_var_run_t:fifo_file unlink;
-
-
-# HPLIP
-daemon_domain(hplip)
-etcdir_domain(hplip)
-allow hplip_t etc_t:file r_file_perms;
-allow hplip_t etc_runtime_t:file { read getattr };
-allow hplip_t printer_device_t:chr_file rw_file_perms;
-allow cupsd_t hplip_var_run_t:file { read getattr };
-allow hplip_t cupsd_etc_t:dir search;
-can_network(hplip_t)
-allow hplip_t { hplip_port_t ipp_port_t }:tcp_socket name_connect;
-allow hplip_t hplip_port_t:tcp_socket name_bind;
-
-# Uses networking to talk to the daemons
-allow hplip_t self:unix_dgram_socket create_socket_perms;
-allow hplip_t self:unix_stream_socket create_socket_perms;
-allow hplip_t self:rawip_socket create_socket_perms;
-
-# for python
-can_exec(hplip_t, bin_t)
-allow hplip_t { sbin_t bin_t }:dir search;
-allow hplip_t self:file { getattr read };
-allow hplip_t proc_t:file r_file_perms;
-allow hplip_t urandom_device_t:chr_file { getattr read };
-allow hplip_t usr_t:{ file lnk_file } r_file_perms;
-allow hplip_t devpts_t:dir search;
-allow hplip_t devpts_t:chr_file { getattr ioctl };
-
-
-dontaudit cupsd_t selinux_config_t:dir search;
-dontaudit cupsd_t selinux_config_t:file { getattr read };
-
-allow cupsd_t printconf_t:file { getattr read };
-
-ifdef(`dbusd.te', `
-dbusd_client(system, cupsd)
-allow cupsd_t system_dbusd_t:dbus send_msg;
-allow cupsd_t userdomain:dbus send_msg;
-')
-
-# CUPS configuration daemon
-daemon_domain(cupsd_config, `, nscd_client_domain')
-
-allow cupsd_config_t devpts_t:dir search;
-allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
-
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
-allow cupsd_config_t rpm_var_lib_t:file { getattr read };
-')
-allow cupsd_config_t initrc_exec_t:file getattr;
-')dnl end distro_redhat
-
-allow cupsd_config_t { etc_t etc_runtime_t net_conf_t }:file { getattr read };
-allow cupsd_config_t self:file { getattr read };
-
-allow cupsd_config_t proc_t:file { getattr read };
-allow cupsd_config_t cupsd_var_run_t:file { getattr read };
-allow cupsd_config_t cupsd_t:process { signal };
-allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
-can_ps(cupsd_config_t, cupsd_t)
-
-allow cupsd_config_t self:capability { chown sys_tty_config };
-
-rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
-rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
-file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
-allow cupsd_config_t var_t:lnk_file read;
-
-can_network_tcp(cupsd_config_t)
-can_ypbind(cupsd_config_t)
-allow cupsd_config_t port_type:tcp_socket name_connect;
-can_tcp_connect(cupsd_config_t, cupsd_t)
-allow cupsd_config_t self:fifo_file rw_file_perms;
-
-allow cupsd_config_t self:unix_stream_socket create_socket_perms;
-allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
-ifdef(`dbusd.te', `
-dbusd_client(system, cupsd_config)
-allow cupsd_config_t userdomain:dbus send_msg;
-allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
-allow userdomain cupsd_config_t:dbus send_msg;
-')dnl end if dbusd.te
-
-ifdef(`hald.te', `
-
-ifdef(`dbusd.te', `
-allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg;
-allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;
-')dnl end if dbusd.te
-
-allow hald_t cupsd_config_t:process signal;
-domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
-
-') dnl end if hald.te
-
-
-can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
-ifdef(`hostname.te', `
-can_exec(cupsd_t, hostname_exec_t)
-can_exec(cupsd_config_t, hostname_exec_t)
-')
-allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
-allow cupsd_config_t { bin_t sbin_t }:lnk_file read;
-# killall causes the following
-dontaudit cupsd_config_t domain:dir { getattr search };
-dontaudit cupsd_config_t selinux_config_t:dir search;
-
-can_exec(cupsd_config_t, cupsd_config_exec_t) 
-
-allow cupsd_config_t usr_t:file { getattr read };
-allow cupsd_config_t var_lib_t:dir { getattr search };
-allow cupsd_config_t rpm_var_lib_t:file { getattr read };
-allow cupsd_config_t printconf_t:file { getattr read };
-
-allow cupsd_config_t urandom_device_t:chr_file { getattr read };
-
-ifdef(`logrotate.te', `
-allow cupsd_config_t logrotate_t:fd use;
-')dnl end if logrotate.te
-allow cupsd_config_t system_crond_t:fd use;
-allow cupsd_config_t crond_t:fifo_file r_file_perms;
-allow cupsd_t crond_t:fifo_file read;
-allow cupsd_t crond_t:fd use;
-
-# Alternatives asks for this
-allow cupsd_config_t initrc_exec_t:file getattr;
-ifdef(`targeted_policy', `
-can_unix_connect(cupsd_t, initrc_t)
-allow cupsd_t initrc_t:dbus send_msg;
-allow initrc_t cupsd_t:dbus send_msg;
-allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
-allow unconfined_t cupsd_config_t:dbus send_msg;
-allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
-')
-typealias printer_port_t alias cupsd_lpd_port_t;
-inetd_child_domain(cupsd_lpd)
-allow inetd_t printer_port_t:tcp_socket name_bind;
-r_dir_file(cupsd_lpd_t, cupsd_etc_t)
-r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
-allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
-ifdef(`use_mcs', `
-range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
-')
-
diff --git a/mls/domains/program/cvs.te b/mls/domains/program/cvs.te
deleted file mode 100644
index 503c809..0000000
--- a/mls/domains/program/cvs.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC cvs - Concurrent Versions System
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the cvs_t domain.
-#
-# cvs_exec_t is the type of the cvs executable.
-#
-
-inetd_child_domain(cvs, tcp)
-typeattribute cvs_t privmail;
-typeattribute cvs_t auth_chkpwd;
-
-type cvs_data_t, file_type, sysadmfile, customizable;
-create_dir_file(cvs_t, cvs_data_t)
-can_exec(cvs_t, { bin_t sbin_t shell_exec_t })
-allow cvs_t bin_t:dir search;
-allow cvs_t { bin_t sbin_t }:lnk_file read;
-allow cvs_t etc_runtime_t:file { getattr read };
-allow system_mail_t cvs_data_t:file { getattr read };
-dontaudit cvs_t devtty_t:chr_file { read write };
-ifdef(`kerberos.te', `
-# Allow kerberos to work
-allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms;
-dontaudit cvs_t krb5_conf_t:file write;
-')
diff --git a/mls/domains/program/cyrus.te b/mls/domains/program/cyrus.te
deleted file mode 100644
index 13b2f66..0000000
--- a/mls/domains/program/cyrus.te
+++ /dev/null
@@ -1,60 +0,0 @@
-#DESC cyrus-imapd
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com>
-#
-
-# cyrusd_exec_t is the type of the cyrusd executable.
-# cyrusd_key_t is the type of the cyrus private key files
-daemon_domain(cyrus)
-
-general_domain_access(cyrus_t)
-file_type_auto_trans(cyrus_t, var_run_t, cyrus_var_run_t, sock_file)
-
-type cyrus_var_lib_t, file_type, sysadmfile;
-
-allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
-allow cyrus_t self:process setrlimit;
-
-can_network(cyrus_t)
-allow cyrus_t port_type:tcp_socket name_connect;
-can_ypbind(cyrus_t)
-can_exec(cyrus_t, bin_t)
-allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
-allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
-allow cyrus_t etc_t:file { getattr read };
-allow cyrus_t lib_t:file { execute execute_no_trans getattr read };
-read_locale(cyrus_t)
-read_sysctl(cyrus_t)
-tmp_domain(cyrus)
-allow cyrus_t { mail_port_t pop_port_t }:tcp_socket name_bind;
-allow cyrus_t proc_t:dir search;
-allow cyrus_t proc_t:file { getattr read };
-allow cyrus_t sysadm_devpts_t:chr_file { read write };
-
-allow cyrus_t var_lib_t:dir search;
-
-allow cyrus_t etc_runtime_t:file { read getattr };
-ifdef(`crond.te', `
-system_crond_entry(cyrus_exec_t, cyrus_t)
-allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms;
-allow system_crond_t cyrus_var_lib_t:file create_file_perms;
-')
-create_dir_file(cyrus_t, mail_spool_t)
-allow cyrus_t var_spool_t:dir search;
-
-ifdef(`saslauthd.te', `
-allow cyrus_t saslauthd_var_run_t:dir search;
-allow cyrus_t saslauthd_var_run_t:sock_file { read write };
-allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
-')
-
-r_dir_file(cyrus_t, cert_t)
-allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr };
-
-ifdef(`postfix.te', `
-allow postfix_master_t cyrus_t:unix_stream_socket connectto;
-allow postfix_master_t var_lib_t:dir search;
-allow postfix_master_t cyrus_var_lib_t:dir search;
-allow postfix_master_t cyrus_var_lib_t:sock_file write;
-')
-
diff --git a/mls/domains/program/dbskkd.te b/mls/domains/program/dbskkd.te
deleted file mode 100644
index e75d90b..0000000
--- a/mls/domains/program/dbskkd.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#DESC dbskkd - A dictionary server for the SKK Japanese input method system.
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the dbskkd_t domain.
-#
-# dbskkd_exec_t is the type of the dbskkd executable.
-#
-# Depends: inetd.te
-
-inetd_child_domain(dbskkd)
diff --git a/mls/domains/program/dbusd.te b/mls/domains/program/dbusd.te
deleted file mode 100644
index acad4de..0000000
--- a/mls/domains/program/dbusd.te
+++ /dev/null
@@ -1,27 +0,0 @@
-#DESC dbus-daemon-1 server for dbus desktop bus protocol
-#
-# Author:  Russell Coker <russell@coker.com.au>
-
-dbusd_domain(system)
-
-allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
-
-ifdef(`pamconsole.te', `
-r_dir_file(system_dbusd_t, pam_var_console_t)
-')
-
-# dac_override: /var/run/dbus is owned by messagebus on Debian
-allow system_dbusd_t self:capability { dac_override setgid setuid };
-nsswitch_domain(system_dbusd_t)
-
-# I expect we need more than this
-
-allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
-allow initrc_t system_dbusd_t:unix_stream_socket connectto;
-allow initrc_t system_dbusd_var_run_t:sock_file write;
-
-can_exec(system_dbusd_t, sbin_t)
-allow system_dbusd_t self:fifo_file { read write };
-allow system_dbusd_t self:unix_stream_socket connectto;
-allow system_dbusd_t self:unix_stream_socket connectto;
-allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --git a/mls/domains/program/ddcprobe.te b/mls/domains/program/ddcprobe.te
deleted file mode 100644
index 4087126..0000000
--- a/mls/domains/program/ddcprobe.te
+++ /dev/null
@@ -1,42 +0,0 @@
-#DESC ddcprobe - output ddcprobe results from kudzu
-#
-# Author: dan walsh <dwalsh@redhat.com>
-#
-
-type ddcprobe_t, domain, privmem;
-type ddcprobe_exec_t, file_type, exec_type, sysadmfile;
-
-# Allow execution by the sysadm
-role sysadm_r types ddcprobe_t;
-role system_r types ddcprobe_t;
-domain_auto_trans(sysadm_t, ddcprobe_exec_t, ddcprobe_t)
-
-uses_shlib(ddcprobe_t)
-
-# Allow terminal access
-access_terminal(ddcprobe_t, sysadm)
-
-# Allow ddcprobe to read /dev/mem
-allow ddcprobe_t memory_device_t:chr_file read;
-allow ddcprobe_t memory_device_t:chr_file { execute write };
-allow ddcprobe_t self:process execmem;
-allow ddcprobe_t zero_device_t:chr_file { execute read };
-
-allow ddcprobe_t proc_t:dir search;
-allow ddcprobe_t proc_t:file { getattr read };
-can_exec(ddcprobe_t, sbin_t)
-allow ddcprobe_t user_tty_type:chr_file rw_file_perms;
-allow ddcprobe_t userdomain:fd use;
-read_sysctl(ddcprobe_t)
-allow ddcprobe_t urandom_device_t:chr_file { getattr read };
-allow ddcprobe_t { bin_t sbin_t }:dir r_dir_perms;
-allow ddcprobe_t self:capability { sys_rawio sys_admin };
-
-allow ddcprobe_t { etc_t etc_runtime_t }:file { getattr read };
-allow ddcprobe_t kudzu_exec_t:file getattr;
-allow ddcprobe_t lib_t:file { getattr read };
-read_locale(ddcprobe_t)
-allow ddcprobe_t modules_object_t:dir search;
-allow ddcprobe_t modules_dep_t:file { getattr read };
-allow ddcprobe_t usr_t:file { getattr read };
-allow ddcprobe_t kernel_t:system syslog_console;
diff --git a/mls/domains/program/dhcpc.te b/mls/domains/program/dhcpc.te
deleted file mode 100644
index 83cbe81..0000000
--- a/mls/domains/program/dhcpc.te
+++ /dev/null
@@ -1,169 +0,0 @@
-#DESC DHCPC - DHCP client
-#
-# Authors:  Wayne Salamon (NAI Labs) <wsalamon@tislabs.com>
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: pump dhcp-client udhcpc
-#
-
-#################################
-#
-# Rules for the dhcpc_t domain.
-#
-# dhcpc_t is the domain for the client side of DHCP. dhcpcd, the DHCP 
-# network configurator daemon started by /etc/sysconfig/network-scripts 
-# rc scripts, runs in this domain.
-# dhcpc_exec_t is the type of the dhcpcd executable.
-# The dhcpc_t can be used for other DHCPC related files as well.
-#
-daemon_domain(dhcpc)
-
-# for SSP
-allow dhcpc_t urandom_device_t:chr_file read;
-
-can_network(dhcpc_t)
-allow dhcpc_t port_type:tcp_socket name_connect;
-can_ypbind(dhcpc_t)
-allow dhcpc_t self:unix_dgram_socket create_socket_perms;
-allow dhcpc_t self:unix_stream_socket create_socket_perms;
-allow dhcpc_t self:fifo_file rw_file_perms;
-
-allow dhcpc_t devpts_t:dir search;
-
-# for localization
-allow dhcpc_t lib_t:file { getattr read };
-
-ifdef(`consoletype.te', `
-domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t)
-')
-ifdef(`nscd.te', `
-domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t)
-allow dhcpc_t nscd_var_run_t:file { getattr read };
-')
-ifdef(`cardmgr.te', `
-domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
-allow cardmgr_t dhcpc_var_run_t:file { getattr read };
-allow cardmgr_t dhcpc_t:process signal_perms;
-allow cardmgr_t dhcpc_var_run_t:file unlink;
-allow dhcpc_t cardmgr_dev_t:chr_file { read write };
-')
-ifdef(`hotplug.te', `
-domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
-allow hotplug_t dhcpc_t:process signal_perms;
-allow hotplug_t dhcpc_var_run_t:file { getattr read };
-allow hotplug_t dhcp_etc_t:file rw_file_perms;
-allow dhcpc_t hotplug_etc_t:dir { getattr search };
-ifdef(`distro_redhat', `
-domain_auto_trans(dhcpc_t, syslogd_exec_t, syslogd_t)
-')
-')dnl end hotplug.te
-
-# for the dhcp client to run ping to check IP addresses
-ifdef(`ping.te', `
-domain_auto_trans(dhcpc_t, ping_exec_t, ping_t)
-ifdef(`hotplug.te', `
-allow ping_t hotplug_t:fd use;
-') dnl end if hotplug
-ifdef(`cardmgr.te', `
-allow ping_t cardmgr_t:fd use;
-') dnl end if cardmgr
-', `
-allow dhcpc_t self:capability setuid;
-allow dhcpc_t self:rawip_socket create_socket_perms;
-') dnl end if ping
-
-ifdef(`dhcpd.te', `', `
-type dhcp_state_t, file_type, sysadmfile;
-type dhcp_etc_t, file_type, sysadmfile, usercanread; 
-')
-type dhcpc_state_t, file_type, sysadmfile;
-
-allow dhcpc_t etc_t:lnk_file read;
-allow dhcpc_t { etc_t etc_runtime_t }:file { getattr read };
-allow dhcpc_t proc_net_t:dir search;
-allow dhcpc_t { proc_t proc_net_t }:file { getattr read };
-allow dhcpc_t self:file { getattr read };
-read_sysctl(dhcpc_t)
-allow dhcpc_t userdomain:fd use;
-ifdef(`run_init.te', `
-allow dhcpc_t run_init_t:fd use;
-')
-
-# Use capabilities
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
-
-# for access("/etc/bashrc", X_OK) on Red Hat
-dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-
-# for udp port 68
-allow dhcpc_t dhcpc_port_t:udp_socket name_bind;
-
-# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
-# in /etc created by dhcpcd will be labelled net_conf_t.
-file_type_auto_trans(dhcpc_t, etc_t, net_conf_t, file)
-
-# Allow access to the dhcpc file types
-r_dir_file(dhcpc_t, dhcp_etc_t)
-allow dhcpc_t sbin_t:dir search;
-can_exec(dhcpc_t, { dhcpc_exec_t dhcp_etc_t sbin_t })
-ifdef(`distro_redhat', `
-can_exec(dhcpc_t, etc_t)
-allow initrc_t dhcp_etc_t:file rw_file_perms;
-')
-ifdef(`ifconfig.te', `
-domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t)
-')dnl end if def ifconfig
-
-
-tmp_domain(dhcpc)
-
-# Allow dhcpc_t to use packet sockets
-allow dhcpc_t self:packet_socket create_socket_perms;
-allow dhcpc_t var_lib_t:dir search;
-file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
-rw_dir_create_file(dhcpc_t, dhcpc_state_t)
-allow dhcpc_t dhcp_state_t:file { getattr read };
-
-allow dhcpc_t bin_t:dir { getattr search };
-allow dhcpc_t bin_t:lnk_file read;
-can_exec(dhcpc_t, { bin_t shell_exec_t })
-
-ifdef(`hostname.te', `
-domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t)
-')
-dontaudit dhcpc_t { devpts_t ttyfile ptyfile tty_device_t }:chr_file rw_file_perms;
-allow dhcpc_t { userdomain kernel_t }:fd use;
-
-allow dhcpc_t home_root_t:dir search;
-allow initrc_t dhcpc_state_t:file { getattr read };
-dontaudit dhcpc_t var_lock_t:dir search;
-allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
-dontaudit dhcpc_t domain:dir getattr;
-allow dhcpc_t initrc_var_run_t:file rw_file_perms;
-#
-# dhclient sometimes starts ypbind and ntdp
-#
-can_exec(dhcpc_t, initrc_exec_t)
-ifdef(`ypbind.te', `
-domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
-allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
-allow dhcpc_t ypbind_t:process signal;
-')
-ifdef(`ntpd.te', `
-domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
-')
-role sysadm_r types dhcpc_t;
-domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t)
-ifdef(`dbusd.te', `
-dbusd_client(system, dhcpc)
-domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
-allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow dhcpc_t self:dbus send_msg;
-allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
-allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
-ifdef(`unconfined.te', `
-allow unconfined_t dhcpc_t:dbus send_msg;
-allow dhcpc_t unconfined_t:dbus send_msg;
-')dnl end ifdef unconfined.te
-')
-ifdef(`netutils.te', `domain_auto_trans(dhcpc_t, netutils_exec_t, netutils_t)')
-allow dhcpc_t locale_t:file write;
diff --git a/mls/domains/program/dhcpd.te b/mls/domains/program/dhcpd.te
deleted file mode 100644
index 137fbbf..0000000
--- a/mls/domains/program/dhcpd.te
+++ /dev/null
@@ -1,79 +0,0 @@
-#DESC DHCPD - DHCP server
-#
-# Author: Russell Coker <russell@coker.com.au> 
-# based on the dhcpc_t policy from:
-#          Wayne Salamon (NAI Labs) <wsalamon@tislabs.com>
-# X-Debian-Packages: dhcp dhcp3-server 
-#
-
-#################################
-#
-# Rules for the dhcpd_t domain.
-#
-# dhcpd_t is the domain for the server side of DHCP. dhcpd, the DHCP 
-# server daemon rc scripts, runs in this domain.
-# dhcpd_exec_t is the type of the dhcpdd executable.
-# The dhcpd_t can be used for other DHCPC related files as well.
-#
-daemon_domain(dhcpd, `, nscd_client_domain')
-
-# for UDP port 4011
-allow dhcpd_t pxe_port_t:udp_socket name_bind;
-
-type dhcp_etc_t, file_type, sysadmfile, usercanread;
-
-# Use the network.
-can_network(dhcpd_t)
-allow dhcpd_t port_type:tcp_socket name_connect;
-allow dhcpd_t dhcpd_port_t:{ tcp_socket udp_socket } name_bind;
-can_ypbind(dhcpd_t)
-allow dhcpd_t self:unix_dgram_socket create_socket_perms;
-allow dhcpd_t self:unix_stream_socket create_socket_perms;
-allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow dhcpd_t var_lib_t:dir search;
-
-allow dhcpd_t devtty_t:chr_file { read write };
-
-# Use capabilities
-allow dhcpd_t self:capability { net_raw net_bind_service };
-dontaudit dhcpd_t self:capability  net_admin;
-
-# Allow access to the dhcpd file types
-type dhcp_state_t, file_type, sysadmfile;
-type dhcpd_state_t, file_type, sysadmfile;
-allow dhcpd_t dhcp_etc_t:file { read getattr };
-allow dhcpd_t dhcp_etc_t:dir search;
-file_type_auto_trans(dhcpd_t, dhcp_state_t, dhcpd_state_t, file)
-rw_dir_create_file(dhcpd_t, dhcpd_state_t)
-
-allow dhcpd_t etc_t:lnk_file read;
-allow dhcpd_t { etc_t etc_runtime_t }:file r_file_perms;
-
-# Allow dhcpd_t programs to execute themselves and bin_t (uname etc)
-can_exec(dhcpd_t, { dhcpd_exec_t bin_t })
-
-# Allow dhcpd_t to use packet sockets
-allow dhcpd_t self:packet_socket create_socket_perms;
-allow dhcpd_t self:rawip_socket create_socket_perms;
-
-# allow to run utilities and scripts
-allow dhcpd_t { bin_t sbin_t }:dir r_dir_perms;
-allow dhcpd_t { bin_t sbin_t }:{ file lnk_file } rx_file_perms;
-allow dhcpd_t self:fifo_file { read write getattr };
-
-# allow reading /proc
-allow dhcpd_t proc_t:{ file lnk_file } r_file_perms;
-tmp_domain(dhcpd)
-
-ifdef(`distro_gentoo', `
-allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
-allow initrc_t dhcpd_state_t:file setattr;
-')
-r_dir_file(dhcpd_t, usr_t)
-allow dhcpd_t { urandom_device_t random_device_t }:chr_file r_file_perms;
-
-ifdef(`named.te', `
-allow dhcpd_t { named_conf_t named_zone_t }:dir search;
-allow dhcpd_t dnssec_t:file { getattr read };
-')
diff --git a/mls/domains/program/dictd.te b/mls/domains/program/dictd.te
deleted file mode 100644
index d610d07..0000000
--- a/mls/domains/program/dictd.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC Dictd - Dictionary daemon
-#
-# Authors:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: dictd
-#
-
-#################################
-#
-# Rules for the dictd_t domain.
-#
-# dictd_exec_t is the type of the dictd executable.
-#
-daemon_base_domain(dictd)
-type dictd_var_lib_t, file_type, sysadmfile;
-typealias dictd_var_lib_t alias var_lib_dictd_t;
-etc_domain(dictd)
-
-# for checking for nscd
-dontaudit dictd_t var_run_t:dir search;
-
-# read config files
-allow dictd_t { etc_t etc_runtime_t }:file r_file_perms;
-
-read_locale(dictd_t)
-
-allow dictd_t { var_t var_lib_t }:dir search;
-allow dictd_t dictd_var_lib_t:dir r_dir_perms;
-allow dictd_t dictd_var_lib_t:file r_file_perms;
-
-allow dictd_t self:capability { setuid setgid };
-
-allow dictd_t usr_t:file r_file_perms;
-
-allow dictd_t self:process { setpgid fork sigchld };
-
-allow dictd_t proc_t:file r_file_perms;
-
-allow dictd_t dict_port_t:tcp_socket name_bind;
-
-allow dictd_t devtty_t:chr_file rw_file_perms;
-
-allow dictd_t self:unix_stream_socket create_stream_socket_perms;
-
-can_network_server(dictd_t)
-can_ypbind(dictd_t)
-can_tcp_connect(userdomain, dictd_t)
-
-allow dictd_t fs_t:filesystem getattr;
diff --git a/mls/domains/program/dmesg.te b/mls/domains/program/dmesg.te
deleted file mode 100644
index 9f9392e..0000000
--- a/mls/domains/program/dmesg.te
+++ /dev/null
@@ -1,29 +0,0 @@
-#DESC dmesg - control kernel ring buffer
-#
-# Author:  Dan Walsh dwalsh@redhat.com
-#
-# X-Debian-Packages: util-linux
-
-#################################
-#
-# Rules for the dmesg_t domain.
-#
-# dmesg_exec_t is the type of the dmesg executable.
-#
-# while sysadm_t has the sys_admin capability there is no point in using
-# dmesg_t when run from sysadm_t, so we use nosysadm.
-#
-daemon_base_domain(dmesg, , `nosysadm')
-
-#
-# Rules used for dmesg
-#
-allow dmesg_t self:capability sys_admin;
-allow dmesg_t kernel_t:system { syslog_read syslog_console syslog_mod };
-allow dmesg_t admin_tty_type:chr_file { getattr read write };
-allow dmesg_t sysadm_tty_device_t:chr_file ioctl;
-allow dmesg_t var_log_t:file { getattr write };
-read_locale(dmesg_t)
-
-# for when /usr is not mounted
-dontaudit dmesg_t file_t:dir search;
diff --git a/mls/domains/program/dmidecode.te b/mls/domains/program/dmidecode.te
deleted file mode 100644
index 05b93f7..0000000
--- a/mls/domains/program/dmidecode.te
+++ /dev/null
@@ -1,22 +0,0 @@
-#DESC dmidecode - decodes DMI data for x86/ia64 bioses 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-type dmidecode_t, domain, privmem;
-type dmidecode_exec_t, file_type, exec_type, sysadmfile;
-
-# Allow execution by the sysadm
-role sysadm_r types dmidecode_t;
-role system_r types dmidecode_t;
-domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)
-
-uses_shlib(dmidecode_t)
-
-# Allow terminal access
-access_terminal(dmidecode_t, sysadm)
-
-# Allow dmidecode to read /dev/mem
-allow dmidecode_t memory_device_t:chr_file read;
-
-allow dmidecode_t self:capability sys_rawio;
diff --git a/mls/domains/program/dovecot.te b/mls/domains/program/dovecot.te
deleted file mode 100644
index bd3873a..0000000
--- a/mls/domains/program/dovecot.te
+++ /dev/null
@@ -1,75 +0,0 @@
-#DESC Dovecot POP and IMAP servers
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: dovecot-imapd, dovecot-pop3d
-
-#
-# Main dovecot daemon
-#
-daemon_domain(dovecot, `, privhome')
-etc_domain(dovecot);
-
-allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
-
-can_exec(dovecot_t, dovecot_exec_t)
-
-type dovecot_cert_t, file_type, sysadmfile;
-type dovecot_passwd_t, file_type, sysadmfile;
-type dovecot_spool_t, file_type, sysadmfile;
-
-allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
-allow dovecot_t self:process setrlimit;
-can_network_tcp(dovecot_t)
-allow dovecot_t port_type:tcp_socket name_connect;
-can_ypbind(dovecot_t)
-allow dovecot_t self:unix_dgram_socket create_socket_perms;
-allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
-can_unix_connect(dovecot_t, self)
-
-allow dovecot_t etc_t:file { getattr read };
-allow dovecot_t initrc_var_run_t:file getattr;
-allow dovecot_t bin_t:dir { getattr search };
-can_exec(dovecot_t, bin_t)
-
-allow dovecot_t pop_port_t:tcp_socket name_bind;
-allow dovecot_t urandom_device_t:chr_file { getattr read };
-allow dovecot_t cert_t:dir search;
-r_dir_file(dovecot_t, dovecot_cert_t)
-r_dir_file(dovecot_t, cert_t)
-
-allow dovecot_t { self proc_t }:file { getattr read };
-allow dovecot_t self:fifo_file rw_file_perms;
-
-can_kerberos(dovecot_t)
-
-allow dovecot_t tmp_t:dir search;
-rw_dir_create_file(dovecot_t, mail_spool_t)
-
-
-create_dir_file(dovecot_t, dovecot_spool_t)
-create_dir_file(mta_delivery_agent, dovecot_spool_t)
-allow dovecot_t mail_spool_t:lnk_file read;
-allow dovecot_t var_spool_t:dir { search };
-
-#
-# Dovecot auth daemon
-#
-daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd')
-can_ldap(dovecot_auth_t)
-can_ypbind(dovecot_auth_t)
-can_kerberos(dovecot_auth_t)
-can_resolve(dovecot_auth_t)
-allow dovecot_auth_t self:process { fork signal_perms };
-allow dovecot_auth_t self:capability { setgid setuid };
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
-allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
-allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-allow dovecot_auth_t self:fifo_file rw_file_perms;
-allow dovecot_auth_t urandom_device_t:chr_file { getattr read };
-allow dovecot_auth_t etc_t:file { getattr read };
-allow dovecot_auth_t { self proc_t }:file { getattr read };
-read_locale(dovecot_auth_t)
-read_sysctl(dovecot_auth_t)
-allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
-dontaudit dovecot_auth_t selinux_config_t:dir search;
-allow dovecot_auth_t etc_runtime_t:file { getattr read };
diff --git a/mls/domains/program/fetchmail.te b/mls/domains/program/fetchmail.te
deleted file mode 100644
index 225f08e..0000000
--- a/mls/domains/program/fetchmail.te
+++ /dev/null
@@ -1,32 +0,0 @@
-#DESC fetchmail - remote-mail retrieval utility
-#
-# Author: Greg Norris <haphazard@kc.rr.com>
-# X-Debian-Packages: fetchmail
-# Depends: mta.te
-#
-# Note: This policy is only required when running fetchmail in daemon mode.
-
-#################################
-#
-# Rules for the fetchmail_t domain.
-#
-daemon_domain(fetchmail);
-type fetchmail_etc_t, file_type, sysadmfile;
-type fetchmail_uidl_cache_t, file_type, sysadmfile;
-
-# misc. requirements
-allow fetchmail_t self:process setrlimit;
-
-# network-related goodies
-can_network_client_tcp(fetchmail_t, { dns_port_t pop_port_t smtp_port_t })
-can_network_udp(fetchmail_t, dns_port_t)
-allow fetchmail_t port_type:tcp_socket name_connect;
-
-allow fetchmail_t self:unix_dgram_socket create_socket_perms;
-allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
-
-# file access
-allow fetchmail_t etc_t:file r_file_perms;
-allow fetchmail_t fetchmail_etc_t:file r_file_perms;
-allow fetchmail_t mail_spool_t:dir search;
-file_type_auto_trans(fetchmail_t, mail_spool_t, fetchmail_uidl_cache_t, file)
diff --git a/mls/domains/program/fingerd.te b/mls/domains/program/fingerd.te
deleted file mode 100644
index 73fee16..0000000
--- a/mls/domains/program/fingerd.te
+++ /dev/null
@@ -1,80 +0,0 @@
-#DESC Fingerd - Finger daemon
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: fingerd cfingerd efingerd ffingerd
-#
-
-#################################
-#
-# Rules for the fingerd_t domain.
-#
-# fingerd_exec_t is the type of the fingerd executable.
-#
-daemon_domain(fingerd)
-
-etcdir_domain(fingerd)
-
-allow fingerd_t etc_t:lnk_file read;
-allow fingerd_t { etc_t etc_runtime_t }:file { read getattr };
-
-log_domain(fingerd)
-system_crond_entry(fingerd_exec_t, fingerd_t)
-ifdef(`logrotate.te', `can_exec(fingerd_t, logrotate_exec_t)')
-
-allow fingerd_t fingerd_port_t:tcp_socket name_bind;
-ifdef(`inetd.te', `
-allow inetd_t fingerd_port_t:tcp_socket name_bind;
-# can be run from inetd
-domain_auto_trans(inetd_t, fingerd_exec_t, fingerd_t)
-allow fingerd_t inetd_t:tcp_socket { read write getattr ioctl };
-')
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, fingerd_exec_t, fingerd_t)
-')
-
-allow fingerd_t self:capability { setgid setuid };
-# for gzip from logrotate
-dontaudit fingerd_t self:capability fsetid;
-
-# cfingerd runs shell scripts
-allow fingerd_t { bin_t sbin_t }:dir search;
-allow fingerd_t bin_t:lnk_file read;
-can_exec(fingerd_t, { shell_exec_t bin_t sbin_t })
-allow fingerd_t devtty_t:chr_file { read write };
-
-allow fingerd_t { ttyfile ptyfile }:chr_file getattr;
-
-# Use the network.
-can_network_server(fingerd_t)
-can_ypbind(fingerd_t)
-
-allow fingerd_t self:unix_dgram_socket create_socket_perms;
-allow fingerd_t self:unix_stream_socket create_socket_perms;
-allow fingerd_t self:fifo_file { read write getattr };
-
-# allow any user domain to connect to the finger server
-can_tcp_connect(userdomain, fingerd_t)
-
-# for .finger, .plan. etc
-allow fingerd_t { home_root_t user_home_dir_type }:dir search;
-# should really have a different type for .plan etc
-allow fingerd_t user_home_type:file { getattr read };
-# stop it accessing sub-directories, prevents checking a Maildir for new mail,
-# have to change this when we create a type for Maildir
-dontaudit fingerd_t user_home_t:dir search;
-
-# for mail
-allow fingerd_t { var_spool_t mail_spool_t }:dir search;
-allow fingerd_t mail_spool_t:file getattr;
-allow fingerd_t mail_spool_t:lnk_file read;
-
-# see who is logged in and when users last logged in
-allow fingerd_t { initrc_var_run_t lastlog_t }:file { read getattr };
-dontaudit fingerd_t initrc_var_run_t:file lock;
-allow fingerd_t devpts_t:dir search;
-allow fingerd_t ptyfile:chr_file getattr;
-
-allow fingerd_t proc_t:file { read getattr };
-
-# for date command
-read_sysctl(fingerd_t)
diff --git a/mls/domains/program/firstboot.te b/mls/domains/program/firstboot.te
deleted file mode 100644
index e07bc43..0000000
--- a/mls/domains/program/firstboot.te
+++ /dev/null
@@ -1,131 +0,0 @@
-#DESC firstboot
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-# X-Debian-Packages: firstboot
-#
-
-#################################
-#
-# Rules for the firstboot_t domain.
-#
-# firstboot_exec_t is the type of the firstboot executable.
-#
-application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, privuser, sysctl_kernel_writer')
-type firstboot_rw_t, file_type, sysadmfile;
-role system_r types firstboot_t;
-
-ifdef(`xserver.te', `
-domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
-')
-
-etc_domain(firstboot)
-
-allow firstboot_t proc_t:file r_file_perms;
-
-allow firstboot_t urandom_device_t:chr_file { getattr read };
-allow firstboot_t proc_t:file { getattr read write };
-
-domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t)
-file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)
-
-can_exec_any(firstboot_t)
-ifdef(`useradd.te',`
-domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
-domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
-')
-allow firstboot_t etc_runtime_t:file { getattr read };
-
-r_dir_file(firstboot_t, etc_t)
-
-allow firstboot_t firstboot_rw_t:dir create_dir_perms;
-allow firstboot_t firstboot_rw_t:file create_file_perms;
-allow firstboot_t self:fifo_file { getattr read write };
-allow firstboot_t self:process { fork sigchld };
-allow firstboot_t self:unix_stream_socket { connect create };
-allow firstboot_t initrc_exec_t:file { getattr read };
-allow firstboot_t initrc_var_run_t:file r_file_perms;
-allow firstboot_t lib_t:file { getattr read };
-allow firstboot_t local_login_t:fd use;
-read_locale(firstboot_t)
-
-allow firstboot_t proc_t:dir search;
-allow firstboot_t { devtty_t sysadm_tty_device_t }:chr_file rw_file_perms;
-allow firstboot_t usr_t:file r_file_perms;
-
-allow firstboot_t etc_t:file write;
-
-# Allow write to utmp file
-allow firstboot_t initrc_var_run_t:file write;
-
-ifdef(`samba.te', `
-rw_dir_file(firstboot_t, samba_etc_t)
-')
-
-dontaudit firstboot_t shadow_t:file getattr;
-
-role system_r types initrc_t;
-#role_transition firstboot_r initrc_exec_t system_r;
-domain_auto_trans(firstboot_t, initrc_exec_t, initrc_t)
-
-allow firstboot_t self:passwd rootok;
-
-ifdef(`userhelper.te', `
-role system_r types sysadm_userhelper_t;
-domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-
-ifdef(`consoletype.te', `
-allow consoletype_t devtty_t:chr_file { read write };
-allow consoletype_t etc_t:file { getattr read };
-allow consoletype_t firstboot_t:fd use;
-')
-
-allow firstboot_t etc_t:{ file lnk_file } create_file_perms;
-
-allow firstboot_t self:capability { dac_override setgid };
-allow firstboot_t self:dir search;
-allow firstboot_t self:file { read write };
-allow firstboot_t self:lnk_file read;
-can_setfscreate(firstboot_t)
-allow firstboot_t krb5_conf_t:file rw_file_perms;
-
-allow firstboot_t modules_conf_t:file { getattr read };
-allow firstboot_t modules_dep_t:file { getattr read };
-allow firstboot_t modules_object_t:dir search;
-allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
-allow firstboot_t proc_t:lnk_file read;
-
-can_getsecurity(firstboot_t)
-
-dontaudit firstboot_t sysadm_t:process { noatsecure rlimitinh siginh transition };
-read_sysctl(firstboot_t)
-
-allow firstboot_t var_run_t:dir getattr;
-allow firstboot_t var_t:dir getattr;
-ifdef(`hostname.te', `
-allow hostname_t devtty_t:chr_file { read write };
-allow hostname_t firstboot_t:fd use;
-')
-ifdef(`iptables.te', `
-allow iptables_t devtty_t:chr_file { read write };
-allow iptables_t firstboot_t:fd use;
-allow iptables_t firstboot_t:fifo_file write;
-')
-can_network_server(firstboot_t)
-can_ypbind(firstboot_t)
-ifdef(`printconf.te', `
-can_exec(firstboot_t, printconf_t)
-')
-create_dir_file(firstboot_t, var_t)
-# Add/remove user home directories
-file_type_auto_trans(firstboot_t, home_root_t, user_home_dir_t, dir)
-file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t)
-
-#
-# The big hammer
-#
-unconfined_domain(firstboot_t) 
-ifdef(`targeted_policy', `
-allow firstboot_t unconfined_t:process transition;
-')
-
diff --git a/mls/domains/program/fs_daemon.te b/mls/domains/program/fs_daemon.te
deleted file mode 100644
index 05c98a9..0000000
--- a/mls/domains/program/fs_daemon.te
+++ /dev/null
@@ -1,28 +0,0 @@
-#DESC file system daemons
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: smartmontools
-
-daemon_domain(fsdaemon, `, fs_domain, privmail')
-allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
-allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
-
-# for config
-allow fsdaemon_t etc_t:file { getattr read };
-
-allow fsdaemon_t device_t:dir read;
-allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms;
-allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
-allow fsdaemon_t etc_runtime_t:file { getattr read };
-
-allow fsdaemon_t proc_mdstat_t:file { getattr read };
-
-can_exec_any(fsdaemon_t)
-allow fsdaemon_t self:fifo_file rw_file_perms;
-can_network_udp(fsdaemon_t)
-tmp_domain(fsdaemon)
-allow system_mail_t fsdaemon_tmp_t:file { getattr ioctl read };
-
-dontaudit fsdaemon_t devpts_t:dir search;
-allow fsdaemon_t proc_t:file { getattr read };
-dontaudit system_mail_t fixed_disk_device_t:blk_file read;
diff --git a/mls/domains/program/fsadm.te b/mls/domains/program/fsadm.te
deleted file mode 100644
index 0bfbb68..0000000
--- a/mls/domains/program/fsadm.te
+++ /dev/null
@@ -1,123 +0,0 @@
-#DESC Fsadm - Disk and file system administration
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: util-linux e2fsprogs xfsprogs reiserfsprogs parted raidtools2 mount
-#
-
-#################################
-#
-# Rules for the fsadm_t domain.
-#
-# fsadm_t is the domain for disk and file system
-# administration.
-# fsadm_exec_t is the type of the corresponding programs.
-#
-type fsadm_t, domain, privlog, fs_domain, mlsfileread, mlsfilewrite;
-role system_r types fsadm_t;
-role sysadm_r types fsadm_t;
-
-general_domain_access(fsadm_t)
-
-# for swapon
-r_dir_file(fsadm_t, sysfs_t)
-
-# Read system information files in /proc.
-r_dir_file(fsadm_t, proc_t)
-
-# Read system variables in /proc/sys
-read_sysctl(fsadm_t)
-
-# for /dev/shm
-allow fsadm_t tmpfs_t:dir { getattr search };
-allow fsadm_t tmpfs_t:file { read write };
-
-base_file_read_access(fsadm_t)
-
-# Read /etc.
-r_dir_file(fsadm_t, etc_t)
-
-# Read module-related files.
-allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms;
-
-# Read /dev directories and any symbolic links.
-allow fsadm_t device_t:dir r_dir_perms;
-allow fsadm_t device_t:lnk_file r_file_perms;
-
-uses_shlib(fsadm_t)
-
-type fsadm_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
-')
-tmp_domain(fsadm)
-
-# remount file system to apply changes
-allow fsadm_t fs_t:filesystem remount;
-
-allow fsadm_t fs_t:filesystem getattr;
-
-# mkreiserfs needs this
-allow fsadm_t proc_t:filesystem getattr;
-
-# mkreiserfs and other programs need this for UUID
-allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
-
-# Use capabilities.  ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
-
-# Write to /etc/mtab.
-file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
-
-# Inherit and use descriptors from init.
-allow fsadm_t init_t:fd use;
-
-# Run other fs admin programs in the fsadm_t domain.
-can_exec(fsadm_t, fsadm_exec_t)
-
-# Access disk devices.
-allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
-allow fsadm_t removable_device_t:devfile_class_set rw_file_perms;
-allow fsadm_t scsi_generic_device_t:chr_file r_file_perms;
-
-# Access lost+found.
-allow fsadm_t lost_found_t:dir create_dir_perms;
-allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
-allow fsadm_t lost_found_t:lnk_file create_lnk_perms;
-
-allow fsadm_t file_t:dir { search read getattr rmdir create };
-
-# Recreate /mnt/cdrom. 
-allow fsadm_t mnt_t:dir { search read getattr rmdir create };
-
-# Recreate /dev/cdrom.
-allow fsadm_t device_t:dir rw_dir_perms;
-allow fsadm_t device_t:lnk_file { unlink create };
-
-# Enable swapping to devices and files
-allow fsadm_t swapfile_t:file { getattr swapon };
-allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
-
-# Allow console log change (updfstab)
-allow fsadm_t kernel_t:system syslog_console;
-
-# Access terminals.
-can_access_pty(fsadm_t, initrc)
-allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
-allow fsadm_t privfd:fd use;
-
-read_locale(fsadm_t)
-
-# for smartctl cron jobs
-system_crond_entry(fsadm_exec_t, fsadm_t)
-
-# Access to /initrd devices
-allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
-allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
-allow fsadm_t usbfs_t:dir { getattr search };
-allow fsadm_t ramfs_t:fifo_file rw_file_perms;
-allow fsadm_t device_type:chr_file getattr;
-
-# for tune2fs
-allow fsadm_t file_type:dir { getattr search };
diff --git a/mls/domains/program/ftpd.te b/mls/domains/program/ftpd.te
deleted file mode 100644
index b20252b..0000000
--- a/mls/domains/program/ftpd.te
+++ /dev/null
@@ -1,116 +0,0 @@
-#DESC Ftpd - Ftp daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd
-#
-
-#################################
-#
-# Rules for the ftpd_t domain 
-#
-daemon_domain(ftpd, `, auth_chkpwd, nscd_client_domain')
-etc_domain(ftpd)
-
-can_network(ftpd_t)
-allow ftpd_t port_type:tcp_socket name_connect;
-allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
-allow ftpd_t self:unix_stream_socket create_socket_perms;
-allow ftpd_t self:process { getcap setcap setsched setrlimit };
-allow ftpd_t self:fifo_file rw_file_perms;
-
-allow ftpd_t bin_t:dir search;
-can_exec(ftpd_t, bin_t)
-allow ftpd_t bin_t:lnk_file read;
-read_sysctl(ftpd_t)
-
-allow ftpd_t urandom_device_t:chr_file { getattr read };
-
-ifdef(`crond.te', `
-system_crond_entry(ftpd_exec_t, ftpd_t)
-allow system_crond_t xferlog_t:file r_file_perms;
-can_exec(ftpd_t, { sbin_t shell_exec_t })
-allow ftpd_t usr_t:file { getattr read };
-ifdef(`logrotate.te', `
-can_exec(ftpd_t, logrotate_exec_t)
-')dnl end if logrotate.te
-')dnl end if crond.te
-
-allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
-allow ftpd_t port_t:tcp_socket name_bind;
-
-# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
-type ftpd_lock_t, file_type, sysadmfile, lockfile;
-
-# Allow ftpd to run directly without inetd.
-bool ftpd_is_daemon false;
-if (ftpd_is_daemon) {
-file_type_auto_trans(ftpd_t, var_lock_t, ftpd_lock_t, file)
-allow ftpd_t ftp_port_t:tcp_socket name_bind;
-can_tcp_connect(userdomain, ftpd_t)
-# Allows it to check exec privs on daemon
-allow inetd_t ftpd_exec_t:file x_file_perms;
-}
-ifdef(`inetd.te', `
-if (!ftpd_is_daemon) {
-ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
-domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
-
-# Use sockets inherited from inetd.
-allow ftpd_t inetd_t:fd use;
-allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms;
-
-# Send SIGCHLD to inetd on death.
-allow ftpd_t inetd_t:process sigchld;
-}
-') dnl end inetd.te
-
-# Access shared memory tmpfs instance.
-tmpfs_domain(ftpd)
-
-# Use capabilities.
-allow ftpd_t self:capability { chown fowner fsetid setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
-
-# Append to /var/log/wtmp.
-allow ftpd_t wtmp_t:file { getattr append };
-#kerberized ftp requires the following
-allow ftpd_t wtmp_t:file { write lock };
-
-# Create and modify /var/log/xferlog.
-type xferlog_t, file_type, sysadmfile, logfile;
-file_type_auto_trans(ftpd_t, var_log_t, xferlog_t, file)
-
-# Execute /bin/ls (can comment this out for proftpd)
-# also may need rules to allow tar etc...
-can_exec(ftpd_t, ls_exec_t)
-
-allow initrc_t ftpd_etc_t:file { getattr read };
-allow ftpd_t { etc_t etc_runtime_t }:file { getattr read };
-allow ftpd_t proc_t:file { getattr read };
-
-dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
-dontaudit ftpd_t selinux_config_t:dir search;
-allow ftpd_t autofs_t:dir search;
-allow ftpd_t self:file { getattr read };
-tmp_domain(ftpd)
-
-# Allow ftp to read/write files in the user home directories.
-bool ftp_home_dir false;
-
-if (ftp_home_dir) {
-# allow access to /home
-allow ftpd_t home_root_t:dir r_dir_perms;
-create_dir_file(ftpd_t, home_type)
-ifdef(`targeted_policy', `
-file_type_auto_trans(ftpd_t, user_home_dir_t, user_home_t)
-')
-}
-if (use_nfs_home_dirs && ftp_home_dir) {
-	r_dir_file(ftpd_t, nfs_t)
-}
-if (use_samba_home_dirs && ftp_home_dir) {
-	r_dir_file(ftpd_t, cifs_t)
-}
-dontaudit ftpd_t selinux_config_t:dir search;
-anonymous_domain(ftpd)
-
diff --git a/mls/domains/program/getty.te b/mls/domains/program/getty.te
deleted file mode 100644
index 8101b49..0000000
--- a/mls/domains/program/getty.te
+++ /dev/null
@@ -1,61 +0,0 @@
-#DESC Getty - Manage ttys
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: util-linux fbgetty mingetty mgetty rungetty
-#
-
-#################################
-#
-# Rules for the getty_t domain.
-#
-init_service_domain(getty, `, privfd, privmail, mlsfileread, mlsfilewrite')
-
-etcdir_domain(getty)
-
-allow getty_t console_device_t:chr_file setattr;
-
-tmp_domain(getty)
-log_domain(getty)
-
-allow getty_t { etc_t etc_runtime_t }:file { getattr read };
-allow getty_t etc_t:lnk_file read;
-allow getty_t self:process { getpgid getsession };
-allow getty_t self:unix_dgram_socket create_socket_perms;
-allow getty_t self:unix_stream_socket create_socket_perms;
-
-# Use capabilities.
-allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
-
-read_locale(getty_t)
-
-# Run login in local_login_t domain.
-allow getty_t { sbin_t bin_t }:dir search;
-domain_auto_trans(getty_t, login_exec_t, local_login_t)
-
-# Write to /var/run/utmp.
-allow getty_t { var_t var_run_t }:dir search;
-allow getty_t initrc_var_run_t:file rw_file_perms;
-
-# Write to /var/log/wtmp.
-allow getty_t wtmp_t:file rw_file_perms;
-
-# Chown, chmod, read and write ttys.
-allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
-allow getty_t ttyfile:chr_file { setattr rw_file_perms };
-dontaudit getty_t initrc_devpts_t:chr_file rw_file_perms; 
-
-# for error condition handling
-allow getty_t fs_t:filesystem getattr;
-
-lock_domain(getty)
-r_dir_file(getty_t, sysfs_t)
-# for mgetty
-var_run_domain(getty)
-allow getty_t self:capability { fowner fsetid };
-
-#
-# getty needs to be able to run pppd
-#
-ifdef(`pppd.te', `
-domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
-')
diff --git a/mls/domains/program/gpg-agent.te b/mls/domains/program/gpg-agent.te
deleted file mode 100644
index 2942c6c..0000000
--- a/mls/domains/program/gpg-agent.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC gpg-agent - agent to securely store gpg-keys
-#
-# Author: Thomas Bleher <ThomasBleher@gmx.de>
-#
-
-# Type for the gpg-agent executable.
-type gpg_agent_exec_t, file_type, exec_type, sysadmfile;
-
-# type for the pinentry executable
-type pinentry_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in the gpg_agent_domain macro in
-# macros/program/gpg_agent_macros.te.
diff --git a/mls/domains/program/gpg.te b/mls/domains/program/gpg.te
deleted file mode 100644
index b9cadb5..0000000
--- a/mls/domains/program/gpg.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#DESC GPG - Gnu Privacy Guard (PGP replacement)
-#
-# Authors:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: gnupg
-#
-
-# Type for gpg or pgp executables.
-type gpg_exec_t, file_type, sysadmfile, exec_type;
-type gpg_helper_exec_t, file_type, sysadmfile, exec_type;
-
-allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search;
-allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
-
-# Everything else is in the gpg_domain macro in
-# macros/program/gpg_macros.te.
diff --git a/mls/domains/program/gpm.te b/mls/domains/program/gpm.te
deleted file mode 100644
index ff81d69..0000000
--- a/mls/domains/program/gpm.te
+++ /dev/null
@@ -1,45 +0,0 @@
-#DESC Gpm - General Purpose Mouse driver
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: gpm
-#
-
-#################################
-#
-# Rules for the gpm_t domain.
-#
-# gpm_t is the domain of the console mouse server.
-# gpm_exec_t is the type of the console mouse server program.
-# gpmctl_t is the type of the Unix domain socket or pipe created
-# by the console mouse server.
-#
-daemon_domain(gpm)
-
-type gpmctl_t, file_type, sysadmfile, dev_fs;
-
-tmp_domain(gpm)
-
-# Allow to read the /etc/gpm/ conf files
-type gpm_conf_t, file_type, sysadmfile;
-r_dir_file(gpm_t, gpm_conf_t)
-
-# Use capabilities.
-allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config };
-
-# Create and bind to /dev/gpmctl.
-file_type_auto_trans(gpm_t, device_t, gpmctl_t, { sock_file fifo_file })
-allow gpm_t gpmctl_t:unix_stream_socket name_bind;
-allow gpm_t self:unix_dgram_socket create_socket_perms;
-allow gpm_t self:unix_stream_socket create_stream_socket_perms;
-
-# Read and write ttys.
-allow gpm_t tty_device_t:chr_file rw_file_perms;
-
-# Access the mouse.
-allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms;
-allow gpm_t device_t:lnk_file { getattr read };
-
-read_locale(gpm_t)
-
-allow initrc_t gpmctl_t:sock_file setattr;
-
diff --git a/mls/domains/program/hald.te b/mls/domains/program/hald.te
deleted file mode 100644
index a51709a..0000000
--- a/mls/domains/program/hald.te
+++ /dev/null
@@ -1,104 +0,0 @@
-#DESC hald - server for device info
-#
-# Author:  Russell Coker <rcoker@redhat.com>
-# X-Debian-Packages: 
-#
-
-#################################
-#
-# Rules for the hald_t domain.
-#
-# hald_exec_t is the type of the hald executable.
-#
-daemon_domain(hald, `, fs_domain, nscd_client_domain')
-
-can_exec_any(hald_t)
-
-allow hald_t { etc_t etc_runtime_t }:file { getattr read };
-allow hald_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow hald_t self:unix_dgram_socket create_socket_perms;
-
-ifdef(`dbusd.te', `
-allow hald_t system_dbusd_t:dbus { acquire_svc send_msg };
-dbusd_client(system, hald)
-allow hald_t self:dbus send_msg;
-')
-
-allow hald_t self:file { getattr read };
-allow hald_t proc_t:file rw_file_perms;
-
-allow hald_t { bin_t sbin_t }:dir search;
-allow hald_t self:fifo_file rw_file_perms;
-allow hald_t usr_t:file { getattr read };
-allow hald_t bin_t:file getattr;
-
-# For backwards compatibility with older kernels
-allow hald_t self:netlink_socket create_socket_perms;
-
-allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow hald_t self:netlink_route_socket r_netlink_socket_perms;
-allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
-can_network_server(hald_t)
-can_ypbind(hald_t)
-
-allow hald_t device_t:lnk_file read;
-allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
-allow hald_t removable_device_t:blk_file write;
-allow hald_t event_device_t:chr_file { getattr read ioctl };
-allow hald_t printer_device_t:chr_file rw_file_perms;
-allow hald_t urandom_device_t:chr_file read;
-allow hald_t mouse_device_t:chr_file r_file_perms;
-allow hald_t device_type:chr_file getattr;
-
-can_getsecurity(hald_t)
-
-ifdef(`updfstab.te', `
-domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
-allow updfstab_t hald_t:dbus send_msg;
-allow hald_t updfstab_t:dbus send_msg;
-')
-ifdef(`udev.te', `
-domain_auto_trans(hald_t, udev_exec_t, udev_t)
-allow udev_t hald_t:unix_dgram_socket sendto;
-allow hald_t udev_tbl_t:file { getattr read };
-')
-
-ifdef(`hotplug.te', `
-r_dir_file(hald_t, hotplug_etc_t)
-')
-allow hald_t fs_type:dir { search getattr };
-allow hald_t usbfs_t:dir r_dir_perms;
-allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms;
-allow hald_t bin_t:lnk_file read;
-r_dir_file(hald_t, { selinux_config_t default_context_t } )
-allow hald_t initrc_t:dbus send_msg;
-allow initrc_t hald_t:dbus send_msg;
-allow hald_t etc_runtime_t:file rw_file_perms;
-allow hald_t var_lib_t:dir search;
-allow hald_t device_t:dir create_dir_perms;
-allow hald_t device_t:chr_file create_file_perms;
-tmp_domain(hald)
-allow hald_t mnt_t:dir search;
-r_dir_file(hald_t, proc_net_t)
-
-# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
-ifdef(`apmd.te', `
-allow hald_t apmd_var_run_t:sock_file write;
-allow hald_t apmd_t:unix_stream_socket connectto;
-')
-
-# For /usr/libexec/hald-probe-smbios
-domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
-
-# ??
-ifdef(`lvm.te', `
-allow hald_t lvm_control_t:chr_file r_file_perms;
-')
-ifdef(`targeted_policy', `
-allow unconfined_t hald_t:dbus send_msg;
-allow hald_t unconfined_t:dbus send_msg;
-')
-ifdef(`mount.te', `
-domain_auto_trans(hald_t, mount_exec_t, mount_t)
-')
-r_dir_file(hald_t, hwdata_t)
diff --git a/mls/domains/program/hostname.te b/mls/domains/program/hostname.te
deleted file mode 100644
index 2138baf..0000000
--- a/mls/domains/program/hostname.te
+++ /dev/null
@@ -1,28 +0,0 @@
-#DESC hostname - show or set the system host name
-#
-# Author: Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: hostname
-
-# for setting the hostname
-daemon_core_rules(hostname, , nosysadm)
-allow hostname_t self:capability sys_admin;
-allow hostname_t etc_t:file { getattr read };
-
-allow hostname_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
-read_locale(hostname_t)
-can_resolve(hostname_t)
-allow hostname_t userdomain:fd use;
-dontaudit hostname_t kernel_t:fd use;
-allow hostname_t net_conf_t:file { getattr read };
-allow hostname_t self:unix_stream_socket create_stream_socket_perms;
-dontaudit hostname_t var_t:dir search;
-allow hostname_t fs_t:filesystem getattr;
-
-# for when /usr is not mounted
-dontaudit hostname_t file_t:dir search;
-
-ifdef(`distro_redhat', `
-allow hostname_t tmpfs_t:chr_file rw_file_perms;
-')
-can_access_pty(hostname_t, initrc)
-allow hostname_t initrc_t:fd use;
diff --git a/mls/domains/program/hotplug.te b/mls/domains/program/hotplug.te
deleted file mode 100644
index d966b4b..0000000
--- a/mls/domains/program/hotplug.te
+++ /dev/null
@@ -1,160 +0,0 @@
-#DESC Hotplug - Hardware event manager
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: hotplug
-#
-
-#################################
-#
-# Rules for the hotplug_t domain.
-#
-# hotplug_exec_t is the type of the hotplug executable.
-#
-ifdef(`unlimitedUtils', `
-daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, privmail, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, nscd_client_domain')
-', `
-daemon_domain(hotplug, `, privmodule, privmail, nscd_client_domain')
-')
-
-etcdir_domain(hotplug)
-
-allow hotplug_t self:fifo_file { read write getattr ioctl };
-allow hotplug_t self:unix_dgram_socket create_socket_perms;
-allow hotplug_t self:unix_stream_socket create_socket_perms;
-allow hotplug_t self:udp_socket create_socket_perms;
-
-read_sysctl(hotplug_t)
-allow hotplug_t sysctl_net_t:dir r_dir_perms;
-allow hotplug_t sysctl_net_t:file { getattr read };
-
-# get info from /proc
-r_dir_file(hotplug_t, proc_t)
-allow hotplug_t self:file { getattr read ioctl };
-
-allow hotplug_t devtty_t:chr_file rw_file_perms;
-
-allow hotplug_t device_t:dir r_dir_perms;
-
-# for SSP
-allow hotplug_t urandom_device_t:chr_file read;
-
-allow hotplug_t { bin_t sbin_t }:dir search;
-allow hotplug_t { bin_t sbin_t }:lnk_file read;
-can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })
-ifdef(`hostname.te', `
-can_exec(hotplug_t, hostname_exec_t)
-dontaudit hostname_t hotplug_t:fd use;
-')
-ifdef(`netutils.te', `
-ifdef(`distro_redhat', `
-# for arping used for static IP addresses on PCMCIA ethernet
-domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
-
-allow hotplug_t tmpfs_t:dir search;
-allow hotplug_t tmpfs_t:chr_file rw_file_perms;
-')dnl end if distro_redhat
-')dnl end if netutils.te
-
-allow initrc_t usbdevfs_t:file { getattr read ioctl };
-allow initrc_t modules_dep_t:file { getattr read ioctl };
-r_dir_file(hotplug_t, usbdevfs_t)
-allow hotplug_t usbfs_t:dir r_dir_perms;
-allow hotplug_t usbfs_t:file { getattr read };
-
-# read config files
-allow hotplug_t etc_t:dir r_dir_perms;
-allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
-
-allow hotplug_t kernel_t:process { sigchld setpgid };
-
-ifdef(`distro_redhat', `
-allow hotplug_t var_lock_t:dir search;
-allow hotplug_t var_lock_t:file getattr;
-')
-
-ifdef(`hald.te', `
-allow hotplug_t hald_t:unix_dgram_socket sendto;
-allow hald_t hotplug_etc_t:dir search;
-allow hald_t hotplug_etc_t:file { getattr read };
-')
-
-# for killall
-allow hotplug_t self:process { getsession getattr };
-allow hotplug_t self:file getattr;
-
-domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
-ifdef(`mount.te', `
-domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
-')
-domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
-ifdef(`updfstab.te', `
-domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
-')
-
-# init scripts run /etc/hotplug/usb.rc
-domain_auto_trans(initrc_t, hotplug_etc_t, hotplug_t)
-allow initrc_t hotplug_etc_t:dir r_dir_perms;
-
-ifdef(`iptables.te', `domain_auto_trans(hotplug_t, iptables_exec_t, iptables_t)')
-
-r_dir_file(hotplug_t, modules_object_t)
-allow hotplug_t modules_dep_t:file { getattr read ioctl };
-
-# for lsmod
-dontaudit hotplug_t self:capability { sys_module sys_admin };
-
-# for access("/etc/bashrc", X_OK) on Red Hat
-dontaudit hotplug_t self:capability { dac_override dac_read_search };
-
-ifdef(`fsadm.te', `
-domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
-')
-
-allow hotplug_t var_log_t:dir search;
-
-# for ps
-dontaudit hotplug_t domain:dir { getattr search };
-dontaudit hotplug_t { init_t kernel_t }:file read;
-ifdef(`initrc.te', `
-can_ps(hotplug_t, initrc_t)
-')
-
-# for when filesystems are not mounted early in the boot
-dontaudit hotplug_t file_t:dir { search getattr };
-
-# kernel threads inherit from shared descriptor table used by init
-dontaudit hotplug_t initctl_t:fifo_file { read write };
-
-# Read /usr/lib/gconv/.*
-allow hotplug_t lib_t:file { getattr read };
-
-allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
-allow hotplug_t sysfs_t:dir { getattr read search write };
-allow hotplug_t sysfs_t:file rw_file_perms;
-allow hotplug_t sysfs_t:lnk_file { getattr read };
-r_dir_file(hotplug_t, hwdata_t)
-allow hotplug_t udev_runtime_t:file rw_file_perms;
-ifdef(`lpd.te', `
-allow hotplug_t printer_device_t:chr_file setattr;
-')
-allow hotplug_t fixed_disk_device_t:blk_file setattr;
-allow hotplug_t removable_device_t:blk_file setattr;
-allow hotplug_t sound_device_t:chr_file setattr;
-
-ifdef(`udev.te', `
-domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
-')
-
-file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
-
-can_network_server(hotplug_t)
-can_ypbind(hotplug_t)
-dbusd_client(system, hotplug)
-
-# Allow hotplug (including /sbin/ifup-local) to start/stop services
-domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
-
-allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
-allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
-
-dontaudit hotplug_t selinux_config_t:dir search;
diff --git a/mls/domains/program/howl.te b/mls/domains/program/howl.te
deleted file mode 100644
index ccb2fb1..0000000
--- a/mls/domains/program/howl.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#DESC howl - port of Apple Rendezvous multicast DNS
-#
-# Author:  Russell Coker <rcoker@redhat.com>
-#
-
-daemon_domain(howl, `, privsysmod')
-r_dir_file(howl_t, proc_net_t)
-can_network_server(howl_t)
-can_ypbind(howl_t)
-allow howl_t self:unix_dgram_socket create_socket_perms;
-allow howl_t self:capability { kill net_admin sys_module };
-
-allow howl_t self:fifo_file rw_file_perms;
-
-allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind;
-
-allow howl_t self:unix_dgram_socket create_socket_perms;
-
-allow howl_t etc_t:file { getattr read };
-allow howl_t initrc_var_run_t:file rw_file_perms;
-
diff --git a/mls/domains/program/hwclock.te b/mls/domains/program/hwclock.te
deleted file mode 100644
index e8beb31..0000000
--- a/mls/domains/program/hwclock.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#DESC Hwclock - Hardware clock manager
-#
-# Author:  David A. Wheeler <dwheeler@ida.org>
-#          Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: util-linux
-#
-
-#################################
-#
-# Rules for the hwclock_t domain.
-# This domain moves time information between the "hardware clock"
-# (which runs when the system is off) and the "system clock",
-# and it stores adjustment values in /etc/adjtime so that errors in the
-# hardware clock are corrected.
-# Note that any errors from this domain are NOT recorded by the system logger,
-# because the system logger isnt running when this domain is active.
-#
-daemon_base_domain(hwclock)
-role sysadm_r types hwclock_t;
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
-')
-type adjtime_t, file_type, sysadmfile;
-
-allow hwclock_t fs_t:filesystem getattr;
-
-read_locale(hwclock_t)
-
-# Give hwclock the capabilities it requires.  dac_override is a surprise,
-# but hwclock does require it.
-allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
-
-# Allow hwclock to set the hardware clock.
-allow hwclock_t clock_device_t:devfile_class_set { setattr rw_file_perms };
-
-# Allow hwclock to store & retrieve correction factors.
-allow hwclock_t adjtime_t:file { setattr rw_file_perms };
-
-# Read and write console and ttys.
-allow hwclock_t tty_device_t:chr_file rw_file_perms;
-allow hwclock_t ttyfile:chr_file rw_file_perms;
-allow hwclock_t ptyfile:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
-
-read_locale(hwclock_t)
-
-# for when /usr is not mounted
-dontaudit hwclock_t file_t:dir search;
-allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-r_dir_file(hwclock_t, etc_t)
diff --git a/mls/domains/program/i18n_input.te b/mls/domains/program/i18n_input.te
deleted file mode 100644
index cdff6ca..0000000
--- a/mls/domains/program/i18n_input.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# i18n_input.te
-# Security Policy for IIIMF htt server
-# Date: 2004, 12th April (Monday)
-
-# Establish i18n_input as a daemon
-daemon_domain(i18n_input)
-
-can_exec(i18n_input_t, i18n_input_exec_t)
-can_network(i18n_input_t)
-allow i18n_input_t port_type:tcp_socket name_connect;
-can_ypbind(i18n_input_t)
-
-can_tcp_connect(userdomain, i18n_input_t)
-can_unix_connect(i18n_input_t, initrc_t)
-
-allow i18n_input_t self:fifo_file rw_file_perms;
-allow i18n_input_t i18n_input_port_t:tcp_socket name_bind;
-
-allow i18n_input_t self:capability { kill setgid setuid };
-allow i18n_input_t self:process { setsched setpgid };
-
-allow i18n_input_t { bin_t sbin_t }:dir search;
-can_exec(i18n_input_t, bin_t)
-
-allow i18n_input_t etc_t:file r_file_perms;
-allow i18n_input_t self:unix_dgram_socket create_socket_perms;
-allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
-allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
-allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
-allow i18n_input_t usr_t:file { getattr read };
-allow i18n_input_t home_root_t:dir search;
-allow i18n_input_t etc_runtime_t:file { getattr read };
-allow i18n_input_t proc_t:file { getattr read };
diff --git a/mls/domains/program/ifconfig.te b/mls/domains/program/ifconfig.te
deleted file mode 100644
index 6cccc32..0000000
--- a/mls/domains/program/ifconfig.te
+++ /dev/null
@@ -1,74 +0,0 @@
-#DESC Ifconfig - Configure network interfaces
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: net-tools
-#
-
-#################################
-#
-# Rules for the ifconfig_t domain.
-#
-# ifconfig_t is the domain for the ifconfig program.
-# ifconfig_exec_t is the type of the corresponding program.
-#
-type ifconfig_t, domain, privlog, privmodule;
-type ifconfig_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types ifconfig_t;
-role sysadm_r types ifconfig_t;
-
-uses_shlib(ifconfig_t)
-general_domain_access(ifconfig_t)
-
-domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
-')
-
-# for /sbin/ip
-allow ifconfig_t self:packet_socket create_socket_perms;
-allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
-allow ifconfig_t self:tcp_socket { create ioctl };
-allow ifconfig_t etc_t:file { getattr read };
-
-allow ifconfig_t self:socket create_socket_perms;
-
-# Use capabilities.
-allow ifconfig_t self:capability { net_raw net_admin };
-dontaudit ifconfig_t self:capability sys_module;
-allow ifconfig_t self:capability sys_tty_config;
-
-# Inherit and use descriptors from init.
-allow ifconfig_t { kernel_t init_t }:fd use;
-
-# Access /proc
-r_dir_file(ifconfig_t, proc_t)
-r_dir_file(ifconfig_t, proc_net_t)
-
-allow ifconfig_t privfd:fd use;
-allow ifconfig_t run_init_t:fd use;
-
-# Create UDP sockets, necessary when called from dhcpc
-allow ifconfig_t self:udp_socket create_socket_perms;
-
-# Access terminals.
-can_access_pty(ifconfig_t, initrc)
-allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
-
-allow ifconfig_t tun_tap_device_t:chr_file { read write };
-
-# ifconfig attempts to search some sysctl entries.
-# Do not audit those attempts; comment out these rules if it is desired to
-# see the denials.
-allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;
-
-allow ifconfig_t fs_t:filesystem getattr;
-
-read_locale(ifconfig_t)
-allow ifconfig_t lib_t:file { getattr read };
-
-rhgb_domain(ifconfig_t)
-allow ifconfig_t userdomain:fd use;
-dontaudit ifconfig_t root_t:file read;
-r_dir_file(ifconfig_t, sysfs_t)
diff --git a/mls/domains/program/inetd.te b/mls/domains/program/inetd.te
deleted file mode 100644
index 5c88ab3..0000000
--- a/mls/domains/program/inetd.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#DESC Inetd - Internet services daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# re-written with daemon_domain by Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: netkit-inetd openbsd-inetd xinetd
-#
-
-#################################
-#
-# Rules for the inetd_t domain and
-# the inetd_child_t domain.
-#
-
-daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
-
-can_network(inetd_t)
-allow inetd_t port_type:tcp_socket name_connect;
-allow inetd_t self:unix_dgram_socket create_socket_perms;
-allow inetd_t self:unix_stream_socket create_socket_perms;
-allow inetd_t self:fifo_file rw_file_perms;
-allow inetd_t etc_t:file { getattr read ioctl };
-allow inetd_t self:process setsched;
-
-log_domain(inetd)
-tmp_domain(inetd)
-
-# Use capabilities.
-allow inetd_t self:capability { setuid setgid net_bind_service };
-
-# allow any domain to connect to inetd
-can_tcp_connect(userdomain, inetd_t)
-
-# Run each daemon with a defined domain in its own domain.
-# These rules have been moved to the individual target domain .te files.
-
-# Run other daemons in the inetd_child_t domain.
-allow inetd_t { bin_t sbin_t }:dir search;
-allow inetd_t sbin_t:lnk_file read;
-
-# Bind to the telnet, ftp, rlogin and rsh ports.
-ifdef(`ftpd.te', `allow inetd_t ftp_port_t:tcp_socket name_bind;')
-ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
-ifdef(`talk.te', `
-allow inetd_t talk_port_t:tcp_socket name_bind;
-allow inetd_t ntalk_port_t:tcp_socket name_bind;
-')
-
-allow inetd_t auth_port_t:tcp_socket name_bind;
-# Communicate with the portmapper.
-ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
-
-
-inetd_child_domain(inetd_child)
-allow inetd_child_t proc_net_t:dir search;
-allow inetd_child_t proc_net_t:file { getattr read };
-
-ifdef(`unconfined.te', `
-domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
-')
-
-ifdef(`unlimitedInetd', `
-unconfined_domain(inetd_t) 
-')
-
diff --git a/mls/domains/program/init.te b/mls/domains/program/init.te
deleted file mode 100644
index dc5c050..0000000
--- a/mls/domains/program/init.te
+++ /dev/null
@@ -1,147 +0,0 @@
-#DESC Init - Process initialization
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: sysvinit
-#
-
-#################################
-#
-# Rules for the init_t domain.
-#
-# init_t is the domain of the init process.
-# init_exec_t is the type of the init program.
-# initctl_t is the type of the named pipe created 
-# by init during initialization.  This pipe is used
-# to communicate with init.
-#
-type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite, mlsprocwrite;
-role system_r types init_t;
-uses_shlib(init_t);
-type init_exec_t, file_type, sysadmfile, exec_type;
-type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
-
-# for init to determine whether SE Linux is active so it can know whether to
-# activate it
-allow init_t security_t:dir search;
-allow init_t security_t:file { getattr read };
-
-# for mount points
-allow init_t file_t:dir search;
-
-# Use capabilities.
-allow init_t self:capability ~sys_module;
-
-# Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain.
-domain_auto_trans(init_t, initrc_exec_t, initrc_t)
-
-# Run the shell in the sysadm_t domain for single-user mode.
-domain_auto_trans(init_t, shell_exec_t, sysadm_t)
-
-# Run /sbin/update in the init_t domain.
-can_exec(init_t, sbin_t)
-
-# Run init.
-can_exec(init_t, init_exec_t)
-
-# Run chroot from initrd scripts.
-ifdef(`chroot.te', `
-can_exec(init_t, chroot_exec_t)
-')
-
-# Create /dev/initctl.
-file_type_auto_trans(init_t, device_t, initctl_t, fifo_file)
-ifdef(`distro_redhat', `
-file_type_auto_trans(init_t, tmpfs_t, initctl_t, fifo_file)
-')
-
-# Create ioctl.save.
-file_type_auto_trans(init_t, etc_t, etc_runtime_t, file)
-
-# Update /etc/ld.so.cache
-allow init_t ld_so_cache_t:file rw_file_perms;
-
-# Allow access to log files
-allow init_t var_t:dir search;
-allow init_t var_log_t:dir search;
-allow init_t var_log_t:file rw_file_perms;
-
-read_locale(init_t)
-
-# Create unix sockets
-allow init_t self:unix_dgram_socket create_socket_perms;
-allow init_t self:unix_stream_socket create_socket_perms;
-allow init_t self:fifo_file rw_file_perms;
-
-# Permissions required for system startup
-allow init_t { bin_t sbin_t }:dir r_dir_perms;
-allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl };
-
-# allow init to fork
-allow init_t self:process { fork sigchld };
-
-# Modify utmp.
-allow init_t var_run_t:file rw_file_perms;
-allow init_t initrc_var_run_t:file { setattr rw_file_perms };
-can_unix_connect(init_t, initrc_t)
-
-# For /var/run/shutdown.pid.
-var_run_domain(init)
-
-# Shutdown permissions
-r_dir_file(init_t, proc_t)
-r_dir_file(init_t, self)
-allow init_t devpts_t:dir r_dir_perms;
-
-# Modify wtmp.
-allow init_t wtmp_t:file rw_file_perms;
-
-# Kill all processes.
-allow init_t domain:process signal_perms;
-
-# Allow all processes to send SIGCHLD to init.
-allow domain init_t:process { sigchld signull };
-
-# If you load a new policy that removes active domains, processes can
-# get stuck if you do not allow unlabeled processes to signal init
-# If you load an incompatible policy, you should probably reboot,
-# since you may have compromised system security.
-allow unlabeled_t init_t:process sigchld;
-
-# for loading policy
-allow init_t policy_config_t:file r_file_perms;
-
-# Set booleans.
-can_setbool(init_t)
-
-# Read and write the console and ttys.
-allow init_t { tty_device_t console_device_t } :chr_file rw_file_perms;
-ifdef(`distro_redhat', `
-allow init_t tmpfs_t:chr_file rw_file_perms;
-')
-allow init_t ttyfile:chr_file rw_file_perms;
-allow init_t ptyfile:chr_file rw_file_perms;
-
-# Run system executables.
-can_exec(init_t,bin_t)
-ifdef(`consoletype.te', `
-can_exec(init_t, consoletype_exec_t)
-')
-
-# Run /etc/X11/prefdm.
-can_exec(init_t,etc_t)
-
-allow init_t lib_t:file { getattr read };
-
-allow init_t devtty_t:chr_file { read write };
-allow init_t ramfs_t:dir search;
-allow init_t ramfs_t:sock_file write;
-r_dir_file(init_t, sysfs_t)
-
-r_dir_file(init_t, selinux_config_t)
-
-# file descriptors inherited from the rootfs.
-dontaudit init_t root_t:{ file chr_file } { read write }; 
-ifdef(`targeted_policy', `
-unconfined_domain(init_t)
-')
-
diff --git a/mls/domains/program/initrc.te b/mls/domains/program/initrc.te
deleted file mode 100644
index 683e1e3..0000000
--- a/mls/domains/program/initrc.te
+++ /dev/null
@@ -1,346 +0,0 @@
-#DESC Initrc - System initialization scripts
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: sysvinit policycoreutils
-#
-
-#################################
-#
-# Rules for the initrc_t domain.
-#
-# initrc_t is the domain of the init rc scripts.
-# initrc_exec_t is the type of the init program.
-#
-# do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite, privrangetrans;
-
-role system_r types initrc_t;
-uses_shlib(initrc_t);
-can_network(initrc_t)
-allow initrc_t port_type:tcp_socket name_connect;
-can_ypbind(initrc_t)
-type initrc_exec_t, file_type, sysadmfile, exec_type;
-
-# for halt to down interfaces
-allow initrc_t self:udp_socket create_socket_perms;
-
-# read files in /etc/init.d
-allow initrc_t etc_t:lnk_file r_file_perms;
-
-read_locale(initrc_t)
-
-r_dir_file(initrc_t, usr_t)
-
-# Read system information files in /proc.
-r_dir_file(initrc_t, { proc_t proc_net_t })
-allow initrc_t proc_mdstat_t:file { getattr read };
-
-# Allow IPC with self
-allow initrc_t self:unix_dgram_socket create_socket_perms;
-allow initrc_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow initrc_t self:fifo_file rw_file_perms;
-
-# Read the root directory of a usbdevfs filesystem, and
-# the devices and drivers files.  Permit stating of the
-# device nodes, but nothing else.
-allow initrc_t usbdevfs_t:dir r_dir_perms;
-allow initrc_t usbdevfs_t:lnk_file r_file_perms;
-allow initrc_t usbdevfs_t:file getattr;
-allow initrc_t usbfs_t:dir r_dir_perms;
-allow initrc_t usbfs_t:file getattr;
-
-# allow initrc to fork and renice itself
-allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit getsched };
-
-# Can create ptys for open_init_pty
-can_create_pty(initrc)
-
-tmp_domain(initrc)
-#
-# Some initscripts generate scripts that they need to execute (ldap)
-#
-can_exec(initrc_t, initrc_tmp_t)
-
-var_run_domain(initrc)
-allow initrc_t var_run_t:{ file sock_file lnk_file } unlink;
-allow initrc_t var_run_t:dir { create rmdir };
-
-ifdef(`distro_debian', `
-allow initrc_t { etc_t device_t }:dir setattr;
-
-# for storing state under /dev/shm
-allow initrc_t tmpfs_t:dir setattr;
-file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
-file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
-allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
-')
-
-allow initrc_t framebuf_device_t:chr_file r_file_perms;
-
-# Use capabilities.
-allow initrc_t self:capability ~{ sys_admin sys_module };
-
-# Use system operations.
-allow initrc_t kernel_t:system *;
-
-# Set values in /proc/sys.
-can_sysctl(initrc_t)
-
-# Run helper programs in the initrc_t domain.
-allow initrc_t {bin_t sbin_t }:dir r_dir_perms;
-allow initrc_t {bin_t sbin_t }:lnk_file read;
-can_exec(initrc_t, etc_t)
-can_exec(initrc_t, lib_t)
-can_exec(initrc_t, bin_t)
-can_exec(initrc_t, sbin_t)
-can_exec(initrc_t, exec_type)
-#
-#  These rules are here to allow init scripts to su
-#
-ifdef(`su.te', `
-su_restricted_domain(initrc,system)
-role system_r types initrc_su_t;
-')
-allow initrc_t self:passwd rootok;
-
-# read /lib/modules
-allow initrc_t modules_object_t:dir { search read };
-
-# Read conf.modules.
-allow initrc_t modules_conf_t:file r_file_perms;
-
-# Run other rc scripts in the initrc_t domain.
-can_exec(initrc_t, initrc_exec_t)
-
-# Run init (telinit) in the initrc_t domain.
-can_exec(initrc_t, init_exec_t)
-
-# Communicate with the init process.
-allow initrc_t initctl_t:fifo_file rw_file_perms;
-
-# Read /proc/PID directories for all domains.
-r_dir_file(initrc_t, domain)
-allow initrc_t domain:process { getattr getsession };
-
-# Mount and unmount file systems.
-allow initrc_t fs_type:filesystem mount_fs_perms;
-allow initrc_t file_t:dir { read search getattr mounton };
-
-# during boot up initrc needs to do the following
-allow initrc_t default_t:dir { write read search getattr mounton };
-
-# rhgb-console writes to ramfs
-allow initrc_t ramfs_t:fifo_file write;
-
-# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
-file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
-
-# Update /etc/ld.so.cache.
-allow initrc_t ld_so_cache_t:file rw_file_perms;
-
-# Update /var/log/wtmp and /var/log/dmesg.
-allow initrc_t wtmp_t:file { setattr rw_file_perms };
-allow initrc_t var_log_t:dir rw_dir_perms;
-allow initrc_t var_log_t:file create_file_perms;
-allow initrc_t lastlog_t:file { setattr rw_file_perms };
-allow initrc_t logfile:file { read append };
-
-# remove old locks
-allow initrc_t lockfile:dir rw_dir_perms;
-allow initrc_t lockfile:file { getattr unlink };
-
-# Access /var/lib/random-seed.
-allow initrc_t var_lib_t:file rw_file_perms;
-allow initrc_t var_lib_t:file unlink;
-
-# Create lock file.
-allow initrc_t var_lock_t:dir create_dir_perms;
-allow initrc_t var_lock_t:file create_file_perms;
-
-# Set the clock.
-allow initrc_t clock_device_t:devfile_class_set rw_file_perms;
-
-# Kill all processes.
-allow initrc_t domain:process signal_perms;
-
-# Write to /dev/urandom.
-allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms;
-
-# for cryptsetup
-allow initrc_t fixed_disk_device_t:blk_file getattr;
-
-# Set device ownerships/modes.
-allow initrc_t framebuf_device_t:chr_file setattr;
-allow initrc_t misc_device_t:devfile_class_set setattr;
-allow initrc_t device_t:devfile_class_set setattr;
-allow initrc_t fixed_disk_device_t:devfile_class_set setattr;
-allow initrc_t removable_device_t:devfile_class_set setattr;
-allow initrc_t device_t:lnk_file read;
-allow initrc_t xconsole_device_t:fifo_file setattr;
-
-# Stat any file.
-allow initrc_t file_type:notdevfile_class_set getattr;
-allow initrc_t file_type:dir { search getattr };
-
-# Read and write console and ttys.
-allow initrc_t devtty_t:chr_file rw_file_perms;
-allow initrc_t console_device_t:chr_file rw_file_perms;
-allow initrc_t tty_device_t:chr_file rw_file_perms;
-allow initrc_t ttyfile:chr_file rw_file_perms;
-allow initrc_t ptyfile:chr_file rw_file_perms;
-
-# Reset tty labels.
-allow initrc_t ttyfile:chr_file relabelfrom;
-allow initrc_t tty_device_t:chr_file relabelto;
-
-ifdef(`distro_redhat', `
-# Create and read /boot/kernel.h and /boot/System.map.
-# Redhat systems typically create this file at boot time.
-allow initrc_t boot_t:lnk_file rw_file_perms;
-file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)
-
-allow initrc_t tmpfs_t:chr_file rw_file_perms;
-allow initrc_t tmpfs_t:dir r_dir_perms;
-
-# Allow initrc domain to set the enforcing flag.
-can_setenforce(initrc_t)
-
-#
-# readahead asks for these
-#
-allow initrc_t etc_aliases_t:file { getattr read };
-allow initrc_t var_lib_nfs_t:file { getattr read };
-
-# for /halt /.autofsck and other flag files
-file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
-
-file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)
-allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
-allow initrc_t self:capability sys_admin;
-allow initrc_t device_t:dir create;
-# wants to delete /poweroff and other files 
-allow initrc_t root_t:file unlink;
-# wants to read /.fonts directory
-allow initrc_t default_t:file { getattr read };
-ifdef(`xserver.te', `
-# wants to cleanup xserver log dir
-allow initrc_t xserver_log_t:dir rw_dir_perms;
-allow initrc_t xserver_log_t:file unlink;
-')
-')dnl end distro_redhat
-
-allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
-allow initrc_t var_spool_t:file rw_file_perms;
-
-# Allow access to the sysadm TTYs. Note that this will give access to the 
-# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-# started from init should be placed in their own domain.
-allow initrc_t admin_tty_type:chr_file rw_file_perms;
-
-# Access sound device and files.
-allow initrc_t sound_device_t:chr_file { setattr ioctl read write };
-
-# Read user home directories.
-allow initrc_t { home_root_t home_type }:dir r_dir_perms;
-allow initrc_t home_type:file r_file_perms;
-
-# Read and unlink /var/run/*.pid files.
-allow initrc_t pidfile:file { getattr read unlink };
-
-# for system start scripts
-allow initrc_t pidfile:dir { rmdir rw_dir_perms };
-allow initrc_t pidfile:sock_file unlink;
-
-rw_dir_create_file(initrc_t, var_lib_t)
-
-# allow start scripts to clean /tmp
-allow initrc_t { unlabeled_t tmpfile }:dir { rw_dir_perms rmdir };
-allow initrc_t { unlabeled_t tmpfile }:notdevfile_class_set { getattr unlink };
-
-# for lsof which is used by alsa shutdown
-dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
-dontaudit initrc_t proc_kmsg_t:file getattr;
-
-#################################
-#
-# Rules for the run_init_t domain.
-#
-ifdef(`targeted_policy', `
-type run_init_exec_t, file_type, sysadmfile, exec_type;
-type run_init_t, domain;
-domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
-allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
-allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
-typeattribute initrc_t privuser;
-domain_trans(initrc_t, shell_exec_t, unconfined_t)
-allow initrc_t unconfined_t:system syslog_mod;
-', `
-run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
-')
-allow initrc_t privfd:fd use;
-
-# Transition to system_r:initrc_t upon executing init scripts.
-ifdef(`direct_sysadm_daemon', `
-role_transition sysadm_r initrc_exec_t system_r;
-domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
-ifdef(`mls_policy', `
-typeattribute initrc_t mlsrangetrans;
-range_transition sysadm_t initrc_exec_t s0 - s15:c0.c255;
-')
-')
-
-#
-# Shutting down xinet causes these
-#
-# Fam
-dontaudit initrc_t device_t:dir { read write };
-# Rsync
-dontaudit initrc_t mail_spool_t:lnk_file read;
-
-allow initrc_t sysfs_t:dir { getattr read search };
-allow initrc_t sysfs_t:file { getattr read write };
-allow initrc_t sysfs_t:lnk_file { getattr read };
-allow initrc_t udev_runtime_t:file rw_file_perms;
-allow initrc_t device_type:chr_file setattr;
-allow initrc_t binfmt_misc_fs_t:dir { getattr search };
-allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write };
-
-# for lsof in shutdown scripts
-can_kerberos(initrc_t)
-
-#
-# Wants to remove udev.tbl
-#
-allow initrc_t device_t:dir rw_dir_perms;
-allow initrc_t device_t:lnk_file unlink;
-
-r_dir_file(initrc_t,selinux_config_t)
-
-ifdef(`unlimitedRC', `
-unconfined_domain(initrc_t) 
-')
-#
-# initrc script does a cat /selinux/enforce
-#
-allow initrc_t security_t:dir { getattr search };
-allow initrc_t security_t:file { getattr read };
-
-# init script state
-type initrc_state_t, file_type, sysadmfile;
-create_dir_file(initrc_t,initrc_state_t)
-
-ifdef(`distro_gentoo', `
-# Gentoo integrated run_init+open_init_pty-runscript:
-domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
-')
-allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
-allow initrc_t device_t:lnk_file create_file_perms;
-ifdef(`dbusd.te', `
-allow initrc_t system_dbusd_var_run_t:sock_file write;
-')
-
-# Slapd needs to read cert files from its initscript
-r_dir_file(initrc_t, cert_t)
-ifdef(`use_mcs', `
-range_transition sysadm_t initrc_exec_t s0;
-')
diff --git a/mls/domains/program/innd.te b/mls/domains/program/innd.te
deleted file mode 100644
index 25047df..0000000
--- a/mls/domains/program/innd.te
+++ /dev/null
@@ -1,81 +0,0 @@
-#DESC INN - InterNetNews server
-#
-# Author:  Faye Coker <faye@lurking-grue.org>
-# X-Debian-Packages: inn
-#
-################################
-
-# Types for the server port and news spool.
-#
-type news_spool_t, file_type, sysadmfile;
-
-
-# need privmail attribute so innd can access system_mail_t
-daemon_domain(innd, `, privmail')
-
-# allow innd to create files and directories of type news_spool_t
-create_dir_file(innd_t, news_spool_t)
-
-# allow user domains to read files and directories these types
-r_dir_file(userdomain, { news_spool_t innd_var_lib_t innd_etc_t })
-
-can_exec(initrc_t, innd_etc_t)
-can_exec(innd_t, { innd_exec_t bin_t shell_exec_t })
-ifdef(`hostname.te', `
-can_exec(innd_t, hostname_exec_t)
-')
-
-allow innd_t var_spool_t:dir { getattr search };
-
-can_network(innd_t)
-allow innd_t port_type:tcp_socket name_connect;
-can_ypbind(innd_t)
-
-can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
-allow innd_t self:unix_dgram_socket create_socket_perms;
-allow innd_t self:unix_stream_socket create_stream_socket_perms;
-can_unix_connect(innd_t, self)
-
-allow innd_t self:fifo_file rw_file_perms;
-allow innd_t innd_port_t:tcp_socket name_bind;
-
-allow innd_t self:capability { dac_override kill setgid setuid net_bind_service };
-allow innd_t self:process setsched;
-
-allow innd_t { bin_t sbin_t }:dir search;
-allow innd_t usr_t:lnk_file read;
-allow innd_t usr_t:file { getattr read ioctl };
-allow innd_t lib_t:file ioctl;
-allow innd_t etc_t:file { getattr read };
-allow innd_t { proc_t etc_runtime_t }:file { getattr read };
-allow innd_t urandom_device_t:chr_file read;
-
-allow innd_t innd_var_run_t:sock_file create_file_perms;
-
-# allow innd to read directories of type innd_etc_t (/etc/news/(/.*)? and symbolic links with that type
-etcdir_domain(innd)
-
-# allow innd to create files under /var/log of type innd_log_t and have a directory for its own files that
-# it can write to
-logdir_domain(innd)
-
-# allow innd read-write directory permissions to /var/lib/news.
-var_lib_domain(innd)
-
-ifdef(`crond.te', `
-system_crond_entry(innd_exec_t, innd_t)
-allow system_crond_t innd_etc_t:file { getattr read };
-rw_dir_create_file(system_crond_t, innd_log_t)
-rw_dir_create_file(system_crond_t, innd_var_run_t)
-')
-
-ifdef(`syslogd.te', `
-allow syslogd_t innd_log_t:dir search;
-allow syslogd_t innd_log_t:file create_file_perms;
-')
-
-allow innd_t self:file { getattr read };
-dontaudit innd_t selinux_config_t:dir { search };
-allow system_crond_t innd_etc_t:file { getattr read };
-allow innd_t bin_t:lnk_file { read };
-allow innd_t sbin_t:lnk_file { read };
diff --git a/mls/domains/program/ipsec.te b/mls/domains/program/ipsec.te
deleted file mode 100644
index ea45a36..0000000
--- a/mls/domains/program/ipsec.te
+++ /dev/null
@@ -1,229 +0,0 @@
-#DESC ipsec - TCP/IP encryption
-#
-# Authors: Mark Westerman mark.westerman@westcam.com
-# massively butchered by paul krumviede <pwk@acm.org>
-# further massaged by Chris Vance <cvance@tislabs.com>
-# X-Debian-Packages: freeswan
-#
-########################################
-#
-# Rules for the ipsec_t domain.
-#
-# a domain for things that need access to the PF_KEY socket
-daemon_base_domain(ipsec, `, privlog')
-
-# type for ipsec configuration file(s) - not for keys
-type ipsec_conf_file_t, file_type, sysadmfile;
-
-# type for file(s) containing ipsec keys - RSA or preshared
-type ipsec_key_file_t, file_type, sysadmfile;
-
-# type for runtime files, including pluto.ctl
-# lots of strange stuff for the ipsec_var_run_t - need to check it
-var_run_domain(ipsec)
-
-type ipsec_mgmt_t, domain, privlog, admin, privmodule, nscd_client_domain;
-type ipsec_mgmt_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
-file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_var_run_t, sock_file)
-file_type_auto_trans(ipsec_t, var_run_t, ipsec_var_run_t, sock_file)
-file_type_auto_trans(ipsec_mgmt_t, etc_t, ipsec_key_file_t, file)
-
-allow ipsec_mgmt_t modules_object_t:dir search;
-allow ipsec_mgmt_t modules_object_t:file getattr;
-
-allow ipsec_t self:capability { net_admin net_bind_service };
-allow ipsec_t self:process signal;
-allow ipsec_t etc_t:lnk_file read;
-
-domain_auto_trans(ipsec_mgmt_t, ifconfig_exec_t, ifconfig_t)
-
-# Inherit and use descriptors from init.
-# allow access (for, e.g., klipsdebug) to console
-allow { ipsec_t ipsec_mgmt_t } console_device_t:chr_file rw_file_perms;
-allow { ipsec_t ipsec_mgmt_t } { init_t initrc_t privfd }:fd use;
-
-# I do not know where this pesky pipe is...
-allow ipsec_t initrc_t:fifo_file write;
-
-r_dir_file(ipsec_t, ipsec_conf_file_t)
-r_dir_file(ipsec_t, ipsec_key_file_t)
-allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
-rw_dir_create_file(ipsec_mgmt_t, ipsec_key_file_t)
-
-allow ipsec_t self:key_socket { create write read setopt };
-
-# for lsof
-allow sysadm_t ipsec_t:key_socket getattr;
-
-# the ipsec wrapper wants to run /usr/bin/logger (should we put
-# it in its own domain?)
-can_exec(ipsec_mgmt_t, bin_t)
-# logger, running in ipsec_mgmt_t needs to use sockets
-allow ipsec_mgmt_t self:unix_dgram_socket create_socket_perms;
-allow ipsec_mgmt_t ipsec_t:unix_dgram_socket create_socket_perms;
-
-# also need to run things like whack and shell scripts
-can_exec(ipsec_mgmt_t, ipsec_exec_t)
-can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
-allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
-can_exec(ipsec_mgmt_t, shell_exec_t)
-can_exec(ipsec_t, shell_exec_t)
-can_exec(ipsec_t, bin_t)
-can_exec(ipsec_t, ipsec_mgmt_exec_t)
-# now for a icky part...
-# pluto runs an updown script (by calling popen()!); as this is by default
-# a shell script, we need to find a way to make things work without
-# letting all sorts of stuff possibly be run...
-# so try flipping back into the ipsec_mgmt_t domain
-domain_auto_trans(ipsec_t, shell_exec_t, ipsec_mgmt_t)
-allow ipsec_mgmt_t ipsec_t:fd use;
-
-# the default updown script wants to run route
-can_exec(ipsec_mgmt_t, sbin_t)
-allow ipsec_mgmt_t sbin_t:lnk_file read;
-allow ipsec_mgmt_t self:capability { net_admin dac_override };
-
-# need access to /proc/sys/net/ipsec/icmp
-allow ipsec_mgmt_t sysctl_t:file write;
-allow ipsec_mgmt_t sysctl_net_t:dir search;
-allow ipsec_mgmt_t sysctl_net_t:file { write setattr };
-
-# whack needs to be able to read/write pluto.ctl
-allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
-# and it wants to connect to a socket...
-allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
-allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write };
-
-# allow system administrator to use the ipsec script to look
-# at things (e.g., ipsec auto --status)
-# probably should create an ipsec_admin role for this kind of thing
-can_exec(sysadm_t, ipsec_mgmt_exec_t)
-allow sysadm_t ipsec_t:unix_stream_socket connectto;
-
-# _realsetup needs to be able to cat /var/run/pluto.pid,
-# run ps on that pid, and delete the file
-allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms;
-
-allow ipsec_mgmt_t boot_t:dir search;
-allow ipsec_mgmt_t system_map_t:file { read getattr };
-
-# denials when ps tries to search /proc. Do not audit these denials.
-dontaudit ipsec_mgmt_t domain:dir r_dir_perms;
-
-# suppress audit messages about unnecessary socket access
-dontaudit ipsec_mgmt_t domain:key_socket { read write };
-dontaudit ipsec_mgmt_t domain:udp_socket { read write };
-
-# from rbac
-role system_r types { ipsec_t ipsec_mgmt_t };
-
-# from initrc.te
-domain_auto_trans(initrc_t, ipsec_mgmt_exec_t, ipsec_mgmt_t)
-domain_auto_trans(initrc_t, ipsec_exec_t, ipsec_t)
-
-
-########## The following rules were added by cvance@tislabs.com ##########
-
-# allow pluto and startup scripts to access /dev/urandom
-allow { ipsec_t ipsec_mgmt_t } { urandom_device_t random_device_t }:chr_file r_file_perms;
-
-# allow pluto to access /proc/net/ipsec_eroute;
-general_proc_read_access(ipsec_t)
-general_proc_read_access(ipsec_mgmt_t)
-
-# allow pluto to search the root directory (not sure why, but mostly harmless)
-# Are these all really necessary?
-allow ipsec_t var_t:dir search;
-allow ipsec_t bin_t:dir search;
-allow ipsec_t device_t:dir { getattr search };
-allow ipsec_mgmt_t device_t:dir { getattr search read };
-dontaudit ipsec_mgmt_t tty_device_t:chr_file getattr;
-dontaudit ipsec_mgmt_t devpts_t:dir getattr;
-allow ipsec_mgmt_t etc_t:lnk_file read;
-allow ipsec_mgmt_t var_t:dir search;
-allow ipsec_mgmt_t sbin_t:dir search;
-allow ipsec_mgmt_t bin_t:dir search;
-allow ipsec_mgmt_t ipsec_var_run_t:file { getattr read };
-
-# Startup scripts
-# use libraries
-uses_shlib({ ipsec_t ipsec_mgmt_t })
-# Read and write /dev/tty
-allow ipsec_mgmt_t devtty_t:chr_file rw_file_perms;
-# fork
-allow ipsec_mgmt_t self:process fork;
-# startup script runs /bin/gawk with a pipe
-allow ipsec_mgmt_t self:fifo_file rw_file_perms;
-# read /etc/mtab Why?
-allow ipsec_mgmt_t etc_runtime_t:file { read getattr };
-# read link for /bin/sh 
-allow { ipsec_t ipsec_mgmt_t } bin_t:lnk_file read;
-
-#
-allow ipsec_mgmt_t self:process { sigchld signal setrlimit };
-
-# Allow read/write access to /var/run/pluto.ctl
-allow ipsec_t self:unix_stream_socket {create setopt bind listen accept read write };
-
-# Pluto needs network access
-can_network_server(ipsec_t)
-can_ypbind(ipsec_t)
-allow ipsec_t self:unix_dgram_socket create_socket_perms;
-
-# for sleep
-allow ipsec_mgmt_t fs_t:filesystem getattr;
-
-# for the start script
-can_exec(ipsec_mgmt_t, etc_t)
-
-# allow access to /etc/localtime
-allow ipsec_mgmt_t etc_t:file { read getattr };
-allow ipsec_t etc_t:file { read getattr };
-
-# allow access to /dev/null
-allow ipsec_mgmt_t null_device_t:chr_file rw_file_perms;
-allow ipsec_t null_device_t:chr_file rw_file_perms;
-
-# Allow scripts to use /var/lock/subsys/ipsec
-lock_domain(ipsec_mgmt)
-
-# allow tncfg to create sockets
-allow ipsec_mgmt_t self:udp_socket { create ioctl };
-
-#When running ipsec auto --up <conname>
-allow ipsec_t self:process { fork sigchld };
-allow ipsec_t self:fifo_file { read getattr };
-
-# ideally it would not need this.  It wants to write to /root/.rnd
-file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
-
-allow ipsec_mgmt_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write ioctl };
-allow ipsec_t initrc_devpts_t:chr_file { getattr read write };
-allow ipsec_mgmt_t self:lnk_file read;
-
-allow ipsec_mgmt_t self:capability { sys_tty_config dac_read_search };
-read_locale(ipsec_mgmt_t)
-var_run_domain(ipsec_mgmt)
-dontaudit ipsec_mgmt_t default_t:dir getattr;
-dontaudit ipsec_mgmt_t default_t:file getattr;
-allow ipsec_mgmt_t tmpfs_t:dir { getattr read };
-allow ipsec_mgmt_t self:key_socket { create setopt };
-can_exec(ipsec_mgmt_t, initrc_exec_t)
-allow ipsec_t self:netlink_xfrm_socket create_socket_perms;
-allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
-read_locale(ipsec_t)
-ifdef(`consoletype.te', `
-can_exec(ipsec_mgmt_t, consoletype_exec_t )
-')
-dontaudit ipsec_mgmt_t selinux_config_t:dir search;
-dontaudit ipsec_t ttyfile:chr_file { read write };
-allow ipsec_t self:capability { dac_override dac_read_search };
-allow ipsec_t { isakmp_port_t reserved_port_t }:udp_socket name_bind;
-allow ipsec_mgmt_t dev_fs:file_class_set getattr;
-dontaudit ipsec_mgmt_t device_t:lnk_file read;
-allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
-allow ipsec_mgmt_t sysctl_net_t:file { getattr read };
-rw_dir_create_file(ipsec_mgmt_t, ipsec_var_run_t)
-rw_dir_create_file(initrc_t, ipsec_var_run_t)
-allow initrc_t ipsec_conf_file_t:file { getattr read ioctl };
diff --git a/mls/domains/program/iptables.te b/mls/domains/program/iptables.te
deleted file mode 100644
index 8d83280..0000000
--- a/mls/domains/program/iptables.te
+++ /dev/null
@@ -1,63 +0,0 @@
-#DESC Ipchains - IP packet filter administration
-#
-# Authors:  Justin Smith <jsmith@mcs.drexel.edu>
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: ipchains iptables
-#
-
-#
-# Rules for the iptables_t domain.
-#
-daemon_base_domain(iptables, `, privmodule')
-role sysadm_r types iptables_t;
-domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)
-
-ifdef(`modutil.te', `
-# for modprobe
-allow iptables_t sbin_t:dir search;
-allow iptables_t sbin_t:lnk_file read;
-')
-
-read_locale(iptables_t)
-
-# to allow rules to be saved on reboot
-allow iptables_t initrc_tmp_t:file rw_file_perms;
-
-domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)
-allow iptables_t var_t:dir search;
-var_run_domain(iptables)
-
-allow iptables_t self:process { fork signal_perms };
-
-allow iptables_t { sysctl_t sysctl_kernel_t }:dir search;
-allow iptables_t sysctl_modprobe_t:file { getattr read };
-
-tmp_domain(iptables)
-
-# for iptables -L
-allow iptables_t self:unix_stream_socket create_socket_perms;
-can_resolve(iptables_t)
-can_ypbind(iptables_t)
-
-allow iptables_t iptables_exec_t:file execute_no_trans;
-allow iptables_t self:capability { net_admin net_raw };
-allow iptables_t self:rawip_socket create_socket_perms;
-
-allow iptables_t etc_t:file { getattr read };
-
-allow iptables_t fs_t:filesystem getattr;
-allow iptables_t { userdomain kernel_t }:fd use;
-
-# Access terminals.
-allow iptables_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;')
-
-allow iptables_t proc_t:file { getattr read };
-allow iptables_t proc_net_t:dir search;
-allow iptables_t proc_net_t:file { read getattr };
-
-# system-config-network appends to /var/log
-allow iptables_t var_log_t:file append;
-ifdef(`firstboot.te', `
-allow iptables_t firstboot_t:fifo_file write;
-')
diff --git a/mls/domains/program/irc.te b/mls/domains/program/irc.te
deleted file mode 100644
index 50c1122..0000000
--- a/mls/domains/program/irc.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC Irc - IRC client
-#
-# Domains for the irc program.
-# X-Debian-Packages: tinyirc ircii
-
-#
-# irc_exec_t is the type of the irc executable.
-#
-type irc_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the irc_domain macro in
-# macros/program/irc_macros.te.
diff --git a/mls/domains/program/irqbalance.te b/mls/domains/program/irqbalance.te
deleted file mode 100644
index 35be192..0000000
--- a/mls/domains/program/irqbalance.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#DESC IRQBALANCE - IRQ balance daemon
-#
-# Author:  Ulrich Drepper <drepper@redhat.com>
-#
-
-#################################
-#
-# Rules for the irqbalance_t domain.
-#
-daemon_domain(irqbalance)
-
-# irqbalance needs access to /proc.
-allow irqbalance_t proc_t:file { read getattr };
-allow irqbalance_t sysctl_irq_t:dir r_dir_perms;
-allow irqbalance_t sysctl_irq_t:file rw_file_perms;
diff --git a/mls/domains/program/java.te b/mls/domains/program/java.te
deleted file mode 100644
index dfd0372..0000000
--- a/mls/domains/program/java.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#DESC Java VM 
-#
-# Authors: Dan Walsh <dwalsh@redhat.com> 
-# X-Debian-Packages: java
-#
-
-# Type for the netscape, java or other browser executables.
-type java_exec_t, file_type, sysadmfile, exec_type;
-
-# Allow java executable stack
-bool allow_java_execstack false;
-
-# Everything else is in the java_domain macro in
-# macros/program/java_macros.te.
diff --git a/mls/domains/program/kerberos.te b/mls/domains/program/kerberos.te
deleted file mode 100644
index 19cc3c4..0000000
--- a/mls/domains/program/kerberos.te
+++ /dev/null
@@ -1,91 +0,0 @@
-#DESC Kerberos5 - MIT Kerberos5
-# supports krb5kdc and kadmind daemons
-# kinit, kdestroy, klist clients
-# ksu support not complete
-#
-# includes rules for OpenSSH daemon compiled with both
-# kerberos5 and SELinux support
-#
-# Not supported : telnetd, ftpd, kprop/kpropd daemons
-#
-# Author:   Kerry Thompson <kerry@crypt.gen.nz>
-# Modified by Colin Walters <walters@redhat.com>
-# 
-
-#################################
-#
-# Rules for the krb5kdc_t,kadmind_t domains.
-#
-daemon_domain(krb5kdc)
-daemon_domain(kadmind)
-
-can_exec(krb5kdc_t, krb5kdc_exec_t)
-can_exec(kadmind_t, kadmind_exec_t)
-
-# types for general configuration files in /etc
-type krb5_keytab_t, file_type, sysadmfile, secure_file_type;
-
-# types for KDC configs and principal file(s)
-type krb5kdc_conf_t, file_type, sysadmfile;
-type krb5kdc_principal_t, file_type, sysadmfile;
-
-# Use capabilities. Surplus capabilities may be allowed.
-allow krb5kdc_t self:capability { setuid setgid net_admin net_bind_service chown fowner dac_override sys_nice };
-allow kadmind_t self:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice };
-
-# krb5kdc and kadmind can use network
-can_network_server( { krb5kdc_t kadmind_t } )
-can_ypbind( { krb5kdc_t kadmind_t } )
-
-# allow UDP transfer to/from any program
-can_udp_send(kerberos_port_t, krb5kdc_t)
-can_udp_send(krb5kdc_t, kerberos_port_t)
-can_tcp_connect(kerberos_port_t, krb5kdc_t)
-can_tcp_connect(kerberos_admin_port_t, kadmind_t)
-
-# Bind to the kerberos, kerberos-adm ports.
-allow krb5kdc_t kerberos_port_t:{ udp_socket tcp_socket } name_bind;
-allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;
-allow kadmind_t reserved_port_t:tcp_socket name_bind;
-dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;
-
-#
-# Rules for Kerberos5 KDC daemon
-allow krb5kdc_t self:unix_dgram_socket create_socket_perms;
-allow krb5kdc_t self:unix_stream_socket create_socket_perms;
-allow kadmind_t  self:unix_stream_socket create_socket_perms;
-allow krb5kdc_t krb5kdc_conf_t:dir search;
-allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
-allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
-dontaudit krb5kdc_t krb5kdc_principal_t:file write;
-allow krb5kdc_t locale_t:file { getattr read };
-dontaudit krb5kdc_t krb5kdc_conf_t:file write;
-allow { kadmind_t krb5kdc_t } etc_t:dir { getattr search };
-allow { kadmind_t krb5kdc_t } etc_t:file { getattr read };
-allow { kadmind_t krb5kdc_t } krb5_conf_t:file r_file_perms;
-dontaudit { kadmind_t krb5kdc_t } krb5_conf_t:file write;
-tmp_domain(krb5kdc)
-log_domain(krb5kdc)
-allow { kadmind_t krb5kdc_t } urandom_device_t:chr_file { getattr read };
-allow kadmind_t random_device_t:chr_file { getattr read };
-allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
-allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
-allow krb5kdc_t proc_t:dir r_dir_perms;
-allow krb5kdc_t proc_t:file { getattr read };
-
-#
-# Rules for Kerberos5 Kadmin daemon
-allow kadmind_t self:unix_dgram_socket { connect create write };
-allow kadmind_t krb5kdc_conf_t:dir search;
-allow kadmind_t krb5kdc_conf_t:file r_file_perms;
-allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
-read_locale(kadmind_t)
-dontaudit kadmind_t krb5kdc_conf_t:file write;
-tmp_domain(kadmind)
-log_domain(kadmind)
-
-#
-# Allow user programs to talk to KDC
-allow krb5kdc_t userdomain:udp_socket recvfrom;
-allow userdomain krb5kdc_t:udp_socket recvfrom;
-allow initrc_t krb5_conf_t:file ioctl;
diff --git a/mls/domains/program/klogd.te b/mls/domains/program/klogd.te
deleted file mode 100644
index dd0b79c..0000000
--- a/mls/domains/program/klogd.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC Klogd - Kernel log daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: klogd
-#
-
-#################################
-#
-# Rules for the klogd_t domain.
-#
-daemon_domain(klogd, `, privmem, privkmsg, mlsfileread')
-
-tmp_domain(klogd)
-allow klogd_t proc_t:dir r_dir_perms;
-allow klogd_t proc_t:lnk_file r_file_perms;
-allow klogd_t proc_t:file { getattr read };
-allow klogd_t self:dir r_dir_perms;
-allow klogd_t self:lnk_file r_file_perms;
-
-# read /etc/nsswitch.conf
-allow klogd_t etc_t:lnk_file read;
-allow klogd_t etc_t:file r_file_perms;
-
-read_locale(klogd_t)
-
-allow klogd_t etc_runtime_t:file { getattr read };
-
-# Create unix sockets
-allow klogd_t self:unix_dgram_socket create_socket_perms;
-
-# Use the sys_admin and sys_rawio capabilities.
-allow klogd_t self:capability { sys_admin sys_rawio };
-dontaudit klogd_t self:capability sys_resource;
-
-
-# Read /proc/kmsg and /dev/mem.
-allow klogd_t proc_kmsg_t:file r_file_perms;
-allow klogd_t memory_device_t:chr_file r_file_perms;
-
-# Control syslog and console logging
-allow klogd_t kernel_t:system { syslog_mod syslog_console };
-
-# Read /boot/System.map*
-allow klogd_t system_map_t:file r_file_perms;
-allow klogd_t boot_t:dir r_dir_perms;
-ifdef(`targeted_policy', `
-allow klogd_t unconfined_t:system syslog_mod;
-')
diff --git a/mls/domains/program/ktalkd.te b/mls/domains/program/ktalkd.te
deleted file mode 100644
index 7ae0109..0000000
--- a/mls/domains/program/ktalkd.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#DESC ktalkd -  KDE version of the talk server 
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the ktalkd_t domain.
-#
-# ktalkd_exec_t is the type of the ktalkd executable.
-#
-
-inetd_child_domain(ktalkd, udp)
diff --git a/mls/domains/program/kudzu.te b/mls/domains/program/kudzu.te
deleted file mode 100644
index 9b64f98..0000000
--- a/mls/domains/program/kudzu.te
+++ /dev/null
@@ -1,117 +0,0 @@
-#DESC kudzu - Red Hat utility to recognise new hardware
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-daemon_base_domain(kudzu, `, etc_writer, privmodule, sysctl_kernel_writer, fs_domain, privmem')
-
-read_locale(kudzu_t)
-
-# for /etc/sysconfig/hwconf - probably need a new type
-allow kudzu_t etc_runtime_t:file rw_file_perms;
-
-# for kmodule
-if (allow_execmem) {
-allow kudzu_t self:process execmem;
-}
-allow kudzu_t zero_device_t:chr_file rx_file_perms;
-allow kudzu_t memory_device_t:chr_file { read write execute };
-
-allow kudzu_t ramfs_t:dir search;
-allow kudzu_t ramfs_t:sock_file write;
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-allow kudzu_t modules_conf_t:file { getattr read unlink rename };
-allow kudzu_t modules_object_t:dir r_dir_perms;
-allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
-allow kudzu_t mouse_device_t:chr_file { read write };
-allow kudzu_t proc_net_t:dir r_dir_perms;
-allow kudzu_t { proc_net_t proc_t }:file { getattr read };
-allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
-allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
-allow kudzu_t { bin_t sbin_t }:dir { getattr search };
-allow kudzu_t { bin_t sbin_t }:lnk_file read;
-read_sysctl(kudzu_t)
-allow kudzu_t sysctl_dev_t:dir { getattr search read };
-allow kudzu_t sysctl_dev_t:file { getattr read };
-allow kudzu_t sysctl_kernel_t:file write;
-allow kudzu_t usbdevfs_t:dir search;
-allow kudzu_t usbdevfs_t:file { getattr read };
-allow kudzu_t usbfs_t:dir search;
-allow kudzu_t usbfs_t:file { getattr read };
-var_run_domain(kudzu)
-allow kudzu_t kernel_t:system syslog_console;
-allow kudzu_t self:udp_socket { create ioctl };
-allow kudzu_t var_lock_t:dir search;
-allow kudzu_t devpts_t:dir search;
-
-# so it can write messages to the console
-allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms;
-
-role sysadm_r types kudzu_t;
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, kudzu_exec_t, kudzu_t)
-')
-ifdef(`anaconda.te', `
-domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
-')
-
-allow kudzu_t sysadm_home_dir_t:dir search;
-rw_dir_create_file(kudzu_t, etc_t)
-
-rw_dir_create_file(kudzu_t, mnt_t)
-can_exec(kudzu_t, { bin_t sbin_t init_exec_t })
-# Read /usr/lib/gconv/gconv-modules.*
-allow kudzu_t lib_t:file { read getattr };
-# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
-allow kudzu_t usr_t:file { read getattr };
-r_dir_file(kudzu_t, hwdata_t)
-
-# Communicate with rhgb-client.
-allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow kudzu_t self:unix_dgram_socket create_socket_perms;
-
-ifdef(`rhgb.te', `
-allow kudzu_t rhgb_t:unix_stream_socket connectto;
-')
-
-allow kudzu_t self:file { getattr read };
-allow kudzu_t self:fifo_file rw_file_perms;
-ifdef(`gpm.te', `
-allow kudzu_t gpmctl_t:sock_file getattr;
-')
-
-can_exec(kudzu_t, shell_exec_t)
-
-# Write to /proc/sys/kernel/hotplug.  Why?
-allow kudzu_t sysctl_hotplug_t:file { read write };
-
-allow kudzu_t sysfs_t:dir { getattr read search };
-allow kudzu_t sysfs_t:file { getattr read };
-allow kudzu_t sysfs_t:lnk_file read;
-file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file)
-allow kudzu_t tape_device_t:chr_file r_file_perms;
-tmp_domain(kudzu, `', `{ file dir chr_file }')
-
-# for file systems that are not yet mounted
-dontaudit kudzu_t file_t:dir search;
-ifdef(`lpd.te', `
-allow kudzu_t printconf_t:file { getattr read };
-')
-ifdef(`cups.te', `
-allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
-')
-dontaudit kudzu_t src_t:dir search;
-ifdef(`xserver.te', `
-allow kudzu_t xserver_exec_t:file getattr;
-')
-
-ifdef(`userhelper.te', `
-role system_r types sysadm_userhelper_t;
-domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
-', `
-unconfined_domain(kudzu_t)
-')
-
-allow kudzu_t initrc_t:unix_stream_socket connectto;
-allow kudzu_t net_conf_t:file { getattr read };
-
diff --git a/mls/domains/program/ldconfig.te b/mls/domains/program/ldconfig.te
deleted file mode 100644
index fbb7688..0000000
--- a/mls/domains/program/ldconfig.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#DESC Ldconfig - Configure dynamic linker bindings
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: libc6
-#
-
-#################################
-#
-# Rules for the ldconfig_t domain.
-#
-type ldconfig_t, domain, privlog, etc_writer;
-type ldconfig_exec_t, file_type, sysadmfile, exec_type;
-
-role sysadm_r types ldconfig_t;
-role system_r types ldconfig_t;
-
-domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
-dontaudit ldconfig_t device_t:dir search;
-can_access_pty(ldconfig_t, initrc)
-allow ldconfig_t admin_tty_type:chr_file rw_file_perms;
-allow ldconfig_t privfd:fd use;
-
-uses_shlib(ldconfig_t)
-
-file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)
-allow ldconfig_t lib_t:dir rw_dir_perms;
-allow ldconfig_t lib_t:lnk_file create_lnk_perms;
-
-allow ldconfig_t userdomain:fd use;
-# unlink for when /etc/ld.so.cache is mislabeled
-allow ldconfig_t etc_t:file { getattr read unlink };
-allow ldconfig_t etc_t:lnk_file read;
-
-allow ldconfig_t fs_t:filesystem getattr;
-allow ldconfig_t tmp_t:dir search;
-
-ifdef(`apache.te', `
-# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
-dontaudit ldconfig_t httpd_modules_t:dir search;
-')
-
-allow ldconfig_t { var_t var_lib_t }:dir search;
-allow ldconfig_t proc_t:file { getattr read };
-ifdef(`hide_broken_symptoms', `
-ifdef(`unconfined.te',`
-dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
-');
-')dnl end hide_broken_symptoms
-ifdef(`targeted_policy', `
-allow ldconfig_t lib_t:file r_file_perms;
-unconfined_domain(ldconfig_t) 
-')
diff --git a/mls/domains/program/load_policy.te b/mls/domains/program/load_policy.te
deleted file mode 100644
index 3d43900..0000000
--- a/mls/domains/program/load_policy.te
+++ /dev/null
@@ -1,65 +0,0 @@
-#DESC LoadPolicy - SELinux policy loading utilities
-#
-# Authors:  Frank Mayer, mayerf@tresys.com
-# X-Debian-Packages: policycoreutils
-#
-
-###########################
-# load_policy_t is the domain type for load_policy 
-# load_policy_exec_t is the file type for the executable
-
-# boolean to determine whether the system permits loading policy, setting
-# enforcing mode, and changing boolean values.  Set this to true and you
-# have to reboot to set it back
-bool secure_mode_policyload false;
-
-type load_policy_t, domain;
-role sysadm_r types load_policy_t;
-role secadm_r types load_policy_t;
-role system_r types load_policy_t;
-
-type load_policy_exec_t, file_type, exec_type, sysadmfile;
-
-##########################
-# 
-# Rules
-
-domain_auto_trans(secadmin, load_policy_exec_t, load_policy_t)
-
-allow load_policy_t console_device_t:chr_file { read write };
-
-# Reload the policy configuration (sysadm_t no longer has this ability)
-can_loadpol(load_policy_t)
-
-# Reset policy boolean values.
-can_setbool(load_policy_t)
-
-
-###########################
-# constrain from where load_policy can load a policy, specifically 
-# policy_config_t files 
-#
-
-# only allow read of policy config files
-allow load_policy_t policy_src_t:dir search;
-r_dir_file(load_policy_t, policy_config_t)
-r_dir_file(load_policy_t, selinux_config_t)
-
-# directory search permissions for path to binary policy files
-allow load_policy_t root_t:dir search;
-allow load_policy_t etc_t:dir search;
-
-# for mcs.conf
-allow load_policy_t etc_t:file { getattr read };
-
-# Other access
-can_access_pty(load_policy_t, initrc)
-allow load_policy_t { admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
-uses_shlib(load_policy_t)
-allow load_policy_t self:capability dac_override;
-
-allow load_policy_t { userdomain privfd initrc_t }:fd use;
-
-allow load_policy_t fs_t:filesystem getattr;
-
-read_locale(load_policy_t)
diff --git a/mls/domains/program/loadkeys.te b/mls/domains/program/loadkeys.te
deleted file mode 100644
index 0959762..0000000
--- a/mls/domains/program/loadkeys.te
+++ /dev/null
@@ -1,45 +0,0 @@
-#DESC loadkeys - for changing to unicode at login time
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-# X-Debian-Packages: console-tools
-
-#
-# loadkeys_exec_t is the type of the wrapper
-#
-type loadkeys_exec_t, file_type, sysadmfile, exec_type;
-
-can_exec(initrc_t, loadkeys_exec_t)
-
-# Derived domain based on the calling user domain and the program.
-type loadkeys_t, domain;
-
-# Transition from the user domain to this domain.
-domain_auto_trans(unpriv_userdomain, loadkeys_exec_t, loadkeys_t)
-
-uses_shlib(loadkeys_t)
-dontaudit loadkeys_t proc_t:dir search;
-allow loadkeys_t proc_t:file { getattr read };
-allow loadkeys_t self:process { fork sigchld };
-
-allow loadkeys_t self:fifo_file rw_file_perms;
-allow loadkeys_t bin_t:dir search;
-allow loadkeys_t bin_t:lnk_file read;
-can_exec(loadkeys_t, { shell_exec_t bin_t })
-
-read_locale(loadkeys_t)
-
-dontaudit loadkeys_t etc_runtime_t:file { getattr read };
-
-# Use capabilities.
-allow loadkeys_t self:capability { setuid sys_tty_config };
-
-allow loadkeys_t local_login_t:fd use;
-allow loadkeys_t devtty_t:chr_file rw_file_perms;
-
-# The user role is authorized for this domain.
-in_user_role(loadkeys_t)
-
-# Write to the user domain tty.
-allow loadkeys_t ttyfile:chr_file rw_file_perms;
-
diff --git a/mls/domains/program/lockdev.te b/mls/domains/program/lockdev.te
deleted file mode 100644
index adb2a77..0000000
--- a/mls/domains/program/lockdev.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#DESC Lockdev - libblockdev helper application
-#
-# Authors:  Daniel Walsh <dwalsh@redhat.com> 
-#
-
-
-# Type for the lockdev
-type lockdev_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the lockdev_domain macro in
-# macros/program/lockdev_macros.te.
diff --git a/mls/domains/program/login.te b/mls/domains/program/login.te
deleted file mode 100644
index ad9fab0..0000000
--- a/mls/domains/program/login.te
+++ /dev/null
@@ -1,234 +0,0 @@
-#DESC Login - Local/remote login utilities
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# Macroised by Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: login
-#
-
-#################################
-# 
-# Rules for the local_login_t domain
-# and the remote_login_t domain.
-#
-
-# $1 is the name of the domain (local or remote)
-define(`login_domain', `
-type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
-role system_r types $1_login_t;
-
-dontaudit $1_login_t shadow_t:file { getattr read };
-
-general_domain_access($1_login_t);
-
-# Read system information files in /proc.
-r_dir_file($1_login_t, proc_t)
-
-base_file_read_access($1_login_t)
-
-# Read directories and files with the readable_t type.
-# This type is a general type for "world"-readable files.
-allow $1_login_t readable_t:dir r_dir_perms;
-allow $1_login_t readable_t:notdevfile_class_set r_file_perms;
-
-# Read /var, /var/spool
-allow $1_login_t { var_t var_spool_t }:dir search;
-
-# for when /var/mail is a sym-link
-allow $1_login_t var_t:lnk_file read;
-
-# Read /etc.
-r_dir_file($1_login_t, etc_t)
-allow $1_login_t etc_runtime_t:{ file lnk_file } r_file_perms;
-
-read_locale($1_login_t)
-
-# for SSP/ProPolice
-allow $1_login_t urandom_device_t:chr_file { getattr read };
-
-# Read executable types.
-allow $1_login_t exec_type:{ file lnk_file } r_file_perms;
-
-# Read /dev directories and any symbolic links.
-allow $1_login_t device_t:dir r_dir_perms;
-allow $1_login_t device_t:lnk_file r_file_perms;
-
-uses_shlib($1_login_t);
-
-tmp_domain($1_login)
-
-ifdef(`pam.te', `
-can_exec($1_login_t, pam_exec_t)
-')
-
-ifdef(`pamconsole.te', `
-rw_dir_create_file($1_login_t, pam_var_console_t)
-domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t)
-')
-
-ifdef(`alsa.te', `
-domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
-')
-
-# Use capabilities
-allow $1_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
-allow $1_login_t self:process setrlimit;
-dontaudit $1_login_t sysfs_t:dir search;
-
-# Set exec context.
-can_setexec($1_login_t)
-
-allow $1_login_t autofs_t:dir { search read getattr };
-allow $1_login_t mnt_t:dir r_dir_perms;
-
-if (use_nfs_home_dirs) {
-r_dir_file($1_login_t, nfs_t)
-}
-
-if (use_samba_home_dirs) {
-r_dir_file($1_login_t, cifs_t)
-}
-
-# Login can polyinstantiate
-polyinstantiater($1_login_t)
-
-# FIXME: what is this for?
-ifdef(`xdm.te', `
-allow xdm_t $1_login_t:process signull;
-')
-
-ifdef(`crack.te', `
-allow $1_login_t crack_db_t:file r_file_perms;
-')
-
-# Permit login to search the user home directories.
-allow $1_login_t home_root_t:dir search;
-allow $1_login_t home_dir_type:dir search;
-
-# Write to /var/run/utmp.
-allow $1_login_t var_run_t:dir search;
-allow $1_login_t initrc_var_run_t:file rw_file_perms;
-
-# Write to /var/log/wtmp.
-allow $1_login_t var_log_t:dir search;
-allow $1_login_t wtmp_t:file rw_file_perms;
-
-# Write to /var/log/lastlog.
-allow $1_login_t lastlog_t:file rw_file_perms;
-
-# Write to /var/log/btmp
-allow $1_login_t faillog_t:file { lock append read write };
-
-# Search for mail spool file.
-allow $1_login_t mail_spool_t:dir r_dir_perms;
-allow $1_login_t mail_spool_t:file getattr;
-allow $1_login_t mail_spool_t:lnk_file read;
-
-# Get security policy decisions.
-can_getsecurity($1_login_t)
-
-# allow read access to default_contexts in /etc/security
-allow $1_login_t default_context_t:file r_file_perms;
-allow $1_login_t default_context_t:dir search;
-r_dir_file($1_login_t, selinux_config_t)
-
-allow $1_login_t mouse_device_t:chr_file { getattr setattr };
-
-ifdef(`targeted_policy',`
-unconfined_domain($1_login_t)
-domain_auto_trans($1_login_t, shell_exec_t, unconfined_t)
-')
-
-')dnl end login_domain macro
-#################################
-#
-# Rules for the local_login_t domain.
-#
-# local_login_t is the domain of a login process 
-# spawned by getty.
-#
-# remote_login_t is the domain of a login process 
-# spawned by rlogind.
-#
-# login_exec_t is the type of the login program
-#
-type login_exec_t, file_type, sysadmfile, exec_type;
-
-login_domain(local)
-
-# But also permit other user domains to be entered by login.
-login_spawn_domain(local_login, userdomain)
-
-# Do not audit denied attempts to access devices.
-dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };
-dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
-dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr };
-dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr };
-dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
-dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
-dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
-dontaudit local_login_t removable_device_t:chr_file { getattr setattr };
-dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
-
-# Do not audit denied attempts to access /mnt.
-dontaudit local_login_t mnt_t:dir r_dir_perms;
-
-
-# Create lock file.
-lock_domain(local_login)
-
-# Read and write ttys.
-allow local_login_t tty_device_t:chr_file { setattr rw_file_perms };
-allow local_login_t ttyfile:chr_file { setattr rw_file_perms };
-
-# Relabel ttys.
-allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto };
-allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto };
-
-ifdef(`gpm.te',
-`allow local_login_t gpmctl_t:sock_file { getattr setattr };')
-
-# Allow setting of attributes on sound devices.
-allow local_login_t sound_device_t:chr_file { getattr setattr };
-
-# Allow setting of attributes on power management devices.
-allow local_login_t power_device_t:chr_file { getattr setattr };
-dontaudit local_login_t init_t:fd use;
-
-#################################
-#
-# Rules for the remote_login_t domain.
-#
-
-login_domain(remote)
-
-# Only permit unprivileged user domains to be entered via rlogin,
-# since very weak authentication is used.
-login_spawn_domain(remote_login, unpriv_userdomain)
-
-allow remote_login_t userpty_type:chr_file { setattr write };
-
-# Use the pty created by rlogind.
-ifdef(`rlogind.te', `
-can_access_pty(remote_login_t, rlogind)
-# Relabel ptys created by rlogind.
-allow remote_login_t rlogind_devpts_t:chr_file { setattr relabelfrom relabelto };
-')
-
-# Use the pty created by telnetd.
-ifdef(`telnetd.te', `
-can_access_pty(remote_login_t, telnetd)
-# Relabel ptys created by telnetd.
-allow remote_login_t telnetd_devpts_t:chr_file { setattr relabelfrom relabelto };
-')
-
-allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
-allow remote_login_t fs_t:filesystem { getattr };
-
-# Allow remote login to resolve host names (passed in via the -h switch)
-can_resolve(remote_login_t)
-
-ifdef(`use_mcs', `
-ifdef(`getty.te', `
-range_transition getty_t login_exec_t s0 - s0:c0.c127;
-')
-')
diff --git a/mls/domains/program/logrotate.te b/mls/domains/program/logrotate.te
deleted file mode 100644
index 9f71da6..0000000
--- a/mls/domains/program/logrotate.te
+++ /dev/null
@@ -1,150 +0,0 @@
-#DESC Logrotate - Rotate log files
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>   Timothy Fraser  
-#           Russell Coker <rcoker@redhat.com>
-# X-Debian-Packages: logrotate
-# Depends: crond.te
-#
-
-#################################
-#
-# Rules for the logrotate_t domain.
-#
-# logrotate_t is the domain for the logrotate program.
-# logrotate_exec_t is the type of the corresponding program.
-#
-type logrotate_t, domain, privowner, privmail, priv_system_role, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade;
-role system_r types logrotate_t;
-role sysadm_r types logrotate_t;
-uses_shlib(logrotate_t)
-general_domain_access(logrotate_t)
-type logrotate_exec_t, file_type, sysadmfile, exec_type;
-
-system_crond_entry(logrotate_exec_t, logrotate_t)
-allow logrotate_t cron_spool_t:dir search;
-allow crond_t logrotate_var_lib_t:dir search;
-domain_auto_trans(sysadm_t, logrotate_exec_t, logrotate_t)
-allow logrotate_t self:unix_stream_socket create_socket_perms;
-allow logrotate_t devtty_t:chr_file rw_file_perms;
-
-ifdef(`distro_debian', `
-allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
-# for savelog
-can_exec(logrotate_t, logrotate_exec_t)
-')
-
-# for perl
-allow logrotate_t usr_t:file { getattr read ioctl };
-allow logrotate_t usr_t:lnk_file read;
-
-# access files in /etc
-allow logrotate_t etc_t:file { getattr read ioctl };
-allow logrotate_t etc_t:lnk_file { getattr read };
-allow logrotate_t etc_runtime_t:file r_file_perms;
-
-# it should not require this
-allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };
-
-# create lock files
-lock_domain(logrotate)
-
-# Create temporary files.
-tmp_domain(logrotate)
-can_exec(logrotate_t, logrotate_tmp_t)
-
-# Run helper programs.
-allow logrotate_t { bin_t sbin_t }:dir r_dir_perms;
-allow logrotate_t { bin_t sbin_t }:lnk_file read;
-can_exec(logrotate_t, { bin_t sbin_t shell_exec_t ls_exec_t })
-
-# Read PID files.
-allow logrotate_t pidfile:file r_file_perms;
-
-# Read /proc/PID directories for all domains.
-read_sysctl(logrotate_t)
-allow logrotate_t proc_t:dir r_dir_perms;
-allow logrotate_t proc_t:{ file lnk_file } r_file_perms;
-allow logrotate_t domain:notdevfile_class_set r_file_perms;
-allow logrotate_t domain:dir r_dir_perms;
-allow logrotate_t exec_type:file getattr;
-
-# Read /dev directories and any symbolic links.
-allow logrotate_t device_t:dir r_dir_perms;
-allow logrotate_t device_t:lnk_file r_file_perms;
-
-# Signal processes.
-allow logrotate_t domain:process signal;
-
-# Modify /var/log and other log dirs.
-allow logrotate_t var_t:dir r_dir_perms;
-allow logrotate_t logfile:dir rw_dir_perms;
-allow logrotate_t logfile:lnk_file read;
-
-# Create, rename, and truncate log files.
-allow logrotate_t logfile:file create_file_perms;
-allow logrotate_t wtmp_t:file create_file_perms;
-ifdef(`squid.te', `
-allow squid_t { system_crond_t crond_t }:fd use;
-allow squid_t crond_t:fifo_file { read write };
-allow squid_t system_crond_t:fifo_file write;
-allow squid_t self:capability kill;
-')
-
-# Set a context other than the default one for newly created files.
-can_setfscreate(logrotate_t)
-
-# Change ownership on log files.
-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
-# for mailx
-dontaudit logrotate_t self:capability { setuid setgid };
-
-ifdef(`mta.te', `
-allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms;
-')
-
-# Access /var/run
-allow logrotate_t var_run_t:dir r_dir_perms;
-
-# for /var/lib/logrotate.status and /var/lib/logcheck
-var_lib_domain(logrotate)
-allow logrotate_t logrotate_var_lib_t:dir create;
-
-# Write to /var/spool/slrnpull - should be moved into its own type.
-create_dir_file(logrotate_t, var_spool_t)
-
-allow logrotate_t urandom_device_t:chr_file { getattr read };
-
-# Access terminals.
-allow logrotate_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;')
-allow logrotate_t privfd:fd use;
-
-# for /var/backups on Debian
-ifdef(`backup.te', `
-rw_dir_create_file(logrotate_t, backup_store_t)
-')
-
-read_locale(logrotate_t)
-
-allow logrotate_t fs_t:filesystem getattr;
-can_exec(logrotate_t, shell_exec_t)
-ifdef(`hostname.te', `can_exec(logrotate_t, hostname_exec_t)')
-can_exec(logrotate_t,logfile)
-allow logrotate_t net_conf_t:file { getattr read };
-
-ifdef(`consoletype.te', `
-can_exec(logrotate_t, consoletype_exec_t)
-dontaudit consoletype_t logrotate_t:fd use;
-')
-
-allow logrotate_t syslogd_t:unix_dgram_socket sendto;
-
-domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)
-
-# Supress libselinux initialization denials
-dontaudit logrotate_t selinux_config_t:dir search;
-dontaudit logrotate_t selinux_config_t:file { read getattr };
-
-# Allow selinux_getenforce 
-allow logrotate_t security_t:dir search;
-allow logrotate_t security_t:file { getattr read };
diff --git a/mls/domains/program/lpd.te b/mls/domains/program/lpd.te
deleted file mode 100644
index 76cd44d..0000000
--- a/mls/domains/program/lpd.te
+++ /dev/null
@@ -1,161 +0,0 @@
-#DESC Lpd - Print server
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# Modified by David A. Wheeler <dwheeler@ida.org> for LPRng (Red Hat 7.1)
-# Modified by Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: lpr
-#
-
-#################################
-#
-# Rules for the lpd_t domain.
-#
-# lpd_t is the domain of lpd.
-# lpd_exec_t is the type of the lpd executable.
-# printer_t is the type of the Unix domain socket created
-# by lpd.
-#
-daemon_domain(lpd)
-
-allow lpd_t lpd_var_run_t:sock_file create_file_perms;
-
-read_fonts(lpd_t)
-
-type printer_t, file_type, sysadmfile, dev_fs;
-
-type printconf_t, file_type, sysadmfile;   # Type for files in /usr/share/printconf.
-
-tmp_domain(lpd);
-
-# for postscript include files
-allow lpd_t usr_t:{ file lnk_file } { getattr read };
-
-# Allow checkpc to access the lpd spool so it can check & fix it.
-# This requires that /usr/sbin/checkpc have type checkpc_t.
-type checkpc_t, domain, privlog;
-role system_r types checkpc_t;
-uses_shlib(checkpc_t)
-can_network_client(checkpc_t)
-allow checkpc_t port_type:tcp_socket name_connect;
-can_ypbind(checkpc_t)
-log_domain(checkpc)
-type checkpc_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(initrc_t, checkpc_exec_t, checkpc_t)
-domain_auto_trans(sysadm_t, checkpc_exec_t, checkpc_t)
-role sysadm_r types checkpc_t;
-allow checkpc_t admin_tty_type:chr_file { read write };
-allow checkpc_t privfd:fd use;
-ifdef(`crond.te', `
-system_crond_entry(checkpc_exec_t, checkpc_t)
-')
-allow checkpc_t self:capability { setgid setuid dac_override };
-allow checkpc_t self:process { fork signal_perms };
-
-allow checkpc_t proc_t:dir search;
-allow checkpc_t proc_t:lnk_file read;
-allow checkpc_t proc_t:file { getattr read };
-r_dir_file(checkpc_t, self)
-allow checkpc_t self:unix_stream_socket create_socket_perms;
-
-allow checkpc_t { etc_t etc_runtime_t }:file { getattr read };
-allow checkpc_t etc_t:lnk_file read;
-
-allow checkpc_t { var_t var_spool_t }:dir { getattr search };
-allow checkpc_t print_spool_t:file { rw_file_perms unlink };
-allow checkpc_t print_spool_t:dir { read write search add_name remove_name getattr };
-allow checkpc_t device_t:dir search;
-allow checkpc_t printer_device_t:chr_file { getattr append };
-allow checkpc_t devtty_t:chr_file rw_file_perms;
-allow checkpc_t initrc_devpts_t:chr_file rw_file_perms;
-
-# Allow access to /dev/console through the fd:
-allow checkpc_t init_t:fd use;
-
-# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
-allow checkpc_t { bin_t sbin_t }:dir search;
-allow checkpc_t bin_t:lnk_file read;
-can_exec(checkpc_t, shell_exec_t)
-can_exec(checkpc_t, bin_t)
-
-# bash wants access to /proc/meminfo
-allow lpd_t proc_t:file { getattr read };
-
-# gs-gnu wants to read some sysctl entries, it seems to work without though
-dontaudit lpd_t { sysctl_t sysctl_kernel_t }:dir search;
-
-# for defoma
-r_dir_file(lpd_t, var_lib_t)
-
-allow checkpc_t var_run_t:dir search;
-allow checkpc_t lpd_var_run_t:dir { search getattr };
-
-# This is needed to permit chown to read /var/spool/lpd/lp.
-# This is opens up security more than necessary; this means that ANYTHING
-# running in the initrc_t domain can read the printer spool directory.
-# Perhaps executing /etc/rc.d/init.d/lpd should transition
-# to domain lpd_t, instead of waiting for executing lpd.
-allow initrc_t print_spool_t:dir read;
-
-# for defoma
-r_dir_file(lpd_t, readable_t)
-
-# Use capabilities.
-allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
-
-# Use the network.
-can_network_server(lpd_t)
-can_ypbind(lpd_t)
-allow lpd_t self:fifo_file rw_file_perms;
-allow lpd_t self:unix_stream_socket create_stream_socket_perms;
-allow lpd_t self:unix_dgram_socket create_socket_perms;
-
-allow lpd_t self:file { getattr read };
-allow lpd_t etc_runtime_t:file { getattr read };
-
-# Bind to the printer port.
-allow lpd_t printer_port_t:tcp_socket name_bind;
-
-# Send to portmap.
-ifdef(`portmap.te', `can_udp_send(lpd_t, portmap_t)')
-
-ifdef(`ypbind.te',
-`# Connect to ypbind.
-can_tcp_connect(lpd_t, ypbind_t)')
-
-# Create and bind to /dev/printer.
-file_type_auto_trans(lpd_t, device_t, printer_t, lnk_file)
-allow lpd_t printer_t:unix_stream_socket name_bind;
-allow lpd_t printer_t:unix_dgram_socket name_bind;
-allow lpd_t printer_device_t:chr_file rw_file_perms;
-
-# Write to /var/spool/lpd.
-allow lpd_t var_spool_t:dir search;
-allow lpd_t print_spool_t:dir rw_dir_perms;
-allow lpd_t print_spool_t:file create_file_perms;
-allow lpd_t print_spool_t:file rw_file_perms;
-
-# Execute filter scripts.
-# can_exec(lpd_t, print_spool_t)
-
-# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
-allow lpd_t bin_t:dir search;
-allow lpd_t bin_t:lnk_file read;
-can_exec(lpd_t, { bin_t sbin_t shell_exec_t })
-
-# lpd must be able to execute the filter utilities in /usr/share/printconf.
-can_exec(lpd_t, printconf_t)
-allow lpd_t printconf_t:file rx_file_perms;
-allow lpd_t printconf_t:dir { getattr search read };
-
-# config files for lpd are of type etc_t, probably should change this
-allow lpd_t etc_t:file { getattr read };
-allow lpd_t etc_t:lnk_file read;
-
-# checkpc needs similar permissions.
-allow checkpc_t printconf_t:file getattr;
-allow checkpc_t printconf_t:dir { getattr search read };
-
-# Read printconf files.
-allow initrc_t printconf_t:dir r_dir_perms;
-allow initrc_t printconf_t:file r_file_perms;
-
diff --git a/mls/domains/program/lpr.te b/mls/domains/program/lpr.te
deleted file mode 100644
index d8ec0c0..0000000
--- a/mls/domains/program/lpr.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC Lpr - Print client
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
-# X-Debian-Packages: lpr lprng
-#
-
-
-# Type for the lpr, lpq, and lprm executables.
-type lpr_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the lpr_domain macro in
-# macros/program/lpr_macros.te.
diff --git a/mls/domains/program/lvm.te b/mls/domains/program/lvm.te
deleted file mode 100644
index b2e47eb..0000000
--- a/mls/domains/program/lvm.te
+++ /dev/null
@@ -1,139 +0,0 @@
-#DESC LVM - Linux Volume Manager
-#
-# Author:  Michael Kaufman <walker@screwage.com>
-# X-Debian-Packages: lvm10 lvm2 lvm-common
-#
-
-#################################
-#
-# Rules for the lvm_t domain.
-#
-# lvm_t is the domain for LVM administration.
-# lvm_exec_t is the type of the corresponding programs.
-# lvm_etc_t is for read-only LVM configuration files.
-# lvm_metadata_t is the type of LVM metadata files in /etc that are
-# modified at runtime.
-#
-type lvm_vg_t, file_type, sysadmfile;
-type lvm_metadata_t, file_type, sysadmfile;
-type lvm_control_t, device_type, dev_fs;
-etcdir_domain(lvm)
-lock_domain(lvm)
-allow lvm_t lvm_lock_t:dir rw_dir_perms;
-
-# needs privowner because it assigns the identity system_u to device nodes
-# but runs as the identity of the sysadmin
-daemon_base_domain(lvm, `, fs_domain, privowner')
-role sysadm_r types lvm_t;
-domain_auto_trans(sysadm_t, lvm_exec_t, lvm_t)
-
-# LVM will complain a lot if it cannot set its priority.
-allow lvm_t self:process setsched;
-
-allow lvm_t self:fifo_file rw_file_perms;
-allow lvm_t self:unix_dgram_socket create_socket_perms;
-
-r_dir_file(lvm_t, proc_t)
-allow lvm_t self:file rw_file_perms;
-
-# Read system variables in /proc/sys
-read_sysctl(lvm_t)
-
-# Read /sys/block. Device mapper metadata is kept there.
-r_dir_file(lvm_t, sysfs_t) 
-
-allow lvm_t fs_t:filesystem getattr;
-
-# Read configuration files in /etc.
-allow lvm_t { etc_t etc_runtime_t }:file { getattr read };
-
-# LVM creates block devices in /dev/mapper or /dev/<vg>
-# depending on its version
-file_type_auto_trans(lvm_t, device_t, fixed_disk_device_t, blk_file)
-
-# LVM(2) needs to create directores (/dev/mapper, /dev/<vg>)
-# and links from /dev/<vg> to /dev/mapper/<vg>-<lv>
-allow lvm_t device_t:dir create_dir_perms;
-allow lvm_t device_t:lnk_file create_lnk_perms;
-
-# /lib/lvm-<version> holds the actual LVM binaries (and symlinks)
-allow lvm_t lvm_exec_t:dir search;
-allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms;
-
-tmp_domain(lvm)
-allow lvm_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl };
-
-# DAC overrides and mknod for modifying /dev entries (vgmknodes)
-allow lvm_t self:capability { chown dac_override ipc_lock sys_admin sys_nice sys_resource mknod };
-
-# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
-file_type_auto_trans(lvm_t, { etc_t lvm_etc_t }, lvm_metadata_t, file)
-
-allow lvm_t lvm_metadata_t:dir rw_dir_perms;
-
-# Inherit and use descriptors from init.
-allow lvm_t init_t:fd use;
-
-# LVM is split into many individual binaries
-can_exec(lvm_t, lvm_exec_t)
-
-# Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
-allow lvm_t fixed_disk_device_t:chr_file create_file_perms;
-
-# relabel devices
-allow lvm_t { default_context_t file_context_t }:dir search;
-allow lvm_t file_context_t:file { getattr read };
-can_getsecurity(lvm_t)
-allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto };
-allow lvm_t device_t:lnk_file { relabelfrom relabelto };
-
-# Access terminals.
-allow lvm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
-allow lvm_t devtty_t:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow lvm_t sysadm_gph_t:fd use;')
-allow lvm_t privfd:fd use;
-allow lvm_t devpts_t:dir { search getattr read };
-
-read_locale(lvm_t)
-
-# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
-dontaudit lvm_t device_type:{ chr_file blk_file } { getattr read };
-dontaudit lvm_t ttyfile:chr_file getattr;
-dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr;
-dontaudit lvm_t devpts_t:dir { getattr read };
-dontaudit lvm_t xconsole_device_t:fifo_file getattr;
-
-ifdef(`gpm.te', `
-dontaudit lvm_t gpmctl_t:sock_file getattr;
-')
-dontaudit lvm_t initctl_t:fifo_file getattr;
-allow lvm_t sbin_t:dir search;
-dontaudit lvm_t sbin_t:file { getattr read };
-allow lvm_t lvm_control_t:chr_file rw_file_perms;
-allow initrc_t lvm_control_t:chr_file { getattr read unlink };
-allow initrc_t device_t:chr_file create;
-var_run_domain(lvm)
-
-# for when /usr is not mounted
-dontaudit lvm_t file_t:dir search;
-
-allow lvm_t tmpfs_t:dir r_dir_perms;
-r_dir_file(lvm_t, selinux_config_t)
-
-# it has no reason to need this
-dontaudit lvm_t proc_kcore_t:file getattr;
-allow lvm_t var_t:dir { search getattr };
-allow lvm_t ramfs_t:filesystem unmount;
-
-# cluster LVM daemon
-daemon_domain(clvmd)
-can_network(clvmd_t)
-can_ypbind(clvmd_t)
-allow clvmd_t self:capability net_bind_service;
-allow clvmd_t self:socket create_socket_perms;
-allow clvmd_t self:fifo_file { read write };
-allow clvmd_t self:file { getattr read };
-allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow clvmd_t reserved_port_t:tcp_socket name_bind;
-dontaudit clvmd_t reserved_port_type:tcp_socket name_bind;
-dontaudit clvmd_t selinux_config_t:dir search;
diff --git a/mls/domains/program/mailman.te b/mls/domains/program/mailman.te
deleted file mode 100644
index 72fe6a7..0000000
--- a/mls/domains/program/mailman.te
+++ /dev/null
@@ -1,113 +0,0 @@
-#DESC Mailman - GNU Mailman mailing list manager
-#
-# Author: Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: mailman
-
-type mailman_data_t, file_type, sysadmfile;
-type mailman_archive_t, file_type, sysadmfile;
-
-type mailman_log_t, file_type, sysadmfile, logfile;
-type mailman_lock_t, file_type, sysadmfile, lockfile;
-
-define(`mailman_domain', `
-type mailman_$1_t, domain, privlog $2;
-type mailman_$1_exec_t, file_type, sysadmfile, exec_type;
-role system_r types mailman_$1_t;
-file_type_auto_trans(mailman_$1_t, var_log_t, mailman_log_t, file)
-allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
-create_dir_file(mailman_$1_t, mailman_data_t)
-uses_shlib(mailman_$1_t)
-can_exec_any(mailman_$1_t)
-read_sysctl(mailman_$1_t)
-allow mailman_$1_t proc_t:dir search;
-allow mailman_$1_t proc_t:file { read getattr };
-allow mailman_$1_t var_lib_t:dir r_dir_perms;
-allow mailman_$1_t var_lib_t:lnk_file read;
-allow mailman_$1_t device_t:dir search;
-allow mailman_$1_t etc_runtime_t:file { read getattr };
-read_locale(mailman_$1_t)
-file_type_auto_trans(mailman_$1_t, var_lock_t, mailman_lock_t, file)
-allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
-allow mailman_$1_t fs_t:filesystem getattr;
-can_network(mailman_$1_t)
-allow mailman_$1_t smtp_port_t:tcp_socket name_connect;
-can_ypbind(mailman_$1_t)
-allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
-allow mailman_$1_t var_t:dir r_dir_perms;
-tmp_domain(mailman_$1)
-')
-
-mailman_domain(queue, `, auth_chkpwd, nscd_client_domain')
-can_tcp_connect(mailman_queue_t, mail_server_domain)
-
-can_exec(mailman_queue_t, su_exec_t)
-allow mailman_queue_t self:capability { setgid setuid };
-allow mailman_queue_t self:fifo_file rw_file_perms;
-dontaudit mailman_queue_t var_run_t:dir search;
-allow mailman_queue_t proc_t:lnk_file { getattr read };
-
-# for su
-dontaudit mailman_queue_t selinux_config_t:dir search;
-allow mailman_queue_t self:dir search;
-allow mailman_queue_t self:file { getattr read };
-allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
-allow mailman_queue_t self:lnk_file { getattr read };
-
-# some of the following could probably be changed to dontaudit, someone who
-# knows mailman well should test this out and send the changes
-allow mailman_queue_t sysadm_home_dir_t:dir { getattr search };
-
-mailman_domain(mail)
-dontaudit mailman_mail_t mta_delivery_agent:tcp_socket { read write };
-allow mailman_mail_t mta_delivery_agent:fd use;
-ifdef(`qmail.te', `
-allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
-# do we really need this?
-allow mailman_mail_t qmail_lspawn_t:fifo_file write;
-')
-
-create_dir_file(mailman_queue_t, mailman_archive_t)
-
-ifdef(`apache.te', `
-mailman_domain(cgi)
-can_tcp_connect(mailman_cgi_t, mail_server_domain)
-
-domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t)
-# should have separate types for public and private archives
-r_dir_file(httpd_t, mailman_archive_t)
-create_dir_file(mailman_cgi_t, mailman_archive_t)
-allow httpd_t mailman_data_t:dir { getattr search };
-
-dontaudit mailman_cgi_t httpd_log_t:file append;
-allow httpd_t mailman_cgi_t:process signal;
-allow mailman_cgi_t httpd_t:process sigchld;
-allow mailman_cgi_t httpd_t:fd use;
-allow mailman_cgi_t httpd_t:fifo_file { getattr read write ioctl };
-allow mailman_cgi_t httpd_sys_script_t:dir search;
-allow mailman_cgi_t devtty_t:chr_file { read write };
-allow mailman_cgi_t self:process { fork sigchld };
-allow mailman_cgi_t var_spool_t:dir search;
-')
-
-allow mta_delivery_agent mailman_data_t:dir search;
-allow mta_delivery_agent mailman_data_t:lnk_file read;
-allow initrc_t mailman_data_t:lnk_file read;
-allow initrc_t mailman_data_t:dir r_dir_perms;
-domain_auto_trans({ mta_delivery_agent initrc_t }, mailman_mail_exec_t, mailman_mail_t)
-ifdef(`direct_sysadm_daemon', `
-domain_auto_trans(sysadm_t, mailman_mail_exec_t, mailman_mail_t)
-')
-allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
-
-system_crond_entry(mailman_queue_exec_t, mailman_queue_t)
-allow mailman_queue_t devtty_t:chr_file { read write };
-allow mailman_queue_t self:process { fork signal sigchld };
-allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms;
-
-# so MTA can access /var/lib/mailman/mail/wrapper
-allow mta_delivery_agent var_lib_t:dir search;
-
-# Handle mailman log files
-rw_dir_create_file(logrotate_t, mailman_log_t)
-allow logrotate_t mailman_data_t:dir search;
-can_exec(logrotate_t, mailman_mail_exec_t)
diff --git a/mls/domains/program/mdadm.te b/mls/domains/program/mdadm.te
deleted file mode 100644
index 47f82e2..0000000
--- a/mls/domains/program/mdadm.te
+++ /dev/null
@@ -1,43 +0,0 @@
-#DESC mdadm - Linux RAID tool
-#
-# Author: Colin Walters <walters@redhat.com>
-#
-
-daemon_base_domain(mdadm, `, fs_domain, privmail')
-role sysadm_r types mdadm_t;
-
-allow initrc_t mdadm_var_run_t:file create_file_perms;
-
-# Kernel filesystem permissions
-r_dir_file(mdadm_t, proc_t)
-allow mdadm_t proc_mdstat_t:file rw_file_perms;
-read_sysctl(mdadm_t)
-r_dir_file(mdadm_t, sysfs_t) 
-
-# Configuration
-allow mdadm_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale(mdadm_t)
-
-# Linux capabilities
-allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
-
-# Helper program access
-can_exec(mdadm_t, { bin_t sbin_t })
-
-# RAID block device access
-allow mdadm_t fixed_disk_device_t:blk_file create_file_perms;
-allow mdadm_t device_t:lnk_file { getattr read };
-
-# Ignore attempts to read every device file
-dontaudit mdadm_t device_type:{ chr_file blk_file } getattr;
-dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr };
-dontaudit mdadm_t devpts_t:dir r_dir_perms;
-
-# Ignore attempts to read/write sysadmin tty
-dontaudit mdadm_t sysadm_tty_device_t:chr_file rw_file_perms;
-
-# Other random ignores
-dontaudit mdadm_t tmpfs_t:dir r_dir_perms;
-dontaudit mdadm_t initctl_t:fifo_file getattr;
-var_run_domain(mdadm)
-allow mdadm_t var_t:dir { getattr search };
diff --git a/mls/domains/program/modutil.te b/mls/domains/program/modutil.te
deleted file mode 100644
index a934534..0000000
--- a/mls/domains/program/modutil.te
+++ /dev/null
@@ -1,243 +0,0 @@
-#DESC Modutil - Dynamic module utilities
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: modutils
-#
-
-#################################
-#
-# Rules for the module utility domains.
-#
-type modules_dep_t, file_type, sysadmfile;
-type modules_conf_t, file_type, sysadmfile;
-type modules_object_t, file_type, sysadmfile;
-
-
-ifdef(`IS_INITRD', `', `
-#################################
-#
-# Rules for the depmod_t domain.
-#
-type depmod_t, domain;
-role system_r types depmod_t;
-role sysadm_r types depmod_t;
-
-uses_shlib(depmod_t)
-
-r_dir_file(depmod_t, src_t)
-
-type depmod_exec_t, file_type, exec_type, sysadmfile;
-domain_auto_trans(initrc_t, depmod_exec_t, depmod_t)
-allow depmod_t { bin_t sbin_t }:dir search;
-can_exec(depmod_t, depmod_exec_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t)
-')
-
-# Inherit and use descriptors from init and login programs.
-allow depmod_t { init_t privfd }:fd use;
-
-allow depmod_t { etc_t etc_runtime_t }:file { getattr read };
-allow depmod_t { device_t proc_t }:dir search;
-allow depmod_t proc_t:file { getattr read };
-allow depmod_t fs_t:filesystem getattr;
-
-# read system.map
-allow depmod_t boot_t:dir search;
-allow depmod_t boot_t:file { getattr read };
-allow depmod_t system_map_t:file { getattr read };
-
-# Read conf.modules.
-allow depmod_t modules_conf_t:file r_file_perms;
-
-# Create modules.dep.
-file_type_auto_trans(depmod_t, modules_object_t, modules_dep_t, file)
-
-# Read module objects.
-allow depmod_t modules_object_t:dir r_dir_perms;
-allow depmod_t modules_object_t:{ file lnk_file } r_file_perms;
-allow depmod_t modules_object_t:file unlink;
-
-# Access terminals.
-can_access_pty(depmod_t, initrc)
-allow depmod_t { console_device_t admin_tty_type }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
-
-# Read System.map from home directories.
-allow depmod_t { home_root_t staff_home_dir_t sysadm_home_dir_t }:dir r_dir_perms;
-r_dir_file(depmod_t, { staff_home_t sysadm_home_t })
-')dnl end IS_INITRD
-
-#################################
-#
-# Rules for the insmod_t domain.
-#
-
-type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' ), mlsfilewrite, nscd_client_domain
-;
-role system_r types insmod_t;
-role sysadm_r types insmod_t;
-type insmod_exec_t, file_type, exec_type, sysadmfile;
-
-bool secure_mode_insmod false;
-
-can_ypbind(insmod_t)
-
-ifdef(`unlimitedUtils', `
-unconfined_domain(insmod_t) 
-')
-uses_shlib(insmod_t)
-read_locale(insmod_t)
-
-# for SSP
-allow insmod_t urandom_device_t:chr_file read;
-allow insmod_t lib_t:file { getattr read };
-
-allow insmod_t { bin_t sbin_t }:dir search;
-allow insmod_t { bin_t sbin_t }:lnk_file read;
-
-allow insmod_t self:dir search;
-allow insmod_t self:lnk_file read;
-
-allow insmod_t usr_t:file { getattr read };
-
-allow insmod_t privfd:fd use;
-can_access_pty(insmod_t, initrc)
-allow insmod_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow insmod_t sysadm_gph_t:fd use;')
-
-allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write };
-
-allow insmod_t sound_device_t:chr_file { read ioctl write };
-allow insmod_t zero_device_t:chr_file read;
-allow insmod_t memory_device_t:chr_file rw_file_perms;
-
-# Read module config and dependency information
-allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
-
-# Read module objects.
-r_dir_file(insmod_t, modules_object_t)
-# for locking
-allow insmod_t modules_object_t:file write;
-
-allow insmod_t { var_t var_log_t }:dir search;
-ifdef(`xserver.te', `
-allow insmod_t xserver_log_t:file getattr;
-allow insmod_t xserver_misc_device_t:chr_file { read write };
-')
-rw_dir_create_file(insmod_t, var_log_ksyms_t)
-allow insmod_t { etc_t etc_runtime_t }:file { getattr read };
-
-allow insmod_t self:udp_socket create_socket_perms;
-allow insmod_t self:unix_dgram_socket create_socket_perms;
-allow insmod_t self:unix_stream_socket create_stream_socket_perms;
-allow insmod_t self:rawip_socket create_socket_perms;
-allow insmod_t self:capability { dac_override kill net_raw sys_tty_config };
-allow insmod_t domain:process signal;
-allow insmod_t self:process { fork signal_perms };
-allow insmod_t device_t:dir search;
-allow insmod_t etc_runtime_t:file { getattr read };
-
-# for loading modules at boot time
-allow insmod_t { init_t initrc_t }:fd use;
-allow insmod_t initrc_t:fifo_file { getattr read write };
-
-allow insmod_t fs_t:filesystem getattr;
-allow insmod_t sysfs_t:dir search;
-allow insmod_t { usbfs_t usbdevfs_t }:dir search;
-allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount;
-r_dir_file(insmod_t, debugfs_t)
-
-# Rules for /proc/sys/kernel/tainted
-read_sysctl(insmod_t)
-allow insmod_t proc_t:dir search;
-allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms };
-
-allow insmod_t proc_t:file rw_file_perms;
-allow insmod_t proc_t:lnk_file read;
-
-# Write to /proc/mtrr.
-allow insmod_t mtrr_device_t:file write;
-
-# Read /proc/sys/kernel/hotplug.
-allow insmod_t sysctl_hotplug_t:file { getattr read };
-
-allow insmod_t device_t:dir read;
-allow insmod_t devpts_t:dir { getattr search };
-
-if (!secure_mode_insmod) {
-domain_auto_trans(privmodule, insmod_exec_t, insmod_t)
-allow insmod_t self:capability sys_module;
-}dnl end if !secure_mode_insmod
-
-can_exec(insmod_t, { insmod_exec_t shell_exec_t bin_t sbin_t etc_t })
-allow insmod_t devtty_t:chr_file rw_file_perms;
-allow insmod_t privmodule:process sigchld;
-dontaudit sysadm_t self:capability sys_module;
-
-ifdef(`mount.te', `
-# Run mount in the mount_t domain.
-domain_auto_trans(insmod_t, mount_exec_t, mount_t)
-')
-# for when /var is not mounted early in the boot
-dontaudit insmod_t file_t:dir search;
-
-# for nscd
-dontaudit insmod_t var_run_t:dir search;
-
-ifdef(`crond.te', `
-rw_dir_create_file(system_crond_t, var_log_ksyms_t)
-')
-
-ifdef(`IS_INITRD', `', `
-#################################
-#
-# Rules for the update_modules_t domain.
-#
-type update_modules_t, domain, privlog;
-type update_modules_exec_t, file_type, exec_type, sysadmfile;
-
-role system_r types update_modules_t;
-role sysadm_r types update_modules_t;
-
-domain_auto_trans({ initrc_t sysadm_t }, update_modules_exec_t, update_modules_t)
-allow update_modules_t privfd:fd use;
-allow update_modules_t init_t:fd use;
-
-allow update_modules_t device_t:dir { getattr search };
-allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms;
-can_access_pty(update_modules_t, initrc)
-allow update_modules_t admin_tty_type:chr_file rw_file_perms;
-
-can_exec(update_modules_t, insmod_exec_t)
-allow update_modules_t urandom_device_t:chr_file { getattr read };
-
-dontaudit update_modules_t sysadm_home_dir_t:dir search;
-
-uses_shlib(update_modules_t)
-read_locale(update_modules_t)
-allow update_modules_t lib_t:file { getattr read };
-allow update_modules_t self:process { fork sigchld };
-allow update_modules_t self:fifo_file rw_file_perms;
-allow update_modules_t self:file { getattr read };
-allow update_modules_t modules_dep_t:file rw_file_perms;
-file_type_auto_trans(update_modules_t, modules_object_t, modules_conf_t, file)
-domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
-can_exec(update_modules_t, { shell_exec_t bin_t sbin_t update_modules_exec_t etc_t })
-allow update_modules_t { sbin_t bin_t }:lnk_file read;
-allow update_modules_t { sbin_t bin_t }:dir search;
-allow update_modules_t { etc_t etc_runtime_t }:file r_file_perms;
-allow update_modules_t etc_t:lnk_file read;
-allow update_modules_t fs_t:filesystem getattr;
-
-allow update_modules_t proc_t:dir search;
-allow update_modules_t proc_t:file r_file_perms;
-allow update_modules_t { self proc_t }:lnk_file read;
-read_sysctl(update_modules_t)
-allow update_modules_t self:dir search;
-allow update_modules_t self:unix_stream_socket create_socket_perms;
-
-file_type_auto_trans(update_modules_t, etc_t, modules_conf_t, file)
-
-tmp_domain(update_modules)
-')dnl end IS_INITRD
diff --git a/mls/domains/program/mount.te b/mls/domains/program/mount.te
deleted file mode 100644
index b76bf52..0000000
--- a/mls/domains/program/mount.te
+++ /dev/null
@@ -1,90 +0,0 @@
-#DESC Mount - Filesystem mount utilities
-#
-# Macros for mount
-#
-# Author:  Brian May <bam@snoopy.apana.org.au>
-# X-Debian-Packages: mount
-#
-# based on the work of:
-#          Mark Westerman mark.westerman@csoconline.com
-#
-
-type mount_exec_t, file_type, sysadmfile, exec_type;
-
-mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain, mlsfileread, mlsfilewrite')
-mount_loopback_privs(sysadm, mount)
-role sysadm_r types mount_t;
-role system_r types mount_t;
-
-can_access_pty(mount_t, initrc)
-allow mount_t console_device_t:chr_file { read write };
-
-domain_auto_trans(initrc_t, mount_exec_t, mount_t)
-allow mount_t init_t:fd use;
-allow mount_t privfd:fd use;
-
-allow mount_t self:capability { dac_override ipc_lock sys_tty_config };
-allow mount_t self:process { fork signal_perms };
-
-allow mount_t file_type:dir search;
-
-# Access disk devices.
-allow mount_t fixed_disk_device_t:devfile_class_set rw_file_perms;
-allow mount_t removable_device_t:devfile_class_set rw_file_perms;
-allow mount_t device_t:lnk_file read;
-
-# for when /etc/mtab loses its type
-allow mount_t file_t:file { getattr read unlink };
-
-# Mount, remount and unmount file systems.
-allow mount_t fs_type:filesystem mount_fs_perms;
-allow mount_t mount_point:dir mounton;
-allow mount_t nfs_t:dir search;
-allow mount_t sysctl_t:dir search;
-
-allow mount_t root_t:filesystem unmount;
-
-can_portmap(mount_t)
-
-ifdef(`portmap.te', `
-# for nfs
-can_network(mount_t)
-allow mount_t port_type:tcp_socket name_connect;
-can_ypbind(mount_t)
-allow mount_t port_t:{ tcp_socket udp_socket } name_bind;
-allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
-can_udp_send(mount_t, portmap_t)
-can_udp_send(portmap_t, mount_t)
-allow mount_t rpc_pipefs_t:dir search;
-')
-dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind;
-
-#
-# required for mount.smbfs
-#
-allow mount_t sbin_t:lnk_file { getattr read };
-
-rhgb_domain(mount_t)
-
-# for localization
-allow mount_t lib_t:file { getattr read };
-allow mount_t autofs_t:dir read;
-allow mount_t fs_type:filesystem relabelfrom;
-#
-# This rule needs to be generalized.  Only admin, initrc should have it.
-#
-allow mount_t file_type:filesystem { unmount mount relabelto };
-
-allow mount_t mnt_t:dir getattr;
-dontaudit mount_t kernel_t:fd use;
-allow mount_t userdomain:fd use;
-can_exec(mount_t, { sbin_t bin_t })
-allow mount_t device_t:dir r_dir_perms;
-allow mount_t tmpfs_t:chr_file { read write };
-
-# tries to read /init
-dontaudit mount_t root_t:file { getattr read };
-
-allow kernel_t mount_t:tcp_socket { read write };
-allow mount_t self:capability { setgid setuid };
-allow mount_t proc_t:lnk_file read;
diff --git a/mls/domains/program/mrtg.te b/mls/domains/program/mrtg.te
deleted file mode 100644
index e44889d..0000000
--- a/mls/domains/program/mrtg.te
+++ /dev/null
@@ -1,100 +0,0 @@
-#DESC MRTG - Network traffic graphing
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: mrtg
-#
-
-#################################
-#
-# Rules for the mrtg_t domain.
-#
-# mrtg_exec_t is the type of the mrtg executable.
-#
-daemon_base_domain(mrtg)
-
-allow mrtg_t fs_t:filesystem getattr;
-
-ifdef(`crond.te', `
-system_crond_entry(mrtg_exec_t, mrtg_t)
-allow system_crond_t mrtg_log_t:dir rw_dir_perms;
-allow system_crond_t mrtg_log_t:file { create append getattr };
-')
-
-allow mrtg_t usr_t:{ file lnk_file } { getattr read };
-dontaudit mrtg_t usr_t:file ioctl;
-
-logdir_domain(mrtg)
-etcdir_domain(mrtg)
-typealias mrtg_etc_t alias etc_mrtg_t;
-type mrtg_var_lib_t, file_type, sysadmfile;
-typealias mrtg_var_lib_t alias var_lib_mrtg_t;
-type mrtg_lock_t, file_type, sysadmfile, lockfile;
-r_dir_file(mrtg_t, lib_t)
-
-# Use the network.
-can_network_client(mrtg_t)
-allow mrtg_t port_type:tcp_socket name_connect;
-can_ypbind(mrtg_t)
-
-allow mrtg_t self:fifo_file { getattr read write ioctl };
-allow mrtg_t { admin_tty_type devtty_t }:chr_file rw_file_perms;
-allow mrtg_t urandom_device_t:chr_file { getattr read };
-allow mrtg_t self:unix_stream_socket create_socket_perms;
-ifdef(`apache.te', `
-rw_dir_create_file(mrtg_t, httpd_sys_content_t)
-')
-
-can_exec(mrtg_t, { shell_exec_t bin_t sbin_t })
-allow mrtg_t { bin_t sbin_t }:dir { getattr search };
-allow mrtg_t bin_t:lnk_file read;
-allow mrtg_t var_t:dir { getattr search };
-
-ifdef(`snmpd.te', `
-can_udp_send(mrtg_t, snmpd_t)
-can_udp_send(snmpd_t, mrtg_t)
-r_dir_file(mrtg_t, snmpd_var_lib_t)
-')
-
-allow mrtg_t proc_net_t:dir search;
-allow mrtg_t { proc_t proc_net_t }:file { read getattr };
-dontaudit mrtg_t proc_t:file ioctl;
-
-allow mrtg_t { var_lock_t var_lib_t }:dir search;
-rw_dir_create_file(mrtg_t, mrtg_var_lib_t)
-rw_dir_create_file(mrtg_t, mrtg_lock_t)
-ifdef(`distro_redhat', `
-file_type_auto_trans(mrtg_t, mrtg_etc_t, mrtg_lock_t, file)
-')
-
-# read config files
-allow mrtg_t etc_t:file { read getattr };
-dontaudit mrtg_t mrtg_etc_t:dir write;
-dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
-read_locale(mrtg_t)
-
-# for /.autofsck
-dontaudit mrtg_t root_t:file getattr;
-
-dontaudit mrtg_t security_t:dir getattr;
-
-read_sysctl(mrtg_t)
-
-# for uptime
-allow mrtg_t var_run_t:dir search;
-allow mrtg_t initrc_var_run_t:file { getattr read };
-dontaudit mrtg_t initrc_var_run_t:file { write lock };
-allow mrtg_t etc_runtime_t:file { getattr read };
-
-allow mrtg_t tmp_t:dir getattr;
-
-# should not need this!
-dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr };
-dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
-ifdef(`quota.te', `
-dontaudit mrtg_t quota_db_t:file getattr;
-')
-dontaudit mrtg_t root_t:lnk_file getattr;
-
-allow mrtg_t self:capability { setgid setuid };
-ifdef(`hostname.te', `can_exec(mrtg_t, hostname_exec_t)')
-allow mrtg_t var_spool_t:dir search;
diff --git a/mls/domains/program/mta.te b/mls/domains/program/mta.te
deleted file mode 100644
index 55e7ca9..0000000
--- a/mls/domains/program/mta.te
+++ /dev/null
@@ -1,81 +0,0 @@
-#DESC MTA - Mail agents
-#
-# Author: Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: postfix exim sendmail sendmail-wide
-#
-# policy for all mail servers, including allowing user to send mail from the
-# command-line and for cron jobs to use sendmail -t
-
-#
-# sendmail_exec_t is the type of /usr/sbin/sendmail
-#
-# define sendmail_exec_t if sendmail.te does not do it for us
-ifdef(`sendmail.te', `', `
-type sendmail_exec_t, file_type, exec_type, sysadmfile;
-')
-
-# create a system_mail_t domain for daemons, init scripts, etc when they run
-# "mail user@domain"
-mail_domain(system)
-
-ifdef(`targeted_policy', `
-# rules are currently defined in sendmail.te, but it is not included in 
-# targeted policy.  We could move these rules permanantly here.
-ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
-allow system_mail_t self:dir search;
-allow system_mail_t self:lnk_file read;
-r_dir_file(system_mail_t, { proc_t proc_net_t })
-allow system_mail_t fs_t:filesystem getattr;
-allow system_mail_t { var_t var_spool_t }:dir getattr;
-create_dir_file(system_mail_t, mqueue_spool_t)
-create_dir_file(system_mail_t, mail_spool_t)
-allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
-allow system_mail_t etc_mail_t:file { getattr read };
-
-# for reading .forward - maybe we need a new type for it?
-# also for delivering mail to maildir
-file_type_auto_trans(mta_delivery_agent, user_home_dir_t, user_home_t)
-', `
-ifdef(`sendmail.te', `
-# sendmail has an ugly design, the one process parses input from the user and
-# then does system things with it.  But the sendmail_launch_t domain works
-# around this.
-domain_auto_trans(initrc_t, sendmail_exec_t, system_mail_t)
-')
-allow initrc_t sendmail_exec_t:lnk_file { getattr read };
-
-# allow the sysadmin to do "mail someone < /home/user/whatever"
-allow sysadm_mail_t user_home_dir_type:dir search;
-r_dir_file(sysadm_mail_t, user_home_type)
-')
-# for a mail server process that does things in response to a user command
-allow mta_user_agent userdomain:process sigchld;
-allow mta_user_agent { userdomain privfd }:fd use;
-ifdef(`crond.te', `
-allow mta_user_agent crond_t:process sigchld;
-')
-allow mta_user_agent sysadm_t:fifo_file { read write };
-
-allow { system_mail_t mta_user_agent } privmail:fd use;
-allow { system_mail_t mta_user_agent } privmail:process sigchld;
-allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
-allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };
-
-allow mta_delivery_agent home_root_t:dir { getattr search };
-
-# for /var/spool/mail
-ra_dir_create_file(mta_delivery_agent, mail_spool_t)
-
-# for piping mail to a command
-can_exec(mta_delivery_agent, shell_exec_t)
-allow mta_delivery_agent bin_t:dir search;
-allow mta_delivery_agent bin_t:lnk_file read;
-allow mta_delivery_agent devtty_t:chr_file rw_file_perms;
-allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
-
-allow system_mail_t etc_runtime_t:file { getattr read };
-allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read };
-ifdef(`targeted_policy', `
-typealias system_mail_t alias sysadm_mail_t;
-')
-
diff --git a/mls/domains/program/mysqld.te b/mls/domains/program/mysqld.te
deleted file mode 100644
index 637359f..0000000
--- a/mls/domains/program/mysqld.te
+++ /dev/null
@@ -1,94 +0,0 @@
-#DESC Mysqld - Database server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: mysql-server
-#
-
-#################################
-#
-# Rules for the mysqld_t domain.
-#
-# mysqld_exec_t is the type of the mysqld executable.
-#
-daemon_domain(mysqld, `, nscd_client_domain')
-
-allow mysqld_t mysqld_port_t:tcp_socket { name_bind name_connect };
-
-allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
-
-etcdir_domain(mysqld)
-type mysqld_db_t, file_type, sysadmfile;
-
-log_domain(mysqld)
-
-# for temporary tables
-tmp_domain(mysqld)
-
-allow mysqld_t usr_t:file { getattr read };
-
-allow mysqld_t self:fifo_file { read write };
-allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
-allow initrc_t mysqld_t:unix_stream_socket connectto;
-allow initrc_t mysqld_var_run_t:sock_file write;
-
-allow initrc_t mysqld_log_t:file { write append setattr ioctl };
-
-allow mysqld_t self:capability { dac_override setgid setuid net_bind_service sys_resource };
-allow mysqld_t self:process { setrlimit setsched getsched };
-
-allow mysqld_t proc_t:file { getattr read };
-
-# Allow access to the mysqld databases
-create_dir_file(mysqld_t, mysqld_db_t)
-file_type_auto_trans(mysqld_t, var_lib_t, mysqld_db_t, { dir file })
-
-can_network(mysqld_t)
-can_ypbind(mysqld_t)
-
-# read config files
-r_dir_file(initrc_t, mysqld_etc_t)
-allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
-
-allow mysqld_t etc_t:dir search;
-
-read_sysctl(mysqld_t)
-
-can_unix_connect(sysadm_t, mysqld_t)
-
-# for /root/.my.cnf - should not be needed
-allow mysqld_t sysadm_home_dir_t:dir search;
-allow mysqld_t sysadm_home_t:file { read getattr };
-
-ifdef(`logrotate.te', `
-r_dir_file(logrotate_t, mysqld_etc_t)
-allow logrotate_t mysqld_db_t:dir search;
-allow logrotate_t mysqld_var_run_t:dir search;
-allow logrotate_t mysqld_var_run_t:sock_file write;
-can_unix_connect(logrotate_t, mysqld_t)
-')
-
-ifdef(`daemontools.te', `
-domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
-allow svc_start_t mysqld_t:process signal;
-svc_ipc_domain(mysqld_t)
-')dnl end ifdef daemontools
-
-ifdef(`distro_redhat', `
-allow initrc_t mysqld_db_t:dir create_dir_perms;
-
-# because Fedora has the sock_file in the database directory
-file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
-')
-ifdef(`targeted_policy', `', `
-bool allow_user_mysql_connect false;
-
-if (allow_user_mysql_connect) {
-allow userdomain mysqld_var_run_t:dir search;
-allow userdomain mysqld_var_run_t:sock_file write;
-}
-')
-
-ifdef(`crond.te', `
-allow system_crond_t mysqld_etc_t:file { getattr read };
-')
-allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
diff --git a/mls/domains/program/named.te b/mls/domains/program/named.te
deleted file mode 100644
index 5a42877..0000000
--- a/mls/domains/program/named.te
+++ /dev/null
@@ -1,184 +0,0 @@
-#DESC BIND - Name server
-#
-# Authors:  Yuichi Nakamura <ynakam@ori.hitachi-sk.co.jp>,
-#           Russell Coker
-# X-Debian-Packages: bind bind9
-# 
-#
-
-#################################
-#
-# Rules for the named_t domain.
-#
-
-daemon_domain(named, `, nscd_client_domain')
-tmp_domain(named)
-
-type named_checkconf_exec_t, file_type, exec_type, sysadmfile;
-domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t)
-
-# For /var/run/ndc used in BIND 8
-file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)
-
-# ndc_t is the domain for the ndc program
-type ndc_t, domain, privlog, nscd_client_domain;
-role sysadm_r types ndc_t;
-role system_r types ndc_t;
-
-ifdef(`targeted_policy', `
-dontaudit ndc_t root_t:file { getattr read };
-dontaudit ndc_t unlabeled_t:file { getattr read };	
-')
-
-can_exec(named_t, named_exec_t)
-allow named_t sbin_t:dir search;
-
-allow named_t self:process { setsched setcap setrlimit };
-
-# A type for configuration files of named.
-type named_conf_t, file_type, sysadmfile, mount_point;
-
-# for primary zone files
-type named_zone_t, file_type, sysadmfile;
-
-# for secondary zone files
-type named_cache_t, file_type, sysadmfile;
-
-# for DNSSEC key files
-type dnssec_t, file_type, sysadmfile, secure_file_type;
-allow { ndc_t named_t } dnssec_t:file { getattr read };
-
-# Use capabilities. Surplus capabilities may be allowed.
-allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
-
-allow named_t etc_t:file { getattr read };
-allow named_t etc_runtime_t:{ file lnk_file } { getattr read };
-
-#Named can use network
-can_network(named_t)
-allow named_t port_type:tcp_socket name_connect;
-can_ypbind(named_t)
-# allow UDP transfer to/from any program
-can_udp_send(domain, named_t)
-can_udp_send(named_t, domain)
-can_tcp_connect(domain, named_t)
-log_domain(named)
-
-# Bind to the named port.
-allow named_t dns_port_t:udp_socket name_bind;
-allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;
-
-bool named_write_master_zones false;
-
-#read configuration files
-r_dir_file(named_t, named_conf_t)
-
-if (named_write_master_zones) {
-#create and modify zone files
-create_dir_file(named_t, named_zone_t)
-}
-#read zone files
-r_dir_file(named_t, named_zone_t)
-
-#write cache for secondary zones
-rw_dir_create_file(named_t, named_cache_t)
-
-allow named_t self:unix_stream_socket create_stream_socket_perms;
-allow named_t self:unix_dgram_socket create_socket_perms;
-allow named_t self:netlink_route_socket r_netlink_socket_perms;
-
-# Read sysctl kernel variables.
-read_sysctl(named_t)
-
-# Read /proc/cpuinfo and /proc/net
-r_dir_file(named_t, proc_t)
-r_dir_file(named_t, proc_net_t)
-
-# Read /dev/random.
-allow named_t device_t:dir r_dir_perms;
-allow named_t random_device_t:chr_file r_file_perms;
-
-# Use a pipe created by self.
-allow named_t self:fifo_file rw_file_perms;
-
-# Enable named dbus support:
-ifdef(`dbusd.te', `
-dbusd_client(system, named)
-domain_auto_trans(system_dbusd_t, named_exec_t, named_t)
-allow named_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow named_t self:dbus send_msg;
-allow { NetworkManager_t dhcpc_t initrc_t } named_t:dbus send_msg;
-allow named_t { NetworkManager_t dhcpc_t initrc_t }:dbus send_msg;
-ifdef(`unconfined.te', `
-allow unconfined_t named_t:dbus send_msg;
-allow named_t unconfined_t:dbus send_msg;
-')
-')
-
-
-# Set own capabilities.
-#A type for /usr/sbin/ndc
-type ndc_exec_t, file_type,sysadmfile, exec_type;
-domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
-uses_shlib(ndc_t)
-can_network_client_tcp(ndc_t)
-allow ndc_t rndc_port_t:tcp_socket name_connect;
-can_ypbind(ndc_t)
-can_resolve(ndc_t)
-read_locale(ndc_t)
-can_tcp_connect(ndc_t, named_t)
-
-ifdef(`distro_redhat', `
-# for /etc/rndc.key
-allow { ndc_t initrc_t } named_conf_t:dir search;
-# Allow init script to cp localtime to named_conf_t
-allow initrc_t named_conf_t:file { setattr write };
-allow initrc_t named_conf_t:dir create_dir_perms;
-allow initrc_t var_run_t:lnk_file create_file_perms;
-ifdef(`automount.te', `
-# automount has no need to search the /proc file system for the named chroot
-dontaudit automount_t named_zone_t:dir search;
-')dnl end ifdef automount.te
-')dnl end ifdef distro_redhat
-
-allow { ndc_t initrc_t } named_conf_t:file { getattr read };
-
-allow ndc_t etc_t:dir r_dir_perms;
-allow ndc_t etc_t:file r_file_perms;
-allow ndc_t self:unix_stream_socket create_stream_socket_perms;
-allow ndc_t self:unix_stream_socket connect;
-allow ndc_t self:capability { dac_override net_admin };
-allow ndc_t var_t:dir search;
-allow ndc_t var_run_t:dir search;
-allow ndc_t named_var_run_t:sock_file rw_file_perms;
-allow ndc_t named_t:unix_stream_socket connectto;
-allow ndc_t { privfd init_t }:fd use;
-# seems to need read as well for some reason
-allow ndc_t { admin_tty_type initrc_devpts_t }:chr_file { getattr read write };
-allow ndc_t fs_t:filesystem getattr;
-
-# Read sysctl kernel variables.
-read_sysctl(ndc_t)
-
-allow ndc_t self:process { fork signal_perms };
-allow ndc_t self:fifo_file { read write getattr ioctl };
-allow ndc_t named_zone_t:dir search;
-
-# for chmod in start script
-dontaudit initrc_t named_var_run_t:dir setattr;
-
-# for ndc_t to be used for restart shell scripts
-ifdef(`ndc_shell_script', `
-system_crond_entry(ndc_exec_t, ndc_t)
-allow ndc_t devtty_t:chr_file { read write ioctl };
-allow ndc_t etc_runtime_t:file { getattr read };
-allow ndc_t proc_t:dir search;
-allow ndc_t proc_t:file { getattr read };
-can_exec(ndc_t, { bin_t sbin_t shell_exec_t })
-allow ndc_t named_var_run_t:file getattr;
-allow ndc_t named_zone_t:dir { read getattr };
-allow ndc_t named_zone_t:file getattr;
-dontaudit ndc_t sysadm_home_t:dir { getattr search read };
-')
-allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
-dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };
diff --git a/mls/domains/program/netutils.te b/mls/domains/program/netutils.te
deleted file mode 100644
index 8dcbdf1..0000000
--- a/mls/domains/program/netutils.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#DESC Netutils - Network utilities
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>
-# X-Debian-Packages: netbase iputils arping tcpdump 
-#
-
-#
-# Rules for the netutils_t domain.
-# This domain is for network utilities that require access to
-# special protocol families.
-#
-type netutils_t, domain, privlog;
-type netutils_exec_t, file_type, sysadmfile, exec_type;
-role system_r types netutils_t;
-role sysadm_r types netutils_t;
-
-uses_shlib(netutils_t)
-can_network(netutils_t)
-allow netutils_t port_type:tcp_socket name_connect;
-can_ypbind(netutils_t)
-tmp_domain(netutils)
-
-domain_auto_trans(initrc_t, netutils_exec_t, netutils_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
-')
-
-# Inherit and use descriptors from init.
-allow netutils_t { userdomain init_t }:fd use;
-
-allow netutils_t self:process { fork signal_perms };
-
-# Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { net_admin net_raw setuid setgid };
-
-# Create and use netlink sockets.
-allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
-
-# Create and use packet sockets.
-allow netutils_t self:packet_socket create_socket_perms;
-
-# Create and use UDP sockets.
-allow netutils_t self:udp_socket create_socket_perms;
-
-# Create and use TCP sockets.
-allow netutils_t self:tcp_socket create_socket_perms;
-
-allow netutils_t self:unix_stream_socket create_socket_perms;
-
-# Read certain files in /etc
-allow netutils_t etc_t:file r_file_perms;
-read_locale(netutils_t)
-
-allow netutils_t fs_t:filesystem getattr;
-
-# Access terminals.
-allow netutils_t privfd:fd use;
-can_access_pty(netutils_t, initrc)
-allow netutils_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
-allow netutils_t proc_t:dir search;
-
-# for nscd
-dontaudit netutils_t var_t:dir search;
diff --git a/mls/domains/program/newrole.te b/mls/domains/program/newrole.te
deleted file mode 100644
index 207274d..0000000
--- a/mls/domains/program/newrole.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#DESC Newrole - SELinux utility to run a shell with a new role
-#
-# Authors:  Anthony Colatrella (NSA) 
-# Maintained by Stephen Smalley <sds@epoch.ncsc.mil>
-# X-Debian-Packages: policycoreutils
-#
-
-# secure mode means that newrole/sudo/su/userhelper cannot reach sysadm_t
-bool secure_mode false;
-
-type newrole_exec_t, file_type, exec_type, sysadmfile;
-domain_auto_trans(userdomain, newrole_exec_t, newrole_t)
-
-newrole_domain(newrole)
-
-# Write to utmp.
-allow newrole_t var_run_t:dir r_dir_perms;
-allow newrole_t initrc_var_run_t:file rw_file_perms;
-
-role secadm_r types newrole_t;
-
-ifdef(`targeted_policy', `
-typeattribute newrole_t unconfinedtrans;
-')
diff --git a/mls/domains/program/nscd.te b/mls/domains/program/nscd.te
deleted file mode 100644
index 8e899c7..0000000
--- a/mls/domains/program/nscd.te
+++ /dev/null
@@ -1,79 +0,0 @@
-#DESC NSCD - Name service cache daemon cache lookup of user-name
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: nscd
-#
-define(`nscd_socket_domain', `
-can_unix_connect($1, nscd_t)
-allow $1 nscd_var_run_t:sock_file rw_file_perms;
-allow $1 { var_run_t var_t }:dir search;
-allow $1 nscd_t:nscd { getpwd getgrp gethost };
-dontaudit $1 nscd_t:fd use;
-dontaudit $1 nscd_var_run_t:dir { search getattr };
-dontaudit $1 nscd_var_run_t:file { getattr read };
-dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
-')
-#################################
-#
-# Rules for the nscd_t domain.
-#
-# nscd is both the client program and the daemon.
-daemon_domain(nscd, `, userspace_objmgr')
-
-allow nscd_t etc_t:file r_file_perms;
-allow nscd_t etc_t:lnk_file read;
-can_network_client(nscd_t)
-allow nscd_t port_type:tcp_socket name_connect;
-can_ypbind(nscd_t)
-
-file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
-
-allow nscd_t self:unix_stream_socket create_stream_socket_perms;
-
-nscd_socket_domain(nscd_client_domain)
-nscd_socket_domain(daemon)
-
-# Clients that are allowed to map the database via a fd obtained from nscd.
-nscd_socket_domain(nscd_shmem_domain)
-allow nscd_shmem_domain nscd_var_run_t:dir r_dir_perms;
-allow nscd_shmem_domain nscd_t:nscd { shmempwd shmemgrp shmemhost };
-# Receive fd from nscd and map the backing file with read access.
-allow nscd_shmem_domain nscd_t:fd use;
-
-# For client program operation, invoked from sysadm_t.
-# Transition occurs to nscd_t due to direct_sysadm_daemon. 
-allow nscd_t self:nscd { admin getstat };
-allow nscd_t admin_tty_type:chr_file rw_file_perms;
-
-read_sysctl(nscd_t)
-allow nscd_t self:process { getattr setsched };
-allow nscd_t self:unix_dgram_socket create_socket_perms;
-allow nscd_t self:fifo_file { read write };
-allow nscd_t self:capability { kill setgid setuid net_bind_service };
-
-# for when /etc/passwd has just been updated and has the wrong type
-allow nscd_t shadow_t:file getattr;
-
-dontaudit nscd_t sysadm_home_dir_t:dir search;
-
-ifdef(`winbind.te', `
-#
-# Handle winbind for samba, Might only be needed for targeted policy
-#
-allow nscd_t winbind_var_run_t:sock_file { read write getattr };
-can_unix_connect(nscd_t, winbind_t)
-allow nscd_t samba_var_t:dir search;
-allow nscd_t winbind_var_run_t:dir { getattr search };
-')
-
-r_dir_file(nscd_t, selinux_config_t)
-can_getsecurity(nscd_t)
-allow nscd_t self:netlink_selinux_socket create_socket_perms;
-allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
-allow nscd_t tmp_t:dir { search getattr };
-allow nscd_t tmp_t:lnk_file read;
-allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
-log_domain(nscd)
-r_dir_file(nscd_t, cert_t)
-allow nscd_t tun_tap_device_t:chr_file { read write };
-allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --git a/mls/domains/program/ntpd.te b/mls/domains/program/ntpd.te
deleted file mode 100644
index 23042c4..0000000
--- a/mls/domains/program/ntpd.te
+++ /dev/null
@@ -1,88 +0,0 @@
-#DESC NTPD - Time synchronisation daemon
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: ntp ntp-simple
-#
-
-#################################
-#
-# Rules for the ntpd_t domain.
-#
-daemon_domain(ntpd, `, nscd_client_domain')
-type ntp_drift_t, file_type, sysadmfile;
-
-type ntpdate_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
-
-logdir_domain(ntpd)
-
-allow ntpd_t var_lib_t:dir r_dir_perms;
-allow ntpd_t usr_t:file r_file_perms;
-# reading  /usr/share/ssl/cert.pem requires
-allow ntpd_t usr_t:lnk_file read;
-allow ntpd_t ntp_drift_t:dir rw_dir_perms;
-allow ntpd_t ntp_drift_t:file create_file_perms;
-
-# for SSP
-allow ntpd_t urandom_device_t:chr_file { getattr read };
-
-# sys_resource and setrlimit is for locking memory
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
-dontaudit ntpd_t self:capability { fsetid net_admin };
-allow ntpd_t self:process { setcap setsched setrlimit };
-# ntpdate wants sys_nice
-
-# for some reason it creates a file in /tmp
-tmp_domain(ntpd)
-
-allow ntpd_t etc_t:dir r_dir_perms;
-allow ntpd_t etc_t:file { read getattr };
-
-# Use the network.
-can_network(ntpd_t)
-allow ntpd_t ntp_port_t:tcp_socket name_connect;
-can_ypbind(ntpd_t)
-allow ntpd_t ntp_port_t:udp_socket name_bind;
-allow sysadm_t ntp_port_t:udp_socket name_bind;
-allow ntpd_t self:unix_dgram_socket create_socket_perms;
-allow ntpd_t self:unix_stream_socket create_socket_perms;
-allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
-
-# so the start script can change firewall entries
-allow initrc_t net_conf_t:file { getattr read ioctl };
-
-# for cron jobs
-# system_crond_t is not right, cron is not doing what it should
-ifdef(`crond.te', `
-system_crond_entry(ntpdate_exec_t, ntpd_t)
-')
-
-can_exec(ntpd_t, initrc_exec_t)
-allow ntpd_t self:fifo_file { read write getattr };
-allow ntpd_t etc_runtime_t:file r_file_perms;
-can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })
-allow ntpd_t { sbin_t bin_t }:dir search;
-allow ntpd_t bin_t:lnk_file read;
-read_sysctl(ntpd_t);
-allow ntpd_t proc_t:file r_file_perms;
-allow ntpd_t sysadm_home_dir_t:dir r_dir_perms;
-allow ntpd_t self:file { getattr read };
-dontaudit ntpd_t domain:dir search;
-ifdef(`logrotate.te', `
-can_exec(ntpd_t, logrotate_exec_t)
-')
-
-allow ntpd_t devtty_t:chr_file rw_file_perms;
-
-can_udp_send(ntpd_t, sysadm_t)
-can_udp_send(sysadm_t, ntpd_t)
-can_udp_send(ntpd_t, ntpd_t)
-ifdef(`firstboot.te', `
-dontaudit ntpd_t firstboot_t:fd use;
-')
-ifdef(`winbind.te', `
-allow ntpd_t winbind_var_run_t:dir r_dir_perms;
-allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
-')
-# For clock devices like wwvb1
-allow ntpd_t device_t:lnk_file read;
diff --git a/mls/domains/program/openct.te b/mls/domains/program/openct.te
deleted file mode 100644
index 244fc2f..0000000
--- a/mls/domains/program/openct.te
+++ /dev/null
@@ -1,16 +0,0 @@
-#DESC openct - read files in page cache 
-#
-# Author: Dan Walsh (dwalsh@redhat.com)
-#
-
-#################################
-#
-# Declarations for openct
-#
-
-daemon_domain(openct)
-#
-# openct asks for these
-#
-rw_dir_file(openct_t, usbfs_t)
-allow openct_t etc_t:file r_file_perms;
diff --git a/mls/domains/program/orbit.te b/mls/domains/program/orbit.te
deleted file mode 100644
index dad353b..0000000
--- a/mls/domains/program/orbit.te
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# ORBit related types 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-# Look in orbit_macros.te
diff --git a/mls/domains/program/pam.te b/mls/domains/program/pam.te
deleted file mode 100644
index 2d71222..0000000
--- a/mls/domains/program/pam.te
+++ /dev/null
@@ -1,45 +0,0 @@
-#DESC Pam - PAM 
-# X-Debian-Packages:
-#
-# /sbin/pam_timestamp_check
-type pam_exec_t, file_type, exec_type, sysadmfile;
-type pam_t, domain, privlog, nscd_client_domain;
-general_domain_access(pam_t);
-
-type pam_var_run_t, file_type, sysadmfile;
-allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
-allow pam_t pam_var_run_t:file { getattr read unlink };
-
-role system_r types pam_t;
-in_user_role(pam_t)
-domain_auto_trans(userdomain, pam_exec_t, pam_t)
-
-uses_shlib(pam_t)
-# Read the devpts root directory.
-allow pam_t devpts_t:dir r_dir_perms;
-
-# Access terminals.
-allow pam_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
-
-allow pam_t proc_t:dir search;
-allow pam_t proc_t:{ lnk_file file } { getattr read };
-
-# Read the /etc/nsswitch file
-allow pam_t etc_t:file r_file_perms;
-
-# Read /var/run.
-allow pam_t { var_t var_run_t }:dir r_dir_perms;
-tmp_domain(pam)
-
-allow pam_t local_login_t:fd use;
-dontaudit pam_t self:capability sys_tty_config;
-
-allow initrc_t pam_var_run_t:dir rw_dir_perms;
-allow initrc_t pam_var_run_t:file { getattr read unlink };
-dontaudit pam_t initrc_var_run_t:file rw_file_perms;
-
-# Supress xdm denial
-ifdef(`xdm.te', `
-dontaudit pam_t xdm_t:fd use;
-') dnl ifdef
diff --git a/mls/domains/program/pamconsole.te b/mls/domains/program/pamconsole.te
deleted file mode 100644
index 0610063..0000000
--- a/mls/domains/program/pamconsole.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#DESC Pamconsole - PAM console
-# X-Debian-Packages:
-#
-# pam_console_apply
-
-daemon_base_domain(pam_console, `, nscd_client_domain, mlsfileread, mlsfilewrite')
-
-type pam_var_console_t, file_type, sysadmfile;
-
-allow pam_console_t etc_t:file { getattr read ioctl };
-allow pam_console_t self:unix_stream_socket create_stream_socket_perms;
-
-# Read /etc/mtab
-allow pam_console_t etc_runtime_t:file { read getattr };
-
-# Read /proc/meminfo
-allow pam_console_t proc_t:file { read getattr };
-
-allow pam_console_t self:capability { chown fowner fsetid };
-
-# Allow access to /dev/console through the fd:
-allow pam_console_t console_device_t:chr_file { read write setattr };
-allow pam_console_t { kernel_t init_t }:fd use;
-
-# for /var/run/console.lock checking
-allow pam_console_t { var_t var_run_t }:dir search;
-r_dir_file(pam_console_t, pam_var_console_t)
-dontaudit pam_console_t pam_var_console_t:file write;
-
-# Allow to set attributes on /dev entries
-allow pam_console_t device_t:dir { getattr read };
-allow pam_console_t device_t:lnk_file { getattr read };
-# mouse_device_t is for joy sticks
-allow pam_console_t { xserver_misc_device_t framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
-allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr };
-
-allow pam_console_t mnt_t:dir r_dir_perms;
-
-ifdef(`gpm.te', `
-allow pam_console_t gpmctl_t:sock_file { getattr setattr };
-')
-ifdef(`hotplug.te', `
-dontaudit pam_console_t hotplug_etc_t:dir search;
-allow pam_console_t hotplug_t:fd use;
-')
-ifdef(`xdm.te', `
-allow pam_console_t xdm_var_run_t:file { getattr read };
-')
-allow initrc_t pam_var_console_t:dir rw_dir_perms;
-allow initrc_t pam_var_console_t:file unlink;
-allow pam_console_t file_context_t:file { getattr read };
-nsswitch_domain(pam_console_t)
diff --git a/mls/domains/program/passwd.te b/mls/domains/program/passwd.te
deleted file mode 100644
index e002c09..0000000
--- a/mls/domains/program/passwd.te
+++ /dev/null
@@ -1,157 +0,0 @@
-#DESC Passwd - Password utilities
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: passwd
-#
-
-#################################
-#
-# Rules for the passwd_t domain.
-#
-define(`base_passwd_domain', `
-type $1_t, domain, privlog, $2;
-
-# for SSP
-allow $1_t urandom_device_t:chr_file read;
-
-allow $1_t self:process setrlimit;
-
-general_domain_access($1_t);
-uses_shlib($1_t);
-
-# Inherit and use descriptors from login.
-allow $1_t privfd:fd use;
-ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
-
-read_locale($1_t)
-
-allow $1_t fs_t:filesystem getattr;
-
-# allow checking if a shell is executable
-allow $1_t shell_exec_t:file execute;
-
-# Obtain contexts
-can_getsecurity($1_t)
-
-allow $1_t etc_t:file create_file_perms;
-
-# read /etc/mtab
-allow $1_t etc_runtime_t:file { getattr read };
-
-# Allow etc_t symlinks for /etc/alternatives on Debian.
-allow $1_t etc_t:lnk_file read;
-
-# Use capabilities.
-allow $1_t self:capability { chown dac_override fsetid setuid setgid sys_resource audit_control audit_write };
-
-# Access terminals.
-allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms;
-allow $1_t devtty_t:chr_file rw_file_perms;
-
-dontaudit $1_t devpts_t:dir getattr;
-
-# /usr/bin/passwd asks for w access to utmp, but it will operate
-# correctly without it.  Do not audit write denials to utmp.
-dontaudit $1_t initrc_var_run_t:file { read write };
-
-# user generally runs this from their home directory, so do not audit a search
-# on user home dir
-dontaudit $1_t { user_home_dir_type user_home_type }:dir search;
-
-# When the wrong current passwd is entered, passwd, for some reason, 
-# attempts to access /proc and /dev, but handles failure appropriately. So
-# do not audit those denials.
-dontaudit $1_t { proc_t device_t }:dir { search read };
-
-allow $1_t device_t:dir getattr;
-read_sysctl($1_t)
-')
-
-#################################
-#
-# Rules for the passwd_t domain.
-#
-define(`passwd_domain', `
-base_passwd_domain($1, `auth_write, privowner')
-# Update /etc/shadow and /etc/passwd
-file_type_auto_trans($1_t, etc_t, shadow_t, file)
-allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
-can_setfscreate($1_t)
-')
-
-passwd_domain(passwd)
-passwd_domain(sysadm_passwd)
-base_passwd_domain(chfn, `auth_chkpwd, etc_writer, privowner')
-can_setfscreate(chfn_t)
-
-# can exec /sbin/unix_chkpwd
-allow chfn_t { bin_t sbin_t }:dir search;
-
-# uses unix_chkpwd for checking passwords
-dontaudit chfn_t shadow_t:file read;
-allow chfn_t etc_t:dir rw_dir_perms;
-allow chfn_t etc_t:file create_file_perms;
-allow chfn_t proc_t:file { getattr read };
-allow chfn_t self:file write;
-
-in_user_role(passwd_t)
-in_user_role(chfn_t)
-role sysadm_r types passwd_t;
-role sysadm_r types sysadm_passwd_t;
-role sysadm_r types chfn_t;
-role system_r types passwd_t;
-role system_r types chfn_t;
-
-type admin_passwd_exec_t, file_type, sysadmfile;
-type passwd_exec_t, file_type, sysadmfile, exec_type;
-type chfn_exec_t, file_type, sysadmfile, exec_type;
-
-domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, passwd_exec_t, passwd_t)
-domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t)
-domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
-
-dontaudit chfn_t var_t:dir search;
-
-ifdef(`crack.te', `
-allow passwd_t var_t:dir search;
-dontaudit passwd_t var_run_t:dir search;
-allow passwd_t crack_db_t:dir r_dir_perms;
-allow passwd_t crack_db_t:file r_file_perms;
-', `
-dontaudit passwd_t var_t:dir search;
-')
-
-# allow vipw to exec the editor
-allow sysadm_passwd_t { root_t bin_t sbin_t }:dir search;
-allow sysadm_passwd_t bin_t:lnk_file read;
-can_exec(sysadm_passwd_t, { shell_exec_t bin_t })
-r_dir_file(sysadm_passwd_t, usr_t)
-
-# allow vipw to create temporary files under /var/tmp/vi.recover
-allow sysadm_passwd_t var_t:dir search;
-tmp_domain(sysadm_passwd)
-# for vipw - vi looks in the root home directory for config
-dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };
-# for /etc/alternatives/vi
-allow sysadm_passwd_t etc_t:lnk_file read;
-
-# for nscd lookups
-dontaudit sysadm_passwd_t var_run_t:dir search;
-
-# for /proc/meminfo
-allow sysadm_passwd_t proc_t:file { getattr read };
-
-dontaudit { chfn_t passwd_t sysadm_passwd_t } selinux_config_t:dir search;
-dontaudit sysadm_passwd_t devpts_t:dir search;
-
-# make sure that getcon succeeds
-allow passwd_t userdomain:dir search;
-allow passwd_t userdomain:file { getattr read };
-allow passwd_t userdomain:process getattr;
-
-allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-ifdef(`targeted_policy', `
-role system_r types sysadm_passwd_t;
-allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
-')
diff --git a/mls/domains/program/pegasus.te b/mls/domains/program/pegasus.te
deleted file mode 100644
index 3272074..0000000
--- a/mls/domains/program/pegasus.te
+++ /dev/null
@@ -1,36 +0,0 @@
-#DESC pegasus - The Open Group Pegasus CIM/WBEM Server 
-#
-# Author:  Jason Vas Dias <jvdias@redhat.com>
-# Package: tog-pegasus
-# 
-#################################
-#
-# Rules for the pegasus domain
-#
-daemon_domain(pegasus, `, nscd_client_domain, auth_chkpwd')
-type pegasus_data_t, file_type, sysadmfile;
-type pegasus_conf_t, file_type, sysadmfile;
-typealias sbin_t alias pegasus_conf_exec_t;
-type pegasus_mof_t, file_type, sysadmfile;
-allow pegasus_t self:capability { dac_override net_bind_service audit_write }; 
-can_network_tcp(pegasus_t);
-nsswitch_domain(pegasus_t);
-allow pegasus_t pegasus_var_run_t:sock_file { create setattr };
-allow pegasus_t self:unix_dgram_socket create_socket_perms;
-allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
-allow pegasus_t self:file { read getattr };
-allow pegasus_t self:fifo_file rw_file_perms;
-allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow pegasus_t { pegasus_http_port_t pegasus_https_port_t }:tcp_socket { name_bind name_connect };
-allow pegasus_t proc_t:file { getattr read };
-allow pegasus_t sysctl_vm_t:dir search;
-allow pegasus_t initrc_var_run_t:file { read write lock };
-allow pegasus_t urandom_device_t:chr_file { getattr read };
-r_dir_file(pegasus_t, etc_t)
-r_dir_file(pegasus_t, var_lib_t)
-r_dir_file(pegasus_t, pegasus_mof_t)
-allow pegasus_t pegasus_conf_t:file { link unlink };
-r_dir_file(pegasus_t, pegasus_conf_t)
-file_type_auto_trans(pegasus_t, pegasus_conf_t, pegasus_data_t)
-rw_dir_create_file(pegasus_t, pegasus_data_t)
-dontaudit pegasus_t selinux_config_t:dir search;
diff --git a/mls/domains/program/ping.te b/mls/domains/program/ping.te
deleted file mode 100644
index 0a0d94c..0000000
--- a/mls/domains/program/ping.te
+++ /dev/null
@@ -1,63 +0,0 @@
-#DESC Ping - Send ICMP messages to network hosts
-#
-# Author:  David A. Wheeler <dwheeler@ida.org>
-# X-Debian-Packages: iputils-ping netkit-ping iputils-arping arping hping2
-#
-
-#################################
-#
-# Rules for the ping_t domain.
-#
-# ping_t is the domain for the ping program.
-# ping_exec_t is the type of the corresponding program.
-#
-type ping_t, domain, privlog, nscd_client_domain;
-role sysadm_r types ping_t;
-role system_r types ping_t;
-in_user_role(ping_t)
-type ping_exec_t, file_type, sysadmfile, exec_type;
-
-ifdef(`targeted_policy', `
-	allow ping_t { devpts_t ttyfile ptyfile }:chr_file rw_file_perms;
-', `
-bool user_ping false;
-
-if (user_ping) {
-	domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
-	# allow access to the terminal
-	allow ping_t { ttyfile ptyfile }:chr_file rw_file_perms;
-	ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
-}
-')
-
-# Transition into this domain when you run this program.
-domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
-domain_auto_trans(initrc_t, ping_exec_t, ping_t)
-
-uses_shlib(ping_t)
-can_network_client(ping_t)
-can_resolve(ping_t)
-can_ypbind(ping_t)
-allow ping_t etc_t:file { getattr read };
-allow ping_t self:unix_stream_socket create_socket_perms;
-
-# Let ping create raw ICMP packets.
-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
-
-# Use capabilities.
-allow ping_t self:capability { net_raw setuid };
-
-# Access the terminal.
-allow ping_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
-allow ping_t privfd:fd use;
-dontaudit ping_t fs_t:filesystem getattr;
-
-# it tries to access /var/run
-dontaudit ping_t var_t:dir search;
-dontaudit ping_t devtty_t:chr_file { read write };
-dontaudit ping_t self:capability sys_tty_config;
-ifdef(`hide_broken_symptoms', `
-dontaudit ping_t init_t:fd use;
-')
-
diff --git a/mls/domains/program/portmap.te b/mls/domains/program/portmap.te
deleted file mode 100644
index 54cad6f..0000000
--- a/mls/domains/program/portmap.te
+++ /dev/null
@@ -1,71 +0,0 @@
-#DESC Portmap - Maintain RPC program number map
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: portmap
-#
-
-
-
-#################################
-#
-# Rules for the portmap_t domain.
-#
-daemon_domain(portmap, `, nscd_client_domain')
-
-can_network(portmap_t)
-allow portmap_t port_type:tcp_socket name_connect;
-can_ypbind(portmap_t)
-allow portmap_t self:unix_dgram_socket create_socket_perms;
-allow portmap_t self:unix_stream_socket create_stream_socket_perms;
-
-tmp_domain(portmap)
-
-allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind;
-
-# portmap binds to arbitary ports
-allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
-allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-
-allow portmap_t etc_t:file { getattr read };
-
-# Send to ypbind, initrc, rpc.statd, xinetd.
-ifdef(`ypbind.te',
-`can_udp_send(portmap_t, ypbind_t)')
-can_udp_send(portmap_t, { initrc_t init_t })
-can_udp_send(init_t, portmap_t)
-ifdef(`rpcd.te',
-`can_udp_send(portmap_t, rpcd_t)')
-ifdef(`inetd.te',
-`can_udp_send(portmap_t, inetd_t)')
-ifdef(`lpd.te',
-`can_udp_send(portmap_t, lpd_t)')
-ifdef(`tcpd.te', `
-can_udp_send(tcpd_t, portmap_t)
-')
-can_udp_send(portmap_t, kernel_t)
-can_udp_send(kernel_t, portmap_t)
-can_udp_send(sysadm_t, portmap_t)
-can_udp_send(portmap_t, sysadm_t)
-
-# Use capabilities
-allow portmap_t self:capability { net_bind_service setuid setgid };
-allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
-
-application_domain(portmap_helper)
-role system_r types portmap_helper_t;
-domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
-dontaudit portmap_helper_t self:capability { net_admin };
-allow portmap_helper_t self:capability { net_bind_service };
-allow portmap_helper_t initrc_var_run_t:file rw_file_perms;
-file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)
-allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
-can_network(portmap_helper_t)
-allow portmap_helper_t port_type:tcp_socket name_connect;
-can_ypbind(portmap_helper_t)
-dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
-allow portmap_helper_t etc_t:file { getattr read };
-dontaudit portmap_helper_t { userdomain privfd }:fd use;
-allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
-dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
diff --git a/mls/domains/program/postfix.te b/mls/domains/program/postfix.te
deleted file mode 100644
index 4f85e81..0000000
--- a/mls/domains/program/postfix.te
+++ /dev/null
@@ -1,373 +0,0 @@
-#DESC Postfix - Mail server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: postfix
-# Depends: mta.te
-#
-
-# Type for files created during execution of postfix.
-type postfix_var_run_t, file_type, sysadmfile, pidfile;
-
-type postfix_etc_t, file_type, sysadmfile;
-type postfix_exec_t, file_type, sysadmfile, exec_type;
-type postfix_public_t, file_type, sysadmfile;
-type postfix_private_t, file_type, sysadmfile;
-type postfix_spool_t, file_type, sysadmfile;
-type postfix_spool_maildrop_t, file_type, sysadmfile;
-type postfix_spool_flush_t, file_type, sysadmfile;
-type postfix_prng_t, file_type, sysadmfile;
-
-# postfix needs this for newaliases
-allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
-
-#################################
-#
-# Rules for the postfix_$1_t domain.
-#
-# postfix_$1_exec_t is the type of the postfix_$1 executables.
-#
-define(`postfix_domain', `
-daemon_core_rules(postfix_$1, `$2')
-allow postfix_$1_t self:process setpgid;
-allow postfix_$1_t postfix_master_t:process sigchld;
-allow postfix_master_t postfix_$1_t:process signal;
-
-allow postfix_$1_t { etc_t postfix_etc_t postfix_spool_t }:dir r_dir_perms;
-allow postfix_$1_t postfix_etc_t:file r_file_perms;
-read_locale(postfix_$1_t)
-allow postfix_$1_t etc_t:file { getattr read };
-allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
-allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
-allow postfix_$1_t self:unix_stream_socket connectto;
-
-allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms;
-allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read };
-allow postfix_$1_t shell_exec_t:file rx_file_perms;
-allow postfix_$1_t { var_t var_spool_t }:dir { search getattr };
-allow postfix_$1_t postfix_exec_t:file rx_file_perms;
-allow postfix_$1_t devtty_t:chr_file rw_file_perms;
-allow postfix_$1_t etc_runtime_t:file r_file_perms;
-allow postfix_$1_t proc_t:dir r_dir_perms;
-allow postfix_$1_t proc_t:file r_file_perms;
-allow postfix_$1_t postfix_exec_t:dir r_dir_perms;
-allow postfix_$1_t fs_t:filesystem getattr;
-allow postfix_$1_t proc_net_t:dir search;
-allow postfix_$1_t proc_net_t:file { getattr read };
-can_exec(postfix_$1_t, postfix_$1_exec_t)
-r_dir_file(postfix_$1_t, cert_t)
-allow postfix_$1_t { urandom_device_t random_device_t }:chr_file { read getattr };
-
-allow postfix_$1_t tmp_t:dir getattr;
-
-file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t, file)
-
-read_sysctl(postfix_$1_t)
-
-')dnl end postfix_domain
-
-ifdef(`crond.te',
-`allow system_mail_t crond_t:tcp_socket { read write create };')
-
-postfix_domain(master, `, mail_server_domain')
-rhgb_domain(postfix_master_t)
-
-# for a find command
-dontaudit postfix_master_t security_t:dir search;
-
-read_sysctl(postfix_master_t)
-
-ifdef(`targeted_policy', `
-bool postfix_disable_trans false;
-if (!postfix_disable_trans) {
-')
-domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
-allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh };
-
-domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t)
-allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh };
-ifdef(`targeted_policy', `', `
-role_transition sysadm_r postfix_master_exec_t system_r;
-')
-allow postfix_master_t postfix_etc_t:file rw_file_perms;
-dontaudit postfix_master_t admin_tty_type:chr_file { read write };
-allow postfix_master_t devpts_t:dir search;
-
-domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t)
-allow system_mail_t sysadm_t:process sigchld;
-allow system_mail_t privfd:fd use;
-
-ifdef(`pppd.te', `
-domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t)
-')
-
-ifdef(`targeted_policy', `
-}
-')
-
-allow postfix_master_t privfd:fd use;
-ifdef(`newrole.te', `allow postfix_master_t newrole_t:process sigchld;')
-allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms;
-
-# postfix does a "find" on startup for some reason - keep it quiet
-dontaudit postfix_master_t selinux_config_t:dir search;
-can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
-ifdef(`distro_redhat', `
-# compatability for old default main.cf
-file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t)
-# for newer main.cf that uses /etc/aliases
-file_type_auto_trans(postfix_master_t, etc_t, etc_aliases_t)
-')
-file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
-allow postfix_master_t sendmail_exec_t:file r_file_perms;
-allow postfix_master_t sbin_t:lnk_file { getattr read };
-
-can_exec(postfix_master_t, { ls_exec_t sbin_t })
-allow postfix_master_t self:fifo_file rw_file_perms;
-allow postfix_master_t usr_t:file r_file_perms;
-can_exec(postfix_master_t, { shell_exec_t bin_t postfix_exec_t })
-# chown is to set the correct ownership of queue dirs
-allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
-allow postfix_master_t postfix_public_t:fifo_file create_file_perms;
-allow postfix_master_t postfix_public_t:sock_file create_file_perms;
-allow postfix_master_t postfix_public_t:dir rw_dir_perms;
-allow postfix_master_t postfix_private_t:dir rw_dir_perms;
-allow postfix_master_t postfix_private_t:sock_file create_file_perms;
-allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
-can_network(postfix_master_t)
-allow postfix_master_t port_type:tcp_socket name_connect;
-can_ypbind(postfix_master_t)
-allow postfix_master_t { amavisd_send_port_t smtp_port_t }:tcp_socket name_bind;
-allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
-allow postfix_master_t postfix_prng_t:file getattr;
-allow postfix_master_t privfd:fd use;
-allow postfix_master_t etc_aliases_t:file rw_file_perms;
-allow postfix_master_t var_lib_t:dir search;
-
-ifdef(`saslauthd.te',`
-allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr };
-allow postfix_smtpd_t saslauthd_var_run_t:sock_file { read write };
-can_unix_connect(postfix_smtpd_t,saslauthd_t)
-')
-
-create_dir_file(postfix_master_t, postfix_spool_flush_t)
-allow postfix_master_t postfix_prng_t:file rw_file_perms;
-# for ls to get the current context
-allow postfix_master_t self:file { getattr read };
-
-# allow access to deferred queue and allow removing bogus incoming entries
-allow postfix_master_t postfix_spool_t:dir create_dir_perms;
-allow postfix_master_t postfix_spool_t:file create_file_perms;
-
-dontaudit postfix_master_t man_t:dir search;
-
-define(`postfix_server_domain', `
-postfix_domain($1, `$2')
-domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
-allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
-allow postfix_$1_t self:capability { setuid setgid dac_override };
-can_network_client(postfix_$1_t)
-allow postfix_$1_t port_type:tcp_socket name_connect;
-can_ypbind(postfix_$1_t)
-')
-
-postfix_server_domain(smtp, `, mail_server_sender')
-allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
-allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
-allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
-allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
-# if you have two different mail servers on the same host let them talk via
-# SMTP, also if one mail server wants to talk to itself then allow it and let
-# the SMTP protocol sort it out (SE Linux is not to prevent mail server
-# misconfiguration)
-can_tcp_connect(postfix_smtp_t, mail_server_domain)
-
-postfix_server_domain(smtpd)
-allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
-allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
-allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
-allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
-# for OpenSSL certificates
-r_dir_file(postfix_smtpd_t,usr_t)
-allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
-allow postfix_smtpd_t self:file { getattr read };
-
-# for prng_exch
-allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
-
-allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
-
-postfix_server_domain(local, `, mta_delivery_agent')
-ifdef(`procmail.te', `
-domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t)
-# for a bug in the postfix local program
-dontaudit procmail_t postfix_local_t:tcp_socket { read write };
-dontaudit procmail_t postfix_master_t:fd use;
-')
-allow postfix_local_t etc_aliases_t:file r_file_perms;
-allow postfix_local_t self:fifo_file rw_file_perms;
-allow postfix_local_t self:process { setsched setrlimit };
-allow postfix_local_t postfix_spool_t:file rw_file_perms;
-# for .forward - maybe we need a new type for it?
-allow postfix_local_t postfix_private_t:dir search;
-allow postfix_local_t postfix_private_t:sock_file rw_file_perms;
-allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_local_t postfix_public_t:dir search;
-allow postfix_local_t postfix_public_t:sock_file write;
-tmp_domain(postfix_local)
-can_exec(postfix_local_t,{ shell_exec_t bin_t })
-ifdef(`spamc.te', `
-can_exec(postfix_local_t, spamc_exec_t)
-')
-allow postfix_local_t mail_spool_t:dir { remove_name };
-allow postfix_local_t mail_spool_t:file { unlink };
-# For reading spamassasin
-r_dir_file(postfix_local_t, etc_mail_t)
-
-define(`postfix_public_domain',`
-postfix_server_domain($1)
-allow postfix_$1_t postfix_public_t:dir search;
-')
-
-postfix_public_domain(cleanup)
-create_dir_file(postfix_cleanup_t, postfix_spool_t)
-allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_cleanup_t postfix_public_t:sock_file { getattr write };
-allow postfix_cleanup_t postfix_private_t:dir search;
-allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;
-allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
-allow postfix_cleanup_t self:process setrlimit;
-
-allow user_mail_domain postfix_spool_t:dir r_dir_perms;
-allow user_mail_domain postfix_etc_t:dir r_dir_perms;
-allow { user_mail_domain initrc_t } postfix_etc_t:file r_file_perms;
-allow user_mail_domain self:capability dac_override;
-
-define(`postfix_user_domain', `
-postfix_domain($1, `$2')
-domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t)
-in_user_role(postfix_$1_t)
-role sysadm_r types postfix_$1_t;
-allow postfix_$1_t userdomain:process sigchld;
-allow postfix_$1_t userdomain:fifo_file { write getattr };
-allow postfix_$1_t { userdomain privfd }:fd use;
-allow postfix_$1_t self:capability dac_override;
-')
-
-postfix_user_domain(postqueue)
-allow postfix_postqueue_t postfix_public_t:dir search;
-allow postfix_postqueue_t postfix_public_t:fifo_file getattr;
-allow postfix_postqueue_t self:udp_socket { create ioctl };
-allow postfix_postqueue_t self:tcp_socket create;
-allow postfix_master_t postfix_postqueue_exec_t:file getattr;
-domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
-allow postfix_postqueue_t initrc_t:process sigchld;
-allow postfix_postqueue_t initrc_t:fd use;
-
-# to write the mailq output, it really should not need read access!
-allow postfix_postqueue_t { ptyfile ttyfile }:chr_file { read write getattr };
-ifdef(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;')
-
-# wants to write to /var/spool/postfix/public/showq
-allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;
-allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;
-# write to /var/spool/postfix/public/qmgr
-allow postfix_postqueue_t postfix_public_t:fifo_file write;
-dontaudit postfix_postqueue_t net_conf_t:file r_file_perms;
-
-postfix_user_domain(showq)
-# the following auto_trans is usually in postfix server domain
-domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
-can_resolve(postfix_showq_t)
-r_dir_file(postfix_showq_t, postfix_spool_maildrop_t)
-domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
-allow postfix_showq_t self:capability { setuid setgid };
-allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
-allow postfix_showq_t postfix_spool_t:file r_file_perms;
-allow postfix_showq_t self:tcp_socket create_socket_perms;
-allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write };
-dontaudit postfix_showq_t net_conf_t:file r_file_perms;
-
-postfix_user_domain(postdrop, `, mta_user_agent')
-can_resolve(postfix_postdrop_t)
-allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
-allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms;
-allow postfix_postdrop_t postfix_public_t:dir search;
-allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
-dontaudit postfix_postdrop_t { ptyfile ttyfile }:chr_file { read write };
-dontaudit postfix_postdrop_t net_conf_t:file r_file_perms;
-allow postfix_master_t postfix_postdrop_exec_t:file getattr;
-ifdef(`crond.te',
-`allow postfix_postdrop_t { crond_t system_crond_t }:fd use;
-allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;')
-# usually it does not need a UDP socket
-allow postfix_postdrop_t self:udp_socket create_socket_perms;
-allow postfix_postdrop_t self:tcp_socket create;
-allow postfix_postdrop_t self:capability sys_resource;
-allow postfix_postdrop_t self:tcp_socket create;
-
-postfix_public_domain(pickup)
-allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
-allow postfix_pickup_t postfix_private_t:dir search;
-allow postfix_pickup_t postfix_private_t:sock_file write;
-allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
-allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
-allow postfix_pickup_t self:tcp_socket create_socket_perms;
-
-postfix_public_domain(qmgr)
-allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_qmgr_t postfix_public_t:sock_file write;
-allow postfix_qmgr_t postfix_private_t:dir search;
-allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
-allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
-
-# for /var/spool/postfix/active
-create_dir_file(postfix_qmgr_t, postfix_spool_t)
-
-postfix_public_domain(bounce)
-type postfix_spool_bounce_t, file_type, sysadmfile;
-create_dir_file(postfix_bounce_t, postfix_spool_bounce_t)
-create_dir_file(postfix_bounce_t, postfix_spool_t)
-allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms;
-allow postfix_master_t postfix_spool_bounce_t:file getattr;
-allow postfix_bounce_t self:capability dac_read_search;
-allow postfix_bounce_t postfix_public_t:sock_file write;
-allow postfix_bounce_t self:tcp_socket create_socket_perms;
-
-r_dir_file(postfix_qmgr_t, postfix_spool_bounce_t)
-
-postfix_public_domain(pipe)
-allow postfix_pipe_t postfix_spool_t:dir search;
-allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
-allow postfix_pipe_t self:fifo_file { read write };
-allow postfix_pipe_t postfix_private_t:dir search;
-allow postfix_pipe_t postfix_private_t:sock_file write;
-ifdef(`procmail.te', `
-domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
-')
-ifdef(`sendmail.te', `
-r_dir_file(sendmail_t, postfix_etc_t)
-allow sendmail_t postfix_spool_t:dir search;
-')
-
-# Program for creating database files
-application_domain(postfix_map)
-base_file_read_access(postfix_map_t)
-allow postfix_map_t { etc_t etc_runtime_t }:{ file lnk_file } { getattr read };
-tmp_domain(postfix_map)
-create_dir_file(postfix_map_t, postfix_etc_t)
-allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
-dontaudit postfix_map_t proc_t:dir { getattr read search };
-dontaudit postfix_map_t local_login_t:fd use;
-allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
-read_locale(postfix_map_t)
-allow postfix_map_t self:capability setgid;
-allow postfix_map_t self:unix_dgram_socket create_socket_perms;
-dontaudit postfix_map_t var_t:dir search;
-can_network_server(postfix_map_t)
-allow postfix_map_t port_type:tcp_socket name_connect;
diff --git a/mls/domains/program/postgresql.te b/mls/domains/program/postgresql.te
deleted file mode 100644
index 8ab14d0..0000000
--- a/mls/domains/program/postgresql.te
+++ /dev/null
@@ -1,145 +0,0 @@
-#DESC Postgresql - Database server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: postgresql
-#
-
-#################################
-#
-# Rules for the postgresql_t domain.
-#
-# postgresql_exec_t is the type of the postgresql executable.
-#
-daemon_domain(postgresql)
-allow initrc_t postgresql_exec_t:lnk_file read;
-allow postgresql_t usr_t:file { getattr read };
-
-allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
-
-ifdef(`distro_debian', `
-can_exec(postgresql_t, initrc_exec_t)
-# gross hack
-domain_auto_trans(dpkg_t, postgresql_exec_t, postgresql_t)
-can_exec(postgresql_t, dpkg_exec_t)
-')
-
-dontaudit postgresql_t sysadm_home_dir_t:dir search;
-
-# quiet ps and killall
-dontaudit postgresql_t domain:dir { getattr search };
-
-# for currect directory of scripts
-allow postgresql_t { var_spool_t cron_spool_t }:dir search;
-
-# capability kill is for shutdown script
-allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config };
-dontaudit postgresql_t self:capability sys_admin;
-
-etcdir_domain(postgresql)
-type postgresql_db_t, file_type, sysadmfile;
-
-logdir_domain(postgresql)
-
-ifdef(`crond.te', `
-# allow crond to find /usr/lib/postgresql/bin/do.maintenance
-allow crond_t postgresql_db_t:dir search;
-system_crond_entry(postgresql_exec_t, postgresql_t)
-')
-
-tmp_domain(postgresql, `', `{ dir file sock_file }')
-file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
-
-# Use the network.
-can_network(postgresql_t)
-allow postgresql_t self:fifo_file { getattr read write ioctl };
-allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
-can_unix_connect(postgresql_t, self)
-allow postgresql_t self:unix_dgram_socket create_socket_perms;
-
-allow postgresql_t self:shm create_shm_perms;
-
-ifdef(`targeted_policy', `', `
-bool allow_user_postgresql_connect false;
-
-if (allow_user_postgresql_connect) {
-# allow any user domain to connect to the database server
-can_tcp_connect(userdomain, postgresql_t)
-allow userdomain postgresql_t:unix_stream_socket connectto;
-allow userdomain postgresql_var_run_t:sock_file write;
-allow userdomain postgresql_tmp_t:sock_file write;
-}
-')
-ifdef(`consoletype.te', `
-can_exec(postgresql_t, consoletype_exec_t)
-')
-
-ifdef(`hostname.te', `
-can_exec(postgresql_t, hostname_exec_t)
-')
-
-allow postgresql_t postgresql_port_t:tcp_socket name_bind;
-allow postgresql_t auth_port_t:tcp_socket name_connect;
-
-allow postgresql_t { proc_t self }:file { getattr read };
-
-# Allow access to the postgresql databases
-create_dir_file(postgresql_t, postgresql_db_t)
-file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t)
-allow postgresql_t var_lib_t:dir { getattr search };
-
-# because postgresql start scripts are broken and put the pid file in the DB
-# directory
-rw_dir_file(initrc_t, postgresql_db_t)
-
-# read config files
-allow postgresql_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
-r_dir_file(initrc_t, postgresql_etc_t)
-
-allow postgresql_t etc_t:dir rw_dir_perms;
-
-read_sysctl(postgresql_t)
-
-allow postgresql_t devtty_t:chr_file { read write };
-allow postgresql_t devpts_t:dir search;
-
-allow postgresql_t { bin_t sbin_t }:dir search;
-allow postgresql_t { bin_t sbin_t }:lnk_file { getattr read };
-allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
-
-allow postgresql_t self:sem create_sem_perms;
-
-allow postgresql_t initrc_var_run_t:file { getattr read lock };
-dontaudit postgresql_t selinux_config_t:dir search;
-allow postgresql_t mail_spool_t:dir search;
-lock_domain(postgresql)
-can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
-ifdef(`apache.te', `
-# 
-# Allow httpd to work with postgresql
-#
-allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;
-can_unix_connect(httpd_t, postgresql_t)
-')
-
-ifdef(`distro_gentoo', `
-# "su - postgres ..." is called from initrc_t
-allow initrc_su_t postgresql_db_t:dir search;
-allow postgresql_t initrc_su_t:process sigchld;
-dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
-')
-
-dontaudit postgresql_t home_root_t:dir search;
-allow postgresql_t urandom_device_t:chr_file { getattr read };
-
-if (allow_execmem) {
-allow postgresql_t self:process execmem;
-}
-
-authentication_domain(postgresql_t)
-#
-# postgresql has pam support
-#
-bool allow_postgresql_use_pam false;
-if (allow_postgresql_use_pam) {
-domain_auto_trans(postgresql_t, chkpwd_exec_t, system_chkpwd_t)
-}
diff --git a/mls/domains/program/pppd.te b/mls/domains/program/pppd.te
deleted file mode 100644
index 33b9b8f..0000000
--- a/mls/domains/program/pppd.te
+++ /dev/null
@@ -1,153 +0,0 @@
-#DESC PPPD - PPP daemon
-#
-# Author:  Russell Coker
-# X-Debian-Packages: ppp
-#
-
-#################################
-#
-# Rules for the pppd_t domain, et al.
-#
-# pppd_t is the domain for the pppd program.
-# pppd_exec_t is the type of the pppd executable.
-# pppd_secret_t is the type of the pap and chap password files
-#
-bool pppd_for_user false;
-
-daemon_domain(pppd, `, privmail, privsysmod, nscd_client_domain')
-type pppd_secret_t, file_type, sysadmfile;
-
-# Define a separate type for /etc/ppp
-etcdir_domain(pppd)
-# Define a separate type for writable files under /etc/ppp
-type pppd_etc_rw_t, file_type, sysadmfile;
-# Automatically label newly created files under /etc/ppp with this type
-file_type_auto_trans(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
-
-# for SSP
-allow pppd_t urandom_device_t:chr_file read;
-
-allow pppd_t sysfs_t:dir search;
-
-log_domain(pppd)
-
-# Use the network.
-can_network_server(pppd_t)
-can_ypbind(pppd_t)
-
-# Use capabilities.
-allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override sys_module };
-lock_domain(pppd)
-
-# Access secret files
-allow pppd_t pppd_secret_t:file r_file_perms;
-
-ifdef(`postfix.te', `
-allow pppd_t postfix_etc_t:dir search;
-allow pppd_t postfix_etc_t:file r_file_perms;
-allow pppd_t postfix_master_exec_t:file { getattr read };
-allow postfix_postqueue_t pppd_t:fd use;
-allow postfix_postqueue_t pppd_t:process sigchld;
-')
-
-# allow running ip-up and ip-down scripts and running chat.
-can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
-allow pppd_t { bin_t sbin_t }:dir search;
-allow pppd_t { sbin_t bin_t }:lnk_file read;
-allow ifconfig_t pppd_t:fd use;
-
-# Access /dev/ppp.
-allow pppd_t ppp_device_t:chr_file rw_file_perms;
-allow pppd_t devtty_t:chr_file { read write };
-
-allow pppd_t self:unix_dgram_socket create_socket_perms;
-allow pppd_t self:unix_stream_socket create_socket_perms;
-
-allow pppd_t proc_t:dir search;
-allow pppd_t proc_t:{ file lnk_file } r_file_perms;
-allow pppd_t proc_net_t:dir { read search };
-allow pppd_t proc_net_t:file r_file_perms;
-
-allow pppd_t etc_runtime_t:file r_file_perms;
-
-allow pppd_t self:socket create_socket_perms;
-
-allow pppd_t tty_device_t:chr_file { setattr rw_file_perms };
-
-allow pppd_t devpts_t:dir search;
-allow pppd_t devpts_t:chr_file ioctl;
-
-# for scripts
-allow pppd_t self:fifo_file rw_file_perms;
-allow pppd_t etc_t:lnk_file read;
-
-# for ~/.ppprc - if it actually exists then you need some policy to read it
-allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
-
-in_user_role(pppd_t)
-if (pppd_for_user)  {
-# Run pppd in pppd_t by default for user
-domain_auto_trans(unpriv_userdomain, pppd_exec_t, pppd_t)
-allow unpriv_userdomain pppd_t:process signal;
-}
-
-# for pppoe
-can_create_pty(pppd)
-allow pppd_t self:file { read getattr };
-
-allow pppd_t self:packet_socket create_socket_perms;
-
-file_type_auto_trans(pppd_t, etc_t, net_conf_t, file)
-tmp_domain(pppd)
-allow pppd_t sysctl_net_t:dir search;
-allow pppd_t sysctl_net_t:file r_file_perms;
-allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
-allow pppd_t initrc_var_run_t:file r_file_perms;
-dontaudit pppd_t initrc_var_run_t:file { lock write };
-
-# pppd needs to load kernel modules for certain modems
-ifdef(`modutil.te', `
-bool pppd_can_insmod false;
-typeattribute ifconfig_t privsysmod;
-
-if (pppd_can_insmod && !secure_mode_insmod) {
-domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
-allow ifconfig_t self:capability sys_module;
-}
-
-')
-
-daemon_domain(pptp, `, nscd_client_domain')
-can_network_client_tcp(pptp_t)
-allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
-can_exec(pptp_t, hostname_exec_t)
-domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
-allow pptp_t self:rawip_socket create_socket_perms;
-allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow pptp_t self:unix_dgram_socket create_socket_perms;
-can_exec(pptp_t, pppd_etc_rw_t)
-allow pptp_t devpts_t:dir search;
-allow pptp_t pppd_devpts_t:chr_file rw_file_perms;
-allow pptp_t devpts_t:chr_file ioctl;
-r_dir_file(pptp_t, pppd_etc_rw_t)
-r_dir_file(pptp_t, pppd_etc_t)
-allow pppd_t pptp_t:process signal;
-allow pptp_t self:capability net_raw;
-allow pptp_t self:fifo_file { read write };
-allow pptp_t ptmx_t:chr_file rw_file_perms;
-log_domain(pptp)
-
-# Fix sockets
-allow pptp_t pptp_var_run_t:sock_file create_file_perms;
-
-# Allow pptp to append to pppd log files
-allow pptp_t pppd_log_t:file append;
-
-ifdef(`named.te', `
-dontaudit ndc_t pppd_t:fd use;
-')
-
-# Allow /etc/ppp/ip-{up,down} to run most anything
-type pppd_script_exec_t, file_type, sysadmfile;
-domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
-allow pppd_t initrc_t:process noatsecure;
diff --git a/mls/domains/program/prelink.te b/mls/domains/program/prelink.te
deleted file mode 100644
index 3ffa0d7..0000000
--- a/mls/domains/program/prelink.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#DESC PRELINK - Security Enhanced version of the GNU Prelink
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the prelink_t domain.
-#
-# prelink_exec_t is the type of the prelink executable.
-#
-daemon_base_domain(prelink, `, admin, privowner')
-
-allow prelink_t self:process { execheap execmem execstack };
-allow prelink_t texrel_shlib_t:file execmod;
-allow prelink_t fs_t:filesystem getattr;
-
-ifdef(`crond.te', `
-system_crond_entry(prelink_exec_t, prelink_t)
-allow system_crond_t prelink_log_t:dir rw_dir_perms;
-allow system_crond_t prelink_log_t:file create_file_perms;
-allow system_crond_t prelink_cache_t:file { getattr read unlink };
-allow prelink_t crond_log_t:file append;
-')
-
-logdir_domain(prelink)
-type etc_prelink_t, file_type, sysadmfile;
-type var_lock_prelink_t, file_type, sysadmfile, lockfile;
-
-allow prelink_t etc_prelink_t:file { getattr read };
-allow prelink_t file_type:dir rw_dir_perms;
-allow prelink_t file_type:lnk_file r_file_perms;
-allow prelink_t file_type:file getattr;
-allow prelink_t { ifdef(`amanda.te', `amanda_usr_lib_t') admin_passwd_exec_t ifdef(`apache.te', `httpd_modules_t') ifdef(`xserver.te', `xkb_var_lib_t') ld_so_t su_exec_t texrel_shlib_t shlib_t sbin_t bin_t lib_t exec_type }:file { create_file_perms execute relabelto relabelfrom };
-allow prelink_t ld_so_t:file execute_no_trans;
-
-allow prelink_t self:capability { chown dac_override fowner fsetid };
-allow prelink_t self:fifo_file rw_file_perms;
-allow prelink_t self:file { getattr read };
-dontaudit prelink_t sysctl_kernel_t:dir search;
-dontaudit prelink_t sysctl_t:dir search;
-allow prelink_t etc_runtime_t:file { getattr read };
-read_locale(prelink_t)
-allow prelink_t urandom_device_t:chr_file read;
-allow prelink_t proc_t:file { getattr read };
-#
-# prelink_cache_t is the type of /etc/prelink.cache.
-#
-type prelink_cache_t, file_type, sysadmfile;
-file_type_auto_trans(prelink_t, etc_t, prelink_cache_t, file)
diff --git a/mls/domains/program/privoxy.te b/mls/domains/program/privoxy.te
deleted file mode 100644
index b8a522d..0000000
--- a/mls/domains/program/privoxy.te
+++ /dev/null
@@ -1,27 +0,0 @@
-#DESC privoxy - privacy enhancing proxy
-#
-# Authors: Dan Walsh <dwalsh@redhat.com>
-#
-#
-
-#################################
-#
-# Rules for the privoxy_t domain.
-#
-daemon_domain(privoxy, `, web_client_domain')
-
-logdir_domain(privoxy)
-
-# Use capabilities.
-allow privoxy_t self:capability net_bind_service;
-
-# Use the network.
-can_network_tcp(privoxy_t)
-can_ypbind(privoxy_t)
-can_resolve(privoxy_t)
-allow privoxy_t http_cache_port_t:tcp_socket name_bind;
-allow privoxy_t etc_t:file { getattr read };
-allow privoxy_t self:capability { setgid setuid };
-allow privoxy_t self:unix_stream_socket create_socket_perms ;
-allow privoxy_t admin_tty_type:chr_file { read write };
-
diff --git a/mls/domains/program/procmail.te b/mls/domains/program/procmail.te
deleted file mode 100644
index 7616e34..0000000
--- a/mls/domains/program/procmail.te
+++ /dev/null
@@ -1,92 +0,0 @@
-#DESC Procmail - Mail delivery agent for mail servers
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: procmail
-#
-
-#################################
-#
-# Rules for the procmail_t domain.
-#
-# procmail_exec_t is the type of the procmail executable.
-#
-# privhome only works until we define a different type for maildir
-type procmail_t, domain, privlog, privhome, nscd_client_domain;
-type procmail_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types procmail_t;
-
-uses_shlib(procmail_t)
-allow procmail_t device_t:dir search;
-can_network(procmail_t)
-nsswitch_domain(procmail_t)
-allow procmail_t spamd_port_t:tcp_socket name_connect;
-
-allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
-
-allow procmail_t etc_t:dir r_dir_perms;
-allow procmail_t { etc_t etc_runtime_t }:file { getattr read };
-allow procmail_t etc_t:lnk_file read;
-read_locale(procmail_t)
-read_sysctl(procmail_t)
-
-allow procmail_t sysctl_t:dir search;
-
-allow procmail_t self:process { setsched fork sigchld signal };
-dontaudit procmail_t sbin_t:dir { getattr search };
-can_exec(procmail_t, { bin_t shell_exec_t })
-allow procmail_t bin_t:dir { getattr search };
-allow procmail_t bin_t:lnk_file read;
-allow procmail_t self:fifo_file rw_file_perms;
-
-allow procmail_t self:unix_stream_socket create_socket_perms;
-allow procmail_t self:unix_dgram_socket create_socket_perms;
-
-# for /var/mail
-rw_dir_create_file(procmail_t, mail_spool_t)
-
-allow procmail_t var_t:dir { getattr search };
-allow procmail_t var_spool_t:dir r_dir_perms;
-
-allow procmail_t fs_t:filesystem getattr;
-allow procmail_t { self proc_t }:dir search;
-allow procmail_t proc_t:file { getattr read };
-allow procmail_t { self proc_t }:lnk_file read;
-
-# for if /var/mail is a symlink to /var/spool/mail
-#allow procmail_t mail_spool_t:lnk_file r_file_perms;
-
-# for spamassasin
-allow procmail_t usr_t:file { getattr ioctl read };
-ifdef(`spamassassin.te', `
-can_exec(procmail_t, spamassassin_exec_t)
-allow procmail_t port_t:udp_socket name_bind;
-allow procmail_t tmp_t:dir getattr;
-')
-ifdef(`spamc.te', `
-can_exec(procmail_t, spamc_exec_t)
-')
-
-ifdef(`targeted_policy', `
-allow procmail_t port_t:udp_socket name_bind;
-allow procmail_t tmp_t:dir getattr;
-')
-
-# Search /var/run.
-allow procmail_t var_run_t:dir { getattr search };
-
-# Do not audit attempts to access /root.
-dontaudit procmail_t sysadm_home_dir_t:dir { getattr search };
-
-allow procmail_t devtty_t:chr_file { read write };
-
-allow procmail_t urandom_device_t:chr_file { getattr read };
-
-ifdef(`sendmail.te', `
-r_dir_file(procmail_t, etc_mail_t)
-allow procmail_t sendmail_t:tcp_socket { read write };
-')
-
-ifdef(`hide_broken_symptoms', `
-dontaudit procmail_t mqueue_spool_t:file { getattr read write };
-')
diff --git a/mls/domains/program/quota.te b/mls/domains/program/quota.te
deleted file mode 100644
index 7374053..0000000
--- a/mls/domains/program/quota.te
+++ /dev/null
@@ -1,59 +0,0 @@
-#DESC Quota - File system quota management utilities
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: quota quotatool
-#
-
-#################################
-#
-# Rules for the quota_t domain.
-#
-# needs auth attribute because it has read access to shadow_t because checkquota
-# is buggy
-daemon_base_domain(quota, `, auth, fs_domain')
-
-# so the administrator can run quotacheck
-domain_auto_trans(sysadm_t, quota_exec_t, quota_t)
-role sysadm_r types quota_t;
-allow quota_t admin_tty_type:chr_file { read write };
-
-type quota_flag_t, file_type, sysadmfile;
-type quota_db_t, file_type, sysadmfile;
-
-rw_dir_create_file(initrc_t, quota_flag_t)
-
-allow quota_t fs_t:filesystem { getattr quotaget quotamod remount };
-# quotacheck creates new quota_db_t files
-file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file)
-# for some reason it wants dac_override not dac_read_search
-allow quota_t self:capability { sys_admin dac_override };
-allow quota_t file_type:{ fifo_file sock_file } getattr;
-allow quota_t file_t:file quotaon;
-
-# for quotacheck
-allow quota_t file_type:dir r_dir_perms;
-# The following line is apparently necessary, although read and
-# ioctl seem to be more than should be required.
-allow quota_t file_type:file { getattr read ioctl };
-allow quota_t file_type:{ fifo_file sock_file } getattr;
-allow quota_t file_type:lnk_file { read getattr };
-allow quota_t device_type:{ chr_file blk_file } getattr;
-
-allow quota_t fixed_disk_device_t:blk_file { getattr read };
-
-# for /quota.*
-allow quota_t quota_db_t:file { read write };
-dontaudit unpriv_userdomain quota_db_t:file getattr;
-allow quota_t quota_db_t:file quotaon;
-
-# Read /etc/mtab.
-allow quota_t etc_runtime_t:file { read getattr };
-
-allow quota_t device_t:dir r_dir_perms;
-allow quota_t fixed_disk_device_t:blk_file getattr;
-allow quota_t boot_t:dir r_dir_perms;
-allow quota_t sysctl_t:dir { getattr search };
-
-allow quota_t initrc_devpts_t:chr_file rw_file_perms;
-
-allow quota_t proc_t:file getattr;
diff --git a/mls/domains/program/radius.te b/mls/domains/program/radius.te
deleted file mode 100644
index 57eccc2..0000000
--- a/mls/domains/program/radius.te
+++ /dev/null
@@ -1,67 +0,0 @@
-#DESC RADIUS - Radius server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: radiusd-cistron radiusd-livingston xtradius yardradius radiusd-freeradius
-#
-
-#################################
-#
-# Rules for the radiusd_t domain.
-#
-# radiusd_exec_t is the type of the radiusd executable.
-#
-daemon_domain(radiusd, `, auth_chkpwd')
-
-etcdir_domain(radiusd)
-
-system_crond_entry(radiusd_exec_t, radiusd_t)
-
-allow radiusd_t self:process setsched;
-
-allow radiusd_t proc_t:file { read getattr };
-
-dontaudit radiusd_t sysadm_home_dir_t:dir getattr;
-
-# allow pthreads to read kernel version
-read_sysctl(radiusd_t)
-
-# read config files
-allow radiusd_t etc_t:dir r_dir_perms;
-allow radiusd_t { etc_t etc_runtime_t }:file { read getattr };
-allow radiusd_t etc_t:lnk_file read;
-
-# write log files
-logdir_domain(radiusd)
-allow radiusd_t radiusd_log_t:dir create;
-
-allow radiusd_t usr_t:file r_file_perms;
-
-can_exec(radiusd_t, lib_t)
-can_exec(radiusd_t, { bin_t shell_exec_t })
-allow radiusd_t { bin_t sbin_t }:dir search;
-allow radiusd_t bin_t:lnk_file read;
-
-allow radiusd_t devtty_t:chr_file { read write };
-allow radiusd_t self:fifo_file rw_file_perms;
-# fsetid is for gzip which needs it when run from scripts
-# gzip also needs chown access to preserve GID for radwtmp files
-allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
-
-can_network_server(radiusd_t)
-can_ypbind(radiusd_t)
-allow radiusd_t { radius_port_t radacct_port_t }:udp_socket name_bind;
-
-# for RADIUS proxy port
-allow radiusd_t port_t:udp_socket name_bind;
-
-ifdef(`snmpd.te', `
-can_tcp_connect(radiusd_t, snmpd_t)
-')
-ifdef(`logrotate.te', `
-can_exec(radiusd_t, logrotate_exec_t)
-')
-can_udp_send(sysadm_t, radiusd_t)
-can_udp_send(radiusd_t, sysadm_t)
-
-allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
-allow radiusd_t urandom_device_t:chr_file { getattr read };
diff --git a/mls/domains/program/radvd.te b/mls/domains/program/radvd.te
deleted file mode 100644
index 868ef8b..0000000
--- a/mls/domains/program/radvd.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC Radv - IPv6 route advisory daemon
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: radvd
-#
-
-#################################
-#
-# Rules for the radvd_t domain.
-#
-daemon_domain(radvd)
-
-etc_domain(radvd)
-allow radvd_t etc_t:file { getattr read };
-
-allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;
-
-allow radvd_t self:capability { setgid setuid net_raw };
-allow radvd_t self:{ unix_dgram_socket rawip_socket } create;
-allow radvd_t self:unix_stream_socket create_socket_perms;
-
-can_network_server(radvd_t)
-can_ypbind(radvd_t)
-
-allow radvd_t { proc_t proc_net_t }:dir r_dir_perms;
-allow radvd_t { proc_t proc_net_t }:file { getattr read };
-allow radvd_t etc_t:lnk_file read;
-
-allow radvd_t sysctl_net_t:file r_file_perms;
-allow radvd_t sysctl_net_t:dir r_dir_perms;
diff --git a/mls/domains/program/rdisc.te b/mls/domains/program/rdisc.te
deleted file mode 100644
index 79331fa..0000000
--- a/mls/domains/program/rdisc.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC rdisc - network router discovery daemon
-#
-# Author:  Russell Coker <russell@coker.com.au>
-
-daemon_base_domain(rdisc)
-allow rdisc_t self:unix_stream_socket create_stream_socket_perms;
-allow rdisc_t self:rawip_socket create_socket_perms;
-allow rdisc_t self:udp_socket create_socket_perms;
-allow rdisc_t self:capability net_raw;
-
-can_network_udp(rdisc_t)
-
-allow rdisc_t etc_t:file { getattr read };
diff --git a/mls/domains/program/readahead.te b/mls/domains/program/readahead.te
deleted file mode 100644
index dde8e37..0000000
--- a/mls/domains/program/readahead.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#DESC readahead - read files in page cache 
-#
-# Author: Dan Walsh (dwalsh@redhat.com)
-#
-
-#################################
-#
-# Declarations for readahead
-#
-
-daemon_domain(readahead)
-#
-# readahead asks for these
-#
-allow readahead_t { file_type -secure_file_type }:{ file lnk_file } { getattr read };
-allow readahead_t { file_type -secure_file_type }:dir r_dir_perms;
-dontaudit readahead_t shadow_t:file { getattr read };
-allow readahead_t { device_t device_type }:{ lnk_file chr_file blk_file } getattr;
-dontaudit readahead_t file_type:sock_file getattr;
-allow readahead_t proc_t:file { getattr read };
-dontaudit readahead_t device_type:blk_file read;
diff --git a/mls/domains/program/restorecon.te b/mls/domains/program/restorecon.te
deleted file mode 100644
index 27a012b..0000000
--- a/mls/domains/program/restorecon.te
+++ /dev/null
@@ -1,69 +0,0 @@
-#DESC restorecon - Restore or check the context of a file
-#
-# Authors:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: policycoreutils
-#
-
-#################################
-#
-# Rules for the restorecon_t domain.
-#
-# restorecon_exec_t is the type of the restorecon executable.
-#
-# needs auth_write attribute because it has relabelfrom/relabelto
-# access to shadow_t
-type restorecon_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
-type restorecon_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types restorecon_t;
-role sysadm_r types restorecon_t;
-role secadm_r types restorecon_t;
-
-can_access_pty(restorecon_t, initrc)
-allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };
-
-domain_auto_trans({ initrc_t secadmin }, restorecon_exec_t, restorecon_t)
-allow restorecon_t { userdomain init_t privfd }:fd use;
-
-uses_shlib(restorecon_t)
-allow restorecon_t self:capability { dac_override dac_read_search fowner };
-
-# for upgrading glibc and other shared objects - without this the upgrade
-# scripts will put things in a state such that restorecon can not be run!
-allow restorecon_t lib_t:file { read execute };
-
-# Get security policy decisions.
-can_getsecurity(restorecon_t)
-
-r_dir_file(restorecon_t, policy_config_t)
-
-allow restorecon_t file_type:dir r_dir_perms;
-allow restorecon_t file_type:{ dir file lnk_file sock_file fifo_file } { getattr relabelfrom relabelto };
-allow restorecon_t unlabeled_t:dir_file_class_set { getattr relabelfrom };
-allow restorecon_t unlabeled_t:dir read;
-allow restorecon_t { device_t device_type }:{ chr_file blk_file } { getattr relabelfrom relabelto };
-ifdef(`distro_redhat', `
-allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
-')
-ifdef(`dpkg.te', `
-domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
-')
-
-allow restorecon_t ptyfile:chr_file getattr;
-
-allow restorecon_t fs_t:filesystem getattr;
-
-allow restorecon_t etc_runtime_t:file { getattr read };
-allow restorecon_t etc_t:file { getattr read };
-allow restorecon_t proc_t:file { getattr read };
-dontaudit restorecon_t proc_t:lnk_file { getattr read };
-
-allow restorecon_t device_t:file { read write };
-allow restorecon_t kernel_t:fd use;
-allow restorecon_t kernel_t:fifo_file { read write };
-allow restorecon_t kernel_t:unix_dgram_socket { read write };
-r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
-allow restorecon_t autofs_t:dir r_dir_perms;
-allow restorecon_t devpts_t:chr_file getattr;
-# need to restorecon /dev/pts during boot (from /etc/rc.d/rc.sysinit)
-allow restorecon_t devpts_t:dir { relabelfrom relabelto };
diff --git a/mls/domains/program/rlogind.te b/mls/domains/program/rlogind.te
deleted file mode 100644
index 88af4e4..0000000
--- a/mls/domains/program/rlogind.te
+++ /dev/null
@@ -1,40 +0,0 @@
-#DESC Rlogind - Remote login daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: rsh-client rsh-redone-client
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the rlogind_t domain.
-#
-remote_login_daemon(rlogind)
-typeattribute rlogind_t auth_chkpwd;
-
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, rlogind_exec_t, rlogind_t)
-')
-
-# for /usr/lib/telnetlogin
-can_exec(rlogind_t, rlogind_exec_t)
-
-# Use capabilities.
-allow rlogind_t self:capability { net_bind_service };
-
-# Run login in remote_login_t.
-allow remote_login_t inetd_t:fd use;
-allow remote_login_t inetd_t:tcp_socket rw_file_perms;
-
-# Send SIGCHLD to inetd on death.
-allow rlogind_t inetd_t:process sigchld;
-
-allow rlogind_t home_dir_type:dir search;
-allow rlogind_t home_type:file { getattr read };
-allow rlogind_t self:file { getattr read };
-allow rlogind_t default_t:dir search;
-typealias rlogind_port_t alias rlogin_port_t;
-read_sysctl(rlogind_t);
-ifdef(`kerberos.te', `
-allow rlogind_t krb5_keytab_t:file { getattr read };
-')
diff --git a/mls/domains/program/roundup.te b/mls/domains/program/roundup.te
deleted file mode 100644
index 4c3e97a..0000000
--- a/mls/domains/program/roundup.te
+++ /dev/null
@@ -1,29 +0,0 @@
-# Roundup Issue Tracking System
-#
-# Authors:  W. Michael Petullo <redhat@flyn.org
-#
-daemon_domain(roundup)
-var_lib_domain(roundup)
-can_network(roundup_t)
-allow roundup_t http_cache_port_t:tcp_socket name_bind;
-allow roundup_t smtp_port_t:tcp_socket name_connect;
-
-# execute python
-allow roundup_t bin_t:dir r_dir_perms;
-can_exec(roundup_t, bin_t)
-allow roundup_t bin_t:lnk_file read;
-
-allow roundup_t self:capability { setgid setuid };
-
-allow roundup_t self:unix_stream_socket create_stream_socket_perms;
-
-ifdef(`mysqld.te', `
-allow roundup_t mysqld_db_t:dir search;
-allow roundup_t mysqld_var_run_t:sock_file write;
-allow roundup_t mysqld_t:unix_stream_socket connectto;
-')
-
-# /usr/share/mysql/charsets/Index.xml
-allow roundup_t usr_t:file { getattr read };
-allow roundup_t urandom_device_t:chr_file { getattr read };
-allow roundup_t etc_t:file { getattr read };
diff --git a/mls/domains/program/rpcd.te b/mls/domains/program/rpcd.te
deleted file mode 100644
index 8efa09c..0000000
--- a/mls/domains/program/rpcd.te
+++ /dev/null
@@ -1,167 +0,0 @@
-#DESC Rpcd - RPC daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# Depends: portmap.te
-# X-Debian-Packages: nfs-common
-#
-
-#################################
-#
-# Rules for the rpcd_t and nfsd_t domain.
-#
-define(`rpc_domain', `
-ifdef(`targeted_policy', `
-daemon_base_domain($1, `, transitionbool')
-', `
-daemon_base_domain($1)
-')
-can_network($1_t)
-allow $1_t port_type:tcp_socket name_connect;
-can_ypbind($1_t)
-allow $1_t { etc_runtime_t etc_t }:file { getattr read };
-read_locale($1_t)
-allow $1_t self:capability net_bind_service;
-dontaudit $1_t self:capability net_admin;
-
-allow $1_t var_t:dir { getattr search };
-allow $1_t var_lib_t:dir search;
-allow $1_t var_lib_nfs_t:dir create_dir_perms;
-allow $1_t var_lib_nfs_t:file create_file_perms;
-# do not log when it tries to bind to a port belonging to another domain
-dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-allow $1_t self:netlink_route_socket r_netlink_socket_perms;
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-# bind to arbitary unused ports
-allow $1_t port_t:{ tcp_socket udp_socket } name_bind;
-allow $1_t sysctl_rpc_t:dir search;
-allow $1_t sysctl_rpc_t:file rw_file_perms;
-')
-
-type exports_t, file_type, sysadmfile;
-dontaudit userdomain exports_t:file getattr;
-
-# rpcd_t is the domain of rpc daemons.
-# rpcd_exec_t is the type of rpc daemon programs.
-#
-rpc_domain(rpcd)
-var_run_domain(rpcd)
-allow rpcd_t rpcd_var_run_t:dir setattr;
-
-# for rpc.rquotad
-allow rpcd_t sysctl_t:dir r_dir_perms;
-allow rpcd_t self:fifo_file rw_file_perms;
-
-# rpcd_t needs to talk to the portmap_t domain
-can_udp_send(rpcd_t, portmap_t)
-
-allow initrc_t exports_t:file r_file_perms;
-ifdef(`distro_redhat', `
-allow rpcd_t self:capability { chown dac_override setgid setuid };
-# for /etc/rc.d/init.d/nfs to create /etc/exports
-allow initrc_t exports_t:file write;
-')
-
-allow rpcd_t self:file { getattr read };
-
-# nfs kernel server needs kernel UDP access.  It is less risky and painful
-# to just give it everything.
-can_network_server(kernel_t)
-#can_udp_send(kernel_t, rpcd_t)
-#can_udp_send(rpcd_t, kernel_t)
-
-rpc_domain(nfsd)
-domain_auto_trans(sysadm_t, nfsd_exec_t, nfsd_t)
-role sysadm_r types nfsd_t;
-
-# for /proc/fs/nfs/exports - should we have a new type?
-allow nfsd_t proc_t:file r_file_perms;
-allow nfsd_t proc_net_t:dir search;
-allow nfsd_t exports_t:file { getattr read };
-
-allow nfsd_t nfsd_fs_t:filesystem mount;
-allow nfsd_t nfsd_fs_t:dir search;
-allow nfsd_t nfsd_fs_t:file rw_file_perms;
-allow initrc_t sysctl_rpc_t:dir search;
-allow initrc_t sysctl_rpc_t:file rw_file_perms;
-
-type nfsd_rw_t, file_type, sysadmfile, usercanread;
-type nfsd_ro_t, file_type, sysadmfile, usercanread;
-
-bool nfs_export_all_rw false;
-
-if(nfs_export_all_rw) {
-allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
-r_dir_file(kernel_t, noexattrfile)
-create_dir_file(kernel_t,{ file_type -shadow_t })
-}
-
-dontaudit kernel_t shadow_t:file getattr;
-
-bool nfs_export_all_ro false;
-
-if(nfs_export_all_ro) {
-allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
-r_dir_file(kernel_t,{ noexattrfile file_type -shadow_t })
-}
-
-allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
-create_dir_file(kernel_t, nfsd_rw_t);
-r_dir_file(kernel_t, nfsd_ro_t);
-
-allow kernel_t nfsd_t:udp_socket rw_socket_perms;
-can_udp_send(kernel_t, nfsd_t)
-can_udp_send(nfsd_t, kernel_t)
-
-# does not really need this, but it is easier to just allow it
-allow nfsd_t var_run_t:dir search;
-
-allow nfsd_t self:capability { sys_admin sys_resource };
-allow nfsd_t fs_type:filesystem getattr;
-
-can_udp_send(nfsd_t, portmap_t)
-can_udp_send(portmap_t, nfsd_t)
-
-can_tcp_connect(nfsd_t, portmap_t)
-
-# for exportfs and rpc.mountd
-allow nfsd_t tmp_t:dir getattr;
-
-r_dir_file(rpcd_t, rpc_pipefs_t)
-allow rpcd_t rpc_pipefs_t:sock_file { read write };
-dontaudit rpcd_t selinux_config_t:dir { search };
-allow rpcd_t proc_net_t:dir search;
-
-
-rpc_domain(gssd)
-can_kerberos(gssd_t)
-ifdef(`kerberos.te', `
-allow gssd_t krb5_keytab_t:file r_file_perms;
-')
-allow gssd_t urandom_device_t:chr_file { getattr read };
-r_dir_file(gssd_t, tmp_t)
-tmp_domain(gssd)
-allow gssd_t self:fifo_file { read write };
-r_dir_file(gssd_t, proc_net_t)
-allow gssd_t rpc_pipefs_t:dir r_dir_perms;
-allow gssd_t rpc_pipefs_t:sock_file { read write };
-allow gssd_t rpc_pipefs_t:file r_file_perms;
-allow gssd_t self:capability { dac_override dac_read_search setuid };
-allow nfsd_t devtty_t:chr_file rw_file_perms;
-allow rpcd_t devtty_t:chr_file rw_file_perms;
-
-bool allow_gssd_read_tmp true;
-if (allow_gssd_read_tmp) {
-#
-#needs to be able to udpate the kerberos ticket file
-#
-ifdef(`targeted_policy', `
-r_dir_file(gssd_t, tmp_t)
-allow gssd_t tmp_t:file write;
-', `
-r_dir_file(gssd_t, user_tmpfile)
-allow gssd_t user_tmpfile:file write;
-')
-}
diff --git a/mls/domains/program/rpm.te b/mls/domains/program/rpm.te
deleted file mode 100644
index d772da7..0000000
--- a/mls/domains/program/rpm.te
+++ /dev/null
@@ -1,260 +0,0 @@
-#DESC RPM - Red Hat package management
-#
-# X-Debian-Packages: 
-#################################
-#
-# Rules for running the Redhat Package Manager (RPM) tools.
-#
-# rpm_t is the domain for rpm and related utilities in /usr/lib/rpm
-# rpm_exec_t is the type of the rpm executables.
-# rpm_log_t is the type for rpm log files (/var/log/rpmpkgs*)
-# rpm_var_lib_t is the type for rpm files in /var/lib
-#
-type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade;
-role system_r types rpm_t;
-uses_shlib(rpm_t)
-type rpm_exec_t, file_type, sysadmfile, exec_type;
-
-general_domain_access(rpm_t)
-can_ps(rpm_t, domain)
-allow rpm_t self:process setrlimit;
-system_crond_entry(rpm_exec_t, rpm_t)
-role sysadm_r types rpm_t;
-domain_auto_trans(sysadm_t, rpm_exec_t, rpm_t)
-
-type rpm_file_t, file_type, sysadmfile;
-
-tmp_domain(rpm)
-
-tmpfs_domain(rpm)
-
-log_domain(rpm)
-
-can_network(rpm_t)
-allow rpm_t port_type:tcp_socket name_connect;
-can_ypbind(rpm_t)
-
-# Allow the rpm domain to execute other programs
-can_exec_any(rpm_t)
-
-# Capabilties needed by rpm utils
-allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid net_bind_service sys_chroot sys_tty_config mknod };
-
-# Access /var/lib/rpm files
-var_lib_domain(rpm)
-allow userdomain var_lib_t:dir { getattr search };
-r_dir_file(userdomain, rpm_var_lib_t)
-r_dir_file(rpm_t, proc_t)
-
-allow rpm_t sysfs_t:dir r_dir_perms;
-allow rpm_t usbdevfs_t:dir r_dir_perms;
-
-# for installing kernel packages
-allow rpm_t fixed_disk_device_t:blk_file { getattr read };
-
-# Access terminals.
-allow rpm_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow rpm_t sysadm_gph_t:fd use;')
-allow rpm_t privfd:fd use;
-allow rpm_t devtty_t:chr_file rw_file_perms;
-
-domain_auto_trans(rpm_t, ldconfig_exec_t, ldconfig_t)
-domain_auto_trans(rpm_t, initrc_exec_t, initrc_t)
-
-ifdef(`cups.te', `
-r_dir_file(cupsd_t, rpm_var_lib_t)
-allow cupsd_t initrc_exec_t:file { getattr read };
-domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
-')
-
-# for a bug in rm
-dontaudit initrc_t pidfile:file write;
-
-# bash tries to access a block device in the initrd
-dontaudit initrc_t unlabeled_t:blk_file getattr;
-
-# bash tries ioctl for some reason
-dontaudit initrc_t pidfile:file ioctl;
-
-allow rpm_t autofs_t:dir { search getattr };
-allow rpm_t autofs_t:filesystem getattr;
-allow rpm_script_t autofs_t:dir { search getattr };
-allow rpm_t devpts_t:dir { setattr r_dir_perms };
-allow rpm_t { devpts_t proc_t usbdevfs_t fs_t }:filesystem getattr;
-dontaudit rpm_t security_t:filesystem getattr;
-can_getcon(rpm_t)
-can_setfscreate(rpm_t)
-can_setexec(rpm_t)
-read_sysctl(rpm_t)
-general_domain_access(rpm_script_t)
-
-# read/write/create any files in the system
-allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file } { relabelfrom relabelto };
-allow rpm_t { file_type - shadow_t }:dir create_dir_perms;
-allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
-allow rpm_t sysfs_t:filesystem getattr;
-allow rpm_t tmpfs_t:filesystem getattr;
-dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
-# needs rw permission to the directory for an rpm package that includes a mount
-# point
-allow rpm_t fs_type:dir { setattr rw_dir_perms };
-allow rpm_t fs_type:filesystem getattr;
-
-# allow compiling and loading new policy
-create_dir_file(rpm_t, { policy_src_t policy_config_t })
-
-can_getsecurity({ rpm_t rpm_script_t })
-dontaudit rpm_t shadow_t:file { getattr read };
-allow rpm_t urandom_device_t:chr_file read;
-allow rpm_t { device_t device_type }:{ chr_file blk_file } { create_file_perms relabelfrom relabelto };
-allow rpm_t ttyfile:chr_file unlink;
-allow rpm_script_t tty_device_t:chr_file getattr;
-allow rpm_script_t devpts_t:dir search;
-allow rpm_script_t {devpts_t devtty_t}:chr_file rw_file_perms;
-
-allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
-
-type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, privmail, privrole, priv_system_role, mlsfileread, mlsfilewrite;
-# policy for rpm scriptlet
-role system_r types rpm_script_t;
-uses_shlib(rpm_script_t)
-read_locale(rpm_script_t)
-
-can_ps(rpm_script_t, domain)
-
-ifdef(`lpd.te', `
-can_exec(rpm_script_t, printconf_t)
-')
-
-read_sysctl(rpm_script_t)
-
-type rpm_script_exec_t, file_type, sysadmfile, exec_type;
-
-role sysadm_r types rpm_script_t;
-domain_trans(rpm_t, shell_exec_t, rpm_script_t)
-ifdef(`hide_broken_symptoms', `
-ifdef(`pamconsole.te', `
-domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
-')
-')
-
-tmp_domain(rpm_script)
-
-tmpfs_domain(rpm_script)
-
-# Allow the rpm domain to execute other programs
-can_exec_any(rpm_script_t)
-
-# Capabilties needed by rpm scripts utils
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
-
-# ideally we would not need this
-allow rpm_script_t { file_type - shadow_t }:dir create_dir_perms;
-allow rpm_script_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
-allow rpm_script_t { device_t device_type }:{ chr_file blk_file } create_file_perms;
-
-# for kernel package installation
-ifdef(`mount.te', `
-allow mount_t rpm_t:fifo_file rw_file_perms;
-')
-
-# Commonly used from postinst scripts
-ifdef(`consoletype.te', `
-allow consoletype_t rpm_t:fifo_file r_file_perms;
-')
-ifdef(`crond.te', `
-allow crond_t rpm_t:fifo_file r_file_perms;
-')
-
-allow rpm_script_t proc_t:dir r_dir_perms;
-allow rpm_script_t proc_t:{ file lnk_file } r_file_perms;
-
-allow rpm_script_t devtty_t:chr_file rw_file_perms;
-allow rpm_script_t devpts_t:dir r_dir_perms;
-allow rpm_script_t admin_tty_type:chr_file rw_file_perms;
-allow rpm_script_t etc_runtime_t:file { getattr read };
-allow rpm_script_t privfd:fd use;
-allow rpm_script_t rpm_tmp_t:file { getattr read ioctl };
-
-allow rpm_script_t urandom_device_t:chr_file read;
-
-ifdef(`ssh-agent.te', `
-domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
-')
-
-ifdef(`useradd.te', `
-domain_auto_trans(rpm_script_t, useradd_exec_t, useradd_t)
-domain_auto_trans(rpm_script_t, groupadd_exec_t, groupadd_t)
-role system_r types { useradd_t groupadd_t };
-allow { useradd_t groupadd_t } rpm_t:fd use;
-allow { useradd_t groupadd_t } rpm_t:fifo_file { read write };
-')
-
-domain_auto_trans(rpm_script_t, restorecon_exec_t, restorecon_t)
-
-domain_auto_trans(rpm_script_t, ldconfig_exec_t, ldconfig_t)
-domain_auto_trans(rpm_script_t, depmod_exec_t, depmod_t)
-role sysadm_r types initrc_t;
-domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t)
-ifdef(`bootloader.te', `
-domain_auto_trans(rpm_script_t, bootloader_exec_t, bootloader_t)
-allow bootloader_t rpm_t:fifo_file rw_file_perms;
-')
-
-domain_auto_trans(rpm_script_t, load_policy_exec_t, load_policy_t)
-
-rw_dir_file(rpm_script_t, nfs_t)
-allow rpm_script_t nfs_t:filesystem getattr;
-
-allow rpm_script_t fs_t:filesystem { getattr mount unmount };
-allow rpm_script_t rpm_script_tmp_t:dir mounton;
-can_exec(rpm_script_t, usr_t)
-can_exec(rpm_script_t, sbin_t)
-
-allow rpm_t mount_t:tcp_socket write;
-create_dir_file(rpm_t, nfs_t)
-allow rpm_t { removable_t nfs_t }:filesystem getattr;
-
-allow rpm_script_t userdomain:fd use;
-
-allow domain rpm_t:fifo_file r_file_perms;
-allow domain rpm_t:fd use;
-
-ifdef(`ssh.te', `
-allow sshd_t rpm_script_t:fd use;
-allow sshd_t rpm_t:fd use;
-')
-
-dontaudit rpm_script_t shadow_t:file getattr;
-allow rpm_script_t sysfs_t:dir r_dir_perms;
-
-ifdef(`prelink.te', `
-domain_auto_trans(rpm_t, prelink_exec_t, prelink_t)
-')
-
-allow rpm_t rpc_pipefs_t:dir search;
-allow rpm_script_t init_t:dir search;
-
-type rpmbuild_exec_t, file_type, sysadmfile, exec_type;
-type rpmbuild_t, domain;
-allow rpmbuild_t policy_config_t:dir search;
-allow rpmbuild_t policy_src_t:dir search;
-allow rpmbuild_t policy_src_t:file { getattr read };
-can_getsecurity(rpmbuild_t)
-
-allow rpm_script_t domain:process { signal signull };
-
-# Access /var/lib/rpm.
-allow initrc_t rpm_var_lib_t:dir rw_dir_perms;
-allow initrc_t rpm_var_lib_t:file create_file_perms;
-
-ifdef(`unlimitedRPM', `
-typeattribute rpm_t auth_write;
-unconfined_domain(rpm_t)
-typeattribute rpm_script_t auth_write;
-unconfined_domain(rpm_script_t)
-')
-if (allow_execmem) {
-allow rpm_script_t self:process execmem;
-}
-
diff --git a/mls/domains/program/rshd.te b/mls/domains/program/rshd.te
deleted file mode 100644
index 39976c5..0000000
--- a/mls/domains/program/rshd.te
+++ /dev/null
@@ -1,65 +0,0 @@
-#DESC RSHD - RSH daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: rsh-server rsh-redone-server
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the rshd_t domain.
-#
-daemon_sub_domain(inetd_t, rshd, `, auth_chkpwd, privuser, privrole')
-
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, rshd_exec_t, rshd_t)
-')
-
-# Use sockets inherited from inetd.
-allow rshd_t inetd_t:tcp_socket rw_stream_socket_perms;
-
-# Use capabilities.
-allow rshd_t self:capability { net_bind_service setuid setgid fowner fsetid chown dac_override};
-
-# Use the network.
-can_network_server(rshd_t)
-allow rshd_t rsh_port_t:tcp_socket name_bind;
-
-allow rshd_t etc_t:file { getattr read };
-read_locale(rshd_t)
-allow rshd_t self:unix_dgram_socket create_socket_perms;
-allow rshd_t self:unix_stream_socket create_stream_socket_perms;
-allow rshd_t { home_root_t home_dir_type }:dir { search getattr };
-can_kerberos(rshd_t)
-allow rshd_t { bin_t sbin_t tmp_t}:dir { search };
-allow rshd_t { bin_t sbin_t }:lnk_file r_file_perms;
-ifdef(`rlogind.te', `
-allow rshd_t rlogind_tmp_t:file rw_file_perms;
-')
-allow rshd_t urandom_device_t:chr_file { getattr read };
-
-# Read the user's .rhosts file.
-allow rshd_t home_type:file  r_file_perms ;
-
-# Random reasons
-can_getsecurity(rshd_t)
-can_setexec(rshd_t)
-r_dir_file(rshd_t, selinux_config_t)
-r_dir_file(rshd_t, default_context_t)
-read_sysctl(rshd_t);
-
-if (use_nfs_home_dirs) {
-r_dir_file(rshd_t, nfs_t)
-}
-
-if (use_samba_home_dirs) {
-r_dir_file(rshd_t, cifs_t)
-}
-
-allow rshd_t self:process { fork signal setsched setpgid };
-allow rshd_t self:fifo_file rw_file_perms;
-
-ifdef(`targeted_policy', `
-unconfined_domain(rshd_t)
-domain_auto_trans(rshd_t,shell_exec_t,unconfined_t)
-')
diff --git a/mls/domains/program/rsync.te b/mls/domains/program/rsync.te
deleted file mode 100644
index bed52a3..0000000
--- a/mls/domains/program/rsync.te
+++ /dev/null
@@ -1,18 +0,0 @@
-#DESC rsync - flexible replacement for rcp
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the rsync_t domain.
-#
-# rsync_exec_t is the type of the rsync executable.
-#
-
-inetd_child_domain(rsync)
-type rsync_data_t, file_type, sysadmfile;
-r_dir_file(rsync_t, rsync_data_t)
-anonymous_domain(rsync)
-allow rsync_t self:capability sys_chroot;
diff --git a/mls/domains/program/samba.te b/mls/domains/program/samba.te
deleted file mode 100644
index 2e7b587..0000000
--- a/mls/domains/program/samba.te
+++ /dev/null
@@ -1,226 +0,0 @@
-#DESC SAMBA - SMB file server
-#
-# Author: Ryan Bergauer (bergauer@rice.edu)
-# X-Debian-Packages: samba
-#
-
-#################################
-#
-# Declarations for Samba
-#
-
-daemon_domain(smbd, `, auth_chkpwd, nscd_client_domain')
-daemon_domain(nmbd)
-type samba_etc_t, file_type, sysadmfile, usercanread;
-type samba_log_t, file_type, sysadmfile, logfile;
-type samba_var_t, file_type, sysadmfile;
-type samba_share_t, file_type, sysadmfile, customizable;
-type samba_secrets_t, file_type, sysadmfile;
-
-# for /var/run/samba/messages.tdb
-allow smbd_t nmbd_var_run_t:file rw_file_perms;
-
-allow smbd_t self:process setrlimit;
-
-# not sure why it needs this
-tmp_domain(smbd)
-
-# Allow samba to search mnt_t for potential mounted dirs
-allow smbd_t mnt_t:dir r_dir_perms;
-
-ifdef(`crond.te', `
-allow system_crond_t samba_etc_t:file { read getattr lock };
-allow system_crond_t samba_log_t:file { read getattr lock };
-#allow system_crond_t samba_secrets_t:file { read getattr lock };
-')
-
-#################################
-#
-# Rules for the smbd_t domain.
-#
-
-# Permissions normally found in every_domain.
-general_domain_access(smbd_t)
-general_proc_read_access(smbd_t)
-
-allow smbd_t smbd_port_t:tcp_socket name_bind;
-
-# Use capabilities.
-allow smbd_t self:capability { fowner setgid setuid sys_resource net_bind_service lease dac_override dac_read_search };
-
-# Use the network.
-can_network(smbd_t)
-nsswitch_domain(smbd_t)
-can_kerberos(smbd_t)
-allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect;
-
-allow smbd_t urandom_device_t:chr_file { getattr read };
-
-# Permissions for Samba files in /etc/samba
-# either allow read access to the directory or allow the auto_trans rule to
-# allow creation of the secrets.tdb file and the MACHINE.SID file
-#allow smbd_t samba_etc_t:dir { search getattr };
-file_type_auto_trans(smbd_t, samba_etc_t, samba_secrets_t, file)
-
-allow smbd_t { etc_t samba_etc_t etc_runtime_t }:file r_file_perms;
-
-# Permissions for Samba cache files in /var/cache/samba and /var/lib/samba
-allow smbd_t var_lib_t:dir search;
-create_dir_file(smbd_t, samba_var_t)
-
-# Needed for shared printers
-allow smbd_t var_spool_t:dir search;
-
-# Permissions to write log files.
-allow smbd_t samba_log_t:file { create ra_file_perms };
-allow smbd_t var_log_t:dir search;
-allow smbd_t samba_log_t:dir ra_dir_perms;
-dontaudit smbd_t samba_log_t:dir remove_name;
-
-ifdef(`hide_broken_symptoms', `
-dontaudit smbd_t { usbfs_t security_t devpts_t boot_t default_t tmpfs_t }:dir getattr;
-dontaudit smbd_t devpts_t:dir getattr;
-')
-allow smbd_t fs_t:filesystem quotaget;
-
-allow smbd_t usr_t:file { getattr read };
-
-# Access Samba shares.
-create_dir_file(smbd_t, samba_share_t)
-
-anonymous_domain(smbd)
-
-ifdef(`logrotate.te', `
-# the application should be changed
-can_exec(logrotate_t, samba_log_t)
-')
-#################################
-#
-# Rules for the nmbd_t domain.
-#
-
-# Permissions normally found in every_domain.
-general_domain_access(nmbd_t)
-general_proc_read_access(nmbd_t)
-
-allow nmbd_t nmbd_port_t:udp_socket name_bind;
-
-# Use capabilities.
-allow nmbd_t self:capability net_bind_service;
-
-# Use the network.
-can_network_server(nmbd_t)
-
-# Permissions for Samba files in /etc/samba
-allow nmbd_t samba_etc_t:file { getattr read };
-allow nmbd_t samba_etc_t:dir { search getattr };
-
-# Permissions for Samba cache files in /var/cache/samba
-allow nmbd_t samba_var_t:dir { write remove_name add_name lock getattr search };
-allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename };
-
-allow nmbd_t usr_t:file { getattr read };
-
-# Permissions to write log files.
-allow nmbd_t samba_log_t:file { create ra_file_perms };
-allow nmbd_t var_log_t:dir search;
-allow nmbd_t samba_log_t:dir ra_dir_perms;
-allow nmbd_t etc_t:file { getattr read };
-ifdef(`cups.te', `
-allow smbd_t cupsd_rw_etc_t:file { getattr read };
-')
-# Needed for winbindd
-allow smbd_t { samba_var_t smbd_var_run_t }:sock_file create_file_perms;
-
-# Support Samba sharing of home directories
-bool samba_enable_home_dirs false;
-
-ifdef(`mount.te', `
-#
-# Domain for running smbmount
-#
-
-# Derive from app. domain. Transition from mount.
-application_domain(smbmount, `, fs_domain, nscd_client_domain')
-domain_auto_trans(mount_t, smbmount_exec_t, smbmount_t)
-
-# Capabilities
-# FIXME: is all of this really necessary?
-allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
-
-# Access samba config
-allow smbmount_t samba_etc_t:file r_file_perms;
-allow smbmount_t samba_etc_t:dir r_dir_perms;
-allow initrc_t samba_etc_t:file rw_file_perms;
-
-# Write samba log
-allow smbmount_t samba_log_t:file create_file_perms;
-allow smbmount_t samba_log_t:dir r_dir_perms; 
-
-# Write stuff in var
-allow smbmount_t var_log_t:dir r_dir_perms;
-rw_dir_create_file(smbmount_t, samba_var_t)
-
-# Access mtab
-file_type_auto_trans(smbmount_t, etc_t, etc_runtime_t, file)
-
-# Read nsswitch.conf
-allow smbmount_t etc_t:file r_file_perms;
-
-# Networking
-can_network(smbmount_t)
-allow smbmount_t port_type:tcp_socket name_connect;
-can_ypbind(smbmount_t)
-allow smbmount_t self:unix_dgram_socket create_socket_perms;
-allow smbmount_t self:unix_stream_socket create_socket_perms;
-allow kernel_t smbmount_t:tcp_socket { read write };
-allow userdomain smbmount_t:tcp_socket write;
-
-# Proc
-# FIXME: is this necessary?
-r_dir_file(smbmount_t, proc_t)
-
-# Fork smbmnt 
-allow smbmount_t bin_t:dir r_dir_perms;
-can_exec(smbmount_t, smbmount_exec_t)
-allow smbmount_t self:process { fork signal_perms };
-
-# Mount 
-allow smbmount_t cifs_t:filesystem mount_fs_perms;
-allow smbmount_t cifs_t:dir r_dir_perms;
-allow smbmount_t mnt_t:dir r_dir_perms;
-allow smbmount_t mnt_t:dir mounton;
-
-# Terminal
-read_locale(smbmount_t) 
-access_terminal(smbmount_t, sysadm)
-allow smbmount_t userdomain:fd use;
-allow smbmount_t local_login_t:fd use;
-')
-# Derive from app. domain. Transition from mount.
-application_domain(samba_net, `, nscd_client_domain')
-role system_r types samba_net_t;
-in_user_role(samba_net_t)
-file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
-read_locale(samba_net_t) 
-allow samba_net_t samba_etc_t:file r_file_perms;
-r_dir_file(samba_net_t, samba_var_t)
-can_network_udp(samba_net_t)
-access_terminal(samba_net_t, sysadm)
-allow samba_net_t self:unix_dgram_socket create_socket_perms;
-allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
-rw_dir_create_file(samba_net_t, samba_var_t)
-allow samba_net_t etc_t:file { getattr read };
-can_network_client(samba_net_t)
-allow samba_net_t smbd_port_t:tcp_socket name_connect;
-can_ldap(samba_net_t)
-can_kerberos(samba_net_t)
-allow samba_net_t urandom_device_t:chr_file r_file_perms;
-allow samba_net_t proc_t:dir search;
-allow samba_net_t proc_t:lnk_file read;
-allow samba_net_t self:dir search;
-allow samba_net_t self:file read;
-allow samba_net_t self:process signal;
-tmp_domain(samba_net)
-dontaudit samba_net_t sysadm_home_dir_t:dir search;
-allow samba_net_t privfd:fd use;
diff --git a/mls/domains/program/saslauthd.te b/mls/domains/program/saslauthd.te
deleted file mode 100644
index f614094..0000000
--- a/mls/domains/program/saslauthd.te
+++ /dev/null
@@ -1,42 +0,0 @@
-#DESC saslauthd - Authentication daemon for SASL
-#
-# Author: Colin Walters <walters@verbum.org>
-#
-
-daemon_domain(saslauthd, `, auth_chkpwd, auth_bool')
-
-allow saslauthd_t self:fifo_file { read write };
-allow saslauthd_t self:unix_dgram_socket create_socket_perms;
-allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
-allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
-allow saslauthd_t var_lib_t:dir search;
-
-allow saslauthd_t etc_t:dir { getattr search };
-allow saslauthd_t etc_t:file r_file_perms;
-allow saslauthd_t net_conf_t:file r_file_perms;
-
-allow saslauthd_t self:file r_file_perms;
-allow saslauthd_t proc_t:file { getattr read };
-
-allow saslauthd_t urandom_device_t:chr_file { getattr read }; 
-
-# Needs investigation
-dontaudit saslauthd_t home_root_t:dir getattr;
-can_network_client_tcp(saslauthd_t)
-allow saslauthd_t pop_port_t:tcp_socket name_connect;
-
-bool allow_saslauthd_read_shadow false;
-
-if (allow_saslauthd_read_shadow) {
-allow saslauthd_t shadow_t:file r_file_perms;
-}
-dontaudit saslauthd_t selinux_config_t:dir search;
-dontaudit saslauthd_t selinux_config_t:file { getattr read };
-
-
-dontaudit saslauthd_t initrc_t:unix_stream_socket connectto;
-ifdef(`mysqld.te', `
-allow saslauthd_t mysqld_db_t:dir search;
-allow saslauthd_t mysqld_var_run_t:sock_file rw_file_perms;
-')
-dontaudit saslauthd_t self:capability setuid;
diff --git a/mls/domains/program/screen.te b/mls/domains/program/screen.te
deleted file mode 100644
index e9be1a0..0000000
--- a/mls/domains/program/screen.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC screen - Program to detach sessions
-#
-# X-Debian-Packages: screen
-# Domains for the screen program.
-
-#
-# screen_exec_t is the type of the screen executable.
-#
-type screen_exec_t, file_type, sysadmfile, exec_type;
-type screen_dir_t, file_type, sysadmfile, pidfile;
-
-# Everything else is in the screen_domain macro in
-# macros/program/screen_macros.te.
diff --git a/mls/domains/program/sendmail.te b/mls/domains/program/sendmail.te
deleted file mode 100644
index f3f9b71..0000000
--- a/mls/domains/program/sendmail.te
+++ /dev/null
@@ -1,136 +0,0 @@
-#DESC Sendmail - Mail server
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: sendmail sendmail-wide
-# Depends: mta.te
-#
-
-#################################
-#
-# Rules for the sendmail_t domain.
-#
-# sendmail_t is the domain for the sendmail 
-# daemon started by the init rc scripts.
-#
-
-daemon_base_domain(sendmail_launch)
-
-allow sendmail_launch_t { etc_t proc_t etc_runtime_t self }:file { getattr read };
-allow sendmail_launch_t { bin_t sbin_t etc_t }:lnk_file { getattr read };
-allow sendmail_launch_t { bin_t sbin_t }:dir search;
-can_exec(sendmail_launch_t, { etc_t bin_t sbin_t shell_exec_t })
-access_terminal(sendmail_launch_t, sysadm)
-ifdef(`consoletype.te', `
-domain_auto_trans(sendmail_launch_t, consoletype_exec_t, consoletype_t)
-')
-read_locale(sendmail_launch_t)
-r_dir_file(sendmail_launch_t, etc_mail_t)
-allow sendmail_launch_t self:fifo_file rw_file_perms;
-allow sendmail_launch_t self:capability { chown kill sys_nice };
-allow sendmail_launch_t self:unix_stream_socket create_stream_socket_perms;
-can_ps(sendmail_launch_t, sendmail_t)
-dontaudit sendmail_launch_t domain:dir search;
-allow sendmail_launch_t sendmail_t:process signal;
-ifdef(`distro_redhat', `
-lock_domain(sendmail_launch)
-')
-dontaudit sendmail_launch_t mnt_t:dir search;
-allow sendmail_launch_t devpts_t:dir search;
-
-file_type_auto_trans(sendmail_launch_t, var_run_t, sendmail_var_run_t, file)
-
-daemon_core_rules(sendmail, `, nscd_client_domain, mta_delivery_agent, mail_server_domain, mail_server_sender')
-
-# stuff from daemon_domain and daemon_base_domain because we can not have an
-# automatic transition from initrc_t
-rhgb_domain(sendmail_t)
-read_sysctl(sendmail_t)
-domain_auto_trans(sendmail_launch_t, sendmail_exec_t, sendmail_t)
-allow sendmail_t privfd:fd use;
-allow { sendmail_t sendmail_launch_t } var_t:dir { getattr search };
-var_run_domain(sendmail)
-allow sendmail_t { ttyfile devtty_t }:chr_file rw_file_perms;
-dontaudit { sendmail_t sendmail_launch_t } sysadm_home_dir_t:dir search;
-read_locale(sendmail_t)
-allow sendmail_t fs_t:filesystem getattr;
-
-
-tmp_domain(sendmail)
-logdir_domain(sendmail)
-
-# Use capabilities
-allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
-
-# Use the network.
-can_network(sendmail_t)
-allow sendmail_t port_type:tcp_socket name_connect;
-can_ypbind(sendmail_t)
-
-allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
-allow sendmail_t self:unix_dgram_socket create_socket_perms;
-allow sendmail_t self:fifo_file rw_file_perms;
-
-# Bind to the SMTP port.
-allow sendmail_t smtp_port_t:tcp_socket name_bind;
-
-allow sendmail_t etc_t:file { getattr read };
-
-# Write to /etc/aliases and /etc/mail.
-allow sendmail_t etc_aliases_t:file { setattr rw_file_perms };
-
-allow sendmail_t etc_mail_t:dir rw_dir_perms;
-allow sendmail_t etc_mail_t:file create_file_perms;
-
-# Write to /var/spool/mail and /var/spool/mqueue.
-allow sendmail_t var_spool_t:dir { getattr search };
-allow sendmail_t mail_spool_t:dir rw_dir_perms;
-allow sendmail_t mail_spool_t:file create_file_perms;
-allow sendmail_t mqueue_spool_t:dir rw_dir_perms;
-allow sendmail_t mqueue_spool_t:file create_file_perms;
-allow sendmail_t urandom_device_t:chr_file { getattr read };
-
-# Read /usr/lib/sasl2/.*
-allow sendmail_t lib_t:file { getattr read };
-
-# When sendmail runs as user_mail_domain, it needs some extra permissions
-# to update /etc/mail/statistics.
-allow user_mail_domain etc_mail_t:file rw_file_perms;
-
-# Silently deny attempts to access /root.
-dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
-
-# Run procmail in its own domain, if defined.
-ifdef(`procmail.te',`
-domain_auto_trans(sendmail_t, procmail_exec_t, procmail_t)
-domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t)
-allow sendmail_t bin_t:dir { getattr search };
-')
-
-read_sysctl(sendmail_t)
-read_sysctl(system_mail_t)
-
-allow system_mail_t etc_mail_t:dir { getattr search };
-allow system_mail_t etc_runtime_t:file { getattr read };
-allow system_mail_t proc_t:dir search;
-allow system_mail_t proc_t:file { getattr read };
-allow system_mail_t proc_t:lnk_file read;
-dontaudit system_mail_t proc_net_t:dir search;
-allow system_mail_t fs_t:filesystem getattr;
-allow system_mail_t self:dir { getattr search };
-allow system_mail_t var_t:dir getattr;
-allow system_mail_t var_spool_t:dir getattr;
-dontaudit system_mail_t userpty_type:chr_file { getattr read write };
-
-# sendmail -q 
-allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
-allow system_mail_t mqueue_spool_t:file create_file_perms;
-
-ifdef(`crond.te', `
-dontaudit system_mail_t system_crond_tmp_t:file append;
-')
-dontaudit sendmail_t admin_tty_type:chr_file rw_file_perms;
-
-# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
-allow sendmail_t initrc_var_run_t:file { getattr read };
-dontaudit sendmail_t initrc_var_run_t:file { lock write };
-
diff --git a/mls/domains/program/setfiles.te b/mls/domains/program/setfiles.te
deleted file mode 100644
index 85bcd4c..0000000
--- a/mls/domains/program/setfiles.te
+++ /dev/null
@@ -1,66 +0,0 @@
-#DESC Setfiles - SELinux filesystem labeling utilities
-#
-# Authors:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: policycoreutils
-#
-
-#################################
-#
-# Rules for the setfiles_t domain.
-#
-# setfiles_exec_t is the type of the setfiles executable.
-#
-# needs auth_write attribute because it has relabelfrom/relabelto
-# access to shadow_t
-type setfiles_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
-type setfiles_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types setfiles_t;
-role sysadm_r types setfiles_t;
-role secadm_r types setfiles_t;
-
-ifdef(`distro_redhat', `
-domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
-')
-can_access_pty(hostname_t, initrc)
-allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
-
-allow setfiles_t self:unix_dgram_socket create_socket_perms;
-
-domain_auto_trans(secadmin, setfiles_exec_t, setfiles_t)
-allow setfiles_t { userdomain privfd initrc_t init_t }:fd use;
-
-uses_shlib(setfiles_t)
-allow setfiles_t self:capability { dac_override dac_read_search fowner };
-
-# for upgrading glibc and other shared objects - without this the upgrade
-# scripts will put things in a state such that setfiles can not be run!
-allow setfiles_t lib_t:file { read execute };
-
-# Get security policy decisions.
-can_getsecurity(setfiles_t)
-
-r_dir_file(setfiles_t, { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t })
-
-allow setfiles_t file_type:dir r_dir_perms;
-allow setfiles_t { file_type unlabeled_t device_type }:dir_file_class_set { getattr relabelfrom };
-allow setfiles_t file_type:{ dir file lnk_file sock_file fifo_file } relabelto;
-allow setfiles_t unlabeled_t:dir read;
-allow setfiles_t { device_type device_t }:{ chr_file blk_file } { getattr relabelfrom relabelto };
-allow setfiles_t { ttyfile ptyfile }:chr_file getattr;
-# dontaudit access to ttyfile - we do not want setfiles to relabel our terminal
-dontaudit setfiles_t ttyfile:chr_file relabelfrom;
-
-allow setfiles_t fs_t:filesystem getattr;
-allow setfiles_t fs_type:dir r_dir_perms;
-
-read_locale(setfiles_t)
-
-allow setfiles_t etc_runtime_t:file { getattr read };
-allow setfiles_t etc_t:file { getattr read };
-allow setfiles_t proc_t:file { getattr read };
-dontaudit setfiles_t proc_t:lnk_file { getattr read };
-
-# for config files in a home directory
-allow setfiles_t home_type:file r_file_perms;
-dontaudit setfiles_t sysadm_tty_device_t:chr_file relabelfrom;
diff --git a/mls/domains/program/slapd.te b/mls/domains/program/slapd.te
deleted file mode 100644
index 4983870..0000000
--- a/mls/domains/program/slapd.te
+++ /dev/null
@@ -1,78 +0,0 @@
-#DESC Slapd - OpenLDAP server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: slapd
-#
-
-#################################
-#
-# Rules for the slapd_t domain.
-#
-# slapd_exec_t is the type of the slapd executable.
-#
-daemon_domain(slapd)
-
-allow slapd_t ldap_port_t:tcp_socket name_bind;
-
-etc_domain(slapd)
-type slapd_db_t, file_type, sysadmfile;
-type slapd_replog_t, file_type, sysadmfile;
-
-tmp_domain(slapd)
-
-# Use the network.
-can_network(slapd_t)
-allow slapd_t port_type:tcp_socket name_connect;
-can_ypbind(slapd_t)
-allow slapd_t self:fifo_file rw_file_perms;
-allow slapd_t self:unix_stream_socket create_stream_socket_perms;
-file_type_auto_trans(slapd_t,var_run_t,slapd_var_run_t,sock_file)
-allow slapd_t self:unix_dgram_socket create_socket_perms;
-# allow any domain to connect to the LDAP server
-can_tcp_connect(domain, slapd_t)
-
-# Use capabilities  should not need kill...
-allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw dac_override dac_read_search };
-allow slapd_t self:process setsched;
-
-allow slapd_t proc_t:file r_file_perms;
-
-# Allow access to the slapd databases
-create_dir_file(slapd_t, slapd_db_t)
-allow initrc_t slapd_db_t:dir r_dir_perms;
-allow slapd_t var_lib_t:dir r_dir_perms;
-
-# Allow access to write the replication log (should tighten this)
-create_dir_file(slapd_t, slapd_replog_t)
-
-# read config files
-allow slapd_t etc_t:{ file lnk_file } { getattr read };
-allow slapd_t etc_runtime_t:file { getattr read };
-
-# for startup script
-allow initrc_t slapd_etc_t:file { getattr read };
-
-allow slapd_t etc_t:dir r_dir_perms;
-
-read_sysctl(slapd_t)
-
-allow slapd_t usr_t:{ lnk_file file } { read getattr };
-allow slapd_t urandom_device_t:chr_file { getattr read ioctl };
-allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
-r_dir_file(slapd_t, cert_t)
-
-
-type slapd_cert_t, file_type, sysadmfile;
-allow slapd_t bin_t:dir search;
-can_exec(slapd_t, bin_t)
-r_dir_file(slapd_t, proc_net_t)
-allow slapd_t self:capability { chown sys_nice };
-allow slapd_t self:file { getattr read };
-allow slapd_t self:process { execstack getsched };
-allow slapd_t sysctl_net_t:dir r_dir_perms;
-lock_domain(slapd)
-create_dir_file(slapd_t, slapd_lock_t)
-dontaudit slapd_t devpts_t:dir search;
-rw_dir_create_file(slapd_t, slapd_cert_t)
-allow slapd_t usr_t:dir { add_name write };
-allow slapd_t usr_t:file { create write };
diff --git a/mls/domains/program/slocate.te b/mls/domains/program/slocate.te
deleted file mode 100644
index 8512aab..0000000
--- a/mls/domains/program/slocate.te
+++ /dev/null
@@ -1,77 +0,0 @@
-#DESC LOCATE - Security Enhanced version of the GNU Locate
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the locate_t domain.
-#
-# locate_exec_t is the type of the locate executable.
-#
-daemon_base_domain(locate)
-role system_r types locate_t;
-role sysadm_r types locate_t;
-allow locate_t fs_t:filesystem getattr;
-
-ifdef(`crond.te', `
-system_crond_entry(locate_exec_t, locate_t)
-allow system_crond_t locate_log_t:dir rw_dir_perms;
-allow system_crond_t locate_log_t:file { create append getattr };
-allow system_crond_t locate_etc_t:file { getattr read };
-')
-
-allow locate_t { userpty_type admin_tty_type }:chr_file rw_file_perms;
-
-allow locate_t { fs_type file_type }:dir r_dir_perms;
-dontaudit locate_t sysctl_t:dir getattr;
-allow locate_t file_type:lnk_file r_file_perms;
-allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;
-dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read;
-dontaudit locate_t security_t:dir getattr;
-dontaudit locate_t shadow_t:file getattr;
-
-allow locate_t { ttyfile device_type device_t }:{ chr_file blk_file } getattr;
-allow locate_t unlabeled_t:dir_file_class_set getattr;
-allow locate_t unlabeled_t:dir read;
-
-logdir_domain(locate)
-etcdir_domain(locate)
-
-type locate_var_lib_t, file_type, sysadmfile;
-typealias locate_var_lib_t alias var_lib_locate_t;
-
-create_dir_file(locate_t, locate_var_lib_t)
-dontaudit locate_t sysadmfile:file getattr;
-
-allow locate_t proc_t:file { getattr read };
-allow locate_t self:unix_stream_socket create_socket_perms;
-#
-# Need to be able to exec renice
-#
-can_exec(locate_t, bin_t)
-
-dontaudit locate_t rpc_pipefs_t:dir r_dir_perms;
-dontaudit locate_t rpc_pipefs_t:file getattr;
-
-#
-# Read Mtab file
-#
-allow locate_t etc_runtime_t:file { getattr read };
-
-#
-# Read nsswitch file
-#
-allow locate_t etc_t:file { getattr read };
-dontaudit locate_t self:capability dac_override;
-allow locate_t self:capability dac_read_search;
-
-# sysadm_t runs locate in his own domain.
-# We use a type alias to simplify the rest of the policy,
-# which often refers to $1_locate_t for the user domains.
-typealias sysadm_t alias sysadm_locate_t;
-
-allow locate_t userdomain:fd use;
-ifdef(`cardmgr.te', `
-allow locate_t cardmgr_var_run_t:chr_file getattr;
-')
diff --git a/mls/domains/program/slrnpull.te b/mls/domains/program/slrnpull.te
deleted file mode 100644
index 25edb93..0000000
--- a/mls/domains/program/slrnpull.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#DESC slrnpull
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the slrnpull_t domain.
-#
-# slrnpull_exec_t is the type of the slrnpull executable.
-#
-daemon_domain(slrnpull)
-type slrnpull_spool_t, file_type, sysadmfile;
-
-log_domain(slrnpull)
-
-ifdef(`logrotate.te', `
-create_dir_file(logrotate_t, slrnpull_spool_t)
-')
-system_crond_entry(slrnpull_exec_t, slrnpull_t)
-allow userdomain slrnpull_spool_t:dir search;
-rw_dir_create_file(slrnpull_t, slrnpull_spool_t)
-allow slrnpull_t var_spool_t:dir search;
-allow slrnpull_t slrnpull_spool_t:dir create_dir_perms;
diff --git a/mls/domains/program/snmpd.te b/mls/domains/program/snmpd.te
deleted file mode 100644
index ea75c8d..0000000
--- a/mls/domains/program/snmpd.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#DESC SNMPD - Simple Network Management Protocol daemon
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: snmpd
-#
-
-#################################
-#
-# Rules for the snmpd_t domain.
-#
-daemon_domain(snmpd, `, nscd_client_domain')
-
-#temp
-allow snmpd_t var_t:dir getattr;
-
-can_network_server(snmpd_t)
-can_ypbind(snmpd_t)
-
-allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
-
-etc_domain(snmpd)
-
-# for the .index file
-var_lib_domain(snmpd)
-file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, { dir sock_file })
-file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
-allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms;
-
-log_domain(snmpd)
-# for /usr/share/snmp/mibs
-allow snmpd_t usr_t:file { getattr read };
-
-can_udp_send(sysadm_t, snmpd_t)
-can_udp_send(snmpd_t, sysadm_t)
-
-allow snmpd_t self:unix_dgram_socket create_socket_perms;
-allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
-allow snmpd_t etc_t:lnk_file read;
-allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
-allow snmpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
-allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
-
-allow snmpd_t proc_t:dir search;
-allow snmpd_t proc_t:file r_file_perms;
-allow snmpd_t self:file { getattr read };
-allow snmpd_t self:fifo_file rw_file_perms;
-allow snmpd_t { bin_t sbin_t }:dir search;
-can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })
-
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-r_dir_file(snmpd_t, rpm_var_lib_t)
-dontaudit snmpd_t rpm_var_lib_t:dir write;
-dontaudit snmpd_t rpm_var_lib_t:file write;
-')
-')
-
-allow snmpd_t home_root_t:dir search;
-allow snmpd_t initrc_var_run_t:file r_file_perms;
-dontaudit snmpd_t initrc_var_run_t:file write;
-dontaudit snmpd_t rpc_pipefs_t:dir getattr;
-allow snmpd_t rpc_pipefs_t:dir getattr;
-read_sysctl(snmpd_t)
-allow snmpd_t sysctl_net_t:dir search;
-allow snmpd_t sysctl_net_t:file { getattr read };
-
-dontaudit snmpd_t { removable_device_t fixed_disk_device_t }:blk_file { getattr ioctl read };
-allow snmpd_t sysfs_t:dir { getattr read search };
-ifdef(`amanda.te', `
-dontaudit snmpd_t amanda_dumpdates_t:file { getattr read };
-')
-ifdef(`cupsd.te', `
-allow snmpd_t cupsd_rw_etc_t:file { getattr read };
-')
-allow snmpd_t var_lib_nfs_t:dir search;
-
-# needed in order to retrieve net traffic data
-allow snmpd_t proc_net_t:dir search;
-allow snmpd_t proc_net_t:file r_file_perms;
-
-allow snmpd_t domain:dir { getattr search };
-allow snmpd_t domain:file { getattr read };
-allow snmpd_t domain:process signull;
-
-dontaudit snmpd_t selinux_config_t:dir search;
diff --git a/mls/domains/program/sound.te b/mls/domains/program/sound.te
deleted file mode 100644
index 01f7355..0000000
--- a/mls/domains/program/sound.te
+++ /dev/null
@@ -1,26 +0,0 @@
-#DESC Sound - Sound utilities
-#
-# Authors:  Mark Westerman <mark.westerman@.com>
-# X-Debian-Packages: esound
-#
-#################################
-#
-# Rules for the sound_t domain.
-#
-daemon_base_domain(sound)
-type sound_file_t, file_type, sysadmfile;
-allow initrc_t sound_file_t:file { getattr read };
-allow sound_t sound_file_t:file rw_file_perms;
-
-# Use capabilities.
-# Commented out by default.
-#allow sound_t self:capability { sys_admin sys_rawio sys_time dac_override };
-dontaudit sound_t self:capability { sys_admin sys_rawio sys_time dac_read_search dac_override };
-
-# Read and write the sound device.
-allow sound_t sound_device_t:chr_file rw_file_perms;
-
-# Read and write ttys.
-allow sound_t sysadm_tty_device_t:chr_file rw_file_perms;
-read_locale(sound_t)
-allow initrc_t sound_file_t:file { setattr write };
diff --git a/mls/domains/program/spamassassin.te b/mls/domains/program/spamassassin.te
deleted file mode 100644
index d08eaa3..0000000
--- a/mls/domains/program/spamassassin.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#DESC Spamassassin
-#
-# Author: Colin Walters <walters@debian.org>
-# X-Debian-Packages: spamassassin
-#
-
-type spamassassin_exec_t, file_type, sysadmfile, exec_type;
-
-bool spamassasin_can_network false;
-
-# Everything else is in spamassassin_macros.te.
diff --git a/mls/domains/program/spamc.te b/mls/domains/program/spamc.te
deleted file mode 100644
index 9b49fbf..0000000
--- a/mls/domains/program/spamc.te
+++ /dev/null
@@ -1,10 +0,0 @@
-#DESC Spamc - Spamassassin client
-#
-# Author: Colin Walters <walters@debian.org>
-# X-Debian-Packages: spamc
-# Depends: spamassassin.te
-#
-
-type spamc_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in spamassassin_macros.te.
diff --git a/mls/domains/program/spamd.te b/mls/domains/program/spamd.te
deleted file mode 100644
index 26f2a5a..0000000
--- a/mls/domains/program/spamd.te
+++ /dev/null
@@ -1,57 +0,0 @@
-#DESC Spamd - Spamassassin daemon
-#
-# Author: Colin Walters <walters@debian.org>
-# X-Debian-Packages: spamassassin
-# Depends: spamassassin.te
-#
-
-daemon_domain(spamd)
-
-tmp_domain(spamd)
-
-general_domain_access(spamd_t)
-uses_shlib(spamd_t)
-read_sysctl(spamd_t)
-
-# Various Perl bits
-allow spamd_t lib_t:file rx_file_perms;
-dontaudit spamd_t shadow_t:file { getattr read };
-dontaudit spamd_t initrc_var_run_t:file { read write lock };
-dontaudit spamd_t sysadm_home_dir_t:dir { getattr search };
-
-can_network_server(spamd_t)
-allow spamd_t spamd_port_t:tcp_socket name_bind;
-allow spamd_t port_type:udp_socket name_bind;
-dontaudit spamd_t reserved_port_type:udp_socket name_bind;
-can_ypbind(spamd_t)
-can_resolve(spamd_t)
-allow spamd_t self:capability net_bind_service;
-
-allow spamd_t proc_t:file { getattr read };
-
-# Spamassassin, when run as root and using per-user config files,
-# setuids to the user running spamc.  Comment this if you are not
-# using this ability.
-allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
-
-allow spamd_t { bin_t sbin_t }:dir { getattr search };
-can_exec(spamd_t, bin_t)
-
-ifdef(`sendmail.te', `
-allow spamd_t etc_mail_t:dir { getattr read search };
-allow spamd_t etc_mail_t:file { getattr ioctl read };
-')
-allow spamd_t { etc_t etc_runtime_t }:file { getattr ioctl read };
-
-ifdef(`amavis.te', `
-# for bayes tokens
-allow spamd_t var_lib_t:dir { getattr search };
-rw_dir_create_file(spamd_t, amavisd_lib_t)
-')
-
-allow spamd_t usr_t:file { getattr ioctl read };
-allow spamd_t usr_t:lnk_file { getattr read };
-allow spamd_t urandom_device_t:chr_file { getattr read };
-
-system_crond_entry(spamd_exec_t, spamd_t)
-ifdef(`targeted_policy', `home_domain_access(spamd_t, user)')
diff --git a/mls/domains/program/squid.te b/mls/domains/program/squid.te
deleted file mode 100644
index 141518b..0000000
--- a/mls/domains/program/squid.te
+++ /dev/null
@@ -1,84 +0,0 @@
-#DESC Squid - Web cache
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: squid
-#
-
-#################################
-#
-# Rules for the squid_t domain.
-#
-# squid_t is the domain the squid process runs in
-ifdef(`apache.te',`
-can_tcp_connect(squid_t, httpd_t)
-')
-bool squid_connect_any false;
-daemon_domain(squid, `, web_client_domain, nscd_client_domain')
-type squid_conf_t, file_type, sysadmfile;
-general_domain_access(squid_t)
-allow { squid_t initrc_t } squid_conf_t:file r_file_perms;
-allow squid_t squid_conf_t:dir r_dir_perms;
-allow squid_t squid_conf_t:lnk_file read;
-
-logdir_domain(squid)
-rw_dir_create_file(initrc_t, squid_log_t)
-
-allow squid_t usr_t:file { getattr read };
-
-# type for /var/cache/squid
-type squid_cache_t, file_type, sysadmfile;
-
-allow squid_t self:capability { setgid setuid net_bind_service dac_override };
-allow squid_t { etc_t etc_runtime_t }:file r_file_perms;
-allow squid_t etc_t:lnk_file read;
-allow squid_t self:unix_stream_socket create_socket_perms;
-allow squid_t self:unix_dgram_socket create_socket_perms;
-allow squid_t self:fifo_file rw_file_perms;
-
-read_sysctl(squid_t)
-
-allow squid_t devtty_t:chr_file rw_file_perms;
-
-allow squid_t { self proc_t }:file { read getattr };
-
-# for when we use /var/spool/cache
-allow squid_t var_spool_t:dir search;
-
-# Grant permissions to create, access, and delete cache files.
-# No type transitions required, as the files inherit the parent directory type.
-create_dir_file(squid_t, squid_cache_t)
-ifdef(`logrotate.te',
-`domain_auto_trans(logrotate_t, squid_exec_t, squid_t)')
-ifdef(`crond.te', `domain_auto_trans(system_crond_t, squid_exec_t, squid_t)')
-
-# Use the network
-can_network(squid_t)
-if (squid_connect_any) {
-allow squid_t port_type:tcp_socket name_connect;
-} 
-can_ypbind(squid_t)
-can_tcp_connect(web_client_domain, squid_t)
-
-# tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
-allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:{ tcp_socket udp_socket } name_bind;
-allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
-
-# to allow running programs from /usr/lib/squid (IE unlinkd)
-# also allow exec()ing itself
-can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t shell_exec_t } )
-allow squid_t { bin_t sbin_t }:dir search;
-allow squid_t { bin_t sbin_t }:lnk_file read;
-
-dontaudit squid_t { boot_t tmp_t home_root_t security_t devpts_t }:dir getattr;
-ifdef(`targeted_policy', `
-dontaudit squid_t tty_device_t:chr_file { read write };
-')
-allow squid_t urandom_device_t:chr_file { getattr read };
-
-#squid requires the following when run in diskd mode, the recommended setting
-r_dir_file(squid_t, cert_t)
-ifdef(`winbind.te', `
-domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
-allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
-allow winbind_helper_t squid_log_t:file ra_file_perms;
-')
diff --git a/mls/domains/program/ssh-agent.te b/mls/domains/program/ssh-agent.te
deleted file mode 100644
index f2e3d84..0000000
--- a/mls/domains/program/ssh-agent.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC ssh-agent - agent to securely store ssh-keys
-#
-# Authors:  Thomas Bleher <ThomasBleher@gmx.de>
-#
-# X-Debian-Packages: ssh
-#
-
-# Type for the ssh-agent executable.
-type ssh_agent_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in the ssh_agent_domain macro in
-# macros/program/ssh_agent_macros.te.
-
diff --git a/mls/domains/program/ssh.te b/mls/domains/program/ssh.te
deleted file mode 100644
index 367e4c7..0000000
--- a/mls/domains/program/ssh.te
+++ /dev/null
@@ -1,237 +0,0 @@
-#DESC SSH - SSH daemon
-#
-# Authors:  Anthony Colatrella (NSA) <amcolat@epoch.ncsc.mil>
-#           Stephen Smalley <sds@epoch.ncsc.mil>
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: ssh
-#
-
-# Allow ssh logins as sysadm_r:sysadm_t
-bool ssh_sysadm_login false;
-
-# allow host key based authentication
-bool allow_ssh_keysign false;
-
-ifdef(`inetd.te', `
-# Allow ssh to run from inetd instead of as a daemon.
-bool run_ssh_inetd false;
-')
-
-# sshd_exec_t is the type of the sshd executable.
-# sshd_key_t is the type of the ssh private key files
-type sshd_exec_t, file_type, exec_type, sysadmfile;
-type sshd_key_t, file_type, sysadmfile;
-
-define(`sshd_program_domain', `
-# privowner is for changing the identity on the terminal device
-# privfd is for passing the terminal file handle to the user process
-# auth_chkpwd is for running unix_chkpwd and unix_verify.
-type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
-can_exec($1_t, sshd_exec_t)
-r_dir_file($1_t, self)
-role system_r types $1_t;
-dontaudit $1_t shadow_t:file { getattr read };
-uses_shlib($1_t)
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_t self:fifo_file rw_file_perms;
-allow $1_t self:process { fork sigchld signal setsched setrlimit };
-
-dontaudit $1_t self:lnk_file read;
-
-# do not allow statfs()
-dontaudit $1_t fs_type:filesystem getattr;
-
-allow $1_t bin_t:dir search;
-allow $1_t bin_t:lnk_file read;
-
-# for sshd subsystems, such as sftp-server.
-allow $1_t bin_t:file getattr;
-
-# Read /var.
-allow $1_t var_t:dir { getattr search };
-
-# Read /var/log.
-allow $1_t var_log_t:dir search;
-
-# Read /etc.
-allow $1_t etc_t:dir search;
-# ioctl is for pam_console
-dontaudit $1_t etc_t:file ioctl;
-allow $1_t etc_t:file { getattr read };
-allow $1_t etc_t:lnk_file { getattr read };
-allow $1_t etc_runtime_t:file { getattr read };
-
-# Read and write /dev/tty and /dev/null.
-allow $1_t devtty_t:chr_file rw_file_perms;
-allow $1_t { null_device_t zero_device_t }:chr_file rw_file_perms;
-
-# Read /dev/urandom
-allow $1_t urandom_device_t:chr_file { getattr read };
-
-can_network($1_t)
-allow $1_t port_type:tcp_socket name_connect;
-can_kerberos($1_t)
-
-allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
-allow $1_t { home_root_t home_dir_type }:dir { search getattr };
-if (use_nfs_home_dirs) {
-allow $1_t autofs_t:dir { search getattr };
-allow $1_t nfs_t:dir { search getattr };
-allow $1_t nfs_t:file { getattr read };
-}
-
-if (use_samba_home_dirs) {
-allow $1_t cifs_t:dir { search getattr };
-allow $1_t cifs_t:file { getattr read };
-}
-
-# Set exec context.
-can_setexec($1_t)
-
-# Update utmp.
-allow $1_t initrc_var_run_t:file rw_file_perms;
-
-# Update wtmp.
-allow $1_t wtmp_t:file rw_file_perms;
-
-# Get security policy decisions.
-can_getsecurity($1_t)
-
-# Allow read access to login context
-r_dir_file( $1_t, default_context_t)
-
-# Access key files
-allow $1_t sshd_key_t:file { getattr read };
-
-# Update /var/log/lastlog.
-allow $1_t lastlog_t:file rw_file_perms;
-
-read_locale($1_t)
-read_sysctl($1_t)
-
-# Can create ptys
-can_create_pty($1, `, server_pty')
-allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom };
-dontaudit sshd_t userpty_type:chr_file relabelfrom;
-
-allow $1_t faillog_t:file { append getattr };
-allow $1_t sbin_t:file getattr;
-
-# Allow checking users mail at login
-allow $1_t { var_spool_t mail_spool_t }:dir search;
-allow $1_t mail_spool_t:lnk_file read;
-allow $1_t mail_spool_t:file getattr;
-')dnl end sshd_program_domain
-
-# macro for defining which domains a sshd can spawn
-# $1_t is the domain of the sshd, $2 is the domain to be spawned, $3 is the
-# type of the pty for the child
-define(`sshd_spawn_domain', `
-login_spawn_domain($1, $2)
-ifdef(`xauth.te', `
-domain_trans($1_t, xauth_exec_t, $2)
-')
-
-# Relabel and access ptys created by sshd
-# ioctl is necessary for logout() processing for utmp entry and for w to
-# display the tty.
-# some versions of sshd on the new SE Linux require setattr
-allow $1_t $3:chr_file { relabelto read write getattr ioctl setattr };
-
-# inheriting stream sockets is needed for "ssh host command" as no pty
-# is allocated
-allow $2 $1_t:unix_stream_socket rw_stream_socket_perms;
-')dnl end sshd_spawn_domain definition
-
-#################################
-#
-# Rules for the sshd_t domain, et al.
-#
-# sshd_t is the domain for the sshd program.
-# sshd_extern_t is the domain for ssh from outside our network
-#
-sshd_program_domain(sshd)
-if (ssh_sysadm_login) {
-allow sshd_t devpts_t:dir r_dir_perms;
-sshd_spawn_domain(sshd, userdomain, { sysadm_devpts_t userpty_type })
-} else {
-sshd_spawn_domain(sshd, unpriv_userdomain, userpty_type)
-}
-
-# for X forwarding
-allow sshd_t xserver_port_t:tcp_socket name_bind;
-
-r_dir_file(sshd_t, selinux_config_t)
-sshd_program_domain(sshd_extern)
-sshd_spawn_domain(sshd_extern, user_mini_domain, mini_pty_type)
-
-# for when the network connection breaks after running newrole -r sysadm_r
-dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
-
-ifdef(`inetd.te', `
-if (run_ssh_inetd) {
-allow inetd_t ssh_port_t:tcp_socket name_bind;
-domain_auto_trans(inetd_t, sshd_exec_t, sshd_t)
-domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
-allow { sshd_t sshd_extern_t } inetd_t:tcp_socket rw_socket_perms;
-allow { sshd_t sshd_extern_t } var_run_t:dir { getattr search };
-allow { sshd_t sshd_extern_t } self:process signal;
-} else {
-')
-can_access_pty({ sshd_t sshd_extern_t }, initrc)
-allow { sshd_t sshd_extern_t } self:capability net_bind_service;
-allow { sshd_t sshd_extern_t } ssh_port_t:tcp_socket name_bind;
-
-# for port forwarding
-can_tcp_connect(userdomain, sshd_t)
-
-domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
-domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
-dontaudit initrc_t sshd_key_t:file { getattr read };
-
-# Inherit and use descriptors from init.
-allow { sshd_t sshd_extern_t } init_t:fd use;
-ifdef(`inetd.te', `
-}
-')
-
-# Create /var/run/sshd.pid
-var_run_domain(sshd)
-var_run_domain(sshd_extern)
-
-ifdef(`direct_sysadm_daemon', `
-# Direct execution by sysadm_r.
-domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
-role_transition sysadm_r sshd_exec_t system_r;
-')
-
-undefine(`sshd_program_domain')
-
-# so a tunnel can point to another ssh tunnel...
-can_tcp_connect(sshd_t, sshd_t)
-
-tmp_domain(sshd, `', { dir file sock_file })
-ifdef(`pam.te', `
-can_exec(sshd_t, pam_exec_t)
-')
-
-# ssh_keygen_t is the type of the ssh-keygen program when run at install time
-# and by sysadm_t
-daemon_base_domain(ssh_keygen)
-allow ssh_keygen_t etc_t:file { getattr read };
-file_type_auto_trans(ssh_keygen_t, etc_t, sshd_key_t, file)
-
-# Type for the ssh executable.
-type ssh_exec_t, file_type, exec_type, sysadmfile;
-type ssh_keysign_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in the ssh_domain macro in
-# macros/program/ssh_macros.te.
-
-allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
-allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
-ifdef(`use_mcs', `
-range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
-')
diff --git a/mls/domains/program/stunnel.te b/mls/domains/program/stunnel.te
deleted file mode 100644
index 4dbfcec..0000000
--- a/mls/domains/program/stunnel.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# DESC: selinux policy for stunnel
-#
-# Author:   petre rodan <kaiowas@gentoo.org>
-#
-ifdef(`distro_gentoo', `
-
-daemon_domain(stunnel)
-
-can_network(stunnel_t)
-allow stunnel_t port_type:tcp_socket name_connect;
-
-allow stunnel_t self:capability { setgid setuid sys_chroot };
-allow stunnel_t self:fifo_file { read write };
-allow stunnel_t self:tcp_socket { read write };
-allow stunnel_t self:unix_stream_socket { connect create };
-
-r_dir_file(stunnel_t, etc_t)
-', `
-inetd_child_domain(stunnel, tcp)
-allow stunnel_t self:capability sys_chroot;
-
-bool stunnel_is_daemon false;
-if (stunnel_is_daemon) {
-# Policy to run stunnel as a daemon should go here.
-allow stunnel_t self:tcp_socket rw_stream_socket_perms;
-allow stunnel_t stunnel_port_t:tcp_socket name_bind;
-}
-')
-
-type stunnel_etc_t, file_type, sysadmfile;
-r_dir_file(stunnel_t, stunnel_etc_t)
-allow stunnel_t stunnel_port_t:tcp_socket { name_bind };
-
diff --git a/mls/domains/program/su.te b/mls/domains/program/su.te
deleted file mode 100644
index 5769d11..0000000
--- a/mls/domains/program/su.te
+++ /dev/null
@@ -1,26 +0,0 @@
-#DESC Su - Run shells with substitute user and group
-#
-# Domains for the su program.
-# X-Debian-Packages: login
-
-#
-# su_exec_t is the type of the su executable.
-#
-type su_exec_t, file_type, sysadmfile;
-
-allow sysadm_su_t user_home_dir_type:dir search;
-
-# Everything else is in the su_domain macro in
-# macros/program/su_macros.te.
-
-ifdef(`use_mcs', `
-ifdef(`targeted_policy', `
-range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
-domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)
-# allow user to suspend terminal
-allow sysadm_su_t unconfined_t:process signal;
-allow sysadm_su_t self:process { signal sigstop };
-can_exec(sysadm_su_t, bin_t)
-rw_dir_create_file(sysadm_su_t, home_dir_type)
-')
-')
diff --git a/mls/domains/program/sudo.te b/mls/domains/program/sudo.te
deleted file mode 100644
index a1fad31..0000000
--- a/mls/domains/program/sudo.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#DESC        sudo - execute a command as another user
-#
-# Authors:  Dan Walsh,  Russell Coker
-# Maintained by Dan Walsh <dwalsh@redhat.com>
-#
-
-# Type for the sudo executable.
-type sudo_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the sudo_domain macro in
-# macros/program/sudo_macros.te.
diff --git a/mls/domains/program/sulogin.te b/mls/domains/program/sulogin.te
deleted file mode 100644
index 0bed085..0000000
--- a/mls/domains/program/sulogin.te
+++ /dev/null
@@ -1,56 +0,0 @@
-#DESC sulogin - Single-User login
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com>
-#
-# X-Debian-Packages: sysvinit
-
-#################################
-# 
-# Rules for the sulogin_t domain
-#
-
-type sulogin_t, domain, privrole, privowner, privlog, privfd, privuser, auth;
-type sulogin_exec_t, file_type, exec_type, sysadmfile;
-role system_r types sulogin_t;
-
-general_domain_access(sulogin_t)
-
-domain_auto_trans({ initrc_t init_t }, sulogin_exec_t, sulogin_t)
-allow sulogin_t initrc_t:process getpgid;
-uses_shlib(sulogin_t)
-
-# suse and debian do not use pam with sulogin...
-ifdef(`distro_suse', `
-define(`sulogin_no_pam', `')
-')
-ifdef(`distro_debian', `
-define(`sulogin_no_pam', `')
-')
-
-ifdef(`sulogin_no_pam', `
-domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
-allow sulogin_t init_t:process getpgid;
-allow sulogin_t self:capability sys_tty_config;
-', `
-domain_trans(sulogin_t, shell_exec_t, sysadm_t)
-allow sulogin_t shell_exec_t:file r_file_perms;
-
-can_setexec(sulogin_t)
-can_getsecurity(sulogin_t)
-')
-
-r_dir_file(sulogin_t, etc_t)
-
-allow sulogin_t bin_t:dir r_dir_perms;
-r_dir_file(sulogin_t, proc_t)
-allow sulogin_t root_t:dir search;
-
-allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
-allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
-allow sulogin_t default_context_t:dir search;
-allow sulogin_t default_context_t:file { getattr read };
-
-r_dir_file(sulogin_t, selinux_config_t)
-
-# because file systems are not mounted
-dontaudit sulogin_t file_t:dir search;
diff --git a/mls/domains/program/swat.te b/mls/domains/program/swat.te
deleted file mode 100644
index aa94d2f..0000000
--- a/mls/domains/program/swat.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#DESC swat - Samba Web Administration Tool
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the swat_t domain.
-#
-# swat_exec_t is the type of the swat executable.
-#
-
-inetd_child_domain(swat)
diff --git a/mls/domains/program/syslogd.te b/mls/domains/program/syslogd.te
deleted file mode 100644
index 8957fea..0000000
--- a/mls/domains/program/syslogd.te
+++ /dev/null
@@ -1,110 +0,0 @@
-#DESC Syslogd - System log daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: sysklogd syslog-ng
-#
-
-#################################
-#
-# Rules for the syslogd_t domain.
-#
-# syslogd_t is the domain of syslogd.
-# syslogd_exec_t is the type of the syslogd executable.
-# devlog_t is the type of the Unix domain socket created 
-# by syslogd.
-#
-ifdef(`klogd.te', `
-daemon_domain(syslogd, `, privkmsg, nscd_client_domain')
-', `
-daemon_domain(syslogd, `, privmem, privkmsg, nscd_client_domain')
-')
-
-# can_network is for the UDP socket
-can_network_udp(syslogd_t)
-can_ypbind(syslogd_t)
-
-r_dir_file(syslogd_t, sysfs_t)
-
-type devlog_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
-
-# if something can log to syslog they should be able to log to the console
-allow privlog console_device_t:chr_file { ioctl read write getattr };
-
-tmp_domain(syslogd)
-
-# read files in /etc
-allow syslogd_t { etc_runtime_t etc_t }:file r_file_perms;
-
-# Use capabilities.
-allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
-
-# Modify/create log files.
-create_append_log_file(syslogd_t, var_log_t)
-
-# Create and bind to /dev/log or /var/run/log.
-file_type_auto_trans(syslogd_t, { device_t var_run_t }, devlog_t, sock_file)
-ifdef(`distro_suse', `
-# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
-file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
-')
-allow syslogd_t self:unix_dgram_socket create_socket_perms;
-allow syslogd_t self:unix_dgram_socket sendto;
-allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-allow syslogd_t self:fifo_file rw_file_perms;
-allow syslogd_t devlog_t:unix_stream_socket name_bind;
-allow syslogd_t devlog_t:unix_dgram_socket name_bind;
-# log to the xconsole
-allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
-
-# Domains with the privlog attribute may log to syslogd.
-allow privlog devlog_t:sock_file rw_file_perms;
-can_unix_send(privlog,syslogd_t)
-can_unix_connect(privlog,syslogd_t)
-# allow /dev/log to be a link elsewhere for chroot setup
-allow privlog devlog_t:lnk_file read;
-
-ifdef(`crond.te', `
-# for daemon re-start
-allow system_crond_t syslogd_t:lnk_file read;
-')
-
-ifdef(`logrotate.te', `
-allow logrotate_t syslogd_exec_t:file r_file_perms;
-')
-
-# for sending messages to logged in users
-allow syslogd_t initrc_var_run_t:file { read lock };
-dontaudit syslogd_t initrc_var_run_t:file write;
-allow syslogd_t ttyfile:chr_file { getattr write };
-
-#
-# Special case to handle crashes
-#
-allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
-
-# Allow syslog to a terminal
-allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
-
-# Allow name_bind for remote logging
-allow syslogd_t syslogd_port_t:udp_socket name_bind;
-#
-# /initrd is not umounted before minilog starts
-#
-dontaudit syslogd_t file_t:dir search;
-allow syslogd_t { tmpfs_t devpts_t }:dir search;
-dontaudit syslogd_t unlabeled_t:file { getattr read };
-dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
-allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
-ifdef(`targeted_policy', `
-allow syslogd_t var_run_t:fifo_file { ioctl read write };
-allow syslogd_t ttyfile:chr_file { getattr write ioctl append };
-')
-
-# Allow access to /proc/kmsg for syslog-ng
-allow syslogd_t proc_t:dir search;
-allow syslogd_t proc_kmsg_t:file { getattr read };
-allow syslogd_t kernel_t:system { syslog_mod syslog_console };
-allow syslogd_t self:capability { sys_admin chown fsetid };
-allow syslogd_t var_log_t:dir { create setattr };
-allow syslogd_t syslogd_port_t:tcp_socket name_bind;
-allow syslogd_t rsh_port_t:tcp_socket name_connect;
diff --git a/mls/domains/program/sysstat.te b/mls/domains/program/sysstat.te
deleted file mode 100644
index f01da4c..0000000
--- a/mls/domains/program/sysstat.te
+++ /dev/null
@@ -1,65 +0,0 @@
-#DESC Sysstat - Sar and similar programs
-#
-# Authors:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: sysstat
-#
-
-#################################
-#
-# Rules for the sysstat_t domain.
-#
-# sysstat_exec_t is the type of the sysstat executable.
-#
-type sysstat_t, domain, privlog;
-type sysstat_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types sysstat_t;
-
-allow sysstat_t device_t:dir search;
-
-allow sysstat_t self:process { sigchld fork };
-
-#for date
-can_exec(sysstat_t, { sysstat_exec_t bin_t })
-allow sysstat_t bin_t:dir r_dir_perms;
-dontaudit sysstat_t sbin_t:dir search;
-
-dontaudit sysstat_t self:capability sys_admin;
-allow sysstat_t self:capability sys_resource;
-
-allow sysstat_t devtty_t:chr_file rw_file_perms;
-
-allow sysstat_t urandom_device_t:chr_file read;
-
-# for mtab
-allow sysstat_t etc_runtime_t:file { read getattr };
-# for fstab
-allow sysstat_t etc_t:file { read getattr };
-
-dontaudit sysstat_t sysadm_home_dir_t:dir r_dir_perms;
-
-allow sysstat_t self:fifo_file rw_file_perms;
-
-# Type for files created during execution of sysstatd.
-logdir_domain(sysstat)
-allow sysstat_t var_t:dir search;
-
-allow sysstat_t etc_t:dir r_dir_perms;
-read_locale(sysstat_t)
-
-allow sysstat_t fs_t:filesystem getattr;
-
-# get info from /proc
-allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:dir r_dir_perms;
-allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:file { read getattr };
-
-domain_auto_trans(initrc_t, sysstat_exec_t, sysstat_t)
-allow sysstat_t init_t:fd use;
-allow sysstat_t console_device_t:chr_file { read write };
-
-uses_shlib(sysstat_t)
-
-system_crond_entry(sysstat_exec_t, sysstat_t)
-allow system_crond_t sysstat_log_t:dir { write remove_name add_name };
-allow system_crond_t sysstat_log_t:file create_file_perms;
-allow sysstat_t initrc_devpts_t:chr_file { read write };
diff --git a/mls/domains/program/tcpd.te b/mls/domains/program/tcpd.te
deleted file mode 100644
index af135be..0000000
--- a/mls/domains/program/tcpd.te
+++ /dev/null
@@ -1,43 +0,0 @@
-#DESC Tcpd - Access control facilities from internet services
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: tcpd
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the tcpd_t domain.
-#
-type tcpd_t, domain, privlog;
-role system_r types tcpd_t;
-uses_shlib(tcpd_t)
-type tcpd_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(inetd_t, tcpd_exec_t, tcpd_t)
-
-allow tcpd_t fs_t:filesystem getattr;
-
-# no good reason for this, probably nscd
-dontaudit tcpd_t var_t:dir search;
-
-can_network_server(tcpd_t)
-can_ypbind(tcpd_t)
-allow tcpd_t self:unix_dgram_socket create_socket_perms;
-allow tcpd_t self:unix_stream_socket create_socket_perms;
-allow tcpd_t etc_t:file { getattr read };
-read_locale(tcpd_t)
-
-tmp_domain(tcpd)
-
-# Use sockets inherited from inetd.
-allow tcpd_t inetd_t:tcp_socket rw_stream_socket_perms;
-
-# Run each daemon with a defined domain in its own domain.
-# These rules have been moved to each target domain .te file.
-
-# Run other daemons in the inetd_child_t domain.
-allow tcpd_t { bin_t sbin_t }:dir search;
-domain_auto_trans(tcpd_t, inetd_child_exec_t, inetd_child_t)
-
-allow tcpd_t device_t:dir search;
diff --git a/mls/domains/program/telnetd.te b/mls/domains/program/telnetd.te
deleted file mode 100644
index bbbb2c1..0000000
--- a/mls/domains/program/telnetd.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# telnet server daemon
-#
-
-#################################
-#
-# Rules for the telnetd_t domain 
-#
-
-remote_login_daemon(telnetd)
-typealias telnetd_port_t alias telnet_port_t;
diff --git a/mls/domains/program/tftpd.te b/mls/domains/program/tftpd.te
deleted file mode 100644
index c749987..0000000
--- a/mls/domains/program/tftpd.te
+++ /dev/null
@@ -1,41 +0,0 @@
-#DESC TFTP - UDP based file server for boot loaders
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: tftpd atftpd
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the tftpd_t domain.
-#
-# tftpd_exec_t is the type of the tftpd executable.
-#
-daemon_domain(tftpd)
-
-# tftpdir_t is the type of files in the /tftpboot directories.
-type tftpdir_t, file_type, sysadmfile;
-r_dir_file(tftpd_t, tftpdir_t)
-
-domain_auto_trans(inetd_t, tftpd_exec_t, tftpd_t)
-
-# Use the network.
-can_network_udp(tftpd_t)
-allow tftpd_t tftp_port_t:udp_socket name_bind;
-ifdef(`inetd.te', `
-allow inetd_t tftp_port_t:udp_socket name_bind;
-')
-allow tftpd_t self:unix_dgram_socket create_socket_perms;
-allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
-
-# allow any domain to connect to the TFTP server
-allow tftpd_t inetd_t:udp_socket rw_socket_perms;
-
-# Use capabilities
-allow tftpd_t self:capability { setgid setuid net_bind_service sys_chroot };
-
-allow tftpd_t etc_t:dir r_dir_perms;
-allow tftpd_t etc_t:file r_file_perms;
-
-allow tftpd_t var_t:dir r_dir_perms;
-allow tftpd_t var_t:{ file lnk_file } r_file_perms;
diff --git a/mls/domains/program/timidity.te b/mls/domains/program/timidity.te
deleted file mode 100644
index e007d3f..0000000
--- a/mls/domains/program/timidity.te
+++ /dev/null
@@ -1,34 +0,0 @@
-# DESC timidity - MIDI to WAV converter and player
-#
-# Author: Thomas Bleher <ThomasBleher@gmx.de>
-#
-# Note: You only need this policy if you want to run timidity as a server
-
-daemon_base_domain(timidity)
-can_network_server(timidity_t)
-
-allow timidity_t device_t:lnk_file read;
-
-# read /usr/share/alsa/alsa.conf
-allow timidity_t usr_t:file { getattr read };
-# read /etc/esd.conf and /proc/cpuinfo
-allow timidity_t { etc_t proc_t }:file { getattr read };
-# read libartscbackend.la - should these be shlib_t?
-allow timidity_t lib_t:file { getattr read };
-
-allow timidity_t sound_device_t:chr_file { read write ioctl };
-
-# stupid timidity won't start if it can't search its current directory.
-# allow this so /etc/init.d/alsasound start works from /root
-allow timidity_t sysadm_home_dir_t:dir search;
-
-allow timidity_t tmp_t:dir search;
-tmpfs_domain(timidity)
-
-allow timidity_t self:shm create_shm_perms;
-
-allow timidity_t self:unix_stream_socket create_stream_socket_perms;
-
-allow timidity_t devpts_t:dir search;
-allow timidity_t self:capability { dac_override dac_read_search };
-allow timidity_t self:process getsched;
diff --git a/mls/domains/program/tmpreaper.te b/mls/domains/program/tmpreaper.te
deleted file mode 100644
index 8cd0fe9..0000000
--- a/mls/domains/program/tmpreaper.te
+++ /dev/null
@@ -1,33 +0,0 @@
-#DESC Tmpreaper - Monitor and maintain temporary files
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: tmpreaper
-#
-
-#################################
-#
-# Rules for the tmpreaper_t domain.
-#
-type tmpreaper_t, domain, privlog, mlsfileread, mlsfilewrite;
-type tmpreaper_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types tmpreaper_t;
-
-system_crond_entry(tmpreaper_exec_t, tmpreaper_t)
-uses_shlib(tmpreaper_t)
-# why does it need setattr?
-allow tmpreaper_t { man_t tmpfile }:dir { setattr rw_dir_perms rmdir };
-allow tmpreaper_t { man_t tmpfile }:notdevfile_class_set { getattr unlink };
-allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
-allow tmpreaper_t self:process { fork sigchld };
-allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
-allow tmpreaper_t fs_t:filesystem getattr;
-
-r_dir_file(tmpreaper_t, etc_t)
-allow tmpreaper_t var_t:dir { getattr search };
-r_dir_file(tmpreaper_t, var_lib_t)
-allow tmpreaper_t device_t:dir { getattr search };
-allow tmpreaper_t urandom_device_t:chr_file { getattr read };
-
-read_locale(tmpreaper_t)
-
diff --git a/mls/domains/program/traceroute.te b/mls/domains/program/traceroute.te
deleted file mode 100644
index af25e20..0000000
--- a/mls/domains/program/traceroute.te
+++ /dev/null
@@ -1,66 +0,0 @@
-#DESC Traceroute - Display network routes
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# based on the work of David A. Wheeler <dwheeler@ida.org>
-# X-Debian-Packages: traceroute lft
-#
-
-#################################
-#
-# Rules for the traceroute_t domain.
-#
-# traceroute_t is the domain for the traceroute program.
-# traceroute_exec_t is the type of the corresponding program.
-#
-type traceroute_t, domain, privlog, nscd_client_domain;
-role sysadm_r types traceroute_t;
-role system_r types traceroute_t;
-# for user_ping:
-in_user_role(traceroute_t)
-uses_shlib(traceroute_t)
-can_network_client(traceroute_t)
-allow traceroute_t port_type:tcp_socket name_connect;
-can_ypbind(traceroute_t)
-allow traceroute_t node_t:rawip_socket node_bind;
-type traceroute_exec_t, file_type, sysadmfile, exec_type;
-
-# Transition into this domain when you run this program.
-domain_auto_trans(initrc_t, traceroute_exec_t, traceroute_t)
-domain_auto_trans(sysadm_t, traceroute_exec_t, traceroute_t)
-
-allow traceroute_t etc_t:file { getattr read };
-
-# Use capabilities.
-allow traceroute_t self:capability { net_admin net_raw setuid setgid };
-
-allow traceroute_t self:rawip_socket create_socket_perms;
-allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-allow traceroute_t self:unix_stream_socket create_socket_perms;
-allow traceroute_t device_t:dir search;
-
-# for lft
-allow traceroute_t self:packet_socket create_socket_perms;
-r_dir_file(traceroute_t, proc_t)
-r_dir_file(traceroute_t, proc_net_t)
-
-# Access the terminal.
-allow traceroute_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
-allow traceroute_t privfd:fd use;
-
-# dont need this
-dontaudit traceroute_t fs_t:filesystem getattr;
-dontaudit traceroute_t var_t:dir search;
-
-ifdef(`ping.te', `
-if (user_ping) {
-	domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
-	# allow access to the terminal
-	allow traceroute_t { ttyfile ptyfile }:chr_file rw_file_perms;
-}
-')
-#rules needed for nmap
-allow traceroute_t { urandom_device_t random_device_t }:chr_file r_file_perms;
-allow traceroute_t usr_t:file { getattr read };
-read_locale(traceroute_t)
-dontaudit traceroute_t userdomain:dir search;
diff --git a/mls/domains/program/udev.te b/mls/domains/program/udev.te
deleted file mode 100644
index cc5f7d4..0000000
--- a/mls/domains/program/udev.te
+++ /dev/null
@@ -1,152 +0,0 @@
-#DESC udev - Linux configurable dynamic device naming support
-#
-# Author:  Dan Walsh dwalsh@redhat.com
-#
-
-#################################
-#
-# Rules for the udev_t domain.
-#
-# udev_exec_t is the type of the udev executable.
-#
-daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite')
-
-general_domain_access(udev_t)
-
-if (allow_execmem) {
-# for alsactl
-allow udev_t self:process execmem;
-}
-
-etc_domain(udev)
-type udev_helper_exec_t, file_type, sysadmfile, exec_type;
-can_exec_any(udev_t)
-
-#
-# Rules used for udev
-#
-type udev_tdb_t, file_type, sysadmfile, dev_fs;
-typealias udev_tdb_t alias udev_tbl_t;
-file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin sys_rawio sys_nice };
-allow udev_t self:file { getattr read };
-allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
-allow udev_t self:unix_dgram_socket create_socket_perms;
-allow udev_t self:fifo_file rw_file_perms;
-allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; 
-allow udev_t device_t:file { unlink rw_file_perms };
-allow udev_t device_t:sock_file create_file_perms;
-allow udev_t device_t:lnk_file create_lnk_perms;
-allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
-ifdef(`distro_redhat', `
-allow udev_t tmpfs_t:dir create_dir_perms;
-allow udev_t tmpfs_t:{ sock_file file } create_file_perms;
-allow udev_t tmpfs_t:lnk_file create_lnk_perms;
-allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
-allow udev_t tmpfs_t:dir search;
-
-# for arping used for static IP addresses on PCMCIA ethernet
-domain_auto_trans(udev_t, netutils_exec_t, netutils_t)
-')
-allow udev_t etc_t:file { getattr read ioctl };
-allow udev_t { bin_t sbin_t }:dir r_dir_perms;
-allow udev_t { sbin_t bin_t }:lnk_file read;
-allow udev_t bin_t:lnk_file read;
-can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
-can_exec(udev_t, udev_exec_t)
-rw_dir_file(udev_t, sysfs_t)
-allow udev_t sysadm_tty_device_t:chr_file { read write };
-
-# to read the file_contexts file
-r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
-
-allow udev_t policy_config_t:dir search;
-allow udev_t proc_t:file { getattr read ioctl };
-allow udev_t proc_kcore_t:file getattr;
-
-# Get security policy decisions.
-can_getsecurity(udev_t)
-
-# set file system create context
-can_setfscreate(udev_t)
-
-allow udev_t kernel_t:fd use;
-allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
-allow udev_t kernel_t:process signal;
-
-allow udev_t initrc_var_run_t:file r_file_perms;
-dontaudit udev_t initrc_var_run_t:file write;
-
-domain_auto_trans(kernel_t, udev_exec_t, udev_t)
-domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t)
-ifdef(`hide_broken_symptoms', `
-dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
-')
-allow udev_t devpts_t:dir { getattr search };
-allow udev_t etc_runtime_t:file { getattr read };
-ifdef(`xdm.te', `
-allow udev_t xdm_var_run_t:file { getattr read };
-')
-
-ifdef(`hotplug.te', `
-r_dir_file(udev_t, hotplug_etc_t)
-')
-allow udev_t var_log_t:dir search;
-
-ifdef(`consoletype.te', `
-can_exec(udev_t, consoletype_exec_t)
-')
-ifdef(`pamconsole.te', `
-allow udev_t pam_var_console_t:dir search;
-allow udev_t pam_var_console_t:file { getattr read };
-domain_auto_trans(udev_t, pam_console_exec_t, pam_console_t)
-')
-allow udev_t var_lock_t:dir search;
-allow udev_t var_lock_t:file getattr;
-domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
-ifdef(`hide_broken_symptoms', `
-dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
-')
-
-dontaudit udev_t file_t:dir search;
-ifdef(`dhcpc.te', `
-domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)
-')
-
-allow udev_t udev_helper_exec_t:dir r_dir_perms;
-
-dbusd_client(system, udev)
-
-allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
-allow udev_t sysctl_dev_t:dir search;
-allow udev_t mnt_t:dir search;
-allow udev_t { sysctl_dev_t sysctl_modprobe_t sysctl_kernel_t sysctl_hotplug_t }:file { getattr read };
-allow udev_t self:rawip_socket create_socket_perms;
-dontaudit udev_t domain:dir r_dir_perms;
-dontaudit udev_t ttyfile:chr_file unlink;
-ifdef(`hotplug.te', `
-r_dir_file(udev_t, hotplug_var_run_t)
-')
-r_dir_file(udev_t, modules_object_t)
-#
-# Udev is now writing dhclient-eth*.conf* files.
-#
-ifdef(`dhcpd.te', `define(`use_dhcp')')
-ifdef(`dhcpc.te', `define(`use_dhcp')')
-ifdef(`use_dhcp', `
-allow udev_t dhcp_etc_t:file rw_file_perms;
-file_type_auto_trans(udev_t, etc_t, dhcp_etc_t, file)
-')
-r_dir_file(udev_t, domain)
-allow udev_t modules_dep_t:file r_file_perms;
-
-nsswitch_domain(udev_t)
-
-ifdef(`unlimitedUtils', `
-unconfined_domain(udev_t) 
-')
-dontaudit hostname_t udev_t:fd use;
-ifdef(`use_mcs', `
-range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
-range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
-')
diff --git a/mls/domains/program/unconfined.te b/mls/domains/program/unconfined.te
deleted file mode 100644
index 9497a3c..0000000
--- a/mls/domains/program/unconfined.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#DESC Unconfined - Use to essentially disable SELinux for a particular program
-# This domain will be useful as a workaround for e.g. third-party daemon software
-# that has no policy, until one can be written for it.
-#
-# To use, label the executable with unconfined_exec_t, e.g.:
-# chcon -t unconfined_exec_t /usr/local/bin/appsrv
-# Or alternatively add it to /etc/security/selinux/src/policy/file_contexts/program/unconfined.fc
-
-type unconfined_t, domain, privlog, admin, privmem, fs_domain, auth_write;
-type unconfined_exec_t, file_type, sysadmfile, exec_type;
-role sysadm_r types unconfined_t;
-domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)
-role system_r types unconfined_t;
-domain_auto_trans(initrc_t, unconfined_exec_t, unconfined_t)
-unconfined_domain(unconfined_t)
diff --git a/mls/domains/program/unused/afs.te b/mls/domains/program/unused/afs.te
deleted file mode 100644
index 8bcab3b..0000000
--- a/mls/domains/program/unused/afs.te
+++ /dev/null
@@ -1,166 +0,0 @@
-#
-# Policy for AFS server
-#
-
-type afs_files_t, file_type;
-type afs_config_t, file_type, sysadmfile;
-type afs_logfile_t, file_type, logfile;
-type afs_dbdir_t, file_type;
-
-allow afs_files_t afs_files_t:filesystem associate;
-# df should show sizes
-allow sysadm_t afs_files_t:filesystem getattr;
-
-#
-# Macros for defining AFS server domains
-#
-
-define(`afs_server_domain',`
-type afs_$1server_t, domain $2;
-type afs_$1server_exec_t, file_type, sysadmfile;
-
-role system_r types afs_$1server_t;
-
-allow afs_$1server_t afs_config_t:file r_file_perms;
-allow afs_$1server_t afs_config_t:dir r_dir_perms;
-allow afs_$1server_t afs_logfile_t:file create_file_perms;
-allow afs_$1server_t afs_logfile_t:dir create_dir_perms;
-allow afs_$1server_t afs_$1_port_t:udp_socket name_bind;
-uses_shlib(afs_$1server_t)
-can_network(afs_$1server_t)
-read_locale(afs_$1server_t)
-
-dontaudit afs_$1server_t { var_t var_run_t }:file r_file_perms;
-dontaudit afs_$1server_t { var_t var_run_t }:dir r_dir_perms;
-dontaudit afs_$1server_t admin_tty_type:chr_file rw_file_perms;
-')
-
-define(`afs_under_bos',`
-domain_auto_trans(afs_bosserver_t, afs_$1server_exec_t, afs_$1server_t)
-allow afs_$1server_t self:unix_stream_socket create_stream_socket_perms;
-allow afs_$1server_t etc_t:{ file lnk_file } r_file_perms;
-allow afs_$1server_t net_conf_t:file r_file_perms;
-allow afs_bosserver_t afs_$1server_t:process signal_perms;
-')
-
-define(`afs_server_db',`
-type afs_$1_db_t, file_type;
-
-allow afs_$1server_t afs_$1_db_t:file create_file_perms;
-file_type_auto_trans(afs_$1server_t, afs_dbdir_t, afs_$1_db_t, file);
-')
-
-
-#
-# bosserver
-#
-
-afs_server_domain(`bos')
-base_file_read_access(afs_bosserver_t)
-
-domain_auto_trans(initrc_t, afs_bosserver_exec_t, afs_bosserver_t)
-
-allow afs_bosserver_t self:process { fork setsched signal_perms };
-allow afs_bosserver_t afs_bosserver_exec_t:file { execute_no_trans rx_file_perms };
-allow afs_bosserver_t afs_dbdir_t:dir { search read getattr };
-allow afs_bosserver_t afs_config_t:file create_file_perms;
-allow afs_bosserver_t afs_config_t:dir create_dir_perms;
-
-allow afs_bosserver_t etc_t:{file lnk_file} r_file_perms;
-allow afs_bosserver_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
-allow afs_bosserver_t device_t:dir r_dir_perms;
-
-# allow sysadm to use bos
-allow afs_bosserver_t sysadm_t:udp_socket { sendto recvfrom };
-allow sysadm_t afs_bosserver_t:udp_socket { recvfrom sendto };
-
-#
-# fileserver, volserver, and salvager
-#
-
-afs_server_domain(`fs',`,privlog')
-afs_under_bos(`fs')
-
-base_file_read_access(afs_fsserver_t)
-file_type_auto_trans(afs_fsserver_t, afs_config_t, afs_files_t)
-
-allow afs_fsserver_t self:process { fork sigchld setsched signal_perms };
-allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
-allow afs_fsserver_t self:fifo_file { rw_file_perms };
-can_exec(afs_fsserver_t, afs_fsserver_exec_t)
-allow afs_fsserver_t afs_files_t:file create_file_perms;
-allow afs_fsserver_t afs_files_t:dir create_dir_perms;
-allow afs_fsserver_t afs_config_t:file create_file_perms;
-allow afs_fsserver_t afs_config_t:dir create_dir_perms;
-
-allow afs_fsserver_t afs_fs_port_t:tcp_socket name_bind;
-allow afs_fsserver_t { afs_files_t fs_t }:filesystem getattr;
-
-allow afs_fsserver_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
-allow afs_fsserver_t device_t:dir r_dir_perms;
-allow afs_fsserver_t etc_runtime_t:{file lnk_file} r_file_perms;
-allow afs_fsserver_t { var_run_t var_t } :dir r_dir_perms;
-
-allow afs_fsserver_t proc_t:dir r_dir_perms;
-allow afs_fsserver_t { self proc_t } : { file lnk_file } r_file_perms;
-allow afs_fsserver_t { self proc_t } : dir r_dir_perms;
-
-# fs communicates with other servers
-allow afs_fsserver_t self:unix_dgram_socket create_socket_perms;
-allow afs_fsserver_t self:tcp_socket { connectto acceptfrom recvfrom };
-allow afs_fsserver_t self:udp_socket { sendto recvfrom };
-allow afs_fsserver_t { afs_vlserver_t afs_ptserver_t }:udp_socket { recvfrom };
-allow afs_fsserver_t sysadm_t:udp_socket { sendto recvfrom };
-allow sysadm_t afs_fsserver_t:udp_socket { recvfrom sendto };
-
-dontaudit afs_fsserver_t self:capability fsetid;
-dontaudit afs_fsserver_t console_device_t:chr_file rw_file_perms;
-dontaudit afs_fsserver_t initrc_t:fd use;
-dontaudit afs_fsserver_t mnt_t:dir search;
-
-
-#
-# kaserver
-#
-
-afs_server_domain(`ka')
-afs_under_bos(`ka')
-afs_server_db(`ka')
-
-base_file_read_access(afs_kaserver_t)
-
-allow afs_kaserver_t kerberos_port_t:udp_socket name_bind;
-allow afs_kaserver_t self:capability { net_bind_service };
-allow afs_kaserver_t afs_config_t:file create_file_perms;
-allow afs_kaserver_t afs_config_t:dir rw_dir_perms;
-
-# allow sysadm to use kas
-allow afs_kaserver_t sysadm_t:udp_socket { sendto recvfrom };
-allow sysadm_t afs_kaserver_t:udp_socket { recvfrom sendto };
-
-
-#
-# ptserver
-#
-
-afs_server_domain(`pt')
-afs_under_bos(`pt')
-afs_server_db(`pt')
-
-# allow users to use pts
-allow afs_ptserver_t userdomain:udp_socket { sendto recvfrom };
-allow userdomain afs_ptserver_t:udp_socket { recvfrom sendto };
-allow afs_ptserver_t afs_fsserver_t:udp_socket { recvfrom };
-
-
-#
-# vlserver
-#
-
-afs_server_domain(`vl')
-afs_under_bos(`vl')
-afs_server_db(`vl')
-
-allow afs_vlserver_t sysadm_t:udp_socket { sendto recvfrom };
-allow sysadm_t afs_vlserver_t:udp_socket { recvfrom sendto };
-allow afs_vlserver_t afs_fsserver_t:udp_socket { recvfrom };
diff --git a/mls/domains/program/unused/amavis.te b/mls/domains/program/unused/amavis.te
deleted file mode 100644
index 1e1752f..0000000
--- a/mls/domains/program/unused/amavis.te
+++ /dev/null
@@ -1,117 +0,0 @@
-#DESC Amavis - Anti-virus
-#
-# Author:  Brian May <bam@snoopy.apana.org.au>
-# X-Debian-Packages: amavis-ng amavisd-new amavisd-new-milter amavisd-new-milter-helper
-# Depends: clamav.te
-#
-
-#################################
-#
-# Rules for the amavisd_t domain.
-#
-type amavisd_etc_t, file_type, sysadmfile;
-type amavisd_lib_t, file_type, sysadmfile;
-
-# Virus and spam found and quarantined.
-type amavisd_quarantine_t, file_type, sysadmfile, tmpfile;
-
-daemon_domain(amavisd)
-tmp_domain(amavisd)
-
-allow initrc_t amavisd_etc_t:file { getattr read };
-allow initrc_t amavisd_lib_t:dir { search read write rmdir remove_name unlink };
-allow initrc_t amavisd_lib_t:file unlink;
-allow initrc_t amavisd_var_run_t:dir setattr;
-allow amavisd_t self:capability { chown dac_override setgid setuid };
-dontaudit amavisd_t self:capability sys_tty_config;
-
-allow amavisd_t usr_t:{ file lnk_file } { getattr read };
-dontaudit amavisd_t usr_t:file ioctl;
-
-# networking
-can_network_server_tcp(amavisd_t, amavisd_recv_port_t)
-allow amavisd_t amavisd_recv_port_t:tcp_socket name_bind;
-allow mta_delivery_agent amavisd_recv_port_t:tcp_socket name_connect;
-# The next line doesn't work right so drop the port specification.
-#can_network_client_tcp(amavisd_t, amavisd_send_port_t)
-can_network_client_tcp(amavisd_t)
-allow amavisd_t amavisd_send_port_t:tcp_socket name_connect;
-can_resolve(amavisd_t);
-can_ypbind(amavisd_t);
-can_tcp_connect(mail_server_sender, amavisd_t);
-can_tcp_connect(amavisd_t, mail_server_domain)
-
-ifdef(`scannerdaemon.te', `
-can_tcp_connect(amavisd_t, scannerdaemon_t);
-allow scannerdaemon_t amavisd_lib_t:dir r_dir_perms;
-allow scannerdaemon_t amavisd_lib_t:file r_file_perms;
-')
-
-ifdef(`clamav.te', `
-clamscan_domain(amavisd)
-role system_r types amavisd_clamscan_t;
-domain_auto_trans(amavisd_t, clamscan_exec_t, amavisd_clamscan_t)
-allow amavisd_clamscan_t amavisd_lib_t:dir r_dir_perms;
-allow amavisd_clamscan_t amavisd_lib_t:file r_file_perms;
-can_clamd_connect(amavisd)
-allow clamd_t amavisd_lib_t:dir r_dir_perms;
-allow clamd_t amavisd_lib_t:file r_file_perms;
-')
-
-# DCC
-ifdef(`dcc.te', `
-allow dcc_client_t amavisd_lib_t:file r_file_perms;
-')
-
-# Pyzor
-ifdef(`pyzor.te',`
-domain_auto_trans(amavisd_t, pyzor_exec_t, pyzor_t)
-#allow pyzor_t amavisd_data_t:dir search;
-# Pyzor creates a temp file adjacent to the working file.
-create_dir_file(pyzor_t, amavisd_lib_t);
-')
-
-# SpamAssassin is executed from within amavisd, but needs to read its
-# config
-ifdef(`spamd.te', `
-r_dir_file(amavisd_t, etc_mail_t)
-')
-
-# Can create unix sockets
-allow amavisd_t self:unix_stream_socket create_stream_socket_perms;
-allow amavisd_t self:unix_dgram_socket create_socket_perms;
-allow amavisd_t self:fifo_file getattr;
-
-read_locale(amavisd_t)
-
-# Access config files (amavisd).
-allow amavisd_t amavisd_etc_t:file r_file_perms;
-
-log_domain(amavisd)
-
-# Access amavisd var/lib files.
-create_dir_file(amavisd_t, amavisd_lib_t)
-
-# Access amavisd quarantined files.
-create_dir_file(amavisd_t, amavisd_quarantine_t)
-
-# Run helper programs.
-can_exec_any(amavisd_t,bin_t)
-allow amavisd_t bin_t:dir { getattr search };
-allow amavisd_t sbin_t:dir search;
-allow amavisd_t var_lib_t:dir search;
-
-# allow access to files for scanning (required for amavis):
-allow clamd_t self:capability { dac_override dac_read_search };
-
-# unknown stuff
-allow amavisd_t self:fifo_file { ioctl read write };
-allow amavisd_t { random_device_t urandom_device_t }:chr_file read;
-allow amavisd_t proc_t:file { getattr read };
-allow amavisd_t etc_runtime_t:file { getattr read };
-
-# broken stuff
-dontaudit amavisd_t sysadm_home_dir_t:dir search;
-dontaudit amavisd_t shadow_t:file { getattr read };
-dontaudit amavisd_t sysadm_devpts_t:chr_file { read write };
-
diff --git a/mls/domains/program/unused/asterisk.te b/mls/domains/program/unused/asterisk.te
deleted file mode 100644
index 7ae5ffc..0000000
--- a/mls/domains/program/unused/asterisk.te
+++ /dev/null
@@ -1,56 +0,0 @@
-#DESC Asterisk IP telephony server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-# X-Debian-Packages: asterisk
-
-daemon_domain(asterisk)
-allow asterisk_t asterisk_var_run_t:{ sock_file fifo_file } create_file_perms;
-allow initrc_t asterisk_var_run_t:fifo_file unlink;
-
-allow asterisk_t self:process setsched;
-allow asterisk_t self:fifo_file rw_file_perms;
-
-allow asterisk_t proc_t:file { getattr read };
-
-allow asterisk_t { bin_t sbin_t }:dir search;
-allow asterisk_t bin_t:lnk_file read;
-can_exec(asterisk_t, bin_t)
-
-etcdir_domain(asterisk)
-logdir_domain(asterisk)
-var_lib_domain(asterisk)
-
-allow asterisk_t asterisk_port_t:{ udp_socket tcp_socket } name_bind;
-
-# for VOIP voice channels.
-allow asterisk_t port_t:{ udp_socket tcp_socket } name_bind;
-
-allow asterisk_t device_t:lnk_file read;
-allow asterisk_t sound_device_t:chr_file rw_file_perms;
-
-type asterisk_spool_t, file_type, sysadmfile;
-create_dir_file(asterisk_t, asterisk_spool_t)
-allow asterisk_t var_spool_t:dir search;
-
-# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
-# are labeled usr_t
-allow asterisk_t usr_t:file r_file_perms;
-
-can_network_server(asterisk_t)
-can_ypbind(asterisk_t)
-allow asterisk_t etc_t:file { getattr read };
-
-allow asterisk_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms };
-allow asterisk_t self:sem create_sem_perms;
-allow asterisk_t self:shm create_shm_perms;
-
-# dac_override for /var/run/asterisk
-allow asterisk_t self:capability { dac_override setgid setuid sys_nice };
-
-# for shutdown
-dontaudit asterisk_t self:capability sys_tty_config;
-
-tmpfs_domain(asterisk)
-tmp_domain(asterisk)
diff --git a/mls/domains/program/unused/audio-entropyd.te b/mls/domains/program/unused/audio-entropyd.te
deleted file mode 100644
index 216108a..0000000
--- a/mls/domains/program/unused/audio-entropyd.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC audio-entropyd - Generate entropy from audio input
-#
-# Author: Chris PeBenito <pebenito@gentoo.org>
-#
-
-daemon_domain(entropyd)
-
-allow entropyd_t self:capability { ipc_lock sys_admin };
-
-allow entropyd_t random_device_t:chr_file rw_file_perms;
-allow entropyd_t device_t:dir r_dir_perms;
-allow entropyd_t sound_device_t:chr_file r_file_perms;
diff --git a/mls/domains/program/unused/authbind.te b/mls/domains/program/unused/authbind.te
deleted file mode 100644
index 6aabc3e..0000000
--- a/mls/domains/program/unused/authbind.te
+++ /dev/null
@@ -1,29 +0,0 @@
-#DESC Authbind - Program to bind to low ports as non-root
-#
-# Authors:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: authbind
-#
-
-#################################
-#
-# Rules for the authbind_t domain.
-#
-# authbind_exec_t is the type of the authbind executable.
-#
-type authbind_t, domain, privlog;
-type authbind_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types authbind_t;
-
-etcdir_domain(authbind)
-
-can_exec(authbind_t, authbind_etc_t)
-allow authbind_t etc_t:dir r_dir_perms;
-
-uses_shlib(authbind_t)
-
-allow authbind_t self:capability net_bind_service;
-
-allow authbind_t domain:fd use;
-
-allow authbind_t console_device_t:chr_file { read write };
diff --git a/mls/domains/program/unused/backup.te b/mls/domains/program/unused/backup.te
deleted file mode 100644
index 628527d..0000000
--- a/mls/domains/program/unused/backup.te
+++ /dev/null
@@ -1,62 +0,0 @@
-#DESC Backup - Backup scripts
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: dpkg
-#
-
-#################################
-#
-# Rules for the backup_t domain.
-#
-type backup_t, domain, privlog, auth;
-type backup_exec_t, file_type, sysadmfile, exec_type;
-
-type backup_store_t, file_type, sysadmfile;
-
-role system_r types backup_t;
-role sysadm_r types backup_t;
-
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, backup_exec_t, backup_t)
-')
-allow backup_t privfd:fd use;
-ifdef(`crond.te', `
-system_crond_entry(backup_exec_t, backup_t)
-rw_dir_create_file(system_crond_t, backup_store_t)
-')
-
-# for SSP
-allow backup_t urandom_device_t:chr_file read;
-
-can_network_client(backup_t)
-allow backup_t port_type:tcp_socket name_connect;
-can_ypbind(backup_t)
-uses_shlib(backup_t)
-
-allow backup_t devtty_t:chr_file rw_file_perms;
-
-allow backup_t { file_type fs_type }:dir r_dir_perms;
-allow backup_t file_type:{ file lnk_file } r_file_perms;
-allow backup_t file_type:{ sock_file fifo_file } getattr;
-allow backup_t { device_t device_type ttyfile }:chr_file getattr;
-allow backup_t { device_t device_type }:blk_file getattr;
-allow backup_t var_t:file create_file_perms;
-
-allow backup_t proc_t:dir r_dir_perms;
-allow backup_t proc_t:file r_file_perms;
-allow backup_t proc_t:lnk_file { getattr read };
-read_sysctl(backup_t)
-
-allow backup_t self:fifo_file rw_file_perms;
-allow backup_t self:process { signal sigchld fork };
-allow backup_t self:capability dac_override;
-
-rw_dir_file(backup_t, backup_store_t)
-allow backup_t backup_store_t:file { create setattr };
-
-allow backup_t fs_t:filesystem getattr;
-
-allow backup_t self:unix_stream_socket create_socket_perms;
-
-can_exec(backup_t, bin_t)
-ifdef(`hostname.te', `can_exec(backup_t, hostname_exec_t)')
diff --git a/mls/domains/program/unused/calamaris.te b/mls/domains/program/unused/calamaris.te
deleted file mode 100644
index 1bfce36..0000000
--- a/mls/domains/program/unused/calamaris.te
+++ /dev/null
@@ -1,72 +0,0 @@
-#DESC Calamaris - Squid log analysis
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: calamaris
-# Depends: squid.te
-#
-
-#################################
-#
-# Rules for the calamaris_t domain.
-#
-# calamaris_t is the domain the calamaris process runs in
-
-system_domain(calamaris, `, privmail')
-
-ifdef(`crond.te', `
-system_crond_entry(calamaris_exec_t, calamaris_t)
-')
-
-allow calamaris_t { var_t var_run_t }:dir { getattr search };
-allow calamaris_t squid_log_t:dir search;
-allow calamaris_t squid_log_t:file { getattr read };
-allow calamaris_t { usr_t lib_t }:file { getattr read };
-allow calamaris_t usr_t:lnk_file { getattr read };
-dontaudit calamaris_t usr_t:file ioctl;
-
-type calamaris_www_t, file_type, sysadmfile;
-ifdef(`apache.te', `
-allow calamaris_t httpd_sys_content_t:dir search;
-')
-rw_dir_create_file(calamaris_t, calamaris_www_t)
-
-# for when squid has a different UID
-allow calamaris_t self:capability dac_override;
-
-logdir_domain(calamaris)
-
-allow calamaris_t device_t:dir search;
-allow calamaris_t devtty_t:chr_file { read write };
-
-allow calamaris_t urandom_device_t:chr_file { getattr read };
-
-allow calamaris_t self:process { fork signal_perms setsched };
-read_sysctl(calamaris_t)
-allow calamaris_t proc_t:dir search;
-allow calamaris_t proc_t:file { getattr read };
-allow calamaris_t { proc_t self }:lnk_file read;
-allow calamaris_t self:dir search;
-
-allow calamaris_t { bin_t sbin_t }:dir search;
-allow calamaris_t bin_t:lnk_file read;
-allow calamaris_t etc_runtime_t:file { getattr read };
-allow calamaris_t self:fifo_file { getattr read write ioctl };
-read_locale(calamaris_t)
-
-can_exec(calamaris_t, bin_t)
-allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
-allow calamaris_t self:udp_socket create_socket_perms;
-allow calamaris_t etc_t:file { getattr read };
-allow calamaris_t etc_t:lnk_file read;
-dontaudit calamaris_t etc_t:file ioctl;
-dontaudit calamaris_t sysadm_home_dir_t:dir { getattr search };
-can_network_server(calamaris_t)
-can_ypbind(calamaris_t)
-ifdef(`named.te', `
-can_udp_send(calamaris_t, named_t)
-can_udp_send(named_t, calamaris_t)
-')
-
-ifdef(`apache.te', `
-r_dir_file(httpd_t, calamaris_www_t)
-')
diff --git a/mls/domains/program/unused/ciped.te b/mls/domains/program/unused/ciped.te
deleted file mode 100644
index 6fddf97..0000000
--- a/mls/domains/program/unused/ciped.te
+++ /dev/null
@@ -1,32 +0,0 @@
-
-
-daemon_base_domain(ciped)
-
-# for SSP
-allow ciped_t urandom_device_t:chr_file read;
-
-# cipe uses the afs3-bos port (udp 7007)
-allow ciped_t afs_bos_port_t:udp_socket name_bind;
-
-can_network_udp(ciped_t)
-can_ypbind(ciped_t)
-
-allow ciped_t devpts_t:dir search;
-allow ciped_t devtty_t:chr_file { read write };
-allow ciped_t etc_runtime_t:file { getattr read };
-allow ciped_t etc_t:file { getattr read };
-allow ciped_t proc_t:file { getattr read };
-allow ciped_t { bin_t sbin_t }:dir { getattr search read };
-allow ciped_t bin_t:lnk_file read;
-can_exec(ciped_t, { bin_t ciped_exec_t shell_exec_t })
-allow ciped_t self:fifo_file rw_file_perms;
-
-read_locale(ciped_t)
-
-allow ciped_t self:capability { net_admin ipc_lock sys_tty_config };
-allow ciped_t self:unix_dgram_socket create_socket_perms;
-allow ciped_t self:unix_stream_socket create_socket_perms;
-
-allow ciped_t random_device_t:chr_file { getattr read };
-
-dontaudit ciped_t var_t:dir search;
diff --git a/mls/domains/program/unused/clamav.te b/mls/domains/program/unused/clamav.te
deleted file mode 100644
index 3ef34ee..0000000
--- a/mls/domains/program/unused/clamav.te
+++ /dev/null
@@ -1,147 +0,0 @@
-#DESC CLAM - Anti-virus program
-#
-# Author:  Brian May <bam@snoopy.apana.org.au>
-# X-Debian-Packages: clamav
-#
-
-#################################
-#
-# Rules for the clamscan_t domain.
-#
-
-# Virus database
-type clamav_var_lib_t, file_type, sysadmfile;
-
-# clamscan_t is the domain of the clamscan virus scanner
-type clamscan_exec_t, file_type, sysadmfile, exec_type;
-
-##########
-##########
-
-#
-# Freshclam
-#
-
-daemon_base_domain(freshclam, `, web_client_domain')
-read_locale(freshclam_t)
-
-# not sure why it needs this
-read_sysctl(freshclam_t)
-
-can_network_client_tcp(freshclam_t, http_port_t);
-allow freshclam_t http_port_t:tcp_socket name_connect;
-can_resolve(freshclam_t)
-can_ypbind(freshclam_t)
-
-# Access virus signatures
-allow freshclam_t { var_t var_lib_t }:dir search;
-rw_dir_create_file(freshclam_t, clamav_var_lib_t)
-
-allow freshclam_t devtty_t:chr_file { read write };
-allow freshclam_t devpts_t:dir search;
-allow freshclam_t etc_t:file { getattr read };
-allow freshclam_t proc_t:file { getattr read };
-
-allow freshclam_t urandom_device_t:chr_file { getattr read };
-dontaudit freshclam_t urandom_device_t:chr_file ioctl;
-
-# for nscd
-dontaudit freshclam_t var_run_t:dir search;
-
-# setuid/getuid used (although maybe not required...)
-allow freshclam_t self:capability { setgid setuid };
-
-allow freshclam_t sbin_t:dir search;
-
-# Allow notification to daemon that virus database has changed
-can_clamd_connect(freshclam)
-
-allow freshclam_t etc_runtime_t:file { read getattr };
-allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
-allow freshclam_t self:unix_dgram_socket create_socket_perms;
-allow freshclam_t self:fifo_file rw_file_perms;
-
-# Log files for freshclam executable
-logdir_domain(freshclam)
-allow initrc_t freshclam_log_t:file append;
-
-# Pid files for freshclam
-allow initrc_t clamd_var_run_t:file { create setattr };
-
-system_crond_entry(freshclam_exec_t, freshclam_t)
-domain_auto_trans(logrotate_t, freshclam_exec_t, freshclam_t)
-
-domain_auto_trans(sysadm_t, freshclam_exec_t, freshclam_t)
-role sysadm_r types freshclam_t;
-
-create_dir_file(freshclam_t, clamd_var_run_t)
-
-##########
-##########
-
-#
-# Clamscan
-#
-
-# macros/program/clamav_macros.te.
-user_clamscan_domain(sysadm)
-
-##########
-##########
-
-#
-# Clamd
-#
-
-type clamd_sock_t, file_type, sysadmfile;
-
-# clamd executable
-daemon_domain(clamd)
-
-tmp_domain(clamd)
-
-# The dir containing the clamd log files is labelled freshclam_t
-logdir_domain(clamd)
-allow clamd_t freshclam_log_t:dir search;
-
-allow clamd_t self:capability { kill setgid setuid dac_override };
-
-# Give the clamd local communications socket a unique type
-ifdef(`distro_debian', `
-file_type_auto_trans(clamd_t, var_run_t, clamd_sock_t, sock_file)
-')
-ifdef(`distro_redhat', `
-file_type_auto_trans(clamd_t, clamd_var_run_t, clamd_sock_t, sock_file)
-')
-
-# Clamd can be configured to listen on a TCP port.
-can_network_server_tcp(clamd_t, clamd_port_t)
-allow clamd_t clamd_port_t:tcp_socket name_bind;
-can_resolve(clamd_t);
-
-allow clamd_t var_lib_t:dir search;
-r_dir_file(clamd_t, clamav_var_lib_t)
-r_dir_file(clamd_t, etc_t)
-# allow access /proc/sys/kernel/version
-read_sysctl(clamd_t)
-allow clamd_t self:unix_stream_socket create_stream_socket_perms;
-allow clamd_t self:unix_dgram_socket create_stream_socket_perms;
-allow clamd_t self:fifo_file rw_file_perms;
-
-allow clamd_t { random_device_t urandom_device_t }:chr_file { getattr read };
-dontaudit clamd_t { random_device_t urandom_device_t }:chr_file ioctl;
-
-
-##########
-##########
-
-#
-# Interaction with external programs
-#
-
-ifdef(`amavis.te',`
-allow amavisd_t clamd_var_run_t:dir search;
-allow amavisd_t clamd_t:unix_stream_socket connectto;
-allow amavisd_t clamd_sock_t:sock_file write;
-')
-
diff --git a/mls/domains/program/unused/clockspeed.te b/mls/domains/program/unused/clockspeed.te
deleted file mode 100644
index f79c314..0000000
--- a/mls/domains/program/unused/clockspeed.te
+++ /dev/null
@@ -1,26 +0,0 @@
-#DESC clockspeed - Simple network time protocol client
-#
-# Author Petre Rodan <kaiowas@gentoo.org>
-#
-
-daemon_base_domain(clockspeed)
-var_lib_domain(clockspeed)
-can_network(clockspeed_t)
-allow clockspeed_t port_type:tcp_socket name_connect;
-read_locale(clockspeed_t)
-
-allow clockspeed_t self:capability { sys_time net_bind_service };
-allow clockspeed_t self:unix_dgram_socket create_socket_perms;
-allow clockspeed_t self:unix_stream_socket create_socket_perms;
-allow clockspeed_t clockspeed_port_t:udp_socket name_bind;
-allow clockspeed_t domain:packet_socket recvfrom;
-
-allow clockspeed_t var_t:dir search;
-allow clockspeed_t clockspeed_var_lib_t:file create_file_perms;
-allow clockspeed_t clockspeed_var_lib_t:fifo_file create_file_perms;
-
-# sysadm can play with clockspeed
-role sysadm_r types clockspeed_t;
-ifdef(`targeted_policy', `', `
-domain_auto_trans( sysadm_t, clockspeed_exec_t, clockspeed_t)
-')
diff --git a/mls/domains/program/unused/courier.te b/mls/domains/program/unused/courier.te
deleted file mode 100644
index 75e42d3..0000000
--- a/mls/domains/program/unused/courier.te
+++ /dev/null
@@ -1,139 +0,0 @@
-#DESC Courier - POP and IMAP servers
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: courier-base
-#
-
-# Type for files created during execution of courier.
-type courier_var_run_t, file_type, sysadmfile, pidfile;
-type courier_var_lib_t, file_type, sysadmfile;
-
-type courier_etc_t, file_type, sysadmfile;
-
-# allow start scripts to read the config
-allow initrc_t courier_etc_t:file r_file_perms;
-
-type courier_exec_t, file_type, sysadmfile, exec_type;
-type sqwebmail_cron_exec_t, file_type, sysadmfile, exec_type;
-
-define(`courier_domain', `
-#################################
-#
-# Rules for the courier_$1_t domain.
-#
-# courier_$1_exec_t is the type of the courier_$1 executables.
-#
-daemon_base_domain(courier_$1, `$2')
-
-allow courier_$1_t var_run_t:dir search;
-rw_dir_create_file(courier_$1_t, courier_var_run_t)
-allow courier_$1_t courier_var_run_t:sock_file create_file_perms;
-
-# allow it to read config files etc
-allow courier_$1_t { courier_etc_t var_t }:dir r_dir_perms;
-allow courier_$1_t courier_etc_t:file r_file_perms;
-allow courier_$1_t etc_t:dir r_dir_perms;
-allow courier_$1_t etc_t:file r_file_perms;
-
-# execute scripts etc
-allow courier_$1_t { bin_t courier_$1_exec_t }:file rx_file_perms;
-allow courier_$1_t bin_t:dir r_dir_perms;
-allow courier_$1_t fs_t:filesystem getattr;
-
-# set process group and allow permissions over-ride
-allow courier_$1_t self:process setpgid;
-allow courier_$1_t self:capability dac_override;
-
-# Use the network.
-can_network_server(courier_$1_t)
-allow courier_$1_t self:fifo_file { read write getattr };
-allow courier_$1_t self:unix_stream_socket create_stream_socket_perms;
-allow courier_$1_t self:unix_dgram_socket create_socket_perms;
-
-allow courier_$1_t null_device_t:chr_file rw_file_perms;
-
-# allow it to log to /dev/tty
-allow courier_$1_t devtty_t:chr_file rw_file_perms;
-
-allow courier_$1_t { usr_t etc_runtime_t }:file r_file_perms;
-allow courier_$1_t usr_t:dir r_dir_perms;
-allow courier_$1_t root_t:dir r_dir_perms;
-can_exec(courier_$1_t, courier_$1_exec_t)
-can_exec(courier_$1_t, bin_t)
-allow courier_$1_t bin_t:dir search;
-
-allow courier_$1_t proc_t:dir r_dir_perms;
-allow courier_$1_t proc_t:file r_file_perms;
-
-')dnl
-
-courier_domain(authdaemon, `, auth_chkpwd')
-allow courier_authdaemon_t sbin_t:dir search;
-allow courier_authdaemon_t lib_t:file { read getattr };
-allow courier_authdaemon_t tmp_t:dir getattr;
-allow courier_authdaemon_t self:file { getattr read };
-read_locale(courier_authdaemon_t)
-can_exec(courier_authdaemon_t, courier_exec_t)
-dontaudit courier_authdaemon_t selinux_config_t:dir search;
-
-# for SSP
-allow courier_authdaemon_t urandom_device_t:chr_file read;
-
-# should not be needed!
-allow courier_authdaemon_t home_root_t:dir search;
-allow courier_authdaemon_t user_home_dir_type:dir search;
-dontaudit courier_authdaemon_t sysadm_home_dir_t:dir search;
-allow courier_authdaemon_t self:unix_stream_socket connectto;
-allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
-
-courier_domain(tcpd)
-allow courier_tcpd_t self:capability { kill net_bind_service };
-allow courier_tcpd_t pop_port_t:tcp_socket name_bind;
-allow courier_tcpd_t sbin_t:dir search;
-allow courier_tcpd_t var_lib_t:dir search;
-# for TLS
-allow courier_tcpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
-read_locale(courier_tcpd_t)
-can_exec(courier_tcpd_t, courier_exec_t)
-allow courier_authdaemon_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
-allow courier_authdaemon_t courier_tcpd_t:process sigchld;
-
-can_tcp_connect(userdomain, courier_tcpd_t)
-rw_dir_create_file(courier_tcpd_t, courier_var_lib_t)
-
-# domain for pop and imap
-courier_domain(pop)
-read_locale(courier_pop_t)
-domain_auto_trans(courier_tcpd_t, courier_pop_exec_t, courier_pop_t)
-allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
-domain_auto_trans(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
-allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
-allow courier_authdaemon_t courier_tcpd_t:fd use;
-allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
-allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
-allow courier_pop_t courier_authdaemon_t:process sigchld;
-domain_auto_trans(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
-
-# inherits file handle - should it?
-allow courier_pop_t courier_var_lib_t:file { read write };
-
-# do the actual work (read the Maildir)
-# imap needs to write files
-allow courier_pop_t home_root_t:dir { getattr search };
-allow courier_pop_t user_home_dir_type:dir { getattr search };
-# pop does not need to create subdirs, IMAP does
-#rw_dir_create_file(courier_pop_t, user_home_type)
-create_dir_file(courier_pop_t, user_home_type)
-
-# for calendaring
-courier_domain(pcp)
-
-allow courier_pcp_t self:capability { setuid setgid };
-allow courier_pcp_t random_device_t:chr_file r_file_perms;
-
-# for webmail
-courier_domain(sqwebmail)
-ifdef(`crond.te', `
-system_crond_entry(sqwebmail_cron_exec_t, courier_sqwebmail_t)
-')
-read_sysctl(courier_sqwebmail_t)
diff --git a/mls/domains/program/unused/daemontools.te b/mls/domains/program/unused/daemontools.te
deleted file mode 100644
index b24a58c..0000000
--- a/mls/domains/program/unused/daemontools.te
+++ /dev/null
@@ -1,203 +0,0 @@
-#DESC Daemontools - Tools for managing UNIX services
-#
-# Author:  Petre Rodan <kaiowas@gentoo.org>
-# with the help of Chris PeBenito, Russell Coker and Tad Glines
-# 
-
-#
-# selinux policy for daemontools
-# http://cr.yp.to/daemontools.html
-#
-# thanks for D. J. Bernstein and the NSA team for the great software
-# they provide
-#
-
-##############################################################
-# type definitions
-
-type svc_conf_t, file_type, sysadmfile;
-type svc_log_t, file_type, sysadmfile;
-type svc_svc_t, file_type, sysadmfile;
-
-
-##############################################################
-# Macros
-define(`svc_filedir_domain', `
-create_dir_file($1, svc_svc_t)
-file_type_auto_trans($1, svc_svc_t, svc_svc_t);
-')
-
-##############################################################
-# the domains
-daemon_base_domain(svc_script)
-svc_filedir_domain(svc_script_t)
-
-# part started by initrc_t
-daemon_base_domain(svc_start)
-domain_auto_trans(init_t, svc_start_exec_t, svc_start_t)
-svc_filedir_domain(svc_start_t)
-
-# also get here from svc_script_t
-domain_auto_trans(svc_script_t, svc_start_exec_t, svc_start_t)
-
-# the domain for /service/*/run and /service/*/log/run
-daemon_sub_domain(svc_start_t, svc_run)
-r_dir_file(svc_run_t, svc_conf_t)
-
-# the logger
-daemon_sub_domain(svc_run_t, svc_multilog)
-file_type_auto_trans(svc_multilog_t, svc_log_t, svc_log_t, file);
-
-######
-# rules for all those domains
-
-# sysadm can tweak svc_run_exec_t files
-allow sysadm_t svc_run_exec_t:file create_file_perms;
-
-# run_init can control svc_script_t and svc_start_t domains
-domain_auto_trans(run_init_t, svc_script_exec_t, svc_script_t)
-domain_auto_trans(run_init_t, svc_start_exec_t, svc_start_t)
-allow initrc_t { svc_script_exec_t svc_start_exec_t }:file entrypoint;
-svc_filedir_domain(initrc_t)
-
-# svc_start_t
-allow svc_start_t self:fifo_file rw_file_perms;
-allow svc_start_t self:capability kill;
-allow svc_start_t self:unix_stream_socket create_socket_perms;
-
-allow svc_start_t { bin_t sbin_t etc_t }:dir r_dir_perms;
-allow svc_start_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
-allow svc_start_t { etc_t etc_runtime_t }:file r_file_perms;
-allow svc_start_t { var_t var_run_t }:dir search;
-can_exec(svc_start_t, bin_t)
-can_exec(svc_start_t, shell_exec_t)
-allow svc_start_t svc_start_exec_t:file { rx_file_perms execute_no_trans };
-allow svc_start_t svc_run_t:process signal;
-dontaudit svc_start_t proc_t:file r_file_perms;
-dontaudit svc_start_t devtty_t:chr_file { read write };
-
-# svc script
-allow svc_script_t self:capability sys_admin;
-allow svc_script_t self:fifo_file { getattr read write };
-allow svc_script_t self:file r_file_perms;
-allow svc_script_t { bin_t sbin_t var_t }:dir r_dir_perms;
-allow svc_script_t bin_t:lnk_file r_file_perms;
-can_exec(svc_script_t, bin_t)
-can_exec(svc_script_t, shell_exec_t)
-allow svc_script_t proc_t:file r_file_perms;
-allow svc_script_t shell_exec_t:file rx_file_perms;
-allow svc_script_t devtty_t:chr_file rw_file_perms;
-allow svc_script_t etc_runtime_t:file r_file_perms;
-allow svc_script_t svc_run_exec_t:file r_file_perms;
-allow svc_script_t svc_script_exec_t:file execute_no_trans;
-allow svc_script_t sysctl_kernel_t:dir r_dir_perms;
-allow svc_script_t sysctl_kernel_t:file r_file_perms;
-
-# svc_run_t
-allow svc_run_t self:capability { setgid setuid chown fsetid };
-allow svc_run_t self:fifo_file rw_file_perms;
-allow svc_run_t self:file r_file_perms;
-allow svc_run_t self:process { fork setrlimit };
-allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
-allow svc_run_t svc_svc_t:dir r_dir_perms;
-allow svc_run_t svc_svc_t:file r_file_perms;
-allow svc_run_t svc_run_exec_t:file { rx_file_perms execute_no_trans };
-allow svc_run_t { bin_t sbin_t etc_t }:dir r_dir_perms;
-allow svc_run_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
-allow svc_run_t { var_t var_run_t }:dir search;
-can_exec(svc_run_t, etc_t)
-can_exec(svc_run_t, lib_t)
-can_exec(svc_run_t, bin_t)
-can_exec(svc_run_t, sbin_t)
-can_exec(svc_run_t, ls_exec_t)
-can_exec(svc_run_t, shell_exec_t)
-allow svc_run_t devtty_t:chr_file rw_file_perms;
-allow svc_run_t etc_runtime_t:file r_file_perms;
-allow svc_run_t exec_type:{ file lnk_file } getattr;
-allow svc_run_t init_t:fd use;
-allow svc_run_t initrc_t:fd use;
-allow svc_run_t proc_t:file r_file_perms;
-allow svc_run_t sysctl_t:dir search;
-allow svc_run_t sysctl_kernel_t:dir r_dir_perms;
-allow svc_run_t sysctl_kernel_t:file r_file_perms;
-allow svc_run_t var_lib_t:dir r_dir_perms;
-
-# multilog creates /service/*/log/status
-allow svc_multilog_t svc_svc_t:dir { read search };
-allow svc_multilog_t svc_svc_t:file { append write };
-# writes to /var/log/*/*
-allow svc_multilog_t var_t:dir search;
-allow svc_multilog_t var_log_t:dir create_dir_perms;
-allow svc_multilog_t var_log_t:file create_file_perms;
-# misc
-allow svc_multilog_t init_t:fd use;
-allow svc_start_t svc_multilog_t:process signal;
-svc_ipc_domain(svc_multilog_t)
-
-################################################################
-# scripts that can be started by daemontools
-# keep it sorted please.
-
-ifdef(`apache.te', `
-domain_auto_trans(svc_run_t, httpd_exec_t, httpd_t)
-svc_ipc_domain(httpd_t)
-dontaudit httpd_t svc_svc_t:dir { search };
-')
-
-ifdef(`clamav.te', `
-domain_auto_trans(svc_run_t, clamd_exec_t, clamd_t)
-svc_ipc_domain(clamd_t)
-')
-
-ifdef(`clockspeed.te', `
-domain_auto_trans( svc_run_t, clockspeed_exec_t, clockspeed_t)
-svc_ipc_domain(clockspeed_t)
-r_dir_file(svc_run_t, clockspeed_var_lib_t)
-allow svc_run_t clockspeed_var_lib_t:fifo_file { rw_file_perms setattr };
-')
-
-ifdef(`dante.te', `
-domain_auto_trans( svc_run_t, dante_exec_t, dante_t);
-svc_ipc_domain(dante_t)
-')
-
-ifdef(`publicfile.te', `
-svc_ipc_domain(publicfile_t)
-')
-
-ifdef(`qmail.te', `
-allow svc_run_t qmail_start_exec_t:file rx_file_perms;
-domain_auto_trans(svc_run_t, qmail_start_exec_t, qmail_start_t)
-r_dir_file(svc_run_t, qmail_etc_t)
-svc_ipc_domain(qmail_send_t)
-svc_ipc_domain(qmail_start_t)
-svc_ipc_domain(qmail_queue_t)
-svc_ipc_domain(qmail_smtpd_t)
-')
-
-ifdef(`rsyncd.te', `
-domain_auto_trans(svc_run_t, rsyncd_exec_t, rsyncd_t)
-svc_ipc_domain(rsyncd_t)
-')
-
-ifdef(`spamd.te', `
-domain_auto_trans(svc_run_t, spamd_exec_t, spamd_t)
-svc_ipc_domain(spamd_t)
-')
-
-ifdef(`ssh.te', `
-domain_auto_trans(svc_run_t, sshd_exec_t, sshd_t)
-svc_ipc_domain(sshd_t)
-')
-
-ifdef(`stunnel.te', `
-domain_auto_trans( svc_run_t, stunnel_exec_t, stunnel_t)
-svc_ipc_domain(stunnel_t)
-')
-
-ifdef(`ucspi-tcp.te', `
-domain_auto_trans(svc_run_t, utcpserver_exec_t, utcpserver_t)
-allow svc_run_t utcpserver_t:process { signal };
-svc_ipc_domain(utcpserver_t)
-')
-
diff --git a/mls/domains/program/unused/dante.te b/mls/domains/program/unused/dante.te
deleted file mode 100644
index 70885ab..0000000
--- a/mls/domains/program/unused/dante.te
+++ /dev/null
@@ -1,23 +0,0 @@
-#DESC dante - socks daemon
-#
-# Author: petre rodan <kaiowas@gentoo.org>
-#
-
-type dante_conf_t, file_type, sysadmfile;
-
-daemon_domain(dante)
-can_network_server(dante_t)
-
-allow dante_t self:fifo_file { read write };
-allow dante_t self:capability { setuid setgid };
-allow dante_t self:unix_dgram_socket { connect create write };
-allow dante_t self:unix_stream_socket { connect create read setopt write };
-allow dante_t self:tcp_socket connect;
-
-allow dante_t socks_port_t:tcp_socket name_bind;
-
-allow dante_t { etc_t etc_runtime_t }:file r_file_perms;
-r_dir_file(dante_t, dante_conf_t)
-
-allow dante_t initrc_var_run_t:file { getattr write };
-
diff --git a/mls/domains/program/unused/dcc.te b/mls/domains/program/unused/dcc.te
deleted file mode 100644
index 4db79d0..0000000
--- a/mls/domains/program/unused/dcc.te
+++ /dev/null
@@ -1,251 +0,0 @@
-#
-# DCC - Distributed Checksum Clearinghouse
-# Author:  David Hampton <hampton@employees.org>
-#
-#
-# NOTE: DCC has writeable files in /etc/dcc that should probably be in
-# /var/lib/dcc.  For now this policy supports both directories being
-# writable.
-
-# Files common to all dcc programs
-type dcc_client_map_t, file_type, sysadmfile;
-type dcc_var_t, file_type, sysadmfile;
-type dcc_var_run_t, file_type, sysadmfile;
-
-
-##########
-##########
-
-#
-# common to all dcc variants
-#
-define(`dcc_common',`
-# Access files in /var/dcc. The map file can be updated
-r_dir_file($1_t, dcc_var_t)
-allow $1_t dcc_client_map_t:file rw_file_perms;
-
-# Read mtab, nsswitch and locale
-allow $1_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale($1_t)
-
-#Networking
-can_resolve($1_t)
-ifelse($2, `server', `
-can_network_udp($1_t)
-', `
-can_network_udp($1_t, `dcc_port_t')
-')
-allow $1_t self:unix_dgram_socket create_socket_perms;
-
-# Create private temp files
-tmp_domain($1)
-
-# Triggered by a call to gethostid(2) in dcc client libs
-allow $1_t self:unix_stream_socket { connect create };
-
-allow $1_t sysadm_su_t:process { sigchld };
-allow $1_t dcc_script_t:fd use;
-
-dontaudit $1_t kernel_t:fd use;
-dontaudit $1_t root_t:file read;
-')
-
-allow initrc_t dcc_var_run_t:dir rw_dir_perms;
-
-
-##########
-##########
-
-#
-# dccd - Server daemon that can be accessed over the net
-#
-daemon_domain(dccd, `, privlog, nscd_client_domain')
-dcc_common(dccd, server);
-
-# Runs the dbclean program
-allow dccd_t bin_t:dir search;
-domain_auto_trans(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
-
-# The daemon needs to listen on the dcc ports
-allow dccd_t dcc_port_t:udp_socket name_bind;
-
-# Updating dcc_db, flod, ...
-create_dir_file(dccd_t, dcc_var_t);
-
-allow dccd_t self:capability net_admin;
-allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-
-# Reading /proc/meminfo
-allow dccd_t proc_t:file { getattr read };
-
-
-#
-# cdcc - control dcc daemon
-#
-application_domain(cdcc, `, nscd_client_domain')
-role system_r types cdcc_t;
-dcc_common(cdcc)
-
-# suid program
-allow cdcc_t self:capability setuid;
-
-# Running from the command line
-allow cdcc_t sshd_t:fd use;
-allow cdcc_t sysadm_devpts_t:chr_file rw_file_perms;
-
-
-
-##########
-##########
-
-#
-# DCC Clients
-#
-
-#
-# dccifd  - Spamassassin and general MTA persistent client
-#
-daemon_domain(dccifd, `, privlog, nscd_client_domain')
-dcc_common(dccifd);
-file_type_auto_trans(dccifd_t, dcc_var_run_t, dccifd_var_run_t, file)
-
-# Allow the domain to communicate with other processes
-allow dccifd_t self:unix_stream_socket create_stream_socket_perms;
-
-# Updating dcc_db, flod, ...
-create_dir_notdevfile(dccifd_t, dcc_var_t);
-
-# Updating map, ...
-allow dccifd_t dcc_client_map_t:file rw_file_perms;
-
-# dccifd communications socket
-type dccifd_sock_t, file_type, sysadmfile;
-file_type_auto_trans(dccifd_t, dcc_var_t, dccifd_sock_t, sock_file)
-
-# Reading /proc/meminfo
-allow dccifd_t proc_t:file { getattr read };
-
-
-#
-# dccm  - sendmail milter client
-#
-daemon_domain(dccm, `, privlog, nscd_client_domain')
-dcc_common(dccm);
-file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_var_run_t, file)
-
-# Allow the domain to communicate with other processes
-allow dccm_t self:unix_stream_socket create_stream_socket_perms;
-
-# Updating map, ...
-create_dir_notdevfile(dccm_t, dcc_var_t);
-allow dccm_t dcc_client_map_t:file rw_file_perms;
-
-# dccm communications socket
-type dccm_sock_t, file_type, sysadmfile;
-file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_sock_t, sock_file)
-
-
-#
-# dccproc - dcc procmail interface
-#
-application_domain(dcc_client, `, privlog, nscd_client_domain')
-role system_r types dcc_client_t;
-dcc_common(dcc_client)
-
-# suid program
-allow dcc_client_t self:capability setuid;
-
-# Running from the command line
-allow dcc_client_t sshd_t:fd use;
-allow dcc_client_t sysadm_devpts_t:chr_file rw_file_perms;
-
-
-##########
-##########
-
-#
-# DCC Utilities
-#
-
-#
-# dbclean - database cleanup tool
-#
-application_domain(dcc_dbclean, `, nscd_client_domain')
-role system_r types dcc_dbclean_t;
-dcc_common(dcc_dbclean)
-
-# Updating various files.
-create_dir_file(dcc_dbclean_t, dcc_var_t);
-
-# wants to look at /proc/meminfo
-allow dcc_dbclean_t proc_t:dir search;
-allow dcc_dbclean_t proc_t:file { getattr read };
-
-# Running from the command line
-allow dcc_dbclean_t sshd_t:fd use;
-allow dcc_dbclean_t sysadm_devpts_t:chr_file rw_file_perms;
-
-##########
-##########
-
-#
-# DCC Startup scripts
-#
-# These are shell sccripts that start/stop/restart the various dcc
-# programs.
-#
-init_service_domain(dcc_script, `, nscd_client_domain')
-general_domain_access(dcc_script_t)
-general_proc_read_access(dcc_script_t)
-can_exec_any(dcc_script_t)
-dcc_common(dcc_script)
-
-# Allow calling the script from an init script (initrt_t)
-domain_auto_trans(initrc_t, dcc_script_exec_t, dcc_script_t)
-
-# Start up the daemon process.  These scripts run 'su' to change to
-# the dcc user (even though the default dcc user is root).
-allow dcc_script_t self:capability setuid;
-su_restricted_domain(dcc_script, system)
-role system_r types dcc_script_su_t;
-domain_auto_trans(dcc_script_su_t, dccd_exec_t, dccd_t)
-domain_auto_trans(dcc_script_su_t, dccm_exec_t, dccm_t)
-domain_auto_trans(dcc_script_su_t, dccifd_exec_t, dccifd_t)
-
-# Stop the daemon process
-allow dcc_script_t { dccifd_t dccm_t }:process { sigkill signal };
-
-# Access various DCC files
-allow dcc_script_t { var_t var_run_t dcc_var_run_t}:dir { getattr search };
-allow dcc_script_t { dccifd_var_run_t dccm_var_run_t }:file { getattr read };
-
-allow { dcc_script_t dcc_script_su_t } initrc_t:fd use;
-allow { dcc_script_t dcc_script_su_t } devpts_t:dir search;
-allow { dcc_script_t dcc_script_su_t } initrc_devpts_t:chr_file rw_file_perms;
-allow dcc_script_t devtty_t:chr_file { read write };
-allow dcc_script_su_t sysadm_home_dir_t:dir search;
-allow dcc_script_su_t sysadm_t:process { noatsecure rlimitinh siginh transition };
-allow dcc_script_su_t initrc_devpts_t:chr_file { relabelfrom relabelto };
-
-dontaudit dcc_script_su_t kernel_t:fd use;
-dontaudit dcc_script_su_t root_t:file read;
-dontaudit dcc_script_t { home_root_t user_home_dir_t}:dir { getattr search };
-
-allow sysadm_t dcc_script_t:fd use;
-
-##########
-##########
-
-#
-# External spam checkers need to run and/or talk to DCC
-#
-define(`access_dcc',`
-domain_auto_trans($1_t, dcc_client_exec_t, dcc_client_t);
-allow $1_t dcc_var_t:dir search;
-allow $1_t dccifd_sock_t:sock_file { getattr write };
-allow $1_t dccifd_t:unix_stream_socket connectto;
-allow $1_t dcc_script_t:unix_stream_socket connectto;
-')
-
-ifdef(`amavis.te',`access_dcc(amavisd)')
-ifdef(`spamd.te',`access_dcc(spamd)')
diff --git a/mls/domains/program/unused/ddclient.te b/mls/domains/program/unused/ddclient.te
deleted file mode 100644
index 29255f3..0000000
--- a/mls/domains/program/unused/ddclient.te
+++ /dev/null
@@ -1,44 +0,0 @@
-#DESC ddclient - Update dynamic IP address at DynDNS.org
-#
-# Author: Greg Norris <haphazard@kc.rr.com>
-# X-Debian-Packages: ddclient
-#
-
-#################################
-#
-# Rules for the ddclient_t domain.
-#
-daemon_domain(ddclient);
-type ddclient_etc_t, file_type, sysadmfile;
-type ddclient_var_t, file_type, sysadmfile;
-log_domain(ddclient)
-var_lib_domain(ddclient)
-
-base_file_read_access(ddclient_t)
-can_exec(ddclient_t, { shell_exec_t bin_t })
-
-# ddclient can be launched by pppd
-ifdef(`pppd.te',`domain_auto_trans(pppd_t, ddclient_exec_t, ddclient_t)')
-
-# misc. requirements
-allow ddclient_t self:fifo_file rw_file_perms;
-allow ddclient_t self:socket create_socket_perms;
-allow ddclient_t etc_t:file { getattr read };
-allow ddclient_t etc_runtime_t:file r_file_perms;
-allow ddclient_t ifconfig_exec_t:file { rx_file_perms execute_no_trans };
-allow ddclient_t urandom_device_t:chr_file read;
-general_proc_read_access(ddclient_t)
-allow ddclient_t sysctl_net_t:dir search;
-
-# network-related goodies
-can_network_client(ddclient_t)
-allow ddclient_t port_type:tcp_socket name_connect;
-allow ddclient_t self:unix_dgram_socket create_socket_perms;
-allow ddclient_t self:unix_stream_socket create_socket_perms;
-
-# allow access to ddclient.conf and ddclient.cache
-allow ddclient_t ddclient_etc_t:file r_file_perms;
-file_type_auto_trans(ddclient_t, var_t, ddclient_var_t)
-dontaudit ddclient_t devpts_t:dir search;
-dontaudit ddclient_t { devtty_t admin_tty_type user_tty_type }:chr_file rw_file_perms;
-dontaudit httpd_t selinux_config_t:dir search;
diff --git a/mls/domains/program/unused/distcc.te b/mls/domains/program/unused/distcc.te
deleted file mode 100644
index 56034f9..0000000
--- a/mls/domains/program/unused/distcc.te
+++ /dev/null
@@ -1,34 +0,0 @@
-#DESC distcc - Distributed compiler daemon
-#
-# Author: Chris PeBenito <pebenito@gentoo.org>
-#
-
-daemon_domain(distccd)
-can_network_server(distccd_t)
-can_ypbind(distccd_t)
-log_domain(distccd)
-tmp_domain(distccd)
-
-allow distccd_t distccd_port_t:tcp_socket name_bind;
-allow distccd_t self:capability { setgid setuid };
-
-# distccd can renice
-allow distccd_t self:process setsched;
-
-# compiler stuff
-allow distccd_t { bin_t sbin_t }:dir { search getattr };
-allow distccd_t { bin_t sbin_t }:lnk_file { getattr read };
-can_exec(distccd_t,bin_t)
-can_exec(distccd_t,lib_t)
-
-# comm stuff
-allow distccd_t net_conf_t:file r_file_perms;
-allow distccd_t self:{ unix_stream_socket unix_dgram_socket } { create connect read write };
-allow distccd_t self:fifo_file { read write getattr };
-
-# config access
-allow distccd_t { etc_t etc_runtime_t }:file r_file_perms;
-allow distccd_t proc_t:file r_file_perms;
-
-allow distccd_t var_t:dir search;
-allow distccd_t admin_tty_type:chr_file { ioctl read write };
diff --git a/mls/domains/program/unused/djbdns.te b/mls/domains/program/unused/djbdns.te
deleted file mode 100644
index 3e11395..0000000
--- a/mls/domains/program/unused/djbdns.te
+++ /dev/null
@@ -1,46 +0,0 @@
-# DESC selinux policy for djbdns
-# http://cr.yp.to/djbdns.html
-#
-# Author:  petre rodan <kaiowas@gentoo.org>
-#
-# this policy depends on ucspi-tcp and daemontools policies
-#
-
-ifdef(`daemontools.te', `
-ifdef(`ucspi-tcp.te', `
-
-define(`djbdns_daemon_domain', `
-type djbdns_$1_conf_t, file_type, sysadmfile;
-daemon_domain(djbdns_$1)
-domain_auto_trans( svc_run_t, djbdns_$1_exec_t, djbdns_$1_t)
-svc_ipc_domain(djbdns_$1_t)
-can_network(djbdns_$1_t)
-allow djbdns_$1_t port_type:tcp_socket name_connect;
-allow djbdns_$1_t dns_port_t:{ udp_socket tcp_socket } name_bind;
-allow djbdns_$1_t port_t:udp_socket name_bind;
-r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)
-allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
-allow djbdns_$1_t svc_svc_t:dir r_dir_perms;
-')
-
-define(`djbdns_tcpserver_domain', `
-type djbdns_$1_conf_t, file_type, sysadmfile;
-daemon_domain(djbdns_$1)
-domain_auto_trans(utcpserver_t, djbdns_$1_exec_t, djbdns_$1_t)
-svc_ipc_domain(djbdns_$1_t)
-allow utcpserver_t dns_port_t:{ udp_socket tcp_socket } name_bind;
-r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)
-allow djbdns_$1_t utcpserver_t:tcp_socket { read write };
-')
-
-djbdns_daemon_domain(dnscache)
-# read seed file
-allow djbdns_dnscache_t svc_svc_t:file r_file_perms;
-
-djbdns_daemon_domain(tinydns)
-
-djbdns_tcpserver_domain(axfrdns)
-r_dir_file(djbdns_axfrdns_t, djbdns_tinydns_t)
-
-') dnl ifdef ucspi-tcp.te
-') dnl ifdef daemontools.te
diff --git a/mls/domains/program/unused/dnsmasq.te b/mls/domains/program/unused/dnsmasq.te
deleted file mode 100644
index bdef592..0000000
--- a/mls/domains/program/unused/dnsmasq.te
+++ /dev/null
@@ -1,38 +0,0 @@
-#DESC dnsmasq - DNS forwarder and DHCP server
-#
-# Author: Greg Norris <haphazard@kc.rr.com>
-# X-Debian-Packages: dnsmasq
-#
-
-#################################
-#
-# Rules for the dnsmasq_t domain.
-#
-daemon_domain(dnsmasq);
-type dnsmasq_lease_t, file_type, sysadmfile;
-
-# misc. requirements
-allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw };
-allow dnsmasq_t urandom_device_t:chr_file read;
-
-# network-related goodies
-can_network_server(dnsmasq_t)
-can_ypbind(dnsmasq_t)
-allow dnsmasq_t self:packet_socket create_socket_perms;
-allow dnsmasq_t self:rawip_socket create_socket_perms;
-allow dnsmasq_t self:unix_dgram_socket create_socket_perms;
-allow dnsmasq_t self:unix_stream_socket create_stream_socket_perms;
-
-# UDP ports 53 and 67
-allow dnsmasq_t dhcpd_port_t:udp_socket name_bind;
-allow dnsmasq_t dns_port_t:{ tcp_socket udp_socket } name_bind;
-
-# By default, dnsmasq binds to the wildcard address to listen for DNS requests.
-# Comment out the following entry if you do not want to allow this behaviour.
-allow dnsmasq_t node_inaddr_any_t:udp_socket node_bind;
-
-# allow access to dnsmasq.conf
-allow dnsmasq_t etc_t:file r_file_perms;
-
-# dhcp leases
-file_type_auto_trans(dnsmasq_t, var_lib_t, dnsmasq_lease_t, file)
diff --git a/mls/domains/program/unused/dpkg.te b/mls/domains/program/unused/dpkg.te
deleted file mode 100644
index 4feb508..0000000
--- a/mls/domains/program/unused/dpkg.te
+++ /dev/null
@@ -1,414 +0,0 @@
-#DESC Dpkg - Debian package manager
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: dpkg
-#
-
-#################################
-#
-# Rules for the dpkg_t domain.
-#
-type dpkg_t, domain, admin, privlog, privmail, etc_writer, privmodule;
-type dpkg_exec_t, file_type, sysadmfile, exec_type;
-type dpkg_var_lib_t, file_type, sysadmfile;
-type dpkg_etc_t, file_type, sysadmfile, usercanread;
-type dpkg_lock_t, file_type, sysadmfile;
-type debconf_cache_t, file_type, sysadmfile;
-
-tmp_domain(dpkg)
-can_setfscreate(dpkg_t)
-can_exec(dpkg_t, { dpkg_exec_t bin_t shell_exec_t dpkg_tmp_t ls_exec_t dpkg_var_lib_t dpkg_etc_t sbin_t lib_t fsadm_exec_t })
-
-ifdef(`load_policy.te', `
-domain_auto_trans(dpkg_t, load_policy_exec_t, load_policy_t)
-')
-ifdef(`rlogind.te', `
-# for ssh
-can_exec(dpkg_t, rlogind_exec_t)
-')
-can_exec(dpkg_t, { init_exec_t etc_t })
-ifdef(`hostname.te', `
-can_exec(dpkg_t, hostname_exec_t)
-')
-ifdef(`mta.te', `
-allow system_mail_t dpkg_tmp_t:file { getattr read };
-')
-ifdef(`logrotate.te', `
-allow logrotate_t dpkg_var_lib_t:file create_file_perms;
-')
-
-# for open office
-can_exec(dpkg_t, usr_t)
-
-allow { dpkg_t apt_t install_menu_t } urandom_device_t:chr_file read;
-
-# for upgrading policycoreutils and loading policy
-allow dpkg_t security_t:dir { getattr search };
-allow dpkg_t security_t:file { getattr read };
-
-ifdef(`setfiles.te',
-`domain_auto_trans(dpkg_t, setfiles_exec_t, setfiles_t)')
-ifdef(`nscd.te', `domain_auto_trans(dpkg_t, nscd_exec_t, nscd_t)')
-ifdef(`modutil.te', `
-domain_auto_trans(dpkg_t, update_modules_exec_t, update_modules_t)
-domain_auto_trans(dpkg_t, depmod_exec_t, depmod_t)
-
-# for touch
-allow initrc_t modules_dep_t:file write;
-')
-ifdef(`ipsec.te', `
-allow { ipsec_mgmt_t ipsec_t } dpkg_t:fd use;
-allow ipsec_mgmt_t dpkg_t:fifo_file write;
-allow ipsec_mgmt_t dpkg_tmp_t:file { getattr write };
-allow ipsec_t dpkg_t:fifo_file { read write };
-domain_auto_trans(dpkg_t, ipsec_mgmt_exec_t, ipsec_mgmt_t)
-')
-ifdef(`cardmgr.te', `
-allow cardmgr_t dpkg_t:fd use;
-allow cardmgr_t dpkg_t:fifo_file write;
-domain_auto_trans(dpkg_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
-# for start-stop-daemon
-allow dpkg_t cardmgr_t:process signull;
-')
-ifdef(`mount.te', `
-domain_auto_trans(dpkg_t, mount_exec_t, mount_t)
-')
-ifdef(`mozilla.te', `
-# hate to do this, for mozilla install scripts
-can_exec(dpkg_t, mozilla_exec_t)
-')
-ifdef(`postfix.te', `
-domain_auto_trans(dpkg_t, postfix_master_exec_t, postfix_master_t)
-')
-ifdef(`apache.te', `
-domain_auto_trans(dpkg_t, httpd_exec_t, httpd_t)
-')
-ifdef(`named.te', `
-file_type_auto_trans(dpkg_t, named_zone_t, named_conf_t, file)
-')
-ifdef(`nsd.te', `
-allow nsd_crond_t initrc_t:fd use;
-allow nsd_crond_t initrc_devpts_t:chr_file { read write };
-domain_auto_trans(dpkg_t, nsd_exec_t, nsd_crond_t)
-')
-# because the syslogd package is broken and does not use the start scripts
-ifdef(`klogd.te', `
-domain_auto_trans(dpkg_t, klogd_exec_t, klogd_t)
-')
-ifdef(`syslogd.te', `
-domain_auto_trans(dpkg_t, syslogd_exec_t, syslogd_t)
-allow system_crond_t syslogd_t:dir search;
-allow system_crond_t syslogd_t:file { getattr read };
-allow system_crond_t syslogd_t:process signal;
-')
-# mysqld is broken too
-ifdef(`mysqld.te', `
-domain_auto_trans(dpkg_t, mysqld_exec_t, mysqld_t)
-can_unix_connect(dpkg_t, mysqld_t)
-allow mysqld_t dpkg_tmp_t:file { getattr read };
-')
-ifdef(`postgresql.te', `
-# because postgresql postinst creates scripts in /tmp and then runs them
-# also the init scripts do more than they should
-allow { initrc_t postgresql_t } dpkg_tmp_t:file write;
-# for "touch" when it tries to create the log file
-# this works for upgrades, maybe we should allow create access for first install
-allow initrc_t postgresql_log_t:file { write setattr };
-# for dumpall
-can_exec(postgresql_t, postgresql_db_t)
-')
-ifdef(`sysstat.te', `
-domain_auto_trans(dpkg_t, sysstat_exec_t, sysstat_t)
-')
-ifdef(`rpcd.te', `
-allow rpcd_t dpkg_t:fd use;
-allow rpcd_t dpkg_t:fifo_file { read write };
-')
-ifdef(`load_policy.te', `
-allow load_policy_t initrc_t:fifo_file { read write };
-')
-ifdef(`checkpolicy.te', `
-domain_auto_trans(dpkg_t, checkpolicy_exec_t, checkpolicy_t)
-role system_r types checkpolicy_t;
-allow checkpolicy_t initrc_t:fd use;
-allow checkpolicy_t initrc_t:fifo_file write;
-allow checkpolicy_t initrc_devpts_t:chr_file { read write };
-')
-ifdef(`amavis.te', `
-r_dir_file(initrc_t, dpkg_var_lib_t)
-')
-ifdef(`nessusd.te', `
-domain_auto_trans(dpkg_t, nessusd_exec_t, nessusd_t)
-')
-ifdef(`crack.te', `
-allow crack_t initrc_t:fd use;
-domain_auto_trans(dpkg_t, crack_exec_t, crack_t)
-')
-ifdef(`xdm.te', `
-domain_auto_trans(dpkg_t, xserver_exec_t, xdm_xserver_t)
-')
-ifdef(`clamav.te', `
-domain_auto_trans(dpkg_t, freshclam_exec_t, freshclam_t)
-')
-ifdef(`squid.te', `
-domain_auto_trans(dpkg_t, squid_exec_t, squid_t)
-')
-ifdef(`useradd.te', `
-domain_auto_trans(dpkg_t, useradd_exec_t, useradd_t)
-domain_auto_trans(dpkg_t, groupadd_exec_t, groupadd_t)
-role system_r types { useradd_t groupadd_t };
-')
-ifdef(`passwd.te', `
-domain_auto_trans(dpkg_t, chfn_exec_t, chfn_t)
-')
-ifdef(`ldconfig.te', `
-domain_auto_trans(dpkg_t, ldconfig_exec_t, ldconfig_t)
-')
-ifdef(`portmap.te', `
-# for pmap_dump
-domain_auto_trans(dpkg_t, portmap_exec_t, portmap_t)
-')
-
-# for apt
-type apt_t, domain, admin, privmail, web_client_domain;
-type apt_exec_t, file_type, sysadmfile, exec_type;
-type apt_var_lib_t, file_type, sysadmfile;
-type var_cache_apt_t, file_type, sysadmfile;
-etcdir_domain(apt)
-type apt_rw_etc_t, file_type, sysadmfile;
-tmp_domain(apt, `', `{ dir file lnk_file }')
-can_exec(apt_t, apt_tmp_t)
-ifdef(`crond.te', `
-allow system_crond_t apt_etc_t:file { getattr read };
-')
-
-rw_dir_create_file(apt_t, apt_rw_etc_t)
-
-allow { apt_t dpkg_t install_menu_t } device_t:dir { getattr search };
-
-dontaudit apt_t var_log_t:dir getattr;
-dontaudit apt_t var_run_t:dir search;
-
-# for rc files such as ~/.less
-r_dir_file(apt_t, sysadm_home_t)
-allow apt_t sysadm_home_dir_t:dir { search getattr };
-
-allow apt_t bin_t:lnk_file r_file_perms;
-
-rw_dir_create_file(apt_t, debconf_cache_t)
-r_dir_file(userdomain, debconf_cache_t)
-
-# for python
-read_sysctl(apt_t)
-read_sysctl(dpkg_t)
-
-allow dpkg_t console_device_t:chr_file rw_file_perms;
-
-allow apt_t self:unix_stream_socket create_socket_perms;
-
-allow dpkg_t domain:dir r_dir_perms;
-allow dpkg_t domain:{ file lnk_file } r_file_perms;
-
-# for shared objects that are not yet labelled (upgrades)
-allow { apt_t dpkg_t } lib_t:file execute;
-
-# when dpkg runs postinst scripts run them in initrc_t domain so that the
-# daemons are started in the correct context
-domain_auto_trans(dpkg_t, initrc_exec_t, initrc_t)
-
-ifdef(`bootloader.te', `
-domain_auto_trans(dpkg_t, bootloader_exec_t, bootloader_t)
-# for mkinitrd
-can_exec(bootloader_t, dpkg_exec_t)
-# for lilo to run dpkg
-allow bootloader_t dpkg_etc_t:file { getattr read };
-')
-
-# for kernel-image postinst
-dontaudit dpkg_t fixed_disk_device_t:blk_file read;
-
-# for /usr/lib/dpkg/controllib.pl calling getpwnam(3)
-dontaudit dpkg_t shadow_t:file { getattr read };
-
-# allow user domains to execute dpkg
-allow userdomain dpkg_exec_t:dir r_dir_perms;
-can_exec(userdomain, { dpkg_exec_t apt_exec_t })
-
-# allow everyone to read dpkg database
-allow userdomain var_lib_t:dir search;
-r_dir_file({ apt_t userdomain }, { dpkg_var_lib_t apt_var_lib_t var_cache_apt_t })
-
-# for /var/lib/dpkg/lock
-rw_dir_create_file(apt_t, dpkg_var_lib_t)
-
-ifdef(`crond.te', `
-rw_dir_create_file(system_crond_t, dpkg_var_lib_t)
-allow system_crond_t dpkg_etc_t:file r_file_perms;
-
-# for Debian cron job
-create_dir_file(system_crond_t, tetex_data_t)
-can_exec(dpkg_t, tetex_data_t)
-')
-
-r_dir_file(install_menu_t, { var_lib_t dpkg_var_lib_t lib_t })
-allow install_menu_t initrc_t:fifo_file { read write };
-allow { apt_t install_menu_t userdomain } dpkg_etc_t:file r_file_perms;
-can_exec(sysadm_t, dpkg_etc_t)
-
-# Inherit and use descriptors from open_init_pty
-allow { apt_t dpkg_t install_menu_t } initrc_t:fd use;
-dontaudit dpkg_t privfd:fd use;
-allow { apt_t dpkg_t install_menu_t } devpts_t:dir search;
-allow { apt_t dpkg_t install_menu_t } initrc_devpts_t:chr_file rw_file_perms;
-
-allow ifconfig_t dpkg_t:fd use;
-allow ifconfig_t dpkg_t:fifo_file { read write };
-
-uses_shlib({ dpkg_t apt_t })
-allow dpkg_t proc_t:dir r_dir_perms;
-allow dpkg_t proc_t:{ file lnk_file } r_file_perms;
-allow dpkg_t fs_t:filesystem getattr;
-
-allow dpkg_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource mknod linux_immutable };
-
-# for fgconsole - need policy for it
-allow dpkg_t self:capability sys_tty_config;
-
-allow dpkg_t self:unix_dgram_socket create_socket_perms;
-allow dpkg_t self:unix_stream_socket create_stream_socket_perms;
-can_unix_connect(dpkg_t, self)
-allow dpkg_t self:unix_dgram_socket sendto;
-allow dpkg_t self:unix_stream_socket connect;
-
-allow { dpkg_t apt_t } devtty_t:chr_file rw_file_perms;
-allow { dpkg_t apt_t } sysadm_tty_device_t:chr_file rw_file_perms;
-
-# dpkg really needs to be able to kill any process, unfortunate but true
-allow dpkg_t domain:process signal;
-allow dpkg_t sysadm_t:process sigchld;
-allow dpkg_t self:process { setpgid signal_perms fork getsched };
-
-# read/write/create any files in the system
-allow dpkg_t sysadmfile:dir create_dir_perms;
-allow dpkg_t sysadmfile:{ file fifo_file sock_file } create_file_perms;
-allow dpkg_t sysadmfile:lnk_file create_lnk_perms;
-allow dpkg_t device_type:{ chr_file blk_file } getattr;
-dontaudit dpkg_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
-allow dpkg_t proc_kmsg_t:file getattr;
-allow dpkg_t fs_type:dir getattr;
-
-# allow compiling and loading new policy
-create_dir_file(dpkg_t, { policy_src_t policy_config_t })
-
-# change to the apt_t domain on exec from dpkg_t (dselect)
-domain_auto_trans(dpkg_t, apt_exec_t, apt_t)
-
-# allow apt to change /var/lib/apt files
-allow apt_t { apt_var_lib_t var_cache_apt_t }:dir rw_dir_perms;
-allow apt_t { apt_var_lib_t var_cache_apt_t }:file create_file_perms;
-
-# allow apt to create /usr/lib/site-python/DebianControlParser.pyc
-rw_dir_create_file(apt_t, lib_t)
-
-# for apt-listbugs
-allow apt_t usr_t:file { getattr read ioctl };
-allow apt_t usr_t:lnk_file read;
-
-# allow /var/cache/apt/archives to be owned by non-root
-allow apt_t self:capability { chown dac_override fowner fsetid };
-
-can_exec(apt_t, { apt_exec_t bin_t sbin_t shell_exec_t })
-allow apt_t { bin_t sbin_t }:dir search;
-allow apt_t self:process { signal sigchld fork };
-allow apt_t sysadm_t:process sigchld;
-can_network({ apt_t dpkg_t })
-allow { apt_t dpkg_t } port_type:tcp_socket name_connect;
-can_ypbind({ apt_t dpkg_t })
-
-allow { apt_t dpkg_t } var_t:dir { search getattr };
-dontaudit apt_t { fs_type file_type }:dir getattr;
-allow { apt_t dpkg_t } { var_lib_t bin_t }:dir r_dir_perms;
-
-allow { apt_t dpkg_t } dpkg_lock_t:file { setattr rw_file_perms };
-
-# for /proc/meminfo and for "ps"
-allow apt_t { proc_t apt_t }:dir r_dir_perms;
-allow apt_t { proc_t apt_t }:{ file lnk_file } r_file_perms;
-allow apt_t self:fifo_file rw_file_perms;
-allow dpkg_t self:fifo_file rw_file_perms;
-
-allow apt_t etc_t:dir r_dir_perms;
-allow apt_t etc_t:file r_file_perms;
-allow apt_t etc_t:lnk_file read;
-read_locale(apt_t)
-r_dir_file(userdomain, apt_etc_t)
-
-# apt wants to check available disk space
-allow apt_t fs_t:filesystem getattr;
-allow apt_t etc_runtime_t:file r_file_perms;
-
-# auto transition from apt_t to dpkg_t because for 99% of Debian upgrades you
-# have apt run dpkg.
-# This means that getting apt_t access is almost as good as dpkg_t which has
-# as much power as sysadm_t...
-domain_auto_trans(apt_t, dpkg_exec_t, dpkg_t)
-
-# hack to allow update-menus/install-menu to manage menus
-type install_menu_t, domain, admin, etc_writer;
-type install_menu_exec_t, file_type, sysadmfile, exec_type;
-var_run_domain(install_menu)
-
-allow install_menu_t self:unix_stream_socket create_socket_perms;
-
-type debian_menu_t, file_type, sysadmfile;
-
-r_dir_file(userdomain, debian_menu_t)
-dontaudit install_menu_t sysadm_home_dir_t:dir search;
-create_dir_file(install_menu_t, debian_menu_t)
-allow install_menu_t dpkg_lock_t:file { setattr rw_file_perms };
-allow install_menu_t self:process signal;
-allow install_menu_t proc_t:dir search;
-allow install_menu_t proc_t:file r_file_perms;
-can_getcon(install_menu_t)
-can_exec(install_menu_t, { bin_t sbin_t shell_exec_t install_menu_exec_t dpkg_exec_t })
-allow install_menu_t { bin_t sbin_t }:dir search;
-allow install_menu_t bin_t:lnk_file read;
-
-# for menus
-allow install_menu_t usr_t:file r_file_perms;
-
-# for /etc/kde3/debian/kde-update-menu.sh
-can_exec(install_menu_t, etc_t)
-
-allow install_menu_t var_t:dir search;
-tmp_domain(install_menu)
-
-create_dir_file(install_menu_t, var_lib_t)
-ifdef(`xdm.te', `
-create_dir_file(install_menu_t, xdm_var_lib_t)
-')
-allow install_menu_t { var_spool_t etc_t }:dir rw_dir_perms;
-allow install_menu_t { var_spool_t etc_t }:file create_file_perms;
-allow install_menu_t self:fifo_file rw_file_perms;
-allow install_menu_t etc_runtime_t:file r_file_perms;
-allow install_menu_t devtty_t:chr_file rw_file_perms;
-allow install_menu_t fs_t:filesystem getattr;
-
-domain_auto_trans(dpkg_t, install_menu_exec_t, install_menu_t)
-allow dpkg_t install_menu_t:process signal_perms;
-
-allow install_menu_t privfd:fd use;
-uses_shlib(install_menu_t)
-
-allow install_menu_t self:process { fork sigchld };
-
-role system_r types { dpkg_t apt_t install_menu_t };
-
-#################################
-#
-# Rules for the run_deb_t domain.
-#
-#run_program(sysadm_t, sysadm_r, deb, dpkg_exec_t, dpkg_t)
-#domain_trans(run_deb_t, apt_exec_t, apt_t)
-domain_auto_trans(initrc_t, dpkg_exec_t, dpkg_t)
-domain_auto_trans(initrc_t, apt_exec_t, apt_t)
diff --git a/mls/domains/program/unused/ethereal.te b/mls/domains/program/unused/ethereal.te
deleted file mode 100644
index a56d321..0000000
--- a/mls/domains/program/unused/ethereal.te
+++ /dev/null
@@ -1,48 +0,0 @@
-# DESC - Ethereal  
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-# Type for executables
-type tethereal_exec_t, file_type, exec_type, sysadmfile;
-type ethereal_exec_t, file_type, exec_type, sysadmfile;
-
-########################################################
-# Tethereal 
-#
-
-# Type for program
-type tethereal_t, domain, nscd_client_domain;
-
-# Transition from sysadm type
-domain_auto_trans(sysadm_t, tethereal_exec_t, tethereal_t)
-role sysadm_r types tethereal_t;
-
-uses_shlib(tethereal_t)
-read_locale(tethereal_t)
-
-# Terminal output
-access_terminal(tethereal_t, sysadm)
-
-# /proc
-read_sysctl(tethereal_t)
-allow tethereal_t { self proc_t }:dir { read search getattr };
-allow tethereal_t { self proc_t }:{ file lnk_file } { read getattr };
-
-# Access root
-allow tethereal_t root_t:dir search;
-
-# Read ethereal files in /usr
-allow tethereal_t usr_t:file { read getattr };
-
-# /etc/nsswitch.conf
-allow tethereal_t etc_t:file { read getattr };
-
-# Ethereal sysadm rules
-ethereal_networking(tethereal)
-
-# FIXME: policy is incomplete
-
-#####################################
-# Ethereal (GNOME) policy can be found
-# in ethereal_macros.te 
diff --git a/mls/domains/program/unused/evolution.te b/mls/domains/program/unused/evolution.te
deleted file mode 100644
index c8a045e..0000000
--- a/mls/domains/program/unused/evolution.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# DESC - Evolution  
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-# Type for executables
-type evolution_exec_t, file_type, exec_type, sysadmfile;
-type evolution_server_exec_t, file_type, exec_type, sysadmfile;
-type evolution_webcal_exec_t, file_type, exec_type, sysadmfile;
-type evolution_alarm_exec_t, file_type, exec_type, sysadmfile;
-type evolution_exchange_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in macros/evolution_macros.te
-bool disable_evolution_trans false;
diff --git a/mls/domains/program/unused/exim.te b/mls/domains/program/unused/exim.te
deleted file mode 100644
index ccc6555..0000000
--- a/mls/domains/program/unused/exim.te
+++ /dev/null
@@ -1,309 +0,0 @@
-#DESC Exim - Mail server
-#
-# Author:  David Hampton <hampton@employees.org>
-# From postfix.te by Russell Coker <russell@coker.com.au>
-# Depends: mta.te
-#
-
-type exim_spool_t, file_type, sysadmfile;
-type exim_spool_db_t, file_type, sysadmfile;
-
-
-##########
-# Exim daemon
-##########
-daemon_domain(exim, `, mta_delivery_agent, mail_server_domain, mail_server_sender, nscd_client_domain, privlog, privhome', nosysadm)
-exim_common(exim);
-etcdir_domain(exim)
-logdir_domain(exim)
-########################################
-########################################
-role sysadm_r types exim_t;
-
-# Server side networking
-can_network_tcp(exim_t);
-allow exim_t { smtp_port_t amavisd_send_port_t }:tcp_socket name_bind;
-# The exim daemon gets to listen to mail coming back from amavisd
-# For identd lookups
-allow exim_t inetd_child_port_t:tcp_socket name_connect;
-allow exim_t self:unix_dgram_socket create_socket_perms;
-
-# Lock file between exim processes. Exim creates a lock file in /tmp
-# that doesn't transition to the exim_tmp_t domain for some reason,
-# thus the allow statement.
-tmp_domain(exim)
-allow exim_t tmp_t:file { getattr read };
-
-# Lock files for the actual mail delivery.  Exim wants to create a
-# 'hitching post' file in the same directory as the delivery file.
-# These are the additiona privileges over and above what's defined for
-# an mta_delivery_agent. Additional privs for maildir mail files
-allow exim_t mail_spool_t:dir remove_name;
-allow exim_t mail_spool_t:file { link setattr unlink write rename };
-
-# For access to users .forward files
-allow exim_t home_dir_type:dir { getattr search };
-
-allow exim_t self:capability { dac_read_search net_bind_service };
-
-# Create exim spool files, update spool database
-create_dir_file(exim_t, exim_spool_t)
-rw_dir_file(exim_t, exim_spool_db_t)
-
-# Start daemon/child processes
-can_exec(exim_t, exim_exec_t)
-
-allow exim_t sbin_t:dir r_dir_perms;
-
-# Read aliases file
-allow exim_t etc_aliases_t:file r_file_perms;
-
-#
-allow exim_t devpts_t:chr_file getattr;
-
-ifdef(`crond.te', `
-system_crond_entry(exim_exec_t, exim_t)
-domain_auto_trans(crond_t, exim_exec_t, exim_t)
-allow exim_t system_crond_tmp_t:file { getattr read append };
-#logwatch
-allow system_crond_t exim_log_t:file read;
-')
-
-# For squirrelmail
-ifdef(`httpd.te', `
-domain_auto_trans(httpd_sys_script_t, exim_exec_t, exim_t)
-allow exim_t httpd_t:fd use;
-allow exim_t httpd_t:process sigchld;
-allow exim_t httpd_log_t:file { append getattr };
-allow exim_t httpd_squirrelmail_t:file { append read };
-allow exim_t httpd_t:fifo_file { read write getattr };
-allow exim_t httpd_t:tcp_socket { read write };
-')
-
-########################################
-########################################
-
-
-##  --------------------------------------------------
-##		 exim_ro, exim_ro_net
-##
-##  Many of the subsequent applications call exim for
-##  the sole purpose of extracting configuration or
-##  other information.  Lock down the permissions on
-##  these instances to be pretty much read-only
-##  everything.
-##
-##  One of the applications calls exim only to
-##  determine whether an address is valid.  It does
-##  this by having exim attempt to deliver an empty
-##  message, without doing the actual deliver.
-##  These function are aplit out here to keep all the
-##  access controls on exim itself in poe part of the
-##  file.
-##  --------------------------------------------------
-
-define(`exim_ro_base', `
-application_domain($1)
-role system_r types $1_t;
-read_sysctl($1_t)
-r_dir_file($1_t, etc_t)		#for nsswitch.conf
-r_dir_file($1_t, var_spool_t)
-r_dir_file($1_t, exim_spool_t)
-allow $1_t devpts_t:chr_file { getattr read write };
-allow $1_t self:capability { dac_override setgid setuid };
-')
-
-exim_ro_base(exim_ro)
-dontaudit exim_ro_t self:unix_stream_socket { connect create };
-
-exim_ro_base(exim_ro_net)
-can_network(exim_ro_net_t)
-general_proc_read_access(exim_ro_net_t)
-read_locale(exim_ro_net_t)
-allow exim_ro_net_t mail_spool_t:dir search;
-allow exim_ro_net_t etc_aliases_t:file r_file_perms;
-allow exim_ro_net_t self:unix_stream_socket { create connect };
-
-
-
-
-##  --------------------------------------------------
-##  exim_helper_base
-##
-##  Define the base attributes for an exim helper
-##  program.
-##  --------------------------------------------------
-define(`exim_helper_base',`
-application_domain($1)
-role system_r types $1_t;
-can_exec_any($1_t)
-
-allow $1_t devpts_t:dir search;
-
-# Needed for perl
-general_domain_access($1_t)
-general_proc_read_access($1_t)
-allow $1_t urandom_device_t:chr_file read;
-allow $1_t { devtty_t devpts_t }:chr_file { read write ioctl };
-read_locale($1_t)
-allow $1_t sbin_t:dir r_dir_perms;
-')
-
-
-
-
-##  --------------------------------------------------
-##  exim_helper_script_base
-##  --------------------------------------------------
-define(`exim_helper_script_base',`
-exim_helper_base($1)
-
-# Needed for bash
-allow $1_t { devtty_t devpts_t }:chr_file { read write getattr };
-allow $1_t devpts_t:dir search;
-allow $1_t fs_t:filesystem getattr;
-rw_dir_create_file($1_t, tmp_t)		# Script uses a "here" document
-dontaudit $1_t etc_runtime_t:file { getattr read };	# mtab
-dontaudit $1_t selinux_config_t:dir { search };
-dontaudit $1_t selinux_config_t:file { getattr read };	# mtab
-allow $1_t var_spool_t:dir search;		# Needed to traverse to get to /var/spool/exim
-
-')
-
-
-##  --------------------------------------------------
-##  exicyclog
-##  --------------------------------------------------
-
-exim_helper_script_base(exicyclog)
-allow exicyclog_t self:capability { dac_override setuid setgid };
-create_dir_file(exicyclog_t, exim_log_t)
-allow exicyclog_t var_t:dir r_dir_perms;
-allow exicyclog_t var_log_t:dir r_dir_perms;
-allow exicyclog_t exim_spool_t:dir r_dir_perms;
-
-
-
-
-##  --------------------------------------------------
-##  exigrep
-##  --------------------------------------------------
-
-exim_helper_base(exigrep)
-allow exigrep_t self:capability dac_override;
-r_dir_file(exigrep_t, var_log_t)
-r_dir_file(exigrep_t, exim_log_t)
-
-
-
-
-##  --------------------------------------------------
-##  exipick
-##  --------------------------------------------------
-
-exim_helper_base(exipick)
-domain_auto_trans(exipick_t, exim_exec_t, exim_ro_t)
-r_dir_file(exipick_t, var_spool_t)
-r_dir_file(exipick_t, exim_spool_t)
-allow exipick_t self:capability dac_override;
-
-
-
-
-##  --------------------------------------------------
-##  exiqgrep
-##  --------------------------------------------------
-
-exim_helper_base(exiqgrep)
-domain_auto_trans(exiqgrep_t, exim_exec_t, exim_ro_t)
-
-
-
-application_domain(exim_lock)
-role system_r types exim_lock_t;
-
-
-##  --------------------------------------------------
-##  exiwhat
-##     1) Runs exim to extract config info
-##     2) Sends a signal to all running exim processes
-##     3) Collects the status files they drop in the spool directory
-##  --------------------------------------------------
-
-exim_helper_script_base(exiwhat)
-domain_auto_trans(exiwhat_t, exim_exec_t, exim_ro_t)
-allow exiwhat_t exim_spool_t:dir { rw_dir_perms };
-allow exiwhat_t exim_spool_t:file { r_file_perms unlink };
-
-# killall
-r_dir_file(exiwhat_t, exim_t)
-r_dir_file(exiwhat_t, selinux_config_t)
-allow exiwhat_t exim_t:process signal;
-allow exiwhat_t self:capability { dac_override kill sys_nice };
-
-dontaudit exiwhat_t file_type:dir search;
-dontaudit exiwhat_t file_type:file { getattr read };
-
-# rm
-allow exiwhat_t devpts_t:chr_file ioctl;
-
-
-
-
-##  --------------------------------------------------
-##  exim_check_access
-##     1) Runs exim to simulate mail receipt
-##     2) Checks on whether the mail address is allowed from the ip address
-##  --------------------------------------------------
-
-exim_helper_script_base(exim_checkaccess)
-domain_auto_trans(exim_checkaccess_t, exim_exec_t, exim_ro_net_t)
-allow exim_checkaccess_t exim_spool_t:dir { r_dir_perms };
-allow exim_checkaccess_t self:capability dac_override;
-
-
-
-
-
-##  --------------------------------------------------
-##  exim_helper
-##  --------------------------------------------------
-application_domain(exim_helper)
-domain_auto_trans(exim_helper_t, exim_exec_t, exim_ro_t)
-can_exec(exim_helper_t, bin_t)
-role system_r types exim_helper_t;
-general_domain_access(exim_helper_t)
-read_locale(exim_helper_t)
-
-allow exim_helper_t { devtty_t devpts_t }:chr_file { read write };
-
-# Have to walk through /var/log to get to /var/log/exim
-allow exim_helper_t var_t:dir r_dir_perms;
-r_dir_file(exim_helper_t, exim_log_t)
-
-
-
-
-
-
-##  --------------------------------------------------
-##  exim database maintenance programs
-##     exim_dump_db, exim_fixdb, exim_tidydb
-##  --------------------------------------------------
-define(`exim_db_base',`
-application_domain($1)
-role system_r types $1_t;
-read_locale($1_t)
-general_proc_read_access($1_t)
-allow $1_t devpts_t:chr_file { getattr read write };
-allow $1_t self:capability { dac_override setgid setuid };
-allow $1_t tmp_t:dir { getattr };
-r_dir_file($1_t, var_spool_t)
-r_dir_file($1_t, exim_spool_t)
-r_dir_file($1_t, exim_spool_db_t)
-dontaudit $1_t etc_runtime_t:file { getattr read };	# mtab
-')
-
-exim_db_base(exim_db_ro)
-exim_db_base(exim_db_rw)
-rw_dir_file(exim_db_rw_t, exim_spool_db_t)
diff --git a/mls/domains/program/unused/fontconfig.te b/mls/domains/program/unused/fontconfig.te
deleted file mode 100644
index 836470a..0000000
--- a/mls/domains/program/unused/fontconfig.te
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# Fontconfig related types 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-# Look in fontconfig_macros.te
diff --git a/mls/domains/program/unused/games.te b/mls/domains/program/unused/games.te
deleted file mode 100644
index dee046c..0000000
--- a/mls/domains/program/unused/games.te
+++ /dev/null
@@ -1,20 +0,0 @@
-#DESC Games - Miscellaneous games
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: bsdgames
-#
-
-# type for shared data from games
-type games_data_t, file_type, sysadmfile;
-
-# domain games_t is for system operation of games, generic games daemons and
-# games recovery scripts, also defines games_exec_t
-daemon_domain(games,,nosysadm)
-rw_dir_create_file(games_t, games_data_t)
-r_dir_file(initrc_t, games_data_t)
-
-# Run in user_t
-bool disable_games_trans false;
-
-# Everything else is in the x_client_domain macro in
-# macros/program/x_client_macros.te.
diff --git a/mls/domains/program/unused/gatekeeper.te b/mls/domains/program/unused/gatekeeper.te
deleted file mode 100644
index a1b464e..0000000
--- a/mls/domains/program/unused/gatekeeper.te
+++ /dev/null
@@ -1,51 +0,0 @@
-#DESC Gatekeeper - OpenH.323 voice over IP gate-keeper
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: opengate openh323gk
-#
-
-#################################
-#
-# Rules for the gatekeeper_t domain.
-#
-# gatekeeper_exec_t is the type of the gk executable.
-#
-daemon_domain(gatekeeper)
-
-# for SSP
-allow gatekeeper_t urandom_device_t:chr_file read;
-
-etc_domain(gatekeeper)
-allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
-logdir_domain(gatekeeper)
-
-# Use the network.
-can_network_server(gatekeeper_t)
-can_ypbind(gatekeeper_t)
-allow gatekeeper_t gatekeeper_port_t:{ udp_socket tcp_socket } name_bind;
-allow gatekeeper_t self:unix_stream_socket create_socket_perms;
-
-# for stupid symlinks
-tmp_domain(gatekeeper)
-
-# pthreads wants to know the kernel version
-read_sysctl(gatekeeper_t)
-
-allow gatekeeper_t etc_t:file { getattr read };
-
-allow gatekeeper_t etc_t:dir r_dir_perms;
-allow gatekeeper_t sbin_t:dir r_dir_perms;
-
-allow gatekeeper_t self:process setsched;
-allow gatekeeper_t self:fifo_file rw_file_perms;
-
-allow gatekeeper_t proc_t:file read;
-
-# for local users to run VOIP software
-can_udp_send(userdomain, gatekeeper_t)
-can_udp_send(gatekeeper_t, userdomain)
-can_tcp_connect(gatekeeper_t, userdomain)
-
-# this is crap, gk wants to create symlinks in /etc every time it starts and
-# remove them when it exits.
-#allow gatekeeper_t etc_t:dir rw_dir_perms;
diff --git a/mls/domains/program/unused/gconf.te b/mls/domains/program/unused/gconf.te
deleted file mode 100644
index e4dfa4b..0000000
--- a/mls/domains/program/unused/gconf.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# DESC - GConf preference daemon
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-# Type for executable
-type gconfd_exec_t, file_type, exec_type, sysadmfile;
-
-# Type for /etc files
-type gconf_etc_t, file_type, sysadmfile;
-
-# Everything else is in macros/gconfd_macros.te
diff --git a/mls/domains/program/unused/gift.te b/mls/domains/program/unused/gift.te
deleted file mode 100644
index 9e9786e..0000000
--- a/mls/domains/program/unused/gift.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# DESC - giFT file sharing tool
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-type gift_exec_t, file_type, exec_type, sysadmfile;
-type giftd_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in macros/program/gift_macros.te
diff --git a/mls/domains/program/unused/gnome-pty-helper.te b/mls/domains/program/unused/gnome-pty-helper.te
deleted file mode 100644
index 084aa68..0000000
--- a/mls/domains/program/unused/gnome-pty-helper.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#DESC Gnome Terminal - Helper program for GNOME x-terms
-#
-# Domains for the gnome-pty-helper program.
-# X-Debian-Packages: gnome-terminal
-#
-
-# Type for the gnome-pty-helper executable.
-type gph_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the gph_domain macro in
-# macros/program/gph_macros.te.
diff --git a/mls/domains/program/unused/gnome.te b/mls/domains/program/unused/gnome.te
deleted file mode 100644
index b45ea8e..0000000
--- a/mls/domains/program/unused/gnome.te
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# GNOME related types 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-# Look in gnome_macros.te
diff --git a/mls/domains/program/unused/gnome_vfs.te b/mls/domains/program/unused/gnome_vfs.te
deleted file mode 100644
index d4cabb6..0000000
--- a/mls/domains/program/unused/gnome_vfs.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# DESC - GNOME VFS Daemon
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-# Type for executable
-type gnome_vfs_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in macros/gnome_vfs_macros.te
diff --git a/mls/domains/program/unused/iceauth.te b/mls/domains/program/unused/iceauth.te
deleted file mode 100644
index f41ad9e..0000000
--- a/mls/domains/program/unused/iceauth.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC ICEauth - ICE authority file utility
-#
-# Domains for the iceauth program.
-#
-# Author: Ivan Gyurdiev <gyurdiev@redhat.com>
-#
-# iceauth_exec_t is the type of the xauth executable.
-#
-type iceauth_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in the iceauth_domain macro in
-# macros/program/iceauth_macros.te.
diff --git a/mls/domains/program/unused/imazesrv.te b/mls/domains/program/unused/imazesrv.te
deleted file mode 100644
index 27bae3f..0000000
--- a/mls/domains/program/unused/imazesrv.te
+++ /dev/null
@@ -1,29 +0,0 @@
-#DESC Imazesrv - Imaze Server
-#
-# Author:  Torsten Knodt <tk-selinux@datas-world.de>
-# based on games.te by Russell Coker <russell@coker.com.au>
-#
-
-# type for shared data from imazesrv
-type imazesrv_data_t, file_type, sysadmfile;
-type imazesrv_data_labs_t, file_type, sysadmfile;
-
-# domain imazesrv_t is for system operation of imazesrv
-# also defines imazesrv_exec_t
-daemon_domain(imazesrv)
-log_domain(imazesrv);
-
-r_dir_file(imazesrv_t, imazesrv_data_t)
-
-allow imazesrv_t imaze_port_t:tcp_socket name_bind;
-allow imazesrv_t imaze_port_t:udp_socket name_bind;
-
-create_append_log_file(imazesrv_t,imazesrv_log_t)
-
-can_network_server(imazesrv_t)
-
-allow imazesrv_t self:capability net_bind_service;
-
-r_dir_file(imazesrv_t, etc_t)
-
-general_domain_access(imazesrv_t)
diff --git a/mls/domains/program/unused/ircd.te b/mls/domains/program/unused/ircd.te
deleted file mode 100644
index c85390e..0000000
--- a/mls/domains/program/unused/ircd.te
+++ /dev/null
@@ -1,43 +0,0 @@
-#DESC Ircd - IRC server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: ircd dancer-ircd ircd-hybrid ircd-irc2 ircd-ircu
-#
-
-#################################
-#
-# Rules for the ircd_t domain.
-#
-# ircd_exec_t is the type of the slapd executable.
-#
-daemon_domain(ircd)
-
-allow ircd_t ircd_port_t:tcp_socket name_bind;
-
-etcdir_domain(ircd)
-
-logdir_domain(ircd)
-
-var_lib_domain(ircd)
-
-# Use the network.
-can_network_server(ircd_t)
-can_ypbind(ircd_t)
-#allow ircd_t self:fifo_file { read write };
-allow ircd_t self:unix_stream_socket create_socket_perms;
-allow ircd_t self:unix_dgram_socket create_socket_perms;
-
-allow ircd_t devtty_t:chr_file rw_file_perms;
-
-allow ircd_t sbin_t:dir search;
-
-allow ircd_t proc_t:file { getattr read };
-
-# read config files
-allow ircd_t { etc_t etc_runtime_t }:file { getattr read };
-allow ircd_t etc_t:lnk_file read;
-
-ifdef(`logrotate.te', `
-allow logrotate_t ircd_var_run_t:dir search;
-allow logrotate_t ircd_var_run_t:file { getattr read };
-')
diff --git a/mls/domains/program/unused/jabberd.te b/mls/domains/program/unused/jabberd.te
deleted file mode 100644
index aed3b81..0000000
--- a/mls/domains/program/unused/jabberd.te
+++ /dev/null
@@ -1,29 +0,0 @@
-#DESC jabberd - Jabber daemon
-#
-# Author: Colin Walters <walters@verbum.org>
-# X-Debian-Packages: jabber
-
-daemon_domain(jabberd)
-logdir_domain(jabberd)
-var_lib_domain(jabberd)
-
-allow jabberd_t jabber_client_port_t:tcp_socket name_bind;
-allow jabberd_t jabber_interserver_port_t:tcp_socket name_bind;
-
-allow jabberd_t etc_t:lnk_file read;
-allow jabberd_t { etc_t etc_runtime_t }:file { read getattr };
-
-# For SSL
-allow jabberd_t random_device_t:file r_file_perms;
-
-can_network_server(jabberd_t)
-can_ypbind(jabberd_t)
-
-allow jabberd_t self:unix_dgram_socket create_socket_perms;
-allow jabberd_t self:unix_stream_socket create_socket_perms;
-allow jabberd_t self:fifo_file { read write getattr };
-
-allow jabberd_t self:capability dac_override;
-
-# allow any user domain to connect to jabber
-can_tcp_connect(userdomain, jabberd_t)
diff --git a/mls/domains/program/unused/lcd.te b/mls/domains/program/unused/lcd.te
deleted file mode 100644
index 2e2eddf..0000000
--- a/mls/domains/program/unused/lcd.te
+++ /dev/null
@@ -1,35 +0,0 @@
-#DESC lcd - program for Cobalt LCD device
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#################################
-#
-# Rules for the lcd_t domain.
-#
-# lcd_t is the domain for the lcd program.
-# lcd_exec_t is the type of the corresponding program.
-#
-type lcd_t, domain, privlog;
-role sysadm_r types lcd_t;
-role system_r types lcd_t;
-uses_shlib(lcd_t)
-type lcd_exec_t, file_type, sysadmfile, exec_type;
-type lcd_device_t, file_type;
-
-# Transition into this domain when you run this program.
-domain_auto_trans(initrc_t, lcd_exec_t, lcd_t)
-domain_auto_trans(sysadm_t, lcd_exec_t, lcd_t)
-
-allow lcd_t lcd_device_t:chr_file rw_file_perms;
-
-# for /etc/locks/.lcd_lock
-lock_domain(lcd)
-allow lcd_t etc_t:lnk_file read;
-allow lcd_t var_t:dir search;
-
-# Access the terminal.
-allow lcd_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow lcd_t sysadm_gph_t:fd use;')
-allow lcd_t privfd:fd use;
-
diff --git a/mls/domains/program/unused/lrrd.te b/mls/domains/program/unused/lrrd.te
deleted file mode 100644
index b1916f1..0000000
--- a/mls/domains/program/unused/lrrd.te
+++ /dev/null
@@ -1,68 +0,0 @@
-#DESC LRRD - network-wide load graphing
-#
-# Author:  Erich Schubert <erich@debian.org>
-# X-Debian-Packages: lrrd-client, lrrd-server
-#
-
-#################################
-#
-# Rules for the lrrd_t domain.
-#
-# lrrd_exec_t is the type of the lrrd executable.
-#
-daemon_domain(lrrd)
-
-allow lrrd_t lrrd_var_run_t:sock_file create_file_perms;
-
-etcdir_domain(lrrd)
-type lrrd_var_lib_t, file_type, sysadmfile;
-
-log_domain(lrrd)
-tmp_domain(lrrd)
-
-# has cron jobs
-system_crond_entry(lrrd_exec_t, lrrd_t)
-allow crond_t lrrd_var_lib_t:dir search;
-
-# init script
-allow initrc_t lrrd_log_t:file { write append setattr ioctl };
-
-# allow to drop privileges and renice
-allow lrrd_t self:capability { setgid setuid };
-allow lrrd_t self:process { getsched setsched };
-
-allow lrrd_t urandom_device_t:chr_file { getattr read };
-allow lrrd_t proc_t:file { getattr read };
-allow lrrd_t usr_t:file { read ioctl };
-
-can_exec(lrrd_t, bin_t)
-allow lrrd_t bin_t:dir search;
-allow lrrd_t usr_t:lnk_file read;
-
-# Allow access to the lrrd databases
-create_dir_file(lrrd_t, lrrd_var_lib_t)
-allow lrrd_t var_lib_t:dir search;
-
-# read config files
-r_dir_file(initrc_t, lrrd_etc_t)
-allow lrrd_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
-# for accessing the output directory
-ifdef(`apache.te', `
-allow lrrd_t httpd_sys_content_t:dir search;
-')
-
-allow lrrd_t etc_t:dir search;
-
-can_unix_connect(sysadm_t, lrrd_t)
-can_unix_connect(lrrd_t, lrrd_t)
-can_unix_send(lrrd_t, lrrd_t)
-can_network_server(lrrd_t)
-can_ypbind(lrrd_t)
-
-ifdef(`logrotate.te', `
-r_dir_file(logrotate_t, lrrd_etc_t)
-allow logrotate_t lrrd_var_lib_t:dir search;
-allow logrotate_t lrrd_var_run_t:dir search;
-allow logrotate_t lrrd_var_run_t:sock_file write;
-can_unix_connect(logrotate_t, lrrd_t)
-')
diff --git a/mls/domains/program/unused/monopd.te b/mls/domains/program/unused/monopd.te
deleted file mode 100644
index 3512592..0000000
--- a/mls/domains/program/unused/monopd.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC MonopD - Monopoly Daemon
-#
-# Author: Torsten Knodt <tk-selinux@datas-world.de>
-# based on the dhcpd_t policy from:
-#          Russell Coker <russell@coker.com.au>
-#
-
-#################################
-#
-# Rules for the monopd_t domain.
-#
-daemon_domain(monopd)
-etc_domain(monopd)
-typealias monopd_etc_t alias etc_monopd_t;
-
-type monopd_share_t, file_type, sysadmfile;
-typealias monopd_share_t alias share_monopd_t;
-
-# Use the network.
-can_network_server(monopd_t)
-can_ypbind(monopd_t)
-
-allow monopd_t monopd_port_t:tcp_socket name_bind;
-
-r_dir_file(monopd_t,share_monopd_t)
-
-allow monopd_t self:unix_dgram_socket create_socket_perms;
-allow monopd_t self:unix_stream_socket create_socket_perms;
-
-r_dir_file(monopd_t, etc_t)
diff --git a/mls/domains/program/unused/mozilla.te b/mls/domains/program/unused/mozilla.te
deleted file mode 100644
index f286ea0..0000000
--- a/mls/domains/program/unused/mozilla.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#DESC Netscape - Web browser
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
-# X-Debian-Packages: mozilla
-#
-
-# Type for the netscape, mozilla or other browser executables.
-type mozilla_exec_t, file_type, sysadmfile, exec_type;
-type mozilla_conf_t, file_type, sysadmfile;
-
-# Run in user_t
-bool disable_mozilla_trans false;
-
-# Everything else is in the mozilla_domain macro in
-# macros/program/mozilla_macros.te.
diff --git a/mls/domains/program/unused/mplayer.te b/mls/domains/program/unused/mplayer.te
deleted file mode 100644
index 194c807..0000000
--- a/mls/domains/program/unused/mplayer.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#DESC mplayer - media player 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-# Type for the mplayer executable.
-type mplayer_exec_t, file_type, exec_type, sysadmfile;
-type mencoder_exec_t, file_type, exec_type, sysadmfile;
-type mplayer_etc_t, file_type, sysadmfile;
-
-# Allow mplayer executable stack
-bool allow_mplayer_execstack false;
-
-# Everything else is in the mplayer_domain macro in
-# macros/program/mplayer_macros.te.
diff --git a/mls/domains/program/unused/nagios.te b/mls/domains/program/unused/nagios.te
deleted file mode 100644
index 9d540c8..0000000
--- a/mls/domains/program/unused/nagios.te
+++ /dev/null
@@ -1,90 +0,0 @@
-#DESC Net Saint / NAGIOS - network monitoring server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: netsaint, nagios
-# Depends: mta.te
-#
-
-#################################
-#
-# Rules for the nagios_t domain.
-#
-# nagios_exec_t is the type of the netsaint/nagios executable.
-#
-daemon_domain(nagios, `, privmail')
-
-etcdir_domain(nagios)
-
-logdir_domain(nagios)
-allow nagios_t nagios_log_t:fifo_file create_file_perms;
-allow initrc_t nagios_log_t:dir rw_dir_perms;
-
-tmp_domain(nagios)
-allow system_mail_t nagios_tmp_t:file { getattr read };
-# for open file handles
-dontaudit system_mail_t nagios_etc_t:file read;
-dontaudit system_mail_t nagios_log_t:fifo_file read;
-
-# Use the network.
-allow nagios_t self:fifo_file rw_file_perms;
-allow nagios_t self:unix_stream_socket create_socket_perms;
-allow nagios_t self:unix_dgram_socket create_socket_perms;
-
-# Use capabilities
-allow nagios_t self:capability { dac_override setgid setuid };
-allow nagios_t self:process setpgid;
-
-allow nagios_t { bin_t sbin_t }:dir search;
-allow nagios_t bin_t:lnk_file read;
-can_exec(nagios_t, { shell_exec_t bin_t })
-
-allow nagios_t proc_t:file { getattr read };
-
-can_network_server(nagios_t)
-can_ypbind(nagios_t)
-
-# read config files
-allow nagios_t { etc_t etc_runtime_t }:file { getattr read };
-allow nagios_t etc_t:lnk_file read;
-
-allow nagios_t etc_t:dir r_dir_perms;
-
-# for ps
-r_dir_file(nagios_t, domain)
-allow nagios_t boot_t:dir search;
-allow nagios_t system_map_t:file { getattr read };
-
-# for who
-allow nagios_t initrc_var_run_t:file { getattr read lock };
-
-system_domain(nagios_cgi)
-allow nagios_cgi_t device_t:dir search;
-r_dir_file(nagios_cgi_t, nagios_etc_t)
-allow nagios_cgi_t var_log_t:dir search;
-r_dir_file(nagios_cgi_t, nagios_log_t)
-allow nagios_cgi_t self:process { fork signal_perms };
-allow nagios_cgi_t self:fifo_file rw_file_perms;
-allow nagios_cgi_t bin_t:dir search;
-can_exec(nagios_cgi_t, bin_t)
-read_locale(nagios_cgi_t)
-
-# for ps
-allow nagios_cgi_t { etc_runtime_t etc_t }:file { getattr read };
-r_dir_file(nagios_cgi_t, { proc_t self nagios_t })
-allow nagios_cgi_t boot_t:dir search;
-allow nagios_cgi_t system_map_t:file { getattr read };
-dontaudit nagios_cgi_t domain:dir getattr;
-allow nagios_cgi_t self:unix_stream_socket create_socket_perms;
-
-ifdef(`apache.te', `
-r_dir_file(httpd_t, nagios_etc_t)
-domain_auto_trans({ httpd_t httpd_suexec_t }, nagios_cgi_exec_t, nagios_cgi_t)
-allow nagios_cgi_t httpd_log_t:file append;
-')
-
-ifdef(`ping.te', `
-domain_auto_trans(nagios_t, ping_exec_t, ping_t)
-allow nagios_t ping_t:process { sigkill signal };
-dontaudit ping_t nagios_etc_t:file read;
-dontaudit ping_t nagios_log_t:fifo_file read;
-')
diff --git a/mls/domains/program/unused/nessusd.te b/mls/domains/program/unused/nessusd.te
deleted file mode 100644
index 65d89e1..0000000
--- a/mls/domains/program/unused/nessusd.te
+++ /dev/null
@@ -1,54 +0,0 @@
-#DESC Nessus network scanning daemon
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: nessus
-#
-
-#################################
-#
-# Rules for the nessusd_t domain.
-#
-# nessusd_exec_t is the type of the nessusd executable.
-#
-daemon_domain(nessusd)
-
-etc_domain(nessusd)
-type nessusd_db_t, file_type, sysadmfile;
-
-allow nessusd_t nessus_port_t:tcp_socket name_bind;
-
-#tmp_domain(nessusd)
-
-# Use the network.
-can_network(nessusd_t)
-allow nessusd_t port_type:tcp_socket name_connect;
-can_ypbind(nessusd_t)
-allow nessusd_t self:unix_stream_socket create_socket_perms;
-#allow nessusd_t self:unix_dgram_socket create_socket_perms;
-
-# why ioctl on /dev/urandom?
-allow nessusd_t random_device_t:chr_file { getattr read ioctl };
-allow nessusd_t self:{ rawip_socket packet_socket } create_socket_perms;
-allow nessusd_t self:capability net_raw;
-
-# for nmap etc
-allow nessusd_t { bin_t sbin_t }:dir search;
-allow nessusd_t bin_t:lnk_file read;
-can_exec(nessusd_t, bin_t)
-allow nessusd_t self:fifo_file { getattr read write };
-
-# allow user domains to connect to nessusd
-can_tcp_connect(userdomain, nessusd_t)
-
-allow nessusd_t self:process setsched;
-
-allow nessusd_t proc_t:file { getattr read };
-
-# Allow access to the nessusd authentication database
-create_dir_file(nessusd_t, nessusd_db_t)
-allow nessusd_t var_lib_t:dir r_dir_perms;
-
-# read config files
-allow nessusd_t { etc_t etc_runtime_t }:file r_file_perms;
-
-logdir_domain(nessusd)
diff --git a/mls/domains/program/unused/nrpe.te b/mls/domains/program/unused/nrpe.te
deleted file mode 100644
index 87d1a02..0000000
--- a/mls/domains/program/unused/nrpe.te
+++ /dev/null
@@ -1,40 +0,0 @@
-# DESC nrpe - Nagios Remote Plugin Execution
-#
-# Author: Thomas Bleher <ThomasBleher@gmx.de>
-#
-# Depends: tcpd.te
-# X-Debian-Packages: nagios-nrpe-server
-#
-# This policy assumes that nrpe is called from inetd
-
-daemon_base_domain(nrpe)
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, nrpe_exec_t, nrpe_t)
-')
-domain_auto_trans(inetd_t, nrpe_exec_t, nrpe_t)
-
-allow nrpe_t urandom_device_t:chr_file { getattr ioctl read };
-
-allow nrpe_t self:fifo_file rw_file_perms;
-allow nrpe_t self:unix_dgram_socket create_socket_perms;
-# use sockets inherited from inetd
-allow nrpe_t inetd_t:tcp_socket { ioctl read write };
-allow nrpe_t devtty_t:chr_file { read write };
-
-allow nrpe_t self:process setpgid;
-
-etc_domain(nrpe)
-read_locale(nrpe_t)
-
-# permissions for the scripts executed by nrpe
-#
-# call shell programs
-can_exec(nrpe_t, { bin_t shell_exec_t ls_exec_t })
-allow nrpe_t { bin_t sbin_t }:dir search;
-# for /bin/sh
-allow nrpe_t bin_t:lnk_file read;
-
-# read /proc/meminfo, /proc/self/mounts and /etc/mtab
-allow nrpe_t { self proc_t etc_runtime_t }:file { getattr read };
-
-# you will have to add more permissions here, depending on the scripts you call!
diff --git a/mls/domains/program/unused/nsd.te b/mls/domains/program/unused/nsd.te
deleted file mode 100644
index 2aa35c5..0000000
--- a/mls/domains/program/unused/nsd.te
+++ /dev/null
@@ -1,102 +0,0 @@
-#DESC Authoritative only name server
-#
-# Author: Russell Coker
-# X-Debian-Packages: nsd
-# 
-#
-
-#################################
-#
-# Rules for the nsd_t domain.
-#
-
-daemon_domain(nsd)
-
-# a type for nsd.db
-type nsd_db_t, file_type, sysadmfile;
-
-# for zone update cron job
-type nsd_crond_t, domain, privlog;
-role system_r types nsd_crond_t;
-uses_shlib(nsd_crond_t)
-can_network_client(nsd_crond_t)
-allow nsd_crond_t port_type:tcp_socket name_connect;
-can_ypbind(nsd_crond_t)
-allow nsd_crond_t self:unix_dgram_socket create_socket_perms;
-allow nsd_crond_t self:process { fork signal_perms };
-system_crond_entry(nsd_exec_t, nsd_crond_t)
-allow nsd_crond_t { proc_t etc_runtime_t }:file { getattr read };
-allow nsd_crond_t proc_t:lnk_file { getattr read };
-allow nsd_crond_t { bin_t sbin_t }:dir search;
-can_exec(nsd_crond_t, { nsd_exec_t bin_t sbin_t shell_exec_t })
-allow nsd_crond_t { bin_t sbin_t shell_exec_t }:file getattr;
-allow nsd_crond_t bin_t:lnk_file read;
-read_locale(nsd_crond_t)
-allow nsd_crond_t self:fifo_file rw_file_perms;
-# kill capability for root cron job and non-root daemon
-allow nsd_crond_t self:capability { dac_override kill };
-allow nsd_crond_t nsd_t:process signal;
-dontaudit nsd_crond_t sysadm_home_dir_t:dir { search getattr };
-dontaudit nsd_crond_t self:capability sys_nice;
-dontaudit nsd_crond_t domain:dir search;
-allow nsd_crond_t self:process setsched;
-can_ps(nsd_crond_t, nsd_t)
-
-file_type_auto_trans(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
-file_type_auto_trans({ nsd_t nsd_crond_t }, nsd_zone_t, nsd_db_t, file)
-allow nsd_crond_t var_lib_t:dir search;
-
-allow nsd_crond_t nsd_conf_t:file { getattr read ioctl };
-allow nsd_crond_t nsd_zone_t:dir rw_dir_perms;
-allow nsd_crond_t proc_t:dir r_dir_perms;
-allow nsd_crond_t device_t:dir search;
-allow nsd_crond_t devtty_t:chr_file rw_file_perms;
-allow nsd_crond_t etc_t:file { getattr read };
-allow nsd_crond_t etc_t:lnk_file read;
-allow nsd_crond_t { var_t var_run_t }:dir search;
-allow nsd_crond_t nsd_var_run_t:file { getattr read };
-
-# for SSP
-allow nsd_crond_t urandom_device_t:chr_file read;
-
-# A type for configuration files of nsd
-type nsd_conf_t, file_type, sysadmfile;
-# A type for zone files
-type nsd_zone_t, file_type, sysadmfile;
-
-r_dir_file(nsd_t, { nsd_conf_t nsd_zone_t })
-# zone files may be in /var/lib/nsd
-allow nsd_t var_lib_t:dir search;
-r_dir_file(initrc_t, nsd_conf_t)
-allow nsd_t etc_runtime_t:file { getattr read };
-allow nsd_t proc_t:file { getattr read };
-allow nsd_t { sbin_t bin_t }:dir search;
-can_exec(nsd_t, { nsd_exec_t bin_t })
-
-# Use capabilities.  chown is for chowning /var/run/nsd.pid
-allow nsd_t self:capability { dac_override chown setuid setgid net_bind_service };
-
-allow nsd_t etc_t:{ file lnk_file } { getattr read };
-
-# nsd can use network
-can_network_server(nsd_t)
-can_ypbind(nsd_t)
-# allow client access from caching BIND
-ifdef(`named.te', `
-can_udp_send(named_t, nsd_t)
-can_udp_send(nsd_t, named_t)
-can_tcp_connect(named_t, nsd_t)
-')
-
-# if you want to allow all programs to contact the primary name server
-#can_udp_send(domain, nsd_t)
-#can_udp_send(nsd_t, domain)
-#can_tcp_connect(domain, nsd_t)
-
-# Bind to the named port.
-allow nsd_t dns_port_t:udp_socket name_bind;
-allow nsd_t dns_port_t:tcp_socket name_bind;
-
-allow nsd_t self:unix_stream_socket create_stream_socket_perms;
-allow nsd_t self:unix_dgram_socket create_socket_perms;
-
diff --git a/mls/domains/program/unused/nx_server.te b/mls/domains/program/unused/nx_server.te
deleted file mode 100644
index a6e723a..0000000
--- a/mls/domains/program/unused/nx_server.te
+++ /dev/null
@@ -1,70 +0,0 @@
-# DESC NX - NX Server
-#
-# Author: Thomas Bleher <ThomasBleher@gmx.de>
-#
-# Depends: sshd.te
-#
-
-# Type for the nxserver executable, called from ssh
-type nx_server_exec_t, file_type, sysadmfile, exec_type;
-
-# type of the nxserver; userdomain is needed so sshd can transition
-type nx_server_t, domain, userdomain;
-
-# we need an extra role because nxserver is called from sshd
-role nx_server_r types nx_server_t;
-allow system_r nx_server_r;
-domain_trans(sshd_t, nx_server_exec_t, nx_server_t)
-
-# not really sure if the additional attributes are needed, copied from userdomains
-can_create_pty(nx_server, `, userpty_type, user_tty_type')
-type_change nx_server_t server_pty:chr_file nx_server_devpts_t;
-
-uses_shlib(nx_server_t)
-read_locale(nx_server_t)
-
-tmp_domain(nx_server)
-var_run_domain(nx_server)
-
-# nxserver is a shell script --> call other programs
-can_exec(nx_server_t, { bin_t shell_exec_t })
-allow nx_server_t self:process { fork sigchld };
-allow nx_server_t self:fifo_file { getattr ioctl read write };
-allow nx_server_t bin_t:dir { getattr read search };
-allow nx_server_t bin_t:lnk_file read;
-
-r_dir_file(nx_server_t, proc_t)
-allow nx_server_t { etc_t etc_runtime_t }:file { getattr read };
-
-# we do not actually need this attribute or the types defined here, 
-# but otherwise we cannot call the ssh_domain-macro
-attribute nx_server_file_type;
-type nx_server_home_dir_t alias nx_server_home_t;
-type nx_server_xauth_home_t;
-type nx_server_tty_device_t;
-type nx_server_gph_t;
-type nx_server_fonts_cache_t;
-type nx_server_fonts_t;
-type nx_server_fonts_config_t;
-type nx_server_gnome_settings_t;
-
-ssh_domain(nx_server)
-
-can_network_client(nx_server_t)
-allow nx_server_t port_type:tcp_socket name_connect;
-
-allow nx_server_t devtty_t:chr_file { read write };
-allow nx_server_t sysctl_kernel_t:dir search;
-allow nx_server_t sysctl_kernel_t:file { getattr read };
-allow nx_server_t urandom_device_t:chr_file read;
-# for reading the config files; maybe a separate type, 
-# but users need to be able to also read the config
-allow nx_server_t usr_t:file { getattr read };
-
-dontaudit nx_server_t selinux_config_t:dir search;
-
-# clients already have create permissions; the nxclient wants to also have unlink rights
-allow userdomain xdm_tmp_t:sock_file unlink;
-# for a lockfile created by the client process
-allow nx_server_t user_tmpfile:file getattr;
-
diff --git a/mls/domains/program/unused/oav-update.te b/mls/domains/program/unused/oav-update.te
deleted file mode 100644
index a9843c6..0000000
--- a/mls/domains/program/unused/oav-update.te
+++ /dev/null
@@ -1,38 +0,0 @@
-#DESC Oav - Anti-virus update program
-#
-# Author:  Brian May <bam@snoopy.apana.org.au>
-# X-Debian-Packages:
-#
-
-type oav_update_var_lib_t, file_type, sysadmfile;
-type oav_update_exec_t, file_type, sysadmfile, exec_type;
-type oav_update_etc_t, file_type, sysadmfile;
-
-# Derived domain based on the calling user domain and the program.
-type oav_update_t, domain, privlog;
-
-# Transition from the sysadm domain to the derived domain.
-role sysadm_r types oav_update_t;
-domain_auto_trans(sysadm_t, oav_update_exec_t, oav_update_t)
-
-# Transition from the sysadm domain to the derived domain.
-role system_r types oav_update_t;
-system_crond_entry(oav_update_exec_t, oav_update_t)
-
-# Uses shared librarys
-uses_shlib(oav_update_t)
-
-# Run helper programs.
-can_exec_any(oav_update_t,bin_t)
-
-# Can read /etc/oav-update/* files
-allow oav_update_t oav_update_etc_t:dir r_dir_perms;
-allow oav_update_t oav_update_etc_t:file r_file_perms;
-
-# Can read /var/lib/oav-update/current
-allow oav_update_t oav_update_var_lib_t:dir create_dir_perms;
-allow oav_update_t oav_update_var_lib_t:file create_file_perms;
-allow oav_update_t oav_update_var_lib_t:lnk_file r_file_perms;
-
-# Can download via network
-can_network_server(oav_update_t)
diff --git a/mls/domains/program/unused/openca-ca.te b/mls/domains/program/unused/openca-ca.te
deleted file mode 100644
index 411c61d..0000000
--- a/mls/domains/program/unused/openca-ca.te
+++ /dev/null
@@ -1,134 +0,0 @@
-#DESC OpenCA - Open Certificate Authority
-#
-# Author:  Brian May <bam@snoopy.apana.org.au>
-# X-Debian-Packages:
-# Depends: apache.te
-#
-
-#################################
-#
-# domain for openCA cgi-bin scripts.
-#
-# Type that system CGI scripts run as
-#
-type openca_ca_t, domain;
-role system_r types openca_ca_t;
-uses_shlib(openca_ca_t)
-
-# Types that system CGI scripts on the disk are 
-# labeled with
-#
-type openca_ca_exec_t, file_type, sysadmfile;
-
-# When the server starts the script it needs to get the proper context
-#
-domain_auto_trans(httpd_t, openca_ca_exec_t, openca_ca_t)
-
-#
-# Allow httpd daemon to search /usr/share/openca
-#
-allow httpd_t openca_usr_share_t:dir { getattr search };
-
-################################################################
-# Allow the web server to run scripts and serve pages
-##############################################################
-allow httpd_t bin_t:file { read execute }; # execute perl
-
-allow httpd_t openca_ca_exec_t:file {execute getattr read};
-allow httpd_t openca_ca_t:process {signal sigkill sigstop};
-allow httpd_t openca_ca_t:process transition;
-allow httpd_t openca_ca_exec_t:dir r_dir_perms;
-
-##################################################################
-# Allow the script to get the file descriptor from the http deamon
-# and send sigchild to http deamon
-#################################################################
-allow openca_ca_t httpd_t:process sigchld;
-allow openca_ca_t httpd_t:fd use;
-allow openca_ca_t httpd_t:fifo_file {getattr write};
-
-############################################
-# Allow scripts to append to http logs
-#########################################
-allow openca_ca_t httpd_log_t:file { append getattr };
-
-#############################################################
-# Allow the script access to the library files so it can run
-#############################################################
-can_exec(openca_ca_t, lib_t)
-
-########################################################################
-# The script needs to inherit the file descriptor and find the script it
-# needs to run
-########################################################################
-allow openca_ca_t initrc_t:fd use;
-allow openca_ca_t init_t:fd use;
-allow openca_ca_t default_t:dir r_dir_perms;
-allow openca_ca_t random_device_t:chr_file r_file_perms;
-
-#######################################################################
-# Allow the script to return its output
-######################################################################
-#allow openca_ca_t httpd_var_run_t: file rw_file_perms;
-allow openca_ca_t null_device_t: chr_file rw_file_perms;
-allow openca_ca_t httpd_cache_t: file rw_file_perms;
-
-###########################################################################
-# Allow the script interpreters to run the scripts.  So
-# the perl executable will be able to run a perl script
-#########################################################################
-can_exec(openca_ca_t, bin_t)
-
-############################################################################
-# Allow the script process to search the cgi directory, and users directory
-##############################################################################
-allow openca_ca_t openca_ca_exec_t:dir search;
-
-#
-# Allow access to writeable files under /etc/openca
-#
-allow openca_ca_t openca_etc_writeable_t:file create_file_perms;
-allow openca_ca_t openca_etc_writeable_t:dir create_dir_perms;
-
-#
-# Allow access to other files under /etc/openca
-#
-allow openca_ca_t openca_etc_t:file r_file_perms;
-allow openca_ca_t openca_etc_t:dir r_dir_perms;
-
-#
-# Allow access to private CA key
-#
-allow openca_ca_t openca_var_lib_keys_t:file create_file_perms;
-allow openca_ca_t openca_var_lib_keys_t:dir create_dir_perms;
-
-#
-# Allow access to other /var/lib/openca files
-#
-allow openca_ca_t openca_var_lib_t:file create_file_perms;
-allow openca_ca_t openca_var_lib_t:dir create_dir_perms;
-
-#
-# Allow access to other /usr/share/openca files
-#
-allow openca_ca_t openca_usr_share_t:file r_file_perms;
-allow openca_ca_t openca_usr_share_t:lnk_file r_file_perms;
-allow openca_ca_t openca_usr_share_t:dir r_dir_perms;
-
-# /etc/openca standard files
-type openca_etc_t, file_type, sysadmfile;
-
-# /etc/openca template files
-type openca_etc_in_t, file_type, sysadmfile;
-
-# /etc/openca writeable (from CGI script) files
-type openca_etc_writeable_t, file_type, sysadmfile;
-
-# /var/lib/openca
-type openca_var_lib_t, file_type, sysadmfile;
-
-# /var/lib/openca/crypto/keys
-type openca_var_lib_keys_t, file_type, sysadmfile;
-
-# /usr/share/openca/crypto/keys
-type openca_usr_share_t, file_type, sysadmfile;
diff --git a/mls/domains/program/unused/openvpn.te b/mls/domains/program/unused/openvpn.te
deleted file mode 100644
index 0ab1317..0000000
--- a/mls/domains/program/unused/openvpn.te
+++ /dev/null
@@ -1,39 +0,0 @@
-#DESC OpenVPN - Firewall-friendly SSL-based VPN
-#
-# Author: Colin Walters <walters@verbum.org>
-#
-########################################
-#
-
-daemon_domain(openvpn)
-etcdir_domain(openvpn)
-
-allow openvpn_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;
-
-allow openvpn_t { random_device_t urandom_device_t }:chr_file { read getattr };
-allow openvpn_t devpts_t:dir { search getattr };
-allow openvpn_t tun_tap_device_t:chr_file rw_file_perms;
-allow openvpn_t proc_t:file { getattr read };
-
-allow openvpn_t self:unix_dgram_socket create_socket_perms;
-allow openvpn_t self:unix_stream_socket create_stream_socket_perms;
-allow openvpn_t self:unix_dgram_socket sendto;
-allow openvpn_t self:unix_stream_socket connectto;
-allow openvpn_t self:capability { net_admin setgid setuid };
-r_dir_file(openvpn_t, sysctl_net_t)
-
-can_network_server(openvpn_t)
-allow openvpn_t openvpn_port_t:udp_socket name_bind;
-
-# OpenVPN executes a lot of helper programs and scripts
-allow openvpn_t { bin_t sbin_t }:dir { search getattr };
-allow openvpn_t bin_t:lnk_file { getattr read };
-can_exec(openvpn_t, { bin_t sbin_t shell_exec_t })
-# Do not transition to ifconfig_t, since then it needs
-# permission to access openvpn_t:udp_socket, which seems
-# worse.
-can_exec(openvpn_t, ifconfig_exec_t)
-
-# The Fedora init script iterates over /etc/openvpn/*.conf, and
-# starts a daemon for each file.
-r_dir_file(initrc_t, openvpn_etc_t)
diff --git a/mls/domains/program/unused/perdition.te b/mls/domains/program/unused/perdition.te
deleted file mode 100644
index b95cb75..0000000
--- a/mls/domains/program/unused/perdition.te
+++ /dev/null
@@ -1,29 +0,0 @@
-#DESC Perdition POP and IMAP proxy
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: perdition
-#
-
-#################################
-#
-# Rules for the perdition_t domain.
-#
-daemon_domain(perdition)
-
-allow perdition_t pop_port_t:tcp_socket name_bind;
-
-etc_domain(perdition)
-
-# Use the network.
-can_network_server(perdition_t)
-allow perdition_t self:unix_stream_socket create_socket_perms;
-allow perdition_t self:unix_dgram_socket create_socket_perms;
-
-# allow any domain to connect to the proxy
-can_tcp_connect(userdomain, perdition_t)
-
-# Use capabilities
-allow perdition_t self:capability { setgid setuid net_bind_service };
-
-allow perdition_t etc_t:file { getattr read };
-allow perdition_t etc_t:lnk_file read;
diff --git a/mls/domains/program/unused/portslave.te b/mls/domains/program/unused/portslave.te
deleted file mode 100644
index 55dfad6..0000000
--- a/mls/domains/program/unused/portslave.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#DESC Portslave - Terminal server software
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: portslave
-# Depends: pppd.te
-#
-
-#################################
-#
-# Rules for the portslave_t domain.
-#
-daemon_base_domain(portslave, `, privmail, auth_chkpwd')
-
-type portslave_etc_t, file_type, sysadmfile;
-
-general_domain_access(portslave_t)
-domain_auto_trans(init_t, portslave_exec_t, portslave_t)
-ifdef(`rlogind.te', `
-domain_auto_trans(rlogind_t, portslave_exec_t, portslave_t)
-')
-ifdef(`inetd.te', `
-domain_auto_trans(inetd_t, portslave_exec_t, portslave_t)
-allow portslave_t inetd_t:tcp_socket { getattr read write };
-')
-
-allow portslave_t { etc_t etc_runtime_t }:file { read getattr };
-read_locale(portslave_t)
-r_dir_file(portslave_t, portslave_etc_t)
-
-allow portslave_t pppd_etc_t:dir r_dir_perms;
-allow portslave_t pppd_etc_rw_t:file { getattr read };
-
-allow portslave_t proc_t:file { getattr read };
-
-allow portslave_t { var_t var_log_t devpts_t }:dir search;
-
-allow portslave_t devtty_t:chr_file { setattr rw_file_perms };
-
-allow portslave_t pppd_secret_t:file r_file_perms;
-
-can_network_server(portslave_t)
-allow portslave_t fs_t:filesystem getattr;
-ifdef(`radius.te', `
-can_udp_send(portslave_t, radiusd_t)
-can_udp_send(radiusd_t, portslave_t)
-')
-# for rlogin etc
-can_exec(portslave_t, { bin_t ssh_exec_t })
-# net_bind_service for rlogin
-allow portslave_t self:capability { net_bind_service sys_tty_config };
-# for ssh
-allow portslave_t urandom_device_t:chr_file read;
-ifdef(`sshd.te', `can_tcp_connect(portslave_t, sshd_t)')
-
-# for pppd
-allow portslave_t self:capability { setuid setgid net_admin fsetid };
-allow portslave_t ppp_device_t:chr_file rw_file_perms;
-
-# for ~/.ppprc - if it actually exists then you need some policy to read it
-allow portslave_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
-
-# for ctlportslave
-dontaudit portslave_t self:capability sys_admin;
-
-file_type_auto_trans(portslave_t, var_run_t, pppd_var_run_t, file)
-can_exec(portslave_t, { etc_t shell_exec_t })
-
-# Run login in local_login_t domain.
-#domain_auto_trans(portslave_t, login_exec_t, local_login_t)
-
-# Write to /var/run/utmp.
-allow portslave_t initrc_var_run_t:file rw_file_perms;
-
-# Write to /var/log/wtmp.
-allow portslave_t wtmp_t:file rw_file_perms;
-
-# Read and write ttys.
-allow portslave_t tty_device_t:chr_file { setattr rw_file_perms };
-allow portslave_t ttyfile:chr_file rw_file_perms;
-
-
-lock_domain(portslave)
-can_exec(portslave_t, pppd_exec_t)
-allow portslave_t { bin_t sbin_t }:dir search;
-allow portslave_t bin_t:lnk_file read;
diff --git a/mls/domains/program/unused/postgrey.te b/mls/domains/program/unused/postgrey.te
deleted file mode 100644
index f60e67b..0000000
--- a/mls/domains/program/unused/postgrey.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC postgrey - Postfix Grey-listing server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: postgrey
-
-daemon_domain(postgrey)
-
-allow postgrey_t urandom_device_t:chr_file { getattr read };
-
-# for perl
-allow postgrey_t { bin_t sbin_t }:dir { getattr search };
-allow postgrey_t usr_t:{ file lnk_file } { getattr read };
-dontaudit postgrey_t usr_t:file ioctl;
-
-allow postgrey_t { etc_t etc_runtime_t }:file { getattr read };
-etcdir_domain(postgrey)
-
-can_network_server_tcp(postgrey_t)
-can_ypbind(postgrey_t)
-allow postgrey_t postgrey_port_t:tcp_socket name_bind;
-allow postgrey_t self:unix_dgram_socket create_socket_perms;
-allow postgrey_t self:unix_stream_socket create_stream_socket_perms;
-allow postgrey_t proc_t:file { getattr read };
-
-allow postgrey_t self:capability { chown setgid setuid };
-dontaudit postgrey_t self:capability sys_tty_config;
-
-var_lib_domain(postgrey)
-
-allow postgrey_t tmp_t:dir getattr;
diff --git a/mls/domains/program/unused/publicfile.te b/mls/domains/program/unused/publicfile.te
deleted file mode 100644
index b6a206b..0000000
--- a/mls/domains/program/unused/publicfile.te
+++ /dev/null
@@ -1,25 +0,0 @@
-#DESC Publicfile - HTTP and FTP file services
-# http://cr.yp.to/publicfile.html
-#
-# Author: petre rodan <kaiowas@gentoo.org>
-#
-# this policy depends on ucspi-tcp
-#
-
-daemon_domain(publicfile)
-type publicfile_content_t, file_type, sysadmfile;
-domain_auto_trans(initrc_t, publicfile_exec_t, publicfile_t)
-
-ifdef(`ucspi-tcp.te', `
-domain_auto_trans(utcpserver_t, publicfile_exec_t, publicfile_t)
-allow publicfile_t utcpserver_t:tcp_socket { read write };
-allow utcpserver_t { ftp_data_port_t ftp_port_t http_port_t }:tcp_socket name_bind;
-')
-
-allow publicfile_t initrc_t:tcp_socket { read write };
-
-allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
-
-r_dir_file(publicfile_t, publicfile_content_t)
-
-
diff --git a/mls/domains/program/unused/pxe.te b/mls/domains/program/unused/pxe.te
deleted file mode 100644
index 1515593..0000000
--- a/mls/domains/program/unused/pxe.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#DESC PXE - a server for the PXE network boot protocol
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: pxe
-#
-
-#################################
-#
-# Rules for the pxe_t domain.
-#
-daemon_domain(pxe)
-
-allow pxe_t pxe_port_t:udp_socket name_bind;
-
-allow pxe_t etc_t:file { getattr read };
-
-allow pxe_t self:capability { chown setgid setuid };
-
-allow pxe_t zero_device_t:chr_file rw_file_perms;
-
-log_domain(pxe)
diff --git a/mls/domains/program/unused/pyzor.te b/mls/domains/program/unused/pyzor.te
deleted file mode 100644
index b0629ad..0000000
--- a/mls/domains/program/unused/pyzor.te
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# Pyzor - Pyzor is a collaborative, networked system to detect and
-#         block spam using identifying digests of messages.
-#
-# Author:  David Hampton <hampton@employees.org>
-#
-
-# NOTE: This policy is based upon the FC3 pyzor rpm from ATrpms.
-# Pyzor normally dumps everything into $HOME/.pyzor.  By putting the
-# following line to the spamassassin config file:
-#
-#	pyzor_options --homedir /etc/pyzor
-#
-# the various files will be put into appropriate directories.
-# (I.E. The log file into /var/log, etc.)  This policy will work
-# either way.
-
-##########
-# pyzor daemon
-##########
-daemon_domain(pyzord, `, privlog, nscd_client_domain')
-pyzor_base_domain(pyzord)
-allow pyzord_t pyzor_port_t:udp_socket name_bind;
-home_domain_access(pyzord_t, sysadm, pyzor)
-log_domain(pyzord)
-
-# Read shared daemon/client config file
-r_dir_file(pyzord_t, pyzor_etc_t)
-
-# Write shared daemon/client data dir
-allow pyzord_t var_lib_t:dir search;
-create_dir_file(pyzord_t, pyzor_var_lib_t)
-
-##########
-# Pyzor query application - from system_r applictions
-##########
-type pyzor_t, domain, privlog, daemon;
-type pyzor_exec_t, file_type, sysadmfile, exec_type;
-role system_r types pyzor_t;
-
-pyzor_base_domain(pyzor)
-
-# System config/data files
-etcdir_domain(pyzor)
-var_lib_domain(pyzor)
-
-##########
-##########
-
-#
-# Some spam filters executes the pyzor code directly.  Allow them access here.
-#
-ifdef(`spamd.te',`
-domain_auto_trans(spamd_t, pyzor_exec_t, pyzor_t);
-# pyzor needs access to the email spamassassin is checking
-allow pyzor_t spamd_tmp_t:file r_file_perms;
-')
diff --git a/mls/domains/program/unused/qmail.te b/mls/domains/program/unused/qmail.te
deleted file mode 100644
index 6c51cd7..0000000
--- a/mls/domains/program/unused/qmail.te
+++ /dev/null
@@ -1,197 +0,0 @@
-#DESC Qmail - Mail server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: qmail-src qmail
-# Depends: inetd.te mta.te
-#
-
-
-# Type for files created during execution of qmail.
-type qmail_var_run_t, file_type, sysadmfile, pidfile;
-
-type qmail_etc_t, file_type, sysadmfile;
-
-allow inetd_t smtp_port_t:tcp_socket name_bind;
-
-type qmail_exec_t, file_type, sysadmfile, exec_type;
-type qmail_spool_t, file_type, sysadmfile;
-type var_qmail_t, file_type, sysadmfile;
-
-define(`qmaild_sub_domain', `
-daemon_sub_domain($1, $2, `$3')
-allow $2_t qmail_etc_t:dir { getattr search };
-allow $2_t qmail_etc_t:{ lnk_file file } { getattr read };
-allow $2_t { var_t var_spool_t }:dir search;
-allow $2_t console_device_t:chr_file rw_file_perms;
-allow $2_t fs_t:filesystem getattr;
-')
-
-#################################
-#
-# Rules for the qmail_$1_t domain.
-#
-# qmail_$1_exec_t is the type of the qmail_$1 executables.
-#
-define(`qmail_daemon_domain', `
-qmaild_sub_domain(qmail_start_t, qmail_$1, `$2')
-allow qmail_$1_t qmail_start_t:fifo_file { read write };
-')dnl
-
-
-daemon_base_domain(qmail_start)
-
-allow qmail_start_t self:capability { setgid setuid };
-allow qmail_start_t { bin_t sbin_t }:dir search;
-allow qmail_start_t qmail_etc_t:dir search;
-allow qmail_start_t qmail_etc_t:file { getattr read };
-can_exec(qmail_start_t, qmail_start_exec_t)
-allow qmail_start_t self:fifo_file { getattr read write };
-
-qmail_daemon_domain(lspawn, `, mta_delivery_agent')
-allow qmail_lspawn_t self:fifo_file { read write };
-allow qmail_lspawn_t self:capability { setuid setgid };
-allow qmail_lspawn_t self:process { fork signal_perms };
-allow qmail_lspawn_t sbin_t:dir search;
-can_exec(qmail_lspawn_t, qmail_exec_t)
-allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
-allow qmail_lspawn_t qmail_spool_t:dir search;
-allow qmail_lspawn_t qmail_spool_t:file { read getattr };
-allow qmail_lspawn_t etc_t:file { getattr read };
-allow qmail_lspawn_t tmp_t:dir getattr;
-dontaudit qmail_lspawn_t user_home_dir_type:dir { getattr search };
-
-qmail_daemon_domain(send, `, mail_server_sender')
-rw_dir_create_file(qmail_send_t, qmail_spool_t)
-allow qmail_send_t qmail_spool_t:fifo_file read;
-allow qmail_send_t self:process { fork signal_perms };
-allow qmail_send_t self:fifo_file write;
-domain_auto_trans(qmail_send_t, qmail_queue_exec_t, qmail_queue_t)
-allow qmail_send_t sbin_t:dir search;
-
-qmail_daemon_domain(splogger)
-allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
-allow qmail_splogger_t etc_t:lnk_file read;
-dontaudit qmail_splogger_t initrc_t:fd use;
-read_locale(qmail_splogger_t)
-
-qmail_daemon_domain(rspawn)
-allow qmail_rspawn_t qmail_spool_t:dir search;
-allow qmail_rspawn_t qmail_spool_t:file rw_file_perms;
-allow qmail_rspawn_t self:process { fork signal_perms };
-allow qmail_rspawn_t self:fifo_file read;
-allow qmail_rspawn_t { bin_t sbin_t }:dir search;
-
-qmaild_sub_domain(qmail_rspawn_t, qmail_remote)
-allow qmail_rspawn_t qmail_remote_exec_t:file { getattr read };
-can_network_server(qmail_remote_t)
-can_ypbind(qmail_remote_t)
-allow qmail_remote_t qmail_spool_t:dir search;
-allow qmail_remote_t qmail_spool_t:file rw_file_perms;
-allow qmail_remote_t self:tcp_socket create_socket_perms;
-allow qmail_remote_t self:udp_socket create_socket_perms;
-
-qmail_daemon_domain(clean)
-allow qmail_clean_t qmail_spool_t:dir rw_dir_perms;
-allow qmail_clean_t qmail_spool_t:file { unlink read getattr };
-
-# privhome will do until we get a separate maildir type
-qmaild_sub_domain(qmail_lspawn_t, qmail_local, `, privhome, mta_delivery_agent')
-allow qmail_lspawn_t qmail_local_exec_t:file { getattr read };
-allow qmail_local_t self:process { fork signal_perms };
-domain_auto_trans(qmail_local_t, qmail_queue_exec_t, qmail_queue_t)
-allow qmail_local_t qmail_queue_exec_t:file { getattr read };
-allow qmail_local_t qmail_spool_t:file { ioctl read };
-allow qmail_local_t self:fifo_file write;
-allow qmail_local_t sbin_t:dir search;
-allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
-allow qmail_local_t etc_t:file { getattr read };
-
-# for piping mail to a command
-can_exec(qmail_local_t, shell_exec_t)
-allow qmail_local_t bin_t:dir search;
-allow qmail_local_t bin_t:lnk_file read;
-allow qmail_local_t devtty_t:chr_file rw_file_perms;
-allow qmail_local_t { etc_runtime_t proc_t }:file { getattr read };
-
-ifdef(`tcpd.te', `
-qmaild_sub_domain(tcpd_t, qmail_tcp_env)
-# bug
-can_exec(tcpd_t, tcpd_exec_t)
-', `
-qmaild_sub_domain(inetd_t, qmail_tcp_env)
-')
-allow qmail_tcp_env_t inetd_t:fd use;
-allow qmail_tcp_env_t inetd_t:tcp_socket { read write getattr };
-allow qmail_tcp_env_t inetd_t:process sigchld;
-allow qmail_tcp_env_t sbin_t:dir search;
-can_network_server(qmail_tcp_env_t)
-can_ypbind(qmail_tcp_env_t)
-
-qmaild_sub_domain(qmail_tcp_env_t, qmail_smtpd)
-allow qmail_tcp_env_t qmail_smtpd_exec_t:file { getattr read };
-can_network_server(qmail_smtpd_t)
-can_ypbind(qmail_smtpd_t)
-allow qmail_smtpd_t inetd_t:fd use;
-allow qmail_smtpd_t inetd_t:tcp_socket { read write };
-allow qmail_smtpd_t inetd_t:process sigchld;
-allow qmail_smtpd_t self:process { fork signal_perms };
-allow qmail_smtpd_t self:fifo_file write;
-allow qmail_smtpd_t self:tcp_socket create_socket_perms;
-allow qmail_smtpd_t sbin_t:dir search;
-domain_auto_trans(qmail_smtpd_t, qmail_queue_exec_t, qmail_queue_t)
-allow qmail_smtpd_t qmail_queue_exec_t:file { getattr read };
-
-qmaild_sub_domain(user_mail_domain, qmail_inject, `, mta_user_agent')
-allow qmail_inject_t self:process { fork signal_perms };
-allow qmail_inject_t self:fifo_file write;
-allow qmail_inject_t sbin_t:dir search;
-role sysadm_r types qmail_inject_t;
-in_user_role(qmail_inject_t)
-
-qmaild_sub_domain(userdomain, qmail_qread, `, mta_user_agent')
-in_user_role(qmail_qread_t)
-role sysadm_r types qmail_qread_t;
-r_dir_file(qmail_qread_t, qmail_spool_t)
-allow qmail_qread_t self:capability dac_override;
-allow qmail_qread_t privfd:fd use;
-
-qmaild_sub_domain(qmail_inject_t, qmail_queue, `, mta_user_agent')
-role sysadm_r types qmail_queue_t;
-in_user_role(qmail_queue_t)
-allow qmail_inject_t qmail_queue_exec_t:file { getattr read };
-rw_dir_create_file(qmail_queue_t, qmail_spool_t)
-allow qmail_queue_t qmail_spool_t:fifo_file { read write };
-allow qmail_queue_t { qmail_start_t qmail_lspawn_t }:fd use;
-allow qmail_queue_t qmail_lspawn_t:fifo_file write;
-allow qmail_queue_t qmail_start_t:fifo_file { read write };
-allow qmail_queue_t privfd:fd use;
-allow qmail_queue_t crond_t:fifo_file { read write };
-allow qmail_queue_t inetd_t:fd use;
-allow qmail_queue_t inetd_t:tcp_socket { read write };
-allow qmail_queue_t sysadm_t:fd use;
-allow qmail_queue_t sysadm_t:fifo_file write;
-
-allow user_crond_domain qmail_etc_t:dir search;
-allow user_crond_domain qmail_etc_t:file { getattr read };
-
-qmaild_sub_domain(user_crond_domain, qmail_serialmail)
-in_user_role(qmail_serialmail_t)
-can_network_server(qmail_serialmail_t)
-can_ypbind(qmail_serialmail_t)
-can_exec(qmail_serialmail_t, qmail_serialmail_exec_t)
-allow qmail_serialmail_t self:process { fork signal_perms };
-allow qmail_serialmail_t proc_t:file { getattr read };
-allow qmail_serialmail_t etc_runtime_t:file { getattr read };
-allow qmail_serialmail_t home_root_t:dir search;
-allow qmail_serialmail_t user_home_dir_type:dir { search read getattr };
-rw_dir_create_file(qmail_serialmail_t, user_home_type)
-allow qmail_serialmail_t self:fifo_file { read write };
-allow qmail_serialmail_t self:udp_socket create_socket_perms;
-allow qmail_serialmail_t self:tcp_socket create_socket_perms;
-allow qmail_serialmail_t privfd:fd use;
-allow qmail_serialmail_t crond_t:fifo_file { read write ioctl };
-allow qmail_serialmail_t devtty_t:chr_file { read write };
-
-# for tcpclient
-can_exec(qmail_serialmail_t, bin_t)
-allow qmail_serialmail_t bin_t:dir search;
diff --git a/mls/domains/program/unused/razor.te b/mls/domains/program/unused/razor.te
deleted file mode 100644
index e88bb49..0000000
--- a/mls/domains/program/unused/razor.te
+++ /dev/null
@@ -1,53 +0,0 @@
-#
-# Razor - Vipul's Razor is a distributed, collaborative, spam
-#         detection and filtering network.
-#
-# Author:  David Hampton <hampton@employees.org>
-#
-
-# NOTE: This policy will work with either the ATrpms provided config
-# file in /etc/razor, or with the default of dumping everything into
-# $HOME/.razor.
-
-##########
-# Razor query application - from system_r applictions
-##########
-type razor_t, domain, privlog, daemon;
-type razor_exec_t, file_type, sysadmfile, exec_type;
-role system_r types razor_t;
-
-razor_base_domain(razor)
-
-# Razor config file directory.  When invoked as razor-admin, it can
-# update files in this directory.
-etcdir_domain(razor)
-create_dir_file(razor_t, razor_etc_t);
-
-# Shared razor files updated freuently
-var_lib_domain(razor)
-
-# Log files
-log_domain(razor)
-allow razor_t var_log_t:dir search;
-ifdef(`logrotate.te', `
-allow logrotate_t razor_log_t:file r_file_perms;
-')
-
-##########
-##########
-
-#
-# Some spam filters executes the razor code directly.  Allow them access here.
-#
-define(`razor_access',`
-r_dir_file($1, razor_etc_t)
-allow $1 var_log_t:dir search;
-allow $1 razor_log_t:file ra_file_perms;
-r_dir_file($1, razor_var_lib_t)
-r_dir_file($1, sysadm_razor_home_t)
-can_network_client_tcp($1, razor_port_t)
-allow $1 razor_port_t:tcp_socket name_connect;
-')
-
-ifdef(`spamd.te', `razor_access(spamd_t)');
-ifdef(`amavis.te', `razor_access(amavisd_t)');
diff --git a/mls/domains/program/unused/resmgrd.te b/mls/domains/program/unused/resmgrd.te
deleted file mode 100644
index 9224ad3..0000000
--- a/mls/domains/program/unused/resmgrd.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# DESC resmgrd - resource manager daemon
-#
-# Author: Thomas Bleher <ThomasBleher@gmx.de>
- 
-daemon_base_domain(resmgrd)
-var_run_domain(resmgrd, { file sock_file })
-etc_domain(resmgrd)
-read_locale(resmgrd_t)
-allow resmgrd_t self:capability { dac_override dac_read_search sys_admin sys_rawio };
-
-allow resmgrd_t etc_t:file { getattr read };
-allow resmgrd_t self:unix_stream_socket create_stream_socket_perms; 
-allow resmgrd_t self:unix_dgram_socket create_socket_perms;
-
-# hardware access
-allow resmgrd_t device_t:lnk_file { getattr read };
-# not sure if it needs write access, needs to be investigated further...
-allow resmgrd_t removable_device_t:blk_file { getattr ioctl read write };
-allow resmgrd_t scsi_generic_device_t:chr_file { getattr ioctl read write };
-allow resmgrd_t scanner_device_t:chr_file { getattr };
-# I think a dontaudit should be enough there
-dontaudit resmgrd_t fixed_disk_device_t:blk_file { getattr ioctl read };
-
-# there is a macro can_resmgrd_connect() in macros/program/resmgrd_macros.te
-
diff --git a/mls/domains/program/unused/rhgb.te b/mls/domains/program/unused/rhgb.te
deleted file mode 100644
index 5d176e9..0000000
--- a/mls/domains/program/unused/rhgb.te
+++ /dev/null
@@ -1,100 +0,0 @@
-#DESC rhgb - Red Hat Graphical Boot
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# Depends: xdm.te gnome-pty-helper.te xserver.te
-
-daemon_base_domain(rhgb)
-
-allow rhgb_t { bin_t sbin_t }:dir search;
-allow rhgb_t bin_t:lnk_file read;
-
-domain_auto_trans(rhgb_t, shell_exec_t, initrc_t)
-domain_auto_trans(rhgb_t, xserver_exec_t, xdm_xserver_t)
-can_exec(rhgb_t, { bin_t sbin_t gph_exec_t })
-
-allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
-allow rhgb_t self:fifo_file rw_file_perms;
-
-# for gnome-pty-helper
-gph_domain(rhgb, system)
-allow initrc_t rhgb_gph_t:fd use;
-
-allow rhgb_t proc_t:file { getattr read };
-
-allow rhgb_t devtty_t:chr_file { read write };
-allow rhgb_t tty_device_t:chr_file rw_file_perms;
-
-read_locale(rhgb_t)
-allow rhgb_t { etc_t etc_runtime_t }:file { getattr read };
-
-# for ramfs file systems
-allow rhgb_t ramfs_t:dir { setattr rw_dir_perms };
-allow rhgb_t ramfs_t:sock_file create_file_perms;
-allow rhgb_t ramfs_t:{ file fifo_file } create_file_perms;
-allow insmod_t ramfs_t:file write;
-allow insmod_t rhgb_t:fd use;
-
-allow rhgb_t ramfs_t:filesystem { mount unmount };
-allow rhgb_t mnt_t:dir { search mounton };
-allow rhgb_t self:capability { sys_admin sys_tty_config };
-dontaudit rhgb_t var_run_t:dir search;
-
-can_network_client(rhgb_t)
-allow rhgb_t port_type:tcp_socket name_connect;
-can_ypbind(rhgb_t)
-
-allow rhgb_t usr_t:{ file lnk_file } { getattr read };
-
-# for running setxkbmap
-r_dir_file(rhgb_t, xkb_var_lib_t)
-
-# for localization
-allow rhgb_t lib_t:file { getattr read };
-
-allow rhgb_t initctl_t:fifo_file write;
-
-ifdef(`hide_broken_symptoms', `
-# it should not do this
-dontaudit rhgb_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
-')dnl end hide_broken_symptoms
-
-can_create_pty(rhgb)
-
-allow rhgb_t self:shm create_shm_perms;
-allow xdm_xserver_t rhgb_t:shm rw_shm_perms;
-
-can_unix_connect(initrc_t, rhgb_t)
-tmpfs_domain(rhgb)
-allow xdm_xserver_t rhgb_tmpfs_t:file { read write };
-
-read_fonts(rhgb_t)
-
-# for nscd
-dontaudit rhgb_t var_t:dir search;
-
-ifdef(`hide_broken_symptoms', `
-# for a bug in the X server
-dontaudit insmod_t xdm_xserver_t:tcp_socket { read write };
-dontaudit insmod_t serial_device:chr_file { read write };
-dontaudit mount_t rhgb_gph_t:fd use;
-dontaudit mount_t rhgb_t:unix_stream_socket { read write };
-dontaudit mount_t ptmx_t:chr_file { read write };
-')dnl end hide_broken_symptoms
-
-ifdef(`firstboot.te', `
-allow rhgb_t firstboot_rw_t:file r_file_perms;
-')
-allow rhgb_t tmp_t:dir search;
-allow rhgb_t xdm_xserver_t:process sigkill;
-allow domain rhgb_devpts_t:chr_file { read write };
-ifdef(`fsadm.te', `
-dontaudit fsadm_t ramfs_t:fifo_file write;
-')
-allow rhgb_t xdm_xserver_tmp_t:file { getattr read };
-dontaudit rhgb_t default_t:file read;
-
-allow initrc_t ramfs_t:dir search;
-allow initrc_t ramfs_t:sock_file write;
-allow initrc_t rhgb_t:unix_stream_socket { read write };
-
-allow rhgb_t default_t:file { getattr read };
diff --git a/mls/domains/program/unused/rssh.te b/mls/domains/program/unused/rssh.te
deleted file mode 100644
index 73bab4a..0000000
--- a/mls/domains/program/unused/rssh.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC Rssh - Restricted (scp/sftp) only shell
-#
-# Authors: Colin Walters <walters@verbum.org>
-# X-Debian-Package: rssh
-#
-
-type rssh_exec_t, file_type, sysadmfile, exec_type;
-
-ifdef(`ssh.te',`
-allow sshd_t rssh_exec_t:file r_file_perms;
-')
-
-# See rssh_macros.te for the rest.
diff --git a/mls/domains/program/unused/scannerdaemon.te b/mls/domains/program/unused/scannerdaemon.te
deleted file mode 100644
index 6245e8b..0000000
--- a/mls/domains/program/unused/scannerdaemon.te
+++ /dev/null
@@ -1,58 +0,0 @@
-#DESC Scannerdaemon - Virus scanner daemon
-#
-# Author:  Brian May <bam@snoopy.apana.org.au>
-# X-Debian-Packages:
-#
-
-#################################
-#
-# Rules for the scannerdaemon_t domain.
-#
-type scannerdaemon_etc_t, file_type, sysadmfile;
-
-#networking
-daemon_domain(scannerdaemon)
-can_network_server(scannerdaemon_t)
-ifdef(`postfix.te',
-`can_tcp_connect(postfix_bounce_t,scannerdaemon_t);')
-
-# for testing
-can_tcp_connect(sysadm_t,scannerdaemon_t)
-
-# Can create unix sockets
-allow scannerdaemon_t self:unix_stream_socket create_stream_socket_perms;
-
-# Access config files (libc6).
-allow scannerdaemon_t etc_t:file r_file_perms;
-allow scannerdaemon_t etc_t:lnk_file r_file_perms;
-allow scannerdaemon_t proc_t:file r_file_perms;
-allow scannerdaemon_t etc_runtime_t:file r_file_perms;
-
-# Access config files (scannerdaemon).
-allow scannerdaemon_t scannerdaemon_etc_t:file r_file_perms;
-
-# Access signature files.
-ifdef(`oav-update.te',`
-allow scannerdaemon_t oav_update_var_lib_t:dir r_dir_perms;
-allow scannerdaemon_t oav_update_var_lib_t:file r_file_perms;
-')
-
-log_domain(scannerdaemon)
-ifdef(`logrotate.te', `
-allow logrotate_t scannerdaemon_log_t:file create_file_perms;
-')
-
-# Can run kaffe
-# Run helper programs.
-can_exec_any(scannerdaemon_t)
-allow scannerdaemon_t var_lib_t:dir search;
-allow scannerdaemon_t { sbin_t bin_t }:dir search;
-allow scannerdaemon_t bin_t:lnk_file read;
-
-# unknown stuff
-allow scannerdaemon_t self:fifo_file { read write };
-
-# broken stuff
-dontaudit scannerdaemon_t sysadm_home_dir_t:dir search;
-dontaudit scannerdaemon_t devtty_t:chr_file { read write };
-dontaudit scannerdaemon_t shadow_t:file { read getattr };
diff --git a/mls/domains/program/unused/snort.te b/mls/domains/program/unused/snort.te
deleted file mode 100644
index 24188f6..0000000
--- a/mls/domains/program/unused/snort.te
+++ /dev/null
@@ -1,33 +0,0 @@
-#DESC Snort - Network sniffer
-#
-# Author: Shaun Savage <savages@pcez.com> 
-# Modified by Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: snort-common
-#
-
-daemon_domain(snort)
-
-logdir_domain(snort)
-allow snort_t snort_log_t:dir create;
-can_network_server(snort_t)
-type snort_etc_t, file_type, sysadmfile;
-
-# Create temporary files.
-tmp_domain(snort)
-
-# use iptable netlink
-allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-allow snort_t self:packet_socket create_socket_perms;
-allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
-
-r_dir_file(snort_t, snort_etc_t)
-allow snort_t etc_t:file { getattr read };
-allow snort_t etc_t:lnk_file read;
-
-allow snort_t self:unix_dgram_socket create_socket_perms;
-allow snort_t self:unix_stream_socket create_socket_perms;
-
-# for start script
-allow initrc_t snort_etc_t:file { getattr read };
-
-dontaudit snort_t { etc_runtime_t proc_t }:file { getattr read };
diff --git a/mls/domains/program/unused/sound-server.te b/mls/domains/program/unused/sound-server.te
deleted file mode 100644
index c84a1fa..0000000
--- a/mls/domains/program/unused/sound-server.te
+++ /dev/null
@@ -1,42 +0,0 @@
-#DESC sound server - for network audio server programs, nasd, yiff, etc
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#################################
-#
-# Rules for the soundd_t domain.
-#
-# soundd_exec_t is the type of the soundd executable.
-#
-daemon_domain(soundd)
-
-allow soundd_t soundd_port_t:tcp_socket name_bind;
-
-type etc_soundd_t, file_type, sysadmfile;
-type soundd_state_t, file_type, sysadmfile;
-
-tmp_domain(soundd)
-rw_dir_create_file(soundd_t, soundd_state_t)
-
-allow soundd_t sound_device_t:chr_file rw_file_perms;
-allow soundd_t device_t:lnk_file read;
-
-# Use the network.
-can_network_server(soundd_t)
-allow soundd_t self:unix_stream_socket create_stream_socket_perms;
-allow soundd_t self:unix_dgram_socket create_socket_perms;
-# allow any domain to connect to the sound server
-can_tcp_connect(userdomain, soundd_t)
-
-allow soundd_t self:process setpgid;
-
-# read config files
-allow soundd_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;
-
-allow soundd_t etc_t:dir r_dir_perms;
-r_dir_file(soundd_t, etc_soundd_t)
-
-# for yiff - probably need some rules for the client support too
-allow soundd_t self:shm create_shm_perms;
-tmpfs_domain(soundd)
diff --git a/mls/domains/program/unused/speedmgmt.te b/mls/domains/program/unused/speedmgmt.te
deleted file mode 100644
index 6d399fb..0000000
--- a/mls/domains/program/unused/speedmgmt.te
+++ /dev/null
@@ -1,26 +0,0 @@
-#DESC Speedmgmt - Alcatel speedtouch USB ADSL modem
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#################################
-#
-# Rules for the speedmgmt_t domain.
-#
-# speedmgmt_exec_t is the type of the speedmgmt executable.
-#
-daemon_domain(speedmgmt)
-tmp_domain(speedmgmt)
-
-# for accessing USB
-allow speedmgmt_t proc_t:dir r_dir_perms;
-allow speedmgmt_t usbdevfs_t:file rw_file_perms;
-allow speedmgmt_t usbdevfs_t:dir r_dir_perms;
-
-allow speedmgmt_t usr_t:file r_file_perms;
-
-allow speedmgmt_t self:unix_dgram_socket create_socket_perms;
-
-# allow time
-allow speedmgmt_t etc_t:dir r_dir_perms;
-allow speedmgmt_t etc_t:lnk_file r_file_perms;
diff --git a/mls/domains/program/unused/sxid.te b/mls/domains/program/unused/sxid.te
deleted file mode 100644
index a96c987..0000000
--- a/mls/domains/program/unused/sxid.te
+++ /dev/null
@@ -1,62 +0,0 @@
-#DESC Sxid - SUID/SGID program monitoring
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: sxid
-#
-
-#################################
-#
-# Rules for the sxid_t domain.
-#
-# sxid_exec_t is the type of the sxid executable.
-#
-daemon_base_domain(sxid, `, privmail')
-tmp_domain(sxid)
-
-allow sxid_t fs_t:filesystem getattr;
-
-ifdef(`crond.te', `
-system_crond_entry(sxid_exec_t, sxid_t)
-')
-#allow system_crond_t sxid_log_t:file create_file_perms;
-
-read_locale(sxid_t)
-
-can_exec(sxid_t, { shell_exec_t bin_t sbin_t mount_exec_t })
-allow sxid_t bin_t:lnk_file read;
-
-log_domain(sxid)
-
-allow sxid_t file_type:notdevfile_class_set getattr;
-allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr;
-allow sxid_t ttyfile:chr_file getattr;
-allow sxid_t file_type:dir { getattr read search };
-allow sxid_t sysadmfile:file { getattr read };
-dontaudit sxid_t devpts_t:dir r_dir_perms;
-allow sxid_t fs_type:dir { getattr read search };
-
-# Use the network.
-can_network_server(sxid_t)
-allow sxid_t self:fifo_file rw_file_perms;
-allow sxid_t self:unix_stream_socket create_socket_perms;
-
-allow sxid_t { proc_t self }:{ file lnk_file } { read getattr };
-read_sysctl(sxid_t)
-allow sxid_t devtty_t:chr_file rw_file_perms;
-
-allow sxid_t self:capability { dac_override dac_read_search fsetid };
-dontaudit sxid_t self:capability { setuid setgid };
-
-ifdef(`mta.te', `
-# sxid leaves an open file handle to /proc/mounts
-dontaudit { system_mail_t mta_user_agent } sxid_t:file { read getattr };
-
-# allow mta to read the log files
-allow { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file { getattr read };
-# stop warnings if mailx is passed a read/write file handle
-dontaudit { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file write;
-')
-
-allow logrotate_t sxid_t:file { getattr write };
-
-dontaudit sxid_t security_t:dir { getattr read search };
diff --git a/mls/domains/program/unused/thunderbird.te b/mls/domains/program/unused/thunderbird.te
deleted file mode 100644
index c640f87..0000000
--- a/mls/domains/program/unused/thunderbird.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# DESC - Thunderbird  
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-# Type for executables
-type thunderbird_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in macros/thunderbird_macros.te
-bool disable_thunderbird_trans false;
diff --git a/mls/domains/program/unused/tinydns.te b/mls/domains/program/unused/tinydns.te
deleted file mode 100644
index a911b89..0000000
--- a/mls/domains/program/unused/tinydns.te
+++ /dev/null
@@ -1,58 +0,0 @@
-#DESC TINYDNS - Name server for djbdns
-#
-# Authors:  Matthew J. Fanto <mattjf@uncompiled.com>
-# 
-# Based off Named policy file written by
-# 	Yuichi Nakamura <ynakam@ori.hitachi-sk.co.jp>,
-# 	Russell Coker
-# X-Debian-Packages: djbdns-installer djbdns
-# 
-#
-
-#################################
-#
-# Rules for the tinydns_t domain.
-#
-daemon_domain(tinydns)
-
-can_exec(tinydns_t, tinydns_exec_t)
-allow tinydns_t sbin_t:dir search;
-
-allow tinydns_t self:process setsched;
-
-# A type for configuration files of tinydns.
-type tinydns_conf_t, file_type, sysadmfile;
-
-# for primary zone files - the data file
-type tinydns_zone_t, file_type, sysadmfile;
-
-allow tinydns_t etc_t:file { getattr read };
-allow tinydns_t etc_runtime_t:{ file lnk_file } { getattr read };
-
-#tinydns can use network
-can_network_server(tinydns_t)
-allow tinydns_t dns_port_t:{ udp_socket tcp_socket } name_bind;
-# allow UDP transfer to/from any program
-can_udp_send(domain, tinydns_t)
-can_udp_send(tinydns_t, domain)
-# tinydns itself doesn't do zone transfers
-# so we do not need to have it tcp_connect
-
-#read configuration files
-r_dir_file(tinydns_t, tinydns_conf_t)
-
-r_dir_file(tinydns_t, tinydns_zone_t)
-
-# allow tinydns to create datagram sockets (udp)
-# allow tinydns_t self:unix_stream_socket create_stream_socket_perms;
-allow tinydns_t self:unix_dgram_socket create_socket_perms;
-
-# Read /dev/random.
-allow tinydns_t device_t:dir r_dir_perms;
-allow tinydns_t random_device_t:chr_file r_file_perms;
-
-# Set own capabilities.
-allow tinydns_t self:process setcap;
-
-# for chmod in start script
-dontaudit initrc_t tinydns_var_run_t:dir setattr;
diff --git a/mls/domains/program/unused/transproxy.te b/mls/domains/program/unused/transproxy.te
deleted file mode 100644
index e34b804..0000000
--- a/mls/domains/program/unused/transproxy.te
+++ /dev/null
@@ -1,36 +0,0 @@
-#DESC Transproxy - Transparent proxy for web access
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: transproxy
-#
-
-#################################
-#
-# Rules for the transproxy_t domain.
-#
-# transproxy_exec_t is the type of the transproxy executable.
-#
-daemon_domain(transproxy)
-
-# Use the network.
-can_network_server_tcp(transproxy_t)
-allow transproxy_t transproxy_port_t:tcp_socket name_bind;
-
-#allow transproxy_t self:fifo_file { read write };
-allow transproxy_t self:unix_stream_socket create_socket_perms;
-allow transproxy_t self:unix_dgram_socket create_socket_perms;
-
-# Use capabilities
-allow transproxy_t self:capability { setgid setuid };
-#allow transproxy_t self:process setsched;
-
-#allow transproxy_t proc_t:file r_file_perms;
-
-# read config files
-allow transproxy_t etc_t:lnk_file read;
-allow transproxy_t etc_t:file { read getattr };
-
-#allow transproxy_t etc_t:dir r_dir_perms;
-
-#read_sysctl(transproxy_t)
-
diff --git a/mls/domains/program/unused/tripwire.te b/mls/domains/program/unused/tripwire.te
deleted file mode 100644
index 9ee61e8..0000000
--- a/mls/domains/program/unused/tripwire.te
+++ /dev/null
@@ -1,139 +0,0 @@
-# DESC tripwire
-#
-# Author: David Hampton <hampton@employees.org>
-#
-
-# NOTE: Tripwire creates temp file in its current working directory.
-# This policy does not allow write access to home directories, so
-# users will need to either cd to a directory where they have write
-# permission, or set the TEMPDIRECTORY variable in the tripwire config
-# file.  The latter is preferable, as then the file_type_auto_trans
-# rules will kick in and label the files as private to tripwire.
-
-
-# Common definitions
-type tripwire_report_t, file_type, sysadmfile;
-etcdir_domain(tripwire)
-var_lib_domain(tripwire)
-tmp_domain(tripwire)
-
-
-# Macro for defining tripwire domains
-define(`tripwire_domain',`
-application_domain($1, `, auth')
-role system_r types $1_t;
-
-# Allow access to common tripwire files
-allow $1_t tripwire_etc_t:file r_file_perms;
-allow $1_t tripwire_etc_t:dir r_dir_perms;
-allow $1_t tripwire_etc_t:lnk_file { getattr read };
-file_type_auto_trans($1_t, var_lib_t, tripwire_var_lib_t, file)
-allow $1_t tripwire_var_lib_t:dir rw_dir_perms;
-file_type_auto_trans($1_t, tmp_t, tripwire_tmp_t, `{ file dir }')
-
-allow $1_t self:process { fork sigchld };
-allow $1_t self:capability { setgid setuid dac_override };
-
-# Tripwire needs to read all files on the system
-general_proc_read_access($1_t)
-allow $1_t file_type:dir { search getattr read};
-allow $1_t file_type:{file chr_file lnk_file sock_file} {getattr read};
-allow $1_t file_type:fifo_file { getattr };
-allow $1_t device_type:file { getattr read };
-allow $1_t sysctl_t:dir { getattr read };
-allow $1_t {memory_device_t tty_device_t urandom_device_t zero_device_t}:chr_file getattr;
-
-# Tripwire report files
-create_dir_file($1_t, tripwire_report_t)
-
-# gethostid()?
-allow $1_t self:unix_stream_socket { connect create };
-
-# Running editor program (tripwire forks then runs bash which rins editor)
-can_exec($1_t, shell_exec_t)
-can_exec($1_t, bin_t)
-uses_shlib($1_t)
-
-allow $1_t self:dir search;
-allow $1_t self:file { getattr read };
-')
-
-
-##########
-##########
-
-#
-# When run by a user
-#
-tripwire_domain(`tripwire')
-
-# Running from the command line
-allow tripwire_t devpts_t:dir search;
-allow tripwire_t devtty_t:chr_file { read write };
-allow tripwire_t {sysadm_devpts_t user_devpts_t}:chr_file rw_file_perms;
-allow tripwire_t privfd:fd use;
-
-
-##########
-##########
-
-#
-# When run from cron
-#
-tripwire_domain(`tripwire_crond')
-system_crond_entry(tripwire_exec_t, tripwire_crond_t)
-domain_auto_trans(crond_t, tripwire_exec_t, tripwire_t)
-
-# Tripwire uses a temp file in the root home directory
-#create_dir_file(tripwire_crond_t, root_t)
-
-
-##########
-# Twadmin
-##########
-application_domain(twadmin)
-read_locale(twadmin_t)
-create_dir_file(twadmin_t, tripwire_etc_t)
-
-allow twadmin_t sysadm_tmp_t:file { getattr read write };
-
-# Running from the command line
-allow twadmin_t sshd_t:fd use;
-allow twadmin_t admin_tty_type:chr_file rw_file_perms;
-
-dontaudit twadmin_t { bin_t sbin_t }:dir search;
-dontaudit twadmin_t home_root_t:dir search;
-dontaudit twprint_t user_home_dir_t:dir search;
-
-
-##########
-# Twprint
-##########
-application_domain(twprint)
-read_locale(twprint_t)
-r_dir_file(twprint_t, tripwire_etc_t)
-allow twprint_t { var_t var_lib_t }:dir search;
-r_dir_file(twprint_t, tripwire_var_lib_t)
-r_dir_file(twprint_t, tripwire_report_t)
-
-# Running from the command line
-allow twprint_t sshd_t:fd use;
-allow twprint_t admin_tty_type:chr_file rw_file_perms;
-
-dontaudit twprint_t { bin_t sbin_t }:dir search;
-dontaudit twprint_t home_root_t:dir search;
-
-
-##########
-# Siggen
-##########
-application_domain(siggen, `, auth')
-read_locale(siggen_t)
-
-# Need permission to read files
-allow siggen_t file_type:dir { search getattr read};
-allow siggen_t file_type:file {getattr read};
-
-# Running from the command line
-allow siggen_t sshd_t:fd use;
-allow siggen_t admin_tty_type:chr_file rw_file_perms;
diff --git a/mls/domains/program/unused/tvtime.te b/mls/domains/program/unused/tvtime.te
deleted file mode 100644
index fa72021..0000000
--- a/mls/domains/program/unused/tvtime.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC tvtime - a high quality television application
-#
-# Domains for the tvtime program.
-# Author     :  Dan Walsh <dwalsh@redhat.com>
-#
-# tvtime_exec_t is the type of the tvtime executable.
-#
-type tvtime_exec_t, file_type, sysadmfile, exec_type;
-type tvtime_dir_t, file_type, sysadmfile, pidfile;
-
-# Everything else is in the tvtime_domain macro in
-# macros/program/tvtime_macros.te.
diff --git a/mls/domains/program/unused/ucspi-tcp.te b/mls/domains/program/unused/ucspi-tcp.te
deleted file mode 100644
index b2eeb5c..0000000
--- a/mls/domains/program/unused/ucspi-tcp.te
+++ /dev/null
@@ -1,49 +0,0 @@
-#DESC ucspi-tcp - TCP Server and Client Tools
-#
-# Author Petre Rodan <kaiowas@gentoo.org>
-#			Andy Dustman (rblsmtp-related policy)
-#
-
-# http://cr.yp.to/ucspi-tcp.html
-
-daemon_base_domain(utcpserver)
-can_network(utcpserver_t)
-
-allow utcpserver_t etc_t:file r_file_perms;
-allow utcpserver_t { bin_t sbin_t var_t }:dir search;
-
-allow utcpserver_t self:capability { net_bind_service setgid setuid };
-allow utcpserver_t self:fifo_file { read write };
-allow utcpserver_t self:process { fork sigchld };
-
-allow utcpserver_t port_t:udp_socket name_bind;
-
-ifdef(`qmail.te', `
-domain_auto_trans(utcpserver_t, qmail_smtpd_exec_t, qmail_smtpd_t)
-allow utcpserver_t smtp_port_t:tcp_socket name_bind;
-allow qmail_smtpd_t utcpserver_t:tcp_socket { read write getattr };
-allow utcpserver_t qmail_etc_t:dir r_dir_perms;
-allow utcpserver_t qmail_etc_t:file r_file_perms;
-')
-
-daemon_base_domain(rblsmtpd)
-can_network(rblsmtpd_t)
-
-allow rblsmtpd_t self:process { fork sigchld };
-
-allow rblsmtpd_t etc_t:file r_file_perms;
-allow rblsmtpd_t { bin_t var_t }:dir search;
-allow rblsmtpd_t port_t:udp_socket name_bind;
-allow rblsmtpd_t utcpserver_t:tcp_socket { read write getattr };
-
-ifdef(`qmail.te', `
-domain_auto_trans(rblsmtpd_t, qmail_smtpd_exec_t, qmail_smtpd_t)
-allow qmail_queue_t rblsmtpd_t:fd use;
-')
-
-ifdef(`daemontools.te', `
-svc_ipc_domain(rblsmtpd_t)
-')
-
-domain_auto_trans(utcpserver_t, rblsmtpd_exec_t, rblsmtpd_t)
-
diff --git a/mls/domains/program/unused/uml.te b/mls/domains/program/unused/uml.te
deleted file mode 100644
index 75ae501..0000000
--- a/mls/domains/program/unused/uml.te
+++ /dev/null
@@ -1,14 +0,0 @@
-
-# Author: Russell Coker <russell@coker.com.au>
-#
-type uml_exec_t, file_type, sysadmfile, exec_type;
-type uml_ro_t, file_type, sysadmfile;
-
-# the main code is in macros/program/uml_macros.te
-
-daemon_domain(uml_switch)
-allow uml_switch_t self:unix_dgram_socket create_socket_perms;
-allow uml_switch_t self:unix_stream_socket create_stream_socket_perms;
-allow uml_switch_t uml_switch_var_run_t:sock_file create_file_perms;
-allow initrc_t uml_switch_var_run_t:sock_file setattr;
-rw_dir_create_file(initrc_t, uml_switch_var_run_t)
diff --git a/mls/domains/program/unused/uml_net.te b/mls/domains/program/unused/uml_net.te
deleted file mode 100644
index da3fe34..0000000
--- a/mls/domains/program/unused/uml_net.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC uml_net helper program for user-mode Linux
-#
-# Author: Russell Coker <russell@coker.com.au>
-#
-# WARNING: Do not install this file on any machine that has hostile users.
-
-type uml_net_t, domain, privlog;
-type uml_net_exec_t, file_type, sysadmfile, exec_type;
-in_user_role(uml_net_t)
-allow uml_net_t self:process { fork signal_perms };
-allow uml_net_t { bin_t sbin_t }:dir search;
-allow uml_net_t self:fifo_file { read write };
-allow uml_net_t device_t:dir search;
-allow uml_net_t self:udp_socket { create ioctl };
-uses_shlib(uml_net_t)
-allow uml_net_t devtty_t:chr_file { read write };
-allow uml_net_t etc_runtime_t:file { getattr read };
-allow uml_net_t etc_t:file { getattr read };
-allow uml_net_t { proc_t sysctl_t sysctl_net_t }:dir search;
-allow uml_net_t proc_t:file { getattr read };
-
-# if you want ip_forward to be set then you should set it yourself
-dontaudit uml_net_t { sysctl_t sysctl_net_t }:dir search;
-dontaudit uml_net_t sysctl_net_t:file write;
-
-dontaudit ifconfig_t uml_net_t:udp_socket { read write };
-dontaudit uml_net_t self:capability sys_module;
-
-allow uml_net_t tun_tap_device_t:chr_file { read write getattr ioctl };
-can_exec(uml_net_t, { shell_exec_t sbin_t })
diff --git a/mls/domains/program/unused/uptimed.te b/mls/domains/program/unused/uptimed.te
deleted file mode 100644
index 0c9b1c7..0000000
--- a/mls/domains/program/unused/uptimed.te
+++ /dev/null
@@ -1,37 +0,0 @@
-#DESC uptimed - a uptime daemon
-#
-# Author:  Carsten Grohmann <carsten@securityenhancedlinux.de>
-#
-# Date:  19. June 2003 
-#
-
-#################################
-#
-# General Types
-#
-
-type uptimed_spool_t, file_type, sysadmfile;
-
-#################################
-#
-# Rules for the uptimed_t domain.
-#
-daemon_domain(uptimed, `,privmail')
-etc_domain(uptimed)
-typealias uptimed_etc_t alias etc_uptimed_t;
-file_type_auto_trans(uptimed_t, var_spool_t, uptimed_spool_t)
-allow uptimed_t proc_t:file { getattr read };
-read_locale(uptimed_t)
-allow uptimed_t uptimed_spool_t:file create_file_perms;
-allow uptimed_t self:unix_dgram_socket create_socket_perms;
-
-# to send mail
-can_exec(uptimed_t, shell_exec_t)
-allow uptimed_t { bin_t sbin_t }:dir search;
-allow uptimed_t bin_t:lnk_file read;
-allow uptimed_t etc_runtime_t:file { getattr read };
-allow uptimed_t self:fifo_file { getattr write };
-
-# rules for uprecords - it runs in the user context
-allow userdomain uptimed_spool_t:dir search;
-allow userdomain uptimed_spool_t:file { getattr read };
diff --git a/mls/domains/program/unused/uwimapd.te b/mls/domains/program/unused/uwimapd.te
deleted file mode 100644
index f1f5831..0000000
--- a/mls/domains/program/unused/uwimapd.te
+++ /dev/null
@@ -1,47 +0,0 @@
-#DESC uw-imapd-ssl server
-#
-# Author:  Ed Street <edstreet@street-tek.com>
-# X-Debian-Packages: uw-imapd (was uw-imapd-ssl)
-# Depends: inetd.te
-#
-
-daemon_domain(imapd, `, auth_chkpwd, privhome')
-tmp_domain(imapd)
-
-can_network_server_tcp(imapd_t)
-allow imapd_t port_type:tcp_socket name_connect;
-
-#declare our own services
-allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
-allow imapd_t pop_port_t:tcp_socket name_bind;
-
-#declare this a socket from inetd
-allow imapd_t self:unix_dgram_socket { sendto create_socket_perms };
-allow imapd_t self:unix_stream_socket create_socket_perms;
-domain_auto_trans(inetd_t, imapd_exec_t, imapd_t)
-ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, imapd_exec_t, imapd_t)')
-
-#friendly stuff we dont want to see :)
-dontaudit imapd_t bin_t:dir search;
-
-#read /etc/ for hostname nsswitch.conf
-allow imapd_t etc_t:file { getattr read };
-
-#socket i/o stuff
-allow imapd_t inetd_t:tcp_socket { read write ioctl getattr };
-
-#read resolv.conf
-allow imapd_t net_conf_t:file { getattr read };
-
-#urandom, for ssl
-allow imapd_t random_device_t:chr_file read;
-allow imapd_t urandom_device_t:chr_file { read getattr };
-
-allow imapd_t self:fifo_file rw_file_perms;
-
-#mail directory
-rw_dir_file(imapd_t, mail_spool_t)
-
-#home directory
-allow imapd_t home_root_t:dir search;
-allow imapd_t self:file { read getattr };
diff --git a/mls/domains/program/unused/vmware.te b/mls/domains/program/unused/vmware.te
deleted file mode 100644
index fcda9b8..0000000
--- a/mls/domains/program/unused/vmware.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#DESC VMWare - Virtual machine
-#
-# Domains,types and permissions for running VMWare (the program) and for
-# running a SELinux system in a VMWare session (the VMWare-tools).
-#
-# Based on work contributed by Mark Westerman (mark.westerman@westcam.com), 
-# modifications by NAI Labs.
-#
-# Domain is for the VMWare admin programs and daemons.
-# X-Debian-Packages:
-#
-# NOTE: The user vmware domain is provided separately in 
-# macros/program/vmware_macros.te
-# 
-# Next two domains are create by the daemon_domain() macro.
-# The vmware_t domain is for running VMWare daemons
-# The vmware_exec_t type is for the VMWare daemon and admin programs.
-#
-# quick hack making it privhome, should have a domain for each user in a macro
-daemon_domain(vmware, `, privhome')
-
-#
-# The vmware_user_exec_t type is for the user programs.
-#
-type vmware_user_exec_t, file_type, sysadmfile, exec_type;
-
-# Type for vmware devices.
-type vmware_device_t, device_type, dev_fs;
-
-# The sys configuration used for the /etc/vmware configuration files
-type vmware_sys_conf_t, file_type, sysadmfile;
-
-#########################################################################
-# Additional rules to start/stop VMWare
-#
-
-# Give init access to VMWare configuration files
-allow initrc_t vmware_sys_conf_t:file { ioctl read append };
-
-#
-# Rules added to kernel_t domain for VMWare to start up
-#
-# VMWare need access to pcmcia devices for network
-ifdef(`cardmgr.te', `
-allow kernel_t cardmgr_var_lib_t:dir { getattr search };
-allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
-')
-
-# Vmware create network devices
-allow kernel_t self:capability net_admin;
-allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
-allow kernel_t self:socket create;
diff --git a/mls/domains/program/unused/watchdog.te b/mls/domains/program/unused/watchdog.te
deleted file mode 100644
index 01ceea8..0000000
--- a/mls/domains/program/unused/watchdog.te
+++ /dev/null
@@ -1,55 +0,0 @@
-#DESC Watchdog - Software watchdog daemon
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: watchdog
-#
-
-#################################
-#
-# Rules for the watchdog_t domain.
-#
-
-daemon_domain(watchdog, `, privmail')
-type watchdog_device_t, device_type, dev_fs;
-
-allow watchdog_t self:process setsched;
-
-log_domain(watchdog)
-
-allow watchdog_t etc_t:file r_file_perms;
-allow watchdog_t etc_t:lnk_file read;
-allow watchdog_t self:unix_dgram_socket create_socket_perms;
-
-allow watchdog_t proc_t:file r_file_perms;
-
-allow watchdog_t self:capability { ipc_lock sys_pacct sys_nice sys_resource };
-allow watchdog_t self:fifo_file rw_file_perms;
-allow watchdog_t self:unix_stream_socket create_socket_perms;
-can_network(watchdog_t)
-allow watchdog_t port_type:tcp_socket name_connect;
-can_ypbind(watchdog_t)
-allow watchdog_t bin_t:dir search;
-allow watchdog_t bin_t:lnk_file read;
-allow watchdog_t init_t:process signal;
-allow watchdog_t kernel_t:process sigstop;
-
-allow watchdog_t watchdog_device_t:chr_file { getattr write };
-
-# for orderly shutdown
-can_exec(watchdog_t, shell_exec_t)
-allow watchdog_t domain:process { signal_perms getsession };
-allow watchdog_t self:capability kill;
-allow watchdog_t sbin_t:dir search;
-
-# for updating mtab on umount
-file_type_auto_trans(watchdog_t, etc_t, etc_runtime_t, file)
-
-allow watchdog_t self:capability { sys_admin net_admin sys_boot };
-allow watchdog_t fixed_disk_device_t:blk_file swapon;
-allow watchdog_t { proc_t fs_t }:filesystem unmount;
-
-# record the fact that we are going down
-allow watchdog_t wtmp_t:file append;
-
-# do not care about saving the random seed
-dontaudit watchdog_t { urandom_device_t random_device_t }:chr_file read;
diff --git a/mls/domains/program/unused/xauth.te b/mls/domains/program/unused/xauth.te
deleted file mode 100644
index 6382d77..0000000
--- a/mls/domains/program/unused/xauth.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC Xauth - X authority file utility
-#
-# Domains for the xauth program.
-# X-Debian-Packages: xbase-clients
-
-# Author: Russell Coker <russell@coker.com.au>
-#
-# xauth_exec_t is the type of the xauth executable.
-#
-type xauth_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the xauth_domain macro in
-# macros/program/xauth_macros.te.
diff --git a/mls/domains/program/unused/xdm.te b/mls/domains/program/unused/xdm.te
deleted file mode 100644
index e3e9c8d..0000000
--- a/mls/domains/program/unused/xdm.te
+++ /dev/null
@@ -1,376 +0,0 @@
-#DESC XDM - X Display Manager
-#
-# Authors:  Mark Westerman mark.westerman@westcam.com
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: gdm xdm wdm kdm
-# Depends: xserver.te
-#
-# Some wdm-specific changes by Tom Vogt <tom@lemuria.org>
-# 
-# Some alterations and documentation by Stephen Smalley <sds@epoch.ncsc.mil>
-#
-
-#################################
-# 
-# Rules for the xdm_t domain.
-#
-# xdm_t is the domain of a X Display Manager process 
-# spawned by getty.
-# xdm_exec_t is the type of the [xgkw]dm program
-#
-daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain')
-
-# for running xdm from init
-domain_auto_trans(init_t, xdm_exec_t, xdm_t)
-
-allow xdm_t xdm_var_run_t:dir setattr;
-
-# for xdmctl
-allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
-allow initrc_t xdm_var_run_t:fifo_file unlink;
-file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file)
-file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, dir)
-
-tmp_domain(xdm, `', `{ file dir sock_file }')
-var_lib_domain(xdm)
-# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
-# handle of a file inside the dir!!!
-allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
-dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
-allow xdm_xserver_t xdm_var_run_t:file { getattr read };
-type xsession_exec_t, file_type, sysadmfile, exec_type;
-type xdm_rw_etc_t, file_type, sysadmfile;
-typealias xdm_rw_etc_t alias etc_xdm_t;
-
-allow xdm_t default_context_t:dir search;
-allow xdm_t default_context_t:{ file lnk_file } { read getattr };
-
-can_network(xdm_t)
-allow xdm_t port_type:tcp_socket name_connect;
-allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow xdm_t self:unix_dgram_socket create_socket_perms;
-allow xdm_t self:fifo_file rw_file_perms;
-
-allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow xdm_t xdm_xserver_t:process signal;
-can_unix_connect(xdm_t, xdm_xserver_t)
-allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
-allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
-allow xdm_xserver_t xdm_t:process signal;
-# for reboot
-allow xdm_t initctl_t:fifo_file write;
-
-# init script wants to check if it needs to update windowmanagerlist
-allow initrc_t xdm_rw_etc_t:file { getattr read };
-ifdef(`distro_suse', `
-# set permissions on /tmp/.X11-unix
-allow initrc_t xdm_tmp_t:dir setattr;
-')
-
-#
-# Use capabilities.
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner };
-
-allow xdm_t { urandom_device_t random_device_t }:chr_file { getattr read ioctl };
-
-# Transition to user domains for user sessions.
-domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain)
-allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto;
-allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms;
-allow unpriv_userdomain xdm_xserver_t:fd use;
-allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read };
-allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms;
-allow xdm_xserver_t unpriv_userdomain:fd use;
-
-# Do not audit user access to the X log files due to file handle inheritance
-dontaudit unpriv_userdomain xserver_log_t:file { write append };
-
-# gnome-session creates socket under /tmp/.ICE-unix/
-allow unpriv_userdomain xdm_tmp_t:dir rw_dir_perms;
-allow unpriv_userdomain xdm_tmp_t:sock_file create;
-
-# Allow xdm logins as sysadm_r:sysadm_t
-bool xdm_sysadm_login false;
-if (xdm_sysadm_login) {
-domain_trans(xdm_t, xsession_exec_t, sysadm_t)
-allow sysadm_t xdm_xserver_t:unix_stream_socket connectto;
-allow sysadm_t xdm_xserver_t:shm r_shm_perms;
-allow sysadm_t xdm_xserver_t:fd use;
-allow sysadm_t xdm_xserver_tmpfs_t:file { getattr read };
-allow xdm_xserver_t sysadm_t:shm rw_shm_perms;
-allow xdm_xserver_t sysadm_t:fd use;
-}
-can_setexec(xdm_t)
-
-# Label pid and temporary files with derived types.
-rw_dir_create_file(xdm_xserver_t, xdm_tmp_t)
-allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms;
-
-# Run helper programs.
-allow xdm_t etc_t:file { getattr read };
-allow xdm_t bin_t:dir { getattr search };
-# lib_t is for running cpp
-can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t })
-allow xdm_t { bin_t sbin_t }:lnk_file read;
-ifdef(`hostname.te', `can_exec(xdm_t, hostname_exec_t)')
-ifdef(`loadkeys.te', `can_exec(xdm_t, loadkeys_exec_t)')
-allow xdm_t xdm_xserver_t:process sigkill;
-allow xdm_t xdm_xserver_tmp_t:file unlink;
-
-# Access devices.
-allow xdm_t device_t:dir { read search };
-allow xdm_t console_device_t:chr_file setattr;
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
-allow xdm_t framebuf_device_t:chr_file { getattr setattr };
-allow xdm_t mouse_device_t:chr_file { getattr setattr };
-allow xdm_t apm_bios_t:chr_file { setattr getattr read write };
-allow xdm_t dri_device_t:chr_file rw_file_perms;
-allow xdm_t device_t:dir rw_dir_perms;
-allow xdm_t agp_device_t:chr_file rw_file_perms;
-allow xdm_t { xserver_misc_device_t misc_device_t }:chr_file { setattr getattr };
-allow xdm_t v4l_device_t:chr_file { setattr getattr };
-allow xdm_t scanner_device_t:chr_file { setattr getattr };
-allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr };
-allow xdm_t device_t:lnk_file read;
-can_resmgrd_connect(xdm_t)
-
-# Access xdm log files.
-file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file)
-allow xdm_t xserver_log_t:dir rw_dir_perms;
-allow xdm_t xserver_log_t:dir setattr;
-# Access /var/gdm/.gdmfifo.
-allow xdm_t xserver_log_t:fifo_file create_file_perms;
-
-allow xdm_t self:shm create_shm_perms;
-allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto;
-allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms;
-allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use;
-allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read };
-allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms;
-allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use;
-
-# Remove /tmp/.X11-unix/X0.
-allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
-allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
-
-ifdef(`gpm.te', `
-# Talk to the console mouse server.
-allow xdm_t gpmctl_t:sock_file { getattr setattr write };
-allow xdm_t gpm_t:unix_stream_socket connectto;
-')
-
-allow xdm_t sysfs_t:dir search;
-
-# Update utmp and wtmp.
-allow xdm_t initrc_var_run_t: file { read write lock };
-allow xdm_t wtmp_t:file append;
-
-# Update lastlog.
-allow xdm_t lastlog_t:file rw_file_perms;
-
-# Ask the security server for SIDs for user sessions.
-can_getsecurity(xdm_t)
-
-tmpfs_domain(xdm)
-
-# Need to further investigate these permissions and
-# perhaps define derived types.
-allow xdm_t var_lib_t:dir { write search add_name remove_name  create unlink };
-allow xdm_t var_lib_t:file { create write unlink };
-
-lock_domain(xdm)
-
-# Connect to xfs.
-ifdef(`xfs.te', `
-allow xdm_t xfs_tmp_t:dir search;
-allow xdm_t xfs_tmp_t:sock_file write;
-can_unix_connect(xdm_t, xfs_t)
-')
-
-allow xdm_t self:process { setpgid setsched };
-allow xdm_t etc_t:lnk_file read;
-allow xdm_t etc_runtime_t:file { getattr read };
-
-# wdm has its own config dir /etc/X11/wdm
-# this is ugly, daemons should not create files under /etc!
-allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
-allow xdm_t xdm_rw_etc_t:file create_file_perms;
-
-# Signal any user domain.
-allow xdm_t userdomain:process signal_perms;
-
-allow xdm_t proc_t:file { getattr read };
-
-read_sysctl(xdm_t)
-
-# Search /proc for any user domain processes.
-allow xdm_t userdomain:dir r_dir_perms;
-allow xdm_t userdomain:{ file lnk_file } r_file_perms;
-
-# Allow xdm access to the user domains
-allow xdm_t home_root_t:dir search;
-allow xdm_xserver_t home_root_t:dir search;
-
-# Do not audit denied attempts to access devices.
-dontaudit xdm_t {removable_device_t fixed_disk_device_t}:{ chr_file blk_file } {setattr rw_file_perms};
-dontaudit xdm_t device_t:file_class_set rw_file_perms;
-dontaudit xdm_t misc_device_t:file_class_set rw_file_perms;
-dontaudit xdm_t removable_device_t:file_class_set rw_file_perms;
-dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms;
-dontaudit xdm_t devpts_t:dir search;
-
-# Do not audit denied probes of /proc.
-dontaudit xdm_t domain:dir r_dir_perms;
-dontaudit xdm_t domain:{ file lnk_file } r_file_perms;
-
-# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
-allow xdm_t usr_t:{ lnk_file file } { getattr read };
-
-# Read fonts
-read_fonts(xdm_t)
-
-# Do not audit attempts to write to index files under /usr
-dontaudit xdm_t usr_t:file write;
-
-# Do not audit access to /root
-dontaudit xdm_t sysadm_home_dir_t:dir { getattr search };
-
-# Do not audit user access to the X log files due to file handle inheritance
-dontaudit unpriv_userdomain xserver_log_t:file { write append };
-
-# Do not audit attempts to check whether user root has email
-dontaudit xdm_t { var_spool_t mail_spool_t }:dir search;
-dontaudit xdm_t mail_spool_t:file getattr;
-
-# Access sound device.
-allow xdm_t sound_device_t:chr_file { setattr getattr };
-
-# Allow setting of attributes on power management devices.
-allow xdm_t power_device_t:chr_file { getattr setattr };
-
-# Run the X server in a derived domain.
-xserver_domain(xdm)
-
-ifdef(`rhgb.te', `
-allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
-allow xdm_xserver_t ramfs_t:file create_file_perms;
-allow rhgb_t xdm_xserver_t:process signal;
-')
-
-# Unrestricted inheritance.
-allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh };
-
-# Run xkbcomp.
-allow xdm_xserver_t var_lib_t:dir search;
-allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
-can_exec(xdm_xserver_t, xkb_var_lib_t)
-
-# Insert video drivers.  
-allow xdm_xserver_t self:capability mknod;
-allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
-domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t)
-allow insmod_t xserver_log_t:file write;
-allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
-
-# Read /proc/dri/.*
-allow xdm_xserver_t proc_t:dir { search read };
-
-# Search /var/run.
-allow xdm_xserver_t var_run_t:dir search;
-
-# FIXME: After per user fonts are properly working
-# xdm_xserver_t may no longer have any reason
-# to read ROLE_home_t - examine this in more detail
-# (xauth?)
-
-# Search home directories.
-allow xdm_xserver_t user_home_type:dir search;
-allow xdm_xserver_t user_home_type:file { getattr read };
-
-if (use_nfs_home_dirs) {
-allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr };
-allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms;
-allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms;
-can_exec(xdm_t, nfs_t)
-}
-
-if (use_samba_home_dirs) {
-allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms;
-allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms;
-can_exec(xdm_t, cifs_t)
-}
-
-# for .dmrc
-allow xdm_t user_home_dir_type:dir { getattr search };
-allow xdm_t user_home_type:file { getattr read };
-
-ifdef(`support_polyinstatiation', `
-# xdm_t can polyinstantiate
-polyinstantiater(xdm_t)
-# xdm needs access for linking .X11-unix to poly /tmp
-allow xdm_t polymember:dir { add_name remove_name write };
-allow xdm_t polymember:lnk_file { create unlink };
-# xdm needs access for copying .Xauthority into new home
-allow xdm_t polymember:file { create getattr write };
-')
-
-allow xdm_t mnt_t:dir { getattr read search };
-#
-# Wants to delete .xsession-errors file
-#
-allow xdm_t user_home_type:file unlink;
-#
-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
-#
-ifdef(`pam.te', `
-allow xdm_t pam_var_run_t:dir create_dir_perms;
-allow xdm_t pam_var_run_t:file create_file_perms;
-allow pam_t xdm_t:fifo_file { getattr ioctl write };
-domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t)
-can_exec(xdm_t, pam_exec_t)
-# For pam_console
-rw_dir_create_file(xdm_t, pam_var_console_t)
-')
-
-# Pamconsole/alsa 
-ifdef(`alsa.te', `
-domain_auto_trans(xdm_t, alsa_exec_t, alsa_t)
-') dnl ifdef
-
-allow xdm_t var_log_t:file { getattr read };
-allow xdm_t self:capability { sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process setrlimit;
-allow xdm_t wtmp_t:file { getattr read };
-
-domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t)
-#
-# Poweroff wants to create the /poweroff file when run from xdm
-#
-file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)
-
-#
-# xdm tries to bind to biff_port_t
-#
-dontaudit xdm_t port_type:tcp_socket name_bind;
-
-# VNC v4 module in X server
-allow xdm_xserver_t vnc_port_t:tcp_socket name_bind; 
-ifdef(`crack.te', `
-allow xdm_t crack_db_t:file r_file_perms;
-')
-r_dir_file(xdm_t, selinux_config_t)
-
-# Run telinit->init to shutdown.
-can_exec(xdm_t, init_exec_t)
-allow xdm_t self:sem create_sem_perms;
-
-# Allow gdm to run gdm-binary
-can_exec(xdm_t, xdm_exec_t)
-
-# Supress permission check on .ICE-unix
-dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
-
-#### Also see xdm_macros.te
-ifdef(`use_mcs', `
-range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
-')
diff --git a/mls/domains/program/unused/xprint.te b/mls/domains/program/unused/xprint.te
deleted file mode 100644
index e1af323..0000000
--- a/mls/domains/program/unused/xprint.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#DESC X print server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: xprt-xprintorg
-#
-
-#################################
-#
-# Rules for the xprint_t domain.
-#
-# xprint_exec_t is the type of the xprint executable.
-#
-daemon_domain(xprint)
-
-allow initrc_t readable_t:dir r_dir_perms;
-allow initrc_t fonts_t:dir r_dir_perms;
-
-allow xprint_t var_lib_t:dir search;
-allow xprint_t fonts_t:dir r_dir_perms;
-allow xprint_t fonts_t:file { getattr read };
-
-allow xprint_t { bin_t sbin_t }:dir search;
-can_exec(xprint_t, { bin_t sbin_t ls_exec_t shell_exec_t })
-allow xprint_t bin_t:lnk_file { getattr read };
-
-allow xprint_t tmp_t:dir { getattr search };
-ifdef(`xdm.te', `
-allow xprint_t xdm_xserver_tmp_t:dir rw_dir_perms;
-allow xprint_t xdm_xserver_tmp_t:sock_file create_file_perms;
-')
-
-# Use the network.
-can_network_server(xprint_t)
-can_ypbind(xprint_t)
-allow xprint_t self:fifo_file rw_file_perms;
-allow xprint_t self:unix_stream_socket create_stream_socket_perms;
-
-allow xprint_t proc_t:file { getattr read };
-allow xprint_t self:file { getattr read };
-
-# read config files
-allow xprint_t { etc_t etc_runtime_t }:file { getattr read };
-ifdef(`cups.te', `
-allow xprint_t cupsd_etc_t:dir search;
-allow xprint_t cupsd_etc_t:file { getattr read };
-')
-
-r_dir_file(xprint_t, usr_t)
-
-allow xprint_t urandom_device_t:chr_file { getattr read };
diff --git a/mls/domains/program/unused/xserver.te b/mls/domains/program/unused/xserver.te
deleted file mode 100644
index cc2c493..0000000
--- a/mls/domains/program/unused/xserver.te
+++ /dev/null
@@ -1,20 +0,0 @@
-#DESC XServer - X Server
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
-# X-Debian-Packages: xserver-common xserver-xfree86
-#
-
-# Type for the executable used to start the X server, e.g. Xwrapper.
-type xserver_exec_t, file_type, sysadmfile, exec_type;
-
-# Type for the X server log file.
-type xserver_log_t, file_type, sysadmfile, logfile;
-
-# type for /var/lib/xkb
-type xkb_var_lib_t, file_type, sysadmfile, usercanread;
-typealias xkb_var_lib_t alias var_lib_xkb_t;
-
-# Everything else is in the xserver_domain macro in
-# macros/program/xserver_macros.te.
-
-allow initrc_t xserver_log_t:fifo_file { read write };
diff --git a/mls/domains/program/unused/yam.te b/mls/domains/program/unused/yam.te
deleted file mode 100644
index da85a8c..0000000
--- a/mls/domains/program/unused/yam.te
+++ /dev/null
@@ -1,149 +0,0 @@
-# DESC yam - Yum/Apt Mirroring
-#
-# Author: David Hampton <hampton@employees.org>
-#
-
-
-#
-# Yam downloads lots of files, indexes them, and makes them available
-# for upload.  Define a type for these file.
-#
-type yam_content_t, file_type, sysadmfile, httpdcontent;
-
-
-#
-# Common definitions used by both the command line and the cron
-# invocation of yam.
-#
-define(`yam_common',`
-
-# Update the content being managed by yam.
-create_dir_file($1_t, yam_content_t)
-
-# Content can also be on ISO image files.
-r_dir_file($1_t, iso9660_t)
-
-# Need to go through /var to get to /var/yam
-# Go through /var/www to get to /var/www/yam
-allow $1_t var_t:dir { getattr search };
-allow $1_t httpd_sys_content_t:dir { getattr search };
-
-# Allow access to locale database,  nsswitch, and mtab
-read_locale($1_t)
-allow $1_t etc_t:file { getattr read };
-allow $1_t etc_runtime_t:file { getattr read };
-
-# Python seems to need things from various places
-allow $1_t { bin_t sbin_t }:dir { search getattr };
-allow $1_t { bin_t sbin_t lib_t usr_t }:file { getattr read };
-allow $1_t bin_t:lnk_file read;
-
-# Python works fine without reading /proc/meminfo
-dontaudit $1_t proc_t:dir search;
-dontaudit $1_t proc_t:file { getattr read };
-
-# Yam wants to run rsync, lftp, mount, and a shell.  Allow the latter
-# two here.  Run rsync and lftp in the yam_t context so that we dont
-# have to give any other programs write access to the yam_t files.
-general_domain_access($1_t)
-can_exec($1_t, shell_exec_t)
-can_exec($1_t, rsync_exec_t)
-can_exec($1_t, bin_t)
-can_exec($1_t, usr_t) #/usr/share/createrepo/genpkgmetadata.py
-ifdef(`mount.te', `
-domain_auto_trans($1_t, mount_exec_t, mount_t)
-')
-
-# Rsync and lftp need to network.  They also set files attributes to
-# match whats on the remote server.
-can_network_client($1_t)
-allow $1_t { http_port_t rsync_port_t }:tcp_socket name_connect;
-allow $1_t self:capability { chown fowner fsetid dac_override };
-allow $1_t self:process execmem;
-
-# access to sysctl_kernel_t ( proc/sys/kernel/* )
-read_sysctl($1_t)
-
-# Programs invoked to build package lists need various permissions.
-# genpkglist creates tmp files in /var/cache/apt/genpkglist
-allow $1_t var_t:file { getattr read write };
-allow $1_t var_t:dir read;
-# mktemp
-allow $1_t urandom_device_t:chr_file read;
-# mv
-allow $1_t proc_t:lnk_file read;
-allow $1_t selinux_config_t:dir search;
-allow $1_t selinux_config_t:file { getattr read };
-')
-
-
-##########
-##########
-
-#
-# Runnig yam from the command line
-#
-application_domain(yam, `, nscd_client_domain')
-role system_r types yam_t;
-yam_common(yam)
-etc_domain(yam)
-tmp_domain(yam)
-
-# Terminal access
-allow yam_t devpts_t:dir search;
-allow yam_t devtty_t:chr_file { read write };
-allow yam_t sshd_t:fd use;
-allow yam_t sysadm_devpts_t:chr_file { getattr ioctl read write };
-
-# Reading dotfiles...
-allow yam_t sysadm_home_dir_t:dir search;		# /root
-allow yam_t sysadm_home_t:dir search;			# /root/xxx
-allow yam_t home_root_t:dir search;			# /home
-allow yam_t user_home_dir_t:dir r_dir_perms;		# /home/user
-
-
-##########
-##########
-
-#
-# Running yam from cron
-#
-application_domain(yam_crond, `, nscd_client_domain')
-role system_r types yam_crond_t;
-ifdef(`crond.te', `
-system_crond_entry(yam_exec_t, yam_crond_t)
-')
-
-yam_common(yam_crond)
-allow yam_crond_t yam_etc_t:file r_file_perms;
-file_type_auto_trans(yam_crond_t, tmp_t, yam_tmp_t, `{ file dir }')
-
-allow yam_crond_t devtty_t:chr_file { read write };
-
-# Reading dotfiles...
-# LFTP uses a directory for its dotfiles
-allow yam_crond_t default_t:dir search;
-
-# Don't know why init tries to read this.
-allow initrc_t yam_etc_t:file { getattr read };
-
-
-##########
-##########
-
-# The whole point of this program is to make updates available on a
-# local web server.  Allow apache access to these files.
-ifdef(`apache.te', `
-r_dir_file(httpd_t, yam_content_t)
-')
-
-ifdef(`webalizer.te', `
-dontaudit webalizer_t yam_content_t:dir search;
-')
-
-# Mount needs access to the yam directories in order to mount the ISO
-# files on a loobpack file system.
-ifdef(`mount.te', `
-allow mount_t yam_content_t:dir mounton;
-allow mount_t yam_content_t:file { read write };
-')
diff --git a/mls/domains/program/updfstab.te b/mls/domains/program/updfstab.te
deleted file mode 100644
index 82edf3d..0000000
--- a/mls/domains/program/updfstab.te
+++ /dev/null
@@ -1,81 +0,0 @@
-#DESC updfstab - Red Hat utility to change /etc/fstab
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-daemon_base_domain(updfstab, `, fs_domain, etc_writer')
-
-rw_dir_create_file(updfstab_t, etc_t)
-create_dir_file(updfstab_t, mnt_t)
-
-# Read /dev directories and modify sym-links
-allow updfstab_t device_t:dir rw_dir_perms;
-allow updfstab_t device_t:lnk_file create_file_perms;
-
-# Access disk devices.
-allow updfstab_t fixed_disk_device_t:blk_file rw_file_perms;
-allow updfstab_t removable_device_t:blk_file rw_file_perms;
-allow updfstab_t scsi_generic_device_t:chr_file rw_file_perms;
-
-# for /proc/partitions
-allow updfstab_t proc_t:file { getattr read };
-
-# for /proc/self/mounts
-r_dir_file(updfstab_t, self)
-
-# for /etc/mtab
-allow updfstab_t etc_runtime_t:file { getattr read };
-
-read_locale(updfstab_t)
-
-ifdef(`dbusd.te', `
-dbusd_client(system, updfstab)
-allow updfstab_t system_dbusd_t:dbus { send_msg };
-allow initrc_t updfstab_t:dbus send_msg;
-allow updfstab_t initrc_t:dbus send_msg;
-')
-
-# not sure what the sysctl_kernel_t file is, or why it wants to write it, so
-# I will not allow it
-read_sysctl(updfstab_t)
-dontaudit updfstab_t sysctl_kernel_t:file write;
-allow updfstab_t modules_conf_t:file { getattr read };
-allow updfstab_t sbin_t:dir search;
-allow updfstab_t sbin_t:lnk_file read;
-allow updfstab_t { var_t var_log_t }:dir search;
-
-allow updfstab_t kernel_t:fd use;
-
-allow updfstab_t self:unix_stream_socket create_stream_socket_perms;
-allow updfstab_t self:unix_dgram_socket create_socket_perms;
-
-ifdef(`modutil.te', `
-dnl domain_auto_trans(updfstab_t, insmod_exec_t, insmod_t)
-can_exec(updfstab_t, insmod_exec_t)
-allow updfstab_t modules_object_t:dir search;
-allow updfstab_t modules_dep_t:file { getattr read };
-')
-
-ifdef(`pamconsole.te', `
-domain_auto_trans(updfstab_t, pam_console_exec_t, pam_console_t)
-')
-allow updfstab_t kernel_t:system syslog_console;
-allow updfstab_t sysadm_tty_device_t:chr_file { read write };
-allow updfstab_t self:capability dac_override;
-dontaudit updfstab_t self:capability sys_admin;
-
-r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
-can_getsecurity(updfstab_t)
-
-allow updfstab_t { sbin_t bin_t }:dir { search getattr };
-dontaudit updfstab_t devtty_t:chr_file { read write };
-allow updfstab_t self:fifo_file { getattr read write ioctl };
-can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
-dontaudit updfstab_t home_root_t:dir { getattr search };
-dontaudit updfstab_t { home_dir_type home_type }:dir search;
-allow updfstab_t fs_t:filesystem { getattr };
-allow updfstab_t tmpfs_t:dir getattr;
-ifdef(`hald.te', `
-can_unix_connect(updfstab_t, hald_t)
-')
-
diff --git a/mls/domains/program/usbmodules.te b/mls/domains/program/usbmodules.te
deleted file mode 100644
index f76f56b..0000000
--- a/mls/domains/program/usbmodules.te
+++ /dev/null
@@ -1,35 +0,0 @@
-#DESC USBModules - List kernel modules for USB devices
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages:
-#
-
-#################################
-#
-# Rules for the usbmodules_t domain.
-#
-type usbmodules_t, domain, privlog;
-type usbmodules_exec_t, file_type, sysadmfile, exec_type;
-
-in_user_role(usbmodules_t)
-role sysadm_r types usbmodules_t;
-role system_r types usbmodules_t;
-
-domain_auto_trans(initrc_t, usbmodules_exec_t, usbmodules_t)
-ifdef(`hotplug.te',`
-domain_auto_trans(hotplug_t, usbmodules_exec_t, usbmodules_t)
-allow usbmodules_t hotplug_etc_t:file r_file_perms;
-allow usbmodules_t hotplug_etc_t:dir search;
-')
-allow usbmodules_t init_t:fd use;
-allow usbmodules_t console_device_t:chr_file { read write };
-
-uses_shlib(usbmodules_t)
-
-# allow usb device access
-allow usbmodules_t usbdevfs_t:file rw_file_perms;
-
-allow usbmodules_t { etc_t modules_object_t proc_t usbdevfs_t }:dir r_dir_perms;
-
-# needs etc_t read access for the hotplug config, maybe should have a new type
-allow usbmodules_t { etc_t modules_dep_t }:file r_file_perms;
diff --git a/mls/domains/program/useradd.te b/mls/domains/program/useradd.te
deleted file mode 100644
index 1df38af..0000000
--- a/mls/domains/program/useradd.te
+++ /dev/null
@@ -1,108 +0,0 @@
-#DESC Useradd - Manage system user accounts
-#
-# Authors:  Chris Vance <cvance@tislabs.com>  David Caplan <dac@tresys.com>
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: passwd
-#
-
-#################################
-#
-# Rules for the useradd_t and groupadd_t domains.
-#
-# useradd_t is the domain of the useradd/userdel programs.
-# groupadd_t is for adding groups (can not create home dirs)
-#
-define(`user_group_add_program', `
-type $1_t, domain, privlog, auth_write, privowner, nscd_client_domain;
-role sysadm_r types $1_t;
-role system_r types $1_t;
-
-general_domain_access($1_t)
-uses_shlib($1_t)
-
-type $1_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
-domain_auto_trans(initrc_t, $1_exec_t, $1_t)
-
-# Use capabilities.
-allow $1_t self:capability { dac_override chown kill };
-
-# Allow access to context for shadow file
-can_getsecurity($1_t)
-
-# Inherit and use descriptors from login.
-allow $1_t { init_t privfd }:fd use;
-
-# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
-allow $1_t { bin_t sbin_t }:dir r_dir_perms;
-can_exec($1_t, { bin_t sbin_t })
-
-# Update /etc/shadow and /etc/passwd
-file_type_auto_trans($1_t, etc_t, shadow_t, file)
-allow $1_t etc_t:file create_file_perms;
-
-# some apps ask for these accesses, but seems to work regardless
-dontaudit $1_t var_run_t:dir search;
-r_dir_file($1_t,  selinux_config_t)
-
-# Set fscreate context.
-can_setfscreate($1_t)
-
-allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
-
-read_locale($1_t)
-
-# useradd/userdel request read/write for /var/log/lastlog, and read of /dev, 
-# but will operate without them.
-dontaudit $1_t { device_t var_t var_log_t }:dir search;
-
-# For userdel and groupadd
-allow $1_t fs_t:filesystem getattr;
-
-# Access terminals.
-allow $1_t ttyfile:chr_file rw_file_perms;
-allow $1_t ptyfile:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
-
-# for when /root is the cwd
-dontaudit $1_t sysadm_home_dir_t:dir search;
-nsswitch_domain($1_t)
-
-allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
-')
-user_group_add_program(useradd)
-allow useradd_t lastlog_t:file { getattr read write };
-
-# for getting the number of groups
-read_sysctl(useradd_t)
-
-# Add/remove user home directories
-file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)
-file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)
-
-# create/delete mail spool file in /var/mail
-allow useradd_t var_spool_t:dir search;
-allow useradd_t mail_spool_t:dir { search write add_name remove_name };
-allow useradd_t mail_spool_t:file create_file_perms;
-# /var/mail is a link to /var/spool/mail
-allow useradd_t mail_spool_t:lnk_file read;
-
-allow useradd_t self:capability { fowner fsetid setuid sys_resource };
-can_exec(useradd_t, shell_exec_t)
-
-# /usr/bin/userdel locks the user being deleted, allow write access to utmp
-allow useradd_t initrc_var_run_t:file { read write lock };
-
-user_group_add_program(groupadd)
-
-dontaudit groupadd_t self:capability fsetid;
-
-allow groupadd_t self:capability { setuid sys_resource };
-allow groupadd_t self:process setrlimit;
-allow groupadd_t initrc_var_run_t:file r_file_perms;
-dontaudit groupadd_t initrc_var_run_t:file write;
-
-allow useradd_t default_context_t:dir search;
-allow useradd_t file_context_t:dir search;
-allow useradd_t file_context_t:file { getattr read };
-allow useradd_t var_lib_t:dir search;
diff --git a/mls/domains/program/userhelper.te b/mls/domains/program/userhelper.te
deleted file mode 100644
index cab6c70..0000000
--- a/mls/domains/program/userhelper.te
+++ /dev/null
@@ -1,22 +0,0 @@
-#DESC Userhelper - SELinux utility to run a shell with a new role
-#
-# Authors:  Dan Walsh (Red Hat)
-# Maintained by Dan Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the userhelper_t domain.
-#
-# userhelper_exec_t is the type of the userhelper executable.
-# userhelper_conf_t is the type of the userhelper configuration files.
-#
-type userhelper_exec_t, file_type, exec_type, sysadmfile;
-type userhelper_conf_t, file_type, sysadmfile;
-
-# Everything else is in the userhelper_domain macro in
-# macros/program/userhelper_macros.te.
-
-ifdef(`xdm.te', `
-dontaudit xdm_t userhelper_conf_t:dir search;
-')
diff --git a/mls/domains/program/usernetctl.te b/mls/domains/program/usernetctl.te
deleted file mode 100644
index 6a2c64f..0000000
--- a/mls/domains/program/usernetctl.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#DESC usernetctl - User network interface configuration helper 
-#
-# Author: Colin Walters <walters@redhat.com>
-
-type usernetctl_exec_t, file_type, sysadmfile, exec_type;
-
-type usernetctl_t, domain, privfd;
-
-if (user_net_control) {
-domain_auto_trans(userdomain, usernetctl_exec_t, usernetctl_t)
-} else {
-can_exec(userdomain, usernetctl_exec_t)
-}
-in_user_role(usernetctl_t)
-role sysadm_r types usernetctl_t;
-
-define(`usernetctl_transition',`
-domain_auto_trans(usernetctl_t, $1_exec_t, $1_t)
-in_user_role($1_t)
-allow $1_t userpty_type:chr_file { getattr read write };
-')
-
-ifdef(`ifconfig.te',`
-usernetctl_transition(ifconfig)
-')
-ifdef(`iptables.te',`
-usernetctl_transition(iptables)
-')
-ifdef(`dhcpc.te',`
-usernetctl_transition(dhcpc)
-allow usernetctl_t dhcp_etc_t:file ra_file_perms;
-')
-ifdef(`modutil.te',`
-usernetctl_transition(insmod)
-')
-ifdef(`consoletype.te',`
-usernetctl_transition(consoletype)
-')
-ifdef(`hostname.te',`
-usernetctl_transition(hostname)
-')
-
-allow usernetctl_t self:capability { setuid setgid dac_override };
-
-base_file_read_access(usernetctl_t)
-base_pty_perms(usernetctl)
-allow usernetctl_t devtty_t:chr_file rw_file_perms;
-uses_shlib(usernetctl_t)
-read_locale(usernetctl_t)
-general_domain_access(usernetctl_t)
-
-r_dir_file(usernetctl_t, proc_t)
-dontaudit usernetctl_t { domain - usernetctl_t }:dir search;
-
-allow usernetctl_t userpty_type:chr_file rw_file_perms;
-
-can_exec(usernetctl_t, { bin_t sbin_t shell_exec_t usernetctl_exec_t})
-can_exec(usernetctl_t, etc_t)
-
-r_dir_file(usernetctl_t, etc_t)
-allow usernetctl_t { var_t var_run_t }:dir { getattr read search };
-allow usernetctl_t etc_runtime_t:file r_file_perms;
-allow usernetctl_t net_conf_t:file r_file_perms;
-
diff --git a/mls/domains/program/utempter.te b/mls/domains/program/utempter.te
deleted file mode 100644
index 92b443f..0000000
--- a/mls/domains/program/utempter.te
+++ /dev/null
@@ -1,51 +0,0 @@
-#DESC Utempter - Privileged helper for utmp/wtmp updates
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages:
-#
-
-#################################
-#
-# Rules for the utempter_t domain.
-#
-# This is the domain for the utempter program.  utempter is
-# executed by xterm to update utmp and wtmp.
-# utempter_exec_t is the type of the utempter binary.
-#
-type utempter_t, domain, nscd_client_domain;
-in_user_role(utempter_t)
-role sysadm_r types utempter_t;
-uses_shlib(utempter_t)
-type utempter_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
-
-allow utempter_t urandom_device_t:chr_file { getattr read };
-
-# Use capabilities.
-allow utempter_t self:capability setgid;
-
-allow utempter_t etc_t:file { getattr read };
-
-# Update /var/run/utmp and /var/log/wtmp.
-allow utempter_t initrc_var_run_t:file rw_file_perms;
-allow utempter_t var_log_t:dir search;
-allow utempter_t wtmp_t:file rw_file_perms;
-
-# dontaudit access to /dev/ptmx.
-dontaudit utempter_t ptmx_t:chr_file rw_file_perms;
-dontaudit utempter_t sysadm_devpts_t:chr_file { read write };
-
-# Allow utemper to write to /tmp/.xses-*
-allow utempter_t user_tmpfile:file { getattr write append };
-
-# Inherit and use descriptors from login.
-allow utempter_t privfd:fd use;
-ifdef(`xdm.te', `can_pipe_xdm(utempter_t)')
-
-allow utempter_t self:unix_stream_socket create_stream_socket_perms;
-
-# Access terminals.
-allow utempter_t ttyfile:chr_file getattr;
-allow utempter_t ptyfile:chr_file getattr;
-allow utempter_t devpts_t:dir search;
-dontaudit utempter_t {ttyfile ptyfile}:chr_file { read write };
diff --git a/mls/domains/program/uucpd.te b/mls/domains/program/uucpd.te
deleted file mode 100644
index 05791bd..0000000
--- a/mls/domains/program/uucpd.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#DESC uucpd - UUCP file transfer daemon
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the uucpd_t domain.
-#
-# uucpd_exec_t is the type of the uucpd executable.
-#
-
-inetd_child_domain(uucpd, tcp)
-type uucpd_rw_t, file_type, sysadmfile;
-type uucpd_ro_t, file_type, sysadmfile;
-type uucpd_spool_t, file_type, sysadmfile;
-create_dir_file(uucpd_t, uucpd_rw_t)
-r_dir_file(uucpd_t, uucpd_ro_t)
-allow uucpd_t sbin_t:dir search;
-can_exec(uucpd_t, sbin_t)
-logdir_domain(uucpd)
-allow uucpd_t var_spool_t:dir search;
-create_dir_file(uucpd_t, uucpd_spool_t)
diff --git a/mls/domains/program/vpnc.te b/mls/domains/program/vpnc.te
deleted file mode 100644
index 01ddac1..0000000
--- a/mls/domains/program/vpnc.te
+++ /dev/null
@@ -1,62 +0,0 @@
-#DESC vpnc
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the vpnc_t domain, et al.
-#
-# vpnc_t is the domain for the vpnc program.
-# vpnc_exec_t is the type of the vpnc executable.
-#
-application_domain(vpnc, `, sysctl_net_writer, nscd_client_domain')
-
-allow vpnc_t { random_device_t urandom_device_t }:chr_file { getattr read };
-
-# Use the network.
-can_network(vpnc_t)
-allow vpnc_t port_type:tcp_socket name_connect;
-allow vpnc_t isakmp_port_t:udp_socket name_bind;
-
-can_ypbind(vpnc_t)
-allow vpnc_t self:socket create_socket_perms;
-
-# Use capabilities.
-allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw };
-
-allow vpnc_t devpts_t:dir search;
-allow vpnc_t etc_t:file { getattr read };
-allow vpnc_t tun_tap_device_t:chr_file { ioctl read write };
-allow vpnc_t self:rawip_socket create_socket_perms;
-allow vpnc_t self:unix_dgram_socket create_socket_perms;
-allow vpnc_t self:unix_stream_socket create_socket_perms;
-allow vpnc_t { devtty_t user_tty_type admin_tty_type }:chr_file rw_file_perms;
-allow vpnc_t port_t:udp_socket name_bind;
-allow vpnc_t etc_runtime_t:file { getattr read };
-allow vpnc_t proc_t:file { getattr read };
-dontaudit vpnc_t selinux_config_t:dir search;
-can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })
-allow vpnc_t sysctl_net_t:dir search;
-allow vpnc_t sysctl_net_t:file write;
-allow vpnc_t sbin_t:dir search;
-allow vpnc_t bin_t:dir search;
-allow vpnc_t bin_t:lnk_file read;
-allow vpnc_t self:dir search;
-r_dir_file(vpnc_t, proc_t)
-r_dir_file(vpnc_t, proc_net_t)
-tmp_domain(vpnc)
-allow vpnc_t self:fifo_file { getattr ioctl read write };
-allow vpnc_t self:file { getattr read };
-allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
-file_type_auto_trans(vpnc_t, etc_t, net_conf_t, file)
-allow vpnc_t etc_t:file { execute execute_no_trans ioctl };
-dontaudit vpnc_t home_root_t:dir search;
-dontaudit vpnc_t user_home_dir_type:dir search;
-var_run_domain(vpnc)
-allow vpnc_t userdomain:fd use;
-r_dir_file(vpnc_t, sysfs_t)
-allow vpnc_t self:process { fork sigchld };
-read_locale(vpnc_t)
-read_sysctl(vpnc_t)
-allow vpnc_t fs_t:filesystem getattr;
diff --git a/mls/domains/program/webalizer.te b/mls/domains/program/webalizer.te
deleted file mode 100644
index c1f38bd..0000000
--- a/mls/domains/program/webalizer.te
+++ /dev/null
@@ -1,51 +0,0 @@
-# DESC webalizer - webalizer
-#
-# Author: Yuichi Nakamura (ynakam @ selinux.gr.jp)
-#
-# Depends: apache.te
-
-application_domain(webalizer, `, nscd_client_domain')
-# to use from cron
-system_crond_entry(webalizer_exec_t,webalizer_t)
-role system_r types webalizer_t;
-
-##type definision
-# type for usage file
-type webalizer_usage_t,file_type,sysadmfile;
-# type for /var/lib/webalizer
-type webalizer_write_t,file_type,sysadmfile;
-# type for webalizer.conf
-etc_domain(webalizer)
-
-#read apache log
-allow webalizer_t var_log_t:dir r_dir_perms;
-r_dir_file(webalizer_t, httpd_log_t)
-ifdef(`ftpd.te', `
-allow webalizer_t xferlog_t:file { getattr read };
-')
-
-#r/w /var/lib/webalizer
-var_lib_domain(webalizer)
-
-#read /var/www/usage
-create_dir_file(webalizer_t, httpd_sys_content_t)
-
-#read system files under /etc
-allow webalizer_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale(webalizer_t)
-
-# can use tmp file
-tmp_domain(webalizer)
-
-# can read /proc
-read_sysctl(webalizer_t)
-allow webalizer_t proc_t:dir search;
-allow webalizer_t proc_t:file r_file_perms;
-
-# network
-can_network_server(webalizer_t)
-
-#process communication inside webalizer itself
-general_domain_access(webalizer_t)
-
-allow webalizer_t self:capability dac_override;
diff --git a/mls/domains/program/winbind.te b/mls/domains/program/winbind.te
deleted file mode 100644
index 7b9e5e9..0000000
--- a/mls/domains/program/winbind.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#DESC winbind - Name  Service  Switch  daemon for resolving names from NT servers
-#
-# Author: Dan Walsh (dwalsh@redhat.com)
-#
-
-#################################
-#
-# Declarations for winbind
-#
-
-daemon_domain(winbind, `, privhome, auth_chkpwd, nscd_client_domain')
-log_domain(winbind)
-tmp_domain(winbind)
-allow winbind_t etc_t:file r_file_perms;
-allow winbind_t etc_t:lnk_file read;
-can_network(winbind_t)
-allow winbind_t smbd_port_t:tcp_socket name_connect;
-can_resolve(winbind_t)
-
-ifdef(`samba.te', `', `
-type samba_etc_t, file_type, sysadmfile, usercanread;
-type samba_log_t, file_type, sysadmfile, logfile;
-type samba_var_t, file_type, sysadmfile;
-type samba_secrets_t, file_type, sysadmfile;
-')
-file_type_auto_trans(winbind_t, samba_etc_t, samba_secrets_t, file)
-rw_dir_create_file(winbind_t, samba_log_t)
-allow winbind_t samba_secrets_t:file rw_file_perms;
-allow winbind_t self:unix_dgram_socket create_socket_perms;
-allow winbind_t self:unix_stream_socket create_stream_socket_perms;
-allow winbind_t urandom_device_t:chr_file { getattr read };
-allow winbind_t self:fifo_file { read write };
-rw_dir_create_file(winbind_t, samba_var_t)
-can_kerberos(winbind_t)
-allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
-allow winbind_t winbind_var_run_t:sock_file create_file_perms;
-allow initrc_t winbind_var_run_t:file r_file_perms;
-
-application_domain(winbind_helper, `, nscd_client_domain')
-role system_r types winbind_helper_t;
-access_terminal(winbind_helper_t, sysadm)
-read_locale(winbind_helper_t) 
-r_dir_file(winbind_helper_t, samba_etc_t)
-r_dir_file(winbind_t, samba_etc_t)
-allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
-allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
-allow winbind_helper_t samba_var_t:dir search;
-allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
-can_winbind(winbind_helper_t)
-allow winbind_helper_t privfd:fd use;
diff --git a/mls/domains/program/xfs.te b/mls/domains/program/xfs.te
deleted file mode 100644
index 04302cd..0000000
--- a/mls/domains/program/xfs.te
+++ /dev/null
@@ -1,49 +0,0 @@
-#DESC XFS - X Font Server
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: xfs
-#
-
-#################################
-#
-# Rules for the xfs_t domain.
-#
-# xfs_t is the domain of the X font server.
-# xfs_exec_t is the type of the xfs executable.
-#
-daemon_domain(xfs)
-
-# for /tmp/.font-unix/fs7100
-ifdef(`distro_debian', `
-type xfs_tmp_t, file_type, sysadmfile, tmpfile;
-allow xfs_t tmp_t:dir search;
-file_type_auto_trans(xfs_t, initrc_tmp_t, xfs_tmp_t, sock_file)
-', `
-tmp_domain(xfs, `', `{dir sock_file}')
-')
-
-allow xfs_t { etc_t etc_runtime_t }:file { getattr read };
-allow xfs_t proc_t:file { getattr read };
-
-allow xfs_t self:process setpgid;
-can_ypbind(xfs_t)
-
-# Use capabilities.
-allow xfs_t self:capability { setgid setuid };
-
-# Bind to /tmp/.font-unix/fs-1.
-allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
-allow xfs_t self:unix_stream_socket create_stream_socket_perms;
-allow xfs_t self:unix_dgram_socket create_socket_perms;
-
-# Read fonts
-read_fonts(xfs_t)
-
-# Unlink the xfs socket.
-allow initrc_t xfs_tmp_t:dir rw_dir_perms;
-allow initrc_t xfs_tmp_t:dir rmdir;
-allow initrc_t xfs_tmp_t:sock_file { read getattr unlink };
-allow initrc_t fonts_t:dir create_dir_perms;
-allow initrc_t fonts_t:file create_file_perms;
-
diff --git a/mls/domains/program/ypbind.te b/mls/domains/program/ypbind.te
deleted file mode 100644
index ed7c3f8..0000000
--- a/mls/domains/program/ypbind.te
+++ /dev/null
@@ -1,44 +0,0 @@
-#DESC Ypbind - NIS/YP
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: nis
-# Depends: portmap.te named.te
-#
-
-#################################
-#
-# Rules for the ypbind_t domain.
-#
-daemon_domain(ypbind)
-
-tmp_domain(ypbind)
-
-# Use capabilities.
-allow ypbind_t self:capability { net_bind_service };
-dontaudit ypbind_t self:capability net_admin;
-
-# Use the network.
-can_network(ypbind_t)
-allow ypbind_t port_type:tcp_socket name_connect;
-allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind;
-
-allow ypbind_t self:fifo_file rw_file_perms;
-
-read_sysctl(ypbind_t)
-
-# Send to portmap and initrc.
-can_udp_send(ypbind_t, portmap_t)
-can_udp_send(ypbind_t, initrc_t)
-
-# Read and write /var/yp.
-allow ypbind_t var_yp_t:dir rw_dir_perms;
-allow ypbind_t var_yp_t:file create_file_perms;
-allow initrc_t var_yp_t:dir { getattr read };
-allow ypbind_t etc_t:file { getattr read };
-allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
-allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
-allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
-dontaudit ypbind_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-can_udp_send(initrc_t, ypbind_t)
-
diff --git a/mls/domains/program/yppasswdd.te b/mls/domains/program/yppasswdd.te
deleted file mode 100644
index b7588a2..0000000
--- a/mls/domains/program/yppasswdd.te
+++ /dev/null
@@ -1,40 +0,0 @@
-#DESC yppassdd - NIS password update daemon
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com>
-# Depends: portmap.te
-#
-
-#################################
-#
-# Rules for the yppasswdd_t domain.
-#
-daemon_domain(yppasswdd, `, auth_write, privowner')
-
-# Use capabilities.
-allow yppasswdd_t self:capability { net_bind_service };
-
-# Use the network.
-can_network_server(yppasswdd_t)
-
-read_sysctl(yppasswdd_t)
-
-# Send to portmap and initrc.
-can_udp_send(yppasswdd_t, portmap_t)
-can_udp_send(yppasswdd_t, initrc_t)
-
-allow yppasswdd_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit yppasswdd_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow yppasswdd_t { etc_t etc_runtime_t }:file { getattr read };
-allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
-allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
-file_type_auto_trans(yppasswdd_t, etc_t, shadow_t, file)
-allow yppasswdd_t { etc_t shadow_t }:file { relabelfrom relabelto };
-can_setfscreate(yppasswdd_t)
-allow yppasswdd_t proc_t:file getattr;
-allow yppasswdd_t { bin_t sbin_t }:dir search;
-allow yppasswdd_t bin_t:lnk_file read;
-can_exec(yppasswdd_t, { bin_t shell_exec_t hostname_exec_t })
-allow yppasswdd_t self:fifo_file rw_file_perms;
-rw_dir_create_file(yppasswdd_t, var_yp_t)
diff --git a/mls/domains/program/ypserv.te b/mls/domains/program/ypserv.te
deleted file mode 100644
index b9d95fb..0000000
--- a/mls/domains/program/ypserv.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#DESC Ypserv - NIS/YP
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com>
-# Depends: portmap.te
-#
-
-#################################
-#
-# Rules for the ypserv_t domain.
-#
-daemon_domain(ypserv)
-
-tmp_domain(ypserv)
-
-# Use capabilities.
-allow ypserv_t self:capability { net_bind_service };
-
-# Use the network.
-can_network_server(ypserv_t)
-
-allow ypserv_t self:fifo_file rw_file_perms;
-
-read_sysctl(ypserv_t)
-
-# Send to portmap and initrc.
-can_udp_send(ypserv_t, portmap_t)
-can_udp_send(ypserv_t, initrc_t)
-
-type ypserv_conf_t, file_type, sysadmfile;
-
-# Read and write /var/yp.
-allow ypserv_t var_yp_t:dir rw_dir_perms;
-allow ypserv_t var_yp_t:file create_file_perms;
-allow ypserv_t ypserv_conf_t:file { getattr read };
-allow ypserv_t self:unix_dgram_socket create_socket_perms;
-allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
-ifdef(`rpcd.te', `
-allow rpcd_t ypserv_conf_t:file { getattr read };
-')
-allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-can_exec(ypserv_t, bin_t)
-
-application_domain(ypxfr, `, nscd_client_domain')
-can_network_client(ypxfr_t)
-allow ypxfr_t etc_t:file { getattr read };
-allow ypxfr_t portmap_port_t:tcp_socket name_connect;
-allow ypxfr_t reserved_port_t:tcp_socket name_connect;
-dontaudit ypxfr_t reserved_port_type:tcp_socket name_connect;
-allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/mls/domains/program/zebra.te b/mls/domains/program/zebra.te
deleted file mode 100644
index 0cf4e24..0000000
--- a/mls/domains/program/zebra.te
+++ /dev/null
@@ -1,32 +0,0 @@
-#DESC Zebra - BGP server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: zebra
-#
-
-daemon_domain(zebra, `, sysctl_net_writer')
-type zebra_conf_t, file_type, sysadmfile;
-r_dir_file({ initrc_t zebra_t }, zebra_conf_t)
-
-can_network_server(zebra_t)
-can_ypbind(zebra_t)
-allow zebra_t { etc_t etc_runtime_t }:file { getattr read };
-
-allow zebra_t self:process setcap;
-allow zebra_t self:capability { setgid setuid net_bind_service net_admin net_raw };
-file_type_auto_trans(zebra_t, var_run_t, zebra_var_run_t, sock_file)
-
-logdir_domain(zebra)
-
-# /tmp/.bgpd is such a bad idea!
-tmp_domain(zebra, `', sock_file)
-
-allow zebra_t self:unix_dgram_socket create_socket_perms;
-allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow zebra_t self:rawip_socket create_socket_perms;
-allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
-allow zebra_t zebra_port_t:tcp_socket name_bind;
-
-allow zebra_t proc_t:file { getattr read };
-allow zebra_t { sysctl_t sysctl_net_t }:dir search;
-allow zebra_t sysctl_net_t:file rw_file_perms;
diff --git a/mls/domains/user.te b/mls/domains/user.te
deleted file mode 100644
index d86e5d4..0000000
--- a/mls/domains/user.te
+++ /dev/null
@@ -1,108 +0,0 @@
-#DESC User - Domains for ordinary users.
-#
-#################################
-
-# Booleans for user domains.
-
-# Allow applications to read untrusted content
-# If this is disallowed, Internet content has
-# to be manually relabeled for read access to be granted
-bool read_untrusted_content false;
-
-# Allow applications to write untrusted content
-# If this is disallowed, no Internet content
-# will be stored.
-bool write_untrusted_content false;
-
-# Allow users to read system messages.
-bool user_dmesg false;
-
-# Support NFS home directories
-bool use_nfs_home_dirs false;
-
-# Allow making anonymous memory executable, e.g. 
-# for runtime-code generation or executable stack.
-bool allow_execmem false;
-
-# Allow making the stack executable via mprotect.
-# Also requires allow_execmem.
-bool allow_execstack false;
-
-# Allow making a modified private file mapping executable (text relocation).
-bool allow_execmod false;
-
-# Support SAMBA home directories
-bool use_samba_home_dirs false;
-
-# Allow users to run TCP servers (bind to ports and accept connection from
-# the same domain and outside users)  disabling this forces FTP passive mode
-# and may change other protocols 
-bool user_tcp_server false;
-
-# Allow system to run with NIS
-bool allow_ypbind false;
-
-# Allow system to run with kerberos
-bool allow_kerberos false;
-
-# Allow users to rw usb devices
-bool user_rw_usb false;
-
-# Allow users to control network interfaces (also needs USERCTL=true)
-bool user_net_control false;
-
-# Allow regular users direct mouse access 
-bool user_direct_mouse false;
-
-# Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
-bool user_rw_noexattrfile false;
-
-# Allow reading of default_t files.
-bool read_default_t false;
-
-# Allow staff_r users to search the sysadm home dir and read
-# files (such as ~/.bashrc)
-bool staff_read_sysadm_file false;
-
-
-full_user_role(user)
-
-ifdef(`user_canbe_sysadm', `
-reach_sysadm(user)
-role_tty_type_change(user, sysadm)
-')
-
-#  Do not add any rules referring to user_t to this file!  That will break
-#  support for multiple user roles.
-
-# a role for staff that allows seeing all domains and control over the user_t
-# domain
-full_user_role(staff)
-
-priv_user(staff)
-# if adding new user roles make sure you edit the in_user_role macro in
-# macros/user_macros.te to match
-
-# lots of user programs accidentally search /root, and also the admin often
-# logs in as UID=0 domain=user_t...
-dontaudit unpriv_userdomain { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-
-#
-# Allow the user roles to transition
-# into each other.
-role_tty_type_change(sysadm, user)
-role_tty_type_change(staff, sysadm)
-role_tty_type_change(sysadm, staff)
-role_tty_type_change(sysadm, secadm)
-role_tty_type_change(staff, secadm)
-
-# "ps aux" and "ls -l /dev/pts" make too much noise without this
-dontaudit unpriv_userdomain ptyfile:chr_file getattr;
-
-# to allow w to display everyone...
-bool user_ttyfile_stat false;
-
-if (user_ttyfile_stat) {
-allow userdomain ttyfile:chr_file getattr;
-}
-
diff --git a/mls/file_contexts/distros.fc b/mls/file_contexts/distros.fc
deleted file mode 100644
index 33c7f5e..0000000
--- a/mls/file_contexts/distros.fc
+++ /dev/null
@@ -1,164 +0,0 @@
-ifdef(`distro_redhat', `
-/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t:s0
-/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t:s0
-/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t:s0
-/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t:s0
-/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t:s0
-/usr/share/rhn/rhn_applet/needed-packages\.py	--	system_u:object_r:bin_t:s0
-/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t:s0
-/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t:s0
-/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t:s0
-/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t:s0
-/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t:s0
-/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t:s0
-/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t:s0
-/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t:s0
-/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t:s0
-/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t:s0
-/usr/share/switchdesk/switchdesk-gui\.py	--	system_u:object_r:bin_t:s0
-/usr/share/system-config-network/neat-control\.py	--	system_u:object_r:bin_t:s0
-/usr/share/system-config-nfs/nfs-export\.py	--	system_u:object_r:bin_t:s0
-/usr/share/pydict/pydict\.py	--	system_u:object_r:bin_t:s0
-/usr/share/cvs/contrib/rcs2log	--	system_u:object_r:bin_t:s0
-/usr/share/pwlib/make/ptlib-config --	system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexdir	--	system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexnam	--	system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexupd	--	system_u:object_r:bin_t:s0
-/etc/rhgb(/.*)?		-d		system_u:object_r:mnt_t:s0
-/usr/share/ssl/misc(/.*)?		system_u:object_r:bin_t:s0
-#
-# /emul/ia32-linux/usr
-#
-/emul(/.*)?				system_u:object_r:usr_t:s0
-/emul/ia32-linux/usr(/.*)?/lib(/.*)?		system_u:object_r:lib_t:s0
-/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t:s0
-/emul/ia32-linux/usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t:s0
-/emul/ia32-linux/usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t:s0
-/emul/ia32-linux/usr(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t:s0
-/emul/ia32-linux/usr/libexec(/.*)?		system_u:object_r:bin_t:s0
-# /emul/ia32-linux/lib
-/emul/ia32-linux/lib(/.*)?					system_u:object_r:lib_t:s0
-/emul/ia32-linux/lib/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t:s0
-/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t:s0
-# /emul/ia32-linux/bin
-/emul/ia32-linux/bin(/.*)?			system_u:object_r:bin_t:s0
-# /emul/ia32-linux/sbin
-/emul/ia32-linux/sbin(/.*)?			system_u:object_r:sbin_t:s0
-
-ifdef(`dbusd.te', `', `
-/var/run/dbus(/.*)?            system_u:object_r:system_dbusd_var_run_t:s0
-')
-
-# The following are libraries with text relocations in need of execmod permissions
-# Some of them should be fixed and removed from this list
-
-# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
-# 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
-/usr/lib/gstreamer-.*/libgstffmpeg\.so.*  -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/gstreamer-.*/libgstmms\.so 	 -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libg\+\+\.so\.2\.7\.2\.8		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libglide3\.so.* 			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdv\.so.* 				-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/oggfformat\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/theorarend\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/vorbisrend\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/codecs/colorcvt\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/codecs/cvt1\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libSDL-.*\.so.*			-- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/modules/dri/.*\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/libOSMesa\.so.*			-- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/libfglrx_gamma\.so.* 		--  system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libHermes\.so.*			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/hp2ps				-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/stage2			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/vg.*\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/libxpcom_core.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program(/.*)?			system_u:object_r:bin_t:s0
-/usr/lib/.*/program/.*\.so.*			system_u:object_r:shlib_t:s0
-/usr/lib/.*/program/libicudata\.so.*		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libsts645li\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libvclplug_gen645li\.so	-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libwrp645li\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libswd680li\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/librecentfile\.so 	--  system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libsvx680li\.so	--  system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so  	--  system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libsoffice\.so  	--  system_u:object_r:texrel_shlib_t:s0
-
-# Fedora Extras packages: ladspa, imlib2, ocaml
-/usr/lib/ladspa/analogue_osc_1416\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/bandpass_a_iir_1893\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/bandpass_iir_1892\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/butterworth_1902\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/fm_osc_1415\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/gsm_1215\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/gverb_1216\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/hermes_filter_1200\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/highpass_iir_1890\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/lowpass_iir_1891\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/notch_iir_1894\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/pitch_scale_1193\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/pitch_scale_1194\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc1_1425\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc2_1426\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc3_1427\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc4_1882\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/se4_1883\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libImlib2\.so.* 			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ocaml/stublibs/dllnums\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/httpd/modules/libphp5\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/php/modules/.*\.so			-- system_u:object_r:texrel_shlib_t:s0
-
-# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-/usr/lib/xmms/Input/libmpg123\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libpostproc\.so.*			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libavformat-.*\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libavcodec-.*\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libxvidcore\.so.*			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/xine/plugins/.*\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libgsm\.so.*				-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libmp3lame\.so.*			-- system_u:object_r:texrel_shlib_t:s0
-
-# Flash plugin, Macromedia
-HOME_DIR/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t:s0
-
-# Jai, Sun Microsystems (Jpackage SPRM)
-/usr/lib/libmlib_jai\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdivxdecore.so.0			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdivxencore.so.0			-- system_u:object_r:texrel_shlib_t:s0
-
-# Java, Sun Microsystems (JPackage SRPM)
-/usr/.*/jre/lib/i386/libdeploy.so		-- system_u:object_r:texrel_shlib_t:s0
-
-/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api	-- system_u:object_r:shlib_t:s0
-/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api	-- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api	-- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl  --  system_u:object_r:texrel_shlib_t:s0
-')
-
-ifdef(`distro_suse', `
-/var/lib/samba/bin/.+					system_u:object_r:bin_t:s0
-/var/lib/samba/bin/.*\.so(\.[^/]*)*		-l	system_u:object_r:lib_t:s0
-/usr/lib/samba/classic/.*			--	system_u:object_r:bin_t:s0
-/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t:s0
-/success					--	system_u:object_r:etc_runtime_t:s0
-/etc/defkeymap\.map				--	system_u:object_r:etc_runtime_t:s0
-')
diff --git a/mls/file_contexts/homedir_template b/mls/file_contexts/homedir_template
deleted file mode 100644
index 6c7695a..0000000
--- a/mls/file_contexts/homedir_template
+++ /dev/null
@@ -1,21 +0,0 @@
-# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
-# HOME_DIR expands to each users home directory,
-#                  and to HOME_ROOT/[^/]+ for each HOME_ROOT.
-# ROLE expands to each users role when role != user_r, and to "user" otherwise.
-HOME_ROOT		-d	system_u:object_r:home_root_t:s0
-HOME_DIR		-d	system_u:object_r:ROLE_home_dir_t:s0-s15:c0.c255
-HOME_DIR/.+			<<none>>
-HOME_ROOT/\.journal		<<none>>
-HOME_ROOT/lost\+found	-d	system_u:object_r:lost_found_t:s15:c0.c255
-HOME_ROOT/lost\+found/.*	<<none>>
-HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t:s0
-HOME_DIR/\.gnupg(/.+)?	system_u:object_r:ROLE_gpg_secret_t:s0
-HOME_DIR/\.ircmotd	--	system_u:object_r:ROLE_irc_home_t:s0
-/tmp/orbit-USER(-.*)?		-d      system_u:object_r:ROLE_orbit_tmp_t:s0
-/tmp/orbit-USER(-.*)?/linc.*	-s	<<none>>
-/tmp/orbit-USER(-.*)?/bonobo.*  --	system_u:object_r:ROLE_orbit_tmp_t:s0
-HOME_ROOT/a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0
-HOME_DIR/\.screenrc	--	system_u:object_r:ROLE_screen_ro_home_t:s0
-HOME_DIR/\.spamassassin(/.*)?	system_u:object_r:ROLE_spamassassin_home_t:s0
-HOME_DIR/\.ssh(/.*)?		system_u:object_r:ROLE_home_ssh_t:s0
-HOME_DIR/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t:s0
diff --git a/mls/file_contexts/program/NetworkManager.fc b/mls/file_contexts/program/NetworkManager.fc
deleted file mode 100644
index cb57584..0000000
--- a/mls/file_contexts/program/NetworkManager.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# NetworkManager 
-/usr/bin/NetworkManager	--	system_u:object_r:NetworkManager_exec_t:s0
diff --git a/mls/file_contexts/program/acct.fc b/mls/file_contexts/program/acct.fc
deleted file mode 100644
index 78622bd..0000000
--- a/mls/file_contexts/program/acct.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# berkeley process accounting
-/sbin/accton	--	system_u:object_r:acct_exec_t:s0
-/usr/sbin/accton	--	system_u:object_r:acct_exec_t:s0
-/var/account(/.*)?		system_u:object_r:acct_data_t:s0
-/etc/cron\.(daily|monthly)/acct -- system_u:object_r:acct_exec_t:s0
diff --git a/mls/file_contexts/program/afs.fc b/mls/file_contexts/program/afs.fc
deleted file mode 100644
index fb49f33..0000000
--- a/mls/file_contexts/program/afs.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-# afs
-/usr/afs/bin/bosserver	--	system_u:object_r:afs_bosserver_exec_t
-/usr/afs/bin/kaserver	--	system_u:object_r:afs_kaserver_exec_t
-/usr/afs/bin/vlserver	--	system_u:object_r:afs_vlserver_exec_t
-/usr/afs/bin/ptserver	--	system_u:object_r:afs_ptserver_exec_t
-/usr/afs/bin/fileserver	--	system_u:object_r:afs_fsserver_exec_t
-/usr/afs/bin/volserver	--	system_u:object_r:afs_fsserver_exec_t
-/usr/afs/bin/salvager	--	system_u:object_r:afs_fsserver_exec_t
-
-/usr/afs/logs(/.*)?		system_u:object_r:afs_logfile_t
-/usr/afs/etc(/.*)?		system_u:object_r:afs_config_t		
-/usr/afs/local(/.*)?		system_u:object_r:afs_config_t
-/usr/afs/db		-d	system_u:object_r:afs_dbdir_t
-/usr/afs/db/pr.*	--	system_u:object_r:afs_pt_db_t
-/usr/afs/db/ka.*	--	system_u:object_r:afs_ka_db_t
-/usr/afs/db/vl.*	--	system_u:object_r:afs_vl_db_t
-
-/vicepa				system_u:object_r:afs_files_t
-/vicepb				system_u:object_r:afs_files_t
-/vicepc				system_u:object_r:afs_files_t
diff --git a/mls/file_contexts/program/alsa.fc b/mls/file_contexts/program/alsa.fc
deleted file mode 100644
index ce56849..0000000
--- a/mls/file_contexts/program/alsa.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-#DESC       ainit - configuration tool for ALSA
-/usr/bin/ainit 			-- system_u:object_r:alsa_exec_t:s0
-/etc/alsa/pcm(/.*)? 		 system_u:object_r:alsa_etc_rw_t:s0
diff --git a/mls/file_contexts/program/amanda.fc b/mls/file_contexts/program/amanda.fc
deleted file mode 100644
index 917b41a..0000000
--- a/mls/file_contexts/program/amanda.fc
+++ /dev/null
@@ -1,70 +0,0 @@
-#
-# Author:  Carsten Grohmann <carstengrohmann@gmx.de>
-#
-
-# amanda
-/etc/amanda(/.*)?			system_u:object_r:amanda_config_t:s0
-/etc/amanda/.*/tapelist(/.*)?		system_u:object_r:amanda_data_t:s0
-/etc/amandates				system_u:object_r:amanda_amandates_t:s0
-/etc/dumpdates				system_u:object_r:amanda_dumpdates_t:s0
-/root/restore			-d	system_u:object_r:amanda_recover_dir_t:s0
-/tmp/amanda(/.*)?			system_u:object_r:amanda_tmp_t:s0
-/usr/lib(64)?/amanda			-d	system_u:object_r:amanda_usr_lib_t:s0
-/usr/lib(64)?/amanda/amandad		--	system_u:object_r:amanda_inetd_exec_t:s0
-/usr/lib(64)?/amanda/amcat\.awk	--	system_u:object_r:amanda_script_exec_t:s0
-/usr/lib(64)?/amanda/amcleanupdisk	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/amidxtaped	--	system_u:object_r:amanda_inetd_exec_t:s0
-/usr/lib(64)?/amanda/amindexd	--	system_u:object_r:amanda_inetd_exec_t:s0
-/usr/lib(64)?/amanda/amlogroll	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/amplot\.awk	--	system_u:object_r:amanda_script_exec_t:s0
-/usr/lib(64)?/amanda/amplot\.g	--	system_u:object_r:amanda_script_exec_t:s0
-/usr/lib(64)?/amanda/amplot\.gp	--	system_u:object_r:amanda_script_exec_t:s0
-/usr/lib(64)?/amanda/amtrmidx	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/amtrmlog	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/calcsize	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-chio	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-chs		--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-manual	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-mtx		--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-multi	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-rth		--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-scsi	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-zd-mtx	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/driver		--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/dumper		--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/killpgrp	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/patch-system	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/planner		--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/rundump		--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/runtar		--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/selfcheck	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/sendbackup	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/sendsize	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/taper		--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/versionsuffix	--	system_u:object_r:amanda_exec_t:s0
-/usr/sbin/amadmin		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amcheck		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amcheckdb		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amcleanup		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amdump		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amflush		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amgetconf		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amlabel		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amoverview		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amplot		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amrecover		--	system_u:object_r:amanda_recover_exec_t:s0
-/usr/sbin/amreport		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amrestore		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amrmtape		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amstatus		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amtape		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amtoc			--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amverify		--	system_u:object_r:amanda_user_exec_t:s0
-/var/lib/amanda			-d	system_u:object_r:amanda_var_lib_t:s0
-/var/lib/amanda/\.amandahosts	--	system_u:object_r:amanda_config_t:s0
-/var/lib/amanda/\.bashrc	--	system_u:object_r:amanda_shellconfig_t:s0
-/var/lib/amanda/\.profile	--	system_u:object_r:amanda_shellconfig_t:s0
-/var/lib/amanda/disklist	--	system_u:object_r:amanda_data_t:s0
-/var/lib/amanda/gnutar-lists(/.*)?	system_u:object_r:amanda_gnutarlists_t:s0
-/var/lib/amanda/index			system_u:object_r:amanda_data_t:s0
-/var/log/amanda(/.*)?			system_u:object_r:amanda_log_t:s0
diff --git a/mls/file_contexts/program/amavis.fc b/mls/file_contexts/program/amavis.fc
deleted file mode 100644
index 366da33..0000000
--- a/mls/file_contexts/program/amavis.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# amavis
-/usr/sbin/amavisd.*		--	system_u:object_r:amavisd_exec_t
-/etc/amavisd\.conf		--	system_u:object_r:amavisd_etc_t
-/var/log/amavisd\.log 		--	system_u:object_r:amavisd_log_t
-/var/lib/amavis(/.*)?	 		system_u:object_r:amavisd_lib_t
-/var/run/amavis(/.*)?	 		system_u:object_r:amavisd_var_run_t
-/var/amavis(/.*)?	 		system_u:object_r:amavisd_lib_t
-/var/virusmails(/.*)?	 		system_u:object_r:amavisd_quarantine_t
diff --git a/mls/file_contexts/program/anaconda.fc b/mls/file_contexts/program/anaconda.fc
deleted file mode 100644
index a0cbc0e..0000000
--- a/mls/file_contexts/program/anaconda.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# Anaconda file context
-# currently anaconda does not have any file context since it is started during install
-# This is a placeholder to stop makefile from complaining
-#
diff --git a/mls/file_contexts/program/apache.fc b/mls/file_contexts/program/apache.fc
deleted file mode 100644
index a3bf8f4..0000000
--- a/mls/file_contexts/program/apache.fc
+++ /dev/null
@@ -1,61 +0,0 @@
-# apache
-HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t:s0
-/var/www(/.*)?			system_u:object_r:httpd_sys_content_t:s0
-/srv/([^/]*/)?www(/.*)?		system_u:object_r:httpd_sys_content_t:s0
-/var/www/cgi-bin(/.*)?		system_u:object_r:httpd_sys_script_exec_t:s0
-/usr/lib/cgi-bin(/.*)?		system_u:object_r:httpd_sys_script_exec_t:s0
-/var/www/perl(/.*)?		system_u:object_r:httpd_sys_script_exec_t:s0
-/var/www/icons(/.*)?		system_u:object_r:httpd_sys_content_t:s0
-/var/cache/httpd(/.*)?		system_u:object_r:httpd_cache_t:s0
-/var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t:s0
-/var/cache/php-mmcache(/.*)?	system_u:object_r:httpd_cache_t:s0
-/var/cache/mason(/.*)?	system_u:object_r:httpd_cache_t:s0
-/var/cache/rt3(/.*)?	system_u:object_r:httpd_cache_t:s0
-/etc/httpd		-d	system_u:object_r:httpd_config_t:s0
-/etc/httpd/conf.*		system_u:object_r:httpd_config_t:s0
-/etc/httpd/logs			system_u:object_r:httpd_log_t:s0
-/etc/httpd/modules		system_u:object_r:httpd_modules_t:s0
-/etc/apache(2)?(/.*)?		system_u:object_r:httpd_config_t:s0
-/etc/vhosts		--	system_u:object_r:httpd_config_t:s0
-/usr/lib(64)?/apache(/.*)?		system_u:object_r:httpd_modules_t:s0
-/usr/lib(64)?/apache2/modules(/.*)?	system_u:object_r:httpd_modules_t:s0
-/usr/lib(64)?/httpd(/.*)?		system_u:object_r:httpd_modules_t:s0
-/usr/sbin/httpd(\.worker)?	--	system_u:object_r:httpd_exec_t:s0
-/usr/sbin/apache(2)?	--	system_u:object_r:httpd_exec_t:s0
-/usr/sbin/suexec	--	system_u:object_r:httpd_suexec_exec_t:s0
-/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- system_u:object_r:httpd_suexec_exec_t:s0
-/usr/lib(64)?/apache(2)?/suexec(2)? -- system_u:object_r:httpd_suexec_exec_t:s0
-/var/log/httpd(/.*)?		system_u:object_r:httpd_log_t:s0
-/var/log/apache(2)?(/.*)?	system_u:object_r:httpd_log_t:s0
-/var/log/cgiwrap\.log.*	--	system_u:object_r:httpd_log_t:s0
-/var/cache/ssl.*\.sem	--	system_u:object_r:httpd_cache_t:s0
-/var/cache/mod_ssl(/.*)?	system_u:object_r:httpd_cache_t:s0
-/var/run/apache.*		system_u:object_r:httpd_var_run_t:s0
-/var/lib/httpd(/.*)?		system_u:object_r:httpd_var_lib_t:s0
-/var/lib/dav(/.*)?		system_u:object_r:httpd_var_lib_t:s0
-/var/lib/php/session(/.*)?	system_u:object_r:httpd_var_run_t:s0
-/etc/apache-ssl(2)?(/.*)?	system_u:object_r:httpd_config_t:s0
-/usr/lib/apache-ssl/.+	 --	system_u:object_r:httpd_exec_t:s0
-/usr/sbin/apache-ssl(2)? --	system_u:object_r:httpd_exec_t:s0
-/var/log/apache-ssl(2)?(/.*)?	system_u:object_r:httpd_log_t:s0
-/var/run/gcache_port	-s	system_u:object_r:httpd_var_run_t:s0
-ifdef(`distro_debian', `
-/var/log/horde2(/.*)?		system_u:object_r:httpd_log_t:s0
-')
-ifdef(`distro_suse', `
-# suse puts shell scripts there :-(
-/usr/share/apache2/[^/]*	--	system_u:object_r:bin_t:s0
-/usr/sbin/httpd2-.*		--	system_u:object_r:httpd_exec_t:s0
-')
-/var/lib/squirrelmail/prefs(/.*)?	system_u:object_r:httpd_squirrelmail_t:s0
-/var/spool/squirrelmail(/.*)?	system_u:object_r:squirrelmail_spool_t:s0
-/usr/bin/htsslpass --	system_u:object_r:httpd_helper_exec_t:s0
-/usr/share/htdig(/.*)?		system_u:object_r:httpd_sys_content_t:s0
-/var/lib/htdig(/.*)?		system_u:object_r:httpd_sys_content_t:s0
-/etc/htdig(/.*)?		system_u:object_r:httpd_sys_content_t:s0
-/var/spool/gosa(/.*)?		system_u:object_r:httpd_sys_script_rw_t:s0
-ifdef(`targeted_policy', `', `
-/var/spool/cron/apache		-- 	system_u:object_r:user_cron_spool_t:s0
-')
-/usr/sbin/apachectl		-- 	system_u:object_r:initrc_exec_t:s0
-
diff --git a/mls/file_contexts/program/apmd.fc b/mls/file_contexts/program/apmd.fc
deleted file mode 100644
index 6554b52..0000000
--- a/mls/file_contexts/program/apmd.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-# apmd
-/usr/sbin/apmd		--	system_u:object_r:apmd_exec_t:s0
-/usr/sbin/acpid		--	system_u:object_r:apmd_exec_t:s0
-/usr/sbin/powersaved	--	system_u:object_r:apmd_exec_t:s0
-/usr/bin/apm		--	system_u:object_r:apm_exec_t:s0
-/var/run/apmd\.pid	--	system_u:object_r:apmd_var_run_t:s0
-/var/run/\.?acpid\.socket	-s	system_u:object_r:apmd_var_run_t:s0
-/var/run/powersaved\.pid	--	system_u:object_r:apmd_var_run_t:s0
-/var/run/powersave_socket	-s	system_u:object_r:apmd_var_run_t:s0
-/var/log/acpid		--	system_u:object_r:apmd_log_t:s0
-ifdef(`distro_suse', `
-/var/lib/acpi(/.*)?		system_u:object_r:apmd_var_lib_t:s0
-')
-
diff --git a/mls/file_contexts/program/arpwatch.fc b/mls/file_contexts/program/arpwatch.fc
deleted file mode 100644
index 4869940..0000000
--- a/mls/file_contexts/program/arpwatch.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# arpwatch - keep track of ethernet/ip address pairings
-/usr/sbin/arpwatch	--	system_u:object_r:arpwatch_exec_t:s0
-/var/arpwatch(/.*)?		system_u:object_r:arpwatch_data_t:s0
-/var/lib/arpwatch(/.*)?		system_u:object_r:arpwatch_data_t:s0
diff --git a/mls/file_contexts/program/asterisk.fc b/mls/file_contexts/program/asterisk.fc
deleted file mode 100644
index 6f4eb4b..0000000
--- a/mls/file_contexts/program/asterisk.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# asterisk
-/usr/sbin/asterisk	--	system_u:object_r:asterisk_exec_t
-/var/run/asterisk(/.*)?		system_u:object_r:asterisk_var_run_t
-/etc/asterisk(/.*)?		system_u:object_r:asterisk_etc_t
-/var/log/asterisk(/.*)?		system_u:object_r:asterisk_log_t
-/var/lib/asterisk(/.*)?		system_u:object_r:asterisk_var_lib_t
-/var/spool/asterisk(/.*)?	system_u:object_r:asterisk_spool_t
diff --git a/mls/file_contexts/program/audio-entropyd.fc b/mls/file_contexts/program/audio-entropyd.fc
deleted file mode 100644
index a8f616a..0000000
--- a/mls/file_contexts/program/audio-entropyd.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/audio-entropyd	--	system_u:object_r:entropyd_exec_t
diff --git a/mls/file_contexts/program/auditd.fc b/mls/file_contexts/program/auditd.fc
deleted file mode 100644
index d01ff76..0000000
--- a/mls/file_contexts/program/auditd.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# auditd
-/sbin/auditctl		--	system_u:object_r:auditctl_exec_t:s0
-/sbin/auditd		--	system_u:object_r:auditd_exec_t:s0
-/var/log/audit.log 	-- 	system_u:object_r:auditd_log_t:s15:c0.c255
-/var/log/audit(/.*)?  	 	system_u:object_r:auditd_log_t:s15:c0.c255
-/etc/auditd.conf	--	system_u:object_r:auditd_etc_t:s0
-/etc/audit.rules	--	system_u:object_r:auditd_etc_t:s0
-
diff --git a/mls/file_contexts/program/authbind.fc b/mls/file_contexts/program/authbind.fc
deleted file mode 100644
index 9fed63e..0000000
--- a/mls/file_contexts/program/authbind.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# authbind
-/etc/authbind(/.*)?		system_u:object_r:authbind_etc_t
-/usr/lib(64)?/authbind/helper --	system_u:object_r:authbind_exec_t
diff --git a/mls/file_contexts/program/automount.fc b/mls/file_contexts/program/automount.fc
deleted file mode 100644
index 8952107..0000000
--- a/mls/file_contexts/program/automount.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# automount
-/usr/sbin/automount	--	system_u:object_r:automount_exec_t:s0
-/etc/apm/event\.d/autofs --	system_u:object_r:automount_exec_t:s0
-/var/run/autofs(/.*)?		system_u:object_r:automount_var_run_t:s0
-/etc/auto\..+		--	system_u:object_r:automount_etc_t:s0
diff --git a/mls/file_contexts/program/avahi.fc b/mls/file_contexts/program/avahi.fc
deleted file mode 100644
index fa6e00e..0000000
--- a/mls/file_contexts/program/avahi.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-#DESC avahi - mDNS/DNS-SD daemon implementing Apple’s ZeroConf architecture
-/usr/sbin/avahi-daemon		--	system_u:object_r:avahi_exec_t:s0
-/usr/sbin/avahi-dnsconfd 	--	system_u:object_r:avahi_exec_t:s0
-/var/run/avahi-daemon(/.*)? 		system_u:object_r:avahi_var_run_t:s0
diff --git a/mls/file_contexts/program/backup.fc b/mls/file_contexts/program/backup.fc
deleted file mode 100644
index ed82809..0000000
--- a/mls/file_contexts/program/backup.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# backup
-# label programs that do backups to other files on disk (IE a cron job that
-# calls tar) in backup_exec_t and label the directory for storing them as
-# backup_store_t, Debian uses /var/backups
-#/usr/local/bin/backup-script -- system_u:object_r:backup_exec_t
-/var/backups(/.*)?		system_u:object_r:backup_store_t
diff --git a/mls/file_contexts/program/bluetooth.fc b/mls/file_contexts/program/bluetooth.fc
deleted file mode 100644
index 6c5aac3..0000000
--- a/mls/file_contexts/program/bluetooth.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# bluetooth
-/etc/bluetooth(/.*)?		system_u:object_r:bluetooth_conf_t:s0
-/etc/bluetooth/link_key		system_u:object_r:bluetooth_conf_rw_t:s0
-/usr/bin/rfcomm		--	system_u:object_r:bluetooth_exec_t:s0
-/usr/sbin/hcid		--	system_u:object_r:bluetooth_exec_t:s0
-/usr/sbin/sdpd		--	system_u:object_r:bluetooth_exec_t:s0
-/usr/sbin/hciattach	--	system_u:object_r:bluetooth_exec_t:s0
-/var/run/sdp		-s	system_u:object_r:bluetooth_var_run_t:s0
-/usr/sbin/hid2hci	--	system_u:object_r:bluetooth_exec_t:s0
-/usr/bin/blue.*pin	--	system_u:object_r:bluetooth_helper_exec_t:s0
-/var/lib/bluetooth(/.*)?	system_u:object_r:bluetooth_var_lib_t:s0
diff --git a/mls/file_contexts/program/bonobo.fc b/mls/file_contexts/program/bonobo.fc
deleted file mode 100644
index 23d2214..0000000
--- a/mls/file_contexts/program/bonobo.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/libexec/bonobo-activation-server	--	system_u:object_r:bonobo_exec_t:s0
diff --git a/mls/file_contexts/program/bootloader.fc b/mls/file_contexts/program/bootloader.fc
deleted file mode 100644
index bce2ff8..0000000
--- a/mls/file_contexts/program/bootloader.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# bootloader
-/etc/lilo\.conf.*	--	system_u:object_r:bootloader_etc_t:s0
-/initrd\.img.*		-l	system_u:object_r:boot_t:s0
-/sbin/lilo.*		--	system_u:object_r:bootloader_exec_t:s0
-/sbin/grub.*		--	system_u:object_r:bootloader_exec_t:s0
-/vmlinuz.*		-l	system_u:object_r:boot_t:s0
-/usr/sbin/mkinitrd	--	system_u:object_r:bootloader_exec_t:s0
-/sbin/mkinitrd		--	system_u:object_r:bootloader_exec_t:s0
-/etc/mkinitrd/scripts/.* --	system_u:object_r:bootloader_exec_t:s0
-/sbin/ybin.*		--	system_u:object_r:bootloader_exec_t:s0
-/etc/yaboot\.conf.*	--	system_u:object_r:bootloader_etc_t:s0
diff --git a/mls/file_contexts/program/calamaris.fc b/mls/file_contexts/program/calamaris.fc
deleted file mode 100644
index 36d8c87..0000000
--- a/mls/file_contexts/program/calamaris.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# squid
-/etc/cron\.daily/calamaris --	system_u:object_r:calamaris_exec_t
-/var/www/calamaris(/.*)?	system_u:object_r:calamaris_www_t
-/var/log/calamaris(/.*)?	system_u:object_r:calamaris_log_t
diff --git a/mls/file_contexts/program/canna.fc b/mls/file_contexts/program/canna.fc
deleted file mode 100644
index aada263..0000000
--- a/mls/file_contexts/program/canna.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# canna.fc
-/usr/sbin/cannaserver	--	system_u:object_r:canna_exec_t:s0
-/usr/sbin/jserver	--	system_u:object_r:canna_exec_t:s0
-/usr/bin/cannaping	--	system_u:object_r:canna_exec_t:s0
-/usr/bin/catdic		--	system_u:object_r:canna_exec_t:s0
-/var/log/canna(/.*)?		system_u:object_r:canna_log_t:s0
-/var/log/wnn(/.*)?		system_u:object_r:canna_log_t:s0
-/var/lib/canna/dic(/.*)?	system_u:object_r:canna_var_lib_t:s0
-/var/lib/wnn/dic(/.*)?	system_u:object_r:canna_var_lib_t:s0
-/var/run/\.iroha_unix	-d	system_u:object_r:canna_var_run_t:s0
-/var/run/\.iroha_unix/.* -s	system_u:object_r:canna_var_run_t:s0
-/var/run/wnn-unix(/.*)		system_u:object_r:canna_var_run_t:s0
diff --git a/mls/file_contexts/program/cardmgr.fc b/mls/file_contexts/program/cardmgr.fc
deleted file mode 100644
index 1dc5187..0000000
--- a/mls/file_contexts/program/cardmgr.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# cardmgr
-/sbin/cardmgr		--	system_u:object_r:cardmgr_exec_t:s0
-/sbin/cardctl		--	system_u:object_r:cardctl_exec_t:s0
-/var/run/stab		--	system_u:object_r:cardmgr_var_run_t:s0
-/var/run/cardmgr\.pid	--	system_u:object_r:cardmgr_var_run_t:s0
-/etc/apm/event\.d/pcmcia --	system_u:object_r:cardmgr_exec_t:s0
-/var/lib/pcmcia(/.*)?		system_u:object_r:cardmgr_var_run_t:s0
diff --git a/mls/file_contexts/program/cdrecord.fc b/mls/file_contexts/program/cdrecord.fc
deleted file mode 100644
index c29a00c..0000000
--- a/mls/file_contexts/program/cdrecord.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# cdrecord
-/usr/bin/cdrecord	--	system_u:object_r:cdrecord_exec_t:s0
-
diff --git a/mls/file_contexts/program/certwatch.fc b/mls/file_contexts/program/certwatch.fc
deleted file mode 100644
index 8c955ee..0000000
--- a/mls/file_contexts/program/certwatch.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# certwatch.fc
-/usr/bin/certwatch	-- system_u:object_r:certwatch_exec_t:s0
-
diff --git a/mls/file_contexts/program/checkpolicy.fc b/mls/file_contexts/program/checkpolicy.fc
deleted file mode 100644
index dddeecf..0000000
--- a/mls/file_contexts/program/checkpolicy.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# checkpolicy
-/usr/bin/checkpolicy		--	system_u:object_r:checkpolicy_exec_t:s0
diff --git a/mls/file_contexts/program/chkpwd.fc b/mls/file_contexts/program/chkpwd.fc
deleted file mode 100644
index 5f253f7..0000000
--- a/mls/file_contexts/program/chkpwd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# chkpwd
-/sbin/unix_chkpwd	--	system_u:object_r:chkpwd_exec_t:s0
-/sbin/unix_verify	--	system_u:object_r:chkpwd_exec_t:s0
-ifdef(`distro_suse', `
-/sbin/unix2_chkpwd	--	system_u:object_r:chkpwd_exec_t:s0
-')
diff --git a/mls/file_contexts/program/chroot.fc b/mls/file_contexts/program/chroot.fc
deleted file mode 100644
index a23cd81..0000000
--- a/mls/file_contexts/program/chroot.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/chroot	--	system_u:object_r:chroot_exec_t:s0
diff --git a/mls/file_contexts/program/ciped.fc b/mls/file_contexts/program/ciped.fc
deleted file mode 100644
index e3a12a1..0000000
--- a/mls/file_contexts/program/ciped.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/ciped.*	--	system_u:object_r:ciped_exec_t
-/etc/cipe/ip-up.*	--	system_u:object_r:bin_t
-/etc/cipe/ip-down.*	--	system_u:object_r:bin_t
diff --git a/mls/file_contexts/program/clamav.fc b/mls/file_contexts/program/clamav.fc
deleted file mode 100644
index 90c898c..0000000
--- a/mls/file_contexts/program/clamav.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-# clamscan
-/usr/bin/clamscan	--	system_u:object_r:clamscan_exec_t
-/usr/bin/freshclam	--	system_u:object_r:freshclam_exec_t
-/usr/sbin/clamav-freshclam-handledaemon	-- system_u:object_r:freshclam_exec_t
-/usr/sbin/clamd		--	system_u:object_r:clamd_exec_t
-/var/lib/clamav(/.*)?		system_u:object_r:clamav_var_lib_t
-/var/log/clam-update\.log --	system_u:object_r:freshclam_log_t
-/var/log/clamav-freshclam\.log.* -- system_u:object_r:freshclam_log_t
-/var/log/clamav(/.*)?			system_u:object_r:freshclam_log_t
-/var/log/clamav/clamd\.log.*     --	system_u:object_r:clamd_log_t
-/var/log/clamav/freshclam\.log.* --	system_u:object_r:freshclam_log_t
-/var/run/clamd\.ctl	-s	system_u:object_r:clamd_sock_t
-/var/run/clamd\.pid	--	system_u:object_r:clamd_var_run_t
-/var/run/clamav(/.*)?		system_u:object_r:clamd_var_run_t
-/var/run/clamav/clamd\.sock -s	system_u:object_r:clamd_sock_t
diff --git a/mls/file_contexts/program/clockspeed.fc b/mls/file_contexts/program/clockspeed.fc
deleted file mode 100644
index e00cd56..0000000
--- a/mls/file_contexts/program/clockspeed.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# clockspeed
-/usr/bin/clockspeed	--	system_u:object_r:clockspeed_exec_t
-/usr/bin/clockadd	--	system_u:object_r:clockspeed_exec_t
-/usr/bin/clockview	--	system_u:object_r:clockspeed_exec_t
-/usr/bin/sntpclock	--	system_u:object_r:clockspeed_exec_t
-/usr/bin/taiclock	--	system_u:object_r:clockspeed_exec_t
-/usr/bin/taiclockd	--	system_u:object_r:clockspeed_exec_t
-/usr/sbin/ntpclockset	--	system_u:object_r:clockspeed_exec_t
-
-/var/lib/clockspeed(/.*)?	system_u:object_r:clockspeed_var_lib_t
-
diff --git a/mls/file_contexts/program/compat.fc b/mls/file_contexts/program/compat.fc
deleted file mode 100644
index d64b892..0000000
--- a/mls/file_contexts/program/compat.fc
+++ /dev/null
@@ -1,66 +0,0 @@
-ifdef(`setfiles.te', `', `
-# setfiles
-/usr/sbin/setfiles.*	--	system_u:object_r:setfiles_exec_t
-')
-
-ifdef(`mount.te', `', `
-# mount
-/bin/mount.*			--	system_u:object_r:mount_exec_t
-/bin/umount.*			--	system_u:object_r:mount_exec_t
-')
-ifdef(`loadkeys.te', `', `
-# loadkeys
-/bin/unikeys		--	system_u:object_r:loadkeys_exec_t
-/bin/loadkeys		--	system_u:object_r:loadkeys_exec_t
-')
-ifdef(`dmesg.te', `', `
-# dmesg
-/bin/dmesg	--	system_u:object_r:dmesg_exec_t
-')
-ifdef(`fsadm.te', `', `
-# fs admin utilities
-/sbin/fsck.*		--	system_u:object_r:fsadm_exec_t
-/sbin/mkfs.*		--	system_u:object_r:fsadm_exec_t
-/sbin/e2fsck		--	system_u:object_r:fsadm_exec_t
-/sbin/mkdosfs		--	system_u:object_r:fsadm_exec_t
-/sbin/dosfsck		--	system_u:object_r:fsadm_exec_t
-/sbin/reiserfs(ck|tune)	--	system_u:object_r:fsadm_exec_t
-/sbin/mkreiserfs	--	system_u:object_r:fsadm_exec_t
-/sbin/resize.*fs	--	system_u:object_r:fsadm_exec_t
-/sbin/e2label		--	system_u:object_r:fsadm_exec_t
-/sbin/findfs		--	system_u:object_r:fsadm_exec_t
-/sbin/mkfs		--	system_u:object_r:fsadm_exec_t
-/sbin/mke2fs		--	system_u:object_r:fsadm_exec_t
-/sbin/mkswap		--	system_u:object_r:fsadm_exec_t
-/sbin/scsi_info		--	system_u:object_r:fsadm_exec_t
-/sbin/sfdisk		--	system_u:object_r:fsadm_exec_t
-/sbin/cfdisk		--	system_u:object_r:fsadm_exec_t
-/sbin/fdisk		--	system_u:object_r:fsadm_exec_t
-/sbin/parted		--	system_u:object_r:fsadm_exec_t
-/sbin/tune2fs		--	system_u:object_r:fsadm_exec_t
-/sbin/dumpe2fs		--	system_u:object_r:fsadm_exec_t
-/sbin/swapon.*		--	system_u:object_r:fsadm_exec_t
-/sbin/hdparm		--	system_u:object_r:fsadm_exec_t
-/sbin/raidstart		--	system_u:object_r:fsadm_exec_t
-/sbin/mkraid		--	system_u:object_r:fsadm_exec_t
-/sbin/dmraid		--	system_u:object_r:fsadm_exec_t
-/sbin/blockdev		--	system_u:object_r:fsadm_exec_t
-/sbin/losetup.*		--	system_u:object_r:fsadm_exec_t
-/sbin/jfs_.*		--	system_u:object_r:fsadm_exec_t
-/sbin/lsraid		--	system_u:object_r:fsadm_exec_t
-/usr/sbin/smartctl	--	system_u:object_r:fsadm_exec_t
-/sbin/install-mbr	--	system_u:object_r:fsadm_exec_t
-/usr/bin/scsi_unique_id	--	system_u:object_r:fsadm_exec_t
-/usr/bin/raw		--	system_u:object_r:fsadm_exec_t
-/sbin/partx		--	system_u:object_r:fsadm_exec_t
-/usr/bin/partition_uuid	--	system_u:object_r:fsadm_exec_t
-/sbin/partprobe		--	system_u:object_r:fsadm_exec_t
-')
-ifdef(`lvm.te', `', `
-/sbin/lvm.static	--	system_u:object_r:lvm_exec_t
-')
-ifdef(`kudzu.te', `', `
-# kudzu
-/usr/sbin/kudzu	--	system_u:object_r:kudzu_exec_t
-/sbin/kmodule	--	system_u:object_r:kudzu_exec_t
-')
diff --git a/mls/file_contexts/program/comsat.fc b/mls/file_contexts/program/comsat.fc
deleted file mode 100644
index 3704901..0000000
--- a/mls/file_contexts/program/comsat.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# biff server
-/usr/sbin/in\.comsat	--	system_u:object_r:comsat_exec_t:s0
diff --git a/mls/file_contexts/program/consoletype.fc b/mls/file_contexts/program/consoletype.fc
deleted file mode 100644
index 1258f57..0000000
--- a/mls/file_contexts/program/consoletype.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# consoletype
-/sbin/consoletype	--	system_u:object_r:consoletype_exec_t:s0
diff --git a/mls/file_contexts/program/courier.fc b/mls/file_contexts/program/courier.fc
deleted file mode 100644
index 16f6adb..0000000
--- a/mls/file_contexts/program/courier.fc
+++ /dev/null
@@ -1,18 +0,0 @@
-# courier pop, imap, and webmail
-/usr/lib(64)?/courier(/.*)?			system_u:object_r:bin_t
-/usr/lib(64)?/courier/rootcerts(/.*)?	system_u:object_r:courier_etc_t
-/usr/lib(64)?/courier/authlib/.*	--	system_u:object_r:courier_authdaemon_exec_t
-/usr/lib(64)?/courier/courier/.*	--	system_u:object_r:courier_exec_t
-/usr/lib(64)?/courier/courier/courierpop.* -- system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/courier/imaplogin --	system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/courier/pcpd	--	system_u:object_r:courier_pcp_exec_t
-/usr/lib(64)?/courier/imapd		--	system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/pop3d		--	system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- system_u:object_r:sqwebmail_cron_exec_t
-/var/lib/courier(/.*)?			system_u:object_r:courier_var_lib_t
-/usr/bin/imapd			--	system_u:object_r:courier_pop_exec_t
-/usr/sbin/courierlogger		--	system_u:object_r:courier_exec_t
-/usr/sbin/courierldapaliasd	--	system_u:object_r:courier_exec_t
-/usr/sbin/couriertcpd		--	system_u:object_r:courier_tcpd_exec_t
-/var/run/courier(/.*)?			system_u:object_r:courier_var_run_t
-/etc/courier(/.*)?			system_u:object_r:courier_etc_t
diff --git a/mls/file_contexts/program/cpucontrol.fc b/mls/file_contexts/program/cpucontrol.fc
deleted file mode 100644
index e7e488a..0000000
--- a/mls/file_contexts/program/cpucontrol.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# cpucontrol
-/sbin/microcode_ctl	--	system_u:object_r:cpucontrol_exec_t:s0
-/etc/firmware/.*	--	system_u:object_r:cpucontrol_conf_t:s0
diff --git a/mls/file_contexts/program/cpuspeed.fc b/mls/file_contexts/program/cpuspeed.fc
deleted file mode 100644
index 5e91f55..0000000
--- a/mls/file_contexts/program/cpuspeed.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# cpuspeed
-/usr/sbin/cpuspeed	--	system_u:object_r:cpuspeed_exec_t:s0
-/usr/sbin/powernowd	--	system_u:object_r:cpuspeed_exec_t:s0
diff --git a/mls/file_contexts/program/crack.fc b/mls/file_contexts/program/crack.fc
deleted file mode 100644
index 18b5371..0000000
--- a/mls/file_contexts/program/crack.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# crack - for password checking
-/usr/sbin/cracklib-[a-z]*	--	system_u:object_r:crack_exec_t:s0
-/usr/sbin/crack_[a-z]*	--	system_u:object_r:crack_exec_t:s0
-/var/cache/cracklib(/.*)?	system_u:object_r:crack_db_t:s0
-/usr/lib(64)?/cracklib_dict.* --	system_u:object_r:crack_db_t:s0
-/usr/share/cracklib(/.*)?	system_u:object_r:crack_db_t:s0
diff --git a/mls/file_contexts/program/crond.fc b/mls/file_contexts/program/crond.fc
deleted file mode 100644
index 3ee6ee5..0000000
--- a/mls/file_contexts/program/crond.fc
+++ /dev/null
@@ -1,34 +0,0 @@
-# crond
-/etc/crontab		--	system_u:object_r:system_cron_spool_t:s0
-/etc/cron\.d(/.*)?		system_u:object_r:system_cron_spool_t:s0
-/usr/sbin/cron(d)?	--	system_u:object_r:crond_exec_t:s0
-/usr/sbin/anacron	--	system_u:object_r:anacron_exec_t:s0
-/var/spool/cron		-d	system_u:object_r:cron_spool_t:s0
-/var/spool/cron/crontabs -d	system_u:object_r:cron_spool_t:s0
-/var/spool/cron/crontabs/.* -- <<none>>
-/var/spool/cron/crontabs/root -- system_u:object_r:sysadm_cron_spool_t:s0
-/var/spool/cron/root	--	system_u:object_r:sysadm_cron_spool_t:s0
-/var/spool/cron/[^/]*	--	<<none>>
-/var/run/crond\.reboot	--	system_u:object_r:crond_var_run_t:s0
-/var/run/crond?\.pid	--	system_u:object_r:crond_var_run_t:s0
-# fcron
-/usr/sbin/fcron		--	system_u:object_r:crond_exec_t:s0
-/var/spool/fcron	-d	system_u:object_r:cron_spool_t:s0
-/var/spool/fcron/.*		<<none>>
-/var/spool/fcron/systab\.orig --	system_u:object_r:system_cron_spool_t:s0
-/var/spool/fcron/systab	 --	system_u:object_r:system_cron_spool_t:s0
-/var/spool/fcron/new\.systab --	system_u:object_r:system_cron_spool_t:s0
-/var/run/fcron\.fifo	-s	system_u:object_r:crond_var_run_t:s0
-/var/run/fcron\.pid	--	system_u:object_r:crond_var_run_t:s0
-# atd
-/usr/sbin/atd		--	system_u:object_r:crond_exec_t:s0
-/var/spool/at		-d	system_u:object_r:cron_spool_t:s0
-/var/spool/at/spool	-d	system_u:object_r:cron_spool_t:s0
-/var/spool/at/[^/]*	--	<<none>>
-/var/run/atd\.pid	--	system_u:object_r:crond_var_run_t:s0
-ifdef(`distro_suse', `
-/usr/lib/cron/run-crons	--	system_u:object_r:bin_t:s0
-/var/spool/cron/lastrun	-d	system_u:object_r:crond_tmp_t:s0
-/var/spool/cron/lastrun/[^/]*	--	<<none>>
-/var/spool/cron/tabs	-d	system_u:object_r:cron_spool_t:s0
-')
diff --git a/mls/file_contexts/program/crontab.fc b/mls/file_contexts/program/crontab.fc
deleted file mode 100644
index e0ee359..0000000
--- a/mls/file_contexts/program/crontab.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# crontab
-/usr/bin/(f)?crontab	--	system_u:object_r:crontab_exec_t:s0
-/usr/bin/at		--	system_u:object_r:crontab_exec_t:s0
diff --git a/mls/file_contexts/program/cups.fc b/mls/file_contexts/program/cups.fc
deleted file mode 100644
index fea8ef0..0000000
--- a/mls/file_contexts/program/cups.fc
+++ /dev/null
@@ -1,46 +0,0 @@
-# cups printing
-/etc/cups(/.*)?			system_u:object_r:cupsd_etc_t:s0
-/usr/share/cups(/.*)?		system_u:object_r:cupsd_etc_t:s0
-/etc/alchemist/namespace/printconf(/.*)? system_u:object_r:cupsd_rw_etc_t:s0
-/var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/client\.conf	--	system_u:object_r:etc_t:s0
-/etc/cups/cupsd\.conf.* --	system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/classes\.conf.* --	system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/lpoptions	--	system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/printers\.conf.* --	system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/ppd/.*	--	system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/certs		-d	system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/certs/.*	--	system_u:object_r:cupsd_rw_etc_t:s0
-/var/lib/cups/certs	-d	system_u:object_r:cupsd_rw_etc_t:s0
-/var/lib/cups/certs/.*	--	system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/ppds\.dat	--	system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/lpoptions.* 	--	system_u:object_r:cupsd_rw_etc_t:s0
-/etc/printcap.* 	--	system_u:object_r:cupsd_rw_etc_t:s0
-/usr/lib(64)?/cups/backend/.* --	system_u:object_r:cupsd_exec_t:s0
-/usr/lib(64)?/cups/daemon/.*	 --	system_u:object_r:cupsd_exec_t:s0
-/usr/lib(64)?/cups/daemon/cups-lpd --	system_u:object_r:cupsd_lpd_exec_t:s0
-/usr/sbin/cupsd		--	system_u:object_r:cupsd_exec_t:s0
-ifdef(`hald.te', `
-# cupsd_config depends on hald
-/usr/bin/cups-config-daemon --	system_u:object_r:cupsd_config_exec_t:s0
-/usr/sbin/hal_lpadmin --	system_u:object_r:cupsd_config_exec_t:s0
-/usr/sbin/printconf-backend --	system_u:object_r:cupsd_config_exec_t:s0
-')
-/var/log/cups(/.*)?		system_u:object_r:cupsd_log_t:s0
-/var/log/turboprint_cups\.log.* -- system_u:object_r:cupsd_log_t:s0
-/var/spool/cups(/.*)?		system_u:object_r:print_spool_t:s0
-/var/run/cups/printcap	--	system_u:object_r:cupsd_var_run_t:s0
-/usr/lib(64)?/cups/filter/.*	--	system_u:object_r:bin_t:s0
-/usr/lib(64)?/cups/cgi-bin/.* --	system_u:object_r:bin_t:s0
-/usr/sbin/ptal-printd	--	system_u:object_r:ptal_exec_t:s0
-/usr/sbin/ptal-mlcd	--	system_u:object_r:ptal_exec_t:s0
-/usr/sbin/ptal-photod	--	system_u:object_r:ptal_exec_t:s0
-/var/run/ptal-printd(/.*)?	system_u:object_r:ptal_var_run_t:s0
-/var/run/ptal-mlcd(/.*)?	system_u:object_r:ptal_var_run_t:s0
-/etc/hp(/.*)?			system_u:object_r:hplip_etc_t:s0
-/usr/sbin/hpiod		--	system_u:object_r:hplip_exec_t:s0
-/usr/share/hplip/hpssd.py	--	system_u:object_r:hplip_exec_t:s0
-/usr/share/foomatic/db/oldprinterids 	--	system_u:object_r:cupsd_rw_etc_t:s0
-/var/cache/foomatic(/.*)? 	--	system_u:object_r:cupsd_rw_etc_t:s0
-/var/run/hp.*\.pid		--	system_u:object_r:hplip_var_run_t:s0
-/var/run/hp.*\.port		--	system_u:object_r:hplip_var_run_t:s0
diff --git a/mls/file_contexts/program/cvs.fc b/mls/file_contexts/program/cvs.fc
deleted file mode 100644
index 8aa1edc..0000000
--- a/mls/file_contexts/program/cvs.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# cvs program
-/usr/bin/cvs	--	system_u:object_r:cvs_exec_t:s0
diff --git a/mls/file_contexts/program/cyrus.fc b/mls/file_contexts/program/cyrus.fc
deleted file mode 100644
index f415273..0000000
--- a/mls/file_contexts/program/cyrus.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# cyrus
-/var/lib/imap(/.*)?				system_u:object_r:cyrus_var_lib_t:s0
-/usr/lib(64)?/cyrus-imapd/.*		 	--	system_u:object_r:bin_t:s0
-/usr/lib(64)?/cyrus-imapd/cyrus-master 		--	system_u:object_r:cyrus_exec_t:s0	
-/var/spool/imap(/.*)?		system_u:object_r:mail_spool_t:s0
diff --git a/mls/file_contexts/program/daemontools.fc b/mls/file_contexts/program/daemontools.fc
deleted file mode 100644
index c2642ed..0000000
--- a/mls/file_contexts/program/daemontools.fc
+++ /dev/null
@@ -1,54 +0,0 @@
-# daemontools
-
-/var/service/.*			system_u:object_r:svc_svc_t
-
-# symlinks to /var/service/*
-/service(/.*)?			system_u:object_r:svc_svc_t
-
-# supervise scripts
-/usr/bin/svc-add	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-isdown	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-isup	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-remove	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-start	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-status	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-stop	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-waitdown	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-waitup	--	system_u:object_r:svc_script_exec_t
-
-# supervise init binaries
-# these programs read/write to /service/*/supervise/* and /service/*/log/supervise/*
-/usr/bin/svc		--	system_u:object_r:svc_start_exec_t
-/usr/bin/svscan		--	system_u:object_r:svc_start_exec_t
-/usr/bin/svscanboot	--	system_u:object_r:svc_start_exec_t
-/usr/bin/svok		--	system_u:object_r:svc_start_exec_t
-/usr/bin/supervise	--	system_u:object_r:svc_start_exec_t
-
-# starting scripts
-/var/service/.*/run.*		system_u:object_r:svc_run_exec_t
-/var/service/.*/log/run		system_u:object_r:svc_run_exec_t
-
-# configurations
-/var/service/.*/env(/.*)?   system_u:object_r:svc_conf_t
-
-# log
-/var/service/.*/log/main(/.*)?  system_u:object_r:svc_log_t
-
-# programs that impose a given environment to daemons
-/usr/bin/softlimit	--	system_u:object_r:svc_run_exec_t
-/usr/bin/setuidgid	--	system_u:object_r:svc_run_exec_t
-/usr/bin/envuidgid	--	system_u:object_r:svc_run_exec_t
-/usr/bin/envdir		--	system_u:object_r:svc_run_exec_t
-/usr/bin/setlock	--	system_u:object_r:svc_run_exec_t
-
-# helper programs
-/usr/bin/fghack		--	system_u:object_r:svc_run_exec_t
-/usr/bin/pgrphack	--	system_u:object_r:svc_run_exec_t
-
-/var/run/svscan\.pid	--	system_u:object_r:initrc_var_run_t
-# daemontools logger # writes to service/*/log/main/ and /var/log/*/
-/usr/bin/multilog	--	system_u:object_r:svc_multilog_exec_t
-
-/sbin/svcinit       --  system_u:object_r:initrc_exec_t
-/sbin/runsvcscript\.sh	--	system_u:object_r:initrc_exec_t
-
diff --git a/mls/file_contexts/program/dante.fc b/mls/file_contexts/program/dante.fc
deleted file mode 100644
index ce7f335..0000000
--- a/mls/file_contexts/program/dante.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dante
-/usr/sbin/sockd		--	system_u:object_r:dante_exec_t
-/etc/socks(/.*)?		system_u:object_r:dante_conf_t
-/var/run/sockd.pid	--	system_u:object_r:dante_var_run_t
diff --git a/mls/file_contexts/program/dbskkd.fc b/mls/file_contexts/program/dbskkd.fc
deleted file mode 100644
index 4f2d72f..0000000
--- a/mls/file_contexts/program/dbskkd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# A dictionary server for the SKK Japanese input method system.
-/usr/sbin/dbskkd-cdb	--	system_u:object_r:dbskkd_exec_t:s0
diff --git a/mls/file_contexts/program/dbusd.fc b/mls/file_contexts/program/dbusd.fc
deleted file mode 100644
index ea4e065..0000000
--- a/mls/file_contexts/program/dbusd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/bin/dbus-daemon(-1)?	--	system_u:object_r:system_dbusd_exec_t:s0
-/etc/dbus-1(/.*)?		system_u:object_r:etc_dbusd_t:s0
-/var/run/dbus(/.*)?		system_u:object_r:system_dbusd_var_run_t:s0
diff --git a/mls/file_contexts/program/dcc.fc b/mls/file_contexts/program/dcc.fc
deleted file mode 100644
index a6b1372..0000000
--- a/mls/file_contexts/program/dcc.fc
+++ /dev/null
@@ -1,17 +0,0 @@
-# DCC
-/etc/dcc(/.*)?				system_u:object_r:dcc_var_t
-/etc/dcc/map			--	system_u:object_r:dcc_client_map_t
-/etc/dcc/dccifd			-s	system_u:object_r:dccifd_sock_t
-/usr/bin/cdcc				system_u:object_r:cdcc_exec_t
-/usr/bin/dccproc			system_u:object_r:dcc_client_exec_t
-/usr/libexec/dcc/dbclean		system_u:object_r:dcc_dbclean_exec_t
-/usr/libexec/dcc/dccd			system_u:object_r:dccd_exec_t
-/usr/libexec/dcc/dccifd			system_u:object_r:dccifd_exec_t
-/usr/libexec/dcc/dccm			system_u:object_r:dccm_exec_t
-/usr/libexec/dcc/start-.*		system_u:object_r:dcc_script_exec_t
-/usr/libexec/dcc/stop-.*		system_u:object_r:dcc_script_exec_t
-/var/dcc(/.*)?				system_u:object_r:dcc_var_t
-/var/dcc/map			--	system_u:object_r:dcc_client_map_t
-/var/run/dcc				system_u:object_r:dcc_var_run_t
-/var/run/dcc/map		--	system_u:object_r:dcc_client_map_t
-/var/run/dcc/dccifd		-s	system_u:object_r:dccifd_sock_t
diff --git a/mls/file_contexts/program/ddclient.fc b/mls/file_contexts/program/ddclient.fc
deleted file mode 100644
index 83ee3d2..0000000
--- a/mls/file_contexts/program/ddclient.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# ddclient
-/etc/ddclient\.conf		--	system_u:object_r:ddclient_etc_t
-/usr/sbin/ddclient		--	system_u:object_r:ddclient_exec_t
-/var/cache/ddclient(/.*)?		system_u:object_r:ddclient_var_t
-/var/run/ddclient\.pid		--	system_u:object_r:ddclient_var_run_t
-# ddt - Dynamic DNS client
-/usr/sbin/ddtcd		--	system_u:object_r:ddclient_exec_t
-/var/run/ddtcd\.pid	--	system_u:object_r:ddclient_var_run_t
-/etc/ddtcd\.conf	--	system_u:object_r:ddclient_etc_t
-/var/lib/ddt-client(/.*)?	system_u:object_r:ddclient_var_lib_t
-/var/log/ddtcd\.log.*	--	system_u:object_r:ddclient_log_t
diff --git a/mls/file_contexts/program/ddcprobe.fc b/mls/file_contexts/program/ddcprobe.fc
deleted file mode 100644
index 8879280..0000000
--- a/mls/file_contexts/program/ddcprobe.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/ddcprobe      --		system_u:object_r:ddcprobe_exec_t:s0
diff --git a/mls/file_contexts/program/dhcpc.fc b/mls/file_contexts/program/dhcpc.fc
deleted file mode 100644
index e892abe..0000000
--- a/mls/file_contexts/program/dhcpc.fc
+++ /dev/null
@@ -1,19 +0,0 @@
-# dhcpcd 
-/etc/dhcpc.*			system_u:object_r:dhcp_etc_t:s0
-/etc/dhcp3?/dhclient.*		system_u:object_r:dhcp_etc_t:s0
-/etc/dhclient.*conf	--	system_u:object_r:dhcp_etc_t:s0
-/etc/dhclient-script	--	system_u:object_r:dhcp_etc_t:s0
-/sbin/dhcpcd		--	system_u:object_r:dhcpc_exec_t:s0
-/sbin/dhcdbd		--	system_u:object_r:dhcpc_exec_t:s0
-/sbin/dhclient.*	--	system_u:object_r:dhcpc_exec_t:s0
-/var/lib/dhcp(3)?/dhclient.*	system_u:object_r:dhcpc_state_t:s0
-/var/lib/dhcpcd(/.*)?		system_u:object_r:dhcpc_state_t:s0
-/var/lib/dhclient(/.*)?		system_u:object_r:dhcpc_state_t:s0
-/var/run/dhclient.*\.pid --	system_u:object_r:dhcpc_var_run_t:s0
-/var/run/dhclient.*\.leases --	system_u:object_r:dhcpc_var_run_t:s0
-# pump
-/sbin/pump		--	system_u:object_r:dhcpc_exec_t:s0
-ifdef(`dhcp_defined', `', `
-/var/lib/dhcp(3)?	-d	system_u:object_r:dhcp_state_t:s0
-define(`dhcp_defined')
-')
diff --git a/mls/file_contexts/program/dhcpd.fc b/mls/file_contexts/program/dhcpd.fc
deleted file mode 100644
index a03636f..0000000
--- a/mls/file_contexts/program/dhcpd.fc
+++ /dev/null
@@ -1,32 +0,0 @@
-# dhcpd
-/etc/dhcpd\.conf	--	system_u:object_r:dhcp_etc_t:s0
-/etc/dhcp3(/.*)?		system_u:object_r:dhcp_etc_t:s0
-/usr/sbin/dhcpd.*	--	system_u:object_r:dhcpd_exec_t:s0
-/var/lib/dhcp([3d])?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t:s0
-/var/run/dhcpd\.pid	--	system_u:object_r:dhcpd_var_run_t:s0
-ifdef(`dhcp_defined', `', `
-/var/lib/dhcp([3d])?	-d	system_u:object_r:dhcp_state_t:s0
-define(`dhcp_defined')
-')
-/var/lib/dhcp/dhcpd\.leases.* 	--	system_u:object_r:dhcpd_state_t:s0
-/var/lib/dhcpd(/.*)?			system_u:object_r:dhcpd_state_t:s0
-ifdef(`distro_gentoo', `
-/etc/dhcp			-d	system_u:object_r:dhcp_etc_t:s0
-/etc/dhcp(/.*)?			--	system_u:object_r:dhcp_etc_t:s0
-/var/run/dhcp/dhcpd\.pid     	--	system_u:object_r:dhcpd_var_run_t:s0
-
-# for the chroot setup
-/chroot/dhcp					-d	system_u:object_r:root_t:s0
-/chroot/dhcp/dev				-d	system_u:object_r:device_t:s0
-/chroot/dhcp/etc				-d	system_u:object_r:etc_t:s0
-/chroot/dhcp/etc/dhcp               -d  system_u:object_r:dhcp_etc_t:s0
-/chroot/dhcp/etc/dhcp(/.*)?         --  system_u:object_r:dhcp_etc_t:s0
-/chroot/dhcp/usr/sbin/dhcpd         --  system_u:object_r:dhcpd_exec_t:s0
-/chroot/dhcp/var				-d	system_u:object_r:var_t:s0
-/chroot/dhcp/var/run				-d	system_u:object_r:var_run_t:s0
-/chroot/dhcp/var/lib				-d	system_u:object_r:var_lib_t:s0
-/chroot/dhcp/var/lib/dhcp			-d	system_u:object_r:dhcp_state_t:s0
-/chroot/dhcp/var/lib/dhcp/dhcpd\.leases.*	--	system_u:object_r:dhcpd_state_t:s0
-/chroot/dhcp/var/run/dhcp/dhcpd\.pid     	--	system_u:object_r:dhcpd_state_t:s0
-')
-
diff --git a/mls/file_contexts/program/dictd.fc b/mls/file_contexts/program/dictd.fc
deleted file mode 100644
index b089863..0000000
--- a/mls/file_contexts/program/dictd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dictd
-/etc/dictd\.conf		--	system_u:object_r:dictd_etc_t:s0
-/usr/sbin/dictd		--	system_u:object_r:dictd_exec_t:s0
-/var/lib/dictd(/.*)?		system_u:object_r:dictd_var_lib_t:s0
diff --git a/mls/file_contexts/program/distcc.fc b/mls/file_contexts/program/distcc.fc
deleted file mode 100644
index 3ab9797..0000000
--- a/mls/file_contexts/program/distcc.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# distcc
-/usr/bin/distccd	--	system_u:object_r:distccd_exec_t
diff --git a/mls/file_contexts/program/djbdns.fc b/mls/file_contexts/program/djbdns.fc
deleted file mode 100644
index 6174b9f..0000000
--- a/mls/file_contexts/program/djbdns.fc
+++ /dev/null
@@ -1,26 +0,0 @@
-#djbdns
-/usr/bin/dnscache               -- system_u:object_r:djbdns_dnscache_exec_t
-/usr/bin/tinydns                -- system_u:object_r:djbdns_tinydns_exec_t
-/usr/bin/axfrdns                -- system_u:object_r:djbdns_axfrdns_exec_t
-
-/var/dnscache[a-z]?(/.*)?          system_u:object_r:svc_svc_t
-/var/dnscache[a-z]?/run        --  system_u:object_r:svc_run_exec_t
-/var/dnscache[a-z]?/log/run    --  system_u:object_r:svc_run_exec_t
-/var/dnscache[a-z]?/env(/.*)?      system_u:object_r:svc_conf_t
-/var/dnscache[a-z]?/root(/.*)?     system_u:object_r:djbdns_dnscache_conf_t
-/var/dnscache[a-z]?/log/main(/.*)? system_u:object_r:var_log_t
-
-/var/tinydns(/.*)?                 system_u:object_r:svc_svc_t
-/var/tinydns/run               --  system_u:object_r:svc_run_exec_t
-/var/tinydns/log/run           --  system_u:object_r:svc_run_exec_t
-/var/tinydns/env(/.*)?             system_u:object_r:svc_conf_t
-/var/tinydns/root(/.*)?            system_u:object_r:djbdns_tinydns_conf_t
-/var/tinydns/log/main(/.*)?        system_u:object_r:var_log_t
-
-/var/axfrdns(/.*)?                 system_u:object_r:svc_svc_t
-/var/axfrdns/run               --  system_u:object_r:svc_run_exec_t
-/var/axfrdns/log/run           --  system_u:object_r:svc_run_exec_t
-/var/axfrdns/env(/.*)?             system_u:object_r:svc_conf_t
-/var/axfrdns/root(/.*)?            system_u:object_r:djbdns_axfrdns_conf_t
-/var/axfrdns/log/main(/.*)?        system_u:object_r:var_log_t
-
diff --git a/mls/file_contexts/program/dmesg.fc b/mls/file_contexts/program/dmesg.fc
deleted file mode 100644
index 938875b..0000000
--- a/mls/file_contexts/program/dmesg.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# dmesg
-/bin/dmesg	--	system_u:object_r:dmesg_exec_t:s0
diff --git a/mls/file_contexts/program/dmidecode.fc b/mls/file_contexts/program/dmidecode.fc
deleted file mode 100644
index 7b02fd5..0000000
--- a/mls/file_contexts/program/dmidecode.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dmidecode 
-/usr/sbin/dmidecode	--	   	system_u:object_r:dmidecode_exec_t:s0
-/usr/sbin/ownership	--		system_u:object_r:dmidecode_exec_t:s0
-/usr/sbin/vpddecode	--		system_u:object_r:dmidecode_exec_t:s0
diff --git a/mls/file_contexts/program/dnsmasq.fc b/mls/file_contexts/program/dnsmasq.fc
deleted file mode 100644
index e1b1c35..0000000
--- a/mls/file_contexts/program/dnsmasq.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dnsmasq
-/usr/sbin/dnsmasq		--	system_u:object_r:dnsmasq_exec_t
-/var/lib/misc/dnsmasq\.leases	--	system_u:object_r:dnsmasq_lease_t
-/var/run/dnsmasq\.pid		--	system_u:object_r:dnsmasq_var_run_t
diff --git a/mls/file_contexts/program/dovecot.fc b/mls/file_contexts/program/dovecot.fc
deleted file mode 100644
index bc45b9d..0000000
--- a/mls/file_contexts/program/dovecot.fc
+++ /dev/null
@@ -1,16 +0,0 @@
-# for Dovecot POP and IMAP server
-/etc/dovecot.conf.*			system_u:object_r:dovecot_etc_t:s0
-/etc/dovecot.passwd.*			system_u:object_r:dovecot_passwd_t:s0
-/usr/sbin/dovecot		--	system_u:object_r:dovecot_exec_t:s0
-ifdef(`distro_redhat', `
-/usr/libexec/dovecot/dovecot-auth --	system_u:object_r:dovecot_auth_exec_t:s0
-')
-ifdef(`distro_debian', `
-/usr/lib/dovecot/dovecot-auth	--	system_u:object_r:dovecot_auth_exec_t:s0
-')
-/usr/share/ssl/certs/dovecot\.pem --	system_u:object_r:dovecot_cert_t:s0
-/usr/share/ssl/private/dovecot\.pem --	system_u:object_r:dovecot_cert_t:s0
-/etc/pki/dovecot(/.*)?			system_u:object_r:dovecot_cert_t:s0
-/var/run/dovecot(-login)?(/.*)?		system_u:object_r:dovecot_var_run_t:s0
-/usr/lib(64)?/dovecot/.+	--		system_u:object_r:bin_t:s0
-/var/spool/dovecot(/.*)?		system_u:object_r:dovecot_spool_t:s0
diff --git a/mls/file_contexts/program/dpkg.fc b/mls/file_contexts/program/dpkg.fc
deleted file mode 100644
index f0f56f6..0000000
--- a/mls/file_contexts/program/dpkg.fc
+++ /dev/null
@@ -1,49 +0,0 @@
-# dpkg/dselect/apt
-/etc/apt(/.*)?			system_u:object_r:apt_etc_t
-/etc/apt/listbugs(/.*)?		system_u:object_r:apt_rw_etc_t
-/usr/bin/apt-cache	--	system_u:object_r:apt_exec_t
-/usr/bin/apt-config	--	system_u:object_r:apt_exec_t
-/usr/bin/apt-get	--	system_u:object_r:apt_exec_t
-/usr/bin/dpkg		--	system_u:object_r:dpkg_exec_t
-/usr/sbin/dpkg-reconfigure --	system_u:object_r:dpkg_exec_t
-/usr/bin/dselect	--	system_u:object_r:dpkg_exec_t
-/usr/bin/aptitude	--	system_u:object_r:dpkg_exec_t
-/usr/bin/update-menus	--	system_u:object_r:install_menu_exec_t
-/usr/lib(64)?/apt/methods/.+	--	system_u:object_r:apt_exec_t
-/usr/lib(64)?/man-db(/.*)?		system_u:object_r:bin_t
-/usr/lib(64)?/dpkg/.+	--	system_u:object_r:dpkg_exec_t
-/usr/sbin/dpkg-preconfigure --	system_u:object_r:dpkg_exec_t
-/usr/sbin/install-menu	--	system_u:object_r:install_menu_exec_t
-/usr/share/applnk(/.*)?		system_u:object_r:debian_menu_t
-/usr/share/debconf/.+	--	system_u:object_r:dpkg_exec_t
-/usr/share/debiandoc-sgml/saspconvert -- system_u:object_r:bin_t
-/usr/share/lintian/.+	--	system_u:object_r:bin_t
-/usr/share/kernel-package/.+ -- system_u:object_r:bin_t
-/usr/share/smartmontools/selftests -- system_u:object_r:bin_t
-/usr/share/bug/[^/]+	--	system_u:object_r:bin_t
-/var/cache/apt(/.*)?		system_u:object_r:var_cache_apt_t
-/var/cache/apt-listbugs(/.*)?	system_u:object_r:var_cache_apt_t
-/var/lib/apt(/.*)?		system_u:object_r:apt_var_lib_t
-/var/state/apt(/.*)?		system_u:object_r:apt_var_lib_t
-/var/lib/dpkg(/.*)?		system_u:object_r:dpkg_var_lib_t
-/var/lib/dpkg/(meth)?lock --	system_u:object_r:dpkg_lock_t
-/var/lib/kde(/.*)?		system_u:object_r:debian_menu_t
-/var/spool/kdeapplnk(/.*)?	system_u:object_r:debian_menu_t
-/var/cache/debconf(/.*)?	system_u:object_r:debconf_cache_t
-/etc/dpkg/.+		--	system_u:object_r:dpkg_etc_t
-/etc/menu-methods/.*	--	system_u:object_r:install_menu_exec_t
-/usr/share/console/getkmapchoice\.pl -- system_u:object_r:bin_t
-/var/run/update-menus\.pid --	system_u:object_r:install_menu_var_run_t
-/usr/share/dlint/digparse --	system_u:object_r:bin_t
-/usr/share/gimp/1\.2/user_install -- system_u:object_r:bin_t
-/usr/share/openoffice\.org-debian-files/install-hook -- system_u:object_r:bin_t
-/var/lib/defoma(/.*)?		system_u:object_r:fonts_t
-/usr/lib(64)?/doc-rfc/register-doc-rfc-docs -- system_u:object_r:bin_t
-/usr/share/intltool-debian/.* -- system_u:object_r:bin_t
-/usr/share/po-debconf/intltool-merge -- system_u:object_r:bin_t
-/usr/share/linuxdoc-tools/sgmlswhich -- system_u:object_r:bin_t
-/usr/share/shorewall/.*	--	system_u:object_r:bin_t
-/usr/share/reportbug/.*	--	system_u:object_r:bin_t
-/etc/network/ifstate.*	--	system_u:object_r:etc_runtime_t
-/usr/lib(64)?/gconf2/gconfd-2 --	system_u:object_r:bin_t
-/bin/mountpoint		--	system_u:object_r:fsadm_exec_t
diff --git a/mls/file_contexts/program/ethereal.fc b/mls/file_contexts/program/ethereal.fc
deleted file mode 100644
index abe9b02..0000000
--- a/mls/file_contexts/program/ethereal.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/tethereal.*		--	system_u:object_r:tethereal_exec_t
-/usr/sbin/ethereal.*		--	system_u:object_r:ethereal_exec_t				
-HOME_DIR/\.ethereal(/.*)? 		system_u:object_r:ROLE_ethereal_home_t		
diff --git a/mls/file_contexts/program/evolution.fc b/mls/file_contexts/program/evolution.fc
deleted file mode 100644
index 1a3bf38..0000000
--- a/mls/file_contexts/program/evolution.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-/usr/bin/evolution.*					--	system_u:object_r:evolution_exec_t
-/usr/libexec/evolution/.*evolution-alarm-notify.*	--	system_u:object_r:evolution_alarm_exec_t
-/usr/libexec/evolution/.*evolution-exchange-storage.*	--	system_u:object_r:evolution_exchange_exec_t
-/usr/libexec/evolution-data-server.*			--	system_u:object_r:evolution_server_exec_t
-/usr/libexec/evolution-webcal.*				--	system_u:object_r:evolution_webcal_exec_t
-HOME_DIR/\.evolution(/.*)?					system_u:object_r:ROLE_evolution_home_t
-HOME_DIR/\.camel_certs(/.*)?					system_u:object_r:ROLE_evolution_home_t
-/tmp/\.exchange-USER(/.*)?					system_u:object_r:ROLE_evolution_exchange_tmp_t
diff --git a/mls/file_contexts/program/exim.fc b/mls/file_contexts/program/exim.fc
deleted file mode 100644
index 26f6bac..0000000
--- a/mls/file_contexts/program/exim.fc
+++ /dev/null
@@ -1,18 +0,0 @@
-# exim
-/usr/sbin/exicyclog		--	system_u:object_r:exicyclog_exec_t
-/usr/sbin/exigrep		--	system_u:object_r:exigrep_exec_t
-/usr/sbin/exim_checkaccess	--	system_u:object_r:exim_checkaccess_exec_t
-/usr/sbin/exim_dumpdb		--	system_u:object_r:exim_db_ro_exec_t
-/usr/sbin/exim_fixdb		--	system_u:object_r:exim_db_rw_exec_t
-/usr/sbin/exim_lock		--	system_u:object_r:exim_helper_exec_t
-/usr/sbin/exim_tidydb		--	system_u:object_r:exim_db_rw_exec_t
-/usr/sbin/exinext  		--	system_u:object_r:exim_helper_exec_t
-/usr/sbin/exipick  		--	system_u:object_r:exipick_exec_t
-/usr/sbin/exiqgrep 		--	system_u:object_r:exiqgrep_exec_t
-/usr/sbin/exim 			--	system_u:object_r:exim_exec_t
-/usr/sbin/exiwhat		--	system_u:object_r:exiwhat_exec_t
-/var/spool/exim(/.*)?			system_u:object_r:exim_spool_t
-/var/spool/exim/db(/.*)?		system_u:object_r:exim_spool_db_t
-/var/spool/exim/msglog(/.*)? 		system_u:object_r:exim_log_t
-/var/run/exim.pid               --      system_u:object_r:exim_var_run_t
-/var/log/exim(/.*)?                     system_u:object_r:exim_log_t
diff --git a/mls/file_contexts/program/fetchmail.fc b/mls/file_contexts/program/fetchmail.fc
deleted file mode 100644
index 9ac51a2..0000000
--- a/mls/file_contexts/program/fetchmail.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# fetchmail
-/etc/fetchmailrc		--	system_u:object_r:fetchmail_etc_t:s0
-/usr/bin/fetchmail		--	system_u:object_r:fetchmail_exec_t:s0
-/var/run/fetchmail/.*	--	system_u:object_r:fetchmail_var_run_t:s0
-/var/mail/\.fetchmail-UIDL-cache --	system_u:object_r:fetchmail_uidl_cache_t:s0
diff --git a/mls/file_contexts/program/fingerd.fc b/mls/file_contexts/program/fingerd.fc
deleted file mode 100644
index f7ed20d..0000000
--- a/mls/file_contexts/program/fingerd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# fingerd
-/usr/sbin/in\.fingerd	--	system_u:object_r:fingerd_exec_t:s0
-/usr/sbin/[cef]fingerd	--	system_u:object_r:fingerd_exec_t:s0
-/etc/cron\.weekly/(c)?fingerd -- system_u:object_r:fingerd_exec_t:s0
-/etc/cfingerd(/.*)?		system_u:object_r:fingerd_etc_t:s0
-/var/log/cfingerd\.log.* --	system_u:object_r:fingerd_log_t:s0
diff --git a/mls/file_contexts/program/firstboot.fc b/mls/file_contexts/program/firstboot.fc
deleted file mode 100644
index 9a087ed..0000000
--- a/mls/file_contexts/program/firstboot.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# firstboot
-/usr/sbin/firstboot	-- system_u:object_r:firstboot_exec_t:s0
-/usr/share/firstboot	system_u:object_r:firstboot_rw_t:s0
-/usr/share/firstboot/firstboot\.py --	system_u:object_r:firstboot_exec_t:s0
diff --git a/mls/file_contexts/program/fontconfig.fc b/mls/file_contexts/program/fontconfig.fc
deleted file mode 100644
index d8a8dc9..0000000
--- a/mls/file_contexts/program/fontconfig.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-HOME_DIR/\.fonts.conf		--	system_u:object_r:ROLE_fonts_config_t
-HOME_DIR/\.fonts(/.*)?			system_u:object_r:ROLE_fonts_t
-HOME_DIR/\.fonts/auto(/.*)?		system_u:object_r:ROLE_fonts_cache_t
-HOME_DIR/\.fonts.cache-.*	--	system_u:object_r:ROLE_fonts_cache_t
diff --git a/mls/file_contexts/program/fs_daemon.fc b/mls/file_contexts/program/fs_daemon.fc
deleted file mode 100644
index 1e086fd..0000000
--- a/mls/file_contexts/program/fs_daemon.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# fs admin daemons
-/usr/sbin/smartd	--	system_u:object_r:fsdaemon_exec_t:s0
-/var/run/smartd\.pid	--	system_u:object_r:fsdaemon_var_run_t:s0
-/etc/smartd\.conf	--	system_u:object_r:etc_runtime_t:s0
diff --git a/mls/file_contexts/program/fsadm.fc b/mls/file_contexts/program/fsadm.fc
deleted file mode 100644
index 4601a39..0000000
--- a/mls/file_contexts/program/fsadm.fc
+++ /dev/null
@@ -1,40 +0,0 @@
-# fs admin utilities
-/sbin/fsck.*		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mkfs.*		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mkfs\.cramfs	--	system_u:object_r:sbin_t:s0
-/sbin/e2fsck		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mkdosfs		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/dosfsck		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/reiserfs(ck|tune)	--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mkreiserfs	--	system_u:object_r:fsadm_exec_t:s0
-/sbin/resize.*fs	--	system_u:object_r:fsadm_exec_t:s0
-/sbin/e2label		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/findfs		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mkfs		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mke2fs		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mkswap		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/scsi_info		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/sfdisk		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/cfdisk		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/fdisk		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/parted		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/tune2fs		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/dumpe2fs		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/dump		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/swapon.*		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/hdparm		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/raidstart		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/raidautorun	--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mkraid		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/blockdev		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/losetup.*		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/jfs_.*		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/lsraid		--	system_u:object_r:fsadm_exec_t:s0
-/usr/sbin/smartctl	--	system_u:object_r:fsadm_exec_t:s0
-/sbin/install-mbr	--	system_u:object_r:fsadm_exec_t:s0
-/usr/bin/scsi_unique_id	--	system_u:object_r:fsadm_exec_t:s0
-/usr/bin/raw		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/partx		--	system_u:object_r:fsadm_exec_t:s0
-/usr/bin/partition_uuid	--	system_u:object_r:fsadm_exec_t:s0
-/sbin/partprobe		--	system_u:object_r:fsadm_exec_t:s0
-/usr/bin/syslinux	--	system_u:object_r:fsadm_exec_t:s0
diff --git a/mls/file_contexts/program/ftpd.fc b/mls/file_contexts/program/ftpd.fc
deleted file mode 100644
index 92a8c3e..0000000
--- a/mls/file_contexts/program/ftpd.fc
+++ /dev/null
@@ -1,17 +0,0 @@
-# ftpd
-/usr/sbin/in\.ftpd	--	system_u:object_r:ftpd_exec_t:s0
-/usr/sbin/proftpd	--	system_u:object_r:ftpd_exec_t:s0
-/usr/sbin/muddleftpd	--	system_u:object_r:ftpd_exec_t:s0
-/usr/sbin/ftpwho	--	system_u:object_r:ftpd_exec_t:s0
-/usr/kerberos/sbin/ftpd	--	system_u:object_r:ftpd_exec_t:s0
-/usr/sbin/vsftpd	--	system_u:object_r:ftpd_exec_t:s0
-/etc/proftpd\.conf	--	system_u:object_r:ftpd_etc_t:s0
-/var/run/proftpd/proftpd-inetd -- system_u:object_r:ftpd_var_run_t:s0
-/var/run/proftpd/proftpd\.scoreboard -- system_u:object_r:ftpd_var_run_t:s0
-/var/log/muddleftpd\.log.* --	system_u:object_r:xferlog_t:s0
-/var/log/xferlog.*	--	system_u:object_r:xferlog_t:s0
-/var/log/vsftpd.*	--	system_u:object_r:xferlog_t:s0
-/var/log/xferreport.*	--	system_u:object_r:xferlog_t:s0
-/etc/cron\.monthly/proftpd --	system_u:object_r:ftpd_exec_t:s0
-/var/ftp(/.*)?			system_u:object_r:public_content_t:s0
-/srv/([^/]*/)?ftp(/.*)?		system_u:object_r:public_content_t:s0
diff --git a/mls/file_contexts/program/games.fc b/mls/file_contexts/program/games.fc
deleted file mode 100644
index 3465eee..0000000
--- a/mls/file_contexts/program/games.fc
+++ /dev/null
@@ -1,61 +0,0 @@
-#  games
-/usr/lib/games(/.*)? 		system_u:object_r:games_exec_t
-/var/lib/games(/.*)? 		system_u:object_r:games_data_t
-ifdef(`distro_debian', `
-/usr/games/.*		--	system_u:object_r:games_exec_t
-/var/games(/.*)?		system_u:object_r:games_data_t
-', `
-/usr/bin/micq		--	system_u:object_r:games_exec_t
-/usr/bin/blackjack	--	system_u:object_r:games_exec_t
-/usr/bin/gataxx		--	system_u:object_r:games_exec_t
-/usr/bin/glines		--	system_u:object_r:games_exec_t
-/usr/bin/gnect		--	system_u:object_r:games_exec_t
-/usr/bin/gnibbles	--	system_u:object_r:games_exec_t
-/usr/bin/gnobots2	--	system_u:object_r:games_exec_t
-/usr/bin/gnome-stones	--	system_u:object_r:games_exec_t
-/usr/bin/gnomine	--	system_u:object_r:games_exec_t
-/usr/bin/gnotravex	--	system_u:object_r:games_exec_t
-/usr/bin/gnotski	--	system_u:object_r:games_exec_t
-/usr/bin/gtali		--	system_u:object_r:games_exec_t
-/usr/bin/iagno		--	system_u:object_r:games_exec_t
-/usr/bin/mahjongg	--	system_u:object_r:games_exec_t
-/usr/bin/same-gnome	--	system_u:object_r:games_exec_t
-/usr/bin/sol		--	system_u:object_r:games_exec_t
-/usr/bin/atlantik	--	system_u:object_r:games_exec_t
-/usr/bin/kasteroids	--	system_u:object_r:games_exec_t
-/usr/bin/katomic	--	system_u:object_r:games_exec_t
-/usr/bin/kbackgammon	--	system_u:object_r:games_exec_t
-/usr/bin/kbattleship	--	system_u:object_r:games_exec_t
-/usr/bin/kblackbox	--	system_u:object_r:games_exec_t
-/usr/bin/kbounce	--	system_u:object_r:games_exec_t
-/usr/bin/kenolaba	--	system_u:object_r:games_exec_t
-/usr/bin/kfouleggs	--	system_u:object_r:games_exec_t
-/usr/bin/kgoldrunner	--	system_u:object_r:games_exec_t
-/usr/bin/kjumpingcube	--	system_u:object_r:games_exec_t
-/usr/bin/klickety	--	system_u:object_r:games_exec_t
-/usr/bin/klines		--	system_u:object_r:games_exec_t
-/usr/bin/kmahjongg	--	system_u:object_r:games_exec_t
-/usr/bin/kmines		--	system_u:object_r:games_exec_t
-/usr/bin/kolf		--	system_u:object_r:games_exec_t
-/usr/bin/konquest	--	system_u:object_r:games_exec_t
-/usr/bin/kpat		--	system_u:object_r:games_exec_t
-/usr/bin/kpoker		--	system_u:object_r:games_exec_t
-/usr/bin/kreversi	--	system_u:object_r:games_exec_t
-/usr/bin/ksame		--	system_u:object_r:games_exec_t
-/usr/bin/kshisen	--	system_u:object_r:games_exec_t
-/usr/bin/ksirtet	--	system_u:object_r:games_exec_t
-/usr/bin/ksmiletris	--	system_u:object_r:games_exec_t
-/usr/bin/ksnake		--	system_u:object_r:games_exec_t
-/usr/bin/ksokoban	--	system_u:object_r:games_exec_t
-/usr/bin/kspaceduel	--	system_u:object_r:games_exec_t
-/usr/bin/ktron		--	system_u:object_r:games_exec_t
-/usr/bin/ktuberling	--	system_u:object_r:games_exec_t
-/usr/bin/kwin4		--	system_u:object_r:games_exec_t
-/usr/bin/kwin4proc	--	system_u:object_r:games_exec_t
-/usr/bin/lskat		--	system_u:object_r:games_exec_t
-/usr/bin/lskatproc	--	system_u:object_r:games_exec_t
-/usr/bin/Maelstrom	--	system_u:object_r:games_exec_t
-/usr/bin/civclient.*	--	system_u:object_r:games_exec_t
-/usr/bin/civserver.*	--	system_u:object_r:games_exec_t
-')dnl end non-Debian section
-
diff --git a/mls/file_contexts/program/gatekeeper.fc b/mls/file_contexts/program/gatekeeper.fc
deleted file mode 100644
index e51491a..0000000
--- a/mls/file_contexts/program/gatekeeper.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# gatekeeper
-/etc/gatekeeper\.ini	--	system_u:object_r:gatekeeper_etc_t
-/usr/sbin/gk		--	system_u:object_r:gatekeeper_exec_t
-/usr/sbin/gnugk		--	system_u:object_r:gatekeeper_exec_t
-/var/run/gk\.pid	--	system_u:object_r:gatekeeper_var_run_t
-/var/run/gnugk(/.*)?		system_u:object_r:gatekeeper_var_run_t
-/var/log/gnugk(/.*)?		system_u:object_r:gatekeeper_log_t
diff --git a/mls/file_contexts/program/gconf.fc b/mls/file_contexts/program/gconf.fc
deleted file mode 100644
index 3ee63e0..0000000
--- a/mls/file_contexts/program/gconf.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-/usr/libexec/gconfd-2	--	system_u:object_r:gconfd_exec_t
-/etc/gconf(/.*)?		system_u:object_r:gconf_etc_t
-HOME_DIR/\.gconf(/.*)?		system_u:object_r:ROLE_gconfd_home_t
-HOME_DIR/\.gconfd(/.*)?		system_u:object_r:ROLE_gconfd_home_t
-/tmp/gconfd-USER(/.*)?		system_u:object_r:ROLE_gconfd_tmp_t
diff --git a/mls/file_contexts/program/getty.fc b/mls/file_contexts/program/getty.fc
deleted file mode 100644
index 19b7e64..0000000
--- a/mls/file_contexts/program/getty.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# getty
-/sbin/.*getty		--	system_u:object_r:getty_exec_t:s0
-/etc/mgetty(/.*)?		system_u:object_r:getty_etc_t:s0
-/var/run/mgetty\.pid.*	--	system_u:object_r:getty_var_run_t:s0
-/var/log/mgetty\.log.*	--	system_u:object_r:getty_log_t:s0
diff --git a/mls/file_contexts/program/gift.fc b/mls/file_contexts/program/gift.fc
deleted file mode 100644
index 88ed5f2..0000000
--- a/mls/file_contexts/program/gift.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-/usr/(local/)?bin/giftd	--	system_u:object_r:giftd_exec_t
-/usr/(local/)?bin/giftui	-- 	system_u:object_r:gift_exec_t
-/usr/(local/)?bin/giFToxic	--	system_u:object_r:gift_exec_t
-/usr/(local/)?bin/apollon	-- 	system_u:object_r:gift_exec_t
-HOME_DIR/\.giFT(/.*)?		system_u:object_r:ROLE_gift_home_t
diff --git a/mls/file_contexts/program/gnome-pty-helper.fc b/mls/file_contexts/program/gnome-pty-helper.fc
deleted file mode 100644
index 24a0b1b..0000000
--- a/mls/file_contexts/program/gnome-pty-helper.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# gnome-pty-helper
-/usr/sbin/gnome-pty-helper --	system_u:object_r:gph_exec_t
-/usr/lib(64)?/vte/gnome-pty-helper --	system_u:object_r:gph_exec_t
diff --git a/mls/file_contexts/program/gnome.fc b/mls/file_contexts/program/gnome.fc
deleted file mode 100644
index 670c86f..0000000
--- a/mls/file_contexts/program/gnome.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# FIXME: add a lot more GNOME folders
-HOME_DIR/\.gnome(2)?(/.*)?			system_u:object_r:ROLE_gnome_settings_t
-HOME_DIR/\.gnome(2)?_private(/.*)?              system_u:object_r:ROLE_gnome_secret_t
-ifdef(`evolution.te', `
-HOME_DIR/\.gnome(2)?_private/Evolution	--	system_u:object_r:ROLE_evolution_secret_t
-')
-HOME_DIR/\.gnome(2)?/share/fonts(/.*)?          system_u:object_r:ROLE_fonts_t
-HOME_DIR/\.gnome(2)?/share/cursor-fonts(/.*)?   system_u:object_r:ROLE_fonts_t
diff --git a/mls/file_contexts/program/gnome_vfs.fc b/mls/file_contexts/program/gnome_vfs.fc
deleted file mode 100644
index f945d59..0000000
--- a/mls/file_contexts/program/gnome_vfs.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/libexec/gnome-vfs-daemon 	--	system_u:object_r:gnome_vfs_exec_t
diff --git a/mls/file_contexts/program/gpg-agent.fc b/mls/file_contexts/program/gpg-agent.fc
deleted file mode 100644
index a8a7603..0000000
--- a/mls/file_contexts/program/gpg-agent.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# gpg-agent
-/usr/bin/gpg-agent	--	system_u:object_r:gpg_agent_exec_t:s0
-/usr/bin/pinentry.*	--	system_u:object_r:pinentry_exec_t:s0
diff --git a/mls/file_contexts/program/gpg.fc b/mls/file_contexts/program/gpg.fc
deleted file mode 100644
index b820755..0000000
--- a/mls/file_contexts/program/gpg.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# gpg
-HOME_DIR/\.gnupg(/.+)?	system_u:object_r:ROLE_gpg_secret_t:s0
-/usr/bin/gpg(2)?		--	system_u:object_r:gpg_exec_t:s0
-/usr/bin/kgpg		--	system_u:object_r:gpg_exec_t:s0
-/usr/lib/gnupg/.*	--	system_u:object_r:gpg_exec_t:s0
-/usr/lib/gnupg/gpgkeys.*	--  system_u:object_r:gpg_helper_exec_t:s0
-
diff --git a/mls/file_contexts/program/gpm.fc b/mls/file_contexts/program/gpm.fc
deleted file mode 100644
index 1210518..0000000
--- a/mls/file_contexts/program/gpm.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# gpm
-/dev/gpmctl		-s	system_u:object_r:gpmctl_t:s0
-/dev/gpmdata		-p	system_u:object_r:gpmctl_t:s0
-/usr/sbin/gpm		--	system_u:object_r:gpm_exec_t:s0
-/etc/gpm(/.*)?			system_u:object_r:gpm_conf_t:s0
diff --git a/mls/file_contexts/program/groupadd.fc b/mls/file_contexts/program/groupadd.fc
deleted file mode 100644
index e69de29..0000000
--- a/mls/file_contexts/program/groupadd.fc
+++ /dev/null
diff --git a/mls/file_contexts/program/hald.fc b/mls/file_contexts/program/hald.fc
deleted file mode 100644
index b57463d..0000000
--- a/mls/file_contexts/program/hald.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# hald - hardware information daemon
-/usr/sbin/hald		--	system_u:object_r:hald_exec_t:s0
-/usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t:s0
-/etc/hal/device\.d/printer_remove\.hal -- system_u:object_r:hald_exec_t:s0
-/etc/hal/capability\.d/printer_update\.hal -- system_u:object_r:hald_exec_t:s0
-/usr/share/hal/device-manager/hal-device-manager -- system_u:object_r:bin_t:s0
diff --git a/mls/file_contexts/program/hostname.fc b/mls/file_contexts/program/hostname.fc
deleted file mode 100644
index 01a957a..0000000
--- a/mls/file_contexts/program/hostname.fc
+++ /dev/null
@@ -1 +0,0 @@
-/bin/hostname		--	system_u:object_r:hostname_exec_t:s0
diff --git a/mls/file_contexts/program/hotplug.fc b/mls/file_contexts/program/hotplug.fc
deleted file mode 100644
index 05c6504..0000000
--- a/mls/file_contexts/program/hotplug.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# hotplug
-/etc/hotplug(/.*)?		system_u:object_r:hotplug_etc_t:s0
-/sbin/hotplug		--	system_u:object_r:hotplug_exec_t:s0
-/sbin/netplugd		--	system_u:object_r:hotplug_exec_t:s0
-/etc/hotplug\.d/.*	--	system_u:object_r:hotplug_exec_t:s0
-/etc/hotplug\.d/default/default.* system_u:object_r:sbin_t:s0
-/etc/netplug\.d(/.*)? 	 	system_u:object_r:sbin_t:s0
-/etc/hotplug/.*agent	--	system_u:object_r:sbin_t:s0
-/etc/hotplug/.*rc	-- 	system_u:object_r:sbin_t:s0
-/etc/hotplug/hotplug\.functions --	system_u:object_r:sbin_t:s0
-/var/run/usb(/.*)?		system_u:object_r:hotplug_var_run_t:s0
-/var/run/hotplug(/.*)?		system_u:object_r:hotplug_var_run_t:s0
-/etc/hotplug/firmware.agent	--	system_u:object_r:hotplug_exec_t:s0
diff --git a/mls/file_contexts/program/howl.fc b/mls/file_contexts/program/howl.fc
deleted file mode 100644
index 4546ac1..0000000
--- a/mls/file_contexts/program/howl.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/bin/nifd	--	system_u:object_r:howl_exec_t:s0
-/usr/bin/mDNSResponder	--	system_u:object_r:howl_exec_t:s0
-/var/run/nifd\.pid --	system_u:object_r:howl_var_run_t:s0
diff --git a/mls/file_contexts/program/hwclock.fc b/mls/file_contexts/program/hwclock.fc
deleted file mode 100644
index 9d0d909..0000000
--- a/mls/file_contexts/program/hwclock.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# hwclock
-/sbin/hwclock		--	system_u:object_r:hwclock_exec_t:s0
-/etc/adjtime		--	system_u:object_r:adjtime_t:s0
diff --git a/mls/file_contexts/program/i18n_input.fc b/mls/file_contexts/program/i18n_input.fc
deleted file mode 100644
index 66cea53..0000000
--- a/mls/file_contexts/program/i18n_input.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# i18n_input.fc
-/usr/sbin/htt                   --     system_u:object_r:i18n_input_exec_t:s0
-/usr/sbin/htt_server            --     system_u:object_r:i18n_input_exec_t:s0
-/usr/bin/iiimd\.bin	        --     system_u:object_r:i18n_input_exec_t:s0
-/usr/bin/httx                   --     system_u:object_r:i18n_input_exec_t:s0
-/usr/bin/htt_xbe                --     system_u:object_r:i18n_input_exec_t:s0
-/usr/bin/iiimx                  --     system_u:object_r:i18n_input_exec_t:s0
-/usr/lib/iiim/iiim-xbe          --     system_u:object_r:i18n_input_exec_t:s0
-/usr/lib(64)?/im/.*\.so.*       --     system_u:object_r:shlib_t:s0
-/usr/lib(64)?/iiim/.*\.so.*     --     system_u:object_r:shlib_t:s0
-/var/run/iiim(/.*)?		       system_u:object_r:i18n_input_var_run_t:s0
diff --git a/mls/file_contexts/program/iceauth.fc b/mls/file_contexts/program/iceauth.fc
deleted file mode 100644
index 31bf1f3..0000000
--- a/mls/file_contexts/program/iceauth.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# iceauth
-/usr/X11R6/bin/iceauth	--      system_u:object_r:iceauth_exec_t
-HOME_DIR/\.ICEauthority.* --      system_u:object_r:ROLE_iceauth_home_t
diff --git a/mls/file_contexts/program/ifconfig.fc b/mls/file_contexts/program/ifconfig.fc
deleted file mode 100644
index 22d52ed..0000000
--- a/mls/file_contexts/program/ifconfig.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# ifconfig
-/sbin/ifconfig		--	system_u:object_r:ifconfig_exec_t:s0
-/sbin/iwconfig		--	system_u:object_r:ifconfig_exec_t:s0
-/sbin/ip		--	system_u:object_r:ifconfig_exec_t:s0
-/sbin/tc		--	system_u:object_r:ifconfig_exec_t:s0
-/usr/sbin/tc		--	system_u:object_r:ifconfig_exec_t:s0
-/bin/ip			--	system_u:object_r:ifconfig_exec_t:s0
-/sbin/ethtool		--	system_u:object_r:ifconfig_exec_t:s0
-/sbin/mii-tool		--	system_u:object_r:ifconfig_exec_t:s0
-/sbin/ipx_interface	--	system_u:object_r:ifconfig_exec_t:s0
-/sbin/ipx_configure	--	system_u:object_r:ifconfig_exec_t:s0
-/sbin/ipx_internal_net	--	system_u:object_r:ifconfig_exec_t:s0
diff --git a/mls/file_contexts/program/imazesrv.fc b/mls/file_contexts/program/imazesrv.fc
deleted file mode 100644
index dae194e..0000000
--- a/mls/file_contexts/program/imazesrv.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-#  imazesrv
-/usr/share/games/imaze(/.*)?	system_u:object_r:imazesrv_data_t
-/usr/games/imazesrv --	system_u:object_r:imazesrv_exec_t
-/var/log/imaze\.log --	system_u:object_r:imazesrv_log_t
diff --git a/mls/file_contexts/program/inetd.fc b/mls/file_contexts/program/inetd.fc
deleted file mode 100644
index d066e36..0000000
--- a/mls/file_contexts/program/inetd.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# inetd
-/usr/sbin/inetd		--	system_u:object_r:inetd_exec_t:s0
-/usr/sbin/xinetd	--	system_u:object_r:inetd_exec_t:s0
-/usr/sbin/rlinetd	--	system_u:object_r:inetd_exec_t:s0
-/usr/sbin/identd	--	system_u:object_r:inetd_child_exec_t:s0
-/usr/sbin/in\..*d	--	system_u:object_r:inetd_child_exec_t:s0
-/var/log/(x)?inetd\.log	--	system_u:object_r:inetd_log_t:s0
-/var/run/inetd\.pid	--	system_u:object_r:inetd_var_run_t:s0
diff --git a/mls/file_contexts/program/init.fc b/mls/file_contexts/program/init.fc
deleted file mode 100644
index cdf424f..0000000
--- a/mls/file_contexts/program/init.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# init
-/dev/initctl		-p	system_u:object_r:initctl_t:s0
-/sbin/init		--	system_u:object_r:init_exec_t:s0
diff --git a/mls/file_contexts/program/initrc.fc b/mls/file_contexts/program/initrc.fc
deleted file mode 100644
index 65a1dba..0000000
--- a/mls/file_contexts/program/initrc.fc
+++ /dev/null
@@ -1,48 +0,0 @@
-# init rc scripts
-ifdef(`targeted_policy', `
-/etc/X11/prefdm              --      system_u:object_r:bin_t:s0
-', `
-/etc/X11/prefdm              --      system_u:object_r:initrc_exec_t:s0
-')
-/etc/rc\.d/rc		--	system_u:object_r:initrc_exec_t:s0
-/etc/rc\.d/rc\.sysinit	--	system_u:object_r:initrc_exec_t:s0
-/etc/rc\.d/rc\.local	--	system_u:object_r:initrc_exec_t:s0
-/etc/rc\.d/init\.d/.*	--	system_u:object_r:initrc_exec_t:s0
-/etc/rc\.d/init\.d/functions -- system_u:object_r:etc_t:s0
-/etc/init\.d/.*		--	system_u:object_r:initrc_exec_t:s0
-/etc/init\.d/functions	--	system_u:object_r:etc_t:s0
-/var/run/utmp		--	system_u:object_r:initrc_var_run_t:s0
-/var/run/runlevel\.dir		system_u:object_r:initrc_var_run_t:s0
-/var/run/random-seed	--	system_u:object_r:initrc_var_run_t:s0
-/var/run/setmixer_flag	--	system_u:object_r:initrc_var_run_t:s0
-ifdef(`distro_suse', `
-/var/run/sysconfig(/.*)?	system_u:object_r:initrc_var_run_t:s0
-/var/run/keymap		--	system_u:object_r:initrc_var_run_t:s0
-/var/run/numlock-on	--	system_u:object_r:initrc_var_run_t:s0
-/var/run/setleds-on	--	system_u:object_r:initrc_var_run_t:s0
-/var/run/bootsplashctl	-p	system_u:object_r:initrc_var_run_t:s0
-/etc/init\.d/\.depend.*	--	system_u:object_r:etc_runtime_t:s0
-')
-
-ifdef(`distro_gentoo', `
-/sbin/rc		--	system_u:object_r:initrc_exec_t:s0
-/sbin/runscript		--      system_u:object_r:initrc_exec_t:s0
-/sbin/runscript\.sh	--	system_u:object_r:initrc_exec_t:s0
-/var/lib/init\.d(/.*)?		system_u:object_r:initrc_state_t:s0
-')
-
-# run_init
-/usr/sbin/run_init	--	system_u:object_r:run_init_exec_t:s0
-/usr/sbin/open_init_pty	--	system_u:object_r:initrc_exec_t:s0
-/etc/nologin.*		--	system_u:object_r:etc_runtime_t:s0
-/etc/nohotplug		--	system_u:object_r:etc_runtime_t:s0
-ifdef(`distro_redhat', `
-/halt			--	system_u:object_r:etc_runtime_t:s0
-/fastboot 		--	system_u:object_r:etc_runtime_t:s0
-/fsckoptions 		--	system_u:object_r:etc_runtime_t:s0
-/forcefsck 		--	system_u:object_r:etc_runtime_t:s0
-/poweroff		--	system_u:object_r:etc_runtime_t:s0
-/\.autofsck		--	system_u:object_r:etc_runtime_t:s0
-/\.autorelabel		--	system_u:object_r:etc_runtime_t:s0
-')
-
diff --git a/mls/file_contexts/program/innd.fc b/mls/file_contexts/program/innd.fc
deleted file mode 100644
index c8646ea..0000000
--- a/mls/file_contexts/program/innd.fc
+++ /dev/null
@@ -1,50 +0,0 @@
-# innd
-/usr/sbin/innd.*	--	system_u:object_r:innd_exec_t:s0
-/usr/bin/rpost          --      system_u:object_r:innd_exec_t:s0
-/usr/bin/suck           --      system_u:object_r:innd_exec_t:s0
-/var/run/innd(/.*)?		system_u:object_r:innd_var_run_t:s0
-/etc/news(/.*)?			system_u:object_r:innd_etc_t:s0
-/etc/news/boot		--	system_u:object_r:innd_exec_t:s0
-/var/spool/news(/.*)?		system_u:object_r:news_spool_t:s0
-/var/log/news(/.*)?		system_u:object_r:innd_log_t:s0
-/var/lib/news(/.*)?		system_u:object_r:innd_var_lib_t:s0
-/var/run/news(/.*)?	 	system_u:object_r:innd_var_run_t:s0
-/usr/sbin/in\.nnrpd	--	system_u:object_r:innd_exec_t:s0
-/usr/bin/inews		--	system_u:object_r:innd_exec_t:s0
-/usr/bin/rnews		--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin(/.*)?		system_u:object_r:bin_t:s0
-/usr/lib(64)?/news/bin/innd 	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/actsync	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/archive	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/batcher	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/buffchan	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/controlchan --	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/convdate	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/ctlinnd	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/cvtbatch	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/expire	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/expireover --	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/fastrm	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/filechan	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/getlist	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/grephistory --	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/inews	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/innconfval --	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/inndf	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/inndstart --	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/innfeed	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/innxbatch --	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/innxmit	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/makedbz	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/makehistory --	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/newsrequeue --	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/nnrpd	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/nntpget	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/ovdb_recover	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/overchan	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/prunehistory	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/rnews	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/shlock	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/shrinkfile	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/sm	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/startinnfeed	--	system_u:object_r:innd_exec_t:s0
diff --git a/mls/file_contexts/program/ipsec.fc b/mls/file_contexts/program/ipsec.fc
deleted file mode 100644
index cb4c966..0000000
--- a/mls/file_contexts/program/ipsec.fc
+++ /dev/null
@@ -1,32 +0,0 @@
-# IPSEC utilities and daemon.
-
-/etc/ipsec\.secrets	--	system_u:object_r:ipsec_key_file_t:s0
-/etc/ipsec\.conf	--	system_u:object_r:ipsec_conf_file_t:s0
-/etc/ipsec\.d(/.*)?		system_u:object_r:ipsec_key_file_t:s0
-/etc/ipsec\.d/examples(/.*)?		system_u:object_r:etc_t:s0
-/usr/lib(64)?/ipsec/.*	--	system_u:object_r:sbin_t:s0
-/usr/lib(64)?/ipsec/_plutoload -- 	system_u:object_r:ipsec_mgmt_exec_t:s0
-/usr/lib(64)?/ipsec/_plutorun  --	system_u:object_r:ipsec_mgmt_exec_t:s0
-/usr/local/lib(64)?/ipsec/.*	--	system_u:object_r:sbin_t:s0
-/usr/libexec/ipsec/eroute	--	system_u:object_r:ipsec_exec_t:s0
-/usr/lib(64)?/ipsec/eroute	--	system_u:object_r:ipsec_exec_t:s0
-/usr/local/lib(64)?/ipsec/eroute --	system_u:object_r:ipsec_exec_t:s0
-/usr/libexec/ipsec/klipsdebug	--	system_u:object_r:ipsec_exec_t:s0
-/usr/lib(64)?/ipsec/klipsdebug --	system_u:object_r:ipsec_exec_t:s0
-/usr/local/lib(64)?/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t:s0
-/usr/libexec/ipsec/pluto	--	system_u:object_r:ipsec_exec_t:s0
-/usr/lib(64)?/ipsec/pluto	--	system_u:object_r:ipsec_exec_t:s0
-/usr/local/lib(64)?/ipsec/pluto --	system_u:object_r:ipsec_exec_t:s0
-/usr/libexec/ipsec/spi	--	system_u:object_r:ipsec_exec_t:s0
-/usr/lib(64)?/ipsec/spi	--	system_u:object_r:ipsec_exec_t:s0
-/usr/local/lib(64)?/ipsec/spi --	system_u:object_r:ipsec_exec_t:s0
-/var/run/pluto(/.*)?		system_u:object_r:ipsec_var_run_t:s0
-/var/racoon(/.*)?		system_u:object_r:ipsec_var_run_t:s0
-
-# Kame
-/usr/sbin/racoon	--	system_u:object_r:ipsec_exec_t:s0
-/usr/sbin/setkey	--	system_u:object_r:ipsec_exec_t:s0
-/sbin/setkey		--	system_u:object_r:ipsec_exec_t:s0
-/etc/racoon(/.*)?		system_u:object_r:ipsec_conf_file_t:s0
-/etc/racoon/certs(/.*)?	system_u:object_r:ipsec_key_file_t:s0
-/etc/racoon/psk\.txt	--	system_u:object_r:ipsec_key_file_t:s0
diff --git a/mls/file_contexts/program/iptables.fc b/mls/file_contexts/program/iptables.fc
deleted file mode 100644
index c55fd08..0000000
--- a/mls/file_contexts/program/iptables.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# iptables
-/sbin/ipchains.*	--	system_u:object_r:iptables_exec_t:s0
-/sbin/iptables.* 	--	system_u:object_r:iptables_exec_t:s0
-/sbin/ip6tables.*	--	system_u:object_r:iptables_exec_t:s0
-/usr/sbin/ipchains.*	--	system_u:object_r:iptables_exec_t:s0
-/usr/sbin/iptables.* 	--	system_u:object_r:iptables_exec_t:s0
-/usr/sbin/ip6tables.*	--	system_u:object_r:iptables_exec_t:s0
-
diff --git a/mls/file_contexts/program/irc.fc b/mls/file_contexts/program/irc.fc
deleted file mode 100644
index 586977b..0000000
--- a/mls/file_contexts/program/irc.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# irc clients
-/usr/bin/[st]irc	--	system_u:object_r:irc_exec_t:s0
-/usr/bin/ircII		--	system_u:object_r:irc_exec_t:s0
-/usr/bin/tinyirc	--	system_u:object_r:irc_exec_t:s0
-HOME_DIR/\.ircmotd	--	system_u:object_r:ROLE_irc_home_t:s0
diff --git a/mls/file_contexts/program/ircd.fc b/mls/file_contexts/program/ircd.fc
deleted file mode 100644
index 2ef668c..0000000
--- a/mls/file_contexts/program/ircd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# ircd - irc server
-/usr/sbin/(dancer-)?ircd --	system_u:object_r:ircd_exec_t
-/etc/(dancer-)?ircd(/.*)?	system_u:object_r:ircd_etc_t
-/var/log/(dancer-)?ircd(/.*)?	system_u:object_r:ircd_log_t
-/var/lib/dancer-ircd(/.*)?	system_u:object_r:ircd_var_lib_t
-/var/run/dancer-ircd(/.*)?	system_u:object_r:ircd_var_run_t
diff --git a/mls/file_contexts/program/irqbalance.fc b/mls/file_contexts/program/irqbalance.fc
deleted file mode 100644
index 15b5004..0000000
--- a/mls/file_contexts/program/irqbalance.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# irqbalance
-/usr/sbin/irqbalance	-- system_u:object_r:irqbalance_exec_t:s0
diff --git a/mls/file_contexts/program/jabberd.fc b/mls/file_contexts/program/jabberd.fc
deleted file mode 100644
index c614cb8..0000000
--- a/mls/file_contexts/program/jabberd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# jabberd
-/usr/sbin/jabberd	--	system_u:object_r:jabberd_exec_t
-/var/lib/jabber(/.*)?		system_u:object_r:jabberd_var_lib_t
-/var/log/jabber(/.*)?		system_u:object_r:jabberd_log_t
diff --git a/mls/file_contexts/program/java.fc b/mls/file_contexts/program/java.fc
deleted file mode 100644
index 0513971..0000000
--- a/mls/file_contexts/program/java.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-#  java
-/usr(/.*)?/bin/java.* --	system_u:object_r:java_exec_t:s0
diff --git a/mls/file_contexts/program/kerberos.fc b/mls/file_contexts/program/kerberos.fc
deleted file mode 100644
index 2faebe0..0000000
--- a/mls/file_contexts/program/kerberos.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-# MIT Kerberos krbkdc, kadmind
-/etc/krb5\.keytab       		system_u:object_r:krb5_keytab_t:s0
-/usr(/local)?(/kerberos)?/sbin/krb5kdc --	system_u:object_r:krb5kdc_exec_t:s0
-/usr(/local)?(/kerberos)?/sbin/kadmind --	system_u:object_r:kadmind_exec_t:s0
-/var/kerberos/krb5kdc(/.*)?		system_u:object_r:krb5kdc_conf_t:s0
-/usr/local/var/krb5kdc(/.*)?		system_u:object_r:krb5kdc_conf_t:s0
-/var/kerberos/krb5kdc/principal.*	system_u:object_r:krb5kdc_principal_t:s0
-/usr/local/var/krb5kdc/principal.*	system_u:object_r:krb5kdc_principal_t:s0
-/var/log/krb5kdc\.log			system_u:object_r:krb5kdc_log_t:s0
-/var/log/kadmind\.log			system_u:object_r:kadmind_log_t:s0
-/usr(/local)?/bin/ksu		--	system_u:object_r:su_exec_t:s0
-
-# gentoo file locations
-/usr/sbin/krb5kdc			--	system_u:object_r:krb5kdc_exec_t:s0
-/usr/sbin/kadmind			--	system_u:object_r:kadmind_exec_t:s0
-/etc/krb5kdc(/.*)?				system_u:object_r:krb5kdc_conf_t:s0
-/etc/krb5kdc/principal.*		system_u:object_r:krb5kdc_principal_t:s0
-/etc/krb5kdc/kadm5.keytab 	--	system_u:object_r:krb5_keytab_t:s0
-/var/log/kadmin.log			--	system_u:object_r:kadmind_log_t:s0
-
diff --git a/mls/file_contexts/program/klogd.fc b/mls/file_contexts/program/klogd.fc
deleted file mode 100644
index 5fcdf29..0000000
--- a/mls/file_contexts/program/klogd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# klogd
-/sbin/klogd		--	system_u:object_r:klogd_exec_t:s0
-/usr/sbin/klogd		--	system_u:object_r:klogd_exec_t:s0
-/var/run/klogd\.pid	--	system_u:object_r:klogd_var_run_t:s0
diff --git a/mls/file_contexts/program/ktalkd.fc b/mls/file_contexts/program/ktalkd.fc
deleted file mode 100644
index 33973fd..0000000
--- a/mls/file_contexts/program/ktalkd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# kde talk daemon 
-/usr/bin/ktalkd	--	system_u:object_r:ktalkd_exec_t:s0
diff --git a/mls/file_contexts/program/kudzu.fc b/mls/file_contexts/program/kudzu.fc
deleted file mode 100644
index 3602a30..0000000
--- a/mls/file_contexts/program/kudzu.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# kudzu
-(/usr)?/sbin/kudzu	--	system_u:object_r:kudzu_exec_t:s0
-/sbin/kmodule	--	system_u:object_r:kudzu_exec_t:s0
-/var/run/Xconfig --	root:object_r:kudzu_var_run_t:s0
diff --git a/mls/file_contexts/program/lcd.fc b/mls/file_contexts/program/lcd.fc
deleted file mode 100644
index 4294d44..0000000
--- a/mls/file_contexts/program/lcd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# lcd
-/usr/sbin/lcd.*		--	system_u:object_r:lcd_exec_t
diff --git a/mls/file_contexts/program/ldconfig.fc b/mls/file_contexts/program/ldconfig.fc
deleted file mode 100644
index 1f82fcf..0000000
--- a/mls/file_contexts/program/ldconfig.fc
+++ /dev/null
@@ -1 +0,0 @@
-/sbin/ldconfig		--	system_u:object_r:ldconfig_exec_t:s0
diff --git a/mls/file_contexts/program/load_policy.fc b/mls/file_contexts/program/load_policy.fc
deleted file mode 100644
index a4c98ce..0000000
--- a/mls/file_contexts/program/load_policy.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# load_policy
-/usr/sbin/load_policy		--	system_u:object_r:load_policy_exec_t:s0
-/sbin/load_policy		--	system_u:object_r:load_policy_exec_t:s0
diff --git a/mls/file_contexts/program/loadkeys.fc b/mls/file_contexts/program/loadkeys.fc
deleted file mode 100644
index ebe1cfc..0000000
--- a/mls/file_contexts/program/loadkeys.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# loadkeys
-/bin/unikeys		--	system_u:object_r:loadkeys_exec_t:s0
-/bin/loadkeys		--	system_u:object_r:loadkeys_exec_t:s0
diff --git a/mls/file_contexts/program/lockdev.fc b/mls/file_contexts/program/lockdev.fc
deleted file mode 100644
index b917bf7..0000000
--- a/mls/file_contexts/program/lockdev.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# lockdev 
-/usr/sbin/lockdev	--	system_u:object_r:lockdev_exec_t:s0
diff --git a/mls/file_contexts/program/login.fc b/mls/file_contexts/program/login.fc
deleted file mode 100644
index ab8bf1a..0000000
--- a/mls/file_contexts/program/login.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# login
-/bin/login		--	system_u:object_r:login_exec_t:s0
-/usr/kerberos/sbin/login\.krb5	--	system_u:object_r:login_exec_t:s0
diff --git a/mls/file_contexts/program/logrotate.fc b/mls/file_contexts/program/logrotate.fc
deleted file mode 100644
index 85b6ee7..0000000
--- a/mls/file_contexts/program/logrotate.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# logrotate
-/usr/sbin/logrotate	--	system_u:object_r:logrotate_exec_t:s0
-/usr/sbin/logcheck	--	system_u:object_r:logrotate_exec_t:s0
-ifdef(`distro_debian', `
-/usr/bin/savelog	--	system_u:object_r:logrotate_exec_t:s0
-/var/lib/logrotate(/.*)?	system_u:object_r:logrotate_var_lib_t:s0
-', `
-/var/lib/logrotate\.status --	system_u:object_r:logrotate_var_lib_t:s0
-')
-/etc/cron\.(daily|weekly)/sysklogd -- system_u:object_r:logrotate_exec_t:s0
-/var/lib/logcheck(/.*)?		system_u:object_r:logrotate_var_lib_t:s0
-# using a hard-coded name under /var/tmp is a bug - new version fixes it
-/var/tmp/logcheck	-d	system_u:object_r:logrotate_tmp_t:s0
diff --git a/mls/file_contexts/program/lpd.fc b/mls/file_contexts/program/lpd.fc
deleted file mode 100644
index da61bf4..0000000
--- a/mls/file_contexts/program/lpd.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# lpd
-/dev/printer		-s	system_u:object_r:printer_t:s0
-/usr/sbin/lpd		--	system_u:object_r:lpd_exec_t:s0
-/usr/sbin/checkpc	--	system_u:object_r:checkpc_exec_t:s0
-/var/spool/lpd(/.*)?		system_u:object_r:print_spool_t:s0
-/usr/share/printconf/.* --	system_u:object_r:printconf_t:s0
-/usr/share/printconf/util/print\.py -- system_u:object_r:bin_t:s0
-/var/run/lprng(/.*)?		system_u:object_r:lpd_var_run_t:s0
diff --git a/mls/file_contexts/program/lpr.fc b/mls/file_contexts/program/lpr.fc
deleted file mode 100644
index a2725c7..0000000
--- a/mls/file_contexts/program/lpr.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# lp utilities.
-/usr/bin/lpr(\.cups)?	--	system_u:object_r:lpr_exec_t:s0
-/usr/bin/lpq(\.cups)?	--	system_u:object_r:lpr_exec_t:s0
-/usr/bin/lprm(\.cups)?	--	system_u:object_r:lpr_exec_t:s0
diff --git a/mls/file_contexts/program/lrrd.fc b/mls/file_contexts/program/lrrd.fc
deleted file mode 100644
index 08494fc..0000000
--- a/mls/file_contexts/program/lrrd.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# lrrd
-/usr/bin/lrrd-.*		--	system_u:object_r:lrrd_exec_t
-/usr/sbin/lrrd-.*		--	system_u:object_r:lrrd_exec_t
-/usr/share/lrrd/lrrd-.*		--	system_u:object_r:lrrd_exec_t
-/usr/share/lrrd/plugins/.*	--	system_u:object_r:lrrd_exec_t
-/var/run/lrrd(/.*)?			system_u:object_r:lrrd_var_run_t
-/var/log/lrrd.*			--	system_u:object_r:lrrd_log_t
-/var/lib/lrrd(/.*)?			system_u:object_r:lrrd_var_lib_t
-/var/www/lrrd(/.*)?			system_u:object_r:lrrd_var_lib_t
-/etc/lrrd(/.*)?				system_u:object_r:lrrd_etc_t
diff --git a/mls/file_contexts/program/lvm.fc b/mls/file_contexts/program/lvm.fc
deleted file mode 100644
index baa6ce1..0000000
--- a/mls/file_contexts/program/lvm.fc
+++ /dev/null
@@ -1,69 +0,0 @@
-# lvm
-/sbin/lvmiopversion	--	system_u:object_r:lvm_exec_t:s0
-/etc/lvm(/.*)?			system_u:object_r:lvm_etc_t:s0
-/etc/lvm/\.cache	--	system_u:object_r:lvm_metadata_t:s0
-/etc/lvm/archive(/.*)?		system_u:object_r:lvm_metadata_t:s0
-/etc/lvm/backup(/.*)?		system_u:object_r:lvm_metadata_t:s0
-/etc/lvmtab(/.*)?		system_u:object_r:lvm_metadata_t:s0
-/etc/lvmtab\.d(/.*)?		system_u:object_r:lvm_metadata_t:s0
-# LVM creates lock files in /var before /var is mounted
-# configure LVM to put lockfiles in /etc/lvm/lock instead
-# for this policy to work (unless you have no separate /var)
-/etc/lvm/lock(/.*)?		system_u:object_r:lvm_lock_t:s0
-/var/lock/lvm(/.*)?		system_u:object_r:lvm_lock_t:s0
-/dev/lvm		-c	system_u:object_r:fixed_disk_device_t:s0
-/dev/mapper/control	-c	system_u:object_r:lvm_control_t:s0
-/lib/lvm-10/.*		--	system_u:object_r:lvm_exec_t:s0
-/lib/lvm-200/.*		--	system_u:object_r:lvm_exec_t:s0
-/sbin/e2fsadm		--	system_u:object_r:lvm_exec_t:s0
-/sbin/lvchange		--	system_u:object_r:lvm_exec_t:s0
-/sbin/lvcreate		--	system_u:object_r:lvm_exec_t:s0
-/sbin/lvdisplay		--	system_u:object_r:lvm_exec_t:s0
-/sbin/lvextend		--	system_u:object_r:lvm_exec_t:s0
-/sbin/lvmchange		--	system_u:object_r:lvm_exec_t:s0
-/sbin/lvmdiskscan	--	system_u:object_r:lvm_exec_t:s0
-/sbin/lvmsadc		--	system_u:object_r:lvm_exec_t:s0
-/sbin/lvmsar		--	system_u:object_r:lvm_exec_t:s0
-/sbin/lvreduce		--	system_u:object_r:lvm_exec_t:s0
-/sbin/lvremove		--	system_u:object_r:lvm_exec_t:s0
-/sbin/lvrename		--	system_u:object_r:lvm_exec_t:s0
-/sbin/lvscan		--	system_u:object_r:lvm_exec_t:s0
-/sbin/pvchange		--	system_u:object_r:lvm_exec_t:s0
-/sbin/pvcreate		--	system_u:object_r:lvm_exec_t:s0
-/sbin/pvdata		--	system_u:object_r:lvm_exec_t:s0
-/sbin/pvdisplay		--	system_u:object_r:lvm_exec_t:s0
-/sbin/pvmove		--	system_u:object_r:lvm_exec_t:s0
-/sbin/pvscan		--	system_u:object_r:lvm_exec_t:s0
-/sbin/vgcfgbackup	--	system_u:object_r:lvm_exec_t:s0
-/sbin/vgcfgrestore	--	system_u:object_r:lvm_exec_t:s0
-/sbin/vgchange		--	system_u:object_r:lvm_exec_t:s0
-/sbin/vgchange\.static	--	system_u:object_r:lvm_exec_t:s0
-/sbin/vgck		--	system_u:object_r:lvm_exec_t:s0
-/sbin/vgcreate		--	system_u:object_r:lvm_exec_t:s0
-/sbin/vgdisplay		--	system_u:object_r:lvm_exec_t:s0
-/sbin/vgexport		--	system_u:object_r:lvm_exec_t:s0
-/sbin/vgextend		--	system_u:object_r:lvm_exec_t:s0
-/sbin/vgimport		--	system_u:object_r:lvm_exec_t:s0
-/sbin/vgmerge		--	system_u:object_r:lvm_exec_t:s0
-/sbin/vgmknodes		--	system_u:object_r:lvm_exec_t:s0
-/sbin/vgreduce		--	system_u:object_r:lvm_exec_t:s0
-/sbin/vgremove		--	system_u:object_r:lvm_exec_t:s0
-/sbin/vgrename		--	system_u:object_r:lvm_exec_t:s0
-/sbin/vgscan		--	system_u:object_r:lvm_exec_t:s0
-/sbin/vgscan\.static	--	system_u:object_r:lvm_exec_t:s0
-/sbin/vgsplit		--	system_u:object_r:lvm_exec_t:s0
-/sbin/vgwrapper		--	system_u:object_r:lvm_exec_t:s0
-/sbin/cryptsetup	--	system_u:object_r:lvm_exec_t:s0
-/sbin/dmsetup      --      system_u:object_r:lvm_exec_t:s0
-/sbin/dmsetup\.static --    system_u:object_r:lvm_exec_t:s0
-/sbin/lvm          --      system_u:object_r:lvm_exec_t:s0
-/sbin/lvm\.static   --      system_u:object_r:lvm_exec_t:s0
-/usr/sbin/lvm		--	system_u:object_r:lvm_exec_t:s0
-/sbin/lvresize     --      system_u:object_r:lvm_exec_t:s0
-/sbin/lvs          --      system_u:object_r:lvm_exec_t:s0
-/sbin/pvremove     --      system_u:object_r:lvm_exec_t:s0
-/sbin/pvs          --      system_u:object_r:lvm_exec_t:s0
-/sbin/vgs          --      system_u:object_r:lvm_exec_t:s0
-/sbin/multipathd   --      system_u:object_r:lvm_exec_t:s0
-/var/cache/multipathd(/.*)? system_u:object_r:lvm_metadata_t:s0
-/usr/sbin/clvmd   --      system_u:object_r:clvmd_exec_t:s0
diff --git a/mls/file_contexts/program/mailman.fc b/mls/file_contexts/program/mailman.fc
deleted file mode 100644
index d8d5b4b..0000000
--- a/mls/file_contexts/program/mailman.fc
+++ /dev/null
@@ -1,24 +0,0 @@
-# mailman list server
-/var/lib/mailman(/.*)?		   system_u:object_r:mailman_data_t:s0
-/var/log/mailman(/.*)?		   system_u:object_r:mailman_log_t:s0
-/usr/lib/mailman/cron/.*	-- system_u:object_r:mailman_queue_exec_t:s0
-/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t:s0
-/var/run/mailman(/.*)?		   system_u:object_r:mailman_lock_t:s0
-/var/lib/mailman/archives(/.*)?	system_u:object_r:mailman_archive_t:s0
-
-ifdef(`distro_debian', `
-/usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t:s0
-/usr/lib/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t:s0
-/usr/mailman/mail/wrapper 	-- system_u:object_r:mailman_mail_exec_t:s0
-/etc/cron\.daily/mailman 	-- system_u:object_r:mailman_queue_exec_t:s0
-/etc/cron\.monthly/mailman 	-- system_u:object_r:mailman_queue_exec_t:s0
-')
-
-ifdef(`distro_redhat', `
-/usr/lib/mailman/cgi-bin/.*	 -- system_u:object_r:mailman_cgi_exec_t:s0
-/var/lock/mailman(/.*)?		    system_u:object_r:mailman_lock_t:s0
-/usr/lib/mailman/scripts/mailman -- system_u:object_r:mailman_mail_exec_t:s0
-/usr/lib/mailman/bin/qrunner  	 -- system_u:object_r:mailman_queue_exec_t:s0
-/etc/mailman(/.*)?		   system_u:object_r:mailman_data_t:s0
-/var/spool/mailman(/.*)?	   system_u:object_r:mailman_data_t:s0
-')
diff --git a/mls/file_contexts/program/mdadm.fc b/mls/file_contexts/program/mdadm.fc
deleted file mode 100644
index 61ebacd..0000000
--- a/mls/file_contexts/program/mdadm.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# mdadm - manage MD devices aka Linux Software Raid.
-/sbin/mdmpd		--	system_u:object_r:mdadm_exec_t:s0
-/sbin/mdadm		--	system_u:object_r:mdadm_exec_t:s0
-/var/run/mdadm(/.*)?            system_u:object_r:mdadm_var_run_t:s0 
diff --git a/mls/file_contexts/program/modutil.fc b/mls/file_contexts/program/modutil.fc
deleted file mode 100644
index 0c88179..0000000
--- a/mls/file_contexts/program/modutil.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-# module utilities
-/etc/modules\.conf.*	--	system_u:object_r:modules_conf_t:s0
-/etc/modprobe\.conf.*	--	system_u:object_r:modules_conf_t:s0
-/lib(64)?/modules/modprobe\.conf --	system_u:object_r:modules_conf_t:s0
-/lib(64)?/modules(/.*)?		system_u:object_r:modules_object_t:s0
-/lib(64)?/modules/[^/]+/modules\..+ -- system_u:object_r:modules_dep_t:s0
-/lib(64)?/modules/modprobe\.conf.* -- system_u:object_r:modules_conf_t:s0
-/sbin/depmod.*		--	system_u:object_r:depmod_exec_t:s0
-/sbin/modprobe.*	--	system_u:object_r:insmod_exec_t:s0
-/sbin/insmod.*		--	system_u:object_r:insmod_exec_t:s0
-/sbin/insmod_ksymoops_clean --	system_u:object_r:sbin_t:s0
-/sbin/rmmod.*		--	system_u:object_r:insmod_exec_t:s0
-/sbin/update-modules	--	system_u:object_r:update_modules_exec_t:s0
-/sbin/generate-modprobe\.conf -- system_u:object_r:update_modules_exec_t:s0
diff --git a/mls/file_contexts/program/monopd.fc b/mls/file_contexts/program/monopd.fc
deleted file mode 100644
index 457493e..0000000
--- a/mls/file_contexts/program/monopd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# monopd
-/etc/monopd\.conf	--	system_u:object_r:monopd_etc_t
-/usr/sbin/monopd	--	system_u:object_r:monopd_exec_t
-/usr/share/monopd/games(/.*)?	system_u:object_r:monopd_share_t
diff --git a/mls/file_contexts/program/mount.fc b/mls/file_contexts/program/mount.fc
deleted file mode 100644
index 93b7874..0000000
--- a/mls/file_contexts/program/mount.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# mount
-/bin/mount.*			--	system_u:object_r:mount_exec_t:s0
-/bin/umount.*			--	system_u:object_r:mount_exec_t:s0
diff --git a/mls/file_contexts/program/mozilla.fc b/mls/file_contexts/program/mozilla.fc
deleted file mode 100644
index 2b533a6..0000000
--- a/mls/file_contexts/program/mozilla.fc
+++ /dev/null
@@ -1,21 +0,0 @@
-#  netscape/mozilla
-HOME_DIR/\.galeon(/.*)?	system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.netscape(/.*)?	system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.mozilla(/.*)?	system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.phoenix(/.*)?	system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.java(/.*)?		system_u:object_r:ROLE_mozilla_home_t
-/usr/bin/netscape	--	system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla	--	system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla-snapshot --	system_u:object_r:mozilla_exec_t
-/usr/bin/epiphany-bin   --	system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla-[0-9].* --	system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla-bin-[0-9].* --	system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/galeon/galeon -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/netscape/base-4/wrapper -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/mozilla[^/]*/reg.+	--	system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/mozilla[^/]*/mozilla-.* --	system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/firefox[^/]*/mozilla-.* --	system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin --	system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/[^/]*firefox[^/]*/firefox --	system_u:object_r:bin_t
-/etc/mozpluggerrc system_u:object_r:mozilla_conf_t
diff --git a/mls/file_contexts/program/mplayer.fc b/mls/file_contexts/program/mplayer.fc
deleted file mode 100644
index 10465aa..0000000
--- a/mls/file_contexts/program/mplayer.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# mplayer
-/usr/bin/mplayer	--	   	system_u:object_r:mplayer_exec_t
-/usr/bin/mencoder	--	   	system_u:object_r:mencoder_exec_t
-
-/etc/mplayer(/.*)?		system_u:object_r:mplayer_etc_t
-HOME_DIR/\.mplayer(/.*)?        system_u:object_r:ROLE_mplayer_home_t
diff --git a/mls/file_contexts/program/mrtg.fc b/mls/file_contexts/program/mrtg.fc
deleted file mode 100644
index ed68c4e..0000000
--- a/mls/file_contexts/program/mrtg.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# mrtg - traffic grapher
-/usr/bin/mrtg		--	system_u:object_r:mrtg_exec_t:s0
-/var/lib/mrtg(/.*)?		system_u:object_r:mrtg_var_lib_t:s0
-/var/lock/mrtg(/.*)?		system_u:object_r:mrtg_lock_t:s0
-/etc/mrtg.*			system_u:object_r:mrtg_etc_t:s0
-/etc/mrtg/mrtg\.ok	--	system_u:object_r:mrtg_lock_t:s0
-/var/log/mrtg(/.*)?		system_u:object_r:mrtg_log_t:s0
diff --git a/mls/file_contexts/program/mta.fc b/mls/file_contexts/program/mta.fc
deleted file mode 100644
index 68b30e8..0000000
--- a/mls/file_contexts/program/mta.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# types for general mail servers
-/usr/sbin/sendmail(.sendmail)?	-- system_u:object_r:sendmail_exec_t:s0
-/usr/lib(64)?/sendmail		-- system_u:object_r:sendmail_exec_t:s0
-/etc/aliases		--	system_u:object_r:etc_aliases_t:s0
-/etc/aliases\.db	--	system_u:object_r:etc_aliases_t:s0
-/var/spool/mail(/.*)?		system_u:object_r:mail_spool_t:s0
-/var/mail(/.*)?			system_u:object_r:mail_spool_t:s0
-ifdef(`postfix.te', `', `
-/usr/sbin/sendmail.postfix --	system_u:object_r:sendmail_exec_t:s0
-/var/spool/postfix(/.*)?		system_u:object_r:mail_spool_t:s0
-')
-
diff --git a/mls/file_contexts/program/mysqld.fc b/mls/file_contexts/program/mysqld.fc
deleted file mode 100644
index 22933da..0000000
--- a/mls/file_contexts/program/mysqld.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# mysql database server
-/usr/sbin/mysqld(-max)?	--	system_u:object_r:mysqld_exec_t:s0
-/usr/libexec/mysqld	--	system_u:object_r:mysqld_exec_t:s0
-/var/run/mysqld(/.*)?		system_u:object_r:mysqld_var_run_t:s0
-/var/log/mysql.*	--	system_u:object_r:mysqld_log_t:s0
-/var/lib/mysql(/.*)?		system_u:object_r:mysqld_db_t:s0
-/var/lib/mysql/mysql\.sock -s	system_u:object_r:mysqld_var_run_t:s0
-/etc/my\.cnf		--	system_u:object_r:mysqld_etc_t:s0
-/etc/mysql(/.*)?		system_u:object_r:mysqld_etc_t:s0
-ifdef(`distro_debian', `
-/etc/mysql/debian-start	--	system_u:object_r:bin_t:s0
-')
diff --git a/mls/file_contexts/program/nagios.fc b/mls/file_contexts/program/nagios.fc
deleted file mode 100644
index 6a8a22d..0000000
--- a/mls/file_contexts/program/nagios.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-# nagios - network monitoring server
-/var/log/netsaint(/.*)?			system_u:object_r:nagios_log_t
-/usr/lib(64)?/netsaint/plugins(/.*)?		system_u:object_r:bin_t
-/usr/lib(64)?/cgi-bin/netsaint/.+	--	system_u:object_r:nagios_cgi_exec_t
-# nagios
-ifdef(`distro_debian', `
-/usr/sbin/nagios		--	system_u:object_r:nagios_exec_t
-/usr/lib/cgi-bin/nagios/.+	--	system_u:object_r:nagios_cgi_exec_t
-', `
-/usr/bin/nagios			--	system_u:object_r:nagios_exec_t
-/usr/lib(64)?/nagios/cgi/.+	--	system_u:object_r:nagios_cgi_exec_t
-')
-/etc/nagios(/.*)?			system_u:object_r:nagios_etc_t
-/var/log/nagios(/.*)?			system_u:object_r:nagios_log_t
-/usr/lib(64)?/nagios/plugins(/.*)?	system_u:object_r:bin_t
diff --git a/mls/file_contexts/program/named.fc b/mls/file_contexts/program/named.fc
deleted file mode 100644
index b94d641..0000000
--- a/mls/file_contexts/program/named.fc
+++ /dev/null
@@ -1,49 +0,0 @@
-# named
-ifdef(`distro_redhat', `
-/var/named(/.*)?		system_u:object_r:named_zone_t:s0
-/var/named/slaves(/.*)?		system_u:object_r:named_cache_t:s0
-/var/named/data(/.*)?		system_u:object_r:named_cache_t:s0
-/etc/named\.conf	--	system_u:object_r:named_conf_t:s0
-') dnl end distro_redhat
-
-ifdef(`distro_debian', `
-/etc/bind(/.*)?			system_u:object_r:named_zone_t:s0
-/etc/bind/named\.conf	--	system_u:object_r:named_conf_t:s0
-/etc/bind/rndc\.key	--	system_u:object_r:dnssec_t:s0
-/var/cache/bind(/.*)?		system_u:object_r:named_cache_t:s0
-') dnl distro_debian
-
-/etc/rndc.*		--	system_u:object_r:named_conf_t:s0
-/etc/rndc\.key		-- 	system_u:object_r:dnssec_t:s0
-/usr/sbin/named      	--	system_u:object_r:named_exec_t:s0
-/usr/sbin/named-checkconf --	system_u:object_r:named_checkconf_exec_t:s0
-/usr/sbin/r?ndc		--	system_u:object_r:ndc_exec_t:s0
-/var/run/ndc		-s	system_u:object_r:named_var_run_t:s0
-/var/run/bind(/.*)?		system_u:object_r:named_var_run_t:s0
-/var/run/named(/.*)?		system_u:object_r:named_var_run_t:s0
-/usr/sbin/lwresd	--	system_u:object_r:named_exec_t:s0
-/var/log/named.* 	--  system_u:object_r:named_log_t:s0
-
-ifdef(`distro_redhat', `
-/var/named/named\.ca	--	system_u:object_r:named_conf_t:s0
-/var/named/chroot(/.*)?		system_u:object_r:named_conf_t:s0
-/var/named/chroot/dev/null   -c	system_u:object_r:null_device_t:s0
-/var/named/chroot/dev/random -c	system_u:object_r:random_device_t:s0
-/var/named/chroot/dev/zero -c	system_u:object_r:zero_device_t:s0
-/var/named/chroot/etc(/.*)? 	system_u:object_r:named_conf_t:s0
-/var/named/chroot/etc/rndc.key  -- system_u:object_r:dnssec_t:s0
-/var/named/chroot/var/run/named.* system_u:object_r:named_var_run_t:s0
-/var/named/chroot/var/tmp(/.*)? system_u:object_r:named_cache_t:s0
-/var/named/chroot/var/named(/.*)?	system_u:object_r:named_zone_t:s0
-/var/named/chroot/var/named/slaves(/.*)? system_u:object_r:named_cache_t:s0
-/var/named/chroot/var/named/data(/.*)? system_u:object_r:named_cache_t:s0
-/var/named/chroot/var/named/named\.ca	--	system_u:object_r:named_conf_t:s0
-') dnl distro_redhat
-
-ifdef(`distro_gentoo', `
-/etc/bind(/.*)?         system_u:object_r:named_zone_t:s0
-/etc/bind/named\.conf   --  system_u:object_r:named_conf_t:s0
-/etc/bind/rndc\.key    --  system_u:object_r:dnssec_t:s0
-/var/bind(/.*)?             system_u:object_r:named_cache_t:s0
-/var/bind/pri(/.*)?         system_u:object_r:named_zone_t:s0
-') dnl distro_gentoo
diff --git a/mls/file_contexts/program/nessusd.fc b/mls/file_contexts/program/nessusd.fc
deleted file mode 100644
index adec00b..0000000
--- a/mls/file_contexts/program/nessusd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# nessusd - network scanning server
-/usr/sbin/nessusd	--	system_u:object_r:nessusd_exec_t
-/usr/lib(64)?/nessus/plugins/.* --	system_u:object_r:nessusd_exec_t
-/var/lib/nessus(/.*)?	 	system_u:object_r:nessusd_db_t
-/var/log/nessus(/.*)?		system_u:object_r:nessusd_log_t
-/etc/nessus/nessusd\.conf --	system_u:object_r:nessusd_etc_t
diff --git a/mls/file_contexts/program/netutils.fc b/mls/file_contexts/program/netutils.fc
deleted file mode 100644
index a6ae5d5..0000000
--- a/mls/file_contexts/program/netutils.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# network utilities
-/sbin/arping		--	system_u:object_r:netutils_exec_t:s0
-/usr/sbin/tcpdump	--	system_u:object_r:netutils_exec_t:s0
-/etc/network/ifstate	--	system_u:object_r:etc_runtime_t:s0
diff --git a/mls/file_contexts/program/newrole.fc b/mls/file_contexts/program/newrole.fc
deleted file mode 100644
index 6b03678..0000000
--- a/mls/file_contexts/program/newrole.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# newrole
-/usr/bin/newrole	--		system_u:object_r:newrole_exec_t:s0
diff --git a/mls/file_contexts/program/nrpe.fc b/mls/file_contexts/program/nrpe.fc
deleted file mode 100644
index 6523cc3..0000000
--- a/mls/file_contexts/program/nrpe.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# nrpe
-/usr/bin/nrpe		--	system_u:object_r:nrpe_exec_t
-/etc/nagios/nrpe\.cfg	--	system_u:object_r:nrpe_etc_t
-ifdef(`nagios.te', `', `
-/usr/lib(64)?/netsaint/plugins(/.*)?	system_u:object_r:bin_t
-/usr/lib(64)?/nagios/plugins(/.*)?	system_u:object_r:bin_t
-')
diff --git a/mls/file_contexts/program/nscd.fc b/mls/file_contexts/program/nscd.fc
deleted file mode 100644
index aa8af5b..0000000
--- a/mls/file_contexts/program/nscd.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# nscd
-/usr/sbin/nscd		--	system_u:object_r:nscd_exec_t:s0
-/var/run/\.nscd_socket	-s	system_u:object_r:nscd_var_run_t:s0
-/var/run/nscd\.pid	--	system_u:object_r:nscd_var_run_t:s0
-/var/db/nscd(/.*)?		system_u:object_r:nscd_var_run_t:s0
-/var/run/nscd(/.*)?		system_u:object_r:nscd_var_run_t:s0
-/var/log/nscd\.log.*	--	system_u:object_r:nscd_log_t:s0
diff --git a/mls/file_contexts/program/nsd.fc b/mls/file_contexts/program/nsd.fc
deleted file mode 100644
index 43b49fe..0000000
--- a/mls/file_contexts/program/nsd.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# nsd
-/etc/nsd(/.*)?       		system_u:object_r:nsd_conf_t
-/etc/nsd/primary(/.*)?		system_u:object_r:nsd_zone_t
-/etc/nsd/secondary(/.*)?	system_u:object_r:nsd_zone_t
-/etc/nsd/nsd\.db		--	system_u:object_r:nsd_db_t
-/var/lib/nsd(/.*)?		system_u:object_r:nsd_zone_t
-/var/lib/nsd/nsd\.db	--	system_u:object_r:nsd_db_t
-/usr/sbin/nsd      	--	system_u:object_r:nsd_exec_t
-/usr/sbin/nsdc      	--	system_u:object_r:nsd_exec_t
-/usr/sbin/nsd-notify	--	system_u:object_r:nsd_exec_t
-/usr/sbin/zonec		--	system_u:object_r:nsd_exec_t
-/var/run/nsd\.pid	--	system_u:object_r:nsd_var_run_t
diff --git a/mls/file_contexts/program/ntpd.fc b/mls/file_contexts/program/ntpd.fc
deleted file mode 100644
index b9040bb..0000000
--- a/mls/file_contexts/program/ntpd.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-/var/lib/ntp(/.*)?			system_u:object_r:ntp_drift_t:s0
-/etc/ntp/data(/.*)?			system_u:object_r:ntp_drift_t:s0
-/etc/ntp(d)?\.conf.*	--	system_u:object_r:net_conf_t:s0
-/etc/ntp/step-tickers.*		--	system_u:object_r:net_conf_t:s0
-/usr/sbin/ntpd			--	system_u:object_r:ntpd_exec_t:s0
-/usr/sbin/ntpdate		--	system_u:object_r:ntpdate_exec_t:s0
-/var/log/ntpstats(/.*)?			system_u:object_r:ntpd_log_t:s0
-/var/log/ntp.*			--	system_u:object_r:ntpd_log_t:s0
-/var/log/xntpd.*		--	system_u:object_r:ntpd_log_t:s0
-/var/run/ntpd\.pid		--	system_u:object_r:ntpd_var_run_t:s0
-/etc/cron\.(daily|weekly)/ntp-simple -- system_u:object_r:ntpd_exec_t:s0
-/etc/cron\.(daily|weekly)/ntp-server -- system_u:object_r:ntpd_exec_t:s0
diff --git a/mls/file_contexts/program/nx_server.fc b/mls/file_contexts/program/nx_server.fc
deleted file mode 100644
index d993646..0000000
--- a/mls/file_contexts/program/nx_server.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# nx
-/opt/NX/bin/nxserver		--	system_u:object_r:nx_server_exec_t
-/opt/NX/var(/.*)?			system_u:object_r:nx_server_var_run_t
-/opt/NX/home/nx/\.ssh(/.*)?		system_u:object_r:nx_server_home_ssh_t
-
diff --git a/mls/file_contexts/program/oav-update.fc b/mls/file_contexts/program/oav-update.fc
deleted file mode 100644
index 5e88a02..0000000
--- a/mls/file_contexts/program/oav-update.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-/var/lib/oav-virussignatures -- system_u:object_r:oav_update_var_lib_t
-/var/lib/oav-update(/.*)?	system_u:object_r:oav_update_var_lib_t
-/usr/sbin/oav-update	--	system_u:object_r:oav_update_exec_t
-/etc/oav-update(/.*)?		system_u:object_r:oav_update_etc_t
diff --git a/mls/file_contexts/program/openca-ca.fc b/mls/file_contexts/program/openca-ca.fc
deleted file mode 100644
index 99ddefe..0000000
--- a/mls/file_contexts/program/openca-ca.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-/etc/openca(/.*)?		system_u:object_r:openca_etc_t
-/etc/openca/rbac(/.*)?		system_u:object_r:openca_etc_writeable_t
-/etc/openca/*.\.in(/.*)?	system_u:object_r:openca_etc_in_t
-/var/lib/openca(/.*)?		system_u:object_r:openca_var_lib_t
-/var/lib/openca/crypto/keys(/.*)?	system_u:object_r:openca_var_lib_keys_t
-/usr/share/openca(/.*)?		system_u:object_r:openca_usr_share_t
-/usr/share/openca/htdocs(/.*)?	system_u:object_r:httpd_sys_content_t
-/usr/share/openca/cgi-bin/ca/.+ --	system_u:object_r:openca_ca_exec_t
diff --git a/mls/file_contexts/program/openca-common.fc b/mls/file_contexts/program/openca-common.fc
deleted file mode 100644
index b75952f..0000000
--- a/mls/file_contexts/program/openca-common.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-/etc/openca(/.*)?			system_u:object_r:openca_etc_t
-/etc/openca/rbac(/.*)?			system_u:object_r:openca_etc_writeable_t
-/etc/openca/*.\.in(/.*)?		system_u:object_r:openca_etc_in_t
-/var/lib/openca(/.*)?			system_u:object_r:openca_var_lib_t
-/var/lib/openca/crypto/keys(/.*)?	system_u:object_r:openca_var_lib_keys_t
-/usr/share/openca(/.*)?			system_u:object_r:openca_usr_share_t
-/usr/share/openca/htdocs(/.*)?		system_u:object_r:httpd_sys_content_t
diff --git a/mls/file_contexts/program/openct.fc b/mls/file_contexts/program/openct.fc
deleted file mode 100644
index 5f1db4b..0000000
--- a/mls/file_contexts/program/openct.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/sbin/openct-control	-- 	system_u:object_r:openct_exec_t:s0
-/var/run/openct(/.*)?			system_u:object_r:openct_var_run_t:s0
diff --git a/mls/file_contexts/program/openvpn.fc b/mls/file_contexts/program/openvpn.fc
deleted file mode 100644
index 34b2992..0000000
--- a/mls/file_contexts/program/openvpn.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# OpenVPN
-
-/etc/openvpn/.*	--	system_u:object_r:openvpn_etc_t
-/usr/sbin/openvpn	--	system_u:object_r:openvpn_exec_t
diff --git a/mls/file_contexts/program/orbit.fc b/mls/file_contexts/program/orbit.fc
deleted file mode 100644
index 9ff0bc8..0000000
--- a/mls/file_contexts/program/orbit.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/tmp/orbit-USER(-.*)?		-d      system_u:object_r:ROLE_orbit_tmp_t:s0
-/tmp/orbit-USER(-.*)?/linc.*	-s	<<none>>
-/tmp/orbit-USER(-.*)?/bonobo.*  --	system_u:object_r:ROLE_orbit_tmp_t:s0
diff --git a/mls/file_contexts/program/pam.fc b/mls/file_contexts/program/pam.fc
deleted file mode 100644
index ad51a01..0000000
--- a/mls/file_contexts/program/pam.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/var/run/sudo(/.*)?			system_u:object_r:pam_var_run_t:s0
-/sbin/pam_timestamp_check	 --	system_u:object_r:pam_exec_t:s0
-/lib(64)?/security/pam_krb5/pam_krb5_storetmp -- system_u:object_r:pam_exec_t:s0
diff --git a/mls/file_contexts/program/pamconsole.fc b/mls/file_contexts/program/pamconsole.fc
deleted file mode 100644
index 633977d..0000000
--- a/mls/file_contexts/program/pamconsole.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# pam_console_apply
-/sbin/pam_console_apply	 --	system_u:object_r:pam_console_exec_t:s0
-/var/run/console(/.*)?	 	system_u:object_r:pam_var_console_t:s0
diff --git a/mls/file_contexts/program/passwd.fc b/mls/file_contexts/program/passwd.fc
deleted file mode 100644
index 823f931..0000000
--- a/mls/file_contexts/program/passwd.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# spasswd
-/usr/bin/passwd		--	system_u:object_r:passwd_exec_t:s0
-/usr/bin/chage		--	system_u:object_r:passwd_exec_t:s0
-/usr/bin/chsh		--	system_u:object_r:chfn_exec_t:s0
-/usr/bin/chfn		--	system_u:object_r:chfn_exec_t:s0
-/usr/sbin/vipw		--	system_u:object_r:admin_passwd_exec_t:s0
-/usr/sbin/vigr		--	system_u:object_r:admin_passwd_exec_t:s0
-/usr/bin/vipw		--	system_u:object_r:admin_passwd_exec_t:s0
-/usr/bin/vigr		--	system_u:object_r:admin_passwd_exec_t:s0
-/usr/sbin/pwconv	--	system_u:object_r:admin_passwd_exec_t:s0
-/usr/sbin/pwunconv	--	system_u:object_r:admin_passwd_exec_t:s0
-/usr/sbin/grpconv	--	system_u:object_r:admin_passwd_exec_t:s0
-/usr/sbin/grpunconv	--	system_u:object_r:admin_passwd_exec_t:s0
diff --git a/mls/file_contexts/program/pegasus.fc b/mls/file_contexts/program/pegasus.fc
deleted file mode 100644
index f4b9f15..0000000
--- a/mls/file_contexts/program/pegasus.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-# File Contexts for The Open Group Pegasus (tog-pegasus) cimserver
-/usr/sbin/cimserver		--	system_u:object_r:pegasus_exec_t:s0
-/usr/sbin/init_repository	-- 	system_u:object_r:pegasus_exec_t:s0
-/etc/Pegasus(/.*)?			system_u:object_r:pegasus_conf_t:s0
-/var/lib/Pegasus(/.*)?	                system_u:object_r:pegasus_data_t:s0
-/var/run/tog-pegasus(/.*)?              system_u:object_r:pegasus_var_run_t:s0
-/usr/share/Pegasus/mof(/.*)?/.*\.mof    system_u:object_r:pegasus_mof_t:s0
-/etc/Pegasus/pegasus_current.conf	system_u:object_r:pegasus_data_t:s0
-
diff --git a/mls/file_contexts/program/perdition.fc b/mls/file_contexts/program/perdition.fc
deleted file mode 100644
index a2d2adb..0000000
--- a/mls/file_contexts/program/perdition.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# perdition POP and IMAP proxy
-/usr/sbin/perdition	--	system_u:object_r:perdition_exec_t
-/etc/perdition(/.*)?		system_u:object_r:perdition_etc_t
diff --git a/mls/file_contexts/program/ping.fc b/mls/file_contexts/program/ping.fc
deleted file mode 100644
index a4ed8cb..0000000
--- a/mls/file_contexts/program/ping.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# ping
-/bin/ping.* 		--	system_u:object_r:ping_exec_t:s0
-/usr/sbin/hping2	--	system_u:object_r:ping_exec_t:s0
diff --git a/mls/file_contexts/program/portmap.fc b/mls/file_contexts/program/portmap.fc
deleted file mode 100644
index 60da994..0000000
--- a/mls/file_contexts/program/portmap.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# portmap
-/sbin/portmap		--	system_u:object_r:portmap_exec_t:s0
-ifdef(`distro_debian', `
-/sbin/pmap_dump		--	system_u:object_r:portmap_helper_exec_t:s0
-/sbin/pmap_set		--	system_u:object_r:portmap_helper_exec_t:s0
-', `
-/usr/sbin/pmap_dump	--	system_u:object_r:portmap_helper_exec_t:s0
-/usr/sbin/pmap_set	--	system_u:object_r:portmap_helper_exec_t:s0
-')
-/var/run/portmap.upgrade-state -- system_u:object_r:portmap_var_run_t:s0
diff --git a/mls/file_contexts/program/portslave.fc b/mls/file_contexts/program/portslave.fc
deleted file mode 100644
index 873334d..0000000
--- a/mls/file_contexts/program/portslave.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# portslave
-/usr/sbin/portslave	--	system_u:object_r:portslave_exec_t
-/usr/sbin/ctlportslave	--	system_u:object_r:portslave_exec_t
-/etc/portslave(/.*)?		system_u:object_r:portslave_etc_t
-/var/run/radius\.(id|seq) -- system_u:object_r:pppd_var_run_t
diff --git a/mls/file_contexts/program/postfix.fc b/mls/file_contexts/program/postfix.fc
deleted file mode 100644
index 300da75..0000000
--- a/mls/file_contexts/program/postfix.fc
+++ /dev/null
@@ -1,59 +0,0 @@
-# postfix
-/etc/postfix(/.*)?		system_u:object_r:postfix_etc_t:s0
-ifdef(`distro_redhat', `
-/etc/postfix/aliases.*		system_u:object_r:etc_aliases_t:s0
-/usr/libexec/postfix/.*	--	system_u:object_r:postfix_exec_t:s0
-/usr/libexec/postfix/cleanup --	system_u:object_r:postfix_cleanup_exec_t:s0
-/usr/libexec/postfix/local	--	system_u:object_r:postfix_local_exec_t:s0
-/usr/libexec/postfix/master	--	system_u:object_r:postfix_master_exec_t:s0
-/usr/libexec/postfix/pickup	--	system_u:object_r:postfix_pickup_exec_t:s0
-/usr/libexec/postfix/(n)?qmgr --	system_u:object_r:postfix_qmgr_exec_t:s0
-/usr/libexec/postfix/showq	--	system_u:object_r:postfix_showq_exec_t:s0
-/usr/libexec/postfix/smtp	--	system_u:object_r:postfix_smtp_exec_t:s0
-/usr/libexec/postfix/scache	--	system_u:object_r:postfix_smtp_exec_t:s0
-/usr/libexec/postfix/smtpd	--	system_u:object_r:postfix_smtpd_exec_t:s0
-/usr/libexec/postfix/bounce	--	system_u:object_r:postfix_bounce_exec_t:s0
-/usr/libexec/postfix/pipe	--	system_u:object_r:postfix_pipe_exec_t:s0
-', `
-/usr/lib/postfix/.*	--	system_u:object_r:postfix_exec_t:s0
-/usr/lib/postfix/cleanup --	system_u:object_r:postfix_cleanup_exec_t:s0
-/usr/lib/postfix/local	--	system_u:object_r:postfix_local_exec_t:s0
-/usr/lib/postfix/master	--	system_u:object_r:postfix_master_exec_t:s0
-/usr/lib/postfix/pickup	--	system_u:object_r:postfix_pickup_exec_t:s0
-/usr/lib/postfix/(n)?qmgr --	system_u:object_r:postfix_qmgr_exec_t:s0
-/usr/lib/postfix/showq	--	system_u:object_r:postfix_showq_exec_t:s0
-/usr/lib/postfix/smtp	--	system_u:object_r:postfix_smtp_exec_t:s0
-/usr/lib/postfix/scache	--	system_u:object_r:postfix_smtp_exec_t:s0
-/usr/lib/postfix/smtpd	--	system_u:object_r:postfix_smtpd_exec_t:s0
-/usr/lib/postfix/bounce	--	system_u:object_r:postfix_bounce_exec_t:s0
-/usr/lib/postfix/pipe	--	system_u:object_r:postfix_pipe_exec_t:s0
-')
-/etc/postfix/postfix-script.* -- system_u:object_r:postfix_exec_t:s0
-/etc/postfix/prng_exch	--	system_u:object_r:postfix_prng_t:s0
-/usr/sbin/postalias	--	system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postcat	--	system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postdrop	--	system_u:object_r:postfix_postdrop_exec_t:s0
-/usr/sbin/postfix	--	system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postkick	--	system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postlock	--	system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postlog	--	system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postmap	--	system_u:object_r:postfix_map_exec_t:s0
-/usr/sbin/postqueue	--	system_u:object_r:postfix_postqueue_exec_t:s0
-/usr/sbin/postsuper	--	system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/rmail		--	system_u:object_r:sendmail_exec_t:s0
-/usr/sbin/sendmail.postfix --	system_u:object_r:sendmail_exec_t:s0
-/var/spool/postfix(/.*)?	system_u:object_r:postfix_spool_t:s0
-/var/spool/postfix/maildrop(/.*)? system_u:object_r:postfix_spool_maildrop_t:s0
-/var/spool/postfix/pid	-d	system_u:object_r:var_run_t:s0
-/var/spool/postfix/pid/.*	system_u:object_r:postfix_var_run_t:s0
-/var/spool/postfix/private(/.*)? system_u:object_r:postfix_private_t:s0
-/var/spool/postfix/public(/.*)? system_u:object_r:postfix_public_t:s0
-/var/spool/postfix/bounce(/.*)? system_u:object_r:postfix_spool_bounce_t:s0
-/var/spool/postfix/flush(/.*)?	system_u:object_r:postfix_spool_flush_t:s0
-/var/spool/postfix/etc(/.*)?	system_u:object_r:etc_t:s0
-/var/spool/postfix/lib(64)?(/.*)?	system_u:object_r:lib_t:s0
-/var/spool/postfix/usr(/.*)?	system_u:object_r:lib_t:s0
-/var/spool/postfix/lib(64)?/ld.*\.so.* -- system_u:object_r:ld_so_t:s0
-/var/spool/postfix/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t:s0
-/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- system_u:object_r:shlib_t:s0
-/var/spool/postfix/lib(64)?/devfsd/.*\.so.* -- system_u:object_r:shlib_t:s0
diff --git a/mls/file_contexts/program/postgresql.fc b/mls/file_contexts/program/postgresql.fc
deleted file mode 100644
index 635a74a..0000000
--- a/mls/file_contexts/program/postgresql.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-# postgresql - database server
-/usr/lib(64)?/postgresql/bin/.* --	system_u:object_r:postgresql_exec_t:s0
-/usr/bin/postgres	--	system_u:object_r:postgresql_exec_t:s0
-/usr/bin/initdb		--	system_u:object_r:postgresql_exec_t:s0
-
-/var/lib/postgres(ql)?(/.*)? 	system_u:object_r:postgresql_db_t:s0
-/var/lib/pgsql/data(/.*)?	system_u:object_r:postgresql_db_t:s0
-/var/run/postgresql(/.*)?	system_u:object_r:postgresql_var_run_t:s0
-/etc/postgresql(/.*)?		system_u:object_r:postgresql_etc_t:s0
-/var/log/postgres\.log.* --	system_u:object_r:postgresql_log_t:s0
-/var/log/postgresql(/.*)?	system_u:object_r:postgresql_log_t:s0
-/var/lib/pgsql/pgstartup.log	system_u:object_r:postgresql_log_t:s0
-/usr/lib/pgsql/test/regres(/.*)?	system_u:object_r:postgresql_db_t:s0
-/usr/lib/pgsql/test/regress/.*\.so	-- system_u:object_r:shlib_t:s0
-/usr/lib/pgsql/test/regress/.*\.sh	-- system_u:object_r:bin_t:s0
-/usr/lib/pgsql/test/regress/pg_regress	-- system_u:object_r:postgresql_exec_t:s0
-ifdef(`distro_redhat', `
-/usr/share/jonas/pgsql(/.*)?       system_u:object_r:postgresql_db_t:s0
-/var/log/rhdb/rhdb(/.*)?           system_u:object_r:postgresql_log_t:s0 
-')
diff --git a/mls/file_contexts/program/postgrey.fc b/mls/file_contexts/program/postgrey.fc
deleted file mode 100644
index 89e43fd..0000000
--- a/mls/file_contexts/program/postgrey.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# postgrey - postfix grey-listing server
-/usr/sbin/postgrey	--	system_u:object_r:postgrey_exec_t
-/var/run/postgrey\.pid	--	system_u:object_r:postgrey_var_run_t
-/etc/postgrey(/.*)?		system_u:object_r:postgrey_etc_t
-/var/lib/postgrey(/.*)?		system_u:object_r:postgrey_var_lib_t
diff --git a/mls/file_contexts/program/pppd.fc b/mls/file_contexts/program/pppd.fc
deleted file mode 100644
index 87e3cb7..0000000
--- a/mls/file_contexts/program/pppd.fc
+++ /dev/null
@@ -1,25 +0,0 @@
-# pppd
-/usr/sbin/pppd		--	system_u:object_r:pppd_exec_t:s0
-/usr/sbin/pptp 		--	system_u:object_r:pptp_exec_t:s0
-/usr/sbin/ipppd		--	system_u:object_r:pppd_exec_t:s0
-/dev/ppp		-c	system_u:object_r:ppp_device_t:s0
-/dev/pppox.*		-c	system_u:object_r:ppp_device_t:s0
-/dev/ippp.*		-c	system_u:object_r:ppp_device_t:s0
-/var/run/pppd[0-9]*\.tdb --	system_u:object_r:pppd_var_run_t:s0
-/var/run/ppp(/.*)?		system_u:object_r:pppd_var_run_t:s0
-/etc/ppp		-d	system_u:object_r:pppd_etc_t:s0
-/etc/ppp/.*		--	system_u:object_r:pppd_etc_rw_t:s0
-/etc/ppp/.*secrets	--	system_u:object_r:pppd_secret_t:s0
-/var/run/(i)?ppp.*pid	--	system_u:object_r:pppd_var_run_t:s0
-/var/log/ppp-connect-errors.* -- system_u:object_r:pppd_log_t:s0
-/var/log/ppp/.*	--	system_u:object_r:pppd_log_t:s0
-/etc/ppp/ip-down\..*	--	system_u:object_r:bin_t:s0
-/etc/ppp/ip-up\..*	--	system_u:object_r:bin_t:s0
-/etc/ppp/ipv6-up\..*	--	system_u:object_r:bin_t:s0
-/etc/ppp/ipv6-down\..*	--	system_u:object_r:bin_t:s0
-/etc/ppp/plugins/rp-pppoe\.so 	--	system_u:object_r:shlib_t:s0
-/etc/ppp/resolv\.conf 	--	system_u:object_r:pppd_etc_rw_t:s0
-# Fix pptp sockets
-/var/run/pptp(/.*)?		system_u:object_r:pptp_var_run_t:s0
-# Fix /etc/ppp {up,down} family scripts (see man pppd)
-/etc/ppp/(auth|ip(v6|x)?)-(up|down)	--	system_u:object_r:pppd_script_exec_t:s0
diff --git a/mls/file_contexts/program/prelink.fc b/mls/file_contexts/program/prelink.fc
deleted file mode 100644
index fca98ee..0000000
--- a/mls/file_contexts/program/prelink.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# prelink - prelink ELF shared libraries and binaries to speed up startup time
-/usr/sbin/prelink		--	system_u:object_r:prelink_exec_t:s0
-ifdef(`distro_debian', `
-/usr/sbin/prelink\.bin		--	system_u:object_r:prelink_exec_t:s0
-')
-/etc/prelink\.conf		--	system_u:object_r:etc_prelink_t:s0
-/var/log/prelink\.log		--	system_u:object_r:prelink_log_t:s0
-/etc/prelink\.cache		--	system_u:object_r:prelink_cache_t:s0
diff --git a/mls/file_contexts/program/privoxy.fc b/mls/file_contexts/program/privoxy.fc
deleted file mode 100644
index d8d5647..0000000
--- a/mls/file_contexts/program/privoxy.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# privoxy
-/usr/sbin/privoxy	--	system_u:object_r:privoxy_exec_t:s0
-/var/log/privoxy(/.*)?		system_u:object_r:privoxy_log_t:s0
diff --git a/mls/file_contexts/program/procmail.fc b/mls/file_contexts/program/procmail.fc
deleted file mode 100644
index f231527..0000000
--- a/mls/file_contexts/program/procmail.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# procmail
-/usr/bin/procmail	--	system_u:object_r:procmail_exec_t:s0
diff --git a/mls/file_contexts/program/publicfile.fc b/mls/file_contexts/program/publicfile.fc
deleted file mode 100644
index dc32249..0000000
--- a/mls/file_contexts/program/publicfile.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-
-/usr/bin/ftpd			--	system_u:object_r:publicfile_exec_t
-/usr/bin/httpd			--	system_u:object_r:publicfile_exec_t
-/usr/bin/publicfile-conf	--	system_u:object_r:publicfile_exec_t
-
-# this is the place where online content located
-# set this to suit your needs
-#/var/www(/.*)?			system_u:object_r:publicfile_content_t
-
diff --git a/mls/file_contexts/program/pxe.fc b/mls/file_contexts/program/pxe.fc
deleted file mode 100644
index 165076a..0000000
--- a/mls/file_contexts/program/pxe.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# pxe network boot server
-/usr/sbin/pxe		--	system_u:object_r:pxe_exec_t
-/var/log/pxe\.log	--	system_u:object_r:pxe_log_t
-/var/run/pxe\.pid	--	system_u:object_r:pxe_var_run_t
-
diff --git a/mls/file_contexts/program/pyzor.fc b/mls/file_contexts/program/pyzor.fc
deleted file mode 100644
index ff62295..0000000
--- a/mls/file_contexts/program/pyzor.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-/etc/pyzor(/.*)?			system_u:object_r:pyzor_etc_t
-/usr/bin/pyzor			--	system_u:object_r:pyzor_exec_t
-/usr/bin/pyzord			--	system_u:object_r:pyzord_exec_t
-/var/lib/pyzord(/.*)?			system_u:object_r:pyzor_var_lib_t
-/var/log/pyzord.log		--	system_u:object_r:pyzord_log_t
-HOME_DIR/\.pyzor(/.*)?			system_u:object_r:ROLE_pyzor_home_t
diff --git a/mls/file_contexts/program/qmail.fc b/mls/file_contexts/program/qmail.fc
deleted file mode 100644
index 7704ed7..0000000
--- a/mls/file_contexts/program/qmail.fc
+++ /dev/null
@@ -1,38 +0,0 @@
-# qmail - Debian locations
-/etc/qmail(/.*)?		system_u:object_r:qmail_etc_t
-/var/qmail(/.*)?		system_u:object_r:qmail_etc_t
-/var/spool/qmail(/.*)?		system_u:object_r:qmail_spool_t
-/usr/sbin/qmail-start	--	system_u:object_r:qmail_start_exec_t
-/usr/sbin/qmail-lspawn	--	system_u:object_r:qmail_lspawn_exec_t
-/usr/bin/tcp-env	--	system_u:object_r:qmail_tcp_env_exec_t
-/usr/sbin/qmail-inject	--	system_u:object_r:qmail_inject_exec_t
-/usr/sbin/qmail-smtpd	--	system_u:object_r:qmail_smtpd_exec_t
-/usr/sbin/qmail-queue	--	system_u:object_r:qmail_queue_exec_t
-/usr/sbin/qmail-local	--	system_u:object_r:qmail_local_exec_t
-/usr/sbin/qmail-clean	--	system_u:object_r:qmail_clean_exec_t
-/usr/sbin/qmail-send	--	system_u:object_r:qmail_send_exec_t
-/usr/sbin/qmail-rspawn	--	system_u:object_r:qmail_rspawn_exec_t
-/usr/sbin/qmail-remote	--	system_u:object_r:qmail_remote_exec_t
-/usr/sbin/qmail-qread	--	system_u:object_r:qmail_qread_exec_t
-/usr/sbin/splogger	--	system_u:object_r:qmail_splogger_exec_t
-/usr/sbin/qmail-getpw	--	system_u:object_r:qmail_exec_t
-/usr/local/bin/serialmail/.* -- system_u:object_r:qmail_serialmail_exec_t
-# qmail - djb locations
-/var/qmail/control(/.*)?	system_u:object_r:qmail_etc_t
-/var/qmail/bin		-d	system_u:object_r:bin_t
-/var/qmail/queue(/.*)?		system_u:object_r:qmail_spool_t
-/var/qmail/bin/qmail-lspawn --	system_u:object_r:qmail_lspawn_exec_t
-/var/qmail/bin/tcp-env	--	system_u:object_r:qmail_tcp_env_exec_t
-/var/qmail/bin/qmail-inject --	system_u:object_r:qmail_inject_exec_t
-/var/qmail/bin/qmail-smtpd --	system_u:object_r:qmail_smtpd_exec_t
-/var/qmail/bin/qmail-queue --	system_u:object_r:qmail_queue_exec_t
-/var/qmail/bin/qmail-local --	system_u:object_r:qmail_local_exec_t
-/var/qmail/bin/qmail-clean --	system_u:object_r:qmail_clean_exec_t
-/var/qmail/bin/qmail-send --	system_u:object_r:qmail_send_exec_t
-/var/qmail/bin/qmail-rspawn --	system_u:object_r:qmail_rspawn_exec_t
-/var/qmail/bin/qmail-remote --	system_u:object_r:qmail_remote_exec_t
-/var/qmail/bin/qmail-qread --	system_u:object_r:qmail_qread_exec_t
-/var/qmail/bin/qmail-start --	system_u:object_r:qmail_start_exec_t
-/var/qmail/rc		--	system_u:object_r:bin_t
-/var/qmail/bin/splogger --	system_u:object_r:qmail_splogger_exec_t
-/var/qmail/bin/qmail-getpw --	system_u:object_r:qmail_exec_t
diff --git a/mls/file_contexts/program/quota.fc b/mls/file_contexts/program/quota.fc
deleted file mode 100644
index 8aa74f1..0000000
--- a/mls/file_contexts/program/quota.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# quota system
-/var/lib/quota(/.*)?		system_u:object_r:quota_flag_t:s0
-/sbin/quota(check|on)	--	system_u:object_r:quota_exec_t:s0
-ifdef(`distro_redhat', `
-/usr/sbin/convertquota	--	system_u:object_r:quota_exec_t:s0
-', `
-/sbin/convertquota	--	system_u:object_r:quota_exec_t:s0
-')
-HOME_ROOT/a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0
-/var/a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0
diff --git a/mls/file_contexts/program/radius.fc b/mls/file_contexts/program/radius.fc
deleted file mode 100644
index e3b9d51..0000000
--- a/mls/file_contexts/program/radius.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-# radius
-/etc/raddb(/.*)?                system_u:object_r:radiusd_etc_t:s0
-/usr/sbin/radiusd	--	system_u:object_r:radiusd_exec_t:s0
-/usr/sbin/freeradius	--	system_u:object_r:radiusd_exec_t:s0
-/var/log/radiusd-freeradius(/.*)?       system_u:object_r:radiusd_log_t:s0
-/var/log/radius\.log.*	--	system_u:object_r:radiusd_log_t:s0
-/var/log/radius(/.*)?		system_u:object_r:radiusd_log_t:s0
-/var/log/freeradius(/.*)?	system_u:object_r:radiusd_log_t:s0
-/var/log/radacct(/.*)?		system_u:object_r:radiusd_log_t:s0
-/var/log/radutmp	--	system_u:object_r:radiusd_log_t:s0
-/var/log/radwtmp.*	--	system_u:object_r:radiusd_log_t:s0
-/etc/cron\.(daily|monthly)/radiusd -- system_u:object_r:radiusd_exec_t:s0
-/etc/cron\.(daily|weekly|monthly)/freeradius -- system_u:object_r:radiusd_exec_t:s0
-/var/run/radiusd\.pid	--	system_u:object_r:radiusd_var_run_t:s0
-/var/run/radiusd(/.*)?		system_u:object_r:radiusd_var_run_t:s0
diff --git a/mls/file_contexts/program/radvd.fc b/mls/file_contexts/program/radvd.fc
deleted file mode 100644
index ab6bc47..0000000
--- a/mls/file_contexts/program/radvd.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# radvd
-/etc/radvd\.conf	--	system_u:object_r:radvd_etc_t:s0
-/usr/sbin/radvd		--	system_u:object_r:radvd_exec_t:s0
-/var/run/radvd\.pid	--	system_u:object_r:radvd_var_run_t:s0
-/var/run/radvd(/.*)?		system_u:object_r:radvd_var_run_t:s0
diff --git a/mls/file_contexts/program/razor.fc b/mls/file_contexts/program/razor.fc
deleted file mode 100644
index f3f1346..0000000
--- a/mls/file_contexts/program/razor.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# razor
-/etc/razor(/.*)?		system_u:object_r:razor_etc_t
-/usr/bin/razor.*		system_u:object_r:razor_exec_t
-/var/lib/razor(/.*)?		system_u:object_r:razor_var_lib_t
-/var/log/razor-agent.log	system_u:object_r:razor_log_t
-HOME_DIR/\.razor(/.*)?		system_u:object_r:ROLE_razor_home_t
diff --git a/mls/file_contexts/program/rdisc.fc b/mls/file_contexts/program/rdisc.fc
deleted file mode 100644
index f3ec427..0000000
--- a/mls/file_contexts/program/rdisc.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# rdisc
-/sbin/rdisc		system_u:object_r:rdisc_exec_t:s0
diff --git a/mls/file_contexts/program/readahead.fc b/mls/file_contexts/program/readahead.fc
deleted file mode 100644
index 16362a4..0000000
--- a/mls/file_contexts/program/readahead.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/readahead -- system_u:object_r:readahead_exec_t:s0
diff --git a/mls/file_contexts/program/resmgrd.fc b/mls/file_contexts/program/resmgrd.fc
deleted file mode 100644
index bee4680..0000000
--- a/mls/file_contexts/program/resmgrd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# resmgrd
-/sbin/resmgrd		--	system_u:object_r:resmgrd_exec_t
-/etc/resmgr\.conf	--	system_u:object_r:resmgrd_etc_t
-/var/run/resmgr\.pid	--	system_u:object_r:resmgrd_var_run_t
-/var/run/\.resmgr_socket	-s	system_u:object_r:resmgrd_var_run_t
-
diff --git a/mls/file_contexts/program/restorecon.fc b/mls/file_contexts/program/restorecon.fc
deleted file mode 100644
index cd62c78..0000000
--- a/mls/file_contexts/program/restorecon.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# restorecon
-/sbin/restorecon	--	system_u:object_r:restorecon_exec_t:s0
diff --git a/mls/file_contexts/program/rhgb.fc b/mls/file_contexts/program/rhgb.fc
deleted file mode 100644
index 118972e..0000000
--- a/mls/file_contexts/program/rhgb.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/rhgb		--	system_u:object_r:rhgb_exec_t
diff --git a/mls/file_contexts/program/rlogind.fc b/mls/file_contexts/program/rlogind.fc
deleted file mode 100644
index ce68e2c..0000000
--- a/mls/file_contexts/program/rlogind.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# rlogind and telnetd
-/usr/sbin/in\.rlogind	--	system_u:object_r:rlogind_exec_t:s0
-/usr/lib(64)?/telnetlogin	--	system_u:object_r:rlogind_exec_t:s0
-/usr/kerberos/sbin/klogind --	system_u:object_r:rlogind_exec_t:s0
diff --git a/mls/file_contexts/program/roundup.fc b/mls/file_contexts/program/roundup.fc
deleted file mode 100644
index 394359f..0000000
--- a/mls/file_contexts/program/roundup.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/bin/roundup-server         --      system_u:object_r:roundup_exec_t:s0
-/var/lib/roundup(/.*)?          --      system_u:object_r:roundup_var_lib_t:s0
diff --git a/mls/file_contexts/program/rpcd.fc b/mls/file_contexts/program/rpcd.fc
deleted file mode 100644
index 916cd25..0000000
--- a/mls/file_contexts/program/rpcd.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# RPC daemons
-/sbin/rpc\..*		--	system_u:object_r:rpcd_exec_t:s0
-/usr/sbin/rpc.idmapd	--	system_u:object_r:rpcd_exec_t:s0
-/usr/sbin/rpc\.nfsd	--	system_u:object_r:nfsd_exec_t:s0
-/usr/sbin/exportfs	--	system_u:object_r:nfsd_exec_t:s0
-/usr/sbin/rpc\.gssd	--	system_u:object_r:gssd_exec_t:s0
-/usr/sbin/rpc\.svcgssd	--	system_u:object_r:gssd_exec_t:s0
-/usr/sbin/rpc\.mountd	--	system_u:object_r:nfsd_exec_t:s0
-/var/run/rpc\.statd\.pid	--	system_u:object_r:rpcd_var_run_t:s0
-/var/run/rpc\.statd(/.*)?	system_u:object_r:rpcd_var_run_t:s0
-/etc/exports		--	system_u:object_r:exports_t:s0
-
diff --git a/mls/file_contexts/program/rpm.fc b/mls/file_contexts/program/rpm.fc
deleted file mode 100644
index 494fbcf..0000000
--- a/mls/file_contexts/program/rpm.fc
+++ /dev/null
@@ -1,29 +0,0 @@
-# rpm
-/var/lib/rpm(/.*)?		system_u:object_r:rpm_var_lib_t:s0
-/var/lib/alternatives(/.*)?	system_u:object_r:rpm_var_lib_t:s0
-/bin/rpm 		--	system_u:object_r:rpm_exec_t:s0
-/usr/bin/yum 		--	system_u:object_r:rpm_exec_t:s0
-/usr/bin/apt-get 	--	system_u:object_r:rpm_exec_t:s0
-/usr/bin/apt-shell    	-- 	system_u:object_r:rpm_exec_t:s0
-/usr/bin/synaptic   --    	system_u:object_r:rpm_exec_t:s0 
-/usr/lib(64)?/rpm/rpmd	-- 	system_u:object_r:bin_t:s0
-/usr/lib(64)?/rpm/rpmq	-- 	system_u:object_r:bin_t:s0
-/usr/lib(64)?/rpm/rpmk	-- 	system_u:object_r:bin_t:s0
-/usr/lib(64)?/rpm/rpmv	-- 	system_u:object_r:bin_t:s0
-/var/log/rpmpkgs.*	--	system_u:object_r:rpm_log_t:s0
-/var/log/yum\.log	--	system_u:object_r:rpm_log_t:s0
-ifdef(`distro_redhat', `
-/usr/sbin/up2date	--	system_u:object_r:rpm_exec_t:s0
-/usr/sbin/rhn_check	--	system_u:object_r:rpm_exec_t:s0
-')
-# SuSE
-ifdef(`distro_suse', `
-/usr/bin/online_update		--	system_u:object_r:rpm_exec_t:s0
-/sbin/yast2			--	system_u:object_r:rpm_exec_t:s0
-/var/lib/YaST2(/.*)?			system_u:object_r:rpm_var_lib_t:s0
-/var/log/YaST2(/.*)?			system_u:object_r:rpm_log_t:s0
-')
-
-ifdef(`mls_policy', `
-/sbin/cpio			--	system_u:object_r:rpm_exec_t:s0
-')
diff --git a/mls/file_contexts/program/rshd.fc b/mls/file_contexts/program/rshd.fc
deleted file mode 100644
index a7141fe..0000000
--- a/mls/file_contexts/program/rshd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# rshd.
-/usr/sbin/in\.rshd	--	system_u:object_r:rshd_exec_t:s0
-/usr/sbin/in\.rexecd	--	system_u:object_r:rshd_exec_t:s0
-/usr/kerberos/sbin/kshd	--	system_u:object_r:rshd_exec_t:s0
diff --git a/mls/file_contexts/program/rssh.fc b/mls/file_contexts/program/rssh.fc
deleted file mode 100644
index 16ec3a3..0000000
--- a/mls/file_contexts/program/rssh.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# rssh
-/usr/bin/rssh		--	system_u:object_r:rssh_exec_t
diff --git a/mls/file_contexts/program/rsync.fc b/mls/file_contexts/program/rsync.fc
deleted file mode 100644
index edb25f3..0000000
--- a/mls/file_contexts/program/rsync.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# rsync program
-/usr/bin/rsync	--	system_u:object_r:rsync_exec_t:s0
-/srv/([^/]*/)?rsync(/.*)?	system_u:object_r:public_content_t:s0
diff --git a/mls/file_contexts/program/samba.fc b/mls/file_contexts/program/samba.fc
deleted file mode 100644
index 204eb3f..0000000
--- a/mls/file_contexts/program/samba.fc
+++ /dev/null
@@ -1,26 +0,0 @@
-# samba scripts
-/usr/sbin/smbd		--	system_u:object_r:smbd_exec_t:s0
-/usr/sbin/nmbd		--	system_u:object_r:nmbd_exec_t:s0
-/usr/bin/net		--	system_u:object_r:samba_net_exec_t:s0
-/etc/samba(/.*)?		system_u:object_r:samba_etc_t:s0
-/var/log/samba(/.*)?		system_u:object_r:samba_log_t:s0
-/var/cache/samba(/.*)?		system_u:object_r:samba_var_t:s0
-/var/lib/samba(/.*)?		system_u:object_r:samba_var_t:s0
-/etc/samba/secrets\.tdb	--	system_u:object_r:samba_secrets_t:s0
-/etc/samba/MACHINE\.SID	--	system_u:object_r:samba_secrets_t:s0
-# samba really wants write access to smbpasswd
-/etc/samba/smbpasswd	--	system_u:object_r:samba_secrets_t:s0
-/var/run/samba/locking\.tdb --	system_u:object_r:smbd_var_run_t:s0
-/var/run/samba/connections\.tdb -- system_u:object_r:smbd_var_run_t:s0
-/var/run/samba/sessionid\.tdb -- system_u:object_r:smbd_var_run_t:s0
-/var/run/samba/brlock\.tdb --	system_u:object_r:smbd_var_run_t:s0
-/var/run/samba/namelist\.debug -- system_u:object_r:nmbd_var_run_t:s0
-/var/run/samba/messages\.tdb --	system_u:object_r:nmbd_var_run_t:s0
-/var/run/samba/unexpected\.tdb -- system_u:object_r:nmbd_var_run_t:s0
-/var/run/samba/smbd\.pid --	system_u:object_r:smbd_var_run_t:s0
-/var/run/samba/nmbd\.pid --	system_u:object_r:nmbd_var_run_t:s0
-/var/spool/samba(/.*)?		system_u:object_r:samba_var_t:s0
-ifdef(`mount.te', `
-/usr/bin/smbmount	--	system_u:object_r:smbmount_exec_t:s0
-/usr/bin/smbmnt		--	system_u:object_r:smbmount_exec_t:s0
-')
diff --git a/mls/file_contexts/program/saslauthd.fc b/mls/file_contexts/program/saslauthd.fc
deleted file mode 100644
index a8275a6..0000000
--- a/mls/file_contexts/program/saslauthd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# saslauthd 
-/usr/sbin/saslauthd		--	system_u:object_r:saslauthd_exec_t:s0
-/var/run/saslauthd(/.*)?		system_u:object_r:saslauthd_var_run_t:s0
diff --git a/mls/file_contexts/program/scannerdaemon.fc b/mls/file_contexts/program/scannerdaemon.fc
deleted file mode 100644
index a43bf87..0000000
--- a/mls/file_contexts/program/scannerdaemon.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# scannerdaemon
-/usr/sbin/scannerdaemon		--	system_u:object_r:scannerdaemon_exec_t
-/etc/scannerdaemon/scannerdaemon\.conf -- system_u:object_r:scannerdaemon_etc_t
-/var/log/scannerdaemon\.log 	--	system_u:object_r:scannerdaemon_log_t
diff --git a/mls/file_contexts/program/screen.fc b/mls/file_contexts/program/screen.fc
deleted file mode 100644
index 401072a..0000000
--- a/mls/file_contexts/program/screen.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# screen
-/usr/bin/screen		--	system_u:object_r:screen_exec_t:s0
-HOME_DIR/\.screenrc	--	system_u:object_r:ROLE_screen_ro_home_t:s0
-/var/run/screens?/S-[^/]+	-d	system_u:object_r:screen_dir_t:s0
-/var/run/screens?/S-[^/]+/.*	<<none>>
diff --git a/mls/file_contexts/program/sendmail.fc b/mls/file_contexts/program/sendmail.fc
deleted file mode 100644
index 8b9164d..0000000
--- a/mls/file_contexts/program/sendmail.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# sendmail
-/etc/mail(/.*)?				system_u:object_r:etc_mail_t:s0
-/var/log/sendmail\.st		--	system_u:object_r:sendmail_log_t:s0
-/var/log/mail(/.*)?			system_u:object_r:sendmail_log_t:s0
-/var/run/sendmail\.pid		--	system_u:object_r:sendmail_var_run_t:s0
-/var/run/sm-client\.pid		--	system_u:object_r:sendmail_var_run_t:s0
-ifdef(`distro_redhat', `
-/etc/rc.d/init.d/sendmail	--	system_u:object_r:sendmail_launch_exec_t:s0
-/var/lock/subsys/sm-client	--	system_u:object_r:sendmail_launch_lock_t:s0
-/var/lock/subsys/sendmail	--	system_u:object_r:sendmail_launch_lock_t:s0
-', `
-/etc/init.d/sendmail	--	system_u:object_r:sendmail_launch_exec_t:s0
-')
diff --git a/mls/file_contexts/program/setfiles.fc b/mls/file_contexts/program/setfiles.fc
deleted file mode 100644
index 45e245b..0000000
--- a/mls/file_contexts/program/setfiles.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# setfiles
-/usr/sbin/setfiles.*	--	system_u:object_r:setfiles_exec_t:s0
-
diff --git a/mls/file_contexts/program/slapd.fc b/mls/file_contexts/program/slapd.fc
deleted file mode 100644
index 4a5ff0d..0000000
--- a/mls/file_contexts/program/slapd.fc
+++ /dev/null
@@ -1,19 +0,0 @@
-# slapd - ldap server
-/usr/sbin/slapd		--	system_u:object_r:slapd_exec_t:s0
-/var/lib/ldap(/.*)?		system_u:object_r:slapd_db_t:s0
-/var/lib/ldap/replog(/.*)?	system_u:object_r:slapd_replog_t:s0
-/var/run/slapd\.args	--	system_u:object_r:slapd_var_run_t:s0
-/etc/ldap/slapd\.conf	--	system_u:object_r:slapd_etc_t:s0
-/var/run/slapd\.pid	--	system_u:object_r:slapd_var_run_t:s0
-/var/run/ldapi		-s	system_u:object_r:slapd_var_run_t:s0
-/opt/(fedora|redhat)-ds(/.*)?/bin/slapd/server/ns-slapd   --	system_u:object_r:slapd_exec_t:s0
-/opt/(fedora|redhat)-ds/slapd-[^/]+/logs(/.*)? 	system_u:object_r:slapd_var_run_t:s0
-/opt/(fedora|redhat)-ds/slapd-[^/]+/locks(/.*)?	system_u:object_r:slapd_lock_t:s0
-/opt/(fedora|redhat)-ds/slapd-[^/]+/tmp(/.*)? system_u:object_r:slapd_var_run_t:s0
-/opt/(fedora|redhat)-ds/slapd-[^/]+/config(/.*)? system_u:object_r:slapd_var_run_t:s0
-/opt/(fedora|redhat)-ds/slapd-[^/]+/db(/.*)? system_u:object_r:slapd_db_t:s0
-/opt/(fedora|redhat)-ds/slapd-[^/]+/bak(/.*)? system_u:object_r:slapd_db_t:s0
-/opt/(fedora|redhat)-ds/slapd-[^/]+/start-slapd system_u:object_r:initrc_exec_t:s0
-/opt/(fedora|redhat)-ds/slapd-[^/]+/stop-slapd system_u:object_r:initrc_exec_t:s0
-/opt/(fedora|redhat)-ds/alias(/.*)? system_u:object_r:slapd_cert_t:s0
-/opt/(fedora|redhat)-ds/alias/[^/]+so.* system_u:object_r:shlib_t:s0
diff --git a/mls/file_contexts/program/slocate.fc b/mls/file_contexts/program/slocate.fc
deleted file mode 100644
index 5baa3b2..0000000
--- a/mls/file_contexts/program/slocate.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# locate - file locater
-/usr/bin/s?locate		--	system_u:object_r:locate_exec_t:s0
-/var/lib/[sm]locate(/.*)?			system_u:object_r:locate_var_lib_t:s0
-/etc/updatedb\.conf		--	system_u:object_r:locate_etc_t:s0
diff --git a/mls/file_contexts/program/slrnpull.fc b/mls/file_contexts/program/slrnpull.fc
deleted file mode 100644
index e05abc8..0000000
--- a/mls/file_contexts/program/slrnpull.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# slrnpull
-/usr/bin/slrnpull	--	system_u:object_r:slrnpull_exec_t:s0
-/var/spool/slrnpull(/.*)?	system_u:object_r:slrnpull_spool_t:s0
diff --git a/mls/file_contexts/program/snmpd.fc b/mls/file_contexts/program/snmpd.fc
deleted file mode 100644
index c81b3fe..0000000
--- a/mls/file_contexts/program/snmpd.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# snmpd
-/usr/sbin/snmp(trap)?d	--	system_u:object_r:snmpd_exec_t:s0
-/var/lib/snmp(/.*)?		system_u:object_r:snmpd_var_lib_t:s0
-/var/lib/net-snmp(/.*)?	system_u:object_r:snmpd_var_lib_t:s0
-/etc/snmp/snmp(trap)?d\.conf -- system_u:object_r:snmpd_etc_t:s0
-/usr/share/snmp/mibs/\.index -- system_u:object_r:snmpd_var_lib_t:s0
-/var/run/snmpd\.pid	--	system_u:object_r:snmpd_var_run_t:s0
-/var/run/snmpd		-d	system_u:object_r:snmpd_var_run_t:s0
-/var/net-snmp(/.*)		system_u:object_r:snmpd_var_lib_t:s0
-/var/log/snmpd\.log	--	system_u:object_r:snmpd_log_t:s0
diff --git a/mls/file_contexts/program/snort.fc b/mls/file_contexts/program/snort.fc
deleted file mode 100644
index a40670c..0000000
--- a/mls/file_contexts/program/snort.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# SNORT
-/usr/(s)?bin/snort --	system_u:object_r:snort_exec_t
-/etc/snort(/.*)?	system_u:object_r:snort_etc_t
-/var/log/snort(/.*)?	system_u:object_r:snort_log_t
diff --git a/mls/file_contexts/program/sound-server.fc b/mls/file_contexts/program/sound-server.fc
deleted file mode 100644
index dfa8245..0000000
--- a/mls/file_contexts/program/sound-server.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# sound servers, nas, yiff, etc
-/usr/sbin/yiff		--	system_u:object_r:soundd_exec_t
-/usr/bin/nasd		--	system_u:object_r:soundd_exec_t
-/usr/bin/gpe-soundserver --	system_u:object_r:soundd_exec_t
-/etc/nas(/.*)?			system_u:object_r:etc_soundd_t
-/etc/yiff(/.*)?			system_u:object_r:etc_soundd_t
-/var/state/yiff(/.*)?		system_u:object_r:soundd_state_t
-/var/run/yiff-[0-9]+\.pid --	system_u:object_r:soundd_var_run_t
diff --git a/mls/file_contexts/program/sound.fc b/mls/file_contexts/program/sound.fc
deleted file mode 100644
index 4226dc3..0000000
--- a/mls/file_contexts/program/sound.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# sound
-/bin/aumix-minimal	--	system_u:object_r:sound_exec_t:s0
-/etc/\.aumixrc		--	system_u:object_r:sound_file_t:s0
diff --git a/mls/file_contexts/program/spamassassin.fc b/mls/file_contexts/program/spamassassin.fc
deleted file mode 100644
index 6896485..0000000
--- a/mls/file_contexts/program/spamassassin.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# spamassasin
-/usr/bin/spamassassin	--	system_u:object_r:spamassassin_exec_t:s0
-HOME_DIR/\.spamassassin(/.*)?	system_u:object_r:ROLE_spamassassin_home_t:s0
diff --git a/mls/file_contexts/program/spamc.fc b/mls/file_contexts/program/spamc.fc
deleted file mode 100644
index 1168d40..0000000
--- a/mls/file_contexts/program/spamc.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/spamc	--	system_u:object_r:spamc_exec_t:s0
diff --git a/mls/file_contexts/program/spamd.fc b/mls/file_contexts/program/spamd.fc
deleted file mode 100644
index 8c9add8..0000000
--- a/mls/file_contexts/program/spamd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/spamd		--	system_u:object_r:spamd_exec_t:s0
-/usr/bin/spamd		--	system_u:object_r:spamd_exec_t:s0
-/usr/bin/sa-learn	--	system_u:object_r:spamd_exec_t:s0
diff --git a/mls/file_contexts/program/speedmgmt.fc b/mls/file_contexts/program/speedmgmt.fc
deleted file mode 100644
index 486906e..0000000
--- a/mls/file_contexts/program/speedmgmt.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# speedmgmt
-/usr/sbin/speedmgmt	--	system_u:object_r:speedmgmt_exec_t
diff --git a/mls/file_contexts/program/squid.fc b/mls/file_contexts/program/squid.fc
deleted file mode 100644
index 03f291b..0000000
--- a/mls/file_contexts/program/squid.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# squid
-/usr/sbin/squid		--	system_u:object_r:squid_exec_t:s0
-/var/cache/squid(/.*)?		system_u:object_r:squid_cache_t:s0
-/var/spool/squid(/.*)?		system_u:object_r:squid_cache_t:s0
-/var/log/squid(/.*)?		system_u:object_r:squid_log_t:s0
-/etc/squid(/.*)?		system_u:object_r:squid_conf_t:s0
-/var/run/squid\.pid	--	system_u:object_r:squid_var_run_t:s0
-/usr/share/squid(/.*)?		system_u:object_r:squid_conf_t:s0
-ifdef(`apache.te', `
-/usr/lib/squid/cachemgr.cgi	-- system_u:object_r:httpd_exec_t:s0
-')
diff --git a/mls/file_contexts/program/ssh-agent.fc b/mls/file_contexts/program/ssh-agent.fc
deleted file mode 100644
index 90a4603..0000000
--- a/mls/file_contexts/program/ssh-agent.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# ssh-agent
-/usr/bin/ssh-agent	--	system_u:object_r:ssh_agent_exec_t:s0
diff --git a/mls/file_contexts/program/ssh.fc b/mls/file_contexts/program/ssh.fc
deleted file mode 100644
index 4ccba2e..0000000
--- a/mls/file_contexts/program/ssh.fc
+++ /dev/null
@@ -1,21 +0,0 @@
-# ssh
-/usr/bin/ssh		--	system_u:object_r:ssh_exec_t:s0
-/usr/libexec/openssh/ssh-keysign -- system_u:object_r:ssh_keysign_exec_t:s0
-/usr/bin/ssh-keygen	--	system_u:object_r:ssh_keygen_exec_t:s0
-# sshd
-/etc/ssh/primes		--	system_u:object_r:sshd_key_t:s0
-/etc/ssh/ssh_host_key 	--	system_u:object_r:sshd_key_t:s0
-/etc/ssh/ssh_host_dsa_key --	system_u:object_r:sshd_key_t:s0
-/etc/ssh/ssh_host_rsa_key --	system_u:object_r:sshd_key_t:s0
-/usr/sbin/sshd	        --	system_u:object_r:sshd_exec_t:s0
-/var/run/sshd\.init\.pid	--	system_u:object_r:sshd_var_run_t:s0
-# subsystems
-/usr/lib(64)?/misc/sftp-server --	system_u:object_r:bin_t:s0
-/usr/libexec/openssh/sftp-server -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/sftp-server	--	system_u:object_r:bin_t:s0
-ifdef(`distro_suse', `
-/usr/lib(64)?/ssh/.*	--	system_u:object_r:bin_t:s0
-')
-ifdef(`targeted_policy', `', `
-HOME_DIR/\.ssh(/.*)?		system_u:object_r:ROLE_home_ssh_t:s0
-')
diff --git a/mls/file_contexts/program/stunnel.fc b/mls/file_contexts/program/stunnel.fc
deleted file mode 100644
index 2f0798c..0000000
--- a/mls/file_contexts/program/stunnel.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/stunnel	--	system_u:object_r:stunnel_exec_t:s0
-/etc/stunnel(/.*)?          	system_u:object_r:stunnel_etc_t:s0
-/var/run/stunnel(/.*)?		system_u:object_r:stunnel_var_run_t:s0
diff --git a/mls/file_contexts/program/su.fc b/mls/file_contexts/program/su.fc
deleted file mode 100644
index 8712b4b..0000000
--- a/mls/file_contexts/program/su.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# su
-/bin/su			--	system_u:object_r:su_exec_t:s0
diff --git a/mls/file_contexts/program/sudo.fc b/mls/file_contexts/program/sudo.fc
deleted file mode 100644
index ecaf228..0000000
--- a/mls/file_contexts/program/sudo.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# sudo
-/usr/bin/sudo(edit)?	--	system_u:object_r:sudo_exec_t:s0
-
diff --git a/mls/file_contexts/program/sulogin.fc b/mls/file_contexts/program/sulogin.fc
deleted file mode 100644
index bb2bc51..0000000
--- a/mls/file_contexts/program/sulogin.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# sulogin
-/sbin/sulogin		--	system_u:object_r:sulogin_exec_t:s0
diff --git a/mls/file_contexts/program/swat.fc b/mls/file_contexts/program/swat.fc
deleted file mode 100644
index e75e1e3..0000000
--- a/mls/file_contexts/program/swat.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# samba management tool
-/usr/sbin/swat	--	system_u:object_r:swat_exec_t:s0
diff --git a/mls/file_contexts/program/sxid.fc b/mls/file_contexts/program/sxid.fc
deleted file mode 100644
index e9126bc..0000000
--- a/mls/file_contexts/program/sxid.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# sxid - ldap server
-/usr/bin/sxid		--	system_u:object_r:sxid_exec_t
-/var/log/sxid\.log.*	--	system_u:object_r:sxid_log_t
-/var/log/setuid\.today.* --	system_u:object_r:sxid_log_t
-/usr/sbin/checksecurity\.se --	system_u:object_r:sxid_exec_t
-/var/log/setuid.*	--	system_u:object_r:sxid_log_t
diff --git a/mls/file_contexts/program/syslogd.fc b/mls/file_contexts/program/syslogd.fc
deleted file mode 100644
index d0fb0a4..0000000
--- a/mls/file_contexts/program/syslogd.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# syslogd
-/sbin/syslogd		--	system_u:object_r:syslogd_exec_t:s0
-/sbin/minilogd		--	system_u:object_r:syslogd_exec_t:s0
-/usr/sbin/syslogd	--	system_u:object_r:syslogd_exec_t:s0
-/sbin/syslog-ng		--	system_u:object_r:syslogd_exec_t:s0
-/dev/log		-s	system_u:object_r:devlog_t:s0
-/var/run/log		-s	system_u:object_r:devlog_t:s0
-ifdef(`distro_suse', `
-/var/lib/stunnel/dev/log	-s	system_u:object_r:devlog_t:s0
-')
-/var/run/syslogd\.pid	--	system_u:object_r:syslogd_var_run_t:s0
diff --git a/mls/file_contexts/program/sysstat.fc b/mls/file_contexts/program/sysstat.fc
deleted file mode 100644
index 1b5e5e7..0000000
--- a/mls/file_contexts/program/sysstat.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# sysstat and other sar programs
-/usr/lib(64)?/atsar/atsa.*	--	system_u:object_r:sysstat_exec_t:s0
-/usr/lib(64)?/sysstat/sa.*	--	system_u:object_r:sysstat_exec_t:s0
-/usr/lib(64)?/sa/sadc	--	system_u:object_r:sysstat_exec_t:s0
-/var/log/atsar(/.*)?		system_u:object_r:sysstat_log_t:s0
-/var/log/sysstat(/.*)?		system_u:object_r:sysstat_log_t:s0
-/var/log/sa(/.*)?		system_u:object_r:sysstat_log_t:s0
diff --git a/mls/file_contexts/program/tcpd.fc b/mls/file_contexts/program/tcpd.fc
deleted file mode 100644
index 7215d91..0000000
--- a/mls/file_contexts/program/tcpd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# tcpd
-/usr/sbin/tcpd		--	system_u:object_r:tcpd_exec_t:s0
diff --git a/mls/file_contexts/program/telnetd.fc b/mls/file_contexts/program/telnetd.fc
deleted file mode 100644
index 15587a2..0000000
--- a/mls/file_contexts/program/telnetd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# telnetd
-/usr/sbin/in\.telnetd	--	system_u:object_r:telnetd_exec_t:s0
-/usr/kerberos/sbin/telnetd --	system_u:object_r:telnetd_exec_t:s0
diff --git a/mls/file_contexts/program/tftpd.fc b/mls/file_contexts/program/tftpd.fc
deleted file mode 100644
index 1e503b9..0000000
--- a/mls/file_contexts/program/tftpd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# tftpd
-/usr/sbin/in\.tftpd	--	system_u:object_r:tftpd_exec_t:s0
-/usr/sbin/atftpd	--	system_u:object_r:tftpd_exec_t:s0
-/tftpboot(/.*)?			system_u:object_r:tftpdir_t:s0
diff --git a/mls/file_contexts/program/thunderbird.fc b/mls/file_contexts/program/thunderbird.fc
deleted file mode 100644
index ca37346..0000000
--- a/mls/file_contexts/program/thunderbird.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/bin/thunderbird.*			--	system_u:object_r:thunderbird_exec_t
-HOME_DIR/\.thunderbird(/.*)?			system_u:object_r:ROLE_thunderbird_home_t
diff --git a/mls/file_contexts/program/timidity.fc b/mls/file_contexts/program/timidity.fc
deleted file mode 100644
index 84221fa..0000000
--- a/mls/file_contexts/program/timidity.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# timidity
-/usr/bin/timidity	--	system_u:object_r:timidity_exec_t:s0
diff --git a/mls/file_contexts/program/tinydns.fc b/mls/file_contexts/program/tinydns.fc
deleted file mode 100644
index 10ea1a3..0000000
--- a/mls/file_contexts/program/tinydns.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# tinydns
-/etc/tinydns(/.*)?		system_u:object_r:tinydns_conf_t
-/etc/tinydns/root/data* --      system_u:object_r:tinydns_zone_t
-/usr/bin/tinydns*	--	system_u:object_r:tinydns_exec_t
-#/var/log/dns/tinydns(/.*)	system_u:object_r:tinydns_log_t
-#/var/lib/svscan(/.*)		system_u:object_r:tinydns_svscan_t
diff --git a/mls/file_contexts/program/tmpreaper.fc b/mls/file_contexts/program/tmpreaper.fc
deleted file mode 100644
index 796037a..0000000
--- a/mls/file_contexts/program/tmpreaper.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# tmpreaper or tmpwatch
-/usr/sbin/tmpreaper	--	system_u:object_r:tmpreaper_exec_t:s0
-/usr/sbin/tmpwatch	--	system_u:object_r:tmpreaper_exec_t:s0
diff --git a/mls/file_contexts/program/traceroute.fc b/mls/file_contexts/program/traceroute.fc
deleted file mode 100644
index 634dbe9..0000000
--- a/mls/file_contexts/program/traceroute.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# traceroute
-/bin/traceroute.*	--	system_u:object_r:traceroute_exec_t:s0
-/bin/tracepath.*	--	system_u:object_r:traceroute_exec_t:s0
-/usr/(s)?bin/traceroute.* --	system_u:object_r:traceroute_exec_t:s0
-/usr/bin/lft		--	system_u:object_r:traceroute_exec_t:s0
-/usr/bin/nmap		--	system_u:object_r:traceroute_exec_t:s0
diff --git a/mls/file_contexts/program/transproxy.fc b/mls/file_contexts/program/transproxy.fc
deleted file mode 100644
index 2027eea..0000000
--- a/mls/file_contexts/program/transproxy.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# transproxy - http transperant proxy
-/usr/sbin/tproxy	--	system_u:object_r:transproxy_exec_t
-/var/run/tproxy\.pid	--	system_u:object_r:transproxy_var_run_t
diff --git a/mls/file_contexts/program/tripwire.fc b/mls/file_contexts/program/tripwire.fc
deleted file mode 100644
index 88afc34..0000000
--- a/mls/file_contexts/program/tripwire.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-# tripwire
-/etc/tripwire(/.*)?			system_u:object_r:tripwire_etc_t
-/usr/sbin/siggen			system_u:object_r:siggen_exec_t
-/usr/sbin/tripwire			system_u:object_r:tripwire_exec_t
-/usr/sbin/tripwire-setup-keyfiles	system_u:object_r:bin_t
-/usr/sbin/twadmin			system_u:object_r:twadmin_exec_t
-/usr/sbin/twprint			system_u:object_r:twprint_exec_t
-/var/lib/tripwire(/.*)?			system_u:object_r:tripwire_var_lib_t
-/var/lib/tripwire/report(/.*)?		system_u:object_r:tripwire_report_t
diff --git a/mls/file_contexts/program/tvtime.fc b/mls/file_contexts/program/tvtime.fc
deleted file mode 100644
index 0969e96..0000000
--- a/mls/file_contexts/program/tvtime.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# tvtime
-/usr/bin/tvtime		--	system_u:object_r:tvtime_exec_t
-
diff --git a/mls/file_contexts/program/ucspi-tcp.fc b/mls/file_contexts/program/ucspi-tcp.fc
deleted file mode 100644
index 448c1ab..0000000
--- a/mls/file_contexts/program/ucspi-tcp.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-#ucspi-tcp
-/usr/bin/tcpserver	--	system_u:object_r:utcpserver_exec_t
-/usr/bin/rblsmtpd	--	system_u:object_r:rblsmtpd_exec_t
diff --git a/mls/file_contexts/program/udev.fc b/mls/file_contexts/program/udev.fc
deleted file mode 100644
index 0df162f..0000000
--- a/mls/file_contexts/program/udev.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-# udev
-/sbin/udevsend	--	system_u:object_r:udev_exec_t:s0
-/sbin/udev	--	system_u:object_r:udev_exec_t:s0
-/sbin/udevd	--	system_u:object_r:udev_exec_t:s0
-/sbin/start_udev --	system_u:object_r:udev_exec_t:s0
-/sbin/udevstart  --	system_u:object_r:udev_exec_t:s0
-/usr/bin/udevinfo --	system_u:object_r:udev_exec_t:s0
-/etc/dev\.d/.+	--	system_u:object_r:udev_helper_exec_t:s0
-/etc/udev/scripts/.+	-- system_u:object_r:udev_helper_exec_t:s0
-/etc/udev/devices/.*    system_u:object_r:device_t:s0
-/etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t:s0
-/dev/udev\.tbl	--	system_u:object_r:udev_tbl_t:s0
-/dev/\.udevdb(/.*)?	--	system_u:object_r:udev_tdb_t:s0
-/sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t:s0
diff --git a/mls/file_contexts/program/uml.fc b/mls/file_contexts/program/uml.fc
deleted file mode 100644
index dc1621d..0000000
--- a/mls/file_contexts/program/uml.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# User Mode Linux
-/usr/bin/uml_switch	--	system_u:object_r:uml_switch_exec_t
-/var/run/uml-utilities(/.*)?	system_u:object_r:uml_switch_var_run_t
-HOME_DIR/\.uml(/.*)?		system_u:object_r:ROLE_uml_rw_t
diff --git a/mls/file_contexts/program/uml_net.fc b/mls/file_contexts/program/uml_net.fc
deleted file mode 100644
index 67aa1f2..0000000
--- a/mls/file_contexts/program/uml_net.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# User Mode Linux
-# WARNING: Do not install this file on any machine that has hostile users.
-/usr/lib(64)?/uml/uml_net	--	system_u:object_r:uml_net_exec_t
diff --git a/mls/file_contexts/program/unconfined.fc b/mls/file_contexts/program/unconfined.fc
deleted file mode 100644
index 5e289fa..0000000
--- a/mls/file_contexts/program/unconfined.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# Add programs here which should not be confined by SELinux
-# e.g.:
-# /usr/local/bin/appsrv	--	system_u:object_r:unconfined_exec_t:s0
diff --git a/mls/file_contexts/program/updfstab.fc b/mls/file_contexts/program/updfstab.fc
deleted file mode 100644
index f6ac1d9..0000000
--- a/mls/file_contexts/program/updfstab.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# updfstab
-/usr/sbin/updfstab	--	system_u:object_r:updfstab_exec_t:s0
-/usr/sbin/fstab-sync	--	system_u:object_r:updfstab_exec_t:s0
diff --git a/mls/file_contexts/program/uptimed.fc b/mls/file_contexts/program/uptimed.fc
deleted file mode 100644
index f80ccb4..0000000
--- a/mls/file_contexts/program/uptimed.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# uptimed
-/etc/uptimed\.conf	--	system_u:object_r:uptimed_etc_t
-/usr/sbin/uptimed	--	system_u:object_r:uptimed_exec_t
-/var/spool/uptimed(/.*)?        system_u:object_r:uptimed_spool_t
diff --git a/mls/file_contexts/program/usbmodules.fc b/mls/file_contexts/program/usbmodules.fc
deleted file mode 100644
index 1ab2742..0000000
--- a/mls/file_contexts/program/usbmodules.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# usbmodules
-/usr/sbin/usbmodules	--	system_u:object_r:usbmodules_exec_t:s0
-/sbin/usbmodules	--	system_u:object_r:usbmodules_exec_t:s0
diff --git a/mls/file_contexts/program/useradd.fc b/mls/file_contexts/program/useradd.fc
deleted file mode 100644
index c7bb659..0000000
--- a/mls/file_contexts/program/useradd.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-#useradd
-/usr/sbin/usermod	--	system_u:object_r:useradd_exec_t:s0
-/usr/sbin/useradd	--	system_u:object_r:useradd_exec_t:s0
-/usr/sbin/userdel	--	system_u:object_r:useradd_exec_t:s0
-#groupadd
-/usr/sbin/groupmod	--	system_u:object_r:groupadd_exec_t:s0
-/usr/sbin/groupadd	--	system_u:object_r:groupadd_exec_t:s0
-/usr/sbin/groupdel	--	system_u:object_r:groupadd_exec_t:s0
-/usr/bin/gpasswd	--	system_u:object_r:groupadd_exec_t:s0
-/usr/sbin/gpasswd	--	system_u:object_r:groupadd_exec_t:s0
diff --git a/mls/file_contexts/program/userhelper.fc b/mls/file_contexts/program/userhelper.fc
deleted file mode 100644
index 319c82a..0000000
--- a/mls/file_contexts/program/userhelper.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/etc/security/console.apps(/.*)?	system_u:object_r:userhelper_conf_t:s0
-/usr/sbin/userhelper		--	system_u:object_r:userhelper_exec_t:s0
diff --git a/mls/file_contexts/program/usernetctl.fc b/mls/file_contexts/program/usernetctl.fc
deleted file mode 100644
index 728a65c..0000000
--- a/mls/file_contexts/program/usernetctl.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# usernetctl
-/usr/sbin/usernetctl --	system_u:object_r:usernetctl_exec_t:s0
diff --git a/mls/file_contexts/program/utempter.fc b/mls/file_contexts/program/utempter.fc
deleted file mode 100644
index 922bc2a..0000000
--- a/mls/file_contexts/program/utempter.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# utempter
-/usr/sbin/utempter	--	system_u:object_r:utempter_exec_t:s0
diff --git a/mls/file_contexts/program/uucpd.fc b/mls/file_contexts/program/uucpd.fc
deleted file mode 100644
index a359cc3..0000000
--- a/mls/file_contexts/program/uucpd.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# uucico program
-/usr/sbin/uucico	--	system_u:object_r:uucpd_exec_t:s0
-/var/spool/uucp(/.*)?		system_u:object_r:uucpd_spool_t:s0
-/var/spool/uucppublic(/.*)?	system_u:object_r:uucpd_spool_t:s0
-/var/log/uucp(/.*)?		system_u:object_r:uucpd_log_t:s0
diff --git a/mls/file_contexts/program/uwimapd.fc b/mls/file_contexts/program/uwimapd.fc
deleted file mode 100644
index 00f9073..0000000
--- a/mls/file_contexts/program/uwimapd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# uw-imapd and uw-imapd-ssl
-/usr/sbin/imapd		-- system_u:object_r:imapd_exec_t
diff --git a/mls/file_contexts/program/vmware.fc b/mls/file_contexts/program/vmware.fc
deleted file mode 100644
index d015988..0000000
--- a/mls/file_contexts/program/vmware.fc
+++ /dev/null
@@ -1,42 +0,0 @@
-#
-# File contexts for VMWare.
-# Contributed by Mark Westerman (mark.westerman@westcam.com)
-# Changes made by NAI Labs.
-# Tested with VMWare 3.1
-#
-/usr/bin/vmnet-bridge	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-dhcpd	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-natd	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-netifup	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-sniffer	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmware-nmbd	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmware-ping	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmware-smbd	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmware-smbpasswd --	system_u:object_r:vmware_exec_t
-/usr/bin/vmware-smbpasswd\.bin -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-wizard	--	system_u:object_r:vmware_user_exec_t
-/usr/bin/vmware		--	system_u:object_r:vmware_user_exec_t
-
-/dev/vmmon		-c	system_u:object_r:vmware_device_t
-/dev/vmnet.*		-c	system_u:object_r:vmware_device_t
-/dev/plex86		-c	system_u:object_r:vmware_device_t
-
-/etc/vmware.*(/.*)?		system_u:object_r:vmware_sys_conf_t
-/usr/lib(64)?/vmware/config	--	system_u:object_r:vmware_sys_conf_t
-
-/usr/lib(64)?/vmware/bin/vmware-mks -- system_u:object_r:vmware_user_exec_t
-/usr/lib(64)?/vmware/bin/vmware-ui -- system_u:object_r:vmware_user_exec_t
-
-#
-# This is only an example of how to protect vmware session configuration
-# files.  A general user can execute vmware and start a vmware session
-# but the user can not modify the session configuration information
-#/usr/local/vmware(/.*)?	system_u:object_r:vmware_user_file_t
-#/usr/local/vmware/[^/]*/.*\.cfg -- system_u:object_r:vmware_user_conf_t
-
-# The rules below assume that the user VMWare virtual disks are in the
-# ~/vmware, and the preferences and license files are in ~/.vmware.
-#
-HOME_DIR/\.vmware(/.*)?	system_u:object_r:ROLE_vmware_file_t
-HOME_DIR/vmware(/.*)?	system_u:object_r:ROLE_vmware_file_t
-HOME_DIR/\.vmware[^/]*/.*\.cfg	--	system_u:object_r:ROLE_vmware_conf_t
diff --git a/mls/file_contexts/program/vpnc.fc b/mls/file_contexts/program/vpnc.fc
deleted file mode 100644
index 66a6271..0000000
--- a/mls/file_contexts/program/vpnc.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# vpnc
-/usr/sbin/vpnc		--	system_u:object_r:vpnc_exec_t:s0
-/sbin/vpnc		--	system_u:object_r:vpnc_exec_t:s0
-/etc/vpnc/vpnc-script	--	system_u:object_r:bin_t:s0
diff --git a/mls/file_contexts/program/watchdog.fc b/mls/file_contexts/program/watchdog.fc
deleted file mode 100644
index d7a8c7f..0000000
--- a/mls/file_contexts/program/watchdog.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# watchdog
-/usr/sbin/watchdog	--	system_u:object_r:watchdog_exec_t
-/dev/watchdog		-c	system_u:object_r:watchdog_device_t
-/var/log/watchdog(/.*)?		system_u:object_r:watchdog_log_t
-/var/run/watchdog\.pid	--	system_u:object_r:watchdog_var_run_t
diff --git a/mls/file_contexts/program/webalizer.fc b/mls/file_contexts/program/webalizer.fc
deleted file mode 100644
index 7244932..0000000
--- a/mls/file_contexts/program/webalizer.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-#
-/usr/bin/webalizer	--	system_u:object_r:webalizer_exec_t:s0
-/var/lib/webalizer(/.*)		system_u:object_r:webalizer_var_lib_t:s0
diff --git a/mls/file_contexts/program/winbind.fc b/mls/file_contexts/program/winbind.fc
deleted file mode 100644
index b1d9d57..0000000
--- a/mls/file_contexts/program/winbind.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/usr/sbin/winbindd	--	system_u:object_r:winbind_exec_t:s0
-/var/run/winbindd(/.*)?		system_u:object_r:winbind_var_run_t:s0
-ifdef(`samba.te', `', `
-/var/log/samba(/.*)?		system_u:object_r:samba_log_t:s0
-/etc/samba(/.*)?		system_u:object_r:samba_etc_t:s0
-/etc/samba/secrets\.tdb	--	system_u:object_r:samba_secrets_t:s0
-/etc/samba/MACHINE\.SID	--	system_u:object_r:samba_secrets_t:s0
-/var/cache/samba(/.*)?		system_u:object_r:samba_var_t:s0
-')
-/var/cache/samba/winbindd_privileged(/.*)?	system_u:object_r:winbind_var_run_t:s0
-/usr/bin/ntlm_auth --	system_u:object_r:winbind_helper_exec_t:s0
diff --git a/mls/file_contexts/program/xauth.fc b/mls/file_contexts/program/xauth.fc
deleted file mode 100644
index 055fc2f..0000000
--- a/mls/file_contexts/program/xauth.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# xauth
-/usr/X11R6/bin/xauth	--	system_u:object_r:xauth_exec_t
-HOME_DIR/\.xauth.*	--	system_u:object_r:ROLE_xauth_home_t
-HOME_DIR/\.Xauthority.* --	system_u:object_r:ROLE_xauth_home_t
diff --git a/mls/file_contexts/program/xdm.fc b/mls/file_contexts/program/xdm.fc
deleted file mode 100644
index 16c2d7d..0000000
--- a/mls/file_contexts/program/xdm.fc
+++ /dev/null
@@ -1,40 +0,0 @@
-# X Display Manager
-/usr/bin/[xgkw]dm	--	system_u:object_r:xdm_exec_t
-/usr/X11R6/bin/[xgkw]dm	--	system_u:object_r:xdm_exec_t
-/opt/kde3/bin/kdm	--	system_u:object_r:xdm_exec_t
-/usr/bin/gpe-dm		--	system_u:object_r:xdm_exec_t
-/usr/(s)?bin/gdm-binary	--	system_u:object_r:xdm_exec_t
-/var/[xgk]dm(/.*)?		system_u:object_r:xserver_log_t
-/usr/var/[xgkw]dm(/.*)?		system_u:object_r:xserver_log_t
-/var/log/[kw]dm\.log	--	system_u:object_r:xserver_log_t
-/var/log/gdm(/.*)?		system_u:object_r:xserver_log_t
-/tmp/\.X0-lock		--	system_u:object_r:xdm_xserver_tmp_t
-/etc/X11/Xsession[^/]*	--	system_u:object_r:xsession_exec_t
-/etc/X11/wdm(/.*)?		system_u:object_r:xdm_rw_etc_t
-/etc/X11/wdm/Xsetup.*	--	system_u:object_r:xsession_exec_t
-/etc/X11/wdm/Xstartup.*	--	system_u:object_r:xsession_exec_t
-/etc/X11/[wx]dm/Xreset.*	--	system_u:object_r:xsession_exec_t
-/etc/X11/[wx]dm/Xsession	--	system_u:object_r:xsession_exec_t
-/etc/kde/kdm/Xsession	--	system_u:object_r:xsession_exec_t
-/var/run/xdmctl(/.*)?		system_u:object_r:xdm_var_run_t
-/var/run/xdm\.pid	--	system_u:object_r:xdm_var_run_t
-/var/lib/[xkw]dm(/.*)?		system_u:object_r:xdm_var_lib_t
-ifdef(`distro_suse', `
-/var/lib/pam_devperm/:0	--	system_u:object_r:xdm_var_lib_t
-')
-
-#
-# Additional Xsession scripts
-#
-/etc/X11/xdm/GiveConsole	--	system_u:object_r:bin_t
-/etc/X11/xdm/TakeConsole	--	system_u:object_r:bin_t
-/etc/X11/xdm/Xsetup_0		--	system_u:object_r:bin_t
-/etc/X11/xinit(/.*)?			system_u:object_r:bin_t
-#
-# Rules for kde login
-#
-/etc/kde3?/kdm/Xstartup   --		system_u:object_r:xsession_exec_t
-/etc/kde3?/kdm/Xreset     --		system_u:object_r:xsession_exec_t
-/etc/kde3?/kdm/Xsession		--	system_u:object_r:xsession_exec_t
-/etc/kde3?/kdm/backgroundrc	system_u:object_r:xdm_var_run_t
-/usr/lib(64)?/qt-.*/etc/settings(/.*)?	system_u:object_r:xdm_var_run_t
diff --git a/mls/file_contexts/program/xfs.fc b/mls/file_contexts/program/xfs.fc
deleted file mode 100644
index dc1881f..0000000
--- a/mls/file_contexts/program/xfs.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# xfs
-/tmp/\.font-unix(/.*)?		system_u:object_r:xfs_tmp_t:s0
-/usr/X11R6/bin/xfs	--	system_u:object_r:xfs_exec_t:s0
-/usr/X11R6/bin/xfs-xtt	--	system_u:object_r:xfs_exec_t:s0
-/usr/bin/xfstt		--	system_u:object_r:xfs_exec_t:s0
diff --git a/mls/file_contexts/program/xprint.fc b/mls/file_contexts/program/xprint.fc
deleted file mode 100644
index 3c72a77..0000000
--- a/mls/file_contexts/program/xprint.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/Xprt	--	system_u:object_r:xprint_exec_t
diff --git a/mls/file_contexts/program/xserver.fc b/mls/file_contexts/program/xserver.fc
deleted file mode 100644
index 3d48a6f..0000000
--- a/mls/file_contexts/program/xserver.fc
+++ /dev/null
@@ -1,17 +0,0 @@
-# X server
-/usr/X11R6/bin/Xwrapper	--	system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/X	--	system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/XFree86	--	system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/Xorg	--	system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/Xipaq	--	system_u:object_r:xserver_exec_t
-/var/lib/xkb(/.*)?		system_u:object_r:xkb_var_lib_t
-/usr/X11R6/lib/X11/xkb	-d	system_u:object_r:xkb_var_lib_t
-/usr/X11R6/lib/X11/xkb/.* --	system_u:object_r:xkb_var_lib_t
-/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- system_u:object_r:bin_t
-/var/log/XFree86.*	--	system_u:object_r:xserver_log_t
-/var/log/Xorg.*		--	system_u:object_r:xserver_log_t
-/etc/init\.d/xfree86-common --	system_u:object_r:xserver_exec_t
-/tmp/\.X11-unix		-d	system_u:object_r:xdm_tmp_t
-/tmp/\.X11-unix/.*	-s	<<none>>
-/tmp/\.ICE-unix		-d	system_u:object_r:ice_tmp_t
-/tmp/\.ICE-unix/.*	-s	<<none>>
diff --git a/mls/file_contexts/program/yam.fc b/mls/file_contexts/program/yam.fc
deleted file mode 100644
index 023b740..0000000
--- a/mls/file_contexts/program/yam.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# yam
-/etc/yam.conf		--	system_u:object_r:yam_etc_t
-/usr/bin/yam			system_u:object_r:yam_exec_t
-/var/yam(/.*)?			system_u:object_r:yam_content_t
-/var/www/yam(/.*)?		system_u:object_r:yam_content_t
diff --git a/mls/file_contexts/program/ypbind.fc b/mls/file_contexts/program/ypbind.fc
deleted file mode 100644
index f9f6ff8..0000000
--- a/mls/file_contexts/program/ypbind.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# ypbind
-/sbin/ypbind		--	system_u:object_r:ypbind_exec_t:s0
diff --git a/mls/file_contexts/program/yppasswdd.fc b/mls/file_contexts/program/yppasswdd.fc
deleted file mode 100644
index b70c5a0..0000000
--- a/mls/file_contexts/program/yppasswdd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# yppasswd
-/usr/sbin/rpc.yppasswdd		--	system_u:object_r:yppasswdd_exec_t:s0
diff --git a/mls/file_contexts/program/ypserv.fc b/mls/file_contexts/program/ypserv.fc
deleted file mode 100644
index 023746f..0000000
--- a/mls/file_contexts/program/ypserv.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# ypserv
-/usr/sbin/ypserv		--	system_u:object_r:ypserv_exec_t:s0
-/usr/lib/yp/.+			--	system_u:object_r:bin_t:s0
-/etc/ypserv\.conf		--	system_u:object_r:ypserv_conf_t:s0
diff --git a/mls/file_contexts/program/zebra.fc b/mls/file_contexts/program/zebra.fc
deleted file mode 100644
index 328f987..0000000
--- a/mls/file_contexts/program/zebra.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# Zebra - BGP daemon
-/usr/sbin/zebra		--	system_u:object_r:zebra_exec_t:s0
-/usr/sbin/bgpd		--	system_u:object_r:zebra_exec_t:s0
-/var/log/zebra(/.*)?		system_u:object_r:zebra_log_t:s0
-/etc/zebra(/.*)?		system_u:object_r:zebra_conf_t:s0
-/var/run/\.zserv	-s	system_u:object_r:zebra_var_run_t:s0
-/var/run/\.zebra	-s	system_u:object_r:zebra_var_run_t:s0
-# Quagga
-/usr/sbin/rip.*  	--	system_u:object_r:zebra_exec_t:s0
-/usr/sbin/ospf.*  	--	system_u:object_r:zebra_exec_t:s0
-/etc/quagga(/.*)?		system_u:object_r:zebra_conf_t:s0
-/var/log/quagga(/.*)?		system_u:object_r:zebra_log_t:s0
-/var/run/quagga(/.*)?		system_u:object_r:zebra_var_run_t:s0
diff --git a/mls/file_contexts/types.fc b/mls/file_contexts/types.fc
deleted file mode 100644
index b80644c..0000000
--- a/mls/file_contexts/types.fc
+++ /dev/null
@@ -1,523 +0,0 @@
-#
-# This file describes the security contexts to be applied to files
-# when the security policy is installed.  The setfiles program
-# reads this file and labels files accordingly.
-#
-# Each specification has the form:
-#       regexp [ -type ] ( context | <<none>> )
-#
-# By default, the regexp is an anchored match on both ends (i.e. a 
-# caret (^) is prepended and a dollar sign ($) is appended automatically).
-# This default may be overridden by using .* at the beginning and/or
-# end of the regular expression.  
-#
-# The optional type field specifies the file type as shown in the mode
-# field by ls, e.g. use -d to match only directories or -- to match only
-# regular files.
-#
-# The value of <<none> may be used to indicate that matching files
-# should not be relabeled.
-#
-# The last matching specification is used.
-#
-# If there are multiple hard links to a file that match
-# different specifications and those specifications indicate
-# different security contexts, then a warning is displayed
-# but the file is still labeled based on the last matching
-# specification other than <<none>>.
-#
-# Some of the files listed here get re-created during boot and therefore
-# need type transition rules to retain the correct type. These files are
-# listed here anyway so that if the setfiles program is used on a running
-# system it does not relabel them to something we do not want. An example of
-# this is /var/run/utmp.
-#
-
-#
-# The security context for all files not otherwise specified.
-#
-/.*				system_u:object_r:default_t:s0
-
-#
-# The root directory.
-#
-/			-d	system_u:object_r:root_t:s0
-
-#
-# Ordinary user home directories.
-# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
-# HOME_DIR expands to each users home directory,
-#                  and to HOME_ROOT/[^/]+ for each HOME_ROOT.
-# ROLE expands to each users role when role != user_r, and to "user" otherwise.
-#
-HOME_ROOT		-d	system_u:object_r:home_root_t:s0
-HOME_DIR		-d	system_u:object_r:ROLE_home_dir_t:s0-s15:c0.c255
-HOME_DIR/.+			<<none>>
-
-/root/\.default_contexts	-- 	system_u:object_r:default_context_t:s0
-
-#
-# Mount points; do not relabel subdirectories, since
-# we do not want to change any removable media by default.
-/mnt(/[^/]*)?		-d	system_u:object_r:mnt_t:s0
-/mnt/[^/]*/.*			<<none>>
-/media(/[^/]*)?		-d	system_u:object_r:mnt_t:s0
-/media/[^/]*/.*			<<none>>
-
-#
-# /var
-#
-/var(/.*)?			system_u:object_r:var_t:s0
-/var/cache/man(/.*)?		system_u:object_r:man_t:s0
-/var/yp(/.*)?			system_u:object_r:var_yp_t:s0
-/var/lib(/.*)?			system_u:object_r:var_lib_t:s0
-/var/lib/nfs(/.*)?		system_u:object_r:var_lib_nfs_t:s0
-/var/lib/abl(/.*)?		system_u:object_r:var_auth_t:s0
-/var/lib/texmf(/.*)?		system_u:object_r:tetex_data_t:s0
-/var/cache/fonts(/.*)?		system_u:object_r:tetex_data_t:s0
-/var/lock(/.*)?			system_u:object_r:var_lock_t:s0
-/var/tmp		-d	system_u:object_r:tmp_t:s0-s15:c0.c255
-/var/tmp/.*			<<none>>
-/var/tmp/vi\.recover	-d	system_u:object_r:tmp_t:s0
-/var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
-/var/mailman/bin(/.*)?		system_u:object_r:bin_t:s0
-/var/mailman/pythonlib(/.*)?/.*\.so(\..*)?	-- system_u:object_r:shlib_t:s0
-
-#
-# /var/ftp
-#
-/var/ftp/bin(/.*)?		system_u:object_r:bin_t:s0
-/var/ftp/bin/ls		--	system_u:object_r:ls_exec_t:s0
-/var/ftp/lib(64)?(/.*)?		system_u:object_r:lib_t:s0
-/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* --	system_u:object_r:ld_so_t:s0
-/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t:s0
-/var/ftp/etc(/.*)?		system_u:object_r:etc_t:s0
-
-#
-# /bin
-#
-/bin(/.*)?			system_u:object_r:bin_t:s0
-/bin/tcsh		--	system_u:object_r:shell_exec_t:s0
-/bin/bash		--	system_u:object_r:shell_exec_t:s0
-/bin/bash2		--	system_u:object_r:shell_exec_t:s0
-/bin/sash		--	system_u:object_r:shell_exec_t:s0
-/bin/d?ash		--	system_u:object_r:shell_exec_t:s0
-/bin/zsh.*		--	system_u:object_r:shell_exec_t:s0
-/usr/sbin/sesh		--	system_u:object_r:shell_exec_t:s0
-/bin/ls			--	system_u:object_r:ls_exec_t:s0
-
-#
-# /boot
-#
-/boot(/.*)?			system_u:object_r:boot_t:s0
-/boot/System\.map(-.*)?		system_u:object_r:system_map_t:s0
-
-#
-# /dev
-#
-/dev(/.*)?			system_u:object_r:device_t:s0
-/dev/pts		-d	system_u:object_r:devpts_t:s0-s15:c0.c255
-/dev/pts(/.*)?		<<none>>
-/dev/cpu/.*		-c	system_u:object_r:cpu_device_t:s0
-/dev/microcode	-c	system_u:object_r:cpu_device_t:s0
-/dev/MAKEDEV		--	system_u:object_r:sbin_t:s0
-/dev/null		-c	system_u:object_r:null_device_t:s0
-/dev/full		-c	system_u:object_r:null_device_t:s0
-/dev/zero		-c	system_u:object_r:zero_device_t:s0
-/dev/console		-c	system_u:object_r:console_device_t:s0
-/dev/xconsole		-p	system_u:object_r:xconsole_device_t:s0
-/dev/(kmem|mem|port)	-c	system_u:object_r:memory_device_t:s15:c0.c255
-/dev/nvram		-c	system_u:object_r:memory_device_t:s0
-/dev/random		-c	system_u:object_r:random_device_t:s0
-/dev/urandom		-c	system_u:object_r:urandom_device_t:s0
-/dev/adb.*		-c	system_u:object_r:tty_device_t:s0
-/dev/capi.*		-c	system_u:object_r:tty_device_t:s0
-/dev/dcbri[0-9]+	-c	system_u:object_r:tty_device_t:s0
-/dev/irlpt[0-9]+	-c	system_u:object_r:printer_device_t:s0
-/dev/ircomm[0-9]+	-c	system_u:object_r:tty_device_t:s0
-/dev/rfcomm[0-9]+	-c	system_u:object_r:tty_device_t:s0
-/dev/isdn.*		-c	system_u:object_r:tty_device_t:s0
-/dev/.*tty[^/]*	-c	system_u:object_r:tty_device_t:s0
-/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f]	-c system_u:object_r:bsdpty_device_t:s0
-/dev/cu.*		-c	system_u:object_r:tty_device_t:s0
-/dev/vcs[^/]*		-c	system_u:object_r:tty_device_t:s0
-/dev/ip2[^/]*		-c	system_u:object_r:tty_device_t:s0
-/dev/hvc.*		-c	system_u:object_r:tty_device_t:s0
-/dev/hvsi.*		-c	system_u:object_r:tty_device_t:s0
-/dev/ttySG.*		-c	system_u:object_r:tty_device_t:s0
-/dev/tty		-c	system_u:object_r:devtty_t:s0
-/dev/lp.*		-c	system_u:object_r:printer_device_t:s0
-/dev/par.*		-c	system_u:object_r:printer_device_t:s0
-/dev/usb/lp.*		-c	system_u:object_r:printer_device_t:s0
-/dev/usblp.*		-c	system_u:object_r:printer_device_t:s0
-ifdef(`distro_redhat', `
-/dev/root		-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-')
-/dev/[shmx]d[^/]*	-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/dm-[0-9]+	-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/sg[0-9]+		-c	system_u:object_r:scsi_generic_device_t:s0
-/dev/rd.*		-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/i2o/hd[^/]*	-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/ubd[^/]*		-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/cciss/[^/]*	-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/mapper/.*		-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/ida/[^/]*	-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/dasd[^/]*	-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/flash[^/]*	-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/nb[^/]+		-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/ataraid/.*	-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/loop.*		-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/net/.*		-c	system_u:object_r:tun_tap_device_t:s0
-/dev/ram.*		-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/rawctl		-c	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/raw/raw[0-9]+	-c	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/scramdisk/.*	-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/initrd		-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/jsfd		-b	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/js.*		-c	system_u:object_r:mouse_device_t:s0
-/dev/jsflash		-c	system_u:object_r:fixed_disk_device_t:s15:c0.c255
-/dev/xvd.*		-b	system_u:object_r:fixed_disk_device_t:s0
-/dev/s(cd|r)[^/]*	-b	system_u:object_r:removable_device_t:s0
-/dev/usb/rio500	-c	system_u:object_r:removable_device_t:s0
-/dev/fd[^/]+		-b	system_u:object_r:removable_device_t:s0
-# I think a parallel port disk is a removable device...
-/dev/pd[a-d][^/]*	-b	system_u:object_r:removable_device_t:s0
-/dev/p[fg][0-3]	-b	system_u:object_r:removable_device_t:s0
-/dev/aztcd		-b	system_u:object_r:removable_device_t:s0
-/dev/bpcd		-b	system_u:object_r:removable_device_t:s0
-/dev/gscd		-b	system_u:object_r:removable_device_t:s0
-/dev/hitcd		-b	system_u:object_r:removable_device_t:s0
-/dev/pcd[0-3]		-b	system_u:object_r:removable_device_t:s0
-/dev/mcdx?		-b	system_u:object_r:removable_device_t:s0
-/dev/cdu.*		-b	system_u:object_r:removable_device_t:s0
-/dev/cm20.*		-b	system_u:object_r:removable_device_t:s0
-/dev/optcd		-b	system_u:object_r:removable_device_t:s0
-/dev/sbpcd.*		-b	system_u:object_r:removable_device_t:s0
-/dev/sjcd		-b	system_u:object_r:removable_device_t:s0
-/dev/sonycd		-b	system_u:object_r:removable_device_t:s0
-# parallel port ATAPI generic device
-/dev/pg[0-3]		-c	system_u:object_r:removable_device_t:s0
-/dev/rtc		-c	system_u:object_r:clock_device_t:s0
-/dev/psaux		-c	system_u:object_r:mouse_device_t:s0
-/dev/atibm		-c	system_u:object_r:mouse_device_t:s0
-/dev/logibm		-c	system_u:object_r:mouse_device_t:s0
-/dev/.*mouse.*	-c	system_u:object_r:mouse_device_t:s0
-/dev/input/.*mouse.*	-c	system_u:object_r:mouse_device_t:s0
-/dev/input/event.*	-c	system_u:object_r:event_device_t:s0
-/dev/input/mice	-c	system_u:object_r:mouse_device_t:s0
-/dev/input/js.*	-c	system_u:object_r:mouse_device_t:s0
-/dev/ptmx		-c	system_u:object_r:ptmx_t:s0
-/dev/sequencer	-c	system_u:object_r:misc_device_t:s0
-/dev/fb[0-9]*		-c	system_u:object_r:framebuf_device_t:s0
-/dev/apm_bios		-c	system_u:object_r:apm_bios_t:s0
-/dev/cpu/mtrr		-c	system_u:object_r:mtrr_device_t:s0
-/dev/pmu		-c	system_u:object_r:power_device_t:s0
-/dev/(radio|video|vbi|vtx).* -c	system_u:object_r:v4l_device_t:s0
-/dev/winradio.	-c	system_u:object_r:v4l_device_t:s0
-/dev/vttuner		-c	system_u:object_r:v4l_device_t:s0
-/dev/tlk[0-3]		-c	system_u:object_r:v4l_device_t:s0
-/dev/adsp		-c	system_u:object_r:sound_device_t:s0
-/dev/mixer.*		-c	system_u:object_r:sound_device_t:s0
-/dev/dsp.*		-c	system_u:object_r:sound_device_t:s0
-/dev/audio.*		-c	system_u:object_r:sound_device_t:s0
-/dev/r?midi.*		-c	system_u:object_r:sound_device_t:s0
-/dev/sequencer2	-c	system_u:object_r:sound_device_t:s0
-/dev/smpte.*		-c	system_u:object_r:sound_device_t:s0
-/dev/sndstat		-c	system_u:object_r:sound_device_t:s0
-/dev/beep		-c	system_u:object_r:sound_device_t:s0
-/dev/patmgr[01]	-c	system_u:object_r:sound_device_t:s0
-/dev/mpu401.*		-c	system_u:object_r:sound_device_t:s0
-/dev/srnd[0-7]	-c	system_u:object_r:sound_device_t:s0
-/dev/aload.*		-c	system_u:object_r:sound_device_t:s0
-/dev/amidi.*		-c	system_u:object_r:sound_device_t:s0
-/dev/amixer.*		-c	system_u:object_r:sound_device_t:s0
-/dev/snd/.*		-c	system_u:object_r:sound_device_t:s0
-/dev/n?[hs]t[0-9].*	-c	system_u:object_r:tape_device_t:s0
-/dev/n?(raw)?[qr]ft[0-3] -c	system_u:object_r:tape_device_t:s0
-/dev/n?z?qft[0-3]	-c	system_u:object_r:tape_device_t:s0
-/dev/n?tpqic[12].*	-c	system_u:object_r:tape_device_t:s0
-/dev/ht[0-1]		-b	system_u:object_r:tape_device_t:s0
-/dev/n?osst[0-3].*	-c	system_u:object_r:tape_device_t:s0
-/dev/n?pt[0-9]+	-c	system_u:object_r:tape_device_t:s0
-/dev/tape.*		-c	system_u:object_r:tape_device_t:s0
-ifdef(`distro_suse', `
-/dev/usbscanner	-c	system_u:object_r:scanner_device_t:s0
-')
-/dev/usb/scanner.*	-c	system_u:object_r:scanner_device_t:s0
-/dev/usb/dc2xx.*	-c	system_u:object_r:scanner_device_t:s0
-/dev/usb/mdc800.*	-c	system_u:object_r:scanner_device_t:s0
-/dev/usb/tty.*	-c	system_u:object_r:usbtty_device_t:s0
-/dev/mmetfgrab	-c	system_u:object_r:scanner_device_t:s0
-/dev/nvidia.*		-c	system_u:object_r:xserver_misc_device_t:s0
-/dev/dri/.+		-c	system_u:object_r:dri_device_t:s0
-/dev/radeon		-c	system_u:object_r:dri_device_t:s0
-/dev/agpgart		-c	system_u:object_r:agp_device_t:s0
-/dev/z90crypt		-c	system_u:object_r:crypt_device_t:s0
-
-#
-# Misc
-#
-/proc(/.*)?			<<none>>
-/sys(/.*)?			<<none>>
-/selinux(/.*)?			<<none>>
-
-#
-# /opt
-#
-/opt(/.*)?			system_u:object_r:usr_t:s0
-/opt(/.*)?/lib(64)?(/.*)?				system_u:object_r:lib_t:s0
-/opt(/.*)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t:s0
-/opt(/.*)?/libexec(/.*)?	system_u:object_r:bin_t:s0
-/opt(/.*)?/bin(/.*)?		system_u:object_r:bin_t:s0
-/opt(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t:s0
-/opt(/.*)?/man(/.*)?		system_u:object_r:man_t:s0
-/opt(/.*)?/var/lib(64)?(/.*)?		system_u:object_r:var_lib_t:s0
-
-#
-# /etc
-#
-/etc(/.*)?			system_u:object_r:etc_t:s0
-/var/db/.*\.db		--	system_u:object_r:etc_t:s0
-/etc/\.pwd\.lock	--	system_u:object_r:shadow_t:s0
-/etc/passwd\.lock	--	system_u:object_r:shadow_t:s0
-/etc/group\.lock	--	system_u:object_r:shadow_t:s0
-/etc/shadow.*		--	system_u:object_r:shadow_t:s0
-/etc/gshadow.*		--	system_u:object_r:shadow_t:s0
-/var/db/shadow.*	--	system_u:object_r:shadow_t:s0
-/etc/blkid\.tab.*	--	system_u:object_r:etc_runtime_t:s0
-/etc/fstab\.REVOKE	--	system_u:object_r:etc_runtime_t:s0
-/etc/\.fstab\.hal\..+	--	system_u:object_r:etc_runtime_t:s0
-/etc/HOSTNAME		--	system_u:object_r:etc_runtime_t:s0
-/etc/ioctl\.save	--	system_u:object_r:etc_runtime_t:s0
-/etc/mtab		--	system_u:object_r:etc_runtime_t:s0
-/etc/motd		--	system_u:object_r:etc_runtime_t:s0
-/etc/issue		--	system_u:object_r:etc_runtime_t:s0
-/etc/issue\.net		--	system_u:object_r:etc_runtime_t:s0
-/etc/sysconfig/hwconf	--	system_u:object_r:etc_runtime_t:s0
-/etc/sysconfig/iptables\.save -- system_u:object_r:etc_runtime_t:s0
-/etc/sysconfig/firstboot --	system_u:object_r:etc_runtime_t:s0
-/etc/asound\.state	--	system_u:object_r:etc_runtime_t:s0
-/etc/ptal/ptal-printd-like -- 	system_u:object_r:etc_runtime_t:s0
-ifdef(`distro_gentoo', `
-/etc/profile\.env	--	system_u:object_r:etc_runtime_t:s0
-/etc/csh\.env		--	system_u:object_r:etc_runtime_t:s0
-/etc/env\.d/.*		--	system_u:object_r:etc_runtime_t:s0
-')
-/etc/ld\.so\.cache	--	system_u:object_r:ld_so_cache_t:s0
-/etc/ld\.so\.preload	--	system_u:object_r:ld_so_cache_t:s0
-/etc/yp\.conf.*		--	system_u:object_r:net_conf_t:s0
-/etc/resolv\.conf.*	--	system_u:object_r:net_conf_t:s0
-
-/etc/selinux(/.*)?		system_u:object_r:selinux_config_t:s0
-/etc/selinux/([^/]*/)?seusers	--	system_u:object_r:selinux_config_t:s15:c0.c255
-/etc/selinux/([^/]*/)?users(/.*)?	system_u:object_r:selinux_config_t:s15:c0.c255
-/etc/selinux/([^/]*/)?policy(/.*)?	system_u:object_r:policy_config_t:s15:c0.c255
-/etc/selinux/([^/]*/)?src(/.*)?	system_u:object_r:policy_src_t:s15:c0.c255
-/etc/selinux/([^/]*/)?contexts(/.*)?	system_u:object_r:default_context_t:s0
-/etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t:s15:c0.c255
-
-
-#
-# /lib(64)?
-#
-/lib(64)?(/.*)?					system_u:object_r:lib_t:s0
-/lib(64)?/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t:s0
-/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t:s0
-
-#
-# /sbin
-#
-/sbin(/.*)?			system_u:object_r:sbin_t:s0
-
-#
-# /tmp
-#
-/tmp			-d	system_u:object_r:tmp_t:s0-s15:c0.c255
-/tmp/.*				<<none>>
-
-#
-# /usr
-#
-/usr(/.*)?			system_u:object_r:usr_t:s0
-/usr(/.*)?/lib(64)?(/.*)?	system_u:object_r:lib_t:s0
-/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t:s0
-/usr/lib/win32/.*	--	system_u:object_r:shlib_t:s0
-/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t:s0
-/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t:s0
-/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t:s0
-/usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t:s0
-/usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t:s0
-/usr(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t:s0
-/usr/etc(/.*)?			system_u:object_r:etc_t:s0
-/usr/inclu.e(/.*)?		system_u:object_r:usr_t:s0
-/usr/libexec(/.*)?		system_u:object_r:bin_t:s0
-/usr/src(/.*)?			system_u:object_r:src_t:s0
-/usr/tmp		-d	system_u:object_r:tmp_t:s0-s15:c0.c255
-/usr/tmp/.*			<<none>>
-/usr/man(/.*)?			system_u:object_r:man_t:s0
-/usr/share/man(/.*)?		system_u:object_r:man_t:s0
-/usr/share/mc/extfs/.*	--	system_u:object_r:bin_t:s0
-/usr/share(/.*)?/lib(64)?(/.*)?	system_u:object_r:usr_t:s0
-/usr/share/ssl/certs(/.*)?	system_u:object_r:cert_t:s0
-/usr/share/ssl/private(/.*)?	system_u:object_r:cert_t:s0
-
-# nvidia share libraries
-/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/nvidia/.*\.so(\..*)?	-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/libXvMCNVIDIA\.so.* 	-- system_u:object_r:texrel_shlib_t:s0
-
-# libGL
-/usr/X11R6/lib/libGL\.so.* 	-- system_u:object_r:texrel_shlib_t:s0
-
-ifdef(`distro_debian', `
-/usr/share/selinux(/.*)?	system_u:object_r:policy_src_t:s0
-')
-ifdef(`distro_gentoo', `
-/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	system_u:object_r:bin_t:s0
-')
-
-#
-# /usr/lib(64)?
-#
-/usr/lib(64)?/perl5/man(/.*)?	system_u:object_r:man_t:s0
-/usr/lib(64)?/selinux(/.*)?		system_u:object_r:policy_src_t:s0
-/usr/lib(64)?/emacsen-common/.*	system_u:object_r:bin_t:s0
-
-#
-# /usr/local
-#
-/usr/local/etc(/.*)?		system_u:object_r:etc_t:s0
-/usr/local/src(/.*)?		system_u:object_r:src_t:s0
-/usr/local/man(/.*)?		system_u:object_r:man_t:s0
-/usr/local/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t:s0
-/usr/(local/)?lib/wine/.*\.so   --	system_u:object_r:texrel_shlib_t:s0
-/usr/(local/)?lib/libfame-.*\.so.*    --	system_u:object_r:texrel_shlib_t:s0
-
-
-#
-# /usr/X11R6/man
-#
-/usr/X11R6/man(/.*)?		system_u:object_r:man_t:s0
-
-#
-# Fonts dir
-#
-/usr/X11R6/lib/X11/fonts(/.*)?		system_u:object_r:fonts_t:s0
-ifdef(`distro_debian', `
-/var/lib/msttcorefonts(/.*)?		system_u:object_r:fonts_t:s0
-')
-/usr/share/fonts(/.*)?			system_u:object_r:fonts_t:s0
-/usr/share/ghostscript/fonts(/.*)?	system_u:object_r:fonts_t:s0
-/usr/local/share/fonts(/.*)?		system_u:object_r:fonts_t:s0
-
-#
-# /var/run
-#
-/var/run		-d	system_u:object_r:var_run_t:s0-s15:c0.c255
-/var/run/.*\.*pid		<<none>>
-/var/run/.*			system_u:object_r:var_run_t:s0
-
-#
-# /var/spool
-#
-/var/spool(/.*)?		system_u:object_r:var_spool_t:s0
-/var/spool/texmf(/.*)?		system_u:object_r:tetex_data_t:s0
-/var/spool/(client)?mqueue(/.*)?	system_u:object_r:mqueue_spool_t:s0
-
-# 
-# /var/log
-#
-/var/log(/.*)?			system_u:object_r:var_log_t:s0
-/var/log/wtmp.*		--	system_u:object_r:wtmp_t:s0
-/var/log/btmp.*		--	system_u:object_r:faillog_t:s0
-/var/log/faillog	--	system_u:object_r:faillog_t:s0
-/var/log/ksyms.*	--	system_u:object_r:var_log_ksyms_t:s0
-/var/log/dmesg		--	system_u:object_r:var_log_t:s0
-/var/log/lastlog	--	system_u:object_r:lastlog_t:s0
-/var/log/ksymoops(/.*)?		system_u:object_r:var_log_ksyms_t:s0
-/var/log/syslog		--	system_u:object_r:var_log_t:s0
-
-#
-# Journal files
-#
-/\.journal			<<none>>
-/usr/\.journal			<<none>>
-/boot/\.journal			<<none>>
-HOME_ROOT/\.journal		<<none>>
-/var/\.journal			<<none>>
-/tmp/\.journal			<<none>>
-/usr/local/\.journal		<<none>>
-
-#
-# Lost and found directories.
-#
-/lost\+found		-d	system_u:object_r:lost_found_t:s15:c0.c255
-/lost\+found/.*			<<none>>
-/usr/lost\+found	-d	system_u:object_r:lost_found_t:s15:c0.c255
-/usr/lost\+found/.*		<<none>>
-/boot/lost\+found	-d	system_u:object_r:lost_found_t:s15:c0.c255
-/boot/lost\+found/.*		<<none>>
-HOME_ROOT/lost\+found	-d	system_u:object_r:lost_found_t:s15:c0.c255
-HOME_ROOT/lost\+found/.*	<<none>>
-/var/lost\+found	-d	system_u:object_r:lost_found_t:s15:c0.c255
-/var/lost\+found/.*		<<none>>
-/tmp/lost\+found	-d	system_u:object_r:lost_found_t:s15:c0.c255
-/tmp/lost\+found/.*		<<none>>
-/var/tmp/lost\+found	-d	system_u:object_r:lost_found_t:s15:c0.c255
-/var/tmp/lost\+found/.*		<<none>>
-/usr/local/lost\+found	-d	system_u:object_r:lost_found_t:s15:c0.c255
-/usr/local/lost\+found/.*	<<none>>
-
-#
-# system localization
-#
-/usr/share/zoneinfo(/.*)?	system_u:object_r:locale_t:s0
-/usr/share/locale(/.*)?		system_u:object_r:locale_t:s0
-/usr/lib/locale(/.*)?		system_u:object_r:locale_t:s0
-/etc/localtime		--	system_u:object_r:locale_t:s0
-/etc/localtime		-l	system_u:object_r:etc_t:s0
-/etc/pki(/.*)?				system_u:object_r:cert_t:s0
-
-#
-# Gnu Cash
-#
-/usr/share/gnucash/finance-quote-check -- system_u:object_r:bin_t:s0
-/usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t:s0
-
-#
-# Turboprint
-#
-/usr/share/turboprint/lib(/.*)? 	--     system_u:object_r:bin_t:s0
-/usr/share/hwdata(/.*)? 	        system_u:object_r:hwdata_t:s0
-
-#
-# initrd mount point, only used during boot
-#
-/initrd			-d	system_u:object_r:root_t:s0
-
-#
-#  The krb5.conf file is always being tested for writability, so
-#  we defined a type to dontaudit
-#
-/etc/krb5\.conf		--	system_u:object_r:krb5_conf_t:s0
-
-#
-# Thunderbird
-#
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird --      system_u:object_r:bin_t:s0
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t:s0
-
-#
-# /srv
-#
-/srv(/.*)?			system_u:object_r:var_t:s0
-
-/etc/sysconfig/network-scripts/ifup-.* 		-- system_u:object_r:bin_t:s0
-/etc/sysconfig/network-scripts/ifdown-.* 	-- system_u:object_r:bin_t:s0
diff --git a/mls/flask/Makefile b/mls/flask/Makefile
deleted file mode 100644
index 970b9fe..0000000
--- a/mls/flask/Makefile
+++ /dev/null
@@ -1,41 +0,0 @@
-# flask needs to know where to export the libselinux headers.
-LIBSEL ?= ../../libselinux
-
-# flask needs to know where to export the kernel headers.
-LINUXDIR ?= ../../../linux-2.6
-
-AWK = awk
-
-CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
-          else if [ -x /bin/bash ]; then echo /bin/bash; \
-          else echo sh; fi ; fi)
-
-FLASK_H_DEPEND = security_classes initial_sids
-AV_H_DEPEND = access_vectors
-
-FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
-AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
-ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
-
-all:  $(ALL_H_FILES)
-
-$(FLASK_H_FILES): $(FLASK_H_DEPEND)
-	$(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
-
-$(AV_H_FILES): $(AV_H_DEPEND)
-	$(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
-
-tolib: all
-	install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
-	install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src
-
-tokern: all
-	install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
-
-install: all
-
-relabel:
-
-clean:  
-	rm -f $(FLASK_H_FILES)
-	rm -f $(AV_H_FILES)
diff --git a/mls/flask/access_vectors b/mls/flask/access_vectors
deleted file mode 100644
index dc20463..0000000
--- a/mls/flask/access_vectors
+++ /dev/null
@@ -1,608 +0,0 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
-	ioctl
-	read
-	write
-	create
-	getattr
-	setattr
-	lock
-	relabelfrom
-	relabelto
-	append
-	unlink
-	link
-	rename
-	execute
-	swapon
-	quotaon
-	mounton
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
-	ioctl
-	read
-	write
-	create
-	getattr
-	setattr
-	lock
-	relabelfrom
-	relabelto
-	append
-# socket-specific
-	bind
-	connect
-	listen
-	accept
-	getopt
-	setopt
-	shutdown
-	recvfrom
-	sendto
-	recv_msg
-	send_msg
-	name_bind
-}	
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
-	create
-	destroy
-	getattr
-	setattr
-	read
-	write
-	associate
-	unix_read
-	unix_write
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
-	mount
-	remount
-	unmount
-	getattr
-	relabelfrom
-	relabelto
-	transition
-	associate
-	quotamod
-	quotaget
-}
-
-class dir
-inherits file
-{
-	add_name
-	remove_name
-	reparent
-	search
-	rmdir
-}
-
-class file
-inherits file
-{
-	execute_no_trans
-	entrypoint
-	execmod
-}
-
-class lnk_file
-inherits file
-
-class chr_file
-inherits file
-{
-	execute_no_trans
-	entrypoint
-	execmod
-}
-
-class blk_file
-inherits file
-
-class sock_file
-inherits file
-
-class fifo_file
-inherits file
-
-class fd
-{
-	use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
-	connectto
-	newconn
-	acceptfrom
-	node_bind
-	name_connect
-}
-
-class udp_socket
-inherits socket
-{
-	node_bind
-}
-
-class rawip_socket
-inherits socket
-{
-	node_bind
-}
-
-class node 
-{
-	tcp_recv
-	tcp_send
-	udp_recv
-	udp_send
-	rawip_recv
-	rawip_send
-	enforce_dest
-}
-
-class netif
-{
-	tcp_recv
-	tcp_send
-	udp_recv
-	udp_send
-	rawip_recv
-	rawip_send
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
-	connectto
-	newconn
-	acceptfrom
-}
-
-class unix_dgram_socket
-inherits socket
-
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
-	fork
-	transition
-	sigchld # commonly granted from child to parent
-	sigkill # cannot be caught or ignored
-	sigstop # cannot be caught or ignored
-	signull # for kill(pid, 0)
-	signal  # all other signals
-	ptrace
-	getsched
-	setsched
-	getsession
-	getpgid
-	setpgid
-	getcap
-	setcap
-	share
-	getattr
-	setexec
-	setfscreate
-	noatsecure
-	siginh
-	setrlimit
-	rlimitinh
-	dyntransition
-	setcurrent
-	execmem
-	execstack
-	execheap
-}
-
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
-	enqueue
-}
-
-class msg
-{
-	send
-	receive
-}
-
-class shm
-inherits ipc
-{
-	lock
-}
-
-
-#
-# Define the access vector interpretation for the security server. 
-#
-
-class security
-{
-	compute_av
-	compute_create
-	compute_member
-	check_context
-	load_policy
-	compute_relabel
-	compute_user
-	setenforce     # was avc_toggle in system class
-	setbool
-	setsecparam
-	setcheckreqprot
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
-	ipc_info
-	syslog_read  
-	syslog_mod
-	syslog_console
-}
-
-#
-# Define the access vector interpretation for controling capabilies
-#
-
-class capability
-{
-	# The capabilities are defined in include/linux/capability.h
-	# Care should be taken to ensure that these are consistent with
-	# those definitions. (Order matters)
-
-	chown           
-	dac_override    
-	dac_read_search 
-	fowner          
-	fsetid          
-	kill            
-	setgid           
-	setuid           
-	setpcap          
-	linux_immutable  
-	net_bind_service 
-	net_broadcast    
-	net_admin        
-	net_raw          
-	ipc_lock         
-	ipc_owner        
-	sys_module       
-	sys_rawio        
-	sys_chroot       
-	sys_ptrace       
-	sys_pacct        
-	sys_admin        
-	sys_boot         
-	sys_nice         
-	sys_resource     
-	sys_time         
-	sys_tty_config  
-	mknod
-	lease
-	audit_write
-	audit_control
-}
-
-
-#
-# Define the access vector interpretation for controlling
-# changes to passwd information.
-#
-class passwd
-{
-	passwd	# change another user passwd
-	chfn	# change another user finger info
-	chsh	# change another user shell
-	rootok  # pam_rootok check (skip auth)
-	crontab # crontab on another user
-}
-
-#
-# SE-X Windows stuff
-#
-class drawable
-{
-	create
-	destroy
-	draw
-	copy
-	getattr
-}
-
-class gc
-{
-	create
-	free
-	getattr
-	setattr
-}
-
-class window 
-{
-	addchild
-	create
-	destroy
-	map
-	unmap
-	chstack
-	chproplist
-	chprop	
-	listprop
-	getattr
-	setattr
-	setfocus
-	move
-	chselection
-	chparent
-	ctrllife
-	enumerate
-	transparent
-	mousemotion
-	clientcomevent
-	inputevent
-	drawevent
-	windowchangeevent
-	windowchangerequest
-	serverchangeevent
-	extensionevent
-}
-
-class font
-{
-	load
-	free
-	getattr
-	use
-}
-
-class colormap
-{
-	create
-	free
-	install
-	uninstall
-	list
-	read
-	store
-	getattr
-	setattr
-}
-
-class property
-{
-	create
-	free
-	read
-	write
-}
-
-class cursor
-{
-	create
-	createglyph
-	free
-	assign
-	setattr
-}
-
-class xclient
-{
-	kill
-}
-
-class xinput
-{
-	lookup
-	getattr
-	setattr
-	setfocus
-	warppointer
-	activegrab
-	passivegrab
-	ungrab
-	bell
-	mousemotion
-	relabelinput
-}
-
-class xserver
-{
-	screensaver
-	gethostlist
-	sethostlist
-	getfontpath
-	setfontpath
-	getattr
-	grab
-	ungrab
-}
-
-class xextension
-{
-	query
-	use
-}
-
-#
-# Define the access vector interpretation for controlling
-# PaX flags
-#
-class pax
-{
-        pageexec        # Paging based non-executable pages
-        emutramp        # Emulate trampolines
-        mprotect        # Restrict mprotect()
-        randmmap        # Randomize mmap() base
-        randexec        # Randomize ET_EXEC base
-        segmexec        # Segmentation based non-executable pages
-}
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_firewall_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-	nlmsg_relay
-	nlmsg_readpriv
-}
-
-class netlink_ip6fw_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access and communication through the D-BUS messaging
-# system.
-#
-class dbus
-{
-	acquire_svc
-	send_msg
-}
-
-# Define the access vector interpretation for controlling
-# access through the name service cache daemon (nscd).
-#
-class nscd
-{
-	getpwd
-	getgrp
-	gethost
-	getstat
-	admin
-       shmempwd
-       shmemgrp
-       shmemhost
-}
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
-       sendto
-       recvfrom
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
diff --git a/mls/flask/initial_sids b/mls/flask/initial_sids
deleted file mode 100644
index 95894eb..0000000
--- a/mls/flask/initial_sids
+++ /dev/null
@@ -1,35 +0,0 @@
-# FLASK
-
-#
-# Define initial security identifiers 
-#
-
-sid kernel
-sid security
-sid unlabeled
-sid fs
-sid file
-sid file_labels
-sid init
-sid any_socket
-sid port
-sid netif
-sid netmsg
-sid node
-sid igmp_packet
-sid icmp_socket
-sid tcp_socket
-sid sysctl_modprobe
-sid sysctl
-sid sysctl_fs
-sid sysctl_kernel
-sid sysctl_net
-sid sysctl_net_unix
-sid sysctl_vm
-sid sysctl_dev
-sid kmod
-sid policy
-sid scmp_packet
-sid devnull
-
-# FLASK
diff --git a/mls/flask/mkaccess_vector.sh b/mls/flask/mkaccess_vector.sh
deleted file mode 100644
index b5da734..0000000
--- a/mls/flask/mkaccess_vector.sh
+++ /dev/null
@@ -1,227 +0,0 @@
-#!/bin/sh -
-#
-
-# FLASK
-
-set -e
-
-awk=$1
-shift
-
-# output files
-av_permissions="av_permissions.h"
-av_inherit="av_inherit.h"
-common_perm_to_string="common_perm_to_string.h"
-av_perm_to_string="av_perm_to_string.h"
-
-cat $* | $awk "
-BEGIN	{
-		outfile = \"$av_permissions\"
-		inheritfile = \"$av_inherit\"
-		cpermfile = \"$common_perm_to_string\"
-		avpermfile = \"$av_perm_to_string\"
-		"'
-		nextstate = "COMMON_OR_AV";
-		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
-		printf("/* This file is automatically generated.  Do not edit. */\n") > inheritfile;
-		printf("/* This file is automatically generated.  Do not edit. */\n") > cpermfile;
-		printf("/* This file is automatically generated.  Do not edit. */\n") > avpermfile;
-;
-	}
-/^[ \t]*#/	{ 
-			next;
-		}
-$1 == "common"	{ 
-			if (nextstate != "COMMON_OR_AV")
-			{
-				printf("Parse error:  Unexpected COMMON definition on line %d\n", NR);
-				next;	
-			}
-
-			if ($2 in common_defined)
-			{
-				printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR);
-				next;
-			}	
-			common_defined[$2] = 1;
-
-			tclass = $2;
-			common_name = $2; 
-			permission = 1;
-
-			printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile;
-
-			nextstate = "COMMON-OPENBRACKET";
-			next;
-		}
-$1 == "class"	{
-			if (nextstate != "COMMON_OR_AV" &&
-			    nextstate != "CLASS_OR_CLASS-OPENBRACKET")
-			{
-				printf("Parse error:  Unexpected class definition on line %d\n", NR);
-				next;	
-			}
-
-			tclass = $2;
-
-			if (tclass in av_defined)
-			{
-				printf("Duplicate access vector definition for %s on line %d\n", tclass, NR);
-				next;
-			} 
-			av_defined[tclass] = 1;
-
-			inherits = "";
-			permission = 1;
-
-			nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
-			next;
-		}
-$1 == "inherits" {			
-			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET")
-			{
-				printf("Parse error:  Unexpected INHERITS definition on line %d\n", NR);
-				next;	
-			}
-
-			if (!($2 in common_defined))
-			{
-				printf("COMMON %s is not defined (line %d).\n", $2, NR);
-				next;
-			}
-
-			inherits = $2;
-			permission = common_base[$2];
-
-			for (combined in common_perms)
-			{
-				split(combined,separate, SUBSEP);
-				if (separate[1] == inherits)
-				{
-					inherited_perms[common_perms[combined]] = separate[2];
-				}
-			}
-
-                        j = 1;
-                        for (i in inherited_perms) {
-                            ind[j] = i + 0;
-                            j++;
-                        }
-                        n = asort(ind);
-			for (i = 1; i <= n; i++) {
-				perm = inherited_perms[ind[i]];
-				printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile; 
-				spaces = 40 - (length(perm) + length(tclass));
-				if (spaces < 1)
-				      spaces = 1;
-				for (j = 0; j < spaces; j++) 
-					printf(" ") > outfile; 
-				printf("0x%08xUL\n", ind[i]) > outfile; 
-			}
-			printf("\n") > outfile;
-                        for (i in ind) delete ind[i];
-                        for (i in inherited_perms) delete inherited_perms[i];
-
-			printf("   S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile; 
-
-			nextstate = "CLASS_OR_CLASS-OPENBRACKET";
-			next;
-		}
-$1 == "{"	{ 
-			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
-			    nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
-			    nextstate != "COMMON-OPENBRACKET")
-			{
-				printf("Parse error:  Unexpected { on line %d\n", NR);
-				next;
-			}
-
-			if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
-				nextstate = "CLASS-CLOSEBRACKET";
-
-			if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
-				nextstate = "CLASS-CLOSEBRACKET";
-
-			if (nextstate == "COMMON-OPENBRACKET")
-				nextstate = "COMMON-CLOSEBRACKET";
-		}
-/[a-z][a-z_]*/	{
-			if (nextstate != "COMMON-CLOSEBRACKET" &&
-			    nextstate != "CLASS-CLOSEBRACKET")
-			{
-				printf("Parse error:  Unexpected symbol %s on line %d\n", $1, NR);		
-				next;
-			}
-
-			if (nextstate == "COMMON-CLOSEBRACKET")
-			{
-				if ((common_name,$1) in common_perms)
-				{
-					printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR);
-					next;
-				}
-
-				common_perms[common_name,$1] = permission;
-
-				printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; 
-
-				printf("    S_(\"%s\")\n", $1) > cpermfile;
-			}
-			else
-			{
-				if ((tclass,$1) in av_perms)
-				{
-					printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR);
-					next;
-				}
-
-				av_perms[tclass,$1] = permission;
-		
-				if (inherits != "")
-				{
-					if ((inherits,$1) in common_perms)
-					{
-						printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR);
-						next;
-					}
-				}
-
-				printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; 
-
-				printf("   S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; 
-			}
-
-			spaces = 40 - (length($1) + length(tclass));
-			if (spaces < 1)
-			      spaces = 1;
-
-			for (i = 0; i < spaces; i++) 
-				printf(" ") > outfile; 
-			printf("0x%08xUL\n", permission) > outfile; 
-			permission = permission * 2;
-		}
-$1 == "}"	{
-			if (nextstate != "CLASS-CLOSEBRACKET" && 
-			    nextstate != "COMMON-CLOSEBRACKET")
-			{
-				printf("Parse error:  Unexpected } on line %d\n", NR);
-				next;
-			}
-
-			if (nextstate == "COMMON-CLOSEBRACKET")
-			{
-				common_base[common_name] = permission;
-				printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; 
-			}
-
-			printf("\n") > outfile;
-
-			nextstate = "COMMON_OR_AV";
-		}
-END	{
-		if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET")
-			printf("Parse error:  Unexpected end of file\n");
-
-	}'
-
-# FLASK
diff --git a/mls/flask/mkflask.sh b/mls/flask/mkflask.sh
deleted file mode 100644
index 9c84754..0000000
--- a/mls/flask/mkflask.sh
+++ /dev/null
@@ -1,95 +0,0 @@
-#!/bin/sh -
-#
-
-# FLASK
-
-set -e
-
-awk=$1
-shift 1
-
-# output file
-output_file="flask.h"
-debug_file="class_to_string.h"
-debug_file2="initial_sid_to_string.h"
-
-cat $* | $awk "
-BEGIN	{
-		outfile = \"$output_file\"
-		debugfile = \"$debug_file\"
-		debugfile2 = \"$debug_file2\"
-		"'
-		nextstate = "CLASS";
-
-		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
-
-		printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
-		printf("#define _SELINUX_FLASK_H_\n") > outfile;
-		printf("\n/*\n * Security object class definitions\n */\n") > outfile;
-		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile;
-		printf("/*\n * Security object class definitions\n */\n") > debugfile;
-		printf("    S_(\"null\")\n") > debugfile;
-		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile2;
-		printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
-		printf("    \"null\",\n") > debugfile2;
-	}
-/^[ \t]*#/	{ 
-			next;
-		}
-$1 == "class"	{ 
-			if (nextstate != "CLASS")
-			{
-				printf("Parse error:  Unexpected class definition on line %d\n", NR);
-				next;	
-			}
-
-			if ($2 in class_found)
-			{
-				printf("Duplicate class definition for %s on line %d.\n", $2, NR);
-				next;
-			}	
-			class_found[$2] = 1;
-
-			class_value++;
-
-			printf("#define SECCLASS_%s", toupper($2)) > outfile;
-			for (i = 0; i < 40 - length($2); i++) 
-				printf(" ") > outfile; 
-			printf("%d\n", class_value) > outfile; 
-
-			printf("    S_(\"%s\")\n", $2) > debugfile;
-		}
-$1 == "sid"	{ 
-			if (nextstate == "CLASS")
-			{
-			    nextstate = "SID";
-			    printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;			    
-			}
-
-			if ($2 in sid_found)
-			{
-				printf("Duplicate SID definition for %s on line %d.\n", $2, NR);
-				next;
-			}	
-			sid_found[$2] = 1;
-			sid_value++;
-
-			printf("#define SECINITSID_%s", toupper($2)) > outfile;
-			for (i = 0; i < 37 - length($2); i++) 
-				printf(" ") > outfile; 
-			printf("%d\n", sid_value) > outfile; 
-			printf("    \"%s\",\n", $2) > debugfile2;
-		}
-END	{
-		if (nextstate != "SID")
-			printf("Parse error:  Unexpected end of file\n");
-
-		printf("\n#define SECINITSID_NUM") > outfile;
-		for (i = 0; i < 34; i++) 
-			printf(" ") > outfile; 
-		printf("%d\n", sid_value) > outfile; 
-		printf("\n#endif\n") > outfile;
-		printf("};\n\n") > debugfile2;
-	}'
-
-# FLASK
diff --git a/mls/flask/security_classes b/mls/flask/security_classes
deleted file mode 100644
index 2669c30..0000000
--- a/mls/flask/security_classes
+++ /dev/null
@@ -1,86 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes 
-#
-
-class security
-class process
-class system
-class capability
-
-# file-related classes
-class filesystem
-class file
-class dir
-class fd
-class lnk_file
-class chr_file
-class blk_file
-class sock_file
-class fifo_file
-
-# network-related classes
-class socket
-class tcp_socket
-class udp_socket
-class rawip_socket
-class node
-class netif
-class netlink_socket
-class packet_socket
-class key_socket
-class unix_stream_socket
-class unix_dgram_socket
-
-# sysv-ipc-related classes
-class sem
-class msg
-class msgq
-class shm
-class ipc
-
-#
-# userspace object manager classes
-#
-
-# passwd/chfn/chsh
-class passwd
-
-# SE-X Windows stuff
-class drawable
-class window
-class gc
-class font
-class colormap
-class property
-class cursor
-class xclient
-class xinput
-class xserver
-class xextension
-
-# pax flags
-class pax
-
-# extended netlink sockets
-class netlink_route_socket
-class netlink_firewall_socket
-class netlink_tcpdiag_socket
-class netlink_nflog_socket
-class netlink_xfrm_socket
-class netlink_selinux_socket
-class netlink_audit_socket
-class netlink_ip6fw_socket
-class netlink_dnrt_socket
-
-class dbus
-class nscd
-
-# IPSec association
-class association
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-
-# FLASK
diff --git a/mls/fs_use b/mls/fs_use
deleted file mode 100644
index d884039..0000000
--- a/mls/fs_use
+++ /dev/null
@@ -1,33 +0,0 @@
-#
-# Define the labeling behavior for inodes in particular filesystem types.
-# This information was formerly hardcoded in the SELinux module.
-
-# Use xattrs for the following filesystem types.
-# Requires that a security xattr handler exist for the filesystem.
-fs_use_xattr ext2 system_u:object_r:fs_t:s0;
-fs_use_xattr ext3 system_u:object_r:fs_t:s0;
-fs_use_xattr xfs system_u:object_r:fs_t:s0;
-fs_use_xattr jfs system_u:object_r:fs_t:s0;
-fs_use_xattr reiserfs system_u:object_r:fs_t:s0;
-
-# Use the allocating task SID to label inodes in the following filesystem
-# types, and label the filesystem itself with the specified context.
-# This is appropriate for pseudo filesystems that represent objects
-# like pipes and sockets, so that these objects are labeled with the same
-# type as the creating task.  
-fs_use_task pipefs system_u:object_r:fs_t:s0;
-fs_use_task sockfs system_u:object_r:fs_t:s0;
-
-# Use a transition SID based on the allocating task SID and the
-# filesystem SID to label inodes in the following filesystem types,
-# and label the filesystem itself with the specified context.
-# This is appropriate for pseudo filesystems like devpts and tmpfs
-# where we want to label objects with a derived type.
-fs_use_trans devpts system_u:object_r:devpts_t:s0;
-fs_use_trans tmpfs system_u:object_r:tmpfs_t:s0;
-fs_use_trans shm system_u:object_r:tmpfs_t:s0;
-fs_use_trans mqueue system_u:object_r:tmpfs_t:s0;
-
-# The separate genfs_contexts configuration can be used for filesystem 
-# types that cannot support persistent label mappings or use
-# one of the fixed label schemes specified here.  
diff --git a/mls/genfs_contexts b/mls/genfs_contexts
deleted file mode 100644
index b9d5bc2..0000000
--- a/mls/genfs_contexts
+++ /dev/null
@@ -1,108 +0,0 @@
-# FLASK
-
-#
-# Security contexts for files in filesystems that
-# cannot support xattr or use one of the fixed labeling schemes 
-# specified in fs_use.
-#
-# Each specifications has the form:
-# 	genfscon fstype pathname-prefix [ -type ] context
-#
-# The entry with the longest matching pathname prefix is used.
-# / refers to the root directory of the file system, and
-# everything is specified relative to this root directory.
-# If there is no entry with a matching pathname prefix, then 
-# the unlabeled initial SID is used.
-#
-# The optional type field specifies the file type as shown in the mode
-# field by ls, e.g. use -c to match only character device files, -b
-# to match only block device files.
-#
-# Except for proc, in 2.6 other filesystems are limited to a single entry (/)
-# that covers all entries in the filesystem with a default file context.
-# For proc, a pathname can be reliably generated from the proc_dir_entry
-# tree.  The proc /sys entries are used for both proc inodes and for sysctl(2)
-# calls. /proc/PID entries are automatically labeled based on the associated
-# process.
-#
-# Support for other filesystem types requires corresponding code to be
-# added to the kernel, either as an xattr handler in the filesystem 
-# implementation (preferred, and necessary if you want to access the labels
-# from userspace) or as logic in the SELinux module.
-
-# proc (excluding /proc/PID)
-genfscon proc /				system_u:object_r:proc_t:s0
-genfscon proc /kmsg			system_u:object_r:proc_kmsg_t:s15:c0.c255
-genfscon proc /kcore			system_u:object_r:proc_kcore_t:s15:c0.c255
-genfscon proc /mdstat			system_u:object_r:proc_mdstat_t:s0
-genfscon proc /mtrr			system_u:object_r:mtrr_device_t:s0
-genfscon proc /net			system_u:object_r:proc_net_t:s0
-genfscon proc /sysvipc			system_u:object_r:proc_t:s0
-genfscon proc /sys			system_u:object_r:sysctl_t:s0
-genfscon proc /sys/kernel		system_u:object_r:sysctl_kernel_t:s0
-genfscon proc /sys/kernel/modprobe	system_u:object_r:sysctl_modprobe_t:s0
-genfscon proc /sys/kernel/hotplug	system_u:object_r:sysctl_hotplug_t:s0
-genfscon proc /sys/net			system_u:object_r:sysctl_net_t:s0
-genfscon proc /sys/net/unix		system_u:object_r:sysctl_net_unix_t:s0
-genfscon proc /sys/vm			system_u:object_r:sysctl_vm_t:s0
-genfscon proc /sys/dev			system_u:object_r:sysctl_dev_t:s0
-genfscon proc /net/rpc			system_u:object_r:sysctl_rpc_t:s0
-genfscon proc /irq			system_u:object_r:sysctl_irq_t:s0
-
-# rootfs
-genfscon rootfs /			system_u:object_r:root_t:s0
-
-# sysfs
-genfscon sysfs /			system_u:object_r:sysfs_t:s0
-
-# selinuxfs
-genfscon selinuxfs /			system_u:object_r:security_t:s0
-
-# autofs
-genfscon autofs /			system_u:object_r:autofs_t:s0
-genfscon automount /			system_u:object_r:autofs_t:s0
-
-# usbdevfs
-genfscon usbdevfs /			system_u:object_r:usbdevfs_t:s0
-
-# iso9660
-genfscon iso9660 /			system_u:object_r:iso9660_t:s0
-genfscon udf /				system_u:object_r:iso9660_t:s0
-
-# romfs
-genfscon romfs /			system_u:object_r:romfs_t:s0
-genfscon cramfs /			system_u:object_r:romfs_t:s0
-
-# ramfs
-genfscon ramfs /			system_u:object_r:ramfs_t:s0
-
-# vfat, msdos
-genfscon vfat /				system_u:object_r:dosfs_t:s0
-genfscon msdos /			system_u:object_r:dosfs_t:s0
-genfscon fat /				system_u:object_r:dosfs_t:s0
-genfscon ntfs /				system_u:object_r:dosfs_t:s0
-
-# samba
-genfscon cifs /				system_u:object_r:cifs_t:s0
-genfscon smbfs /			system_u:object_r:cifs_t:s0
-
-# nfs
-genfscon nfs /				system_u:object_r:nfs_t:s0
-genfscon nfs4 /				system_u:object_r:nfs_t:s0
-genfscon afs /				system_u:object_r:nfs_t:s0
-
-genfscon debugfs /			system_u:object_r:debugfs_t:s0
-genfscon inotifyfs /			system_u:object_r:inotifyfs_t:s0
-genfscon hugetlbfs /			system_u:object_r:hugetlbfs_t:s0
-genfscon capifs /			system_u:object_r:capifs_t:s0
-genfscon configfs /			system_u:object_r:configfs_t:s0
-
-# needs more work
-genfscon eventpollfs / system_u:object_r:eventpollfs_t:s0
-genfscon futexfs / system_u:object_r:futexfs_t:s0
-genfscon bdev / system_u:object_r:bdev_t:s0
-genfscon usbfs / system_u:object_r:usbfs_t:s0
-genfscon nfsd / system_u:object_r:nfsd_fs_t:s0
-genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t:s0
-genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t:s0
-
diff --git a/mls/initial_sid_contexts b/mls/initial_sid_contexts
deleted file mode 100644
index 53a3504..0000000
--- a/mls/initial_sid_contexts
+++ /dev/null
@@ -1,46 +0,0 @@
-# FLASK
-
-#
-# Define the security context for each initial SID
-# sid sidname   context
-
-sid kernel	system_u:system_r:kernel_t:s15:c0.c255
-sid security	system_u:object_r:security_t:s15:c0.c255
-sid unlabeled	system_u:object_r:unlabeled_t:s15:c0.c255
-sid fs		system_u:object_r:fs_t:s0
-sid file	system_u:object_r:file_t:s0
-# Persistent label mapping is gone.  This initial SID can be removed.
-sid file_labels	system_u:object_r:unlabeled_t:s15:c0.c255
-# init_t is still used, but an initial SID is no longer required.
-sid init	system_u:object_r:unlabeled_t:s15:c0.c255
-# any_socket is no longer used.
-sid any_socket 	system_u:object_r:unlabeled_t:s15:c0.c255
-sid port	system_u:object_r:port_t:s0
-sid netif	system_u:object_r:netif_t:s0
-# netmsg is no longer used.
-sid netmsg	system_u:object_r:unlabeled_t:s15:c0.c255
-sid node	system_u:object_r:node_t:s0
-# These sockets are now labeled with the kernel SID,
-# and do not require their own initial SIDs.
-sid igmp_packet system_u:object_r:unlabeled_t:s15:c0.c255
-sid icmp_socket system_u:object_r:unlabeled_t:s15:c0.c255
-sid tcp_socket  system_u:object_r:unlabeled_t:s15:c0.c255
-# Most of the sysctl SIDs are now computed at runtime
-# from genfs_contexts, so the corresponding initial SIDs
-# are no longer required.
-sid sysctl_modprobe	system_u:object_r:unlabeled_t:s15:c0.c255
-# But we still need the base sysctl initial SID as a default.
-sid sysctl	system_u:object_r:sysctl_t:s0
-sid sysctl_fs	system_u:object_r:unlabeled_t:s15:c0.c255
-sid sysctl_kernel	system_u:object_r:unlabeled_t:s15:c0.c255
-sid sysctl_net	system_u:object_r:unlabeled_t:s15:c0.c255
-sid sysctl_net_unix	system_u:object_r:unlabeled_t:s15:c0.c255
-sid sysctl_vm	system_u:object_r:unlabeled_t:s15:c0.c255
-sid sysctl_dev	system_u:object_r:unlabeled_t:s15:c0.c255
-# No longer used, can be removed.
-sid kmod	system_u:object_r:unlabeled_t:s15:c0.c255
-sid policy	system_u:object_r:unlabeled_t:s15:c0.c255
-sid scmp_packet	system_u:object_r:unlabeled_t:s15:c0.c255
-sid devnull	system_u:object_r:null_device_t:s0
-
-# FLASK
diff --git a/mls/local.users b/mls/local.users
deleted file mode 100644
index 6dd04d6..0000000
--- a/mls/local.users
+++ /dev/null
@@ -1,21 +0,0 @@
-##################################
-#
-# User configuration.
-#
-# This file defines additional users recognized by the system security policy.
-# Only the user identities defined in this file and the system.users file
-# may be used as the user attribute in a security context.
-#
-# Each user has a set of roles that may be entered by processes
-# with the users identity.  The syntax of a user declaration is:
-#
-# 	user username roles role_set [ level default_level range allowed_range ];
-#
-# The MLS default level and allowed range should only be specified if 
-# MLS was enabled in the policy.
-
-# sample for administrative user
-# user jadmin roles { staff_r sysadm_r system_r };
-
-# sample for regular user
-#user jdoe roles { user_r }; 
diff --git a/mls/macros/admin_macros.te b/mls/macros/admin_macros.te
deleted file mode 100644
index aaa816e..0000000
--- a/mls/macros/admin_macros.te
+++ /dev/null
@@ -1,227 +0,0 @@
-#
-# Macros for all admin domains.
-#
-
-#
-# admin_domain(domain_prefix)
-#
-# Define derived types and rules for an administrator domain.
-#
-# The type declaration and role authorization for the domain must be
-# provided separately.  Likewise, domain transitions into this domain
-# must be specified separately.  If the every_domain() rules are desired,
-# then these rules must also be specified separately.
-#
-undefine(`admin_domain')
-define(`admin_domain',`
-# Type for home directory.
-attribute $1_file_type;
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
-type $1_home_t, file_type, sysadmfile, home_type, $1_file_type;
-
-# Type and access for pty devices.
-can_create_pty($1, `, admin_tty_type')
-
-# Transition manually for { lnk sock fifo }. The rest is in content macros.
-tmp_domain_notrans($1, `, $1_file_type')
-file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
-allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
-
-# Type for tty devices.
-type $1_tty_device_t, sysadmfile, ttyfile, dev_fs, admin_tty_type;
-
-# Inherit rules for ordinary users.
-base_user_domain($1)
-access_removable_media($1_t)
-
-allow $1_t self:capability setuid;
-
-ifdef(`su.te', `su_domain($1)')
-ifdef(`userhelper.te', `userhelper_domain($1)')
-ifdef(`sudo.te', `sudo_domain($1)')
-
-# Let admin stat the shadow file.
-allow $1_t shadow_t:file getattr;
-
-ifdef(`crond.te', `
-allow $1_crond_t var_log_t:file r_file_perms;
-')
-
-# Allow system log read
-allow $1_t kernel_t:system syslog_read;
-
-# Allow autrace
-# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv;
-
-# Use capabilities other than sys_module.
-allow $1_t self:capability ~sys_module;
-
-# Use system operations.
-allow $1_t kernel_t:system *;
-
-# Set password information for other users.
-allow $1_t self:passwd { passwd chfn chsh };
-
-# Skip authentication when pam_rootok is specified.
-allow $1_t self:passwd rootok;
-
-# Manipulate other user crontab.
-allow $1_t self:passwd crontab;
-can_getsecurity(sysadm_crontab_t)
-
-# Change system parameters.
-can_sysctl($1_t)
-
-# Create and use all files that have the sysadmfile attribute.
-allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms;
-allow $1_t sysadmfile:lnk_file create_lnk_perms;
-allow $1_t sysadmfile:dir create_dir_perms;
-
-# for lsof
-allow $1_t mtrr_device_t:file getattr;
-allow $1_t fs_type:dir getattr;
-
-# Access removable devices.
-allow $1_t removable_device_t:devfile_class_set rw_file_perms;
-
-# Communicate with the init process.
-allow $1_t initctl_t:fifo_file rw_file_perms;
-
-# Examine all processes.
-can_ps($1_t, domain)
-
-# allow renice
-allow $1_t domain:process setsched;
-
-# Send signals to all processes.
-allow $1_t { domain unlabeled_t }:process signal_perms;
-
-# Access all user terminals.
-allow $1_t tty_device_t:chr_file rw_file_perms;
-allow $1_t ttyfile:chr_file rw_file_perms;
-allow $1_t ptyfile:chr_file rw_file_perms;
-allow $1_t serial_device:chr_file setattr;
-
-# allow setting up tunnels
-allow $1_t tun_tap_device_t:chr_file rw_file_perms;
-
-# run ls -l /dev
-allow $1_t device_t:dir r_dir_perms;
-allow $1_t { device_t device_type }:{ chr_file blk_file } getattr;
-allow $1_t ptyfile:chr_file getattr;
-
-# Run programs from staff home directories.
-# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
-can_exec($1_t, staff_home_t)
-
-# Run programs from /usr/src.
-can_exec($1_t, src_t)
-
-# Relabel all files.
-# Actually this will not allow relabeling ALL files unless you change
-# sysadmfile to file_type (and change the assertion in assert.te that
-# only auth_write can relabel shadow_t)
-allow $1_t sysadmfile:dir { getattr read search relabelfrom relabelto };
-allow $1_t sysadmfile:notdevfile_class_set { getattr relabelfrom relabelto };
-
-ifdef(`startx.te', `
-ifdef(`xserver.te', `
-# Create files in /tmp/.X11-unix with our X servers derived
-# tmp type rather than user_xserver_tmp_t.
-file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
-')dnl end xserver.te
-')dnl end startx.te
-
-ifdef(`xdm.te', `
-ifdef(`xauth.te', `
-if (xdm_sysadm_login) {
-allow xdm_t $1_home_t:lnk_file read;
-allow xdm_t $1_home_t:dir search;
-}
-can_pipe_xdm($1_t)
-')dnl end ifdef xauth.te
-')dnl end ifdef xdm.te
-
-#
-# A user who is authorized for sysadm_t may nonetheless have
-# a home directory labeled with user_home_t if the user is expected
-# to login in either user_t or sysadm_t.  Hence, the derived domains
-# for programs need to be able to access user_home_t.  
-# 
-
-# Allow our gph domain to write to .xsession-errors.
-ifdef(`gnome-pty-helper.te', `
-allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
-allow $1_gph_t user_home_type:file create_file_perms;
-')
-
-# Allow our crontab domain to unlink a user cron spool file.
-ifdef(`crontab.te',
-`allow $1_crontab_t user_cron_spool_t:file unlink;')
-
-# for the administrator to run TCP servers directly
-can_tcp_connect($1_t, $1_t)
-allow $1_t port_t:tcp_socket name_bind;
-
-# Connect data port to ftpd.
-ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
-
-# Connect second port to rshd.
-ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
-
-#
-# Allow sysadm to execute quota commands against filesystems and files.
-#
-allow $1_t fs_type:filesystem quotamod;
-
-# Grant read and write access to /dev/console.
-allow $1_t console_device_t:chr_file rw_file_perms;
-
-# Allow MAKEDEV to work
-allow $1_t device_t:dir rw_dir_perms;
-allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
-allow $1_t device_t:lnk_file { create read };
-
-# for lsof
-allow $1_t domain:socket_class_set getattr;
-allow $1_t eventpollfs_t:file getattr;
-')
-
-define(`security_manager_domain', `
-
-typeattribute $1 secadmin;
-# Allow administrator domains to set the enforcing flag.
-can_setenforce($1)
-
-# Allow administrator domains to set policy booleans.
-can_setbool($1)
-
-# Get security policy decisions.
-can_getsecurity($1)
-
-# Allow administrator domains to set security parameters
-can_setsecparam($1)
-
-# Run admin programs that require different permissions in their own domain.
-# These rules were moved into the appropriate program domain file.
-
-# added by mayerf@tresys.com
-# The following rules are temporary until such time that a complete
-# policy management infrastructure is in place so that an administrator
-# cannot directly manipulate policy files with arbitrary programs.
-#
-allow $1 secadmfile:file { relabelto relabelfrom create_file_perms };
-allow $1 secadmfile:lnk_file { relabelto relabelfrom create_lnk_perms };
-allow $1 secadmfile:dir { relabelto relabelfrom create_dir_perms };
-
-# Set an exec context, e.g. for runcon.
-can_setexec($1)
-
-# Set a context other than the default one for newly created files.
-can_setfscreate($1)
-
-allow $1 self:netlink_audit_socket nlmsg_readpriv;
-
-')
-
-
diff --git a/mls/macros/base_user_macros.te b/mls/macros/base_user_macros.te
deleted file mode 100644
index cecbaf7..0000000
--- a/mls/macros/base_user_macros.te
+++ /dev/null
@@ -1,397 +0,0 @@
-#
-# Macros for all user login domains.
-#
-
-#
-# base_user_domain(domain_prefix)
-#
-# Define derived types and rules for an ordinary user domain.
-#
-# The type declaration and role authorization for the domain must be
-# provided separately.  Likewise, domain transitions into this domain
-# must be specified separately.  
-#
-
-# base_user_domain() is also called by the admin_domain() macro
-undefine(`base_user_domain')
-define(`base_user_domain', `
-
-# Type for network-obtained content
-type $1_untrusted_content_t, file_type, $1_file_type, sysadmfile, customizable, polymember;
-type $1_untrusted_content_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile, customizable, polymember;
-
-# Allow user to relabel untrusted content
-allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
-allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
-
-# Read content
-read_content($1_t, $1)
-
-# Write trusted content. This includes proper transition
-# for /home, and /tmp, so no other transition is necessary (or allowed)
-write_trusted($1_t, $1)
-
-# Maybe the home directory is networked
-network_home($1_t)
-
-# Transition for { lnk, fifo, sock }. The rest is covered by write_trusted.
-# Relabel files in the home directory 
-file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t, { fifo_file sock_file lnk_file }); 
-allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
-can_setfscreate($1_t)
-
-ifdef(`ftpd.te' , `
-if (ftpd_is_daemon) {
-file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
-}
-')
-
-allow $1_t self:capability { setgid chown fowner };
-dontaudit $1_t self:capability { sys_nice fsetid };
-
-# $1_r is authorized for $1_t for the initial login domain.
-role $1_r types $1_t;
-allow system_r $1_r;
-
-r_dir_file($1_t, usercanread)
-
-# Grant permissions within the domain.
-general_domain_access($1_t)
-
-if (allow_execmem) {
-# Allow making anonymous memory executable, e.g. 
-# for runtime-code generation or executable stack.
-allow $1_t self:process execmem;
-}
-
-if (allow_execmem && allow_execstack) {
-# Allow making the stack executable via mprotect.
-allow $1_t self:process execstack;
-}
-
-# Allow text relocations on system shared libraries, e.g. libGL.
-allow $1_t texrel_shlib_t:file execmod;
-
-#
-# kdeinit wants this access
-#
-allow $1_t device_t:dir { getattr search };
-
-# Find CDROM devices
-r_dir_file($1_t, sysctl_dev_t)
-# for eject
-allow $1_t fixed_disk_device_t:blk_file getattr;
-
-allow $1_t fs_type:dir getattr;
-
-allow $1_t event_device_t:chr_file { getattr read ioctl };
-
-# open office is looking for the following
-allow $1_t dri_device_t:chr_file getattr;
-dontaudit $1_t dri_device_t:chr_file rw_file_perms;
-
-# Supress ls denials:
-# getattr() - ls -l
-# search_dir() - symlink path resolution
-# read_dir() - deep ls: ls parent/...
-
-dontaudit_getattr($1_t)
-dontaudit_search_dir($1_t)
-dontaudit_read_dir($1_t)
-
-# allow ptrace
-can_ptrace($1_t, $1_t)
-
-# Allow user to run restorecon and relabel files
-can_getsecurity($1_t)
-r_dir_file($1_t, default_context_t)
-r_dir_file($1_t, file_context_t)
-
-allow $1_t usbtty_device_t:chr_file read;
-
-# GNOME checks for usb and other devices
-rw_dir_file($1_t,usbfs_t)
-
-can_exec($1_t, noexattrfile)
-# Bind to a Unix domain socket in /tmp.
-allow $1_t $1_tmp_t:unix_stream_socket name_bind;
-
-# Use the type when relabeling terminal devices.
-type_change $1_t tty_device_t:chr_file $1_tty_device_t;
-
-# Debian login is from shadow utils and does not allow resetting the perms.
-# have to fix this!
-type_change $1_t ttyfile:chr_file $1_tty_device_t;
-
-# for running TeX programs
-r_dir_file($1_t, tetex_data_t)
-can_exec($1_t, tetex_data_t)
-
-# Use the type when relabeling pty devices.
-type_change $1_t server_pty:chr_file $1_devpts_t;
-
-tmpfs_domain($1)
-
-ifdef(`cardmgr.te', `
-# to allow monitoring of pcmcia status
-allow $1_t cardmgr_var_run_t:file { getattr read };
-')
-
-# Modify mail spool file.
-allow $1_t mail_spool_t:dir r_dir_perms;
-allow $1_t mail_spool_t:file rw_file_perms;
-allow $1_t mail_spool_t:lnk_file read;
-
-#
-# Allow graphical boot to check battery lifespan
-#
-ifdef(`apmd.te', `
-allow $1_t apmd_t:unix_stream_socket connectto;
-allow $1_t apmd_var_run_t:sock_file write;
-')
-
-#
-# Allow the query of filesystem quotas
-#
-allow $1_t fs_type:filesystem quotaget;
-
-# Run helper programs.
-can_exec_any($1_t)
-# Run programs developed by other users in the same domain.
-can_exec($1_t, $1_home_t)
-can_exec($1_t, $1_tmp_t)
-
-# Run user programs that require different permissions in their own domain.
-# These rules were moved into the individual program domains.
-
-# Instantiate derived domains for a number of programs.
-# These derived domains encode both information about the calling
-# user domain and the program, and allow us to maintain separation
-# between different instances of the program being run by different
-# user domains.
-ifdef(`gnome-pty-helper.te', `gph_domain($1, $1)')
-ifdef(`chkpwd.te', `chkpwd_domain($1)')
-ifdef(`fingerd.te', `fingerd_macro($1)')
-ifdef(`mta.te', `mail_domain($1)')
-ifdef(`exim.te', `exim_user_domain($1)')
-ifdef(`crontab.te', `crontab_domain($1)')
-
-ifdef(`screen.te', `screen_domain($1)')
-ifdef(`tvtime.te', `tvtime_domain($1)')
-ifdef(`mozilla.te', `mozilla_domain($1)')
-ifdef(`thunderbird.te', `thunderbird_domain($1)')
-ifdef(`samba.te', `samba_domain($1)')
-ifdef(`gpg.te', `gpg_domain($1)')
-ifdef(`xauth.te', `xauth_domain($1)')
-ifdef(`iceauth.te', `iceauth_domain($1)')
-ifdef(`startx.te', `xserver_domain($1)')
-ifdef(`lpr.te', `lpr_domain($1)')
-ifdef(`ssh.te', `ssh_domain($1)')
-ifdef(`irc.te', `irc_domain($1)')
-ifdef(`using_spamassassin', `spamassassin_domain($1)')
-ifdef(`pyzor.te', `pyzor_domain($1)')
-ifdef(`razor.te', `razor_domain($1)')
-ifdef(`uml.te', `uml_domain($1)')
-ifdef(`cdrecord.te', `cdrecord_domain($1)')
-ifdef(`mplayer.te', `mplayer_domains($1)')
-
-fontconfig_domain($1)
-
-# GNOME
-ifdef(`gnome.te', `
-gnome_domain($1)
-ifdef(`games.te', `games_domain($1)')
-ifdef(`gift.te', `gift_domains($1)')
-ifdef(`evolution.te', `evolution_domains($1)')
-ifdef(`ethereal.te', `ethereal_domain($1)')
-')
-
-# ICE communication channel
-ice_domain($1, $1)
-
-# ORBit communication channel (independent of GNOME)
-orbit_domain($1, $1)
-
-# Instantiate a derived domain for user cron jobs.
-ifdef(`crond.te', `crond_domain($1)')
-
-ifdef(`vmware.te', `vmware_domain($1)')
-
-if (user_direct_mouse) {
-# Read the mouse.
-allow $1_t mouse_device_t:chr_file r_file_perms;
-}
-# Access other miscellaneous devices.
-allow $1_t misc_device_t:{ chr_file blk_file } rw_file_perms;
-allow $1_t device_t:lnk_file { getattr read };
-
-can_resmgrd_connect($1_t)
-
-#
-# evolution and gnome-session try to create a netlink socket
-#
-dontaudit $1_t self:netlink_socket create_socket_perms;
-dontaudit $1_t self:netlink_route_socket create_netlink_socket_perms;
-
-# Use the network.
-can_network($1_t)
-allow $1_t port_type:tcp_socket name_connect;
-can_ypbind($1_t)
-can_winbind($1_t)
-
-ifdef(`pamconsole.te', `
-allow $1_t pam_var_console_t:dir search;
-')
-
-allow $1_t var_lock_t:dir search;
-
-# Grant permissions to access the system DBus
-ifdef(`dbusd.te', `
-dbusd_client(system, $1)
-can_network_server_tcp($1_dbusd_t)
-allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;
-
-allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
-dbusd_client($1, $1)
-allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
-dbusd_domain($1)
-ifdef(`hald.te', `
-allow $1_t hald_t:dbus send_msg;
-allow hald_t $1_t:dbus send_msg;
-') dnl end ifdef hald.te
-') dnl end ifdef dbus.te
-
-# allow port_t name binding for UDP because it is not very usable otherwise
-allow $1_t port_t:udp_socket name_bind;
-
-# Gnome pannel binds to the following
-ifdef(`cups.te', `
-allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr };
-')
-
-# for perl
-dontaudit $1_t net_conf_t:file ioctl;
-
-# Communicate within the domain.
-can_udp_send($1_t, self)
-
-# Connect to inetd.
-ifdef(`inetd.te', `
-can_tcp_connect($1_t, inetd_t)
-can_udp_send($1_t, inetd_t)
-can_udp_send(inetd_t, $1_t)
-')
-
-# Connect to portmap.
-ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
-
-# Inherit and use sockets from inetd
-ifdef(`inetd.te', `
-allow $1_t inetd_t:fd use;
-allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;')
-
-# Very permissive allowing every domain to see every type.
-allow $1_t kernel_t:system ipc_info;
-
-# When the user domain runs ps, there will be a number of access
-# denials when ps tries to search /proc.  Do not audit these denials.
-dontaudit $1_t domain:dir r_dir_perms;
-dontaudit $1_t domain:notdevfile_class_set r_file_perms;
-dontaudit $1_t domain:process { getattr getsession };
-#
-# Cups daemon running as user tries to write /etc/printcap
-#
-dontaudit $1_t usr_t:file setattr;
-
-# Use X
-x_client_domain($1, $1)
-
-ifdef(`xserver.te', `
-allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
-')
-
-ifdef(`xdm.te', `
-# Connect to the X server run by the X Display Manager.
-can_unix_connect($1_t, xdm_t)
-# certain apps want to read xdm.pid file
-r_dir_file($1_t, xdm_var_run_t)
-allow $1_t xdm_var_lib_t:file { getattr read };
-allow xdm_t $1_home_dir_t:dir getattr;
-ifdef(`xauth.te', `
-file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
-')
-
-')dnl end ifdef xdm.te
-
-# Access the sound device.
-allow $1_t sound_device_t:chr_file { getattr read write ioctl };
-
-# Access the power device.
-allow $1_t power_device_t:chr_file { getattr read write ioctl };
-
-allow $1_t var_log_t:dir { getattr search };
-dontaudit $1_t logfile:file getattr;
-
-# Check to see if cdrom is mounted
-allow $1_t mnt_t:dir { getattr search };
-
-# Get attributes of file systems.
-allow $1_t fs_type:filesystem getattr;
-
-# Read and write /dev/tty and /dev/null.
-allow $1_t devtty_t:chr_file rw_file_perms;
-allow $1_t null_device_t:chr_file rw_file_perms;
-allow $1_t zero_device_t:chr_file { rw_file_perms execute };
-allow $1_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
-#
-# Added to allow reading of cdrom
-#
-allow $1_t rpc_pipefs_t:dir getattr;
-allow $1_t nfsd_fs_t:dir getattr;
-allow $1_t binfmt_misc_fs_t:dir getattr;
-
-# /initrd is left mounted, various programs try to look at it
-dontaudit $1_t ramfs_t:dir getattr;
-
-#
-# Emacs wants this access
-#
-allow $1_t wtmp_t:file r_file_perms;
-dontaudit $1_t wtmp_t:file write;
-
-# Read the devpts root directory.
-allow $1_t devpts_t:dir r_dir_perms;
-
-r_dir_file($1_t, src_t)
-
-# Allow user to read default_t files
-# This is different from reading default_t content, 
-# because it also includes sockets, fifos, and links
-
-if (read_default_t) {
-allow $1_t default_t:dir r_dir_perms;
-allow $1_t default_t:notdevfile_class_set r_file_perms;
-}
-
-# Read fonts
-read_fonts($1_t, $1)
-
-read_sysctl($1_t);
-
-#
-# Caused by su - init scripts
-#
-dontaudit $1_t initrc_devpts_t:chr_file { ioctl read write };
-
-#
-# Running ifconfig as a user generates the following
-#
-dontaudit $1_t self:socket create;
-dontaudit $1_t sysctl_net_t:dir search;
-
-ifdef(`rpcd.te', `
-create_dir_file($1_t, nfsd_rw_t)
-')
-
-')dnl end base_user_domain macro
-
diff --git a/mls/macros/content_macros.te b/mls/macros/content_macros.te
deleted file mode 100644
index fb36d46..0000000
--- a/mls/macros/content_macros.te
+++ /dev/null
@@ -1,188 +0,0 @@
-# Content access macros
-
-# FIXME: After nested booleans are supported, replace NFS/CIFS
-# w/ read_network_home, and write_network_home macros from global
-
-# FIXME: If true/false constant booleans are supported, replace
-# ugly $3 ifdefs with if(true), if(false)...
-
-# FIXME: Do we want write to imply read?
-
-############################################################
-# read_content(domain, role_prefix, bool_prefix)
-#
-# Allow the given domain to read content.
-# Content may be trusted or untrusted,
-# Reading anything is subject to a controlling boolean based on bool_prefix.
-# Reading untrusted content is additionally subject to read_untrusted_content
-# Reading default_t is additionally subject to read_default_t
-
-define(`read_content', `
-
-# Declare controlling boolean
-ifelse($3, `', `', `
-ifdef(`$3_read_content_defined', `', `
-define(`$3_read_content_defined')
-bool $3_read_content false;
-') dnl ifdef 
-') dnl ifelse
-
-# Handle nfs home dirs
-ifelse($3, `', 
-`if (use_nfs_home_dirs) { ', 
-`if ($3_read_content && use_nfs_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-r_dir_file($1, nfs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 nfs_t:file r_file_perms;
-dontaudit $1 nfs_t:dir r_dir_perms;
-}
-
-# Handle samba home dirs
-ifelse($3, `',
-`if (use_samba_home_dirs) { ',
-`if ($3_read_content && use_samba_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-r_dir_file($1, cifs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 cifs_t:file r_file_perms;
-dontaudit $1 cifs_t:dir r_dir_perms;
-}
-
-# Handle removable media, /tmp, and /home
-ifelse($3, `', `', 
-`if ($3_read_content) {')
-allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-r_dir_file($1, { $2_tmp_t $2_home_t } )
-ifdef(`mls_policy', `', `
-r_dir_file($1, removable_t)
-')
-
-ifelse($3, `', `', 
-`} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { removable_t $2_tmp_t $2_home_t }:dir r_dir_perms;
-dontaudit $1 { removable_t $2_tmp_t $2_home_t }:file r_file_perms;
-}') 
-
-# Handle default_t content
-ifelse($3, `',
-`if (read_default_t) { ',
-`if ($3_read_content && read_default_t) {')
-r_dir_file($1, default_t)
-} else {
-dontaudit $1 default_t:file r_file_perms;
-dontaudit $1 default_t:dir r_dir_perms;
-} 
-
-# Handle untrusted content
-ifelse($3, `',
-`if (read_untrusted_content) { ',
-`if ($3_read_content && read_untrusted_content) {')
-allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-r_dir_file($1, { $2_untrusted_content_t $2_untrusted_content_tmp_t })
-} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:dir r_dir_perms;
-dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:file r_file_perms;
-}
-') dnl read_content
-
-#################################################
-# write_trusted(domain, role_prefix, bool_prefix)
-#
-# Allow the given domain to write trusted content.
-# This is subject to a controlling boolean based
-# on bool_prefix.
-
-define(`write_trusted', `
-
-# Declare controlling boolean
-ifelse($3, `', `', `
-ifdef(`$3_write_content_defined', `', `
-define(`$3_write_content_defined')
-bool $3_write_content false;
-') dnl ifdef
-') dnl ifelse
-
-# Handle nfs homedirs
-ifelse($3, `',
-`if (use_nfs_home_dirs) { ',
-`if ($3_write_content && use_nfs_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, nfs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 nfs_t:file create_file_perms;
-dontaudit $1 nfs_t:dir create_dir_perms;
-}
-
-# Handle samba homedirs
-ifelse($3, `',
-`if (use_samba_home_dirs) { ',
-`if ($3_write_content && use_samba_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, cifs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 cifs_t:file create_file_perms;
-dontaudit $1 cifs_t:dir create_dir_perms;
-}
-
-# Handle /tmp and /home
-ifelse($3, `', `', 
-`if ($3_write_content) {') 
-allow $1 home_root_t:dir { read getattr search };
-file_type_auto_trans($1, tmp_t, $2_tmp_t, { dir file });
-file_type_auto_trans($1, $2_home_dir_t, $2_home_t, { dir file });
-ifelse($3, `', `', 
-`} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms;
-dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms;
-}')
-
-') dnl write_trusted
-
-#########################################
-# write_untrusted(domain, role_prefix)
-#
-# Allow the given domain to write untrusted content. 
-# This is subject to the global boolean write_untrusted.
-
-define(`write_untrusted', `
-
-# Handle nfs homedirs
-if (write_untrusted_content && use_nfs_home_dirs) {
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, nfs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 nfs_t:file create_file_perms;
-dontaudit $1 nfs_t:dir create_dir_perms;
-}
-
-# Handle samba homedirs
-if (write_untrusted_content && use_samba_home_dirs) {
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, cifs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 cifs_t:file create_file_perms;
-dontaudit $1 cifs_t:dir create_dir_perms;
-}
-
-# Handle /tmp and /home
-if (write_untrusted_content) {
-allow $1 home_root_t:dir { read getattr search };
-file_type_auto_trans($1, { tmp_t $2_tmp_t }, $2_untrusted_content_tmp_t, { dir file })
-file_type_auto_trans($1, { $2_home_dir_t $2_home_t }, $2_untrusted_content_t, { dir file })
-} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms;
-dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms;
-}
-
-') dnl write_untrusted
diff --git a/mls/macros/core_macros.te b/mls/macros/core_macros.te
deleted file mode 100644
index 6bae8bf..0000000
--- a/mls/macros/core_macros.te
+++ /dev/null
@@ -1,706 +0,0 @@
-
-##############################
-#
-# core macros for the type enforcement (TE) configuration.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>, Timothy Fraser  
-#           Howard Holm (NSA) <hdholm@epoch.ncsc.mil>
-#           Russell Coker <russell@coker.com.au>
-#
-
-#################################
-# 
-# Macros for groups of classes and 
-# groups of permissions.
-#
-
-#
-# All directory and file classes
-#
-define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
-
-#
-# All non-directory file classes.
-#
-define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
-
-#
-# Non-device file classes.
-#
-define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
-
-#
-# Device file classes.
-#
-define(`devfile_class_set', `{ chr_file blk_file }')
-
-#
-# All socket classes.
-#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
-
-
-#
-# Datagram socket classes.
-# 
-define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
-
-#
-# Stream socket classes.
-#
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
-
-#
-# Unprivileged socket classes (exclude rawip, netlink, packet).
-#
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
-
-
-# 
-# Permissions for getting file attributes.
-#
-define(`stat_file_perms', `{ getattr }')
-
-# 
-# Permissions for executing files.
-#
-define(`x_file_perms', `{ getattr execute }')
-
-# 
-# Permissions for reading files and their attributes.
-#
-define(`r_file_perms', `{ read getattr lock ioctl }')
-
-# 
-# Permissions for reading and executing files.
-#
-define(`rx_file_perms', `{ read getattr lock execute ioctl }')
-
-# 
-# Permissions for reading and writing files and their attributes.
-#
-define(`rw_file_perms', `{ ioctl read getattr lock write append }')
-
-# 
-# Permissions for reading and appending to files.
-#
-define(`ra_file_perms', `{ ioctl read getattr lock append }')
-
-#
-# Permissions for linking, unlinking and renaming files.
-# 
-define(`link_file_perms', `{ getattr link unlink rename }')
-
-#
-# Permissions for creating lnk_files.
-#
-define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
-
-#
-# Permissions for creating and using files.
-# 
-define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
-
-# 
-# Permissions for reading directories and their attributes.
-#
-define(`r_dir_perms', `{ read getattr lock search ioctl }')
-
-# 
-# Permissions for reading and writing directories and their attributes.
-#
-define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
-
-# 
-# Permissions for reading and adding names to directories.
-#
-define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
-
-
-#
-# Permissions for creating and using directories.
-# 
-define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
-
-#
-# Permissions to mount and unmount file systems.
-#
-define(`mount_fs_perms', `{ mount remount unmount getattr }')
-
-#
-# Permissions for using sockets.
-# 
-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
-
-#
-# Permissions for creating and using sockets.
-# 
-define(`create_socket_perms', `{ create rw_socket_perms }')
-
-#
-# Permissions for using stream sockets.
-# 
-define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
-
-#
-# Permissions for creating and using stream sockets.
-# 
-define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
-
-#
-# Permissions for creating and using sockets.
-# 
-define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
-
-#
-# Permissions for creating and using sockets.
-# 
-define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
-
-
-#
-# Permissions for creating and using netlink sockets.
-# 
-define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
-
-#
-# Permissions for using netlink sockets for operations that modify state.
-# 
-define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
-
-#
-# Permissions for using netlink sockets for operations that observe state.
-# 
-define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
-
-#
-# Permissions for sending all signals.
-#
-define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
-
-#
-# Permissions for sending and receiving network packets.
-#
-define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
-
-#
-# Permissions for using System V IPC
-#
-define(`r_sem_perms', `{ associate getattr read unix_read }')
-define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
-define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
-define(`r_msgq_perms', `{ associate getattr read unix_read }')
-define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
-define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
-define(`r_shm_perms', `{ associate getattr read unix_read }')
-define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
-define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
-
-#################################
-# 
-# Macros for type transition rules and
-# access vector rules.
-#
-
-#
-# Simple combinations for reading and writing both
-# directories and files.
-# 
-define(`r_dir_file', `
-allow $1 $2:dir r_dir_perms;
-allow $1 $2:file r_file_perms;
-allow $1 $2:lnk_file { getattr read };
-')
-
-define(`rw_dir_file', `
-allow $1 $2:dir rw_dir_perms;
-allow $1 $2:file rw_file_perms;
-allow $1 $2:lnk_file { getattr read };
-')
-
-define(`ra_dir_file', `
-allow $1 $2:dir ra_dir_perms;
-allow $1 $2:file ra_file_perms;
-allow $1 $2:lnk_file { getattr read };
-')
-
-define(`ra_dir_create_file', `
-allow $1 $2:dir ra_dir_perms;
-allow $1 $2:file { create ra_file_perms };
-allow $1 $2:lnk_file { create read getattr };
-')
-
-define(`rw_dir_create_file', `
-allow $1 $2:dir rw_dir_perms;
-allow $1 $2:file create_file_perms;
-allow $1 $2:lnk_file create_lnk_perms;
-')
-
-define(`create_dir_file', `
-allow $1 $2:dir create_dir_perms;
-allow $1 $2:file create_file_perms;
-allow $1 $2:lnk_file create_lnk_perms;
-')
-
-define(`create_dir_notdevfile', `
-allow $1 $2:dir create_dir_perms;
-allow $1 $2:{ file sock_file fifo_file } create_file_perms;
-allow $1 $2:lnk_file create_lnk_perms;
-')
-
-define(`create_append_log_file', `
-allow $1 $2:dir { read getattr search add_name write };
-allow $1 $2:file { create ioctl getattr setattr append link };
-')
-
-##################################
-#
-# can_ps(domain1, domain2)
-#
-# Authorize domain1 to see /proc entries for domain2 (see it in ps output)
-#
-define(`can_ps',`
-allow $1 $2:dir { search getattr read };
-allow $1 $2:{ file lnk_file } { read getattr };
-allow $1 $2:process getattr;
-# We need to suppress this denial because procps tries to access
-# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-# running in a privileged domain.
-dontaudit $1 $2:process ptrace;
-')
-
-##################################
-#
-# can_getsecurity(domain)
-#
-# Authorize a domain to get security policy decisions.
-#
-define(`can_getsecurity',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } { getattr read };
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security { check_context compute_av compute_create compute_relabel compute_user };
-')
-
-##################################
-#
-# can_setenforce(domain)
-#
-# Authorize a domain to set the enforcing flag.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_setenforce',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-if (!secure_mode_policyload) {
-allow $1 security_t:security setenforce;
-auditallow $1 security_t:security setenforce;
-}dnl end if !secure_mode_policyload
-')
-
-##################################
-#
-# can_setbool(domain)
-#
-# Authorize a domain to set a policy boolean.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_setbool',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-if (!secure_mode_policyload) {
-allow $1 security_t:security setbool;
-auditallow $1 security_t:security setbool;
-}dnl end if !secure_mode_policyload
-')
-
-##################################
-#
-# can_setsecparam(domain)
-#
-# Authorize a domain to set security parameters.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_setsecparam',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security setsecparam;
-auditallow $1 security_t:security setsecparam;
-')
-
-##################################
-#
-# can_loadpol(domain)
-#
-# Authorize a domain to load a policy configuration.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_loadpol',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 proc_t:file { getattr read };
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-if (!secure_mode_policyload) {
-allow $1 security_t:security load_policy;
-auditallow $1 security_t:security load_policy;
-}dnl end if !secure_mode_policyload
-')
-
-#################################
-#
-# domain_trans(parent_domain, program_type, child_domain)
-#
-# Permissions for transitioning to a new domain.
-#
-
-define(`domain_trans',`
-
-#
-# Allow the process to transition to the new domain.
-#
-allow $1 $3:process transition;
-
-#
-# Do not audit when glibc secure mode is enabled upon the transition.
-#
-dontaudit $1 $3:process noatsecure;
-
-#
-# Do not audit when signal-related state is cleared upon the transition.
-#
-dontaudit $1 $3:process siginh;
-
-#
-# Do not audit when resource limits are reset upon the transition.
-#
-dontaudit $1 $3:process rlimitinh;
-
-#
-# Allow the process to execute the program.
-# 
-allow $1 $2:file { read x_file_perms };
-
-#
-# Allow the process to reap the new domain.
-#
-allow $3 $1:process sigchld;
-
-#
-# Allow the new domain to inherit and use file 
-# descriptions from the creating process and vice versa.
-#
-allow $3 $1:fd use;
-allow $1 $3:fd use;
-
-#
-# Allow the new domain to write back to the old domain via a pipe.
-#
-allow $3 $1:fifo_file rw_file_perms;
-
-#
-# Allow the new domain to read and execute the program.
-#
-allow $3 $2:file rx_file_perms;
-
-#
-# Allow the new domain to be entered via the program.
-#
-allow $3 $2:file entrypoint;
-')
-
-#################################
-#
-# domain_auto_trans(parent_domain, program_type, child_domain)
-#
-# Define a default domain transition and allow it.
-#
-define(`domain_auto_trans',`
-domain_trans($1,$2,$3)
-type_transition $1 $2:process $3;
-')
-
-#################################
-#
-# can_ptrace(domain, domain)
-#
-# Permissions for running ptrace (strace or gdb) on another domain
-#
-define(`can_ptrace',`
-allow $1 $2:process ptrace;
-allow $2 $1:process sigchld;
-')
-
-#################################
-#
-# can_exec(domain, type)
-#
-# Permissions for executing programs with
-# a specified type without changing domains.
-#
-define(`can_exec',`
-allow $1 $2:file { rx_file_perms execute_no_trans };
-')
-
-# this is an internal macro used by can_create
-define(`can_create_internal', `
-ifelse(`$3', `dir', `
-allow $1 $2:$3 create_dir_perms;
-', `$3', `lnk_file', `
-allow $1 $2:$3 create_lnk_perms;
-', `
-allow $1 $2:$3 create_file_perms;
-')dnl end if dir
-')dnl end can_create_internal
-
-
-#################################
-#
-# can_create(domain, file_type, object_class)
-#
-# Permissions for creating files of the specified type and class
-#
-define(`can_create', `
-ifelse(regexp($3, `\w'), -1, `', `
-can_create_internal($1, $2, regexp($3, `\(\w+\)', `\1'))
-
-can_create($1, $2, regexp($3, `\w+\(.*\)', `\1'))
-')
-')
-#################################
-#
-# file_type_trans(domain, dir_type, file_type)
-#
-# Permissions for transitioning to a new file type.
-#
-
-define(`file_type_trans',`
-
-#
-# Allow the process to modify the directory.
-#
-allow $1 $2:dir rw_dir_perms;
-
-#
-# Allow the process to create the file.
-#
-ifelse(`$4', `', `
-can_create($1, $3, `{ file lnk_file sock_file fifo_file dir }')
-', `
-can_create($1, $3, $4)
-')dnl end if param 4 specified
-
-')
-
-#################################
-#
-# file_type_auto_trans(creator_domain, parent_directory_type, file_type, object_class)
-#
-# the object class will default to notdevfile_class_set if not specified as
-# the fourth parameter
-#
-# Define a default file type transition and allow it.
-#
-define(`file_type_auto_trans',`
-ifelse(`$4', `', `
-file_type_trans($1,$2,$3)
-type_transition $1 $2:dir $3;
-type_transition $1 $2:notdevfile_class_set $3;
-', `
-file_type_trans($1,$2,$3,$4)
-type_transition $1 $2:$4 $3;
-')dnl end ifelse
-
-')
-
-
-#################################
-#
-# can_unix_connect(client, server)
-#
-# Permissions for establishing a Unix stream connection.
-#
-define(`can_unix_connect',`
-allow $1 $2:unix_stream_socket connectto;
-')
-
-#################################
-#
-# can_unix_send(sender, receiver)
-#
-# Permissions for sending Unix datagrams.
-#
-define(`can_unix_send',`
-allow $1 $2:unix_dgram_socket sendto;
-')
-
-#################################
-#
-# can_tcp_connect(client, server)
-#
-# Permissions for establishing a TCP connection.
-# Irrelevant until we have labeled networking.
-#
-define(`can_tcp_connect',`
-#allow $1 $2:tcp_socket { connectto recvfrom };
-#allow $2 $1:tcp_socket { acceptfrom recvfrom };
-#allow $2 kernel_t:tcp_socket recvfrom;
-#allow $1 kernel_t:tcp_socket recvfrom;
-')
-
-#################################
-#
-# can_udp_send(sender, receiver)
-#
-# Permissions for sending/receiving UDP datagrams.
-# Irrelevant until we have labeled networking.
-#
-define(`can_udp_send',`
-#allow $1 $2:udp_socket sendto;
-#allow $2 $1:udp_socket recvfrom;
-')
-
-
-##################################
-#
-# base_pty_perms(domain_prefix)
-#
-# Base permissions used for can_create_pty() and can_create_other_pty()
-#
-define(`base_pty_perms', `
-# Access the pty master multiplexer.
-allow $1_t ptmx_t:chr_file rw_file_perms;
-
-allow $1_t devpts_t:filesystem getattr;
-
-# allow searching /dev/pts
-allow $1_t devpts_t:dir { getattr read search };
-
-# ignore old BSD pty devices
-dontaudit $1_t bsdpty_device_t:chr_file { getattr read write };
-')
-
-
-##################################
-#
-# pty_slave_label(domain_prefix, attributes)
-#
-# give access to a slave pty but do not allow creating new ptys
-#
-define(`pty_slave_label', `
-type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
-
-# Allow the pty to be associated with the file system.
-allow $1_devpts_t devpts_t:filesystem associate;
-
-# Label pty files with a derived type.
-type_transition $1_t devpts_t:chr_file $1_devpts_t;
-
-# allow searching /dev/pts
-allow $1_t devpts_t:dir { getattr read search };
-
-# Read and write my pty files.
-allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
-')
-
-
-##################################
-#
-# can_create_pty(domain_prefix, attributes)
-#
-# Permissions for creating ptys.
-#
-define(`can_create_pty',`
-base_pty_perms($1)
-pty_slave_label($1, `$2')
-')
-
-
-##################################
-#
-# can_create_other_pty(domain_prefix,other_domain)
-#
-# Permissions for creating ptys for another domain.
-#
-define(`can_create_other_pty',`
-base_pty_perms($1)
-# Label pty files with a derived type.
-type_transition $1_t devpts_t:chr_file $2_devpts_t;
-
-# Read and write pty files.
-allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms };
-')
-
-
-#
-# general_domain_access(domain)
-#
-# Grant permissions within the domain.
-# This includes permissions to processes, /proc/PID files,
-# file descriptors, pipes, Unix sockets, and System V IPC objects
-# labeled with the domain.
-#
-define(`general_domain_access',`
-# Access other processes in the same domain.
-# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, execmem, execstack and execheap.
-# These must be granted separately if desired.
-allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap};
-
-# Access /proc/PID files for processes in the same domain.
-allow $1 self:dir r_dir_perms;
-allow $1 self:notdevfile_class_set r_file_perms;
-
-# Access file descriptions, pipes, and sockets
-# created by processes in the same domain.
-allow $1 self:fd *;
-allow $1 self:fifo_file rw_file_perms;
-allow $1 self:unix_dgram_socket create_socket_perms;
-allow $1 self:unix_stream_socket create_stream_socket_perms;
-
-# Allow the domain to communicate with other processes in the same domain.
-allow $1 self:unix_dgram_socket sendto;
-allow $1 self:unix_stream_socket connectto;
-
-# Access System V IPC objects created by processes in the same domain.
-allow $1 self:sem  create_sem_perms;
-allow $1 self:msg  { send receive };
-allow $1 self:msgq create_msgq_perms;
-allow $1 self:shm  create_shm_perms;
-allow $1 unpriv_userdomain:fd use;
-#
-# Every app is asking for ypbind so I am adding this here, 
-# eventually this should become can_nsswitch
-#
-can_ypbind($1)
-allow $1 autofs_t:dir { search getattr };
-')dnl end general_domain_access
diff --git a/mls/macros/global_macros.te b/mls/macros/global_macros.te
deleted file mode 100644
index 277ab49..0000000
--- a/mls/macros/global_macros.te
+++ /dev/null
@@ -1,772 +0,0 @@
-##############################
-#
-# Global macros for the type enforcement (TE) configuration.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Howard Holm (NSA) <hdholm@epoch.ncsc.mil>
-#           Russell Coker <russell@coker.com.au>
-#
-#
-#
-
-##################################
-#
-# can_setexec(domain)
-#
-# Authorize a domain to set its exec context
-# (via /proc/pid/attr/exec).
-#
-define(`can_setexec',`
-allow $1 self:process setexec;
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read write };
-')
-
-##################################
-#
-# can_getcon(domain)
-#
-# Authorize a domain to get its context
-# (via /proc/pid/attr/current).
-#
-define(`can_getcon',`
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-allow $1 self:process getattr;
-')
-
-##################################
-#
-# can_setcon(domain)
-#
-# Authorize a domain to set its current context
-# (via /proc/pid/attr/current).
-#
-define(`can_setcon',`
-allow $1 self:process setcurrent;
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read write };
-')
-
-##################################
-# read_sysctl(domain)
-#
-# Permissions for reading sysctl variables.
-# If the second parameter is full, allow
-# reading of any sysctl variables, else only
-# sysctl_kernel_t.
-#
-define(`read_sysctl', `
-# Read system variables in /sys.
-ifelse($2,`full', `
-allow $1 sysctl_type:dir r_dir_perms;
-allow $1 sysctl_type:file r_file_perms;
-', `
-allow $1 sysctl_t:dir search;
-allow $1 sysctl_kernel_t:dir search;
-allow $1 sysctl_kernel_t:file { getattr read };
-')
-
-')dnl read_sysctl
-
-##################################
-#
-# can_setfscreate(domain)
-#
-# Authorize a domain to set its fscreate context
-# (via /proc/pid/attr/fscreate).
-#
-define(`can_setfscreate',`
-allow $1 self:process setfscreate;
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read write };
-')
-
-#################################
-#
-# uses_shlib(domain)
-#
-# Permissions for using shared libraries.
-#
-define(`uses_shlib',`
-allow $1 { root_t usr_t lib_t etc_t }:dir r_dir_perms;
-allow $1 lib_t:lnk_file r_file_perms;
-allow $1 ld_so_t:file rx_file_perms;
-#allow $1 ld_so_t:file execute_no_trans;
-allow $1 ld_so_t:lnk_file r_file_perms;
-allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms;
-allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms;
-allow $1 texrel_shlib_t:file execmod;
-allow $1 ld_so_cache_t:file r_file_perms;
-allow $1 device_t:dir search;
-allow $1 null_device_t:chr_file rw_file_perms;
-')
-
-#################################
-#
-# can_exec_any(domain)
-#
-# Permissions for executing a variety
-# of executable types.
-#
-define(`can_exec_any',`
-allow $1 { bin_t sbin_t lib_t etc_t }:dir r_dir_perms;
-allow $1 { bin_t sbin_t etc_t }:lnk_file { getattr read };
-uses_shlib($1)
-can_exec($1, etc_t)
-can_exec($1, lib_t)
-can_exec($1, bin_t)
-can_exec($1, sbin_t)
-can_exec($1, exec_type)
-can_exec($1, ld_so_t)
-')
-
-
-#################################
-#
-# can_sysctl(domain)
-#
-# Permissions for modifying sysctl parameters.
-#
-define(`can_sysctl',`
-allow $1 sysctl_type:dir r_dir_perms;
-allow $1 sysctl_type:file { setattr rw_file_perms };
-')
-
-
-##################################
-#
-# read_locale(domain)
-#
-# Permissions for reading the locale data,
-# /etc/localtime and the files that it links to
-#
-define(`read_locale', `
-allow $1 etc_t:lnk_file read;
-allow $1 lib_t:file r_file_perms;
-r_dir_file($1, locale_t)
-')
-
-define(`can_access_pty', `
-allow $1 devpts_t:dir r_dir_perms;
-allow $1 $2_devpts_t:chr_file rw_file_perms;
-')
-
-###################################
-#
-# access_terminal(domain, typeprefix)
-#
-# Permissions for accessing the terminal
-#
-define(`access_terminal', `
-allow $1 $2_tty_device_t:chr_file { read write getattr ioctl };
-allow $1 devtty_t:chr_file { read write getattr ioctl };
-can_access_pty($1, $2)
-') 
-
-#
-# general_proc_read_access(domain)
-#
-# Grant read/search permissions to most of /proc, excluding
-# the /proc/PID directories and the /proc/kmsg and /proc/kcore files.
-# The general_domain_access macro grants access to the domain /proc/PID
-# directories, but not to other domains.  Only permissions to stat
-# are granted for /proc/kmsg and /proc/kcore, since these files are more
-# sensitive.
-# 
-define(`general_proc_read_access',`
-# Read system information files in /proc.
-r_dir_file($1, proc_t)
-r_dir_file($1, proc_net_t)
-allow $1 proc_mdstat_t:file r_file_perms;
-
-# Stat /proc/kmsg and /proc/kcore.
-allow $1 proc_fs:file stat_file_perms;
-
-# Read system variables in /proc/sys.
-read_sysctl($1)
-')
-
-#
-# base_file_read_access(domain)
-#
-# Grant read/search permissions to a few system file types.
-#
-define(`base_file_read_access',`
-# Read /.
-allow $1 root_t:dir r_dir_perms;
-allow $1 root_t:notdevfile_class_set r_file_perms;
-
-# Read /home.
-allow $1 home_root_t:dir r_dir_perms;
-
-# Read /usr.
-allow $1 usr_t:dir r_dir_perms;
-allow $1 usr_t:notdevfile_class_set r_file_perms;
-
-# Read bin and sbin directories.
-allow $1 bin_t:dir r_dir_perms;
-allow $1 bin_t:notdevfile_class_set r_file_perms;
-allow $1 sbin_t:dir r_dir_perms;
-allow $1 sbin_t:notdevfile_class_set r_file_perms;
-read_sysctl($1)
-
-r_dir_file($1, selinux_config_t)
-
-if (read_default_t) {
-#
-# Read default_t
-#.
-allow $1 default_t:dir r_dir_perms;
-allow $1 default_t:notdevfile_class_set r_file_perms;
-}
-
-')
-
-#######################
-# daemon_core_rules(domain_prefix, attribs)
-#
-# Define the core rules for a daemon, used by both daemon_base_domain() and
-# init_service_domain().
-# Attribs is the list of attributes which must start with "," if it is not empty
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-define(`daemon_core_rules', `
-type $1_t, domain, privlog, daemon $2;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-dontaudit $1_t self:capability sys_tty_config;
-
-role system_r types $1_t;
-
-# Inherit and use descriptors from init.
-allow $1_t init_t:fd use;
-allow $1_t init_t:process sigchld;
-allow $1_t self:process { signal_perms fork };
-
-uses_shlib($1_t)
-
-allow $1_t { self proc_t }:dir r_dir_perms;
-allow $1_t { self proc_t }:lnk_file { getattr read };
-
-allow $1_t device_t:dir r_dir_perms;
-ifdef(`udev.te', `
-allow $1_t udev_tdb_t:file r_file_perms;
-')dnl end if udev.te
-allow $1_t null_device_t:chr_file rw_file_perms;
-dontaudit $1_t console_device_t:chr_file rw_file_perms;
-dontaudit $1_t unpriv_userdomain:fd use;
-
-r_dir_file($1_t, sysfs_t) 
-
-allow $1_t autofs_t:dir { search getattr };
-ifdef(`targeted_policy', `
-dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write };
-dontaudit $1_t root_t:file { getattr read };
-')dnl end if targeted_policy
- 
-')dnl end macro daemon_core_rules
-
-#######################
-# init_service_domain(domain_prefix, attribs)
-#
-# Define a domain for a program that is run from init
-# Attribs is the list of attributes which must start with "," if it is not empty
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-define(`init_service_domain', `
-daemon_core_rules($1, `$2')
-bool $1_disable_trans false;
-if ($1_disable_trans) {
-can_exec(init_t, $1_exec_t)
-} else {
-domain_auto_trans(init_t, $1_exec_t, $1_t)
-}
-')dnl
-
-#######################
-# daemon_base_domain(domain_prefix, attribs)
-#
-# Define a daemon domain with a base set of type declarations
-# and permissions that are common to most daemons.
-# attribs is the list of attributes which must start with "," if it is not empty
-# nosysadm may be given as an optional third parameter, to specify that the
-# sysadmin should not transition to the domain when directly calling the executable
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-define(`daemon_base_domain', `
-daemon_core_rules($1, `$2')
-
-rhgb_domain($1_t)
-
-read_sysctl($1_t)
-
-ifdef(`direct_sysadm_daemon', `
-dontaudit $1_t admin_tty_type:chr_file rw_file_perms;
-')
-
-#
-# Allows user to define a tunable to disable domain transition
-#
-ifelse(index(`$2',`transitionbool'), -1, `', `
-bool $1_disable_trans false;
-if ($1_disable_trans) {
-can_exec(initrc_t, $1_exec_t)
-can_exec(sysadm_t, $1_exec_t)
-} else {
-') dnl transitionbool
-domain_auto_trans(initrc_t, $1_exec_t, $1_t)
-
-allow initrc_t $1_t:process { noatsecure siginh rlimitinh };
-ifdef(`direct_sysadm_daemon', `
-ifelse(`$3', `nosysadm', `', `
-domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
-allow sysadm_t $1_t:process { noatsecure siginh rlimitinh };
-')dnl end nosysadm
-')dnl end direct_sysadm_daemon
-ifelse(index(`$2', `transitionbool'), -1, `', `
-}
-') dnl end transitionbool
-ifdef(`direct_sysadm_daemon', `
-ifelse(`$3', `nosysadm', `', `
-role_transition sysadm_r $1_exec_t system_r;
-')dnl end nosysadm
-')dnl end direct_sysadm_daemon
-
-allow $1_t privfd:fd use;
-ifdef(`newrole.te', `allow $1_t newrole_t:process sigchld;')
-allow $1_t initrc_devpts_t:chr_file rw_file_perms;
-')dnl
-
-# allow a domain to create its own files under /var/run and to create files
-# in directories that are created for it.  $2 is an optional list of
-# classes to use; default is file.
-define(`var_run_domain', `
-type $1_var_run_t, file_type, sysadmfile, pidfile;
-
-ifelse(`$2', `', `
-file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file)
-', `
-file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2)
-')
-allow $1_t var_t:dir search;
-allow $1_t $1_var_run_t:dir rw_dir_perms;
-')
-
-#######################
-# daemon_domain(domain_prefix, attribs)
-#
-# see daemon_base_domain for calling details
-# daemon_domain defines some additional privileges needed by many domains,
-# like pid files and locale support
-
-define(`daemon_domain', `
-ifdef(`targeted_policy', `
-daemon_base_domain($1, `$2, transitionbool', $3)
-', `
-daemon_base_domain($1, `$2', $3)
-')
-# Create pid file.
-allow $1_t var_t:dir { getattr search };
-var_run_domain($1)
-
-allow $1_t devtty_t:chr_file rw_file_perms;
-
-# for daemons that look at /root on startup
-dontaudit $1_t sysadm_home_dir_t:dir search;
-
-# for df
-allow $1_t fs_type:filesystem getattr;
-allow $1_t removable_t:filesystem getattr;
-
-read_locale($1_t)
-
-# for localization
-allow $1_t lib_t:file { getattr read };
-')dnl end daemon_domain macro
-
-define(`uses_authbind',
-`domain_auto_trans($1, authbind_exec_t, authbind_t)
-allow authbind_t $1:process sigchld;
-allow authbind_t $1:fd use;
-allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
-')
-
-# define a sub-domain, $1_t is the parent domain, $2 is the name
-# of the sub-domain.
-#
-define(`daemon_sub_domain', `
-# $1 is the parent domain (or domains), $2_t is the child domain,
-# and $3 is any attributes to apply to the child
-type $2_t, domain, privlog, daemon $3;
-type $2_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types $2_t;
-
-ifelse(index(`$3',`transitionbool'), -1, `
-
-domain_auto_trans($1, $2_exec_t, $2_t)
-
-', `
-
-bool $2_disable_trans false;
-
-if (! $2_disable_trans) {
-domain_auto_trans($1, $2_exec_t, $2_t)
-}
-
-');
-# Inherit and use descriptors from parent.
-allow $2_t $1:fd use;
-allow $2_t $1:process sigchld;
-
-allow $2_t self:process signal_perms;
-
-uses_shlib($2_t)
-
-allow $2_t { self proc_t }:dir r_dir_perms;
-allow $2_t { self proc_t }:lnk_file read;
-
-allow $2_t device_t:dir getattr;
-')
-
-# grant access to /tmp
-# by default, only plain files and dirs may be stored there.
-# This can be overridden with a third parameter
-define(`tmp_domain', `
-type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
-ifelse($3, `',
-`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `{ file dir }')',
-`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')')
-')
-
-# grant access to /tmp. Do not perform an automatic transition.
-define(`tmp_domain_notrans', `
-type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
-')
-
-define(`tmpfs_domain', `
-ifdef(`$1_tmpfs_t_defined',`', `
-define(`$1_tmpfs_t_defined')
-type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
-# Use this type when creating tmpfs/shm objects.
-file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
-allow $1_tmpfs_t tmpfs_t:filesystem associate;
-')
-')
-
-define(`var_lib_domain', `
-type $1_var_lib_t, file_type, sysadmfile;
-file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file)
-allow $1_t $1_var_lib_t:dir rw_dir_perms;
-')
-
-define(`log_domain', `
-type $1_log_t, file_type, sysadmfile, logfile;
-file_type_auto_trans($1_t, var_log_t, $1_log_t, file)
-')
-
-define(`logdir_domain', `
-log_domain($1)
-allow $1_t $1_log_t:dir { setattr rw_dir_perms };
-')
-
-define(`etc_domain', `
-type $1_etc_t, file_type, sysadmfile, usercanread;
-allow $1_t $1_etc_t:file r_file_perms;
-')
-
-define(`etcdir_domain', `
-etc_domain($1)
-allow $1_t $1_etc_t:dir r_dir_perms;
-allow $1_t $1_etc_t:lnk_file { getattr read };
-')
-
-define(`append_log_domain', `
-type $1_log_t, file_type, sysadmfile, logfile;
-allow $1_t var_log_t:dir ra_dir_perms;
-allow $1_t $1_log_t:file  { create ra_file_perms };
-type_transition $1_t var_log_t:file $1_log_t;
-')
-
-define(`append_logdir_domain', `
-append_log_domain($1)
-allow $1_t $1_log_t:dir { setattr ra_dir_perms };
-')
-
-define(`lock_domain', `
-type $1_lock_t, file_type, sysadmfile, lockfile;
-file_type_auto_trans($1_t, var_lock_t, $1_lock_t, file)
-')
-
-#######################
-# application_domain(domain_prefix)
-#
-# Define a domain with a base set of type declarations
-# and permissions that are common to simple applications.
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-define(`application_domain', `
-type $1_t, domain, privlog $2;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-role sysadm_r types $1_t;
-ifdef(`targeted_policy', `
-role system_r types $1_t;
-')
-domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
-uses_shlib($1_t)
-')
-
-define(`system_domain', `
-type $1_t, domain, privlog $2;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-role system_r types $1_t;
-uses_shlib($1_t)
-allow $1_t etc_t:dir r_dir_perms;
-')
-
-# Dontaudit macros to prevent flooding the log
-
-define(`dontaudit_getattr', `
-dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr; 
-dontaudit $1 unlabeled_t:dir_file_class_set getattr;
-dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
-')dnl end dontaudit_getattr 
-
-define(`dontaudit_search_dir', `
-dontaudit $1 file_type - secure_file_type:dir search;
-dontaudit $1 unlabeled_t:dir search;
-dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
-')dnl end dontaudit_search_dir
-
-define(`dontaudit_read_dir', `
-dontaudit $1 file_type - secure_file_type:dir read;
-dontaudit $1 unlabeled_t:dir read;
-dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
-')dnl end dontaudit_read_dir
-
-# Define legacy_domain  for legacy binaries (java)
-# "legacy" binary == lacks PT_GNU_STACK header, i.e. built with an old
-# toolchain.  They cause the kernel to automatically start translating all
-# read protection requests to read|execute for backward compatibility on
-# x86.  They will all need execmem and execmod, including execmod to
-# shlib_t and ld_so_t unlike non-legacy binaries.
-
-define(`legacy_domain', `
-allow $1_t self:process { execmem execstack };
-allow $1_t { texrel_shlib_t shlib_t }:file execmod;
-allow $1_t ld_so_t:file execmod;
-allow $1_t ld_so_cache_t:file execute;
-')
-
-
-# Allow domain to perform polyinstantiation functions
-# polyinstantiater(domain)
-
-define(`polyinstantiater', `
-
-ifdef(`support_polyinstantiation', `
-# Need to give access to /selinux/member
-allow $1 security_t:security compute_member;
-
-# Need to give access to the directories to be polyinstantiated
-allow $1 polydir:dir { getattr mounton add_name create setattr write search };
-
-# Need to give access to the polyinstantiated subdirectories
-allow $1 polymember:dir {getattr search };
-
-# Need to give access to parent directories where original
-# is remounted for polyinstantiation aware programs (like gdm)
-allow $1 polyparent:dir { getattr mounton };
-
-# Need to give permission to create directories where applicable
-allow $1 polymember: dir { create setattr };
-allow $1 polydir: dir { write add_name };
-allow $1 self:process setfscreate;
-allow $1 polyparent:dir { write add_name };
-# Default type for mountpoints
-allow $1 poly_t:dir { create mounton };
-
-# Need sys_admin capability for mounting
-allow $1 self:capability sys_admin;
-')dnl end else support_polyinstantiation
-
-')dnl end polyinstantiater
-
-# 
-# Domain that is allow to read anonymous data off the network
-# without providing authentication.
-# Also define boolean to allow anonymous writing
-#
-define(`anonymous_domain', `
-r_dir_file($1_t, { public_content_t public_content_rw_t } )
-bool allow_$1_anon_write false;
-if (allow_$1_anon_write) {
-create_dir_file($1_t,public_content_rw_t)
-}
-')
-# 
-# Define a domain that can do anything, so that it is
-# effectively unconfined by the SELinux policy.  This
-# means that it is only restricted by the normal Linux 
-# protections.  Note that you may need to add further rules
-# to allow other domains to interact with this domain as expected,
-# since this macro only allows the specified domain to act upon
-# all other domains and types, not vice versa.
-#
-define(`unconfined_domain', `
-
-typeattribute $1 unrestricted;
-typeattribute $1 privuser;
-
-# Mount/unmount any filesystem. 
-allow $1 fs_type:filesystem *;
-
-# Mount/unmount any filesystem with the context= option. 
-allow $1 file_type:filesystem *;
-
-# Create/access any file in a labeled filesystem;
-allow $1 file_type:{ file chr_file } ~execmod;
-allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
-allow $1 sysctl_t:{ dir file } *;
-allow $1 device_type:devfile_class_set *;
-allow $1 mtrr_device_t:file *;
-
-# Create/access other files.  fs_type is to pick up various
-# pseudo filesystem types that are applied to both the filesystem
-# and its files.
-allow $1 { unlabeled_t fs_type }:dir_file_class_set *;
-allow $1 proc_fs:{ dir file } *;
-
-# For /proc/pid
-r_dir_file($1,domain)
-# Write access is for setting attributes under /proc/self/attr.
-allow $1 self:file rw_file_perms;
-
-# Read and write sysctls.
-can_sysctl($1)
-
-# Access the network.
-allow $1 node_type:node *;
-allow $1 netif_type:netif *;
-allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
-allow $1 port_type:tcp_socket name_connect;
-
-# Bind to any network address.
-allow $1 port_type:{ rawip_socket tcp_socket udp_socket } name_bind;
-allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
-allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
-
-# Use/sendto/connectto sockets created by any domain.
-allow $1 domain:{ socket_class_set socket key_socket } *;
-
-# Use descriptors and pipes created by any domain.
-allow $1 domain:fd use;
-allow $1 domain:fifo_file rw_file_perms;
-
-# Act upon any other process.
-allow $1 domain:process ~{ transition dyntransition execmem };
-# Transition to myself, to make get_ordered_context_list happy.
-allow $1 self:process transition;
-
-if (allow_execmem) {
-# Allow making anonymous memory executable, e.g. 
-# for runtime-code generation or executable stack.
-allow $1 self:process execmem;
-}
-
-if (allow_execmem && allow_execstack) {
-# Allow making the stack executable via mprotect.
-allow $1 self:process execstack;
-}
-
-if (allow_execmod) {
-# Allow text relocations on system shared libraries, e.g. libGL.
-ifdef(`targeted_policy', `
-allow $1 file_type:file execmod;
-', `
-allow $1 texrel_shlib_t:file execmod;
-allow $1 home_type:file execmod;
-')
-}
-
-# Create/access any System V IPC objects.
-allow $1 domain:{ sem msgq shm } *;
-allow $1 domain:msg  { send receive };
-
-# Access the security API.
-if (!secure_mode_policyload) {
-allow $1 security_t:security *;
-auditallow $1 security_t:security { load_policy setenforce setbool };
-}dnl end if !secure_mode_policyload
-
-# Perform certain system operations that lacked individual capabilities.
-allow $1 kernel_t:system *;
-
-# Use any Linux capability.
-allow $1 self:capability *;
-
-# Set user information and skip authentication.
-allow $1 self:passwd *;
-
-# Communicate via dbusd.
-allow $1 self:dbus *;
-ifdef(`dbusd.te', `
-allow $1 system_dbusd_t:dbus *;
-')
-
-# Get info via nscd.
-allow $1 self:nscd *;
-ifdef(`nscd.te', `
-allow $1 nscd_t:nscd *;
-')
-
-')dnl end unconfined_domain
-
-
-define(`access_removable_media', `
-
-can_exec($1, { removable_t noexattrfile } )
-if (user_rw_noexattrfile) {
-create_dir_file($1, noexattrfile)
-create_dir_file($1, removable_t)
-# Write floppies 
-allow $1 removable_device_t:blk_file rw_file_perms;
-allow $1 usbtty_device_t:chr_file write;
-} else {
-r_dir_file($1, noexattrfile)
-r_dir_file($1, removable_t)
-allow $1 removable_device_t:blk_file r_file_perms;
-}
-allow $1 removable_t:filesystem getattr;
-
-')
-
-define(`authentication_domain', `
-can_ypbind($1)
-can_kerberos($1)
-can_ldap($1)
-can_resolve($1)
-can_winbind($1)
-r_dir_file($1, cert_t)
-allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
-allow $1 self:capability { audit_write audit_control };
-dontaudit $1 shadow_t:file { getattr read };
-allow $1 sbin_t:dir search;
-allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow $1 var_lib_t:dir r_dir_perms;
-rw_dir_file($1, var_auth_t)
-')
diff --git a/mls/macros/home_macros.te b/mls/macros/home_macros.te
deleted file mode 100644
index e780425..0000000
--- a/mls/macros/home_macros.te
+++ /dev/null
@@ -1,139 +0,0 @@
-# Home macros
-
-################################################
-# network_home(source)
-#
-# Allows source domain to use a network home
-# This includes privileges of create and execute
-# as well as the ability to create sockets and fifo
-
-define(`network_home', `
-allow $1 autofs_t:dir { search getattr };
-
-if (use_nfs_home_dirs) {
-create_dir_file($1, nfs_t)
-can_exec($1, nfs_t)
-allow $1 nfs_t:{ sock_file fifo_file } create_file_perms;
-}
-
-if (use_samba_home_dirs) {
-create_dir_file($1, cifs_t)
-can_exec($1, cifs_t)
-allow $1 cifs_t:{ sock_file fifo_file } create_file_perms;
-}
-') dnl network_home
-
-################################################
-# write_network_home(source)
-#
-# Allows source domain to create directories and
-# files on network file system
-
-define(`write_network_home', `
-allow $1 home_root_t:dir search;
-
-if (use_nfs_home_dirs) {
-create_dir_file($1, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1, cifs_t)
-}
-allow $1 autofs_t:dir { search getattr };
-') dnl write_network_home
-
-################################################
-# read_network_home(source)
-#
-# Allows source domain to read directories and
-# files on network file system
-
-define(`read_network_home', `
-allow $1 home_root_t:dir search;
-
-if (use_nfs_home_dirs) {
-r_dir_file($1, nfs_t)
-}
-if (use_samba_home_dirs) {
-r_dir_file($1, cifs_t)
-}
-allow $1 autofs_t:dir { search getattr };
-') dnl read_network_home
-
-##################################################
-# home_domain_ro_access(source, user, app)
-#
-# Gives source access to the read-only home
-# domain of app for the given user type
-
-define(`home_domain_ro_access', `
-allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
-read_network_home($1)
-ifelse($3, `', `
-r_dir_file($1, $2_home_t)
-', `
-r_dir_file($1, $2_$3_ro_home_t)
-')
-') dnl home_domain_ro_access
-
-#################################################
-# home_domain_access(source, user, app)
-#
-# Gives source full access to the home
-# domain of app for the given user type
-#
-# Requires transition in caller
-
-define(`home_domain_access', `
-allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
-write_network_home($1)
-ifelse($3, `', `
-file_type_auto_trans($1, $2_home_dir_t, $2_home_t)
-create_dir_file($1, $2_home_t)
-', `
-create_dir_file($1, $2_$3_home_t)
-')
-') dnl home_domain_access
-
-####################################################################
-# home_domain (prefix, app)
-#
-# Creates a domain in the prefix home where an application can
-# store its settings. It is accessible by the prefix domain.
-#
-# Requires transition in caller
-
-define(`home_domain', `
-
-# Declare home domain
-type $1_$2_home_t, file_type, $1_file_type, sysadmfile, polymember;
-typealias $1_$2_home_t alias $1_$2_rw_t;
-
-# User side access
-create_dir_file($1_t, $1_$2_home_t)
-allow $1_t $1_$2_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-# App side access
-home_domain_access($1_$2_t, $1, $2)
-')
-
-####################################################################
-# home_domain_ro (user, app)
-#
-# Creates a read-only domain in the user home where an application can
-# store its settings. It is fully accessible by the user, but
-# it is read-only for the application.
-#
-
-define(`home_domain_ro', `
-
-# Declare home domain
-type $1_$2_ro_home_t, file_type, $1_file_type, sysadmfile;
-typealias $1_$2_ro_home_t alias $1_$2_ro_t;
-
-# User side access
-create_dir_file($1_t, $1_$2_ro_home_t)
-allow $1_t $1_$2_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-# App side access
-home_domain_ro_access($1_$2_t, $1, $2)
-')
diff --git a/mls/macros/mini_user_macros.te b/mls/macros/mini_user_macros.te
deleted file mode 100644
index 9f7d994..0000000
--- a/mls/macros/mini_user_macros.te
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# Macros for all user login domains.
-#
-
-#
-# mini_user_domain(domain_prefix)
-#
-# Define derived types and rules for a minimal privs user domain named
-# $1_mini_t which is permitted to be in $1_r role and transition to $1_t.
-#
-undefine(`mini_user_domain')
-define(`mini_user_domain',`
-# user_t/$1_t is an unprivileged users domain.
-type $1_mini_t, domain, user_mini_domain;
-
-# for ~/.bash_profile and other files that the mini domain should be allowed
-# to read (but not write)
-type $1_home_mini_t, file_type, sysadmfile;
-allow $1_t $1_home_mini_t:file { create_file_perms relabelto relabelfrom };
-allow $1_mini_t $1_home_mini_t:file r_file_perms;
-
-# $1_r is authorized for $1_mini_t for the initial login domain.
-role $1_r types $1_mini_t;
-uses_shlib($1_mini_t)
-pty_slave_label($1_mini, `, userpty_type, mini_pty_type')
-
-allow $1_mini_t devtty_t:chr_file rw_file_perms;
-allow $1_mini_t { etc_t etc_runtime_t }:file { getattr read };
-dontaudit $1_mini_t proc_t:dir { getattr search };
-allow $1_mini_t self:unix_stream_socket create_socket_perms;
-allow $1_mini_t self:fifo_file rw_file_perms;
-allow $1_mini_t self:process { fork sigchld setpgid };
-dontaudit $1_mini_t var_t:dir search;
-allow $1_mini_t { bin_t sbin_t }:dir search;
-
-dontaudit $1_mini_t device_t:dir { getattr read };
-dontaudit $1_mini_t devpts_t:dir { getattr read };
-dontaudit $1_mini_t proc_t:lnk_file read;
-
-can_exec($1_mini_t, bin_t)
-allow $1_mini_t { home_root_t $1_home_dir_t }:dir search;
-dontaudit $1_mini_t home_root_t:dir getattr;
-dontaudit $1_mini_t $1_home_dir_t:dir { getattr read };
-dontaudit $1_mini_t $1_home_t:file { append getattr read write };
-
-dontaudit $1_mini_t fs_t:filesystem getattr;
-
-type_change $1_mini_t $1_mini_devpts_t:chr_file $1_devpts_t;
-# uncomment this if using mini domains for console logins
-#type_change $1_mini_t $1_tty_device_t:chr_file $1_tty_device_t;
-
-type_change $1_mini_t server_pty:chr_file $1_mini_devpts_t;
-type_change $1_t $1_mini_devpts_t:chr_file $1_devpts_t;
-
-domain_auto_trans($1_mini_t, newrole_exec_t, newrole_t)
-')dnl end mini_user_domain definition
-
diff --git a/mls/macros/network_macros.te b/mls/macros/network_macros.te
deleted file mode 100644
index 3d7bd06..0000000
--- a/mls/macros/network_macros.te
+++ /dev/null
@@ -1,191 +0,0 @@
-#################################
-#
-# can_network(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`base_can_network',`
-#
-# Allow the domain to create and use $2 sockets.
-# Other kinds of sockets must be separately authorized for use.
-allow $1 self:$2_socket connected_socket_perms;
-
-#
-# Allow the domain to send or receive using any network interface.
-# netif_type is a type attribute for all network interface types.
-#
-allow $1 netif_t:netif { $2_recv $2_send rawip_send rawip_recv };
-
-#
-# Allow the domain to send to or receive from any node.
-# node_type is a type attribute for all node types.
-#
-allow $1 node_type:node { $2_send rawip_send };
-allow $1 node_type:node { $2_recv rawip_recv };
-
-#
-# Allow the domain to send to or receive from any port.
-# port_type is a type attribute for all port types.
-#
-ifelse($3, `', `
-allow $1 port_type:$2_socket { send_msg recv_msg };
-', `
-allow $1 $3:$2_socket { send_msg recv_msg };
-')
-
-# XXX Allow binding to any node type.  Remove once
-# individual rules have been added to all domains that 
-# bind sockets. 
-allow $1 node_type:$2_socket node_bind;
-#
-# Allow access to network files including /etc/resolv.conf
-#
-allow $1 net_conf_t:file r_file_perms;
-')dnl end can_network definition
-
-#################################
-#
-# can_network_server_tcp(domain)
-#
-# Permissions for accessing a tcp network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_server_tcp',`
-base_can_network($1, tcp, `$2')
-allow $1 self:tcp_socket { listen accept };
-')
-
-#################################
-#
-# can_network_client_tcp(domain)
-#
-# Permissions for accessing a tcp network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_client_tcp',`
-base_can_network($1, tcp, `$2')
-allow $1 self:tcp_socket { connect };
-')
-
-#################################
-#
-# can_network_tcp(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_tcp',`
-
-can_network_server_tcp($1, `$2')
-can_network_client_tcp($1, `$2')
-
-')
-
-#################################
-#
-# can_network_udp(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_udp',`
-base_can_network($1, udp, `$2')
-allow $1 self:udp_socket { connect };
-')
-
-#################################
-#
-# can_network_server(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_server',`
-
-can_network_server_tcp($1, `$2')
-can_network_udp($1, `$2')
-
-')dnl end can_network_server definition
-
-
-#################################
-#
-# can_network_client(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_client',`
-
-can_network_client_tcp($1, `$2')
-can_network_udp($1, `$2')
-
-')dnl end can_network_client definition
-
-#################################
-#
-# can_network(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network',`
-
-can_network_tcp($1, `$2')
-can_network_udp($1, `$2')
-
-ifdef(`mount.te', `
-#
-# Allow the domain to send NFS client requests via the socket
-# created by mount.
-#
-allow $1 mount_t:udp_socket rw_socket_perms;
-')
-
-')dnl end can_network definition
-
-define(`can_resolve',`
-can_network_client($1, `dns_port_t')
-allow $1 dns_port_t:tcp_socket name_connect;
-')
-
-define(`can_portmap',`
-can_network_client($1, `portmap_port_t')
-allow $1 portmap_port_t:tcp_socket name_connect;
-')
-
-define(`can_ldap',`
-can_network_client_tcp($1, `ldap_port_t')
-allow $1 ldap_port_t:tcp_socket name_connect;
-')
-
-define(`can_winbind',`
-ifdef(`winbind.te', `
-allow $1 winbind_var_run_t:dir { getattr search };
-allow $1 winbind_t:unix_stream_socket connectto;
-allow $1 winbind_var_run_t:sock_file { getattr read write };
-')
-')
-
-
-#################################
-#
-# nsswitch_domain(domain)
-#
-# Permissions for looking up uid/username mapping via nsswitch
-#
-define(`nsswitch_domain', `
-can_resolve($1)
-can_ypbind($1)
-can_ldap($1)
-can_winbind($1)
-')
diff --git a/mls/macros/program/apache_macros.te b/mls/macros/program/apache_macros.te
deleted file mode 100644
index a1422be..0000000
--- a/mls/macros/program/apache_macros.te
+++ /dev/null
@@ -1,205 +0,0 @@
-
-define(`apache_domain', `
-
-#This type is for webpages
-#
-type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable;
-
-# This type is used for .htaccess files
-#
-type httpd_$1_htaccess_t, file_type, sysadmfile, customizable;
-allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
-
-# This type is used for executable scripts files
-#
-type httpd_$1_script_exec_t, file_type, sysadmfile, customizable;
-
-# Type that CGI scripts run as
-type httpd_$1_script_t, domain, privmail, nscd_client_domain;
-role system_r types httpd_$1_script_t;
-uses_shlib(httpd_$1_script_t)
-
-if (httpd_enable_cgi) {
-domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
-allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
-allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
-
-allow httpd_$1_script_t httpd_t:fd use;
-allow httpd_$1_script_t httpd_t:process sigchld;
-
-allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl };
-allow httpd_$1_script_t usr_t:lnk_file { getattr read };
-
-allow httpd_$1_script_t self:process { fork signal_perms };
-
-allow httpd_$1_script_t devtty_t:chr_file { getattr read write };
-allow httpd_$1_script_t urandom_device_t:chr_file { getattr read };
-allow httpd_$1_script_t etc_runtime_t:file { getattr read };
-read_locale(httpd_$1_script_t)
-allow httpd_$1_script_t fs_t:filesystem getattr;
-allow httpd_$1_script_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
-allow httpd_$1_script_t { self proc_t }:file r_file_perms;
-allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
-allow httpd_$1_script_t { self proc_t }:lnk_file read;
-
-allow httpd_$1_script_t device_t:dir { getattr search };
-allow httpd_$1_script_t null_device_t:chr_file rw_file_perms;
-}
-
-if (httpd_enable_cgi && httpd_can_network_connect) {
-can_network_client(httpd_$1_script_t)
-allow httpd_$1_script_t port_type:tcp_socket name_connect;
-}
-
-ifdef(`ypbind.te', `
-if (httpd_enable_cgi && allow_ypbind) {
-uncond_can_ypbind(httpd_$1_script_t)
-}
-')
-# The following are the only areas that 
-# scripts can read, read/write, or append to
-#
-type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile, customizable;
-type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;
-type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
-file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
-
-#########################################################
-# Permissions for running child processes and scripts
-##########################################################
-allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
-
-domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-
-allow httpd_$1_script_t httpd_t:fifo_file write;
-
-allow httpd_$1_script_t self:fifo_file rw_file_perms;
-
-allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms;
-
-###########################################################################
-# Allow the script interpreters to run the scripts.  So
-# the perl executable will be able to run a perl script
-#########################################################################
-allow httpd_$1_script_t httpd_$1_script_exec_t:dir r_dir_perms;
-can_exec_any(httpd_$1_script_t)
-
-allow httpd_$1_script_t etc_t:file { getattr read };
-dontaudit httpd_$1_script_t selinux_config_t:dir search;
-
-############################################################################
-# Allow the script process to search the cgi directory, and users directory
-##############################################################################
-allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
-can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
-allow httpd_$1_script_t home_root_t:dir { getattr search };
-allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
-
-#############################################################################
-# Allow the scripts to read, read/write, append to the specified directories
-# or files
-############################################################################
-read_fonts(httpd_$1_script_t)
-r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
-create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
-allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file rw_file_perms;
-ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
-anonymous_domain(httpd_$1_script)
-
-if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
-create_dir_file(httpd_$1_script_t, httpdcontent)
-can_exec(httpd_$1_script_t, httpdcontent)
-}
-
-#
-# If a user starts a script by hand it gets the proper context
-#
-ifdef(`targeted_policy', `', `
-if (httpd_enable_cgi) {
-domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-}
-')
-role sysadm_r types httpd_$1_script_t;
-
-dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
-dontaudit httpd_$1_script_t sysctl_t:dir search;
-
-############################################
-# Allow scripts to append to http logs
-#########################################
-allow httpd_$1_script_t { var_t var_log_t httpd_log_t }:dir  search;
-allow httpd_$1_script_t httpd_log_t:file { getattr append };
-
-# apache should set close-on-exec
-dontaudit  httpd_$1_script_t httpd_t:unix_stream_socket { read write };
-
-################################################################
-# Allow the web server to run scripts and serve pages
-##############################################################
-if (httpd_builtin_scripting) {
-r_dir_file(httpd_t, httpd_$1_script_ro_t)
-create_dir_file(httpd_t, httpd_$1_script_rw_t)
-allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;
-ra_dir_file(httpd_t, httpd_$1_script_ra_t)
-r_dir_file(httpd_t, httpd_$1_content_t)
-}
-
-')
-define(`apache_user_domain', `
-
-apache_domain($1)
-
-typeattribute httpd_$1_content_t $1_file_type;
-
-if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
-domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
-}
-
-if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
-# If a user starts a script by hand it gets the proper context
-domain_auto_trans($1_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-}
-role $1_r types httpd_$1_script_t;
-
-#######################################
-# Allow user to create or edit web content
-#########################################
-
-create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t })
-allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom };
-
-######################################################################
-# Allow the user to create htaccess files
-#####################################################################
-
-allow $1_t httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
-
-#########################################################################
-# Allow user to create files or directories 
-# that scripts are able to read, write, or append to
-###########################################################################
-
-create_dir_file($1_t, { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t })
-allow $1_t { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:{ file dir lnk_file } { relabelto relabelfrom };
-
-# allow accessing files/dirs below the users home dir
-if (httpd_enable_homedirs) {
-allow { httpd_t httpd_suexec_t httpd_$1_script_t } $1_home_dir_t:dir { getattr search };
-ifdef(`nfs_home_dirs', `
-r_dir_file(httpd_$1_script_t, nfs_t)
-')dnl end if nfs_home_dirs
-}
-ifdef(`crond.te', `
-create_dir_file($1_crond_t, httpd_$1_content_t)
-')
-
-ifdef(`ftpd.te', `
-if (ftp_home_dir) {
-create_dir_file(ftpd_t, httpd_$1_content_t)
-}
-')
-
-
-')
diff --git a/mls/macros/program/bonobo_macros.te b/mls/macros/program/bonobo_macros.te
deleted file mode 100644
index 4c3fdac..0000000
--- a/mls/macros/program/bonobo_macros.te
+++ /dev/null
@@ -1,117 +0,0 @@
-#
-# Bonobo
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# bonobo_domain(role_prefix) - invoke per role
-# bonobo_client(app_prefix, role_prefix) - invoke per client app
-# bonobo_connect(type1_prefix, type2_prefix) - 
-# 	connect two bonobo clients, the channel is bidirectional
-
-######################
-
-define(`bonobo_domain', `
-
-# Protect against double inclusion for faster compile
-ifdef(`bonobo_domain_$1', `', `
-define(`bonobo_domain_$1')
-
-# Type for daemon
-type $1_bonobo_t, domain, nscd_client_domain;
-
-# Transition from caller
-domain_auto_trans($1_t, bonobo_exec_t, $1_bonobo_t)
-role $1_r types $1_bonobo_t;
-
-# Shared libraries, gconv-modules
-uses_shlib($1_bonobo_t)
-allow $1_bonobo_t lib_t:file r_file_perms;
-
-read_locale($1_bonobo_t)
-read_sysctl($1_bonobo_t)
-
-# Session management 
-# FIXME: More specific context is needed for gnome-session
-ice_connect($1_bonobo, $1)
-
-# nsswitch.conf
-allow $1_bonobo_t etc_t:file { read getattr };
-
-# Fork to start apps
-allow $1_bonobo_t self:process { fork sigchld setpgid getsched signal };
-allow $1_bonobo_t self:fifo_file rw_file_perms;
-
-# ??? 
-allow $1_bonobo_t root_t:dir search;
-allow $1_bonobo_t home_root_t:dir search;
-allow $1_bonobo_t $1_home_dir_t:dir search;
-
-# libexec ??? 
-allow $1_bonobo_t bin_t:dir search;
-
-# ORBit sockets for bonobo
-orbit_domain($1_bonobo, $1)
-
-# Bonobo can launch evolution
-ifdef(`evolution.te', `
-domain_auto_trans($1_bonobo_t, evolution_exec_t, $1_evolution_t)
-domain_auto_trans($1_bonobo_t, evolution_alarm_exec_t, $1_evolution_alarm_t)
-domain_auto_trans($1_bonobo_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
-domain_auto_trans($1_bonobo_t, evolution_server_exec_t, $1_evolution_server_t)
-domain_auto_trans($1_bonobo_t, evolution_exchange_exec_t, $1_evolution_exchange_t)
-')
-
-# Bonobo can launch GNOME vfs daemon
-ifdef(`gnome_vfs.te', `
-domain_auto_trans($1_bonobo_t, gnome_vfs_exec_t, $1_gnome_vfs_t)
-')
-  
-# Transition to ROLE_t on bin_t apps
-# FIXME: The goal is to get rid of this rule, as it
-# defeats the purpose of a separate domain. It is only
-# here temporarily, since bonobo runs as ROLE_t by default anyway
-domain_auto_trans($1_bonobo_t, bin_t, $1_t) 
-
-can_pipe_xdm($1_bonobo_t)
-  
-') dnl ifdef bonobo_domain_args
-') dnl bonobo_domain
-
-#####################
-
-define(`bonobo_client', `
-
-# Protect against double inclusion for faster compile
-ifdef(`bonobo_client_$1_$2', `', `
-define(`bonobo_client_$1_$2')
-# Connect over bonobo
-bonobo_connect($1, $2_gconfd, $1)
- 
-# Create ORBit sockets
-orbit_domain($1, $2)
-
-# Connect to bonobo
-orbit_connect($1, $2_bonobo)
-orbit_connect($2_bonobo, $1)
-
-# Lock /tmp/bonobo-activation-register.lock
-# Stat /tmp/bonobo-activation-server.ior
-# FIXME: this should probably be of type $2_bonobo..
-# Note that this is file, not sock_file
-allow $1_t $2_orbit_tmp_t:file { getattr read write lock };
-
-domain_auto_trans($1_t, bonobo_exec_t, $2_bonobo_t)
-
-') dnl ifdef bonobo_client_args
-') dnl bonobo_client
-
-#####################
-
-define(`bonobo_connect', `
-
-# FIXME: Should there be a macro for unidirectional conn. ?
-
-orbit_connect($1, $2)
-orbit_connect($2, $1)
-
-') dnl bonobo_connect
diff --git a/mls/macros/program/cdrecord_macros.te b/mls/macros/program/cdrecord_macros.te
deleted file mode 100644
index 72d3f4f..0000000
--- a/mls/macros/program/cdrecord_macros.te
+++ /dev/null
@@ -1,53 +0,0 @@
-# macros for the cdrecord domain
-# Author: Thomas Bleher <ThomasBleher@gmx.de>
-
-define(`cdrecord_domain', `
-type $1_cdrecord_t, domain, privlog;
-
-domain_auto_trans($1_t, cdrecord_exec_t, $1_cdrecord_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_cdrecord_t;
-
-uses_shlib($1_cdrecord_t)
-read_locale($1_cdrecord_t)
-
-# allow ps to show cdrecord and allow the user to kill it 
-can_ps($1_t, $1_cdrecord_t)
-allow $1_t $1_cdrecord_t:process signal;
-
-# write to the user domain tty.
-access_terminal($1_cdrecord_t, $1)
-allow $1_cdrecord_t privfd:fd use;
-
-allow $1_cdrecord_t $1_t:unix_stream_socket { getattr read write ioctl };
-
-allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
-allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
-
-can_resmgrd_connect($1_cdrecord_t)
-
-read_content($1_cdrecord_t, $1, cdrecord) 
-
-allow $1_cdrecord_t etc_t:file { getattr read };
-
-# allow searching for cdrom-drive
-allow $1_cdrecord_t device_t:dir r_dir_perms;
-allow $1_cdrecord_t device_t:lnk_file { getattr read };
-
-# allow cdrecord to write the CD
-allow $1_cdrecord_t removable_device_t:blk_file { getattr read write ioctl };
-allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
-
-allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
-allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
-can_access_pty($1_cdrecord_t, $1)
-allow $1_cdrecord_t $1_home_t:dir search;
-allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;
-allow $1_cdrecord_t $1_home_t:file r_file_perms;
-if (use_nfs_home_dirs) {
-allow $1_cdrecord_t mnt_t:dir search;
-r_dir_file($1_cdrecord_t, nfs_t)
-}
-')
-
diff --git a/mls/macros/program/chkpwd_macros.te b/mls/macros/program/chkpwd_macros.te
deleted file mode 100644
index 2151d85..0000000
--- a/mls/macros/program/chkpwd_macros.te
+++ /dev/null
@@ -1,72 +0,0 @@
-#
-# Macros for chkpwd domains.
-#
-
-#
-# chkpwd_domain(domain_prefix)
-#
-# Define a derived domain for the *_chkpwd program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/su.te. 
-#
-undefine(`chkpwd_domain')
-ifdef(`chkpwd.te', `
-define(`chkpwd_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth;
-
-role $1_r types $1_chkpwd_t;
-
-# read /selinux/mls
-allow $1_chkpwd_t security_t:dir search;
-allow $1_chkpwd_t security_t:file read;
-# is_selinux_enabled
-allow $1_chkpwd_t proc_t:file read;
-
-can_getcon($1_chkpwd_t)
-authentication_domain($1_chkpwd_t)
-
-ifelse($1, system, `
-domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
-dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
-authentication_domain(auth_chkpwd)
-', `
-domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
-
-# Write to the user domain tty.
-access_terminal($1_chkpwd_t, $1)
-
-allow $1_chkpwd_t privfd:fd use;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors from newrole.
-ifdef(`newrole.te', `allow $1_chkpwd_t newrole_t:fd use;')
-')
-
-uses_shlib($1_chkpwd_t)
-allow $1_chkpwd_t etc_t:file { getattr read };
-allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms;
-allow $1_chkpwd_t self:unix_stream_socket create_socket_perms;
-read_locale($1_chkpwd_t)
-
-# Use capabilities.
-allow $1_chkpwd_t self:capability setuid;
-r_dir_file($1_chkpwd_t, selinux_config_t)
-
-# for nscd
-ifdef(`nscd.te', `', `
-dontaudit $1_chkpwd_t var_t:dir search;
-')
-
-dontaudit $1_chkpwd_t fs_t:filesystem getattr;
-')
-
-', `
-
-define(`chkpwd_domain',`')
-
-')
diff --git a/mls/macros/program/chroot_macros.te b/mls/macros/program/chroot_macros.te
deleted file mode 100644
index 47ca86b..0000000
--- a/mls/macros/program/chroot_macros.te
+++ /dev/null
@@ -1,131 +0,0 @@
-
-# macro for chroot environments
-# Author Russell Coker
-
-# chroot(initial_domain, basename, role, tty_device_type)
-define(`chroot', `
-
-ifelse(`$1', `initrc', `
-define(`chroot_role', `system_r')
-define(`chroot_tty_device', `{ console_device_t admin_tty_type }')
-define(`chroot_mount_domain', `mount_t')
-define(`chroot_fd_use', `{ privfd init_t }')
-', `
-define(`chroot_role', `$1_r')
-define(`chroot_tty_device', `{ $1_devpts_t $1_tty_device_t }')
-define(`chroot_fd_use', `privfd')
-
-# allow mounting /proc and /dev
-ifdef(`$1_mount_def', `', `
-mount_domain($1, $1_mount)
-role chroot_role types $1_mount_t;
-')
-define(`chroot_mount_domain', `$1_mount_t')
-ifdef(`ssh.te', `
-can_tcp_connect($1_ssh_t, $2_t)
-')dnl end ssh
-')dnl end ifelse initrc
-
-# types for read-only and read-write files in the chroot
-type $2_ro_t, file_type, sysadmfile, home_type, user_home_type;
-type $2_rw_t, file_type, sysadmfile, home_type, user_home_type;
-# type like $2_ro_t but that triggers a transition from $2_super_t to $2_t
-# when you execute it
-type $2_dropdown_t, file_type, sysadmfile, home_type, user_home_type;
-
-allow chroot_mount_domain { $2_rw_t $2_ro_t }:dir { getattr search mounton };
-allow chroot_mount_domain { $2_rw_t $2_ro_t }:file { getattr mounton };
-
-# entry point for $2_super_t
-type $2_super_entry_t, file_type, sysadmfile, home_type, user_home_type;
-# $2_t is the base domain, has full access to $2_rw_t files
-type $2_t, domain;
-# $2_super_t is the super-chroot domain, can also write to $2_ro_t
-# but still can not access outside the chroot
-type $2_super_t, domain;
-allow $2_super_t chroot_tty_device:chr_file rw_file_perms;
-
-ifdef(`$1_chroot_def', `', `
-dnl can not have this defined twice
-define(`$1_chroot_def')
-
-allow chroot_mount_domain { proc_t device_t fs_t }:filesystem { mount unmount };
-
-# $1_chroot_t is the domain for /usr/sbin/chroot
-type $1_chroot_t, domain;
-
-# allow $1_chroot_t to write to the tty device
-allow $1_chroot_t chroot_tty_device:chr_file rw_file_perms;
-allow $1_chroot_t chroot_fd_use:fd use;
-allow { $1_chroot_t $2_t $2_super_t } $1_t:fd use;
-
-role chroot_role types $1_chroot_t;
-uses_shlib($1_chroot_t)
-allow $1_chroot_t self:capability sys_chroot;
-allow $1_t $1_chroot_t:dir { search getattr read };
-allow $1_t $1_chroot_t:{ file lnk_file } { read getattr };
-domain_auto_trans($1_t, chroot_exec_t, $1_chroot_t)
-allow $1_chroot_t fs_t:filesystem getattr;
-')dnl End conditional
-
-role chroot_role types { $2_t $2_super_t };
-
-# allow ps to show processes and allow killing them
-allow $1_t { $2_super_t $2_t }:dir { search getattr read };
-allow $1_t { $2_super_t $2_t }:{ file lnk_file } { read getattr };
-allow $1_t { $2_super_t $2_t }:process signal_perms;
-allow $2_super_t $2_t:dir { search getattr read };
-allow $2_super_t $2_t:{ file lnk_file } { read getattr };
-allow { $1_t $2_super_t } $2_t:process { signal_perms ptrace };
-allow $1_t $2_super_t:process { signal_perms ptrace };
-allow sysadm_t { $2_super_t $2_t }:process { signal_perms ptrace };
-
-allow { $2_super_t $2_t } { fs_t device_t }:filesystem getattr;
-allow { $2_super_t $2_t } device_t:dir { search getattr };
-allow { $2_super_t $2_t } devtty_t:chr_file rw_file_perms;
-allow { $2_super_t $2_t } random_device_t:chr_file r_file_perms;
-allow { $2_super_t $2_t } self:capability { fowner chown fsetid setgid setuid net_bind_service sys_tty_config };
-allow $2_super_t self:capability sys_ptrace;
-
-can_tcp_connect($2_super_t, $2_t)
-allow { $2_super_t $2_t } $2_rw_t:sock_file create_file_perms;
-
-# quiet ps and killall
-dontaudit { $2_super_t $2_t } domain:dir { search getattr };
-
-# allow $2_t to write to the owner tty device (should remove this)
-allow $2_t chroot_tty_device:chr_file { read write };
-
-r_dir_file($1_chroot_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-can_exec($2_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-can_exec($2_super_t, { $2_ro_t $2_super_entry_t })
-create_dir_notdevfile($2_super_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-# $2_super_t transitions to $2_t when it executes
-# any file that $2_t can write
-domain_auto_trans($2_super_t, { $2_rw_t $2_dropdown_t }, $2_t)
-allow $1_chroot_t { $2_ro_t $2_rw_t }:lnk_file read;
-r_dir_file($2_t, { $2_ro_t $2_super_entry_t $2_dropdown_t })
-create_dir_notdevfile($2_t, $2_rw_t)
-allow $2_t $2_rw_t:fifo_file create_file_perms;
-allow $2_t $2_ro_t:fifo_file rw_file_perms;
-allow { $1_t $2_super_t } { $2_rw_t $2_ro_t }:fifo_file create_file_perms;
-create_dir_notdevfile($1_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-can_exec($1_t, { $2_ro_t $2_dropdown_t })
-domain_auto_trans($1_chroot_t, { $2_ro_t $2_rw_t $2_dropdown_t }, $2_t)
-domain_auto_trans($1_chroot_t, $2_super_entry_t, $2_super_t)
-allow { $1_t $2_super_t } { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }:{ dir notdevfile_class_set } { relabelfrom relabelto };
-general_proc_read_access({ $2_t $2_super_t })
-general_domain_access({ $2_t $2_super_t })
-can_create_pty($2)
-can_create_pty($2_super)
-can_network({ $2_t $2_super_t })
-allow { $2_t $2_super_t } port_type:tcp_socket name_connect;
-allow { $2_t $2_super_t } null_device_t:chr_file rw_file_perms;
-allow $2_super_t { $2_rw_t $2_ro_t }:{ dir file } mounton;
-allow { $2_t $2_super_t } self:capability { dac_override kill };
-
-undefine(`chroot_role')
-undefine(`chroot_tty_device')
-undefine(`chroot_mount_domain')
-undefine(`chroot_fd_use')
-')
diff --git a/mls/macros/program/clamav_macros.te b/mls/macros/program/clamav_macros.te
deleted file mode 100644
index bc15930..0000000
--- a/mls/macros/program/clamav_macros.te
+++ /dev/null
@@ -1,58 +0,0 @@
-#
-# Macros for clamscan
-#
-# Author:  Brian May <bam@snoopy.apana.org.au>
-#
-
-#
-# can_clamd_connect(domain_prefix)
-#
-# Define a domain that can access clamd
-#
-define(`can_clamd_connect',`
-allow $1_t clamd_var_run_t:dir search;
-allow $1_t clamd_var_run_t:sock_file write;
-allow $1_t clamd_sock_t:sock_file write;
-can_unix_connect($1_t, clamd_t)
-')
-
-# clamscan_domain(domain_prefix)
-#
-# Define a derived domain for the clamscan program when executed
-#
-define(`clamscan_domain', `
-# Derived domain based on the calling user domain and the program.
-type $1_clamscan_t, domain, privlog;
-
-# Uses shared librarys
-uses_shlib($1_clamscan_t)
-allow $1_clamscan_t fs_t:filesystem getattr;
-r_dir_file($1_clamscan_t, etc_t)
-read_locale($1_clamscan_t)
-
-# Access virus signatures
-allow $1_clamscan_t var_lib_t:dir search;
-r_dir_file($1_clamscan_t, clamav_var_lib_t)
-
-# Allow temp files
-tmp_domain($1_clamscan)
-
-# Why is this required?
-allow $1_clamscan_t proc_t:dir r_dir_perms;
-allow $1_clamscan_t proc_t:file r_file_perms;
-read_sysctl($1_clamscan_t)
-allow $1_clamscan_t self:unix_stream_socket { connect create read write };
-')
-
-define(`user_clamscan_domain',`
-clamscan_domain($1)
-role $1_r types $1_clamscan_t;
-domain_auto_trans($1_t, clamscan_exec_t, $1_clamscan_t)
-access_terminal($1_clamscan_t, $1)
-r_dir_file($1_clamscan_t,$1_home_t);
-r_dir_file($1_clamscan_t,$1_home_dir_t);
-allow $1_clamscan_t $1_home_t:file r_file_perms;
-allow $1_clamscan_t privfd:fd use;
-ifdef(`gnome-pty-helper.te', `allow $1_clamscan_t $1_gph_t:fd use;')
-')
-
diff --git a/mls/macros/program/crond_macros.te b/mls/macros/program/crond_macros.te
deleted file mode 100644
index 5e61d7d..0000000
--- a/mls/macros/program/crond_macros.te
+++ /dev/null
@@ -1,126 +0,0 @@
-#
-# Macros for crond domains.
-#
-
-#
-# Authors:  Jonathan Crowley (MITRE) <jonathan@mitre.org>,
-#	    Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
-#           Russell Coker <rcoker@redhat.com>
-#
-
-#
-# crond_domain(domain_prefix)
-#
-# Define a derived domain for cron jobs executed by crond on behalf 
-# of a user domain.  These domains are separate from the top-level domain
-# defined for the crond daemon and the domain defined for system cron jobs,
-# which are specified in domains/program/crond.te.
-#
-undefine(`crond_domain')
-define(`crond_domain',`
-# Derived domain for user cron jobs, user user_crond_domain if not system
-ifelse(`system', `$1', `
-type $1_crond_t, domain, privlog, privmail, nscd_client_domain;
-', `
-type $1_crond_t, domain, user_crond_domain;
-
-# Access user files and dirs.
-allow $1_crond_t home_root_t:dir search;
-file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)
-
-# Run scripts in user home directory and access shared libs.
-can_exec($1_crond_t, $1_home_t)
-
-file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t)
-')
-r_dir_file($1_crond_t, selinux_config_t)
-
-# Type of user crontabs once moved to cron spool.
-type $1_cron_spool_t, file_type, sysadmfile;
-
-ifdef(`fcron.te', `
-allow crond_t $1_cron_spool_t:file create_file_perms;
-')
-
-allow $1_crond_t urandom_device_t:chr_file { getattr read };
-
-allow $1_crond_t usr_t:file { getattr ioctl read };
-allow $1_crond_t usr_t:lnk_file read;
-
-# Permit a transition from the crond_t domain to this domain.
-# The transition is requested explicitly by the modified crond 
-# via execve_secure.  There is no way to set up an automatic
-# transition, since crontabs are configuration files, not executables.
-domain_trans(crond_t, shell_exec_t, $1_crond_t)
-
-ifdef(`mta.te', `
-domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
-allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };
-
-# $1_mail_t should only be reading from the cron fifo not needing to write
-dontaudit $1_mail_t crond_t:fifo_file write;
-allow mta_user_agent $1_crond_t:fd use;
-')
-
-# The user role is authorized for this domain.
-role $1_r types $1_crond_t;
-
-# This domain is granted permissions common to most domains.
-can_network($1_crond_t)
-allow $1_crond_t port_type:tcp_socket name_connect;
-can_ypbind($1_crond_t)
-r_dir_file($1_crond_t, self)
-allow $1_crond_t self:fifo_file rw_file_perms;
-allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_crond_t self:unix_dgram_socket create_socket_perms;
-allow $1_crond_t etc_runtime_t:file { getattr read };
-allow $1_crond_t self:process { fork signal_perms setsched };
-allow $1_crond_t proc_t:dir r_dir_perms;
-allow $1_crond_t proc_t:file { getattr read ioctl };
-read_locale($1_crond_t)
-read_sysctl($1_crond_t)
-allow $1_crond_t var_spool_t:dir search;
-allow $1_crond_t fs_type:filesystem getattr;
-
-allow $1_crond_t devtty_t:chr_file { read write };
-allow $1_crond_t var_t:dir r_dir_perms;
-allow $1_crond_t var_t:file { getattr read ioctl };
-allow $1_crond_t var_log_t:dir search;
-
-# Use capabilities.
-allow $1_crond_t self:capability dac_override;
-
-# Inherit and use descriptors from initrc - I think this is wrong
-#allow $1_crond_t initrc_t:fd use;
-
-# 
-# Since crontab files are not directly executed,
-# crond must ensure that the crontab file has
-# a type that is appropriate for the domain of
-# the user cron job.  It performs an entrypoint
-# permission check for this purpose.
-#
-allow $1_crond_t $1_cron_spool_t:file entrypoint;
-
-# Run helper programs.
-can_exec_any($1_crond_t)
-
-# ps does not need to access /boot when run from cron
-dontaudit $1_crond_t boot_t:dir search;
-# quiet other ps operations
-dontaudit $1_crond_t domain:dir { getattr search };
-# for nscd
-dontaudit $1_crond_t var_run_t:dir search;
-')
-
-# When system_crond_t domain executes a type $1 executable then transition to
-# domain $2, allow $2 to interact with crond_t as well.
-define(`system_crond_entry', `
-ifdef(`crond.te', `
-domain_auto_trans(system_crond_t, $1, $2)
-allow $2 crond_t:fifo_file { getattr read write ioctl };
-# a rule for privfd may make this obsolete
-allow $2 crond_t:fd use;
-allow $2 crond_t:process sigchld;
-')dnl end ifdef
-')dnl end system_crond_entry
diff --git a/mls/macros/program/crontab_macros.te b/mls/macros/program/crontab_macros.te
deleted file mode 100644
index a18d80f..0000000
--- a/mls/macros/program/crontab_macros.te
+++ /dev/null
@@ -1,102 +0,0 @@
-#
-# Macros for crontab domains.
-#
-
-#
-# Authors:  Jonathan Crowley (MITRE) <jonathan@mitre.org>
-# Revised by Stephen Smalley <sds@epoch.ncsc.mil>
-#
-
-#
-# crontab_domain(domain_prefix)
-#
-# Define a derived domain for the crontab program when executed by
-# a user domain.  
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/crontab.te. 
-#
-undefine(`crontab_domain')
-define(`crontab_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_crontab_t, domain, privlog;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t)
-
-can_ps($1_t, $1_crontab_t)
-
-# for ^Z
-allow $1_t $1_crontab_t:process signal;
-
-# The user role is authorized for this domain.
-role $1_r types $1_crontab_t;
-
-uses_shlib($1_crontab_t)
-allow $1_crontab_t etc_t:file { getattr read };
-allow $1_crontab_t self:unix_stream_socket create_socket_perms;
-allow $1_crontab_t self:unix_dgram_socket create_socket_perms;
-read_locale($1_crontab_t)
-
-# Use capabilities dac_override is to create the file in the directory
-# under /tmp
-allow $1_crontab_t self:capability { setuid setgid chown dac_override };
-
-# Type for temporary files.
-file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
-
-# Use the type when creating files in /var/spool/cron.
-allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };
-allow $1_crontab_t { var_t var_spool_t }:dir { getattr search };
-file_type_auto_trans($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
-allow $1_crontab_t self:process { fork signal_perms };
-ifdef(`fcron.te', `
-# fcron wants an instant update of a crontab change for the administrator
-# also crontab does a security check for crontab -u
-ifelse(`$1', `sysadm', `
-allow $1_crontab_t crond_t:process signal;
-can_setfscreate($1_crontab_t)
-', `
-dontaudit $1_crontab_t crond_t:process signal;
-')dnl end ifelse
-')dnl end ifdef fcron
-
-# for the checks used by crontab -u
-dontaudit $1_crontab_t security_t:dir search;
-allow $1_crontab_t proc_t:dir search;
-allow $1_crontab_t proc_t:{ file lnk_file } { getattr read };
-allow $1_crontab_t selinux_config_t:dir search;
-allow $1_crontab_t selinux_config_t:file { getattr read };
-dontaudit $1_crontab_t self:dir search;
-
-# crontab signals crond by updating the mtime on the spooldir
-allow $1_crontab_t cron_spool_t:dir setattr;
-# Allow crond to read those crontabs in cron spool.
-allow crond_t $1_cron_spool_t:file r_file_perms;
-
-# Run helper programs as $1_t
-allow $1_crontab_t { bin_t sbin_t }:dir search;
-allow $1_crontab_t bin_t:lnk_file read;
-domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t)
-
-# Read user crontabs 
-allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;  
-allow $1_crontab_t $1_home_t:file r_file_perms;  
-dontaudit $1_crontab_t $1_home_dir_t:dir write;
-
-# Access the cron log file.
-allow $1_crontab_t crond_log_t:file r_file_perms;
-allow $1_crontab_t crond_log_t:file append;
-
-# Access terminals.
-allow $1_crontab_t device_t:dir search;
-access_terminal($1_crontab_t, $1);
-
-allow $1_crontab_t fs_t:filesystem getattr;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
-allow $1_crontab_t privfd:fd use;
-
-dontaudit $1_crontab_t var_run_t:dir search;
-')
diff --git a/mls/macros/program/daemontools_macros.te b/mls/macros/program/daemontools_macros.te
deleted file mode 100644
index 94c4f8e..0000000
--- a/mls/macros/program/daemontools_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-ifdef(`daemontools.te', `
-
-define(`svc_ipc_domain',`
-allow $1 svc_start_t:process sigchld;
-allow $1 svc_start_t:fd use;
-allow $1 svc_start_t:fifo_file { read write getattr };
-allow svc_start_t $1:process signal; 
-')
-
-') dnl ifdef daemontools
-
diff --git a/mls/macros/program/dbusd_macros.te b/mls/macros/program/dbusd_macros.te
deleted file mode 100644
index 2e542a0..0000000
--- a/mls/macros/program/dbusd_macros.te
+++ /dev/null
@@ -1,90 +0,0 @@
-#
-# Macros for Dbus
-#
-# Author: Colin Walters <walters@redhat.com>
-
-# dbusd_domain(domain_prefix)
-#
-# Define a derived domain for the DBus daemon.
-
-define(`dbusd_domain', `
-ifelse(`system', `$1',`
-daemon_domain(system_dbusd, `, userspace_objmgr, nscd_client_domain', `nosysadm')
-# For backwards compatibility
-typealias system_dbusd_t alias dbusd_t;
-type etc_dbusd_t, file_type, sysadmfile;
-',`
-type $1_dbusd_t, domain, privlog, nscd_client_domain, userspace_objmgr;
-role $1_r types $1_dbusd_t;
-domain_auto_trans($1_t, system_dbusd_exec_t, $1_dbusd_t)
-read_locale($1_dbusd_t)
-allow $1_t $1_dbusd_t:process { sigkill signal };
-allow $1_dbusd_t self:process { sigkill signal };
-dontaudit $1_dbusd_t var_t:dir { getattr search };
-')dnl end ifelse system
-
-base_file_read_access($1_dbusd_t)
-uses_shlib($1_dbusd_t)
-allow $1_dbusd_t etc_t:file { getattr read };
-r_dir_file($1_dbusd_t, etc_dbusd_t)
-tmp_domain($1_dbusd) 
-allow $1_dbusd_t self:process fork;
-can_pipe_xdm($1_dbusd_t)
-
-allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
-
-allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
-allow $1_dbusd_t self:file { getattr read write };
-allow $1_dbusd_t proc_t:file read;
-
-can_getsecurity($1_dbusd_t)
-r_dir_file($1_dbusd_t, default_context_t)
-allow $1_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
-
-ifdef(`pamconsole.te', `
-r_dir_file($1_dbusd_t, pam_var_console_t)
-')
-
-allow $1_dbusd_t self:dbus { send_msg acquire_svc };
-
-')dnl end dbusd_domain definition
-
-# dbusd_client(dbus_type, domain_prefix)
-# Example: dbusd_client_domain(system, user)
-#
-# Define a new derived domain for connecting to dbus_type
-# from domain_prefix_t. 
-undefine(`dbusd_client')
-define(`dbusd_client',`
-
-ifdef(`dbusd.te',`
-# Derived type used for connection
-type $2_dbusd_$1_t;
-type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t;
-
-# SE-DBus specific permissions
-allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
-
-# For connecting to the bus
-allow $2_t $1_dbusd_t:unix_stream_socket connectto;
-
-ifelse(`system', `$1', `
-allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search;
-allow { $2_t } system_dbusd_var_run_t:sock_file write;
-',`') dnl endif system
-') dnl endif dbusd.te
-')
-
-# can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b)
-# Example: can_dbusd_converse(system, hald, updfstab)
-# Example: can_dbusd_converse(session, user, user)
-define(`can_dbusd_converse',`')
-ifdef(`dbusd.te',`
-undefine(`can_dbusd_converse')
-define(`can_dbusd_converse',`
-allow $2_dbusd_$1_t $3_dbusd_$1_t:dbus { send_msg };
-allow $3_dbusd_$1_t $2_dbusd_$1_t:dbus { send_msg };
-') dnl endif dbusd.te
-')
diff --git a/mls/macros/program/ethereal_macros.te b/mls/macros/program/ethereal_macros.te
deleted file mode 100644
index 36f1a96..0000000
--- a/mls/macros/program/ethereal_macros.te
+++ /dev/null
@@ -1,82 +0,0 @@
-# DESC - Ethereal  
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-#############################################################
-# ethereal_networking(app_prefix) - 
-#	restricted ethereal rules (sysadm only)
-#                               
-
-define(`ethereal_networking', `
-
-# Create various types of sockets
-allow $1_t self:netlink_route_socket create_netlink_socket_perms;
-allow $1_t self:udp_socket create_socket_perms;
-allow $1_t self:packet_socket create_socket_perms;
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_t self:tcp_socket create_socket_perms;
-
-allow $1_t self:capability { dac_override dac_read_search net_raw setgid setuid };
-
-# Resolve names via DNS
-can_resolve($1_t)
-
-') dnl ethereal_networking
-
-########################################################
-# Ethereal (GNOME) 
-#
-
-define(`ethereal_domain', `
-
-# Type for program
-type $1_ethereal_t, domain, nscd_client_domain;
-
-# Transition from sysadm type
-domain_auto_trans($1_t, ethereal_exec_t, $1_ethereal_t)
-role $1_r types $1_ethereal_t;
-
-# Manual transition from userhelper 
-ifdef(`userhelper.te', `
-allow userhelperdomain $1_ethereal_t:process { transition siginh rlimitinh noatsecure };
-allow $1_ethereal_t userhelperdomain:fd use;
-allow $1_ethereal_t userhelperdomain:process sigchld;
-') dnl userhelper
-
-# X, GNOME
-x_client_domain($1_ethereal, $1)
-gnome_application($1_ethereal, $1)
-gnome_file_dialog($1_ethereal, $1)
-
-# Why does it write this?
-ifdef(`snmpd.te', `
-dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
-')
-
-# /home/.ethereal
-home_domain($1, ethereal)
-file_type_auto_trans($1_ethereal_t, $1_home_dir_t, $1_ethereal_home_t, dir)
-
-# Enable restricted networking rules for sysadm - this is shared w/ tethereal
-ifelse($1, `sysadm', `
-ethereal_networking($1_ethereal) 
-
-# Ethereal tries to write to user terminal
-dontaudit sysadm_ethereal_t user_tty_type:chr_file { read write };
-dontaudit sysadm_ethereal_t unpriv_userdomain:fd use;
-', `')
-
-# Store temporary files
-tmp_domain($1_ethereal)
-
-# Re-execute itself (why?)
-can_exec($1_ethereal_t, ethereal_exec_t)
-allow $1_ethereal_t sbin_t:dir search;
-
-# Supress .local denials until properly implemented
-dontaudit $1_ethereal_t $1_home_t:dir search;
-
-# FIXME: policy is incomplete
-
-') dnl ethereal_domain 
diff --git a/mls/macros/program/evolution_macros.te b/mls/macros/program/evolution_macros.te
deleted file mode 100644
index 37fc087..0000000
--- a/mls/macros/program/evolution_macros.te
+++ /dev/null
@@ -1,234 +0,0 @@
-#
-# Evolution   
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-################################################
-# evolution_common(app_prefix,role_prefix)
-# 
-define(`evolution_common', `
-
-# Gnome common stuff
-gnome_application($1, $2)
-
-# Stat root
-allow $1_t root_t:dir search;
-
-# Access null device 
-allow $1_t null_device_t:chr_file rw_file_perms;
-
-# FIXME: suppress access to .local/.icons/.themes until properly implemented
-dontaudit $1_t $2_home_t:dir r_dir_perms;
-
-# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-# until properly implemented
-dontaudit $1_t $2_home_t:file r_file_perms;
-
-') dnl evolution_common
-
-#######################################
-# evolution_data_server(role_prefix) 
-#
-
-define(`evolution_data_server', `
-
-# Type for daemon
-type $1_evolution_server_t, domain, nscd_client_domain;
-
-# Transition from user type
-if (! disable_evolution_trans) {
-domain_auto_trans($1_t, evolution_server_exec_t, $1_evolution_server_t)
-}
-role $1_r types $1_evolution_server_t;
-
-# Evolution common stuff
-evolution_common($1_evolution_server, $1)
-
-# Access evolution home
-home_domain_access($1_evolution_server_t, $1, evolution)
-
-# Talks to exchange
-bonobo_connect($1_evolution_server, $1_evolution_exchange)
-
-can_exec($1_evolution_server_t, shell_exec_t)
-
-# Obtain weather data via http (read server name from xml file in /usr)
-allow $1_evolution_server_t usr_t:file r_file_perms;
-can_resolve($1_evolution_server_t)
-can_network_client_tcp($1_evolution_server_t, { http_port_t http_cache_port_t } )
-allow $1_evolution_server_t { http_cache_port_t http_port_t }:tcp_socket name_connect;
-
-# Talk to ldap (address book)
-can_network_client_tcp($1_evolution_server_t, ldap_port_t)
-allow $1_evolution_server_t ldap_port_t:tcp_socket name_connect;
-
-# Look in /etc/pki
-r_dir_file($1_evolution_server_t, cert_t)
-
-') dnl evolution_data_server
-
-#######################################
-# evolution_webcal(role_prefix)
-#
-
-define(`evolution_webcal', `
-
-# Type for program
-type $1_evolution_webcal_t, domain, nscd_client_domain;
-
-# Transition from user type
-domain_auto_trans($1_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
-role $1_r types $1_evolution_webcal_t;
-
-# X/evolution common stuff
-x_client_domain($1_evolution_webcal, $1)
-evolution_common($1_evolution_webcal, $1)
-
-# Search home directory (?)
-allow $1_evolution_webcal_t $1_home_dir_t:dir search;
-
-# Networking capability - connect to website and handle ics link
-# FIXME: is this necessary ?
-can_resolve($1_evolution_webcal_t);
-can_network_client_tcp($1_evolution_webcal_t, { http_port_t http_cache_port_t } )
-allow $1_evolution_webcal_t { http_cache_port_t http_port_t } :tcp_socket name_connect;
-  
-') dnl evolution_webcal
-
-#######################################
-# evolution_alarm(role_prefix)
-#
-define(`evolution_alarm', `
-
-# Type for program
-type $1_evolution_alarm_t, domain, nscd_client_domain;
-
-# Transition from user type
-domain_auto_trans($1_t, evolution_alarm_exec_t, $1_evolution_alarm_t)
-role $1_r types $1_evolution_alarm_t;
-
-# Common evolution stuff, X
-evolution_common($1_evolution_alarm, $1)
-x_client_domain($1_evolution_alarm, $1)
-
-# Connect to exchange, e-d-s
-bonobo_connect($1_evolution_alarm, $1_evolution_server) 
-bonobo_connect($1_evolution_alarm, $1_evolution_exchange)
-
-# Access evolution home
-home_domain_access($1_evolution_alarm_t, $1, evolution)
-
-') dnl evolution_alarm
-
-########################################
-# evolution_exchange(role_prefix)
-#
-define(`evolution_exchange', `
-
-# Type for program
-type $1_evolution_exchange_t, domain, nscd_client_domain;
-
-# Transition from user type
-domain_auto_trans($1_t, evolution_exchange_exec_t, $1_evolution_exchange_t)
-role $1_r types $1_evolution_exchange_t;
-
-# Common evolution stuff, X
-evolution_common($1_evolution_exchange, $1)
-x_client_domain($1_evolution_exchange, $1)
-
-# Access evolution home
-home_domain_access($1_evolution_exchange_t, $1, evolution)
-
-# /tmp/.exchange-$USER
-tmp_domain($1_evolution_exchange)
- 
-# Allow netstat
-allow $1_evolution_exchange_t bin_t:dir search; 
-can_exec($1_evolution_exchange_t, bin_t)
-r_dir_file($1_evolution_exchange_t, proc_net_t)
-allow $1_evolution_exchange_t sysctl_net_t:dir search;
-allow $1_evolution_exchange_t self:{ udp_socket tcp_socket } create_socket_perms;
-
-# Clock applet talks to exchange (FIXME: Needs policy)
-bonobo_connect($1, $1_evolution_exchange)
-
-# FIXME: policy incomplete
-
-') dnl evolution_exchange
-
-#######################################
-# evolution_domain(role_prefix)
-#
-
-define(`evolution_domain', `
-
-# Type for program
-type $1_evolution_t, domain, nscd_client_domain, privlog; 
-
-# Transition from user type
-domain_auto_trans($1_t, evolution_exec_t, $1_evolution_t)
-role $1_r types $1_evolution_t;
-
-# X, mail, evolution common stuff 
-x_client_domain($1_evolution, $1)
-mail_client_domain($1_evolution, $1)
-gnome_file_dialog($1_evolution, $1)
-evolution_common($1_evolution, $1)
-
-# Connect to e-d-s, exchange, alarm
-bonobo_connect($1_evolution, $1_evolution_server)
-bonobo_connect($1_evolution, $1_evolution_exchange)
-bonobo_connect($1_evolution, $1_evolution_alarm)
-
-# Access .evolution
-home_domain($1, evolution)
-
-# Store passwords in .gnome2_private
-gnome_private_store($1_evolution, $1) 
-
-# Run various programs
-allow $1_evolution_t { bin_t sbin_t }:dir r_dir_perms;
-allow $1_evolution_t { self bin_t }:lnk_file r_file_perms;
-
-### Junk mail filtering (start spamd)
-ifdef(`spamd.te', `
-# Start the spam daemon
-domain_auto_trans($1_evolution_t, spamd_exec_t, spamd_t)
-role $1_r types spamd_t;
-
-# Write pid file and socket in ~/.evolution/cache/tmp
-file_type_auto_trans(spamd_t, $1_evolution_home_t, spamd_tmp_t, { file sock_file })
-
-# Allow evolution to signal the daemon
-# FIXME: Now evolution can read spamd temp files
-allow $1_evolution_t spamd_tmp_t:file r_file_perms;
-allow $1_evolution_t spamd_t:process signal;
-dontaudit $1_evolution_t spamd_tmp_t:sock_file getattr;
-') dnl spamd.te
-
-### Junk mail filtering (start spamc)
-ifdef(`spamc.te', `
-domain_auto_trans($1_evolution_t, spamc_exec_t, $1_spamc_t)
-
-# Allow connection to spamd socket above
-allow $1_spamc_t $1_evolution_home_t:dir search;
-') dnl spamc.te
-
-### Junk mail filtering (start spamassassin) 
-ifdef(`spamassassin.te', `
-domain_auto_trans($1_evolution_t, spamassassin_exec_t, $1_spamassassin_t)
-') dnl spamassasin.te
-
-') dnl evolution_domain
-
-#################################
-#  evolution_domains(role_prefix) 
-
-define(`evolution_domains', `
-evolution_domain($1)
-evolution_data_server($1)
-evolution_webcal($1)
-evolution_alarm($1)
-evolution_exchange($1)
-') dnl end evolution_domains
diff --git a/mls/macros/program/exim_macros.te b/mls/macros/program/exim_macros.te
deleted file mode 100644
index 610ca15..0000000
--- a/mls/macros/program/exim_macros.te
+++ /dev/null
@@ -1,75 +0,0 @@
-#DESC Exim - Mail server
-#
-# Author:  David Hampton <hampton@employees.org>
-# From postfix.te by Russell Coker <russell@coker.com.au>
-# Depends: mta.te
-#
-
-##########
-# Permissions common to the exim daemon, and exim invoked by a user to
-# send a file
-##########
-define(`exim_common',`
-
-# Networking - All instances need to talk to other mail hosts and
-# amavisd
-can_network_tcp($1_t);
-allow $1_t smtp_port_t:tcp_socket name_connect;
-##  can_network_client_tcp($1_t, smtp_port_t);
-##  ifdef(`amavis.te', `
-##  can_network_client_tcp($1_t, amavisd_recv_port_t);
-##  allow $1_t amavisd_recv_port_t:tcp_socket { recv_msg send_msg };
-##  ')
-can_resolve($1_t);
-
-# Exim forks children to do its work.
-general_domain_access($1_t)
-
-# Certs and SSL
-r_dir_file($1_t, cert_t)
-allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;
-
-general_proc_read_access($1_t)
-read_locale($1_t)
-
-allow $1_t etc_t:file { getattr read };
-allow $1_t sbin_t:dir search;
-allow $1_t tmp_t:dir getattr;
-allow $1_t self:fifo_file { read write };
-can_exec($1_t, exim_exec_t)
-allow $1_t self:capability { chown fowner dac_override setgid setuid };
-allow $1_t self:process setrlimit;
-
-# Have to walk through /var/xxx to get to /var/xxx/exim
-allow $1_t var_log_t:dir search;
-allow $1_t var_spool_t:dir search;
-
-# Exim creates a spool file per message
-create_dir_file($1_t, exim_spool_t);
-# It also creates a log file per message
-create_dir_file($1_t, exim_log_t);
-# The database is modified by every message
-allow $1_t exim_spool_db_t:dir search;
-allow $1_t exim_spool_db_t:file rw_file_perms;
-
-# Checking the existence of mailman lists
-allow $1_t mailman_data_t:file getattr;
-
-# Trying to read mtab
-dontaudit $1_t etc_runtime_t:file { getattr read };
-')
-
-
-define(`exim_user_domain',`
-########################################
-########################################
-application_domain(exim_$1, `, mta_delivery_agent, mail_server_domain, mail_server_sender, nscd_client_domain, privlog');
-in_user_role(exim_$1_t)
-domain_auto_trans($1_t, exim_exec_t, exim_$1_t)
-exim_common(exim_$1)
-role $1_r types exim_$1_t;
-allow exim_$1_t $1_tmp_t:file { getattr read };
-allow exim_$1_t $1_devpts_t:chr_file rw_file_perms;
-allow exim_$1_t sshd_t:fd use;
-')
-
diff --git a/mls/macros/program/fingerd_macros.te b/mls/macros/program/fingerd_macros.te
deleted file mode 100644
index fd56ca7..0000000
--- a/mls/macros/program/fingerd_macros.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Macro for fingerd
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#
-# fingerd_macro(domain_prefix)
-#
-# allow fingerd to create a fingerlog file in the user home dir
-#
-define(`fingerd_macro', `
-type $1_home_fingerlog_t, file_type, sysadmfile, $1_file_type;
-file_type_auto_trans(fingerd_t, $1_home_dir_t, $1_home_fingerlog_t)
-')
diff --git a/mls/macros/program/fontconfig_macros.te b/mls/macros/program/fontconfig_macros.te
deleted file mode 100644
index 7f4a56d..0000000
--- a/mls/macros/program/fontconfig_macros.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#
-# Fontconfig related types 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# fontconfig_domain(role_prefix) - create fontconfig domain
-#
-# read_fonts(domain, role_prefix) - 
-#         allow domain to read fonts, optionally per/user
-#  
-
-define(`fontconfig_domain', `
-
-type $1_fonts_t, file_type, $1_file_type, sysadmfile;
-type $1_fonts_config_t, file_type, $1_file_type, sysadmfile;
-type $1_fonts_cache_t, file_type, $1_file_type, sysadmfile;
-
-create_dir_file($1_t, $1_fonts_t)
-allow $1_t $1_fonts_t:{ dir file } { relabelto relabelfrom };
-
-create_dir_file($1_t, $1_fonts_config_t)
-allow $1_t $1_fonts_config_t:file { relabelto relabelfrom };
-
-# For startup relabel
-allow $1_t $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
-
-') dnl fontconfig_domain
-
-####################
-
-define(`read_fonts', `
-
-# Read global fonts and font config
-r_dir_file($1, fonts_t)
-r_dir_file($1, etc_t)
-
-ifelse(`$2', `', `', `
-
-# Manipulate the global font cache
-create_dir_file($1, $2_fonts_cache_t)
-
-# Read per user fonts and font config
-r_dir_file($1, $2_fonts_t)
-r_dir_file($1, $2_fonts_config_t)
-
-# There are some fonts in .gnome2
-ifdef(`gnome.te', `
-allow $1 $2_gnome_settings_t:dir { getattr search };
-')
-
-') dnl ifelse
-') dnl read_fonts
diff --git a/mls/macros/program/games_domain.te b/mls/macros/program/games_domain.te
deleted file mode 100644
index d4c1d05..0000000
--- a/mls/macros/program/games_domain.te
+++ /dev/null
@@ -1,89 +0,0 @@
-#DESC games
-#
-# Macros for games
-#
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com> 
-#
-#
-# games_domain(domain_prefix)
-#
-#
-define(`games_domain', `
-
-type $1_games_t, domain, nscd_client_domain;
-
-# Type transition
-if (! disable_games_trans) {
-domain_auto_trans($1_t, games_exec_t, $1_games_t)
-}
-can_exec($1_games_t, games_exec_t)
-role $1_r types $1_games_t;
-
-can_create_pty($1_games)
-
-# X access, GNOME, /tmp files
-x_client_domain($1_games, $1)
-tmp_domain($1_games, `', { dir notdevfile_class_set })
-gnome_application($1_games, $1)
-gnome_file_dialog($1_games, $1)
-
-# Games seem to need this
-if (allow_execmem) {
-allow $1_games_t self:process execmem;
-}
-
-allow $1_games_t texrel_shlib_t:file execmod;
-allow $1_games_t var_t:dir { search getattr };
-rw_dir_create_file($1_games_t, games_data_t)
-allow $1_games_t sound_device_t:chr_file rw_file_perms;
-can_udp_send($1_games_t, $1_games_t)
-can_tcp_connect($1_games_t, $1_games_t)
-
-# Access /home/user/.gnome2
-# FIXME: Change to use per app types
-create_dir_file($1_games_t, $1_gnome_settings_t)
-
-# FIXME: why is this necessary - ORBit?
-# ORBit works differently now
-create_dir_file($1_games_t, $1_tmp_t)
-allow $1_games_t $1_tmp_t:sock_file create_file_perms;
-can_unix_connect($1_t, $1_games_t)
-can_unix_connect($1_games_t, $1_t)
-
-ifdef(`xdm.te', `
-allow $1_games_t xdm_tmp_t:dir rw_dir_perms;
-allow $1_games_t xdm_tmp_t:sock_file create_file_perms;
-allow $1_games_t xdm_var_lib_t:file { getattr read };
-')dnl end if xdm.te
-
-allow $1_games_t var_lib_t:dir search;
-r_dir_file($1_games_t, man_t)
-allow $1_games_t { proc_t self }:dir search;
-allow $1_games_t { proc_t self }:{ file lnk_file } { read getattr };
-ifdef(`mozilla.te', ` 
-dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
-')
-allow $1_games_t event_device_t:chr_file getattr;
-allow $1_games_t mouse_device_t:chr_file getattr;
-
-allow $1_games_t self:file { getattr read };
-allow $1_games_t self:sem create_sem_perms;
-
-allow $1_games_t { bin_t sbin_t }:dir { getattr search };
-can_exec($1_games_t, { shell_exec_t bin_t utempter_exec_t })
-allow $1_games_t bin_t:lnk_file read;
-
-dontaudit $1_games_t var_run_t:dir search;
-dontaudit $1_games_t initrc_var_run_t:file { read write };
-dontaudit $1_games_t var_log_t:dir search;
-
-can_network($1_games_t)
-allow $1_games_t port_t:tcp_socket name_bind;
-allow $1_games_t port_t:tcp_socket name_connect;
-
-# Suppress .icons denial until properly implemented
-dontaudit $1_games_t $1_home_t:dir read;
-
-')dnl end macro definition
-
diff --git a/mls/macros/program/gconf_macros.te b/mls/macros/program/gconf_macros.te
deleted file mode 100644
index 6f97ca3..0000000
--- a/mls/macros/program/gconf_macros.te
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# GConfd daemon  
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-#######################################
-# gconfd_domain(role_prefix)
-#
-
-define(`gconfd_domain', `
-
-# Type for daemon
-type $1_gconfd_t, domain, nscd_client_domain, privlog;
-
-gnome_application($1_gconfd, $1)
-
-# Transition from user type
-domain_auto_trans($1_t, gconfd_exec_t, $1_gconfd_t)
-role $1_r types $1_gconfd_t;
-
-allow $1_gconfd_t self:process { signal getsched };
-
-# Access .gconfd and .gconf
-home_domain($1, gconfd)
-file_type_auto_trans($1_gconfd_t, $1_home_dir_t, $1_gconfd_home_t, dir)
-
-# Access /etc/gconf
-r_dir_file($1_gconfd_t, gconf_etc_t)
-
-# /tmp/gconfd-USER
-tmp_domain($1_gconfd)
-
-can_pipe_xdm($1_gconfd_t)
-ifdef(`xdm.te', `
-allow xdm_t $1_gconfd_t:process signal;
-')
-
-') dnl gconf_domain
-
-#####################################
-# gconf_client(prefix, role_prefix)
-#
-
-define(`gconf_client', `
-
-# Launch the daemon if necessary
-domain_auto_trans($1_t, gconfd_exec_t, $2_gconfd_t)
-
-# Connect over bonobo
-bonobo_connect($1, $2_gconfd)
-
-# Read lock/ior
-allow $1_t $2_gconfd_tmp_t:dir { getattr search };
-allow $1_t $2_gconfd_tmp_t:file { getattr read }; 
-
-') dnl gconf_client 
diff --git a/mls/macros/program/gift_macros.te b/mls/macros/program/gift_macros.te
deleted file mode 100644
index d8e39e2..0000000
--- a/mls/macros/program/gift_macros.te
+++ /dev/null
@@ -1,104 +0,0 @@
-#
-# Macros for giFT
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# gift_domains(domain_prefix)
-# declares a domain for giftui and giftd
-
-#########################
-#  gift_domain(user)    #
-#########################
-
-define(`gift_domain', `
-
-# Type transition
-type $1_gift_t, domain, nscd_client_domain;
-domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
-role $1_r types $1_gift_t;
-
-# X access, Home files, GNOME, /tmp
-x_client_domain($1_gift, $1)
-gnome_application($1_gift, $1)
-home_domain($1, gift)
-file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_gift_t)
-allow $1_t $1_gift_t:process signal_perms;
-
-# Launch gift daemon
-allow $1_gift_t bin_t:dir search;
-domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)
-
-# Connect to gift daemon
-can_network_client_tcp($1_gift_t, giftd_port_t)
-allow $1_gift_t giftd_port_t:tcp_socket name_connect;
-
-# Read /proc/meminfo
-allow $1_gift_t proc_t:dir search;
-allow $1_gift_t proc_t:file { getattr read };
-
-# giftui looks in .icons, .themes.
-dontaudit $1_gift_t $1_home_t:dir { getattr read search };
-dontaudit $1_gift_t $1_home_t:file { getattr read };
-
-') dnl gift_domain
-
-##########################
-#  giftd_domain(user)    #
-##########################
-
-define(`giftd_domain', `
-
-type $1_giftd_t, domain;
-
-# Transition from user type
-domain_auto_trans($1_t, giftd_exec_t, $1_giftd_t)
-role $1_r types $1_giftd_t;
-
-# Self permissions, allow fork
-allow $1_giftd_t self:process { fork signal sigchld setsched };
-allow $1_giftd_t self:unix_stream_socket create_socket_perms;
-
-read_sysctl($1_giftd_t)
-read_locale($1_giftd_t)
-uses_shlib($1_giftd_t)
-access_terminal($1_giftd_t, $1)
-
-# Read /proc/meminfo
-allow $1_giftd_t proc_t:dir search;
-allow $1_giftd_t proc_t:file { getattr read };
-
-# Read /etc/mtab
-allow $1_giftd_t etc_runtime_t:file { getattr read };
-
-# Access home domain
-home_domain_access($1_giftd_t, $1, gift)
-file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)
-
-# Serve content on various p2p networks. Ports can be random.
-can_network_server($1_giftd_t)
-allow $1_giftd_t self:udp_socket listen;
-allow $1_giftd_t port_type:{ tcp_socket udp_socket } name_bind;
-
-# Connect to various p2p networks. Ports can be random.
-can_network_client($1_giftd_t)
-allow $1_giftd_t port_type:tcp_socket name_connect;
-
-# Plugins
-r_dir_file($1_giftd_t, usr_t)
-
-# Connect to xdm
-can_pipe_xdm($1_giftd_t)
-
-') dnl giftd_domain
-
-##########################
-#  gift_domains(user)    #
-##########################
-
-define(`gift_domains', `
-gift_domain($1)
-giftd_domain($1)
-') dnl gift_domains
diff --git a/mls/macros/program/gnome_macros.te b/mls/macros/program/gnome_macros.te
deleted file mode 100644
index 5d31af5..0000000
--- a/mls/macros/program/gnome_macros.te
+++ /dev/null
@@ -1,115 +0,0 @@
-#
-# GNOME related types 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# gnome_domain(role_prefix) - create GNOME domain (run for each role)
-# gnome_application(app_prefix, role_prefix) - common stuff for gnome apps
-# gnome_file_dialog(role_prefix) - gnome file dialog rules
-# gnome_private_store(app_prefix, role_prefix) - store private files in .gnome2_private
-
-define(`gnome_domain', `
-
-# Types for .gnome2 and .gnome2_private.
-# For backwards compatibility, allow unrestricted
-# access from ROLE_t. However, content inside
-# *should* be labeled per application eventually.
-# For .gnome2_private, use the private_store macro below. 
-
-type $1_gnome_settings_t, file_type, $1_file_type, sysadmfile;
-create_dir_file($1_t, $1_gnome_settings_t)
-allow $1_t $1_gnome_settings_t:{ dir file } { relabelfrom relabelto };
-
-type $1_gnome_secret_t, file_type, $1_file_type, sysadmfile;
-create_dir_file($1_t, $1_gnome_secret_t)
-allow $1_t $1_gnome_secret_t:{ dir file } { relabelfrom relabelto };
-
-# GConf domain
-gconfd_domain($1)
-gconf_client($1, $1)
-
-# Bonobo-activation-server
-bonobo_domain($1)
-bonobo_client($1, $1)
-
-# GNOME vfs daemon
-gnome_vfs_domain($1)
-gnome_vfs_client($1, $1)
-
-# ICE is necessary for session management
-ice_domain($1, $1)
-
-')
-
-#################################
-
-define(`gnome_application', `
-
-# If launched from a terminal
-access_terminal($1_t, $2)
-
-# Forking is generally okay
-allow $1_t self:process { sigchld sigkill signal setrlimit getsched setsched fork };
-allow $1_t self:fifo_file rw_file_perms;
-
-# Shlib, locale, sysctl, proc
-uses_shlib($1_t)
-read_locale($1_t)
-read_sysctl($1_t)
-
-allow $1_t { self proc_t }:dir { search read getattr };
-allow $1_t { self proc_t }:{ file lnk_file } { read getattr };
-
-# Most gnome apps use bonobo
-bonobo_client($1, $2)
-
-# Within-process bonobo-activation of components
-bonobo_connect($1, $1)
-
-# Session management happens over ICE
-# FIXME: More specific context is needed for gnome-session
-ice_connect($1, $2)
-
-# Most talk to GConf
-gconf_client($1, $2)
-
-# Allow getattr/read/search of .gnome2 and .gnome2_private
-# Reading files should *not* be allowed - instead, more specific
-# types should be created to handle such requests
-allow $1_t { $2_gnome_settings_t $2_gnome_secret_t }:dir r_dir_perms;
-
-# Access /etc/mtab, /etc/nsswitch.conf
-allow $1_t etc_t:file { read getattr };
-allow $1_t etc_runtime_t:file { read getattr };
-
-# Themes, gtkrc
-allow $1_t usr_t:{ file lnk_file } r_file_perms;
-
-') dnl gnome_application
-
-################################
-
-define(`gnome_file_dialog', `
-
-# GNOME Open/Save As dialogs 
-dontaudit_getattr($1_t)
-dontaudit_search_dir($1_t)
-
-# Bonobo connection to gnome_vfs daemon
-bonobo_connect($1, $2_gnome_vfs)
- 
-') dnl gnome_file_dialog
-
-################################
-
-define(`gnome_private_store', `
-
-# Type for storing secret data
-# (different from home, not directly accessible from ROLE_t)
-type $1_secret_t, file_type, $2_file_type, sysadmfile;
-
-# Put secret files in .gnome2_private
-file_type_auto_trans($1_t, $2_gnome_secret_t, $1_secret_t, file);
-allow $2_t $1_secret_t:file unlink;
-
-') dnl gnome_private_store
diff --git a/mls/macros/program/gnome_vfs_macros.te b/mls/macros/program/gnome_vfs_macros.te
deleted file mode 100644
index 8ff5c28..0000000
--- a/mls/macros/program/gnome_vfs_macros.te
+++ /dev/null
@@ -1,55 +0,0 @@
-#
-# GNOME VFS daemon  
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-#######################################
-# gnome_vfs_domain(role_prefix)
-#
-
-define(`gnome_vfs_domain', `
-
-# Type for daemon
-type $1_gnome_vfs_t, domain, nscd_client_domain;
-
-# GNOME, dbus
-gnome_application($1_gnome_vfs, $1)
-dbusd_client(system, $1_gnome_vfs)
-allow $1_gnome_vfs_t system_dbusd_t:dbus send_msg;
-ifdef(`hald.te', `
-allow $1_gnome_vfs_t hald_t:dbus send_msg;
-allow hald_t $1_gnome_vfs_t:dbus send_msg;
-')
-
-# Transition from user type
-domain_auto_trans($1_t, gnome_vfs_exec_t, $1_gnome_vfs_t)
-role $1_r types $1_gnome_vfs_t; 
-
-# Stat top level directories on mount_points (check free space?)
-allow $1_gnome_vfs_t { fs_type default_t boot_t home_root_t device_t }:dir getattr;
-
-# Search path to /home (??)
-allow $1_gnome_vfs_t home_root_t:dir search;
-allow $1_gnome_vfs_t $1_home_dir_t:dir search;
-
-# Search path to rpc_pipefs mount point (??)
-allow $1_gnome_vfs_t var_lib_nfs_t:dir search;
-allow $1_gnome_vfs_t var_lib_t:dir search;
-
-# Search libexec (??)
-allow $1_gnome_vfs_t bin_t:dir search;
-can_exec($1_gnome_vfs_t, bin_t)
-
-') dnl gnome_vfs_domain
-
-#####################################
-# gnome_vfs_client(prefix, role_prefix)
-#
-
-define(`gnome_vfs_client', `
-
-# Connect over bonobo
-bonobo_connect($1, $2_gnome_vfs)
-
-') dnl gnome_vfs_client 
diff --git a/mls/macros/program/gpg_agent_macros.te b/mls/macros/program/gpg_agent_macros.te
deleted file mode 100644
index f7ad8b0..0000000
--- a/mls/macros/program/gpg_agent_macros.te
+++ /dev/null
@@ -1,125 +0,0 @@
-#
-# Macros for gpg agent
-#
-# Author: Thomas Bleher <ThomasBleher@gmx.de>
-#
-# 
-# gpg_agent_domain(domain_prefix)
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/gpg-agent.te. 
-#
-define(`gpg_agent_domain',`
-# Define a derived domain for the gpg-agent program when executed
-# by a user domain.
-# Derived domain based on the calling user domain and the program.
-type $1_gpg_agent_t, domain;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_gpg_agent_t;
-
-allow $1_gpg_agent_t privfd:fd use;
-
-# Write to the user domain tty.
-access_terminal($1_gpg_agent_t, $1)
-
-# Allow the user shell to signal the gpg-agent program.
-allow $1_t $1_gpg_agent_t:process { signal sigkill };
-# allow ps to show gpg-agent
-can_ps($1_t, $1_gpg_agent_t)
-
-uses_shlib($1_gpg_agent_t)
-read_locale($1_gpg_agent_t)
-
-# rlimit: gpg-agent wants to prevent coredumps
-allow $1_gpg_agent_t self:process { setrlimit fork sigchld };
-
-allow $1_gpg_agent_t { self proc_t }:dir search;
-allow $1_gpg_agent_t { self proc_t }:lnk_file read;
-
-allow $1_gpg_agent_t device_t:dir { getattr read };
-
-# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
-create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
-if (use_nfs_home_dirs) {
-create_dir_file($1_gpg_agent_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1_gpg_agent_t, cifs_t)
-}
-
-allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_gpg_agent_t self:fifo_file { getattr read write };
-
-# create /tmp files
-tmp_domain($1_gpg_agent, `', `{ file dir sock_file }')
-
-# gpg connect
-allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
-allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
-can_unix_connect($1_gpg_t, $1_gpg_agent_t)
-
-# policy for pinentry
-# ===================
-# we need to allow gpg-agent to call pinentry so it can get the passphrase 
-# from the user.
-# Please note that I didnt use the x_client_domain-macro as it gives too 
-# much permissions
-type $1_gpg_pinentry_t, domain;
-role $1_r types $1_gpg_pinentry_t;
-
-allow $1_gpg_agent_t bin_t:dir search;
-domain_auto_trans($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t)
-
-uses_shlib($1_gpg_pinentry_t)
-read_locale($1_gpg_pinentry_t)
-
-allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
-allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
-
-ifdef(`xdm.te', `
-allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
-allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
-can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
-')dnl end ig xdm.te
-
-read_fonts($1_gpg_pinentry_t, $1)
-# read kde font cache
-allow $1_gpg_pinentry_t usr_t:file { getattr read };
-
-allow $1_gpg_pinentry_t { proc_t self }:dir search;
-allow $1_gpg_pinentry_t { proc_t self }:lnk_file read;
-# read /proc/meminfo
-allow $1_gpg_pinentry_t proc_t:file read;
-
-allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
-
-# for .Xauthority
-allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
-allow $1_gpg_pinentry_t $1_home_t:file { getattr read };
-# wants to put some lock files into the user home dir, seems to work fine without
-dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
-dontaudit $1_gpg_pinentry_t $1_home_t:file write;
-if (use_nfs_home_dirs) {
-allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
-allow $1_gpg_pinentry_t nfs_t:file { getattr read };
-dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
-dontaudit $1_gpg_pinentry_t nfs_t:file write;
-}
-if (use_samba_home_dirs) {
-allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
-allow $1_gpg_pinentry_t cifs_t:file { getattr read };
-dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
-dontaudit $1_gpg_pinentry_t cifs_t:file write;
-}
-
-# read /etc/X11/qtrc
-allow $1_gpg_pinentry_t etc_t:file { getattr read };
-
-dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t bin_t }:dir { getattr search };
-
-')dnl end if gpg_agent
diff --git a/mls/macros/program/gpg_macros.te b/mls/macros/program/gpg_macros.te
deleted file mode 100644
index 9dba8f7..0000000
--- a/mls/macros/program/gpg_macros.te
+++ /dev/null
@@ -1,113 +0,0 @@
-#
-# Macros for gpg and pgp
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-# based on the work of:
-# Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
-#
-
-#
-# gpg_domain(domain_prefix)
-#
-# Define a derived domain for the gpg/pgp program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/gpg.te.
-#
-define(`gpg_domain', `
-# Derived domain based on the calling user domain and the program.
-type $1_gpg_t, domain, privlog;
-type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
-role $1_r types $1_gpg_t;
-
-can_network($1_gpg_t)
-allow $1_gpg_t port_type:tcp_socket name_connect;
-can_ypbind($1_gpg_t)
-
-# for a bug in kmail
-dontaudit $1_gpg_t $1_t:unix_stream_socket { getattr read write };
-
-allow $1_gpg_t device_t:dir r_dir_perms;
-allow $1_gpg_t { random_device_t urandom_device_t }:chr_file r_file_perms;
-
-allow $1_gpg_t etc_t:file r_file_perms;
-
-allow $1_gpg_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
-
-access_terminal($1_gpg_t, $1)
-ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors
-allow $1_gpg_t { privfd $1_t }:fd use;
-allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
-
-# setrlimit is for ulimit -c 0
-allow $1_gpg_t self:process { setrlimit setcap setpgid };
-
-# allow ps to show gpg
-can_ps($1_t, $1_gpg_t)
-
-uses_shlib($1_gpg_t)
-
-# Access .gnupg
-rw_dir_create_file($1_gpg_t, $1_gpg_secret_t)
-
-# Read content to encrypt/decrypt/sign
-read_content($1_gpg_t, $1)
-
-# Write content to encrypt/decrypt/sign
-write_trusted($1_gpg_t, $1)
-
-allow $1_gpg_t self:capability { ipc_lock setuid };
-
-allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms;
-allow $1_gpg_t fs_t:filesystem getattr;
-allow $1_gpg_t usr_t:file r_file_perms;
-read_locale($1_gpg_t)
-
-dontaudit $1_gpg_t var_t:dir search;
-
-ifdef(`gpg-agent.te', `gpg_agent_domain($1)')
-
-# for helper programs (which automatically fetch keys)
-# Note: this is only tested with the hkp interface. If you use eg the 
-# mail interface you will likely need additional permissions.
-type $1_gpg_helper_t, domain;
-role $1_r types $1_gpg_helper_t;
-
-domain_auto_trans($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t)
-uses_shlib($1_gpg_helper_t)
-
-# allow gpg to fork so it can call the helpers
-allow $1_gpg_t self:process { fork sigchld };
-allow $1_gpg_t self:fifo_file { getattr read write };
-
-dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
-if (use_nfs_home_dirs) {
-dontaudit $1_gpg_helper_t nfs_t:file { read write };
-}
-if (use_samba_home_dirs) {
-dontaudit $1_gpg_helper_t cifs_t:file { read write };
-}
-
-# communicate with the user 
-allow $1_gpg_helper_t $1_t:fd use;
-allow $1_gpg_helper_t $1_t:fifo_file write;
-# get keys from the network
-can_network_client($1_gpg_helper_t)
-allow $1_gpg_helper_t port_type:tcp_socket name_connect;
-allow $1_gpg_helper_t etc_t:file { getattr read };
-allow $1_gpg_helper_t urandom_device_t:chr_file read;
-allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
-# for nscd
-dontaudit $1_gpg_helper_t var_t:dir search;
-
-can_pipe_xdm($1_gpg_t)
-
-')dnl end gpg_domain definition
diff --git a/mls/macros/program/gph_macros.te b/mls/macros/program/gph_macros.te
deleted file mode 100644
index d784fcc..0000000
--- a/mls/macros/program/gph_macros.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#
-# Macros for gnome-pty-helper domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
-#
-
-#
-# gph_domain(domain_prefix, role_prefix)
-#
-# Define a derived domain for the gnome-pty-helper program when
-# executed by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/gnome-pty-helper.te. 
-#
-# The *_gph_t domains are for the gnome_pty_helper program.
-# This program is executed by gnome-terminal to handle
-# updates to utmp and wtmp.  In this regard, it is similar
-# to utempter.  However, unlike utempter, gnome-pty-helper
-# also creates the pty file for the terminal program.
-# There is one *_gph_t domain for each user domain.  
-#
-undefine(`gph_domain')
-define(`gph_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_gph_t, domain, gphdomain, nscd_client_domain;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, gph_exec_t, $1_gph_t)
-
-# The user role is authorized for this domain.
-role $2_r types $1_gph_t;
-
-# This domain is granted permissions common to most domains.
-uses_shlib($1_gph_t)
-
-# Use capabilities.
-allow $1_gph_t self:capability { chown fsetid setgid setuid };
-
-# Update /var/run/utmp and /var/log/wtmp.
-allow $1_gph_t { var_t var_run_t }:dir search;
-allow $1_gph_t initrc_var_run_t:file rw_file_perms;
-allow $1_gph_t wtmp_t:file rw_file_perms;
-
-# Allow gph to rw to stream sockets of appropriate user type.
-# (Need this so gnome-pty-helper can pass pty fd to parent 
-#  gnome-terminal which is running in a user domain.)
-allow $1_gph_t $1_t:unix_stream_socket rw_stream_socket_perms;
-
-allow $1_gph_t self:unix_stream_socket create_stream_socket_perms;
-
-# Allow user domain to use pty fd from gnome-pty-helper.
-allow $1_t $1_gph_t:fd use;
-
-# Use the network, e.g. for NIS lookups.
-can_resolve($1_gph_t)
-can_ypbind($1_gph_t)
-
-allow $1_gph_t etc_t:file { getattr read };
-
-# Added by David A. Wheeler:
-# Allow gnome-pty-helper to update /var/log/lastlog
-# (the gnome-pty-helper in Red Hat Linux 7.1 does this):
-allow $1_gph_t lastlog_t:file rw_file_perms;
-allow $1_gph_t var_log_t:dir search;
-allow $1_t $1_gph_t:process signal;
-
-ifelse($2, `system', `
-# Create ptys for the system
-can_create_other_pty($1_gph, initrc)
-', `
-# Create ptys for the user domain.
-can_create_other_pty($1_gph, $1)
-
-# Read and write the users tty.
-allow $1_gph_t $1_tty_device_t:chr_file rw_file_perms;
-
-# Allow gnome-pty-helper to write the .xsession-errors file.
-allow $1_gph_t home_root_t:dir search;
-allow $1_gph_t $1_home_t:dir { search add_name };
-allow $1_gph_t $1_home_t:file { create write };
-')dnl end ifelse system
-')dnl end macro
diff --git a/mls/macros/program/i18n_input_macros.te b/mls/macros/program/i18n_input_macros.te
deleted file mode 100644
index 58699fc..0000000
--- a/mls/macros/program/i18n_input_macros.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#
-# Macros for i18n_input
-#
-
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com> 
-#
-
-#
-# i18n_input_domain(domain)
-#
-ifdef(`i18n_input.te', `
-define(`i18n_input_domain', `
-allow i18n_input_t $1_home_dir_t:dir { getattr search };
-r_dir_file(i18n_input_t, $1_home_t)
-if (use_nfs_home_dirs) { r_dir_file(i18n_input_t, nfs_t) }
-if (use_samba_home_dirs) { r_dir_file(i18n_input_t, cifs_t) }
-')
-')
-
-
diff --git a/mls/macros/program/ice_macros.te b/mls/macros/program/ice_macros.te
deleted file mode 100644
index b373496..0000000
--- a/mls/macros/program/ice_macros.te
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# ICE related types 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# ice_domain(prefix, role) - create ICE sockets
-# ice_connect(type1_prefix, type2_prefix) - allow communication through ICE sockets 
-
-define(`ice_domain', `
-ifdef(`$1_ice_tmp_t_defined',`', `
-define(`$1_ice_tmp_t_defined')
-
-# Type for ICE sockets
-type $1_ice_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile;
-file_type_auto_trans($1_t, ice_tmp_t, $1_ice_tmp_t)
-
-# Create the sockets
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_t self:unix_dgram_socket create_socket_perms;
-
-# FIXME: How does iceauth tie in?
-
-')
-')
-
-# FIXME: Should this be bidirectional?
-# Adding only unidirectional for now.
-
-define(`ice_connect', `
-
-# Read .ICEauthority file
-allow $1_t $2_iceauth_home_t:file { read getattr };
-
-can_unix_connect($1_t, $2_t)
-allow $1_t ice_tmp_t:dir r_dir_perms;
-allow $1_t $2_ice_tmp_t:sock_file { read write };
-allow $1_t $2_t:unix_stream_socket { read write };
-')
diff --git a/mls/macros/program/iceauth_macros.te b/mls/macros/program/iceauth_macros.te
deleted file mode 100644
index cc7e804..0000000
--- a/mls/macros/program/iceauth_macros.te
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# Macros for iceauth domains.
-#
-# Author:  Ivan Gyurdiev <gyurdiev@redhat.com>
-#
-# iceauth_domain(domain_prefix)
-
-define(`iceauth_domain',`
-
-# Program type
-type $1_iceauth_t, domain;
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, iceauth_exec_t, $1_iceauth_t)
-role $1_r types $1_iceauth_t;
-
-# Store .ICEauthority files
-home_domain($1, iceauth)
-file_type_auto_trans($1_iceauth_t, $1_home_dir_t, $1_iceauth_home_t, file)
-
-# Supress xdm trying to restore .ICEauthority permissions
-ifdef(`xdm.te', `
-dontaudit xdm_t $1_iceauth_home_t:file r_file_perms;
-')
-
-# /root
-allow $1_iceauth_t root_t:dir search;
-
-# Terminal output
-access_terminal($1_iceauth_t, $1)
-
-uses_shlib($1_iceauth_t)
-
-# ??? 
-allow $1_iceauth_t etc_t:dir search;
-allow $1_iceauth_t usr_t:dir search;
-
-# FIXME: policy is incomplete
-
-')dnl end xauth_domain macro
diff --git a/mls/macros/program/inetd_macros.te b/mls/macros/program/inetd_macros.te
deleted file mode 100644
index e5c4eed..0000000
--- a/mls/macros/program/inetd_macros.te
+++ /dev/null
@@ -1,97 +0,0 @@
-#################################
-#
-# Rules for the $1_t domain.
-#
-# $1_t is a general domain for daemons started
-# by inetd that do not have their own individual domains yet.
-# $1_exec_t is the type of the corresponding
-# programs.
-#
-define(`inetd_child_domain', `
-type $1_t, domain, privlog, nscd_client_domain;
-role system_r types $1_t;
-
-#
-# Allows user to define a tunable to disable domain transition
-#
-bool $1_disable_trans false;
-if ($1_disable_trans) {
-can_exec(initrc_t, $1_exec_t)
-can_exec(sysadm_t, $1_exec_t)
-} else {
-domain_auto_trans(inetd_t, $1_exec_t, $1_t)
-allow inetd_t $1_t:process sigkill;
-}
-
-can_network_server($1_t)
-can_ypbind($1_t)
-uses_shlib($1_t)
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket create_socket_perms;
-allow $1_t self:fifo_file rw_file_perms;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-read_locale($1_t)
-allow $1_t device_t:dir search;
-allow $1_t proc_t:dir search;
-allow $1_t proc_t:{ file lnk_file } { getattr read };
-allow $1_t self:process { fork signal_perms };
-allow $1_t fs_t:filesystem getattr;
-
-read_sysctl($1_t)
-
-allow $1_t etc_t:file { getattr read };
-
-tmp_domain($1)
-allow $1_t var_t:dir search;
-var_run_domain($1)
-
-# Inherit and use descriptors from inetd.
-allow $1_t inetd_t:fd use;
-
-# for identd
-allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow $1_t self:capability { setuid setgid };
-allow $1_t home_root_t:dir search;
-allow $1_t self:dir search;
-allow $1_t self:{ lnk_file file } { getattr read };
-can_kerberos($1_t)
-allow $1_t urandom_device_t:chr_file r_file_perms;
-# Use sockets inherited from inetd.
-ifelse($2, `', `
-allow inetd_t $1_port_t:udp_socket name_bind;
-allow $1_t inetd_t:udp_socket rw_socket_perms;
-allow inetd_t $1_port_t:tcp_socket name_bind;
-allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
-')
-ifelse($2, tcp, `
-allow inetd_t $1_port_t:tcp_socket name_bind;
-allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
-')
-ifelse($2, udp, `
-allow inetd_t $1_port_t:udp_socket name_bind;
-allow $1_t inetd_t:udp_socket rw_socket_perms;
-')
-r_dir_file($1_t, proc_net_t)
-')
-define(`remote_login_daemon', `
-inetd_child_domain($1)
-
-# Execute /bin/login on a new PTY
-allow $1_t { bin_t sbin_t }:dir search;
-domain_auto_trans($1_t, login_exec_t, remote_login_t)
-can_create_pty($1, `, server_pty, userpty_type')
-allow $1_t self:capability { fsetid chown fowner sys_tty_config dac_override } ;
-
-# Append to /var/log/wtmp.
-allow $1_t var_log_t:dir search;
-allow $1_t wtmp_t:file rw_file_perms;
-allow $1_t initrc_var_run_t:file rw_file_perms;
-
-# Allow reading of /etc/issue.net
-allow $1_t etc_runtime_t:file r_file_perms;
-
-# Allow krb5 $1 to use fork and open /dev/tty for use
-allow $1_t userpty_type:chr_file setattr;
-allow $1_t devtty_t:chr_file rw_file_perms;
-dontaudit $1_t selinux_config_t:dir search;
-')
diff --git a/mls/macros/program/irc_macros.te b/mls/macros/program/irc_macros.te
deleted file mode 100644
index 3adaef7..0000000
--- a/mls/macros/program/irc_macros.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#
-# Macros for irc domains.
-#
-
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#
-# irc_domain(domain_prefix)
-#
-# Define a derived domain for the irc program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/irc.te. 
-#
-undefine(`irc_domain')
-ifdef(`irc.te', `
-define(`irc_domain',`
-
-# Home domain
-home_domain($1, irc)
-file_type_auto_trans($1_irc_t, $1_home_dir_t, $1_irc_home_t, dir)
-
-# Derived domain based on the calling user domain and the program.
-type $1_irc_t, domain;
-type $1_irc_exec_t, file_type, sysadmfile, $1_file_type;
-
-allow $1_t $1_irc_exec_t:file { relabelfrom relabelto create_file_perms };
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, { irc_exec_t $1_irc_exec_t }, $1_irc_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_irc_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_irc_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors from newrole.
-ifdef(`newrole.te', `allow $1_irc_t newrole_t:fd use;')
-
-# allow ps to show irc
-can_ps($1_t, $1_irc_t)
-allow $1_t $1_irc_t:process signal;
-
-# Use the network.
-can_network_client($1_irc_t)
-allow $1_irc_t port_type:tcp_socket name_connect;
-can_ypbind($1_irc_t)
-
-allow $1_irc_t usr_t:file { getattr read };
-
-access_terminal($1_irc_t, $1)
-uses_shlib($1_irc_t)
-allow $1_irc_t etc_t:file { read getattr };
-read_locale($1_irc_t)
-allow $1_irc_t fs_t:filesystem getattr;
-allow $1_irc_t var_t:dir search;
-allow $1_irc_t device_t:dir search;
-allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_irc_t privfd:fd use;
-allow $1_irc_t proc_t:dir search;
-allow $1_irc_t { self proc_t }:lnk_file read;
-allow $1_irc_t self:dir search;
-dontaudit $1_irc_t var_run_t:dir search;
-
-# allow utmp access
-allow $1_irc_t initrc_var_run_t:file { getattr read };
-dontaudit $1_irc_t initrc_var_run_t:file lock;
-
-# access files under /tmp
-file_type_auto_trans($1_irc_t, tmp_t, $1_tmp_t)
-
-ifdef(`ircd.te', `
-can_tcp_connect($1_irc_t, ircd_t)
-')dnl end ifdef irc.te
-')dnl end macro definition
-
-', `
-
-define(`irc_domain',`')
-
-')dnl end ifdef irc.te
diff --git a/mls/macros/program/java_macros.te b/mls/macros/program/java_macros.te
deleted file mode 100644
index 874d6dc..0000000
--- a/mls/macros/program/java_macros.te
+++ /dev/null
@@ -1,93 +0,0 @@
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com> 
-#
-# Macros for javaplugin (java plugin) domains.
-#
-#
-# javaplugin_domain(domain_prefix, role)
-#
-# Define a derived domain for the javaplugin program when executed by
-# a web browser.  
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/java.te. 
-#
-define(`javaplugin_domain',`
-type $1_javaplugin_t, domain, privlog , nscd_client_domain, transitionbool;
-
-# The user role is authorized for this domain.
-role $2_r types $1_javaplugin_t;
-domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
-
-allow $1_javaplugin_t sound_device_t:chr_file rw_file_perms;
-# Unrestricted inheritance from the caller.
-allow $1_t $1_javaplugin_t:process { noatsecure siginh rlimitinh };
-allow $1_javaplugin_t $1_t:process signull;
-
-can_unix_connect($1_javaplugin_t, $1_t)
-allow $1_javaplugin_t $1_t:unix_stream_socket { read write };
-
-# This domain is granted permissions common to most domains (including can_net)
-can_network_client($1_javaplugin_t)
-allow $1_javaplugin_t port_type:tcp_socket name_connect;
-can_ypbind($1_javaplugin_t)
-allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
-allow $1_javaplugin_t self:fifo_file rw_file_perms;
-allow $1_javaplugin_t etc_runtime_t:file { getattr read };
-allow $1_javaplugin_t fs_t:filesystem getattr;
-r_dir_file($1_javaplugin_t, { proc_t proc_net_t })
-allow $1_javaplugin_t self:dir search;
-allow $1_javaplugin_t self:lnk_file read;
-allow $1_javaplugin_t self:file { getattr read };
-
-read_sysctl($1_javaplugin_t)
-allow $1_javaplugin_t sysctl_vm_t:dir search;
-
-tmp_domain($1_javaplugin)
-read_fonts($1_javaplugin_t, $2)
-r_dir_file($1_javaplugin_t,{ usr_t etc_t })
-
-# Search bin directory under javaplugin for javaplugin executable
-allow $1_javaplugin_t bin_t:dir search;
-can_exec($1_javaplugin_t, java_exec_t)
-
-# libdeploy.so legacy
-allow $1_javaplugin_t texrel_shlib_t:file execmod;
-if (allow_execmem) {
-allow $1_javaplugin_t self:process execmem;
-}
-
-# Connect to X server
-x_client_domain($1_javaplugin, $2) 
-
-uses_shlib($1_javaplugin_t)
-read_locale($1_javaplugin_t)
-rw_dir_file($1_javaplugin_t, $1_home_t)
-
-if (allow_java_execstack) {
-legacy_domain($1_javaplugin)
-allow $1_javaplugin_t lib_t:file execute;
-allow $1_javaplugin_t locale_t:file execute;
-allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
-allow $1_javaplugin_t fonts_t:file execute;
-allow $1_javaplugin_t sound_device_t:chr_file execute;
-}
-
-allow $1_javaplugin_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
-
-allow $1_javaplugin_t home_root_t:dir { getattr search };
-file_type_auto_trans($1_javaplugin_t, $2_home_dir_t, $1_home_t)
-allow $1_javaplugin_t $2_xauth_home_t:file { getattr read };
-allow $1_javaplugin_t $2_tmp_t:sock_file write;
-allow $1_javaplugin_t $2_t:fd use;
-
-allow $1_javaplugin_t var_t:dir getattr;
-allow $1_javaplugin_t var_lib_t:dir { getattr search };
-
-dontaudit $1_javaplugin_t $2_devpts_t:chr_file { read write };
-dontaudit $1_javaplugin_t sysadm_devpts_t:chr_file { read write };
-dontaudit $1_javaplugin_t devtty_t:chr_file { read write };
-dontaudit $1_javaplugin_t tmpfs_t:file { execute read write };
-dontaudit $1_javaplugin_t $1_home_t:file { execute setattr };
-
-')
diff --git a/mls/macros/program/kerberos_macros.te b/mls/macros/program/kerberos_macros.te
deleted file mode 100644
index 91850d3..0000000
--- a/mls/macros/program/kerberos_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-define(`can_kerberos',`
-ifdef(`kerberos.te',`
-if (allow_kerberos) {
-can_network_client($1, `kerberos_port_t')
-allow $1 kerberos_port_t:tcp_socket name_connect;
-can_resolve($1)
-}
-') dnl kerberos.te
-dontaudit $1 krb5_conf_t:file write;
-allow $1 krb5_conf_t:file { getattr read };
-')
diff --git a/mls/macros/program/lockdev_macros.te b/mls/macros/program/lockdev_macros.te
deleted file mode 100644
index 28f7c01..0000000
--- a/mls/macros/program/lockdev_macros.te
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# Macros for lockdev domains.
-#
-
-#
-# Authors:  Daniel Walsh <dwalsh@redhat.com> 
-#
-
-#
-# lockdev_domain(domain_prefix)
-#
-# Define a derived domain for the lockdev programs when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/lockdev.te. 
-#
-undefine(`lockdev_domain')
-define(`lockdev_domain',`
-# Derived domain based on the calling user domain and the program
-type $1_lockdev_t, domain, privlog;
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, lockdev_exec_t, $1_lockdev_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_lockdev_t;
-# Use capabilities.
-allow $1_lockdev_t self:capability setgid;
-allow $1_lockdev_t $1_t:process signull;
-
-allow $1_lockdev_t var_t:dir search;
-
-lock_domain($1_lockdev)
-
-r_dir_file($1_lockdev_t, lockfile)
-
-allow $1_lockdev_t device_t:dir search;
-allow $1_lockdev_t null_device_t:chr_file rw_file_perms;
-access_terminal($1_lockdev_t, $1)
-dontaudit $1_lockdev_t root_t:dir search;
-
-uses_shlib($1_lockdev_t)
-allow $1_lockdev_t fs_t:filesystem getattr;
-
-')dnl end macro definition
-
diff --git a/mls/macros/program/login_macros.te b/mls/macros/program/login_macros.te
deleted file mode 100644
index 0d0993c..0000000
--- a/mls/macros/program/login_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# Macros for login type programs (/bin/login, sshd, etc).
-#
-#  Author: Russell Coker <russell@coker.com.au>
-#
-
-define(`login_spawn_domain', `
-domain_trans($1_t, shell_exec_t, $2)
-
-# Signal the user domains.
-allow $1_t $2:process signal;
-')
diff --git a/mls/macros/program/lpr_macros.te b/mls/macros/program/lpr_macros.te
deleted file mode 100644
index d8b3b31..0000000
--- a/mls/macros/program/lpr_macros.te
+++ /dev/null
@@ -1,117 +0,0 @@
-#
-# Macros for lpr domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
-#
-
-#
-# lpr_domain(domain_prefix)
-#
-# Define a derived domain for the lpr/lpq/lprm programs when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/lpr.te. 
-#
-undefine(`lpr_domain')
-define(`lpr_domain',`
-# Derived domain based on the calling user domain and the program
-type $1_lpr_t, domain, privlog, nscd_client_domain;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, lpr_exec_t, $1_lpr_t)
-
-allow $1_t $1_lpr_t:process signull;
-
-# allow using shared objects, accessing root dir, etc
-uses_shlib($1_lpr_t)
-
-read_locale($1_lpr_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_lpr_t;
-
-# This domain is granted permissions common to most domains (including can_net)
-can_network_client($1_lpr_t)
-allow $1_lpr_t port_type:tcp_socket name_connect;
-can_ypbind($1_lpr_t)
-
-# Use capabilities.
-allow $1_lpr_t self:capability { setuid dac_override net_bind_service chown };
-
-allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;
-
-# for lpd config files (should have a new type)
-r_dir_file($1_lpr_t, etc_t)
-
-# for test print
-r_dir_file($1_lpr_t, usr_t)
-ifdef(`lpd.te', `
-r_dir_file($1_lpr_t, printconf_t)
-')
-
-tmp_domain($1_lpr)
-
-# Type for spool files.
-type $1_print_spool_t, file_type, sysadmfile;
-# Use this type when creating files in /var/spool/lpd and /var/spool/cups.
-file_type_auto_trans($1_lpr_t, print_spool_t, $1_print_spool_t, file)
-allow $1_lpr_t var_spool_t:dir search;
-
-# for /dev/null
-allow $1_lpr_t device_t:dir search;
-
-# Access the terminal.
-access_terminal($1_lpr_t, $1)
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_lpr_t $1_gph_t:fd use;')
-allow $1_lpr_t privfd:fd use;
-
-# Read user files. 
-read_content(sysadm_lpr_t, $1) 
-read_content($1_lpr_t, $1)
-
-# Read and write shared files in the spool directory.
-allow $1_lpr_t print_spool_t:file rw_file_perms;
-
-# lpr can run in lightweight mode, without a local print spooler. If the
-# lpd policy is present, grant some permissions for this domain and the lpd
-# domain to interact.
-ifdef(`lpd.te', `
-allow $1_lpr_t { var_t var_run_t }:dir search;
-allow $1_lpr_t lpd_var_run_t:dir search;
-allow $1_lpr_t lpd_var_run_t:sock_file write;
-
-# Allow lpd to read, rename, and unlink spool files.
-allow lpd_t $1_print_spool_t:file r_file_perms;
-allow lpd_t $1_print_spool_t:file link_file_perms;
-
-# Connect to lpd via a Unix domain socket.
-allow $1_lpr_t printer_t:sock_file rw_file_perms;
-can_unix_connect($1_lpr_t, lpd_t)
-dontaudit $1_lpr_t $1_t:unix_stream_socket { read write };
-
-# Connect to lpd via a TCP socket.
-can_tcp_connect($1_lpr_t, lpd_t)
-
-allow $1_lpr_t fs_t:filesystem getattr;
-# Send SIGHUP to lpd.
-allow $1_lpr_t lpd_t:process signal;
-
-')dnl end if lpd.te
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_lpr_t)
-')
-
-ifdef(`cups.te', `
-allow { $1_lpr_t $1_t } cupsd_etc_t:dir search;
-allow $1_lpr_t { cupsd_etc_t cupsd_rw_etc_t }:file { getattr read };
-can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t)
-')dnl end ifdef cups.te
-
-')dnl end macro definition
-
diff --git a/mls/macros/program/mail_client_macros.te b/mls/macros/program/mail_client_macros.te
deleted file mode 100644
index da22a62..0000000
--- a/mls/macros/program/mail_client_macros.te
+++ /dev/null
@@ -1,68 +0,0 @@
-#
-# Shared macro for mail clients
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-########################################
-# mail_client_domain(client, role_prefix)
-#
-
-define(`mail_client_domain', `
-
-# Allow netstat
-# Startup shellscripts
-allow $1_t bin_t:dir r_dir_perms;
-allow $1_t bin_t:lnk_file r_file_perms;
-can_exec($1_t, bin_t)
-r_dir_file($1_t, proc_net_t)
-allow $1_t sysctl_net_t:dir search;
-
-# Allow DNS
-can_resolve($1_t)
-
-# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
-can_ypbind($1_t)
-can_network_client_tcp($1_t, { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t })
-allow $1_t { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t }:tcp_socket name_connect;
-
-# Allow printing the mail
-ifdef(`cups.te',`
-allow $1_t cupsd_etc_t:dir r_dir_perms;
-allow $1_t cupsd_rw_etc_t:file r_file_perms;
-')
-ifdef(`lpr.te', `
-domain_auto_trans($1_t, lpr_exec_t, $2_lpr_t)
-')
-
-# Attachments
-read_content($1_t, $2, mail)
-
-# Save mail
-write_untrusted($1_t, $2)
-
-# Encrypt mail
-ifdef(`gpg.te', `
-domain_auto_trans($1_t, gpg_exec_t, $2_gpg_t)
-allow $1_t $2_gpg_t:process signal;
-')
-
-# Start links in web browser
-ifdef(`mozilla.te', `
-can_exec($1_t, shell_exec_t)
-domain_auto_trans($1_t, mozilla_exec_t, $2_mozilla_t)
-') 
-ifdef(`dbusd.te', `
-dbusd_client(system, $1)
-allow $1_t system_dbusd_t:dbus send_msg;
-dbusd_client($2, $1)
-allow $1_t $2_dbusd_t:dbus send_msg;
-ifdef(`cups.te', `
-allow cupsd_t $1_t:dbus send_msg;
-') 
-') 
-# Allow the user domain to signal/ps.
-can_ps($2_t, $1_t)
-allow $2_t $1_t:process signal_perms;
-
-')
diff --git a/mls/macros/program/mount_macros.te b/mls/macros/program/mount_macros.te
deleted file mode 100644
index 0aa0577..0000000
--- a/mls/macros/program/mount_macros.te
+++ /dev/null
@@ -1,90 +0,0 @@
-#
-# Macros for mount
-#
-# Author:  Brian May <bam@snoopy.apana.org.au>
-# Extended by Russell Coker <russell@coker.com.au>
-#
-
-#
-# mount_domain(domain_prefix,dst_domain_prefix)
-#
-# Define a derived domain for the mount program for anyone.
-#
-define(`mount_domain', `
-#
-# Rules for the $2_t domain, used by the $1_t domain.
-#
-# $2_t is the domain for the mount process.
-#
-# This macro will not be included by all users and it may be included twice if
-# called from other macros, so we need protection for this do not call this
-# macro if $2_def is defined
-define(`$2_def', `')
-#
-type $2_t, domain, privlog $3, nscd_client_domain;
-
-allow $2_t sysfs_t:dir search;
-
-uses_shlib($2_t)
-
-role $1_r types $2_t;
-# when mount is run by $1 goto $2_t domain
-domain_auto_trans($1_t, mount_exec_t, $2_t)
-
-allow $2_t proc_t:dir search;
-allow $2_t proc_t:file { getattr read };
-
-#
-# Allow mounting of cdrom by user
-#
-allow $2_t device_type:blk_file getattr;
-
-tmp_domain($2)
-
-# Use capabilities.
-allow $2_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
-
-allow $2_t self:unix_stream_socket create_socket_perms;
-
-# Create and modify /etc/mtab.
-file_type_auto_trans($2_t, etc_t, etc_runtime_t, file)
-
-allow $2_t etc_t:file { getattr read };
-
-read_locale($2_t)
-
-allow $2_t home_root_t:dir search;
-allow $2_t $1_home_dir_t:dir search;
-allow $2_t noexattrfile:filesystem { mount unmount };
-allow $2_t fs_t:filesystem getattr;
-allow $2_t removable_t:filesystem { mount unmount };
-allow $2_t mnt_t:dir { mounton search };
-allow $2_t sbin_t:dir search;
-
-# Access the terminal.
-access_terminal($2_t, $1)
-ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')
-allow $2_t var_t:dir search;
-allow $2_t var_run_t:dir search;
-
-ifdef(`distro_redhat',`
-ifdef(`pamconsole.te',`
-r_dir_file($2_t,pam_var_console_t)
-# mount config by default sets fscontext=removable_t
-allow $2_t dosfs_t:filesystem relabelfrom;
-') dnl end pamconsole.te
-') dnl end distro_redhat
-') dnl end mount_domain
-
-# mount_loopback_privs(domain_prefix,dst_domain_prefix)
-#
-# Add loopback mounting privileges to a particular derived
-# mount domain. 
-#
-define(`mount_loopback_privs',`
-type $1_$2_source_t, file_type, sysadmfile, $1_file_type;
-allow $1_t $1_$2_source_t:file create_file_perms;
-allow $1_t $1_$2_source_t:file { relabelto relabelfrom };
-allow $2_t $1_$2_source_t:file rw_file_perms;
-')
-
diff --git a/mls/macros/program/mozilla_macros.te b/mls/macros/program/mozilla_macros.te
deleted file mode 100644
index cc8afb0..0000000
--- a/mls/macros/program/mozilla_macros.te
+++ /dev/null
@@ -1,157 +0,0 @@
-#
-# Macros for mozilla/mozilla (or other browser) domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
-#
-
-#
-# mozilla_domain(domain_prefix)
-#
-# Define a derived domain for the mozilla/mozilla program when executed by
-# a user domain.  
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/mozilla.te. 
-#
-
-# FIXME: Rules were removed to centralize policy in a gnome_app macro
-# A similar thing might be necessary for mozilla compiled without GNOME
-# support (is this possible?). 
-
-define(`mozilla_domain',`
-
-type $1_mozilla_t, domain, web_client_domain, nscd_client_domain, privlog;
-
-# Type transition
-if (! disable_mozilla_trans) {
-domain_auto_trans($1_t, mozilla_exec_t, $1_mozilla_t)
-}
-role $1_r types $1_mozilla_t;
-
-# X access, Home files
-home_domain($1, mozilla)
-x_client_domain($1_mozilla, $1)
-
-# GNOME integration
-ifdef(`gnome.te', `
-gnome_application($1_mozilla, $1)
-gnome_file_dialog($1_mozilla, $1)
-')
-
-# Look for plugins 
-allow $1_mozilla_t bin_t:dir { getattr read search };
-
-# Browse the web, connect to printer
-can_resolve($1_mozilla_t)
-can_network_client_tcp($1_mozilla_t, { http_port_t http_cache_port_t ftp_port_t ipp_port_t } )
-allow $1_mozilla_t { http_port_t http_cache_port_t ftp_port_t ipp_port_t }:tcp_socket name_connect;
-
-# Should not need other ports
-dontaudit $1_mozilla_t port_t:tcp_socket { name_connect name_bind };
-
-allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
-dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
-
-# Unrestricted inheritance from the caller.
-allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
-allow $1_mozilla_t $1_t:process signull;
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_mozilla_t)
-allow $1_t $1_mozilla_t:process signal_perms;
-
-# Access /proc, sysctl
-allow $1_mozilla_t proc_t:dir search;
-allow $1_mozilla_t proc_t:file { getattr read };
-allow $1_mozilla_t proc_t:lnk_file read;
-allow $1_mozilla_t sysctl_net_t:dir search;
-allow $1_mozilla_t sysctl_t:dir search;
-
-# /var/lib
-allow $1_mozilla_t var_lib_t:dir search;
-allow $1_mozilla_t var_lib_t:file { getattr read };
-
-# Self permissions
-allow $1_mozilla_t self:socket create_socket_perms;
-allow $1_mozilla_t self:file { getattr read };
-allow $1_mozilla_t self:sem create_sem_perms;
-
-# for bash - old mozilla binary
-can_exec($1_mozilla_t, mozilla_exec_t)
-can_exec($1_mozilla_t, shell_exec_t)
-can_exec($1_mozilla_t, bin_t)
-allow $1_mozilla_t bin_t:lnk_file read;
-allow $1_mozilla_t device_t:dir r_dir_perms;
-allow $1_mozilla_t self:dir search;
-allow $1_mozilla_t self:lnk_file read;
-r_dir_file($1_mozilla_t, proc_net_t)
-
-# interacting with gstreamer
-r_dir_file($1_mozilla_t, var_t)
-
-# Uploads, local html
-read_content($1_mozilla_t, $1, mozilla) 
-
-# Save web pages
-write_untrusted($1_mozilla_t, $1)
-
-# Mozpluggerrc
-allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
-
-######### Java plugin
-ifdef(`java.te', `
-javaplugin_domain($1_mozilla, $1)
-') dnl java.te
-
-######### Print web content
-ifdef(`cups.te', `
-allow $1_mozilla_t cupsd_etc_t:dir search;
-allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read };
-')
-ifdef(`lpr.te', `
-domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
-dontaudit $1_lpr_t $1_mozilla_home_t:file { read write };
-dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write };
-') dnl if lpr.te
-
-######### Launch mplayer
-ifdef(`mplayer.te', `
-domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
-dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
-dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
-dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
-')dnl end if mplayer.te  
-
-######### Launch email client, and make webcal links work
-ifdef(`evolution.te', `
-domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
-domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
-') dnl if evolution.te
-
-ifdef(`thunderbird.te', `
-domain_auto_trans($1_mozilla_t, thunderbird_exec_t, $1_thunderbird_t)
-') dnl if evolution.te
-
-if (allow_execmem) {
-allow $1_mozilla_t self:process { execmem execstack };
-}
-allow $1_mozilla_t texrel_shlib_t:file execmod;
-
-ifdef(`dbusd.te', `
-dbusd_client(system, $1_mozilla)
-allow $1_mozilla_t system_dbusd_t:dbus send_msg;
-ifdef(`cups.te', `
-allow cupsd_t $1_mozilla_t:dbus send_msg;
-')
-')
-
-ifdef(`apache.te', `
-ifelse($1, sysadm, `', `
-r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
-')
-')
-
-')dnl end mozilla macro
-
diff --git a/mls/macros/program/mplayer_macros.te b/mls/macros/program/mplayer_macros.te
deleted file mode 100644
index 6d06757..0000000
--- a/mls/macros/program/mplayer_macros.te
+++ /dev/null
@@ -1,159 +0,0 @@
-#
-# Macros for mplayer
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# mplayer_domains(user) declares domains for mplayer, gmplayer,
-# and mencoder
-
-#####################################################
-#    mplayer_common(role_prefix, mplayer_domain)    #
-#####################################################
-
-define(`mplayer_common',`
-
-# Read global config
-r_dir_file($1_$2_t, mplayer_etc_t)
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_$2_t)
-allow $1_t $1_$2_t:process signal_perms;
-
-# Read data in /usr/share (fonts, icons..)
-r_dir_file($1_$2_t, usr_t)
-
-# Read /proc files and directories
-# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
-allow $1_$2_t proc_t:dir search;
-allow $1_$2_t proc_t:file { getattr read };
-
-# Sysctl on kernel version 
-read_sysctl($1_$2_t)
-
-# Allow ps, shared libs, locale, terminal access
-can_ps($1_t, $1_$2_t)
-uses_shlib($1_$2_t)
-read_locale($1_$2_t)
-access_terminal($1_$2_t, $1)
-
-# Required for win32 binary loader 
-allow $1_$2_t zero_device_t:chr_file { read write execute };
-if (allow_execmem) {
-allow $1_$2_t self:process execmem;
-}
-
-if (allow_execmod) {
-allow $1_$2_t zero_device_t:chr_file execmod;
-}
-allow $1_$2_t texrel_shlib_t:file execmod;
-
-# Access to DVD/CD/V4L
-allow $1_$2_t device_t:dir r_dir_perms;
-allow $1_$2_t device_t:lnk_file { getattr read };
-allow $1_$2_t removable_device_t:blk_file { getattr read };
-allow $1_$2_t v4l_device_t:chr_file { getattr read };
-
-# Legacy domain issues
-if (allow_mplayer_execstack) {
-legacy_domain($1_$2)
-allow $1_$2_t lib_t:file execute;
-allow $1_$2_t locale_t:file execute;
-allow $1_$2_t sound_device_t:chr_file execute;
-}
-')
-
-###################################
-#  mplayer_domain(role_prefix)    #
-###################################
-
-define(`mplayer_domain',`
-
-type $1_mplayer_t, domain, nscd_client_domain;
-
-# Type transition
-domain_auto_trans($1_t, mplayer_exec_t, $1_mplayer_t)
-role $1_r types $1_mplayer_t;
-
-# Home access, X access
-home_domain($1, mplayer)
-x_client_domain($1_mplayer, $1)
-
-# Mplayer common stuff
-mplayer_common($1, mplayer)
-
-# Fork 
-allow $1_mplayer_t self:process { fork signal_perms getsched };
-allow $1_mplayer_t self:fifo_file rw_file_perms;
-
-# Audio, alsa.conf
-allow $1_mplayer_t sound_device_t:chr_file rw_file_perms;
-allow $1_mplayer_t etc_t:file { getattr read };
-r_dir_file($1_mplayer_t, alsa_etc_rw_t);
-
-# RTC clock 
-allow $1_mplayer_t clock_device_t:chr_file { ioctl read };
-
-# Legacy domain issues
-if (allow_mplayer_execstack) {
-allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute;
-}
-
-#======gmplayer gui==========#
-# File dialogs
-dontaudit_getattr($1_mplayer_t)
-dontaudit_read_dir($1_mplayer_t)
-dontaudit_search_dir($1_mplayer_t)
-
-# Unfortunately the ancient file dialog starts in /
-allow $1_mplayer_t home_root_t:dir read;
-
-# Read /etc/mtab
-allow $1_mplayer_t etc_runtime_t:file { read getattr };
-
-# Run bash/sed (??) 
-allow $1_mplayer_t bin_t:dir search;
-allow $1_mplayer_t bin_t:lnk_file read;
-can_exec($1_mplayer_t, bin_t)
-can_exec($1_mplayer_t, shell_exec_t)
-#============================#
-
-# Read songs
-read_content($1_mplayer_t, $1)
-
-') dnl end mplayer_domain
-
-###################################
-#  mencoder_domain(role_prefix)   #
-###################################
-
-define(`mencoder_domain',`
-
-type $1_mencoder_t, domain;
-
-# Type transition
-domain_auto_trans($1_t, mencoder_exec_t, $1_mencoder_t)
-role $1_r types $1_mencoder_t;
-
-# Access mplayer home domain
-home_domain_access($1_mencoder_t, $1, mplayer)
-
-# Mplayer common stuff
-mplayer_common($1, mencoder)
-
-# Read content to encode
-read_content($1_mencoder_t, $1)
-
-# Save encoded files
-write_trusted($1_mencoder_t, $1)
-
-') dnl end mencoder_domain
-
-#############################
-#  mplayer_domains(role)    #
-#############################
-
-define(`mplayer_domains', `
-mplayer_domain($1)
-mencoder_domain($1)
-') dnl end mplayer_domains
-
diff --git a/mls/macros/program/mta_macros.te b/mls/macros/program/mta_macros.te
deleted file mode 100644
index b221f54..0000000
--- a/mls/macros/program/mta_macros.te
+++ /dev/null
@@ -1,121 +0,0 @@
-# Macros for MTA domains.
-#
-
-#
-# Author:   Russell Coker <russell@coker.com.au>
-# Based on the work of: Stephen Smalley <sds@epoch.ncsc.mil>
-#                       Timothy Fraser 
-#
-
-#
-# mail_domain(domain_prefix)
-#
-# Define a derived domain for the sendmail program when executed by
-# a user domain to send outgoing mail.  These domains are separate and
-# independent of the domain used for the sendmail daemon process.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/mta.te. 
-#
-undefine(`mail_domain')
-define(`mail_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_mail_t, domain, privlog, user_mail_domain, nscd_client_domain;
-
-ifdef(`sendmail.te', `
-sendmail_user_domain($1)
-')
-
-can_exec($1_mail_t, sendmail_exec_t)
-allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };
-
-# The user role is authorized for this domain.
-role $1_r types $1_mail_t;
-
-uses_shlib($1_mail_t)
-can_network_client_tcp($1_mail_t)
-allow $1_mail_t { smtp_port_t port_type }:tcp_socket name_connect;
-can_resolve($1_mail_t)
-can_ypbind($1_mail_t)
-allow $1_mail_t self:unix_dgram_socket create_socket_perms;
-allow $1_mail_t self:unix_stream_socket create_socket_perms;
-
-read_locale($1_mail_t)
-read_sysctl($1_mail_t)
-allow $1_mail_t device_t:dir search;
-allow $1_mail_t { var_t var_spool_t }:dir search;
-allow $1_mail_t self:process { fork signal_perms setrlimit };
-allow $1_mail_t sbin_t:dir search;
-
-# It wants to check for nscd
-dontaudit $1_mail_t var_run_t:dir search;
-
-# Use capabilities
-allow $1_mail_t self:capability { setuid setgid chown };
-
-# Execute procmail.
-can_exec($1_mail_t, bin_t)
-ifdef(`procmail.te',`
-can_exec($1_mail_t, procmail_exec_t)')
-
-ifelse(`$1', `system', `
-# Transition from a system domain to the derived domain.
-domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
-allow privmail sendmail_exec_t:lnk_file { getattr read };
-
-ifdef(`crond.te', `
-# Read cron temporary files.
-allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
-allow mta_user_agent system_crond_tmp_t:file { read getattr };
-')
-can_access_pty(system_mail_t, initrc)
-
-', `
-# For when the user wants to send mail via port 25 localhost
-can_tcp_connect($1_t, mail_server_domain)
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t)
-allow $1_t sendmail_exec_t:lnk_file { getattr read };
-
-# Read user temporary files.
-allow $1_mail_t $1_tmp_t:file r_file_perms;
-dontaudit $1_mail_t $1_tmp_t:file append;
-ifdef(`postfix.te', `
-# postfix seems to need write access if the file handle is opened read/write
-allow $1_mail_t $1_tmp_t:file write;
-')dnl end if postfix
-
-allow mta_user_agent $1_tmp_t:file { read getattr };
-
-# Write to the user domain tty.
-access_terminal(mta_user_agent, $1)
-access_terminal($1_mail_t, $1)
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
-allow $1_mail_t privfd:fd use;
-
-# Create dead.letter in user home directories.
-file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
-
-if (use_samba_home_dirs) {
-rw_dir_create_file($1_mail_t, cifs_t)
-}
-
-# if you do not want to allow dead.letter then use the following instead
-#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
-#allow $1_mail_t $1_home_t:file r_file_perms;
-
-# for reading .forward - maybe we need a new type for it?
-# also for delivering mail to maildir
-file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
-')dnl end if system
-
-allow $1_mail_t etc_t:file { getattr read };
-ifdef(`qmail.te', `
-allow $1_mail_t qmail_etc_t:dir search;
-allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
-')dnl end if qmail
-
-')
diff --git a/mls/macros/program/newrole_macros.te b/mls/macros/program/newrole_macros.te
deleted file mode 100644
index 0d52282..0000000
--- a/mls/macros/program/newrole_macros.te
+++ /dev/null
@@ -1,97 +0,0 @@
-# Authors:  Anthony Colatrella (NSA)    Stephen Smalley <sds@epoch.ncsc.mil>
-#           Russell Coker <russell@coker.com.au>
-
-# This macro defines the rules for a newrole like program, it is used by
-# newrole.te and sudo.te, but may be used by other policy at some later time.
-
-define(`newrole_domain', `
-# Rules for the $1_t domain.
-#
-# $1_t is the domain for the program.
-# $1_exec_t is the type of the executable.
-#
-type $1_t, domain, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl $2;
-in_user_role($1_t)
-role sysadm_r types $1_t;
-
-general_domain_access($1_t);
-
-uses_shlib($1_t)
-read_locale($1_t)
-read_sysctl($1_t)
-
-allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read };
-
-# for when the user types "exec newrole" at the command line
-allow $1_t privfd:process sigchld;
-
-# Inherit descriptors from the current session.
-allow $1_t privfd:fd use;
-
-# Execute /sbin/pwdb_chkpwd to check the password.
-allow $1_t sbin_t:dir r_dir_perms;
-
-# Execute shells
-allow $1_t bin_t:dir r_dir_perms;
-allow $1_t bin_t:lnk_file read;
-allow $1_t shell_exec_t:file r_file_perms;
-
-allow $1_t urandom_device_t:chr_file { getattr read };
-
-# Allow $1_t to transition to user domains.
-domain_trans($1_t, shell_exec_t, unpriv_userdomain)
-if(!secure_mode)
-{
-	# if we are not in secure mode then we can transition to sysadm_t
-	domain_trans($1_t, shell_exec_t, sysadm_t)
-}
-
-can_setexec($1_t)
-
-allow $1_t autofs_t:dir search;
-
-# Use capabilities.
-allow $1_t self:capability { fowner setuid setgid net_bind_service dac_override };
-
-# Read the devpts root directory.
-allow $1_t devpts_t:dir r_dir_perms;
-
-# Read the /etc/security/default_type file
-r_dir_file($1_t, default_context_t)
-r_dir_file($1_t, selinux_config_t)
-allow $1_t etc_t:file r_file_perms;
-
-# Read /var.
-r_dir_file($1_t, var_t)
-
-# Read /dev directories and any symbolic links.
-allow $1_t device_t:dir r_dir_perms;
-
-# Relabel terminals.
-allow $1_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-
-# Access terminals.
-allow $1_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
-
-ifdef(`distro_debian', `
-# for /etc/alternatives
-allow $1_t etc_t:lnk_file read;
-')
-
-#
-# Allow newrole to obtain contexts to relabel TTYs
-#
-can_getsecurity($1_t)
-
-allow $1_t fs_t:filesystem getattr;
-
-# for some PAM modules and for cwd
-dontaudit $1_t { home_root_t home_type }:dir search;
-
-allow $1_t proc_t:dir search;
-allow $1_t proc_t:file { getattr read };
-
-# for when the network connection is killed
-dontaudit unpriv_userdomain $1_t:process signal;
-')
diff --git a/mls/macros/program/orbit_macros.te b/mls/macros/program/orbit_macros.te
deleted file mode 100644
index b2dd5d1..0000000
--- a/mls/macros/program/orbit_macros.te
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# ORBit related types 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# orbit_domain(prefix, role_prefix) - create ORBit sockets
-# orbit_connect(type1_prefix, type2_prefix) 
-#	- allow communication through ORBit sockets from type1 to type2 
-
-define(`orbit_domain', `
-
-# Protect against double inclusion for speed and correctness
-ifdef(`orbit_domain_$1_$2', `', `
-define(`orbit_domain_$1_$2')
-
-# Relabel directory (startup script)
-allow $1_t $1_orbit_tmp_t:{ dir file } { relabelfrom relabelto };
-
-# Type for ORBit sockets
-type $1_orbit_tmp_t, file_type, $2_file_type, sysadmfile, tmpfile;
-file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t)
-allow $1_t tmp_t:dir { read search getattr };
-
-# Create the sockets
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_t self:unix_dgram_socket create_socket_perms;
-
-# Use random device(s)
-allow $1_t { random_device_t urandom_device_t }:chr_file { read getattr ioctl };
-
-# Why do they do that?
-dontaudit $1_t $2_orbit_tmp_t:dir setattr;
-
-') dnl ifdef orbit_domain_args
-') dnl orbit_domain
-
-##########################
-
-define(`orbit_connect', `
-
-can_unix_connect($1_t, $2_t)
-allow $1_t $2_orbit_tmp_t:sock_file write;
-
-') dnl orbit_connect
diff --git a/mls/macros/program/pyzor_macros.te b/mls/macros/program/pyzor_macros.te
deleted file mode 100644
index af67d30..0000000
--- a/mls/macros/program/pyzor_macros.te
+++ /dev/null
@@ -1,69 +0,0 @@
-#
-# Pyzor - Pyzor is a collaborative, networked system to detect and
-#         block spam using identifying digests of messages.
-#
-# Author:  David Hampton <hampton@employees.org>
-#
-
-##########
-# common definitions for pyzord and all flavors of pyzor
-##########
-define(`pyzor_base_domain',`
-
-# Networking
-can_network_client_tcp($1_t, http_port_t);
-can_network_udp($1_t, pyzor_port_t);
-can_resolve($1_t);
-
-general_proc_read_access($1_t)
-
-tmp_domain($1)
-
-allow $1_t bin_t:dir { getattr search };
-allow $1_t bin_t:file getattr;
-allow $1_t lib_t:file { getattr read };
-allow $1_t { var_t var_lib_t var_run_t }:dir search;
-uses_shlib($1_t)
-
-# Python does a getattr on this file
-allow $1_t pyzor_exec_t:file getattr;
-
-# mktemp and other randoms
-allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;
-
-# Allow access to various files in the /etc/directory including mtab
-# and nsswitch
-allow $1_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale($1_t)
-')
-
-
-#
-# Define a user domain for a pyzor
-#
-# Note: expects to be called with an argument of user, sysadm
-
-define(`pyzor_domain',`
-type $1_pyzor_t, domain, privlog, nscd_client_domain;
-role $1_r types $1_pyzor_t;
-domain_auto_trans($1_t, pyzor_exec_t, $1_pyzor_t)
-
-pyzor_base_domain($1_pyzor)
-
-# Per-user config/data files
-home_domain($1, pyzor)
-file_type_auto_trans($1_pyzor_t, $1_home_dir_t, $1_pyzor_home_t, dir)
-
-# System config files
-r_dir_file($1_pyzor_t, pyzor_etc_t)
-
-# System data files
-r_dir_file($1_pyzor_t, pyzor_var_lib_t);
-
-allow $1_pyzor_t self:unix_stream_socket create_stream_socket_perms;
-
-# Allow pyzor to be run by hand.  Needed by any action other than
-# invocation from a spam filter.
-can_access_pty($1_pyzor_t, $1)
-allow $1_pyzor_t sshd_t:fd use;
-')
diff --git a/mls/macros/program/razor_macros.te b/mls/macros/program/razor_macros.te
deleted file mode 100644
index e4c7c55..0000000
--- a/mls/macros/program/razor_macros.te
+++ /dev/null
@@ -1,75 +0,0 @@
-#
-# Razor - Razor is a collaborative, networked system to detect and
-#         block spam using identifying digests of messages.
-#
-# Author:  David Hampton <hampton@employees.org>
-#
-
-##########
-# common definitions for razord and all flavors of razor
-##########
-define(`razor_base_domain',`
-
-# Razor is one executable and several symlinks
-allow $1_t razor_exec_t:{ file lnk_file } { getattr read };
-
-# Networking
-can_network_client_tcp($1_t, razor_port_t)
-can_resolve($1_t);
-
-general_proc_read_access($1_t)
-
-# Read system config file
-r_dir_file($1_t, razor_etc_t)
-
-# Update razor common files
-file_type_auto_trans($1_t, var_log_t, razor_log_t, file)
-create_dir_file($1_t, razor_log_t)
-allow $1_t var_lib_t:dir search;
-create_dir_file($1_t, razor_var_lib_t)
-
-allow $1_t bin_t:dir { getattr search };
-allow $1_t bin_t:file getattr;
-allow $1_t lib_t:file { getattr read };
-allow $1_t { var_t var_run_t }:dir search;
-uses_shlib($1_t)
-
-# Razor forks other programs to do part of its work.
-general_domain_access($1_t)
-can_exec($1_t, bin_t)
-
-# mktemp and other randoms
-allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;
-
-# Allow access to various files in the /etc/directory including mtab
-# and nsswitch
-allow $1_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale($1_t)
-')
-
-
-#
-# Define a user domain for a razor
-#
-# Note: expects to be called with an argument of user, sysadm
-
-define(`razor_domain',`
-type $1_razor_t, domain, privlog, nscd_client_domain;
-role $1_r types $1_razor_t;
-domain_auto_trans($1_t, razor_exec_t, $1_razor_t)
-
-razor_base_domain($1_razor)
-
-# Per-user config/data files
-home_domain($1, razor)
-file_type_auto_trans($1_razor_t, $1_home_dir_t, $1_razor_home_t, dir)
-
-tmp_domain($1_razor)
-
-allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;
-
-# Allow razor to be run by hand.  Needed by any action other than
-# invocation from a spam filter.
-can_access_pty($1_razor_t, $1)
-allow $1_razor_t sshd_t:fd use;
-')
diff --git a/mls/macros/program/resmgrd_macros.te b/mls/macros/program/resmgrd_macros.te
deleted file mode 100644
index ec0ac60..0000000
--- a/mls/macros/program/resmgrd_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# Macro for resmgrd
-
-define(`can_resmgrd_connect', `
-ifdef(`resmgrd.te', ` 
-allow $1 resmgrd_t:unix_stream_socket connectto;
-allow $1 { var_t var_run_t }:dir search;
-allow $1 resmgrd_var_run_t:sock_file write;
-allow $1 resmgrd_t:fd use;
-')
-')
-
diff --git a/mls/macros/program/rhgb_macros.te b/mls/macros/program/rhgb_macros.te
deleted file mode 100644
index 9700fba..0000000
--- a/mls/macros/program/rhgb_macros.te
+++ /dev/null
@@ -1,8 +0,0 @@
-
-define(`rhgb_domain', `
-ifdef(`rhgb.te', `
-allow $1 rhgb_t:process sigchld;
-allow $1 rhgb_t:fd use;
-allow $1 rhgb_t:fifo_file { read write };
-')dnl end ifdef
-')
diff --git a/mls/macros/program/rssh_macros.te b/mls/macros/program/rssh_macros.te
deleted file mode 100644
index 33fbdb5..0000000
--- a/mls/macros/program/rssh_macros.te
+++ /dev/null
@@ -1,58 +0,0 @@
-#
-# Macros for Rssh domains
-#
-# Author: Colin Walters <walters@verbum.org>
-#
-
-#
-# rssh_domain(domain_prefix)
-#
-# Define a specific rssh domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/rssh.te. 
-#
-undefine(`rssh_domain')
-ifdef(`rssh.te', `
-define(`rssh_domain',`
-type rssh_$1_t, domain, userdomain, privlog, privfd;
-role rssh_$1_r types rssh_$1_t;
-allow system_r rssh_$1_r;
-
-type rssh_$1_rw_t, file_type, sysadmfile, $1_file_type;
-type rssh_$1_ro_t, file_type, sysadmfile, $1_file_type;
-
-general_domain_access(rssh_$1_t);
-uses_shlib(rssh_$1_t);
-base_file_read_access(rssh_$1_t);
-allow rssh_$1_t var_t:dir r_dir_perms;
-r_dir_file(rssh_$1_t, etc_t);
-allow rssh_$1_t etc_runtime_t:file { getattr read };
-r_dir_file(rssh_$1_t, locale_t);
-can_exec(rssh_$1_t, bin_t);
-
-allow rssh_$1_t proc_t:dir { getattr search };
-allow rssh_$1_t proc_t:lnk_file { getattr read };
-
-r_dir_file(rssh_$1_t, rssh_$1_ro_t);
-create_dir_file(rssh_$1_t, rssh_$1_rw_t);
-
-can_create_pty(rssh_$1, `, userpty_type, user_tty_type')
-# Use the type when relabeling pty devices.
-type_change rssh_$1_t server_pty:chr_file rssh_$1_devpts_t;
-
-ifdef(`ssh.te',`
-allow rssh_$1_t sshd_t:fd use;
-allow rssh_$1_t sshd_t:tcp_socket rw_stream_socket_perms;
-allow rssh_$1_t sshd_t:unix_stream_socket rw_stream_socket_perms;
-# For reading /home/user/.ssh
-r_dir_file(sshd_t, rssh_$1_ro_t);
-domain_trans(sshd_t, rssh_exec_t, rssh_$1_t);
-')
-')
-
-', `
-
-define(`rssh_domain',`')
-
-')
diff --git a/mls/macros/program/run_program_macros.te b/mls/macros/program/run_program_macros.te
deleted file mode 100644
index c98bbee..0000000
--- a/mls/macros/program/run_program_macros.te
+++ /dev/null
@@ -1,73 +0,0 @@
-
-# $1 is the source domain (or domains), $2 is the source role (or roles) and $3
-# is the base name for the domain to run.  $1 is normally sysadm_t, and $2 is
-# normally sysadm_r.  $4 is the type of program to run and $5 is the domain to
-# transition to.
-# sample usage:
-# run_program(sysadm_t, sysadm_r, init, etc_t, initrc_t)
-#
-# if you have several users who run the same run_init type program for
-# different purposes (think of a run_db program used by several database
-# administrators to start several databases) then you can list all the source
-# domains in $1, all the source roles in $2, but you may not want to list all
-# types of programs to run in $4 and target domains in $5 (as that may permit
-# entering a domain from the wrong type).  In such a situation just specify
-# one value for each of $4 and $5 and have some rules such as the following:
-# domain_trans(run_whatever_t, whatever_exec_t, whatever_t)
-
-define(`run_program', `
-type run_$3_exec_t, file_type, exec_type, sysadmfile;
-
-# domain for program to run in, needs to change role (priv_system_role), change
-# identity to system_u (privuser), log failures to syslog (privlog) and
-# authenticate users
-type run_$3_t, domain, priv_system_role, privuser, privlog;
-domain_auto_trans($1, run_$3_exec_t, run_$3_t)
-role $2 types run_$3_t;
-
-domain_auto_trans(run_$3_t, chkpwd_exec_t, sysadm_chkpwd_t)
-dontaudit run_$3_t shadow_t:file getattr;
-
-# for utmp
-allow run_$3_t initrc_var_run_t:file rw_file_perms;
-allow run_$3_t admin_tty_type:chr_file rw_file_perms;
-
-dontaudit run_$3_t devpts_t:dir { getattr read };
-dontaudit run_$3_t device_t:dir read;
-
-# for auth_chkpwd
-dontaudit run_$3_t shadow_t:file read;
-allow run_$3_t self:process { fork sigchld };
-allow run_$3_t self:fifo_file rw_file_perms;
-allow run_$3_t self:capability setuid;
-allow run_$3_t self:lnk_file read;
-
-# often the administrator runs such programs from a directory that is owned
-# by a different user or has restrictive SE permissions, do not want to audit
-# the failed access to the current directory
-dontaudit run_$3_t file_type:dir search;
-dontaudit run_$3_t self:capability { dac_override dac_read_search };
-
-allow run_$3_t bin_t:lnk_file read;
-can_exec(run_$3_t, { bin_t shell_exec_t })
-ifdef(`chkpwd.te', `
-can_exec(run_$3_t, chkpwd_exec_t)
-')
-
-domain_trans(run_$3_t, $4, $5)
-can_setexec(run_$3_t)
-
-allow run_$3_t privfd:fd use;
-uses_shlib(run_$3_t)
-allow run_$3_t lib_t:file { getattr read };
-can_getsecurity(run_$3_t)
-r_dir_file(run_$3_t,selinux_config_t)
-r_dir_file(run_$3_t,default_context_t)
-allow run_$3_t self:unix_stream_socket create_socket_perms;
-allow run_$3_t self:unix_dgram_socket create_socket_perms;
-allow run_$3_t etc_t:file { getattr read };
-read_locale(run_$3_t)
-allow run_$3_t fs_t:filesystem getattr;
-allow run_$3_t { bin_t sbin_t }:dir search;
-dontaudit run_$3_t device_t:dir { getattr search };
-')
diff --git a/mls/macros/program/samba_macros.te b/mls/macros/program/samba_macros.te
deleted file mode 100644
index d766784..0000000
--- a/mls/macros/program/samba_macros.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#
-# Macros for samba domains.
-#
-
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com>
-#
-
-# 
-# samba_domain(domain_prefix)
-#
-# Define a derived domain for the samba program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/samba.te. 
-#
-undefine(`samba_domain')
-ifdef(`samba.te', `
-define(`samba_domain',`
-if ( samba_enable_home_dirs ) {
-allow smbd_t home_root_t:dir r_dir_perms;
-file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t)
-dontaudit smbd_t $1_file_type:dir_file_class_set getattr;
-}
-')
-', `
-define(`samba_domain',`')
-
-')dnl end if samba.te
diff --git a/mls/macros/program/screen_macros.te b/mls/macros/program/screen_macros.te
deleted file mode 100644
index e81a90a..0000000
--- a/mls/macros/program/screen_macros.te
+++ /dev/null
@@ -1,113 +0,0 @@
-#
-# Macros for screen domains.
-#
-
-#
-# Author: Russell Coker <russell@coker.com.au>
-# Based on the work of Stephen Smalley <sds@epoch.ncsc.mil>
-# and Timothy Fraser
-#
-
-#
-# screen_domain(domain_prefix)
-#
-# Define a derived domain for the screen program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/screen.te. 
-#
-undefine(`screen_domain')
-ifdef(`screen.te', `
-define(`screen_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_screen_t, domain, privlog, privfd, nscd_client_domain;
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, screen_exec_t, $1_screen_t)
-
-tmp_domain($1_screen, `', `{ dir file fifo_file }')
-base_file_read_access($1_screen_t)
-# The user role is authorized for this domain.
-role $1_r types $1_screen_t;
-
-uses_shlib($1_screen_t)
-
-# for SSP
-allow $1_screen_t urandom_device_t:chr_file read;
-
-# Revert to the user domain when a shell is executed.
-domain_auto_trans($1_screen_t, { shell_exec_t bin_t }, $1_t)
-domain_auto_trans($1_screen_t, $1_home_t, $1_t)
-if (use_nfs_home_dirs) {
-domain_auto_trans($1_screen_t, nfs_t, $1_t)
-}
-if (use_samba_home_dirs) {
-domain_auto_trans($1_screen_t, cifs_t, $1_t)
-}
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;')
-
-home_domain_ro($1, screen)
-
-allow $1_screen_t privfd:fd use;
-
-# Write to utmp.
-allow $1_screen_t initrc_var_run_t:file rw_file_perms;
-ifdef(`utempter.te', `
-dontaudit $1_screen_t utempter_exec_t:file execute;
-')
-
-# create pty devices
-can_create_other_pty($1_screen, $1)
-allow $1_screen_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_screen_t device_t:dir { getattr read };
-
-allow $1_screen_t fs_t:filesystem getattr;
-
-# Create fifo
-allow $1_screen_t var_t:dir search;
-file_type_auto_trans($1_screen_t, var_run_t, screen_dir_t, dir)
-type $1_screen_var_run_t, file_type, sysadmfile, pidfile;
-file_type_auto_trans($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file)
-
-allow $1_screen_t self:process { fork signal_perms };
-allow $1_t $1_screen_t:process signal;
-allow $1_screen_t $1_t:process signal;
-allow $1_screen_t self:capability { setuid setgid fsetid };
-
-dontaudit $1_screen_t shadow_t:file read;
-
-allow $1_screen_t tmp_t:dir search;
-can_network($1_screen_t)
-allow $1_screen_t port_type:tcp_socket name_connect;
-can_ypbind($1_screen_t)
-
-# get stats
-allow $1_screen_t proc_t:dir search;
-allow $1_screen_t proc_t:file { getattr read };
-allow $1_screen_t proc_t:lnk_file read;
-allow $1_screen_t etc_t:{ file lnk_file } { read getattr };
-allow $1_screen_t self:dir { search read };
-allow $1_screen_t self:lnk_file read;
-allow $1_screen_t device_t:dir search;
-allow $1_screen_t { home_root_t $1_home_dir_t }:dir search;
-
-# Internal screen networking
-allow $1_screen_t self:fd use;
-allow $1_screen_t self:unix_stream_socket create_socket_perms;
-allow $1_screen_t self:unix_dgram_socket create_socket_perms;
-
-allow $1_screen_t bin_t:dir search;
-allow $1_screen_t bin_t:lnk_file read;
-read_locale($1_screen_t)
-
-dontaudit $1_screen_t file_type:{ chr_file blk_file } getattr;
-')dnl end screen_domain
-
-', `
-
-define(`screen_domain',`')
-
-')
diff --git a/mls/macros/program/sendmail_macros.te b/mls/macros/program/sendmail_macros.te
deleted file mode 100644
index 540e0a2..0000000
--- a/mls/macros/program/sendmail_macros.te
+++ /dev/null
@@ -1,56 +0,0 @@
-#
-# Macros for sendmail domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
-#           Russell Coker <russell@coker.com.au>
-#
-
-#
-# sendmail_user_domain(domain_prefix)
-#
-# Define a derived domain for the sendmail program when executed by
-# a user domain to send outgoing mail.  These domains are separate and
-# independent of the domain used for the sendmail daemon process.
-#
-undefine(`sendmail_user_domain')
-define(`sendmail_user_domain', `
-
-# Use capabilities
-allow $1_mail_t self:capability net_bind_service;
-
-tmp_domain($1_mail)
-
-# Write to /var/spool/mail and /var/spool/mqueue.
-allow $1_mail_t mail_spool_t:dir rw_dir_perms;
-allow $1_mail_t mail_spool_t:file create_file_perms;
-allow $1_mail_t mqueue_spool_t:dir rw_dir_perms;
-allow $1_mail_t mqueue_spool_t:file create_file_perms;
-
-# Write to /var/log/sendmail.st
-file_type_auto_trans($1_mail_t, var_log_t, sendmail_log_t)
-
-allow $1_mail_t etc_mail_t:dir { getattr search };
-
-allow $1_mail_t { var_t var_spool_t }:dir getattr;
-
-allow $1_mail_t etc_runtime_t:file { getattr read };
-
-# Check available space.
-allow $1_mail_t fs_t:filesystem getattr;
-
-allow $1_mail_t sysctl_kernel_t:dir search;
-
-ifelse(`$1', `sysadm', `
-allow $1_mail_t proc_t:dir { getattr search };
-allow $1_mail_t proc_t:{ lnk_file file } { getattr read };
-dontaudit $1_mail_t proc_net_t:dir search;
-allow $1_mail_t sysctl_kernel_t:file { getattr read };
-allow $1_mail_t etc_runtime_t:file { getattr read };
-', `
-dontaudit $1_mail_t proc_t:dir search;
-dontaudit $1_mail_t sysctl_kernel_t:file read;
-')dnl end if sysadm
-')
-
diff --git a/mls/macros/program/slocate_macros.te b/mls/macros/program/slocate_macros.te
deleted file mode 100644
index 115022b..0000000
--- a/mls/macros/program/slocate_macros.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#
-# Macros for locate domains.
-#
-
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#
-# locate_domain(domain_prefix)
-#
-# Define a derived domain for the locate program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/locate.te. 
-#
-undefine(`locate_domain')
-ifdef(`slocate.te', `
-define(`locate_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_locate_t, domain;
-
-allow $1_locate_t self:process signal;
-
-allow $1_locate_t etc_t:file { getattr read };
-allow $1_locate_t self:unix_stream_socket create_socket_perms;
-r_dir_file($1_locate_t,locate_var_lib_t)
-allow $1_locate_t var_lib_t:dir search;
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, locate_exec_t, $1_locate_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_locate_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `
-allow $1_locate_t $1_gph_t:fd use;
-')
-
-allow $1_locate_t privfd:fd use;
-
-# allow ps to show locate
-can_ps($1_t, $1_locate_t)
-allow $1_t $1_locate_t:process signal;
-
-uses_shlib($1_locate_t)
-access_terminal($1_locate_t, $1)
-
-allow $1_locate_t { home_root_t $1_home_dir_t $1_file_type }:dir { getattr search };
-allow $1_locate_t $1_file_type:{ file lnk_file } { getattr read };
-
-base_file_read_access($1_locate_t)
-r_dir_file($1_locate_t, { etc_t lib_t var_t })
-dontaudit $1_locate_t { fs_type file_type }:dir r_dir_perms;
-dontaudit $1_locate_t { fs_type file_type -shadow_t}:file { getattr read };
-')
-
-', `
-
-define(`locate_domain',`')
-
-')
diff --git a/mls/macros/program/spamassassin_macros.te b/mls/macros/program/spamassassin_macros.te
deleted file mode 100644
index c85cfc7..0000000
--- a/mls/macros/program/spamassassin_macros.te
+++ /dev/null
@@ -1,128 +0,0 @@
-#
-# Macros for spamassassin domains.
-#
-# Author: Colin Walters <walters@verbum.org>
-
-# spamassassin_domain(domain_prefix)
-#
-# Define derived domains for various spamassassin tools when executed
-# by a user domain.
-#
-# The type declarations for the executable types of these programs are
-# provided separately in domains/program/spamassassin.te and
-# domains/program/spamc.te.
-#
-undefine(`spamassassin_domain')
-ifdef(`spamassassin.te', `define(`using_spamassassin', `')')
-ifdef(`spamd.te', `define(`using_spamassassin', `')')
-ifdef(`spamc.te', `define(`using_spamassassin', `')')
-
-ifdef(`using_spamassassin',`
-
-#######
-# Macros used internally in these spamassassin macros.
-#
-
-###
-# Define a domain for a spamassassin-like program (spamc/spamassassin).
-#
-# Note: most of this should really be in a generic macro like
-# base_user_program($1, foo)
-define(`spamassassin_program_domain',`
-type $1_$2_t, domain, privlog $3;
-domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
-
-role $1_r types $1_$2_t;
-general_domain_access($1_$2_t)
-
-base_file_read_access($1_$2_t)
-r_dir_file($1_$2_t, etc_t)
-ifdef(`sendmail.te', `
-r_dir_file($1_$2_t, etc_mail_t)
-')
-allow $1_$2_t etc_runtime_t:file r_file_perms;
-uses_shlib($1_$2_t)
-read_locale($1_$2_t)
-dontaudit $1_$2_t var_t:dir search;
-tmp_domain($1_$2)
-allow $1_$2_t privfd:fd use;
-allow $1_$2_t userpty_type:chr_file rw_file_perms;
-') dnl end spamassassin_program_domain
-
-###
-# Give privileges to a domain for accessing ~/.spamassassin
-# and a few other misc things like /dev/random.
-# This is granted to /usr/bin/spamassassin and
-# /usr/sbin/spamd, but NOT spamc (because it does not need it).
-#
-define(`spamassassin_agent_privs',`
-allow $1 home_root_t:dir r_dir_perms;
-file_type_auto_trans($1, $2_home_dir_t, $2_spamassassin_home_t)
-create_dir_file($1, $2_spamassassin_home_t)
-
-allow $1 urandom_device_t:chr_file r_file_perms;
-')
-
-#######
-# Define the main spamassassin macro.  This itself creates a
-# domain for /usr/bin/spamassassin, and also spamc/spamd if
-# applicable.
-#
-define(`spamassassin_domain',`
-spamassassin_program_domain($1, spamassassin)
-
-# For perl libraries.
-allow $1_spamassassin_t lib_t:file rx_file_perms;
-# Ignore perl digging in /proc and /var.
-dontaudit $1_spamassassin_t proc_t:dir search;
-dontaudit $1_spamassassin_t proc_t:lnk_file read;
-dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search;
-
-# For ~/.spamassassin
-home_domain($1, spamassassin)
-file_type_auto_trans($1_spamassassin_t, $1_home_dir_t, $1_spamassassin_home_t, dir)
-
-spamassassin_agent_privs($1_spamassassin_t, $1)
-
-can_resolve($1_spamassassin_t)
-# set tunable if you have spamassassin do DNS lookups
-if (spamassasin_can_network) {
-can_network($1_spamassassin_t)
-allow $1_spamassassin_t port_type:tcp_socket name_connect;
-}
-if (spamassasin_can_network && allow_ypbind) {
-uncond_can_ypbind($1_spamassassin_t)
-}
-###
-# Define the domain for /usr/bin/spamc
-#
-ifdef(`spamc.te',`
-spamassassin_program_domain($1, spamc, `, nscd_client_domain')
-can_network($1_spamc_t)
-allow $1_spamc_t port_type:tcp_socket name_connect;
-can_ypbind($1_spamc_t)
-
-# Allow connecting to a local spamd
-ifdef(`spamd.te',`
-can_tcp_connect($1_spamc_t, spamd_t)
-can_unix_connect($1_spamc_t, spamd_t)
-allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms;
-') dnl endif spamd.te
-') dnl endif spamc.te
-
-###
-# Define the domain for /usr/sbin/spamd
-#
-ifdef(`spamd.te',`
-
-spamassassin_agent_privs(spamd_t, $1)
-
-') dnl endif spamd.te
-
-') dnl end spamassassin_domain
-
-', `
-
-define(`spamassassin_domain',`')
-
-')
diff --git a/mls/macros/program/ssh_agent_macros.te b/mls/macros/program/ssh_agent_macros.te
deleted file mode 100644
index 7215f5c..0000000
--- a/mls/macros/program/ssh_agent_macros.te
+++ /dev/null
@@ -1,117 +0,0 @@
-#
-# Macros for ssh agent
-#
-
-#
-# Author:  Thomas Bleher <ThomasBleher@gmx.de>
-#
-
-# 
-# ssh_agent_domain(domain_prefix)
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/ssh-agent.te. 
-#
-define(`ssh_agent_domain',`
-# Define a derived domain for the ssh-agent program when executed
-# by a user domain.
-# Derived domain based on the calling user domain and the program.
-type $1_ssh_agent_t, domain, privlog;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, ssh_agent_exec_t, $1_ssh_agent_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_ssh_agent_t;
-
-allow $1_ssh_agent_t privfd:fd use;
-
-# Write to the user domain tty.
-access_terminal($1_ssh_agent_t, $1)
-
-# Allow the user shell to signal the ssh program.
-allow $1_t $1_ssh_agent_t:process signal;
-# allow ps to show ssh
-can_ps($1_t, $1_ssh_agent_t)
-
-can_ypbind($1_ssh_agent_t)
-if (use_nfs_home_dirs) {
-allow $1_ssh_agent_t autofs_t:dir { search getattr };
-rw_dir_create_file($1_ssh_agent_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-rw_dir_create_file($1_ssh_agent_t, cifs_t)
-}
-
-uses_shlib($1_ssh_agent_t)
-read_locale($1_ssh_agent_t)
-
-allow $1_ssh_agent_t proc_t:dir search;
-dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
-dontaudit $1_ssh_agent_t selinux_config_t:dir search;
-dontaudit $1_ssh_agent_t selinux_config_t:file { read getattr };
-read_sysctl($1_ssh_agent_t)
-
-# Access the ssh temporary files. Should we have an own type here
-# to which only ssh, ssh-agent and ssh-add have access?
-allow $1_ssh_agent_t $1_tmp_t:dir r_dir_perms;
-file_type_auto_trans($1_ssh_agent_t, tmp_t, $1_tmp_t)
-allow $1_ssh_agent_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_ssh_agent_t self:unix_dgram_socket create_socket_perms;
-
-allow $1_ssh_agent_t self:process { fork sigchld setrlimit };
-allow $1_ssh_agent_t self:capability setgid;
-
-# access the random devices
-allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file { getattr read };
-
-# for ssh-add
-can_unix_connect($1_t, $1_ssh_agent_t)
-
-# transition back to normal privs upon exec
-domain_auto_trans($1_ssh_agent_t, { bin_t shell_exec_t $1_home_t }, $1_t)
-if (use_nfs_home_dirs) {
-domain_auto_trans($1_ssh_agent_t, nfs_t, $1_t)
-}
-if (use_samba_home_dirs) {
-domain_auto_trans($1_ssh_agent_t, cifs_t, $1_t)
-}
-allow $1_ssh_agent_t bin_t:dir search;
-
-# allow reading of /usr/bin/X11 (is a symlink)
-allow $1_ssh_agent_t bin_t:lnk_file read;
-
-allow $1_ssh_agent_t { $1_ssh_agent_t $1_t }:process signull;
-
-allow $1_ssh_agent_t { home_root_t $1_home_dir_t }:dir search;
-
-allow $1_ssh_t $1_tmp_t:sock_file write;
-allow $1_ssh_t $1_t:unix_stream_socket connectto;
-allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_ssh_agent_t)
-
-# kdm: sigchld
-allow $1_ssh_agent_t xdm_t:process sigchld;
-')
-
-#
-# Allow command to ssh-agent > ~/.ssh_agent
-#
-allow $1_ssh_agent_t $1_home_t:file rw_file_perms;
-allow $1_ssh_agent_t $1_tmp_t:file rw_file_perms;
-
-allow $1_ssh_agent_t etc_runtime_t:file { getattr read };
-allow $1_ssh_agent_t etc_t:file { getattr read };
-allow $1_ssh_agent_t lib_t:file { getattr read };
-
-allow $1_ssh_agent_t self:dir search;
-allow $1_ssh_agent_t self:file { getattr read };
-
-# Allow the ssh program to communicate with ssh-agent.
-allow $1_ssh_t $1_tmp_t:sock_file write;
-allow $1_ssh_t $1_t:unix_stream_socket connectto;
-allow $1_ssh_t sshd_t:unix_stream_socket connectto;
-')dnl end if ssh_agent
-
diff --git a/mls/macros/program/ssh_macros.te b/mls/macros/program/ssh_macros.te
deleted file mode 100644
index 0f6549f..0000000
--- a/mls/macros/program/ssh_macros.te
+++ /dev/null
@@ -1,168 +0,0 @@
-#
-# Macros for ssh domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>
-#           Russell Coker <russell@coker.com.au>
-#           Thomas Bleher <ThomasBleher@gmx.de>
-#
-
-# 
-# ssh_domain(domain_prefix)
-#
-# Define a derived domain for the ssh program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/ssh.te. 
-#
-undefine(`ssh_domain')
-ifdef(`ssh.te', `
-define(`ssh_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_ssh_t, domain, privlog, nscd_client_domain;
-type $1_home_ssh_t, file_type, $1_file_type, sysadmfile;
-
-allow $1_ssh_t autofs_t:dir { search getattr };
-if (use_nfs_home_dirs) {
-create_dir_file($1_ssh_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1_ssh_t, cifs_t)
-}
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_ssh_t;
-
-# Grant permissions within the domain.
-general_domain_access($1_ssh_t)
-
-# Use descriptors created by sshd
-allow $1_ssh_t privfd:fd use;
-
-uses_shlib($1_ssh_t)
-read_locale($1_ssh_t)
-
-# Get attributes of file systems.
-allow $1_ssh_t fs_type:filesystem getattr;
-
-base_file_read_access($1_ssh_t)
-
-# Read /var.
-r_dir_file($1_ssh_t, var_t)
-
-# Read /var/run, /var/log.
-allow $1_ssh_t var_run_t:dir r_dir_perms;
-allow $1_ssh_t var_run_t:{ file lnk_file } r_file_perms;
-allow $1_ssh_t var_log_t:dir r_dir_perms;
-allow $1_ssh_t var_log_t:{ file lnk_file } r_file_perms;
-
-# Read /etc.
-r_dir_file($1_ssh_t, etc_t)
-allow $1_ssh_t etc_runtime_t:{ file lnk_file } r_file_perms;
-
-# Read /dev directories and any symbolic links.
-allow $1_ssh_t device_t:dir r_dir_perms;
-allow $1_ssh_t device_t:lnk_file r_file_perms;
-
-# Read /dev/urandom.
-allow $1_ssh_t urandom_device_t:chr_file r_file_perms;
-
-# Read and write /dev/null.
-allow $1_ssh_t { null_device_t zero_device_t }:chr_file rw_file_perms;
-
-# Grant permissions needed to create TCP and UDP sockets and
-# to access the network.
-can_network_client_tcp($1_ssh_t)
-allow $1_ssh_t ssh_port_t:tcp_socket name_connect;
-can_resolve($1_ssh_t)
-can_ypbind($1_ssh_t)
-can_kerberos($1_ssh_t)
-
-# for port forwarding
-if (user_tcp_server) {
-allow $1_ssh_t port_t:tcp_socket name_bind;
-}
-
-# Use capabilities.
-allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
-
-# run helper programs - needed eg for x11-ssh-askpass
-can_exec($1_ssh_t, { shell_exec_t bin_t })
-
-# Read the ssh key file.
-allow $1_ssh_t sshd_key_t:file r_file_perms;
-
-# Access the ssh temporary files.
-file_type_auto_trans($1_ssh_t, tmp_t, sshd_tmp_t)
-allow $1_ssh_t $1_tmp_t:dir r_dir_perms;
-
-# for rsync
-allow $1_ssh_t $1_t:unix_stream_socket rw_socket_perms;
-
-# Access the users .ssh directory.
-file_type_auto_trans({ sysadm_ssh_t $1_ssh_t }, $1_home_dir_t, $1_home_ssh_t, dir)
-file_type_auto_trans($1_ssh_t, $1_home_dir_t, $1_home_ssh_t, sock_file)
-allow $1_t $1_home_ssh_t:sock_file create_file_perms;
-allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:file create_file_perms;
-allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:lnk_file { getattr read };
-dontaudit $1_ssh_t $1_home_t:dir { getattr search };
-r_dir_file({ sshd_t sshd_extern_t }, $1_home_ssh_t)
-rw_dir_create_file($1_t, $1_home_ssh_t)
-
-# for /bin/sh used to execute xauth
-dontaudit $1_ssh_t proc_t:dir search;
-dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;')
-
-# Write to the user domain tty.
-access_terminal($1_ssh_t, $1)
-
-# Allow the user shell to signal the ssh program.
-allow $1_t $1_ssh_t:process signal;
-# allow ps to show ssh
-can_ps($1_t, $1_ssh_t)
-
-# Connect to X server
-x_client_domain($1_ssh, $1)
-
-ifdef(`ssh-agent.te', `
-ssh_agent_domain($1)
-')dnl end if ssh_agent.te
-
-#allow ssh to access keys stored on removable media
-# Should we have a boolean around this?
-allow $1_ssh_t mnt_t:dir search;
-r_dir_file($1_ssh_t, removable_t) 
-
-type $1_ssh_keysign_t, domain, nscd_client_domain;
-role $1_r types $1_ssh_keysign_t;
-
-if (allow_ssh_keysign) {
-domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
-allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
-allow $1_ssh_keysign_t self:capability { setgid setuid };
-allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms;
-uses_shlib($1_ssh_keysign_t)
-dontaudit $1_ssh_keysign_t selinux_config_t:dir search;
-dontaudit $1_ssh_keysign_t proc_t:dir search;
-dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read };
-allow $1_ssh_keysign_t usr_t:dir search;
-allow $1_ssh_keysign_t etc_t:file { getattr read };
-allow $1_ssh_keysign_t self:dir search;
-allow $1_ssh_keysign_t self:file { getattr read };
-allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
-}
-
-')dnl end macro definition
-', `
-
-define(`ssh_domain',`')
-
-')dnl end if ssh.te
diff --git a/mls/macros/program/su_macros.te b/mls/macros/program/su_macros.te
deleted file mode 100644
index 206f58e..0000000
--- a/mls/macros/program/su_macros.te
+++ /dev/null
@@ -1,188 +0,0 @@
-#
-# Macros for su domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
-#
-
-#
-# su_domain(domain_prefix)
-#
-# Define a derived domain for the su program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/su.te. 
-#
-
-undefine(`su_restricted_domain')
-undefine(`su_mini_domain')
-undefine(`su_domain')
-ifdef(`su.te', `
-
-define(`su_restricted_domain', `
-# Derived domain based on the calling user domain and the program.
-type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain;
-ifdef(`support_polyinstantiation', `
-typeattribute $1_su_t mlsfileread;
-typeattribute $1_su_t mlsfilewrite;
-typeattribute $1_su_t mlsfileupgrade;
-typeattribute $1_su_t mlsfiledowngrade;
-typeattribute $1_su_t mlsprocsetsl;
-')
-
-# for SSP
-allow $1_su_t urandom_device_t:chr_file { getattr read };
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, su_exec_t, $1_su_t)
-
-allow $1_su_t sbin_t:dir search;
-
-uses_shlib($1_su_t)
-allow $1_su_t etc_t:file { getattr read };
-read_locale($1_su_t)
-read_sysctl($1_su_t)
-allow $1_su_t self:unix_dgram_socket { connect create write };
-allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_su_t self:fifo_file rw_file_perms;
-allow $1_su_t proc_t:dir search;
-allow $1_su_t proc_t:lnk_file read;
-r_dir_file($1_su_t, self)
-allow $1_su_t proc_t:file read;
-allow $1_su_t self:process { setsched setrlimit };
-allow $1_su_t device_t:dir search;
-allow $1_su_t self:process { fork sigchld };
-nsswitch_domain($1_su_t)
-r_dir_file($1_su_t, selinux_config_t)
-
-dontaudit $1_su_t shadow_t:file { getattr read };
-dontaudit $1_su_t home_root_t:dir search;
-dontaudit $1_su_t init_t:fd use;
-allow $1_su_t var_lib_t:dir search;
-allow $1_t $1_su_t:process signal;
-
-ifdef(`crond.te', `
-allow $1_su_t crond_t:fifo_file read;
-')
-
-# Use capabilities.
-allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control audit_write };
-dontaudit $1_su_t self:capability sys_tty_config;
-#
-# Caused by su - init scripts
-#
-dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
-
-# By default, revert to the calling domain when a shell is executed.
-domain_auto_trans($1_su_t, shell_exec_t, $1_t)
-allow $1_su_t bin_t:dir search;
-allow $1_su_t bin_t:lnk_file read;
-
-# But also allow transitions to unprivileged user domains.
-domain_trans($1_su_t, shell_exec_t, unpriv_userdomain)
-can_setexec($1_su_t)
-
-# Get security decisions
-can_getsecurity($1_su_t)
-r_dir_file($1_su_t, default_context_t)
-
-allow $1_su_t privfd:fd use;
-
-# Write to utmp.
-allow $1_su_t { var_t var_run_t }:dir search;
-allow $1_su_t initrc_var_run_t:file rw_file_perms;
-can_kerberos($1_su_t)
-
-ifdef(`chkpwd.te', `
-domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t)
-')
-
-allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
-
-') dnl end su_restricted_domain
-
-define(`su_mini_domain', `
-su_restricted_domain($1,$1)
-if(!secure_mode)
-{
-	# if we are not in secure mode then we can transition to sysadm_t
-	domain_trans($1_su_t, shell_exec_t, sysadm_t)
-}
-
-# Relabel ttys and ptys.
-allow $1_su_t device_t:dir { getattr read search };
-allow $1_su_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-
-# Close and re-open ttys and ptys to get the fd into the correct domain.
-allow $1_su_t { ttyfile ptyfile }:chr_file { read write };
-
-')dnl end su_mini_domain
-
-define(`su_domain', `
-su_mini_domain($1)
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
-
-# The user role is authorized for this domain.
-role $1_r types $1_su_t;
-
-# Write to the user domain tty.
-access_terminal($1_su_t, $1)
-
-allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
-allow $1_su_t $1_home_t:file create_file_perms;
-ifdef(`user_canbe_sysadm', `
-allow $1_su_t home_dir_type:dir { search write };
-', `
-dontaudit $1_su_t home_dir_type:dir { search write };
-')
-
-allow $1_su_t autofs_t:dir { search getattr };
-if (use_nfs_home_dirs) {
-allow $1_su_t nfs_t:dir search;
-}
-if (use_samba_home_dirs) {
-allow $1_su_t cifs_t:dir search;
-}
-
-ifdef(`support_polyinstantiation', `
-# Su can polyinstantiate
-polyinstantiater($1_su_t)
-# Su has to unmount polyinstantiated directories (like home)
-# that should not be polyinstantiated under the new user
-allow $1_su_t fs_t:filesystem unmount;
-# Su needs additional permission to mount over a previous mount
-allow $1_su_t polymember:dir mounton;
-')
-
-# Modify .Xauthority file (via xauth program).
-ifdef(`xauth.te', `
-file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
-file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
-file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
-domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
-')
-
-ifdef(`cyrus.te', `
-allow $1_su_t cyrus_var_lib_t:dir search;
-')
-ifdef(`ssh.te', `
-# Access sshd cookie files.
-allow $1_su_t sshd_tmp_t:dir rw_dir_perms;
-allow $1_su_t sshd_tmp_t:file rw_file_perms;
-file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
-')
-
-allow $1_su_t var_lib_t:dir search;
-dontaudit $1_su_t init_t:fd use;
-')dnl end su_domain
-
-', `
-
-define(`su_domain',`')
-
-')
-
diff --git a/mls/macros/program/sudo_macros.te b/mls/macros/program/sudo_macros.te
deleted file mode 100644
index b2b4e1c..0000000
--- a/mls/macros/program/sudo_macros.te
+++ /dev/null
@@ -1,34 +0,0 @@
-# Authors:  Dan Walsh,  Russell Coker
-# Maintained by Dan Walsh <dwalsh@redhat.com>
-define(`sudo_domain',`
-newrole_domain($1_sudo, `, privuser')
-
-# By default, revert to the calling domain when a shell is executed.
-domain_auto_trans($1_sudo_t, shell_exec_t, $1_t)
-
-ifdef(`mta.te', `
-domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
-allow $1_mail_t $1_sudo_t:fifo_file rw_file_perms;
-')
-
-allow $1_sudo_t self:capability sys_resource;
-
-allow $1_sudo_t self:process setrlimit;
-
-ifdef(`pam.te', `
-allow $1_sudo_t pam_var_run_t:dir create_dir_perms;
-allow $1_sudo_t pam_var_run_t:file create_file_perms;
-')
-
-allow $1_sudo_t initrc_var_run_t:file rw_file_perms;
-allow $1_sudo_t sysctl_t:dir search;
-allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :file getattr;
-allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :lnk_file { getattr read };
-read_sysctl($1_sudo_t)
-
-allow $1_sudo_t var_run_t:dir search;
-r_dir_file($1_sudo_t, default_context_t)
-rw_dir_create_file($1_sudo_t, $1_tmp_t)
-rw_dir_create_file($1_sudo_t, $1_home_t)
-domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t)
-')
diff --git a/mls/macros/program/thunderbird_macros.te b/mls/macros/program/thunderbird_macros.te
deleted file mode 100644
index 2c0711d..0000000
--- a/mls/macros/program/thunderbird_macros.te
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# Thunderbird
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-#######################################
-# thunderbird_domain(role_prefix)
-#
-
-# FIXME: Rules were removed to centralize policy in a gnome_app macro
-# A similar thing might be necessary for mozilla compiled without GNOME
-# support (is this possible?).
-
-define(`thunderbird_domain', `
-
-# Type for program
-type $1_thunderbird_t, domain, nscd_client_domain;
-
-# Transition from user type
-if (! disable_thunderbird_trans) {
-domain_auto_trans($1_t, thunderbird_exec_t, $1_thunderbird_t)
-}
-role $1_r types $1_thunderbird_t;
-
-# FIXME: Why does it try to do that?
-dontaudit $1_thunderbird_t evolution_exec_t:file { getattr execute };
-
-# Why is thunderbird looking in .mozilla ?
-# FIXME: there are legitimate uses of invoking the browser - about -> release notes
-dontaudit $1_thunderbird_t $1_mozilla_home_t:dir search;
-
-# .kde/....gtkrc
-# FIXME: support properly 
-dontaudit $1_thunderbird_t $1_home_t:file { getattr read };
-
-# X, mail common stuff
-x_client_domain($1_thunderbird, $1)
-mail_client_domain($1_thunderbird, $1)
-
-allow $1_thunderbird_t self:process signull;
-allow $1_thunderbird_t fs_t:filesystem getattr;
-
-# GNOME support
-ifdef(`gnome.te', `
-gnome_application($1_thunderbird, $1)
-gnome_file_dialog($1_thunderbird, $1)
-allow $1_thunderbird_t $1_gnome_settings_t:file { read write };
-')
-
-# Access ~/.thunderbird
-home_domain($1, thunderbird)
-
-# RSS feeds
-can_network_client_tcp($1_thunderbird_t, http_port_t) 
-allow $1_thunderbird_t http_port_t:tcp_socket name_connect;
-
-allow $1_thunderbird_t self:process { execheap execmem execstack };
-
-')
diff --git a/mls/macros/program/tvtime_macros.te b/mls/macros/program/tvtime_macros.te
deleted file mode 100644
index d965ae1..0000000
--- a/mls/macros/program/tvtime_macros.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#
-# Macros for tvtime domains.
-#
-
-#
-# Author: Dan Walsh <dwalsh@redhat.com>
-#
-
-#
-# tvtime_domain(domain_prefix)
-#
-# Define a derived domain for the tvtime program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/tvtime.te. 
-#
-undefine(`tvtime_domain')
-ifdef(`tvtime.te', `
-define(`tvtime_domain',`
-
-# Type transition
-type $1_tvtime_t, domain, nscd_client_domain;
-domain_auto_trans($1_t, tvtime_exec_t, $1_tvtime_t)
-role $1_r types $1_tvtime_t;
-
-# X access, Home files
-home_domain($1, tvtime)
-file_type_auto_trans($1_tvtime_t, $1_home_dir_t, $1_tvtime_home_t, dir)
-x_client_domain($1_tvtime, $1)
-
-uses_shlib($1_tvtime_t)
-read_locale($1_tvtime_t)
-read_sysctl($1_tvtime_t)
-access_terminal($1_tvtime_t, $1)
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_tvtime_t)
-allow $1_t $1_tvtime_t:process signal_perms;
-
-# Read /etc/tvtime
-allow $1_tvtime_t etc_t:file { getattr read };
-
-# Tmp files
-tmp_domain($1_tvtime, `', `{ file dir fifo_file }')
-
-allow $1_tvtime_t urandom_device_t:chr_file read;
-allow $1_tvtime_t clock_device_t:chr_file { ioctl read };
-allow $1_tvtime_t kernel_t:system ipc_info;
-allow $1_tvtime_t sound_device_t:chr_file { ioctl read };
-allow $1_tvtime_t $1_home_t:dir { getattr read search };
-allow $1_tvtime_t $1_home_t:file { getattr read };
-allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
-allow $1_tvtime_t self:process setsched;
-allow $1_tvtime_t usr_t:file { getattr read };
-
-')dnl end tvtime_domain
-
-', `
-
-define(`tvtime_domain',`')
-
-')
-
diff --git a/mls/macros/program/uml_macros.te b/mls/macros/program/uml_macros.te
deleted file mode 100644
index bc635f8..0000000
--- a/mls/macros/program/uml_macros.te
+++ /dev/null
@@ -1,137 +0,0 @@
-#
-# Macros for uml domains.
-#
-
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#
-# uml_domain(domain_prefix)
-#
-# Define a derived domain for the uml program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/uml.te. 
-#
-undefine(`uml_domain')
-ifdef(`uml.te', `
-define(`uml_domain',`
-
-# Derived domain based on the calling user domain and the program.
-type $1_uml_t, domain;
-type $1_uml_exec_t, file_type, sysadmfile, $1_file_type;
-type $1_uml_ro_t, file_type, sysadmfile, $1_file_type;
-type $1_uml_rw_t, file_type, sysadmfile, $1_file_type;
-
-# for X
-ifdef(`startx.te', `
-ifelse($1, sysadm, `', `
-ifdef(`xdm.te', `
-allow $1_uml_t xdm_xserver_tmp_t:dir search;
-')dnl end if xdm.te
-allow $1_uml_t $1_xserver_tmp_t:sock_file write;
-can_unix_connect($1_uml_t, $1_xserver_t)
-')dnl end ifelse sysadm
-')dnl end ifdef startx
-
-allow $1_t { $1_uml_ro_t $1_uml_rw_t }:{ file sock_file fifo_file } { relabelfrom relabelto create_file_perms };
-allow $1_t $1_uml_exec_t:file { relabelfrom relabelto create_file_perms };
-allow $1_t { $1_uml_ro_t $1_uml_rw_t }:lnk_file { relabelfrom relabelto create_lnk_perms };
-allow $1_t { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }:dir { relabelfrom relabelto create_dir_perms };
-r_dir_file($1_t, uml_ro_t)
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, { uml_exec_t $1_uml_exec_t }, $1_uml_t)
-can_exec($1_uml_t, { uml_exec_t $1_uml_exec_t })
-
-# The user role is authorized for this domain.
-role $1_r types $1_uml_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_uml_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors from newrole.
-ifdef(`newrole.te', `allow $1_uml_t newrole_t:fd use;')
-
-# allow ps, ptrace, signal
-can_ps($1_t, $1_uml_t)
-can_ptrace($1_t, $1_uml_t)
-allow $1_t $1_uml_t:process signal_perms;
-
-# allow the UML thing to happen
-allow $1_uml_t self:process { fork signal_perms ptrace };
-can_create_pty($1_uml)
-allow $1_uml_t root_t:dir search;
-tmp_domain($1_uml)
-can_exec($1_uml_t, $1_uml_tmp_t)
-tmpfs_domain($1_uml)
-can_exec($1_uml_t, $1_uml_tmpfs_t)
-create_dir_file($1_t, $1_uml_tmp_t)
-allow $1_t $1_uml_tmp_t:sock_file create_file_perms;
-allow $1_uml_t self:fifo_file rw_file_perms;
-allow $1_uml_t fs_t:filesystem getattr;
-
-allow $1_uml_t tun_tap_device_t:chr_file { read write ioctl };
-
-ifdef(`uml_net.te', `
-# for uml_net
-domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t)
-allow uml_net_t $1_uml_t:unix_stream_socket { read write };
-allow uml_net_t $1_uml_t:unix_dgram_socket { read write };
-dontaudit uml_net_t privfd:fd use;
-can_access_pty(uml_net_t, $1_uml)
-dontaudit uml_net_t $1_uml_rw_t:dir { getattr search };
-')dnl end ifdef uml_net.te
-
-# for mconsole
-allow { $1_t $1_uml_t } $1_uml_t:unix_dgram_socket sendto;
-allow $1_uml_t $1_t:unix_dgram_socket sendto;
-
-# Use the network.
-can_network($1_uml_t)
-allow $1_uml_t port_type:tcp_socket name_connect;
-can_ypbind($1_uml_t)
-
-# for xterm
-uses_shlib($1_uml_t)
-can_exec($1_uml_t, { bin_t sbin_t lib_t })
-allow $1_uml_t { bin_t sbin_t }:dir search;
-allow $1_uml_t etc_t:file { getattr read };
-dontaudit $1_uml_t etc_runtime_t:file read;
-can_tcp_connect($1_uml_t, sshd_t)
-ifdef(`xauth.te', `
-allow $1_uml_t $1_xauth_home_t:file { getattr read };
-')
-allow $1_uml_t var_run_t:dir search;
-allow $1_uml_t initrc_var_run_t:file { getattr read };
-dontaudit $1_uml_t initrc_var_run_t:file { write lock };
-
-allow $1_uml_t device_t:dir search;
-allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_uml_t self:unix_dgram_socket create_socket_perms;
-allow $1_uml_t privfd:fd use;
-allow $1_uml_t proc_t:dir search;
-allow $1_uml_t proc_t:file { getattr read };
-
-# for SKAS - need something better
-allow $1_uml_t proc_t:file write;
-
-# Write to the user domain tty.
-access_terminal($1_uml_t, $1)
-
-# access config files
-allow $1_uml_t home_root_t:dir search;
-file_type_auto_trans($1_uml_t, $1_home_dir_t, $1_uml_rw_t)
-r_dir_file($1_uml_t, { $1_uml_ro_t uml_ro_t })
-
-# putting uml data under /var is usual...
-allow $1_uml_t var_t:dir search;
-')dnl end macro definition
-
-', `
-
-define(`uml_domain',`')
-
-')
diff --git a/mls/macros/program/userhelper_macros.te b/mls/macros/program/userhelper_macros.te
deleted file mode 100644
index 2c715d3..0000000
--- a/mls/macros/program/userhelper_macros.te
+++ /dev/null
@@ -1,142 +0,0 @@
-#DESC Userhelper - SELinux utility to run a shell with a new role
-#
-# Authors:  Dan Walsh (Red Hat)
-# Maintained by Dan Walsh <dwalsh@redhat.com>
-#
-
-#
-# userhelper_domain(domain_prefix)
-#
-# Define a derived domain for the userhelper/userhelper program when executed by
-# a user domain.  
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/userhelper.te. 
-#
-define(`userhelper_domain',`
-type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser, nscd_client_domain;
-
-in_user_role($1_userhelper_t)
-role sysadm_r types $1_userhelper_t;
-
-ifelse($1, sysadm, `
-typealias sysadm_userhelper_t alias userhelper_t;
-domain_auto_trans(initrc_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-
-general_domain_access($1_userhelper_t);
-
-uses_shlib($1_userhelper_t)
-read_locale($1_userhelper_t)
-read_sysctl($1_userhelper_t)
-
-# for when the user types "exec userhelper" at the command line
-allow $1_userhelper_t privfd:process sigchld;
-
-domain_auto_trans($1_t, userhelper_exec_t, $1_userhelper_t)
-
-# Inherit descriptors from the current session.
-allow $1_userhelper_t { init_t privfd }:fd use;
-
-can_exec($1_userhelper_t, { bin_t sbin_t userhelper_exec_t })
-
-# Execute shells
-allow $1_userhelper_t { sbin_t bin_t }:dir r_dir_perms;
-allow $1_userhelper_t { sbin_t bin_t }:lnk_file read;
-allow $1_userhelper_t shell_exec_t:file r_file_perms;
-
-# By default, revert to the calling domain when a program is executed.
-domain_auto_trans($1_userhelper_t, { bin_t sbin_t }, $1_t)
-
-# Allow $1_userhelper_t to transition to user domains.
-domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, unpriv_userdomain)
-if (!secure_mode) {
-	# if we are not in secure mode then we can transition to sysadm_t
-	domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, sysadm_t)
-}
-can_setexec($1_userhelper_t)
-
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-# Allow transitioning to rpm_t, for up2date
-allow $1_userhelper_t rpm_t:process { transition siginh rlimitinh noatsecure };
-')
-')
-
-# Use capabilities.
-allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
-
-# Write to utmp.
-file_type_auto_trans($1_userhelper_t, var_run_t, initrc_var_run_t, file)
-
-# Read the devpts root directory.
-allow $1_userhelper_t devpts_t:dir r_dir_perms;
-
-# Read the /etc/security/default_type file
-allow $1_userhelper_t etc_t:file r_file_perms;
-
-# Read /var.
-r_dir_file($1_userhelper_t, var_t)
-
-# Read /dev directories and any symbolic links.
-allow $1_userhelper_t device_t:dir r_dir_perms;
-
-# Relabel terminals.
-allow $1_userhelper_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-
-# Access terminals.
-allow $1_userhelper_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow $1_userhelper_t gphdomain:fd use;')
-
-#
-# Allow $1_userhelper to obtain contexts to relabel TTYs
-#
-can_getsecurity($1_userhelper_t)
-
-allow $1_userhelper_t fs_t:filesystem getattr;
-
-# for some PAM modules and for cwd
-allow $1_userhelper_t { home_root_t $1_home_dir_t }:dir search;
-
-allow $1_userhelper_t proc_t:dir search;
-allow $1_userhelper_t proc_t:file { getattr read };
-
-# for when the network connection is killed
-dontaudit unpriv_userdomain $1_userhelper_t:process signal;
-
-allow $1_userhelper_t userhelper_conf_t:file rw_file_perms;
-allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
-
-ifdef(`pam.te', `
-allow $1_userhelper_t pam_var_run_t:dir create_dir_perms;
-allow $1_userhelper_t pam_var_run_t:file create_file_perms;
-')
-
-allow $1_userhelper_t urandom_device_t:chr_file { getattr read };
-
-allow $1_userhelper_t autofs_t:dir search;
-role system_r types $1_userhelper_t;
-r_dir_file($1_userhelper_t, nfs_t)
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_userhelper_t)
-allow $1_userhelper_t xdm_var_run_t:dir search;
-')
-
-r_dir_file($1_userhelper_t, selinux_config_t)
-r_dir_file($1_userhelper_t, default_context_t)
-
-ifdef(`xauth.te', `
-domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
-allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
-')
-
-ifdef(`pamconsole.te', `
-allow $1_userhelper_t pam_var_console_t:dir { search };
-')
-
-ifdef(`mozilla.te', `
-domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
-')
-
-')dnl end userhelper macro
diff --git a/mls/macros/program/vmware_macros.te b/mls/macros/program/vmware_macros.te
deleted file mode 100644
index bb0914a..0000000
--- a/mls/macros/program/vmware_macros.te
+++ /dev/null
@@ -1,128 +0,0 @@
-# Macro for vmware
-#
-# Based on work contributed by Mark Westerman (mark.westerman@westcam.com), 
-# modifications by NAI Labs.
-#
-# Turned into a macro by Thomas Bleher <ThomasBleher@gmx.de>
-#
-# vmware_domain(domain_prefix)
-#
-# Define a derived domain for the vmware program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/vmware.te. This file also
-# implements a separate domain vmware_t.
-#
- 
-define(`vmware_domain', `
-
-# Domain for the user applications to run in.
-type $1_vmware_t, domain, privmem;
-
-role $1_r types $1_vmware_t;
-
-# The user file type is for files created when the user is running VMWare
-type $1_vmware_file_t, $1_file_type, file_type, sysadmfile;
-
-# The user file type for the VMWare configuration files
-type $1_vmware_conf_t, $1_file_type, file_type, sysadmfile;
-
-#############################################################
-# User rules for running VMWare
-#
-# Transition to VMWare user domain
-domain_auto_trans($1_t, vmware_user_exec_t, $1_vmware_t)
-can_exec($1_vmware_t, vmware_user_exec_t)
-uses_shlib($1_vmware_t)
-var_run_domain($1_vmware)
-
-general_domain_access($1_vmware_t);
-
-# Capabilities needed by VMWare for the user execution. This seems a 
-# bit too much, so be careful.
-allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio };
-
-# Access to ttys
-allow $1_vmware_t vmware_device_t:chr_file rw_file_perms;
-allow $1_vmware_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_vmware_t privfd:fd use;
-
-# Access /proc
-r_dir_file($1_vmware_t, proc_t)
-allow $1_vmware_t proc_net_t:dir search;
-allow $1_vmware_t proc_net_t:file { getattr read };
-
-# Access to some files in the user home directory
-r_dir_file($1_vmware_t, $1_home_t)
-
-# Access to runtime files for user
-allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
-allow $1_vmware_t $1_vmware_file_t:file create_file_perms;
-allow $1_vmware_t $1_vmware_conf_t:file create_file_perms;
-
-# Allow read access to /etc/vmware and /usr/lib/vmware configuration files
-r_dir_file($1_vmware_t, vmware_sys_conf_t)
-
-# Allow $1_vmware_t to read/write files in the tmp dir
-tmp_domain($1_vmware)
-allow $1_vmware_t $1_vmware_tmp_t:file execute;
-
-# Allow read access to several paths
-r_dir_file($1_vmware_t, etc_t)
-allow $1_vmware_t etc_runtime_t:file r_file_perms;
-allow $1_vmware_t device_t:dir r_dir_perms;
-allow $1_vmware_t var_t:dir r_dir_perms;
-allow $1_vmware_t tmpfs_t:file rw_file_perms;
-
-# Allow vmware to write to ~/.vmware
-rw_dir_create_file($1_vmware_t, $1_vmware_file_t)
-
-#
-# This is bad; VMWare needs execute permission to the .cfg file for the
-# configuration to run.
-#
-allow $1_vmware_t $1_vmware_conf_t:file execute;
-
-# Access X11 config files
-allow $1_vmware_t lib_t:file r_file_perms;
-
-# Access components of VMWare in /usr/lib/vmware/bin by default
-allow $1_vmware_t bin_t:dir r_dir_perms;
-
-# Allow access to lp port (Need to create an lp device domain )
-allow $1_vmware_t device_t:chr_file r_file_perms;
-
-# Allow access to /dev/mem
-allow $1_vmware_t memory_device_t:chr_file { read write };
-
-# Allow access to mouse
-allow $1_vmware_t mouse_device_t:chr_file r_file_perms;
-
-# Allow access the sound device 
-allow $1_vmware_t sound_device_t:chr_file { ioctl write };
-
-# Allow removable media and devices
-allow $1_vmware_t removable_device_t:blk_file r_file_perms;
-allow $1_vmware_t device_t:lnk_file read;
-
-# Allow access to the real time clock device
-allow $1_vmware_t clock_device_t:chr_file read;
-
-# Allow to attach to Xserver, and Xserver to attach back
-ifdef(`gnome-pty-helper.te', `
-allow $1_vmware_t $1_gph_t:fd use;
-')
-ifdef(`startx.te', `
-allow $1_vmware_t $1_xserver_tmp_t:sock_file { unlink write };
-allow $1_vmware_t $1_xserver_tmp_t:dir search;
-allow $1_vmware_t $1_xserver_t:unix_stream_socket connectto;
-allow $1_xserver_t $1_vmware_t:shm r_shm_perms;
-allow $1_xserver_t $1_vmware_t:fd use;
-')
-
-# Allow filesystem read access
-allow $1_vmware_t fs_t:filesystem getattr;
-
-')
-
diff --git a/mls/macros/program/x_client_macros.te b/mls/macros/program/x_client_macros.te
deleted file mode 100644
index adce9f0..0000000
--- a/mls/macros/program/x_client_macros.te
+++ /dev/null
@@ -1,96 +0,0 @@
-#
-# Macros for X client programs 
-#
-
-#
-# Author: Russell Coker <russell@coker.com.au>
-# Based on the work of Stephen Smalley <sds@epoch.ncsc.mil>
-# and Timothy Fraser 
-#
-
-# Allows clients to write to the X server's shm 
-bool allow_write_xshm false;
-
-define(`xsession_domain', `
-
-# Connect to xserver
-can_unix_connect($1_t, $2_xserver_t)
-
-# Read /tmp/.X0-lock
-allow $1_t $2_xserver_tmp_t:file { getattr read };
-
-# Signal Xserver
-allow $1_t $2_xserver_t:process signal;
-
-# Xserver read/write client shm
-allow $2_xserver_t $1_t:fd use;
-allow $2_xserver_t $1_t:shm rw_shm_perms;
-allow $2_xserver_t $1_tmpfs_t:file rw_file_perms;
-
-# Client read xserver shm
-allow $1_t $2_xserver_t:fd use;
-allow $1_t $2_xserver_t:shm r_shm_perms;
-allow $1_t $2_xserver_tmpfs_t:file r_file_perms;
-
-# Client write xserver shm
-if (allow_write_xshm) {
-allow $1_t $2_xserver_t:shm rw_shm_perms;
-allow $1_t $2_xserver_tmpfs_t:file rw_file_perms;
-}
-
-')
-
-#
-# x_client_domain(client, role)
-#
-# Defines common X access rules for the client domain
-#
-define(`x_client_domain',`
-
-# Create socket to communicate with X server
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket { connectto create_stream_socket_perms };
-
-# Read .Xauthority file
-ifdef(`xauth.te',`
-allow $1_t home_root_t:dir { search getattr };
-allow $1_t $2_home_dir_t:dir { search getattr };
-allow $1_t $2_xauth_home_t:file { getattr read };
-')
-
-# for .xsession-errors
-dontaudit $1_t $2_home_t:file write;
-
-# for X over a ssh tunnel
-ifdef(`ssh.te', `
-can_tcp_connect($1_t, sshd_t)
-')
-
-# Use a separate type for tmpfs/shm pseudo files.
-tmpfs_domain($1)
-allow $1_t self:shm create_shm_perms;
-
-# allow X client to read all font files
-read_fonts($1_t, $2)
-
-# Allow connections to X server.
-ifdef(`xserver.te', `
-allow $1_t tmp_t:dir search;
-
-ifdef(`xdm.te', `
-xsession_domain($1, xdm)
-
-# for when /tmp/.X11-unix is created by the system
-can_pipe_xdm($1_t)
-allow $1_t xdm_tmp_t:dir search;
-allow $1_t xdm_tmp_t:sock_file { read write };
-dontaudit $1_t xdm_t:tcp_socket { read write };
-')
-
-ifdef(`startx.te', `
-xsession_domain($1, $2)
-')dnl end startx
-
-')dnl end xserver
-
-')dnl end x_client macro
diff --git a/mls/macros/program/xauth_macros.te b/mls/macros/program/xauth_macros.te
deleted file mode 100644
index ca7a5ee..0000000
--- a/mls/macros/program/xauth_macros.te
+++ /dev/null
@@ -1,83 +0,0 @@
-#
-# Macros for xauth domains.
-#
-
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#
-# xauth_domain(domain_prefix)
-#
-# Define a derived domain for the xauth program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/xauth.te. 
-#
-undefine(`xauth_domain')
-ifdef(`xauth.te', `
-define(`xauth_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_xauth_t, domain;
-
-allow $1_xauth_t self:process signal;
-
-home_domain($1, xauth)
-file_type_auto_trans($1_xauth_t, $1_home_dir_t, $1_xauth_home_t, file)
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, xauth_exec_t, $1_xauth_t)
-ifdef(`ssh.te', `
-domain_auto_trans($1_ssh_t, xauth_exec_t, $1_xauth_t)
-allow $1_xauth_t sshd_t:fifo_file { getattr read };
-dontaudit $1_xauth_t $1_ssh_t:tcp_socket { read write };
-allow $1_xauth_t sshd_t:process sigchld;
-')dnl end if ssh
-
-# The user role is authorized for this domain.
-role $1_r types $1_xauth_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `
-allow $1_xauth_t $1_gph_t:fd use;
-')
-
-allow $1_xauth_t privfd:fd use;
-allow $1_xauth_t ptmx_t:chr_file { read write };
-
-# allow ps to show xauth
-can_ps($1_t, $1_xauth_t)
-allow $1_t $1_xauth_t:process signal;
-
-uses_shlib($1_xauth_t)
-
-# allow DNS lookups...
-can_resolve($1_xauth_t)
-can_ypbind($1_xauth_t)
-ifdef(`named.te', `
-can_udp_send($1_xauth_t, named_t)
-can_udp_send(named_t, $1_xauth_t)
-')dnl end if named.te
-
-allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_xauth_t etc_t:file { getattr read };
-allow $1_xauth_t fs_t:filesystem getattr;
-
-# Write to the user domain tty.
-access_terminal($1_xauth_t, $1)
-
-# Scan /var/run.
-allow $1_xauth_t var_t:dir search;
-allow $1_xauth_t var_run_t:dir search; 
-
-tmp_domain($1_xauth)
-allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };
-
-')dnl end xauth_domain macro
-
-', `
-
-define(`xauth_domain',`')
-
-')dnl end if xauth.te
diff --git a/mls/macros/program/xdm_macros.te b/mls/macros/program/xdm_macros.te
deleted file mode 100644
index bea127f..0000000
--- a/mls/macros/program/xdm_macros.te
+++ /dev/null
@@ -1,13 +0,0 @@
-########################################
-#
-# can_pipe_xdm(domain)
-#
-# Allow communication to xdm over a pipe
-#
-
-define(`can_pipe_xdm', `
-ifdef(`xdm.te', `
-allow $1 xdm_t:fd use;
-allow $1 xdm_t:fifo_file { getattr read write ioctl };
-')
-') dnl can_pipe_xdm
diff --git a/mls/macros/program/xserver_macros.te b/mls/macros/program/xserver_macros.te
deleted file mode 100644
index e2eaf82..0000000
--- a/mls/macros/program/xserver_macros.te
+++ /dev/null
@@ -1,274 +0,0 @@
-#
-# Macros for X server domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
-#
-
-#################################
-#
-# xserver_domain(domain_prefix)
-#
-# Define a derived domain for the X server when executed
-# by a user domain (e.g. via startx).  See the xdm_t domain
-# in domains/program/xdm.te if using an X Display Manager.
-#
-# The type declarations for the executable type for this program 
-# and the log type are provided separately in domains/program/xserver.te. 
-#
-# FIXME!  The X server requires far too many privileges.
-#
-undefine(`xserver_domain')
-ifdef(`xserver.te', `
-
-define(`xserver_domain',`
-# Derived domain based on the calling user domain and the program.
-ifdef(`distro_redhat', `
-type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain;
-allow $1_xserver_t sysctl_modprobe_t:file { getattr read };
-ifdef(`rpm.te', `
-allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
-allow $1_xserver_t rpm_tmpfs_t:file { read write };
-allow $1_xserver_t rpm_t:fd use;
-')
-
-', `
-type $1_xserver_t, domain, privlog, privmem, nscd_client_domain;
-')
-
-# for SSP
-allow $1_xserver_t urandom_device_t:chr_file { getattr read ioctl };
-
-# Transition from the user domain to this domain.
-ifelse($1, xdm, `
-ifdef(`xdm.te', `
-domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t)
-')
-', `
-domain_auto_trans($1_t, xserver_exec_t, $1_xserver_t)
-')dnl end ifelse xdm
-can_exec($1_xserver_t, xserver_exec_t)
-
-uses_shlib($1_xserver_t)
-
-allow $1_xserver_t texrel_shlib_t:file execmod;
-
-can_network($1_xserver_t)
-allow $1_xserver_t port_type:tcp_socket name_connect;
-can_ypbind($1_xserver_t)
-allow $1_xserver_t xserver_port_t:tcp_socket name_bind;
-
-# for access within the domain
-general_domain_access($1_xserver_t)
-
-allow $1_xserver_t self:process execmem;
-# Until the X module loader is fixed.
-allow $1_xserver_t self:process execheap;
-
-allow $1_xserver_t etc_runtime_t:file { getattr read };
-
-ifelse($1, xdm, `
-# The system role is authorised for the xdm and initrc domains
-role system_r types xdm_xserver_t;
-
-allow xdm_xserver_t init_t:fd use;
-
-dontaudit xdm_xserver_t home_dir_type:dir { read search };
-
-# Read all global and per user fonts
-read_fonts($1_xserver_t, sysadm)
-read_fonts($1_xserver_t, staff)
-read_fonts($1_xserver_t, user)
-
-', `
-# The user role is authorized for this domain.
-role $1_r types $1_xserver_t;
-
-allow $1_xserver_t getty_t:fd use;
-allow $1_xserver_t local_login_t:fd use;
-allow $1_xserver_t $1_tty_device_t:chr_file { setattr rw_file_perms };
-
-allow $1_xserver_t $1_tmpfs_t:file rw_file_perms;
-allow $1_t $1_xserver_tmpfs_t:file rw_file_perms;
-
-can_unix_connect($1_t, $1_xserver_t)
-
-# Read fonts
-read_fonts($1_xserver_t, $1)
-
-# Access the home directory.
-allow $1_xserver_t home_root_t:dir search;
-allow $1_xserver_t $1_home_dir_t:dir { getattr search };
-
-ifdef(`xauth.te', `
-domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
-allow $1_xserver_t $1_xauth_home_t:file { getattr read };
-', `
-allow $1_xserver_t $1_home_t:file { getattr read };
-')dnl end ifdef xauth
-ifdef(`userhelper.te', `
-allow $1_xserver_t userhelper_conf_t:dir search;
-')dnl end ifdef userhelper
-')dnl end ifelse xdm
-
-allow $1_xserver_t self:process setsched;
-
-allow $1_xserver_t fs_t:filesystem getattr;
-
-# Xorg wants to check if kernel is tainted
-read_sysctl($1_xserver_t)
-
-# Use capabilities.
-# allow setuid/setgid for the wrapper program to change UID
-# sys_rawio is for iopl access - should not be needed for frame-buffer
-# sys_admin, locking shared mem?  chowning IPC message queues or semaphores?
-# admin of APM bios?
-# sys_nice is so that the X server can set a negative nice value
-allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
-allow $1_xserver_t nfs_t:dir { getattr search };
-
-# memory_device_t access is needed if not using the frame buffer
-#dontaudit $1_xserver_t memory_device_t:chr_file read;
-allow $1_xserver_t memory_device_t:chr_file { rw_file_perms execute };
-# net_bind_service is needed if you want your X server to allow TCP connections
-# from other hosts, EG an XDM serving a network of X terms
-# if you want good security you do not want this
-# not sure why some people want chown, fsetid, and sys_tty_config.
-#allow $1_xserver_t self:capability { net_bind_service chown fsetid sys_tty_config };
-dontaudit $1_xserver_t self:capability chown;
-
-# for nscd
-dontaudit $1_xserver_t var_run_t:dir search;
-
-allow $1_xserver_t mtrr_device_t:file rw_file_perms;
-allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
-allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
-allow $1_xserver_t device_t:lnk_file { getattr read };
-allow $1_xserver_t devtty_t:chr_file rw_file_perms;
-allow $1_xserver_t zero_device_t:chr_file { read write execute };
-
-# Type for temporary files.
-tmp_domain($1_xserver, `', `{ dir file sock_file }')
-file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
-
-ifelse($1, xdm, `
-ifdef(`xdm.te', `
-allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-allow xdm_t $1_xserver_t:process signal;
-can_unix_connect(xdm_t, xdm_xserver_t)
-allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
-allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow xdm_xserver_t xdm_t:process signal;
-allow xdm_xserver_t xdm_t:shm rw_shm_perms;
-allow xdm_t xdm_xserver_t:shm rw_shm_perms;
-dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
-')
-', `
-allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow $1_t xdm_xserver_t:unix_stream_socket connectto;
-allow $1_t $1_xserver_t:process signal;
-
-# Allow the user domain to connect to the X server.
-can_unix_connect($1_t, $1_xserver_t)
-allow $1_t $1_xserver_tmp_t:sock_file rw_file_perms;
-allow $1_t $1_xserver_tmp_t:dir r_dir_perms;
-ifdef(`xdm.te', `
-allow $1_t xdm_tmp_t:sock_file unlink;
-allow $1_xserver_t xdm_var_run_t:dir search;
-')
-
-# Signal the user domain.
-allow $1_xserver_t $1_t:process signal;
-
-# Communicate via System V shared memory.
-allow $1_xserver_t $1_t:shm rw_shm_perms;
-allow $1_t $1_xserver_t:shm rw_shm_perms;
-allow $1_xserver_t initrc_t:shm rw_shm_perms;
-
-')dnl end ifelse xdm
-
-# Create files in /var/log with the xserver_log_t type.
-allow $1_xserver_t var_t:dir search;
-file_type_auto_trans($1_xserver_t, var_log_t, xserver_log_t, file)
-allow $1_xserver_t xserver_log_t:dir r_dir_perms;
-
-# Access AGP device.
-allow $1_xserver_t agp_device_t:chr_file rw_file_perms;
-
-# for other device nodes such as the NVidia binary-only driver
-allow $1_xserver_t xserver_misc_device_t:chr_file rw_file_perms;
-
-# Access /proc/mtrr
-allow $1_xserver_t proc_t:file rw_file_perms;
-allow $1_xserver_t proc_t:lnk_file { getattr read };
-
-# Access /proc/sys/dev
-allow $1_xserver_t sysctl_dev_t:dir search;
-allow $1_xserver_t sysctl_dev_t:file { getattr read };
-# Access /proc/bus/pci
-allow $1_xserver_t proc_t:dir r_dir_perms;
-
-# Create and access /dev/dri devices.
-allow $1_xserver_t device_t:dir { create setattr };
-file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)
-# brought on by rhgb
-allow $1_xserver_t mnt_t:dir search;
-
-allow $1_xserver_t tty_device_t:chr_file { setattr rw_file_perms };
-
-# Run helper programs in $1_xserver_t.
-allow $1_xserver_t { bin_t sbin_t }:dir search;
-allow $1_xserver_t etc_t:{ file lnk_file } { getattr read };
-allow $1_xserver_t bin_t:lnk_file read;
-can_exec($1_xserver_t, { bin_t shell_exec_t })
-
-# Connect to xfs.
-ifdef(`xfs.te', `
-can_unix_connect($1_xserver_t, xfs_t)
-allow $1_xserver_t xfs_tmp_t:dir r_dir_perms;
-allow $1_xserver_t xfs_tmp_t:sock_file rw_file_perms;
-
-# Bind to the X server socket in /tmp.
-allow $1_xserver_t $1_xserver_tmp_t:unix_stream_socket name_bind;
-')
-
-read_locale($1_xserver_t)
-
-# Type for tmpfs/shm files.
-tmpfs_domain($1_xserver)
-ifelse($1, xdm, `
-ifdef(`xdm.te', `
-allow xdm_xserver_t xdm_t:shm rw_shm_perms;
-allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
-')
-', `
-allow $1_xserver_t $1_t:shm rw_shm_perms;
-rw_dir_file($1_xserver_t, $1_tmpfs_t)
-')dnl end ifelse xdm
-
-
-r_dir_file($1_xserver_t,sysfs_t)
-
-# Use the mouse.
-allow $1_xserver_t mouse_device_t:chr_file rw_file_perms;
-# Allow xserver to read events - the synaptics touchpad
-# driver reads raw events
-allow $1_xserver_t event_device_t:chr_file rw_file_perms;
-ifdef(`pamconsole.te', `
-allow $1_xserver_t pam_var_console_t:dir search;
-')
-dontaudit $1_xserver_t selinux_config_t:dir search;
-
-allow $1_xserver_t var_lib_t:dir search;
-rw_dir_create_file($1_xserver_t, xkb_var_lib_t)
-
-')dnl end macro definition
-
-', `
-
-define(`xserver_domain',`')
-
-')
-
diff --git a/mls/macros/program/ypbind_macros.te b/mls/macros/program/ypbind_macros.te
deleted file mode 100644
index 04a8f1d..0000000
--- a/mls/macros/program/ypbind_macros.te
+++ /dev/null
@@ -1,19 +0,0 @@
-define(`uncond_can_ypbind', `
-can_network($1)
-r_dir_file($1,var_yp_t)
-allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;
-allow $1 { portmap_port_t reserved_port_t port_t }:tcp_socket name_connect;
-dontaudit $1 self:capability net_bind_service;
-dontaudit $1 reserved_port_type:tcp_socket name_connect;
-dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind;
-')
-
-define(`can_ypbind', `
-ifdef(`ypbind.te', `
-if (allow_ypbind) {
-uncond_can_ypbind($1)
-} else {
-dontaudit $1 var_yp_t:dir search;
-}
-') dnl ypbind.te
-') dnl can_ypbind
diff --git a/mls/macros/user_macros.te b/mls/macros/user_macros.te
deleted file mode 100644
index 5575e64..0000000
--- a/mls/macros/user_macros.te
+++ /dev/null
@@ -1,326 +0,0 @@
-#
-# Macros for all user login domains.
-#
-
-# role_tty_type_change(starting_role, ending_role)
-#
-# change from role $1_r to $2_r and relabel tty appropriately
-#
-
-undefine(`role_tty_type_change')
-define(`role_tty_type_change', `
-allow $1_r $2_r;
-type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
-type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
-# avoid annoying messages on terminal hangup
-dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
-')
-
-#
-# reach_sysadm(user)
-#
-# Reach sysadm_t via programs like userhelper/sudo/su
-#
-
-undefine(`reach_sysadm')
-define(`reach_sysadm', `
-ifdef(`userhelper.te', `userhelper_domain($1)')
-ifdef(`sudo.te', `sudo_domain($1)')
-ifdef(`su.te', `
-su_domain($1)
-# When an ordinary user domain runs su, su may try to
-# update the /root/.Xauthority file, and the user shell may
-# try to update the shell history. This is not allowed, but 
-# we dont need to audit it.
-dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search;
-dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;
-dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;
-') dnl ifdef su.te
-ifdef(`xauth.te', `
-file_type_auto_trans($1_xauth_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
-ifdef(`userhelper.te', `
-file_type_auto_trans($1_userhelper_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
-') dnl userhelper.te 
-') dnl xauth.te 
-') dnl reach_sysadm
-
-#
-# priv_user(user)
-#
-# Privileged user domain
-#
-
-undefine(`priv_user')
-define(`priv_user', `
-# Reach sysadm_t
-reach_sysadm($1)
-
-# Read file_contexts for rpm and get security decisions. 
-r_dir_file($1_t, file_context_t)
-can_getsecurity($1_t)
-
-# Signal and see information about unprivileged user domains.
-allow $1_t unpriv_userdomain:process signal_perms;
-can_ps($1_t, unpriv_userdomain)
-allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr;
-
-# Read /root files if boolean is enabled.
-if (staff_read_sysadm_file) {
-allow $1_t sysadm_home_dir_t:dir { getattr search };
-allow $1_t sysadm_home_t:file { getattr read };
-}
-
-') dnl priv_user
-
-#
-# user_domain(domain_prefix)
-#
-# Define derived types and rules for an ordinary user domain.
-#
-# The type declaration and role authorization for the domain must be
-# provided separately.  Likewise, domain transitions into this domain
-# must be specified separately.  
-#
-
-# user_domain() is also called by the admin_domain() macro
-undefine(`user_domain')
-define(`user_domain', `
-# Use capabilities
-
-# Type for home directory.
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, polydir;
-type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type, polymember;
-
-# Transition manually for { lnk sock fifo }. The rest is in content macros.
-tmp_domain_notrans($1, `, user_tmpfile, $1_file_type')
-file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
-allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
-
-ifdef(`support_polyinstantiation', `
-type_member $1_t tmp_t:dir $1_tmp_t;
-type_member $1_t $1_home_dir_t:dir $1_home_t;
-')
-
-base_user_domain($1)
-ifdef(`mls_policy', `', `
-access_removable_media($1_t)
-')
-
-# do not allow privhome access to sysadm_home_dir_t
-file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
-
-allow $1_t boot_t:dir { getattr search };
-dontaudit $1_t boot_t:lnk_file read;
-dontaudit $1_t boot_t:file read;
-allow $1_t system_map_t:file { getattr read };
-
-# Instantiate derived domains for a number of programs.
-# These derived domains encode both information about the calling
-# user domain and the program, and allow us to maintain separation
-# between different instances of the program being run by different
-# user domains.
-ifelse($1, sysadm, `',`
-ifdef(`apache.te', `apache_user_domain($1)')
-ifdef(`i18n_input.te', `i18n_input_domain($1)')
-ifdef(`spamd.te', `home_domain_ro_access(spamd_t, $1)')
-')
-ifdef(`slocate.te', `locate_domain($1)')
-ifdef(`lockdev.te', `lockdev_domain($1)')
-
-can_kerberos($1_t)
-# allow port_t name binding for UDP because it is not very usable otherwise
-allow $1_t port_t:udp_socket name_bind;
-
-#
-# Need the following rule to allow users to run vpnc
-#
-ifdef(`xserver.te', `
-allow $1_t xserver_port_t:tcp_socket name_bind;
-')
-
-# Allow users to run TCP servers (bind to ports and accept connection from
-# the same domain and outside users)  disabling this forces FTP passive mode
-# and may change other protocols
-if (user_tcp_server) {
-allow $1_t port_t:tcp_socket name_bind;
-}
-# port access is audited even if dac would not have allowed it, so dontaudit it here
-dontaudit $1_t { reserved_port_type reserved_port_t }:tcp_socket name_bind;
-
-# Allow system log read
-if (user_dmesg) {
-allow $1_t kernel_t:system syslog_read;
-} else {
-# else do not log it
-dontaudit $1_t kernel_t:system syslog_read;
-}
-
-# Allow read access to utmp.
-allow $1_t initrc_var_run_t:file { getattr read lock };
-# The library functions always try to open read-write first,
-# then fall back to read-only if it fails. 
-# Do not audit write denials to utmp to avoid the noise.
-dontaudit $1_t initrc_var_run_t:file write;
-
-
-# do not audit read on disk devices
-dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
-
-ifdef(`xdm.te', `
-allow xdm_t $1_home_t:lnk_file read;
-allow xdm_t $1_home_t:dir search;
-#
-# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
-# 
-dontaudit xdm_t $1_home_t:file rw_file_perms;
-')dnl end ifdef xdm.te
-
-ifdef(`ftpd.te', `
-if (ftp_home_dir) {
-file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
-}
-')dnl end ifdef ftpd
-
-
-')dnl end user_domain macro
-
-
-###########################################################################
-#
-# Domains for ordinary users.
-#
-undefine(`limited_user_role')
-define(`limited_user_role', `
-# user_t/$1_t is an unprivileged users domain.
-type $1_t, domain, userdomain, unpriv_userdomain, nscd_client_domain, privfd;
-
-#Type for tty devices.
-type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs;
-# Type and access for pty devices.
-can_create_pty($1, `, userpty_type, user_tty_type')
-
-# Access ttys.
-allow $1_t privfd:fd use;
-allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
-
-# Grant read/search permissions to some of /proc.
-r_dir_file($1_t, proc_t)
-# netstat needs to access proc_net_t; if you want to hide this info use dontaudit here instead
-r_dir_file($1_t, proc_net_t)
-
-base_file_read_access($1_t)
-
-# Execute from the system shared libraries.
-uses_shlib($1_t)
-
-# Read /etc.
-r_dir_file($1_t, etc_t)
-allow $1_t etc_runtime_t:file r_file_perms;
-allow $1_t etc_runtime_t:lnk_file { getattr read };
-
-allow $1_t self:process { fork sigchld setpgid signal_perms };
-
-# read localization information
-read_locale($1_t)
-
-read_sysctl($1_t)
-can_exec($1_t, { bin_t sbin_t shell_exec_t ls_exec_t })
-
-allow $1_t self:dir search;
-allow $1_t self:file { getattr read };
-allow $1_t self:fifo_file rw_file_perms;
-
-allow $1_t self:lnk_file read;
-allow $1_t self:unix_stream_socket create_socket_perms;
-allow $1_t urandom_device_t:chr_file { getattr read };
-dontaudit $1_t { var_spool_t var_log_t }:dir search;
-
-# Read /dev directories and any symbolic links.
-allow $1_t device_t:dir r_dir_perms;
-allow $1_t device_t:lnk_file { getattr read };
-allow $1_t devtty_t:chr_file { read write };
-
-')
-
-undefine(`full_user_role')
-define(`full_user_role', `
-
-limited_user_role($1)
-
-typeattribute  $1_t web_client_domain;
-
-attribute $1_file_type;
-
-ifdef(`useradd.te', `
-# Useradd relabels /etc/skel files so needs these privs 
-allow useradd_t $1_file_type:dir create_dir_perms;
-allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
-')
-
-can_exec($1_t, usr_t)
-
-# Read directories and files with the readable_t type.
-# This type is a general type for "world"-readable files.
-allow $1_t readable_t:dir r_dir_perms;
-allow $1_t readable_t:notdevfile_class_set r_file_perms;
-
-# Stat lost+found.
-allow $1_t lost_found_t:dir getattr;
-
-# Read /var, /var/spool, /var/run.
-r_dir_file($1_t, var_t)
-# what about pipes and sockets under /var/spool?
-r_dir_file($1_t, var_spool_t)
-r_dir_file($1_t, var_run_t)
-allow $1_t var_lib_t:dir r_dir_perms;
-allow $1_t var_lib_t:file { getattr read };
-
-# for running depmod as part of the kernel packaging process
-allow $1_t modules_conf_t:file { getattr read };
-
-# Read man directories and files.
-r_dir_file($1_t, man_t)
-
-# Allow users to rw usb devices
-if (user_rw_usb) {
-rw_dir_create_file($1_t,usbdevfs_t)
-} else {
-r_dir_file($1_t,usbdevfs_t)
-}
-
-r_dir_file($1_t,sysfs_t)
-
-# Do not audit write denials to /etc/ld.so.cache.
-dontaudit $1_t ld_so_cache_t:file write;
-
-# $1_t is also granted permissions specific to user domains.
-user_domain($1)
-
-dontaudit $1_t sysadm_home_t:file { read append };
-
-ifdef(`syslogd.te', `
-# Some programs that are left in $1_t will try to connect
-# to syslogd, but we do not want to let them generate log messages.
-# Do not audit.
-dontaudit $1_t devlog_t:sock_file { read write };
-dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
-')
-
-# Stop warnings about access to /dev/console
-dontaudit $1_t init_t:fd use;
-dontaudit $1_t initrc_t:fd use;
-allow $1_t initrc_t:fifo_file write;
-
-#
-# Rules used to associate a homedir as a mountpoint
-#
-allow $1_home_t self:filesystem associate;
-allow $1_file_type $1_home_t:filesystem associate;
-')
-
-undefine(`in_user_role')
-define(`in_user_role', `
-role user_r types $1;
-role staff_r types $1;
-')
-
diff --git a/mls/mcs b/mls/mcs
deleted file mode 100644
index 8a04ae8..0000000
--- a/mls/mcs
+++ /dev/null
@@ -1,162 +0,0 @@
-#
-# Define sensitivities 
-#
-# Each sensitivity has a name and zero or more aliases.
-#
-# MCS is single-sensitivity.
-#
-sensitivity s0;
-
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 }
-
-
-#
-# Define the categories
-#
-# Each category has a name and zero or more aliases.
-#
-category c0; category c1; category c2; category c3;
-category c4; category c5; category c6; category c7;
-category c8; category c9; category c10; category c11;
-category c12; category c13; category c14; category c15;
-category c16; category c17; category c18; category c19;
-category c20; category c21; category c22; category c23;
-category c24; category c25; category c26; category c27;
-category c28; category c29; category c30; category c31;
-category c32; category c33; category c34; category c35;
-category c36; category c37; category c38; category c39;
-category c40; category c41; category c42; category c43;
-category c44; category c45; category c46; category c47;
-category c48; category c49; category c50; category c51;
-category c52; category c53; category c54; category c55;
-category c56; category c57; category c58; category c59;
-category c60; category c61; category c62; category c63;
-category c64; category c65; category c66; category c67;
-category c68; category c69; category c70; category c71;
-category c72; category c73; category c74; category c75;
-category c76; category c77; category c78; category c79;
-category c80; category c81; category c82; category c83;
-category c84; category c85; category c86; category c87;
-category c88; category c89; category c90; category c91;
-category c92; category c93; category c94; category c95;
-category c96; category c97; category c98; category c99;
-category c100; category c101; category c102; category c103;
-category c104; category c105; category c106; category c107;
-category c108; category c109; category c110; category c111;
-category c112; category c113; category c114; category c115;
-category c116; category c117; category c118; category c119;
-category c120; category c121; category c122; category c123;
-category c124; category c125; category c126; category c127;
-category c128; category c129; category c130; category c131;
-category c132; category c133; category c134; category c135;
-category c136; category c137; category c138; category c139;
-category c140; category c141; category c142; category c143;
-category c144; category c145; category c146; category c147;
-category c148; category c149; category c150; category c151;
-category c152; category c153; category c154; category c155;
-category c156; category c157; category c158; category c159;
-category c160; category c161; category c162; category c163;
-category c164; category c165; category c166; category c167;
-category c168; category c169; category c170; category c171;
-category c172; category c173; category c174; category c175;
-category c176; category c177; category c178; category c179;
-category c180; category c181; category c182; category c183;
-category c184; category c185; category c186; category c187;
-category c188; category c189; category c190; category c191;
-category c192; category c193; category c194; category c195;
-category c196; category c197; category c198; category c199;
-category c200; category c201; category c202; category c203;
-category c204; category c205; category c206; category c207;
-category c208; category c209; category c210; category c211;
-category c212; category c213; category c214; category c215;
-category c216; category c217; category c218; category c219;
-category c220; category c221; category c222; category c223;
-category c224; category c225; category c226; category c227;
-category c228; category c229; category c230; category c231;
-category c232; category c233; category c234; category c235;
-category c236; category c237; category c238; category c239;
-category c240; category c241; category c242; category c243;
-category c244; category c245; category c246; category c247;
-category c248; category c249; category c250; category c251;
-category c252; category c253; category c254; category c255;
-
-
-#
-# Each MCS level specifies a sensitivity and zero or more categories which may
-# be associated with that sensitivity.
-#
-level s0:c0.c255;
-
-#
-# Define the MCS policy
-#
-# mlsconstrain class_set perm_set expression ;
-#
-# mlsvalidatetrans class_set expression ;
-#
-# expression : ( expression )
-#	     | not expression
-#	     | expression and expression
-#	     | expression or expression
-#	     | u1 op u2
-#	     | r1 role_mls_op r2
-#	     | t1 op t2
-#	     | l1 role_mls_op l2
-#	     | l1 role_mls_op h2
-#	     | h1 role_mls_op l2
-#	     | h1 role_mls_op h2
-#	     | l1 role_mls_op h1
-#	     | l2 role_mls_op h2
-#	     | u1 op names
-#	     | u2 op names
-#	     | r1 op names
-#	     | r2 op names
-#	     | t1 op names
-#	     | t2 op names
-#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
-#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
-#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
-#
-# op : == | !=
-# role_mls_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name
-#
-
-#
-# MCS policy for the file classes
-#
-# Constrain file access so that the high range of the process dominates
-# the high range of the file.  We use the high range of the process so
-# that processes can always simply run at s0.
-#
-# Only files are constrained by MCS at this stage.
-#
-mlsconstrain file { write setattr append unlink link rename
-		    create ioctl lock execute } (h1 dom h2);
-
-mlsconstrain file { read } ((h1 dom h2) or 
-			    ( t1 == mlsfileread ));
-
-
-# new file labels must be dominated by the relabeling subject's clearance
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto }
-	( h1 dom h2 );
-
-define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append 
-link unlink rename relabelfrom relabelto }')
-
-define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink 
-rename search add_name remove_name reparent write rmdir relabelfrom 
-relabelto }')
-
-# XXX
-#
-# For some reason, we need to reference the mlsfileread attribute
-# or we get a build error.  Below is a dummy entry to do this.
-mlsconstrain xextension query ( t1 == mlsfileread );
-
diff --git a/mls/mls b/mls/mls
deleted file mode 100644
index c7d04ef..0000000
--- a/mls/mls
+++ /dev/null
@@ -1,665 +0,0 @@
-#
-# Define sensitivities 
-#
-# Each sensitivity has a name and zero or more aliases.
-#
-sensitivity s0;
-sensitivity s1;
-sensitivity s2;
-sensitivity s3;
-sensitivity s4;
-sensitivity s5;
-sensitivity s6;
-sensitivity s7;
-sensitivity s8;
-sensitivity s9;
-sensitivity s10;
-sensitivity s11;
-sensitivity s12;
-sensitivity s13;
-sensitivity s14;
-sensitivity s15;
-
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
-
-
-#
-# Define the categories
-#
-# Each category has a name and zero or more aliases.
-#
-category c0; category c1; category c2; category c3;
-category c4; category c5; category c6; category c7;
-category c8; category c9; category c10; category c11;
-category c12; category c13; category c14; category c15;
-category c16; category c17; category c18; category c19;
-category c20; category c21; category c22; category c23;
-category c24; category c25; category c26; category c27;
-category c28; category c29; category c30; category c31;
-category c32; category c33; category c34; category c35;
-category c36; category c37; category c38; category c39;
-category c40; category c41; category c42; category c43;
-category c44; category c45; category c46; category c47;
-category c48; category c49; category c50; category c51;
-category c52; category c53; category c54; category c55;
-category c56; category c57; category c58; category c59;
-category c60; category c61; category c62; category c63;
-category c64; category c65; category c66; category c67;
-category c68; category c69; category c70; category c71;
-category c72; category c73; category c74; category c75;
-category c76; category c77; category c78; category c79;
-category c80; category c81; category c82; category c83;
-category c84; category c85; category c86; category c87;
-category c88; category c89; category c90; category c91;
-category c92; category c93; category c94; category c95;
-category c96; category c97; category c98; category c99;
-category c100; category c101; category c102; category c103;
-category c104; category c105; category c106; category c107;
-category c108; category c109; category c110; category c111;
-category c112; category c113; category c114; category c115;
-category c116; category c117; category c118; category c119;
-category c120; category c121; category c122; category c123;
-category c124; category c125; category c126; category c127;
-category c128; category c129; category c130; category c131;
-category c132; category c133; category c134; category c135;
-category c136; category c137; category c138; category c139;
-category c140; category c141; category c142; category c143;
-category c144; category c145; category c146; category c147;
-category c148; category c149; category c150; category c151;
-category c152; category c153; category c154; category c155;
-category c156; category c157; category c158; category c159;
-category c160; category c161; category c162; category c163;
-category c164; category c165; category c166; category c167;
-category c168; category c169; category c170; category c171;
-category c172; category c173; category c174; category c175;
-category c176; category c177; category c178; category c179;
-category c180; category c181; category c182; category c183;
-category c184; category c185; category c186; category c187;
-category c188; category c189; category c190; category c191;
-category c192; category c193; category c194; category c195;
-category c196; category c197; category c198; category c199;
-category c200; category c201; category c202; category c203;
-category c204; category c205; category c206; category c207;
-category c208; category c209; category c210; category c211;
-category c212; category c213; category c214; category c215;
-category c216; category c217; category c218; category c219;
-category c220; category c221; category c222; category c223;
-category c224; category c225; category c226; category c227;
-category c228; category c229; category c230; category c231;
-category c232; category c233; category c234; category c235;
-category c236; category c237; category c238; category c239;
-category c240; category c241; category c242; category c243;
-category c244; category c245; category c246; category c247;
-category c248; category c249; category c250; category c251;
-category c252; category c253; category c254; category c255;
-
-
-#
-# Each MLS level specifies a sensitivity and zero or more categories which may
-# be associated with that sensitivity.
-#
-level s0:c0.c255;
-level s1:c0.c255;
-level s2:c0.c255;
-level s3:c0.c255;
-level s4:c0.c255;
-level s5:c0.c255;
-level s6:c0.c255;
-level s7:c0.c255;
-level s8:c0.c255;
-level s9:c0.c255;
-level s10:c0.c255;
-level s11:c0.c255;
-level s12:c0.c255;
-level s13:c0.c255;
-level s14:c0.c255;
-level s15:c0.c255;
-
-
-#
-# Define the MLS policy
-#
-# mlsconstrain class_set perm_set expression ;
-#
-# mlsvalidatetrans class_set expression ;
-#
-# expression : ( expression )
-#	     | not expression
-#	     | expression and expression
-#	     | expression or expression
-#	     | u1 op u2
-#	     | r1 role_mls_op r2
-#	     | t1 op t2
-#	     | l1 role_mls_op l2
-#	     | l1 role_mls_op h2
-#	     | h1 role_mls_op l2
-#	     | h1 role_mls_op h2
-#	     | l1 role_mls_op h1
-#	     | l2 role_mls_op h2
-#	     | u1 op names
-#	     | u2 op names
-#	     | r1 op names
-#	     | r2 op names
-#	     | t1 op names
-#	     | t2 op names
-#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
-#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
-#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
-#
-# op : == | !=
-# role_mls_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name
-#
-
-#
-# MLS policy for the file classes
-#
-
-# make sure these file classes are "single level"
-mlsconstrain { file lnk_file fifo_file } { create relabelto }
-	( l2 eq h2 );
-
-# new file labels must be dominated by the relabeling subject's clearance
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
-	( h1 dom h2 );
-
-# the file "read" ops (note the check is dominance of the low level)
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsfileread ) or
-	 ( t2 == mlstrustedobject ));
-
-mlsconstrain dir search
-	(( l1 dom l2 ) or
-	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsfileread ) or
-	 ( t2 == mlstrustedobject ));
-
-# the "single level" file "write" ops
-mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsfilewrite ) or
-	 ( t2 == mlstrustedobject ));
-
-# the "ranged" file "write" ops
-mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
-	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsfilewrite ) or
-	 ( t2 == mlstrustedobject ));
-
-mlsconstrain dir { add_name remove_name reparent rmdir }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
-	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsfilewrite ) or
-	 ( t2 == mlstrustedobject ));
-
-# these access vectors have no MLS restrictions
-# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
-#
-# { file chr_file } { execute_no_trans entrypoint execmod }
-
-# the file upgrade/downgrade rule
-mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
-	((( l1 eq l2 ) or
-	  (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
-	  (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
-	  (( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
-	 (( h1 eq h2 ) or
-	  (( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or
-	  (( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or
-	  (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
-
-# create can also require the upgrade/downgrade checks if the creating process
-# has used setfscreate (note that both the high and low level of the object
-# default to the process' sensitivity level)
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
-	((( l1 eq l2 ) or
-	  (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
-	  (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
-	  (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
-	 (( l1 eq h2 ) or
-	  (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
-	  (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
-	  (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
-
-
-
-
-#
-# MLS policy for the filesystem class
-#
-
-# new filesystem labels must be dominated by the relabeling subject's clearance
-mlsconstrain filesystem relabelto
-	( h1 dom h2 );
-
-# the filesystem "read" ops (implicit single level)
-mlsconstrain filesystem { getattr quotaget }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsfileread ));
-
-# all the filesystem "write" ops (implicit single level)
-mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsfilewrite ));
-
-# these access vectors have no MLS restrictions
-# filesystem { transition associate }
-
-
-
-
-#
-# MLS policy for the socket classes
-#
-
-# new socket labels must be dominated by the relabeling subject's clearance
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
-	( h1 dom h2 );
-
-# the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsnetread ));
-
-mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
-	(( l1 dom l2 ) or
-	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsnetread ));
-
-# the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
-	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsnetwrite ));
-
-# these access vectors have no MLS restrictions
-# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
-#
-# { tcp_socket udp_socket rawip_socket } node_bind
-#
-# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
-#
-# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
-#
-
-
-
-
-#
-# MLS policy for the ipc classes
-#
-
-# the ipc "read" ops (implicit single level)
-mlsconstrain { ipc sem msgq shm } { getattr read unix_read }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsipcread ));
-
-mlsconstrain msg receive
-	(( l1 dom l2 ) or
-	 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsipcread ));
-
-# the ipc "write" ops (implicit single level)
-mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsipcwrite ));
-
-mlsconstrain msgq enqueue
-	(( l1 eq l2 ) or
-	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsipcwrite ));
-
-mlsconstrain shm lock
-	(( l1 eq l2 ) or
-	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsipcwrite ));
-
-mlsconstrain msg send
-	(( l1 eq l2 ) or
-	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsipcwrite ));
-
-# these access vectors have no MLS restrictions
-# { ipc sem msgq shm } associate
-
-
-
-
-#
-# MLS policy for the fd class
-#
-
-# these access vectors have no MLS restrictions
-# fd use
-
-
-
-
-#
-# MLS policy for the network object classes
-#
-
-# the netif/node "read" ops (implicit single level socket doing the read)
-#                           (note the check is dominance of the low level)
-mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv }
-	(( l1 dom l2 ) or ( t1 == mlsnetrecvall ));
-
-# the netif/node "write" ops (implicit single level socket doing the write)
-mlsconstrain { netif node } { tcp_send udp_send rawip_send }
-	(( l1 dom l2 ) and ( l1 domby h2 ));
-
-# these access vectors have no MLS restrictions
-# { netif node } { enforce_dest }
-
-
-
-
-#
-# MLS policy for the process class
-#
-
-# new process labels must be dominated by the relabeling subject's clearance
-# and sensitivity level changes require privilege
-mlsconstrain process transition
-	(( h1 dom h2 ) and
-	 (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or
-	  (( t1 == privrangetrans ) and ( t2 == mlsrangetrans ))));
-mlsconstrain process dyntransition
-	(( h1 dom h2 ) and
-	 (( l1 eq l2 ) or ( t1 == mlsprocsetsl )));
-
-# all the process "read" ops
-mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsprocread ));
-
-# all the process "write" ops (note the check is equality on the low level)
-mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsprocwrite ));
-
-# these access vectors have no MLS restrictions
-# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem }
-
-
-
-
-#
-# MLS policy for the security class
-#
-
-# these access vectors have no MLS restrictions
-# security *
-
-
-
-
-#
-# MLS policy for the system class
-#
-
-# these access vectors have no MLS restrictions
-# system *
-
-
-
-
-#
-# MLS policy for the capability class
-#
-
-# these access vectors have no MLS restrictions
-# capability *
-
-
-
-
-#
-# MLS policy for the passwd class
-#
-
-# these access vectors have no MLS restrictions
-# passwd *
-
-
-
-
-#
-# MLS policy for the drawable class
-#
-
-# the drawable "read" ops (implicit single level)
-mlsconstrain drawable { getattr copy }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the drawable "write" ops (implicit single level)
-mlsconstrain drawable { create destroy draw copy }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the gc class
-#
-
-# the gc "read" ops (implicit single level)
-mlsconstrain gc getattr
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the gc "write" ops (implicit single level)
-mlsconstrain gc { create free setattr }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the window class
-#
-
-# the window "read" ops (implicit single level)
-mlsconstrain window { listprop getattr enumerate mousemotion inputevent drawevent windowchangeevent windowchangerequest serverchangeevent extensionevent }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the window "write" ops (implicit single level)
-mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ) or
-	 ( t2 == mlstrustedobject ));
-
-# these access vectors have no MLS restrictions
-# window { map unmap }
-
-
-
-
-#
-# MLS policy for the font class
-#
-
-# the font "read" ops (implicit single level)
-mlsconstrain font { load getattr }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the font "write" ops (implicit single level)
-mlsconstrain font free
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-# these access vectors have no MLS restrictions
-# font use
-
-
-
-
-#
-# MLS policy for the colormap class
-#
-
-# the colormap "read" ops (implicit single level)
-mlsconstrain colormap { list read getattr }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinreadcolormap ) or
-	 ( t1 == mlsxwinread ));
-
-# the colormap "write" ops (implicit single level)
-mlsconstrain colormap { create free install uninstall store setattr }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwritecolormap ) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the property class
-#
-
-# the property "read" ops (implicit single level)
-mlsconstrain property { read }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinreadproperty ) or
-	 ( t1 == mlsxwinread ));
-
-# the property "write" ops (implicit single level)
-mlsconstrain property { create free write }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwriteproperty ) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the cursor class
-#
-
-# the cursor "write" ops (implicit single level)
-mlsconstrain cursor { create createglyph free assign setattr }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the xclient class
-#
-
-# the xclient "write" ops (implicit single level)
-mlsconstrain xclient kill
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the xinput class
-#
-
-# these access vectors have no MLS restrictions
-# xinput ~{ relabelinput setattr }
-
-# the xinput "write" ops (implicit single level)
-mlsconstrain xinput { setattr relabelinput }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwritexinput ) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the xserver class
-#
-
-# these access vectors have no MLS restrictions
-# xserver *
-
-
-
-
-#
-# MLS policy for the xextension class
-#
-
-# these access vectors have no MLS restrictions
-# xextension { query use }
-
-
-#
-# MLS policy for the pax class
-#
-
-# these access vectors have no MLS restrictions
-# pax { pageexec emutramp mprotect randmmap randexec segmexec }
-
-
-
-
-#
-# MLS policy for the dbus class
-#
-
-# these access vectors have no MLS restrictions
-# dbus { acquire_svc send_msg }
-
-
-
-
-#
-# MLS policy for the nscd class
-#
-
-# these access vectors have no MLS restrictions
-# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost }
-
-
-
-
-#
-# MLS policy for the association class
-#
-
-# these access vectors have no MLS restrictions
-# association { sendto recvfrom }
-
diff --git a/mls/net_contexts b/mls/net_contexts
deleted file mode 100644
index c15f994..0000000
--- a/mls/net_contexts
+++ /dev/null
@@ -1,251 +0,0 @@
-# FLASK
-
-#
-# Security contexts for network entities
-# If no context is specified, then a default initial SID is used.
-#
-
-# Modified by Reino Wallin <reino@oribium.com>
-# Multi NIC, and IPSEC features
-
-# Modified by Russell Coker
-# ifdefs to encapsulate domains, and many additional port contexts
-
-#
-# Port numbers (default = initial SID "port")
-# 
-# protocol number context
-# protocol low-high context
-#
-portcon tcp 7 system_u:object_r:inetd_child_port_t:s0
-portcon udp 7 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 9 system_u:object_r:inetd_child_port_t:s0
-portcon udp 9 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 13 system_u:object_r:inetd_child_port_t:s0
-portcon udp 13 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 19 system_u:object_r:inetd_child_port_t:s0
-portcon udp 19 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 37 system_u:object_r:inetd_child_port_t:s0
-portcon udp 37 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 113 system_u:object_r:auth_port_t:s0
-portcon tcp 512 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 543 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 544 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 891 system_u:object_r:inetd_child_port_t:s0
-portcon udp 891 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 892 system_u:object_r:inetd_child_port_t:s0
-portcon udp 892 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 2105 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 20 system_u:object_r:ftp_data_port_t:s0
-portcon tcp 21 system_u:object_r:ftp_port_t:s0
-portcon tcp 22 system_u:object_r:ssh_port_t:s0
-portcon tcp 23 system_u:object_r:telnetd_port_t:s0
-
-portcon tcp 25 system_u:object_r:smtp_port_t:s0
-portcon tcp 465 system_u:object_r:smtp_port_t:s0
-portcon tcp 587 system_u:object_r:smtp_port_t:s0
-
-portcon udp 500 system_u:object_r:isakmp_port_t:s0
-portcon udp 53 system_u:object_r:dns_port_t:s0
-portcon tcp 53 system_u:object_r:dns_port_t:s0
-
-portcon udp 67  system_u:object_r:dhcpd_port_t:s0
-portcon udp 647  system_u:object_r:dhcpd_port_t:s0
-portcon tcp 647  system_u:object_r:dhcpd_port_t:s0
-portcon udp 847  system_u:object_r:dhcpd_port_t:s0
-portcon tcp 847  system_u:object_r:dhcpd_port_t:s0
-portcon udp 68  system_u:object_r:dhcpc_port_t:s0
-portcon udp 70 system_u:object_r:gopher_port_t:s0
-portcon tcp 70 system_u:object_r:gopher_port_t:s0
-
-portcon udp 69  system_u:object_r:tftp_port_t:s0
-portcon tcp 79  system_u:object_r:fingerd_port_t:s0
-
-portcon tcp 80  system_u:object_r:http_port_t:s0
-portcon tcp 443  system_u:object_r:http_port_t:s0
-portcon tcp 488  system_u:object_r:http_port_t:s0
-portcon tcp 8008  system_u:object_r:http_port_t:s0
-portcon tcp 8090  system_u:object_r:http_port_t:s0
-
-portcon tcp 106 system_u:object_r:pop_port_t:s0
-portcon tcp 109 system_u:object_r:pop_port_t:s0
-portcon tcp 110 system_u:object_r:pop_port_t:s0
-portcon tcp 143 system_u:object_r:pop_port_t:s0
-portcon tcp 220 system_u:object_r:pop_port_t:s0
-portcon tcp 993 system_u:object_r:pop_port_t:s0
-portcon tcp 995 system_u:object_r:pop_port_t:s0
-portcon tcp 1109 system_u:object_r:pop_port_t:s0
-
-portcon udp 111 system_u:object_r:portmap_port_t:s0
-portcon tcp 111 system_u:object_r:portmap_port_t:s0
-
-portcon tcp 119 system_u:object_r:innd_port_t:s0
-portcon udp 123 system_u:object_r:ntp_port_t:s0
-
-portcon tcp 137 system_u:object_r:smbd_port_t:s0
-portcon udp 137 system_u:object_r:nmbd_port_t:s0
-portcon tcp 138 system_u:object_r:smbd_port_t:s0
-portcon udp 138 system_u:object_r:nmbd_port_t:s0
-portcon tcp 139 system_u:object_r:smbd_port_t:s0
-portcon udp 139 system_u:object_r:nmbd_port_t:s0
-portcon tcp 445 system_u:object_r:smbd_port_t:s0
-
-portcon udp 161 system_u:object_r:snmp_port_t:s0
-portcon udp 162 system_u:object_r:snmp_port_t:s0
-portcon tcp 199 system_u:object_r:snmp_port_t:s0
-portcon udp 512 system_u:object_r:comsat_port_t:s0
-
-portcon tcp 389 system_u:object_r:ldap_port_t:s0
-portcon udp 389 system_u:object_r:ldap_port_t:s0
-portcon tcp 636 system_u:object_r:ldap_port_t:s0
-portcon udp 636 system_u:object_r:ldap_port_t:s0
-
-portcon tcp 513 system_u:object_r:rlogind_port_t:s0
-portcon tcp 514 system_u:object_r:rsh_port_t:s0
-
-portcon tcp 515 system_u:object_r:printer_port_t:s0
-portcon udp 514 system_u:object_r:syslogd_port_t:s0
-portcon udp 517 system_u:object_r:ktalkd_port_t:s0
-portcon udp 518 system_u:object_r:ktalkd_port_t:s0
-portcon tcp 631 system_u:object_r:ipp_port_t:s0
-portcon udp 631 system_u:object_r:ipp_port_t:s0
-portcon tcp 88 system_u:object_r:kerberos_port_t:s0
-portcon udp 88 system_u:object_r:kerberos_port_t:s0
-portcon tcp 464 system_u:object_r:kerberos_admin_port_t:s0
-portcon udp 464 system_u:object_r:kerberos_admin_port_t:s0
-portcon tcp 749 system_u:object_r:kerberos_admin_port_t:s0
-portcon tcp 750 system_u:object_r:kerberos_port_t:s0
-portcon udp 750 system_u:object_r:kerberos_port_t:s0
-portcon tcp 783 system_u:object_r:spamd_port_t:s0
-portcon tcp 540 system_u:object_r:uucpd_port_t:s0
-portcon tcp 2401 system_u:object_r:cvs_port_t:s0
-portcon udp 2401 system_u:object_r:cvs_port_t:s0
-portcon tcp 873 system_u:object_r:rsync_port_t:s0
-portcon udp 873 system_u:object_r:rsync_port_t:s0
-portcon tcp 901 system_u:object_r:swat_port_t:s0
-portcon tcp 953 system_u:object_r:rndc_port_t:s0
-portcon tcp 1213 system_u:object_r:giftd_port_t:s0
-portcon tcp 1241 system_u:object_r:nessus_port_t:s0
-portcon tcp 1234 system_u:object_r:monopd_port_t:s0
-portcon udp 1645 system_u:object_r:radius_port_t:s0
-portcon udp 1646 system_u:object_r:radacct_port_t:s0
-portcon udp 1812 system_u:object_r:radius_port_t:s0
-portcon udp 1813 system_u:object_r:radacct_port_t:s0
-portcon udp 1718 system_u:object_r:gatekeeper_port_t:s0
-portcon udp 1719 system_u:object_r:gatekeeper_port_t:s0
-portcon tcp 1721 system_u:object_r:gatekeeper_port_t:s0
-portcon tcp 7000 system_u:object_r:gatekeeper_port_t:s0
-portcon tcp 2040 system_u:object_r:afs_fs_port_t:s0
-portcon udp 7000 system_u:object_r:afs_fs_port_t:s0
-portcon udp 7002 system_u:object_r:afs_pt_port_t:s0
-portcon udp 7003 system_u:object_r:afs_vl_port_t:s0
-portcon udp 7004 system_u:object_r:afs_ka_port_t:s0
-portcon udp 7005 system_u:object_r:afs_fs_port_t:s0
-portcon udp 7007 system_u:object_r:afs_bos_port_t:s0
-portcon tcp 1720 system_u:object_r:asterisk_port_t:s0
-portcon udp 2427 system_u:object_r:asterisk_port_t:s0
-portcon udp 2727 system_u:object_r:asterisk_port_t:s0
-portcon udp 4569 system_u:object_r:asterisk_port_t:s0
-portcon udp 5060 system_u:object_r:asterisk_port_t:s0
-portcon tcp 2000 system_u:object_r:mail_port_t:s0
-portcon tcp 2601 system_u:object_r:zebra_port_t:s0
-portcon tcp 2605 system_u:object_r:zebra_port_t:s0
-portcon tcp 2628 system_u:object_r:dict_port_t:s0
-portcon tcp 3306 system_u:object_r:mysqld_port_t:s0
-portcon tcp 3632 system_u:object_r:distccd_port_t:s0
-portcon udp 4011 system_u:object_r:pxe_port_t:s0
-portcon udp 5000 system_u:object_r:openvpn_port_t:s0
-portcon tcp 5323 system_u:object_r:imaze_port_t:s0
-portcon udp 5323 system_u:object_r:imaze_port_t:s0
-portcon tcp 5335 system_u:object_r:howl_port_t:s0
-portcon udp 5353 system_u:object_r:howl_port_t:s0
-portcon tcp 5222 system_u:object_r:jabber_client_port_t:s0
-portcon tcp 5223 system_u:object_r:jabber_client_port_t:s0
-portcon tcp 5269 system_u:object_r:jabber_interserver_port_t:s0
-portcon tcp 5432 system_u:object_r:postgresql_port_t:s0
-portcon tcp 5666 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 5703 system_u:object_r:ptal_port_t:s0
-portcon tcp 9290 system_u:object_r:hplip_port_t:s0
-portcon tcp 9291 system_u:object_r:hplip_port_t:s0
-portcon tcp 9292 system_u:object_r:hplip_port_t:s0
-portcon tcp 50000 system_u:object_r:hplip_port_t:s0
-portcon tcp 50002 system_u:object_r:hplip_port_t:s0
-portcon tcp 5900  system_u:object_r:vnc_port_t:s0 
-portcon tcp 5988  system_u:object_r:pegasus_http_port_t:s0
-portcon tcp 5989  system_u:object_r:pegasus_https_port_t:s0
-portcon tcp 6000  system_u:object_r:xserver_port_t:s0
-portcon tcp 6001  system_u:object_r:xserver_port_t:s0
-portcon tcp 6002  system_u:object_r:xserver_port_t:s0
-portcon tcp 6003  system_u:object_r:xserver_port_t:s0
-portcon tcp 6004  system_u:object_r:xserver_port_t:s0
-portcon tcp 6005  system_u:object_r:xserver_port_t:s0
-portcon tcp 6006  system_u:object_r:xserver_port_t:s0
-portcon tcp 6007  system_u:object_r:xserver_port_t:s0
-portcon tcp 6008  system_u:object_r:xserver_port_t:s0
-portcon tcp 6009  system_u:object_r:xserver_port_t:s0
-portcon tcp 6010  system_u:object_r:xserver_port_t:s0
-portcon tcp 6011  system_u:object_r:xserver_port_t:s0
-portcon tcp 6012  system_u:object_r:xserver_port_t:s0
-portcon tcp 6013  system_u:object_r:xserver_port_t:s0
-portcon tcp 6014  system_u:object_r:xserver_port_t:s0
-portcon tcp 6015  system_u:object_r:xserver_port_t:s0
-portcon tcp 6016  system_u:object_r:xserver_port_t:s0
-portcon tcp 6017  system_u:object_r:xserver_port_t:s0
-portcon tcp 6018  system_u:object_r:xserver_port_t:s0
-portcon tcp 6019  system_u:object_r:xserver_port_t:s0
-portcon tcp 6667 system_u:object_r:ircd_port_t:s0
-portcon tcp 8000 system_u:object_r:soundd_port_t:s0
-# 9433 is for YIFF
-portcon tcp 9433 system_u:object_r:soundd_port_t:s0
-portcon tcp 3128  system_u:object_r:http_cache_port_t:s0
-portcon tcp 8080  system_u:object_r:http_cache_port_t:s0
-portcon udp 3130  system_u:object_r:http_cache_port_t:s0
-# 8118 is for privoxy
-portcon tcp 8118  system_u:object_r:http_cache_port_t:s0
-
-portcon udp 4041 system_u:object_r:clockspeed_port_t:s0
-portcon tcp 8081 system_u:object_r:transproxy_port_t:s0
-portcon udp 10080 system_u:object_r:amanda_port_t:s0
-portcon tcp 10080 system_u:object_r:amanda_port_t:s0
-portcon udp 10081 system_u:object_r:amanda_port_t:s0
-portcon tcp 10081 system_u:object_r:amanda_port_t:s0
-portcon tcp 10082 system_u:object_r:amanda_port_t:s0
-portcon tcp 10083 system_u:object_r:amanda_port_t:s0
-portcon tcp 60000 system_u:object_r:postgrey_port_t:s0
-
-portcon tcp 10024 system_u:object_r:amavisd_recv_port_t:s0
-portcon tcp 10025 system_u:object_r:amavisd_send_port_t:s0
-portcon tcp 3310 system_u:object_r:clamd_port_t:s0
-portcon udp 6276 system_u:object_r:dcc_port_t:s0
-portcon udp 6277 system_u:object_r:dcc_port_t:s0
-portcon udp 24441 system_u:object_r:pyzor_port_t:s0
-portcon tcp 2703 system_u:object_r:razor_port_t:s0
-portcon tcp 8021 system_u:object_r:zope_port_t:s0
-
-# Defaults for reserved ports.  Earlier portcon entries take precedence;
-# these entries just cover any remaining reserved ports not otherwise 
-# declared or omitted due to removal of a domain.
-portcon tcp 1-1023 system_u:object_r:reserved_port_t:s0
-portcon udp 1-1023 system_u:object_r:reserved_port_t:s0
-
-# Network interfaces (default = initial SID "netif" and "netmsg")
-#
-# interface netif_context default_msg_context
-#
-netifcon lo system_u:object_r:netif_lo_t:s0 - s15:c0.c255 system_u:object_r:unlabeled_t:s0
-
-# Nodes (default = initial SID "node")
-#
-# address mask context
-#
-nodecon 127.0.0.1	  255.255.255.255			   system_u:object_r:node_lo_t:s0 - s15:c0.c255
-nodecon 0.0.0.0		  255.255.255.255			   system_u:object_r:node_inaddr_any_t:s0
-nodecon ::		  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  system_u:object_r:node_unspec_t:s0
-nodecon ::1		  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  system_u:object_r:node_lo_t:s0
-nodecon ff00::		  ff00::				   system_u:object_r:node_multicast_t:s0
-nodecon fe80::		  ffff:ffff:ffff:ffff::			   system_u:object_r:node_link_local_t:s0
-nodecon fec0::		  ffc0::				   system_u:object_r:node_site_local_t:s0
-nodecon ::		  ffff:ffff:ffff:ffff:ffff:ffff::	   system_u:object_r:node_compat_ipv4_t:s0
-nodecon ::ffff:0000:0000  ffff:ffff:ffff:ffff:ffff:ffff::	   system_u:object_r:node_mapped_ipv4_t:s0
-
-# FLASK
diff --git a/mls/rbac b/mls/rbac
deleted file mode 100644
index 708f70d..0000000
--- a/mls/rbac
+++ /dev/null
@@ -1,33 +0,0 @@
-################################################
-#
-# Role-based access control (RBAC) configuration.
-#
-
-# The RBAC configuration was originally centralized in this
-# file, but has been decomposed into individual role declarations, 
-# role allow rules, and role transition rules throughout the TE 
-# configuration to support easy removal or adding of domains without 
-# modifying a centralized file each time. This also allowed the macros 
-# to properly instantiate role declarations and rules for domains.
-# Hence, this file is largely unused, except for miscellaneous 
-# role allow rules.
-
-########################################
-#
-# Role allow rules.
-#
-# A role allow rule specifies the allowable
-# transitions between roles on an execve.
-# If no rule is specified, then the change in
-# roles will not be permitted.  Additional
-# controls over role transitions based on the
-# type of the process may be specified through
-# the constraints file.
-#
-# The syntax of a role allow rule is:
-# 	allow current_role new_role ;
-# 
-# Allow the admin role to transition to the system
-# role for run_init.
-#
-allow sysadm_r system_r;
diff --git a/mls/tunables/distro.tun b/mls/tunables/distro.tun
deleted file mode 100644
index 00b6eca..0000000
--- a/mls/tunables/distro.tun
+++ /dev/null
@@ -1,14 +0,0 @@
-# Distro-specific customizations.
-
-# Comment out all but the one that matches your distro.
-# The policy .te files can then wrap distro-specific customizations with
-# appropriate ifdefs.
-
-
-define(`distro_redhat')
-
-dnl define(`distro_suse')
-
-dnl define(`distro_gentoo')
-
-dnl define(`distro_debian')
diff --git a/mls/tunables/tunable.tun b/mls/tunables/tunable.tun
deleted file mode 100644
index 35dd15e..0000000
--- a/mls/tunables/tunable.tun
+++ /dev/null
@@ -1,35 +0,0 @@
-# Allow rpm to run unconfined.
-define(`unlimitedRPM')
-
-# Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
-
-# Allow rc scripts to run unconfined, including any daemon
-# started by an rc script that does not have a domain transition
-# explicitly defined.
-dnl define(`unlimitedRC')
-
-# Allow sysadm_t to directly start daemons
-dnl define(`direct_sysadm_daemon')
-
-# Do not allow sysadm_t to be in the security manager domain
-define(`separate_secadm')
-
-# Do not audit things that we know to be broken but which
-# are not security risks
-define(`hide_broken_symptoms')
-
-# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
-# Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
-
-# Allow xinetd to run unconfined, including any services it starts
-# that do not have a domain transition explicitly defined.
-dnl define(`unlimitedInetd')
-
-# for ndc_t to be used for restart shell scripts
-dnl define(`ndc_shell_script')
-
-# Enable Polyinstantiation support
-dnl define(`support_polyinstatiation')
-define(`mls_policy')
diff --git a/mls/types/device.te b/mls/types/device.te
deleted file mode 100644
index aee0a4c..0000000
--- a/mls/types/device.te
+++ /dev/null
@@ -1,163 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-############################################
-#
-# Device types
-#
-
-#
-# device_t is the type of /dev.
-#
-type device_t, file_type, mount_point, dev_fs;
-
-#
-# null_device_t is the type of /dev/null.
-#
-type null_device_t, device_type, dev_fs, mlstrustedobject;
-
-#
-# zero_device_t is the type of /dev/zero.
-#
-type zero_device_t, device_type, dev_fs, mlstrustedobject;
-
-#
-# console_device_t is the type of /dev/console.
-#
-type console_device_t, device_type, dev_fs;
-
-#
-# xconsole_device_t is the type of /dev/xconsole
-type xconsole_device_t, file_type, dev_fs;
-
-#
-# memory_device_t is the type of /dev/kmem,
-# /dev/mem, and /dev/port.
-#
-type memory_device_t, device_type, dev_fs;
-
-#
-# random_device_t is the type of /dev/random
-# urandom_device_t is the type of /dev/urandom
-#
-type random_device_t, device_type, dev_fs;
-type urandom_device_t, device_type, dev_fs;
-
-#
-# devtty_t is the type of /dev/tty.
-#
-type devtty_t, device_type, dev_fs, mlstrustedobject;
-
-#
-# tty_device_t is the type of /dev/*tty*
-#
-type tty_device_t, serial_device, device_type, dev_fs;
-
-#
-# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
-type bsdpty_device_t, device_type, dev_fs;
-
-#
-# usbtty_device_t is the type of /dev/usr/tty*
-#
-type usbtty_device_t, serial_device, device_type, dev_fs;
-
-#
-# printer_device_t is the type for printer devices
-#
-type printer_device_t, device_type, dev_fs;
-
-#
-# fixed_disk_device_t is the type of 
-# /dev/hd* and /dev/sd*.
-#
-type fixed_disk_device_t, device_type, dev_fs;
-
-#
-# scsi_generic_device_t is the type of /dev/sg*
-# it gives access to ALL SCSI devices (both fixed and removable)
-#
-type scsi_generic_device_t, device_type, dev_fs;
-
-#
-# removable_device_t is the type of
-# /dev/scd* and /dev/fd*.
-#
-type removable_device_t, device_type, dev_fs;
-
-#
-# clock_device_t is the type of
-# /dev/rtc.
-#
-type clock_device_t, device_type, dev_fs;
-
-#
-# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
-#
-type tun_tap_device_t, device_type, dev_fs;
-
-#
-# misc_device_t is the type of miscellaneous devices.
-# XXX:  FIXME!  Appropriate access to these devices need to be identified.
-#
-type misc_device_t, device_type, dev_fs;
-
-#
-# A more general type for mouse devices.
-#
-type mouse_device_t, device_type, dev_fs;
-
-#
-# For generic /dev/input/event* event devices
-#
-type event_device_t, device_type, dev_fs;
-
-#
-# Not sure what these devices are for, but X wants access to them.
-#
-type agp_device_t, device_type, dev_fs;
-type dri_device_t, device_type, dev_fs;
-
-# Type for sound devices.
-type sound_device_t, device_type, dev_fs;
-
-# Type for /dev/ppp.
-type ppp_device_t, device_type, dev_fs;
-
-# Type for frame buffer /dev/fb/*
-type framebuf_device_t, device_type, dev_fs;
-
-# Type for /dev/.devfsd
-type devfs_control_t, device_type, dev_fs;
-
-# Type for /dev/cpu/mtrr and /proc/mtrr
-type mtrr_device_t, device_type, dev_fs, proc_fs;
-
-# Type for /dev/pmu 
-type power_device_t, device_type, dev_fs;
-
-# Type for /dev/apm_bios
-type apm_bios_t, device_type, dev_fs;
-
-# Type for v4l
-type v4l_device_t, device_type, dev_fs;
-
-# tape drives
-type tape_device_t, device_type, dev_fs;
-
-# scanners
-type scanner_device_t, device_type, dev_fs;
-
-# cpu control devices /dev/cpu/0/*
-type cpu_device_t, device_type, dev_fs;
-
-# for other device nodes such as the NVidia binary-only driver
-type xserver_misc_device_t, device_type, dev_fs;
-
-# for the IBM zSeries z90crypt hardware ssl accelorator
-type crypt_device_t, device_type, dev_fs;
-
-
-
-
diff --git a/mls/types/devpts.te b/mls/types/devpts.te
deleted file mode 100644
index c6982ac..0000000
--- a/mls/types/devpts.te
+++ /dev/null
@@ -1,23 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-############################################
-#
-# Devpts types
-#
-
-#
-# ptmx_t is the type for /dev/ptmx.
-#
-type ptmx_t, sysadmfile, device_type, dev_fs, mlstrustedobject;
-
-#
-# devpts_t is the type of the devpts file system and 
-# the type of the root directory of the file system.
-#
-type devpts_t, mount_point, fs_type;
-
-ifdef(`targeted_policy', `
-typeattribute devpts_t ttyfile;
-')
diff --git a/mls/types/file.te b/mls/types/file.te
deleted file mode 100644
index fc03dcd..0000000
--- a/mls/types/file.te
+++ /dev/null
@@ -1,326 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-#######################################
-#
-# General file-related types
-#
-
-#
-# unlabeled_t is the type of unlabeled objects.
-# Objects that have no known labeling information or that
-# have labels that are no longer valid are treated as having this type.
-#
-type unlabeled_t, sysadmfile;
-
-#
-# fs_t is the default type for conventional filesystems.
-#
-type fs_t, fs_type;
-
-# needs more work
-type eventpollfs_t, fs_type;
-type futexfs_t, fs_type;
-type bdev_t, fs_type;
-type usbfs_t, mount_point, fs_type;
-type nfsd_fs_t, fs_type;
-type rpc_pipefs_t, fs_type;
-type binfmt_misc_fs_t, mount_point, fs_type;
-
-#
-# file_t is the default type of a file that has not yet been
-# assigned an extended attribute (EA) value (when using a filesystem
-# that supports EAs).
-#
-type file_t, file_type, mount_point, sysadmfile;
-
-# default_t is the default type for files that do not
-# match any specification in the file_contexts configuration
-# other than the generic /.* specification.
-type default_t, file_type, mount_point, sysadmfile;
-
-#
-# root_t is the type for the root directory.
-#
-type root_t, file_type, mount_point, polyparent, sysadmfile;
-
-#
-# mnt_t is the type for mount points such as /mnt/cdrom
-type mnt_t, file_type, mount_point, sysadmfile;
-
-#
-# home_root_t is the type for the directory where user home directories
-# are created
-#
-type home_root_t, file_type, mount_point, polyparent, sysadmfile;
-
-#
-# lost_found_t is the type for the lost+found directories.
-#
-type lost_found_t, file_type, sysadmfile;
-
-#
-# boot_t is the type for files in /boot,
-# including the kernel.
-#
-type boot_t, file_type, mount_point, sysadmfile;
-# system_map_t is for the system.map files in /boot
-type system_map_t, file_type, sysadmfile;
-
-#
-# boot_runtime_t is the type for /boot/kernel.h,
-# which is automatically generated at boot time.
-# only for red hat
-type boot_runtime_t, file_type, sysadmfile;
-
-#
-# tmp_t is the type of /tmp and /var/tmp.
-#
-type tmp_t, file_type, mount_point, sysadmfile, polydir, tmpfile;
-
-#
-# etc_t is the type of the system etc directories.
-#
-type etc_t, file_type, sysadmfile;
-
-# etc_mail_t is the type of /etc/mail.
-type etc_mail_t, file_type, sysadmfile, usercanread;
-
-#
-# shadow_t is the type of the /etc/shadow file
-#
-type shadow_t, file_type, secure_file_type;
-allow auth shadow_t:file { getattr read };
-
-#
-# ld_so_cache_t is the type of /etc/ld.so.cache.
-#
-type ld_so_cache_t, file_type, sysadmfile;
-
-#
-# etc_runtime_t is the type of various
-# files in /etc that are automatically
-# generated during initialization.
-#
-type etc_runtime_t, file_type, sysadmfile;
-
-#
-# fonts_runtime_t is the type of various
-# fonts files in /usr that are automatically
-# generated during initialization.
-#
-type fonts_t, file_type, sysadmfile, usercanread;
-
-#
-# etc_aliases_t is the type of the aliases database.
-#
-type etc_aliases_t, file_type, sysadmfile;
-
-# net_conf_t is the type of the /etc/resolv.conf file.
-# all DHCP clients and PPP need write access to this file.
-type net_conf_t, file_type, sysadmfile;
-
-#
-# lib_t is the type of files in the system lib directories.
-#
-type lib_t, file_type, sysadmfile;
-
-#
-# shlib_t is the type of shared objects in the system lib
-# directories.
-#
-ifdef(`targeted_policy', `
-typealias lib_t alias shlib_t;
-', `
-type shlib_t, file_type, sysadmfile;
-')
-
-#
-# texrel_shlib_t is the type of shared objects in the system lib
-# directories, which require text relocation.
-#
-ifdef(`targeted_policy', `
-typealias lib_t alias texrel_shlib_t;
-', `
-type texrel_shlib_t, file_type, sysadmfile;
-')
-
-# ld_so_t is the type of the system dynamic loaders.
-#
-type ld_so_t, file_type, sysadmfile;
-
-#
-# bin_t is the type of files in the system bin directories.
-#
-type bin_t, file_type, sysadmfile;
-
-#
-# cert_t is the type of files in the system certs directories.
-#
-type cert_t, file_type, sysadmfile, secure_file_type;
-
-#
-# ls_exec_t is the type of the ls program.
-#
-type ls_exec_t, file_type, exec_type, sysadmfile;
-
-#
-# shell_exec_t is the type of user shells such as /bin/bash.
-#
-type shell_exec_t, file_type, exec_type, sysadmfile;
-
-#
-# sbin_t is the type of files in the system sbin directories.
-#
-type sbin_t, file_type, sysadmfile;
-
-#
-# usr_t is the type for /usr.
-#
-type usr_t, file_type, mount_point, sysadmfile;
-
-#
-# src_t is the type of files in the system src directories.
-#
-type src_t, file_type, mount_point, sysadmfile;
-
-#
-# var_t is the type for /var.
-#
-type var_t, file_type, mount_point, sysadmfile;
-
-#
-# Types for subdirectories of /var.
-#
-type var_run_t, file_type, sysadmfile;
-type var_log_t, file_type, sysadmfile, logfile;
-typealias var_log_t alias crond_log_t;
-type faillog_t, file_type, sysadmfile, logfile;
-type var_lock_t, file_type, sysadmfile, lockfile;
-type var_lib_t, mount_point, file_type, sysadmfile;
-type var_auth_t, file_type, sysadmfile;
-# for /var/{spool,lib}/texmf index files
-type tetex_data_t, file_type, sysadmfile, tmpfile;
-type var_spool_t, file_type, sysadmfile, tmpfile;
-type var_yp_t, file_type, sysadmfile;
-
-# Type for /var/log/ksyms.
-type var_log_ksyms_t, file_type, sysadmfile, logfile;
-
-# Type for /var/log/lastlog.
-type lastlog_t, file_type, sysadmfile, logfile;
-
-# Type for /var/lib/nfs.
-type var_lib_nfs_t, file_type, mount_point, sysadmfile, usercanread;
-
-#
-# wtmp_t is the type of /var/log/wtmp.
-#
-type wtmp_t, file_type, sysadmfile, logfile;
-
-#
-# cron_spool_t is the type for /var/spool/cron.
-#
-type cron_spool_t, file_type, sysadmfile;
-
-#
-# print_spool_t is the type for /var/spool/lpd and /var/spool/cups.
-#
-type print_spool_t, file_type, sysadmfile, tmpfile;
-
-#
-# mail_spool_t is the type for /var/spool/mail.
-#
-type mail_spool_t, file_type, sysadmfile;
-
-#
-# mqueue_spool_t is the type for /var/spool/mqueue.
-#
-type mqueue_spool_t, file_type, sysadmfile;
-
-#
-# man_t is the type for the man directories.
-#
-type man_t, file_type, sysadmfile;
-typealias man_t alias catman_t;
-
-#
-# readable_t is a general type for
-# files that are readable by all domains.
-#
-type readable_t, file_type, sysadmfile;
-
-# 
-# Base type for the tests directory.
-# 
-type test_file_t, file_type, sysadmfile;
-
-#
-# poly_t is the type for the polyinstantiated directories.
-#
-type poly_t, file_type, sysadmfile;
-
-#
-# swapfile_t is for swap files
-#
-type swapfile_t, file_type, sysadmfile;
-
-#
-# locale_t is the type for system localization
-# 
-type locale_t, file_type, sysadmfile;
-
-#
-# Allow each file type to be associated with 
-# the default file system type.
-#
-allow { file_type device_type ttyfile } fs_t:filesystem associate;
-
-type tmpfs_t, file_type, mount_point, sysadmfile, fs_type;
-allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;
-allow { logfile tmpfile home_type } tmp_t:filesystem associate;
-ifdef(`distro_redhat', `
-allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
-')
-
-type autofs_t, fs_type, noexattrfile, sysadmfile;
-type usbdevfs_t, fs_type, mount_point, noexattrfile, sysadmfile;
-type sysfs_t, mount_point, fs_type,  sysadmfile;
-type iso9660_t, fs_type, noexattrfile, sysadmfile;
-type romfs_t, fs_type, sysadmfile;
-type ramfs_t, fs_type, sysadmfile;
-type dosfs_t, fs_type, noexattrfile, sysadmfile;
-type hugetlbfs_t, mount_point, fs_type,  sysadmfile;
-typealias file_t alias  mqueue_t;
-
-# udev_runtime_t is the type of the udev table file
-type udev_runtime_t, file_type, sysadmfile;
-
-# krb5_conf_t is the type of the /etc/krb5.conf file
-type krb5_conf_t, file_type, sysadmfile;
-
-type cifs_t, fs_type, noexattrfile, sysadmfile;
-type debugfs_t, fs_type, sysadmfile;
-type configfs_t, fs_type, sysadmfile;
-type inotifyfs_t, fs_type, sysadmfile;
-type capifs_t, fs_type, sysadmfile;
-
-# removable_t is the default type of all removable media
-type removable_t, file_type, sysadmfile, usercanread;
-allow file_type removable_t:filesystem associate;
-allow file_type noexattrfile:filesystem associate;
-
-# Type for anonymous FTP data, used by ftp and rsync
-type public_content_t, file_type, sysadmfile, customizable;
-type public_content_rw_t, file_type, sysadmfile, customizable;
-typealias public_content_t alias ftpd_anon_t;
-typealias public_content_rw_t alias ftpd_anon_rw_t;
-
-# type for /tmp/.ICE-unix
-type ice_tmp_t, file_type, sysadmfile, tmpfile;
-
-# type for /usr/share/hwdata
-type hwdata_t, file_type, sysadmfile;
-allow { fs_type file_type } self:filesystem associate;
-
diff --git a/mls/types/network.te b/mls/types/network.te
deleted file mode 100644
index c5965fd..0000000
--- a/mls/types/network.te
+++ /dev/null
@@ -1,179 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-# Modified by Reino Wallin <reino@oribium.com>
-# Multi NIC, and IPSEC features
-
-# Modified by Russell Coker
-# Move port types to their respective domains, add ifdefs, other cleanups.
-
-type xserver_port_t, port_type;
-#
-# Defines used by the te files need to be defined outside of net_constraints
-#
-type rsh_port_t, port_type, reserved_port_type;
-type dns_port_t, port_type, reserved_port_type;
-type smtp_port_t, port_type, reserved_port_type;
-type dhcpd_port_t, port_type, reserved_port_type;
-type smbd_port_t, port_type, reserved_port_type;
-type nmbd_port_t, port_type, reserved_port_type;
-type http_cache_port_t, port_type;
-type http_port_t, port_type, reserved_port_type;
-type ipp_port_t, port_type, reserved_port_type;
-type gopher_port_t, port_type, reserved_port_type;
-type isakmp_port_t, port_type, reserved_port_type;
-
-allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
-type pop_port_t, port_type, reserved_port_type;
-
-type ftp_port_t, port_type, reserved_port_type;
-type ftp_data_port_t, port_type, reserved_port_type;
-
-############################################
-#
-# Network types
-#
-
-#
-# mail_port_t is for generic mail ports shared by different mail servers
-#
-type mail_port_t, port_type;
-
-#
-# Ports used to communicate with kerberos server
-#
-type kerberos_port_t, port_type, reserved_port_type;
-type kerberos_admin_port_t, port_type, reserved_port_type;
-
-#
-# Ports used to communicate with portmap server
-#
-type portmap_port_t, port_type, reserved_port_type;
-
-#
-# Ports used to communicate with ldap server
-#
-type ldap_port_t, port_type, reserved_port_type;
-
-#
-# port_t is the default type of INET port numbers.
-# The *_port_t types are used for specific port
-# numbers in net_contexts or net_contexts.mls.
-#
-type port_t, port_type;
-
-# reserved_port_t is the default type for INET reserved ports
-# that are not otherwise mapped to a specific port type.
-type reserved_port_t, port_type;
-
-#
-# netif_t is the default type of network interfaces.
-# The netif_*_t types are used for specific network
-# interfaces in net_contexts or net_contexts.mls.
-#
-type netif_t, netif_type;
-type netif_lo_t, netif_type;
-
-
-#
-# node_t is the default type of network nodes.
-# The node_*_t types are used for specific network
-# nodes in net_contexts or net_contexts.mls.
-#
-type node_t, node_type;
-type node_lo_t, node_type;
-type node_internal_t, node_type;
-type node_inaddr_any_t, node_type;
-type node_unspec_t, node_type;
-type node_link_local_t, node_type;
-type node_site_local_t, node_type;
-type node_multicast_t, node_type;
-type node_mapped_ipv4_t, node_type;
-type node_compat_ipv4_t, node_type;
-
-# Kernel-generated traffic, e.g. ICMP replies.
-allow kernel_t netif_type:netif { rawip_send rawip_recv };
-allow kernel_t node_type:node { rawip_send rawip_recv };
-
-# Kernel-generated traffic, e.g. TCP resets.
-allow kernel_t netif_type:netif { tcp_send tcp_recv };
-allow kernel_t node_type:node { tcp_send tcp_recv };
-type radius_port_t, port_type;
-type radacct_port_t, port_type;
-type rndc_port_t, port_type, reserved_port_type;
-type tftp_port_t, port_type, reserved_port_type;
-type printer_port_t, port_type, reserved_port_type;
-type mysqld_port_t, port_type;
-type postgresql_port_t, port_type;
-type ptal_port_t, port_type;
-type howl_port_t, port_type;
-type dict_port_t, port_type;
-type syslogd_port_t, port_type, reserved_port_type;
-type spamd_port_t, port_type, reserved_port_type;
-type ssh_port_t, port_type, reserved_port_type;
-type pxe_port_t, port_type;
-type amanda_port_t, port_type;
-type fingerd_port_t, port_type, reserved_port_type;
-type dhcpc_port_t, port_type, reserved_port_type;
-type ntp_port_t, port_type, reserved_port_type;
-type stunnel_port_t, port_type;
-type zebra_port_t, port_type;
-type i18n_input_port_t, port_type;
-type vnc_port_t, port_type;
-type pegasus_http_port_t, port_type;
-type pegasus_https_port_t, port_type;
-type openvpn_port_t, port_type;
-type clamd_port_t, port_type;
-type transproxy_port_t, port_type;
-type clockspeed_port_t, port_type;
-type pyzor_port_t, port_type;
-type postgrey_port_t, port_type;
-type asterisk_port_t, port_type;
-type utcpserver_port_t, port_type;
-type nessus_port_t, port_type;
-type razor_port_t, port_type;
-type distccd_port_t, port_type;
-type socks_port_t, port_type;
-type gatekeeper_port_t, port_type;
-type dcc_port_t, port_type;
-type lrrd_port_t, port_type;
-type jabber_client_port_t, port_type;
-type jabber_interserver_port_t, port_type;
-type ircd_port_t, port_type;
-type giftd_port_t, port_type;
-type soundd_port_t, port_type;
-type imaze_port_t, port_type;
-type monopd_port_t, port_type;
-# Differentiate between the port where amavisd receives mail, and the
-# port where it returns cleaned mail back to the MTA.
-type amavisd_recv_port_t, port_type;
-type amavisd_send_port_t, port_type;
-type innd_port_t, port_type, reserved_port_type;
-type snmp_port_t, port_type, reserved_port_type;
-type biff_port_t, port_type, reserved_port_type;
-type hplip_port_t, port_type;
-
-#inetd_child_ports
-
-type rlogind_port_t, port_type, reserved_port_type;
-type telnetd_port_t, port_type, reserved_port_type;
-type comsat_port_t, port_type, reserved_port_type;
-type cvs_port_t, port_type;
-type dbskkd_port_t, port_type;
-type inetd_child_port_t, port_type, reserved_port_type;
-type ktalkd_port_t, port_type, reserved_port_type;
-type rsync_port_t, port_type, reserved_port_type;
-type uucpd_port_t, port_type, reserved_port_type;
-type swat_port_t, port_type, reserved_port_type;
-type zope_port_t, port_type;
-type auth_port_t, port_type, reserved_port_type;
-
-# afs ports
-
-type afs_fs_port_t, port_type;
-type afs_pt_port_t, port_type;
-type afs_vl_port_t, port_type;
-type afs_ka_port_t, port_type;
-type afs_bos_port_t, port_type;
-
diff --git a/mls/types/nfs.te b/mls/types/nfs.te
deleted file mode 100644
index e6dd6e0..0000000
--- a/mls/types/nfs.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-#############################################
-#
-# NFS types
-#
-
-#
-# nfs_t is the default type for NFS file systems 
-# and their files.  
-# The nfs_*_t types are used for specific NFS
-# servers in net_contexts or net_contexts.mls.
-#
-type nfs_t, mount_point, fs_type;
-
-#
-# Allow NFS files to be associated with an NFS file system.
-#
-allow file_type nfs_t:filesystem associate;
diff --git a/mls/types/procfs.te b/mls/types/procfs.te
deleted file mode 100644
index 20703ac..0000000
--- a/mls/types/procfs.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-############################################
-#
-# Procfs types
-#
-
-#
-# proc_t is the type of /proc.
-# proc_kmsg_t is the type of /proc/kmsg.
-# proc_kcore_t is the type of /proc/kcore.
-# proc_mdstat_t is the type of /proc/mdstat.
-# proc_net_t is the type of /proc/net.
-#
-type proc_t, fs_type, mount_point, proc_fs;
-type proc_kmsg_t, proc_fs;
-type proc_kcore_t, proc_fs;
-type proc_mdstat_t, proc_fs;
-type proc_net_t, proc_fs;
-
-#
-# sysctl_t is the type of /proc/sys.
-# sysctl_fs_t is the type of /proc/sys/fs.
-# sysctl_kernel_t is the type of /proc/sys/kernel.
-# sysctl_modprobe_t is the type of /proc/sys/kernel/modprobe.
-# sysctl_hotplug_t is the type of /proc/sys/kernel/hotplug.
-# sysctl_net_t is the type of /proc/sys/net.
-# sysctl_net_unix_t is the type of /proc/sys/net/unix.
-# sysctl_vm_t is the type of /proc/sys/vm.
-# sysctl_dev_t is the type of /proc/sys/dev.
-# sysctl_rpc_t is the type of /proc/net/rpc.
-#
-# These types are applied to both the entries in
-# /proc/sys and the corresponding sysctl parameters.
-#
-type sysctl_t, mount_point, sysctl_type;
-type sysctl_fs_t, sysctl_type;
-type sysctl_kernel_t, sysctl_type;
-type sysctl_modprobe_t, sysctl_type;
-type sysctl_hotplug_t, sysctl_type;
-type sysctl_net_t, sysctl_type;
-type sysctl_net_unix_t, sysctl_type;
-type sysctl_vm_t, sysctl_type;
-type sysctl_dev_t, sysctl_type;
-type sysctl_rpc_t, sysctl_type;
-type sysctl_irq_t, sysctl_type;
-
-
diff --git a/mls/types/security.te b/mls/types/security.te
deleted file mode 100644
index cc1574f..0000000
--- a/mls/types/security.te
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-############################################
-#
-# Security types
-#
-
-# 
-# security_t is the target type when checking
-# the permissions in the security class.  It is also
-# applied to selinuxfs inodes.
-#
-type security_t, mount_point, fs_type, mlstrustedobject;
-dontaudit domain security_t:dir search;
-dontaudit domain security_t:file { getattr read };
-
-#
-# policy_config_t is the type of /etc/security/selinux/*
-# the security server policy configuration.
-#
-type policy_config_t, file_type, secadmfile;
-# Since libselinux attempts to read these by default, most domains 
-# do not need it.
-dontaudit domain selinux_config_t:dir search;
-dontaudit domain selinux_config_t:file { getattr read };
-
-#
-# policy_src_t is the type of the policy source
-# files.
-#
-type policy_src_t, file_type, secadmfile;
-
-
-#
-# default_context_t is the type applied to 
-# /etc/selinux/*/contexts/*
-#
-type default_context_t, file_type, login_contexts, secadmfile;
-
-#
-# file_context_t is the type applied to 
-# /etc/selinux/*/contexts/files
-#
-type file_context_t, file_type, secadmfile;
-
-#
-# no_access_t is the type for objects that should
-# only be accessed administratively. 
-#
-type no_access_t, file_type, sysadmfile;
-
-#
-# selinux_config_t is the type applied to 
-# /etc/selinux/config
-#
-type selinux_config_t, file_type, secadmfile;
-
-
diff --git a/mls/types/x.te b/mls/types/x.te
deleted file mode 100644
index 0cee314..0000000
--- a/mls/types/x.te
+++ /dev/null
@@ -1,32 +0,0 @@
-#
-# Authors:  Eamon Walsh <ewalsh@epoch.ncsc.mil>
-#
-
-#######################################
-#
-# Types for the SELinux-enabled X Window System
-#
-
-#
-# X protocol extension types.  The SELinux extension in the X server
-# has a hardcoded table that maps actual extension names to these types.
-#
-type accelgraphics_ext_t, xextension;
-type debug_ext_t, xextension;
-type font_ext_t, xextension;
-type input_ext_t, xextension;
-type screensaver_ext_t, xextension;
-type security_ext_t, xextension;
-type shmem_ext_t, xextension;
-type std_ext_t, xextension;
-type sync_ext_t, xextension;
-type unknown_ext_t, xextension;
-type video_ext_t, xextension;
-type windowmgr_ext_t, xextension;
-
-#
-# X property types.  The SELinux extension in the X server has a 
-# hardcoded table that maps actual extension names to these types.
-#
-type wm_property_t, xproperty;
-type unknown_property_t, xproperty;
diff --git a/mls/users b/mls/users
deleted file mode 100644
index 058c5fb..0000000
--- a/mls/users
+++ /dev/null
@@ -1,57 +0,0 @@
-##################################
-#
-# User configuration.
-#
-# This file defines each user recognized by the system security policy.
-# Only the user identities defined in this file may be used as the
-# user attribute in a security context.
-#
-# Each user has a set of roles that may be entered by processes
-# with the users identity.  The syntax of a user declaration is:
-#
-# 	user username roles role_set [ level default_level range allowed_range ] level s0 range s0 - s15:c0.c255;
-#
-# The MLS default level and allowed range should only be specified if 
-# MLS was enabled in the policy.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system_u,
-# and a user process should never be assigned the system_u user
-# identity.
-#
-user system_u roles system_r level s0 range s0 - s15:c0.c255;
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined.  The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user.  If you do not want to
-# permit any access to such users, then remove this entry.
-#
-user user_u roles { user_r } level s0 range s0 - s0; 
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell.  Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-
-# The sysadm_r user also needs to be permitted system_r if we are to allow
-# direct execution of daemons
-user root roles { sysadm_r staff_r secadm_r ifdef(`direct_sysadm_daemon', `system_r') } level s0 range s0 - s15:c0.c255;
-
-# sample for administrative user
-#user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') } level s0 range s0 - s15:c0.c255;
-
-# sample for regular user
-#user jdoe roles { user_r } level s0 range s0 - s15:c0.c255;
-
-#
-# The following users correspond to special Unix identities
-# 
-ifdef(`nx_server.te', `
-user nx roles nx_server_r level s0 range s0 - s15:c0.c255;
-')
diff --git a/strict/COPYING b/strict/COPYING
deleted file mode 100644
index 5b6e7c6..0000000
--- a/strict/COPYING
+++ /dev/null
@@ -1,340 +0,0 @@
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-			    Preamble
-
-  The licenses for most software are designed to take away your
-freedom to share and change it.  By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users.  This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
-  To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have.  You must make sure that they, too, receive or can get the
-source code.  And you must show them these terms so they know their
-rights.
-
-  We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
-  Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software.  If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary.  To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License.  The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language.  (Hereinafter, translation is included without limitation in
-the term "modification".)  Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope.  The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
-  1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
-  2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
-    a) You must cause the modified files to carry prominent notices
-    stating that you changed the files and the date of any change.
-
-    b) You must cause any work that you distribute or publish, that in
-    whole or in part contains or is derived from the Program or any
-    part thereof, to be licensed as a whole at no charge to all third
-    parties under the terms of this License.
-
-    c) If the modified program normally reads commands interactively
-    when run, you must cause it, when started running for such
-    interactive use in the most ordinary way, to print or display an
-    announcement including an appropriate copyright notice and a
-    notice that there is no warranty (or else, saying that you provide
-    a warranty) and that users may redistribute the program under
-    these conditions, and telling the user how to view a copy of this
-    License.  (Exception: if the Program itself is interactive but
-    does not normally print such an announcement, your work based on
-    the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole.  If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works.  But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
-  3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
-    a) Accompany it with the complete corresponding machine-readable
-    source code, which must be distributed under the terms of Sections
-    1 and 2 above on a medium customarily used for software interchange; or,
-
-    b) Accompany it with a written offer, valid for at least three
-    years, to give any third party, for a charge no more than your
-    cost of physically performing source distribution, a complete
-    machine-readable copy of the corresponding source code, to be
-    distributed under the terms of Sections 1 and 2 above on a medium
-    customarily used for software interchange; or,
-
-    c) Accompany it with the information you received as to the offer
-    to distribute corresponding source code.  (This alternative is
-    allowed only for noncommercial distribution and only if you
-    received the program in object code or executable form with such
-    an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it.  For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable.  However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
-  4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License.  Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
-  5. You are not required to accept this License, since you have not
-signed it.  However, nothing else grants you permission to modify or
-distribute the Program or its derivative works.  These actions are
-prohibited by law if you do not accept this License.  Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
-  6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions.  You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
-  7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all.  For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices.  Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
-  8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded.  In such case, this License incorporates
-the limitation as if written in the body of this License.
-
-  9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number.  If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
-  10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission.  For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this.  Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
-			    NO WARRANTY
-
-  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
-    Gnomovision version 69, Copyright (C) year name of author
-    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary.  Here is a sample; alter the names:
-
-  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
-  `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-  <signature of Ty Coon>, 1 April 1989
-  Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs.  If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
-Public License instead of this License.
diff --git a/strict/ChangeLog b/strict/ChangeLog
deleted file mode 100644
index db9833c..0000000
--- a/strict/ChangeLog
+++ /dev/null
@@ -1,391 +0,0 @@
-1.27.1 2005-09-15
-	* Merged small patches from Russell Coker for the apostrophe,
-	dhcpc, fsadm, and setfiles policy.
-	* Merged a patch from Russell Coker with some minor fixes to a
-	multitude of policy files.
-	* Merged patch from Dan Walsh from August 15th. Adds certwatch
-	policy.  Adds mcs support to Makefile.  Adds mcs file which
-	defines sensitivities and categories for the MSC policy.  Creates
-	an authentication_domain macro in global_macros.te for domains
-	that use pam_authentication.  Creates the anonymous_domain macro
-	so that the ftpd, rsync, httpd, and smbd domains can share the
-	ftpd_anon_t and ftpd_anon_rw_t types.  Removes netifcon rules to
-	start isolating individual ethernet devices.  Changes vpnc from a
-	daemon to an application_domain.  Adds audit_control capability to
-	crond_t.  Adds dac_override and dac_read_search capabilities to
-	fsadm_t to allow the manipulation of removable media.  Adds
-	read_sysctl macro to the base_passwd_domain macro.  Adds rules to
-	allow alsa_t to communicate with userspace.  Allows networkmanager
-	to communicate with isakmp_port and to use vpnc.  For targeted
-	policy, removes transitions of sysadm_t to apm_t, backup_t,
-	bootloader_t, cardmgr_t, clockspeed_t, hwclock_t, and kudzu_t.
-	Makes other minor cleanups and fixes.
-	
-1.26 2005-09-06
-	* Updated version for release.
-
-1.25.4 2005-08-10
-	* Merged small patches from Russell Coker for the restorecon,
-	kudzu, lvm, radvd, and spamassasin policies.
-	* Added fs_use_trans rule for mqueue from Mark Gebhart to support
-	the work he has done on providing SELinux support for mqueue.
-	* Merged a patch from Dan Walsh. Removes the user_can_mount
-	tunable.  Adds disable_evolution_trans and disable_thunderbird_trans
-	booleans.  Adds the nscd_client_domain attribute to insmod_t.
-	Removes the user_ping boolean from targeted policy.  Adds
-	hugetlbfs, inotifyfs, and mqueue filesystems to genfs_contexts.
-	Adds the isakmp_port for vpnc.  Creates the pptp daemon domain.
-	Allows getty to run sbin_t for pppd.  Allows initrc to write to
-	default_t for booting.  Allows Hotplug_t sys_rawio for prism54
-	card at boot.  Other minor fixes.
-
-1.25.3 2005-07-18
-	* Merged patch from Dan Walsh.  Adds auth_bool attribute to allow
-	domains to have read access to shadow_t.  Creates pppd_can_insmod
-	boolean to control the loading of modem kernel modules.  Allows
-	nfs to export noexattrfile types.  Allows unix_chpwd to access
-	cert files and random devices for encryption purposes.  Other
-	minor cleanups and fixes.
-
-1.25.2 2005-07-11
-	* Merged patch from Dan Walsh.  Added allow_ptrace boolean to
-	allow sysadm_t to ptrace and debug apps.  Gives auth_chkpwd the
-	audit_control and audit_write capabilities.  Stops targeted policy
-	from transitioning from unconfined_t to netutils.  Allows cupsd to
-	audit messages.  Gives prelink the execheap, execmem, and execstack
-	permissions by default.  Adds can_winbind boolean and functions to
-	better handle samba and winbind communications.  Eliminates
-	allow_execmod checks around texrel_shlib_t libraries.  Other minor
-	cleanups and fixes.
-	
-1.25.1 2005-07-05
-	* Moved role_tty_type_change, reach_sysadm, and priv_user macros
-	from user.te to user_macros.te as suggested by Steve.
-	* Modified admin_domain macro so autrace would work and removed
-	privuser attribute for dhcpc as suggested by Russell Coker.
-	* Merged rather large patch from Dan Walsh.  Moves
-	targeted/strict/mls policies closer together.  Adds local.te for
-	users to customize.  Includes minor fixes to auditd, cups,
-	cyrus_imapd, dhcpc, and dovecot.  Includes Russell Coker's patch
-	that defines all ports in network.te.  Ports are always defined
-	now, no ifdefs are used in network.te.  Also includes Ivan
-	Gyurdiev's user home directory policy patches.  These patches add
-	alsa, bonobo, ethereal, evolution, gconf, gnome, gnome_vfs,
-	iceauth, orbit, and thunderbird policy.  They create read_content,
-	write_trusted, and write_untrusted macros in content.te.  They
-	create network_home, write_network_home, read_network_home,
-	base_domain_ro_access, home_domain_access, home_domain, and
-	home_domain_ro macros in home_macros.te.  They also create
-	$3_read_content, $3_write_content, and write_untrusted booleans.
-	
-1.24 2005-06-20
-	* Updated version for release.
-
-1.23.18 2005-05-31
-	* Merged minor fixes to pppd.fc and courier.te by Russell Coker.
-	* Removed devfsd policy as suggested by Russell Coker.
-	* Merged patch from Dan Walsh.  Includes beginnings of Ivan
-	Gyurdiev's Font Config policy.  Don't transition to fsadm_t from
-	unconfined_t (sysadm_t) in targeted policy.  Add support for
-	debugfs in modutil.  Allow automount to create and delete
-	directories in /root and /home dirs.  Move can_ypbind to
-	chkpwd_macro.te.  Allow useradd to create additional files and
-	types via the skell mechanism.  Other minor cleanups and fixes.
-
-1.23.17 2005-05-23
-	* Merged minor fixes by Petre Rodan to the daemontools, dante,
-	gpg, kerberos, and ucspi-tcp policies.
-	* Merged minor fixes by Russell Coker to the bluetooth, crond,
-	initrc, postfix, and udev  policies.  Modifies constraints so that
-	newaliases can be run.  Modifies types.fc so that objects in
-	lost+found directories will not be relabled.
-	* Modified fc rules for nvidia.
-	* Added Chad Sellers policy for polyinstantiation support, which
-	creates the polydir, polyparent, and polymember attributes.  Also
-	added the support_polyinstantiation tunable.
-	* Merged patch from Dan Walsh.  Includes mount_point attribute,
-	read_font macros and some other policy fixes from Ivan Gyurdiev.
-	Adds privkmsg and secadmfile attributes and ddcprobe policy.
-	Removes the use_syslogng boolean.  Many other minor fixes.
-
-1.23.16 2005-05-13
-	* Added rdisc policy from Russell Coker.
-	* Merged minor fix to named policy by Petre Rodan.
-	* Merged minor fixes to policy from Russell Coker for kudzu,
-	named, screen, setfiles, telnet, and xdm.
-	* Merged minor fix to Makefile from Russell Coker.
-
-1.23.15 2005-05-06
-	* Added tripwire and yam policy from David Hampton.
-	* Merged minor fixes to amavid and a clarification to the
-	httpdcontent attribute comments from David Hampton.
-	* Merged patch from Dan Walsh.  Includes fixes for restorecon,
-	games, and postfix from Russell Coker.  Adds support for debugfs.
-	Restores support for reiserfs.  Allows udev to work with tmpfs_t
-	before /dev is labled.  Removes transition from sysadm_t
-	(unconfined_t) to ifconfig_t for the targeted policy.  Other minor
-	cleanups and fixes.
-
-1.23.14 2005-04-29
-	* Added afs policy from Andrew Reisse.
-	* Merged patch from Lorenzo Hernández García-Hierro which defines
-	execstack and execheap permissions.  The patch excludes these
-	permissions from general_domain_access and updates the macros for
-	X, legacy binaries, users, and unconfined domains.
-	* Added nlmsg_relay permisison where netlink_audit_socket class is
-	used.  Added nlmsg_readpriv permission to auditd_t and auditctl_t.
-	* Merged some minor cleanups from Russell Coker and David Hampton.
-	* Merged patch from Dan Walsh.  Many changes made to allow
-	targeted policy to run closer to strict and now almost all of
-	non-userspace is protected via SELinux.  Kernel is now in
-	unconfined_domain for targeted and runs as root:system_r:kernel_t.
-	Added transitionbool to daemon_sub_domain, mainly to turn off
-	httpd_suexec transitioning.  Implemented web_client_domain
-	name_connect rules.  Added yp support for cups.  Now the real
-	hotplug, udev, initial_sid_contexts are used for the targeted
-	policy.  Other minor cleanups and fixes.  Auditd fixes by Paul
-	Moore.
-
-1.23.13 2005-04-22
-	* Merged more changes from Dan Walsh to initrc_t for removal of
-	unconfined_domain.
-	* Merged Dan Walsh's split of auditd policy into auditd_t for the
-	audit daemon and auditctl_t for the autoctl program.
-	* Added use of name_connect to uncond_can_ypbind macro by Dan
-	Walsh.
-	* Merged other cleanup and fixes by Dan Walsh.
-
-1.23.12 2005-04-20
-	* Merged Dan Walsh's Netlink changes to handle new auditing pam
-	modules.
-	* Merged Dan Walsh's patch removing the sysadmfile attribute from
-	policy files to separate sysadm_t from secadm_t.
-	* Added CVS and uucpd policy from Dan Walsh.
-	* Cleanup by Dan Walsh to handle turning off unlimitedRC.
-	* Merged Russell Coker's fixes to ntpd, postgrey, and named
-	policy.
-	* Cleanup of chkpwd_domain and added permissions to su_domain
-	macro due to pam changes to support audit.
-	* Added nlmsg_relay and nlmsg_readpriv permissions to the
-	netlink_audit_socket class.
-
-1.23.11 2005-04-14
-	* Merged Dan Walsh's separation of the security manager and system
-	administrator.
-	* Removed screensaver.te as suggested by Thomas Bleher
-	* Cleanup of typealiases that are no longer used by Thomas Bleher.
-	* Cleanup of fc files and additional rules for SuSE by Thomas
-	Bleher.
-	* Merged changes to auditd and named policy by Russell Coker.
-	* Merged MLS change from Darrel Goeddel to support the policy
-	hierarchy patch.
-
-1.23.10 2005-04-08
-	* Removed pump.te, pump.fc, and targeted/domains/program/modutil.te
-
-1.23.9 2005-04-07
-	* Merged diffs from Dan Walsh.  Includes Ivan Gyurdiev's cleanup
-	of x_client apps.
-	* Added dmidecode policy from Ivan Gyurdiev.
-
-1.23.8 2005-04-05
-	* Added netlink_kobject_uevent_socket class.
-	* Removed empty files pump.te and pump.fc.
-	* Added NetworkManager policy from Dan Walsh.
-	* Merged Dan Walsh's major restructuring of Apache's policy.
-
-1.23.7 2005-04-04
-	* Merged David Hampton's amavis and clamav cleanups.
-	* Added David Hampton's dcc, pyzor, and razor policy.
-	
-1.23.6 2005-04-01
-	* Merged cleanup of the Makefile and other stuff from Dan Walsh.
-	Dan's patch includes some desktop changes from Ivan Gyurdiev.
-	* Merged Thomas Bleher's patches which increase the usage of
-	lock_domain() and etc_domain(), changes var_lib_DOMAIN_t usage to
-	DOMAIN_var_lib_t, and removes use of notdevfile_class_set where
-	possible. 
-	* Merged Greg Norris's cleanup of fetchmail.
-	
-1.23.5 2005-03-23
-	* Added name_connect support from Dan Walsh.
-	* Added httpd_unconfined_t from Dan Walsh.
-	* Merged cleanup of assert.te to allow unresticted full access
-	from Dan Walsh.
-	
-1.23.4 2005-03-21
-	* Merged diffs from Dan Walsh:  
-	* Cleanup of x_client_macro, tvtime, mozilla, and mplayer by Ivan 
-	Gyurdiev.  
-	* Added syslogng support to syslog.te.
-	
-1.23.3 2005-03-15
-	* Added policy for nx_server from Thomas Bleher.
-	* Added policies for clockspeed, daemontools, djbdns, ucspi-tcp, and
-	publicfile from Petre Rodan.
-	
-1.23.2 2005-03-14
-	* Merged diffs from Dan Walsh.  Dan's patch includes Ivan Gyurdiev's 
-	gift policy.
-	* Made sysadm_r the first role for root, so root's home will be labled 
-	as sysadm_home_dir_t instead of staff_home_dir_t.
-	* Modified fs_use and Makefile to reflect jfs now supporting security 
-	xattrs.
-
-1.23.1 2005-03-10
-	* Merged diffs from Dan Walsh.  Dan's patch includes Ivan
-	Gyurdiev's cleanup of homedir macros and more extensive use of
-	read_sysctl()
-
-1.22 2005-03-09
-	* Updated version for release.
-
-1.21 2005-02-24
-	* Added secure_file_type attribute from Dan Walsh
-	* Added access_terminal() macro from Ivan Gyurdiev
-	* Updated capability access vector for audit capabilities.
-	* Added mlsconvert Makefile target to help generate MLS policies
-	  (see selinux-doc/README.MLS for instructions).
-	* Changed policy Makefile to still generate policy.18 as well,
-	  and use it for make load if the kernel doesn't support 19.
-	* Merged enhanced MLS support from Darrel Goeddel (TCS).
-	* Merged diffs from Dan Walsh, Russell Coker, and Greg Norris.
-	* Merged man pages from Dan Walsh.
-	
-1.20 2005-01-04
-	* Merged diffs from Dan Walsh, Russell Coker, Thomas Bleher, and
-	Petre Rodan.
-	* Merged can_create() macro used for file_type_{,auto_}trans()
-	from Thomas Bleher.
-	* Merged dante and stunnel policy by Petre Rodan.
-	* Merged $1_file_type attribute from Thomas Bleher.
-	* Merged network_macros from Dan Walsh.
-
-1.18 2004-10-25
-	* Merged diffs from Russell Coker and Dan Walsh.
-	* Merged mkflask and mkaccess_vector patches from Ulrich Drepper.
-	* Added reserved_port_t type and portcon entries to map all other
-	  reserved ports to this type.
-	* Added distro_ prefix to distro tunables to avoid conflicts.
-	* Merged diffs from Russell Coker.
-
-1.16 2004-08-16
-	* Added nscd definitions.
-	* Converted many tunables to policy booleans.
-	* Added crontab permission.
-	* Merged diffs from Dan Walsh.
-	  This included diffs from Thomas Bleher, Russell Coker, and Colin Walters as well.
-	* Merged diffs from Russell Coker.
-	* Adjusted constraints for crond restart.
-	* Merged dbus/userspace object manager policy from Colin Walters.
-	* Merged dbus definitions from Matthew Rickard.
-	* Merged dnsmasq policy from Greg Norris.
-	* Merged gpg-agent policy from Thomas Bleher.
-
-1.14 2004-06-28
-	* Removed vmware-config.pl from vmware.fc.
-	* Added crond entry to root_default_contexts.
-	* Merged patch from Dan Walsh.
-	* Merged mdadm and postfix changes from Colin Walters.
-	* Merged reiserfs and rpm changes from Russell Coker.
-	* Merged runaway .* glob fix from Valdis Kletnieks.
-	* Merged diff from Dan Walsh.
-	* Merged fine-grained netlink classes and permissions.
-	* Merged changes for new /etc/selinux layout. 
-	* Changed mkaccess_vector.sh to provide stable order.
-	* Merged diff from Dan Walsh.
-	* Fix restorecon path in restorecon.fc.
-	* Merged pax class and access vector definition from Joshua Brindle.
-
-1.12 2004-05-12
-	* Added targeted policy.
-	* Merged atd/at into crond/crontab domains.
-	* Exclude bind mounts from relabeling to avoid aliasing.
-	* Removed some obsolete types and remapped their initial SIDs to unlabeled.
-	* Added SE-X related security classes and policy framework.
-	* Added devnull initial SID and context.
-	* Merged diffs from Fedora policy.
-
-1.10 2004-04-07
-	* Merged ipv6 support from James Morris of RedHat.
-	* Merged policy diffs from Dan Walsh.
-	* Updated call to genhomedircon to reflect new usage.
-	* Merged policy diffs from Dan Walsh and Russell Coker.
-	* Removed config-users and config-services per Dan's request.
-
-1.8 2004-03-09
-	* Merged genhomedircon patch from Karl MacMillan of Tresys.
-	* Added restorecon domain.
-	* Added unconfined_domain macro.
-	* Added default_t for /.* file_contexts entry and replaced some
-	  uses of file_t with default_t in the policy. 
-	* Added su_restricted_domain() macro and use it for initrc_t.
-	* Merged policy diffs from Dan Walsh and Russell Coker.
-	  These included a merge of an earlier patch by Chris PeBenito
-	  to rename the etc types to be consistent with other types.
-
-1.6 2004-02-18
-	* Merged xfs support from Chris PeBenito.
-	* Merged conditional rules for ping.te.
-	* Defined setbool permission, added can_setbool macro.
-	* Partial network policy cleanup.
-	* Merged with Russell Coker's policy.
-	* Renamed netscape macro and domain to mozilla  and renamed
-	  ipchains domain to iptables for consistency with Russell.
-	* Merged rhgb macro and domain from Russell Coker.
-	* Merged tunable.te from Russell Coker. 
-          Only define direct_sysadm_daemon by default in our copy.  
-	* Added rootok permission to passwd class.
-	* Merged Makefile change from Dan Walsh to generate /home 
-	  file_contexts entries for staff users.
-	* Added automatic role and domain transitions for init scripts and
-	  daemons.  Added an optional third argument (nosysadm) to 
-	  daemon_domain to omit the direct transition from sysadm_r when
-	  the same executable is also used as an application, in which
-	  case the daemon must be restarted via the init script to obtain
-	  the proper security context.  Added system_r to the authorized roles
-	  for admin users at least until support for automatic user identity
-	  transitions exist so that a transition to system_u can be provided
-	  transparently.
-	* Added support to su domain for using pam_selinux. 
-	  Added entries to default_contexts for the su domains to 
-	  provide reasonable defaults.  Removed user_su_t.
-	* Tighten restriction on user identity and role transitions in constraints.
-	* Merged macro for newrole-like domains from Russell Coker.
-	* Merged stub dbusd domain from Russell Coker.
-	* Merged stub prelink domain from Dan Walsh.
-	* Merged updated userhelper and config tool domains from Dan Walsh.
-	* Added send_msg/recv_msg permissions to can_network macro.
-	* Merged patch by Chris PeBenito for sshd subsystems.
-	* Merged patch by Chris PeBenito for passing class to var_run_domain.
-	* Merged patch by Yuichi Nakamura for append_log_domain macros.
-	* Merged patch by Chris PeBenito for rpc_pipefs labeling.
-	* Merged patch by Colin Walters to apply m4 once so that
-	  source file info is preserved for checkpolicy.
-
-1.4 2003-12-01
-        * Merged patches from Russell Coker.
-	* Revised networking permissions.
-	* Added new node_bind permission. 
-	* Added new siginh, rlimitinh, and setrlimit permissions.
-	* Added proc_t:file read permission for new is_selinux_enabled logic.
-	* Added failsafe_context configuration file to appconfig.
-	* Moved newrules.pl to policycoreutils, renamed to audit2allow.
-	* Merged newrules.pl patch from Yuichi Nakamura.
-
-1.2 2003-09-30
-	* More policy merging with Russell Coker.
-	* Transferred newrules.pl script from the old SELinux. 
-	* Merged MLS configuration patch from Karl MacMillan of Tresys.
-	* Limit staff_t to reading /proc entries for unpriv_userdomain.
-        * Updated Makefile and spec file to allow non-root builds,
-	  based on patch by Paul Nasrat.
-
-1.1 2003-08-13
-        * Merged Makefile check-all and te-includes patches from Colin Walters.
-        * Merged x-debian-packages.patch from Colin Walters.
-	* Folded read permission into domain_trans.
-
-1.0 2003-07-11
-	* Initial public release.
-
diff --git a/strict/Makefile b/strict/Makefile
deleted file mode 100644
index fac8cab..0000000
--- a/strict/Makefile
+++ /dev/null
@@ -1,366 +0,0 @@
-#
-# Makefile for the security policy.
-#
-# Targets:
-# 
-# install - compile and install the policy configuration, and context files.
-# load    - compile, install, and load the policy configuration.
-# reload  - compile, install, and load/reload the policy configuration.
-# relabel - relabel filesystems based on the file contexts configuration.
-# policy  - compile the policy configuration locally for testing/development.
-#
-# The default target is 'install'.
-#
-
-# Set to y if MLS is enabled in the policy.
-MLS=n
-
-# Set to y if MCS is enabled in the policy
-MCS=n
-
-FLASKDIR = flask/
-PREFIX = /usr
-BINDIR = $(PREFIX)/bin
-SBINDIR = $(PREFIX)/sbin
-LOADPOLICY  = $(SBINDIR)/load_policy
-CHECKPOLICY = $(BINDIR)/checkpolicy
-GENHOMEDIRCON = $(SBINDIR)/genhomedircon
-SETFILES = $(SBINDIR)/setfiles
-VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
-PREVERS := 19
-KERNVERS := $(shell cat /selinux/policyvers)
-POLICYVER := policy.$(VERS)
-TOPDIR = $(DESTDIR)/etc/selinux
-TYPE=strict
-ifeq ($(MLS),y)
-TYPE=mls
-endif
-ifeq ($(MCS),y)
-TYPE=mcs
-endif
-
-INSTALLDIR = $(TOPDIR)/$(TYPE)
-POLICYPATH = $(INSTALLDIR)/policy
-SRCPATH = $(INSTALLDIR)/src
-USERPATH = $(INSTALLDIR)/users
-CONTEXTPATH = $(INSTALLDIR)/contexts
-LOADPATH = $(POLICYPATH)/$(POLICYVER)
-FCPATH = $(CONTEXTPATH)/files/file_contexts
-HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
-
-ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te)
-ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te)
-ALL_TYPES := $(wildcard types/*.te)
-ALL_DOMAINS := $(wildcard domains/*.te domains/misc/*.te domains/program/*.te)
-ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te 
-TE_RBAC_FILES := $(ALLTEFILES) rbac
-ALL_TUNABLES := $(wildcard tunables/*.tun )
-USER_FILES := users 
-POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
-ifeq ($(MLS),y)
-POLICYFILES += mls
-CHECKPOLMLS += -M
-endif
-ifeq ($(MCS), y)
-POLICYFILES += mcs
-CHECKPOLMLS += -M
-endif
-DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
-POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
-POLICYFILES += $(USER_FILES)
-POLICYFILES += constraints
-POLICYFILES += $(DEFCONTEXTFILES)
-CONTEXTFILES = $(DEFCONTEXTFILES)
-POLICY_DIRS = domains domains/program domains/misc macros macros/program
-
-UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
-
-FC = file_contexts/file_contexts
-HOMEDIR_TEMPLATE = file_contexts/homedir_template
-FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc)
-CONTEXTFILES += $(FCFILES)
-
-APPDIR=$(CONTEXTPATH)
-APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types port_types) $(CONTEXTPATH)/files/media
-CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media
-
-ROOTFILES = $(addprefix $(APPDIR)/users/,root)
-
-all:  policy
-
-tmp/valid_fc: $(LOADPATH) $(FC) 
-	@echo "Validating file contexts files ..."	
-	$(SETFILES) -q -c $(LOADPATH) $(FC)
-	@touch tmp/valid_fc
-
-install: $(FCPATH) $(APPFILES) $(ROOTFILES) $(USERPATH)/local.users
-
-$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
-	@mkdir -p $(USERPATH)
-	@echo "# " > tmp/system.users
-	@echo "# Do not edit this file. " >> tmp/system.users
-	@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
-	@echo "# Please edit local.users to make local changes." >> tmp/system.users
-	@echo "#" >> tmp/system.users
-	@m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
-	install -m 644 tmp/system.users $@
-
-$(USERPATH)/local.users: local.users
-	@mkdir -p $(USERPATH)
-	install -b -m 644 $< $@
-
-$(CONTEXTPATH)/files/media: appconfig/media
-	@mkdir -p $(CONTEXTPATH)/files/
-	install -m 644 $< $@
-
-$(APPDIR)/default_contexts: appconfig/default_contexts
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/removable_context: appconfig/removable_context
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/customizable_types: policy.conf
-	@mkdir -p $(APPDIR)
-	@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
-	install -m 644 tmp/customizable_types $@ 
-
-$(APPDIR)/port_types: policy.conf
-	@mkdir -p $(APPDIR)
-	@grep "^type .*port_type" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/port_types
-	install -m 644 tmp/port_types $@ 
-
-$(APPDIR)/default_type: appconfig/default_type
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/userhelper_context: appconfig/userhelper_context
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/initrc_context: appconfig/initrc_context
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/failsafe_context: appconfig/failsafe_context
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/dbus_contexts: appconfig/dbus_contexts
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/users/root: appconfig/root_default_contexts
-	@mkdir -p $(APPDIR)/users
-	install -m 644 $< $@
-
-$(LOADPATH): policy.conf $(CHECKPOLICY) 
-	@echo "Compiling policy ..."
-	@mkdir -p $(POLICYPATH)
-	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
-ifneq ($(VERS),$(PREVERS))
-	$(CHECKPOLICY) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf
-endif
-
-# Note: Can't use install, so not sure how to deal with mode, user, and group
-#	other than by default.
-
-policy: $(POLICYVER)
-
-$(POLICYVER):  policy.conf $(FC) $(CHECKPOLICY)
-	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
-	@echo "Validating file contexts files ..."
-	$(SETFILES) -q -c $(POLICYVER) $(FC)
-
-reload tmp/load: $(LOADPATH) 
-	@echo "Loading Policy ..."
-ifeq ($(VERS), $(KERNVERS))
-	$(LOADPOLICY) $(LOADPATH)
-else
-	$(LOADPOLICY) $(POLICYPATH)/policy.$(PREVERS)
-endif
-	touch tmp/load
-
-load: tmp/load $(FCPATH) 
-
-enableaudit: policy.conf 
-	grep -v dontaudit policy.conf > policy.audit
-	mv policy.audit policy.conf
-
-policy.conf: $(POLICYFILES) $(POLICY_DIRS)
-	@echo "Building policy.conf ..."
-	@mkdir -p tmp
-	m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp
-	@mv $@.tmp $@
-
-install-src: 
-	rm -rf $(SRCPATH)/policy.old
-	-mv $(SRCPATH)/policy $(SRCPATH)/policy.old
-	@mkdir -p $(SRCPATH)/policy
-	cp -R . $(SRCPATH)/policy
-
-tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
-	@mkdir -p tmp
-	( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp
-	( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
-	mv $@.tmp $@
-
-FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs | reiserfs ).*rw/{print $$3}';`
-
-checklabels: $(SETFILES)
-	$(SETFILES) -v -n $(FC) $(FILESYSTEMS)
-
-restorelabels: $(SETFILES)
-	$(SETFILES) -v $(FC) $(FILESYSTEMS)
-
-relabel:  $(FC) $(SETFILES)
-	$(SETFILES) $(FC) $(FILESYSTEMS)
-
-file_contexts/misc:
-	@mkdir -p file_contexts/misc
-
-$(FCPATH): tmp/valid_fc $(USERPATH)/system.users  $(APPDIR)/customizable_types $(APPDIR)/port_types
-	@echo "Installing file contexts files..."
-	@mkdir -p $(CONTEXTPATH)/files
-	install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
-	install -m 644 $(FC) $(FCPATH)
-	@$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
-
-$(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
-	@echo "Building file contexts files..."
-	@m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp
-	@grep -v -e HOME -e ROLE -e USER $@.tmp > $@
-	@grep -e HOME -e ROLE -e USER $@.tmp  > $(HOMEDIR_TEMPLATE)
-	@-rm $@.tmp
-
-# Create a tags-file for the policy:
-# we need exuberant ctags; unfortunately it is named differently on different distros, sigh...
-pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH))))) # taken from make-docs
-CTAGS := $(call pathsearch,ctags-exuberant) # debian naming scheme
-ifeq ($(strip $(CTAGS)),)
-CTAGS := $(call pathsearch,ctags) # suse naming scheme
-endif
-
-tags: $(wildcard *.te types/*.te domains/*.te domains/misc/*.te domains/program/*.te domains/program/unused/*.te macros/*.te macros/program/*.te)
-	@($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
-	@LC_ALL=C $(CTAGS) --langdef=te --langmap=te:..te \
-	  --regex-te='/^[ \t]*type[ \t]+(\w+)(,|;)/\1/t,type/' \
-	  --regex-te='/^[ \t]*typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
-	  --regex-te='/^[ \t]*attribute[ \t]+(\w+);/\1/a,attribute/' \
-	  --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
-	  --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^
- 
-clean:
-	rm -f policy.conf $(POLICYVER)
-	rm -f tags
-	rm -f tmp/*
-	rm -f $(FC)
-	rm -f flask/*.h
-# for the policy regression tester
-	find "domains/program/" -maxdepth 1 -type l -exec rm {} \; ; \
-
-# Policy regression tester.
-# Written by Colin Walters <walters@debian.org>
-cur_te = $(filter-out %/,$(subst /,/ ,$@))
-
-TESTED_TE_FILES := $(notdir $(UNUSED_TE_FILES))
-
-define compute_depends
-  export TE_DEPENDS_$(1) := $(shell egrep '^#[[:space:]]*Depends: ' domains/program/unused/$(1) | head -1 | sed -e 's/^.*Depends: //')
-endef
-
-
-ifeq ($(TE_DEPENDS_DEFINED),)
-ifeq ($(MAKECMDGOALS),check-all)
-  GENRULES := $(TESTED_TE_FILES)
-  export TE_DEPENDS_DEFINED := yes
-else
-  # Handle the case where checkunused/blah.te is run directly.
-  ifneq ($(findstring checkunused/,$(MAKECMDGOALS)),)
-    GENRULES := $(TESTED_TE_FILES)
-    export TE_DEPENDS_DEFINED := yes
-  endif
-endif
-endif
-
-# Test for a new enough version of GNU Make.
-$(eval have_eval := yes)
-ifneq ($(GENRULES),)
-  ifeq ($(have_eval),)
-$(error Need GNU Make 3.80 or better!)
-Need GNU Make 3.80 or better
-  endif
-endif
-$(foreach f,$(GENRULES),$(eval $(call compute_depends,$(f))))
-
-PHONIES :=
-
-define compute_presymlinks
-PHONIES += presymlink/$(1)
-presymlink/$(1):: $(patsubst %,presymlink/%,$(TE_DEPENDS_$(1)))
-	@if ! test -L domains/program/$(1); then \
-	  cd domains/program && ln -s unused/$(1) .; \
-	fi
-endef
-
-# Compute dependencies.
-$(foreach f,$(TESTED_TE_FILES),$(eval $(call compute_presymlinks,$(f))))
-
-PHONIES += $(patsubst %,checkunused/%,$(TESTED_TE_FILES))
-$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : 
-	@$(MAKE) -s clean
-
-$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : presymlink/%
-	@if test -n "$(TE_DEPENDS_$(cur_te))"; then \
-	  echo "Dependencies for $(cur_te): $(TE_DEPENDS_$(cur_te))"; \
-	fi
-	@echo "Testing $(cur_te)...";
-	@if ! make -s policy 1>/dev/null; then \
-	  echo "Testing $(cur_te)...FAILED"; \
-	  exit 1; \
-	fi;
-	@echo "Testing $(cur_te)...success."; \
-
-check-all:
-	@for goal in  $(patsubst %,checkunused/%,$(TESTED_TE_FILES)); do \
-	  $(MAKE) --no-print-directory $$goal; \
-	done
-
-.PHONY: clean $(PHONIES)
-
-mlsconvert: 
-	@for file in $(CONTEXTFILES); do \
-		echo "Converting $$file"; \
-		sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
-		mv $$file.new $$file; \
-	done
-	@for file in $(USER_FILES); do \
-		echo "Converting $$file"; \
-		sed -e 's/;/ level s0 range s0 - s9:c0.c127;/' $$file > $$file.new && \
-		mv $$file.new $$file; \
-	done
-	@sed -e '/sid kernel/s/s0/s0 - s9:c0.c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
-	@echo "Enabling MLS in the Makefile"
-	@sed "s/MLS=n/MLS=y/" Makefile > Makefile.new
-	@mv Makefile.new Makefile
-	@echo "Done"
-
-mcsconvert: 
-	@for file in $(CONTEXTFILES); do \
-		echo "Converting $$file"; \
-		sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
-		mv $$file.new $$file; \
-	done
-	@for file in $(USER_FILES); do \
-		echo "Converting $$file"; \
-		sed -r -e 's/\;/ level s0 range s0;/' $$file | \
-		sed -r -e 's/(user (root|system_u).*);/\1 - s0:c0.c127;/' > $$file.new; \
-		mv $$file.new $$file; \
-	done
-	@sed -e '/sid kernel/s/s0/s0 - s0:c0.c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
-	@echo "Enabling MCS in the Makefile"
-	@sed "s/MCS=y/MCS=y/" Makefile > Makefile.new
-	@mv Makefile.new Makefile
-	@echo "Done"
-
diff --git a/strict/README b/strict/README
deleted file mode 100644
index 6818b66..0000000
--- a/strict/README
+++ /dev/null
@@ -1,125 +0,0 @@
-The Makefile targets are:
-policy - compile the policy configuration.
-install - compile and install the policy configuration.
-load    - compile, install, and load the policy configuration.
-relabel - relabel the filesystem.
-check-all - check individual additional policy files in domains/program/unused.
-checkunused/FILE.te - check individual file FILE from domains/program/unused.
-
-If you have configured MLS into your module, then set MLS=y in the
-Makefile prior to building the policy.  Of course, you must have also
-built checkpolicy with MLS enabled.  
-
-Three of the configuration files are independent of the particular
-security policy:
-1) flask/security_classes -
-   This file has a simple declaration for each security class.
-   The corresponding symbol definitions are in the automatically
-   generated header file <selinux/flask.h>. 
-
-2) flask/initial_sids - 
-   This file has a simple declaration for each initial SID.
-   The corresponding symbol definitions are in the automatically
-   generated header file <selinux/flask.h>.
-
-3) access_vectors - 
-   This file defines the access vectors.  Common prefixes for
-   access vectors may be defined at the beginning of the file.
-   After the common prefixes are defined, an access vector
-   may be defined for each security class.
-   The corresponding symbol definitions are in the automatically
-   generated header file <selinux/av_permissions.h>.
-
-In addition to being read by the security server, these configuration
-files are used during the kernel build to automatically generate
-symbol definitions used by the kernel for security classes, initial
-SIDs and permissions.  Since the symbol definitions generated from
-these files are used during the kernel build, the values of existing
-security classes and permissions may not be modified by load_policy.
-However, new classes may be appended to the list of classes and new
-permissions may be appended to the list of permissions associated with
-each access vector definition.
-
-The policy-dependent configuration files are:
-1) tmp/all.te -  
-   This file defines the Type Enforcement (TE) configuration.
-   This file is automatically generated from a collection of files.
-
-   The macros subdirectory contains a collection of m4 macro definitions
-   used by the TE configuration.  The global_macros.te file contains global 
-   macros used throughout the configuration for common groupings of classes 
-   and permissions and for common sets of rules.  The user_macros.te file
-   contains macros used in defining user domains.  The admin_macros.te file
-   contains macros used in defining admin domains.  The macros/program 
-   subdirectory contains macros that are used to instantiate derived domains
-   for certain programs that encode information about both the calling user
-   domain and the program, permitting the policy to maintain separation 
-   between different instances of the program.
-
-   The types subdirectory contains several files with declarations for
-   general types (types not associated with a particular domain) and 
-   some rules defining relationships among those types.  Related types 
-   are grouped together into each file in this directory, e.g. all
-   device type declarations are in the device.te file.
-
-   The domains subdirectory contains several files and directories
-   with declarations and rules for each domain.  User domains are defined in 
-   user.te.  Administrator domains are defined in admin.te.  Domains for 
-   specific programs, including both system daemons and other programs, are 
-   in the .te files within the domains/program subdirectory.  The domains/misc
-   subdirectory is for miscellaneous domains such as the kernel domain and
-   the kernel module loader domain.
-
-   The assert.te file contains assertions that are checked after evaluating 
-   the entire TE configuration.
-
-2) rbac - 
-   This file defines the Role-Based Access Control (RBAC) configuration.
-
-3) mls - 
-   This file defines the Multi-Level Security (MLS) configuration.
-
-4) users -
-   This file defines the users recognized by the security policy.
-
-5) constraints - 
-   This file defines additional constraints on permissions
-   in the form of boolean expressions that must be satisfied in order
-   for specified permissions to be granted.  These constraints
-   are used to further refine the type enforcement tables and
-   the role allow rules.  Typically, these constraints are used
-   to restrict changes in user identity or role to certain domains.
-
-6) initial_sid_contexts -
-   This file defines the security context for each initial SID.
-   A security context consists of a user identity, a role, a type and
-   optionally a MLS range if the MLS policy is enabled.  If left unspecified,
-   the high MLS level defaults to the low MLS level.  The syntax of a valid 
-   security context is:
-
-     user:role:type[:sensitivity[:category,...][-sensitivity[:category,...]]]
-
-7) fs_use -
-   This file defines the labeling behavior for inodes in particular
-   filesystem types.  
-
-8) genfs_contexts -
-   This file defines security contexts for files in filesystems that
-   cannot support persistent label mappings or use one of the fixed
-   labeling schemes specified in fs_use.
-
-8) net_contexts -
-   This file defines the security contexts of network objects
-   such as ports, interfaces, and nodes.
-
-9) file_contexts/{types.fc,program/*.fc}
-   These files define the security contexts for persistent files.
-
-It is possible to test the security server functions on a given policy
-configuration by running the checkpolicy program with the -d option.
-This program is built from the same sources as the security server
-component of the kernel, so it may be used both to verify that a
-policy configuration will load successfully and to determine how the
-security server would respond if it were using that policy
-configuration.  A menu-based interface is provided for calling any of
-the security server functions after the policy is loaded.
diff --git a/strict/VERSION b/strict/VERSION
deleted file mode 100644
index 08002f8..0000000
--- a/strict/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-1.27.1
diff --git a/strict/appconfig/dbus_contexts b/strict/appconfig/dbus_contexts
deleted file mode 100644
index 116e684..0000000
--- a/strict/appconfig/dbus_contexts
+++ /dev/null
@@ -1,6 +0,0 @@
-<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-  <selinux>
-  </selinux>
-</busconfig>
diff --git a/strict/appconfig/default_contexts b/strict/appconfig/default_contexts
deleted file mode 100644
index e778f50..0000000
--- a/strict/appconfig/default_contexts
+++ /dev/null
@@ -1,12 +0,0 @@
-system_r:sulogin_t  sysadm_r:sysadm_t 
-system_r:local_login_t  staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
-system_r:remote_login_t user_r:user_t staff_r:staff_t
-system_r:sshd_t		user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
-system_r:crond_t	user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t mailman_r:user_crond_t
-system_r:xdm_t		staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
-staff_r:staff_su_t	staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
-sysadm_r:sysadm_su_t	staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
-user_r:user_su_t	staff_r:staff_t user_r:user_t sysadm_r:sysadm_t 
-sysadm_r:sysadm_sudo_t		sysadm_r:sysadm_t
-staff_r:staff_sudo_t		sysadm_r:sysadm_t staff_r:staff_t
-user_r:user_sudo_t		sysadm_r:sysadm_t user_r:user_t
diff --git a/strict/appconfig/default_type b/strict/appconfig/default_type
deleted file mode 100644
index af878bd..0000000
--- a/strict/appconfig/default_type
+++ /dev/null
@@ -1,4 +0,0 @@
-secadm_r:secadm_t
-sysadm_r:sysadm_t
-staff_r:staff_t
-user_r:user_t
diff --git a/strict/appconfig/failsafe_context b/strict/appconfig/failsafe_context
deleted file mode 100644
index 2f96c9f..0000000
--- a/strict/appconfig/failsafe_context
+++ /dev/null
@@ -1 +0,0 @@
-sysadm_r:sysadm_t
diff --git a/strict/appconfig/initrc_context b/strict/appconfig/initrc_context
deleted file mode 100644
index 7fcf70b..0000000
--- a/strict/appconfig/initrc_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:system_r:initrc_t
diff --git a/strict/appconfig/media b/strict/appconfig/media
deleted file mode 100644
index de2a652..0000000
--- a/strict/appconfig/media
+++ /dev/null
@@ -1,3 +0,0 @@
-cdrom system_u:object_r:removable_device_t
-floppy system_u:object_r:removable_device_t
-disk system_u:object_r:fixed_disk_device_t
diff --git a/strict/appconfig/removable_context b/strict/appconfig/removable_context
deleted file mode 100644
index d4921f0..0000000
--- a/strict/appconfig/removable_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:object_r:removable_t
diff --git a/strict/appconfig/root_default_contexts b/strict/appconfig/root_default_contexts
deleted file mode 100644
index acdcc08..0000000
--- a/strict/appconfig/root_default_contexts
+++ /dev/null
@@ -1,9 +0,0 @@
-system_r:local_login_t  sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-system_r:crond_t	sysadm_r:sysadm_crond_t staff_r:staff_crond_t user_r:user_crond_t
-staff_r:staff_su_t	sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-sysadm_r:sysadm_su_t	sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-user_r:user_su_t	sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
-#
-# Uncomment if you want to automatically login as sysadm_r
-#
-#system_r:sshd_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t
diff --git a/strict/appconfig/userhelper_context b/strict/appconfig/userhelper_context
deleted file mode 100644
index 081e93b..0000000
--- a/strict/appconfig/userhelper_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:sysadm_r:sysadm_t
diff --git a/strict/assert.te b/strict/assert.te
deleted file mode 100644
index 02b2878..0000000
--- a/strict/assert.te
+++ /dev/null
@@ -1,156 +0,0 @@
-##############################
-#
-# Assertions for the type enforcement (TE) configuration.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-##################################
-#
-# Access vector assertions.
-#
-# An access vector assertion specifies permissions that should not be in
-# an access vector based on a source type, a target type, and a class.
-# If any of the specified permissions are in the corresponding access
-# vector, then the policy compiler will reject the policy configuration.
-# Currently, there is only one kind of access vector assertion, neverallow, 
-# but support for the other kinds of vectors could be easily added.  Access 
-# vector assertions use the same syntax as access vector rules.
-#
-
-#
-# Verify that every type that can be entered by
-# a domain is also tagged as a domain.
-#
-neverallow domain ~domain:process { transition dyntransition };
-
-#
-# Verify that only the insmod_t and kernel_t domains 
-# have the sys_module capability.
-#
-neverallow {domain -privsysmod -unrestricted } self:capability sys_module;
-
-#
-# Verify that executable types, the system dynamic loaders, and the
-# system shared libraries can only be modified by administrators.
-#
-neverallow {domain  -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { exec_type ld_so_t shlib_t }:file { write append unlink rename };
-neverallow {domain  ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin -unrestricted } { exec_type ld_so_t shlib_t }:file relabelto;
-
-#
-# Verify that only appropriate domains can access /etc/shadow
-neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr;
-neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms;
-
-#
-# Verify that only appropriate domains can write to /etc (IE mess with
-# /etc/passwd)
-neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:dir ~rw_dir_perms;
-neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:lnk_file ~r_file_perms;
-neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:file ~{ execute_no_trans rx_file_perms };
-
-#
-# Verify that other system software can only be modified by administrators.
-#
-neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
-neverallow { domain -kernel_t -admin -unrestricted } { lib_t bin_t sbin_t }:file { write append unlink rename };
-
-#
-# Verify that only certain domains have access to the raw disk devices.
-#
-neverallow { domain -fs_domain -unrestricted } fixed_disk_device_t:devfile_class_set { read write append };
-
-#
-# Verify that only the X server and klogd have access to memory devices.
-#
-neverallow { domain -privmem -unrestricted } memory_device_t:devfile_class_set { read write append };
-
-#
-# Verify that only domains with the privlog attribute can actually syslog
-#
-neverallow { domain -privlog -unrestricted } devlog_t:sock_file { read write append };
-
-#
-# Verify that /proc/kmsg is only accessible to klogd.
-#
-neverallow {domain -privkmsg -unrestricted } proc_kmsg_t:file ~stat_file_perms;
-
-#
-# Verify that /proc/kcore is inaccessible.
-#
-
-neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms;
-
-#
-# Verify that sysctl variables are only changeable
-# by initrc and administrators.
-#
-neverallow { domain -initrc_t -admin -kernel_t -insmod_t -unrestricted } sysctl_t:file { write append };
-neverallow { domain -initrc_t -admin -unrestricted } sysctl_fs_t:file { write append };
-neverallow { domain -admin -sysctl_kernel_writer -unrestricted } sysctl_kernel_t:file { write append };
-neverallow { domain -initrc_t -admin -sysctl_net_writer -unrestricted } sysctl_net_t:file { write append };
-neverallow { domain -initrc_t -admin -unrestricted } sysctl_net_unix_t:file { write append };
-neverallow { domain -initrc_t -admin -unrestricted } sysctl_vm_t:file { write append };
-neverallow { domain -initrc_t -admin -unrestricted } sysctl_dev_t:file { write append };
-neverallow { domain -initrc_t -admin -unrestricted } sysctl_modprobe_t:file { write append };
-
-#
-# Verify that certain domains are limited to only being
-# entered by their entrypoint types and to only executing
-# the dynamic loader without a transition to another domain.
-#
-
-define(`assert_execute', `
-    ifelse($#, 0, , 
-           $#, 1, 
-           ``neverallow $1_t ~$1_exec_t:file entrypoint; neverallow $1_t ~{ $1_exec_t ld_so_t }:file execute_no_trans;'',
-           `assert_execute($1) assert_execute(shift($@))')')
-
-ifdef(`getty.te', `assert_execute(getty)')
-ifdef(`klogd.te', `assert_execute(klogd)')
-ifdef(`tcpd.te', `assert_execute(tcpd)')
-ifdef(`portmap.te', `assert_execute(portmap)')
-ifdef(`syslogd.te', `assert_execute(syslogd)')
-ifdef(`rpcd.te', `assert_execute(rpcd)')
-ifdef(`rlogind.te', `assert_execute(rlogind)')
-ifdef(`ypbind.te', `assert_execute(ypbind)')
-ifdef(`xfs.te', `assert_execute(xfs)')
-ifdef(`gpm.te', `assert_execute(gpm)')
-ifdef(`ifconfig.te', `assert_execute(ifconfig)')
-ifdef(`iptables.te', `assert_execute(iptables)')
-
-ifdef(`login.te', `
-neverallow { local_login_t remote_login_t } ~{ login_exec_t ifdef(`pam.te', `pam_exec_t') }:file entrypoint;
-neverallow { local_login_t remote_login_t } ~{ ld_so_t ifdef(`pam.te', `pam_exec_t') }:file execute_no_trans;
-')
-
-#
-# Verify that the passwd domain can only be entered by its
-# entrypoint type and can only execute the dynamic loader
-# and the ordinary passwd program without a transition to another domain.
-#
-ifdef(`passwd.te', `
-neverallow passwd_t ~passwd_exec_t:file entrypoint;
-neverallow sysadm_passwd_t ~admin_passwd_exec_t:file entrypoint;
-neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:file execute_no_trans;
-')
-
-#
-# Verify that only the admin domains and initrc_t have setenforce.
-#
-neverallow { domain -secadmin -initrc_t -unrestricted } security_t:security setenforce;
-
-#
-# Verify that only the kernel and load_policy_t have load_policy.
-#
-
-neverallow { domain -kernel_t -load_policy_t -unrestricted } security_t:security load_policy;
-
-#
-# for gross mistakes in policy
-neverallow * domain:dir ~r_dir_perms;
-neverallow * domain:file_class_set ~rw_file_perms;
-neverallow { domain unlabeled_t } file_type:process *;
-neverallow ~{ domain unlabeled_t } *:process *;
diff --git a/strict/attrib.te b/strict/attrib.te
deleted file mode 100644
index 459e7cc..0000000
--- a/strict/attrib.te
+++ /dev/null
@@ -1,484 +0,0 @@
-#
-# Declarations for type attributes.
-# 
-
-# A type attribute can be used to identify a set of types with a similar
-# property.  Each type can have any number of attributes, and each
-# attribute can be associated with any number of types.  Attributes are
-# explicitly declared here, and can then be associated with particular
-# types in type declarations.  Attribute names can then be used throughout 
-# the configuration to express the set of types that are associated with 
-# the attribute.  Except for the MLS attributes, attributes have no implicit
-# meaning to SELinux.  The meaning of all other attributes are completely 
-# defined through their usage within the configuration, but should be 
-# documented here as comments preceding the attribute declaration.  
-
-#####################
-# Attributes for MLS:
-#
-
-attribute mlsfileread;
-attribute mlsfilereadtoclr;
-attribute mlsfilewrite;
-attribute mlsfilewritetoclr;
-attribute mlsfileupgrade;
-attribute mlsfiledowngrade;
-
-attribute mlsnetread;
-attribute mlsnetreadtoclr;
-attribute mlsnetwrite;
-attribute mlsnetwritetoclr;
-attribute mlsnetupgrade;
-attribute mlsnetdowngrade;
-attribute mlsnetrecvall;
-
-attribute mlsipcread;
-attribute mlsipcreadtoclr;
-attribute mlsipcwrite;
-attribute mlsipcwritetoclr;
-
-attribute mlsprocread;
-attribute mlsprocreadtoclr;
-attribute mlsprocwrite;
-attribute mlsprocwritetoclr;
-attribute mlsprocsetsl;
-
-attribute mlsxwinread;
-attribute mlsxwinreadtoclr;
-attribute mlsxwinwrite;
-attribute mlsxwinwritetoclr;
-attribute mlsxwinupgrade;
-attribute mlsxwindowngrade;
-
-attribute mlstrustedobject;
-
-attribute privrangetrans;
-attribute mlsrangetrans;
-
-#########################
-# Attributes for domains:
-#
-
-# The domain attribute identifies every type that can be 
-# assigned to a process.  This attribute is used in TE rules 
-# that should be applied to all domains, e.g. permitting 
-# init to kill all processes.
-attribute domain;
-
-# The daemon attribute identifies domains for system processes created via
-# the daemon_domain, daemon_base_domain, and init_service_domain macros.
-attribute daemon;
-
-# The privuser attribute identifies every domain that can 
-# change its SELinux user identity.  This attribute is used 
-# in the constraints configuration.  NOTE:  This attribute
-# is not required for domains that merely change the Linux
-# uid attributes, only for domains that must change the
-# SELinux user identity.  Also note that this attribute makes
-# no sense without the privrole attribute.
-attribute privuser;
-
-# The privrole attribute identifies every domain that can 
-# change its SELinux role.  This attribute is used in the 
-# constraints configuration.
-attribute privrole;
-
-# The userspace_objmgr attribute identifies every domain
-# which enforces its own policy.
-attribute userspace_objmgr;
-
-# The priv_system_role attribute identifies every domain that can
-# change role from a user role to system_r role, and identity from a user
-# identity to system_u.  It is used in the constraints configuration.
-attribute priv_system_role;
-
-# The privowner attribute identifies every domain that can 
-# assign a different SELinux user identity to a file, or that
-# can create a file with an identity that is not the same as the
-# process identity.  This attribute is used in the constraints
-# configuration.
-attribute privowner;
-
-# The privlog attribute identifies every domain that can 
-# communicate with syslogd through its Unix domain socket.
-# There is an assertion that other domains can not do it,
-# and an allow rule to permit it
-attribute privlog;
-
-# The privmodule attribute identifies every domain that can run
-# modprobe, there is an assertion that other domains can not do it,
-# and an allow rule to permit it
-attribute privmodule;
-
-# The privsysmod attribute identifies every domain that can have the
-# sys_module capability
-attribute privsysmod;
-
-# The privmem attribute identifies every domain that can 
-# access kernel memory devices.
-# This attribute is used in the TE assertions to verify
-# that such access is limited to domains that are explicitly
-# tagged with this attribute.
-attribute privmem;
-
-# The privkmsg attribute identifies every domain that can 
-# read kernel messages (/proc/kmsg)
-# This attribute is used in the TE assertions to verify
-# that such access is limited to domains that are explicitly
-# tagged with this attribute.
-attribute privkmsg;
-
-# The privfd attribute identifies every domain that should have
-# file handles inherited widely (IE sshd_t and getty_t).
-attribute privfd;
-
-# The privhome attribute identifies every domain that can create files under
-# regular user home directories in the regular context (IE act on behalf of
-# a user in writing regular files)
-attribute privhome;
-
-# The auth attribute identifies every domain that needs
-# to read /etc/shadow, and grants the permission.
-attribute auth;
-
-# The auth_bool attribute identifies every domain that can 
-# read /etc/shadow if its boolean is set;
-attribute auth_bool;
-
-# The auth_write attribute identifies every domain that can have write or
-# relabel access to /etc/shadow, but does not grant it.
-attribute auth_write;
-
-# The auth_chkpwd attribute identifies every system domain that can
-# authenticate users by running unix_chkpwd
-attribute auth_chkpwd;
-
-# The change_context attribute identifies setfiles_t, restorecon_t, and other
-# system domains that change the context of most/all files on the system
-attribute change_context;
-
-# The etc_writer attribute identifies every domain that can write to etc_t
-attribute etc_writer;
-
-# The sysctl_kernel_writer attribute identifies domains that can write to
-# sysctl_kernel_t, in addition the admin attribute is permitted write access
-attribute sysctl_kernel_writer;
-
-# the sysctl_net_writer attribute identifies domains that can write to
-# sysctl_net_t files.
-attribute sysctl_net_writer;
-
-# The sysctl_type attribute identifies every type that is assigned
-# to a sysctl entry.  This can be used in allow rules to grant
-# permissions to all sysctl entries without enumerating each individual
-# type, but should be used with care.
-attribute sysctl_type;
-
-# The admin attribute identifies every administrator domain.
-# It is used in TE assertions when verifying that only administrator 
-# domains have certain permissions.  
-# This attribute is presently associated with sysadm_t and 
-# certain administrator utility domains.  
-# XXX The use of this attribute should be reviewed for consistency.
-# XXX Might want to partition into several finer-grained attributes 
-# XXX used in different assertions within assert.te.
-attribute admin;
-
-# The secadmin attribute identifies every security administrator domain.
-# It is used in TE assertions when verifying that only administrator 
-# domains have certain permissions.  
-# This attribute is presently associated with sysadm_t and secadm_t
-attribute secadmin;
-
-# The userdomain attribute identifies every user domain, presently
-# user_t and sysadm_t.  It is used in TE rules that should be applied
-# to all user domains.
-attribute userdomain;
-
-# for a small domain that can only be used for newrole
-attribute user_mini_domain;
-
-# pty for the mini domain
-attribute mini_pty_type;
-
-# pty created by a server such as sshd
-attribute server_pty;
-
-# attribute for all non-administrative devpts types
-attribute userpty_type;
-
-# The user_tty_type identifies every type for a tty or pty owned by an
-# unpriviledged user
-attribute user_tty_type;
-
-# The admin_tty_type identifies every type for a tty or pty owned by a
-# priviledged user
-attribute admin_tty_type;
-
-# The user_crond_domain attribute identifies every user_crond domain, presently
-# user_crond_t and sysadm_crond_t.  It is used in TE rules that should be
-# applied to all user domains.
-attribute user_crond_domain;
-
-# The unpriv_userdomain identifies non-administrative users (default user_t)
-attribute unpriv_userdomain;
-
-# This attribute is for the main user home directory for unpriv users
-attribute user_home_dir_type;
-
-# The gphdomain attribute identifies every gnome-pty-helper derived
-# domain.  It is used in TE rules to permit inheritance and use of
-# descriptors created by these domains.
-attribute gphdomain;
-
-# The fs_domain identifies every domain that may directly access a fixed disk
-attribute fs_domain;
-
-# This attribute is for all domains for the userhelper program.
-attribute userhelperdomain;
-
-############################
-# Attributes for file types:
-#
-
-# The file_type attribute identifies all types assigned to files 
-# in persistent filesystems.  It is used in TE rules to permit
-# the association of all such file types with persistent filesystem
-# types, and to permit certain domains to access all such types as 
-# appropriate.
-attribute file_type;
-
-# The secure_file_type attribute identifies files 
-# which will be treated with a higer level of security.
-# Most domains will be prevented from manipulating files in this domain
-attribute secure_file_type;
-
-# The device_type attribute identifies all types assigned to device nodes
-attribute device_type;
-
-# The proc_fs attribute identifies all types that may be assigned to
-# files under /proc.
-attribute proc_fs;
-
-# The dev_fs attribute identifies all types that may be assigned to
-# files, sockets, or pipes under /dev.
-attribute dev_fs;
-
-# The sysadmfile attribute identifies all types assigned to files 
-# that should be completely accessible to administrators.  It is used
-# in TE rules to grant such access for administrator domains.
-attribute sysadmfile;
-
-# The secadmfile attribute identifies all types assigned to files 
-# that should be only accessible to security administrators.  It is used
-# in TE rules to grant such access for security administrator domains.
-attribute secadmfile;
-
-# The fs_type attribute identifies all types assigned to filesystems
-# (not limited to persistent filesystems).
-# It is used in TE rules to permit certain domains to mount
-# any filesystem and to permit most domains to obtain the
-# overall filesystem statistics.
-attribute fs_type;
-
-# The mount_point attribute identifies all types that can serve
-# as a mount point (for the mount binary). It is used in the mount 
-# policy to grant mounton permission, and in other domains to grant 
-# getattr permission over all the mount points.
-attribute mount_point;
-
-# The exec_type attribute identifies all types assigned
-# to entrypoint executables for domains.  This attribute is 
-# used in TE rules and assertions that should be applied to all 
-# such executables.
-attribute exec_type;
-
-# The tmpfile attribute identifies all types assigned to temporary 
-# files.  This attribute is used in TE rules to grant certain 
-# domains the ability to remove all such files (e.g. init, crond).
-attribute tmpfile;
-
-# The user_tmpfile attribute identifies all types associated with temporary
-# files for unpriv_userdomain domains.
-attribute user_tmpfile;
-
-# for the user_xserver_tmp_t etc
-attribute xserver_tmpfile;
-
-# The tmpfsfile attribute identifies all types defined for tmpfs 
-# type transitions. 
-# It is used in TE rules to grant certain domains the ability to
-# access all such files.
-attribute tmpfsfile;
-
-# The home_type attribute identifies all types assigned to home
-# directories.  This attribute is used in TE rules to grant certain
-# domains the ability to access all home directory types.
-attribute home_type;
-
-# This attribute is for the main user home directory /home/user, to
-# distinguish it from sub-dirs.  Often you want a process to be able to
-# read the user home directory but not read the regular directories under it.
-attribute home_dir_type;
-
-# The ttyfile attribute identifies all types assigned to ttys.
-# It is used in TE rules to grant certain domains the ability to
-# access all ttys.
-attribute ttyfile;
-
-# The ptyfile attribute identifies all types assigned to ptys.
-# It is used in TE rules to grant certain domains the ability to
-# access all ptys.
-attribute ptyfile;
-
-# The pidfile attribute identifies all types assigned to pid files.
-# It is used in TE rules to grant certain domains the ability to
-# access all such files.
-attribute pidfile;
-
-
-############################
-# Attributes for network types:
-#
-
-# The socket_type attribute identifies all types assigned to 
-# kernel-created sockets.  Ordinary sockets are assigned the 
-# domain of the creating process.
-# XXX This attribute is unused.  Remove?
-attribute socket_type;
-
-# Identifies all types assigned to port numbers to control binding.
-attribute port_type;
-
-# Identifies all types assigned to reserved port (<1024) numbers to control binding.
-attribute reserved_port_type;
-
-# Identifies all types assigned to network interfaces to control
-# operations on the interface (XXX obsolete, not supported via LSM) 
-# and to control traffic sent or received on the interface.
-attribute netif_type;
-
-# Identifies all default types assigned to packets received 
-# on network interfaces.  
-attribute netmsg_type;
-
-# Identifies all types assigned to network nodes/hosts to control
-# traffic sent to or received from the node.
-attribute node_type;
-
-# Identifier for log files or directories that only exist for log files.
-attribute logfile;
-
-# Identifier for lock files (/var/lock/*) or directories that only exist for
-# lock files.
-attribute lockfile;
-
-
-
-##############################
-# Attributes for security policy types:
-#
-
-# The login_contexts attribute idenitifies the files used
-# to define default contexts for login types (e.g., login, cron).
-attribute login_contexts;
-
-# Identifier for a domain used by "sendmail -t" (IE user_mail_t,
-# sysadm_mail_t, etc)
-attribute user_mail_domain;
-
-# Identifies domains that can transition to system_mail_t
-attribute privmail;
-
-# Type for non-sysadm home directory
-attribute user_home_type;
-
-# For domains that are part of a mail server and need to read user files and
-# fifos, and inherit file handles to enable user email to get to the mail
-# spool
-attribute mta_user_agent;
-
-# For domains that are part of a mail server for delivering messages to the
-# user
-attribute mta_delivery_agent;
-
-# For domains that make outbound TCP port 25 connections to send mail from the
-# mail server.
-attribute mail_server_sender;
-
-# For a mail server process that takes TCP connections on port 25
-attribute mail_server_domain;
-
-# For web clients such as netscape and squid
-attribute web_client_domain;
-
-# For X Window System server domains
-attribute xserver;
-
-# For X Window System client domains
-attribute xclient;
-
-# For X Window System protocol extensions
-attribute xextension;
-
-# For X Window System property types
-attribute xproperty;
-
-#
-# For file systems that do not have extended attributes but need to be
-# r/w by users
-#
-attribute noexattrfile;
-
-#
-# For filetypes that the usercan read
-#
-attribute usercanread;
-
-#
-# For serial devices
-#
-attribute serial_device;
-
-# Attribute to designate unrestricted access
-attribute unrestricted;
-
-# Attribute to designate can transition to unconfined_t
-attribute unconfinedtrans;
-
-# For clients of nscd.
-attribute nscd_client_domain;
-
-# For clients of nscd that can use shmem interface.
-attribute nscd_shmem_domain;
-
-# For labeling of content for httpd.  This attribute is only used by
-# the httpd_unified domain, which says treat all httpdcontent the
-# same.  If you want content to be served in a "non-unified" system
-# you must specifically add "r_dir_file(httpd_t, your_content_t)" to
-# your policy.
-attribute httpdcontent;
-
-# For labeling of domains whos transition can be disabled
-attribute transitionbool;
-
-# For labeling of file_context domains which users can change files to rather
-# then the default file context.  These file_context can survive a relabeling
-# of the file system.
-attribute customizable;
-
-##############################
-# Attributes for polyinstatiation support:
-#
-
-# For labeling types that are to be polyinstantiated
-attribute polydir;
-
-# And for labeling the parent directories of those polyinstantiated directories
-# This is necessary for remounting the original in the parent to give
-# security aware apps access
-attribute polyparent;
-
-# And labeling for the member directories
-attribute polymember;
-
diff --git a/strict/constraints b/strict/constraints
deleted file mode 100644
index 46a9875..0000000
--- a/strict/constraints
+++ /dev/null
@@ -1,83 +0,0 @@
-#
-# Define m4 macros for the constraints
-#
-
-#
-# Define the constraints
-#
-# constrain class_set perm_set expression ;
-#
-# validatetrans class_set expression ;
-#
-# expression : ( expression )
-#	     | not expression
-#	     | expression and expression
-#	     | expression or expression
-#	     | u1 op u2
-#	     | r1 role_mls_op r2
-#	     | t1 op t2
-#	     | l1 role_mls_op l2
-#	     | l1 role_mls_op h2
-#	     | h1 role_mls_op l2
-#	     | h1 role_mls_op h2
-#	     | l1 role_mls_op h1
-#	     | l2 role_mls_op h2
-#	     | u1 op names
-#	     | u2 op names
-#	     | r1 op names
-#	     | r2 op names
-#	     | t1 op names
-#	     | t2 op names
-#	     | u3 op names (NOTE: this is only available for validatetrans)
-#	     | r3 op names (NOTE: this is only available for validatetrans)
-#	     | t3 op names (NOTE: this is only available for validatetrans)
-#
-# op : == | !=
-# role_mls_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name#
-#
-
-#
-# Restrict the ability to transition to other users
-# or roles to a few privileged types.
-#
-
-constrain process transition
-	( u1 == u2 or ( t1 == privuser and t2 == userdomain )
-ifdef(`crond.te', `
-         or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u))
-')
-ifdef(`userhelper.te', 
-	`or (t1 == userhelperdomain)')
-	 or (t1 == priv_system_role and u2 == system_u )
-        );
-
-constrain process transition 
-	( r1 == r2 or ( t1 == privrole and t2 == userdomain )
-ifdef(`crond.te', `
-         or (t1 == crond_t and t2 == user_crond_domain)
-')
-ifdef(`userhelper.te', 
-	`or (t1 == userhelperdomain)')
-ifdef(`postfix.te', `
-ifdef(`direct_sysadm_daemon',
-	`or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )')
-')
-	 or (t1 == priv_system_role and r2 == system_r )
-        );
-
-constrain process dyntransition
-	( u1 == u2 and r1 == r2);
-
-#
-# Restrict the ability to label objects with other
-# user identities to a few privileged types.
-#
-
-constrain dir_file_class_set { create relabelto relabelfrom } 
-	( u1 == u2 or t1 == privowner );
-
-constrain socket_class_set { create relabelto relabelfrom } 
-	( u1 == u2 or t1 == privowner );
diff --git a/strict/domains/admin.te b/strict/domains/admin.te
deleted file mode 100644
index bc29a78..0000000
--- a/strict/domains/admin.te
+++ /dev/null
@@ -1,43 +0,0 @@
-#DESC Admin - Domains for administrators.
-#
-#################################
-
-# sysadm_t is the system administrator domain.
-type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome, etc_writer, privmodule, nscd_client_domain
-ifdef(`direct_sysadm_daemon', `, priv_system_role')
-; dnl end of sysadm_t type declaration
-
-allow privhome home_root_t:dir { getattr search };
-
-# system_r is authorized for sysadm_t for single-user mode.
-role system_r types sysadm_t; 
-
-general_proc_read_access(sysadm_t)
-
-# sysadm_t is also granted permissions specific to administrator domains.
-admin_domain(sysadm)
-
-# for su
-allow sysadm_t userdomain:fd use;
-
-ifdef(`separate_secadm', `', `
-security_manager_domain(sysadm_t)
-')
-
-# Add/remove user home directories
-file_type_auto_trans(sysadm_t, home_root_t, user_home_dir_t, dir)
-
-limited_user_role(secadm)
-typeattribute secadm_t admin;
-role secadm_r types secadm_t; 
-security_manager_domain(secadm_t)
-r_dir_file(secadm_t, { var_t var_log_t })
-
-typeattribute secadm_tty_device_t admin_tty_type;
-typeattribute secadm_devpts_t admin_tty_type;
-
-bool allow_ptrace false;
-
-if (allow_ptrace) {
-can_ptrace(sysadm_t, domain)
-}
diff --git a/strict/domains/misc/auth-net.te b/strict/domains/misc/auth-net.te
deleted file mode 100644
index e954a9b..0000000
--- a/strict/domains/misc/auth-net.te
+++ /dev/null
@@ -1,3 +0,0 @@
-#DESC Policy for using network servers for authenticating users (IE PAM-LDAP)
-
-can_network(auth)
diff --git a/strict/domains/misc/fcron.te b/strict/domains/misc/fcron.te
deleted file mode 100644
index 57209be..0000000
--- a/strict/domains/misc/fcron.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC fcron - additions to cron policy for a more powerful cron program
-#
-# Domain for fcron, a more powerful cron program.
-#
-# Needs cron.te installed.
-#
-# Author: Russell Coker <russell@coker.com.au>
-
-# Use capabilities.
-allow crond_t self:capability { dac_override dac_read_search };
-
-# differences between r_dir_perms and rw_dir_perms
-allow crond_t cron_spool_t:dir { add_name remove_name write };
-
-ifdef(`mta.te', `
-# not sure why we need write access, but Postfix does not work without it
-# I will have to change fcron to avoid the need for this
-allow { system_mail_t mta_user_agent } cron_spool_t:file { read write getattr };
-')
-
-ifdef(`distro_debian', `
-can_exec(dpkg_t, crontab_exec_t)
-file_type_auto_trans(dpkg_t, cron_spool_t, sysadm_cron_spool_t, file)
-')
-
-rw_dir_create_file(crond_t, cron_spool_t)
-can_setfscreate(crond_t)
-
-# for /var/run/fcron.fifo
-file_type_auto_trans(crond_t, var_run_t, crond_var_run_t, sock_file)
diff --git a/strict/domains/misc/kernel.te b/strict/domains/misc/kernel.te
deleted file mode 100644
index c0d017c..0000000
--- a/strict/domains/misc/kernel.te
+++ /dev/null
@@ -1,75 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-#################################
-#
-# Rules for the kernel_t domain.
-#
-
-#
-# kernel_t is the domain of kernel threads.
-# It is also the target type when checking permissions in the system class.
-# 
-type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ;
-role system_r types kernel_t;
-general_domain_access(kernel_t)
-general_proc_read_access(kernel_t)
-base_file_read_access(kernel_t)
-uses_shlib(kernel_t)
-can_exec(kernel_t, shell_exec_t)
-
-# Use capabilities.
-allow kernel_t self:capability *;
-
-r_dir_file(kernel_t, sysfs_t)
-allow kernel_t { usbfs_t usbdevfs_t }:dir search;
-
-# Run init in the init_t domain.
-domain_auto_trans(kernel_t, init_exec_t, init_t)
-
-ifdef(`mls_policy', `
-# run init with maximum MLS range
-range_transition kernel_t init_exec_t s0 - s9:c0.c255;
-')
-
-# Share state with the init process.
-allow kernel_t init_t:process share;
-
-# Mount and unmount file systems.
-allow kernel_t fs_type:filesystem mount_fs_perms;
-
-# Send signal to any process.
-allow kernel_t domain:process signal;
-allow kernel_t domain:dir search;
-
-# Access the console.
-allow kernel_t device_t:dir search;
-allow kernel_t console_device_t:chr_file rw_file_perms;
-
-# Access the initrd filesystem.
-allow kernel_t file_t:chr_file rw_file_perms;
-can_exec(kernel_t, file_t)
-ifdef(`chroot.te', `
-can_exec(kernel_t, chroot_exec_t)
-')
-allow kernel_t self:capability sys_chroot;
-
-allow kernel_t { unlabeled_t root_t file_t }:dir mounton;
-allow kernel_t unlabeled_t:fifo_file rw_file_perms;
-allow kernel_t file_t:dir rw_dir_perms;
-allow kernel_t file_t:blk_file create_file_perms;
-allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };
-
-# Lookup the policy.
-allow kernel_t policy_config_t:dir r_dir_perms;
-
-# Load the policy configuration.
-can_loadpol(kernel_t)
-
-# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
-can_exec(kernel_t, bin_t)
-
-ifdef(`targeted_policy', `
-unconfined_domain(kernel_t)
-')
diff --git a/strict/domains/misc/local.te b/strict/domains/misc/local.te
deleted file mode 100644
index cedba3c..0000000
--- a/strict/domains/misc/local.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# Local customization of existing policy should be done in this file.  
-# If you are creating brand new policy for a new "target" domain, you
-# need to create a type enforcement (.te) file in domains/program
-# and a file context (.fc) file in file_context/program.
-
diff --git a/strict/domains/misc/startx.te b/strict/domains/misc/startx.te
deleted file mode 100644
index 16c4910..0000000
--- a/strict/domains/misc/startx.te
+++ /dev/null
@@ -1,7 +0,0 @@
-#DESC startx - policy for running an X server from a user domain
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-# Everything is in the macro files
-
diff --git a/strict/domains/misc/userspace_objmgr.te b/strict/domains/misc/userspace_objmgr.te
deleted file mode 100644
index ae3b205..0000000
--- a/strict/domains/misc/userspace_objmgr.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC Userspace Object Managers
-#
-#################################
-
-# Get our own security context.
-can_getcon(userspace_objmgr)
-# Get security decisions via selinuxfs.
-can_getsecurity(userspace_objmgr)
-# Read /etc/selinux
-r_dir_file(userspace_objmgr, { selinux_config_t default_context_t })
-# Receive notifications of policy reloads and enforcing status changes.
-allow userspace_objmgr self:netlink_selinux_socket { create bind read };
-
diff --git a/strict/domains/misc/xclient.te b/strict/domains/misc/xclient.te
deleted file mode 100644
index ae4552f..0000000
--- a/strict/domains/misc/xclient.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#
-# Authors:  Eamon Walsh <ewalsh@epoch.ncsc.mil>
-#
-
-#######################################
-#
-# Domains for the SELinux-enabled X Window System
-#
-
-#
-# Domain for all non-local X clients
-#
-type remote_xclient_t, domain;
-in_user_role(remote_xclient_t)
diff --git a/strict/domains/program/NetworkManager.te b/strict/domains/program/NetworkManager.te
deleted file mode 100644
index e4efdd6..0000000
--- a/strict/domains/program/NetworkManager.te
+++ /dev/null
@@ -1,112 +0,0 @@
-#DESC NetworkManager - 
-#
-# Authors: Dan Walsh <dwalsh@redhat.com>
-#
-#
-
-#################################
-#
-# Rules for the NetworkManager_t domain.
-#
-# NetworkManager_t is the domain for the NetworkManager daemon. 
-# NetworkManager_exec_t is the type of the NetworkManager executable.
-#
-daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod, mlsfileread' )
-
-can_network(NetworkManager_t)
-allow NetworkManager_t port_type:tcp_socket name_connect;
-allow NetworkManager_t { isakmp_port_t dhcpc_port_t }:udp_socket name_bind;
-allow NetworkManager_t dhcpc_t:process signal;
-
-can_ypbind(NetworkManager_t)
-uses_shlib(NetworkManager_t)
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module ipc_lock};
-
-allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
-
-allow NetworkManager_t self:process { setcap getsched };
-allow NetworkManager_t self:fifo_file rw_file_perms;
-allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
-allow NetworkManager_t self:file { getattr read };
-allow NetworkManager_t self:packet_socket create_socket_perms;
-allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
-
-
-#
-# Communicate with Caching Name Server
-#
-ifdef(`named.te', `
-allow NetworkManager_t named_zone_t:dir search;
-rw_dir_create_file(NetworkManager_t, named_cache_t)
-domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
-allow named_t NetworkManager_t:udp_socket { read write };
-allow named_t NetworkManager_t:netlink_route_socket { read write };
-allow NetworkManager_t named_t:process signal;
-allow named_t NetworkManager_t:packet_socket { read write };
-')
-
-allow NetworkManager_t selinux_config_t:dir search;
-allow NetworkManager_t selinux_config_t:file { getattr read };
-
-ifdef(`dbusd.te', `
-dbusd_client(system, NetworkManager)
-allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow NetworkManager_t self:dbus send_msg;
-ifdef(`hald.te', `
-allow NetworkManager_t hald_t:dbus send_msg;
-allow hald_t NetworkManager_t:dbus send_msg;
-')
-allow NetworkManager_t initrc_t:dbus send_msg;
-allow initrc_t NetworkManager_t:dbus send_msg;
-ifdef(`targeted_policy', `
-allow NetworkManager_t unconfined_t:dbus send_msg;
-allow unconfined_t NetworkManager_t:dbus send_msg;
-')
-allow NetworkManager_t userdomain:dbus send_msg;
-allow userdomain NetworkManager_t:dbus send_msg;
-')
-
-allow NetworkManager_t usr_t:file { getattr read };
-
-ifdef(`ifconfig.te', `
-domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
-')dnl end if def ifconfig
-
-allow NetworkManager_t { sbin_t bin_t }:dir search;
-allow NetworkManager_t bin_t:lnk_file read;
-can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t })
-
-# in /etc created by NetworkManager will be labelled net_conf_t.
-file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
-
-allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
-allow NetworkManager_t proc_t:file { getattr read };
-r_dir_file(NetworkManager_t, proc_net_t)
-
-allow NetworkManager_t { domain -unrestricted }:dir search;
-allow NetworkManager_t { domain -unrestricted }:file { getattr read };
-dontaudit NetworkManager_t unrestricted:dir search;
-dontaudit NetworkManager_t unrestricted:file { getattr read };
-
-allow NetworkManager_t howl_t:process signal;
-allow NetworkManager_t initrc_var_run_t:file { getattr read };
-
-domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
-allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
-# allow vpnc connections
-allow NetworkManager_t self:rawip_socket create_socket_perms;
-allow NetworkManager_t tun_tap_device_t:chr_file rw_file_perms;
-
-domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
-domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
-ifdef(`vpnc.te', `
-domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t)
-')
-
-ifdef(`dhcpc.te', `
-allow NetworkManager_t dhcp_state_t:dir search;
-allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
-')
-allow NetworkManager_t var_lib_t:dir search;
-dontaudit NetworkManager_t user_tty_type:chr_file { read write };
-dontaudit NetworkManager_t security_t:dir search;
diff --git a/strict/domains/program/acct.te b/strict/domains/program/acct.te
deleted file mode 100644
index bbb4fdc..0000000
--- a/strict/domains/program/acct.te
+++ /dev/null
@@ -1,66 +0,0 @@
-#DESC Acct - BSD process accounting
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: acct
-#
-
-#################################
-#
-# Rules for the acct_t domain.
-#
-# acct_exec_t is the type of the acct executable.
-#
-daemon_base_domain(acct)
-ifdef(`crond.te', `
-system_crond_entry(acct_exec_t, acct_t)
-
-# for monthly cron job
-file_type_auto_trans(acct_t, var_log_t, wtmp_t, file)
-')
-
-# for SSP
-allow acct_t urandom_device_t:chr_file read;
-
-type acct_data_t, file_type, logfile, sysadmfile;
-
-# not sure why we need this, the command "last" is reported as using it
-dontaudit acct_t self:capability kill;
-
-# gzip needs chown capability for some reason
-allow acct_t self:capability { chown fsetid sys_pacct };
-
-allow acct_t var_t:dir { getattr search };
-rw_dir_create_file(acct_t, acct_data_t)
-
-can_exec(acct_t, { shell_exec_t bin_t initrc_exec_t acct_exec_t })
-allow acct_t { bin_t sbin_t }:dir search;
-allow acct_t bin_t:lnk_file read;
-
-read_locale(acct_t)
-
-allow acct_t fs_t:filesystem getattr;
-
-allow acct_t self:unix_stream_socket create_socket_perms;
-
-allow acct_t self:fifo_file { read write getattr };
-
-allow acct_t { self proc_t }:file { read getattr };
-
-read_sysctl(acct_t)
-
-dontaudit acct_t sysadm_home_dir_t:dir { getattr search };
-
-# for nscd
-dontaudit acct_t var_run_t:dir search;
-
-
-allow acct_t devtty_t:chr_file { read write };
-
-allow acct_t { etc_t etc_runtime_t }:file { read getattr };
-
-ifdef(`logrotate.te', `
-domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
-rw_dir_create_file(logrotate_t, acct_data_t)
-can_exec(logrotate_t, acct_data_t)
-')
-
diff --git a/strict/domains/program/alsa.te b/strict/domains/program/alsa.te
deleted file mode 100644
index ab80475..0000000
--- a/strict/domains/program/alsa.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#DESC       ainit - configuration tool for ALSA
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-#
-type alsa_t, domain, privlog, daemon;
-type alsa_exec_t, file_type, sysadmfile, exec_type;
-uses_shlib(alsa_t)
-allow alsa_t { unpriv_userdomain self }:sem  create_sem_perms;
-allow alsa_t { unpriv_userdomain self }:shm  create_shm_perms;
-allow alsa_t self:unix_stream_socket create_stream_socket_perms;
-allow alsa_t self:unix_dgram_socket create_socket_perms;
-allow unpriv_userdomain alsa_t:sem { unix_read unix_write associate read write };
-allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms };
-
-type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
-rw_dir_create_file(alsa_t,alsa_etc_rw_t)
-allow alsa_t self:capability { setgid setuid ipc_owner };
-dontaudit alsa_t self:capability sys_admin;
-allow alsa_t devpts_t:chr_file { read write };
-allow alsa_t etc_t:file { getattr read };
-domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
-role system_r types alsa_t;
-read_locale(alsa_t) 
diff --git a/strict/domains/program/amanda.te b/strict/domains/program/amanda.te
deleted file mode 100644
index 4b63f5f..0000000
--- a/strict/domains/program/amanda.te
+++ /dev/null
@@ -1,284 +0,0 @@
-#DESC Amanda - Automated backup program
-#
-# This policy file sets the rigths for amanda client started by inetd_t
-# and amrecover 
-#
-# X-Debian-Packages: amanda-common amanda-server
-# Depends: inetd.te
-# Author     :  Carsten Grohmann <carstengrohmann@gmx.de>
-#
-# License    :  GPL
-#
-# last change:  27. August 2002
-#
-# state      :  complete and tested
-#
-# Hints      :
-#  - amanda.fc is the appendant file context file
-#  - If you use amrecover please extract the files and directories to the
-#    directory speficified in amanda.fc as type amanda_recover_dir_t.
-#  - The type amanda_user_exec_t is defined to label the files but not used.
-#    This configuration works only as an client and a amanda client does not need
-#    this programs.
-#
-# Enhancements/Corrections:
-#  - set tighter permissions to /bin/tar instead bin_t 
-
-##############################################################################
-# AMANDA CLIENT DECLARATIONS
-##############################################################################
-
-# General declarations
-######################
-
-type amanda_t, domain, privlog, auth, fs_domain, nscd_client_domain;
-role system_r types amanda_t;
-
-# type for the amanda executables
-type amanda_exec_t, file_type, sysadmfile, exec_type;
-
-# type for the amanda executables started by inetd
-type amanda_inetd_exec_t, file_type, sysadmfile, exec_type;
-
-# type for amanda configurations files
-type amanda_config_t, file_type, sysadmfile;
-
-# type for files in /usr/lib/amanda
-type amanda_usr_lib_t, file_type, sysadmfile;
-
-# type for all files in /var/lib/amanda
-type amanda_var_lib_t, file_type, sysadmfile;
-
-# type for all files in /var/lib/amanda/gnutar-lists/
-type amanda_gnutarlists_t, file_type, sysadmfile;
-
-# type for user startable files
-type amanda_user_exec_t, file_type, sysadmfile, exec_type;
-
-# type for same awk and other scripts
-type amanda_script_exec_t, file_type, sysadmfile, exec_type;
-
-# type for the shell configuration files 
-type amanda_shellconfig_t, file_type, sysadmfile;
-
-tmp_domain(amanda)
- 
-# type for /etc/amandates
-type amanda_amandates_t, file_type, sysadmfile;
-
-# type for /etc/dumpdates
-type amanda_dumpdates_t, file_type, sysadmfile;
-
-# type for amanda data
-type amanda_data_t, file_type, sysadmfile;
-
-# Domain transitions
-####################
-
-domain_auto_trans(inetd_t, amanda_inetd_exec_t, amanda_t)
-
-
-##################
-# File permissions
-##################
-
-# configuration files -> read only
-allow amanda_t amanda_config_t:file { getattr read };
-
-# access to amanda_amandates_t
-allow amanda_t amanda_amandates_t:file { getattr lock read write };
-
-# access to amanda_dumpdates_t
-allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
-
-# access to amandas data structure
-allow amanda_t amanda_data_t:dir { read search write };
-allow amanda_t amanda_data_t:file { read write };
-
-# access to proc_t
-allow amanda_t proc_t:file { getattr read };
-
-# access to etc_t and similar
-allow amanda_t etc_t:file { getattr read };
-allow amanda_t etc_runtime_t:file { getattr read };
-
-# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
-rw_dir_create_file(amanda_t, amanda_gnutarlists_t)
-
-# access to device_t and similar
-allow amanda_t devtty_t:chr_file { read write };
-
-# access to fs_t
-allow amanda_t fs_t:filesystem getattr;
-
-# access to sysctl_kernel_t ( proc/sys/kernel/* )
-read_sysctl(amanda_t)
-
-#####################
-# process permissions
-#####################
-
-# Allow to use shared libs
-uses_shlib(amanda_t)
-
-# Allow to execute a amanda executable file
-allow amanda_t amanda_exec_t:file { execute execute_no_trans getattr read };	
-
-# Allow to run a shell
-allow amanda_t shell_exec_t:file { execute execute_no_trans getattr read };
-
-# access to bin_t (tar)
-allow amanda_t bin_t:file { execute execute_no_trans };
-
-allow amanda_t self:capability { chown dac_override setuid };
-allow amanda_t self:process { fork sigchld setpgid signal };
-allow amanda_t self:dir search;
-allow amanda_t self:file { getattr read };
-
-
-###################################
-# Network and process communication
-###################################
-
-can_network_server(amanda_t);
-can_ypbind(amanda_t);
-can_exec(amanda_t, sbin_t);
-	
-allow amanda_t self:fifo_file { getattr read write ioctl lock };
-allow amanda_t self:unix_stream_socket create_stream_socket_perms;
-allow amanda_t self:unix_dgram_socket create_socket_perms;
-
-
-##########################
-# Communication with inetd
-##########################
-
-allow amanda_t inetd_t:udp_socket { read write };
-
-
-###################
-# inetd permissions
-###################
-
-allow inetd_t amanda_usr_lib_t:dir search;
-
-
-########################
-# Access to to save data
-########################
-
-# access to user_home_t
-allow amanda_t user_home_type:file { getattr read };
-
-##############################################################################
-# AMANDA RECOVER DECLARATIONS
-##############################################################################
-
-
-# General declarations
-######################
-
-# type for amrecover
-type amanda_recover_t, domain;
-role sysadm_r types amanda_recover_t;
-role system_r types amanda_recover_t;
-
-# exec types for amrecover 
-type amanda_recover_exec_t, file_type, sysadmfile, exec_type;
-
-# type for recover files ( restored data )
-type amanda_recover_dir_t, file_type, sysadmfile;
-file_type_auto_trans(amanda_recover_t, sysadm_home_dir_t, amanda_recover_dir_t)
-
-# domain transsition
-domain_auto_trans(sysadm_t, amanda_recover_exec_t, amanda_recover_t)
-
-# file type auto trans to write debug messages
-file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t)
-
-
-# amanda recover process permissions
-####################################
-
-uses_shlib(amanda_recover_t)
-allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
-can_exec(amanda_recover_t, shell_exec_t)
-allow amanda_recover_t privfd:fd use;
-
-
-# amrecover network and process communication
-#############################################
-
-can_network(amanda_recover_t);
-allow amanda_recover_t amanda_port_t:tcp_socket name_connect;
-can_ypbind(amanda_recover_t);
-read_locale(amanda_recover_t);
-
-allow amanda_recover_t self:fifo_file { getattr ioctl read write };
-allow amanda_recover_t self:unix_stream_socket { connect create read write };
-allow amanda_recover_t var_log_t:dir search;
-rw_dir_create_file(amanda_recover_t, amanda_log_t)
-
-# amrecover file permissions
-############################
-
-# access to etc_t and similar
-allow amanda_recover_t etc_t:dir search;
-allow amanda_recover_t etc_t:file { getattr read };
-allow amanda_recover_t etc_runtime_t:file { getattr read };
-
-# access to amanda_recover_dir_t
-allow amanda_recover_t amanda_recover_dir_t:dir { add_name remove_name search write };
-allow amanda_recover_t amanda_recover_dir_t:file { append create getattr setattr unlink };
-
-# access to var_t and var_run_t
-allow amanda_recover_t var_t:dir search;
-allow amanda_recover_t var_run_t:dir search;
-
-# access to proc_t
-allow amanda_recover_t proc_t:dir search;
-allow amanda_recover_t proc_t:file { getattr read };
-
-# access to sysctl_kernel_t
-read_sysctl(amanda_recover_t)
-
-# access to dev_t and similar
-allow amanda_recover_t device_t:dir search;
-allow amanda_recover_t devtty_t:chr_file { read write };
-allow amanda_recover_t null_device_t:chr_file { getattr write };
-
-# access to bin_t
-allow amanda_recover_t bin_t:file { execute execute_no_trans };
-
-# access to sysadm_home_t and sysadm_home_dir_t to start amrecover 
-# in the sysadm home directory
-allow amanda_recover_t { sysadm_home_dir_t sysadm_home_t }:dir { search getattr };
-
-# access to use sysadm_tty_device_t (/dev/tty?)
-allow amanda_recover_t sysadm_tty_device_t:chr_file { getattr ioctl read write };
-
-# access to amanda_tmp_t and tmp_t
-allow amanda_recover_t amanda_tmp_t:dir { add_name remove_name search write };
-allow amanda_recover_t amanda_tmp_t:file { append create getattr setattr unlink };
-allow amanda_recover_t tmp_t:dir search;
-
-#
-#  Rules to allow amanda to be run as a service in xinetd
-#
-allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
-
-#amanda needs to look at fs_type directories to decide whether it should backup
-allow amanda_t { fs_type file_type }:dir {getattr read search };
-allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
-allow amanda_t device_type:{ blk_file chr_file } getattr;
-allow amanda_t fixed_disk_device_t:blk_file read;
-domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)
-
-allow amanda_t file_type:sock_file getattr;
-logdir_domain(amanda)
-
-dontaudit amanda_t proc_t:lnk_file read;
-dontaudit amanda_t unlabeled_t:file getattr;
-#amanda wants to check attributes on fifo_files
-allow amanda_t file_type:fifo_file getattr;
diff --git a/strict/domains/program/anaconda.te b/strict/domains/program/anaconda.te
deleted file mode 100644
index 175947d..0000000
--- a/strict/domains/program/anaconda.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC Anaconda - Red Hat Installation program
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com>
-#
-#
-
-#################################
-#
-# Rules for the anaconda_t domain.
-#
-# anaconda_t is the domain of the installation program
-#
-type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer;
-role system_r types anaconda_t;
-unconfined_domain(anaconda_t)
-
-role system_r types ldconfig_t;
-domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
-
-# Run other rc scripts in the anaconda_t domain.
-domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)
-
-ifdef(`dmesg.te', `
-domain_auto_trans(anaconda_t, dmesg_exec_t, dmesg_t)
-')
-
-ifdef(`distro_redhat', `
-file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file)
-')
-
-ifdef(`rpm.te', `
-# Access /var/lib/rpm.
-domain_auto_trans(anaconda_t, rpm_exec_t, rpm_t)
-')
-
-file_type_auto_trans(anaconda_t, var_log_t, var_log_ksyms_t, file)
-
-ifdef(`udev.te', `
-domain_auto_trans(anaconda_t, udev_exec_t, udev_t)
-')
-
-ifdef(`ssh-agent.te', `
-role system_r types sysadm_ssh_agent_t;
-domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
-')
-ifdef(`passwd.te', `
-domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t)
-')
diff --git a/strict/domains/program/apache.te b/strict/domains/program/apache.te
deleted file mode 100644
index 116069b..0000000
--- a/strict/domains/program/apache.te
+++ /dev/null
@@ -1,409 +0,0 @@
-#DESC Apache - Web server
-#
-# X-Debian-Packages: apache2-common apache
-#
-###############################################################################
-#
-# Policy file for running the Apache web server
-#
-# NOTES: 
-#  This policy will work with SUEXEC enabled as part of the Apache
-#  configuration. However, the user CGI scripts will run under the
-#  system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
-#  of the creating user.
-#
-#  The user CGI scripts must be labeled with the httpd_$1_script_exec_t
-#  type, and the directory containing the scripts should also be labeled
-#  with these types. This policy allows user_r role to perform that 
-#  relabeling. If it is desired that only sysadm_r should be able to relabel
-#  the user CGI scripts, then relabel rule for user_r should be removed.
-#
-###############################################################################
-
-define(`httpd_home_dirs', `
-r_dir_file(httpd_t, $1)
-r_dir_file(httpd_suexec_t, $1)
-can_exec(httpd_suexec_t, $1)
-')
-
-bool httpd_unified false;
-
-# Allow httpd to use built in scripting (usually php)
-bool httpd_builtin_scripting false;
-
-# Allow httpd cgi support
-bool httpd_enable_cgi false;
-
-# Allow httpd to read home directories
-bool httpd_enable_homedirs false;
-
-# Run SSI execs in system CGI script domain.
-bool httpd_ssi_exec false;
-
-# Allow http daemon to communicate with the TTY
-bool httpd_tty_comm false;
-
-# Allow http daemon to tcp connect 
-bool httpd_can_network_connect false;
-
-#########################################################
-# Apache types
-#########################################################
-# httpd_config_t is the type given to the configuration
-# files for apache /etc/httpd/conf
-#
-type httpd_config_t, file_type, sysadmfile;
-
-# httpd_modules_t is the type given to module files (libraries) 
-# that come with Apache /etc/httpd/modules and /usr/lib/apache
-#
-type httpd_modules_t, file_type, sysadmfile;
-
-# httpd_cache_t is the type given to the /var/cache/httpd
-# directory and the files under that directory
-#
-type httpd_cache_t, file_type, sysadmfile;
-
-# httpd_exec_t is the type give to the httpd executable.
-#
-daemon_domain(httpd, `, privmail, nscd_client_domain')
-
-append_logdir_domain(httpd)
-#can read /etc/httpd/logs
-allow httpd_t httpd_log_t:lnk_file read;
-
-# For /etc/init.d/apache2 reload
-can_tcp_connect(httpd_t, httpd_t)
-
-can_tcp_connect(web_client_domain, httpd_t)
-
-can_exec(httpd_t, httpd_exec_t)
-file_type_auto_trans(httpd_t, var_run_t, httpd_var_run_t, sock_file)
-
-general_domain_access(httpd_t)
-
-allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
-
-read_sysctl(httpd_t)
-
-allow httpd_t crypt_device_t:chr_file rw_file_perms;
-
-# for modules that want to access /etc/mtab and /proc/meminfo
-allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
-
-uses_shlib(httpd_t)
-allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
-allow httpd_t usr_t:lnk_file { getattr read };
-
-# for apache2 memory mapped files
-var_lib_domain(httpd)
-
-# for tomcat
-r_dir_file(httpd_t, var_lib_t)
-
-# execute perl
-allow httpd_t { bin_t sbin_t }:dir r_dir_perms;
-can_exec(httpd_t, { bin_t sbin_t })
-allow httpd_t bin_t:lnk_file read;
-
-########################################
-# Set up networking
-########################################
-
-can_network_server(httpd_t)
-can_kerberos(httpd_t)
-can_resolve(httpd_t)
-nsswitch_domain(httpd_t)
-allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
-# allow httpd to connect to mysql/posgresql 
-allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
-# allow httpd to work as a relay
-allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
-
-if (httpd_can_network_connect) {
-can_network_client(httpd_t)
-allow httpd_t port_type:tcp_socket name_connect;
-}
-
-##########################################
-# Legacy: remove when it's fixed         #
-# Allow libphp5.so with text relocations #
-##########################################
-allow httpd_t texrel_shlib_t:file execmod;
-
-#########################################
-# Allow httpd to search users directories
-#########################################
-allow httpd_t home_root_t:dir { getattr search };
-dontaudit httpd_t sysadm_home_dir_t:dir getattr;
-
-############################################################################
-# Allow the httpd_t the capability to bind to a port and various other stuff
-############################################################################
-allow httpd_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
-dontaudit httpd_t self:capability net_admin;
-
-#################################################
-# Allow the httpd_t to read the web servers config files
-###################################################
-r_dir_file(httpd_t, httpd_config_t)
-# allow logrotate to read the config files for restart
-ifdef(`logrotate.te', `
-r_dir_file(logrotate_t, httpd_config_t)
-domain_auto_trans(logrotate_t, httpd_exec_t, httpd_t)
-allow logrotate_t httpd_t:process signull;
-')
-r_dir_file(initrc_t, httpd_config_t)
-##################################################
-
-###############################
-# Allow httpd_t to put files in /var/cache/httpd etc
-##############################
-create_dir_file(httpd_t, httpd_cache_t)
-
-###############################
-# Allow httpd_t to access the tmpfs file system
-##############################
-tmpfs_domain(httpd)
-
-#####################
-# Allow httpd_t to access
-# libraries for its modules
-###############################
-allow httpd_t httpd_modules_t:file rx_file_perms;
-allow httpd_t httpd_modules_t:dir r_dir_perms;
-allow httpd_t httpd_modules_t:lnk_file r_file_perms;
-
-######################################################################
-# Allow initrc_t to access the Apache modules directory.
-######################################################################
-allow initrc_t httpd_modules_t:dir r_dir_perms;
-
-##############################################
-# Allow httpd_t to have access to files
-# such as nisswitch.conf
-# need ioctl for php
-###############################################
-allow httpd_t etc_t:file { read getattr ioctl };
-allow httpd_t etc_t:lnk_file { getattr read };
-
-# setup the system domain for system CGI scripts
-apache_domain(sys)
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
-
-# Run SSI execs in system CGI script domain.
-if (httpd_ssi_exec) {
-domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t)
-}
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
-##################################################
-#
-# PHP Directives
-##################################################
-
-type httpd_php_exec_t, file_type, sysadmfile, exec_type;
-type httpd_php_t, domain;
-
-# Transition from the user domain to this domain.
-domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t)
-
-# The system role is authorized for this domain.
-role system_r types httpd_php_t;
-
-general_domain_access(httpd_php_t)
-uses_shlib(httpd_php_t)
-can_exec(httpd_php_t, lib_t)
-
-# allow php to read and append to apache logfiles
-allow httpd_php_t httpd_log_t:file ra_file_perms;
-
-# access to /tmp
-tmp_domain(httpd)
-tmp_domain(httpd_php)
-
-# Creation of lock files for apache2
-lock_domain(httpd)
-
-# Allow apache to used public_content_t
-anonymous_domain(httpd)
-
-# connect to mysql
-ifdef(`mysqld.te', `
-can_unix_connect(httpd_php_t, mysqld_t)
-can_unix_connect(httpd_t, mysqld_t)
-can_unix_connect(httpd_sys_script_t, mysqld_t)
-allow httpd_php_t mysqld_var_run_t:dir search;
-allow httpd_php_t mysqld_var_run_t:sock_file write;
-allow { httpd_t httpd_sys_script_t } mysqld_db_t:dir search;
-allow { httpd_t httpd_sys_script_t } mysqld_db_t:sock_file rw_file_perms;
-allow { httpd_t httpd_sys_script_t } mysqld_var_run_t:sock_file rw_file_perms;
-')
-allow httpd_t bin_t:dir search;
-allow httpd_t sbin_t:dir search;
-allow httpd_t httpd_log_t:dir remove_name;
-
-read_fonts(httpd_t)
-
-allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-
-allow httpd_t autofs_t:dir { search getattr };
-
-if (use_nfs_home_dirs && httpd_enable_homedirs) {
-httpd_home_dirs(nfs_t)
-}
-if (use_samba_home_dirs && httpd_enable_homedirs) {
-httpd_home_dirs(cifs_t)
-}
-
-#
-# Allow users to mount additional directories as http_source
-#
-allow httpd_t mnt_t:dir r_dir_perms;
-
-ifdef(`targeted_policy', `
-typealias httpd_sys_content_t alias httpd_user_content_t;
-typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
-
-if (httpd_enable_homedirs) {
-allow { httpd_t httpd_sys_script_t httpd_suexec_t } user_home_dir_t:dir { getattr search };
-}
-') dnl targeted policy
-
-# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
-typealias httpd_sys_content_t alias httpd_sysadm_content_t;
-
-ifdef(`distro_redhat', `
-#
-# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
-# This is a bug but it still exists in FC2
-#
-typealias httpd_log_t  alias httpd_runtime_t;
-allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append };
-dontaudit httpd_t httpd_runtime_t:file ioctl;
-') dnl distro_redhat
-#
-# Customer reported the following
-#
-ifdef(`snmpd.te', `
-dontaudit httpd_t snmpd_var_lib_t:dir search;
-dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
-', `
-dontaudit httpd_t usr_t:dir write;
-')
-
-application_domain(httpd_helper)
-role system_r types httpd_helper_t;
-domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
-allow httpd_helper_t httpd_config_t:file { getattr read };
-allow httpd_helper_t httpd_log_t:file { append };
-
-########################################
-# When the admin starts the server, the server wants to access
-# the TTY or PTY associated with the session. The httpd appears
-# to run correctly without this permission, so the permission
-# are dontaudited here. 
-##################################################
-
-if (httpd_tty_comm) {
-allow { httpd_t httpd_helper_t } devpts_t:dir search;
-ifdef(`targeted_policy', `
-allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file rw_file_perms;
-')
-allow { httpd_t httpd_helper_t } admin_tty_type:chr_file rw_file_perms;
-} else {
-dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
-}
-
-read_sysctl(httpd_sys_script_t)
-allow httpd_sys_script_t var_lib_t:dir search;
-dontaudit httpd_t selinux_config_t:dir search;
-r_dir_file(httpd_t, cert_t)
-
-#
-# unconfined domain for apache scripts.  Only to be used as a last resort
-#
-type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable;
-type httpd_unconfined_script_t, domain, nscd_client_domain;
-role system_r types httpd_unconfined_script_t;
-unconfined_domain(httpd_unconfined_script_t)
-
-# The following are types for SUEXEC,which runs user scripts as their
-# own user ID
-#
-daemon_sub_domain(httpd_t, httpd_suexec, `, transitionbool')
-allow httpd_t httpd_suexec_exec_t:file { getattr read };
-
-#########################################################
-# Permissions for running child processes and scripts
-##########################################################
-
-allow httpd_suexec_t self:capability { setuid setgid };
-
-dontaudit httpd_suexec_t var_run_t:dir search;
-allow httpd_suexec_t { var_t var_log_t }:dir search;
-allow httpd_suexec_t home_root_t:dir search;
-
-allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
-allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
-allow httpd_suexec_t httpd_t:fifo_file getattr;
-allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
-
-allow httpd_suexec_t etc_t:file { getattr read };
-read_locale(httpd_suexec_t)
-read_sysctl(httpd_suexec_t)
-allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
-
-# for shell scripts
-allow httpd_suexec_t bin_t:dir search;
-allow httpd_suexec_t bin_t:lnk_file read;
-can_exec(httpd_suexec_t, { bin_t shell_exec_t })
-
-if (httpd_can_network_connect) {
-can_network(httpd_suexec_t)
-allow httpd_suexec_t port_type:tcp_socket name_connect;
-}
-
-can_ypbind(httpd_suexec_t)
-allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
-
-allow httpd_suexec_t autofs_t:dir { search getattr };
-tmp_domain(httpd_suexec)
-
-if (httpd_enable_cgi && httpd_unified) {
-domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
-')
-}
-if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting) {
-domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
-create_dir_file(httpd_t, httpdcontent)
-}
-if (httpd_enable_cgi) {
-domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
-domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
-allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
-allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
-}
-
-#
-# Types for squirrelmail
-#
-type httpd_squirrelmail_t, file_type, sysadmfile;
-create_dir_file(httpd_t, httpd_squirrelmail_t)
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
-# File Type of squirrelmail attachments
-type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
-allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
-create_dir_file(httpd_t, squirrelmail_spool_t)
-r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
-
-ifdef(`mta.te', `
-# apache should set close-on-exec
-dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
-dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
-dontaudit system_mail_t httpd_log_t:file { append getattr };
-allow system_mail_t httpd_squirrelmail_t:file { append read };
-dontaudit system_mail_t httpd_t:tcp_socket { read write };
-')
diff --git a/strict/domains/program/apmd.te b/strict/domains/program/apmd.te
deleted file mode 100644
index 8394e24..0000000
--- a/strict/domains/program/apmd.te
+++ /dev/null
@@ -1,155 +0,0 @@
-#DESC Apmd - Automatic Power Management daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: apmd
-#
-
-#################################
-#
-# Rules for the apmd_t domain.
-#
-daemon_domain(apmd, `, privmodule, nscd_client_domain')
-
-# for SSP
-allow apmd_t urandom_device_t:chr_file read;
-
-type apm_t, domain, privlog;
-type apm_exec_t, file_type, sysadmfile, exec_type;
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, apm_exec_t, apm_t)
-')
-uses_shlib(apm_t)
-allow apm_t privfd:fd use;
-allow apm_t admin_tty_type:chr_file rw_file_perms;
-allow apm_t device_t:dir search;
-allow apm_t self:capability { dac_override sys_admin };
-allow apm_t proc_t:dir search;
-allow apm_t proc_t:file r_file_perms;
-allow apm_t fs_t:filesystem getattr;
-allow apm_t apm_bios_t:chr_file rw_file_perms;
-role sysadm_r types apm_t;
-role system_r types apm_t;
-
-allow apmd_t device_t:lnk_file read;
-allow apmd_t proc_t:file { getattr read write };
-can_sysctl(apmd_t)
-allow apmd_t sysfs_t:file write;
-
-allow apmd_t self:unix_dgram_socket create_socket_perms;
-allow apmd_t self:unix_stream_socket create_stream_socket_perms;
-allow apmd_t self:fifo_file rw_file_perms;
-allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read };
-allow apmd_t etc_t:lnk_file read;
-
-# acpid wants a socket
-file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file)
-
-# acpid also has a logfile
-log_domain(apmd)
-tmp_domain(apmd)
-
-ifdef(`distro_suse', `
-var_lib_domain(apmd)
-')
-
-allow apmd_t self:file { getattr read ioctl };
-allow apmd_t self:process getsession;
-
-# Use capabilities.
-allow apmd_t self:capability { sys_admin sys_nice sys_time kill };
-
-# controlling an orderly resume of PCMCIA requires creating device
-# nodes 254,{0,1,2} for some reason.
-allow apmd_t self:capability mknod;
-
-# Access /dev/apm_bios.
-allow apmd_t apm_bios_t:chr_file rw_file_perms;
-
-# Run helper programs.
-can_exec_any(apmd_t)
-
-# apmd calls hwclock.sh on suspend and resume
-allow apmd_t clock_device_t:chr_file r_file_perms;
-ifdef(`hwclock.te', `
-domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
-allow apmd_t adjtime_t:file rw_file_perms;
-allow hwclock_t apmd_log_t:file append;
-allow hwclock_t apmd_t:unix_stream_socket { read write };
-')
-
-
-# to quiet fuser and ps
-# setuid for fuser, dac* for ps
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search };
-dontaudit apmd_t domain:socket_class_set getattr;
-dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr;
-dontaudit apmd_t device_type:devfile_class_set getattr;
-dontaudit apmd_t home_type:dir { search getattr };
-dontaudit apmd_t domain:key_socket getattr;
-dontaudit apmd_t domain:dir search;
-
-ifdef(`distro_redhat', `
-can_exec(apmd_t, apmd_var_run_t)
-# for /var/lock/subsys/network
-lock_domain(apmd)
-
-# ifconfig_exec_t needs to be run in its own domain for Red Hat
-ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)')
-ifdef(`iptables.te', `domain_auto_trans(apmd_t, iptables_exec_t, iptables_t)')
-ifdef(`netutils.te', `domain_auto_trans(apmd_t, netutils_exec_t, netutils_t)')
-', `
-# for ifconfig which is run all the time
-dontaudit apmd_t sysctl_t:dir search;
-')
-
-ifdef(`udev.te', `
-allow apmd_t udev_t:file { getattr read };
-allow apmd_t udev_t:lnk_file { getattr read };
-')
-#
-# apmd tells the machine to shutdown requires the following
-#
-allow apmd_t initctl_t:fifo_file write;
-allow apmd_t initrc_var_run_t:file { read write lock };
-
-#
-# Allow it to run killof5 and pidof
-#
-typeattribute apmd_t unrestricted;
-r_dir_file(apmd_t, domain)
-
-# Same for apm/acpid scripts
-domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)
-ifdef(`consoletype.te', `
-allow consoletype_t apmd_t:fd use;
-allow consoletype_t apmd_t:fifo_file write;
-')
-ifdef(`mount.te', `allow mount_t apmd_t:fd use;')
-ifdef(`crond.te', `
-domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
-allow apmd_t crond_t:fifo_file { getattr read write ioctl };
-')
-
-ifdef(`mta.te', `
-domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t) 
-')
-
-# for a find /dev operation that gets /dev/shm
-dontaudit apmd_t tmpfs_t:dir r_dir_perms;
-dontaudit apmd_t selinux_config_t:dir search;
-allow apmd_t user_tty_type:chr_file rw_file_perms;
-# Access /dev/apm_bios.
-allow initrc_t apm_bios_t:chr_file { setattr getattr read };
-
-ifdef(`logrotate.te', `
-allow apmd_t logrotate_t:fd use;
-')dnl end if logrotate.te
-allow apmd_t devpts_t:dir { getattr search };
-allow apmd_t security_t:dir search;
-allow apmd_t usr_t:dir search;
-r_dir_file(apmd_t, hwdata_t)
-ifdef(`targeted_policy', `
-unconfined_domain(apmd_t)
-')
-
diff --git a/strict/domains/program/arpwatch.te b/strict/domains/program/arpwatch.te
deleted file mode 100644
index 3065800..0000000
--- a/strict/domains/program/arpwatch.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC arpwatch -  keep track of ethernet/ip address pairings
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the arpwatch_t domain.
-#
-# arpwatch_exec_t is the type of the arpwatch executable.
-#
-daemon_domain(arpwatch, `, privmail')
-
-# for files created by arpwatch
-type arpwatch_data_t, file_type, sysadmfile;
-create_dir_file(arpwatch_t,arpwatch_data_t)
-tmp_domain(arpwatch)
-
-allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
-
-can_network_server(arpwatch_t)
-allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
-allow arpwatch_t self:udp_socket create_socket_perms;
-allow arpwatch_t self:unix_dgram_socket create_socket_perms;
-allow arpwatch_t self:packet_socket create_socket_perms;
-allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
-
-allow arpwatch_t { sbin_t var_lib_t }:dir search;
-allow arpwatch_t sbin_t:lnk_file read;
-r_dir_file(arpwatch_t, etc_t)
-r_dir_file(arpwatch_t, usr_t)
-can_ypbind(arpwatch_t)
-
-ifdef(`qmail.te', `
-allow arpwatch_t bin_t:dir search;
-')
-
-ifdef(`distro_gentoo', `
-allow initrc_t arpwatch_data_t:dir { add_name write };
-allow initrc_t arpwatch_data_t:file create;
-')dnl end distro_gentoo
-
-# why is mail delivered to a directory of type arpwatch_data_t?
-allow mta_delivery_agent arpwatch_data_t:dir search;
-allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
-ifdef(`hide_broken_symptoms', `
-dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
-')
diff --git a/strict/domains/program/auditd.te b/strict/domains/program/auditd.te
deleted file mode 100644
index 3dd15a7..0000000
--- a/strict/domains/program/auditd.te
+++ /dev/null
@@ -1,69 +0,0 @@
-#DESC auditd - System auditing daemon
-#
-# Authors: Colin Walters <walters@verbum.org>
-#
-# Some fixes by Paul Moore <paul.moore@hp.com>
-# 
-define(`audit_manager_domain', `
-allow $1 auditd_etc_t:file rw_file_perms;
-create_dir_file($1, auditd_log_t)
-domain_auto_trans($1, auditctl_exec_t, auditctl_t)
-')
-
-daemon_domain(auditd)
-
-allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
-allow auditd_t self:unix_dgram_socket create_socket_perms;
-allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
-allow auditd_t self:process setsched;
-allow auditd_t self:file { getattr read write };
-allow auditd_t etc_t:file { getattr read };
-
-# Do not use logdir_domain since this is a security file
-type auditd_log_t, file_type, secure_file_type;
-allow auditd_t var_log_t:dir search;
-rw_dir_create_file(auditd_t, auditd_log_t)
-
-can_exec(auditd_t, init_exec_t)
-allow auditd_t initctl_t:fifo_file write;
-
-ifdef(`targeted_policy', `
-dontaudit auditd_t unconfined_t:fifo_file read;
-')
-
-type auditctl_t, domain, privlog;
-type auditctl_exec_t, file_type, exec_type, sysadmfile;
-uses_shlib(auditctl_t)
-allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
-allow auditctl_t self:capability { audit_write audit_control };
-allow auditctl_t etc_t:file { getattr read };
-allow auditctl_t admin_tty_type:chr_file rw_file_perms;
-
-type auditd_etc_t, file_type, secure_file_type;
-allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms;
-allow initrc_t auditd_etc_t:file r_file_perms;
-
-role secadm_r types auditctl_t;
-role sysadm_r types auditctl_t;
-audit_manager_domain(secadm_t)
-
-ifdef(`targeted_policy', `', `
-ifdef(`separate_secadm', `', `
-audit_manager_domain(sysadm_t)
-') 
-')
-
-role system_r types auditctl_t;
-domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)
-
-dontaudit auditctl_t local_login_t:fd use;
-allow auditctl_t proc_t:dir search;
-allow auditctl_t sysctl_kernel_t:dir search;
-allow auditctl_t sysctl_kernel_t:file { getattr read };
-dontaudit auditctl_t init_t:fd use; 
-allow auditctl_t initrc_devpts_t:chr_file { read write };
-allow auditctl_t privfd:fd use;
-
-
-allow auditd_t sbin_t:dir search;
-can_exec(auditd_t, sbin_t)
diff --git a/strict/domains/program/automount.te b/strict/domains/program/automount.te
deleted file mode 100644
index d1bb20e..0000000
--- a/strict/domains/program/automount.te
+++ /dev/null
@@ -1,79 +0,0 @@
-#DESC Automount - Automount daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>
-# Modified by Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: amd am-utils autofs
-#
-
-#################################
-#
-# Rules for the automount_t domain.
-#
-daemon_domain(automount)
-
-etc_domain(automount)
-
-# for SSP
-allow automount_t urandom_device_t:chr_file read;
-
-# for if the mount point is not labelled
-allow automount_t file_t:dir getattr;
-allow automount_t default_t:dir getattr;
-
-allow automount_t autofs_t:dir { create_dir_perms ioctl };
-allow automount_t fs_type:dir getattr;
-
-allow automount_t { etc_t etc_runtime_t }:file { getattr read };
-allow automount_t proc_t:file { getattr read };
-allow automount_t self:process { getpgid setpgid setsched };
-allow automount_t self:capability { sys_nice dac_override };
-allow automount_t self:unix_stream_socket create_socket_perms;
-allow automount_t self:unix_dgram_socket create_socket_perms;
-
-# because config files can be shell scripts
-can_exec(automount_t, { etc_t automount_etc_t })
-
-can_network_server(automount_t)
-can_resolve(automount_t)
-can_ypbind(automount_t)
-can_ldap(automount_t)
-
-ifdef(`fsadm.te', `
-domain_auto_trans(automount_t, fsadm_exec_t, fsadm_t)
-')
-
-lock_domain(automount)
-
-tmp_domain(automount)
-allow automount_t self:fifo_file rw_file_perms;
-
-# Run mount in the mount_t domain.
-domain_auto_trans(automount_t, mount_exec_t, mount_t)
-allow mount_t autofs_t:dir { search mounton read };
-allow mount_t automount_tmp_t:dir mounton;
-
-ifdef(`apmd.te',
-`domain_auto_trans(apmd_t, automount_exec_t, automount_t)
-can_exec(automount_t, bin_t)')
-
-allow automount_t { bin_t sbin_t }:dir search;
-can_exec(automount_t, mount_exec_t)
-can_exec(automount_t, shell_exec_t)
-
-allow mount_t autofs_t:dir getattr;
-dontaudit automount_t var_t:dir write;
-
-allow userdomain autofs_t:dir r_dir_perms;
-allow kernel_t autofs_t:dir { getattr ioctl read search };
-
-allow automount_t { boot_t home_root_t }:dir getattr;
-allow automount_t mnt_t:dir { getattr search };
-
-can_exec(initrc_t, automount_etc_t)
-
-# Allow automount to create and delete directories in / and /home
-file_type_auto_trans(automount_t, { root_t home_root_t }, automount_tmp_t, dir)
-
-allow automount_t var_lib_t:dir search;
-allow automount_t var_lib_nfs_t:dir search;
-
diff --git a/strict/domains/program/bluetooth.te b/strict/domains/program/bluetooth.te
deleted file mode 100644
index c25544d..0000000
--- a/strict/domains/program/bluetooth.te
+++ /dev/null
@@ -1,107 +0,0 @@
-#DESC Bluetooth 
-#
-# Authors:  Dan Walsh
-# RH-Packages: Bluetooth
-#
-
-#################################
-#
-# Rules for the bluetooth_t domain.
-#
-daemon_domain(bluetooth)
-
-file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
-file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
-
-tmp_domain(bluetooth)
-var_lib_domain(bluetooth)
-
-# Use capabilities.
-allow bluetooth_t self:file read;
-allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
-allow bluetooth_t self:process getsched;
-allow bluetooth_t proc_t:file { getattr read };
-
-allow bluetooth_t self:shm create_shm_perms;
-
-lock_domain(bluetooth)
-
-# Use the network.
-can_network(bluetooth_t)
-can_ypbind(bluetooth_t)
-ifdef(`dbusd.te', `
-dbusd_client(system, bluetooth)
-allow bluetooth_t system_dbusd_t:dbus send_msg;
-')
-allow bluetooth_t self:socket create_stream_socket_perms;
-
-allow bluetooth_t self:unix_dgram_socket create_socket_perms;
-allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
-
-dontaudit bluetooth_t sysadm_devpts_t:chr_file { read write };
-
-# bluetooth_conf_t is the type of the /etc/bluetooth dir.
-type bluetooth_conf_t, file_type, sysadmfile;
-type bluetooth_conf_rw_t, file_type, sysadmfile;
-
-# Read /etc/bluetooth
-allow bluetooth_t bluetooth_conf_t:dir search;
-allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
-#/usr/sbin/hid2hci causes the following
-allow initrc_t usbfs_t:file { getattr read };
-allow bluetooth_t usbfs_t:dir r_dir_perms;
-allow bluetooth_t usbfs_t:file rw_file_perms; 
-allow bluetooth_t bin_t:dir search;
-can_exec(bluetooth_t, { bin_t shell_exec_t })
-allow bluetooth_t bin_t:lnk_file read;
-
-#Handle bluetooth serial devices
-allow bluetooth_t tty_device_t:chr_file rw_file_perms;
-allow bluetooth_t self:fifo_file rw_file_perms;
-allow bluetooth_t { etc_t etc_runtime_t }:file { getattr read };
-r_dir_file(bluetooth_t, fonts_t)
-allow bluetooth_t urandom_device_t:chr_file r_file_perms;
-allow bluetooth_t usr_t:file { getattr read };
-
-application_domain(bluetooth_helper, `, nscd_client_domain')
-domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
-role system_r types bluetooth_helper_t;
-read_locale(bluetooth_helper_t) 
-typeattribute bluetooth_helper_t unrestricted;
-r_dir_file(bluetooth_helper_t, domain)
-allow bluetooth_helper_t bin_t:dir { getattr search };
-can_exec(bluetooth_helper_t, { bin_t shell_exec_t })
-allow bluetooth_helper_t bin_t:lnk_file read;
-allow bluetooth_helper_t self:capability sys_nice;
-allow bluetooth_helper_t self:fifo_file rw_file_perms;
-allow bluetooth_helper_t self:process fork;
-allow bluetooth_helper_t self:shm create_shm_perms;
-allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
-allow bluetooth_helper_t { etc_t etc_runtime_t }:file { getattr read };
-r_dir_file(bluetooth_helper_t, fonts_t)
-r_dir_file(bluetooth_helper_t, proc_t)
-read_sysctl(bluetooth_helper_t)
-allow bluetooth_helper_t tmp_t:dir search;
-allow bluetooth_helper_t usr_t:file { getattr read };
-allow bluetooth_helper_t home_dir_type:dir search;
-ifdef(`xserver.te', `
-allow bluetooth_helper_t xserver_log_t:dir search;
-allow bluetooth_helper_t xserver_log_t:file { getattr read };
-')
-ifdef(`targeted_policy', `
-allow bluetooth_helper_t tmp_t:sock_file { read write };
-allow bluetooth_helper_t tmpfs_t:file { read write };
-allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
-allow bluetooth_t unconfined_t:dbus send_msg;
-allow unconfined_t bluetooth_t:dbus send_msg;
-', `
-ifdef(`xdm.te', `
-allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
-')
-allow bluetooth_t unpriv_userdomain:dbus send_msg;
-allow unpriv_userdomain bluetooth_t:dbus send_msg;
-')
-allow bluetooth_helper_t bluetooth_t:socket { read write };
-
-dontaudit bluetooth_helper_t default_t:dir { read search };
-dontaudit bluetooth_helper_t { devtty_t ttyfile }:chr_file { read write };
diff --git a/strict/domains/program/bonobo.te b/strict/domains/program/bonobo.te
deleted file mode 100644
index c23f1d2..0000000
--- a/strict/domains/program/bonobo.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# DESC - Bonobo Activation Server 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-# Type for executable
-type bonobo_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in macros/bonobo_macros.te
diff --git a/strict/domains/program/bootloader.te b/strict/domains/program/bootloader.te
deleted file mode 100644
index 37e1c19..0000000
--- a/strict/domains/program/bootloader.te
+++ /dev/null
@@ -1,167 +0,0 @@
-#DESC Bootloader - Lilo boot loader/manager
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: lilo
-#
-
-#################################
-#
-# Rules for the bootloader_t domain.
-#
-# bootloader_exec_t is the type of the bootloader executable.
-#
-type bootloader_t, domain, privlog, privmem, fs_domain, nscd_client_domain ifdef(`direct_sysadm_daemon', `, priv_system_role') ifdef(`distro_debian', `, privowner, admin');
-type bootloader_exec_t, file_type, sysadmfile, exec_type;
-etc_domain(bootloader)
-
-role sysadm_r types bootloader_t;
-role system_r types bootloader_t;
-
-allow bootloader_t var_t:dir search;
-create_append_log_file(bootloader_t, var_log_t)
-allow bootloader_t var_log_t:file write;
-
-# for nscd
-dontaudit bootloader_t var_run_t:dir search;
-
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
-')
-allow bootloader_t { initrc_t privfd }:fd use;
-
-tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file })
-
-read_locale(bootloader_t)
-
-# for tune2fs
-file_type_auto_trans(bootloader_t, root_t, bootloader_tmp_t, file)
-
-# for /vmlinuz sym link
-allow bootloader_t root_t:lnk_file read;
-
-# lilo would need read access to get BIOS data
-allow bootloader_t proc_kcore_t:file getattr;
-
-allow bootloader_t { etc_t device_t }:dir r_dir_perms;
-allow bootloader_t etc_t:file r_file_perms;
-allow bootloader_t etc_t:lnk_file read;
-allow bootloader_t initctl_t:fifo_file getattr;
-uses_shlib(bootloader_t)
-
-ifdef(`distro_debian', `
-allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
-allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
-allow bootloader_t boot_t:file relabelfrom;
-allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
-allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
-allow bootloader_t usr_t:lnk_file read;
-allow bootloader_t tmpfs_t:dir r_dir_perms;
-allow bootloader_t initrc_var_run_t:dir r_dir_perms;
-allow bootloader_t var_lib_t:dir search;
-allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
-allow bootloader_t dpkg_var_lib_t:file { getattr read };
-# for /usr/share/initrd-tools/scripts
-can_exec(bootloader_t, usr_t)
-')
-
-allow bootloader_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
-dontaudit bootloader_t device_t:{ chr_file blk_file } rw_file_perms;
-allow bootloader_t device_t:lnk_file { getattr read };
-
-# LVM2 / Device Mapper's /dev/mapper/control
-# maybe we should change the labeling for this
-ifdef(`lvm.te', `
-allow bootloader_t lvm_control_t:chr_file rw_file_perms;
-domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)
-allow lvm_t bootloader_tmp_t:file rw_file_perms;
-r_dir_file(bootloader_t, lvm_etc_t)
-')
-
-# uncomment the following line if you use "lilo -p"
-#file_type_auto_trans(bootloader_t, etc_t, bootloader_etc_t, file);
-
-can_exec_any(bootloader_t)
-allow bootloader_t shell_exec_t:lnk_file read;
-allow bootloader_t { bin_t sbin_t }:dir search;
-allow bootloader_t { bin_t sbin_t }:lnk_file read;
-
-allow bootloader_t { modules_dep_t modules_object_t modules_conf_t }:file r_file_perms;
-allow bootloader_t modules_object_t:dir r_dir_perms;
-ifdef(`distro_redhat', `
-allow bootloader_t modules_object_t:lnk_file { getattr read };
-')
-
-# for ldd
-ifdef(`fsadm.te', `
-allow bootloader_t fsadm_exec_t:file { rx_file_perms execute_no_trans };
-')
-ifdef(`modutil.te', `
-allow bootloader_t insmod_exec_t:file { rx_file_perms execute_no_trans };
-')
-
-dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
-
-allow bootloader_t boot_t:dir { create rw_dir_perms };
-allow bootloader_t boot_t:file create_file_perms;
-allow bootloader_t boot_t:lnk_file create_lnk_perms;
-
-allow bootloader_t load_policy_exec_t:file { getattr read };
-
-allow bootloader_t random_device_t:chr_file { getattr read };
-
-ifdef(`distro_redhat', `
-# for mke2fs
-domain_auto_trans(bootloader_t, mount_exec_t, mount_t);
-allow mount_t bootloader_tmp_t:dir mounton;
-
-# new file system defaults to file_t, granting file_t access is still bad.
-allow bootloader_t file_t:dir create_dir_perms;
-allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
-allow bootloader_t file_t:lnk_file create_lnk_perms;
-allow bootloader_t self:unix_stream_socket create_socket_perms;
-allow bootloader_t boot_runtime_t:file { read getattr unlink };
-
-# for memlock
-allow bootloader_t zero_device_t:chr_file { getattr read };
-allow bootloader_t self:capability ipc_lock;
-')
-
-allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
-# allow bootloader to get attributes of any device node
-allow bootloader_t { device_type ttyfile }:chr_file getattr;
-allow bootloader_t device_type:blk_file getattr;
-dontaudit bootloader_t devpts_t:dir create_dir_perms;
-
-allow bootloader_t self:process { fork signal_perms };
-allow bootloader_t self:lnk_file read;
-allow bootloader_t self:dir search;
-allow bootloader_t self:file { getattr read };
-allow bootloader_t self:fifo_file rw_file_perms;
-
-allow bootloader_t fs_t:filesystem getattr;
-
-allow bootloader_t proc_t:dir { getattr search };
-allow bootloader_t proc_t:file r_file_perms;
-allow bootloader_t proc_t:lnk_file { getattr read };
-allow bootloader_t proc_mdstat_t:file r_file_perms;
-allow bootloader_t self:dir { getattr search read };
-read_sysctl(bootloader_t)
-allow bootloader_t etc_runtime_t:file r_file_perms;
-
-allow bootloader_t devtty_t:chr_file rw_file_perms;
-allow bootloader_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
-allow bootloader_t initrc_t:fifo_file { read write };
-
-# for reading BIOS data
-allow bootloader_t memory_device_t:chr_file r_file_perms;
-
-allow bootloader_t policy_config_t:dir { search read };
-allow bootloader_t policy_config_t:file { getattr read };
-
-allow bootloader_t lib_t:file { getattr read };
-allow bootloader_t sysfs_t:dir getattr;
-allow bootloader_t urandom_device_t:chr_file read;
-allow bootloader_t { usr_t var_t }:file { getattr read };
-r_dir_file(bootloader_t, src_t)
-dontaudit bootloader_t selinux_config_t:dir search;
-dontaudit bootloader_t sysctl_t:dir search;
diff --git a/strict/domains/program/canna.te b/strict/domains/program/canna.te
deleted file mode 100644
index feb4e52..0000000
--- a/strict/domains/program/canna.te
+++ /dev/null
@@ -1,46 +0,0 @@
-#DESC canna - A Japanese character set input system.
-#
-# Authors: Dan Walsh <dwalsh@redhat.com>
-#
-#
-
-#################################
-#
-# Rules for the canna_t domain.
-#
-daemon_domain(canna)
-
-file_type_auto_trans(canna_t, var_run_t, canna_var_run_t, sock_file)
-
-logdir_domain(canna)
-var_lib_domain(canna)
-
-allow canna_t self:capability { setgid setuid net_bind_service };
-allow canna_t tmp_t:dir { search };
-allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
-allow canna_t self:unix_dgram_socket create_stream_socket_perms;
-allow canna_t etc_t:file { getattr read };
-allow canna_t usr_t:file { getattr read };
-
-allow canna_t proc_t:file r_file_perms;
-allow canna_t etc_runtime_t:file r_file_perms;
-allow canna_t canna_var_lib_t:dir create;
-
-rw_dir_create_file(canna_t, canna_var_lib_t)
-
-can_network_tcp(canna_t)
-allow canna_t port_type:tcp_socket name_connect;
-can_ypbind(canna_t)
-
-allow userdomain canna_var_run_t:dir search;
-allow userdomain canna_var_run_t:sock_file write;
-can_unix_connect(userdomain, canna_t)
-
-ifdef(`i18n_input.te', `
-allow i18n_input_t canna_var_run_t:dir search;
-allow i18n_input_t canna_var_run_t:sock_file write;
-can_unix_connect(i18n_input_t, canna_t)
-')
-
-dontaudit canna_t kernel_t:fd use;
-dontaudit canna_t root_t:file read;
diff --git a/strict/domains/program/cardmgr.te b/strict/domains/program/cardmgr.te
deleted file mode 100644
index 8f78988..0000000
--- a/strict/domains/program/cardmgr.te
+++ /dev/null
@@ -1,90 +0,0 @@
-#DESC Cardmgr - PCMCIA control programs
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: pcmcia-cs
-#
-
-#################################
-#
-# Rules for the cardmgr_t domain.
-#
-daemon_domain(cardmgr, `, privmodule')
-
-# for SSP
-allow cardmgr_t urandom_device_t:chr_file read;
-
-type cardctl_exec_t, file_type, sysadmfile, exec_type;
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t)
-')
-role sysadm_r types cardmgr_t;
-allow cardmgr_t admin_tty_type:chr_file { read write };
-
-allow cardmgr_t sysfs_t:dir search;
-allow cardmgr_t home_root_t:dir search;
-
-# Use capabilities (net_admin for route), setuid for cardctl
-allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
-
-# for /etc/resolv.conf
-file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file)
-
-allow cardmgr_t etc_runtime_t:file { getattr read };
-
-allow cardmgr_t modules_object_t:dir search;
-allow cardmgr_t self:unix_dgram_socket create_socket_perms;
-allow cardmgr_t self:unix_stream_socket create_socket_perms;
-allow cardmgr_t self:fifo_file rw_file_perms;
-
-# Create stab file
-var_lib_domain(cardmgr)
-
-# for /var/lib/misc/pcmcia-scheme
-# would be better to have it in a different type if I knew how it was created..
-allow cardmgr_t var_lib_t:file { getattr read };
-
-# Create device files in /tmp.
-type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type, dev_fs;
-file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
-
-# Create symbolic links in /dev.
-type cardmgr_lnk_t, file_type, sysadmfile;
-file_type_auto_trans(cardmgr_t, device_t, cardmgr_lnk_t, lnk_file)
-
-# Run a shell, normal commands, /etc/pcmcia scripts. 
-can_exec_any(cardmgr_t)
-allow cardmgr_t etc_t:lnk_file read;
-
-# Run ifconfig.
-domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t)
-allow ifconfig_t cardmgr_t:fd use;
-
-allow cardmgr_t proc_t:file { getattr read ioctl };
-
-# Read /proc/PID directories for all domains (for fuser).
-can_ps(cardmgr_t, domain -unrestricted)
-dontaudit cardmgr_t unrestricted:dir search;
-
-allow cardmgr_t device_type:{ chr_file blk_file } getattr;
-allow cardmgr_t ttyfile:chr_file getattr;
-dontaudit cardmgr_t ptyfile:chr_file getattr;
-dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;
-dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr;
-dontaudit cardmgr_t proc_kmsg_t:file getattr;
-
-allow cardmgr_t tty_device_t:chr_file rw_file_perms;
-
-ifdef(`apmd.te', `
-domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
-')
-
-ifdef(`hide_broken_symptoms', `
-dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
-dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
-')
-ifdef(`hald.te', `
-rw_dir_file(hald_t, cardmgr_var_run_t)
-allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
-')
-allow cardmgr_t device_t:lnk_file { getattr read };
diff --git a/strict/domains/program/cdrecord.te b/strict/domains/program/cdrecord.te
deleted file mode 100644
index 6460090..0000000
--- a/strict/domains/program/cdrecord.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# DESC cdrecord - record audio or data Compact Disks or Digital Versatile Disks from a master
-#
-# Author: Thomas Bleher <ThomasBleher@gmx.de>
-
-# Type for the cdrecord excutable.
-type cdrecord_exec_t, file_type, sysadmfile, exec_type;
-
-# everything else is in the cdrecord_domain macros in
-# macros/program/cdrecord_macros.te.
-
diff --git a/strict/domains/program/certwatch.te b/strict/domains/program/certwatch.te
deleted file mode 100644
index 2abb168..0000000
--- a/strict/domains/program/certwatch.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#DESC certwatch - generate SSL certificate expiry warnings
-#
-# Domains for the certwatch process 
-# Authors:  Dan Walsh <dwalsh@redhat.com>,
-#
-application_domain(certwatch)
-role system_r types certwatch_t;
-r_dir_file(certwatch_t, cert_t)
-can_exec(certwatch_t, httpd_modules_t)
-system_crond_entry(certwatch_exec_t, certwatch_t)
-read_locale(certwatch_t) 
diff --git a/strict/domains/program/checkpolicy.te b/strict/domains/program/checkpolicy.te
deleted file mode 100644
index 0cfa5a0..0000000
--- a/strict/domains/program/checkpolicy.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#DESC Checkpolicy - SELinux policy compliler
-#
-# Authors:  Frank Mayer, mayerf@tresys.com
-# X-Debian-Packages: checkpolicy
-#
-
-###########################
-# 
-# checkpolicy_t is the domain type for checkpolicy
-# checkpolicy_exec_t if file type for the executable
-
-type checkpolicy_t, domain;
-role sysadm_r types checkpolicy_t;
-role system_r types checkpolicy_t;
-role secadm_r types checkpolicy_t;
-
-type checkpolicy_exec_t, file_type, exec_type, sysadmfile;
-
-##########################
-# 
-# Rules
-
-domain_auto_trans(secadmin, checkpolicy_exec_t, checkpolicy_t)
-
-# able to create and modify binary policy files
-allow checkpolicy_t policy_config_t:dir rw_dir_perms;
-allow checkpolicy_t policy_config_t:file create_file_perms;
-
-###########################
-# constrain what checkpolicy can use as source files
-#
-
-# only allow read of policy source files
-allow checkpolicy_t policy_src_t:dir r_dir_perms;
-allow checkpolicy_t policy_src_t:{ file lnk_file } r_file_perms;
-
-# allow test policies to be created in src directories
-file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
-
-# directory search permissions for path to source and binary policy files
-allow checkpolicy_t root_t:dir search;
-allow checkpolicy_t etc_t:dir search;
-
-# Read the devpts root directory.  
-allow checkpolicy_t devpts_t:dir r_dir_perms;
-ifdef(`sshd.te',
-`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
-
-# Other access
-allow checkpolicy_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
-uses_shlib(checkpolicy_t)
-allow checkpolicy_t self:capability dac_override;
-
-##########################
-# Allow users to execute checkpolicy without a domain transition
-# so it can be used without privilege to write real binary policy file
-can_exec(unpriv_userdomain, checkpolicy_exec_t)
-
-allow checkpolicy_t { userdomain privfd }:fd use;
-
-allow checkpolicy_t fs_t:filesystem getattr;
-allow checkpolicy_t console_device_t:chr_file { read write };
-allow checkpolicy_t init_t:fd use;
-allow checkpolicy_t selinux_config_t:dir search;
diff --git a/strict/domains/program/chkpwd.te b/strict/domains/program/chkpwd.te
deleted file mode 100644
index 22ac7f2..0000000
--- a/strict/domains/program/chkpwd.te
+++ /dev/null
@@ -1,18 +0,0 @@
-#DESC Chkpwd - PAM password checking programs
-# X-Debian-Packages: libpam-modules
-#
-# Domains for the /sbin/.*_chkpwd utilities.
-#
-
-#
-# chkpwd_exec_t is the type of the /sbin/.*_chkpwd executables.
-#
-type chkpwd_exec_t, file_type, sysadmfile, exec_type;
-
-chkpwd_domain(system)
-dontaudit system_chkpwd_t privfd:fd use;
-role sysadm_r types system_chkpwd_t;
-in_user_role(system_chkpwd_t)
-
-# Everything else is in the chkpwd_domain macro in
-# macros/program/chkpwd_macros.te.
diff --git a/strict/domains/program/chroot.te b/strict/domains/program/chroot.te
deleted file mode 100644
index 8992c66..0000000
--- a/strict/domains/program/chroot.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#DESC Chroot - Establish chroot environments
-#
-# Author: Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: 
-#
-type chroot_exec_t, file_type, sysadmfile, exec_type;
-
-# For a chroot environment named potato that can be entered from user_t (so
-# the user can run an old version of Debian in a chroot), with the possibility
-# of user_devpts_t or user_tty_device_t being the controlling tty type for
-# administration.  This also defines a mount_domain for the user (so they can
-# mount file systems).
-#chroot(user, potato)
-# For a chroot environment named apache that can be entered from initrc_t for
-# running a different version of apache.
-# initrc is a special case, uses the system_r role (usually appends "_r" to
-# the base name of the parent domain), and has sysadm_devpts_t and
-# sysadm_tty_device_t for the controlling terminal
-#chroot(initrc, apache)
-
-# the main code is in macros/program/chroot_macros.te
diff --git a/strict/domains/program/comsat.te b/strict/domains/program/comsat.te
deleted file mode 100644
index cd0e3f9..0000000
--- a/strict/domains/program/comsat.te
+++ /dev/null
@@ -1,20 +0,0 @@
-#DESC comsat - biff server
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the comsat_t domain.
-#
-# comsat_exec_t is the type of the comsat executable.
-#
-
-inetd_child_domain(comsat, udp)
-allow comsat_t initrc_var_run_t:file r_file_perms;
-dontaudit comsat_t initrc_var_run_t:file write;
-allow comsat_t mail_spool_t:dir r_dir_perms;
-allow comsat_t mail_spool_t:lnk_file read;
-allow comsat_t var_spool_t:dir search;
-dontaudit comsat_t sysadm_tty_device_t:chr_file getattr;
diff --git a/strict/domains/program/consoletype.te b/strict/domains/program/consoletype.te
deleted file mode 100644
index b1cc126..0000000
--- a/strict/domains/program/consoletype.te
+++ /dev/null
@@ -1,65 +0,0 @@
-#DESC consoletype - determine the type of a console device
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: 
-#
-
-#################################
-#
-# Rules for the consoletype_t domain.
-#
-# consoletype_t is the domain for the consoletype program.
-# consoletype_exec_t is the type of the corresponding program.
-#
-type consoletype_t, domain, mlsfileread, mlsfilewrite;
-type consoletype_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types consoletype_t;
-
-uses_shlib(consoletype_t)
-general_domain_access(consoletype_t)
-
-ifdef(`targeted_policy', `', `
-domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)
-
-ifdef(`xdm.te', `
-domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
-allow consoletype_t xdm_tmp_t:file { read write };
-')
-
-ifdef(`hotplug.te', `
-domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t)
-')
-')
-
-allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms;
-
-allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
-
-# Use capabilities.
-allow consoletype_t self:capability sys_admin;
-
-allow consoletype_t console_device_t:chr_file { getattr ioctl read write };
-allow consoletype_t initrc_t:fifo_file write;
-allow consoletype_t nfs_t:file write;
-allow consoletype_t sysadm_t:fifo_file rw_file_perms;
-
-ifdef(`lpd.te', `
-allow consoletype_t printconf_t:file { getattr read };
-')
-
-ifdef(`pam.te', `
-allow consoletype_t pam_var_run_t:file { getattr read };
-')
-ifdef(`distro_redhat', `
-allow consoletype_t tmpfs_t:chr_file rw_file_perms;
-')
-ifdef(`firstboot.te', `
-allow consoletype_t firstboot_t:fifo_file write;
-')
-dontaudit consoletype_t proc_t:dir search;
-dontaudit consoletype_t proc_t:file read;
-dontaudit consoletype_t root_t:file read;
-allow consoletype_t crond_t:fifo_file { read getattr ioctl };
-allow consoletype_t system_crond_t:fd use;
-allow consoletype_t fs_t:filesystem getattr;
diff --git a/strict/domains/program/cpucontrol.te b/strict/domains/program/cpucontrol.te
deleted file mode 100644
index 23a13b7..0000000
--- a/strict/domains/program/cpucontrol.te
+++ /dev/null
@@ -1,17 +0,0 @@
-#DESC cpucontrol - domain for microcode_ctl and other programs to control CPU
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-type cpucontrol_conf_t, file_type, sysadmfile;
-
-daemon_base_domain(cpucontrol)
-
-# Access cpu devices.
-allow cpucontrol_t cpu_device_t:chr_file rw_file_perms;
-allow cpucontrol_t device_t:lnk_file { getattr read };
-allow initrc_t cpu_device_t:chr_file getattr;
-
-allow cpucontrol_t self:capability sys_rawio;
-
-r_dir_file(cpucontrol_t, cpucontrol_conf_t)
diff --git a/strict/domains/program/cpuspeed.te b/strict/domains/program/cpuspeed.te
deleted file mode 100644
index b80f705..0000000
--- a/strict/domains/program/cpuspeed.te
+++ /dev/null
@@ -1,17 +0,0 @@
-#DESC cpuspeed - domain for microcode_ctl, powernowd, etc
-#
-# Authors:  Russell Coker <russell@coker.com.au>
-#           Thomas Bleher <ThomasBleher@gmx.de>
-#
-
-daemon_base_domain(cpuspeed)
-read_locale(cpuspeed_t)
-
-allow cpuspeed_t sysfs_t:dir search;
-allow cpuspeed_t sysfs_t:file rw_file_perms;
-allow cpuspeed_t proc_t:dir r_dir_perms;
-allow cpuspeed_t proc_t:file { getattr read };
-allow cpuspeed_t { etc_t etc_runtime_t }:file { getattr read };
-
-allow cpuspeed_t self:process setsched;
-allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
diff --git a/strict/domains/program/crack.te b/strict/domains/program/crack.te
deleted file mode 100644
index 1706f6e..0000000
--- a/strict/domains/program/crack.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC Crack - Password cracking application
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: crack
-#
-
-#################################
-#
-# Rules for the crack_t domain.
-#
-# crack_exec_t is the type of the crack executable.
-#
-system_domain(crack)
-ifdef(`crond.te', `
-system_crond_entry(crack_exec_t, crack_t)
-')
-
-# for SSP
-allow crack_t urandom_device_t:chr_file read;
-
-type crack_db_t, file_type, sysadmfile, usercanread;
-allow crack_t var_t:dir search;
-rw_dir_create_file(crack_t, crack_db_t)
-
-allow crack_t device_t:dir search;
-allow crack_t devtty_t:chr_file rw_file_perms;
-allow crack_t self:fifo_file { read write getattr };
-
-tmp_domain(crack)
-
-# for dictionaries
-allow crack_t usr_t:file { getattr read };
-
-can_exec(crack_t, bin_t)
-allow crack_t { bin_t sbin_t }:dir search;
-
-allow crack_t self:process { fork signal_perms };
-
-allow crack_t proc_t:dir { read search };
-allow crack_t proc_t:file { read getattr };
-
-# read config files
-allow crack_t { etc_t etc_runtime_t }:file { getattr read };
-allow crack_t etc_t:dir r_dir_perms;
-
-allow crack_t fs_t:filesystem getattr;
-
-dontaudit crack_t sysadm_home_dir_t:dir { getattr search };
diff --git a/strict/domains/program/crond.te b/strict/domains/program/crond.te
deleted file mode 100644
index 4649348..0000000
--- a/strict/domains/program/crond.te
+++ /dev/null
@@ -1,214 +0,0 @@
-#DESC Crond - Crond daemon
-#
-# Domains for the top-level crond daemon process and
-# for system cron jobs.  The domains for user cron jobs
-# are in macros/program/crond_macros.te.
-#
-# X-Debian-Packages: cron
-# Authors:  Jonathan Crowley (MITRE) <jonathan@mitre.org>,
-#	    Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
-#
-
-# NB The constraints file has some entries for crond_t, this makes it
-# different from all other domains...
-
-# Domain for crond.  It needs auth_chkpwd to check for locked accounts.
-daemon_domain(crond, `, privmail, auth_chkpwd, privfd, nscd_client_domain')
-
-# This domain is granted permissions common to most domains (including can_net)
-general_domain_access(crond_t)
-
-# Type for the anacron executable.
-type anacron_exec_t, file_type, sysadmfile, exec_type;
-
-# Type for temporary files.
-tmp_domain(crond)
-
-crond_domain(system)
-
-allow system_crond_t proc_mdstat_t:file { getattr read };
-allow system_crond_t proc_t:lnk_file read;
-allow system_crond_t proc_t:filesystem getattr;
-allow system_crond_t usbdevfs_t:filesystem getattr;
-
-ifdef(`mta.te', `
-allow mta_user_agent system_crond_t:fd use;
-')
-
-# read files in /etc
-allow system_crond_t etc_t:file r_file_perms;
-allow system_crond_t etc_runtime_t:file { getattr read };
-
-allow system_crond_t { sysfs_t rpc_pipefs_t }:dir getattr;
-
-read_locale(crond_t)
-
-# Use capabilities.
-allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice audit_control };
-dontaudit crond_t self:capability sys_resource;
-
-# Get security policy decisions.
-can_getsecurity(crond_t)
-
-# for finding binaries and /bin/sh
-allow crond_t { bin_t sbin_t }:dir search;
-allow crond_t { bin_t sbin_t }:lnk_file read;
-
-# Read from /var/spool/cron.
-allow crond_t var_lib_t:dir search;
-allow crond_t var_spool_t:dir r_dir_perms;
-allow crond_t cron_spool_t:dir r_dir_perms;
-allow crond_t cron_spool_t:file r_file_perms;
-
-# Read /etc/security/default_contexts.
-r_dir_file(crond_t, default_context_t)
-
-allow crond_t etc_t:file { getattr read };
-allow crond_t etc_t:lnk_file read;
-
-allow crond_t default_t:dir search;
-
-# crond tries to search /root.  Not sure why.
-allow crond_t sysadm_home_dir_t:dir r_dir_perms;
-
-# to search /home
-allow crond_t home_root_t:dir { getattr search };
-allow crond_t user_home_dir_type:dir r_dir_perms;
-
-# Run a shell.
-can_exec(crond_t, shell_exec_t)
-
-ifdef(`distro_redhat', `
-# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
-# via redirection of standard out.
-ifdef(`rpm.te', `
-allow crond_t rpm_log_t: file create_file_perms;
-
-system_crond_entry(rpm_exec_t, rpm_t)
-allow system_crond_t rpm_log_t:file create_file_perms;
-#read ahead wants to read this
-allow initrc_t system_cron_spool_t:file { getattr read };
-')
-')
-
-allow system_crond_t var_log_t:file r_file_perms;
-
-
-# Set exec context.
-can_setexec(crond_t)
-
-# Transition to this domain for anacron as well.
-# Still need to study anacron.
-domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
-
-# Inherit and use descriptors from init for anacron.
-allow system_crond_t init_t:fd use;
-
-# Inherit and use descriptors from initrc for anacron.
-allow system_crond_t initrc_t:fd use;
-can_access_pty(system_crond_t, initrc)
-
-# Use capabilities.
-allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
-
-allow crond_t urandom_device_t:chr_file { getattr read };
-
-# Read the system crontabs.
-allow system_crond_t system_cron_spool_t:file r_file_perms;
-
-allow crond_t system_cron_spool_t:dir r_dir_perms;
-allow crond_t system_cron_spool_t:file r_file_perms;
-
-# Read from /var/spool/cron.
-allow system_crond_t cron_spool_t:dir r_dir_perms;
-allow system_crond_t cron_spool_t:file r_file_perms;
-
-# Write to /var/lib/slocate.db.
-allow system_crond_t var_lib_t:dir rw_dir_perms;
-allow system_crond_t var_lib_t:file create_file_perms;
-
-# Update whatis files.
-allow system_crond_t man_t:dir create_dir_perms;
-allow system_crond_t man_t:file create_file_perms;
-allow system_crond_t man_t:lnk_file read;
-
-# Write /var/lock/makewhatis.lock.
-lock_domain(system_crond)
-
-# for if /var/mail is a symlink
-allow { system_crond_t crond_t } mail_spool_t:lnk_file read;
-allow crond_t mail_spool_t:dir search;
-
-ifdef(`mta.te', `
-r_dir_file(system_mail_t, crond_tmp_t)
-')
-
-# Stat any file and search any directory for find.
-allow system_crond_t { file_type fs_type }:notdevfile_class_set getattr;
-allow system_crond_t device_type:{ chr_file blk_file } getattr;
-allow system_crond_t file_type:dir { read search getattr };
-
-# Create temporary files.
-type system_crond_tmp_t, file_type, sysadmfile, tmpfile;
-file_type_auto_trans(system_crond_t, { tmp_t crond_tmp_t }, system_crond_tmp_t)
-
-# /sbin/runlevel ask for w access to utmp, but will operate
-# correctly without it.  Do not audit write denials to utmp.
-# /sbin/runlevel needs lock access however
-dontaudit system_crond_t initrc_var_run_t:file write;
-allow system_crond_t initrc_var_run_t:file { getattr read lock };
-
-# Access other spool directories like
-# /var/spool/anacron and /var/spool/slrnpull.
-allow system_crond_t var_spool_t:file create_file_perms;
-allow system_crond_t var_spool_t:dir rw_dir_perms;
-
-# Do not audit attempts to search unlabeled directories (e.g. slocate).
-dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
-dontaudit system_crond_t unlabeled_t:file r_file_perms;
-
-#
-# reading /var/spool/cron/mailman
-#
-allow crond_t var_spool_t:file { getattr read };
-allow system_crond_t devpts_t:filesystem getattr;
-allow system_crond_t sysfs_t:filesystem getattr;
-allow system_crond_t tmpfs_t:filesystem getattr;
-allow system_crond_t rpc_pipefs_t:filesystem getattr;
-
-#
-#  These rules are here to allow system cron jobs to su
-#
-ifdef(`su.te', `
-su_restricted_domain(system_crond,system)
-role system_r types system_crond_su_t;
-allow system_crond_su_t crond_t:fifo_file ioctl;
-')
-allow system_crond_t self:passwd rootok;
-#
-# prelink tells init to restart it self, we either need to allow or dontaudit
-#
-allow system_crond_t initctl_t:fifo_file write;
-dontaudit userdomain system_crond_t:fd use;
-
-r_dir_file(crond_t, selinux_config_t)
-
-# Allow system cron jobs to relabel filesystem for restoring file contexts.
-bool cron_can_relabel false;
-if (cron_can_relabel) {
-domain_auto_trans(system_crond_t, setfiles_exec_t, setfiles_t)
-} else {
-r_dir_file(system_crond_t, file_context_t)
-can_getsecurity(system_crond_t)
-}
-dontaudit system_crond_t removable_t:filesystem getattr;
-#
-# Required for webalizer
-#
-dontaudit crond_t self:capability sys_tty_config;
-ifdef(`apache.te', `
-allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
-allow system_crond_t httpd_modules_t:lnk_file read;
-# Needed for certwatch
-can_exec(system_crond_t, httpd_modules_t)
-')
diff --git a/strict/domains/program/crontab.te b/strict/domains/program/crontab.te
deleted file mode 100644
index 48b5fcc..0000000
--- a/strict/domains/program/crontab.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC Crontab - Crontab manipulation programs
-#
-# Domains for the crontab program.
-#
-# X-Debian-Packages: cron
-#
-
-# Type for the crontab executable.
-type crontab_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the crontab_domain macro in
-# macros/program/crontab_macros.te.
diff --git a/strict/domains/program/cups.te b/strict/domains/program/cups.te
deleted file mode 100644
index a152ac3..0000000
--- a/strict/domains/program/cups.te
+++ /dev/null
@@ -1,321 +0,0 @@
-#DESC Cups - Common Unix Printing System
-#
-# Created cups policy from lpd policy: Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: cupsys cupsys-client cupsys-bsd
-# Depends: lpd.te lpr.te
-
-#################################
-#
-# Rules for the cupsd_t domain.
-#
-# cupsd_t is the domain of cupsd.
-# cupsd_exec_t is the type of the cupsd executable.
-#
-daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
-etcdir_domain(cupsd)
-type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
-
-can_network(cupsd_t)
-allow cupsd_t port_type:tcp_socket name_connect;
-logdir_domain(cupsd)
-
-tmp_domain(cupsd, `', { file dir fifo_file })
-
-allow cupsd_t devpts_t:dir search;
-
-allow cupsd_t device_t:lnk_file read;
-allow cupsd_t printer_device_t:chr_file rw_file_perms;
-allow cupsd_t urandom_device_t:chr_file { getattr read };
-dontaudit cupsd_t random_device_t:chr_file ioctl;
-
-# temporary solution, we need something better
-allow cupsd_t serial_device:chr_file rw_file_perms;
-
-r_dir_file(cupsd_t, usbdevfs_t)
-r_dir_file(cupsd_t, usbfs_t)
-
-ifdef(`logrotate.te', `
-domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
-')
-
-ifdef(`inetd.te', `
-allow inetd_t printer_port_t:tcp_socket name_bind;
-domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
-')
-
-# write to spool
-allow cupsd_t var_spool_t:dir search;
-
-# this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
-file_type_auto_trans(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-file_type_auto_trans(cupsd_t, var_t, cupsd_rw_etc_t, file)
-allow cupsd_t cupsd_rw_etc_t:dir { setattr rw_dir_perms };
-allow cupsd_t cupsd_etc_t:file setattr;
-allow cupsd_t cupsd_etc_t:dir setattr;
-
-allow cupsd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
-can_exec(cupsd_t, initrc_exec_t)
-allow cupsd_t proc_t:file r_file_perms;
-allow cupsd_t proc_t:dir r_dir_perms;
-allow cupsd_t self:file { getattr read };
-read_sysctl(cupsd_t)
-allow cupsd_t sysctl_dev_t:dir search;
-allow cupsd_t sysctl_dev_t:file { getattr read };
-
-# for /etc/printcap
-dontaudit cupsd_t etc_t:file write;
-
-# allow cups to execute its backend scripts
-can_exec(cupsd_t, cupsd_exec_t)
-allow cupsd_t cupsd_exec_t:dir search;
-allow cupsd_t cupsd_exec_t:lnk_file read;
-allow cupsd_t reserved_port_t:tcp_socket name_bind;
-dontaudit cupsd_t reserved_port_type:tcp_socket name_bind;
-
-allow cupsd_t self:unix_stream_socket create_socket_perms;
-allow cupsd_t self:unix_dgram_socket create_socket_perms;
-allow cupsd_t self:fifo_file rw_file_perms;
-
-# Use capabilities.
-allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
-dontaudit cupsd_t self:capability net_admin;
-
-#
-# /usr/lib/cups/backend/serial needs sys_admin
-# Need new context to run under???
-allow cupsd_t self:capability sys_admin;
-
-allow cupsd_t self:process setsched;
-
-# for /var/lib/defoma
-allow cupsd_t var_lib_t:dir search;
-r_dir_file(cupsd_t, readable_t)
-
-# Bind to the cups/ipp port (631).
-allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind;
-
-can_tcp_connect(web_client_domain, cupsd_t)
-can_tcp_connect(cupsd_t, cupsd_t)
-
-# Send to portmap.
-ifdef(`portmap.te', `
-can_udp_send(cupsd_t, portmap_t)
-can_udp_send(portmap_t, cupsd_t)
-')
-
-# Write to /var/spool/cups.
-allow cupsd_t print_spool_t:dir { setattr rw_dir_perms };
-allow cupsd_t print_spool_t:file create_file_perms;
-allow cupsd_t print_spool_t:file rw_file_perms;
-
-# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
-allow cupsd_t { bin_t sbin_t }:dir { search getattr };
-allow cupsd_t bin_t:lnk_file read;
-can_exec(cupsd_t, { shell_exec_t bin_t sbin_t })
-
-# They will also invoke ghostscript, which needs to read fonts
-read_fonts(cupsd_t)
-
-# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
-allow cupsd_t lib_t:file { read getattr };
-
-# read python modules
-allow cupsd_t usr_t:{ file lnk_file } { read getattr ioctl };
-
-#
-# lots of errors generated requiring the following
-#
-allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
-
-#
-# Satisfy readahead
-#
-allow initrc_t cupsd_log_t:file { getattr read };
-r_dir_file(cupsd_t, var_t)
-
-r_dir_file(cupsd_t, usercanread)
-ifdef(`samba.te', `
-rw_dir_file(cupsd_t, samba_var_t)
-allow smbd_t cupsd_etc_t:dir search;
-')
-
-ifdef(`pam.te', `
-dontaudit cupsd_t pam_var_run_t:file { getattr read };
-')
-dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-# PTAL
-daemon_domain(ptal)
-etcdir_domain(ptal)
-
-file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
-allow ptal_t self:capability { chown sys_rawio };
-allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
-allow ptal_t self:unix_stream_socket { listen accept };
-can_network_server_tcp(ptal_t)
-allow ptal_t ptal_port_t:tcp_socket name_bind;
-allow userdomain ptal_t:unix_stream_socket connectto;
-allow userdomain ptal_var_run_t:sock_file write;
-allow userdomain ptal_var_run_t:dir search;
-allow ptal_t self:fifo_file rw_file_perms;
-allow ptal_t device_t:dir read;
-allow ptal_t printer_device_t:chr_file rw_file_perms;
-allow initrc_t printer_device_t:chr_file getattr;
-allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
-r_dir_file(ptal_t, usbdevfs_t)
-rw_dir_file(ptal_t, usbfs_t)
-allow cupsd_t ptal_var_run_t:sock_file { write setattr };
-allow cupsd_t ptal_t:unix_stream_socket connectto;
-allow cupsd_t ptal_var_run_t:dir search;
-dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-
-allow initrc_t ptal_var_run_t:dir rmdir;
-allow initrc_t ptal_var_run_t:fifo_file unlink;
-
-
-# HPLIP
-daemon_domain(hplip)
-etcdir_domain(hplip)
-allow hplip_t etc_t:file r_file_perms;
-allow hplip_t etc_runtime_t:file { read getattr };
-allow hplip_t printer_device_t:chr_file rw_file_perms;
-allow cupsd_t hplip_var_run_t:file { read getattr };
-allow hplip_t cupsd_etc_t:dir search;
-can_network(hplip_t)
-allow hplip_t { hplip_port_t ipp_port_t }:tcp_socket name_connect;
-allow hplip_t hplip_port_t:tcp_socket name_bind;
-
-# Uses networking to talk to the daemons
-allow hplip_t self:unix_dgram_socket create_socket_perms;
-allow hplip_t self:unix_stream_socket create_socket_perms;
-allow hplip_t self:rawip_socket create_socket_perms;
-
-# for python
-can_exec(hplip_t, bin_t)
-allow hplip_t { sbin_t bin_t }:dir search;
-allow hplip_t self:file { getattr read };
-allow hplip_t proc_t:file r_file_perms;
-allow hplip_t urandom_device_t:chr_file { getattr read };
-allow hplip_t usr_t:{ file lnk_file } r_file_perms;
-allow hplip_t devpts_t:dir search;
-allow hplip_t devpts_t:chr_file { getattr ioctl };
-
-
-dontaudit cupsd_t selinux_config_t:dir search;
-dontaudit cupsd_t selinux_config_t:file { getattr read };
-
-allow cupsd_t printconf_t:file { getattr read };
-
-ifdef(`dbusd.te', `
-dbusd_client(system, cupsd)
-allow cupsd_t system_dbusd_t:dbus send_msg;
-allow cupsd_t userdomain:dbus send_msg;
-')
-
-# CUPS configuration daemon
-daemon_domain(cupsd_config, `, nscd_client_domain')
-
-allow cupsd_config_t devpts_t:dir search;
-allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
-
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
-allow cupsd_config_t rpm_var_lib_t:file { getattr read };
-')
-allow cupsd_config_t initrc_exec_t:file getattr;
-')dnl end distro_redhat
-
-allow cupsd_config_t { etc_t etc_runtime_t net_conf_t }:file { getattr read };
-allow cupsd_config_t self:file { getattr read };
-
-allow cupsd_config_t proc_t:file { getattr read };
-allow cupsd_config_t cupsd_var_run_t:file { getattr read };
-allow cupsd_config_t cupsd_t:process { signal };
-allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
-can_ps(cupsd_config_t, cupsd_t)
-
-allow cupsd_config_t self:capability { chown sys_tty_config };
-
-rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
-rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
-file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
-allow cupsd_config_t var_t:lnk_file read;
-
-can_network_tcp(cupsd_config_t)
-can_ypbind(cupsd_config_t)
-allow cupsd_config_t port_type:tcp_socket name_connect;
-can_tcp_connect(cupsd_config_t, cupsd_t)
-allow cupsd_config_t self:fifo_file rw_file_perms;
-
-allow cupsd_config_t self:unix_stream_socket create_socket_perms;
-allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
-ifdef(`dbusd.te', `
-dbusd_client(system, cupsd_config)
-allow cupsd_config_t userdomain:dbus send_msg;
-allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
-allow userdomain cupsd_config_t:dbus send_msg;
-')dnl end if dbusd.te
-
-ifdef(`hald.te', `
-
-ifdef(`dbusd.te', `
-allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg;
-allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;
-')dnl end if dbusd.te
-
-allow hald_t cupsd_config_t:process signal;
-domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
-
-') dnl end if hald.te
-
-
-can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
-ifdef(`hostname.te', `
-can_exec(cupsd_t, hostname_exec_t)
-can_exec(cupsd_config_t, hostname_exec_t)
-')
-allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
-allow cupsd_config_t { bin_t sbin_t }:lnk_file read;
-# killall causes the following
-dontaudit cupsd_config_t domain:dir { getattr search };
-dontaudit cupsd_config_t selinux_config_t:dir search;
-
-can_exec(cupsd_config_t, cupsd_config_exec_t) 
-
-allow cupsd_config_t usr_t:file { getattr read };
-allow cupsd_config_t var_lib_t:dir { getattr search };
-allow cupsd_config_t rpm_var_lib_t:file { getattr read };
-allow cupsd_config_t printconf_t:file { getattr read };
-
-allow cupsd_config_t urandom_device_t:chr_file { getattr read };
-
-ifdef(`logrotate.te', `
-allow cupsd_config_t logrotate_t:fd use;
-')dnl end if logrotate.te
-allow cupsd_config_t system_crond_t:fd use;
-allow cupsd_config_t crond_t:fifo_file r_file_perms;
-allow cupsd_t crond_t:fifo_file read;
-allow cupsd_t crond_t:fd use;
-
-# Alternatives asks for this
-allow cupsd_config_t initrc_exec_t:file getattr;
-ifdef(`targeted_policy', `
-can_unix_connect(cupsd_t, initrc_t)
-allow cupsd_t initrc_t:dbus send_msg;
-allow initrc_t cupsd_t:dbus send_msg;
-allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
-allow unconfined_t cupsd_config_t:dbus send_msg;
-allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
-')
-typealias printer_port_t alias cupsd_lpd_port_t;
-inetd_child_domain(cupsd_lpd)
-allow inetd_t printer_port_t:tcp_socket name_bind;
-r_dir_file(cupsd_lpd_t, cupsd_etc_t)
-r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
-allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
-ifdef(`use_mcs', `
-range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
-')
-
diff --git a/strict/domains/program/cvs.te b/strict/domains/program/cvs.te
deleted file mode 100644
index 3f3e63c..0000000
--- a/strict/domains/program/cvs.te
+++ /dev/null
@@ -1,31 +0,0 @@
-#DESC cvs - Concurrent Versions System
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the cvs_t domain.
-#
-# cvs_exec_t is the type of the cvs executable.
-#
-
-inetd_child_domain(cvs, tcp)
-typeattribute cvs_t privmail;
-typeattribute cvs_t auth_chkpwd;
-
-type cvs_data_t, file_type, sysadmfile, customizable;
-create_dir_file(cvs_t, cvs_data_t)
-can_exec(cvs_t, { bin_t sbin_t shell_exec_t })
-allow cvs_t bin_t:dir search;
-allow cvs_t { bin_t sbin_t }:lnk_file read;
-allow cvs_t etc_runtime_t:file { getattr read };
-allow system_mail_t cvs_data_t:file { getattr read };
-dontaudit cvs_t devtty_t:chr_file { read write };
-ifdef(`kerberos.te', `
-# Allow kerberos to work
-allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms;
-dontaudit cvs_t krb5_conf_t:file write;
-')
-
diff --git a/strict/domains/program/cyrus.te b/strict/domains/program/cyrus.te
deleted file mode 100644
index a423235..0000000
--- a/strict/domains/program/cyrus.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#DESC cyrus-imapd
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com>
-#
-
-# cyrusd_exec_t is the type of the cyrusd executable.
-# cyrusd_key_t is the type of the cyrus private key files
-daemon_domain(cyrus)
-
-general_domain_access(cyrus_t)
-file_type_auto_trans(cyrus_t, var_run_t, cyrus_var_run_t, sock_file)
-
-type cyrus_var_lib_t, file_type, sysadmfile;
-
-allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
-allow cyrus_t self:process setrlimit;
-
-can_network(cyrus_t)
-allow cyrus_t port_type:tcp_socket name_connect;
-can_ypbind(cyrus_t)
-can_exec(cyrus_t, bin_t)
-allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
-allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
-allow cyrus_t etc_t:file { getattr read };
-allow cyrus_t lib_t:file { execute execute_no_trans getattr read };
-read_locale(cyrus_t)
-read_sysctl(cyrus_t)
-tmp_domain(cyrus)
-allow cyrus_t { mail_port_t pop_port_t }:tcp_socket name_bind;
-allow cyrus_t proc_t:dir search;
-allow cyrus_t proc_t:file { getattr read };
-allow cyrus_t sysadm_devpts_t:chr_file { read write };
-
-allow cyrus_t var_lib_t:dir search;
-
-allow cyrus_t etc_runtime_t:file { read getattr };
-ifdef(`crond.te', `
-system_crond_entry(cyrus_exec_t, cyrus_t)
-allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms;
-allow system_crond_t cyrus_var_lib_t:file create_file_perms;
-')
-create_dir_file(cyrus_t, mail_spool_t)
-allow cyrus_t var_spool_t:dir search;
-
-ifdef(`saslauthd.te', `
-allow cyrus_t saslauthd_var_run_t:dir search;
-allow cyrus_t saslauthd_var_run_t:sock_file { read write };
-allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
-')
-
-r_dir_file(cyrus_t, cert_t)
-allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr };
diff --git a/strict/domains/program/dbskkd.te b/strict/domains/program/dbskkd.te
deleted file mode 100644
index e75d90b..0000000
--- a/strict/domains/program/dbskkd.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#DESC dbskkd - A dictionary server for the SKK Japanese input method system.
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the dbskkd_t domain.
-#
-# dbskkd_exec_t is the type of the dbskkd executable.
-#
-# Depends: inetd.te
-
-inetd_child_domain(dbskkd)
diff --git a/strict/domains/program/dbusd.te b/strict/domains/program/dbusd.te
deleted file mode 100644
index acad4de..0000000
--- a/strict/domains/program/dbusd.te
+++ /dev/null
@@ -1,27 +0,0 @@
-#DESC dbus-daemon-1 server for dbus desktop bus protocol
-#
-# Author:  Russell Coker <russell@coker.com.au>
-
-dbusd_domain(system)
-
-allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
-
-ifdef(`pamconsole.te', `
-r_dir_file(system_dbusd_t, pam_var_console_t)
-')
-
-# dac_override: /var/run/dbus is owned by messagebus on Debian
-allow system_dbusd_t self:capability { dac_override setgid setuid };
-nsswitch_domain(system_dbusd_t)
-
-# I expect we need more than this
-
-allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
-allow initrc_t system_dbusd_t:unix_stream_socket connectto;
-allow initrc_t system_dbusd_var_run_t:sock_file write;
-
-can_exec(system_dbusd_t, sbin_t)
-allow system_dbusd_t self:fifo_file { read write };
-allow system_dbusd_t self:unix_stream_socket connectto;
-allow system_dbusd_t self:unix_stream_socket connectto;
-allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --git a/strict/domains/program/ddcprobe.te b/strict/domains/program/ddcprobe.te
deleted file mode 100644
index 4087126..0000000
--- a/strict/domains/program/ddcprobe.te
+++ /dev/null
@@ -1,42 +0,0 @@
-#DESC ddcprobe - output ddcprobe results from kudzu
-#
-# Author: dan walsh <dwalsh@redhat.com>
-#
-
-type ddcprobe_t, domain, privmem;
-type ddcprobe_exec_t, file_type, exec_type, sysadmfile;
-
-# Allow execution by the sysadm
-role sysadm_r types ddcprobe_t;
-role system_r types ddcprobe_t;
-domain_auto_trans(sysadm_t, ddcprobe_exec_t, ddcprobe_t)
-
-uses_shlib(ddcprobe_t)
-
-# Allow terminal access
-access_terminal(ddcprobe_t, sysadm)
-
-# Allow ddcprobe to read /dev/mem
-allow ddcprobe_t memory_device_t:chr_file read;
-allow ddcprobe_t memory_device_t:chr_file { execute write };
-allow ddcprobe_t self:process execmem;
-allow ddcprobe_t zero_device_t:chr_file { execute read };
-
-allow ddcprobe_t proc_t:dir search;
-allow ddcprobe_t proc_t:file { getattr read };
-can_exec(ddcprobe_t, sbin_t)
-allow ddcprobe_t user_tty_type:chr_file rw_file_perms;
-allow ddcprobe_t userdomain:fd use;
-read_sysctl(ddcprobe_t)
-allow ddcprobe_t urandom_device_t:chr_file { getattr read };
-allow ddcprobe_t { bin_t sbin_t }:dir r_dir_perms;
-allow ddcprobe_t self:capability { sys_rawio sys_admin };
-
-allow ddcprobe_t { etc_t etc_runtime_t }:file { getattr read };
-allow ddcprobe_t kudzu_exec_t:file getattr;
-allow ddcprobe_t lib_t:file { getattr read };
-read_locale(ddcprobe_t)
-allow ddcprobe_t modules_object_t:dir search;
-allow ddcprobe_t modules_dep_t:file { getattr read };
-allow ddcprobe_t usr_t:file { getattr read };
-allow ddcprobe_t kernel_t:system syslog_console;
diff --git a/strict/domains/program/dhcpc.te b/strict/domains/program/dhcpc.te
deleted file mode 100644
index 2fff8f5..0000000
--- a/strict/domains/program/dhcpc.te
+++ /dev/null
@@ -1,166 +0,0 @@
-#DESC DHCPC - DHCP client
-#
-# Authors:  Wayne Salamon (NAI Labs) <wsalamon@tislabs.com>
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: pump dhcp-client udhcpc
-#
-
-#################################
-#
-# Rules for the dhcpc_t domain.
-#
-# dhcpc_t is the domain for the client side of DHCP. dhcpcd, the DHCP 
-# network configurator daemon started by /etc/sysconfig/network-scripts 
-# rc scripts, runs in this domain.
-# dhcpc_exec_t is the type of the dhcpcd executable.
-# The dhcpc_t can be used for other DHCPC related files as well.
-#
-daemon_domain(dhcpc)
-
-# for SSP
-allow dhcpc_t urandom_device_t:chr_file read;
-
-can_network(dhcpc_t)
-allow dhcpc_t port_type:tcp_socket name_connect;
-can_ypbind(dhcpc_t)
-allow dhcpc_t self:unix_dgram_socket create_socket_perms;
-allow dhcpc_t self:unix_stream_socket create_socket_perms;
-allow dhcpc_t self:fifo_file rw_file_perms;
-
-allow dhcpc_t devpts_t:dir search;
-
-# for localization
-allow dhcpc_t lib_t:file { getattr read };
-
-ifdef(`consoletype.te', `
-domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t)
-')
-ifdef(`nscd.te', `
-domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t)
-allow dhcpc_t nscd_var_run_t:file { getattr read };
-')
-ifdef(`cardmgr.te', `
-domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
-allow cardmgr_t dhcpc_var_run_t:file { getattr read };
-allow cardmgr_t dhcpc_t:process signal_perms;
-allow cardmgr_t dhcpc_var_run_t:file unlink;
-allow dhcpc_t cardmgr_dev_t:chr_file { read write };
-')
-ifdef(`hotplug.te', `
-domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
-allow hotplug_t dhcpc_t:process signal_perms;
-allow hotplug_t dhcpc_var_run_t:file { getattr read };
-allow hotplug_t dhcp_etc_t:file rw_file_perms;
-allow dhcpc_t hotplug_etc_t:dir { getattr search };
-ifdef(`distro_redhat', `
-domain_auto_trans(dhcpc_t, syslogd_exec_t, syslogd_t)
-')
-')dnl end hotplug.te
-
-# for the dhcp client to run ping to check IP addresses
-ifdef(`ping.te', `
-domain_auto_trans(dhcpc_t, ping_exec_t, ping_t)
-ifdef(`hotplug.te', `
-allow ping_t hotplug_t:fd use;
-') dnl end if hotplug
-ifdef(`cardmgr.te', `
-allow ping_t cardmgr_t:fd use;
-') dnl end if cardmgr
-', `
-allow dhcpc_t self:capability setuid;
-allow dhcpc_t self:rawip_socket create_socket_perms;
-') dnl end if ping
-
-ifdef(`dhcpd.te', `', `
-type dhcp_state_t, file_type, sysadmfile;
-type dhcp_etc_t, file_type, sysadmfile, usercanread; 
-')
-type dhcpc_state_t, file_type, sysadmfile;
-
-allow dhcpc_t etc_t:lnk_file read;
-allow dhcpc_t { etc_t etc_runtime_t }:file { getattr read };
-allow dhcpc_t proc_net_t:dir search;
-allow dhcpc_t { proc_t proc_net_t }:file { getattr read };
-allow dhcpc_t self:file { getattr read };
-read_sysctl(dhcpc_t)
-allow dhcpc_t userdomain:fd use;
-ifdef(`run_init.te', `
-allow dhcpc_t run_init_t:fd use;
-')
-
-# Use capabilities
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
-
-# for access("/etc/bashrc", X_OK) on Red Hat
-dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-
-# for udp port 68
-allow dhcpc_t dhcpc_port_t:udp_socket name_bind;
-
-# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
-# in /etc created by dhcpcd will be labelled net_conf_t.
-file_type_auto_trans(dhcpc_t, etc_t, net_conf_t, file)
-
-# Allow access to the dhcpc file types
-r_dir_file(dhcpc_t, dhcp_etc_t)
-allow dhcpc_t sbin_t:dir search;
-can_exec(dhcpc_t, { dhcpc_exec_t dhcp_etc_t sbin_t })
-ifdef(`distro_redhat', `
-can_exec(dhcpc_t, etc_t)
-allow initrc_t dhcp_etc_t:file rw_file_perms;
-')
-ifdef(`ifconfig.te', `
-domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t)
-')dnl end if def ifconfig
-
-
-tmp_domain(dhcpc)
-
-# Allow dhcpc_t to use packet sockets
-allow dhcpc_t self:packet_socket create_socket_perms;
-allow dhcpc_t var_lib_t:dir search;
-file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
-allow dhcpc_t dhcp_state_t:file { getattr read };
-
-allow dhcpc_t bin_t:dir { getattr search };
-allow dhcpc_t bin_t:lnk_file read;
-can_exec(dhcpc_t, { bin_t shell_exec_t })
-
-ifdef(`hostname.te', `
-domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t)
-')
-dontaudit dhcpc_t { devpts_t ttyfile ptyfile tty_device_t }:chr_file rw_file_perms;
-allow dhcpc_t { userdomain kernel_t }:fd use;
-
-allow dhcpc_t home_root_t:dir search;
-allow initrc_t dhcpc_state_t:file { getattr read };
-dontaudit dhcpc_t var_lock_t:dir search;
-allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
-dontaudit dhcpc_t domain:dir getattr;
-allow dhcpc_t initrc_var_run_t:file rw_file_perms;
-#
-# dhclient sometimes starts ypbind and ntdp
-#
-can_exec(dhcpc_t, initrc_exec_t)
-ifdef(`ypbind.te', `
-domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
-allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
-allow dhcpc_t ypbind_t:process signal;
-')
-ifdef(`ntpd.te', `
-domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
-')
-role sysadm_r types dhcpc_t;
-domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t)
-ifdef(`dbusd.te', `
-dbusd_client(system, dhcpc)
-domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
-allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow dhcpc_t self:dbus send_msg;
-allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
-allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
-ifdef(`unconfined.te', `
-allow unconfined_t dhcpc_t:dbus send_msg;
-allow dhcpc_t unconfined_t:dbus send_msg;
-')
-')
diff --git a/strict/domains/program/dhcpd.te b/strict/domains/program/dhcpd.te
deleted file mode 100644
index e276af2..0000000
--- a/strict/domains/program/dhcpd.te
+++ /dev/null
@@ -1,78 +0,0 @@
-#DESC DHCPD - DHCP server
-#
-# Author: Russell Coker <russell@coker.com.au> 
-# based on the dhcpc_t policy from:
-#          Wayne Salamon (NAI Labs) <wsalamon@tislabs.com>
-# X-Debian-Packages: dhcp dhcp3-server 
-#
-
-#################################
-#
-# Rules for the dhcpd_t domain.
-#
-# dhcpd_t is the domain for the server side of DHCP. dhcpd, the DHCP 
-# server daemon rc scripts, runs in this domain.
-# dhcpd_exec_t is the type of the dhcpdd executable.
-# The dhcpd_t can be used for other DHCPC related files as well.
-#
-daemon_domain(dhcpd, `, nscd_client_domain')
-
-# for UDP port 4011
-allow dhcpd_t pxe_port_t:udp_socket name_bind;
-
-type dhcp_etc_t, file_type, sysadmfile, usercanread;
-
-# Use the network.
-can_network(dhcpd_t)
-allow dhcpd_t port_type:tcp_socket name_connect;
-allow dhcpd_t dhcpd_port_t:{ tcp_socket udp_socket } name_bind;
-can_ypbind(dhcpd_t)
-allow dhcpd_t self:unix_dgram_socket create_socket_perms;
-allow dhcpd_t self:unix_stream_socket create_socket_perms;
-allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow dhcpd_t var_lib_t:dir search;
-
-allow dhcpd_t devtty_t:chr_file { read write };
-
-# Use capabilities
-allow dhcpd_t self:capability { net_raw net_bind_service };
-dontaudit dhcpd_t self:capability  net_admin;
-
-# Allow access to the dhcpd file types
-type dhcp_state_t, file_type, sysadmfile;
-type dhcpd_state_t, file_type, sysadmfile;
-allow dhcpd_t dhcp_etc_t:file { read getattr };
-allow dhcpd_t dhcp_etc_t:dir search;
-file_type_auto_trans(dhcpd_t, dhcp_state_t, dhcpd_state_t, file)
-
-allow dhcpd_t etc_t:lnk_file read;
-allow dhcpd_t { etc_t etc_runtime_t }:file r_file_perms;
-
-# Allow dhcpd_t programs to execute themselves and bin_t (uname etc)
-can_exec(dhcpd_t, { dhcpd_exec_t bin_t })
-
-# Allow dhcpd_t to use packet sockets
-allow dhcpd_t self:packet_socket create_socket_perms;
-allow dhcpd_t self:rawip_socket create_socket_perms;
-
-# allow to run utilities and scripts
-allow dhcpd_t { bin_t sbin_t }:dir r_dir_perms;
-allow dhcpd_t { bin_t sbin_t }:{ file lnk_file } rx_file_perms;
-allow dhcpd_t self:fifo_file { read write getattr };
-
-# allow reading /proc
-allow dhcpd_t proc_t:{ file lnk_file } r_file_perms;
-tmp_domain(dhcpd)
-
-ifdef(`distro_gentoo', `
-allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
-allow initrc_t dhcpd_state_t:file setattr;
-')
-r_dir_file(dhcpd_t, usr_t)
-allow dhcpd_t { urandom_device_t random_device_t }:chr_file r_file_perms;
-
-ifdef(`named.te', `
-allow dhcpd_t { named_conf_t named_zone_t }:dir search;
-allow dhcpd_t dnssec_t:file { getattr read };
-')
diff --git a/strict/domains/program/dictd.te b/strict/domains/program/dictd.te
deleted file mode 100644
index d610d07..0000000
--- a/strict/domains/program/dictd.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC Dictd - Dictionary daemon
-#
-# Authors:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: dictd
-#
-
-#################################
-#
-# Rules for the dictd_t domain.
-#
-# dictd_exec_t is the type of the dictd executable.
-#
-daemon_base_domain(dictd)
-type dictd_var_lib_t, file_type, sysadmfile;
-typealias dictd_var_lib_t alias var_lib_dictd_t;
-etc_domain(dictd)
-
-# for checking for nscd
-dontaudit dictd_t var_run_t:dir search;
-
-# read config files
-allow dictd_t { etc_t etc_runtime_t }:file r_file_perms;
-
-read_locale(dictd_t)
-
-allow dictd_t { var_t var_lib_t }:dir search;
-allow dictd_t dictd_var_lib_t:dir r_dir_perms;
-allow dictd_t dictd_var_lib_t:file r_file_perms;
-
-allow dictd_t self:capability { setuid setgid };
-
-allow dictd_t usr_t:file r_file_perms;
-
-allow dictd_t self:process { setpgid fork sigchld };
-
-allow dictd_t proc_t:file r_file_perms;
-
-allow dictd_t dict_port_t:tcp_socket name_bind;
-
-allow dictd_t devtty_t:chr_file rw_file_perms;
-
-allow dictd_t self:unix_stream_socket create_stream_socket_perms;
-
-can_network_server(dictd_t)
-can_ypbind(dictd_t)
-can_tcp_connect(userdomain, dictd_t)
-
-allow dictd_t fs_t:filesystem getattr;
diff --git a/strict/domains/program/dmesg.te b/strict/domains/program/dmesg.te
deleted file mode 100644
index 9f9392e..0000000
--- a/strict/domains/program/dmesg.te
+++ /dev/null
@@ -1,29 +0,0 @@
-#DESC dmesg - control kernel ring buffer
-#
-# Author:  Dan Walsh dwalsh@redhat.com
-#
-# X-Debian-Packages: util-linux
-
-#################################
-#
-# Rules for the dmesg_t domain.
-#
-# dmesg_exec_t is the type of the dmesg executable.
-#
-# while sysadm_t has the sys_admin capability there is no point in using
-# dmesg_t when run from sysadm_t, so we use nosysadm.
-#
-daemon_base_domain(dmesg, , `nosysadm')
-
-#
-# Rules used for dmesg
-#
-allow dmesg_t self:capability sys_admin;
-allow dmesg_t kernel_t:system { syslog_read syslog_console syslog_mod };
-allow dmesg_t admin_tty_type:chr_file { getattr read write };
-allow dmesg_t sysadm_tty_device_t:chr_file ioctl;
-allow dmesg_t var_log_t:file { getattr write };
-read_locale(dmesg_t)
-
-# for when /usr is not mounted
-dontaudit dmesg_t file_t:dir search;
diff --git a/strict/domains/program/dmidecode.te b/strict/domains/program/dmidecode.te
deleted file mode 100644
index 05b93f7..0000000
--- a/strict/domains/program/dmidecode.te
+++ /dev/null
@@ -1,22 +0,0 @@
-#DESC dmidecode - decodes DMI data for x86/ia64 bioses 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-type dmidecode_t, domain, privmem;
-type dmidecode_exec_t, file_type, exec_type, sysadmfile;
-
-# Allow execution by the sysadm
-role sysadm_r types dmidecode_t;
-role system_r types dmidecode_t;
-domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)
-
-uses_shlib(dmidecode_t)
-
-# Allow terminal access
-access_terminal(dmidecode_t, sysadm)
-
-# Allow dmidecode to read /dev/mem
-allow dmidecode_t memory_device_t:chr_file read;
-
-allow dmidecode_t self:capability sys_rawio;
diff --git a/strict/domains/program/dovecot.te b/strict/domains/program/dovecot.te
deleted file mode 100644
index eb7a30e..0000000
--- a/strict/domains/program/dovecot.te
+++ /dev/null
@@ -1,75 +0,0 @@
-#DESC Dovecot POP and IMAP servers
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: dovecot-imapd, dovecot-pop3d
-
-#
-# Main dovecot daemon
-#
-daemon_domain(dovecot, `, privhome')
-etc_domain(dovecot);
-
-allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
-
-can_exec(dovecot_t, dovecot_exec_t)
-
-type dovecot_cert_t, file_type, sysadmfile;
-type dovecot_passwd_t, file_type, sysadmfile;
-type dovecot_spool_t, file_type, sysadmfile;
-
-allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
-allow dovecot_t self:process setrlimit;
-can_network_tcp(dovecot_t)
-allow dovecot_t port_type:tcp_socket name_connect;
-can_ypbind(dovecot_t)
-allow dovecot_t self:unix_dgram_socket create_socket_perms;
-allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
-can_unix_connect(dovecot_t, self)
-
-allow dovecot_t etc_t:file { getattr read };
-allow dovecot_t initrc_var_run_t:file getattr;
-allow dovecot_t bin_t:dir { getattr search };
-can_exec(dovecot_t, bin_t)
-
-allow dovecot_t pop_port_t:tcp_socket name_bind;
-allow dovecot_t urandom_device_t:chr_file { getattr read };
-allow dovecot_t cert_t:dir search;
-r_dir_file(dovecot_t, dovecot_cert_t)
-r_dir_file(dovecot_t, cert_t)
-
-allow dovecot_t { self proc_t }:file { getattr read };
-allow dovecot_t self:fifo_file rw_file_perms;
-
-can_kerberos(dovecot_t)
-
-allow dovecot_t tmp_t:dir search;
-rw_dir_create_file(dovecot_t, mail_spool_t)
-
-
-create_dir_file(dovecot_t, dovecot_spool_t)
-create_dir_file(mta_delivery_agent, dovecot_spool_t)
-allow dovecot_t mail_spool_t:lnk_file read;
-allow dovecot_t var_spool_t:dir { search };
-
-#
-# Dovecot auth daemon
-#
-daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd')
-can_ldap(dovecot_auth_t)
-can_ypbind(dovecot_auth_t)
-can_kerberos(dovecot_auth_t)
-can_resolve(dovecot_auth_t)
-allow dovecot_auth_t self:process { fork signal_perms };
-allow dovecot_auth_t self:capability { setgid setuid };
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
-allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
-allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-allow dovecot_auth_t self:fifo_file rw_file_perms;
-allow dovecot_auth_t urandom_device_t:chr_file { getattr read };
-allow dovecot_auth_t etc_t:file { getattr read };
-allow dovecot_auth_t { self proc_t }:file { getattr read };
-read_locale(dovecot_auth_t)
-read_sysctl(dovecot_auth_t)
-allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
-dontaudit dovecot_auth_t selinux_config_t:dir search;
-
diff --git a/strict/domains/program/ethereal.te b/strict/domains/program/ethereal.te
deleted file mode 100644
index a56d321..0000000
--- a/strict/domains/program/ethereal.te
+++ /dev/null
@@ -1,48 +0,0 @@
-# DESC - Ethereal  
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-# Type for executables
-type tethereal_exec_t, file_type, exec_type, sysadmfile;
-type ethereal_exec_t, file_type, exec_type, sysadmfile;
-
-########################################################
-# Tethereal 
-#
-
-# Type for program
-type tethereal_t, domain, nscd_client_domain;
-
-# Transition from sysadm type
-domain_auto_trans(sysadm_t, tethereal_exec_t, tethereal_t)
-role sysadm_r types tethereal_t;
-
-uses_shlib(tethereal_t)
-read_locale(tethereal_t)
-
-# Terminal output
-access_terminal(tethereal_t, sysadm)
-
-# /proc
-read_sysctl(tethereal_t)
-allow tethereal_t { self proc_t }:dir { read search getattr };
-allow tethereal_t { self proc_t }:{ file lnk_file } { read getattr };
-
-# Access root
-allow tethereal_t root_t:dir search;
-
-# Read ethereal files in /usr
-allow tethereal_t usr_t:file { read getattr };
-
-# /etc/nsswitch.conf
-allow tethereal_t etc_t:file { read getattr };
-
-# Ethereal sysadm rules
-ethereal_networking(tethereal)
-
-# FIXME: policy is incomplete
-
-#####################################
-# Ethereal (GNOME) policy can be found
-# in ethereal_macros.te 
diff --git a/strict/domains/program/evolution.te b/strict/domains/program/evolution.te
deleted file mode 100644
index c8a045e..0000000
--- a/strict/domains/program/evolution.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# DESC - Evolution  
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-# Type for executables
-type evolution_exec_t, file_type, exec_type, sysadmfile;
-type evolution_server_exec_t, file_type, exec_type, sysadmfile;
-type evolution_webcal_exec_t, file_type, exec_type, sysadmfile;
-type evolution_alarm_exec_t, file_type, exec_type, sysadmfile;
-type evolution_exchange_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in macros/evolution_macros.te
-bool disable_evolution_trans false;
diff --git a/strict/domains/program/fetchmail.te b/strict/domains/program/fetchmail.te
deleted file mode 100644
index 225f08e..0000000
--- a/strict/domains/program/fetchmail.te
+++ /dev/null
@@ -1,32 +0,0 @@
-#DESC fetchmail - remote-mail retrieval utility
-#
-# Author: Greg Norris <haphazard@kc.rr.com>
-# X-Debian-Packages: fetchmail
-# Depends: mta.te
-#
-# Note: This policy is only required when running fetchmail in daemon mode.
-
-#################################
-#
-# Rules for the fetchmail_t domain.
-#
-daemon_domain(fetchmail);
-type fetchmail_etc_t, file_type, sysadmfile;
-type fetchmail_uidl_cache_t, file_type, sysadmfile;
-
-# misc. requirements
-allow fetchmail_t self:process setrlimit;
-
-# network-related goodies
-can_network_client_tcp(fetchmail_t, { dns_port_t pop_port_t smtp_port_t })
-can_network_udp(fetchmail_t, dns_port_t)
-allow fetchmail_t port_type:tcp_socket name_connect;
-
-allow fetchmail_t self:unix_dgram_socket create_socket_perms;
-allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
-
-# file access
-allow fetchmail_t etc_t:file r_file_perms;
-allow fetchmail_t fetchmail_etc_t:file r_file_perms;
-allow fetchmail_t mail_spool_t:dir search;
-file_type_auto_trans(fetchmail_t, mail_spool_t, fetchmail_uidl_cache_t, file)
diff --git a/strict/domains/program/fingerd.te b/strict/domains/program/fingerd.te
deleted file mode 100644
index 73fee16..0000000
--- a/strict/domains/program/fingerd.te
+++ /dev/null
@@ -1,80 +0,0 @@
-#DESC Fingerd - Finger daemon
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: fingerd cfingerd efingerd ffingerd
-#
-
-#################################
-#
-# Rules for the fingerd_t domain.
-#
-# fingerd_exec_t is the type of the fingerd executable.
-#
-daemon_domain(fingerd)
-
-etcdir_domain(fingerd)
-
-allow fingerd_t etc_t:lnk_file read;
-allow fingerd_t { etc_t etc_runtime_t }:file { read getattr };
-
-log_domain(fingerd)
-system_crond_entry(fingerd_exec_t, fingerd_t)
-ifdef(`logrotate.te', `can_exec(fingerd_t, logrotate_exec_t)')
-
-allow fingerd_t fingerd_port_t:tcp_socket name_bind;
-ifdef(`inetd.te', `
-allow inetd_t fingerd_port_t:tcp_socket name_bind;
-# can be run from inetd
-domain_auto_trans(inetd_t, fingerd_exec_t, fingerd_t)
-allow fingerd_t inetd_t:tcp_socket { read write getattr ioctl };
-')
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, fingerd_exec_t, fingerd_t)
-')
-
-allow fingerd_t self:capability { setgid setuid };
-# for gzip from logrotate
-dontaudit fingerd_t self:capability fsetid;
-
-# cfingerd runs shell scripts
-allow fingerd_t { bin_t sbin_t }:dir search;
-allow fingerd_t bin_t:lnk_file read;
-can_exec(fingerd_t, { shell_exec_t bin_t sbin_t })
-allow fingerd_t devtty_t:chr_file { read write };
-
-allow fingerd_t { ttyfile ptyfile }:chr_file getattr;
-
-# Use the network.
-can_network_server(fingerd_t)
-can_ypbind(fingerd_t)
-
-allow fingerd_t self:unix_dgram_socket create_socket_perms;
-allow fingerd_t self:unix_stream_socket create_socket_perms;
-allow fingerd_t self:fifo_file { read write getattr };
-
-# allow any user domain to connect to the finger server
-can_tcp_connect(userdomain, fingerd_t)
-
-# for .finger, .plan. etc
-allow fingerd_t { home_root_t user_home_dir_type }:dir search;
-# should really have a different type for .plan etc
-allow fingerd_t user_home_type:file { getattr read };
-# stop it accessing sub-directories, prevents checking a Maildir for new mail,
-# have to change this when we create a type for Maildir
-dontaudit fingerd_t user_home_t:dir search;
-
-# for mail
-allow fingerd_t { var_spool_t mail_spool_t }:dir search;
-allow fingerd_t mail_spool_t:file getattr;
-allow fingerd_t mail_spool_t:lnk_file read;
-
-# see who is logged in and when users last logged in
-allow fingerd_t { initrc_var_run_t lastlog_t }:file { read getattr };
-dontaudit fingerd_t initrc_var_run_t:file lock;
-allow fingerd_t devpts_t:dir search;
-allow fingerd_t ptyfile:chr_file getattr;
-
-allow fingerd_t proc_t:file { read getattr };
-
-# for date command
-read_sysctl(fingerd_t)
diff --git a/strict/domains/program/firstboot.te b/strict/domains/program/firstboot.te
deleted file mode 100644
index e07bc43..0000000
--- a/strict/domains/program/firstboot.te
+++ /dev/null
@@ -1,131 +0,0 @@
-#DESC firstboot
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-# X-Debian-Packages: firstboot
-#
-
-#################################
-#
-# Rules for the firstboot_t domain.
-#
-# firstboot_exec_t is the type of the firstboot executable.
-#
-application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, privuser, sysctl_kernel_writer')
-type firstboot_rw_t, file_type, sysadmfile;
-role system_r types firstboot_t;
-
-ifdef(`xserver.te', `
-domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
-')
-
-etc_domain(firstboot)
-
-allow firstboot_t proc_t:file r_file_perms;
-
-allow firstboot_t urandom_device_t:chr_file { getattr read };
-allow firstboot_t proc_t:file { getattr read write };
-
-domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t)
-file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)
-
-can_exec_any(firstboot_t)
-ifdef(`useradd.te',`
-domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
-domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
-')
-allow firstboot_t etc_runtime_t:file { getattr read };
-
-r_dir_file(firstboot_t, etc_t)
-
-allow firstboot_t firstboot_rw_t:dir create_dir_perms;
-allow firstboot_t firstboot_rw_t:file create_file_perms;
-allow firstboot_t self:fifo_file { getattr read write };
-allow firstboot_t self:process { fork sigchld };
-allow firstboot_t self:unix_stream_socket { connect create };
-allow firstboot_t initrc_exec_t:file { getattr read };
-allow firstboot_t initrc_var_run_t:file r_file_perms;
-allow firstboot_t lib_t:file { getattr read };
-allow firstboot_t local_login_t:fd use;
-read_locale(firstboot_t)
-
-allow firstboot_t proc_t:dir search;
-allow firstboot_t { devtty_t sysadm_tty_device_t }:chr_file rw_file_perms;
-allow firstboot_t usr_t:file r_file_perms;
-
-allow firstboot_t etc_t:file write;
-
-# Allow write to utmp file
-allow firstboot_t initrc_var_run_t:file write;
-
-ifdef(`samba.te', `
-rw_dir_file(firstboot_t, samba_etc_t)
-')
-
-dontaudit firstboot_t shadow_t:file getattr;
-
-role system_r types initrc_t;
-#role_transition firstboot_r initrc_exec_t system_r;
-domain_auto_trans(firstboot_t, initrc_exec_t, initrc_t)
-
-allow firstboot_t self:passwd rootok;
-
-ifdef(`userhelper.te', `
-role system_r types sysadm_userhelper_t;
-domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-
-ifdef(`consoletype.te', `
-allow consoletype_t devtty_t:chr_file { read write };
-allow consoletype_t etc_t:file { getattr read };
-allow consoletype_t firstboot_t:fd use;
-')
-
-allow firstboot_t etc_t:{ file lnk_file } create_file_perms;
-
-allow firstboot_t self:capability { dac_override setgid };
-allow firstboot_t self:dir search;
-allow firstboot_t self:file { read write };
-allow firstboot_t self:lnk_file read;
-can_setfscreate(firstboot_t)
-allow firstboot_t krb5_conf_t:file rw_file_perms;
-
-allow firstboot_t modules_conf_t:file { getattr read };
-allow firstboot_t modules_dep_t:file { getattr read };
-allow firstboot_t modules_object_t:dir search;
-allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
-allow firstboot_t proc_t:lnk_file read;
-
-can_getsecurity(firstboot_t)
-
-dontaudit firstboot_t sysadm_t:process { noatsecure rlimitinh siginh transition };
-read_sysctl(firstboot_t)
-
-allow firstboot_t var_run_t:dir getattr;
-allow firstboot_t var_t:dir getattr;
-ifdef(`hostname.te', `
-allow hostname_t devtty_t:chr_file { read write };
-allow hostname_t firstboot_t:fd use;
-')
-ifdef(`iptables.te', `
-allow iptables_t devtty_t:chr_file { read write };
-allow iptables_t firstboot_t:fd use;
-allow iptables_t firstboot_t:fifo_file write;
-')
-can_network_server(firstboot_t)
-can_ypbind(firstboot_t)
-ifdef(`printconf.te', `
-can_exec(firstboot_t, printconf_t)
-')
-create_dir_file(firstboot_t, var_t)
-# Add/remove user home directories
-file_type_auto_trans(firstboot_t, home_root_t, user_home_dir_t, dir)
-file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t)
-
-#
-# The big hammer
-#
-unconfined_domain(firstboot_t) 
-ifdef(`targeted_policy', `
-allow firstboot_t unconfined_t:process transition;
-')
-
diff --git a/strict/domains/program/fontconfig.te b/strict/domains/program/fontconfig.te
deleted file mode 100644
index 836470a..0000000
--- a/strict/domains/program/fontconfig.te
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# Fontconfig related types 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-# Look in fontconfig_macros.te
diff --git a/strict/domains/program/fs_daemon.te b/strict/domains/program/fs_daemon.te
deleted file mode 100644
index 05c98a9..0000000
--- a/strict/domains/program/fs_daemon.te
+++ /dev/null
@@ -1,28 +0,0 @@
-#DESC file system daemons
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: smartmontools
-
-daemon_domain(fsdaemon, `, fs_domain, privmail')
-allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
-allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
-
-# for config
-allow fsdaemon_t etc_t:file { getattr read };
-
-allow fsdaemon_t device_t:dir read;
-allow fsdaemon_t fixed_disk_device_t:blk_file rw_file_perms;
-allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
-allow fsdaemon_t etc_runtime_t:file { getattr read };
-
-allow fsdaemon_t proc_mdstat_t:file { getattr read };
-
-can_exec_any(fsdaemon_t)
-allow fsdaemon_t self:fifo_file rw_file_perms;
-can_network_udp(fsdaemon_t)
-tmp_domain(fsdaemon)
-allow system_mail_t fsdaemon_tmp_t:file { getattr ioctl read };
-
-dontaudit fsdaemon_t devpts_t:dir search;
-allow fsdaemon_t proc_t:file { getattr read };
-dontaudit system_mail_t fixed_disk_device_t:blk_file read;
diff --git a/strict/domains/program/fsadm.te b/strict/domains/program/fsadm.te
deleted file mode 100644
index 1d01c3d..0000000
--- a/strict/domains/program/fsadm.te
+++ /dev/null
@@ -1,123 +0,0 @@
-#DESC Fsadm - Disk and file system administration
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: util-linux e2fsprogs xfsprogs reiserfsprogs parted raidtools2 mount
-#
-
-#################################
-#
-# Rules for the fsadm_t domain.
-#
-# fsadm_t is the domain for disk and file system
-# administration.
-# fsadm_exec_t is the type of the corresponding programs.
-#
-type fsadm_t, domain, privlog, fs_domain, mlsfileread;
-role system_r types fsadm_t;
-role sysadm_r types fsadm_t;
-
-general_domain_access(fsadm_t)
-
-# for swapon
-r_dir_file(fsadm_t, sysfs_t)
-
-# Read system information files in /proc.
-r_dir_file(fsadm_t, proc_t)
-
-# Read system variables in /proc/sys
-read_sysctl(fsadm_t)
-
-# for /dev/shm
-allow fsadm_t tmpfs_t:dir { getattr search };
-allow fsadm_t tmpfs_t:file { read write };
-
-base_file_read_access(fsadm_t)
-
-# Read /etc.
-r_dir_file(fsadm_t, etc_t)
-
-# Read module-related files.
-allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms;
-
-# Read /dev directories and any symbolic links.
-allow fsadm_t device_t:dir r_dir_perms;
-allow fsadm_t device_t:lnk_file r_file_perms;
-
-uses_shlib(fsadm_t)
-
-type fsadm_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
-')
-tmp_domain(fsadm)
-
-# remount file system to apply changes
-allow fsadm_t fs_t:filesystem remount;
-
-allow fsadm_t fs_t:filesystem getattr;
-
-# mkreiserfs needs this
-allow fsadm_t proc_t:filesystem getattr;
-
-# mkreiserfs and other programs need this for UUID
-allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
-
-# Use capabilities.  ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
-
-# Write to /etc/mtab.
-file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
-
-# Inherit and use descriptors from init.
-allow fsadm_t init_t:fd use;
-
-# Run other fs admin programs in the fsadm_t domain.
-can_exec(fsadm_t, fsadm_exec_t)
-
-# Access disk devices.
-allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
-allow fsadm_t removable_device_t:devfile_class_set rw_file_perms;
-allow fsadm_t scsi_generic_device_t:chr_file r_file_perms;
-
-# Access lost+found.
-allow fsadm_t lost_found_t:dir create_dir_perms;
-allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
-allow fsadm_t lost_found_t:lnk_file create_lnk_perms;
-
-allow fsadm_t file_t:dir { search read getattr rmdir create };
-
-# Recreate /mnt/cdrom. 
-allow fsadm_t mnt_t:dir { search read getattr rmdir create };
-
-# Recreate /dev/cdrom.
-allow fsadm_t device_t:dir rw_dir_perms;
-allow fsadm_t device_t:lnk_file { unlink create };
-
-# Enable swapping to devices and files
-allow fsadm_t swapfile_t:file { getattr swapon };
-allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
-
-# Allow console log change (updfstab)
-allow fsadm_t kernel_t:system syslog_console;
-
-# Access terminals.
-can_access_pty(fsadm_t, initrc)
-allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
-allow fsadm_t privfd:fd use;
-
-read_locale(fsadm_t)
-
-# for smartctl cron jobs
-system_crond_entry(fsadm_exec_t, fsadm_t)
-
-# Access to /initrd devices
-allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
-allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
-allow fsadm_t usbfs_t:dir { getattr search };
-allow fsadm_t ramfs_t:fifo_file rw_file_perms;
-allow fsadm_t device_type:chr_file getattr;
-
-# for tune2fs
-allow fsadm_t file_type:dir { getattr search };
diff --git a/strict/domains/program/ftpd.te b/strict/domains/program/ftpd.te
deleted file mode 100644
index b20252b..0000000
--- a/strict/domains/program/ftpd.te
+++ /dev/null
@@ -1,116 +0,0 @@
-#DESC Ftpd - Ftp daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd
-#
-
-#################################
-#
-# Rules for the ftpd_t domain 
-#
-daemon_domain(ftpd, `, auth_chkpwd, nscd_client_domain')
-etc_domain(ftpd)
-
-can_network(ftpd_t)
-allow ftpd_t port_type:tcp_socket name_connect;
-allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
-allow ftpd_t self:unix_stream_socket create_socket_perms;
-allow ftpd_t self:process { getcap setcap setsched setrlimit };
-allow ftpd_t self:fifo_file rw_file_perms;
-
-allow ftpd_t bin_t:dir search;
-can_exec(ftpd_t, bin_t)
-allow ftpd_t bin_t:lnk_file read;
-read_sysctl(ftpd_t)
-
-allow ftpd_t urandom_device_t:chr_file { getattr read };
-
-ifdef(`crond.te', `
-system_crond_entry(ftpd_exec_t, ftpd_t)
-allow system_crond_t xferlog_t:file r_file_perms;
-can_exec(ftpd_t, { sbin_t shell_exec_t })
-allow ftpd_t usr_t:file { getattr read };
-ifdef(`logrotate.te', `
-can_exec(ftpd_t, logrotate_exec_t)
-')dnl end if logrotate.te
-')dnl end if crond.te
-
-allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
-allow ftpd_t port_t:tcp_socket name_bind;
-
-# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
-type ftpd_lock_t, file_type, sysadmfile, lockfile;
-
-# Allow ftpd to run directly without inetd.
-bool ftpd_is_daemon false;
-if (ftpd_is_daemon) {
-file_type_auto_trans(ftpd_t, var_lock_t, ftpd_lock_t, file)
-allow ftpd_t ftp_port_t:tcp_socket name_bind;
-can_tcp_connect(userdomain, ftpd_t)
-# Allows it to check exec privs on daemon
-allow inetd_t ftpd_exec_t:file x_file_perms;
-}
-ifdef(`inetd.te', `
-if (!ftpd_is_daemon) {
-ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
-domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
-
-# Use sockets inherited from inetd.
-allow ftpd_t inetd_t:fd use;
-allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms;
-
-# Send SIGCHLD to inetd on death.
-allow ftpd_t inetd_t:process sigchld;
-}
-') dnl end inetd.te
-
-# Access shared memory tmpfs instance.
-tmpfs_domain(ftpd)
-
-# Use capabilities.
-allow ftpd_t self:capability { chown fowner fsetid setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
-
-# Append to /var/log/wtmp.
-allow ftpd_t wtmp_t:file { getattr append };
-#kerberized ftp requires the following
-allow ftpd_t wtmp_t:file { write lock };
-
-# Create and modify /var/log/xferlog.
-type xferlog_t, file_type, sysadmfile, logfile;
-file_type_auto_trans(ftpd_t, var_log_t, xferlog_t, file)
-
-# Execute /bin/ls (can comment this out for proftpd)
-# also may need rules to allow tar etc...
-can_exec(ftpd_t, ls_exec_t)
-
-allow initrc_t ftpd_etc_t:file { getattr read };
-allow ftpd_t { etc_t etc_runtime_t }:file { getattr read };
-allow ftpd_t proc_t:file { getattr read };
-
-dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
-dontaudit ftpd_t selinux_config_t:dir search;
-allow ftpd_t autofs_t:dir search;
-allow ftpd_t self:file { getattr read };
-tmp_domain(ftpd)
-
-# Allow ftp to read/write files in the user home directories.
-bool ftp_home_dir false;
-
-if (ftp_home_dir) {
-# allow access to /home
-allow ftpd_t home_root_t:dir r_dir_perms;
-create_dir_file(ftpd_t, home_type)
-ifdef(`targeted_policy', `
-file_type_auto_trans(ftpd_t, user_home_dir_t, user_home_t)
-')
-}
-if (use_nfs_home_dirs && ftp_home_dir) {
-	r_dir_file(ftpd_t, nfs_t)
-}
-if (use_samba_home_dirs && ftp_home_dir) {
-	r_dir_file(ftpd_t, cifs_t)
-}
-dontaudit ftpd_t selinux_config_t:dir search;
-anonymous_domain(ftpd)
-
diff --git a/strict/domains/program/games.te b/strict/domains/program/games.te
deleted file mode 100644
index dee046c..0000000
--- a/strict/domains/program/games.te
+++ /dev/null
@@ -1,20 +0,0 @@
-#DESC Games - Miscellaneous games
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: bsdgames
-#
-
-# type for shared data from games
-type games_data_t, file_type, sysadmfile;
-
-# domain games_t is for system operation of games, generic games daemons and
-# games recovery scripts, also defines games_exec_t
-daemon_domain(games,,nosysadm)
-rw_dir_create_file(games_t, games_data_t)
-r_dir_file(initrc_t, games_data_t)
-
-# Run in user_t
-bool disable_games_trans false;
-
-# Everything else is in the x_client_domain macro in
-# macros/program/x_client_macros.te.
diff --git a/strict/domains/program/gconf.te b/strict/domains/program/gconf.te
deleted file mode 100644
index e4dfa4b..0000000
--- a/strict/domains/program/gconf.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# DESC - GConf preference daemon
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-# Type for executable
-type gconfd_exec_t, file_type, exec_type, sysadmfile;
-
-# Type for /etc files
-type gconf_etc_t, file_type, sysadmfile;
-
-# Everything else is in macros/gconfd_macros.te
diff --git a/strict/domains/program/getty.te b/strict/domains/program/getty.te
deleted file mode 100644
index 7899aec..0000000
--- a/strict/domains/program/getty.te
+++ /dev/null
@@ -1,61 +0,0 @@
-#DESC Getty - Manage ttys
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: util-linux fbgetty mingetty mgetty rungetty
-#
-
-#################################
-#
-# Rules for the getty_t domain.
-#
-init_service_domain(getty, `, privfd')
-
-etcdir_domain(getty)
-
-allow getty_t console_device_t:chr_file setattr;
-
-tmp_domain(getty)
-log_domain(getty)
-
-allow getty_t { etc_t etc_runtime_t }:file { getattr read };
-allow getty_t etc_t:lnk_file read;
-allow getty_t self:process { getpgid getsession };
-allow getty_t self:unix_dgram_socket create_socket_perms;
-allow getty_t self:unix_stream_socket create_socket_perms;
-
-# Use capabilities.
-allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
-
-read_locale(getty_t)
-
-# Run login in local_login_t domain.
-allow getty_t { sbin_t bin_t }:dir search;
-domain_auto_trans(getty_t, login_exec_t, local_login_t)
-
-# Write to /var/run/utmp.
-allow getty_t { var_t var_run_t }:dir search;
-allow getty_t initrc_var_run_t:file rw_file_perms;
-
-# Write to /var/log/wtmp.
-allow getty_t wtmp_t:file rw_file_perms;
-
-# Chown, chmod, read and write ttys.
-allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
-allow getty_t ttyfile:chr_file { setattr rw_file_perms };
-dontaudit getty_t initrc_devpts_t:chr_file rw_file_perms; 
-
-# for error condition handling
-allow getty_t fs_t:filesystem getattr;
-
-lock_domain(getty)
-r_dir_file(getty_t, sysfs_t)
-# for mgetty
-var_run_domain(getty)
-allow getty_t self:capability { fowner fsetid };
-
-#
-# getty needs to be able to run pppd
-#
-ifdef(`pppd.te', `
-domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
-')
diff --git a/strict/domains/program/gnome-pty-helper.te b/strict/domains/program/gnome-pty-helper.te
deleted file mode 100644
index 084aa68..0000000
--- a/strict/domains/program/gnome-pty-helper.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#DESC Gnome Terminal - Helper program for GNOME x-terms
-#
-# Domains for the gnome-pty-helper program.
-# X-Debian-Packages: gnome-terminal
-#
-
-# Type for the gnome-pty-helper executable.
-type gph_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the gph_domain macro in
-# macros/program/gph_macros.te.
diff --git a/strict/domains/program/gnome.te b/strict/domains/program/gnome.te
deleted file mode 100644
index b45ea8e..0000000
--- a/strict/domains/program/gnome.te
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# GNOME related types 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-# Look in gnome_macros.te
diff --git a/strict/domains/program/gnome_vfs.te b/strict/domains/program/gnome_vfs.te
deleted file mode 100644
index d4cabb6..0000000
--- a/strict/domains/program/gnome_vfs.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# DESC - GNOME VFS Daemon
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-# Type for executable
-type gnome_vfs_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in macros/gnome_vfs_macros.te
diff --git a/strict/domains/program/gpg-agent.te b/strict/domains/program/gpg-agent.te
deleted file mode 100644
index 2942c6c..0000000
--- a/strict/domains/program/gpg-agent.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC gpg-agent - agent to securely store gpg-keys
-#
-# Author: Thomas Bleher <ThomasBleher@gmx.de>
-#
-
-# Type for the gpg-agent executable.
-type gpg_agent_exec_t, file_type, exec_type, sysadmfile;
-
-# type for the pinentry executable
-type pinentry_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in the gpg_agent_domain macro in
-# macros/program/gpg_agent_macros.te.
diff --git a/strict/domains/program/gpg.te b/strict/domains/program/gpg.te
deleted file mode 100644
index b9cadb5..0000000
--- a/strict/domains/program/gpg.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#DESC GPG - Gnu Privacy Guard (PGP replacement)
-#
-# Authors:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: gnupg
-#
-
-# Type for gpg or pgp executables.
-type gpg_exec_t, file_type, sysadmfile, exec_type;
-type gpg_helper_exec_t, file_type, sysadmfile, exec_type;
-
-allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search;
-allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
-
-# Everything else is in the gpg_domain macro in
-# macros/program/gpg_macros.te.
diff --git a/strict/domains/program/gpm.te b/strict/domains/program/gpm.te
deleted file mode 100644
index ff81d69..0000000
--- a/strict/domains/program/gpm.te
+++ /dev/null
@@ -1,45 +0,0 @@
-#DESC Gpm - General Purpose Mouse driver
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: gpm
-#
-
-#################################
-#
-# Rules for the gpm_t domain.
-#
-# gpm_t is the domain of the console mouse server.
-# gpm_exec_t is the type of the console mouse server program.
-# gpmctl_t is the type of the Unix domain socket or pipe created
-# by the console mouse server.
-#
-daemon_domain(gpm)
-
-type gpmctl_t, file_type, sysadmfile, dev_fs;
-
-tmp_domain(gpm)
-
-# Allow to read the /etc/gpm/ conf files
-type gpm_conf_t, file_type, sysadmfile;
-r_dir_file(gpm_t, gpm_conf_t)
-
-# Use capabilities.
-allow gpm_t self:capability { setuid dac_override sys_admin sys_tty_config };
-
-# Create and bind to /dev/gpmctl.
-file_type_auto_trans(gpm_t, device_t, gpmctl_t, { sock_file fifo_file })
-allow gpm_t gpmctl_t:unix_stream_socket name_bind;
-allow gpm_t self:unix_dgram_socket create_socket_perms;
-allow gpm_t self:unix_stream_socket create_stream_socket_perms;
-
-# Read and write ttys.
-allow gpm_t tty_device_t:chr_file rw_file_perms;
-
-# Access the mouse.
-allow gpm_t { event_device_t mouse_device_t }:chr_file rw_file_perms;
-allow gpm_t device_t:lnk_file { getattr read };
-
-read_locale(gpm_t)
-
-allow initrc_t gpmctl_t:sock_file setattr;
-
diff --git a/strict/domains/program/hald.te b/strict/domains/program/hald.te
deleted file mode 100644
index a51709a..0000000
--- a/strict/domains/program/hald.te
+++ /dev/null
@@ -1,104 +0,0 @@
-#DESC hald - server for device info
-#
-# Author:  Russell Coker <rcoker@redhat.com>
-# X-Debian-Packages: 
-#
-
-#################################
-#
-# Rules for the hald_t domain.
-#
-# hald_exec_t is the type of the hald executable.
-#
-daemon_domain(hald, `, fs_domain, nscd_client_domain')
-
-can_exec_any(hald_t)
-
-allow hald_t { etc_t etc_runtime_t }:file { getattr read };
-allow hald_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow hald_t self:unix_dgram_socket create_socket_perms;
-
-ifdef(`dbusd.te', `
-allow hald_t system_dbusd_t:dbus { acquire_svc send_msg };
-dbusd_client(system, hald)
-allow hald_t self:dbus send_msg;
-')
-
-allow hald_t self:file { getattr read };
-allow hald_t proc_t:file rw_file_perms;
-
-allow hald_t { bin_t sbin_t }:dir search;
-allow hald_t self:fifo_file rw_file_perms;
-allow hald_t usr_t:file { getattr read };
-allow hald_t bin_t:file getattr;
-
-# For backwards compatibility with older kernels
-allow hald_t self:netlink_socket create_socket_perms;
-
-allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow hald_t self:netlink_route_socket r_netlink_socket_perms;
-allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
-can_network_server(hald_t)
-can_ypbind(hald_t)
-
-allow hald_t device_t:lnk_file read;
-allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
-allow hald_t removable_device_t:blk_file write;
-allow hald_t event_device_t:chr_file { getattr read ioctl };
-allow hald_t printer_device_t:chr_file rw_file_perms;
-allow hald_t urandom_device_t:chr_file read;
-allow hald_t mouse_device_t:chr_file r_file_perms;
-allow hald_t device_type:chr_file getattr;
-
-can_getsecurity(hald_t)
-
-ifdef(`updfstab.te', `
-domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
-allow updfstab_t hald_t:dbus send_msg;
-allow hald_t updfstab_t:dbus send_msg;
-')
-ifdef(`udev.te', `
-domain_auto_trans(hald_t, udev_exec_t, udev_t)
-allow udev_t hald_t:unix_dgram_socket sendto;
-allow hald_t udev_tbl_t:file { getattr read };
-')
-
-ifdef(`hotplug.te', `
-r_dir_file(hald_t, hotplug_etc_t)
-')
-allow hald_t fs_type:dir { search getattr };
-allow hald_t usbfs_t:dir r_dir_perms;
-allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms;
-allow hald_t bin_t:lnk_file read;
-r_dir_file(hald_t, { selinux_config_t default_context_t } )
-allow hald_t initrc_t:dbus send_msg;
-allow initrc_t hald_t:dbus send_msg;
-allow hald_t etc_runtime_t:file rw_file_perms;
-allow hald_t var_lib_t:dir search;
-allow hald_t device_t:dir create_dir_perms;
-allow hald_t device_t:chr_file create_file_perms;
-tmp_domain(hald)
-allow hald_t mnt_t:dir search;
-r_dir_file(hald_t, proc_net_t)
-
-# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
-ifdef(`apmd.te', `
-allow hald_t apmd_var_run_t:sock_file write;
-allow hald_t apmd_t:unix_stream_socket connectto;
-')
-
-# For /usr/libexec/hald-probe-smbios
-domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
-
-# ??
-ifdef(`lvm.te', `
-allow hald_t lvm_control_t:chr_file r_file_perms;
-')
-ifdef(`targeted_policy', `
-allow unconfined_t hald_t:dbus send_msg;
-allow hald_t unconfined_t:dbus send_msg;
-')
-ifdef(`mount.te', `
-domain_auto_trans(hald_t, mount_exec_t, mount_t)
-')
-r_dir_file(hald_t, hwdata_t)
diff --git a/strict/domains/program/hostname.te b/strict/domains/program/hostname.te
deleted file mode 100644
index 2138baf..0000000
--- a/strict/domains/program/hostname.te
+++ /dev/null
@@ -1,28 +0,0 @@
-#DESC hostname - show or set the system host name
-#
-# Author: Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: hostname
-
-# for setting the hostname
-daemon_core_rules(hostname, , nosysadm)
-allow hostname_t self:capability sys_admin;
-allow hostname_t etc_t:file { getattr read };
-
-allow hostname_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
-read_locale(hostname_t)
-can_resolve(hostname_t)
-allow hostname_t userdomain:fd use;
-dontaudit hostname_t kernel_t:fd use;
-allow hostname_t net_conf_t:file { getattr read };
-allow hostname_t self:unix_stream_socket create_stream_socket_perms;
-dontaudit hostname_t var_t:dir search;
-allow hostname_t fs_t:filesystem getattr;
-
-# for when /usr is not mounted
-dontaudit hostname_t file_t:dir search;
-
-ifdef(`distro_redhat', `
-allow hostname_t tmpfs_t:chr_file rw_file_perms;
-')
-can_access_pty(hostname_t, initrc)
-allow hostname_t initrc_t:fd use;
diff --git a/strict/domains/program/hotplug.te b/strict/domains/program/hotplug.te
deleted file mode 100644
index a6d8fbe..0000000
--- a/strict/domains/program/hotplug.te
+++ /dev/null
@@ -1,163 +0,0 @@
-#DESC Hotplug - Hardware event manager
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: hotplug
-#
-
-#################################
-#
-# Rules for the hotplug_t domain.
-#
-# hotplug_exec_t is the type of the hotplug executable.
-#
-ifdef(`unlimitedUtils', `
-daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, nscd_client_domain')
-', `
-daemon_domain(hotplug, `, privmodule, nscd_client_domain')
-')
-
-etcdir_domain(hotplug)
-
-allow hotplug_t self:fifo_file { read write getattr ioctl };
-allow hotplug_t self:unix_dgram_socket create_socket_perms;
-allow hotplug_t self:unix_stream_socket create_socket_perms;
-allow hotplug_t self:udp_socket create_socket_perms;
-
-read_sysctl(hotplug_t)
-allow hotplug_t sysctl_net_t:dir r_dir_perms;
-allow hotplug_t sysctl_net_t:file { getattr read };
-
-# get info from /proc
-r_dir_file(hotplug_t, proc_t)
-allow hotplug_t self:file { getattr read ioctl };
-
-allow hotplug_t devtty_t:chr_file rw_file_perms;
-
-allow hotplug_t device_t:dir r_dir_perms;
-
-# for SSP
-allow hotplug_t urandom_device_t:chr_file read;
-
-allow hotplug_t { bin_t sbin_t }:dir search;
-allow hotplug_t { bin_t sbin_t }:lnk_file read;
-can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })
-ifdef(`hostname.te', `
-can_exec(hotplug_t, hostname_exec_t)
-dontaudit hostname_t hotplug_t:fd use;
-')
-ifdef(`netutils.te', `
-ifdef(`distro_redhat', `
-# for arping used for static IP addresses on PCMCIA ethernet
-domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
-
-allow hotplug_t tmpfs_t:dir search;
-allow hotplug_t tmpfs_t:chr_file rw_file_perms;
-')dnl end if distro_redhat
-')dnl end if netutils.te
-
-allow initrc_t usbdevfs_t:file { getattr read ioctl };
-allow initrc_t modules_dep_t:file { getattr read ioctl };
-r_dir_file(hotplug_t, usbdevfs_t)
-allow hotplug_t usbfs_t:dir r_dir_perms;
-allow hotplug_t usbfs_t:file { getattr read };
-
-# read config files
-allow hotplug_t etc_t:dir r_dir_perms;
-allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
-
-allow hotplug_t kernel_t:process { sigchld setpgid };
-
-ifdef(`distro_redhat', `
-allow hotplug_t var_lock_t:dir search;
-allow hotplug_t var_lock_t:file getattr;
-')
-
-ifdef(`hald.te', `
-allow hotplug_t hald_t:unix_dgram_socket sendto;
-allow hald_t hotplug_etc_t:dir search;
-allow hald_t hotplug_etc_t:file { getattr read };
-')
-
-# for killall
-allow hotplug_t self:process { getsession getattr };
-allow hotplug_t self:file getattr;
-
-domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
-ifdef(`mount.te', `
-domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
-')
-domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
-ifdef(`updfstab.te', `
-domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
-')
-
-# init scripts run /etc/hotplug/usb.rc
-domain_auto_trans(initrc_t, hotplug_etc_t, hotplug_t)
-allow initrc_t hotplug_etc_t:dir r_dir_perms;
-
-ifdef(`iptables.te', `domain_auto_trans(hotplug_t, iptables_exec_t, iptables_t)')
-
-r_dir_file(hotplug_t, modules_object_t)
-allow hotplug_t modules_dep_t:file { getattr read ioctl };
-
-# for lsmod
-dontaudit hotplug_t self:capability { sys_module sys_admin };
-
-# for access("/etc/bashrc", X_OK) on Red Hat
-dontaudit hotplug_t self:capability { dac_override dac_read_search };
-
-ifdef(`fsadm.te', `
-domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
-')
-
-allow hotplug_t var_log_t:dir search;
-
-# for ps
-dontaudit hotplug_t domain:dir { getattr search };
-dontaudit hotplug_t { init_t kernel_t }:file read;
-ifdef(`initrc.te', `
-can_ps(hotplug_t, initrc_t)
-')
-
-# for when filesystems are not mounted early in the boot
-dontaudit hotplug_t file_t:dir { search getattr };
-
-# kernel threads inherit from shared descriptor table used by init
-dontaudit hotplug_t initctl_t:fifo_file { read write };
-
-# Read /usr/lib/gconv/.*
-allow hotplug_t lib_t:file { getattr read };
-
-allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
-allow hotplug_t sysfs_t:dir { getattr read search write };
-allow hotplug_t sysfs_t:file rw_file_perms;
-allow hotplug_t sysfs_t:lnk_file { getattr read };
-r_dir_file(hotplug_t, hwdata_t)
-allow hotplug_t udev_runtime_t:file rw_file_perms;
-ifdef(`lpd.te', `
-allow hotplug_t printer_device_t:chr_file setattr;
-')
-allow hotplug_t fixed_disk_device_t:blk_file setattr;
-allow hotplug_t removable_device_t:blk_file setattr;
-allow hotplug_t sound_device_t:chr_file setattr;
-
-ifdef(`udev.te', `
-domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
-')
-
-file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
-
-can_network_server(hotplug_t)
-can_ypbind(hotplug_t)
-dbusd_client(system, hotplug)
-
-# Allow hotplug (including /sbin/ifup-local) to start/stop services and # run sendmail -q
-domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
-ifdef(`mta.te', `
-domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t) 
-')
-
-allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
-allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
-
-dontaudit hotplug_t selinux_config_t:dir search;
diff --git a/strict/domains/program/howl.te b/strict/domains/program/howl.te
deleted file mode 100644
index ccb2fb1..0000000
--- a/strict/domains/program/howl.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#DESC howl - port of Apple Rendezvous multicast DNS
-#
-# Author:  Russell Coker <rcoker@redhat.com>
-#
-
-daemon_domain(howl, `, privsysmod')
-r_dir_file(howl_t, proc_net_t)
-can_network_server(howl_t)
-can_ypbind(howl_t)
-allow howl_t self:unix_dgram_socket create_socket_perms;
-allow howl_t self:capability { kill net_admin sys_module };
-
-allow howl_t self:fifo_file rw_file_perms;
-
-allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind;
-
-allow howl_t self:unix_dgram_socket create_socket_perms;
-
-allow howl_t etc_t:file { getattr read };
-allow howl_t initrc_var_run_t:file rw_file_perms;
-
diff --git a/strict/domains/program/hwclock.te b/strict/domains/program/hwclock.te
deleted file mode 100644
index dab39ee..0000000
--- a/strict/domains/program/hwclock.te
+++ /dev/null
@@ -1,49 +0,0 @@
-#DESC Hwclock - Hardware clock manager
-#
-# Author:  David A. Wheeler <dwheeler@ida.org>
-#          Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: util-linux
-#
-
-#################################
-#
-# Rules for the hwclock_t domain.
-# This domain moves time information between the "hardware clock"
-# (which runs when the system is off) and the "system clock",
-# and it stores adjustment values in /etc/adjtime so that errors in the
-# hardware clock are corrected.
-# Note that any errors from this domain are NOT recorded by the system logger,
-# because the system logger isnt running when this domain is active.
-#
-daemon_base_domain(hwclock)
-role sysadm_r types hwclock_t;
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
-')
-type adjtime_t, file_type, sysadmfile;
-allow hwclock_t fs_t:filesystem getattr;
-
-read_locale(hwclock_t)
-
-# Give hwclock the capabilities it requires.  dac_override is a surprise,
-# but hwclock does require it.
-allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
-
-# Allow hwclock to set the hardware clock.
-allow hwclock_t clock_device_t:devfile_class_set { setattr rw_file_perms };
-
-# Allow hwclock to store & retrieve correction factors.
-allow hwclock_t adjtime_t:file { setattr rw_file_perms };
-
-# Read and write console and ttys.
-allow hwclock_t tty_device_t:chr_file rw_file_perms;
-allow hwclock_t ttyfile:chr_file rw_file_perms;
-allow hwclock_t ptyfile:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
-
-read_locale(hwclock_t)
-
-# for when /usr is not mounted
-dontaudit hwclock_t file_t:dir search;
-allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-r_dir_file(hwclock_t, etc_t)
diff --git a/strict/domains/program/i18n_input.te b/strict/domains/program/i18n_input.te
deleted file mode 100644
index cdff6ca..0000000
--- a/strict/domains/program/i18n_input.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# i18n_input.te
-# Security Policy for IIIMF htt server
-# Date: 2004, 12th April (Monday)
-
-# Establish i18n_input as a daemon
-daemon_domain(i18n_input)
-
-can_exec(i18n_input_t, i18n_input_exec_t)
-can_network(i18n_input_t)
-allow i18n_input_t port_type:tcp_socket name_connect;
-can_ypbind(i18n_input_t)
-
-can_tcp_connect(userdomain, i18n_input_t)
-can_unix_connect(i18n_input_t, initrc_t)
-
-allow i18n_input_t self:fifo_file rw_file_perms;
-allow i18n_input_t i18n_input_port_t:tcp_socket name_bind;
-
-allow i18n_input_t self:capability { kill setgid setuid };
-allow i18n_input_t self:process { setsched setpgid };
-
-allow i18n_input_t { bin_t sbin_t }:dir search;
-can_exec(i18n_input_t, bin_t)
-
-allow i18n_input_t etc_t:file r_file_perms;
-allow i18n_input_t self:unix_dgram_socket create_socket_perms;
-allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
-allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
-allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
-allow i18n_input_t usr_t:file { getattr read };
-allow i18n_input_t home_root_t:dir search;
-allow i18n_input_t etc_runtime_t:file { getattr read };
-allow i18n_input_t proc_t:file { getattr read };
diff --git a/strict/domains/program/iceauth.te b/strict/domains/program/iceauth.te
deleted file mode 100644
index f41ad9e..0000000
--- a/strict/domains/program/iceauth.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC ICEauth - ICE authority file utility
-#
-# Domains for the iceauth program.
-#
-# Author: Ivan Gyurdiev <gyurdiev@redhat.com>
-#
-# iceauth_exec_t is the type of the xauth executable.
-#
-type iceauth_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in the iceauth_domain macro in
-# macros/program/iceauth_macros.te.
diff --git a/strict/domains/program/ifconfig.te b/strict/domains/program/ifconfig.te
deleted file mode 100644
index 6cccc32..0000000
--- a/strict/domains/program/ifconfig.te
+++ /dev/null
@@ -1,74 +0,0 @@
-#DESC Ifconfig - Configure network interfaces
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: net-tools
-#
-
-#################################
-#
-# Rules for the ifconfig_t domain.
-#
-# ifconfig_t is the domain for the ifconfig program.
-# ifconfig_exec_t is the type of the corresponding program.
-#
-type ifconfig_t, domain, privlog, privmodule;
-type ifconfig_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types ifconfig_t;
-role sysadm_r types ifconfig_t;
-
-uses_shlib(ifconfig_t)
-general_domain_access(ifconfig_t)
-
-domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
-')
-
-# for /sbin/ip
-allow ifconfig_t self:packet_socket create_socket_perms;
-allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
-allow ifconfig_t self:tcp_socket { create ioctl };
-allow ifconfig_t etc_t:file { getattr read };
-
-allow ifconfig_t self:socket create_socket_perms;
-
-# Use capabilities.
-allow ifconfig_t self:capability { net_raw net_admin };
-dontaudit ifconfig_t self:capability sys_module;
-allow ifconfig_t self:capability sys_tty_config;
-
-# Inherit and use descriptors from init.
-allow ifconfig_t { kernel_t init_t }:fd use;
-
-# Access /proc
-r_dir_file(ifconfig_t, proc_t)
-r_dir_file(ifconfig_t, proc_net_t)
-
-allow ifconfig_t privfd:fd use;
-allow ifconfig_t run_init_t:fd use;
-
-# Create UDP sockets, necessary when called from dhcpc
-allow ifconfig_t self:udp_socket create_socket_perms;
-
-# Access terminals.
-can_access_pty(ifconfig_t, initrc)
-allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
-
-allow ifconfig_t tun_tap_device_t:chr_file { read write };
-
-# ifconfig attempts to search some sysctl entries.
-# Do not audit those attempts; comment out these rules if it is desired to
-# see the denials.
-allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;
-
-allow ifconfig_t fs_t:filesystem getattr;
-
-read_locale(ifconfig_t)
-allow ifconfig_t lib_t:file { getattr read };
-
-rhgb_domain(ifconfig_t)
-allow ifconfig_t userdomain:fd use;
-dontaudit ifconfig_t root_t:file read;
-r_dir_file(ifconfig_t, sysfs_t)
diff --git a/strict/domains/program/inetd.te b/strict/domains/program/inetd.te
deleted file mode 100644
index 5c88ab3..0000000
--- a/strict/domains/program/inetd.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#DESC Inetd - Internet services daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# re-written with daemon_domain by Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: netkit-inetd openbsd-inetd xinetd
-#
-
-#################################
-#
-# Rules for the inetd_t domain and
-# the inetd_child_t domain.
-#
-
-daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
-
-can_network(inetd_t)
-allow inetd_t port_type:tcp_socket name_connect;
-allow inetd_t self:unix_dgram_socket create_socket_perms;
-allow inetd_t self:unix_stream_socket create_socket_perms;
-allow inetd_t self:fifo_file rw_file_perms;
-allow inetd_t etc_t:file { getattr read ioctl };
-allow inetd_t self:process setsched;
-
-log_domain(inetd)
-tmp_domain(inetd)
-
-# Use capabilities.
-allow inetd_t self:capability { setuid setgid net_bind_service };
-
-# allow any domain to connect to inetd
-can_tcp_connect(userdomain, inetd_t)
-
-# Run each daemon with a defined domain in its own domain.
-# These rules have been moved to the individual target domain .te files.
-
-# Run other daemons in the inetd_child_t domain.
-allow inetd_t { bin_t sbin_t }:dir search;
-allow inetd_t sbin_t:lnk_file read;
-
-# Bind to the telnet, ftp, rlogin and rsh ports.
-ifdef(`ftpd.te', `allow inetd_t ftp_port_t:tcp_socket name_bind;')
-ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
-ifdef(`talk.te', `
-allow inetd_t talk_port_t:tcp_socket name_bind;
-allow inetd_t ntalk_port_t:tcp_socket name_bind;
-')
-
-allow inetd_t auth_port_t:tcp_socket name_bind;
-# Communicate with the portmapper.
-ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
-
-
-inetd_child_domain(inetd_child)
-allow inetd_child_t proc_net_t:dir search;
-allow inetd_child_t proc_net_t:file { getattr read };
-
-ifdef(`unconfined.te', `
-domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
-')
-
-ifdef(`unlimitedInetd', `
-unconfined_domain(inetd_t) 
-')
-
diff --git a/strict/domains/program/init.te b/strict/domains/program/init.te
deleted file mode 100644
index 185e0ba..0000000
--- a/strict/domains/program/init.te
+++ /dev/null
@@ -1,147 +0,0 @@
-#DESC Init - Process initialization
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: sysvinit
-#
-
-#################################
-#
-# Rules for the init_t domain.
-#
-# init_t is the domain of the init process.
-# init_exec_t is the type of the init program.
-# initctl_t is the type of the named pipe created 
-# by init during initialization.  This pipe is used
-# to communicate with init.
-#
-type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite;
-role system_r types init_t;
-uses_shlib(init_t);
-type init_exec_t, file_type, sysadmfile, exec_type;
-type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
-
-# for init to determine whether SE Linux is active so it can know whether to
-# activate it
-allow init_t security_t:dir search;
-allow init_t security_t:file { getattr read };
-
-# for mount points
-allow init_t file_t:dir search;
-
-# Use capabilities.
-allow init_t self:capability ~sys_module;
-
-# Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain.
-domain_auto_trans(init_t, initrc_exec_t, initrc_t)
-
-# Run the shell in the sysadm_t domain for single-user mode.
-domain_auto_trans(init_t, shell_exec_t, sysadm_t)
-
-# Run /sbin/update in the init_t domain.
-can_exec(init_t, sbin_t)
-
-# Run init.
-can_exec(init_t, init_exec_t)
-
-# Run chroot from initrd scripts.
-ifdef(`chroot.te', `
-can_exec(init_t, chroot_exec_t)
-')
-
-# Create /dev/initctl.
-file_type_auto_trans(init_t, device_t, initctl_t, fifo_file)
-ifdef(`distro_redhat', `
-file_type_auto_trans(init_t, tmpfs_t, initctl_t, fifo_file)
-')
-
-# Create ioctl.save.
-file_type_auto_trans(init_t, etc_t, etc_runtime_t, file)
-
-# Update /etc/ld.so.cache
-allow init_t ld_so_cache_t:file rw_file_perms;
-
-# Allow access to log files
-allow init_t var_t:dir search;
-allow init_t var_log_t:dir search;
-allow init_t var_log_t:file rw_file_perms;
-
-read_locale(init_t)
-
-# Create unix sockets
-allow init_t self:unix_dgram_socket create_socket_perms;
-allow init_t self:unix_stream_socket create_socket_perms;
-allow init_t self:fifo_file rw_file_perms;
-
-# Permissions required for system startup
-allow init_t { bin_t sbin_t }:dir r_dir_perms;
-allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl };
-
-# allow init to fork
-allow init_t self:process { fork sigchld };
-
-# Modify utmp.
-allow init_t var_run_t:file rw_file_perms;
-allow init_t initrc_var_run_t:file { setattr rw_file_perms };
-can_unix_connect(init_t, initrc_t)
-
-# For /var/run/shutdown.pid.
-var_run_domain(init)
-
-# Shutdown permissions
-r_dir_file(init_t, proc_t)
-r_dir_file(init_t, self)
-allow init_t devpts_t:dir r_dir_perms;
-
-# Modify wtmp.
-allow init_t wtmp_t:file rw_file_perms;
-
-# Kill all processes.
-allow init_t domain:process signal_perms;
-
-# Allow all processes to send SIGCHLD to init.
-allow domain init_t:process { sigchld signull };
-
-# If you load a new policy that removes active domains, processes can
-# get stuck if you do not allow unlabeled processes to signal init
-# If you load an incompatible policy, you should probably reboot,
-# since you may have compromised system security.
-allow unlabeled_t init_t:process sigchld;
-
-# for loading policy
-allow init_t policy_config_t:file r_file_perms;
-
-# Set booleans.
-can_setbool(init_t)
-
-# Read and write the console and ttys.
-allow init_t { tty_device_t console_device_t } :chr_file rw_file_perms;
-ifdef(`distro_redhat', `
-allow init_t tmpfs_t:chr_file rw_file_perms;
-')
-allow init_t ttyfile:chr_file rw_file_perms;
-allow init_t ptyfile:chr_file rw_file_perms;
-
-# Run system executables.
-can_exec(init_t,bin_t)
-ifdef(`consoletype.te', `
-can_exec(init_t, consoletype_exec_t)
-')
-
-# Run /etc/X11/prefdm.
-can_exec(init_t,etc_t)
-
-allow init_t lib_t:file { getattr read };
-
-allow init_t devtty_t:chr_file { read write };
-allow init_t ramfs_t:dir search;
-allow init_t ramfs_t:sock_file write;
-r_dir_file(init_t, sysfs_t)
-
-r_dir_file(init_t, selinux_config_t)
-
-# file descriptors inherited from the rootfs.
-dontaudit init_t root_t:{ file chr_file } { read write }; 
-ifdef(`targeted_policy', `
-unconfined_domain(init_t)
-')
-
diff --git a/strict/domains/program/initrc.te b/strict/domains/program/initrc.te
deleted file mode 100644
index c66d876..0000000
--- a/strict/domains/program/initrc.te
+++ /dev/null
@@ -1,339 +0,0 @@
-#DESC Initrc - System initialization scripts
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: sysvinit policycoreutils
-#
-
-#################################
-#
-# Rules for the initrc_t domain.
-#
-# initrc_t is the domain of the init rc scripts.
-# initrc_exec_t is the type of the init program.
-#
-# do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite;
-
-role system_r types initrc_t;
-uses_shlib(initrc_t);
-can_network(initrc_t)
-allow initrc_t port_type:tcp_socket name_connect;
-can_ypbind(initrc_t)
-type initrc_exec_t, file_type, sysadmfile, exec_type;
-
-# for halt to down interfaces
-allow initrc_t self:udp_socket create_socket_perms;
-
-# read files in /etc/init.d
-allow initrc_t etc_t:lnk_file r_file_perms;
-
-read_locale(initrc_t)
-
-r_dir_file(initrc_t, usr_t)
-
-# Read system information files in /proc.
-r_dir_file(initrc_t, { proc_t proc_net_t })
-allow initrc_t proc_mdstat_t:file { getattr read };
-
-# Allow IPC with self
-allow initrc_t self:unix_dgram_socket create_socket_perms;
-allow initrc_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow initrc_t self:fifo_file rw_file_perms;
-
-# Read the root directory of a usbdevfs filesystem, and
-# the devices and drivers files.  Permit stating of the
-# device nodes, but nothing else.
-allow initrc_t usbdevfs_t:dir r_dir_perms;
-allow initrc_t usbdevfs_t:lnk_file r_file_perms;
-allow initrc_t usbdevfs_t:file getattr;
-allow initrc_t usbfs_t:dir r_dir_perms;
-allow initrc_t usbfs_t:file getattr;
-
-# allow initrc to fork and renice itself
-allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit getsched };
-
-# Can create ptys for open_init_pty
-can_create_pty(initrc)
-
-tmp_domain(initrc)
-#
-# Some initscripts generate scripts that they need to execute (ldap)
-#
-can_exec(initrc_t, initrc_tmp_t)
-
-var_run_domain(initrc)
-allow initrc_t var_run_t:{ file sock_file lnk_file } unlink;
-allow initrc_t var_run_t:dir { create rmdir };
-
-ifdef(`distro_debian', `
-allow initrc_t { etc_t device_t }:dir setattr;
-
-# for storing state under /dev/shm
-allow initrc_t tmpfs_t:dir setattr;
-file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
-file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
-allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
-')
-
-allow initrc_t framebuf_device_t:chr_file r_file_perms;
-
-# Use capabilities.
-allow initrc_t self:capability ~{ sys_admin sys_module };
-
-# Use system operations.
-allow initrc_t kernel_t:system *;
-
-# Set values in /proc/sys.
-can_sysctl(initrc_t)
-
-# Run helper programs in the initrc_t domain.
-allow initrc_t {bin_t sbin_t }:dir r_dir_perms;
-allow initrc_t {bin_t sbin_t }:lnk_file read;
-can_exec(initrc_t, etc_t)
-can_exec(initrc_t, lib_t)
-can_exec(initrc_t, bin_t)
-can_exec(initrc_t, sbin_t)
-can_exec(initrc_t, exec_type)
-#
-#  These rules are here to allow init scripts to su
-#
-ifdef(`su.te', `
-su_restricted_domain(initrc,system)
-role system_r types initrc_su_t;
-')
-allow initrc_t self:passwd rootok;
-
-# read /lib/modules
-allow initrc_t modules_object_t:dir { search read };
-
-# Read conf.modules.
-allow initrc_t modules_conf_t:file r_file_perms;
-
-# Run other rc scripts in the initrc_t domain.
-can_exec(initrc_t, initrc_exec_t)
-
-# Run init (telinit) in the initrc_t domain.
-can_exec(initrc_t, init_exec_t)
-
-# Communicate with the init process.
-allow initrc_t initctl_t:fifo_file rw_file_perms;
-
-# Read /proc/PID directories for all domains.
-r_dir_file(initrc_t, domain)
-allow initrc_t domain:process { getattr getsession };
-
-# Mount and unmount file systems.
-allow initrc_t fs_type:filesystem mount_fs_perms;
-allow initrc_t file_t:dir { read search getattr mounton };
-
-# during boot up initrc needs to do the following
-allow initrc_t default_t:dir { write read search getattr mounton };
-
-# rhgb-console writes to ramfs
-allow initrc_t ramfs_t:fifo_file write;
-
-# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
-file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
-
-# Update /etc/ld.so.cache.
-allow initrc_t ld_so_cache_t:file rw_file_perms;
-
-# Update /var/log/wtmp and /var/log/dmesg.
-allow initrc_t wtmp_t:file { setattr rw_file_perms };
-allow initrc_t var_log_t:dir rw_dir_perms;
-allow initrc_t var_log_t:file create_file_perms;
-allow initrc_t lastlog_t:file { setattr rw_file_perms };
-allow initrc_t logfile:file { read append };
-
-# remove old locks
-allow initrc_t lockfile:dir rw_dir_perms;
-allow initrc_t lockfile:file { getattr unlink };
-
-# Access /var/lib/random-seed.
-allow initrc_t var_lib_t:file rw_file_perms;
-allow initrc_t var_lib_t:file unlink;
-
-# Create lock file.
-allow initrc_t var_lock_t:dir create_dir_perms;
-allow initrc_t var_lock_t:file create_file_perms;
-
-# Set the clock.
-allow initrc_t clock_device_t:devfile_class_set rw_file_perms;
-
-# Kill all processes.
-allow initrc_t domain:process signal_perms;
-
-# Write to /dev/urandom.
-allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms;
-
-# for cryptsetup
-allow initrc_t fixed_disk_device_t:blk_file getattr;
-
-# Set device ownerships/modes.
-allow initrc_t framebuf_device_t:chr_file setattr;
-allow initrc_t misc_device_t:devfile_class_set setattr;
-allow initrc_t device_t:devfile_class_set setattr;
-allow initrc_t fixed_disk_device_t:devfile_class_set setattr;
-allow initrc_t removable_device_t:devfile_class_set setattr;
-allow initrc_t device_t:lnk_file read;
-allow initrc_t xconsole_device_t:fifo_file setattr;
-
-# Stat any file.
-allow initrc_t file_type:notdevfile_class_set getattr;
-allow initrc_t file_type:dir { search getattr };
-
-# Read and write console and ttys.
-allow initrc_t devtty_t:chr_file rw_file_perms;
-allow initrc_t console_device_t:chr_file rw_file_perms;
-allow initrc_t tty_device_t:chr_file rw_file_perms;
-allow initrc_t ttyfile:chr_file rw_file_perms;
-allow initrc_t ptyfile:chr_file rw_file_perms;
-
-# Reset tty labels.
-allow initrc_t ttyfile:chr_file relabelfrom;
-allow initrc_t tty_device_t:chr_file relabelto;
-
-ifdef(`distro_redhat', `
-# Create and read /boot/kernel.h and /boot/System.map.
-# Redhat systems typically create this file at boot time.
-allow initrc_t boot_t:lnk_file rw_file_perms;
-file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)
-
-allow initrc_t tmpfs_t:chr_file rw_file_perms;
-allow initrc_t tmpfs_t:dir r_dir_perms;
-
-# Allow initrc domain to set the enforcing flag.
-can_setenforce(initrc_t)
-
-#
-# readahead asks for these
-#
-allow initrc_t etc_aliases_t:file { getattr read };
-allow initrc_t var_lib_nfs_t:file { getattr read };
-
-# for /halt /.autofsck and other flag files
-file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
-
-file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)
-allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
-allow initrc_t self:capability sys_admin;
-allow initrc_t device_t:dir create;
-# wants to delete /poweroff and other files 
-allow initrc_t root_t:file unlink;
-# wants to read /.fonts directory
-allow initrc_t default_t:file { getattr read };
-ifdef(`xserver.te', `
-# wants to cleanup xserver log dir
-allow initrc_t xserver_log_t:dir rw_dir_perms;
-allow initrc_t xserver_log_t:file unlink;
-')
-')dnl end distro_redhat
-
-allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
-allow initrc_t var_spool_t:file rw_file_perms;
-
-# Allow access to the sysadm TTYs. Note that this will give access to the 
-# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-# started from init should be placed in their own domain.
-allow initrc_t admin_tty_type:chr_file rw_file_perms;
-
-# Access sound device and files.
-allow initrc_t sound_device_t:chr_file { setattr ioctl read write };
-
-# Read user home directories.
-allow initrc_t { home_root_t home_type }:dir r_dir_perms;
-allow initrc_t home_type:file r_file_perms;
-
-# Read and unlink /var/run/*.pid files.
-allow initrc_t pidfile:file { getattr read unlink };
-
-# for system start scripts
-allow initrc_t pidfile:dir { rmdir rw_dir_perms };
-allow initrc_t pidfile:sock_file unlink;
-
-rw_dir_create_file(initrc_t, var_lib_t)
-
-# allow start scripts to clean /tmp
-allow initrc_t { unlabeled_t tmpfile }:dir { rw_dir_perms rmdir };
-allow initrc_t { unlabeled_t tmpfile }:notdevfile_class_set { getattr unlink };
-
-# for lsof which is used by alsa shutdown
-dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
-dontaudit initrc_t proc_kmsg_t:file getattr;
-
-#################################
-#
-# Rules for the run_init_t domain.
-#
-ifdef(`targeted_policy', `
-type run_init_exec_t, file_type, sysadmfile, exec_type;
-type run_init_t, domain;
-domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
-allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
-allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
-typeattribute initrc_t privuser;
-domain_trans(initrc_t, shell_exec_t, unconfined_t)
-allow initrc_t unconfined_t:system syslog_mod;
-', `
-run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
-')
-allow initrc_t privfd:fd use;
-
-# Transition to system_r:initrc_t upon executing init scripts.
-ifdef(`direct_sysadm_daemon', `
-role_transition sysadm_r initrc_exec_t system_r;
-domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
-')
-
-#
-# Shutting down xinet causes these
-#
-# Fam
-dontaudit initrc_t device_t:dir { read write };
-# Rsync
-dontaudit initrc_t mail_spool_t:lnk_file read;
-
-allow initrc_t sysfs_t:dir { getattr read search };
-allow initrc_t sysfs_t:file { getattr read write };
-allow initrc_t sysfs_t:lnk_file { getattr read };
-allow initrc_t udev_runtime_t:file rw_file_perms;
-allow initrc_t device_type:chr_file setattr;
-allow initrc_t binfmt_misc_fs_t:dir { getattr search };
-allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write };
-
-# for lsof in shutdown scripts
-can_kerberos(initrc_t)
-
-#
-# Wants to remove udev.tbl
-#
-allow initrc_t device_t:dir rw_dir_perms;
-allow initrc_t device_t:lnk_file unlink;
-
-r_dir_file(initrc_t,selinux_config_t)
-
-ifdef(`unlimitedRC', `
-unconfined_domain(initrc_t) 
-')
-#
-# initrc script does a cat /selinux/enforce
-#
-allow initrc_t security_t:dir { getattr search };
-allow initrc_t security_t:file { getattr read };
-
-# init script state
-type initrc_state_t, file_type, sysadmfile;
-create_dir_file(initrc_t,initrc_state_t)
-
-ifdef(`distro_gentoo', `
-# Gentoo integrated run_init+open_init_pty-runscript:
-domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
-')
-allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
-allow initrc_t device_t:lnk_file create_file_perms;
-ifdef(`dbusd.te', `
-allow initrc_t system_dbusd_var_run_t:sock_file write;
-')
-
-# Slapd needs to read cert files from its initscript
-r_dir_file(initrc_t, cert_t)
diff --git a/strict/domains/program/innd.te b/strict/domains/program/innd.te
deleted file mode 100644
index 25047df..0000000
--- a/strict/domains/program/innd.te
+++ /dev/null
@@ -1,81 +0,0 @@
-#DESC INN - InterNetNews server
-#
-# Author:  Faye Coker <faye@lurking-grue.org>
-# X-Debian-Packages: inn
-#
-################################
-
-# Types for the server port and news spool.
-#
-type news_spool_t, file_type, sysadmfile;
-
-
-# need privmail attribute so innd can access system_mail_t
-daemon_domain(innd, `, privmail')
-
-# allow innd to create files and directories of type news_spool_t
-create_dir_file(innd_t, news_spool_t)
-
-# allow user domains to read files and directories these types
-r_dir_file(userdomain, { news_spool_t innd_var_lib_t innd_etc_t })
-
-can_exec(initrc_t, innd_etc_t)
-can_exec(innd_t, { innd_exec_t bin_t shell_exec_t })
-ifdef(`hostname.te', `
-can_exec(innd_t, hostname_exec_t)
-')
-
-allow innd_t var_spool_t:dir { getattr search };
-
-can_network(innd_t)
-allow innd_t port_type:tcp_socket name_connect;
-can_ypbind(innd_t)
-
-can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
-allow innd_t self:unix_dgram_socket create_socket_perms;
-allow innd_t self:unix_stream_socket create_stream_socket_perms;
-can_unix_connect(innd_t, self)
-
-allow innd_t self:fifo_file rw_file_perms;
-allow innd_t innd_port_t:tcp_socket name_bind;
-
-allow innd_t self:capability { dac_override kill setgid setuid net_bind_service };
-allow innd_t self:process setsched;
-
-allow innd_t { bin_t sbin_t }:dir search;
-allow innd_t usr_t:lnk_file read;
-allow innd_t usr_t:file { getattr read ioctl };
-allow innd_t lib_t:file ioctl;
-allow innd_t etc_t:file { getattr read };
-allow innd_t { proc_t etc_runtime_t }:file { getattr read };
-allow innd_t urandom_device_t:chr_file read;
-
-allow innd_t innd_var_run_t:sock_file create_file_perms;
-
-# allow innd to read directories of type innd_etc_t (/etc/news/(/.*)? and symbolic links with that type
-etcdir_domain(innd)
-
-# allow innd to create files under /var/log of type innd_log_t and have a directory for its own files that
-# it can write to
-logdir_domain(innd)
-
-# allow innd read-write directory permissions to /var/lib/news.
-var_lib_domain(innd)
-
-ifdef(`crond.te', `
-system_crond_entry(innd_exec_t, innd_t)
-allow system_crond_t innd_etc_t:file { getattr read };
-rw_dir_create_file(system_crond_t, innd_log_t)
-rw_dir_create_file(system_crond_t, innd_var_run_t)
-')
-
-ifdef(`syslogd.te', `
-allow syslogd_t innd_log_t:dir search;
-allow syslogd_t innd_log_t:file create_file_perms;
-')
-
-allow innd_t self:file { getattr read };
-dontaudit innd_t selinux_config_t:dir { search };
-allow system_crond_t innd_etc_t:file { getattr read };
-allow innd_t bin_t:lnk_file { read };
-allow innd_t sbin_t:lnk_file { read };
diff --git a/strict/domains/program/ipsec.te b/strict/domains/program/ipsec.te
deleted file mode 100644
index ea45a36..0000000
--- a/strict/domains/program/ipsec.te
+++ /dev/null
@@ -1,229 +0,0 @@
-#DESC ipsec - TCP/IP encryption
-#
-# Authors: Mark Westerman mark.westerman@westcam.com
-# massively butchered by paul krumviede <pwk@acm.org>
-# further massaged by Chris Vance <cvance@tislabs.com>
-# X-Debian-Packages: freeswan
-#
-########################################
-#
-# Rules for the ipsec_t domain.
-#
-# a domain for things that need access to the PF_KEY socket
-daemon_base_domain(ipsec, `, privlog')
-
-# type for ipsec configuration file(s) - not for keys
-type ipsec_conf_file_t, file_type, sysadmfile;
-
-# type for file(s) containing ipsec keys - RSA or preshared
-type ipsec_key_file_t, file_type, sysadmfile;
-
-# type for runtime files, including pluto.ctl
-# lots of strange stuff for the ipsec_var_run_t - need to check it
-var_run_domain(ipsec)
-
-type ipsec_mgmt_t, domain, privlog, admin, privmodule, nscd_client_domain;
-type ipsec_mgmt_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
-file_type_auto_trans(ipsec_mgmt_t, var_run_t, ipsec_var_run_t, sock_file)
-file_type_auto_trans(ipsec_t, var_run_t, ipsec_var_run_t, sock_file)
-file_type_auto_trans(ipsec_mgmt_t, etc_t, ipsec_key_file_t, file)
-
-allow ipsec_mgmt_t modules_object_t:dir search;
-allow ipsec_mgmt_t modules_object_t:file getattr;
-
-allow ipsec_t self:capability { net_admin net_bind_service };
-allow ipsec_t self:process signal;
-allow ipsec_t etc_t:lnk_file read;
-
-domain_auto_trans(ipsec_mgmt_t, ifconfig_exec_t, ifconfig_t)
-
-# Inherit and use descriptors from init.
-# allow access (for, e.g., klipsdebug) to console
-allow { ipsec_t ipsec_mgmt_t } console_device_t:chr_file rw_file_perms;
-allow { ipsec_t ipsec_mgmt_t } { init_t initrc_t privfd }:fd use;
-
-# I do not know where this pesky pipe is...
-allow ipsec_t initrc_t:fifo_file write;
-
-r_dir_file(ipsec_t, ipsec_conf_file_t)
-r_dir_file(ipsec_t, ipsec_key_file_t)
-allow ipsec_mgmt_t ipsec_conf_file_t:file { getattr read ioctl };
-rw_dir_create_file(ipsec_mgmt_t, ipsec_key_file_t)
-
-allow ipsec_t self:key_socket { create write read setopt };
-
-# for lsof
-allow sysadm_t ipsec_t:key_socket getattr;
-
-# the ipsec wrapper wants to run /usr/bin/logger (should we put
-# it in its own domain?)
-can_exec(ipsec_mgmt_t, bin_t)
-# logger, running in ipsec_mgmt_t needs to use sockets
-allow ipsec_mgmt_t self:unix_dgram_socket create_socket_perms;
-allow ipsec_mgmt_t ipsec_t:unix_dgram_socket create_socket_perms;
-
-# also need to run things like whack and shell scripts
-can_exec(ipsec_mgmt_t, ipsec_exec_t)
-can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
-allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
-can_exec(ipsec_mgmt_t, shell_exec_t)
-can_exec(ipsec_t, shell_exec_t)
-can_exec(ipsec_t, bin_t)
-can_exec(ipsec_t, ipsec_mgmt_exec_t)
-# now for a icky part...
-# pluto runs an updown script (by calling popen()!); as this is by default
-# a shell script, we need to find a way to make things work without
-# letting all sorts of stuff possibly be run...
-# so try flipping back into the ipsec_mgmt_t domain
-domain_auto_trans(ipsec_t, shell_exec_t, ipsec_mgmt_t)
-allow ipsec_mgmt_t ipsec_t:fd use;
-
-# the default updown script wants to run route
-can_exec(ipsec_mgmt_t, sbin_t)
-allow ipsec_mgmt_t sbin_t:lnk_file read;
-allow ipsec_mgmt_t self:capability { net_admin dac_override };
-
-# need access to /proc/sys/net/ipsec/icmp
-allow ipsec_mgmt_t sysctl_t:file write;
-allow ipsec_mgmt_t sysctl_net_t:dir search;
-allow ipsec_mgmt_t sysctl_net_t:file { write setattr };
-
-# whack needs to be able to read/write pluto.ctl
-allow ipsec_mgmt_t ipsec_var_run_t:sock_file { read write };
-# and it wants to connect to a socket...
-allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
-allow ipsec_mgmt_t ipsec_t:unix_stream_socket { connectto read write };
-
-# allow system administrator to use the ipsec script to look
-# at things (e.g., ipsec auto --status)
-# probably should create an ipsec_admin role for this kind of thing
-can_exec(sysadm_t, ipsec_mgmt_exec_t)
-allow sysadm_t ipsec_t:unix_stream_socket connectto;
-
-# _realsetup needs to be able to cat /var/run/pluto.pid,
-# run ps on that pid, and delete the file
-allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms;
-
-allow ipsec_mgmt_t boot_t:dir search;
-allow ipsec_mgmt_t system_map_t:file { read getattr };
-
-# denials when ps tries to search /proc. Do not audit these denials.
-dontaudit ipsec_mgmt_t domain:dir r_dir_perms;
-
-# suppress audit messages about unnecessary socket access
-dontaudit ipsec_mgmt_t domain:key_socket { read write };
-dontaudit ipsec_mgmt_t domain:udp_socket { read write };
-
-# from rbac
-role system_r types { ipsec_t ipsec_mgmt_t };
-
-# from initrc.te
-domain_auto_trans(initrc_t, ipsec_mgmt_exec_t, ipsec_mgmt_t)
-domain_auto_trans(initrc_t, ipsec_exec_t, ipsec_t)
-
-
-########## The following rules were added by cvance@tislabs.com ##########
-
-# allow pluto and startup scripts to access /dev/urandom
-allow { ipsec_t ipsec_mgmt_t } { urandom_device_t random_device_t }:chr_file r_file_perms;
-
-# allow pluto to access /proc/net/ipsec_eroute;
-general_proc_read_access(ipsec_t)
-general_proc_read_access(ipsec_mgmt_t)
-
-# allow pluto to search the root directory (not sure why, but mostly harmless)
-# Are these all really necessary?
-allow ipsec_t var_t:dir search;
-allow ipsec_t bin_t:dir search;
-allow ipsec_t device_t:dir { getattr search };
-allow ipsec_mgmt_t device_t:dir { getattr search read };
-dontaudit ipsec_mgmt_t tty_device_t:chr_file getattr;
-dontaudit ipsec_mgmt_t devpts_t:dir getattr;
-allow ipsec_mgmt_t etc_t:lnk_file read;
-allow ipsec_mgmt_t var_t:dir search;
-allow ipsec_mgmt_t sbin_t:dir search;
-allow ipsec_mgmt_t bin_t:dir search;
-allow ipsec_mgmt_t ipsec_var_run_t:file { getattr read };
-
-# Startup scripts
-# use libraries
-uses_shlib({ ipsec_t ipsec_mgmt_t })
-# Read and write /dev/tty
-allow ipsec_mgmt_t devtty_t:chr_file rw_file_perms;
-# fork
-allow ipsec_mgmt_t self:process fork;
-# startup script runs /bin/gawk with a pipe
-allow ipsec_mgmt_t self:fifo_file rw_file_perms;
-# read /etc/mtab Why?
-allow ipsec_mgmt_t etc_runtime_t:file { read getattr };
-# read link for /bin/sh 
-allow { ipsec_t ipsec_mgmt_t } bin_t:lnk_file read;
-
-#
-allow ipsec_mgmt_t self:process { sigchld signal setrlimit };
-
-# Allow read/write access to /var/run/pluto.ctl
-allow ipsec_t self:unix_stream_socket {create setopt bind listen accept read write };
-
-# Pluto needs network access
-can_network_server(ipsec_t)
-can_ypbind(ipsec_t)
-allow ipsec_t self:unix_dgram_socket create_socket_perms;
-
-# for sleep
-allow ipsec_mgmt_t fs_t:filesystem getattr;
-
-# for the start script
-can_exec(ipsec_mgmt_t, etc_t)
-
-# allow access to /etc/localtime
-allow ipsec_mgmt_t etc_t:file { read getattr };
-allow ipsec_t etc_t:file { read getattr };
-
-# allow access to /dev/null
-allow ipsec_mgmt_t null_device_t:chr_file rw_file_perms;
-allow ipsec_t null_device_t:chr_file rw_file_perms;
-
-# Allow scripts to use /var/lock/subsys/ipsec
-lock_domain(ipsec_mgmt)
-
-# allow tncfg to create sockets
-allow ipsec_mgmt_t self:udp_socket { create ioctl };
-
-#When running ipsec auto --up <conname>
-allow ipsec_t self:process { fork sigchld };
-allow ipsec_t self:fifo_file { read getattr };
-
-# ideally it would not need this.  It wants to write to /root/.rnd
-file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
-
-allow ipsec_mgmt_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write ioctl };
-allow ipsec_t initrc_devpts_t:chr_file { getattr read write };
-allow ipsec_mgmt_t self:lnk_file read;
-
-allow ipsec_mgmt_t self:capability { sys_tty_config dac_read_search };
-read_locale(ipsec_mgmt_t)
-var_run_domain(ipsec_mgmt)
-dontaudit ipsec_mgmt_t default_t:dir getattr;
-dontaudit ipsec_mgmt_t default_t:file getattr;
-allow ipsec_mgmt_t tmpfs_t:dir { getattr read };
-allow ipsec_mgmt_t self:key_socket { create setopt };
-can_exec(ipsec_mgmt_t, initrc_exec_t)
-allow ipsec_t self:netlink_xfrm_socket create_socket_perms;
-allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
-read_locale(ipsec_t)
-ifdef(`consoletype.te', `
-can_exec(ipsec_mgmt_t, consoletype_exec_t )
-')
-dontaudit ipsec_mgmt_t selinux_config_t:dir search;
-dontaudit ipsec_t ttyfile:chr_file { read write };
-allow ipsec_t self:capability { dac_override dac_read_search };
-allow ipsec_t { isakmp_port_t reserved_port_t }:udp_socket name_bind;
-allow ipsec_mgmt_t dev_fs:file_class_set getattr;
-dontaudit ipsec_mgmt_t device_t:lnk_file read;
-allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
-allow ipsec_mgmt_t sysctl_net_t:file { getattr read };
-rw_dir_create_file(ipsec_mgmt_t, ipsec_var_run_t)
-rw_dir_create_file(initrc_t, ipsec_var_run_t)
-allow initrc_t ipsec_conf_file_t:file { getattr read ioctl };
diff --git a/strict/domains/program/iptables.te b/strict/domains/program/iptables.te
deleted file mode 100644
index 8d83280..0000000
--- a/strict/domains/program/iptables.te
+++ /dev/null
@@ -1,63 +0,0 @@
-#DESC Ipchains - IP packet filter administration
-#
-# Authors:  Justin Smith <jsmith@mcs.drexel.edu>
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: ipchains iptables
-#
-
-#
-# Rules for the iptables_t domain.
-#
-daemon_base_domain(iptables, `, privmodule')
-role sysadm_r types iptables_t;
-domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)
-
-ifdef(`modutil.te', `
-# for modprobe
-allow iptables_t sbin_t:dir search;
-allow iptables_t sbin_t:lnk_file read;
-')
-
-read_locale(iptables_t)
-
-# to allow rules to be saved on reboot
-allow iptables_t initrc_tmp_t:file rw_file_perms;
-
-domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)
-allow iptables_t var_t:dir search;
-var_run_domain(iptables)
-
-allow iptables_t self:process { fork signal_perms };
-
-allow iptables_t { sysctl_t sysctl_kernel_t }:dir search;
-allow iptables_t sysctl_modprobe_t:file { getattr read };
-
-tmp_domain(iptables)
-
-# for iptables -L
-allow iptables_t self:unix_stream_socket create_socket_perms;
-can_resolve(iptables_t)
-can_ypbind(iptables_t)
-
-allow iptables_t iptables_exec_t:file execute_no_trans;
-allow iptables_t self:capability { net_admin net_raw };
-allow iptables_t self:rawip_socket create_socket_perms;
-
-allow iptables_t etc_t:file { getattr read };
-
-allow iptables_t fs_t:filesystem getattr;
-allow iptables_t { userdomain kernel_t }:fd use;
-
-# Access terminals.
-allow iptables_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow iptables_t sysadm_gph_t:fd use;')
-
-allow iptables_t proc_t:file { getattr read };
-allow iptables_t proc_net_t:dir search;
-allow iptables_t proc_net_t:file { read getattr };
-
-# system-config-network appends to /var/log
-allow iptables_t var_log_t:file append;
-ifdef(`firstboot.te', `
-allow iptables_t firstboot_t:fifo_file write;
-')
diff --git a/strict/domains/program/irc.te b/strict/domains/program/irc.te
deleted file mode 100644
index 50c1122..0000000
--- a/strict/domains/program/irc.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC Irc - IRC client
-#
-# Domains for the irc program.
-# X-Debian-Packages: tinyirc ircii
-
-#
-# irc_exec_t is the type of the irc executable.
-#
-type irc_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the irc_domain macro in
-# macros/program/irc_macros.te.
diff --git a/strict/domains/program/irqbalance.te b/strict/domains/program/irqbalance.te
deleted file mode 100644
index 35be192..0000000
--- a/strict/domains/program/irqbalance.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#DESC IRQBALANCE - IRQ balance daemon
-#
-# Author:  Ulrich Drepper <drepper@redhat.com>
-#
-
-#################################
-#
-# Rules for the irqbalance_t domain.
-#
-daemon_domain(irqbalance)
-
-# irqbalance needs access to /proc.
-allow irqbalance_t proc_t:file { read getattr };
-allow irqbalance_t sysctl_irq_t:dir r_dir_perms;
-allow irqbalance_t sysctl_irq_t:file rw_file_perms;
diff --git a/strict/domains/program/java.te b/strict/domains/program/java.te
deleted file mode 100644
index dfd0372..0000000
--- a/strict/domains/program/java.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#DESC Java VM 
-#
-# Authors: Dan Walsh <dwalsh@redhat.com> 
-# X-Debian-Packages: java
-#
-
-# Type for the netscape, java or other browser executables.
-type java_exec_t, file_type, sysadmfile, exec_type;
-
-# Allow java executable stack
-bool allow_java_execstack false;
-
-# Everything else is in the java_domain macro in
-# macros/program/java_macros.te.
diff --git a/strict/domains/program/kerberos.te b/strict/domains/program/kerberos.te
deleted file mode 100644
index 19cc3c4..0000000
--- a/strict/domains/program/kerberos.te
+++ /dev/null
@@ -1,91 +0,0 @@
-#DESC Kerberos5 - MIT Kerberos5
-# supports krb5kdc and kadmind daemons
-# kinit, kdestroy, klist clients
-# ksu support not complete
-#
-# includes rules for OpenSSH daemon compiled with both
-# kerberos5 and SELinux support
-#
-# Not supported : telnetd, ftpd, kprop/kpropd daemons
-#
-# Author:   Kerry Thompson <kerry@crypt.gen.nz>
-# Modified by Colin Walters <walters@redhat.com>
-# 
-
-#################################
-#
-# Rules for the krb5kdc_t,kadmind_t domains.
-#
-daemon_domain(krb5kdc)
-daemon_domain(kadmind)
-
-can_exec(krb5kdc_t, krb5kdc_exec_t)
-can_exec(kadmind_t, kadmind_exec_t)
-
-# types for general configuration files in /etc
-type krb5_keytab_t, file_type, sysadmfile, secure_file_type;
-
-# types for KDC configs and principal file(s)
-type krb5kdc_conf_t, file_type, sysadmfile;
-type krb5kdc_principal_t, file_type, sysadmfile;
-
-# Use capabilities. Surplus capabilities may be allowed.
-allow krb5kdc_t self:capability { setuid setgid net_admin net_bind_service chown fowner dac_override sys_nice };
-allow kadmind_t self:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice };
-
-# krb5kdc and kadmind can use network
-can_network_server( { krb5kdc_t kadmind_t } )
-can_ypbind( { krb5kdc_t kadmind_t } )
-
-# allow UDP transfer to/from any program
-can_udp_send(kerberos_port_t, krb5kdc_t)
-can_udp_send(krb5kdc_t, kerberos_port_t)
-can_tcp_connect(kerberos_port_t, krb5kdc_t)
-can_tcp_connect(kerberos_admin_port_t, kadmind_t)
-
-# Bind to the kerberos, kerberos-adm ports.
-allow krb5kdc_t kerberos_port_t:{ udp_socket tcp_socket } name_bind;
-allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;
-allow kadmind_t reserved_port_t:tcp_socket name_bind;
-dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;
-
-#
-# Rules for Kerberos5 KDC daemon
-allow krb5kdc_t self:unix_dgram_socket create_socket_perms;
-allow krb5kdc_t self:unix_stream_socket create_socket_perms;
-allow kadmind_t  self:unix_stream_socket create_socket_perms;
-allow krb5kdc_t krb5kdc_conf_t:dir search;
-allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
-allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
-dontaudit krb5kdc_t krb5kdc_principal_t:file write;
-allow krb5kdc_t locale_t:file { getattr read };
-dontaudit krb5kdc_t krb5kdc_conf_t:file write;
-allow { kadmind_t krb5kdc_t } etc_t:dir { getattr search };
-allow { kadmind_t krb5kdc_t } etc_t:file { getattr read };
-allow { kadmind_t krb5kdc_t } krb5_conf_t:file r_file_perms;
-dontaudit { kadmind_t krb5kdc_t } krb5_conf_t:file write;
-tmp_domain(krb5kdc)
-log_domain(krb5kdc)
-allow { kadmind_t krb5kdc_t } urandom_device_t:chr_file { getattr read };
-allow kadmind_t random_device_t:chr_file { getattr read };
-allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
-allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
-allow krb5kdc_t proc_t:dir r_dir_perms;
-allow krb5kdc_t proc_t:file { getattr read };
-
-#
-# Rules for Kerberos5 Kadmin daemon
-allow kadmind_t self:unix_dgram_socket { connect create write };
-allow kadmind_t krb5kdc_conf_t:dir search;
-allow kadmind_t krb5kdc_conf_t:file r_file_perms;
-allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
-read_locale(kadmind_t)
-dontaudit kadmind_t krb5kdc_conf_t:file write;
-tmp_domain(kadmind)
-log_domain(kadmind)
-
-#
-# Allow user programs to talk to KDC
-allow krb5kdc_t userdomain:udp_socket recvfrom;
-allow userdomain krb5kdc_t:udp_socket recvfrom;
-allow initrc_t krb5_conf_t:file ioctl;
diff --git a/strict/domains/program/klogd.te b/strict/domains/program/klogd.te
deleted file mode 100644
index dd0b79c..0000000
--- a/strict/domains/program/klogd.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC Klogd - Kernel log daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: klogd
-#
-
-#################################
-#
-# Rules for the klogd_t domain.
-#
-daemon_domain(klogd, `, privmem, privkmsg, mlsfileread')
-
-tmp_domain(klogd)
-allow klogd_t proc_t:dir r_dir_perms;
-allow klogd_t proc_t:lnk_file r_file_perms;
-allow klogd_t proc_t:file { getattr read };
-allow klogd_t self:dir r_dir_perms;
-allow klogd_t self:lnk_file r_file_perms;
-
-# read /etc/nsswitch.conf
-allow klogd_t etc_t:lnk_file read;
-allow klogd_t etc_t:file r_file_perms;
-
-read_locale(klogd_t)
-
-allow klogd_t etc_runtime_t:file { getattr read };
-
-# Create unix sockets
-allow klogd_t self:unix_dgram_socket create_socket_perms;
-
-# Use the sys_admin and sys_rawio capabilities.
-allow klogd_t self:capability { sys_admin sys_rawio };
-dontaudit klogd_t self:capability sys_resource;
-
-
-# Read /proc/kmsg and /dev/mem.
-allow klogd_t proc_kmsg_t:file r_file_perms;
-allow klogd_t memory_device_t:chr_file r_file_perms;
-
-# Control syslog and console logging
-allow klogd_t kernel_t:system { syslog_mod syslog_console };
-
-# Read /boot/System.map*
-allow klogd_t system_map_t:file r_file_perms;
-allow klogd_t boot_t:dir r_dir_perms;
-ifdef(`targeted_policy', `
-allow klogd_t unconfined_t:system syslog_mod;
-')
diff --git a/strict/domains/program/ktalkd.te b/strict/domains/program/ktalkd.te
deleted file mode 100644
index 7ae0109..0000000
--- a/strict/domains/program/ktalkd.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#DESC ktalkd -  KDE version of the talk server 
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the ktalkd_t domain.
-#
-# ktalkd_exec_t is the type of the ktalkd executable.
-#
-
-inetd_child_domain(ktalkd, udp)
diff --git a/strict/domains/program/kudzu.te b/strict/domains/program/kudzu.te
deleted file mode 100644
index 149b222..0000000
--- a/strict/domains/program/kudzu.te
+++ /dev/null
@@ -1,115 +0,0 @@
-#DESC kudzu - Red Hat utility to recognise new hardware
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-daemon_base_domain(kudzu, `, etc_writer, privmodule, sysctl_kernel_writer, fs_domain, privmem')
-
-read_locale(kudzu_t)
-
-# for /etc/sysconfig/hwconf - probably need a new type
-allow kudzu_t etc_runtime_t:file rw_file_perms;
-
-# for kmodule
-if (allow_execmem) {
-allow kudzu_t self:process execmem;
-}
-allow kudzu_t zero_device_t:chr_file rx_file_perms;
-allow kudzu_t memory_device_t:chr_file { read write execute };
-
-allow kudzu_t ramfs_t:dir search;
-allow kudzu_t ramfs_t:sock_file write;
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-allow kudzu_t modules_conf_t:file { getattr read unlink rename };
-allow kudzu_t modules_object_t:dir r_dir_perms;
-allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
-allow kudzu_t mouse_device_t:chr_file { read write };
-allow kudzu_t proc_net_t:dir r_dir_perms;
-allow kudzu_t { proc_net_t proc_t }:file { getattr read };
-allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
-allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
-allow kudzu_t { bin_t sbin_t }:dir { getattr search };
-allow kudzu_t { bin_t sbin_t }:lnk_file read;
-read_sysctl(kudzu_t)
-allow kudzu_t sysctl_dev_t:dir { getattr search read };
-allow kudzu_t sysctl_dev_t:file { getattr read };
-allow kudzu_t sysctl_kernel_t:file write;
-allow kudzu_t usbdevfs_t:dir search;
-allow kudzu_t usbdevfs_t:file { getattr read };
-allow kudzu_t usbfs_t:dir search;
-allow kudzu_t usbfs_t:file { getattr read };
-var_run_domain(kudzu)
-allow kudzu_t kernel_t:system syslog_console;
-allow kudzu_t self:udp_socket { create ioctl };
-allow kudzu_t var_lock_t:dir search;
-allow kudzu_t devpts_t:dir search;
-
-# so it can write messages to the console
-allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms;
-
-role sysadm_r types kudzu_t;
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, kudzu_exec_t, kudzu_t)
-')
-ifdef(`anaconda.te', `
-domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
-')
-
-allow kudzu_t sysadm_home_dir_t:dir search;
-rw_dir_create_file(kudzu_t, etc_t)
-
-rw_dir_create_file(kudzu_t, mnt_t)
-can_exec(kudzu_t, { bin_t sbin_t init_exec_t })
-# Read /usr/lib/gconv/gconv-modules.*
-allow kudzu_t lib_t:file { read getattr };
-# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
-allow kudzu_t usr_t:file { read getattr };
-r_dir_file(kudzu_t, hwdata_t)
-
-# Communicate with rhgb-client.
-allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow kudzu_t self:unix_dgram_socket create_socket_perms;
-
-ifdef(`rhgb.te', `
-allow kudzu_t rhgb_t:unix_stream_socket connectto;
-')
-
-allow kudzu_t self:file { getattr read };
-allow kudzu_t self:fifo_file rw_file_perms;
-ifdef(`gpm.te', `
-allow kudzu_t gpmctl_t:sock_file getattr;
-')
-
-can_exec(kudzu_t, shell_exec_t)
-
-# Write to /proc/sys/kernel/hotplug.  Why?
-allow kudzu_t sysctl_hotplug_t:file { read write };
-
-allow kudzu_t sysfs_t:dir { getattr read search };
-allow kudzu_t sysfs_t:file { getattr read };
-allow kudzu_t sysfs_t:lnk_file read;
-file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file)
-allow kudzu_t tape_device_t:chr_file r_file_perms;
-tmp_domain(kudzu, `', `{ file dir chr_file }')
-
-# for file systems that are not yet mounted
-dontaudit kudzu_t file_t:dir search;
-ifdef(`lpd.te', `
-allow kudzu_t printconf_t:file { getattr read };
-')
-ifdef(`cups.te', `
-allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
-')
-dontaudit kudzu_t src_t:dir search;
-ifdef(`xserver.te', `
-allow kudzu_t xserver_exec_t:file getattr;
-')
-
-ifdef(`userhelper.te', `
-role system_r types sysadm_userhelper_t;
-domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-
-allow kudzu_t initrc_t:unix_stream_socket connectto;
-allow kudzu_t net_conf_t:file { getattr read };
-
diff --git a/strict/domains/program/ldconfig.te b/strict/domains/program/ldconfig.te
deleted file mode 100644
index fbb7688..0000000
--- a/strict/domains/program/ldconfig.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#DESC Ldconfig - Configure dynamic linker bindings
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: libc6
-#
-
-#################################
-#
-# Rules for the ldconfig_t domain.
-#
-type ldconfig_t, domain, privlog, etc_writer;
-type ldconfig_exec_t, file_type, sysadmfile, exec_type;
-
-role sysadm_r types ldconfig_t;
-role system_r types ldconfig_t;
-
-domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
-dontaudit ldconfig_t device_t:dir search;
-can_access_pty(ldconfig_t, initrc)
-allow ldconfig_t admin_tty_type:chr_file rw_file_perms;
-allow ldconfig_t privfd:fd use;
-
-uses_shlib(ldconfig_t)
-
-file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)
-allow ldconfig_t lib_t:dir rw_dir_perms;
-allow ldconfig_t lib_t:lnk_file create_lnk_perms;
-
-allow ldconfig_t userdomain:fd use;
-# unlink for when /etc/ld.so.cache is mislabeled
-allow ldconfig_t etc_t:file { getattr read unlink };
-allow ldconfig_t etc_t:lnk_file read;
-
-allow ldconfig_t fs_t:filesystem getattr;
-allow ldconfig_t tmp_t:dir search;
-
-ifdef(`apache.te', `
-# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
-dontaudit ldconfig_t httpd_modules_t:dir search;
-')
-
-allow ldconfig_t { var_t var_lib_t }:dir search;
-allow ldconfig_t proc_t:file { getattr read };
-ifdef(`hide_broken_symptoms', `
-ifdef(`unconfined.te',`
-dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
-');
-')dnl end hide_broken_symptoms
-ifdef(`targeted_policy', `
-allow ldconfig_t lib_t:file r_file_perms;
-unconfined_domain(ldconfig_t) 
-')
diff --git a/strict/domains/program/load_policy.te b/strict/domains/program/load_policy.te
deleted file mode 100644
index 7ff7a61..0000000
--- a/strict/domains/program/load_policy.te
+++ /dev/null
@@ -1,61 +0,0 @@
-#DESC LoadPolicy - SELinux policy loading utilities
-#
-# Authors:  Frank Mayer, mayerf@tresys.com
-# X-Debian-Packages: policycoreutils
-#
-
-###########################
-# load_policy_t is the domain type for load_policy 
-# load_policy_exec_t is the file type for the executable
-
-
-type load_policy_t, domain;
-role sysadm_r types load_policy_t;
-role secadm_r types load_policy_t;
-role system_r types load_policy_t;
-
-type load_policy_exec_t, file_type, exec_type, sysadmfile;
-
-##########################
-# 
-# Rules
-
-domain_auto_trans(secadmin, load_policy_exec_t, load_policy_t)
-
-allow load_policy_t console_device_t:chr_file { read write };
-
-# Reload the policy configuration (sysadm_t no longer has this ability)
-can_loadpol(load_policy_t)
-
-# Reset policy boolean values.
-can_setbool(load_policy_t)
-
-
-###########################
-# constrain from where load_policy can load a policy, specifically 
-# policy_config_t files 
-#
-
-# only allow read of policy config files
-allow load_policy_t policy_src_t:dir search;
-r_dir_file(load_policy_t, policy_config_t)
-r_dir_file(load_policy_t, selinux_config_t)
-
-# directory search permissions for path to binary policy files
-allow load_policy_t root_t:dir search;
-allow load_policy_t etc_t:dir search;
-
-# for mcs.conf
-allow load_policy_t etc_t:file { getattr read };
-
-# Other access
-can_access_pty(load_policy_t, initrc)
-allow load_policy_t { admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
-uses_shlib(load_policy_t)
-allow load_policy_t self:capability dac_override;
-
-allow load_policy_t { userdomain privfd initrc_t }:fd use;
-
-allow load_policy_t fs_t:filesystem getattr;
-
-read_locale(load_policy_t)
diff --git a/strict/domains/program/loadkeys.te b/strict/domains/program/loadkeys.te
deleted file mode 100644
index 0959762..0000000
--- a/strict/domains/program/loadkeys.te
+++ /dev/null
@@ -1,45 +0,0 @@
-#DESC loadkeys - for changing to unicode at login time
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-# X-Debian-Packages: console-tools
-
-#
-# loadkeys_exec_t is the type of the wrapper
-#
-type loadkeys_exec_t, file_type, sysadmfile, exec_type;
-
-can_exec(initrc_t, loadkeys_exec_t)
-
-# Derived domain based on the calling user domain and the program.
-type loadkeys_t, domain;
-
-# Transition from the user domain to this domain.
-domain_auto_trans(unpriv_userdomain, loadkeys_exec_t, loadkeys_t)
-
-uses_shlib(loadkeys_t)
-dontaudit loadkeys_t proc_t:dir search;
-allow loadkeys_t proc_t:file { getattr read };
-allow loadkeys_t self:process { fork sigchld };
-
-allow loadkeys_t self:fifo_file rw_file_perms;
-allow loadkeys_t bin_t:dir search;
-allow loadkeys_t bin_t:lnk_file read;
-can_exec(loadkeys_t, { shell_exec_t bin_t })
-
-read_locale(loadkeys_t)
-
-dontaudit loadkeys_t etc_runtime_t:file { getattr read };
-
-# Use capabilities.
-allow loadkeys_t self:capability { setuid sys_tty_config };
-
-allow loadkeys_t local_login_t:fd use;
-allow loadkeys_t devtty_t:chr_file rw_file_perms;
-
-# The user role is authorized for this domain.
-in_user_role(loadkeys_t)
-
-# Write to the user domain tty.
-allow loadkeys_t ttyfile:chr_file rw_file_perms;
-
diff --git a/strict/domains/program/lockdev.te b/strict/domains/program/lockdev.te
deleted file mode 100644
index adb2a77..0000000
--- a/strict/domains/program/lockdev.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#DESC Lockdev - libblockdev helper application
-#
-# Authors:  Daniel Walsh <dwalsh@redhat.com> 
-#
-
-
-# Type for the lockdev
-type lockdev_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the lockdev_domain macro in
-# macros/program/lockdev_macros.te.
diff --git a/strict/domains/program/login.te b/strict/domains/program/login.te
deleted file mode 100644
index 289879b..0000000
--- a/strict/domains/program/login.te
+++ /dev/null
@@ -1,234 +0,0 @@
-#DESC Login - Local/remote login utilities
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# Macroised by Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: login
-#
-
-#################################
-# 
-# Rules for the local_login_t domain
-# and the remote_login_t domain.
-#
-
-# $1 is the name of the domain (local or remote)
-define(`login_domain', `
-type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
-role system_r types $1_login_t;
-
-dontaudit $1_login_t shadow_t:file { getattr read };
-
-general_domain_access($1_login_t);
-
-# Read system information files in /proc.
-r_dir_file($1_login_t, proc_t)
-
-base_file_read_access($1_login_t)
-
-# Read directories and files with the readable_t type.
-# This type is a general type for "world"-readable files.
-allow $1_login_t readable_t:dir r_dir_perms;
-allow $1_login_t readable_t:notdevfile_class_set r_file_perms;
-
-# Read /var, /var/spool
-allow $1_login_t { var_t var_spool_t }:dir search;
-
-# for when /var/mail is a sym-link
-allow $1_login_t var_t:lnk_file read;
-
-# Read /etc.
-r_dir_file($1_login_t, etc_t)
-allow $1_login_t etc_runtime_t:{ file lnk_file } r_file_perms;
-
-read_locale($1_login_t)
-
-# for SSP/ProPolice
-allow $1_login_t urandom_device_t:chr_file { getattr read };
-
-# Read executable types.
-allow $1_login_t exec_type:{ file lnk_file } r_file_perms;
-
-# Read /dev directories and any symbolic links.
-allow $1_login_t device_t:dir r_dir_perms;
-allow $1_login_t device_t:lnk_file r_file_perms;
-
-uses_shlib($1_login_t);
-
-tmp_domain($1_login)
-
-ifdef(`pam.te', `
-can_exec($1_login_t, pam_exec_t)
-')
-
-ifdef(`pamconsole.te', `
-rw_dir_create_file($1_login_t, pam_var_console_t)
-domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t)
-')
-
-ifdef(`alsa.te', `
-domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
-')
-
-# Use capabilities
-allow $1_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
-allow $1_login_t self:process setrlimit;
-dontaudit $1_login_t sysfs_t:dir search;
-
-# Set exec context.
-can_setexec($1_login_t)
-
-allow $1_login_t autofs_t:dir { search read getattr };
-allow $1_login_t mnt_t:dir r_dir_perms;
-
-if (use_nfs_home_dirs) {
-r_dir_file($1_login_t, nfs_t)
-}
-
-if (use_samba_home_dirs) {
-r_dir_file($1_login_t, cifs_t)
-}
-
-# Login can polyinstantiate
-polyinstantiater($1_login_t)
-
-# FIXME: what is this for?
-ifdef(`xdm.te', `
-allow xdm_t $1_login_t:process signull;
-')
-
-ifdef(`crack.te', `
-allow $1_login_t crack_db_t:file r_file_perms;
-')
-
-# Permit login to search the user home directories.
-allow $1_login_t home_root_t:dir search;
-allow $1_login_t home_dir_type:dir search;
-
-# Write to /var/run/utmp.
-allow $1_login_t var_run_t:dir search;
-allow $1_login_t initrc_var_run_t:file rw_file_perms;
-
-# Write to /var/log/wtmp.
-allow $1_login_t var_log_t:dir search;
-allow $1_login_t wtmp_t:file rw_file_perms;
-
-# Write to /var/log/lastlog.
-allow $1_login_t lastlog_t:file rw_file_perms;
-
-# Write to /var/log/btmp
-allow $1_login_t faillog_t:file { lock append read write };
-
-# Search for mail spool file.
-allow $1_login_t mail_spool_t:dir r_dir_perms;
-allow $1_login_t mail_spool_t:file getattr;
-allow $1_login_t mail_spool_t:lnk_file read;
-
-# Get security policy decisions.
-can_getsecurity($1_login_t)
-
-# allow read access to default_contexts in /etc/security
-allow $1_login_t default_context_t:file r_file_perms;
-allow $1_login_t default_context_t:dir search;
-r_dir_file($1_login_t, selinux_config_t)
-
-allow $1_login_t mouse_device_t:chr_file { getattr setattr };
-
-ifdef(`targeted_policy',`
-unconfined_domain($1_login_t)
-domain_auto_trans($1_login_t, shell_exec_t, unconfined_t)
-')
-
-')dnl end login_domain macro
-#################################
-#
-# Rules for the local_login_t domain.
-#
-# local_login_t is the domain of a login process 
-# spawned by getty.
-#
-# remote_login_t is the domain of a login process 
-# spawned by rlogind.
-#
-# login_exec_t is the type of the login program
-#
-type login_exec_t, file_type, sysadmfile, exec_type;
-
-login_domain(local)
-
-# But also permit other user domains to be entered by login.
-login_spawn_domain(local_login, userdomain)
-
-# Do not audit denied attempts to access devices.
-dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };
-dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
-dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr };
-dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr };
-dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
-dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
-dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
-dontaudit local_login_t removable_device_t:chr_file { getattr setattr };
-dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
-
-# Do not audit denied attempts to access /mnt.
-dontaudit local_login_t mnt_t:dir r_dir_perms;
-
-
-# Create lock file.
-lock_domain(local_login)
-
-# Read and write ttys.
-allow local_login_t tty_device_t:chr_file { setattr rw_file_perms };
-allow local_login_t ttyfile:chr_file { setattr rw_file_perms };
-
-# Relabel ttys.
-allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto };
-allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto };
-
-ifdef(`gpm.te',
-`allow local_login_t gpmctl_t:sock_file { getattr setattr };')
-
-# Allow setting of attributes on sound devices.
-allow local_login_t sound_device_t:chr_file { getattr setattr };
-
-# Allow setting of attributes on power management devices.
-allow local_login_t power_device_t:chr_file { getattr setattr };
-dontaudit local_login_t init_t:fd use;
-
-#################################
-#
-# Rules for the remote_login_t domain.
-#
-
-login_domain(remote)
-
-# Only permit unprivileged user domains to be entered via rlogin,
-# since very weak authentication is used.
-login_spawn_domain(remote_login, unpriv_userdomain)
-
-allow remote_login_t userpty_type:chr_file { setattr write };
-
-# Use the pty created by rlogind.
-ifdef(`rlogind.te', `
-can_access_pty(remote_login_t, rlogind)
-# Relabel ptys created by rlogind.
-allow remote_login_t rlogind_devpts_t:chr_file { setattr relabelfrom relabelto };
-')
-
-# Use the pty created by telnetd.
-ifdef(`telnetd.te', `
-can_access_pty(remote_login_t, telnetd)
-# Relabel ptys created by telnetd.
-allow remote_login_t telnetd_devpts_t:chr_file { setattr relabelfrom relabelto };
-')
-
-allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
-allow remote_login_t fs_t:filesystem { getattr };
-
-# Allow remote login to resolve host names (passed in via the -h switch)
-can_resolve(remote_login_t)
-
-ifdef(`use_mcs', `
-ifdef(`getty.te', `
-range_transition getty_t login_exec_t s0 - s0:c0.c255;
-')
-')
diff --git a/strict/domains/program/logrotate.te b/strict/domains/program/logrotate.te
deleted file mode 100644
index d568a5f..0000000
--- a/strict/domains/program/logrotate.te
+++ /dev/null
@@ -1,150 +0,0 @@
-#DESC Logrotate - Rotate log files
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>   Timothy Fraser  
-#           Russell Coker <rcoker@redhat.com>
-# X-Debian-Packages: logrotate
-# Depends: crond.te
-#
-
-#################################
-#
-# Rules for the logrotate_t domain.
-#
-# logrotate_t is the domain for the logrotate program.
-# logrotate_exec_t is the type of the corresponding program.
-#
-type logrotate_t, domain, privowner, privmail, priv_system_role, nscd_client_domain;
-role system_r types logrotate_t;
-role sysadm_r types logrotate_t;
-uses_shlib(logrotate_t)
-general_domain_access(logrotate_t)
-type logrotate_exec_t, file_type, sysadmfile, exec_type;
-
-system_crond_entry(logrotate_exec_t, logrotate_t)
-allow logrotate_t cron_spool_t:dir search;
-allow crond_t logrotate_var_lib_t:dir search;
-domain_auto_trans(sysadm_t, logrotate_exec_t, logrotate_t)
-allow logrotate_t self:unix_stream_socket create_socket_perms;
-allow logrotate_t devtty_t:chr_file rw_file_perms;
-
-ifdef(`distro_debian', `
-allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
-# for savelog
-can_exec(logrotate_t, logrotate_exec_t)
-')
-
-# for perl
-allow logrotate_t usr_t:file { getattr read ioctl };
-allow logrotate_t usr_t:lnk_file read;
-
-# access files in /etc
-allow logrotate_t etc_t:file { getattr read ioctl };
-allow logrotate_t etc_t:lnk_file { getattr read };
-allow logrotate_t etc_runtime_t:file r_file_perms;
-
-# it should not require this
-allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };
-
-# create lock files
-lock_domain(logrotate)
-
-# Create temporary files.
-tmp_domain(logrotate)
-can_exec(logrotate_t, logrotate_tmp_t)
-
-# Run helper programs.
-allow logrotate_t { bin_t sbin_t }:dir r_dir_perms;
-allow logrotate_t { bin_t sbin_t }:lnk_file read;
-can_exec(logrotate_t, { bin_t sbin_t shell_exec_t ls_exec_t })
-
-# Read PID files.
-allow logrotate_t pidfile:file r_file_perms;
-
-# Read /proc/PID directories for all domains.
-read_sysctl(logrotate_t)
-allow logrotate_t proc_t:dir r_dir_perms;
-allow logrotate_t proc_t:{ file lnk_file } r_file_perms;
-allow logrotate_t domain:notdevfile_class_set r_file_perms;
-allow logrotate_t domain:dir r_dir_perms;
-allow logrotate_t exec_type:file getattr;
-
-# Read /dev directories and any symbolic links.
-allow logrotate_t device_t:dir r_dir_perms;
-allow logrotate_t device_t:lnk_file r_file_perms;
-
-# Signal processes.
-allow logrotate_t domain:process signal;
-
-# Modify /var/log and other log dirs.
-allow logrotate_t var_t:dir r_dir_perms;
-allow logrotate_t logfile:dir rw_dir_perms;
-allow logrotate_t logfile:lnk_file read;
-
-# Create, rename, and truncate log files.
-allow logrotate_t logfile:file create_file_perms;
-allow logrotate_t wtmp_t:file create_file_perms;
-ifdef(`squid.te', `
-allow squid_t { system_crond_t crond_t }:fd use;
-allow squid_t crond_t:fifo_file { read write };
-allow squid_t system_crond_t:fifo_file write;
-allow squid_t self:capability kill;
-')
-
-# Set a context other than the default one for newly created files.
-can_setfscreate(logrotate_t)
-
-# Change ownership on log files.
-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
-# for mailx
-dontaudit logrotate_t self:capability { setuid setgid };
-
-ifdef(`mta.te', `
-allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms;
-')
-
-# Access /var/run
-allow logrotate_t var_run_t:dir r_dir_perms;
-
-# for /var/lib/logrotate.status and /var/lib/logcheck
-var_lib_domain(logrotate)
-allow logrotate_t logrotate_var_lib_t:dir create;
-
-# Write to /var/spool/slrnpull - should be moved into its own type.
-create_dir_file(logrotate_t, var_spool_t)
-
-allow logrotate_t urandom_device_t:chr_file { getattr read };
-
-# Access terminals.
-allow logrotate_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;')
-allow logrotate_t privfd:fd use;
-
-# for /var/backups on Debian
-ifdef(`backup.te', `
-rw_dir_create_file(logrotate_t, backup_store_t)
-')
-
-read_locale(logrotate_t)
-
-allow logrotate_t fs_t:filesystem getattr;
-can_exec(logrotate_t, shell_exec_t)
-ifdef(`hostname.te', `can_exec(logrotate_t, hostname_exec_t)')
-can_exec(logrotate_t,logfile)
-allow logrotate_t net_conf_t:file { getattr read };
-
-ifdef(`consoletype.te', `
-can_exec(logrotate_t, consoletype_exec_t)
-dontaudit consoletype_t logrotate_t:fd use;
-')
-
-allow logrotate_t syslogd_t:unix_dgram_socket sendto;
-
-domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)
-
-# Supress libselinux initialization denials
-dontaudit logrotate_t selinux_config_t:dir search;
-dontaudit logrotate_t selinux_config_t:file { read getattr };
-
-# Allow selinux_getenforce 
-allow logrotate_t security_t:dir search;
-allow logrotate_t security_t:file { getattr read };
diff --git a/strict/domains/program/lpd.te b/strict/domains/program/lpd.te
deleted file mode 100644
index 76cd44d..0000000
--- a/strict/domains/program/lpd.te
+++ /dev/null
@@ -1,161 +0,0 @@
-#DESC Lpd - Print server
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# Modified by David A. Wheeler <dwheeler@ida.org> for LPRng (Red Hat 7.1)
-# Modified by Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: lpr
-#
-
-#################################
-#
-# Rules for the lpd_t domain.
-#
-# lpd_t is the domain of lpd.
-# lpd_exec_t is the type of the lpd executable.
-# printer_t is the type of the Unix domain socket created
-# by lpd.
-#
-daemon_domain(lpd)
-
-allow lpd_t lpd_var_run_t:sock_file create_file_perms;
-
-read_fonts(lpd_t)
-
-type printer_t, file_type, sysadmfile, dev_fs;
-
-type printconf_t, file_type, sysadmfile;   # Type for files in /usr/share/printconf.
-
-tmp_domain(lpd);
-
-# for postscript include files
-allow lpd_t usr_t:{ file lnk_file } { getattr read };
-
-# Allow checkpc to access the lpd spool so it can check & fix it.
-# This requires that /usr/sbin/checkpc have type checkpc_t.
-type checkpc_t, domain, privlog;
-role system_r types checkpc_t;
-uses_shlib(checkpc_t)
-can_network_client(checkpc_t)
-allow checkpc_t port_type:tcp_socket name_connect;
-can_ypbind(checkpc_t)
-log_domain(checkpc)
-type checkpc_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(initrc_t, checkpc_exec_t, checkpc_t)
-domain_auto_trans(sysadm_t, checkpc_exec_t, checkpc_t)
-role sysadm_r types checkpc_t;
-allow checkpc_t admin_tty_type:chr_file { read write };
-allow checkpc_t privfd:fd use;
-ifdef(`crond.te', `
-system_crond_entry(checkpc_exec_t, checkpc_t)
-')
-allow checkpc_t self:capability { setgid setuid dac_override };
-allow checkpc_t self:process { fork signal_perms };
-
-allow checkpc_t proc_t:dir search;
-allow checkpc_t proc_t:lnk_file read;
-allow checkpc_t proc_t:file { getattr read };
-r_dir_file(checkpc_t, self)
-allow checkpc_t self:unix_stream_socket create_socket_perms;
-
-allow checkpc_t { etc_t etc_runtime_t }:file { getattr read };
-allow checkpc_t etc_t:lnk_file read;
-
-allow checkpc_t { var_t var_spool_t }:dir { getattr search };
-allow checkpc_t print_spool_t:file { rw_file_perms unlink };
-allow checkpc_t print_spool_t:dir { read write search add_name remove_name getattr };
-allow checkpc_t device_t:dir search;
-allow checkpc_t printer_device_t:chr_file { getattr append };
-allow checkpc_t devtty_t:chr_file rw_file_perms;
-allow checkpc_t initrc_devpts_t:chr_file rw_file_perms;
-
-# Allow access to /dev/console through the fd:
-allow checkpc_t init_t:fd use;
-
-# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
-allow checkpc_t { bin_t sbin_t }:dir search;
-allow checkpc_t bin_t:lnk_file read;
-can_exec(checkpc_t, shell_exec_t)
-can_exec(checkpc_t, bin_t)
-
-# bash wants access to /proc/meminfo
-allow lpd_t proc_t:file { getattr read };
-
-# gs-gnu wants to read some sysctl entries, it seems to work without though
-dontaudit lpd_t { sysctl_t sysctl_kernel_t }:dir search;
-
-# for defoma
-r_dir_file(lpd_t, var_lib_t)
-
-allow checkpc_t var_run_t:dir search;
-allow checkpc_t lpd_var_run_t:dir { search getattr };
-
-# This is needed to permit chown to read /var/spool/lpd/lp.
-# This is opens up security more than necessary; this means that ANYTHING
-# running in the initrc_t domain can read the printer spool directory.
-# Perhaps executing /etc/rc.d/init.d/lpd should transition
-# to domain lpd_t, instead of waiting for executing lpd.
-allow initrc_t print_spool_t:dir read;
-
-# for defoma
-r_dir_file(lpd_t, readable_t)
-
-# Use capabilities.
-allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
-
-# Use the network.
-can_network_server(lpd_t)
-can_ypbind(lpd_t)
-allow lpd_t self:fifo_file rw_file_perms;
-allow lpd_t self:unix_stream_socket create_stream_socket_perms;
-allow lpd_t self:unix_dgram_socket create_socket_perms;
-
-allow lpd_t self:file { getattr read };
-allow lpd_t etc_runtime_t:file { getattr read };
-
-# Bind to the printer port.
-allow lpd_t printer_port_t:tcp_socket name_bind;
-
-# Send to portmap.
-ifdef(`portmap.te', `can_udp_send(lpd_t, portmap_t)')
-
-ifdef(`ypbind.te',
-`# Connect to ypbind.
-can_tcp_connect(lpd_t, ypbind_t)')
-
-# Create and bind to /dev/printer.
-file_type_auto_trans(lpd_t, device_t, printer_t, lnk_file)
-allow lpd_t printer_t:unix_stream_socket name_bind;
-allow lpd_t printer_t:unix_dgram_socket name_bind;
-allow lpd_t printer_device_t:chr_file rw_file_perms;
-
-# Write to /var/spool/lpd.
-allow lpd_t var_spool_t:dir search;
-allow lpd_t print_spool_t:dir rw_dir_perms;
-allow lpd_t print_spool_t:file create_file_perms;
-allow lpd_t print_spool_t:file rw_file_perms;
-
-# Execute filter scripts.
-# can_exec(lpd_t, print_spool_t)
-
-# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
-allow lpd_t bin_t:dir search;
-allow lpd_t bin_t:lnk_file read;
-can_exec(lpd_t, { bin_t sbin_t shell_exec_t })
-
-# lpd must be able to execute the filter utilities in /usr/share/printconf.
-can_exec(lpd_t, printconf_t)
-allow lpd_t printconf_t:file rx_file_perms;
-allow lpd_t printconf_t:dir { getattr search read };
-
-# config files for lpd are of type etc_t, probably should change this
-allow lpd_t etc_t:file { getattr read };
-allow lpd_t etc_t:lnk_file read;
-
-# checkpc needs similar permissions.
-allow checkpc_t printconf_t:file getattr;
-allow checkpc_t printconf_t:dir { getattr search read };
-
-# Read printconf files.
-allow initrc_t printconf_t:dir r_dir_perms;
-allow initrc_t printconf_t:file r_file_perms;
-
diff --git a/strict/domains/program/lpr.te b/strict/domains/program/lpr.te
deleted file mode 100644
index d8ec0c0..0000000
--- a/strict/domains/program/lpr.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC Lpr - Print client
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
-# X-Debian-Packages: lpr lprng
-#
-
-
-# Type for the lpr, lpq, and lprm executables.
-type lpr_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the lpr_domain macro in
-# macros/program/lpr_macros.te.
diff --git a/strict/domains/program/lvm.te b/strict/domains/program/lvm.te
deleted file mode 100644
index b2e47eb..0000000
--- a/strict/domains/program/lvm.te
+++ /dev/null
@@ -1,139 +0,0 @@
-#DESC LVM - Linux Volume Manager
-#
-# Author:  Michael Kaufman <walker@screwage.com>
-# X-Debian-Packages: lvm10 lvm2 lvm-common
-#
-
-#################################
-#
-# Rules for the lvm_t domain.
-#
-# lvm_t is the domain for LVM administration.
-# lvm_exec_t is the type of the corresponding programs.
-# lvm_etc_t is for read-only LVM configuration files.
-# lvm_metadata_t is the type of LVM metadata files in /etc that are
-# modified at runtime.
-#
-type lvm_vg_t, file_type, sysadmfile;
-type lvm_metadata_t, file_type, sysadmfile;
-type lvm_control_t, device_type, dev_fs;
-etcdir_domain(lvm)
-lock_domain(lvm)
-allow lvm_t lvm_lock_t:dir rw_dir_perms;
-
-# needs privowner because it assigns the identity system_u to device nodes
-# but runs as the identity of the sysadmin
-daemon_base_domain(lvm, `, fs_domain, privowner')
-role sysadm_r types lvm_t;
-domain_auto_trans(sysadm_t, lvm_exec_t, lvm_t)
-
-# LVM will complain a lot if it cannot set its priority.
-allow lvm_t self:process setsched;
-
-allow lvm_t self:fifo_file rw_file_perms;
-allow lvm_t self:unix_dgram_socket create_socket_perms;
-
-r_dir_file(lvm_t, proc_t)
-allow lvm_t self:file rw_file_perms;
-
-# Read system variables in /proc/sys
-read_sysctl(lvm_t)
-
-# Read /sys/block. Device mapper metadata is kept there.
-r_dir_file(lvm_t, sysfs_t) 
-
-allow lvm_t fs_t:filesystem getattr;
-
-# Read configuration files in /etc.
-allow lvm_t { etc_t etc_runtime_t }:file { getattr read };
-
-# LVM creates block devices in /dev/mapper or /dev/<vg>
-# depending on its version
-file_type_auto_trans(lvm_t, device_t, fixed_disk_device_t, blk_file)
-
-# LVM(2) needs to create directores (/dev/mapper, /dev/<vg>)
-# and links from /dev/<vg> to /dev/mapper/<vg>-<lv>
-allow lvm_t device_t:dir create_dir_perms;
-allow lvm_t device_t:lnk_file create_lnk_perms;
-
-# /lib/lvm-<version> holds the actual LVM binaries (and symlinks)
-allow lvm_t lvm_exec_t:dir search;
-allow lvm_t lvm_exec_t:{ file lnk_file } r_file_perms;
-
-tmp_domain(lvm)
-allow lvm_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl };
-
-# DAC overrides and mknod for modifying /dev entries (vgmknodes)
-allow lvm_t self:capability { chown dac_override ipc_lock sys_admin sys_nice sys_resource mknod };
-
-# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
-file_type_auto_trans(lvm_t, { etc_t lvm_etc_t }, lvm_metadata_t, file)
-
-allow lvm_t lvm_metadata_t:dir rw_dir_perms;
-
-# Inherit and use descriptors from init.
-allow lvm_t init_t:fd use;
-
-# LVM is split into many individual binaries
-can_exec(lvm_t, lvm_exec_t)
-
-# Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
-allow lvm_t fixed_disk_device_t:chr_file create_file_perms;
-
-# relabel devices
-allow lvm_t { default_context_t file_context_t }:dir search;
-allow lvm_t file_context_t:file { getattr read };
-can_getsecurity(lvm_t)
-allow lvm_t fixed_disk_device_t:blk_file { relabelfrom relabelto };
-allow lvm_t device_t:lnk_file { relabelfrom relabelto };
-
-# Access terminals.
-allow lvm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
-allow lvm_t devtty_t:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow lvm_t sysadm_gph_t:fd use;')
-allow lvm_t privfd:fd use;
-allow lvm_t devpts_t:dir { search getattr read };
-
-read_locale(lvm_t)
-
-# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
-dontaudit lvm_t device_type:{ chr_file blk_file } { getattr read };
-dontaudit lvm_t ttyfile:chr_file getattr;
-dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr;
-dontaudit lvm_t devpts_t:dir { getattr read };
-dontaudit lvm_t xconsole_device_t:fifo_file getattr;
-
-ifdef(`gpm.te', `
-dontaudit lvm_t gpmctl_t:sock_file getattr;
-')
-dontaudit lvm_t initctl_t:fifo_file getattr;
-allow lvm_t sbin_t:dir search;
-dontaudit lvm_t sbin_t:file { getattr read };
-allow lvm_t lvm_control_t:chr_file rw_file_perms;
-allow initrc_t lvm_control_t:chr_file { getattr read unlink };
-allow initrc_t device_t:chr_file create;
-var_run_domain(lvm)
-
-# for when /usr is not mounted
-dontaudit lvm_t file_t:dir search;
-
-allow lvm_t tmpfs_t:dir r_dir_perms;
-r_dir_file(lvm_t, selinux_config_t)
-
-# it has no reason to need this
-dontaudit lvm_t proc_kcore_t:file getattr;
-allow lvm_t var_t:dir { search getattr };
-allow lvm_t ramfs_t:filesystem unmount;
-
-# cluster LVM daemon
-daemon_domain(clvmd)
-can_network(clvmd_t)
-can_ypbind(clvmd_t)
-allow clvmd_t self:capability net_bind_service;
-allow clvmd_t self:socket create_socket_perms;
-allow clvmd_t self:fifo_file { read write };
-allow clvmd_t self:file { getattr read };
-allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow clvmd_t reserved_port_t:tcp_socket name_bind;
-dontaudit clvmd_t reserved_port_type:tcp_socket name_bind;
-dontaudit clvmd_t selinux_config_t:dir search;
diff --git a/strict/domains/program/mailman.te b/strict/domains/program/mailman.te
deleted file mode 100644
index 72fe6a7..0000000
--- a/strict/domains/program/mailman.te
+++ /dev/null
@@ -1,113 +0,0 @@
-#DESC Mailman - GNU Mailman mailing list manager
-#
-# Author: Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: mailman
-
-type mailman_data_t, file_type, sysadmfile;
-type mailman_archive_t, file_type, sysadmfile;
-
-type mailman_log_t, file_type, sysadmfile, logfile;
-type mailman_lock_t, file_type, sysadmfile, lockfile;
-
-define(`mailman_domain', `
-type mailman_$1_t, domain, privlog $2;
-type mailman_$1_exec_t, file_type, sysadmfile, exec_type;
-role system_r types mailman_$1_t;
-file_type_auto_trans(mailman_$1_t, var_log_t, mailman_log_t, file)
-allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
-create_dir_file(mailman_$1_t, mailman_data_t)
-uses_shlib(mailman_$1_t)
-can_exec_any(mailman_$1_t)
-read_sysctl(mailman_$1_t)
-allow mailman_$1_t proc_t:dir search;
-allow mailman_$1_t proc_t:file { read getattr };
-allow mailman_$1_t var_lib_t:dir r_dir_perms;
-allow mailman_$1_t var_lib_t:lnk_file read;
-allow mailman_$1_t device_t:dir search;
-allow mailman_$1_t etc_runtime_t:file { read getattr };
-read_locale(mailman_$1_t)
-file_type_auto_trans(mailman_$1_t, var_lock_t, mailman_lock_t, file)
-allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
-allow mailman_$1_t fs_t:filesystem getattr;
-can_network(mailman_$1_t)
-allow mailman_$1_t smtp_port_t:tcp_socket name_connect;
-can_ypbind(mailman_$1_t)
-allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
-allow mailman_$1_t var_t:dir r_dir_perms;
-tmp_domain(mailman_$1)
-')
-
-mailman_domain(queue, `, auth_chkpwd, nscd_client_domain')
-can_tcp_connect(mailman_queue_t, mail_server_domain)
-
-can_exec(mailman_queue_t, su_exec_t)
-allow mailman_queue_t self:capability { setgid setuid };
-allow mailman_queue_t self:fifo_file rw_file_perms;
-dontaudit mailman_queue_t var_run_t:dir search;
-allow mailman_queue_t proc_t:lnk_file { getattr read };
-
-# for su
-dontaudit mailman_queue_t selinux_config_t:dir search;
-allow mailman_queue_t self:dir search;
-allow mailman_queue_t self:file { getattr read };
-allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
-allow mailman_queue_t self:lnk_file { getattr read };
-
-# some of the following could probably be changed to dontaudit, someone who
-# knows mailman well should test this out and send the changes
-allow mailman_queue_t sysadm_home_dir_t:dir { getattr search };
-
-mailman_domain(mail)
-dontaudit mailman_mail_t mta_delivery_agent:tcp_socket { read write };
-allow mailman_mail_t mta_delivery_agent:fd use;
-ifdef(`qmail.te', `
-allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
-# do we really need this?
-allow mailman_mail_t qmail_lspawn_t:fifo_file write;
-')
-
-create_dir_file(mailman_queue_t, mailman_archive_t)
-
-ifdef(`apache.te', `
-mailman_domain(cgi)
-can_tcp_connect(mailman_cgi_t, mail_server_domain)
-
-domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t)
-# should have separate types for public and private archives
-r_dir_file(httpd_t, mailman_archive_t)
-create_dir_file(mailman_cgi_t, mailman_archive_t)
-allow httpd_t mailman_data_t:dir { getattr search };
-
-dontaudit mailman_cgi_t httpd_log_t:file append;
-allow httpd_t mailman_cgi_t:process signal;
-allow mailman_cgi_t httpd_t:process sigchld;
-allow mailman_cgi_t httpd_t:fd use;
-allow mailman_cgi_t httpd_t:fifo_file { getattr read write ioctl };
-allow mailman_cgi_t httpd_sys_script_t:dir search;
-allow mailman_cgi_t devtty_t:chr_file { read write };
-allow mailman_cgi_t self:process { fork sigchld };
-allow mailman_cgi_t var_spool_t:dir search;
-')
-
-allow mta_delivery_agent mailman_data_t:dir search;
-allow mta_delivery_agent mailman_data_t:lnk_file read;
-allow initrc_t mailman_data_t:lnk_file read;
-allow initrc_t mailman_data_t:dir r_dir_perms;
-domain_auto_trans({ mta_delivery_agent initrc_t }, mailman_mail_exec_t, mailman_mail_t)
-ifdef(`direct_sysadm_daemon', `
-domain_auto_trans(sysadm_t, mailman_mail_exec_t, mailman_mail_t)
-')
-allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
-
-system_crond_entry(mailman_queue_exec_t, mailman_queue_t)
-allow mailman_queue_t devtty_t:chr_file { read write };
-allow mailman_queue_t self:process { fork signal sigchld };
-allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms;
-
-# so MTA can access /var/lib/mailman/mail/wrapper
-allow mta_delivery_agent var_lib_t:dir search;
-
-# Handle mailman log files
-rw_dir_create_file(logrotate_t, mailman_log_t)
-allow logrotate_t mailman_data_t:dir search;
-can_exec(logrotate_t, mailman_mail_exec_t)
diff --git a/strict/domains/program/mdadm.te b/strict/domains/program/mdadm.te
deleted file mode 100644
index 47f82e2..0000000
--- a/strict/domains/program/mdadm.te
+++ /dev/null
@@ -1,43 +0,0 @@
-#DESC mdadm - Linux RAID tool
-#
-# Author: Colin Walters <walters@redhat.com>
-#
-
-daemon_base_domain(mdadm, `, fs_domain, privmail')
-role sysadm_r types mdadm_t;
-
-allow initrc_t mdadm_var_run_t:file create_file_perms;
-
-# Kernel filesystem permissions
-r_dir_file(mdadm_t, proc_t)
-allow mdadm_t proc_mdstat_t:file rw_file_perms;
-read_sysctl(mdadm_t)
-r_dir_file(mdadm_t, sysfs_t) 
-
-# Configuration
-allow mdadm_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale(mdadm_t)
-
-# Linux capabilities
-allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
-
-# Helper program access
-can_exec(mdadm_t, { bin_t sbin_t })
-
-# RAID block device access
-allow mdadm_t fixed_disk_device_t:blk_file create_file_perms;
-allow mdadm_t device_t:lnk_file { getattr read };
-
-# Ignore attempts to read every device file
-dontaudit mdadm_t device_type:{ chr_file blk_file } getattr;
-dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr };
-dontaudit mdadm_t devpts_t:dir r_dir_perms;
-
-# Ignore attempts to read/write sysadmin tty
-dontaudit mdadm_t sysadm_tty_device_t:chr_file rw_file_perms;
-
-# Other random ignores
-dontaudit mdadm_t tmpfs_t:dir r_dir_perms;
-dontaudit mdadm_t initctl_t:fifo_file getattr;
-var_run_domain(mdadm)
-allow mdadm_t var_t:dir { getattr search };
diff --git a/strict/domains/program/modutil.te b/strict/domains/program/modutil.te
deleted file mode 100644
index f69f2bb..0000000
--- a/strict/domains/program/modutil.te
+++ /dev/null
@@ -1,236 +0,0 @@
-#DESC Modutil - Dynamic module utilities
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: modutils
-#
-
-#################################
-#
-# Rules for the module utility domains.
-#
-type modules_dep_t, file_type, sysadmfile;
-type modules_conf_t, file_type, sysadmfile;
-type modules_object_t, file_type, sysadmfile;
-
-
-ifdef(`IS_INITRD', `', `
-#################################
-#
-# Rules for the depmod_t domain.
-#
-type depmod_t, domain;
-role system_r types depmod_t;
-role sysadm_r types depmod_t;
-
-uses_shlib(depmod_t)
-
-r_dir_file(depmod_t, src_t)
-
-type depmod_exec_t, file_type, exec_type, sysadmfile;
-domain_auto_trans(initrc_t, depmod_exec_t, depmod_t)
-allow depmod_t { bin_t sbin_t }:dir search;
-can_exec(depmod_t, depmod_exec_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t)
-')
-
-# Inherit and use descriptors from init and login programs.
-allow depmod_t { init_t privfd }:fd use;
-
-allow depmod_t { etc_t etc_runtime_t }:file { getattr read };
-allow depmod_t { device_t proc_t }:dir search;
-allow depmod_t proc_t:file { getattr read };
-allow depmod_t fs_t:filesystem getattr;
-
-# read system.map
-allow depmod_t boot_t:dir search;
-allow depmod_t boot_t:file { getattr read };
-allow depmod_t system_map_t:file { getattr read };
-
-# Read conf.modules.
-allow depmod_t modules_conf_t:file r_file_perms;
-
-# Create modules.dep.
-file_type_auto_trans(depmod_t, modules_object_t, modules_dep_t, file)
-
-# Read module objects.
-allow depmod_t modules_object_t:dir r_dir_perms;
-allow depmod_t modules_object_t:{ file lnk_file } r_file_perms;
-allow depmod_t modules_object_t:file unlink;
-
-# Access terminals.
-can_access_pty(depmod_t, initrc)
-allow depmod_t { console_device_t admin_tty_type }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
-
-# Read System.map from home directories.
-allow depmod_t { home_root_t staff_home_dir_t sysadm_home_dir_t }:dir r_dir_perms;
-r_dir_file(depmod_t, { staff_home_t sysadm_home_t })
-')dnl end IS_INITRD
-
-#################################
-#
-# Rules for the insmod_t domain.
-#
-
-type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' ), mlsfilewrite, nscd_client_domain
-;
-role system_r types insmod_t;
-role sysadm_r types insmod_t;
-
-ifdef(`unlimitedUtils', `
-unconfined_domain(insmod_t) 
-')
-can_ypbind(insmod_t)
-uses_shlib(insmod_t)
-read_locale(insmod_t)
-
-# for SSP
-allow insmod_t urandom_device_t:chr_file read;
-allow insmod_t lib_t:file { getattr read };
-
-allow insmod_t { bin_t sbin_t }:dir search;
-allow insmod_t { bin_t sbin_t }:lnk_file read;
-
-allow insmod_t self:dir search;
-allow insmod_t self:lnk_file read;
-
-allow insmod_t usr_t:file { getattr read };
-
-allow insmod_t privfd:fd use;
-can_access_pty(insmod_t, initrc)
-allow insmod_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow insmod_t sysadm_gph_t:fd use;')
-
-allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write };
-
-allow insmod_t sound_device_t:chr_file { read ioctl write };
-allow insmod_t zero_device_t:chr_file read;
-allow insmod_t memory_device_t:chr_file rw_file_perms;
-
-# Read module config and dependency information
-allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
-
-# Read module objects.
-r_dir_file(insmod_t, modules_object_t)
-# for locking
-allow insmod_t modules_object_t:file write;
-
-allow insmod_t { var_t var_log_t }:dir search;
-ifdef(`xserver.te', `
-allow insmod_t xserver_log_t:file getattr;
-allow insmod_t xserver_misc_device_t:chr_file { read write };
-')
-rw_dir_create_file(insmod_t, var_log_ksyms_t)
-allow insmod_t { etc_t etc_runtime_t }:file { getattr read };
-
-allow insmod_t self:udp_socket create_socket_perms;
-allow insmod_t self:unix_dgram_socket create_socket_perms;
-allow insmod_t self:unix_stream_socket create_stream_socket_perms;
-allow insmod_t self:rawip_socket create_socket_perms;
-allow insmod_t self:capability { dac_override kill net_raw sys_module sys_tty_config };
-allow insmod_t domain:process signal;
-allow insmod_t self:process { fork signal_perms };
-allow insmod_t device_t:dir search;
-allow insmod_t etc_runtime_t:file { getattr read };
-
-# for loading modules at boot time
-allow insmod_t { init_t initrc_t }:fd use;
-allow insmod_t initrc_t:fifo_file { getattr read write };
-
-allow insmod_t fs_t:filesystem getattr;
-allow insmod_t sysfs_t:dir search;
-allow insmod_t { usbfs_t usbdevfs_t }:dir search;
-allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount;
-r_dir_file(insmod_t, debugfs_t)
-
-# Rules for /proc/sys/kernel/tainted
-read_sysctl(insmod_t)
-allow insmod_t proc_t:dir search;
-allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms };
-
-allow insmod_t proc_t:file rw_file_perms;
-allow insmod_t proc_t:lnk_file read;
-
-# Write to /proc/mtrr.
-allow insmod_t mtrr_device_t:file write;
-
-# Read /proc/sys/kernel/hotplug.
-allow insmod_t sysctl_hotplug_t:file { getattr read };
-
-allow insmod_t device_t:dir read;
-allow insmod_t devpts_t:dir { getattr search };
-
-type insmod_exec_t, file_type, exec_type, sysadmfile;
-domain_auto_trans(privmodule, insmod_exec_t, insmod_t)
-can_exec(insmod_t, { insmod_exec_t shell_exec_t bin_t sbin_t etc_t })
-allow insmod_t devtty_t:chr_file rw_file_perms;
-allow insmod_t privmodule:process sigchld;
-dontaudit sysadm_t self:capability sys_module;
-
-ifdef(`mount.te', `
-# Run mount in the mount_t domain.
-domain_auto_trans(insmod_t, mount_exec_t, mount_t)
-')
-# for when /var is not mounted early in the boot
-dontaudit insmod_t file_t:dir search;
-
-# for nscd
-dontaudit insmod_t var_run_t:dir search;
-
-ifdef(`crond.te', `
-rw_dir_create_file(system_crond_t, var_log_ksyms_t)
-')
-
-ifdef(`IS_INITRD', `', `
-#################################
-#
-# Rules for the update_modules_t domain.
-#
-type update_modules_t, domain, privlog;
-type update_modules_exec_t, file_type, exec_type, sysadmfile;
-
-role system_r types update_modules_t;
-role sysadm_r types update_modules_t;
-
-domain_auto_trans({ initrc_t sysadm_t }, update_modules_exec_t, update_modules_t)
-allow update_modules_t privfd:fd use;
-allow update_modules_t init_t:fd use;
-
-allow update_modules_t device_t:dir { getattr search };
-allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms;
-can_access_pty(update_modules_t, initrc)
-allow update_modules_t admin_tty_type:chr_file rw_file_perms;
-
-can_exec(update_modules_t, insmod_exec_t)
-allow update_modules_t urandom_device_t:chr_file { getattr read };
-
-dontaudit update_modules_t sysadm_home_dir_t:dir search;
-
-uses_shlib(update_modules_t)
-read_locale(update_modules_t)
-allow update_modules_t lib_t:file { getattr read };
-allow update_modules_t self:process { fork sigchld };
-allow update_modules_t self:fifo_file rw_file_perms;
-allow update_modules_t self:file { getattr read };
-allow update_modules_t modules_dep_t:file rw_file_perms;
-file_type_auto_trans(update_modules_t, modules_object_t, modules_conf_t, file)
-domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
-can_exec(update_modules_t, { shell_exec_t bin_t sbin_t update_modules_exec_t etc_t })
-allow update_modules_t { sbin_t bin_t }:lnk_file read;
-allow update_modules_t { sbin_t bin_t }:dir search;
-allow update_modules_t { etc_t etc_runtime_t }:file r_file_perms;
-allow update_modules_t etc_t:lnk_file read;
-allow update_modules_t fs_t:filesystem getattr;
-
-allow update_modules_t proc_t:dir search;
-allow update_modules_t proc_t:file r_file_perms;
-allow update_modules_t { self proc_t }:lnk_file read;
-read_sysctl(update_modules_t)
-allow update_modules_t self:dir search;
-allow update_modules_t self:unix_stream_socket create_socket_perms;
-
-file_type_auto_trans(update_modules_t, etc_t, modules_conf_t, file)
-
-tmp_domain(update_modules)
-')dnl end IS_INITRD
diff --git a/strict/domains/program/mount.te b/strict/domains/program/mount.te
deleted file mode 100644
index e78f7fe..0000000
--- a/strict/domains/program/mount.te
+++ /dev/null
@@ -1,91 +0,0 @@
-#DESC Mount - Filesystem mount utilities
-#
-# Macros for mount
-#
-# Author:  Brian May <bam@snoopy.apana.org.au>
-# X-Debian-Packages: mount
-#
-# based on the work of:
-#          Mark Westerman mark.westerman@csoconline.com
-#
-
-type mount_exec_t, file_type, sysadmfile, exec_type;
-
-mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain, mlsfileread, mlsfilewrite')
-mount_loopback_privs(sysadm, mount)
-role sysadm_r types mount_t;
-role system_r types mount_t;
-
-can_access_pty(mount_t, initrc)
-allow mount_t console_device_t:chr_file { read write };
-
-domain_auto_trans(initrc_t, mount_exec_t, mount_t)
-allow mount_t init_t:fd use;
-allow mount_t privfd:fd use;
-
-allow mount_t self:capability { dac_override ipc_lock sys_tty_config };
-allow mount_t self:process { fork signal_perms };
-
-allow mount_t file_type:dir search;
-
-# Access disk devices.
-allow mount_t fixed_disk_device_t:devfile_class_set rw_file_perms;
-allow mount_t removable_device_t:devfile_class_set rw_file_perms;
-allow mount_t device_t:lnk_file read;
-
-# for when /etc/mtab loses its type
-allow mount_t file_t:file { getattr read unlink };
-
-# Mount, remount and unmount file systems.
-allow mount_t fs_type:filesystem mount_fs_perms;
-allow mount_t mount_point:dir mounton;
-allow mount_t nfs_t:dir search;
-allow mount_t sysctl_t:dir search;
-
-allow mount_t root_t:filesystem unmount;
-
-can_portmap(mount_t)
-
-ifdef(`portmap.te', `
-# for nfs
-can_network(mount_t)
-allow mount_t port_type:tcp_socket name_connect;
-can_ypbind(mount_t)
-allow mount_t port_t:{ tcp_socket udp_socket } name_bind;
-allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
-can_udp_send(mount_t, portmap_t)
-can_udp_send(portmap_t, mount_t)
-allow mount_t rpc_pipefs_t:dir search;
-')
-dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind;
-
-#
-# required for mount.smbfs
-#
-allow mount_t sbin_t:lnk_file { getattr read };
-
-rhgb_domain(mount_t)
-
-# for localization
-allow mount_t lib_t:file { getattr read };
-allow mount_t autofs_t:dir read;
-allow mount_t fs_type:filesystem relabelfrom;
-#
-# This rule needs to be generalized.  Only admin, initrc should have it.
-#
-allow mount_t file_type:filesystem { unmount mount relabelto };
-
-allow mount_t mnt_t:dir getattr;
-dontaudit mount_t kernel_t:fd use;
-allow mount_t userdomain:fd use;
-can_exec(mount_t, { sbin_t bin_t })
-allow mount_t device_t:dir r_dir_perms;
-allow mount_t tmpfs_t:chr_file { read write };
-
-# tries to read /init
-dontaudit mount_t root_t:file { getattr read };
-
-allow kernel_t mount_t:tcp_socket { read write };
-allow mount_t self:capability { setgid setuid };
-allow user_t mount_t:tcp_socket write;
-allow mount_t proc_t:lnk_file read;
diff --git a/strict/domains/program/mozilla.te b/strict/domains/program/mozilla.te
deleted file mode 100644
index f286ea0..0000000
--- a/strict/domains/program/mozilla.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#DESC Netscape - Web browser
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
-# X-Debian-Packages: mozilla
-#
-
-# Type for the netscape, mozilla or other browser executables.
-type mozilla_exec_t, file_type, sysadmfile, exec_type;
-type mozilla_conf_t, file_type, sysadmfile;
-
-# Run in user_t
-bool disable_mozilla_trans false;
-
-# Everything else is in the mozilla_domain macro in
-# macros/program/mozilla_macros.te.
diff --git a/strict/domains/program/mplayer.te b/strict/domains/program/mplayer.te
deleted file mode 100644
index 194c807..0000000
--- a/strict/domains/program/mplayer.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#DESC mplayer - media player 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-# Type for the mplayer executable.
-type mplayer_exec_t, file_type, exec_type, sysadmfile;
-type mencoder_exec_t, file_type, exec_type, sysadmfile;
-type mplayer_etc_t, file_type, sysadmfile;
-
-# Allow mplayer executable stack
-bool allow_mplayer_execstack false;
-
-# Everything else is in the mplayer_domain macro in
-# macros/program/mplayer_macros.te.
diff --git a/strict/domains/program/mrtg.te b/strict/domains/program/mrtg.te
deleted file mode 100644
index e44889d..0000000
--- a/strict/domains/program/mrtg.te
+++ /dev/null
@@ -1,100 +0,0 @@
-#DESC MRTG - Network traffic graphing
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: mrtg
-#
-
-#################################
-#
-# Rules for the mrtg_t domain.
-#
-# mrtg_exec_t is the type of the mrtg executable.
-#
-daemon_base_domain(mrtg)
-
-allow mrtg_t fs_t:filesystem getattr;
-
-ifdef(`crond.te', `
-system_crond_entry(mrtg_exec_t, mrtg_t)
-allow system_crond_t mrtg_log_t:dir rw_dir_perms;
-allow system_crond_t mrtg_log_t:file { create append getattr };
-')
-
-allow mrtg_t usr_t:{ file lnk_file } { getattr read };
-dontaudit mrtg_t usr_t:file ioctl;
-
-logdir_domain(mrtg)
-etcdir_domain(mrtg)
-typealias mrtg_etc_t alias etc_mrtg_t;
-type mrtg_var_lib_t, file_type, sysadmfile;
-typealias mrtg_var_lib_t alias var_lib_mrtg_t;
-type mrtg_lock_t, file_type, sysadmfile, lockfile;
-r_dir_file(mrtg_t, lib_t)
-
-# Use the network.
-can_network_client(mrtg_t)
-allow mrtg_t port_type:tcp_socket name_connect;
-can_ypbind(mrtg_t)
-
-allow mrtg_t self:fifo_file { getattr read write ioctl };
-allow mrtg_t { admin_tty_type devtty_t }:chr_file rw_file_perms;
-allow mrtg_t urandom_device_t:chr_file { getattr read };
-allow mrtg_t self:unix_stream_socket create_socket_perms;
-ifdef(`apache.te', `
-rw_dir_create_file(mrtg_t, httpd_sys_content_t)
-')
-
-can_exec(mrtg_t, { shell_exec_t bin_t sbin_t })
-allow mrtg_t { bin_t sbin_t }:dir { getattr search };
-allow mrtg_t bin_t:lnk_file read;
-allow mrtg_t var_t:dir { getattr search };
-
-ifdef(`snmpd.te', `
-can_udp_send(mrtg_t, snmpd_t)
-can_udp_send(snmpd_t, mrtg_t)
-r_dir_file(mrtg_t, snmpd_var_lib_t)
-')
-
-allow mrtg_t proc_net_t:dir search;
-allow mrtg_t { proc_t proc_net_t }:file { read getattr };
-dontaudit mrtg_t proc_t:file ioctl;
-
-allow mrtg_t { var_lock_t var_lib_t }:dir search;
-rw_dir_create_file(mrtg_t, mrtg_var_lib_t)
-rw_dir_create_file(mrtg_t, mrtg_lock_t)
-ifdef(`distro_redhat', `
-file_type_auto_trans(mrtg_t, mrtg_etc_t, mrtg_lock_t, file)
-')
-
-# read config files
-allow mrtg_t etc_t:file { read getattr };
-dontaudit mrtg_t mrtg_etc_t:dir write;
-dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
-read_locale(mrtg_t)
-
-# for /.autofsck
-dontaudit mrtg_t root_t:file getattr;
-
-dontaudit mrtg_t security_t:dir getattr;
-
-read_sysctl(mrtg_t)
-
-# for uptime
-allow mrtg_t var_run_t:dir search;
-allow mrtg_t initrc_var_run_t:file { getattr read };
-dontaudit mrtg_t initrc_var_run_t:file { write lock };
-allow mrtg_t etc_runtime_t:file { getattr read };
-
-allow mrtg_t tmp_t:dir getattr;
-
-# should not need this!
-dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr };
-dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
-ifdef(`quota.te', `
-dontaudit mrtg_t quota_db_t:file getattr;
-')
-dontaudit mrtg_t root_t:lnk_file getattr;
-
-allow mrtg_t self:capability { setgid setuid };
-ifdef(`hostname.te', `can_exec(mrtg_t, hostname_exec_t)')
-allow mrtg_t var_spool_t:dir search;
diff --git a/strict/domains/program/mta.te b/strict/domains/program/mta.te
deleted file mode 100644
index 89a7bb9..0000000
--- a/strict/domains/program/mta.te
+++ /dev/null
@@ -1,78 +0,0 @@
-#DESC MTA - Mail agents
-#
-# Author: Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: postfix exim sendmail sendmail-wide
-#
-# policy for all mail servers, including allowing user to send mail from the
-# command-line and for cron jobs to use sendmail -t
-
-#
-# sendmail_exec_t is the type of /usr/sbin/sendmail
-#
-# define sendmail_exec_t if sendmail.te does not do it for us
-ifdef(`sendmail.te', `', `
-type sendmail_exec_t, file_type, exec_type, sysadmfile;
-')
-
-# create a system_mail_t domain for daemons, init scripts, etc when they run
-# "mail user@domain"
-mail_domain(system)
-
-ifdef(`targeted_policy', `
-# rules are currently defined in sendmail.te, but it is not included in 
-# targeted policy.  We could move these rules permanantly here.
-ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
-allow system_mail_t self:dir search;
-allow system_mail_t self:lnk_file read;
-r_dir_file(system_mail_t, { proc_t proc_net_t })
-allow system_mail_t fs_t:filesystem getattr;
-allow system_mail_t { var_t var_spool_t }:dir getattr;
-create_dir_file(system_mail_t, mqueue_spool_t)
-create_dir_file(system_mail_t, mail_spool_t)
-allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
-allow system_mail_t etc_mail_t:file { getattr read };
-', `
-ifdef(`sendmail.te', `
-# sendmail has an ugly design, the one process parses input from the user and
-# then does system things with it.
-domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
-', `
-domain_auto_trans(initrc_t, sendmail_exec_t, system_mail_t)
-')
-allow initrc_t sendmail_exec_t:lnk_file { getattr read };
-
-# allow the sysadmin to do "mail someone < /home/user/whatever"
-allow sysadm_mail_t user_home_dir_type:dir search;
-r_dir_file(sysadm_mail_t, user_home_type)
-')
-# for a mail server process that does things in response to a user command
-allow mta_user_agent userdomain:process sigchld;
-allow mta_user_agent { userdomain privfd }:fd use;
-ifdef(`crond.te', `
-allow mta_user_agent crond_t:process sigchld;
-')
-allow mta_user_agent sysadm_t:fifo_file { read write };
-
-allow { system_mail_t mta_user_agent } privmail:fd use;
-allow { system_mail_t mta_user_agent } privmail:process sigchld;
-allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
-allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };
-
-allow mta_delivery_agent home_root_t:dir { getattr search };
-
-# for /var/spool/mail
-ra_dir_create_file(mta_delivery_agent, mail_spool_t)
-
-# for piping mail to a command
-can_exec(mta_delivery_agent, shell_exec_t)
-allow mta_delivery_agent bin_t:dir search;
-allow mta_delivery_agent bin_t:lnk_file read;
-allow mta_delivery_agent devtty_t:chr_file rw_file_perms;
-allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
-
-allow system_mail_t etc_runtime_t:file { getattr read };
-allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read };
-ifdef(`targeted_policy', `
-typealias system_mail_t alias sysadm_mail_t;
-')
-
diff --git a/strict/domains/program/mysqld.te b/strict/domains/program/mysqld.te
deleted file mode 100644
index 2047b44..0000000
--- a/strict/domains/program/mysqld.te
+++ /dev/null
@@ -1,94 +0,0 @@
-#DESC Mysqld - Database server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: mysql-server
-#
-
-#################################
-#
-# Rules for the mysqld_t domain.
-#
-# mysqld_exec_t is the type of the mysqld executable.
-#
-daemon_domain(mysqld, `, nscd_client_domain')
-
-allow mysqld_t mysqld_port_t:tcp_socket { name_bind name_connect };
-
-allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
-
-etcdir_domain(mysqld)
-type mysqld_db_t, file_type, sysadmfile;
-
-log_domain(mysqld)
-
-# for temporary tables
-tmp_domain(mysqld)
-
-allow mysqld_t usr_t:file { getattr read };
-
-allow mysqld_t self:fifo_file { read write };
-allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
-allow initrc_t mysqld_t:unix_stream_socket connectto;
-allow initrc_t mysqld_var_run_t:sock_file write;
-
-allow initrc_t mysqld_log_t:file { write append setattr ioctl };
-
-allow mysqld_t self:capability { dac_override setgid setuid net_bind_service };
-allow mysqld_t self:process { setsched getsched };
-
-allow mysqld_t proc_t:file { getattr read };
-
-# Allow access to the mysqld databases
-create_dir_file(mysqld_t, mysqld_db_t)
-allow mysqld_t var_lib_t:dir { getattr search };
-
-can_network(mysqld_t)
-can_ypbind(mysqld_t)
-
-# read config files
-r_dir_file(initrc_t, mysqld_etc_t)
-allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
-
-allow mysqld_t etc_t:dir search;
-
-read_sysctl(mysqld_t)
-
-can_unix_connect(sysadm_t, mysqld_t)
-
-# for /root/.my.cnf - should not be needed
-allow mysqld_t sysadm_home_dir_t:dir search;
-allow mysqld_t sysadm_home_t:file { read getattr };
-
-ifdef(`logrotate.te', `
-r_dir_file(logrotate_t, mysqld_etc_t)
-allow logrotate_t mysqld_db_t:dir search;
-allow logrotate_t mysqld_var_run_t:dir search;
-allow logrotate_t mysqld_var_run_t:sock_file write;
-can_unix_connect(logrotate_t, mysqld_t)
-')
-
-ifdef(`daemontools.te', `
-domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
-allow svc_start_t mysqld_t:process signal;
-svc_ipc_domain(mysqld_t)
-')dnl end ifdef daemontools
-
-ifdef(`distro_redhat', `
-allow initrc_t mysqld_db_t:dir create_dir_perms;
-
-# because Fedora has the sock_file in the database directory
-file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
-')
-ifdef(`targeted_policy', `', `
-bool allow_user_mysql_connect false;
-
-if (allow_user_mysql_connect) {
-allow userdomain mysqld_var_run_t:dir search;
-allow userdomain mysqld_var_run_t:sock_file write;
-}
-')
-
-allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
-ifdef(`crond.te', `
-allow system_crond_t mysqld_etc_t:file { getattr read };
-')
diff --git a/strict/domains/program/named.te b/strict/domains/program/named.te
deleted file mode 100644
index b3d9508..0000000
--- a/strict/domains/program/named.te
+++ /dev/null
@@ -1,171 +0,0 @@
-#DESC BIND - Name server
-#
-# Authors:  Yuichi Nakamura <ynakam@ori.hitachi-sk.co.jp>,
-#           Russell Coker
-# X-Debian-Packages: bind bind9
-# 
-#
-
-#################################
-#
-# Rules for the named_t domain.
-#
-
-daemon_domain(named, `, nscd_client_domain')
-tmp_domain(named)
-
-type named_checkconf_exec_t, file_type, exec_type, sysadmfile;
-domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t)
-
-# For /var/run/ndc used in BIND 8
-file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)
-
-# ndc_t is the domain for the ndc program
-type ndc_t, domain, privlog, nscd_client_domain;
-role sysadm_r types ndc_t;
-role system_r types ndc_t;
-
-ifdef(`targeted_policy', `
-dontaudit ndc_t root_t:file { getattr read };
-dontaudit ndc_t unlabeled_t:file { getattr read };	
-')
-
-can_exec(named_t, named_exec_t)
-allow named_t sbin_t:dir search;
-
-allow named_t self:process { setsched setcap setrlimit };
-
-# A type for configuration files of named.
-type named_conf_t, file_type, sysadmfile, mount_point;
-
-# for primary zone files
-type named_zone_t, file_type, sysadmfile;
-
-# for secondary zone files
-type named_cache_t, file_type, sysadmfile;
-
-# for DNSSEC key files
-type dnssec_t, file_type, sysadmfile, secure_file_type;
-allow { ndc_t named_t } dnssec_t:file { getattr read };
-
-# Use capabilities. Surplus capabilities may be allowed.
-allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
-
-allow named_t etc_t:file { getattr read };
-allow named_t etc_runtime_t:{ file lnk_file } { getattr read };
-
-#Named can use network
-can_network(named_t)
-allow named_t port_type:tcp_socket name_connect;
-can_ypbind(named_t)
-# allow UDP transfer to/from any program
-can_udp_send(domain, named_t)
-can_udp_send(named_t, domain)
-can_tcp_connect(domain, named_t)
-log_domain(named)
-
-# Bind to the named port.
-allow named_t dns_port_t:udp_socket name_bind;
-allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;
-
-bool named_write_master_zones false;
-
-#read configuration files
-r_dir_file(named_t, named_conf_t)
-
-if (named_write_master_zones) {
-#create and modify zone files
-create_dir_file(named_t, named_zone_t)
-}
-#read zone files
-r_dir_file(named_t, named_zone_t)
-
-#write cache for secondary zones
-rw_dir_create_file(named_t, named_cache_t)
-
-allow named_t self:unix_stream_socket create_stream_socket_perms;
-allow named_t self:unix_dgram_socket create_socket_perms;
-allow named_t self:netlink_route_socket r_netlink_socket_perms;
-
-# Read sysctl kernel variables.
-read_sysctl(named_t)
-
-# Read /proc/cpuinfo and /proc/net
-r_dir_file(named_t, proc_t)
-r_dir_file(named_t, proc_net_t)
-
-# Read /dev/random.
-allow named_t device_t:dir r_dir_perms;
-allow named_t random_device_t:chr_file r_file_perms;
-
-# Use a pipe created by self.
-allow named_t self:fifo_file rw_file_perms;
-
-# Enable named dbus support:
-ifdef(`dbusd.te', `
-dbusd_client(system, named)
-domain_auto_trans(system_dbusd_t, named_exec_t, named_t)
-allow named_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow named_t self:dbus send_msg;
-')
-
-# Set own capabilities.
-#A type for /usr/sbin/ndc
-type ndc_exec_t, file_type,sysadmfile, exec_type;
-domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
-uses_shlib(ndc_t)
-can_network_client_tcp(ndc_t)
-allow ndc_t rndc_port_t:tcp_socket name_connect;
-can_ypbind(ndc_t)
-can_resolve(ndc_t)
-read_locale(ndc_t)
-can_tcp_connect(ndc_t, named_t)
-
-ifdef(`distro_redhat', `
-# for /etc/rndc.key
-allow { ndc_t initrc_t } named_conf_t:dir search;
-# Allow init script to cp localtime to named_conf_t
-allow initrc_t named_conf_t:file { setattr write };
-allow initrc_t named_conf_t:dir create_dir_perms;
-')
-allow { ndc_t initrc_t } named_conf_t:file { getattr read };
-
-allow ndc_t etc_t:dir r_dir_perms;
-allow ndc_t etc_t:file r_file_perms;
-allow ndc_t self:unix_stream_socket create_stream_socket_perms;
-allow ndc_t self:unix_stream_socket connect;
-allow ndc_t self:capability { dac_override net_admin };
-allow ndc_t var_t:dir search;
-allow ndc_t var_run_t:dir search;
-allow ndc_t named_var_run_t:sock_file rw_file_perms;
-allow ndc_t named_t:unix_stream_socket connectto;
-allow ndc_t { privfd init_t }:fd use;
-# seems to need read as well for some reason
-allow ndc_t { admin_tty_type initrc_devpts_t }:chr_file { getattr read write };
-allow ndc_t fs_t:filesystem getattr;
-
-# Read sysctl kernel variables.
-read_sysctl(ndc_t)
-
-allow ndc_t self:process { fork signal_perms };
-allow ndc_t self:fifo_file { read write getattr ioctl };
-allow ndc_t named_zone_t:dir search;
-
-# for chmod in start script
-dontaudit initrc_t named_var_run_t:dir setattr;
-
-# for ndc_t to be used for restart shell scripts
-ifdef(`ndc_shell_script', `
-system_crond_entry(ndc_exec_t, ndc_t)
-allow ndc_t devtty_t:chr_file { read write ioctl };
-allow ndc_t etc_runtime_t:file { getattr read };
-allow ndc_t proc_t:dir search;
-allow ndc_t proc_t:file { getattr read };
-can_exec(ndc_t, { bin_t sbin_t shell_exec_t })
-allow ndc_t named_var_run_t:file getattr;
-allow ndc_t named_zone_t:dir { read getattr };
-allow ndc_t named_zone_t:file getattr;
-dontaudit ndc_t sysadm_home_t:dir { getattr search read };
-')
-allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
-dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };
diff --git a/strict/domains/program/netutils.te b/strict/domains/program/netutils.te
deleted file mode 100644
index 8dcbdf1..0000000
--- a/strict/domains/program/netutils.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#DESC Netutils - Network utilities
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>
-# X-Debian-Packages: netbase iputils arping tcpdump 
-#
-
-#
-# Rules for the netutils_t domain.
-# This domain is for network utilities that require access to
-# special protocol families.
-#
-type netutils_t, domain, privlog;
-type netutils_exec_t, file_type, sysadmfile, exec_type;
-role system_r types netutils_t;
-role sysadm_r types netutils_t;
-
-uses_shlib(netutils_t)
-can_network(netutils_t)
-allow netutils_t port_type:tcp_socket name_connect;
-can_ypbind(netutils_t)
-tmp_domain(netutils)
-
-domain_auto_trans(initrc_t, netutils_exec_t, netutils_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
-')
-
-# Inherit and use descriptors from init.
-allow netutils_t { userdomain init_t }:fd use;
-
-allow netutils_t self:process { fork signal_perms };
-
-# Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { net_admin net_raw setuid setgid };
-
-# Create and use netlink sockets.
-allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
-
-# Create and use packet sockets.
-allow netutils_t self:packet_socket create_socket_perms;
-
-# Create and use UDP sockets.
-allow netutils_t self:udp_socket create_socket_perms;
-
-# Create and use TCP sockets.
-allow netutils_t self:tcp_socket create_socket_perms;
-
-allow netutils_t self:unix_stream_socket create_socket_perms;
-
-# Read certain files in /etc
-allow netutils_t etc_t:file r_file_perms;
-read_locale(netutils_t)
-
-allow netutils_t fs_t:filesystem getattr;
-
-# Access terminals.
-allow netutils_t privfd:fd use;
-can_access_pty(netutils_t, initrc)
-allow netutils_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
-allow netutils_t proc_t:dir search;
-
-# for nscd
-dontaudit netutils_t var_t:dir search;
diff --git a/strict/domains/program/newrole.te b/strict/domains/program/newrole.te
deleted file mode 100644
index 207274d..0000000
--- a/strict/domains/program/newrole.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#DESC Newrole - SELinux utility to run a shell with a new role
-#
-# Authors:  Anthony Colatrella (NSA) 
-# Maintained by Stephen Smalley <sds@epoch.ncsc.mil>
-# X-Debian-Packages: policycoreutils
-#
-
-# secure mode means that newrole/sudo/su/userhelper cannot reach sysadm_t
-bool secure_mode false;
-
-type newrole_exec_t, file_type, exec_type, sysadmfile;
-domain_auto_trans(userdomain, newrole_exec_t, newrole_t)
-
-newrole_domain(newrole)
-
-# Write to utmp.
-allow newrole_t var_run_t:dir r_dir_perms;
-allow newrole_t initrc_var_run_t:file rw_file_perms;
-
-role secadm_r types newrole_t;
-
-ifdef(`targeted_policy', `
-typeattribute newrole_t unconfinedtrans;
-')
diff --git a/strict/domains/program/nscd.te b/strict/domains/program/nscd.te
deleted file mode 100644
index 8e899c7..0000000
--- a/strict/domains/program/nscd.te
+++ /dev/null
@@ -1,79 +0,0 @@
-#DESC NSCD - Name service cache daemon cache lookup of user-name
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: nscd
-#
-define(`nscd_socket_domain', `
-can_unix_connect($1, nscd_t)
-allow $1 nscd_var_run_t:sock_file rw_file_perms;
-allow $1 { var_run_t var_t }:dir search;
-allow $1 nscd_t:nscd { getpwd getgrp gethost };
-dontaudit $1 nscd_t:fd use;
-dontaudit $1 nscd_var_run_t:dir { search getattr };
-dontaudit $1 nscd_var_run_t:file { getattr read };
-dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
-')
-#################################
-#
-# Rules for the nscd_t domain.
-#
-# nscd is both the client program and the daemon.
-daemon_domain(nscd, `, userspace_objmgr')
-
-allow nscd_t etc_t:file r_file_perms;
-allow nscd_t etc_t:lnk_file read;
-can_network_client(nscd_t)
-allow nscd_t port_type:tcp_socket name_connect;
-can_ypbind(nscd_t)
-
-file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
-
-allow nscd_t self:unix_stream_socket create_stream_socket_perms;
-
-nscd_socket_domain(nscd_client_domain)
-nscd_socket_domain(daemon)
-
-# Clients that are allowed to map the database via a fd obtained from nscd.
-nscd_socket_domain(nscd_shmem_domain)
-allow nscd_shmem_domain nscd_var_run_t:dir r_dir_perms;
-allow nscd_shmem_domain nscd_t:nscd { shmempwd shmemgrp shmemhost };
-# Receive fd from nscd and map the backing file with read access.
-allow nscd_shmem_domain nscd_t:fd use;
-
-# For client program operation, invoked from sysadm_t.
-# Transition occurs to nscd_t due to direct_sysadm_daemon. 
-allow nscd_t self:nscd { admin getstat };
-allow nscd_t admin_tty_type:chr_file rw_file_perms;
-
-read_sysctl(nscd_t)
-allow nscd_t self:process { getattr setsched };
-allow nscd_t self:unix_dgram_socket create_socket_perms;
-allow nscd_t self:fifo_file { read write };
-allow nscd_t self:capability { kill setgid setuid net_bind_service };
-
-# for when /etc/passwd has just been updated and has the wrong type
-allow nscd_t shadow_t:file getattr;
-
-dontaudit nscd_t sysadm_home_dir_t:dir search;
-
-ifdef(`winbind.te', `
-#
-# Handle winbind for samba, Might only be needed for targeted policy
-#
-allow nscd_t winbind_var_run_t:sock_file { read write getattr };
-can_unix_connect(nscd_t, winbind_t)
-allow nscd_t samba_var_t:dir search;
-allow nscd_t winbind_var_run_t:dir { getattr search };
-')
-
-r_dir_file(nscd_t, selinux_config_t)
-can_getsecurity(nscd_t)
-allow nscd_t self:netlink_selinux_socket create_socket_perms;
-allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
-allow nscd_t tmp_t:dir { search getattr };
-allow nscd_t tmp_t:lnk_file read;
-allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
-log_domain(nscd)
-r_dir_file(nscd_t, cert_t)
-allow nscd_t tun_tap_device_t:chr_file { read write };
-allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --git a/strict/domains/program/ntpd.te b/strict/domains/program/ntpd.te
deleted file mode 100644
index 9916a6a..0000000
--- a/strict/domains/program/ntpd.te
+++ /dev/null
@@ -1,88 +0,0 @@
-#DESC NTPD - Time synchronisation daemon
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: ntp ntp-simple
-#
-
-#################################
-#
-# Rules for the ntpd_t domain.
-#
-daemon_domain(ntpd, `, nscd_client_domain')
-type ntp_drift_t, file_type, sysadmfile;
-
-type ntpdate_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
-
-logdir_domain(ntpd)
-
-allow ntpd_t var_lib_t:dir r_dir_perms;
-allow ntpd_t usr_t:file r_file_perms;
-# reading  /usr/share/ssl/cert.pem requires
-allow ntpd_t usr_t:lnk_file read;
-allow ntpd_t ntp_drift_t:dir rw_dir_perms;
-allow ntpd_t ntp_drift_t:file create_file_perms;
-
-# for SSP
-allow ntpd_t urandom_device_t:chr_file { getattr read };
-
-# sys_resource and setrlimit is for locking memory
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot sys_nice sys_resource };
-dontaudit ntpd_t self:capability { fsetid net_admin };
-allow ntpd_t self:process { setcap setsched setrlimit };
-# ntpdate wants sys_nice
-
-# for some reason it creates a file in /tmp
-tmp_domain(ntpd)
-
-allow ntpd_t etc_t:dir r_dir_perms;
-allow ntpd_t etc_t:file { read getattr };
-
-# Use the network.
-can_network(ntpd_t)
-allow ntpd_t ntp_port_t:tcp_socket name_connect;
-can_ypbind(ntpd_t)
-allow ntpd_t ntp_port_t:udp_socket name_bind;
-allow sysadm_t ntp_port_t:udp_socket name_bind;
-allow ntpd_t self:unix_dgram_socket create_socket_perms;
-allow ntpd_t self:unix_stream_socket create_socket_perms;
-allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
-
-# so the start script can change firewall entries
-allow initrc_t net_conf_t:file { getattr read ioctl };
-
-# for cron jobs
-# system_crond_t is not right, cron is not doing what it should
-ifdef(`crond.te', `
-system_crond_entry(ntpdate_exec_t, ntpd_t)
-')
-
-can_exec(ntpd_t, initrc_exec_t)
-allow ntpd_t self:fifo_file { read write getattr };
-allow ntpd_t etc_runtime_t:file r_file_perms;
-can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })
-allow ntpd_t { sbin_t bin_t }:dir search;
-allow ntpd_t bin_t:lnk_file read;
-read_sysctl(ntpd_t);
-allow ntpd_t proc_t:file r_file_perms;
-allow ntpd_t sysadm_home_dir_t:dir r_dir_perms;
-allow ntpd_t self:file { getattr read };
-dontaudit ntpd_t domain:dir search;
-ifdef(`logrotate.te', `
-can_exec(ntpd_t, logrotate_exec_t)
-')
-
-allow ntpd_t devtty_t:chr_file rw_file_perms;
-
-can_udp_send(ntpd_t, sysadm_t)
-can_udp_send(sysadm_t, ntpd_t)
-can_udp_send(ntpd_t, ntpd_t)
-ifdef(`firstboot.te', `
-dontaudit ntpd_t firstboot_t:fd use;
-')
-ifdef(`winbind.te', `
-allow ntpd_t winbind_var_run_t:dir r_dir_perms;
-allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
-')
-# For clock devices like wwvb1
-allow ntpd_t device_t:lnk_file read;
diff --git a/strict/domains/program/openct.te b/strict/domains/program/openct.te
deleted file mode 100644
index 244fc2f..0000000
--- a/strict/domains/program/openct.te
+++ /dev/null
@@ -1,16 +0,0 @@
-#DESC openct - read files in page cache 
-#
-# Author: Dan Walsh (dwalsh@redhat.com)
-#
-
-#################################
-#
-# Declarations for openct
-#
-
-daemon_domain(openct)
-#
-# openct asks for these
-#
-rw_dir_file(openct_t, usbfs_t)
-allow openct_t etc_t:file r_file_perms;
diff --git a/strict/domains/program/orbit.te b/strict/domains/program/orbit.te
deleted file mode 100644
index dad353b..0000000
--- a/strict/domains/program/orbit.te
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# ORBit related types 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-# Look in orbit_macros.te
diff --git a/strict/domains/program/pam.te b/strict/domains/program/pam.te
deleted file mode 100644
index 2d71222..0000000
--- a/strict/domains/program/pam.te
+++ /dev/null
@@ -1,45 +0,0 @@
-#DESC Pam - PAM 
-# X-Debian-Packages:
-#
-# /sbin/pam_timestamp_check
-type pam_exec_t, file_type, exec_type, sysadmfile;
-type pam_t, domain, privlog, nscd_client_domain;
-general_domain_access(pam_t);
-
-type pam_var_run_t, file_type, sysadmfile;
-allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
-allow pam_t pam_var_run_t:file { getattr read unlink };
-
-role system_r types pam_t;
-in_user_role(pam_t)
-domain_auto_trans(userdomain, pam_exec_t, pam_t)
-
-uses_shlib(pam_t)
-# Read the devpts root directory.
-allow pam_t devpts_t:dir r_dir_perms;
-
-# Access terminals.
-allow pam_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
-
-allow pam_t proc_t:dir search;
-allow pam_t proc_t:{ lnk_file file } { getattr read };
-
-# Read the /etc/nsswitch file
-allow pam_t etc_t:file r_file_perms;
-
-# Read /var/run.
-allow pam_t { var_t var_run_t }:dir r_dir_perms;
-tmp_domain(pam)
-
-allow pam_t local_login_t:fd use;
-dontaudit pam_t self:capability sys_tty_config;
-
-allow initrc_t pam_var_run_t:dir rw_dir_perms;
-allow initrc_t pam_var_run_t:file { getattr read unlink };
-dontaudit pam_t initrc_var_run_t:file rw_file_perms;
-
-# Supress xdm denial
-ifdef(`xdm.te', `
-dontaudit pam_t xdm_t:fd use;
-') dnl ifdef
diff --git a/strict/domains/program/pamconsole.te b/strict/domains/program/pamconsole.te
deleted file mode 100644
index 11c1994..0000000
--- a/strict/domains/program/pamconsole.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#DESC Pamconsole - PAM console
-# X-Debian-Packages:
-#
-# pam_console_apply
-
-daemon_base_domain(pam_console, `, nscd_client_domain, mlsfileread')
-
-type pam_var_console_t, file_type, sysadmfile;
-
-allow pam_console_t etc_t:file { getattr read ioctl };
-allow pam_console_t self:unix_stream_socket create_stream_socket_perms;
-
-# Read /etc/mtab
-allow pam_console_t etc_runtime_t:file { read getattr };
-
-# Read /proc/meminfo
-allow pam_console_t proc_t:file { read getattr };
-
-allow pam_console_t self:capability { chown fowner fsetid };
-
-# Allow access to /dev/console through the fd:
-allow pam_console_t console_device_t:chr_file { read write setattr };
-allow pam_console_t { kernel_t init_t }:fd use;
-
-# for /var/run/console.lock checking
-allow pam_console_t { var_t var_run_t }:dir search;
-r_dir_file(pam_console_t, pam_var_console_t)
-dontaudit pam_console_t pam_var_console_t:file write;
-
-# Allow to set attributes on /dev entries
-allow pam_console_t device_t:dir { getattr read };
-allow pam_console_t device_t:lnk_file { getattr read };
-# mouse_device_t is for joy sticks
-allow pam_console_t { xserver_misc_device_t framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
-allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr };
-
-allow pam_console_t mnt_t:dir r_dir_perms;
-
-ifdef(`gpm.te', `
-allow pam_console_t gpmctl_t:sock_file { getattr setattr };
-')
-ifdef(`hotplug.te', `
-dontaudit pam_console_t hotplug_etc_t:dir search;
-allow pam_console_t hotplug_t:fd use;
-')
-ifdef(`xdm.te', `
-allow pam_console_t xdm_var_run_t:file { getattr read };
-')
-allow initrc_t pam_var_console_t:dir rw_dir_perms;
-allow initrc_t pam_var_console_t:file unlink;
-allow pam_console_t file_context_t:file { getattr read };
-nsswitch_domain(pam_console_t)
diff --git a/strict/domains/program/passwd.te b/strict/domains/program/passwd.te
deleted file mode 100644
index 30d7f86..0000000
--- a/strict/domains/program/passwd.te
+++ /dev/null
@@ -1,156 +0,0 @@
-#DESC Passwd - Password utilities
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: passwd
-#
-
-#################################
-#
-# Rules for the passwd_t domain.
-#
-define(`base_passwd_domain', `
-type $1_t, domain, privlog, $2;
-
-# for SSP
-allow $1_t urandom_device_t:chr_file read;
-
-allow $1_t self:process setrlimit;
-
-general_domain_access($1_t);
-uses_shlib($1_t);
-
-# Inherit and use descriptors from login.
-allow $1_t privfd:fd use;
-ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
-
-read_locale($1_t)
-
-allow $1_t fs_t:filesystem getattr;
-
-# allow checking if a shell is executable
-allow $1_t shell_exec_t:file execute;
-
-# Obtain contexts
-can_getsecurity($1_t)
-
-allow $1_t etc_t:file create_file_perms;
-
-# read /etc/mtab
-allow $1_t etc_runtime_t:file { getattr read };
-
-# Allow etc_t symlinks for /etc/alternatives on Debian.
-allow $1_t etc_t:lnk_file read;
-
-# Use capabilities.
-allow $1_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
-
-# Access terminals.
-allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms;
-allow $1_t devtty_t:chr_file rw_file_perms;
-
-dontaudit $1_t devpts_t:dir getattr;
-
-# /usr/bin/passwd asks for w access to utmp, but it will operate
-# correctly without it.  Do not audit write denials to utmp.
-dontaudit $1_t initrc_var_run_t:file { read write };
-
-# user generally runs this from their home directory, so do not audit a search
-# on user home dir
-dontaudit $1_t { user_home_dir_type user_home_type }:dir search;
-
-# When the wrong current passwd is entered, passwd, for some reason, 
-# attempts to access /proc and /dev, but handles failure appropriately. So
-# do not audit those denials.
-dontaudit $1_t { proc_t device_t }:dir { search read };
-
-allow $1_t device_t:dir getattr;
-read_sysctl($1_t)
-')
-
-#################################
-#
-# Rules for the passwd_t domain.
-#
-define(`passwd_domain', `
-base_passwd_domain($1, `auth_write, privowner')
-# Update /etc/shadow and /etc/passwd
-file_type_auto_trans($1_t, etc_t, shadow_t, file)
-allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
-can_setfscreate($1_t)
-')
-
-passwd_domain(passwd)
-passwd_domain(sysadm_passwd)
-base_passwd_domain(chfn, `auth_chkpwd, etc_writer, privowner')
-can_setfscreate(chfn_t)
-
-# can exec /sbin/unix_chkpwd
-allow chfn_t { bin_t sbin_t }:dir search;
-
-# uses unix_chkpwd for checking passwords
-dontaudit chfn_t shadow_t:file read;
-allow chfn_t etc_t:dir rw_dir_perms;
-allow chfn_t etc_t:file create_file_perms;
-allow chfn_t proc_t:file { getattr read };
-allow chfn_t self:file write;
-
-in_user_role(passwd_t)
-in_user_role(chfn_t)
-role sysadm_r types passwd_t;
-role sysadm_r types sysadm_passwd_t;
-role sysadm_r types chfn_t;
-role system_r types passwd_t;
-role system_r types chfn_t;
-
-type admin_passwd_exec_t, file_type, sysadmfile;
-type passwd_exec_t, file_type, sysadmfile, exec_type;
-type chfn_exec_t, file_type, sysadmfile, exec_type;
-
-domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, passwd_exec_t, passwd_t)
-domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t)
-domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
-
-dontaudit chfn_t var_t:dir search;
-
-ifdef(`crack.te', `
-allow passwd_t var_t:dir search;
-dontaudit passwd_t var_run_t:dir search;
-allow passwd_t crack_db_t:dir r_dir_perms;
-allow passwd_t crack_db_t:file r_file_perms;
-', `
-dontaudit passwd_t var_t:dir search;
-')
-
-# allow vipw to exec the editor
-allow sysadm_passwd_t { root_t bin_t sbin_t }:dir search;
-allow sysadm_passwd_t bin_t:lnk_file read;
-can_exec(sysadm_passwd_t, { shell_exec_t bin_t })
-r_dir_file(sysadm_passwd_t, usr_t)
-
-# allow vipw to create temporary files under /var/tmp/vi.recover
-allow sysadm_passwd_t var_t:dir search;
-tmp_domain(sysadm_passwd)
-# for vipw - vi looks in the root home directory for config
-dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };
-# for /etc/alternatives/vi
-allow sysadm_passwd_t etc_t:lnk_file read;
-
-# for nscd lookups
-dontaudit sysadm_passwd_t var_run_t:dir search;
-
-# for /proc/meminfo
-allow sysadm_passwd_t proc_t:file { getattr read };
-
-dontaudit { chfn_t passwd_t sysadm_passwd_t } selinux_config_t:dir search;
-dontaudit sysadm_passwd_t devpts_t:dir search;
-
-# make sure that getcon succeeds
-allow passwd_t userdomain:dir search;
-allow passwd_t userdomain:file { getattr read };
-allow passwd_t userdomain:process getattr;
-
-allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-ifdef(`targeted_policy', `
-role system_r types sysadm_passwd_t;
-')
diff --git a/strict/domains/program/pegasus.te b/strict/domains/program/pegasus.te
deleted file mode 100644
index e2b557e..0000000
--- a/strict/domains/program/pegasus.te
+++ /dev/null
@@ -1,37 +0,0 @@
-#DESC pegasus - The Open Group Pegasus CIM/WBEM Server 
-#
-# Author:  Jason Vas Dias <jvdias@redhat.com>
-# Package: tog-pegasus
-# 
-#################################
-#
-# Rules for the pegasus domain
-#
-daemon_domain(pegasus, `, nscd_client_domain, auth')
-type pegasus_data_t, file_type, sysadmfile;
-type pegasus_conf_t, file_type, sysadmfile;
-type pegasus_mof_t, file_type, sysadmfile;
-type pegasus_conf_exec_t, file_type, exec_type, sysadmfile;
-allow pegasus_t self:capability { dac_override net_bind_service audit_write }; 
-can_network_tcp(pegasus_t);
-nsswitch_domain(pegasus_t);
-allow pegasus_t pegasus_var_run_t:sock_file { create setattr };
-allow pegasus_t self:unix_dgram_socket create_socket_perms;
-allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
-allow pegasus_t self:file { read getattr };
-allow pegasus_t self:fifo_file rw_file_perms;
-allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow pegasus_t { pegasus_http_port_t pegasus_https_port_t }:tcp_socket { name_bind name_connect };
-allow pegasus_t proc_t:file { getattr read };
-allow pegasus_t sysctl_vm_t:dir search;
-allow pegasus_t initrc_var_run_t:file { read write lock };
-allow pegasus_t urandom_device_t:chr_file { getattr read };
-r_dir_file(pegasus_t, etc_t)
-r_dir_file(pegasus_t, var_lib_t)
-r_dir_file(pegasus_t, pegasus_mof_t)
-rw_dir_create_file(pegasus_t, pegasus_conf_t)
-rw_dir_create_file(pegasus_t, pegasus_data_t)
-rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t)
-allow pegasus_t shadow_t:file { getattr read };
-dontaudit pegasus_t selinux_config_t:dir search;
-
diff --git a/strict/domains/program/ping.te b/strict/domains/program/ping.te
deleted file mode 100644
index 6461c51..0000000
--- a/strict/domains/program/ping.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#DESC Ping - Send ICMP messages to network hosts
-#
-# Author:  David A. Wheeler <dwheeler@ida.org>
-# X-Debian-Packages: iputils-ping netkit-ping iputils-arping arping hping2
-#
-
-#################################
-#
-# Rules for the ping_t domain.
-#
-# ping_t is the domain for the ping program.
-# ping_exec_t is the type of the corresponding program.
-#
-type ping_t, domain, privlog, nscd_client_domain;
-role sysadm_r types ping_t;
-role system_r types ping_t;
-in_user_role(ping_t)
-type ping_exec_t, file_type, sysadmfile, exec_type;
-
-ifdef(`targeted_policy', `
-	allow ping_t { devpts_t ttyfile ptyfile }:chr_file rw_file_perms;
-', `
-bool user_ping false;
-
-if (user_ping) {
-	domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
-	# allow access to the terminal
-	allow ping_t { ttyfile ptyfile }:chr_file rw_file_perms;
-	ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
-}
-')
-
-# Transition into this domain when you run this program.
-domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
-domain_auto_trans(initrc_t, ping_exec_t, ping_t)
-
-uses_shlib(ping_t)
-can_network_client(ping_t)
-can_resolve(ping_t)
-allow ping_t dns_port_t:tcp_socket name_connect;
-can_ypbind(ping_t)
-allow ping_t etc_t:file { getattr read };
-allow ping_t self:unix_stream_socket create_socket_perms;
-
-# Let ping create raw ICMP packets.
-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
-
-# Use capabilities.
-allow ping_t self:capability { net_raw setuid };
-
-# Access the terminal.
-allow ping_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
-allow ping_t privfd:fd use;
-dontaudit ping_t fs_t:filesystem getattr;
-
-# it tries to access /var/run
-dontaudit ping_t var_t:dir search;
-dontaudit ping_t devtty_t:chr_file { read write };
-dontaudit ping_t self:capability sys_tty_config;
-ifdef(`hide_broken_symptoms', `
-dontaudit ping_t init_t:fd use;
-')
-
diff --git a/strict/domains/program/portmap.te b/strict/domains/program/portmap.te
deleted file mode 100644
index 54cad6f..0000000
--- a/strict/domains/program/portmap.te
+++ /dev/null
@@ -1,71 +0,0 @@
-#DESC Portmap - Maintain RPC program number map
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: portmap
-#
-
-
-
-#################################
-#
-# Rules for the portmap_t domain.
-#
-daemon_domain(portmap, `, nscd_client_domain')
-
-can_network(portmap_t)
-allow portmap_t port_type:tcp_socket name_connect;
-can_ypbind(portmap_t)
-allow portmap_t self:unix_dgram_socket create_socket_perms;
-allow portmap_t self:unix_stream_socket create_stream_socket_perms;
-
-tmp_domain(portmap)
-
-allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind;
-
-# portmap binds to arbitary ports
-allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
-allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-
-allow portmap_t etc_t:file { getattr read };
-
-# Send to ypbind, initrc, rpc.statd, xinetd.
-ifdef(`ypbind.te',
-`can_udp_send(portmap_t, ypbind_t)')
-can_udp_send(portmap_t, { initrc_t init_t })
-can_udp_send(init_t, portmap_t)
-ifdef(`rpcd.te',
-`can_udp_send(portmap_t, rpcd_t)')
-ifdef(`inetd.te',
-`can_udp_send(portmap_t, inetd_t)')
-ifdef(`lpd.te',
-`can_udp_send(portmap_t, lpd_t)')
-ifdef(`tcpd.te', `
-can_udp_send(tcpd_t, portmap_t)
-')
-can_udp_send(portmap_t, kernel_t)
-can_udp_send(kernel_t, portmap_t)
-can_udp_send(sysadm_t, portmap_t)
-can_udp_send(portmap_t, sysadm_t)
-
-# Use capabilities
-allow portmap_t self:capability { net_bind_service setuid setgid };
-allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
-
-application_domain(portmap_helper)
-role system_r types portmap_helper_t;
-domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
-dontaudit portmap_helper_t self:capability { net_admin };
-allow portmap_helper_t self:capability { net_bind_service };
-allow portmap_helper_t initrc_var_run_t:file rw_file_perms;
-file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)
-allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
-can_network(portmap_helper_t)
-allow portmap_helper_t port_type:tcp_socket name_connect;
-can_ypbind(portmap_helper_t)
-dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
-allow portmap_helper_t etc_t:file { getattr read };
-dontaudit portmap_helper_t { userdomain privfd }:fd use;
-allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
-dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
diff --git a/strict/domains/program/postfix.te b/strict/domains/program/postfix.te
deleted file mode 100644
index 5d24e5f..0000000
--- a/strict/domains/program/postfix.te
+++ /dev/null
@@ -1,356 +0,0 @@
-#DESC Postfix - Mail server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: postfix
-# Depends: mta.te
-#
-
-# Type for files created during execution of postfix.
-type postfix_var_run_t, file_type, sysadmfile, pidfile;
-
-type postfix_etc_t, file_type, sysadmfile;
-type postfix_exec_t, file_type, sysadmfile, exec_type;
-type postfix_public_t, file_type, sysadmfile;
-type postfix_private_t, file_type, sysadmfile;
-type postfix_spool_t, file_type, sysadmfile;
-type postfix_spool_maildrop_t, file_type, sysadmfile;
-type postfix_spool_flush_t, file_type, sysadmfile;
-type postfix_prng_t, file_type, sysadmfile;
-
-# postfix needs this for newaliases
-allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
-
-#################################
-#
-# Rules for the postfix_$1_t domain.
-#
-# postfix_$1_exec_t is the type of the postfix_$1 executables.
-#
-define(`postfix_domain', `
-daemon_core_rules(postfix_$1, `$2')
-allow postfix_$1_t self:process setpgid;
-allow postfix_$1_t postfix_master_t:process sigchld;
-allow postfix_master_t postfix_$1_t:process signal;
-
-allow postfix_$1_t { etc_t postfix_etc_t postfix_spool_t }:dir r_dir_perms;
-allow postfix_$1_t postfix_etc_t:file r_file_perms;
-read_locale(postfix_$1_t)
-allow postfix_$1_t etc_t:file { getattr read };
-allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
-allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
-allow postfix_$1_t self:unix_stream_socket connectto;
-
-allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms;
-allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read };
-allow postfix_$1_t shell_exec_t:file rx_file_perms;
-allow postfix_$1_t { var_t var_spool_t }:dir { search getattr };
-allow postfix_$1_t postfix_exec_t:file rx_file_perms;
-allow postfix_$1_t devtty_t:chr_file rw_file_perms;
-allow postfix_$1_t etc_runtime_t:file r_file_perms;
-allow postfix_$1_t proc_t:dir r_dir_perms;
-allow postfix_$1_t proc_t:file r_file_perms;
-allow postfix_$1_t postfix_exec_t:dir r_dir_perms;
-allow postfix_$1_t fs_t:filesystem getattr;
-allow postfix_$1_t proc_net_t:dir search;
-allow postfix_$1_t proc_net_t:file { getattr read };
-can_exec(postfix_$1_t, postfix_$1_exec_t)
-r_dir_file(postfix_$1_t, cert_t)
-allow postfix_$1_t { urandom_device_t random_device_t }:chr_file { read getattr };
-
-allow postfix_$1_t tmp_t:dir getattr;
-
-file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t, file)
-
-read_sysctl(postfix_$1_t)
-
-')dnl end postfix_domain
-
-ifdef(`crond.te',
-`allow system_mail_t crond_t:tcp_socket { read write create };')
-
-postfix_domain(master, `, mail_server_domain')
-rhgb_domain(postfix_master_t)
-
-# for a find command
-dontaudit postfix_master_t security_t:dir search;
-
-read_sysctl(postfix_master_t)
-
-domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
-allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh };
-
-ifdef(`direct_sysadm_daemon', `
-
-domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t)
-allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh };
-role_transition sysadm_r postfix_master_exec_t system_r;
-allow postfix_master_t postfix_etc_t:file rw_file_perms;
-dontaudit postfix_master_t admin_tty_type:chr_file { read write };
-allow postfix_master_t devpts_t:dir search;
-
-domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t)
-allow system_mail_t sysadm_t:process sigchld;
-allow system_mail_t privfd:fd use;
-
-')dnl end direct_sysadm_daemon
-
-allow postfix_master_t privfd:fd use;
-ifdef(`newrole.te', `allow postfix_master_t newrole_t:process sigchld;')
-allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms;
-
-# postfix does a "find" on startup for some reason - keep it quiet
-dontaudit postfix_master_t selinux_config_t:dir search;
-can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
-ifdef(`distro_redhat', `
-# compatability for old default main.cf
-file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t)
-# for newer main.cf that uses /etc/aliases
-file_type_auto_trans(postfix_master_t, etc_t, etc_aliases_t)
-')
-file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
-allow postfix_master_t sendmail_exec_t:file r_file_perms;
-allow postfix_master_t sbin_t:lnk_file { getattr read };
-ifdef(`pppd.te', `
-domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t)
-')
-can_exec(postfix_master_t, { ls_exec_t sbin_t })
-allow postfix_master_t self:fifo_file rw_file_perms;
-allow postfix_master_t usr_t:file r_file_perms;
-can_exec(postfix_master_t, { shell_exec_t bin_t postfix_exec_t })
-# chown is to set the correct ownership of queue dirs
-allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
-allow postfix_master_t postfix_public_t:fifo_file create_file_perms;
-allow postfix_master_t postfix_public_t:sock_file create_file_perms;
-allow postfix_master_t postfix_public_t:dir rw_dir_perms;
-allow postfix_master_t postfix_private_t:dir rw_dir_perms;
-allow postfix_master_t postfix_private_t:sock_file create_file_perms;
-allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
-can_network(postfix_master_t)
-allow postfix_master_t port_type:tcp_socket name_connect;
-can_ypbind(postfix_master_t)
-allow postfix_master_t { amavisd_send_port_t smtp_port_t }:tcp_socket name_bind;
-allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
-allow postfix_master_t postfix_prng_t:file getattr;
-allow postfix_master_t privfd:fd use;
-allow postfix_master_t etc_aliases_t:file rw_file_perms;
-
-ifdef(`saslauthd.te',`
-allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr };
-allow postfix_smtpd_t saslauthd_var_run_t:sock_file { read write };
-can_unix_connect(postfix_smtpd_t,saslauthd_t)
-')
-
-create_dir_file(postfix_master_t, postfix_spool_flush_t)
-allow postfix_master_t postfix_prng_t:file rw_file_perms;
-# for ls to get the current context
-allow postfix_master_t self:file { getattr read };
-
-# allow access to deferred queue and allow removing bogus incoming entries
-allow postfix_master_t postfix_spool_t:dir create_dir_perms;
-allow postfix_master_t postfix_spool_t:file create_file_perms;
-
-dontaudit postfix_master_t man_t:dir search;
-
-define(`postfix_server_domain', `
-postfix_domain($1, `$2')
-domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
-allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
-allow postfix_$1_t self:capability { setuid setgid dac_override };
-can_network_client(postfix_$1_t)
-allow postfix_$1_t port_type:tcp_socket name_connect;
-can_ypbind(postfix_$1_t)
-')
-
-postfix_server_domain(smtp, `, mail_server_sender')
-allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
-allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
-allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
-allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
-# if you have two different mail servers on the same host let them talk via
-# SMTP, also if one mail server wants to talk to itself then allow it and let
-# the SMTP protocol sort it out (SE Linux is not to prevent mail server
-# misconfiguration)
-can_tcp_connect(postfix_smtp_t, mail_server_domain)
-
-postfix_server_domain(smtpd)
-allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
-allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
-allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
-allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
-# for OpenSSL certificates
-r_dir_file(postfix_smtpd_t,usr_t)
-allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
-allow postfix_smtpd_t self:file { getattr read };
-
-# for prng_exch
-allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
-allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
-
-postfix_server_domain(local, `, mta_delivery_agent')
-ifdef(`procmail.te', `
-domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t)
-# for a bug in the postfix local program
-dontaudit procmail_t postfix_local_t:tcp_socket { read write };
-dontaudit procmail_t postfix_master_t:fd use;
-')
-allow postfix_local_t etc_aliases_t:file r_file_perms;
-allow postfix_local_t self:fifo_file rw_file_perms;
-allow postfix_local_t self:process { setsched setrlimit };
-allow postfix_local_t postfix_spool_t:file rw_file_perms;
-# for .forward - maybe we need a new type for it?
-allow postfix_local_t postfix_private_t:dir search;
-allow postfix_local_t postfix_private_t:sock_file rw_file_perms;
-allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_local_t postfix_public_t:dir search;
-allow postfix_local_t postfix_public_t:sock_file write;
-can_exec(postfix_local_t, shell_exec_t)
-
-define(`postfix_public_domain',`
-postfix_server_domain($1)
-allow postfix_$1_t postfix_public_t:dir search;
-')
-
-postfix_public_domain(cleanup)
-create_dir_file(postfix_cleanup_t, postfix_spool_t)
-allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_cleanup_t postfix_public_t:sock_file { getattr write };
-allow postfix_cleanup_t postfix_private_t:dir search;
-allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;
-allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
-allow postfix_cleanup_t self:process setrlimit;
-
-allow user_mail_domain postfix_spool_t:dir r_dir_perms;
-allow user_mail_domain postfix_etc_t:dir r_dir_perms;
-allow { user_mail_domain initrc_t } postfix_etc_t:file r_file_perms;
-allow user_mail_domain self:capability dac_override;
-
-define(`postfix_user_domain', `
-postfix_domain($1, `$2')
-domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t)
-in_user_role(postfix_$1_t)
-role sysadm_r types postfix_$1_t;
-allow postfix_$1_t userdomain:process sigchld;
-allow postfix_$1_t userdomain:fifo_file { write getattr };
-allow postfix_$1_t { userdomain privfd }:fd use;
-allow postfix_$1_t self:capability dac_override;
-')
-
-postfix_user_domain(postqueue)
-allow postfix_postqueue_t postfix_public_t:dir search;
-allow postfix_postqueue_t postfix_public_t:fifo_file getattr;
-allow postfix_postqueue_t self:udp_socket { create ioctl };
-allow postfix_postqueue_t self:tcp_socket create;
-allow postfix_master_t postfix_postqueue_exec_t:file getattr;
-domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
-allow postfix_postqueue_t initrc_t:process sigchld;
-allow postfix_postqueue_t initrc_t:fd use;
-
-# to write the mailq output, it really should not need read access!
-allow postfix_postqueue_t { ptyfile ttyfile }:chr_file { read write getattr };
-ifdef(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;')
-
-# wants to write to /var/spool/postfix/public/showq
-allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;
-allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;
-# write to /var/spool/postfix/public/qmgr
-allow postfix_postqueue_t postfix_public_t:fifo_file write;
-dontaudit postfix_postqueue_t net_conf_t:file r_file_perms;
-
-postfix_user_domain(showq)
-# the following auto_trans is usually in postfix server domain
-domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
-can_resolve(postfix_showq_t)
-r_dir_file(postfix_showq_t, postfix_spool_maildrop_t)
-domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
-allow postfix_showq_t self:capability { setuid setgid };
-allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
-allow postfix_showq_t postfix_spool_t:file r_file_perms;
-allow postfix_showq_t self:tcp_socket create_socket_perms;
-allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write };
-dontaudit postfix_showq_t net_conf_t:file r_file_perms;
-
-postfix_user_domain(postdrop, `, mta_user_agent')
-allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
-allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms;
-allow postfix_postdrop_t postfix_public_t:dir search;
-allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
-dontaudit postfix_postdrop_t { ptyfile ttyfile }:chr_file { read write };
-dontaudit postfix_postdrop_t net_conf_t:file r_file_perms;
-allow postfix_master_t postfix_postdrop_exec_t:file getattr;
-ifdef(`crond.te',
-`allow postfix_postdrop_t { crond_t system_crond_t }:fd use;
-allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;')
-# usually it does not need a UDP socket
-allow postfix_postdrop_t self:udp_socket create_socket_perms;
-allow postfix_postdrop_t self:tcp_socket create;
-allow postfix_postdrop_t self:capability sys_resource;
-
-postfix_public_domain(pickup)
-allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
-allow postfix_pickup_t postfix_private_t:dir search;
-allow postfix_pickup_t postfix_private_t:sock_file write;
-allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
-allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
-allow postfix_pickup_t self:tcp_socket create_socket_perms;
-
-postfix_public_domain(qmgr)
-allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_qmgr_t postfix_public_t:sock_file write;
-allow postfix_qmgr_t postfix_private_t:dir search;
-allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
-allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
-
-# for /var/spool/postfix/active
-create_dir_file(postfix_qmgr_t, postfix_spool_t)
-
-postfix_public_domain(bounce)
-type postfix_spool_bounce_t, file_type, sysadmfile;
-create_dir_file(postfix_bounce_t, postfix_spool_bounce_t)
-create_dir_file(postfix_bounce_t, postfix_spool_t)
-allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms;
-allow postfix_master_t postfix_spool_bounce_t:file getattr;
-allow postfix_bounce_t self:capability dac_read_search;
-allow postfix_bounce_t postfix_public_t:sock_file write;
-allow postfix_bounce_t self:tcp_socket create_socket_perms;
-
-r_dir_file(postfix_qmgr_t, postfix_spool_bounce_t)
-
-postfix_public_domain(pipe)
-allow postfix_pipe_t postfix_spool_t:dir search;
-allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
-allow postfix_pipe_t self:fifo_file { read write };
-allow postfix_pipe_t postfix_private_t:dir search;
-allow postfix_pipe_t postfix_private_t:sock_file write;
-ifdef(`procmail.te', `
-domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
-')
-ifdef(`sendmail.te', `
-r_dir_file(sendmail_t, postfix_etc_t)
-allow sendmail_t postfix_spool_t:dir search;
-')
-
-# Program for creating database files
-application_domain(postfix_map)
-base_file_read_access(postfix_map_t)
-allow postfix_map_t { etc_t etc_runtime_t }:{ file lnk_file } { getattr read };
-tmp_domain(postfix_map)
-create_dir_file(postfix_map_t, postfix_etc_t)
-allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
-dontaudit postfix_map_t proc_t:dir { getattr read search };
-dontaudit postfix_map_t local_login_t:fd use;
-allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
-read_locale(postfix_map_t)
-allow postfix_map_t self:capability setgid;
-allow postfix_map_t self:unix_dgram_socket create_socket_perms;
-dontaudit postfix_map_t var_t:dir search;
-can_network_server(postfix_map_t)
-allow postfix_map_t port_type:tcp_socket name_connect;
-allow postfix_local_t mail_spool_t:dir { remove_name };
-allow postfix_local_t mail_spool_t:file { unlink };
-can_exec(postfix_local_t, bin_t)
diff --git a/strict/domains/program/postgresql.te b/strict/domains/program/postgresql.te
deleted file mode 100644
index a86d9d4..0000000
--- a/strict/domains/program/postgresql.te
+++ /dev/null
@@ -1,138 +0,0 @@
-#DESC Postgresql - Database server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: postgresql
-#
-
-#################################
-#
-# Rules for the postgresql_t domain.
-#
-# postgresql_exec_t is the type of the postgresql executable.
-#
-daemon_domain(postgresql)
-allow initrc_t postgresql_exec_t:lnk_file read;
-allow postgresql_t usr_t:file { getattr read };
-
-allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
-
-ifdef(`distro_debian', `
-can_exec(postgresql_t, initrc_exec_t)
-# gross hack
-domain_auto_trans(dpkg_t, postgresql_exec_t, postgresql_t)
-can_exec(postgresql_t, dpkg_exec_t)
-')
-
-dontaudit postgresql_t sysadm_home_dir_t:dir search;
-
-# quiet ps and killall
-dontaudit postgresql_t domain:dir { getattr search };
-
-# for currect directory of scripts
-allow postgresql_t { var_spool_t cron_spool_t }:dir search;
-
-# capability kill is for shutdown script
-allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config };
-dontaudit postgresql_t self:capability sys_admin;
-
-etcdir_domain(postgresql)
-type postgresql_db_t, file_type, sysadmfile;
-
-logdir_domain(postgresql)
-
-ifdef(`crond.te', `
-# allow crond to find /usr/lib/postgresql/bin/do.maintenance
-allow crond_t postgresql_db_t:dir search;
-system_crond_entry(postgresql_exec_t, postgresql_t)
-')
-
-tmp_domain(postgresql, `', `{ dir file sock_file }')
-file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
-
-# Use the network.
-can_network(postgresql_t)
-can_ypbind(postgresql_t)
-allow postgresql_t self:fifo_file { getattr read write ioctl };
-allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
-can_unix_connect(postgresql_t, self)
-allow postgresql_t self:unix_dgram_socket create_socket_perms;
-
-allow postgresql_t self:shm create_shm_perms;
-
-ifdef(`targeted_policy', `', `
-bool allow_user_postgresql_connect false;
-
-if (allow_user_postgresql_connect) {
-# allow any user domain to connect to the database server
-can_tcp_connect(userdomain, postgresql_t)
-allow userdomain postgresql_t:unix_stream_socket connectto;
-allow userdomain postgresql_var_run_t:sock_file write;
-allow userdomain postgresql_tmp_t:sock_file write;
-}
-')
-ifdef(`consoletype.te', `
-can_exec(postgresql_t, consoletype_exec_t)
-')
-
-ifdef(`hostname.te', `
-can_exec(postgresql_t, hostname_exec_t)
-')
-
-allow postgresql_t postgresql_port_t:tcp_socket name_bind;
-allow postgresql_t auth_port_t:tcp_socket name_connect;
-
-allow postgresql_t { proc_t self }:file { getattr read };
-
-# Allow access to the postgresql databases
-create_dir_file(postgresql_t, postgresql_db_t)
-file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t)
-allow postgresql_t var_lib_t:dir { getattr search };
-
-# because postgresql start scripts are broken and put the pid file in the DB
-# directory
-rw_dir_file(initrc_t, postgresql_db_t)
-
-# read config files
-allow postgresql_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
-r_dir_file(initrc_t, postgresql_etc_t)
-
-allow postgresql_t etc_t:dir rw_dir_perms;
-
-read_sysctl(postgresql_t)
-
-allow postgresql_t devtty_t:chr_file { read write };
-allow postgresql_t devpts_t:dir search;
-
-allow postgresql_t { bin_t sbin_t }:dir search;
-allow postgresql_t { bin_t sbin_t }:lnk_file { getattr read };
-allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
-
-allow postgresql_t self:sem create_sem_perms;
-
-allow postgresql_t initrc_var_run_t:file { getattr read lock };
-dontaudit postgresql_t selinux_config_t:dir search;
-allow postgresql_t mail_spool_t:dir search;
-lock_domain(postgresql)
-can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
-ifdef(`apache.te', `
-# 
-# Allow httpd to work with postgresql
-#
-allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;
-can_unix_connect(httpd_t, postgresql_t)
-')
-
-ifdef(`distro_gentoo', `
-# "su - postgres ..." is called from initrc_t
-allow initrc_su_t postgresql_db_t:dir search;
-allow postgresql_t initrc_su_t:process sigchld;
-dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
-')
-
-dontaudit postgresql_t home_root_t:dir search;
-can_kerberos(postgresql_t)
-allow postgresql_t urandom_device_t:chr_file { getattr read };
-
-if (allow_execmem) {
-allow postgresql_t self:process execmem;
-}
diff --git a/strict/domains/program/pppd.te b/strict/domains/program/pppd.te
deleted file mode 100644
index 8499da7..0000000
--- a/strict/domains/program/pppd.te
+++ /dev/null
@@ -1,148 +0,0 @@
-#DESC PPPD - PPP daemon
-#
-# Author:  Russell Coker
-# X-Debian-Packages: ppp
-#
-
-#################################
-#
-# Rules for the pppd_t domain, et al.
-#
-# pppd_t is the domain for the pppd program.
-# pppd_exec_t is the type of the pppd executable.
-# pppd_secret_t is the type of the pap and chap password files
-#
-bool pppd_for_user false;
-
-daemon_domain(pppd, `, privmail, privsysmod, nscd_client_domain')
-type pppd_secret_t, file_type, sysadmfile;
-
-# Define a separate type for /etc/ppp
-etcdir_domain(pppd)
-# Define a separate type for writable files under /etc/ppp
-type pppd_etc_rw_t, file_type, sysadmfile;
-# Automatically label newly created files under /etc/ppp with this type
-file_type_auto_trans(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
-
-# for SSP
-allow pppd_t urandom_device_t:chr_file read;
-
-allow pppd_t sysfs_t:dir search;
-
-log_domain(pppd)
-
-# Use the network.
-can_network_server(pppd_t)
-can_ypbind(pppd_t)
-
-# Use capabilities.
-allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override sys_module };
-lock_domain(pppd)
-
-# Access secret files
-allow pppd_t pppd_secret_t:file r_file_perms;
-
-ifdef(`postfix.te', `
-allow pppd_t postfix_etc_t:dir search;
-allow pppd_t postfix_etc_t:file r_file_perms;
-allow pppd_t postfix_master_exec_t:file { getattr read };
-allow postfix_postqueue_t pppd_t:fd use;
-allow postfix_postqueue_t pppd_t:process sigchld;
-')
-
-# allow running ip-up and ip-down scripts and running chat.
-can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
-allow pppd_t { bin_t sbin_t }:dir search;
-allow pppd_t { sbin_t bin_t }:lnk_file read;
-allow ifconfig_t pppd_t:fd use;
-
-# Access /dev/ppp.
-allow pppd_t ppp_device_t:chr_file rw_file_perms;
-allow pppd_t devtty_t:chr_file { read write };
-
-allow pppd_t self:unix_dgram_socket create_socket_perms;
-allow pppd_t self:unix_stream_socket create_socket_perms;
-
-allow pppd_t proc_t:dir search;
-allow pppd_t proc_t:{ file lnk_file } r_file_perms;
-allow pppd_t proc_net_t:dir { read search };
-allow pppd_t proc_net_t:file r_file_perms;
-
-allow pppd_t etc_runtime_t:file r_file_perms;
-
-allow pppd_t self:socket create_socket_perms;
-
-allow pppd_t tty_device_t:chr_file { setattr rw_file_perms };
-
-allow pppd_t devpts_t:dir search;
-
-# for scripts
-allow pppd_t self:fifo_file rw_file_perms;
-allow pppd_t etc_t:lnk_file read;
-
-# for ~/.ppprc - if it actually exists then you need some policy to read it
-allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
-
-in_user_role(pppd_t)
-if (pppd_for_user)  {
-# Run pppd in pppd_t by default for user
-domain_auto_trans(unpriv_userdomain, pppd_exec_t, pppd_t)
-allow unpriv_userdomain pppd_t:process signal;
-}
-
-# for pppoe
-can_create_pty(pppd)
-allow pppd_t self:file { read getattr };
-
-allow pppd_t self:packet_socket create_socket_perms;
-
-file_type_auto_trans(pppd_t, etc_t, net_conf_t, file)
-tmp_domain(pppd)
-allow pppd_t sysctl_net_t:dir search;
-allow pppd_t sysctl_net_t:file r_file_perms;
-allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
-allow pppd_t initrc_var_run_t:file r_file_perms;
-dontaudit pppd_t initrc_var_run_t:file { lock write };
-
-# pppd needs to load kernel modules for certain modems
-bool pppd_can_insmod false;
-if (pppd_can_insmod) {
-ifdef(`modutil.te', `
-domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
-')
-}
-
-daemon_domain(pptp, `, nscd_client_domain')
-can_network_client_tcp(pptp_t)
-allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
-can_exec(pptp_t, hostname_exec_t)
-domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
-allow pptp_t self:rawip_socket create_socket_perms;
-allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow pptp_t self:unix_dgram_socket create_socket_perms;
-can_exec(pptp_t, pppd_etc_rw_t)
-allow pptp_t devpts_t:chr_file ioctl;
-r_dir_file(pptp_t, pppd_etc_rw_t)
-r_dir_file(pptp_t, pppd_etc_t)
-allow pptp_t devpts_t:dir search;
-allow pppd_t devpts_t:chr_file ioctl;
-allow pppd_t pptp_t:process signal;
-allow pptp_t self:capability net_raw;
-allow pptp_t self:fifo_file { read write };
-allow pptp_t ptmx_t:chr_file rw_file_perms;
-log_domain(pptp)
-
-# Fix sockets
-allow pptp_t pptp_var_run_t:sock_file create_file_perms;
-
-# Allow pptp to append to pppd log files
-allow pptp_t pppd_log_t:file append;
-
-ifdef(`named.te', `
-dontaudit ndc_t pppd_t:fd use;
-')
-
-# Allow /etc/ppp/ip-{up,down} to run most anything
-type pppd_script_exec_t, file_type, sysadmfile;
-domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
-allow pppd_t initrc_t:process noatsecure;
diff --git a/strict/domains/program/prelink.te b/strict/domains/program/prelink.te
deleted file mode 100644
index 3ffa0d7..0000000
--- a/strict/domains/program/prelink.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#DESC PRELINK - Security Enhanced version of the GNU Prelink
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the prelink_t domain.
-#
-# prelink_exec_t is the type of the prelink executable.
-#
-daemon_base_domain(prelink, `, admin, privowner')
-
-allow prelink_t self:process { execheap execmem execstack };
-allow prelink_t texrel_shlib_t:file execmod;
-allow prelink_t fs_t:filesystem getattr;
-
-ifdef(`crond.te', `
-system_crond_entry(prelink_exec_t, prelink_t)
-allow system_crond_t prelink_log_t:dir rw_dir_perms;
-allow system_crond_t prelink_log_t:file create_file_perms;
-allow system_crond_t prelink_cache_t:file { getattr read unlink };
-allow prelink_t crond_log_t:file append;
-')
-
-logdir_domain(prelink)
-type etc_prelink_t, file_type, sysadmfile;
-type var_lock_prelink_t, file_type, sysadmfile, lockfile;
-
-allow prelink_t etc_prelink_t:file { getattr read };
-allow prelink_t file_type:dir rw_dir_perms;
-allow prelink_t file_type:lnk_file r_file_perms;
-allow prelink_t file_type:file getattr;
-allow prelink_t { ifdef(`amanda.te', `amanda_usr_lib_t') admin_passwd_exec_t ifdef(`apache.te', `httpd_modules_t') ifdef(`xserver.te', `xkb_var_lib_t') ld_so_t su_exec_t texrel_shlib_t shlib_t sbin_t bin_t lib_t exec_type }:file { create_file_perms execute relabelto relabelfrom };
-allow prelink_t ld_so_t:file execute_no_trans;
-
-allow prelink_t self:capability { chown dac_override fowner fsetid };
-allow prelink_t self:fifo_file rw_file_perms;
-allow prelink_t self:file { getattr read };
-dontaudit prelink_t sysctl_kernel_t:dir search;
-dontaudit prelink_t sysctl_t:dir search;
-allow prelink_t etc_runtime_t:file { getattr read };
-read_locale(prelink_t)
-allow prelink_t urandom_device_t:chr_file read;
-allow prelink_t proc_t:file { getattr read };
-#
-# prelink_cache_t is the type of /etc/prelink.cache.
-#
-type prelink_cache_t, file_type, sysadmfile;
-file_type_auto_trans(prelink_t, etc_t, prelink_cache_t, file)
diff --git a/strict/domains/program/privoxy.te b/strict/domains/program/privoxy.te
deleted file mode 100644
index b8a522d..0000000
--- a/strict/domains/program/privoxy.te
+++ /dev/null
@@ -1,27 +0,0 @@
-#DESC privoxy - privacy enhancing proxy
-#
-# Authors: Dan Walsh <dwalsh@redhat.com>
-#
-#
-
-#################################
-#
-# Rules for the privoxy_t domain.
-#
-daemon_domain(privoxy, `, web_client_domain')
-
-logdir_domain(privoxy)
-
-# Use capabilities.
-allow privoxy_t self:capability net_bind_service;
-
-# Use the network.
-can_network_tcp(privoxy_t)
-can_ypbind(privoxy_t)
-can_resolve(privoxy_t)
-allow privoxy_t http_cache_port_t:tcp_socket name_bind;
-allow privoxy_t etc_t:file { getattr read };
-allow privoxy_t self:capability { setgid setuid };
-allow privoxy_t self:unix_stream_socket create_socket_perms ;
-allow privoxy_t admin_tty_type:chr_file { read write };
-
diff --git a/strict/domains/program/procmail.te b/strict/domains/program/procmail.te
deleted file mode 100644
index fbf044d..0000000
--- a/strict/domains/program/procmail.te
+++ /dev/null
@@ -1,89 +0,0 @@
-#DESC Procmail - Mail delivery agent for mail servers
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: procmail
-#
-
-#################################
-#
-# Rules for the procmail_t domain.
-#
-# procmail_exec_t is the type of the procmail executable.
-#
-# privhome only works until we define a different type for maildir
-type procmail_t, domain, privlog, privhome, nscd_client_domain;
-type procmail_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types procmail_t;
-
-uses_shlib(procmail_t)
-allow procmail_t device_t:dir search;
-can_network_server(procmail_t)
-nsswitch_domain(procmail_t)
-
-allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
-
-allow procmail_t etc_t:dir r_dir_perms;
-allow procmail_t { etc_t etc_runtime_t }:file { getattr read };
-allow procmail_t etc_t:lnk_file read;
-read_locale(procmail_t)
-read_sysctl(procmail_t)
-
-allow procmail_t sysctl_t:dir search;
-
-allow procmail_t self:process { setsched fork sigchld signal };
-dontaudit procmail_t sbin_t:dir { getattr search };
-can_exec(procmail_t, { bin_t shell_exec_t })
-allow procmail_t bin_t:dir { getattr search };
-allow procmail_t bin_t:lnk_file read;
-allow procmail_t self:fifo_file rw_file_perms;
-
-allow procmail_t self:unix_stream_socket create_socket_perms;
-allow procmail_t self:unix_dgram_socket create_socket_perms;
-
-# for /var/mail
-rw_dir_create_file(procmail_t, mail_spool_t)
-
-allow procmail_t var_t:dir { getattr search };
-allow procmail_t var_spool_t:dir r_dir_perms;
-
-allow procmail_t fs_t:filesystem getattr;
-allow procmail_t { self proc_t }:dir search;
-allow procmail_t proc_t:file { getattr read };
-allow procmail_t { self proc_t }:lnk_file read;
-
-# for if /var/mail is a symlink to /var/spool/mail
-#allow procmail_t mail_spool_t:lnk_file r_file_perms;
-
-# for spamassasin
-allow procmail_t usr_t:file { getattr ioctl read };
-ifdef(`spamassassin.te', `
-can_exec(procmail_t, spamassassin_exec_t)
-can_resolve(procmail_t)
-allow procmail_t port_t:udp_socket name_bind;
-allow procmail_t tmp_t:dir getattr;
-')
-ifdef(`targeted_policy', `
-can_resolve(procmail_t)
-allow procmail_t port_t:udp_socket name_bind;
-allow procmail_t tmp_t:dir getattr;
-')
-
-# Search /var/run.
-allow procmail_t var_run_t:dir { getattr search };
-
-# Do not audit attempts to access /root.
-dontaudit procmail_t sysadm_home_dir_t:dir { getattr search };
-
-allow procmail_t devtty_t:chr_file { read write };
-
-allow procmail_t urandom_device_t:chr_file { getattr read };
-
-ifdef(`sendmail.te', `
-r_dir_file(procmail_t, etc_mail_t)
-allow procmail_t sendmail_t:tcp_socket { read write };
-')
-
-ifdef(`hide_broken_symptoms', `
-dontaudit procmail_t mqueue_spool_t:file { getattr read write };
-')
diff --git a/strict/domains/program/quota.te b/strict/domains/program/quota.te
deleted file mode 100644
index 7374053..0000000
--- a/strict/domains/program/quota.te
+++ /dev/null
@@ -1,59 +0,0 @@
-#DESC Quota - File system quota management utilities
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: quota quotatool
-#
-
-#################################
-#
-# Rules for the quota_t domain.
-#
-# needs auth attribute because it has read access to shadow_t because checkquota
-# is buggy
-daemon_base_domain(quota, `, auth, fs_domain')
-
-# so the administrator can run quotacheck
-domain_auto_trans(sysadm_t, quota_exec_t, quota_t)
-role sysadm_r types quota_t;
-allow quota_t admin_tty_type:chr_file { read write };
-
-type quota_flag_t, file_type, sysadmfile;
-type quota_db_t, file_type, sysadmfile;
-
-rw_dir_create_file(initrc_t, quota_flag_t)
-
-allow quota_t fs_t:filesystem { getattr quotaget quotamod remount };
-# quotacheck creates new quota_db_t files
-file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file)
-# for some reason it wants dac_override not dac_read_search
-allow quota_t self:capability { sys_admin dac_override };
-allow quota_t file_type:{ fifo_file sock_file } getattr;
-allow quota_t file_t:file quotaon;
-
-# for quotacheck
-allow quota_t file_type:dir r_dir_perms;
-# The following line is apparently necessary, although read and
-# ioctl seem to be more than should be required.
-allow quota_t file_type:file { getattr read ioctl };
-allow quota_t file_type:{ fifo_file sock_file } getattr;
-allow quota_t file_type:lnk_file { read getattr };
-allow quota_t device_type:{ chr_file blk_file } getattr;
-
-allow quota_t fixed_disk_device_t:blk_file { getattr read };
-
-# for /quota.*
-allow quota_t quota_db_t:file { read write };
-dontaudit unpriv_userdomain quota_db_t:file getattr;
-allow quota_t quota_db_t:file quotaon;
-
-# Read /etc/mtab.
-allow quota_t etc_runtime_t:file { read getattr };
-
-allow quota_t device_t:dir r_dir_perms;
-allow quota_t fixed_disk_device_t:blk_file getattr;
-allow quota_t boot_t:dir r_dir_perms;
-allow quota_t sysctl_t:dir { getattr search };
-
-allow quota_t initrc_devpts_t:chr_file rw_file_perms;
-
-allow quota_t proc_t:file getattr;
diff --git a/strict/domains/program/radius.te b/strict/domains/program/radius.te
deleted file mode 100644
index 5d02923..0000000
--- a/strict/domains/program/radius.te
+++ /dev/null
@@ -1,66 +0,0 @@
-#DESC RADIUS - Radius server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: radiusd-cistron radiusd-livingston xtradius yardradius radiusd-freeradius
-#
-
-#################################
-#
-# Rules for the radiusd_t domain.
-#
-# radiusd_exec_t is the type of the radiusd executable.
-#
-daemon_domain(radiusd, `, auth')
-
-etcdir_domain(radiusd)
-
-system_crond_entry(radiusd_exec_t, radiusd_t)
-
-allow radiusd_t self:process setsched;
-
-allow radiusd_t proc_t:file { read getattr };
-
-dontaudit radiusd_t sysadm_home_dir_t:dir getattr;
-
-# allow pthreads to read kernel version
-read_sysctl(radiusd_t)
-
-# read config files
-allow radiusd_t etc_t:dir r_dir_perms;
-allow radiusd_t { etc_t etc_runtime_t }:file { read getattr };
-allow radiusd_t etc_t:lnk_file read;
-
-# write log files
-logdir_domain(radiusd)
-allow radiusd_t radiusd_log_t:dir create;
-
-allow radiusd_t usr_t:file r_file_perms;
-
-can_exec(radiusd_t, lib_t)
-can_exec(radiusd_t, { bin_t shell_exec_t })
-allow radiusd_t { bin_t sbin_t }:dir search;
-allow radiusd_t bin_t:lnk_file read;
-
-allow radiusd_t devtty_t:chr_file { read write };
-allow radiusd_t self:fifo_file rw_file_perms;
-# fsetid is for gzip which needs it when run from scripts
-# gzip also needs chown access to preserve GID for radwtmp files
-allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
-
-can_network_server(radiusd_t)
-can_ypbind(radiusd_t)
-allow radiusd_t { radius_port_t radacct_port_t }:udp_socket name_bind;
-
-# for RADIUS proxy port
-allow radiusd_t port_t:udp_socket name_bind;
-
-ifdef(`snmpd.te', `
-can_tcp_connect(radiusd_t, snmpd_t)
-')
-ifdef(`logrotate.te', `
-can_exec(radiusd_t, logrotate_exec_t)
-')
-can_udp_send(sysadm_t, radiusd_t)
-can_udp_send(radiusd_t, sysadm_t)
-
-allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/strict/domains/program/radvd.te b/strict/domains/program/radvd.te
deleted file mode 100644
index 868ef8b..0000000
--- a/strict/domains/program/radvd.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC Radv - IPv6 route advisory daemon
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: radvd
-#
-
-#################################
-#
-# Rules for the radvd_t domain.
-#
-daemon_domain(radvd)
-
-etc_domain(radvd)
-allow radvd_t etc_t:file { getattr read };
-
-allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;
-
-allow radvd_t self:capability { setgid setuid net_raw };
-allow radvd_t self:{ unix_dgram_socket rawip_socket } create;
-allow radvd_t self:unix_stream_socket create_socket_perms;
-
-can_network_server(radvd_t)
-can_ypbind(radvd_t)
-
-allow radvd_t { proc_t proc_net_t }:dir r_dir_perms;
-allow radvd_t { proc_t proc_net_t }:file { getattr read };
-allow radvd_t etc_t:lnk_file read;
-
-allow radvd_t sysctl_net_t:file r_file_perms;
-allow radvd_t sysctl_net_t:dir r_dir_perms;
diff --git a/strict/domains/program/rdisc.te b/strict/domains/program/rdisc.te
deleted file mode 100644
index 79331fa..0000000
--- a/strict/domains/program/rdisc.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC rdisc - network router discovery daemon
-#
-# Author:  Russell Coker <russell@coker.com.au>
-
-daemon_base_domain(rdisc)
-allow rdisc_t self:unix_stream_socket create_stream_socket_perms;
-allow rdisc_t self:rawip_socket create_socket_perms;
-allow rdisc_t self:udp_socket create_socket_perms;
-allow rdisc_t self:capability net_raw;
-
-can_network_udp(rdisc_t)
-
-allow rdisc_t etc_t:file { getattr read };
diff --git a/strict/domains/program/readahead.te b/strict/domains/program/readahead.te
deleted file mode 100644
index dde8e37..0000000
--- a/strict/domains/program/readahead.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#DESC readahead - read files in page cache 
-#
-# Author: Dan Walsh (dwalsh@redhat.com)
-#
-
-#################################
-#
-# Declarations for readahead
-#
-
-daemon_domain(readahead)
-#
-# readahead asks for these
-#
-allow readahead_t { file_type -secure_file_type }:{ file lnk_file } { getattr read };
-allow readahead_t { file_type -secure_file_type }:dir r_dir_perms;
-dontaudit readahead_t shadow_t:file { getattr read };
-allow readahead_t { device_t device_type }:{ lnk_file chr_file blk_file } getattr;
-dontaudit readahead_t file_type:sock_file getattr;
-allow readahead_t proc_t:file { getattr read };
-dontaudit readahead_t device_type:blk_file read;
diff --git a/strict/domains/program/restorecon.te b/strict/domains/program/restorecon.te
deleted file mode 100644
index 52fff2f..0000000
--- a/strict/domains/program/restorecon.te
+++ /dev/null
@@ -1,66 +0,0 @@
-#DESC restorecon - Restore or check the context of a file
-#
-# Authors:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: policycoreutils
-#
-
-#################################
-#
-# Rules for the restorecon_t domain.
-#
-# restorecon_exec_t is the type of the restorecon executable.
-#
-# needs auth_write attribute because it has relabelfrom/relabelto
-# access to shadow_t
-type restorecon_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
-type restorecon_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types restorecon_t;
-role sysadm_r types restorecon_t;
-role secadm_r types restorecon_t;
-
-can_access_pty(restorecon_t, initrc)
-allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };
-
-domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
-allow restorecon_t { userdomain init_t privfd }:fd use;
-
-uses_shlib(restorecon_t)
-allow restorecon_t self:capability { dac_override dac_read_search fowner };
-
-# for upgrading glibc and other shared objects - without this the upgrade
-# scripts will put things in a state such that restorecon can not be run!
-allow restorecon_t lib_t:file { read execute };
-
-# Get security policy decisions.
-can_getsecurity(restorecon_t)
-
-r_dir_file(restorecon_t, policy_config_t)
-
-allow restorecon_t file_type:dir r_dir_perms;
-allow restorecon_t file_type:{ dir file lnk_file sock_file fifo_file } { getattr relabelfrom relabelto };
-allow restorecon_t unlabeled_t:dir_file_class_set { getattr relabelfrom };
-allow restorecon_t unlabeled_t:dir read;
-allow restorecon_t { device_t device_type }:{ chr_file blk_file } { getattr relabelfrom relabelto };
-ifdef(`distro_redhat', `
-allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
-')
-ifdef(`dpkg.te', `
-domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
-')
-
-allow restorecon_t ptyfile:chr_file getattr;
-
-allow restorecon_t fs_t:filesystem getattr;
-
-allow restorecon_t etc_runtime_t:file { getattr read };
-allow restorecon_t etc_t:file { getattr read };
-allow restorecon_t proc_t:file { getattr read };
-dontaudit restorecon_t proc_t:lnk_file { getattr read };
-
-allow restorecon_t device_t:file { read write };
-allow restorecon_t kernel_t:fd use;
-allow restorecon_t kernel_t:fifo_file { read write };
-allow restorecon_t kernel_t:unix_dgram_socket { read write };
-r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
-allow restorecon_t autofs_t:dir search;
diff --git a/strict/domains/program/rhgb.te b/strict/domains/program/rhgb.te
deleted file mode 100644
index 5d176e9..0000000
--- a/strict/domains/program/rhgb.te
+++ /dev/null
@@ -1,100 +0,0 @@
-#DESC rhgb - Red Hat Graphical Boot
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# Depends: xdm.te gnome-pty-helper.te xserver.te
-
-daemon_base_domain(rhgb)
-
-allow rhgb_t { bin_t sbin_t }:dir search;
-allow rhgb_t bin_t:lnk_file read;
-
-domain_auto_trans(rhgb_t, shell_exec_t, initrc_t)
-domain_auto_trans(rhgb_t, xserver_exec_t, xdm_xserver_t)
-can_exec(rhgb_t, { bin_t sbin_t gph_exec_t })
-
-allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
-allow rhgb_t self:fifo_file rw_file_perms;
-
-# for gnome-pty-helper
-gph_domain(rhgb, system)
-allow initrc_t rhgb_gph_t:fd use;
-
-allow rhgb_t proc_t:file { getattr read };
-
-allow rhgb_t devtty_t:chr_file { read write };
-allow rhgb_t tty_device_t:chr_file rw_file_perms;
-
-read_locale(rhgb_t)
-allow rhgb_t { etc_t etc_runtime_t }:file { getattr read };
-
-# for ramfs file systems
-allow rhgb_t ramfs_t:dir { setattr rw_dir_perms };
-allow rhgb_t ramfs_t:sock_file create_file_perms;
-allow rhgb_t ramfs_t:{ file fifo_file } create_file_perms;
-allow insmod_t ramfs_t:file write;
-allow insmod_t rhgb_t:fd use;
-
-allow rhgb_t ramfs_t:filesystem { mount unmount };
-allow rhgb_t mnt_t:dir { search mounton };
-allow rhgb_t self:capability { sys_admin sys_tty_config };
-dontaudit rhgb_t var_run_t:dir search;
-
-can_network_client(rhgb_t)
-allow rhgb_t port_type:tcp_socket name_connect;
-can_ypbind(rhgb_t)
-
-allow rhgb_t usr_t:{ file lnk_file } { getattr read };
-
-# for running setxkbmap
-r_dir_file(rhgb_t, xkb_var_lib_t)
-
-# for localization
-allow rhgb_t lib_t:file { getattr read };
-
-allow rhgb_t initctl_t:fifo_file write;
-
-ifdef(`hide_broken_symptoms', `
-# it should not do this
-dontaudit rhgb_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
-')dnl end hide_broken_symptoms
-
-can_create_pty(rhgb)
-
-allow rhgb_t self:shm create_shm_perms;
-allow xdm_xserver_t rhgb_t:shm rw_shm_perms;
-
-can_unix_connect(initrc_t, rhgb_t)
-tmpfs_domain(rhgb)
-allow xdm_xserver_t rhgb_tmpfs_t:file { read write };
-
-read_fonts(rhgb_t)
-
-# for nscd
-dontaudit rhgb_t var_t:dir search;
-
-ifdef(`hide_broken_symptoms', `
-# for a bug in the X server
-dontaudit insmod_t xdm_xserver_t:tcp_socket { read write };
-dontaudit insmod_t serial_device:chr_file { read write };
-dontaudit mount_t rhgb_gph_t:fd use;
-dontaudit mount_t rhgb_t:unix_stream_socket { read write };
-dontaudit mount_t ptmx_t:chr_file { read write };
-')dnl end hide_broken_symptoms
-
-ifdef(`firstboot.te', `
-allow rhgb_t firstboot_rw_t:file r_file_perms;
-')
-allow rhgb_t tmp_t:dir search;
-allow rhgb_t xdm_xserver_t:process sigkill;
-allow domain rhgb_devpts_t:chr_file { read write };
-ifdef(`fsadm.te', `
-dontaudit fsadm_t ramfs_t:fifo_file write;
-')
-allow rhgb_t xdm_xserver_tmp_t:file { getattr read };
-dontaudit rhgb_t default_t:file read;
-
-allow initrc_t ramfs_t:dir search;
-allow initrc_t ramfs_t:sock_file write;
-allow initrc_t rhgb_t:unix_stream_socket { read write };
-
-allow rhgb_t default_t:file { getattr read };
diff --git a/strict/domains/program/rlogind.te b/strict/domains/program/rlogind.te
deleted file mode 100644
index 88af4e4..0000000
--- a/strict/domains/program/rlogind.te
+++ /dev/null
@@ -1,40 +0,0 @@
-#DESC Rlogind - Remote login daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: rsh-client rsh-redone-client
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the rlogind_t domain.
-#
-remote_login_daemon(rlogind)
-typeattribute rlogind_t auth_chkpwd;
-
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, rlogind_exec_t, rlogind_t)
-')
-
-# for /usr/lib/telnetlogin
-can_exec(rlogind_t, rlogind_exec_t)
-
-# Use capabilities.
-allow rlogind_t self:capability { net_bind_service };
-
-# Run login in remote_login_t.
-allow remote_login_t inetd_t:fd use;
-allow remote_login_t inetd_t:tcp_socket rw_file_perms;
-
-# Send SIGCHLD to inetd on death.
-allow rlogind_t inetd_t:process sigchld;
-
-allow rlogind_t home_dir_type:dir search;
-allow rlogind_t home_type:file { getattr read };
-allow rlogind_t self:file { getattr read };
-allow rlogind_t default_t:dir search;
-typealias rlogind_port_t alias rlogin_port_t;
-read_sysctl(rlogind_t);
-ifdef(`kerberos.te', `
-allow rlogind_t krb5_keytab_t:file { getattr read };
-')
diff --git a/strict/domains/program/roundup.te b/strict/domains/program/roundup.te
deleted file mode 100644
index 4c3e97a..0000000
--- a/strict/domains/program/roundup.te
+++ /dev/null
@@ -1,29 +0,0 @@
-# Roundup Issue Tracking System
-#
-# Authors:  W. Michael Petullo <redhat@flyn.org
-#
-daemon_domain(roundup)
-var_lib_domain(roundup)
-can_network(roundup_t)
-allow roundup_t http_cache_port_t:tcp_socket name_bind;
-allow roundup_t smtp_port_t:tcp_socket name_connect;
-
-# execute python
-allow roundup_t bin_t:dir r_dir_perms;
-can_exec(roundup_t, bin_t)
-allow roundup_t bin_t:lnk_file read;
-
-allow roundup_t self:capability { setgid setuid };
-
-allow roundup_t self:unix_stream_socket create_stream_socket_perms;
-
-ifdef(`mysqld.te', `
-allow roundup_t mysqld_db_t:dir search;
-allow roundup_t mysqld_var_run_t:sock_file write;
-allow roundup_t mysqld_t:unix_stream_socket connectto;
-')
-
-# /usr/share/mysql/charsets/Index.xml
-allow roundup_t usr_t:file { getattr read };
-allow roundup_t urandom_device_t:chr_file { getattr read };
-allow roundup_t etc_t:file { getattr read };
diff --git a/strict/domains/program/rpcd.te b/strict/domains/program/rpcd.te
deleted file mode 100644
index 91b8354..0000000
--- a/strict/domains/program/rpcd.te
+++ /dev/null
@@ -1,162 +0,0 @@
-#DESC Rpcd - RPC daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# Depends: portmap.te
-# X-Debian-Packages: nfs-common
-#
-
-#################################
-#
-# Rules for the rpcd_t and nfsd_t domain.
-#
-define(`rpc_domain', `
-ifdef(`targeted_policy', `
-daemon_base_domain($1, `, transitionbool')
-', `
-daemon_base_domain($1)
-')
-can_network($1_t)
-allow $1_t port_type:tcp_socket name_connect;
-can_ypbind($1_t)
-allow $1_t { etc_runtime_t etc_t }:file { getattr read };
-read_locale($1_t)
-allow $1_t self:capability net_bind_service;
-dontaudit $1_t self:capability net_admin;
-
-allow $1_t var_t:dir { getattr search };
-allow $1_t var_lib_t:dir search;
-allow $1_t var_lib_nfs_t:dir create_dir_perms;
-allow $1_t var_lib_nfs_t:file create_file_perms;
-# do not log when it tries to bind to a port belonging to another domain
-dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-allow $1_t self:netlink_route_socket r_netlink_socket_perms;
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-# bind to arbitary unused ports
-allow $1_t port_t:{ tcp_socket udp_socket } name_bind;
-allow $1_t sysctl_rpc_t:dir search;
-allow $1_t sysctl_rpc_t:file rw_file_perms;
-')
-
-type exports_t, file_type, sysadmfile;
-dontaudit userdomain exports_t:file getattr;
-
-# rpcd_t is the domain of rpc daemons.
-# rpcd_exec_t is the type of rpc daemon programs.
-#
-rpc_domain(rpcd)
-var_run_domain(rpcd)
-allow rpcd_t rpcd_var_run_t:dir setattr;
-
-# for rpc.rquotad
-allow rpcd_t sysctl_t:dir r_dir_perms;
-allow rpcd_t self:fifo_file rw_file_perms;
-
-# rpcd_t needs to talk to the portmap_t domain
-can_udp_send(rpcd_t, portmap_t)
-
-allow initrc_t exports_t:file r_file_perms;
-ifdef(`distro_redhat', `
-allow rpcd_t self:capability { chown dac_override setgid setuid };
-# for /etc/rc.d/init.d/nfs to create /etc/exports
-allow initrc_t exports_t:file write;
-')
-
-allow rpcd_t self:file { getattr read };
-
-# nfs kernel server needs kernel UDP access.  It is less risky and painful
-# to just give it everything.
-can_network_server(kernel_t)
-#can_udp_send(kernel_t, rpcd_t)
-#can_udp_send(rpcd_t, kernel_t)
-
-rpc_domain(nfsd)
-domain_auto_trans(sysadm_t, nfsd_exec_t, nfsd_t)
-role sysadm_r types nfsd_t;
-
-# for /proc/fs/nfs/exports - should we have a new type?
-allow nfsd_t proc_t:file r_file_perms;
-allow nfsd_t proc_net_t:dir search;
-allow nfsd_t exports_t:file { getattr read };
-
-allow nfsd_t nfsd_fs_t:filesystem mount;
-allow nfsd_t nfsd_fs_t:dir search;
-allow nfsd_t nfsd_fs_t:file rw_file_perms;
-allow initrc_t sysctl_rpc_t:dir search;
-allow initrc_t sysctl_rpc_t:file rw_file_perms;
-
-type nfsd_rw_t, file_type, sysadmfile, usercanread;
-type nfsd_ro_t, file_type, sysadmfile, usercanread;
-
-bool nfs_export_all_rw false;
-
-if(nfs_export_all_rw) {
-allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
-r_dir_file(kernel_t, noexattrfile)
-create_dir_file(kernel_t,{ file_type -shadow_t })
-}
-
-dontaudit kernel_t shadow_t:file getattr;
-
-bool nfs_export_all_ro false;
-
-if(nfs_export_all_ro) {
-allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
-r_dir_file(kernel_t,{ noexattrfile file_type -shadow_t })
-}
-
-allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
-create_dir_file(kernel_t, nfsd_rw_t);
-r_dir_file(kernel_t, nfsd_ro_t);
-
-allow kernel_t nfsd_t:udp_socket rw_socket_perms;
-can_udp_send(kernel_t, nfsd_t)
-can_udp_send(nfsd_t, kernel_t)
-
-# does not really need this, but it is easier to just allow it
-allow nfsd_t var_run_t:dir search;
-
-allow nfsd_t self:capability { sys_admin sys_resource };
-allow nfsd_t fs_type:filesystem getattr;
-
-can_udp_send(nfsd_t, portmap_t)
-can_udp_send(portmap_t, nfsd_t)
-
-can_tcp_connect(nfsd_t, portmap_t)
-
-# for exportfs and rpc.mountd
-allow nfsd_t tmp_t:dir getattr;
-
-r_dir_file(rpcd_t, rpc_pipefs_t)
-allow rpcd_t rpc_pipefs_t:sock_file { read write };
-dontaudit rpcd_t selinux_config_t:dir { search };
-allow rpcd_t proc_net_t:dir search;
-
-
-rpc_domain(gssd)
-can_kerberos(gssd_t)
-ifdef(`kerberos.te', `
-allow gssd_t krb5_keytab_t:file r_file_perms;
-')
-allow gssd_t urandom_device_t:chr_file { getattr read };
-r_dir_file(gssd_t, tmp_t)
-tmp_domain(gssd)
-allow gssd_t self:fifo_file { read write };
-r_dir_file(gssd_t, proc_net_t)
-allow gssd_t rpc_pipefs_t:dir r_dir_perms;
-allow gssd_t rpc_pipefs_t:sock_file { read write };
-allow gssd_t rpc_pipefs_t:file r_file_perms;
-allow gssd_t self:capability { dac_override dac_read_search setuid };
-allow nfsd_t devtty_t:chr_file rw_file_perms;
-allow rpcd_t devtty_t:chr_file rw_file_perms;
-
-bool allow_gssd_read_tmp true;
-if (allow_gssd_read_tmp) {
-ifdef(`targeted_policy', `
-r_dir_file(gssd_t, tmp_t)
-', `
-r_dir_file(gssd_t, user_tmpfile)
-')
-}
diff --git a/strict/domains/program/rpm.te b/strict/domains/program/rpm.te
deleted file mode 100644
index 8405e84..0000000
--- a/strict/domains/program/rpm.te
+++ /dev/null
@@ -1,260 +0,0 @@
-#DESC RPM - Red Hat package management
-#
-# X-Debian-Packages: 
-#################################
-#
-# Rules for running the Redhat Package Manager (RPM) tools.
-#
-# rpm_t is the domain for rpm and related utilities in /usr/lib/rpm
-# rpm_exec_t is the type of the rpm executables.
-# rpm_log_t is the type for rpm log files (/var/log/rpmpkgs*)
-# rpm_var_lib_t is the type for rpm files in /var/lib
-#
-type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd;
-role system_r types rpm_t;
-uses_shlib(rpm_t)
-type rpm_exec_t, file_type, sysadmfile, exec_type;
-
-general_domain_access(rpm_t)
-can_ps(rpm_t, domain)
-allow rpm_t self:process setrlimit;
-system_crond_entry(rpm_exec_t, rpm_t)
-role sysadm_r types rpm_t;
-domain_auto_trans(sysadm_t, rpm_exec_t, rpm_t)
-
-type rpm_file_t, file_type, sysadmfile;
-
-tmp_domain(rpm)
-
-tmpfs_domain(rpm)
-
-log_domain(rpm)
-
-can_network(rpm_t)
-allow rpm_t port_type:tcp_socket name_connect;
-can_ypbind(rpm_t)
-
-# Allow the rpm domain to execute other programs
-can_exec_any(rpm_t)
-
-# Capabilties needed by rpm utils
-allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid net_bind_service sys_chroot sys_tty_config mknod };
-
-# Access /var/lib/rpm files
-var_lib_domain(rpm)
-allow userdomain var_lib_t:dir { getattr search };
-r_dir_file(userdomain, rpm_var_lib_t)
-r_dir_file(rpm_t, proc_t)
-
-allow rpm_t sysfs_t:dir r_dir_perms;
-allow rpm_t usbdevfs_t:dir r_dir_perms;
-
-# for installing kernel packages
-allow rpm_t fixed_disk_device_t:blk_file { getattr read };
-
-# Access terminals.
-allow rpm_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow rpm_t sysadm_gph_t:fd use;')
-allow rpm_t privfd:fd use;
-allow rpm_t devtty_t:chr_file rw_file_perms;
-
-domain_auto_trans(rpm_t, ldconfig_exec_t, ldconfig_t)
-domain_auto_trans(rpm_t, initrc_exec_t, initrc_t)
-
-ifdef(`cups.te', `
-r_dir_file(cupsd_t, rpm_var_lib_t)
-allow cupsd_t initrc_exec_t:file { getattr read };
-domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
-')
-
-# for a bug in rm
-dontaudit initrc_t pidfile:file write;
-
-# bash tries to access a block device in the initrd
-dontaudit initrc_t unlabeled_t:blk_file getattr;
-
-# bash tries ioctl for some reason
-dontaudit initrc_t pidfile:file ioctl;
-
-allow rpm_t autofs_t:dir { search getattr };
-allow rpm_t autofs_t:filesystem getattr;
-allow rpm_script_t autofs_t:dir { search getattr };
-allow rpm_t devpts_t:dir { setattr r_dir_perms };
-allow rpm_t { devpts_t proc_t usbdevfs_t fs_t }:filesystem getattr;
-dontaudit rpm_t security_t:filesystem getattr;
-can_getcon(rpm_t)
-can_setfscreate(rpm_t)
-can_setexec(rpm_t)
-read_sysctl(rpm_t)
-general_domain_access(rpm_script_t)
-
-# read/write/create any files in the system
-allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file } { relabelfrom relabelto };
-allow rpm_t { file_type - shadow_t }:dir create_dir_perms;
-allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
-allow rpm_t sysfs_t:filesystem getattr;
-allow rpm_t tmpfs_t:filesystem getattr;
-dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
-# needs rw permission to the directory for an rpm package that includes a mount
-# point
-allow rpm_t fs_type:dir { setattr rw_dir_perms };
-allow rpm_t fs_type:filesystem getattr;
-
-# allow compiling and loading new policy
-create_dir_file(rpm_t, { policy_src_t policy_config_t })
-
-can_getsecurity({ rpm_t rpm_script_t })
-dontaudit rpm_t shadow_t:file { getattr read };
-allow rpm_t urandom_device_t:chr_file read;
-allow rpm_t { device_t device_type }:{ chr_file blk_file } { create_file_perms relabelfrom relabelto };
-allow rpm_t ttyfile:chr_file unlink;
-allow rpm_script_t tty_device_t:chr_file getattr;
-allow rpm_script_t devpts_t:dir search;
-allow rpm_script_t {devpts_t devtty_t}:chr_file rw_file_perms;
-
-allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
-
-type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, privrole, priv_system_role;
-# policy for rpm scriptlet
-role system_r types rpm_script_t;
-uses_shlib(rpm_script_t)
-read_locale(rpm_script_t)
-
-can_ps(rpm_script_t, domain)
-
-ifdef(`lpd.te', `
-can_exec(rpm_script_t, printconf_t)
-')
-
-read_sysctl(rpm_script_t)
-
-type rpm_script_exec_t, file_type, sysadmfile, exec_type;
-
-role sysadm_r types rpm_script_t;
-domain_trans(rpm_t, shell_exec_t, rpm_script_t)
-ifdef(`hide_broken_symptoms', `
-ifdef(`pamconsole.te', `
-domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
-')
-')
-
-tmp_domain(rpm_script)
-
-tmpfs_domain(rpm_script)
-
-# Allow the rpm domain to execute other programs
-can_exec_any(rpm_script_t)
-
-# Capabilties needed by rpm scripts utils
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
-
-# ideally we would not need this
-allow rpm_script_t { file_type - shadow_t }:dir create_dir_perms;
-allow rpm_script_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
-allow rpm_script_t { device_t device_type }:{ chr_file blk_file } create_file_perms;
-
-# for kernel package installation
-ifdef(`mount.te', `
-allow mount_t rpm_t:fifo_file rw_file_perms;
-')
-
-# Commonly used from postinst scripts
-ifdef(`consoletype.te', `
-allow consoletype_t rpm_t:fifo_file r_file_perms;
-')
-ifdef(`crond.te', `
-allow crond_t rpm_t:fifo_file r_file_perms;
-')
-
-allow rpm_script_t proc_t:dir r_dir_perms;
-allow rpm_script_t proc_t:{ file lnk_file } r_file_perms;
-
-allow rpm_script_t devtty_t:chr_file rw_file_perms;
-allow rpm_script_t devpts_t:dir r_dir_perms;
-allow rpm_script_t admin_tty_type:chr_file rw_file_perms;
-allow rpm_script_t etc_runtime_t:file { getattr read };
-allow rpm_script_t privfd:fd use;
-allow rpm_script_t rpm_tmp_t:file { getattr read ioctl };
-
-allow rpm_script_t urandom_device_t:chr_file read;
-
-ifdef(`ssh-agent.te', `
-domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
-')
-
-ifdef(`useradd.te', `
-domain_auto_trans(rpm_script_t, useradd_exec_t, useradd_t)
-domain_auto_trans(rpm_script_t, groupadd_exec_t, groupadd_t)
-role system_r types { useradd_t groupadd_t };
-allow { useradd_t groupadd_t } rpm_t:fd use;
-allow { useradd_t groupadd_t } rpm_t:fifo_file { read write };
-')
-
-domain_auto_trans(rpm_script_t, restorecon_exec_t, restorecon_t)
-
-domain_auto_trans(rpm_script_t, ldconfig_exec_t, ldconfig_t)
-domain_auto_trans(rpm_script_t, depmod_exec_t, depmod_t)
-role sysadm_r types initrc_t;
-domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t)
-ifdef(`bootloader.te', `
-domain_auto_trans(rpm_script_t, bootloader_exec_t, bootloader_t)
-allow bootloader_t rpm_t:fifo_file rw_file_perms;
-')
-
-domain_auto_trans(rpm_script_t, load_policy_exec_t, load_policy_t)
-
-rw_dir_file(rpm_script_t, nfs_t)
-allow rpm_script_t nfs_t:filesystem getattr;
-
-allow rpm_script_t fs_t:filesystem { getattr mount unmount };
-allow rpm_script_t rpm_script_tmp_t:dir mounton;
-can_exec(rpm_script_t, usr_t)
-can_exec(rpm_script_t, sbin_t)
-
-allow rpm_t mount_t:tcp_socket write;
-create_dir_file(rpm_t, nfs_t)
-allow rpm_t { removable_t nfs_t }:filesystem getattr;
-
-allow rpm_script_t userdomain:fd use;
-
-allow domain rpm_t:fifo_file r_file_perms;
-allow domain rpm_t:fd use;
-
-ifdef(`ssh.te', `
-allow sshd_t rpm_script_t:fd use;
-allow sshd_t rpm_t:fd use;
-')
-
-dontaudit rpm_script_t shadow_t:file getattr;
-allow rpm_script_t sysfs_t:dir r_dir_perms;
-
-ifdef(`prelink.te', `
-domain_auto_trans(rpm_t, prelink_exec_t, prelink_t)
-')
-
-allow rpm_t rpc_pipefs_t:dir search;
-allow rpm_script_t init_t:dir search;
-
-type rpmbuild_exec_t, file_type, sysadmfile, exec_type;
-type rpmbuild_t, domain;
-allow rpmbuild_t policy_config_t:dir search;
-allow rpmbuild_t policy_src_t:dir search;
-allow rpmbuild_t policy_src_t:file { getattr read };
-can_getsecurity(rpmbuild_t)
-
-allow rpm_script_t domain:process { signal signull };
-
-# Access /var/lib/rpm.
-allow initrc_t rpm_var_lib_t:dir rw_dir_perms;
-allow initrc_t rpm_var_lib_t:file create_file_perms;
-
-ifdef(`unlimitedRPM', `
-typeattribute rpm_t auth_write;
-unconfined_domain(rpm_t)
-typeattribute rpm_script_t auth_write;
-unconfined_domain(rpm_script_t)
-')
-if (allow_execmem) {
-allow rpm_script_t self:process execmem;
-}
-
diff --git a/strict/domains/program/rshd.te b/strict/domains/program/rshd.te
deleted file mode 100644
index 39976c5..0000000
--- a/strict/domains/program/rshd.te
+++ /dev/null
@@ -1,65 +0,0 @@
-#DESC RSHD - RSH daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: rsh-server rsh-redone-server
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the rshd_t domain.
-#
-daemon_sub_domain(inetd_t, rshd, `, auth_chkpwd, privuser, privrole')
-
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, rshd_exec_t, rshd_t)
-')
-
-# Use sockets inherited from inetd.
-allow rshd_t inetd_t:tcp_socket rw_stream_socket_perms;
-
-# Use capabilities.
-allow rshd_t self:capability { net_bind_service setuid setgid fowner fsetid chown dac_override};
-
-# Use the network.
-can_network_server(rshd_t)
-allow rshd_t rsh_port_t:tcp_socket name_bind;
-
-allow rshd_t etc_t:file { getattr read };
-read_locale(rshd_t)
-allow rshd_t self:unix_dgram_socket create_socket_perms;
-allow rshd_t self:unix_stream_socket create_stream_socket_perms;
-allow rshd_t { home_root_t home_dir_type }:dir { search getattr };
-can_kerberos(rshd_t)
-allow rshd_t { bin_t sbin_t tmp_t}:dir { search };
-allow rshd_t { bin_t sbin_t }:lnk_file r_file_perms;
-ifdef(`rlogind.te', `
-allow rshd_t rlogind_tmp_t:file rw_file_perms;
-')
-allow rshd_t urandom_device_t:chr_file { getattr read };
-
-# Read the user's .rhosts file.
-allow rshd_t home_type:file  r_file_perms ;
-
-# Random reasons
-can_getsecurity(rshd_t)
-can_setexec(rshd_t)
-r_dir_file(rshd_t, selinux_config_t)
-r_dir_file(rshd_t, default_context_t)
-read_sysctl(rshd_t);
-
-if (use_nfs_home_dirs) {
-r_dir_file(rshd_t, nfs_t)
-}
-
-if (use_samba_home_dirs) {
-r_dir_file(rshd_t, cifs_t)
-}
-
-allow rshd_t self:process { fork signal setsched setpgid };
-allow rshd_t self:fifo_file rw_file_perms;
-
-ifdef(`targeted_policy', `
-unconfined_domain(rshd_t)
-domain_auto_trans(rshd_t,shell_exec_t,unconfined_t)
-')
diff --git a/strict/domains/program/rsync.te b/strict/domains/program/rsync.te
deleted file mode 100644
index bed52a3..0000000
--- a/strict/domains/program/rsync.te
+++ /dev/null
@@ -1,18 +0,0 @@
-#DESC rsync - flexible replacement for rcp
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the rsync_t domain.
-#
-# rsync_exec_t is the type of the rsync executable.
-#
-
-inetd_child_domain(rsync)
-type rsync_data_t, file_type, sysadmfile;
-r_dir_file(rsync_t, rsync_data_t)
-anonymous_domain(rsync)
-allow rsync_t self:capability sys_chroot;
diff --git a/strict/domains/program/samba.te b/strict/domains/program/samba.te
deleted file mode 100644
index 4193f73..0000000
--- a/strict/domains/program/samba.te
+++ /dev/null
@@ -1,225 +0,0 @@
-#DESC SAMBA - SMB file server
-#
-# Author: Ryan Bergauer (bergauer@rice.edu)
-# X-Debian-Packages: samba
-#
-
-#################################
-#
-# Declarations for Samba
-#
-
-daemon_domain(smbd, `, auth_chkpwd, nscd_client_domain')
-daemon_domain(nmbd)
-type samba_etc_t, file_type, sysadmfile, usercanread;
-type samba_log_t, file_type, sysadmfile, logfile;
-type samba_var_t, file_type, sysadmfile;
-type samba_share_t, file_type, sysadmfile, customizable;
-type samba_secrets_t, file_type, sysadmfile;
-
-# for /var/run/samba/messages.tdb
-allow smbd_t nmbd_var_run_t:file rw_file_perms;
-
-allow smbd_t self:process setrlimit;
-
-# not sure why it needs this
-tmp_domain(smbd)
-
-# Allow samba to search mnt_t for potential mounted dirs
-allow smbd_t mnt_t:dir r_dir_perms;
-
-ifdef(`crond.te', `
-allow system_crond_t samba_etc_t:file { read getattr lock };
-allow system_crond_t samba_log_t:file { read getattr lock };
-#allow system_crond_t samba_secrets_t:file { read getattr lock };
-')
-
-#################################
-#
-# Rules for the smbd_t domain.
-#
-
-# Permissions normally found in every_domain.
-general_domain_access(smbd_t)
-general_proc_read_access(smbd_t)
-
-allow smbd_t smbd_port_t:tcp_socket name_bind;
-
-# Use capabilities.
-allow smbd_t self:capability { setgid setuid sys_resource net_bind_service lease dac_override dac_read_search };
-
-# Use the network.
-can_network(smbd_t)
-nsswitch_domain(smbd_t)
-can_kerberos(smbd_t)
-allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect;
-
-allow smbd_t urandom_device_t:chr_file { getattr read };
-
-# Permissions for Samba files in /etc/samba
-# either allow read access to the directory or allow the auto_trans rule to
-# allow creation of the secrets.tdb file and the MACHINE.SID file
-#allow smbd_t samba_etc_t:dir { search getattr };
-file_type_auto_trans(smbd_t, samba_etc_t, samba_secrets_t, file)
-
-allow smbd_t { etc_t samba_etc_t etc_runtime_t }:file r_file_perms;
-
-# Permissions for Samba cache files in /var/cache/samba and /var/lib/samba
-allow smbd_t var_lib_t:dir search;
-create_dir_file(smbd_t, samba_var_t)
-
-# Needed for shared printers
-allow smbd_t var_spool_t:dir search;
-
-# Permissions to write log files.
-allow smbd_t samba_log_t:file { create ra_file_perms };
-allow smbd_t var_log_t:dir search;
-allow smbd_t samba_log_t:dir ra_dir_perms;
-dontaudit smbd_t samba_log_t:dir remove_name;
-
-ifdef(`hide_broken_symptoms', `
-dontaudit smbd_t { devpts_t boot_t default_t tmpfs_t }:dir getattr;
-dontaudit smbd_t devpts_t:dir getattr;
-')
-allow smbd_t fs_t:filesystem quotaget;
-
-allow smbd_t usr_t:file { getattr read };
-
-# Access Samba shares.
-create_dir_file(smbd_t, samba_share_t)
-anonymous_domain(smbd)
-
-ifdef(`logrotate.te', `
-# the application should be changed
-can_exec(logrotate_t, samba_log_t)
-')
-#################################
-#
-# Rules for the nmbd_t domain.
-#
-
-# Permissions normally found in every_domain.
-general_domain_access(nmbd_t)
-general_proc_read_access(nmbd_t)
-
-allow nmbd_t nmbd_port_t:udp_socket name_bind;
-
-# Use capabilities.
-allow nmbd_t self:capability net_bind_service;
-
-# Use the network.
-can_network_server(nmbd_t)
-
-# Permissions for Samba files in /etc/samba
-allow nmbd_t samba_etc_t:file { getattr read };
-allow nmbd_t samba_etc_t:dir { search getattr };
-
-# Permissions for Samba cache files in /var/cache/samba
-allow nmbd_t samba_var_t:dir { write remove_name add_name lock getattr search };
-allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename };
-
-allow nmbd_t usr_t:file { getattr read };
-
-# Permissions to write log files.
-allow nmbd_t samba_log_t:file { create ra_file_perms };
-allow nmbd_t var_log_t:dir search;
-allow nmbd_t samba_log_t:dir ra_dir_perms;
-allow nmbd_t etc_t:file { getattr read };
-ifdef(`cups.te', `
-allow smbd_t cupsd_rw_etc_t:file { getattr read };
-')
-# Needed for winbindd
-allow smbd_t { samba_var_t smbd_var_run_t }:sock_file create_file_perms;
-
-# Support Samba sharing of home directories
-bool samba_enable_home_dirs false;
-
-ifdef(`mount.te', `
-#
-# Domain for running smbmount
-#
-
-# Derive from app. domain. Transition from mount.
-application_domain(smbmount, `, fs_domain, nscd_client_domain')
-domain_auto_trans(mount_t, smbmount_exec_t, smbmount_t)
-
-# Capabilities
-# FIXME: is all of this really necessary?
-allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
-
-# Access samba config
-allow smbmount_t samba_etc_t:file r_file_perms;
-allow smbmount_t samba_etc_t:dir r_dir_perms;
-allow initrc_t samba_etc_t:file rw_file_perms;
-
-# Write samba log
-allow smbmount_t samba_log_t:file create_file_perms;
-allow smbmount_t samba_log_t:dir r_dir_perms; 
-
-# Write stuff in var
-allow smbmount_t var_log_t:dir r_dir_perms;
-rw_dir_create_file(smbmount_t, samba_var_t)
-
-# Access mtab
-file_type_auto_trans(smbmount_t, etc_t, etc_runtime_t, file)
-
-# Read nsswitch.conf
-allow smbmount_t etc_t:file r_file_perms;
-
-# Networking
-can_network(smbmount_t)
-allow smbmount_t port_type:tcp_socket name_connect;
-can_ypbind(smbmount_t)
-allow smbmount_t self:unix_dgram_socket create_socket_perms;
-allow smbmount_t self:unix_stream_socket create_socket_perms;
-allow kernel_t smbmount_t:tcp_socket { read write };
-allow userdomain smbmount_t:tcp_socket write;
-
-# Proc
-# FIXME: is this necessary?
-r_dir_file(smbmount_t, proc_t)
-
-# Fork smbmnt 
-allow smbmount_t bin_t:dir r_dir_perms;
-can_exec(smbmount_t, smbmount_exec_t)
-allow smbmount_t self:process { fork signal_perms };
-
-# Mount 
-allow smbmount_t cifs_t:filesystem mount_fs_perms;
-allow smbmount_t cifs_t:dir r_dir_perms;
-allow smbmount_t mnt_t:dir r_dir_perms;
-allow smbmount_t mnt_t:dir mounton;
-
-# Terminal
-read_locale(smbmount_t) 
-access_terminal(smbmount_t, sysadm)
-allow smbmount_t userdomain:fd use;
-allow smbmount_t local_login_t:fd use;
-')
-# Derive from app. domain. Transition from mount.
-application_domain(samba_net, `, nscd_client_domain')
-role system_r types samba_net_t;
-in_user_role(samba_net_t)
-file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
-read_locale(samba_net_t) 
-allow samba_net_t samba_etc_t:file r_file_perms;
-r_dir_file(samba_net_t, samba_var_t)
-can_network_udp(samba_net_t)
-access_terminal(samba_net_t, sysadm)
-allow samba_net_t self:unix_dgram_socket create_socket_perms;
-allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
-rw_dir_create_file(samba_net_t, samba_var_t)
-allow samba_net_t etc_t:file { getattr read };
-can_network_client(samba_net_t)
-allow samba_net_t smbd_port_t:tcp_socket name_connect;
-can_ldap(samba_net_t)
-can_kerberos(samba_net_t)
-allow samba_net_t urandom_device_t:chr_file r_file_perms;
-allow samba_net_t proc_t:dir search;
-allow samba_net_t proc_t:lnk_file read;
-allow samba_net_t self:dir search;
-allow samba_net_t self:file read;
-allow samba_net_t self:process signal;
-tmp_domain(samba_net)
-dontaudit samba_net_t sysadm_home_dir_t:dir search;
-allow samba_net_t privfd:fd use;
diff --git a/strict/domains/program/saslauthd.te b/strict/domains/program/saslauthd.te
deleted file mode 100644
index 8786dd1..0000000
--- a/strict/domains/program/saslauthd.te
+++ /dev/null
@@ -1,41 +0,0 @@
-#DESC saslauthd - Authentication daemon for SASL
-#
-# Author: Colin Walters <walters@verbum.org>
-#
-
-daemon_domain(saslauthd, `, auth_chkpwd, auth_bool')
-
-allow saslauthd_t self:fifo_file { read write };
-allow saslauthd_t self:unix_dgram_socket create_socket_perms;
-allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
-allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
-allow saslauthd_t var_lib_t:dir search;
-
-allow saslauthd_t etc_t:dir { getattr search };
-allow saslauthd_t etc_t:file r_file_perms;
-allow saslauthd_t net_conf_t:file r_file_perms;
-
-allow saslauthd_t self:file r_file_perms;
-allow saslauthd_t proc_t:file { getattr read };
-
-allow saslauthd_t urandom_device_t:chr_file { getattr read }; 
-
-# Needs investigation
-dontaudit saslauthd_t home_root_t:dir getattr;
-can_network_client_tcp(saslauthd_t)
-allow saslauthd_t pop_port_t:tcp_socket name_connect;
-
-bool allow_saslauthd_read_shadow false;
-
-if (allow_saslauthd_read_shadow) {
-allow saslauthd_t shadow_t:file r_file_perms;
-}
-dontaudit saslauthd_t selinux_config_t:dir search;
-dontaudit saslauthd_t selinux_config_t:file { getattr read };
-
-
-dontaudit saslauthd_t initrc_t:unix_stream_socket connectto;
-ifdef(`mysqld.te', `
-allow saslauthd_t mysqld_db_t:dir search;
-allow saslauthd_t mysqld_var_run_t:sock_file rw_file_perms;
-')
diff --git a/strict/domains/program/screen.te b/strict/domains/program/screen.te
deleted file mode 100644
index e9be1a0..0000000
--- a/strict/domains/program/screen.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC screen - Program to detach sessions
-#
-# X-Debian-Packages: screen
-# Domains for the screen program.
-
-#
-# screen_exec_t is the type of the screen executable.
-#
-type screen_exec_t, file_type, sysadmfile, exec_type;
-type screen_dir_t, file_type, sysadmfile, pidfile;
-
-# Everything else is in the screen_domain macro in
-# macros/program/screen_macros.te.
diff --git a/strict/domains/program/sendmail.te b/strict/domains/program/sendmail.te
deleted file mode 100644
index 2ee8d2d..0000000
--- a/strict/domains/program/sendmail.te
+++ /dev/null
@@ -1,112 +0,0 @@
-#DESC Sendmail - Mail server
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: sendmail sendmail-wide
-# Depends: mta.te
-#
-
-#################################
-#
-# Rules for the sendmail_t domain.
-#
-# sendmail_t is the domain for the sendmail 
-# daemon started by the init rc scripts.
-#
-
-# etc_mail_t is the type of /etc/mail.
-type etc_mail_t, file_type, sysadmfile, usercanread;
-
-daemon_domain(sendmail, `, nscd_client_domain, mta_delivery_agent, mail_server_domain, mail_server_sender', nosysadm)
-
-tmp_domain(sendmail)
-logdir_domain(sendmail)
-
-# Use capabilities
-allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
-
-# Use the network.
-can_network(sendmail_t)
-allow sendmail_t port_type:tcp_socket name_connect;
-can_ypbind(sendmail_t)
-
-allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
-allow sendmail_t self:unix_dgram_socket create_socket_perms;
-allow sendmail_t self:fifo_file rw_file_perms;
-
-# Bind to the SMTP port.
-allow sendmail_t smtp_port_t:tcp_socket name_bind;
-
-allow sendmail_t etc_t:file { getattr read };
-
-# Write to /etc/aliases and /etc/mail.
-allow sendmail_t etc_aliases_t:file { setattr rw_file_perms };
-#
-#  Need this transition to create /etc/aliases.db 
-#
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-domain_auto_trans(rpm_script_t, sendmail_exec_t, system_mail_t)
-')
-')
-
-allow sendmail_t etc_mail_t:dir rw_dir_perms;
-allow sendmail_t etc_mail_t:file create_file_perms;
-# for the start script to run make -C /etc/mail
-allow initrc_t etc_mail_t:dir rw_dir_perms;
-allow initrc_t etc_mail_t:file create_file_perms;
-allow system_mail_t initrc_t:fd use;
-allow system_mail_t initrc_t:fifo_file write;
-
-# Write to /var/spool/mail and /var/spool/mqueue.
-allow sendmail_t var_spool_t:dir { getattr search };
-allow sendmail_t mail_spool_t:dir rw_dir_perms;
-allow sendmail_t mail_spool_t:file create_file_perms;
-allow sendmail_t mqueue_spool_t:dir rw_dir_perms;
-allow sendmail_t mqueue_spool_t:file create_file_perms;
-allow sendmail_t urandom_device_t:chr_file { getattr read };
-
-# Read /usr/lib/sasl2/.*
-allow sendmail_t lib_t:file { getattr read };
-
-# When sendmail runs as user_mail_domain, it needs some extra permissions
-# to update /etc/mail/statistics.
-allow user_mail_domain etc_mail_t:file rw_file_perms;
-
-# Silently deny attempts to access /root.
-dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
-
-# Run procmail in its own domain, if defined.
-ifdef(`procmail.te',`
-domain_auto_trans(sendmail_t, procmail_exec_t, procmail_t)
-domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t)
-allow sendmail_t bin_t:dir { getattr search };
-')
-
-read_sysctl(sendmail_t)
-read_sysctl(system_mail_t)
-
-allow system_mail_t etc_mail_t:dir { getattr search };
-allow system_mail_t etc_runtime_t:file { getattr read };
-allow system_mail_t proc_t:dir search;
-allow system_mail_t proc_t:file { getattr read };
-allow system_mail_t proc_t:lnk_file read;
-dontaudit system_mail_t proc_net_t:dir search;
-allow system_mail_t fs_t:filesystem getattr;
-allow system_mail_t self:dir { getattr search };
-allow system_mail_t var_t:dir getattr;
-allow system_mail_t var_spool_t:dir getattr;
-dontaudit system_mail_t userpty_type:chr_file { getattr read write };
-
-# sendmail -q 
-allow system_mail_t mqueue_spool_t:dir rw_dir_perms;
-allow system_mail_t mqueue_spool_t:file create_file_perms;
-
-ifdef(`crond.te', `
-dontaudit system_mail_t system_crond_tmp_t:file append;
-')
-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
-
-# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
-allow sendmail_t initrc_var_run_t:file { getattr read };
-dontaudit sendmail_t initrc_var_run_t:file { lock write };
-
diff --git a/strict/domains/program/setfiles.te b/strict/domains/program/setfiles.te
deleted file mode 100644
index 85bcd4c..0000000
--- a/strict/domains/program/setfiles.te
+++ /dev/null
@@ -1,66 +0,0 @@
-#DESC Setfiles - SELinux filesystem labeling utilities
-#
-# Authors:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: policycoreutils
-#
-
-#################################
-#
-# Rules for the setfiles_t domain.
-#
-# setfiles_exec_t is the type of the setfiles executable.
-#
-# needs auth_write attribute because it has relabelfrom/relabelto
-# access to shadow_t
-type setfiles_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
-type setfiles_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types setfiles_t;
-role sysadm_r types setfiles_t;
-role secadm_r types setfiles_t;
-
-ifdef(`distro_redhat', `
-domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
-')
-can_access_pty(hostname_t, initrc)
-allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
-
-allow setfiles_t self:unix_dgram_socket create_socket_perms;
-
-domain_auto_trans(secadmin, setfiles_exec_t, setfiles_t)
-allow setfiles_t { userdomain privfd initrc_t init_t }:fd use;
-
-uses_shlib(setfiles_t)
-allow setfiles_t self:capability { dac_override dac_read_search fowner };
-
-# for upgrading glibc and other shared objects - without this the upgrade
-# scripts will put things in a state such that setfiles can not be run!
-allow setfiles_t lib_t:file { read execute };
-
-# Get security policy decisions.
-can_getsecurity(setfiles_t)
-
-r_dir_file(setfiles_t, { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t })
-
-allow setfiles_t file_type:dir r_dir_perms;
-allow setfiles_t { file_type unlabeled_t device_type }:dir_file_class_set { getattr relabelfrom };
-allow setfiles_t file_type:{ dir file lnk_file sock_file fifo_file } relabelto;
-allow setfiles_t unlabeled_t:dir read;
-allow setfiles_t { device_type device_t }:{ chr_file blk_file } { getattr relabelfrom relabelto };
-allow setfiles_t { ttyfile ptyfile }:chr_file getattr;
-# dontaudit access to ttyfile - we do not want setfiles to relabel our terminal
-dontaudit setfiles_t ttyfile:chr_file relabelfrom;
-
-allow setfiles_t fs_t:filesystem getattr;
-allow setfiles_t fs_type:dir r_dir_perms;
-
-read_locale(setfiles_t)
-
-allow setfiles_t etc_runtime_t:file { getattr read };
-allow setfiles_t etc_t:file { getattr read };
-allow setfiles_t proc_t:file { getattr read };
-dontaudit setfiles_t proc_t:lnk_file { getattr read };
-
-# for config files in a home directory
-allow setfiles_t home_type:file r_file_perms;
-dontaudit setfiles_t sysadm_tty_device_t:chr_file relabelfrom;
diff --git a/strict/domains/program/slapd.te b/strict/domains/program/slapd.te
deleted file mode 100644
index dd9e416..0000000
--- a/strict/domains/program/slapd.te
+++ /dev/null
@@ -1,61 +0,0 @@
-#DESC Slapd - OpenLDAP server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: slapd
-#
-
-#################################
-#
-# Rules for the slapd_t domain.
-#
-# slapd_exec_t is the type of the slapd executable.
-#
-daemon_domain(slapd)
-
-allow slapd_t ldap_port_t:tcp_socket name_bind;
-
-etc_domain(slapd)
-type slapd_db_t, file_type, sysadmfile;
-type slapd_replog_t, file_type, sysadmfile;
-
-tmp_domain(slapd)
-
-# Use the network.
-can_network(slapd_t)
-allow slapd_t port_type:tcp_socket name_connect;
-can_ypbind(slapd_t)
-allow slapd_t self:fifo_file { read write };
-allow slapd_t self:unix_stream_socket create_socket_perms;
-allow slapd_t self:unix_dgram_socket create_socket_perms;
-# allow any domain to connect to the LDAP server
-can_tcp_connect(domain, slapd_t)
-
-# Use capabilities  should not need kill...
-allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw dac_override dac_read_search };
-allow slapd_t self:process setsched;
-
-allow slapd_t proc_t:file r_file_perms;
-
-# Allow access to the slapd databases
-create_dir_file(slapd_t, slapd_db_t)
-allow initrc_t slapd_db_t:dir r_dir_perms;
-allow slapd_t var_lib_t:dir r_dir_perms;
-
-# Allow access to write the replication log (should tighten this)
-create_dir_file(slapd_t, slapd_replog_t)
-
-# read config files
-allow slapd_t etc_t:{ file lnk_file } { getattr read };
-allow slapd_t etc_runtime_t:file { getattr read };
-
-# for startup script
-allow initrc_t slapd_etc_t:file { getattr read };
-
-allow slapd_t etc_t:dir r_dir_perms;
-
-read_sysctl(slapd_t)
-
-allow slapd_t usr_t:file { read getattr };
-allow slapd_t urandom_device_t:chr_file { getattr read };
-allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
-r_dir_file(slapd_t, cert_t)
diff --git a/strict/domains/program/slocate.te b/strict/domains/program/slocate.te
deleted file mode 100644
index 8512aab..0000000
--- a/strict/domains/program/slocate.te
+++ /dev/null
@@ -1,77 +0,0 @@
-#DESC LOCATE - Security Enhanced version of the GNU Locate
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the locate_t domain.
-#
-# locate_exec_t is the type of the locate executable.
-#
-daemon_base_domain(locate)
-role system_r types locate_t;
-role sysadm_r types locate_t;
-allow locate_t fs_t:filesystem getattr;
-
-ifdef(`crond.te', `
-system_crond_entry(locate_exec_t, locate_t)
-allow system_crond_t locate_log_t:dir rw_dir_perms;
-allow system_crond_t locate_log_t:file { create append getattr };
-allow system_crond_t locate_etc_t:file { getattr read };
-')
-
-allow locate_t { userpty_type admin_tty_type }:chr_file rw_file_perms;
-
-allow locate_t { fs_type file_type }:dir r_dir_perms;
-dontaudit locate_t sysctl_t:dir getattr;
-allow locate_t file_type:lnk_file r_file_perms;
-allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;
-dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read;
-dontaudit locate_t security_t:dir getattr;
-dontaudit locate_t shadow_t:file getattr;
-
-allow locate_t { ttyfile device_type device_t }:{ chr_file blk_file } getattr;
-allow locate_t unlabeled_t:dir_file_class_set getattr;
-allow locate_t unlabeled_t:dir read;
-
-logdir_domain(locate)
-etcdir_domain(locate)
-
-type locate_var_lib_t, file_type, sysadmfile;
-typealias locate_var_lib_t alias var_lib_locate_t;
-
-create_dir_file(locate_t, locate_var_lib_t)
-dontaudit locate_t sysadmfile:file getattr;
-
-allow locate_t proc_t:file { getattr read };
-allow locate_t self:unix_stream_socket create_socket_perms;
-#
-# Need to be able to exec renice
-#
-can_exec(locate_t, bin_t)
-
-dontaudit locate_t rpc_pipefs_t:dir r_dir_perms;
-dontaudit locate_t rpc_pipefs_t:file getattr;
-
-#
-# Read Mtab file
-#
-allow locate_t etc_runtime_t:file { getattr read };
-
-#
-# Read nsswitch file
-#
-allow locate_t etc_t:file { getattr read };
-dontaudit locate_t self:capability dac_override;
-allow locate_t self:capability dac_read_search;
-
-# sysadm_t runs locate in his own domain.
-# We use a type alias to simplify the rest of the policy,
-# which often refers to $1_locate_t for the user domains.
-typealias sysadm_t alias sysadm_locate_t;
-
-allow locate_t userdomain:fd use;
-ifdef(`cardmgr.te', `
-allow locate_t cardmgr_var_run_t:chr_file getattr;
-')
diff --git a/strict/domains/program/slrnpull.te b/strict/domains/program/slrnpull.te
deleted file mode 100644
index 25edb93..0000000
--- a/strict/domains/program/slrnpull.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#DESC slrnpull
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the slrnpull_t domain.
-#
-# slrnpull_exec_t is the type of the slrnpull executable.
-#
-daemon_domain(slrnpull)
-type slrnpull_spool_t, file_type, sysadmfile;
-
-log_domain(slrnpull)
-
-ifdef(`logrotate.te', `
-create_dir_file(logrotate_t, slrnpull_spool_t)
-')
-system_crond_entry(slrnpull_exec_t, slrnpull_t)
-allow userdomain slrnpull_spool_t:dir search;
-rw_dir_create_file(slrnpull_t, slrnpull_spool_t)
-allow slrnpull_t var_spool_t:dir search;
-allow slrnpull_t slrnpull_spool_t:dir create_dir_perms;
diff --git a/strict/domains/program/snmpd.te b/strict/domains/program/snmpd.te
deleted file mode 100644
index ea75c8d..0000000
--- a/strict/domains/program/snmpd.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#DESC SNMPD - Simple Network Management Protocol daemon
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: snmpd
-#
-
-#################################
-#
-# Rules for the snmpd_t domain.
-#
-daemon_domain(snmpd, `, nscd_client_domain')
-
-#temp
-allow snmpd_t var_t:dir getattr;
-
-can_network_server(snmpd_t)
-can_ypbind(snmpd_t)
-
-allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
-
-etc_domain(snmpd)
-
-# for the .index file
-var_lib_domain(snmpd)
-file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, { dir sock_file })
-file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
-allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms;
-
-log_domain(snmpd)
-# for /usr/share/snmp/mibs
-allow snmpd_t usr_t:file { getattr read };
-
-can_udp_send(sysadm_t, snmpd_t)
-can_udp_send(snmpd_t, sysadm_t)
-
-allow snmpd_t self:unix_dgram_socket create_socket_perms;
-allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
-allow snmpd_t etc_t:lnk_file read;
-allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
-allow snmpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
-allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
-
-allow snmpd_t proc_t:dir search;
-allow snmpd_t proc_t:file r_file_perms;
-allow snmpd_t self:file { getattr read };
-allow snmpd_t self:fifo_file rw_file_perms;
-allow snmpd_t { bin_t sbin_t }:dir search;
-can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })
-
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-r_dir_file(snmpd_t, rpm_var_lib_t)
-dontaudit snmpd_t rpm_var_lib_t:dir write;
-dontaudit snmpd_t rpm_var_lib_t:file write;
-')
-')
-
-allow snmpd_t home_root_t:dir search;
-allow snmpd_t initrc_var_run_t:file r_file_perms;
-dontaudit snmpd_t initrc_var_run_t:file write;
-dontaudit snmpd_t rpc_pipefs_t:dir getattr;
-allow snmpd_t rpc_pipefs_t:dir getattr;
-read_sysctl(snmpd_t)
-allow snmpd_t sysctl_net_t:dir search;
-allow snmpd_t sysctl_net_t:file { getattr read };
-
-dontaudit snmpd_t { removable_device_t fixed_disk_device_t }:blk_file { getattr ioctl read };
-allow snmpd_t sysfs_t:dir { getattr read search };
-ifdef(`amanda.te', `
-dontaudit snmpd_t amanda_dumpdates_t:file { getattr read };
-')
-ifdef(`cupsd.te', `
-allow snmpd_t cupsd_rw_etc_t:file { getattr read };
-')
-allow snmpd_t var_lib_nfs_t:dir search;
-
-# needed in order to retrieve net traffic data
-allow snmpd_t proc_net_t:dir search;
-allow snmpd_t proc_net_t:file r_file_perms;
-
-allow snmpd_t domain:dir { getattr search };
-allow snmpd_t domain:file { getattr read };
-allow snmpd_t domain:process signull;
-
-dontaudit snmpd_t selinux_config_t:dir search;
diff --git a/strict/domains/program/sound.te b/strict/domains/program/sound.te
deleted file mode 100644
index 01f7355..0000000
--- a/strict/domains/program/sound.te
+++ /dev/null
@@ -1,26 +0,0 @@
-#DESC Sound - Sound utilities
-#
-# Authors:  Mark Westerman <mark.westerman@.com>
-# X-Debian-Packages: esound
-#
-#################################
-#
-# Rules for the sound_t domain.
-#
-daemon_base_domain(sound)
-type sound_file_t, file_type, sysadmfile;
-allow initrc_t sound_file_t:file { getattr read };
-allow sound_t sound_file_t:file rw_file_perms;
-
-# Use capabilities.
-# Commented out by default.
-#allow sound_t self:capability { sys_admin sys_rawio sys_time dac_override };
-dontaudit sound_t self:capability { sys_admin sys_rawio sys_time dac_read_search dac_override };
-
-# Read and write the sound device.
-allow sound_t sound_device_t:chr_file rw_file_perms;
-
-# Read and write ttys.
-allow sound_t sysadm_tty_device_t:chr_file rw_file_perms;
-read_locale(sound_t)
-allow initrc_t sound_file_t:file { setattr write };
diff --git a/strict/domains/program/spamassassin.te b/strict/domains/program/spamassassin.te
deleted file mode 100644
index d08eaa3..0000000
--- a/strict/domains/program/spamassassin.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#DESC Spamassassin
-#
-# Author: Colin Walters <walters@debian.org>
-# X-Debian-Packages: spamassassin
-#
-
-type spamassassin_exec_t, file_type, sysadmfile, exec_type;
-
-bool spamassasin_can_network false;
-
-# Everything else is in spamassassin_macros.te.
diff --git a/strict/domains/program/spamc.te b/strict/domains/program/spamc.te
deleted file mode 100644
index 9b49fbf..0000000
--- a/strict/domains/program/spamc.te
+++ /dev/null
@@ -1,10 +0,0 @@
-#DESC Spamc - Spamassassin client
-#
-# Author: Colin Walters <walters@debian.org>
-# X-Debian-Packages: spamc
-# Depends: spamassassin.te
-#
-
-type spamc_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in spamassassin_macros.te.
diff --git a/strict/domains/program/spamd.te b/strict/domains/program/spamd.te
deleted file mode 100644
index 01283ca..0000000
--- a/strict/domains/program/spamd.te
+++ /dev/null
@@ -1,71 +0,0 @@
-#DESC Spamd - Spamassassin daemon
-#
-# Author: Colin Walters <walters@debian.org>
-# X-Debian-Packages: spamassassin
-# Depends: spamassassin.te
-#
-
-daemon_domain(spamd)
-
-tmp_domain(spamd)
-
-allow spamd_t spamd_port_t:tcp_socket name_bind;
-
-general_domain_access(spamd_t)
-uses_shlib(spamd_t)
-can_ypbind(spamd_t)
-read_sysctl(spamd_t)
-
-# Various Perl bits
-allow spamd_t lib_t:file rx_file_perms;
-dontaudit spamd_t shadow_t:file { getattr read };
-dontaudit spamd_t initrc_var_run_t:file { read write lock };
-dontaudit spamd_t sysadm_home_dir_t:dir getattr;
-
-can_network_server(spamd_t)
-allow spamd_t self:capability net_bind_service;
-
-allow spamd_t proc_t:file { getattr read };
-
-# Spamassassin, when run as root and using per-user config files,
-# setuids to the user running spamc.  Comment this if you are not
-# using this ability.
-allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
-
-allow spamd_t { bin_t sbin_t }:dir { getattr search };
-can_exec(spamd_t, bin_t)
-
-ifdef(`sendmail.te', `
-allow spamd_t etc_mail_t:dir { getattr read search };
-allow spamd_t etc_mail_t:file { getattr ioctl read };
-')
-allow spamd_t { etc_t etc_runtime_t }:file { getattr ioctl read };
-
-ifdef(`amavis.te', `
-# for bayes tokens
-allow spamd_t var_lib_t:dir { getattr search };
-rw_dir_create_file(spamd_t, amavisd_lib_t)
-')
-
-allow spamd_t usr_t:file { getattr ioctl read };
-allow spamd_t usr_t:lnk_file { getattr read };
-allow spamd_t urandom_device_t:chr_file { getattr read };
-
-system_crond_entry(spamd_exec_t, spamd_t)
-
-allow spamd_t autofs_t:dir { search getattr };
-
-if (use_nfs_home_dirs) {
-allow spamd_t nfs_t:dir rw_dir_perms;
-allow spamd_t nfs_t:file create_file_perms;
-}
-
-if (use_samba_home_dirs) {
-allow spamd_t cifs_t:dir rw_dir_perms;
-allow spamd_t cifs_t:file create_file_perms;
-}
-
-allow spamd_t home_root_t:dir getattr;
-allow spamd_t user_home_dir_type:dir { search getattr };
-
-
diff --git a/strict/domains/program/squid.te b/strict/domains/program/squid.te
deleted file mode 100644
index 1727186..0000000
--- a/strict/domains/program/squid.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#DESC Squid - Web cache
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: squid
-#
-
-#################################
-#
-# Rules for the squid_t domain.
-#
-# squid_t is the domain the squid process runs in
-ifdef(`apache.te',`
-can_tcp_connect(squid_t, httpd_t)
-')
-bool squid_connect_any false;
-daemon_domain(squid, `, web_client_domain, nscd_client_domain')
-type squid_conf_t, file_type, sysadmfile;
-general_domain_access(squid_t)
-allow { squid_t initrc_t } squid_conf_t:file r_file_perms;
-allow squid_t squid_conf_t:dir r_dir_perms;
-allow squid_t squid_conf_t:lnk_file read;
-
-logdir_domain(squid)
-rw_dir_create_file(initrc_t, squid_log_t)
-
-allow squid_t usr_t:file { getattr read };
-
-# type for /var/cache/squid
-type squid_cache_t, file_type, sysadmfile;
-
-allow squid_t self:capability { setgid setuid net_bind_service dac_override };
-allow squid_t { etc_t etc_runtime_t }:file r_file_perms;
-allow squid_t etc_t:lnk_file read;
-allow squid_t self:unix_stream_socket create_socket_perms;
-allow squid_t self:unix_dgram_socket create_socket_perms;
-allow squid_t self:fifo_file rw_file_perms;
-
-read_sysctl(squid_t)
-
-allow squid_t devtty_t:chr_file rw_file_perms;
-
-allow squid_t { self proc_t }:file { read getattr };
-
-# for when we use /var/spool/cache
-allow squid_t var_spool_t:dir search;
-
-# Grant permissions to create, access, and delete cache files.
-# No type transitions required, as the files inherit the parent directory type.
-create_dir_file(squid_t, squid_cache_t)
-ifdef(`logrotate.te',
-`domain_auto_trans(logrotate_t, squid_exec_t, squid_t)')
-ifdef(`crond.te', `domain_auto_trans(system_crond_t, squid_exec_t, squid_t)')
-
-# Use the network
-can_network(squid_t)
-if (squid_connect_any) {
-allow squid_t port_type:tcp_socket name_connect;
-} 
-can_ypbind(squid_t)
-can_tcp_connect(web_client_domain, squid_t)
-
-# tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
-allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:{ tcp_socket udp_socket } name_bind;
-allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
-
-# to allow running programs from /usr/lib/squid (IE unlinkd)
-# also allow exec()ing itself
-can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t shell_exec_t } )
-allow squid_t { bin_t sbin_t }:dir search;
-allow squid_t { bin_t sbin_t }:lnk_file read;
-
-dontaudit squid_t { boot_t tmp_t home_root_t security_t devpts_t }:dir getattr;
-ifdef(`targeted_policy', `
-dontaudit squid_t tty_device_t:chr_file { read write };
-')
-allow squid_t urandom_device_t:chr_file { getattr read };
-
-#squid requires the following when run in diskd mode, the recommended setting
-allow squid_t tmpfs_t:file { read write };
-r_dir_file(squid_t, cert_t)
-ifdef(`winbind.te', `
-domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
-allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
-allow winbind_helper_t squid_log_t:file ra_file_perms;
-')
diff --git a/strict/domains/program/ssh-agent.te b/strict/domains/program/ssh-agent.te
deleted file mode 100644
index f2e3d84..0000000
--- a/strict/domains/program/ssh-agent.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC ssh-agent - agent to securely store ssh-keys
-#
-# Authors:  Thomas Bleher <ThomasBleher@gmx.de>
-#
-# X-Debian-Packages: ssh
-#
-
-# Type for the ssh-agent executable.
-type ssh_agent_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in the ssh_agent_domain macro in
-# macros/program/ssh_agent_macros.te.
-
diff --git a/strict/domains/program/ssh.te b/strict/domains/program/ssh.te
deleted file mode 100644
index 367e4c7..0000000
--- a/strict/domains/program/ssh.te
+++ /dev/null
@@ -1,237 +0,0 @@
-#DESC SSH - SSH daemon
-#
-# Authors:  Anthony Colatrella (NSA) <amcolat@epoch.ncsc.mil>
-#           Stephen Smalley <sds@epoch.ncsc.mil>
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: ssh
-#
-
-# Allow ssh logins as sysadm_r:sysadm_t
-bool ssh_sysadm_login false;
-
-# allow host key based authentication
-bool allow_ssh_keysign false;
-
-ifdef(`inetd.te', `
-# Allow ssh to run from inetd instead of as a daemon.
-bool run_ssh_inetd false;
-')
-
-# sshd_exec_t is the type of the sshd executable.
-# sshd_key_t is the type of the ssh private key files
-type sshd_exec_t, file_type, exec_type, sysadmfile;
-type sshd_key_t, file_type, sysadmfile;
-
-define(`sshd_program_domain', `
-# privowner is for changing the identity on the terminal device
-# privfd is for passing the terminal file handle to the user process
-# auth_chkpwd is for running unix_chkpwd and unix_verify.
-type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
-can_exec($1_t, sshd_exec_t)
-r_dir_file($1_t, self)
-role system_r types $1_t;
-dontaudit $1_t shadow_t:file { getattr read };
-uses_shlib($1_t)
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_t self:fifo_file rw_file_perms;
-allow $1_t self:process { fork sigchld signal setsched setrlimit };
-
-dontaudit $1_t self:lnk_file read;
-
-# do not allow statfs()
-dontaudit $1_t fs_type:filesystem getattr;
-
-allow $1_t bin_t:dir search;
-allow $1_t bin_t:lnk_file read;
-
-# for sshd subsystems, such as sftp-server.
-allow $1_t bin_t:file getattr;
-
-# Read /var.
-allow $1_t var_t:dir { getattr search };
-
-# Read /var/log.
-allow $1_t var_log_t:dir search;
-
-# Read /etc.
-allow $1_t etc_t:dir search;
-# ioctl is for pam_console
-dontaudit $1_t etc_t:file ioctl;
-allow $1_t etc_t:file { getattr read };
-allow $1_t etc_t:lnk_file { getattr read };
-allow $1_t etc_runtime_t:file { getattr read };
-
-# Read and write /dev/tty and /dev/null.
-allow $1_t devtty_t:chr_file rw_file_perms;
-allow $1_t { null_device_t zero_device_t }:chr_file rw_file_perms;
-
-# Read /dev/urandom
-allow $1_t urandom_device_t:chr_file { getattr read };
-
-can_network($1_t)
-allow $1_t port_type:tcp_socket name_connect;
-can_kerberos($1_t)
-
-allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
-allow $1_t { home_root_t home_dir_type }:dir { search getattr };
-if (use_nfs_home_dirs) {
-allow $1_t autofs_t:dir { search getattr };
-allow $1_t nfs_t:dir { search getattr };
-allow $1_t nfs_t:file { getattr read };
-}
-
-if (use_samba_home_dirs) {
-allow $1_t cifs_t:dir { search getattr };
-allow $1_t cifs_t:file { getattr read };
-}
-
-# Set exec context.
-can_setexec($1_t)
-
-# Update utmp.
-allow $1_t initrc_var_run_t:file rw_file_perms;
-
-# Update wtmp.
-allow $1_t wtmp_t:file rw_file_perms;
-
-# Get security policy decisions.
-can_getsecurity($1_t)
-
-# Allow read access to login context
-r_dir_file( $1_t, default_context_t)
-
-# Access key files
-allow $1_t sshd_key_t:file { getattr read };
-
-# Update /var/log/lastlog.
-allow $1_t lastlog_t:file rw_file_perms;
-
-read_locale($1_t)
-read_sysctl($1_t)
-
-# Can create ptys
-can_create_pty($1, `, server_pty')
-allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom };
-dontaudit sshd_t userpty_type:chr_file relabelfrom;
-
-allow $1_t faillog_t:file { append getattr };
-allow $1_t sbin_t:file getattr;
-
-# Allow checking users mail at login
-allow $1_t { var_spool_t mail_spool_t }:dir search;
-allow $1_t mail_spool_t:lnk_file read;
-allow $1_t mail_spool_t:file getattr;
-')dnl end sshd_program_domain
-
-# macro for defining which domains a sshd can spawn
-# $1_t is the domain of the sshd, $2 is the domain to be spawned, $3 is the
-# type of the pty for the child
-define(`sshd_spawn_domain', `
-login_spawn_domain($1, $2)
-ifdef(`xauth.te', `
-domain_trans($1_t, xauth_exec_t, $2)
-')
-
-# Relabel and access ptys created by sshd
-# ioctl is necessary for logout() processing for utmp entry and for w to
-# display the tty.
-# some versions of sshd on the new SE Linux require setattr
-allow $1_t $3:chr_file { relabelto read write getattr ioctl setattr };
-
-# inheriting stream sockets is needed for "ssh host command" as no pty
-# is allocated
-allow $2 $1_t:unix_stream_socket rw_stream_socket_perms;
-')dnl end sshd_spawn_domain definition
-
-#################################
-#
-# Rules for the sshd_t domain, et al.
-#
-# sshd_t is the domain for the sshd program.
-# sshd_extern_t is the domain for ssh from outside our network
-#
-sshd_program_domain(sshd)
-if (ssh_sysadm_login) {
-allow sshd_t devpts_t:dir r_dir_perms;
-sshd_spawn_domain(sshd, userdomain, { sysadm_devpts_t userpty_type })
-} else {
-sshd_spawn_domain(sshd, unpriv_userdomain, userpty_type)
-}
-
-# for X forwarding
-allow sshd_t xserver_port_t:tcp_socket name_bind;
-
-r_dir_file(sshd_t, selinux_config_t)
-sshd_program_domain(sshd_extern)
-sshd_spawn_domain(sshd_extern, user_mini_domain, mini_pty_type)
-
-# for when the network connection breaks after running newrole -r sysadm_r
-dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
-
-ifdef(`inetd.te', `
-if (run_ssh_inetd) {
-allow inetd_t ssh_port_t:tcp_socket name_bind;
-domain_auto_trans(inetd_t, sshd_exec_t, sshd_t)
-domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)
-allow { sshd_t sshd_extern_t } inetd_t:tcp_socket rw_socket_perms;
-allow { sshd_t sshd_extern_t } var_run_t:dir { getattr search };
-allow { sshd_t sshd_extern_t } self:process signal;
-} else {
-')
-can_access_pty({ sshd_t sshd_extern_t }, initrc)
-allow { sshd_t sshd_extern_t } self:capability net_bind_service;
-allow { sshd_t sshd_extern_t } ssh_port_t:tcp_socket name_bind;
-
-# for port forwarding
-can_tcp_connect(userdomain, sshd_t)
-
-domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
-domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)
-dontaudit initrc_t sshd_key_t:file { getattr read };
-
-# Inherit and use descriptors from init.
-allow { sshd_t sshd_extern_t } init_t:fd use;
-ifdef(`inetd.te', `
-}
-')
-
-# Create /var/run/sshd.pid
-var_run_domain(sshd)
-var_run_domain(sshd_extern)
-
-ifdef(`direct_sysadm_daemon', `
-# Direct execution by sysadm_r.
-domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
-role_transition sysadm_r sshd_exec_t system_r;
-')
-
-undefine(`sshd_program_domain')
-
-# so a tunnel can point to another ssh tunnel...
-can_tcp_connect(sshd_t, sshd_t)
-
-tmp_domain(sshd, `', { dir file sock_file })
-ifdef(`pam.te', `
-can_exec(sshd_t, pam_exec_t)
-')
-
-# ssh_keygen_t is the type of the ssh-keygen program when run at install time
-# and by sysadm_t
-daemon_base_domain(ssh_keygen)
-allow ssh_keygen_t etc_t:file { getattr read };
-file_type_auto_trans(ssh_keygen_t, etc_t, sshd_key_t, file)
-
-# Type for the ssh executable.
-type ssh_exec_t, file_type, exec_type, sysadmfile;
-type ssh_keysign_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in the ssh_domain macro in
-# macros/program/ssh_macros.te.
-
-allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
-allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
-ifdef(`use_mcs', `
-range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
-')
diff --git a/strict/domains/program/stunnel.te b/strict/domains/program/stunnel.te
deleted file mode 100644
index 4dbfcec..0000000
--- a/strict/domains/program/stunnel.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# DESC: selinux policy for stunnel
-#
-# Author:   petre rodan <kaiowas@gentoo.org>
-#
-ifdef(`distro_gentoo', `
-
-daemon_domain(stunnel)
-
-can_network(stunnel_t)
-allow stunnel_t port_type:tcp_socket name_connect;
-
-allow stunnel_t self:capability { setgid setuid sys_chroot };
-allow stunnel_t self:fifo_file { read write };
-allow stunnel_t self:tcp_socket { read write };
-allow stunnel_t self:unix_stream_socket { connect create };
-
-r_dir_file(stunnel_t, etc_t)
-', `
-inetd_child_domain(stunnel, tcp)
-allow stunnel_t self:capability sys_chroot;
-
-bool stunnel_is_daemon false;
-if (stunnel_is_daemon) {
-# Policy to run stunnel as a daemon should go here.
-allow stunnel_t self:tcp_socket rw_stream_socket_perms;
-allow stunnel_t stunnel_port_t:tcp_socket name_bind;
-}
-')
-
-type stunnel_etc_t, file_type, sysadmfile;
-r_dir_file(stunnel_t, stunnel_etc_t)
-allow stunnel_t stunnel_port_t:tcp_socket { name_bind };
-
diff --git a/strict/domains/program/su.te b/strict/domains/program/su.te
deleted file mode 100644
index 6d39909..0000000
--- a/strict/domains/program/su.te
+++ /dev/null
@@ -1,23 +0,0 @@
-#DESC Su - Run shells with substitute user and group
-#
-# Domains for the su program.
-# X-Debian-Packages: login
-
-#
-# su_exec_t is the type of the su executable.
-#
-type su_exec_t, file_type, sysadmfile;
-
-allow sysadm_su_t user_home_dir_type:dir search;
-
-# Everything else is in the su_domain macro in
-# macros/program/su_macros.te.
-
-ifdef(`use_mcs', `
-ifdef(`targeted_policy', `
-range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
-domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)
-can_exec(sysadm_su_t, bin_t)
-rw_dir_create_file(sysadm_su_t, home_dir_type)
-')
-')
diff --git a/strict/domains/program/sudo.te b/strict/domains/program/sudo.te
deleted file mode 100644
index a1fad31..0000000
--- a/strict/domains/program/sudo.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#DESC        sudo - execute a command as another user
-#
-# Authors:  Dan Walsh,  Russell Coker
-# Maintained by Dan Walsh <dwalsh@redhat.com>
-#
-
-# Type for the sudo executable.
-type sudo_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the sudo_domain macro in
-# macros/program/sudo_macros.te.
diff --git a/strict/domains/program/sulogin.te b/strict/domains/program/sulogin.te
deleted file mode 100644
index 0bed085..0000000
--- a/strict/domains/program/sulogin.te
+++ /dev/null
@@ -1,56 +0,0 @@
-#DESC sulogin - Single-User login
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com>
-#
-# X-Debian-Packages: sysvinit
-
-#################################
-# 
-# Rules for the sulogin_t domain
-#
-
-type sulogin_t, domain, privrole, privowner, privlog, privfd, privuser, auth;
-type sulogin_exec_t, file_type, exec_type, sysadmfile;
-role system_r types sulogin_t;
-
-general_domain_access(sulogin_t)
-
-domain_auto_trans({ initrc_t init_t }, sulogin_exec_t, sulogin_t)
-allow sulogin_t initrc_t:process getpgid;
-uses_shlib(sulogin_t)
-
-# suse and debian do not use pam with sulogin...
-ifdef(`distro_suse', `
-define(`sulogin_no_pam', `')
-')
-ifdef(`distro_debian', `
-define(`sulogin_no_pam', `')
-')
-
-ifdef(`sulogin_no_pam', `
-domain_auto_trans(sulogin_t, shell_exec_t, sysadm_t)
-allow sulogin_t init_t:process getpgid;
-allow sulogin_t self:capability sys_tty_config;
-', `
-domain_trans(sulogin_t, shell_exec_t, sysadm_t)
-allow sulogin_t shell_exec_t:file r_file_perms;
-
-can_setexec(sulogin_t)
-can_getsecurity(sulogin_t)
-')
-
-r_dir_file(sulogin_t, etc_t)
-
-allow sulogin_t bin_t:dir r_dir_perms;
-r_dir_file(sulogin_t, proc_t)
-allow sulogin_t root_t:dir search;
-
-allow sulogin_t sysadm_devpts_t:chr_file { getattr ioctl read write };
-allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
-allow sulogin_t default_context_t:dir search;
-allow sulogin_t default_context_t:file { getattr read };
-
-r_dir_file(sulogin_t, selinux_config_t)
-
-# because file systems are not mounted
-dontaudit sulogin_t file_t:dir search;
diff --git a/strict/domains/program/swat.te b/strict/domains/program/swat.te
deleted file mode 100644
index aa94d2f..0000000
--- a/strict/domains/program/swat.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#DESC swat - Samba Web Administration Tool
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the swat_t domain.
-#
-# swat_exec_t is the type of the swat executable.
-#
-
-inetd_child_domain(swat)
diff --git a/strict/domains/program/syslogd.te b/strict/domains/program/syslogd.te
deleted file mode 100644
index be427ec..0000000
--- a/strict/domains/program/syslogd.te
+++ /dev/null
@@ -1,109 +0,0 @@
-#DESC Syslogd - System log daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: sysklogd syslog-ng
-#
-
-#################################
-#
-# Rules for the syslogd_t domain.
-#
-# syslogd_t is the domain of syslogd.
-# syslogd_exec_t is the type of the syslogd executable.
-# devlog_t is the type of the Unix domain socket created 
-# by syslogd.
-#
-ifdef(`klogd.te', `
-daemon_domain(syslogd, `, privkmsg, nscd_client_domain')
-', `
-daemon_domain(syslogd, `, privmem, privkmsg, nscd_client_domain')
-')
-
-# can_network is for the UDP socket
-can_network_udp(syslogd_t)
-can_ypbind(syslogd_t)
-
-r_dir_file(syslogd_t, sysfs_t)
-
-type devlog_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
-
-# if something can log to syslog they should be able to log to the console
-allow privlog console_device_t:chr_file { ioctl read write getattr };
-
-tmp_domain(syslogd)
-
-# read files in /etc
-allow syslogd_t { etc_runtime_t etc_t }:file r_file_perms;
-
-# Use capabilities.
-allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
-
-# Modify/create log files.
-create_append_log_file(syslogd_t, var_log_t)
-
-# Create and bind to /dev/log or /var/run/log.
-file_type_auto_trans(syslogd_t, { device_t var_run_t }, devlog_t, sock_file)
-ifdef(`distro_suse', `
-# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
-file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
-')
-allow syslogd_t self:unix_dgram_socket create_socket_perms;
-allow syslogd_t self:unix_dgram_socket sendto;
-allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-allow syslogd_t self:fifo_file rw_file_perms;
-allow syslogd_t devlog_t:unix_stream_socket name_bind;
-allow syslogd_t devlog_t:unix_dgram_socket name_bind;
-# log to the xconsole
-allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
-
-# Domains with the privlog attribute may log to syslogd.
-allow privlog devlog_t:sock_file rw_file_perms;
-can_unix_send(privlog,syslogd_t)
-can_unix_connect(privlog,syslogd_t)
-# allow /dev/log to be a link elsewhere for chroot setup
-allow privlog devlog_t:lnk_file read;
-
-ifdef(`crond.te', `
-# for daemon re-start
-allow system_crond_t syslogd_t:lnk_file read;
-')
-
-ifdef(`logrotate.te', `
-allow logrotate_t syslogd_exec_t:file r_file_perms;
-')
-
-# for sending messages to logged in users
-allow syslogd_t initrc_var_run_t:file { read lock };
-dontaudit syslogd_t initrc_var_run_t:file write;
-allow syslogd_t ttyfile:chr_file { getattr write };
-
-#
-# Special case to handle crashes
-#
-allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
-
-# Allow syslog to a terminal
-allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
-
-# Allow name_bind for remote logging
-allow syslogd_t syslogd_port_t:udp_socket name_bind;
-#
-# /initrd is not umounted before minilog starts
-#
-dontaudit syslogd_t file_t:dir search;
-allow syslogd_t { tmpfs_t devpts_t }:dir search;
-dontaudit syslogd_t unlabeled_t:file { getattr read };
-dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
-allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
-ifdef(`targeted_policy', `
-allow syslogd_t var_run_t:fifo_file { ioctl read write };
-')
-
-# Allow access to /proc/kmsg for syslog-ng
-allow syslogd_t proc_t:dir search;
-allow syslogd_t proc_kmsg_t:file { getattr read };
-allow syslogd_t kernel_t:system { syslog_mod syslog_console };
-allow syslogd_t self:capability { sys_admin chown fsetid };
-allow syslogd_t var_log_t:dir { create setattr };
-allow syslogd_t syslogd_port_t:tcp_socket name_bind;
-allow syslogd_t rsh_port_t:tcp_socket name_connect;
diff --git a/strict/domains/program/sysstat.te b/strict/domains/program/sysstat.te
deleted file mode 100644
index f01da4c..0000000
--- a/strict/domains/program/sysstat.te
+++ /dev/null
@@ -1,65 +0,0 @@
-#DESC Sysstat - Sar and similar programs
-#
-# Authors:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: sysstat
-#
-
-#################################
-#
-# Rules for the sysstat_t domain.
-#
-# sysstat_exec_t is the type of the sysstat executable.
-#
-type sysstat_t, domain, privlog;
-type sysstat_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types sysstat_t;
-
-allow sysstat_t device_t:dir search;
-
-allow sysstat_t self:process { sigchld fork };
-
-#for date
-can_exec(sysstat_t, { sysstat_exec_t bin_t })
-allow sysstat_t bin_t:dir r_dir_perms;
-dontaudit sysstat_t sbin_t:dir search;
-
-dontaudit sysstat_t self:capability sys_admin;
-allow sysstat_t self:capability sys_resource;
-
-allow sysstat_t devtty_t:chr_file rw_file_perms;
-
-allow sysstat_t urandom_device_t:chr_file read;
-
-# for mtab
-allow sysstat_t etc_runtime_t:file { read getattr };
-# for fstab
-allow sysstat_t etc_t:file { read getattr };
-
-dontaudit sysstat_t sysadm_home_dir_t:dir r_dir_perms;
-
-allow sysstat_t self:fifo_file rw_file_perms;
-
-# Type for files created during execution of sysstatd.
-logdir_domain(sysstat)
-allow sysstat_t var_t:dir search;
-
-allow sysstat_t etc_t:dir r_dir_perms;
-read_locale(sysstat_t)
-
-allow sysstat_t fs_t:filesystem getattr;
-
-# get info from /proc
-allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:dir r_dir_perms;
-allow sysstat_t { proc_t proc_net_t sysctl_kernel_t sysctl_t sysctl_fs_t sysctl_rpc_t }:file { read getattr };
-
-domain_auto_trans(initrc_t, sysstat_exec_t, sysstat_t)
-allow sysstat_t init_t:fd use;
-allow sysstat_t console_device_t:chr_file { read write };
-
-uses_shlib(sysstat_t)
-
-system_crond_entry(sysstat_exec_t, sysstat_t)
-allow system_crond_t sysstat_log_t:dir { write remove_name add_name };
-allow system_crond_t sysstat_log_t:file create_file_perms;
-allow sysstat_t initrc_devpts_t:chr_file { read write };
diff --git a/strict/domains/program/tcpd.te b/strict/domains/program/tcpd.te
deleted file mode 100644
index af135be..0000000
--- a/strict/domains/program/tcpd.te
+++ /dev/null
@@ -1,43 +0,0 @@
-#DESC Tcpd - Access control facilities from internet services
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: tcpd
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the tcpd_t domain.
-#
-type tcpd_t, domain, privlog;
-role system_r types tcpd_t;
-uses_shlib(tcpd_t)
-type tcpd_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(inetd_t, tcpd_exec_t, tcpd_t)
-
-allow tcpd_t fs_t:filesystem getattr;
-
-# no good reason for this, probably nscd
-dontaudit tcpd_t var_t:dir search;
-
-can_network_server(tcpd_t)
-can_ypbind(tcpd_t)
-allow tcpd_t self:unix_dgram_socket create_socket_perms;
-allow tcpd_t self:unix_stream_socket create_socket_perms;
-allow tcpd_t etc_t:file { getattr read };
-read_locale(tcpd_t)
-
-tmp_domain(tcpd)
-
-# Use sockets inherited from inetd.
-allow tcpd_t inetd_t:tcp_socket rw_stream_socket_perms;
-
-# Run each daemon with a defined domain in its own domain.
-# These rules have been moved to each target domain .te file.
-
-# Run other daemons in the inetd_child_t domain.
-allow tcpd_t { bin_t sbin_t }:dir search;
-domain_auto_trans(tcpd_t, inetd_child_exec_t, inetd_child_t)
-
-allow tcpd_t device_t:dir search;
diff --git a/strict/domains/program/telnetd.te b/strict/domains/program/telnetd.te
deleted file mode 100644
index bbbb2c1..0000000
--- a/strict/domains/program/telnetd.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# telnet server daemon
-#
-
-#################################
-#
-# Rules for the telnetd_t domain 
-#
-
-remote_login_daemon(telnetd)
-typealias telnetd_port_t alias telnet_port_t;
diff --git a/strict/domains/program/tftpd.te b/strict/domains/program/tftpd.te
deleted file mode 100644
index c749987..0000000
--- a/strict/domains/program/tftpd.te
+++ /dev/null
@@ -1,41 +0,0 @@
-#DESC TFTP - UDP based file server for boot loaders
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: tftpd atftpd
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the tftpd_t domain.
-#
-# tftpd_exec_t is the type of the tftpd executable.
-#
-daemon_domain(tftpd)
-
-# tftpdir_t is the type of files in the /tftpboot directories.
-type tftpdir_t, file_type, sysadmfile;
-r_dir_file(tftpd_t, tftpdir_t)
-
-domain_auto_trans(inetd_t, tftpd_exec_t, tftpd_t)
-
-# Use the network.
-can_network_udp(tftpd_t)
-allow tftpd_t tftp_port_t:udp_socket name_bind;
-ifdef(`inetd.te', `
-allow inetd_t tftp_port_t:udp_socket name_bind;
-')
-allow tftpd_t self:unix_dgram_socket create_socket_perms;
-allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
-
-# allow any domain to connect to the TFTP server
-allow tftpd_t inetd_t:udp_socket rw_socket_perms;
-
-# Use capabilities
-allow tftpd_t self:capability { setgid setuid net_bind_service sys_chroot };
-
-allow tftpd_t etc_t:dir r_dir_perms;
-allow tftpd_t etc_t:file r_file_perms;
-
-allow tftpd_t var_t:dir r_dir_perms;
-allow tftpd_t var_t:{ file lnk_file } r_file_perms;
diff --git a/strict/domains/program/thunderbird.te b/strict/domains/program/thunderbird.te
deleted file mode 100644
index c640f87..0000000
--- a/strict/domains/program/thunderbird.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# DESC - Thunderbird  
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-# Type for executables
-type thunderbird_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in macros/thunderbird_macros.te
-bool disable_thunderbird_trans false;
diff --git a/strict/domains/program/timidity.te b/strict/domains/program/timidity.te
deleted file mode 100644
index e007d3f..0000000
--- a/strict/domains/program/timidity.te
+++ /dev/null
@@ -1,34 +0,0 @@
-# DESC timidity - MIDI to WAV converter and player
-#
-# Author: Thomas Bleher <ThomasBleher@gmx.de>
-#
-# Note: You only need this policy if you want to run timidity as a server
-
-daemon_base_domain(timidity)
-can_network_server(timidity_t)
-
-allow timidity_t device_t:lnk_file read;
-
-# read /usr/share/alsa/alsa.conf
-allow timidity_t usr_t:file { getattr read };
-# read /etc/esd.conf and /proc/cpuinfo
-allow timidity_t { etc_t proc_t }:file { getattr read };
-# read libartscbackend.la - should these be shlib_t?
-allow timidity_t lib_t:file { getattr read };
-
-allow timidity_t sound_device_t:chr_file { read write ioctl };
-
-# stupid timidity won't start if it can't search its current directory.
-# allow this so /etc/init.d/alsasound start works from /root
-allow timidity_t sysadm_home_dir_t:dir search;
-
-allow timidity_t tmp_t:dir search;
-tmpfs_domain(timidity)
-
-allow timidity_t self:shm create_shm_perms;
-
-allow timidity_t self:unix_stream_socket create_stream_socket_perms;
-
-allow timidity_t devpts_t:dir search;
-allow timidity_t self:capability { dac_override dac_read_search };
-allow timidity_t self:process getsched;
diff --git a/strict/domains/program/tmpreaper.te b/strict/domains/program/tmpreaper.te
deleted file mode 100644
index 2373a50..0000000
--- a/strict/domains/program/tmpreaper.te
+++ /dev/null
@@ -1,33 +0,0 @@
-#DESC Tmpreaper - Monitor and maintain temporary files
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: tmpreaper
-#
-
-#################################
-#
-# Rules for the tmpreaper_t domain.
-#
-type tmpreaper_t, domain, privlog;
-type tmpreaper_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types tmpreaper_t;
-
-system_crond_entry(tmpreaper_exec_t, tmpreaper_t)
-uses_shlib(tmpreaper_t)
-# why does it need setattr?
-allow tmpreaper_t { man_t tmpfile }:dir { setattr rw_dir_perms rmdir };
-allow tmpreaper_t { man_t tmpfile }:notdevfile_class_set { getattr unlink };
-allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
-allow tmpreaper_t self:process { fork sigchld };
-allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
-allow tmpreaper_t fs_t:filesystem getattr;
-
-r_dir_file(tmpreaper_t, etc_t)
-allow tmpreaper_t var_t:dir { getattr search };
-r_dir_file(tmpreaper_t, var_lib_t)
-allow tmpreaper_t device_t:dir { getattr search };
-allow tmpreaper_t urandom_device_t:chr_file { getattr read };
-
-read_locale(tmpreaper_t)
-
diff --git a/strict/domains/program/traceroute.te b/strict/domains/program/traceroute.te
deleted file mode 100644
index af25e20..0000000
--- a/strict/domains/program/traceroute.te
+++ /dev/null
@@ -1,66 +0,0 @@
-#DESC Traceroute - Display network routes
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# based on the work of David A. Wheeler <dwheeler@ida.org>
-# X-Debian-Packages: traceroute lft
-#
-
-#################################
-#
-# Rules for the traceroute_t domain.
-#
-# traceroute_t is the domain for the traceroute program.
-# traceroute_exec_t is the type of the corresponding program.
-#
-type traceroute_t, domain, privlog, nscd_client_domain;
-role sysadm_r types traceroute_t;
-role system_r types traceroute_t;
-# for user_ping:
-in_user_role(traceroute_t)
-uses_shlib(traceroute_t)
-can_network_client(traceroute_t)
-allow traceroute_t port_type:tcp_socket name_connect;
-can_ypbind(traceroute_t)
-allow traceroute_t node_t:rawip_socket node_bind;
-type traceroute_exec_t, file_type, sysadmfile, exec_type;
-
-# Transition into this domain when you run this program.
-domain_auto_trans(initrc_t, traceroute_exec_t, traceroute_t)
-domain_auto_trans(sysadm_t, traceroute_exec_t, traceroute_t)
-
-allow traceroute_t etc_t:file { getattr read };
-
-# Use capabilities.
-allow traceroute_t self:capability { net_admin net_raw setuid setgid };
-
-allow traceroute_t self:rawip_socket create_socket_perms;
-allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-allow traceroute_t self:unix_stream_socket create_socket_perms;
-allow traceroute_t device_t:dir search;
-
-# for lft
-allow traceroute_t self:packet_socket create_socket_perms;
-r_dir_file(traceroute_t, proc_t)
-r_dir_file(traceroute_t, proc_net_t)
-
-# Access the terminal.
-allow traceroute_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
-allow traceroute_t privfd:fd use;
-
-# dont need this
-dontaudit traceroute_t fs_t:filesystem getattr;
-dontaudit traceroute_t var_t:dir search;
-
-ifdef(`ping.te', `
-if (user_ping) {
-	domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
-	# allow access to the terminal
-	allow traceroute_t { ttyfile ptyfile }:chr_file rw_file_perms;
-}
-')
-#rules needed for nmap
-allow traceroute_t { urandom_device_t random_device_t }:chr_file r_file_perms;
-allow traceroute_t usr_t:file { getattr read };
-read_locale(traceroute_t)
-dontaudit traceroute_t userdomain:dir search;
diff --git a/strict/domains/program/tvtime.te b/strict/domains/program/tvtime.te
deleted file mode 100644
index fa72021..0000000
--- a/strict/domains/program/tvtime.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC tvtime - a high quality television application
-#
-# Domains for the tvtime program.
-# Author     :  Dan Walsh <dwalsh@redhat.com>
-#
-# tvtime_exec_t is the type of the tvtime executable.
-#
-type tvtime_exec_t, file_type, sysadmfile, exec_type;
-type tvtime_dir_t, file_type, sysadmfile, pidfile;
-
-# Everything else is in the tvtime_domain macro in
-# macros/program/tvtime_macros.te.
diff --git a/strict/domains/program/udev.te b/strict/domains/program/udev.te
deleted file mode 100644
index cc5f7d4..0000000
--- a/strict/domains/program/udev.te
+++ /dev/null
@@ -1,152 +0,0 @@
-#DESC udev - Linux configurable dynamic device naming support
-#
-# Author:  Dan Walsh dwalsh@redhat.com
-#
-
-#################################
-#
-# Rules for the udev_t domain.
-#
-# udev_exec_t is the type of the udev executable.
-#
-daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite')
-
-general_domain_access(udev_t)
-
-if (allow_execmem) {
-# for alsactl
-allow udev_t self:process execmem;
-}
-
-etc_domain(udev)
-type udev_helper_exec_t, file_type, sysadmfile, exec_type;
-can_exec_any(udev_t)
-
-#
-# Rules used for udev
-#
-type udev_tdb_t, file_type, sysadmfile, dev_fs;
-typealias udev_tdb_t alias udev_tbl_t;
-file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin sys_rawio sys_nice };
-allow udev_t self:file { getattr read };
-allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
-allow udev_t self:unix_dgram_socket create_socket_perms;
-allow udev_t self:fifo_file rw_file_perms;
-allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; 
-allow udev_t device_t:file { unlink rw_file_perms };
-allow udev_t device_t:sock_file create_file_perms;
-allow udev_t device_t:lnk_file create_lnk_perms;
-allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
-ifdef(`distro_redhat', `
-allow udev_t tmpfs_t:dir create_dir_perms;
-allow udev_t tmpfs_t:{ sock_file file } create_file_perms;
-allow udev_t tmpfs_t:lnk_file create_lnk_perms;
-allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
-allow udev_t tmpfs_t:dir search;
-
-# for arping used for static IP addresses on PCMCIA ethernet
-domain_auto_trans(udev_t, netutils_exec_t, netutils_t)
-')
-allow udev_t etc_t:file { getattr read ioctl };
-allow udev_t { bin_t sbin_t }:dir r_dir_perms;
-allow udev_t { sbin_t bin_t }:lnk_file read;
-allow udev_t bin_t:lnk_file read;
-can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
-can_exec(udev_t, udev_exec_t)
-rw_dir_file(udev_t, sysfs_t)
-allow udev_t sysadm_tty_device_t:chr_file { read write };
-
-# to read the file_contexts file
-r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
-
-allow udev_t policy_config_t:dir search;
-allow udev_t proc_t:file { getattr read ioctl };
-allow udev_t proc_kcore_t:file getattr;
-
-# Get security policy decisions.
-can_getsecurity(udev_t)
-
-# set file system create context
-can_setfscreate(udev_t)
-
-allow udev_t kernel_t:fd use;
-allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
-allow udev_t kernel_t:process signal;
-
-allow udev_t initrc_var_run_t:file r_file_perms;
-dontaudit udev_t initrc_var_run_t:file write;
-
-domain_auto_trans(kernel_t, udev_exec_t, udev_t)
-domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t)
-ifdef(`hide_broken_symptoms', `
-dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
-')
-allow udev_t devpts_t:dir { getattr search };
-allow udev_t etc_runtime_t:file { getattr read };
-ifdef(`xdm.te', `
-allow udev_t xdm_var_run_t:file { getattr read };
-')
-
-ifdef(`hotplug.te', `
-r_dir_file(udev_t, hotplug_etc_t)
-')
-allow udev_t var_log_t:dir search;
-
-ifdef(`consoletype.te', `
-can_exec(udev_t, consoletype_exec_t)
-')
-ifdef(`pamconsole.te', `
-allow udev_t pam_var_console_t:dir search;
-allow udev_t pam_var_console_t:file { getattr read };
-domain_auto_trans(udev_t, pam_console_exec_t, pam_console_t)
-')
-allow udev_t var_lock_t:dir search;
-allow udev_t var_lock_t:file getattr;
-domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
-ifdef(`hide_broken_symptoms', `
-dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
-')
-
-dontaudit udev_t file_t:dir search;
-ifdef(`dhcpc.te', `
-domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)
-')
-
-allow udev_t udev_helper_exec_t:dir r_dir_perms;
-
-dbusd_client(system, udev)
-
-allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
-allow udev_t sysctl_dev_t:dir search;
-allow udev_t mnt_t:dir search;
-allow udev_t { sysctl_dev_t sysctl_modprobe_t sysctl_kernel_t sysctl_hotplug_t }:file { getattr read };
-allow udev_t self:rawip_socket create_socket_perms;
-dontaudit udev_t domain:dir r_dir_perms;
-dontaudit udev_t ttyfile:chr_file unlink;
-ifdef(`hotplug.te', `
-r_dir_file(udev_t, hotplug_var_run_t)
-')
-r_dir_file(udev_t, modules_object_t)
-#
-# Udev is now writing dhclient-eth*.conf* files.
-#
-ifdef(`dhcpd.te', `define(`use_dhcp')')
-ifdef(`dhcpc.te', `define(`use_dhcp')')
-ifdef(`use_dhcp', `
-allow udev_t dhcp_etc_t:file rw_file_perms;
-file_type_auto_trans(udev_t, etc_t, dhcp_etc_t, file)
-')
-r_dir_file(udev_t, domain)
-allow udev_t modules_dep_t:file r_file_perms;
-
-nsswitch_domain(udev_t)
-
-ifdef(`unlimitedUtils', `
-unconfined_domain(udev_t) 
-')
-dontaudit hostname_t udev_t:fd use;
-ifdef(`use_mcs', `
-range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
-range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
-')
diff --git a/strict/domains/program/uml.te b/strict/domains/program/uml.te
deleted file mode 100644
index 75ae501..0000000
--- a/strict/domains/program/uml.te
+++ /dev/null
@@ -1,14 +0,0 @@
-
-# Author: Russell Coker <russell@coker.com.au>
-#
-type uml_exec_t, file_type, sysadmfile, exec_type;
-type uml_ro_t, file_type, sysadmfile;
-
-# the main code is in macros/program/uml_macros.te
-
-daemon_domain(uml_switch)
-allow uml_switch_t self:unix_dgram_socket create_socket_perms;
-allow uml_switch_t self:unix_stream_socket create_stream_socket_perms;
-allow uml_switch_t uml_switch_var_run_t:sock_file create_file_perms;
-allow initrc_t uml_switch_var_run_t:sock_file setattr;
-rw_dir_create_file(initrc_t, uml_switch_var_run_t)
diff --git a/strict/domains/program/unconfined.te b/strict/domains/program/unconfined.te
deleted file mode 100644
index 9497a3c..0000000
--- a/strict/domains/program/unconfined.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#DESC Unconfined - Use to essentially disable SELinux for a particular program
-# This domain will be useful as a workaround for e.g. third-party daemon software
-# that has no policy, until one can be written for it.
-#
-# To use, label the executable with unconfined_exec_t, e.g.:
-# chcon -t unconfined_exec_t /usr/local/bin/appsrv
-# Or alternatively add it to /etc/security/selinux/src/policy/file_contexts/program/unconfined.fc
-
-type unconfined_t, domain, privlog, admin, privmem, fs_domain, auth_write;
-type unconfined_exec_t, file_type, sysadmfile, exec_type;
-role sysadm_r types unconfined_t;
-domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)
-role system_r types unconfined_t;
-domain_auto_trans(initrc_t, unconfined_exec_t, unconfined_t)
-unconfined_domain(unconfined_t)
diff --git a/strict/domains/program/unused/afs.te b/strict/domains/program/unused/afs.te
deleted file mode 100644
index 8bcab3b..0000000
--- a/strict/domains/program/unused/afs.te
+++ /dev/null
@@ -1,166 +0,0 @@
-#
-# Policy for AFS server
-#
-
-type afs_files_t, file_type;
-type afs_config_t, file_type, sysadmfile;
-type afs_logfile_t, file_type, logfile;
-type afs_dbdir_t, file_type;
-
-allow afs_files_t afs_files_t:filesystem associate;
-# df should show sizes
-allow sysadm_t afs_files_t:filesystem getattr;
-
-#
-# Macros for defining AFS server domains
-#
-
-define(`afs_server_domain',`
-type afs_$1server_t, domain $2;
-type afs_$1server_exec_t, file_type, sysadmfile;
-
-role system_r types afs_$1server_t;
-
-allow afs_$1server_t afs_config_t:file r_file_perms;
-allow afs_$1server_t afs_config_t:dir r_dir_perms;
-allow afs_$1server_t afs_logfile_t:file create_file_perms;
-allow afs_$1server_t afs_logfile_t:dir create_dir_perms;
-allow afs_$1server_t afs_$1_port_t:udp_socket name_bind;
-uses_shlib(afs_$1server_t)
-can_network(afs_$1server_t)
-read_locale(afs_$1server_t)
-
-dontaudit afs_$1server_t { var_t var_run_t }:file r_file_perms;
-dontaudit afs_$1server_t { var_t var_run_t }:dir r_dir_perms;
-dontaudit afs_$1server_t admin_tty_type:chr_file rw_file_perms;
-')
-
-define(`afs_under_bos',`
-domain_auto_trans(afs_bosserver_t, afs_$1server_exec_t, afs_$1server_t)
-allow afs_$1server_t self:unix_stream_socket create_stream_socket_perms;
-allow afs_$1server_t etc_t:{ file lnk_file } r_file_perms;
-allow afs_$1server_t net_conf_t:file r_file_perms;
-allow afs_bosserver_t afs_$1server_t:process signal_perms;
-')
-
-define(`afs_server_db',`
-type afs_$1_db_t, file_type;
-
-allow afs_$1server_t afs_$1_db_t:file create_file_perms;
-file_type_auto_trans(afs_$1server_t, afs_dbdir_t, afs_$1_db_t, file);
-')
-
-
-#
-# bosserver
-#
-
-afs_server_domain(`bos')
-base_file_read_access(afs_bosserver_t)
-
-domain_auto_trans(initrc_t, afs_bosserver_exec_t, afs_bosserver_t)
-
-allow afs_bosserver_t self:process { fork setsched signal_perms };
-allow afs_bosserver_t afs_bosserver_exec_t:file { execute_no_trans rx_file_perms };
-allow afs_bosserver_t afs_dbdir_t:dir { search read getattr };
-allow afs_bosserver_t afs_config_t:file create_file_perms;
-allow afs_bosserver_t afs_config_t:dir create_dir_perms;
-
-allow afs_bosserver_t etc_t:{file lnk_file} r_file_perms;
-allow afs_bosserver_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
-allow afs_bosserver_t device_t:dir r_dir_perms;
-
-# allow sysadm to use bos
-allow afs_bosserver_t sysadm_t:udp_socket { sendto recvfrom };
-allow sysadm_t afs_bosserver_t:udp_socket { recvfrom sendto };
-
-#
-# fileserver, volserver, and salvager
-#
-
-afs_server_domain(`fs',`,privlog')
-afs_under_bos(`fs')
-
-base_file_read_access(afs_fsserver_t)
-file_type_auto_trans(afs_fsserver_t, afs_config_t, afs_files_t)
-
-allow afs_fsserver_t self:process { fork sigchld setsched signal_perms };
-allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
-allow afs_fsserver_t self:fifo_file { rw_file_perms };
-can_exec(afs_fsserver_t, afs_fsserver_exec_t)
-allow afs_fsserver_t afs_files_t:file create_file_perms;
-allow afs_fsserver_t afs_files_t:dir create_dir_perms;
-allow afs_fsserver_t afs_config_t:file create_file_perms;
-allow afs_fsserver_t afs_config_t:dir create_dir_perms;
-
-allow afs_fsserver_t afs_fs_port_t:tcp_socket name_bind;
-allow afs_fsserver_t { afs_files_t fs_t }:filesystem getattr;
-
-allow afs_fsserver_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
-allow afs_fsserver_t device_t:dir r_dir_perms;
-allow afs_fsserver_t etc_runtime_t:{file lnk_file} r_file_perms;
-allow afs_fsserver_t { var_run_t var_t } :dir r_dir_perms;
-
-allow afs_fsserver_t proc_t:dir r_dir_perms;
-allow afs_fsserver_t { self proc_t } : { file lnk_file } r_file_perms;
-allow afs_fsserver_t { self proc_t } : dir r_dir_perms;
-
-# fs communicates with other servers
-allow afs_fsserver_t self:unix_dgram_socket create_socket_perms;
-allow afs_fsserver_t self:tcp_socket { connectto acceptfrom recvfrom };
-allow afs_fsserver_t self:udp_socket { sendto recvfrom };
-allow afs_fsserver_t { afs_vlserver_t afs_ptserver_t }:udp_socket { recvfrom };
-allow afs_fsserver_t sysadm_t:udp_socket { sendto recvfrom };
-allow sysadm_t afs_fsserver_t:udp_socket { recvfrom sendto };
-
-dontaudit afs_fsserver_t self:capability fsetid;
-dontaudit afs_fsserver_t console_device_t:chr_file rw_file_perms;
-dontaudit afs_fsserver_t initrc_t:fd use;
-dontaudit afs_fsserver_t mnt_t:dir search;
-
-
-#
-# kaserver
-#
-
-afs_server_domain(`ka')
-afs_under_bos(`ka')
-afs_server_db(`ka')
-
-base_file_read_access(afs_kaserver_t)
-
-allow afs_kaserver_t kerberos_port_t:udp_socket name_bind;
-allow afs_kaserver_t self:capability { net_bind_service };
-allow afs_kaserver_t afs_config_t:file create_file_perms;
-allow afs_kaserver_t afs_config_t:dir rw_dir_perms;
-
-# allow sysadm to use kas
-allow afs_kaserver_t sysadm_t:udp_socket { sendto recvfrom };
-allow sysadm_t afs_kaserver_t:udp_socket { recvfrom sendto };
-
-
-#
-# ptserver
-#
-
-afs_server_domain(`pt')
-afs_under_bos(`pt')
-afs_server_db(`pt')
-
-# allow users to use pts
-allow afs_ptserver_t userdomain:udp_socket { sendto recvfrom };
-allow userdomain afs_ptserver_t:udp_socket { recvfrom sendto };
-allow afs_ptserver_t afs_fsserver_t:udp_socket { recvfrom };
-
-
-#
-# vlserver
-#
-
-afs_server_domain(`vl')
-afs_under_bos(`vl')
-afs_server_db(`vl')
-
-allow afs_vlserver_t sysadm_t:udp_socket { sendto recvfrom };
-allow sysadm_t afs_vlserver_t:udp_socket { recvfrom sendto };
-allow afs_vlserver_t afs_fsserver_t:udp_socket { recvfrom };
diff --git a/strict/domains/program/unused/amavis.te b/strict/domains/program/unused/amavis.te
deleted file mode 100644
index 1e1752f..0000000
--- a/strict/domains/program/unused/amavis.te
+++ /dev/null
@@ -1,117 +0,0 @@
-#DESC Amavis - Anti-virus
-#
-# Author:  Brian May <bam@snoopy.apana.org.au>
-# X-Debian-Packages: amavis-ng amavisd-new amavisd-new-milter amavisd-new-milter-helper
-# Depends: clamav.te
-#
-
-#################################
-#
-# Rules for the amavisd_t domain.
-#
-type amavisd_etc_t, file_type, sysadmfile;
-type amavisd_lib_t, file_type, sysadmfile;
-
-# Virus and spam found and quarantined.
-type amavisd_quarantine_t, file_type, sysadmfile, tmpfile;
-
-daemon_domain(amavisd)
-tmp_domain(amavisd)
-
-allow initrc_t amavisd_etc_t:file { getattr read };
-allow initrc_t amavisd_lib_t:dir { search read write rmdir remove_name unlink };
-allow initrc_t amavisd_lib_t:file unlink;
-allow initrc_t amavisd_var_run_t:dir setattr;
-allow amavisd_t self:capability { chown dac_override setgid setuid };
-dontaudit amavisd_t self:capability sys_tty_config;
-
-allow amavisd_t usr_t:{ file lnk_file } { getattr read };
-dontaudit amavisd_t usr_t:file ioctl;
-
-# networking
-can_network_server_tcp(amavisd_t, amavisd_recv_port_t)
-allow amavisd_t amavisd_recv_port_t:tcp_socket name_bind;
-allow mta_delivery_agent amavisd_recv_port_t:tcp_socket name_connect;
-# The next line doesn't work right so drop the port specification.
-#can_network_client_tcp(amavisd_t, amavisd_send_port_t)
-can_network_client_tcp(amavisd_t)
-allow amavisd_t amavisd_send_port_t:tcp_socket name_connect;
-can_resolve(amavisd_t);
-can_ypbind(amavisd_t);
-can_tcp_connect(mail_server_sender, amavisd_t);
-can_tcp_connect(amavisd_t, mail_server_domain)
-
-ifdef(`scannerdaemon.te', `
-can_tcp_connect(amavisd_t, scannerdaemon_t);
-allow scannerdaemon_t amavisd_lib_t:dir r_dir_perms;
-allow scannerdaemon_t amavisd_lib_t:file r_file_perms;
-')
-
-ifdef(`clamav.te', `
-clamscan_domain(amavisd)
-role system_r types amavisd_clamscan_t;
-domain_auto_trans(amavisd_t, clamscan_exec_t, amavisd_clamscan_t)
-allow amavisd_clamscan_t amavisd_lib_t:dir r_dir_perms;
-allow amavisd_clamscan_t amavisd_lib_t:file r_file_perms;
-can_clamd_connect(amavisd)
-allow clamd_t amavisd_lib_t:dir r_dir_perms;
-allow clamd_t amavisd_lib_t:file r_file_perms;
-')
-
-# DCC
-ifdef(`dcc.te', `
-allow dcc_client_t amavisd_lib_t:file r_file_perms;
-')
-
-# Pyzor
-ifdef(`pyzor.te',`
-domain_auto_trans(amavisd_t, pyzor_exec_t, pyzor_t)
-#allow pyzor_t amavisd_data_t:dir search;
-# Pyzor creates a temp file adjacent to the working file.
-create_dir_file(pyzor_t, amavisd_lib_t);
-')
-
-# SpamAssassin is executed from within amavisd, but needs to read its
-# config
-ifdef(`spamd.te', `
-r_dir_file(amavisd_t, etc_mail_t)
-')
-
-# Can create unix sockets
-allow amavisd_t self:unix_stream_socket create_stream_socket_perms;
-allow amavisd_t self:unix_dgram_socket create_socket_perms;
-allow amavisd_t self:fifo_file getattr;
-
-read_locale(amavisd_t)
-
-# Access config files (amavisd).
-allow amavisd_t amavisd_etc_t:file r_file_perms;
-
-log_domain(amavisd)
-
-# Access amavisd var/lib files.
-create_dir_file(amavisd_t, amavisd_lib_t)
-
-# Access amavisd quarantined files.
-create_dir_file(amavisd_t, amavisd_quarantine_t)
-
-# Run helper programs.
-can_exec_any(amavisd_t,bin_t)
-allow amavisd_t bin_t:dir { getattr search };
-allow amavisd_t sbin_t:dir search;
-allow amavisd_t var_lib_t:dir search;
-
-# allow access to files for scanning (required for amavis):
-allow clamd_t self:capability { dac_override dac_read_search };
-
-# unknown stuff
-allow amavisd_t self:fifo_file { ioctl read write };
-allow amavisd_t { random_device_t urandom_device_t }:chr_file read;
-allow amavisd_t proc_t:file { getattr read };
-allow amavisd_t etc_runtime_t:file { getattr read };
-
-# broken stuff
-dontaudit amavisd_t sysadm_home_dir_t:dir search;
-dontaudit amavisd_t shadow_t:file { getattr read };
-dontaudit amavisd_t sysadm_devpts_t:chr_file { read write };
-
diff --git a/strict/domains/program/unused/asterisk.te b/strict/domains/program/unused/asterisk.te
deleted file mode 100644
index 7ae5ffc..0000000
--- a/strict/domains/program/unused/asterisk.te
+++ /dev/null
@@ -1,56 +0,0 @@
-#DESC Asterisk IP telephony server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-# X-Debian-Packages: asterisk
-
-daemon_domain(asterisk)
-allow asterisk_t asterisk_var_run_t:{ sock_file fifo_file } create_file_perms;
-allow initrc_t asterisk_var_run_t:fifo_file unlink;
-
-allow asterisk_t self:process setsched;
-allow asterisk_t self:fifo_file rw_file_perms;
-
-allow asterisk_t proc_t:file { getattr read };
-
-allow asterisk_t { bin_t sbin_t }:dir search;
-allow asterisk_t bin_t:lnk_file read;
-can_exec(asterisk_t, bin_t)
-
-etcdir_domain(asterisk)
-logdir_domain(asterisk)
-var_lib_domain(asterisk)
-
-allow asterisk_t asterisk_port_t:{ udp_socket tcp_socket } name_bind;
-
-# for VOIP voice channels.
-allow asterisk_t port_t:{ udp_socket tcp_socket } name_bind;
-
-allow asterisk_t device_t:lnk_file read;
-allow asterisk_t sound_device_t:chr_file rw_file_perms;
-
-type asterisk_spool_t, file_type, sysadmfile;
-create_dir_file(asterisk_t, asterisk_spool_t)
-allow asterisk_t var_spool_t:dir search;
-
-# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
-# are labeled usr_t
-allow asterisk_t usr_t:file r_file_perms;
-
-can_network_server(asterisk_t)
-can_ypbind(asterisk_t)
-allow asterisk_t etc_t:file { getattr read };
-
-allow asterisk_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms };
-allow asterisk_t self:sem create_sem_perms;
-allow asterisk_t self:shm create_shm_perms;
-
-# dac_override for /var/run/asterisk
-allow asterisk_t self:capability { dac_override setgid setuid sys_nice };
-
-# for shutdown
-dontaudit asterisk_t self:capability sys_tty_config;
-
-tmpfs_domain(asterisk)
-tmp_domain(asterisk)
diff --git a/strict/domains/program/unused/audio-entropyd.te b/strict/domains/program/unused/audio-entropyd.te
deleted file mode 100644
index 216108a..0000000
--- a/strict/domains/program/unused/audio-entropyd.te
+++ /dev/null
@@ -1,12 +0,0 @@
-#DESC audio-entropyd - Generate entropy from audio input
-#
-# Author: Chris PeBenito <pebenito@gentoo.org>
-#
-
-daemon_domain(entropyd)
-
-allow entropyd_t self:capability { ipc_lock sys_admin };
-
-allow entropyd_t random_device_t:chr_file rw_file_perms;
-allow entropyd_t device_t:dir r_dir_perms;
-allow entropyd_t sound_device_t:chr_file r_file_perms;
diff --git a/strict/domains/program/unused/authbind.te b/strict/domains/program/unused/authbind.te
deleted file mode 100644
index 6aabc3e..0000000
--- a/strict/domains/program/unused/authbind.te
+++ /dev/null
@@ -1,29 +0,0 @@
-#DESC Authbind - Program to bind to low ports as non-root
-#
-# Authors:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: authbind
-#
-
-#################################
-#
-# Rules for the authbind_t domain.
-#
-# authbind_exec_t is the type of the authbind executable.
-#
-type authbind_t, domain, privlog;
-type authbind_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types authbind_t;
-
-etcdir_domain(authbind)
-
-can_exec(authbind_t, authbind_etc_t)
-allow authbind_t etc_t:dir r_dir_perms;
-
-uses_shlib(authbind_t)
-
-allow authbind_t self:capability net_bind_service;
-
-allow authbind_t domain:fd use;
-
-allow authbind_t console_device_t:chr_file { read write };
diff --git a/strict/domains/program/unused/backup.te b/strict/domains/program/unused/backup.te
deleted file mode 100644
index 628527d..0000000
--- a/strict/domains/program/unused/backup.te
+++ /dev/null
@@ -1,62 +0,0 @@
-#DESC Backup - Backup scripts
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: dpkg
-#
-
-#################################
-#
-# Rules for the backup_t domain.
-#
-type backup_t, domain, privlog, auth;
-type backup_exec_t, file_type, sysadmfile, exec_type;
-
-type backup_store_t, file_type, sysadmfile;
-
-role system_r types backup_t;
-role sysadm_r types backup_t;
-
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, backup_exec_t, backup_t)
-')
-allow backup_t privfd:fd use;
-ifdef(`crond.te', `
-system_crond_entry(backup_exec_t, backup_t)
-rw_dir_create_file(system_crond_t, backup_store_t)
-')
-
-# for SSP
-allow backup_t urandom_device_t:chr_file read;
-
-can_network_client(backup_t)
-allow backup_t port_type:tcp_socket name_connect;
-can_ypbind(backup_t)
-uses_shlib(backup_t)
-
-allow backup_t devtty_t:chr_file rw_file_perms;
-
-allow backup_t { file_type fs_type }:dir r_dir_perms;
-allow backup_t file_type:{ file lnk_file } r_file_perms;
-allow backup_t file_type:{ sock_file fifo_file } getattr;
-allow backup_t { device_t device_type ttyfile }:chr_file getattr;
-allow backup_t { device_t device_type }:blk_file getattr;
-allow backup_t var_t:file create_file_perms;
-
-allow backup_t proc_t:dir r_dir_perms;
-allow backup_t proc_t:file r_file_perms;
-allow backup_t proc_t:lnk_file { getattr read };
-read_sysctl(backup_t)
-
-allow backup_t self:fifo_file rw_file_perms;
-allow backup_t self:process { signal sigchld fork };
-allow backup_t self:capability dac_override;
-
-rw_dir_file(backup_t, backup_store_t)
-allow backup_t backup_store_t:file { create setattr };
-
-allow backup_t fs_t:filesystem getattr;
-
-allow backup_t self:unix_stream_socket create_socket_perms;
-
-can_exec(backup_t, bin_t)
-ifdef(`hostname.te', `can_exec(backup_t, hostname_exec_t)')
diff --git a/strict/domains/program/unused/calamaris.te b/strict/domains/program/unused/calamaris.te
deleted file mode 100644
index 1bfce36..0000000
--- a/strict/domains/program/unused/calamaris.te
+++ /dev/null
@@ -1,72 +0,0 @@
-#DESC Calamaris - Squid log analysis
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: calamaris
-# Depends: squid.te
-#
-
-#################################
-#
-# Rules for the calamaris_t domain.
-#
-# calamaris_t is the domain the calamaris process runs in
-
-system_domain(calamaris, `, privmail')
-
-ifdef(`crond.te', `
-system_crond_entry(calamaris_exec_t, calamaris_t)
-')
-
-allow calamaris_t { var_t var_run_t }:dir { getattr search };
-allow calamaris_t squid_log_t:dir search;
-allow calamaris_t squid_log_t:file { getattr read };
-allow calamaris_t { usr_t lib_t }:file { getattr read };
-allow calamaris_t usr_t:lnk_file { getattr read };
-dontaudit calamaris_t usr_t:file ioctl;
-
-type calamaris_www_t, file_type, sysadmfile;
-ifdef(`apache.te', `
-allow calamaris_t httpd_sys_content_t:dir search;
-')
-rw_dir_create_file(calamaris_t, calamaris_www_t)
-
-# for when squid has a different UID
-allow calamaris_t self:capability dac_override;
-
-logdir_domain(calamaris)
-
-allow calamaris_t device_t:dir search;
-allow calamaris_t devtty_t:chr_file { read write };
-
-allow calamaris_t urandom_device_t:chr_file { getattr read };
-
-allow calamaris_t self:process { fork signal_perms setsched };
-read_sysctl(calamaris_t)
-allow calamaris_t proc_t:dir search;
-allow calamaris_t proc_t:file { getattr read };
-allow calamaris_t { proc_t self }:lnk_file read;
-allow calamaris_t self:dir search;
-
-allow calamaris_t { bin_t sbin_t }:dir search;
-allow calamaris_t bin_t:lnk_file read;
-allow calamaris_t etc_runtime_t:file { getattr read };
-allow calamaris_t self:fifo_file { getattr read write ioctl };
-read_locale(calamaris_t)
-
-can_exec(calamaris_t, bin_t)
-allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
-allow calamaris_t self:udp_socket create_socket_perms;
-allow calamaris_t etc_t:file { getattr read };
-allow calamaris_t etc_t:lnk_file read;
-dontaudit calamaris_t etc_t:file ioctl;
-dontaudit calamaris_t sysadm_home_dir_t:dir { getattr search };
-can_network_server(calamaris_t)
-can_ypbind(calamaris_t)
-ifdef(`named.te', `
-can_udp_send(calamaris_t, named_t)
-can_udp_send(named_t, calamaris_t)
-')
-
-ifdef(`apache.te', `
-r_dir_file(httpd_t, calamaris_www_t)
-')
diff --git a/strict/domains/program/unused/ciped.te b/strict/domains/program/unused/ciped.te
deleted file mode 100644
index 6fddf97..0000000
--- a/strict/domains/program/unused/ciped.te
+++ /dev/null
@@ -1,32 +0,0 @@
-
-
-daemon_base_domain(ciped)
-
-# for SSP
-allow ciped_t urandom_device_t:chr_file read;
-
-# cipe uses the afs3-bos port (udp 7007)
-allow ciped_t afs_bos_port_t:udp_socket name_bind;
-
-can_network_udp(ciped_t)
-can_ypbind(ciped_t)
-
-allow ciped_t devpts_t:dir search;
-allow ciped_t devtty_t:chr_file { read write };
-allow ciped_t etc_runtime_t:file { getattr read };
-allow ciped_t etc_t:file { getattr read };
-allow ciped_t proc_t:file { getattr read };
-allow ciped_t { bin_t sbin_t }:dir { getattr search read };
-allow ciped_t bin_t:lnk_file read;
-can_exec(ciped_t, { bin_t ciped_exec_t shell_exec_t })
-allow ciped_t self:fifo_file rw_file_perms;
-
-read_locale(ciped_t)
-
-allow ciped_t self:capability { net_admin ipc_lock sys_tty_config };
-allow ciped_t self:unix_dgram_socket create_socket_perms;
-allow ciped_t self:unix_stream_socket create_socket_perms;
-
-allow ciped_t random_device_t:chr_file { getattr read };
-
-dontaudit ciped_t var_t:dir search;
diff --git a/strict/domains/program/unused/clamav.te b/strict/domains/program/unused/clamav.te
deleted file mode 100644
index 3ef34ee..0000000
--- a/strict/domains/program/unused/clamav.te
+++ /dev/null
@@ -1,147 +0,0 @@
-#DESC CLAM - Anti-virus program
-#
-# Author:  Brian May <bam@snoopy.apana.org.au>
-# X-Debian-Packages: clamav
-#
-
-#################################
-#
-# Rules for the clamscan_t domain.
-#
-
-# Virus database
-type clamav_var_lib_t, file_type, sysadmfile;
-
-# clamscan_t is the domain of the clamscan virus scanner
-type clamscan_exec_t, file_type, sysadmfile, exec_type;
-
-##########
-##########
-
-#
-# Freshclam
-#
-
-daemon_base_domain(freshclam, `, web_client_domain')
-read_locale(freshclam_t)
-
-# not sure why it needs this
-read_sysctl(freshclam_t)
-
-can_network_client_tcp(freshclam_t, http_port_t);
-allow freshclam_t http_port_t:tcp_socket name_connect;
-can_resolve(freshclam_t)
-can_ypbind(freshclam_t)
-
-# Access virus signatures
-allow freshclam_t { var_t var_lib_t }:dir search;
-rw_dir_create_file(freshclam_t, clamav_var_lib_t)
-
-allow freshclam_t devtty_t:chr_file { read write };
-allow freshclam_t devpts_t:dir search;
-allow freshclam_t etc_t:file { getattr read };
-allow freshclam_t proc_t:file { getattr read };
-
-allow freshclam_t urandom_device_t:chr_file { getattr read };
-dontaudit freshclam_t urandom_device_t:chr_file ioctl;
-
-# for nscd
-dontaudit freshclam_t var_run_t:dir search;
-
-# setuid/getuid used (although maybe not required...)
-allow freshclam_t self:capability { setgid setuid };
-
-allow freshclam_t sbin_t:dir search;
-
-# Allow notification to daemon that virus database has changed
-can_clamd_connect(freshclam)
-
-allow freshclam_t etc_runtime_t:file { read getattr };
-allow freshclam_t self:unix_stream_socket create_stream_socket_perms;
-allow freshclam_t self:unix_dgram_socket create_socket_perms;
-allow freshclam_t self:fifo_file rw_file_perms;
-
-# Log files for freshclam executable
-logdir_domain(freshclam)
-allow initrc_t freshclam_log_t:file append;
-
-# Pid files for freshclam
-allow initrc_t clamd_var_run_t:file { create setattr };
-
-system_crond_entry(freshclam_exec_t, freshclam_t)
-domain_auto_trans(logrotate_t, freshclam_exec_t, freshclam_t)
-
-domain_auto_trans(sysadm_t, freshclam_exec_t, freshclam_t)
-role sysadm_r types freshclam_t;
-
-create_dir_file(freshclam_t, clamd_var_run_t)
-
-##########
-##########
-
-#
-# Clamscan
-#
-
-# macros/program/clamav_macros.te.
-user_clamscan_domain(sysadm)
-
-##########
-##########
-
-#
-# Clamd
-#
-
-type clamd_sock_t, file_type, sysadmfile;
-
-# clamd executable
-daemon_domain(clamd)
-
-tmp_domain(clamd)
-
-# The dir containing the clamd log files is labelled freshclam_t
-logdir_domain(clamd)
-allow clamd_t freshclam_log_t:dir search;
-
-allow clamd_t self:capability { kill setgid setuid dac_override };
-
-# Give the clamd local communications socket a unique type
-ifdef(`distro_debian', `
-file_type_auto_trans(clamd_t, var_run_t, clamd_sock_t, sock_file)
-')
-ifdef(`distro_redhat', `
-file_type_auto_trans(clamd_t, clamd_var_run_t, clamd_sock_t, sock_file)
-')
-
-# Clamd can be configured to listen on a TCP port.
-can_network_server_tcp(clamd_t, clamd_port_t)
-allow clamd_t clamd_port_t:tcp_socket name_bind;
-can_resolve(clamd_t);
-
-allow clamd_t var_lib_t:dir search;
-r_dir_file(clamd_t, clamav_var_lib_t)
-r_dir_file(clamd_t, etc_t)
-# allow access /proc/sys/kernel/version
-read_sysctl(clamd_t)
-allow clamd_t self:unix_stream_socket create_stream_socket_perms;
-allow clamd_t self:unix_dgram_socket create_stream_socket_perms;
-allow clamd_t self:fifo_file rw_file_perms;
-
-allow clamd_t { random_device_t urandom_device_t }:chr_file { getattr read };
-dontaudit clamd_t { random_device_t urandom_device_t }:chr_file ioctl;
-
-
-##########
-##########
-
-#
-# Interaction with external programs
-#
-
-ifdef(`amavis.te',`
-allow amavisd_t clamd_var_run_t:dir search;
-allow amavisd_t clamd_t:unix_stream_socket connectto;
-allow amavisd_t clamd_sock_t:sock_file write;
-')
-
diff --git a/strict/domains/program/unused/clockspeed.te b/strict/domains/program/unused/clockspeed.te
deleted file mode 100644
index f79c314..0000000
--- a/strict/domains/program/unused/clockspeed.te
+++ /dev/null
@@ -1,26 +0,0 @@
-#DESC clockspeed - Simple network time protocol client
-#
-# Author Petre Rodan <kaiowas@gentoo.org>
-#
-
-daemon_base_domain(clockspeed)
-var_lib_domain(clockspeed)
-can_network(clockspeed_t)
-allow clockspeed_t port_type:tcp_socket name_connect;
-read_locale(clockspeed_t)
-
-allow clockspeed_t self:capability { sys_time net_bind_service };
-allow clockspeed_t self:unix_dgram_socket create_socket_perms;
-allow clockspeed_t self:unix_stream_socket create_socket_perms;
-allow clockspeed_t clockspeed_port_t:udp_socket name_bind;
-allow clockspeed_t domain:packet_socket recvfrom;
-
-allow clockspeed_t var_t:dir search;
-allow clockspeed_t clockspeed_var_lib_t:file create_file_perms;
-allow clockspeed_t clockspeed_var_lib_t:fifo_file create_file_perms;
-
-# sysadm can play with clockspeed
-role sysadm_r types clockspeed_t;
-ifdef(`targeted_policy', `', `
-domain_auto_trans( sysadm_t, clockspeed_exec_t, clockspeed_t)
-')
diff --git a/strict/domains/program/unused/courier.te b/strict/domains/program/unused/courier.te
deleted file mode 100644
index 75e42d3..0000000
--- a/strict/domains/program/unused/courier.te
+++ /dev/null
@@ -1,139 +0,0 @@
-#DESC Courier - POP and IMAP servers
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: courier-base
-#
-
-# Type for files created during execution of courier.
-type courier_var_run_t, file_type, sysadmfile, pidfile;
-type courier_var_lib_t, file_type, sysadmfile;
-
-type courier_etc_t, file_type, sysadmfile;
-
-# allow start scripts to read the config
-allow initrc_t courier_etc_t:file r_file_perms;
-
-type courier_exec_t, file_type, sysadmfile, exec_type;
-type sqwebmail_cron_exec_t, file_type, sysadmfile, exec_type;
-
-define(`courier_domain', `
-#################################
-#
-# Rules for the courier_$1_t domain.
-#
-# courier_$1_exec_t is the type of the courier_$1 executables.
-#
-daemon_base_domain(courier_$1, `$2')
-
-allow courier_$1_t var_run_t:dir search;
-rw_dir_create_file(courier_$1_t, courier_var_run_t)
-allow courier_$1_t courier_var_run_t:sock_file create_file_perms;
-
-# allow it to read config files etc
-allow courier_$1_t { courier_etc_t var_t }:dir r_dir_perms;
-allow courier_$1_t courier_etc_t:file r_file_perms;
-allow courier_$1_t etc_t:dir r_dir_perms;
-allow courier_$1_t etc_t:file r_file_perms;
-
-# execute scripts etc
-allow courier_$1_t { bin_t courier_$1_exec_t }:file rx_file_perms;
-allow courier_$1_t bin_t:dir r_dir_perms;
-allow courier_$1_t fs_t:filesystem getattr;
-
-# set process group and allow permissions over-ride
-allow courier_$1_t self:process setpgid;
-allow courier_$1_t self:capability dac_override;
-
-# Use the network.
-can_network_server(courier_$1_t)
-allow courier_$1_t self:fifo_file { read write getattr };
-allow courier_$1_t self:unix_stream_socket create_stream_socket_perms;
-allow courier_$1_t self:unix_dgram_socket create_socket_perms;
-
-allow courier_$1_t null_device_t:chr_file rw_file_perms;
-
-# allow it to log to /dev/tty
-allow courier_$1_t devtty_t:chr_file rw_file_perms;
-
-allow courier_$1_t { usr_t etc_runtime_t }:file r_file_perms;
-allow courier_$1_t usr_t:dir r_dir_perms;
-allow courier_$1_t root_t:dir r_dir_perms;
-can_exec(courier_$1_t, courier_$1_exec_t)
-can_exec(courier_$1_t, bin_t)
-allow courier_$1_t bin_t:dir search;
-
-allow courier_$1_t proc_t:dir r_dir_perms;
-allow courier_$1_t proc_t:file r_file_perms;
-
-')dnl
-
-courier_domain(authdaemon, `, auth_chkpwd')
-allow courier_authdaemon_t sbin_t:dir search;
-allow courier_authdaemon_t lib_t:file { read getattr };
-allow courier_authdaemon_t tmp_t:dir getattr;
-allow courier_authdaemon_t self:file { getattr read };
-read_locale(courier_authdaemon_t)
-can_exec(courier_authdaemon_t, courier_exec_t)
-dontaudit courier_authdaemon_t selinux_config_t:dir search;
-
-# for SSP
-allow courier_authdaemon_t urandom_device_t:chr_file read;
-
-# should not be needed!
-allow courier_authdaemon_t home_root_t:dir search;
-allow courier_authdaemon_t user_home_dir_type:dir search;
-dontaudit courier_authdaemon_t sysadm_home_dir_t:dir search;
-allow courier_authdaemon_t self:unix_stream_socket connectto;
-allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config };
-
-courier_domain(tcpd)
-allow courier_tcpd_t self:capability { kill net_bind_service };
-allow courier_tcpd_t pop_port_t:tcp_socket name_bind;
-allow courier_tcpd_t sbin_t:dir search;
-allow courier_tcpd_t var_lib_t:dir search;
-# for TLS
-allow courier_tcpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
-read_locale(courier_tcpd_t)
-can_exec(courier_tcpd_t, courier_exec_t)
-allow courier_authdaemon_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
-allow courier_authdaemon_t courier_tcpd_t:process sigchld;
-
-can_tcp_connect(userdomain, courier_tcpd_t)
-rw_dir_create_file(courier_tcpd_t, courier_var_lib_t)
-
-# domain for pop and imap
-courier_domain(pop)
-read_locale(courier_pop_t)
-domain_auto_trans(courier_tcpd_t, courier_pop_exec_t, courier_pop_t)
-allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
-domain_auto_trans(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
-allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
-allow courier_authdaemon_t courier_tcpd_t:fd use;
-allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
-allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
-allow courier_pop_t courier_authdaemon_t:process sigchld;
-domain_auto_trans(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
-
-# inherits file handle - should it?
-allow courier_pop_t courier_var_lib_t:file { read write };
-
-# do the actual work (read the Maildir)
-# imap needs to write files
-allow courier_pop_t home_root_t:dir { getattr search };
-allow courier_pop_t user_home_dir_type:dir { getattr search };
-# pop does not need to create subdirs, IMAP does
-#rw_dir_create_file(courier_pop_t, user_home_type)
-create_dir_file(courier_pop_t, user_home_type)
-
-# for calendaring
-courier_domain(pcp)
-
-allow courier_pcp_t self:capability { setuid setgid };
-allow courier_pcp_t random_device_t:chr_file r_file_perms;
-
-# for webmail
-courier_domain(sqwebmail)
-ifdef(`crond.te', `
-system_crond_entry(sqwebmail_cron_exec_t, courier_sqwebmail_t)
-')
-read_sysctl(courier_sqwebmail_t)
diff --git a/strict/domains/program/unused/daemontools.te b/strict/domains/program/unused/daemontools.te
deleted file mode 100644
index b24a58c..0000000
--- a/strict/domains/program/unused/daemontools.te
+++ /dev/null
@@ -1,203 +0,0 @@
-#DESC Daemontools - Tools for managing UNIX services
-#
-# Author:  Petre Rodan <kaiowas@gentoo.org>
-# with the help of Chris PeBenito, Russell Coker and Tad Glines
-# 
-
-#
-# selinux policy for daemontools
-# http://cr.yp.to/daemontools.html
-#
-# thanks for D. J. Bernstein and the NSA team for the great software
-# they provide
-#
-
-##############################################################
-# type definitions
-
-type svc_conf_t, file_type, sysadmfile;
-type svc_log_t, file_type, sysadmfile;
-type svc_svc_t, file_type, sysadmfile;
-
-
-##############################################################
-# Macros
-define(`svc_filedir_domain', `
-create_dir_file($1, svc_svc_t)
-file_type_auto_trans($1, svc_svc_t, svc_svc_t);
-')
-
-##############################################################
-# the domains
-daemon_base_domain(svc_script)
-svc_filedir_domain(svc_script_t)
-
-# part started by initrc_t
-daemon_base_domain(svc_start)
-domain_auto_trans(init_t, svc_start_exec_t, svc_start_t)
-svc_filedir_domain(svc_start_t)
-
-# also get here from svc_script_t
-domain_auto_trans(svc_script_t, svc_start_exec_t, svc_start_t)
-
-# the domain for /service/*/run and /service/*/log/run
-daemon_sub_domain(svc_start_t, svc_run)
-r_dir_file(svc_run_t, svc_conf_t)
-
-# the logger
-daemon_sub_domain(svc_run_t, svc_multilog)
-file_type_auto_trans(svc_multilog_t, svc_log_t, svc_log_t, file);
-
-######
-# rules for all those domains
-
-# sysadm can tweak svc_run_exec_t files
-allow sysadm_t svc_run_exec_t:file create_file_perms;
-
-# run_init can control svc_script_t and svc_start_t domains
-domain_auto_trans(run_init_t, svc_script_exec_t, svc_script_t)
-domain_auto_trans(run_init_t, svc_start_exec_t, svc_start_t)
-allow initrc_t { svc_script_exec_t svc_start_exec_t }:file entrypoint;
-svc_filedir_domain(initrc_t)
-
-# svc_start_t
-allow svc_start_t self:fifo_file rw_file_perms;
-allow svc_start_t self:capability kill;
-allow svc_start_t self:unix_stream_socket create_socket_perms;
-
-allow svc_start_t { bin_t sbin_t etc_t }:dir r_dir_perms;
-allow svc_start_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
-allow svc_start_t { etc_t etc_runtime_t }:file r_file_perms;
-allow svc_start_t { var_t var_run_t }:dir search;
-can_exec(svc_start_t, bin_t)
-can_exec(svc_start_t, shell_exec_t)
-allow svc_start_t svc_start_exec_t:file { rx_file_perms execute_no_trans };
-allow svc_start_t svc_run_t:process signal;
-dontaudit svc_start_t proc_t:file r_file_perms;
-dontaudit svc_start_t devtty_t:chr_file { read write };
-
-# svc script
-allow svc_script_t self:capability sys_admin;
-allow svc_script_t self:fifo_file { getattr read write };
-allow svc_script_t self:file r_file_perms;
-allow svc_script_t { bin_t sbin_t var_t }:dir r_dir_perms;
-allow svc_script_t bin_t:lnk_file r_file_perms;
-can_exec(svc_script_t, bin_t)
-can_exec(svc_script_t, shell_exec_t)
-allow svc_script_t proc_t:file r_file_perms;
-allow svc_script_t shell_exec_t:file rx_file_perms;
-allow svc_script_t devtty_t:chr_file rw_file_perms;
-allow svc_script_t etc_runtime_t:file r_file_perms;
-allow svc_script_t svc_run_exec_t:file r_file_perms;
-allow svc_script_t svc_script_exec_t:file execute_no_trans;
-allow svc_script_t sysctl_kernel_t:dir r_dir_perms;
-allow svc_script_t sysctl_kernel_t:file r_file_perms;
-
-# svc_run_t
-allow svc_run_t self:capability { setgid setuid chown fsetid };
-allow svc_run_t self:fifo_file rw_file_perms;
-allow svc_run_t self:file r_file_perms;
-allow svc_run_t self:process { fork setrlimit };
-allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
-allow svc_run_t svc_svc_t:dir r_dir_perms;
-allow svc_run_t svc_svc_t:file r_file_perms;
-allow svc_run_t svc_run_exec_t:file { rx_file_perms execute_no_trans };
-allow svc_run_t { bin_t sbin_t etc_t }:dir r_dir_perms;
-allow svc_run_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
-allow svc_run_t { var_t var_run_t }:dir search;
-can_exec(svc_run_t, etc_t)
-can_exec(svc_run_t, lib_t)
-can_exec(svc_run_t, bin_t)
-can_exec(svc_run_t, sbin_t)
-can_exec(svc_run_t, ls_exec_t)
-can_exec(svc_run_t, shell_exec_t)
-allow svc_run_t devtty_t:chr_file rw_file_perms;
-allow svc_run_t etc_runtime_t:file r_file_perms;
-allow svc_run_t exec_type:{ file lnk_file } getattr;
-allow svc_run_t init_t:fd use;
-allow svc_run_t initrc_t:fd use;
-allow svc_run_t proc_t:file r_file_perms;
-allow svc_run_t sysctl_t:dir search;
-allow svc_run_t sysctl_kernel_t:dir r_dir_perms;
-allow svc_run_t sysctl_kernel_t:file r_file_perms;
-allow svc_run_t var_lib_t:dir r_dir_perms;
-
-# multilog creates /service/*/log/status
-allow svc_multilog_t svc_svc_t:dir { read search };
-allow svc_multilog_t svc_svc_t:file { append write };
-# writes to /var/log/*/*
-allow svc_multilog_t var_t:dir search;
-allow svc_multilog_t var_log_t:dir create_dir_perms;
-allow svc_multilog_t var_log_t:file create_file_perms;
-# misc
-allow svc_multilog_t init_t:fd use;
-allow svc_start_t svc_multilog_t:process signal;
-svc_ipc_domain(svc_multilog_t)
-
-################################################################
-# scripts that can be started by daemontools
-# keep it sorted please.
-
-ifdef(`apache.te', `
-domain_auto_trans(svc_run_t, httpd_exec_t, httpd_t)
-svc_ipc_domain(httpd_t)
-dontaudit httpd_t svc_svc_t:dir { search };
-')
-
-ifdef(`clamav.te', `
-domain_auto_trans(svc_run_t, clamd_exec_t, clamd_t)
-svc_ipc_domain(clamd_t)
-')
-
-ifdef(`clockspeed.te', `
-domain_auto_trans( svc_run_t, clockspeed_exec_t, clockspeed_t)
-svc_ipc_domain(clockspeed_t)
-r_dir_file(svc_run_t, clockspeed_var_lib_t)
-allow svc_run_t clockspeed_var_lib_t:fifo_file { rw_file_perms setattr };
-')
-
-ifdef(`dante.te', `
-domain_auto_trans( svc_run_t, dante_exec_t, dante_t);
-svc_ipc_domain(dante_t)
-')
-
-ifdef(`publicfile.te', `
-svc_ipc_domain(publicfile_t)
-')
-
-ifdef(`qmail.te', `
-allow svc_run_t qmail_start_exec_t:file rx_file_perms;
-domain_auto_trans(svc_run_t, qmail_start_exec_t, qmail_start_t)
-r_dir_file(svc_run_t, qmail_etc_t)
-svc_ipc_domain(qmail_send_t)
-svc_ipc_domain(qmail_start_t)
-svc_ipc_domain(qmail_queue_t)
-svc_ipc_domain(qmail_smtpd_t)
-')
-
-ifdef(`rsyncd.te', `
-domain_auto_trans(svc_run_t, rsyncd_exec_t, rsyncd_t)
-svc_ipc_domain(rsyncd_t)
-')
-
-ifdef(`spamd.te', `
-domain_auto_trans(svc_run_t, spamd_exec_t, spamd_t)
-svc_ipc_domain(spamd_t)
-')
-
-ifdef(`ssh.te', `
-domain_auto_trans(svc_run_t, sshd_exec_t, sshd_t)
-svc_ipc_domain(sshd_t)
-')
-
-ifdef(`stunnel.te', `
-domain_auto_trans( svc_run_t, stunnel_exec_t, stunnel_t)
-svc_ipc_domain(stunnel_t)
-')
-
-ifdef(`ucspi-tcp.te', `
-domain_auto_trans(svc_run_t, utcpserver_exec_t, utcpserver_t)
-allow svc_run_t utcpserver_t:process { signal };
-svc_ipc_domain(utcpserver_t)
-')
-
diff --git a/strict/domains/program/unused/dante.te b/strict/domains/program/unused/dante.te
deleted file mode 100644
index 70885ab..0000000
--- a/strict/domains/program/unused/dante.te
+++ /dev/null
@@ -1,23 +0,0 @@
-#DESC dante - socks daemon
-#
-# Author: petre rodan <kaiowas@gentoo.org>
-#
-
-type dante_conf_t, file_type, sysadmfile;
-
-daemon_domain(dante)
-can_network_server(dante_t)
-
-allow dante_t self:fifo_file { read write };
-allow dante_t self:capability { setuid setgid };
-allow dante_t self:unix_dgram_socket { connect create write };
-allow dante_t self:unix_stream_socket { connect create read setopt write };
-allow dante_t self:tcp_socket connect;
-
-allow dante_t socks_port_t:tcp_socket name_bind;
-
-allow dante_t { etc_t etc_runtime_t }:file r_file_perms;
-r_dir_file(dante_t, dante_conf_t)
-
-allow dante_t initrc_var_run_t:file { getattr write };
-
diff --git a/strict/domains/program/unused/dcc.te b/strict/domains/program/unused/dcc.te
deleted file mode 100644
index 598d929..0000000
--- a/strict/domains/program/unused/dcc.te
+++ /dev/null
@@ -1,252 +0,0 @@
-#
-# DCC - Distributed Checksum Clearinghouse
-# Author:  David Hampton <hampton@employees.org>
-#
-#
-# NOTE: DCC has writeable files in /etc/dcc that should probably be in
-# /var/lib/dcc.  For now this policy supports both directories being
-# writable.
-
-# Files common to all dcc programs
-type dcc_client_map_t, file_type, sysadmfile;
-type dcc_var_t, file_type, sysadmfile;
-type dcc_var_run_t, file_type, sysadmfile;
-
-
-##########
-##########
-
-#
-# common to all dcc variants
-#
-define(`dcc_common',`
-# Access files in /var/dcc. The map file can be updated
-r_dir_file($1_t, dcc_var_t)
-allow $1_t dcc_client_map_t:file rw_file_perms;
-
-# Read mtab, nsswitch and locale
-allow $1_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale($1_t)
-
-#Networking
-can_resolve($1_t)
-ifelse($2, `server', `
-can_network_udp($1_t)
-', `
-can_network_udp($1_t, `dcc_port_t')
-')
-allow $1_t self:unix_dgram_socket create_socket_perms;
-
-# Create private temp files
-tmp_domain($1)
-
-# Triggered by a call to gethostid(2) in dcc client libs
-allow $1_t self:unix_stream_socket { connect create };
-
-allow $1_t sysadm_su_t:process { sigchld };
-allow $1_t dcc_script_t:fd use;
-
-dontaudit $1_t kernel_t:fd use;
-dontaudit $1_t root_t:file read;
-')
-
-allow initrc_t dcc_var_run_t:dir rw_dir_perms;
-
-
-##########
-##########
-
-#
-# dccd - Server daemon that can be accessed over the net
-#
-daemon_domain(dccd, `, privlog, nscd_client_domain')
-dcc_common(dccd, server);
-
-# Runs the dbclean program
-allow dccd_t bin_t:dir search;
-domain_auto_trans(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
-
-# The daemon needs to listen on the dcc ports
-allow dccd_t dcc_port_t:udp_socket name_bind;
-
-# Updating dcc_db, flod, ...
-create_dir_file(dccd_t, dcc_var_t);
-
-allow dccd_t self:capability net_admin;
-allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-
-# Reading /proc/meminfo
-allow dccd_t proc_t:file { getattr read };
-
-
-#
-# cdcc - control dcc daemon
-#
-application_domain(cdcc, `, nscd_client_domain')
-role system_r types cdcc_t;
-dcc_common(cdcc)
-
-# suid program
-allow cdcc_t self:capability setuid;
-
-# Running from the command line
-allow cdcc_t sshd_t:fd use;
-allow cdcc_t sysadm_devpts_t:chr_file rw_file_perms;
-
-
-
-##########
-##########
-
-#
-# DCC Clients
-#
-
-#
-# dccifd  - Spamassassin and general MTA persistent client
-#
-daemon_domain(dccifd, `, privlog, nscd_client_domain')
-dcc_common(dccifd);
-file_type_auto_trans(dccifd_t, dcc_var_run_t, dccifd_var_run_t, file)
-
-# Allow the domain to communicate with other processes
-allow dccifd_t self:unix_stream_socket create_stream_socket_perms;
-
-# Updating dcc_db, flod, ...
-create_dir_notdevfile(dccifd_t, dcc_var_t);
-
-# Updating map, ...
-allow dccifd_t dcc_client_map_t:file rw_file_perms;
-
-# dccifd communications socket
-type dccifd_sock_t, file_type, sysadmfile;
-file_type_auto_trans(dccifd_t, dcc_var_t, dccifd_sock_t, sock_file)
-
-# Reading /proc/meminfo
-allow dccifd_t proc_t:file { getattr read };
-
-
-#
-# dccm  - sendmail milter client
-#
-daemon_domain(dccm, `, privlog, nscd_client_domain')
-dcc_common(dccm);
-file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_var_run_t, file)
-
-# Allow the domain to communicate with other processes
-allow dccm_t self:unix_stream_socket create_stream_socket_perms;
-
-# Updating map, ...
-create_dir_notdevfile(dccm_t, dcc_var_t);
-allow dccm_t dcc_client_map_t:file rw_file_perms;
-
-# dccm communications socket
-type dccm_sock_t, file_type, sysadmfile;
-file_type_auto_trans(dccm_t, dcc_var_run_t, dccm_sock_t, sock_file)
-
-
-#
-# dccproc - dcc procmail interface
-#
-application_domain(dcc_client, `, privlog, nscd_client_domain')
-role system_r types dcc_client_t;
-dcc_common(dcc_client)
-
-# suid program
-allow dcc_client_t self:capability setuid;
-
-# Running from the command line
-allow dcc_client_t sshd_t:fd use;
-allow dcc_client_t sysadm_devpts_t:chr_file rw_file_perms;
-
-
-##########
-##########
-
-#
-# DCC Utilities
-#
-
-#
-# dbclean - database cleanup tool
-#
-application_domain(dcc_dbclean, `, nscd_client_domain')
-role system_r types dcc_dbclean_t;
-dcc_common(dcc_dbclean)
-
-# Updating various files.
-create_dir_file(dcc_dbclean_t, dcc_var_t);
-
-# wants to look at /proc/meminfo
-allow dcc_dbclean_t proc_t:dir search;
-allow dcc_dbclean_t proc_t:file { getattr read };
-
-# Running from the command line
-allow dcc_dbclean_t sshd_t:fd use;
-allow dcc_dbclean_t sysadm_devpts_t:chr_file rw_file_perms;
-
-##########
-##########
-
-#
-# DCC Startup scripts
-#
-# These are shell sccripts that start/stop/restart the various dcc
-# programs.
-#
-init_service_domain(dcc_script, `, nscd_client_domain')
-general_domain_access(dcc_script_t)
-general_proc_read_access(dcc_script_t)
-can_exec_any(dcc_script_t)
-dcc_common(dcc_script)
-
-# Allow calling the script from an init script (initrt_t) or from
-# rc.local (staff_t)
-domain_auto_trans({ initrc_t staff_t }, dcc_script_exec_t, dcc_script_t)
-
-# Start up the daemon process.  These scripts run 'su' to change to
-# the dcc user (even though the default dcc user is root).
-allow dcc_script_t self:capability setuid;
-su_restricted_domain(dcc_script, system)
-role system_r types dcc_script_su_t;
-domain_auto_trans(dcc_script_su_t, dccd_exec_t, dccd_t)
-domain_auto_trans(dcc_script_su_t, dccm_exec_t, dccm_t)
-domain_auto_trans(dcc_script_su_t, dccifd_exec_t, dccifd_t)
-
-# Stop the daemon process
-allow dcc_script_t { dccifd_t dccm_t }:process { sigkill signal };
-
-# Access various DCC files
-allow dcc_script_t { var_t var_run_t dcc_var_run_t}:dir { getattr search };
-allow dcc_script_t { dccifd_var_run_t dccm_var_run_t }:file { getattr read };
-
-allow { dcc_script_t dcc_script_su_t } initrc_t:fd use;
-allow { dcc_script_t dcc_script_su_t } devpts_t:dir search;
-allow { dcc_script_t dcc_script_su_t } initrc_devpts_t:chr_file rw_file_perms;
-allow dcc_script_t devtty_t:chr_file { read write };
-allow dcc_script_su_t sysadm_home_dir_t:dir search;
-allow dcc_script_su_t sysadm_t:process { noatsecure rlimitinh siginh transition };
-allow dcc_script_su_t initrc_devpts_t:chr_file { relabelfrom relabelto };
-
-dontaudit dcc_script_su_t kernel_t:fd use;
-dontaudit dcc_script_su_t root_t:file read;
-dontaudit dcc_script_t { home_root_t user_home_dir_t}:dir { getattr search };
-
-allow sysadm_t dcc_script_t:fd use;
-
-##########
-##########
-
-#
-# External spam checkers need to run and/or talk to DCC
-#
-define(`access_dcc',`
-domain_auto_trans($1_t, dcc_client_exec_t, dcc_client_t);
-allow $1_t dcc_var_t:dir search;
-allow $1_t dccifd_sock_t:sock_file { getattr write };
-allow $1_t dccifd_t:unix_stream_socket connectto;
-allow $1_t dcc_script_t:unix_stream_socket connectto;
-')
-
-ifdef(`amavis.te',`access_dcc(amavisd)')
-ifdef(`spamd.te',`access_dcc(spamd)')
diff --git a/strict/domains/program/unused/ddclient.te b/strict/domains/program/unused/ddclient.te
deleted file mode 100644
index 29255f3..0000000
--- a/strict/domains/program/unused/ddclient.te
+++ /dev/null
@@ -1,44 +0,0 @@
-#DESC ddclient - Update dynamic IP address at DynDNS.org
-#
-# Author: Greg Norris <haphazard@kc.rr.com>
-# X-Debian-Packages: ddclient
-#
-
-#################################
-#
-# Rules for the ddclient_t domain.
-#
-daemon_domain(ddclient);
-type ddclient_etc_t, file_type, sysadmfile;
-type ddclient_var_t, file_type, sysadmfile;
-log_domain(ddclient)
-var_lib_domain(ddclient)
-
-base_file_read_access(ddclient_t)
-can_exec(ddclient_t, { shell_exec_t bin_t })
-
-# ddclient can be launched by pppd
-ifdef(`pppd.te',`domain_auto_trans(pppd_t, ddclient_exec_t, ddclient_t)')
-
-# misc. requirements
-allow ddclient_t self:fifo_file rw_file_perms;
-allow ddclient_t self:socket create_socket_perms;
-allow ddclient_t etc_t:file { getattr read };
-allow ddclient_t etc_runtime_t:file r_file_perms;
-allow ddclient_t ifconfig_exec_t:file { rx_file_perms execute_no_trans };
-allow ddclient_t urandom_device_t:chr_file read;
-general_proc_read_access(ddclient_t)
-allow ddclient_t sysctl_net_t:dir search;
-
-# network-related goodies
-can_network_client(ddclient_t)
-allow ddclient_t port_type:tcp_socket name_connect;
-allow ddclient_t self:unix_dgram_socket create_socket_perms;
-allow ddclient_t self:unix_stream_socket create_socket_perms;
-
-# allow access to ddclient.conf and ddclient.cache
-allow ddclient_t ddclient_etc_t:file r_file_perms;
-file_type_auto_trans(ddclient_t, var_t, ddclient_var_t)
-dontaudit ddclient_t devpts_t:dir search;
-dontaudit ddclient_t { devtty_t admin_tty_type user_tty_type }:chr_file rw_file_perms;
-dontaudit httpd_t selinux_config_t:dir search;
diff --git a/strict/domains/program/unused/distcc.te b/strict/domains/program/unused/distcc.te
deleted file mode 100644
index 56034f9..0000000
--- a/strict/domains/program/unused/distcc.te
+++ /dev/null
@@ -1,34 +0,0 @@
-#DESC distcc - Distributed compiler daemon
-#
-# Author: Chris PeBenito <pebenito@gentoo.org>
-#
-
-daemon_domain(distccd)
-can_network_server(distccd_t)
-can_ypbind(distccd_t)
-log_domain(distccd)
-tmp_domain(distccd)
-
-allow distccd_t distccd_port_t:tcp_socket name_bind;
-allow distccd_t self:capability { setgid setuid };
-
-# distccd can renice
-allow distccd_t self:process setsched;
-
-# compiler stuff
-allow distccd_t { bin_t sbin_t }:dir { search getattr };
-allow distccd_t { bin_t sbin_t }:lnk_file { getattr read };
-can_exec(distccd_t,bin_t)
-can_exec(distccd_t,lib_t)
-
-# comm stuff
-allow distccd_t net_conf_t:file r_file_perms;
-allow distccd_t self:{ unix_stream_socket unix_dgram_socket } { create connect read write };
-allow distccd_t self:fifo_file { read write getattr };
-
-# config access
-allow distccd_t { etc_t etc_runtime_t }:file r_file_perms;
-allow distccd_t proc_t:file r_file_perms;
-
-allow distccd_t var_t:dir search;
-allow distccd_t admin_tty_type:chr_file { ioctl read write };
diff --git a/strict/domains/program/unused/djbdns.te b/strict/domains/program/unused/djbdns.te
deleted file mode 100644
index 3e11395..0000000
--- a/strict/domains/program/unused/djbdns.te
+++ /dev/null
@@ -1,46 +0,0 @@
-# DESC selinux policy for djbdns
-# http://cr.yp.to/djbdns.html
-#
-# Author:  petre rodan <kaiowas@gentoo.org>
-#
-# this policy depends on ucspi-tcp and daemontools policies
-#
-
-ifdef(`daemontools.te', `
-ifdef(`ucspi-tcp.te', `
-
-define(`djbdns_daemon_domain', `
-type djbdns_$1_conf_t, file_type, sysadmfile;
-daemon_domain(djbdns_$1)
-domain_auto_trans( svc_run_t, djbdns_$1_exec_t, djbdns_$1_t)
-svc_ipc_domain(djbdns_$1_t)
-can_network(djbdns_$1_t)
-allow djbdns_$1_t port_type:tcp_socket name_connect;
-allow djbdns_$1_t dns_port_t:{ udp_socket tcp_socket } name_bind;
-allow djbdns_$1_t port_t:udp_socket name_bind;
-r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)
-allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
-allow djbdns_$1_t svc_svc_t:dir r_dir_perms;
-')
-
-define(`djbdns_tcpserver_domain', `
-type djbdns_$1_conf_t, file_type, sysadmfile;
-daemon_domain(djbdns_$1)
-domain_auto_trans(utcpserver_t, djbdns_$1_exec_t, djbdns_$1_t)
-svc_ipc_domain(djbdns_$1_t)
-allow utcpserver_t dns_port_t:{ udp_socket tcp_socket } name_bind;
-r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)
-allow djbdns_$1_t utcpserver_t:tcp_socket { read write };
-')
-
-djbdns_daemon_domain(dnscache)
-# read seed file
-allow djbdns_dnscache_t svc_svc_t:file r_file_perms;
-
-djbdns_daemon_domain(tinydns)
-
-djbdns_tcpserver_domain(axfrdns)
-r_dir_file(djbdns_axfrdns_t, djbdns_tinydns_t)
-
-') dnl ifdef ucspi-tcp.te
-') dnl ifdef daemontools.te
diff --git a/strict/domains/program/unused/dnsmasq.te b/strict/domains/program/unused/dnsmasq.te
deleted file mode 100644
index bdef592..0000000
--- a/strict/domains/program/unused/dnsmasq.te
+++ /dev/null
@@ -1,38 +0,0 @@
-#DESC dnsmasq - DNS forwarder and DHCP server
-#
-# Author: Greg Norris <haphazard@kc.rr.com>
-# X-Debian-Packages: dnsmasq
-#
-
-#################################
-#
-# Rules for the dnsmasq_t domain.
-#
-daemon_domain(dnsmasq);
-type dnsmasq_lease_t, file_type, sysadmfile;
-
-# misc. requirements
-allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw };
-allow dnsmasq_t urandom_device_t:chr_file read;
-
-# network-related goodies
-can_network_server(dnsmasq_t)
-can_ypbind(dnsmasq_t)
-allow dnsmasq_t self:packet_socket create_socket_perms;
-allow dnsmasq_t self:rawip_socket create_socket_perms;
-allow dnsmasq_t self:unix_dgram_socket create_socket_perms;
-allow dnsmasq_t self:unix_stream_socket create_stream_socket_perms;
-
-# UDP ports 53 and 67
-allow dnsmasq_t dhcpd_port_t:udp_socket name_bind;
-allow dnsmasq_t dns_port_t:{ tcp_socket udp_socket } name_bind;
-
-# By default, dnsmasq binds to the wildcard address to listen for DNS requests.
-# Comment out the following entry if you do not want to allow this behaviour.
-allow dnsmasq_t node_inaddr_any_t:udp_socket node_bind;
-
-# allow access to dnsmasq.conf
-allow dnsmasq_t etc_t:file r_file_perms;
-
-# dhcp leases
-file_type_auto_trans(dnsmasq_t, var_lib_t, dnsmasq_lease_t, file)
diff --git a/strict/domains/program/unused/dpkg.te b/strict/domains/program/unused/dpkg.te
deleted file mode 100644
index 4feb508..0000000
--- a/strict/domains/program/unused/dpkg.te
+++ /dev/null
@@ -1,414 +0,0 @@
-#DESC Dpkg - Debian package manager
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: dpkg
-#
-
-#################################
-#
-# Rules for the dpkg_t domain.
-#
-type dpkg_t, domain, admin, privlog, privmail, etc_writer, privmodule;
-type dpkg_exec_t, file_type, sysadmfile, exec_type;
-type dpkg_var_lib_t, file_type, sysadmfile;
-type dpkg_etc_t, file_type, sysadmfile, usercanread;
-type dpkg_lock_t, file_type, sysadmfile;
-type debconf_cache_t, file_type, sysadmfile;
-
-tmp_domain(dpkg)
-can_setfscreate(dpkg_t)
-can_exec(dpkg_t, { dpkg_exec_t bin_t shell_exec_t dpkg_tmp_t ls_exec_t dpkg_var_lib_t dpkg_etc_t sbin_t lib_t fsadm_exec_t })
-
-ifdef(`load_policy.te', `
-domain_auto_trans(dpkg_t, load_policy_exec_t, load_policy_t)
-')
-ifdef(`rlogind.te', `
-# for ssh
-can_exec(dpkg_t, rlogind_exec_t)
-')
-can_exec(dpkg_t, { init_exec_t etc_t })
-ifdef(`hostname.te', `
-can_exec(dpkg_t, hostname_exec_t)
-')
-ifdef(`mta.te', `
-allow system_mail_t dpkg_tmp_t:file { getattr read };
-')
-ifdef(`logrotate.te', `
-allow logrotate_t dpkg_var_lib_t:file create_file_perms;
-')
-
-# for open office
-can_exec(dpkg_t, usr_t)
-
-allow { dpkg_t apt_t install_menu_t } urandom_device_t:chr_file read;
-
-# for upgrading policycoreutils and loading policy
-allow dpkg_t security_t:dir { getattr search };
-allow dpkg_t security_t:file { getattr read };
-
-ifdef(`setfiles.te',
-`domain_auto_trans(dpkg_t, setfiles_exec_t, setfiles_t)')
-ifdef(`nscd.te', `domain_auto_trans(dpkg_t, nscd_exec_t, nscd_t)')
-ifdef(`modutil.te', `
-domain_auto_trans(dpkg_t, update_modules_exec_t, update_modules_t)
-domain_auto_trans(dpkg_t, depmod_exec_t, depmod_t)
-
-# for touch
-allow initrc_t modules_dep_t:file write;
-')
-ifdef(`ipsec.te', `
-allow { ipsec_mgmt_t ipsec_t } dpkg_t:fd use;
-allow ipsec_mgmt_t dpkg_t:fifo_file write;
-allow ipsec_mgmt_t dpkg_tmp_t:file { getattr write };
-allow ipsec_t dpkg_t:fifo_file { read write };
-domain_auto_trans(dpkg_t, ipsec_mgmt_exec_t, ipsec_mgmt_t)
-')
-ifdef(`cardmgr.te', `
-allow cardmgr_t dpkg_t:fd use;
-allow cardmgr_t dpkg_t:fifo_file write;
-domain_auto_trans(dpkg_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
-# for start-stop-daemon
-allow dpkg_t cardmgr_t:process signull;
-')
-ifdef(`mount.te', `
-domain_auto_trans(dpkg_t, mount_exec_t, mount_t)
-')
-ifdef(`mozilla.te', `
-# hate to do this, for mozilla install scripts
-can_exec(dpkg_t, mozilla_exec_t)
-')
-ifdef(`postfix.te', `
-domain_auto_trans(dpkg_t, postfix_master_exec_t, postfix_master_t)
-')
-ifdef(`apache.te', `
-domain_auto_trans(dpkg_t, httpd_exec_t, httpd_t)
-')
-ifdef(`named.te', `
-file_type_auto_trans(dpkg_t, named_zone_t, named_conf_t, file)
-')
-ifdef(`nsd.te', `
-allow nsd_crond_t initrc_t:fd use;
-allow nsd_crond_t initrc_devpts_t:chr_file { read write };
-domain_auto_trans(dpkg_t, nsd_exec_t, nsd_crond_t)
-')
-# because the syslogd package is broken and does not use the start scripts
-ifdef(`klogd.te', `
-domain_auto_trans(dpkg_t, klogd_exec_t, klogd_t)
-')
-ifdef(`syslogd.te', `
-domain_auto_trans(dpkg_t, syslogd_exec_t, syslogd_t)
-allow system_crond_t syslogd_t:dir search;
-allow system_crond_t syslogd_t:file { getattr read };
-allow system_crond_t syslogd_t:process signal;
-')
-# mysqld is broken too
-ifdef(`mysqld.te', `
-domain_auto_trans(dpkg_t, mysqld_exec_t, mysqld_t)
-can_unix_connect(dpkg_t, mysqld_t)
-allow mysqld_t dpkg_tmp_t:file { getattr read };
-')
-ifdef(`postgresql.te', `
-# because postgresql postinst creates scripts in /tmp and then runs them
-# also the init scripts do more than they should
-allow { initrc_t postgresql_t } dpkg_tmp_t:file write;
-# for "touch" when it tries to create the log file
-# this works for upgrades, maybe we should allow create access for first install
-allow initrc_t postgresql_log_t:file { write setattr };
-# for dumpall
-can_exec(postgresql_t, postgresql_db_t)
-')
-ifdef(`sysstat.te', `
-domain_auto_trans(dpkg_t, sysstat_exec_t, sysstat_t)
-')
-ifdef(`rpcd.te', `
-allow rpcd_t dpkg_t:fd use;
-allow rpcd_t dpkg_t:fifo_file { read write };
-')
-ifdef(`load_policy.te', `
-allow load_policy_t initrc_t:fifo_file { read write };
-')
-ifdef(`checkpolicy.te', `
-domain_auto_trans(dpkg_t, checkpolicy_exec_t, checkpolicy_t)
-role system_r types checkpolicy_t;
-allow checkpolicy_t initrc_t:fd use;
-allow checkpolicy_t initrc_t:fifo_file write;
-allow checkpolicy_t initrc_devpts_t:chr_file { read write };
-')
-ifdef(`amavis.te', `
-r_dir_file(initrc_t, dpkg_var_lib_t)
-')
-ifdef(`nessusd.te', `
-domain_auto_trans(dpkg_t, nessusd_exec_t, nessusd_t)
-')
-ifdef(`crack.te', `
-allow crack_t initrc_t:fd use;
-domain_auto_trans(dpkg_t, crack_exec_t, crack_t)
-')
-ifdef(`xdm.te', `
-domain_auto_trans(dpkg_t, xserver_exec_t, xdm_xserver_t)
-')
-ifdef(`clamav.te', `
-domain_auto_trans(dpkg_t, freshclam_exec_t, freshclam_t)
-')
-ifdef(`squid.te', `
-domain_auto_trans(dpkg_t, squid_exec_t, squid_t)
-')
-ifdef(`useradd.te', `
-domain_auto_trans(dpkg_t, useradd_exec_t, useradd_t)
-domain_auto_trans(dpkg_t, groupadd_exec_t, groupadd_t)
-role system_r types { useradd_t groupadd_t };
-')
-ifdef(`passwd.te', `
-domain_auto_trans(dpkg_t, chfn_exec_t, chfn_t)
-')
-ifdef(`ldconfig.te', `
-domain_auto_trans(dpkg_t, ldconfig_exec_t, ldconfig_t)
-')
-ifdef(`portmap.te', `
-# for pmap_dump
-domain_auto_trans(dpkg_t, portmap_exec_t, portmap_t)
-')
-
-# for apt
-type apt_t, domain, admin, privmail, web_client_domain;
-type apt_exec_t, file_type, sysadmfile, exec_type;
-type apt_var_lib_t, file_type, sysadmfile;
-type var_cache_apt_t, file_type, sysadmfile;
-etcdir_domain(apt)
-type apt_rw_etc_t, file_type, sysadmfile;
-tmp_domain(apt, `', `{ dir file lnk_file }')
-can_exec(apt_t, apt_tmp_t)
-ifdef(`crond.te', `
-allow system_crond_t apt_etc_t:file { getattr read };
-')
-
-rw_dir_create_file(apt_t, apt_rw_etc_t)
-
-allow { apt_t dpkg_t install_menu_t } device_t:dir { getattr search };
-
-dontaudit apt_t var_log_t:dir getattr;
-dontaudit apt_t var_run_t:dir search;
-
-# for rc files such as ~/.less
-r_dir_file(apt_t, sysadm_home_t)
-allow apt_t sysadm_home_dir_t:dir { search getattr };
-
-allow apt_t bin_t:lnk_file r_file_perms;
-
-rw_dir_create_file(apt_t, debconf_cache_t)
-r_dir_file(userdomain, debconf_cache_t)
-
-# for python
-read_sysctl(apt_t)
-read_sysctl(dpkg_t)
-
-allow dpkg_t console_device_t:chr_file rw_file_perms;
-
-allow apt_t self:unix_stream_socket create_socket_perms;
-
-allow dpkg_t domain:dir r_dir_perms;
-allow dpkg_t domain:{ file lnk_file } r_file_perms;
-
-# for shared objects that are not yet labelled (upgrades)
-allow { apt_t dpkg_t } lib_t:file execute;
-
-# when dpkg runs postinst scripts run them in initrc_t domain so that the
-# daemons are started in the correct context
-domain_auto_trans(dpkg_t, initrc_exec_t, initrc_t)
-
-ifdef(`bootloader.te', `
-domain_auto_trans(dpkg_t, bootloader_exec_t, bootloader_t)
-# for mkinitrd
-can_exec(bootloader_t, dpkg_exec_t)
-# for lilo to run dpkg
-allow bootloader_t dpkg_etc_t:file { getattr read };
-')
-
-# for kernel-image postinst
-dontaudit dpkg_t fixed_disk_device_t:blk_file read;
-
-# for /usr/lib/dpkg/controllib.pl calling getpwnam(3)
-dontaudit dpkg_t shadow_t:file { getattr read };
-
-# allow user domains to execute dpkg
-allow userdomain dpkg_exec_t:dir r_dir_perms;
-can_exec(userdomain, { dpkg_exec_t apt_exec_t })
-
-# allow everyone to read dpkg database
-allow userdomain var_lib_t:dir search;
-r_dir_file({ apt_t userdomain }, { dpkg_var_lib_t apt_var_lib_t var_cache_apt_t })
-
-# for /var/lib/dpkg/lock
-rw_dir_create_file(apt_t, dpkg_var_lib_t)
-
-ifdef(`crond.te', `
-rw_dir_create_file(system_crond_t, dpkg_var_lib_t)
-allow system_crond_t dpkg_etc_t:file r_file_perms;
-
-# for Debian cron job
-create_dir_file(system_crond_t, tetex_data_t)
-can_exec(dpkg_t, tetex_data_t)
-')
-
-r_dir_file(install_menu_t, { var_lib_t dpkg_var_lib_t lib_t })
-allow install_menu_t initrc_t:fifo_file { read write };
-allow { apt_t install_menu_t userdomain } dpkg_etc_t:file r_file_perms;
-can_exec(sysadm_t, dpkg_etc_t)
-
-# Inherit and use descriptors from open_init_pty
-allow { apt_t dpkg_t install_menu_t } initrc_t:fd use;
-dontaudit dpkg_t privfd:fd use;
-allow { apt_t dpkg_t install_menu_t } devpts_t:dir search;
-allow { apt_t dpkg_t install_menu_t } initrc_devpts_t:chr_file rw_file_perms;
-
-allow ifconfig_t dpkg_t:fd use;
-allow ifconfig_t dpkg_t:fifo_file { read write };
-
-uses_shlib({ dpkg_t apt_t })
-allow dpkg_t proc_t:dir r_dir_perms;
-allow dpkg_t proc_t:{ file lnk_file } r_file_perms;
-allow dpkg_t fs_t:filesystem getattr;
-
-allow dpkg_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource mknod linux_immutable };
-
-# for fgconsole - need policy for it
-allow dpkg_t self:capability sys_tty_config;
-
-allow dpkg_t self:unix_dgram_socket create_socket_perms;
-allow dpkg_t self:unix_stream_socket create_stream_socket_perms;
-can_unix_connect(dpkg_t, self)
-allow dpkg_t self:unix_dgram_socket sendto;
-allow dpkg_t self:unix_stream_socket connect;
-
-allow { dpkg_t apt_t } devtty_t:chr_file rw_file_perms;
-allow { dpkg_t apt_t } sysadm_tty_device_t:chr_file rw_file_perms;
-
-# dpkg really needs to be able to kill any process, unfortunate but true
-allow dpkg_t domain:process signal;
-allow dpkg_t sysadm_t:process sigchld;
-allow dpkg_t self:process { setpgid signal_perms fork getsched };
-
-# read/write/create any files in the system
-allow dpkg_t sysadmfile:dir create_dir_perms;
-allow dpkg_t sysadmfile:{ file fifo_file sock_file } create_file_perms;
-allow dpkg_t sysadmfile:lnk_file create_lnk_perms;
-allow dpkg_t device_type:{ chr_file blk_file } getattr;
-dontaudit dpkg_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
-allow dpkg_t proc_kmsg_t:file getattr;
-allow dpkg_t fs_type:dir getattr;
-
-# allow compiling and loading new policy
-create_dir_file(dpkg_t, { policy_src_t policy_config_t })
-
-# change to the apt_t domain on exec from dpkg_t (dselect)
-domain_auto_trans(dpkg_t, apt_exec_t, apt_t)
-
-# allow apt to change /var/lib/apt files
-allow apt_t { apt_var_lib_t var_cache_apt_t }:dir rw_dir_perms;
-allow apt_t { apt_var_lib_t var_cache_apt_t }:file create_file_perms;
-
-# allow apt to create /usr/lib/site-python/DebianControlParser.pyc
-rw_dir_create_file(apt_t, lib_t)
-
-# for apt-listbugs
-allow apt_t usr_t:file { getattr read ioctl };
-allow apt_t usr_t:lnk_file read;
-
-# allow /var/cache/apt/archives to be owned by non-root
-allow apt_t self:capability { chown dac_override fowner fsetid };
-
-can_exec(apt_t, { apt_exec_t bin_t sbin_t shell_exec_t })
-allow apt_t { bin_t sbin_t }:dir search;
-allow apt_t self:process { signal sigchld fork };
-allow apt_t sysadm_t:process sigchld;
-can_network({ apt_t dpkg_t })
-allow { apt_t dpkg_t } port_type:tcp_socket name_connect;
-can_ypbind({ apt_t dpkg_t })
-
-allow { apt_t dpkg_t } var_t:dir { search getattr };
-dontaudit apt_t { fs_type file_type }:dir getattr;
-allow { apt_t dpkg_t } { var_lib_t bin_t }:dir r_dir_perms;
-
-allow { apt_t dpkg_t } dpkg_lock_t:file { setattr rw_file_perms };
-
-# for /proc/meminfo and for "ps"
-allow apt_t { proc_t apt_t }:dir r_dir_perms;
-allow apt_t { proc_t apt_t }:{ file lnk_file } r_file_perms;
-allow apt_t self:fifo_file rw_file_perms;
-allow dpkg_t self:fifo_file rw_file_perms;
-
-allow apt_t etc_t:dir r_dir_perms;
-allow apt_t etc_t:file r_file_perms;
-allow apt_t etc_t:lnk_file read;
-read_locale(apt_t)
-r_dir_file(userdomain, apt_etc_t)
-
-# apt wants to check available disk space
-allow apt_t fs_t:filesystem getattr;
-allow apt_t etc_runtime_t:file r_file_perms;
-
-# auto transition from apt_t to dpkg_t because for 99% of Debian upgrades you
-# have apt run dpkg.
-# This means that getting apt_t access is almost as good as dpkg_t which has
-# as much power as sysadm_t...
-domain_auto_trans(apt_t, dpkg_exec_t, dpkg_t)
-
-# hack to allow update-menus/install-menu to manage menus
-type install_menu_t, domain, admin, etc_writer;
-type install_menu_exec_t, file_type, sysadmfile, exec_type;
-var_run_domain(install_menu)
-
-allow install_menu_t self:unix_stream_socket create_socket_perms;
-
-type debian_menu_t, file_type, sysadmfile;
-
-r_dir_file(userdomain, debian_menu_t)
-dontaudit install_menu_t sysadm_home_dir_t:dir search;
-create_dir_file(install_menu_t, debian_menu_t)
-allow install_menu_t dpkg_lock_t:file { setattr rw_file_perms };
-allow install_menu_t self:process signal;
-allow install_menu_t proc_t:dir search;
-allow install_menu_t proc_t:file r_file_perms;
-can_getcon(install_menu_t)
-can_exec(install_menu_t, { bin_t sbin_t shell_exec_t install_menu_exec_t dpkg_exec_t })
-allow install_menu_t { bin_t sbin_t }:dir search;
-allow install_menu_t bin_t:lnk_file read;
-
-# for menus
-allow install_menu_t usr_t:file r_file_perms;
-
-# for /etc/kde3/debian/kde-update-menu.sh
-can_exec(install_menu_t, etc_t)
-
-allow install_menu_t var_t:dir search;
-tmp_domain(install_menu)
-
-create_dir_file(install_menu_t, var_lib_t)
-ifdef(`xdm.te', `
-create_dir_file(install_menu_t, xdm_var_lib_t)
-')
-allow install_menu_t { var_spool_t etc_t }:dir rw_dir_perms;
-allow install_menu_t { var_spool_t etc_t }:file create_file_perms;
-allow install_menu_t self:fifo_file rw_file_perms;
-allow install_menu_t etc_runtime_t:file r_file_perms;
-allow install_menu_t devtty_t:chr_file rw_file_perms;
-allow install_menu_t fs_t:filesystem getattr;
-
-domain_auto_trans(dpkg_t, install_menu_exec_t, install_menu_t)
-allow dpkg_t install_menu_t:process signal_perms;
-
-allow install_menu_t privfd:fd use;
-uses_shlib(install_menu_t)
-
-allow install_menu_t self:process { fork sigchld };
-
-role system_r types { dpkg_t apt_t install_menu_t };
-
-#################################
-#
-# Rules for the run_deb_t domain.
-#
-#run_program(sysadm_t, sysadm_r, deb, dpkg_exec_t, dpkg_t)
-#domain_trans(run_deb_t, apt_exec_t, apt_t)
-domain_auto_trans(initrc_t, dpkg_exec_t, dpkg_t)
-domain_auto_trans(initrc_t, apt_exec_t, apt_t)
diff --git a/strict/domains/program/unused/gatekeeper.te b/strict/domains/program/unused/gatekeeper.te
deleted file mode 100644
index a1b464e..0000000
--- a/strict/domains/program/unused/gatekeeper.te
+++ /dev/null
@@ -1,51 +0,0 @@
-#DESC Gatekeeper - OpenH.323 voice over IP gate-keeper
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: opengate openh323gk
-#
-
-#################################
-#
-# Rules for the gatekeeper_t domain.
-#
-# gatekeeper_exec_t is the type of the gk executable.
-#
-daemon_domain(gatekeeper)
-
-# for SSP
-allow gatekeeper_t urandom_device_t:chr_file read;
-
-etc_domain(gatekeeper)
-allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
-logdir_domain(gatekeeper)
-
-# Use the network.
-can_network_server(gatekeeper_t)
-can_ypbind(gatekeeper_t)
-allow gatekeeper_t gatekeeper_port_t:{ udp_socket tcp_socket } name_bind;
-allow gatekeeper_t self:unix_stream_socket create_socket_perms;
-
-# for stupid symlinks
-tmp_domain(gatekeeper)
-
-# pthreads wants to know the kernel version
-read_sysctl(gatekeeper_t)
-
-allow gatekeeper_t etc_t:file { getattr read };
-
-allow gatekeeper_t etc_t:dir r_dir_perms;
-allow gatekeeper_t sbin_t:dir r_dir_perms;
-
-allow gatekeeper_t self:process setsched;
-allow gatekeeper_t self:fifo_file rw_file_perms;
-
-allow gatekeeper_t proc_t:file read;
-
-# for local users to run VOIP software
-can_udp_send(userdomain, gatekeeper_t)
-can_udp_send(gatekeeper_t, userdomain)
-can_tcp_connect(gatekeeper_t, userdomain)
-
-# this is crap, gk wants to create symlinks in /etc every time it starts and
-# remove them when it exits.
-#allow gatekeeper_t etc_t:dir rw_dir_perms;
diff --git a/strict/domains/program/unused/gift.te b/strict/domains/program/unused/gift.te
deleted file mode 100644
index 9e9786e..0000000
--- a/strict/domains/program/unused/gift.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# DESC - giFT file sharing tool
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-type gift_exec_t, file_type, exec_type, sysadmfile;
-type giftd_exec_t, file_type, exec_type, sysadmfile;
-
-# Everything else is in macros/program/gift_macros.te
diff --git a/strict/domains/program/unused/imazesrv.te b/strict/domains/program/unused/imazesrv.te
deleted file mode 100644
index 27bae3f..0000000
--- a/strict/domains/program/unused/imazesrv.te
+++ /dev/null
@@ -1,29 +0,0 @@
-#DESC Imazesrv - Imaze Server
-#
-# Author:  Torsten Knodt <tk-selinux@datas-world.de>
-# based on games.te by Russell Coker <russell@coker.com.au>
-#
-
-# type for shared data from imazesrv
-type imazesrv_data_t, file_type, sysadmfile;
-type imazesrv_data_labs_t, file_type, sysadmfile;
-
-# domain imazesrv_t is for system operation of imazesrv
-# also defines imazesrv_exec_t
-daemon_domain(imazesrv)
-log_domain(imazesrv);
-
-r_dir_file(imazesrv_t, imazesrv_data_t)
-
-allow imazesrv_t imaze_port_t:tcp_socket name_bind;
-allow imazesrv_t imaze_port_t:udp_socket name_bind;
-
-create_append_log_file(imazesrv_t,imazesrv_log_t)
-
-can_network_server(imazesrv_t)
-
-allow imazesrv_t self:capability net_bind_service;
-
-r_dir_file(imazesrv_t, etc_t)
-
-general_domain_access(imazesrv_t)
diff --git a/strict/domains/program/unused/ircd.te b/strict/domains/program/unused/ircd.te
deleted file mode 100644
index c85390e..0000000
--- a/strict/domains/program/unused/ircd.te
+++ /dev/null
@@ -1,43 +0,0 @@
-#DESC Ircd - IRC server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: ircd dancer-ircd ircd-hybrid ircd-irc2 ircd-ircu
-#
-
-#################################
-#
-# Rules for the ircd_t domain.
-#
-# ircd_exec_t is the type of the slapd executable.
-#
-daemon_domain(ircd)
-
-allow ircd_t ircd_port_t:tcp_socket name_bind;
-
-etcdir_domain(ircd)
-
-logdir_domain(ircd)
-
-var_lib_domain(ircd)
-
-# Use the network.
-can_network_server(ircd_t)
-can_ypbind(ircd_t)
-#allow ircd_t self:fifo_file { read write };
-allow ircd_t self:unix_stream_socket create_socket_perms;
-allow ircd_t self:unix_dgram_socket create_socket_perms;
-
-allow ircd_t devtty_t:chr_file rw_file_perms;
-
-allow ircd_t sbin_t:dir search;
-
-allow ircd_t proc_t:file { getattr read };
-
-# read config files
-allow ircd_t { etc_t etc_runtime_t }:file { getattr read };
-allow ircd_t etc_t:lnk_file read;
-
-ifdef(`logrotate.te', `
-allow logrotate_t ircd_var_run_t:dir search;
-allow logrotate_t ircd_var_run_t:file { getattr read };
-')
diff --git a/strict/domains/program/unused/jabberd.te b/strict/domains/program/unused/jabberd.te
deleted file mode 100644
index aed3b81..0000000
--- a/strict/domains/program/unused/jabberd.te
+++ /dev/null
@@ -1,29 +0,0 @@
-#DESC jabberd - Jabber daemon
-#
-# Author: Colin Walters <walters@verbum.org>
-# X-Debian-Packages: jabber
-
-daemon_domain(jabberd)
-logdir_domain(jabberd)
-var_lib_domain(jabberd)
-
-allow jabberd_t jabber_client_port_t:tcp_socket name_bind;
-allow jabberd_t jabber_interserver_port_t:tcp_socket name_bind;
-
-allow jabberd_t etc_t:lnk_file read;
-allow jabberd_t { etc_t etc_runtime_t }:file { read getattr };
-
-# For SSL
-allow jabberd_t random_device_t:file r_file_perms;
-
-can_network_server(jabberd_t)
-can_ypbind(jabberd_t)
-
-allow jabberd_t self:unix_dgram_socket create_socket_perms;
-allow jabberd_t self:unix_stream_socket create_socket_perms;
-allow jabberd_t self:fifo_file { read write getattr };
-
-allow jabberd_t self:capability dac_override;
-
-# allow any user domain to connect to jabber
-can_tcp_connect(userdomain, jabberd_t)
diff --git a/strict/domains/program/unused/lcd.te b/strict/domains/program/unused/lcd.te
deleted file mode 100644
index 2e2eddf..0000000
--- a/strict/domains/program/unused/lcd.te
+++ /dev/null
@@ -1,35 +0,0 @@
-#DESC lcd - program for Cobalt LCD device
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#################################
-#
-# Rules for the lcd_t domain.
-#
-# lcd_t is the domain for the lcd program.
-# lcd_exec_t is the type of the corresponding program.
-#
-type lcd_t, domain, privlog;
-role sysadm_r types lcd_t;
-role system_r types lcd_t;
-uses_shlib(lcd_t)
-type lcd_exec_t, file_type, sysadmfile, exec_type;
-type lcd_device_t, file_type;
-
-# Transition into this domain when you run this program.
-domain_auto_trans(initrc_t, lcd_exec_t, lcd_t)
-domain_auto_trans(sysadm_t, lcd_exec_t, lcd_t)
-
-allow lcd_t lcd_device_t:chr_file rw_file_perms;
-
-# for /etc/locks/.lcd_lock
-lock_domain(lcd)
-allow lcd_t etc_t:lnk_file read;
-allow lcd_t var_t:dir search;
-
-# Access the terminal.
-allow lcd_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow lcd_t sysadm_gph_t:fd use;')
-allow lcd_t privfd:fd use;
-
diff --git a/strict/domains/program/unused/lrrd.te b/strict/domains/program/unused/lrrd.te
deleted file mode 100644
index b1916f1..0000000
--- a/strict/domains/program/unused/lrrd.te
+++ /dev/null
@@ -1,68 +0,0 @@
-#DESC LRRD - network-wide load graphing
-#
-# Author:  Erich Schubert <erich@debian.org>
-# X-Debian-Packages: lrrd-client, lrrd-server
-#
-
-#################################
-#
-# Rules for the lrrd_t domain.
-#
-# lrrd_exec_t is the type of the lrrd executable.
-#
-daemon_domain(lrrd)
-
-allow lrrd_t lrrd_var_run_t:sock_file create_file_perms;
-
-etcdir_domain(lrrd)
-type lrrd_var_lib_t, file_type, sysadmfile;
-
-log_domain(lrrd)
-tmp_domain(lrrd)
-
-# has cron jobs
-system_crond_entry(lrrd_exec_t, lrrd_t)
-allow crond_t lrrd_var_lib_t:dir search;
-
-# init script
-allow initrc_t lrrd_log_t:file { write append setattr ioctl };
-
-# allow to drop privileges and renice
-allow lrrd_t self:capability { setgid setuid };
-allow lrrd_t self:process { getsched setsched };
-
-allow lrrd_t urandom_device_t:chr_file { getattr read };
-allow lrrd_t proc_t:file { getattr read };
-allow lrrd_t usr_t:file { read ioctl };
-
-can_exec(lrrd_t, bin_t)
-allow lrrd_t bin_t:dir search;
-allow lrrd_t usr_t:lnk_file read;
-
-# Allow access to the lrrd databases
-create_dir_file(lrrd_t, lrrd_var_lib_t)
-allow lrrd_t var_lib_t:dir search;
-
-# read config files
-r_dir_file(initrc_t, lrrd_etc_t)
-allow lrrd_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
-# for accessing the output directory
-ifdef(`apache.te', `
-allow lrrd_t httpd_sys_content_t:dir search;
-')
-
-allow lrrd_t etc_t:dir search;
-
-can_unix_connect(sysadm_t, lrrd_t)
-can_unix_connect(lrrd_t, lrrd_t)
-can_unix_send(lrrd_t, lrrd_t)
-can_network_server(lrrd_t)
-can_ypbind(lrrd_t)
-
-ifdef(`logrotate.te', `
-r_dir_file(logrotate_t, lrrd_etc_t)
-allow logrotate_t lrrd_var_lib_t:dir search;
-allow logrotate_t lrrd_var_run_t:dir search;
-allow logrotate_t lrrd_var_run_t:sock_file write;
-can_unix_connect(logrotate_t, lrrd_t)
-')
diff --git a/strict/domains/program/unused/monopd.te b/strict/domains/program/unused/monopd.te
deleted file mode 100644
index 3512592..0000000
--- a/strict/domains/program/unused/monopd.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC MonopD - Monopoly Daemon
-#
-# Author: Torsten Knodt <tk-selinux@datas-world.de>
-# based on the dhcpd_t policy from:
-#          Russell Coker <russell@coker.com.au>
-#
-
-#################################
-#
-# Rules for the monopd_t domain.
-#
-daemon_domain(monopd)
-etc_domain(monopd)
-typealias monopd_etc_t alias etc_monopd_t;
-
-type monopd_share_t, file_type, sysadmfile;
-typealias monopd_share_t alias share_monopd_t;
-
-# Use the network.
-can_network_server(monopd_t)
-can_ypbind(monopd_t)
-
-allow monopd_t monopd_port_t:tcp_socket name_bind;
-
-r_dir_file(monopd_t,share_monopd_t)
-
-allow monopd_t self:unix_dgram_socket create_socket_perms;
-allow monopd_t self:unix_stream_socket create_socket_perms;
-
-r_dir_file(monopd_t, etc_t)
diff --git a/strict/domains/program/unused/nagios.te b/strict/domains/program/unused/nagios.te
deleted file mode 100644
index 9d540c8..0000000
--- a/strict/domains/program/unused/nagios.te
+++ /dev/null
@@ -1,90 +0,0 @@
-#DESC Net Saint / NAGIOS - network monitoring server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: netsaint, nagios
-# Depends: mta.te
-#
-
-#################################
-#
-# Rules for the nagios_t domain.
-#
-# nagios_exec_t is the type of the netsaint/nagios executable.
-#
-daemon_domain(nagios, `, privmail')
-
-etcdir_domain(nagios)
-
-logdir_domain(nagios)
-allow nagios_t nagios_log_t:fifo_file create_file_perms;
-allow initrc_t nagios_log_t:dir rw_dir_perms;
-
-tmp_domain(nagios)
-allow system_mail_t nagios_tmp_t:file { getattr read };
-# for open file handles
-dontaudit system_mail_t nagios_etc_t:file read;
-dontaudit system_mail_t nagios_log_t:fifo_file read;
-
-# Use the network.
-allow nagios_t self:fifo_file rw_file_perms;
-allow nagios_t self:unix_stream_socket create_socket_perms;
-allow nagios_t self:unix_dgram_socket create_socket_perms;
-
-# Use capabilities
-allow nagios_t self:capability { dac_override setgid setuid };
-allow nagios_t self:process setpgid;
-
-allow nagios_t { bin_t sbin_t }:dir search;
-allow nagios_t bin_t:lnk_file read;
-can_exec(nagios_t, { shell_exec_t bin_t })
-
-allow nagios_t proc_t:file { getattr read };
-
-can_network_server(nagios_t)
-can_ypbind(nagios_t)
-
-# read config files
-allow nagios_t { etc_t etc_runtime_t }:file { getattr read };
-allow nagios_t etc_t:lnk_file read;
-
-allow nagios_t etc_t:dir r_dir_perms;
-
-# for ps
-r_dir_file(nagios_t, domain)
-allow nagios_t boot_t:dir search;
-allow nagios_t system_map_t:file { getattr read };
-
-# for who
-allow nagios_t initrc_var_run_t:file { getattr read lock };
-
-system_domain(nagios_cgi)
-allow nagios_cgi_t device_t:dir search;
-r_dir_file(nagios_cgi_t, nagios_etc_t)
-allow nagios_cgi_t var_log_t:dir search;
-r_dir_file(nagios_cgi_t, nagios_log_t)
-allow nagios_cgi_t self:process { fork signal_perms };
-allow nagios_cgi_t self:fifo_file rw_file_perms;
-allow nagios_cgi_t bin_t:dir search;
-can_exec(nagios_cgi_t, bin_t)
-read_locale(nagios_cgi_t)
-
-# for ps
-allow nagios_cgi_t { etc_runtime_t etc_t }:file { getattr read };
-r_dir_file(nagios_cgi_t, { proc_t self nagios_t })
-allow nagios_cgi_t boot_t:dir search;
-allow nagios_cgi_t system_map_t:file { getattr read };
-dontaudit nagios_cgi_t domain:dir getattr;
-allow nagios_cgi_t self:unix_stream_socket create_socket_perms;
-
-ifdef(`apache.te', `
-r_dir_file(httpd_t, nagios_etc_t)
-domain_auto_trans({ httpd_t httpd_suexec_t }, nagios_cgi_exec_t, nagios_cgi_t)
-allow nagios_cgi_t httpd_log_t:file append;
-')
-
-ifdef(`ping.te', `
-domain_auto_trans(nagios_t, ping_exec_t, ping_t)
-allow nagios_t ping_t:process { sigkill signal };
-dontaudit ping_t nagios_etc_t:file read;
-dontaudit ping_t nagios_log_t:fifo_file read;
-')
diff --git a/strict/domains/program/unused/nessusd.te b/strict/domains/program/unused/nessusd.te
deleted file mode 100644
index 65d89e1..0000000
--- a/strict/domains/program/unused/nessusd.te
+++ /dev/null
@@ -1,54 +0,0 @@
-#DESC Nessus network scanning daemon
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: nessus
-#
-
-#################################
-#
-# Rules for the nessusd_t domain.
-#
-# nessusd_exec_t is the type of the nessusd executable.
-#
-daemon_domain(nessusd)
-
-etc_domain(nessusd)
-type nessusd_db_t, file_type, sysadmfile;
-
-allow nessusd_t nessus_port_t:tcp_socket name_bind;
-
-#tmp_domain(nessusd)
-
-# Use the network.
-can_network(nessusd_t)
-allow nessusd_t port_type:tcp_socket name_connect;
-can_ypbind(nessusd_t)
-allow nessusd_t self:unix_stream_socket create_socket_perms;
-#allow nessusd_t self:unix_dgram_socket create_socket_perms;
-
-# why ioctl on /dev/urandom?
-allow nessusd_t random_device_t:chr_file { getattr read ioctl };
-allow nessusd_t self:{ rawip_socket packet_socket } create_socket_perms;
-allow nessusd_t self:capability net_raw;
-
-# for nmap etc
-allow nessusd_t { bin_t sbin_t }:dir search;
-allow nessusd_t bin_t:lnk_file read;
-can_exec(nessusd_t, bin_t)
-allow nessusd_t self:fifo_file { getattr read write };
-
-# allow user domains to connect to nessusd
-can_tcp_connect(userdomain, nessusd_t)
-
-allow nessusd_t self:process setsched;
-
-allow nessusd_t proc_t:file { getattr read };
-
-# Allow access to the nessusd authentication database
-create_dir_file(nessusd_t, nessusd_db_t)
-allow nessusd_t var_lib_t:dir r_dir_perms;
-
-# read config files
-allow nessusd_t { etc_t etc_runtime_t }:file r_file_perms;
-
-logdir_domain(nessusd)
diff --git a/strict/domains/program/unused/nrpe.te b/strict/domains/program/unused/nrpe.te
deleted file mode 100644
index 87d1a02..0000000
--- a/strict/domains/program/unused/nrpe.te
+++ /dev/null
@@ -1,40 +0,0 @@
-# DESC nrpe - Nagios Remote Plugin Execution
-#
-# Author: Thomas Bleher <ThomasBleher@gmx.de>
-#
-# Depends: tcpd.te
-# X-Debian-Packages: nagios-nrpe-server
-#
-# This policy assumes that nrpe is called from inetd
-
-daemon_base_domain(nrpe)
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, nrpe_exec_t, nrpe_t)
-')
-domain_auto_trans(inetd_t, nrpe_exec_t, nrpe_t)
-
-allow nrpe_t urandom_device_t:chr_file { getattr ioctl read };
-
-allow nrpe_t self:fifo_file rw_file_perms;
-allow nrpe_t self:unix_dgram_socket create_socket_perms;
-# use sockets inherited from inetd
-allow nrpe_t inetd_t:tcp_socket { ioctl read write };
-allow nrpe_t devtty_t:chr_file { read write };
-
-allow nrpe_t self:process setpgid;
-
-etc_domain(nrpe)
-read_locale(nrpe_t)
-
-# permissions for the scripts executed by nrpe
-#
-# call shell programs
-can_exec(nrpe_t, { bin_t shell_exec_t ls_exec_t })
-allow nrpe_t { bin_t sbin_t }:dir search;
-# for /bin/sh
-allow nrpe_t bin_t:lnk_file read;
-
-# read /proc/meminfo, /proc/self/mounts and /etc/mtab
-allow nrpe_t { self proc_t etc_runtime_t }:file { getattr read };
-
-# you will have to add more permissions here, depending on the scripts you call!
diff --git a/strict/domains/program/unused/nsd.te b/strict/domains/program/unused/nsd.te
deleted file mode 100644
index 2aa35c5..0000000
--- a/strict/domains/program/unused/nsd.te
+++ /dev/null
@@ -1,102 +0,0 @@
-#DESC Authoritative only name server
-#
-# Author: Russell Coker
-# X-Debian-Packages: nsd
-# 
-#
-
-#################################
-#
-# Rules for the nsd_t domain.
-#
-
-daemon_domain(nsd)
-
-# a type for nsd.db
-type nsd_db_t, file_type, sysadmfile;
-
-# for zone update cron job
-type nsd_crond_t, domain, privlog;
-role system_r types nsd_crond_t;
-uses_shlib(nsd_crond_t)
-can_network_client(nsd_crond_t)
-allow nsd_crond_t port_type:tcp_socket name_connect;
-can_ypbind(nsd_crond_t)
-allow nsd_crond_t self:unix_dgram_socket create_socket_perms;
-allow nsd_crond_t self:process { fork signal_perms };
-system_crond_entry(nsd_exec_t, nsd_crond_t)
-allow nsd_crond_t { proc_t etc_runtime_t }:file { getattr read };
-allow nsd_crond_t proc_t:lnk_file { getattr read };
-allow nsd_crond_t { bin_t sbin_t }:dir search;
-can_exec(nsd_crond_t, { nsd_exec_t bin_t sbin_t shell_exec_t })
-allow nsd_crond_t { bin_t sbin_t shell_exec_t }:file getattr;
-allow nsd_crond_t bin_t:lnk_file read;
-read_locale(nsd_crond_t)
-allow nsd_crond_t self:fifo_file rw_file_perms;
-# kill capability for root cron job and non-root daemon
-allow nsd_crond_t self:capability { dac_override kill };
-allow nsd_crond_t nsd_t:process signal;
-dontaudit nsd_crond_t sysadm_home_dir_t:dir { search getattr };
-dontaudit nsd_crond_t self:capability sys_nice;
-dontaudit nsd_crond_t domain:dir search;
-allow nsd_crond_t self:process setsched;
-can_ps(nsd_crond_t, nsd_t)
-
-file_type_auto_trans(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
-file_type_auto_trans({ nsd_t nsd_crond_t }, nsd_zone_t, nsd_db_t, file)
-allow nsd_crond_t var_lib_t:dir search;
-
-allow nsd_crond_t nsd_conf_t:file { getattr read ioctl };
-allow nsd_crond_t nsd_zone_t:dir rw_dir_perms;
-allow nsd_crond_t proc_t:dir r_dir_perms;
-allow nsd_crond_t device_t:dir search;
-allow nsd_crond_t devtty_t:chr_file rw_file_perms;
-allow nsd_crond_t etc_t:file { getattr read };
-allow nsd_crond_t etc_t:lnk_file read;
-allow nsd_crond_t { var_t var_run_t }:dir search;
-allow nsd_crond_t nsd_var_run_t:file { getattr read };
-
-# for SSP
-allow nsd_crond_t urandom_device_t:chr_file read;
-
-# A type for configuration files of nsd
-type nsd_conf_t, file_type, sysadmfile;
-# A type for zone files
-type nsd_zone_t, file_type, sysadmfile;
-
-r_dir_file(nsd_t, { nsd_conf_t nsd_zone_t })
-# zone files may be in /var/lib/nsd
-allow nsd_t var_lib_t:dir search;
-r_dir_file(initrc_t, nsd_conf_t)
-allow nsd_t etc_runtime_t:file { getattr read };
-allow nsd_t proc_t:file { getattr read };
-allow nsd_t { sbin_t bin_t }:dir search;
-can_exec(nsd_t, { nsd_exec_t bin_t })
-
-# Use capabilities.  chown is for chowning /var/run/nsd.pid
-allow nsd_t self:capability { dac_override chown setuid setgid net_bind_service };
-
-allow nsd_t etc_t:{ file lnk_file } { getattr read };
-
-# nsd can use network
-can_network_server(nsd_t)
-can_ypbind(nsd_t)
-# allow client access from caching BIND
-ifdef(`named.te', `
-can_udp_send(named_t, nsd_t)
-can_udp_send(nsd_t, named_t)
-can_tcp_connect(named_t, nsd_t)
-')
-
-# if you want to allow all programs to contact the primary name server
-#can_udp_send(domain, nsd_t)
-#can_udp_send(nsd_t, domain)
-#can_tcp_connect(domain, nsd_t)
-
-# Bind to the named port.
-allow nsd_t dns_port_t:udp_socket name_bind;
-allow nsd_t dns_port_t:tcp_socket name_bind;
-
-allow nsd_t self:unix_stream_socket create_stream_socket_perms;
-allow nsd_t self:unix_dgram_socket create_socket_perms;
-
diff --git a/strict/domains/program/unused/nx_server.te b/strict/domains/program/unused/nx_server.te
deleted file mode 100644
index a6e723a..0000000
--- a/strict/domains/program/unused/nx_server.te
+++ /dev/null
@@ -1,70 +0,0 @@
-# DESC NX - NX Server
-#
-# Author: Thomas Bleher <ThomasBleher@gmx.de>
-#
-# Depends: sshd.te
-#
-
-# Type for the nxserver executable, called from ssh
-type nx_server_exec_t, file_type, sysadmfile, exec_type;
-
-# type of the nxserver; userdomain is needed so sshd can transition
-type nx_server_t, domain, userdomain;
-
-# we need an extra role because nxserver is called from sshd
-role nx_server_r types nx_server_t;
-allow system_r nx_server_r;
-domain_trans(sshd_t, nx_server_exec_t, nx_server_t)
-
-# not really sure if the additional attributes are needed, copied from userdomains
-can_create_pty(nx_server, `, userpty_type, user_tty_type')
-type_change nx_server_t server_pty:chr_file nx_server_devpts_t;
-
-uses_shlib(nx_server_t)
-read_locale(nx_server_t)
-
-tmp_domain(nx_server)
-var_run_domain(nx_server)
-
-# nxserver is a shell script --> call other programs
-can_exec(nx_server_t, { bin_t shell_exec_t })
-allow nx_server_t self:process { fork sigchld };
-allow nx_server_t self:fifo_file { getattr ioctl read write };
-allow nx_server_t bin_t:dir { getattr read search };
-allow nx_server_t bin_t:lnk_file read;
-
-r_dir_file(nx_server_t, proc_t)
-allow nx_server_t { etc_t etc_runtime_t }:file { getattr read };
-
-# we do not actually need this attribute or the types defined here, 
-# but otherwise we cannot call the ssh_domain-macro
-attribute nx_server_file_type;
-type nx_server_home_dir_t alias nx_server_home_t;
-type nx_server_xauth_home_t;
-type nx_server_tty_device_t;
-type nx_server_gph_t;
-type nx_server_fonts_cache_t;
-type nx_server_fonts_t;
-type nx_server_fonts_config_t;
-type nx_server_gnome_settings_t;
-
-ssh_domain(nx_server)
-
-can_network_client(nx_server_t)
-allow nx_server_t port_type:tcp_socket name_connect;
-
-allow nx_server_t devtty_t:chr_file { read write };
-allow nx_server_t sysctl_kernel_t:dir search;
-allow nx_server_t sysctl_kernel_t:file { getattr read };
-allow nx_server_t urandom_device_t:chr_file read;
-# for reading the config files; maybe a separate type, 
-# but users need to be able to also read the config
-allow nx_server_t usr_t:file { getattr read };
-
-dontaudit nx_server_t selinux_config_t:dir search;
-
-# clients already have create permissions; the nxclient wants to also have unlink rights
-allow userdomain xdm_tmp_t:sock_file unlink;
-# for a lockfile created by the client process
-allow nx_server_t user_tmpfile:file getattr;
-
diff --git a/strict/domains/program/unused/oav-update.te b/strict/domains/program/unused/oav-update.te
deleted file mode 100644
index a9843c6..0000000
--- a/strict/domains/program/unused/oav-update.te
+++ /dev/null
@@ -1,38 +0,0 @@
-#DESC Oav - Anti-virus update program
-#
-# Author:  Brian May <bam@snoopy.apana.org.au>
-# X-Debian-Packages:
-#
-
-type oav_update_var_lib_t, file_type, sysadmfile;
-type oav_update_exec_t, file_type, sysadmfile, exec_type;
-type oav_update_etc_t, file_type, sysadmfile;
-
-# Derived domain based on the calling user domain and the program.
-type oav_update_t, domain, privlog;
-
-# Transition from the sysadm domain to the derived domain.
-role sysadm_r types oav_update_t;
-domain_auto_trans(sysadm_t, oav_update_exec_t, oav_update_t)
-
-# Transition from the sysadm domain to the derived domain.
-role system_r types oav_update_t;
-system_crond_entry(oav_update_exec_t, oav_update_t)
-
-# Uses shared librarys
-uses_shlib(oav_update_t)
-
-# Run helper programs.
-can_exec_any(oav_update_t,bin_t)
-
-# Can read /etc/oav-update/* files
-allow oav_update_t oav_update_etc_t:dir r_dir_perms;
-allow oav_update_t oav_update_etc_t:file r_file_perms;
-
-# Can read /var/lib/oav-update/current
-allow oav_update_t oav_update_var_lib_t:dir create_dir_perms;
-allow oav_update_t oav_update_var_lib_t:file create_file_perms;
-allow oav_update_t oav_update_var_lib_t:lnk_file r_file_perms;
-
-# Can download via network
-can_network_server(oav_update_t)
diff --git a/strict/domains/program/unused/openca-ca.te b/strict/domains/program/unused/openca-ca.te
deleted file mode 100644
index 411c61d..0000000
--- a/strict/domains/program/unused/openca-ca.te
+++ /dev/null
@@ -1,134 +0,0 @@
-#DESC OpenCA - Open Certificate Authority
-#
-# Author:  Brian May <bam@snoopy.apana.org.au>
-# X-Debian-Packages:
-# Depends: apache.te
-#
-
-#################################
-#
-# domain for openCA cgi-bin scripts.
-#
-# Type that system CGI scripts run as
-#
-type openca_ca_t, domain;
-role system_r types openca_ca_t;
-uses_shlib(openca_ca_t)
-
-# Types that system CGI scripts on the disk are 
-# labeled with
-#
-type openca_ca_exec_t, file_type, sysadmfile;
-
-# When the server starts the script it needs to get the proper context
-#
-domain_auto_trans(httpd_t, openca_ca_exec_t, openca_ca_t)
-
-#
-# Allow httpd daemon to search /usr/share/openca
-#
-allow httpd_t openca_usr_share_t:dir { getattr search };
-
-################################################################
-# Allow the web server to run scripts and serve pages
-##############################################################
-allow httpd_t bin_t:file { read execute }; # execute perl
-
-allow httpd_t openca_ca_exec_t:file {execute getattr read};
-allow httpd_t openca_ca_t:process {signal sigkill sigstop};
-allow httpd_t openca_ca_t:process transition;
-allow httpd_t openca_ca_exec_t:dir r_dir_perms;
-
-##################################################################
-# Allow the script to get the file descriptor from the http deamon
-# and send sigchild to http deamon
-#################################################################
-allow openca_ca_t httpd_t:process sigchld;
-allow openca_ca_t httpd_t:fd use;
-allow openca_ca_t httpd_t:fifo_file {getattr write};
-
-############################################
-# Allow scripts to append to http logs
-#########################################
-allow openca_ca_t httpd_log_t:file { append getattr };
-
-#############################################################
-# Allow the script access to the library files so it can run
-#############################################################
-can_exec(openca_ca_t, lib_t)
-
-########################################################################
-# The script needs to inherit the file descriptor and find the script it
-# needs to run
-########################################################################
-allow openca_ca_t initrc_t:fd use;
-allow openca_ca_t init_t:fd use;
-allow openca_ca_t default_t:dir r_dir_perms;
-allow openca_ca_t random_device_t:chr_file r_file_perms;
-
-#######################################################################
-# Allow the script to return its output
-######################################################################
-#allow openca_ca_t httpd_var_run_t: file rw_file_perms;
-allow openca_ca_t null_device_t: chr_file rw_file_perms;
-allow openca_ca_t httpd_cache_t: file rw_file_perms;
-
-###########################################################################
-# Allow the script interpreters to run the scripts.  So
-# the perl executable will be able to run a perl script
-#########################################################################
-can_exec(openca_ca_t, bin_t)
-
-############################################################################
-# Allow the script process to search the cgi directory, and users directory
-##############################################################################
-allow openca_ca_t openca_ca_exec_t:dir search;
-
-#
-# Allow access to writeable files under /etc/openca
-#
-allow openca_ca_t openca_etc_writeable_t:file create_file_perms;
-allow openca_ca_t openca_etc_writeable_t:dir create_dir_perms;
-
-#
-# Allow access to other files under /etc/openca
-#
-allow openca_ca_t openca_etc_t:file r_file_perms;
-allow openca_ca_t openca_etc_t:dir r_dir_perms;
-
-#
-# Allow access to private CA key
-#
-allow openca_ca_t openca_var_lib_keys_t:file create_file_perms;
-allow openca_ca_t openca_var_lib_keys_t:dir create_dir_perms;
-
-#
-# Allow access to other /var/lib/openca files
-#
-allow openca_ca_t openca_var_lib_t:file create_file_perms;
-allow openca_ca_t openca_var_lib_t:dir create_dir_perms;
-
-#
-# Allow access to other /usr/share/openca files
-#
-allow openca_ca_t openca_usr_share_t:file r_file_perms;
-allow openca_ca_t openca_usr_share_t:lnk_file r_file_perms;
-allow openca_ca_t openca_usr_share_t:dir r_dir_perms;
-
-# /etc/openca standard files
-type openca_etc_t, file_type, sysadmfile;
-
-# /etc/openca template files
-type openca_etc_in_t, file_type, sysadmfile;
-
-# /etc/openca writeable (from CGI script) files
-type openca_etc_writeable_t, file_type, sysadmfile;
-
-# /var/lib/openca
-type openca_var_lib_t, file_type, sysadmfile;
-
-# /var/lib/openca/crypto/keys
-type openca_var_lib_keys_t, file_type, sysadmfile;
-
-# /usr/share/openca/crypto/keys
-type openca_usr_share_t, file_type, sysadmfile;
diff --git a/strict/domains/program/unused/openvpn.te b/strict/domains/program/unused/openvpn.te
deleted file mode 100644
index 0ab1317..0000000
--- a/strict/domains/program/unused/openvpn.te
+++ /dev/null
@@ -1,39 +0,0 @@
-#DESC OpenVPN - Firewall-friendly SSL-based VPN
-#
-# Author: Colin Walters <walters@verbum.org>
-#
-########################################
-#
-
-daemon_domain(openvpn)
-etcdir_domain(openvpn)
-
-allow openvpn_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;
-
-allow openvpn_t { random_device_t urandom_device_t }:chr_file { read getattr };
-allow openvpn_t devpts_t:dir { search getattr };
-allow openvpn_t tun_tap_device_t:chr_file rw_file_perms;
-allow openvpn_t proc_t:file { getattr read };
-
-allow openvpn_t self:unix_dgram_socket create_socket_perms;
-allow openvpn_t self:unix_stream_socket create_stream_socket_perms;
-allow openvpn_t self:unix_dgram_socket sendto;
-allow openvpn_t self:unix_stream_socket connectto;
-allow openvpn_t self:capability { net_admin setgid setuid };
-r_dir_file(openvpn_t, sysctl_net_t)
-
-can_network_server(openvpn_t)
-allow openvpn_t openvpn_port_t:udp_socket name_bind;
-
-# OpenVPN executes a lot of helper programs and scripts
-allow openvpn_t { bin_t sbin_t }:dir { search getattr };
-allow openvpn_t bin_t:lnk_file { getattr read };
-can_exec(openvpn_t, { bin_t sbin_t shell_exec_t })
-# Do not transition to ifconfig_t, since then it needs
-# permission to access openvpn_t:udp_socket, which seems
-# worse.
-can_exec(openvpn_t, ifconfig_exec_t)
-
-# The Fedora init script iterates over /etc/openvpn/*.conf, and
-# starts a daemon for each file.
-r_dir_file(initrc_t, openvpn_etc_t)
diff --git a/strict/domains/program/unused/perdition.te b/strict/domains/program/unused/perdition.te
deleted file mode 100644
index b95cb75..0000000
--- a/strict/domains/program/unused/perdition.te
+++ /dev/null
@@ -1,29 +0,0 @@
-#DESC Perdition POP and IMAP proxy
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: perdition
-#
-
-#################################
-#
-# Rules for the perdition_t domain.
-#
-daemon_domain(perdition)
-
-allow perdition_t pop_port_t:tcp_socket name_bind;
-
-etc_domain(perdition)
-
-# Use the network.
-can_network_server(perdition_t)
-allow perdition_t self:unix_stream_socket create_socket_perms;
-allow perdition_t self:unix_dgram_socket create_socket_perms;
-
-# allow any domain to connect to the proxy
-can_tcp_connect(userdomain, perdition_t)
-
-# Use capabilities
-allow perdition_t self:capability { setgid setuid net_bind_service };
-
-allow perdition_t etc_t:file { getattr read };
-allow perdition_t etc_t:lnk_file read;
diff --git a/strict/domains/program/unused/portslave.te b/strict/domains/program/unused/portslave.te
deleted file mode 100644
index 55dfad6..0000000
--- a/strict/domains/program/unused/portslave.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#DESC Portslave - Terminal server software
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: portslave
-# Depends: pppd.te
-#
-
-#################################
-#
-# Rules for the portslave_t domain.
-#
-daemon_base_domain(portslave, `, privmail, auth_chkpwd')
-
-type portslave_etc_t, file_type, sysadmfile;
-
-general_domain_access(portslave_t)
-domain_auto_trans(init_t, portslave_exec_t, portslave_t)
-ifdef(`rlogind.te', `
-domain_auto_trans(rlogind_t, portslave_exec_t, portslave_t)
-')
-ifdef(`inetd.te', `
-domain_auto_trans(inetd_t, portslave_exec_t, portslave_t)
-allow portslave_t inetd_t:tcp_socket { getattr read write };
-')
-
-allow portslave_t { etc_t etc_runtime_t }:file { read getattr };
-read_locale(portslave_t)
-r_dir_file(portslave_t, portslave_etc_t)
-
-allow portslave_t pppd_etc_t:dir r_dir_perms;
-allow portslave_t pppd_etc_rw_t:file { getattr read };
-
-allow portslave_t proc_t:file { getattr read };
-
-allow portslave_t { var_t var_log_t devpts_t }:dir search;
-
-allow portslave_t devtty_t:chr_file { setattr rw_file_perms };
-
-allow portslave_t pppd_secret_t:file r_file_perms;
-
-can_network_server(portslave_t)
-allow portslave_t fs_t:filesystem getattr;
-ifdef(`radius.te', `
-can_udp_send(portslave_t, radiusd_t)
-can_udp_send(radiusd_t, portslave_t)
-')
-# for rlogin etc
-can_exec(portslave_t, { bin_t ssh_exec_t })
-# net_bind_service for rlogin
-allow portslave_t self:capability { net_bind_service sys_tty_config };
-# for ssh
-allow portslave_t urandom_device_t:chr_file read;
-ifdef(`sshd.te', `can_tcp_connect(portslave_t, sshd_t)')
-
-# for pppd
-allow portslave_t self:capability { setuid setgid net_admin fsetid };
-allow portslave_t ppp_device_t:chr_file rw_file_perms;
-
-# for ~/.ppprc - if it actually exists then you need some policy to read it
-allow portslave_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
-
-# for ctlportslave
-dontaudit portslave_t self:capability sys_admin;
-
-file_type_auto_trans(portslave_t, var_run_t, pppd_var_run_t, file)
-can_exec(portslave_t, { etc_t shell_exec_t })
-
-# Run login in local_login_t domain.
-#domain_auto_trans(portslave_t, login_exec_t, local_login_t)
-
-# Write to /var/run/utmp.
-allow portslave_t initrc_var_run_t:file rw_file_perms;
-
-# Write to /var/log/wtmp.
-allow portslave_t wtmp_t:file rw_file_perms;
-
-# Read and write ttys.
-allow portslave_t tty_device_t:chr_file { setattr rw_file_perms };
-allow portslave_t ttyfile:chr_file rw_file_perms;
-
-
-lock_domain(portslave)
-can_exec(portslave_t, pppd_exec_t)
-allow portslave_t { bin_t sbin_t }:dir search;
-allow portslave_t bin_t:lnk_file read;
diff --git a/strict/domains/program/unused/postgrey.te b/strict/domains/program/unused/postgrey.te
deleted file mode 100644
index f60e67b..0000000
--- a/strict/domains/program/unused/postgrey.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC postgrey - Postfix Grey-listing server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: postgrey
-
-daemon_domain(postgrey)
-
-allow postgrey_t urandom_device_t:chr_file { getattr read };
-
-# for perl
-allow postgrey_t { bin_t sbin_t }:dir { getattr search };
-allow postgrey_t usr_t:{ file lnk_file } { getattr read };
-dontaudit postgrey_t usr_t:file ioctl;
-
-allow postgrey_t { etc_t etc_runtime_t }:file { getattr read };
-etcdir_domain(postgrey)
-
-can_network_server_tcp(postgrey_t)
-can_ypbind(postgrey_t)
-allow postgrey_t postgrey_port_t:tcp_socket name_bind;
-allow postgrey_t self:unix_dgram_socket create_socket_perms;
-allow postgrey_t self:unix_stream_socket create_stream_socket_perms;
-allow postgrey_t proc_t:file { getattr read };
-
-allow postgrey_t self:capability { chown setgid setuid };
-dontaudit postgrey_t self:capability sys_tty_config;
-
-var_lib_domain(postgrey)
-
-allow postgrey_t tmp_t:dir getattr;
diff --git a/strict/domains/program/unused/publicfile.te b/strict/domains/program/unused/publicfile.te
deleted file mode 100644
index b6a206b..0000000
--- a/strict/domains/program/unused/publicfile.te
+++ /dev/null
@@ -1,25 +0,0 @@
-#DESC Publicfile - HTTP and FTP file services
-# http://cr.yp.to/publicfile.html
-#
-# Author: petre rodan <kaiowas@gentoo.org>
-#
-# this policy depends on ucspi-tcp
-#
-
-daemon_domain(publicfile)
-type publicfile_content_t, file_type, sysadmfile;
-domain_auto_trans(initrc_t, publicfile_exec_t, publicfile_t)
-
-ifdef(`ucspi-tcp.te', `
-domain_auto_trans(utcpserver_t, publicfile_exec_t, publicfile_t)
-allow publicfile_t utcpserver_t:tcp_socket { read write };
-allow utcpserver_t { ftp_data_port_t ftp_port_t http_port_t }:tcp_socket name_bind;
-')
-
-allow publicfile_t initrc_t:tcp_socket { read write };
-
-allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
-
-r_dir_file(publicfile_t, publicfile_content_t)
-
-
diff --git a/strict/domains/program/unused/pxe.te b/strict/domains/program/unused/pxe.te
deleted file mode 100644
index 1515593..0000000
--- a/strict/domains/program/unused/pxe.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#DESC PXE - a server for the PXE network boot protocol
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: pxe
-#
-
-#################################
-#
-# Rules for the pxe_t domain.
-#
-daemon_domain(pxe)
-
-allow pxe_t pxe_port_t:udp_socket name_bind;
-
-allow pxe_t etc_t:file { getattr read };
-
-allow pxe_t self:capability { chown setgid setuid };
-
-allow pxe_t zero_device_t:chr_file rw_file_perms;
-
-log_domain(pxe)
diff --git a/strict/domains/program/unused/pyzor.te b/strict/domains/program/unused/pyzor.te
deleted file mode 100644
index b0629ad..0000000
--- a/strict/domains/program/unused/pyzor.te
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# Pyzor - Pyzor is a collaborative, networked system to detect and
-#         block spam using identifying digests of messages.
-#
-# Author:  David Hampton <hampton@employees.org>
-#
-
-# NOTE: This policy is based upon the FC3 pyzor rpm from ATrpms.
-# Pyzor normally dumps everything into $HOME/.pyzor.  By putting the
-# following line to the spamassassin config file:
-#
-#	pyzor_options --homedir /etc/pyzor
-#
-# the various files will be put into appropriate directories.
-# (I.E. The log file into /var/log, etc.)  This policy will work
-# either way.
-
-##########
-# pyzor daemon
-##########
-daemon_domain(pyzord, `, privlog, nscd_client_domain')
-pyzor_base_domain(pyzord)
-allow pyzord_t pyzor_port_t:udp_socket name_bind;
-home_domain_access(pyzord_t, sysadm, pyzor)
-log_domain(pyzord)
-
-# Read shared daemon/client config file
-r_dir_file(pyzord_t, pyzor_etc_t)
-
-# Write shared daemon/client data dir
-allow pyzord_t var_lib_t:dir search;
-create_dir_file(pyzord_t, pyzor_var_lib_t)
-
-##########
-# Pyzor query application - from system_r applictions
-##########
-type pyzor_t, domain, privlog, daemon;
-type pyzor_exec_t, file_type, sysadmfile, exec_type;
-role system_r types pyzor_t;
-
-pyzor_base_domain(pyzor)
-
-# System config/data files
-etcdir_domain(pyzor)
-var_lib_domain(pyzor)
-
-##########
-##########
-
-#
-# Some spam filters executes the pyzor code directly.  Allow them access here.
-#
-ifdef(`spamd.te',`
-domain_auto_trans(spamd_t, pyzor_exec_t, pyzor_t);
-# pyzor needs access to the email spamassassin is checking
-allow pyzor_t spamd_tmp_t:file r_file_perms;
-')
diff --git a/strict/domains/program/unused/qmail.te b/strict/domains/program/unused/qmail.te
deleted file mode 100644
index 6c51cd7..0000000
--- a/strict/domains/program/unused/qmail.te
+++ /dev/null
@@ -1,197 +0,0 @@
-#DESC Qmail - Mail server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: qmail-src qmail
-# Depends: inetd.te mta.te
-#
-
-
-# Type for files created during execution of qmail.
-type qmail_var_run_t, file_type, sysadmfile, pidfile;
-
-type qmail_etc_t, file_type, sysadmfile;
-
-allow inetd_t smtp_port_t:tcp_socket name_bind;
-
-type qmail_exec_t, file_type, sysadmfile, exec_type;
-type qmail_spool_t, file_type, sysadmfile;
-type var_qmail_t, file_type, sysadmfile;
-
-define(`qmaild_sub_domain', `
-daemon_sub_domain($1, $2, `$3')
-allow $2_t qmail_etc_t:dir { getattr search };
-allow $2_t qmail_etc_t:{ lnk_file file } { getattr read };
-allow $2_t { var_t var_spool_t }:dir search;
-allow $2_t console_device_t:chr_file rw_file_perms;
-allow $2_t fs_t:filesystem getattr;
-')
-
-#################################
-#
-# Rules for the qmail_$1_t domain.
-#
-# qmail_$1_exec_t is the type of the qmail_$1 executables.
-#
-define(`qmail_daemon_domain', `
-qmaild_sub_domain(qmail_start_t, qmail_$1, `$2')
-allow qmail_$1_t qmail_start_t:fifo_file { read write };
-')dnl
-
-
-daemon_base_domain(qmail_start)
-
-allow qmail_start_t self:capability { setgid setuid };
-allow qmail_start_t { bin_t sbin_t }:dir search;
-allow qmail_start_t qmail_etc_t:dir search;
-allow qmail_start_t qmail_etc_t:file { getattr read };
-can_exec(qmail_start_t, qmail_start_exec_t)
-allow qmail_start_t self:fifo_file { getattr read write };
-
-qmail_daemon_domain(lspawn, `, mta_delivery_agent')
-allow qmail_lspawn_t self:fifo_file { read write };
-allow qmail_lspawn_t self:capability { setuid setgid };
-allow qmail_lspawn_t self:process { fork signal_perms };
-allow qmail_lspawn_t sbin_t:dir search;
-can_exec(qmail_lspawn_t, qmail_exec_t)
-allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
-allow qmail_lspawn_t qmail_spool_t:dir search;
-allow qmail_lspawn_t qmail_spool_t:file { read getattr };
-allow qmail_lspawn_t etc_t:file { getattr read };
-allow qmail_lspawn_t tmp_t:dir getattr;
-dontaudit qmail_lspawn_t user_home_dir_type:dir { getattr search };
-
-qmail_daemon_domain(send, `, mail_server_sender')
-rw_dir_create_file(qmail_send_t, qmail_spool_t)
-allow qmail_send_t qmail_spool_t:fifo_file read;
-allow qmail_send_t self:process { fork signal_perms };
-allow qmail_send_t self:fifo_file write;
-domain_auto_trans(qmail_send_t, qmail_queue_exec_t, qmail_queue_t)
-allow qmail_send_t sbin_t:dir search;
-
-qmail_daemon_domain(splogger)
-allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
-allow qmail_splogger_t etc_t:lnk_file read;
-dontaudit qmail_splogger_t initrc_t:fd use;
-read_locale(qmail_splogger_t)
-
-qmail_daemon_domain(rspawn)
-allow qmail_rspawn_t qmail_spool_t:dir search;
-allow qmail_rspawn_t qmail_spool_t:file rw_file_perms;
-allow qmail_rspawn_t self:process { fork signal_perms };
-allow qmail_rspawn_t self:fifo_file read;
-allow qmail_rspawn_t { bin_t sbin_t }:dir search;
-
-qmaild_sub_domain(qmail_rspawn_t, qmail_remote)
-allow qmail_rspawn_t qmail_remote_exec_t:file { getattr read };
-can_network_server(qmail_remote_t)
-can_ypbind(qmail_remote_t)
-allow qmail_remote_t qmail_spool_t:dir search;
-allow qmail_remote_t qmail_spool_t:file rw_file_perms;
-allow qmail_remote_t self:tcp_socket create_socket_perms;
-allow qmail_remote_t self:udp_socket create_socket_perms;
-
-qmail_daemon_domain(clean)
-allow qmail_clean_t qmail_spool_t:dir rw_dir_perms;
-allow qmail_clean_t qmail_spool_t:file { unlink read getattr };
-
-# privhome will do until we get a separate maildir type
-qmaild_sub_domain(qmail_lspawn_t, qmail_local, `, privhome, mta_delivery_agent')
-allow qmail_lspawn_t qmail_local_exec_t:file { getattr read };
-allow qmail_local_t self:process { fork signal_perms };
-domain_auto_trans(qmail_local_t, qmail_queue_exec_t, qmail_queue_t)
-allow qmail_local_t qmail_queue_exec_t:file { getattr read };
-allow qmail_local_t qmail_spool_t:file { ioctl read };
-allow qmail_local_t self:fifo_file write;
-allow qmail_local_t sbin_t:dir search;
-allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
-allow qmail_local_t etc_t:file { getattr read };
-
-# for piping mail to a command
-can_exec(qmail_local_t, shell_exec_t)
-allow qmail_local_t bin_t:dir search;
-allow qmail_local_t bin_t:lnk_file read;
-allow qmail_local_t devtty_t:chr_file rw_file_perms;
-allow qmail_local_t { etc_runtime_t proc_t }:file { getattr read };
-
-ifdef(`tcpd.te', `
-qmaild_sub_domain(tcpd_t, qmail_tcp_env)
-# bug
-can_exec(tcpd_t, tcpd_exec_t)
-', `
-qmaild_sub_domain(inetd_t, qmail_tcp_env)
-')
-allow qmail_tcp_env_t inetd_t:fd use;
-allow qmail_tcp_env_t inetd_t:tcp_socket { read write getattr };
-allow qmail_tcp_env_t inetd_t:process sigchld;
-allow qmail_tcp_env_t sbin_t:dir search;
-can_network_server(qmail_tcp_env_t)
-can_ypbind(qmail_tcp_env_t)
-
-qmaild_sub_domain(qmail_tcp_env_t, qmail_smtpd)
-allow qmail_tcp_env_t qmail_smtpd_exec_t:file { getattr read };
-can_network_server(qmail_smtpd_t)
-can_ypbind(qmail_smtpd_t)
-allow qmail_smtpd_t inetd_t:fd use;
-allow qmail_smtpd_t inetd_t:tcp_socket { read write };
-allow qmail_smtpd_t inetd_t:process sigchld;
-allow qmail_smtpd_t self:process { fork signal_perms };
-allow qmail_smtpd_t self:fifo_file write;
-allow qmail_smtpd_t self:tcp_socket create_socket_perms;
-allow qmail_smtpd_t sbin_t:dir search;
-domain_auto_trans(qmail_smtpd_t, qmail_queue_exec_t, qmail_queue_t)
-allow qmail_smtpd_t qmail_queue_exec_t:file { getattr read };
-
-qmaild_sub_domain(user_mail_domain, qmail_inject, `, mta_user_agent')
-allow qmail_inject_t self:process { fork signal_perms };
-allow qmail_inject_t self:fifo_file write;
-allow qmail_inject_t sbin_t:dir search;
-role sysadm_r types qmail_inject_t;
-in_user_role(qmail_inject_t)
-
-qmaild_sub_domain(userdomain, qmail_qread, `, mta_user_agent')
-in_user_role(qmail_qread_t)
-role sysadm_r types qmail_qread_t;
-r_dir_file(qmail_qread_t, qmail_spool_t)
-allow qmail_qread_t self:capability dac_override;
-allow qmail_qread_t privfd:fd use;
-
-qmaild_sub_domain(qmail_inject_t, qmail_queue, `, mta_user_agent')
-role sysadm_r types qmail_queue_t;
-in_user_role(qmail_queue_t)
-allow qmail_inject_t qmail_queue_exec_t:file { getattr read };
-rw_dir_create_file(qmail_queue_t, qmail_spool_t)
-allow qmail_queue_t qmail_spool_t:fifo_file { read write };
-allow qmail_queue_t { qmail_start_t qmail_lspawn_t }:fd use;
-allow qmail_queue_t qmail_lspawn_t:fifo_file write;
-allow qmail_queue_t qmail_start_t:fifo_file { read write };
-allow qmail_queue_t privfd:fd use;
-allow qmail_queue_t crond_t:fifo_file { read write };
-allow qmail_queue_t inetd_t:fd use;
-allow qmail_queue_t inetd_t:tcp_socket { read write };
-allow qmail_queue_t sysadm_t:fd use;
-allow qmail_queue_t sysadm_t:fifo_file write;
-
-allow user_crond_domain qmail_etc_t:dir search;
-allow user_crond_domain qmail_etc_t:file { getattr read };
-
-qmaild_sub_domain(user_crond_domain, qmail_serialmail)
-in_user_role(qmail_serialmail_t)
-can_network_server(qmail_serialmail_t)
-can_ypbind(qmail_serialmail_t)
-can_exec(qmail_serialmail_t, qmail_serialmail_exec_t)
-allow qmail_serialmail_t self:process { fork signal_perms };
-allow qmail_serialmail_t proc_t:file { getattr read };
-allow qmail_serialmail_t etc_runtime_t:file { getattr read };
-allow qmail_serialmail_t home_root_t:dir search;
-allow qmail_serialmail_t user_home_dir_type:dir { search read getattr };
-rw_dir_create_file(qmail_serialmail_t, user_home_type)
-allow qmail_serialmail_t self:fifo_file { read write };
-allow qmail_serialmail_t self:udp_socket create_socket_perms;
-allow qmail_serialmail_t self:tcp_socket create_socket_perms;
-allow qmail_serialmail_t privfd:fd use;
-allow qmail_serialmail_t crond_t:fifo_file { read write ioctl };
-allow qmail_serialmail_t devtty_t:chr_file { read write };
-
-# for tcpclient
-can_exec(qmail_serialmail_t, bin_t)
-allow qmail_serialmail_t bin_t:dir search;
diff --git a/strict/domains/program/unused/razor.te b/strict/domains/program/unused/razor.te
deleted file mode 100644
index e88bb49..0000000
--- a/strict/domains/program/unused/razor.te
+++ /dev/null
@@ -1,53 +0,0 @@
-#
-# Razor - Vipul's Razor is a distributed, collaborative, spam
-#         detection and filtering network.
-#
-# Author:  David Hampton <hampton@employees.org>
-#
-
-# NOTE: This policy will work with either the ATrpms provided config
-# file in /etc/razor, or with the default of dumping everything into
-# $HOME/.razor.
-
-##########
-# Razor query application - from system_r applictions
-##########
-type razor_t, domain, privlog, daemon;
-type razor_exec_t, file_type, sysadmfile, exec_type;
-role system_r types razor_t;
-
-razor_base_domain(razor)
-
-# Razor config file directory.  When invoked as razor-admin, it can
-# update files in this directory.
-etcdir_domain(razor)
-create_dir_file(razor_t, razor_etc_t);
-
-# Shared razor files updated freuently
-var_lib_domain(razor)
-
-# Log files
-log_domain(razor)
-allow razor_t var_log_t:dir search;
-ifdef(`logrotate.te', `
-allow logrotate_t razor_log_t:file r_file_perms;
-')
-
-##########
-##########
-
-#
-# Some spam filters executes the razor code directly.  Allow them access here.
-#
-define(`razor_access',`
-r_dir_file($1, razor_etc_t)
-allow $1 var_log_t:dir search;
-allow $1 razor_log_t:file ra_file_perms;
-r_dir_file($1, razor_var_lib_t)
-r_dir_file($1, sysadm_razor_home_t)
-can_network_client_tcp($1, razor_port_t)
-allow $1 razor_port_t:tcp_socket name_connect;
-')
-
-ifdef(`spamd.te', `razor_access(spamd_t)');
-ifdef(`amavis.te', `razor_access(amavisd_t)');
diff --git a/strict/domains/program/unused/resmgrd.te b/strict/domains/program/unused/resmgrd.te
deleted file mode 100644
index 9224ad3..0000000
--- a/strict/domains/program/unused/resmgrd.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# DESC resmgrd - resource manager daemon
-#
-# Author: Thomas Bleher <ThomasBleher@gmx.de>
- 
-daemon_base_domain(resmgrd)
-var_run_domain(resmgrd, { file sock_file })
-etc_domain(resmgrd)
-read_locale(resmgrd_t)
-allow resmgrd_t self:capability { dac_override dac_read_search sys_admin sys_rawio };
-
-allow resmgrd_t etc_t:file { getattr read };
-allow resmgrd_t self:unix_stream_socket create_stream_socket_perms; 
-allow resmgrd_t self:unix_dgram_socket create_socket_perms;
-
-# hardware access
-allow resmgrd_t device_t:lnk_file { getattr read };
-# not sure if it needs write access, needs to be investigated further...
-allow resmgrd_t removable_device_t:blk_file { getattr ioctl read write };
-allow resmgrd_t scsi_generic_device_t:chr_file { getattr ioctl read write };
-allow resmgrd_t scanner_device_t:chr_file { getattr };
-# I think a dontaudit should be enough there
-dontaudit resmgrd_t fixed_disk_device_t:blk_file { getattr ioctl read };
-
-# there is a macro can_resmgrd_connect() in macros/program/resmgrd_macros.te
-
diff --git a/strict/domains/program/unused/rssh.te b/strict/domains/program/unused/rssh.te
deleted file mode 100644
index 73bab4a..0000000
--- a/strict/domains/program/unused/rssh.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC Rssh - Restricted (scp/sftp) only shell
-#
-# Authors: Colin Walters <walters@verbum.org>
-# X-Debian-Package: rssh
-#
-
-type rssh_exec_t, file_type, sysadmfile, exec_type;
-
-ifdef(`ssh.te',`
-allow sshd_t rssh_exec_t:file r_file_perms;
-')
-
-# See rssh_macros.te for the rest.
diff --git a/strict/domains/program/unused/scannerdaemon.te b/strict/domains/program/unused/scannerdaemon.te
deleted file mode 100644
index 6245e8b..0000000
--- a/strict/domains/program/unused/scannerdaemon.te
+++ /dev/null
@@ -1,58 +0,0 @@
-#DESC Scannerdaemon - Virus scanner daemon
-#
-# Author:  Brian May <bam@snoopy.apana.org.au>
-# X-Debian-Packages:
-#
-
-#################################
-#
-# Rules for the scannerdaemon_t domain.
-#
-type scannerdaemon_etc_t, file_type, sysadmfile;
-
-#networking
-daemon_domain(scannerdaemon)
-can_network_server(scannerdaemon_t)
-ifdef(`postfix.te',
-`can_tcp_connect(postfix_bounce_t,scannerdaemon_t);')
-
-# for testing
-can_tcp_connect(sysadm_t,scannerdaemon_t)
-
-# Can create unix sockets
-allow scannerdaemon_t self:unix_stream_socket create_stream_socket_perms;
-
-# Access config files (libc6).
-allow scannerdaemon_t etc_t:file r_file_perms;
-allow scannerdaemon_t etc_t:lnk_file r_file_perms;
-allow scannerdaemon_t proc_t:file r_file_perms;
-allow scannerdaemon_t etc_runtime_t:file r_file_perms;
-
-# Access config files (scannerdaemon).
-allow scannerdaemon_t scannerdaemon_etc_t:file r_file_perms;
-
-# Access signature files.
-ifdef(`oav-update.te',`
-allow scannerdaemon_t oav_update_var_lib_t:dir r_dir_perms;
-allow scannerdaemon_t oav_update_var_lib_t:file r_file_perms;
-')
-
-log_domain(scannerdaemon)
-ifdef(`logrotate.te', `
-allow logrotate_t scannerdaemon_log_t:file create_file_perms;
-')
-
-# Can run kaffe
-# Run helper programs.
-can_exec_any(scannerdaemon_t)
-allow scannerdaemon_t var_lib_t:dir search;
-allow scannerdaemon_t { sbin_t bin_t }:dir search;
-allow scannerdaemon_t bin_t:lnk_file read;
-
-# unknown stuff
-allow scannerdaemon_t self:fifo_file { read write };
-
-# broken stuff
-dontaudit scannerdaemon_t sysadm_home_dir_t:dir search;
-dontaudit scannerdaemon_t devtty_t:chr_file { read write };
-dontaudit scannerdaemon_t shadow_t:file { read getattr };
diff --git a/strict/domains/program/unused/seuser.te b/strict/domains/program/unused/seuser.te
deleted file mode 100644
index dc87742..0000000
--- a/strict/domains/program/unused/seuser.te
+++ /dev/null
@@ -1,148 +0,0 @@
-#DESC SE Linux User Manager (seuser)
-#DEPENDS checkpolicy.te load_policy.te
-#
-# Authors:   don.patterson@tresys.com, mayerf@tresys.com
-# Additions: wsalamon@tislabs.com, dac@tresys.com
-
-#
-
-#################################
-#
-# Rules for the seuser_t domain.
-#
-# seuser_t is the domain of the seuser application when it is executed.
-# seuser_conf_t is the type of the seuser configuration file.
-# seuser_exec_t is the type of the seuser executable.
-# seuser_tmp_t is the type of the temporary file(s) created by seuser.
-# 
-##############################################
-# Define types, and typical rules including
-# access to execute and transition
-##############################################
-
-# Defined seuser types
-type seuser_t, domain, privhome  ;
-type seuser_conf_t, file_type, sysadmfile ;
-type seuser_exec_t, file_type, sysadmfile, exec_type ;
-tmp_domain(seuser)
-
-# Authorize roles
-role sysadm_r types seuser_t ;
-
-# Allow sysadm_t to run with privilege
-domain_auto_trans(sysadm_t, seuser_exec_t, seuser_t)
-
-# Grant the new domain permissions to many common operations
-# FIX: Should be more resticted than this.
-#every_domain(seuser_t)
-allow seuser_t self:process { fork sigchld };
-allow seuser_t self:fifo_file read;
-allow seuser_t self:unix_stream_socket {create connect};
-allow seuser_t self:dir search;
-allow seuser_t self:file { read getattr };
-
-allow seuser_t etc_t:dir search;
-allow seuser_t etc_t:{lnk_file file} { read getattr};
-read_locale(seuser_t)
-allow seuser_t { var_run_t var_t}:dir search;
-
-uses_shlib(seuser_t)
-
-allow seuser_t devtty_t:chr_file {read write };
-allow seuser_t proc_t:dir search;
-allow seuser_t proc_t:{lnk_file file} { getattr read };
-
-allow seuser_t root_t:dir search;
-allow seuser_t staff_home_dir_t:dir search;
-allow seuser_t home_root_t:dir { getattr search };
-allow seuser_t staff_home_dir_t:dir getattr;
-allow seuser_t default_t:file {read getattr};
-
-allow seuser_t bin_t:dir { getattr search read} ;
-allow seuser_t bin_t:lnk_file { read getattr };
-allow seuser_t sbin_t:dir search;
-
-# Inherit and use descriptors from login.
-allow seuser_t privfd:fd use;
-
-###############################################
-
-# Use capabilities to self
-allow seuser_t self:capability { dac_override setuid setgid } ;
-
-# Grant the seuser domain ability to change passwords for a user.
-allow seuser_t self:passwd { passwd chfn chsh } ;
-
-# Read permissions for seuser.conf file
-allow seuser_t seuser_conf_t:file r_file_perms ;
-
-
-###################################################################
-# Policy section: Define the ability to change and load policies
-###################################################################
-
-# seuser_t domain needs to transition to the checkpolicy and loadpolicy 
-# domains in order to install and load new policies.
-domain_auto_trans(seuser_t, checkpolicy_exec_t, checkpolicy_t)
-domain_auto_trans(seuser_t, load_policy_exec_t, load_policy_t)
-
-# allow load_policy and checkpolicy domains access to seuser_tmp_t
-# files in order for their stdout/stderr able to be put into
-# seuser's tmp files.
-#
-# Since both these domains carefully try to limit where the
-# assoicated program can read from, we won't use the standard
-# rw_file_perm macro, but instead only grant the minimum needed
-# to redirect output, write and getattr.
-allow checkpolicy_t seuser_tmp_t:file { getattr write } ;
-allow load_policy_t seuser_tmp_t:file { getattr write } ;
-allow useradd_t seuser_tmp_t:file { getattr write } ;
-
-
-# FIX:  Temporarily allow seuser_t permissions for executing programs with a 
-# bint_t type without changing domains. We have to give seuser_t the following 
-# access because we use the policy make process to build new plicy.conf files. 
-# At some point, a new policy management infrastructure should remove the ability 
-# to modify policy source files with arbitrary progams
-#
-can_exec(seuser_t, bin_t)
-can_exec(seuser_t, shell_exec_t)
-
-
-# Read/write permission to the login context files in /etc/security
-allow seuser_t login_contexts:file create_file_perms ;
-
-# Read/write permission to the policy source and its' directory
-allow seuser_t policy_src_t:dir create_dir_perms ;
-allow seuser_t policy_src_t:file create_file_perms ;
-
-# Allow search and stat for policy_config_t
-allow seuser_t policy_config_t:dir { search getattr } ;
-allow seuser_t policy_config_t:file stat_file_perms;
-
-
-#ifdef(`xserver.te', `
-############################################################
-# Xserver section - To support our GUI interface, 
-############################################################
-# Permission to create files in /tmp/.X11-Unix
-#allow seuser_t sysadm_xserver_tmp_t:dir search ;
-#allow seuser_t sysadm_xserver_tmp_t:sock_file write ;
-#allow seuser_t user_xserver_tmp_t:dir search ;
-#allow seuser_t user_xserver_tmp_t:sock_file write ;
-
-# Permission to establish a Unix stream connection to X server
-#can_unix_connect(seuser_t, user_xserver_t)
-#can_unix_connect(seuser_t, sysadm_xserver_t)
-#')
-ifdef(`xdm.te', `
-can_unix_connect(seuser_t, xdm_xserver_t)
-')
-
-# seuser_t domain needs execute access to the library files so that it can run.
-can_exec(seuser_t, lib_t)
-
-# Access ttys
-allow seuser_t sysadm_tty_device_t:chr_file rw_file_perms ;
-allow seuser_t sysadm_devpts_t:chr_file rw_file_perms ;
-
diff --git a/strict/domains/program/unused/snort.te b/strict/domains/program/unused/snort.te
deleted file mode 100644
index 24188f6..0000000
--- a/strict/domains/program/unused/snort.te
+++ /dev/null
@@ -1,33 +0,0 @@
-#DESC Snort - Network sniffer
-#
-# Author: Shaun Savage <savages@pcez.com> 
-# Modified by Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: snort-common
-#
-
-daemon_domain(snort)
-
-logdir_domain(snort)
-allow snort_t snort_log_t:dir create;
-can_network_server(snort_t)
-type snort_etc_t, file_type, sysadmfile;
-
-# Create temporary files.
-tmp_domain(snort)
-
-# use iptable netlink
-allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-allow snort_t self:packet_socket create_socket_perms;
-allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
-
-r_dir_file(snort_t, snort_etc_t)
-allow snort_t etc_t:file { getattr read };
-allow snort_t etc_t:lnk_file read;
-
-allow snort_t self:unix_dgram_socket create_socket_perms;
-allow snort_t self:unix_stream_socket create_socket_perms;
-
-# for start script
-allow initrc_t snort_etc_t:file { getattr read };
-
-dontaudit snort_t { etc_runtime_t proc_t }:file { getattr read };
diff --git a/strict/domains/program/unused/sound-server.te b/strict/domains/program/unused/sound-server.te
deleted file mode 100644
index c84a1fa..0000000
--- a/strict/domains/program/unused/sound-server.te
+++ /dev/null
@@ -1,42 +0,0 @@
-#DESC sound server - for network audio server programs, nasd, yiff, etc
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#################################
-#
-# Rules for the soundd_t domain.
-#
-# soundd_exec_t is the type of the soundd executable.
-#
-daemon_domain(soundd)
-
-allow soundd_t soundd_port_t:tcp_socket name_bind;
-
-type etc_soundd_t, file_type, sysadmfile;
-type soundd_state_t, file_type, sysadmfile;
-
-tmp_domain(soundd)
-rw_dir_create_file(soundd_t, soundd_state_t)
-
-allow soundd_t sound_device_t:chr_file rw_file_perms;
-allow soundd_t device_t:lnk_file read;
-
-# Use the network.
-can_network_server(soundd_t)
-allow soundd_t self:unix_stream_socket create_stream_socket_perms;
-allow soundd_t self:unix_dgram_socket create_socket_perms;
-# allow any domain to connect to the sound server
-can_tcp_connect(userdomain, soundd_t)
-
-allow soundd_t self:process setpgid;
-
-# read config files
-allow soundd_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;
-
-allow soundd_t etc_t:dir r_dir_perms;
-r_dir_file(soundd_t, etc_soundd_t)
-
-# for yiff - probably need some rules for the client support too
-allow soundd_t self:shm create_shm_perms;
-tmpfs_domain(soundd)
diff --git a/strict/domains/program/unused/speedmgmt.te b/strict/domains/program/unused/speedmgmt.te
deleted file mode 100644
index 6d399fb..0000000
--- a/strict/domains/program/unused/speedmgmt.te
+++ /dev/null
@@ -1,26 +0,0 @@
-#DESC Speedmgmt - Alcatel speedtouch USB ADSL modem
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#################################
-#
-# Rules for the speedmgmt_t domain.
-#
-# speedmgmt_exec_t is the type of the speedmgmt executable.
-#
-daemon_domain(speedmgmt)
-tmp_domain(speedmgmt)
-
-# for accessing USB
-allow speedmgmt_t proc_t:dir r_dir_perms;
-allow speedmgmt_t usbdevfs_t:file rw_file_perms;
-allow speedmgmt_t usbdevfs_t:dir r_dir_perms;
-
-allow speedmgmt_t usr_t:file r_file_perms;
-
-allow speedmgmt_t self:unix_dgram_socket create_socket_perms;
-
-# allow time
-allow speedmgmt_t etc_t:dir r_dir_perms;
-allow speedmgmt_t etc_t:lnk_file r_file_perms;
diff --git a/strict/domains/program/unused/sxid.te b/strict/domains/program/unused/sxid.te
deleted file mode 100644
index a96c987..0000000
--- a/strict/domains/program/unused/sxid.te
+++ /dev/null
@@ -1,62 +0,0 @@
-#DESC Sxid - SUID/SGID program monitoring
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: sxid
-#
-
-#################################
-#
-# Rules for the sxid_t domain.
-#
-# sxid_exec_t is the type of the sxid executable.
-#
-daemon_base_domain(sxid, `, privmail')
-tmp_domain(sxid)
-
-allow sxid_t fs_t:filesystem getattr;
-
-ifdef(`crond.te', `
-system_crond_entry(sxid_exec_t, sxid_t)
-')
-#allow system_crond_t sxid_log_t:file create_file_perms;
-
-read_locale(sxid_t)
-
-can_exec(sxid_t, { shell_exec_t bin_t sbin_t mount_exec_t })
-allow sxid_t bin_t:lnk_file read;
-
-log_domain(sxid)
-
-allow sxid_t file_type:notdevfile_class_set getattr;
-allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr;
-allow sxid_t ttyfile:chr_file getattr;
-allow sxid_t file_type:dir { getattr read search };
-allow sxid_t sysadmfile:file { getattr read };
-dontaudit sxid_t devpts_t:dir r_dir_perms;
-allow sxid_t fs_type:dir { getattr read search };
-
-# Use the network.
-can_network_server(sxid_t)
-allow sxid_t self:fifo_file rw_file_perms;
-allow sxid_t self:unix_stream_socket create_socket_perms;
-
-allow sxid_t { proc_t self }:{ file lnk_file } { read getattr };
-read_sysctl(sxid_t)
-allow sxid_t devtty_t:chr_file rw_file_perms;
-
-allow sxid_t self:capability { dac_override dac_read_search fsetid };
-dontaudit sxid_t self:capability { setuid setgid };
-
-ifdef(`mta.te', `
-# sxid leaves an open file handle to /proc/mounts
-dontaudit { system_mail_t mta_user_agent } sxid_t:file { read getattr };
-
-# allow mta to read the log files
-allow { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file { getattr read };
-# stop warnings if mailx is passed a read/write file handle
-dontaudit { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file write;
-')
-
-allow logrotate_t sxid_t:file { getattr write };
-
-dontaudit sxid_t security_t:dir { getattr read search };
diff --git a/strict/domains/program/unused/tinydns.te b/strict/domains/program/unused/tinydns.te
deleted file mode 100644
index a911b89..0000000
--- a/strict/domains/program/unused/tinydns.te
+++ /dev/null
@@ -1,58 +0,0 @@
-#DESC TINYDNS - Name server for djbdns
-#
-# Authors:  Matthew J. Fanto <mattjf@uncompiled.com>
-# 
-# Based off Named policy file written by
-# 	Yuichi Nakamura <ynakam@ori.hitachi-sk.co.jp>,
-# 	Russell Coker
-# X-Debian-Packages: djbdns-installer djbdns
-# 
-#
-
-#################################
-#
-# Rules for the tinydns_t domain.
-#
-daemon_domain(tinydns)
-
-can_exec(tinydns_t, tinydns_exec_t)
-allow tinydns_t sbin_t:dir search;
-
-allow tinydns_t self:process setsched;
-
-# A type for configuration files of tinydns.
-type tinydns_conf_t, file_type, sysadmfile;
-
-# for primary zone files - the data file
-type tinydns_zone_t, file_type, sysadmfile;
-
-allow tinydns_t etc_t:file { getattr read };
-allow tinydns_t etc_runtime_t:{ file lnk_file } { getattr read };
-
-#tinydns can use network
-can_network_server(tinydns_t)
-allow tinydns_t dns_port_t:{ udp_socket tcp_socket } name_bind;
-# allow UDP transfer to/from any program
-can_udp_send(domain, tinydns_t)
-can_udp_send(tinydns_t, domain)
-# tinydns itself doesn't do zone transfers
-# so we do not need to have it tcp_connect
-
-#read configuration files
-r_dir_file(tinydns_t, tinydns_conf_t)
-
-r_dir_file(tinydns_t, tinydns_zone_t)
-
-# allow tinydns to create datagram sockets (udp)
-# allow tinydns_t self:unix_stream_socket create_stream_socket_perms;
-allow tinydns_t self:unix_dgram_socket create_socket_perms;
-
-# Read /dev/random.
-allow tinydns_t device_t:dir r_dir_perms;
-allow tinydns_t random_device_t:chr_file r_file_perms;
-
-# Set own capabilities.
-allow tinydns_t self:process setcap;
-
-# for chmod in start script
-dontaudit initrc_t tinydns_var_run_t:dir setattr;
diff --git a/strict/domains/program/unused/transproxy.te b/strict/domains/program/unused/transproxy.te
deleted file mode 100644
index e34b804..0000000
--- a/strict/domains/program/unused/transproxy.te
+++ /dev/null
@@ -1,36 +0,0 @@
-#DESC Transproxy - Transparent proxy for web access
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: transproxy
-#
-
-#################################
-#
-# Rules for the transproxy_t domain.
-#
-# transproxy_exec_t is the type of the transproxy executable.
-#
-daemon_domain(transproxy)
-
-# Use the network.
-can_network_server_tcp(transproxy_t)
-allow transproxy_t transproxy_port_t:tcp_socket name_bind;
-
-#allow transproxy_t self:fifo_file { read write };
-allow transproxy_t self:unix_stream_socket create_socket_perms;
-allow transproxy_t self:unix_dgram_socket create_socket_perms;
-
-# Use capabilities
-allow transproxy_t self:capability { setgid setuid };
-#allow transproxy_t self:process setsched;
-
-#allow transproxy_t proc_t:file r_file_perms;
-
-# read config files
-allow transproxy_t etc_t:lnk_file read;
-allow transproxy_t etc_t:file { read getattr };
-
-#allow transproxy_t etc_t:dir r_dir_perms;
-
-#read_sysctl(transproxy_t)
-
diff --git a/strict/domains/program/unused/tripwire.te b/strict/domains/program/unused/tripwire.te
deleted file mode 100644
index 9ee61e8..0000000
--- a/strict/domains/program/unused/tripwire.te
+++ /dev/null
@@ -1,139 +0,0 @@
-# DESC tripwire
-#
-# Author: David Hampton <hampton@employees.org>
-#
-
-# NOTE: Tripwire creates temp file in its current working directory.
-# This policy does not allow write access to home directories, so
-# users will need to either cd to a directory where they have write
-# permission, or set the TEMPDIRECTORY variable in the tripwire config
-# file.  The latter is preferable, as then the file_type_auto_trans
-# rules will kick in and label the files as private to tripwire.
-
-
-# Common definitions
-type tripwire_report_t, file_type, sysadmfile;
-etcdir_domain(tripwire)
-var_lib_domain(tripwire)
-tmp_domain(tripwire)
-
-
-# Macro for defining tripwire domains
-define(`tripwire_domain',`
-application_domain($1, `, auth')
-role system_r types $1_t;
-
-# Allow access to common tripwire files
-allow $1_t tripwire_etc_t:file r_file_perms;
-allow $1_t tripwire_etc_t:dir r_dir_perms;
-allow $1_t tripwire_etc_t:lnk_file { getattr read };
-file_type_auto_trans($1_t, var_lib_t, tripwire_var_lib_t, file)
-allow $1_t tripwire_var_lib_t:dir rw_dir_perms;
-file_type_auto_trans($1_t, tmp_t, tripwire_tmp_t, `{ file dir }')
-
-allow $1_t self:process { fork sigchld };
-allow $1_t self:capability { setgid setuid dac_override };
-
-# Tripwire needs to read all files on the system
-general_proc_read_access($1_t)
-allow $1_t file_type:dir { search getattr read};
-allow $1_t file_type:{file chr_file lnk_file sock_file} {getattr read};
-allow $1_t file_type:fifo_file { getattr };
-allow $1_t device_type:file { getattr read };
-allow $1_t sysctl_t:dir { getattr read };
-allow $1_t {memory_device_t tty_device_t urandom_device_t zero_device_t}:chr_file getattr;
-
-# Tripwire report files
-create_dir_file($1_t, tripwire_report_t)
-
-# gethostid()?
-allow $1_t self:unix_stream_socket { connect create };
-
-# Running editor program (tripwire forks then runs bash which rins editor)
-can_exec($1_t, shell_exec_t)
-can_exec($1_t, bin_t)
-uses_shlib($1_t)
-
-allow $1_t self:dir search;
-allow $1_t self:file { getattr read };
-')
-
-
-##########
-##########
-
-#
-# When run by a user
-#
-tripwire_domain(`tripwire')
-
-# Running from the command line
-allow tripwire_t devpts_t:dir search;
-allow tripwire_t devtty_t:chr_file { read write };
-allow tripwire_t {sysadm_devpts_t user_devpts_t}:chr_file rw_file_perms;
-allow tripwire_t privfd:fd use;
-
-
-##########
-##########
-
-#
-# When run from cron
-#
-tripwire_domain(`tripwire_crond')
-system_crond_entry(tripwire_exec_t, tripwire_crond_t)
-domain_auto_trans(crond_t, tripwire_exec_t, tripwire_t)
-
-# Tripwire uses a temp file in the root home directory
-#create_dir_file(tripwire_crond_t, root_t)
-
-
-##########
-# Twadmin
-##########
-application_domain(twadmin)
-read_locale(twadmin_t)
-create_dir_file(twadmin_t, tripwire_etc_t)
-
-allow twadmin_t sysadm_tmp_t:file { getattr read write };
-
-# Running from the command line
-allow twadmin_t sshd_t:fd use;
-allow twadmin_t admin_tty_type:chr_file rw_file_perms;
-
-dontaudit twadmin_t { bin_t sbin_t }:dir search;
-dontaudit twadmin_t home_root_t:dir search;
-dontaudit twprint_t user_home_dir_t:dir search;
-
-
-##########
-# Twprint
-##########
-application_domain(twprint)
-read_locale(twprint_t)
-r_dir_file(twprint_t, tripwire_etc_t)
-allow twprint_t { var_t var_lib_t }:dir search;
-r_dir_file(twprint_t, tripwire_var_lib_t)
-r_dir_file(twprint_t, tripwire_report_t)
-
-# Running from the command line
-allow twprint_t sshd_t:fd use;
-allow twprint_t admin_tty_type:chr_file rw_file_perms;
-
-dontaudit twprint_t { bin_t sbin_t }:dir search;
-dontaudit twprint_t home_root_t:dir search;
-
-
-##########
-# Siggen
-##########
-application_domain(siggen, `, auth')
-read_locale(siggen_t)
-
-# Need permission to read files
-allow siggen_t file_type:dir { search getattr read};
-allow siggen_t file_type:file {getattr read};
-
-# Running from the command line
-allow siggen_t sshd_t:fd use;
-allow siggen_t admin_tty_type:chr_file rw_file_perms;
diff --git a/strict/domains/program/unused/ucspi-tcp.te b/strict/domains/program/unused/ucspi-tcp.te
deleted file mode 100644
index b2eeb5c..0000000
--- a/strict/domains/program/unused/ucspi-tcp.te
+++ /dev/null
@@ -1,49 +0,0 @@
-#DESC ucspi-tcp - TCP Server and Client Tools
-#
-# Author Petre Rodan <kaiowas@gentoo.org>
-#			Andy Dustman (rblsmtp-related policy)
-#
-
-# http://cr.yp.to/ucspi-tcp.html
-
-daemon_base_domain(utcpserver)
-can_network(utcpserver_t)
-
-allow utcpserver_t etc_t:file r_file_perms;
-allow utcpserver_t { bin_t sbin_t var_t }:dir search;
-
-allow utcpserver_t self:capability { net_bind_service setgid setuid };
-allow utcpserver_t self:fifo_file { read write };
-allow utcpserver_t self:process { fork sigchld };
-
-allow utcpserver_t port_t:udp_socket name_bind;
-
-ifdef(`qmail.te', `
-domain_auto_trans(utcpserver_t, qmail_smtpd_exec_t, qmail_smtpd_t)
-allow utcpserver_t smtp_port_t:tcp_socket name_bind;
-allow qmail_smtpd_t utcpserver_t:tcp_socket { read write getattr };
-allow utcpserver_t qmail_etc_t:dir r_dir_perms;
-allow utcpserver_t qmail_etc_t:file r_file_perms;
-')
-
-daemon_base_domain(rblsmtpd)
-can_network(rblsmtpd_t)
-
-allow rblsmtpd_t self:process { fork sigchld };
-
-allow rblsmtpd_t etc_t:file r_file_perms;
-allow rblsmtpd_t { bin_t var_t }:dir search;
-allow rblsmtpd_t port_t:udp_socket name_bind;
-allow rblsmtpd_t utcpserver_t:tcp_socket { read write getattr };
-
-ifdef(`qmail.te', `
-domain_auto_trans(rblsmtpd_t, qmail_smtpd_exec_t, qmail_smtpd_t)
-allow qmail_queue_t rblsmtpd_t:fd use;
-')
-
-ifdef(`daemontools.te', `
-svc_ipc_domain(rblsmtpd_t)
-')
-
-domain_auto_trans(utcpserver_t, rblsmtpd_exec_t, rblsmtpd_t)
-
diff --git a/strict/domains/program/unused/uml_net.te b/strict/domains/program/unused/uml_net.te
deleted file mode 100644
index da3fe34..0000000
--- a/strict/domains/program/unused/uml_net.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC uml_net helper program for user-mode Linux
-#
-# Author: Russell Coker <russell@coker.com.au>
-#
-# WARNING: Do not install this file on any machine that has hostile users.
-
-type uml_net_t, domain, privlog;
-type uml_net_exec_t, file_type, sysadmfile, exec_type;
-in_user_role(uml_net_t)
-allow uml_net_t self:process { fork signal_perms };
-allow uml_net_t { bin_t sbin_t }:dir search;
-allow uml_net_t self:fifo_file { read write };
-allow uml_net_t device_t:dir search;
-allow uml_net_t self:udp_socket { create ioctl };
-uses_shlib(uml_net_t)
-allow uml_net_t devtty_t:chr_file { read write };
-allow uml_net_t etc_runtime_t:file { getattr read };
-allow uml_net_t etc_t:file { getattr read };
-allow uml_net_t { proc_t sysctl_t sysctl_net_t }:dir search;
-allow uml_net_t proc_t:file { getattr read };
-
-# if you want ip_forward to be set then you should set it yourself
-dontaudit uml_net_t { sysctl_t sysctl_net_t }:dir search;
-dontaudit uml_net_t sysctl_net_t:file write;
-
-dontaudit ifconfig_t uml_net_t:udp_socket { read write };
-dontaudit uml_net_t self:capability sys_module;
-
-allow uml_net_t tun_tap_device_t:chr_file { read write getattr ioctl };
-can_exec(uml_net_t, { shell_exec_t sbin_t })
diff --git a/strict/domains/program/unused/uptimed.te b/strict/domains/program/unused/uptimed.te
deleted file mode 100644
index 0c9b1c7..0000000
--- a/strict/domains/program/unused/uptimed.te
+++ /dev/null
@@ -1,37 +0,0 @@
-#DESC uptimed - a uptime daemon
-#
-# Author:  Carsten Grohmann <carsten@securityenhancedlinux.de>
-#
-# Date:  19. June 2003 
-#
-
-#################################
-#
-# General Types
-#
-
-type uptimed_spool_t, file_type, sysadmfile;
-
-#################################
-#
-# Rules for the uptimed_t domain.
-#
-daemon_domain(uptimed, `,privmail')
-etc_domain(uptimed)
-typealias uptimed_etc_t alias etc_uptimed_t;
-file_type_auto_trans(uptimed_t, var_spool_t, uptimed_spool_t)
-allow uptimed_t proc_t:file { getattr read };
-read_locale(uptimed_t)
-allow uptimed_t uptimed_spool_t:file create_file_perms;
-allow uptimed_t self:unix_dgram_socket create_socket_perms;
-
-# to send mail
-can_exec(uptimed_t, shell_exec_t)
-allow uptimed_t { bin_t sbin_t }:dir search;
-allow uptimed_t bin_t:lnk_file read;
-allow uptimed_t etc_runtime_t:file { getattr read };
-allow uptimed_t self:fifo_file { getattr write };
-
-# rules for uprecords - it runs in the user context
-allow userdomain uptimed_spool_t:dir search;
-allow userdomain uptimed_spool_t:file { getattr read };
diff --git a/strict/domains/program/unused/uwimapd.te b/strict/domains/program/unused/uwimapd.te
deleted file mode 100644
index f1f5831..0000000
--- a/strict/domains/program/unused/uwimapd.te
+++ /dev/null
@@ -1,47 +0,0 @@
-#DESC uw-imapd-ssl server
-#
-# Author:  Ed Street <edstreet@street-tek.com>
-# X-Debian-Packages: uw-imapd (was uw-imapd-ssl)
-# Depends: inetd.te
-#
-
-daemon_domain(imapd, `, auth_chkpwd, privhome')
-tmp_domain(imapd)
-
-can_network_server_tcp(imapd_t)
-allow imapd_t port_type:tcp_socket name_connect;
-
-#declare our own services
-allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
-allow imapd_t pop_port_t:tcp_socket name_bind;
-
-#declare this a socket from inetd
-allow imapd_t self:unix_dgram_socket { sendto create_socket_perms };
-allow imapd_t self:unix_stream_socket create_socket_perms;
-domain_auto_trans(inetd_t, imapd_exec_t, imapd_t)
-ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, imapd_exec_t, imapd_t)')
-
-#friendly stuff we dont want to see :)
-dontaudit imapd_t bin_t:dir search;
-
-#read /etc/ for hostname nsswitch.conf
-allow imapd_t etc_t:file { getattr read };
-
-#socket i/o stuff
-allow imapd_t inetd_t:tcp_socket { read write ioctl getattr };
-
-#read resolv.conf
-allow imapd_t net_conf_t:file { getattr read };
-
-#urandom, for ssl
-allow imapd_t random_device_t:chr_file read;
-allow imapd_t urandom_device_t:chr_file { read getattr };
-
-allow imapd_t self:fifo_file rw_file_perms;
-
-#mail directory
-rw_dir_file(imapd_t, mail_spool_t)
-
-#home directory
-allow imapd_t home_root_t:dir search;
-allow imapd_t self:file { read getattr };
diff --git a/strict/domains/program/unused/watchdog.te b/strict/domains/program/unused/watchdog.te
deleted file mode 100644
index 01ceea8..0000000
--- a/strict/domains/program/unused/watchdog.te
+++ /dev/null
@@ -1,55 +0,0 @@
-#DESC Watchdog - Software watchdog daemon
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: watchdog
-#
-
-#################################
-#
-# Rules for the watchdog_t domain.
-#
-
-daemon_domain(watchdog, `, privmail')
-type watchdog_device_t, device_type, dev_fs;
-
-allow watchdog_t self:process setsched;
-
-log_domain(watchdog)
-
-allow watchdog_t etc_t:file r_file_perms;
-allow watchdog_t etc_t:lnk_file read;
-allow watchdog_t self:unix_dgram_socket create_socket_perms;
-
-allow watchdog_t proc_t:file r_file_perms;
-
-allow watchdog_t self:capability { ipc_lock sys_pacct sys_nice sys_resource };
-allow watchdog_t self:fifo_file rw_file_perms;
-allow watchdog_t self:unix_stream_socket create_socket_perms;
-can_network(watchdog_t)
-allow watchdog_t port_type:tcp_socket name_connect;
-can_ypbind(watchdog_t)
-allow watchdog_t bin_t:dir search;
-allow watchdog_t bin_t:lnk_file read;
-allow watchdog_t init_t:process signal;
-allow watchdog_t kernel_t:process sigstop;
-
-allow watchdog_t watchdog_device_t:chr_file { getattr write };
-
-# for orderly shutdown
-can_exec(watchdog_t, shell_exec_t)
-allow watchdog_t domain:process { signal_perms getsession };
-allow watchdog_t self:capability kill;
-allow watchdog_t sbin_t:dir search;
-
-# for updating mtab on umount
-file_type_auto_trans(watchdog_t, etc_t, etc_runtime_t, file)
-
-allow watchdog_t self:capability { sys_admin net_admin sys_boot };
-allow watchdog_t fixed_disk_device_t:blk_file swapon;
-allow watchdog_t { proc_t fs_t }:filesystem unmount;
-
-# record the fact that we are going down
-allow watchdog_t wtmp_t:file append;
-
-# do not care about saving the random seed
-dontaudit watchdog_t { urandom_device_t random_device_t }:chr_file read;
diff --git a/strict/domains/program/unused/xprint.te b/strict/domains/program/unused/xprint.te
deleted file mode 100644
index e1af323..0000000
--- a/strict/domains/program/unused/xprint.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#DESC X print server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: xprt-xprintorg
-#
-
-#################################
-#
-# Rules for the xprint_t domain.
-#
-# xprint_exec_t is the type of the xprint executable.
-#
-daemon_domain(xprint)
-
-allow initrc_t readable_t:dir r_dir_perms;
-allow initrc_t fonts_t:dir r_dir_perms;
-
-allow xprint_t var_lib_t:dir search;
-allow xprint_t fonts_t:dir r_dir_perms;
-allow xprint_t fonts_t:file { getattr read };
-
-allow xprint_t { bin_t sbin_t }:dir search;
-can_exec(xprint_t, { bin_t sbin_t ls_exec_t shell_exec_t })
-allow xprint_t bin_t:lnk_file { getattr read };
-
-allow xprint_t tmp_t:dir { getattr search };
-ifdef(`xdm.te', `
-allow xprint_t xdm_xserver_tmp_t:dir rw_dir_perms;
-allow xprint_t xdm_xserver_tmp_t:sock_file create_file_perms;
-')
-
-# Use the network.
-can_network_server(xprint_t)
-can_ypbind(xprint_t)
-allow xprint_t self:fifo_file rw_file_perms;
-allow xprint_t self:unix_stream_socket create_stream_socket_perms;
-
-allow xprint_t proc_t:file { getattr read };
-allow xprint_t self:file { getattr read };
-
-# read config files
-allow xprint_t { etc_t etc_runtime_t }:file { getattr read };
-ifdef(`cups.te', `
-allow xprint_t cupsd_etc_t:dir search;
-allow xprint_t cupsd_etc_t:file { getattr read };
-')
-
-r_dir_file(xprint_t, usr_t)
-
-allow xprint_t urandom_device_t:chr_file { getattr read };
diff --git a/strict/domains/program/unused/yam.te b/strict/domains/program/unused/yam.te
deleted file mode 100644
index da85a8c..0000000
--- a/strict/domains/program/unused/yam.te
+++ /dev/null
@@ -1,149 +0,0 @@
-# DESC yam - Yum/Apt Mirroring
-#
-# Author: David Hampton <hampton@employees.org>
-#
-
-
-#
-# Yam downloads lots of files, indexes them, and makes them available
-# for upload.  Define a type for these file.
-#
-type yam_content_t, file_type, sysadmfile, httpdcontent;
-
-
-#
-# Common definitions used by both the command line and the cron
-# invocation of yam.
-#
-define(`yam_common',`
-
-# Update the content being managed by yam.
-create_dir_file($1_t, yam_content_t)
-
-# Content can also be on ISO image files.
-r_dir_file($1_t, iso9660_t)
-
-# Need to go through /var to get to /var/yam
-# Go through /var/www to get to /var/www/yam
-allow $1_t var_t:dir { getattr search };
-allow $1_t httpd_sys_content_t:dir { getattr search };
-
-# Allow access to locale database,  nsswitch, and mtab
-read_locale($1_t)
-allow $1_t etc_t:file { getattr read };
-allow $1_t etc_runtime_t:file { getattr read };
-
-# Python seems to need things from various places
-allow $1_t { bin_t sbin_t }:dir { search getattr };
-allow $1_t { bin_t sbin_t lib_t usr_t }:file { getattr read };
-allow $1_t bin_t:lnk_file read;
-
-# Python works fine without reading /proc/meminfo
-dontaudit $1_t proc_t:dir search;
-dontaudit $1_t proc_t:file { getattr read };
-
-# Yam wants to run rsync, lftp, mount, and a shell.  Allow the latter
-# two here.  Run rsync and lftp in the yam_t context so that we dont
-# have to give any other programs write access to the yam_t files.
-general_domain_access($1_t)
-can_exec($1_t, shell_exec_t)
-can_exec($1_t, rsync_exec_t)
-can_exec($1_t, bin_t)
-can_exec($1_t, usr_t) #/usr/share/createrepo/genpkgmetadata.py
-ifdef(`mount.te', `
-domain_auto_trans($1_t, mount_exec_t, mount_t)
-')
-
-# Rsync and lftp need to network.  They also set files attributes to
-# match whats on the remote server.
-can_network_client($1_t)
-allow $1_t { http_port_t rsync_port_t }:tcp_socket name_connect;
-allow $1_t self:capability { chown fowner fsetid dac_override };
-allow $1_t self:process execmem;
-
-# access to sysctl_kernel_t ( proc/sys/kernel/* )
-read_sysctl($1_t)
-
-# Programs invoked to build package lists need various permissions.
-# genpkglist creates tmp files in /var/cache/apt/genpkglist
-allow $1_t var_t:file { getattr read write };
-allow $1_t var_t:dir read;
-# mktemp
-allow $1_t urandom_device_t:chr_file read;
-# mv
-allow $1_t proc_t:lnk_file read;
-allow $1_t selinux_config_t:dir search;
-allow $1_t selinux_config_t:file { getattr read };
-')
-
-
-##########
-##########
-
-#
-# Runnig yam from the command line
-#
-application_domain(yam, `, nscd_client_domain')
-role system_r types yam_t;
-yam_common(yam)
-etc_domain(yam)
-tmp_domain(yam)
-
-# Terminal access
-allow yam_t devpts_t:dir search;
-allow yam_t devtty_t:chr_file { read write };
-allow yam_t sshd_t:fd use;
-allow yam_t sysadm_devpts_t:chr_file { getattr ioctl read write };
-
-# Reading dotfiles...
-allow yam_t sysadm_home_dir_t:dir search;		# /root
-allow yam_t sysadm_home_t:dir search;			# /root/xxx
-allow yam_t home_root_t:dir search;			# /home
-allow yam_t user_home_dir_t:dir r_dir_perms;		# /home/user
-
-
-##########
-##########
-
-#
-# Running yam from cron
-#
-application_domain(yam_crond, `, nscd_client_domain')
-role system_r types yam_crond_t;
-ifdef(`crond.te', `
-system_crond_entry(yam_exec_t, yam_crond_t)
-')
-
-yam_common(yam_crond)
-allow yam_crond_t yam_etc_t:file r_file_perms;
-file_type_auto_trans(yam_crond_t, tmp_t, yam_tmp_t, `{ file dir }')
-
-allow yam_crond_t devtty_t:chr_file { read write };
-
-# Reading dotfiles...
-# LFTP uses a directory for its dotfiles
-allow yam_crond_t default_t:dir search;
-
-# Don't know why init tries to read this.
-allow initrc_t yam_etc_t:file { getattr read };
-
-
-##########
-##########
-
-# The whole point of this program is to make updates available on a
-# local web server.  Allow apache access to these files.
-ifdef(`apache.te', `
-r_dir_file(httpd_t, yam_content_t)
-')
-
-ifdef(`webalizer.te', `
-dontaudit webalizer_t yam_content_t:dir search;
-')
-
-# Mount needs access to the yam directories in order to mount the ISO
-# files on a loobpack file system.
-ifdef(`mount.te', `
-allow mount_t yam_content_t:dir mounton;
-allow mount_t yam_content_t:file { read write };
-')
diff --git a/strict/domains/program/updfstab.te b/strict/domains/program/updfstab.te
deleted file mode 100644
index 82edf3d..0000000
--- a/strict/domains/program/updfstab.te
+++ /dev/null
@@ -1,81 +0,0 @@
-#DESC updfstab - Red Hat utility to change /etc/fstab
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-daemon_base_domain(updfstab, `, fs_domain, etc_writer')
-
-rw_dir_create_file(updfstab_t, etc_t)
-create_dir_file(updfstab_t, mnt_t)
-
-# Read /dev directories and modify sym-links
-allow updfstab_t device_t:dir rw_dir_perms;
-allow updfstab_t device_t:lnk_file create_file_perms;
-
-# Access disk devices.
-allow updfstab_t fixed_disk_device_t:blk_file rw_file_perms;
-allow updfstab_t removable_device_t:blk_file rw_file_perms;
-allow updfstab_t scsi_generic_device_t:chr_file rw_file_perms;
-
-# for /proc/partitions
-allow updfstab_t proc_t:file { getattr read };
-
-# for /proc/self/mounts
-r_dir_file(updfstab_t, self)
-
-# for /etc/mtab
-allow updfstab_t etc_runtime_t:file { getattr read };
-
-read_locale(updfstab_t)
-
-ifdef(`dbusd.te', `
-dbusd_client(system, updfstab)
-allow updfstab_t system_dbusd_t:dbus { send_msg };
-allow initrc_t updfstab_t:dbus send_msg;
-allow updfstab_t initrc_t:dbus send_msg;
-')
-
-# not sure what the sysctl_kernel_t file is, or why it wants to write it, so
-# I will not allow it
-read_sysctl(updfstab_t)
-dontaudit updfstab_t sysctl_kernel_t:file write;
-allow updfstab_t modules_conf_t:file { getattr read };
-allow updfstab_t sbin_t:dir search;
-allow updfstab_t sbin_t:lnk_file read;
-allow updfstab_t { var_t var_log_t }:dir search;
-
-allow updfstab_t kernel_t:fd use;
-
-allow updfstab_t self:unix_stream_socket create_stream_socket_perms;
-allow updfstab_t self:unix_dgram_socket create_socket_perms;
-
-ifdef(`modutil.te', `
-dnl domain_auto_trans(updfstab_t, insmod_exec_t, insmod_t)
-can_exec(updfstab_t, insmod_exec_t)
-allow updfstab_t modules_object_t:dir search;
-allow updfstab_t modules_dep_t:file { getattr read };
-')
-
-ifdef(`pamconsole.te', `
-domain_auto_trans(updfstab_t, pam_console_exec_t, pam_console_t)
-')
-allow updfstab_t kernel_t:system syslog_console;
-allow updfstab_t sysadm_tty_device_t:chr_file { read write };
-allow updfstab_t self:capability dac_override;
-dontaudit updfstab_t self:capability sys_admin;
-
-r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
-can_getsecurity(updfstab_t)
-
-allow updfstab_t { sbin_t bin_t }:dir { search getattr };
-dontaudit updfstab_t devtty_t:chr_file { read write };
-allow updfstab_t self:fifo_file { getattr read write ioctl };
-can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
-dontaudit updfstab_t home_root_t:dir { getattr search };
-dontaudit updfstab_t { home_dir_type home_type }:dir search;
-allow updfstab_t fs_t:filesystem { getattr };
-allow updfstab_t tmpfs_t:dir getattr;
-ifdef(`hald.te', `
-can_unix_connect(updfstab_t, hald_t)
-')
-
diff --git a/strict/domains/program/usbmodules.te b/strict/domains/program/usbmodules.te
deleted file mode 100644
index f76f56b..0000000
--- a/strict/domains/program/usbmodules.te
+++ /dev/null
@@ -1,35 +0,0 @@
-#DESC USBModules - List kernel modules for USB devices
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages:
-#
-
-#################################
-#
-# Rules for the usbmodules_t domain.
-#
-type usbmodules_t, domain, privlog;
-type usbmodules_exec_t, file_type, sysadmfile, exec_type;
-
-in_user_role(usbmodules_t)
-role sysadm_r types usbmodules_t;
-role system_r types usbmodules_t;
-
-domain_auto_trans(initrc_t, usbmodules_exec_t, usbmodules_t)
-ifdef(`hotplug.te',`
-domain_auto_trans(hotplug_t, usbmodules_exec_t, usbmodules_t)
-allow usbmodules_t hotplug_etc_t:file r_file_perms;
-allow usbmodules_t hotplug_etc_t:dir search;
-')
-allow usbmodules_t init_t:fd use;
-allow usbmodules_t console_device_t:chr_file { read write };
-
-uses_shlib(usbmodules_t)
-
-# allow usb device access
-allow usbmodules_t usbdevfs_t:file rw_file_perms;
-
-allow usbmodules_t { etc_t modules_object_t proc_t usbdevfs_t }:dir r_dir_perms;
-
-# needs etc_t read access for the hotplug config, maybe should have a new type
-allow usbmodules_t { etc_t modules_dep_t }:file r_file_perms;
diff --git a/strict/domains/program/useradd.te b/strict/domains/program/useradd.te
deleted file mode 100644
index 1df38af..0000000
--- a/strict/domains/program/useradd.te
+++ /dev/null
@@ -1,108 +0,0 @@
-#DESC Useradd - Manage system user accounts
-#
-# Authors:  Chris Vance <cvance@tislabs.com>  David Caplan <dac@tresys.com>
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: passwd
-#
-
-#################################
-#
-# Rules for the useradd_t and groupadd_t domains.
-#
-# useradd_t is the domain of the useradd/userdel programs.
-# groupadd_t is for adding groups (can not create home dirs)
-#
-define(`user_group_add_program', `
-type $1_t, domain, privlog, auth_write, privowner, nscd_client_domain;
-role sysadm_r types $1_t;
-role system_r types $1_t;
-
-general_domain_access($1_t)
-uses_shlib($1_t)
-
-type $1_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
-domain_auto_trans(initrc_t, $1_exec_t, $1_t)
-
-# Use capabilities.
-allow $1_t self:capability { dac_override chown kill };
-
-# Allow access to context for shadow file
-can_getsecurity($1_t)
-
-# Inherit and use descriptors from login.
-allow $1_t { init_t privfd }:fd use;
-
-# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
-allow $1_t { bin_t sbin_t }:dir r_dir_perms;
-can_exec($1_t, { bin_t sbin_t })
-
-# Update /etc/shadow and /etc/passwd
-file_type_auto_trans($1_t, etc_t, shadow_t, file)
-allow $1_t etc_t:file create_file_perms;
-
-# some apps ask for these accesses, but seems to work regardless
-dontaudit $1_t var_run_t:dir search;
-r_dir_file($1_t,  selinux_config_t)
-
-# Set fscreate context.
-can_setfscreate($1_t)
-
-allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
-
-read_locale($1_t)
-
-# useradd/userdel request read/write for /var/log/lastlog, and read of /dev, 
-# but will operate without them.
-dontaudit $1_t { device_t var_t var_log_t }:dir search;
-
-# For userdel and groupadd
-allow $1_t fs_t:filesystem getattr;
-
-# Access terminals.
-allow $1_t ttyfile:chr_file rw_file_perms;
-allow $1_t ptyfile:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
-
-# for when /root is the cwd
-dontaudit $1_t sysadm_home_dir_t:dir search;
-nsswitch_domain($1_t)
-
-allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
-')
-user_group_add_program(useradd)
-allow useradd_t lastlog_t:file { getattr read write };
-
-# for getting the number of groups
-read_sysctl(useradd_t)
-
-# Add/remove user home directories
-file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)
-file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)
-
-# create/delete mail spool file in /var/mail
-allow useradd_t var_spool_t:dir search;
-allow useradd_t mail_spool_t:dir { search write add_name remove_name };
-allow useradd_t mail_spool_t:file create_file_perms;
-# /var/mail is a link to /var/spool/mail
-allow useradd_t mail_spool_t:lnk_file read;
-
-allow useradd_t self:capability { fowner fsetid setuid sys_resource };
-can_exec(useradd_t, shell_exec_t)
-
-# /usr/bin/userdel locks the user being deleted, allow write access to utmp
-allow useradd_t initrc_var_run_t:file { read write lock };
-
-user_group_add_program(groupadd)
-
-dontaudit groupadd_t self:capability fsetid;
-
-allow groupadd_t self:capability { setuid sys_resource };
-allow groupadd_t self:process setrlimit;
-allow groupadd_t initrc_var_run_t:file r_file_perms;
-dontaudit groupadd_t initrc_var_run_t:file write;
-
-allow useradd_t default_context_t:dir search;
-allow useradd_t file_context_t:dir search;
-allow useradd_t file_context_t:file { getattr read };
-allow useradd_t var_lib_t:dir search;
diff --git a/strict/domains/program/userhelper.te b/strict/domains/program/userhelper.te
deleted file mode 100644
index cab6c70..0000000
--- a/strict/domains/program/userhelper.te
+++ /dev/null
@@ -1,22 +0,0 @@
-#DESC Userhelper - SELinux utility to run a shell with a new role
-#
-# Authors:  Dan Walsh (Red Hat)
-# Maintained by Dan Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the userhelper_t domain.
-#
-# userhelper_exec_t is the type of the userhelper executable.
-# userhelper_conf_t is the type of the userhelper configuration files.
-#
-type userhelper_exec_t, file_type, exec_type, sysadmfile;
-type userhelper_conf_t, file_type, sysadmfile;
-
-# Everything else is in the userhelper_domain macro in
-# macros/program/userhelper_macros.te.
-
-ifdef(`xdm.te', `
-dontaudit xdm_t userhelper_conf_t:dir search;
-')
diff --git a/strict/domains/program/usernetctl.te b/strict/domains/program/usernetctl.te
deleted file mode 100644
index 6a2c64f..0000000
--- a/strict/domains/program/usernetctl.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#DESC usernetctl - User network interface configuration helper 
-#
-# Author: Colin Walters <walters@redhat.com>
-
-type usernetctl_exec_t, file_type, sysadmfile, exec_type;
-
-type usernetctl_t, domain, privfd;
-
-if (user_net_control) {
-domain_auto_trans(userdomain, usernetctl_exec_t, usernetctl_t)
-} else {
-can_exec(userdomain, usernetctl_exec_t)
-}
-in_user_role(usernetctl_t)
-role sysadm_r types usernetctl_t;
-
-define(`usernetctl_transition',`
-domain_auto_trans(usernetctl_t, $1_exec_t, $1_t)
-in_user_role($1_t)
-allow $1_t userpty_type:chr_file { getattr read write };
-')
-
-ifdef(`ifconfig.te',`
-usernetctl_transition(ifconfig)
-')
-ifdef(`iptables.te',`
-usernetctl_transition(iptables)
-')
-ifdef(`dhcpc.te',`
-usernetctl_transition(dhcpc)
-allow usernetctl_t dhcp_etc_t:file ra_file_perms;
-')
-ifdef(`modutil.te',`
-usernetctl_transition(insmod)
-')
-ifdef(`consoletype.te',`
-usernetctl_transition(consoletype)
-')
-ifdef(`hostname.te',`
-usernetctl_transition(hostname)
-')
-
-allow usernetctl_t self:capability { setuid setgid dac_override };
-
-base_file_read_access(usernetctl_t)
-base_pty_perms(usernetctl)
-allow usernetctl_t devtty_t:chr_file rw_file_perms;
-uses_shlib(usernetctl_t)
-read_locale(usernetctl_t)
-general_domain_access(usernetctl_t)
-
-r_dir_file(usernetctl_t, proc_t)
-dontaudit usernetctl_t { domain - usernetctl_t }:dir search;
-
-allow usernetctl_t userpty_type:chr_file rw_file_perms;
-
-can_exec(usernetctl_t, { bin_t sbin_t shell_exec_t usernetctl_exec_t})
-can_exec(usernetctl_t, etc_t)
-
-r_dir_file(usernetctl_t, etc_t)
-allow usernetctl_t { var_t var_run_t }:dir { getattr read search };
-allow usernetctl_t etc_runtime_t:file r_file_perms;
-allow usernetctl_t net_conf_t:file r_file_perms;
-
diff --git a/strict/domains/program/utempter.te b/strict/domains/program/utempter.te
deleted file mode 100644
index 92b443f..0000000
--- a/strict/domains/program/utempter.te
+++ /dev/null
@@ -1,51 +0,0 @@
-#DESC Utempter - Privileged helper for utmp/wtmp updates
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages:
-#
-
-#################################
-#
-# Rules for the utempter_t domain.
-#
-# This is the domain for the utempter program.  utempter is
-# executed by xterm to update utmp and wtmp.
-# utempter_exec_t is the type of the utempter binary.
-#
-type utempter_t, domain, nscd_client_domain;
-in_user_role(utempter_t)
-role sysadm_r types utempter_t;
-uses_shlib(utempter_t)
-type utempter_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
-
-allow utempter_t urandom_device_t:chr_file { getattr read };
-
-# Use capabilities.
-allow utempter_t self:capability setgid;
-
-allow utempter_t etc_t:file { getattr read };
-
-# Update /var/run/utmp and /var/log/wtmp.
-allow utempter_t initrc_var_run_t:file rw_file_perms;
-allow utempter_t var_log_t:dir search;
-allow utempter_t wtmp_t:file rw_file_perms;
-
-# dontaudit access to /dev/ptmx.
-dontaudit utempter_t ptmx_t:chr_file rw_file_perms;
-dontaudit utempter_t sysadm_devpts_t:chr_file { read write };
-
-# Allow utemper to write to /tmp/.xses-*
-allow utempter_t user_tmpfile:file { getattr write append };
-
-# Inherit and use descriptors from login.
-allow utempter_t privfd:fd use;
-ifdef(`xdm.te', `can_pipe_xdm(utempter_t)')
-
-allow utempter_t self:unix_stream_socket create_stream_socket_perms;
-
-# Access terminals.
-allow utempter_t ttyfile:chr_file getattr;
-allow utempter_t ptyfile:chr_file getattr;
-allow utempter_t devpts_t:dir search;
-dontaudit utempter_t {ttyfile ptyfile}:chr_file { read write };
diff --git a/strict/domains/program/uucpd.te b/strict/domains/program/uucpd.te
deleted file mode 100644
index 05791bd..0000000
--- a/strict/domains/program/uucpd.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#DESC uucpd - UUCP file transfer daemon
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the uucpd_t domain.
-#
-# uucpd_exec_t is the type of the uucpd executable.
-#
-
-inetd_child_domain(uucpd, tcp)
-type uucpd_rw_t, file_type, sysadmfile;
-type uucpd_ro_t, file_type, sysadmfile;
-type uucpd_spool_t, file_type, sysadmfile;
-create_dir_file(uucpd_t, uucpd_rw_t)
-r_dir_file(uucpd_t, uucpd_ro_t)
-allow uucpd_t sbin_t:dir search;
-can_exec(uucpd_t, sbin_t)
-logdir_domain(uucpd)
-allow uucpd_t var_spool_t:dir search;
-create_dir_file(uucpd_t, uucpd_spool_t)
diff --git a/strict/domains/program/vmware.te b/strict/domains/program/vmware.te
deleted file mode 100644
index fcda9b8..0000000
--- a/strict/domains/program/vmware.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#DESC VMWare - Virtual machine
-#
-# Domains,types and permissions for running VMWare (the program) and for
-# running a SELinux system in a VMWare session (the VMWare-tools).
-#
-# Based on work contributed by Mark Westerman (mark.westerman@westcam.com), 
-# modifications by NAI Labs.
-#
-# Domain is for the VMWare admin programs and daemons.
-# X-Debian-Packages:
-#
-# NOTE: The user vmware domain is provided separately in 
-# macros/program/vmware_macros.te
-# 
-# Next two domains are create by the daemon_domain() macro.
-# The vmware_t domain is for running VMWare daemons
-# The vmware_exec_t type is for the VMWare daemon and admin programs.
-#
-# quick hack making it privhome, should have a domain for each user in a macro
-daemon_domain(vmware, `, privhome')
-
-#
-# The vmware_user_exec_t type is for the user programs.
-#
-type vmware_user_exec_t, file_type, sysadmfile, exec_type;
-
-# Type for vmware devices.
-type vmware_device_t, device_type, dev_fs;
-
-# The sys configuration used for the /etc/vmware configuration files
-type vmware_sys_conf_t, file_type, sysadmfile;
-
-#########################################################################
-# Additional rules to start/stop VMWare
-#
-
-# Give init access to VMWare configuration files
-allow initrc_t vmware_sys_conf_t:file { ioctl read append };
-
-#
-# Rules added to kernel_t domain for VMWare to start up
-#
-# VMWare need access to pcmcia devices for network
-ifdef(`cardmgr.te', `
-allow kernel_t cardmgr_var_lib_t:dir { getattr search };
-allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read };
-')
-
-# Vmware create network devices
-allow kernel_t self:capability net_admin;
-allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
-allow kernel_t self:socket create;
diff --git a/strict/domains/program/vpnc.te b/strict/domains/program/vpnc.te
deleted file mode 100644
index 01ddac1..0000000
--- a/strict/domains/program/vpnc.te
+++ /dev/null
@@ -1,62 +0,0 @@
-#DESC vpnc
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the vpnc_t domain, et al.
-#
-# vpnc_t is the domain for the vpnc program.
-# vpnc_exec_t is the type of the vpnc executable.
-#
-application_domain(vpnc, `, sysctl_net_writer, nscd_client_domain')
-
-allow vpnc_t { random_device_t urandom_device_t }:chr_file { getattr read };
-
-# Use the network.
-can_network(vpnc_t)
-allow vpnc_t port_type:tcp_socket name_connect;
-allow vpnc_t isakmp_port_t:udp_socket name_bind;
-
-can_ypbind(vpnc_t)
-allow vpnc_t self:socket create_socket_perms;
-
-# Use capabilities.
-allow vpnc_t self:capability { net_admin ipc_lock net_bind_service net_raw };
-
-allow vpnc_t devpts_t:dir search;
-allow vpnc_t etc_t:file { getattr read };
-allow vpnc_t tun_tap_device_t:chr_file { ioctl read write };
-allow vpnc_t self:rawip_socket create_socket_perms;
-allow vpnc_t self:unix_dgram_socket create_socket_perms;
-allow vpnc_t self:unix_stream_socket create_socket_perms;
-allow vpnc_t { devtty_t user_tty_type admin_tty_type }:chr_file rw_file_perms;
-allow vpnc_t port_t:udp_socket name_bind;
-allow vpnc_t etc_runtime_t:file { getattr read };
-allow vpnc_t proc_t:file { getattr read };
-dontaudit vpnc_t selinux_config_t:dir search;
-can_exec(vpnc_t, {bin_t sbin_t ifconfig_exec_t shell_exec_t })
-allow vpnc_t sysctl_net_t:dir search;
-allow vpnc_t sysctl_net_t:file write;
-allow vpnc_t sbin_t:dir search;
-allow vpnc_t bin_t:dir search;
-allow vpnc_t bin_t:lnk_file read;
-allow vpnc_t self:dir search;
-r_dir_file(vpnc_t, proc_t)
-r_dir_file(vpnc_t, proc_net_t)
-tmp_domain(vpnc)
-allow vpnc_t self:fifo_file { getattr ioctl read write };
-allow vpnc_t self:file { getattr read };
-allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
-file_type_auto_trans(vpnc_t, etc_t, net_conf_t, file)
-allow vpnc_t etc_t:file { execute execute_no_trans ioctl };
-dontaudit vpnc_t home_root_t:dir search;
-dontaudit vpnc_t user_home_dir_type:dir search;
-var_run_domain(vpnc)
-allow vpnc_t userdomain:fd use;
-r_dir_file(vpnc_t, sysfs_t)
-allow vpnc_t self:process { fork sigchld };
-read_locale(vpnc_t)
-read_sysctl(vpnc_t)
-allow vpnc_t fs_t:filesystem getattr;
diff --git a/strict/domains/program/webalizer.te b/strict/domains/program/webalizer.te
deleted file mode 100644
index c1f38bd..0000000
--- a/strict/domains/program/webalizer.te
+++ /dev/null
@@ -1,51 +0,0 @@
-# DESC webalizer - webalizer
-#
-# Author: Yuichi Nakamura (ynakam @ selinux.gr.jp)
-#
-# Depends: apache.te
-
-application_domain(webalizer, `, nscd_client_domain')
-# to use from cron
-system_crond_entry(webalizer_exec_t,webalizer_t)
-role system_r types webalizer_t;
-
-##type definision
-# type for usage file
-type webalizer_usage_t,file_type,sysadmfile;
-# type for /var/lib/webalizer
-type webalizer_write_t,file_type,sysadmfile;
-# type for webalizer.conf
-etc_domain(webalizer)
-
-#read apache log
-allow webalizer_t var_log_t:dir r_dir_perms;
-r_dir_file(webalizer_t, httpd_log_t)
-ifdef(`ftpd.te', `
-allow webalizer_t xferlog_t:file { getattr read };
-')
-
-#r/w /var/lib/webalizer
-var_lib_domain(webalizer)
-
-#read /var/www/usage
-create_dir_file(webalizer_t, httpd_sys_content_t)
-
-#read system files under /etc
-allow webalizer_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale(webalizer_t)
-
-# can use tmp file
-tmp_domain(webalizer)
-
-# can read /proc
-read_sysctl(webalizer_t)
-allow webalizer_t proc_t:dir search;
-allow webalizer_t proc_t:file r_file_perms;
-
-# network
-can_network_server(webalizer_t)
-
-#process communication inside webalizer itself
-general_domain_access(webalizer_t)
-
-allow webalizer_t self:capability dac_override;
diff --git a/strict/domains/program/winbind.te b/strict/domains/program/winbind.te
deleted file mode 100644
index 7b9e5e9..0000000
--- a/strict/domains/program/winbind.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#DESC winbind - Name  Service  Switch  daemon for resolving names from NT servers
-#
-# Author: Dan Walsh (dwalsh@redhat.com)
-#
-
-#################################
-#
-# Declarations for winbind
-#
-
-daemon_domain(winbind, `, privhome, auth_chkpwd, nscd_client_domain')
-log_domain(winbind)
-tmp_domain(winbind)
-allow winbind_t etc_t:file r_file_perms;
-allow winbind_t etc_t:lnk_file read;
-can_network(winbind_t)
-allow winbind_t smbd_port_t:tcp_socket name_connect;
-can_resolve(winbind_t)
-
-ifdef(`samba.te', `', `
-type samba_etc_t, file_type, sysadmfile, usercanread;
-type samba_log_t, file_type, sysadmfile, logfile;
-type samba_var_t, file_type, sysadmfile;
-type samba_secrets_t, file_type, sysadmfile;
-')
-file_type_auto_trans(winbind_t, samba_etc_t, samba_secrets_t, file)
-rw_dir_create_file(winbind_t, samba_log_t)
-allow winbind_t samba_secrets_t:file rw_file_perms;
-allow winbind_t self:unix_dgram_socket create_socket_perms;
-allow winbind_t self:unix_stream_socket create_stream_socket_perms;
-allow winbind_t urandom_device_t:chr_file { getattr read };
-allow winbind_t self:fifo_file { read write };
-rw_dir_create_file(winbind_t, samba_var_t)
-can_kerberos(winbind_t)
-allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
-allow winbind_t winbind_var_run_t:sock_file create_file_perms;
-allow initrc_t winbind_var_run_t:file r_file_perms;
-
-application_domain(winbind_helper, `, nscd_client_domain')
-role system_r types winbind_helper_t;
-access_terminal(winbind_helper_t, sysadm)
-read_locale(winbind_helper_t) 
-r_dir_file(winbind_helper_t, samba_etc_t)
-r_dir_file(winbind_t, samba_etc_t)
-allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
-allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
-allow winbind_helper_t samba_var_t:dir search;
-allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
-can_winbind(winbind_helper_t)
-allow winbind_helper_t privfd:fd use;
diff --git a/strict/domains/program/xauth.te b/strict/domains/program/xauth.te
deleted file mode 100644
index 6382d77..0000000
--- a/strict/domains/program/xauth.te
+++ /dev/null
@@ -1,13 +0,0 @@
-#DESC Xauth - X authority file utility
-#
-# Domains for the xauth program.
-# X-Debian-Packages: xbase-clients
-
-# Author: Russell Coker <russell@coker.com.au>
-#
-# xauth_exec_t is the type of the xauth executable.
-#
-type xauth_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in the xauth_domain macro in
-# macros/program/xauth_macros.te.
diff --git a/strict/domains/program/xdm.te b/strict/domains/program/xdm.te
deleted file mode 100644
index e3e9c8d..0000000
--- a/strict/domains/program/xdm.te
+++ /dev/null
@@ -1,376 +0,0 @@
-#DESC XDM - X Display Manager
-#
-# Authors:  Mark Westerman mark.westerman@westcam.com
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: gdm xdm wdm kdm
-# Depends: xserver.te
-#
-# Some wdm-specific changes by Tom Vogt <tom@lemuria.org>
-# 
-# Some alterations and documentation by Stephen Smalley <sds@epoch.ncsc.mil>
-#
-
-#################################
-# 
-# Rules for the xdm_t domain.
-#
-# xdm_t is the domain of a X Display Manager process 
-# spawned by getty.
-# xdm_exec_t is the type of the [xgkw]dm program
-#
-daemon_domain(xdm, `, privuser, privrole, auth_chkpwd, privowner, privmem, nscd_client_domain')
-
-# for running xdm from init
-domain_auto_trans(init_t, xdm_exec_t, xdm_t)
-
-allow xdm_t xdm_var_run_t:dir setattr;
-
-# for xdmctl
-allow xdm_t xdm_var_run_t:fifo_file create_file_perms;
-allow initrc_t xdm_var_run_t:fifo_file unlink;
-file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, fifo_file)
-file_type_auto_trans(xdm_t, var_run_t, xdm_var_run_t, dir)
-
-tmp_domain(xdm, `', `{ file dir sock_file }')
-var_lib_domain(xdm)
-# NB we do NOT allow xdm_xserver_t xdm_var_lib_t:dir, only access to an open
-# handle of a file inside the dir!!!
-allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
-dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
-allow xdm_xserver_t xdm_var_run_t:file { getattr read };
-type xsession_exec_t, file_type, sysadmfile, exec_type;
-type xdm_rw_etc_t, file_type, sysadmfile;
-typealias xdm_rw_etc_t alias etc_xdm_t;
-
-allow xdm_t default_context_t:dir search;
-allow xdm_t default_context_t:{ file lnk_file } { read getattr };
-
-can_network(xdm_t)
-allow xdm_t port_type:tcp_socket name_connect;
-allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow xdm_t self:unix_dgram_socket create_socket_perms;
-allow xdm_t self:fifo_file rw_file_perms;
-
-allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow xdm_t xdm_xserver_t:process signal;
-can_unix_connect(xdm_t, xdm_xserver_t)
-allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
-allow xdm_t xdm_xserver_tmp_t:dir { setattr r_dir_perms };
-allow xdm_xserver_t xdm_t:process signal;
-# for reboot
-allow xdm_t initctl_t:fifo_file write;
-
-# init script wants to check if it needs to update windowmanagerlist
-allow initrc_t xdm_rw_etc_t:file { getattr read };
-ifdef(`distro_suse', `
-# set permissions on /tmp/.X11-unix
-allow initrc_t xdm_tmp_t:dir setattr;
-')
-
-#
-# Use capabilities.
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner };
-
-allow xdm_t { urandom_device_t random_device_t }:chr_file { getattr read ioctl };
-
-# Transition to user domains for user sessions.
-domain_trans(xdm_t, xsession_exec_t, unpriv_userdomain)
-allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto;
-allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms;
-allow unpriv_userdomain xdm_xserver_t:fd use;
-allow unpriv_userdomain xdm_xserver_tmpfs_t:file { getattr read };
-allow xdm_xserver_t unpriv_userdomain:shm rw_shm_perms;
-allow xdm_xserver_t unpriv_userdomain:fd use;
-
-# Do not audit user access to the X log files due to file handle inheritance
-dontaudit unpriv_userdomain xserver_log_t:file { write append };
-
-# gnome-session creates socket under /tmp/.ICE-unix/
-allow unpriv_userdomain xdm_tmp_t:dir rw_dir_perms;
-allow unpriv_userdomain xdm_tmp_t:sock_file create;
-
-# Allow xdm logins as sysadm_r:sysadm_t
-bool xdm_sysadm_login false;
-if (xdm_sysadm_login) {
-domain_trans(xdm_t, xsession_exec_t, sysadm_t)
-allow sysadm_t xdm_xserver_t:unix_stream_socket connectto;
-allow sysadm_t xdm_xserver_t:shm r_shm_perms;
-allow sysadm_t xdm_xserver_t:fd use;
-allow sysadm_t xdm_xserver_tmpfs_t:file { getattr read };
-allow xdm_xserver_t sysadm_t:shm rw_shm_perms;
-allow xdm_xserver_t sysadm_t:fd use;
-}
-can_setexec(xdm_t)
-
-# Label pid and temporary files with derived types.
-rw_dir_create_file(xdm_xserver_t, xdm_tmp_t)
-allow xdm_xserver_t xdm_tmp_t:sock_file create_file_perms;
-
-# Run helper programs.
-allow xdm_t etc_t:file { getattr read };
-allow xdm_t bin_t:dir { getattr search };
-# lib_t is for running cpp
-can_exec(xdm_t, { shell_exec_t etc_t bin_t sbin_t lib_t })
-allow xdm_t { bin_t sbin_t }:lnk_file read;
-ifdef(`hostname.te', `can_exec(xdm_t, hostname_exec_t)')
-ifdef(`loadkeys.te', `can_exec(xdm_t, loadkeys_exec_t)')
-allow xdm_t xdm_xserver_t:process sigkill;
-allow xdm_t xdm_xserver_tmp_t:file unlink;
-
-# Access devices.
-allow xdm_t device_t:dir { read search };
-allow xdm_t console_device_t:chr_file setattr;
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
-allow xdm_t framebuf_device_t:chr_file { getattr setattr };
-allow xdm_t mouse_device_t:chr_file { getattr setattr };
-allow xdm_t apm_bios_t:chr_file { setattr getattr read write };
-allow xdm_t dri_device_t:chr_file rw_file_perms;
-allow xdm_t device_t:dir rw_dir_perms;
-allow xdm_t agp_device_t:chr_file rw_file_perms;
-allow xdm_t { xserver_misc_device_t misc_device_t }:chr_file { setattr getattr };
-allow xdm_t v4l_device_t:chr_file { setattr getattr };
-allow xdm_t scanner_device_t:chr_file { setattr getattr };
-allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr };
-allow xdm_t device_t:lnk_file read;
-can_resmgrd_connect(xdm_t)
-
-# Access xdm log files.
-file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file)
-allow xdm_t xserver_log_t:dir rw_dir_perms;
-allow xdm_t xserver_log_t:dir setattr;
-# Access /var/gdm/.gdmfifo.
-allow xdm_t xserver_log_t:fifo_file create_file_perms;
-
-allow xdm_t self:shm create_shm_perms;
-allow { xdm_t unpriv_userdomain } xdm_xserver_t:unix_stream_socket connectto;
-allow { xdm_t unpriv_userdomain } xdm_xserver_t:shm rw_shm_perms;
-allow { xdm_t unpriv_userdomain } xdm_xserver_t:fd use;
-allow { xdm_t unpriv_userdomain } xdm_xserver_tmpfs_t:file { getattr read };
-allow xdm_xserver_t { xdm_t unpriv_userdomain }:shm rw_shm_perms;
-allow xdm_xserver_t { xdm_t unpriv_userdomain }:fd use;
-
-# Remove /tmp/.X11-unix/X0.
-allow xdm_t xdm_xserver_tmp_t:dir { remove_name write };
-allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
-
-ifdef(`gpm.te', `
-# Talk to the console mouse server.
-allow xdm_t gpmctl_t:sock_file { getattr setattr write };
-allow xdm_t gpm_t:unix_stream_socket connectto;
-')
-
-allow xdm_t sysfs_t:dir search;
-
-# Update utmp and wtmp.
-allow xdm_t initrc_var_run_t: file { read write lock };
-allow xdm_t wtmp_t:file append;
-
-# Update lastlog.
-allow xdm_t lastlog_t:file rw_file_perms;
-
-# Ask the security server for SIDs for user sessions.
-can_getsecurity(xdm_t)
-
-tmpfs_domain(xdm)
-
-# Need to further investigate these permissions and
-# perhaps define derived types.
-allow xdm_t var_lib_t:dir { write search add_name remove_name  create unlink };
-allow xdm_t var_lib_t:file { create write unlink };
-
-lock_domain(xdm)
-
-# Connect to xfs.
-ifdef(`xfs.te', `
-allow xdm_t xfs_tmp_t:dir search;
-allow xdm_t xfs_tmp_t:sock_file write;
-can_unix_connect(xdm_t, xfs_t)
-')
-
-allow xdm_t self:process { setpgid setsched };
-allow xdm_t etc_t:lnk_file read;
-allow xdm_t etc_runtime_t:file { getattr read };
-
-# wdm has its own config dir /etc/X11/wdm
-# this is ugly, daemons should not create files under /etc!
-allow xdm_t xdm_rw_etc_t:dir rw_dir_perms;
-allow xdm_t xdm_rw_etc_t:file create_file_perms;
-
-# Signal any user domain.
-allow xdm_t userdomain:process signal_perms;
-
-allow xdm_t proc_t:file { getattr read };
-
-read_sysctl(xdm_t)
-
-# Search /proc for any user domain processes.
-allow xdm_t userdomain:dir r_dir_perms;
-allow xdm_t userdomain:{ file lnk_file } r_file_perms;
-
-# Allow xdm access to the user domains
-allow xdm_t home_root_t:dir search;
-allow xdm_xserver_t home_root_t:dir search;
-
-# Do not audit denied attempts to access devices.
-dontaudit xdm_t {removable_device_t fixed_disk_device_t}:{ chr_file blk_file } {setattr rw_file_perms};
-dontaudit xdm_t device_t:file_class_set rw_file_perms;
-dontaudit xdm_t misc_device_t:file_class_set rw_file_perms;
-dontaudit xdm_t removable_device_t:file_class_set rw_file_perms;
-dontaudit xdm_t scsi_generic_device_t:file_class_set rw_file_perms;
-dontaudit xdm_t devpts_t:dir search;
-
-# Do not audit denied probes of /proc.
-dontaudit xdm_t domain:dir r_dir_perms;
-dontaudit xdm_t domain:{ file lnk_file } r_file_perms;
-
-# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
-allow xdm_t usr_t:{ lnk_file file } { getattr read };
-
-# Read fonts
-read_fonts(xdm_t)
-
-# Do not audit attempts to write to index files under /usr
-dontaudit xdm_t usr_t:file write;
-
-# Do not audit access to /root
-dontaudit xdm_t sysadm_home_dir_t:dir { getattr search };
-
-# Do not audit user access to the X log files due to file handle inheritance
-dontaudit unpriv_userdomain xserver_log_t:file { write append };
-
-# Do not audit attempts to check whether user root has email
-dontaudit xdm_t { var_spool_t mail_spool_t }:dir search;
-dontaudit xdm_t mail_spool_t:file getattr;
-
-# Access sound device.
-allow xdm_t sound_device_t:chr_file { setattr getattr };
-
-# Allow setting of attributes on power management devices.
-allow xdm_t power_device_t:chr_file { getattr setattr };
-
-# Run the X server in a derived domain.
-xserver_domain(xdm)
-
-ifdef(`rhgb.te', `
-allow xdm_xserver_t ramfs_t:dir rw_dir_perms;
-allow xdm_xserver_t ramfs_t:file create_file_perms;
-allow rhgb_t xdm_xserver_t:process signal;
-')
-
-# Unrestricted inheritance.
-allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh };
-
-# Run xkbcomp.
-allow xdm_xserver_t var_lib_t:dir search;
-allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
-can_exec(xdm_xserver_t, xkb_var_lib_t)
-
-# Insert video drivers.  
-allow xdm_xserver_t self:capability mknod;
-allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
-domain_auto_trans(xdm_xserver_t, insmod_exec_t, insmod_t)
-allow insmod_t xserver_log_t:file write;
-allow insmod_t xdm_xserver_t:unix_stream_socket { read write };
-
-# Read /proc/dri/.*
-allow xdm_xserver_t proc_t:dir { search read };
-
-# Search /var/run.
-allow xdm_xserver_t var_run_t:dir search;
-
-# FIXME: After per user fonts are properly working
-# xdm_xserver_t may no longer have any reason
-# to read ROLE_home_t - examine this in more detail
-# (xauth?)
-
-# Search home directories.
-allow xdm_xserver_t user_home_type:dir search;
-allow xdm_xserver_t user_home_type:file { getattr read };
-
-if (use_nfs_home_dirs) {
-allow { xdm_t xdm_xserver_t } autofs_t:dir { search getattr };
-allow { xdm_t xdm_xserver_t } nfs_t:dir create_dir_perms;
-allow { xdm_t xdm_xserver_t } nfs_t:{file lnk_file} create_file_perms;
-can_exec(xdm_t, nfs_t)
-}
-
-if (use_samba_home_dirs) {
-allow { xdm_t xdm_xserver_t } cifs_t:dir create_dir_perms;
-allow { xdm_t xdm_xserver_t } cifs_t:{file lnk_file} create_file_perms;
-can_exec(xdm_t, cifs_t)
-}
-
-# for .dmrc
-allow xdm_t user_home_dir_type:dir { getattr search };
-allow xdm_t user_home_type:file { getattr read };
-
-ifdef(`support_polyinstatiation', `
-# xdm_t can polyinstantiate
-polyinstantiater(xdm_t)
-# xdm needs access for linking .X11-unix to poly /tmp
-allow xdm_t polymember:dir { add_name remove_name write };
-allow xdm_t polymember:lnk_file { create unlink };
-# xdm needs access for copying .Xauthority into new home
-allow xdm_t polymember:file { create getattr write };
-')
-
-allow xdm_t mnt_t:dir { getattr read search };
-#
-# Wants to delete .xsession-errors file
-#
-allow xdm_t user_home_type:file unlink;
-#
-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
-#
-ifdef(`pam.te', `
-allow xdm_t pam_var_run_t:dir create_dir_perms;
-allow xdm_t pam_var_run_t:file create_file_perms;
-allow pam_t xdm_t:fifo_file { getattr ioctl write };
-domain_auto_trans(xdm_t, pam_console_exec_t, pam_console_t)
-can_exec(xdm_t, pam_exec_t)
-# For pam_console
-rw_dir_create_file(xdm_t, pam_var_console_t)
-')
-
-# Pamconsole/alsa 
-ifdef(`alsa.te', `
-domain_auto_trans(xdm_t, alsa_exec_t, alsa_t)
-') dnl ifdef
-
-allow xdm_t var_log_t:file { getattr read };
-allow xdm_t self:capability { sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process setrlimit;
-allow xdm_t wtmp_t:file { getattr read };
-
-domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t)
-#
-# Poweroff wants to create the /poweroff file when run from xdm
-#
-file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)
-
-#
-# xdm tries to bind to biff_port_t
-#
-dontaudit xdm_t port_type:tcp_socket name_bind;
-
-# VNC v4 module in X server
-allow xdm_xserver_t vnc_port_t:tcp_socket name_bind; 
-ifdef(`crack.te', `
-allow xdm_t crack_db_t:file r_file_perms;
-')
-r_dir_file(xdm_t, selinux_config_t)
-
-# Run telinit->init to shutdown.
-can_exec(xdm_t, init_exec_t)
-allow xdm_t self:sem create_sem_perms;
-
-# Allow gdm to run gdm-binary
-can_exec(xdm_t, xdm_exec_t)
-
-# Supress permission check on .ICE-unix
-dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
-
-#### Also see xdm_macros.te
-ifdef(`use_mcs', `
-range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
-')
diff --git a/strict/domains/program/xfs.te b/strict/domains/program/xfs.te
deleted file mode 100644
index 04302cd..0000000
--- a/strict/domains/program/xfs.te
+++ /dev/null
@@ -1,49 +0,0 @@
-#DESC XFS - X Font Server
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: xfs
-#
-
-#################################
-#
-# Rules for the xfs_t domain.
-#
-# xfs_t is the domain of the X font server.
-# xfs_exec_t is the type of the xfs executable.
-#
-daemon_domain(xfs)
-
-# for /tmp/.font-unix/fs7100
-ifdef(`distro_debian', `
-type xfs_tmp_t, file_type, sysadmfile, tmpfile;
-allow xfs_t tmp_t:dir search;
-file_type_auto_trans(xfs_t, initrc_tmp_t, xfs_tmp_t, sock_file)
-', `
-tmp_domain(xfs, `', `{dir sock_file}')
-')
-
-allow xfs_t { etc_t etc_runtime_t }:file { getattr read };
-allow xfs_t proc_t:file { getattr read };
-
-allow xfs_t self:process setpgid;
-can_ypbind(xfs_t)
-
-# Use capabilities.
-allow xfs_t self:capability { setgid setuid };
-
-# Bind to /tmp/.font-unix/fs-1.
-allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
-allow xfs_t self:unix_stream_socket create_stream_socket_perms;
-allow xfs_t self:unix_dgram_socket create_socket_perms;
-
-# Read fonts
-read_fonts(xfs_t)
-
-# Unlink the xfs socket.
-allow initrc_t xfs_tmp_t:dir rw_dir_perms;
-allow initrc_t xfs_tmp_t:dir rmdir;
-allow initrc_t xfs_tmp_t:sock_file { read getattr unlink };
-allow initrc_t fonts_t:dir create_dir_perms;
-allow initrc_t fonts_t:file create_file_perms;
-
diff --git a/strict/domains/program/xserver.te b/strict/domains/program/xserver.te
deleted file mode 100644
index cc2c493..0000000
--- a/strict/domains/program/xserver.te
+++ /dev/null
@@ -1,20 +0,0 @@
-#DESC XServer - X Server
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
-# X-Debian-Packages: xserver-common xserver-xfree86
-#
-
-# Type for the executable used to start the X server, e.g. Xwrapper.
-type xserver_exec_t, file_type, sysadmfile, exec_type;
-
-# Type for the X server log file.
-type xserver_log_t, file_type, sysadmfile, logfile;
-
-# type for /var/lib/xkb
-type xkb_var_lib_t, file_type, sysadmfile, usercanread;
-typealias xkb_var_lib_t alias var_lib_xkb_t;
-
-# Everything else is in the xserver_domain macro in
-# macros/program/xserver_macros.te.
-
-allow initrc_t xserver_log_t:fifo_file { read write };
diff --git a/strict/domains/program/ypbind.te b/strict/domains/program/ypbind.te
deleted file mode 100644
index ed7c3f8..0000000
--- a/strict/domains/program/ypbind.te
+++ /dev/null
@@ -1,44 +0,0 @@
-#DESC Ypbind - NIS/YP
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: nis
-# Depends: portmap.te named.te
-#
-
-#################################
-#
-# Rules for the ypbind_t domain.
-#
-daemon_domain(ypbind)
-
-tmp_domain(ypbind)
-
-# Use capabilities.
-allow ypbind_t self:capability { net_bind_service };
-dontaudit ypbind_t self:capability net_admin;
-
-# Use the network.
-can_network(ypbind_t)
-allow ypbind_t port_type:tcp_socket name_connect;
-allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind;
-
-allow ypbind_t self:fifo_file rw_file_perms;
-
-read_sysctl(ypbind_t)
-
-# Send to portmap and initrc.
-can_udp_send(ypbind_t, portmap_t)
-can_udp_send(ypbind_t, initrc_t)
-
-# Read and write /var/yp.
-allow ypbind_t var_yp_t:dir rw_dir_perms;
-allow ypbind_t var_yp_t:file create_file_perms;
-allow initrc_t var_yp_t:dir { getattr read };
-allow ypbind_t etc_t:file { getattr read };
-allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
-allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
-allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
-dontaudit ypbind_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-can_udp_send(initrc_t, ypbind_t)
-
diff --git a/strict/domains/program/yppasswdd.te b/strict/domains/program/yppasswdd.te
deleted file mode 100644
index b7588a2..0000000
--- a/strict/domains/program/yppasswdd.te
+++ /dev/null
@@ -1,40 +0,0 @@
-#DESC yppassdd - NIS password update daemon
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com>
-# Depends: portmap.te
-#
-
-#################################
-#
-# Rules for the yppasswdd_t domain.
-#
-daemon_domain(yppasswdd, `, auth_write, privowner')
-
-# Use capabilities.
-allow yppasswdd_t self:capability { net_bind_service };
-
-# Use the network.
-can_network_server(yppasswdd_t)
-
-read_sysctl(yppasswdd_t)
-
-# Send to portmap and initrc.
-can_udp_send(yppasswdd_t, portmap_t)
-can_udp_send(yppasswdd_t, initrc_t)
-
-allow yppasswdd_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit yppasswdd_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow yppasswdd_t { etc_t etc_runtime_t }:file { getattr read };
-allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
-allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
-file_type_auto_trans(yppasswdd_t, etc_t, shadow_t, file)
-allow yppasswdd_t { etc_t shadow_t }:file { relabelfrom relabelto };
-can_setfscreate(yppasswdd_t)
-allow yppasswdd_t proc_t:file getattr;
-allow yppasswdd_t { bin_t sbin_t }:dir search;
-allow yppasswdd_t bin_t:lnk_file read;
-can_exec(yppasswdd_t, { bin_t shell_exec_t hostname_exec_t })
-allow yppasswdd_t self:fifo_file rw_file_perms;
-rw_dir_create_file(yppasswdd_t, var_yp_t)
diff --git a/strict/domains/program/ypserv.te b/strict/domains/program/ypserv.te
deleted file mode 100644
index 1ecc731..0000000
--- a/strict/domains/program/ypserv.te
+++ /dev/null
@@ -1,42 +0,0 @@
-#DESC Ypserv - NIS/YP
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com>
-# Depends: portmap.te
-#
-
-#################################
-#
-# Rules for the ypserv_t domain.
-#
-daemon_domain(ypserv)
-
-tmp_domain(ypserv)
-
-# Use capabilities.
-allow ypserv_t self:capability { net_bind_service };
-
-# Use the network.
-can_network_server(ypserv_t)
-
-allow ypserv_t self:fifo_file rw_file_perms;
-
-read_sysctl(ypserv_t)
-
-# Send to portmap and initrc.
-can_udp_send(ypserv_t, portmap_t)
-can_udp_send(ypserv_t, initrc_t)
-
-type ypserv_conf_t, file_type, sysadmfile;
-
-# Read and write /var/yp.
-allow ypserv_t var_yp_t:dir rw_dir_perms;
-allow ypserv_t var_yp_t:file create_file_perms;
-allow ypserv_t ypserv_conf_t:file { getattr read };
-allow ypserv_t self:unix_dgram_socket create_socket_perms;
-allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
-ifdef(`rpcd.te', `
-allow rpcd_t ypserv_conf_t:file { getattr read };
-')
-allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-can_exec(ypserv_t, bin_t)
diff --git a/strict/domains/program/zebra.te b/strict/domains/program/zebra.te
deleted file mode 100644
index 640c621..0000000
--- a/strict/domains/program/zebra.te
+++ /dev/null
@@ -1,32 +0,0 @@
-#DESC Zebra - BGP server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: zebra
-#
-
-daemon_domain(zebra, `, sysctl_net_writer')
-type zebra_conf_t, file_type, sysadmfile;
-r_dir_file({ initrc_t zebra_t }, zebra_conf_t)
-
-can_network_server(zebra_t)
-can_ypbind(zebra_t)
-allow zebra_t { etc_t etc_runtime_t }:file { getattr read };
-
-allow zebra_t self:process setcap;
-allow zebra_t self:capability { setgid setuid net_bind_service net_admin net_raw };
-file_type_auto_trans(zebra_t, var_run_t, zebra_var_run_t, sock_file)
-
-logdir_domain(zebra)
-
-# /tmp/.bgpd is such a bad idea!
-tmp_domain(zebra, `', sock_file)
-
-allow zebra_t self:unix_dgram_socket create_socket_perms;
-allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow zebra_t self:rawip_socket create_socket_perms;
-allow zebra_t self:netlink_route_socket r_netlink_socket_perms;
-allow zebra_t zebra_port_t:tcp_socket name_bind;
-
-allow zebra_t proc_t:file { getattr read };
-allow zebra_t { sysctl_t sysctl_net_t }:dir search;
-allow zebra_t sysctl_net_t:file rw_file_perms;
diff --git a/strict/domains/user.te b/strict/domains/user.te
deleted file mode 100644
index d86e5d4..0000000
--- a/strict/domains/user.te
+++ /dev/null
@@ -1,108 +0,0 @@
-#DESC User - Domains for ordinary users.
-#
-#################################
-
-# Booleans for user domains.
-
-# Allow applications to read untrusted content
-# If this is disallowed, Internet content has
-# to be manually relabeled for read access to be granted
-bool read_untrusted_content false;
-
-# Allow applications to write untrusted content
-# If this is disallowed, no Internet content
-# will be stored.
-bool write_untrusted_content false;
-
-# Allow users to read system messages.
-bool user_dmesg false;
-
-# Support NFS home directories
-bool use_nfs_home_dirs false;
-
-# Allow making anonymous memory executable, e.g. 
-# for runtime-code generation or executable stack.
-bool allow_execmem false;
-
-# Allow making the stack executable via mprotect.
-# Also requires allow_execmem.
-bool allow_execstack false;
-
-# Allow making a modified private file mapping executable (text relocation).
-bool allow_execmod false;
-
-# Support SAMBA home directories
-bool use_samba_home_dirs false;
-
-# Allow users to run TCP servers (bind to ports and accept connection from
-# the same domain and outside users)  disabling this forces FTP passive mode
-# and may change other protocols 
-bool user_tcp_server false;
-
-# Allow system to run with NIS
-bool allow_ypbind false;
-
-# Allow system to run with kerberos
-bool allow_kerberos false;
-
-# Allow users to rw usb devices
-bool user_rw_usb false;
-
-# Allow users to control network interfaces (also needs USERCTL=true)
-bool user_net_control false;
-
-# Allow regular users direct mouse access 
-bool user_direct_mouse false;
-
-# Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)
-bool user_rw_noexattrfile false;
-
-# Allow reading of default_t files.
-bool read_default_t false;
-
-# Allow staff_r users to search the sysadm home dir and read
-# files (such as ~/.bashrc)
-bool staff_read_sysadm_file false;
-
-
-full_user_role(user)
-
-ifdef(`user_canbe_sysadm', `
-reach_sysadm(user)
-role_tty_type_change(user, sysadm)
-')
-
-#  Do not add any rules referring to user_t to this file!  That will break
-#  support for multiple user roles.
-
-# a role for staff that allows seeing all domains and control over the user_t
-# domain
-full_user_role(staff)
-
-priv_user(staff)
-# if adding new user roles make sure you edit the in_user_role macro in
-# macros/user_macros.te to match
-
-# lots of user programs accidentally search /root, and also the admin often
-# logs in as UID=0 domain=user_t...
-dontaudit unpriv_userdomain { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-
-#
-# Allow the user roles to transition
-# into each other.
-role_tty_type_change(sysadm, user)
-role_tty_type_change(staff, sysadm)
-role_tty_type_change(sysadm, staff)
-role_tty_type_change(sysadm, secadm)
-role_tty_type_change(staff, secadm)
-
-# "ps aux" and "ls -l /dev/pts" make too much noise without this
-dontaudit unpriv_userdomain ptyfile:chr_file getattr;
-
-# to allow w to display everyone...
-bool user_ttyfile_stat false;
-
-if (user_ttyfile_stat) {
-allow userdomain ttyfile:chr_file getattr;
-}
-
diff --git a/strict/file_contexts/distros.fc b/strict/file_contexts/distros.fc
deleted file mode 100644
index 6024f6a..0000000
--- a/strict/file_contexts/distros.fc
+++ /dev/null
@@ -1,164 +0,0 @@
-ifdef(`distro_redhat', `
-/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t
-/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t
-/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t
-/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t
-/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t
-/usr/share/rhn/rhn_applet/needed-packages\.py	--	system_u:object_r:bin_t
-/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t
-/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t
-/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t
-/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t
-/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t
-/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t
-/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t
-/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t
-/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t
-/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t
-/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t
-/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t
-/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t
-/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t
-/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t
-/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t
-/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t
-/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t
-/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t
-/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t
-/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t
-/usr/share/switchdesk/switchdesk-gui\.py	--	system_u:object_r:bin_t
-/usr/share/system-config-network/neat-control\.py	--	system_u:object_r:bin_t
-/usr/share/system-config-nfs/nfs-export\.py	--	system_u:object_r:bin_t
-/usr/share/pydict/pydict\.py	--	system_u:object_r:bin_t
-/usr/share/cvs/contrib/rcs2log	--	system_u:object_r:bin_t
-/usr/share/pwlib/make/ptlib-config --	system_u:object_r:bin_t
-/usr/share/texmf/web2c/mktexdir	--	system_u:object_r:bin_t
-/usr/share/texmf/web2c/mktexnam	--	system_u:object_r:bin_t
-/usr/share/texmf/web2c/mktexupd	--	system_u:object_r:bin_t
-/etc/rhgb(/.*)?		-d		system_u:object_r:mnt_t
-/usr/share/ssl/misc(/.*)?		system_u:object_r:bin_t
-#
-# /emul/ia32-linux/usr
-#
-/emul(/.*)?				system_u:object_r:usr_t
-/emul/ia32-linux/usr(/.*)?/lib(/.*)?		system_u:object_r:lib_t
-/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t
-/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
-/emul/ia32-linux/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t
-/emul/ia32-linux/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t
-/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
-/emul/ia32-linux/usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t
-/emul/ia32-linux/usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t
-/emul/ia32-linux/usr(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t
-/emul/ia32-linux/usr/libexec(/.*)?		system_u:object_r:bin_t
-# /emul/ia32-linux/lib
-/emul/ia32-linux/lib(/.*)?					system_u:object_r:lib_t
-/emul/ia32-linux/lib/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t
-/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t
-# /emul/ia32-linux/bin
-/emul/ia32-linux/bin(/.*)?			system_u:object_r:bin_t
-# /emul/ia32-linux/sbin
-/emul/ia32-linux/sbin(/.*)?			system_u:object_r:sbin_t
-
-ifdef(`dbusd.te', `', `
-/var/run/dbus(/.*)?            system_u:object_r:system_dbusd_var_run_t
-')
-
-# The following are libraries with text relocations in need of execmod permissions
-# Some of them should be fixed and removed from this list
-
-# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
-# 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
-/usr/lib/gstreamer-.*/libgstffmpeg\.so.*  -- system_u:object_r:texrel_shlib_t
-/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/gstreamer-.*/libgstmms\.so 	 -- system_u:object_r:texrel_shlib_t
-/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 		-- system_u:object_r:texrel_shlib_t
-/usr/lib/libg\+\+\.so\.2\.7\.2\.8		-- system_u:object_r:texrel_shlib_t
-/usr/lib/libglide3\.so.* 			-- system_u:object_r:texrel_shlib_t
-/usr/lib/libdv\.so.* 				-- system_u:object_r:texrel_shlib_t
-/usr/lib/helix/plugins/oggfformat\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/helix/plugins/theorarend\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/helix/plugins/vorbisrend\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/helix/codecs/colorcvt\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/helix/codecs/cvt1\.so			-- system_u:object_r:texrel_shlib_t
-/usr/lib/libSDL-.*\.so.*			-- system_u:object_r:texrel_shlib_t
-/usr/X11R6/lib/modules/dri/.*\.so		-- system_u:object_r:texrel_shlib_t
-/usr/X11R6/lib/libOSMesa\.so.*			-- system_u:object_r:texrel_shlib_t
-/usr/X11R6/lib/libfglrx_gamma\.so.* 		--  system_u:object_r:texrel_shlib_t
-/usr/lib/libHermes\.so.*			-- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/hp2ps				-- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/stage2			-- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vg.*\.so			-- system_u:object_r:texrel_shlib_t
-/usr/lib/.*/libxpcom_core.so			-- system_u:object_r:texrel_shlib_t
-/usr/lib/.*/program(/.*)?			system_u:object_r:bin_t
-/usr/lib/.*/program/.*\.so.*			system_u:object_r:shlib_t
-/usr/lib/.*/program/libicudata\.so.*		-- system_u:object_r:texrel_shlib_t
-/usr/lib/.*/program/libsts645li\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/.*/program/libvclplug_gen645li\.so	-- system_u:object_r:texrel_shlib_t
-/usr/lib/.*/program/libwrp645li\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/.*/program/libswd680li\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib(64)?/.*/program/librecentfile\.so 	--  system_u:object_r:texrel_shlib_t
-/usr/lib(64)?/.*/program/libsvx680li\.so	--  system_u:object_r:texrel_shlib_t
-/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so  	--  system_u:object_r:texrel_shlib_t
-/usr/lib(64)?/.*/program/libsoffice\.so  	--  system_u:object_r:texrel_shlib_t
-
-# Fedora Extras packages: ladspa, imlib2, ocaml
-/usr/lib/ladspa/analogue_osc_1416\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/bandpass_a_iir_1893\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/bandpass_iir_1892\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/butterworth_1902\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/fm_osc_1415\.so			-- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/gsm_1215\.so			-- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/gverb_1216\.so			-- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/hermes_filter_1200\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/highpass_iir_1890\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/lowpass_iir_1891\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/notch_iir_1894\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/pitch_scale_1193\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/pitch_scale_1194\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/sc1_1425\.so			-- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/sc2_1426\.so			-- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/sc3_1427\.so			-- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/sc4_1882\.so			-- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/se4_1883\.so			-- system_u:object_r:texrel_shlib_t
-/usr/lib/libImlib2\.so.* 			-- system_u:object_r:texrel_shlib_t
-/usr/lib/ocaml/stublibs/dllnums\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/httpd/modules/libphp5\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/php/modules/.*\.so			-- system_u:object_r:texrel_shlib_t
-
-# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-/usr/lib/xmms/Input/libmpg123\.so		-- system_u:object_r:texrel_shlib_t
-/usr/lib/libpostproc\.so.*			-- system_u:object_r:texrel_shlib_t
-/usr/lib/libavformat-.*\.so			-- system_u:object_r:texrel_shlib_t
-/usr/lib/libavcodec-.*\.so			-- system_u:object_r:texrel_shlib_t
-/usr/lib/libxvidcore\.so.*			-- system_u:object_r:texrel_shlib_t
-/usr/lib/xine/plugins/.*\.so			-- system_u:object_r:texrel_shlib_t
-/usr/lib/libgsm\.so.*				-- system_u:object_r:texrel_shlib_t
-/usr/lib/libmp3lame\.so.*			-- system_u:object_r:texrel_shlib_t
-
-# Flash plugin, Macromedia
-HOME_DIR/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t
-/usr/lib/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t
-
-# Jai, Sun Microsystems (Jpackage SPRM)
-/usr/lib/libmlib_jai\.so			-- system_u:object_r:texrel_shlib_t
-/usr/lib/libdivxdecore.so.0			-- system_u:object_r:texrel_shlib_t
-/usr/lib/libdivxencore.so.0			-- system_u:object_r:texrel_shlib_t
-
-# Java, Sun Microsystems (JPackage SRPM)
-/usr/.*/jre/lib/i386/libdeploy.so		-- system_u:object_r:texrel_shlib_t
-
-/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api	-- system_u:object_r:shlib_t
-/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api	-- system_u:object_r:texrel_shlib_t
-/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api	-- system_u:object_r:texrel_shlib_t
-/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl  --  system_u:object_r:texrel_shlib_t
-')
-
-ifdef(`distro_suse', `
-/var/lib/samba/bin/.+					system_u:object_r:bin_t
-/var/lib/samba/bin/.*\.so(\.[^/]*)*		-l	system_u:object_r:lib_t
-/usr/lib/samba/classic/.*			--	system_u:object_r:bin_t
-/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
-/success					--	system_u:object_r:etc_runtime_t
-/etc/defkeymap\.map				--	system_u:object_r:etc_runtime_t
-')
diff --git a/strict/file_contexts/program/NetworkManager.fc b/strict/file_contexts/program/NetworkManager.fc
deleted file mode 100644
index 99ea03d..0000000
--- a/strict/file_contexts/program/NetworkManager.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# NetworkManager 
-/usr/bin/NetworkManager	--	system_u:object_r:NetworkManager_exec_t
diff --git a/strict/file_contexts/program/acct.fc b/strict/file_contexts/program/acct.fc
deleted file mode 100644
index 7616d8b..0000000
--- a/strict/file_contexts/program/acct.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# berkeley process accounting
-/sbin/accton	--	system_u:object_r:acct_exec_t
-/usr/sbin/accton	--	system_u:object_r:acct_exec_t
-/var/account(/.*)?		system_u:object_r:acct_data_t
-/etc/cron\.(daily|monthly)/acct -- system_u:object_r:acct_exec_t
diff --git a/strict/file_contexts/program/afs.fc b/strict/file_contexts/program/afs.fc
deleted file mode 100644
index fb49f33..0000000
--- a/strict/file_contexts/program/afs.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-# afs
-/usr/afs/bin/bosserver	--	system_u:object_r:afs_bosserver_exec_t
-/usr/afs/bin/kaserver	--	system_u:object_r:afs_kaserver_exec_t
-/usr/afs/bin/vlserver	--	system_u:object_r:afs_vlserver_exec_t
-/usr/afs/bin/ptserver	--	system_u:object_r:afs_ptserver_exec_t
-/usr/afs/bin/fileserver	--	system_u:object_r:afs_fsserver_exec_t
-/usr/afs/bin/volserver	--	system_u:object_r:afs_fsserver_exec_t
-/usr/afs/bin/salvager	--	system_u:object_r:afs_fsserver_exec_t
-
-/usr/afs/logs(/.*)?		system_u:object_r:afs_logfile_t
-/usr/afs/etc(/.*)?		system_u:object_r:afs_config_t		
-/usr/afs/local(/.*)?		system_u:object_r:afs_config_t
-/usr/afs/db		-d	system_u:object_r:afs_dbdir_t
-/usr/afs/db/pr.*	--	system_u:object_r:afs_pt_db_t
-/usr/afs/db/ka.*	--	system_u:object_r:afs_ka_db_t
-/usr/afs/db/vl.*	--	system_u:object_r:afs_vl_db_t
-
-/vicepa				system_u:object_r:afs_files_t
-/vicepb				system_u:object_r:afs_files_t
-/vicepc				system_u:object_r:afs_files_t
diff --git a/strict/file_contexts/program/alsa.fc b/strict/file_contexts/program/alsa.fc
deleted file mode 100644
index 837b071..0000000
--- a/strict/file_contexts/program/alsa.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-#DESC       ainit - configuration tool for ALSA
-/usr/bin/ainit 			-- system_u:object_r:alsa_exec_t
-/etc/alsa/pcm(/.*)? 		 system_u:object_r:alsa_etc_rw_t
diff --git a/strict/file_contexts/program/amanda.fc b/strict/file_contexts/program/amanda.fc
deleted file mode 100644
index 09dd2fe..0000000
--- a/strict/file_contexts/program/amanda.fc
+++ /dev/null
@@ -1,70 +0,0 @@
-#
-# Author:  Carsten Grohmann <carstengrohmann@gmx.de>
-#
-
-# amanda
-/etc/amanda(/.*)?			system_u:object_r:amanda_config_t
-/etc/amanda/.*/tapelist(/.*)?		system_u:object_r:amanda_data_t
-/etc/amandates				system_u:object_r:amanda_amandates_t
-/etc/dumpdates				system_u:object_r:amanda_dumpdates_t
-/root/restore			-d	system_u:object_r:amanda_recover_dir_t
-/tmp/amanda(/.*)?			system_u:object_r:amanda_tmp_t
-/usr/lib(64)?/amanda			-d	system_u:object_r:amanda_usr_lib_t
-/usr/lib(64)?/amanda/amandad		--	system_u:object_r:amanda_inetd_exec_t
-/usr/lib(64)?/amanda/amcat\.awk	--	system_u:object_r:amanda_script_exec_t
-/usr/lib(64)?/amanda/amcleanupdisk	--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/amidxtaped	--	system_u:object_r:amanda_inetd_exec_t
-/usr/lib(64)?/amanda/amindexd	--	system_u:object_r:amanda_inetd_exec_t
-/usr/lib(64)?/amanda/amlogroll	--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/amplot\.awk	--	system_u:object_r:amanda_script_exec_t
-/usr/lib(64)?/amanda/amplot\.g	--	system_u:object_r:amanda_script_exec_t
-/usr/lib(64)?/amanda/amplot\.gp	--	system_u:object_r:amanda_script_exec_t
-/usr/lib(64)?/amanda/amtrmidx	--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/amtrmlog	--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/calcsize	--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/chg-chio	--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/chg-chs		--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/chg-manual	--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/chg-mtx		--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/chg-multi	--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/chg-rth		--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/chg-scsi	--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/chg-zd-mtx	--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/driver		--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/dumper		--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/killpgrp	--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/patch-system	--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/planner		--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/rundump		--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/runtar		--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/selfcheck	--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/sendbackup	--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/sendsize	--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/taper		--	system_u:object_r:amanda_exec_t
-/usr/lib(64)?/amanda/versionsuffix	--	system_u:object_r:amanda_exec_t
-/usr/sbin/amadmin		--	system_u:object_r:amanda_user_exec_t
-/usr/sbin/amcheck		--	system_u:object_r:amanda_user_exec_t
-/usr/sbin/amcheckdb		--	system_u:object_r:amanda_user_exec_t
-/usr/sbin/amcleanup		--	system_u:object_r:amanda_user_exec_t
-/usr/sbin/amdump		--	system_u:object_r:amanda_user_exec_t
-/usr/sbin/amflush		--	system_u:object_r:amanda_user_exec_t
-/usr/sbin/amgetconf		--	system_u:object_r:amanda_user_exec_t
-/usr/sbin/amlabel		--	system_u:object_r:amanda_user_exec_t
-/usr/sbin/amoverview		--	system_u:object_r:amanda_user_exec_t
-/usr/sbin/amplot		--	system_u:object_r:amanda_user_exec_t
-/usr/sbin/amrecover		--	system_u:object_r:amanda_recover_exec_t
-/usr/sbin/amreport		--	system_u:object_r:amanda_user_exec_t
-/usr/sbin/amrestore		--	system_u:object_r:amanda_user_exec_t
-/usr/sbin/amrmtape		--	system_u:object_r:amanda_user_exec_t
-/usr/sbin/amstatus		--	system_u:object_r:amanda_user_exec_t
-/usr/sbin/amtape		--	system_u:object_r:amanda_user_exec_t
-/usr/sbin/amtoc			--	system_u:object_r:amanda_user_exec_t
-/usr/sbin/amverify		--	system_u:object_r:amanda_user_exec_t
-/var/lib/amanda			-d	system_u:object_r:amanda_var_lib_t
-/var/lib/amanda/\.amandahosts	--	system_u:object_r:amanda_config_t
-/var/lib/amanda/\.bashrc	--	system_u:object_r:amanda_shellconfig_t
-/var/lib/amanda/\.profile	--	system_u:object_r:amanda_shellconfig_t
-/var/lib/amanda/disklist	--	system_u:object_r:amanda_data_t
-/var/lib/amanda/gnutar-lists(/.*)?	system_u:object_r:amanda_gnutarlists_t
-/var/lib/amanda/index			system_u:object_r:amanda_data_t
-/var/log/amanda(/.*)?			system_u:object_r:amanda_log_t
diff --git a/strict/file_contexts/program/amavis.fc b/strict/file_contexts/program/amavis.fc
deleted file mode 100644
index 366da33..0000000
--- a/strict/file_contexts/program/amavis.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# amavis
-/usr/sbin/amavisd.*		--	system_u:object_r:amavisd_exec_t
-/etc/amavisd\.conf		--	system_u:object_r:amavisd_etc_t
-/var/log/amavisd\.log 		--	system_u:object_r:amavisd_log_t
-/var/lib/amavis(/.*)?	 		system_u:object_r:amavisd_lib_t
-/var/run/amavis(/.*)?	 		system_u:object_r:amavisd_var_run_t
-/var/amavis(/.*)?	 		system_u:object_r:amavisd_lib_t
-/var/virusmails(/.*)?	 		system_u:object_r:amavisd_quarantine_t
diff --git a/strict/file_contexts/program/anaconda.fc b/strict/file_contexts/program/anaconda.fc
deleted file mode 100644
index a0cbc0e..0000000
--- a/strict/file_contexts/program/anaconda.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# Anaconda file context
-# currently anaconda does not have any file context since it is started during install
-# This is a placeholder to stop makefile from complaining
-#
diff --git a/strict/file_contexts/program/apache.fc b/strict/file_contexts/program/apache.fc
deleted file mode 100644
index 96c5b3a..0000000
--- a/strict/file_contexts/program/apache.fc
+++ /dev/null
@@ -1,58 +0,0 @@
-# apache
-HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t
-/var/www(/.*)?			system_u:object_r:httpd_sys_content_t
-/srv/([^/]*/)?www(/.*)?		system_u:object_r:httpd_sys_content_t
-/var/www/cgi-bin(/.*)?		system_u:object_r:httpd_sys_script_exec_t
-/usr/lib/cgi-bin(/.*)?		system_u:object_r:httpd_sys_script_exec_t
-/var/www/perl(/.*)?		system_u:object_r:httpd_sys_script_exec_t
-/var/www/icons(/.*)?		system_u:object_r:httpd_sys_content_t
-/var/cache/httpd(/.*)?		system_u:object_r:httpd_cache_t
-/var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t
-/var/cache/php-mmcache(/.*)?	system_u:object_r:httpd_cache_t
-/etc/httpd		-d	system_u:object_r:httpd_config_t
-/etc/httpd/conf.*		system_u:object_r:httpd_config_t
-/etc/httpd/logs			system_u:object_r:httpd_log_t
-/etc/httpd/modules		system_u:object_r:httpd_modules_t
-/etc/apache(2)?(/.*)?		system_u:object_r:httpd_config_t
-/etc/vhosts		--	system_u:object_r:httpd_config_t
-/usr/lib(64)?/apache(/.*)?		system_u:object_r:httpd_modules_t
-/usr/lib(64)?/apache2/modules(/.*)?	system_u:object_r:httpd_modules_t
-/usr/lib(64)?/httpd(/.*)?		system_u:object_r:httpd_modules_t
-/usr/sbin/httpd(\.worker)?	--	system_u:object_r:httpd_exec_t
-/usr/sbin/apache(2)?	--	system_u:object_r:httpd_exec_t
-/usr/sbin/suexec	--	system_u:object_r:httpd_suexec_exec_t
-/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- system_u:object_r:httpd_suexec_exec_t
-/usr/lib(64)?/apache(2)?/suexec(2)? -- system_u:object_r:httpd_suexec_exec_t
-/var/log/httpd(/.*)?		system_u:object_r:httpd_log_t
-/var/log/apache(2)?(/.*)?	system_u:object_r:httpd_log_t
-/var/log/cgiwrap\.log.*	--	system_u:object_r:httpd_log_t
-/var/cache/ssl.*\.sem	--	system_u:object_r:httpd_cache_t
-/var/cache/mod_ssl(/.*)?	system_u:object_r:httpd_cache_t
-/var/run/apache.*		system_u:object_r:httpd_var_run_t
-/var/lib/httpd(/.*)?		system_u:object_r:httpd_var_lib_t
-/var/lib/php/session(/.*)?	system_u:object_r:httpd_var_run_t
-/etc/apache-ssl(2)?(/.*)?	system_u:object_r:httpd_config_t
-/usr/lib/apache-ssl/.+	 --	system_u:object_r:httpd_exec_t
-/usr/sbin/apache-ssl(2)? --	system_u:object_r:httpd_exec_t
-/var/log/apache-ssl(2)?(/.*)?	system_u:object_r:httpd_log_t
-/var/run/gcache_port	-s	system_u:object_r:httpd_var_run_t
-ifdef(`distro_debian', `
-/var/log/horde2(/.*)?		system_u:object_r:httpd_log_t
-')
-ifdef(`distro_suse', `
-# suse puts shell scripts there :-(
-/usr/share/apache2/[^/]*	--	system_u:object_r:bin_t
-/usr/sbin/httpd2-.*		--	system_u:object_r:httpd_exec_t
-')
-/var/lib/squirrelmail/prefs(/.*)?	system_u:object_r:httpd_squirrelmail_t
-/var/spool/squirrelmail(/.*)?	system_u:object_r:squirrelmail_spool_t
-/usr/bin/htsslpass --	system_u:object_r:httpd_helper_exec_t
-/usr/share/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
-/var/lib/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
-/etc/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
-/var/spool/gosa(/.*)?		system_u:object_r:httpd_sys_script_rw_t
-ifdef(`targeted_policy', `', `
-/var/spool/cron/apache		-- 	system_u:object_r:user_cron_spool_t
-')
-/usr/sbin/apachectl		-- 	system_u:object_r:initrc_exec_t
-
diff --git a/strict/file_contexts/program/apmd.fc b/strict/file_contexts/program/apmd.fc
deleted file mode 100644
index 9e6ce0d..0000000
--- a/strict/file_contexts/program/apmd.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-# apmd
-/usr/sbin/apmd		--	system_u:object_r:apmd_exec_t
-/usr/sbin/acpid		--	system_u:object_r:apmd_exec_t
-/usr/sbin/powersaved	--	system_u:object_r:apmd_exec_t
-/usr/bin/apm		--	system_u:object_r:apm_exec_t
-/var/run/apmd\.pid	--	system_u:object_r:apmd_var_run_t
-/var/run/\.?acpid\.socket	-s	system_u:object_r:apmd_var_run_t
-/var/run/powersaved\.pid	--	system_u:object_r:apmd_var_run_t
-/var/run/powersave_socket	-s	system_u:object_r:apmd_var_run_t
-/var/log/acpid		--	system_u:object_r:apmd_log_t
-ifdef(`distro_suse', `
-/var/lib/acpi(/.*)?		system_u:object_r:apmd_var_lib_t
-')
-
diff --git a/strict/file_contexts/program/arpwatch.fc b/strict/file_contexts/program/arpwatch.fc
deleted file mode 100644
index 5b2aa5a..0000000
--- a/strict/file_contexts/program/arpwatch.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# arpwatch - keep track of ethernet/ip address pairings
-/usr/sbin/arpwatch	--	system_u:object_r:arpwatch_exec_t
-/var/arpwatch(/.*)?		system_u:object_r:arpwatch_data_t
-/var/lib/arpwatch(/.*)?		system_u:object_r:arpwatch_data_t
diff --git a/strict/file_contexts/program/asterisk.fc b/strict/file_contexts/program/asterisk.fc
deleted file mode 100644
index 6f4eb4b..0000000
--- a/strict/file_contexts/program/asterisk.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# asterisk
-/usr/sbin/asterisk	--	system_u:object_r:asterisk_exec_t
-/var/run/asterisk(/.*)?		system_u:object_r:asterisk_var_run_t
-/etc/asterisk(/.*)?		system_u:object_r:asterisk_etc_t
-/var/log/asterisk(/.*)?		system_u:object_r:asterisk_log_t
-/var/lib/asterisk(/.*)?		system_u:object_r:asterisk_var_lib_t
-/var/spool/asterisk(/.*)?	system_u:object_r:asterisk_spool_t
diff --git a/strict/file_contexts/program/audio-entropyd.fc b/strict/file_contexts/program/audio-entropyd.fc
deleted file mode 100644
index a8f616a..0000000
--- a/strict/file_contexts/program/audio-entropyd.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/audio-entropyd	--	system_u:object_r:entropyd_exec_t
diff --git a/strict/file_contexts/program/auditd.fc b/strict/file_contexts/program/auditd.fc
deleted file mode 100644
index a87077b..0000000
--- a/strict/file_contexts/program/auditd.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# auditd
-/sbin/auditctl		--	system_u:object_r:auditctl_exec_t
-/sbin/auditd		--	system_u:object_r:auditd_exec_t
-/var/log/audit.log 	-- 	system_u:object_r:auditd_log_t
-/var/log/audit(/.*)?  	 	system_u:object_r:auditd_log_t
-/etc/auditd.conf	--	system_u:object_r:auditd_etc_t
-/etc/audit.rules	--	system_u:object_r:auditd_etc_t
-
diff --git a/strict/file_contexts/program/authbind.fc b/strict/file_contexts/program/authbind.fc
deleted file mode 100644
index 9fed63e..0000000
--- a/strict/file_contexts/program/authbind.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# authbind
-/etc/authbind(/.*)?		system_u:object_r:authbind_etc_t
-/usr/lib(64)?/authbind/helper --	system_u:object_r:authbind_exec_t
diff --git a/strict/file_contexts/program/automount.fc b/strict/file_contexts/program/automount.fc
deleted file mode 100644
index f7b56f7..0000000
--- a/strict/file_contexts/program/automount.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# automount
-/usr/sbin/automount	--	system_u:object_r:automount_exec_t
-/etc/apm/event\.d/autofs --	system_u:object_r:automount_exec_t
-/var/run/autofs(/.*)?		system_u:object_r:automount_var_run_t
-/etc/auto\..+		--	system_u:object_r:automount_etc_t
diff --git a/strict/file_contexts/program/backup.fc b/strict/file_contexts/program/backup.fc
deleted file mode 100644
index ed82809..0000000
--- a/strict/file_contexts/program/backup.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# backup
-# label programs that do backups to other files on disk (IE a cron job that
-# calls tar) in backup_exec_t and label the directory for storing them as
-# backup_store_t, Debian uses /var/backups
-#/usr/local/bin/backup-script -- system_u:object_r:backup_exec_t
-/var/backups(/.*)?		system_u:object_r:backup_store_t
diff --git a/strict/file_contexts/program/bluetooth.fc b/strict/file_contexts/program/bluetooth.fc
deleted file mode 100644
index da6b056..0000000
--- a/strict/file_contexts/program/bluetooth.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# bluetooth
-/etc/bluetooth(/.*)?		system_u:object_r:bluetooth_conf_t
-/etc/bluetooth/link_key		system_u:object_r:bluetooth_conf_rw_t
-/usr/bin/rfcomm		--	system_u:object_r:bluetooth_exec_t
-/usr/sbin/hcid		--	system_u:object_r:bluetooth_exec_t
-/usr/sbin/sdpd		--	system_u:object_r:bluetooth_exec_t
-/usr/sbin/hciattach	--	system_u:object_r:bluetooth_exec_t
-/var/run/sdp		-s	system_u:object_r:bluetooth_var_run_t
-/usr/sbin/hid2hci	--	system_u:object_r:bluetooth_exec_t
-/usr/bin/blue.*pin	--	system_u:object_r:bluetooth_helper_exec_t
-/var/lib/bluetooth(/.*)?	system_u:object_r:bluetooth_var_lib_t
diff --git a/strict/file_contexts/program/bonobo.fc b/strict/file_contexts/program/bonobo.fc
deleted file mode 100644
index 9c27b25..0000000
--- a/strict/file_contexts/program/bonobo.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/libexec/bonobo-activation-server	--	system_u:object_r:bonobo_exec_t
diff --git a/strict/file_contexts/program/bootloader.fc b/strict/file_contexts/program/bootloader.fc
deleted file mode 100644
index 90f8e85..0000000
--- a/strict/file_contexts/program/bootloader.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# bootloader
-/etc/lilo\.conf.*	--	system_u:object_r:bootloader_etc_t
-/initrd\.img.*		-l	system_u:object_r:boot_t
-/sbin/lilo.*		--	system_u:object_r:bootloader_exec_t
-/sbin/grub.*		--	system_u:object_r:bootloader_exec_t
-/vmlinuz.*		-l	system_u:object_r:boot_t
-/usr/sbin/mkinitrd	--	system_u:object_r:bootloader_exec_t
-/sbin/mkinitrd		--	system_u:object_r:bootloader_exec_t
-/etc/mkinitrd/scripts/.* --	system_u:object_r:bootloader_exec_t
-/sbin/ybin.*		--	system_u:object_r:bootloader_exec_t
-/etc/yaboot\.conf.*	--	system_u:object_r:bootloader_etc_t
diff --git a/strict/file_contexts/program/calamaris.fc b/strict/file_contexts/program/calamaris.fc
deleted file mode 100644
index 36d8c87..0000000
--- a/strict/file_contexts/program/calamaris.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# squid
-/etc/cron\.daily/calamaris --	system_u:object_r:calamaris_exec_t
-/var/www/calamaris(/.*)?	system_u:object_r:calamaris_www_t
-/var/log/calamaris(/.*)?	system_u:object_r:calamaris_log_t
diff --git a/strict/file_contexts/program/canna.fc b/strict/file_contexts/program/canna.fc
deleted file mode 100644
index 4b207a8..0000000
--- a/strict/file_contexts/program/canna.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# canna.fc
-/usr/sbin/cannaserver	--	system_u:object_r:canna_exec_t
-/usr/sbin/jserver	--	system_u:object_r:canna_exec_t
-/usr/bin/cannaping	--	system_u:object_r:canna_exec_t
-/usr/bin/catdic		--	system_u:object_r:canna_exec_t
-/var/log/canna(/.*)?		system_u:object_r:canna_log_t
-/var/log/wnn(/.*)?		system_u:object_r:canna_log_t
-/var/lib/canna/dic(/.*)?	system_u:object_r:canna_var_lib_t
-/var/lib/wnn/dic(/.*)?	system_u:object_r:canna_var_lib_t
-/var/run/\.iroha_unix	-d	system_u:object_r:canna_var_run_t
-/var/run/\.iroha_unix/.* -s	system_u:object_r:canna_var_run_t
-/var/run/wnn-unix(/.*)		system_u:object_r:canna_var_run_t
diff --git a/strict/file_contexts/program/cardmgr.fc b/strict/file_contexts/program/cardmgr.fc
deleted file mode 100644
index 2e4b109..0000000
--- a/strict/file_contexts/program/cardmgr.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# cardmgr
-/sbin/cardmgr		--	system_u:object_r:cardmgr_exec_t
-/sbin/cardctl		--	system_u:object_r:cardctl_exec_t
-/var/run/stab		--	system_u:object_r:cardmgr_var_run_t
-/var/run/cardmgr\.pid	--	system_u:object_r:cardmgr_var_run_t
-/etc/apm/event\.d/pcmcia --	system_u:object_r:cardmgr_exec_t
-/var/lib/pcmcia(/.*)?		system_u:object_r:cardmgr_var_run_t
diff --git a/strict/file_contexts/program/cdrecord.fc b/strict/file_contexts/program/cdrecord.fc
deleted file mode 100644
index d03d3bc..0000000
--- a/strict/file_contexts/program/cdrecord.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# cdrecord
-/usr/bin/cdrecord	--	system_u:object_r:cdrecord_exec_t
-
diff --git a/strict/file_contexts/program/certwatch.fc b/strict/file_contexts/program/certwatch.fc
deleted file mode 100644
index 20bb8ca..0000000
--- a/strict/file_contexts/program/certwatch.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# certwatch.fc
-/usr/bin/certwatch	-- system_u:object_r:certwatch_exec_t
-
diff --git a/strict/file_contexts/program/checkpolicy.fc b/strict/file_contexts/program/checkpolicy.fc
deleted file mode 100644
index 8c0c732..0000000
--- a/strict/file_contexts/program/checkpolicy.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# checkpolicy
-/usr/bin/checkpolicy		--	system_u:object_r:checkpolicy_exec_t
diff --git a/strict/file_contexts/program/chkpwd.fc b/strict/file_contexts/program/chkpwd.fc
deleted file mode 100644
index 444e3e5..0000000
--- a/strict/file_contexts/program/chkpwd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# chkpwd
-/sbin/unix_chkpwd	--	system_u:object_r:chkpwd_exec_t
-/sbin/unix_verify	--	system_u:object_r:chkpwd_exec_t
-ifdef(`distro_suse', `
-/sbin/unix2_chkpwd	--	system_u:object_r:chkpwd_exec_t
-')
diff --git a/strict/file_contexts/program/chroot.fc b/strict/file_contexts/program/chroot.fc
deleted file mode 100644
index aa61acc..0000000
--- a/strict/file_contexts/program/chroot.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/chroot	--	system_u:object_r:chroot_exec_t
diff --git a/strict/file_contexts/program/ciped.fc b/strict/file_contexts/program/ciped.fc
deleted file mode 100644
index e3a12a1..0000000
--- a/strict/file_contexts/program/ciped.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/ciped.*	--	system_u:object_r:ciped_exec_t
-/etc/cipe/ip-up.*	--	system_u:object_r:bin_t
-/etc/cipe/ip-down.*	--	system_u:object_r:bin_t
diff --git a/strict/file_contexts/program/clamav.fc b/strict/file_contexts/program/clamav.fc
deleted file mode 100644
index 90c898c..0000000
--- a/strict/file_contexts/program/clamav.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-# clamscan
-/usr/bin/clamscan	--	system_u:object_r:clamscan_exec_t
-/usr/bin/freshclam	--	system_u:object_r:freshclam_exec_t
-/usr/sbin/clamav-freshclam-handledaemon	-- system_u:object_r:freshclam_exec_t
-/usr/sbin/clamd		--	system_u:object_r:clamd_exec_t
-/var/lib/clamav(/.*)?		system_u:object_r:clamav_var_lib_t
-/var/log/clam-update\.log --	system_u:object_r:freshclam_log_t
-/var/log/clamav-freshclam\.log.* -- system_u:object_r:freshclam_log_t
-/var/log/clamav(/.*)?			system_u:object_r:freshclam_log_t
-/var/log/clamav/clamd\.log.*     --	system_u:object_r:clamd_log_t
-/var/log/clamav/freshclam\.log.* --	system_u:object_r:freshclam_log_t
-/var/run/clamd\.ctl	-s	system_u:object_r:clamd_sock_t
-/var/run/clamd\.pid	--	system_u:object_r:clamd_var_run_t
-/var/run/clamav(/.*)?		system_u:object_r:clamd_var_run_t
-/var/run/clamav/clamd\.sock -s	system_u:object_r:clamd_sock_t
diff --git a/strict/file_contexts/program/clockspeed.fc b/strict/file_contexts/program/clockspeed.fc
deleted file mode 100644
index e00cd56..0000000
--- a/strict/file_contexts/program/clockspeed.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# clockspeed
-/usr/bin/clockspeed	--	system_u:object_r:clockspeed_exec_t
-/usr/bin/clockadd	--	system_u:object_r:clockspeed_exec_t
-/usr/bin/clockview	--	system_u:object_r:clockspeed_exec_t
-/usr/bin/sntpclock	--	system_u:object_r:clockspeed_exec_t
-/usr/bin/taiclock	--	system_u:object_r:clockspeed_exec_t
-/usr/bin/taiclockd	--	system_u:object_r:clockspeed_exec_t
-/usr/sbin/ntpclockset	--	system_u:object_r:clockspeed_exec_t
-
-/var/lib/clockspeed(/.*)?	system_u:object_r:clockspeed_var_lib_t
-
diff --git a/strict/file_contexts/program/compat.fc b/strict/file_contexts/program/compat.fc
deleted file mode 100644
index ba15f45..0000000
--- a/strict/file_contexts/program/compat.fc
+++ /dev/null
@@ -1,62 +0,0 @@
-ifdef(`setfiles.te', `', `
-# setfiles
-/usr/sbin/setfiles.*	--	system_u:object_r:setfiles_exec_t
-')
-
-ifdef(`mount.te', `', `
-# mount
-/bin/mount.*			--	system_u:object_r:mount_exec_t
-/bin/umount.*			--	system_u:object_r:mount_exec_t
-')
-ifdef(`loadkeys.te', `', `
-# loadkeys
-/bin/unikeys		--	system_u:object_r:loadkeys_exec_t
-/bin/loadkeys		--	system_u:object_r:loadkeys_exec_t
-')
-ifdef(`dmesg.te', `', `
-# dmesg
-/bin/dmesg	--	system_u:object_r:dmesg_exec_t
-')
-ifdef(`fsadm.te', `', `
-# fs admin utilities
-/sbin/fsck.*		--	system_u:object_r:fsadm_exec_t
-/sbin/mkfs.*		--	system_u:object_r:fsadm_exec_t
-/sbin/e2fsck		--	system_u:object_r:fsadm_exec_t
-/sbin/mkdosfs		--	system_u:object_r:fsadm_exec_t
-/sbin/dosfsck		--	system_u:object_r:fsadm_exec_t
-/sbin/reiserfs(ck|tune)	--	system_u:object_r:fsadm_exec_t
-/sbin/mkreiserfs	--	system_u:object_r:fsadm_exec_t
-/sbin/resize.*fs	--	system_u:object_r:fsadm_exec_t
-/sbin/e2label		--	system_u:object_r:fsadm_exec_t
-/sbin/findfs		--	system_u:object_r:fsadm_exec_t
-/sbin/mkfs		--	system_u:object_r:fsadm_exec_t
-/sbin/mke2fs		--	system_u:object_r:fsadm_exec_t
-/sbin/mkswap		--	system_u:object_r:fsadm_exec_t
-/sbin/scsi_info		--	system_u:object_r:fsadm_exec_t
-/sbin/sfdisk		--	system_u:object_r:fsadm_exec_t
-/sbin/cfdisk		--	system_u:object_r:fsadm_exec_t
-/sbin/fdisk		--	system_u:object_r:fsadm_exec_t
-/sbin/parted		--	system_u:object_r:fsadm_exec_t
-/sbin/tune2fs		--	system_u:object_r:fsadm_exec_t
-/sbin/dumpe2fs		--	system_u:object_r:fsadm_exec_t
-/sbin/swapon.*		--	system_u:object_r:fsadm_exec_t
-/sbin/hdparm		--	system_u:object_r:fsadm_exec_t
-/sbin/raidstart		--	system_u:object_r:fsadm_exec_t
-/sbin/mkraid		--	system_u:object_r:fsadm_exec_t
-/sbin/blockdev		--	system_u:object_r:fsadm_exec_t
-/sbin/losetup.*		--	system_u:object_r:fsadm_exec_t
-/sbin/jfs_.*		--	system_u:object_r:fsadm_exec_t
-/sbin/lsraid		--	system_u:object_r:fsadm_exec_t
-/usr/sbin/smartctl	--	system_u:object_r:fsadm_exec_t
-/sbin/install-mbr	--	system_u:object_r:fsadm_exec_t
-/usr/bin/scsi_unique_id	--	system_u:object_r:fsadm_exec_t
-/usr/bin/raw		--	system_u:object_r:fsadm_exec_t
-/sbin/partx		--	system_u:object_r:fsadm_exec_t
-/usr/bin/partition_uuid	--	system_u:object_r:fsadm_exec_t
-/sbin/partprobe		--	system_u:object_r:fsadm_exec_t
-')
-ifdef(`kudzu.te', `', `
-# kudzu
-/usr/sbin/kudzu	--	system_u:object_r:kudzu_exec_t
-/sbin/kmodule	--	system_u:object_r:kudzu_exec_t
-')
diff --git a/strict/file_contexts/program/comsat.fc b/strict/file_contexts/program/comsat.fc
deleted file mode 100644
index 7026d56..0000000
--- a/strict/file_contexts/program/comsat.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# biff server
-/usr/sbin/in\.comsat	--	system_u:object_r:comsat_exec_t
diff --git a/strict/file_contexts/program/consoletype.fc b/strict/file_contexts/program/consoletype.fc
deleted file mode 100644
index f310f37..0000000
--- a/strict/file_contexts/program/consoletype.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# consoletype
-/sbin/consoletype	--	system_u:object_r:consoletype_exec_t
diff --git a/strict/file_contexts/program/courier.fc b/strict/file_contexts/program/courier.fc
deleted file mode 100644
index 16f6adb..0000000
--- a/strict/file_contexts/program/courier.fc
+++ /dev/null
@@ -1,18 +0,0 @@
-# courier pop, imap, and webmail
-/usr/lib(64)?/courier(/.*)?			system_u:object_r:bin_t
-/usr/lib(64)?/courier/rootcerts(/.*)?	system_u:object_r:courier_etc_t
-/usr/lib(64)?/courier/authlib/.*	--	system_u:object_r:courier_authdaemon_exec_t
-/usr/lib(64)?/courier/courier/.*	--	system_u:object_r:courier_exec_t
-/usr/lib(64)?/courier/courier/courierpop.* -- system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/courier/imaplogin --	system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/courier/pcpd	--	system_u:object_r:courier_pcp_exec_t
-/usr/lib(64)?/courier/imapd		--	system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/pop3d		--	system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- system_u:object_r:sqwebmail_cron_exec_t
-/var/lib/courier(/.*)?			system_u:object_r:courier_var_lib_t
-/usr/bin/imapd			--	system_u:object_r:courier_pop_exec_t
-/usr/sbin/courierlogger		--	system_u:object_r:courier_exec_t
-/usr/sbin/courierldapaliasd	--	system_u:object_r:courier_exec_t
-/usr/sbin/couriertcpd		--	system_u:object_r:courier_tcpd_exec_t
-/var/run/courier(/.*)?			system_u:object_r:courier_var_run_t
-/etc/courier(/.*)?			system_u:object_r:courier_etc_t
diff --git a/strict/file_contexts/program/cpucontrol.fc b/strict/file_contexts/program/cpucontrol.fc
deleted file mode 100644
index e2275c6..0000000
--- a/strict/file_contexts/program/cpucontrol.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# cpucontrol
-/sbin/microcode_ctl	--	system_u:object_r:cpucontrol_exec_t
-/etc/firmware/.*	--	system_u:object_r:cpucontrol_conf_t
diff --git a/strict/file_contexts/program/cpuspeed.fc b/strict/file_contexts/program/cpuspeed.fc
deleted file mode 100644
index 60d8465..0000000
--- a/strict/file_contexts/program/cpuspeed.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# cpuspeed
-/usr/sbin/cpuspeed	--	system_u:object_r:cpuspeed_exec_t
-/usr/sbin/powernowd	--	system_u:object_r:cpuspeed_exec_t
diff --git a/strict/file_contexts/program/crack.fc b/strict/file_contexts/program/crack.fc
deleted file mode 100644
index 7d99136..0000000
--- a/strict/file_contexts/program/crack.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# crack - for password checking
-/usr/sbin/cracklib-[a-z]*	--	system_u:object_r:crack_exec_t
-/usr/sbin/crack_[a-z]*	--	system_u:object_r:crack_exec_t
-/var/cache/cracklib(/.*)?	system_u:object_r:crack_db_t
-/usr/lib(64)?/cracklib_dict.* --	system_u:object_r:crack_db_t
-/usr/share/cracklib(/.*)?	system_u:object_r:crack_db_t
diff --git a/strict/file_contexts/program/crond.fc b/strict/file_contexts/program/crond.fc
deleted file mode 100644
index 3a46659..0000000
--- a/strict/file_contexts/program/crond.fc
+++ /dev/null
@@ -1,34 +0,0 @@
-# crond
-/etc/crontab		--	system_u:object_r:system_cron_spool_t
-/etc/cron\.d(/.*)?		system_u:object_r:system_cron_spool_t
-/usr/sbin/cron(d)?	--	system_u:object_r:crond_exec_t
-/usr/sbin/anacron	--	system_u:object_r:anacron_exec_t
-/var/spool/cron		-d	system_u:object_r:cron_spool_t
-/var/spool/cron/crontabs -d	system_u:object_r:cron_spool_t
-/var/spool/cron/crontabs/.* -- <<none>>
-/var/spool/cron/crontabs/root -- system_u:object_r:sysadm_cron_spool_t
-/var/spool/cron/root	--	system_u:object_r:sysadm_cron_spool_t
-/var/spool/cron/[^/]*	--	<<none>>
-/var/run/crond\.reboot	--	system_u:object_r:crond_var_run_t
-/var/run/crond?\.pid	--	system_u:object_r:crond_var_run_t
-# fcron
-/usr/sbin/fcron		--	system_u:object_r:crond_exec_t
-/var/spool/fcron	-d	system_u:object_r:cron_spool_t
-/var/spool/fcron/.*		<<none>>
-/var/spool/fcron/systab\.orig --	system_u:object_r:system_cron_spool_t
-/var/spool/fcron/systab	 --	system_u:object_r:system_cron_spool_t
-/var/spool/fcron/new\.systab --	system_u:object_r:system_cron_spool_t
-/var/run/fcron\.fifo	-s	system_u:object_r:crond_var_run_t
-/var/run/fcron\.pid	--	system_u:object_r:crond_var_run_t
-# atd
-/usr/sbin/atd		--	system_u:object_r:crond_exec_t
-/var/spool/at		-d	system_u:object_r:cron_spool_t
-/var/spool/at/spool	-d	system_u:object_r:cron_spool_t
-/var/spool/at/[^/]*	--	<<none>>
-/var/run/atd\.pid	--	system_u:object_r:crond_var_run_t
-ifdef(`distro_suse', `
-/usr/lib/cron/run-crons	--	system_u:object_r:bin_t
-/var/spool/cron/lastrun	-d	system_u:object_r:crond_tmp_t
-/var/spool/cron/lastrun/[^/]*	--	<<none>>
-/var/spool/cron/tabs	-d	system_u:object_r:cron_spool_t
-')
diff --git a/strict/file_contexts/program/crontab.fc b/strict/file_contexts/program/crontab.fc
deleted file mode 100644
index 5c18699..0000000
--- a/strict/file_contexts/program/crontab.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# crontab
-/usr/bin/(f)?crontab	--	system_u:object_r:crontab_exec_t
-/usr/bin/at		--	system_u:object_r:crontab_exec_t
diff --git a/strict/file_contexts/program/cups.fc b/strict/file_contexts/program/cups.fc
deleted file mode 100644
index 26ae56f..0000000
--- a/strict/file_contexts/program/cups.fc
+++ /dev/null
@@ -1,46 +0,0 @@
-# cups printing
-/etc/cups(/.*)?			system_u:object_r:cupsd_etc_t
-/usr/share/cups(/.*)?		system_u:object_r:cupsd_etc_t
-/etc/alchemist/namespace/printconf(/.*)? system_u:object_r:cupsd_rw_etc_t
-/var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t
-/etc/cups/client\.conf	--	system_u:object_r:etc_t
-/etc/cups/cupsd\.conf.* --	system_u:object_r:cupsd_rw_etc_t
-/etc/cups/classes\.conf.* --	system_u:object_r:cupsd_rw_etc_t
-/etc/cups/lpoptions	--	system_u:object_r:cupsd_rw_etc_t
-/etc/cups/printers\.conf.* --	system_u:object_r:cupsd_rw_etc_t
-/etc/cups/ppd/.*	--	system_u:object_r:cupsd_rw_etc_t
-/etc/cups/certs		-d	system_u:object_r:cupsd_rw_etc_t
-/etc/cups/certs/.*	--	system_u:object_r:cupsd_rw_etc_t
-/var/lib/cups/certs	-d	system_u:object_r:cupsd_rw_etc_t
-/var/lib/cups/certs/.*	--	system_u:object_r:cupsd_rw_etc_t
-/etc/cups/ppds\.dat	--	system_u:object_r:cupsd_rw_etc_t
-/etc/cups/lpoptions.* 	--	system_u:object_r:cupsd_rw_etc_t
-/etc/printcap.* 	--	system_u:object_r:cupsd_rw_etc_t
-/usr/lib(64)?/cups/backend/.* --	system_u:object_r:cupsd_exec_t
-/usr/lib(64)?/cups/daemon/.*	 --	system_u:object_r:cupsd_exec_t
-/usr/lib(64)?/cups/daemon/cups-lpd --	system_u:object_r:cupsd_lpd_exec_t
-/usr/sbin/cupsd		--	system_u:object_r:cupsd_exec_t
-ifdef(`hald.te', `
-# cupsd_config depends on hald
-/usr/bin/cups-config-daemon --	system_u:object_r:cupsd_config_exec_t
-/usr/sbin/hal_lpadmin --	system_u:object_r:cupsd_config_exec_t
-/usr/sbin/printconf-backend --	system_u:object_r:cupsd_config_exec_t
-')
-/var/log/cups(/.*)?		system_u:object_r:cupsd_log_t
-/var/log/turboprint_cups\.log.* -- system_u:object_r:cupsd_log_t
-/var/spool/cups(/.*)?		system_u:object_r:print_spool_t
-/var/run/cups/printcap	--	system_u:object_r:cupsd_var_run_t
-/usr/lib(64)?/cups/filter/.*	--	system_u:object_r:bin_t
-/usr/lib(64)?/cups/cgi-bin/.* --	system_u:object_r:bin_t
-/usr/sbin/ptal-printd	--	system_u:object_r:ptal_exec_t
-/usr/sbin/ptal-mlcd	--	system_u:object_r:ptal_exec_t
-/usr/sbin/ptal-photod	--	system_u:object_r:ptal_exec_t
-/var/run/ptal-printd(/.*)?	system_u:object_r:ptal_var_run_t
-/var/run/ptal-mlcd(/.*)?	system_u:object_r:ptal_var_run_t
-/etc/hp(/.*)?			system_u:object_r:hplip_etc_t
-/usr/sbin/hpiod		--	system_u:object_r:hplip_exec_t
-/usr/share/hplip/hpssd.py	--	system_u:object_r:hplip_exec_t
-/usr/share/foomatic/db/oldprinterids 	--	system_u:object_r:cupsd_rw_etc_t
-/var/cache/foomatic(/.*)? 	--	system_u:object_r:cupsd_rw_etc_t
-/var/run/hp.*\.pid		--	system_u:object_r:hplip_var_run_t
-/var/run/hp.*\.port		--	system_u:object_r:hplip_var_run_t
diff --git a/strict/file_contexts/program/cvs.fc b/strict/file_contexts/program/cvs.fc
deleted file mode 100644
index ce38032..0000000
--- a/strict/file_contexts/program/cvs.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# cvs program
-/usr/bin/cvs	--	system_u:object_r:cvs_exec_t
diff --git a/strict/file_contexts/program/cyrus.fc b/strict/file_contexts/program/cyrus.fc
deleted file mode 100644
index 71a9026..0000000
--- a/strict/file_contexts/program/cyrus.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# cyrus
-/var/lib/imap(/.*)?				system_u:object_r:cyrus_var_lib_t
-/usr/lib(64)?/cyrus-imapd/.*		 	--	system_u:object_r:bin_t
-/usr/lib(64)?/cyrus-imapd/cyrus-master 		--	system_u:object_r:cyrus_exec_t
-/var/spool/imap(/.*)?		system_u:object_r:mail_spool_t
diff --git a/strict/file_contexts/program/daemontools.fc b/strict/file_contexts/program/daemontools.fc
deleted file mode 100644
index c2642ed..0000000
--- a/strict/file_contexts/program/daemontools.fc
+++ /dev/null
@@ -1,54 +0,0 @@
-# daemontools
-
-/var/service/.*			system_u:object_r:svc_svc_t
-
-# symlinks to /var/service/*
-/service(/.*)?			system_u:object_r:svc_svc_t
-
-# supervise scripts
-/usr/bin/svc-add	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-isdown	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-isup	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-remove	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-start	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-status	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-stop	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-waitdown	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-waitup	--	system_u:object_r:svc_script_exec_t
-
-# supervise init binaries
-# these programs read/write to /service/*/supervise/* and /service/*/log/supervise/*
-/usr/bin/svc		--	system_u:object_r:svc_start_exec_t
-/usr/bin/svscan		--	system_u:object_r:svc_start_exec_t
-/usr/bin/svscanboot	--	system_u:object_r:svc_start_exec_t
-/usr/bin/svok		--	system_u:object_r:svc_start_exec_t
-/usr/bin/supervise	--	system_u:object_r:svc_start_exec_t
-
-# starting scripts
-/var/service/.*/run.*		system_u:object_r:svc_run_exec_t
-/var/service/.*/log/run		system_u:object_r:svc_run_exec_t
-
-# configurations
-/var/service/.*/env(/.*)?   system_u:object_r:svc_conf_t
-
-# log
-/var/service/.*/log/main(/.*)?  system_u:object_r:svc_log_t
-
-# programs that impose a given environment to daemons
-/usr/bin/softlimit	--	system_u:object_r:svc_run_exec_t
-/usr/bin/setuidgid	--	system_u:object_r:svc_run_exec_t
-/usr/bin/envuidgid	--	system_u:object_r:svc_run_exec_t
-/usr/bin/envdir		--	system_u:object_r:svc_run_exec_t
-/usr/bin/setlock	--	system_u:object_r:svc_run_exec_t
-
-# helper programs
-/usr/bin/fghack		--	system_u:object_r:svc_run_exec_t
-/usr/bin/pgrphack	--	system_u:object_r:svc_run_exec_t
-
-/var/run/svscan\.pid	--	system_u:object_r:initrc_var_run_t
-# daemontools logger # writes to service/*/log/main/ and /var/log/*/
-/usr/bin/multilog	--	system_u:object_r:svc_multilog_exec_t
-
-/sbin/svcinit       --  system_u:object_r:initrc_exec_t
-/sbin/runsvcscript\.sh	--	system_u:object_r:initrc_exec_t
-
diff --git a/strict/file_contexts/program/dante.fc b/strict/file_contexts/program/dante.fc
deleted file mode 100644
index ce7f335..0000000
--- a/strict/file_contexts/program/dante.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dante
-/usr/sbin/sockd		--	system_u:object_r:dante_exec_t
-/etc/socks(/.*)?		system_u:object_r:dante_conf_t
-/var/run/sockd.pid	--	system_u:object_r:dante_var_run_t
diff --git a/strict/file_contexts/program/dbskkd.fc b/strict/file_contexts/program/dbskkd.fc
deleted file mode 100644
index 77ff4f1..0000000
--- a/strict/file_contexts/program/dbskkd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# A dictionary server for the SKK Japanese input method system.
-/usr/sbin/dbskkd-cdb	--	system_u:object_r:dbskkd_exec_t
diff --git a/strict/file_contexts/program/dbusd.fc b/strict/file_contexts/program/dbusd.fc
deleted file mode 100644
index 9f56c33..0000000
--- a/strict/file_contexts/program/dbusd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/bin/dbus-daemon(-1)?	--	system_u:object_r:system_dbusd_exec_t
-/etc/dbus-1(/.*)?		system_u:object_r:etc_dbusd_t
-/var/run/dbus(/.*)?		system_u:object_r:system_dbusd_var_run_t
diff --git a/strict/file_contexts/program/dcc.fc b/strict/file_contexts/program/dcc.fc
deleted file mode 100644
index a6b1372..0000000
--- a/strict/file_contexts/program/dcc.fc
+++ /dev/null
@@ -1,17 +0,0 @@
-# DCC
-/etc/dcc(/.*)?				system_u:object_r:dcc_var_t
-/etc/dcc/map			--	system_u:object_r:dcc_client_map_t
-/etc/dcc/dccifd			-s	system_u:object_r:dccifd_sock_t
-/usr/bin/cdcc				system_u:object_r:cdcc_exec_t
-/usr/bin/dccproc			system_u:object_r:dcc_client_exec_t
-/usr/libexec/dcc/dbclean		system_u:object_r:dcc_dbclean_exec_t
-/usr/libexec/dcc/dccd			system_u:object_r:dccd_exec_t
-/usr/libexec/dcc/dccifd			system_u:object_r:dccifd_exec_t
-/usr/libexec/dcc/dccm			system_u:object_r:dccm_exec_t
-/usr/libexec/dcc/start-.*		system_u:object_r:dcc_script_exec_t
-/usr/libexec/dcc/stop-.*		system_u:object_r:dcc_script_exec_t
-/var/dcc(/.*)?				system_u:object_r:dcc_var_t
-/var/dcc/map			--	system_u:object_r:dcc_client_map_t
-/var/run/dcc				system_u:object_r:dcc_var_run_t
-/var/run/dcc/map		--	system_u:object_r:dcc_client_map_t
-/var/run/dcc/dccifd		-s	system_u:object_r:dccifd_sock_t
diff --git a/strict/file_contexts/program/ddclient.fc b/strict/file_contexts/program/ddclient.fc
deleted file mode 100644
index 83ee3d2..0000000
--- a/strict/file_contexts/program/ddclient.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# ddclient
-/etc/ddclient\.conf		--	system_u:object_r:ddclient_etc_t
-/usr/sbin/ddclient		--	system_u:object_r:ddclient_exec_t
-/var/cache/ddclient(/.*)?		system_u:object_r:ddclient_var_t
-/var/run/ddclient\.pid		--	system_u:object_r:ddclient_var_run_t
-# ddt - Dynamic DNS client
-/usr/sbin/ddtcd		--	system_u:object_r:ddclient_exec_t
-/var/run/ddtcd\.pid	--	system_u:object_r:ddclient_var_run_t
-/etc/ddtcd\.conf	--	system_u:object_r:ddclient_etc_t
-/var/lib/ddt-client(/.*)?	system_u:object_r:ddclient_var_lib_t
-/var/log/ddtcd\.log.*	--	system_u:object_r:ddclient_log_t
diff --git a/strict/file_contexts/program/ddcprobe.fc b/strict/file_contexts/program/ddcprobe.fc
deleted file mode 100644
index 4313349..0000000
--- a/strict/file_contexts/program/ddcprobe.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/ddcprobe      --		system_u:object_r:ddcprobe_exec_t
diff --git a/strict/file_contexts/program/dhcpc.fc b/strict/file_contexts/program/dhcpc.fc
deleted file mode 100644
index a035faa..0000000
--- a/strict/file_contexts/program/dhcpc.fc
+++ /dev/null
@@ -1,19 +0,0 @@
-# dhcpcd 
-/etc/dhcpc.*			system_u:object_r:dhcp_etc_t
-/etc/dhcp3?/dhclient.*		system_u:object_r:dhcp_etc_t
-/etc/dhclient.*conf	--	system_u:object_r:dhcp_etc_t
-/etc/dhclient-script	--	system_u:object_r:dhcp_etc_t
-/sbin/dhcpcd		--	system_u:object_r:dhcpc_exec_t
-/sbin/dhcdbd		--	system_u:object_r:dhcpc_exec_t
-/sbin/dhclient.*	--	system_u:object_r:dhcpc_exec_t
-/var/lib/dhcp(3)?/dhclient.*	system_u:object_r:dhcpc_state_t
-/var/lib/dhcpcd(/.*)?		system_u:object_r:dhcpc_state_t
-/var/lib/dhclient(/.*)?		system_u:object_r:dhcpc_state_t
-/var/run/dhclient.*\.pid --	system_u:object_r:dhcpc_var_run_t
-/var/run/dhclient.*\.leases --	system_u:object_r:dhcpc_var_run_t
-# pump
-/sbin/pump		--	system_u:object_r:dhcpc_exec_t
-ifdef(`dhcp_defined', `', `
-/var/lib/dhcp(3)?	-d	system_u:object_r:dhcp_state_t
-define(`dhcp_defined')
-')
diff --git a/strict/file_contexts/program/dhcpd.fc b/strict/file_contexts/program/dhcpd.fc
deleted file mode 100644
index d26d56d..0000000
--- a/strict/file_contexts/program/dhcpd.fc
+++ /dev/null
@@ -1,34 +0,0 @@
-# dhcpd
-/etc/dhcpd\.conf	--	system_u:object_r:dhcp_etc_t
-/etc/dhcp3(/.*)?		system_u:object_r:dhcp_etc_t
-/usr/sbin/dhcpd.*	--	system_u:object_r:dhcpd_exec_t
-/var/lib/dhcp(3)?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t
-/var/run/dhcpd\.pid	--	system_u:object_r:dhcpd_var_run_t
-ifdef(`dhcp_defined', `', `
-/var/lib/dhcp(3)?	-d	system_u:object_r:dhcp_state_t
-define(`dhcp_defined')
-')
-
-ifdef(`distro_gentoo', `
-/etc/dhcp			-d	system_u:object_r:dhcp_etc_t
-/etc/dhcp(/.*)?			--	system_u:object_r:dhcp_etc_t
-/var/lib/dhcp			-d 	system_u:object_r:dhcp_state_t
-/var/lib/dhcpd(/.*)?			system_u:object_r:dhcpd_state_t
-/var/lib/dhcp/dhcpd\.leases.* 	--	system_u:object_r:dhcpd_state_t
-/var/run/dhcp/dhcpd\.pid     	--	system_u:object_r:dhcpd_var_run_t
-
-# for the chroot setup
-/chroot/dhcp					-d	system_u:object_r:root_t
-/chroot/dhcp/dev				-d	system_u:object_r:device_t
-/chroot/dhcp/etc				-d	system_u:object_r:etc_t
-/chroot/dhcp/etc/dhcp               -d  system_u:object_r:dhcp_etc_t
-/chroot/dhcp/etc/dhcp(/.*)?         --  system_u:object_r:dhcp_etc_t
-/chroot/dhcp/usr/sbin/dhcpd         --  system_u:object_r:dhcpd_exec_t
-/chroot/dhcp/var				-d	system_u:object_r:var_t
-/chroot/dhcp/var/run				-d	system_u:object_r:var_run_t
-/chroot/dhcp/var/lib				-d	system_u:object_r:var_lib_t
-/chroot/dhcp/var/lib/dhcp			-d	system_u:object_r:dhcp_state_t
-/chroot/dhcp/var/lib/dhcp/dhcpd\.leases.*	--	system_u:object_r:dhcpd_state_t
-/chroot/dhcp/var/run/dhcp/dhcpd\.pid     	--	system_u:object_r:dhcpd_state_t
-')
-
diff --git a/strict/file_contexts/program/dictd.fc b/strict/file_contexts/program/dictd.fc
deleted file mode 100644
index 0d97d0a..0000000
--- a/strict/file_contexts/program/dictd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dictd
-/etc/dictd\.conf		--	system_u:object_r:dictd_etc_t
-/usr/sbin/dictd		--	system_u:object_r:dictd_exec_t
-/var/lib/dictd(/.*)?		system_u:object_r:dictd_var_lib_t
diff --git a/strict/file_contexts/program/distcc.fc b/strict/file_contexts/program/distcc.fc
deleted file mode 100644
index 3ab9797..0000000
--- a/strict/file_contexts/program/distcc.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# distcc
-/usr/bin/distccd	--	system_u:object_r:distccd_exec_t
diff --git a/strict/file_contexts/program/djbdns.fc b/strict/file_contexts/program/djbdns.fc
deleted file mode 100644
index 6174b9f..0000000
--- a/strict/file_contexts/program/djbdns.fc
+++ /dev/null
@@ -1,26 +0,0 @@
-#djbdns
-/usr/bin/dnscache               -- system_u:object_r:djbdns_dnscache_exec_t
-/usr/bin/tinydns                -- system_u:object_r:djbdns_tinydns_exec_t
-/usr/bin/axfrdns                -- system_u:object_r:djbdns_axfrdns_exec_t
-
-/var/dnscache[a-z]?(/.*)?          system_u:object_r:svc_svc_t
-/var/dnscache[a-z]?/run        --  system_u:object_r:svc_run_exec_t
-/var/dnscache[a-z]?/log/run    --  system_u:object_r:svc_run_exec_t
-/var/dnscache[a-z]?/env(/.*)?      system_u:object_r:svc_conf_t
-/var/dnscache[a-z]?/root(/.*)?     system_u:object_r:djbdns_dnscache_conf_t
-/var/dnscache[a-z]?/log/main(/.*)? system_u:object_r:var_log_t
-
-/var/tinydns(/.*)?                 system_u:object_r:svc_svc_t
-/var/tinydns/run               --  system_u:object_r:svc_run_exec_t
-/var/tinydns/log/run           --  system_u:object_r:svc_run_exec_t
-/var/tinydns/env(/.*)?             system_u:object_r:svc_conf_t
-/var/tinydns/root(/.*)?            system_u:object_r:djbdns_tinydns_conf_t
-/var/tinydns/log/main(/.*)?        system_u:object_r:var_log_t
-
-/var/axfrdns(/.*)?                 system_u:object_r:svc_svc_t
-/var/axfrdns/run               --  system_u:object_r:svc_run_exec_t
-/var/axfrdns/log/run           --  system_u:object_r:svc_run_exec_t
-/var/axfrdns/env(/.*)?             system_u:object_r:svc_conf_t
-/var/axfrdns/root(/.*)?            system_u:object_r:djbdns_axfrdns_conf_t
-/var/axfrdns/log/main(/.*)?        system_u:object_r:var_log_t
-
diff --git a/strict/file_contexts/program/dmesg.fc b/strict/file_contexts/program/dmesg.fc
deleted file mode 100644
index 2df5752..0000000
--- a/strict/file_contexts/program/dmesg.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# dmesg
-/bin/dmesg	--	system_u:object_r:dmesg_exec_t
diff --git a/strict/file_contexts/program/dmidecode.fc b/strict/file_contexts/program/dmidecode.fc
deleted file mode 100644
index b5ce71b..0000000
--- a/strict/file_contexts/program/dmidecode.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dmidecode 
-/usr/sbin/dmidecode	--	   	system_u:object_r:dmidecode_exec_t
-/usr/sbin/ownership	--		system_u:object_r:dmidecode_exec_t
-/usr/sbin/vpddecode	--		system_u:object_r:dmidecode_exec_t
diff --git a/strict/file_contexts/program/dnsmasq.fc b/strict/file_contexts/program/dnsmasq.fc
deleted file mode 100644
index e1b1c35..0000000
--- a/strict/file_contexts/program/dnsmasq.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dnsmasq
-/usr/sbin/dnsmasq		--	system_u:object_r:dnsmasq_exec_t
-/var/lib/misc/dnsmasq\.leases	--	system_u:object_r:dnsmasq_lease_t
-/var/run/dnsmasq\.pid		--	system_u:object_r:dnsmasq_var_run_t
diff --git a/strict/file_contexts/program/dovecot.fc b/strict/file_contexts/program/dovecot.fc
deleted file mode 100644
index 75a65dd..0000000
--- a/strict/file_contexts/program/dovecot.fc
+++ /dev/null
@@ -1,16 +0,0 @@
-# for Dovecot POP and IMAP server
-/etc/dovecot.conf.*			system_u:object_r:dovecot_etc_t
-/etc/dovecot.passwd.*			system_u:object_r:dovecot_passwd_t
-/usr/sbin/dovecot		--	system_u:object_r:dovecot_exec_t
-ifdef(`distro_redhat', `
-/usr/libexec/dovecot/dovecot-auth --	system_u:object_r:dovecot_auth_exec_t
-')
-ifdef(`distro_debian', `
-/usr/lib/dovecot/dovecot-auth	--	system_u:object_r:dovecot_auth_exec_t
-')
-/usr/share/ssl/certs/dovecot\.pem --	system_u:object_r:dovecot_cert_t
-/usr/share/ssl/private/dovecot\.pem --	system_u:object_r:dovecot_cert_t
-/etc/pki/dovecot(/.*)?			system_u:object_r:dovecot_cert_t
-/var/run/dovecot(-login)?(/.*)?		system_u:object_r:dovecot_var_run_t
-/usr/lib(64)?/dovecot/.+	--		system_u:object_r:bin_t
-/var/spool/dovecot(/.*)?		system_u:object_r:dovecot_spool_t
diff --git a/strict/file_contexts/program/dpkg.fc b/strict/file_contexts/program/dpkg.fc
deleted file mode 100644
index f0f56f6..0000000
--- a/strict/file_contexts/program/dpkg.fc
+++ /dev/null
@@ -1,49 +0,0 @@
-# dpkg/dselect/apt
-/etc/apt(/.*)?			system_u:object_r:apt_etc_t
-/etc/apt/listbugs(/.*)?		system_u:object_r:apt_rw_etc_t
-/usr/bin/apt-cache	--	system_u:object_r:apt_exec_t
-/usr/bin/apt-config	--	system_u:object_r:apt_exec_t
-/usr/bin/apt-get	--	system_u:object_r:apt_exec_t
-/usr/bin/dpkg		--	system_u:object_r:dpkg_exec_t
-/usr/sbin/dpkg-reconfigure --	system_u:object_r:dpkg_exec_t
-/usr/bin/dselect	--	system_u:object_r:dpkg_exec_t
-/usr/bin/aptitude	--	system_u:object_r:dpkg_exec_t
-/usr/bin/update-menus	--	system_u:object_r:install_menu_exec_t
-/usr/lib(64)?/apt/methods/.+	--	system_u:object_r:apt_exec_t
-/usr/lib(64)?/man-db(/.*)?		system_u:object_r:bin_t
-/usr/lib(64)?/dpkg/.+	--	system_u:object_r:dpkg_exec_t
-/usr/sbin/dpkg-preconfigure --	system_u:object_r:dpkg_exec_t
-/usr/sbin/install-menu	--	system_u:object_r:install_menu_exec_t
-/usr/share/applnk(/.*)?		system_u:object_r:debian_menu_t
-/usr/share/debconf/.+	--	system_u:object_r:dpkg_exec_t
-/usr/share/debiandoc-sgml/saspconvert -- system_u:object_r:bin_t
-/usr/share/lintian/.+	--	system_u:object_r:bin_t
-/usr/share/kernel-package/.+ -- system_u:object_r:bin_t
-/usr/share/smartmontools/selftests -- system_u:object_r:bin_t
-/usr/share/bug/[^/]+	--	system_u:object_r:bin_t
-/var/cache/apt(/.*)?		system_u:object_r:var_cache_apt_t
-/var/cache/apt-listbugs(/.*)?	system_u:object_r:var_cache_apt_t
-/var/lib/apt(/.*)?		system_u:object_r:apt_var_lib_t
-/var/state/apt(/.*)?		system_u:object_r:apt_var_lib_t
-/var/lib/dpkg(/.*)?		system_u:object_r:dpkg_var_lib_t
-/var/lib/dpkg/(meth)?lock --	system_u:object_r:dpkg_lock_t
-/var/lib/kde(/.*)?		system_u:object_r:debian_menu_t
-/var/spool/kdeapplnk(/.*)?	system_u:object_r:debian_menu_t
-/var/cache/debconf(/.*)?	system_u:object_r:debconf_cache_t
-/etc/dpkg/.+		--	system_u:object_r:dpkg_etc_t
-/etc/menu-methods/.*	--	system_u:object_r:install_menu_exec_t
-/usr/share/console/getkmapchoice\.pl -- system_u:object_r:bin_t
-/var/run/update-menus\.pid --	system_u:object_r:install_menu_var_run_t
-/usr/share/dlint/digparse --	system_u:object_r:bin_t
-/usr/share/gimp/1\.2/user_install -- system_u:object_r:bin_t
-/usr/share/openoffice\.org-debian-files/install-hook -- system_u:object_r:bin_t
-/var/lib/defoma(/.*)?		system_u:object_r:fonts_t
-/usr/lib(64)?/doc-rfc/register-doc-rfc-docs -- system_u:object_r:bin_t
-/usr/share/intltool-debian/.* -- system_u:object_r:bin_t
-/usr/share/po-debconf/intltool-merge -- system_u:object_r:bin_t
-/usr/share/linuxdoc-tools/sgmlswhich -- system_u:object_r:bin_t
-/usr/share/shorewall/.*	--	system_u:object_r:bin_t
-/usr/share/reportbug/.*	--	system_u:object_r:bin_t
-/etc/network/ifstate.*	--	system_u:object_r:etc_runtime_t
-/usr/lib(64)?/gconf2/gconfd-2 --	system_u:object_r:bin_t
-/bin/mountpoint		--	system_u:object_r:fsadm_exec_t
diff --git a/strict/file_contexts/program/ethereal.fc b/strict/file_contexts/program/ethereal.fc
deleted file mode 100644
index ba1af85..0000000
--- a/strict/file_contexts/program/ethereal.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/tethereal.*		--	system_u:object_r:tethereal_exec_t
-/usr/sbin/ethereal.*		--	system_u:object_r:ethereal_exec_t
-HOME_DIR/\.ethereal(/.*)? 		system_u:object_r:ROLE_ethereal_home_t
diff --git a/strict/file_contexts/program/evolution.fc b/strict/file_contexts/program/evolution.fc
deleted file mode 100644
index 1a3bf38..0000000
--- a/strict/file_contexts/program/evolution.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-/usr/bin/evolution.*					--	system_u:object_r:evolution_exec_t
-/usr/libexec/evolution/.*evolution-alarm-notify.*	--	system_u:object_r:evolution_alarm_exec_t
-/usr/libexec/evolution/.*evolution-exchange-storage.*	--	system_u:object_r:evolution_exchange_exec_t
-/usr/libexec/evolution-data-server.*			--	system_u:object_r:evolution_server_exec_t
-/usr/libexec/evolution-webcal.*				--	system_u:object_r:evolution_webcal_exec_t
-HOME_DIR/\.evolution(/.*)?					system_u:object_r:ROLE_evolution_home_t
-HOME_DIR/\.camel_certs(/.*)?					system_u:object_r:ROLE_evolution_home_t
-/tmp/\.exchange-USER(/.*)?					system_u:object_r:ROLE_evolution_exchange_tmp_t
diff --git a/strict/file_contexts/program/fetchmail.fc b/strict/file_contexts/program/fetchmail.fc
deleted file mode 100644
index 5186172..0000000
--- a/strict/file_contexts/program/fetchmail.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# fetchmail
-/etc/fetchmailrc		--	system_u:object_r:fetchmail_etc_t
-/usr/bin/fetchmail		--	system_u:object_r:fetchmail_exec_t
-/var/run/fetchmail/.*	--	system_u:object_r:fetchmail_var_run_t
-/var/mail/\.fetchmail-UIDL-cache --	system_u:object_r:fetchmail_uidl_cache_t
diff --git a/strict/file_contexts/program/fingerd.fc b/strict/file_contexts/program/fingerd.fc
deleted file mode 100644
index 59cc062..0000000
--- a/strict/file_contexts/program/fingerd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# fingerd
-/usr/sbin/in\.fingerd	--	system_u:object_r:fingerd_exec_t
-/usr/sbin/[cef]fingerd	--	system_u:object_r:fingerd_exec_t
-/etc/cron\.weekly/(c)?fingerd -- system_u:object_r:fingerd_exec_t
-/etc/cfingerd(/.*)?		system_u:object_r:fingerd_etc_t
-/var/log/cfingerd\.log.* --	system_u:object_r:fingerd_log_t
diff --git a/strict/file_contexts/program/firstboot.fc b/strict/file_contexts/program/firstboot.fc
deleted file mode 100644
index ae3179d..0000000
--- a/strict/file_contexts/program/firstboot.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# firstboot
-/usr/sbin/firstboot	-- system_u:object_r:firstboot_exec_t
-/usr/share/firstboot	system_u:object_r:firstboot_rw_t
-/usr/share/firstboot/firstboot\.py --	system_u:object_r:firstboot_exec_t
diff --git a/strict/file_contexts/program/fontconfig.fc b/strict/file_contexts/program/fontconfig.fc
deleted file mode 100644
index d8a8dc9..0000000
--- a/strict/file_contexts/program/fontconfig.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-HOME_DIR/\.fonts.conf		--	system_u:object_r:ROLE_fonts_config_t
-HOME_DIR/\.fonts(/.*)?			system_u:object_r:ROLE_fonts_t
-HOME_DIR/\.fonts/auto(/.*)?		system_u:object_r:ROLE_fonts_cache_t
-HOME_DIR/\.fonts.cache-.*	--	system_u:object_r:ROLE_fonts_cache_t
diff --git a/strict/file_contexts/program/fs_daemon.fc b/strict/file_contexts/program/fs_daemon.fc
deleted file mode 100644
index 19ac531..0000000
--- a/strict/file_contexts/program/fs_daemon.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# fs admin daemons
-/usr/sbin/smartd	--	system_u:object_r:fsdaemon_exec_t
-/var/run/smartd\.pid	--	system_u:object_r:fsdaemon_var_run_t
-/etc/smartd\.conf	--	system_u:object_r:etc_runtime_t
diff --git a/strict/file_contexts/program/fsadm.fc b/strict/file_contexts/program/fsadm.fc
deleted file mode 100644
index 9b81537..0000000
--- a/strict/file_contexts/program/fsadm.fc
+++ /dev/null
@@ -1,40 +0,0 @@
-# fs admin utilities
-/sbin/fsck.*		--	system_u:object_r:fsadm_exec_t
-/sbin/mkfs.*		--	system_u:object_r:fsadm_exec_t
-/sbin/mkfs\.cramfs	--	system_u:object_r:sbin_t
-/sbin/e2fsck		--	system_u:object_r:fsadm_exec_t
-/sbin/mkdosfs		--	system_u:object_r:fsadm_exec_t
-/sbin/dosfsck		--	system_u:object_r:fsadm_exec_t
-/sbin/reiserfs(ck|tune)	--	system_u:object_r:fsadm_exec_t
-/sbin/mkreiserfs	--	system_u:object_r:fsadm_exec_t
-/sbin/resize.*fs	--	system_u:object_r:fsadm_exec_t
-/sbin/e2label		--	system_u:object_r:fsadm_exec_t
-/sbin/findfs		--	system_u:object_r:fsadm_exec_t
-/sbin/mkfs		--	system_u:object_r:fsadm_exec_t
-/sbin/mke2fs		--	system_u:object_r:fsadm_exec_t
-/sbin/mkswap		--	system_u:object_r:fsadm_exec_t
-/sbin/scsi_info		--	system_u:object_r:fsadm_exec_t
-/sbin/sfdisk		--	system_u:object_r:fsadm_exec_t
-/sbin/cfdisk		--	system_u:object_r:fsadm_exec_t
-/sbin/fdisk		--	system_u:object_r:fsadm_exec_t
-/sbin/parted		--	system_u:object_r:fsadm_exec_t
-/sbin/tune2fs		--	system_u:object_r:fsadm_exec_t
-/sbin/dumpe2fs		--	system_u:object_r:fsadm_exec_t
-/sbin/dump		--	system_u:object_r:fsadm_exec_t
-/sbin/swapon.*		--	system_u:object_r:fsadm_exec_t
-/sbin/hdparm		--	system_u:object_r:fsadm_exec_t
-/sbin/raidstart		--	system_u:object_r:fsadm_exec_t
-/sbin/raidautorun	--	system_u:object_r:fsadm_exec_t
-/sbin/mkraid		--	system_u:object_r:fsadm_exec_t
-/sbin/blockdev		--	system_u:object_r:fsadm_exec_t
-/sbin/losetup.*		--	system_u:object_r:fsadm_exec_t
-/sbin/jfs_.*		--	system_u:object_r:fsadm_exec_t
-/sbin/lsraid		--	system_u:object_r:fsadm_exec_t
-/usr/sbin/smartctl	--	system_u:object_r:fsadm_exec_t
-/sbin/install-mbr	--	system_u:object_r:fsadm_exec_t
-/usr/bin/scsi_unique_id	--	system_u:object_r:fsadm_exec_t
-/usr/bin/raw		--	system_u:object_r:fsadm_exec_t
-/sbin/partx		--	system_u:object_r:fsadm_exec_t
-/usr/bin/partition_uuid	--	system_u:object_r:fsadm_exec_t
-/sbin/partprobe		--	system_u:object_r:fsadm_exec_t
-/usr/bin/syslinux	--	system_u:object_r:fsadm_exec_t
diff --git a/strict/file_contexts/program/ftpd.fc b/strict/file_contexts/program/ftpd.fc
deleted file mode 100644
index c75f7f1..0000000
--- a/strict/file_contexts/program/ftpd.fc
+++ /dev/null
@@ -1,17 +0,0 @@
-# ftpd
-/usr/sbin/in\.ftpd	--	system_u:object_r:ftpd_exec_t
-/usr/sbin/proftpd	--	system_u:object_r:ftpd_exec_t
-/usr/sbin/muddleftpd	--	system_u:object_r:ftpd_exec_t
-/usr/sbin/ftpwho	--	system_u:object_r:ftpd_exec_t
-/usr/kerberos/sbin/ftpd	--	system_u:object_r:ftpd_exec_t
-/usr/sbin/vsftpd	--	system_u:object_r:ftpd_exec_t
-/etc/proftpd\.conf	--	system_u:object_r:ftpd_etc_t
-/var/run/proftpd/proftpd-inetd -- system_u:object_r:ftpd_var_run_t
-/var/run/proftpd/proftpd\.scoreboard -- system_u:object_r:ftpd_var_run_t
-/var/log/muddleftpd\.log.* --	system_u:object_r:xferlog_t
-/var/log/xferlog.*	--	system_u:object_r:xferlog_t
-/var/log/vsftpd.*	--	system_u:object_r:xferlog_t
-/var/log/xferreport.*	--	system_u:object_r:xferlog_t
-/etc/cron\.monthly/proftpd --	system_u:object_r:ftpd_exec_t
-/var/ftp(/.*)?			system_u:object_r:public_content_t
-/srv/([^/]*/)?ftp(/.*)?		system_u:object_r:public_content_t
diff --git a/strict/file_contexts/program/games.fc b/strict/file_contexts/program/games.fc
deleted file mode 100644
index 3465eee..0000000
--- a/strict/file_contexts/program/games.fc
+++ /dev/null
@@ -1,61 +0,0 @@
-#  games
-/usr/lib/games(/.*)? 		system_u:object_r:games_exec_t
-/var/lib/games(/.*)? 		system_u:object_r:games_data_t
-ifdef(`distro_debian', `
-/usr/games/.*		--	system_u:object_r:games_exec_t
-/var/games(/.*)?		system_u:object_r:games_data_t
-', `
-/usr/bin/micq		--	system_u:object_r:games_exec_t
-/usr/bin/blackjack	--	system_u:object_r:games_exec_t
-/usr/bin/gataxx		--	system_u:object_r:games_exec_t
-/usr/bin/glines		--	system_u:object_r:games_exec_t
-/usr/bin/gnect		--	system_u:object_r:games_exec_t
-/usr/bin/gnibbles	--	system_u:object_r:games_exec_t
-/usr/bin/gnobots2	--	system_u:object_r:games_exec_t
-/usr/bin/gnome-stones	--	system_u:object_r:games_exec_t
-/usr/bin/gnomine	--	system_u:object_r:games_exec_t
-/usr/bin/gnotravex	--	system_u:object_r:games_exec_t
-/usr/bin/gnotski	--	system_u:object_r:games_exec_t
-/usr/bin/gtali		--	system_u:object_r:games_exec_t
-/usr/bin/iagno		--	system_u:object_r:games_exec_t
-/usr/bin/mahjongg	--	system_u:object_r:games_exec_t
-/usr/bin/same-gnome	--	system_u:object_r:games_exec_t
-/usr/bin/sol		--	system_u:object_r:games_exec_t
-/usr/bin/atlantik	--	system_u:object_r:games_exec_t
-/usr/bin/kasteroids	--	system_u:object_r:games_exec_t
-/usr/bin/katomic	--	system_u:object_r:games_exec_t
-/usr/bin/kbackgammon	--	system_u:object_r:games_exec_t
-/usr/bin/kbattleship	--	system_u:object_r:games_exec_t
-/usr/bin/kblackbox	--	system_u:object_r:games_exec_t
-/usr/bin/kbounce	--	system_u:object_r:games_exec_t
-/usr/bin/kenolaba	--	system_u:object_r:games_exec_t
-/usr/bin/kfouleggs	--	system_u:object_r:games_exec_t
-/usr/bin/kgoldrunner	--	system_u:object_r:games_exec_t
-/usr/bin/kjumpingcube	--	system_u:object_r:games_exec_t
-/usr/bin/klickety	--	system_u:object_r:games_exec_t
-/usr/bin/klines		--	system_u:object_r:games_exec_t
-/usr/bin/kmahjongg	--	system_u:object_r:games_exec_t
-/usr/bin/kmines		--	system_u:object_r:games_exec_t
-/usr/bin/kolf		--	system_u:object_r:games_exec_t
-/usr/bin/konquest	--	system_u:object_r:games_exec_t
-/usr/bin/kpat		--	system_u:object_r:games_exec_t
-/usr/bin/kpoker		--	system_u:object_r:games_exec_t
-/usr/bin/kreversi	--	system_u:object_r:games_exec_t
-/usr/bin/ksame		--	system_u:object_r:games_exec_t
-/usr/bin/kshisen	--	system_u:object_r:games_exec_t
-/usr/bin/ksirtet	--	system_u:object_r:games_exec_t
-/usr/bin/ksmiletris	--	system_u:object_r:games_exec_t
-/usr/bin/ksnake		--	system_u:object_r:games_exec_t
-/usr/bin/ksokoban	--	system_u:object_r:games_exec_t
-/usr/bin/kspaceduel	--	system_u:object_r:games_exec_t
-/usr/bin/ktron		--	system_u:object_r:games_exec_t
-/usr/bin/ktuberling	--	system_u:object_r:games_exec_t
-/usr/bin/kwin4		--	system_u:object_r:games_exec_t
-/usr/bin/kwin4proc	--	system_u:object_r:games_exec_t
-/usr/bin/lskat		--	system_u:object_r:games_exec_t
-/usr/bin/lskatproc	--	system_u:object_r:games_exec_t
-/usr/bin/Maelstrom	--	system_u:object_r:games_exec_t
-/usr/bin/civclient.*	--	system_u:object_r:games_exec_t
-/usr/bin/civserver.*	--	system_u:object_r:games_exec_t
-')dnl end non-Debian section
-
diff --git a/strict/file_contexts/program/gatekeeper.fc b/strict/file_contexts/program/gatekeeper.fc
deleted file mode 100644
index e51491a..0000000
--- a/strict/file_contexts/program/gatekeeper.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# gatekeeper
-/etc/gatekeeper\.ini	--	system_u:object_r:gatekeeper_etc_t
-/usr/sbin/gk		--	system_u:object_r:gatekeeper_exec_t
-/usr/sbin/gnugk		--	system_u:object_r:gatekeeper_exec_t
-/var/run/gk\.pid	--	system_u:object_r:gatekeeper_var_run_t
-/var/run/gnugk(/.*)?		system_u:object_r:gatekeeper_var_run_t
-/var/log/gnugk(/.*)?		system_u:object_r:gatekeeper_log_t
diff --git a/strict/file_contexts/program/gconf.fc b/strict/file_contexts/program/gconf.fc
deleted file mode 100644
index 3ee63e0..0000000
--- a/strict/file_contexts/program/gconf.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-/usr/libexec/gconfd-2	--	system_u:object_r:gconfd_exec_t
-/etc/gconf(/.*)?		system_u:object_r:gconf_etc_t
-HOME_DIR/\.gconf(/.*)?		system_u:object_r:ROLE_gconfd_home_t
-HOME_DIR/\.gconfd(/.*)?		system_u:object_r:ROLE_gconfd_home_t
-/tmp/gconfd-USER(/.*)?		system_u:object_r:ROLE_gconfd_tmp_t
diff --git a/strict/file_contexts/program/getty.fc b/strict/file_contexts/program/getty.fc
deleted file mode 100644
index 0da4b32..0000000
--- a/strict/file_contexts/program/getty.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# getty
-/sbin/.*getty		--	system_u:object_r:getty_exec_t
-/etc/mgetty(/.*)?		system_u:object_r:getty_etc_t
-/var/run/mgetty\.pid.*	--	system_u:object_r:getty_var_run_t
-/var/log/mgetty\.log.*	--	system_u:object_r:getty_log_t
diff --git a/strict/file_contexts/program/gift.fc b/strict/file_contexts/program/gift.fc
deleted file mode 100644
index 88ed5f2..0000000
--- a/strict/file_contexts/program/gift.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-/usr/(local/)?bin/giftd	--	system_u:object_r:giftd_exec_t
-/usr/(local/)?bin/giftui	-- 	system_u:object_r:gift_exec_t
-/usr/(local/)?bin/giFToxic	--	system_u:object_r:gift_exec_t
-/usr/(local/)?bin/apollon	-- 	system_u:object_r:gift_exec_t
-HOME_DIR/\.giFT(/.*)?		system_u:object_r:ROLE_gift_home_t
diff --git a/strict/file_contexts/program/gnome-pty-helper.fc b/strict/file_contexts/program/gnome-pty-helper.fc
deleted file mode 100644
index 24a0b1b..0000000
--- a/strict/file_contexts/program/gnome-pty-helper.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# gnome-pty-helper
-/usr/sbin/gnome-pty-helper --	system_u:object_r:gph_exec_t
-/usr/lib(64)?/vte/gnome-pty-helper --	system_u:object_r:gph_exec_t
diff --git a/strict/file_contexts/program/gnome.fc b/strict/file_contexts/program/gnome.fc
deleted file mode 100644
index 670c86f..0000000
--- a/strict/file_contexts/program/gnome.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# FIXME: add a lot more GNOME folders
-HOME_DIR/\.gnome(2)?(/.*)?			system_u:object_r:ROLE_gnome_settings_t
-HOME_DIR/\.gnome(2)?_private(/.*)?              system_u:object_r:ROLE_gnome_secret_t
-ifdef(`evolution.te', `
-HOME_DIR/\.gnome(2)?_private/Evolution	--	system_u:object_r:ROLE_evolution_secret_t
-')
-HOME_DIR/\.gnome(2)?/share/fonts(/.*)?          system_u:object_r:ROLE_fonts_t
-HOME_DIR/\.gnome(2)?/share/cursor-fonts(/.*)?   system_u:object_r:ROLE_fonts_t
diff --git a/strict/file_contexts/program/gnome_vfs.fc b/strict/file_contexts/program/gnome_vfs.fc
deleted file mode 100644
index f945d59..0000000
--- a/strict/file_contexts/program/gnome_vfs.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/libexec/gnome-vfs-daemon 	--	system_u:object_r:gnome_vfs_exec_t
diff --git a/strict/file_contexts/program/gpg-agent.fc b/strict/file_contexts/program/gpg-agent.fc
deleted file mode 100644
index bb25b63..0000000
--- a/strict/file_contexts/program/gpg-agent.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# gpg-agent
-/usr/bin/gpg-agent	--	system_u:object_r:gpg_agent_exec_t
-/usr/bin/pinentry.*	--	system_u:object_r:pinentry_exec_t
diff --git a/strict/file_contexts/program/gpg.fc b/strict/file_contexts/program/gpg.fc
deleted file mode 100644
index 650df0c..0000000
--- a/strict/file_contexts/program/gpg.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# gpg
-HOME_DIR/\.gnupg(/.+)?	system_u:object_r:ROLE_gpg_secret_t
-/usr/bin/gpg(2)?		--	system_u:object_r:gpg_exec_t
-/usr/bin/kgpg		--	system_u:object_r:gpg_exec_t
-/usr/lib/gnupg/.*	--	system_u:object_r:gpg_exec_t
-/usr/lib/gnupg/gpgkeys.*	--  system_u:object_r:gpg_helper_exec_t
-
diff --git a/strict/file_contexts/program/gpm.fc b/strict/file_contexts/program/gpm.fc
deleted file mode 100644
index b681881..0000000
--- a/strict/file_contexts/program/gpm.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# gpm
-/dev/gpmctl		-s	system_u:object_r:gpmctl_t
-/dev/gpmdata		-p	system_u:object_r:gpmctl_t
-/usr/sbin/gpm		--	system_u:object_r:gpm_exec_t
-/etc/gpm(/.*)?			system_u:object_r:gpm_conf_t
diff --git a/strict/file_contexts/program/groupadd.fc b/strict/file_contexts/program/groupadd.fc
deleted file mode 100644
index e69de29..0000000
--- a/strict/file_contexts/program/groupadd.fc
+++ /dev/null
diff --git a/strict/file_contexts/program/hald.fc b/strict/file_contexts/program/hald.fc
deleted file mode 100644
index ca142cf..0000000
--- a/strict/file_contexts/program/hald.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# hald - hardware information daemon
-/usr/sbin/hald		--	system_u:object_r:hald_exec_t
-/usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t
-/etc/hal/device\.d/printer_remove\.hal -- system_u:object_r:hald_exec_t
-/etc/hal/capability\.d/printer_update\.hal -- system_u:object_r:hald_exec_t
-/usr/share/hal/device-manager/hal-device-manager -- system_u:object_r:bin_t
diff --git a/strict/file_contexts/program/hostname.fc b/strict/file_contexts/program/hostname.fc
deleted file mode 100644
index 685e74e..0000000
--- a/strict/file_contexts/program/hostname.fc
+++ /dev/null
@@ -1 +0,0 @@
-/bin/hostname		--	system_u:object_r:hostname_exec_t
diff --git a/strict/file_contexts/program/hotplug.fc b/strict/file_contexts/program/hotplug.fc
deleted file mode 100644
index 78f844b..0000000
--- a/strict/file_contexts/program/hotplug.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# hotplug
-/etc/hotplug(/.*)?		system_u:object_r:hotplug_etc_t
-/sbin/hotplug		--	system_u:object_r:hotplug_exec_t
-/sbin/netplugd		--	system_u:object_r:hotplug_exec_t
-/etc/hotplug\.d/.*	--	system_u:object_r:hotplug_exec_t
-/etc/hotplug\.d/default/default.* system_u:object_r:sbin_t
-/etc/netplug\.d(/.*)? 	 	system_u:object_r:sbin_t
-/etc/hotplug/.*agent	--	system_u:object_r:sbin_t
-/etc/hotplug/.*rc	-- 	system_u:object_r:sbin_t
-/etc/hotplug/hotplug\.functions --	system_u:object_r:sbin_t
-/var/run/usb(/.*)?		system_u:object_r:hotplug_var_run_t
-/var/run/hotplug(/.*)?		system_u:object_r:hotplug_var_run_t
-/etc/hotplug/firmware.agent	--	system_u:object_r:hotplug_exec_t
diff --git a/strict/file_contexts/program/howl.fc b/strict/file_contexts/program/howl.fc
deleted file mode 100644
index bbdb03f..0000000
--- a/strict/file_contexts/program/howl.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/bin/nifd	--	system_u:object_r:howl_exec_t
-/usr/bin/mDNSResponder	--	system_u:object_r:howl_exec_t
-/var/run/nifd\.pid --	system_u:object_r:howl_var_run_t
diff --git a/strict/file_contexts/program/hwclock.fc b/strict/file_contexts/program/hwclock.fc
deleted file mode 100644
index 2193e15..0000000
--- a/strict/file_contexts/program/hwclock.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# hwclock
-/sbin/hwclock		--	system_u:object_r:hwclock_exec_t
-/etc/adjtime		--	system_u:object_r:adjtime_t
diff --git a/strict/file_contexts/program/i18n_input.fc b/strict/file_contexts/program/i18n_input.fc
deleted file mode 100644
index 5403e2b..0000000
--- a/strict/file_contexts/program/i18n_input.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# i18n_input.fc
-/usr/sbin/htt                   --     system_u:object_r:i18n_input_exec_t
-/usr/sbin/htt_server            --     system_u:object_r:i18n_input_exec_t
-/usr/bin/iiimd\.bin	        --     system_u:object_r:i18n_input_exec_t
-/usr/bin/httx                   --     system_u:object_r:i18n_input_exec_t
-/usr/bin/htt_xbe                --     system_u:object_r:i18n_input_exec_t
-/usr/bin/iiimx                  --     system_u:object_r:i18n_input_exec_t
-/usr/lib/iiim/iiim-xbe          --     system_u:object_r:i18n_input_exec_t
-/usr/lib(64)?/im/.*\.so.*       --     system_u:object_r:shlib_t
-/usr/lib(64)?/iiim/.*\.so.*     --     system_u:object_r:shlib_t
-/var/run/iiim(/.*)?		       system_u:object_r:i18n_input_var_run_t
diff --git a/strict/file_contexts/program/iceauth.fc b/strict/file_contexts/program/iceauth.fc
deleted file mode 100644
index 31bf1f3..0000000
--- a/strict/file_contexts/program/iceauth.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# iceauth
-/usr/X11R6/bin/iceauth	--      system_u:object_r:iceauth_exec_t
-HOME_DIR/\.ICEauthority.* --      system_u:object_r:ROLE_iceauth_home_t
diff --git a/strict/file_contexts/program/ifconfig.fc b/strict/file_contexts/program/ifconfig.fc
deleted file mode 100644
index 547558e..0000000
--- a/strict/file_contexts/program/ifconfig.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# ifconfig
-/sbin/ifconfig		--	system_u:object_r:ifconfig_exec_t
-/sbin/iwconfig		--	system_u:object_r:ifconfig_exec_t
-/sbin/ip		--	system_u:object_r:ifconfig_exec_t
-/sbin/tc		--	system_u:object_r:ifconfig_exec_t
-/usr/sbin/tc		--	system_u:object_r:ifconfig_exec_t
-/bin/ip			--	system_u:object_r:ifconfig_exec_t
-/sbin/ethtool		--	system_u:object_r:ifconfig_exec_t
-/sbin/mii-tool		--	system_u:object_r:ifconfig_exec_t
-/sbin/ipx_interface	--	system_u:object_r:ifconfig_exec_t
-/sbin/ipx_configure	--	system_u:object_r:ifconfig_exec_t
-/sbin/ipx_internal_net	--	system_u:object_r:ifconfig_exec_t
diff --git a/strict/file_contexts/program/imazesrv.fc b/strict/file_contexts/program/imazesrv.fc
deleted file mode 100644
index dae194e..0000000
--- a/strict/file_contexts/program/imazesrv.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-#  imazesrv
-/usr/share/games/imaze(/.*)?	system_u:object_r:imazesrv_data_t
-/usr/games/imazesrv --	system_u:object_r:imazesrv_exec_t
-/var/log/imaze\.log --	system_u:object_r:imazesrv_log_t
diff --git a/strict/file_contexts/program/inetd.fc b/strict/file_contexts/program/inetd.fc
deleted file mode 100644
index 64b8c6c..0000000
--- a/strict/file_contexts/program/inetd.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# inetd
-/usr/sbin/inetd		--	system_u:object_r:inetd_exec_t
-/usr/sbin/xinetd	--	system_u:object_r:inetd_exec_t
-/usr/sbin/rlinetd	--	system_u:object_r:inetd_exec_t
-/usr/sbin/identd	--	system_u:object_r:inetd_child_exec_t
-/usr/sbin/in\..*d	--	system_u:object_r:inetd_child_exec_t
-/var/log/(x)?inetd\.log	--	system_u:object_r:inetd_log_t
-/var/run/inetd\.pid	--	system_u:object_r:inetd_var_run_t
diff --git a/strict/file_contexts/program/init.fc b/strict/file_contexts/program/init.fc
deleted file mode 100644
index 6342ad4..0000000
--- a/strict/file_contexts/program/init.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# init
-/dev/initctl		-p	system_u:object_r:initctl_t
-/sbin/init		--	system_u:object_r:init_exec_t
diff --git a/strict/file_contexts/program/initrc.fc b/strict/file_contexts/program/initrc.fc
deleted file mode 100644
index 45ea6cf..0000000
--- a/strict/file_contexts/program/initrc.fc
+++ /dev/null
@@ -1,48 +0,0 @@
-# init rc scripts
-ifdef(`targeted_policy', `
-/etc/X11/prefdm              --      system_u:object_r:bin_t
-', `
-/etc/X11/prefdm              --      system_u:object_r:initrc_exec_t
-')
-/etc/rc\.d/rc		--	system_u:object_r:initrc_exec_t
-/etc/rc\.d/rc\.sysinit	--	system_u:object_r:initrc_exec_t
-/etc/rc\.d/rc\.local	--	system_u:object_r:initrc_exec_t
-/etc/rc\.d/init\.d/.*	--	system_u:object_r:initrc_exec_t
-/etc/rc\.d/init\.d/functions -- system_u:object_r:etc_t
-/etc/init\.d/.*		--	system_u:object_r:initrc_exec_t
-/etc/init\.d/functions	--	system_u:object_r:etc_t
-/var/run/utmp		--	system_u:object_r:initrc_var_run_t
-/var/run/runlevel\.dir		system_u:object_r:initrc_var_run_t
-/var/run/random-seed	--	system_u:object_r:initrc_var_run_t
-/var/run/setmixer_flag	--	system_u:object_r:initrc_var_run_t
-ifdef(`distro_suse', `
-/var/run/sysconfig(/.*)?	system_u:object_r:initrc_var_run_t
-/var/run/keymap		--	system_u:object_r:initrc_var_run_t
-/var/run/numlock-on	--	system_u:object_r:initrc_var_run_t
-/var/run/setleds-on	--	system_u:object_r:initrc_var_run_t
-/var/run/bootsplashctl	-p	system_u:object_r:initrc_var_run_t
-/etc/init\.d/\.depend.*	--	system_u:object_r:etc_runtime_t
-')
-
-ifdef(`distro_gentoo', `
-/sbin/rc		--	system_u:object_r:initrc_exec_t
-/sbin/runscript		--      system_u:object_r:initrc_exec_t
-/sbin/runscript\.sh	--	system_u:object_r:initrc_exec_t
-/var/lib/init\.d(/.*)?		system_u:object_r:initrc_state_t
-')
-
-# run_init
-/usr/sbin/run_init	--	system_u:object_r:run_init_exec_t
-/usr/sbin/open_init_pty	--	system_u:object_r:initrc_exec_t
-/etc/nologin.*		--	system_u:object_r:etc_runtime_t
-/etc/nohotplug		--	system_u:object_r:etc_runtime_t
-ifdef(`distro_redhat', `
-/halt			--	system_u:object_r:etc_runtime_t
-/fastboot 		--	system_u:object_r:etc_runtime_t
-/fsckoptions 		--	system_u:object_r:etc_runtime_t
-/forcefsck 		--	system_u:object_r:etc_runtime_t
-/poweroff		--	system_u:object_r:etc_runtime_t
-/\.autofsck		--	system_u:object_r:etc_runtime_t
-/\.autorelabel		--	system_u:object_r:etc_runtime_t
-')
-
diff --git a/strict/file_contexts/program/innd.fc b/strict/file_contexts/program/innd.fc
deleted file mode 100644
index f0413f9..0000000
--- a/strict/file_contexts/program/innd.fc
+++ /dev/null
@@ -1,49 +0,0 @@
-# innd
-/usr/sbin/innd.*	--	system_u:object_r:innd_exec_t
-/usr/bin/rpost          --      system_u:object_r:innd_exec_t
-/usr/bin/suck           --      system_u:object_r:innd_exec_t
-/var/run/innd(/.*)?		system_u:object_r:innd_var_run_t
-/etc/news(/.*)?			system_u:object_r:innd_etc_t
-/etc/news/boot		--	system_u:object_r:innd_exec_t
-/var/spool/news(/.*)?		system_u:object_r:news_spool_t
-/var/log/news(/.*)?		system_u:object_r:innd_log_t
-/var/lib/news(/.*)?		system_u:object_r:innd_var_lib_t
-/var/run/news(/.*)?	 	system_u:object_r:innd_var_run_t
-/usr/sbin/in\.nnrpd	--	system_u:object_r:innd_exec_t
-/usr/bin/inews		--	system_u:object_r:innd_exec_t
-/usr/bin/rnews		--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin(/.*)?		system_u:object_r:bin_t
-/usr/lib(64)?/news/bin/innd 	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/actsync	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/archive	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/batcher	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/buffchan	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/convdate	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/ctlinnd	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/cvtbatch	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/expire	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/expireover	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/fastrm	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/filechan	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/getlist	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/grephistory	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/inews	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/innconfval	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/inndf	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/inndstart	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/innfeed	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/innxbatch	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/innxmit	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/makedbz	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/makehistory	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/newsrequeue	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/nnrpd	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/nntpget	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/ovdb_recover	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/overchan	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/prunehistory	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/rnews	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/shlock	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/shrinkfile	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/sm	--	system_u:object_r:innd_exec_t
-/usr/lib(64)?/news/bin/startinnfeed	--	system_u:object_r:innd_exec_t
diff --git a/strict/file_contexts/program/ipsec.fc b/strict/file_contexts/program/ipsec.fc
deleted file mode 100644
index e915b75..0000000
--- a/strict/file_contexts/program/ipsec.fc
+++ /dev/null
@@ -1,32 +0,0 @@
-# IPSEC utilities and daemon.
-
-/etc/ipsec\.secrets	--	system_u:object_r:ipsec_key_file_t
-/etc/ipsec\.conf	--	system_u:object_r:ipsec_conf_file_t
-/etc/ipsec\.d(/.*)?		system_u:object_r:ipsec_key_file_t
-/etc/ipsec\.d/examples(/.*)?		system_u:object_r:etc_t
-/usr/lib(64)?/ipsec/.*	--	system_u:object_r:sbin_t
-/usr/lib(64)?/ipsec/_plutoload -- 	system_u:object_r:ipsec_mgmt_exec_t
-/usr/lib(64)?/ipsec/_plutorun  --	system_u:object_r:ipsec_mgmt_exec_t
-/usr/local/lib(64)?/ipsec/.*	--	system_u:object_r:sbin_t
-/usr/libexec/ipsec/eroute	--	system_u:object_r:ipsec_exec_t
-/usr/lib(64)?/ipsec/eroute	--	system_u:object_r:ipsec_exec_t
-/usr/local/lib(64)?/ipsec/eroute --	system_u:object_r:ipsec_exec_t
-/usr/libexec/ipsec/klipsdebug	--	system_u:object_r:ipsec_exec_t
-/usr/lib(64)?/ipsec/klipsdebug --	system_u:object_r:ipsec_exec_t
-/usr/local/lib(64)?/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t
-/usr/libexec/ipsec/pluto	--	system_u:object_r:ipsec_exec_t
-/usr/lib(64)?/ipsec/pluto	--	system_u:object_r:ipsec_exec_t
-/usr/local/lib(64)?/ipsec/pluto --	system_u:object_r:ipsec_exec_t
-/usr/libexec/ipsec/spi	--	system_u:object_r:ipsec_exec_t
-/usr/lib(64)?/ipsec/spi	--	system_u:object_r:ipsec_exec_t
-/usr/local/lib(64)?/ipsec/spi --	system_u:object_r:ipsec_exec_t
-/var/run/pluto(/.*)?		system_u:object_r:ipsec_var_run_t
-/var/racoon(/.*)?		system_u:object_r:ipsec_var_run_t
-
-# Kame
-/usr/sbin/racoon	--	system_u:object_r:ipsec_exec_t
-/usr/sbin/setkey	--	system_u:object_r:ipsec_exec_t
-/sbin/setkey		--	system_u:object_r:ipsec_exec_t
-/etc/racoon(/.*)?		system_u:object_r:ipsec_conf_file_t
-/etc/racoon/certs(/.*)?	system_u:object_r:ipsec_key_file_t
-/etc/racoon/psk\.txt	--	system_u:object_r:ipsec_key_file_t
diff --git a/strict/file_contexts/program/iptables.fc b/strict/file_contexts/program/iptables.fc
deleted file mode 100644
index 3dcde2e..0000000
--- a/strict/file_contexts/program/iptables.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# iptables
-/sbin/ipchains.*	--	system_u:object_r:iptables_exec_t
-/sbin/iptables.* 	--	system_u:object_r:iptables_exec_t
-/sbin/ip6tables.*	--	system_u:object_r:iptables_exec_t
-/usr/sbin/ipchains.*	--	system_u:object_r:iptables_exec_t
-/usr/sbin/iptables.* 	--	system_u:object_r:iptables_exec_t
-/usr/sbin/ip6tables.*	--	system_u:object_r:iptables_exec_t
-
diff --git a/strict/file_contexts/program/irc.fc b/strict/file_contexts/program/irc.fc
deleted file mode 100644
index 9f52efb..0000000
--- a/strict/file_contexts/program/irc.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# irc clients
-/usr/bin/[st]irc	--	system_u:object_r:irc_exec_t
-/usr/bin/ircII		--	system_u:object_r:irc_exec_t
-/usr/bin/tinyirc	--	system_u:object_r:irc_exec_t
-HOME_DIR/\.ircmotd	--	system_u:object_r:ROLE_irc_home_t
diff --git a/strict/file_contexts/program/ircd.fc b/strict/file_contexts/program/ircd.fc
deleted file mode 100644
index 2ef668c..0000000
--- a/strict/file_contexts/program/ircd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# ircd - irc server
-/usr/sbin/(dancer-)?ircd --	system_u:object_r:ircd_exec_t
-/etc/(dancer-)?ircd(/.*)?	system_u:object_r:ircd_etc_t
-/var/log/(dancer-)?ircd(/.*)?	system_u:object_r:ircd_log_t
-/var/lib/dancer-ircd(/.*)?	system_u:object_r:ircd_var_lib_t
-/var/run/dancer-ircd(/.*)?	system_u:object_r:ircd_var_run_t
diff --git a/strict/file_contexts/program/irqbalance.fc b/strict/file_contexts/program/irqbalance.fc
deleted file mode 100644
index c849491..0000000
--- a/strict/file_contexts/program/irqbalance.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# irqbalance
-/usr/sbin/irqbalance	-- system_u:object_r:irqbalance_exec_t
diff --git a/strict/file_contexts/program/jabberd.fc b/strict/file_contexts/program/jabberd.fc
deleted file mode 100644
index c614cb8..0000000
--- a/strict/file_contexts/program/jabberd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# jabberd
-/usr/sbin/jabberd	--	system_u:object_r:jabberd_exec_t
-/var/lib/jabber(/.*)?		system_u:object_r:jabberd_var_lib_t
-/var/log/jabber(/.*)?		system_u:object_r:jabberd_log_t
diff --git a/strict/file_contexts/program/java.fc b/strict/file_contexts/program/java.fc
deleted file mode 100644
index 8edf85b..0000000
--- a/strict/file_contexts/program/java.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-#  java
-/usr(/.*)?/bin/java.* --	system_u:object_r:java_exec_t
diff --git a/strict/file_contexts/program/kerberos.fc b/strict/file_contexts/program/kerberos.fc
deleted file mode 100644
index 050ecb3..0000000
--- a/strict/file_contexts/program/kerberos.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-# MIT Kerberos krbkdc, kadmind
-/etc/krb5\.keytab       		system_u:object_r:krb5_keytab_t
-/usr(/local)?(/kerberos)?/sbin/krb5kdc --	system_u:object_r:krb5kdc_exec_t
-/usr(/local)?(/kerberos)?/sbin/kadmind --	system_u:object_r:kadmind_exec_t
-/var/kerberos/krb5kdc(/.*)?		system_u:object_r:krb5kdc_conf_t
-/usr/local/var/krb5kdc(/.*)?		system_u:object_r:krb5kdc_conf_t
-/var/kerberos/krb5kdc/principal.*	system_u:object_r:krb5kdc_principal_t
-/usr/local/var/krb5kdc/principal.*	system_u:object_r:krb5kdc_principal_t
-/var/log/krb5kdc\.log			system_u:object_r:krb5kdc_log_t
-/var/log/kadmind\.log			system_u:object_r:kadmind_log_t
-/usr(/local)?/bin/ksu		--	system_u:object_r:su_exec_t
-
-# gentoo file locations
-/usr/sbin/krb5kdc			--	system_u:object_r:krb5kdc_exec_t
-/usr/sbin/kadmind			--	system_u:object_r:kadmind_exec_t
-/etc/krb5kdc(/.*)?				system_u:object_r:krb5kdc_conf_t
-/etc/krb5kdc/principal.*		system_u:object_r:krb5kdc_principal_t
-/etc/krb5kdc/kadm5.keytab 	--	system_u:object_r:krb5_keytab_t
-/var/log/kadmin.log			--	system_u:object_r:kadmind_log_t
-
diff --git a/strict/file_contexts/program/klogd.fc b/strict/file_contexts/program/klogd.fc
deleted file mode 100644
index c06679d..0000000
--- a/strict/file_contexts/program/klogd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# klogd
-/sbin/klogd		--	system_u:object_r:klogd_exec_t
-/usr/sbin/klogd		--	system_u:object_r:klogd_exec_t
-/var/run/klogd\.pid	--	system_u:object_r:klogd_var_run_t
diff --git a/strict/file_contexts/program/ktalkd.fc b/strict/file_contexts/program/ktalkd.fc
deleted file mode 100644
index 525c7a2..0000000
--- a/strict/file_contexts/program/ktalkd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# kde talk daemon 
-/usr/bin/ktalkd	--	system_u:object_r:ktalkd_exec_t
diff --git a/strict/file_contexts/program/kudzu.fc b/strict/file_contexts/program/kudzu.fc
deleted file mode 100644
index c75870a..0000000
--- a/strict/file_contexts/program/kudzu.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# kudzu
-/usr/sbin/kudzu	--	system_u:object_r:kudzu_exec_t
-/sbin/kmodule	--	system_u:object_r:kudzu_exec_t
-/var/run/Xconfig --	root:object_r:kudzu_var_run_t
diff --git a/strict/file_contexts/program/lcd.fc b/strict/file_contexts/program/lcd.fc
deleted file mode 100644
index 4294d44..0000000
--- a/strict/file_contexts/program/lcd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# lcd
-/usr/sbin/lcd.*		--	system_u:object_r:lcd_exec_t
diff --git a/strict/file_contexts/program/ldconfig.fc b/strict/file_contexts/program/ldconfig.fc
deleted file mode 100644
index 040a60a..0000000
--- a/strict/file_contexts/program/ldconfig.fc
+++ /dev/null
@@ -1 +0,0 @@
-/sbin/ldconfig		--	system_u:object_r:ldconfig_exec_t
diff --git a/strict/file_contexts/program/load_policy.fc b/strict/file_contexts/program/load_policy.fc
deleted file mode 100644
index 5a8981c..0000000
--- a/strict/file_contexts/program/load_policy.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# load_policy
-/usr/sbin/load_policy		--	system_u:object_r:load_policy_exec_t
-/sbin/load_policy		--	system_u:object_r:load_policy_exec_t
diff --git a/strict/file_contexts/program/loadkeys.fc b/strict/file_contexts/program/loadkeys.fc
deleted file mode 100644
index f440f3c..0000000
--- a/strict/file_contexts/program/loadkeys.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# loadkeys
-/bin/unikeys		--	system_u:object_r:loadkeys_exec_t
-/bin/loadkeys		--	system_u:object_r:loadkeys_exec_t
diff --git a/strict/file_contexts/program/lockdev.fc b/strict/file_contexts/program/lockdev.fc
deleted file mode 100644
index 9185bec..0000000
--- a/strict/file_contexts/program/lockdev.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# lockdev 
-/usr/sbin/lockdev	--	system_u:object_r:lockdev_exec_t
diff --git a/strict/file_contexts/program/login.fc b/strict/file_contexts/program/login.fc
deleted file mode 100644
index 2f0ea0c..0000000
--- a/strict/file_contexts/program/login.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# login
-/bin/login		--	system_u:object_r:login_exec_t
-/usr/kerberos/sbin/login\.krb5	--	system_u:object_r:login_exec_t
diff --git a/strict/file_contexts/program/logrotate.fc b/strict/file_contexts/program/logrotate.fc
deleted file mode 100644
index a7c9ea3..0000000
--- a/strict/file_contexts/program/logrotate.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# logrotate
-/usr/sbin/logrotate	--	system_u:object_r:logrotate_exec_t
-/usr/sbin/logcheck	--	system_u:object_r:logrotate_exec_t
-ifdef(`distro_debian', `
-/usr/bin/savelog	--	system_u:object_r:logrotate_exec_t
-/var/lib/logrotate(/.*)?	system_u:object_r:logrotate_var_lib_t
-', `
-/var/lib/logrotate\.status --	system_u:object_r:logrotate_var_lib_t
-')
-/etc/cron\.(daily|weekly)/sysklogd -- system_u:object_r:logrotate_exec_t
-/var/lib/logcheck(/.*)?		system_u:object_r:logrotate_var_lib_t
-# using a hard-coded name under /var/tmp is a bug - new version fixes it
-/var/tmp/logcheck	-d	system_u:object_r:logrotate_tmp_t
diff --git a/strict/file_contexts/program/lpd.fc b/strict/file_contexts/program/lpd.fc
deleted file mode 100644
index eb9f8d9..0000000
--- a/strict/file_contexts/program/lpd.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# lpd
-/dev/printer		-s	system_u:object_r:printer_t
-/usr/sbin/lpd		--	system_u:object_r:lpd_exec_t
-/usr/sbin/checkpc	--	system_u:object_r:checkpc_exec_t
-/var/spool/lpd(/.*)?		system_u:object_r:print_spool_t
-/usr/share/printconf/.* --	system_u:object_r:printconf_t
-/usr/share/printconf/util/print\.py -- system_u:object_r:bin_t
-/var/run/lprng(/.*)?		system_u:object_r:lpd_var_run_t
diff --git a/strict/file_contexts/program/lpr.fc b/strict/file_contexts/program/lpr.fc
deleted file mode 100644
index 618ddcc..0000000
--- a/strict/file_contexts/program/lpr.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# lp utilities.
-/usr/bin/lpr(\.cups)?	--	system_u:object_r:lpr_exec_t
-/usr/bin/lpq(\.cups)?	--	system_u:object_r:lpr_exec_t
-/usr/bin/lprm(\.cups)?	--	system_u:object_r:lpr_exec_t
diff --git a/strict/file_contexts/program/lrrd.fc b/strict/file_contexts/program/lrrd.fc
deleted file mode 100644
index 08494fc..0000000
--- a/strict/file_contexts/program/lrrd.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# lrrd
-/usr/bin/lrrd-.*		--	system_u:object_r:lrrd_exec_t
-/usr/sbin/lrrd-.*		--	system_u:object_r:lrrd_exec_t
-/usr/share/lrrd/lrrd-.*		--	system_u:object_r:lrrd_exec_t
-/usr/share/lrrd/plugins/.*	--	system_u:object_r:lrrd_exec_t
-/var/run/lrrd(/.*)?			system_u:object_r:lrrd_var_run_t
-/var/log/lrrd.*			--	system_u:object_r:lrrd_log_t
-/var/lib/lrrd(/.*)?			system_u:object_r:lrrd_var_lib_t
-/var/www/lrrd(/.*)?			system_u:object_r:lrrd_var_lib_t
-/etc/lrrd(/.*)?				system_u:object_r:lrrd_etc_t
diff --git a/strict/file_contexts/program/lvm.fc b/strict/file_contexts/program/lvm.fc
deleted file mode 100644
index 648beb0..0000000
--- a/strict/file_contexts/program/lvm.fc
+++ /dev/null
@@ -1,69 +0,0 @@
-# lvm
-/sbin/lvmiopversion	--	system_u:object_r:lvm_exec_t
-/etc/lvm(/.*)?			system_u:object_r:lvm_etc_t
-/etc/lvm/\.cache	--	system_u:object_r:lvm_metadata_t
-/etc/lvm/archive(/.*)?		system_u:object_r:lvm_metadata_t
-/etc/lvm/backup(/.*)?		system_u:object_r:lvm_metadata_t
-/etc/lvmtab(/.*)?		system_u:object_r:lvm_metadata_t
-/etc/lvmtab\.d(/.*)?		system_u:object_r:lvm_metadata_t
-# LVM creates lock files in /var before /var is mounted
-# configure LVM to put lockfiles in /etc/lvm/lock instead
-# for this policy to work (unless you have no separate /var)
-/etc/lvm/lock(/.*)?		system_u:object_r:lvm_lock_t
-/var/lock/lvm(/.*)?		system_u:object_r:lvm_lock_t
-/dev/lvm		-c	system_u:object_r:fixed_disk_device_t
-/dev/mapper/control	-c	system_u:object_r:lvm_control_t
-/lib/lvm-10/.*		--	system_u:object_r:lvm_exec_t
-/lib/lvm-200/.*		--	system_u:object_r:lvm_exec_t
-/sbin/e2fsadm		--	system_u:object_r:lvm_exec_t
-/sbin/lvchange		--	system_u:object_r:lvm_exec_t
-/sbin/lvcreate		--	system_u:object_r:lvm_exec_t
-/sbin/lvdisplay		--	system_u:object_r:lvm_exec_t
-/sbin/lvextend		--	system_u:object_r:lvm_exec_t
-/sbin/lvmchange		--	system_u:object_r:lvm_exec_t
-/sbin/lvmdiskscan	--	system_u:object_r:lvm_exec_t
-/sbin/lvmsadc		--	system_u:object_r:lvm_exec_t
-/sbin/lvmsar		--	system_u:object_r:lvm_exec_t
-/sbin/lvreduce		--	system_u:object_r:lvm_exec_t
-/sbin/lvremove		--	system_u:object_r:lvm_exec_t
-/sbin/lvrename		--	system_u:object_r:lvm_exec_t
-/sbin/lvscan		--	system_u:object_r:lvm_exec_t
-/sbin/pvchange		--	system_u:object_r:lvm_exec_t
-/sbin/pvcreate		--	system_u:object_r:lvm_exec_t
-/sbin/pvdata		--	system_u:object_r:lvm_exec_t
-/sbin/pvdisplay		--	system_u:object_r:lvm_exec_t
-/sbin/pvmove		--	system_u:object_r:lvm_exec_t
-/sbin/pvscan		--	system_u:object_r:lvm_exec_t
-/sbin/vgcfgbackup	--	system_u:object_r:lvm_exec_t
-/sbin/vgcfgrestore	--	system_u:object_r:lvm_exec_t
-/sbin/vgchange		--	system_u:object_r:lvm_exec_t
-/sbin/vgchange\.static	--	system_u:object_r:lvm_exec_t
-/sbin/vgck		--	system_u:object_r:lvm_exec_t
-/sbin/vgcreate		--	system_u:object_r:lvm_exec_t
-/sbin/vgdisplay		--	system_u:object_r:lvm_exec_t
-/sbin/vgexport		--	system_u:object_r:lvm_exec_t
-/sbin/vgextend		--	system_u:object_r:lvm_exec_t
-/sbin/vgimport		--	system_u:object_r:lvm_exec_t
-/sbin/vgmerge		--	system_u:object_r:lvm_exec_t
-/sbin/vgmknodes		--	system_u:object_r:lvm_exec_t
-/sbin/vgreduce		--	system_u:object_r:lvm_exec_t
-/sbin/vgremove		--	system_u:object_r:lvm_exec_t
-/sbin/vgrename		--	system_u:object_r:lvm_exec_t
-/sbin/vgscan		--	system_u:object_r:lvm_exec_t
-/sbin/vgscan\.static	--	system_u:object_r:lvm_exec_t
-/sbin/vgsplit		--	system_u:object_r:lvm_exec_t
-/sbin/vgwrapper		--	system_u:object_r:lvm_exec_t
-/sbin/cryptsetup	--	system_u:object_r:lvm_exec_t
-/sbin/dmsetup      --      system_u:object_r:lvm_exec_t
-/sbin/dmsetup\.static --    system_u:object_r:lvm_exec_t
-/sbin/lvm          --      system_u:object_r:lvm_exec_t
-/sbin/lvm\.static   --      system_u:object_r:lvm_exec_t
-/usr/sbin/lvm		--	system_u:object_r:lvm_exec_t
-/sbin/lvresize     --      system_u:object_r:lvm_exec_t
-/sbin/lvs          --      system_u:object_r:lvm_exec_t
-/sbin/pvremove     --      system_u:object_r:lvm_exec_t
-/sbin/pvs          --      system_u:object_r:lvm_exec_t
-/sbin/vgs          --      system_u:object_r:lvm_exec_t
-/sbin/multipathd   --      system_u:object_r:lvm_exec_t
-/var/cache/multipathd(/.*)? system_u:object_r:lvm_metadata_t
-/usr/sbin/clvmd   --      system_u:object_r:clvmd_exec_t
diff --git a/strict/file_contexts/program/mailman.fc b/strict/file_contexts/program/mailman.fc
deleted file mode 100644
index 68fa8dd..0000000
--- a/strict/file_contexts/program/mailman.fc
+++ /dev/null
@@ -1,24 +0,0 @@
-# mailman list server
-/var/lib/mailman(/.*)?		   system_u:object_r:mailman_data_t
-/var/log/mailman(/.*)?		   system_u:object_r:mailman_log_t
-/usr/lib/mailman/cron/.*	-- system_u:object_r:mailman_queue_exec_t
-/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t
-/var/run/mailman(/.*)?		   system_u:object_r:mailman_lock_t
-/var/lib/mailman/archives(/.*)?	system_u:object_r:mailman_archive_t
-
-ifdef(`distro_debian', `
-/usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t
-/usr/lib/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t
-/usr/mailman/mail/wrapper 	-- system_u:object_r:mailman_mail_exec_t
-/etc/cron\.daily/mailman 	-- system_u:object_r:mailman_queue_exec_t
-/etc/cron\.monthly/mailman 	-- system_u:object_r:mailman_queue_exec_t
-')
-
-ifdef(`distro_redhat', `
-/usr/lib/mailman/cgi-bin/.*	 -- system_u:object_r:mailman_cgi_exec_t
-/var/lock/mailman(/.*)?		    system_u:object_r:mailman_lock_t
-/usr/lib/mailman/scripts/mailman -- system_u:object_r:mailman_mail_exec_t
-/usr/lib/mailman/bin/qrunner  	 -- system_u:object_r:mailman_queue_exec_t
-/etc/mailman(/.*)?		   system_u:object_r:mailman_data_t
-/var/spool/mailman(/.*)?	   system_u:object_r:mailman_data_t
-')
diff --git a/strict/file_contexts/program/mdadm.fc b/strict/file_contexts/program/mdadm.fc
deleted file mode 100644
index 6f295ca..0000000
--- a/strict/file_contexts/program/mdadm.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# mdadm - manage MD devices aka Linux Software Raid.
-/sbin/mdmpd		--	system_u:object_r:mdadm_exec_t
-/sbin/mdadm		--	system_u:object_r:mdadm_exec_t
-/var/run/mdadm(/.*)?            system_u:object_r:mdadm_var_run_t
diff --git a/strict/file_contexts/program/modutil.fc b/strict/file_contexts/program/modutil.fc
deleted file mode 100644
index 8fd81e1..0000000
--- a/strict/file_contexts/program/modutil.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-# module utilities
-/etc/modules\.conf.*	--	system_u:object_r:modules_conf_t
-/etc/modprobe\.conf.*	--	system_u:object_r:modules_conf_t
-/lib(64)?/modules/modprobe\.conf --	system_u:object_r:modules_conf_t
-/lib(64)?/modules(/.*)?		system_u:object_r:modules_object_t
-/lib(64)?/modules/[^/]+/modules\..+ -- system_u:object_r:modules_dep_t
-/lib(64)?/modules/modprobe\.conf.* -- system_u:object_r:modules_conf_t
-/sbin/depmod.*		--	system_u:object_r:depmod_exec_t
-/sbin/modprobe.*	--	system_u:object_r:insmod_exec_t
-/sbin/insmod.*		--	system_u:object_r:insmod_exec_t
-/sbin/insmod_ksymoops_clean --	system_u:object_r:sbin_t
-/sbin/rmmod.*		--	system_u:object_r:insmod_exec_t
-/sbin/update-modules	--	system_u:object_r:update_modules_exec_t
-/sbin/generate-modprobe\.conf -- system_u:object_r:update_modules_exec_t
diff --git a/strict/file_contexts/program/monopd.fc b/strict/file_contexts/program/monopd.fc
deleted file mode 100644
index 457493e..0000000
--- a/strict/file_contexts/program/monopd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# monopd
-/etc/monopd\.conf	--	system_u:object_r:monopd_etc_t
-/usr/sbin/monopd	--	system_u:object_r:monopd_exec_t
-/usr/share/monopd/games(/.*)?	system_u:object_r:monopd_share_t
diff --git a/strict/file_contexts/program/mount.fc b/strict/file_contexts/program/mount.fc
deleted file mode 100644
index 7b1ca14..0000000
--- a/strict/file_contexts/program/mount.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# mount
-/bin/mount.*			--	system_u:object_r:mount_exec_t
-/bin/umount.*			--	system_u:object_r:mount_exec_t
diff --git a/strict/file_contexts/program/mozilla.fc b/strict/file_contexts/program/mozilla.fc
deleted file mode 100644
index 2b533a6..0000000
--- a/strict/file_contexts/program/mozilla.fc
+++ /dev/null
@@ -1,21 +0,0 @@
-#  netscape/mozilla
-HOME_DIR/\.galeon(/.*)?	system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.netscape(/.*)?	system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.mozilla(/.*)?	system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.phoenix(/.*)?	system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.java(/.*)?		system_u:object_r:ROLE_mozilla_home_t
-/usr/bin/netscape	--	system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla	--	system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla-snapshot --	system_u:object_r:mozilla_exec_t
-/usr/bin/epiphany-bin   --	system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla-[0-9].* --	system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla-bin-[0-9].* --	system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/galeon/galeon -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/netscape/base-4/wrapper -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/mozilla[^/]*/reg.+	--	system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/mozilla[^/]*/mozilla-.* --	system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/firefox[^/]*/mozilla-.* --	system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin --	system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/[^/]*firefox[^/]*/firefox --	system_u:object_r:bin_t
-/etc/mozpluggerrc system_u:object_r:mozilla_conf_t
diff --git a/strict/file_contexts/program/mplayer.fc b/strict/file_contexts/program/mplayer.fc
deleted file mode 100644
index 10465aa..0000000
--- a/strict/file_contexts/program/mplayer.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# mplayer
-/usr/bin/mplayer	--	   	system_u:object_r:mplayer_exec_t
-/usr/bin/mencoder	--	   	system_u:object_r:mencoder_exec_t
-
-/etc/mplayer(/.*)?		system_u:object_r:mplayer_etc_t
-HOME_DIR/\.mplayer(/.*)?        system_u:object_r:ROLE_mplayer_home_t
diff --git a/strict/file_contexts/program/mrtg.fc b/strict/file_contexts/program/mrtg.fc
deleted file mode 100644
index adfecff..0000000
--- a/strict/file_contexts/program/mrtg.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# mrtg - traffic grapher
-/usr/bin/mrtg		--	system_u:object_r:mrtg_exec_t
-/var/lib/mrtg(/.*)?		system_u:object_r:mrtg_var_lib_t
-/var/lock/mrtg(/.*)?		system_u:object_r:mrtg_lock_t
-/etc/mrtg.*			system_u:object_r:mrtg_etc_t
-/etc/mrtg/mrtg\.ok	--	system_u:object_r:mrtg_lock_t
-/var/log/mrtg(/.*)?		system_u:object_r:mrtg_log_t
diff --git a/strict/file_contexts/program/mta.fc b/strict/file_contexts/program/mta.fc
deleted file mode 100644
index 88aa3f6..0000000
--- a/strict/file_contexts/program/mta.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# types for general mail servers
-/usr/sbin/sendmail(.sendmail)?	-- system_u:object_r:sendmail_exec_t
-/usr/lib(64)?/sendmail		-- system_u:object_r:sendmail_exec_t
-/etc/aliases		--	system_u:object_r:etc_aliases_t
-/etc/aliases\.db	--	system_u:object_r:etc_aliases_t
-/var/spool/mail(/.*)?		system_u:object_r:mail_spool_t
-/var/mail(/.*)?			system_u:object_r:mail_spool_t
-ifdef(`postfix.te', `', `
-/usr/sbin/sendmail.postfix --	system_u:object_r:sendmail_exec_t
-/var/spool/postfix(/.*)?		system_u:object_r:mail_spool_t
-')
-
diff --git a/strict/file_contexts/program/mysqld.fc b/strict/file_contexts/program/mysqld.fc
deleted file mode 100644
index 0ad8746..0000000
--- a/strict/file_contexts/program/mysqld.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# mysql database server
-/usr/sbin/mysqld(-max)?	--	system_u:object_r:mysqld_exec_t
-/usr/libexec/mysqld	--	system_u:object_r:mysqld_exec_t
-/var/run/mysqld(/.*)?		system_u:object_r:mysqld_var_run_t
-/var/log/mysql.*	--	system_u:object_r:mysqld_log_t
-/var/lib/mysql(/.*)?		system_u:object_r:mysqld_db_t
-/var/lib/mysql/mysql\.sock -s	system_u:object_r:mysqld_var_run_t
-/etc/my\.cnf		--	system_u:object_r:mysqld_etc_t
-/etc/mysql(/.*)?		system_u:object_r:mysqld_etc_t
-ifdef(`distro_debian', `
-/etc/mysql/debian-start	--	system_u:object_r:bin_t
-')
diff --git a/strict/file_contexts/program/nagios.fc b/strict/file_contexts/program/nagios.fc
deleted file mode 100644
index 6a8a22d..0000000
--- a/strict/file_contexts/program/nagios.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-# nagios - network monitoring server
-/var/log/netsaint(/.*)?			system_u:object_r:nagios_log_t
-/usr/lib(64)?/netsaint/plugins(/.*)?		system_u:object_r:bin_t
-/usr/lib(64)?/cgi-bin/netsaint/.+	--	system_u:object_r:nagios_cgi_exec_t
-# nagios
-ifdef(`distro_debian', `
-/usr/sbin/nagios		--	system_u:object_r:nagios_exec_t
-/usr/lib/cgi-bin/nagios/.+	--	system_u:object_r:nagios_cgi_exec_t
-', `
-/usr/bin/nagios			--	system_u:object_r:nagios_exec_t
-/usr/lib(64)?/nagios/cgi/.+	--	system_u:object_r:nagios_cgi_exec_t
-')
-/etc/nagios(/.*)?			system_u:object_r:nagios_etc_t
-/var/log/nagios(/.*)?			system_u:object_r:nagios_log_t
-/usr/lib(64)?/nagios/plugins(/.*)?	system_u:object_r:bin_t
diff --git a/strict/file_contexts/program/named.fc b/strict/file_contexts/program/named.fc
deleted file mode 100644
index edcbe3e..0000000
--- a/strict/file_contexts/program/named.fc
+++ /dev/null
@@ -1,49 +0,0 @@
-# named
-ifdef(`distro_redhat', `
-/var/named(/.*)?		system_u:object_r:named_zone_t
-/var/named/slaves(/.*)?		system_u:object_r:named_cache_t
-/var/named/data(/.*)?		system_u:object_r:named_cache_t
-/etc/named\.conf	--	system_u:object_r:named_conf_t
-') dnl end distro_redhat
-
-ifdef(`distro_debian', `
-/etc/bind(/.*)?			system_u:object_r:named_zone_t
-/etc/bind/named\.conf	--	system_u:object_r:named_conf_t
-/etc/bind/rndc\.key	--	system_u:object_r:dnssec_t
-/var/cache/bind(/.*)?		system_u:object_r:named_cache_t
-') dnl distro_debian
-
-/etc/rndc.*		--	system_u:object_r:named_conf_t
-/etc/rndc\.key		-- 	system_u:object_r:dnssec_t
-/usr/sbin/named      	--	system_u:object_r:named_exec_t
-/usr/sbin/named-checkconf --	system_u:object_r:named_checkconf_exec_t
-/usr/sbin/r?ndc		--	system_u:object_r:ndc_exec_t
-/var/run/ndc		-s	system_u:object_r:named_var_run_t
-/var/run/bind(/.*)?		system_u:object_r:named_var_run_t
-/var/run/named(/.*)?		system_u:object_r:named_var_run_t
-/usr/sbin/lwresd	--	system_u:object_r:named_exec_t
-/var/log/named.* 	--  system_u:object_r:named_log_t
-
-ifdef(`distro_redhat', `
-/var/named/named\.ca	--	system_u:object_r:named_conf_t
-/var/named/chroot(/.*)?		system_u:object_r:named_conf_t
-/var/named/chroot/dev/null   -c	system_u:object_r:null_device_t
-/var/named/chroot/dev/random -c	system_u:object_r:random_device_t
-/var/named/chroot/dev/zero -c	system_u:object_r:zero_device_t
-/var/named/chroot/etc(/.*)? 	system_u:object_r:named_conf_t
-/var/named/chroot/etc/rndc.key  -- system_u:object_r:dnssec_t
-/var/named/chroot/var/run/named.* system_u:object_r:named_var_run_t
-/var/named/chroot/var/tmp(/.*)? system_u:object_r:named_cache_t
-/var/named/chroot/var/named(/.*)?	system_u:object_r:named_zone_t
-/var/named/chroot/var/named/slaves(/.*)? system_u:object_r:named_cache_t
-/var/named/chroot/var/named/data(/.*)? system_u:object_r:named_cache_t
-/var/named/chroot/var/named/named\.ca	--	system_u:object_r:named_conf_t
-') dnl distro_redhat
-
-ifdef(`distro_gentoo', `
-/etc/bind(/.*)?         system_u:object_r:named_zone_t
-/etc/bind/named\.conf   --  system_u:object_r:named_conf_t
-/etc/bind/rndc\.key    --  system_u:object_r:dnssec_t
-/var/bind(/.*)?             system_u:object_r:named_cache_t
-/var/bind/pri(/.*)?         system_u:object_r:named_zone_t
-') dnl distro_gentoo
diff --git a/strict/file_contexts/program/nessusd.fc b/strict/file_contexts/program/nessusd.fc
deleted file mode 100644
index adec00b..0000000
--- a/strict/file_contexts/program/nessusd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# nessusd - network scanning server
-/usr/sbin/nessusd	--	system_u:object_r:nessusd_exec_t
-/usr/lib(64)?/nessus/plugins/.* --	system_u:object_r:nessusd_exec_t
-/var/lib/nessus(/.*)?	 	system_u:object_r:nessusd_db_t
-/var/log/nessus(/.*)?		system_u:object_r:nessusd_log_t
-/etc/nessus/nessusd\.conf --	system_u:object_r:nessusd_etc_t
diff --git a/strict/file_contexts/program/netutils.fc b/strict/file_contexts/program/netutils.fc
deleted file mode 100644
index 7aa0694..0000000
--- a/strict/file_contexts/program/netutils.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# network utilities
-/sbin/arping		--	system_u:object_r:netutils_exec_t
-/usr/sbin/tcpdump	--	system_u:object_r:netutils_exec_t
-/etc/network/ifstate	--	system_u:object_r:etc_runtime_t
diff --git a/strict/file_contexts/program/newrole.fc b/strict/file_contexts/program/newrole.fc
deleted file mode 100644
index 5535bde..0000000
--- a/strict/file_contexts/program/newrole.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# newrole
-/usr/bin/newrole	--		system_u:object_r:newrole_exec_t
diff --git a/strict/file_contexts/program/nrpe.fc b/strict/file_contexts/program/nrpe.fc
deleted file mode 100644
index 6523cc3..0000000
--- a/strict/file_contexts/program/nrpe.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# nrpe
-/usr/bin/nrpe		--	system_u:object_r:nrpe_exec_t
-/etc/nagios/nrpe\.cfg	--	system_u:object_r:nrpe_etc_t
-ifdef(`nagios.te', `', `
-/usr/lib(64)?/netsaint/plugins(/.*)?	system_u:object_r:bin_t
-/usr/lib(64)?/nagios/plugins(/.*)?	system_u:object_r:bin_t
-')
diff --git a/strict/file_contexts/program/nscd.fc b/strict/file_contexts/program/nscd.fc
deleted file mode 100644
index 5c39b46..0000000
--- a/strict/file_contexts/program/nscd.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# nscd
-/usr/sbin/nscd		--	system_u:object_r:nscd_exec_t
-/var/run/\.nscd_socket	-s	system_u:object_r:nscd_var_run_t
-/var/run/nscd\.pid	--	system_u:object_r:nscd_var_run_t
-/var/db/nscd(/.*)?		system_u:object_r:nscd_var_run_t
-/var/run/nscd(/.*)?		system_u:object_r:nscd_var_run_t
-/var/log/nscd\.log.*	--	system_u:object_r:nscd_log_t
diff --git a/strict/file_contexts/program/nsd.fc b/strict/file_contexts/program/nsd.fc
deleted file mode 100644
index 43b49fe..0000000
--- a/strict/file_contexts/program/nsd.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# nsd
-/etc/nsd(/.*)?       		system_u:object_r:nsd_conf_t
-/etc/nsd/primary(/.*)?		system_u:object_r:nsd_zone_t
-/etc/nsd/secondary(/.*)?	system_u:object_r:nsd_zone_t
-/etc/nsd/nsd\.db		--	system_u:object_r:nsd_db_t
-/var/lib/nsd(/.*)?		system_u:object_r:nsd_zone_t
-/var/lib/nsd/nsd\.db	--	system_u:object_r:nsd_db_t
-/usr/sbin/nsd      	--	system_u:object_r:nsd_exec_t
-/usr/sbin/nsdc      	--	system_u:object_r:nsd_exec_t
-/usr/sbin/nsd-notify	--	system_u:object_r:nsd_exec_t
-/usr/sbin/zonec		--	system_u:object_r:nsd_exec_t
-/var/run/nsd\.pid	--	system_u:object_r:nsd_var_run_t
diff --git a/strict/file_contexts/program/ntpd.fc b/strict/file_contexts/program/ntpd.fc
deleted file mode 100644
index 84dd7b9..0000000
--- a/strict/file_contexts/program/ntpd.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-/var/lib/ntp(/.*)?			system_u:object_r:ntp_drift_t
-/etc/ntp/data(/.*)?			system_u:object_r:ntp_drift_t
-/etc/ntp(d)?\.conf.*	--	system_u:object_r:net_conf_t
-/etc/ntp/step-tickers.*		--	system_u:object_r:net_conf_t
-/usr/sbin/ntpd			--	system_u:object_r:ntpd_exec_t
-/usr/sbin/ntpdate		--	system_u:object_r:ntpdate_exec_t
-/var/log/ntpstats(/.*)?			system_u:object_r:ntpd_log_t
-/var/log/ntp.*			--	system_u:object_r:ntpd_log_t
-/var/log/xntpd.*		--	system_u:object_r:ntpd_log_t
-/var/run/ntpd\.pid		--	system_u:object_r:ntpd_var_run_t
-/etc/cron\.(daily|weekly)/ntp-simple -- system_u:object_r:ntpd_exec_t
-/etc/cron\.(daily|weekly)/ntp-server -- system_u:object_r:ntpd_exec_t
diff --git a/strict/file_contexts/program/nx_server.fc b/strict/file_contexts/program/nx_server.fc
deleted file mode 100644
index d993646..0000000
--- a/strict/file_contexts/program/nx_server.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# nx
-/opt/NX/bin/nxserver		--	system_u:object_r:nx_server_exec_t
-/opt/NX/var(/.*)?			system_u:object_r:nx_server_var_run_t
-/opt/NX/home/nx/\.ssh(/.*)?		system_u:object_r:nx_server_home_ssh_t
-
diff --git a/strict/file_contexts/program/oav-update.fc b/strict/file_contexts/program/oav-update.fc
deleted file mode 100644
index 5e88a02..0000000
--- a/strict/file_contexts/program/oav-update.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-/var/lib/oav-virussignatures -- system_u:object_r:oav_update_var_lib_t
-/var/lib/oav-update(/.*)?	system_u:object_r:oav_update_var_lib_t
-/usr/sbin/oav-update	--	system_u:object_r:oav_update_exec_t
-/etc/oav-update(/.*)?		system_u:object_r:oav_update_etc_t
diff --git a/strict/file_contexts/program/openca-ca.fc b/strict/file_contexts/program/openca-ca.fc
deleted file mode 100644
index 99ddefe..0000000
--- a/strict/file_contexts/program/openca-ca.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-/etc/openca(/.*)?		system_u:object_r:openca_etc_t
-/etc/openca/rbac(/.*)?		system_u:object_r:openca_etc_writeable_t
-/etc/openca/*.\.in(/.*)?	system_u:object_r:openca_etc_in_t
-/var/lib/openca(/.*)?		system_u:object_r:openca_var_lib_t
-/var/lib/openca/crypto/keys(/.*)?	system_u:object_r:openca_var_lib_keys_t
-/usr/share/openca(/.*)?		system_u:object_r:openca_usr_share_t
-/usr/share/openca/htdocs(/.*)?	system_u:object_r:httpd_sys_content_t
-/usr/share/openca/cgi-bin/ca/.+ --	system_u:object_r:openca_ca_exec_t
diff --git a/strict/file_contexts/program/openca-common.fc b/strict/file_contexts/program/openca-common.fc
deleted file mode 100644
index b75952f..0000000
--- a/strict/file_contexts/program/openca-common.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-/etc/openca(/.*)?			system_u:object_r:openca_etc_t
-/etc/openca/rbac(/.*)?			system_u:object_r:openca_etc_writeable_t
-/etc/openca/*.\.in(/.*)?		system_u:object_r:openca_etc_in_t
-/var/lib/openca(/.*)?			system_u:object_r:openca_var_lib_t
-/var/lib/openca/crypto/keys(/.*)?	system_u:object_r:openca_var_lib_keys_t
-/usr/share/openca(/.*)?			system_u:object_r:openca_usr_share_t
-/usr/share/openca/htdocs(/.*)?		system_u:object_r:httpd_sys_content_t
diff --git a/strict/file_contexts/program/openct.fc b/strict/file_contexts/program/openct.fc
deleted file mode 100644
index 43d656e..0000000
--- a/strict/file_contexts/program/openct.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/sbin/openct-control	-- 	system_u:object_r:openct_exec_t
-/var/run/openct(/.*)?			system_u:object_r:openct_var_run_t
diff --git a/strict/file_contexts/program/openvpn.fc b/strict/file_contexts/program/openvpn.fc
deleted file mode 100644
index 34b2992..0000000
--- a/strict/file_contexts/program/openvpn.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# OpenVPN
-
-/etc/openvpn/.*	--	system_u:object_r:openvpn_etc_t
-/usr/sbin/openvpn	--	system_u:object_r:openvpn_exec_t
diff --git a/strict/file_contexts/program/orbit.fc b/strict/file_contexts/program/orbit.fc
deleted file mode 100644
index 4afbc83..0000000
--- a/strict/file_contexts/program/orbit.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/tmp/orbit-USER(-.*)?		-d      system_u:object_r:ROLE_orbit_tmp_t
-/tmp/orbit-USER(-.*)?/linc.*	-s	<<none>>
-/tmp/orbit-USER(-.*)?/bonobo.*  --	system_u:object_r:ROLE_orbit_tmp_t
diff --git a/strict/file_contexts/program/pam.fc b/strict/file_contexts/program/pam.fc
deleted file mode 100644
index 7209276..0000000
--- a/strict/file_contexts/program/pam.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/var/run/sudo(/.*)?			system_u:object_r:pam_var_run_t
-/sbin/pam_timestamp_check	 --	system_u:object_r:pam_exec_t
-/lib(64)?/security/pam_krb5/pam_krb5_storetmp -- system_u:object_r:pam_exec_t
diff --git a/strict/file_contexts/program/pamconsole.fc b/strict/file_contexts/program/pamconsole.fc
deleted file mode 100644
index 75c8c55..0000000
--- a/strict/file_contexts/program/pamconsole.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# pam_console_apply
-/sbin/pam_console_apply	 --	system_u:object_r:pam_console_exec_t
-/var/run/console(/.*)?	 	system_u:object_r:pam_var_console_t
diff --git a/strict/file_contexts/program/passwd.fc b/strict/file_contexts/program/passwd.fc
deleted file mode 100644
index e8d3d06..0000000
--- a/strict/file_contexts/program/passwd.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# spasswd
-/usr/bin/passwd		--	system_u:object_r:passwd_exec_t
-/usr/bin/chage		--	system_u:object_r:passwd_exec_t
-/usr/bin/chsh		--	system_u:object_r:chfn_exec_t
-/usr/bin/chfn		--	system_u:object_r:chfn_exec_t
-/usr/sbin/vipw		--	system_u:object_r:admin_passwd_exec_t
-/usr/sbin/vigr		--	system_u:object_r:admin_passwd_exec_t
-/usr/bin/vipw		--	system_u:object_r:admin_passwd_exec_t
-/usr/bin/vigr		--	system_u:object_r:admin_passwd_exec_t
-/usr/sbin/pwconv	--	system_u:object_r:admin_passwd_exec_t
-/usr/sbin/pwunconv	--	system_u:object_r:admin_passwd_exec_t
-/usr/sbin/grpconv	--	system_u:object_r:admin_passwd_exec_t
-/usr/sbin/grpunconv	--	system_u:object_r:admin_passwd_exec_t
diff --git a/strict/file_contexts/program/pegasus.fc b/strict/file_contexts/program/pegasus.fc
deleted file mode 100644
index d81b968..0000000
--- a/strict/file_contexts/program/pegasus.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# File Contexts for The Open Group Pegasus (tog-pegasus) cimserver
-/usr/sbin/cimserver		--	system_u:object_r:pegasus_exec_t
-/usr/sbin/cimconfig		-- 	system_u:object_r:pegasus_conf_exec_t
-/usr/sbin/cimuser		-- 	system_u:object_r:pegasus_conf_exec_t
-/usr/sbin/cimauth		-- 	system_u:object_r:pegasus_conf_exec_t
-/usr/sbin/init_repository	-- 	system_u:object_r:pegasus_exec_t
-/usr/lib(64)?/Pegasus/providers/.*\.so.*	system_u:object_r:shlib_t
-/etc/Pegasus(/.*)?			system_u:object_r:pegasus_conf_t
-/var/lib/Pegasus(/.*)?	                system_u:object_r:pegasus_data_t
-/var/run/tog-pegasus(/.*)?              system_u:object_r:pegasus_var_run_t
-/usr/share/Pegasus/mof(/.*)?/.*\.mof    system_u:object_r:pegasus_mof_t
diff --git a/strict/file_contexts/program/perdition.fc b/strict/file_contexts/program/perdition.fc
deleted file mode 100644
index a2d2adb..0000000
--- a/strict/file_contexts/program/perdition.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# perdition POP and IMAP proxy
-/usr/sbin/perdition	--	system_u:object_r:perdition_exec_t
-/etc/perdition(/.*)?		system_u:object_r:perdition_etc_t
diff --git a/strict/file_contexts/program/ping.fc b/strict/file_contexts/program/ping.fc
deleted file mode 100644
index f37874f..0000000
--- a/strict/file_contexts/program/ping.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# ping
-/bin/ping.* 		--	system_u:object_r:ping_exec_t
-/usr/sbin/hping2	--	system_u:object_r:ping_exec_t
diff --git a/strict/file_contexts/program/portmap.fc b/strict/file_contexts/program/portmap.fc
deleted file mode 100644
index 4417c85..0000000
--- a/strict/file_contexts/program/portmap.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# portmap
-/sbin/portmap		--	system_u:object_r:portmap_exec_t
-ifdef(`distro_debian', `
-/sbin/pmap_dump		--	system_u:object_r:portmap_helper_exec_t
-/sbin/pmap_set		--	system_u:object_r:portmap_helper_exec_t
-', `
-/usr/sbin/pmap_dump	--	system_u:object_r:portmap_helper_exec_t
-/usr/sbin/pmap_set	--	system_u:object_r:portmap_helper_exec_t
-')
-/var/run/portmap.upgrade-state -- system_u:object_r:portmap_var_run_t
diff --git a/strict/file_contexts/program/portslave.fc b/strict/file_contexts/program/portslave.fc
deleted file mode 100644
index 873334d..0000000
--- a/strict/file_contexts/program/portslave.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# portslave
-/usr/sbin/portslave	--	system_u:object_r:portslave_exec_t
-/usr/sbin/ctlportslave	--	system_u:object_r:portslave_exec_t
-/etc/portslave(/.*)?		system_u:object_r:portslave_etc_t
-/var/run/radius\.(id|seq) -- system_u:object_r:pppd_var_run_t
diff --git a/strict/file_contexts/program/postfix.fc b/strict/file_contexts/program/postfix.fc
deleted file mode 100644
index 0e96508..0000000
--- a/strict/file_contexts/program/postfix.fc
+++ /dev/null
@@ -1,59 +0,0 @@
-# postfix
-/etc/postfix(/.*)?		system_u:object_r:postfix_etc_t
-ifdef(`distro_redhat', `
-/etc/postfix/aliases.*		system_u:object_r:etc_aliases_t
-/usr/libexec/postfix/.*	--	system_u:object_r:postfix_exec_t
-/usr/libexec/postfix/cleanup --	system_u:object_r:postfix_cleanup_exec_t
-/usr/libexec/postfix/local	--	system_u:object_r:postfix_local_exec_t
-/usr/libexec/postfix/master	--	system_u:object_r:postfix_master_exec_t
-/usr/libexec/postfix/pickup	--	system_u:object_r:postfix_pickup_exec_t
-/usr/libexec/postfix/(n)?qmgr --	system_u:object_r:postfix_qmgr_exec_t
-/usr/libexec/postfix/showq	--	system_u:object_r:postfix_showq_exec_t
-/usr/libexec/postfix/smtp	--	system_u:object_r:postfix_smtp_exec_t
-/usr/libexec/postfix/scache	--	system_u:object_r:postfix_smtp_exec_t
-/usr/libexec/postfix/smtpd	--	system_u:object_r:postfix_smtpd_exec_t
-/usr/libexec/postfix/bounce	--	system_u:object_r:postfix_bounce_exec_t
-/usr/libexec/postfix/pipe	--	system_u:object_r:postfix_pipe_exec_t
-', `
-/usr/lib/postfix/.*	--	system_u:object_r:postfix_exec_t
-/usr/lib/postfix/cleanup --	system_u:object_r:postfix_cleanup_exec_t
-/usr/lib/postfix/local	--	system_u:object_r:postfix_local_exec_t
-/usr/lib/postfix/master	--	system_u:object_r:postfix_master_exec_t
-/usr/lib/postfix/pickup	--	system_u:object_r:postfix_pickup_exec_t
-/usr/lib/postfix/(n)?qmgr --	system_u:object_r:postfix_qmgr_exec_t
-/usr/lib/postfix/showq	--	system_u:object_r:postfix_showq_exec_t
-/usr/lib/postfix/smtp	--	system_u:object_r:postfix_smtp_exec_t
-/usr/lib/postfix/scache	--	system_u:object_r:postfix_smtp_exec_t
-/usr/lib/postfix/smtpd	--	system_u:object_r:postfix_smtpd_exec_t
-/usr/lib/postfix/bounce	--	system_u:object_r:postfix_bounce_exec_t
-/usr/lib/postfix/pipe	--	system_u:object_r:postfix_pipe_exec_t
-')
-/etc/postfix/postfix-script.* -- system_u:object_r:postfix_exec_t
-/etc/postfix/prng_exch	--	system_u:object_r:postfix_prng_t
-/usr/sbin/postalias	--	system_u:object_r:postfix_master_exec_t
-/usr/sbin/postcat	--	system_u:object_r:postfix_master_exec_t
-/usr/sbin/postdrop	--	system_u:object_r:postfix_postdrop_exec_t
-/usr/sbin/postfix	--	system_u:object_r:postfix_master_exec_t
-/usr/sbin/postkick	--	system_u:object_r:postfix_master_exec_t
-/usr/sbin/postlock	--	system_u:object_r:postfix_master_exec_t
-/usr/sbin/postlog	--	system_u:object_r:postfix_master_exec_t
-/usr/sbin/postmap	--	system_u:object_r:postfix_map_exec_t
-/usr/sbin/postqueue	--	system_u:object_r:postfix_postqueue_exec_t
-/usr/sbin/postsuper	--	system_u:object_r:postfix_master_exec_t
-/usr/sbin/rmail		--	system_u:object_r:sendmail_exec_t
-/usr/sbin/sendmail.postfix --	system_u:object_r:sendmail_exec_t
-/var/spool/postfix(/.*)?	system_u:object_r:postfix_spool_t
-/var/spool/postfix/maildrop(/.*)? system_u:object_r:postfix_spool_maildrop_t
-/var/spool/postfix/pid	-d	system_u:object_r:var_run_t
-/var/spool/postfix/pid/.*	system_u:object_r:postfix_var_run_t
-/var/spool/postfix/private(/.*)? system_u:object_r:postfix_private_t
-/var/spool/postfix/public(/.*)? system_u:object_r:postfix_public_t
-/var/spool/postfix/bounce(/.*)? system_u:object_r:postfix_spool_bounce_t
-/var/spool/postfix/flush(/.*)?	system_u:object_r:postfix_spool_flush_t
-/var/spool/postfix/etc(/.*)?	system_u:object_r:etc_t
-/var/spool/postfix/lib(64)?(/.*)?	system_u:object_r:lib_t
-/var/spool/postfix/usr(/.*)?	system_u:object_r:lib_t
-/var/spool/postfix/lib(64)?/ld.*\.so.* -- system_u:object_r:ld_so_t
-/var/spool/postfix/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t
-/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- system_u:object_r:shlib_t
-/var/spool/postfix/lib(64)?/devfsd/.*\.so.* -- system_u:object_r:shlib_t
diff --git a/strict/file_contexts/program/postgresql.fc b/strict/file_contexts/program/postgresql.fc
deleted file mode 100644
index dc644c1..0000000
--- a/strict/file_contexts/program/postgresql.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-# postgresql - database server
-/usr/lib(64)?/postgresql/bin/.* --	system_u:object_r:postgresql_exec_t
-/usr/bin/postgres	--	system_u:object_r:postgresql_exec_t
-/usr/bin/initdb		--	system_u:object_r:postgresql_exec_t
-
-/var/lib/postgres(ql)?(/.*)? 	system_u:object_r:postgresql_db_t
-/var/lib/pgsql/data(/.*)?	system_u:object_r:postgresql_db_t
-/var/run/postgresql(/.*)?	system_u:object_r:postgresql_var_run_t
-/etc/postgresql(/.*)?		system_u:object_r:postgresql_etc_t
-/var/log/postgres\.log.* --	system_u:object_r:postgresql_log_t
-/var/log/postgresql(/.*)?	system_u:object_r:postgresql_log_t
-/var/lib/pgsql/pgstartup.log	system_u:object_r:postgresql_log_t
-/usr/lib/pgsql/test/regres(/.*)?	system_u:object_r:postgresql_db_t
-/usr/lib/pgsql/test/regress/.*\.so	-- system_u:object_r:shlib_t
-/usr/lib/pgsql/test/regress/.*\.sh	-- system_u:object_r:bin_t
-/usr/lib/pgsql/test/regress/pg_regress	-- system_u:object_r:postgresql_exec_t
-ifdef(`distro_redhat', `
-/usr/share/jonas/pgsql(/.*)?       system_u:object_r:postgresql_db_t
-/var/log/rhdb/rhdb(/.*)?           system_u:object_r:postgresql_log_t
-')
diff --git a/strict/file_contexts/program/postgrey.fc b/strict/file_contexts/program/postgrey.fc
deleted file mode 100644
index 89e43fd..0000000
--- a/strict/file_contexts/program/postgrey.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# postgrey - postfix grey-listing server
-/usr/sbin/postgrey	--	system_u:object_r:postgrey_exec_t
-/var/run/postgrey\.pid	--	system_u:object_r:postgrey_var_run_t
-/etc/postgrey(/.*)?		system_u:object_r:postgrey_etc_t
-/var/lib/postgrey(/.*)?		system_u:object_r:postgrey_var_lib_t
diff --git a/strict/file_contexts/program/pppd.fc b/strict/file_contexts/program/pppd.fc
deleted file mode 100644
index 02ae668..0000000
--- a/strict/file_contexts/program/pppd.fc
+++ /dev/null
@@ -1,25 +0,0 @@
-# pppd
-/usr/sbin/pppd		--	system_u:object_r:pppd_exec_t
-/usr/sbin/pptp 		--	system_u:object_r:pptp_exec_t
-/usr/sbin/ipppd		--	system_u:object_r:pppd_exec_t
-/dev/ppp		-c	system_u:object_r:ppp_device_t
-/dev/pppox.*		-c	system_u:object_r:ppp_device_t
-/dev/ippp.*		-c	system_u:object_r:ppp_device_t
-/var/run/pppd[0-9]*\.tdb --	system_u:object_r:pppd_var_run_t
-/var/run/ppp(/.*)?		system_u:object_r:pppd_var_run_t
-/etc/ppp		-d	system_u:object_r:pppd_etc_t
-/etc/ppp/.*		--	system_u:object_r:pppd_etc_rw_t
-/etc/ppp/.*secrets	--	system_u:object_r:pppd_secret_t
-/var/run/(i)?ppp.*pid	--	system_u:object_r:pppd_var_run_t
-/var/log/ppp-connect-errors.* -- system_u:object_r:pppd_log_t
-/var/log/ppp/.*	--	system_u:object_r:pppd_log_t
-/etc/ppp/ip-down\..*	--	system_u:object_r:bin_t
-/etc/ppp/ip-up\..*	--	system_u:object_r:bin_t
-/etc/ppp/ipv6-up\..*	--	system_u:object_r:bin_t
-/etc/ppp/ipv6-down\..*	--	system_u:object_r:bin_t
-/etc/ppp/plugins/rp-pppoe\.so 	--	system_u:object_r:shlib_t
-/etc/ppp/resolv\.conf 	--	system_u:object_r:pppd_etc_rw_t
-# Fix pptp sockets
-/var/run/pptp(/.*)?		system_u:object_r:pptp_var_run_t
-# Fix /etc/ppp {up,down} family scripts (see man pppd)
-/etc/ppp/(auth|ip(v6|x)?)-(up|down)	--	system_u:object_r:pppd_script_exec_t
diff --git a/strict/file_contexts/program/prelink.fc b/strict/file_contexts/program/prelink.fc
deleted file mode 100644
index 331e315..0000000
--- a/strict/file_contexts/program/prelink.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# prelink - prelink ELF shared libraries and binaries to speed up startup time
-/usr/sbin/prelink		--	system_u:object_r:prelink_exec_t
-ifdef(`distro_debian', `
-/usr/sbin/prelink\.bin		--	system_u:object_r:prelink_exec_t
-')
-/etc/prelink\.conf		--	system_u:object_r:etc_prelink_t
-/var/log/prelink\.log		--	system_u:object_r:prelink_log_t
-/etc/prelink\.cache		--	system_u:object_r:prelink_cache_t
diff --git a/strict/file_contexts/program/privoxy.fc b/strict/file_contexts/program/privoxy.fc
deleted file mode 100644
index 84427ab..0000000
--- a/strict/file_contexts/program/privoxy.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# privoxy
-/usr/sbin/privoxy	--	system_u:object_r:privoxy_exec_t
-/var/log/privoxy(/.*)?		system_u:object_r:privoxy_log_t
diff --git a/strict/file_contexts/program/procmail.fc b/strict/file_contexts/program/procmail.fc
deleted file mode 100644
index 543602d..0000000
--- a/strict/file_contexts/program/procmail.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# procmail
-/usr/bin/procmail	--	system_u:object_r:procmail_exec_t
diff --git a/strict/file_contexts/program/publicfile.fc b/strict/file_contexts/program/publicfile.fc
deleted file mode 100644
index dc32249..0000000
--- a/strict/file_contexts/program/publicfile.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-
-/usr/bin/ftpd			--	system_u:object_r:publicfile_exec_t
-/usr/bin/httpd			--	system_u:object_r:publicfile_exec_t
-/usr/bin/publicfile-conf	--	system_u:object_r:publicfile_exec_t
-
-# this is the place where online content located
-# set this to suit your needs
-#/var/www(/.*)?			system_u:object_r:publicfile_content_t
-
diff --git a/strict/file_contexts/program/pxe.fc b/strict/file_contexts/program/pxe.fc
deleted file mode 100644
index 165076a..0000000
--- a/strict/file_contexts/program/pxe.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# pxe network boot server
-/usr/sbin/pxe		--	system_u:object_r:pxe_exec_t
-/var/log/pxe\.log	--	system_u:object_r:pxe_log_t
-/var/run/pxe\.pid	--	system_u:object_r:pxe_var_run_t
-
diff --git a/strict/file_contexts/program/pyzor.fc b/strict/file_contexts/program/pyzor.fc
deleted file mode 100644
index ff62295..0000000
--- a/strict/file_contexts/program/pyzor.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-/etc/pyzor(/.*)?			system_u:object_r:pyzor_etc_t
-/usr/bin/pyzor			--	system_u:object_r:pyzor_exec_t
-/usr/bin/pyzord			--	system_u:object_r:pyzord_exec_t
-/var/lib/pyzord(/.*)?			system_u:object_r:pyzor_var_lib_t
-/var/log/pyzord.log		--	system_u:object_r:pyzord_log_t
-HOME_DIR/\.pyzor(/.*)?			system_u:object_r:ROLE_pyzor_home_t
diff --git a/strict/file_contexts/program/qmail.fc b/strict/file_contexts/program/qmail.fc
deleted file mode 100644
index 7704ed7..0000000
--- a/strict/file_contexts/program/qmail.fc
+++ /dev/null
@@ -1,38 +0,0 @@
-# qmail - Debian locations
-/etc/qmail(/.*)?		system_u:object_r:qmail_etc_t
-/var/qmail(/.*)?		system_u:object_r:qmail_etc_t
-/var/spool/qmail(/.*)?		system_u:object_r:qmail_spool_t
-/usr/sbin/qmail-start	--	system_u:object_r:qmail_start_exec_t
-/usr/sbin/qmail-lspawn	--	system_u:object_r:qmail_lspawn_exec_t
-/usr/bin/tcp-env	--	system_u:object_r:qmail_tcp_env_exec_t
-/usr/sbin/qmail-inject	--	system_u:object_r:qmail_inject_exec_t
-/usr/sbin/qmail-smtpd	--	system_u:object_r:qmail_smtpd_exec_t
-/usr/sbin/qmail-queue	--	system_u:object_r:qmail_queue_exec_t
-/usr/sbin/qmail-local	--	system_u:object_r:qmail_local_exec_t
-/usr/sbin/qmail-clean	--	system_u:object_r:qmail_clean_exec_t
-/usr/sbin/qmail-send	--	system_u:object_r:qmail_send_exec_t
-/usr/sbin/qmail-rspawn	--	system_u:object_r:qmail_rspawn_exec_t
-/usr/sbin/qmail-remote	--	system_u:object_r:qmail_remote_exec_t
-/usr/sbin/qmail-qread	--	system_u:object_r:qmail_qread_exec_t
-/usr/sbin/splogger	--	system_u:object_r:qmail_splogger_exec_t
-/usr/sbin/qmail-getpw	--	system_u:object_r:qmail_exec_t
-/usr/local/bin/serialmail/.* -- system_u:object_r:qmail_serialmail_exec_t
-# qmail - djb locations
-/var/qmail/control(/.*)?	system_u:object_r:qmail_etc_t
-/var/qmail/bin		-d	system_u:object_r:bin_t
-/var/qmail/queue(/.*)?		system_u:object_r:qmail_spool_t
-/var/qmail/bin/qmail-lspawn --	system_u:object_r:qmail_lspawn_exec_t
-/var/qmail/bin/tcp-env	--	system_u:object_r:qmail_tcp_env_exec_t
-/var/qmail/bin/qmail-inject --	system_u:object_r:qmail_inject_exec_t
-/var/qmail/bin/qmail-smtpd --	system_u:object_r:qmail_smtpd_exec_t
-/var/qmail/bin/qmail-queue --	system_u:object_r:qmail_queue_exec_t
-/var/qmail/bin/qmail-local --	system_u:object_r:qmail_local_exec_t
-/var/qmail/bin/qmail-clean --	system_u:object_r:qmail_clean_exec_t
-/var/qmail/bin/qmail-send --	system_u:object_r:qmail_send_exec_t
-/var/qmail/bin/qmail-rspawn --	system_u:object_r:qmail_rspawn_exec_t
-/var/qmail/bin/qmail-remote --	system_u:object_r:qmail_remote_exec_t
-/var/qmail/bin/qmail-qread --	system_u:object_r:qmail_qread_exec_t
-/var/qmail/bin/qmail-start --	system_u:object_r:qmail_start_exec_t
-/var/qmail/rc		--	system_u:object_r:bin_t
-/var/qmail/bin/splogger --	system_u:object_r:qmail_splogger_exec_t
-/var/qmail/bin/qmail-getpw --	system_u:object_r:qmail_exec_t
diff --git a/strict/file_contexts/program/quota.fc b/strict/file_contexts/program/quota.fc
deleted file mode 100644
index f91f1a4..0000000
--- a/strict/file_contexts/program/quota.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# quota system
-/var/lib/quota(/.*)?		system_u:object_r:quota_flag_t
-/sbin/quota(check|on)	--	system_u:object_r:quota_exec_t
-ifdef(`distro_redhat', `
-/usr/sbin/convertquota	--	system_u:object_r:quota_exec_t
-', `
-/sbin/convertquota	--	system_u:object_r:quota_exec_t
-')
-HOME_ROOT/a?quota\.(user|group) -- system_u:object_r:quota_db_t
-/var/a?quota\.(user|group) -- system_u:object_r:quota_db_t
diff --git a/strict/file_contexts/program/radius.fc b/strict/file_contexts/program/radius.fc
deleted file mode 100644
index bd25d6d..0000000
--- a/strict/file_contexts/program/radius.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-# radius
-/etc/raddb(/.*)?                system_u:object_r:radiusd_etc_t
-/usr/sbin/radiusd	--	system_u:object_r:radiusd_exec_t
-/usr/sbin/freeradius	--	system_u:object_r:radiusd_exec_t
-/var/log/radiusd-freeradius(/.*)?       system_u:object_r:radiusd_log_t
-/var/log/radius\.log.*	--	system_u:object_r:radiusd_log_t
-/var/log/radius(/.*)?		system_u:object_r:radiusd_log_t
-/var/log/freeradius(/.*)?	system_u:object_r:radiusd_log_t
-/var/log/radacct(/.*)?		system_u:object_r:radiusd_log_t
-/var/log/radutmp	--	system_u:object_r:radiusd_log_t
-/var/log/radwtmp.*	--	system_u:object_r:radiusd_log_t
-/etc/cron\.(daily|monthly)/radiusd -- system_u:object_r:radiusd_exec_t
-/etc/cron\.(daily|weekly|monthly)/freeradius -- system_u:object_r:radiusd_exec_t
-/var/run/radiusd\.pid	--	system_u:object_r:radiusd_var_run_t
-/var/run/radiusd(/.*)?		system_u:object_r:radiusd_var_run_t
diff --git a/strict/file_contexts/program/radvd.fc b/strict/file_contexts/program/radvd.fc
deleted file mode 100644
index 5000383..0000000
--- a/strict/file_contexts/program/radvd.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# radvd
-/etc/radvd\.conf	--	system_u:object_r:radvd_etc_t
-/usr/sbin/radvd		--	system_u:object_r:radvd_exec_t
-/var/run/radvd\.pid	--	system_u:object_r:radvd_var_run_t
-/var/run/radvd(/.*)?		system_u:object_r:radvd_var_run_t
diff --git a/strict/file_contexts/program/razor.fc b/strict/file_contexts/program/razor.fc
deleted file mode 100644
index f3f1346..0000000
--- a/strict/file_contexts/program/razor.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# razor
-/etc/razor(/.*)?		system_u:object_r:razor_etc_t
-/usr/bin/razor.*		system_u:object_r:razor_exec_t
-/var/lib/razor(/.*)?		system_u:object_r:razor_var_lib_t
-/var/log/razor-agent.log	system_u:object_r:razor_log_t
-HOME_DIR/\.razor(/.*)?		system_u:object_r:ROLE_razor_home_t
diff --git a/strict/file_contexts/program/rdisc.fc b/strict/file_contexts/program/rdisc.fc
deleted file mode 100644
index d3f9dcf..0000000
--- a/strict/file_contexts/program/rdisc.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# rdisc
-/sbin/rdisc		system_u:object_r:rdisc_exec_t
diff --git a/strict/file_contexts/program/readahead.fc b/strict/file_contexts/program/readahead.fc
deleted file mode 100644
index 0755fef..0000000
--- a/strict/file_contexts/program/readahead.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/readahead -- system_u:object_r:readahead_exec_t
diff --git a/strict/file_contexts/program/resmgrd.fc b/strict/file_contexts/program/resmgrd.fc
deleted file mode 100644
index bee4680..0000000
--- a/strict/file_contexts/program/resmgrd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# resmgrd
-/sbin/resmgrd		--	system_u:object_r:resmgrd_exec_t
-/etc/resmgr\.conf	--	system_u:object_r:resmgrd_etc_t
-/var/run/resmgr\.pid	--	system_u:object_r:resmgrd_var_run_t
-/var/run/\.resmgr_socket	-s	system_u:object_r:resmgrd_var_run_t
-
diff --git a/strict/file_contexts/program/restorecon.fc b/strict/file_contexts/program/restorecon.fc
deleted file mode 100644
index 6509a11..0000000
--- a/strict/file_contexts/program/restorecon.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# restorecon
-/sbin/restorecon	--	system_u:object_r:restorecon_exec_t
diff --git a/strict/file_contexts/program/rhgb.fc b/strict/file_contexts/program/rhgb.fc
deleted file mode 100644
index 118972e..0000000
--- a/strict/file_contexts/program/rhgb.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/rhgb		--	system_u:object_r:rhgb_exec_t
diff --git a/strict/file_contexts/program/rlogind.fc b/strict/file_contexts/program/rlogind.fc
deleted file mode 100644
index bc73319..0000000
--- a/strict/file_contexts/program/rlogind.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# rlogind and telnetd
-/usr/sbin/in\.rlogind	--	system_u:object_r:rlogind_exec_t
-/usr/lib(64)?/telnetlogin	--	system_u:object_r:rlogind_exec_t
-/usr/kerberos/sbin/klogind --	system_u:object_r:rlogind_exec_t
diff --git a/strict/file_contexts/program/roundup.fc b/strict/file_contexts/program/roundup.fc
deleted file mode 100644
index 99b2700..0000000
--- a/strict/file_contexts/program/roundup.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/bin/roundup-server         --      system_u:object_r:roundup_exec_t
-/var/lib/roundup(/.*)?          --      system_u:object_r:roundup_var_lib_t
diff --git a/strict/file_contexts/program/rpcd.fc b/strict/file_contexts/program/rpcd.fc
deleted file mode 100644
index 60bb3f3..0000000
--- a/strict/file_contexts/program/rpcd.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# RPC daemons
-/sbin/rpc\..*		--	system_u:object_r:rpcd_exec_t
-/usr/sbin/rpc.idmapd	--	system_u:object_r:rpcd_exec_t
-/usr/sbin/rpc\.nfsd	--	system_u:object_r:nfsd_exec_t
-/usr/sbin/exportfs	--	system_u:object_r:nfsd_exec_t
-/usr/sbin/rpc\.gssd	--	system_u:object_r:gssd_exec_t
-/usr/sbin/rpc\.svcgssd	--	system_u:object_r:gssd_exec_t
-/usr/sbin/rpc\.mountd	--	system_u:object_r:nfsd_exec_t
-/var/run/rpc\.statd\.pid	--	system_u:object_r:rpcd_var_run_t
-/var/run/rpc\.statd(/.*)?	system_u:object_r:rpcd_var_run_t
-/etc/exports		--	system_u:object_r:exports_t
-
diff --git a/strict/file_contexts/program/rpm.fc b/strict/file_contexts/program/rpm.fc
deleted file mode 100644
index c659e65..0000000
--- a/strict/file_contexts/program/rpm.fc
+++ /dev/null
@@ -1,29 +0,0 @@
-# rpm
-/var/lib/rpm(/.*)?		system_u:object_r:rpm_var_lib_t
-/var/lib/alternatives(/.*)?	system_u:object_r:rpm_var_lib_t
-/bin/rpm 		--	system_u:object_r:rpm_exec_t
-/usr/bin/yum 		--	system_u:object_r:rpm_exec_t
-/usr/bin/apt-get 	--	system_u:object_r:rpm_exec_t
-/usr/bin/apt-shell    	-- 	system_u:object_r:rpm_exec_t
-/usr/bin/synaptic   --    	system_u:object_r:rpm_exec_t
-/usr/lib(64)?/rpm/rpmd	-- 	system_u:object_r:bin_t
-/usr/lib(64)?/rpm/rpmq	-- 	system_u:object_r:bin_t
-/usr/lib(64)?/rpm/rpmk	-- 	system_u:object_r:bin_t
-/usr/lib(64)?/rpm/rpmv	-- 	system_u:object_r:bin_t
-/var/log/rpmpkgs.*	--	system_u:object_r:rpm_log_t
-/var/log/yum\.log	--	system_u:object_r:rpm_log_t
-ifdef(`distro_redhat', `
-/usr/sbin/up2date	--	system_u:object_r:rpm_exec_t
-/usr/sbin/rhn_check	--	system_u:object_r:rpm_exec_t
-')
-# SuSE
-ifdef(`distro_suse', `
-/usr/bin/online_update		--	system_u:object_r:rpm_exec_t
-/sbin/yast2			--	system_u:object_r:rpm_exec_t
-/var/lib/YaST2(/.*)?			system_u:object_r:rpm_var_lib_t
-/var/log/YaST2(/.*)?			system_u:object_r:rpm_log_t
-')
-
-ifdef(`mls_policy', `
-/sbin/cpio			--	system_u:object_r:rpm_exec_t
-')
diff --git a/strict/file_contexts/program/rshd.fc b/strict/file_contexts/program/rshd.fc
deleted file mode 100644
index 7f3be6d..0000000
--- a/strict/file_contexts/program/rshd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# rshd.
-/usr/sbin/in\.rshd	--	system_u:object_r:rshd_exec_t
-/usr/kerberos/sbin/kshd	--	system_u:object_r:rshd_exec_t
diff --git a/strict/file_contexts/program/rssh.fc b/strict/file_contexts/program/rssh.fc
deleted file mode 100644
index 16ec3a3..0000000
--- a/strict/file_contexts/program/rssh.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# rssh
-/usr/bin/rssh		--	system_u:object_r:rssh_exec_t
diff --git a/strict/file_contexts/program/rsync.fc b/strict/file_contexts/program/rsync.fc
deleted file mode 100644
index 9bce3d5..0000000
--- a/strict/file_contexts/program/rsync.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# rsync program
-/usr/bin/rsync	--	system_u:object_r:rsync_exec_t
-/srv/([^/]*/)?rsync(/.*)?	system_u:object_r:public_content_t
diff --git a/strict/file_contexts/program/samba.fc b/strict/file_contexts/program/samba.fc
deleted file mode 100644
index 5ac7c2f..0000000
--- a/strict/file_contexts/program/samba.fc
+++ /dev/null
@@ -1,26 +0,0 @@
-# samba scripts
-/usr/sbin/smbd		--	system_u:object_r:smbd_exec_t
-/usr/sbin/nmbd		--	system_u:object_r:nmbd_exec_t
-/usr/bin/net		--	system_u:object_r:samba_net_exec_t
-/etc/samba(/.*)?		system_u:object_r:samba_etc_t
-/var/log/samba(/.*)?		system_u:object_r:samba_log_t
-/var/cache/samba(/.*)?		system_u:object_r:samba_var_t
-/var/lib/samba(/.*)?		system_u:object_r:samba_var_t
-/etc/samba/secrets\.tdb	--	system_u:object_r:samba_secrets_t
-/etc/samba/MACHINE\.SID	--	system_u:object_r:samba_secrets_t
-# samba really wants write access to smbpasswd
-/etc/samba/smbpasswd	--	system_u:object_r:samba_secrets_t
-/var/run/samba/locking\.tdb --	system_u:object_r:smbd_var_run_t
-/var/run/samba/connections\.tdb -- system_u:object_r:smbd_var_run_t
-/var/run/samba/sessionid\.tdb -- system_u:object_r:smbd_var_run_t
-/var/run/samba/brlock\.tdb --	system_u:object_r:smbd_var_run_t
-/var/run/samba/namelist\.debug -- system_u:object_r:nmbd_var_run_t
-/var/run/samba/messages\.tdb --	system_u:object_r:nmbd_var_run_t
-/var/run/samba/unexpected\.tdb -- system_u:object_r:nmbd_var_run_t
-/var/run/samba/smbd\.pid --	system_u:object_r:smbd_var_run_t
-/var/run/samba/nmbd\.pid --	system_u:object_r:nmbd_var_run_t
-/var/spool/samba(/.*)?		system_u:object_r:samba_var_t
-ifdef(`mount.te', `
-/usr/bin/smbmount	--	system_u:object_r:smbmount_exec_t
-/usr/bin/smbmnt		--	system_u:object_r:smbmount_exec_t
-')
diff --git a/strict/file_contexts/program/saslauthd.fc b/strict/file_contexts/program/saslauthd.fc
deleted file mode 100644
index 7b2460e..0000000
--- a/strict/file_contexts/program/saslauthd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# saslauthd 
-/usr/sbin/saslauthd		--	system_u:object_r:saslauthd_exec_t
-/var/run/saslauthd(/.*)?		system_u:object_r:saslauthd_var_run_t
diff --git a/strict/file_contexts/program/scannerdaemon.fc b/strict/file_contexts/program/scannerdaemon.fc
deleted file mode 100644
index a43bf87..0000000
--- a/strict/file_contexts/program/scannerdaemon.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# scannerdaemon
-/usr/sbin/scannerdaemon		--	system_u:object_r:scannerdaemon_exec_t
-/etc/scannerdaemon/scannerdaemon\.conf -- system_u:object_r:scannerdaemon_etc_t
-/var/log/scannerdaemon\.log 	--	system_u:object_r:scannerdaemon_log_t
diff --git a/strict/file_contexts/program/screen.fc b/strict/file_contexts/program/screen.fc
deleted file mode 100644
index 0e6e78d..0000000
--- a/strict/file_contexts/program/screen.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# screen
-/usr/bin/screen		--	system_u:object_r:screen_exec_t
-HOME_DIR/\.screenrc	--	system_u:object_r:ROLE_screen_ro_home_t
-/var/run/screens?/S-[^/]+	-d	system_u:object_r:screen_dir_t
-/var/run/screens?/S-[^/]+/.*	<<none>>
diff --git a/strict/file_contexts/program/sendmail.fc b/strict/file_contexts/program/sendmail.fc
deleted file mode 100644
index 0fce2ef..0000000
--- a/strict/file_contexts/program/sendmail.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# sendmail
-/etc/mail(/.*)?				system_u:object_r:etc_mail_t
-/var/log/sendmail\.st		--	system_u:object_r:sendmail_log_t
-/var/log/mail(/.*)?			system_u:object_r:sendmail_log_t
-/var/run/sendmail\.pid		--	system_u:object_r:sendmail_var_run_t
-/var/run/sm-client\.pid		--	system_u:object_r:sendmail_var_run_t
diff --git a/strict/file_contexts/program/setfiles.fc b/strict/file_contexts/program/setfiles.fc
deleted file mode 100644
index c247763..0000000
--- a/strict/file_contexts/program/setfiles.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# setfiles
-/usr/sbin/setfiles.*	--	system_u:object_r:setfiles_exec_t
-
diff --git a/strict/file_contexts/program/seuser.fc b/strict/file_contexts/program/seuser.fc
deleted file mode 100644
index 0c7f71b..0000000
--- a/strict/file_contexts/program/seuser.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# seuser
-/usr/bin/seuser	--	system_u:object_r:seuser_exec_t
-/usr/apol/seuser\.conf system_u:object_r:seuser_conf_t
-
diff --git a/strict/file_contexts/program/slapd.fc b/strict/file_contexts/program/slapd.fc
deleted file mode 100644
index 956f441..0000000
--- a/strict/file_contexts/program/slapd.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# slapd - ldap server
-/usr/sbin/slapd		--	system_u:object_r:slapd_exec_t
-/var/lib/ldap(/.*)?		system_u:object_r:slapd_db_t
-/var/lib/ldap/replog(/.*)?	system_u:object_r:slapd_replog_t
-/var/run/slapd\.args	--	system_u:object_r:slapd_var_run_t
-/etc/ldap/slapd\.conf	--	system_u:object_r:slapd_etc_t
-/var/run/slapd\.pid	--	system_u:object_r:slapd_var_run_t
diff --git a/strict/file_contexts/program/slocate.fc b/strict/file_contexts/program/slocate.fc
deleted file mode 100644
index 1796c77..0000000
--- a/strict/file_contexts/program/slocate.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# locate - file locater
-/usr/bin/slocate		--	system_u:object_r:locate_exec_t
-/var/lib/slocate(/.*)?			system_u:object_r:locate_var_lib_t
-/etc/updatedb\.conf		--	system_u:object_r:locate_etc_t
diff --git a/strict/file_contexts/program/slrnpull.fc b/strict/file_contexts/program/slrnpull.fc
deleted file mode 100644
index 4c0d36c..0000000
--- a/strict/file_contexts/program/slrnpull.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# slrnpull
-/usr/bin/slrnpull	--	system_u:object_r:slrnpull_exec_t
-/var/spool/slrnpull(/.*)?	system_u:object_r:slrnpull_spool_t
diff --git a/strict/file_contexts/program/snmpd.fc b/strict/file_contexts/program/snmpd.fc
deleted file mode 100644
index fcad862..0000000
--- a/strict/file_contexts/program/snmpd.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# snmpd
-/usr/sbin/snmp(trap)?d	--	system_u:object_r:snmpd_exec_t
-/var/lib/snmp(/.*)?		system_u:object_r:snmpd_var_lib_t
-/var/lib/net-snmp(/.*)?	system_u:object_r:snmpd_var_lib_t
-/etc/snmp/snmp(trap)?d\.conf -- system_u:object_r:snmpd_etc_t
-/usr/share/snmp/mibs/\.index -- system_u:object_r:snmpd_var_lib_t
-/var/run/snmpd\.pid	--	system_u:object_r:snmpd_var_run_t
-/var/run/snmpd		-d	system_u:object_r:snmpd_var_run_t
-/var/net-snmp(/.*)		system_u:object_r:snmpd_var_lib_t
-/var/log/snmpd\.log	--	system_u:object_r:snmpd_log_t
diff --git a/strict/file_contexts/program/snort.fc b/strict/file_contexts/program/snort.fc
deleted file mode 100644
index a40670c..0000000
--- a/strict/file_contexts/program/snort.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# SNORT
-/usr/(s)?bin/snort --	system_u:object_r:snort_exec_t
-/etc/snort(/.*)?	system_u:object_r:snort_etc_t
-/var/log/snort(/.*)?	system_u:object_r:snort_log_t
diff --git a/strict/file_contexts/program/sound-server.fc b/strict/file_contexts/program/sound-server.fc
deleted file mode 100644
index dfa8245..0000000
--- a/strict/file_contexts/program/sound-server.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# sound servers, nas, yiff, etc
-/usr/sbin/yiff		--	system_u:object_r:soundd_exec_t
-/usr/bin/nasd		--	system_u:object_r:soundd_exec_t
-/usr/bin/gpe-soundserver --	system_u:object_r:soundd_exec_t
-/etc/nas(/.*)?			system_u:object_r:etc_soundd_t
-/etc/yiff(/.*)?			system_u:object_r:etc_soundd_t
-/var/state/yiff(/.*)?		system_u:object_r:soundd_state_t
-/var/run/yiff-[0-9]+\.pid --	system_u:object_r:soundd_var_run_t
diff --git a/strict/file_contexts/program/sound.fc b/strict/file_contexts/program/sound.fc
deleted file mode 100644
index 5e6b0d1..0000000
--- a/strict/file_contexts/program/sound.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# sound
-/bin/aumix-minimal	--	system_u:object_r:sound_exec_t
-/etc/\.aumixrc		--	system_u:object_r:sound_file_t
diff --git a/strict/file_contexts/program/spamassassin.fc b/strict/file_contexts/program/spamassassin.fc
deleted file mode 100644
index a85b8b1..0000000
--- a/strict/file_contexts/program/spamassassin.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# spamassasin
-/usr/bin/spamassassin	--	system_u:object_r:spamassassin_exec_t
-HOME_DIR/\.spamassassin(/.*)?	system_u:object_r:ROLE_spamassassin_home_t
diff --git a/strict/file_contexts/program/spamc.fc b/strict/file_contexts/program/spamc.fc
deleted file mode 100644
index bf5d033..0000000
--- a/strict/file_contexts/program/spamc.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/spamc	--	system_u:object_r:spamc_exec_t
diff --git a/strict/file_contexts/program/spamd.fc b/strict/file_contexts/program/spamd.fc
deleted file mode 100644
index c2f6ee6..0000000
--- a/strict/file_contexts/program/spamd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/spamd		--	system_u:object_r:spamd_exec_t
-/usr/bin/spamd		--	system_u:object_r:spamd_exec_t
-/usr/bin/sa-learn	--	system_u:object_r:spamd_exec_t
diff --git a/strict/file_contexts/program/speedmgmt.fc b/strict/file_contexts/program/speedmgmt.fc
deleted file mode 100644
index 486906e..0000000
--- a/strict/file_contexts/program/speedmgmt.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# speedmgmt
-/usr/sbin/speedmgmt	--	system_u:object_r:speedmgmt_exec_t
diff --git a/strict/file_contexts/program/squid.fc b/strict/file_contexts/program/squid.fc
deleted file mode 100644
index 36fb201..0000000
--- a/strict/file_contexts/program/squid.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# squid
-/usr/sbin/squid		--	system_u:object_r:squid_exec_t
-/var/cache/squid(/.*)?		system_u:object_r:squid_cache_t
-/var/spool/squid(/.*)?		system_u:object_r:squid_cache_t
-/var/log/squid(/.*)?		system_u:object_r:squid_log_t
-/etc/squid(/.*)?		system_u:object_r:squid_conf_t
-/var/run/squid\.pid	--	system_u:object_r:squid_var_run_t
-/usr/share/squid(/.*)?		system_u:object_r:squid_conf_t
diff --git a/strict/file_contexts/program/ssh-agent.fc b/strict/file_contexts/program/ssh-agent.fc
deleted file mode 100644
index 512eb47..0000000
--- a/strict/file_contexts/program/ssh-agent.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# ssh-agent
-/usr/bin/ssh-agent	--	system_u:object_r:ssh_agent_exec_t
diff --git a/strict/file_contexts/program/ssh.fc b/strict/file_contexts/program/ssh.fc
deleted file mode 100644
index 3cd1d0c..0000000
--- a/strict/file_contexts/program/ssh.fc
+++ /dev/null
@@ -1,21 +0,0 @@
-# ssh
-/usr/bin/ssh		--	system_u:object_r:ssh_exec_t
-/usr/libexec/openssh/ssh-keysign -- system_u:object_r:ssh_keysign_exec_t
-/usr/bin/ssh-keygen	--	system_u:object_r:ssh_keygen_exec_t
-# sshd
-/etc/ssh/primes		--	system_u:object_r:sshd_key_t
-/etc/ssh/ssh_host_key 	--	system_u:object_r:sshd_key_t
-/etc/ssh/ssh_host_dsa_key --	system_u:object_r:sshd_key_t
-/etc/ssh/ssh_host_rsa_key --	system_u:object_r:sshd_key_t
-/usr/sbin/sshd	        --	system_u:object_r:sshd_exec_t
-/var/run/sshd\.init\.pid	--	system_u:object_r:sshd_var_run_t
-# subsystems
-/usr/lib(64)?/misc/sftp-server --	system_u:object_r:bin_t
-/usr/libexec/openssh/sftp-server -- system_u:object_r:bin_t
-/usr/lib(64)?/sftp-server	--	system_u:object_r:bin_t
-ifdef(`distro_suse', `
-/usr/lib(64)?/ssh/.*	--	system_u:object_r:bin_t
-')
-ifdef(`targeted_policy', `', `
-HOME_DIR/\.ssh(/.*)?		system_u:object_r:ROLE_home_ssh_t
-')
diff --git a/strict/file_contexts/program/stunnel.fc b/strict/file_contexts/program/stunnel.fc
deleted file mode 100644
index b48384a..0000000
--- a/strict/file_contexts/program/stunnel.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/stunnel	--	system_u:object_r:stunnel_exec_t
-/etc/stunnel(/.*)?          	system_u:object_r:stunnel_etc_t
-/var/run/stunnel(/.*)?		system_u:object_r:stunnel_var_run_t
diff --git a/strict/file_contexts/program/su.fc b/strict/file_contexts/program/su.fc
deleted file mode 100644
index 1413dfe..0000000
--- a/strict/file_contexts/program/su.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# su
-/bin/su			--	system_u:object_r:su_exec_t
diff --git a/strict/file_contexts/program/sudo.fc b/strict/file_contexts/program/sudo.fc
deleted file mode 100644
index d733894..0000000
--- a/strict/file_contexts/program/sudo.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# sudo
-/usr/bin/sudo(edit)?	--	system_u:object_r:sudo_exec_t
-
diff --git a/strict/file_contexts/program/sulogin.fc b/strict/file_contexts/program/sulogin.fc
deleted file mode 100644
index eb719dc..0000000
--- a/strict/file_contexts/program/sulogin.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# sulogin
-/sbin/sulogin		--	system_u:object_r:sulogin_exec_t
diff --git a/strict/file_contexts/program/swat.fc b/strict/file_contexts/program/swat.fc
deleted file mode 100644
index 721c229..0000000
--- a/strict/file_contexts/program/swat.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# samba management tool
-/usr/sbin/swat	--	system_u:object_r:swat_exec_t
diff --git a/strict/file_contexts/program/sxid.fc b/strict/file_contexts/program/sxid.fc
deleted file mode 100644
index e9126bc..0000000
--- a/strict/file_contexts/program/sxid.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# sxid - ldap server
-/usr/bin/sxid		--	system_u:object_r:sxid_exec_t
-/var/log/sxid\.log.*	--	system_u:object_r:sxid_log_t
-/var/log/setuid\.today.* --	system_u:object_r:sxid_log_t
-/usr/sbin/checksecurity\.se --	system_u:object_r:sxid_exec_t
-/var/log/setuid.*	--	system_u:object_r:sxid_log_t
diff --git a/strict/file_contexts/program/syslogd.fc b/strict/file_contexts/program/syslogd.fc
deleted file mode 100644
index 7a01720..0000000
--- a/strict/file_contexts/program/syslogd.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# syslogd
-/sbin/syslogd		--	system_u:object_r:syslogd_exec_t
-/sbin/minilogd		--	system_u:object_r:syslogd_exec_t
-/usr/sbin/syslogd	--	system_u:object_r:syslogd_exec_t
-/sbin/syslog-ng		--	system_u:object_r:syslogd_exec_t
-/dev/log		-s	system_u:object_r:devlog_t
-/var/run/log		-s	system_u:object_r:devlog_t
-ifdef(`distro_suse', `
-/var/lib/stunnel/dev/log	-s	system_u:object_r:devlog_t
-')
-/var/run/syslogd\.pid	--	system_u:object_r:syslogd_var_run_t
diff --git a/strict/file_contexts/program/sysstat.fc b/strict/file_contexts/program/sysstat.fc
deleted file mode 100644
index 2637b68..0000000
--- a/strict/file_contexts/program/sysstat.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# sysstat and other sar programs
-/usr/lib(64)?/atsar/atsa.*	--	system_u:object_r:sysstat_exec_t
-/usr/lib(64)?/sysstat/sa.*	--	system_u:object_r:sysstat_exec_t
-/usr/lib(64)?/sa/sadc	--	system_u:object_r:sysstat_exec_t
-/var/log/atsar(/.*)?		system_u:object_r:sysstat_log_t
-/var/log/sysstat(/.*)?		system_u:object_r:sysstat_log_t
-/var/log/sa(/.*)?		system_u:object_r:sysstat_log_t
diff --git a/strict/file_contexts/program/tcpd.fc b/strict/file_contexts/program/tcpd.fc
deleted file mode 100644
index 2e84aa8..0000000
--- a/strict/file_contexts/program/tcpd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# tcpd
-/usr/sbin/tcpd		--	system_u:object_r:tcpd_exec_t
diff --git a/strict/file_contexts/program/telnetd.fc b/strict/file_contexts/program/telnetd.fc
deleted file mode 100644
index 6b998d1..0000000
--- a/strict/file_contexts/program/telnetd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# telnetd
-/usr/sbin/in\.telnetd	--	system_u:object_r:telnetd_exec_t
-/usr/kerberos/sbin/telnetd --	system_u:object_r:telnetd_exec_t
diff --git a/strict/file_contexts/program/tftpd.fc b/strict/file_contexts/program/tftpd.fc
deleted file mode 100644
index f8bf244..0000000
--- a/strict/file_contexts/program/tftpd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# tftpd
-/usr/sbin/in\.tftpd	--	system_u:object_r:tftpd_exec_t
-/usr/sbin/atftpd	--	system_u:object_r:tftpd_exec_t
-/tftpboot(/.*)?			system_u:object_r:tftpdir_t
diff --git a/strict/file_contexts/program/thunderbird.fc b/strict/file_contexts/program/thunderbird.fc
deleted file mode 100644
index ca37346..0000000
--- a/strict/file_contexts/program/thunderbird.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/bin/thunderbird.*			--	system_u:object_r:thunderbird_exec_t
-HOME_DIR/\.thunderbird(/.*)?			system_u:object_r:ROLE_thunderbird_home_t
diff --git a/strict/file_contexts/program/timidity.fc b/strict/file_contexts/program/timidity.fc
deleted file mode 100644
index 2b44dce..0000000
--- a/strict/file_contexts/program/timidity.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# timidity
-/usr/bin/timidity	--	system_u:object_r:timidity_exec_t
diff --git a/strict/file_contexts/program/tinydns.fc b/strict/file_contexts/program/tinydns.fc
deleted file mode 100644
index 10ea1a3..0000000
--- a/strict/file_contexts/program/tinydns.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# tinydns
-/etc/tinydns(/.*)?		system_u:object_r:tinydns_conf_t
-/etc/tinydns/root/data* --      system_u:object_r:tinydns_zone_t
-/usr/bin/tinydns*	--	system_u:object_r:tinydns_exec_t
-#/var/log/dns/tinydns(/.*)	system_u:object_r:tinydns_log_t
-#/var/lib/svscan(/.*)		system_u:object_r:tinydns_svscan_t
diff --git a/strict/file_contexts/program/tmpreaper.fc b/strict/file_contexts/program/tmpreaper.fc
deleted file mode 100644
index d8ed96e..0000000
--- a/strict/file_contexts/program/tmpreaper.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# tmpreaper or tmpwatch
-/usr/sbin/tmpreaper	--	system_u:object_r:tmpreaper_exec_t
-/usr/sbin/tmpwatch	--	system_u:object_r:tmpreaper_exec_t
diff --git a/strict/file_contexts/program/traceroute.fc b/strict/file_contexts/program/traceroute.fc
deleted file mode 100644
index 66a6c5f..0000000
--- a/strict/file_contexts/program/traceroute.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# traceroute
-/bin/traceroute.*	--	system_u:object_r:traceroute_exec_t
-/bin/tracepath.*	--	system_u:object_r:traceroute_exec_t
-/usr/(s)?bin/traceroute.* --	system_u:object_r:traceroute_exec_t
-/usr/bin/lft		--	system_u:object_r:traceroute_exec_t
-/usr/bin/nmap		--	system_u:object_r:traceroute_exec_t
diff --git a/strict/file_contexts/program/transproxy.fc b/strict/file_contexts/program/transproxy.fc
deleted file mode 100644
index 2027eea..0000000
--- a/strict/file_contexts/program/transproxy.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# transproxy - http transperant proxy
-/usr/sbin/tproxy	--	system_u:object_r:transproxy_exec_t
-/var/run/tproxy\.pid	--	system_u:object_r:transproxy_var_run_t
diff --git a/strict/file_contexts/program/tripwire.fc b/strict/file_contexts/program/tripwire.fc
deleted file mode 100644
index 88afc34..0000000
--- a/strict/file_contexts/program/tripwire.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-# tripwire
-/etc/tripwire(/.*)?			system_u:object_r:tripwire_etc_t
-/usr/sbin/siggen			system_u:object_r:siggen_exec_t
-/usr/sbin/tripwire			system_u:object_r:tripwire_exec_t
-/usr/sbin/tripwire-setup-keyfiles	system_u:object_r:bin_t
-/usr/sbin/twadmin			system_u:object_r:twadmin_exec_t
-/usr/sbin/twprint			system_u:object_r:twprint_exec_t
-/var/lib/tripwire(/.*)?			system_u:object_r:tripwire_var_lib_t
-/var/lib/tripwire/report(/.*)?		system_u:object_r:tripwire_report_t
diff --git a/strict/file_contexts/program/tvtime.fc b/strict/file_contexts/program/tvtime.fc
deleted file mode 100644
index 0969e96..0000000
--- a/strict/file_contexts/program/tvtime.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# tvtime
-/usr/bin/tvtime		--	system_u:object_r:tvtime_exec_t
-
diff --git a/strict/file_contexts/program/ucspi-tcp.fc b/strict/file_contexts/program/ucspi-tcp.fc
deleted file mode 100644
index 448c1ab..0000000
--- a/strict/file_contexts/program/ucspi-tcp.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-#ucspi-tcp
-/usr/bin/tcpserver	--	system_u:object_r:utcpserver_exec_t
-/usr/bin/rblsmtpd	--	system_u:object_r:rblsmtpd_exec_t
diff --git a/strict/file_contexts/program/udev.fc b/strict/file_contexts/program/udev.fc
deleted file mode 100644
index 0b6c719..0000000
--- a/strict/file_contexts/program/udev.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-# udev
-/sbin/udevsend	--	system_u:object_r:udev_exec_t
-/sbin/udev	--	system_u:object_r:udev_exec_t
-/sbin/udevd	--	system_u:object_r:udev_exec_t
-/sbin/start_udev --	system_u:object_r:udev_exec_t
-/sbin/udevstart  --	system_u:object_r:udev_exec_t
-/usr/bin/udevinfo --	system_u:object_r:udev_exec_t
-/etc/dev\.d/.+	--	system_u:object_r:udev_helper_exec_t
-/etc/udev/scripts/.+	-- system_u:object_r:udev_helper_exec_t
-/etc/udev/devices/.*    system_u:object_r:device_t
-/etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
-/dev/udev\.tbl	--	system_u:object_r:udev_tbl_t
-/dev/\.udevdb(/.*)?	--	system_u:object_r:udev_tdb_t
-/sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t
diff --git a/strict/file_contexts/program/uml.fc b/strict/file_contexts/program/uml.fc
deleted file mode 100644
index dc1621d..0000000
--- a/strict/file_contexts/program/uml.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# User Mode Linux
-/usr/bin/uml_switch	--	system_u:object_r:uml_switch_exec_t
-/var/run/uml-utilities(/.*)?	system_u:object_r:uml_switch_var_run_t
-HOME_DIR/\.uml(/.*)?		system_u:object_r:ROLE_uml_rw_t
diff --git a/strict/file_contexts/program/uml_net.fc b/strict/file_contexts/program/uml_net.fc
deleted file mode 100644
index 67aa1f2..0000000
--- a/strict/file_contexts/program/uml_net.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# User Mode Linux
-# WARNING: Do not install this file on any machine that has hostile users.
-/usr/lib(64)?/uml/uml_net	--	system_u:object_r:uml_net_exec_t
diff --git a/strict/file_contexts/program/unconfined.fc b/strict/file_contexts/program/unconfined.fc
deleted file mode 100644
index c3a6c12..0000000
--- a/strict/file_contexts/program/unconfined.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# Add programs here which should not be confined by SELinux
-# e.g.:
-# /usr/local/bin/appsrv	--	system_u:object_r:unconfined_exec_t
diff --git a/strict/file_contexts/program/updfstab.fc b/strict/file_contexts/program/updfstab.fc
deleted file mode 100644
index dec049f..0000000
--- a/strict/file_contexts/program/updfstab.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# updfstab
-/usr/sbin/updfstab	--	system_u:object_r:updfstab_exec_t
-/usr/sbin/fstab-sync	--	system_u:object_r:updfstab_exec_t
diff --git a/strict/file_contexts/program/uptimed.fc b/strict/file_contexts/program/uptimed.fc
deleted file mode 100644
index f80ccb4..0000000
--- a/strict/file_contexts/program/uptimed.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# uptimed
-/etc/uptimed\.conf	--	system_u:object_r:uptimed_etc_t
-/usr/sbin/uptimed	--	system_u:object_r:uptimed_exec_t
-/var/spool/uptimed(/.*)?        system_u:object_r:uptimed_spool_t
diff --git a/strict/file_contexts/program/usbmodules.fc b/strict/file_contexts/program/usbmodules.fc
deleted file mode 100644
index 52e03a4..0000000
--- a/strict/file_contexts/program/usbmodules.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# usbmodules
-/usr/sbin/usbmodules	--	system_u:object_r:usbmodules_exec_t
-/sbin/usbmodules	--	system_u:object_r:usbmodules_exec_t
diff --git a/strict/file_contexts/program/useradd.fc b/strict/file_contexts/program/useradd.fc
deleted file mode 100644
index b29351b..0000000
--- a/strict/file_contexts/program/useradd.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-#useradd
-/usr/sbin/usermod	--	system_u:object_r:useradd_exec_t
-/usr/sbin/useradd	--	system_u:object_r:useradd_exec_t
-/usr/sbin/userdel	--	system_u:object_r:useradd_exec_t
-#groupadd
-/usr/sbin/groupmod	--	system_u:object_r:groupadd_exec_t
-/usr/sbin/groupadd	--	system_u:object_r:groupadd_exec_t
-/usr/sbin/groupdel	--	system_u:object_r:groupadd_exec_t
-/usr/bin/gpasswd	--	system_u:object_r:groupadd_exec_t
-/usr/sbin/gpasswd	--	system_u:object_r:groupadd_exec_t
diff --git a/strict/file_contexts/program/userhelper.fc b/strict/file_contexts/program/userhelper.fc
deleted file mode 100644
index 8623456..0000000
--- a/strict/file_contexts/program/userhelper.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/etc/security/console.apps(/.*)?	system_u:object_r:userhelper_conf_t
-/usr/sbin/userhelper		--	system_u:object_r:userhelper_exec_t
diff --git a/strict/file_contexts/program/usernetctl.fc b/strict/file_contexts/program/usernetctl.fc
deleted file mode 100644
index b9ef00f..0000000
--- a/strict/file_contexts/program/usernetctl.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# usernetctl
-/usr/sbin/usernetctl --	system_u:object_r:usernetctl_exec_t
diff --git a/strict/file_contexts/program/utempter.fc b/strict/file_contexts/program/utempter.fc
deleted file mode 100644
index 4e6670a..0000000
--- a/strict/file_contexts/program/utempter.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# utempter
-/usr/sbin/utempter	--	system_u:object_r:utempter_exec_t
diff --git a/strict/file_contexts/program/uucpd.fc b/strict/file_contexts/program/uucpd.fc
deleted file mode 100644
index db5a257..0000000
--- a/strict/file_contexts/program/uucpd.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# uucico program
-/usr/sbin/uucico	--	system_u:object_r:uucpd_exec_t
-/var/spool/uucp(/.*)?		system_u:object_r:uucpd_spool_t
-/var/spool/uucppublic(/.*)?	system_u:object_r:uucpd_spool_t
-/var/log/uucp(/.*)?		system_u:object_r:uucpd_log_t
diff --git a/strict/file_contexts/program/uwimapd.fc b/strict/file_contexts/program/uwimapd.fc
deleted file mode 100644
index 00f9073..0000000
--- a/strict/file_contexts/program/uwimapd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# uw-imapd and uw-imapd-ssl
-/usr/sbin/imapd		-- system_u:object_r:imapd_exec_t
diff --git a/strict/file_contexts/program/vmware.fc b/strict/file_contexts/program/vmware.fc
deleted file mode 100644
index d015988..0000000
--- a/strict/file_contexts/program/vmware.fc
+++ /dev/null
@@ -1,42 +0,0 @@
-#
-# File contexts for VMWare.
-# Contributed by Mark Westerman (mark.westerman@westcam.com)
-# Changes made by NAI Labs.
-# Tested with VMWare 3.1
-#
-/usr/bin/vmnet-bridge	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-dhcpd	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-natd	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-netifup	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-sniffer	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmware-nmbd	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmware-ping	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmware-smbd	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmware-smbpasswd --	system_u:object_r:vmware_exec_t
-/usr/bin/vmware-smbpasswd\.bin -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-wizard	--	system_u:object_r:vmware_user_exec_t
-/usr/bin/vmware		--	system_u:object_r:vmware_user_exec_t
-
-/dev/vmmon		-c	system_u:object_r:vmware_device_t
-/dev/vmnet.*		-c	system_u:object_r:vmware_device_t
-/dev/plex86		-c	system_u:object_r:vmware_device_t
-
-/etc/vmware.*(/.*)?		system_u:object_r:vmware_sys_conf_t
-/usr/lib(64)?/vmware/config	--	system_u:object_r:vmware_sys_conf_t
-
-/usr/lib(64)?/vmware/bin/vmware-mks -- system_u:object_r:vmware_user_exec_t
-/usr/lib(64)?/vmware/bin/vmware-ui -- system_u:object_r:vmware_user_exec_t
-
-#
-# This is only an example of how to protect vmware session configuration
-# files.  A general user can execute vmware and start a vmware session
-# but the user can not modify the session configuration information
-#/usr/local/vmware(/.*)?	system_u:object_r:vmware_user_file_t
-#/usr/local/vmware/[^/]*/.*\.cfg -- system_u:object_r:vmware_user_conf_t
-
-# The rules below assume that the user VMWare virtual disks are in the
-# ~/vmware, and the preferences and license files are in ~/.vmware.
-#
-HOME_DIR/\.vmware(/.*)?	system_u:object_r:ROLE_vmware_file_t
-HOME_DIR/vmware(/.*)?	system_u:object_r:ROLE_vmware_file_t
-HOME_DIR/\.vmware[^/]*/.*\.cfg	--	system_u:object_r:ROLE_vmware_conf_t
diff --git a/strict/file_contexts/program/vpnc.fc b/strict/file_contexts/program/vpnc.fc
deleted file mode 100644
index afaea76..0000000
--- a/strict/file_contexts/program/vpnc.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# vpnc
-/usr/sbin/vpnc		--	system_u:object_r:vpnc_exec_t
-/sbin/vpnc		--	system_u:object_r:vpnc_exec_t
-/etc/vpnc/vpnc-script	--	system_u:object_r:bin_t
diff --git a/strict/file_contexts/program/watchdog.fc b/strict/file_contexts/program/watchdog.fc
deleted file mode 100644
index d7a8c7f..0000000
--- a/strict/file_contexts/program/watchdog.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# watchdog
-/usr/sbin/watchdog	--	system_u:object_r:watchdog_exec_t
-/dev/watchdog		-c	system_u:object_r:watchdog_device_t
-/var/log/watchdog(/.*)?		system_u:object_r:watchdog_log_t
-/var/run/watchdog\.pid	--	system_u:object_r:watchdog_var_run_t
diff --git a/strict/file_contexts/program/webalizer.fc b/strict/file_contexts/program/webalizer.fc
deleted file mode 100644
index 5c11bcf..0000000
--- a/strict/file_contexts/program/webalizer.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-#
-/usr/bin/webalizer	--	system_u:object_r:webalizer_exec_t
-/var/lib/webalizer(/.*)		system_u:object_r:webalizer_var_lib_t
diff --git a/strict/file_contexts/program/winbind.fc b/strict/file_contexts/program/winbind.fc
deleted file mode 100644
index 9486f91..0000000
--- a/strict/file_contexts/program/winbind.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/usr/sbin/winbindd	--	system_u:object_r:winbind_exec_t
-/var/run/winbindd(/.*)?		system_u:object_r:winbind_var_run_t
-ifdef(`samba.te', `', `
-/var/log/samba(/.*)?		system_u:object_r:samba_log_t
-/etc/samba(/.*)?		system_u:object_r:samba_etc_t
-/etc/samba/secrets\.tdb	--	system_u:object_r:samba_secrets_t
-/etc/samba/MACHINE\.SID	--	system_u:object_r:samba_secrets_t
-/var/cache/samba(/.*)?		system_u:object_r:samba_var_t
-')
-/var/cache/samba/winbindd_privileged(/.*)?	system_u:object_r:winbind_var_run_t
-/usr/bin/ntlm_auth --	system_u:object_r:winbind_helper_exec_t
diff --git a/strict/file_contexts/program/xauth.fc b/strict/file_contexts/program/xauth.fc
deleted file mode 100644
index 055fc2f..0000000
--- a/strict/file_contexts/program/xauth.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# xauth
-/usr/X11R6/bin/xauth	--	system_u:object_r:xauth_exec_t
-HOME_DIR/\.xauth.*	--	system_u:object_r:ROLE_xauth_home_t
-HOME_DIR/\.Xauthority.* --	system_u:object_r:ROLE_xauth_home_t
diff --git a/strict/file_contexts/program/xdm.fc b/strict/file_contexts/program/xdm.fc
deleted file mode 100644
index 16c2d7d..0000000
--- a/strict/file_contexts/program/xdm.fc
+++ /dev/null
@@ -1,40 +0,0 @@
-# X Display Manager
-/usr/bin/[xgkw]dm	--	system_u:object_r:xdm_exec_t
-/usr/X11R6/bin/[xgkw]dm	--	system_u:object_r:xdm_exec_t
-/opt/kde3/bin/kdm	--	system_u:object_r:xdm_exec_t
-/usr/bin/gpe-dm		--	system_u:object_r:xdm_exec_t
-/usr/(s)?bin/gdm-binary	--	system_u:object_r:xdm_exec_t
-/var/[xgk]dm(/.*)?		system_u:object_r:xserver_log_t
-/usr/var/[xgkw]dm(/.*)?		system_u:object_r:xserver_log_t
-/var/log/[kw]dm\.log	--	system_u:object_r:xserver_log_t
-/var/log/gdm(/.*)?		system_u:object_r:xserver_log_t
-/tmp/\.X0-lock		--	system_u:object_r:xdm_xserver_tmp_t
-/etc/X11/Xsession[^/]*	--	system_u:object_r:xsession_exec_t
-/etc/X11/wdm(/.*)?		system_u:object_r:xdm_rw_etc_t
-/etc/X11/wdm/Xsetup.*	--	system_u:object_r:xsession_exec_t
-/etc/X11/wdm/Xstartup.*	--	system_u:object_r:xsession_exec_t
-/etc/X11/[wx]dm/Xreset.*	--	system_u:object_r:xsession_exec_t
-/etc/X11/[wx]dm/Xsession	--	system_u:object_r:xsession_exec_t
-/etc/kde/kdm/Xsession	--	system_u:object_r:xsession_exec_t
-/var/run/xdmctl(/.*)?		system_u:object_r:xdm_var_run_t
-/var/run/xdm\.pid	--	system_u:object_r:xdm_var_run_t
-/var/lib/[xkw]dm(/.*)?		system_u:object_r:xdm_var_lib_t
-ifdef(`distro_suse', `
-/var/lib/pam_devperm/:0	--	system_u:object_r:xdm_var_lib_t
-')
-
-#
-# Additional Xsession scripts
-#
-/etc/X11/xdm/GiveConsole	--	system_u:object_r:bin_t
-/etc/X11/xdm/TakeConsole	--	system_u:object_r:bin_t
-/etc/X11/xdm/Xsetup_0		--	system_u:object_r:bin_t
-/etc/X11/xinit(/.*)?			system_u:object_r:bin_t
-#
-# Rules for kde login
-#
-/etc/kde3?/kdm/Xstartup   --		system_u:object_r:xsession_exec_t
-/etc/kde3?/kdm/Xreset     --		system_u:object_r:xsession_exec_t
-/etc/kde3?/kdm/Xsession		--	system_u:object_r:xsession_exec_t
-/etc/kde3?/kdm/backgroundrc	system_u:object_r:xdm_var_run_t
-/usr/lib(64)?/qt-.*/etc/settings(/.*)?	system_u:object_r:xdm_var_run_t
diff --git a/strict/file_contexts/program/xfs.fc b/strict/file_contexts/program/xfs.fc
deleted file mode 100644
index 9edae3f..0000000
--- a/strict/file_contexts/program/xfs.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# xfs
-/tmp/\.font-unix(/.*)?		system_u:object_r:xfs_tmp_t
-/usr/X11R6/bin/xfs	--	system_u:object_r:xfs_exec_t
-/usr/X11R6/bin/xfs-xtt	--	system_u:object_r:xfs_exec_t
-/usr/bin/xfstt		--	system_u:object_r:xfs_exec_t
diff --git a/strict/file_contexts/program/xprint.fc b/strict/file_contexts/program/xprint.fc
deleted file mode 100644
index 3c72a77..0000000
--- a/strict/file_contexts/program/xprint.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/Xprt	--	system_u:object_r:xprint_exec_t
diff --git a/strict/file_contexts/program/xserver.fc b/strict/file_contexts/program/xserver.fc
deleted file mode 100644
index 3d48a6f..0000000
--- a/strict/file_contexts/program/xserver.fc
+++ /dev/null
@@ -1,17 +0,0 @@
-# X server
-/usr/X11R6/bin/Xwrapper	--	system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/X	--	system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/XFree86	--	system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/Xorg	--	system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/Xipaq	--	system_u:object_r:xserver_exec_t
-/var/lib/xkb(/.*)?		system_u:object_r:xkb_var_lib_t
-/usr/X11R6/lib/X11/xkb	-d	system_u:object_r:xkb_var_lib_t
-/usr/X11R6/lib/X11/xkb/.* --	system_u:object_r:xkb_var_lib_t
-/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- system_u:object_r:bin_t
-/var/log/XFree86.*	--	system_u:object_r:xserver_log_t
-/var/log/Xorg.*		--	system_u:object_r:xserver_log_t
-/etc/init\.d/xfree86-common --	system_u:object_r:xserver_exec_t
-/tmp/\.X11-unix		-d	system_u:object_r:xdm_tmp_t
-/tmp/\.X11-unix/.*	-s	<<none>>
-/tmp/\.ICE-unix		-d	system_u:object_r:ice_tmp_t
-/tmp/\.ICE-unix/.*	-s	<<none>>
diff --git a/strict/file_contexts/program/yam.fc b/strict/file_contexts/program/yam.fc
deleted file mode 100644
index 023b740..0000000
--- a/strict/file_contexts/program/yam.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# yam
-/etc/yam.conf		--	system_u:object_r:yam_etc_t
-/usr/bin/yam			system_u:object_r:yam_exec_t
-/var/yam(/.*)?			system_u:object_r:yam_content_t
-/var/www/yam(/.*)?		system_u:object_r:yam_content_t
diff --git a/strict/file_contexts/program/ypbind.fc b/strict/file_contexts/program/ypbind.fc
deleted file mode 100644
index c700d92..0000000
--- a/strict/file_contexts/program/ypbind.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# ypbind
-/sbin/ypbind		--	system_u:object_r:ypbind_exec_t
diff --git a/strict/file_contexts/program/yppasswdd.fc b/strict/file_contexts/program/yppasswdd.fc
deleted file mode 100644
index e390bd8..0000000
--- a/strict/file_contexts/program/yppasswdd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# yppasswd
-/usr/sbin/rpc.yppasswdd		--	system_u:object_r:yppasswdd_exec_t
diff --git a/strict/file_contexts/program/ypserv.fc b/strict/file_contexts/program/ypserv.fc
deleted file mode 100644
index 519a5a4..0000000
--- a/strict/file_contexts/program/ypserv.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# ypserv
-/usr/sbin/ypserv		--	system_u:object_r:ypserv_exec_t
-/usr/lib/yp/.+			--	system_u:object_r:bin_t
-/etc/ypserv\.conf		--	system_u:object_r:ypserv_conf_t
diff --git a/strict/file_contexts/program/zebra.fc b/strict/file_contexts/program/zebra.fc
deleted file mode 100644
index e524355..0000000
--- a/strict/file_contexts/program/zebra.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# Zebra - BGP daemon
-/usr/sbin/zebra		--	system_u:object_r:zebra_exec_t
-/usr/sbin/bgpd		--	system_u:object_r:zebra_exec_t
-/var/log/zebra(/.*)?		system_u:object_r:zebra_log_t
-/etc/zebra(/.*)?		system_u:object_r:zebra_conf_t
-/var/run/\.zserv	-s	system_u:object_r:zebra_var_run_t
-/var/run/\.zebra	-s	system_u:object_r:zebra_var_run_t
-# Quagga
-/usr/sbin/rip.*  	--	system_u:object_r:zebra_exec_t
-/usr/sbin/ospf.*  	--	system_u:object_r:zebra_exec_t
-/etc/quagga(/.*)?		system_u:object_r:zebra_conf_t
-/var/log/quagga(/.*)?		system_u:object_r:zebra_log_t
-/var/run/quagga(/.*)?		system_u:object_r:zebra_var_run_t
diff --git a/strict/file_contexts/types.fc b/strict/file_contexts/types.fc
deleted file mode 100644
index d8fe1b6..0000000
--- a/strict/file_contexts/types.fc
+++ /dev/null
@@ -1,515 +0,0 @@
-#
-# This file describes the security contexts to be applied to files
-# when the security policy is installed.  The setfiles program
-# reads this file and labels files accordingly.
-#
-# Each specification has the form:
-#       regexp [ -type ] ( context | <<none>> )
-#
-# By default, the regexp is an anchored match on both ends (i.e. a 
-# caret (^) is prepended and a dollar sign ($) is appended automatically).
-# This default may be overridden by using .* at the beginning and/or
-# end of the regular expression.  
-#
-# The optional type field specifies the file type as shown in the mode
-# field by ls, e.g. use -d to match only directories or -- to match only
-# regular files.
-#
-# The value of <<none> may be used to indicate that matching files
-# should not be relabeled.
-#
-# The last matching specification is used.
-#
-# If there are multiple hard links to a file that match
-# different specifications and those specifications indicate
-# different security contexts, then a warning is displayed
-# but the file is still labeled based on the last matching
-# specification other than <<none>>.
-#
-# Some of the files listed here get re-created during boot and therefore
-# need type transition rules to retain the correct type. These files are
-# listed here anyway so that if the setfiles program is used on a running
-# system it does not relabel them to something we do not want. An example of
-# this is /var/run/utmp.
-#
-
-#
-# The security context for all files not otherwise specified.
-#
-/.*				system_u:object_r:default_t
-
-#
-# The root directory.
-#
-/			-d	system_u:object_r:root_t
-
-#
-# Ordinary user home directories.
-# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
-# HOME_DIR expands to each users home directory,
-#                  and to HOME_ROOT/[^/]+ for each HOME_ROOT.
-# ROLE expands to each users role when role != user_r, and to "user" otherwise.
-#
-HOME_ROOT		-d	system_u:object_r:home_root_t
-HOME_DIR		-d	system_u:object_r:ROLE_home_dir_t
-HOME_DIR/.+			system_u:object_r:ROLE_home_t
-
-/root/\.default_contexts	-- 	system_u:object_r:default_context_t
-
-#
-# Mount points; do not relabel subdirectories, since
-# we do not want to change any removable media by default.
-/mnt(/[^/]*)?		-d	system_u:object_r:mnt_t
-/mnt/[^/]*/.*			<<none>>
-/media(/[^/]*)?		-d	system_u:object_r:mnt_t
-/media/[^/]*/.*			<<none>>
-
-#
-# /var
-#
-/var(/.*)?			system_u:object_r:var_t
-/var/cache/man(/.*)?		system_u:object_r:man_t
-/var/yp(/.*)?			system_u:object_r:var_yp_t
-/var/lib(/.*)?			system_u:object_r:var_lib_t
-/var/lib/nfs(/.*)?		system_u:object_r:var_lib_nfs_t
-/var/lib/texmf(/.*)?		system_u:object_r:tetex_data_t
-/var/cache/fonts(/.*)?		system_u:object_r:tetex_data_t
-/var/lock(/.*)?			system_u:object_r:var_lock_t
-/var/tmp		-d	system_u:object_r:tmp_t
-/var/tmp/.*			<<none>>
-/var/tmp/vi\.recover	-d	system_u:object_r:tmp_t
-/var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
-/var/mailman/bin(/.*)?		system_u:object_r:bin_t
-/var/mailman/pythonlib(/.*)?/.*\.so(\..*)?	-- system_u:object_r:shlib_t
-
-#
-# /var/ftp
-#
-/var/ftp/bin(/.*)?		system_u:object_r:bin_t
-/var/ftp/bin/ls		--	system_u:object_r:ls_exec_t
-/var/ftp/lib(64)?(/.*)?		system_u:object_r:lib_t
-/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* --	system_u:object_r:ld_so_t
-/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t
-/var/ftp/etc(/.*)?		system_u:object_r:etc_t
-
-#
-# /bin
-#
-/bin(/.*)?			system_u:object_r:bin_t
-/bin/tcsh		--	system_u:object_r:shell_exec_t
-/bin/bash		--	system_u:object_r:shell_exec_t
-/bin/bash2		--	system_u:object_r:shell_exec_t
-/bin/sash		--	system_u:object_r:shell_exec_t
-/bin/d?ash		--	system_u:object_r:shell_exec_t
-/bin/zsh.*		--	system_u:object_r:shell_exec_t
-/usr/sbin/sesh		--	system_u:object_r:shell_exec_t
-/bin/ls			--	system_u:object_r:ls_exec_t
-
-#
-# /boot
-#
-/boot(/.*)?			system_u:object_r:boot_t
-/boot/System\.map(-.*)?		system_u:object_r:system_map_t
-
-#
-# /dev
-#
-/dev(/.*)?			system_u:object_r:device_t
-/dev/pts(/.*)?		<<none>>
-/dev/cpu/.*		-c	system_u:object_r:cpu_device_t
-/dev/microcode	-c	system_u:object_r:cpu_device_t
-/dev/MAKEDEV		--	system_u:object_r:sbin_t
-/dev/null		-c	system_u:object_r:null_device_t
-/dev/full		-c	system_u:object_r:null_device_t
-/dev/zero		-c	system_u:object_r:zero_device_t
-/dev/console		-c	system_u:object_r:console_device_t
-/dev/xconsole		-p	system_u:object_r:xconsole_device_t
-/dev/(kmem|mem|port)	-c	system_u:object_r:memory_device_t
-/dev/nvram		-c	system_u:object_r:memory_device_t
-/dev/random		-c	system_u:object_r:random_device_t
-/dev/urandom		-c	system_u:object_r:urandom_device_t
-/dev/adb.*		-c	system_u:object_r:tty_device_t
-/dev/capi.*		-c	system_u:object_r:tty_device_t
-/dev/dcbri[0-9]+	-c	system_u:object_r:tty_device_t
-/dev/irlpt[0-9]+	-c	system_u:object_r:printer_device_t
-/dev/ircomm[0-9]+	-c	system_u:object_r:tty_device_t
-/dev/rfcomm[0-9]+	-c	system_u:object_r:tty_device_t
-/dev/isdn.*		-c	system_u:object_r:tty_device_t
-/dev/.*tty[^/]*	-c	system_u:object_r:tty_device_t
-/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f]	-c system_u:object_r:bsdpty_device_t
-/dev/cu.*		-c	system_u:object_r:tty_device_t
-/dev/vcs[^/]*		-c	system_u:object_r:tty_device_t
-/dev/ip2[^/]*		-c	system_u:object_r:tty_device_t
-/dev/hvc.*		-c	system_u:object_r:tty_device_t
-/dev/hvsi.*		-c	system_u:object_r:tty_device_t
-/dev/ttySG.*		-c	system_u:object_r:tty_device_t
-/dev/tty		-c	system_u:object_r:devtty_t
-/dev/lp.*		-c	system_u:object_r:printer_device_t
-/dev/par.*		-c	system_u:object_r:printer_device_t
-/dev/usb/lp.*		-c	system_u:object_r:printer_device_t
-/dev/usblp.*		-c	system_u:object_r:printer_device_t
-ifdef(`distro_redhat', `
-/dev/root		-b	system_u:object_r:fixed_disk_device_t
-')
-/dev/[shmx]d[^/]*	-b	system_u:object_r:fixed_disk_device_t
-/dev/dm-[0-9]+	-b	system_u:object_r:fixed_disk_device_t
-/dev/sg[0-9]+		-c	system_u:object_r:scsi_generic_device_t
-/dev/rd.*		-b	system_u:object_r:fixed_disk_device_t
-/dev/i2o/hd[^/]*	-b	system_u:object_r:fixed_disk_device_t
-/dev/ubd[^/]*		-b	system_u:object_r:fixed_disk_device_t
-/dev/cciss/[^/]*	-b	system_u:object_r:fixed_disk_device_t
-/dev/mapper/.*		-b	system_u:object_r:fixed_disk_device_t
-/dev/ida/[^/]*	-b	system_u:object_r:fixed_disk_device_t
-/dev/dasd[^/]*	-b	system_u:object_r:fixed_disk_device_t
-/dev/flash[^/]*	-b	system_u:object_r:fixed_disk_device_t
-/dev/nb[^/]+		-b	system_u:object_r:fixed_disk_device_t
-/dev/ataraid/.*	-b	system_u:object_r:fixed_disk_device_t
-/dev/loop.*		-b	system_u:object_r:fixed_disk_device_t
-/dev/net/.*		-c	system_u:object_r:tun_tap_device_t
-/dev/ram.*		-b	system_u:object_r:fixed_disk_device_t
-/dev/rawctl		-c	system_u:object_r:fixed_disk_device_t
-/dev/raw/raw[0-9]+	-c	system_u:object_r:fixed_disk_device_t
-/dev/scramdisk/.*	-b	system_u:object_r:fixed_disk_device_t
-/dev/initrd		-b	system_u:object_r:fixed_disk_device_t
-/dev/jsfd		-b	system_u:object_r:fixed_disk_device_t
-/dev/js.*		-c	system_u:object_r:mouse_device_t
-/dev/jsflash		-c	system_u:object_r:fixed_disk_device_t
-/dev/s(cd|r)[^/]*	-b	system_u:object_r:removable_device_t
-/dev/usb/rio500	-c	system_u:object_r:removable_device_t
-/dev/fd[^/]+		-b	system_u:object_r:removable_device_t
-# I think a parallel port disk is a removable device...
-/dev/pd[a-d][^/]*	-b	system_u:object_r:removable_device_t
-/dev/p[fg][0-3]	-b	system_u:object_r:removable_device_t
-/dev/aztcd		-b	system_u:object_r:removable_device_t
-/dev/bpcd		-b	system_u:object_r:removable_device_t
-/dev/gscd		-b	system_u:object_r:removable_device_t
-/dev/hitcd		-b	system_u:object_r:removable_device_t
-/dev/pcd[0-3]		-b	system_u:object_r:removable_device_t
-/dev/mcdx?		-b	system_u:object_r:removable_device_t
-/dev/cdu.*		-b	system_u:object_r:removable_device_t
-/dev/cm20.*		-b	system_u:object_r:removable_device_t
-/dev/optcd		-b	system_u:object_r:removable_device_t
-/dev/sbpcd.*		-b	system_u:object_r:removable_device_t
-/dev/sjcd		-b	system_u:object_r:removable_device_t
-/dev/sonycd		-b	system_u:object_r:removable_device_t
-# parallel port ATAPI generic device
-/dev/pg[0-3]		-c	system_u:object_r:removable_device_t
-/dev/rtc		-c	system_u:object_r:clock_device_t
-/dev/psaux		-c	system_u:object_r:mouse_device_t
-/dev/atibm		-c	system_u:object_r:mouse_device_t
-/dev/logibm		-c	system_u:object_r:mouse_device_t
-/dev/.*mouse.*	-c	system_u:object_r:mouse_device_t
-/dev/input/.*mouse.*	-c	system_u:object_r:mouse_device_t
-/dev/input/event.*	-c	system_u:object_r:event_device_t
-/dev/input/mice	-c	system_u:object_r:mouse_device_t
-/dev/input/js.*	-c	system_u:object_r:mouse_device_t
-/dev/ptmx		-c	system_u:object_r:ptmx_t
-/dev/sequencer	-c	system_u:object_r:misc_device_t
-/dev/fb[0-9]*		-c	system_u:object_r:framebuf_device_t
-/dev/apm_bios		-c	system_u:object_r:apm_bios_t
-/dev/cpu/mtrr		-c	system_u:object_r:mtrr_device_t
-/dev/pmu		-c	system_u:object_r:power_device_t
-/dev/(radio|video|vbi|vtx).* -c	system_u:object_r:v4l_device_t
-/dev/winradio.	-c	system_u:object_r:v4l_device_t
-/dev/vttuner		-c	system_u:object_r:v4l_device_t
-/dev/tlk[0-3]		-c	system_u:object_r:v4l_device_t
-/dev/adsp		-c	system_u:object_r:sound_device_t
-/dev/mixer.*		-c	system_u:object_r:sound_device_t
-/dev/dsp.*		-c	system_u:object_r:sound_device_t
-/dev/audio.*		-c	system_u:object_r:sound_device_t
-/dev/r?midi.*		-c	system_u:object_r:sound_device_t
-/dev/sequencer2	-c	system_u:object_r:sound_device_t
-/dev/smpte.*		-c	system_u:object_r:sound_device_t
-/dev/sndstat		-c	system_u:object_r:sound_device_t
-/dev/beep		-c	system_u:object_r:sound_device_t
-/dev/patmgr[01]	-c	system_u:object_r:sound_device_t
-/dev/mpu401.*		-c	system_u:object_r:sound_device_t
-/dev/srnd[0-7]	-c	system_u:object_r:sound_device_t
-/dev/aload.*		-c	system_u:object_r:sound_device_t
-/dev/amidi.*		-c	system_u:object_r:sound_device_t
-/dev/amixer.*		-c	system_u:object_r:sound_device_t
-/dev/snd/.*		-c	system_u:object_r:sound_device_t
-/dev/n?[hs]t[0-9].*	-c	system_u:object_r:tape_device_t
-/dev/n?(raw)?[qr]ft[0-3] -c	system_u:object_r:tape_device_t
-/dev/n?z?qft[0-3]	-c	system_u:object_r:tape_device_t
-/dev/n?tpqic[12].*	-c	system_u:object_r:tape_device_t
-/dev/ht[0-1]		-b	system_u:object_r:tape_device_t
-/dev/n?osst[0-3].*	-c	system_u:object_r:tape_device_t
-/dev/n?pt[0-9]+	-c	system_u:object_r:tape_device_t
-/dev/tape.*		-c	system_u:object_r:tape_device_t
-ifdef(`distro_suse', `
-/dev/usbscanner	-c	system_u:object_r:scanner_device_t
-')
-/dev/usb/scanner.*	-c	system_u:object_r:scanner_device_t
-/dev/usb/dc2xx.*	-c	system_u:object_r:scanner_device_t
-/dev/usb/mdc800.*	-c	system_u:object_r:scanner_device_t
-/dev/usb/tty.*	-c	system_u:object_r:usbtty_device_t
-/dev/mmetfgrab	-c	system_u:object_r:scanner_device_t
-/dev/nvidia.*		-c	system_u:object_r:xserver_misc_device_t
-/dev/dri/.+		-c	system_u:object_r:dri_device_t
-/dev/radeon		-c	system_u:object_r:dri_device_t
-/dev/agpgart		-c	system_u:object_r:agp_device_t
-/dev/z90crypt		-c	system_u:object_r:crypt_device_t
-
-#
-# Misc
-#
-/proc(/.*)?			<<none>>
-/sys(/.*)?			<<none>>
-/selinux(/.*)?			<<none>>
-
-#
-# /opt
-#
-/opt(/.*)?			system_u:object_r:usr_t
-/opt(/.*)?/lib(64)?(/.*)?				system_u:object_r:lib_t
-/opt(/.*)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
-/opt(/.*)?/libexec(/.*)?	system_u:object_r:bin_t
-/opt(/.*)?/bin(/.*)?		system_u:object_r:bin_t
-/opt(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t
-/opt(/.*)?/man(/.*)?		system_u:object_r:man_t
-/opt(/.*)?/var/lib(64)?(/.*)?		system_u:object_r:var_lib_t
-
-#
-# /etc
-#
-/etc(/.*)?			system_u:object_r:etc_t
-/var/db/.*\.db		--	system_u:object_r:etc_t
-/etc/\.pwd\.lock	--	system_u:object_r:shadow_t
-/etc/passwd\.lock	--	system_u:object_r:shadow_t
-/etc/group\.lock	--	system_u:object_r:shadow_t
-/etc/shadow.*		--	system_u:object_r:shadow_t
-/etc/gshadow.*		--	system_u:object_r:shadow_t
-/var/db/shadow.*	--	system_u:object_r:shadow_t
-/etc/blkid\.tab.*	--	system_u:object_r:etc_runtime_t
-/etc/fstab\.REVOKE	--	system_u:object_r:etc_runtime_t
-/etc/\.fstab\.hal\..+	--	system_u:object_r:etc_runtime_t
-/etc/HOSTNAME		--	system_u:object_r:etc_runtime_t
-/etc/ioctl\.save	--	system_u:object_r:etc_runtime_t
-/etc/mtab		--	system_u:object_r:etc_runtime_t
-/etc/motd		--	system_u:object_r:etc_runtime_t
-/etc/issue		--	system_u:object_r:etc_runtime_t
-/etc/issue\.net		--	system_u:object_r:etc_runtime_t
-/etc/sysconfig/hwconf	--	system_u:object_r:etc_runtime_t
-/etc/sysconfig/iptables\.save -- system_u:object_r:etc_runtime_t
-/etc/sysconfig/firstboot --	system_u:object_r:etc_runtime_t
-/etc/asound\.state	--	system_u:object_r:etc_runtime_t
-/etc/ptal/ptal-printd-like -- 	system_u:object_r:etc_runtime_t
-ifdef(`distro_gentoo', `
-/etc/profile\.env	--	system_u:object_r:etc_runtime_t
-/etc/csh\.env		--	system_u:object_r:etc_runtime_t
-/etc/env\.d/.*		--	system_u:object_r:etc_runtime_t
-')
-/etc/ld\.so\.cache	--	system_u:object_r:ld_so_cache_t
-/etc/ld\.so\.preload	--	system_u:object_r:ld_so_cache_t
-/etc/yp\.conf.*		--	system_u:object_r:net_conf_t
-/etc/resolv\.conf.*	--	system_u:object_r:net_conf_t
-
-/etc/selinux(/.*)?		system_u:object_r:selinux_config_t
-/etc/selinux/([^/]*/)?policy(/.*)?	system_u:object_r:policy_config_t
-/etc/selinux/([^/]*/)?src(/.*)?	system_u:object_r:policy_src_t
-/etc/selinux/([^/]*/)?contexts(/.*)?	system_u:object_r:default_context_t
-/etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t
-
-
-#
-# /lib(64)?
-#
-/lib(64)?(/.*)?					system_u:object_r:lib_t
-/lib(64)?/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t
-/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t
-
-#
-# /sbin
-#
-/sbin(/.*)?			system_u:object_r:sbin_t
-
-#
-# /tmp
-#
-/tmp			-d	system_u:object_r:tmp_t
-/tmp/.*				<<none>>
-
-#
-# /usr
-#
-/usr(/.*)?			system_u:object_r:usr_t
-/usr(/.*)?/lib(64)?(/.*)?	system_u:object_r:lib_t
-/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
-/usr/lib/win32/.*	--	system_u:object_r:shlib_t
-/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t
-/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t
-/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t
-/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t
-/usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
-/usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t
-/usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t
-/usr(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t
-/usr/etc(/.*)?			system_u:object_r:etc_t
-/usr/inclu.e(/.*)?		system_u:object_r:usr_t
-/usr/libexec(/.*)?		system_u:object_r:bin_t
-/usr/src(/.*)?			system_u:object_r:src_t
-/usr/tmp		-d	system_u:object_r:tmp_t
-/usr/tmp/.*			<<none>>
-/usr/man(/.*)?			system_u:object_r:man_t
-/usr/share/man(/.*)?		system_u:object_r:man_t
-/usr/share/mc/extfs/.*	--	system_u:object_r:bin_t
-/usr/share(/.*)?/lib(64)?(/.*)?	system_u:object_r:usr_t
-/usr/share/ssl/certs(/.*)?	system_u:object_r:cert_t
-/usr/share/ssl/private(/.*)?	system_u:object_r:cert_t
-
-# nvidia share libraries
-/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
-/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
-/usr(/.*)?/nvidia/.*\.so(\..*)?	-- system_u:object_r:texrel_shlib_t
-/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t
-/usr/X11R6/lib/libXvMCNVIDIA\.so.* 	-- system_u:object_r:texrel_shlib_t
-
-# libGL
-/usr/X11R6/lib/libGL\.so.* 	-- system_u:object_r:texrel_shlib_t
-
-ifdef(`distro_debian', `
-/usr/share/selinux(/.*)?	system_u:object_r:policy_src_t
-')
-ifdef(`distro_gentoo', `
-/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	system_u:object_r:bin_t
-')
-
-#
-# /usr/lib(64)?
-#
-/usr/lib(64)?/perl5/man(/.*)?	system_u:object_r:man_t
-/usr/lib(64)?/selinux(/.*)?		system_u:object_r:policy_src_t
-/usr/lib(64)?/emacsen-common/.*	system_u:object_r:bin_t
-
-#
-# /usr/local
-#
-/usr/local/etc(/.*)?		system_u:object_r:etc_t
-/usr/local/src(/.*)?		system_u:object_r:src_t
-/usr/local/man(/.*)?		system_u:object_r:man_t
-/usr/local/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
-/usr/(local/)?lib/wine/.*\.so   --	system_u:object_r:texrel_shlib_t
-/usr/(local/)?lib/libfame-.*\.so.*    --	system_u:object_r:texrel_shlib_t
-
-
-#
-# /usr/X11R6/man
-#
-/usr/X11R6/man(/.*)?		system_u:object_r:man_t
-
-#
-# Fonts dir
-#
-/usr/X11R6/lib/X11/fonts(/.*)?		system_u:object_r:fonts_t
-ifdef(`distro_debian', `
-/var/lib/msttcorefonts(/.*)?		system_u:object_r:fonts_t
-')
-/usr/share/fonts(/.*)?			system_u:object_r:fonts_t
-/usr/share/ghostscript/fonts(/.*)?	system_u:object_r:fonts_t
-/usr/local/share/fonts(/.*)?		system_u:object_r:fonts_t
-
-#
-# /var/run
-#
-/var/run(/.*)?			system_u:object_r:var_run_t
-/var/run/.*\.*pid		<<none>>
-
-#
-# /var/spool
-#
-/var/spool(/.*)?		system_u:object_r:var_spool_t
-/var/spool/texmf(/.*)?		system_u:object_r:tetex_data_t
-/var/spool/(client)?mqueue(/.*)?	system_u:object_r:mqueue_spool_t
-
-# 
-# /var/log
-#
-/var/log(/.*)?			system_u:object_r:var_log_t
-/var/log/wtmp.*		--	system_u:object_r:wtmp_t
-/var/log/btmp.*		--	system_u:object_r:faillog_t
-/var/log/faillog	--	system_u:object_r:faillog_t
-/var/log/ksyms.*	--	system_u:object_r:var_log_ksyms_t
-/var/log/dmesg		--	system_u:object_r:var_log_t
-/var/log/lastlog	--	system_u:object_r:lastlog_t
-/var/log/ksymoops(/.*)?		system_u:object_r:var_log_ksyms_t
-/var/log/syslog		--	system_u:object_r:var_log_t
-
-#
-# Journal files
-#
-/\.journal			<<none>>
-/usr/\.journal			<<none>>
-/boot/\.journal			<<none>>
-HOME_ROOT/\.journal		<<none>>
-/var/\.journal			<<none>>
-/tmp/\.journal			<<none>>
-/usr/local/\.journal		<<none>>
-
-#
-# Lost and found directories.
-#
-/lost\+found		-d	system_u:object_r:lost_found_t
-/lost\+found/.*			<<none>>
-/usr/lost\+found	-d	system_u:object_r:lost_found_t
-/usr/lost\+found/.*		<<none>>
-/boot/lost\+found	-d	system_u:object_r:lost_found_t
-/boot/lost\+found/.*		<<none>>
-HOME_ROOT/lost\+found	-d	system_u:object_r:lost_found_t
-HOME_ROOT/lost\+found/.*	<<none>>
-/var/lost\+found	-d	system_u:object_r:lost_found_t
-/var/lost\+found/.*		<<none>>
-/tmp/lost\+found	-d	system_u:object_r:lost_found_t
-/tmp/lost\+found/.*		<<none>>
-/var/tmp/lost\+found	-d	system_u:object_r:lost_found_t
-/var/tmp/lost\+found/.*		<<none>>
-/usr/local/lost\+found	-d	system_u:object_r:lost_found_t
-/usr/local/lost\+found/.*	<<none>>
-
-#
-# system localization
-#
-/usr/share/zoneinfo(/.*)?	system_u:object_r:locale_t
-/usr/share/locale(/.*)?		system_u:object_r:locale_t
-/usr/lib/locale(/.*)?		system_u:object_r:locale_t
-/etc/localtime		--	system_u:object_r:locale_t
-/etc/localtime		-l	system_u:object_r:etc_t
-/etc/pki(/.*)?				system_u:object_r:cert_t
-
-#
-# Gnu Cash
-#
-/usr/share/gnucash/finance-quote-check -- system_u:object_r:bin_t
-/usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t
-
-#
-# Turboprint
-#
-/usr/share/turboprint/lib(/.*)? 	--     system_u:object_r:bin_t
-/usr/share/hwdata(/.*)? 	        system_u:object_r:hwdata_t
-
-#
-# initrd mount point, only used during boot
-#
-/initrd			-d	system_u:object_r:root_t
-
-#
-#  The krb5.conf file is always being tested for writability, so
-#  we defined a type to dontaudit
-#
-/etc/krb5\.conf		--	system_u:object_r:krb5_conf_t
-
-#
-# Thunderbird
-#
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird --      system_u:object_r:bin_t
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t
-/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- system_u:object_r:bin_t
-/usr/lib(64)?/[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t
-/usr/lib(64)?/[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t
-
-#
-# /srv
-#
-/srv(/.*)?			system_u:object_r:var_t
-
diff --git a/strict/flask/Makefile b/strict/flask/Makefile
deleted file mode 100644
index 970b9fe..0000000
--- a/strict/flask/Makefile
+++ /dev/null
@@ -1,41 +0,0 @@
-# flask needs to know where to export the libselinux headers.
-LIBSEL ?= ../../libselinux
-
-# flask needs to know where to export the kernel headers.
-LINUXDIR ?= ../../../linux-2.6
-
-AWK = awk
-
-CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
-          else if [ -x /bin/bash ]; then echo /bin/bash; \
-          else echo sh; fi ; fi)
-
-FLASK_H_DEPEND = security_classes initial_sids
-AV_H_DEPEND = access_vectors
-
-FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
-AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
-ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
-
-all:  $(ALL_H_FILES)
-
-$(FLASK_H_FILES): $(FLASK_H_DEPEND)
-	$(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
-
-$(AV_H_FILES): $(AV_H_DEPEND)
-	$(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
-
-tolib: all
-	install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
-	install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src
-
-tokern: all
-	install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
-
-install: all
-
-relabel:
-
-clean:  
-	rm -f $(FLASK_H_FILES)
-	rm -f $(AV_H_FILES)
diff --git a/strict/flask/access_vectors b/strict/flask/access_vectors
deleted file mode 100644
index dc20463..0000000
--- a/strict/flask/access_vectors
+++ /dev/null
@@ -1,608 +0,0 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
-	ioctl
-	read
-	write
-	create
-	getattr
-	setattr
-	lock
-	relabelfrom
-	relabelto
-	append
-	unlink
-	link
-	rename
-	execute
-	swapon
-	quotaon
-	mounton
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
-	ioctl
-	read
-	write
-	create
-	getattr
-	setattr
-	lock
-	relabelfrom
-	relabelto
-	append
-# socket-specific
-	bind
-	connect
-	listen
-	accept
-	getopt
-	setopt
-	shutdown
-	recvfrom
-	sendto
-	recv_msg
-	send_msg
-	name_bind
-}	
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
-	create
-	destroy
-	getattr
-	setattr
-	read
-	write
-	associate
-	unix_read
-	unix_write
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
-	mount
-	remount
-	unmount
-	getattr
-	relabelfrom
-	relabelto
-	transition
-	associate
-	quotamod
-	quotaget
-}
-
-class dir
-inherits file
-{
-	add_name
-	remove_name
-	reparent
-	search
-	rmdir
-}
-
-class file
-inherits file
-{
-	execute_no_trans
-	entrypoint
-	execmod
-}
-
-class lnk_file
-inherits file
-
-class chr_file
-inherits file
-{
-	execute_no_trans
-	entrypoint
-	execmod
-}
-
-class blk_file
-inherits file
-
-class sock_file
-inherits file
-
-class fifo_file
-inherits file
-
-class fd
-{
-	use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
-	connectto
-	newconn
-	acceptfrom
-	node_bind
-	name_connect
-}
-
-class udp_socket
-inherits socket
-{
-	node_bind
-}
-
-class rawip_socket
-inherits socket
-{
-	node_bind
-}
-
-class node 
-{
-	tcp_recv
-	tcp_send
-	udp_recv
-	udp_send
-	rawip_recv
-	rawip_send
-	enforce_dest
-}
-
-class netif
-{
-	tcp_recv
-	tcp_send
-	udp_recv
-	udp_send
-	rawip_recv
-	rawip_send
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
-	connectto
-	newconn
-	acceptfrom
-}
-
-class unix_dgram_socket
-inherits socket
-
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
-	fork
-	transition
-	sigchld # commonly granted from child to parent
-	sigkill # cannot be caught or ignored
-	sigstop # cannot be caught or ignored
-	signull # for kill(pid, 0)
-	signal  # all other signals
-	ptrace
-	getsched
-	setsched
-	getsession
-	getpgid
-	setpgid
-	getcap
-	setcap
-	share
-	getattr
-	setexec
-	setfscreate
-	noatsecure
-	siginh
-	setrlimit
-	rlimitinh
-	dyntransition
-	setcurrent
-	execmem
-	execstack
-	execheap
-}
-
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
-	enqueue
-}
-
-class msg
-{
-	send
-	receive
-}
-
-class shm
-inherits ipc
-{
-	lock
-}
-
-
-#
-# Define the access vector interpretation for the security server. 
-#
-
-class security
-{
-	compute_av
-	compute_create
-	compute_member
-	check_context
-	load_policy
-	compute_relabel
-	compute_user
-	setenforce     # was avc_toggle in system class
-	setbool
-	setsecparam
-	setcheckreqprot
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
-	ipc_info
-	syslog_read  
-	syslog_mod
-	syslog_console
-}
-
-#
-# Define the access vector interpretation for controling capabilies
-#
-
-class capability
-{
-	# The capabilities are defined in include/linux/capability.h
-	# Care should be taken to ensure that these are consistent with
-	# those definitions. (Order matters)
-
-	chown           
-	dac_override    
-	dac_read_search 
-	fowner          
-	fsetid          
-	kill            
-	setgid           
-	setuid           
-	setpcap          
-	linux_immutable  
-	net_bind_service 
-	net_broadcast    
-	net_admin        
-	net_raw          
-	ipc_lock         
-	ipc_owner        
-	sys_module       
-	sys_rawio        
-	sys_chroot       
-	sys_ptrace       
-	sys_pacct        
-	sys_admin        
-	sys_boot         
-	sys_nice         
-	sys_resource     
-	sys_time         
-	sys_tty_config  
-	mknod
-	lease
-	audit_write
-	audit_control
-}
-
-
-#
-# Define the access vector interpretation for controlling
-# changes to passwd information.
-#
-class passwd
-{
-	passwd	# change another user passwd
-	chfn	# change another user finger info
-	chsh	# change another user shell
-	rootok  # pam_rootok check (skip auth)
-	crontab # crontab on another user
-}
-
-#
-# SE-X Windows stuff
-#
-class drawable
-{
-	create
-	destroy
-	draw
-	copy
-	getattr
-}
-
-class gc
-{
-	create
-	free
-	getattr
-	setattr
-}
-
-class window 
-{
-	addchild
-	create
-	destroy
-	map
-	unmap
-	chstack
-	chproplist
-	chprop	
-	listprop
-	getattr
-	setattr
-	setfocus
-	move
-	chselection
-	chparent
-	ctrllife
-	enumerate
-	transparent
-	mousemotion
-	clientcomevent
-	inputevent
-	drawevent
-	windowchangeevent
-	windowchangerequest
-	serverchangeevent
-	extensionevent
-}
-
-class font
-{
-	load
-	free
-	getattr
-	use
-}
-
-class colormap
-{
-	create
-	free
-	install
-	uninstall
-	list
-	read
-	store
-	getattr
-	setattr
-}
-
-class property
-{
-	create
-	free
-	read
-	write
-}
-
-class cursor
-{
-	create
-	createglyph
-	free
-	assign
-	setattr
-}
-
-class xclient
-{
-	kill
-}
-
-class xinput
-{
-	lookup
-	getattr
-	setattr
-	setfocus
-	warppointer
-	activegrab
-	passivegrab
-	ungrab
-	bell
-	mousemotion
-	relabelinput
-}
-
-class xserver
-{
-	screensaver
-	gethostlist
-	sethostlist
-	getfontpath
-	setfontpath
-	getattr
-	grab
-	ungrab
-}
-
-class xextension
-{
-	query
-	use
-}
-
-#
-# Define the access vector interpretation for controlling
-# PaX flags
-#
-class pax
-{
-        pageexec        # Paging based non-executable pages
-        emutramp        # Emulate trampolines
-        mprotect        # Restrict mprotect()
-        randmmap        # Randomize mmap() base
-        randexec        # Randomize ET_EXEC base
-        segmexec        # Segmentation based non-executable pages
-}
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_firewall_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-	nlmsg_relay
-	nlmsg_readpriv
-}
-
-class netlink_ip6fw_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access and communication through the D-BUS messaging
-# system.
-#
-class dbus
-{
-	acquire_svc
-	send_msg
-}
-
-# Define the access vector interpretation for controlling
-# access through the name service cache daemon (nscd).
-#
-class nscd
-{
-	getpwd
-	getgrp
-	gethost
-	getstat
-	admin
-       shmempwd
-       shmemgrp
-       shmemhost
-}
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
-       sendto
-       recvfrom
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
diff --git a/strict/flask/initial_sids b/strict/flask/initial_sids
deleted file mode 100644
index 95894eb..0000000
--- a/strict/flask/initial_sids
+++ /dev/null
@@ -1,35 +0,0 @@
-# FLASK
-
-#
-# Define initial security identifiers 
-#
-
-sid kernel
-sid security
-sid unlabeled
-sid fs
-sid file
-sid file_labels
-sid init
-sid any_socket
-sid port
-sid netif
-sid netmsg
-sid node
-sid igmp_packet
-sid icmp_socket
-sid tcp_socket
-sid sysctl_modprobe
-sid sysctl
-sid sysctl_fs
-sid sysctl_kernel
-sid sysctl_net
-sid sysctl_net_unix
-sid sysctl_vm
-sid sysctl_dev
-sid kmod
-sid policy
-sid scmp_packet
-sid devnull
-
-# FLASK
diff --git a/strict/flask/mkaccess_vector.sh b/strict/flask/mkaccess_vector.sh
deleted file mode 100644
index b5da734..0000000
--- a/strict/flask/mkaccess_vector.sh
+++ /dev/null
@@ -1,227 +0,0 @@
-#!/bin/sh -
-#
-
-# FLASK
-
-set -e
-
-awk=$1
-shift
-
-# output files
-av_permissions="av_permissions.h"
-av_inherit="av_inherit.h"
-common_perm_to_string="common_perm_to_string.h"
-av_perm_to_string="av_perm_to_string.h"
-
-cat $* | $awk "
-BEGIN	{
-		outfile = \"$av_permissions\"
-		inheritfile = \"$av_inherit\"
-		cpermfile = \"$common_perm_to_string\"
-		avpermfile = \"$av_perm_to_string\"
-		"'
-		nextstate = "COMMON_OR_AV";
-		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
-		printf("/* This file is automatically generated.  Do not edit. */\n") > inheritfile;
-		printf("/* This file is automatically generated.  Do not edit. */\n") > cpermfile;
-		printf("/* This file is automatically generated.  Do not edit. */\n") > avpermfile;
-;
-	}
-/^[ \t]*#/	{ 
-			next;
-		}
-$1 == "common"	{ 
-			if (nextstate != "COMMON_OR_AV")
-			{
-				printf("Parse error:  Unexpected COMMON definition on line %d\n", NR);
-				next;	
-			}
-
-			if ($2 in common_defined)
-			{
-				printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR);
-				next;
-			}	
-			common_defined[$2] = 1;
-
-			tclass = $2;
-			common_name = $2; 
-			permission = 1;
-
-			printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile;
-
-			nextstate = "COMMON-OPENBRACKET";
-			next;
-		}
-$1 == "class"	{
-			if (nextstate != "COMMON_OR_AV" &&
-			    nextstate != "CLASS_OR_CLASS-OPENBRACKET")
-			{
-				printf("Parse error:  Unexpected class definition on line %d\n", NR);
-				next;	
-			}
-
-			tclass = $2;
-
-			if (tclass in av_defined)
-			{
-				printf("Duplicate access vector definition for %s on line %d\n", tclass, NR);
-				next;
-			} 
-			av_defined[tclass] = 1;
-
-			inherits = "";
-			permission = 1;
-
-			nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
-			next;
-		}
-$1 == "inherits" {			
-			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET")
-			{
-				printf("Parse error:  Unexpected INHERITS definition on line %d\n", NR);
-				next;	
-			}
-
-			if (!($2 in common_defined))
-			{
-				printf("COMMON %s is not defined (line %d).\n", $2, NR);
-				next;
-			}
-
-			inherits = $2;
-			permission = common_base[$2];
-
-			for (combined in common_perms)
-			{
-				split(combined,separate, SUBSEP);
-				if (separate[1] == inherits)
-				{
-					inherited_perms[common_perms[combined]] = separate[2];
-				}
-			}
-
-                        j = 1;
-                        for (i in inherited_perms) {
-                            ind[j] = i + 0;
-                            j++;
-                        }
-                        n = asort(ind);
-			for (i = 1; i <= n; i++) {
-				perm = inherited_perms[ind[i]];
-				printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile; 
-				spaces = 40 - (length(perm) + length(tclass));
-				if (spaces < 1)
-				      spaces = 1;
-				for (j = 0; j < spaces; j++) 
-					printf(" ") > outfile; 
-				printf("0x%08xUL\n", ind[i]) > outfile; 
-			}
-			printf("\n") > outfile;
-                        for (i in ind) delete ind[i];
-                        for (i in inherited_perms) delete inherited_perms[i];
-
-			printf("   S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile; 
-
-			nextstate = "CLASS_OR_CLASS-OPENBRACKET";
-			next;
-		}
-$1 == "{"	{ 
-			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
-			    nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
-			    nextstate != "COMMON-OPENBRACKET")
-			{
-				printf("Parse error:  Unexpected { on line %d\n", NR);
-				next;
-			}
-
-			if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
-				nextstate = "CLASS-CLOSEBRACKET";
-
-			if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
-				nextstate = "CLASS-CLOSEBRACKET";
-
-			if (nextstate == "COMMON-OPENBRACKET")
-				nextstate = "COMMON-CLOSEBRACKET";
-		}
-/[a-z][a-z_]*/	{
-			if (nextstate != "COMMON-CLOSEBRACKET" &&
-			    nextstate != "CLASS-CLOSEBRACKET")
-			{
-				printf("Parse error:  Unexpected symbol %s on line %d\n", $1, NR);		
-				next;
-			}
-
-			if (nextstate == "COMMON-CLOSEBRACKET")
-			{
-				if ((common_name,$1) in common_perms)
-				{
-					printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR);
-					next;
-				}
-
-				common_perms[common_name,$1] = permission;
-
-				printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; 
-
-				printf("    S_(\"%s\")\n", $1) > cpermfile;
-			}
-			else
-			{
-				if ((tclass,$1) in av_perms)
-				{
-					printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR);
-					next;
-				}
-
-				av_perms[tclass,$1] = permission;
-		
-				if (inherits != "")
-				{
-					if ((inherits,$1) in common_perms)
-					{
-						printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR);
-						next;
-					}
-				}
-
-				printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; 
-
-				printf("   S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; 
-			}
-
-			spaces = 40 - (length($1) + length(tclass));
-			if (spaces < 1)
-			      spaces = 1;
-
-			for (i = 0; i < spaces; i++) 
-				printf(" ") > outfile; 
-			printf("0x%08xUL\n", permission) > outfile; 
-			permission = permission * 2;
-		}
-$1 == "}"	{
-			if (nextstate != "CLASS-CLOSEBRACKET" && 
-			    nextstate != "COMMON-CLOSEBRACKET")
-			{
-				printf("Parse error:  Unexpected } on line %d\n", NR);
-				next;
-			}
-
-			if (nextstate == "COMMON-CLOSEBRACKET")
-			{
-				common_base[common_name] = permission;
-				printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; 
-			}
-
-			printf("\n") > outfile;
-
-			nextstate = "COMMON_OR_AV";
-		}
-END	{
-		if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET")
-			printf("Parse error:  Unexpected end of file\n");
-
-	}'
-
-# FLASK
diff --git a/strict/flask/mkflask.sh b/strict/flask/mkflask.sh
deleted file mode 100644
index 9c84754..0000000
--- a/strict/flask/mkflask.sh
+++ /dev/null
@@ -1,95 +0,0 @@
-#!/bin/sh -
-#
-
-# FLASK
-
-set -e
-
-awk=$1
-shift 1
-
-# output file
-output_file="flask.h"
-debug_file="class_to_string.h"
-debug_file2="initial_sid_to_string.h"
-
-cat $* | $awk "
-BEGIN	{
-		outfile = \"$output_file\"
-		debugfile = \"$debug_file\"
-		debugfile2 = \"$debug_file2\"
-		"'
-		nextstate = "CLASS";
-
-		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
-
-		printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
-		printf("#define _SELINUX_FLASK_H_\n") > outfile;
-		printf("\n/*\n * Security object class definitions\n */\n") > outfile;
-		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile;
-		printf("/*\n * Security object class definitions\n */\n") > debugfile;
-		printf("    S_(\"null\")\n") > debugfile;
-		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile2;
-		printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
-		printf("    \"null\",\n") > debugfile2;
-	}
-/^[ \t]*#/	{ 
-			next;
-		}
-$1 == "class"	{ 
-			if (nextstate != "CLASS")
-			{
-				printf("Parse error:  Unexpected class definition on line %d\n", NR);
-				next;	
-			}
-
-			if ($2 in class_found)
-			{
-				printf("Duplicate class definition for %s on line %d.\n", $2, NR);
-				next;
-			}	
-			class_found[$2] = 1;
-
-			class_value++;
-
-			printf("#define SECCLASS_%s", toupper($2)) > outfile;
-			for (i = 0; i < 40 - length($2); i++) 
-				printf(" ") > outfile; 
-			printf("%d\n", class_value) > outfile; 
-
-			printf("    S_(\"%s\")\n", $2) > debugfile;
-		}
-$1 == "sid"	{ 
-			if (nextstate == "CLASS")
-			{
-			    nextstate = "SID";
-			    printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;			    
-			}
-
-			if ($2 in sid_found)
-			{
-				printf("Duplicate SID definition for %s on line %d.\n", $2, NR);
-				next;
-			}	
-			sid_found[$2] = 1;
-			sid_value++;
-
-			printf("#define SECINITSID_%s", toupper($2)) > outfile;
-			for (i = 0; i < 37 - length($2); i++) 
-				printf(" ") > outfile; 
-			printf("%d\n", sid_value) > outfile; 
-			printf("    \"%s\",\n", $2) > debugfile2;
-		}
-END	{
-		if (nextstate != "SID")
-			printf("Parse error:  Unexpected end of file\n");
-
-		printf("\n#define SECINITSID_NUM") > outfile;
-		for (i = 0; i < 34; i++) 
-			printf(" ") > outfile; 
-		printf("%d\n", sid_value) > outfile; 
-		printf("\n#endif\n") > outfile;
-		printf("};\n\n") > debugfile2;
-	}'
-
-# FLASK
diff --git a/strict/flask/security_classes b/strict/flask/security_classes
deleted file mode 100644
index 2669c30..0000000
--- a/strict/flask/security_classes
+++ /dev/null
@@ -1,86 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes 
-#
-
-class security
-class process
-class system
-class capability
-
-# file-related classes
-class filesystem
-class file
-class dir
-class fd
-class lnk_file
-class chr_file
-class blk_file
-class sock_file
-class fifo_file
-
-# network-related classes
-class socket
-class tcp_socket
-class udp_socket
-class rawip_socket
-class node
-class netif
-class netlink_socket
-class packet_socket
-class key_socket
-class unix_stream_socket
-class unix_dgram_socket
-
-# sysv-ipc-related classes
-class sem
-class msg
-class msgq
-class shm
-class ipc
-
-#
-# userspace object manager classes
-#
-
-# passwd/chfn/chsh
-class passwd
-
-# SE-X Windows stuff
-class drawable
-class window
-class gc
-class font
-class colormap
-class property
-class cursor
-class xclient
-class xinput
-class xserver
-class xextension
-
-# pax flags
-class pax
-
-# extended netlink sockets
-class netlink_route_socket
-class netlink_firewall_socket
-class netlink_tcpdiag_socket
-class netlink_nflog_socket
-class netlink_xfrm_socket
-class netlink_selinux_socket
-class netlink_audit_socket
-class netlink_ip6fw_socket
-class netlink_dnrt_socket
-
-class dbus
-class nscd
-
-# IPSec association
-class association
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-
-# FLASK
diff --git a/strict/fs_use b/strict/fs_use
deleted file mode 100644
index 1dec535..0000000
--- a/strict/fs_use
+++ /dev/null
@@ -1,33 +0,0 @@
-#
-# Define the labeling behavior for inodes in particular filesystem types.
-# This information was formerly hardcoded in the SELinux module.
-
-# Use xattrs for the following filesystem types.
-# Requires that a security xattr handler exist for the filesystem.
-fs_use_xattr ext2 system_u:object_r:fs_t;
-fs_use_xattr ext3 system_u:object_r:fs_t;
-fs_use_xattr xfs system_u:object_r:fs_t;
-fs_use_xattr jfs system_u:object_r:fs_t;
-fs_use_xattr reiserfs system_u:object_r:fs_t;
-
-# Use the allocating task SID to label inodes in the following filesystem
-# types, and label the filesystem itself with the specified context.
-# This is appropriate for pseudo filesystems that represent objects
-# like pipes and sockets, so that these objects are labeled with the same
-# type as the creating task.  
-fs_use_task pipefs system_u:object_r:fs_t;
-fs_use_task sockfs system_u:object_r:fs_t;
-
-# Use a transition SID based on the allocating task SID and the
-# filesystem SID to label inodes in the following filesystem types,
-# and label the filesystem itself with the specified context.
-# This is appropriate for pseudo filesystems like devpts and tmpfs
-# where we want to label objects with a derived type.
-fs_use_trans devpts system_u:object_r:devpts_t;
-fs_use_trans tmpfs system_u:object_r:tmpfs_t;
-fs_use_trans shm system_u:object_r:tmpfs_t;
-fs_use_trans mqueue system_u:object_r:tmpfs_t;
-
-# The separate genfs_contexts configuration can be used for filesystem 
-# types that cannot support persistent label mappings or use
-# one of the fixed label schemes specified here.  
diff --git a/strict/genfs_contexts b/strict/genfs_contexts
deleted file mode 100644
index 11c16d4..0000000
--- a/strict/genfs_contexts
+++ /dev/null
@@ -1,107 +0,0 @@
-# FLASK
-
-#
-# Security contexts for files in filesystems that
-# cannot support xattr or use one of the fixed labeling schemes 
-# specified in fs_use.
-#
-# Each specifications has the form:
-# 	genfscon fstype pathname-prefix [ -type ] context
-#
-# The entry with the longest matching pathname prefix is used.
-# / refers to the root directory of the file system, and
-# everything is specified relative to this root directory.
-# If there is no entry with a matching pathname prefix, then 
-# the unlabeled initial SID is used.
-#
-# The optional type field specifies the file type as shown in the mode
-# field by ls, e.g. use -c to match only character device files, -b
-# to match only block device files.
-#
-# Except for proc, in 2.6 other filesystems are limited to a single entry (/)
-# that covers all entries in the filesystem with a default file context.
-# For proc, a pathname can be reliably generated from the proc_dir_entry
-# tree.  The proc /sys entries are used for both proc inodes and for sysctl(2)
-# calls. /proc/PID entries are automatically labeled based on the associated
-# process.
-#
-# Support for other filesystem types requires corresponding code to be
-# added to the kernel, either as an xattr handler in the filesystem 
-# implementation (preferred, and necessary if you want to access the labels
-# from userspace) or as logic in the SELinux module.
-
-# proc (excluding /proc/PID)
-genfscon proc /				system_u:object_r:proc_t
-genfscon proc /kmsg			system_u:object_r:proc_kmsg_t
-genfscon proc /kcore			system_u:object_r:proc_kcore_t
-genfscon proc /mdstat			system_u:object_r:proc_mdstat_t
-genfscon proc /mtrr			system_u:object_r:mtrr_device_t
-genfscon proc /net			system_u:object_r:proc_net_t
-genfscon proc /sysvipc			system_u:object_r:proc_t
-genfscon proc /sys			system_u:object_r:sysctl_t
-genfscon proc /sys/kernel		system_u:object_r:sysctl_kernel_t
-genfscon proc /sys/kernel/modprobe	system_u:object_r:sysctl_modprobe_t
-genfscon proc /sys/kernel/hotplug	system_u:object_r:sysctl_hotplug_t
-genfscon proc /sys/net			system_u:object_r:sysctl_net_t
-genfscon proc /sys/net/unix		system_u:object_r:sysctl_net_unix_t
-genfscon proc /sys/vm			system_u:object_r:sysctl_vm_t
-genfscon proc /sys/dev			system_u:object_r:sysctl_dev_t
-genfscon proc /net/rpc			system_u:object_r:sysctl_rpc_t
-genfscon proc /irq			system_u:object_r:sysctl_irq_t
-
-# rootfs
-genfscon rootfs /			system_u:object_r:root_t
-
-# sysfs
-genfscon sysfs /			system_u:object_r:sysfs_t
-
-# selinuxfs
-genfscon selinuxfs /			system_u:object_r:security_t
-
-# autofs
-genfscon autofs /			system_u:object_r:autofs_t
-genfscon automount /			system_u:object_r:autofs_t
-
-# usbdevfs
-genfscon usbdevfs /			system_u:object_r:usbdevfs_t
-
-# iso9660
-genfscon iso9660 /			system_u:object_r:iso9660_t
-genfscon udf /				system_u:object_r:iso9660_t
-
-# romfs
-genfscon romfs /			system_u:object_r:romfs_t
-genfscon cramfs /			system_u:object_r:romfs_t
-
-# ramfs
-genfscon ramfs /			system_u:object_r:ramfs_t
-
-# vfat, msdos
-genfscon vfat /				system_u:object_r:dosfs_t
-genfscon msdos /			system_u:object_r:dosfs_t
-genfscon fat /				system_u:object_r:dosfs_t
-genfscon ntfs /				system_u:object_r:dosfs_t
-
-# samba
-genfscon cifs /				system_u:object_r:cifs_t
-genfscon smbfs /			system_u:object_r:cifs_t
-
-# nfs
-genfscon nfs /				system_u:object_r:nfs_t
-genfscon nfs4 /				system_u:object_r:nfs_t
-genfscon afs /				system_u:object_r:nfs_t
-
-genfscon debugfs /			system_u:object_r:debugfs_t
-genfscon inotifyfs /			system_u:object_r:inotifyfs_t
-genfscon hugetlbfs /			system_u:object_r:hugetlbfs_t
-genfscon capifs /			system_u:object_r:capifs_t
-
-# needs more work
-genfscon eventpollfs / system_u:object_r:eventpollfs_t
-genfscon futexfs / system_u:object_r:futexfs_t
-genfscon bdev / system_u:object_r:bdev_t
-genfscon usbfs / system_u:object_r:usbfs_t
-genfscon nfsd / system_u:object_r:nfsd_fs_t
-genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t
-genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t
-
diff --git a/strict/initial_sid_contexts b/strict/initial_sid_contexts
deleted file mode 100644
index e276f3f..0000000
--- a/strict/initial_sid_contexts
+++ /dev/null
@@ -1,46 +0,0 @@
-# FLASK
-
-#
-# Define the security context for each initial SID
-# sid sidname   context
-
-sid kernel	system_u:system_r:kernel_t
-sid security	system_u:object_r:security_t
-sid unlabeled	system_u:object_r:unlabeled_t
-sid fs		system_u:object_r:fs_t
-sid file	system_u:object_r:file_t
-# Persistent label mapping is gone.  This initial SID can be removed.
-sid file_labels	system_u:object_r:unlabeled_t
-# init_t is still used, but an initial SID is no longer required.
-sid init	system_u:object_r:unlabeled_t
-# any_socket is no longer used.
-sid any_socket 	system_u:object_r:unlabeled_t
-sid port	system_u:object_r:port_t
-sid netif	system_u:object_r:netif_t
-# netmsg is no longer used.
-sid netmsg	system_u:object_r:unlabeled_t
-sid node	system_u:object_r:node_t
-# These sockets are now labeled with the kernel SID,
-# and do not require their own initial SIDs.
-sid igmp_packet system_u:object_r:unlabeled_t
-sid icmp_socket system_u:object_r:unlabeled_t
-sid tcp_socket  system_u:object_r:unlabeled_t
-# Most of the sysctl SIDs are now computed at runtime
-# from genfs_contexts, so the corresponding initial SIDs
-# are no longer required.
-sid sysctl_modprobe	system_u:object_r:unlabeled_t
-# But we still need the base sysctl initial SID as a default.
-sid sysctl	system_u:object_r:sysctl_t
-sid sysctl_fs	system_u:object_r:unlabeled_t
-sid sysctl_kernel	system_u:object_r:unlabeled_t
-sid sysctl_net	system_u:object_r:unlabeled_t
-sid sysctl_net_unix	system_u:object_r:unlabeled_t
-sid sysctl_vm	system_u:object_r:unlabeled_t
-sid sysctl_dev	system_u:object_r:unlabeled_t
-# No longer used, can be removed.
-sid kmod	system_u:object_r:unlabeled_t
-sid policy	system_u:object_r:unlabeled_t
-sid scmp_packet	system_u:object_r:unlabeled_t
-sid devnull	system_u:object_r:null_device_t
-
-# FLASK
diff --git a/strict/local.users b/strict/local.users
deleted file mode 100644
index 6dd04d6..0000000
--- a/strict/local.users
+++ /dev/null
@@ -1,21 +0,0 @@
-##################################
-#
-# User configuration.
-#
-# This file defines additional users recognized by the system security policy.
-# Only the user identities defined in this file and the system.users file
-# may be used as the user attribute in a security context.
-#
-# Each user has a set of roles that may be entered by processes
-# with the users identity.  The syntax of a user declaration is:
-#
-# 	user username roles role_set [ level default_level range allowed_range ];
-#
-# The MLS default level and allowed range should only be specified if 
-# MLS was enabled in the policy.
-
-# sample for administrative user
-# user jadmin roles { staff_r sysadm_r system_r };
-
-# sample for regular user
-#user jdoe roles { user_r }; 
diff --git a/strict/macros/admin_macros.te b/strict/macros/admin_macros.te
deleted file mode 100644
index aaa816e..0000000
--- a/strict/macros/admin_macros.te
+++ /dev/null
@@ -1,227 +0,0 @@
-#
-# Macros for all admin domains.
-#
-
-#
-# admin_domain(domain_prefix)
-#
-# Define derived types and rules for an administrator domain.
-#
-# The type declaration and role authorization for the domain must be
-# provided separately.  Likewise, domain transitions into this domain
-# must be specified separately.  If the every_domain() rules are desired,
-# then these rules must also be specified separately.
-#
-undefine(`admin_domain')
-define(`admin_domain',`
-# Type for home directory.
-attribute $1_file_type;
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
-type $1_home_t, file_type, sysadmfile, home_type, $1_file_type;
-
-# Type and access for pty devices.
-can_create_pty($1, `, admin_tty_type')
-
-# Transition manually for { lnk sock fifo }. The rest is in content macros.
-tmp_domain_notrans($1, `, $1_file_type')
-file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
-allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
-
-# Type for tty devices.
-type $1_tty_device_t, sysadmfile, ttyfile, dev_fs, admin_tty_type;
-
-# Inherit rules for ordinary users.
-base_user_domain($1)
-access_removable_media($1_t)
-
-allow $1_t self:capability setuid;
-
-ifdef(`su.te', `su_domain($1)')
-ifdef(`userhelper.te', `userhelper_domain($1)')
-ifdef(`sudo.te', `sudo_domain($1)')
-
-# Let admin stat the shadow file.
-allow $1_t shadow_t:file getattr;
-
-ifdef(`crond.te', `
-allow $1_crond_t var_log_t:file r_file_perms;
-')
-
-# Allow system log read
-allow $1_t kernel_t:system syslog_read;
-
-# Allow autrace
-# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv;
-
-# Use capabilities other than sys_module.
-allow $1_t self:capability ~sys_module;
-
-# Use system operations.
-allow $1_t kernel_t:system *;
-
-# Set password information for other users.
-allow $1_t self:passwd { passwd chfn chsh };
-
-# Skip authentication when pam_rootok is specified.
-allow $1_t self:passwd rootok;
-
-# Manipulate other user crontab.
-allow $1_t self:passwd crontab;
-can_getsecurity(sysadm_crontab_t)
-
-# Change system parameters.
-can_sysctl($1_t)
-
-# Create and use all files that have the sysadmfile attribute.
-allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms;
-allow $1_t sysadmfile:lnk_file create_lnk_perms;
-allow $1_t sysadmfile:dir create_dir_perms;
-
-# for lsof
-allow $1_t mtrr_device_t:file getattr;
-allow $1_t fs_type:dir getattr;
-
-# Access removable devices.
-allow $1_t removable_device_t:devfile_class_set rw_file_perms;
-
-# Communicate with the init process.
-allow $1_t initctl_t:fifo_file rw_file_perms;
-
-# Examine all processes.
-can_ps($1_t, domain)
-
-# allow renice
-allow $1_t domain:process setsched;
-
-# Send signals to all processes.
-allow $1_t { domain unlabeled_t }:process signal_perms;
-
-# Access all user terminals.
-allow $1_t tty_device_t:chr_file rw_file_perms;
-allow $1_t ttyfile:chr_file rw_file_perms;
-allow $1_t ptyfile:chr_file rw_file_perms;
-allow $1_t serial_device:chr_file setattr;
-
-# allow setting up tunnels
-allow $1_t tun_tap_device_t:chr_file rw_file_perms;
-
-# run ls -l /dev
-allow $1_t device_t:dir r_dir_perms;
-allow $1_t { device_t device_type }:{ chr_file blk_file } getattr;
-allow $1_t ptyfile:chr_file getattr;
-
-# Run programs from staff home directories.
-# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
-can_exec($1_t, staff_home_t)
-
-# Run programs from /usr/src.
-can_exec($1_t, src_t)
-
-# Relabel all files.
-# Actually this will not allow relabeling ALL files unless you change
-# sysadmfile to file_type (and change the assertion in assert.te that
-# only auth_write can relabel shadow_t)
-allow $1_t sysadmfile:dir { getattr read search relabelfrom relabelto };
-allow $1_t sysadmfile:notdevfile_class_set { getattr relabelfrom relabelto };
-
-ifdef(`startx.te', `
-ifdef(`xserver.te', `
-# Create files in /tmp/.X11-unix with our X servers derived
-# tmp type rather than user_xserver_tmp_t.
-file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
-')dnl end xserver.te
-')dnl end startx.te
-
-ifdef(`xdm.te', `
-ifdef(`xauth.te', `
-if (xdm_sysadm_login) {
-allow xdm_t $1_home_t:lnk_file read;
-allow xdm_t $1_home_t:dir search;
-}
-can_pipe_xdm($1_t)
-')dnl end ifdef xauth.te
-')dnl end ifdef xdm.te
-
-#
-# A user who is authorized for sysadm_t may nonetheless have
-# a home directory labeled with user_home_t if the user is expected
-# to login in either user_t or sysadm_t.  Hence, the derived domains
-# for programs need to be able to access user_home_t.  
-# 
-
-# Allow our gph domain to write to .xsession-errors.
-ifdef(`gnome-pty-helper.te', `
-allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
-allow $1_gph_t user_home_type:file create_file_perms;
-')
-
-# Allow our crontab domain to unlink a user cron spool file.
-ifdef(`crontab.te',
-`allow $1_crontab_t user_cron_spool_t:file unlink;')
-
-# for the administrator to run TCP servers directly
-can_tcp_connect($1_t, $1_t)
-allow $1_t port_t:tcp_socket name_bind;
-
-# Connect data port to ftpd.
-ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
-
-# Connect second port to rshd.
-ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
-
-#
-# Allow sysadm to execute quota commands against filesystems and files.
-#
-allow $1_t fs_type:filesystem quotamod;
-
-# Grant read and write access to /dev/console.
-allow $1_t console_device_t:chr_file rw_file_perms;
-
-# Allow MAKEDEV to work
-allow $1_t device_t:dir rw_dir_perms;
-allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
-allow $1_t device_t:lnk_file { create read };
-
-# for lsof
-allow $1_t domain:socket_class_set getattr;
-allow $1_t eventpollfs_t:file getattr;
-')
-
-define(`security_manager_domain', `
-
-typeattribute $1 secadmin;
-# Allow administrator domains to set the enforcing flag.
-can_setenforce($1)
-
-# Allow administrator domains to set policy booleans.
-can_setbool($1)
-
-# Get security policy decisions.
-can_getsecurity($1)
-
-# Allow administrator domains to set security parameters
-can_setsecparam($1)
-
-# Run admin programs that require different permissions in their own domain.
-# These rules were moved into the appropriate program domain file.
-
-# added by mayerf@tresys.com
-# The following rules are temporary until such time that a complete
-# policy management infrastructure is in place so that an administrator
-# cannot directly manipulate policy files with arbitrary programs.
-#
-allow $1 secadmfile:file { relabelto relabelfrom create_file_perms };
-allow $1 secadmfile:lnk_file { relabelto relabelfrom create_lnk_perms };
-allow $1 secadmfile:dir { relabelto relabelfrom create_dir_perms };
-
-# Set an exec context, e.g. for runcon.
-can_setexec($1)
-
-# Set a context other than the default one for newly created files.
-can_setfscreate($1)
-
-allow $1 self:netlink_audit_socket nlmsg_readpriv;
-
-')
-
-
diff --git a/strict/macros/base_user_macros.te b/strict/macros/base_user_macros.te
deleted file mode 100644
index 4c5b36a..0000000
--- a/strict/macros/base_user_macros.te
+++ /dev/null
@@ -1,396 +0,0 @@
-#
-# Macros for all user login domains.
-#
-
-#
-# base_user_domain(domain_prefix)
-#
-# Define derived types and rules for an ordinary user domain.
-#
-# The type declaration and role authorization for the domain must be
-# provided separately.  Likewise, domain transitions into this domain
-# must be specified separately.  
-#
-
-# base_user_domain() is also called by the admin_domain() macro
-undefine(`base_user_domain')
-define(`base_user_domain', `
-
-# Type for network-obtained content
-type $1_untrusted_content_t, file_type, $1_file_type, sysadmfile, customizable, polymember;
-type $1_untrusted_content_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile, customizable, polymember;
-
-# Allow user to relabel untrusted content
-allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
-allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
-
-# Read content
-read_content($1_t, $1)
-
-# Write trusted content. This includes proper transition
-# for /home, and /tmp, so no other transition is necessary (or allowed)
-write_trusted($1_t, $1)
-
-# Maybe the home directory is networked
-network_home($1_t)
-
-# Transition for { lnk, fifo, sock }. The rest is covered by write_trusted.
-# Relabel files in the home directory 
-file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t, { fifo_file sock_file lnk_file }); 
-allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
-can_setfscreate($1_t)
-
-ifdef(`ftpd.te' , `
-if (ftpd_is_daemon) {
-file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
-}
-')
-
-allow $1_t self:capability { setgid chown fowner };
-dontaudit $1_t self:capability { sys_nice fsetid };
-
-# $1_r is authorized for $1_t for the initial login domain.
-role $1_r types $1_t;
-allow system_r $1_r;
-
-r_dir_file($1_t, usercanread)
-
-# Grant permissions within the domain.
-general_domain_access($1_t)
-
-if (allow_execmem) {
-# Allow making anonymous memory executable, e.g. 
-# for runtime-code generation or executable stack.
-allow $1_t self:process execmem;
-}
-
-if (allow_execmem && allow_execstack) {
-# Allow making the stack executable via mprotect.
-allow $1_t self:process execstack;
-}
-
-# Allow text relocations on system shared libraries, e.g. libGL.
-allow $1_t texrel_shlib_t:file execmod;
-
-#
-# kdeinit wants this access
-#
-allow $1_t device_t:dir { getattr search };
-
-# Find CDROM devices
-r_dir_file($1_t, sysctl_dev_t)
-# for eject
-allow $1_t fixed_disk_device_t:blk_file getattr;
-
-allow $1_t fs_type:dir getattr;
-
-allow $1_t event_device_t:chr_file { getattr read ioctl };
-
-# open office is looking for the following
-allow $1_t dri_device_t:chr_file getattr;
-dontaudit $1_t dri_device_t:chr_file rw_file_perms;
-
-# Supress ls denials:
-# getattr() - ls -l
-# search_dir() - symlink path resolution
-# read_dir() - deep ls: ls parent/...
-
-dontaudit_getattr($1_t)
-dontaudit_search_dir($1_t)
-dontaudit_read_dir($1_t)
-
-# allow ptrace
-can_ptrace($1_t, $1_t)
-
-# Allow user to run restorecon and relabel files
-can_getsecurity($1_t)
-r_dir_file($1_t, default_context_t)
-r_dir_file($1_t, file_context_t)
-
-allow $1_t usbtty_device_t:chr_file read;
-
-# GNOME checks for usb and other devices
-rw_dir_file($1_t,usbfs_t)
-
-can_exec($1_t, noexattrfile)
-# Bind to a Unix domain socket in /tmp.
-allow $1_t $1_tmp_t:unix_stream_socket name_bind;
-
-# Use the type when relabeling terminal devices.
-type_change $1_t tty_device_t:chr_file $1_tty_device_t;
-
-# Debian login is from shadow utils and does not allow resetting the perms.
-# have to fix this!
-type_change $1_t ttyfile:chr_file $1_tty_device_t;
-
-# for running TeX programs
-r_dir_file($1_t, tetex_data_t)
-can_exec($1_t, tetex_data_t)
-
-# Use the type when relabeling pty devices.
-type_change $1_t server_pty:chr_file $1_devpts_t;
-
-tmpfs_domain($1)
-
-ifdef(`cardmgr.te', `
-# to allow monitoring of pcmcia status
-allow $1_t cardmgr_var_run_t:file { getattr read };
-')
-
-# Modify mail spool file.
-allow $1_t mail_spool_t:dir r_dir_perms;
-allow $1_t mail_spool_t:file rw_file_perms;
-allow $1_t mail_spool_t:lnk_file read;
-
-#
-# Allow graphical boot to check battery lifespan
-#
-ifdef(`apmd.te', `
-allow $1_t apmd_t:unix_stream_socket connectto;
-allow $1_t apmd_var_run_t:sock_file write;
-')
-
-#
-# Allow the query of filesystem quotas
-#
-allow $1_t fs_type:filesystem quotaget;
-
-# Run helper programs.
-can_exec_any($1_t)
-# Run programs developed by other users in the same domain.
-can_exec($1_t, $1_home_t)
-can_exec($1_t, $1_tmp_t)
-
-# Run user programs that require different permissions in their own domain.
-# These rules were moved into the individual program domains.
-
-# Instantiate derived domains for a number of programs.
-# These derived domains encode both information about the calling
-# user domain and the program, and allow us to maintain separation
-# between different instances of the program being run by different
-# user domains.
-ifdef(`gnome-pty-helper.te', `gph_domain($1, $1)')
-ifdef(`chkpwd.te', `chkpwd_domain($1)')
-ifdef(`fingerd.te', `fingerd_macro($1)')
-ifdef(`mta.te', `mail_domain($1)')
-ifdef(`crontab.te', `crontab_domain($1)')
-
-ifdef(`screen.te', `screen_domain($1)')
-ifdef(`tvtime.te', `tvtime_domain($1)')
-ifdef(`mozilla.te', `mozilla_domain($1)')
-ifdef(`thunderbird.te', `thunderbird_domain($1)')
-ifdef(`samba.te', `samba_domain($1)')
-ifdef(`gpg.te', `gpg_domain($1)')
-ifdef(`xauth.te', `xauth_domain($1)')
-ifdef(`iceauth.te', `iceauth_domain($1)')
-ifdef(`startx.te', `xserver_domain($1)')
-ifdef(`lpr.te', `lpr_domain($1)')
-ifdef(`ssh.te', `ssh_domain($1)')
-ifdef(`irc.te', `irc_domain($1)')
-ifdef(`using_spamassassin', `spamassassin_domain($1)')
-ifdef(`pyzor.te', `pyzor_domain($1)')
-ifdef(`razor.te', `razor_domain($1)')
-ifdef(`uml.te', `uml_domain($1)')
-ifdef(`cdrecord.te', `cdrecord_domain($1)')
-ifdef(`mplayer.te', `mplayer_domains($1)')
-
-fontconfig_domain($1)
-
-# GNOME
-ifdef(`gnome.te', `
-gnome_domain($1)
-ifdef(`games.te', `games_domain($1)')
-ifdef(`gift.te', `gift_domains($1)')
-ifdef(`evolution.te', `evolution_domains($1)')
-ifdef(`ethereal.te', `ethereal_domain($1)')
-')
-
-# ICE communication channel
-ice_domain($1, $1)
-
-# ORBit communication channel (independent of GNOME)
-orbit_domain($1, $1)
-
-# Instantiate a derived domain for user cron jobs.
-ifdef(`crond.te', `crond_domain($1)')
-
-ifdef(`vmware.te', `vmware_domain($1)')
-
-if (user_direct_mouse) {
-# Read the mouse.
-allow $1_t mouse_device_t:chr_file r_file_perms;
-}
-# Access other miscellaneous devices.
-allow $1_t misc_device_t:{ chr_file blk_file } rw_file_perms;
-allow $1_t device_t:lnk_file { getattr read };
-
-can_resmgrd_connect($1_t)
-
-#
-# evolution and gnome-session try to create a netlink socket
-#
-dontaudit $1_t self:netlink_socket create_socket_perms;
-dontaudit $1_t self:netlink_route_socket create_netlink_socket_perms;
-
-# Use the network.
-can_network($1_t)
-allow $1_t port_type:tcp_socket name_connect;
-can_ypbind($1_t)
-can_winbind($1_t)
-
-ifdef(`pamconsole.te', `
-allow $1_t pam_var_console_t:dir search;
-')
-
-allow $1_t var_lock_t:dir search;
-
-# Grant permissions to access the system DBus
-ifdef(`dbusd.te', `
-dbusd_client(system, $1)
-can_network_server_tcp($1_dbusd_t)
-allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;
-
-allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
-dbusd_client($1, $1)
-allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
-dbusd_domain($1)
-ifdef(`hald.te', `
-allow $1_t hald_t:dbus send_msg;
-allow hald_t $1_t:dbus send_msg;
-') dnl end ifdef hald.te
-') dnl end ifdef dbus.te
-
-# allow port_t name binding for UDP because it is not very usable otherwise
-allow $1_t port_t:udp_socket name_bind;
-
-# Gnome pannel binds to the following
-ifdef(`cups.te', `
-allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr };
-')
-
-# for perl
-dontaudit $1_t net_conf_t:file ioctl;
-
-# Communicate within the domain.
-can_udp_send($1_t, self)
-
-# Connect to inetd.
-ifdef(`inetd.te', `
-can_tcp_connect($1_t, inetd_t)
-can_udp_send($1_t, inetd_t)
-can_udp_send(inetd_t, $1_t)
-')
-
-# Connect to portmap.
-ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
-
-# Inherit and use sockets from inetd
-ifdef(`inetd.te', `
-allow $1_t inetd_t:fd use;
-allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;')
-
-# Very permissive allowing every domain to see every type.
-allow $1_t kernel_t:system ipc_info;
-
-# When the user domain runs ps, there will be a number of access
-# denials when ps tries to search /proc.  Do not audit these denials.
-dontaudit $1_t domain:dir r_dir_perms;
-dontaudit $1_t domain:notdevfile_class_set r_file_perms;
-dontaudit $1_t domain:process { getattr getsession };
-#
-# Cups daemon running as user tries to write /etc/printcap
-#
-dontaudit $1_t usr_t:file setattr;
-
-# Use X
-x_client_domain($1, $1)
-
-ifdef(`xserver.te', `
-allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
-')
-
-ifdef(`xdm.te', `
-# Connect to the X server run by the X Display Manager.
-can_unix_connect($1_t, xdm_t)
-# certain apps want to read xdm.pid file
-r_dir_file($1_t, xdm_var_run_t)
-allow $1_t xdm_var_lib_t:file { getattr read };
-allow xdm_t $1_home_dir_t:dir getattr;
-ifdef(`xauth.te', `
-file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
-')
-
-')dnl end ifdef xdm.te
-
-# Access the sound device.
-allow $1_t sound_device_t:chr_file { getattr read write ioctl };
-
-# Access the power device.
-allow $1_t power_device_t:chr_file { getattr read write ioctl };
-
-allow $1_t var_log_t:dir { getattr search };
-dontaudit $1_t logfile:file getattr;
-
-# Check to see if cdrom is mounted
-allow $1_t mnt_t:dir { getattr search };
-
-# Get attributes of file systems.
-allow $1_t fs_type:filesystem getattr;
-
-# Read and write /dev/tty and /dev/null.
-allow $1_t devtty_t:chr_file rw_file_perms;
-allow $1_t null_device_t:chr_file rw_file_perms;
-allow $1_t zero_device_t:chr_file { rw_file_perms execute };
-allow $1_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
-#
-# Added to allow reading of cdrom
-#
-allow $1_t rpc_pipefs_t:dir getattr;
-allow $1_t nfsd_fs_t:dir getattr;
-allow $1_t binfmt_misc_fs_t:dir getattr;
-
-# /initrd is left mounted, various programs try to look at it
-dontaudit $1_t ramfs_t:dir getattr;
-
-#
-# Emacs wants this access
-#
-allow $1_t wtmp_t:file r_file_perms;
-dontaudit $1_t wtmp_t:file write;
-
-# Read the devpts root directory.
-allow $1_t devpts_t:dir r_dir_perms;
-
-r_dir_file($1_t, src_t)
-
-# Allow user to read default_t files
-# This is different from reading default_t content, 
-# because it also includes sockets, fifos, and links
-
-if (read_default_t) {
-allow $1_t default_t:dir r_dir_perms;
-allow $1_t default_t:notdevfile_class_set r_file_perms;
-}
-
-# Read fonts
-read_fonts($1_t, $1)
-
-read_sysctl($1_t);
-
-#
-# Caused by su - init scripts
-#
-dontaudit $1_t initrc_devpts_t:chr_file { ioctl read write };
-
-#
-# Running ifconfig as a user generates the following
-#
-dontaudit $1_t self:socket create;
-dontaudit $1_t sysctl_net_t:dir search;
-
-ifdef(`rpcd.te', `
-create_dir_file($1_t, nfsd_rw_t)
-')
-
-')dnl end base_user_domain macro
-
diff --git a/strict/macros/content_macros.te b/strict/macros/content_macros.te
deleted file mode 100644
index fb36d46..0000000
--- a/strict/macros/content_macros.te
+++ /dev/null
@@ -1,188 +0,0 @@
-# Content access macros
-
-# FIXME: After nested booleans are supported, replace NFS/CIFS
-# w/ read_network_home, and write_network_home macros from global
-
-# FIXME: If true/false constant booleans are supported, replace
-# ugly $3 ifdefs with if(true), if(false)...
-
-# FIXME: Do we want write to imply read?
-
-############################################################
-# read_content(domain, role_prefix, bool_prefix)
-#
-# Allow the given domain to read content.
-# Content may be trusted or untrusted,
-# Reading anything is subject to a controlling boolean based on bool_prefix.
-# Reading untrusted content is additionally subject to read_untrusted_content
-# Reading default_t is additionally subject to read_default_t
-
-define(`read_content', `
-
-# Declare controlling boolean
-ifelse($3, `', `', `
-ifdef(`$3_read_content_defined', `', `
-define(`$3_read_content_defined')
-bool $3_read_content false;
-') dnl ifdef 
-') dnl ifelse
-
-# Handle nfs home dirs
-ifelse($3, `', 
-`if (use_nfs_home_dirs) { ', 
-`if ($3_read_content && use_nfs_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-r_dir_file($1, nfs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 nfs_t:file r_file_perms;
-dontaudit $1 nfs_t:dir r_dir_perms;
-}
-
-# Handle samba home dirs
-ifelse($3, `',
-`if (use_samba_home_dirs) { ',
-`if ($3_read_content && use_samba_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-r_dir_file($1, cifs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 cifs_t:file r_file_perms;
-dontaudit $1 cifs_t:dir r_dir_perms;
-}
-
-# Handle removable media, /tmp, and /home
-ifelse($3, `', `', 
-`if ($3_read_content) {')
-allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-r_dir_file($1, { $2_tmp_t $2_home_t } )
-ifdef(`mls_policy', `', `
-r_dir_file($1, removable_t)
-')
-
-ifelse($3, `', `', 
-`} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { removable_t $2_tmp_t $2_home_t }:dir r_dir_perms;
-dontaudit $1 { removable_t $2_tmp_t $2_home_t }:file r_file_perms;
-}') 
-
-# Handle default_t content
-ifelse($3, `',
-`if (read_default_t) { ',
-`if ($3_read_content && read_default_t) {')
-r_dir_file($1, default_t)
-} else {
-dontaudit $1 default_t:file r_file_perms;
-dontaudit $1 default_t:dir r_dir_perms;
-} 
-
-# Handle untrusted content
-ifelse($3, `',
-`if (read_untrusted_content) { ',
-`if ($3_read_content && read_untrusted_content) {')
-allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-r_dir_file($1, { $2_untrusted_content_t $2_untrusted_content_tmp_t })
-} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:dir r_dir_perms;
-dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:file r_file_perms;
-}
-') dnl read_content
-
-#################################################
-# write_trusted(domain, role_prefix, bool_prefix)
-#
-# Allow the given domain to write trusted content.
-# This is subject to a controlling boolean based
-# on bool_prefix.
-
-define(`write_trusted', `
-
-# Declare controlling boolean
-ifelse($3, `', `', `
-ifdef(`$3_write_content_defined', `', `
-define(`$3_write_content_defined')
-bool $3_write_content false;
-') dnl ifdef
-') dnl ifelse
-
-# Handle nfs homedirs
-ifelse($3, `',
-`if (use_nfs_home_dirs) { ',
-`if ($3_write_content && use_nfs_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, nfs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 nfs_t:file create_file_perms;
-dontaudit $1 nfs_t:dir create_dir_perms;
-}
-
-# Handle samba homedirs
-ifelse($3, `',
-`if (use_samba_home_dirs) { ',
-`if ($3_write_content && use_samba_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, cifs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 cifs_t:file create_file_perms;
-dontaudit $1 cifs_t:dir create_dir_perms;
-}
-
-# Handle /tmp and /home
-ifelse($3, `', `', 
-`if ($3_write_content) {') 
-allow $1 home_root_t:dir { read getattr search };
-file_type_auto_trans($1, tmp_t, $2_tmp_t, { dir file });
-file_type_auto_trans($1, $2_home_dir_t, $2_home_t, { dir file });
-ifelse($3, `', `', 
-`} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms;
-dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms;
-}')
-
-') dnl write_trusted
-
-#########################################
-# write_untrusted(domain, role_prefix)
-#
-# Allow the given domain to write untrusted content. 
-# This is subject to the global boolean write_untrusted.
-
-define(`write_untrusted', `
-
-# Handle nfs homedirs
-if (write_untrusted_content && use_nfs_home_dirs) {
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, nfs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 nfs_t:file create_file_perms;
-dontaudit $1 nfs_t:dir create_dir_perms;
-}
-
-# Handle samba homedirs
-if (write_untrusted_content && use_samba_home_dirs) {
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, cifs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 cifs_t:file create_file_perms;
-dontaudit $1 cifs_t:dir create_dir_perms;
-}
-
-# Handle /tmp and /home
-if (write_untrusted_content) {
-allow $1 home_root_t:dir { read getattr search };
-file_type_auto_trans($1, { tmp_t $2_tmp_t }, $2_untrusted_content_tmp_t, { dir file })
-file_type_auto_trans($1, { $2_home_dir_t $2_home_t }, $2_untrusted_content_t, { dir file })
-} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms;
-dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms;
-}
-
-') dnl write_untrusted
diff --git a/strict/macros/core_macros.te b/strict/macros/core_macros.te
deleted file mode 100644
index 4a5900a..0000000
--- a/strict/macros/core_macros.te
+++ /dev/null
@@ -1,700 +0,0 @@
-
-##############################
-#
-# core macros for the type enforcement (TE) configuration.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>, Timothy Fraser  
-#           Howard Holm (NSA) <hdholm@epoch.ncsc.mil>
-#           Russell Coker <russell@coker.com.au>
-#
-
-#################################
-# 
-# Macros for groups of classes and 
-# groups of permissions.
-#
-
-#
-# All directory and file classes
-#
-define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
-
-#
-# All non-directory file classes.
-#
-define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
-
-#
-# Non-device file classes.
-#
-define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
-
-#
-# Device file classes.
-#
-define(`devfile_class_set', `{ chr_file blk_file }')
-
-#
-# All socket classes.
-#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
-
-
-#
-# Datagram socket classes.
-# 
-define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
-
-#
-# Stream socket classes.
-#
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
-
-#
-# Unprivileged socket classes (exclude rawip, netlink, packet).
-#
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
-
-
-# 
-# Permissions for getting file attributes.
-#
-define(`stat_file_perms', `{ getattr }')
-
-# 
-# Permissions for executing files.
-#
-define(`x_file_perms', `{ getattr execute }')
-
-# 
-# Permissions for reading files and their attributes.
-#
-define(`r_file_perms', `{ read getattr lock ioctl }')
-
-# 
-# Permissions for reading and executing files.
-#
-define(`rx_file_perms', `{ read getattr lock execute ioctl }')
-
-# 
-# Permissions for reading and writing files and their attributes.
-#
-define(`rw_file_perms', `{ ioctl read getattr lock write append }')
-
-# 
-# Permissions for reading and appending to files.
-#
-define(`ra_file_perms', `{ ioctl read getattr lock append }')
-
-#
-# Permissions for linking, unlinking and renaming files.
-# 
-define(`link_file_perms', `{ getattr link unlink rename }')
-
-#
-# Permissions for creating lnk_files.
-#
-define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
-
-#
-# Permissions for creating and using files.
-# 
-define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
-
-# 
-# Permissions for reading directories and their attributes.
-#
-define(`r_dir_perms', `{ read getattr lock search ioctl }')
-
-# 
-# Permissions for reading and writing directories and their attributes.
-#
-define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
-
-# 
-# Permissions for reading and adding names to directories.
-#
-define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
-
-
-#
-# Permissions for creating and using directories.
-# 
-define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
-
-#
-# Permissions to mount and unmount file systems.
-#
-define(`mount_fs_perms', `{ mount remount unmount getattr }')
-
-#
-# Permissions for using sockets.
-# 
-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
-
-#
-# Permissions for creating and using sockets.
-# 
-define(`create_socket_perms', `{ create rw_socket_perms }')
-
-#
-# Permissions for using stream sockets.
-# 
-define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
-
-#
-# Permissions for creating and using stream sockets.
-# 
-define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
-
-#
-# Permissions for creating and using sockets.
-# 
-define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
-
-#
-# Permissions for creating and using sockets.
-# 
-define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
-
-
-#
-# Permissions for creating and using netlink sockets.
-# 
-define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
-
-#
-# Permissions for using netlink sockets for operations that modify state.
-# 
-define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
-
-#
-# Permissions for using netlink sockets for operations that observe state.
-# 
-define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
-
-#
-# Permissions for sending all signals.
-#
-define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
-
-#
-# Permissions for sending and receiving network packets.
-#
-define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
-
-#
-# Permissions for using System V IPC
-#
-define(`r_sem_perms', `{ associate getattr read unix_read }')
-define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
-define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
-define(`r_msgq_perms', `{ associate getattr read unix_read }')
-define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
-define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
-define(`r_shm_perms', `{ associate getattr read unix_read }')
-define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
-define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
-
-#################################
-# 
-# Macros for type transition rules and
-# access vector rules.
-#
-
-#
-# Simple combinations for reading and writing both
-# directories and files.
-# 
-define(`r_dir_file', `
-allow $1 $2:dir r_dir_perms;
-allow $1 $2:file r_file_perms;
-allow $1 $2:lnk_file { getattr read };
-')
-
-define(`rw_dir_file', `
-allow $1 $2:dir rw_dir_perms;
-allow $1 $2:file rw_file_perms;
-allow $1 $2:lnk_file { getattr read };
-')
-
-define(`ra_dir_file', `
-allow $1 $2:dir ra_dir_perms;
-allow $1 $2:file ra_file_perms;
-allow $1 $2:lnk_file { getattr read };
-')
-
-define(`ra_dir_create_file', `
-allow $1 $2:dir ra_dir_perms;
-allow $1 $2:file { create ra_file_perms };
-allow $1 $2:lnk_file { create read getattr };
-')
-
-define(`rw_dir_create_file', `
-allow $1 $2:dir rw_dir_perms;
-allow $1 $2:file create_file_perms;
-allow $1 $2:lnk_file create_lnk_perms;
-')
-
-define(`create_dir_file', `
-allow $1 $2:dir create_dir_perms;
-allow $1 $2:file create_file_perms;
-allow $1 $2:lnk_file create_lnk_perms;
-')
-
-define(`create_dir_notdevfile', `
-allow $1 $2:dir create_dir_perms;
-allow $1 $2:{ file sock_file fifo_file } create_file_perms;
-allow $1 $2:lnk_file create_lnk_perms;
-')
-
-define(`create_append_log_file', `
-allow $1 $2:dir { read getattr search add_name write };
-allow $1 $2:file { create ioctl getattr setattr append link };
-')
-
-##################################
-#
-# can_ps(domain1, domain2)
-#
-# Authorize domain1 to see /proc entries for domain2 (see it in ps output)
-#
-define(`can_ps',`
-allow $1 $2:dir { search getattr read };
-allow $1 $2:{ file lnk_file } { read getattr };
-allow $1 $2:process getattr;
-# We need to suppress this denial because procps tries to access
-# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-# running in a privileged domain.
-dontaudit $1 $2:process ptrace;
-')
-
-##################################
-#
-# can_getsecurity(domain)
-#
-# Authorize a domain to get security policy decisions.
-#
-define(`can_getsecurity',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } { getattr read };
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security { check_context compute_av compute_create compute_relabel compute_user };
-')
-
-##################################
-#
-# can_setenforce(domain)
-#
-# Authorize a domain to set the enforcing flag.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_setenforce',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security setenforce;
-auditallow $1 security_t:security setenforce;
-')
-
-##################################
-#
-# can_setbool(domain)
-#
-# Authorize a domain to set a policy boolean.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_setbool',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security setbool;
-auditallow $1 security_t:security setbool;
-')
-
-##################################
-#
-# can_setsecparam(domain)
-#
-# Authorize a domain to set security parameters.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_setsecparam',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security setsecparam;
-auditallow $1 security_t:security setsecparam;
-')
-
-##################################
-#
-# can_loadpol(domain)
-#
-# Authorize a domain to load a policy configuration.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_loadpol',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 proc_t:file { getattr read };
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security load_policy;
-auditallow $1 security_t:security load_policy;
-')
-
-#################################
-#
-# domain_trans(parent_domain, program_type, child_domain)
-#
-# Permissions for transitioning to a new domain.
-#
-
-define(`domain_trans',`
-
-#
-# Allow the process to transition to the new domain.
-#
-allow $1 $3:process transition;
-
-#
-# Do not audit when glibc secure mode is enabled upon the transition.
-#
-dontaudit $1 $3:process noatsecure;
-
-#
-# Do not audit when signal-related state is cleared upon the transition.
-#
-dontaudit $1 $3:process siginh;
-
-#
-# Do not audit when resource limits are reset upon the transition.
-#
-dontaudit $1 $3:process rlimitinh;
-
-#
-# Allow the process to execute the program.
-# 
-allow $1 $2:file { read x_file_perms };
-
-#
-# Allow the process to reap the new domain.
-#
-allow $3 $1:process sigchld;
-
-#
-# Allow the new domain to inherit and use file 
-# descriptions from the creating process and vice versa.
-#
-allow $3 $1:fd use;
-allow $1 $3:fd use;
-
-#
-# Allow the new domain to write back to the old domain via a pipe.
-#
-allow $3 $1:fifo_file rw_file_perms;
-
-#
-# Allow the new domain to read and execute the program.
-#
-allow $3 $2:file rx_file_perms;
-
-#
-# Allow the new domain to be entered via the program.
-#
-allow $3 $2:file entrypoint;
-')
-
-#################################
-#
-# domain_auto_trans(parent_domain, program_type, child_domain)
-#
-# Define a default domain transition and allow it.
-#
-define(`domain_auto_trans',`
-domain_trans($1,$2,$3)
-type_transition $1 $2:process $3;
-')
-
-#################################
-#
-# can_ptrace(domain, domain)
-#
-# Permissions for running ptrace (strace or gdb) on another domain
-#
-define(`can_ptrace',`
-allow $1 $2:process ptrace;
-allow $2 $1:process sigchld;
-')
-
-#################################
-#
-# can_exec(domain, type)
-#
-# Permissions for executing programs with
-# a specified type without changing domains.
-#
-define(`can_exec',`
-allow $1 $2:file { rx_file_perms execute_no_trans };
-')
-
-# this is an internal macro used by can_create
-define(`can_create_internal', `
-ifelse(`$3', `dir', `
-allow $1 $2:$3 create_dir_perms;
-', `$3', `lnk_file', `
-allow $1 $2:$3 create_lnk_perms;
-', `
-allow $1 $2:$3 create_file_perms;
-')dnl end if dir
-')dnl end can_create_internal
-
-
-#################################
-#
-# can_create(domain, file_type, object_class)
-#
-# Permissions for creating files of the specified type and class
-#
-define(`can_create', `
-ifelse(regexp($3, `\w'), -1, `', `
-can_create_internal($1, $2, regexp($3, `\(\w+\)', `\1'))
-
-can_create($1, $2, regexp($3, `\w+\(.*\)', `\1'))
-')
-')
-#################################
-#
-# file_type_trans(domain, dir_type, file_type)
-#
-# Permissions for transitioning to a new file type.
-#
-
-define(`file_type_trans',`
-
-#
-# Allow the process to modify the directory.
-#
-allow $1 $2:dir rw_dir_perms;
-
-#
-# Allow the process to create the file.
-#
-ifelse(`$4', `', `
-can_create($1, $3, `{ file lnk_file sock_file fifo_file dir }')
-', `
-can_create($1, $3, $4)
-')dnl end if param 4 specified
-
-')
-
-#################################
-#
-# file_type_auto_trans(creator_domain, parent_directory_type, file_type, object_class)
-#
-# the object class will default to notdevfile_class_set if not specified as
-# the fourth parameter
-#
-# Define a default file type transition and allow it.
-#
-define(`file_type_auto_trans',`
-ifelse(`$4', `', `
-file_type_trans($1,$2,$3)
-type_transition $1 $2:dir $3;
-type_transition $1 $2:notdevfile_class_set $3;
-', `
-file_type_trans($1,$2,$3,$4)
-type_transition $1 $2:$4 $3;
-')dnl end ifelse
-
-')
-
-
-#################################
-#
-# can_unix_connect(client, server)
-#
-# Permissions for establishing a Unix stream connection.
-#
-define(`can_unix_connect',`
-allow $1 $2:unix_stream_socket connectto;
-')
-
-#################################
-#
-# can_unix_send(sender, receiver)
-#
-# Permissions for sending Unix datagrams.
-#
-define(`can_unix_send',`
-allow $1 $2:unix_dgram_socket sendto;
-')
-
-#################################
-#
-# can_tcp_connect(client, server)
-#
-# Permissions for establishing a TCP connection.
-# Irrelevant until we have labeled networking.
-#
-define(`can_tcp_connect',`
-#allow $1 $2:tcp_socket { connectto recvfrom };
-#allow $2 $1:tcp_socket { acceptfrom recvfrom };
-#allow $2 kernel_t:tcp_socket recvfrom;
-#allow $1 kernel_t:tcp_socket recvfrom;
-')
-
-#################################
-#
-# can_udp_send(sender, receiver)
-#
-# Permissions for sending/receiving UDP datagrams.
-# Irrelevant until we have labeled networking.
-#
-define(`can_udp_send',`
-#allow $1 $2:udp_socket sendto;
-#allow $2 $1:udp_socket recvfrom;
-')
-
-
-##################################
-#
-# base_pty_perms(domain_prefix)
-#
-# Base permissions used for can_create_pty() and can_create_other_pty()
-#
-define(`base_pty_perms', `
-# Access the pty master multiplexer.
-allow $1_t ptmx_t:chr_file rw_file_perms;
-
-allow $1_t devpts_t:filesystem getattr;
-
-# allow searching /dev/pts
-allow $1_t devpts_t:dir { getattr read search };
-
-# ignore old BSD pty devices
-dontaudit $1_t bsdpty_device_t:chr_file { getattr read write };
-')
-
-
-##################################
-#
-# pty_slave_label(domain_prefix, attributes)
-#
-# give access to a slave pty but do not allow creating new ptys
-#
-define(`pty_slave_label', `
-type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
-
-# Allow the pty to be associated with the file system.
-allow $1_devpts_t devpts_t:filesystem associate;
-
-# Label pty files with a derived type.
-type_transition $1_t devpts_t:chr_file $1_devpts_t;
-
-# allow searching /dev/pts
-allow $1_t devpts_t:dir { getattr read search };
-
-# Read and write my pty files.
-allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
-')
-
-
-##################################
-#
-# can_create_pty(domain_prefix, attributes)
-#
-# Permissions for creating ptys.
-#
-define(`can_create_pty',`
-base_pty_perms($1)
-pty_slave_label($1, `$2')
-')
-
-
-##################################
-#
-# can_create_other_pty(domain_prefix,other_domain)
-#
-# Permissions for creating ptys for another domain.
-#
-define(`can_create_other_pty',`
-base_pty_perms($1)
-# Label pty files with a derived type.
-type_transition $1_t devpts_t:chr_file $2_devpts_t;
-
-# Read and write pty files.
-allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms };
-')
-
-
-#
-# general_domain_access(domain)
-#
-# Grant permissions within the domain.
-# This includes permissions to processes, /proc/PID files,
-# file descriptors, pipes, Unix sockets, and System V IPC objects
-# labeled with the domain.
-#
-define(`general_domain_access',`
-# Access other processes in the same domain.
-# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, execmem, execstack and execheap.
-# These must be granted separately if desired.
-allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap};
-
-# Access /proc/PID files for processes in the same domain.
-allow $1 self:dir r_dir_perms;
-allow $1 self:notdevfile_class_set r_file_perms;
-
-# Access file descriptions, pipes, and sockets
-# created by processes in the same domain.
-allow $1 self:fd *;
-allow $1 self:fifo_file rw_file_perms;
-allow $1 self:unix_dgram_socket create_socket_perms;
-allow $1 self:unix_stream_socket create_stream_socket_perms;
-
-# Allow the domain to communicate with other processes in the same domain.
-allow $1 self:unix_dgram_socket sendto;
-allow $1 self:unix_stream_socket connectto;
-
-# Access System V IPC objects created by processes in the same domain.
-allow $1 self:sem  create_sem_perms;
-allow $1 self:msg  { send receive };
-allow $1 self:msgq create_msgq_perms;
-allow $1 self:shm  create_shm_perms;
-allow $1 unpriv_userdomain:fd use;
-#
-# Every app is asking for ypbind so I am adding this here, 
-# eventually this should become can_nsswitch
-#
-can_ypbind($1)
-allow $1 autofs_t:dir { search getattr };
-')dnl end general_domain_access
diff --git a/strict/macros/global_macros.te b/strict/macros/global_macros.te
deleted file mode 100644
index 54dce1d..0000000
--- a/strict/macros/global_macros.te
+++ /dev/null
@@ -1,761 +0,0 @@
-##############################
-#
-# Global macros for the type enforcement (TE) configuration.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Howard Holm (NSA) <hdholm@epoch.ncsc.mil>
-#           Russell Coker <russell@coker.com.au>
-#
-#
-#
-
-##################################
-#
-# can_setexec(domain)
-#
-# Authorize a domain to set its exec context
-# (via /proc/pid/attr/exec).
-#
-define(`can_setexec',`
-allow $1 self:process setexec;
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read write };
-')
-
-##################################
-#
-# can_getcon(domain)
-#
-# Authorize a domain to get its context
-# (via /proc/pid/attr/current).
-#
-define(`can_getcon',`
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-allow $1 self:process getattr;
-')
-
-##################################
-#
-# can_setcon(domain)
-#
-# Authorize a domain to set its current context
-# (via /proc/pid/attr/current).
-#
-define(`can_setcon',`
-allow $1 self:process setcurrent;
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read write };
-')
-
-##################################
-# read_sysctl(domain)
-#
-# Permissions for reading sysctl variables.
-# If the second parameter is full, allow
-# reading of any sysctl variables, else only
-# sysctl_kernel_t.
-#
-define(`read_sysctl', `
-# Read system variables in /sys.
-ifelse($2,`full', `
-allow $1 sysctl_type:dir r_dir_perms;
-allow $1 sysctl_type:file r_file_perms;
-', `
-allow $1 sysctl_t:dir search;
-allow $1 sysctl_kernel_t:dir search;
-allow $1 sysctl_kernel_t:file { getattr read };
-')
-
-')dnl read_sysctl
-
-##################################
-#
-# can_setfscreate(domain)
-#
-# Authorize a domain to set its fscreate context
-# (via /proc/pid/attr/fscreate).
-#
-define(`can_setfscreate',`
-allow $1 self:process setfscreate;
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read write };
-')
-
-#################################
-#
-# uses_shlib(domain)
-#
-# Permissions for using shared libraries.
-#
-define(`uses_shlib',`
-allow $1 { root_t usr_t lib_t etc_t }:dir r_dir_perms;
-allow $1 lib_t:lnk_file r_file_perms;
-allow $1 ld_so_t:file rx_file_perms;
-#allow $1 ld_so_t:file execute_no_trans;
-allow $1 ld_so_t:lnk_file r_file_perms;
-allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms;
-allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms;
-allow $1 texrel_shlib_t:file execmod;
-allow $1 ld_so_cache_t:file r_file_perms;
-allow $1 device_t:dir search;
-allow $1 null_device_t:chr_file rw_file_perms;
-')
-
-#################################
-#
-# can_exec_any(domain)
-#
-# Permissions for executing a variety
-# of executable types.
-#
-define(`can_exec_any',`
-allow $1 { bin_t sbin_t lib_t etc_t }:dir r_dir_perms;
-allow $1 { bin_t sbin_t etc_t }:lnk_file { getattr read };
-uses_shlib($1)
-can_exec($1, etc_t)
-can_exec($1, lib_t)
-can_exec($1, bin_t)
-can_exec($1, sbin_t)
-can_exec($1, exec_type)
-can_exec($1, ld_so_t)
-')
-
-
-#################################
-#
-# can_sysctl(domain)
-#
-# Permissions for modifying sysctl parameters.
-#
-define(`can_sysctl',`
-allow $1 sysctl_type:dir r_dir_perms;
-allow $1 sysctl_type:file { setattr rw_file_perms };
-')
-
-
-##################################
-#
-# read_locale(domain)
-#
-# Permissions for reading the locale data,
-# /etc/localtime and the files that it links to
-#
-define(`read_locale', `
-allow $1 etc_t:lnk_file read;
-allow $1 lib_t:file r_file_perms;
-r_dir_file($1, locale_t)
-')
-
-define(`can_access_pty', `
-allow $1 devpts_t:dir r_dir_perms;
-allow $1 $2_devpts_t:chr_file rw_file_perms;
-')
-
-###################################
-#
-# access_terminal(domain, typeprefix)
-#
-# Permissions for accessing the terminal
-#
-define(`access_terminal', `
-allow $1 $2_tty_device_t:chr_file { read write getattr ioctl };
-allow $1 devtty_t:chr_file { read write getattr ioctl };
-can_access_pty($1, $2)
-') 
-
-#
-# general_proc_read_access(domain)
-#
-# Grant read/search permissions to most of /proc, excluding
-# the /proc/PID directories and the /proc/kmsg and /proc/kcore files.
-# The general_domain_access macro grants access to the domain /proc/PID
-# directories, but not to other domains.  Only permissions to stat
-# are granted for /proc/kmsg and /proc/kcore, since these files are more
-# sensitive.
-# 
-define(`general_proc_read_access',`
-# Read system information files in /proc.
-r_dir_file($1, proc_t)
-r_dir_file($1, proc_net_t)
-allow $1 proc_mdstat_t:file r_file_perms;
-
-# Stat /proc/kmsg and /proc/kcore.
-allow $1 proc_fs:file stat_file_perms;
-
-# Read system variables in /proc/sys.
-read_sysctl($1)
-')
-
-#
-# base_file_read_access(domain)
-#
-# Grant read/search permissions to a few system file types.
-#
-define(`base_file_read_access',`
-# Read /.
-allow $1 root_t:dir r_dir_perms;
-allow $1 root_t:notdevfile_class_set r_file_perms;
-
-# Read /home.
-allow $1 home_root_t:dir r_dir_perms;
-
-# Read /usr.
-allow $1 usr_t:dir r_dir_perms;
-allow $1 usr_t:notdevfile_class_set r_file_perms;
-
-# Read bin and sbin directories.
-allow $1 bin_t:dir r_dir_perms;
-allow $1 bin_t:notdevfile_class_set r_file_perms;
-allow $1 sbin_t:dir r_dir_perms;
-allow $1 sbin_t:notdevfile_class_set r_file_perms;
-read_sysctl($1)
-
-r_dir_file($1, selinux_config_t)
-
-if (read_default_t) {
-#
-# Read default_t
-#.
-allow $1 default_t:dir r_dir_perms;
-allow $1 default_t:notdevfile_class_set r_file_perms;
-}
-
-')
-
-#######################
-# daemon_core_rules(domain_prefix, attribs)
-#
-# Define the core rules for a daemon, used by both daemon_base_domain() and
-# init_service_domain().
-# Attribs is the list of attributes which must start with "," if it is not empty
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-define(`daemon_core_rules', `
-type $1_t, domain, privlog, daemon $2;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-dontaudit $1_t self:capability sys_tty_config;
-
-role system_r types $1_t;
-
-# Inherit and use descriptors from init.
-allow $1_t init_t:fd use;
-allow $1_t init_t:process sigchld;
-allow $1_t self:process { signal_perms fork };
-
-uses_shlib($1_t)
-
-allow $1_t { self proc_t }:dir r_dir_perms;
-allow $1_t { self proc_t }:lnk_file { getattr read };
-
-allow $1_t device_t:dir r_dir_perms;
-ifdef(`udev.te', `
-allow $1_t udev_tdb_t:file r_file_perms;
-')dnl end if udev.te
-allow $1_t null_device_t:chr_file rw_file_perms;
-dontaudit $1_t console_device_t:chr_file rw_file_perms;
-dontaudit $1_t unpriv_userdomain:fd use;
-
-r_dir_file($1_t, sysfs_t) 
-
-allow $1_t autofs_t:dir { search getattr };
-ifdef(`targeted_policy', `
-dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write };
-dontaudit $1_t root_t:file { getattr read };
-')dnl end if targeted_policy
- 
-')dnl end macro daemon_core_rules
-
-#######################
-# init_service_domain(domain_prefix, attribs)
-#
-# Define a domain for a program that is run from init
-# Attribs is the list of attributes which must start with "," if it is not empty
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-define(`init_service_domain', `
-daemon_core_rules($1, `$2')
-
-domain_auto_trans(init_t, $1_exec_t, $1_t)
-')dnl
-
-#######################
-# daemon_base_domain(domain_prefix, attribs)
-#
-# Define a daemon domain with a base set of type declarations
-# and permissions that are common to most daemons.
-# attribs is the list of attributes which must start with "," if it is not empty
-# nosysadm may be given as an optional third parameter, to specify that the
-# sysadmin should not transition to the domain when directly calling the executable
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-define(`daemon_base_domain', `
-daemon_core_rules($1, `$2')
-
-rhgb_domain($1_t)
-
-read_sysctl($1_t)
-
-ifdef(`direct_sysadm_daemon', `
-dontaudit $1_t admin_tty_type:chr_file rw_file_perms;
-')
-
-#
-# Allows user to define a tunable to disable domain transition
-#
-ifelse(index(`$2',`transitionbool'), -1, `', `
-bool $1_disable_trans false;
-if ($1_disable_trans) {
-can_exec(initrc_t, $1_exec_t)
-can_exec(sysadm_t, $1_exec_t)
-} else {
-') dnl transitionbool
-domain_auto_trans(initrc_t, $1_exec_t, $1_t)
-allow initrc_t $1_t:process { noatsecure siginh rlimitinh };
-ifdef(`direct_sysadm_daemon', `
-ifelse(`$3', `nosysadm', `', `
-domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
-allow sysadm_t $1_t:process { noatsecure siginh rlimitinh };
-')dnl end direct_sysadm_daemon
-')dnl end nosysadm
-ifelse(index(`$2', `transitionbool'), -1, `', `
-}
-') dnl end transitionbool
-ifdef(`direct_sysadm_daemon', `
-ifelse(`$3', `nosysadm', `', `
-role_transition sysadm_r $1_exec_t system_r;
-')dnl end nosysadm
-')dnl end direct_sysadm_daemon
-
-allow $1_t privfd:fd use;
-ifdef(`newrole.te', `allow $1_t newrole_t:process sigchld;')
-allow $1_t initrc_devpts_t:chr_file rw_file_perms;
-')dnl
-
-# allow a domain to create its own files under /var/run and to create files
-# in directories that are created for it.  $2 is an optional list of
-# classes to use; default is file.
-define(`var_run_domain', `
-type $1_var_run_t, file_type, sysadmfile, pidfile;
-
-ifelse(`$2', `', `
-file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file)
-', `
-file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2)
-')
-allow $1_t var_t:dir search;
-allow $1_t $1_var_run_t:dir rw_dir_perms;
-')
-
-#######################
-# daemon_domain(domain_prefix, attribs)
-#
-# see daemon_base_domain for calling details
-# daemon_domain defines some additional privileges needed by many domains,
-# like pid files and locale support
-
-define(`daemon_domain', `
-ifdef(`targeted_policy', `
-daemon_base_domain($1, `$2, transitionbool', $3)
-', `
-daemon_base_domain($1, `$2', $3)
-')
-# Create pid file.
-allow $1_t var_t:dir { getattr search };
-var_run_domain($1)
-
-allow $1_t devtty_t:chr_file rw_file_perms;
-
-# for daemons that look at /root on startup
-dontaudit $1_t sysadm_home_dir_t:dir search;
-
-# for df
-allow $1_t fs_type:filesystem getattr;
-allow $1_t removable_t:filesystem getattr;
-
-read_locale($1_t)
-
-# for localization
-allow $1_t lib_t:file { getattr read };
-')dnl end daemon_domain macro
-
-define(`uses_authbind',
-`domain_auto_trans($1, authbind_exec_t, authbind_t)
-allow authbind_t $1:process sigchld;
-allow authbind_t $1:fd use;
-allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
-')
-
-# define a sub-domain, $1_t is the parent domain, $2 is the name
-# of the sub-domain.
-#
-define(`daemon_sub_domain', `
-# $1 is the parent domain (or domains), $2_t is the child domain,
-# and $3 is any attributes to apply to the child
-type $2_t, domain, privlog, daemon $3;
-type $2_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types $2_t;
-
-ifelse(index(`$3',`transitionbool'), -1, `
-
-domain_auto_trans($1, $2_exec_t, $2_t)
-
-', `
-
-bool $2_disable_trans false;
-
-if (! $2_disable_trans) {
-domain_auto_trans($1, $2_exec_t, $2_t)
-}
-
-');
-# Inherit and use descriptors from parent.
-allow $2_t $1:fd use;
-allow $2_t $1:process sigchld;
-
-allow $2_t self:process signal_perms;
-
-uses_shlib($2_t)
-
-allow $2_t { self proc_t }:dir r_dir_perms;
-allow $2_t { self proc_t }:lnk_file read;
-
-allow $2_t device_t:dir getattr;
-')
-
-# grant access to /tmp
-# by default, only plain files and dirs may be stored there.
-# This can be overridden with a third parameter
-define(`tmp_domain', `
-type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
-ifelse($3, `',
-`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `{ file dir }')',
-`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')')
-')
-
-# grant access to /tmp. Do not perform an automatic transition.
-define(`tmp_domain_notrans', `
-type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
-')
-
-define(`tmpfs_domain', `
-ifdef(`$1_tmpfs_t_defined',`', `
-define(`$1_tmpfs_t_defined')
-type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
-# Use this type when creating tmpfs/shm objects.
-file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
-allow $1_tmpfs_t tmpfs_t:filesystem associate;
-')
-')
-
-define(`var_lib_domain', `
-type $1_var_lib_t, file_type, sysadmfile;
-file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file)
-allow $1_t $1_var_lib_t:dir rw_dir_perms;
-')
-
-define(`log_domain', `
-type $1_log_t, file_type, sysadmfile, logfile;
-file_type_auto_trans($1_t, var_log_t, $1_log_t, file)
-')
-
-define(`logdir_domain', `
-log_domain($1)
-allow $1_t $1_log_t:dir { setattr rw_dir_perms };
-')
-
-define(`etc_domain', `
-type $1_etc_t, file_type, sysadmfile, usercanread;
-allow $1_t $1_etc_t:file r_file_perms;
-')
-
-define(`etcdir_domain', `
-etc_domain($1)
-allow $1_t $1_etc_t:dir r_dir_perms;
-allow $1_t $1_etc_t:lnk_file { getattr read };
-')
-
-define(`append_log_domain', `
-type $1_log_t, file_type, sysadmfile, logfile;
-allow $1_t var_log_t:dir ra_dir_perms;
-allow $1_t $1_log_t:file  { create ra_file_perms };
-type_transition $1_t var_log_t:file $1_log_t;
-')
-
-define(`append_logdir_domain', `
-append_log_domain($1)
-allow $1_t $1_log_t:dir { setattr ra_dir_perms };
-')
-
-define(`lock_domain', `
-type $1_lock_t, file_type, sysadmfile, lockfile;
-file_type_auto_trans($1_t, var_lock_t, $1_lock_t, file)
-')
-
-#######################
-# application_domain(domain_prefix)
-#
-# Define a domain with a base set of type declarations
-# and permissions that are common to simple applications.
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-define(`application_domain', `
-type $1_t, domain, privlog $2;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-role sysadm_r types $1_t;
-ifdef(`targeted_policy', `
-role system_r types $1_t;
-')
-domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
-uses_shlib($1_t)
-')
-
-define(`system_domain', `
-type $1_t, domain, privlog $2;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-role system_r types $1_t;
-uses_shlib($1_t)
-allow $1_t etc_t:dir r_dir_perms;
-')
-
-# Dontaudit macros to prevent flooding the log
-
-define(`dontaudit_getattr', `
-dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr; 
-dontaudit $1 unlabeled_t:dir_file_class_set getattr;
-dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
-')dnl end dontaudit_getattr 
-
-define(`dontaudit_search_dir', `
-dontaudit $1 file_type - secure_file_type:dir search;
-dontaudit $1 unlabeled_t:dir search;
-dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
-')dnl end dontaudit_search_dir
-
-define(`dontaudit_read_dir', `
-dontaudit $1 file_type - secure_file_type:dir read;
-dontaudit $1 unlabeled_t:dir read;
-dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
-')dnl end dontaudit_read_dir
-
-# Define legacy_domain  for legacy binaries (java)
-# "legacy" binary == lacks PT_GNU_STACK header, i.e. built with an old
-# toolchain.  They cause the kernel to automatically start translating all
-# read protection requests to read|execute for backward compatibility on
-# x86.  They will all need execmem and execmod, including execmod to
-# shlib_t and ld_so_t unlike non-legacy binaries.
-
-define(`legacy_domain', `
-allow $1_t self:process { execmem execstack };
-allow $1_t { texrel_shlib_t shlib_t }:file execmod;
-allow $1_t ld_so_t:file execmod;
-allow $1_t ld_so_cache_t:file execute;
-')
-
-
-# Allow domain to perform polyinstantiation functions
-# polyinstantiater(domain)
-
-define(`polyinstantiater', `
-
-ifdef(`support_polyinstantiation', `
-# Need to give access to /selinux/member
-allow $1 security_t:security compute_member;
-
-# Need to give access to the directories to be polyinstantiated
-allow $1 polydir:dir { getattr mounton add_name create setattr write search };
-
-# Need to give access to the polyinstantiated subdirectories
-allow $1 polymember:dir {getattr search };
-
-# Need to give access to parent directories where original
-# is remounted for polyinstantiation aware programs (like gdm)
-allow $1 polyparent:dir { getattr mounton };
-
-# Need to give permission to create directories where applicable
-allow $1 polymember: dir { create setattr };
-allow $1 polydir: dir { write add_name };
-allow $1 self:process setfscreate;
-allow $1 polyparent:dir { write add_name };
-# Default type for mountpoints
-allow $1 poly_t:dir { create mounton };
-
-# Need sys_admin capability for mounting
-allow $1 self:capability sys_admin;
-')dnl end else support_polyinstantiation
-
-')dnl end polyinstantiater
-
-# 
-# Domain that is allow to read anonymous data off the network
-# without providing authentication.
-# Also define boolean to allow anonymous writing
-#
-define(`anonymous_domain', `
-r_dir_file($1_t, { public_content_t public_content_rw_t } )
-bool allow_$1_anon_write false;
-if (allow_$1_anon_write) {
-create_dir_file($1_t,public_content_rw_t)
-}
-')
-# 
-# Define a domain that can do anything, so that it is
-# effectively unconfined by the SELinux policy.  This
-# means that it is only restricted by the normal Linux 
-# protections.  Note that you may need to add further rules
-# to allow other domains to interact with this domain as expected,
-# since this macro only allows the specified domain to act upon
-# all other domains and types, not vice versa.
-#
-define(`unconfined_domain', `
-
-typeattribute $1 unrestricted;
-typeattribute $1 privuser;
-
-# Mount/unmount any filesystem. 
-allow $1 fs_type:filesystem *;
-
-# Mount/unmount any filesystem with the context= option. 
-allow $1 file_type:filesystem *;
-
-# Create/access any file in a labeled filesystem;
-allow $1 file_type:{ file chr_file } ~execmod;
-allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
-allow $1 sysctl_t:{ dir file } *;
-allow $1 device_type:devfile_class_set *;
-allow $1 mtrr_device_t:file *;
-
-# Create/access other files.  fs_type is to pick up various
-# pseudo filesystem types that are applied to both the filesystem
-# and its files.
-allow $1 { unlabeled_t fs_type }:dir_file_class_set *;
-allow $1 proc_fs:{ dir file } *;
-
-# For /proc/pid
-r_dir_file($1,domain)
-# Write access is for setting attributes under /proc/self/attr.
-allow $1 self:file rw_file_perms;
-
-# Read and write sysctls.
-can_sysctl($1)
-
-# Access the network.
-allow $1 node_type:node *;
-allow $1 netif_type:netif *;
-allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
-allow $1 port_type:tcp_socket name_connect;
-
-# Bind to any network address.
-allow $1 port_type:{ tcp_socket udp_socket } name_bind;
-allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
-allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
-
-# Use/sendto/connectto sockets created by any domain.
-allow $1 domain:{ socket_class_set socket key_socket } *;
-
-# Use descriptors and pipes created by any domain.
-allow $1 domain:fd use;
-allow $1 domain:fifo_file rw_file_perms;
-
-# Act upon any other process.
-allow $1 domain:process ~{ transition dyntransition execmem };
-# Transition to myself, to make get_ordered_context_list happy.
-allow $1 self:process transition;
-
-if (allow_execmem) {
-# Allow making anonymous memory executable, e.g. 
-# for runtime-code generation or executable stack.
-allow $1 self:process execmem;
-}
-
-if (allow_execmem && allow_execstack) {
-# Allow making the stack executable via mprotect.
-allow $1 self:process execstack;
-}
-
-if (allow_execmod) {
-# Allow text relocations on system shared libraries, e.g. libGL.
-ifdef(`targeted_policy', `
-allow $1 file_type:file execmod;
-', `
-allow $1 texrel_shlib_t:file execmod;
-allow $1 home_type:file execmod;
-')
-}
-
-# Create/access any System V IPC objects.
-allow $1 domain:{ sem msgq shm } *;
-allow $1 domain:msg  { send receive };
-
-# Access the security API.
-allow $1 security_t:security *;
-auditallow $1 security_t:security { load_policy setenforce setbool };
-
-# Perform certain system operations that lacked individual capabilities.
-allow $1 kernel_t:system *;
-
-# Use any Linux capability.
-allow $1 self:capability *;
-
-# Set user information and skip authentication.
-allow $1 self:passwd *;
-
-# Communicate via dbusd.
-allow $1 self:dbus *;
-ifdef(`dbusd.te', `
-allow $1 system_dbusd_t:dbus *;
-')
-
-# Get info via nscd.
-allow $1 self:nscd *;
-ifdef(`nscd.te', `
-allow $1 nscd_t:nscd *;
-')
-
-')dnl end unconfined_domain
-
-
-define(`access_removable_media', `
-
-can_exec($1, { removable_t noexattrfile } )
-if (user_rw_noexattrfile) {
-create_dir_file($1, noexattrfile)
-create_dir_file($1, removable_t)
-# Write floppies 
-allow $1 removable_device_t:blk_file rw_file_perms;
-allow $1 usbtty_device_t:chr_file write;
-} else {
-r_dir_file($1, noexattrfile)
-r_dir_file($1, removable_t)
-allow $1 removable_device_t:blk_file r_file_perms;
-}
-allow $1 removable_t:filesystem getattr;
-
-')
-
-define(`authentication_domain', `
-can_ypbind($1)
-can_kerberos($1)
-can_ldap($1)
-can_resolve($1)
-can_winbind($1)
-r_dir_file($1, cert_t)
-allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
-allow $1 self:capability { audit_write audit_control };
-dontaudit $1 shadow_t:file { getattr read };
-')
diff --git a/strict/macros/home_macros.te b/strict/macros/home_macros.te
deleted file mode 100644
index 033b32f..0000000
--- a/strict/macros/home_macros.te
+++ /dev/null
@@ -1,130 +0,0 @@
-# Home macros
-
-################################################
-# network_home(source)
-#
-# Allows source domain to use a network home
-# This includes privileges of create and execute
-# as well as the ability to create sockets and fifo
-
-define(`network_home', `
-allow $1 autofs_t:dir { search getattr };
-
-if (use_nfs_home_dirs) {
-create_dir_file($1, nfs_t)
-can_exec($1, nfs_t)
-allow $1 nfs_t:{ sock_file fifo_file } create_file_perms;
-}
-
-if (use_samba_home_dirs) {
-create_dir_file($1, cifs_t)
-can_exec($1, cifs_t)
-allow $1 cifs_t:{ sock_file fifo_file } create_file_perms;
-}
-') dnl network_home
-
-################################################
-# write_network_home(source)
-#
-# Allows source domain to create directories and
-# files on network file system
-
-define(`write_network_home', `
-allow $1 home_root_t:dir search;
-
-if (use_nfs_home_dirs) {
-create_dir_file($1, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1, cifs_t)
-}
-allow $1 autofs_t:dir { search getattr };
-') dnl write_network_home
-
-################################################
-# read_network_home(source)
-#
-# Allows source domain to read directories and
-# files on network file system
-
-define(`read_network_home', `
-allow $1 home_root_t:dir search;
-
-if (use_nfs_home_dirs) {
-r_dir_file($1, nfs_t)
-}
-if (use_samba_home_dirs) {
-r_dir_file($1, cifs_t)
-}
-allow $1 autofs_t:dir { search getattr };
-') dnl read_network_home
-
-##################################################
-# home_domain_ro_access(source, user, app)
-#
-# Gives source access to the read-only home
-# domain of app for the given user type
-
-define(`home_domain_ro_access', `
-allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
-read_network_home($1)
-r_dir_file($1, $2_$3_ro_home_t)
-') dnl home_domain_ro_access
-
-#################################################
-# home_domain_access(source, user, app)
-#
-# Gives source full access to the home
-# domain of app for the given user type
-#
-# Requires transition in caller
-
-define(`home_domain_access', `
-allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
-write_network_home($1)
-create_dir_file($1, $2_$3_home_t)
-') dnl home_domain_access
-
-####################################################################
-# home_domain (prefix, app)
-#
-# Creates a domain in the prefix home where an application can
-# store its settings. It is accessible by the prefix domain.
-#
-# Requires transition in caller
-
-define(`home_domain', `
-
-# Declare home domain
-type $1_$2_home_t, file_type, $1_file_type, sysadmfile, polymember;
-typealias $1_$2_home_t alias $1_$2_rw_t;
-
-# User side access
-create_dir_file($1_t, $1_$2_home_t)
-allow $1_t $1_$2_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-# App side access
-home_domain_access($1_$2_t, $1, $2)
-')
-
-####################################################################
-# home_domain_ro (user, app)
-#
-# Creates a read-only domain in the user home where an application can
-# store its settings. It is fully accessible by the user, but
-# it is read-only for the application.
-#
-
-define(`home_domain_ro', `
-
-# Declare home domain
-type $1_$2_ro_home_t, file_type, $1_file_type, sysadmfile;
-typealias $1_$2_ro_home_t alias $1_$2_ro_t;
-
-# User side access
-create_dir_file($1_t, $1_$2_ro_home_t)
-allow $1_t $1_$2_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-# App side access
-home_domain_ro_access($1_$2_t, $1, $2)
-')
diff --git a/strict/macros/mini_user_macros.te b/strict/macros/mini_user_macros.te
deleted file mode 100644
index 9f7d994..0000000
--- a/strict/macros/mini_user_macros.te
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# Macros for all user login domains.
-#
-
-#
-# mini_user_domain(domain_prefix)
-#
-# Define derived types and rules for a minimal privs user domain named
-# $1_mini_t which is permitted to be in $1_r role and transition to $1_t.
-#
-undefine(`mini_user_domain')
-define(`mini_user_domain',`
-# user_t/$1_t is an unprivileged users domain.
-type $1_mini_t, domain, user_mini_domain;
-
-# for ~/.bash_profile and other files that the mini domain should be allowed
-# to read (but not write)
-type $1_home_mini_t, file_type, sysadmfile;
-allow $1_t $1_home_mini_t:file { create_file_perms relabelto relabelfrom };
-allow $1_mini_t $1_home_mini_t:file r_file_perms;
-
-# $1_r is authorized for $1_mini_t for the initial login domain.
-role $1_r types $1_mini_t;
-uses_shlib($1_mini_t)
-pty_slave_label($1_mini, `, userpty_type, mini_pty_type')
-
-allow $1_mini_t devtty_t:chr_file rw_file_perms;
-allow $1_mini_t { etc_t etc_runtime_t }:file { getattr read };
-dontaudit $1_mini_t proc_t:dir { getattr search };
-allow $1_mini_t self:unix_stream_socket create_socket_perms;
-allow $1_mini_t self:fifo_file rw_file_perms;
-allow $1_mini_t self:process { fork sigchld setpgid };
-dontaudit $1_mini_t var_t:dir search;
-allow $1_mini_t { bin_t sbin_t }:dir search;
-
-dontaudit $1_mini_t device_t:dir { getattr read };
-dontaudit $1_mini_t devpts_t:dir { getattr read };
-dontaudit $1_mini_t proc_t:lnk_file read;
-
-can_exec($1_mini_t, bin_t)
-allow $1_mini_t { home_root_t $1_home_dir_t }:dir search;
-dontaudit $1_mini_t home_root_t:dir getattr;
-dontaudit $1_mini_t $1_home_dir_t:dir { getattr read };
-dontaudit $1_mini_t $1_home_t:file { append getattr read write };
-
-dontaudit $1_mini_t fs_t:filesystem getattr;
-
-type_change $1_mini_t $1_mini_devpts_t:chr_file $1_devpts_t;
-# uncomment this if using mini domains for console logins
-#type_change $1_mini_t $1_tty_device_t:chr_file $1_tty_device_t;
-
-type_change $1_mini_t server_pty:chr_file $1_mini_devpts_t;
-type_change $1_t $1_mini_devpts_t:chr_file $1_devpts_t;
-
-domain_auto_trans($1_mini_t, newrole_exec_t, newrole_t)
-')dnl end mini_user_domain definition
-
diff --git a/strict/macros/network_macros.te b/strict/macros/network_macros.te
deleted file mode 100644
index 8e8b05a..0000000
--- a/strict/macros/network_macros.te
+++ /dev/null
@@ -1,190 +0,0 @@
-#################################
-#
-# can_network(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`base_can_network',`
-#
-# Allow the domain to create and use $2 sockets.
-# Other kinds of sockets must be separately authorized for use.
-allow $1 self:$2_socket connected_socket_perms;
-
-#
-# Allow the domain to send or receive using any network interface.
-# netif_type is a type attribute for all network interface types.
-#
-allow $1 netif_t:netif { $2_recv $2_send rawip_send rawip_recv };
-#
-# Allow the domain to send to or receive from any node.
-# node_type is a type attribute for all node types.
-#
-allow $1 node_type:node { $2_send rawip_send };
-allow $1 node_type:node { $2_recv rawip_recv };
-
-#
-# Allow the domain to send to or receive from any port.
-# port_type is a type attribute for all port types.
-#
-ifelse($3, `', `
-allow $1 port_type:$2_socket { send_msg recv_msg };
-', `
-allow $1 $3:$2_socket { send_msg recv_msg };
-')
-
-# XXX Allow binding to any node type.  Remove once
-# individual rules have been added to all domains that 
-# bind sockets. 
-allow $1 node_type:$2_socket node_bind;
-#
-# Allow access to network files including /etc/resolv.conf
-#
-allow $1 net_conf_t:file r_file_perms;
-')dnl end can_network definition
-
-#################################
-#
-# can_network_server_tcp(domain)
-#
-# Permissions for accessing a tcp network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_server_tcp',`
-base_can_network($1, tcp, `$2')
-allow $1 self:tcp_socket { listen accept };
-')
-
-#################################
-#
-# can_network_client_tcp(domain)
-#
-# Permissions for accessing a tcp network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_client_tcp',`
-base_can_network($1, tcp, `$2')
-allow $1 self:tcp_socket { connect };
-')
-
-#################################
-#
-# can_network_tcp(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_tcp',`
-
-can_network_server_tcp($1, `$2')
-can_network_client_tcp($1, `$2')
-
-')
-
-#################################
-#
-# can_network_udp(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_udp',`
-base_can_network($1, udp, `$2')
-allow $1 self:udp_socket { connect };
-')
-
-#################################
-#
-# can_network_server(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_server',`
-
-can_network_server_tcp($1, `$2')
-can_network_udp($1, `$2')
-
-')dnl end can_network_server definition
-
-
-#################################
-#
-# can_network_client(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_client',`
-
-can_network_client_tcp($1, `$2')
-can_network_udp($1, `$2')
-
-')dnl end can_network_client definition
-
-#################################
-#
-# can_network(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network',`
-
-can_network_tcp($1, `$2')
-can_network_udp($1, `$2')
-
-ifdef(`mount.te', `
-#
-# Allow the domain to send NFS client requests via the socket
-# created by mount.
-#
-allow $1 mount_t:udp_socket rw_socket_perms;
-')
-
-')dnl end can_network definition
-
-define(`can_resolve',`
-can_network_client($1, `dns_port_t')
-allow $1 dns_port_t:tcp_socket name_connect;
-')
-
-define(`can_portmap',`
-can_network_client($1, `portmap_port_t')
-allow $1 portmap_port_t:tcp_socket name_connect;
-')
-
-define(`can_ldap',`
-can_network_client_tcp($1, `ldap_port_t')
-allow $1 ldap_port_t:tcp_socket name_connect;
-')
-
-define(`can_winbind',`
-ifdef(`winbind.te', `
-allow $1 winbind_var_run_t:dir { getattr search };
-allow $1 winbind_t:unix_stream_socket connectto;
-allow $1 winbind_var_run_t:sock_file { getattr read write };
-')
-')
-
-
-#################################
-#
-# nsswitch_domain(domain)
-#
-# Permissions for looking up uid/username mapping via nsswitch
-#
-define(`nsswitch_domain', `
-can_resolve($1)
-can_ypbind($1)
-can_ldap($1)
-can_winbind($1)
-')
diff --git a/strict/macros/program/apache_macros.te b/strict/macros/program/apache_macros.te
deleted file mode 100644
index ea98391..0000000
--- a/strict/macros/program/apache_macros.te
+++ /dev/null
@@ -1,197 +0,0 @@
-
-define(`apache_domain', `
-
-#This type is for webpages
-#
-type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable;
-
-# This type is used for .htaccess files
-#
-type httpd_$1_htaccess_t, file_type, sysadmfile, customizable;
-allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
-
-# This type is used for executable scripts files
-#
-type httpd_$1_script_exec_t, file_type, sysadmfile, customizable;
-
-# Type that CGI scripts run as
-type httpd_$1_script_t, domain, privmail, nscd_client_domain;
-role system_r types httpd_$1_script_t;
-uses_shlib(httpd_$1_script_t)
-
-if (httpd_enable_cgi) {
-domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
-allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
-allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
-
-allow httpd_$1_script_t httpd_t:fd use;
-allow httpd_$1_script_t httpd_t:process sigchld;
-
-allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl };
-allow httpd_$1_script_t usr_t:lnk_file { getattr read };
-
-allow httpd_$1_script_t self:process { fork signal_perms };
-
-allow httpd_$1_script_t devtty_t:chr_file { getattr read write };
-allow httpd_$1_script_t urandom_device_t:chr_file { getattr read };
-allow httpd_$1_script_t etc_runtime_t:file { getattr read };
-read_locale(httpd_$1_script_t)
-allow httpd_$1_script_t fs_t:filesystem getattr;
-allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
-
-allow httpd_$1_script_t { self proc_t }:file r_file_perms;
-allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
-allow httpd_$1_script_t { self proc_t }:lnk_file read;
-
-allow httpd_$1_script_t device_t:dir { getattr search };
-allow httpd_$1_script_t null_device_t:chr_file rw_file_perms;
-}
-
-if (httpd_enable_cgi && httpd_can_network_connect) {
-can_network(httpd_$1_script_t)
-allow httpd_$1_script_t port_type:tcp_socket name_connect;
-}
-
-ifdef(`ypbind.te', `
-if (httpd_enable_cgi && allow_ypbind) {
-uncond_can_ypbind(httpd_$1_script_t)
-}
-')
-# The following are the only areas that 
-# scripts can read, read/write, or append to
-#
-type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile, customizable;
-type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;
-type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
-file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
-
-#########################################################
-# Permissions for running child processes and scripts
-##########################################################
-allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
-
-domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-
-allow httpd_$1_script_t httpd_t:fifo_file write;
-
-allow httpd_$1_script_t self:fifo_file rw_file_perms;
-
-allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms;
-
-###########################################################################
-# Allow the script interpreters to run the scripts.  So
-# the perl executable will be able to run a perl script
-#########################################################################
-can_exec_any(httpd_$1_script_t)
-
-allow httpd_$1_script_t etc_t:file { getattr read };
-dontaudit httpd_$1_script_t selinux_config_t:dir search;
-
-############################################################################
-# Allow the script process to search the cgi directory, and users directory
-##############################################################################
-allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
-can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
-allow httpd_$1_script_t home_root_t:dir { getattr search };
-allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
-
-#############################################################################
-# Allow the scripts to read, read/write, append to the specified directories
-# or files
-############################################################################
-read_fonts(httpd_$1_script_t)
-r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
-create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
-allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file rw_file_perms;
-ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
-anonymous_domain(httpd_$1_script)
-
-if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
-create_dir_file(httpd_$1_script_t, httpdcontent)
-can_exec(httpd_$1_script_t, httpdcontent)
-}
-
-#
-# If a user starts a script by hand it gets the proper context
-#
-ifdef(`targeted_policy', `', `
-if (httpd_enable_cgi) {
-domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-}
-')
-role sysadm_r types httpd_$1_script_t;
-
-dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
-dontaudit httpd_$1_script_t sysctl_t:dir search;
-
-############################################
-# Allow scripts to append to http logs
-#########################################
-allow httpd_$1_script_t { var_t var_log_t httpd_log_t }:dir  search;
-allow httpd_$1_script_t httpd_log_t:file { getattr append };
-
-# apache should set close-on-exec
-dontaudit  httpd_$1_script_t httpd_t:unix_stream_socket { read write };
-
-################################################################
-# Allow the web server to run scripts and serve pages
-##############################################################
-if (httpd_builtin_scripting) {
-r_dir_file(httpd_t, httpd_$1_script_ro_t)
-create_dir_file(httpd_t, httpd_$1_script_rw_t)
-allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;
-ra_dir_file(httpd_t, httpd_$1_script_ra_t)
-r_dir_file(httpd_t, httpd_$1_content_t)
-}
-
-')
-define(`apache_user_domain', `
-
-apache_domain($1)
-
-typeattribute httpd_$1_content_t $1_file_type;
-
-if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
-domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
-}
-
-if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
-# If a user starts a script by hand it gets the proper context
-domain_auto_trans($1_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-}
-role $1_r types httpd_$1_script_t;
-
-#######################################
-# Allow user to create or edit web content
-#########################################
-
-create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t })
-allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom };
-
-######################################################################
-# Allow the user to create htaccess files
-#####################################################################
-
-allow $1_t httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
-
-#########################################################################
-# Allow user to create files or directories 
-# that scripts are able to read, write, or append to
-###########################################################################
-
-create_dir_file($1_t, { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t })
-allow $1_t { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:{ file dir lnk_file } { relabelto relabelfrom };
-
-# allow accessing files/dirs below the users home dir
-if (httpd_enable_homedirs) {
-allow { httpd_t httpd_suexec_t httpd_$1_script_t } $1_home_dir_t:dir { getattr search };
-ifdef(`nfs_home_dirs', `
-r_dir_file(httpd_$1_script_t, nfs_t)
-')dnl end if nfs_home_dirs
-}
-ifdef(`crond.te', `
-create_dir_file($1_crond_t, httpd_$1_content_t)
-')
-
-')
diff --git a/strict/macros/program/bonobo_macros.te b/strict/macros/program/bonobo_macros.te
deleted file mode 100644
index e76cf3a..0000000
--- a/strict/macros/program/bonobo_macros.te
+++ /dev/null
@@ -1,119 +0,0 @@
-#
-# Bonobo
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# bonobo_domain(role_prefix) - invoke per role
-# bonobo_client(app_prefix, role_prefix) - invoke per client app
-# bonobo_connect(type1_prefix, type2_prefix) - 
-# 	connect two bonobo clients, the channel is bidirectional
-
-######################
-
-define(`bonobo_domain', `
-
-# Protect against double inclusion for faster compile
-ifdef(`bonobo_domain_$1', `', `
-define(`bonobo_domain_$1')
-
-# Type for daemon
-type $1_bonobo_t, domain, nscd_client_domain;
-
-# Transition from caller
-domain_auto_trans($1_t, bonobo_exec_t, $1_bonobo_t)
-role $1_r types $1_bonobo_t;
-
-# Shared libraries, gconv-modules
-uses_shlib($1_bonobo_t)
-allow $1_bonobo_t lib_t:file r_file_perms;
-
-read_locale($1_bonobo_t)
-read_sysctl($1_bonobo_t)
-
-# Session management 
-# FIXME: More specific context is needed for gnome-session
-ice_connect($1_bonobo, $1)
-
-# nsswitch.conf
-allow $1_bonobo_t etc_t:file { read getattr };
-
-# Fork to start apps
-allow $1_bonobo_t self:process { fork sigchld setpgid getsched signal };
-allow $1_bonobo_t self:fifo_file rw_file_perms;
-
-# ??? 
-allow $1_bonobo_t root_t:dir search;
-allow $1_bonobo_t home_root_t:dir search;
-allow $1_bonobo_t $1_home_dir_t:dir search;
-
-# libexec ??? 
-allow $1_bonobo_t bin_t:dir search;
-
-# ORBit sockets for bonobo
-orbit_domain($1_bonobo, $1)
-
-# Bonobo can launch evolution
-ifdef(`evolution.te', `
-domain_auto_trans($1_bonobo_t, evolution_exec_t, $1_evolution_t)
-domain_auto_trans($1_bonobo_t, evolution_alarm_exec_t, $1_evolution_alarm_t)
-domain_auto_trans($1_bonobo_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
-domain_auto_trans($1_bonobo_t, evolution_server_exec_t, $1_evolution_server_t)
-domain_auto_trans($1_bonobo_t, evolution_exchange_exec_t, $1_evolution_exchange_t)
-')
-
-# Bonobo can launch GNOME vfs daemon
-ifdef(`gnome_vfs.te', `
-domain_auto_trans($1_bonobo_t, gnome_vfs_exec_t, $1_gnome_vfs_t)
-')
-  
-# Transition to ROLE_t on bin_t apps
-# FIXME: The goal is to get rid of this rule, as it
-# defeats the purpose of a separate domain. It is only
-# here temporarily, since bonobo runs as ROLE_t by default anyway
-domain_auto_trans($1_bonobo_t, bin_t, $1_t) 
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_bonobo_t)
-')
-  
-') dnl ifdef bonobo_domain_args
-') dnl bonobo_domain
-
-#####################
-
-define(`bonobo_client', `
-
-# Protect against double inclusion for faster compile
-ifdef(`bonobo_client_$1_$2', `', `
-define(`bonobo_client_$1_$2')
-# Connect over bonobo
-bonobo_connect($1, $2_gconfd, $1)
- 
-# Create ORBit sockets
-orbit_domain($1, $2)
-
-# Connect to bonobo
-orbit_connect($1, $2_bonobo)
-orbit_connect($2_bonobo, $1)
-
-# Lock /tmp/bonobo-activation-register.lock
-# Stat /tmp/bonobo-activation-server.ior
-# FIXME: this should probably be of type $2_bonobo..
-# Note that this is file, not sock_file
-allow $1_t $2_orbit_tmp_t:file { getattr read write lock };
-
-domain_auto_trans($1_t, bonobo_exec_t, $2_bonobo_t)
-
-') dnl ifdef bonobo_client_args
-') dnl bonobo_client
-
-#####################
-
-define(`bonobo_connect', `
-
-# FIXME: Should there be a macro for unidirectional conn. ?
-
-orbit_connect($1, $2)
-orbit_connect($2, $1)
-
-') dnl bonobo_connect
diff --git a/strict/macros/program/cdrecord_macros.te b/strict/macros/program/cdrecord_macros.te
deleted file mode 100644
index fc1fc95..0000000
--- a/strict/macros/program/cdrecord_macros.te
+++ /dev/null
@@ -1,49 +0,0 @@
-# macros for the cdrecord domain
-# Author: Thomas Bleher <ThomasBleher@gmx.de>
-
-define(`cdrecord_domain', `
-type $1_cdrecord_t, domain, privlog;
-
-domain_auto_trans($1_t, cdrecord_exec_t, $1_cdrecord_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_cdrecord_t;
-
-uses_shlib($1_cdrecord_t)
-read_locale($1_cdrecord_t)
-
-# allow ps to show cdrecord and allow the user to kill it 
-can_ps($1_t, $1_cdrecord_t)
-allow $1_t $1_cdrecord_t:process signal;
-
-# write to the user domain tty.
-access_terminal($1_cdrecord_t, $1)
-allow $1_cdrecord_t privfd:fd use;
-
-allow $1_cdrecord_t $1_t:unix_stream_socket { getattr read write ioctl };
-
-allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
-allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
-
-can_resmgrd_connect($1_cdrecord_t)
-
-read_content($1_cdrecord_t, $1, cdrecord) 
-
-allow $1_cdrecord_t etc_t:file { getattr read };
-
-# allow searching for cdrom-drive
-allow $1_cdrecord_t device_t:dir r_dir_perms;
-allow $1_cdrecord_t device_t:lnk_file { getattr read };
-
-# allow cdrecord to write the CD
-allow $1_cdrecord_t removable_device_t:blk_file { getattr read write ioctl };
-allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
-
-allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
-allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
-can_access_pty($1_cdrecord_t, $1)
-allow $1_cdrecord_t $1_home_t:dir search;
-allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;
-allow $1_cdrecord_t $1_home_t:file r_file_perms;
-')
-
diff --git a/strict/macros/program/chkpwd_macros.te b/strict/macros/program/chkpwd_macros.te
deleted file mode 100644
index 34f1948..0000000
--- a/strict/macros/program/chkpwd_macros.te
+++ /dev/null
@@ -1,74 +0,0 @@
-#
-# Macros for chkpwd domains.
-#
-
-#
-# chkpwd_domain(domain_prefix)
-#
-# Define a derived domain for the *_chkpwd program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/su.te. 
-#
-undefine(`chkpwd_domain')
-ifdef(`chkpwd.te', `
-define(`chkpwd_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth;
-
-role $1_r types $1_chkpwd_t;
-
-# is_selinux_enabled
-allow $1_chkpwd_t proc_t:file read;
-
-can_getcon($1_chkpwd_t)
-authentication_domain($1_chkpwd_t)
-
-ifelse($1, system, `
-domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
-allow auth_chkpwd sbin_t:dir search;
-allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
-authentication_domain(auth_chkpwd)
-', `
-domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
-allow $1_t sbin_t:dir search;
-allow $1_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-# Write to the user domain tty.
-access_terminal($1_chkpwd_t, $1)
-
-allow $1_chkpwd_t privfd:fd use;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors from newrole.
-ifdef(`newrole.te', `allow $1_chkpwd_t newrole_t:fd use;')
-')
-
-uses_shlib($1_chkpwd_t)
-allow $1_chkpwd_t etc_t:file { getattr read };
-allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms;
-allow $1_chkpwd_t self:unix_stream_socket create_socket_perms;
-read_locale($1_chkpwd_t)
-
-# Use capabilities.
-allow $1_chkpwd_t self:capability setuid;
-r_dir_file($1_chkpwd_t, selinux_config_t)
-
-# for nscd
-ifdef(`nscd.te', `', `
-dontaudit $1_chkpwd_t var_t:dir search;
-')
-
-dontaudit $1_chkpwd_t fs_t:filesystem getattr;
-')
-
-', `
-
-define(`chkpwd_domain',`')
-
-')
diff --git a/strict/macros/program/chroot_macros.te b/strict/macros/program/chroot_macros.te
deleted file mode 100644
index 47ca86b..0000000
--- a/strict/macros/program/chroot_macros.te
+++ /dev/null
@@ -1,131 +0,0 @@
-
-# macro for chroot environments
-# Author Russell Coker
-
-# chroot(initial_domain, basename, role, tty_device_type)
-define(`chroot', `
-
-ifelse(`$1', `initrc', `
-define(`chroot_role', `system_r')
-define(`chroot_tty_device', `{ console_device_t admin_tty_type }')
-define(`chroot_mount_domain', `mount_t')
-define(`chroot_fd_use', `{ privfd init_t }')
-', `
-define(`chroot_role', `$1_r')
-define(`chroot_tty_device', `{ $1_devpts_t $1_tty_device_t }')
-define(`chroot_fd_use', `privfd')
-
-# allow mounting /proc and /dev
-ifdef(`$1_mount_def', `', `
-mount_domain($1, $1_mount)
-role chroot_role types $1_mount_t;
-')
-define(`chroot_mount_domain', `$1_mount_t')
-ifdef(`ssh.te', `
-can_tcp_connect($1_ssh_t, $2_t)
-')dnl end ssh
-')dnl end ifelse initrc
-
-# types for read-only and read-write files in the chroot
-type $2_ro_t, file_type, sysadmfile, home_type, user_home_type;
-type $2_rw_t, file_type, sysadmfile, home_type, user_home_type;
-# type like $2_ro_t but that triggers a transition from $2_super_t to $2_t
-# when you execute it
-type $2_dropdown_t, file_type, sysadmfile, home_type, user_home_type;
-
-allow chroot_mount_domain { $2_rw_t $2_ro_t }:dir { getattr search mounton };
-allow chroot_mount_domain { $2_rw_t $2_ro_t }:file { getattr mounton };
-
-# entry point for $2_super_t
-type $2_super_entry_t, file_type, sysadmfile, home_type, user_home_type;
-# $2_t is the base domain, has full access to $2_rw_t files
-type $2_t, domain;
-# $2_super_t is the super-chroot domain, can also write to $2_ro_t
-# but still can not access outside the chroot
-type $2_super_t, domain;
-allow $2_super_t chroot_tty_device:chr_file rw_file_perms;
-
-ifdef(`$1_chroot_def', `', `
-dnl can not have this defined twice
-define(`$1_chroot_def')
-
-allow chroot_mount_domain { proc_t device_t fs_t }:filesystem { mount unmount };
-
-# $1_chroot_t is the domain for /usr/sbin/chroot
-type $1_chroot_t, domain;
-
-# allow $1_chroot_t to write to the tty device
-allow $1_chroot_t chroot_tty_device:chr_file rw_file_perms;
-allow $1_chroot_t chroot_fd_use:fd use;
-allow { $1_chroot_t $2_t $2_super_t } $1_t:fd use;
-
-role chroot_role types $1_chroot_t;
-uses_shlib($1_chroot_t)
-allow $1_chroot_t self:capability sys_chroot;
-allow $1_t $1_chroot_t:dir { search getattr read };
-allow $1_t $1_chroot_t:{ file lnk_file } { read getattr };
-domain_auto_trans($1_t, chroot_exec_t, $1_chroot_t)
-allow $1_chroot_t fs_t:filesystem getattr;
-')dnl End conditional
-
-role chroot_role types { $2_t $2_super_t };
-
-# allow ps to show processes and allow killing them
-allow $1_t { $2_super_t $2_t }:dir { search getattr read };
-allow $1_t { $2_super_t $2_t }:{ file lnk_file } { read getattr };
-allow $1_t { $2_super_t $2_t }:process signal_perms;
-allow $2_super_t $2_t:dir { search getattr read };
-allow $2_super_t $2_t:{ file lnk_file } { read getattr };
-allow { $1_t $2_super_t } $2_t:process { signal_perms ptrace };
-allow $1_t $2_super_t:process { signal_perms ptrace };
-allow sysadm_t { $2_super_t $2_t }:process { signal_perms ptrace };
-
-allow { $2_super_t $2_t } { fs_t device_t }:filesystem getattr;
-allow { $2_super_t $2_t } device_t:dir { search getattr };
-allow { $2_super_t $2_t } devtty_t:chr_file rw_file_perms;
-allow { $2_super_t $2_t } random_device_t:chr_file r_file_perms;
-allow { $2_super_t $2_t } self:capability { fowner chown fsetid setgid setuid net_bind_service sys_tty_config };
-allow $2_super_t self:capability sys_ptrace;
-
-can_tcp_connect($2_super_t, $2_t)
-allow { $2_super_t $2_t } $2_rw_t:sock_file create_file_perms;
-
-# quiet ps and killall
-dontaudit { $2_super_t $2_t } domain:dir { search getattr };
-
-# allow $2_t to write to the owner tty device (should remove this)
-allow $2_t chroot_tty_device:chr_file { read write };
-
-r_dir_file($1_chroot_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-can_exec($2_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-can_exec($2_super_t, { $2_ro_t $2_super_entry_t })
-create_dir_notdevfile($2_super_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-# $2_super_t transitions to $2_t when it executes
-# any file that $2_t can write
-domain_auto_trans($2_super_t, { $2_rw_t $2_dropdown_t }, $2_t)
-allow $1_chroot_t { $2_ro_t $2_rw_t }:lnk_file read;
-r_dir_file($2_t, { $2_ro_t $2_super_entry_t $2_dropdown_t })
-create_dir_notdevfile($2_t, $2_rw_t)
-allow $2_t $2_rw_t:fifo_file create_file_perms;
-allow $2_t $2_ro_t:fifo_file rw_file_perms;
-allow { $1_t $2_super_t } { $2_rw_t $2_ro_t }:fifo_file create_file_perms;
-create_dir_notdevfile($1_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-can_exec($1_t, { $2_ro_t $2_dropdown_t })
-domain_auto_trans($1_chroot_t, { $2_ro_t $2_rw_t $2_dropdown_t }, $2_t)
-domain_auto_trans($1_chroot_t, $2_super_entry_t, $2_super_t)
-allow { $1_t $2_super_t } { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }:{ dir notdevfile_class_set } { relabelfrom relabelto };
-general_proc_read_access({ $2_t $2_super_t })
-general_domain_access({ $2_t $2_super_t })
-can_create_pty($2)
-can_create_pty($2_super)
-can_network({ $2_t $2_super_t })
-allow { $2_t $2_super_t } port_type:tcp_socket name_connect;
-allow { $2_t $2_super_t } null_device_t:chr_file rw_file_perms;
-allow $2_super_t { $2_rw_t $2_ro_t }:{ dir file } mounton;
-allow { $2_t $2_super_t } self:capability { dac_override kill };
-
-undefine(`chroot_role')
-undefine(`chroot_tty_device')
-undefine(`chroot_mount_domain')
-undefine(`chroot_fd_use')
-')
diff --git a/strict/macros/program/clamav_macros.te b/strict/macros/program/clamav_macros.te
deleted file mode 100644
index bc15930..0000000
--- a/strict/macros/program/clamav_macros.te
+++ /dev/null
@@ -1,58 +0,0 @@
-#
-# Macros for clamscan
-#
-# Author:  Brian May <bam@snoopy.apana.org.au>
-#
-
-#
-# can_clamd_connect(domain_prefix)
-#
-# Define a domain that can access clamd
-#
-define(`can_clamd_connect',`
-allow $1_t clamd_var_run_t:dir search;
-allow $1_t clamd_var_run_t:sock_file write;
-allow $1_t clamd_sock_t:sock_file write;
-can_unix_connect($1_t, clamd_t)
-')
-
-# clamscan_domain(domain_prefix)
-#
-# Define a derived domain for the clamscan program when executed
-#
-define(`clamscan_domain', `
-# Derived domain based on the calling user domain and the program.
-type $1_clamscan_t, domain, privlog;
-
-# Uses shared librarys
-uses_shlib($1_clamscan_t)
-allow $1_clamscan_t fs_t:filesystem getattr;
-r_dir_file($1_clamscan_t, etc_t)
-read_locale($1_clamscan_t)
-
-# Access virus signatures
-allow $1_clamscan_t var_lib_t:dir search;
-r_dir_file($1_clamscan_t, clamav_var_lib_t)
-
-# Allow temp files
-tmp_domain($1_clamscan)
-
-# Why is this required?
-allow $1_clamscan_t proc_t:dir r_dir_perms;
-allow $1_clamscan_t proc_t:file r_file_perms;
-read_sysctl($1_clamscan_t)
-allow $1_clamscan_t self:unix_stream_socket { connect create read write };
-')
-
-define(`user_clamscan_domain',`
-clamscan_domain($1)
-role $1_r types $1_clamscan_t;
-domain_auto_trans($1_t, clamscan_exec_t, $1_clamscan_t)
-access_terminal($1_clamscan_t, $1)
-r_dir_file($1_clamscan_t,$1_home_t);
-r_dir_file($1_clamscan_t,$1_home_dir_t);
-allow $1_clamscan_t $1_home_t:file r_file_perms;
-allow $1_clamscan_t privfd:fd use;
-ifdef(`gnome-pty-helper.te', `allow $1_clamscan_t $1_gph_t:fd use;')
-')
-
diff --git a/strict/macros/program/crond_macros.te b/strict/macros/program/crond_macros.te
deleted file mode 100644
index 5e61d7d..0000000
--- a/strict/macros/program/crond_macros.te
+++ /dev/null
@@ -1,126 +0,0 @@
-#
-# Macros for crond domains.
-#
-
-#
-# Authors:  Jonathan Crowley (MITRE) <jonathan@mitre.org>,
-#	    Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
-#           Russell Coker <rcoker@redhat.com>
-#
-
-#
-# crond_domain(domain_prefix)
-#
-# Define a derived domain for cron jobs executed by crond on behalf 
-# of a user domain.  These domains are separate from the top-level domain
-# defined for the crond daemon and the domain defined for system cron jobs,
-# which are specified in domains/program/crond.te.
-#
-undefine(`crond_domain')
-define(`crond_domain',`
-# Derived domain for user cron jobs, user user_crond_domain if not system
-ifelse(`system', `$1', `
-type $1_crond_t, domain, privlog, privmail, nscd_client_domain;
-', `
-type $1_crond_t, domain, user_crond_domain;
-
-# Access user files and dirs.
-allow $1_crond_t home_root_t:dir search;
-file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)
-
-# Run scripts in user home directory and access shared libs.
-can_exec($1_crond_t, $1_home_t)
-
-file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t)
-')
-r_dir_file($1_crond_t, selinux_config_t)
-
-# Type of user crontabs once moved to cron spool.
-type $1_cron_spool_t, file_type, sysadmfile;
-
-ifdef(`fcron.te', `
-allow crond_t $1_cron_spool_t:file create_file_perms;
-')
-
-allow $1_crond_t urandom_device_t:chr_file { getattr read };
-
-allow $1_crond_t usr_t:file { getattr ioctl read };
-allow $1_crond_t usr_t:lnk_file read;
-
-# Permit a transition from the crond_t domain to this domain.
-# The transition is requested explicitly by the modified crond 
-# via execve_secure.  There is no way to set up an automatic
-# transition, since crontabs are configuration files, not executables.
-domain_trans(crond_t, shell_exec_t, $1_crond_t)
-
-ifdef(`mta.te', `
-domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
-allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };
-
-# $1_mail_t should only be reading from the cron fifo not needing to write
-dontaudit $1_mail_t crond_t:fifo_file write;
-allow mta_user_agent $1_crond_t:fd use;
-')
-
-# The user role is authorized for this domain.
-role $1_r types $1_crond_t;
-
-# This domain is granted permissions common to most domains.
-can_network($1_crond_t)
-allow $1_crond_t port_type:tcp_socket name_connect;
-can_ypbind($1_crond_t)
-r_dir_file($1_crond_t, self)
-allow $1_crond_t self:fifo_file rw_file_perms;
-allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_crond_t self:unix_dgram_socket create_socket_perms;
-allow $1_crond_t etc_runtime_t:file { getattr read };
-allow $1_crond_t self:process { fork signal_perms setsched };
-allow $1_crond_t proc_t:dir r_dir_perms;
-allow $1_crond_t proc_t:file { getattr read ioctl };
-read_locale($1_crond_t)
-read_sysctl($1_crond_t)
-allow $1_crond_t var_spool_t:dir search;
-allow $1_crond_t fs_type:filesystem getattr;
-
-allow $1_crond_t devtty_t:chr_file { read write };
-allow $1_crond_t var_t:dir r_dir_perms;
-allow $1_crond_t var_t:file { getattr read ioctl };
-allow $1_crond_t var_log_t:dir search;
-
-# Use capabilities.
-allow $1_crond_t self:capability dac_override;
-
-# Inherit and use descriptors from initrc - I think this is wrong
-#allow $1_crond_t initrc_t:fd use;
-
-# 
-# Since crontab files are not directly executed,
-# crond must ensure that the crontab file has
-# a type that is appropriate for the domain of
-# the user cron job.  It performs an entrypoint
-# permission check for this purpose.
-#
-allow $1_crond_t $1_cron_spool_t:file entrypoint;
-
-# Run helper programs.
-can_exec_any($1_crond_t)
-
-# ps does not need to access /boot when run from cron
-dontaudit $1_crond_t boot_t:dir search;
-# quiet other ps operations
-dontaudit $1_crond_t domain:dir { getattr search };
-# for nscd
-dontaudit $1_crond_t var_run_t:dir search;
-')
-
-# When system_crond_t domain executes a type $1 executable then transition to
-# domain $2, allow $2 to interact with crond_t as well.
-define(`system_crond_entry', `
-ifdef(`crond.te', `
-domain_auto_trans(system_crond_t, $1, $2)
-allow $2 crond_t:fifo_file { getattr read write ioctl };
-# a rule for privfd may make this obsolete
-allow $2 crond_t:fd use;
-allow $2 crond_t:process sigchld;
-')dnl end ifdef
-')dnl end system_crond_entry
diff --git a/strict/macros/program/crontab_macros.te b/strict/macros/program/crontab_macros.te
deleted file mode 100644
index 50d5ee5..0000000
--- a/strict/macros/program/crontab_macros.te
+++ /dev/null
@@ -1,102 +0,0 @@
-#
-# Macros for crontab domains.
-#
-
-#
-# Authors:  Jonathan Crowley (MITRE) <jonathan@mitre.org>
-# Revised by Stephen Smalley <sds@epoch.ncsc.mil>
-#
-
-#
-# crontab_domain(domain_prefix)
-#
-# Define a derived domain for the crontab program when executed by
-# a user domain.  
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/crontab.te. 
-#
-undefine(`crontab_domain')
-define(`crontab_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_crontab_t, domain, privlog;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t)
-
-can_ps($1_t, $1_crontab_t)
-
-# for ^Z
-allow $1_t $1_crontab_t:process signal;
-
-# The user role is authorized for this domain.
-role $1_r types $1_crontab_t;
-
-uses_shlib($1_crontab_t)
-allow $1_crontab_t etc_t:file { getattr read };
-allow $1_crontab_t self:unix_stream_socket create_socket_perms;
-allow $1_crontab_t self:unix_dgram_socket create_socket_perms;
-read_locale($1_crontab_t)
-
-# Use capabilities dac_override is to create the file in the directory
-# under /tmp
-allow $1_crontab_t $1_crontab_t:capability { setuid setgid chown dac_override };
-
-# Type for temporary files.
-file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
-
-# Use the type when creating files in /var/spool/cron.
-allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };
-allow $1_crontab_t { var_t var_spool_t }:dir { getattr search };
-file_type_auto_trans($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
-allow $1_crontab_t self:process { fork signal_perms };
-ifdef(`fcron.te', `
-# fcron wants an instant update of a crontab change for the administrator
-# also crontab does a security check for crontab -u
-ifelse(`$1', `sysadm', `
-allow $1_crontab_t crond_t:process signal;
-can_setfscreate($1_crontab_t)
-', `
-dontaudit $1_crontab_t crond_t:process signal;
-')dnl end ifelse
-')dnl end ifdef fcron
-
-# for the checks used by crontab -u
-dontaudit $1_crontab_t security_t:dir search;
-allow $1_crontab_t proc_t:dir search;
-allow $1_crontab_t proc_t:{ file lnk_file } { getattr read };
-allow $1_crontab_t selinux_config_t:dir search;
-allow $1_crontab_t selinux_config_t:file { getattr read };
-dontaudit $1_crontab_t self:dir search;
-
-# crontab signals crond by updating the mtime on the spooldir
-allow $1_crontab_t cron_spool_t:dir setattr;
-# Allow crond to read those crontabs in cron spool.
-allow crond_t $1_cron_spool_t:file r_file_perms;
-
-# Run helper programs as $1_t
-allow $1_crontab_t { bin_t sbin_t }:dir search;
-allow $1_crontab_t bin_t:lnk_file read;
-domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t)
-
-# Read user crontabs 
-allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;  
-allow $1_crontab_t $1_home_t:file r_file_perms;  
-dontaudit $1_crontab_t $1_home_dir_t:dir write;
-
-# Access the cron log file.
-allow $1_crontab_t crond_log_t:file r_file_perms;
-allow $1_crontab_t crond_log_t:file append;
-
-# Access terminals.
-allow $1_crontab_t device_t:dir search;
-access_terminal($1_crontab_t, $1);
-
-allow $1_crontab_t fs_t:filesystem getattr;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
-allow $1_crontab_t privfd:fd use;
-
-dontaudit $1_crontab_t var_run_t:dir search;
-')
diff --git a/strict/macros/program/daemontools_macros.te b/strict/macros/program/daemontools_macros.te
deleted file mode 100644
index 94c4f8e..0000000
--- a/strict/macros/program/daemontools_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-ifdef(`daemontools.te', `
-
-define(`svc_ipc_domain',`
-allow $1 svc_start_t:process sigchld;
-allow $1 svc_start_t:fd use;
-allow $1 svc_start_t:fifo_file { read write getattr };
-allow svc_start_t $1:process signal; 
-')
-
-') dnl ifdef daemontools
-
diff --git a/strict/macros/program/dbusd_macros.te b/strict/macros/program/dbusd_macros.te
deleted file mode 100644
index 600ac41..0000000
--- a/strict/macros/program/dbusd_macros.te
+++ /dev/null
@@ -1,91 +0,0 @@
-#
-# Macros for Dbus
-#
-# Author: Colin Walters <walters@redhat.com>
-
-# dbusd_domain(domain_prefix)
-#
-# Define a derived domain for the DBus daemon.
-
-define(`dbusd_domain', `
-ifelse(`system', `$1',`
-daemon_domain(system_dbusd, `, userspace_objmgr, nscd_client_domain', `nosysadm')
-# For backwards compatibility
-typealias system_dbusd_t alias dbusd_t;
-type etc_dbusd_t, file_type, sysadmfile;
-',`
-type $1_dbusd_t, domain, privlog, nscd_client_domain, userspace_objmgr;
-role $1_r types $1_dbusd_t;
-domain_auto_trans($1_t, system_dbusd_exec_t, $1_dbusd_t)
-read_locale($1_dbusd_t)
-allow $1_t $1_dbusd_t:process { sigkill signal };
-allow $1_dbusd_t self:process { sigkill signal };
-dontaudit $1_dbusd_t var_t:dir { getattr search };
-')dnl end ifelse system
-
-base_file_read_access($1_dbusd_t)
-uses_shlib($1_dbusd_t)
-allow $1_dbusd_t etc_t:file { getattr read };
-r_dir_file($1_dbusd_t, etc_dbusd_t)
-tmp_domain($1_dbusd) 
-allow $1_dbusd_t self:process fork;
-ifdef(`xdm.te', `
-can_pipe_xdm($1_dbusd_t)
-')
-
-allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
-
-allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
-allow $1_dbusd_t self:file { getattr read write };
-allow $1_dbusd_t proc_t:file read;
-
-can_getsecurity($1_dbusd_t)
-r_dir_file($1_dbusd_t, default_context_t)
-allow system_dbusd_t self:netlink_selinux_socket create_socket_perms;
-
-ifdef(`pamconsole.te', `
-r_dir_file($1_dbusd_t, pam_var_console_t)
-')
-
-allow $1_dbusd_t self:dbus { send_msg acquire_svc };
-
-')dnl end dbusd_domain definition
-
-# dbusd_client(dbus_type, domain_prefix)
-# Example: dbusd_client_domain(system, user)
-#
-# Define a new derived domain for connecting to dbus_type
-# from domain_prefix_t. 
-undefine(`dbusd_client')
-define(`dbusd_client',`
-
-ifdef(`dbusd.te',`
-# Derived type used for connection
-type $2_dbusd_$1_t;
-type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t;
-
-# SE-DBus specific permissions
-allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
-
-# For connecting to the bus
-allow $2_t $1_dbusd_t:unix_stream_socket connectto;
-
-') dnl endif dbusd.te
-ifelse(`system', `$1', `
-allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search;
-allow { $2_t } system_dbusd_var_run_t:sock_file write;
-',`') dnl endif system
-')
-
-# can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b)
-# Example: can_dbusd_converse(system, hald, updfstab)
-# Example: can_dbusd_converse(session, user, user)
-define(`can_dbusd_converse',`')
-ifdef(`dbusd.te',`
-undefine(`can_dbusd_converse')
-define(`can_dbusd_converse',`
-allow $2_dbusd_$1_t $3_dbusd_$1_t:dbus { send_msg };
-allow $3_dbusd_$1_t $2_dbusd_$1_t:dbus { send_msg };
-') dnl endif dbusd.te
-')
diff --git a/strict/macros/program/ethereal_macros.te b/strict/macros/program/ethereal_macros.te
deleted file mode 100644
index 36f1a96..0000000
--- a/strict/macros/program/ethereal_macros.te
+++ /dev/null
@@ -1,82 +0,0 @@
-# DESC - Ethereal  
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-#############################################################
-# ethereal_networking(app_prefix) - 
-#	restricted ethereal rules (sysadm only)
-#                               
-
-define(`ethereal_networking', `
-
-# Create various types of sockets
-allow $1_t self:netlink_route_socket create_netlink_socket_perms;
-allow $1_t self:udp_socket create_socket_perms;
-allow $1_t self:packet_socket create_socket_perms;
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_t self:tcp_socket create_socket_perms;
-
-allow $1_t self:capability { dac_override dac_read_search net_raw setgid setuid };
-
-# Resolve names via DNS
-can_resolve($1_t)
-
-') dnl ethereal_networking
-
-########################################################
-# Ethereal (GNOME) 
-#
-
-define(`ethereal_domain', `
-
-# Type for program
-type $1_ethereal_t, domain, nscd_client_domain;
-
-# Transition from sysadm type
-domain_auto_trans($1_t, ethereal_exec_t, $1_ethereal_t)
-role $1_r types $1_ethereal_t;
-
-# Manual transition from userhelper 
-ifdef(`userhelper.te', `
-allow userhelperdomain $1_ethereal_t:process { transition siginh rlimitinh noatsecure };
-allow $1_ethereal_t userhelperdomain:fd use;
-allow $1_ethereal_t userhelperdomain:process sigchld;
-') dnl userhelper
-
-# X, GNOME
-x_client_domain($1_ethereal, $1)
-gnome_application($1_ethereal, $1)
-gnome_file_dialog($1_ethereal, $1)
-
-# Why does it write this?
-ifdef(`snmpd.te', `
-dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
-')
-
-# /home/.ethereal
-home_domain($1, ethereal)
-file_type_auto_trans($1_ethereal_t, $1_home_dir_t, $1_ethereal_home_t, dir)
-
-# Enable restricted networking rules for sysadm - this is shared w/ tethereal
-ifelse($1, `sysadm', `
-ethereal_networking($1_ethereal) 
-
-# Ethereal tries to write to user terminal
-dontaudit sysadm_ethereal_t user_tty_type:chr_file { read write };
-dontaudit sysadm_ethereal_t unpriv_userdomain:fd use;
-', `')
-
-# Store temporary files
-tmp_domain($1_ethereal)
-
-# Re-execute itself (why?)
-can_exec($1_ethereal_t, ethereal_exec_t)
-allow $1_ethereal_t sbin_t:dir search;
-
-# Supress .local denials until properly implemented
-dontaudit $1_ethereal_t $1_home_t:dir search;
-
-# FIXME: policy is incomplete
-
-') dnl ethereal_domain 
diff --git a/strict/macros/program/evolution_macros.te b/strict/macros/program/evolution_macros.te
deleted file mode 100644
index 37fc087..0000000
--- a/strict/macros/program/evolution_macros.te
+++ /dev/null
@@ -1,234 +0,0 @@
-#
-# Evolution   
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-################################################
-# evolution_common(app_prefix,role_prefix)
-# 
-define(`evolution_common', `
-
-# Gnome common stuff
-gnome_application($1, $2)
-
-# Stat root
-allow $1_t root_t:dir search;
-
-# Access null device 
-allow $1_t null_device_t:chr_file rw_file_perms;
-
-# FIXME: suppress access to .local/.icons/.themes until properly implemented
-dontaudit $1_t $2_home_t:dir r_dir_perms;
-
-# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-# until properly implemented
-dontaudit $1_t $2_home_t:file r_file_perms;
-
-') dnl evolution_common
-
-#######################################
-# evolution_data_server(role_prefix) 
-#
-
-define(`evolution_data_server', `
-
-# Type for daemon
-type $1_evolution_server_t, domain, nscd_client_domain;
-
-# Transition from user type
-if (! disable_evolution_trans) {
-domain_auto_trans($1_t, evolution_server_exec_t, $1_evolution_server_t)
-}
-role $1_r types $1_evolution_server_t;
-
-# Evolution common stuff
-evolution_common($1_evolution_server, $1)
-
-# Access evolution home
-home_domain_access($1_evolution_server_t, $1, evolution)
-
-# Talks to exchange
-bonobo_connect($1_evolution_server, $1_evolution_exchange)
-
-can_exec($1_evolution_server_t, shell_exec_t)
-
-# Obtain weather data via http (read server name from xml file in /usr)
-allow $1_evolution_server_t usr_t:file r_file_perms;
-can_resolve($1_evolution_server_t)
-can_network_client_tcp($1_evolution_server_t, { http_port_t http_cache_port_t } )
-allow $1_evolution_server_t { http_cache_port_t http_port_t }:tcp_socket name_connect;
-
-# Talk to ldap (address book)
-can_network_client_tcp($1_evolution_server_t, ldap_port_t)
-allow $1_evolution_server_t ldap_port_t:tcp_socket name_connect;
-
-# Look in /etc/pki
-r_dir_file($1_evolution_server_t, cert_t)
-
-') dnl evolution_data_server
-
-#######################################
-# evolution_webcal(role_prefix)
-#
-
-define(`evolution_webcal', `
-
-# Type for program
-type $1_evolution_webcal_t, domain, nscd_client_domain;
-
-# Transition from user type
-domain_auto_trans($1_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
-role $1_r types $1_evolution_webcal_t;
-
-# X/evolution common stuff
-x_client_domain($1_evolution_webcal, $1)
-evolution_common($1_evolution_webcal, $1)
-
-# Search home directory (?)
-allow $1_evolution_webcal_t $1_home_dir_t:dir search;
-
-# Networking capability - connect to website and handle ics link
-# FIXME: is this necessary ?
-can_resolve($1_evolution_webcal_t);
-can_network_client_tcp($1_evolution_webcal_t, { http_port_t http_cache_port_t } )
-allow $1_evolution_webcal_t { http_cache_port_t http_port_t } :tcp_socket name_connect;
-  
-') dnl evolution_webcal
-
-#######################################
-# evolution_alarm(role_prefix)
-#
-define(`evolution_alarm', `
-
-# Type for program
-type $1_evolution_alarm_t, domain, nscd_client_domain;
-
-# Transition from user type
-domain_auto_trans($1_t, evolution_alarm_exec_t, $1_evolution_alarm_t)
-role $1_r types $1_evolution_alarm_t;
-
-# Common evolution stuff, X
-evolution_common($1_evolution_alarm, $1)
-x_client_domain($1_evolution_alarm, $1)
-
-# Connect to exchange, e-d-s
-bonobo_connect($1_evolution_alarm, $1_evolution_server) 
-bonobo_connect($1_evolution_alarm, $1_evolution_exchange)
-
-# Access evolution home
-home_domain_access($1_evolution_alarm_t, $1, evolution)
-
-') dnl evolution_alarm
-
-########################################
-# evolution_exchange(role_prefix)
-#
-define(`evolution_exchange', `
-
-# Type for program
-type $1_evolution_exchange_t, domain, nscd_client_domain;
-
-# Transition from user type
-domain_auto_trans($1_t, evolution_exchange_exec_t, $1_evolution_exchange_t)
-role $1_r types $1_evolution_exchange_t;
-
-# Common evolution stuff, X
-evolution_common($1_evolution_exchange, $1)
-x_client_domain($1_evolution_exchange, $1)
-
-# Access evolution home
-home_domain_access($1_evolution_exchange_t, $1, evolution)
-
-# /tmp/.exchange-$USER
-tmp_domain($1_evolution_exchange)
- 
-# Allow netstat
-allow $1_evolution_exchange_t bin_t:dir search; 
-can_exec($1_evolution_exchange_t, bin_t)
-r_dir_file($1_evolution_exchange_t, proc_net_t)
-allow $1_evolution_exchange_t sysctl_net_t:dir search;
-allow $1_evolution_exchange_t self:{ udp_socket tcp_socket } create_socket_perms;
-
-# Clock applet talks to exchange (FIXME: Needs policy)
-bonobo_connect($1, $1_evolution_exchange)
-
-# FIXME: policy incomplete
-
-') dnl evolution_exchange
-
-#######################################
-# evolution_domain(role_prefix)
-#
-
-define(`evolution_domain', `
-
-# Type for program
-type $1_evolution_t, domain, nscd_client_domain, privlog; 
-
-# Transition from user type
-domain_auto_trans($1_t, evolution_exec_t, $1_evolution_t)
-role $1_r types $1_evolution_t;
-
-# X, mail, evolution common stuff 
-x_client_domain($1_evolution, $1)
-mail_client_domain($1_evolution, $1)
-gnome_file_dialog($1_evolution, $1)
-evolution_common($1_evolution, $1)
-
-# Connect to e-d-s, exchange, alarm
-bonobo_connect($1_evolution, $1_evolution_server)
-bonobo_connect($1_evolution, $1_evolution_exchange)
-bonobo_connect($1_evolution, $1_evolution_alarm)
-
-# Access .evolution
-home_domain($1, evolution)
-
-# Store passwords in .gnome2_private
-gnome_private_store($1_evolution, $1) 
-
-# Run various programs
-allow $1_evolution_t { bin_t sbin_t }:dir r_dir_perms;
-allow $1_evolution_t { self bin_t }:lnk_file r_file_perms;
-
-### Junk mail filtering (start spamd)
-ifdef(`spamd.te', `
-# Start the spam daemon
-domain_auto_trans($1_evolution_t, spamd_exec_t, spamd_t)
-role $1_r types spamd_t;
-
-# Write pid file and socket in ~/.evolution/cache/tmp
-file_type_auto_trans(spamd_t, $1_evolution_home_t, spamd_tmp_t, { file sock_file })
-
-# Allow evolution to signal the daemon
-# FIXME: Now evolution can read spamd temp files
-allow $1_evolution_t spamd_tmp_t:file r_file_perms;
-allow $1_evolution_t spamd_t:process signal;
-dontaudit $1_evolution_t spamd_tmp_t:sock_file getattr;
-') dnl spamd.te
-
-### Junk mail filtering (start spamc)
-ifdef(`spamc.te', `
-domain_auto_trans($1_evolution_t, spamc_exec_t, $1_spamc_t)
-
-# Allow connection to spamd socket above
-allow $1_spamc_t $1_evolution_home_t:dir search;
-') dnl spamc.te
-
-### Junk mail filtering (start spamassassin) 
-ifdef(`spamassassin.te', `
-domain_auto_trans($1_evolution_t, spamassassin_exec_t, $1_spamassassin_t)
-') dnl spamassasin.te
-
-') dnl evolution_domain
-
-#################################
-#  evolution_domains(role_prefix) 
-
-define(`evolution_domains', `
-evolution_domain($1)
-evolution_data_server($1)
-evolution_webcal($1)
-evolution_alarm($1)
-evolution_exchange($1)
-') dnl end evolution_domains
diff --git a/strict/macros/program/fingerd_macros.te b/strict/macros/program/fingerd_macros.te
deleted file mode 100644
index fd56ca7..0000000
--- a/strict/macros/program/fingerd_macros.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Macro for fingerd
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#
-# fingerd_macro(domain_prefix)
-#
-# allow fingerd to create a fingerlog file in the user home dir
-#
-define(`fingerd_macro', `
-type $1_home_fingerlog_t, file_type, sysadmfile, $1_file_type;
-file_type_auto_trans(fingerd_t, $1_home_dir_t, $1_home_fingerlog_t)
-')
diff --git a/strict/macros/program/fontconfig_macros.te b/strict/macros/program/fontconfig_macros.te
deleted file mode 100644
index 7f4a56d..0000000
--- a/strict/macros/program/fontconfig_macros.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#
-# Fontconfig related types 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# fontconfig_domain(role_prefix) - create fontconfig domain
-#
-# read_fonts(domain, role_prefix) - 
-#         allow domain to read fonts, optionally per/user
-#  
-
-define(`fontconfig_domain', `
-
-type $1_fonts_t, file_type, $1_file_type, sysadmfile;
-type $1_fonts_config_t, file_type, $1_file_type, sysadmfile;
-type $1_fonts_cache_t, file_type, $1_file_type, sysadmfile;
-
-create_dir_file($1_t, $1_fonts_t)
-allow $1_t $1_fonts_t:{ dir file } { relabelto relabelfrom };
-
-create_dir_file($1_t, $1_fonts_config_t)
-allow $1_t $1_fonts_config_t:file { relabelto relabelfrom };
-
-# For startup relabel
-allow $1_t $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
-
-') dnl fontconfig_domain
-
-####################
-
-define(`read_fonts', `
-
-# Read global fonts and font config
-r_dir_file($1, fonts_t)
-r_dir_file($1, etc_t)
-
-ifelse(`$2', `', `', `
-
-# Manipulate the global font cache
-create_dir_file($1, $2_fonts_cache_t)
-
-# Read per user fonts and font config
-r_dir_file($1, $2_fonts_t)
-r_dir_file($1, $2_fonts_config_t)
-
-# There are some fonts in .gnome2
-ifdef(`gnome.te', `
-allow $1 $2_gnome_settings_t:dir { getattr search };
-')
-
-') dnl ifelse
-') dnl read_fonts
diff --git a/strict/macros/program/games_domain.te b/strict/macros/program/games_domain.te
deleted file mode 100644
index d4c1d05..0000000
--- a/strict/macros/program/games_domain.te
+++ /dev/null
@@ -1,89 +0,0 @@
-#DESC games
-#
-# Macros for games
-#
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com> 
-#
-#
-# games_domain(domain_prefix)
-#
-#
-define(`games_domain', `
-
-type $1_games_t, domain, nscd_client_domain;
-
-# Type transition
-if (! disable_games_trans) {
-domain_auto_trans($1_t, games_exec_t, $1_games_t)
-}
-can_exec($1_games_t, games_exec_t)
-role $1_r types $1_games_t;
-
-can_create_pty($1_games)
-
-# X access, GNOME, /tmp files
-x_client_domain($1_games, $1)
-tmp_domain($1_games, `', { dir notdevfile_class_set })
-gnome_application($1_games, $1)
-gnome_file_dialog($1_games, $1)
-
-# Games seem to need this
-if (allow_execmem) {
-allow $1_games_t self:process execmem;
-}
-
-allow $1_games_t texrel_shlib_t:file execmod;
-allow $1_games_t var_t:dir { search getattr };
-rw_dir_create_file($1_games_t, games_data_t)
-allow $1_games_t sound_device_t:chr_file rw_file_perms;
-can_udp_send($1_games_t, $1_games_t)
-can_tcp_connect($1_games_t, $1_games_t)
-
-# Access /home/user/.gnome2
-# FIXME: Change to use per app types
-create_dir_file($1_games_t, $1_gnome_settings_t)
-
-# FIXME: why is this necessary - ORBit?
-# ORBit works differently now
-create_dir_file($1_games_t, $1_tmp_t)
-allow $1_games_t $1_tmp_t:sock_file create_file_perms;
-can_unix_connect($1_t, $1_games_t)
-can_unix_connect($1_games_t, $1_t)
-
-ifdef(`xdm.te', `
-allow $1_games_t xdm_tmp_t:dir rw_dir_perms;
-allow $1_games_t xdm_tmp_t:sock_file create_file_perms;
-allow $1_games_t xdm_var_lib_t:file { getattr read };
-')dnl end if xdm.te
-
-allow $1_games_t var_lib_t:dir search;
-r_dir_file($1_games_t, man_t)
-allow $1_games_t { proc_t self }:dir search;
-allow $1_games_t { proc_t self }:{ file lnk_file } { read getattr };
-ifdef(`mozilla.te', ` 
-dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
-')
-allow $1_games_t event_device_t:chr_file getattr;
-allow $1_games_t mouse_device_t:chr_file getattr;
-
-allow $1_games_t self:file { getattr read };
-allow $1_games_t self:sem create_sem_perms;
-
-allow $1_games_t { bin_t sbin_t }:dir { getattr search };
-can_exec($1_games_t, { shell_exec_t bin_t utempter_exec_t })
-allow $1_games_t bin_t:lnk_file read;
-
-dontaudit $1_games_t var_run_t:dir search;
-dontaudit $1_games_t initrc_var_run_t:file { read write };
-dontaudit $1_games_t var_log_t:dir search;
-
-can_network($1_games_t)
-allow $1_games_t port_t:tcp_socket name_bind;
-allow $1_games_t port_t:tcp_socket name_connect;
-
-# Suppress .icons denial until properly implemented
-dontaudit $1_games_t $1_home_t:dir read;
-
-')dnl end macro definition
-
diff --git a/strict/macros/program/gconf_macros.te b/strict/macros/program/gconf_macros.te
deleted file mode 100644
index 5f34ea7..0000000
--- a/strict/macros/program/gconf_macros.te
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# GConfd daemon  
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-#######################################
-# gconfd_domain(role_prefix)
-#
-
-define(`gconfd_domain', `
-
-# Type for daemon
-type $1_gconfd_t, domain, nscd_client_domain, privlog;
-
-gnome_application($1_gconfd, $1)
-
-# Transition from user type
-domain_auto_trans($1_t, gconfd_exec_t, $1_gconfd_t)
-role $1_r types $1_gconfd_t;
-
-allow $1_gconfd_t self:process { signal getsched };
-
-# Access .gconfd and .gconf
-home_domain($1, gconfd)
-file_type_auto_trans($1_gconfd_t, $1_home_dir_t, $1_gconfd_home_t, dir)
-
-# Access /etc/gconf
-r_dir_file($1_gconfd_t, gconf_etc_t)
-
-# /tmp/gconfd-USER
-tmp_domain($1_gconfd)
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_gconfd_t)
-allow xdm_t $1_gconfd_t:process signal;
-')
-
-') dnl gconf_domain
-
-#####################################
-# gconf_client(prefix, role_prefix)
-#
-
-define(`gconf_client', `
-
-# Launch the daemon if necessary
-domain_auto_trans($1_t, gconfd_exec_t, $2_gconfd_t)
-
-# Connect over bonobo
-bonobo_connect($1, $2_gconfd)
-
-# Read lock/ior
-allow $1_t $2_gconfd_tmp_t:dir { getattr search };
-allow $1_t $2_gconfd_tmp_t:file { getattr read }; 
-
-') dnl gconf_client 
diff --git a/strict/macros/program/gift_macros.te b/strict/macros/program/gift_macros.te
deleted file mode 100644
index c75a061..0000000
--- a/strict/macros/program/gift_macros.te
+++ /dev/null
@@ -1,106 +0,0 @@
-#
-# Macros for giFT
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# gift_domains(domain_prefix)
-# declares a domain for giftui and giftd
-
-#########################
-#  gift_domain(user)    #
-#########################
-
-define(`gift_domain', `
-
-# Type transition
-type $1_gift_t, domain, nscd_client_domain;
-domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
-role $1_r types $1_gift_t;
-
-# X access, Home files, GNOME, /tmp
-x_client_domain($1_gift, $1)
-gnome_application($1_gift, $1)
-home_domain($1, gift)
-file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_gift_t)
-allow $1_t $1_gift_t:process signal_perms;
-
-# Launch gift daemon
-allow $1_gift_t bin_t:dir search;
-domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)
-
-# Connect to gift daemon
-can_network_client_tcp($1_gift_t, giftd_port_t)
-allow $1_gift_t giftd_port_t:tcp_socket name_connect;
-
-# Read /proc/meminfo
-allow $1_gift_t proc_t:dir search;
-allow $1_gift_t proc_t:file { getattr read };
-
-# giftui looks in .icons, .themes.
-dontaudit $1_gift_t $1_home_t:dir { getattr read search };
-dontaudit $1_gift_t $1_home_t:file { getattr read };
-
-') dnl gift_domain
-
-##########################
-#  giftd_domain(user)    #
-##########################
-
-define(`giftd_domain', `
-
-type $1_giftd_t, domain;
-
-# Transition from user type
-domain_auto_trans($1_t, giftd_exec_t, $1_giftd_t)
-role $1_r types $1_giftd_t;
-
-# Self permissions, allow fork
-allow $1_giftd_t self:process { fork signal sigchld setsched };
-allow $1_giftd_t self:unix_stream_socket create_socket_perms;
-
-read_sysctl($1_giftd_t)
-read_locale($1_giftd_t)
-uses_shlib($1_giftd_t)
-access_terminal($1_giftd_t, $1)
-
-# Read /proc/meminfo
-allow $1_giftd_t proc_t:dir search;
-allow $1_giftd_t proc_t:file { getattr read };
-
-# Read /etc/mtab
-allow $1_giftd_t etc_runtime_t:file { getattr read };
-
-# Access home domain
-home_domain_access($1_giftd_t, $1, gift)
-file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)
-
-# Serve content on various p2p networks. Ports can be random.
-can_network_server($1_giftd_t)
-allow $1_giftd_t self:udp_socket listen;
-allow $1_giftd_t port_type:{ tcp_socket udp_socket } name_bind;
-
-# Connect to various p2p networks. Ports can be random.
-can_network_client($1_giftd_t)
-allow $1_giftd_t port_type:tcp_socket name_connect;
-
-# Plugins
-r_dir_file($1_giftd_t, usr_t)
-
-# Connect to xdm
-ifdef(`xdm.te', `
-can_pipe_xdm($1_giftd_t)
-') 
-
-') dnl giftd_domain
-
-##########################
-#  gift_domains(user)    #
-##########################
-
-define(`gift_domains', `
-gift_domain($1)
-giftd_domain($1)
-') dnl gift_domains
diff --git a/strict/macros/program/gnome_macros.te b/strict/macros/program/gnome_macros.te
deleted file mode 100644
index 5d31af5..0000000
--- a/strict/macros/program/gnome_macros.te
+++ /dev/null
@@ -1,115 +0,0 @@
-#
-# GNOME related types 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# gnome_domain(role_prefix) - create GNOME domain (run for each role)
-# gnome_application(app_prefix, role_prefix) - common stuff for gnome apps
-# gnome_file_dialog(role_prefix) - gnome file dialog rules
-# gnome_private_store(app_prefix, role_prefix) - store private files in .gnome2_private
-
-define(`gnome_domain', `
-
-# Types for .gnome2 and .gnome2_private.
-# For backwards compatibility, allow unrestricted
-# access from ROLE_t. However, content inside
-# *should* be labeled per application eventually.
-# For .gnome2_private, use the private_store macro below. 
-
-type $1_gnome_settings_t, file_type, $1_file_type, sysadmfile;
-create_dir_file($1_t, $1_gnome_settings_t)
-allow $1_t $1_gnome_settings_t:{ dir file } { relabelfrom relabelto };
-
-type $1_gnome_secret_t, file_type, $1_file_type, sysadmfile;
-create_dir_file($1_t, $1_gnome_secret_t)
-allow $1_t $1_gnome_secret_t:{ dir file } { relabelfrom relabelto };
-
-# GConf domain
-gconfd_domain($1)
-gconf_client($1, $1)
-
-# Bonobo-activation-server
-bonobo_domain($1)
-bonobo_client($1, $1)
-
-# GNOME vfs daemon
-gnome_vfs_domain($1)
-gnome_vfs_client($1, $1)
-
-# ICE is necessary for session management
-ice_domain($1, $1)
-
-')
-
-#################################
-
-define(`gnome_application', `
-
-# If launched from a terminal
-access_terminal($1_t, $2)
-
-# Forking is generally okay
-allow $1_t self:process { sigchld sigkill signal setrlimit getsched setsched fork };
-allow $1_t self:fifo_file rw_file_perms;
-
-# Shlib, locale, sysctl, proc
-uses_shlib($1_t)
-read_locale($1_t)
-read_sysctl($1_t)
-
-allow $1_t { self proc_t }:dir { search read getattr };
-allow $1_t { self proc_t }:{ file lnk_file } { read getattr };
-
-# Most gnome apps use bonobo
-bonobo_client($1, $2)
-
-# Within-process bonobo-activation of components
-bonobo_connect($1, $1)
-
-# Session management happens over ICE
-# FIXME: More specific context is needed for gnome-session
-ice_connect($1, $2)
-
-# Most talk to GConf
-gconf_client($1, $2)
-
-# Allow getattr/read/search of .gnome2 and .gnome2_private
-# Reading files should *not* be allowed - instead, more specific
-# types should be created to handle such requests
-allow $1_t { $2_gnome_settings_t $2_gnome_secret_t }:dir r_dir_perms;
-
-# Access /etc/mtab, /etc/nsswitch.conf
-allow $1_t etc_t:file { read getattr };
-allow $1_t etc_runtime_t:file { read getattr };
-
-# Themes, gtkrc
-allow $1_t usr_t:{ file lnk_file } r_file_perms;
-
-') dnl gnome_application
-
-################################
-
-define(`gnome_file_dialog', `
-
-# GNOME Open/Save As dialogs 
-dontaudit_getattr($1_t)
-dontaudit_search_dir($1_t)
-
-# Bonobo connection to gnome_vfs daemon
-bonobo_connect($1, $2_gnome_vfs)
- 
-') dnl gnome_file_dialog
-
-################################
-
-define(`gnome_private_store', `
-
-# Type for storing secret data
-# (different from home, not directly accessible from ROLE_t)
-type $1_secret_t, file_type, $2_file_type, sysadmfile;
-
-# Put secret files in .gnome2_private
-file_type_auto_trans($1_t, $2_gnome_secret_t, $1_secret_t, file);
-allow $2_t $1_secret_t:file unlink;
-
-') dnl gnome_private_store
diff --git a/strict/macros/program/gnome_vfs_macros.te b/strict/macros/program/gnome_vfs_macros.te
deleted file mode 100644
index 8ff5c28..0000000
--- a/strict/macros/program/gnome_vfs_macros.te
+++ /dev/null
@@ -1,55 +0,0 @@
-#
-# GNOME VFS daemon  
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-#######################################
-# gnome_vfs_domain(role_prefix)
-#
-
-define(`gnome_vfs_domain', `
-
-# Type for daemon
-type $1_gnome_vfs_t, domain, nscd_client_domain;
-
-# GNOME, dbus
-gnome_application($1_gnome_vfs, $1)
-dbusd_client(system, $1_gnome_vfs)
-allow $1_gnome_vfs_t system_dbusd_t:dbus send_msg;
-ifdef(`hald.te', `
-allow $1_gnome_vfs_t hald_t:dbus send_msg;
-allow hald_t $1_gnome_vfs_t:dbus send_msg;
-')
-
-# Transition from user type
-domain_auto_trans($1_t, gnome_vfs_exec_t, $1_gnome_vfs_t)
-role $1_r types $1_gnome_vfs_t; 
-
-# Stat top level directories on mount_points (check free space?)
-allow $1_gnome_vfs_t { fs_type default_t boot_t home_root_t device_t }:dir getattr;
-
-# Search path to /home (??)
-allow $1_gnome_vfs_t home_root_t:dir search;
-allow $1_gnome_vfs_t $1_home_dir_t:dir search;
-
-# Search path to rpc_pipefs mount point (??)
-allow $1_gnome_vfs_t var_lib_nfs_t:dir search;
-allow $1_gnome_vfs_t var_lib_t:dir search;
-
-# Search libexec (??)
-allow $1_gnome_vfs_t bin_t:dir search;
-can_exec($1_gnome_vfs_t, bin_t)
-
-') dnl gnome_vfs_domain
-
-#####################################
-# gnome_vfs_client(prefix, role_prefix)
-#
-
-define(`gnome_vfs_client', `
-
-# Connect over bonobo
-bonobo_connect($1, $2_gnome_vfs)
-
-') dnl gnome_vfs_client 
diff --git a/strict/macros/program/gpg_agent_macros.te b/strict/macros/program/gpg_agent_macros.te
deleted file mode 100644
index f7ad8b0..0000000
--- a/strict/macros/program/gpg_agent_macros.te
+++ /dev/null
@@ -1,125 +0,0 @@
-#
-# Macros for gpg agent
-#
-# Author: Thomas Bleher <ThomasBleher@gmx.de>
-#
-# 
-# gpg_agent_domain(domain_prefix)
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/gpg-agent.te. 
-#
-define(`gpg_agent_domain',`
-# Define a derived domain for the gpg-agent program when executed
-# by a user domain.
-# Derived domain based on the calling user domain and the program.
-type $1_gpg_agent_t, domain;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_gpg_agent_t;
-
-allow $1_gpg_agent_t privfd:fd use;
-
-# Write to the user domain tty.
-access_terminal($1_gpg_agent_t, $1)
-
-# Allow the user shell to signal the gpg-agent program.
-allow $1_t $1_gpg_agent_t:process { signal sigkill };
-# allow ps to show gpg-agent
-can_ps($1_t, $1_gpg_agent_t)
-
-uses_shlib($1_gpg_agent_t)
-read_locale($1_gpg_agent_t)
-
-# rlimit: gpg-agent wants to prevent coredumps
-allow $1_gpg_agent_t self:process { setrlimit fork sigchld };
-
-allow $1_gpg_agent_t { self proc_t }:dir search;
-allow $1_gpg_agent_t { self proc_t }:lnk_file read;
-
-allow $1_gpg_agent_t device_t:dir { getattr read };
-
-# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
-create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
-if (use_nfs_home_dirs) {
-create_dir_file($1_gpg_agent_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1_gpg_agent_t, cifs_t)
-}
-
-allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_gpg_agent_t self:fifo_file { getattr read write };
-
-# create /tmp files
-tmp_domain($1_gpg_agent, `', `{ file dir sock_file }')
-
-# gpg connect
-allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
-allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
-can_unix_connect($1_gpg_t, $1_gpg_agent_t)
-
-# policy for pinentry
-# ===================
-# we need to allow gpg-agent to call pinentry so it can get the passphrase 
-# from the user.
-# Please note that I didnt use the x_client_domain-macro as it gives too 
-# much permissions
-type $1_gpg_pinentry_t, domain;
-role $1_r types $1_gpg_pinentry_t;
-
-allow $1_gpg_agent_t bin_t:dir search;
-domain_auto_trans($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t)
-
-uses_shlib($1_gpg_pinentry_t)
-read_locale($1_gpg_pinentry_t)
-
-allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
-allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
-
-ifdef(`xdm.te', `
-allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
-allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
-can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
-')dnl end ig xdm.te
-
-read_fonts($1_gpg_pinentry_t, $1)
-# read kde font cache
-allow $1_gpg_pinentry_t usr_t:file { getattr read };
-
-allow $1_gpg_pinentry_t { proc_t self }:dir search;
-allow $1_gpg_pinentry_t { proc_t self }:lnk_file read;
-# read /proc/meminfo
-allow $1_gpg_pinentry_t proc_t:file read;
-
-allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
-
-# for .Xauthority
-allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
-allow $1_gpg_pinentry_t $1_home_t:file { getattr read };
-# wants to put some lock files into the user home dir, seems to work fine without
-dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
-dontaudit $1_gpg_pinentry_t $1_home_t:file write;
-if (use_nfs_home_dirs) {
-allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
-allow $1_gpg_pinentry_t nfs_t:file { getattr read };
-dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
-dontaudit $1_gpg_pinentry_t nfs_t:file write;
-}
-if (use_samba_home_dirs) {
-allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
-allow $1_gpg_pinentry_t cifs_t:file { getattr read };
-dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
-dontaudit $1_gpg_pinentry_t cifs_t:file write;
-}
-
-# read /etc/X11/qtrc
-allow $1_gpg_pinentry_t etc_t:file { getattr read };
-
-dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t bin_t }:dir { getattr search };
-
-')dnl end if gpg_agent
diff --git a/strict/macros/program/gpg_macros.te b/strict/macros/program/gpg_macros.te
deleted file mode 100644
index a836ed6..0000000
--- a/strict/macros/program/gpg_macros.te
+++ /dev/null
@@ -1,115 +0,0 @@
-#
-# Macros for gpg and pgp
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-# based on the work of:
-# Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
-#
-
-#
-# gpg_domain(domain_prefix)
-#
-# Define a derived domain for the gpg/pgp program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/gpg.te.
-#
-define(`gpg_domain', `
-# Derived domain based on the calling user domain and the program.
-type $1_gpg_t, domain, privlog;
-type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
-role $1_r types $1_gpg_t;
-
-can_network($1_gpg_t)
-allow $1_gpg_t port_type:tcp_socket name_connect;
-can_ypbind($1_gpg_t)
-
-# for a bug in kmail
-dontaudit $1_gpg_t $1_t:unix_stream_socket { getattr read write };
-
-allow $1_gpg_t device_t:dir r_dir_perms;
-allow $1_gpg_t { random_device_t urandom_device_t }:chr_file r_file_perms;
-
-allow $1_gpg_t etc_t:file r_file_perms;
-
-allow $1_gpg_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
-
-access_terminal($1_gpg_t, $1)
-ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors
-allow $1_gpg_t { privfd $1_t }:fd use;
-allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
-
-# setrlimit is for ulimit -c 0
-allow $1_gpg_t self:process { setrlimit setcap setpgid };
-
-# allow ps to show gpg
-can_ps($1_t, $1_gpg_t)
-
-uses_shlib($1_gpg_t)
-
-# Access .gnupg
-rw_dir_create_file($1_gpg_t, $1_gpg_secret_t)
-
-# Read content to encrypt/decrypt/sign
-read_content($1_gpg_t, $1)
-
-# Write content to encrypt/decrypt/sign
-write_trusted($1_gpg_t, $1)
-
-allow $1_gpg_t self:capability { ipc_lock setuid };
-
-allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms;
-allow $1_gpg_t fs_t:filesystem getattr;
-allow $1_gpg_t usr_t:file r_file_perms;
-read_locale($1_gpg_t)
-
-dontaudit $1_gpg_t var_t:dir search;
-
-ifdef(`gpg-agent.te', `gpg_agent_domain($1)')
-
-# for helper programs (which automatically fetch keys)
-# Note: this is only tested with the hkp interface. If you use eg the 
-# mail interface you will likely need additional permissions.
-type $1_gpg_helper_t, domain;
-role $1_r types $1_gpg_helper_t;
-
-domain_auto_trans($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t)
-uses_shlib($1_gpg_helper_t)
-
-# allow gpg to fork so it can call the helpers
-allow $1_gpg_t self:process { fork sigchld };
-allow $1_gpg_t self:fifo_file { getattr read write };
-
-dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
-if (use_nfs_home_dirs) {
-dontaudit $1_gpg_helper_t nfs_t:file { read write };
-}
-if (use_samba_home_dirs) {
-dontaudit $1_gpg_helper_t cifs_t:file { read write };
-}
-
-# communicate with the user 
-allow $1_gpg_helper_t $1_t:fd use;
-allow $1_gpg_helper_t $1_t:fifo_file write;
-# get keys from the network
-can_network_client($1_gpg_helper_t)
-allow $1_gpg_helper_t port_type:tcp_socket name_connect;
-allow $1_gpg_helper_t etc_t:file { getattr read };
-allow $1_gpg_helper_t urandom_device_t:chr_file read;
-allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
-# for nscd
-dontaudit $1_gpg_helper_t var_t:dir search;
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_gpg_t)
-')
-
-')dnl end gpg_domain definition
diff --git a/strict/macros/program/gph_macros.te b/strict/macros/program/gph_macros.te
deleted file mode 100644
index d784fcc..0000000
--- a/strict/macros/program/gph_macros.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#
-# Macros for gnome-pty-helper domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
-#
-
-#
-# gph_domain(domain_prefix, role_prefix)
-#
-# Define a derived domain for the gnome-pty-helper program when
-# executed by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/gnome-pty-helper.te. 
-#
-# The *_gph_t domains are for the gnome_pty_helper program.
-# This program is executed by gnome-terminal to handle
-# updates to utmp and wtmp.  In this regard, it is similar
-# to utempter.  However, unlike utempter, gnome-pty-helper
-# also creates the pty file for the terminal program.
-# There is one *_gph_t domain for each user domain.  
-#
-undefine(`gph_domain')
-define(`gph_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_gph_t, domain, gphdomain, nscd_client_domain;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, gph_exec_t, $1_gph_t)
-
-# The user role is authorized for this domain.
-role $2_r types $1_gph_t;
-
-# This domain is granted permissions common to most domains.
-uses_shlib($1_gph_t)
-
-# Use capabilities.
-allow $1_gph_t self:capability { chown fsetid setgid setuid };
-
-# Update /var/run/utmp and /var/log/wtmp.
-allow $1_gph_t { var_t var_run_t }:dir search;
-allow $1_gph_t initrc_var_run_t:file rw_file_perms;
-allow $1_gph_t wtmp_t:file rw_file_perms;
-
-# Allow gph to rw to stream sockets of appropriate user type.
-# (Need this so gnome-pty-helper can pass pty fd to parent 
-#  gnome-terminal which is running in a user domain.)
-allow $1_gph_t $1_t:unix_stream_socket rw_stream_socket_perms;
-
-allow $1_gph_t self:unix_stream_socket create_stream_socket_perms;
-
-# Allow user domain to use pty fd from gnome-pty-helper.
-allow $1_t $1_gph_t:fd use;
-
-# Use the network, e.g. for NIS lookups.
-can_resolve($1_gph_t)
-can_ypbind($1_gph_t)
-
-allow $1_gph_t etc_t:file { getattr read };
-
-# Added by David A. Wheeler:
-# Allow gnome-pty-helper to update /var/log/lastlog
-# (the gnome-pty-helper in Red Hat Linux 7.1 does this):
-allow $1_gph_t lastlog_t:file rw_file_perms;
-allow $1_gph_t var_log_t:dir search;
-allow $1_t $1_gph_t:process signal;
-
-ifelse($2, `system', `
-# Create ptys for the system
-can_create_other_pty($1_gph, initrc)
-', `
-# Create ptys for the user domain.
-can_create_other_pty($1_gph, $1)
-
-# Read and write the users tty.
-allow $1_gph_t $1_tty_device_t:chr_file rw_file_perms;
-
-# Allow gnome-pty-helper to write the .xsession-errors file.
-allow $1_gph_t home_root_t:dir search;
-allow $1_gph_t $1_home_t:dir { search add_name };
-allow $1_gph_t $1_home_t:file { create write };
-')dnl end ifelse system
-')dnl end macro
diff --git a/strict/macros/program/i18n_input_macros.te b/strict/macros/program/i18n_input_macros.te
deleted file mode 100644
index 58699fc..0000000
--- a/strict/macros/program/i18n_input_macros.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#
-# Macros for i18n_input
-#
-
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com> 
-#
-
-#
-# i18n_input_domain(domain)
-#
-ifdef(`i18n_input.te', `
-define(`i18n_input_domain', `
-allow i18n_input_t $1_home_dir_t:dir { getattr search };
-r_dir_file(i18n_input_t, $1_home_t)
-if (use_nfs_home_dirs) { r_dir_file(i18n_input_t, nfs_t) }
-if (use_samba_home_dirs) { r_dir_file(i18n_input_t, cifs_t) }
-')
-')
-
-
diff --git a/strict/macros/program/ice_macros.te b/strict/macros/program/ice_macros.te
deleted file mode 100644
index b373496..0000000
--- a/strict/macros/program/ice_macros.te
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# ICE related types 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# ice_domain(prefix, role) - create ICE sockets
-# ice_connect(type1_prefix, type2_prefix) - allow communication through ICE sockets 
-
-define(`ice_domain', `
-ifdef(`$1_ice_tmp_t_defined',`', `
-define(`$1_ice_tmp_t_defined')
-
-# Type for ICE sockets
-type $1_ice_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile;
-file_type_auto_trans($1_t, ice_tmp_t, $1_ice_tmp_t)
-
-# Create the sockets
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_t self:unix_dgram_socket create_socket_perms;
-
-# FIXME: How does iceauth tie in?
-
-')
-')
-
-# FIXME: Should this be bidirectional?
-# Adding only unidirectional for now.
-
-define(`ice_connect', `
-
-# Read .ICEauthority file
-allow $1_t $2_iceauth_home_t:file { read getattr };
-
-can_unix_connect($1_t, $2_t)
-allow $1_t ice_tmp_t:dir r_dir_perms;
-allow $1_t $2_ice_tmp_t:sock_file { read write };
-allow $1_t $2_t:unix_stream_socket { read write };
-')
diff --git a/strict/macros/program/iceauth_macros.te b/strict/macros/program/iceauth_macros.te
deleted file mode 100644
index cc7e804..0000000
--- a/strict/macros/program/iceauth_macros.te
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# Macros for iceauth domains.
-#
-# Author:  Ivan Gyurdiev <gyurdiev@redhat.com>
-#
-# iceauth_domain(domain_prefix)
-
-define(`iceauth_domain',`
-
-# Program type
-type $1_iceauth_t, domain;
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, iceauth_exec_t, $1_iceauth_t)
-role $1_r types $1_iceauth_t;
-
-# Store .ICEauthority files
-home_domain($1, iceauth)
-file_type_auto_trans($1_iceauth_t, $1_home_dir_t, $1_iceauth_home_t, file)
-
-# Supress xdm trying to restore .ICEauthority permissions
-ifdef(`xdm.te', `
-dontaudit xdm_t $1_iceauth_home_t:file r_file_perms;
-')
-
-# /root
-allow $1_iceauth_t root_t:dir search;
-
-# Terminal output
-access_terminal($1_iceauth_t, $1)
-
-uses_shlib($1_iceauth_t)
-
-# ??? 
-allow $1_iceauth_t etc_t:dir search;
-allow $1_iceauth_t usr_t:dir search;
-
-# FIXME: policy is incomplete
-
-')dnl end xauth_domain macro
diff --git a/strict/macros/program/inetd_macros.te b/strict/macros/program/inetd_macros.te
deleted file mode 100644
index e5c4eed..0000000
--- a/strict/macros/program/inetd_macros.te
+++ /dev/null
@@ -1,97 +0,0 @@
-#################################
-#
-# Rules for the $1_t domain.
-#
-# $1_t is a general domain for daemons started
-# by inetd that do not have their own individual domains yet.
-# $1_exec_t is the type of the corresponding
-# programs.
-#
-define(`inetd_child_domain', `
-type $1_t, domain, privlog, nscd_client_domain;
-role system_r types $1_t;
-
-#
-# Allows user to define a tunable to disable domain transition
-#
-bool $1_disable_trans false;
-if ($1_disable_trans) {
-can_exec(initrc_t, $1_exec_t)
-can_exec(sysadm_t, $1_exec_t)
-} else {
-domain_auto_trans(inetd_t, $1_exec_t, $1_t)
-allow inetd_t $1_t:process sigkill;
-}
-
-can_network_server($1_t)
-can_ypbind($1_t)
-uses_shlib($1_t)
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket create_socket_perms;
-allow $1_t self:fifo_file rw_file_perms;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-read_locale($1_t)
-allow $1_t device_t:dir search;
-allow $1_t proc_t:dir search;
-allow $1_t proc_t:{ file lnk_file } { getattr read };
-allow $1_t self:process { fork signal_perms };
-allow $1_t fs_t:filesystem getattr;
-
-read_sysctl($1_t)
-
-allow $1_t etc_t:file { getattr read };
-
-tmp_domain($1)
-allow $1_t var_t:dir search;
-var_run_domain($1)
-
-# Inherit and use descriptors from inetd.
-allow $1_t inetd_t:fd use;
-
-# for identd
-allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow $1_t self:capability { setuid setgid };
-allow $1_t home_root_t:dir search;
-allow $1_t self:dir search;
-allow $1_t self:{ lnk_file file } { getattr read };
-can_kerberos($1_t)
-allow $1_t urandom_device_t:chr_file r_file_perms;
-# Use sockets inherited from inetd.
-ifelse($2, `', `
-allow inetd_t $1_port_t:udp_socket name_bind;
-allow $1_t inetd_t:udp_socket rw_socket_perms;
-allow inetd_t $1_port_t:tcp_socket name_bind;
-allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
-')
-ifelse($2, tcp, `
-allow inetd_t $1_port_t:tcp_socket name_bind;
-allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
-')
-ifelse($2, udp, `
-allow inetd_t $1_port_t:udp_socket name_bind;
-allow $1_t inetd_t:udp_socket rw_socket_perms;
-')
-r_dir_file($1_t, proc_net_t)
-')
-define(`remote_login_daemon', `
-inetd_child_domain($1)
-
-# Execute /bin/login on a new PTY
-allow $1_t { bin_t sbin_t }:dir search;
-domain_auto_trans($1_t, login_exec_t, remote_login_t)
-can_create_pty($1, `, server_pty, userpty_type')
-allow $1_t self:capability { fsetid chown fowner sys_tty_config dac_override } ;
-
-# Append to /var/log/wtmp.
-allow $1_t var_log_t:dir search;
-allow $1_t wtmp_t:file rw_file_perms;
-allow $1_t initrc_var_run_t:file rw_file_perms;
-
-# Allow reading of /etc/issue.net
-allow $1_t etc_runtime_t:file r_file_perms;
-
-# Allow krb5 $1 to use fork and open /dev/tty for use
-allow $1_t userpty_type:chr_file setattr;
-allow $1_t devtty_t:chr_file rw_file_perms;
-dontaudit $1_t selinux_config_t:dir search;
-')
diff --git a/strict/macros/program/irc_macros.te b/strict/macros/program/irc_macros.te
deleted file mode 100644
index 3adaef7..0000000
--- a/strict/macros/program/irc_macros.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#
-# Macros for irc domains.
-#
-
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#
-# irc_domain(domain_prefix)
-#
-# Define a derived domain for the irc program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/irc.te. 
-#
-undefine(`irc_domain')
-ifdef(`irc.te', `
-define(`irc_domain',`
-
-# Home domain
-home_domain($1, irc)
-file_type_auto_trans($1_irc_t, $1_home_dir_t, $1_irc_home_t, dir)
-
-# Derived domain based on the calling user domain and the program.
-type $1_irc_t, domain;
-type $1_irc_exec_t, file_type, sysadmfile, $1_file_type;
-
-allow $1_t $1_irc_exec_t:file { relabelfrom relabelto create_file_perms };
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, { irc_exec_t $1_irc_exec_t }, $1_irc_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_irc_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_irc_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors from newrole.
-ifdef(`newrole.te', `allow $1_irc_t newrole_t:fd use;')
-
-# allow ps to show irc
-can_ps($1_t, $1_irc_t)
-allow $1_t $1_irc_t:process signal;
-
-# Use the network.
-can_network_client($1_irc_t)
-allow $1_irc_t port_type:tcp_socket name_connect;
-can_ypbind($1_irc_t)
-
-allow $1_irc_t usr_t:file { getattr read };
-
-access_terminal($1_irc_t, $1)
-uses_shlib($1_irc_t)
-allow $1_irc_t etc_t:file { read getattr };
-read_locale($1_irc_t)
-allow $1_irc_t fs_t:filesystem getattr;
-allow $1_irc_t var_t:dir search;
-allow $1_irc_t device_t:dir search;
-allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_irc_t privfd:fd use;
-allow $1_irc_t proc_t:dir search;
-allow $1_irc_t { self proc_t }:lnk_file read;
-allow $1_irc_t self:dir search;
-dontaudit $1_irc_t var_run_t:dir search;
-
-# allow utmp access
-allow $1_irc_t initrc_var_run_t:file { getattr read };
-dontaudit $1_irc_t initrc_var_run_t:file lock;
-
-# access files under /tmp
-file_type_auto_trans($1_irc_t, tmp_t, $1_tmp_t)
-
-ifdef(`ircd.te', `
-can_tcp_connect($1_irc_t, ircd_t)
-')dnl end ifdef irc.te
-')dnl end macro definition
-
-', `
-
-define(`irc_domain',`')
-
-')dnl end ifdef irc.te
diff --git a/strict/macros/program/java_macros.te b/strict/macros/program/java_macros.te
deleted file mode 100644
index 874d6dc..0000000
--- a/strict/macros/program/java_macros.te
+++ /dev/null
@@ -1,93 +0,0 @@
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com> 
-#
-# Macros for javaplugin (java plugin) domains.
-#
-#
-# javaplugin_domain(domain_prefix, role)
-#
-# Define a derived domain for the javaplugin program when executed by
-# a web browser.  
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/java.te. 
-#
-define(`javaplugin_domain',`
-type $1_javaplugin_t, domain, privlog , nscd_client_domain, transitionbool;
-
-# The user role is authorized for this domain.
-role $2_r types $1_javaplugin_t;
-domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
-
-allow $1_javaplugin_t sound_device_t:chr_file rw_file_perms;
-# Unrestricted inheritance from the caller.
-allow $1_t $1_javaplugin_t:process { noatsecure siginh rlimitinh };
-allow $1_javaplugin_t $1_t:process signull;
-
-can_unix_connect($1_javaplugin_t, $1_t)
-allow $1_javaplugin_t $1_t:unix_stream_socket { read write };
-
-# This domain is granted permissions common to most domains (including can_net)
-can_network_client($1_javaplugin_t)
-allow $1_javaplugin_t port_type:tcp_socket name_connect;
-can_ypbind($1_javaplugin_t)
-allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
-allow $1_javaplugin_t self:fifo_file rw_file_perms;
-allow $1_javaplugin_t etc_runtime_t:file { getattr read };
-allow $1_javaplugin_t fs_t:filesystem getattr;
-r_dir_file($1_javaplugin_t, { proc_t proc_net_t })
-allow $1_javaplugin_t self:dir search;
-allow $1_javaplugin_t self:lnk_file read;
-allow $1_javaplugin_t self:file { getattr read };
-
-read_sysctl($1_javaplugin_t)
-allow $1_javaplugin_t sysctl_vm_t:dir search;
-
-tmp_domain($1_javaplugin)
-read_fonts($1_javaplugin_t, $2)
-r_dir_file($1_javaplugin_t,{ usr_t etc_t })
-
-# Search bin directory under javaplugin for javaplugin executable
-allow $1_javaplugin_t bin_t:dir search;
-can_exec($1_javaplugin_t, java_exec_t)
-
-# libdeploy.so legacy
-allow $1_javaplugin_t texrel_shlib_t:file execmod;
-if (allow_execmem) {
-allow $1_javaplugin_t self:process execmem;
-}
-
-# Connect to X server
-x_client_domain($1_javaplugin, $2) 
-
-uses_shlib($1_javaplugin_t)
-read_locale($1_javaplugin_t)
-rw_dir_file($1_javaplugin_t, $1_home_t)
-
-if (allow_java_execstack) {
-legacy_domain($1_javaplugin)
-allow $1_javaplugin_t lib_t:file execute;
-allow $1_javaplugin_t locale_t:file execute;
-allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
-allow $1_javaplugin_t fonts_t:file execute;
-allow $1_javaplugin_t sound_device_t:chr_file execute;
-}
-
-allow $1_javaplugin_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
-
-allow $1_javaplugin_t home_root_t:dir { getattr search };
-file_type_auto_trans($1_javaplugin_t, $2_home_dir_t, $1_home_t)
-allow $1_javaplugin_t $2_xauth_home_t:file { getattr read };
-allow $1_javaplugin_t $2_tmp_t:sock_file write;
-allow $1_javaplugin_t $2_t:fd use;
-
-allow $1_javaplugin_t var_t:dir getattr;
-allow $1_javaplugin_t var_lib_t:dir { getattr search };
-
-dontaudit $1_javaplugin_t $2_devpts_t:chr_file { read write };
-dontaudit $1_javaplugin_t sysadm_devpts_t:chr_file { read write };
-dontaudit $1_javaplugin_t devtty_t:chr_file { read write };
-dontaudit $1_javaplugin_t tmpfs_t:file { execute read write };
-dontaudit $1_javaplugin_t $1_home_t:file { execute setattr };
-
-')
diff --git a/strict/macros/program/kerberos_macros.te b/strict/macros/program/kerberos_macros.te
deleted file mode 100644
index 91850d3..0000000
--- a/strict/macros/program/kerberos_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-define(`can_kerberos',`
-ifdef(`kerberos.te',`
-if (allow_kerberos) {
-can_network_client($1, `kerberos_port_t')
-allow $1 kerberos_port_t:tcp_socket name_connect;
-can_resolve($1)
-}
-') dnl kerberos.te
-dontaudit $1 krb5_conf_t:file write;
-allow $1 krb5_conf_t:file { getattr read };
-')
diff --git a/strict/macros/program/lockdev_macros.te b/strict/macros/program/lockdev_macros.te
deleted file mode 100644
index 28f7c01..0000000
--- a/strict/macros/program/lockdev_macros.te
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# Macros for lockdev domains.
-#
-
-#
-# Authors:  Daniel Walsh <dwalsh@redhat.com> 
-#
-
-#
-# lockdev_domain(domain_prefix)
-#
-# Define a derived domain for the lockdev programs when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/lockdev.te. 
-#
-undefine(`lockdev_domain')
-define(`lockdev_domain',`
-# Derived domain based on the calling user domain and the program
-type $1_lockdev_t, domain, privlog;
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, lockdev_exec_t, $1_lockdev_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_lockdev_t;
-# Use capabilities.
-allow $1_lockdev_t self:capability setgid;
-allow $1_lockdev_t $1_t:process signull;
-
-allow $1_lockdev_t var_t:dir search;
-
-lock_domain($1_lockdev)
-
-r_dir_file($1_lockdev_t, lockfile)
-
-allow $1_lockdev_t device_t:dir search;
-allow $1_lockdev_t null_device_t:chr_file rw_file_perms;
-access_terminal($1_lockdev_t, $1)
-dontaudit $1_lockdev_t root_t:dir search;
-
-uses_shlib($1_lockdev_t)
-allow $1_lockdev_t fs_t:filesystem getattr;
-
-')dnl end macro definition
-
diff --git a/strict/macros/program/login_macros.te b/strict/macros/program/login_macros.te
deleted file mode 100644
index 0d0993c..0000000
--- a/strict/macros/program/login_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# Macros for login type programs (/bin/login, sshd, etc).
-#
-#  Author: Russell Coker <russell@coker.com.au>
-#
-
-define(`login_spawn_domain', `
-domain_trans($1_t, shell_exec_t, $2)
-
-# Signal the user domains.
-allow $1_t $2:process signal;
-')
diff --git a/strict/macros/program/lpr_macros.te b/strict/macros/program/lpr_macros.te
deleted file mode 100644
index 3dea9b0..0000000
--- a/strict/macros/program/lpr_macros.te
+++ /dev/null
@@ -1,117 +0,0 @@
-#
-# Macros for lpr domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
-#
-
-#
-# lpr_domain(domain_prefix)
-#
-# Define a derived domain for the lpr/lpq/lprm programs when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/lpr.te. 
-#
-undefine(`lpr_domain')
-define(`lpr_domain',`
-# Derived domain based on the calling user domain and the program
-type $1_lpr_t, domain, privlog, nscd_client_domain;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, lpr_exec_t, $1_lpr_t)
-
-allow $1_t $1_lpr_t:process signull;
-
-# allow using shared objects, accessing root dir, etc
-uses_shlib($1_lpr_t)
-
-read_locale($1_lpr_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_lpr_t;
-
-# This domain is granted permissions common to most domains (including can_net)
-can_network_client($1_lpr_t)
-allow $1_lpr_t port_type:tcp_socket name_connect;
-can_ypbind($1_lpr_t)
-
-# Use capabilities.
-allow $1_lpr_t $1_lpr_t:capability { setuid dac_override net_bind_service chown };
-
-allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;
-
-# for lpd config files (should have a new type)
-r_dir_file($1_lpr_t, etc_t)
-
-# for test print
-r_dir_file($1_lpr_t, usr_t)
-ifdef(`lpd.te', `
-r_dir_file($1_lpr_t, printconf_t)
-')
-
-tmp_domain($1_lpr)
-
-# Type for spool files.
-type $1_print_spool_t, file_type, sysadmfile;
-# Use this type when creating files in /var/spool/lpd and /var/spool/cups.
-file_type_auto_trans($1_lpr_t, print_spool_t, $1_print_spool_t, file)
-allow $1_lpr_t var_spool_t:dir search;
-
-# for /dev/null
-allow $1_lpr_t device_t:dir search;
-
-# Access the terminal.
-access_terminal($1_lpr_t, $1)
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_lpr_t $1_gph_t:fd use;')
-allow $1_lpr_t privfd:fd use;
-
-# Read user files. 
-read_content(sysadm_lpr_t, $1) 
-read_content($1_lpr_t, $1)
-
-# Read and write shared files in the spool directory.
-allow $1_lpr_t print_spool_t:file rw_file_perms;
-
-# lpr can run in lightweight mode, without a local print spooler. If the
-# lpd policy is present, grant some permissions for this domain and the lpd
-# domain to interact.
-ifdef(`lpd.te', `
-allow $1_lpr_t { var_t var_run_t }:dir search;
-allow $1_lpr_t lpd_var_run_t:dir search;
-allow $1_lpr_t lpd_var_run_t:sock_file write;
-
-# Allow lpd to read, rename, and unlink spool files.
-allow lpd_t $1_print_spool_t:file r_file_perms;
-allow lpd_t $1_print_spool_t:file link_file_perms;
-
-# Connect to lpd via a Unix domain socket.
-allow $1_lpr_t printer_t:sock_file rw_file_perms;
-can_unix_connect($1_lpr_t, lpd_t)
-dontaudit $1_lpr_t $1_t:unix_stream_socket { read write };
-
-# Connect to lpd via a TCP socket.
-can_tcp_connect($1_lpr_t, lpd_t)
-
-allow $1_lpr_t fs_t:filesystem getattr;
-# Send SIGHUP to lpd.
-allow $1_lpr_t lpd_t:process signal;
-
-')dnl end if lpd.te
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_lpr_t)
-')
-
-ifdef(`cups.te', `
-allow { $1_lpr_t $1_t } cupsd_etc_t:dir search;
-allow $1_lpr_t { cupsd_etc_t cupsd_rw_etc_t }:file { getattr read };
-can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t)
-')dnl end ifdef cups.te
-
-')dnl end macro definition
-
diff --git a/strict/macros/program/mail_client_macros.te b/strict/macros/program/mail_client_macros.te
deleted file mode 100644
index da22a62..0000000
--- a/strict/macros/program/mail_client_macros.te
+++ /dev/null
@@ -1,68 +0,0 @@
-#
-# Shared macro for mail clients
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-########################################
-# mail_client_domain(client, role_prefix)
-#
-
-define(`mail_client_domain', `
-
-# Allow netstat
-# Startup shellscripts
-allow $1_t bin_t:dir r_dir_perms;
-allow $1_t bin_t:lnk_file r_file_perms;
-can_exec($1_t, bin_t)
-r_dir_file($1_t, proc_net_t)
-allow $1_t sysctl_net_t:dir search;
-
-# Allow DNS
-can_resolve($1_t)
-
-# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
-can_ypbind($1_t)
-can_network_client_tcp($1_t, { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t })
-allow $1_t { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t }:tcp_socket name_connect;
-
-# Allow printing the mail
-ifdef(`cups.te',`
-allow $1_t cupsd_etc_t:dir r_dir_perms;
-allow $1_t cupsd_rw_etc_t:file r_file_perms;
-')
-ifdef(`lpr.te', `
-domain_auto_trans($1_t, lpr_exec_t, $2_lpr_t)
-')
-
-# Attachments
-read_content($1_t, $2, mail)
-
-# Save mail
-write_untrusted($1_t, $2)
-
-# Encrypt mail
-ifdef(`gpg.te', `
-domain_auto_trans($1_t, gpg_exec_t, $2_gpg_t)
-allow $1_t $2_gpg_t:process signal;
-')
-
-# Start links in web browser
-ifdef(`mozilla.te', `
-can_exec($1_t, shell_exec_t)
-domain_auto_trans($1_t, mozilla_exec_t, $2_mozilla_t)
-') 
-ifdef(`dbusd.te', `
-dbusd_client(system, $1)
-allow $1_t system_dbusd_t:dbus send_msg;
-dbusd_client($2, $1)
-allow $1_t $2_dbusd_t:dbus send_msg;
-ifdef(`cups.te', `
-allow cupsd_t $1_t:dbus send_msg;
-') 
-') 
-# Allow the user domain to signal/ps.
-can_ps($2_t, $1_t)
-allow $2_t $1_t:process signal_perms;
-
-')
diff --git a/strict/macros/program/mount_macros.te b/strict/macros/program/mount_macros.te
deleted file mode 100644
index 0aa0577..0000000
--- a/strict/macros/program/mount_macros.te
+++ /dev/null
@@ -1,90 +0,0 @@
-#
-# Macros for mount
-#
-# Author:  Brian May <bam@snoopy.apana.org.au>
-# Extended by Russell Coker <russell@coker.com.au>
-#
-
-#
-# mount_domain(domain_prefix,dst_domain_prefix)
-#
-# Define a derived domain for the mount program for anyone.
-#
-define(`mount_domain', `
-#
-# Rules for the $2_t domain, used by the $1_t domain.
-#
-# $2_t is the domain for the mount process.
-#
-# This macro will not be included by all users and it may be included twice if
-# called from other macros, so we need protection for this do not call this
-# macro if $2_def is defined
-define(`$2_def', `')
-#
-type $2_t, domain, privlog $3, nscd_client_domain;
-
-allow $2_t sysfs_t:dir search;
-
-uses_shlib($2_t)
-
-role $1_r types $2_t;
-# when mount is run by $1 goto $2_t domain
-domain_auto_trans($1_t, mount_exec_t, $2_t)
-
-allow $2_t proc_t:dir search;
-allow $2_t proc_t:file { getattr read };
-
-#
-# Allow mounting of cdrom by user
-#
-allow $2_t device_type:blk_file getattr;
-
-tmp_domain($2)
-
-# Use capabilities.
-allow $2_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
-
-allow $2_t self:unix_stream_socket create_socket_perms;
-
-# Create and modify /etc/mtab.
-file_type_auto_trans($2_t, etc_t, etc_runtime_t, file)
-
-allow $2_t etc_t:file { getattr read };
-
-read_locale($2_t)
-
-allow $2_t home_root_t:dir search;
-allow $2_t $1_home_dir_t:dir search;
-allow $2_t noexattrfile:filesystem { mount unmount };
-allow $2_t fs_t:filesystem getattr;
-allow $2_t removable_t:filesystem { mount unmount };
-allow $2_t mnt_t:dir { mounton search };
-allow $2_t sbin_t:dir search;
-
-# Access the terminal.
-access_terminal($2_t, $1)
-ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')
-allow $2_t var_t:dir search;
-allow $2_t var_run_t:dir search;
-
-ifdef(`distro_redhat',`
-ifdef(`pamconsole.te',`
-r_dir_file($2_t,pam_var_console_t)
-# mount config by default sets fscontext=removable_t
-allow $2_t dosfs_t:filesystem relabelfrom;
-') dnl end pamconsole.te
-') dnl end distro_redhat
-') dnl end mount_domain
-
-# mount_loopback_privs(domain_prefix,dst_domain_prefix)
-#
-# Add loopback mounting privileges to a particular derived
-# mount domain. 
-#
-define(`mount_loopback_privs',`
-type $1_$2_source_t, file_type, sysadmfile, $1_file_type;
-allow $1_t $1_$2_source_t:file create_file_perms;
-allow $1_t $1_$2_source_t:file { relabelto relabelfrom };
-allow $2_t $1_$2_source_t:file rw_file_perms;
-')
-
diff --git a/strict/macros/program/mozilla_macros.te b/strict/macros/program/mozilla_macros.te
deleted file mode 100644
index cc8afb0..0000000
--- a/strict/macros/program/mozilla_macros.te
+++ /dev/null
@@ -1,157 +0,0 @@
-#
-# Macros for mozilla/mozilla (or other browser) domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
-#
-
-#
-# mozilla_domain(domain_prefix)
-#
-# Define a derived domain for the mozilla/mozilla program when executed by
-# a user domain.  
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/mozilla.te. 
-#
-
-# FIXME: Rules were removed to centralize policy in a gnome_app macro
-# A similar thing might be necessary for mozilla compiled without GNOME
-# support (is this possible?). 
-
-define(`mozilla_domain',`
-
-type $1_mozilla_t, domain, web_client_domain, nscd_client_domain, privlog;
-
-# Type transition
-if (! disable_mozilla_trans) {
-domain_auto_trans($1_t, mozilla_exec_t, $1_mozilla_t)
-}
-role $1_r types $1_mozilla_t;
-
-# X access, Home files
-home_domain($1, mozilla)
-x_client_domain($1_mozilla, $1)
-
-# GNOME integration
-ifdef(`gnome.te', `
-gnome_application($1_mozilla, $1)
-gnome_file_dialog($1_mozilla, $1)
-')
-
-# Look for plugins 
-allow $1_mozilla_t bin_t:dir { getattr read search };
-
-# Browse the web, connect to printer
-can_resolve($1_mozilla_t)
-can_network_client_tcp($1_mozilla_t, { http_port_t http_cache_port_t ftp_port_t ipp_port_t } )
-allow $1_mozilla_t { http_port_t http_cache_port_t ftp_port_t ipp_port_t }:tcp_socket name_connect;
-
-# Should not need other ports
-dontaudit $1_mozilla_t port_t:tcp_socket { name_connect name_bind };
-
-allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
-dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
-
-# Unrestricted inheritance from the caller.
-allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
-allow $1_mozilla_t $1_t:process signull;
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_mozilla_t)
-allow $1_t $1_mozilla_t:process signal_perms;
-
-# Access /proc, sysctl
-allow $1_mozilla_t proc_t:dir search;
-allow $1_mozilla_t proc_t:file { getattr read };
-allow $1_mozilla_t proc_t:lnk_file read;
-allow $1_mozilla_t sysctl_net_t:dir search;
-allow $1_mozilla_t sysctl_t:dir search;
-
-# /var/lib
-allow $1_mozilla_t var_lib_t:dir search;
-allow $1_mozilla_t var_lib_t:file { getattr read };
-
-# Self permissions
-allow $1_mozilla_t self:socket create_socket_perms;
-allow $1_mozilla_t self:file { getattr read };
-allow $1_mozilla_t self:sem create_sem_perms;
-
-# for bash - old mozilla binary
-can_exec($1_mozilla_t, mozilla_exec_t)
-can_exec($1_mozilla_t, shell_exec_t)
-can_exec($1_mozilla_t, bin_t)
-allow $1_mozilla_t bin_t:lnk_file read;
-allow $1_mozilla_t device_t:dir r_dir_perms;
-allow $1_mozilla_t self:dir search;
-allow $1_mozilla_t self:lnk_file read;
-r_dir_file($1_mozilla_t, proc_net_t)
-
-# interacting with gstreamer
-r_dir_file($1_mozilla_t, var_t)
-
-# Uploads, local html
-read_content($1_mozilla_t, $1, mozilla) 
-
-# Save web pages
-write_untrusted($1_mozilla_t, $1)
-
-# Mozpluggerrc
-allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
-
-######### Java plugin
-ifdef(`java.te', `
-javaplugin_domain($1_mozilla, $1)
-') dnl java.te
-
-######### Print web content
-ifdef(`cups.te', `
-allow $1_mozilla_t cupsd_etc_t:dir search;
-allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read };
-')
-ifdef(`lpr.te', `
-domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
-dontaudit $1_lpr_t $1_mozilla_home_t:file { read write };
-dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write };
-') dnl if lpr.te
-
-######### Launch mplayer
-ifdef(`mplayer.te', `
-domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
-dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
-dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
-dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
-')dnl end if mplayer.te  
-
-######### Launch email client, and make webcal links work
-ifdef(`evolution.te', `
-domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
-domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
-') dnl if evolution.te
-
-ifdef(`thunderbird.te', `
-domain_auto_trans($1_mozilla_t, thunderbird_exec_t, $1_thunderbird_t)
-') dnl if evolution.te
-
-if (allow_execmem) {
-allow $1_mozilla_t self:process { execmem execstack };
-}
-allow $1_mozilla_t texrel_shlib_t:file execmod;
-
-ifdef(`dbusd.te', `
-dbusd_client(system, $1_mozilla)
-allow $1_mozilla_t system_dbusd_t:dbus send_msg;
-ifdef(`cups.te', `
-allow cupsd_t $1_mozilla_t:dbus send_msg;
-')
-')
-
-ifdef(`apache.te', `
-ifelse($1, sysadm, `', `
-r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
-')
-')
-
-')dnl end mozilla macro
-
diff --git a/strict/macros/program/mplayer_macros.te b/strict/macros/program/mplayer_macros.te
deleted file mode 100644
index 6d06757..0000000
--- a/strict/macros/program/mplayer_macros.te
+++ /dev/null
@@ -1,159 +0,0 @@
-#
-# Macros for mplayer
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# mplayer_domains(user) declares domains for mplayer, gmplayer,
-# and mencoder
-
-#####################################################
-#    mplayer_common(role_prefix, mplayer_domain)    #
-#####################################################
-
-define(`mplayer_common',`
-
-# Read global config
-r_dir_file($1_$2_t, mplayer_etc_t)
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_$2_t)
-allow $1_t $1_$2_t:process signal_perms;
-
-# Read data in /usr/share (fonts, icons..)
-r_dir_file($1_$2_t, usr_t)
-
-# Read /proc files and directories
-# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
-allow $1_$2_t proc_t:dir search;
-allow $1_$2_t proc_t:file { getattr read };
-
-# Sysctl on kernel version 
-read_sysctl($1_$2_t)
-
-# Allow ps, shared libs, locale, terminal access
-can_ps($1_t, $1_$2_t)
-uses_shlib($1_$2_t)
-read_locale($1_$2_t)
-access_terminal($1_$2_t, $1)
-
-# Required for win32 binary loader 
-allow $1_$2_t zero_device_t:chr_file { read write execute };
-if (allow_execmem) {
-allow $1_$2_t self:process execmem;
-}
-
-if (allow_execmod) {
-allow $1_$2_t zero_device_t:chr_file execmod;
-}
-allow $1_$2_t texrel_shlib_t:file execmod;
-
-# Access to DVD/CD/V4L
-allow $1_$2_t device_t:dir r_dir_perms;
-allow $1_$2_t device_t:lnk_file { getattr read };
-allow $1_$2_t removable_device_t:blk_file { getattr read };
-allow $1_$2_t v4l_device_t:chr_file { getattr read };
-
-# Legacy domain issues
-if (allow_mplayer_execstack) {
-legacy_domain($1_$2)
-allow $1_$2_t lib_t:file execute;
-allow $1_$2_t locale_t:file execute;
-allow $1_$2_t sound_device_t:chr_file execute;
-}
-')
-
-###################################
-#  mplayer_domain(role_prefix)    #
-###################################
-
-define(`mplayer_domain',`
-
-type $1_mplayer_t, domain, nscd_client_domain;
-
-# Type transition
-domain_auto_trans($1_t, mplayer_exec_t, $1_mplayer_t)
-role $1_r types $1_mplayer_t;
-
-# Home access, X access
-home_domain($1, mplayer)
-x_client_domain($1_mplayer, $1)
-
-# Mplayer common stuff
-mplayer_common($1, mplayer)
-
-# Fork 
-allow $1_mplayer_t self:process { fork signal_perms getsched };
-allow $1_mplayer_t self:fifo_file rw_file_perms;
-
-# Audio, alsa.conf
-allow $1_mplayer_t sound_device_t:chr_file rw_file_perms;
-allow $1_mplayer_t etc_t:file { getattr read };
-r_dir_file($1_mplayer_t, alsa_etc_rw_t);
-
-# RTC clock 
-allow $1_mplayer_t clock_device_t:chr_file { ioctl read };
-
-# Legacy domain issues
-if (allow_mplayer_execstack) {
-allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute;
-}
-
-#======gmplayer gui==========#
-# File dialogs
-dontaudit_getattr($1_mplayer_t)
-dontaudit_read_dir($1_mplayer_t)
-dontaudit_search_dir($1_mplayer_t)
-
-# Unfortunately the ancient file dialog starts in /
-allow $1_mplayer_t home_root_t:dir read;
-
-# Read /etc/mtab
-allow $1_mplayer_t etc_runtime_t:file { read getattr };
-
-# Run bash/sed (??) 
-allow $1_mplayer_t bin_t:dir search;
-allow $1_mplayer_t bin_t:lnk_file read;
-can_exec($1_mplayer_t, bin_t)
-can_exec($1_mplayer_t, shell_exec_t)
-#============================#
-
-# Read songs
-read_content($1_mplayer_t, $1)
-
-') dnl end mplayer_domain
-
-###################################
-#  mencoder_domain(role_prefix)   #
-###################################
-
-define(`mencoder_domain',`
-
-type $1_mencoder_t, domain;
-
-# Type transition
-domain_auto_trans($1_t, mencoder_exec_t, $1_mencoder_t)
-role $1_r types $1_mencoder_t;
-
-# Access mplayer home domain
-home_domain_access($1_mencoder_t, $1, mplayer)
-
-# Mplayer common stuff
-mplayer_common($1, mencoder)
-
-# Read content to encode
-read_content($1_mencoder_t, $1)
-
-# Save encoded files
-write_trusted($1_mencoder_t, $1)
-
-') dnl end mencoder_domain
-
-#############################
-#  mplayer_domains(role)    #
-#############################
-
-define(`mplayer_domains', `
-mplayer_domain($1)
-mencoder_domain($1)
-') dnl end mplayer_domains
-
diff --git a/strict/macros/program/mta_macros.te b/strict/macros/program/mta_macros.te
deleted file mode 100644
index 930d1a2..0000000
--- a/strict/macros/program/mta_macros.te
+++ /dev/null
@@ -1,121 +0,0 @@
-# Macros for MTA domains.
-#
-
-#
-# Author:   Russell Coker <russell@coker.com.au>
-# Based on the work of: Stephen Smalley <sds@epoch.ncsc.mil>
-#                       Timothy Fraser 
-#
-
-#
-# mail_domain(domain_prefix)
-#
-# Define a derived domain for the sendmail program when executed by
-# a user domain to send outgoing mail.  These domains are separate and
-# independent of the domain used for the sendmail daemon process.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/mta.te. 
-#
-undefine(`mail_domain')
-define(`mail_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_mail_t, domain, privlog, user_mail_domain, nscd_client_domain;
-
-ifdef(`sendmail.te', `
-sendmail_user_domain($1)
-')
-
-can_exec($1_mail_t, sendmail_exec_t)
-allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };
-
-# The user role is authorized for this domain.
-role $1_r types $1_mail_t;
-
-uses_shlib($1_mail_t)
-can_network_client_tcp($1_mail_t)
-allow $1_mail_t port_type:tcp_socket name_connect;
-can_resolve($1_mail_t)
-can_ypbind($1_mail_t)
-allow $1_mail_t self:unix_dgram_socket create_socket_perms;
-allow $1_mail_t self:unix_stream_socket create_socket_perms;
-
-read_locale($1_mail_t)
-read_sysctl($1_mail_t)
-allow $1_mail_t device_t:dir search;
-allow $1_mail_t { var_t var_spool_t }:dir search;
-allow $1_mail_t self:process { fork signal_perms setrlimit };
-allow $1_mail_t sbin_t:dir search;
-
-# It wants to check for nscd
-dontaudit $1_mail_t var_run_t:dir search;
-
-# Use capabilities
-allow $1_mail_t self:capability { setuid setgid chown };
-
-# Execute procmail.
-can_exec($1_mail_t, bin_t)
-ifdef(`procmail.te',`
-can_exec($1_mail_t, procmail_exec_t)')
-
-ifelse(`$1', `system', `
-# Transition from a system domain to the derived domain.
-domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
-allow privmail sendmail_exec_t:lnk_file { getattr read };
-
-ifdef(`crond.te', `
-# Read cron temporary files.
-allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
-allow mta_user_agent system_crond_tmp_t:file { read getattr };
-')
-can_access_pty(system_mail_t, initrc)
-
-', `
-# For when the user wants to send mail via port 25 localhost
-can_tcp_connect($1_t, mail_server_domain)
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t)
-allow $1_t sendmail_exec_t:lnk_file { getattr read };
-
-# Read user temporary files.
-allow $1_mail_t $1_tmp_t:file r_file_perms;
-dontaudit $1_mail_t $1_tmp_t:file append;
-ifdef(`postfix.te', `
-# postfix seems to need write access if the file handle is opened read/write
-allow $1_mail_t $1_tmp_t:file write;
-')dnl end if postfix
-
-allow mta_user_agent $1_tmp_t:file { read getattr };
-
-# Write to the user domain tty.
-access_terminal(mta_user_agent, $1)
-access_terminal($1_mail_t, $1)
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
-allow $1_mail_t privfd:fd use;
-
-# Create dead.letter in user home directories.
-file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
-
-if (use_samba_home_dirs) {
-rw_dir_create_file($1_mail_t, cifs_t)
-}
-
-# if you do not want to allow dead.letter then use the following instead
-#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
-#allow $1_mail_t $1_home_t:file r_file_perms;
-
-# for reading .forward - maybe we need a new type for it?
-# also for delivering mail to maildir
-file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
-')dnl end if system
-
-allow $1_mail_t etc_t:file { getattr read };
-ifdef(`qmail.te', `
-allow $1_mail_t qmail_etc_t:dir search;
-allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
-')dnl end if qmail
-
-')
diff --git a/strict/macros/program/newrole_macros.te b/strict/macros/program/newrole_macros.te
deleted file mode 100644
index 0d52282..0000000
--- a/strict/macros/program/newrole_macros.te
+++ /dev/null
@@ -1,97 +0,0 @@
-# Authors:  Anthony Colatrella (NSA)    Stephen Smalley <sds@epoch.ncsc.mil>
-#           Russell Coker <russell@coker.com.au>
-
-# This macro defines the rules for a newrole like program, it is used by
-# newrole.te and sudo.te, but may be used by other policy at some later time.
-
-define(`newrole_domain', `
-# Rules for the $1_t domain.
-#
-# $1_t is the domain for the program.
-# $1_exec_t is the type of the executable.
-#
-type $1_t, domain, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl $2;
-in_user_role($1_t)
-role sysadm_r types $1_t;
-
-general_domain_access($1_t);
-
-uses_shlib($1_t)
-read_locale($1_t)
-read_sysctl($1_t)
-
-allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read };
-
-# for when the user types "exec newrole" at the command line
-allow $1_t privfd:process sigchld;
-
-# Inherit descriptors from the current session.
-allow $1_t privfd:fd use;
-
-# Execute /sbin/pwdb_chkpwd to check the password.
-allow $1_t sbin_t:dir r_dir_perms;
-
-# Execute shells
-allow $1_t bin_t:dir r_dir_perms;
-allow $1_t bin_t:lnk_file read;
-allow $1_t shell_exec_t:file r_file_perms;
-
-allow $1_t urandom_device_t:chr_file { getattr read };
-
-# Allow $1_t to transition to user domains.
-domain_trans($1_t, shell_exec_t, unpriv_userdomain)
-if(!secure_mode)
-{
-	# if we are not in secure mode then we can transition to sysadm_t
-	domain_trans($1_t, shell_exec_t, sysadm_t)
-}
-
-can_setexec($1_t)
-
-allow $1_t autofs_t:dir search;
-
-# Use capabilities.
-allow $1_t self:capability { fowner setuid setgid net_bind_service dac_override };
-
-# Read the devpts root directory.
-allow $1_t devpts_t:dir r_dir_perms;
-
-# Read the /etc/security/default_type file
-r_dir_file($1_t, default_context_t)
-r_dir_file($1_t, selinux_config_t)
-allow $1_t etc_t:file r_file_perms;
-
-# Read /var.
-r_dir_file($1_t, var_t)
-
-# Read /dev directories and any symbolic links.
-allow $1_t device_t:dir r_dir_perms;
-
-# Relabel terminals.
-allow $1_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-
-# Access terminals.
-allow $1_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
-
-ifdef(`distro_debian', `
-# for /etc/alternatives
-allow $1_t etc_t:lnk_file read;
-')
-
-#
-# Allow newrole to obtain contexts to relabel TTYs
-#
-can_getsecurity($1_t)
-
-allow $1_t fs_t:filesystem getattr;
-
-# for some PAM modules and for cwd
-dontaudit $1_t { home_root_t home_type }:dir search;
-
-allow $1_t proc_t:dir search;
-allow $1_t proc_t:file { getattr read };
-
-# for when the network connection is killed
-dontaudit unpriv_userdomain $1_t:process signal;
-')
diff --git a/strict/macros/program/orbit_macros.te b/strict/macros/program/orbit_macros.te
deleted file mode 100644
index b2dd5d1..0000000
--- a/strict/macros/program/orbit_macros.te
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# ORBit related types 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# orbit_domain(prefix, role_prefix) - create ORBit sockets
-# orbit_connect(type1_prefix, type2_prefix) 
-#	- allow communication through ORBit sockets from type1 to type2 
-
-define(`orbit_domain', `
-
-# Protect against double inclusion for speed and correctness
-ifdef(`orbit_domain_$1_$2', `', `
-define(`orbit_domain_$1_$2')
-
-# Relabel directory (startup script)
-allow $1_t $1_orbit_tmp_t:{ dir file } { relabelfrom relabelto };
-
-# Type for ORBit sockets
-type $1_orbit_tmp_t, file_type, $2_file_type, sysadmfile, tmpfile;
-file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t)
-allow $1_t tmp_t:dir { read search getattr };
-
-# Create the sockets
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_t self:unix_dgram_socket create_socket_perms;
-
-# Use random device(s)
-allow $1_t { random_device_t urandom_device_t }:chr_file { read getattr ioctl };
-
-# Why do they do that?
-dontaudit $1_t $2_orbit_tmp_t:dir setattr;
-
-') dnl ifdef orbit_domain_args
-') dnl orbit_domain
-
-##########################
-
-define(`orbit_connect', `
-
-can_unix_connect($1_t, $2_t)
-allow $1_t $2_orbit_tmp_t:sock_file write;
-
-') dnl orbit_connect
diff --git a/strict/macros/program/pyzor_macros.te b/strict/macros/program/pyzor_macros.te
deleted file mode 100644
index af67d30..0000000
--- a/strict/macros/program/pyzor_macros.te
+++ /dev/null
@@ -1,69 +0,0 @@
-#
-# Pyzor - Pyzor is a collaborative, networked system to detect and
-#         block spam using identifying digests of messages.
-#
-# Author:  David Hampton <hampton@employees.org>
-#
-
-##########
-# common definitions for pyzord and all flavors of pyzor
-##########
-define(`pyzor_base_domain',`
-
-# Networking
-can_network_client_tcp($1_t, http_port_t);
-can_network_udp($1_t, pyzor_port_t);
-can_resolve($1_t);
-
-general_proc_read_access($1_t)
-
-tmp_domain($1)
-
-allow $1_t bin_t:dir { getattr search };
-allow $1_t bin_t:file getattr;
-allow $1_t lib_t:file { getattr read };
-allow $1_t { var_t var_lib_t var_run_t }:dir search;
-uses_shlib($1_t)
-
-# Python does a getattr on this file
-allow $1_t pyzor_exec_t:file getattr;
-
-# mktemp and other randoms
-allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;
-
-# Allow access to various files in the /etc/directory including mtab
-# and nsswitch
-allow $1_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale($1_t)
-')
-
-
-#
-# Define a user domain for a pyzor
-#
-# Note: expects to be called with an argument of user, sysadm
-
-define(`pyzor_domain',`
-type $1_pyzor_t, domain, privlog, nscd_client_domain;
-role $1_r types $1_pyzor_t;
-domain_auto_trans($1_t, pyzor_exec_t, $1_pyzor_t)
-
-pyzor_base_domain($1_pyzor)
-
-# Per-user config/data files
-home_domain($1, pyzor)
-file_type_auto_trans($1_pyzor_t, $1_home_dir_t, $1_pyzor_home_t, dir)
-
-# System config files
-r_dir_file($1_pyzor_t, pyzor_etc_t)
-
-# System data files
-r_dir_file($1_pyzor_t, pyzor_var_lib_t);
-
-allow $1_pyzor_t self:unix_stream_socket create_stream_socket_perms;
-
-# Allow pyzor to be run by hand.  Needed by any action other than
-# invocation from a spam filter.
-can_access_pty($1_pyzor_t, $1)
-allow $1_pyzor_t sshd_t:fd use;
-')
diff --git a/strict/macros/program/razor_macros.te b/strict/macros/program/razor_macros.te
deleted file mode 100644
index e4c7c55..0000000
--- a/strict/macros/program/razor_macros.te
+++ /dev/null
@@ -1,75 +0,0 @@
-#
-# Razor - Razor is a collaborative, networked system to detect and
-#         block spam using identifying digests of messages.
-#
-# Author:  David Hampton <hampton@employees.org>
-#
-
-##########
-# common definitions for razord and all flavors of razor
-##########
-define(`razor_base_domain',`
-
-# Razor is one executable and several symlinks
-allow $1_t razor_exec_t:{ file lnk_file } { getattr read };
-
-# Networking
-can_network_client_tcp($1_t, razor_port_t)
-can_resolve($1_t);
-
-general_proc_read_access($1_t)
-
-# Read system config file
-r_dir_file($1_t, razor_etc_t)
-
-# Update razor common files
-file_type_auto_trans($1_t, var_log_t, razor_log_t, file)
-create_dir_file($1_t, razor_log_t)
-allow $1_t var_lib_t:dir search;
-create_dir_file($1_t, razor_var_lib_t)
-
-allow $1_t bin_t:dir { getattr search };
-allow $1_t bin_t:file getattr;
-allow $1_t lib_t:file { getattr read };
-allow $1_t { var_t var_run_t }:dir search;
-uses_shlib($1_t)
-
-# Razor forks other programs to do part of its work.
-general_domain_access($1_t)
-can_exec($1_t, bin_t)
-
-# mktemp and other randoms
-allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;
-
-# Allow access to various files in the /etc/directory including mtab
-# and nsswitch
-allow $1_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale($1_t)
-')
-
-
-#
-# Define a user domain for a razor
-#
-# Note: expects to be called with an argument of user, sysadm
-
-define(`razor_domain',`
-type $1_razor_t, domain, privlog, nscd_client_domain;
-role $1_r types $1_razor_t;
-domain_auto_trans($1_t, razor_exec_t, $1_razor_t)
-
-razor_base_domain($1_razor)
-
-# Per-user config/data files
-home_domain($1, razor)
-file_type_auto_trans($1_razor_t, $1_home_dir_t, $1_razor_home_t, dir)
-
-tmp_domain($1_razor)
-
-allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;
-
-# Allow razor to be run by hand.  Needed by any action other than
-# invocation from a spam filter.
-can_access_pty($1_razor_t, $1)
-allow $1_razor_t sshd_t:fd use;
-')
diff --git a/strict/macros/program/resmgrd_macros.te b/strict/macros/program/resmgrd_macros.te
deleted file mode 100644
index ec0ac60..0000000
--- a/strict/macros/program/resmgrd_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# Macro for resmgrd
-
-define(`can_resmgrd_connect', `
-ifdef(`resmgrd.te', ` 
-allow $1 resmgrd_t:unix_stream_socket connectto;
-allow $1 { var_t var_run_t }:dir search;
-allow $1 resmgrd_var_run_t:sock_file write;
-allow $1 resmgrd_t:fd use;
-')
-')
-
diff --git a/strict/macros/program/rhgb_macros.te b/strict/macros/program/rhgb_macros.te
deleted file mode 100644
index 9700fba..0000000
--- a/strict/macros/program/rhgb_macros.te
+++ /dev/null
@@ -1,8 +0,0 @@
-
-define(`rhgb_domain', `
-ifdef(`rhgb.te', `
-allow $1 rhgb_t:process sigchld;
-allow $1 rhgb_t:fd use;
-allow $1 rhgb_t:fifo_file { read write };
-')dnl end ifdef
-')
diff --git a/strict/macros/program/rssh_macros.te b/strict/macros/program/rssh_macros.te
deleted file mode 100644
index 33fbdb5..0000000
--- a/strict/macros/program/rssh_macros.te
+++ /dev/null
@@ -1,58 +0,0 @@
-#
-# Macros for Rssh domains
-#
-# Author: Colin Walters <walters@verbum.org>
-#
-
-#
-# rssh_domain(domain_prefix)
-#
-# Define a specific rssh domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/rssh.te. 
-#
-undefine(`rssh_domain')
-ifdef(`rssh.te', `
-define(`rssh_domain',`
-type rssh_$1_t, domain, userdomain, privlog, privfd;
-role rssh_$1_r types rssh_$1_t;
-allow system_r rssh_$1_r;
-
-type rssh_$1_rw_t, file_type, sysadmfile, $1_file_type;
-type rssh_$1_ro_t, file_type, sysadmfile, $1_file_type;
-
-general_domain_access(rssh_$1_t);
-uses_shlib(rssh_$1_t);
-base_file_read_access(rssh_$1_t);
-allow rssh_$1_t var_t:dir r_dir_perms;
-r_dir_file(rssh_$1_t, etc_t);
-allow rssh_$1_t etc_runtime_t:file { getattr read };
-r_dir_file(rssh_$1_t, locale_t);
-can_exec(rssh_$1_t, bin_t);
-
-allow rssh_$1_t proc_t:dir { getattr search };
-allow rssh_$1_t proc_t:lnk_file { getattr read };
-
-r_dir_file(rssh_$1_t, rssh_$1_ro_t);
-create_dir_file(rssh_$1_t, rssh_$1_rw_t);
-
-can_create_pty(rssh_$1, `, userpty_type, user_tty_type')
-# Use the type when relabeling pty devices.
-type_change rssh_$1_t server_pty:chr_file rssh_$1_devpts_t;
-
-ifdef(`ssh.te',`
-allow rssh_$1_t sshd_t:fd use;
-allow rssh_$1_t sshd_t:tcp_socket rw_stream_socket_perms;
-allow rssh_$1_t sshd_t:unix_stream_socket rw_stream_socket_perms;
-# For reading /home/user/.ssh
-r_dir_file(sshd_t, rssh_$1_ro_t);
-domain_trans(sshd_t, rssh_exec_t, rssh_$1_t);
-')
-')
-
-', `
-
-define(`rssh_domain',`')
-
-')
diff --git a/strict/macros/program/run_program_macros.te b/strict/macros/program/run_program_macros.te
deleted file mode 100644
index c98bbee..0000000
--- a/strict/macros/program/run_program_macros.te
+++ /dev/null
@@ -1,73 +0,0 @@
-
-# $1 is the source domain (or domains), $2 is the source role (or roles) and $3
-# is the base name for the domain to run.  $1 is normally sysadm_t, and $2 is
-# normally sysadm_r.  $4 is the type of program to run and $5 is the domain to
-# transition to.
-# sample usage:
-# run_program(sysadm_t, sysadm_r, init, etc_t, initrc_t)
-#
-# if you have several users who run the same run_init type program for
-# different purposes (think of a run_db program used by several database
-# administrators to start several databases) then you can list all the source
-# domains in $1, all the source roles in $2, but you may not want to list all
-# types of programs to run in $4 and target domains in $5 (as that may permit
-# entering a domain from the wrong type).  In such a situation just specify
-# one value for each of $4 and $5 and have some rules such as the following:
-# domain_trans(run_whatever_t, whatever_exec_t, whatever_t)
-
-define(`run_program', `
-type run_$3_exec_t, file_type, exec_type, sysadmfile;
-
-# domain for program to run in, needs to change role (priv_system_role), change
-# identity to system_u (privuser), log failures to syslog (privlog) and
-# authenticate users
-type run_$3_t, domain, priv_system_role, privuser, privlog;
-domain_auto_trans($1, run_$3_exec_t, run_$3_t)
-role $2 types run_$3_t;
-
-domain_auto_trans(run_$3_t, chkpwd_exec_t, sysadm_chkpwd_t)
-dontaudit run_$3_t shadow_t:file getattr;
-
-# for utmp
-allow run_$3_t initrc_var_run_t:file rw_file_perms;
-allow run_$3_t admin_tty_type:chr_file rw_file_perms;
-
-dontaudit run_$3_t devpts_t:dir { getattr read };
-dontaudit run_$3_t device_t:dir read;
-
-# for auth_chkpwd
-dontaudit run_$3_t shadow_t:file read;
-allow run_$3_t self:process { fork sigchld };
-allow run_$3_t self:fifo_file rw_file_perms;
-allow run_$3_t self:capability setuid;
-allow run_$3_t self:lnk_file read;
-
-# often the administrator runs such programs from a directory that is owned
-# by a different user or has restrictive SE permissions, do not want to audit
-# the failed access to the current directory
-dontaudit run_$3_t file_type:dir search;
-dontaudit run_$3_t self:capability { dac_override dac_read_search };
-
-allow run_$3_t bin_t:lnk_file read;
-can_exec(run_$3_t, { bin_t shell_exec_t })
-ifdef(`chkpwd.te', `
-can_exec(run_$3_t, chkpwd_exec_t)
-')
-
-domain_trans(run_$3_t, $4, $5)
-can_setexec(run_$3_t)
-
-allow run_$3_t privfd:fd use;
-uses_shlib(run_$3_t)
-allow run_$3_t lib_t:file { getattr read };
-can_getsecurity(run_$3_t)
-r_dir_file(run_$3_t,selinux_config_t)
-r_dir_file(run_$3_t,default_context_t)
-allow run_$3_t self:unix_stream_socket create_socket_perms;
-allow run_$3_t self:unix_dgram_socket create_socket_perms;
-allow run_$3_t etc_t:file { getattr read };
-read_locale(run_$3_t)
-allow run_$3_t fs_t:filesystem getattr;
-allow run_$3_t { bin_t sbin_t }:dir search;
-dontaudit run_$3_t device_t:dir { getattr search };
-')
diff --git a/strict/macros/program/samba_macros.te b/strict/macros/program/samba_macros.te
deleted file mode 100644
index d766784..0000000
--- a/strict/macros/program/samba_macros.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#
-# Macros for samba domains.
-#
-
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com>
-#
-
-# 
-# samba_domain(domain_prefix)
-#
-# Define a derived domain for the samba program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/samba.te. 
-#
-undefine(`samba_domain')
-ifdef(`samba.te', `
-define(`samba_domain',`
-if ( samba_enable_home_dirs ) {
-allow smbd_t home_root_t:dir r_dir_perms;
-file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t)
-dontaudit smbd_t $1_file_type:dir_file_class_set getattr;
-}
-')
-', `
-define(`samba_domain',`')
-
-')dnl end if samba.te
diff --git a/strict/macros/program/screen_macros.te b/strict/macros/program/screen_macros.te
deleted file mode 100644
index e81a90a..0000000
--- a/strict/macros/program/screen_macros.te
+++ /dev/null
@@ -1,113 +0,0 @@
-#
-# Macros for screen domains.
-#
-
-#
-# Author: Russell Coker <russell@coker.com.au>
-# Based on the work of Stephen Smalley <sds@epoch.ncsc.mil>
-# and Timothy Fraser
-#
-
-#
-# screen_domain(domain_prefix)
-#
-# Define a derived domain for the screen program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/screen.te. 
-#
-undefine(`screen_domain')
-ifdef(`screen.te', `
-define(`screen_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_screen_t, domain, privlog, privfd, nscd_client_domain;
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, screen_exec_t, $1_screen_t)
-
-tmp_domain($1_screen, `', `{ dir file fifo_file }')
-base_file_read_access($1_screen_t)
-# The user role is authorized for this domain.
-role $1_r types $1_screen_t;
-
-uses_shlib($1_screen_t)
-
-# for SSP
-allow $1_screen_t urandom_device_t:chr_file read;
-
-# Revert to the user domain when a shell is executed.
-domain_auto_trans($1_screen_t, { shell_exec_t bin_t }, $1_t)
-domain_auto_trans($1_screen_t, $1_home_t, $1_t)
-if (use_nfs_home_dirs) {
-domain_auto_trans($1_screen_t, nfs_t, $1_t)
-}
-if (use_samba_home_dirs) {
-domain_auto_trans($1_screen_t, cifs_t, $1_t)
-}
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;')
-
-home_domain_ro($1, screen)
-
-allow $1_screen_t privfd:fd use;
-
-# Write to utmp.
-allow $1_screen_t initrc_var_run_t:file rw_file_perms;
-ifdef(`utempter.te', `
-dontaudit $1_screen_t utempter_exec_t:file execute;
-')
-
-# create pty devices
-can_create_other_pty($1_screen, $1)
-allow $1_screen_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_screen_t device_t:dir { getattr read };
-
-allow $1_screen_t fs_t:filesystem getattr;
-
-# Create fifo
-allow $1_screen_t var_t:dir search;
-file_type_auto_trans($1_screen_t, var_run_t, screen_dir_t, dir)
-type $1_screen_var_run_t, file_type, sysadmfile, pidfile;
-file_type_auto_trans($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file)
-
-allow $1_screen_t self:process { fork signal_perms };
-allow $1_t $1_screen_t:process signal;
-allow $1_screen_t $1_t:process signal;
-allow $1_screen_t self:capability { setuid setgid fsetid };
-
-dontaudit $1_screen_t shadow_t:file read;
-
-allow $1_screen_t tmp_t:dir search;
-can_network($1_screen_t)
-allow $1_screen_t port_type:tcp_socket name_connect;
-can_ypbind($1_screen_t)
-
-# get stats
-allow $1_screen_t proc_t:dir search;
-allow $1_screen_t proc_t:file { getattr read };
-allow $1_screen_t proc_t:lnk_file read;
-allow $1_screen_t etc_t:{ file lnk_file } { read getattr };
-allow $1_screen_t self:dir { search read };
-allow $1_screen_t self:lnk_file read;
-allow $1_screen_t device_t:dir search;
-allow $1_screen_t { home_root_t $1_home_dir_t }:dir search;
-
-# Internal screen networking
-allow $1_screen_t self:fd use;
-allow $1_screen_t self:unix_stream_socket create_socket_perms;
-allow $1_screen_t self:unix_dgram_socket create_socket_perms;
-
-allow $1_screen_t bin_t:dir search;
-allow $1_screen_t bin_t:lnk_file read;
-read_locale($1_screen_t)
-
-dontaudit $1_screen_t file_type:{ chr_file blk_file } getattr;
-')dnl end screen_domain
-
-', `
-
-define(`screen_domain',`')
-
-')
diff --git a/strict/macros/program/sendmail_macros.te b/strict/macros/program/sendmail_macros.te
deleted file mode 100644
index 540e0a2..0000000
--- a/strict/macros/program/sendmail_macros.te
+++ /dev/null
@@ -1,56 +0,0 @@
-#
-# Macros for sendmail domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
-#           Russell Coker <russell@coker.com.au>
-#
-
-#
-# sendmail_user_domain(domain_prefix)
-#
-# Define a derived domain for the sendmail program when executed by
-# a user domain to send outgoing mail.  These domains are separate and
-# independent of the domain used for the sendmail daemon process.
-#
-undefine(`sendmail_user_domain')
-define(`sendmail_user_domain', `
-
-# Use capabilities
-allow $1_mail_t self:capability net_bind_service;
-
-tmp_domain($1_mail)
-
-# Write to /var/spool/mail and /var/spool/mqueue.
-allow $1_mail_t mail_spool_t:dir rw_dir_perms;
-allow $1_mail_t mail_spool_t:file create_file_perms;
-allow $1_mail_t mqueue_spool_t:dir rw_dir_perms;
-allow $1_mail_t mqueue_spool_t:file create_file_perms;
-
-# Write to /var/log/sendmail.st
-file_type_auto_trans($1_mail_t, var_log_t, sendmail_log_t)
-
-allow $1_mail_t etc_mail_t:dir { getattr search };
-
-allow $1_mail_t { var_t var_spool_t }:dir getattr;
-
-allow $1_mail_t etc_runtime_t:file { getattr read };
-
-# Check available space.
-allow $1_mail_t fs_t:filesystem getattr;
-
-allow $1_mail_t sysctl_kernel_t:dir search;
-
-ifelse(`$1', `sysadm', `
-allow $1_mail_t proc_t:dir { getattr search };
-allow $1_mail_t proc_t:{ lnk_file file } { getattr read };
-dontaudit $1_mail_t proc_net_t:dir search;
-allow $1_mail_t sysctl_kernel_t:file { getattr read };
-allow $1_mail_t etc_runtime_t:file { getattr read };
-', `
-dontaudit $1_mail_t proc_t:dir search;
-dontaudit $1_mail_t sysctl_kernel_t:file read;
-')dnl end if sysadm
-')
-
diff --git a/strict/macros/program/slocate_macros.te b/strict/macros/program/slocate_macros.te
deleted file mode 100644
index 115022b..0000000
--- a/strict/macros/program/slocate_macros.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#
-# Macros for locate domains.
-#
-
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#
-# locate_domain(domain_prefix)
-#
-# Define a derived domain for the locate program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/locate.te. 
-#
-undefine(`locate_domain')
-ifdef(`slocate.te', `
-define(`locate_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_locate_t, domain;
-
-allow $1_locate_t self:process signal;
-
-allow $1_locate_t etc_t:file { getattr read };
-allow $1_locate_t self:unix_stream_socket create_socket_perms;
-r_dir_file($1_locate_t,locate_var_lib_t)
-allow $1_locate_t var_lib_t:dir search;
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, locate_exec_t, $1_locate_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_locate_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `
-allow $1_locate_t $1_gph_t:fd use;
-')
-
-allow $1_locate_t privfd:fd use;
-
-# allow ps to show locate
-can_ps($1_t, $1_locate_t)
-allow $1_t $1_locate_t:process signal;
-
-uses_shlib($1_locate_t)
-access_terminal($1_locate_t, $1)
-
-allow $1_locate_t { home_root_t $1_home_dir_t $1_file_type }:dir { getattr search };
-allow $1_locate_t $1_file_type:{ file lnk_file } { getattr read };
-
-base_file_read_access($1_locate_t)
-r_dir_file($1_locate_t, { etc_t lib_t var_t })
-dontaudit $1_locate_t { fs_type file_type }:dir r_dir_perms;
-dontaudit $1_locate_t { fs_type file_type -shadow_t}:file { getattr read };
-')
-
-', `
-
-define(`locate_domain',`')
-
-')
diff --git a/strict/macros/program/spamassassin_macros.te b/strict/macros/program/spamassassin_macros.te
deleted file mode 100644
index c85cfc7..0000000
--- a/strict/macros/program/spamassassin_macros.te
+++ /dev/null
@@ -1,128 +0,0 @@
-#
-# Macros for spamassassin domains.
-#
-# Author: Colin Walters <walters@verbum.org>
-
-# spamassassin_domain(domain_prefix)
-#
-# Define derived domains for various spamassassin tools when executed
-# by a user domain.
-#
-# The type declarations for the executable types of these programs are
-# provided separately in domains/program/spamassassin.te and
-# domains/program/spamc.te.
-#
-undefine(`spamassassin_domain')
-ifdef(`spamassassin.te', `define(`using_spamassassin', `')')
-ifdef(`spamd.te', `define(`using_spamassassin', `')')
-ifdef(`spamc.te', `define(`using_spamassassin', `')')
-
-ifdef(`using_spamassassin',`
-
-#######
-# Macros used internally in these spamassassin macros.
-#
-
-###
-# Define a domain for a spamassassin-like program (spamc/spamassassin).
-#
-# Note: most of this should really be in a generic macro like
-# base_user_program($1, foo)
-define(`spamassassin_program_domain',`
-type $1_$2_t, domain, privlog $3;
-domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
-
-role $1_r types $1_$2_t;
-general_domain_access($1_$2_t)
-
-base_file_read_access($1_$2_t)
-r_dir_file($1_$2_t, etc_t)
-ifdef(`sendmail.te', `
-r_dir_file($1_$2_t, etc_mail_t)
-')
-allow $1_$2_t etc_runtime_t:file r_file_perms;
-uses_shlib($1_$2_t)
-read_locale($1_$2_t)
-dontaudit $1_$2_t var_t:dir search;
-tmp_domain($1_$2)
-allow $1_$2_t privfd:fd use;
-allow $1_$2_t userpty_type:chr_file rw_file_perms;
-') dnl end spamassassin_program_domain
-
-###
-# Give privileges to a domain for accessing ~/.spamassassin
-# and a few other misc things like /dev/random.
-# This is granted to /usr/bin/spamassassin and
-# /usr/sbin/spamd, but NOT spamc (because it does not need it).
-#
-define(`spamassassin_agent_privs',`
-allow $1 home_root_t:dir r_dir_perms;
-file_type_auto_trans($1, $2_home_dir_t, $2_spamassassin_home_t)
-create_dir_file($1, $2_spamassassin_home_t)
-
-allow $1 urandom_device_t:chr_file r_file_perms;
-')
-
-#######
-# Define the main spamassassin macro.  This itself creates a
-# domain for /usr/bin/spamassassin, and also spamc/spamd if
-# applicable.
-#
-define(`spamassassin_domain',`
-spamassassin_program_domain($1, spamassassin)
-
-# For perl libraries.
-allow $1_spamassassin_t lib_t:file rx_file_perms;
-# Ignore perl digging in /proc and /var.
-dontaudit $1_spamassassin_t proc_t:dir search;
-dontaudit $1_spamassassin_t proc_t:lnk_file read;
-dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search;
-
-# For ~/.spamassassin
-home_domain($1, spamassassin)
-file_type_auto_trans($1_spamassassin_t, $1_home_dir_t, $1_spamassassin_home_t, dir)
-
-spamassassin_agent_privs($1_spamassassin_t, $1)
-
-can_resolve($1_spamassassin_t)
-# set tunable if you have spamassassin do DNS lookups
-if (spamassasin_can_network) {
-can_network($1_spamassassin_t)
-allow $1_spamassassin_t port_type:tcp_socket name_connect;
-}
-if (spamassasin_can_network && allow_ypbind) {
-uncond_can_ypbind($1_spamassassin_t)
-}
-###
-# Define the domain for /usr/bin/spamc
-#
-ifdef(`spamc.te',`
-spamassassin_program_domain($1, spamc, `, nscd_client_domain')
-can_network($1_spamc_t)
-allow $1_spamc_t port_type:tcp_socket name_connect;
-can_ypbind($1_spamc_t)
-
-# Allow connecting to a local spamd
-ifdef(`spamd.te',`
-can_tcp_connect($1_spamc_t, spamd_t)
-can_unix_connect($1_spamc_t, spamd_t)
-allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms;
-') dnl endif spamd.te
-') dnl endif spamc.te
-
-###
-# Define the domain for /usr/sbin/spamd
-#
-ifdef(`spamd.te',`
-
-spamassassin_agent_privs(spamd_t, $1)
-
-') dnl endif spamd.te
-
-') dnl end spamassassin_domain
-
-', `
-
-define(`spamassassin_domain',`')
-
-')
diff --git a/strict/macros/program/ssh_agent_macros.te b/strict/macros/program/ssh_agent_macros.te
deleted file mode 100644
index 7215f5c..0000000
--- a/strict/macros/program/ssh_agent_macros.te
+++ /dev/null
@@ -1,117 +0,0 @@
-#
-# Macros for ssh agent
-#
-
-#
-# Author:  Thomas Bleher <ThomasBleher@gmx.de>
-#
-
-# 
-# ssh_agent_domain(domain_prefix)
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/ssh-agent.te. 
-#
-define(`ssh_agent_domain',`
-# Define a derived domain for the ssh-agent program when executed
-# by a user domain.
-# Derived domain based on the calling user domain and the program.
-type $1_ssh_agent_t, domain, privlog;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, ssh_agent_exec_t, $1_ssh_agent_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_ssh_agent_t;
-
-allow $1_ssh_agent_t privfd:fd use;
-
-# Write to the user domain tty.
-access_terminal($1_ssh_agent_t, $1)
-
-# Allow the user shell to signal the ssh program.
-allow $1_t $1_ssh_agent_t:process signal;
-# allow ps to show ssh
-can_ps($1_t, $1_ssh_agent_t)
-
-can_ypbind($1_ssh_agent_t)
-if (use_nfs_home_dirs) {
-allow $1_ssh_agent_t autofs_t:dir { search getattr };
-rw_dir_create_file($1_ssh_agent_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-rw_dir_create_file($1_ssh_agent_t, cifs_t)
-}
-
-uses_shlib($1_ssh_agent_t)
-read_locale($1_ssh_agent_t)
-
-allow $1_ssh_agent_t proc_t:dir search;
-dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
-dontaudit $1_ssh_agent_t selinux_config_t:dir search;
-dontaudit $1_ssh_agent_t selinux_config_t:file { read getattr };
-read_sysctl($1_ssh_agent_t)
-
-# Access the ssh temporary files. Should we have an own type here
-# to which only ssh, ssh-agent and ssh-add have access?
-allow $1_ssh_agent_t $1_tmp_t:dir r_dir_perms;
-file_type_auto_trans($1_ssh_agent_t, tmp_t, $1_tmp_t)
-allow $1_ssh_agent_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_ssh_agent_t self:unix_dgram_socket create_socket_perms;
-
-allow $1_ssh_agent_t self:process { fork sigchld setrlimit };
-allow $1_ssh_agent_t self:capability setgid;
-
-# access the random devices
-allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file { getattr read };
-
-# for ssh-add
-can_unix_connect($1_t, $1_ssh_agent_t)
-
-# transition back to normal privs upon exec
-domain_auto_trans($1_ssh_agent_t, { bin_t shell_exec_t $1_home_t }, $1_t)
-if (use_nfs_home_dirs) {
-domain_auto_trans($1_ssh_agent_t, nfs_t, $1_t)
-}
-if (use_samba_home_dirs) {
-domain_auto_trans($1_ssh_agent_t, cifs_t, $1_t)
-}
-allow $1_ssh_agent_t bin_t:dir search;
-
-# allow reading of /usr/bin/X11 (is a symlink)
-allow $1_ssh_agent_t bin_t:lnk_file read;
-
-allow $1_ssh_agent_t { $1_ssh_agent_t $1_t }:process signull;
-
-allow $1_ssh_agent_t { home_root_t $1_home_dir_t }:dir search;
-
-allow $1_ssh_t $1_tmp_t:sock_file write;
-allow $1_ssh_t $1_t:unix_stream_socket connectto;
-allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_ssh_agent_t)
-
-# kdm: sigchld
-allow $1_ssh_agent_t xdm_t:process sigchld;
-')
-
-#
-# Allow command to ssh-agent > ~/.ssh_agent
-#
-allow $1_ssh_agent_t $1_home_t:file rw_file_perms;
-allow $1_ssh_agent_t $1_tmp_t:file rw_file_perms;
-
-allow $1_ssh_agent_t etc_runtime_t:file { getattr read };
-allow $1_ssh_agent_t etc_t:file { getattr read };
-allow $1_ssh_agent_t lib_t:file { getattr read };
-
-allow $1_ssh_agent_t self:dir search;
-allow $1_ssh_agent_t self:file { getattr read };
-
-# Allow the ssh program to communicate with ssh-agent.
-allow $1_ssh_t $1_tmp_t:sock_file write;
-allow $1_ssh_t $1_t:unix_stream_socket connectto;
-allow $1_ssh_t sshd_t:unix_stream_socket connectto;
-')dnl end if ssh_agent
-
diff --git a/strict/macros/program/ssh_macros.te b/strict/macros/program/ssh_macros.te
deleted file mode 100644
index 0f6549f..0000000
--- a/strict/macros/program/ssh_macros.te
+++ /dev/null
@@ -1,168 +0,0 @@
-#
-# Macros for ssh domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>
-#           Russell Coker <russell@coker.com.au>
-#           Thomas Bleher <ThomasBleher@gmx.de>
-#
-
-# 
-# ssh_domain(domain_prefix)
-#
-# Define a derived domain for the ssh program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/ssh.te. 
-#
-undefine(`ssh_domain')
-ifdef(`ssh.te', `
-define(`ssh_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_ssh_t, domain, privlog, nscd_client_domain;
-type $1_home_ssh_t, file_type, $1_file_type, sysadmfile;
-
-allow $1_ssh_t autofs_t:dir { search getattr };
-if (use_nfs_home_dirs) {
-create_dir_file($1_ssh_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1_ssh_t, cifs_t)
-}
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_ssh_t;
-
-# Grant permissions within the domain.
-general_domain_access($1_ssh_t)
-
-# Use descriptors created by sshd
-allow $1_ssh_t privfd:fd use;
-
-uses_shlib($1_ssh_t)
-read_locale($1_ssh_t)
-
-# Get attributes of file systems.
-allow $1_ssh_t fs_type:filesystem getattr;
-
-base_file_read_access($1_ssh_t)
-
-# Read /var.
-r_dir_file($1_ssh_t, var_t)
-
-# Read /var/run, /var/log.
-allow $1_ssh_t var_run_t:dir r_dir_perms;
-allow $1_ssh_t var_run_t:{ file lnk_file } r_file_perms;
-allow $1_ssh_t var_log_t:dir r_dir_perms;
-allow $1_ssh_t var_log_t:{ file lnk_file } r_file_perms;
-
-# Read /etc.
-r_dir_file($1_ssh_t, etc_t)
-allow $1_ssh_t etc_runtime_t:{ file lnk_file } r_file_perms;
-
-# Read /dev directories and any symbolic links.
-allow $1_ssh_t device_t:dir r_dir_perms;
-allow $1_ssh_t device_t:lnk_file r_file_perms;
-
-# Read /dev/urandom.
-allow $1_ssh_t urandom_device_t:chr_file r_file_perms;
-
-# Read and write /dev/null.
-allow $1_ssh_t { null_device_t zero_device_t }:chr_file rw_file_perms;
-
-# Grant permissions needed to create TCP and UDP sockets and
-# to access the network.
-can_network_client_tcp($1_ssh_t)
-allow $1_ssh_t ssh_port_t:tcp_socket name_connect;
-can_resolve($1_ssh_t)
-can_ypbind($1_ssh_t)
-can_kerberos($1_ssh_t)
-
-# for port forwarding
-if (user_tcp_server) {
-allow $1_ssh_t port_t:tcp_socket name_bind;
-}
-
-# Use capabilities.
-allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
-
-# run helper programs - needed eg for x11-ssh-askpass
-can_exec($1_ssh_t, { shell_exec_t bin_t })
-
-# Read the ssh key file.
-allow $1_ssh_t sshd_key_t:file r_file_perms;
-
-# Access the ssh temporary files.
-file_type_auto_trans($1_ssh_t, tmp_t, sshd_tmp_t)
-allow $1_ssh_t $1_tmp_t:dir r_dir_perms;
-
-# for rsync
-allow $1_ssh_t $1_t:unix_stream_socket rw_socket_perms;
-
-# Access the users .ssh directory.
-file_type_auto_trans({ sysadm_ssh_t $1_ssh_t }, $1_home_dir_t, $1_home_ssh_t, dir)
-file_type_auto_trans($1_ssh_t, $1_home_dir_t, $1_home_ssh_t, sock_file)
-allow $1_t $1_home_ssh_t:sock_file create_file_perms;
-allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:file create_file_perms;
-allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:lnk_file { getattr read };
-dontaudit $1_ssh_t $1_home_t:dir { getattr search };
-r_dir_file({ sshd_t sshd_extern_t }, $1_home_ssh_t)
-rw_dir_create_file($1_t, $1_home_ssh_t)
-
-# for /bin/sh used to execute xauth
-dontaudit $1_ssh_t proc_t:dir search;
-dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;')
-
-# Write to the user domain tty.
-access_terminal($1_ssh_t, $1)
-
-# Allow the user shell to signal the ssh program.
-allow $1_t $1_ssh_t:process signal;
-# allow ps to show ssh
-can_ps($1_t, $1_ssh_t)
-
-# Connect to X server
-x_client_domain($1_ssh, $1)
-
-ifdef(`ssh-agent.te', `
-ssh_agent_domain($1)
-')dnl end if ssh_agent.te
-
-#allow ssh to access keys stored on removable media
-# Should we have a boolean around this?
-allow $1_ssh_t mnt_t:dir search;
-r_dir_file($1_ssh_t, removable_t) 
-
-type $1_ssh_keysign_t, domain, nscd_client_domain;
-role $1_r types $1_ssh_keysign_t;
-
-if (allow_ssh_keysign) {
-domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
-allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
-allow $1_ssh_keysign_t self:capability { setgid setuid };
-allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms;
-uses_shlib($1_ssh_keysign_t)
-dontaudit $1_ssh_keysign_t selinux_config_t:dir search;
-dontaudit $1_ssh_keysign_t proc_t:dir search;
-dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read };
-allow $1_ssh_keysign_t usr_t:dir search;
-allow $1_ssh_keysign_t etc_t:file { getattr read };
-allow $1_ssh_keysign_t self:dir search;
-allow $1_ssh_keysign_t self:file { getattr read };
-allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
-}
-
-')dnl end macro definition
-', `
-
-define(`ssh_domain',`')
-
-')dnl end if ssh.te
diff --git a/strict/macros/program/su_macros.te b/strict/macros/program/su_macros.te
deleted file mode 100644
index 206f58e..0000000
--- a/strict/macros/program/su_macros.te
+++ /dev/null
@@ -1,188 +0,0 @@
-#
-# Macros for su domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
-#
-
-#
-# su_domain(domain_prefix)
-#
-# Define a derived domain for the su program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/su.te. 
-#
-
-undefine(`su_restricted_domain')
-undefine(`su_mini_domain')
-undefine(`su_domain')
-ifdef(`su.te', `
-
-define(`su_restricted_domain', `
-# Derived domain based on the calling user domain and the program.
-type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain;
-ifdef(`support_polyinstantiation', `
-typeattribute $1_su_t mlsfileread;
-typeattribute $1_su_t mlsfilewrite;
-typeattribute $1_su_t mlsfileupgrade;
-typeattribute $1_su_t mlsfiledowngrade;
-typeattribute $1_su_t mlsprocsetsl;
-')
-
-# for SSP
-allow $1_su_t urandom_device_t:chr_file { getattr read };
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, su_exec_t, $1_su_t)
-
-allow $1_su_t sbin_t:dir search;
-
-uses_shlib($1_su_t)
-allow $1_su_t etc_t:file { getattr read };
-read_locale($1_su_t)
-read_sysctl($1_su_t)
-allow $1_su_t self:unix_dgram_socket { connect create write };
-allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_su_t self:fifo_file rw_file_perms;
-allow $1_su_t proc_t:dir search;
-allow $1_su_t proc_t:lnk_file read;
-r_dir_file($1_su_t, self)
-allow $1_su_t proc_t:file read;
-allow $1_su_t self:process { setsched setrlimit };
-allow $1_su_t device_t:dir search;
-allow $1_su_t self:process { fork sigchld };
-nsswitch_domain($1_su_t)
-r_dir_file($1_su_t, selinux_config_t)
-
-dontaudit $1_su_t shadow_t:file { getattr read };
-dontaudit $1_su_t home_root_t:dir search;
-dontaudit $1_su_t init_t:fd use;
-allow $1_su_t var_lib_t:dir search;
-allow $1_t $1_su_t:process signal;
-
-ifdef(`crond.te', `
-allow $1_su_t crond_t:fifo_file read;
-')
-
-# Use capabilities.
-allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control audit_write };
-dontaudit $1_su_t self:capability sys_tty_config;
-#
-# Caused by su - init scripts
-#
-dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
-
-# By default, revert to the calling domain when a shell is executed.
-domain_auto_trans($1_su_t, shell_exec_t, $1_t)
-allow $1_su_t bin_t:dir search;
-allow $1_su_t bin_t:lnk_file read;
-
-# But also allow transitions to unprivileged user domains.
-domain_trans($1_su_t, shell_exec_t, unpriv_userdomain)
-can_setexec($1_su_t)
-
-# Get security decisions
-can_getsecurity($1_su_t)
-r_dir_file($1_su_t, default_context_t)
-
-allow $1_su_t privfd:fd use;
-
-# Write to utmp.
-allow $1_su_t { var_t var_run_t }:dir search;
-allow $1_su_t initrc_var_run_t:file rw_file_perms;
-can_kerberos($1_su_t)
-
-ifdef(`chkpwd.te', `
-domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t)
-')
-
-allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
-
-') dnl end su_restricted_domain
-
-define(`su_mini_domain', `
-su_restricted_domain($1,$1)
-if(!secure_mode)
-{
-	# if we are not in secure mode then we can transition to sysadm_t
-	domain_trans($1_su_t, shell_exec_t, sysadm_t)
-}
-
-# Relabel ttys and ptys.
-allow $1_su_t device_t:dir { getattr read search };
-allow $1_su_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-
-# Close and re-open ttys and ptys to get the fd into the correct domain.
-allow $1_su_t { ttyfile ptyfile }:chr_file { read write };
-
-')dnl end su_mini_domain
-
-define(`su_domain', `
-su_mini_domain($1)
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
-
-# The user role is authorized for this domain.
-role $1_r types $1_su_t;
-
-# Write to the user domain tty.
-access_terminal($1_su_t, $1)
-
-allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
-allow $1_su_t $1_home_t:file create_file_perms;
-ifdef(`user_canbe_sysadm', `
-allow $1_su_t home_dir_type:dir { search write };
-', `
-dontaudit $1_su_t home_dir_type:dir { search write };
-')
-
-allow $1_su_t autofs_t:dir { search getattr };
-if (use_nfs_home_dirs) {
-allow $1_su_t nfs_t:dir search;
-}
-if (use_samba_home_dirs) {
-allow $1_su_t cifs_t:dir search;
-}
-
-ifdef(`support_polyinstantiation', `
-# Su can polyinstantiate
-polyinstantiater($1_su_t)
-# Su has to unmount polyinstantiated directories (like home)
-# that should not be polyinstantiated under the new user
-allow $1_su_t fs_t:filesystem unmount;
-# Su needs additional permission to mount over a previous mount
-allow $1_su_t polymember:dir mounton;
-')
-
-# Modify .Xauthority file (via xauth program).
-ifdef(`xauth.te', `
-file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
-file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
-file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
-domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
-')
-
-ifdef(`cyrus.te', `
-allow $1_su_t cyrus_var_lib_t:dir search;
-')
-ifdef(`ssh.te', `
-# Access sshd cookie files.
-allow $1_su_t sshd_tmp_t:dir rw_dir_perms;
-allow $1_su_t sshd_tmp_t:file rw_file_perms;
-file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
-')
-
-allow $1_su_t var_lib_t:dir search;
-dontaudit $1_su_t init_t:fd use;
-')dnl end su_domain
-
-', `
-
-define(`su_domain',`')
-
-')
-
diff --git a/strict/macros/program/sudo_macros.te b/strict/macros/program/sudo_macros.te
deleted file mode 100644
index b2b4e1c..0000000
--- a/strict/macros/program/sudo_macros.te
+++ /dev/null
@@ -1,34 +0,0 @@
-# Authors:  Dan Walsh,  Russell Coker
-# Maintained by Dan Walsh <dwalsh@redhat.com>
-define(`sudo_domain',`
-newrole_domain($1_sudo, `, privuser')
-
-# By default, revert to the calling domain when a shell is executed.
-domain_auto_trans($1_sudo_t, shell_exec_t, $1_t)
-
-ifdef(`mta.te', `
-domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
-allow $1_mail_t $1_sudo_t:fifo_file rw_file_perms;
-')
-
-allow $1_sudo_t self:capability sys_resource;
-
-allow $1_sudo_t self:process setrlimit;
-
-ifdef(`pam.te', `
-allow $1_sudo_t pam_var_run_t:dir create_dir_perms;
-allow $1_sudo_t pam_var_run_t:file create_file_perms;
-')
-
-allow $1_sudo_t initrc_var_run_t:file rw_file_perms;
-allow $1_sudo_t sysctl_t:dir search;
-allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :file getattr;
-allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :lnk_file { getattr read };
-read_sysctl($1_sudo_t)
-
-allow $1_sudo_t var_run_t:dir search;
-r_dir_file($1_sudo_t, default_context_t)
-rw_dir_create_file($1_sudo_t, $1_tmp_t)
-rw_dir_create_file($1_sudo_t, $1_home_t)
-domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t)
-')
diff --git a/strict/macros/program/thunderbird_macros.te b/strict/macros/program/thunderbird_macros.te
deleted file mode 100644
index 2c0711d..0000000
--- a/strict/macros/program/thunderbird_macros.te
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# Thunderbird
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-#######################################
-# thunderbird_domain(role_prefix)
-#
-
-# FIXME: Rules were removed to centralize policy in a gnome_app macro
-# A similar thing might be necessary for mozilla compiled without GNOME
-# support (is this possible?).
-
-define(`thunderbird_domain', `
-
-# Type for program
-type $1_thunderbird_t, domain, nscd_client_domain;
-
-# Transition from user type
-if (! disable_thunderbird_trans) {
-domain_auto_trans($1_t, thunderbird_exec_t, $1_thunderbird_t)
-}
-role $1_r types $1_thunderbird_t;
-
-# FIXME: Why does it try to do that?
-dontaudit $1_thunderbird_t evolution_exec_t:file { getattr execute };
-
-# Why is thunderbird looking in .mozilla ?
-# FIXME: there are legitimate uses of invoking the browser - about -> release notes
-dontaudit $1_thunderbird_t $1_mozilla_home_t:dir search;
-
-# .kde/....gtkrc
-# FIXME: support properly 
-dontaudit $1_thunderbird_t $1_home_t:file { getattr read };
-
-# X, mail common stuff
-x_client_domain($1_thunderbird, $1)
-mail_client_domain($1_thunderbird, $1)
-
-allow $1_thunderbird_t self:process signull;
-allow $1_thunderbird_t fs_t:filesystem getattr;
-
-# GNOME support
-ifdef(`gnome.te', `
-gnome_application($1_thunderbird, $1)
-gnome_file_dialog($1_thunderbird, $1)
-allow $1_thunderbird_t $1_gnome_settings_t:file { read write };
-')
-
-# Access ~/.thunderbird
-home_domain($1, thunderbird)
-
-# RSS feeds
-can_network_client_tcp($1_thunderbird_t, http_port_t) 
-allow $1_thunderbird_t http_port_t:tcp_socket name_connect;
-
-allow $1_thunderbird_t self:process { execheap execmem execstack };
-
-')
diff --git a/strict/macros/program/tvtime_macros.te b/strict/macros/program/tvtime_macros.te
deleted file mode 100644
index d965ae1..0000000
--- a/strict/macros/program/tvtime_macros.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#
-# Macros for tvtime domains.
-#
-
-#
-# Author: Dan Walsh <dwalsh@redhat.com>
-#
-
-#
-# tvtime_domain(domain_prefix)
-#
-# Define a derived domain for the tvtime program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/tvtime.te. 
-#
-undefine(`tvtime_domain')
-ifdef(`tvtime.te', `
-define(`tvtime_domain',`
-
-# Type transition
-type $1_tvtime_t, domain, nscd_client_domain;
-domain_auto_trans($1_t, tvtime_exec_t, $1_tvtime_t)
-role $1_r types $1_tvtime_t;
-
-# X access, Home files
-home_domain($1, tvtime)
-file_type_auto_trans($1_tvtime_t, $1_home_dir_t, $1_tvtime_home_t, dir)
-x_client_domain($1_tvtime, $1)
-
-uses_shlib($1_tvtime_t)
-read_locale($1_tvtime_t)
-read_sysctl($1_tvtime_t)
-access_terminal($1_tvtime_t, $1)
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_tvtime_t)
-allow $1_t $1_tvtime_t:process signal_perms;
-
-# Read /etc/tvtime
-allow $1_tvtime_t etc_t:file { getattr read };
-
-# Tmp files
-tmp_domain($1_tvtime, `', `{ file dir fifo_file }')
-
-allow $1_tvtime_t urandom_device_t:chr_file read;
-allow $1_tvtime_t clock_device_t:chr_file { ioctl read };
-allow $1_tvtime_t kernel_t:system ipc_info;
-allow $1_tvtime_t sound_device_t:chr_file { ioctl read };
-allow $1_tvtime_t $1_home_t:dir { getattr read search };
-allow $1_tvtime_t $1_home_t:file { getattr read };
-allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
-allow $1_tvtime_t self:process setsched;
-allow $1_tvtime_t usr_t:file { getattr read };
-
-')dnl end tvtime_domain
-
-', `
-
-define(`tvtime_domain',`')
-
-')
-
diff --git a/strict/macros/program/uml_macros.te b/strict/macros/program/uml_macros.te
deleted file mode 100644
index bc635f8..0000000
--- a/strict/macros/program/uml_macros.te
+++ /dev/null
@@ -1,137 +0,0 @@
-#
-# Macros for uml domains.
-#
-
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#
-# uml_domain(domain_prefix)
-#
-# Define a derived domain for the uml program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/uml.te. 
-#
-undefine(`uml_domain')
-ifdef(`uml.te', `
-define(`uml_domain',`
-
-# Derived domain based on the calling user domain and the program.
-type $1_uml_t, domain;
-type $1_uml_exec_t, file_type, sysadmfile, $1_file_type;
-type $1_uml_ro_t, file_type, sysadmfile, $1_file_type;
-type $1_uml_rw_t, file_type, sysadmfile, $1_file_type;
-
-# for X
-ifdef(`startx.te', `
-ifelse($1, sysadm, `', `
-ifdef(`xdm.te', `
-allow $1_uml_t xdm_xserver_tmp_t:dir search;
-')dnl end if xdm.te
-allow $1_uml_t $1_xserver_tmp_t:sock_file write;
-can_unix_connect($1_uml_t, $1_xserver_t)
-')dnl end ifelse sysadm
-')dnl end ifdef startx
-
-allow $1_t { $1_uml_ro_t $1_uml_rw_t }:{ file sock_file fifo_file } { relabelfrom relabelto create_file_perms };
-allow $1_t $1_uml_exec_t:file { relabelfrom relabelto create_file_perms };
-allow $1_t { $1_uml_ro_t $1_uml_rw_t }:lnk_file { relabelfrom relabelto create_lnk_perms };
-allow $1_t { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }:dir { relabelfrom relabelto create_dir_perms };
-r_dir_file($1_t, uml_ro_t)
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, { uml_exec_t $1_uml_exec_t }, $1_uml_t)
-can_exec($1_uml_t, { uml_exec_t $1_uml_exec_t })
-
-# The user role is authorized for this domain.
-role $1_r types $1_uml_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_uml_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors from newrole.
-ifdef(`newrole.te', `allow $1_uml_t newrole_t:fd use;')
-
-# allow ps, ptrace, signal
-can_ps($1_t, $1_uml_t)
-can_ptrace($1_t, $1_uml_t)
-allow $1_t $1_uml_t:process signal_perms;
-
-# allow the UML thing to happen
-allow $1_uml_t self:process { fork signal_perms ptrace };
-can_create_pty($1_uml)
-allow $1_uml_t root_t:dir search;
-tmp_domain($1_uml)
-can_exec($1_uml_t, $1_uml_tmp_t)
-tmpfs_domain($1_uml)
-can_exec($1_uml_t, $1_uml_tmpfs_t)
-create_dir_file($1_t, $1_uml_tmp_t)
-allow $1_t $1_uml_tmp_t:sock_file create_file_perms;
-allow $1_uml_t self:fifo_file rw_file_perms;
-allow $1_uml_t fs_t:filesystem getattr;
-
-allow $1_uml_t tun_tap_device_t:chr_file { read write ioctl };
-
-ifdef(`uml_net.te', `
-# for uml_net
-domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t)
-allow uml_net_t $1_uml_t:unix_stream_socket { read write };
-allow uml_net_t $1_uml_t:unix_dgram_socket { read write };
-dontaudit uml_net_t privfd:fd use;
-can_access_pty(uml_net_t, $1_uml)
-dontaudit uml_net_t $1_uml_rw_t:dir { getattr search };
-')dnl end ifdef uml_net.te
-
-# for mconsole
-allow { $1_t $1_uml_t } $1_uml_t:unix_dgram_socket sendto;
-allow $1_uml_t $1_t:unix_dgram_socket sendto;
-
-# Use the network.
-can_network($1_uml_t)
-allow $1_uml_t port_type:tcp_socket name_connect;
-can_ypbind($1_uml_t)
-
-# for xterm
-uses_shlib($1_uml_t)
-can_exec($1_uml_t, { bin_t sbin_t lib_t })
-allow $1_uml_t { bin_t sbin_t }:dir search;
-allow $1_uml_t etc_t:file { getattr read };
-dontaudit $1_uml_t etc_runtime_t:file read;
-can_tcp_connect($1_uml_t, sshd_t)
-ifdef(`xauth.te', `
-allow $1_uml_t $1_xauth_home_t:file { getattr read };
-')
-allow $1_uml_t var_run_t:dir search;
-allow $1_uml_t initrc_var_run_t:file { getattr read };
-dontaudit $1_uml_t initrc_var_run_t:file { write lock };
-
-allow $1_uml_t device_t:dir search;
-allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_uml_t self:unix_dgram_socket create_socket_perms;
-allow $1_uml_t privfd:fd use;
-allow $1_uml_t proc_t:dir search;
-allow $1_uml_t proc_t:file { getattr read };
-
-# for SKAS - need something better
-allow $1_uml_t proc_t:file write;
-
-# Write to the user domain tty.
-access_terminal($1_uml_t, $1)
-
-# access config files
-allow $1_uml_t home_root_t:dir search;
-file_type_auto_trans($1_uml_t, $1_home_dir_t, $1_uml_rw_t)
-r_dir_file($1_uml_t, { $1_uml_ro_t uml_ro_t })
-
-# putting uml data under /var is usual...
-allow $1_uml_t var_t:dir search;
-')dnl end macro definition
-
-', `
-
-define(`uml_domain',`')
-
-')
diff --git a/strict/macros/program/userhelper_macros.te b/strict/macros/program/userhelper_macros.te
deleted file mode 100644
index 2c715d3..0000000
--- a/strict/macros/program/userhelper_macros.te
+++ /dev/null
@@ -1,142 +0,0 @@
-#DESC Userhelper - SELinux utility to run a shell with a new role
-#
-# Authors:  Dan Walsh (Red Hat)
-# Maintained by Dan Walsh <dwalsh@redhat.com>
-#
-
-#
-# userhelper_domain(domain_prefix)
-#
-# Define a derived domain for the userhelper/userhelper program when executed by
-# a user domain.  
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/userhelper.te. 
-#
-define(`userhelper_domain',`
-type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser, nscd_client_domain;
-
-in_user_role($1_userhelper_t)
-role sysadm_r types $1_userhelper_t;
-
-ifelse($1, sysadm, `
-typealias sysadm_userhelper_t alias userhelper_t;
-domain_auto_trans(initrc_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-
-general_domain_access($1_userhelper_t);
-
-uses_shlib($1_userhelper_t)
-read_locale($1_userhelper_t)
-read_sysctl($1_userhelper_t)
-
-# for when the user types "exec userhelper" at the command line
-allow $1_userhelper_t privfd:process sigchld;
-
-domain_auto_trans($1_t, userhelper_exec_t, $1_userhelper_t)
-
-# Inherit descriptors from the current session.
-allow $1_userhelper_t { init_t privfd }:fd use;
-
-can_exec($1_userhelper_t, { bin_t sbin_t userhelper_exec_t })
-
-# Execute shells
-allow $1_userhelper_t { sbin_t bin_t }:dir r_dir_perms;
-allow $1_userhelper_t { sbin_t bin_t }:lnk_file read;
-allow $1_userhelper_t shell_exec_t:file r_file_perms;
-
-# By default, revert to the calling domain when a program is executed.
-domain_auto_trans($1_userhelper_t, { bin_t sbin_t }, $1_t)
-
-# Allow $1_userhelper_t to transition to user domains.
-domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, unpriv_userdomain)
-if (!secure_mode) {
-	# if we are not in secure mode then we can transition to sysadm_t
-	domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, sysadm_t)
-}
-can_setexec($1_userhelper_t)
-
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-# Allow transitioning to rpm_t, for up2date
-allow $1_userhelper_t rpm_t:process { transition siginh rlimitinh noatsecure };
-')
-')
-
-# Use capabilities.
-allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
-
-# Write to utmp.
-file_type_auto_trans($1_userhelper_t, var_run_t, initrc_var_run_t, file)
-
-# Read the devpts root directory.
-allow $1_userhelper_t devpts_t:dir r_dir_perms;
-
-# Read the /etc/security/default_type file
-allow $1_userhelper_t etc_t:file r_file_perms;
-
-# Read /var.
-r_dir_file($1_userhelper_t, var_t)
-
-# Read /dev directories and any symbolic links.
-allow $1_userhelper_t device_t:dir r_dir_perms;
-
-# Relabel terminals.
-allow $1_userhelper_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-
-# Access terminals.
-allow $1_userhelper_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow $1_userhelper_t gphdomain:fd use;')
-
-#
-# Allow $1_userhelper to obtain contexts to relabel TTYs
-#
-can_getsecurity($1_userhelper_t)
-
-allow $1_userhelper_t fs_t:filesystem getattr;
-
-# for some PAM modules and for cwd
-allow $1_userhelper_t { home_root_t $1_home_dir_t }:dir search;
-
-allow $1_userhelper_t proc_t:dir search;
-allow $1_userhelper_t proc_t:file { getattr read };
-
-# for when the network connection is killed
-dontaudit unpriv_userdomain $1_userhelper_t:process signal;
-
-allow $1_userhelper_t userhelper_conf_t:file rw_file_perms;
-allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
-
-ifdef(`pam.te', `
-allow $1_userhelper_t pam_var_run_t:dir create_dir_perms;
-allow $1_userhelper_t pam_var_run_t:file create_file_perms;
-')
-
-allow $1_userhelper_t urandom_device_t:chr_file { getattr read };
-
-allow $1_userhelper_t autofs_t:dir search;
-role system_r types $1_userhelper_t;
-r_dir_file($1_userhelper_t, nfs_t)
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_userhelper_t)
-allow $1_userhelper_t xdm_var_run_t:dir search;
-')
-
-r_dir_file($1_userhelper_t, selinux_config_t)
-r_dir_file($1_userhelper_t, default_context_t)
-
-ifdef(`xauth.te', `
-domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
-allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
-')
-
-ifdef(`pamconsole.te', `
-allow $1_userhelper_t pam_var_console_t:dir { search };
-')
-
-ifdef(`mozilla.te', `
-domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
-')
-
-')dnl end userhelper macro
diff --git a/strict/macros/program/vmware_macros.te b/strict/macros/program/vmware_macros.te
deleted file mode 100644
index bb0914a..0000000
--- a/strict/macros/program/vmware_macros.te
+++ /dev/null
@@ -1,128 +0,0 @@
-# Macro for vmware
-#
-# Based on work contributed by Mark Westerman (mark.westerman@westcam.com), 
-# modifications by NAI Labs.
-#
-# Turned into a macro by Thomas Bleher <ThomasBleher@gmx.de>
-#
-# vmware_domain(domain_prefix)
-#
-# Define a derived domain for the vmware program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/vmware.te. This file also
-# implements a separate domain vmware_t.
-#
- 
-define(`vmware_domain', `
-
-# Domain for the user applications to run in.
-type $1_vmware_t, domain, privmem;
-
-role $1_r types $1_vmware_t;
-
-# The user file type is for files created when the user is running VMWare
-type $1_vmware_file_t, $1_file_type, file_type, sysadmfile;
-
-# The user file type for the VMWare configuration files
-type $1_vmware_conf_t, $1_file_type, file_type, sysadmfile;
-
-#############################################################
-# User rules for running VMWare
-#
-# Transition to VMWare user domain
-domain_auto_trans($1_t, vmware_user_exec_t, $1_vmware_t)
-can_exec($1_vmware_t, vmware_user_exec_t)
-uses_shlib($1_vmware_t)
-var_run_domain($1_vmware)
-
-general_domain_access($1_vmware_t);
-
-# Capabilities needed by VMWare for the user execution. This seems a 
-# bit too much, so be careful.
-allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio };
-
-# Access to ttys
-allow $1_vmware_t vmware_device_t:chr_file rw_file_perms;
-allow $1_vmware_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_vmware_t privfd:fd use;
-
-# Access /proc
-r_dir_file($1_vmware_t, proc_t)
-allow $1_vmware_t proc_net_t:dir search;
-allow $1_vmware_t proc_net_t:file { getattr read };
-
-# Access to some files in the user home directory
-r_dir_file($1_vmware_t, $1_home_t)
-
-# Access to runtime files for user
-allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
-allow $1_vmware_t $1_vmware_file_t:file create_file_perms;
-allow $1_vmware_t $1_vmware_conf_t:file create_file_perms;
-
-# Allow read access to /etc/vmware and /usr/lib/vmware configuration files
-r_dir_file($1_vmware_t, vmware_sys_conf_t)
-
-# Allow $1_vmware_t to read/write files in the tmp dir
-tmp_domain($1_vmware)
-allow $1_vmware_t $1_vmware_tmp_t:file execute;
-
-# Allow read access to several paths
-r_dir_file($1_vmware_t, etc_t)
-allow $1_vmware_t etc_runtime_t:file r_file_perms;
-allow $1_vmware_t device_t:dir r_dir_perms;
-allow $1_vmware_t var_t:dir r_dir_perms;
-allow $1_vmware_t tmpfs_t:file rw_file_perms;
-
-# Allow vmware to write to ~/.vmware
-rw_dir_create_file($1_vmware_t, $1_vmware_file_t)
-
-#
-# This is bad; VMWare needs execute permission to the .cfg file for the
-# configuration to run.
-#
-allow $1_vmware_t $1_vmware_conf_t:file execute;
-
-# Access X11 config files
-allow $1_vmware_t lib_t:file r_file_perms;
-
-# Access components of VMWare in /usr/lib/vmware/bin by default
-allow $1_vmware_t bin_t:dir r_dir_perms;
-
-# Allow access to lp port (Need to create an lp device domain )
-allow $1_vmware_t device_t:chr_file r_file_perms;
-
-# Allow access to /dev/mem
-allow $1_vmware_t memory_device_t:chr_file { read write };
-
-# Allow access to mouse
-allow $1_vmware_t mouse_device_t:chr_file r_file_perms;
-
-# Allow access the sound device 
-allow $1_vmware_t sound_device_t:chr_file { ioctl write };
-
-# Allow removable media and devices
-allow $1_vmware_t removable_device_t:blk_file r_file_perms;
-allow $1_vmware_t device_t:lnk_file read;
-
-# Allow access to the real time clock device
-allow $1_vmware_t clock_device_t:chr_file read;
-
-# Allow to attach to Xserver, and Xserver to attach back
-ifdef(`gnome-pty-helper.te', `
-allow $1_vmware_t $1_gph_t:fd use;
-')
-ifdef(`startx.te', `
-allow $1_vmware_t $1_xserver_tmp_t:sock_file { unlink write };
-allow $1_vmware_t $1_xserver_tmp_t:dir search;
-allow $1_vmware_t $1_xserver_t:unix_stream_socket connectto;
-allow $1_xserver_t $1_vmware_t:shm r_shm_perms;
-allow $1_xserver_t $1_vmware_t:fd use;
-')
-
-# Allow filesystem read access
-allow $1_vmware_t fs_t:filesystem getattr;
-
-')
-
diff --git a/strict/macros/program/x_client_macros.te b/strict/macros/program/x_client_macros.te
deleted file mode 100644
index adce9f0..0000000
--- a/strict/macros/program/x_client_macros.te
+++ /dev/null
@@ -1,96 +0,0 @@
-#
-# Macros for X client programs 
-#
-
-#
-# Author: Russell Coker <russell@coker.com.au>
-# Based on the work of Stephen Smalley <sds@epoch.ncsc.mil>
-# and Timothy Fraser 
-#
-
-# Allows clients to write to the X server's shm 
-bool allow_write_xshm false;
-
-define(`xsession_domain', `
-
-# Connect to xserver
-can_unix_connect($1_t, $2_xserver_t)
-
-# Read /tmp/.X0-lock
-allow $1_t $2_xserver_tmp_t:file { getattr read };
-
-# Signal Xserver
-allow $1_t $2_xserver_t:process signal;
-
-# Xserver read/write client shm
-allow $2_xserver_t $1_t:fd use;
-allow $2_xserver_t $1_t:shm rw_shm_perms;
-allow $2_xserver_t $1_tmpfs_t:file rw_file_perms;
-
-# Client read xserver shm
-allow $1_t $2_xserver_t:fd use;
-allow $1_t $2_xserver_t:shm r_shm_perms;
-allow $1_t $2_xserver_tmpfs_t:file r_file_perms;
-
-# Client write xserver shm
-if (allow_write_xshm) {
-allow $1_t $2_xserver_t:shm rw_shm_perms;
-allow $1_t $2_xserver_tmpfs_t:file rw_file_perms;
-}
-
-')
-
-#
-# x_client_domain(client, role)
-#
-# Defines common X access rules for the client domain
-#
-define(`x_client_domain',`
-
-# Create socket to communicate with X server
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket { connectto create_stream_socket_perms };
-
-# Read .Xauthority file
-ifdef(`xauth.te',`
-allow $1_t home_root_t:dir { search getattr };
-allow $1_t $2_home_dir_t:dir { search getattr };
-allow $1_t $2_xauth_home_t:file { getattr read };
-')
-
-# for .xsession-errors
-dontaudit $1_t $2_home_t:file write;
-
-# for X over a ssh tunnel
-ifdef(`ssh.te', `
-can_tcp_connect($1_t, sshd_t)
-')
-
-# Use a separate type for tmpfs/shm pseudo files.
-tmpfs_domain($1)
-allow $1_t self:shm create_shm_perms;
-
-# allow X client to read all font files
-read_fonts($1_t, $2)
-
-# Allow connections to X server.
-ifdef(`xserver.te', `
-allow $1_t tmp_t:dir search;
-
-ifdef(`xdm.te', `
-xsession_domain($1, xdm)
-
-# for when /tmp/.X11-unix is created by the system
-can_pipe_xdm($1_t)
-allow $1_t xdm_tmp_t:dir search;
-allow $1_t xdm_tmp_t:sock_file { read write };
-dontaudit $1_t xdm_t:tcp_socket { read write };
-')
-
-ifdef(`startx.te', `
-xsession_domain($1, $2)
-')dnl end startx
-
-')dnl end xserver
-
-')dnl end x_client macro
diff --git a/strict/macros/program/xauth_macros.te b/strict/macros/program/xauth_macros.te
deleted file mode 100644
index ca7a5ee..0000000
--- a/strict/macros/program/xauth_macros.te
+++ /dev/null
@@ -1,83 +0,0 @@
-#
-# Macros for xauth domains.
-#
-
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#
-# xauth_domain(domain_prefix)
-#
-# Define a derived domain for the xauth program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/xauth.te. 
-#
-undefine(`xauth_domain')
-ifdef(`xauth.te', `
-define(`xauth_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_xauth_t, domain;
-
-allow $1_xauth_t self:process signal;
-
-home_domain($1, xauth)
-file_type_auto_trans($1_xauth_t, $1_home_dir_t, $1_xauth_home_t, file)
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, xauth_exec_t, $1_xauth_t)
-ifdef(`ssh.te', `
-domain_auto_trans($1_ssh_t, xauth_exec_t, $1_xauth_t)
-allow $1_xauth_t sshd_t:fifo_file { getattr read };
-dontaudit $1_xauth_t $1_ssh_t:tcp_socket { read write };
-allow $1_xauth_t sshd_t:process sigchld;
-')dnl end if ssh
-
-# The user role is authorized for this domain.
-role $1_r types $1_xauth_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `
-allow $1_xauth_t $1_gph_t:fd use;
-')
-
-allow $1_xauth_t privfd:fd use;
-allow $1_xauth_t ptmx_t:chr_file { read write };
-
-# allow ps to show xauth
-can_ps($1_t, $1_xauth_t)
-allow $1_t $1_xauth_t:process signal;
-
-uses_shlib($1_xauth_t)
-
-# allow DNS lookups...
-can_resolve($1_xauth_t)
-can_ypbind($1_xauth_t)
-ifdef(`named.te', `
-can_udp_send($1_xauth_t, named_t)
-can_udp_send(named_t, $1_xauth_t)
-')dnl end if named.te
-
-allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_xauth_t etc_t:file { getattr read };
-allow $1_xauth_t fs_t:filesystem getattr;
-
-# Write to the user domain tty.
-access_terminal($1_xauth_t, $1)
-
-# Scan /var/run.
-allow $1_xauth_t var_t:dir search;
-allow $1_xauth_t var_run_t:dir search; 
-
-tmp_domain($1_xauth)
-allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };
-
-')dnl end xauth_domain macro
-
-', `
-
-define(`xauth_domain',`')
-
-')dnl end if xauth.te
diff --git a/strict/macros/program/xdm_macros.te b/strict/macros/program/xdm_macros.te
deleted file mode 100644
index 404b877..0000000
--- a/strict/macros/program/xdm_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-########################################
-#
-# can_pipe_xdm(domain)
-#
-# Allow communication to xdm over a pipe
-#
-
-define(`can_pipe_xdm', `
-allow $1 xdm_t:fd use;
-allow $1 xdm_t:fifo_file { getattr read write ioctl };
-') dnl can_pipe_xdm
diff --git a/strict/macros/program/xserver_macros.te b/strict/macros/program/xserver_macros.te
deleted file mode 100644
index e2eaf82..0000000
--- a/strict/macros/program/xserver_macros.te
+++ /dev/null
@@ -1,274 +0,0 @@
-#
-# Macros for X server domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
-#
-
-#################################
-#
-# xserver_domain(domain_prefix)
-#
-# Define a derived domain for the X server when executed
-# by a user domain (e.g. via startx).  See the xdm_t domain
-# in domains/program/xdm.te if using an X Display Manager.
-#
-# The type declarations for the executable type for this program 
-# and the log type are provided separately in domains/program/xserver.te. 
-#
-# FIXME!  The X server requires far too many privileges.
-#
-undefine(`xserver_domain')
-ifdef(`xserver.te', `
-
-define(`xserver_domain',`
-# Derived domain based on the calling user domain and the program.
-ifdef(`distro_redhat', `
-type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain;
-allow $1_xserver_t sysctl_modprobe_t:file { getattr read };
-ifdef(`rpm.te', `
-allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
-allow $1_xserver_t rpm_tmpfs_t:file { read write };
-allow $1_xserver_t rpm_t:fd use;
-')
-
-', `
-type $1_xserver_t, domain, privlog, privmem, nscd_client_domain;
-')
-
-# for SSP
-allow $1_xserver_t urandom_device_t:chr_file { getattr read ioctl };
-
-# Transition from the user domain to this domain.
-ifelse($1, xdm, `
-ifdef(`xdm.te', `
-domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t)
-')
-', `
-domain_auto_trans($1_t, xserver_exec_t, $1_xserver_t)
-')dnl end ifelse xdm
-can_exec($1_xserver_t, xserver_exec_t)
-
-uses_shlib($1_xserver_t)
-
-allow $1_xserver_t texrel_shlib_t:file execmod;
-
-can_network($1_xserver_t)
-allow $1_xserver_t port_type:tcp_socket name_connect;
-can_ypbind($1_xserver_t)
-allow $1_xserver_t xserver_port_t:tcp_socket name_bind;
-
-# for access within the domain
-general_domain_access($1_xserver_t)
-
-allow $1_xserver_t self:process execmem;
-# Until the X module loader is fixed.
-allow $1_xserver_t self:process execheap;
-
-allow $1_xserver_t etc_runtime_t:file { getattr read };
-
-ifelse($1, xdm, `
-# The system role is authorised for the xdm and initrc domains
-role system_r types xdm_xserver_t;
-
-allow xdm_xserver_t init_t:fd use;
-
-dontaudit xdm_xserver_t home_dir_type:dir { read search };
-
-# Read all global and per user fonts
-read_fonts($1_xserver_t, sysadm)
-read_fonts($1_xserver_t, staff)
-read_fonts($1_xserver_t, user)
-
-', `
-# The user role is authorized for this domain.
-role $1_r types $1_xserver_t;
-
-allow $1_xserver_t getty_t:fd use;
-allow $1_xserver_t local_login_t:fd use;
-allow $1_xserver_t $1_tty_device_t:chr_file { setattr rw_file_perms };
-
-allow $1_xserver_t $1_tmpfs_t:file rw_file_perms;
-allow $1_t $1_xserver_tmpfs_t:file rw_file_perms;
-
-can_unix_connect($1_t, $1_xserver_t)
-
-# Read fonts
-read_fonts($1_xserver_t, $1)
-
-# Access the home directory.
-allow $1_xserver_t home_root_t:dir search;
-allow $1_xserver_t $1_home_dir_t:dir { getattr search };
-
-ifdef(`xauth.te', `
-domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
-allow $1_xserver_t $1_xauth_home_t:file { getattr read };
-', `
-allow $1_xserver_t $1_home_t:file { getattr read };
-')dnl end ifdef xauth
-ifdef(`userhelper.te', `
-allow $1_xserver_t userhelper_conf_t:dir search;
-')dnl end ifdef userhelper
-')dnl end ifelse xdm
-
-allow $1_xserver_t self:process setsched;
-
-allow $1_xserver_t fs_t:filesystem getattr;
-
-# Xorg wants to check if kernel is tainted
-read_sysctl($1_xserver_t)
-
-# Use capabilities.
-# allow setuid/setgid for the wrapper program to change UID
-# sys_rawio is for iopl access - should not be needed for frame-buffer
-# sys_admin, locking shared mem?  chowning IPC message queues or semaphores?
-# admin of APM bios?
-# sys_nice is so that the X server can set a negative nice value
-allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
-allow $1_xserver_t nfs_t:dir { getattr search };
-
-# memory_device_t access is needed if not using the frame buffer
-#dontaudit $1_xserver_t memory_device_t:chr_file read;
-allow $1_xserver_t memory_device_t:chr_file { rw_file_perms execute };
-# net_bind_service is needed if you want your X server to allow TCP connections
-# from other hosts, EG an XDM serving a network of X terms
-# if you want good security you do not want this
-# not sure why some people want chown, fsetid, and sys_tty_config.
-#allow $1_xserver_t self:capability { net_bind_service chown fsetid sys_tty_config };
-dontaudit $1_xserver_t self:capability chown;
-
-# for nscd
-dontaudit $1_xserver_t var_run_t:dir search;
-
-allow $1_xserver_t mtrr_device_t:file rw_file_perms;
-allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
-allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
-allow $1_xserver_t device_t:lnk_file { getattr read };
-allow $1_xserver_t devtty_t:chr_file rw_file_perms;
-allow $1_xserver_t zero_device_t:chr_file { read write execute };
-
-# Type for temporary files.
-tmp_domain($1_xserver, `', `{ dir file sock_file }')
-file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
-
-ifelse($1, xdm, `
-ifdef(`xdm.te', `
-allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-allow xdm_t $1_xserver_t:process signal;
-can_unix_connect(xdm_t, xdm_xserver_t)
-allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
-allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow xdm_xserver_t xdm_t:process signal;
-allow xdm_xserver_t xdm_t:shm rw_shm_perms;
-allow xdm_t xdm_xserver_t:shm rw_shm_perms;
-dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
-')
-', `
-allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow $1_t xdm_xserver_t:unix_stream_socket connectto;
-allow $1_t $1_xserver_t:process signal;
-
-# Allow the user domain to connect to the X server.
-can_unix_connect($1_t, $1_xserver_t)
-allow $1_t $1_xserver_tmp_t:sock_file rw_file_perms;
-allow $1_t $1_xserver_tmp_t:dir r_dir_perms;
-ifdef(`xdm.te', `
-allow $1_t xdm_tmp_t:sock_file unlink;
-allow $1_xserver_t xdm_var_run_t:dir search;
-')
-
-# Signal the user domain.
-allow $1_xserver_t $1_t:process signal;
-
-# Communicate via System V shared memory.
-allow $1_xserver_t $1_t:shm rw_shm_perms;
-allow $1_t $1_xserver_t:shm rw_shm_perms;
-allow $1_xserver_t initrc_t:shm rw_shm_perms;
-
-')dnl end ifelse xdm
-
-# Create files in /var/log with the xserver_log_t type.
-allow $1_xserver_t var_t:dir search;
-file_type_auto_trans($1_xserver_t, var_log_t, xserver_log_t, file)
-allow $1_xserver_t xserver_log_t:dir r_dir_perms;
-
-# Access AGP device.
-allow $1_xserver_t agp_device_t:chr_file rw_file_perms;
-
-# for other device nodes such as the NVidia binary-only driver
-allow $1_xserver_t xserver_misc_device_t:chr_file rw_file_perms;
-
-# Access /proc/mtrr
-allow $1_xserver_t proc_t:file rw_file_perms;
-allow $1_xserver_t proc_t:lnk_file { getattr read };
-
-# Access /proc/sys/dev
-allow $1_xserver_t sysctl_dev_t:dir search;
-allow $1_xserver_t sysctl_dev_t:file { getattr read };
-# Access /proc/bus/pci
-allow $1_xserver_t proc_t:dir r_dir_perms;
-
-# Create and access /dev/dri devices.
-allow $1_xserver_t device_t:dir { create setattr };
-file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)
-# brought on by rhgb
-allow $1_xserver_t mnt_t:dir search;
-
-allow $1_xserver_t tty_device_t:chr_file { setattr rw_file_perms };
-
-# Run helper programs in $1_xserver_t.
-allow $1_xserver_t { bin_t sbin_t }:dir search;
-allow $1_xserver_t etc_t:{ file lnk_file } { getattr read };
-allow $1_xserver_t bin_t:lnk_file read;
-can_exec($1_xserver_t, { bin_t shell_exec_t })
-
-# Connect to xfs.
-ifdef(`xfs.te', `
-can_unix_connect($1_xserver_t, xfs_t)
-allow $1_xserver_t xfs_tmp_t:dir r_dir_perms;
-allow $1_xserver_t xfs_tmp_t:sock_file rw_file_perms;
-
-# Bind to the X server socket in /tmp.
-allow $1_xserver_t $1_xserver_tmp_t:unix_stream_socket name_bind;
-')
-
-read_locale($1_xserver_t)
-
-# Type for tmpfs/shm files.
-tmpfs_domain($1_xserver)
-ifelse($1, xdm, `
-ifdef(`xdm.te', `
-allow xdm_xserver_t xdm_t:shm rw_shm_perms;
-allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
-')
-', `
-allow $1_xserver_t $1_t:shm rw_shm_perms;
-rw_dir_file($1_xserver_t, $1_tmpfs_t)
-')dnl end ifelse xdm
-
-
-r_dir_file($1_xserver_t,sysfs_t)
-
-# Use the mouse.
-allow $1_xserver_t mouse_device_t:chr_file rw_file_perms;
-# Allow xserver to read events - the synaptics touchpad
-# driver reads raw events
-allow $1_xserver_t event_device_t:chr_file rw_file_perms;
-ifdef(`pamconsole.te', `
-allow $1_xserver_t pam_var_console_t:dir search;
-')
-dontaudit $1_xserver_t selinux_config_t:dir search;
-
-allow $1_xserver_t var_lib_t:dir search;
-rw_dir_create_file($1_xserver_t, xkb_var_lib_t)
-
-')dnl end macro definition
-
-', `
-
-define(`xserver_domain',`')
-
-')
-
diff --git a/strict/macros/program/ypbind_macros.te b/strict/macros/program/ypbind_macros.te
deleted file mode 100644
index 61db7cc..0000000
--- a/strict/macros/program/ypbind_macros.te
+++ /dev/null
@@ -1,20 +0,0 @@
-
-define(`uncond_can_ypbind', `
-can_network($1)
-r_dir_file($1,var_yp_t)
-allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;
-allow $1 { portmap_port_t reserved_port_t port_t }:tcp_socket name_connect;
-dontaudit $1 self:capability net_bind_service;
-dontaudit $1 reserved_port_type:tcp_socket name_connect;
-dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind;
-')
-
-define(`can_ypbind', `
-ifdef(`ypbind.te', `
-if (allow_ypbind) {
-uncond_can_ypbind($1)
-} else {
-dontaudit $1 var_yp_t:dir search;
-}
-') dnl ypbind.te
-') dnl can_ypbind
diff --git a/strict/macros/user_macros.te b/strict/macros/user_macros.te
deleted file mode 100644
index 2c76665..0000000
--- a/strict/macros/user_macros.te
+++ /dev/null
@@ -1,324 +0,0 @@
-#
-# Macros for all user login domains.
-#
-
-# role_tty_type_change(starting_role, ending_role)
-#
-# change from role $1_r to $2_r and relabel tty appropriately
-#
-
-undefine(`role_tty_type_change')
-define(`role_tty_type_change', `
-allow $1_r $2_r;
-type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
-type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
-# avoid annoying messages on terminal hangup
-dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
-')
-
-#
-# reach_sysadm(user)
-#
-# Reach sysadm_t via programs like userhelper/sudo/su
-#
-
-undefine(`reach_sysadm')
-define(`reach_sysadm', `
-ifdef(`userhelper.te', `userhelper_domain($1)')
-ifdef(`sudo.te', `sudo_domain($1)')
-ifdef(`su.te', `
-su_domain($1)
-# When an ordinary user domain runs su, su may try to
-# update the /root/.Xauthority file, and the user shell may
-# try to update the shell history. This is not allowed, but 
-# we dont need to audit it.
-dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search;
-dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;
-dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;
-') dnl ifdef su.te
-ifdef(`xauth.te', `
-file_type_auto_trans($1_xauth_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
-ifdef(`userhelper.te', `
-file_type_auto_trans($1_userhelper_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
-') dnl userhelper.te 
-') dnl xauth.te 
-') dnl reach_sysadm
-
-#
-# priv_user(user)
-#
-# Privileged user domain
-#
-
-undefine(`priv_user')
-define(`priv_user', `
-# Reach sysadm_t
-reach_sysadm($1)
-
-# Read file_contexts for rpm and get security decisions. 
-r_dir_file($1_t, file_context_t)
-can_getsecurity($1_t)
-
-# Signal and see information about unprivileged user domains.
-allow $1_t unpriv_userdomain:process signal_perms;
-can_ps($1_t, unpriv_userdomain)
-allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr;
-
-# Read /root files if boolean is enabled.
-if (staff_read_sysadm_file) {
-allow $1_t sysadm_home_dir_t:dir { getattr search };
-allow $1_t sysadm_home_t:file { getattr read };
-}
-
-') dnl priv_user
-
-#
-# user_domain(domain_prefix)
-#
-# Define derived types and rules for an ordinary user domain.
-#
-# The type declaration and role authorization for the domain must be
-# provided separately.  Likewise, domain transitions into this domain
-# must be specified separately.  
-#
-
-# user_domain() is also called by the admin_domain() macro
-undefine(`user_domain')
-define(`user_domain', `
-# Use capabilities
-
-# Type for home directory.
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, polydir;
-type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type, polymember;
-
-# Transition manually for { lnk sock fifo }. The rest is in content macros.
-tmp_domain_notrans($1, `, user_tmpfile, $1_file_type')
-file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
-allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
-
-ifdef(`support_polyinstantiation', `
-type_member $1_t tmp_t:dir $1_tmp_t;
-type_member $1_t $1_home_dir_t:dir $1_home_t;
-')
-
-base_user_domain($1)
-ifdef(`mls_policy', `', `
-access_removable_media($1_t)
-')
-
-# do not allow privhome access to sysadm_home_dir_t
-file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
-
-allow $1_t boot_t:dir { getattr search };
-dontaudit $1_t boot_t:lnk_file read;
-dontaudit $1_t boot_t:file read;
-allow $1_t system_map_t:file { getattr read };
-
-# Instantiate derived domains for a number of programs.
-# These derived domains encode both information about the calling
-# user domain and the program, and allow us to maintain separation
-# between different instances of the program being run by different
-# user domains.
-ifelse($1, sysadm, `',`
-ifdef(`apache.te', `apache_user_domain($1)')
-ifdef(`i18n_input.te', `i18n_input_domain($1)')
-')
-ifdef(`slocate.te', `locate_domain($1)')
-ifdef(`lockdev.te', `lockdev_domain($1)')
-
-can_kerberos($1_t)
-# allow port_t name binding for UDP because it is not very usable otherwise
-allow $1_t port_t:udp_socket name_bind;
-
-#
-# Need the following rule to allow users to run vpnc
-#
-ifdef(`xserver.te', `
-allow $1_t xserver_port_t:tcp_socket name_bind;
-')
-
-# Allow users to run TCP servers (bind to ports and accept connection from
-# the same domain and outside users)  disabling this forces FTP passive mode
-# and may change other protocols
-if (user_tcp_server) {
-allow $1_t port_t:tcp_socket name_bind;
-}
-# port access is audited even if dac would not have allowed it, so dontaudit it here
-dontaudit $1_t reserved_port_type:tcp_socket name_bind;
-
-# Allow system log read
-if (user_dmesg) {
-allow $1_t kernel_t:system syslog_read;
-} else {
-# else do not log it
-dontaudit $1_t kernel_t:system syslog_read;
-}
-
-# Allow read access to utmp.
-allow $1_t initrc_var_run_t:file { getattr read lock };
-# The library functions always try to open read-write first,
-# then fall back to read-only if it fails. 
-# Do not audit write denials to utmp to avoid the noise.
-dontaudit $1_t initrc_var_run_t:file write;
-
-
-# do not audit read on disk devices
-dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
-
-ifdef(`xdm.te', `
-allow xdm_t $1_home_t:lnk_file read;
-allow xdm_t $1_home_t:dir search;
-#
-# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
-# 
-dontaudit xdm_t $1_home_t:file rw_file_perms;
-')dnl end ifdef xdm.te
-
-ifdef(`ftpd.te', `
-if (ftp_home_dir) {
-file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
-}
-')dnl end ifdef ftpd
-
-
-')dnl end user_domain macro
-
-
-###########################################################################
-#
-# Domains for ordinary users.
-#
-undefine(`limited_user_role')
-define(`limited_user_role', `
-# user_t/$1_t is an unprivileged users domain.
-type $1_t, domain, userdomain, unpriv_userdomain, nscd_client_domain, privfd;
-
-#Type for tty devices.
-type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs;
-# Type and access for pty devices.
-can_create_pty($1, `, userpty_type, user_tty_type')
-
-# Access ttys.
-allow $1_t privfd:fd use;
-allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
-
-# Grant read/search permissions to some of /proc.
-r_dir_file($1_t, proc_t)
-r_dir_file($1_t, proc_net_t)
-
-base_file_read_access($1_t)
-
-# Execute from the system shared libraries.
-uses_shlib($1_t)
-
-# Read /etc.
-r_dir_file($1_t, etc_t)
-allow $1_t etc_runtime_t:file r_file_perms;
-allow $1_t etc_runtime_t:lnk_file { getattr read };
-
-allow $1_t self:process { fork sigchld setpgid signal_perms };
-
-# read localization information
-read_locale($1_t)
-
-read_sysctl($1_t)
-can_exec($1_t, { bin_t sbin_t shell_exec_t ls_exec_t })
-
-allow $1_t self:dir search;
-allow $1_t self:file { getattr read };
-allow secadm_t self:fifo_file rw_file_perms;
-
-allow $1_t self:lnk_file read;
-allow $1_t self:unix_stream_socket create_socket_perms;
-allow $1_t urandom_device_t:chr_file { getattr read };
-dontaudit $1_t { var_spool_t var_log_t }:dir search;
-
-# Read /dev directories and any symbolic links.
-allow $1_t device_t:dir r_dir_perms;
-allow $1_t device_t:lnk_file { getattr read };
-allow $1_t devtty_t:chr_file { read write };
-
-')
-
-undefine(`full_user_role')
-define(`full_user_role', `
-
-limited_user_role($1)
-
-typeattribute  $1_t web_client_domain;
-
-attribute $1_file_type;
-
-ifdef(`useradd.te', `
-# Useradd relabels /etc/skel files so needs these privs 
-allow useradd_t $1_file_type:dir create_dir_perms;
-allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
-')
-
-can_exec($1_t, usr_t)
-
-# Read directories and files with the readable_t type.
-# This type is a general type for "world"-readable files.
-allow $1_t readable_t:dir r_dir_perms;
-allow $1_t readable_t:notdevfile_class_set r_file_perms;
-
-# Stat lost+found.
-allow $1_t lost_found_t:dir getattr;
-
-# Read /var, /var/spool, /var/run.
-r_dir_file($1_t, var_t)
-# what about pipes and sockets under /var/spool?
-r_dir_file($1_t, var_spool_t)
-r_dir_file($1_t, var_run_t)
-allow $1_t var_lib_t:dir r_dir_perms;
-allow $1_t var_lib_t:file { getattr read };
-
-# for running depmod as part of the kernel packaging process
-allow $1_t modules_conf_t:file { getattr read };
-
-# Read man directories and files.
-r_dir_file($1_t, man_t)
-
-# Allow users to rw usb devices
-if (user_rw_usb) {
-rw_dir_create_file($1_t,usbdevfs_t)
-} else {
-r_dir_file($1_t,usbdevfs_t)
-}
-
-r_dir_file($1_t,sysfs_t)
-
-# Do not audit write denials to /etc/ld.so.cache.
-dontaudit $1_t ld_so_cache_t:file write;
-
-# $1_t is also granted permissions specific to user domains.
-user_domain($1)
-
-dontaudit $1_t sysadm_home_t:file { read append };
-
-ifdef(`syslogd.te', `
-# Some programs that are left in $1_t will try to connect
-# to syslogd, but we do not want to let them generate log messages.
-# Do not audit.
-dontaudit $1_t devlog_t:sock_file { read write };
-dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
-')
-
-# Stop warnings about access to /dev/console
-dontaudit $1_t init_t:fd use;
-dontaudit $1_t initrc_t:fd use;
-allow $1_t initrc_t:fifo_file write;
-
-#
-# Rules used to associate a homedir as a mountpoint
-#
-allow $1_home_t self:filesystem associate;
-allow $1_file_type $1_home_t:filesystem associate;
-')
-
-undefine(`in_user_role')
-define(`in_user_role', `
-role user_r types $1;
-role staff_r types $1;
-')
-
diff --git a/strict/mcs b/strict/mcs
deleted file mode 100644
index d67b134..0000000
--- a/strict/mcs
+++ /dev/null
@@ -1,354 +0,0 @@
-#
-# Define sensitivities 
-#
-# Each sensitivity has a name and zero or more aliases.
-#
-# MCS is single-sensitivity.
-#
-sensitivity s0;
-
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 }
-
-
-#
-# Define the categories
-#
-# Each category has a name and zero or more aliases.
-#
-category c0;
-category c1;
-category c2;
-category c3;
-category c4;
-category c5;
-category c6;
-category c7;
-category c8;
-category c9;
-category c10;
-category c11;
-category c12;
-category c13;
-category c14;
-category c15;
-category c16;
-category c17;
-category c18;
-category c19;
-category c20;
-category c21;
-category c22;
-category c23;
-category c24;
-category c25;
-category c26;
-category c27;
-category c28;
-category c29;
-category c30;
-category c31;
-category c32;
-category c33;
-category c34;
-category c35;
-category c36;
-category c37;
-category c38;
-category c39;
-category c40;
-category c41;
-category c42;
-category c43;
-category c44;
-category c45;
-category c46;
-category c47;
-category c48;
-category c49;
-category c50;
-category c51;
-category c52;
-category c53;
-category c54;
-category c55;
-category c56;
-category c57;
-category c58;
-category c59;
-category c60;
-category c61;
-category c62;
-category c63;
-category c64;
-category c65;
-category c66;
-category c67;
-category c68;
-category c69;
-category c70;
-category c71;
-category c72;
-category c73;
-category c74;
-category c75;
-category c76;
-category c77;
-category c78;
-category c79;
-category c80;
-category c81;
-category c82;
-category c83;
-category c84;
-category c85;
-category c86;
-category c87;
-category c88;
-category c89;
-category c90;
-category c91;
-category c92;
-category c93;
-category c94;
-category c95;
-category c96;
-category c97;
-category c98;
-category c99;
-category c100;
-category c101;
-category c102;
-category c103;
-category c104;
-category c105;
-category c106;
-category c107;
-category c108;
-category c109;
-category c110;
-category c111;
-category c112;
-category c113;
-category c114;
-category c115;
-category c116;
-category c117;
-category c118;
-category c119;
-category c120;
-category c121;
-category c122;
-category c123;
-category c124;
-category c125;
-category c126;
-category c127;
-category c128;
-category c129;
-category c130;
-category c131;
-category c132;
-category c133;
-category c134;
-category c135;
-category c136;
-category c137;
-category c138;
-category c139;
-category c140;
-category c141;
-category c142;
-category c143;
-category c144;
-category c145;
-category c146;
-category c147;
-category c148;
-category c149;
-category c150;
-category c151;
-category c152;
-category c153;
-category c154;
-category c155;
-category c156;
-category c157;
-category c158;
-category c159;
-category c160;
-category c161;
-category c162;
-category c163;
-category c164;
-category c165;
-category c166;
-category c167;
-category c168;
-category c169;
-category c170;
-category c171;
-category c172;
-category c173;
-category c174;
-category c175;
-category c176;
-category c177;
-category c178;
-category c179;
-category c180;
-category c181;
-category c182;
-category c183;
-category c184;
-category c185;
-category c186;
-category c187;
-category c188;
-category c189;
-category c190;
-category c191;
-category c192;
-category c193;
-category c194;
-category c195;
-category c196;
-category c197;
-category c198;
-category c199;
-category c200;
-category c201;
-category c202;
-category c203;
-category c204;
-category c205;
-category c206;
-category c207;
-category c208;
-category c209;
-category c210;
-category c211;
-category c212;
-category c213;
-category c214;
-category c215;
-category c216;
-category c217;
-category c218;
-category c219;
-category c220;
-category c221;
-category c222;
-category c223;
-category c224;
-category c225;
-category c226;
-category c227;
-category c228;
-category c229;
-category c230;
-category c231;
-category c232;
-category c233;
-category c234;
-category c235;
-category c236;
-category c237;
-category c238;
-category c239;
-category c240;
-category c241;
-category c242;
-category c243;
-category c244;
-category c245;
-category c246;
-category c247;
-category c248;
-category c249;
-category c250;
-category c251;
-category c252;
-category c253;
-category c254;
-category c255;
-
-
-#
-# Each MCS level specifies a sensitivity and zero or more categories which may
-# be associated with that sensitivity.
-#
-level s0:c0.c255;
-
-#
-# Define the MCS policy
-#
-# mlsconstrain class_set perm_set expression ;
-#
-# mlsvalidatetrans class_set expression ;
-#
-# expression : ( expression )
-#	     | not expression
-#	     | expression and expression
-#	     | expression or expression
-#	     | u1 op u2
-#	     | r1 role_mls_op r2
-#	     | t1 op t2
-#	     | l1 role_mls_op l2
-#	     | l1 role_mls_op h2
-#	     | h1 role_mls_op l2
-#	     | h1 role_mls_op h2
-#	     | l1 role_mls_op h1
-#	     | l2 role_mls_op h2
-#	     | u1 op names
-#	     | u2 op names
-#	     | r1 op names
-#	     | r2 op names
-#	     | t1 op names
-#	     | t2 op names
-#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
-#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
-#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
-#
-# op : == | !=
-# role_mls_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name
-#
-
-#
-# MCS policy for the file classes
-#
-# Constrain file access so that the high range of the process dominates
-# the high range of the file.  We use the high range of the process so
-# that processes can always simply run at s0.
-#
-# Only files are constrained by MCS at this stage.
-#
-mlsconstrain file { write setattr append unlink link rename
-		    create ioctl lock execute } (h1 dom h2);
-
-mlsconstrain file { read } ((h1 dom h2) or 
-			    ( t1 == mlsfileread ));
-
-
-# new file labels must be dominated by the relabeling subject's clearance
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto }
-	( h1 dom h2 );
-
-define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append 
-link unlink rename relabelfrom relabelto }')
-
-define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink 
-rename search add_name remove_name reparent write rmdir relabelfrom 
-relabelto }')
-
-# XXX
-#
-# For some reason, we need to reference the mlsfileread attribute
-# or we get a build error.  Below is a dummy entry to do this.
-mlsconstrain xextension query ( t1 == mlsfileread );
-
diff --git a/strict/mls b/strict/mls
deleted file mode 100644
index b3e9b5a..0000000
--- a/strict/mls
+++ /dev/null
@@ -1,872 +0,0 @@
-#
-# Define sensitivities 
-#
-# Each sensitivity has a name and zero or more aliases.
-#
-sensitivity s0;
-sensitivity s1;
-sensitivity s2;
-sensitivity s3;
-sensitivity s4;
-sensitivity s5;
-sensitivity s6;
-sensitivity s7;
-sensitivity s8;
-sensitivity s9;
-sensitivity s10;
-sensitivity s11;
-sensitivity s12;
-sensitivity s13;
-sensitivity s14;
-sensitivity s15;
-
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
-
-
-#
-# Define the categories
-#
-# Each category has a name and zero or more aliases.
-#
-category c0;
-category c1;
-category c2;
-category c3;
-category c4;
-category c5;
-category c6;
-category c7;
-category c8;
-category c9;
-category c10;
-category c11;
-category c12;
-category c13;
-category c14;
-category c15;
-category c16;
-category c17;
-category c18;
-category c19;
-category c20;
-category c21;
-category c22;
-category c23;
-category c24;
-category c25;
-category c26;
-category c27;
-category c28;
-category c29;
-category c30;
-category c31;
-category c32;
-category c33;
-category c34;
-category c35;
-category c36;
-category c37;
-category c38;
-category c39;
-category c40;
-category c41;
-category c42;
-category c43;
-category c44;
-category c45;
-category c46;
-category c47;
-category c48;
-category c49;
-category c50;
-category c51;
-category c52;
-category c53;
-category c54;
-category c55;
-category c56;
-category c57;
-category c58;
-category c59;
-category c60;
-category c61;
-category c62;
-category c63;
-category c64;
-category c65;
-category c66;
-category c67;
-category c68;
-category c69;
-category c70;
-category c71;
-category c72;
-category c73;
-category c74;
-category c75;
-category c76;
-category c77;
-category c78;
-category c79;
-category c80;
-category c81;
-category c82;
-category c83;
-category c84;
-category c85;
-category c86;
-category c87;
-category c88;
-category c89;
-category c90;
-category c91;
-category c92;
-category c93;
-category c94;
-category c95;
-category c96;
-category c97;
-category c98;
-category c99;
-category c100;
-category c101;
-category c102;
-category c103;
-category c104;
-category c105;
-category c106;
-category c107;
-category c108;
-category c109;
-category c110;
-category c111;
-category c112;
-category c113;
-category c114;
-category c115;
-category c116;
-category c117;
-category c118;
-category c119;
-category c120;
-category c121;
-category c122;
-category c123;
-category c124;
-category c125;
-category c126;
-category c127;
-category c128;
-category c129;
-category c130;
-category c131;
-category c132;
-category c133;
-category c134;
-category c135;
-category c136;
-category c137;
-category c138;
-category c139;
-category c140;
-category c141;
-category c142;
-category c143;
-category c144;
-category c145;
-category c146;
-category c147;
-category c148;
-category c149;
-category c150;
-category c151;
-category c152;
-category c153;
-category c154;
-category c155;
-category c156;
-category c157;
-category c158;
-category c159;
-category c160;
-category c161;
-category c162;
-category c163;
-category c164;
-category c165;
-category c166;
-category c167;
-category c168;
-category c169;
-category c170;
-category c171;
-category c172;
-category c173;
-category c174;
-category c175;
-category c176;
-category c177;
-category c178;
-category c179;
-category c180;
-category c181;
-category c182;
-category c183;
-category c184;
-category c185;
-category c186;
-category c187;
-category c188;
-category c189;
-category c190;
-category c191;
-category c192;
-category c193;
-category c194;
-category c195;
-category c196;
-category c197;
-category c198;
-category c199;
-category c200;
-category c201;
-category c202;
-category c203;
-category c204;
-category c205;
-category c206;
-category c207;
-category c208;
-category c209;
-category c210;
-category c211;
-category c212;
-category c213;
-category c214;
-category c215;
-category c216;
-category c217;
-category c218;
-category c219;
-category c220;
-category c221;
-category c222;
-category c223;
-category c224;
-category c225;
-category c226;
-category c227;
-category c228;
-category c229;
-category c230;
-category c231;
-category c232;
-category c233;
-category c234;
-category c235;
-category c236;
-category c237;
-category c238;
-category c239;
-category c240;
-category c241;
-category c242;
-category c243;
-category c244;
-category c245;
-category c246;
-category c247;
-category c248;
-category c249;
-category c250;
-category c251;
-category c252;
-category c253;
-category c254;
-category c255;
-
-
-#
-# Each MLS level specifies a sensitivity and zero or more categories which may
-# be associated with that sensitivity.
-#
-level s0:c0.c255;
-level s1:c0.c255;
-level s2:c0.c255;
-level s3:c0.c255;
-level s4:c0.c255;
-level s5:c0.c255;
-level s6:c0.c255;
-level s7:c0.c255;
-level s8:c0.c255;
-level s9:c0.c255;
-level s10:c0.c255;
-level s11:c0.c255;
-level s12:c0.c255;
-level s13:c0.c255;
-level s14:c0.c255;
-level s15:c0.c255;
-
-
-#
-# Define the MLS policy
-#
-# mlsconstrain class_set perm_set expression ;
-#
-# mlsvalidatetrans class_set expression ;
-#
-# expression : ( expression )
-#	     | not expression
-#	     | expression and expression
-#	     | expression or expression
-#	     | u1 op u2
-#	     | r1 role_mls_op r2
-#	     | t1 op t2
-#	     | l1 role_mls_op l2
-#	     | l1 role_mls_op h2
-#	     | h1 role_mls_op l2
-#	     | h1 role_mls_op h2
-#	     | l1 role_mls_op h1
-#	     | l2 role_mls_op h2
-#	     | u1 op names
-#	     | u2 op names
-#	     | r1 op names
-#	     | r2 op names
-#	     | t1 op names
-#	     | t2 op names
-#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
-#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
-#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
-#
-# op : == | !=
-# role_mls_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name
-#
-
-#
-# MLS policy for the file classes
-#
-
-# make sure these file classes are "single level"
-mlsconstrain { file lnk_file fifo_file } { create relabelto }
-	( l2 eq h2 );
-
-# new file labels must be dominated by the relabeling subject's clearance
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
-	( h1 dom h2 );
-
-# the file "read" ops (note the check is dominance of the low level)
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsfileread ) or
-	 ( t2 == mlstrustedobject ));
-
-mlsconstrain dir search
-	(( l1 dom l2 ) or
-	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsfileread ) or
-	 ( t2 == mlstrustedobject ));
-
-# the "single level" file "write" ops
-mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsfilewrite ) or
-	 ( t2 == mlstrustedobject ));
-
-# the "ranged" file "write" ops
-mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
-	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsfilewrite ) or
-	 ( t2 == mlstrustedobject ));
-
-mlsconstrain dir { add_name remove_name reparent rmdir }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
-	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsfilewrite ) or
-	 ( t2 == mlstrustedobject ));
-
-# these access vectors have no MLS restrictions
-# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
-#
-# { file chr_file } { execute_no_trans entrypoint execmod }
-
-# the file upgrade/downgrade rule
-mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
-	((( l1 eq l2 ) or
-	  (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
-	  (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
-	  (( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
-	 (( h1 eq h2 ) or
-	  (( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or
-	  (( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or
-	  (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
-
-# create can also require the upgrade/downgrade checks if the creating process
-# has used setfscreate (note that both the high and low level of the object
-# default to the process' sensitivity level)
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
-	((( l1 eq l2 ) or
-	  (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
-	  (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
-	  (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
-	 (( l1 eq h2 ) or
-	  (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
-	  (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
-	  (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
-
-
-
-
-#
-# MLS policy for the filesystem class
-#
-
-# new filesystem labels must be dominated by the relabeling subject's clearance
-mlsconstrain filesystem relabelto
-	( h1 dom h2 );
-
-# the filesystem "read" ops (implicit single level)
-mlsconstrain filesystem { getattr quotaget }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsfileread ));
-
-# all the filesystem "write" ops (implicit single level)
-mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsfilewrite ));
-
-# these access vectors have no MLS restrictions
-# filesystem { transition associate }
-
-
-
-
-#
-# MLS policy for the socket classes
-#
-
-# new socket labels must be dominated by the relabeling subject's clearance
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
-	( h1 dom h2 );
-
-# the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsnetread ));
-
-mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
-	(( l1 dom l2 ) or
-	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsnetread ));
-
-# the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
-	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsnetwrite ));
-
-# these access vectors have no MLS restrictions
-# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
-#
-# { tcp_socket udp_socket rawip_socket } node_bind
-#
-# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
-#
-# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
-#
-
-
-
-
-#
-# MLS policy for the ipc classes
-#
-
-# the ipc "read" ops (implicit single level)
-mlsconstrain { ipc sem msgq shm } { getattr read unix_read }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsipcread ));
-
-mlsconstrain msg receive
-	(( l1 dom l2 ) or
-	 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsipcread ));
-
-# the ipc "write" ops (implicit single level)
-mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsipcwrite ));
-
-mlsconstrain msgq enqueue
-	(( l1 eq l2 ) or
-	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsipcwrite ));
-
-mlsconstrain shm lock
-	(( l1 eq l2 ) or
-	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsipcwrite ));
-
-mlsconstrain msg send
-	(( l1 eq l2 ) or
-	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsipcwrite ));
-
-# these access vectors have no MLS restrictions
-# { ipc sem msgq shm } associate
-
-
-
-
-#
-# MLS policy for the fd class
-#
-
-# these access vectors have no MLS restrictions
-# fd use
-
-
-
-
-#
-# MLS policy for the network object classes
-#
-
-# the netif/node "read" ops (implicit single level socket doing the read)
-#                           (note the check is dominance of the low level)
-mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv }
-	(( l1 dom l2 ) or ( t1 == mlsnetrecvall ));
-
-# the netif/node "write" ops (implicit single level socket doing the write)
-mlsconstrain { netif node } { tcp_send udp_send rawip_send }
-	(( l1 dom l2 ) and ( l1 domby h2 ));
-
-# these access vectors have no MLS restrictions
-# { netif node } { enforce_dest }
-
-
-
-
-#
-# MLS policy for the process class
-#
-
-# new process labels must be dominated by the relabeling subject's clearance
-# and sensitivity level changes require privilege
-mlsconstrain process transition
-	(( h1 dom h2 ) and
-	 (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or
-	  (( t1 == privrangetrans ) and ( t2 == mlsrangetrans ))));
-mlsconstrain process dyntransition
-	(( h1 dom h2 ) and
-	 (( l1 eq l2 ) or ( t1 == mlsprocsetsl )));
-
-# all the process "read" ops
-mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsprocread ));
-
-# all the process "write" ops (note the check is equality on the low level)
-mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsprocwrite ));
-
-# these access vectors have no MLS restrictions
-# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem }
-
-
-
-
-#
-# MLS policy for the security class
-#
-
-# these access vectors have no MLS restrictions
-# security *
-
-
-
-
-#
-# MLS policy for the system class
-#
-
-# these access vectors have no MLS restrictions
-# system *
-
-
-
-
-#
-# MLS policy for the capability class
-#
-
-# these access vectors have no MLS restrictions
-# capability *
-
-
-
-
-#
-# MLS policy for the passwd class
-#
-
-# these access vectors have no MLS restrictions
-# passwd *
-
-
-
-
-#
-# MLS policy for the drawable class
-#
-
-# the drawable "read" ops (implicit single level)
-mlsconstrain drawable { getattr copy }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the drawable "write" ops (implicit single level)
-mlsconstrain drawable { create destroy draw copy }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the gc class
-#
-
-# the gc "read" ops (implicit single level)
-mlsconstrain gc getattr
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the gc "write" ops (implicit single level)
-mlsconstrain gc { create free setattr }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the window class
-#
-
-# the window "read" ops (implicit single level)
-mlsconstrain window { listprop getattr enumerate mousemotion inputevent drawevent windowchangeevent windowchangerequest serverchangeevent extensionevent }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the window "write" ops (implicit single level)
-mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-# these access vectors have no MLS restrictions
-# window { map unmap }
-
-
-
-
-#
-# MLS policy for the font class
-#
-
-# the font "read" ops (implicit single level)
-mlsconstrain font { load getattr }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the font "write" ops (implicit single level)
-mlsconstrain font free
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-# these access vectors have no MLS restrictions
-# font use
-
-
-
-
-#
-# MLS policy for the colormap class
-#
-
-# the colormap "read" ops (implicit single level)
-mlsconstrain colormap { list read getattr }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the colormap "write" ops (implicit single level)
-mlsconstrain colormap { create free install uninstall store setattr }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the property class
-#
-
-# the property "read" ops (implicit single level)
-mlsconstrain property { read }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the property "write" ops (implicit single level)
-mlsconstrain property { create free write }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the cursor class
-#
-
-# the cursor "write" ops (implicit single level)
-mlsconstrain cursor { create createglyph free assign setattr }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the xclient class
-#
-
-# the xclient "write" ops (implicit single level)
-mlsconstrain xclient kill
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the xinput class
-#
-
-# the xinput "read" ops (implicit single level)
-mlsconstrain xinput { lookup getattr mousemotion }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the xinput "write" ops (implicit single level)
-mlsconstrain xinput { setattr setfocus warppointer activegrab passivegrab ungrab bell relabelinput }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the xserver class
-#
-
-# the xserver "read" ops (implicit single level)
-mlsconstrain xserver { gethostlist getfontpath getattr screensaver }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the xserver "write" ops (implicit single level)
-mlsconstrain xserver { sethostlist setfontpath grab ungrab screensaver }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the xextension class
-#
-
-# the xextension "read" ops (implicit single level)
-mlsconstrain xextension query
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the xextension "write" ops (implicit single level)
-mlsconstrain xextension use
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-#
-# MLS policy for the pax class
-#
-
-# these access vectors have no MLS restrictions
-# pax { pageexec emutramp mprotect randmmap randexec segmexec }
-
-
-
-
-#
-# MLS policy for the dbus class
-#
-
-# these access vectors have no MLS restrictions
-# dbus { acquire_svc send_msg }
-
-
-
-
-#
-# MLS policy for the nscd class
-#
-
-# these access vectors have no MLS restrictions
-# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost }
-
-
-
-
-#
-# MLS policy for the association class
-#
-
-# these access vectors have no MLS restrictions
-# association { sendto recvfrom }
-
diff --git a/strict/net_contexts b/strict/net_contexts
deleted file mode 100644
index 8ab1118..0000000
--- a/strict/net_contexts
+++ /dev/null
@@ -1,247 +0,0 @@
-# FLASK
-
-#
-# Security contexts for network entities
-# If no context is specified, then a default initial SID is used.
-#
-
-# Modified by Reino Wallin <reino@oribium.com>
-# Multi NIC, and IPSEC features
-
-# Modified by Russell Coker
-# ifdefs to encapsulate domains, and many additional port contexts
-
-#
-# Port numbers (default = initial SID "port")
-# 
-# protocol number context
-# protocol low-high context
-#
-portcon tcp 7 system_u:object_r:inetd_child_port_t
-portcon udp 7 system_u:object_r:inetd_child_port_t
-portcon tcp 9 system_u:object_r:inetd_child_port_t
-portcon udp 9 system_u:object_r:inetd_child_port_t
-portcon tcp 13 system_u:object_r:inetd_child_port_t
-portcon udp 13 system_u:object_r:inetd_child_port_t
-portcon tcp 19 system_u:object_r:inetd_child_port_t
-portcon udp 19 system_u:object_r:inetd_child_port_t
-portcon tcp 37 system_u:object_r:inetd_child_port_t
-portcon udp 37 system_u:object_r:inetd_child_port_t
-portcon tcp 113 system_u:object_r:auth_port_t
-portcon tcp 512 system_u:object_r:inetd_child_port_t
-portcon tcp 543 system_u:object_r:inetd_child_port_t
-portcon tcp 544 system_u:object_r:inetd_child_port_t
-portcon tcp 891 system_u:object_r:inetd_child_port_t
-portcon udp 891 system_u:object_r:inetd_child_port_t
-portcon tcp 892 system_u:object_r:inetd_child_port_t
-portcon udp 892 system_u:object_r:inetd_child_port_t
-portcon tcp 2105 system_u:object_r:inetd_child_port_t
-portcon tcp 20 system_u:object_r:ftp_data_port_t
-portcon tcp 21 system_u:object_r:ftp_port_t
-portcon tcp 22 system_u:object_r:ssh_port_t
-portcon tcp 23 system_u:object_r:telnetd_port_t
-
-portcon tcp 25 system_u:object_r:smtp_port_t
-portcon tcp 465 system_u:object_r:smtp_port_t
-portcon tcp 587 system_u:object_r:smtp_port_t
-
-portcon udp 500 system_u:object_r:isakmp_port_t
-portcon udp 53 system_u:object_r:dns_port_t
-portcon tcp 53 system_u:object_r:dns_port_t
-
-portcon udp 67  system_u:object_r:dhcpd_port_t
-portcon udp 647  system_u:object_r:dhcpd_port_t
-portcon tcp 647  system_u:object_r:dhcpd_port_t
-portcon udp 847  system_u:object_r:dhcpd_port_t
-portcon tcp 847  system_u:object_r:dhcpd_port_t
-portcon udp 68  system_u:object_r:dhcpc_port_t
-portcon udp 70 system_u:object_r:gopher_port_t
-portcon tcp 70 system_u:object_r:gopher_port_t
-
-portcon udp 69  system_u:object_r:tftp_port_t
-portcon tcp 79  system_u:object_r:fingerd_port_t
-
-portcon tcp 80  system_u:object_r:http_port_t
-portcon tcp 443  system_u:object_r:http_port_t
-portcon tcp 488  system_u:object_r:http_port_t
-portcon tcp 8008  system_u:object_r:http_port_t
-
-portcon tcp 106 system_u:object_r:pop_port_t
-portcon tcp 109 system_u:object_r:pop_port_t
-portcon tcp 110 system_u:object_r:pop_port_t
-portcon tcp 143 system_u:object_r:pop_port_t
-portcon tcp 220 system_u:object_r:pop_port_t
-portcon tcp 993 system_u:object_r:pop_port_t
-portcon tcp 995 system_u:object_r:pop_port_t
-portcon tcp 1109 system_u:object_r:pop_port_t
-
-portcon udp 111 system_u:object_r:portmap_port_t
-portcon tcp 111 system_u:object_r:portmap_port_t
-
-portcon tcp 119 system_u:object_r:innd_port_t
-portcon udp 123 system_u:object_r:ntp_port_t
-
-portcon tcp 137 system_u:object_r:smbd_port_t
-portcon udp 137 system_u:object_r:nmbd_port_t
-portcon tcp 138 system_u:object_r:smbd_port_t
-portcon udp 138 system_u:object_r:nmbd_port_t
-portcon tcp 139 system_u:object_r:smbd_port_t
-portcon udp 139 system_u:object_r:nmbd_port_t
-portcon tcp 445 system_u:object_r:smbd_port_t
-
-portcon udp 161 system_u:object_r:snmp_port_t
-portcon udp 162 system_u:object_r:snmp_port_t
-portcon tcp 199 system_u:object_r:snmp_port_t
-portcon udp 512 system_u:object_r:comsat_port_t
-
-portcon tcp 389 system_u:object_r:ldap_port_t
-portcon udp 389 system_u:object_r:ldap_port_t
-portcon tcp 636 system_u:object_r:ldap_port_t
-portcon udp 636 system_u:object_r:ldap_port_t
-
-portcon tcp 513 system_u:object_r:rlogind_port_t
-portcon tcp 514 system_u:object_r:rsh_port_t
-
-portcon tcp 515 system_u:object_r:printer_port_t
-portcon udp 514 system_u:object_r:syslogd_port_t
-portcon udp 517 system_u:object_r:ktalkd_port_t
-portcon udp 518 system_u:object_r:ktalkd_port_t
-portcon tcp 631 system_u:object_r:ipp_port_t
-portcon udp 631 system_u:object_r:ipp_port_t
-portcon tcp 88 system_u:object_r:kerberos_port_t
-portcon udp 88 system_u:object_r:kerberos_port_t
-portcon tcp 464 system_u:object_r:kerberos_admin_port_t
-portcon udp 464 system_u:object_r:kerberos_admin_port_t
-portcon tcp 749 system_u:object_r:kerberos_admin_port_t
-portcon tcp 750 system_u:object_r:kerberos_port_t
-portcon udp 750 system_u:object_r:kerberos_port_t
-portcon tcp 4444 system_u:object_r:kerberos_master_port_t
-portcon udp 4444 system_u:object_r:kerberos_master_port_t
-portcon tcp 783 system_u:object_r:spamd_port_t
-portcon tcp 540 system_u:object_r:uucpd_port_t
-portcon tcp 2401 system_u:object_r:cvs_port_t
-portcon udp 2401 system_u:object_r:cvs_port_t
-portcon tcp 873 system_u:object_r:rsync_port_t
-portcon udp 873 system_u:object_r:rsync_port_t
-portcon tcp 901 system_u:object_r:swat_port_t
-portcon tcp 953 system_u:object_r:rndc_port_t
-portcon tcp 1213 system_u:object_r:giftd_port_t
-portcon tcp 1241 system_u:object_r:nessus_port_t
-portcon tcp 1234 system_u:object_r:monopd_port_t
-portcon udp 1645 system_u:object_r:radius_port_t
-portcon udp 1646 system_u:object_r:radacct_port_t
-portcon udp 1812 system_u:object_r:radius_port_t
-portcon udp 1813 system_u:object_r:radacct_port_t
-portcon udp 1718 system_u:object_r:gatekeeper_port_t
-portcon udp 1719 system_u:object_r:gatekeeper_port_t
-portcon tcp 1721 system_u:object_r:gatekeeper_port_t
-portcon tcp 7000 system_u:object_r:gatekeeper_port_t
-portcon tcp 2040 system_u:object_r:afs_fs_port_t
-portcon udp 7000 system_u:object_r:afs_fs_port_t
-portcon udp 7002 system_u:object_r:afs_pt_port_t
-portcon udp 7003 system_u:object_r:afs_vl_port_t
-portcon udp 7004 system_u:object_r:afs_ka_port_t
-portcon udp 7005 system_u:object_r:afs_fs_port_t
-portcon udp 7007 system_u:object_r:afs_bos_port_t
-portcon tcp 1720 system_u:object_r:asterisk_port_t
-portcon udp 2427 system_u:object_r:asterisk_port_t
-portcon udp 2727 system_u:object_r:asterisk_port_t
-portcon udp 4569 system_u:object_r:asterisk_port_t
-portcon udp 5060 system_u:object_r:asterisk_port_t
-portcon tcp 2000 system_u:object_r:mail_port_t
-portcon tcp 2601 system_u:object_r:zebra_port_t
-portcon tcp 2628 system_u:object_r:dict_port_t
-portcon tcp 3306 system_u:object_r:mysqld_port_t
-portcon tcp 3632 system_u:object_r:distccd_port_t
-portcon udp 4011 system_u:object_r:pxe_port_t
-portcon udp 5000 system_u:object_r:openvpn_port_t
-portcon tcp 5323 system_u:object_r:imaze_port_t
-portcon udp 5323 system_u:object_r:imaze_port_t
-portcon tcp 5335 system_u:object_r:howl_port_t
-portcon udp 5353 system_u:object_r:howl_port_t
-portcon tcp 5222 system_u:object_r:jabber_client_port_t
-portcon tcp 5223 system_u:object_r:jabber_client_port_t
-portcon tcp 5269 system_u:object_r:jabber_interserver_port_t
-portcon tcp 5432 system_u:object_r:postgresql_port_t
-portcon tcp 5666 system_u:object_r:inetd_child_port_t
-portcon tcp 5703 system_u:object_r:ptal_port_t
-portcon tcp 50000 system_u:object_r:hplip_port_t
-portcon tcp 50002 system_u:object_r:hplip_port_t
-portcon tcp 5900  system_u:object_r:vnc_port_t 
-portcon tcp 5988  system_u:object_r:pegasus_http_port_t
-portcon tcp 5989  system_u:object_r:pegasus_https_port_t
-portcon tcp 6000  system_u:object_r:xserver_port_t
-portcon tcp 6001  system_u:object_r:xserver_port_t
-portcon tcp 6002  system_u:object_r:xserver_port_t
-portcon tcp 6003  system_u:object_r:xserver_port_t
-portcon tcp 6004  system_u:object_r:xserver_port_t
-portcon tcp 6005  system_u:object_r:xserver_port_t
-portcon tcp 6006  system_u:object_r:xserver_port_t
-portcon tcp 6007  system_u:object_r:xserver_port_t
-portcon tcp 6008  system_u:object_r:xserver_port_t
-portcon tcp 6009  system_u:object_r:xserver_port_t
-portcon tcp 6010  system_u:object_r:xserver_port_t
-portcon tcp 6011  system_u:object_r:xserver_port_t
-portcon tcp 6012  system_u:object_r:xserver_port_t
-portcon tcp 6013  system_u:object_r:xserver_port_t
-portcon tcp 6014  system_u:object_r:xserver_port_t
-portcon tcp 6015  system_u:object_r:xserver_port_t
-portcon tcp 6016  system_u:object_r:xserver_port_t
-portcon tcp 6017  system_u:object_r:xserver_port_t
-portcon tcp 6018  system_u:object_r:xserver_port_t
-portcon tcp 6019  system_u:object_r:xserver_port_t
-portcon tcp 6667 system_u:object_r:ircd_port_t
-portcon tcp 8000 system_u:object_r:soundd_port_t
-# 9433 is for YIFF
-portcon tcp 9433 system_u:object_r:soundd_port_t
-portcon tcp 3128  system_u:object_r:http_cache_port_t
-portcon tcp 8080  system_u:object_r:http_cache_port_t
-portcon udp 3130  system_u:object_r:http_cache_port_t
-# 8118 is for privoxy
-portcon tcp 8118  system_u:object_r:http_cache_port_t
-
-portcon udp 4041 system_u:object_r:clockspeed_port_t
-portcon tcp 8081 system_u:object_r:transproxy_port_t
-portcon udp 10080 system_u:object_r:amanda_port_t
-portcon tcp 10080 system_u:object_r:amanda_port_t
-portcon udp 10081 system_u:object_r:amanda_port_t
-portcon tcp 10081 system_u:object_r:amanda_port_t
-portcon tcp 10082 system_u:object_r:amanda_port_t
-portcon tcp 10083 system_u:object_r:amanda_port_t
-portcon tcp 60000 system_u:object_r:postgrey_port_t
-
-portcon tcp 10024 system_u:object_r:amavisd_recv_port_t
-portcon tcp 10025 system_u:object_r:amavisd_send_port_t
-portcon tcp 3310 system_u:object_r:clamd_port_t
-portcon udp 6276 system_u:object_r:dcc_port_t
-portcon udp 6277 system_u:object_r:dcc_port_t
-portcon udp 24441 system_u:object_r:pyzor_port_t
-portcon tcp 2703 system_u:object_r:razor_port_t
-portcon tcp 8021 system_u:object_r:zope_port_t
-
-# Defaults for reserved ports.  Earlier portcon entries take precedence;
-# these entries just cover any remaining reserved ports not otherwise 
-# declared or omitted due to removal of a domain.
-portcon tcp 1-1023 system_u:object_r:reserved_port_t
-portcon udp 1-1023 system_u:object_r:reserved_port_t
-
-# Network interfaces (default = initial SID "netif" and "netmsg")
-#
-# interface netif_context default_msg_context
-#
-
-# Nodes (default = initial SID "node")
-#
-# address mask context
-#
-nodecon 127.0.0.1	  255.255.255.255			   system_u:object_r:node_lo_t
-nodecon 0.0.0.0		  255.255.255.255			   system_u:object_r:node_inaddr_any_t
-nodecon ::		  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  system_u:object_r:node_unspec_t
-nodecon ::1		  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  system_u:object_r:node_lo_t
-nodecon ff00::		  ff00::				   system_u:object_r:node_multicast_t
-nodecon fe80::		  ffff:ffff:ffff:ffff::			   system_u:object_r:node_link_local_t
-nodecon fec0::		  ffc0::				   system_u:object_r:node_site_local_t
-nodecon ::		  ffff:ffff:ffff:ffff:ffff:ffff::	   system_u:object_r:node_compat_ipv4_t
-nodecon ::ffff:0000:0000  ffff:ffff:ffff:ffff:ffff:ffff::	   system_u:object_r:node_mapped_ipv4_t
-
-# FLASK
diff --git a/strict/rbac b/strict/rbac
deleted file mode 100644
index 708f70d..0000000
--- a/strict/rbac
+++ /dev/null
@@ -1,33 +0,0 @@
-################################################
-#
-# Role-based access control (RBAC) configuration.
-#
-
-# The RBAC configuration was originally centralized in this
-# file, but has been decomposed into individual role declarations, 
-# role allow rules, and role transition rules throughout the TE 
-# configuration to support easy removal or adding of domains without 
-# modifying a centralized file each time. This also allowed the macros 
-# to properly instantiate role declarations and rules for domains.
-# Hence, this file is largely unused, except for miscellaneous 
-# role allow rules.
-
-########################################
-#
-# Role allow rules.
-#
-# A role allow rule specifies the allowable
-# transitions between roles on an execve.
-# If no rule is specified, then the change in
-# roles will not be permitted.  Additional
-# controls over role transitions based on the
-# type of the process may be specified through
-# the constraints file.
-#
-# The syntax of a role allow rule is:
-# 	allow current_role new_role ;
-# 
-# Allow the admin role to transition to the system
-# role for run_init.
-#
-allow sysadm_r system_r;
diff --git a/strict/tunables/distro.tun b/strict/tunables/distro.tun
deleted file mode 100644
index 2d49189..0000000
--- a/strict/tunables/distro.tun
+++ /dev/null
@@ -1,14 +0,0 @@
-# Distro-specific customizations.
-
-# Comment out all but the one that matches your distro.
-# The policy .te files can then wrap distro-specific customizations with
-# appropriate ifdefs.
-
-
-dnl define(`distro_redhat')
-
-dnl define(`distro_suse')
-
-dnl define(`distro_gentoo')
-
-dnl define(`distro_debian')
diff --git a/strict/tunables/tunable.tun b/strict/tunables/tunable.tun
deleted file mode 100644
index a6cc2f4..0000000
--- a/strict/tunables/tunable.tun
+++ /dev/null
@@ -1,34 +0,0 @@
-# Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
-
-# Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
-
-# Allow rc scripts to run unconfined, including any daemon
-# started by an rc script that does not have a domain transition
-# explicitly defined.
-dnl define(`unlimitedRC')
-
-# Allow sysadm_t to directly start daemons
-define(`direct_sysadm_daemon')
-
-# Do not allow sysadm_t to be in the security manager domain
-dnl define(`separate_secadm')
-
-# Do not audit things that we know to be broken but which
-# are not security risks
-dnl define(`hide_broken_symptoms')
-
-# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
-# Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
-
-# Allow xinetd to run unconfined, including any services it starts
-# that do not have a domain transition explicitly defined.
-dnl define(`unlimitedInetd')
-
-# for ndc_t to be used for restart shell scripts
-dnl define(`ndc_shell_script')
-
-# Enable Polyinstantiation support
-dnl define(`support_polyinstatiation')
diff --git a/strict/types/device.te b/strict/types/device.te
deleted file mode 100644
index ffa6c11..0000000
--- a/strict/types/device.te
+++ /dev/null
@@ -1,163 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-############################################
-#
-# Device types
-#
-
-#
-# device_t is the type of /dev.
-#
-type device_t, file_type, mount_point, dev_fs;
-
-#
-# null_device_t is the type of /dev/null.
-#
-type null_device_t, device_type, dev_fs, mlstrustedobject;
-
-#
-# zero_device_t is the type of /dev/zero.
-#
-type zero_device_t, device_type, dev_fs, mlstrustedobject;
-
-#
-# console_device_t is the type of /dev/console.
-#
-type console_device_t, device_type, dev_fs;
-
-#
-# xconsole_device_t is the type of /dev/xconsole
-type xconsole_device_t, file_type, dev_fs;
-
-#
-# memory_device_t is the type of /dev/kmem,
-# /dev/mem, and /dev/port.
-#
-type memory_device_t, device_type, dev_fs;
-
-#
-# random_device_t is the type of /dev/random
-# urandom_device_t is the type of /dev/urandom
-#
-type random_device_t, device_type, dev_fs;
-type urandom_device_t, device_type, dev_fs;
-
-#
-# devtty_t is the type of /dev/tty.
-#
-type devtty_t, device_type, dev_fs, mlstrustedobject;
-
-#
-# tty_device_t is the type of /dev/*tty*
-#
-type tty_device_t, serial_device, device_type, dev_fs;
-
-#
-# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
-type bsdpty_device_t, device_type, dev_fs;
-
-#
-# usbtty_device_t is the type of /dev/usr/tty*
-#
-type usbtty_device_t, serial_device, device_type, dev_fs;
-
-#
-# printer_device_t is the type for printer devices
-#
-type printer_device_t, device_type, dev_fs;
-
-#
-# fixed_disk_device_t is the type of 
-# /dev/hd* and /dev/sd*.
-#
-type fixed_disk_device_t, device_type, dev_fs;
-
-#
-# scsi_generic_device_t is the type of /dev/sg*
-# it gives access to ALL SCSI devices (both fixed and removable)
-#
-type scsi_generic_device_t, device_type, dev_fs;
-
-#
-# removable_device_t is the type of
-# /dev/scd* and /dev/fd*.
-#
-type removable_device_t, device_type, dev_fs;
-
-#
-# clock_device_t is the type of
-# /dev/rtc.
-#
-type clock_device_t, device_type, dev_fs;
-
-#
-# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
-#
-type tun_tap_device_t, device_type, dev_fs;
-
-#
-# misc_device_t is the type of miscellaneous devices.
-# XXX:  FIXME!  Appropriate access to these devices need to be identified.
-#
-type misc_device_t, device_type, dev_fs;
-
-#
-# A more general type for mouse devices.
-#
-type mouse_device_t, device_type, dev_fs;
-
-#
-# For generic /dev/input/event* event devices
-#
-type event_device_t, device_type, dev_fs;
-
-#
-# Not sure what these devices are for, but X wants access to them.
-#
-type agp_device_t, device_type, dev_fs;
-type dri_device_t, device_type, dev_fs;
-
-# Type for sound devices.
-type sound_device_t, device_type, dev_fs;
-
-# Type for /dev/ppp.
-type ppp_device_t, device_type, dev_fs;
-
-# Type for frame buffer /dev/fb/*
-type framebuf_device_t, device_type, dev_fs;
-
-# Type for /dev/.devfsd
-type devfs_control_t, device_type, dev_fs;
-
-# Type for /dev/cpu/mtrr
-type mtrr_device_t, device_type, dev_fs;
-
-# Type for /dev/pmu 
-type power_device_t, device_type, dev_fs;
-
-# Type for /dev/apm_bios
-type apm_bios_t, device_type, dev_fs;
-
-# Type for v4l
-type v4l_device_t, device_type, dev_fs;
-
-# tape drives
-type tape_device_t, device_type, dev_fs;
-
-# scanners
-type scanner_device_t, device_type, dev_fs;
-
-# cpu control devices /dev/cpu/0/*
-type cpu_device_t, device_type, dev_fs;
-
-# for other device nodes such as the NVidia binary-only driver
-type xserver_misc_device_t, device_type, dev_fs;
-
-# for the IBM zSeries z90crypt hardware ssl accelorator
-type crypt_device_t, device_type, dev_fs;
-
-
-
-
diff --git a/strict/types/devpts.te b/strict/types/devpts.te
deleted file mode 100644
index 291ec53..0000000
--- a/strict/types/devpts.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-############################################
-#
-# Devpts types
-#
-
-#
-# ptmx_t is the type for /dev/ptmx.
-#
-type ptmx_t, sysadmfile, device_type, dev_fs, mlstrustedobject;
-
-#
-# devpts_t is the type of the devpts file system and 
-# the type of the root directory of the file system.
-#
-type devpts_t, mount_point, fs_type;
-
-ifdef(`targeted_policy', `
-typeattribute devpts_t ttyfile;
-')
-
diff --git a/strict/types/file.te b/strict/types/file.te
deleted file mode 100644
index 7b6fa9e..0000000
--- a/strict/types/file.te
+++ /dev/null
@@ -1,349 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-#######################################
-#
-# General file-related types
-#
-
-#
-# unlabeled_t is the type of unlabeled objects.
-# Objects that have no known labeling information or that
-# have labels that are no longer valid are treated as having this type.
-#
-type unlabeled_t, sysadmfile;
-
-#
-# fs_t is the default type for conventional filesystems.
-#
-type fs_t, fs_type;
-
-# needs more work
-type eventpollfs_t, fs_type;
-type futexfs_t, fs_type;
-type bdev_t, fs_type;
-type usbfs_t, mount_point, fs_type;
-type nfsd_fs_t, fs_type;
-type rpc_pipefs_t, fs_type;
-type binfmt_misc_fs_t, mount_point, fs_type;
-
-#
-# file_t is the default type of a file that has not yet been
-# assigned an extended attribute (EA) value (when using a filesystem
-# that supports EAs).
-#
-type file_t, file_type, mount_point, sysadmfile;
-
-# default_t is the default type for files that do not
-# match any specification in the file_contexts configuration
-# other than the generic /.* specification.
-type default_t, file_type, mount_point, sysadmfile;
-
-#
-# root_t is the type for the root directory.
-#
-type root_t, file_type, mount_point, polyparent, sysadmfile;
-
-#
-# mnt_t is the type for mount points such as /mnt/cdrom
-type mnt_t, file_type, mount_point, sysadmfile;
-
-#
-# home_root_t is the type for the directory where user home directories
-# are created
-#
-type home_root_t, file_type, mount_point, polyparent, sysadmfile;
-
-#
-# lost_found_t is the type for the lost+found directories.
-#
-type lost_found_t, file_type, sysadmfile;
-
-#
-# boot_t is the type for files in /boot,
-# including the kernel.
-#
-type boot_t, file_type, mount_point, sysadmfile;
-# system_map_t is for the system.map files in /boot
-type system_map_t, file_type, sysadmfile;
-
-#
-# boot_runtime_t is the type for /boot/kernel.h,
-# which is automatically generated at boot time.
-# only for red hat
-type boot_runtime_t, file_type, sysadmfile;
-
-#
-# tmp_t is the type of /tmp and /var/tmp.
-#
-type tmp_t, file_type, mount_point, sysadmfile, polydir, tmpfile;
-
-#
-# etc_t is the type of the system etc directories.
-#
-type etc_t, file_type, sysadmfile;
-
-#
-# shadow_t is the type of the /etc/shadow file
-#
-type shadow_t, file_type, secure_file_type;
-allow auth shadow_t:file { getattr read };
-
-#
-# ld_so_cache_t is the type of /etc/ld.so.cache.
-#
-type ld_so_cache_t, file_type, sysadmfile;
-
-#
-# etc_runtime_t is the type of various
-# files in /etc that are automatically
-# generated during initialization.
-#
-type etc_runtime_t, file_type, sysadmfile;
-
-#
-# fonts_runtime_t is the type of various
-# fonts files in /usr that are automatically
-# generated during initialization.
-#
-type fonts_t, file_type, sysadmfile, usercanread;
-
-#
-# etc_aliases_t is the type of the aliases database.
-#
-type etc_aliases_t, file_type, sysadmfile;
-
-# net_conf_t is the type of the /etc/resolv.conf file.
-# all DHCP clients and PPP need write access to this file.
-type net_conf_t, file_type, sysadmfile;
-
-#
-# lib_t is the type of files in the system lib directories.
-#
-type lib_t, file_type, sysadmfile;
-
-#
-# shlib_t is the type of shared objects in the system lib
-# directories.
-#
-ifdef(`targeted_policy', `
-typealias lib_t alias shlib_t;
-', `
-type shlib_t, file_type, sysadmfile;
-')
-
-#
-# texrel_shlib_t is the type of shared objects in the system lib
-# directories, which require text relocation.
-#
-ifdef(`targeted_policy', `
-typealias lib_t alias texrel_shlib_t;
-', `
-type texrel_shlib_t, file_type, sysadmfile;
-')
-
-# ld_so_t is the type of the system dynamic loaders.
-#
-type ld_so_t, file_type, sysadmfile;
-
-#
-# bin_t is the type of files in the system bin directories.
-#
-type bin_t, file_type, sysadmfile;
-
-#
-# cert_t is the type of files in the system certs directories.
-#
-type cert_t, file_type, sysadmfile, secure_file_type;
-
-#
-# ls_exec_t is the type of the ls program.
-#
-type ls_exec_t, file_type, exec_type, sysadmfile;
-
-#
-# shell_exec_t is the type of user shells such as /bin/bash.
-#
-type shell_exec_t, file_type, exec_type, sysadmfile;
-
-#
-# sbin_t is the type of files in the system sbin directories.
-#
-type sbin_t, file_type, sysadmfile;
-
-#
-# usr_t is the type for /usr.
-#
-type usr_t, file_type, mount_point, sysadmfile;
-
-#
-# src_t is the type of files in the system src directories.
-#
-type src_t, file_type, mount_point, sysadmfile;
-
-#
-# var_t is the type for /var.
-#
-type var_t, file_type, mount_point, sysadmfile;
-
-#
-# Types for subdirectories of /var.
-#
-type var_run_t, file_type, sysadmfile;
-type var_log_t, file_type, sysadmfile, logfile;
-typealias var_log_t alias crond_log_t;
-type faillog_t, file_type, sysadmfile, logfile;
-type var_lock_t, file_type, sysadmfile, lockfile;
-type var_lib_t, mount_point, file_type, sysadmfile;
-# for /var/{spool,lib}/texmf index files
-type tetex_data_t, file_type, sysadmfile, tmpfile;
-type var_spool_t, file_type, sysadmfile, tmpfile;
-type var_yp_t, file_type, sysadmfile;
-
-# Type for /var/log/ksyms.
-type var_log_ksyms_t, file_type, sysadmfile, logfile;
-
-# Type for /var/log/lastlog.
-type lastlog_t, file_type, sysadmfile, logfile;
-
-# Type for /var/lib/nfs.
-type var_lib_nfs_t, file_type, mount_point, sysadmfile, usercanread;
-
-#
-# wtmp_t is the type of /var/log/wtmp.
-#
-type wtmp_t, file_type, sysadmfile, logfile;
-
-#
-# cron_spool_t is the type for /var/spool/cron.
-#
-type cron_spool_t, file_type, sysadmfile;
-
-#
-# print_spool_t is the type for /var/spool/lpd and /var/spool/cups.
-#
-type print_spool_t, file_type, sysadmfile, tmpfile;
-
-#
-# mail_spool_t is the type for /var/spool/mail.
-#
-type mail_spool_t, file_type, sysadmfile;
-
-#
-# mqueue_spool_t is the type for /var/spool/mqueue.
-#
-type mqueue_spool_t, file_type, sysadmfile;
-
-#
-# man_t is the type for the man directories.
-#
-type man_t, file_type, sysadmfile;
-typealias man_t alias catman_t;
-
-#
-# readable_t is a general type for
-# files that are readable by all domains.
-#
-type readable_t, file_type, sysadmfile;
-
-# 
-# Base type for the tests directory.
-# 
-type test_file_t, file_type, sysadmfile;
-
-#
-# poly_t is the type for the polyinstantiated directories.
-#
-type poly_t, file_type, sysadmfile;
-
-#
-# swapfile_t is for swap files
-#
-type swapfile_t, file_type, sysadmfile;
-
-#
-# locale_t is the type for system localization
-# 
-type locale_t, file_type, sysadmfile;
-
-#
-# Allow each file type to be associated with 
-# the default file system type.
-#
-allow { file_type device_type ttyfile } fs_t:filesystem associate;
-
-# Allow the pty to be associated with the file system.
-allow devpts_t self:filesystem associate;
-
-type tmpfs_t, file_type, mount_point, sysadmfile, fs_type;
-allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;
-allow { logfile tmpfile home_type } tmp_t:filesystem associate;
-ifdef(`distro_redhat', `
-allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
-')
-
-type autofs_t, fs_type, noexattrfile, sysadmfile;
-allow autofs_t self:filesystem associate;
-
-type usbdevfs_t, fs_type, mount_point, noexattrfile, sysadmfile;
-allow usbdevfs_t self:filesystem associate;
-
-type sysfs_t, mount_point, fs_type,  sysadmfile;
-allow sysfs_t self:filesystem associate;
-
-type iso9660_t, fs_type, noexattrfile, sysadmfile;
-allow iso9660_t self:filesystem associate;
-
-type romfs_t, fs_type, sysadmfile;
-allow romfs_t self:filesystem associate;
-
-type ramfs_t, fs_type, sysadmfile;
-allow ramfs_t self:filesystem associate;
-
-type dosfs_t, fs_type, noexattrfile, sysadmfile;
-allow dosfs_t self:filesystem associate;
-
-type hugetlbfs_t, mount_point, fs_type,  sysadmfile;
-allow hugetlbfs_t self:filesystem associate;
-
-typealias file_t alias  mqueue_t;
-
-# udev_runtime_t is the type of the udev table file
-type udev_runtime_t, file_type, sysadmfile;
-
-# krb5_conf_t is the type of the /etc/krb5.conf file
-type krb5_conf_t, file_type, sysadmfile;
-
-type cifs_t, fs_type, noexattrfile, sysadmfile;
-allow cifs_t self:filesystem associate;
-
-type debugfs_t, fs_type, sysadmfile;
-allow debugfs_t self:filesystem associate;
-
-type inotifyfs_t, fs_type, sysadmfile;
-allow inotifyfs_t self:filesystem associate;
-
-type capifs_t, fs_type, sysadmfile;
-allow capifs_t self:filesystem associate;
-
-# removable_t is the default type of all removable media
-type removable_t, file_type, sysadmfile, usercanread;
-allow removable_t self:filesystem associate;
-allow file_type removable_t:filesystem associate;
-allow file_type noexattrfile:filesystem associate;
-
-# Type for anonymous FTP data, used by ftp and rsync
-type public_content_t, file_type, sysadmfile, customizable;
-type public_content_rw_t, file_type, sysadmfile, customizable;
-typealias public_content_t alias ftpd_anon_t;
-typealias public_content_rw_t alias ftpd_anon_rw_t;
-
-allow customizable self:filesystem associate;
-
-# type for /tmp/.ICE-unix
-type ice_tmp_t, file_type, sysadmfile, tmpfile;
-
-# type for /usr/share/hwdata
-type hwdata_t, file_type, sysadmfile;
-
diff --git a/strict/types/network.te b/strict/types/network.te
deleted file mode 100644
index eb8bdcb..0000000
--- a/strict/types/network.te
+++ /dev/null
@@ -1,178 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-# Modified by Reino Wallin <reino@oribium.com>
-# Multi NIC, and IPSEC features
-
-# Modified by Russell Coker
-# Move port types to their respective domains, add ifdefs, other cleanups.
-
-type xserver_port_t, port_type;
-#
-# Defines used by the te files need to be defined outside of net_constraints
-#
-type rsh_port_t, port_type, reserved_port_type;
-type dns_port_t, port_type, reserved_port_type;
-type smtp_port_t, port_type, reserved_port_type;
-type dhcpd_port_t, port_type, reserved_port_type;
-type smbd_port_t, port_type, reserved_port_type;
-type nmbd_port_t, port_type, reserved_port_type;
-type http_cache_port_t, port_type;
-type http_port_t, port_type, reserved_port_type;
-type ipp_port_t, port_type, reserved_port_type;
-type gopher_port_t, port_type, reserved_port_type;
-type isakmp_port_t, port_type, reserved_port_type;
-
-allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
-type pop_port_t, port_type, reserved_port_type;
-
-type ftp_port_t, port_type, reserved_port_type;
-type ftp_data_port_t, port_type, reserved_port_type;
-
-############################################
-#
-# Network types
-#
-
-#
-# mail_port_t is for generic mail ports shared by different mail servers
-#
-type mail_port_t, port_type;
-
-#
-# Ports used to communicate with kerberos server
-#
-type kerberos_port_t, port_type, reserved_port_type;
-type kerberos_admin_port_t, port_type, reserved_port_type;
-type kerberos_master_port_t, port_type;
-
-#
-# Ports used to communicate with portmap server
-#
-type portmap_port_t, port_type, reserved_port_type;
-
-#
-# Ports used to communicate with ldap server
-#
-type ldap_port_t, port_type, reserved_port_type;
-
-#
-# port_t is the default type of INET port numbers.
-# The *_port_t types are used for specific port
-# numbers in net_contexts or net_contexts.mls.
-#
-type port_t, port_type;
-
-# reserved_port_t is the default type for INET reserved ports
-# that are not otherwise mapped to a specific port type.
-type reserved_port_t, port_type, reserved_port_type;
-
-#
-# netif_t is the default type of network interfaces.
-# The netif_*_t types are used for specific network
-# interfaces in net_contexts or net_contexts.mls.
-#
-type netif_t, netif_type;
-
-#
-# node_t is the default type of network nodes.
-# The node_*_t types are used for specific network
-# nodes in net_contexts or net_contexts.mls.
-#
-type node_t, node_type;
-type node_lo_t, node_type;
-type node_internal_t, node_type;
-type node_inaddr_any_t, node_type;
-type node_unspec_t, node_type;
-type node_link_local_t, node_type;
-type node_site_local_t, node_type;
-type node_multicast_t, node_type;
-type node_mapped_ipv4_t, node_type;
-type node_compat_ipv4_t, node_type;
-
-# Kernel-generated traffic, e.g. ICMP replies.
-allow kernel_t netif_type:netif { rawip_send rawip_recv };
-allow kernel_t node_type:node { rawip_send rawip_recv };
-
-# Kernel-generated traffic, e.g. TCP resets.
-allow kernel_t netif_type:netif { tcp_send tcp_recv };
-allow kernel_t node_type:node { tcp_send tcp_recv };
-type radius_port_t, port_type;
-type radacct_port_t, port_type;
-type rndc_port_t, port_type, reserved_port_type;
-type tftp_port_t, port_type, reserved_port_type;
-type printer_port_t, port_type, reserved_port_type;
-type mysqld_port_t, port_type;
-type postgresql_port_t, port_type;
-type ptal_port_t, port_type;
-type howl_port_t, port_type;
-type dict_port_t, port_type;
-type syslogd_port_t, port_type, reserved_port_type;
-type spamd_port_t, port_type, reserved_port_type;
-type ssh_port_t, port_type, reserved_port_type;
-type pxe_port_t, port_type;
-type amanda_port_t, port_type;
-type fingerd_port_t, port_type, reserved_port_type;
-type dhcpc_port_t, port_type, reserved_port_type;
-type ntp_port_t, port_type, reserved_port_type;
-type stunnel_port_t, port_type;
-type zebra_port_t, port_type;
-type i18n_input_port_t, port_type;
-type vnc_port_t, port_type;
-type pegasus_http_port_t, port_type;
-type pegasus_https_port_t, port_type;
-type openvpn_port_t, port_type;
-type clamd_port_t, port_type;
-type transproxy_port_t, port_type;
-type clockspeed_port_t, port_type;
-type pyzor_port_t, port_type;
-type postgrey_port_t, port_type;
-type asterisk_port_t, port_type;
-type utcpserver_port_t, port_type;
-type nessus_port_t, port_type;
-type razor_port_t, port_type;
-type distccd_port_t, port_type;
-type socks_port_t, port_type;
-type gatekeeper_port_t, port_type;
-type dcc_port_t, port_type;
-type lrrd_port_t, port_type;
-type jabber_client_port_t, port_type;
-type jabber_interserver_port_t, port_type;
-type ircd_port_t, port_type;
-type giftd_port_t, port_type;
-type soundd_port_t, port_type;
-type imaze_port_t, port_type;
-type monopd_port_t, port_type;
-# Differentiate between the port where amavisd receives mail, and the
-# port where it returns cleaned mail back to the MTA.
-type amavisd_recv_port_t, port_type;
-type amavisd_send_port_t, port_type;
-type innd_port_t, port_type, reserved_port_type;
-type snmp_port_t, port_type, reserved_port_type;
-type biff_port_t, port_type, reserved_port_type;
-type hplip_port_t, port_type;
-
-#inetd_child_ports
-
-type rlogind_port_t, port_type, reserved_port_type;
-type telnetd_port_t, port_type, reserved_port_type;
-type comsat_port_t, port_type, reserved_port_type;
-type cvs_port_t, port_type;
-type dbskkd_port_t, port_type;
-type inetd_child_port_t, port_type, reserved_port_type;
-type ktalkd_port_t, port_type, reserved_port_type;
-type rsync_port_t, port_type, reserved_port_type;
-type uucpd_port_t, port_type, reserved_port_type;
-type swat_port_t, port_type, reserved_port_type;
-type zope_port_t, port_type;
-type auth_port_t, port_type, reserved_port_type;
-
-# afs ports
-
-type afs_fs_port_t, port_type;
-type afs_pt_port_t, port_type;
-type afs_vl_port_t, port_type;
-type afs_ka_port_t, port_type;
-type afs_bos_port_t, port_type;
-
diff --git a/strict/types/nfs.te b/strict/types/nfs.te
deleted file mode 100644
index 9076bb8..0000000
--- a/strict/types/nfs.te
+++ /dev/null
@@ -1,22 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-#############################################
-#
-# NFS types
-#
-
-#
-# nfs_t is the default type for NFS file systems 
-# and their files.  
-# The nfs_*_t types are used for specific NFS
-# servers in net_contexts or net_contexts.mls.
-#
-type nfs_t, mount_point, fs_type;
-
-#
-# Allow NFS files to be associated with an NFS file system.
-#
-allow nfs_t self:filesystem associate;
-allow file_type nfs_t:filesystem associate;
diff --git a/strict/types/procfs.te b/strict/types/procfs.te
deleted file mode 100644
index 20703ac..0000000
--- a/strict/types/procfs.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-############################################
-#
-# Procfs types
-#
-
-#
-# proc_t is the type of /proc.
-# proc_kmsg_t is the type of /proc/kmsg.
-# proc_kcore_t is the type of /proc/kcore.
-# proc_mdstat_t is the type of /proc/mdstat.
-# proc_net_t is the type of /proc/net.
-#
-type proc_t, fs_type, mount_point, proc_fs;
-type proc_kmsg_t, proc_fs;
-type proc_kcore_t, proc_fs;
-type proc_mdstat_t, proc_fs;
-type proc_net_t, proc_fs;
-
-#
-# sysctl_t is the type of /proc/sys.
-# sysctl_fs_t is the type of /proc/sys/fs.
-# sysctl_kernel_t is the type of /proc/sys/kernel.
-# sysctl_modprobe_t is the type of /proc/sys/kernel/modprobe.
-# sysctl_hotplug_t is the type of /proc/sys/kernel/hotplug.
-# sysctl_net_t is the type of /proc/sys/net.
-# sysctl_net_unix_t is the type of /proc/sys/net/unix.
-# sysctl_vm_t is the type of /proc/sys/vm.
-# sysctl_dev_t is the type of /proc/sys/dev.
-# sysctl_rpc_t is the type of /proc/net/rpc.
-#
-# These types are applied to both the entries in
-# /proc/sys and the corresponding sysctl parameters.
-#
-type sysctl_t, mount_point, sysctl_type;
-type sysctl_fs_t, sysctl_type;
-type sysctl_kernel_t, sysctl_type;
-type sysctl_modprobe_t, sysctl_type;
-type sysctl_hotplug_t, sysctl_type;
-type sysctl_net_t, sysctl_type;
-type sysctl_net_unix_t, sysctl_type;
-type sysctl_vm_t, sysctl_type;
-type sysctl_dev_t, sysctl_type;
-type sysctl_rpc_t, sysctl_type;
-type sysctl_irq_t, sysctl_type;
-
-
diff --git a/strict/types/security.te b/strict/types/security.te
deleted file mode 100644
index 76d97dd..0000000
--- a/strict/types/security.te
+++ /dev/null
@@ -1,54 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-############################################
-#
-# Security types
-#
-
-# 
-# security_t is the target type when checking
-# the permissions in the security class.  It is also
-# applied to selinuxfs inodes.
-#
-type security_t, mount_point, fs_type, mlstrustedobject;
-
-#
-# policy_config_t is the type of /etc/security/selinux/*
-# the security server policy configuration.
-#
-type policy_config_t, file_type, secadmfile;
-
-#
-# policy_src_t is the type of the policy source
-# files.
-#
-type policy_src_t, file_type, secadmfile;
-
-
-#
-# default_context_t is the type applied to 
-# /etc/selinux/*/contexts/*
-#
-type default_context_t, file_type, login_contexts, secadmfile;
-
-#
-# file_context_t is the type applied to 
-# /etc/selinux/*/contexts/files
-#
-type file_context_t, file_type, secadmfile;
-
-#
-# no_access_t is the type for objects that should
-# only be accessed administratively. 
-#
-type no_access_t, file_type, sysadmfile;
-
-#
-# selinux_config_t is the type applied to 
-# /etc/selinux/config
-#
-type selinux_config_t, file_type, secadmfile;
-
-
diff --git a/strict/types/x.te b/strict/types/x.te
deleted file mode 100644
index 0cee314..0000000
--- a/strict/types/x.te
+++ /dev/null
@@ -1,32 +0,0 @@
-#
-# Authors:  Eamon Walsh <ewalsh@epoch.ncsc.mil>
-#
-
-#######################################
-#
-# Types for the SELinux-enabled X Window System
-#
-
-#
-# X protocol extension types.  The SELinux extension in the X server
-# has a hardcoded table that maps actual extension names to these types.
-#
-type accelgraphics_ext_t, xextension;
-type debug_ext_t, xextension;
-type font_ext_t, xextension;
-type input_ext_t, xextension;
-type screensaver_ext_t, xextension;
-type security_ext_t, xextension;
-type shmem_ext_t, xextension;
-type std_ext_t, xextension;
-type sync_ext_t, xextension;
-type unknown_ext_t, xextension;
-type video_ext_t, xextension;
-type windowmgr_ext_t, xextension;
-
-#
-# X property types.  The SELinux extension in the X server has a 
-# hardcoded table that maps actual extension names to these types.
-#
-type wm_property_t, xproperty;
-type unknown_property_t, xproperty;
diff --git a/strict/users b/strict/users
deleted file mode 100644
index acf0292..0000000
--- a/strict/users
+++ /dev/null
@@ -1,57 +0,0 @@
-##################################
-#
-# User configuration.
-#
-# This file defines each user recognized by the system security policy.
-# Only the user identities defined in this file may be used as the
-# user attribute in a security context.
-#
-# Each user has a set of roles that may be entered by processes
-# with the users identity.  The syntax of a user declaration is:
-#
-# 	user username roles role_set [ level default_level range allowed_range ] level s0 range s0;
-#
-# The MLS default level and allowed range should only be specified if 
-# MLS was enabled in the policy.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system_u,
-# and a user process should never be assigned the system_u user
-# identity.
-#
-user system_u roles system_r;
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined.  The modified daemons will use
-# this user identity in the security context if there is no matching
-# SELinux user identity for a Linux user.  If you do not want to
-# permit any access to such users, then remove this entry.
-#
-user user_u roles { user_r }; 
-
-#
-# The following users correspond to Unix identities.
-# These identities are typically assigned as the user attribute
-# when login starts the user shell.  Users with access to the sysadm_r
-# role should use the staff_r role instead of the user_r role when
-# not in the sysadm_r.
-#
-
-# The sysadm_r user also needs to be permitted system_r if we are to allow
-# direct execution of daemons
-user root roles { sysadm_r staff_r secadm_r ifdef(`direct_sysadm_daemon', `system_r') };
-
-# sample for administrative user
-#user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };
-
-# sample for regular user
-#user jdoe roles { user_r };
-
-#
-# The following users correspond to special Unix identities
-# 
-ifdef(`nx_server.te', `
-user nx roles nx_server_r;
-')
diff --git a/targeted/COPYING b/targeted/COPYING
deleted file mode 100644
index 5b6e7c6..0000000
--- a/targeted/COPYING
+++ /dev/null
@@ -1,340 +0,0 @@
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-			    Preamble
-
-  The licenses for most software are designed to take away your
-freedom to share and change it.  By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users.  This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
-  To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have.  You must make sure that they, too, receive or can get the
-source code.  And you must show them these terms so they know their
-rights.
-
-  We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
-  Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software.  If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary.  To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License.  The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language.  (Hereinafter, translation is included without limitation in
-the term "modification".)  Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope.  The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
-  1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
-  2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
-    a) You must cause the modified files to carry prominent notices
-    stating that you changed the files and the date of any change.
-
-    b) You must cause any work that you distribute or publish, that in
-    whole or in part contains or is derived from the Program or any
-    part thereof, to be licensed as a whole at no charge to all third
-    parties under the terms of this License.
-
-    c) If the modified program normally reads commands interactively
-    when run, you must cause it, when started running for such
-    interactive use in the most ordinary way, to print or display an
-    announcement including an appropriate copyright notice and a
-    notice that there is no warranty (or else, saying that you provide
-    a warranty) and that users may redistribute the program under
-    these conditions, and telling the user how to view a copy of this
-    License.  (Exception: if the Program itself is interactive but
-    does not normally print such an announcement, your work based on
-    the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole.  If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works.  But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
-  3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
-    a) Accompany it with the complete corresponding machine-readable
-    source code, which must be distributed under the terms of Sections
-    1 and 2 above on a medium customarily used for software interchange; or,
-
-    b) Accompany it with a written offer, valid for at least three
-    years, to give any third party, for a charge no more than your
-    cost of physically performing source distribution, a complete
-    machine-readable copy of the corresponding source code, to be
-    distributed under the terms of Sections 1 and 2 above on a medium
-    customarily used for software interchange; or,
-
-    c) Accompany it with the information you received as to the offer
-    to distribute corresponding source code.  (This alternative is
-    allowed only for noncommercial distribution and only if you
-    received the program in object code or executable form with such
-    an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it.  For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable.  However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
-  4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License.  Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
-  5. You are not required to accept this License, since you have not
-signed it.  However, nothing else grants you permission to modify or
-distribute the Program or its derivative works.  These actions are
-prohibited by law if you do not accept this License.  Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
-  6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions.  You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
-  7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all.  For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices.  Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
-  8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded.  In such case, this License incorporates
-the limitation as if written in the body of this License.
-
-  9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number.  If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
-  10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission.  For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this.  Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
-			    NO WARRANTY
-
-  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
-    Gnomovision version 69, Copyright (C) year name of author
-    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary.  Here is a sample; alter the names:
-
-  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
-  `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-  <signature of Ty Coon>, 1 April 1989
-  Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs.  If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
-Public License instead of this License.
diff --git a/targeted/ChangeLog b/targeted/ChangeLog
deleted file mode 100644
index 9be1231..0000000
--- a/targeted/ChangeLog
+++ /dev/null
@@ -1,414 +0,0 @@
-1.27.2 2005-10-20
-	* Merged patch from Chad Hanson.  Modified MLS constraints.
-	Provided comments for the MLS attributes.
-	* Merged two patches from Thomas Bleher which made some minor
-	fixes and cleanups.
-	* Merged patches from Russell Coker. Added comments to some of the
-	MLS attributes.  Added the secure_mode_insmod boolean to determine
-	whether the system permits loading policy, setting enforcing mode,
-	and changing boolean values. Made minor fixes for the cdrecord_domain
-	macro, application_domain, newrole_domain, and daemon_base_domain
-	macros.  Added rules to allow the mail server to access the user
-	home directories in the targeted policy and allows the postfix
-	showq program to do DNS lookups.  Minor fixes for the MCS
-	policy.  Made other minor fixes and cleanups.
-	* Merged patch from Dan Walsh.  Added opencd, pegasus, readahead,
-	and roundup policies.  Created can_access_pty macro to handle pty
-	output.  Created nsswithch_domain macro for domains using
-	nsswitch.  Added mcs transition rules.  Removed mqueue and added
-	capifs genfscon entries.  Added dhcpd and pegasus ports.  Added
-	domain transitions from login domains to pam_console and alsa
-	domains.  Added rules to allow the httpd and squid domains to
-	relay more protocols.  For the targeted policy, removed sysadm_r
-	role from unconfined_t.  Made other fixes and cleanups.
-1.27.1 2005-09-15
-	* Merged small patches from Russell Coker for the apostrophe,
-	dhcpc, fsadm, and setfiles policy.
-	* Merged a patch from Russell Coker with some minor fixes to a
-	multitude of policy files.
-	* Merged patch from Dan Walsh from August 15th. Adds certwatch
-	policy.  Adds mcs support to Makefile.  Adds mcs file which
-	defines sensitivities and categories for the MSC policy.  Creates
-	an authentication_domain macro in global_macros.te for domains
-	that use pam_authentication.  Creates the anonymous_domain macro
-	so that the ftpd, rsync, httpd, and smbd domains can share the
-	ftpd_anon_t and ftpd_anon_rw_t types.  Removes netifcon rules to
-	start isolating individual ethernet devices.  Changes vpnc from a
-	daemon to an application_domain.  Adds audit_control capability to
-	crond_t.  Adds dac_override and dac_read_search capabilities to
-	fsadm_t to allow the manipulation of removable media.  Adds
-	read_sysctl macro to the base_passwd_domain macro.  Adds rules to
-	allow alsa_t to communicate with userspace.  Allows networkmanager
-	to communicate with isakmp_port and to use vpnc.  For targeted
-	policy, removes transitions of sysadm_t to apm_t, backup_t,
-	bootloader_t, cardmgr_t, clockspeed_t, hwclock_t, and kudzu_t.
-	Makes other minor cleanups and fixes.
-	
-1.26 2005-09-06
-	* Updated version for release.
-
-1.25.4 2005-08-10
-	* Merged small patches from Russell Coker for the restorecon,
-	kudzu, lvm, radvd, and spamassasin policies.
-	* Added fs_use_trans rule for mqueue from Mark Gebhart to support
-	the work he has done on providing SELinux support for mqueue.
-	* Merged a patch from Dan Walsh. Removes the user_can_mount
-	tunable.  Adds disable_evolution_trans and disable_thunderbird_trans
-	booleans.  Adds the nscd_client_domain attribute to insmod_t.
-	Removes the user_ping boolean from targeted policy.  Adds
-	hugetlbfs, inotifyfs, and mqueue filesystems to genfs_contexts.
-	Adds the isakmp_port for vpnc.  Creates the pptp daemon domain.
-	Allows getty to run sbin_t for pppd.  Allows initrc to write to
-	default_t for booting.  Allows Hotplug_t sys_rawio for prism54
-	card at boot.  Other minor fixes.
-
-1.25.3 2005-07-18
-	* Merged patch from Dan Walsh.  Adds auth_bool attribute to allow
-	domains to have read access to shadow_t.  Creates pppd_can_insmod
-	boolean to control the loading of modem kernel modules.  Allows
-	nfs to export noexattrfile types.  Allows unix_chpwd to access
-	cert files and random devices for encryption purposes.  Other
-	minor cleanups and fixes.
-
-1.25.2 2005-07-11
-	* Merged patch from Dan Walsh.  Added allow_ptrace boolean to
-	allow sysadm_t to ptrace and debug apps.  Gives auth_chkpwd the
-	audit_control and audit_write capabilities.  Stops targeted policy
-	from transitioning from unconfined_t to netutils.  Allows cupsd to
-	audit messages.  Gives prelink the execheap, execmem, and execstack
-	permissions by default.  Adds can_winbind boolean and functions to
-	better handle samba and winbind communications.  Eliminates
-	allow_execmod checks around texrel_shlib_t libraries.  Other minor
-	cleanups and fixes.
-	
-1.25.1 2005-07-05
-	* Moved role_tty_type_change, reach_sysadm, and priv_user macros
-	from user.te to user_macros.te as suggested by Steve.
-	* Modified admin_domain macro so autrace would work and removed
-	privuser attribute for dhcpc as suggested by Russell Coker.
-	* Merged rather large patch from Dan Walsh.  Moves
-	targeted/strict/mls policies closer together.  Adds local.te for
-	users to customize.  Includes minor fixes to auditd, cups,
-	cyrus_imapd, dhcpc, and dovecot.  Includes Russell Coker's patch
-	that defines all ports in network.te.  Ports are always defined
-	now, no ifdefs are used in network.te.  Also includes Ivan
-	Gyurdiev's user home directory policy patches.  These patches add
-	alsa, bonobo, ethereal, evolution, gconf, gnome, gnome_vfs,
-	iceauth, orbit, and thunderbird policy.  They create read_content,
-	write_trusted, and write_untrusted macros in content.te.  They
-	create network_home, write_network_home, read_network_home,
-	base_domain_ro_access, home_domain_access, home_domain, and
-	home_domain_ro macros in home_macros.te.  They also create
-	$3_read_content, $3_write_content, and write_untrusted booleans.
-	
-1.24 2005-06-20
-	* Updated version for release.
-
-1.23.18 2005-05-31
-	* Merged minor fixes to pppd.fc and courier.te by Russell Coker.
-	* Removed devfsd policy as suggested by Russell Coker.
-	* Merged patch from Dan Walsh.  Includes beginnings of Ivan
-	Gyurdiev's Font Config policy.  Don't transition to fsadm_t from
-	unconfined_t (sysadm_t) in targeted policy.  Add support for
-	debugfs in modutil.  Allow automount to create and delete
-	directories in /root and /home dirs.  Move can_ypbind to
-	chkpwd_macro.te.  Allow useradd to create additional files and
-	types via the skell mechanism.  Other minor cleanups and fixes.
-
-1.23.17 2005-05-23
-	* Merged minor fixes by Petre Rodan to the daemontools, dante,
-	gpg, kerberos, and ucspi-tcp policies.
-	* Merged minor fixes by Russell Coker to the bluetooth, crond,
-	initrc, postfix, and udev  policies.  Modifies constraints so that
-	newaliases can be run.  Modifies types.fc so that objects in
-	lost+found directories will not be relabled.
-	* Modified fc rules for nvidia.
-	* Added Chad Sellers policy for polyinstantiation support, which
-	creates the polydir, polyparent, and polymember attributes.  Also
-	added the support_polyinstantiation tunable.
-	* Merged patch from Dan Walsh.  Includes mount_point attribute,
-	read_font macros and some other policy fixes from Ivan Gyurdiev.
-	Adds privkmsg and secadmfile attributes and ddcprobe policy.
-	Removes the use_syslogng boolean.  Many other minor fixes.
-
-1.23.16 2005-05-13
-	* Added rdisc policy from Russell Coker.
-	* Merged minor fix to named policy by Petre Rodan.
-	* Merged minor fixes to policy from Russell Coker for kudzu,
-	named, screen, setfiles, telnet, and xdm.
-	* Merged minor fix to Makefile from Russell Coker.
-
-1.23.15 2005-05-06
-	* Added tripwire and yam policy from David Hampton.
-	* Merged minor fixes to amavid and a clarification to the
-	httpdcontent attribute comments from David Hampton.
-	* Merged patch from Dan Walsh.  Includes fixes for restorecon,
-	games, and postfix from Russell Coker.  Adds support for debugfs.
-	Restores support for reiserfs.  Allows udev to work with tmpfs_t
-	before /dev is labled.  Removes transition from sysadm_t
-	(unconfined_t) to ifconfig_t for the targeted policy.  Other minor
-	cleanups and fixes.
-
-1.23.14 2005-04-29
-	* Added afs policy from Andrew Reisse.
-	* Merged patch from Lorenzo Hernández García-Hierro which defines
-	execstack and execheap permissions.  The patch excludes these
-	permissions from general_domain_access and updates the macros for
-	X, legacy binaries, users, and unconfined domains.
-	* Added nlmsg_relay permisison where netlink_audit_socket class is
-	used.  Added nlmsg_readpriv permission to auditd_t and auditctl_t.
-	* Merged some minor cleanups from Russell Coker and David Hampton.
-	* Merged patch from Dan Walsh.  Many changes made to allow
-	targeted policy to run closer to strict and now almost all of
-	non-userspace is protected via SELinux.  Kernel is now in
-	unconfined_domain for targeted and runs as root:system_r:kernel_t.
-	Added transitionbool to daemon_sub_domain, mainly to turn off
-	httpd_suexec transitioning.  Implemented web_client_domain
-	name_connect rules.  Added yp support for cups.  Now the real
-	hotplug, udev, initial_sid_contexts are used for the targeted
-	policy.  Other minor cleanups and fixes.  Auditd fixes by Paul
-	Moore.
-
-1.23.13 2005-04-22
-	* Merged more changes from Dan Walsh to initrc_t for removal of
-	unconfined_domain.
-	* Merged Dan Walsh's split of auditd policy into auditd_t for the
-	audit daemon and auditctl_t for the autoctl program.
-	* Added use of name_connect to uncond_can_ypbind macro by Dan
-	Walsh.
-	* Merged other cleanup and fixes by Dan Walsh.
-
-1.23.12 2005-04-20
-	* Merged Dan Walsh's Netlink changes to handle new auditing pam
-	modules.
-	* Merged Dan Walsh's patch removing the sysadmfile attribute from
-	policy files to separate sysadm_t from secadm_t.
-	* Added CVS and uucpd policy from Dan Walsh.
-	* Cleanup by Dan Walsh to handle turning off unlimitedRC.
-	* Merged Russell Coker's fixes to ntpd, postgrey, and named
-	policy.
-	* Cleanup of chkpwd_domain and added permissions to su_domain
-	macro due to pam changes to support audit.
-	* Added nlmsg_relay and nlmsg_readpriv permissions to the
-	netlink_audit_socket class.
-
-1.23.11 2005-04-14
-	* Merged Dan Walsh's separation of the security manager and system
-	administrator.
-	* Removed screensaver.te as suggested by Thomas Bleher
-	* Cleanup of typealiases that are no longer used by Thomas Bleher.
-	* Cleanup of fc files and additional rules for SuSE by Thomas
-	Bleher.
-	* Merged changes to auditd and named policy by Russell Coker.
-	* Merged MLS change from Darrel Goeddel to support the policy
-	hierarchy patch.
-
-1.23.10 2005-04-08
-	* Removed pump.te, pump.fc, and targeted/domains/program/modutil.te
-
-1.23.9 2005-04-07
-	* Merged diffs from Dan Walsh.  Includes Ivan Gyurdiev's cleanup
-	of x_client apps.
-	* Added dmidecode policy from Ivan Gyurdiev.
-
-1.23.8 2005-04-05
-	* Added netlink_kobject_uevent_socket class.
-	* Removed empty files pump.te and pump.fc.
-	* Added NetworkManager policy from Dan Walsh.
-	* Merged Dan Walsh's major restructuring of Apache's policy.
-
-1.23.7 2005-04-04
-	* Merged David Hampton's amavis and clamav cleanups.
-	* Added David Hampton's dcc, pyzor, and razor policy.
-	
-1.23.6 2005-04-01
-	* Merged cleanup of the Makefile and other stuff from Dan Walsh.
-	Dan's patch includes some desktop changes from Ivan Gyurdiev.
-	* Merged Thomas Bleher's patches which increase the usage of
-	lock_domain() and etc_domain(), changes var_lib_DOMAIN_t usage to
-	DOMAIN_var_lib_t, and removes use of notdevfile_class_set where
-	possible. 
-	* Merged Greg Norris's cleanup of fetchmail.
-	
-1.23.5 2005-03-23
-	* Added name_connect support from Dan Walsh.
-	* Added httpd_unconfined_t from Dan Walsh.
-	* Merged cleanup of assert.te to allow unresticted full access
-	from Dan Walsh.
-	
-1.23.4 2005-03-21
-	* Merged diffs from Dan Walsh:  
-	* Cleanup of x_client_macro, tvtime, mozilla, and mplayer by Ivan 
-	Gyurdiev.  
-	* Added syslogng support to syslog.te.
-	
-1.23.3 2005-03-15
-	* Added policy for nx_server from Thomas Bleher.
-	* Added policies for clockspeed, daemontools, djbdns, ucspi-tcp, and
-	publicfile from Petre Rodan.
-	
-1.23.2 2005-03-14
-	* Merged diffs from Dan Walsh.  Dan's patch includes Ivan Gyurdiev's 
-	gift policy.
-	* Made sysadm_r the first role for root, so root's home will be labled 
-	as sysadm_home_dir_t instead of staff_home_dir_t.
-	* Modified fs_use and Makefile to reflect jfs now supporting security 
-	xattrs.
-
-1.23.1 2005-03-10
-	* Merged diffs from Dan Walsh.  Dan's patch includes Ivan
-	Gyurdiev's cleanup of homedir macros and more extensive use of
-	read_sysctl()
-
-1.22 2005-03-09
-	* Updated version for release.
-
-1.21 2005-02-24
-	* Added secure_file_type attribute from Dan Walsh
-	* Added access_terminal() macro from Ivan Gyurdiev
-	* Updated capability access vector for audit capabilities.
-	* Added mlsconvert Makefile target to help generate MLS policies
-	  (see selinux-doc/README.MLS for instructions).
-	* Changed policy Makefile to still generate policy.18 as well,
-	  and use it for make load if the kernel doesn't support 19.
-	* Merged enhanced MLS support from Darrel Goeddel (TCS).
-	* Merged diffs from Dan Walsh, Russell Coker, and Greg Norris.
-	* Merged man pages from Dan Walsh.
-	
-1.20 2005-01-04
-	* Merged diffs from Dan Walsh, Russell Coker, Thomas Bleher, and
-	Petre Rodan.
-	* Merged can_create() macro used for file_type_{,auto_}trans()
-	from Thomas Bleher.
-	* Merged dante and stunnel policy by Petre Rodan.
-	* Merged $1_file_type attribute from Thomas Bleher.
-	* Merged network_macros from Dan Walsh.
-
-1.18 2004-10-25
-	* Merged diffs from Russell Coker and Dan Walsh.
-	* Merged mkflask and mkaccess_vector patches from Ulrich Drepper.
-	* Added reserved_port_t type and portcon entries to map all other
-	  reserved ports to this type.
-	* Added distro_ prefix to distro tunables to avoid conflicts.
-	* Merged diffs from Russell Coker.
-
-1.16 2004-08-16
-	* Added nscd definitions.
-	* Converted many tunables to policy booleans.
-	* Added crontab permission.
-	* Merged diffs from Dan Walsh.
-	  This included diffs from Thomas Bleher, Russell Coker, and Colin Walters as well.
-	* Merged diffs from Russell Coker.
-	* Adjusted constraints for crond restart.
-	* Merged dbus/userspace object manager policy from Colin Walters.
-	* Merged dbus definitions from Matthew Rickard.
-	* Merged dnsmasq policy from Greg Norris.
-	* Merged gpg-agent policy from Thomas Bleher.
-
-1.14 2004-06-28
-	* Removed vmware-config.pl from vmware.fc.
-	* Added crond entry to root_default_contexts.
-	* Merged patch from Dan Walsh.
-	* Merged mdadm and postfix changes from Colin Walters.
-	* Merged reiserfs and rpm changes from Russell Coker.
-	* Merged runaway .* glob fix from Valdis Kletnieks.
-	* Merged diff from Dan Walsh.
-	* Merged fine-grained netlink classes and permissions.
-	* Merged changes for new /etc/selinux layout. 
-	* Changed mkaccess_vector.sh to provide stable order.
-	* Merged diff from Dan Walsh.
-	* Fix restorecon path in restorecon.fc.
-	* Merged pax class and access vector definition from Joshua Brindle.
-
-1.12 2004-05-12
-	* Added targeted policy.
-	* Merged atd/at into crond/crontab domains.
-	* Exclude bind mounts from relabeling to avoid aliasing.
-	* Removed some obsolete types and remapped their initial SIDs to unlabeled.
-	* Added SE-X related security classes and policy framework.
-	* Added devnull initial SID and context.
-	* Merged diffs from Fedora policy.
-
-1.10 2004-04-07
-	* Merged ipv6 support from James Morris of RedHat.
-	* Merged policy diffs from Dan Walsh.
-	* Updated call to genhomedircon to reflect new usage.
-	* Merged policy diffs from Dan Walsh and Russell Coker.
-	* Removed config-users and config-services per Dan's request.
-
-1.8 2004-03-09
-	* Merged genhomedircon patch from Karl MacMillan of Tresys.
-	* Added restorecon domain.
-	* Added unconfined_domain macro.
-	* Added default_t for /.* file_contexts entry and replaced some
-	  uses of file_t with default_t in the policy. 
-	* Added su_restricted_domain() macro and use it for initrc_t.
-	* Merged policy diffs from Dan Walsh and Russell Coker.
-	  These included a merge of an earlier patch by Chris PeBenito
-	  to rename the etc types to be consistent with other types.
-
-1.6 2004-02-18
-	* Merged xfs support from Chris PeBenito.
-	* Merged conditional rules for ping.te.
-	* Defined setbool permission, added can_setbool macro.
-	* Partial network policy cleanup.
-	* Merged with Russell Coker's policy.
-	* Renamed netscape macro and domain to mozilla  and renamed
-	  ipchains domain to iptables for consistency with Russell.
-	* Merged rhgb macro and domain from Russell Coker.
-	* Merged tunable.te from Russell Coker. 
-          Only define direct_sysadm_daemon by default in our copy.  
-	* Added rootok permission to passwd class.
-	* Merged Makefile change from Dan Walsh to generate /home 
-	  file_contexts entries for staff users.
-	* Added automatic role and domain transitions for init scripts and
-	  daemons.  Added an optional third argument (nosysadm) to 
-	  daemon_domain to omit the direct transition from sysadm_r when
-	  the same executable is also used as an application, in which
-	  case the daemon must be restarted via the init script to obtain
-	  the proper security context.  Added system_r to the authorized roles
-	  for admin users at least until support for automatic user identity
-	  transitions exist so that a transition to system_u can be provided
-	  transparently.
-	* Added support to su domain for using pam_selinux. 
-	  Added entries to default_contexts for the su domains to 
-	  provide reasonable defaults.  Removed user_su_t.
-	* Tighten restriction on user identity and role transitions in constraints.
-	* Merged macro for newrole-like domains from Russell Coker.
-	* Merged stub dbusd domain from Russell Coker.
-	* Merged stub prelink domain from Dan Walsh.
-	* Merged updated userhelper and config tool domains from Dan Walsh.
-	* Added send_msg/recv_msg permissions to can_network macro.
-	* Merged patch by Chris PeBenito for sshd subsystems.
-	* Merged patch by Chris PeBenito for passing class to var_run_domain.
-	* Merged patch by Yuichi Nakamura for append_log_domain macros.
-	* Merged patch by Chris PeBenito for rpc_pipefs labeling.
-	* Merged patch by Colin Walters to apply m4 once so that
-	  source file info is preserved for checkpolicy.
-
-1.4 2003-12-01
-        * Merged patches from Russell Coker.
-	* Revised networking permissions.
-	* Added new node_bind permission. 
-	* Added new siginh, rlimitinh, and setrlimit permissions.
-	* Added proc_t:file read permission for new is_selinux_enabled logic.
-	* Added failsafe_context configuration file to appconfig.
-	* Moved newrules.pl to policycoreutils, renamed to audit2allow.
-	* Merged newrules.pl patch from Yuichi Nakamura.
-
-1.2 2003-09-30
-	* More policy merging with Russell Coker.
-	* Transferred newrules.pl script from the old SELinux. 
-	* Merged MLS configuration patch from Karl MacMillan of Tresys.
-	* Limit staff_t to reading /proc entries for unpriv_userdomain.
-        * Updated Makefile and spec file to allow non-root builds,
-	  based on patch by Paul Nasrat.
-
-1.1 2003-08-13
-        * Merged Makefile check-all and te-includes patches from Colin Walters.
-        * Merged x-debian-packages.patch from Colin Walters.
-	* Folded read permission into domain_trans.
-
-1.0 2003-07-11
-	* Initial public release.
-
diff --git a/targeted/Makefile b/targeted/Makefile
deleted file mode 100644
index 4311654..0000000
--- a/targeted/Makefile
+++ /dev/null
@@ -1,364 +0,0 @@
-#
-# Makefile for the security policy.
-#
-# Targets:
-# 
-# install - compile and install the policy configuration, and context files.
-# load    - compile, install, and load the policy configuration.
-# reload  - compile, install, and load/reload the policy configuration.
-# relabel - relabel filesystems based on the file contexts configuration.
-# policy  - compile the policy configuration locally for testing/development.
-#
-# The default target is 'install'.
-#
-
-# Set to y if MLS is enabled in the policy.
-MLS=n
-
-# Set to y if MCS is enabled in the policy
-MCS=y
-
-FLASKDIR = flask/
-PREFIX = /usr
-BINDIR = $(PREFIX)/bin
-SBINDIR = $(PREFIX)/sbin
-LOADPOLICY  = $(SBINDIR)/load_policy
-CHECKPOLICY = $(BINDIR)/checkpolicy
-GENHOMEDIRCON = $(SBINDIR)/genhomedircon
-SETFILES = $(SBINDIR)/setfiles
-VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
-PREVERS := 20
-KERNVERS := $(shell cat /selinux/policyvers)
-MLSENABLED := $(shell cat /selinux/mls)
-POLICYVER := policy.$(VERS)
-TOPDIR = $(DESTDIR)/etc/selinux
-TYPE=targeted
-
-INSTALLDIR = $(TOPDIR)/$(TYPE)
-POLICYPATH = $(INSTALLDIR)/policy
-SRCPATH = $(INSTALLDIR)/src
-USERPATH = $(INSTALLDIR)/users
-CONTEXTPATH = $(INSTALLDIR)/contexts
-LOADPATH = $(POLICYPATH)/$(POLICYVER)
-FCPATH = $(CONTEXTPATH)/files/file_contexts
-HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
-
-ALL_PROGRAM_MACROS := $(wildcard macros/program/*.te)
-ALL_MACROS := $(ALL_PROGRAM_MACROS) $(wildcard macros/*.te)
-ALL_TYPES := $(wildcard types/*.te)
-ALL_DOMAINS := $(wildcard domains/*.te domains/misc/*.te domains/program/*.te)
-ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te 
-TE_RBAC_FILES := $(ALLTEFILES) rbac
-ALL_TUNABLES := $(wildcard tunables/*.tun )
-USER_FILES := users 
-POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
-ifeq ($(MLS),y)
-POLICYFILES += mls
-CHECKPOLMLS += -M
-endif
-ifeq ($(MCS), y)
-POLICYFILES += mcs
-CHECKPOLMLS += -M
-endif
-DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
-POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
-POLICYFILES += $(USER_FILES)
-POLICYFILES += constraints
-POLICYFILES += $(DEFCONTEXTFILES)
-CONTEXTFILES = $(DEFCONTEXTFILES)
-POLICY_DIRS = domains domains/program domains/misc macros macros/program
-
-UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
-
-FC = file_contexts/file_contexts
-HOMEDIR_TEMPLATE = file_contexts/homedir_template
-FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te)) file_contexts/distros.fc $(wildcard file_contexts/misc/*.fc)
-CONTEXTFILES += $(FCFILES)
-
-APPDIR=$(CONTEXTPATH)
-APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types port_types) $(CONTEXTPATH)/files/media
-CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media
-
-ROOTFILES = $(addprefix $(APPDIR)/users/,root)
-
-all:  policy
-
-tmp/valid_fc: $(LOADPATH) $(FC) 
-ifeq ($(CHECKPOLMLS), -M)
-ifeq ($(MLSENABLED),1)
-	@echo "Validating file contexts files ..."	
-	$(SETFILES) -q -c $(LOADPATH) $(FC)
-endif
-endif
-	@touch tmp/valid_fc
-
-install: $(FCPATH) $(APPFILES) $(ROOTFILES) $(USERPATH)/local.users
-
-$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
-	@mkdir -p $(USERPATH)
-	@echo "# " > tmp/system.users
-	@echo "# Do not edit this file. " >> tmp/system.users
-	@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
-	@echo "# Please edit local.users to make local changes." >> tmp/system.users
-	@echo "#" >> tmp/system.users
-	@m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
-	install -m 644 tmp/system.users $@
-
-$(USERPATH)/local.users: local.users
-	@mkdir -p $(USERPATH)
-	install -b -m 644 $< $@
-
-$(CONTEXTPATH)/files/media: appconfig/media
-	@mkdir -p $(CONTEXTPATH)/files/
-	install -m 644 $< $@
-
-$(APPDIR)/default_contexts: appconfig/default_contexts
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/removable_context: appconfig/removable_context
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/customizable_types: policy.conf
-	@mkdir -p $(APPDIR)
-	@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
-	install -m 644 tmp/customizable_types $@ 
-
-$(APPDIR)/port_types: policy.conf
-	@mkdir -p $(APPDIR)
-	@grep "^type .*port_type" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/port_types
-	install -m 644 tmp/port_types $@ 
-
-$(APPDIR)/default_type: appconfig/default_type
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/userhelper_context: appconfig/userhelper_context
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/initrc_context: appconfig/initrc_context
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/failsafe_context: appconfig/failsafe_context
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/dbus_contexts: appconfig/dbus_contexts
-	@mkdir -p $(APPDIR)
-	install -m 644 $< $@
-
-$(APPDIR)/users/root: appconfig/root_default_contexts
-	@mkdir -p $(APPDIR)/users
-	install -m 644 $< $@
-
-$(LOADPATH): policy.conf $(CHECKPOLICY) 
-	@echo "Compiling policy ..."
-	@mkdir -p $(POLICYPATH)
-	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
-ifneq ($(VERS),$(PREVERS))
-	$(CHECKPOLICY) $(CHECKPOLMLS) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf
-endif
-
-# Note: Can't use install, so not sure how to deal with mode, user, and group
-#	other than by default.
-
-policy: $(POLICYVER)
-
-$(POLICYVER):  policy.conf $(FC) $(CHECKPOLICY)
-	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
-ifeq ($(CHECKPOLMLS), -M)
-ifeq (1, $(MLSENABLED))
-	@echo "Validating file contexts files ..."
-	$(SETFILES) -q -c $(POLICYVER) $(FC)
-endif
-endif
-
-reload tmp/load: $(LOADPATH) 
-	@echo "Loading Policy ..."
-	$(LOADPOLICY)
-	touch tmp/load
-
-load: tmp/load $(FCPATH) 
-
-enableaudit: policy.conf 
-	grep -v dontaudit policy.conf > policy.audit
-	mv policy.audit policy.conf
-
-policy.conf: $(POLICYFILES) $(POLICY_DIRS)
-	@echo "Building policy.conf ..."
-	@mkdir -p tmp
-	m4 $(M4PARAM) -Imacros -s $(POLICYFILES) > $@.tmp
-	@mv $@.tmp $@
-
-install-src: 
-	rm -rf $(SRCPATH)/policy.old
-	-mv $(SRCPATH)/policy $(SRCPATH)/policy.old
-	@mkdir -p $(SRCPATH)/policy
-	cp -R . $(SRCPATH)/policy
-
-tmp/program_used_flags.te: $(wildcard domains/program/*.te) domains/program
-	@mkdir -p tmp
-	( cd domains/program/ ; for n in *.te ; do echo "define(\`$$n')"; done ) > $@.tmp
-	( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
-	mv $@.tmp $@
-
-FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs | reiserfs ).*rw/{print $$3}';`
-
-checklabels: $(SETFILES)
-	$(SETFILES) -v -n $(FC) $(FILESYSTEMS)
-
-restorelabels: $(SETFILES)
-	$(SETFILES) -v $(FC) $(FILESYSTEMS)
-
-relabel:  $(FC) $(SETFILES)
-	$(SETFILES) $(FC) $(FILESYSTEMS)
-
-file_contexts/misc:
-	@mkdir -p file_contexts/misc
-
-$(FCPATH): tmp/valid_fc $(USERPATH)/system.users  $(APPDIR)/customizable_types $(APPDIR)/port_types
-	@echo "Installing file contexts files..."
-	@mkdir -p $(CONTEXTPATH)/files
-	install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
-	install -m 644 $(FC) $(FCPATH)
-	@$(GENHOMEDIRCON) -d $(TOPDIR) -t $(TYPE) $(USEPWD)
-
-$(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
-	@echo "Building file contexts files..."
-	@m4 $(M4PARAM) $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) > $@.tmp
-	@grep -v -e HOME -e ROLE -e USER $@.tmp > $@
-	@grep -e HOME -e ROLE -e USER $@.tmp  > $(HOMEDIR_TEMPLATE)
-	@-rm $@.tmp
-
-# Create a tags-file for the policy:
-# we need exuberant ctags; unfortunately it is named differently on different distros, sigh...
-pathsearch = $(firstword $(wildcard $(addsuffix /$(1),$(subst :, ,$(PATH))))) # taken from make-docs
-CTAGS := $(call pathsearch,ctags-exuberant) # debian naming scheme
-ifeq ($(strip $(CTAGS)),)
-CTAGS := $(call pathsearch,ctags) # suse naming scheme
-endif
-
-tags: $(wildcard *.te types/*.te domains/*.te domains/misc/*.te domains/program/*.te domains/program/unused/*.te macros/*.te macros/program/*.te)
-	@($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1)
-	@LC_ALL=C $(CTAGS) --langdef=te --langmap=te:..te \
-	  --regex-te='/^[ \t]*type[ \t]+(\w+)(,|;)/\1/t,type/' \
-	  --regex-te='/^[ \t]*typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \
-	  --regex-te='/^[ \t]*attribute[ \t]+(\w+);/\1/a,attribute/' \
-	  --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \
-	  --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^
- 
-clean:
-	rm -f policy.conf $(POLICYVER)
-	rm -f tags
-	rm -f tmp/*
-	rm -f $(FC)
-	rm -f flask/*.h
-# for the policy regression tester
-	find "domains/program/" -maxdepth 1 -type l -exec rm {} \; ; \
-
-# Policy regression tester.
-# Written by Colin Walters <walters@debian.org>
-cur_te = $(filter-out %/,$(subst /,/ ,$@))
-
-TESTED_TE_FILES := $(notdir $(UNUSED_TE_FILES))
-
-define compute_depends
-  export TE_DEPENDS_$(1) := $(shell egrep '^#[[:space:]]*Depends: ' domains/program/unused/$(1) | head -1 | sed -e 's/^.*Depends: //')
-endef
-
-
-ifeq ($(TE_DEPENDS_DEFINED),)
-ifeq ($(MAKECMDGOALS),check-all)
-  GENRULES := $(TESTED_TE_FILES)
-  export TE_DEPENDS_DEFINED := yes
-else
-  # Handle the case where checkunused/blah.te is run directly.
-  ifneq ($(findstring checkunused/,$(MAKECMDGOALS)),)
-    GENRULES := $(TESTED_TE_FILES)
-    export TE_DEPENDS_DEFINED := yes
-  endif
-endif
-endif
-
-# Test for a new enough version of GNU Make.
-$(eval have_eval := yes)
-ifneq ($(GENRULES),)
-  ifeq ($(have_eval),)
-$(error Need GNU Make 3.80 or better!)
-Need GNU Make 3.80 or better
-  endif
-endif
-$(foreach f,$(GENRULES),$(eval $(call compute_depends,$(f))))
-
-PHONIES :=
-
-define compute_presymlinks
-PHONIES += presymlink/$(1)
-presymlink/$(1):: $(patsubst %,presymlink/%,$(TE_DEPENDS_$(1)))
-	@if ! test -L domains/program/$(1); then \
-	  cd domains/program && ln -s unused/$(1) .; \
-	fi
-endef
-
-# Compute dependencies.
-$(foreach f,$(TESTED_TE_FILES),$(eval $(call compute_presymlinks,$(f))))
-
-PHONIES += $(patsubst %,checkunused/%,$(TESTED_TE_FILES))
-$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : 
-	@$(MAKE) -s clean
-
-$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% : presymlink/%
-	@if test -n "$(TE_DEPENDS_$(cur_te))"; then \
-	  echo "Dependencies for $(cur_te): $(TE_DEPENDS_$(cur_te))"; \
-	fi
-	@echo "Testing $(cur_te)...";
-	@if ! make -s policy 1>/dev/null; then \
-	  echo "Testing $(cur_te)...FAILED"; \
-	  exit 1; \
-	fi;
-	@echo "Testing $(cur_te)...success."; \
-
-check-all:
-	@for goal in  $(patsubst %,checkunused/%,$(TESTED_TE_FILES)); do \
-	  $(MAKE) --no-print-directory $$goal; \
-	done
-
-.PHONY: clean $(PHONIES)
-
-mlsconvert: 
-	@for file in $(CONTEXTFILES); do \
-		echo "Converting $$file"; \
-		sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
-		mv $$file.new $$file; \
-	done
-	@for file in $(USER_FILES); do \
-		echo "Converting $$file"; \
-		sed -e 's/;/ level s0 range s0 - s15:c0.c255;/' $$file > $$file.new && \
-		mv $$file.new $$file; \
-	done
-	@sed -e '/sid kernel/s/s0/s0 - s15:c0.c255/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
-	@echo "Enabling MLS in the Makefile"
-	@sed "s/MLS=n/MLS=y/" Makefile > Makefile.new
-	@mv Makefile.new Makefile
-	@echo "Done"
-
-mcsconvert: 
-	@for file in $(CONTEXTFILES); do \
-		echo "Converting $$file"; \
-		sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
-		mv $$file.new $$file; \
-	done
-	@for file in $(USER_FILES); do \
-		echo "Converting $$file"; \
-		sed -r -e 's/\;/ level s0 range s0;/' $$file | \
-		sed -r -e 's/(user (user_u|root|system_u).*);/\1 - s0:c0.c255;/' > $$file.new; \
-		mv $$file.new $$file; \
-	done
-	@echo "Enabling MCS in the Makefile"
-	@sed "s/MCS=y/MCS=y/" Makefile > Makefile.new
-	@mv Makefile.new Makefile
-	@echo "Done"
-
diff --git a/targeted/README b/targeted/README
deleted file mode 100644
index 6818b66..0000000
--- a/targeted/README
+++ /dev/null
@@ -1,125 +0,0 @@
-The Makefile targets are:
-policy - compile the policy configuration.
-install - compile and install the policy configuration.
-load    - compile, install, and load the policy configuration.
-relabel - relabel the filesystem.
-check-all - check individual additional policy files in domains/program/unused.
-checkunused/FILE.te - check individual file FILE from domains/program/unused.
-
-If you have configured MLS into your module, then set MLS=y in the
-Makefile prior to building the policy.  Of course, you must have also
-built checkpolicy with MLS enabled.  
-
-Three of the configuration files are independent of the particular
-security policy:
-1) flask/security_classes -
-   This file has a simple declaration for each security class.
-   The corresponding symbol definitions are in the automatically
-   generated header file <selinux/flask.h>. 
-
-2) flask/initial_sids - 
-   This file has a simple declaration for each initial SID.
-   The corresponding symbol definitions are in the automatically
-   generated header file <selinux/flask.h>.
-
-3) access_vectors - 
-   This file defines the access vectors.  Common prefixes for
-   access vectors may be defined at the beginning of the file.
-   After the common prefixes are defined, an access vector
-   may be defined for each security class.
-   The corresponding symbol definitions are in the automatically
-   generated header file <selinux/av_permissions.h>.
-
-In addition to being read by the security server, these configuration
-files are used during the kernel build to automatically generate
-symbol definitions used by the kernel for security classes, initial
-SIDs and permissions.  Since the symbol definitions generated from
-these files are used during the kernel build, the values of existing
-security classes and permissions may not be modified by load_policy.
-However, new classes may be appended to the list of classes and new
-permissions may be appended to the list of permissions associated with
-each access vector definition.
-
-The policy-dependent configuration files are:
-1) tmp/all.te -  
-   This file defines the Type Enforcement (TE) configuration.
-   This file is automatically generated from a collection of files.
-
-   The macros subdirectory contains a collection of m4 macro definitions
-   used by the TE configuration.  The global_macros.te file contains global 
-   macros used throughout the configuration for common groupings of classes 
-   and permissions and for common sets of rules.  The user_macros.te file
-   contains macros used in defining user domains.  The admin_macros.te file
-   contains macros used in defining admin domains.  The macros/program 
-   subdirectory contains macros that are used to instantiate derived domains
-   for certain programs that encode information about both the calling user
-   domain and the program, permitting the policy to maintain separation 
-   between different instances of the program.
-
-   The types subdirectory contains several files with declarations for
-   general types (types not associated with a particular domain) and 
-   some rules defining relationships among those types.  Related types 
-   are grouped together into each file in this directory, e.g. all
-   device type declarations are in the device.te file.
-
-   The domains subdirectory contains several files and directories
-   with declarations and rules for each domain.  User domains are defined in 
-   user.te.  Administrator domains are defined in admin.te.  Domains for 
-   specific programs, including both system daemons and other programs, are 
-   in the .te files within the domains/program subdirectory.  The domains/misc
-   subdirectory is for miscellaneous domains such as the kernel domain and
-   the kernel module loader domain.
-
-   The assert.te file contains assertions that are checked after evaluating 
-   the entire TE configuration.
-
-2) rbac - 
-   This file defines the Role-Based Access Control (RBAC) configuration.
-
-3) mls - 
-   This file defines the Multi-Level Security (MLS) configuration.
-
-4) users -
-   This file defines the users recognized by the security policy.
-
-5) constraints - 
-   This file defines additional constraints on permissions
-   in the form of boolean expressions that must be satisfied in order
-   for specified permissions to be granted.  These constraints
-   are used to further refine the type enforcement tables and
-   the role allow rules.  Typically, these constraints are used
-   to restrict changes in user identity or role to certain domains.
-
-6) initial_sid_contexts -
-   This file defines the security context for each initial SID.
-   A security context consists of a user identity, a role, a type and
-   optionally a MLS range if the MLS policy is enabled.  If left unspecified,
-   the high MLS level defaults to the low MLS level.  The syntax of a valid 
-   security context is:
-
-     user:role:type[:sensitivity[:category,...][-sensitivity[:category,...]]]
-
-7) fs_use -
-   This file defines the labeling behavior for inodes in particular
-   filesystem types.  
-
-8) genfs_contexts -
-   This file defines security contexts for files in filesystems that
-   cannot support persistent label mappings or use one of the fixed
-   labeling schemes specified in fs_use.
-
-8) net_contexts -
-   This file defines the security contexts of network objects
-   such as ports, interfaces, and nodes.
-
-9) file_contexts/{types.fc,program/*.fc}
-   These files define the security contexts for persistent files.
-
-It is possible to test the security server functions on a given policy
-configuration by running the checkpolicy program with the -d option.
-This program is built from the same sources as the security server
-component of the kernel, so it may be used both to verify that a
-policy configuration will load successfully and to determine how the
-security server would respond if it were using that policy
-configuration.  A menu-based interface is provided for calling any of
-the security server functions after the policy is loaded.
diff --git a/targeted/VERSION b/targeted/VERSION
deleted file mode 100644
index 457f038..0000000
--- a/targeted/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-1.27.2
diff --git a/targeted/appconfig/dbus_contexts b/targeted/appconfig/dbus_contexts
deleted file mode 100644
index 116e684..0000000
--- a/targeted/appconfig/dbus_contexts
+++ /dev/null
@@ -1,6 +0,0 @@
-<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-  <selinux>
-  </selinux>
-</busconfig>
diff --git a/targeted/appconfig/default_contexts b/targeted/appconfig/default_contexts
deleted file mode 100644
index 94de330..0000000
--- a/targeted/appconfig/default_contexts
+++ /dev/null
@@ -1,6 +0,0 @@
-system_r:unconfined_t:s0	system_r:unconfined_t:s0
-system_r:initrc_t:s0	system_r:unconfined_t:s0
-system_r:local_login_t:s0 system_r:unconfined_t:s0
-system_r:remote_login_t:s0 system_r:unconfined_t:s0
-system_r:rshd_t:s0		system_r:unconfined_t:s0
-system_r:crond_t:s0	system_r:unconfined_t:s0
diff --git a/targeted/appconfig/default_type b/targeted/appconfig/default_type
deleted file mode 100644
index 7ba74a9..0000000
--- a/targeted/appconfig/default_type
+++ /dev/null
@@ -1 +0,0 @@
-system_r:unconfined_t
diff --git a/targeted/appconfig/failsafe_context b/targeted/appconfig/failsafe_context
deleted file mode 100644
index 30fd6c0..0000000
--- a/targeted/appconfig/failsafe_context
+++ /dev/null
@@ -1 +0,0 @@
-system_r:unconfined_t:s0
diff --git a/targeted/appconfig/initrc_context b/targeted/appconfig/initrc_context
deleted file mode 100644
index dd0e5d9..0000000
--- a/targeted/appconfig/initrc_context
+++ /dev/null
@@ -1 +0,0 @@
-user_u:system_r:unconfined_t:s0
diff --git a/targeted/appconfig/media b/targeted/appconfig/media
deleted file mode 100644
index 81f3463..0000000
--- a/targeted/appconfig/media
+++ /dev/null
@@ -1,3 +0,0 @@
-cdrom system_u:object_r:removable_device_t:s0
-floppy system_u:object_r:removable_device_t:s0
-disk system_u:object_r:fixed_disk_device_t:s0
diff --git a/targeted/appconfig/removable_context b/targeted/appconfig/removable_context
deleted file mode 100644
index 7fcc56e..0000000
--- a/targeted/appconfig/removable_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:object_r:removable_t:s0
diff --git a/targeted/appconfig/root_default_contexts b/targeted/appconfig/root_default_contexts
deleted file mode 100644
index 94de330..0000000
--- a/targeted/appconfig/root_default_contexts
+++ /dev/null
@@ -1,6 +0,0 @@
-system_r:unconfined_t:s0	system_r:unconfined_t:s0
-system_r:initrc_t:s0	system_r:unconfined_t:s0
-system_r:local_login_t:s0 system_r:unconfined_t:s0
-system_r:remote_login_t:s0 system_r:unconfined_t:s0
-system_r:rshd_t:s0		system_r:unconfined_t:s0
-system_r:crond_t:s0	system_r:unconfined_t:s0
diff --git a/targeted/appconfig/userhelper_context b/targeted/appconfig/userhelper_context
deleted file mode 100644
index 01f02a3..0000000
--- a/targeted/appconfig/userhelper_context
+++ /dev/null
@@ -1 +0,0 @@
-system_u:system_r:unconfined_t:s0	
diff --git a/targeted/assert.te b/targeted/assert.te
deleted file mode 100644
index 4fa84f0..0000000
--- a/targeted/assert.te
+++ /dev/null
@@ -1,40 +0,0 @@
-##############################
-#
-# Assertions for the type enforcement (TE) configuration.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-##################################
-#
-# Access vector assertions.
-#
-# An access vector assertion specifies permissions that should not be in
-# an access vector based on a source type, a target type, and a class.
-# If any of the specified permissions are in the corresponding access
-# vector, then the policy compiler will reject the policy configuration.
-# Currently, there is only one kind of access vector assertion, neverallow, 
-# but support for the other kinds of vectors could be easily added.  Access 
-# vector assertions use the same syntax as access vector rules.
-#
-
-# Confined domains must never touch an unconfined domain except to
-# send SIGCHLD for child termination notifications.
-neverallow { domain -unrestricted -unconfinedtrans -snmpd_t } unconfined_t:process ~sigchld;
-
-# Confined domains must never see /proc/pid entries for an unconfined domain.
-neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };
-
-#
-# Verify that every type that can be entered by
-# a domain is also tagged as a domain.
-#
-neverallow domain ~domain:process { transition dyntransition};
-
-# for gross mistakes in policy
-neverallow domain domain:dir ~r_dir_perms;
-neverallow domain domain:file_class_set ~rw_file_perms;
-neverallow domain file_type:process *;
-neverallow ~{ domain unlabeled_t } *:process *;
diff --git a/targeted/attrib.te b/targeted/attrib.te
deleted file mode 100644
index 2a19fa8..0000000
--- a/targeted/attrib.te
+++ /dev/null
@@ -1,563 +0,0 @@
-#
-# Declarations for type attributes.
-# 
-
-# A type attribute can be used to identify a set of types with a similar
-# property.  Each type can have any number of attributes, and each
-# attribute can be associated with any number of types.  Attributes are
-# explicitly declared here, and can then be associated with particular
-# types in type declarations.  Attribute names can then be used throughout 
-# the configuration to express the set of types that are associated with 
-# the attribute.  Attributes have no implicit meaning to SELinux.  The
-# meaning of all attributes are completely defined through their
-# usage within the configuration, but should be documented here as
-# comments preceding the attribute declaration.  
-
-#####################
-# Attributes for MLS:
-#
-
-# Common Terminology
-# 	MLS Range: low-high
-#		low referred to as "Effective Sensitivity Label (SL)"
-#		high referred to as "Clearance SL"
-
-
-#
-# File System MLS attributes/privileges
-#
-# Grant MLS read access to files not dominated by the process Effective SL
-attribute mlsfileread;
-# Grant MLS read access to files which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsfilereadtoclr;
-# Grant MLS write access to files not equal to the Effective SL
-attribute mlsfilewrite;
-# Grant MLS write access to files which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsfilewritetoclr;
-# Grant MLS ability to change file label to a new label which dominates
-# the old label  
-attribute mlsfileupgrade;
-# Grant MLS ability to change file label to a new label which is
-# dominated by or incomparable to the old label
-attribute mlsfiledowngrade;
-
-#
-# Network MLS attributes/privileges
-#
-# Grant MLS read access to packets not dominated by the process Effective SL
-attribute mlsnetread;
-# Grant MLS read access to packets which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsnetreadtoclr;
-# Grant MLS write access to packets not equal to the Effective SL
-attribute mlsnetwrite;
-# Grant MLS write access to packets which dominate the Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsnetwritetoclr;
-# Grant MLS read access to packets from hosts or interfaces which dominate
-# or incomparable to the process Effective SL
-attribute mlsnetrecvall;
-# Grant MLS ability to change socket label to a new label which dominates
-# the old label  
-attribute mlsnetupgrade;
-# Grant MLS ability to change socket label to a new label which is
-# dominated by or incomparable to the old label
-attribute mlsnetdowngrade;
-
-#
-# IPC MLS attributes/privileges
-#
-# Grant MLS read access to IPC objects not dominated by the process Effective SL
-attribute mlsipcread;
-# Grant MLS read access to IPC objects which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsipcreadtoclr;
-# Grant MLS write access to IPC objects not equal to the process Effective SL
-attribute mlsipcwrite;
-# Grant MLS write access to IPC objects which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsipcwritetoclr;
-
-#
-# Process MLS attributes/privileges
-#
-# Grant MLS read access to processes not dominated by the process Effective SL
-attribute mlsprocread;
-# Grant MLS read access to processes which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsprocreadtoclr;
-# Grant MLS write access to processes not equal to the Effective SL
-attribute mlsprocwrite;
-# Grant MLS write access to processes which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsprocwritetoclr;
-# Grant MLS ability to change Effective SL or Clearance SL of process to a
-# label dominated by the Clearance SL
-attribute mlsprocsetsl;
-
-#
-# X Window MLS attributes/privileges
-#
-# Grant MLS read access to X objects not dominated by the process Effective SL
-attribute mlsxwinread;
-# Grant MLS read access to X objects which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsxwinreadtoclr;
-# Grant MLS write access to X objects not equal to the process Effective SL
-attribute mlsxwinwrite;
-# Grant MLS write access to X objects which dominate the process Effective SL
-# and are dominated by the process Clearance SL
-attribute mlsxwinwritetoclr;
-# Grant MLS read access to X properties not dominated by
-# the process Effective SL
-attribute mlsxwinreadproperty;
-# Grant MLS write access to X properties not equal to the process Effective SL
-attribute mlsxwinwriteproperty;
-# Grant MLS read access to X colormaps not dominated by
-# the process Effective SL
-attribute mlsxwinreadcolormap;
-# Grant MLS write access to X colormaps not equal to the process Effective SL
-attribute mlsxwinwritecolormap;
-# Grant MLS write access to X xinputs not equal to the process Effective SL
-attribute mlsxwinwritexinput;
-
-# Grant MLS read/write access to objects which internally arbitrate MLS
-attribute mlstrustedobject;
-
-#
-# Both of the following attributes are needed for a range transition to succeed
-#
-# Grant ability for the current domain to change SL upon process transition
-attribute privrangetrans;
-# Grant ability for the new process domain to change SL upon process transition
-attribute mlsrangetrans;
-
-#########################
-# Attributes for domains:
-#
-
-# The domain attribute identifies every type that can be 
-# assigned to a process.  This attribute is used in TE rules 
-# that should be applied to all domains, e.g. permitting 
-# init to kill all processes.
-attribute domain;
-
-# The daemon attribute identifies domains for system processes created via
-# the daemon_domain, daemon_base_domain, and init_service_domain macros.
-attribute daemon;
-
-# The privuser attribute identifies every domain that can 
-# change its SELinux user identity.  This attribute is used 
-# in the constraints configuration.  NOTE:  This attribute
-# is not required for domains that merely change the Linux
-# uid attributes, only for domains that must change the
-# SELinux user identity.  Also note that this attribute makes
-# no sense without the privrole attribute.
-attribute privuser;
-
-# The privrole attribute identifies every domain that can 
-# change its SELinux role.  This attribute is used in the 
-# constraints configuration.
-attribute privrole;
-
-# The userspace_objmgr attribute identifies every domain
-# which enforces its own policy.
-attribute userspace_objmgr;
-
-# The priv_system_role attribute identifies every domain that can
-# change role from a user role to system_r role, and identity from a user
-# identity to system_u.  It is used in the constraints configuration.
-attribute priv_system_role;
-
-# The privowner attribute identifies every domain that can 
-# assign a different SELinux user identity to a file, or that
-# can create a file with an identity that is not the same as the
-# process identity.  This attribute is used in the constraints
-# configuration.
-attribute privowner;
-
-# The privlog attribute identifies every domain that can 
-# communicate with syslogd through its Unix domain socket.
-# There is an assertion that other domains can not do it,
-# and an allow rule to permit it
-attribute privlog;
-
-# The privmodule attribute identifies every domain that can run
-# modprobe, there is an assertion that other domains can not do it,
-# and an allow rule to permit it
-attribute privmodule;
-
-# The privsysmod attribute identifies every domain that can have the
-# sys_module capability
-attribute privsysmod;
-
-# The privmem attribute identifies every domain that can 
-# access kernel memory devices.
-# This attribute is used in the TE assertions to verify
-# that such access is limited to domains that are explicitly
-# tagged with this attribute.
-attribute privmem;
-
-# The privkmsg attribute identifies every domain that can 
-# read kernel messages (/proc/kmsg)
-# This attribute is used in the TE assertions to verify
-# that such access is limited to domains that are explicitly
-# tagged with this attribute.
-attribute privkmsg;
-
-# The privfd attribute identifies every domain that should have
-# file handles inherited widely (IE sshd_t and getty_t).
-attribute privfd;
-
-# The privhome attribute identifies every domain that can create files under
-# regular user home directories in the regular context (IE act on behalf of
-# a user in writing regular files)
-attribute privhome;
-
-# The auth attribute identifies every domain that needs
-# to read /etc/shadow, and grants the permission.
-attribute auth;
-
-# The auth_bool attribute identifies every domain that can 
-# read /etc/shadow if its boolean is set;
-attribute auth_bool;
-
-# The auth_write attribute identifies every domain that can have write or
-# relabel access to /etc/shadow, but does not grant it.
-attribute auth_write;
-
-# The auth_chkpwd attribute identifies every system domain that can
-# authenticate users by running unix_chkpwd
-attribute auth_chkpwd;
-
-# The change_context attribute identifies setfiles_t, restorecon_t, and other
-# system domains that change the context of most/all files on the system
-attribute change_context;
-
-# The etc_writer attribute identifies every domain that can write to etc_t
-attribute etc_writer;
-
-# The sysctl_kernel_writer attribute identifies domains that can write to
-# sysctl_kernel_t, in addition the admin attribute is permitted write access
-attribute sysctl_kernel_writer;
-
-# the sysctl_net_writer attribute identifies domains that can write to
-# sysctl_net_t files.
-attribute sysctl_net_writer;
-
-# The sysctl_type attribute identifies every type that is assigned
-# to a sysctl entry.  This can be used in allow rules to grant
-# permissions to all sysctl entries without enumerating each individual
-# type, but should be used with care.
-attribute sysctl_type;
-
-# The admin attribute identifies every administrator domain.
-# It is used in TE assertions when verifying that only administrator 
-# domains have certain permissions.  
-# This attribute is presently associated with sysadm_t and 
-# certain administrator utility domains.  
-# XXX The use of this attribute should be reviewed for consistency.
-# XXX Might want to partition into several finer-grained attributes 
-# XXX used in different assertions within assert.te.
-attribute admin;
-
-# The secadmin attribute identifies every security administrator domain.
-# It is used in TE assertions when verifying that only administrator 
-# domains have certain permissions.  
-# This attribute is presently associated with sysadm_t and secadm_t
-attribute secadmin;
-
-# The userdomain attribute identifies every user domain, presently
-# user_t and sysadm_t.  It is used in TE rules that should be applied
-# to all user domains.
-attribute userdomain;
-
-# for a small domain that can only be used for newrole
-attribute user_mini_domain;
-
-# pty for the mini domain
-attribute mini_pty_type;
-
-# pty created by a server such as sshd
-attribute server_pty;
-
-# attribute for all non-administrative devpts types
-attribute userpty_type;
-
-# The user_tty_type identifies every type for a tty or pty owned by an
-# unpriviledged user
-attribute user_tty_type;
-
-# The admin_tty_type identifies every type for a tty or pty owned by a
-# priviledged user
-attribute admin_tty_type;
-
-# The user_crond_domain attribute identifies every user_crond domain, presently
-# user_crond_t and sysadm_crond_t.  It is used in TE rules that should be
-# applied to all user domains.
-attribute user_crond_domain;
-
-# The unpriv_userdomain identifies non-administrative users (default user_t)
-attribute unpriv_userdomain;
-
-# This attribute is for the main user home directory for unpriv users
-attribute user_home_dir_type;
-
-# The gphdomain attribute identifies every gnome-pty-helper derived
-# domain.  It is used in TE rules to permit inheritance and use of
-# descriptors created by these domains.
-attribute gphdomain;
-
-# The fs_domain identifies every domain that may directly access a fixed disk
-attribute fs_domain;
-
-# This attribute is for all domains for the userhelper program.
-attribute userhelperdomain;
-
-############################
-# Attributes for file types:
-#
-
-# The file_type attribute identifies all types assigned to files 
-# in persistent filesystems.  It is used in TE rules to permit
-# the association of all such file types with persistent filesystem
-# types, and to permit certain domains to access all such types as 
-# appropriate.
-attribute file_type;
-
-# The secure_file_type attribute identifies files 
-# which will be treated with a higer level of security.
-# Most domains will be prevented from manipulating files in this domain
-attribute secure_file_type;
-
-# The device_type attribute identifies all types assigned to device nodes
-attribute device_type;
-
-# The proc_fs attribute identifies all types that may be assigned to
-# files under /proc.
-attribute proc_fs;
-
-# The dev_fs attribute identifies all types that may be assigned to
-# files, sockets, or pipes under /dev.
-attribute dev_fs;
-
-# The sysadmfile attribute identifies all types assigned to files 
-# that should be completely accessible to administrators.  It is used
-# in TE rules to grant such access for administrator domains.
-attribute sysadmfile;
-
-# The secadmfile attribute identifies all types assigned to files 
-# that should be only accessible to security administrators.  It is used
-# in TE rules to grant such access for security administrator domains.
-attribute secadmfile;
-
-# The fs_type attribute identifies all types assigned to filesystems
-# (not limited to persistent filesystems).
-# It is used in TE rules to permit certain domains to mount
-# any filesystem and to permit most domains to obtain the
-# overall filesystem statistics.
-attribute fs_type;
-
-# The mount_point attribute identifies all types that can serve
-# as a mount point (for the mount binary). It is used in the mount 
-# policy to grant mounton permission, and in other domains to grant 
-# getattr permission over all the mount points.
-attribute mount_point;
-
-# The exec_type attribute identifies all types assigned
-# to entrypoint executables for domains.  This attribute is 
-# used in TE rules and assertions that should be applied to all 
-# such executables.
-attribute exec_type;
-
-# The tmpfile attribute identifies all types assigned to temporary 
-# files.  This attribute is used in TE rules to grant certain 
-# domains the ability to remove all such files (e.g. init, crond).
-attribute tmpfile;
-
-# The user_tmpfile attribute identifies all types associated with temporary
-# files for unpriv_userdomain domains.
-attribute user_tmpfile;
-
-# for the user_xserver_tmp_t etc
-attribute xserver_tmpfile;
-
-# The tmpfsfile attribute identifies all types defined for tmpfs 
-# type transitions. 
-# It is used in TE rules to grant certain domains the ability to
-# access all such files.
-attribute tmpfsfile;
-
-# The home_type attribute identifies all types assigned to home
-# directories.  This attribute is used in TE rules to grant certain
-# domains the ability to access all home directory types.
-attribute home_type;
-
-# This attribute is for the main user home directory /home/user, to
-# distinguish it from sub-dirs.  Often you want a process to be able to
-# read the user home directory but not read the regular directories under it.
-attribute home_dir_type;
-
-# The ttyfile attribute identifies all types assigned to ttys.
-# It is used in TE rules to grant certain domains the ability to
-# access all ttys.
-attribute ttyfile;
-
-# The ptyfile attribute identifies all types assigned to ptys.
-# It is used in TE rules to grant certain domains the ability to
-# access all ptys.
-attribute ptyfile;
-
-# The pidfile attribute identifies all types assigned to pid files.
-# It is used in TE rules to grant certain domains the ability to
-# access all such files.
-attribute pidfile;
-
-
-############################
-# Attributes for network types:
-#
-
-# The socket_type attribute identifies all types assigned to 
-# kernel-created sockets.  Ordinary sockets are assigned the 
-# domain of the creating process.
-# XXX This attribute is unused.  Remove?
-attribute socket_type;
-
-# Identifies all types assigned to port numbers to control binding.
-attribute port_type;
-
-# Identifies all types assigned to reserved port (<1024) numbers to control binding.
-attribute reserved_port_type;
-
-# Identifies all types assigned to network interfaces to control
-# operations on the interface (XXX obsolete, not supported via LSM) 
-# and to control traffic sent or received on the interface.
-attribute netif_type;
-
-# Identifies all default types assigned to packets received 
-# on network interfaces.  
-attribute netmsg_type;
-
-# Identifies all types assigned to network nodes/hosts to control
-# traffic sent to or received from the node.
-attribute node_type;
-
-# Identifier for log files or directories that only exist for log files.
-attribute logfile;
-
-# Identifier for lock files (/var/lock/*) or directories that only exist for
-# lock files.
-attribute lockfile;
-
-
-
-##############################
-# Attributes for security policy types:
-#
-
-# The login_contexts attribute idenitifies the files used
-# to define default contexts for login types (e.g., login, cron).
-attribute login_contexts;
-
-# Identifier for a domain used by "sendmail -t" (IE user_mail_t,
-# sysadm_mail_t, etc)
-attribute user_mail_domain;
-
-# Identifies domains that can transition to system_mail_t
-attribute privmail;
-
-# Type for non-sysadm home directory
-attribute user_home_type;
-
-# For domains that are part of a mail server and need to read user files and
-# fifos, and inherit file handles to enable user email to get to the mail
-# spool
-attribute mta_user_agent;
-
-# For domains that are part of a mail server for delivering messages to the
-# user
-attribute mta_delivery_agent;
-
-# For domains that make outbound TCP port 25 connections to send mail from the
-# mail server.
-attribute mail_server_sender;
-
-# For a mail server process that takes TCP connections on port 25
-attribute mail_server_domain;
-
-# For web clients such as netscape and squid
-attribute web_client_domain;
-
-# For X Window System server domains
-attribute xserver;
-
-# For X Window System client domains
-attribute xclient;
-
-# For X Window System protocol extensions
-attribute xextension;
-
-# For X Window System property types
-attribute xproperty;
-
-#
-# For file systems that do not have extended attributes but need to be
-# r/w by users
-#
-attribute noexattrfile;
-
-#
-# For filetypes that the usercan read
-#
-attribute usercanread;
-
-#
-# For serial devices
-#
-attribute serial_device;
-
-# Attribute to designate unrestricted access
-attribute unrestricted;
-
-# Attribute to designate can transition to unconfined_t
-attribute unconfinedtrans;
-
-# For clients of nscd.
-attribute nscd_client_domain;
-
-# For clients of nscd that can use shmem interface.
-attribute nscd_shmem_domain;
-
-# For labeling of content for httpd.  This attribute is only used by
-# the httpd_unified domain, which says treat all httpdcontent the
-# same.  If you want content to be served in a "non-unified" system
-# you must specifically add "r_dir_file(httpd_t, your_content_t)" to
-# your policy.
-attribute httpdcontent;
-
-# For labeling of domains whos transition can be disabled
-attribute transitionbool;
-
-# For labeling of file_context domains which users can change files to rather
-# then the default file context.  These file_context can survive a relabeling
-# of the file system.
-attribute customizable;
-
-##############################
-# Attributes for polyinstatiation support:
-#
-
-# For labeling types that are to be polyinstantiated
-attribute polydir;
-
-# And for labeling the parent directories of those polyinstantiated directories
-# This is necessary for remounting the original in the parent to give
-# security aware apps access
-attribute polyparent;
-
-# And labeling for the member directories
-attribute polymember;
-
diff --git a/targeted/constraints b/targeted/constraints
deleted file mode 100644
index 85586b5..0000000
--- a/targeted/constraints
+++ /dev/null
@@ -1,54 +0,0 @@
-#
-# Define m4 macros for the constraints
-#
-
-#
-# Define the constraints
-#
-# constrain class_set perm_set expression ;
-#
-# expression : ( expression ) 
-#	     | not expression
-#	     | expression and expression
-#	     | expression or expression
-#	     | u1 op u2
-#	     | r1 role_op r2
-#	     | t1 op t2
-#	     | u1 op names
-#	     | u2 op names
-#	     | r1 op names
-#	     | r2 op names
-#	     | t1 op names
-#	     | t2 op names
-#
-# op : == | != 
-# role_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name#		
-#
-
-#
-# Restrict the ability to transition to other users
-# or roles to a few privileged types.
-#
-
-constrain process transition
-	( u1 == u2 or t1 == privuser );
-
-constrain process transition 
-	( r1 == r2 or t1 == privrole );
-
-constrain process dyntransition
-	( u1 == u2 and r1 == r2);
-
-#
-# Restrict the ability to label objects with other
-# user identities to a few privileged types.
-#
-
-constrain dir_file_class_set { create relabelto relabelfrom } 
-	( u1 == u2 or t1 == privowner );
-
-constrain socket_class_set { create relabelto relabelfrom } 
-	( u1 == u2 or t1 == privowner );
diff --git a/targeted/domains/misc/kernel.te b/targeted/domains/misc/kernel.te
deleted file mode 100644
index 5b13c0f..0000000
--- a/targeted/domains/misc/kernel.te
+++ /dev/null
@@ -1,75 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-#################################
-#
-# Rules for the kernel_t domain.
-#
-
-#
-# kernel_t is the domain of kernel threads.
-# It is also the target type when checking permissions in the system class.
-# 
-type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ;
-role system_r types kernel_t;
-general_domain_access(kernel_t)
-general_proc_read_access(kernel_t)
-base_file_read_access(kernel_t)
-uses_shlib(kernel_t)
-can_exec(kernel_t, shell_exec_t)
-
-# Use capabilities.
-allow kernel_t self:capability *;
-
-r_dir_file(kernel_t, sysfs_t)
-allow kernel_t { usbfs_t usbdevfs_t }:dir search;
-
-# Run init in the init_t domain.
-domain_auto_trans(kernel_t, init_exec_t, init_t)
-
-ifdef(`mls_policy', `
-# run init with maximum MLS range
-range_transition kernel_t init_exec_t s0 - s15:c0.c255;
-')
-
-# Share state with the init process.
-allow kernel_t init_t:process share;
-
-# Mount and unmount file systems.
-allow kernel_t fs_type:filesystem mount_fs_perms;
-
-# Send signal to any process.
-allow kernel_t domain:process signal;
-allow kernel_t domain:dir search;
-
-# Access the console.
-allow kernel_t device_t:dir search;
-allow kernel_t console_device_t:chr_file rw_file_perms;
-
-# Access the initrd filesystem.
-allow kernel_t file_t:chr_file rw_file_perms;
-can_exec(kernel_t, file_t)
-ifdef(`chroot.te', `
-can_exec(kernel_t, chroot_exec_t)
-')
-allow kernel_t self:capability sys_chroot;
-
-allow kernel_t { unlabeled_t root_t file_t }:dir mounton;
-allow kernel_t unlabeled_t:fifo_file rw_file_perms;
-allow kernel_t file_t:dir rw_dir_perms;
-allow kernel_t file_t:blk_file create_file_perms;
-allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };
-
-# Lookup the policy.
-allow kernel_t policy_config_t:dir r_dir_perms;
-
-# Load the policy configuration.
-can_loadpol(kernel_t)
-
-# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
-can_exec(kernel_t, bin_t)
-
-ifdef(`targeted_policy', `
-unconfined_domain(kernel_t)
-')
diff --git a/targeted/domains/misc/local.te b/targeted/domains/misc/local.te
deleted file mode 100644
index cedba3c..0000000
--- a/targeted/domains/misc/local.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# Local customization of existing policy should be done in this file.  
-# If you are creating brand new policy for a new "target" domain, you
-# need to create a type enforcement (.te) file in domains/program
-# and a file context (.fc) file in file_context/program.
-
diff --git a/targeted/domains/program/NetworkManager.te b/targeted/domains/program/NetworkManager.te
deleted file mode 100644
index 28093f2..0000000
--- a/targeted/domains/program/NetworkManager.te
+++ /dev/null
@@ -1,117 +0,0 @@
-#DESC NetworkManager - 
-#
-# Authors: Dan Walsh <dwalsh@redhat.com>
-#
-#
-
-#################################
-#
-# Rules for the NetworkManager_t domain.
-#
-# NetworkManager_t is the domain for the NetworkManager daemon. 
-# NetworkManager_exec_t is the type of the NetworkManager executable.
-#
-daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod, mlsfileread' )
-
-can_network(NetworkManager_t)
-allow NetworkManager_t port_type:tcp_socket name_connect;
-allow NetworkManager_t { isakmp_port_t dhcpc_port_t }:udp_socket name_bind;
-allow NetworkManager_t dhcpc_t:process signal;
-
-can_ypbind(NetworkManager_t)
-uses_shlib(NetworkManager_t)
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module ipc_lock};
-
-allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
-
-allow NetworkManager_t self:process { setcap getsched };
-allow NetworkManager_t self:fifo_file rw_file_perms;
-allow NetworkManager_t self:unix_dgram_socket create_socket_perms;
-allow NetworkManager_t self:file { getattr read };
-allow NetworkManager_t self:packet_socket create_socket_perms;
-allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
-
-
-#
-# Communicate with Caching Name Server
-#
-ifdef(`named.te', `
-allow NetworkManager_t named_zone_t:dir search;
-rw_dir_create_file(NetworkManager_t, named_cache_t)
-domain_auto_trans(NetworkManager_t, named_exec_t, named_t)
-allow named_t NetworkManager_t:udp_socket { read write };
-allow named_t NetworkManager_t:netlink_route_socket { read write };
-allow NetworkManager_t named_t:process signal;
-allow named_t NetworkManager_t:packet_socket { read write };
-')
-
-allow NetworkManager_t selinux_config_t:dir search;
-allow NetworkManager_t selinux_config_t:file { getattr read };
-
-ifdef(`dbusd.te', `
-dbusd_client(system, NetworkManager)
-allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow NetworkManager_t self:dbus send_msg;
-ifdef(`hald.te', `
-allow NetworkManager_t hald_t:dbus send_msg;
-allow hald_t NetworkManager_t:dbus send_msg;
-')
-allow NetworkManager_t initrc_t:dbus send_msg;
-allow initrc_t NetworkManager_t:dbus send_msg;
-ifdef(`targeted_policy', `
-allow NetworkManager_t unconfined_t:dbus send_msg;
-allow unconfined_t NetworkManager_t:dbus send_msg;
-')
-allow NetworkManager_t userdomain:dbus send_msg;
-allow userdomain NetworkManager_t:dbus send_msg;
-')
-
-allow NetworkManager_t usr_t:file { getattr read };
-
-ifdef(`ifconfig.te', `
-domain_auto_trans(NetworkManager_t, ifconfig_exec_t, ifconfig_t)
-')dnl end if def ifconfig
-
-allow NetworkManager_t { sbin_t bin_t }:dir search;
-allow NetworkManager_t bin_t:lnk_file read;
-can_exec(NetworkManager_t, { ls_exec_t sbin_t bin_t shell_exec_t })
-
-# in /etc created by NetworkManager will be labelled net_conf_t.
-file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
-
-allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
-allow NetworkManager_t proc_t:file { getattr read };
-r_dir_file(NetworkManager_t, proc_net_t)
-
-allow NetworkManager_t { domain -unrestricted }:dir search;
-allow NetworkManager_t { domain -unrestricted }:file { getattr read };
-dontaudit NetworkManager_t unrestricted:dir search;
-dontaudit NetworkManager_t unrestricted:file { getattr read };
-
-allow NetworkManager_t howl_t:process signal;
-allow NetworkManager_t initrc_var_run_t:file { getattr read };
-
-domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
-allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
-# allow vpnc connections
-allow NetworkManager_t self:rawip_socket create_socket_perms;
-allow NetworkManager_t tun_tap_device_t:chr_file rw_file_perms;
-
-domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
-domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
-ifdef(`vpnc.te', `
-domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t)
-')
-
-ifdef(`dhcpc.te', `
-allow NetworkManager_t dhcp_state_t:dir search;
-allow NetworkManager_t dhcpc_var_run_t:file { getattr read unlink };
-')
-allow NetworkManager_t var_lib_t:dir search;
-dontaudit NetworkManager_t user_tty_type:chr_file { read write };
-dontaudit NetworkManager_t security_t:dir search;
-
-ifdef(`consoletype.te', `
-can_exec(NetworkManager_t, consoletype_exec_t)
-')
-
diff --git a/targeted/domains/program/acct.te b/targeted/domains/program/acct.te
deleted file mode 100644
index bbb4fdc..0000000
--- a/targeted/domains/program/acct.te
+++ /dev/null
@@ -1,66 +0,0 @@
-#DESC Acct - BSD process accounting
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: acct
-#
-
-#################################
-#
-# Rules for the acct_t domain.
-#
-# acct_exec_t is the type of the acct executable.
-#
-daemon_base_domain(acct)
-ifdef(`crond.te', `
-system_crond_entry(acct_exec_t, acct_t)
-
-# for monthly cron job
-file_type_auto_trans(acct_t, var_log_t, wtmp_t, file)
-')
-
-# for SSP
-allow acct_t urandom_device_t:chr_file read;
-
-type acct_data_t, file_type, logfile, sysadmfile;
-
-# not sure why we need this, the command "last" is reported as using it
-dontaudit acct_t self:capability kill;
-
-# gzip needs chown capability for some reason
-allow acct_t self:capability { chown fsetid sys_pacct };
-
-allow acct_t var_t:dir { getattr search };
-rw_dir_create_file(acct_t, acct_data_t)
-
-can_exec(acct_t, { shell_exec_t bin_t initrc_exec_t acct_exec_t })
-allow acct_t { bin_t sbin_t }:dir search;
-allow acct_t bin_t:lnk_file read;
-
-read_locale(acct_t)
-
-allow acct_t fs_t:filesystem getattr;
-
-allow acct_t self:unix_stream_socket create_socket_perms;
-
-allow acct_t self:fifo_file { read write getattr };
-
-allow acct_t { self proc_t }:file { read getattr };
-
-read_sysctl(acct_t)
-
-dontaudit acct_t sysadm_home_dir_t:dir { getattr search };
-
-# for nscd
-dontaudit acct_t var_run_t:dir search;
-
-
-allow acct_t devtty_t:chr_file { read write };
-
-allow acct_t { etc_t etc_runtime_t }:file { read getattr };
-
-ifdef(`logrotate.te', `
-domain_auto_trans(logrotate_t, acct_exec_t, acct_t)
-rw_dir_create_file(logrotate_t, acct_data_t)
-can_exec(logrotate_t, acct_data_t)
-')
-
diff --git a/targeted/domains/program/amanda.te b/targeted/domains/program/amanda.te
deleted file mode 100644
index 4b63f5f..0000000
--- a/targeted/domains/program/amanda.te
+++ /dev/null
@@ -1,284 +0,0 @@
-#DESC Amanda - Automated backup program
-#
-# This policy file sets the rigths for amanda client started by inetd_t
-# and amrecover 
-#
-# X-Debian-Packages: amanda-common amanda-server
-# Depends: inetd.te
-# Author     :  Carsten Grohmann <carstengrohmann@gmx.de>
-#
-# License    :  GPL
-#
-# last change:  27. August 2002
-#
-# state      :  complete and tested
-#
-# Hints      :
-#  - amanda.fc is the appendant file context file
-#  - If you use amrecover please extract the files and directories to the
-#    directory speficified in amanda.fc as type amanda_recover_dir_t.
-#  - The type amanda_user_exec_t is defined to label the files but not used.
-#    This configuration works only as an client and a amanda client does not need
-#    this programs.
-#
-# Enhancements/Corrections:
-#  - set tighter permissions to /bin/tar instead bin_t 
-
-##############################################################################
-# AMANDA CLIENT DECLARATIONS
-##############################################################################
-
-# General declarations
-######################
-
-type amanda_t, domain, privlog, auth, fs_domain, nscd_client_domain;
-role system_r types amanda_t;
-
-# type for the amanda executables
-type amanda_exec_t, file_type, sysadmfile, exec_type;
-
-# type for the amanda executables started by inetd
-type amanda_inetd_exec_t, file_type, sysadmfile, exec_type;
-
-# type for amanda configurations files
-type amanda_config_t, file_type, sysadmfile;
-
-# type for files in /usr/lib/amanda
-type amanda_usr_lib_t, file_type, sysadmfile;
-
-# type for all files in /var/lib/amanda
-type amanda_var_lib_t, file_type, sysadmfile;
-
-# type for all files in /var/lib/amanda/gnutar-lists/
-type amanda_gnutarlists_t, file_type, sysadmfile;
-
-# type for user startable files
-type amanda_user_exec_t, file_type, sysadmfile, exec_type;
-
-# type for same awk and other scripts
-type amanda_script_exec_t, file_type, sysadmfile, exec_type;
-
-# type for the shell configuration files 
-type amanda_shellconfig_t, file_type, sysadmfile;
-
-tmp_domain(amanda)
- 
-# type for /etc/amandates
-type amanda_amandates_t, file_type, sysadmfile;
-
-# type for /etc/dumpdates
-type amanda_dumpdates_t, file_type, sysadmfile;
-
-# type for amanda data
-type amanda_data_t, file_type, sysadmfile;
-
-# Domain transitions
-####################
-
-domain_auto_trans(inetd_t, amanda_inetd_exec_t, amanda_t)
-
-
-##################
-# File permissions
-##################
-
-# configuration files -> read only
-allow amanda_t amanda_config_t:file { getattr read };
-
-# access to amanda_amandates_t
-allow amanda_t amanda_amandates_t:file { getattr lock read write };
-
-# access to amanda_dumpdates_t
-allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
-
-# access to amandas data structure
-allow amanda_t amanda_data_t:dir { read search write };
-allow amanda_t amanda_data_t:file { read write };
-
-# access to proc_t
-allow amanda_t proc_t:file { getattr read };
-
-# access to etc_t and similar
-allow amanda_t etc_t:file { getattr read };
-allow amanda_t etc_runtime_t:file { getattr read };
-
-# access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
-rw_dir_create_file(amanda_t, amanda_gnutarlists_t)
-
-# access to device_t and similar
-allow amanda_t devtty_t:chr_file { read write };
-
-# access to fs_t
-allow amanda_t fs_t:filesystem getattr;
-
-# access to sysctl_kernel_t ( proc/sys/kernel/* )
-read_sysctl(amanda_t)
-
-#####################
-# process permissions
-#####################
-
-# Allow to use shared libs
-uses_shlib(amanda_t)
-
-# Allow to execute a amanda executable file
-allow amanda_t amanda_exec_t:file { execute execute_no_trans getattr read };	
-
-# Allow to run a shell
-allow amanda_t shell_exec_t:file { execute execute_no_trans getattr read };
-
-# access to bin_t (tar)
-allow amanda_t bin_t:file { execute execute_no_trans };
-
-allow amanda_t self:capability { chown dac_override setuid };
-allow amanda_t self:process { fork sigchld setpgid signal };
-allow amanda_t self:dir search;
-allow amanda_t self:file { getattr read };
-
-
-###################################
-# Network and process communication
-###################################
-
-can_network_server(amanda_t);
-can_ypbind(amanda_t);
-can_exec(amanda_t, sbin_t);
-	
-allow amanda_t self:fifo_file { getattr read write ioctl lock };
-allow amanda_t self:unix_stream_socket create_stream_socket_perms;
-allow amanda_t self:unix_dgram_socket create_socket_perms;
-
-
-##########################
-# Communication with inetd
-##########################
-
-allow amanda_t inetd_t:udp_socket { read write };
-
-
-###################
-# inetd permissions
-###################
-
-allow inetd_t amanda_usr_lib_t:dir search;
-
-
-########################
-# Access to to save data
-########################
-
-# access to user_home_t
-allow amanda_t user_home_type:file { getattr read };
-
-##############################################################################
-# AMANDA RECOVER DECLARATIONS
-##############################################################################
-
-
-# General declarations
-######################
-
-# type for amrecover
-type amanda_recover_t, domain;
-role sysadm_r types amanda_recover_t;
-role system_r types amanda_recover_t;
-
-# exec types for amrecover 
-type amanda_recover_exec_t, file_type, sysadmfile, exec_type;
-
-# type for recover files ( restored data )
-type amanda_recover_dir_t, file_type, sysadmfile;
-file_type_auto_trans(amanda_recover_t, sysadm_home_dir_t, amanda_recover_dir_t)
-
-# domain transsition
-domain_auto_trans(sysadm_t, amanda_recover_exec_t, amanda_recover_t)
-
-# file type auto trans to write debug messages
-file_type_auto_trans(amanda_recover_t, tmp_t, amanda_tmp_t)
-
-
-# amanda recover process permissions
-####################################
-
-uses_shlib(amanda_recover_t)
-allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
-can_exec(amanda_recover_t, shell_exec_t)
-allow amanda_recover_t privfd:fd use;
-
-
-# amrecover network and process communication
-#############################################
-
-can_network(amanda_recover_t);
-allow amanda_recover_t amanda_port_t:tcp_socket name_connect;
-can_ypbind(amanda_recover_t);
-read_locale(amanda_recover_t);
-
-allow amanda_recover_t self:fifo_file { getattr ioctl read write };
-allow amanda_recover_t self:unix_stream_socket { connect create read write };
-allow amanda_recover_t var_log_t:dir search;
-rw_dir_create_file(amanda_recover_t, amanda_log_t)
-
-# amrecover file permissions
-############################
-
-# access to etc_t and similar
-allow amanda_recover_t etc_t:dir search;
-allow amanda_recover_t etc_t:file { getattr read };
-allow amanda_recover_t etc_runtime_t:file { getattr read };
-
-# access to amanda_recover_dir_t
-allow amanda_recover_t amanda_recover_dir_t:dir { add_name remove_name search write };
-allow amanda_recover_t amanda_recover_dir_t:file { append create getattr setattr unlink };
-
-# access to var_t and var_run_t
-allow amanda_recover_t var_t:dir search;
-allow amanda_recover_t var_run_t:dir search;
-
-# access to proc_t
-allow amanda_recover_t proc_t:dir search;
-allow amanda_recover_t proc_t:file { getattr read };
-
-# access to sysctl_kernel_t
-read_sysctl(amanda_recover_t)
-
-# access to dev_t and similar
-allow amanda_recover_t device_t:dir search;
-allow amanda_recover_t devtty_t:chr_file { read write };
-allow amanda_recover_t null_device_t:chr_file { getattr write };
-
-# access to bin_t
-allow amanda_recover_t bin_t:file { execute execute_no_trans };
-
-# access to sysadm_home_t and sysadm_home_dir_t to start amrecover 
-# in the sysadm home directory
-allow amanda_recover_t { sysadm_home_dir_t sysadm_home_t }:dir { search getattr };
-
-# access to use sysadm_tty_device_t (/dev/tty?)
-allow amanda_recover_t sysadm_tty_device_t:chr_file { getattr ioctl read write };
-
-# access to amanda_tmp_t and tmp_t
-allow amanda_recover_t amanda_tmp_t:dir { add_name remove_name search write };
-allow amanda_recover_t amanda_tmp_t:file { append create getattr setattr unlink };
-allow amanda_recover_t tmp_t:dir search;
-
-#
-#  Rules to allow amanda to be run as a service in xinetd
-#
-allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
-
-#amanda needs to look at fs_type directories to decide whether it should backup
-allow amanda_t { fs_type file_type }:dir {getattr read search };
-allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
-allow amanda_t device_type:{ blk_file chr_file } getattr;
-allow amanda_t fixed_disk_device_t:blk_file read;
-domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)
-
-allow amanda_t file_type:sock_file getattr;
-logdir_domain(amanda)
-
-dontaudit amanda_t proc_t:lnk_file read;
-dontaudit amanda_t unlabeled_t:file getattr;
-#amanda wants to check attributes on fifo_files
-allow amanda_t file_type:fifo_file getattr;
diff --git a/targeted/domains/program/anaconda.te b/targeted/domains/program/anaconda.te
deleted file mode 100644
index 175947d..0000000
--- a/targeted/domains/program/anaconda.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC Anaconda - Red Hat Installation program
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com>
-#
-#
-
-#################################
-#
-# Rules for the anaconda_t domain.
-#
-# anaconda_t is the domain of the installation program
-#
-type anaconda_t, admin, etc_writer, fs_domain, privmem, auth_write, domain, privlog, privowner, privmodule, sysctl_kernel_writer;
-role system_r types anaconda_t;
-unconfined_domain(anaconda_t)
-
-role system_r types ldconfig_t;
-domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
-
-# Run other rc scripts in the anaconda_t domain.
-domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)
-
-ifdef(`dmesg.te', `
-domain_auto_trans(anaconda_t, dmesg_exec_t, dmesg_t)
-')
-
-ifdef(`distro_redhat', `
-file_type_auto_trans(anaconda_t, boot_t, boot_runtime_t, file)
-')
-
-ifdef(`rpm.te', `
-# Access /var/lib/rpm.
-domain_auto_trans(anaconda_t, rpm_exec_t, rpm_t)
-')
-
-file_type_auto_trans(anaconda_t, var_log_t, var_log_ksyms_t, file)
-
-ifdef(`udev.te', `
-domain_auto_trans(anaconda_t, udev_exec_t, udev_t)
-')
-
-ifdef(`ssh-agent.te', `
-role system_r types sysadm_ssh_agent_t;
-domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
-')
-ifdef(`passwd.te', `
-domain_auto_trans(anaconda_t , admin_passwd_exec_t, sysadm_passwd_t)
-')
diff --git a/targeted/domains/program/apache.te b/targeted/domains/program/apache.te
deleted file mode 100644
index e95cae0..0000000
--- a/targeted/domains/program/apache.te
+++ /dev/null
@@ -1,414 +0,0 @@
-#DESC Apache - Web server
-#
-# X-Debian-Packages: apache2-common apache
-#
-###############################################################################
-#
-# Policy file for running the Apache web server
-#
-# NOTES: 
-#  This policy will work with SUEXEC enabled as part of the Apache
-#  configuration. However, the user CGI scripts will run under the
-#  system_u:system_r:httpd_$1_script_t domain where $1 is the domain of the
-#  of the creating user.
-#
-#  The user CGI scripts must be labeled with the httpd_$1_script_exec_t
-#  type, and the directory containing the scripts should also be labeled
-#  with these types. This policy allows user_r role to perform that 
-#  relabeling. If it is desired that only sysadm_r should be able to relabel
-#  the user CGI scripts, then relabel rule for user_r should be removed.
-#
-###############################################################################
-
-define(`httpd_home_dirs', `
-r_dir_file(httpd_t, $1)
-r_dir_file(httpd_suexec_t, $1)
-can_exec(httpd_suexec_t, $1)
-')
-
-bool httpd_unified false;
-
-# Allow httpd to use built in scripting (usually php)
-bool httpd_builtin_scripting false;
-
-# Allow httpd cgi support
-bool httpd_enable_cgi false;
-
-# Allow httpd to read home directories
-bool httpd_enable_homedirs false;
-
-# Run SSI execs in system CGI script domain.
-bool httpd_ssi_exec false;
-
-# Allow http daemon to communicate with the TTY
-bool httpd_tty_comm false;
-
-# Allow http daemon to tcp connect 
-bool httpd_can_network_connect false;
-
-#########################################################
-# Apache types
-#########################################################
-# httpd_config_t is the type given to the configuration
-# files for apache /etc/httpd/conf
-#
-type httpd_config_t, file_type, sysadmfile;
-
-# httpd_modules_t is the type given to module files (libraries) 
-# that come with Apache /etc/httpd/modules and /usr/lib/apache
-#
-type httpd_modules_t, file_type, sysadmfile;
-
-# httpd_cache_t is the type given to the /var/cache/httpd
-# directory and the files under that directory
-#
-type httpd_cache_t, file_type, sysadmfile;
-
-# httpd_exec_t is the type give to the httpd executable.
-#
-daemon_domain(httpd, `, privmail, nscd_client_domain')
-
-append_logdir_domain(httpd)
-#can read /etc/httpd/logs
-allow httpd_t httpd_log_t:lnk_file read;
-
-# For /etc/init.d/apache2 reload
-can_tcp_connect(httpd_t, httpd_t)
-
-can_tcp_connect(web_client_domain, httpd_t)
-
-can_exec(httpd_t, httpd_exec_t)
-file_type_auto_trans(httpd_t, var_run_t, httpd_var_run_t, sock_file)
-
-general_domain_access(httpd_t)
-
-allow httpd_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
-
-read_sysctl(httpd_t)
-
-allow httpd_t crypt_device_t:chr_file rw_file_perms;
-
-# for modules that want to access /etc/mtab and /proc/meminfo
-allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
-
-uses_shlib(httpd_t)
-allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
-allow httpd_t usr_t:lnk_file { getattr read };
-
-# for apache2 memory mapped files
-var_lib_domain(httpd)
-
-# for tomcat
-r_dir_file(httpd_t, var_lib_t)
-
-# execute perl
-allow httpd_t { bin_t sbin_t }:dir r_dir_perms;
-can_exec(httpd_t, { bin_t sbin_t })
-allow httpd_t bin_t:lnk_file read;
-
-########################################
-# Set up networking
-########################################
-
-can_network_server(httpd_t)
-can_kerberos(httpd_t)
-can_resolve(httpd_t)
-nsswitch_domain(httpd_t)
-allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
-# allow httpd to connect to mysql/posgresql 
-allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
-# allow httpd to work as a relay
-allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
-
-if (httpd_can_network_connect) {
-can_network_client(httpd_t)
-allow httpd_t port_type:tcp_socket name_connect;
-}
-
-##########################################
-# Legacy: remove when it's fixed         #
-# Allow libphp5.so with text relocations #
-##########################################
-allow httpd_t texrel_shlib_t:file execmod;
-
-#########################################
-# Allow httpd to search users directories
-#########################################
-allow httpd_t home_root_t:dir { getattr search };
-dontaudit httpd_t sysadm_home_dir_t:dir getattr;
-
-############################################################################
-# Allow the httpd_t the capability to bind to a port and various other stuff
-############################################################################
-allow httpd_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
-dontaudit httpd_t self:capability net_admin;
-
-#################################################
-# Allow the httpd_t to read the web servers config files
-###################################################
-r_dir_file(httpd_t, httpd_config_t)
-# allow logrotate to read the config files for restart
-ifdef(`logrotate.te', `
-r_dir_file(logrotate_t, httpd_config_t)
-domain_auto_trans(logrotate_t, httpd_exec_t, httpd_t)
-allow logrotate_t httpd_t:process signull;
-')
-r_dir_file(initrc_t, httpd_config_t)
-##################################################
-
-###############################
-# Allow httpd_t to put files in /var/cache/httpd etc
-##############################
-create_dir_file(httpd_t, httpd_cache_t)
-
-###############################
-# Allow httpd_t to access the tmpfs file system
-##############################
-tmpfs_domain(httpd)
-
-#####################
-# Allow httpd_t to access
-# libraries for its modules
-###############################
-allow httpd_t httpd_modules_t:file rx_file_perms;
-allow httpd_t httpd_modules_t:dir r_dir_perms;
-allow httpd_t httpd_modules_t:lnk_file r_file_perms;
-
-######################################################################
-# Allow initrc_t to access the Apache modules directory.
-######################################################################
-allow initrc_t httpd_modules_t:dir r_dir_perms;
-
-##############################################
-# Allow httpd_t to have access to files
-# such as nisswitch.conf
-# need ioctl for php
-###############################################
-allow httpd_t etc_t:file { read getattr ioctl };
-allow httpd_t etc_t:lnk_file { getattr read };
-
-# setup the system domain for system CGI scripts
-apache_domain(sys)
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
-
-# Run SSI execs in system CGI script domain.
-if (httpd_ssi_exec) {
-domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t)
-}
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
-##################################################
-#
-# PHP Directives
-##################################################
-
-type httpd_php_exec_t, file_type, sysadmfile, exec_type;
-type httpd_php_t, domain;
-
-# Transition from the user domain to this domain.
-domain_auto_trans(httpd_t, httpd_php_exec_t, httpd_php_t)
-
-# The system role is authorized for this domain.
-role system_r types httpd_php_t;
-
-general_domain_access(httpd_php_t)
-uses_shlib(httpd_php_t)
-can_exec(httpd_php_t, lib_t)
-
-# allow php to read and append to apache logfiles
-allow httpd_php_t httpd_log_t:file ra_file_perms;
-
-# access to /tmp
-tmp_domain(httpd)
-tmp_domain(httpd_php)
-
-# Creation of lock files for apache2
-lock_domain(httpd)
-
-# Allow apache to used public_content_t
-anonymous_domain(httpd)
-
-# connect to mysql
-ifdef(`mysqld.te', `
-can_unix_connect(httpd_php_t, mysqld_t)
-can_unix_connect(httpd_t, mysqld_t)
-can_unix_connect(httpd_sys_script_t, mysqld_t)
-allow httpd_php_t mysqld_var_run_t:dir search;
-allow httpd_php_t mysqld_var_run_t:sock_file write;
-allow { httpd_t httpd_sys_script_t } mysqld_db_t:dir search;
-allow { httpd_t httpd_sys_script_t } mysqld_db_t:sock_file rw_file_perms;
-allow { httpd_t httpd_sys_script_t } mysqld_var_run_t:sock_file rw_file_perms;
-')
-allow httpd_t bin_t:dir search;
-allow httpd_t sbin_t:dir search;
-allow httpd_t httpd_log_t:dir remove_name;
-
-read_fonts(httpd_t)
-
-allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-
-allow httpd_t autofs_t:dir { search getattr };
-
-if (use_nfs_home_dirs && httpd_enable_homedirs) {
-httpd_home_dirs(nfs_t)
-}
-if (use_samba_home_dirs && httpd_enable_homedirs) {
-httpd_home_dirs(cifs_t)
-}
-
-#
-# Allow users to mount additional directories as http_source
-#
-allow httpd_t mnt_t:dir r_dir_perms;
-
-ifdef(`targeted_policy', `
-typealias httpd_sys_content_t alias httpd_user_content_t;
-typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
-
-if (httpd_enable_homedirs) {
-allow { httpd_t httpd_sys_script_t httpd_suexec_t } user_home_dir_t:dir { getattr search };
-}
-') dnl targeted policy
-
-# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
-typealias httpd_sys_content_t alias httpd_sysadm_content_t;
-
-ifdef(`distro_redhat', `
-#
-# mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
-# This is a bug but it still exists in FC2
-#
-typealias httpd_log_t  alias httpd_runtime_t;
-allow { httpd_t httpd_sys_script_t } httpd_runtime_t:file { getattr append };
-dontaudit httpd_t httpd_runtime_t:file ioctl;
-') dnl distro_redhat
-#
-# Customer reported the following
-#
-ifdef(`snmpd.te', `
-dontaudit httpd_t snmpd_var_lib_t:dir search;
-dontaudit httpd_t snmpd_var_lib_t:file { getattr write read };
-', `
-dontaudit httpd_t usr_t:dir write;
-')
-
-application_domain(httpd_helper)
-role system_r types httpd_helper_t;
-domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
-allow httpd_helper_t httpd_config_t:file { getattr read };
-allow httpd_helper_t httpd_log_t:file { append };
-
-########################################
-# When the admin starts the server, the server wants to access
-# the TTY or PTY associated with the session. The httpd appears
-# to run correctly without this permission, so the permission
-# are dontaudited here. 
-##################################################
-
-if (httpd_tty_comm) {
-allow { httpd_t httpd_helper_t } devpts_t:dir search;
-ifdef(`targeted_policy', `
-allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file rw_file_perms;
-')
-allow { httpd_t httpd_helper_t } admin_tty_type:chr_file rw_file_perms;
-} else {
-dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
-}
-
-read_sysctl(httpd_sys_script_t)
-allow httpd_sys_script_t var_lib_t:dir search;
-dontaudit httpd_t selinux_config_t:dir search;
-r_dir_file(httpd_t, cert_t)
-
-#
-# unconfined domain for apache scripts.  Only to be used as a last resort
-#
-type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable;
-type httpd_unconfined_script_t, domain, nscd_client_domain;
-role system_r types httpd_unconfined_script_t;
-unconfined_domain(httpd_unconfined_script_t)
-
-# The following are types for SUEXEC,which runs user scripts as their
-# own user ID
-#
-daemon_sub_domain(httpd_t, httpd_suexec, `, transitionbool')
-allow httpd_t httpd_suexec_exec_t:file { getattr read };
-
-#########################################################
-# Permissions for running child processes and scripts
-##########################################################
-
-allow httpd_suexec_t self:capability { setuid setgid };
-
-dontaudit httpd_suexec_t var_run_t:dir search;
-allow httpd_suexec_t { var_t var_log_t }:dir search;
-allow httpd_suexec_t home_root_t:dir search;
-
-allow httpd_suexec_t httpd_log_t:dir ra_dir_perms;
-allow httpd_suexec_t httpd_log_t:file { create ra_file_perms };
-allow httpd_suexec_t httpd_t:fifo_file getattr;
-allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
-
-allow httpd_suexec_t etc_t:file { getattr read };
-read_locale(httpd_suexec_t)
-read_sysctl(httpd_suexec_t)
-allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
-
-# for shell scripts
-allow httpd_suexec_t bin_t:dir search;
-allow httpd_suexec_t bin_t:lnk_file read;
-can_exec(httpd_suexec_t, { bin_t shell_exec_t })
-
-if (httpd_can_network_connect) {
-can_network(httpd_suexec_t)
-allow httpd_suexec_t port_type:tcp_socket name_connect;
-}
-
-can_ypbind(httpd_suexec_t)
-allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
-
-allow httpd_suexec_t autofs_t:dir { search getattr };
-tmp_domain(httpd_suexec)
-
-if (httpd_enable_cgi && httpd_unified) {
-domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
-')
-}
-if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting) {
-domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
-create_dir_file(httpd_t, httpdcontent)
-}
-if (httpd_enable_cgi) {
-domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
-domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
-allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
-allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
-}
-
-#
-# Types for squirrelmail
-#
-type httpd_squirrelmail_t, file_type, sysadmfile;
-create_dir_file(httpd_t, httpd_squirrelmail_t)
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
-# File Type of squirrelmail attachments
-type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
-allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
-create_dir_file(httpd_t, squirrelmail_spool_t)
-r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
-
-ifdef(`mta.te', `
-# apache should set close-on-exec
-dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
-dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
-dontaudit system_mail_t httpd_log_t:file { append getattr };
-allow system_mail_t httpd_squirrelmail_t:file { append read };
-dontaudit system_mail_t httpd_t:tcp_socket { read write };
-')
-bool httpd_enable_ftp_server false;
-if (httpd_enable_ftp_server) {
-allow httpd_t ftp_port_t:tcp_socket name_bind;
-}
-
diff --git a/targeted/domains/program/apmd.te b/targeted/domains/program/apmd.te
deleted file mode 100644
index 720336c..0000000
--- a/targeted/domains/program/apmd.te
+++ /dev/null
@@ -1,161 +0,0 @@
-#DESC Apmd - Automatic Power Management daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: apmd
-#
-
-#################################
-#
-# Rules for the apmd_t domain.
-#
-daemon_domain(apmd, `, privmodule, nscd_client_domain')
-
-# for SSP
-allow apmd_t urandom_device_t:chr_file read;
-
-type apm_t, domain, privlog;
-type apm_exec_t, file_type, sysadmfile, exec_type;
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, apm_exec_t, apm_t)
-')
-uses_shlib(apm_t)
-allow apm_t privfd:fd use;
-allow apm_t admin_tty_type:chr_file rw_file_perms;
-allow apm_t device_t:dir search;
-allow apm_t self:capability { dac_override sys_admin };
-allow apm_t proc_t:dir search;
-allow apm_t proc_t:file r_file_perms;
-allow apm_t fs_t:filesystem getattr;
-allow apm_t apm_bios_t:chr_file rw_file_perms;
-role sysadm_r types apm_t;
-role system_r types apm_t;
-
-allow apmd_t device_t:lnk_file read;
-allow apmd_t proc_t:file { getattr read write };
-can_sysctl(apmd_t)
-allow apmd_t sysfs_t:file write;
-
-allow apmd_t self:unix_dgram_socket create_socket_perms;
-allow apmd_t self:unix_stream_socket create_stream_socket_perms;
-allow apmd_t self:fifo_file rw_file_perms;
-allow apmd_t { etc_runtime_t modules_conf_t }:file { getattr read };
-allow apmd_t etc_t:lnk_file read;
-
-# acpid wants a socket
-file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file)
-
-# acpid also has a logfile
-log_domain(apmd)
-tmp_domain(apmd)
-
-ifdef(`distro_suse', `
-var_lib_domain(apmd)
-')
-
-allow apmd_t self:file { getattr read ioctl };
-allow apmd_t self:process getsession;
-
-# Use capabilities.
-allow apmd_t self:capability { sys_admin sys_nice sys_time kill };
-
-# controlling an orderly resume of PCMCIA requires creating device
-# nodes 254,{0,1,2} for some reason.
-allow apmd_t self:capability mknod;
-
-# Access /dev/apm_bios.
-allow apmd_t apm_bios_t:chr_file rw_file_perms;
-
-# Run helper programs.
-can_exec_any(apmd_t)
-
-# apmd calls hwclock.sh on suspend and resume
-allow apmd_t clock_device_t:chr_file r_file_perms;
-ifdef(`hwclock.te', `
-domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
-allow apmd_t adjtime_t:file rw_file_perms;
-allow hwclock_t apmd_log_t:file append;
-allow hwclock_t apmd_t:unix_stream_socket { read write };
-')
-
-
-# to quiet fuser and ps
-# setuid for fuser, dac* for ps
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search };
-dontaudit apmd_t domain:socket_class_set getattr;
-dontaudit apmd_t { file_type fs_type }:notdevfile_class_set getattr;
-dontaudit apmd_t device_type:devfile_class_set getattr;
-dontaudit apmd_t home_type:dir { search getattr };
-dontaudit apmd_t domain:key_socket getattr;
-dontaudit apmd_t domain:dir search;
-
-ifdef(`distro_redhat', `
-can_exec(apmd_t, apmd_var_run_t)
-# for /var/lock/subsys/network
-lock_domain(apmd)
-
-# ifconfig_exec_t needs to be run in its own domain for Red Hat
-ifdef(`ifconfig.te', `domain_auto_trans(apmd_t, ifconfig_exec_t, ifconfig_t)')
-ifdef(`iptables.te', `domain_auto_trans(apmd_t, iptables_exec_t, iptables_t)')
-ifdef(`netutils.te', `domain_auto_trans(apmd_t, netutils_exec_t, netutils_t)')
-', `
-# for ifconfig which is run all the time
-dontaudit apmd_t sysctl_t:dir search;
-')
-
-ifdef(`udev.te', `
-allow apmd_t udev_t:file { getattr read };
-allow apmd_t udev_t:lnk_file { getattr read };
-')
-#
-# apmd tells the machine to shutdown requires the following
-#
-allow apmd_t initctl_t:fifo_file write;
-allow apmd_t initrc_var_run_t:file { read write lock };
-
-#
-# Allow it to run killof5 and pidof
-#
-typeattribute apmd_t unrestricted;
-r_dir_file(apmd_t, domain)
-
-# Same for apm/acpid scripts
-domain_auto_trans(apmd_t, initrc_exec_t, initrc_t)
-ifdef(`consoletype.te', `
-allow consoletype_t apmd_t:fd use;
-allow consoletype_t apmd_t:fifo_file write;
-')
-ifdef(`mount.te', `allow mount_t apmd_t:fd use;')
-ifdef(`crond.te', `
-domain_auto_trans(apmd_t, anacron_exec_t, system_crond_t)
-allow apmd_t crond_t:fifo_file { getattr read write ioctl };
-')
-
-ifdef(`mta.te', `
-domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t) 
-')
-
-# for a find /dev operation that gets /dev/shm
-dontaudit apmd_t tmpfs_t:dir r_dir_perms;
-dontaudit apmd_t selinux_config_t:dir search;
-allow apmd_t user_tty_type:chr_file rw_file_perms;
-# Access /dev/apm_bios.
-allow initrc_t apm_bios_t:chr_file { setattr getattr read };
-
-ifdef(`logrotate.te', `
-allow apmd_t logrotate_t:fd use;
-')dnl end if logrotate.te
-allow apmd_t devpts_t:dir { getattr search };
-allow apmd_t security_t:dir search;
-allow apmd_t usr_t:dir search;
-r_dir_file(apmd_t, hwdata_t)
-ifdef(`targeted_policy', `
-unconfined_domain(apmd_t)
-')
-
-ifdef(`NetworkManager.te', `
-ifdef(`dbusd.te', `
-allow apmd_t NetworkManager_t:dbus send_msg;
-allow NetworkManager_t apmd_t:dbus send_msg;
-')
-')
diff --git a/targeted/domains/program/arpwatch.te b/targeted/domains/program/arpwatch.te
deleted file mode 100644
index 3065800..0000000
--- a/targeted/domains/program/arpwatch.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC arpwatch -  keep track of ethernet/ip address pairings
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the arpwatch_t domain.
-#
-# arpwatch_exec_t is the type of the arpwatch executable.
-#
-daemon_domain(arpwatch, `, privmail')
-
-# for files created by arpwatch
-type arpwatch_data_t, file_type, sysadmfile;
-create_dir_file(arpwatch_t,arpwatch_data_t)
-tmp_domain(arpwatch)
-
-allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
-
-can_network_server(arpwatch_t)
-allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
-allow arpwatch_t self:udp_socket create_socket_perms;
-allow arpwatch_t self:unix_dgram_socket create_socket_perms;
-allow arpwatch_t self:packet_socket create_socket_perms;
-allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
-
-allow arpwatch_t { sbin_t var_lib_t }:dir search;
-allow arpwatch_t sbin_t:lnk_file read;
-r_dir_file(arpwatch_t, etc_t)
-r_dir_file(arpwatch_t, usr_t)
-can_ypbind(arpwatch_t)
-
-ifdef(`qmail.te', `
-allow arpwatch_t bin_t:dir search;
-')
-
-ifdef(`distro_gentoo', `
-allow initrc_t arpwatch_data_t:dir { add_name write };
-allow initrc_t arpwatch_data_t:file create;
-')dnl end distro_gentoo
-
-# why is mail delivered to a directory of type arpwatch_data_t?
-allow mta_delivery_agent arpwatch_data_t:dir search;
-allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
-ifdef(`hide_broken_symptoms', `
-dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
-')
diff --git a/targeted/domains/program/auditd.te b/targeted/domains/program/auditd.te
deleted file mode 100644
index 3dd15a7..0000000
--- a/targeted/domains/program/auditd.te
+++ /dev/null
@@ -1,69 +0,0 @@
-#DESC auditd - System auditing daemon
-#
-# Authors: Colin Walters <walters@verbum.org>
-#
-# Some fixes by Paul Moore <paul.moore@hp.com>
-# 
-define(`audit_manager_domain', `
-allow $1 auditd_etc_t:file rw_file_perms;
-create_dir_file($1, auditd_log_t)
-domain_auto_trans($1, auditctl_exec_t, auditctl_t)
-')
-
-daemon_domain(auditd)
-
-allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
-allow auditd_t self:unix_dgram_socket create_socket_perms;
-allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
-allow auditd_t self:process setsched;
-allow auditd_t self:file { getattr read write };
-allow auditd_t etc_t:file { getattr read };
-
-# Do not use logdir_domain since this is a security file
-type auditd_log_t, file_type, secure_file_type;
-allow auditd_t var_log_t:dir search;
-rw_dir_create_file(auditd_t, auditd_log_t)
-
-can_exec(auditd_t, init_exec_t)
-allow auditd_t initctl_t:fifo_file write;
-
-ifdef(`targeted_policy', `
-dontaudit auditd_t unconfined_t:fifo_file read;
-')
-
-type auditctl_t, domain, privlog;
-type auditctl_exec_t, file_type, exec_type, sysadmfile;
-uses_shlib(auditctl_t)
-allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
-allow auditctl_t self:capability { audit_write audit_control };
-allow auditctl_t etc_t:file { getattr read };
-allow auditctl_t admin_tty_type:chr_file rw_file_perms;
-
-type auditd_etc_t, file_type, secure_file_type;
-allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms;
-allow initrc_t auditd_etc_t:file r_file_perms;
-
-role secadm_r types auditctl_t;
-role sysadm_r types auditctl_t;
-audit_manager_domain(secadm_t)
-
-ifdef(`targeted_policy', `', `
-ifdef(`separate_secadm', `', `
-audit_manager_domain(sysadm_t)
-') 
-')
-
-role system_r types auditctl_t;
-domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)
-
-dontaudit auditctl_t local_login_t:fd use;
-allow auditctl_t proc_t:dir search;
-allow auditctl_t sysctl_kernel_t:dir search;
-allow auditctl_t sysctl_kernel_t:file { getattr read };
-dontaudit auditctl_t init_t:fd use; 
-allow auditctl_t initrc_devpts_t:chr_file { read write };
-allow auditctl_t privfd:fd use;
-
-
-allow auditd_t sbin_t:dir search;
-can_exec(auditd_t, sbin_t)
diff --git a/targeted/domains/program/avahi.te b/targeted/domains/program/avahi.te
deleted file mode 100644
index 0d021b0..0000000
--- a/targeted/domains/program/avahi.te
+++ /dev/null
@@ -1,29 +0,0 @@
-#DESC avahi - mDNS/DNS-SD daemon implementing Apple’s ZeroConf architecture
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-
-daemon_domain(avahi, `, privsysmod')
-r_dir_file(avahi_t, proc_net_t)
-can_network_server(avahi_t)
-can_ypbind(avahi_t)
-allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow avahi_t self:unix_dgram_socket  create_socket_perms;
-allow avahi_t self:capability { dac_override setgid chown kill setuid };
-allow avahi_t urandom_device_t:chr_file r_file_perms;
-allow avahi_t howl_port_t:{ udp_socket tcp_socket } name_bind;
-allow avahi_t self:fifo_file { read write };
-allow avahi_t self:netlink_route_socket r_netlink_socket_perms;
-allow avahi_t self:process setrlimit;
-allow avahi_t etc_t:file { getattr read };
-allow avahi_t initrc_t:process { signal signull };
-allow avahi_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow avahi_t avahi_var_run_t:dir setattr;
-allow avahi_t avahi_var_run_t:sock_file create_file_perms;
-
-ifdef(`dbusd.te', `
-dbusd_client(system, avahi)
-allow avahi_t unconfined_t:dbus send_msg;
-allow unconfined_t avahi_t:dbus send_msg;
-')
-
diff --git a/targeted/domains/program/bluetooth.te b/targeted/domains/program/bluetooth.te
deleted file mode 100644
index c6c5631..0000000
--- a/targeted/domains/program/bluetooth.te
+++ /dev/null
@@ -1,116 +0,0 @@
-#DESC Bluetooth 
-#
-# Authors:  Dan Walsh
-# RH-Packages: Bluetooth
-#
-
-#################################
-#
-# Rules for the bluetooth_t domain.
-#
-daemon_domain(bluetooth)
-
-file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
-file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
-
-tmp_domain(bluetooth)
-var_lib_domain(bluetooth)
-
-# Use capabilities.
-allow bluetooth_t self:file read;
-allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
-allow bluetooth_t self:process getsched;
-allow bluetooth_t proc_t:file { getattr read };
-
-allow bluetooth_t self:shm create_shm_perms;
-
-lock_domain(bluetooth)
-
-# Use the network.
-can_network(bluetooth_t)
-can_ypbind(bluetooth_t)
-ifdef(`dbusd.te', `
-dbusd_client(system, bluetooth)
-allow bluetooth_t system_dbusd_t:dbus send_msg;
-')
-allow bluetooth_t self:socket create_stream_socket_perms;
-
-allow bluetooth_t self:unix_dgram_socket create_socket_perms;
-allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
-
-dontaudit bluetooth_t sysadm_devpts_t:chr_file { read write };
-
-# bluetooth_conf_t is the type of the /etc/bluetooth dir.
-type bluetooth_conf_t, file_type, sysadmfile;
-type bluetooth_conf_rw_t, file_type, sysadmfile;
-
-# Read /etc/bluetooth
-allow bluetooth_t bluetooth_conf_t:dir search;
-allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
-#/usr/sbin/hid2hci causes the following
-allow initrc_t usbfs_t:file { getattr read };
-allow bluetooth_t usbfs_t:dir r_dir_perms;
-allow bluetooth_t usbfs_t:file rw_file_perms; 
-allow bluetooth_t bin_t:dir search;
-can_exec(bluetooth_t, { bin_t shell_exec_t })
-allow bluetooth_t bin_t:lnk_file read;
-
-#Handle bluetooth serial devices
-allow bluetooth_t tty_device_t:chr_file rw_file_perms;
-allow bluetooth_t self:fifo_file rw_file_perms;
-allow bluetooth_t { etc_t etc_runtime_t }:file { getattr read };
-r_dir_file(bluetooth_t, fonts_t)
-allow bluetooth_t urandom_device_t:chr_file r_file_perms;
-allow bluetooth_t usr_t:file { getattr read };
-
-application_domain(bluetooth_helper, `, nscd_client_domain')
-domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
-role system_r types bluetooth_helper_t;
-read_locale(bluetooth_helper_t) 
-typeattribute bluetooth_helper_t unrestricted;
-r_dir_file(bluetooth_helper_t, domain)
-allow bluetooth_helper_t bin_t:dir { getattr search };
-can_exec(bluetooth_helper_t, { bin_t shell_exec_t })
-allow bluetooth_helper_t bin_t:lnk_file read;
-allow bluetooth_helper_t self:capability sys_nice;
-allow bluetooth_helper_t self:fifo_file rw_file_perms;
-allow bluetooth_helper_t self:process { fork getsched sigchld };
-allow bluetooth_helper_t self:shm create_shm_perms;
-allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
-allow bluetooth_helper_t { etc_t etc_runtime_t }:file { getattr read };
-r_dir_file(bluetooth_helper_t, fonts_t)
-r_dir_file(bluetooth_helper_t, proc_t)
-read_sysctl(bluetooth_helper_t)
-allow bluetooth_helper_t tmp_t:dir search;
-allow bluetooth_helper_t usr_t:file { getattr read };
-allow bluetooth_helper_t home_dir_type:dir search;
-ifdef(`xserver.te', `
-allow bluetooth_helper_t xserver_log_t:dir search;
-allow bluetooth_helper_t xserver_log_t:file { getattr read };
-')
-ifdef(`targeted_policy', `
-allow bluetooth_helper_t tmp_t:sock_file { read write };
-allow bluetooth_helper_t tmpfs_t:file { read write };
-allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
-allow bluetooth_t unconfined_t:dbus send_msg;
-allow unconfined_t bluetooth_t:dbus send_msg;
-', `
-ifdef(`xdm.te', `
-allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
-')
-allow bluetooth_t unpriv_userdomain:dbus send_msg;
-allow unpriv_userdomain bluetooth_t:dbus send_msg;
-')
-allow bluetooth_helper_t bluetooth_t:socket { read write };
-allow bluetooth_helper_t self:unix_dgram_socket create_socket_perms;
-allow bluetooth_helper_t self:unix_stream_socket connectto;
-tmp_domain(bluetooth_helper)
-allow bluetooth_helper_t urandom_device_t:chr_file r_file_perms;
-
-dontaudit bluetooth_helper_t default_t:dir { read search };
-dontaudit bluetooth_helper_t { devtty_t ttyfile }:chr_file { read write };
-dontaudit bluetooth_helper_t home_dir_type:dir r_dir_perms;
-ifdef(`xserver.te', `
-allow bluetooth_helper_t xserver_log_t:dir search;
-allow bluetooth_helper_t xserver_log_t:file { getattr read };
-')
diff --git a/targeted/domains/program/canna.te b/targeted/domains/program/canna.te
deleted file mode 100644
index feb4e52..0000000
--- a/targeted/domains/program/canna.te
+++ /dev/null
@@ -1,46 +0,0 @@
-#DESC canna - A Japanese character set input system.
-#
-# Authors: Dan Walsh <dwalsh@redhat.com>
-#
-#
-
-#################################
-#
-# Rules for the canna_t domain.
-#
-daemon_domain(canna)
-
-file_type_auto_trans(canna_t, var_run_t, canna_var_run_t, sock_file)
-
-logdir_domain(canna)
-var_lib_domain(canna)
-
-allow canna_t self:capability { setgid setuid net_bind_service };
-allow canna_t tmp_t:dir { search };
-allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms};
-allow canna_t self:unix_dgram_socket create_stream_socket_perms;
-allow canna_t etc_t:file { getattr read };
-allow canna_t usr_t:file { getattr read };
-
-allow canna_t proc_t:file r_file_perms;
-allow canna_t etc_runtime_t:file r_file_perms;
-allow canna_t canna_var_lib_t:dir create;
-
-rw_dir_create_file(canna_t, canna_var_lib_t)
-
-can_network_tcp(canna_t)
-allow canna_t port_type:tcp_socket name_connect;
-can_ypbind(canna_t)
-
-allow userdomain canna_var_run_t:dir search;
-allow userdomain canna_var_run_t:sock_file write;
-can_unix_connect(userdomain, canna_t)
-
-ifdef(`i18n_input.te', `
-allow i18n_input_t canna_var_run_t:dir search;
-allow i18n_input_t canna_var_run_t:sock_file write;
-can_unix_connect(i18n_input_t, canna_t)
-')
-
-dontaudit canna_t kernel_t:fd use;
-dontaudit canna_t root_t:file read;
diff --git a/targeted/domains/program/cardmgr.te b/targeted/domains/program/cardmgr.te
deleted file mode 100644
index 8f78988..0000000
--- a/targeted/domains/program/cardmgr.te
+++ /dev/null
@@ -1,90 +0,0 @@
-#DESC Cardmgr - PCMCIA control programs
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: pcmcia-cs
-#
-
-#################################
-#
-# Rules for the cardmgr_t domain.
-#
-daemon_domain(cardmgr, `, privmodule')
-
-# for SSP
-allow cardmgr_t urandom_device_t:chr_file read;
-
-type cardctl_exec_t, file_type, sysadmfile, exec_type;
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t)
-')
-role sysadm_r types cardmgr_t;
-allow cardmgr_t admin_tty_type:chr_file { read write };
-
-allow cardmgr_t sysfs_t:dir search;
-allow cardmgr_t home_root_t:dir search;
-
-# Use capabilities (net_admin for route), setuid for cardctl
-allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
-
-# for /etc/resolv.conf
-file_type_auto_trans(cardmgr_t, etc_t, net_conf_t, file)
-
-allow cardmgr_t etc_runtime_t:file { getattr read };
-
-allow cardmgr_t modules_object_t:dir search;
-allow cardmgr_t self:unix_dgram_socket create_socket_perms;
-allow cardmgr_t self:unix_stream_socket create_socket_perms;
-allow cardmgr_t self:fifo_file rw_file_perms;
-
-# Create stab file
-var_lib_domain(cardmgr)
-
-# for /var/lib/misc/pcmcia-scheme
-# would be better to have it in a different type if I knew how it was created..
-allow cardmgr_t var_lib_t:file { getattr read };
-
-# Create device files in /tmp.
-type cardmgr_dev_t, file_type, sysadmfile, tmpfile, device_type, dev_fs;
-file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t }, cardmgr_dev_t, { blk_file chr_file })
-
-# Create symbolic links in /dev.
-type cardmgr_lnk_t, file_type, sysadmfile;
-file_type_auto_trans(cardmgr_t, device_t, cardmgr_lnk_t, lnk_file)
-
-# Run a shell, normal commands, /etc/pcmcia scripts. 
-can_exec_any(cardmgr_t)
-allow cardmgr_t etc_t:lnk_file read;
-
-# Run ifconfig.
-domain_auto_trans(cardmgr_t, ifconfig_exec_t, ifconfig_t)
-allow ifconfig_t cardmgr_t:fd use;
-
-allow cardmgr_t proc_t:file { getattr read ioctl };
-
-# Read /proc/PID directories for all domains (for fuser).
-can_ps(cardmgr_t, domain -unrestricted)
-dontaudit cardmgr_t unrestricted:dir search;
-
-allow cardmgr_t device_type:{ chr_file blk_file } getattr;
-allow cardmgr_t ttyfile:chr_file getattr;
-dontaudit cardmgr_t ptyfile:chr_file getattr;
-dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;
-dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr;
-dontaudit cardmgr_t proc_kmsg_t:file getattr;
-
-allow cardmgr_t tty_device_t:chr_file rw_file_perms;
-
-ifdef(`apmd.te', `
-domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
-')
-
-ifdef(`hide_broken_symptoms', `
-dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
-dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
-')
-ifdef(`hald.te', `
-rw_dir_file(hald_t, cardmgr_var_run_t)
-allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
-')
-allow cardmgr_t device_t:lnk_file { getattr read };
diff --git a/targeted/domains/program/checkpolicy.te b/targeted/domains/program/checkpolicy.te
deleted file mode 100644
index 0cfa5a0..0000000
--- a/targeted/domains/program/checkpolicy.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#DESC Checkpolicy - SELinux policy compliler
-#
-# Authors:  Frank Mayer, mayerf@tresys.com
-# X-Debian-Packages: checkpolicy
-#
-
-###########################
-# 
-# checkpolicy_t is the domain type for checkpolicy
-# checkpolicy_exec_t if file type for the executable
-
-type checkpolicy_t, domain;
-role sysadm_r types checkpolicy_t;
-role system_r types checkpolicy_t;
-role secadm_r types checkpolicy_t;
-
-type checkpolicy_exec_t, file_type, exec_type, sysadmfile;
-
-##########################
-# 
-# Rules
-
-domain_auto_trans(secadmin, checkpolicy_exec_t, checkpolicy_t)
-
-# able to create and modify binary policy files
-allow checkpolicy_t policy_config_t:dir rw_dir_perms;
-allow checkpolicy_t policy_config_t:file create_file_perms;
-
-###########################
-# constrain what checkpolicy can use as source files
-#
-
-# only allow read of policy source files
-allow checkpolicy_t policy_src_t:dir r_dir_perms;
-allow checkpolicy_t policy_src_t:{ file lnk_file } r_file_perms;
-
-# allow test policies to be created in src directories
-file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
-
-# directory search permissions for path to source and binary policy files
-allow checkpolicy_t root_t:dir search;
-allow checkpolicy_t etc_t:dir search;
-
-# Read the devpts root directory.  
-allow checkpolicy_t devpts_t:dir r_dir_perms;
-ifdef(`sshd.te',
-`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
-
-# Other access
-allow checkpolicy_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
-uses_shlib(checkpolicy_t)
-allow checkpolicy_t self:capability dac_override;
-
-##########################
-# Allow users to execute checkpolicy without a domain transition
-# so it can be used without privilege to write real binary policy file
-can_exec(unpriv_userdomain, checkpolicy_exec_t)
-
-allow checkpolicy_t { userdomain privfd }:fd use;
-
-allow checkpolicy_t fs_t:filesystem getattr;
-allow checkpolicy_t console_device_t:chr_file { read write };
-allow checkpolicy_t init_t:fd use;
-allow checkpolicy_t selinux_config_t:dir search;
diff --git a/targeted/domains/program/chkpwd.te b/targeted/domains/program/chkpwd.te
deleted file mode 100644
index 22ac7f2..0000000
--- a/targeted/domains/program/chkpwd.te
+++ /dev/null
@@ -1,18 +0,0 @@
-#DESC Chkpwd - PAM password checking programs
-# X-Debian-Packages: libpam-modules
-#
-# Domains for the /sbin/.*_chkpwd utilities.
-#
-
-#
-# chkpwd_exec_t is the type of the /sbin/.*_chkpwd executables.
-#
-type chkpwd_exec_t, file_type, sysadmfile, exec_type;
-
-chkpwd_domain(system)
-dontaudit system_chkpwd_t privfd:fd use;
-role sysadm_r types system_chkpwd_t;
-in_user_role(system_chkpwd_t)
-
-# Everything else is in the chkpwd_domain macro in
-# macros/program/chkpwd_macros.te.
diff --git a/targeted/domains/program/compat.te b/targeted/domains/program/compat.te
deleted file mode 100644
index 72dc2d0..0000000
--- a/targeted/domains/program/compat.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typealias bin_t alias mount_exec_t;
-typealias bin_t alias dmesg_exec_t;
-typealias bin_t alias loadkeys_exec_t;
diff --git a/targeted/domains/program/comsat.te b/targeted/domains/program/comsat.te
deleted file mode 100644
index cd0e3f9..0000000
--- a/targeted/domains/program/comsat.te
+++ /dev/null
@@ -1,20 +0,0 @@
-#DESC comsat - biff server
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the comsat_t domain.
-#
-# comsat_exec_t is the type of the comsat executable.
-#
-
-inetd_child_domain(comsat, udp)
-allow comsat_t initrc_var_run_t:file r_file_perms;
-dontaudit comsat_t initrc_var_run_t:file write;
-allow comsat_t mail_spool_t:dir r_dir_perms;
-allow comsat_t mail_spool_t:lnk_file read;
-allow comsat_t var_spool_t:dir search;
-dontaudit comsat_t sysadm_tty_device_t:chr_file getattr;
diff --git a/targeted/domains/program/consoletype.te b/targeted/domains/program/consoletype.te
deleted file mode 100644
index b1cc126..0000000
--- a/targeted/domains/program/consoletype.te
+++ /dev/null
@@ -1,65 +0,0 @@
-#DESC consoletype - determine the type of a console device
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: 
-#
-
-#################################
-#
-# Rules for the consoletype_t domain.
-#
-# consoletype_t is the domain for the consoletype program.
-# consoletype_exec_t is the type of the corresponding program.
-#
-type consoletype_t, domain, mlsfileread, mlsfilewrite;
-type consoletype_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types consoletype_t;
-
-uses_shlib(consoletype_t)
-general_domain_access(consoletype_t)
-
-ifdef(`targeted_policy', `', `
-domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)
-
-ifdef(`xdm.te', `
-domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
-allow consoletype_t xdm_tmp_t:file { read write };
-')
-
-ifdef(`hotplug.te', `
-domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t)
-')
-')
-
-allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms;
-
-allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
-
-# Use capabilities.
-allow consoletype_t self:capability sys_admin;
-
-allow consoletype_t console_device_t:chr_file { getattr ioctl read write };
-allow consoletype_t initrc_t:fifo_file write;
-allow consoletype_t nfs_t:file write;
-allow consoletype_t sysadm_t:fifo_file rw_file_perms;
-
-ifdef(`lpd.te', `
-allow consoletype_t printconf_t:file { getattr read };
-')
-
-ifdef(`pam.te', `
-allow consoletype_t pam_var_run_t:file { getattr read };
-')
-ifdef(`distro_redhat', `
-allow consoletype_t tmpfs_t:chr_file rw_file_perms;
-')
-ifdef(`firstboot.te', `
-allow consoletype_t firstboot_t:fifo_file write;
-')
-dontaudit consoletype_t proc_t:dir search;
-dontaudit consoletype_t proc_t:file read;
-dontaudit consoletype_t root_t:file read;
-allow consoletype_t crond_t:fifo_file { read getattr ioctl };
-allow consoletype_t system_crond_t:fd use;
-allow consoletype_t fs_t:filesystem getattr;
diff --git a/targeted/domains/program/cpucontrol.te b/targeted/domains/program/cpucontrol.te
deleted file mode 100644
index 23a13b7..0000000
--- a/targeted/domains/program/cpucontrol.te
+++ /dev/null
@@ -1,17 +0,0 @@
-#DESC cpucontrol - domain for microcode_ctl and other programs to control CPU
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-type cpucontrol_conf_t, file_type, sysadmfile;
-
-daemon_base_domain(cpucontrol)
-
-# Access cpu devices.
-allow cpucontrol_t cpu_device_t:chr_file rw_file_perms;
-allow cpucontrol_t device_t:lnk_file { getattr read };
-allow initrc_t cpu_device_t:chr_file getattr;
-
-allow cpucontrol_t self:capability sys_rawio;
-
-r_dir_file(cpucontrol_t, cpucontrol_conf_t)
diff --git a/targeted/domains/program/cpuspeed.te b/targeted/domains/program/cpuspeed.te
deleted file mode 100644
index b80f705..0000000
--- a/targeted/domains/program/cpuspeed.te
+++ /dev/null
@@ -1,17 +0,0 @@
-#DESC cpuspeed - domain for microcode_ctl, powernowd, etc
-#
-# Authors:  Russell Coker <russell@coker.com.au>
-#           Thomas Bleher <ThomasBleher@gmx.de>
-#
-
-daemon_base_domain(cpuspeed)
-read_locale(cpuspeed_t)
-
-allow cpuspeed_t sysfs_t:dir search;
-allow cpuspeed_t sysfs_t:file rw_file_perms;
-allow cpuspeed_t proc_t:dir r_dir_perms;
-allow cpuspeed_t proc_t:file { getattr read };
-allow cpuspeed_t { etc_t etc_runtime_t }:file { getattr read };
-
-allow cpuspeed_t self:process setsched;
-allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
diff --git a/targeted/domains/program/crond.te b/targeted/domains/program/crond.te
deleted file mode 100644
index 78d70c7..0000000
--- a/targeted/domains/program/crond.te
+++ /dev/null
@@ -1,33 +0,0 @@
-#DESC crond 
-#
-# Authors:  Daniel Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the crond domain.
-#
-# crond_exec_t is the type of the /usr/sbin/crond and other programs.
-# This domain is defined just for targeted policy.
-#
-type crond_exec_t, file_type, sysadmfile, exec_type;
-type crond_t, domain, privuser, privrole, privfd, privowner;
-typealias crond_t alias system_crond_t;
-type anacron_exec_t, file_type, sysadmfile, exec_type;
-type system_crond_tmp_t, file_type, tmpfile, sysadmfile;
-type system_cron_spool_t, file_type, sysadmfile;
-type sysadm_cron_spool_t, file_type, sysadmfile;
-role system_r types crond_t;
-domain_auto_trans(initrc_t, crond_exec_t, crond_t)
-domain_auto_trans(initrc_t, anacron_exec_t, crond_t)
-# Access log files
-file_type_auto_trans(crond_t, user_home_dir_t, user_home_t)
-file_type_auto_trans(crond_t, tmp_t, system_crond_tmp_t)
-var_run_domain(crond)
-
-ifdef(`targeted_policy', `
-unconfined_domain(crond_t)
-allow crond_t initrc_t:dbus send_msg;
-allow crond_t unconfined_t:dbus send_msg;
-allow crond_t unconfined_t:process transition;
-')
diff --git a/targeted/domains/program/cups.te b/targeted/domains/program/cups.te
deleted file mode 100644
index 6bc5106..0000000
--- a/targeted/domains/program/cups.te
+++ /dev/null
@@ -1,321 +0,0 @@
-#DESC Cups - Common Unix Printing System
-#
-# Created cups policy from lpd policy: Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: cupsys cupsys-client cupsys-bsd
-# Depends: lpd.te lpr.te
-
-#################################
-#
-# Rules for the cupsd_t domain.
-#
-# cupsd_t is the domain of cupsd.
-# cupsd_exec_t is the type of the cupsd executable.
-#
-daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
-etcdir_domain(cupsd)
-type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
-
-can_network(cupsd_t)
-allow cupsd_t port_type:tcp_socket name_connect;
-logdir_domain(cupsd)
-
-tmp_domain(cupsd, `', { file dir fifo_file })
-
-allow cupsd_t devpts_t:dir search;
-
-allow cupsd_t device_t:lnk_file read;
-allow cupsd_t printer_device_t:chr_file rw_file_perms;
-allow cupsd_t urandom_device_t:chr_file { getattr read };
-dontaudit cupsd_t random_device_t:chr_file ioctl;
-
-# temporary solution, we need something better
-allow cupsd_t serial_device:chr_file rw_file_perms;
-
-r_dir_file(cupsd_t, usbdevfs_t)
-r_dir_file(cupsd_t, usbfs_t)
-
-ifdef(`logrotate.te', `
-domain_auto_trans(logrotate_t, cupsd_exec_t, cupsd_t)
-')
-
-ifdef(`inetd.te', `
-allow inetd_t printer_port_t:tcp_socket name_bind;
-domain_auto_trans(inetd_t, cupsd_exec_t, cupsd_t)
-')
-
-# write to spool
-allow cupsd_t var_spool_t:dir search;
-
-# this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
-file_type_auto_trans(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-file_type_auto_trans(cupsd_t, var_t, cupsd_rw_etc_t, { dir file })
-allow cupsd_t cupsd_rw_etc_t:dir { setattr rw_dir_perms };
-allow cupsd_t cupsd_etc_t:file setattr;
-allow cupsd_t cupsd_etc_t:dir setattr;
-
-allow cupsd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
-can_exec(cupsd_t, initrc_exec_t)
-allow cupsd_t proc_t:file r_file_perms;
-allow cupsd_t proc_t:dir r_dir_perms;
-allow cupsd_t self:file { getattr read };
-read_sysctl(cupsd_t)
-allow cupsd_t sysctl_dev_t:dir search;
-allow cupsd_t sysctl_dev_t:file { getattr read };
-
-# for /etc/printcap
-dontaudit cupsd_t etc_t:file write;
-
-# allow cups to execute its backend scripts
-can_exec(cupsd_t, cupsd_exec_t)
-allow cupsd_t cupsd_exec_t:dir search;
-allow cupsd_t cupsd_exec_t:lnk_file read;
-allow cupsd_t reserved_port_t:tcp_socket name_bind;
-dontaudit cupsd_t reserved_port_type:tcp_socket name_bind;
-
-allow cupsd_t self:unix_stream_socket create_socket_perms;
-allow cupsd_t self:unix_dgram_socket create_socket_perms;
-allow cupsd_t self:fifo_file rw_file_perms;
-
-# Use capabilities.
-allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
-dontaudit cupsd_t self:capability net_admin;
-
-#
-# /usr/lib/cups/backend/serial needs sys_admin
-# Need new context to run under???
-allow cupsd_t self:capability sys_admin;
-
-allow cupsd_t self:process setsched;
-
-# for /var/lib/defoma
-allow cupsd_t var_lib_t:dir search;
-r_dir_file(cupsd_t, readable_t)
-
-# Bind to the cups/ipp port (631).
-allow cupsd_t ipp_port_t:{ udp_socket tcp_socket } name_bind;
-
-can_tcp_connect(web_client_domain, cupsd_t)
-can_tcp_connect(cupsd_t, cupsd_t)
-
-# Send to portmap.
-ifdef(`portmap.te', `
-can_udp_send(cupsd_t, portmap_t)
-can_udp_send(portmap_t, cupsd_t)
-')
-
-# Write to /var/spool/cups.
-allow cupsd_t print_spool_t:dir { setattr rw_dir_perms };
-allow cupsd_t print_spool_t:file create_file_perms;
-allow cupsd_t print_spool_t:file rw_file_perms;
-
-# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
-allow cupsd_t { bin_t sbin_t }:dir { search getattr };
-allow cupsd_t bin_t:lnk_file read;
-can_exec(cupsd_t, { shell_exec_t bin_t sbin_t })
-
-# They will also invoke ghostscript, which needs to read fonts
-read_fonts(cupsd_t)
-
-# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
-allow cupsd_t lib_t:file { read getattr };
-
-# read python modules
-allow cupsd_t usr_t:{ file lnk_file } { read getattr ioctl };
-
-#
-# lots of errors generated requiring the following
-#
-allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
-
-#
-# Satisfy readahead
-#
-allow initrc_t cupsd_log_t:file { getattr read };
-r_dir_file(cupsd_t, var_t)
-
-r_dir_file(cupsd_t, usercanread)
-ifdef(`samba.te', `
-rw_dir_file(cupsd_t, samba_var_t)
-allow smbd_t cupsd_etc_t:dir search;
-')
-
-ifdef(`pam.te', `
-dontaudit cupsd_t pam_var_run_t:file { getattr read };
-')
-dontaudit cupsd_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-# PTAL
-daemon_domain(ptal)
-etcdir_domain(ptal)
-
-file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
-allow ptal_t self:capability { chown sys_rawio };
-allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
-allow ptal_t self:unix_stream_socket { listen accept };
-can_network_server_tcp(ptal_t)
-allow ptal_t ptal_port_t:tcp_socket name_bind;
-allow userdomain ptal_t:unix_stream_socket connectto;
-allow userdomain ptal_var_run_t:sock_file write;
-allow userdomain ptal_var_run_t:dir search;
-allow ptal_t self:fifo_file rw_file_perms;
-allow ptal_t device_t:dir read;
-allow ptal_t printer_device_t:chr_file rw_file_perms;
-allow initrc_t printer_device_t:chr_file getattr;
-allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
-r_dir_file(ptal_t, usbdevfs_t)
-rw_dir_file(ptal_t, usbfs_t)
-allow cupsd_t ptal_var_run_t:sock_file { write setattr };
-allow cupsd_t ptal_t:unix_stream_socket connectto;
-allow cupsd_t ptal_var_run_t:dir search;
-dontaudit ptal_t { sysadm_home_dir_t staff_home_dir_t }:dir { getattr search };
-
-allow initrc_t ptal_var_run_t:dir rmdir;
-allow initrc_t ptal_var_run_t:fifo_file unlink;
-
-
-# HPLIP
-daemon_domain(hplip)
-etcdir_domain(hplip)
-allow hplip_t etc_t:file r_file_perms;
-allow hplip_t etc_runtime_t:file { read getattr };
-allow hplip_t printer_device_t:chr_file rw_file_perms;
-allow cupsd_t hplip_var_run_t:file { read getattr };
-allow hplip_t cupsd_etc_t:dir search;
-can_network(hplip_t)
-allow hplip_t { hplip_port_t ipp_port_t }:tcp_socket name_connect;
-allow hplip_t hplip_port_t:tcp_socket name_bind;
-
-# Uses networking to talk to the daemons
-allow hplip_t self:unix_dgram_socket create_socket_perms;
-allow hplip_t self:unix_stream_socket create_socket_perms;
-allow hplip_t self:rawip_socket create_socket_perms;
-
-# for python
-can_exec(hplip_t, bin_t)
-allow hplip_t { sbin_t bin_t }:dir search;
-allow hplip_t self:file { getattr read };
-allow hplip_t proc_t:file r_file_perms;
-allow hplip_t urandom_device_t:chr_file { getattr read };
-allow hplip_t usr_t:{ file lnk_file } r_file_perms;
-allow hplip_t devpts_t:dir search;
-allow hplip_t devpts_t:chr_file { getattr ioctl };
-
-
-dontaudit cupsd_t selinux_config_t:dir search;
-dontaudit cupsd_t selinux_config_t:file { getattr read };
-
-allow cupsd_t printconf_t:file { getattr read };
-
-ifdef(`dbusd.te', `
-dbusd_client(system, cupsd)
-allow cupsd_t system_dbusd_t:dbus send_msg;
-allow cupsd_t userdomain:dbus send_msg;
-')
-
-# CUPS configuration daemon
-daemon_domain(cupsd_config, `, nscd_client_domain')
-
-allow cupsd_config_t devpts_t:dir search;
-allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
-
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-allow cupsd_config_t rpm_var_lib_t:dir { getattr search };
-allow cupsd_config_t rpm_var_lib_t:file { getattr read };
-')
-allow cupsd_config_t initrc_exec_t:file getattr;
-')dnl end distro_redhat
-
-allow cupsd_config_t { etc_t etc_runtime_t net_conf_t }:file { getattr read };
-allow cupsd_config_t self:file { getattr read };
-
-allow cupsd_config_t proc_t:file { getattr read };
-allow cupsd_config_t cupsd_var_run_t:file { getattr read };
-allow cupsd_config_t cupsd_t:process { signal };
-allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
-can_ps(cupsd_config_t, cupsd_t)
-
-allow cupsd_config_t self:capability { chown sys_tty_config };
-
-rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
-rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
-file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
-allow cupsd_config_t var_t:lnk_file read;
-
-can_network_tcp(cupsd_config_t)
-can_ypbind(cupsd_config_t)
-allow cupsd_config_t port_type:tcp_socket name_connect;
-can_tcp_connect(cupsd_config_t, cupsd_t)
-allow cupsd_config_t self:fifo_file rw_file_perms;
-
-allow cupsd_config_t self:unix_stream_socket create_socket_perms;
-allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
-ifdef(`dbusd.te', `
-dbusd_client(system, cupsd_config)
-allow cupsd_config_t userdomain:dbus send_msg;
-allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
-allow userdomain cupsd_config_t:dbus send_msg;
-')dnl end if dbusd.te
-
-ifdef(`hald.te', `
-
-ifdef(`dbusd.te', `
-allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg;
-allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;
-')dnl end if dbusd.te
-
-allow hald_t cupsd_config_t:process signal;
-domain_auto_trans(hald_t, cupsd_config_exec_t, cupsd_config_t)
-
-') dnl end if hald.te
-
-
-can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
-ifdef(`hostname.te', `
-can_exec(cupsd_t, hostname_exec_t)
-can_exec(cupsd_config_t, hostname_exec_t)
-')
-allow cupsd_config_t { bin_t sbin_t }:dir { search getattr };
-allow cupsd_config_t { bin_t sbin_t }:lnk_file read;
-# killall causes the following
-dontaudit cupsd_config_t domain:dir { getattr search };
-dontaudit cupsd_config_t selinux_config_t:dir search;
-
-can_exec(cupsd_config_t, cupsd_config_exec_t) 
-
-allow cupsd_config_t usr_t:file { getattr read };
-allow cupsd_config_t var_lib_t:dir { getattr search };
-allow cupsd_config_t rpm_var_lib_t:file { getattr read };
-allow cupsd_config_t printconf_t:file { getattr read };
-
-allow cupsd_config_t urandom_device_t:chr_file { getattr read };
-
-ifdef(`logrotate.te', `
-allow cupsd_config_t logrotate_t:fd use;
-')dnl end if logrotate.te
-allow cupsd_config_t system_crond_t:fd use;
-allow cupsd_config_t crond_t:fifo_file r_file_perms;
-allow cupsd_t crond_t:fifo_file read;
-allow cupsd_t crond_t:fd use;
-
-# Alternatives asks for this
-allow cupsd_config_t initrc_exec_t:file getattr;
-ifdef(`targeted_policy', `
-can_unix_connect(cupsd_t, initrc_t)
-allow cupsd_t initrc_t:dbus send_msg;
-allow initrc_t cupsd_t:dbus send_msg;
-allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
-allow unconfined_t cupsd_config_t:dbus send_msg;
-allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
-')
-typealias printer_port_t alias cupsd_lpd_port_t;
-inetd_child_domain(cupsd_lpd)
-allow inetd_t printer_port_t:tcp_socket name_bind;
-r_dir_file(cupsd_lpd_t, cupsd_etc_t)
-r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
-allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
-ifdef(`use_mcs', `
-range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
-')
-
diff --git a/targeted/domains/program/cvs.te b/targeted/domains/program/cvs.te
deleted file mode 100644
index 3f3e63c..0000000
--- a/targeted/domains/program/cvs.te
+++ /dev/null
@@ -1,31 +0,0 @@
-#DESC cvs - Concurrent Versions System
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the cvs_t domain.
-#
-# cvs_exec_t is the type of the cvs executable.
-#
-
-inetd_child_domain(cvs, tcp)
-typeattribute cvs_t privmail;
-typeattribute cvs_t auth_chkpwd;
-
-type cvs_data_t, file_type, sysadmfile, customizable;
-create_dir_file(cvs_t, cvs_data_t)
-can_exec(cvs_t, { bin_t sbin_t shell_exec_t })
-allow cvs_t bin_t:dir search;
-allow cvs_t { bin_t sbin_t }:lnk_file read;
-allow cvs_t etc_runtime_t:file { getattr read };
-allow system_mail_t cvs_data_t:file { getattr read };
-dontaudit cvs_t devtty_t:chr_file { read write };
-ifdef(`kerberos.te', `
-# Allow kerberos to work
-allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms;
-dontaudit cvs_t krb5_conf_t:file write;
-')
-
diff --git a/targeted/domains/program/cyrus.te b/targeted/domains/program/cyrus.te
deleted file mode 100644
index a423235..0000000
--- a/targeted/domains/program/cyrus.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#DESC cyrus-imapd
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com>
-#
-
-# cyrusd_exec_t is the type of the cyrusd executable.
-# cyrusd_key_t is the type of the cyrus private key files
-daemon_domain(cyrus)
-
-general_domain_access(cyrus_t)
-file_type_auto_trans(cyrus_t, var_run_t, cyrus_var_run_t, sock_file)
-
-type cyrus_var_lib_t, file_type, sysadmfile;
-
-allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
-allow cyrus_t self:process setrlimit;
-
-can_network(cyrus_t)
-allow cyrus_t port_type:tcp_socket name_connect;
-can_ypbind(cyrus_t)
-can_exec(cyrus_t, bin_t)
-allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
-allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
-allow cyrus_t etc_t:file { getattr read };
-allow cyrus_t lib_t:file { execute execute_no_trans getattr read };
-read_locale(cyrus_t)
-read_sysctl(cyrus_t)
-tmp_domain(cyrus)
-allow cyrus_t { mail_port_t pop_port_t }:tcp_socket name_bind;
-allow cyrus_t proc_t:dir search;
-allow cyrus_t proc_t:file { getattr read };
-allow cyrus_t sysadm_devpts_t:chr_file { read write };
-
-allow cyrus_t var_lib_t:dir search;
-
-allow cyrus_t etc_runtime_t:file { read getattr };
-ifdef(`crond.te', `
-system_crond_entry(cyrus_exec_t, cyrus_t)
-allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms;
-allow system_crond_t cyrus_var_lib_t:file create_file_perms;
-')
-create_dir_file(cyrus_t, mail_spool_t)
-allow cyrus_t var_spool_t:dir search;
-
-ifdef(`saslauthd.te', `
-allow cyrus_t saslauthd_var_run_t:dir search;
-allow cyrus_t saslauthd_var_run_t:sock_file { read write };
-allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
-')
-
-r_dir_file(cyrus_t, cert_t)
-allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr };
diff --git a/targeted/domains/program/dbskkd.te b/targeted/domains/program/dbskkd.te
deleted file mode 100644
index e75d90b..0000000
--- a/targeted/domains/program/dbskkd.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#DESC dbskkd - A dictionary server for the SKK Japanese input method system.
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the dbskkd_t domain.
-#
-# dbskkd_exec_t is the type of the dbskkd executable.
-#
-# Depends: inetd.te
-
-inetd_child_domain(dbskkd)
diff --git a/targeted/domains/program/dbusd.te b/targeted/domains/program/dbusd.te
deleted file mode 100644
index acad4de..0000000
--- a/targeted/domains/program/dbusd.te
+++ /dev/null
@@ -1,27 +0,0 @@
-#DESC dbus-daemon-1 server for dbus desktop bus protocol
-#
-# Author:  Russell Coker <russell@coker.com.au>
-
-dbusd_domain(system)
-
-allow system_dbusd_t system_dbusd_var_run_t:sock_file create_file_perms;
-
-ifdef(`pamconsole.te', `
-r_dir_file(system_dbusd_t, pam_var_console_t)
-')
-
-# dac_override: /var/run/dbus is owned by messagebus on Debian
-allow system_dbusd_t self:capability { dac_override setgid setuid };
-nsswitch_domain(system_dbusd_t)
-
-# I expect we need more than this
-
-allow initrc_t system_dbusd_t:dbus { send_msg acquire_svc };
-allow initrc_t system_dbusd_t:unix_stream_socket connectto;
-allow initrc_t system_dbusd_var_run_t:sock_file write;
-
-can_exec(system_dbusd_t, sbin_t)
-allow system_dbusd_t self:fifo_file { read write };
-allow system_dbusd_t self:unix_stream_socket connectto;
-allow system_dbusd_t self:unix_stream_socket connectto;
-allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --git a/targeted/domains/program/dhcpc.te b/targeted/domains/program/dhcpc.te
deleted file mode 100644
index d21b9db..0000000
--- a/targeted/domains/program/dhcpc.te
+++ /dev/null
@@ -1,168 +0,0 @@
-#DESC DHCPC - DHCP client
-#
-# Authors:  Wayne Salamon (NAI Labs) <wsalamon@tislabs.com>
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: pump dhcp-client udhcpc
-#
-
-#################################
-#
-# Rules for the dhcpc_t domain.
-#
-# dhcpc_t is the domain for the client side of DHCP. dhcpcd, the DHCP 
-# network configurator daemon started by /etc/sysconfig/network-scripts 
-# rc scripts, runs in this domain.
-# dhcpc_exec_t is the type of the dhcpcd executable.
-# The dhcpc_t can be used for other DHCPC related files as well.
-#
-daemon_domain(dhcpc)
-
-# for SSP
-allow dhcpc_t urandom_device_t:chr_file read;
-
-can_network(dhcpc_t)
-allow dhcpc_t port_type:tcp_socket name_connect;
-can_ypbind(dhcpc_t)
-allow dhcpc_t self:unix_dgram_socket create_socket_perms;
-allow dhcpc_t self:unix_stream_socket create_socket_perms;
-allow dhcpc_t self:fifo_file rw_file_perms;
-
-allow dhcpc_t devpts_t:dir search;
-
-# for localization
-allow dhcpc_t lib_t:file { getattr read };
-
-ifdef(`consoletype.te', `
-domain_auto_trans(dhcpc_t, consoletype_exec_t, consoletype_t)
-')
-ifdef(`nscd.te', `
-domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t)
-allow dhcpc_t nscd_var_run_t:file { getattr read };
-')
-ifdef(`cardmgr.te', `
-domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
-allow cardmgr_t dhcpc_var_run_t:file { getattr read };
-allow cardmgr_t dhcpc_t:process signal_perms;
-allow cardmgr_t dhcpc_var_run_t:file unlink;
-allow dhcpc_t cardmgr_dev_t:chr_file { read write };
-')
-ifdef(`hotplug.te', `
-domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
-allow hotplug_t dhcpc_t:process signal_perms;
-allow hotplug_t dhcpc_var_run_t:file { getattr read };
-allow hotplug_t dhcp_etc_t:file rw_file_perms;
-allow dhcpc_t hotplug_etc_t:dir { getattr search };
-ifdef(`distro_redhat', `
-domain_auto_trans(dhcpc_t, syslogd_exec_t, syslogd_t)
-')
-')dnl end hotplug.te
-
-# for the dhcp client to run ping to check IP addresses
-ifdef(`ping.te', `
-domain_auto_trans(dhcpc_t, ping_exec_t, ping_t)
-ifdef(`hotplug.te', `
-allow ping_t hotplug_t:fd use;
-') dnl end if hotplug
-ifdef(`cardmgr.te', `
-allow ping_t cardmgr_t:fd use;
-') dnl end if cardmgr
-', `
-allow dhcpc_t self:capability setuid;
-allow dhcpc_t self:rawip_socket create_socket_perms;
-') dnl end if ping
-
-ifdef(`dhcpd.te', `', `
-type dhcp_state_t, file_type, sysadmfile;
-type dhcp_etc_t, file_type, sysadmfile, usercanread; 
-')
-type dhcpc_state_t, file_type, sysadmfile;
-
-allow dhcpc_t etc_t:lnk_file read;
-allow dhcpc_t { etc_t etc_runtime_t }:file { getattr read };
-allow dhcpc_t proc_net_t:dir search;
-allow dhcpc_t { proc_t proc_net_t }:file { getattr read };
-allow dhcpc_t self:file { getattr read };
-read_sysctl(dhcpc_t)
-allow dhcpc_t userdomain:fd use;
-ifdef(`run_init.te', `
-allow dhcpc_t run_init_t:fd use;
-')
-
-# Use capabilities
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
-
-# for access("/etc/bashrc", X_OK) on Red Hat
-dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-
-# for udp port 68
-allow dhcpc_t dhcpc_port_t:udp_socket name_bind;
-
-# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
-# in /etc created by dhcpcd will be labelled net_conf_t.
-file_type_auto_trans(dhcpc_t, etc_t, net_conf_t, file)
-
-# Allow access to the dhcpc file types
-r_dir_file(dhcpc_t, dhcp_etc_t)
-allow dhcpc_t sbin_t:dir search;
-can_exec(dhcpc_t, { dhcpc_exec_t dhcp_etc_t sbin_t })
-ifdef(`distro_redhat', `
-can_exec(dhcpc_t, etc_t)
-allow initrc_t dhcp_etc_t:file rw_file_perms;
-')
-ifdef(`ifconfig.te', `
-domain_auto_trans(dhcpc_t, ifconfig_exec_t, ifconfig_t)
-')dnl end if def ifconfig
-
-
-tmp_domain(dhcpc)
-
-# Allow dhcpc_t to use packet sockets
-allow dhcpc_t self:packet_socket create_socket_perms;
-allow dhcpc_t var_lib_t:dir search;
-file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
-allow dhcpc_t dhcp_state_t:file { getattr read };
-
-allow dhcpc_t bin_t:dir { getattr search };
-allow dhcpc_t bin_t:lnk_file read;
-can_exec(dhcpc_t, { bin_t shell_exec_t })
-
-ifdef(`hostname.te', `
-domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t)
-')
-dontaudit dhcpc_t { devpts_t ttyfile ptyfile tty_device_t }:chr_file rw_file_perms;
-allow dhcpc_t { userdomain kernel_t }:fd use;
-
-allow dhcpc_t home_root_t:dir search;
-allow initrc_t dhcpc_state_t:file { getattr read };
-dontaudit dhcpc_t var_lock_t:dir search;
-allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
-dontaudit dhcpc_t domain:dir getattr;
-allow dhcpc_t initrc_var_run_t:file rw_file_perms;
-#
-# dhclient sometimes starts ypbind and ntdp
-#
-can_exec(dhcpc_t, initrc_exec_t)
-ifdef(`ypbind.te', `
-domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
-allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
-allow dhcpc_t ypbind_t:process signal;
-')
-ifdef(`ntpd.te', `
-domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
-')
-role sysadm_r types dhcpc_t;
-domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t)
-ifdef(`dbusd.te', `
-dbusd_client(system, dhcpc)
-domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
-allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow dhcpc_t self:dbus send_msg;
-allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
-allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
-ifdef(`unconfined.te', `
-allow unconfined_t dhcpc_t:dbus send_msg;
-allow dhcpc_t unconfined_t:dbus send_msg;
-')
-')
-ifdef(`netutils.te', `domain_auto_trans(dhcpc_t, netutils_exec_t, netutils_t)')
-allow dhcpc_t locale_t:file write;
diff --git a/targeted/domains/program/dhcpd.te b/targeted/domains/program/dhcpd.te
deleted file mode 100644
index e276af2..0000000
--- a/targeted/domains/program/dhcpd.te
+++ /dev/null
@@ -1,78 +0,0 @@
-#DESC DHCPD - DHCP server
-#
-# Author: Russell Coker <russell@coker.com.au> 
-# based on the dhcpc_t policy from:
-#          Wayne Salamon (NAI Labs) <wsalamon@tislabs.com>
-# X-Debian-Packages: dhcp dhcp3-server 
-#
-
-#################################
-#
-# Rules for the dhcpd_t domain.
-#
-# dhcpd_t is the domain for the server side of DHCP. dhcpd, the DHCP 
-# server daemon rc scripts, runs in this domain.
-# dhcpd_exec_t is the type of the dhcpdd executable.
-# The dhcpd_t can be used for other DHCPC related files as well.
-#
-daemon_domain(dhcpd, `, nscd_client_domain')
-
-# for UDP port 4011
-allow dhcpd_t pxe_port_t:udp_socket name_bind;
-
-type dhcp_etc_t, file_type, sysadmfile, usercanread;
-
-# Use the network.
-can_network(dhcpd_t)
-allow dhcpd_t port_type:tcp_socket name_connect;
-allow dhcpd_t dhcpd_port_t:{ tcp_socket udp_socket } name_bind;
-can_ypbind(dhcpd_t)
-allow dhcpd_t self:unix_dgram_socket create_socket_perms;
-allow dhcpd_t self:unix_stream_socket create_socket_perms;
-allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
-
-allow dhcpd_t var_lib_t:dir search;
-
-allow dhcpd_t devtty_t:chr_file { read write };
-
-# Use capabilities
-allow dhcpd_t self:capability { net_raw net_bind_service };
-dontaudit dhcpd_t self:capability  net_admin;
-
-# Allow access to the dhcpd file types
-type dhcp_state_t, file_type, sysadmfile;
-type dhcpd_state_t, file_type, sysadmfile;
-allow dhcpd_t dhcp_etc_t:file { read getattr };
-allow dhcpd_t dhcp_etc_t:dir search;
-file_type_auto_trans(dhcpd_t, dhcp_state_t, dhcpd_state_t, file)
-
-allow dhcpd_t etc_t:lnk_file read;
-allow dhcpd_t { etc_t etc_runtime_t }:file r_file_perms;
-
-# Allow dhcpd_t programs to execute themselves and bin_t (uname etc)
-can_exec(dhcpd_t, { dhcpd_exec_t bin_t })
-
-# Allow dhcpd_t to use packet sockets
-allow dhcpd_t self:packet_socket create_socket_perms;
-allow dhcpd_t self:rawip_socket create_socket_perms;
-
-# allow to run utilities and scripts
-allow dhcpd_t { bin_t sbin_t }:dir r_dir_perms;
-allow dhcpd_t { bin_t sbin_t }:{ file lnk_file } rx_file_perms;
-allow dhcpd_t self:fifo_file { read write getattr };
-
-# allow reading /proc
-allow dhcpd_t proc_t:{ file lnk_file } r_file_perms;
-tmp_domain(dhcpd)
-
-ifdef(`distro_gentoo', `
-allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
-allow initrc_t dhcpd_state_t:file setattr;
-')
-r_dir_file(dhcpd_t, usr_t)
-allow dhcpd_t { urandom_device_t random_device_t }:chr_file r_file_perms;
-
-ifdef(`named.te', `
-allow dhcpd_t { named_conf_t named_zone_t }:dir search;
-allow dhcpd_t dnssec_t:file { getattr read };
-')
diff --git a/targeted/domains/program/dictd.te b/targeted/domains/program/dictd.te
deleted file mode 100644
index d610d07..0000000
--- a/targeted/domains/program/dictd.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC Dictd - Dictionary daemon
-#
-# Authors:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: dictd
-#
-
-#################################
-#
-# Rules for the dictd_t domain.
-#
-# dictd_exec_t is the type of the dictd executable.
-#
-daemon_base_domain(dictd)
-type dictd_var_lib_t, file_type, sysadmfile;
-typealias dictd_var_lib_t alias var_lib_dictd_t;
-etc_domain(dictd)
-
-# for checking for nscd
-dontaudit dictd_t var_run_t:dir search;
-
-# read config files
-allow dictd_t { etc_t etc_runtime_t }:file r_file_perms;
-
-read_locale(dictd_t)
-
-allow dictd_t { var_t var_lib_t }:dir search;
-allow dictd_t dictd_var_lib_t:dir r_dir_perms;
-allow dictd_t dictd_var_lib_t:file r_file_perms;
-
-allow dictd_t self:capability { setuid setgid };
-
-allow dictd_t usr_t:file r_file_perms;
-
-allow dictd_t self:process { setpgid fork sigchld };
-
-allow dictd_t proc_t:file r_file_perms;
-
-allow dictd_t dict_port_t:tcp_socket name_bind;
-
-allow dictd_t devtty_t:chr_file rw_file_perms;
-
-allow dictd_t self:unix_stream_socket create_stream_socket_perms;
-
-can_network_server(dictd_t)
-can_ypbind(dictd_t)
-can_tcp_connect(userdomain, dictd_t)
-
-allow dictd_t fs_t:filesystem getattr;
diff --git a/targeted/domains/program/dmidecode.te b/targeted/domains/program/dmidecode.te
deleted file mode 100644
index 05b93f7..0000000
--- a/targeted/domains/program/dmidecode.te
+++ /dev/null
@@ -1,22 +0,0 @@
-#DESC dmidecode - decodes DMI data for x86/ia64 bioses 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-type dmidecode_t, domain, privmem;
-type dmidecode_exec_t, file_type, exec_type, sysadmfile;
-
-# Allow execution by the sysadm
-role sysadm_r types dmidecode_t;
-role system_r types dmidecode_t;
-domain_auto_trans(sysadm_t, dmidecode_exec_t, dmidecode_t)
-
-uses_shlib(dmidecode_t)
-
-# Allow terminal access
-access_terminal(dmidecode_t, sysadm)
-
-# Allow dmidecode to read /dev/mem
-allow dmidecode_t memory_device_t:chr_file read;
-
-allow dmidecode_t self:capability sys_rawio;
diff --git a/targeted/domains/program/dovecot.te b/targeted/domains/program/dovecot.te
deleted file mode 100644
index eb7a30e..0000000
--- a/targeted/domains/program/dovecot.te
+++ /dev/null
@@ -1,75 +0,0 @@
-#DESC Dovecot POP and IMAP servers
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: dovecot-imapd, dovecot-pop3d
-
-#
-# Main dovecot daemon
-#
-daemon_domain(dovecot, `, privhome')
-etc_domain(dovecot);
-
-allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
-
-can_exec(dovecot_t, dovecot_exec_t)
-
-type dovecot_cert_t, file_type, sysadmfile;
-type dovecot_passwd_t, file_type, sysadmfile;
-type dovecot_spool_t, file_type, sysadmfile;
-
-allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
-allow dovecot_t self:process setrlimit;
-can_network_tcp(dovecot_t)
-allow dovecot_t port_type:tcp_socket name_connect;
-can_ypbind(dovecot_t)
-allow dovecot_t self:unix_dgram_socket create_socket_perms;
-allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
-can_unix_connect(dovecot_t, self)
-
-allow dovecot_t etc_t:file { getattr read };
-allow dovecot_t initrc_var_run_t:file getattr;
-allow dovecot_t bin_t:dir { getattr search };
-can_exec(dovecot_t, bin_t)
-
-allow dovecot_t pop_port_t:tcp_socket name_bind;
-allow dovecot_t urandom_device_t:chr_file { getattr read };
-allow dovecot_t cert_t:dir search;
-r_dir_file(dovecot_t, dovecot_cert_t)
-r_dir_file(dovecot_t, cert_t)
-
-allow dovecot_t { self proc_t }:file { getattr read };
-allow dovecot_t self:fifo_file rw_file_perms;
-
-can_kerberos(dovecot_t)
-
-allow dovecot_t tmp_t:dir search;
-rw_dir_create_file(dovecot_t, mail_spool_t)
-
-
-create_dir_file(dovecot_t, dovecot_spool_t)
-create_dir_file(mta_delivery_agent, dovecot_spool_t)
-allow dovecot_t mail_spool_t:lnk_file read;
-allow dovecot_t var_spool_t:dir { search };
-
-#
-# Dovecot auth daemon
-#
-daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd')
-can_ldap(dovecot_auth_t)
-can_ypbind(dovecot_auth_t)
-can_kerberos(dovecot_auth_t)
-can_resolve(dovecot_auth_t)
-allow dovecot_auth_t self:process { fork signal_perms };
-allow dovecot_auth_t self:capability { setgid setuid };
-allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
-allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
-allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-allow dovecot_auth_t self:fifo_file rw_file_perms;
-allow dovecot_auth_t urandom_device_t:chr_file { getattr read };
-allow dovecot_auth_t etc_t:file { getattr read };
-allow dovecot_auth_t { self proc_t }:file { getattr read };
-read_locale(dovecot_auth_t)
-read_sysctl(dovecot_auth_t)
-allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
-dontaudit dovecot_auth_t selinux_config_t:dir search;
-
diff --git a/targeted/domains/program/fingerd.te b/targeted/domains/program/fingerd.te
deleted file mode 100644
index 73fee16..0000000
--- a/targeted/domains/program/fingerd.te
+++ /dev/null
@@ -1,80 +0,0 @@
-#DESC Fingerd - Finger daemon
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: fingerd cfingerd efingerd ffingerd
-#
-
-#################################
-#
-# Rules for the fingerd_t domain.
-#
-# fingerd_exec_t is the type of the fingerd executable.
-#
-daemon_domain(fingerd)
-
-etcdir_domain(fingerd)
-
-allow fingerd_t etc_t:lnk_file read;
-allow fingerd_t { etc_t etc_runtime_t }:file { read getattr };
-
-log_domain(fingerd)
-system_crond_entry(fingerd_exec_t, fingerd_t)
-ifdef(`logrotate.te', `can_exec(fingerd_t, logrotate_exec_t)')
-
-allow fingerd_t fingerd_port_t:tcp_socket name_bind;
-ifdef(`inetd.te', `
-allow inetd_t fingerd_port_t:tcp_socket name_bind;
-# can be run from inetd
-domain_auto_trans(inetd_t, fingerd_exec_t, fingerd_t)
-allow fingerd_t inetd_t:tcp_socket { read write getattr ioctl };
-')
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, fingerd_exec_t, fingerd_t)
-')
-
-allow fingerd_t self:capability { setgid setuid };
-# for gzip from logrotate
-dontaudit fingerd_t self:capability fsetid;
-
-# cfingerd runs shell scripts
-allow fingerd_t { bin_t sbin_t }:dir search;
-allow fingerd_t bin_t:lnk_file read;
-can_exec(fingerd_t, { shell_exec_t bin_t sbin_t })
-allow fingerd_t devtty_t:chr_file { read write };
-
-allow fingerd_t { ttyfile ptyfile }:chr_file getattr;
-
-# Use the network.
-can_network_server(fingerd_t)
-can_ypbind(fingerd_t)
-
-allow fingerd_t self:unix_dgram_socket create_socket_perms;
-allow fingerd_t self:unix_stream_socket create_socket_perms;
-allow fingerd_t self:fifo_file { read write getattr };
-
-# allow any user domain to connect to the finger server
-can_tcp_connect(userdomain, fingerd_t)
-
-# for .finger, .plan. etc
-allow fingerd_t { home_root_t user_home_dir_type }:dir search;
-# should really have a different type for .plan etc
-allow fingerd_t user_home_type:file { getattr read };
-# stop it accessing sub-directories, prevents checking a Maildir for new mail,
-# have to change this when we create a type for Maildir
-dontaudit fingerd_t user_home_t:dir search;
-
-# for mail
-allow fingerd_t { var_spool_t mail_spool_t }:dir search;
-allow fingerd_t mail_spool_t:file getattr;
-allow fingerd_t mail_spool_t:lnk_file read;
-
-# see who is logged in and when users last logged in
-allow fingerd_t { initrc_var_run_t lastlog_t }:file { read getattr };
-dontaudit fingerd_t initrc_var_run_t:file lock;
-allow fingerd_t devpts_t:dir search;
-allow fingerd_t ptyfile:chr_file getattr;
-
-allow fingerd_t proc_t:file { read getattr };
-
-# for date command
-read_sysctl(fingerd_t)
diff --git a/targeted/domains/program/firstboot.te b/targeted/domains/program/firstboot.te
deleted file mode 100644
index e07bc43..0000000
--- a/targeted/domains/program/firstboot.te
+++ /dev/null
@@ -1,131 +0,0 @@
-#DESC firstboot
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-# X-Debian-Packages: firstboot
-#
-
-#################################
-#
-# Rules for the firstboot_t domain.
-#
-# firstboot_exec_t is the type of the firstboot executable.
-#
-application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, privuser, sysctl_kernel_writer')
-type firstboot_rw_t, file_type, sysadmfile;
-role system_r types firstboot_t;
-
-ifdef(`xserver.te', `
-domain_auto_trans(firstboot_t, xserver_exec_t, xdm_xserver_t)
-')
-
-etc_domain(firstboot)
-
-allow firstboot_t proc_t:file r_file_perms;
-
-allow firstboot_t urandom_device_t:chr_file { getattr read };
-allow firstboot_t proc_t:file { getattr read write };
-
-domain_auto_trans(initrc_t, firstboot_exec_t, firstboot_t)
-file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)
-
-can_exec_any(firstboot_t)
-ifdef(`useradd.te',`
-domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
-domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
-')
-allow firstboot_t etc_runtime_t:file { getattr read };
-
-r_dir_file(firstboot_t, etc_t)
-
-allow firstboot_t firstboot_rw_t:dir create_dir_perms;
-allow firstboot_t firstboot_rw_t:file create_file_perms;
-allow firstboot_t self:fifo_file { getattr read write };
-allow firstboot_t self:process { fork sigchld };
-allow firstboot_t self:unix_stream_socket { connect create };
-allow firstboot_t initrc_exec_t:file { getattr read };
-allow firstboot_t initrc_var_run_t:file r_file_perms;
-allow firstboot_t lib_t:file { getattr read };
-allow firstboot_t local_login_t:fd use;
-read_locale(firstboot_t)
-
-allow firstboot_t proc_t:dir search;
-allow firstboot_t { devtty_t sysadm_tty_device_t }:chr_file rw_file_perms;
-allow firstboot_t usr_t:file r_file_perms;
-
-allow firstboot_t etc_t:file write;
-
-# Allow write to utmp file
-allow firstboot_t initrc_var_run_t:file write;
-
-ifdef(`samba.te', `
-rw_dir_file(firstboot_t, samba_etc_t)
-')
-
-dontaudit firstboot_t shadow_t:file getattr;
-
-role system_r types initrc_t;
-#role_transition firstboot_r initrc_exec_t system_r;
-domain_auto_trans(firstboot_t, initrc_exec_t, initrc_t)
-
-allow firstboot_t self:passwd rootok;
-
-ifdef(`userhelper.te', `
-role system_r types sysadm_userhelper_t;
-domain_auto_trans(firstboot_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-
-ifdef(`consoletype.te', `
-allow consoletype_t devtty_t:chr_file { read write };
-allow consoletype_t etc_t:file { getattr read };
-allow consoletype_t firstboot_t:fd use;
-')
-
-allow firstboot_t etc_t:{ file lnk_file } create_file_perms;
-
-allow firstboot_t self:capability { dac_override setgid };
-allow firstboot_t self:dir search;
-allow firstboot_t self:file { read write };
-allow firstboot_t self:lnk_file read;
-can_setfscreate(firstboot_t)
-allow firstboot_t krb5_conf_t:file rw_file_perms;
-
-allow firstboot_t modules_conf_t:file { getattr read };
-allow firstboot_t modules_dep_t:file { getattr read };
-allow firstboot_t modules_object_t:dir search;
-allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
-allow firstboot_t proc_t:lnk_file read;
-
-can_getsecurity(firstboot_t)
-
-dontaudit firstboot_t sysadm_t:process { noatsecure rlimitinh siginh transition };
-read_sysctl(firstboot_t)
-
-allow firstboot_t var_run_t:dir getattr;
-allow firstboot_t var_t:dir getattr;
-ifdef(`hostname.te', `
-allow hostname_t devtty_t:chr_file { read write };
-allow hostname_t firstboot_t:fd use;
-')
-ifdef(`iptables.te', `
-allow iptables_t devtty_t:chr_file { read write };
-allow iptables_t firstboot_t:fd use;
-allow iptables_t firstboot_t:fifo_file write;
-')
-can_network_server(firstboot_t)
-can_ypbind(firstboot_t)
-ifdef(`printconf.te', `
-can_exec(firstboot_t, printconf_t)
-')
-create_dir_file(firstboot_t, var_t)
-# Add/remove user home directories
-file_type_auto_trans(firstboot_t, home_root_t, user_home_dir_t, dir)
-file_type_auto_trans(firstboot_t, user_home_dir_t, user_home_t)
-
-#
-# The big hammer
-#
-unconfined_domain(firstboot_t) 
-ifdef(`targeted_policy', `
-allow firstboot_t unconfined_t:process transition;
-')
-
diff --git a/targeted/domains/program/fsadm.te b/targeted/domains/program/fsadm.te
deleted file mode 100644
index 0bfbb68..0000000
--- a/targeted/domains/program/fsadm.te
+++ /dev/null
@@ -1,123 +0,0 @@
-#DESC Fsadm - Disk and file system administration
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: util-linux e2fsprogs xfsprogs reiserfsprogs parted raidtools2 mount
-#
-
-#################################
-#
-# Rules for the fsadm_t domain.
-#
-# fsadm_t is the domain for disk and file system
-# administration.
-# fsadm_exec_t is the type of the corresponding programs.
-#
-type fsadm_t, domain, privlog, fs_domain, mlsfileread, mlsfilewrite;
-role system_r types fsadm_t;
-role sysadm_r types fsadm_t;
-
-general_domain_access(fsadm_t)
-
-# for swapon
-r_dir_file(fsadm_t, sysfs_t)
-
-# Read system information files in /proc.
-r_dir_file(fsadm_t, proc_t)
-
-# Read system variables in /proc/sys
-read_sysctl(fsadm_t)
-
-# for /dev/shm
-allow fsadm_t tmpfs_t:dir { getattr search };
-allow fsadm_t tmpfs_t:file { read write };
-
-base_file_read_access(fsadm_t)
-
-# Read /etc.
-r_dir_file(fsadm_t, etc_t)
-
-# Read module-related files.
-allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms;
-
-# Read /dev directories and any symbolic links.
-allow fsadm_t device_t:dir r_dir_perms;
-allow fsadm_t device_t:lnk_file r_file_perms;
-
-uses_shlib(fsadm_t)
-
-type fsadm_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
-')
-tmp_domain(fsadm)
-
-# remount file system to apply changes
-allow fsadm_t fs_t:filesystem remount;
-
-allow fsadm_t fs_t:filesystem getattr;
-
-# mkreiserfs needs this
-allow fsadm_t proc_t:filesystem getattr;
-
-# mkreiserfs and other programs need this for UUID
-allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
-
-# Use capabilities.  ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
-
-# Write to /etc/mtab.
-file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
-
-# Inherit and use descriptors from init.
-allow fsadm_t init_t:fd use;
-
-# Run other fs admin programs in the fsadm_t domain.
-can_exec(fsadm_t, fsadm_exec_t)
-
-# Access disk devices.
-allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
-allow fsadm_t removable_device_t:devfile_class_set rw_file_perms;
-allow fsadm_t scsi_generic_device_t:chr_file r_file_perms;
-
-# Access lost+found.
-allow fsadm_t lost_found_t:dir create_dir_perms;
-allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
-allow fsadm_t lost_found_t:lnk_file create_lnk_perms;
-
-allow fsadm_t file_t:dir { search read getattr rmdir create };
-
-# Recreate /mnt/cdrom. 
-allow fsadm_t mnt_t:dir { search read getattr rmdir create };
-
-# Recreate /dev/cdrom.
-allow fsadm_t device_t:dir rw_dir_perms;
-allow fsadm_t device_t:lnk_file { unlink create };
-
-# Enable swapping to devices and files
-allow fsadm_t swapfile_t:file { getattr swapon };
-allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
-
-# Allow console log change (updfstab)
-allow fsadm_t kernel_t:system syslog_console;
-
-# Access terminals.
-can_access_pty(fsadm_t, initrc)
-allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
-allow fsadm_t privfd:fd use;
-
-read_locale(fsadm_t)
-
-# for smartctl cron jobs
-system_crond_entry(fsadm_exec_t, fsadm_t)
-
-# Access to /initrd devices
-allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
-allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
-allow fsadm_t usbfs_t:dir { getattr search };
-allow fsadm_t ramfs_t:fifo_file rw_file_perms;
-allow fsadm_t device_type:chr_file getattr;
-
-# for tune2fs
-allow fsadm_t file_type:dir { getattr search };
diff --git a/targeted/domains/program/ftpd.te b/targeted/domains/program/ftpd.te
deleted file mode 100644
index b20252b..0000000
--- a/targeted/domains/program/ftpd.te
+++ /dev/null
@@ -1,116 +0,0 @@
-#DESC Ftpd - Ftp daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: proftpd-common bsd-ftpd ftpd vsftpd
-#
-
-#################################
-#
-# Rules for the ftpd_t domain 
-#
-daemon_domain(ftpd, `, auth_chkpwd, nscd_client_domain')
-etc_domain(ftpd)
-
-can_network(ftpd_t)
-allow ftpd_t port_type:tcp_socket name_connect;
-allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
-allow ftpd_t self:unix_stream_socket create_socket_perms;
-allow ftpd_t self:process { getcap setcap setsched setrlimit };
-allow ftpd_t self:fifo_file rw_file_perms;
-
-allow ftpd_t bin_t:dir search;
-can_exec(ftpd_t, bin_t)
-allow ftpd_t bin_t:lnk_file read;
-read_sysctl(ftpd_t)
-
-allow ftpd_t urandom_device_t:chr_file { getattr read };
-
-ifdef(`crond.te', `
-system_crond_entry(ftpd_exec_t, ftpd_t)
-allow system_crond_t xferlog_t:file r_file_perms;
-can_exec(ftpd_t, { sbin_t shell_exec_t })
-allow ftpd_t usr_t:file { getattr read };
-ifdef(`logrotate.te', `
-can_exec(ftpd_t, logrotate_exec_t)
-')dnl end if logrotate.te
-')dnl end if crond.te
-
-allow ftpd_t ftp_data_port_t:tcp_socket name_bind;
-allow ftpd_t port_t:tcp_socket name_bind;
-
-# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally
-type ftpd_lock_t, file_type, sysadmfile, lockfile;
-
-# Allow ftpd to run directly without inetd.
-bool ftpd_is_daemon false;
-if (ftpd_is_daemon) {
-file_type_auto_trans(ftpd_t, var_lock_t, ftpd_lock_t, file)
-allow ftpd_t ftp_port_t:tcp_socket name_bind;
-can_tcp_connect(userdomain, ftpd_t)
-# Allows it to check exec privs on daemon
-allow inetd_t ftpd_exec_t:file x_file_perms;
-}
-ifdef(`inetd.te', `
-if (!ftpd_is_daemon) {
-ifdef(`tcpd.te', `domain_auto_trans(tcpd_t, ftpd_exec_t, ftpd_t)')
-domain_auto_trans(inetd_t, ftpd_exec_t, ftpd_t)
-
-# Use sockets inherited from inetd.
-allow ftpd_t inetd_t:fd use;
-allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms;
-
-# Send SIGCHLD to inetd on death.
-allow ftpd_t inetd_t:process sigchld;
-}
-') dnl end inetd.te
-
-# Access shared memory tmpfs instance.
-tmpfs_domain(ftpd)
-
-# Use capabilities.
-allow ftpd_t self:capability { chown fowner fsetid setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
-
-# Append to /var/log/wtmp.
-allow ftpd_t wtmp_t:file { getattr append };
-#kerberized ftp requires the following
-allow ftpd_t wtmp_t:file { write lock };
-
-# Create and modify /var/log/xferlog.
-type xferlog_t, file_type, sysadmfile, logfile;
-file_type_auto_trans(ftpd_t, var_log_t, xferlog_t, file)
-
-# Execute /bin/ls (can comment this out for proftpd)
-# also may need rules to allow tar etc...
-can_exec(ftpd_t, ls_exec_t)
-
-allow initrc_t ftpd_etc_t:file { getattr read };
-allow ftpd_t { etc_t etc_runtime_t }:file { getattr read };
-allow ftpd_t proc_t:file { getattr read };
-
-dontaudit ftpd_t sysadm_home_dir_t:dir getattr;
-dontaudit ftpd_t selinux_config_t:dir search;
-allow ftpd_t autofs_t:dir search;
-allow ftpd_t self:file { getattr read };
-tmp_domain(ftpd)
-
-# Allow ftp to read/write files in the user home directories.
-bool ftp_home_dir false;
-
-if (ftp_home_dir) {
-# allow access to /home
-allow ftpd_t home_root_t:dir r_dir_perms;
-create_dir_file(ftpd_t, home_type)
-ifdef(`targeted_policy', `
-file_type_auto_trans(ftpd_t, user_home_dir_t, user_home_t)
-')
-}
-if (use_nfs_home_dirs && ftp_home_dir) {
-	r_dir_file(ftpd_t, nfs_t)
-}
-if (use_samba_home_dirs && ftp_home_dir) {
-	r_dir_file(ftpd_t, cifs_t)
-}
-dontaudit ftpd_t selinux_config_t:dir search;
-anonymous_domain(ftpd)
-
diff --git a/targeted/domains/program/getty.te b/targeted/domains/program/getty.te
deleted file mode 100644
index 7899aec..0000000
--- a/targeted/domains/program/getty.te
+++ /dev/null
@@ -1,61 +0,0 @@
-#DESC Getty - Manage ttys
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: util-linux fbgetty mingetty mgetty rungetty
-#
-
-#################################
-#
-# Rules for the getty_t domain.
-#
-init_service_domain(getty, `, privfd')
-
-etcdir_domain(getty)
-
-allow getty_t console_device_t:chr_file setattr;
-
-tmp_domain(getty)
-log_domain(getty)
-
-allow getty_t { etc_t etc_runtime_t }:file { getattr read };
-allow getty_t etc_t:lnk_file read;
-allow getty_t self:process { getpgid getsession };
-allow getty_t self:unix_dgram_socket create_socket_perms;
-allow getty_t self:unix_stream_socket create_socket_perms;
-
-# Use capabilities.
-allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
-
-read_locale(getty_t)
-
-# Run login in local_login_t domain.
-allow getty_t { sbin_t bin_t }:dir search;
-domain_auto_trans(getty_t, login_exec_t, local_login_t)
-
-# Write to /var/run/utmp.
-allow getty_t { var_t var_run_t }:dir search;
-allow getty_t initrc_var_run_t:file rw_file_perms;
-
-# Write to /var/log/wtmp.
-allow getty_t wtmp_t:file rw_file_perms;
-
-# Chown, chmod, read and write ttys.
-allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
-allow getty_t ttyfile:chr_file { setattr rw_file_perms };
-dontaudit getty_t initrc_devpts_t:chr_file rw_file_perms; 
-
-# for error condition handling
-allow getty_t fs_t:filesystem getattr;
-
-lock_domain(getty)
-r_dir_file(getty_t, sysfs_t)
-# for mgetty
-var_run_domain(getty)
-allow getty_t self:capability { fowner fsetid };
-
-#
-# getty needs to be able to run pppd
-#
-ifdef(`pppd.te', `
-domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
-')
diff --git a/targeted/domains/program/hald.te b/targeted/domains/program/hald.te
deleted file mode 100644
index a51709a..0000000
--- a/targeted/domains/program/hald.te
+++ /dev/null
@@ -1,104 +0,0 @@
-#DESC hald - server for device info
-#
-# Author:  Russell Coker <rcoker@redhat.com>
-# X-Debian-Packages: 
-#
-
-#################################
-#
-# Rules for the hald_t domain.
-#
-# hald_exec_t is the type of the hald executable.
-#
-daemon_domain(hald, `, fs_domain, nscd_client_domain')
-
-can_exec_any(hald_t)
-
-allow hald_t { etc_t etc_runtime_t }:file { getattr read };
-allow hald_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow hald_t self:unix_dgram_socket create_socket_perms;
-
-ifdef(`dbusd.te', `
-allow hald_t system_dbusd_t:dbus { acquire_svc send_msg };
-dbusd_client(system, hald)
-allow hald_t self:dbus send_msg;
-')
-
-allow hald_t self:file { getattr read };
-allow hald_t proc_t:file rw_file_perms;
-
-allow hald_t { bin_t sbin_t }:dir search;
-allow hald_t self:fifo_file rw_file_perms;
-allow hald_t usr_t:file { getattr read };
-allow hald_t bin_t:file getattr;
-
-# For backwards compatibility with older kernels
-allow hald_t self:netlink_socket create_socket_perms;
-
-allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow hald_t self:netlink_route_socket r_netlink_socket_perms;
-allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
-can_network_server(hald_t)
-can_ypbind(hald_t)
-
-allow hald_t device_t:lnk_file read;
-allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
-allow hald_t removable_device_t:blk_file write;
-allow hald_t event_device_t:chr_file { getattr read ioctl };
-allow hald_t printer_device_t:chr_file rw_file_perms;
-allow hald_t urandom_device_t:chr_file read;
-allow hald_t mouse_device_t:chr_file r_file_perms;
-allow hald_t device_type:chr_file getattr;
-
-can_getsecurity(hald_t)
-
-ifdef(`updfstab.te', `
-domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
-allow updfstab_t hald_t:dbus send_msg;
-allow hald_t updfstab_t:dbus send_msg;
-')
-ifdef(`udev.te', `
-domain_auto_trans(hald_t, udev_exec_t, udev_t)
-allow udev_t hald_t:unix_dgram_socket sendto;
-allow hald_t udev_tbl_t:file { getattr read };
-')
-
-ifdef(`hotplug.te', `
-r_dir_file(hald_t, hotplug_etc_t)
-')
-allow hald_t fs_type:dir { search getattr };
-allow hald_t usbfs_t:dir r_dir_perms;
-allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms;
-allow hald_t bin_t:lnk_file read;
-r_dir_file(hald_t, { selinux_config_t default_context_t } )
-allow hald_t initrc_t:dbus send_msg;
-allow initrc_t hald_t:dbus send_msg;
-allow hald_t etc_runtime_t:file rw_file_perms;
-allow hald_t var_lib_t:dir search;
-allow hald_t device_t:dir create_dir_perms;
-allow hald_t device_t:chr_file create_file_perms;
-tmp_domain(hald)
-allow hald_t mnt_t:dir search;
-r_dir_file(hald_t, proc_net_t)
-
-# For /usr/libexec/hald-addon-acpi - writes to /var/run/acpid.socket
-ifdef(`apmd.te', `
-allow hald_t apmd_var_run_t:sock_file write;
-allow hald_t apmd_t:unix_stream_socket connectto;
-')
-
-# For /usr/libexec/hald-probe-smbios
-domain_auto_trans(hald_t, dmidecode_exec_t, dmidecode_t)
-
-# ??
-ifdef(`lvm.te', `
-allow hald_t lvm_control_t:chr_file r_file_perms;
-')
-ifdef(`targeted_policy', `
-allow unconfined_t hald_t:dbus send_msg;
-allow hald_t unconfined_t:dbus send_msg;
-')
-ifdef(`mount.te', `
-domain_auto_trans(hald_t, mount_exec_t, mount_t)
-')
-r_dir_file(hald_t, hwdata_t)
diff --git a/targeted/domains/program/hostname.te b/targeted/domains/program/hostname.te
deleted file mode 100644
index 2138baf..0000000
--- a/targeted/domains/program/hostname.te
+++ /dev/null
@@ -1,28 +0,0 @@
-#DESC hostname - show or set the system host name
-#
-# Author: Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: hostname
-
-# for setting the hostname
-daemon_core_rules(hostname, , nosysadm)
-allow hostname_t self:capability sys_admin;
-allow hostname_t etc_t:file { getattr read };
-
-allow hostname_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
-read_locale(hostname_t)
-can_resolve(hostname_t)
-allow hostname_t userdomain:fd use;
-dontaudit hostname_t kernel_t:fd use;
-allow hostname_t net_conf_t:file { getattr read };
-allow hostname_t self:unix_stream_socket create_stream_socket_perms;
-dontaudit hostname_t var_t:dir search;
-allow hostname_t fs_t:filesystem getattr;
-
-# for when /usr is not mounted
-dontaudit hostname_t file_t:dir search;
-
-ifdef(`distro_redhat', `
-allow hostname_t tmpfs_t:chr_file rw_file_perms;
-')
-can_access_pty(hostname_t, initrc)
-allow hostname_t initrc_t:fd use;
diff --git a/targeted/domains/program/hotplug.te b/targeted/domains/program/hotplug.te
deleted file mode 100644
index a6d8fbe..0000000
--- a/targeted/domains/program/hotplug.te
+++ /dev/null
@@ -1,163 +0,0 @@
-#DESC Hotplug - Hardware event manager
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: hotplug
-#
-
-#################################
-#
-# Rules for the hotplug_t domain.
-#
-# hotplug_exec_t is the type of the hotplug executable.
-#
-ifdef(`unlimitedUtils', `
-daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, nscd_client_domain')
-', `
-daemon_domain(hotplug, `, privmodule, nscd_client_domain')
-')
-
-etcdir_domain(hotplug)
-
-allow hotplug_t self:fifo_file { read write getattr ioctl };
-allow hotplug_t self:unix_dgram_socket create_socket_perms;
-allow hotplug_t self:unix_stream_socket create_socket_perms;
-allow hotplug_t self:udp_socket create_socket_perms;
-
-read_sysctl(hotplug_t)
-allow hotplug_t sysctl_net_t:dir r_dir_perms;
-allow hotplug_t sysctl_net_t:file { getattr read };
-
-# get info from /proc
-r_dir_file(hotplug_t, proc_t)
-allow hotplug_t self:file { getattr read ioctl };
-
-allow hotplug_t devtty_t:chr_file rw_file_perms;
-
-allow hotplug_t device_t:dir r_dir_perms;
-
-# for SSP
-allow hotplug_t urandom_device_t:chr_file read;
-
-allow hotplug_t { bin_t sbin_t }:dir search;
-allow hotplug_t { bin_t sbin_t }:lnk_file read;
-can_exec(hotplug_t, { hotplug_exec_t bin_t sbin_t ls_exec_t shell_exec_t hotplug_etc_t etc_t })
-ifdef(`hostname.te', `
-can_exec(hotplug_t, hostname_exec_t)
-dontaudit hostname_t hotplug_t:fd use;
-')
-ifdef(`netutils.te', `
-ifdef(`distro_redhat', `
-# for arping used for static IP addresses on PCMCIA ethernet
-domain_auto_trans(hotplug_t, netutils_exec_t, netutils_t)
-
-allow hotplug_t tmpfs_t:dir search;
-allow hotplug_t tmpfs_t:chr_file rw_file_perms;
-')dnl end if distro_redhat
-')dnl end if netutils.te
-
-allow initrc_t usbdevfs_t:file { getattr read ioctl };
-allow initrc_t modules_dep_t:file { getattr read ioctl };
-r_dir_file(hotplug_t, usbdevfs_t)
-allow hotplug_t usbfs_t:dir r_dir_perms;
-allow hotplug_t usbfs_t:file { getattr read };
-
-# read config files
-allow hotplug_t etc_t:dir r_dir_perms;
-allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
-
-allow hotplug_t kernel_t:process { sigchld setpgid };
-
-ifdef(`distro_redhat', `
-allow hotplug_t var_lock_t:dir search;
-allow hotplug_t var_lock_t:file getattr;
-')
-
-ifdef(`hald.te', `
-allow hotplug_t hald_t:unix_dgram_socket sendto;
-allow hald_t hotplug_etc_t:dir search;
-allow hald_t hotplug_etc_t:file { getattr read };
-')
-
-# for killall
-allow hotplug_t self:process { getsession getattr };
-allow hotplug_t self:file getattr;
-
-domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
-ifdef(`mount.te', `
-domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
-')
-domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
-ifdef(`updfstab.te', `
-domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
-')
-
-# init scripts run /etc/hotplug/usb.rc
-domain_auto_trans(initrc_t, hotplug_etc_t, hotplug_t)
-allow initrc_t hotplug_etc_t:dir r_dir_perms;
-
-ifdef(`iptables.te', `domain_auto_trans(hotplug_t, iptables_exec_t, iptables_t)')
-
-r_dir_file(hotplug_t, modules_object_t)
-allow hotplug_t modules_dep_t:file { getattr read ioctl };
-
-# for lsmod
-dontaudit hotplug_t self:capability { sys_module sys_admin };
-
-# for access("/etc/bashrc", X_OK) on Red Hat
-dontaudit hotplug_t self:capability { dac_override dac_read_search };
-
-ifdef(`fsadm.te', `
-domain_auto_trans(hotplug_t, fsadm_exec_t, fsadm_t)
-')
-
-allow hotplug_t var_log_t:dir search;
-
-# for ps
-dontaudit hotplug_t domain:dir { getattr search };
-dontaudit hotplug_t { init_t kernel_t }:file read;
-ifdef(`initrc.te', `
-can_ps(hotplug_t, initrc_t)
-')
-
-# for when filesystems are not mounted early in the boot
-dontaudit hotplug_t file_t:dir { search getattr };
-
-# kernel threads inherit from shared descriptor table used by init
-dontaudit hotplug_t initctl_t:fifo_file { read write };
-
-# Read /usr/lib/gconv/.*
-allow hotplug_t lib_t:file { getattr read };
-
-allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
-allow hotplug_t sysfs_t:dir { getattr read search write };
-allow hotplug_t sysfs_t:file rw_file_perms;
-allow hotplug_t sysfs_t:lnk_file { getattr read };
-r_dir_file(hotplug_t, hwdata_t)
-allow hotplug_t udev_runtime_t:file rw_file_perms;
-ifdef(`lpd.te', `
-allow hotplug_t printer_device_t:chr_file setattr;
-')
-allow hotplug_t fixed_disk_device_t:blk_file setattr;
-allow hotplug_t removable_device_t:blk_file setattr;
-allow hotplug_t sound_device_t:chr_file setattr;
-
-ifdef(`udev.te', `
-domain_auto_trans(hotplug_t, { udev_exec_t udev_helper_exec_t }, udev_t)
-')
-
-file_type_auto_trans(hotplug_t, etc_t, etc_runtime_t, file)
-
-can_network_server(hotplug_t)
-can_ypbind(hotplug_t)
-dbusd_client(system, hotplug)
-
-# Allow hotplug (including /sbin/ifup-local) to start/stop services and # run sendmail -q
-domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
-ifdef(`mta.te', `
-domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t) 
-')
-
-allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
-allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
-
-dontaudit hotplug_t selinux_config_t:dir search;
diff --git a/targeted/domains/program/howl.te b/targeted/domains/program/howl.te
deleted file mode 100644
index ccb2fb1..0000000
--- a/targeted/domains/program/howl.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#DESC howl - port of Apple Rendezvous multicast DNS
-#
-# Author:  Russell Coker <rcoker@redhat.com>
-#
-
-daemon_domain(howl, `, privsysmod')
-r_dir_file(howl_t, proc_net_t)
-can_network_server(howl_t)
-can_ypbind(howl_t)
-allow howl_t self:unix_dgram_socket create_socket_perms;
-allow howl_t self:capability { kill net_admin sys_module };
-
-allow howl_t self:fifo_file rw_file_perms;
-
-allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind;
-
-allow howl_t self:unix_dgram_socket create_socket_perms;
-
-allow howl_t etc_t:file { getattr read };
-allow howl_t initrc_var_run_t:file rw_file_perms;
-
diff --git a/targeted/domains/program/hwclock.te b/targeted/domains/program/hwclock.te
deleted file mode 100644
index dab39ee..0000000
--- a/targeted/domains/program/hwclock.te
+++ /dev/null
@@ -1,49 +0,0 @@
-#DESC Hwclock - Hardware clock manager
-#
-# Author:  David A. Wheeler <dwheeler@ida.org>
-#          Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: util-linux
-#
-
-#################################
-#
-# Rules for the hwclock_t domain.
-# This domain moves time information between the "hardware clock"
-# (which runs when the system is off) and the "system clock",
-# and it stores adjustment values in /etc/adjtime so that errors in the
-# hardware clock are corrected.
-# Note that any errors from this domain are NOT recorded by the system logger,
-# because the system logger isnt running when this domain is active.
-#
-daemon_base_domain(hwclock)
-role sysadm_r types hwclock_t;
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
-')
-type adjtime_t, file_type, sysadmfile;
-allow hwclock_t fs_t:filesystem getattr;
-
-read_locale(hwclock_t)
-
-# Give hwclock the capabilities it requires.  dac_override is a surprise,
-# but hwclock does require it.
-allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
-
-# Allow hwclock to set the hardware clock.
-allow hwclock_t clock_device_t:devfile_class_set { setattr rw_file_perms };
-
-# Allow hwclock to store & retrieve correction factors.
-allow hwclock_t adjtime_t:file { setattr rw_file_perms };
-
-# Read and write console and ttys.
-allow hwclock_t tty_device_t:chr_file rw_file_perms;
-allow hwclock_t ttyfile:chr_file rw_file_perms;
-allow hwclock_t ptyfile:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow hwclock_t sysadm_gph_t:fd use;')
-
-read_locale(hwclock_t)
-
-# for when /usr is not mounted
-dontaudit hwclock_t file_t:dir search;
-allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-r_dir_file(hwclock_t, etc_t)
diff --git a/targeted/domains/program/ifconfig.te b/targeted/domains/program/ifconfig.te
deleted file mode 100644
index 6cccc32..0000000
--- a/targeted/domains/program/ifconfig.te
+++ /dev/null
@@ -1,74 +0,0 @@
-#DESC Ifconfig - Configure network interfaces
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: net-tools
-#
-
-#################################
-#
-# Rules for the ifconfig_t domain.
-#
-# ifconfig_t is the domain for the ifconfig program.
-# ifconfig_exec_t is the type of the corresponding program.
-#
-type ifconfig_t, domain, privlog, privmodule;
-type ifconfig_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types ifconfig_t;
-role sysadm_r types ifconfig_t;
-
-uses_shlib(ifconfig_t)
-general_domain_access(ifconfig_t)
-
-domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
-')
-
-# for /sbin/ip
-allow ifconfig_t self:packet_socket create_socket_perms;
-allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
-allow ifconfig_t self:tcp_socket { create ioctl };
-allow ifconfig_t etc_t:file { getattr read };
-
-allow ifconfig_t self:socket create_socket_perms;
-
-# Use capabilities.
-allow ifconfig_t self:capability { net_raw net_admin };
-dontaudit ifconfig_t self:capability sys_module;
-allow ifconfig_t self:capability sys_tty_config;
-
-# Inherit and use descriptors from init.
-allow ifconfig_t { kernel_t init_t }:fd use;
-
-# Access /proc
-r_dir_file(ifconfig_t, proc_t)
-r_dir_file(ifconfig_t, proc_net_t)
-
-allow ifconfig_t privfd:fd use;
-allow ifconfig_t run_init_t:fd use;
-
-# Create UDP sockets, necessary when called from dhcpc
-allow ifconfig_t self:udp_socket create_socket_perms;
-
-# Access terminals.
-can_access_pty(ifconfig_t, initrc)
-allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
-
-allow ifconfig_t tun_tap_device_t:chr_file { read write };
-
-# ifconfig attempts to search some sysctl entries.
-# Do not audit those attempts; comment out these rules if it is desired to
-# see the denials.
-allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;
-
-allow ifconfig_t fs_t:filesystem getattr;
-
-read_locale(ifconfig_t)
-allow ifconfig_t lib_t:file { getattr read };
-
-rhgb_domain(ifconfig_t)
-allow ifconfig_t userdomain:fd use;
-dontaudit ifconfig_t root_t:file read;
-r_dir_file(ifconfig_t, sysfs_t)
diff --git a/targeted/domains/program/inetd.te b/targeted/domains/program/inetd.te
deleted file mode 100644
index 5c88ab3..0000000
--- a/targeted/domains/program/inetd.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#DESC Inetd - Internet services daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# re-written with daemon_domain by Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: netkit-inetd openbsd-inetd xinetd
-#
-
-#################################
-#
-# Rules for the inetd_t domain and
-# the inetd_child_t domain.
-#
-
-daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
-
-can_network(inetd_t)
-allow inetd_t port_type:tcp_socket name_connect;
-allow inetd_t self:unix_dgram_socket create_socket_perms;
-allow inetd_t self:unix_stream_socket create_socket_perms;
-allow inetd_t self:fifo_file rw_file_perms;
-allow inetd_t etc_t:file { getattr read ioctl };
-allow inetd_t self:process setsched;
-
-log_domain(inetd)
-tmp_domain(inetd)
-
-# Use capabilities.
-allow inetd_t self:capability { setuid setgid net_bind_service };
-
-# allow any domain to connect to inetd
-can_tcp_connect(userdomain, inetd_t)
-
-# Run each daemon with a defined domain in its own domain.
-# These rules have been moved to the individual target domain .te files.
-
-# Run other daemons in the inetd_child_t domain.
-allow inetd_t { bin_t sbin_t }:dir search;
-allow inetd_t sbin_t:lnk_file read;
-
-# Bind to the telnet, ftp, rlogin and rsh ports.
-ifdef(`ftpd.te', `allow inetd_t ftp_port_t:tcp_socket name_bind;')
-ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
-ifdef(`talk.te', `
-allow inetd_t talk_port_t:tcp_socket name_bind;
-allow inetd_t ntalk_port_t:tcp_socket name_bind;
-')
-
-allow inetd_t auth_port_t:tcp_socket name_bind;
-# Communicate with the portmapper.
-ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
-
-
-inetd_child_domain(inetd_child)
-allow inetd_child_t proc_net_t:dir search;
-allow inetd_child_t proc_net_t:file { getattr read };
-
-ifdef(`unconfined.te', `
-domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
-')
-
-ifdef(`unlimitedInetd', `
-unconfined_domain(inetd_t) 
-')
-
diff --git a/targeted/domains/program/init.te b/targeted/domains/program/init.te
deleted file mode 100644
index dc5c050..0000000
--- a/targeted/domains/program/init.te
+++ /dev/null
@@ -1,147 +0,0 @@
-#DESC Init - Process initialization
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: sysvinit
-#
-
-#################################
-#
-# Rules for the init_t domain.
-#
-# init_t is the domain of the init process.
-# init_exec_t is the type of the init program.
-# initctl_t is the type of the named pipe created 
-# by init during initialization.  This pipe is used
-# to communicate with init.
-#
-type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite, mlsprocwrite;
-role system_r types init_t;
-uses_shlib(init_t);
-type init_exec_t, file_type, sysadmfile, exec_type;
-type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
-
-# for init to determine whether SE Linux is active so it can know whether to
-# activate it
-allow init_t security_t:dir search;
-allow init_t security_t:file { getattr read };
-
-# for mount points
-allow init_t file_t:dir search;
-
-# Use capabilities.
-allow init_t self:capability ~sys_module;
-
-# Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain.
-domain_auto_trans(init_t, initrc_exec_t, initrc_t)
-
-# Run the shell in the sysadm_t domain for single-user mode.
-domain_auto_trans(init_t, shell_exec_t, sysadm_t)
-
-# Run /sbin/update in the init_t domain.
-can_exec(init_t, sbin_t)
-
-# Run init.
-can_exec(init_t, init_exec_t)
-
-# Run chroot from initrd scripts.
-ifdef(`chroot.te', `
-can_exec(init_t, chroot_exec_t)
-')
-
-# Create /dev/initctl.
-file_type_auto_trans(init_t, device_t, initctl_t, fifo_file)
-ifdef(`distro_redhat', `
-file_type_auto_trans(init_t, tmpfs_t, initctl_t, fifo_file)
-')
-
-# Create ioctl.save.
-file_type_auto_trans(init_t, etc_t, etc_runtime_t, file)
-
-# Update /etc/ld.so.cache
-allow init_t ld_so_cache_t:file rw_file_perms;
-
-# Allow access to log files
-allow init_t var_t:dir search;
-allow init_t var_log_t:dir search;
-allow init_t var_log_t:file rw_file_perms;
-
-read_locale(init_t)
-
-# Create unix sockets
-allow init_t self:unix_dgram_socket create_socket_perms;
-allow init_t self:unix_stream_socket create_socket_perms;
-allow init_t self:fifo_file rw_file_perms;
-
-# Permissions required for system startup
-allow init_t { bin_t sbin_t }:dir r_dir_perms;
-allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl };
-
-# allow init to fork
-allow init_t self:process { fork sigchld };
-
-# Modify utmp.
-allow init_t var_run_t:file rw_file_perms;
-allow init_t initrc_var_run_t:file { setattr rw_file_perms };
-can_unix_connect(init_t, initrc_t)
-
-# For /var/run/shutdown.pid.
-var_run_domain(init)
-
-# Shutdown permissions
-r_dir_file(init_t, proc_t)
-r_dir_file(init_t, self)
-allow init_t devpts_t:dir r_dir_perms;
-
-# Modify wtmp.
-allow init_t wtmp_t:file rw_file_perms;
-
-# Kill all processes.
-allow init_t domain:process signal_perms;
-
-# Allow all processes to send SIGCHLD to init.
-allow domain init_t:process { sigchld signull };
-
-# If you load a new policy that removes active domains, processes can
-# get stuck if you do not allow unlabeled processes to signal init
-# If you load an incompatible policy, you should probably reboot,
-# since you may have compromised system security.
-allow unlabeled_t init_t:process sigchld;
-
-# for loading policy
-allow init_t policy_config_t:file r_file_perms;
-
-# Set booleans.
-can_setbool(init_t)
-
-# Read and write the console and ttys.
-allow init_t { tty_device_t console_device_t } :chr_file rw_file_perms;
-ifdef(`distro_redhat', `
-allow init_t tmpfs_t:chr_file rw_file_perms;
-')
-allow init_t ttyfile:chr_file rw_file_perms;
-allow init_t ptyfile:chr_file rw_file_perms;
-
-# Run system executables.
-can_exec(init_t,bin_t)
-ifdef(`consoletype.te', `
-can_exec(init_t, consoletype_exec_t)
-')
-
-# Run /etc/X11/prefdm.
-can_exec(init_t,etc_t)
-
-allow init_t lib_t:file { getattr read };
-
-allow init_t devtty_t:chr_file { read write };
-allow init_t ramfs_t:dir search;
-allow init_t ramfs_t:sock_file write;
-r_dir_file(init_t, sysfs_t)
-
-r_dir_file(init_t, selinux_config_t)
-
-# file descriptors inherited from the rootfs.
-dontaudit init_t root_t:{ file chr_file } { read write }; 
-ifdef(`targeted_policy', `
-unconfined_domain(init_t)
-')
-
diff --git a/targeted/domains/program/initrc.te b/targeted/domains/program/initrc.te
deleted file mode 100644
index 56ca417..0000000
--- a/targeted/domains/program/initrc.te
+++ /dev/null
@@ -1,342 +0,0 @@
-#DESC Initrc - System initialization scripts
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: sysvinit policycoreutils
-#
-
-#################################
-#
-# Rules for the initrc_t domain.
-#
-# initrc_t is the domain of the init rc scripts.
-# initrc_exec_t is the type of the init program.
-#
-# do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite;
-
-role system_r types initrc_t;
-uses_shlib(initrc_t);
-can_network(initrc_t)
-allow initrc_t port_type:tcp_socket name_connect;
-can_ypbind(initrc_t)
-type initrc_exec_t, file_type, sysadmfile, exec_type;
-
-# for halt to down interfaces
-allow initrc_t self:udp_socket create_socket_perms;
-
-# read files in /etc/init.d
-allow initrc_t etc_t:lnk_file r_file_perms;
-
-read_locale(initrc_t)
-
-r_dir_file(initrc_t, usr_t)
-
-# Read system information files in /proc.
-r_dir_file(initrc_t, { proc_t proc_net_t })
-allow initrc_t proc_mdstat_t:file { getattr read };
-
-# Allow IPC with self
-allow initrc_t self:unix_dgram_socket create_socket_perms;
-allow initrc_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow initrc_t self:fifo_file rw_file_perms;
-
-# Read the root directory of a usbdevfs filesystem, and
-# the devices and drivers files.  Permit stating of the
-# device nodes, but nothing else.
-allow initrc_t usbdevfs_t:dir r_dir_perms;
-allow initrc_t usbdevfs_t:lnk_file r_file_perms;
-allow initrc_t usbdevfs_t:file getattr;
-allow initrc_t usbfs_t:dir r_dir_perms;
-allow initrc_t usbfs_t:file getattr;
-
-# allow initrc to fork and renice itself
-allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit getsched };
-
-# Can create ptys for open_init_pty
-can_create_pty(initrc)
-
-tmp_domain(initrc)
-#
-# Some initscripts generate scripts that they need to execute (ldap)
-#
-can_exec(initrc_t, initrc_tmp_t)
-
-var_run_domain(initrc)
-allow initrc_t var_run_t:{ file sock_file lnk_file } unlink;
-allow initrc_t var_run_t:dir { create rmdir };
-
-ifdef(`distro_debian', `
-allow initrc_t { etc_t device_t }:dir setattr;
-
-# for storing state under /dev/shm
-allow initrc_t tmpfs_t:dir setattr;
-file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
-file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
-allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
-')
-
-allow initrc_t framebuf_device_t:chr_file r_file_perms;
-
-# Use capabilities.
-allow initrc_t self:capability ~{ sys_admin sys_module };
-
-# Use system operations.
-allow initrc_t kernel_t:system *;
-
-# Set values in /proc/sys.
-can_sysctl(initrc_t)
-
-# Run helper programs in the initrc_t domain.
-allow initrc_t {bin_t sbin_t }:dir r_dir_perms;
-allow initrc_t {bin_t sbin_t }:lnk_file read;
-can_exec(initrc_t, etc_t)
-can_exec(initrc_t, lib_t)
-can_exec(initrc_t, bin_t)
-can_exec(initrc_t, sbin_t)
-can_exec(initrc_t, exec_type)
-#
-#  These rules are here to allow init scripts to su
-#
-ifdef(`su.te', `
-su_restricted_domain(initrc,system)
-role system_r types initrc_su_t;
-')
-allow initrc_t self:passwd rootok;
-
-# read /lib/modules
-allow initrc_t modules_object_t:dir { search read };
-
-# Read conf.modules.
-allow initrc_t modules_conf_t:file r_file_perms;
-
-# Run other rc scripts in the initrc_t domain.
-can_exec(initrc_t, initrc_exec_t)
-
-# Run init (telinit) in the initrc_t domain.
-can_exec(initrc_t, init_exec_t)
-
-# Communicate with the init process.
-allow initrc_t initctl_t:fifo_file rw_file_perms;
-
-# Read /proc/PID directories for all domains.
-r_dir_file(initrc_t, domain)
-allow initrc_t domain:process { getattr getsession };
-
-# Mount and unmount file systems.
-allow initrc_t fs_type:filesystem mount_fs_perms;
-allow initrc_t file_t:dir { read search getattr mounton };
-
-# during boot up initrc needs to do the following
-allow initrc_t default_t:dir { write read search getattr mounton };
-
-# rhgb-console writes to ramfs
-allow initrc_t ramfs_t:fifo_file write;
-
-# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
-file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
-
-# Update /etc/ld.so.cache.
-allow initrc_t ld_so_cache_t:file rw_file_perms;
-
-# Update /var/log/wtmp and /var/log/dmesg.
-allow initrc_t wtmp_t:file { setattr rw_file_perms };
-allow initrc_t var_log_t:dir rw_dir_perms;
-allow initrc_t var_log_t:file create_file_perms;
-allow initrc_t lastlog_t:file { setattr rw_file_perms };
-allow initrc_t logfile:file { read append };
-
-# remove old locks
-allow initrc_t lockfile:dir rw_dir_perms;
-allow initrc_t lockfile:file { getattr unlink };
-
-# Access /var/lib/random-seed.
-allow initrc_t var_lib_t:file rw_file_perms;
-allow initrc_t var_lib_t:file unlink;
-
-# Create lock file.
-allow initrc_t var_lock_t:dir create_dir_perms;
-allow initrc_t var_lock_t:file create_file_perms;
-
-# Set the clock.
-allow initrc_t clock_device_t:devfile_class_set rw_file_perms;
-
-# Kill all processes.
-allow initrc_t domain:process signal_perms;
-
-# Write to /dev/urandom.
-allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms;
-
-# for cryptsetup
-allow initrc_t fixed_disk_device_t:blk_file getattr;
-
-# Set device ownerships/modes.
-allow initrc_t framebuf_device_t:chr_file setattr;
-allow initrc_t misc_device_t:devfile_class_set setattr;
-allow initrc_t device_t:devfile_class_set setattr;
-allow initrc_t fixed_disk_device_t:devfile_class_set setattr;
-allow initrc_t removable_device_t:devfile_class_set setattr;
-allow initrc_t device_t:lnk_file read;
-allow initrc_t xconsole_device_t:fifo_file setattr;
-
-# Stat any file.
-allow initrc_t file_type:notdevfile_class_set getattr;
-allow initrc_t file_type:dir { search getattr };
-
-# Read and write console and ttys.
-allow initrc_t devtty_t:chr_file rw_file_perms;
-allow initrc_t console_device_t:chr_file rw_file_perms;
-allow initrc_t tty_device_t:chr_file rw_file_perms;
-allow initrc_t ttyfile:chr_file rw_file_perms;
-allow initrc_t ptyfile:chr_file rw_file_perms;
-
-# Reset tty labels.
-allow initrc_t ttyfile:chr_file relabelfrom;
-allow initrc_t tty_device_t:chr_file relabelto;
-
-ifdef(`distro_redhat', `
-# Create and read /boot/kernel.h and /boot/System.map.
-# Redhat systems typically create this file at boot time.
-allow initrc_t boot_t:lnk_file rw_file_perms;
-file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)
-
-allow initrc_t tmpfs_t:chr_file rw_file_perms;
-allow initrc_t tmpfs_t:dir r_dir_perms;
-
-# Allow initrc domain to set the enforcing flag.
-can_setenforce(initrc_t)
-
-#
-# readahead asks for these
-#
-allow initrc_t etc_aliases_t:file { getattr read };
-allow initrc_t var_lib_nfs_t:file { getattr read };
-
-# for /halt /.autofsck and other flag files
-file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
-
-file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)
-allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
-allow initrc_t self:capability sys_admin;
-allow initrc_t device_t:dir create;
-# wants to delete /poweroff and other files 
-allow initrc_t root_t:file unlink;
-# wants to read /.fonts directory
-allow initrc_t default_t:file { getattr read };
-ifdef(`xserver.te', `
-# wants to cleanup xserver log dir
-allow initrc_t xserver_log_t:dir rw_dir_perms;
-allow initrc_t xserver_log_t:file unlink;
-')
-')dnl end distro_redhat
-
-allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
-allow initrc_t var_spool_t:file rw_file_perms;
-
-# Allow access to the sysadm TTYs. Note that this will give access to the 
-# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-# started from init should be placed in their own domain.
-allow initrc_t admin_tty_type:chr_file rw_file_perms;
-
-# Access sound device and files.
-allow initrc_t sound_device_t:chr_file { setattr ioctl read write };
-
-# Read user home directories.
-allow initrc_t { home_root_t home_type }:dir r_dir_perms;
-allow initrc_t home_type:file r_file_perms;
-
-# Read and unlink /var/run/*.pid files.
-allow initrc_t pidfile:file { getattr read unlink };
-
-# for system start scripts
-allow initrc_t pidfile:dir { rmdir rw_dir_perms };
-allow initrc_t pidfile:sock_file unlink;
-
-rw_dir_create_file(initrc_t, var_lib_t)
-
-# allow start scripts to clean /tmp
-allow initrc_t { unlabeled_t tmpfile }:dir { rw_dir_perms rmdir };
-allow initrc_t { unlabeled_t tmpfile }:notdevfile_class_set { getattr unlink };
-
-# for lsof which is used by alsa shutdown
-dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
-dontaudit initrc_t proc_kmsg_t:file getattr;
-
-#################################
-#
-# Rules for the run_init_t domain.
-#
-ifdef(`targeted_policy', `
-type run_init_exec_t, file_type, sysadmfile, exec_type;
-type run_init_t, domain;
-domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
-allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
-allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
-typeattribute initrc_t privuser;
-domain_trans(initrc_t, shell_exec_t, unconfined_t)
-allow initrc_t unconfined_t:system syslog_mod;
-', `
-run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
-')
-allow initrc_t privfd:fd use;
-
-# Transition to system_r:initrc_t upon executing init scripts.
-ifdef(`direct_sysadm_daemon', `
-role_transition sysadm_r initrc_exec_t system_r;
-domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
-')
-
-#
-# Shutting down xinet causes these
-#
-# Fam
-dontaudit initrc_t device_t:dir { read write };
-# Rsync
-dontaudit initrc_t mail_spool_t:lnk_file read;
-
-allow initrc_t sysfs_t:dir { getattr read search };
-allow initrc_t sysfs_t:file { getattr read write };
-allow initrc_t sysfs_t:lnk_file { getattr read };
-allow initrc_t udev_runtime_t:file rw_file_perms;
-allow initrc_t device_type:chr_file setattr;
-allow initrc_t binfmt_misc_fs_t:dir { getattr search };
-allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write };
-
-# for lsof in shutdown scripts
-can_kerberos(initrc_t)
-
-#
-# Wants to remove udev.tbl
-#
-allow initrc_t device_t:dir rw_dir_perms;
-allow initrc_t device_t:lnk_file unlink;
-
-r_dir_file(initrc_t,selinux_config_t)
-
-ifdef(`unlimitedRC', `
-unconfined_domain(initrc_t) 
-')
-#
-# initrc script does a cat /selinux/enforce
-#
-allow initrc_t security_t:dir { getattr search };
-allow initrc_t security_t:file { getattr read };
-
-# init script state
-type initrc_state_t, file_type, sysadmfile;
-create_dir_file(initrc_t,initrc_state_t)
-
-ifdef(`distro_gentoo', `
-# Gentoo integrated run_init+open_init_pty-runscript:
-domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
-')
-allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
-allow initrc_t device_t:lnk_file create_file_perms;
-ifdef(`dbusd.te', `
-allow initrc_t system_dbusd_var_run_t:sock_file write;
-')
-
-# Slapd needs to read cert files from its initscript
-r_dir_file(initrc_t, cert_t)
-ifdef(`use_mcs', `
-range_transition sysadm_t initrc_exec_t s0;
-')
diff --git a/targeted/domains/program/innd.te b/targeted/domains/program/innd.te
deleted file mode 100644
index 25047df..0000000
--- a/targeted/domains/program/innd.te
+++ /dev/null
@@ -1,81 +0,0 @@
-#DESC INN - InterNetNews server
-#
-# Author:  Faye Coker <faye@lurking-grue.org>
-# X-Debian-Packages: inn
-#
-################################
-
-# Types for the server port and news spool.
-#
-type news_spool_t, file_type, sysadmfile;
-
-
-# need privmail attribute so innd can access system_mail_t
-daemon_domain(innd, `, privmail')
-
-# allow innd to create files and directories of type news_spool_t
-create_dir_file(innd_t, news_spool_t)
-
-# allow user domains to read files and directories these types
-r_dir_file(userdomain, { news_spool_t innd_var_lib_t innd_etc_t })
-
-can_exec(initrc_t, innd_etc_t)
-can_exec(innd_t, { innd_exec_t bin_t shell_exec_t })
-ifdef(`hostname.te', `
-can_exec(innd_t, hostname_exec_t)
-')
-
-allow innd_t var_spool_t:dir { getattr search };
-
-can_network(innd_t)
-allow innd_t port_type:tcp_socket name_connect;
-can_ypbind(innd_t)
-
-can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
-allow innd_t self:unix_dgram_socket create_socket_perms;
-allow innd_t self:unix_stream_socket create_stream_socket_perms;
-can_unix_connect(innd_t, self)
-
-allow innd_t self:fifo_file rw_file_perms;
-allow innd_t innd_port_t:tcp_socket name_bind;
-
-allow innd_t self:capability { dac_override kill setgid setuid net_bind_service };
-allow innd_t self:process setsched;
-
-allow innd_t { bin_t sbin_t }:dir search;
-allow innd_t usr_t:lnk_file read;
-allow innd_t usr_t:file { getattr read ioctl };
-allow innd_t lib_t:file ioctl;
-allow innd_t etc_t:file { getattr read };
-allow innd_t { proc_t etc_runtime_t }:file { getattr read };
-allow innd_t urandom_device_t:chr_file read;
-
-allow innd_t innd_var_run_t:sock_file create_file_perms;
-
-# allow innd to read directories of type innd_etc_t (/etc/news/(/.*)? and symbolic links with that type
-etcdir_domain(innd)
-
-# allow innd to create files under /var/log of type innd_log_t and have a directory for its own files that
-# it can write to
-logdir_domain(innd)
-
-# allow innd read-write directory permissions to /var/lib/news.
-var_lib_domain(innd)
-
-ifdef(`crond.te', `
-system_crond_entry(innd_exec_t, innd_t)
-allow system_crond_t innd_etc_t:file { getattr read };
-rw_dir_create_file(system_crond_t, innd_log_t)
-rw_dir_create_file(system_crond_t, innd_var_run_t)
-')
-
-ifdef(`syslogd.te', `
-allow syslogd_t innd_log_t:dir search;
-allow syslogd_t innd_log_t:file create_file_perms;
-')
-
-allow innd_t self:file { getattr read };
-dontaudit innd_t selinux_config_t:dir { search };
-allow system_crond_t innd_etc_t:file { getattr read };
-allow innd_t bin_t:lnk_file { read };
-allow innd_t sbin_t:lnk_file { read };
diff --git a/targeted/domains/program/kerberos.te b/targeted/domains/program/kerberos.te
deleted file mode 100644
index 19cc3c4..0000000
--- a/targeted/domains/program/kerberos.te
+++ /dev/null
@@ -1,91 +0,0 @@
-#DESC Kerberos5 - MIT Kerberos5
-# supports krb5kdc and kadmind daemons
-# kinit, kdestroy, klist clients
-# ksu support not complete
-#
-# includes rules for OpenSSH daemon compiled with both
-# kerberos5 and SELinux support
-#
-# Not supported : telnetd, ftpd, kprop/kpropd daemons
-#
-# Author:   Kerry Thompson <kerry@crypt.gen.nz>
-# Modified by Colin Walters <walters@redhat.com>
-# 
-
-#################################
-#
-# Rules for the krb5kdc_t,kadmind_t domains.
-#
-daemon_domain(krb5kdc)
-daemon_domain(kadmind)
-
-can_exec(krb5kdc_t, krb5kdc_exec_t)
-can_exec(kadmind_t, kadmind_exec_t)
-
-# types for general configuration files in /etc
-type krb5_keytab_t, file_type, sysadmfile, secure_file_type;
-
-# types for KDC configs and principal file(s)
-type krb5kdc_conf_t, file_type, sysadmfile;
-type krb5kdc_principal_t, file_type, sysadmfile;
-
-# Use capabilities. Surplus capabilities may be allowed.
-allow krb5kdc_t self:capability { setuid setgid net_admin net_bind_service chown fowner dac_override sys_nice };
-allow kadmind_t self:capability { setuid setgid net_bind_service chown fowner dac_override sys_nice };
-
-# krb5kdc and kadmind can use network
-can_network_server( { krb5kdc_t kadmind_t } )
-can_ypbind( { krb5kdc_t kadmind_t } )
-
-# allow UDP transfer to/from any program
-can_udp_send(kerberos_port_t, krb5kdc_t)
-can_udp_send(krb5kdc_t, kerberos_port_t)
-can_tcp_connect(kerberos_port_t, krb5kdc_t)
-can_tcp_connect(kerberos_admin_port_t, kadmind_t)
-
-# Bind to the kerberos, kerberos-adm ports.
-allow krb5kdc_t kerberos_port_t:{ udp_socket tcp_socket } name_bind;
-allow kadmind_t kerberos_admin_port_t:{ udp_socket tcp_socket } name_bind;
-allow kadmind_t reserved_port_t:tcp_socket name_bind;
-dontaudit kadmind_t reserved_port_type:tcp_socket name_bind;
-
-#
-# Rules for Kerberos5 KDC daemon
-allow krb5kdc_t self:unix_dgram_socket create_socket_perms;
-allow krb5kdc_t self:unix_stream_socket create_socket_perms;
-allow kadmind_t  self:unix_stream_socket create_socket_perms;
-allow krb5kdc_t krb5kdc_conf_t:dir search;
-allow krb5kdc_t krb5kdc_conf_t:file r_file_perms;
-allow krb5kdc_t krb5kdc_principal_t:file r_file_perms;
-dontaudit krb5kdc_t krb5kdc_principal_t:file write;
-allow krb5kdc_t locale_t:file { getattr read };
-dontaudit krb5kdc_t krb5kdc_conf_t:file write;
-allow { kadmind_t krb5kdc_t } etc_t:dir { getattr search };
-allow { kadmind_t krb5kdc_t } etc_t:file { getattr read };
-allow { kadmind_t krb5kdc_t } krb5_conf_t:file r_file_perms;
-dontaudit { kadmind_t krb5kdc_t } krb5_conf_t:file write;
-tmp_domain(krb5kdc)
-log_domain(krb5kdc)
-allow { kadmind_t krb5kdc_t } urandom_device_t:chr_file { getattr read };
-allow kadmind_t random_device_t:chr_file { getattr read };
-allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
-allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
-allow krb5kdc_t proc_t:dir r_dir_perms;
-allow krb5kdc_t proc_t:file { getattr read };
-
-#
-# Rules for Kerberos5 Kadmin daemon
-allow kadmind_t self:unix_dgram_socket { connect create write };
-allow kadmind_t krb5kdc_conf_t:dir search;
-allow kadmind_t krb5kdc_conf_t:file r_file_perms;
-allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
-read_locale(kadmind_t)
-dontaudit kadmind_t krb5kdc_conf_t:file write;
-tmp_domain(kadmind)
-log_domain(kadmind)
-
-#
-# Allow user programs to talk to KDC
-allow krb5kdc_t userdomain:udp_socket recvfrom;
-allow userdomain krb5kdc_t:udp_socket recvfrom;
-allow initrc_t krb5_conf_t:file ioctl;
diff --git a/targeted/domains/program/klogd.te b/targeted/domains/program/klogd.te
deleted file mode 100644
index dd0b79c..0000000
--- a/targeted/domains/program/klogd.te
+++ /dev/null
@@ -1,48 +0,0 @@
-#DESC Klogd - Kernel log daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: klogd
-#
-
-#################################
-#
-# Rules for the klogd_t domain.
-#
-daemon_domain(klogd, `, privmem, privkmsg, mlsfileread')
-
-tmp_domain(klogd)
-allow klogd_t proc_t:dir r_dir_perms;
-allow klogd_t proc_t:lnk_file r_file_perms;
-allow klogd_t proc_t:file { getattr read };
-allow klogd_t self:dir r_dir_perms;
-allow klogd_t self:lnk_file r_file_perms;
-
-# read /etc/nsswitch.conf
-allow klogd_t etc_t:lnk_file read;
-allow klogd_t etc_t:file r_file_perms;
-
-read_locale(klogd_t)
-
-allow klogd_t etc_runtime_t:file { getattr read };
-
-# Create unix sockets
-allow klogd_t self:unix_dgram_socket create_socket_perms;
-
-# Use the sys_admin and sys_rawio capabilities.
-allow klogd_t self:capability { sys_admin sys_rawio };
-dontaudit klogd_t self:capability sys_resource;
-
-
-# Read /proc/kmsg and /dev/mem.
-allow klogd_t proc_kmsg_t:file r_file_perms;
-allow klogd_t memory_device_t:chr_file r_file_perms;
-
-# Control syslog and console logging
-allow klogd_t kernel_t:system { syslog_mod syslog_console };
-
-# Read /boot/System.map*
-allow klogd_t system_map_t:file r_file_perms;
-allow klogd_t boot_t:dir r_dir_perms;
-ifdef(`targeted_policy', `
-allow klogd_t unconfined_t:system syslog_mod;
-')
diff --git a/targeted/domains/program/ktalkd.te b/targeted/domains/program/ktalkd.te
deleted file mode 100644
index 7ae0109..0000000
--- a/targeted/domains/program/ktalkd.te
+++ /dev/null
@@ -1,14 +0,0 @@
-#DESC ktalkd -  KDE version of the talk server 
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the ktalkd_t domain.
-#
-# ktalkd_exec_t is the type of the ktalkd executable.
-#
-
-inetd_child_domain(ktalkd, udp)
diff --git a/targeted/domains/program/kudzu.te b/targeted/domains/program/kudzu.te
deleted file mode 100644
index 9b64f98..0000000
--- a/targeted/domains/program/kudzu.te
+++ /dev/null
@@ -1,117 +0,0 @@
-#DESC kudzu - Red Hat utility to recognise new hardware
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-daemon_base_domain(kudzu, `, etc_writer, privmodule, sysctl_kernel_writer, fs_domain, privmem')
-
-read_locale(kudzu_t)
-
-# for /etc/sysconfig/hwconf - probably need a new type
-allow kudzu_t etc_runtime_t:file rw_file_perms;
-
-# for kmodule
-if (allow_execmem) {
-allow kudzu_t self:process execmem;
-}
-allow kudzu_t zero_device_t:chr_file rx_file_perms;
-allow kudzu_t memory_device_t:chr_file { read write execute };
-
-allow kudzu_t ramfs_t:dir search;
-allow kudzu_t ramfs_t:sock_file write;
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-allow kudzu_t modules_conf_t:file { getattr read unlink rename };
-allow kudzu_t modules_object_t:dir r_dir_perms;
-allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
-allow kudzu_t mouse_device_t:chr_file { read write };
-allow kudzu_t proc_net_t:dir r_dir_perms;
-allow kudzu_t { proc_net_t proc_t }:file { getattr read };
-allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
-allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
-allow kudzu_t { bin_t sbin_t }:dir { getattr search };
-allow kudzu_t { bin_t sbin_t }:lnk_file read;
-read_sysctl(kudzu_t)
-allow kudzu_t sysctl_dev_t:dir { getattr search read };
-allow kudzu_t sysctl_dev_t:file { getattr read };
-allow kudzu_t sysctl_kernel_t:file write;
-allow kudzu_t usbdevfs_t:dir search;
-allow kudzu_t usbdevfs_t:file { getattr read };
-allow kudzu_t usbfs_t:dir search;
-allow kudzu_t usbfs_t:file { getattr read };
-var_run_domain(kudzu)
-allow kudzu_t kernel_t:system syslog_console;
-allow kudzu_t self:udp_socket { create ioctl };
-allow kudzu_t var_lock_t:dir search;
-allow kudzu_t devpts_t:dir search;
-
-# so it can write messages to the console
-allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms;
-
-role sysadm_r types kudzu_t;
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, kudzu_exec_t, kudzu_t)
-')
-ifdef(`anaconda.te', `
-domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
-')
-
-allow kudzu_t sysadm_home_dir_t:dir search;
-rw_dir_create_file(kudzu_t, etc_t)
-
-rw_dir_create_file(kudzu_t, mnt_t)
-can_exec(kudzu_t, { bin_t sbin_t init_exec_t })
-# Read /usr/lib/gconv/gconv-modules.*
-allow kudzu_t lib_t:file { read getattr };
-# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
-allow kudzu_t usr_t:file { read getattr };
-r_dir_file(kudzu_t, hwdata_t)
-
-# Communicate with rhgb-client.
-allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow kudzu_t self:unix_dgram_socket create_socket_perms;
-
-ifdef(`rhgb.te', `
-allow kudzu_t rhgb_t:unix_stream_socket connectto;
-')
-
-allow kudzu_t self:file { getattr read };
-allow kudzu_t self:fifo_file rw_file_perms;
-ifdef(`gpm.te', `
-allow kudzu_t gpmctl_t:sock_file getattr;
-')
-
-can_exec(kudzu_t, shell_exec_t)
-
-# Write to /proc/sys/kernel/hotplug.  Why?
-allow kudzu_t sysctl_hotplug_t:file { read write };
-
-allow kudzu_t sysfs_t:dir { getattr read search };
-allow kudzu_t sysfs_t:file { getattr read };
-allow kudzu_t sysfs_t:lnk_file read;
-file_type_auto_trans(kudzu_t, etc_t, etc_runtime_t, file)
-allow kudzu_t tape_device_t:chr_file r_file_perms;
-tmp_domain(kudzu, `', `{ file dir chr_file }')
-
-# for file systems that are not yet mounted
-dontaudit kudzu_t file_t:dir search;
-ifdef(`lpd.te', `
-allow kudzu_t printconf_t:file { getattr read };
-')
-ifdef(`cups.te', `
-allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
-')
-dontaudit kudzu_t src_t:dir search;
-ifdef(`xserver.te', `
-allow kudzu_t xserver_exec_t:file getattr;
-')
-
-ifdef(`userhelper.te', `
-role system_r types sysadm_userhelper_t;
-domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
-', `
-unconfined_domain(kudzu_t)
-')
-
-allow kudzu_t initrc_t:unix_stream_socket connectto;
-allow kudzu_t net_conf_t:file { getattr read };
-
diff --git a/targeted/domains/program/ldconfig.te b/targeted/domains/program/ldconfig.te
deleted file mode 100644
index fbb7688..0000000
--- a/targeted/domains/program/ldconfig.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#DESC Ldconfig - Configure dynamic linker bindings
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: libc6
-#
-
-#################################
-#
-# Rules for the ldconfig_t domain.
-#
-type ldconfig_t, domain, privlog, etc_writer;
-type ldconfig_exec_t, file_type, sysadmfile, exec_type;
-
-role sysadm_r types ldconfig_t;
-role system_r types ldconfig_t;
-
-domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
-dontaudit ldconfig_t device_t:dir search;
-can_access_pty(ldconfig_t, initrc)
-allow ldconfig_t admin_tty_type:chr_file rw_file_perms;
-allow ldconfig_t privfd:fd use;
-
-uses_shlib(ldconfig_t)
-
-file_type_auto_trans(ldconfig_t, etc_t, ld_so_cache_t, file)
-allow ldconfig_t lib_t:dir rw_dir_perms;
-allow ldconfig_t lib_t:lnk_file create_lnk_perms;
-
-allow ldconfig_t userdomain:fd use;
-# unlink for when /etc/ld.so.cache is mislabeled
-allow ldconfig_t etc_t:file { getattr read unlink };
-allow ldconfig_t etc_t:lnk_file read;
-
-allow ldconfig_t fs_t:filesystem getattr;
-allow ldconfig_t tmp_t:dir search;
-
-ifdef(`apache.te', `
-# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
-dontaudit ldconfig_t httpd_modules_t:dir search;
-')
-
-allow ldconfig_t { var_t var_lib_t }:dir search;
-allow ldconfig_t proc_t:file { getattr read };
-ifdef(`hide_broken_symptoms', `
-ifdef(`unconfined.te',`
-dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
-');
-')dnl end hide_broken_symptoms
-ifdef(`targeted_policy', `
-allow ldconfig_t lib_t:file r_file_perms;
-unconfined_domain(ldconfig_t) 
-')
diff --git a/targeted/domains/program/load_policy.te b/targeted/domains/program/load_policy.te
deleted file mode 100644
index 3d43900..0000000
--- a/targeted/domains/program/load_policy.te
+++ /dev/null
@@ -1,65 +0,0 @@
-#DESC LoadPolicy - SELinux policy loading utilities
-#
-# Authors:  Frank Mayer, mayerf@tresys.com
-# X-Debian-Packages: policycoreutils
-#
-
-###########################
-# load_policy_t is the domain type for load_policy 
-# load_policy_exec_t is the file type for the executable
-
-# boolean to determine whether the system permits loading policy, setting
-# enforcing mode, and changing boolean values.  Set this to true and you
-# have to reboot to set it back
-bool secure_mode_policyload false;
-
-type load_policy_t, domain;
-role sysadm_r types load_policy_t;
-role secadm_r types load_policy_t;
-role system_r types load_policy_t;
-
-type load_policy_exec_t, file_type, exec_type, sysadmfile;
-
-##########################
-# 
-# Rules
-
-domain_auto_trans(secadmin, load_policy_exec_t, load_policy_t)
-
-allow load_policy_t console_device_t:chr_file { read write };
-
-# Reload the policy configuration (sysadm_t no longer has this ability)
-can_loadpol(load_policy_t)
-
-# Reset policy boolean values.
-can_setbool(load_policy_t)
-
-
-###########################
-# constrain from where load_policy can load a policy, specifically 
-# policy_config_t files 
-#
-
-# only allow read of policy config files
-allow load_policy_t policy_src_t:dir search;
-r_dir_file(load_policy_t, policy_config_t)
-r_dir_file(load_policy_t, selinux_config_t)
-
-# directory search permissions for path to binary policy files
-allow load_policy_t root_t:dir search;
-allow load_policy_t etc_t:dir search;
-
-# for mcs.conf
-allow load_policy_t etc_t:file { getattr read };
-
-# Other access
-can_access_pty(load_policy_t, initrc)
-allow load_policy_t { admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
-uses_shlib(load_policy_t)
-allow load_policy_t self:capability dac_override;
-
-allow load_policy_t { userdomain privfd initrc_t }:fd use;
-
-allow load_policy_t fs_t:filesystem getattr;
-
-read_locale(load_policy_t)
diff --git a/targeted/domains/program/login.te b/targeted/domains/program/login.te
deleted file mode 100644
index 289879b..0000000
--- a/targeted/domains/program/login.te
+++ /dev/null
@@ -1,234 +0,0 @@
-#DESC Login - Local/remote login utilities
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# Macroised by Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: login
-#
-
-#################################
-# 
-# Rules for the local_login_t domain
-# and the remote_login_t domain.
-#
-
-# $1 is the name of the domain (local or remote)
-define(`login_domain', `
-type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
-role system_r types $1_login_t;
-
-dontaudit $1_login_t shadow_t:file { getattr read };
-
-general_domain_access($1_login_t);
-
-# Read system information files in /proc.
-r_dir_file($1_login_t, proc_t)
-
-base_file_read_access($1_login_t)
-
-# Read directories and files with the readable_t type.
-# This type is a general type for "world"-readable files.
-allow $1_login_t readable_t:dir r_dir_perms;
-allow $1_login_t readable_t:notdevfile_class_set r_file_perms;
-
-# Read /var, /var/spool
-allow $1_login_t { var_t var_spool_t }:dir search;
-
-# for when /var/mail is a sym-link
-allow $1_login_t var_t:lnk_file read;
-
-# Read /etc.
-r_dir_file($1_login_t, etc_t)
-allow $1_login_t etc_runtime_t:{ file lnk_file } r_file_perms;
-
-read_locale($1_login_t)
-
-# for SSP/ProPolice
-allow $1_login_t urandom_device_t:chr_file { getattr read };
-
-# Read executable types.
-allow $1_login_t exec_type:{ file lnk_file } r_file_perms;
-
-# Read /dev directories and any symbolic links.
-allow $1_login_t device_t:dir r_dir_perms;
-allow $1_login_t device_t:lnk_file r_file_perms;
-
-uses_shlib($1_login_t);
-
-tmp_domain($1_login)
-
-ifdef(`pam.te', `
-can_exec($1_login_t, pam_exec_t)
-')
-
-ifdef(`pamconsole.te', `
-rw_dir_create_file($1_login_t, pam_var_console_t)
-domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t)
-')
-
-ifdef(`alsa.te', `
-domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
-')
-
-# Use capabilities
-allow $1_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
-allow $1_login_t self:process setrlimit;
-dontaudit $1_login_t sysfs_t:dir search;
-
-# Set exec context.
-can_setexec($1_login_t)
-
-allow $1_login_t autofs_t:dir { search read getattr };
-allow $1_login_t mnt_t:dir r_dir_perms;
-
-if (use_nfs_home_dirs) {
-r_dir_file($1_login_t, nfs_t)
-}
-
-if (use_samba_home_dirs) {
-r_dir_file($1_login_t, cifs_t)
-}
-
-# Login can polyinstantiate
-polyinstantiater($1_login_t)
-
-# FIXME: what is this for?
-ifdef(`xdm.te', `
-allow xdm_t $1_login_t:process signull;
-')
-
-ifdef(`crack.te', `
-allow $1_login_t crack_db_t:file r_file_perms;
-')
-
-# Permit login to search the user home directories.
-allow $1_login_t home_root_t:dir search;
-allow $1_login_t home_dir_type:dir search;
-
-# Write to /var/run/utmp.
-allow $1_login_t var_run_t:dir search;
-allow $1_login_t initrc_var_run_t:file rw_file_perms;
-
-# Write to /var/log/wtmp.
-allow $1_login_t var_log_t:dir search;
-allow $1_login_t wtmp_t:file rw_file_perms;
-
-# Write to /var/log/lastlog.
-allow $1_login_t lastlog_t:file rw_file_perms;
-
-# Write to /var/log/btmp
-allow $1_login_t faillog_t:file { lock append read write };
-
-# Search for mail spool file.
-allow $1_login_t mail_spool_t:dir r_dir_perms;
-allow $1_login_t mail_spool_t:file getattr;
-allow $1_login_t mail_spool_t:lnk_file read;
-
-# Get security policy decisions.
-can_getsecurity($1_login_t)
-
-# allow read access to default_contexts in /etc/security
-allow $1_login_t default_context_t:file r_file_perms;
-allow $1_login_t default_context_t:dir search;
-r_dir_file($1_login_t, selinux_config_t)
-
-allow $1_login_t mouse_device_t:chr_file { getattr setattr };
-
-ifdef(`targeted_policy',`
-unconfined_domain($1_login_t)
-domain_auto_trans($1_login_t, shell_exec_t, unconfined_t)
-')
-
-')dnl end login_domain macro
-#################################
-#
-# Rules for the local_login_t domain.
-#
-# local_login_t is the domain of a login process 
-# spawned by getty.
-#
-# remote_login_t is the domain of a login process 
-# spawned by rlogind.
-#
-# login_exec_t is the type of the login program
-#
-type login_exec_t, file_type, sysadmfile, exec_type;
-
-login_domain(local)
-
-# But also permit other user domains to be entered by login.
-login_spawn_domain(local_login, userdomain)
-
-# Do not audit denied attempts to access devices.
-dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };
-dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
-dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr };
-dontaudit local_login_t misc_device_t:{ chr_file blk_file } { getattr setattr };
-dontaudit local_login_t framebuf_device_t:chr_file { getattr setattr read };
-dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
-dontaudit local_login_t v4l_device_t:chr_file { getattr setattr read };
-dontaudit local_login_t removable_device_t:chr_file { getattr setattr };
-dontaudit local_login_t scanner_device_t:chr_file { getattr setattr };
-
-# Do not audit denied attempts to access /mnt.
-dontaudit local_login_t mnt_t:dir r_dir_perms;
-
-
-# Create lock file.
-lock_domain(local_login)
-
-# Read and write ttys.
-allow local_login_t tty_device_t:chr_file { setattr rw_file_perms };
-allow local_login_t ttyfile:chr_file { setattr rw_file_perms };
-
-# Relabel ttys.
-allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto };
-allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto };
-
-ifdef(`gpm.te',
-`allow local_login_t gpmctl_t:sock_file { getattr setattr };')
-
-# Allow setting of attributes on sound devices.
-allow local_login_t sound_device_t:chr_file { getattr setattr };
-
-# Allow setting of attributes on power management devices.
-allow local_login_t power_device_t:chr_file { getattr setattr };
-dontaudit local_login_t init_t:fd use;
-
-#################################
-#
-# Rules for the remote_login_t domain.
-#
-
-login_domain(remote)
-
-# Only permit unprivileged user domains to be entered via rlogin,
-# since very weak authentication is used.
-login_spawn_domain(remote_login, unpriv_userdomain)
-
-allow remote_login_t userpty_type:chr_file { setattr write };
-
-# Use the pty created by rlogind.
-ifdef(`rlogind.te', `
-can_access_pty(remote_login_t, rlogind)
-# Relabel ptys created by rlogind.
-allow remote_login_t rlogind_devpts_t:chr_file { setattr relabelfrom relabelto };
-')
-
-# Use the pty created by telnetd.
-ifdef(`telnetd.te', `
-can_access_pty(remote_login_t, telnetd)
-# Relabel ptys created by telnetd.
-allow remote_login_t telnetd_devpts_t:chr_file { setattr relabelfrom relabelto };
-')
-
-allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
-allow remote_login_t fs_t:filesystem { getattr };
-
-# Allow remote login to resolve host names (passed in via the -h switch)
-can_resolve(remote_login_t)
-
-ifdef(`use_mcs', `
-ifdef(`getty.te', `
-range_transition getty_t login_exec_t s0 - s0:c0.c255;
-')
-')
diff --git a/targeted/domains/program/lpd.te b/targeted/domains/program/lpd.te
deleted file mode 100644
index 76cd44d..0000000
--- a/targeted/domains/program/lpd.te
+++ /dev/null
@@ -1,161 +0,0 @@
-#DESC Lpd - Print server
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# Modified by David A. Wheeler <dwheeler@ida.org> for LPRng (Red Hat 7.1)
-# Modified by Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: lpr
-#
-
-#################################
-#
-# Rules for the lpd_t domain.
-#
-# lpd_t is the domain of lpd.
-# lpd_exec_t is the type of the lpd executable.
-# printer_t is the type of the Unix domain socket created
-# by lpd.
-#
-daemon_domain(lpd)
-
-allow lpd_t lpd_var_run_t:sock_file create_file_perms;
-
-read_fonts(lpd_t)
-
-type printer_t, file_type, sysadmfile, dev_fs;
-
-type printconf_t, file_type, sysadmfile;   # Type for files in /usr/share/printconf.
-
-tmp_domain(lpd);
-
-# for postscript include files
-allow lpd_t usr_t:{ file lnk_file } { getattr read };
-
-# Allow checkpc to access the lpd spool so it can check & fix it.
-# This requires that /usr/sbin/checkpc have type checkpc_t.
-type checkpc_t, domain, privlog;
-role system_r types checkpc_t;
-uses_shlib(checkpc_t)
-can_network_client(checkpc_t)
-allow checkpc_t port_type:tcp_socket name_connect;
-can_ypbind(checkpc_t)
-log_domain(checkpc)
-type checkpc_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(initrc_t, checkpc_exec_t, checkpc_t)
-domain_auto_trans(sysadm_t, checkpc_exec_t, checkpc_t)
-role sysadm_r types checkpc_t;
-allow checkpc_t admin_tty_type:chr_file { read write };
-allow checkpc_t privfd:fd use;
-ifdef(`crond.te', `
-system_crond_entry(checkpc_exec_t, checkpc_t)
-')
-allow checkpc_t self:capability { setgid setuid dac_override };
-allow checkpc_t self:process { fork signal_perms };
-
-allow checkpc_t proc_t:dir search;
-allow checkpc_t proc_t:lnk_file read;
-allow checkpc_t proc_t:file { getattr read };
-r_dir_file(checkpc_t, self)
-allow checkpc_t self:unix_stream_socket create_socket_perms;
-
-allow checkpc_t { etc_t etc_runtime_t }:file { getattr read };
-allow checkpc_t etc_t:lnk_file read;
-
-allow checkpc_t { var_t var_spool_t }:dir { getattr search };
-allow checkpc_t print_spool_t:file { rw_file_perms unlink };
-allow checkpc_t print_spool_t:dir { read write search add_name remove_name getattr };
-allow checkpc_t device_t:dir search;
-allow checkpc_t printer_device_t:chr_file { getattr append };
-allow checkpc_t devtty_t:chr_file rw_file_perms;
-allow checkpc_t initrc_devpts_t:chr_file rw_file_perms;
-
-# Allow access to /dev/console through the fd:
-allow checkpc_t init_t:fd use;
-
-# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
-allow checkpc_t { bin_t sbin_t }:dir search;
-allow checkpc_t bin_t:lnk_file read;
-can_exec(checkpc_t, shell_exec_t)
-can_exec(checkpc_t, bin_t)
-
-# bash wants access to /proc/meminfo
-allow lpd_t proc_t:file { getattr read };
-
-# gs-gnu wants to read some sysctl entries, it seems to work without though
-dontaudit lpd_t { sysctl_t sysctl_kernel_t }:dir search;
-
-# for defoma
-r_dir_file(lpd_t, var_lib_t)
-
-allow checkpc_t var_run_t:dir search;
-allow checkpc_t lpd_var_run_t:dir { search getattr };
-
-# This is needed to permit chown to read /var/spool/lpd/lp.
-# This is opens up security more than necessary; this means that ANYTHING
-# running in the initrc_t domain can read the printer spool directory.
-# Perhaps executing /etc/rc.d/init.d/lpd should transition
-# to domain lpd_t, instead of waiting for executing lpd.
-allow initrc_t print_spool_t:dir read;
-
-# for defoma
-r_dir_file(lpd_t, readable_t)
-
-# Use capabilities.
-allow lpd_t self:capability { setgid setuid net_bind_service dac_read_search dac_override chown fowner };
-
-# Use the network.
-can_network_server(lpd_t)
-can_ypbind(lpd_t)
-allow lpd_t self:fifo_file rw_file_perms;
-allow lpd_t self:unix_stream_socket create_stream_socket_perms;
-allow lpd_t self:unix_dgram_socket create_socket_perms;
-
-allow lpd_t self:file { getattr read };
-allow lpd_t etc_runtime_t:file { getattr read };
-
-# Bind to the printer port.
-allow lpd_t printer_port_t:tcp_socket name_bind;
-
-# Send to portmap.
-ifdef(`portmap.te', `can_udp_send(lpd_t, portmap_t)')
-
-ifdef(`ypbind.te',
-`# Connect to ypbind.
-can_tcp_connect(lpd_t, ypbind_t)')
-
-# Create and bind to /dev/printer.
-file_type_auto_trans(lpd_t, device_t, printer_t, lnk_file)
-allow lpd_t printer_t:unix_stream_socket name_bind;
-allow lpd_t printer_t:unix_dgram_socket name_bind;
-allow lpd_t printer_device_t:chr_file rw_file_perms;
-
-# Write to /var/spool/lpd.
-allow lpd_t var_spool_t:dir search;
-allow lpd_t print_spool_t:dir rw_dir_perms;
-allow lpd_t print_spool_t:file create_file_perms;
-allow lpd_t print_spool_t:file rw_file_perms;
-
-# Execute filter scripts.
-# can_exec(lpd_t, print_spool_t)
-
-# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
-allow lpd_t bin_t:dir search;
-allow lpd_t bin_t:lnk_file read;
-can_exec(lpd_t, { bin_t sbin_t shell_exec_t })
-
-# lpd must be able to execute the filter utilities in /usr/share/printconf.
-can_exec(lpd_t, printconf_t)
-allow lpd_t printconf_t:file rx_file_perms;
-allow lpd_t printconf_t:dir { getattr search read };
-
-# config files for lpd are of type etc_t, probably should change this
-allow lpd_t etc_t:file { getattr read };
-allow lpd_t etc_t:lnk_file read;
-
-# checkpc needs similar permissions.
-allow checkpc_t printconf_t:file getattr;
-allow checkpc_t printconf_t:dir { getattr search read };
-
-# Read printconf files.
-allow initrc_t printconf_t:dir r_dir_perms;
-allow initrc_t printconf_t:file r_file_perms;
-
diff --git a/targeted/domains/program/mailman.te b/targeted/domains/program/mailman.te
deleted file mode 100644
index 72fe6a7..0000000
--- a/targeted/domains/program/mailman.te
+++ /dev/null
@@ -1,113 +0,0 @@
-#DESC Mailman - GNU Mailman mailing list manager
-#
-# Author: Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: mailman
-
-type mailman_data_t, file_type, sysadmfile;
-type mailman_archive_t, file_type, sysadmfile;
-
-type mailman_log_t, file_type, sysadmfile, logfile;
-type mailman_lock_t, file_type, sysadmfile, lockfile;
-
-define(`mailman_domain', `
-type mailman_$1_t, domain, privlog $2;
-type mailman_$1_exec_t, file_type, sysadmfile, exec_type;
-role system_r types mailman_$1_t;
-file_type_auto_trans(mailman_$1_t, var_log_t, mailman_log_t, file)
-allow mailman_$1_t mailman_log_t:dir rw_dir_perms;
-create_dir_file(mailman_$1_t, mailman_data_t)
-uses_shlib(mailman_$1_t)
-can_exec_any(mailman_$1_t)
-read_sysctl(mailman_$1_t)
-allow mailman_$1_t proc_t:dir search;
-allow mailman_$1_t proc_t:file { read getattr };
-allow mailman_$1_t var_lib_t:dir r_dir_perms;
-allow mailman_$1_t var_lib_t:lnk_file read;
-allow mailman_$1_t device_t:dir search;
-allow mailman_$1_t etc_runtime_t:file { read getattr };
-read_locale(mailman_$1_t)
-file_type_auto_trans(mailman_$1_t, var_lock_t, mailman_lock_t, file)
-allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
-allow mailman_$1_t fs_t:filesystem getattr;
-can_network(mailman_$1_t)
-allow mailman_$1_t smtp_port_t:tcp_socket name_connect;
-can_ypbind(mailman_$1_t)
-allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
-allow mailman_$1_t var_t:dir r_dir_perms;
-tmp_domain(mailman_$1)
-')
-
-mailman_domain(queue, `, auth_chkpwd, nscd_client_domain')
-can_tcp_connect(mailman_queue_t, mail_server_domain)
-
-can_exec(mailman_queue_t, su_exec_t)
-allow mailman_queue_t self:capability { setgid setuid };
-allow mailman_queue_t self:fifo_file rw_file_perms;
-dontaudit mailman_queue_t var_run_t:dir search;
-allow mailman_queue_t proc_t:lnk_file { getattr read };
-
-# for su
-dontaudit mailman_queue_t selinux_config_t:dir search;
-allow mailman_queue_t self:dir search;
-allow mailman_queue_t self:file { getattr read };
-allow mailman_queue_t self:unix_dgram_socket create_socket_perms;
-allow mailman_queue_t self:lnk_file { getattr read };
-
-# some of the following could probably be changed to dontaudit, someone who
-# knows mailman well should test this out and send the changes
-allow mailman_queue_t sysadm_home_dir_t:dir { getattr search };
-
-mailman_domain(mail)
-dontaudit mailman_mail_t mta_delivery_agent:tcp_socket { read write };
-allow mailman_mail_t mta_delivery_agent:fd use;
-ifdef(`qmail.te', `
-allow mailman_mail_t qmail_spool_t:file { read ioctl getattr };
-# do we really need this?
-allow mailman_mail_t qmail_lspawn_t:fifo_file write;
-')
-
-create_dir_file(mailman_queue_t, mailman_archive_t)
-
-ifdef(`apache.te', `
-mailman_domain(cgi)
-can_tcp_connect(mailman_cgi_t, mail_server_domain)
-
-domain_auto_trans({ httpd_t httpd_suexec_t }, mailman_cgi_exec_t, mailman_cgi_t)
-# should have separate types for public and private archives
-r_dir_file(httpd_t, mailman_archive_t)
-create_dir_file(mailman_cgi_t, mailman_archive_t)
-allow httpd_t mailman_data_t:dir { getattr search };
-
-dontaudit mailman_cgi_t httpd_log_t:file append;
-allow httpd_t mailman_cgi_t:process signal;
-allow mailman_cgi_t httpd_t:process sigchld;
-allow mailman_cgi_t httpd_t:fd use;
-allow mailman_cgi_t httpd_t:fifo_file { getattr read write ioctl };
-allow mailman_cgi_t httpd_sys_script_t:dir search;
-allow mailman_cgi_t devtty_t:chr_file { read write };
-allow mailman_cgi_t self:process { fork sigchld };
-allow mailman_cgi_t var_spool_t:dir search;
-')
-
-allow mta_delivery_agent mailman_data_t:dir search;
-allow mta_delivery_agent mailman_data_t:lnk_file read;
-allow initrc_t mailman_data_t:lnk_file read;
-allow initrc_t mailman_data_t:dir r_dir_perms;
-domain_auto_trans({ mta_delivery_agent initrc_t }, mailman_mail_exec_t, mailman_mail_t)
-ifdef(`direct_sysadm_daemon', `
-domain_auto_trans(sysadm_t, mailman_mail_exec_t, mailman_mail_t)
-')
-allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
-
-system_crond_entry(mailman_queue_exec_t, mailman_queue_t)
-allow mailman_queue_t devtty_t:chr_file { read write };
-allow mailman_queue_t self:process { fork signal sigchld };
-allow mailman_queue_t self:netlink_route_socket r_netlink_socket_perms;
-
-# so MTA can access /var/lib/mailman/mail/wrapper
-allow mta_delivery_agent var_lib_t:dir search;
-
-# Handle mailman log files
-rw_dir_create_file(logrotate_t, mailman_log_t)
-allow logrotate_t mailman_data_t:dir search;
-can_exec(logrotate_t, mailman_mail_exec_t)
diff --git a/targeted/domains/program/modutil.te b/targeted/domains/program/modutil.te
deleted file mode 100644
index a934534..0000000
--- a/targeted/domains/program/modutil.te
+++ /dev/null
@@ -1,243 +0,0 @@
-#DESC Modutil - Dynamic module utilities
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: modutils
-#
-
-#################################
-#
-# Rules for the module utility domains.
-#
-type modules_dep_t, file_type, sysadmfile;
-type modules_conf_t, file_type, sysadmfile;
-type modules_object_t, file_type, sysadmfile;
-
-
-ifdef(`IS_INITRD', `', `
-#################################
-#
-# Rules for the depmod_t domain.
-#
-type depmod_t, domain;
-role system_r types depmod_t;
-role sysadm_r types depmod_t;
-
-uses_shlib(depmod_t)
-
-r_dir_file(depmod_t, src_t)
-
-type depmod_exec_t, file_type, exec_type, sysadmfile;
-domain_auto_trans(initrc_t, depmod_exec_t, depmod_t)
-allow depmod_t { bin_t sbin_t }:dir search;
-can_exec(depmod_t, depmod_exec_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, depmod_exec_t, depmod_t)
-')
-
-# Inherit and use descriptors from init and login programs.
-allow depmod_t { init_t privfd }:fd use;
-
-allow depmod_t { etc_t etc_runtime_t }:file { getattr read };
-allow depmod_t { device_t proc_t }:dir search;
-allow depmod_t proc_t:file { getattr read };
-allow depmod_t fs_t:filesystem getattr;
-
-# read system.map
-allow depmod_t boot_t:dir search;
-allow depmod_t boot_t:file { getattr read };
-allow depmod_t system_map_t:file { getattr read };
-
-# Read conf.modules.
-allow depmod_t modules_conf_t:file r_file_perms;
-
-# Create modules.dep.
-file_type_auto_trans(depmod_t, modules_object_t, modules_dep_t, file)
-
-# Read module objects.
-allow depmod_t modules_object_t:dir r_dir_perms;
-allow depmod_t modules_object_t:{ file lnk_file } r_file_perms;
-allow depmod_t modules_object_t:file unlink;
-
-# Access terminals.
-can_access_pty(depmod_t, initrc)
-allow depmod_t { console_device_t admin_tty_type }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
-
-# Read System.map from home directories.
-allow depmod_t { home_root_t staff_home_dir_t sysadm_home_dir_t }:dir r_dir_perms;
-r_dir_file(depmod_t, { staff_home_t sysadm_home_t })
-')dnl end IS_INITRD
-
-#################################
-#
-# Rules for the insmod_t domain.
-#
-
-type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' ), mlsfilewrite, nscd_client_domain
-;
-role system_r types insmod_t;
-role sysadm_r types insmod_t;
-type insmod_exec_t, file_type, exec_type, sysadmfile;
-
-bool secure_mode_insmod false;
-
-can_ypbind(insmod_t)
-
-ifdef(`unlimitedUtils', `
-unconfined_domain(insmod_t) 
-')
-uses_shlib(insmod_t)
-read_locale(insmod_t)
-
-# for SSP
-allow insmod_t urandom_device_t:chr_file read;
-allow insmod_t lib_t:file { getattr read };
-
-allow insmod_t { bin_t sbin_t }:dir search;
-allow insmod_t { bin_t sbin_t }:lnk_file read;
-
-allow insmod_t self:dir search;
-allow insmod_t self:lnk_file read;
-
-allow insmod_t usr_t:file { getattr read };
-
-allow insmod_t privfd:fd use;
-can_access_pty(insmod_t, initrc)
-allow insmod_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow insmod_t sysadm_gph_t:fd use;')
-
-allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write };
-
-allow insmod_t sound_device_t:chr_file { read ioctl write };
-allow insmod_t zero_device_t:chr_file read;
-allow insmod_t memory_device_t:chr_file rw_file_perms;
-
-# Read module config and dependency information
-allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
-
-# Read module objects.
-r_dir_file(insmod_t, modules_object_t)
-# for locking
-allow insmod_t modules_object_t:file write;
-
-allow insmod_t { var_t var_log_t }:dir search;
-ifdef(`xserver.te', `
-allow insmod_t xserver_log_t:file getattr;
-allow insmod_t xserver_misc_device_t:chr_file { read write };
-')
-rw_dir_create_file(insmod_t, var_log_ksyms_t)
-allow insmod_t { etc_t etc_runtime_t }:file { getattr read };
-
-allow insmod_t self:udp_socket create_socket_perms;
-allow insmod_t self:unix_dgram_socket create_socket_perms;
-allow insmod_t self:unix_stream_socket create_stream_socket_perms;
-allow insmod_t self:rawip_socket create_socket_perms;
-allow insmod_t self:capability { dac_override kill net_raw sys_tty_config };
-allow insmod_t domain:process signal;
-allow insmod_t self:process { fork signal_perms };
-allow insmod_t device_t:dir search;
-allow insmod_t etc_runtime_t:file { getattr read };
-
-# for loading modules at boot time
-allow insmod_t { init_t initrc_t }:fd use;
-allow insmod_t initrc_t:fifo_file { getattr read write };
-
-allow insmod_t fs_t:filesystem getattr;
-allow insmod_t sysfs_t:dir search;
-allow insmod_t { usbfs_t usbdevfs_t }:dir search;
-allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount;
-r_dir_file(insmod_t, debugfs_t)
-
-# Rules for /proc/sys/kernel/tainted
-read_sysctl(insmod_t)
-allow insmod_t proc_t:dir search;
-allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms };
-
-allow insmod_t proc_t:file rw_file_perms;
-allow insmod_t proc_t:lnk_file read;
-
-# Write to /proc/mtrr.
-allow insmod_t mtrr_device_t:file write;
-
-# Read /proc/sys/kernel/hotplug.
-allow insmod_t sysctl_hotplug_t:file { getattr read };
-
-allow insmod_t device_t:dir read;
-allow insmod_t devpts_t:dir { getattr search };
-
-if (!secure_mode_insmod) {
-domain_auto_trans(privmodule, insmod_exec_t, insmod_t)
-allow insmod_t self:capability sys_module;
-}dnl end if !secure_mode_insmod
-
-can_exec(insmod_t, { insmod_exec_t shell_exec_t bin_t sbin_t etc_t })
-allow insmod_t devtty_t:chr_file rw_file_perms;
-allow insmod_t privmodule:process sigchld;
-dontaudit sysadm_t self:capability sys_module;
-
-ifdef(`mount.te', `
-# Run mount in the mount_t domain.
-domain_auto_trans(insmod_t, mount_exec_t, mount_t)
-')
-# for when /var is not mounted early in the boot
-dontaudit insmod_t file_t:dir search;
-
-# for nscd
-dontaudit insmod_t var_run_t:dir search;
-
-ifdef(`crond.te', `
-rw_dir_create_file(system_crond_t, var_log_ksyms_t)
-')
-
-ifdef(`IS_INITRD', `', `
-#################################
-#
-# Rules for the update_modules_t domain.
-#
-type update_modules_t, domain, privlog;
-type update_modules_exec_t, file_type, exec_type, sysadmfile;
-
-role system_r types update_modules_t;
-role sysadm_r types update_modules_t;
-
-domain_auto_trans({ initrc_t sysadm_t }, update_modules_exec_t, update_modules_t)
-allow update_modules_t privfd:fd use;
-allow update_modules_t init_t:fd use;
-
-allow update_modules_t device_t:dir { getattr search };
-allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms;
-can_access_pty(update_modules_t, initrc)
-allow update_modules_t admin_tty_type:chr_file rw_file_perms;
-
-can_exec(update_modules_t, insmod_exec_t)
-allow update_modules_t urandom_device_t:chr_file { getattr read };
-
-dontaudit update_modules_t sysadm_home_dir_t:dir search;
-
-uses_shlib(update_modules_t)
-read_locale(update_modules_t)
-allow update_modules_t lib_t:file { getattr read };
-allow update_modules_t self:process { fork sigchld };
-allow update_modules_t self:fifo_file rw_file_perms;
-allow update_modules_t self:file { getattr read };
-allow update_modules_t modules_dep_t:file rw_file_perms;
-file_type_auto_trans(update_modules_t, modules_object_t, modules_conf_t, file)
-domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
-can_exec(update_modules_t, { shell_exec_t bin_t sbin_t update_modules_exec_t etc_t })
-allow update_modules_t { sbin_t bin_t }:lnk_file read;
-allow update_modules_t { sbin_t bin_t }:dir search;
-allow update_modules_t { etc_t etc_runtime_t }:file r_file_perms;
-allow update_modules_t etc_t:lnk_file read;
-allow update_modules_t fs_t:filesystem getattr;
-
-allow update_modules_t proc_t:dir search;
-allow update_modules_t proc_t:file r_file_perms;
-allow update_modules_t { self proc_t }:lnk_file read;
-read_sysctl(update_modules_t)
-allow update_modules_t self:dir search;
-allow update_modules_t self:unix_stream_socket create_socket_perms;
-
-file_type_auto_trans(update_modules_t, etc_t, modules_conf_t, file)
-
-tmp_domain(update_modules)
-')dnl end IS_INITRD
diff --git a/targeted/domains/program/mta.te b/targeted/domains/program/mta.te
deleted file mode 100644
index 2d0b612..0000000
--- a/targeted/domains/program/mta.te
+++ /dev/null
@@ -1,82 +0,0 @@
-#DESC MTA - Mail agents
-#
-# Author: Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: postfix exim sendmail sendmail-wide
-#
-# policy for all mail servers, including allowing user to send mail from the
-# command-line and for cron jobs to use sendmail -t
-
-#
-# sendmail_exec_t is the type of /usr/sbin/sendmail
-#
-# define sendmail_exec_t if sendmail.te does not do it for us
-ifdef(`sendmail.te', `', `
-type sendmail_exec_t, file_type, exec_type, sysadmfile;
-')
-
-# create a system_mail_t domain for daemons, init scripts, etc when they run
-# "mail user@domain"
-mail_domain(system)
-
-ifdef(`targeted_policy', `
-# rules are currently defined in sendmail.te, but it is not included in 
-# targeted policy.  We could move these rules permanantly here.
-ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
-allow system_mail_t self:dir search;
-allow system_mail_t self:lnk_file read;
-r_dir_file(system_mail_t, { proc_t proc_net_t })
-allow system_mail_t fs_t:filesystem getattr;
-allow system_mail_t { var_t var_spool_t }:dir getattr;
-create_dir_file(system_mail_t, mqueue_spool_t)
-create_dir_file(system_mail_t, mail_spool_t)
-allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
-allow system_mail_t etc_mail_t:file { getattr read };
-
-# for reading .forward - maybe we need a new type for it?
-# also for delivering mail to maildir
-file_type_auto_trans(mta_delivery_agent, user_home_dir_t, user_home_t)
-', `
-ifdef(`sendmail.te', `
-# sendmail has an ugly design, the one process parses input from the user and
-# then does system things with it.
-domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
-', `
-domain_auto_trans(initrc_t, sendmail_exec_t, system_mail_t)
-')
-allow initrc_t sendmail_exec_t:lnk_file { getattr read };
-
-# allow the sysadmin to do "mail someone < /home/user/whatever"
-allow sysadm_mail_t user_home_dir_type:dir search;
-r_dir_file(sysadm_mail_t, user_home_type)
-')
-# for a mail server process that does things in response to a user command
-allow mta_user_agent userdomain:process sigchld;
-allow mta_user_agent { userdomain privfd }:fd use;
-ifdef(`crond.te', `
-allow mta_user_agent crond_t:process sigchld;
-')
-allow mta_user_agent sysadm_t:fifo_file { read write };
-
-allow { system_mail_t mta_user_agent } privmail:fd use;
-allow { system_mail_t mta_user_agent } privmail:process sigchld;
-allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
-allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };
-
-allow mta_delivery_agent home_root_t:dir { getattr search };
-
-# for /var/spool/mail
-ra_dir_create_file(mta_delivery_agent, mail_spool_t)
-
-# for piping mail to a command
-can_exec(mta_delivery_agent, shell_exec_t)
-allow mta_delivery_agent bin_t:dir search;
-allow mta_delivery_agent bin_t:lnk_file read;
-allow mta_delivery_agent devtty_t:chr_file rw_file_perms;
-allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
-
-allow system_mail_t etc_runtime_t:file { getattr read };
-allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read };
-ifdef(`targeted_policy', `
-typealias system_mail_t alias sysadm_mail_t;
-')
-
diff --git a/targeted/domains/program/mysqld.te b/targeted/domains/program/mysqld.te
deleted file mode 100644
index 75557f1..0000000
--- a/targeted/domains/program/mysqld.te
+++ /dev/null
@@ -1,94 +0,0 @@
-#DESC Mysqld - Database server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: mysql-server
-#
-
-#################################
-#
-# Rules for the mysqld_t domain.
-#
-# mysqld_exec_t is the type of the mysqld executable.
-#
-daemon_domain(mysqld, `, nscd_client_domain')
-
-allow mysqld_t mysqld_port_t:tcp_socket { name_bind name_connect };
-
-allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
-
-etcdir_domain(mysqld)
-type mysqld_db_t, file_type, sysadmfile;
-
-log_domain(mysqld)
-
-# for temporary tables
-tmp_domain(mysqld)
-
-allow mysqld_t usr_t:file { getattr read };
-
-allow mysqld_t self:fifo_file { read write };
-allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
-allow initrc_t mysqld_t:unix_stream_socket connectto;
-allow initrc_t mysqld_var_run_t:sock_file write;
-
-allow initrc_t mysqld_log_t:file { write append setattr ioctl };
-
-allow mysqld_t self:capability { dac_override setgid setuid net_bind_service sys_resource };
-allow mysqld_t self:process { setrlimit setsched getsched };
-
-allow mysqld_t proc_t:file { getattr read };
-
-# Allow access to the mysqld databases
-create_dir_file(mysqld_t, mysqld_db_t)
-file_type_auto_trans(mysqld_t, var_lib_t, mysqld_db_t, { dir file })
-
-can_network(mysqld_t)
-can_ypbind(mysqld_t)
-
-# read config files
-r_dir_file(initrc_t, mysqld_etc_t)
-allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
-
-allow mysqld_t etc_t:dir search;
-
-read_sysctl(mysqld_t)
-
-can_unix_connect(sysadm_t, mysqld_t)
-
-# for /root/.my.cnf - should not be needed
-allow mysqld_t sysadm_home_dir_t:dir search;
-allow mysqld_t sysadm_home_t:file { read getattr };
-
-ifdef(`logrotate.te', `
-r_dir_file(logrotate_t, mysqld_etc_t)
-allow logrotate_t mysqld_db_t:dir search;
-allow logrotate_t mysqld_var_run_t:dir search;
-allow logrotate_t mysqld_var_run_t:sock_file write;
-can_unix_connect(logrotate_t, mysqld_t)
-')
-
-ifdef(`daemontools.te', `
-domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
-allow svc_start_t mysqld_t:process signal;
-svc_ipc_domain(mysqld_t)
-')dnl end ifdef daemontools
-
-ifdef(`distro_redhat', `
-allow initrc_t mysqld_db_t:dir create_dir_perms;
-
-# because Fedora has the sock_file in the database directory
-file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
-')
-ifdef(`targeted_policy', `', `
-bool allow_user_mysql_connect false;
-
-if (allow_user_mysql_connect) {
-allow userdomain mysqld_var_run_t:dir search;
-allow userdomain mysqld_var_run_t:sock_file write;
-}
-')
-
-allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
-ifdef(`crond.te', `
-allow system_crond_t mysqld_etc_t:file { getattr read };
-')
diff --git a/targeted/domains/program/named.te b/targeted/domains/program/named.te
deleted file mode 100644
index 1bf6343..0000000
--- a/targeted/domains/program/named.te
+++ /dev/null
@@ -1,186 +0,0 @@
-#DESC BIND - Name server
-#
-# Authors:  Yuichi Nakamura <ynakam@ori.hitachi-sk.co.jp>,
-#           Russell Coker
-# X-Debian-Packages: bind bind9
-# 
-#
-
-#################################
-#
-# Rules for the named_t domain.
-#
-
-daemon_domain(named, `, nscd_client_domain')
-tmp_domain(named)
-
-type named_checkconf_exec_t, file_type, exec_type, sysadmfile;
-domain_auto_trans(initrc_t, named_checkconf_exec_t, named_t)
-
-# For /var/run/ndc used in BIND 8
-file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)
-
-# ndc_t is the domain for the ndc program
-type ndc_t, domain, privlog, nscd_client_domain;
-role sysadm_r types ndc_t;
-role system_r types ndc_t;
-
-ifdef(`targeted_policy', `
-dontaudit ndc_t root_t:file { getattr read };
-dontaudit ndc_t unlabeled_t:file { getattr read };	
-')
-
-can_exec(named_t, named_exec_t)
-allow named_t sbin_t:dir search;
-
-allow named_t self:process { setsched setcap setrlimit };
-
-# A type for configuration files of named.
-type named_conf_t, file_type, sysadmfile, mount_point;
-
-# for primary zone files
-type named_zone_t, file_type, sysadmfile;
-
-# for secondary zone files
-type named_cache_t, file_type, sysadmfile;
-
-# for DNSSEC key files
-type dnssec_t, file_type, sysadmfile, secure_file_type;
-allow { ndc_t named_t } dnssec_t:file { getattr read };
-
-# Use capabilities. Surplus capabilities may be allowed.
-allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
-
-allow named_t etc_t:file { getattr read };
-allow named_t etc_runtime_t:{ file lnk_file } { getattr read };
-
-#Named can use network
-can_network(named_t)
-allow named_t port_type:tcp_socket name_connect;
-can_ypbind(named_t)
-# allow UDP transfer to/from any program
-can_udp_send(domain, named_t)
-can_udp_send(named_t, domain)
-can_tcp_connect(domain, named_t)
-log_domain(named)
-
-# Bind to the named port.
-allow named_t dns_port_t:udp_socket name_bind;
-allow named_t { dns_port_t rndc_port_t }:tcp_socket name_bind;
-
-bool named_write_master_zones false;
-
-#read configuration files
-r_dir_file(named_t, named_conf_t)
-
-if (named_write_master_zones) {
-#create and modify zone files
-create_dir_file(named_t, named_zone_t)
-}
-#read zone files
-r_dir_file(named_t, named_zone_t)
-
-#write cache for secondary zones
-rw_dir_create_file(named_t, named_cache_t)
-
-allow named_t self:unix_stream_socket create_stream_socket_perms;
-allow named_t self:unix_dgram_socket create_socket_perms;
-allow named_t self:netlink_route_socket r_netlink_socket_perms;
-
-# Read sysctl kernel variables.
-read_sysctl(named_t)
-
-# Read /proc/cpuinfo and /proc/net
-r_dir_file(named_t, proc_t)
-r_dir_file(named_t, proc_net_t)
-
-# Read /dev/random.
-allow named_t device_t:dir r_dir_perms;
-allow named_t random_device_t:chr_file r_file_perms;
-
-# Use a pipe created by self.
-allow named_t self:fifo_file rw_file_perms;
-
-# Enable named dbus support:
-ifdef(`dbusd.te', `
-dbusd_client(system, named)
-domain_auto_trans(system_dbusd_t, named_exec_t, named_t)
-allow named_t system_dbusd_t:dbus { acquire_svc send_msg };
-allow named_t self:dbus send_msg;
-allow { NetworkManager_t dhcpc_t initrc_t } named_t:dbus send_msg;
-allow named_t { NetworkManager_t dhcpc_t initrc_t }:dbus send_msg;
-ifdef(`unconfined.te', `
-allow unconfined_t named_t:dbus send_msg;
-allow named_t unconfined_t:dbus send_msg;
-')
-')
-
-
-# Set own capabilities.
-#A type for /usr/sbin/ndc
-type ndc_exec_t, file_type,sysadmfile, exec_type;
-domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
-uses_shlib(ndc_t)
-can_network_client_tcp(ndc_t)
-allow ndc_t rndc_port_t:tcp_socket name_connect;
-can_ypbind(ndc_t)
-can_resolve(ndc_t)
-read_locale(ndc_t)
-can_tcp_connect(ndc_t, named_t)
-
-ifdef(`distro_redhat', `
-# for /etc/rndc.key
-allow { ndc_t initrc_t } named_conf_t:dir search;
-# Allow init script to cp localtime to named_conf_t
-allow initrc_t named_conf_t:file { setattr write };
-allow initrc_t named_conf_t:dir create_dir_perms;
-allow initrc_t var_run_t:lnk_file create_file_perms;
-ifdef(`automount.te', `
-# automount has no need to search the /proc file system for the named chroot
-dontaudit automount_t named_zone_t:dir search;
-')dnl end ifdef automount.te
-')dnl end ifdef distro_redhat
-
-allow { ndc_t initrc_t } named_conf_t:file { getattr read };
-
-allow ndc_t etc_t:dir r_dir_perms;
-allow ndc_t etc_t:file r_file_perms;
-allow ndc_t self:unix_stream_socket create_stream_socket_perms;
-allow ndc_t self:unix_stream_socket connect;
-allow ndc_t self:capability { dac_override net_admin };
-allow ndc_t var_t:dir search;
-allow ndc_t var_run_t:dir search;
-allow ndc_t named_var_run_t:sock_file rw_file_perms;
-allow ndc_t named_t:unix_stream_socket connectto;
-allow ndc_t { privfd init_t }:fd use;
-# seems to need read as well for some reason
-allow ndc_t { admin_tty_type initrc_devpts_t }:chr_file { getattr read write };
-allow ndc_t fs_t:filesystem getattr;
-
-# Read sysctl kernel variables.
-read_sysctl(ndc_t)
-
-allow ndc_t self:process { fork signal_perms };
-allow ndc_t self:fifo_file { read write getattr ioctl };
-allow ndc_t named_zone_t:dir search;
-
-# for chmod in start script
-dontaudit initrc_t named_var_run_t:dir setattr;
-
-# for ndc_t to be used for restart shell scripts
-ifdef(`ndc_shell_script', `
-system_crond_entry(ndc_exec_t, ndc_t)
-allow ndc_t devtty_t:chr_file { read write ioctl };
-allow ndc_t etc_runtime_t:file { getattr read };
-allow ndc_t proc_t:dir search;
-allow ndc_t proc_t:file { getattr read };
-can_exec(ndc_t, { bin_t sbin_t shell_exec_t })
-allow ndc_t named_var_run_t:file getattr;
-allow ndc_t named_zone_t:dir { read getattr };
-allow ndc_t named_zone_t:file getattr;
-dontaudit ndc_t sysadm_home_t:dir { getattr search read };
-')
-allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
-dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };
-
-
diff --git a/targeted/domains/program/netutils.te b/targeted/domains/program/netutils.te
deleted file mode 100644
index 8dcbdf1..0000000
--- a/targeted/domains/program/netutils.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#DESC Netutils - Network utilities
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>
-# X-Debian-Packages: netbase iputils arping tcpdump 
-#
-
-#
-# Rules for the netutils_t domain.
-# This domain is for network utilities that require access to
-# special protocol families.
-#
-type netutils_t, domain, privlog;
-type netutils_exec_t, file_type, sysadmfile, exec_type;
-role system_r types netutils_t;
-role sysadm_r types netutils_t;
-
-uses_shlib(netutils_t)
-can_network(netutils_t)
-allow netutils_t port_type:tcp_socket name_connect;
-can_ypbind(netutils_t)
-tmp_domain(netutils)
-
-domain_auto_trans(initrc_t, netutils_exec_t, netutils_t)
-ifdef(`targeted_policy', `', `
-domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
-')
-
-# Inherit and use descriptors from init.
-allow netutils_t { userdomain init_t }:fd use;
-
-allow netutils_t self:process { fork signal_perms };
-
-# Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { net_admin net_raw setuid setgid };
-
-# Create and use netlink sockets.
-allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
-
-# Create and use packet sockets.
-allow netutils_t self:packet_socket create_socket_perms;
-
-# Create and use UDP sockets.
-allow netutils_t self:udp_socket create_socket_perms;
-
-# Create and use TCP sockets.
-allow netutils_t self:tcp_socket create_socket_perms;
-
-allow netutils_t self:unix_stream_socket create_socket_perms;
-
-# Read certain files in /etc
-allow netutils_t etc_t:file r_file_perms;
-read_locale(netutils_t)
-
-allow netutils_t fs_t:filesystem getattr;
-
-# Access terminals.
-allow netutils_t privfd:fd use;
-can_access_pty(netutils_t, initrc)
-allow netutils_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
-allow netutils_t proc_t:dir search;
-
-# for nscd
-dontaudit netutils_t var_t:dir search;
diff --git a/targeted/domains/program/newrole.te b/targeted/domains/program/newrole.te
deleted file mode 100644
index 207274d..0000000
--- a/targeted/domains/program/newrole.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#DESC Newrole - SELinux utility to run a shell with a new role
-#
-# Authors:  Anthony Colatrella (NSA) 
-# Maintained by Stephen Smalley <sds@epoch.ncsc.mil>
-# X-Debian-Packages: policycoreutils
-#
-
-# secure mode means that newrole/sudo/su/userhelper cannot reach sysadm_t
-bool secure_mode false;
-
-type newrole_exec_t, file_type, exec_type, sysadmfile;
-domain_auto_trans(userdomain, newrole_exec_t, newrole_t)
-
-newrole_domain(newrole)
-
-# Write to utmp.
-allow newrole_t var_run_t:dir r_dir_perms;
-allow newrole_t initrc_var_run_t:file rw_file_perms;
-
-role secadm_r types newrole_t;
-
-ifdef(`targeted_policy', `
-typeattribute newrole_t unconfinedtrans;
-')
diff --git a/targeted/domains/program/nscd.te b/targeted/domains/program/nscd.te
deleted file mode 100644
index 8e899c7..0000000
--- a/targeted/domains/program/nscd.te
+++ /dev/null
@@ -1,79 +0,0 @@
-#DESC NSCD - Name service cache daemon cache lookup of user-name
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: nscd
-#
-define(`nscd_socket_domain', `
-can_unix_connect($1, nscd_t)
-allow $1 nscd_var_run_t:sock_file rw_file_perms;
-allow $1 { var_run_t var_t }:dir search;
-allow $1 nscd_t:nscd { getpwd getgrp gethost };
-dontaudit $1 nscd_t:fd use;
-dontaudit $1 nscd_var_run_t:dir { search getattr };
-dontaudit $1 nscd_var_run_t:file { getattr read };
-dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
-')
-#################################
-#
-# Rules for the nscd_t domain.
-#
-# nscd is both the client program and the daemon.
-daemon_domain(nscd, `, userspace_objmgr')
-
-allow nscd_t etc_t:file r_file_perms;
-allow nscd_t etc_t:lnk_file read;
-can_network_client(nscd_t)
-allow nscd_t port_type:tcp_socket name_connect;
-can_ypbind(nscd_t)
-
-file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
-
-allow nscd_t self:unix_stream_socket create_stream_socket_perms;
-
-nscd_socket_domain(nscd_client_domain)
-nscd_socket_domain(daemon)
-
-# Clients that are allowed to map the database via a fd obtained from nscd.
-nscd_socket_domain(nscd_shmem_domain)
-allow nscd_shmem_domain nscd_var_run_t:dir r_dir_perms;
-allow nscd_shmem_domain nscd_t:nscd { shmempwd shmemgrp shmemhost };
-# Receive fd from nscd and map the backing file with read access.
-allow nscd_shmem_domain nscd_t:fd use;
-
-# For client program operation, invoked from sysadm_t.
-# Transition occurs to nscd_t due to direct_sysadm_daemon. 
-allow nscd_t self:nscd { admin getstat };
-allow nscd_t admin_tty_type:chr_file rw_file_perms;
-
-read_sysctl(nscd_t)
-allow nscd_t self:process { getattr setsched };
-allow nscd_t self:unix_dgram_socket create_socket_perms;
-allow nscd_t self:fifo_file { read write };
-allow nscd_t self:capability { kill setgid setuid net_bind_service };
-
-# for when /etc/passwd has just been updated and has the wrong type
-allow nscd_t shadow_t:file getattr;
-
-dontaudit nscd_t sysadm_home_dir_t:dir search;
-
-ifdef(`winbind.te', `
-#
-# Handle winbind for samba, Might only be needed for targeted policy
-#
-allow nscd_t winbind_var_run_t:sock_file { read write getattr };
-can_unix_connect(nscd_t, winbind_t)
-allow nscd_t samba_var_t:dir search;
-allow nscd_t winbind_var_run_t:dir { getattr search };
-')
-
-r_dir_file(nscd_t, selinux_config_t)
-can_getsecurity(nscd_t)
-allow nscd_t self:netlink_selinux_socket create_socket_perms;
-allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
-allow nscd_t tmp_t:dir { search getattr };
-allow nscd_t tmp_t:lnk_file read;
-allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
-log_domain(nscd)
-r_dir_file(nscd_t, cert_t)
-allow nscd_t tun_tap_device_t:chr_file { read write };
-allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --git a/targeted/domains/program/ntpd.te b/targeted/domains/program/ntpd.te
deleted file mode 100644
index 9916a6a..0000000
--- a/targeted/domains/program/ntpd.te
+++ /dev/null
@@ -1,88 +0,0 @@
-#DESC NTPD - Time synchronisation daemon
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: ntp ntp-simple
-#
-
-#################################
-#
-# Rules for the ntpd_t domain.
-#
-daemon_domain(ntpd, `, nscd_client_domain')
-type ntp_drift_t, file_type, sysadmfile;
-
-type ntpdate_exec_t, file_type, sysadmfile, exec_type;
-domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
-
-logdir_domain(ntpd)
-
-allow ntpd_t var_lib_t:dir r_dir_perms;
-allow ntpd_t usr_t:file r_file_perms;
-# reading  /usr/share/ssl/cert.pem requires
-allow ntpd_t usr_t:lnk_file read;
-allow ntpd_t ntp_drift_t:dir rw_dir_perms;
-allow ntpd_t ntp_drift_t:file create_file_perms;
-
-# for SSP
-allow ntpd_t urandom_device_t:chr_file { getattr read };
-
-# sys_resource and setrlimit is for locking memory
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot sys_nice sys_resource };
-dontaudit ntpd_t self:capability { fsetid net_admin };
-allow ntpd_t self:process { setcap setsched setrlimit };
-# ntpdate wants sys_nice
-
-# for some reason it creates a file in /tmp
-tmp_domain(ntpd)
-
-allow ntpd_t etc_t:dir r_dir_perms;
-allow ntpd_t etc_t:file { read getattr };
-
-# Use the network.
-can_network(ntpd_t)
-allow ntpd_t ntp_port_t:tcp_socket name_connect;
-can_ypbind(ntpd_t)
-allow ntpd_t ntp_port_t:udp_socket name_bind;
-allow sysadm_t ntp_port_t:udp_socket name_bind;
-allow ntpd_t self:unix_dgram_socket create_socket_perms;
-allow ntpd_t self:unix_stream_socket create_socket_perms;
-allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
-
-# so the start script can change firewall entries
-allow initrc_t net_conf_t:file { getattr read ioctl };
-
-# for cron jobs
-# system_crond_t is not right, cron is not doing what it should
-ifdef(`crond.te', `
-system_crond_entry(ntpdate_exec_t, ntpd_t)
-')
-
-can_exec(ntpd_t, initrc_exec_t)
-allow ntpd_t self:fifo_file { read write getattr };
-allow ntpd_t etc_runtime_t:file r_file_perms;
-can_exec(ntpd_t, { bin_t shell_exec_t sbin_t ls_exec_t ntpd_exec_t })
-allow ntpd_t { sbin_t bin_t }:dir search;
-allow ntpd_t bin_t:lnk_file read;
-read_sysctl(ntpd_t);
-allow ntpd_t proc_t:file r_file_perms;
-allow ntpd_t sysadm_home_dir_t:dir r_dir_perms;
-allow ntpd_t self:file { getattr read };
-dontaudit ntpd_t domain:dir search;
-ifdef(`logrotate.te', `
-can_exec(ntpd_t, logrotate_exec_t)
-')
-
-allow ntpd_t devtty_t:chr_file rw_file_perms;
-
-can_udp_send(ntpd_t, sysadm_t)
-can_udp_send(sysadm_t, ntpd_t)
-can_udp_send(ntpd_t, ntpd_t)
-ifdef(`firstboot.te', `
-dontaudit ntpd_t firstboot_t:fd use;
-')
-ifdef(`winbind.te', `
-allow ntpd_t winbind_var_run_t:dir r_dir_perms;
-allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
-')
-# For clock devices like wwvb1
-allow ntpd_t device_t:lnk_file read;
diff --git a/targeted/domains/program/passwd.te b/targeted/domains/program/passwd.te
deleted file mode 100644
index 30d7f86..0000000
--- a/targeted/domains/program/passwd.te
+++ /dev/null
@@ -1,156 +0,0 @@
-#DESC Passwd - Password utilities
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: passwd
-#
-
-#################################
-#
-# Rules for the passwd_t domain.
-#
-define(`base_passwd_domain', `
-type $1_t, domain, privlog, $2;
-
-# for SSP
-allow $1_t urandom_device_t:chr_file read;
-
-allow $1_t self:process setrlimit;
-
-general_domain_access($1_t);
-uses_shlib($1_t);
-
-# Inherit and use descriptors from login.
-allow $1_t privfd:fd use;
-ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
-
-read_locale($1_t)
-
-allow $1_t fs_t:filesystem getattr;
-
-# allow checking if a shell is executable
-allow $1_t shell_exec_t:file execute;
-
-# Obtain contexts
-can_getsecurity($1_t)
-
-allow $1_t etc_t:file create_file_perms;
-
-# read /etc/mtab
-allow $1_t etc_runtime_t:file { getattr read };
-
-# Allow etc_t symlinks for /etc/alternatives on Debian.
-allow $1_t etc_t:lnk_file read;
-
-# Use capabilities.
-allow $1_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
-
-# Access terminals.
-allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms;
-allow $1_t devtty_t:chr_file rw_file_perms;
-
-dontaudit $1_t devpts_t:dir getattr;
-
-# /usr/bin/passwd asks for w access to utmp, but it will operate
-# correctly without it.  Do not audit write denials to utmp.
-dontaudit $1_t initrc_var_run_t:file { read write };
-
-# user generally runs this from their home directory, so do not audit a search
-# on user home dir
-dontaudit $1_t { user_home_dir_type user_home_type }:dir search;
-
-# When the wrong current passwd is entered, passwd, for some reason, 
-# attempts to access /proc and /dev, but handles failure appropriately. So
-# do not audit those denials.
-dontaudit $1_t { proc_t device_t }:dir { search read };
-
-allow $1_t device_t:dir getattr;
-read_sysctl($1_t)
-')
-
-#################################
-#
-# Rules for the passwd_t domain.
-#
-define(`passwd_domain', `
-base_passwd_domain($1, `auth_write, privowner')
-# Update /etc/shadow and /etc/passwd
-file_type_auto_trans($1_t, etc_t, shadow_t, file)
-allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
-can_setfscreate($1_t)
-')
-
-passwd_domain(passwd)
-passwd_domain(sysadm_passwd)
-base_passwd_domain(chfn, `auth_chkpwd, etc_writer, privowner')
-can_setfscreate(chfn_t)
-
-# can exec /sbin/unix_chkpwd
-allow chfn_t { bin_t sbin_t }:dir search;
-
-# uses unix_chkpwd for checking passwords
-dontaudit chfn_t shadow_t:file read;
-allow chfn_t etc_t:dir rw_dir_perms;
-allow chfn_t etc_t:file create_file_perms;
-allow chfn_t proc_t:file { getattr read };
-allow chfn_t self:file write;
-
-in_user_role(passwd_t)
-in_user_role(chfn_t)
-role sysadm_r types passwd_t;
-role sysadm_r types sysadm_passwd_t;
-role sysadm_r types chfn_t;
-role system_r types passwd_t;
-role system_r types chfn_t;
-
-type admin_passwd_exec_t, file_type, sysadmfile;
-type passwd_exec_t, file_type, sysadmfile, exec_type;
-type chfn_exec_t, file_type, sysadmfile, exec_type;
-
-domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, passwd_exec_t, passwd_t)
-domain_auto_trans({ userdomain ifdef(`firstboot.te', `firstboot_t') }, chfn_exec_t, chfn_t)
-domain_auto_trans(sysadm_t, admin_passwd_exec_t, sysadm_passwd_t)
-
-dontaudit chfn_t var_t:dir search;
-
-ifdef(`crack.te', `
-allow passwd_t var_t:dir search;
-dontaudit passwd_t var_run_t:dir search;
-allow passwd_t crack_db_t:dir r_dir_perms;
-allow passwd_t crack_db_t:file r_file_perms;
-', `
-dontaudit passwd_t var_t:dir search;
-')
-
-# allow vipw to exec the editor
-allow sysadm_passwd_t { root_t bin_t sbin_t }:dir search;
-allow sysadm_passwd_t bin_t:lnk_file read;
-can_exec(sysadm_passwd_t, { shell_exec_t bin_t })
-r_dir_file(sysadm_passwd_t, usr_t)
-
-# allow vipw to create temporary files under /var/tmp/vi.recover
-allow sysadm_passwd_t var_t:dir search;
-tmp_domain(sysadm_passwd)
-# for vipw - vi looks in the root home directory for config
-dontaudit sysadm_passwd_t sysadm_home_dir_t:dir { getattr search };
-# for /etc/alternatives/vi
-allow sysadm_passwd_t etc_t:lnk_file read;
-
-# for nscd lookups
-dontaudit sysadm_passwd_t var_run_t:dir search;
-
-# for /proc/meminfo
-allow sysadm_passwd_t proc_t:file { getattr read };
-
-dontaudit { chfn_t passwd_t sysadm_passwd_t } selinux_config_t:dir search;
-dontaudit sysadm_passwd_t devpts_t:dir search;
-
-# make sure that getcon succeeds
-allow passwd_t userdomain:dir search;
-allow passwd_t userdomain:file { getattr read };
-allow passwd_t userdomain:process getattr;
-
-allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-ifdef(`targeted_policy', `
-role system_r types sysadm_passwd_t;
-')
diff --git a/targeted/domains/program/pegasus.te b/targeted/domains/program/pegasus.te
deleted file mode 100644
index e2b557e..0000000
--- a/targeted/domains/program/pegasus.te
+++ /dev/null
@@ -1,37 +0,0 @@
-#DESC pegasus - The Open Group Pegasus CIM/WBEM Server 
-#
-# Author:  Jason Vas Dias <jvdias@redhat.com>
-# Package: tog-pegasus
-# 
-#################################
-#
-# Rules for the pegasus domain
-#
-daemon_domain(pegasus, `, nscd_client_domain, auth')
-type pegasus_data_t, file_type, sysadmfile;
-type pegasus_conf_t, file_type, sysadmfile;
-type pegasus_mof_t, file_type, sysadmfile;
-type pegasus_conf_exec_t, file_type, exec_type, sysadmfile;
-allow pegasus_t self:capability { dac_override net_bind_service audit_write }; 
-can_network_tcp(pegasus_t);
-nsswitch_domain(pegasus_t);
-allow pegasus_t pegasus_var_run_t:sock_file { create setattr };
-allow pegasus_t self:unix_dgram_socket create_socket_perms;
-allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
-allow pegasus_t self:file { read getattr };
-allow pegasus_t self:fifo_file rw_file_perms;
-allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow pegasus_t { pegasus_http_port_t pegasus_https_port_t }:tcp_socket { name_bind name_connect };
-allow pegasus_t proc_t:file { getattr read };
-allow pegasus_t sysctl_vm_t:dir search;
-allow pegasus_t initrc_var_run_t:file { read write lock };
-allow pegasus_t urandom_device_t:chr_file { getattr read };
-r_dir_file(pegasus_t, etc_t)
-r_dir_file(pegasus_t, var_lib_t)
-r_dir_file(pegasus_t, pegasus_mof_t)
-rw_dir_create_file(pegasus_t, pegasus_conf_t)
-rw_dir_create_file(pegasus_t, pegasus_data_t)
-rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t)
-allow pegasus_t shadow_t:file { getattr read };
-dontaudit pegasus_t selinux_config_t:dir search;
-
diff --git a/targeted/domains/program/ping.te b/targeted/domains/program/ping.te
deleted file mode 100644
index 0a0d94c..0000000
--- a/targeted/domains/program/ping.te
+++ /dev/null
@@ -1,63 +0,0 @@
-#DESC Ping - Send ICMP messages to network hosts
-#
-# Author:  David A. Wheeler <dwheeler@ida.org>
-# X-Debian-Packages: iputils-ping netkit-ping iputils-arping arping hping2
-#
-
-#################################
-#
-# Rules for the ping_t domain.
-#
-# ping_t is the domain for the ping program.
-# ping_exec_t is the type of the corresponding program.
-#
-type ping_t, domain, privlog, nscd_client_domain;
-role sysadm_r types ping_t;
-role system_r types ping_t;
-in_user_role(ping_t)
-type ping_exec_t, file_type, sysadmfile, exec_type;
-
-ifdef(`targeted_policy', `
-	allow ping_t { devpts_t ttyfile ptyfile }:chr_file rw_file_perms;
-', `
-bool user_ping false;
-
-if (user_ping) {
-	domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
-	# allow access to the terminal
-	allow ping_t { ttyfile ptyfile }:chr_file rw_file_perms;
-	ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
-}
-')
-
-# Transition into this domain when you run this program.
-domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
-domain_auto_trans(initrc_t, ping_exec_t, ping_t)
-
-uses_shlib(ping_t)
-can_network_client(ping_t)
-can_resolve(ping_t)
-can_ypbind(ping_t)
-allow ping_t etc_t:file { getattr read };
-allow ping_t self:unix_stream_socket create_socket_perms;
-
-# Let ping create raw ICMP packets.
-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
-
-# Use capabilities.
-allow ping_t self:capability { net_raw setuid };
-
-# Access the terminal.
-allow ping_t admin_tty_type:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
-allow ping_t privfd:fd use;
-dontaudit ping_t fs_t:filesystem getattr;
-
-# it tries to access /var/run
-dontaudit ping_t var_t:dir search;
-dontaudit ping_t devtty_t:chr_file { read write };
-dontaudit ping_t self:capability sys_tty_config;
-ifdef(`hide_broken_symptoms', `
-dontaudit ping_t init_t:fd use;
-')
-
diff --git a/targeted/domains/program/portmap.te b/targeted/domains/program/portmap.te
deleted file mode 100644
index 54cad6f..0000000
--- a/targeted/domains/program/portmap.te
+++ /dev/null
@@ -1,71 +0,0 @@
-#DESC Portmap - Maintain RPC program number map
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: portmap
-#
-
-
-
-#################################
-#
-# Rules for the portmap_t domain.
-#
-daemon_domain(portmap, `, nscd_client_domain')
-
-can_network(portmap_t)
-allow portmap_t port_type:tcp_socket name_connect;
-can_ypbind(portmap_t)
-allow portmap_t self:unix_dgram_socket create_socket_perms;
-allow portmap_t self:unix_stream_socket create_stream_socket_perms;
-
-tmp_domain(portmap)
-
-allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind;
-
-# portmap binds to arbitary ports
-allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
-allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-
-allow portmap_t etc_t:file { getattr read };
-
-# Send to ypbind, initrc, rpc.statd, xinetd.
-ifdef(`ypbind.te',
-`can_udp_send(portmap_t, ypbind_t)')
-can_udp_send(portmap_t, { initrc_t init_t })
-can_udp_send(init_t, portmap_t)
-ifdef(`rpcd.te',
-`can_udp_send(portmap_t, rpcd_t)')
-ifdef(`inetd.te',
-`can_udp_send(portmap_t, inetd_t)')
-ifdef(`lpd.te',
-`can_udp_send(portmap_t, lpd_t)')
-ifdef(`tcpd.te', `
-can_udp_send(tcpd_t, portmap_t)
-')
-can_udp_send(portmap_t, kernel_t)
-can_udp_send(kernel_t, portmap_t)
-can_udp_send(sysadm_t, portmap_t)
-can_udp_send(portmap_t, sysadm_t)
-
-# Use capabilities
-allow portmap_t self:capability { net_bind_service setuid setgid };
-allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
-
-application_domain(portmap_helper)
-role system_r types portmap_helper_t;
-domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
-dontaudit portmap_helper_t self:capability { net_admin };
-allow portmap_helper_t self:capability { net_bind_service };
-allow portmap_helper_t initrc_var_run_t:file rw_file_perms;
-file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)
-allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
-can_network(portmap_helper_t)
-allow portmap_helper_t port_type:tcp_socket name_connect;
-can_ypbind(portmap_helper_t)
-dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
-allow portmap_helper_t etc_t:file { getattr read };
-dontaudit portmap_helper_t { userdomain privfd }:fd use;
-allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
-dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
diff --git a/targeted/domains/program/postfix.te b/targeted/domains/program/postfix.te
deleted file mode 100644
index 6b94177..0000000
--- a/targeted/domains/program/postfix.te
+++ /dev/null
@@ -1,368 +0,0 @@
-#DESC Postfix - Mail server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: postfix
-# Depends: mta.te
-#
-
-# Type for files created during execution of postfix.
-type postfix_var_run_t, file_type, sysadmfile, pidfile;
-
-type postfix_etc_t, file_type, sysadmfile;
-type postfix_exec_t, file_type, sysadmfile, exec_type;
-type postfix_public_t, file_type, sysadmfile;
-type postfix_private_t, file_type, sysadmfile;
-type postfix_spool_t, file_type, sysadmfile;
-type postfix_spool_maildrop_t, file_type, sysadmfile;
-type postfix_spool_flush_t, file_type, sysadmfile;
-type postfix_prng_t, file_type, sysadmfile;
-
-# postfix needs this for newaliases
-allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr;
-
-#################################
-#
-# Rules for the postfix_$1_t domain.
-#
-# postfix_$1_exec_t is the type of the postfix_$1 executables.
-#
-define(`postfix_domain', `
-daemon_core_rules(postfix_$1, `$2')
-allow postfix_$1_t self:process setpgid;
-allow postfix_$1_t postfix_master_t:process sigchld;
-allow postfix_master_t postfix_$1_t:process signal;
-
-allow postfix_$1_t { etc_t postfix_etc_t postfix_spool_t }:dir r_dir_perms;
-allow postfix_$1_t postfix_etc_t:file r_file_perms;
-read_locale(postfix_$1_t)
-allow postfix_$1_t etc_t:file { getattr read };
-allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
-allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
-allow postfix_$1_t self:unix_stream_socket connectto;
-
-allow postfix_$1_t { sbin_t bin_t }:dir r_dir_perms;
-allow postfix_$1_t { bin_t usr_t }:lnk_file { getattr read };
-allow postfix_$1_t shell_exec_t:file rx_file_perms;
-allow postfix_$1_t { var_t var_spool_t }:dir { search getattr };
-allow postfix_$1_t postfix_exec_t:file rx_file_perms;
-allow postfix_$1_t devtty_t:chr_file rw_file_perms;
-allow postfix_$1_t etc_runtime_t:file r_file_perms;
-allow postfix_$1_t proc_t:dir r_dir_perms;
-allow postfix_$1_t proc_t:file r_file_perms;
-allow postfix_$1_t postfix_exec_t:dir r_dir_perms;
-allow postfix_$1_t fs_t:filesystem getattr;
-allow postfix_$1_t proc_net_t:dir search;
-allow postfix_$1_t proc_net_t:file { getattr read };
-can_exec(postfix_$1_t, postfix_$1_exec_t)
-r_dir_file(postfix_$1_t, cert_t)
-allow postfix_$1_t { urandom_device_t random_device_t }:chr_file { read getattr };
-
-allow postfix_$1_t tmp_t:dir getattr;
-
-file_type_auto_trans(postfix_$1_t, var_run_t, postfix_var_run_t, file)
-
-read_sysctl(postfix_$1_t)
-
-')dnl end postfix_domain
-
-ifdef(`crond.te',
-`allow system_mail_t crond_t:tcp_socket { read write create };')
-
-postfix_domain(master, `, mail_server_domain')
-rhgb_domain(postfix_master_t)
-
-# for a find command
-dontaudit postfix_master_t security_t:dir search;
-
-read_sysctl(postfix_master_t)
-
-ifdef(`targeted_policy', `
-bool postfix_disable_trans false;
-if (!postfix_disable_trans) {
-')
-domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
-allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh };
-
-domain_auto_trans(sysadm_t, postfix_master_exec_t, postfix_master_t)
-allow sysadm_t postfix_master_t:process { noatsecure siginh rlimitinh };
-ifdef(`targeted_policy', `', `
-role_transition sysadm_r postfix_master_exec_t system_r;
-')
-allow postfix_master_t postfix_etc_t:file rw_file_perms;
-dontaudit postfix_master_t admin_tty_type:chr_file { read write };
-allow postfix_master_t devpts_t:dir search;
-
-domain_auto_trans(sysadm_mail_t, postfix_master_exec_t, system_mail_t)
-allow system_mail_t sysadm_t:process sigchld;
-allow system_mail_t privfd:fd use;
-
-ifdef(`pppd.te', `
-domain_auto_trans(pppd_t, postfix_master_exec_t, postfix_master_t)
-')
-
-ifdef(`targeted_policy', `
-}
-')
-
-allow postfix_master_t privfd:fd use;
-ifdef(`newrole.te', `allow postfix_master_t newrole_t:process sigchld;')
-allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms;
-
-# postfix does a "find" on startup for some reason - keep it quiet
-dontaudit postfix_master_t selinux_config_t:dir search;
-can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
-ifdef(`distro_redhat', `
-# compatability for old default main.cf
-file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t)
-# for newer main.cf that uses /etc/aliases
-file_type_auto_trans(postfix_master_t, etc_t, etc_aliases_t)
-')
-file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
-allow postfix_master_t sendmail_exec_t:file r_file_perms;
-allow postfix_master_t sbin_t:lnk_file { getattr read };
-
-can_exec(postfix_master_t, { ls_exec_t sbin_t })
-allow postfix_master_t self:fifo_file rw_file_perms;
-allow postfix_master_t usr_t:file r_file_perms;
-can_exec(postfix_master_t, { shell_exec_t bin_t postfix_exec_t })
-# chown is to set the correct ownership of queue dirs
-allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
-allow postfix_master_t postfix_public_t:fifo_file create_file_perms;
-allow postfix_master_t postfix_public_t:sock_file create_file_perms;
-allow postfix_master_t postfix_public_t:dir rw_dir_perms;
-allow postfix_master_t postfix_private_t:dir rw_dir_perms;
-allow postfix_master_t postfix_private_t:sock_file create_file_perms;
-allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
-can_network(postfix_master_t)
-allow postfix_master_t port_type:tcp_socket name_connect;
-can_ypbind(postfix_master_t)
-allow postfix_master_t { amavisd_send_port_t smtp_port_t }:tcp_socket name_bind;
-allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
-allow postfix_master_t postfix_prng_t:file getattr;
-allow postfix_master_t privfd:fd use;
-allow postfix_master_t etc_aliases_t:file rw_file_perms;
-
-ifdef(`saslauthd.te',`
-allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr };
-allow postfix_smtpd_t saslauthd_var_run_t:sock_file { read write };
-can_unix_connect(postfix_smtpd_t,saslauthd_t)
-')
-
-create_dir_file(postfix_master_t, postfix_spool_flush_t)
-allow postfix_master_t postfix_prng_t:file rw_file_perms;
-# for ls to get the current context
-allow postfix_master_t self:file { getattr read };
-
-# allow access to deferred queue and allow removing bogus incoming entries
-allow postfix_master_t postfix_spool_t:dir create_dir_perms;
-allow postfix_master_t postfix_spool_t:file create_file_perms;
-
-dontaudit postfix_master_t man_t:dir search;
-
-define(`postfix_server_domain', `
-postfix_domain($1, `$2')
-domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
-allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
-allow postfix_$1_t self:capability { setuid setgid dac_override };
-can_network_client(postfix_$1_t)
-allow postfix_$1_t port_type:tcp_socket name_connect;
-can_ypbind(postfix_$1_t)
-')
-
-postfix_server_domain(smtp, `, mail_server_sender')
-allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
-allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
-allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
-allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
-# if you have two different mail servers on the same host let them talk via
-# SMTP, also if one mail server wants to talk to itself then allow it and let
-# the SMTP protocol sort it out (SE Linux is not to prevent mail server
-# misconfiguration)
-can_tcp_connect(postfix_smtp_t, mail_server_domain)
-
-postfix_server_domain(smtpd)
-allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
-allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
-allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
-allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
-# for OpenSSL certificates
-r_dir_file(postfix_smtpd_t,usr_t)
-allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
-allow postfix_smtpd_t self:file { getattr read };
-
-# for prng_exch
-allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
-
-allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
-
-postfix_server_domain(local, `, mta_delivery_agent')
-ifdef(`procmail.te', `
-domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t)
-# for a bug in the postfix local program
-dontaudit procmail_t postfix_local_t:tcp_socket { read write };
-dontaudit procmail_t postfix_master_t:fd use;
-')
-allow postfix_local_t etc_aliases_t:file r_file_perms;
-allow postfix_local_t self:fifo_file rw_file_perms;
-allow postfix_local_t self:process { setsched setrlimit };
-allow postfix_local_t postfix_spool_t:file rw_file_perms;
-# for .forward - maybe we need a new type for it?
-allow postfix_local_t postfix_private_t:dir search;
-allow postfix_local_t postfix_private_t:sock_file rw_file_perms;
-allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_local_t postfix_public_t:dir search;
-allow postfix_local_t postfix_public_t:sock_file write;
-tmp_domain(postfix_local)
-can_exec(postfix_local_t,{ shell_exec_t bin_t })
-allow postfix_local_t mail_spool_t:dir { remove_name };
-allow postfix_local_t mail_spool_t:file { unlink };
-# For reading spamassasin
-r_dir_file(postfix_local_t, etc_mail_t)
-
-define(`postfix_public_domain',`
-postfix_server_domain($1)
-allow postfix_$1_t postfix_public_t:dir search;
-')
-
-postfix_public_domain(cleanup)
-create_dir_file(postfix_cleanup_t, postfix_spool_t)
-allow postfix_cleanup_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_cleanup_t postfix_public_t:sock_file { getattr write };
-allow postfix_cleanup_t postfix_private_t:dir search;
-allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms;
-allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
-allow postfix_cleanup_t self:process setrlimit;
-
-allow user_mail_domain postfix_spool_t:dir r_dir_perms;
-allow user_mail_domain postfix_etc_t:dir r_dir_perms;
-allow { user_mail_domain initrc_t } postfix_etc_t:file r_file_perms;
-allow user_mail_domain self:capability dac_override;
-
-define(`postfix_user_domain', `
-postfix_domain($1, `$2')
-domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t)
-in_user_role(postfix_$1_t)
-role sysadm_r types postfix_$1_t;
-allow postfix_$1_t userdomain:process sigchld;
-allow postfix_$1_t userdomain:fifo_file { write getattr };
-allow postfix_$1_t { userdomain privfd }:fd use;
-allow postfix_$1_t self:capability dac_override;
-')
-
-postfix_user_domain(postqueue)
-allow postfix_postqueue_t postfix_public_t:dir search;
-allow postfix_postqueue_t postfix_public_t:fifo_file getattr;
-allow postfix_postqueue_t self:udp_socket { create ioctl };
-allow postfix_postqueue_t self:tcp_socket create;
-allow postfix_master_t postfix_postqueue_exec_t:file getattr;
-domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
-allow postfix_postqueue_t initrc_t:process sigchld;
-allow postfix_postqueue_t initrc_t:fd use;
-
-# to write the mailq output, it really should not need read access!
-allow postfix_postqueue_t { ptyfile ttyfile }:chr_file { read write getattr };
-ifdef(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;')
-
-# wants to write to /var/spool/postfix/public/showq
-allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;
-allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;
-# write to /var/spool/postfix/public/qmgr
-allow postfix_postqueue_t postfix_public_t:fifo_file write;
-dontaudit postfix_postqueue_t net_conf_t:file r_file_perms;
-
-postfix_user_domain(showq)
-# the following auto_trans is usually in postfix server domain
-domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
-can_resolve(postfix_showq_t)
-r_dir_file(postfix_showq_t, postfix_spool_maildrop_t)
-domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
-allow postfix_showq_t self:capability { setuid setgid };
-allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
-allow postfix_showq_t postfix_spool_t:file r_file_perms;
-allow postfix_showq_t self:tcp_socket create_socket_perms;
-allow postfix_showq_t { ttyfile ptyfile }:chr_file { read write };
-dontaudit postfix_showq_t net_conf_t:file r_file_perms;
-
-postfix_user_domain(postdrop, `, mta_user_agent')
-allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
-allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms;
-allow postfix_postdrop_t postfix_public_t:dir search;
-allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
-dontaudit postfix_postdrop_t { ptyfile ttyfile }:chr_file { read write };
-dontaudit postfix_postdrop_t net_conf_t:file r_file_perms;
-allow postfix_master_t postfix_postdrop_exec_t:file getattr;
-ifdef(`crond.te',
-`allow postfix_postdrop_t { crond_t system_crond_t }:fd use;
-allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;')
-# usually it does not need a UDP socket
-allow postfix_postdrop_t self:udp_socket create_socket_perms;
-allow postfix_postdrop_t self:tcp_socket create;
-allow postfix_postdrop_t self:capability sys_resource;
-allow postfix_postdrop_t self:tcp_socket create;
-
-postfix_public_domain(pickup)
-allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
-allow postfix_pickup_t postfix_private_t:dir search;
-allow postfix_pickup_t postfix_private_t:sock_file write;
-allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
-allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
-allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
-allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
-allow postfix_pickup_t self:tcp_socket create_socket_perms;
-
-postfix_public_domain(qmgr)
-allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
-allow postfix_qmgr_t postfix_public_t:sock_file write;
-allow postfix_qmgr_t postfix_private_t:dir search;
-allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
-allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
-
-# for /var/spool/postfix/active
-create_dir_file(postfix_qmgr_t, postfix_spool_t)
-
-postfix_public_domain(bounce)
-type postfix_spool_bounce_t, file_type, sysadmfile;
-create_dir_file(postfix_bounce_t, postfix_spool_bounce_t)
-create_dir_file(postfix_bounce_t, postfix_spool_t)
-allow postfix_master_t postfix_spool_bounce_t:dir create_dir_perms;
-allow postfix_master_t postfix_spool_bounce_t:file getattr;
-allow postfix_bounce_t self:capability dac_read_search;
-allow postfix_bounce_t postfix_public_t:sock_file write;
-allow postfix_bounce_t self:tcp_socket create_socket_perms;
-
-r_dir_file(postfix_qmgr_t, postfix_spool_bounce_t)
-
-postfix_public_domain(pipe)
-allow postfix_pipe_t postfix_spool_t:dir search;
-allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
-allow postfix_pipe_t self:fifo_file { read write };
-allow postfix_pipe_t postfix_private_t:dir search;
-allow postfix_pipe_t postfix_private_t:sock_file write;
-ifdef(`procmail.te', `
-domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
-')
-ifdef(`sendmail.te', `
-r_dir_file(sendmail_t, postfix_etc_t)
-allow sendmail_t postfix_spool_t:dir search;
-')
-
-# Program for creating database files
-application_domain(postfix_map)
-base_file_read_access(postfix_map_t)
-allow postfix_map_t { etc_t etc_runtime_t }:{ file lnk_file } { getattr read };
-tmp_domain(postfix_map)
-create_dir_file(postfix_map_t, postfix_etc_t)
-allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
-dontaudit postfix_map_t proc_t:dir { getattr read search };
-dontaudit postfix_map_t local_login_t:fd use;
-allow postfix_master_t postfix_map_exec_t:file rx_file_perms;
-read_locale(postfix_map_t)
-allow postfix_map_t self:capability setgid;
-allow postfix_map_t self:unix_dgram_socket create_socket_perms;
-dontaudit postfix_map_t var_t:dir search;
-can_network_server(postfix_map_t)
-allow postfix_map_t port_type:tcp_socket name_connect;
diff --git a/targeted/domains/program/postgresql.te b/targeted/domains/program/postgresql.te
deleted file mode 100644
index a86d9d4..0000000
--- a/targeted/domains/program/postgresql.te
+++ /dev/null
@@ -1,138 +0,0 @@
-#DESC Postgresql - Database server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: postgresql
-#
-
-#################################
-#
-# Rules for the postgresql_t domain.
-#
-# postgresql_exec_t is the type of the postgresql executable.
-#
-daemon_domain(postgresql)
-allow initrc_t postgresql_exec_t:lnk_file read;
-allow postgresql_t usr_t:file { getattr read };
-
-allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
-
-ifdef(`distro_debian', `
-can_exec(postgresql_t, initrc_exec_t)
-# gross hack
-domain_auto_trans(dpkg_t, postgresql_exec_t, postgresql_t)
-can_exec(postgresql_t, dpkg_exec_t)
-')
-
-dontaudit postgresql_t sysadm_home_dir_t:dir search;
-
-# quiet ps and killall
-dontaudit postgresql_t domain:dir { getattr search };
-
-# for currect directory of scripts
-allow postgresql_t { var_spool_t cron_spool_t }:dir search;
-
-# capability kill is for shutdown script
-allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config };
-dontaudit postgresql_t self:capability sys_admin;
-
-etcdir_domain(postgresql)
-type postgresql_db_t, file_type, sysadmfile;
-
-logdir_domain(postgresql)
-
-ifdef(`crond.te', `
-# allow crond to find /usr/lib/postgresql/bin/do.maintenance
-allow crond_t postgresql_db_t:dir search;
-system_crond_entry(postgresql_exec_t, postgresql_t)
-')
-
-tmp_domain(postgresql, `', `{ dir file sock_file }')
-file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
-
-# Use the network.
-can_network(postgresql_t)
-can_ypbind(postgresql_t)
-allow postgresql_t self:fifo_file { getattr read write ioctl };
-allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
-can_unix_connect(postgresql_t, self)
-allow postgresql_t self:unix_dgram_socket create_socket_perms;
-
-allow postgresql_t self:shm create_shm_perms;
-
-ifdef(`targeted_policy', `', `
-bool allow_user_postgresql_connect false;
-
-if (allow_user_postgresql_connect) {
-# allow any user domain to connect to the database server
-can_tcp_connect(userdomain, postgresql_t)
-allow userdomain postgresql_t:unix_stream_socket connectto;
-allow userdomain postgresql_var_run_t:sock_file write;
-allow userdomain postgresql_tmp_t:sock_file write;
-}
-')
-ifdef(`consoletype.te', `
-can_exec(postgresql_t, consoletype_exec_t)
-')
-
-ifdef(`hostname.te', `
-can_exec(postgresql_t, hostname_exec_t)
-')
-
-allow postgresql_t postgresql_port_t:tcp_socket name_bind;
-allow postgresql_t auth_port_t:tcp_socket name_connect;
-
-allow postgresql_t { proc_t self }:file { getattr read };
-
-# Allow access to the postgresql databases
-create_dir_file(postgresql_t, postgresql_db_t)
-file_type_auto_trans(postgresql_t, var_lib_t, postgresql_db_t)
-allow postgresql_t var_lib_t:dir { getattr search };
-
-# because postgresql start scripts are broken and put the pid file in the DB
-# directory
-rw_dir_file(initrc_t, postgresql_db_t)
-
-# read config files
-allow postgresql_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };
-r_dir_file(initrc_t, postgresql_etc_t)
-
-allow postgresql_t etc_t:dir rw_dir_perms;
-
-read_sysctl(postgresql_t)
-
-allow postgresql_t devtty_t:chr_file { read write };
-allow postgresql_t devpts_t:dir search;
-
-allow postgresql_t { bin_t sbin_t }:dir search;
-allow postgresql_t { bin_t sbin_t }:lnk_file { getattr read };
-allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
-
-allow postgresql_t self:sem create_sem_perms;
-
-allow postgresql_t initrc_var_run_t:file { getattr read lock };
-dontaudit postgresql_t selinux_config_t:dir search;
-allow postgresql_t mail_spool_t:dir search;
-lock_domain(postgresql)
-can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
-ifdef(`apache.te', `
-# 
-# Allow httpd to work with postgresql
-#
-allow httpd_t postgresql_tmp_t:sock_file rw_file_perms;
-can_unix_connect(httpd_t, postgresql_t)
-')
-
-ifdef(`distro_gentoo', `
-# "su - postgres ..." is called from initrc_t
-allow initrc_su_t postgresql_db_t:dir search;
-allow postgresql_t initrc_su_t:process sigchld;
-dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
-')
-
-dontaudit postgresql_t home_root_t:dir search;
-can_kerberos(postgresql_t)
-allow postgresql_t urandom_device_t:chr_file { getattr read };
-
-if (allow_execmem) {
-allow postgresql_t self:process execmem;
-}
diff --git a/targeted/domains/program/pppd.te b/targeted/domains/program/pppd.te
deleted file mode 100644
index 8499da7..0000000
--- a/targeted/domains/program/pppd.te
+++ /dev/null
@@ -1,148 +0,0 @@
-#DESC PPPD - PPP daemon
-#
-# Author:  Russell Coker
-# X-Debian-Packages: ppp
-#
-
-#################################
-#
-# Rules for the pppd_t domain, et al.
-#
-# pppd_t is the domain for the pppd program.
-# pppd_exec_t is the type of the pppd executable.
-# pppd_secret_t is the type of the pap and chap password files
-#
-bool pppd_for_user false;
-
-daemon_domain(pppd, `, privmail, privsysmod, nscd_client_domain')
-type pppd_secret_t, file_type, sysadmfile;
-
-# Define a separate type for /etc/ppp
-etcdir_domain(pppd)
-# Define a separate type for writable files under /etc/ppp
-type pppd_etc_rw_t, file_type, sysadmfile;
-# Automatically label newly created files under /etc/ppp with this type
-file_type_auto_trans(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
-
-# for SSP
-allow pppd_t urandom_device_t:chr_file read;
-
-allow pppd_t sysfs_t:dir search;
-
-log_domain(pppd)
-
-# Use the network.
-can_network_server(pppd_t)
-can_ypbind(pppd_t)
-
-# Use capabilities.
-allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override sys_module };
-lock_domain(pppd)
-
-# Access secret files
-allow pppd_t pppd_secret_t:file r_file_perms;
-
-ifdef(`postfix.te', `
-allow pppd_t postfix_etc_t:dir search;
-allow pppd_t postfix_etc_t:file r_file_perms;
-allow pppd_t postfix_master_exec_t:file { getattr read };
-allow postfix_postqueue_t pppd_t:fd use;
-allow postfix_postqueue_t pppd_t:process sigchld;
-')
-
-# allow running ip-up and ip-down scripts and running chat.
-can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
-allow pppd_t { bin_t sbin_t }:dir search;
-allow pppd_t { sbin_t bin_t }:lnk_file read;
-allow ifconfig_t pppd_t:fd use;
-
-# Access /dev/ppp.
-allow pppd_t ppp_device_t:chr_file rw_file_perms;
-allow pppd_t devtty_t:chr_file { read write };
-
-allow pppd_t self:unix_dgram_socket create_socket_perms;
-allow pppd_t self:unix_stream_socket create_socket_perms;
-
-allow pppd_t proc_t:dir search;
-allow pppd_t proc_t:{ file lnk_file } r_file_perms;
-allow pppd_t proc_net_t:dir { read search };
-allow pppd_t proc_net_t:file r_file_perms;
-
-allow pppd_t etc_runtime_t:file r_file_perms;
-
-allow pppd_t self:socket create_socket_perms;
-
-allow pppd_t tty_device_t:chr_file { setattr rw_file_perms };
-
-allow pppd_t devpts_t:dir search;
-
-# for scripts
-allow pppd_t self:fifo_file rw_file_perms;
-allow pppd_t etc_t:lnk_file read;
-
-# for ~/.ppprc - if it actually exists then you need some policy to read it
-allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
-
-in_user_role(pppd_t)
-if (pppd_for_user)  {
-# Run pppd in pppd_t by default for user
-domain_auto_trans(unpriv_userdomain, pppd_exec_t, pppd_t)
-allow unpriv_userdomain pppd_t:process signal;
-}
-
-# for pppoe
-can_create_pty(pppd)
-allow pppd_t self:file { read getattr };
-
-allow pppd_t self:packet_socket create_socket_perms;
-
-file_type_auto_trans(pppd_t, etc_t, net_conf_t, file)
-tmp_domain(pppd)
-allow pppd_t sysctl_net_t:dir search;
-allow pppd_t sysctl_net_t:file r_file_perms;
-allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
-allow pppd_t initrc_var_run_t:file r_file_perms;
-dontaudit pppd_t initrc_var_run_t:file { lock write };
-
-# pppd needs to load kernel modules for certain modems
-bool pppd_can_insmod false;
-if (pppd_can_insmod) {
-ifdef(`modutil.te', `
-domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
-')
-}
-
-daemon_domain(pptp, `, nscd_client_domain')
-can_network_client_tcp(pptp_t)
-allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
-can_exec(pptp_t, hostname_exec_t)
-domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
-allow pptp_t self:rawip_socket create_socket_perms;
-allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow pptp_t self:unix_dgram_socket create_socket_perms;
-can_exec(pptp_t, pppd_etc_rw_t)
-allow pptp_t devpts_t:chr_file ioctl;
-r_dir_file(pptp_t, pppd_etc_rw_t)
-r_dir_file(pptp_t, pppd_etc_t)
-allow pptp_t devpts_t:dir search;
-allow pppd_t devpts_t:chr_file ioctl;
-allow pppd_t pptp_t:process signal;
-allow pptp_t self:capability net_raw;
-allow pptp_t self:fifo_file { read write };
-allow pptp_t ptmx_t:chr_file rw_file_perms;
-log_domain(pptp)
-
-# Fix sockets
-allow pptp_t pptp_var_run_t:sock_file create_file_perms;
-
-# Allow pptp to append to pppd log files
-allow pptp_t pppd_log_t:file append;
-
-ifdef(`named.te', `
-dontaudit ndc_t pppd_t:fd use;
-')
-
-# Allow /etc/ppp/ip-{up,down} to run most anything
-type pppd_script_exec_t, file_type, sysadmfile;
-domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
-allow pppd_t initrc_t:process noatsecure;
diff --git a/targeted/domains/program/privoxy.te b/targeted/domains/program/privoxy.te
deleted file mode 100644
index b8a522d..0000000
--- a/targeted/domains/program/privoxy.te
+++ /dev/null
@@ -1,27 +0,0 @@
-#DESC privoxy - privacy enhancing proxy
-#
-# Authors: Dan Walsh <dwalsh@redhat.com>
-#
-#
-
-#################################
-#
-# Rules for the privoxy_t domain.
-#
-daemon_domain(privoxy, `, web_client_domain')
-
-logdir_domain(privoxy)
-
-# Use capabilities.
-allow privoxy_t self:capability net_bind_service;
-
-# Use the network.
-can_network_tcp(privoxy_t)
-can_ypbind(privoxy_t)
-can_resolve(privoxy_t)
-allow privoxy_t http_cache_port_t:tcp_socket name_bind;
-allow privoxy_t etc_t:file { getattr read };
-allow privoxy_t self:capability { setgid setuid };
-allow privoxy_t self:unix_stream_socket create_socket_perms ;
-allow privoxy_t admin_tty_type:chr_file { read write };
-
diff --git a/targeted/domains/program/procmail.te b/targeted/domains/program/procmail.te
deleted file mode 100644
index 2c77b46..0000000
--- a/targeted/domains/program/procmail.te
+++ /dev/null
@@ -1,91 +0,0 @@
-#DESC Procmail - Mail delivery agent for mail servers
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: procmail
-#
-
-#################################
-#
-# Rules for the procmail_t domain.
-#
-# procmail_exec_t is the type of the procmail executable.
-#
-# privhome only works until we define a different type for maildir
-type procmail_t, domain, privlog, privhome, nscd_client_domain;
-type procmail_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types procmail_t;
-
-uses_shlib(procmail_t)
-allow procmail_t device_t:dir search;
-can_network_server(procmail_t)
-nsswitch_domain(procmail_t)
-
-allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
-
-allow procmail_t etc_t:dir r_dir_perms;
-allow procmail_t { etc_t etc_runtime_t }:file { getattr read };
-allow procmail_t etc_t:lnk_file read;
-read_locale(procmail_t)
-read_sysctl(procmail_t)
-
-allow procmail_t sysctl_t:dir search;
-
-allow procmail_t self:process { setsched fork sigchld signal };
-dontaudit procmail_t sbin_t:dir { getattr search };
-can_exec(procmail_t, { bin_t shell_exec_t })
-allow procmail_t bin_t:dir { getattr search };
-allow procmail_t bin_t:lnk_file read;
-allow procmail_t self:fifo_file rw_file_perms;
-
-allow procmail_t self:unix_stream_socket create_socket_perms;
-allow procmail_t self:unix_dgram_socket create_socket_perms;
-
-# for /var/mail
-rw_dir_create_file(procmail_t, mail_spool_t)
-
-allow procmail_t var_t:dir { getattr search };
-allow procmail_t var_spool_t:dir r_dir_perms;
-
-allow procmail_t fs_t:filesystem getattr;
-allow procmail_t { self proc_t }:dir search;
-allow procmail_t proc_t:file { getattr read };
-allow procmail_t { self proc_t }:lnk_file read;
-
-# for if /var/mail is a symlink to /var/spool/mail
-#allow procmail_t mail_spool_t:lnk_file r_file_perms;
-
-# for spamassasin
-allow procmail_t usr_t:file { getattr ioctl read };
-ifdef(`spamassassin.te', `
-can_exec(procmail_t, spamassassin_exec_t)
-allow procmail_t port_t:udp_socket name_bind;
-allow procmail_t tmp_t:dir getattr;
-')
-ifdef(`spamc.te', `
-can_exec(procmail_t, spamc_exec_t)
-')
-
-ifdef(`targeted_policy', `
-allow procmail_t port_t:udp_socket name_bind;
-allow procmail_t tmp_t:dir getattr;
-')
-
-# Search /var/run.
-allow procmail_t var_run_t:dir { getattr search };
-
-# Do not audit attempts to access /root.
-dontaudit procmail_t sysadm_home_dir_t:dir { getattr search };
-
-allow procmail_t devtty_t:chr_file { read write };
-
-allow procmail_t urandom_device_t:chr_file { getattr read };
-
-ifdef(`sendmail.te', `
-r_dir_file(procmail_t, etc_mail_t)
-allow procmail_t sendmail_t:tcp_socket { read write };
-')
-
-ifdef(`hide_broken_symptoms', `
-dontaudit procmail_t mqueue_spool_t:file { getattr read write };
-')
diff --git a/targeted/domains/program/radius.te b/targeted/domains/program/radius.te
deleted file mode 100644
index 5d02923..0000000
--- a/targeted/domains/program/radius.te
+++ /dev/null
@@ -1,66 +0,0 @@
-#DESC RADIUS - Radius server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: radiusd-cistron radiusd-livingston xtradius yardradius radiusd-freeradius
-#
-
-#################################
-#
-# Rules for the radiusd_t domain.
-#
-# radiusd_exec_t is the type of the radiusd executable.
-#
-daemon_domain(radiusd, `, auth')
-
-etcdir_domain(radiusd)
-
-system_crond_entry(radiusd_exec_t, radiusd_t)
-
-allow radiusd_t self:process setsched;
-
-allow radiusd_t proc_t:file { read getattr };
-
-dontaudit radiusd_t sysadm_home_dir_t:dir getattr;
-
-# allow pthreads to read kernel version
-read_sysctl(radiusd_t)
-
-# read config files
-allow radiusd_t etc_t:dir r_dir_perms;
-allow radiusd_t { etc_t etc_runtime_t }:file { read getattr };
-allow radiusd_t etc_t:lnk_file read;
-
-# write log files
-logdir_domain(radiusd)
-allow radiusd_t radiusd_log_t:dir create;
-
-allow radiusd_t usr_t:file r_file_perms;
-
-can_exec(radiusd_t, lib_t)
-can_exec(radiusd_t, { bin_t shell_exec_t })
-allow radiusd_t { bin_t sbin_t }:dir search;
-allow radiusd_t bin_t:lnk_file read;
-
-allow radiusd_t devtty_t:chr_file { read write };
-allow radiusd_t self:fifo_file rw_file_perms;
-# fsetid is for gzip which needs it when run from scripts
-# gzip also needs chown access to preserve GID for radwtmp files
-allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
-
-can_network_server(radiusd_t)
-can_ypbind(radiusd_t)
-allow radiusd_t { radius_port_t radacct_port_t }:udp_socket name_bind;
-
-# for RADIUS proxy port
-allow radiusd_t port_t:udp_socket name_bind;
-
-ifdef(`snmpd.te', `
-can_tcp_connect(radiusd_t, snmpd_t)
-')
-ifdef(`logrotate.te', `
-can_exec(radiusd_t, logrotate_exec_t)
-')
-can_udp_send(sysadm_t, radiusd_t)
-can_udp_send(radiusd_t, sysadm_t)
-
-allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/targeted/domains/program/radvd.te b/targeted/domains/program/radvd.te
deleted file mode 100644
index 868ef8b..0000000
--- a/targeted/domains/program/radvd.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#DESC Radv - IPv6 route advisory daemon
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: radvd
-#
-
-#################################
-#
-# Rules for the radvd_t domain.
-#
-daemon_domain(radvd)
-
-etc_domain(radvd)
-allow radvd_t etc_t:file { getattr read };
-
-allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;
-
-allow radvd_t self:capability { setgid setuid net_raw };
-allow radvd_t self:{ unix_dgram_socket rawip_socket } create;
-allow radvd_t self:unix_stream_socket create_socket_perms;
-
-can_network_server(radvd_t)
-can_ypbind(radvd_t)
-
-allow radvd_t { proc_t proc_net_t }:dir r_dir_perms;
-allow radvd_t { proc_t proc_net_t }:file { getattr read };
-allow radvd_t etc_t:lnk_file read;
-
-allow radvd_t sysctl_net_t:file r_file_perms;
-allow radvd_t sysctl_net_t:dir r_dir_perms;
diff --git a/targeted/domains/program/restorecon.te b/targeted/domains/program/restorecon.te
deleted file mode 100644
index 52fff2f..0000000
--- a/targeted/domains/program/restorecon.te
+++ /dev/null
@@ -1,66 +0,0 @@
-#DESC restorecon - Restore or check the context of a file
-#
-# Authors:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: policycoreutils
-#
-
-#################################
-#
-# Rules for the restorecon_t domain.
-#
-# restorecon_exec_t is the type of the restorecon executable.
-#
-# needs auth_write attribute because it has relabelfrom/relabelto
-# access to shadow_t
-type restorecon_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
-type restorecon_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types restorecon_t;
-role sysadm_r types restorecon_t;
-role secadm_r types restorecon_t;
-
-can_access_pty(restorecon_t, initrc)
-allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };
-
-domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
-allow restorecon_t { userdomain init_t privfd }:fd use;
-
-uses_shlib(restorecon_t)
-allow restorecon_t self:capability { dac_override dac_read_search fowner };
-
-# for upgrading glibc and other shared objects - without this the upgrade
-# scripts will put things in a state such that restorecon can not be run!
-allow restorecon_t lib_t:file { read execute };
-
-# Get security policy decisions.
-can_getsecurity(restorecon_t)
-
-r_dir_file(restorecon_t, policy_config_t)
-
-allow restorecon_t file_type:dir r_dir_perms;
-allow restorecon_t file_type:{ dir file lnk_file sock_file fifo_file } { getattr relabelfrom relabelto };
-allow restorecon_t unlabeled_t:dir_file_class_set { getattr relabelfrom };
-allow restorecon_t unlabeled_t:dir read;
-allow restorecon_t { device_t device_type }:{ chr_file blk_file } { getattr relabelfrom relabelto };
-ifdef(`distro_redhat', `
-allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
-')
-ifdef(`dpkg.te', `
-domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
-')
-
-allow restorecon_t ptyfile:chr_file getattr;
-
-allow restorecon_t fs_t:filesystem getattr;
-
-allow restorecon_t etc_runtime_t:file { getattr read };
-allow restorecon_t etc_t:file { getattr read };
-allow restorecon_t proc_t:file { getattr read };
-dontaudit restorecon_t proc_t:lnk_file { getattr read };
-
-allow restorecon_t device_t:file { read write };
-allow restorecon_t kernel_t:fd use;
-allow restorecon_t kernel_t:fifo_file { read write };
-allow restorecon_t kernel_t:unix_dgram_socket { read write };
-r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
-allow restorecon_t autofs_t:dir search;
diff --git a/targeted/domains/program/rlogind.te b/targeted/domains/program/rlogind.te
deleted file mode 100644
index 88af4e4..0000000
--- a/targeted/domains/program/rlogind.te
+++ /dev/null
@@ -1,40 +0,0 @@
-#DESC Rlogind - Remote login daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: rsh-client rsh-redone-client
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the rlogind_t domain.
-#
-remote_login_daemon(rlogind)
-typeattribute rlogind_t auth_chkpwd;
-
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, rlogind_exec_t, rlogind_t)
-')
-
-# for /usr/lib/telnetlogin
-can_exec(rlogind_t, rlogind_exec_t)
-
-# Use capabilities.
-allow rlogind_t self:capability { net_bind_service };
-
-# Run login in remote_login_t.
-allow remote_login_t inetd_t:fd use;
-allow remote_login_t inetd_t:tcp_socket rw_file_perms;
-
-# Send SIGCHLD to inetd on death.
-allow rlogind_t inetd_t:process sigchld;
-
-allow rlogind_t home_dir_type:dir search;
-allow rlogind_t home_type:file { getattr read };
-allow rlogind_t self:file { getattr read };
-allow rlogind_t default_t:dir search;
-typealias rlogind_port_t alias rlogin_port_t;
-read_sysctl(rlogind_t);
-ifdef(`kerberos.te', `
-allow rlogind_t krb5_keytab_t:file { getattr read };
-')
diff --git a/targeted/domains/program/rpcd.te b/targeted/domains/program/rpcd.te
deleted file mode 100644
index 8efa09c..0000000
--- a/targeted/domains/program/rpcd.te
+++ /dev/null
@@ -1,167 +0,0 @@
-#DESC Rpcd - RPC daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# Depends: portmap.te
-# X-Debian-Packages: nfs-common
-#
-
-#################################
-#
-# Rules for the rpcd_t and nfsd_t domain.
-#
-define(`rpc_domain', `
-ifdef(`targeted_policy', `
-daemon_base_domain($1, `, transitionbool')
-', `
-daemon_base_domain($1)
-')
-can_network($1_t)
-allow $1_t port_type:tcp_socket name_connect;
-can_ypbind($1_t)
-allow $1_t { etc_runtime_t etc_t }:file { getattr read };
-read_locale($1_t)
-allow $1_t self:capability net_bind_service;
-dontaudit $1_t self:capability net_admin;
-
-allow $1_t var_t:dir { getattr search };
-allow $1_t var_lib_t:dir search;
-allow $1_t var_lib_nfs_t:dir create_dir_perms;
-allow $1_t var_lib_nfs_t:file create_file_perms;
-# do not log when it tries to bind to a port belonging to another domain
-dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-allow $1_t self:netlink_route_socket r_netlink_socket_perms;
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-# bind to arbitary unused ports
-allow $1_t port_t:{ tcp_socket udp_socket } name_bind;
-allow $1_t sysctl_rpc_t:dir search;
-allow $1_t sysctl_rpc_t:file rw_file_perms;
-')
-
-type exports_t, file_type, sysadmfile;
-dontaudit userdomain exports_t:file getattr;
-
-# rpcd_t is the domain of rpc daemons.
-# rpcd_exec_t is the type of rpc daemon programs.
-#
-rpc_domain(rpcd)
-var_run_domain(rpcd)
-allow rpcd_t rpcd_var_run_t:dir setattr;
-
-# for rpc.rquotad
-allow rpcd_t sysctl_t:dir r_dir_perms;
-allow rpcd_t self:fifo_file rw_file_perms;
-
-# rpcd_t needs to talk to the portmap_t domain
-can_udp_send(rpcd_t, portmap_t)
-
-allow initrc_t exports_t:file r_file_perms;
-ifdef(`distro_redhat', `
-allow rpcd_t self:capability { chown dac_override setgid setuid };
-# for /etc/rc.d/init.d/nfs to create /etc/exports
-allow initrc_t exports_t:file write;
-')
-
-allow rpcd_t self:file { getattr read };
-
-# nfs kernel server needs kernel UDP access.  It is less risky and painful
-# to just give it everything.
-can_network_server(kernel_t)
-#can_udp_send(kernel_t, rpcd_t)
-#can_udp_send(rpcd_t, kernel_t)
-
-rpc_domain(nfsd)
-domain_auto_trans(sysadm_t, nfsd_exec_t, nfsd_t)
-role sysadm_r types nfsd_t;
-
-# for /proc/fs/nfs/exports - should we have a new type?
-allow nfsd_t proc_t:file r_file_perms;
-allow nfsd_t proc_net_t:dir search;
-allow nfsd_t exports_t:file { getattr read };
-
-allow nfsd_t nfsd_fs_t:filesystem mount;
-allow nfsd_t nfsd_fs_t:dir search;
-allow nfsd_t nfsd_fs_t:file rw_file_perms;
-allow initrc_t sysctl_rpc_t:dir search;
-allow initrc_t sysctl_rpc_t:file rw_file_perms;
-
-type nfsd_rw_t, file_type, sysadmfile, usercanread;
-type nfsd_ro_t, file_type, sysadmfile, usercanread;
-
-bool nfs_export_all_rw false;
-
-if(nfs_export_all_rw) {
-allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
-r_dir_file(kernel_t, noexattrfile)
-create_dir_file(kernel_t,{ file_type -shadow_t })
-}
-
-dontaudit kernel_t shadow_t:file getattr;
-
-bool nfs_export_all_ro false;
-
-if(nfs_export_all_ro) {
-allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
-r_dir_file(kernel_t,{ noexattrfile file_type -shadow_t })
-}
-
-allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
-create_dir_file(kernel_t, nfsd_rw_t);
-r_dir_file(kernel_t, nfsd_ro_t);
-
-allow kernel_t nfsd_t:udp_socket rw_socket_perms;
-can_udp_send(kernel_t, nfsd_t)
-can_udp_send(nfsd_t, kernel_t)
-
-# does not really need this, but it is easier to just allow it
-allow nfsd_t var_run_t:dir search;
-
-allow nfsd_t self:capability { sys_admin sys_resource };
-allow nfsd_t fs_type:filesystem getattr;
-
-can_udp_send(nfsd_t, portmap_t)
-can_udp_send(portmap_t, nfsd_t)
-
-can_tcp_connect(nfsd_t, portmap_t)
-
-# for exportfs and rpc.mountd
-allow nfsd_t tmp_t:dir getattr;
-
-r_dir_file(rpcd_t, rpc_pipefs_t)
-allow rpcd_t rpc_pipefs_t:sock_file { read write };
-dontaudit rpcd_t selinux_config_t:dir { search };
-allow rpcd_t proc_net_t:dir search;
-
-
-rpc_domain(gssd)
-can_kerberos(gssd_t)
-ifdef(`kerberos.te', `
-allow gssd_t krb5_keytab_t:file r_file_perms;
-')
-allow gssd_t urandom_device_t:chr_file { getattr read };
-r_dir_file(gssd_t, tmp_t)
-tmp_domain(gssd)
-allow gssd_t self:fifo_file { read write };
-r_dir_file(gssd_t, proc_net_t)
-allow gssd_t rpc_pipefs_t:dir r_dir_perms;
-allow gssd_t rpc_pipefs_t:sock_file { read write };
-allow gssd_t rpc_pipefs_t:file r_file_perms;
-allow gssd_t self:capability { dac_override dac_read_search setuid };
-allow nfsd_t devtty_t:chr_file rw_file_perms;
-allow rpcd_t devtty_t:chr_file rw_file_perms;
-
-bool allow_gssd_read_tmp true;
-if (allow_gssd_read_tmp) {
-#
-#needs to be able to udpate the kerberos ticket file
-#
-ifdef(`targeted_policy', `
-r_dir_file(gssd_t, tmp_t)
-allow gssd_t tmp_t:file write;
-', `
-r_dir_file(gssd_t, user_tmpfile)
-allow gssd_t user_tmpfile:file write;
-')
-}
diff --git a/targeted/domains/program/rpm.te b/targeted/domains/program/rpm.te
deleted file mode 100644
index 62aa940..0000000
--- a/targeted/domains/program/rpm.te
+++ /dev/null
@@ -1,16 +0,0 @@
-#DESC rpm - Linux configurable dynamic device naming support
-#
-# Authors:  Daniel Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the rpm domain.
-#
-# rpm_exec_t is the type of the /bin/rpm and other programs.
-# This domain is defined just for targeted policy to labeld /var/lib/rpm
-#
-type rpm_exec_t, file_type, sysadmfile, exec_type;
-type rpm_var_lib_t, file_type, sysadmfile;
-typealias var_log_t alias rpm_log_t;
-type rpm_tmpfs_t, file_type, sysadmfile;
diff --git a/targeted/domains/program/rshd.te b/targeted/domains/program/rshd.te
deleted file mode 100644
index 39976c5..0000000
--- a/targeted/domains/program/rshd.te
+++ /dev/null
@@ -1,65 +0,0 @@
-#DESC RSHD - RSH daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: rsh-server rsh-redone-server
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the rshd_t domain.
-#
-daemon_sub_domain(inetd_t, rshd, `, auth_chkpwd, privuser, privrole')
-
-ifdef(`tcpd.te', `
-domain_auto_trans(tcpd_t, rshd_exec_t, rshd_t)
-')
-
-# Use sockets inherited from inetd.
-allow rshd_t inetd_t:tcp_socket rw_stream_socket_perms;
-
-# Use capabilities.
-allow rshd_t self:capability { net_bind_service setuid setgid fowner fsetid chown dac_override};
-
-# Use the network.
-can_network_server(rshd_t)
-allow rshd_t rsh_port_t:tcp_socket name_bind;
-
-allow rshd_t etc_t:file { getattr read };
-read_locale(rshd_t)
-allow rshd_t self:unix_dgram_socket create_socket_perms;
-allow rshd_t self:unix_stream_socket create_stream_socket_perms;
-allow rshd_t { home_root_t home_dir_type }:dir { search getattr };
-can_kerberos(rshd_t)
-allow rshd_t { bin_t sbin_t tmp_t}:dir { search };
-allow rshd_t { bin_t sbin_t }:lnk_file r_file_perms;
-ifdef(`rlogind.te', `
-allow rshd_t rlogind_tmp_t:file rw_file_perms;
-')
-allow rshd_t urandom_device_t:chr_file { getattr read };
-
-# Read the user's .rhosts file.
-allow rshd_t home_type:file  r_file_perms ;
-
-# Random reasons
-can_getsecurity(rshd_t)
-can_setexec(rshd_t)
-r_dir_file(rshd_t, selinux_config_t)
-r_dir_file(rshd_t, default_context_t)
-read_sysctl(rshd_t);
-
-if (use_nfs_home_dirs) {
-r_dir_file(rshd_t, nfs_t)
-}
-
-if (use_samba_home_dirs) {
-r_dir_file(rshd_t, cifs_t)
-}
-
-allow rshd_t self:process { fork signal setsched setpgid };
-allow rshd_t self:fifo_file rw_file_perms;
-
-ifdef(`targeted_policy', `
-unconfined_domain(rshd_t)
-domain_auto_trans(rshd_t,shell_exec_t,unconfined_t)
-')
diff --git a/targeted/domains/program/rsync.te b/targeted/domains/program/rsync.te
deleted file mode 100644
index bed52a3..0000000
--- a/targeted/domains/program/rsync.te
+++ /dev/null
@@ -1,18 +0,0 @@
-#DESC rsync - flexible replacement for rcp
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the rsync_t domain.
-#
-# rsync_exec_t is the type of the rsync executable.
-#
-
-inetd_child_domain(rsync)
-type rsync_data_t, file_type, sysadmfile;
-r_dir_file(rsync_t, rsync_data_t)
-anonymous_domain(rsync)
-allow rsync_t self:capability sys_chroot;
diff --git a/targeted/domains/program/samba.te b/targeted/domains/program/samba.te
deleted file mode 100644
index e9f28c4..0000000
--- a/targeted/domains/program/samba.te
+++ /dev/null
@@ -1,225 +0,0 @@
-#DESC SAMBA - SMB file server
-#
-# Author: Ryan Bergauer (bergauer@rice.edu)
-# X-Debian-Packages: samba
-#
-
-#################################
-#
-# Declarations for Samba
-#
-
-daemon_domain(smbd, `, auth_chkpwd, nscd_client_domain')
-daemon_domain(nmbd)
-type samba_etc_t, file_type, sysadmfile, usercanread;
-type samba_log_t, file_type, sysadmfile, logfile;
-type samba_var_t, file_type, sysadmfile;
-type samba_share_t, file_type, sysadmfile, customizable;
-type samba_secrets_t, file_type, sysadmfile;
-
-# for /var/run/samba/messages.tdb
-allow smbd_t nmbd_var_run_t:file rw_file_perms;
-
-allow smbd_t self:process setrlimit;
-
-# not sure why it needs this
-tmp_domain(smbd)
-
-# Allow samba to search mnt_t for potential mounted dirs
-allow smbd_t mnt_t:dir r_dir_perms;
-
-ifdef(`crond.te', `
-allow system_crond_t samba_etc_t:file { read getattr lock };
-allow system_crond_t samba_log_t:file { read getattr lock };
-#allow system_crond_t samba_secrets_t:file { read getattr lock };
-')
-
-#################################
-#
-# Rules for the smbd_t domain.
-#
-
-# Permissions normally found in every_domain.
-general_domain_access(smbd_t)
-general_proc_read_access(smbd_t)
-
-allow smbd_t smbd_port_t:tcp_socket name_bind;
-
-# Use capabilities.
-allow smbd_t self:capability { setgid setuid sys_resource net_bind_service lease dac_override dac_read_search };
-
-# Use the network.
-can_network(smbd_t)
-nsswitch_domain(smbd_t)
-can_kerberos(smbd_t)
-allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect;
-
-allow smbd_t urandom_device_t:chr_file { getattr read };
-
-# Permissions for Samba files in /etc/samba
-# either allow read access to the directory or allow the auto_trans rule to
-# allow creation of the secrets.tdb file and the MACHINE.SID file
-#allow smbd_t samba_etc_t:dir { search getattr };
-file_type_auto_trans(smbd_t, samba_etc_t, samba_secrets_t, file)
-
-allow smbd_t { etc_t samba_etc_t etc_runtime_t }:file r_file_perms;
-
-# Permissions for Samba cache files in /var/cache/samba and /var/lib/samba
-allow smbd_t var_lib_t:dir search;
-create_dir_file(smbd_t, samba_var_t)
-
-# Needed for shared printers
-allow smbd_t var_spool_t:dir search;
-
-# Permissions to write log files.
-allow smbd_t samba_log_t:file { create ra_file_perms };
-allow smbd_t var_log_t:dir search;
-allow smbd_t samba_log_t:dir ra_dir_perms;
-dontaudit smbd_t samba_log_t:dir remove_name;
-
-ifdef(`hide_broken_symptoms', `
-dontaudit smbd_t { usbfs_t security_t devpts_t boot_t default_t tmpfs_t }:dir getattr;
-dontaudit smbd_t devpts_t:dir getattr;
-')
-allow smbd_t fs_t:filesystem quotaget;
-
-allow smbd_t usr_t:file { getattr read };
-
-# Access Samba shares.
-create_dir_file(smbd_t, samba_share_t)
-anonymous_domain(smbd)
-
-ifdef(`logrotate.te', `
-# the application should be changed
-can_exec(logrotate_t, samba_log_t)
-')
-#################################
-#
-# Rules for the nmbd_t domain.
-#
-
-# Permissions normally found in every_domain.
-general_domain_access(nmbd_t)
-general_proc_read_access(nmbd_t)
-
-allow nmbd_t nmbd_port_t:udp_socket name_bind;
-
-# Use capabilities.
-allow nmbd_t self:capability net_bind_service;
-
-# Use the network.
-can_network_server(nmbd_t)
-
-# Permissions for Samba files in /etc/samba
-allow nmbd_t samba_etc_t:file { getattr read };
-allow nmbd_t samba_etc_t:dir { search getattr };
-
-# Permissions for Samba cache files in /var/cache/samba
-allow nmbd_t samba_var_t:dir { write remove_name add_name lock getattr search };
-allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename };
-
-allow nmbd_t usr_t:file { getattr read };
-
-# Permissions to write log files.
-allow nmbd_t samba_log_t:file { create ra_file_perms };
-allow nmbd_t var_log_t:dir search;
-allow nmbd_t samba_log_t:dir ra_dir_perms;
-allow nmbd_t etc_t:file { getattr read };
-ifdef(`cups.te', `
-allow smbd_t cupsd_rw_etc_t:file { getattr read };
-')
-# Needed for winbindd
-allow smbd_t { samba_var_t smbd_var_run_t }:sock_file create_file_perms;
-
-# Support Samba sharing of home directories
-bool samba_enable_home_dirs false;
-
-ifdef(`mount.te', `
-#
-# Domain for running smbmount
-#
-
-# Derive from app. domain. Transition from mount.
-application_domain(smbmount, `, fs_domain, nscd_client_domain')
-domain_auto_trans(mount_t, smbmount_exec_t, smbmount_t)
-
-# Capabilities
-# FIXME: is all of this really necessary?
-allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
-
-# Access samba config
-allow smbmount_t samba_etc_t:file r_file_perms;
-allow smbmount_t samba_etc_t:dir r_dir_perms;
-allow initrc_t samba_etc_t:file rw_file_perms;
-
-# Write samba log
-allow smbmount_t samba_log_t:file create_file_perms;
-allow smbmount_t samba_log_t:dir r_dir_perms; 
-
-# Write stuff in var
-allow smbmount_t var_log_t:dir r_dir_perms;
-rw_dir_create_file(smbmount_t, samba_var_t)
-
-# Access mtab
-file_type_auto_trans(smbmount_t, etc_t, etc_runtime_t, file)
-
-# Read nsswitch.conf
-allow smbmount_t etc_t:file r_file_perms;
-
-# Networking
-can_network(smbmount_t)
-allow smbmount_t port_type:tcp_socket name_connect;
-can_ypbind(smbmount_t)
-allow smbmount_t self:unix_dgram_socket create_socket_perms;
-allow smbmount_t self:unix_stream_socket create_socket_perms;
-allow kernel_t smbmount_t:tcp_socket { read write };
-allow userdomain smbmount_t:tcp_socket write;
-
-# Proc
-# FIXME: is this necessary?
-r_dir_file(smbmount_t, proc_t)
-
-# Fork smbmnt 
-allow smbmount_t bin_t:dir r_dir_perms;
-can_exec(smbmount_t, smbmount_exec_t)
-allow smbmount_t self:process { fork signal_perms };
-
-# Mount 
-allow smbmount_t cifs_t:filesystem mount_fs_perms;
-allow smbmount_t cifs_t:dir r_dir_perms;
-allow smbmount_t mnt_t:dir r_dir_perms;
-allow smbmount_t mnt_t:dir mounton;
-
-# Terminal
-read_locale(smbmount_t) 
-access_terminal(smbmount_t, sysadm)
-allow smbmount_t userdomain:fd use;
-allow smbmount_t local_login_t:fd use;
-')
-# Derive from app. domain. Transition from mount.
-application_domain(samba_net, `, nscd_client_domain')
-role system_r types samba_net_t;
-in_user_role(samba_net_t)
-file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
-read_locale(samba_net_t) 
-allow samba_net_t samba_etc_t:file r_file_perms;
-r_dir_file(samba_net_t, samba_var_t)
-can_network_udp(samba_net_t)
-access_terminal(samba_net_t, sysadm)
-allow samba_net_t self:unix_dgram_socket create_socket_perms;
-allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
-rw_dir_create_file(samba_net_t, samba_var_t)
-allow samba_net_t etc_t:file { getattr read };
-can_network_client(samba_net_t)
-allow samba_net_t smbd_port_t:tcp_socket name_connect;
-can_ldap(samba_net_t)
-can_kerberos(samba_net_t)
-allow samba_net_t urandom_device_t:chr_file r_file_perms;
-allow samba_net_t proc_t:dir search;
-allow samba_net_t proc_t:lnk_file read;
-allow samba_net_t self:dir search;
-allow samba_net_t self:file read;
-allow samba_net_t self:process signal;
-tmp_domain(samba_net)
-dontaudit samba_net_t sysadm_home_dir_t:dir search;
-allow samba_net_t privfd:fd use;
diff --git a/targeted/domains/program/saslauthd.te b/targeted/domains/program/saslauthd.te
deleted file mode 100644
index 8786dd1..0000000
--- a/targeted/domains/program/saslauthd.te
+++ /dev/null
@@ -1,41 +0,0 @@
-#DESC saslauthd - Authentication daemon for SASL
-#
-# Author: Colin Walters <walters@verbum.org>
-#
-
-daemon_domain(saslauthd, `, auth_chkpwd, auth_bool')
-
-allow saslauthd_t self:fifo_file { read write };
-allow saslauthd_t self:unix_dgram_socket create_socket_perms;
-allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
-allow saslauthd_t saslauthd_var_run_t:sock_file create_file_perms;
-allow saslauthd_t var_lib_t:dir search;
-
-allow saslauthd_t etc_t:dir { getattr search };
-allow saslauthd_t etc_t:file r_file_perms;
-allow saslauthd_t net_conf_t:file r_file_perms;
-
-allow saslauthd_t self:file r_file_perms;
-allow saslauthd_t proc_t:file { getattr read };
-
-allow saslauthd_t urandom_device_t:chr_file { getattr read }; 
-
-# Needs investigation
-dontaudit saslauthd_t home_root_t:dir getattr;
-can_network_client_tcp(saslauthd_t)
-allow saslauthd_t pop_port_t:tcp_socket name_connect;
-
-bool allow_saslauthd_read_shadow false;
-
-if (allow_saslauthd_read_shadow) {
-allow saslauthd_t shadow_t:file r_file_perms;
-}
-dontaudit saslauthd_t selinux_config_t:dir search;
-dontaudit saslauthd_t selinux_config_t:file { getattr read };
-
-
-dontaudit saslauthd_t initrc_t:unix_stream_socket connectto;
-ifdef(`mysqld.te', `
-allow saslauthd_t mysqld_db_t:dir search;
-allow saslauthd_t mysqld_var_run_t:sock_file rw_file_perms;
-')
diff --git a/targeted/domains/program/sendmail.te b/targeted/domains/program/sendmail.te
deleted file mode 100644
index fa69545..0000000
--- a/targeted/domains/program/sendmail.te
+++ /dev/null
@@ -1,17 +0,0 @@
-#DESC sendmail 
-#
-# Authors:  Daniel Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the sendmaild domain.
-#
-# sendmail_exec_t is the type of the /usr/sbin/sendmail and other programs.
-# This domain is defined just for targeted policy. 
-#
-type sendmail_exec_t, file_type, sysadmfile, exec_type;
-type sendmail_log_t, file_type, sysadmfile;
-domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
-var_run_domain(sendmail)
-
diff --git a/targeted/domains/program/setfiles.te b/targeted/domains/program/setfiles.te
deleted file mode 100644
index 85bcd4c..0000000
--- a/targeted/domains/program/setfiles.te
+++ /dev/null
@@ -1,66 +0,0 @@
-#DESC Setfiles - SELinux filesystem labeling utilities
-#
-# Authors:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: policycoreutils
-#
-
-#################################
-#
-# Rules for the setfiles_t domain.
-#
-# setfiles_exec_t is the type of the setfiles executable.
-#
-# needs auth_write attribute because it has relabelfrom/relabelto
-# access to shadow_t
-type setfiles_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
-type setfiles_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types setfiles_t;
-role sysadm_r types setfiles_t;
-role secadm_r types setfiles_t;
-
-ifdef(`distro_redhat', `
-domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
-')
-can_access_pty(hostname_t, initrc)
-allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
-
-allow setfiles_t self:unix_dgram_socket create_socket_perms;
-
-domain_auto_trans(secadmin, setfiles_exec_t, setfiles_t)
-allow setfiles_t { userdomain privfd initrc_t init_t }:fd use;
-
-uses_shlib(setfiles_t)
-allow setfiles_t self:capability { dac_override dac_read_search fowner };
-
-# for upgrading glibc and other shared objects - without this the upgrade
-# scripts will put things in a state such that setfiles can not be run!
-allow setfiles_t lib_t:file { read execute };
-
-# Get security policy decisions.
-can_getsecurity(setfiles_t)
-
-r_dir_file(setfiles_t, { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t })
-
-allow setfiles_t file_type:dir r_dir_perms;
-allow setfiles_t { file_type unlabeled_t device_type }:dir_file_class_set { getattr relabelfrom };
-allow setfiles_t file_type:{ dir file lnk_file sock_file fifo_file } relabelto;
-allow setfiles_t unlabeled_t:dir read;
-allow setfiles_t { device_type device_t }:{ chr_file blk_file } { getattr relabelfrom relabelto };
-allow setfiles_t { ttyfile ptyfile }:chr_file getattr;
-# dontaudit access to ttyfile - we do not want setfiles to relabel our terminal
-dontaudit setfiles_t ttyfile:chr_file relabelfrom;
-
-allow setfiles_t fs_t:filesystem getattr;
-allow setfiles_t fs_type:dir r_dir_perms;
-
-read_locale(setfiles_t)
-
-allow setfiles_t etc_runtime_t:file { getattr read };
-allow setfiles_t etc_t:file { getattr read };
-allow setfiles_t proc_t:file { getattr read };
-dontaudit setfiles_t proc_t:lnk_file { getattr read };
-
-# for config files in a home directory
-allow setfiles_t home_type:file r_file_perms;
-dontaudit setfiles_t sysadm_tty_device_t:chr_file relabelfrom;
diff --git a/targeted/domains/program/slapd.te b/targeted/domains/program/slapd.te
deleted file mode 100644
index dd9e416..0000000
--- a/targeted/domains/program/slapd.te
+++ /dev/null
@@ -1,61 +0,0 @@
-#DESC Slapd - OpenLDAP server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: slapd
-#
-
-#################################
-#
-# Rules for the slapd_t domain.
-#
-# slapd_exec_t is the type of the slapd executable.
-#
-daemon_domain(slapd)
-
-allow slapd_t ldap_port_t:tcp_socket name_bind;
-
-etc_domain(slapd)
-type slapd_db_t, file_type, sysadmfile;
-type slapd_replog_t, file_type, sysadmfile;
-
-tmp_domain(slapd)
-
-# Use the network.
-can_network(slapd_t)
-allow slapd_t port_type:tcp_socket name_connect;
-can_ypbind(slapd_t)
-allow slapd_t self:fifo_file { read write };
-allow slapd_t self:unix_stream_socket create_socket_perms;
-allow slapd_t self:unix_dgram_socket create_socket_perms;
-# allow any domain to connect to the LDAP server
-can_tcp_connect(domain, slapd_t)
-
-# Use capabilities  should not need kill...
-allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw dac_override dac_read_search };
-allow slapd_t self:process setsched;
-
-allow slapd_t proc_t:file r_file_perms;
-
-# Allow access to the slapd databases
-create_dir_file(slapd_t, slapd_db_t)
-allow initrc_t slapd_db_t:dir r_dir_perms;
-allow slapd_t var_lib_t:dir r_dir_perms;
-
-# Allow access to write the replication log (should tighten this)
-create_dir_file(slapd_t, slapd_replog_t)
-
-# read config files
-allow slapd_t etc_t:{ file lnk_file } { getattr read };
-allow slapd_t etc_runtime_t:file { getattr read };
-
-# for startup script
-allow initrc_t slapd_etc_t:file { getattr read };
-
-allow slapd_t etc_t:dir r_dir_perms;
-
-read_sysctl(slapd_t)
-
-allow slapd_t usr_t:file { read getattr };
-allow slapd_t urandom_device_t:chr_file { getattr read };
-allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
-r_dir_file(slapd_t, cert_t)
diff --git a/targeted/domains/program/snmpd.te b/targeted/domains/program/snmpd.te
deleted file mode 100644
index ea75c8d..0000000
--- a/targeted/domains/program/snmpd.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#DESC SNMPD - Simple Network Management Protocol daemon
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: snmpd
-#
-
-#################################
-#
-# Rules for the snmpd_t domain.
-#
-daemon_domain(snmpd, `, nscd_client_domain')
-
-#temp
-allow snmpd_t var_t:dir getattr;
-
-can_network_server(snmpd_t)
-can_ypbind(snmpd_t)
-
-allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
-
-etc_domain(snmpd)
-
-# for the .index file
-var_lib_domain(snmpd)
-file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, { dir sock_file })
-file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
-allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms;
-
-log_domain(snmpd)
-# for /usr/share/snmp/mibs
-allow snmpd_t usr_t:file { getattr read };
-
-can_udp_send(sysadm_t, snmpd_t)
-can_udp_send(snmpd_t, sysadm_t)
-
-allow snmpd_t self:unix_dgram_socket create_socket_perms;
-allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
-allow snmpd_t etc_t:lnk_file read;
-allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
-allow snmpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
-allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
-
-allow snmpd_t proc_t:dir search;
-allow snmpd_t proc_t:file r_file_perms;
-allow snmpd_t self:file { getattr read };
-allow snmpd_t self:fifo_file rw_file_perms;
-allow snmpd_t { bin_t sbin_t }:dir search;
-can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })
-
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-r_dir_file(snmpd_t, rpm_var_lib_t)
-dontaudit snmpd_t rpm_var_lib_t:dir write;
-dontaudit snmpd_t rpm_var_lib_t:file write;
-')
-')
-
-allow snmpd_t home_root_t:dir search;
-allow snmpd_t initrc_var_run_t:file r_file_perms;
-dontaudit snmpd_t initrc_var_run_t:file write;
-dontaudit snmpd_t rpc_pipefs_t:dir getattr;
-allow snmpd_t rpc_pipefs_t:dir getattr;
-read_sysctl(snmpd_t)
-allow snmpd_t sysctl_net_t:dir search;
-allow snmpd_t sysctl_net_t:file { getattr read };
-
-dontaudit snmpd_t { removable_device_t fixed_disk_device_t }:blk_file { getattr ioctl read };
-allow snmpd_t sysfs_t:dir { getattr read search };
-ifdef(`amanda.te', `
-dontaudit snmpd_t amanda_dumpdates_t:file { getattr read };
-')
-ifdef(`cupsd.te', `
-allow snmpd_t cupsd_rw_etc_t:file { getattr read };
-')
-allow snmpd_t var_lib_nfs_t:dir search;
-
-# needed in order to retrieve net traffic data
-allow snmpd_t proc_net_t:dir search;
-allow snmpd_t proc_net_t:file r_file_perms;
-
-allow snmpd_t domain:dir { getattr search };
-allow snmpd_t domain:file { getattr read };
-allow snmpd_t domain:process signull;
-
-dontaudit snmpd_t selinux_config_t:dir search;
diff --git a/targeted/domains/program/spamc.te b/targeted/domains/program/spamc.te
deleted file mode 100644
index 9b49fbf..0000000
--- a/targeted/domains/program/spamc.te
+++ /dev/null
@@ -1,10 +0,0 @@
-#DESC Spamc - Spamassassin client
-#
-# Author: Colin Walters <walters@debian.org>
-# X-Debian-Packages: spamc
-# Depends: spamassassin.te
-#
-
-type spamc_exec_t, file_type, sysadmfile, exec_type;
-
-# Everything else is in spamassassin_macros.te.
diff --git a/targeted/domains/program/spamd.te b/targeted/domains/program/spamd.te
deleted file mode 100644
index 7c25002..0000000
--- a/targeted/domains/program/spamd.te
+++ /dev/null
@@ -1,70 +0,0 @@
-#DESC Spamd - Spamassassin daemon
-#
-# Author: Colin Walters <walters@debian.org>
-# X-Debian-Packages: spamassassin
-# Depends: spamassassin.te
-#
-
-daemon_domain(spamd)
-
-tmp_domain(spamd)
-
-general_domain_access(spamd_t)
-uses_shlib(spamd_t)
-read_sysctl(spamd_t)
-
-# Various Perl bits
-allow spamd_t lib_t:file rx_file_perms;
-dontaudit spamd_t shadow_t:file { getattr read };
-dontaudit spamd_t initrc_var_run_t:file { read write lock };
-dontaudit spamd_t sysadm_home_dir_t:dir { getattr search };
-
-can_network_server(spamd_t)
-allow spamd_t spamd_port_t:tcp_socket name_bind;
-can_ypbind(spamd_t)
-allow spamd_t self:capability net_bind_service;
-
-allow spamd_t proc_t:file { getattr read };
-
-# Spamassassin, when run as root and using per-user config files,
-# setuids to the user running spamc.  Comment this if you are not
-# using this ability.
-allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
-
-allow spamd_t { bin_t sbin_t }:dir { getattr search };
-can_exec(spamd_t, bin_t)
-
-ifdef(`sendmail.te', `
-allow spamd_t etc_mail_t:dir { getattr read search };
-allow spamd_t etc_mail_t:file { getattr ioctl read };
-')
-allow spamd_t { etc_t etc_runtime_t }:file { getattr ioctl read };
-
-ifdef(`amavis.te', `
-# for bayes tokens
-allow spamd_t var_lib_t:dir { getattr search };
-rw_dir_create_file(spamd_t, amavisd_lib_t)
-')
-
-allow spamd_t usr_t:file { getattr ioctl read };
-allow spamd_t usr_t:lnk_file { getattr read };
-allow spamd_t urandom_device_t:chr_file { getattr read };
-
-system_crond_entry(spamd_exec_t, spamd_t)
-
-allow spamd_t autofs_t:dir { search getattr };
-
-if (use_nfs_home_dirs) {
-allow spamd_t nfs_t:dir rw_dir_perms;
-allow spamd_t nfs_t:file create_file_perms;
-}
-
-if (use_samba_home_dirs) {
-allow spamd_t cifs_t:dir rw_dir_perms;
-allow spamd_t cifs_t:file create_file_perms;
-}
-
-allow spamd_t home_root_t:dir getattr;
-allow spamd_t user_home_dir_type:dir { search getattr };
-
-
diff --git a/targeted/domains/program/squid.te b/targeted/domains/program/squid.te
deleted file mode 100644
index 1727186..0000000
--- a/targeted/domains/program/squid.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#DESC Squid - Web cache
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: squid
-#
-
-#################################
-#
-# Rules for the squid_t domain.
-#
-# squid_t is the domain the squid process runs in
-ifdef(`apache.te',`
-can_tcp_connect(squid_t, httpd_t)
-')
-bool squid_connect_any false;
-daemon_domain(squid, `, web_client_domain, nscd_client_domain')
-type squid_conf_t, file_type, sysadmfile;
-general_domain_access(squid_t)
-allow { squid_t initrc_t } squid_conf_t:file r_file_perms;
-allow squid_t squid_conf_t:dir r_dir_perms;
-allow squid_t squid_conf_t:lnk_file read;
-
-logdir_domain(squid)
-rw_dir_create_file(initrc_t, squid_log_t)
-
-allow squid_t usr_t:file { getattr read };
-
-# type for /var/cache/squid
-type squid_cache_t, file_type, sysadmfile;
-
-allow squid_t self:capability { setgid setuid net_bind_service dac_override };
-allow squid_t { etc_t etc_runtime_t }:file r_file_perms;
-allow squid_t etc_t:lnk_file read;
-allow squid_t self:unix_stream_socket create_socket_perms;
-allow squid_t self:unix_dgram_socket create_socket_perms;
-allow squid_t self:fifo_file rw_file_perms;
-
-read_sysctl(squid_t)
-
-allow squid_t devtty_t:chr_file rw_file_perms;
-
-allow squid_t { self proc_t }:file { read getattr };
-
-# for when we use /var/spool/cache
-allow squid_t var_spool_t:dir search;
-
-# Grant permissions to create, access, and delete cache files.
-# No type transitions required, as the files inherit the parent directory type.
-create_dir_file(squid_t, squid_cache_t)
-ifdef(`logrotate.te',
-`domain_auto_trans(logrotate_t, squid_exec_t, squid_t)')
-ifdef(`crond.te', `domain_auto_trans(system_crond_t, squid_exec_t, squid_t)')
-
-# Use the network
-can_network(squid_t)
-if (squid_connect_any) {
-allow squid_t port_type:tcp_socket name_connect;
-} 
-can_ypbind(squid_t)
-can_tcp_connect(web_client_domain, squid_t)
-
-# tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
-allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:{ tcp_socket udp_socket } name_bind;
-allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
-
-# to allow running programs from /usr/lib/squid (IE unlinkd)
-# also allow exec()ing itself
-can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t shell_exec_t } )
-allow squid_t { bin_t sbin_t }:dir search;
-allow squid_t { bin_t sbin_t }:lnk_file read;
-
-dontaudit squid_t { boot_t tmp_t home_root_t security_t devpts_t }:dir getattr;
-ifdef(`targeted_policy', `
-dontaudit squid_t tty_device_t:chr_file { read write };
-')
-allow squid_t urandom_device_t:chr_file { getattr read };
-
-#squid requires the following when run in diskd mode, the recommended setting
-allow squid_t tmpfs_t:file { read write };
-r_dir_file(squid_t, cert_t)
-ifdef(`winbind.te', `
-domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
-allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
-allow winbind_helper_t squid_log_t:file ra_file_perms;
-')
diff --git a/targeted/domains/program/ssh.te b/targeted/domains/program/ssh.te
deleted file mode 100644
index bfd1ea2..0000000
--- a/targeted/domains/program/ssh.te
+++ /dev/null
@@ -1,22 +0,0 @@
-#DESC sshd 
-#
-# Authors:  Daniel Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the sshd domain.
-#
-# sshd_exec_t is the type of the /bin/sshd and other programs.
-# This domain is defined just for targeted policy. 
-#
-type sshd_exec_t, file_type, sysadmfile, exec_type;
-type ssh_exec_t, file_type, sysadmfile, exec_type;
-type ssh_keygen_exec_t, file_type, sysadmfile, exec_type;
-type ssh_keysign_exec_t, file_type, sysadmfile, exec_type;
-type sshd_key_t, file_type, sysadmfile;
-type sshd_var_run_t, file_type, sysadmfile;
-domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
-ifdef(`use_mcs', `
-range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
-')
diff --git a/targeted/domains/program/stunnel.te b/targeted/domains/program/stunnel.te
deleted file mode 100644
index 4dbfcec..0000000
--- a/targeted/domains/program/stunnel.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# DESC: selinux policy for stunnel
-#
-# Author:   petre rodan <kaiowas@gentoo.org>
-#
-ifdef(`distro_gentoo', `
-
-daemon_domain(stunnel)
-
-can_network(stunnel_t)
-allow stunnel_t port_type:tcp_socket name_connect;
-
-allow stunnel_t self:capability { setgid setuid sys_chroot };
-allow stunnel_t self:fifo_file { read write };
-allow stunnel_t self:tcp_socket { read write };
-allow stunnel_t self:unix_stream_socket { connect create };
-
-r_dir_file(stunnel_t, etc_t)
-', `
-inetd_child_domain(stunnel, tcp)
-allow stunnel_t self:capability sys_chroot;
-
-bool stunnel_is_daemon false;
-if (stunnel_is_daemon) {
-# Policy to run stunnel as a daemon should go here.
-allow stunnel_t self:tcp_socket rw_stream_socket_perms;
-allow stunnel_t stunnel_port_t:tcp_socket name_bind;
-}
-')
-
-type stunnel_etc_t, file_type, sysadmfile;
-r_dir_file(stunnel_t, stunnel_etc_t)
-allow stunnel_t stunnel_port_t:tcp_socket { name_bind };
-
diff --git a/targeted/domains/program/su.te b/targeted/domains/program/su.te
deleted file mode 100644
index 6d39909..0000000
--- a/targeted/domains/program/su.te
+++ /dev/null
@@ -1,23 +0,0 @@
-#DESC Su - Run shells with substitute user and group
-#
-# Domains for the su program.
-# X-Debian-Packages: login
-
-#
-# su_exec_t is the type of the su executable.
-#
-type su_exec_t, file_type, sysadmfile;
-
-allow sysadm_su_t user_home_dir_type:dir search;
-
-# Everything else is in the su_domain macro in
-# macros/program/su_macros.te.
-
-ifdef(`use_mcs', `
-ifdef(`targeted_policy', `
-range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
-domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)
-can_exec(sysadm_su_t, bin_t)
-rw_dir_create_file(sysadm_su_t, home_dir_type)
-')
-')
diff --git a/targeted/domains/program/syslogd.te b/targeted/domains/program/syslogd.te
deleted file mode 100644
index be427ec..0000000
--- a/targeted/domains/program/syslogd.te
+++ /dev/null
@@ -1,109 +0,0 @@
-#DESC Syslogd - System log daemon
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-# X-Debian-Packages: sysklogd syslog-ng
-#
-
-#################################
-#
-# Rules for the syslogd_t domain.
-#
-# syslogd_t is the domain of syslogd.
-# syslogd_exec_t is the type of the syslogd executable.
-# devlog_t is the type of the Unix domain socket created 
-# by syslogd.
-#
-ifdef(`klogd.te', `
-daemon_domain(syslogd, `, privkmsg, nscd_client_domain')
-', `
-daemon_domain(syslogd, `, privmem, privkmsg, nscd_client_domain')
-')
-
-# can_network is for the UDP socket
-can_network_udp(syslogd_t)
-can_ypbind(syslogd_t)
-
-r_dir_file(syslogd_t, sysfs_t)
-
-type devlog_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
-
-# if something can log to syslog they should be able to log to the console
-allow privlog console_device_t:chr_file { ioctl read write getattr };
-
-tmp_domain(syslogd)
-
-# read files in /etc
-allow syslogd_t { etc_runtime_t etc_t }:file r_file_perms;
-
-# Use capabilities.
-allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
-
-# Modify/create log files.
-create_append_log_file(syslogd_t, var_log_t)
-
-# Create and bind to /dev/log or /var/run/log.
-file_type_auto_trans(syslogd_t, { device_t var_run_t }, devlog_t, sock_file)
-ifdef(`distro_suse', `
-# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
-file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
-')
-allow syslogd_t self:unix_dgram_socket create_socket_perms;
-allow syslogd_t self:unix_dgram_socket sendto;
-allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-allow syslogd_t self:fifo_file rw_file_perms;
-allow syslogd_t devlog_t:unix_stream_socket name_bind;
-allow syslogd_t devlog_t:unix_dgram_socket name_bind;
-# log to the xconsole
-allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
-
-# Domains with the privlog attribute may log to syslogd.
-allow privlog devlog_t:sock_file rw_file_perms;
-can_unix_send(privlog,syslogd_t)
-can_unix_connect(privlog,syslogd_t)
-# allow /dev/log to be a link elsewhere for chroot setup
-allow privlog devlog_t:lnk_file read;
-
-ifdef(`crond.te', `
-# for daemon re-start
-allow system_crond_t syslogd_t:lnk_file read;
-')
-
-ifdef(`logrotate.te', `
-allow logrotate_t syslogd_exec_t:file r_file_perms;
-')
-
-# for sending messages to logged in users
-allow syslogd_t initrc_var_run_t:file { read lock };
-dontaudit syslogd_t initrc_var_run_t:file write;
-allow syslogd_t ttyfile:chr_file { getattr write };
-
-#
-# Special case to handle crashes
-#
-allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
-
-# Allow syslog to a terminal
-allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
-
-# Allow name_bind for remote logging
-allow syslogd_t syslogd_port_t:udp_socket name_bind;
-#
-# /initrd is not umounted before minilog starts
-#
-dontaudit syslogd_t file_t:dir search;
-allow syslogd_t { tmpfs_t devpts_t }:dir search;
-dontaudit syslogd_t unlabeled_t:file { getattr read };
-dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
-allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
-ifdef(`targeted_policy', `
-allow syslogd_t var_run_t:fifo_file { ioctl read write };
-')
-
-# Allow access to /proc/kmsg for syslog-ng
-allow syslogd_t proc_t:dir search;
-allow syslogd_t proc_kmsg_t:file { getattr read };
-allow syslogd_t kernel_t:system { syslog_mod syslog_console };
-allow syslogd_t self:capability { sys_admin chown fsetid };
-allow syslogd_t var_log_t:dir { create setattr };
-allow syslogd_t syslogd_port_t:tcp_socket name_bind;
-allow syslogd_t rsh_port_t:tcp_socket name_connect;
diff --git a/targeted/domains/program/telnetd.te b/targeted/domains/program/telnetd.te
deleted file mode 100644
index bbbb2c1..0000000
--- a/targeted/domains/program/telnetd.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# telnet server daemon
-#
-
-#################################
-#
-# Rules for the telnetd_t domain 
-#
-
-remote_login_daemon(telnetd)
-typealias telnetd_port_t alias telnet_port_t;
diff --git a/targeted/domains/program/tftpd.te b/targeted/domains/program/tftpd.te
deleted file mode 100644
index c749987..0000000
--- a/targeted/domains/program/tftpd.te
+++ /dev/null
@@ -1,41 +0,0 @@
-#DESC TFTP - UDP based file server for boot loaders
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: tftpd atftpd
-# Depends: inetd.te
-#
-
-#################################
-#
-# Rules for the tftpd_t domain.
-#
-# tftpd_exec_t is the type of the tftpd executable.
-#
-daemon_domain(tftpd)
-
-# tftpdir_t is the type of files in the /tftpboot directories.
-type tftpdir_t, file_type, sysadmfile;
-r_dir_file(tftpd_t, tftpdir_t)
-
-domain_auto_trans(inetd_t, tftpd_exec_t, tftpd_t)
-
-# Use the network.
-can_network_udp(tftpd_t)
-allow tftpd_t tftp_port_t:udp_socket name_bind;
-ifdef(`inetd.te', `
-allow inetd_t tftp_port_t:udp_socket name_bind;
-')
-allow tftpd_t self:unix_dgram_socket create_socket_perms;
-allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
-
-# allow any domain to connect to the TFTP server
-allow tftpd_t inetd_t:udp_socket rw_socket_perms;
-
-# Use capabilities
-allow tftpd_t self:capability { setgid setuid net_bind_service sys_chroot };
-
-allow tftpd_t etc_t:dir r_dir_perms;
-allow tftpd_t etc_t:file r_file_perms;
-
-allow tftpd_t var_t:dir r_dir_perms;
-allow tftpd_t var_t:{ file lnk_file } r_file_perms;
diff --git a/targeted/domains/program/udev.te b/targeted/domains/program/udev.te
deleted file mode 100644
index cc5f7d4..0000000
--- a/targeted/domains/program/udev.te
+++ /dev/null
@@ -1,152 +0,0 @@
-#DESC udev - Linux configurable dynamic device naming support
-#
-# Author:  Dan Walsh dwalsh@redhat.com
-#
-
-#################################
-#
-# Rules for the udev_t domain.
-#
-# udev_exec_t is the type of the udev executable.
-#
-daemon_domain(udev, `, nscd_client_domain, privmodule, privmem, fs_domain, privfd, privowner, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite')
-
-general_domain_access(udev_t)
-
-if (allow_execmem) {
-# for alsactl
-allow udev_t self:process execmem;
-}
-
-etc_domain(udev)
-type udev_helper_exec_t, file_type, sysadmfile, exec_type;
-can_exec_any(udev_t)
-
-#
-# Rules used for udev
-#
-type udev_tdb_t, file_type, sysadmfile, dev_fs;
-typealias udev_tdb_t alias udev_tbl_t;
-file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin sys_rawio sys_nice };
-allow udev_t self:file { getattr read };
-allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
-allow udev_t self:unix_dgram_socket create_socket_perms;
-allow udev_t self:fifo_file rw_file_perms;
-allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; 
-allow udev_t device_t:file { unlink rw_file_perms };
-allow udev_t device_t:sock_file create_file_perms;
-allow udev_t device_t:lnk_file create_lnk_perms;
-allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
-ifdef(`distro_redhat', `
-allow udev_t tmpfs_t:dir create_dir_perms;
-allow udev_t tmpfs_t:{ sock_file file } create_file_perms;
-allow udev_t tmpfs_t:lnk_file create_lnk_perms;
-allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
-allow udev_t tmpfs_t:dir search;
-
-# for arping used for static IP addresses on PCMCIA ethernet
-domain_auto_trans(udev_t, netutils_exec_t, netutils_t)
-')
-allow udev_t etc_t:file { getattr read ioctl };
-allow udev_t { bin_t sbin_t }:dir r_dir_perms;
-allow udev_t { sbin_t bin_t }:lnk_file read;
-allow udev_t bin_t:lnk_file read;
-can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
-can_exec(udev_t, udev_exec_t)
-rw_dir_file(udev_t, sysfs_t)
-allow udev_t sysadm_tty_device_t:chr_file { read write };
-
-# to read the file_contexts file
-r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
-
-allow udev_t policy_config_t:dir search;
-allow udev_t proc_t:file { getattr read ioctl };
-allow udev_t proc_kcore_t:file getattr;
-
-# Get security policy decisions.
-can_getsecurity(udev_t)
-
-# set file system create context
-can_setfscreate(udev_t)
-
-allow udev_t kernel_t:fd use;
-allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
-allow udev_t kernel_t:process signal;
-
-allow udev_t initrc_var_run_t:file r_file_perms;
-dontaudit udev_t initrc_var_run_t:file write;
-
-domain_auto_trans(kernel_t, udev_exec_t, udev_t)
-domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t)
-ifdef(`hide_broken_symptoms', `
-dontaudit restorecon_t udev_t:unix_dgram_socket { read write };
-')
-allow udev_t devpts_t:dir { getattr search };
-allow udev_t etc_runtime_t:file { getattr read };
-ifdef(`xdm.te', `
-allow udev_t xdm_var_run_t:file { getattr read };
-')
-
-ifdef(`hotplug.te', `
-r_dir_file(udev_t, hotplug_etc_t)
-')
-allow udev_t var_log_t:dir search;
-
-ifdef(`consoletype.te', `
-can_exec(udev_t, consoletype_exec_t)
-')
-ifdef(`pamconsole.te', `
-allow udev_t pam_var_console_t:dir search;
-allow udev_t pam_var_console_t:file { getattr read };
-domain_auto_trans(udev_t, pam_console_exec_t, pam_console_t)
-')
-allow udev_t var_lock_t:dir search;
-allow udev_t var_lock_t:file getattr;
-domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
-ifdef(`hide_broken_symptoms', `
-dontaudit ifconfig_t udev_t:unix_dgram_socket { read write };
-')
-
-dontaudit udev_t file_t:dir search;
-ifdef(`dhcpc.te', `
-domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)
-')
-
-allow udev_t udev_helper_exec_t:dir r_dir_perms;
-
-dbusd_client(system, udev)
-
-allow udev_t device_t:dir { relabelfrom relabelto create_dir_perms };
-allow udev_t sysctl_dev_t:dir search;
-allow udev_t mnt_t:dir search;
-allow udev_t { sysctl_dev_t sysctl_modprobe_t sysctl_kernel_t sysctl_hotplug_t }:file { getattr read };
-allow udev_t self:rawip_socket create_socket_perms;
-dontaudit udev_t domain:dir r_dir_perms;
-dontaudit udev_t ttyfile:chr_file unlink;
-ifdef(`hotplug.te', `
-r_dir_file(udev_t, hotplug_var_run_t)
-')
-r_dir_file(udev_t, modules_object_t)
-#
-# Udev is now writing dhclient-eth*.conf* files.
-#
-ifdef(`dhcpd.te', `define(`use_dhcp')')
-ifdef(`dhcpc.te', `define(`use_dhcp')')
-ifdef(`use_dhcp', `
-allow udev_t dhcp_etc_t:file rw_file_perms;
-file_type_auto_trans(udev_t, etc_t, dhcp_etc_t, file)
-')
-r_dir_file(udev_t, domain)
-allow udev_t modules_dep_t:file r_file_perms;
-
-nsswitch_domain(udev_t)
-
-ifdef(`unlimitedUtils', `
-unconfined_domain(udev_t) 
-')
-dontaudit hostname_t udev_t:fd use;
-ifdef(`use_mcs', `
-range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
-range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
-')
diff --git a/targeted/domains/program/updfstab.te b/targeted/domains/program/updfstab.te
deleted file mode 100644
index 82edf3d..0000000
--- a/targeted/domains/program/updfstab.te
+++ /dev/null
@@ -1,81 +0,0 @@
-#DESC updfstab - Red Hat utility to change /etc/fstab
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-daemon_base_domain(updfstab, `, fs_domain, etc_writer')
-
-rw_dir_create_file(updfstab_t, etc_t)
-create_dir_file(updfstab_t, mnt_t)
-
-# Read /dev directories and modify sym-links
-allow updfstab_t device_t:dir rw_dir_perms;
-allow updfstab_t device_t:lnk_file create_file_perms;
-
-# Access disk devices.
-allow updfstab_t fixed_disk_device_t:blk_file rw_file_perms;
-allow updfstab_t removable_device_t:blk_file rw_file_perms;
-allow updfstab_t scsi_generic_device_t:chr_file rw_file_perms;
-
-# for /proc/partitions
-allow updfstab_t proc_t:file { getattr read };
-
-# for /proc/self/mounts
-r_dir_file(updfstab_t, self)
-
-# for /etc/mtab
-allow updfstab_t etc_runtime_t:file { getattr read };
-
-read_locale(updfstab_t)
-
-ifdef(`dbusd.te', `
-dbusd_client(system, updfstab)
-allow updfstab_t system_dbusd_t:dbus { send_msg };
-allow initrc_t updfstab_t:dbus send_msg;
-allow updfstab_t initrc_t:dbus send_msg;
-')
-
-# not sure what the sysctl_kernel_t file is, or why it wants to write it, so
-# I will not allow it
-read_sysctl(updfstab_t)
-dontaudit updfstab_t sysctl_kernel_t:file write;
-allow updfstab_t modules_conf_t:file { getattr read };
-allow updfstab_t sbin_t:dir search;
-allow updfstab_t sbin_t:lnk_file read;
-allow updfstab_t { var_t var_log_t }:dir search;
-
-allow updfstab_t kernel_t:fd use;
-
-allow updfstab_t self:unix_stream_socket create_stream_socket_perms;
-allow updfstab_t self:unix_dgram_socket create_socket_perms;
-
-ifdef(`modutil.te', `
-dnl domain_auto_trans(updfstab_t, insmod_exec_t, insmod_t)
-can_exec(updfstab_t, insmod_exec_t)
-allow updfstab_t modules_object_t:dir search;
-allow updfstab_t modules_dep_t:file { getattr read };
-')
-
-ifdef(`pamconsole.te', `
-domain_auto_trans(updfstab_t, pam_console_exec_t, pam_console_t)
-')
-allow updfstab_t kernel_t:system syslog_console;
-allow updfstab_t sysadm_tty_device_t:chr_file { read write };
-allow updfstab_t self:capability dac_override;
-dontaudit updfstab_t self:capability sys_admin;
-
-r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
-can_getsecurity(updfstab_t)
-
-allow updfstab_t { sbin_t bin_t }:dir { search getattr };
-dontaudit updfstab_t devtty_t:chr_file { read write };
-allow updfstab_t self:fifo_file { getattr read write ioctl };
-can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
-dontaudit updfstab_t home_root_t:dir { getattr search };
-dontaudit updfstab_t { home_dir_type home_type }:dir search;
-allow updfstab_t fs_t:filesystem { getattr };
-allow updfstab_t tmpfs_t:dir getattr;
-ifdef(`hald.te', `
-can_unix_connect(updfstab_t, hald_t)
-')
-
diff --git a/targeted/domains/program/uucpd.te b/targeted/domains/program/uucpd.te
deleted file mode 100644
index 05791bd..0000000
--- a/targeted/domains/program/uucpd.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#DESC uucpd - UUCP file transfer daemon
-#
-# Author:  Dan Walsh <dwalsh@redhat.com>
-#
-# Depends: inetd.te
-
-#################################
-#
-# Rules for the uucpd_t domain.
-#
-# uucpd_exec_t is the type of the uucpd executable.
-#
-
-inetd_child_domain(uucpd, tcp)
-type uucpd_rw_t, file_type, sysadmfile;
-type uucpd_ro_t, file_type, sysadmfile;
-type uucpd_spool_t, file_type, sysadmfile;
-create_dir_file(uucpd_t, uucpd_rw_t)
-r_dir_file(uucpd_t, uucpd_ro_t)
-allow uucpd_t sbin_t:dir search;
-can_exec(uucpd_t, sbin_t)
-logdir_domain(uucpd)
-allow uucpd_t var_spool_t:dir search;
-create_dir_file(uucpd_t, uucpd_spool_t)
diff --git a/targeted/domains/program/webalizer.te b/targeted/domains/program/webalizer.te
deleted file mode 100644
index c1f38bd..0000000
--- a/targeted/domains/program/webalizer.te
+++ /dev/null
@@ -1,51 +0,0 @@
-# DESC webalizer - webalizer
-#
-# Author: Yuichi Nakamura (ynakam @ selinux.gr.jp)
-#
-# Depends: apache.te
-
-application_domain(webalizer, `, nscd_client_domain')
-# to use from cron
-system_crond_entry(webalizer_exec_t,webalizer_t)
-role system_r types webalizer_t;
-
-##type definision
-# type for usage file
-type webalizer_usage_t,file_type,sysadmfile;
-# type for /var/lib/webalizer
-type webalizer_write_t,file_type,sysadmfile;
-# type for webalizer.conf
-etc_domain(webalizer)
-
-#read apache log
-allow webalizer_t var_log_t:dir r_dir_perms;
-r_dir_file(webalizer_t, httpd_log_t)
-ifdef(`ftpd.te', `
-allow webalizer_t xferlog_t:file { getattr read };
-')
-
-#r/w /var/lib/webalizer
-var_lib_domain(webalizer)
-
-#read /var/www/usage
-create_dir_file(webalizer_t, httpd_sys_content_t)
-
-#read system files under /etc
-allow webalizer_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale(webalizer_t)
-
-# can use tmp file
-tmp_domain(webalizer)
-
-# can read /proc
-read_sysctl(webalizer_t)
-allow webalizer_t proc_t:dir search;
-allow webalizer_t proc_t:file r_file_perms;
-
-# network
-can_network_server(webalizer_t)
-
-#process communication inside webalizer itself
-general_domain_access(webalizer_t)
-
-allow webalizer_t self:capability dac_override;
diff --git a/targeted/domains/program/winbind.te b/targeted/domains/program/winbind.te
deleted file mode 100644
index 7b9e5e9..0000000
--- a/targeted/domains/program/winbind.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#DESC winbind - Name  Service  Switch  daemon for resolving names from NT servers
-#
-# Author: Dan Walsh (dwalsh@redhat.com)
-#
-
-#################################
-#
-# Declarations for winbind
-#
-
-daemon_domain(winbind, `, privhome, auth_chkpwd, nscd_client_domain')
-log_domain(winbind)
-tmp_domain(winbind)
-allow winbind_t etc_t:file r_file_perms;
-allow winbind_t etc_t:lnk_file read;
-can_network(winbind_t)
-allow winbind_t smbd_port_t:tcp_socket name_connect;
-can_resolve(winbind_t)
-
-ifdef(`samba.te', `', `
-type samba_etc_t, file_type, sysadmfile, usercanread;
-type samba_log_t, file_type, sysadmfile, logfile;
-type samba_var_t, file_type, sysadmfile;
-type samba_secrets_t, file_type, sysadmfile;
-')
-file_type_auto_trans(winbind_t, samba_etc_t, samba_secrets_t, file)
-rw_dir_create_file(winbind_t, samba_log_t)
-allow winbind_t samba_secrets_t:file rw_file_perms;
-allow winbind_t self:unix_dgram_socket create_socket_perms;
-allow winbind_t self:unix_stream_socket create_stream_socket_perms;
-allow winbind_t urandom_device_t:chr_file { getattr read };
-allow winbind_t self:fifo_file { read write };
-rw_dir_create_file(winbind_t, samba_var_t)
-can_kerberos(winbind_t)
-allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
-allow winbind_t winbind_var_run_t:sock_file create_file_perms;
-allow initrc_t winbind_var_run_t:file r_file_perms;
-
-application_domain(winbind_helper, `, nscd_client_domain')
-role system_r types winbind_helper_t;
-access_terminal(winbind_helper_t, sysadm)
-read_locale(winbind_helper_t) 
-r_dir_file(winbind_helper_t, samba_etc_t)
-r_dir_file(winbind_t, samba_etc_t)
-allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
-allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
-allow winbind_helper_t samba_var_t:dir search;
-allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
-can_winbind(winbind_helper_t)
-allow winbind_helper_t privfd:fd use;
diff --git a/targeted/domains/program/xdm.te b/targeted/domains/program/xdm.te
deleted file mode 100644
index 740f124..0000000
--- a/targeted/domains/program/xdm.te
+++ /dev/null
@@ -1,26 +0,0 @@
-#DESC xdm - Linux configurable dynamic device naming support
-#
-# Authors:  Daniel Walsh <dwalsh@redhat.com>
-#
-
-#################################
-#
-# Rules for the xdm domain.
-#
-# xdm_exec_t is the type of the /usr/bin/gdm and other programs.
-# This domain is defined just for targeted policy.
-#
-type xdm_exec_t, file_type, sysadmfile, exec_type;
-type xsession_exec_t, file_type, sysadmfile, exec_type;
-type xserver_log_t, file_type, sysadmfile;
-type xdm_xserver_tmp_t, file_type, sysadmfile;
-type xdm_rw_etc_t, file_type, sysadmfile;
-type xdm_var_run_t, file_type, sysadmfile;
-type xdm_var_lib_t, file_type, sysadmfile;
-type xdm_tmp_t, file_type, sysadmfile;
-domain_auto_trans(initrc_t, xdm_exec_t, xdm_t)
-domain_auto_trans(init_t, xdm_exec_t, xdm_t)
-ifdef(`use_mcs', `
-range_transition init_t xdm_exec_t s0 - s0:c0.c255;
-range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
-')
diff --git a/targeted/domains/program/ypbind.te b/targeted/domains/program/ypbind.te
deleted file mode 100644
index ed7c3f8..0000000
--- a/targeted/domains/program/ypbind.te
+++ /dev/null
@@ -1,44 +0,0 @@
-#DESC Ypbind - NIS/YP
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: nis
-# Depends: portmap.te named.te
-#
-
-#################################
-#
-# Rules for the ypbind_t domain.
-#
-daemon_domain(ypbind)
-
-tmp_domain(ypbind)
-
-# Use capabilities.
-allow ypbind_t self:capability { net_bind_service };
-dontaudit ypbind_t self:capability net_admin;
-
-# Use the network.
-can_network(ypbind_t)
-allow ypbind_t port_type:tcp_socket name_connect;
-allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind;
-
-allow ypbind_t self:fifo_file rw_file_perms;
-
-read_sysctl(ypbind_t)
-
-# Send to portmap and initrc.
-can_udp_send(ypbind_t, portmap_t)
-can_udp_send(ypbind_t, initrc_t)
-
-# Read and write /var/yp.
-allow ypbind_t var_yp_t:dir rw_dir_perms;
-allow ypbind_t var_yp_t:file create_file_perms;
-allow initrc_t var_yp_t:dir { getattr read };
-allow ypbind_t etc_t:file { getattr read };
-allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
-allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
-allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
-dontaudit ypbind_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-can_udp_send(initrc_t, ypbind_t)
-
diff --git a/targeted/domains/program/ypserv.te b/targeted/domains/program/ypserv.te
deleted file mode 100644
index 1ecc731..0000000
--- a/targeted/domains/program/ypserv.te
+++ /dev/null
@@ -1,42 +0,0 @@
-#DESC Ypserv - NIS/YP
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com>
-# Depends: portmap.te
-#
-
-#################################
-#
-# Rules for the ypserv_t domain.
-#
-daemon_domain(ypserv)
-
-tmp_domain(ypserv)
-
-# Use capabilities.
-allow ypserv_t self:capability { net_bind_service };
-
-# Use the network.
-can_network_server(ypserv_t)
-
-allow ypserv_t self:fifo_file rw_file_perms;
-
-read_sysctl(ypserv_t)
-
-# Send to portmap and initrc.
-can_udp_send(ypserv_t, portmap_t)
-can_udp_send(ypserv_t, initrc_t)
-
-type ypserv_conf_t, file_type, sysadmfile;
-
-# Read and write /var/yp.
-allow ypserv_t var_yp_t:dir rw_dir_perms;
-allow ypserv_t var_yp_t:file create_file_perms;
-allow ypserv_t ypserv_conf_t:file { getattr read };
-allow ypserv_t self:unix_dgram_socket create_socket_perms;
-allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
-ifdef(`rpcd.te', `
-allow rpcd_t ypserv_conf_t:file { getattr read };
-')
-allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
-dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-can_exec(ypserv_t, bin_t)
diff --git a/targeted/domains/program/zebra.te b/targeted/domains/program/zebra.te
deleted file mode 100644
index 640c621..0000000
--- a/targeted/domains/program/zebra.te
+++ /dev/null
@@ -1,32 +0,0 @@
-#DESC Zebra - BGP server
-#
-# Author:  Russell Coker <russell@coker.com.au>
-# X-Debian-Packages: zebra
-#
-
-daemon_domain(zebra, `, sysctl_net_writer')
-type zebra_conf_t, file_type, sysadmfile;
-r_dir_file({ initrc_t zebra_t }, zebra_conf_t)
-
-can_network_server(zebra_t)
-can_ypbind(zebra_t)
-allow zebra_t { etc_t etc_runtime_t }:file { getattr read };
-
-allow zebra_t self:process setcap;
-allow zebra_t self:capability { setgid setuid net_bind_service net_admin net_raw };
-file_type_auto_trans(zebra_t, var_run_t, zebra_var_run_t, sock_file)
-
-logdir_domain(zebra)
-
-# /tmp/.bgpd is such a bad idea!
-tmp_domain(zebra, `', sock_file)
-
-allow zebra_t self:unix_dgram_socket create_socket_perms;
-allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow zebra_t self:rawip_socket create_socket_perms;
-allow zebra_t self:netlink_route_socket r_netlink_socket_perms;
-allow zebra_t zebra_port_t:tcp_socket name_bind;
-
-allow zebra_t proc_t:file { getattr read };
-allow zebra_t { sysctl_t sysctl_net_t }:dir search;
-allow zebra_t sysctl_net_t:file rw_file_perms;
diff --git a/targeted/domains/unconfined.te b/targeted/domains/unconfined.te
deleted file mode 100644
index 715aa77..0000000
--- a/targeted/domains/unconfined.te
+++ /dev/null
@@ -1,91 +0,0 @@
-#DESC Unconfined - The unconfined domain
-
-# This is the initial domain, and is used for everything that
-# is not explicitly confined.  It has no restrictions.
-# It needs to be carefully protected from the confined domains.
-
-type unconfined_t, domain, privuser, privhome, privrole, privowner, admin, auth_write, fs_domain, privmem;
-role system_r types unconfined_t;
-role user_r types unconfined_t;
-unconfined_domain(unconfined_t)
-allow domain unconfined_t:fd use;
-allow domain unconfined_t:process sigchld;
-
-# Define some type aliases to help with compatibility with
-# macros and domains from the "strict" policy.
-typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
-
-typeattribute tty_device_t admin_tty_type;
-typeattribute devpts_t admin_tty_type;
-
-# User home directory type.
-type user_home_t, file_type, sysadmfile, home_type;
-type user_home_dir_t, file_type, sysadmfile, home_dir_type;
-file_type_auto_trans(unconfined_t, home_root_t, user_home_dir_t, dir)
-allow privhome home_root_t:dir { getattr search };
-file_type_auto_trans(privhome, user_home_dir_t, user_home_t)
-
-define(`user_typealias', `
-ifelse($1,`user',`',`
-typealias user_home_t alias $1_home_t;
-typealias user_home_dir_t alias $1_home_dir_t;
-')
-typealias tty_device_t alias $1_tty_device_t;
-typealias devpts_t alias $1_devpts_t;
-')
-user_typealias(sysadm)
-user_typealias(staff)
-user_typealias(user)
-attribute user_file_type;
-attribute staff_file_type;
-attribute sysadm_file_type;
-
-allow unconfined_t unlabeled_t:filesystem *;
-allow unconfined_t self:system syslog_read;
-allow unlabeled_t self:filesystem associate;
-
-# Support NFS home directories
-bool use_nfs_home_dirs false;
-
-# Allow making anonymous memory executable, e.g. 
-# for runtime-code generation or executable stack.
-bool allow_execmem true;
-
-# Allow making the stack executable via mprotect.
-# Also requires allow_execmem.
-bool allow_execstack true;
-
-# Allow making a modified private file mapping executable (text relocation).
-bool allow_execmod true;
-
-# Support SAMBA home directories
-bool use_samba_home_dirs false;
-
-ifdef(`samba.te', `samba_domain(user)')
-ifdef(`i18n_input.te', `i18n_input_domain(user)')
-
-# Allow system to run with NIS
-bool allow_ypbind false;
-
-# Allow system to run with Kerberos
-bool allow_kerberos false;
-
-# allow reading of default file context
-bool read_default_t true;
-
-if (allow_execmem) {
-allow domain self:process execmem;
-}
-
-#Removing i18n_input from targeted for now, since wants to read users homedirs
-typealias bin_t alias i18n_input_exec_t;
-typealias unconfined_t alias i18n_input_t;
-typealias var_run_t alias i18n_input_var_run_t;
-ifdef(`su.te', `
-typealias unconfined_t alias { sysadm_chkpwd_t };
-typealias tmp_t alias { sysadm_tmp_t sshd_tmp_t };
-su_domain(sysadm)
-typeattribute sysadm_su_t unconfinedtrans;
-role system_r types sysadm_su_t;
-')
-
diff --git a/targeted/file_contexts/distros.fc b/targeted/file_contexts/distros.fc
deleted file mode 100644
index 33c7f5e..0000000
--- a/targeted/file_contexts/distros.fc
+++ /dev/null
@@ -1,164 +0,0 @@
-ifdef(`distro_redhat', `
-/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t:s0
-/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t:s0
-/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t:s0
-/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t:s0
-/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t:s0
-/usr/share/rhn/rhn_applet/needed-packages\.py	--	system_u:object_r:bin_t:s0
-/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t:s0
-/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t:s0
-/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t:s0
-/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t:s0
-/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t:s0
-/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t:s0
-/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t:s0
-/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t:s0
-/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t:s0
-/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t:s0
-/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t:s0
-/usr/share/switchdesk/switchdesk-gui\.py	--	system_u:object_r:bin_t:s0
-/usr/share/system-config-network/neat-control\.py	--	system_u:object_r:bin_t:s0
-/usr/share/system-config-nfs/nfs-export\.py	--	system_u:object_r:bin_t:s0
-/usr/share/pydict/pydict\.py	--	system_u:object_r:bin_t:s0
-/usr/share/cvs/contrib/rcs2log	--	system_u:object_r:bin_t:s0
-/usr/share/pwlib/make/ptlib-config --	system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexdir	--	system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexnam	--	system_u:object_r:bin_t:s0
-/usr/share/texmf/web2c/mktexupd	--	system_u:object_r:bin_t:s0
-/etc/rhgb(/.*)?		-d		system_u:object_r:mnt_t:s0
-/usr/share/ssl/misc(/.*)?		system_u:object_r:bin_t:s0
-#
-# /emul/ia32-linux/usr
-#
-/emul(/.*)?				system_u:object_r:usr_t:s0
-/emul/ia32-linux/usr(/.*)?/lib(/.*)?		system_u:object_r:lib_t:s0
-/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t:s0
-/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t:s0
-/emul/ia32-linux/usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t:s0
-/emul/ia32-linux/usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t:s0
-/emul/ia32-linux/usr(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t:s0
-/emul/ia32-linux/usr/libexec(/.*)?		system_u:object_r:bin_t:s0
-# /emul/ia32-linux/lib
-/emul/ia32-linux/lib(/.*)?					system_u:object_r:lib_t:s0
-/emul/ia32-linux/lib/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t:s0
-/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t:s0
-# /emul/ia32-linux/bin
-/emul/ia32-linux/bin(/.*)?			system_u:object_r:bin_t:s0
-# /emul/ia32-linux/sbin
-/emul/ia32-linux/sbin(/.*)?			system_u:object_r:sbin_t:s0
-
-ifdef(`dbusd.te', `', `
-/var/run/dbus(/.*)?            system_u:object_r:system_dbusd_var_run_t:s0
-')
-
-# The following are libraries with text relocations in need of execmod permissions
-# Some of them should be fixed and removed from this list
-
-# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
-# 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
-/usr/lib/gstreamer-.*/libgstffmpeg\.so.*  -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/gstreamer-.*/libgstmms\.so 	 -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libg\+\+\.so\.2\.7\.2\.8		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libglide3\.so.* 			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdv\.so.* 				-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/oggfformat\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/theorarend\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/plugins/vorbisrend\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/codecs/colorcvt\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/helix/codecs/cvt1\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libSDL-.*\.so.*			-- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/modules/dri/.*\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/libOSMesa\.so.*			-- system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/libfglrx_gamma\.so.* 		--  system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libHermes\.so.*			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/hp2ps				-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/stage2			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/valgrind/vg.*\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/libxpcom_core.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program(/.*)?			system_u:object_r:bin_t:s0
-/usr/lib/.*/program/.*\.so.*			system_u:object_r:shlib_t:s0
-/usr/lib/.*/program/libicudata\.so.*		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libsts645li\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libvclplug_gen645li\.so	-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libwrp645li\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/program/libswd680li\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/librecentfile\.so 	--  system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libsvx680li\.so	--  system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so  	--  system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/.*/program/libsoffice\.so  	--  system_u:object_r:texrel_shlib_t:s0
-
-# Fedora Extras packages: ladspa, imlib2, ocaml
-/usr/lib/ladspa/analogue_osc_1416\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/bandpass_a_iir_1893\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/bandpass_iir_1892\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/butterworth_1902\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/fm_osc_1415\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/gsm_1215\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/gverb_1216\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/hermes_filter_1200\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/highpass_iir_1890\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/lowpass_iir_1891\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/notch_iir_1894\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/pitch_scale_1193\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/pitch_scale_1194\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc1_1425\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc2_1426\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc3_1427\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/sc4_1882\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ladspa/se4_1883\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libImlib2\.so.* 			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/ocaml/stublibs/dllnums\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/httpd/modules/libphp5\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/php/modules/.*\.so			-- system_u:object_r:texrel_shlib_t:s0
-
-# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-/usr/lib/xmms/Input/libmpg123\.so		-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libpostproc\.so.*			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libavformat-.*\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libavcodec-.*\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libxvidcore\.so.*			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/xine/plugins/.*\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libgsm\.so.*				-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libmp3lame\.so.*			-- system_u:object_r:texrel_shlib_t:s0
-
-# Flash plugin, Macromedia
-HOME_DIR/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t:s0
-
-# Jai, Sun Microsystems (Jpackage SPRM)
-/usr/lib/libmlib_jai\.so			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdivxdecore.so.0			-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib/libdivxencore.so.0			-- system_u:object_r:texrel_shlib_t:s0
-
-# Java, Sun Microsystems (JPackage SRPM)
-/usr/.*/jre/lib/i386/libdeploy.so		-- system_u:object_r:texrel_shlib_t:s0
-
-/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api	-- system_u:object_r:shlib_t:s0
-/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api	-- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api	-- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl  --  system_u:object_r:texrel_shlib_t:s0
-')
-
-ifdef(`distro_suse', `
-/var/lib/samba/bin/.+					system_u:object_r:bin_t:s0
-/var/lib/samba/bin/.*\.so(\.[^/]*)*		-l	system_u:object_r:lib_t:s0
-/usr/lib/samba/classic/.*			--	system_u:object_r:bin_t:s0
-/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t:s0
-/success					--	system_u:object_r:etc_runtime_t:s0
-/etc/defkeymap\.map				--	system_u:object_r:etc_runtime_t:s0
-')
diff --git a/targeted/file_contexts/homedir_template b/targeted/file_contexts/homedir_template
deleted file mode 100644
index e994915..0000000
--- a/targeted/file_contexts/homedir_template
+++ /dev/null
@@ -1,12 +0,0 @@
-# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
-# HOME_DIR expands to each users home directory,
-#                  and to HOME_ROOT/[^/]+ for each HOME_ROOT.
-# ROLE expands to each users role when role != user_r, and to "user" otherwise.
-HOME_ROOT		-d	system_u:object_r:home_root_t:s0
-HOME_DIR		-d	system_u:object_r:ROLE_home_dir_t:s0
-HOME_DIR/.+			system_u:object_r:ROLE_home_t:s0
-HOME_ROOT/\.journal		<<none>>
-HOME_ROOT/lost\+found	-d	system_u:object_r:lost_found_t:s0
-HOME_ROOT/lost\+found/.*	<<none>>
-HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t:s0
-HOME_DIR/.*/plugins/libflashplayer\.so.*	-- system_u:object_r:texrel_shlib_t:s0
diff --git a/targeted/file_contexts/program/NetworkManager.fc b/targeted/file_contexts/program/NetworkManager.fc
deleted file mode 100644
index cb57584..0000000
--- a/targeted/file_contexts/program/NetworkManager.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# NetworkManager 
-/usr/bin/NetworkManager	--	system_u:object_r:NetworkManager_exec_t:s0
diff --git a/targeted/file_contexts/program/acct.fc b/targeted/file_contexts/program/acct.fc
deleted file mode 100644
index 78622bd..0000000
--- a/targeted/file_contexts/program/acct.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# berkeley process accounting
-/sbin/accton	--	system_u:object_r:acct_exec_t:s0
-/usr/sbin/accton	--	system_u:object_r:acct_exec_t:s0
-/var/account(/.*)?		system_u:object_r:acct_data_t:s0
-/etc/cron\.(daily|monthly)/acct -- system_u:object_r:acct_exec_t:s0
diff --git a/targeted/file_contexts/program/afs.fc b/targeted/file_contexts/program/afs.fc
deleted file mode 100644
index fb49f33..0000000
--- a/targeted/file_contexts/program/afs.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-# afs
-/usr/afs/bin/bosserver	--	system_u:object_r:afs_bosserver_exec_t
-/usr/afs/bin/kaserver	--	system_u:object_r:afs_kaserver_exec_t
-/usr/afs/bin/vlserver	--	system_u:object_r:afs_vlserver_exec_t
-/usr/afs/bin/ptserver	--	system_u:object_r:afs_ptserver_exec_t
-/usr/afs/bin/fileserver	--	system_u:object_r:afs_fsserver_exec_t
-/usr/afs/bin/volserver	--	system_u:object_r:afs_fsserver_exec_t
-/usr/afs/bin/salvager	--	system_u:object_r:afs_fsserver_exec_t
-
-/usr/afs/logs(/.*)?		system_u:object_r:afs_logfile_t
-/usr/afs/etc(/.*)?		system_u:object_r:afs_config_t		
-/usr/afs/local(/.*)?		system_u:object_r:afs_config_t
-/usr/afs/db		-d	system_u:object_r:afs_dbdir_t
-/usr/afs/db/pr.*	--	system_u:object_r:afs_pt_db_t
-/usr/afs/db/ka.*	--	system_u:object_r:afs_ka_db_t
-/usr/afs/db/vl.*	--	system_u:object_r:afs_vl_db_t
-
-/vicepa				system_u:object_r:afs_files_t
-/vicepb				system_u:object_r:afs_files_t
-/vicepc				system_u:object_r:afs_files_t
diff --git a/targeted/file_contexts/program/alsa.fc b/targeted/file_contexts/program/alsa.fc
deleted file mode 100644
index 837b071..0000000
--- a/targeted/file_contexts/program/alsa.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-#DESC       ainit - configuration tool for ALSA
-/usr/bin/ainit 			-- system_u:object_r:alsa_exec_t
-/etc/alsa/pcm(/.*)? 		 system_u:object_r:alsa_etc_rw_t
diff --git a/targeted/file_contexts/program/amanda.fc b/targeted/file_contexts/program/amanda.fc
deleted file mode 100644
index 917b41a..0000000
--- a/targeted/file_contexts/program/amanda.fc
+++ /dev/null
@@ -1,70 +0,0 @@
-#
-# Author:  Carsten Grohmann <carstengrohmann@gmx.de>
-#
-
-# amanda
-/etc/amanda(/.*)?			system_u:object_r:amanda_config_t:s0
-/etc/amanda/.*/tapelist(/.*)?		system_u:object_r:amanda_data_t:s0
-/etc/amandates				system_u:object_r:amanda_amandates_t:s0
-/etc/dumpdates				system_u:object_r:amanda_dumpdates_t:s0
-/root/restore			-d	system_u:object_r:amanda_recover_dir_t:s0
-/tmp/amanda(/.*)?			system_u:object_r:amanda_tmp_t:s0
-/usr/lib(64)?/amanda			-d	system_u:object_r:amanda_usr_lib_t:s0
-/usr/lib(64)?/amanda/amandad		--	system_u:object_r:amanda_inetd_exec_t:s0
-/usr/lib(64)?/amanda/amcat\.awk	--	system_u:object_r:amanda_script_exec_t:s0
-/usr/lib(64)?/amanda/amcleanupdisk	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/amidxtaped	--	system_u:object_r:amanda_inetd_exec_t:s0
-/usr/lib(64)?/amanda/amindexd	--	system_u:object_r:amanda_inetd_exec_t:s0
-/usr/lib(64)?/amanda/amlogroll	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/amplot\.awk	--	system_u:object_r:amanda_script_exec_t:s0
-/usr/lib(64)?/amanda/amplot\.g	--	system_u:object_r:amanda_script_exec_t:s0
-/usr/lib(64)?/amanda/amplot\.gp	--	system_u:object_r:amanda_script_exec_t:s0
-/usr/lib(64)?/amanda/amtrmidx	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/amtrmlog	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/calcsize	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-chio	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-chs		--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-manual	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-mtx		--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-multi	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-rth		--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-scsi	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/chg-zd-mtx	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/driver		--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/dumper		--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/killpgrp	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/patch-system	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/planner		--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/rundump		--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/runtar		--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/selfcheck	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/sendbackup	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/sendsize	--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/taper		--	system_u:object_r:amanda_exec_t:s0
-/usr/lib(64)?/amanda/versionsuffix	--	system_u:object_r:amanda_exec_t:s0
-/usr/sbin/amadmin		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amcheck		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amcheckdb		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amcleanup		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amdump		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amflush		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amgetconf		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amlabel		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amoverview		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amplot		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amrecover		--	system_u:object_r:amanda_recover_exec_t:s0
-/usr/sbin/amreport		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amrestore		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amrmtape		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amstatus		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amtape		--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amtoc			--	system_u:object_r:amanda_user_exec_t:s0
-/usr/sbin/amverify		--	system_u:object_r:amanda_user_exec_t:s0
-/var/lib/amanda			-d	system_u:object_r:amanda_var_lib_t:s0
-/var/lib/amanda/\.amandahosts	--	system_u:object_r:amanda_config_t:s0
-/var/lib/amanda/\.bashrc	--	system_u:object_r:amanda_shellconfig_t:s0
-/var/lib/amanda/\.profile	--	system_u:object_r:amanda_shellconfig_t:s0
-/var/lib/amanda/disklist	--	system_u:object_r:amanda_data_t:s0
-/var/lib/amanda/gnutar-lists(/.*)?	system_u:object_r:amanda_gnutarlists_t:s0
-/var/lib/amanda/index			system_u:object_r:amanda_data_t:s0
-/var/log/amanda(/.*)?			system_u:object_r:amanda_log_t:s0
diff --git a/targeted/file_contexts/program/amavis.fc b/targeted/file_contexts/program/amavis.fc
deleted file mode 100644
index 366da33..0000000
--- a/targeted/file_contexts/program/amavis.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# amavis
-/usr/sbin/amavisd.*		--	system_u:object_r:amavisd_exec_t
-/etc/amavisd\.conf		--	system_u:object_r:amavisd_etc_t
-/var/log/amavisd\.log 		--	system_u:object_r:amavisd_log_t
-/var/lib/amavis(/.*)?	 		system_u:object_r:amavisd_lib_t
-/var/run/amavis(/.*)?	 		system_u:object_r:amavisd_var_run_t
-/var/amavis(/.*)?	 		system_u:object_r:amavisd_lib_t
-/var/virusmails(/.*)?	 		system_u:object_r:amavisd_quarantine_t
diff --git a/targeted/file_contexts/program/anaconda.fc b/targeted/file_contexts/program/anaconda.fc
deleted file mode 100644
index a0cbc0e..0000000
--- a/targeted/file_contexts/program/anaconda.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# Anaconda file context
-# currently anaconda does not have any file context since it is started during install
-# This is a placeholder to stop makefile from complaining
-#
diff --git a/targeted/file_contexts/program/apache.fc b/targeted/file_contexts/program/apache.fc
deleted file mode 100644
index 0eb4c1c..0000000
--- a/targeted/file_contexts/program/apache.fc
+++ /dev/null
@@ -1,60 +0,0 @@
-# apache
-HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t:s0
-/var/www(/.*)?			system_u:object_r:httpd_sys_content_t:s0
-/srv/([^/]*/)?www(/.*)?		system_u:object_r:httpd_sys_content_t:s0
-/var/www/cgi-bin(/.*)?		system_u:object_r:httpd_sys_script_exec_t:s0
-/usr/lib/cgi-bin(/.*)?		system_u:object_r:httpd_sys_script_exec_t:s0
-/var/www/perl(/.*)?		system_u:object_r:httpd_sys_script_exec_t:s0
-/var/www/icons(/.*)?		system_u:object_r:httpd_sys_content_t:s0
-/var/cache/httpd(/.*)?		system_u:object_r:httpd_cache_t:s0
-/var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t:s0
-/var/cache/php-mmcache(/.*)?	system_u:object_r:httpd_cache_t:s0
-/var/cache/mason(/.*)?	system_u:object_r:httpd_cache_t:s0
-/var/cache/rt3(/.*)?	system_u:object_r:httpd_cache_t:s0
-/etc/httpd		-d	system_u:object_r:httpd_config_t:s0
-/etc/httpd/conf.*		system_u:object_r:httpd_config_t:s0
-/etc/httpd/logs			system_u:object_r:httpd_log_t:s0
-/etc/httpd/modules		system_u:object_r:httpd_modules_t:s0
-/etc/apache(2)?(/.*)?		system_u:object_r:httpd_config_t:s0
-/etc/vhosts		--	system_u:object_r:httpd_config_t:s0
-/usr/lib(64)?/apache(/.*)?		system_u:object_r:httpd_modules_t:s0
-/usr/lib(64)?/apache2/modules(/.*)?	system_u:object_r:httpd_modules_t:s0
-/usr/lib(64)?/httpd(/.*)?		system_u:object_r:httpd_modules_t:s0
-/usr/sbin/httpd(\.worker)?	--	system_u:object_r:httpd_exec_t:s0
-/usr/sbin/apache(2)?	--	system_u:object_r:httpd_exec_t:s0
-/usr/sbin/suexec	--	system_u:object_r:httpd_suexec_exec_t:s0
-/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- system_u:object_r:httpd_suexec_exec_t:s0
-/usr/lib(64)?/apache(2)?/suexec(2)? -- system_u:object_r:httpd_suexec_exec_t:s0
-/var/log/httpd(/.*)?		system_u:object_r:httpd_log_t:s0
-/var/log/apache(2)?(/.*)?	system_u:object_r:httpd_log_t:s0
-/var/log/cgiwrap\.log.*	--	system_u:object_r:httpd_log_t:s0
-/var/cache/ssl.*\.sem	--	system_u:object_r:httpd_cache_t:s0
-/var/cache/mod_ssl(/.*)?	system_u:object_r:httpd_cache_t:s0
-/var/run/apache.*		system_u:object_r:httpd_var_run_t:s0
-/var/lib/httpd(/.*)?		system_u:object_r:httpd_var_lib_t:s0
-/var/lib/php/session(/.*)?	system_u:object_r:httpd_var_run_t:s0
-/etc/apache-ssl(2)?(/.*)?	system_u:object_r:httpd_config_t:s0
-/usr/lib/apache-ssl/.+	 --	system_u:object_r:httpd_exec_t:s0
-/usr/sbin/apache-ssl(2)? --	system_u:object_r:httpd_exec_t:s0
-/var/log/apache-ssl(2)?(/.*)?	system_u:object_r:httpd_log_t:s0
-/var/run/gcache_port	-s	system_u:object_r:httpd_var_run_t:s0
-ifdef(`distro_debian', `
-/var/log/horde2(/.*)?		system_u:object_r:httpd_log_t:s0
-')
-ifdef(`distro_suse', `
-# suse puts shell scripts there :-(
-/usr/share/apache2/[^/]*	--	system_u:object_r:bin_t:s0
-/usr/sbin/httpd2-.*		--	system_u:object_r:httpd_exec_t:s0
-')
-/var/lib/squirrelmail/prefs(/.*)?	system_u:object_r:httpd_squirrelmail_t:s0
-/var/spool/squirrelmail(/.*)?	system_u:object_r:squirrelmail_spool_t:s0
-/usr/bin/htsslpass --	system_u:object_r:httpd_helper_exec_t:s0
-/usr/share/htdig(/.*)?		system_u:object_r:httpd_sys_content_t:s0
-/var/lib/htdig(/.*)?		system_u:object_r:httpd_sys_content_t:s0
-/etc/htdig(/.*)?		system_u:object_r:httpd_sys_content_t:s0
-/var/spool/gosa(/.*)?		system_u:object_r:httpd_sys_script_rw_t:s0
-ifdef(`targeted_policy', `', `
-/var/spool/cron/apache		-- 	system_u:object_r:user_cron_spool_t:s0
-')
-/usr/sbin/apachectl		-- 	system_u:object_r:initrc_exec_t:s0
-
diff --git a/targeted/file_contexts/program/apmd.fc b/targeted/file_contexts/program/apmd.fc
deleted file mode 100644
index 6554b52..0000000
--- a/targeted/file_contexts/program/apmd.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-# apmd
-/usr/sbin/apmd		--	system_u:object_r:apmd_exec_t:s0
-/usr/sbin/acpid		--	system_u:object_r:apmd_exec_t:s0
-/usr/sbin/powersaved	--	system_u:object_r:apmd_exec_t:s0
-/usr/bin/apm		--	system_u:object_r:apm_exec_t:s0
-/var/run/apmd\.pid	--	system_u:object_r:apmd_var_run_t:s0
-/var/run/\.?acpid\.socket	-s	system_u:object_r:apmd_var_run_t:s0
-/var/run/powersaved\.pid	--	system_u:object_r:apmd_var_run_t:s0
-/var/run/powersave_socket	-s	system_u:object_r:apmd_var_run_t:s0
-/var/log/acpid		--	system_u:object_r:apmd_log_t:s0
-ifdef(`distro_suse', `
-/var/lib/acpi(/.*)?		system_u:object_r:apmd_var_lib_t:s0
-')
-
diff --git a/targeted/file_contexts/program/arpwatch.fc b/targeted/file_contexts/program/arpwatch.fc
deleted file mode 100644
index 4869940..0000000
--- a/targeted/file_contexts/program/arpwatch.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# arpwatch - keep track of ethernet/ip address pairings
-/usr/sbin/arpwatch	--	system_u:object_r:arpwatch_exec_t:s0
-/var/arpwatch(/.*)?		system_u:object_r:arpwatch_data_t:s0
-/var/lib/arpwatch(/.*)?		system_u:object_r:arpwatch_data_t:s0
diff --git a/targeted/file_contexts/program/asterisk.fc b/targeted/file_contexts/program/asterisk.fc
deleted file mode 100644
index 6f4eb4b..0000000
--- a/targeted/file_contexts/program/asterisk.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# asterisk
-/usr/sbin/asterisk	--	system_u:object_r:asterisk_exec_t
-/var/run/asterisk(/.*)?		system_u:object_r:asterisk_var_run_t
-/etc/asterisk(/.*)?		system_u:object_r:asterisk_etc_t
-/var/log/asterisk(/.*)?		system_u:object_r:asterisk_log_t
-/var/lib/asterisk(/.*)?		system_u:object_r:asterisk_var_lib_t
-/var/spool/asterisk(/.*)?	system_u:object_r:asterisk_spool_t
diff --git a/targeted/file_contexts/program/audio-entropyd.fc b/targeted/file_contexts/program/audio-entropyd.fc
deleted file mode 100644
index a8f616a..0000000
--- a/targeted/file_contexts/program/audio-entropyd.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/audio-entropyd	--	system_u:object_r:entropyd_exec_t
diff --git a/targeted/file_contexts/program/auditd.fc b/targeted/file_contexts/program/auditd.fc
deleted file mode 100644
index 08b9320..0000000
--- a/targeted/file_contexts/program/auditd.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# auditd
-/sbin/auditctl		--	system_u:object_r:auditctl_exec_t:s0
-/sbin/auditd		--	system_u:object_r:auditd_exec_t:s0
-/var/log/audit.log 	-- 	system_u:object_r:auditd_log_t:s0
-/var/log/audit(/.*)?  	 	system_u:object_r:auditd_log_t:s0
-/etc/auditd.conf	--	system_u:object_r:auditd_etc_t:s0
-/etc/audit.rules	--	system_u:object_r:auditd_etc_t:s0
-
diff --git a/targeted/file_contexts/program/authbind.fc b/targeted/file_contexts/program/authbind.fc
deleted file mode 100644
index 9fed63e..0000000
--- a/targeted/file_contexts/program/authbind.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# authbind
-/etc/authbind(/.*)?		system_u:object_r:authbind_etc_t
-/usr/lib(64)?/authbind/helper --	system_u:object_r:authbind_exec_t
diff --git a/targeted/file_contexts/program/automount.fc b/targeted/file_contexts/program/automount.fc
deleted file mode 100644
index f7b56f7..0000000
--- a/targeted/file_contexts/program/automount.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# automount
-/usr/sbin/automount	--	system_u:object_r:automount_exec_t
-/etc/apm/event\.d/autofs --	system_u:object_r:automount_exec_t
-/var/run/autofs(/.*)?		system_u:object_r:automount_var_run_t
-/etc/auto\..+		--	system_u:object_r:automount_etc_t
diff --git a/targeted/file_contexts/program/avahi.fc b/targeted/file_contexts/program/avahi.fc
deleted file mode 100644
index fa6e00e..0000000
--- a/targeted/file_contexts/program/avahi.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-#DESC avahi - mDNS/DNS-SD daemon implementing Apple’s ZeroConf architecture
-/usr/sbin/avahi-daemon		--	system_u:object_r:avahi_exec_t:s0
-/usr/sbin/avahi-dnsconfd 	--	system_u:object_r:avahi_exec_t:s0
-/var/run/avahi-daemon(/.*)? 		system_u:object_r:avahi_var_run_t:s0
diff --git a/targeted/file_contexts/program/backup.fc b/targeted/file_contexts/program/backup.fc
deleted file mode 100644
index ed82809..0000000
--- a/targeted/file_contexts/program/backup.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# backup
-# label programs that do backups to other files on disk (IE a cron job that
-# calls tar) in backup_exec_t and label the directory for storing them as
-# backup_store_t, Debian uses /var/backups
-#/usr/local/bin/backup-script -- system_u:object_r:backup_exec_t
-/var/backups(/.*)?		system_u:object_r:backup_store_t
diff --git a/targeted/file_contexts/program/bluetooth.fc b/targeted/file_contexts/program/bluetooth.fc
deleted file mode 100644
index 6c5aac3..0000000
--- a/targeted/file_contexts/program/bluetooth.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# bluetooth
-/etc/bluetooth(/.*)?		system_u:object_r:bluetooth_conf_t:s0
-/etc/bluetooth/link_key		system_u:object_r:bluetooth_conf_rw_t:s0
-/usr/bin/rfcomm		--	system_u:object_r:bluetooth_exec_t:s0
-/usr/sbin/hcid		--	system_u:object_r:bluetooth_exec_t:s0
-/usr/sbin/sdpd		--	system_u:object_r:bluetooth_exec_t:s0
-/usr/sbin/hciattach	--	system_u:object_r:bluetooth_exec_t:s0
-/var/run/sdp		-s	system_u:object_r:bluetooth_var_run_t:s0
-/usr/sbin/hid2hci	--	system_u:object_r:bluetooth_exec_t:s0
-/usr/bin/blue.*pin	--	system_u:object_r:bluetooth_helper_exec_t:s0
-/var/lib/bluetooth(/.*)?	system_u:object_r:bluetooth_var_lib_t:s0
diff --git a/targeted/file_contexts/program/bonobo.fc b/targeted/file_contexts/program/bonobo.fc
deleted file mode 100644
index 9c27b25..0000000
--- a/targeted/file_contexts/program/bonobo.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/libexec/bonobo-activation-server	--	system_u:object_r:bonobo_exec_t
diff --git a/targeted/file_contexts/program/bootloader.fc b/targeted/file_contexts/program/bootloader.fc
deleted file mode 100644
index 90f8e85..0000000
--- a/targeted/file_contexts/program/bootloader.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# bootloader
-/etc/lilo\.conf.*	--	system_u:object_r:bootloader_etc_t
-/initrd\.img.*		-l	system_u:object_r:boot_t
-/sbin/lilo.*		--	system_u:object_r:bootloader_exec_t
-/sbin/grub.*		--	system_u:object_r:bootloader_exec_t
-/vmlinuz.*		-l	system_u:object_r:boot_t
-/usr/sbin/mkinitrd	--	system_u:object_r:bootloader_exec_t
-/sbin/mkinitrd		--	system_u:object_r:bootloader_exec_t
-/etc/mkinitrd/scripts/.* --	system_u:object_r:bootloader_exec_t
-/sbin/ybin.*		--	system_u:object_r:bootloader_exec_t
-/etc/yaboot\.conf.*	--	system_u:object_r:bootloader_etc_t
diff --git a/targeted/file_contexts/program/calamaris.fc b/targeted/file_contexts/program/calamaris.fc
deleted file mode 100644
index 36d8c87..0000000
--- a/targeted/file_contexts/program/calamaris.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# squid
-/etc/cron\.daily/calamaris --	system_u:object_r:calamaris_exec_t
-/var/www/calamaris(/.*)?	system_u:object_r:calamaris_www_t
-/var/log/calamaris(/.*)?	system_u:object_r:calamaris_log_t
diff --git a/targeted/file_contexts/program/canna.fc b/targeted/file_contexts/program/canna.fc
deleted file mode 100644
index aada263..0000000
--- a/targeted/file_contexts/program/canna.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# canna.fc
-/usr/sbin/cannaserver	--	system_u:object_r:canna_exec_t:s0
-/usr/sbin/jserver	--	system_u:object_r:canna_exec_t:s0
-/usr/bin/cannaping	--	system_u:object_r:canna_exec_t:s0
-/usr/bin/catdic		--	system_u:object_r:canna_exec_t:s0
-/var/log/canna(/.*)?		system_u:object_r:canna_log_t:s0
-/var/log/wnn(/.*)?		system_u:object_r:canna_log_t:s0
-/var/lib/canna/dic(/.*)?	system_u:object_r:canna_var_lib_t:s0
-/var/lib/wnn/dic(/.*)?	system_u:object_r:canna_var_lib_t:s0
-/var/run/\.iroha_unix	-d	system_u:object_r:canna_var_run_t:s0
-/var/run/\.iroha_unix/.* -s	system_u:object_r:canna_var_run_t:s0
-/var/run/wnn-unix(/.*)		system_u:object_r:canna_var_run_t:s0
diff --git a/targeted/file_contexts/program/cardmgr.fc b/targeted/file_contexts/program/cardmgr.fc
deleted file mode 100644
index 1dc5187..0000000
--- a/targeted/file_contexts/program/cardmgr.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# cardmgr
-/sbin/cardmgr		--	system_u:object_r:cardmgr_exec_t:s0
-/sbin/cardctl		--	system_u:object_r:cardctl_exec_t:s0
-/var/run/stab		--	system_u:object_r:cardmgr_var_run_t:s0
-/var/run/cardmgr\.pid	--	system_u:object_r:cardmgr_var_run_t:s0
-/etc/apm/event\.d/pcmcia --	system_u:object_r:cardmgr_exec_t:s0
-/var/lib/pcmcia(/.*)?		system_u:object_r:cardmgr_var_run_t:s0
diff --git a/targeted/file_contexts/program/cdrecord.fc b/targeted/file_contexts/program/cdrecord.fc
deleted file mode 100644
index d03d3bc..0000000
--- a/targeted/file_contexts/program/cdrecord.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# cdrecord
-/usr/bin/cdrecord	--	system_u:object_r:cdrecord_exec_t
-
diff --git a/targeted/file_contexts/program/certwatch.fc b/targeted/file_contexts/program/certwatch.fc
deleted file mode 100644
index 20bb8ca..0000000
--- a/targeted/file_contexts/program/certwatch.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# certwatch.fc
-/usr/bin/certwatch	-- system_u:object_r:certwatch_exec_t
-
diff --git a/targeted/file_contexts/program/checkpolicy.fc b/targeted/file_contexts/program/checkpolicy.fc
deleted file mode 100644
index dddeecf..0000000
--- a/targeted/file_contexts/program/checkpolicy.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# checkpolicy
-/usr/bin/checkpolicy		--	system_u:object_r:checkpolicy_exec_t:s0
diff --git a/targeted/file_contexts/program/chkpwd.fc b/targeted/file_contexts/program/chkpwd.fc
deleted file mode 100644
index 5f253f7..0000000
--- a/targeted/file_contexts/program/chkpwd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# chkpwd
-/sbin/unix_chkpwd	--	system_u:object_r:chkpwd_exec_t:s0
-/sbin/unix_verify	--	system_u:object_r:chkpwd_exec_t:s0
-ifdef(`distro_suse', `
-/sbin/unix2_chkpwd	--	system_u:object_r:chkpwd_exec_t:s0
-')
diff --git a/targeted/file_contexts/program/chroot.fc b/targeted/file_contexts/program/chroot.fc
deleted file mode 100644
index aa61acc..0000000
--- a/targeted/file_contexts/program/chroot.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/chroot	--	system_u:object_r:chroot_exec_t
diff --git a/targeted/file_contexts/program/ciped.fc b/targeted/file_contexts/program/ciped.fc
deleted file mode 100644
index e3a12a1..0000000
--- a/targeted/file_contexts/program/ciped.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/ciped.*	--	system_u:object_r:ciped_exec_t
-/etc/cipe/ip-up.*	--	system_u:object_r:bin_t
-/etc/cipe/ip-down.*	--	system_u:object_r:bin_t
diff --git a/targeted/file_contexts/program/clamav.fc b/targeted/file_contexts/program/clamav.fc
deleted file mode 100644
index 90c898c..0000000
--- a/targeted/file_contexts/program/clamav.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-# clamscan
-/usr/bin/clamscan	--	system_u:object_r:clamscan_exec_t
-/usr/bin/freshclam	--	system_u:object_r:freshclam_exec_t
-/usr/sbin/clamav-freshclam-handledaemon	-- system_u:object_r:freshclam_exec_t
-/usr/sbin/clamd		--	system_u:object_r:clamd_exec_t
-/var/lib/clamav(/.*)?		system_u:object_r:clamav_var_lib_t
-/var/log/clam-update\.log --	system_u:object_r:freshclam_log_t
-/var/log/clamav-freshclam\.log.* -- system_u:object_r:freshclam_log_t
-/var/log/clamav(/.*)?			system_u:object_r:freshclam_log_t
-/var/log/clamav/clamd\.log.*     --	system_u:object_r:clamd_log_t
-/var/log/clamav/freshclam\.log.* --	system_u:object_r:freshclam_log_t
-/var/run/clamd\.ctl	-s	system_u:object_r:clamd_sock_t
-/var/run/clamd\.pid	--	system_u:object_r:clamd_var_run_t
-/var/run/clamav(/.*)?		system_u:object_r:clamd_var_run_t
-/var/run/clamav/clamd\.sock -s	system_u:object_r:clamd_sock_t
diff --git a/targeted/file_contexts/program/clockspeed.fc b/targeted/file_contexts/program/clockspeed.fc
deleted file mode 100644
index e00cd56..0000000
--- a/targeted/file_contexts/program/clockspeed.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# clockspeed
-/usr/bin/clockspeed	--	system_u:object_r:clockspeed_exec_t
-/usr/bin/clockadd	--	system_u:object_r:clockspeed_exec_t
-/usr/bin/clockview	--	system_u:object_r:clockspeed_exec_t
-/usr/bin/sntpclock	--	system_u:object_r:clockspeed_exec_t
-/usr/bin/taiclock	--	system_u:object_r:clockspeed_exec_t
-/usr/bin/taiclockd	--	system_u:object_r:clockspeed_exec_t
-/usr/sbin/ntpclockset	--	system_u:object_r:clockspeed_exec_t
-
-/var/lib/clockspeed(/.*)?	system_u:object_r:clockspeed_var_lib_t
-
diff --git a/targeted/file_contexts/program/compat.fc b/targeted/file_contexts/program/compat.fc
deleted file mode 100644
index 4772ed7..0000000
--- a/targeted/file_contexts/program/compat.fc
+++ /dev/null
@@ -1,62 +0,0 @@
-ifdef(`setfiles.te', `', `
-# setfiles
-/usr/sbin/setfiles.*	--	system_u:object_r:setfiles_exec_t:s0
-')
-
-ifdef(`mount.te', `', `
-# mount
-/bin/mount.*			--	system_u:object_r:mount_exec_t:s0
-/bin/umount.*			--	system_u:object_r:mount_exec_t:s0
-')
-ifdef(`loadkeys.te', `', `
-# loadkeys
-/bin/unikeys		--	system_u:object_r:loadkeys_exec_t:s0
-/bin/loadkeys		--	system_u:object_r:loadkeys_exec_t:s0
-')
-ifdef(`dmesg.te', `', `
-# dmesg
-/bin/dmesg	--	system_u:object_r:dmesg_exec_t:s0
-')
-ifdef(`fsadm.te', `', `
-# fs admin utilities
-/sbin/fsck.*		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mkfs.*		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/e2fsck		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mkdosfs		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/dosfsck		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/reiserfs(ck|tune)	--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mkreiserfs	--	system_u:object_r:fsadm_exec_t:s0
-/sbin/resize.*fs	--	system_u:object_r:fsadm_exec_t:s0
-/sbin/e2label		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/findfs		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mkfs		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mke2fs		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mkswap		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/scsi_info		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/sfdisk		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/cfdisk		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/fdisk		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/parted		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/tune2fs		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/dumpe2fs		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/swapon.*		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/hdparm		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/raidstart		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mkraid		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/blockdev		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/losetup.*		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/jfs_.*		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/lsraid		--	system_u:object_r:fsadm_exec_t:s0
-/usr/sbin/smartctl	--	system_u:object_r:fsadm_exec_t:s0
-/sbin/install-mbr	--	system_u:object_r:fsadm_exec_t:s0
-/usr/bin/scsi_unique_id	--	system_u:object_r:fsadm_exec_t:s0
-/usr/bin/raw		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/partx		--	system_u:object_r:fsadm_exec_t:s0
-/usr/bin/partition_uuid	--	system_u:object_r:fsadm_exec_t:s0
-/sbin/partprobe		--	system_u:object_r:fsadm_exec_t:s0
-')
-ifdef(`kudzu.te', `', `
-# kudzu
-/usr/sbin/kudzu	--	system_u:object_r:kudzu_exec_t:s0
-/sbin/kmodule	--	system_u:object_r:kudzu_exec_t:s0
-')
diff --git a/targeted/file_contexts/program/comsat.fc b/targeted/file_contexts/program/comsat.fc
deleted file mode 100644
index 3704901..0000000
--- a/targeted/file_contexts/program/comsat.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# biff server
-/usr/sbin/in\.comsat	--	system_u:object_r:comsat_exec_t:s0
diff --git a/targeted/file_contexts/program/consoletype.fc b/targeted/file_contexts/program/consoletype.fc
deleted file mode 100644
index 1258f57..0000000
--- a/targeted/file_contexts/program/consoletype.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# consoletype
-/sbin/consoletype	--	system_u:object_r:consoletype_exec_t:s0
diff --git a/targeted/file_contexts/program/courier.fc b/targeted/file_contexts/program/courier.fc
deleted file mode 100644
index 16f6adb..0000000
--- a/targeted/file_contexts/program/courier.fc
+++ /dev/null
@@ -1,18 +0,0 @@
-# courier pop, imap, and webmail
-/usr/lib(64)?/courier(/.*)?			system_u:object_r:bin_t
-/usr/lib(64)?/courier/rootcerts(/.*)?	system_u:object_r:courier_etc_t
-/usr/lib(64)?/courier/authlib/.*	--	system_u:object_r:courier_authdaemon_exec_t
-/usr/lib(64)?/courier/courier/.*	--	system_u:object_r:courier_exec_t
-/usr/lib(64)?/courier/courier/courierpop.* -- system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/courier/imaplogin --	system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/courier/pcpd	--	system_u:object_r:courier_pcp_exec_t
-/usr/lib(64)?/courier/imapd		--	system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/pop3d		--	system_u:object_r:courier_pop_exec_t
-/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- system_u:object_r:sqwebmail_cron_exec_t
-/var/lib/courier(/.*)?			system_u:object_r:courier_var_lib_t
-/usr/bin/imapd			--	system_u:object_r:courier_pop_exec_t
-/usr/sbin/courierlogger		--	system_u:object_r:courier_exec_t
-/usr/sbin/courierldapaliasd	--	system_u:object_r:courier_exec_t
-/usr/sbin/couriertcpd		--	system_u:object_r:courier_tcpd_exec_t
-/var/run/courier(/.*)?			system_u:object_r:courier_var_run_t
-/etc/courier(/.*)?			system_u:object_r:courier_etc_t
diff --git a/targeted/file_contexts/program/cpucontrol.fc b/targeted/file_contexts/program/cpucontrol.fc
deleted file mode 100644
index e7e488a..0000000
--- a/targeted/file_contexts/program/cpucontrol.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# cpucontrol
-/sbin/microcode_ctl	--	system_u:object_r:cpucontrol_exec_t:s0
-/etc/firmware/.*	--	system_u:object_r:cpucontrol_conf_t:s0
diff --git a/targeted/file_contexts/program/cpuspeed.fc b/targeted/file_contexts/program/cpuspeed.fc
deleted file mode 100644
index 5e91f55..0000000
--- a/targeted/file_contexts/program/cpuspeed.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# cpuspeed
-/usr/sbin/cpuspeed	--	system_u:object_r:cpuspeed_exec_t:s0
-/usr/sbin/powernowd	--	system_u:object_r:cpuspeed_exec_t:s0
diff --git a/targeted/file_contexts/program/crack.fc b/targeted/file_contexts/program/crack.fc
deleted file mode 100644
index 7d99136..0000000
--- a/targeted/file_contexts/program/crack.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# crack - for password checking
-/usr/sbin/cracklib-[a-z]*	--	system_u:object_r:crack_exec_t
-/usr/sbin/crack_[a-z]*	--	system_u:object_r:crack_exec_t
-/var/cache/cracklib(/.*)?	system_u:object_r:crack_db_t
-/usr/lib(64)?/cracklib_dict.* --	system_u:object_r:crack_db_t
-/usr/share/cracklib(/.*)?	system_u:object_r:crack_db_t
diff --git a/targeted/file_contexts/program/crond.fc b/targeted/file_contexts/program/crond.fc
deleted file mode 100644
index 3ee6ee5..0000000
--- a/targeted/file_contexts/program/crond.fc
+++ /dev/null
@@ -1,34 +0,0 @@
-# crond
-/etc/crontab		--	system_u:object_r:system_cron_spool_t:s0
-/etc/cron\.d(/.*)?		system_u:object_r:system_cron_spool_t:s0
-/usr/sbin/cron(d)?	--	system_u:object_r:crond_exec_t:s0
-/usr/sbin/anacron	--	system_u:object_r:anacron_exec_t:s0
-/var/spool/cron		-d	system_u:object_r:cron_spool_t:s0
-/var/spool/cron/crontabs -d	system_u:object_r:cron_spool_t:s0
-/var/spool/cron/crontabs/.* -- <<none>>
-/var/spool/cron/crontabs/root -- system_u:object_r:sysadm_cron_spool_t:s0
-/var/spool/cron/root	--	system_u:object_r:sysadm_cron_spool_t:s0
-/var/spool/cron/[^/]*	--	<<none>>
-/var/run/crond\.reboot	--	system_u:object_r:crond_var_run_t:s0
-/var/run/crond?\.pid	--	system_u:object_r:crond_var_run_t:s0
-# fcron
-/usr/sbin/fcron		--	system_u:object_r:crond_exec_t:s0
-/var/spool/fcron	-d	system_u:object_r:cron_spool_t:s0
-/var/spool/fcron/.*		<<none>>
-/var/spool/fcron/systab\.orig --	system_u:object_r:system_cron_spool_t:s0
-/var/spool/fcron/systab	 --	system_u:object_r:system_cron_spool_t:s0
-/var/spool/fcron/new\.systab --	system_u:object_r:system_cron_spool_t:s0
-/var/run/fcron\.fifo	-s	system_u:object_r:crond_var_run_t:s0
-/var/run/fcron\.pid	--	system_u:object_r:crond_var_run_t:s0
-# atd
-/usr/sbin/atd		--	system_u:object_r:crond_exec_t:s0
-/var/spool/at		-d	system_u:object_r:cron_spool_t:s0
-/var/spool/at/spool	-d	system_u:object_r:cron_spool_t:s0
-/var/spool/at/[^/]*	--	<<none>>
-/var/run/atd\.pid	--	system_u:object_r:crond_var_run_t:s0
-ifdef(`distro_suse', `
-/usr/lib/cron/run-crons	--	system_u:object_r:bin_t:s0
-/var/spool/cron/lastrun	-d	system_u:object_r:crond_tmp_t:s0
-/var/spool/cron/lastrun/[^/]*	--	<<none>>
-/var/spool/cron/tabs	-d	system_u:object_r:cron_spool_t:s0
-')
diff --git a/targeted/file_contexts/program/crontab.fc b/targeted/file_contexts/program/crontab.fc
deleted file mode 100644
index 5c18699..0000000
--- a/targeted/file_contexts/program/crontab.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# crontab
-/usr/bin/(f)?crontab	--	system_u:object_r:crontab_exec_t
-/usr/bin/at		--	system_u:object_r:crontab_exec_t
diff --git a/targeted/file_contexts/program/cups.fc b/targeted/file_contexts/program/cups.fc
deleted file mode 100644
index fea8ef0..0000000
--- a/targeted/file_contexts/program/cups.fc
+++ /dev/null
@@ -1,46 +0,0 @@
-# cups printing
-/etc/cups(/.*)?			system_u:object_r:cupsd_etc_t:s0
-/usr/share/cups(/.*)?		system_u:object_r:cupsd_etc_t:s0
-/etc/alchemist/namespace/printconf(/.*)? system_u:object_r:cupsd_rw_etc_t:s0
-/var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/client\.conf	--	system_u:object_r:etc_t:s0
-/etc/cups/cupsd\.conf.* --	system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/classes\.conf.* --	system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/lpoptions	--	system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/printers\.conf.* --	system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/ppd/.*	--	system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/certs		-d	system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/certs/.*	--	system_u:object_r:cupsd_rw_etc_t:s0
-/var/lib/cups/certs	-d	system_u:object_r:cupsd_rw_etc_t:s0
-/var/lib/cups/certs/.*	--	system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/ppds\.dat	--	system_u:object_r:cupsd_rw_etc_t:s0
-/etc/cups/lpoptions.* 	--	system_u:object_r:cupsd_rw_etc_t:s0
-/etc/printcap.* 	--	system_u:object_r:cupsd_rw_etc_t:s0
-/usr/lib(64)?/cups/backend/.* --	system_u:object_r:cupsd_exec_t:s0
-/usr/lib(64)?/cups/daemon/.*	 --	system_u:object_r:cupsd_exec_t:s0
-/usr/lib(64)?/cups/daemon/cups-lpd --	system_u:object_r:cupsd_lpd_exec_t:s0
-/usr/sbin/cupsd		--	system_u:object_r:cupsd_exec_t:s0
-ifdef(`hald.te', `
-# cupsd_config depends on hald
-/usr/bin/cups-config-daemon --	system_u:object_r:cupsd_config_exec_t:s0
-/usr/sbin/hal_lpadmin --	system_u:object_r:cupsd_config_exec_t:s0
-/usr/sbin/printconf-backend --	system_u:object_r:cupsd_config_exec_t:s0
-')
-/var/log/cups(/.*)?		system_u:object_r:cupsd_log_t:s0
-/var/log/turboprint_cups\.log.* -- system_u:object_r:cupsd_log_t:s0
-/var/spool/cups(/.*)?		system_u:object_r:print_spool_t:s0
-/var/run/cups/printcap	--	system_u:object_r:cupsd_var_run_t:s0
-/usr/lib(64)?/cups/filter/.*	--	system_u:object_r:bin_t:s0
-/usr/lib(64)?/cups/cgi-bin/.* --	system_u:object_r:bin_t:s0
-/usr/sbin/ptal-printd	--	system_u:object_r:ptal_exec_t:s0
-/usr/sbin/ptal-mlcd	--	system_u:object_r:ptal_exec_t:s0
-/usr/sbin/ptal-photod	--	system_u:object_r:ptal_exec_t:s0
-/var/run/ptal-printd(/.*)?	system_u:object_r:ptal_var_run_t:s0
-/var/run/ptal-mlcd(/.*)?	system_u:object_r:ptal_var_run_t:s0
-/etc/hp(/.*)?			system_u:object_r:hplip_etc_t:s0
-/usr/sbin/hpiod		--	system_u:object_r:hplip_exec_t:s0
-/usr/share/hplip/hpssd.py	--	system_u:object_r:hplip_exec_t:s0
-/usr/share/foomatic/db/oldprinterids 	--	system_u:object_r:cupsd_rw_etc_t:s0
-/var/cache/foomatic(/.*)? 	--	system_u:object_r:cupsd_rw_etc_t:s0
-/var/run/hp.*\.pid		--	system_u:object_r:hplip_var_run_t:s0
-/var/run/hp.*\.port		--	system_u:object_r:hplip_var_run_t:s0
diff --git a/targeted/file_contexts/program/cvs.fc b/targeted/file_contexts/program/cvs.fc
deleted file mode 100644
index 8aa1edc..0000000
--- a/targeted/file_contexts/program/cvs.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# cvs program
-/usr/bin/cvs	--	system_u:object_r:cvs_exec_t:s0
diff --git a/targeted/file_contexts/program/cyrus.fc b/targeted/file_contexts/program/cyrus.fc
deleted file mode 100644
index f415273..0000000
--- a/targeted/file_contexts/program/cyrus.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# cyrus
-/var/lib/imap(/.*)?				system_u:object_r:cyrus_var_lib_t:s0
-/usr/lib(64)?/cyrus-imapd/.*		 	--	system_u:object_r:bin_t:s0
-/usr/lib(64)?/cyrus-imapd/cyrus-master 		--	system_u:object_r:cyrus_exec_t:s0	
-/var/spool/imap(/.*)?		system_u:object_r:mail_spool_t:s0
diff --git a/targeted/file_contexts/program/daemontools.fc b/targeted/file_contexts/program/daemontools.fc
deleted file mode 100644
index c2642ed..0000000
--- a/targeted/file_contexts/program/daemontools.fc
+++ /dev/null
@@ -1,54 +0,0 @@
-# daemontools
-
-/var/service/.*			system_u:object_r:svc_svc_t
-
-# symlinks to /var/service/*
-/service(/.*)?			system_u:object_r:svc_svc_t
-
-# supervise scripts
-/usr/bin/svc-add	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-isdown	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-isup	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-remove	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-start	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-status	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-stop	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-waitdown	--	system_u:object_r:svc_script_exec_t
-/usr/bin/svc-waitup	--	system_u:object_r:svc_script_exec_t
-
-# supervise init binaries
-# these programs read/write to /service/*/supervise/* and /service/*/log/supervise/*
-/usr/bin/svc		--	system_u:object_r:svc_start_exec_t
-/usr/bin/svscan		--	system_u:object_r:svc_start_exec_t
-/usr/bin/svscanboot	--	system_u:object_r:svc_start_exec_t
-/usr/bin/svok		--	system_u:object_r:svc_start_exec_t
-/usr/bin/supervise	--	system_u:object_r:svc_start_exec_t
-
-# starting scripts
-/var/service/.*/run.*		system_u:object_r:svc_run_exec_t
-/var/service/.*/log/run		system_u:object_r:svc_run_exec_t
-
-# configurations
-/var/service/.*/env(/.*)?   system_u:object_r:svc_conf_t
-
-# log
-/var/service/.*/log/main(/.*)?  system_u:object_r:svc_log_t
-
-# programs that impose a given environment to daemons
-/usr/bin/softlimit	--	system_u:object_r:svc_run_exec_t
-/usr/bin/setuidgid	--	system_u:object_r:svc_run_exec_t
-/usr/bin/envuidgid	--	system_u:object_r:svc_run_exec_t
-/usr/bin/envdir		--	system_u:object_r:svc_run_exec_t
-/usr/bin/setlock	--	system_u:object_r:svc_run_exec_t
-
-# helper programs
-/usr/bin/fghack		--	system_u:object_r:svc_run_exec_t
-/usr/bin/pgrphack	--	system_u:object_r:svc_run_exec_t
-
-/var/run/svscan\.pid	--	system_u:object_r:initrc_var_run_t
-# daemontools logger # writes to service/*/log/main/ and /var/log/*/
-/usr/bin/multilog	--	system_u:object_r:svc_multilog_exec_t
-
-/sbin/svcinit       --  system_u:object_r:initrc_exec_t
-/sbin/runsvcscript\.sh	--	system_u:object_r:initrc_exec_t
-
diff --git a/targeted/file_contexts/program/dante.fc b/targeted/file_contexts/program/dante.fc
deleted file mode 100644
index ce7f335..0000000
--- a/targeted/file_contexts/program/dante.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dante
-/usr/sbin/sockd		--	system_u:object_r:dante_exec_t
-/etc/socks(/.*)?		system_u:object_r:dante_conf_t
-/var/run/sockd.pid	--	system_u:object_r:dante_var_run_t
diff --git a/targeted/file_contexts/program/dbskkd.fc b/targeted/file_contexts/program/dbskkd.fc
deleted file mode 100644
index 4f2d72f..0000000
--- a/targeted/file_contexts/program/dbskkd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# A dictionary server for the SKK Japanese input method system.
-/usr/sbin/dbskkd-cdb	--	system_u:object_r:dbskkd_exec_t:s0
diff --git a/targeted/file_contexts/program/dbusd.fc b/targeted/file_contexts/program/dbusd.fc
deleted file mode 100644
index ea4e065..0000000
--- a/targeted/file_contexts/program/dbusd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/bin/dbus-daemon(-1)?	--	system_u:object_r:system_dbusd_exec_t:s0
-/etc/dbus-1(/.*)?		system_u:object_r:etc_dbusd_t:s0
-/var/run/dbus(/.*)?		system_u:object_r:system_dbusd_var_run_t:s0
diff --git a/targeted/file_contexts/program/dcc.fc b/targeted/file_contexts/program/dcc.fc
deleted file mode 100644
index a6b1372..0000000
--- a/targeted/file_contexts/program/dcc.fc
+++ /dev/null
@@ -1,17 +0,0 @@
-# DCC
-/etc/dcc(/.*)?				system_u:object_r:dcc_var_t
-/etc/dcc/map			--	system_u:object_r:dcc_client_map_t
-/etc/dcc/dccifd			-s	system_u:object_r:dccifd_sock_t
-/usr/bin/cdcc				system_u:object_r:cdcc_exec_t
-/usr/bin/dccproc			system_u:object_r:dcc_client_exec_t
-/usr/libexec/dcc/dbclean		system_u:object_r:dcc_dbclean_exec_t
-/usr/libexec/dcc/dccd			system_u:object_r:dccd_exec_t
-/usr/libexec/dcc/dccifd			system_u:object_r:dccifd_exec_t
-/usr/libexec/dcc/dccm			system_u:object_r:dccm_exec_t
-/usr/libexec/dcc/start-.*		system_u:object_r:dcc_script_exec_t
-/usr/libexec/dcc/stop-.*		system_u:object_r:dcc_script_exec_t
-/var/dcc(/.*)?				system_u:object_r:dcc_var_t
-/var/dcc/map			--	system_u:object_r:dcc_client_map_t
-/var/run/dcc				system_u:object_r:dcc_var_run_t
-/var/run/dcc/map		--	system_u:object_r:dcc_client_map_t
-/var/run/dcc/dccifd		-s	system_u:object_r:dccifd_sock_t
diff --git a/targeted/file_contexts/program/ddclient.fc b/targeted/file_contexts/program/ddclient.fc
deleted file mode 100644
index 83ee3d2..0000000
--- a/targeted/file_contexts/program/ddclient.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# ddclient
-/etc/ddclient\.conf		--	system_u:object_r:ddclient_etc_t
-/usr/sbin/ddclient		--	system_u:object_r:ddclient_exec_t
-/var/cache/ddclient(/.*)?		system_u:object_r:ddclient_var_t
-/var/run/ddclient\.pid		--	system_u:object_r:ddclient_var_run_t
-# ddt - Dynamic DNS client
-/usr/sbin/ddtcd		--	system_u:object_r:ddclient_exec_t
-/var/run/ddtcd\.pid	--	system_u:object_r:ddclient_var_run_t
-/etc/ddtcd\.conf	--	system_u:object_r:ddclient_etc_t
-/var/lib/ddt-client(/.*)?	system_u:object_r:ddclient_var_lib_t
-/var/log/ddtcd\.log.*	--	system_u:object_r:ddclient_log_t
diff --git a/targeted/file_contexts/program/ddcprobe.fc b/targeted/file_contexts/program/ddcprobe.fc
deleted file mode 100644
index 4313349..0000000
--- a/targeted/file_contexts/program/ddcprobe.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/ddcprobe      --		system_u:object_r:ddcprobe_exec_t
diff --git a/targeted/file_contexts/program/dhcpc.fc b/targeted/file_contexts/program/dhcpc.fc
deleted file mode 100644
index e892abe..0000000
--- a/targeted/file_contexts/program/dhcpc.fc
+++ /dev/null
@@ -1,19 +0,0 @@
-# dhcpcd 
-/etc/dhcpc.*			system_u:object_r:dhcp_etc_t:s0
-/etc/dhcp3?/dhclient.*		system_u:object_r:dhcp_etc_t:s0
-/etc/dhclient.*conf	--	system_u:object_r:dhcp_etc_t:s0
-/etc/dhclient-script	--	system_u:object_r:dhcp_etc_t:s0
-/sbin/dhcpcd		--	system_u:object_r:dhcpc_exec_t:s0
-/sbin/dhcdbd		--	system_u:object_r:dhcpc_exec_t:s0
-/sbin/dhclient.*	--	system_u:object_r:dhcpc_exec_t:s0
-/var/lib/dhcp(3)?/dhclient.*	system_u:object_r:dhcpc_state_t:s0
-/var/lib/dhcpcd(/.*)?		system_u:object_r:dhcpc_state_t:s0
-/var/lib/dhclient(/.*)?		system_u:object_r:dhcpc_state_t:s0
-/var/run/dhclient.*\.pid --	system_u:object_r:dhcpc_var_run_t:s0
-/var/run/dhclient.*\.leases --	system_u:object_r:dhcpc_var_run_t:s0
-# pump
-/sbin/pump		--	system_u:object_r:dhcpc_exec_t:s0
-ifdef(`dhcp_defined', `', `
-/var/lib/dhcp(3)?	-d	system_u:object_r:dhcp_state_t:s0
-define(`dhcp_defined')
-')
diff --git a/targeted/file_contexts/program/dhcpd.fc b/targeted/file_contexts/program/dhcpd.fc
deleted file mode 100644
index 5aff344..0000000
--- a/targeted/file_contexts/program/dhcpd.fc
+++ /dev/null
@@ -1,34 +0,0 @@
-# dhcpd
-/etc/dhcpd\.conf	--	system_u:object_r:dhcp_etc_t:s0
-/etc/dhcp3(/.*)?		system_u:object_r:dhcp_etc_t:s0
-/usr/sbin/dhcpd.*	--	system_u:object_r:dhcpd_exec_t:s0
-/var/lib/dhcp([3d])?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t:s0
-/var/run/dhcpd\.pid	--	system_u:object_r:dhcpd_var_run_t:s0
-ifdef(`dhcp_defined', `', `
-/var/lib/dhcp([3d])?	-d	system_u:object_r:dhcp_state_t:s0
-define(`dhcp_defined')
-')
-
-ifdef(`distro_gentoo', `
-/etc/dhcp			-d	system_u:object_r:dhcp_etc_t:s0
-/etc/dhcp(/.*)?			--	system_u:object_r:dhcp_etc_t:s0
-/var/lib/dhcp			-d 	system_u:object_r:dhcp_state_t:s0
-/var/lib/dhcpd(/.*)?			system_u:object_r:dhcpd_state_t:s0
-/var/lib/dhcp/dhcpd\.leases.* 	--	system_u:object_r:dhcpd_state_t:s0
-/var/run/dhcp/dhcpd\.pid     	--	system_u:object_r:dhcpd_var_run_t:s0
-
-# for the chroot setup
-/chroot/dhcp					-d	system_u:object_r:root_t:s0
-/chroot/dhcp/dev				-d	system_u:object_r:device_t:s0
-/chroot/dhcp/etc				-d	system_u:object_r:etc_t:s0
-/chroot/dhcp/etc/dhcp               -d  system_u:object_r:dhcp_etc_t:s0
-/chroot/dhcp/etc/dhcp(/.*)?         --  system_u:object_r:dhcp_etc_t:s0
-/chroot/dhcp/usr/sbin/dhcpd         --  system_u:object_r:dhcpd_exec_t:s0
-/chroot/dhcp/var				-d	system_u:object_r:var_t:s0
-/chroot/dhcp/var/run				-d	system_u:object_r:var_run_t:s0
-/chroot/dhcp/var/lib				-d	system_u:object_r:var_lib_t:s0
-/chroot/dhcp/var/lib/dhcp			-d	system_u:object_r:dhcp_state_t:s0
-/chroot/dhcp/var/lib/dhcp/dhcpd\.leases.*	--	system_u:object_r:dhcpd_state_t:s0
-/chroot/dhcp/var/run/dhcp/dhcpd\.pid     	--	system_u:object_r:dhcpd_state_t:s0
-')
-
diff --git a/targeted/file_contexts/program/dictd.fc b/targeted/file_contexts/program/dictd.fc
deleted file mode 100644
index b089863..0000000
--- a/targeted/file_contexts/program/dictd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dictd
-/etc/dictd\.conf		--	system_u:object_r:dictd_etc_t:s0
-/usr/sbin/dictd		--	system_u:object_r:dictd_exec_t:s0
-/var/lib/dictd(/.*)?		system_u:object_r:dictd_var_lib_t:s0
diff --git a/targeted/file_contexts/program/distcc.fc b/targeted/file_contexts/program/distcc.fc
deleted file mode 100644
index 3ab9797..0000000
--- a/targeted/file_contexts/program/distcc.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# distcc
-/usr/bin/distccd	--	system_u:object_r:distccd_exec_t
diff --git a/targeted/file_contexts/program/djbdns.fc b/targeted/file_contexts/program/djbdns.fc
deleted file mode 100644
index 6174b9f..0000000
--- a/targeted/file_contexts/program/djbdns.fc
+++ /dev/null
@@ -1,26 +0,0 @@
-#djbdns
-/usr/bin/dnscache               -- system_u:object_r:djbdns_dnscache_exec_t
-/usr/bin/tinydns                -- system_u:object_r:djbdns_tinydns_exec_t
-/usr/bin/axfrdns                -- system_u:object_r:djbdns_axfrdns_exec_t
-
-/var/dnscache[a-z]?(/.*)?          system_u:object_r:svc_svc_t
-/var/dnscache[a-z]?/run        --  system_u:object_r:svc_run_exec_t
-/var/dnscache[a-z]?/log/run    --  system_u:object_r:svc_run_exec_t
-/var/dnscache[a-z]?/env(/.*)?      system_u:object_r:svc_conf_t
-/var/dnscache[a-z]?/root(/.*)?     system_u:object_r:djbdns_dnscache_conf_t
-/var/dnscache[a-z]?/log/main(/.*)? system_u:object_r:var_log_t
-
-/var/tinydns(/.*)?                 system_u:object_r:svc_svc_t
-/var/tinydns/run               --  system_u:object_r:svc_run_exec_t
-/var/tinydns/log/run           --  system_u:object_r:svc_run_exec_t
-/var/tinydns/env(/.*)?             system_u:object_r:svc_conf_t
-/var/tinydns/root(/.*)?            system_u:object_r:djbdns_tinydns_conf_t
-/var/tinydns/log/main(/.*)?        system_u:object_r:var_log_t
-
-/var/axfrdns(/.*)?                 system_u:object_r:svc_svc_t
-/var/axfrdns/run               --  system_u:object_r:svc_run_exec_t
-/var/axfrdns/log/run           --  system_u:object_r:svc_run_exec_t
-/var/axfrdns/env(/.*)?             system_u:object_r:svc_conf_t
-/var/axfrdns/root(/.*)?            system_u:object_r:djbdns_axfrdns_conf_t
-/var/axfrdns/log/main(/.*)?        system_u:object_r:var_log_t
-
diff --git a/targeted/file_contexts/program/dmesg.fc b/targeted/file_contexts/program/dmesg.fc
deleted file mode 100644
index 2df5752..0000000
--- a/targeted/file_contexts/program/dmesg.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# dmesg
-/bin/dmesg	--	system_u:object_r:dmesg_exec_t
diff --git a/targeted/file_contexts/program/dmidecode.fc b/targeted/file_contexts/program/dmidecode.fc
deleted file mode 100644
index 7b02fd5..0000000
--- a/targeted/file_contexts/program/dmidecode.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dmidecode 
-/usr/sbin/dmidecode	--	   	system_u:object_r:dmidecode_exec_t:s0
-/usr/sbin/ownership	--		system_u:object_r:dmidecode_exec_t:s0
-/usr/sbin/vpddecode	--		system_u:object_r:dmidecode_exec_t:s0
diff --git a/targeted/file_contexts/program/dnsmasq.fc b/targeted/file_contexts/program/dnsmasq.fc
deleted file mode 100644
index e1b1c35..0000000
--- a/targeted/file_contexts/program/dnsmasq.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# dnsmasq
-/usr/sbin/dnsmasq		--	system_u:object_r:dnsmasq_exec_t
-/var/lib/misc/dnsmasq\.leases	--	system_u:object_r:dnsmasq_lease_t
-/var/run/dnsmasq\.pid		--	system_u:object_r:dnsmasq_var_run_t
diff --git a/targeted/file_contexts/program/dovecot.fc b/targeted/file_contexts/program/dovecot.fc
deleted file mode 100644
index bc45b9d..0000000
--- a/targeted/file_contexts/program/dovecot.fc
+++ /dev/null
@@ -1,16 +0,0 @@
-# for Dovecot POP and IMAP server
-/etc/dovecot.conf.*			system_u:object_r:dovecot_etc_t:s0
-/etc/dovecot.passwd.*			system_u:object_r:dovecot_passwd_t:s0
-/usr/sbin/dovecot		--	system_u:object_r:dovecot_exec_t:s0
-ifdef(`distro_redhat', `
-/usr/libexec/dovecot/dovecot-auth --	system_u:object_r:dovecot_auth_exec_t:s0
-')
-ifdef(`distro_debian', `
-/usr/lib/dovecot/dovecot-auth	--	system_u:object_r:dovecot_auth_exec_t:s0
-')
-/usr/share/ssl/certs/dovecot\.pem --	system_u:object_r:dovecot_cert_t:s0
-/usr/share/ssl/private/dovecot\.pem --	system_u:object_r:dovecot_cert_t:s0
-/etc/pki/dovecot(/.*)?			system_u:object_r:dovecot_cert_t:s0
-/var/run/dovecot(-login)?(/.*)?		system_u:object_r:dovecot_var_run_t:s0
-/usr/lib(64)?/dovecot/.+	--		system_u:object_r:bin_t:s0
-/var/spool/dovecot(/.*)?		system_u:object_r:dovecot_spool_t:s0
diff --git a/targeted/file_contexts/program/dpkg.fc b/targeted/file_contexts/program/dpkg.fc
deleted file mode 100644
index f0f56f6..0000000
--- a/targeted/file_contexts/program/dpkg.fc
+++ /dev/null
@@ -1,49 +0,0 @@
-# dpkg/dselect/apt
-/etc/apt(/.*)?			system_u:object_r:apt_etc_t
-/etc/apt/listbugs(/.*)?		system_u:object_r:apt_rw_etc_t
-/usr/bin/apt-cache	--	system_u:object_r:apt_exec_t
-/usr/bin/apt-config	--	system_u:object_r:apt_exec_t
-/usr/bin/apt-get	--	system_u:object_r:apt_exec_t
-/usr/bin/dpkg		--	system_u:object_r:dpkg_exec_t
-/usr/sbin/dpkg-reconfigure --	system_u:object_r:dpkg_exec_t
-/usr/bin/dselect	--	system_u:object_r:dpkg_exec_t
-/usr/bin/aptitude	--	system_u:object_r:dpkg_exec_t
-/usr/bin/update-menus	--	system_u:object_r:install_menu_exec_t
-/usr/lib(64)?/apt/methods/.+	--	system_u:object_r:apt_exec_t
-/usr/lib(64)?/man-db(/.*)?		system_u:object_r:bin_t
-/usr/lib(64)?/dpkg/.+	--	system_u:object_r:dpkg_exec_t
-/usr/sbin/dpkg-preconfigure --	system_u:object_r:dpkg_exec_t
-/usr/sbin/install-menu	--	system_u:object_r:install_menu_exec_t
-/usr/share/applnk(/.*)?		system_u:object_r:debian_menu_t
-/usr/share/debconf/.+	--	system_u:object_r:dpkg_exec_t
-/usr/share/debiandoc-sgml/saspconvert -- system_u:object_r:bin_t
-/usr/share/lintian/.+	--	system_u:object_r:bin_t
-/usr/share/kernel-package/.+ -- system_u:object_r:bin_t
-/usr/share/smartmontools/selftests -- system_u:object_r:bin_t
-/usr/share/bug/[^/]+	--	system_u:object_r:bin_t
-/var/cache/apt(/.*)?		system_u:object_r:var_cache_apt_t
-/var/cache/apt-listbugs(/.*)?	system_u:object_r:var_cache_apt_t
-/var/lib/apt(/.*)?		system_u:object_r:apt_var_lib_t
-/var/state/apt(/.*)?		system_u:object_r:apt_var_lib_t
-/var/lib/dpkg(/.*)?		system_u:object_r:dpkg_var_lib_t
-/var/lib/dpkg/(meth)?lock --	system_u:object_r:dpkg_lock_t
-/var/lib/kde(/.*)?		system_u:object_r:debian_menu_t
-/var/spool/kdeapplnk(/.*)?	system_u:object_r:debian_menu_t
-/var/cache/debconf(/.*)?	system_u:object_r:debconf_cache_t
-/etc/dpkg/.+		--	system_u:object_r:dpkg_etc_t
-/etc/menu-methods/.*	--	system_u:object_r:install_menu_exec_t
-/usr/share/console/getkmapchoice\.pl -- system_u:object_r:bin_t
-/var/run/update-menus\.pid --	system_u:object_r:install_menu_var_run_t
-/usr/share/dlint/digparse --	system_u:object_r:bin_t
-/usr/share/gimp/1\.2/user_install -- system_u:object_r:bin_t
-/usr/share/openoffice\.org-debian-files/install-hook -- system_u:object_r:bin_t
-/var/lib/defoma(/.*)?		system_u:object_r:fonts_t
-/usr/lib(64)?/doc-rfc/register-doc-rfc-docs -- system_u:object_r:bin_t
-/usr/share/intltool-debian/.* -- system_u:object_r:bin_t
-/usr/share/po-debconf/intltool-merge -- system_u:object_r:bin_t
-/usr/share/linuxdoc-tools/sgmlswhich -- system_u:object_r:bin_t
-/usr/share/shorewall/.*	--	system_u:object_r:bin_t
-/usr/share/reportbug/.*	--	system_u:object_r:bin_t
-/etc/network/ifstate.*	--	system_u:object_r:etc_runtime_t
-/usr/lib(64)?/gconf2/gconfd-2 --	system_u:object_r:bin_t
-/bin/mountpoint		--	system_u:object_r:fsadm_exec_t
diff --git a/targeted/file_contexts/program/ethereal.fc b/targeted/file_contexts/program/ethereal.fc
deleted file mode 100644
index abe9b02..0000000
--- a/targeted/file_contexts/program/ethereal.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/tethereal.*		--	system_u:object_r:tethereal_exec_t
-/usr/sbin/ethereal.*		--	system_u:object_r:ethereal_exec_t				
-HOME_DIR/\.ethereal(/.*)? 		system_u:object_r:ROLE_ethereal_home_t		
diff --git a/targeted/file_contexts/program/evolution.fc b/targeted/file_contexts/program/evolution.fc
deleted file mode 100644
index 1a3bf38..0000000
--- a/targeted/file_contexts/program/evolution.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-/usr/bin/evolution.*					--	system_u:object_r:evolution_exec_t
-/usr/libexec/evolution/.*evolution-alarm-notify.*	--	system_u:object_r:evolution_alarm_exec_t
-/usr/libexec/evolution/.*evolution-exchange-storage.*	--	system_u:object_r:evolution_exchange_exec_t
-/usr/libexec/evolution-data-server.*			--	system_u:object_r:evolution_server_exec_t
-/usr/libexec/evolution-webcal.*				--	system_u:object_r:evolution_webcal_exec_t
-HOME_DIR/\.evolution(/.*)?					system_u:object_r:ROLE_evolution_home_t
-HOME_DIR/\.camel_certs(/.*)?					system_u:object_r:ROLE_evolution_home_t
-/tmp/\.exchange-USER(/.*)?					system_u:object_r:ROLE_evolution_exchange_tmp_t
diff --git a/targeted/file_contexts/program/fetchmail.fc b/targeted/file_contexts/program/fetchmail.fc
deleted file mode 100644
index 5186172..0000000
--- a/targeted/file_contexts/program/fetchmail.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# fetchmail
-/etc/fetchmailrc		--	system_u:object_r:fetchmail_etc_t
-/usr/bin/fetchmail		--	system_u:object_r:fetchmail_exec_t
-/var/run/fetchmail/.*	--	system_u:object_r:fetchmail_var_run_t
-/var/mail/\.fetchmail-UIDL-cache --	system_u:object_r:fetchmail_uidl_cache_t
diff --git a/targeted/file_contexts/program/fingerd.fc b/targeted/file_contexts/program/fingerd.fc
deleted file mode 100644
index f7ed20d..0000000
--- a/targeted/file_contexts/program/fingerd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# fingerd
-/usr/sbin/in\.fingerd	--	system_u:object_r:fingerd_exec_t:s0
-/usr/sbin/[cef]fingerd	--	system_u:object_r:fingerd_exec_t:s0
-/etc/cron\.weekly/(c)?fingerd -- system_u:object_r:fingerd_exec_t:s0
-/etc/cfingerd(/.*)?		system_u:object_r:fingerd_etc_t:s0
-/var/log/cfingerd\.log.* --	system_u:object_r:fingerd_log_t:s0
diff --git a/targeted/file_contexts/program/firstboot.fc b/targeted/file_contexts/program/firstboot.fc
deleted file mode 100644
index 9a087ed..0000000
--- a/targeted/file_contexts/program/firstboot.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# firstboot
-/usr/sbin/firstboot	-- system_u:object_r:firstboot_exec_t:s0
-/usr/share/firstboot	system_u:object_r:firstboot_rw_t:s0
-/usr/share/firstboot/firstboot\.py --	system_u:object_r:firstboot_exec_t:s0
diff --git a/targeted/file_contexts/program/fontconfig.fc b/targeted/file_contexts/program/fontconfig.fc
deleted file mode 100644
index d8a8dc9..0000000
--- a/targeted/file_contexts/program/fontconfig.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-HOME_DIR/\.fonts.conf		--	system_u:object_r:ROLE_fonts_config_t
-HOME_DIR/\.fonts(/.*)?			system_u:object_r:ROLE_fonts_t
-HOME_DIR/\.fonts/auto(/.*)?		system_u:object_r:ROLE_fonts_cache_t
-HOME_DIR/\.fonts.cache-.*	--	system_u:object_r:ROLE_fonts_cache_t
diff --git a/targeted/file_contexts/program/fs_daemon.fc b/targeted/file_contexts/program/fs_daemon.fc
deleted file mode 100644
index 19ac531..0000000
--- a/targeted/file_contexts/program/fs_daemon.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# fs admin daemons
-/usr/sbin/smartd	--	system_u:object_r:fsdaemon_exec_t
-/var/run/smartd\.pid	--	system_u:object_r:fsdaemon_var_run_t
-/etc/smartd\.conf	--	system_u:object_r:etc_runtime_t
diff --git a/targeted/file_contexts/program/fsadm.fc b/targeted/file_contexts/program/fsadm.fc
deleted file mode 100644
index 4601a39..0000000
--- a/targeted/file_contexts/program/fsadm.fc
+++ /dev/null
@@ -1,40 +0,0 @@
-# fs admin utilities
-/sbin/fsck.*		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mkfs.*		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mkfs\.cramfs	--	system_u:object_r:sbin_t:s0
-/sbin/e2fsck		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mkdosfs		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/dosfsck		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/reiserfs(ck|tune)	--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mkreiserfs	--	system_u:object_r:fsadm_exec_t:s0
-/sbin/resize.*fs	--	system_u:object_r:fsadm_exec_t:s0
-/sbin/e2label		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/findfs		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mkfs		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mke2fs		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mkswap		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/scsi_info		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/sfdisk		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/cfdisk		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/fdisk		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/parted		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/tune2fs		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/dumpe2fs		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/dump		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/swapon.*		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/hdparm		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/raidstart		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/raidautorun	--	system_u:object_r:fsadm_exec_t:s0
-/sbin/mkraid		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/blockdev		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/losetup.*		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/jfs_.*		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/lsraid		--	system_u:object_r:fsadm_exec_t:s0
-/usr/sbin/smartctl	--	system_u:object_r:fsadm_exec_t:s0
-/sbin/install-mbr	--	system_u:object_r:fsadm_exec_t:s0
-/usr/bin/scsi_unique_id	--	system_u:object_r:fsadm_exec_t:s0
-/usr/bin/raw		--	system_u:object_r:fsadm_exec_t:s0
-/sbin/partx		--	system_u:object_r:fsadm_exec_t:s0
-/usr/bin/partition_uuid	--	system_u:object_r:fsadm_exec_t:s0
-/sbin/partprobe		--	system_u:object_r:fsadm_exec_t:s0
-/usr/bin/syslinux	--	system_u:object_r:fsadm_exec_t:s0
diff --git a/targeted/file_contexts/program/ftpd.fc b/targeted/file_contexts/program/ftpd.fc
deleted file mode 100644
index 92a8c3e..0000000
--- a/targeted/file_contexts/program/ftpd.fc
+++ /dev/null
@@ -1,17 +0,0 @@
-# ftpd
-/usr/sbin/in\.ftpd	--	system_u:object_r:ftpd_exec_t:s0
-/usr/sbin/proftpd	--	system_u:object_r:ftpd_exec_t:s0
-/usr/sbin/muddleftpd	--	system_u:object_r:ftpd_exec_t:s0
-/usr/sbin/ftpwho	--	system_u:object_r:ftpd_exec_t:s0
-/usr/kerberos/sbin/ftpd	--	system_u:object_r:ftpd_exec_t:s0
-/usr/sbin/vsftpd	--	system_u:object_r:ftpd_exec_t:s0
-/etc/proftpd\.conf	--	system_u:object_r:ftpd_etc_t:s0
-/var/run/proftpd/proftpd-inetd -- system_u:object_r:ftpd_var_run_t:s0
-/var/run/proftpd/proftpd\.scoreboard -- system_u:object_r:ftpd_var_run_t:s0
-/var/log/muddleftpd\.log.* --	system_u:object_r:xferlog_t:s0
-/var/log/xferlog.*	--	system_u:object_r:xferlog_t:s0
-/var/log/vsftpd.*	--	system_u:object_r:xferlog_t:s0
-/var/log/xferreport.*	--	system_u:object_r:xferlog_t:s0
-/etc/cron\.monthly/proftpd --	system_u:object_r:ftpd_exec_t:s0
-/var/ftp(/.*)?			system_u:object_r:public_content_t:s0
-/srv/([^/]*/)?ftp(/.*)?		system_u:object_r:public_content_t:s0
diff --git a/targeted/file_contexts/program/games.fc b/targeted/file_contexts/program/games.fc
deleted file mode 100644
index 3465eee..0000000
--- a/targeted/file_contexts/program/games.fc
+++ /dev/null
@@ -1,61 +0,0 @@
-#  games
-/usr/lib/games(/.*)? 		system_u:object_r:games_exec_t
-/var/lib/games(/.*)? 		system_u:object_r:games_data_t
-ifdef(`distro_debian', `
-/usr/games/.*		--	system_u:object_r:games_exec_t
-/var/games(/.*)?		system_u:object_r:games_data_t
-', `
-/usr/bin/micq		--	system_u:object_r:games_exec_t
-/usr/bin/blackjack	--	system_u:object_r:games_exec_t
-/usr/bin/gataxx		--	system_u:object_r:games_exec_t
-/usr/bin/glines		--	system_u:object_r:games_exec_t
-/usr/bin/gnect		--	system_u:object_r:games_exec_t
-/usr/bin/gnibbles	--	system_u:object_r:games_exec_t
-/usr/bin/gnobots2	--	system_u:object_r:games_exec_t
-/usr/bin/gnome-stones	--	system_u:object_r:games_exec_t
-/usr/bin/gnomine	--	system_u:object_r:games_exec_t
-/usr/bin/gnotravex	--	system_u:object_r:games_exec_t
-/usr/bin/gnotski	--	system_u:object_r:games_exec_t
-/usr/bin/gtali		--	system_u:object_r:games_exec_t
-/usr/bin/iagno		--	system_u:object_r:games_exec_t
-/usr/bin/mahjongg	--	system_u:object_r:games_exec_t
-/usr/bin/same-gnome	--	system_u:object_r:games_exec_t
-/usr/bin/sol		--	system_u:object_r:games_exec_t
-/usr/bin/atlantik	--	system_u:object_r:games_exec_t
-/usr/bin/kasteroids	--	system_u:object_r:games_exec_t
-/usr/bin/katomic	--	system_u:object_r:games_exec_t
-/usr/bin/kbackgammon	--	system_u:object_r:games_exec_t
-/usr/bin/kbattleship	--	system_u:object_r:games_exec_t
-/usr/bin/kblackbox	--	system_u:object_r:games_exec_t
-/usr/bin/kbounce	--	system_u:object_r:games_exec_t
-/usr/bin/kenolaba	--	system_u:object_r:games_exec_t
-/usr/bin/kfouleggs	--	system_u:object_r:games_exec_t
-/usr/bin/kgoldrunner	--	system_u:object_r:games_exec_t
-/usr/bin/kjumpingcube	--	system_u:object_r:games_exec_t
-/usr/bin/klickety	--	system_u:object_r:games_exec_t
-/usr/bin/klines		--	system_u:object_r:games_exec_t
-/usr/bin/kmahjongg	--	system_u:object_r:games_exec_t
-/usr/bin/kmines		--	system_u:object_r:games_exec_t
-/usr/bin/kolf		--	system_u:object_r:games_exec_t
-/usr/bin/konquest	--	system_u:object_r:games_exec_t
-/usr/bin/kpat		--	system_u:object_r:games_exec_t
-/usr/bin/kpoker		--	system_u:object_r:games_exec_t
-/usr/bin/kreversi	--	system_u:object_r:games_exec_t
-/usr/bin/ksame		--	system_u:object_r:games_exec_t
-/usr/bin/kshisen	--	system_u:object_r:games_exec_t
-/usr/bin/ksirtet	--	system_u:object_r:games_exec_t
-/usr/bin/ksmiletris	--	system_u:object_r:games_exec_t
-/usr/bin/ksnake		--	system_u:object_r:games_exec_t
-/usr/bin/ksokoban	--	system_u:object_r:games_exec_t
-/usr/bin/kspaceduel	--	system_u:object_r:games_exec_t
-/usr/bin/ktron		--	system_u:object_r:games_exec_t
-/usr/bin/ktuberling	--	system_u:object_r:games_exec_t
-/usr/bin/kwin4		--	system_u:object_r:games_exec_t
-/usr/bin/kwin4proc	--	system_u:object_r:games_exec_t
-/usr/bin/lskat		--	system_u:object_r:games_exec_t
-/usr/bin/lskatproc	--	system_u:object_r:games_exec_t
-/usr/bin/Maelstrom	--	system_u:object_r:games_exec_t
-/usr/bin/civclient.*	--	system_u:object_r:games_exec_t
-/usr/bin/civserver.*	--	system_u:object_r:games_exec_t
-')dnl end non-Debian section
-
diff --git a/targeted/file_contexts/program/gatekeeper.fc b/targeted/file_contexts/program/gatekeeper.fc
deleted file mode 100644
index e51491a..0000000
--- a/targeted/file_contexts/program/gatekeeper.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# gatekeeper
-/etc/gatekeeper\.ini	--	system_u:object_r:gatekeeper_etc_t
-/usr/sbin/gk		--	system_u:object_r:gatekeeper_exec_t
-/usr/sbin/gnugk		--	system_u:object_r:gatekeeper_exec_t
-/var/run/gk\.pid	--	system_u:object_r:gatekeeper_var_run_t
-/var/run/gnugk(/.*)?		system_u:object_r:gatekeeper_var_run_t
-/var/log/gnugk(/.*)?		system_u:object_r:gatekeeper_log_t
diff --git a/targeted/file_contexts/program/gconf.fc b/targeted/file_contexts/program/gconf.fc
deleted file mode 100644
index 3ee63e0..0000000
--- a/targeted/file_contexts/program/gconf.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-/usr/libexec/gconfd-2	--	system_u:object_r:gconfd_exec_t
-/etc/gconf(/.*)?		system_u:object_r:gconf_etc_t
-HOME_DIR/\.gconf(/.*)?		system_u:object_r:ROLE_gconfd_home_t
-HOME_DIR/\.gconfd(/.*)?		system_u:object_r:ROLE_gconfd_home_t
-/tmp/gconfd-USER(/.*)?		system_u:object_r:ROLE_gconfd_tmp_t
diff --git a/targeted/file_contexts/program/getty.fc b/targeted/file_contexts/program/getty.fc
deleted file mode 100644
index 19b7e64..0000000
--- a/targeted/file_contexts/program/getty.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# getty
-/sbin/.*getty		--	system_u:object_r:getty_exec_t:s0
-/etc/mgetty(/.*)?		system_u:object_r:getty_etc_t:s0
-/var/run/mgetty\.pid.*	--	system_u:object_r:getty_var_run_t:s0
-/var/log/mgetty\.log.*	--	system_u:object_r:getty_log_t:s0
diff --git a/targeted/file_contexts/program/gift.fc b/targeted/file_contexts/program/gift.fc
deleted file mode 100644
index 88ed5f2..0000000
--- a/targeted/file_contexts/program/gift.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-/usr/(local/)?bin/giftd	--	system_u:object_r:giftd_exec_t
-/usr/(local/)?bin/giftui	-- 	system_u:object_r:gift_exec_t
-/usr/(local/)?bin/giFToxic	--	system_u:object_r:gift_exec_t
-/usr/(local/)?bin/apollon	-- 	system_u:object_r:gift_exec_t
-HOME_DIR/\.giFT(/.*)?		system_u:object_r:ROLE_gift_home_t
diff --git a/targeted/file_contexts/program/gnome-pty-helper.fc b/targeted/file_contexts/program/gnome-pty-helper.fc
deleted file mode 100644
index 24a0b1b..0000000
--- a/targeted/file_contexts/program/gnome-pty-helper.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# gnome-pty-helper
-/usr/sbin/gnome-pty-helper --	system_u:object_r:gph_exec_t
-/usr/lib(64)?/vte/gnome-pty-helper --	system_u:object_r:gph_exec_t
diff --git a/targeted/file_contexts/program/gnome.fc b/targeted/file_contexts/program/gnome.fc
deleted file mode 100644
index 670c86f..0000000
--- a/targeted/file_contexts/program/gnome.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# FIXME: add a lot more GNOME folders
-HOME_DIR/\.gnome(2)?(/.*)?			system_u:object_r:ROLE_gnome_settings_t
-HOME_DIR/\.gnome(2)?_private(/.*)?              system_u:object_r:ROLE_gnome_secret_t
-ifdef(`evolution.te', `
-HOME_DIR/\.gnome(2)?_private/Evolution	--	system_u:object_r:ROLE_evolution_secret_t
-')
-HOME_DIR/\.gnome(2)?/share/fonts(/.*)?          system_u:object_r:ROLE_fonts_t
-HOME_DIR/\.gnome(2)?/share/cursor-fonts(/.*)?   system_u:object_r:ROLE_fonts_t
diff --git a/targeted/file_contexts/program/gnome_vfs.fc b/targeted/file_contexts/program/gnome_vfs.fc
deleted file mode 100644
index f945d59..0000000
--- a/targeted/file_contexts/program/gnome_vfs.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/libexec/gnome-vfs-daemon 	--	system_u:object_r:gnome_vfs_exec_t
diff --git a/targeted/file_contexts/program/gpg-agent.fc b/targeted/file_contexts/program/gpg-agent.fc
deleted file mode 100644
index bb25b63..0000000
--- a/targeted/file_contexts/program/gpg-agent.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# gpg-agent
-/usr/bin/gpg-agent	--	system_u:object_r:gpg_agent_exec_t
-/usr/bin/pinentry.*	--	system_u:object_r:pinentry_exec_t
diff --git a/targeted/file_contexts/program/gpg.fc b/targeted/file_contexts/program/gpg.fc
deleted file mode 100644
index 650df0c..0000000
--- a/targeted/file_contexts/program/gpg.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# gpg
-HOME_DIR/\.gnupg(/.+)?	system_u:object_r:ROLE_gpg_secret_t
-/usr/bin/gpg(2)?		--	system_u:object_r:gpg_exec_t
-/usr/bin/kgpg		--	system_u:object_r:gpg_exec_t
-/usr/lib/gnupg/.*	--	system_u:object_r:gpg_exec_t
-/usr/lib/gnupg/gpgkeys.*	--  system_u:object_r:gpg_helper_exec_t
-
diff --git a/targeted/file_contexts/program/gpm.fc b/targeted/file_contexts/program/gpm.fc
deleted file mode 100644
index b681881..0000000
--- a/targeted/file_contexts/program/gpm.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# gpm
-/dev/gpmctl		-s	system_u:object_r:gpmctl_t
-/dev/gpmdata		-p	system_u:object_r:gpmctl_t
-/usr/sbin/gpm		--	system_u:object_r:gpm_exec_t
-/etc/gpm(/.*)?			system_u:object_r:gpm_conf_t
diff --git a/targeted/file_contexts/program/groupadd.fc b/targeted/file_contexts/program/groupadd.fc
deleted file mode 100644
index e69de29..0000000
--- a/targeted/file_contexts/program/groupadd.fc
+++ /dev/null
diff --git a/targeted/file_contexts/program/hald.fc b/targeted/file_contexts/program/hald.fc
deleted file mode 100644
index b57463d..0000000
--- a/targeted/file_contexts/program/hald.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# hald - hardware information daemon
-/usr/sbin/hald		--	system_u:object_r:hald_exec_t:s0
-/usr/libexec/hal-hotplug-map -- system_u:object_r:hald_exec_t:s0
-/etc/hal/device\.d/printer_remove\.hal -- system_u:object_r:hald_exec_t:s0
-/etc/hal/capability\.d/printer_update\.hal -- system_u:object_r:hald_exec_t:s0
-/usr/share/hal/device-manager/hal-device-manager -- system_u:object_r:bin_t:s0
diff --git a/targeted/file_contexts/program/hostname.fc b/targeted/file_contexts/program/hostname.fc
deleted file mode 100644
index 01a957a..0000000
--- a/targeted/file_contexts/program/hostname.fc
+++ /dev/null
@@ -1 +0,0 @@
-/bin/hostname		--	system_u:object_r:hostname_exec_t:s0
diff --git a/targeted/file_contexts/program/hotplug.fc b/targeted/file_contexts/program/hotplug.fc
deleted file mode 100644
index 05c6504..0000000
--- a/targeted/file_contexts/program/hotplug.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# hotplug
-/etc/hotplug(/.*)?		system_u:object_r:hotplug_etc_t:s0
-/sbin/hotplug		--	system_u:object_r:hotplug_exec_t:s0
-/sbin/netplugd		--	system_u:object_r:hotplug_exec_t:s0
-/etc/hotplug\.d/.*	--	system_u:object_r:hotplug_exec_t:s0
-/etc/hotplug\.d/default/default.* system_u:object_r:sbin_t:s0
-/etc/netplug\.d(/.*)? 	 	system_u:object_r:sbin_t:s0
-/etc/hotplug/.*agent	--	system_u:object_r:sbin_t:s0
-/etc/hotplug/.*rc	-- 	system_u:object_r:sbin_t:s0
-/etc/hotplug/hotplug\.functions --	system_u:object_r:sbin_t:s0
-/var/run/usb(/.*)?		system_u:object_r:hotplug_var_run_t:s0
-/var/run/hotplug(/.*)?		system_u:object_r:hotplug_var_run_t:s0
-/etc/hotplug/firmware.agent	--	system_u:object_r:hotplug_exec_t:s0
diff --git a/targeted/file_contexts/program/howl.fc b/targeted/file_contexts/program/howl.fc
deleted file mode 100644
index 4546ac1..0000000
--- a/targeted/file_contexts/program/howl.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/bin/nifd	--	system_u:object_r:howl_exec_t:s0
-/usr/bin/mDNSResponder	--	system_u:object_r:howl_exec_t:s0
-/var/run/nifd\.pid --	system_u:object_r:howl_var_run_t:s0
diff --git a/targeted/file_contexts/program/hwclock.fc b/targeted/file_contexts/program/hwclock.fc
deleted file mode 100644
index 9d0d909..0000000
--- a/targeted/file_contexts/program/hwclock.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# hwclock
-/sbin/hwclock		--	system_u:object_r:hwclock_exec_t:s0
-/etc/adjtime		--	system_u:object_r:adjtime_t:s0
diff --git a/targeted/file_contexts/program/i18n_input.fc b/targeted/file_contexts/program/i18n_input.fc
deleted file mode 100644
index 5403e2b..0000000
--- a/targeted/file_contexts/program/i18n_input.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# i18n_input.fc
-/usr/sbin/htt                   --     system_u:object_r:i18n_input_exec_t
-/usr/sbin/htt_server            --     system_u:object_r:i18n_input_exec_t
-/usr/bin/iiimd\.bin	        --     system_u:object_r:i18n_input_exec_t
-/usr/bin/httx                   --     system_u:object_r:i18n_input_exec_t
-/usr/bin/htt_xbe                --     system_u:object_r:i18n_input_exec_t
-/usr/bin/iiimx                  --     system_u:object_r:i18n_input_exec_t
-/usr/lib/iiim/iiim-xbe          --     system_u:object_r:i18n_input_exec_t
-/usr/lib(64)?/im/.*\.so.*       --     system_u:object_r:shlib_t
-/usr/lib(64)?/iiim/.*\.so.*     --     system_u:object_r:shlib_t
-/var/run/iiim(/.*)?		       system_u:object_r:i18n_input_var_run_t
diff --git a/targeted/file_contexts/program/iceauth.fc b/targeted/file_contexts/program/iceauth.fc
deleted file mode 100644
index 31bf1f3..0000000
--- a/targeted/file_contexts/program/iceauth.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# iceauth
-/usr/X11R6/bin/iceauth	--      system_u:object_r:iceauth_exec_t
-HOME_DIR/\.ICEauthority.* --      system_u:object_r:ROLE_iceauth_home_t
diff --git a/targeted/file_contexts/program/ifconfig.fc b/targeted/file_contexts/program/ifconfig.fc
deleted file mode 100644
index 22d52ed..0000000
--- a/targeted/file_contexts/program/ifconfig.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# ifconfig
-/sbin/ifconfig		--	system_u:object_r:ifconfig_exec_t:s0
-/sbin/iwconfig		--	system_u:object_r:ifconfig_exec_t:s0
-/sbin/ip		--	system_u:object_r:ifconfig_exec_t:s0
-/sbin/tc		--	system_u:object_r:ifconfig_exec_t:s0
-/usr/sbin/tc		--	system_u:object_r:ifconfig_exec_t:s0
-/bin/ip			--	system_u:object_r:ifconfig_exec_t:s0
-/sbin/ethtool		--	system_u:object_r:ifconfig_exec_t:s0
-/sbin/mii-tool		--	system_u:object_r:ifconfig_exec_t:s0
-/sbin/ipx_interface	--	system_u:object_r:ifconfig_exec_t:s0
-/sbin/ipx_configure	--	system_u:object_r:ifconfig_exec_t:s0
-/sbin/ipx_internal_net	--	system_u:object_r:ifconfig_exec_t:s0
diff --git a/targeted/file_contexts/program/imazesrv.fc b/targeted/file_contexts/program/imazesrv.fc
deleted file mode 100644
index dae194e..0000000
--- a/targeted/file_contexts/program/imazesrv.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-#  imazesrv
-/usr/share/games/imaze(/.*)?	system_u:object_r:imazesrv_data_t
-/usr/games/imazesrv --	system_u:object_r:imazesrv_exec_t
-/var/log/imaze\.log --	system_u:object_r:imazesrv_log_t
diff --git a/targeted/file_contexts/program/inetd.fc b/targeted/file_contexts/program/inetd.fc
deleted file mode 100644
index d066e36..0000000
--- a/targeted/file_contexts/program/inetd.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# inetd
-/usr/sbin/inetd		--	system_u:object_r:inetd_exec_t:s0
-/usr/sbin/xinetd	--	system_u:object_r:inetd_exec_t:s0
-/usr/sbin/rlinetd	--	system_u:object_r:inetd_exec_t:s0
-/usr/sbin/identd	--	system_u:object_r:inetd_child_exec_t:s0
-/usr/sbin/in\..*d	--	system_u:object_r:inetd_child_exec_t:s0
-/var/log/(x)?inetd\.log	--	system_u:object_r:inetd_log_t:s0
-/var/run/inetd\.pid	--	system_u:object_r:inetd_var_run_t:s0
diff --git a/targeted/file_contexts/program/init.fc b/targeted/file_contexts/program/init.fc
deleted file mode 100644
index cdf424f..0000000
--- a/targeted/file_contexts/program/init.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# init
-/dev/initctl		-p	system_u:object_r:initctl_t:s0
-/sbin/init		--	system_u:object_r:init_exec_t:s0
diff --git a/targeted/file_contexts/program/initrc.fc b/targeted/file_contexts/program/initrc.fc
deleted file mode 100644
index 65a1dba..0000000
--- a/targeted/file_contexts/program/initrc.fc
+++ /dev/null
@@ -1,48 +0,0 @@
-# init rc scripts
-ifdef(`targeted_policy', `
-/etc/X11/prefdm              --      system_u:object_r:bin_t:s0
-', `
-/etc/X11/prefdm              --      system_u:object_r:initrc_exec_t:s0
-')
-/etc/rc\.d/rc		--	system_u:object_r:initrc_exec_t:s0
-/etc/rc\.d/rc\.sysinit	--	system_u:object_r:initrc_exec_t:s0
-/etc/rc\.d/rc\.local	--	system_u:object_r:initrc_exec_t:s0
-/etc/rc\.d/init\.d/.*	--	system_u:object_r:initrc_exec_t:s0
-/etc/rc\.d/init\.d/functions -- system_u:object_r:etc_t:s0
-/etc/init\.d/.*		--	system_u:object_r:initrc_exec_t:s0
-/etc/init\.d/functions	--	system_u:object_r:etc_t:s0
-/var/run/utmp		--	system_u:object_r:initrc_var_run_t:s0
-/var/run/runlevel\.dir		system_u:object_r:initrc_var_run_t:s0
-/var/run/random-seed	--	system_u:object_r:initrc_var_run_t:s0
-/var/run/setmixer_flag	--	system_u:object_r:initrc_var_run_t:s0
-ifdef(`distro_suse', `
-/var/run/sysconfig(/.*)?	system_u:object_r:initrc_var_run_t:s0
-/var/run/keymap		--	system_u:object_r:initrc_var_run_t:s0
-/var/run/numlock-on	--	system_u:object_r:initrc_var_run_t:s0
-/var/run/setleds-on	--	system_u:object_r:initrc_var_run_t:s0
-/var/run/bootsplashctl	-p	system_u:object_r:initrc_var_run_t:s0
-/etc/init\.d/\.depend.*	--	system_u:object_r:etc_runtime_t:s0
-')
-
-ifdef(`distro_gentoo', `
-/sbin/rc		--	system_u:object_r:initrc_exec_t:s0
-/sbin/runscript		--      system_u:object_r:initrc_exec_t:s0
-/sbin/runscript\.sh	--	system_u:object_r:initrc_exec_t:s0
-/var/lib/init\.d(/.*)?		system_u:object_r:initrc_state_t:s0
-')
-
-# run_init
-/usr/sbin/run_init	--	system_u:object_r:run_init_exec_t:s0
-/usr/sbin/open_init_pty	--	system_u:object_r:initrc_exec_t:s0
-/etc/nologin.*		--	system_u:object_r:etc_runtime_t:s0
-/etc/nohotplug		--	system_u:object_r:etc_runtime_t:s0
-ifdef(`distro_redhat', `
-/halt			--	system_u:object_r:etc_runtime_t:s0
-/fastboot 		--	system_u:object_r:etc_runtime_t:s0
-/fsckoptions 		--	system_u:object_r:etc_runtime_t:s0
-/forcefsck 		--	system_u:object_r:etc_runtime_t:s0
-/poweroff		--	system_u:object_r:etc_runtime_t:s0
-/\.autofsck		--	system_u:object_r:etc_runtime_t:s0
-/\.autorelabel		--	system_u:object_r:etc_runtime_t:s0
-')
-
diff --git a/targeted/file_contexts/program/innd.fc b/targeted/file_contexts/program/innd.fc
deleted file mode 100644
index a7bb62f..0000000
--- a/targeted/file_contexts/program/innd.fc
+++ /dev/null
@@ -1,49 +0,0 @@
-# innd
-/usr/sbin/innd.*	--	system_u:object_r:innd_exec_t:s0
-/usr/bin/rpost          --      system_u:object_r:innd_exec_t:s0
-/usr/bin/suck           --      system_u:object_r:innd_exec_t:s0
-/var/run/innd(/.*)?		system_u:object_r:innd_var_run_t:s0
-/etc/news(/.*)?			system_u:object_r:innd_etc_t:s0
-/etc/news/boot		--	system_u:object_r:innd_exec_t:s0
-/var/spool/news(/.*)?		system_u:object_r:news_spool_t:s0
-/var/log/news(/.*)?		system_u:object_r:innd_log_t:s0
-/var/lib/news(/.*)?		system_u:object_r:innd_var_lib_t:s0
-/var/run/news(/.*)?	 	system_u:object_r:innd_var_run_t:s0
-/usr/sbin/in\.nnrpd	--	system_u:object_r:innd_exec_t:s0
-/usr/bin/inews		--	system_u:object_r:innd_exec_t:s0
-/usr/bin/rnews		--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin(/.*)?		system_u:object_r:bin_t:s0
-/usr/lib(64)?/news/bin/innd 	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/actsync	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/archive	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/batcher	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/buffchan	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/convdate	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/ctlinnd	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/cvtbatch	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/expire	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/expireover	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/fastrm	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/filechan	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/getlist	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/grephistory	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/inews	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/innconfval	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/inndf	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/inndstart	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/innfeed	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/innxbatch	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/innxmit	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/makedbz	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/makehistory	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/newsrequeue	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/nnrpd	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/nntpget	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/ovdb_recover	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/overchan	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/prunehistory	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/rnews	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/shlock	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/shrinkfile	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/sm	--	system_u:object_r:innd_exec_t:s0
-/usr/lib(64)?/news/bin/startinnfeed	--	system_u:object_r:innd_exec_t:s0
diff --git a/targeted/file_contexts/program/ipsec.fc b/targeted/file_contexts/program/ipsec.fc
deleted file mode 100644
index e915b75..0000000
--- a/targeted/file_contexts/program/ipsec.fc
+++ /dev/null
@@ -1,32 +0,0 @@
-# IPSEC utilities and daemon.
-
-/etc/ipsec\.secrets	--	system_u:object_r:ipsec_key_file_t
-/etc/ipsec\.conf	--	system_u:object_r:ipsec_conf_file_t
-/etc/ipsec\.d(/.*)?		system_u:object_r:ipsec_key_file_t
-/etc/ipsec\.d/examples(/.*)?		system_u:object_r:etc_t
-/usr/lib(64)?/ipsec/.*	--	system_u:object_r:sbin_t
-/usr/lib(64)?/ipsec/_plutoload -- 	system_u:object_r:ipsec_mgmt_exec_t
-/usr/lib(64)?/ipsec/_plutorun  --	system_u:object_r:ipsec_mgmt_exec_t
-/usr/local/lib(64)?/ipsec/.*	--	system_u:object_r:sbin_t
-/usr/libexec/ipsec/eroute	--	system_u:object_r:ipsec_exec_t
-/usr/lib(64)?/ipsec/eroute	--	system_u:object_r:ipsec_exec_t
-/usr/local/lib(64)?/ipsec/eroute --	system_u:object_r:ipsec_exec_t
-/usr/libexec/ipsec/klipsdebug	--	system_u:object_r:ipsec_exec_t
-/usr/lib(64)?/ipsec/klipsdebug --	system_u:object_r:ipsec_exec_t
-/usr/local/lib(64)?/ipsec/klipsdebug -- system_u:object_r:ipsec_exec_t
-/usr/libexec/ipsec/pluto	--	system_u:object_r:ipsec_exec_t
-/usr/lib(64)?/ipsec/pluto	--	system_u:object_r:ipsec_exec_t
-/usr/local/lib(64)?/ipsec/pluto --	system_u:object_r:ipsec_exec_t
-/usr/libexec/ipsec/spi	--	system_u:object_r:ipsec_exec_t
-/usr/lib(64)?/ipsec/spi	--	system_u:object_r:ipsec_exec_t
-/usr/local/lib(64)?/ipsec/spi --	system_u:object_r:ipsec_exec_t
-/var/run/pluto(/.*)?		system_u:object_r:ipsec_var_run_t
-/var/racoon(/.*)?		system_u:object_r:ipsec_var_run_t
-
-# Kame
-/usr/sbin/racoon	--	system_u:object_r:ipsec_exec_t
-/usr/sbin/setkey	--	system_u:object_r:ipsec_exec_t
-/sbin/setkey		--	system_u:object_r:ipsec_exec_t
-/etc/racoon(/.*)?		system_u:object_r:ipsec_conf_file_t
-/etc/racoon/certs(/.*)?	system_u:object_r:ipsec_key_file_t
-/etc/racoon/psk\.txt	--	system_u:object_r:ipsec_key_file_t
diff --git a/targeted/file_contexts/program/iptables.fc b/targeted/file_contexts/program/iptables.fc
deleted file mode 100644
index 3dcde2e..0000000
--- a/targeted/file_contexts/program/iptables.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# iptables
-/sbin/ipchains.*	--	system_u:object_r:iptables_exec_t
-/sbin/iptables.* 	--	system_u:object_r:iptables_exec_t
-/sbin/ip6tables.*	--	system_u:object_r:iptables_exec_t
-/usr/sbin/ipchains.*	--	system_u:object_r:iptables_exec_t
-/usr/sbin/iptables.* 	--	system_u:object_r:iptables_exec_t
-/usr/sbin/ip6tables.*	--	system_u:object_r:iptables_exec_t
-
diff --git a/targeted/file_contexts/program/irc.fc b/targeted/file_contexts/program/irc.fc
deleted file mode 100644
index 9f52efb..0000000
--- a/targeted/file_contexts/program/irc.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# irc clients
-/usr/bin/[st]irc	--	system_u:object_r:irc_exec_t
-/usr/bin/ircII		--	system_u:object_r:irc_exec_t
-/usr/bin/tinyirc	--	system_u:object_r:irc_exec_t
-HOME_DIR/\.ircmotd	--	system_u:object_r:ROLE_irc_home_t
diff --git a/targeted/file_contexts/program/ircd.fc b/targeted/file_contexts/program/ircd.fc
deleted file mode 100644
index 2ef668c..0000000
--- a/targeted/file_contexts/program/ircd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# ircd - irc server
-/usr/sbin/(dancer-)?ircd --	system_u:object_r:ircd_exec_t
-/etc/(dancer-)?ircd(/.*)?	system_u:object_r:ircd_etc_t
-/var/log/(dancer-)?ircd(/.*)?	system_u:object_r:ircd_log_t
-/var/lib/dancer-ircd(/.*)?	system_u:object_r:ircd_var_lib_t
-/var/run/dancer-ircd(/.*)?	system_u:object_r:ircd_var_run_t
diff --git a/targeted/file_contexts/program/irqbalance.fc b/targeted/file_contexts/program/irqbalance.fc
deleted file mode 100644
index c849491..0000000
--- a/targeted/file_contexts/program/irqbalance.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# irqbalance
-/usr/sbin/irqbalance	-- system_u:object_r:irqbalance_exec_t
diff --git a/targeted/file_contexts/program/jabberd.fc b/targeted/file_contexts/program/jabberd.fc
deleted file mode 100644
index c614cb8..0000000
--- a/targeted/file_contexts/program/jabberd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# jabberd
-/usr/sbin/jabberd	--	system_u:object_r:jabberd_exec_t
-/var/lib/jabber(/.*)?		system_u:object_r:jabberd_var_lib_t
-/var/log/jabber(/.*)?		system_u:object_r:jabberd_log_t
diff --git a/targeted/file_contexts/program/java.fc b/targeted/file_contexts/program/java.fc
deleted file mode 100644
index 8edf85b..0000000
--- a/targeted/file_contexts/program/java.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-#  java
-/usr(/.*)?/bin/java.* --	system_u:object_r:java_exec_t
diff --git a/targeted/file_contexts/program/kerberos.fc b/targeted/file_contexts/program/kerberos.fc
deleted file mode 100644
index 2faebe0..0000000
--- a/targeted/file_contexts/program/kerberos.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-# MIT Kerberos krbkdc, kadmind
-/etc/krb5\.keytab       		system_u:object_r:krb5_keytab_t:s0
-/usr(/local)?(/kerberos)?/sbin/krb5kdc --	system_u:object_r:krb5kdc_exec_t:s0
-/usr(/local)?(/kerberos)?/sbin/kadmind --	system_u:object_r:kadmind_exec_t:s0
-/var/kerberos/krb5kdc(/.*)?		system_u:object_r:krb5kdc_conf_t:s0
-/usr/local/var/krb5kdc(/.*)?		system_u:object_r:krb5kdc_conf_t:s0
-/var/kerberos/krb5kdc/principal.*	system_u:object_r:krb5kdc_principal_t:s0
-/usr/local/var/krb5kdc/principal.*	system_u:object_r:krb5kdc_principal_t:s0
-/var/log/krb5kdc\.log			system_u:object_r:krb5kdc_log_t:s0
-/var/log/kadmind\.log			system_u:object_r:kadmind_log_t:s0
-/usr(/local)?/bin/ksu		--	system_u:object_r:su_exec_t:s0
-
-# gentoo file locations
-/usr/sbin/krb5kdc			--	system_u:object_r:krb5kdc_exec_t:s0
-/usr/sbin/kadmind			--	system_u:object_r:kadmind_exec_t:s0
-/etc/krb5kdc(/.*)?				system_u:object_r:krb5kdc_conf_t:s0
-/etc/krb5kdc/principal.*		system_u:object_r:krb5kdc_principal_t:s0
-/etc/krb5kdc/kadm5.keytab 	--	system_u:object_r:krb5_keytab_t:s0
-/var/log/kadmin.log			--	system_u:object_r:kadmind_log_t:s0
-
diff --git a/targeted/file_contexts/program/klogd.fc b/targeted/file_contexts/program/klogd.fc
deleted file mode 100644
index 5fcdf29..0000000
--- a/targeted/file_contexts/program/klogd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# klogd
-/sbin/klogd		--	system_u:object_r:klogd_exec_t:s0
-/usr/sbin/klogd		--	system_u:object_r:klogd_exec_t:s0
-/var/run/klogd\.pid	--	system_u:object_r:klogd_var_run_t:s0
diff --git a/targeted/file_contexts/program/ktalkd.fc b/targeted/file_contexts/program/ktalkd.fc
deleted file mode 100644
index 33973fd..0000000
--- a/targeted/file_contexts/program/ktalkd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# kde talk daemon 
-/usr/bin/ktalkd	--	system_u:object_r:ktalkd_exec_t:s0
diff --git a/targeted/file_contexts/program/kudzu.fc b/targeted/file_contexts/program/kudzu.fc
deleted file mode 100644
index 3602a30..0000000
--- a/targeted/file_contexts/program/kudzu.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# kudzu
-(/usr)?/sbin/kudzu	--	system_u:object_r:kudzu_exec_t:s0
-/sbin/kmodule	--	system_u:object_r:kudzu_exec_t:s0
-/var/run/Xconfig --	root:object_r:kudzu_var_run_t:s0
diff --git a/targeted/file_contexts/program/lcd.fc b/targeted/file_contexts/program/lcd.fc
deleted file mode 100644
index 4294d44..0000000
--- a/targeted/file_contexts/program/lcd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# lcd
-/usr/sbin/lcd.*		--	system_u:object_r:lcd_exec_t
diff --git a/targeted/file_contexts/program/ldconfig.fc b/targeted/file_contexts/program/ldconfig.fc
deleted file mode 100644
index 1f82fcf..0000000
--- a/targeted/file_contexts/program/ldconfig.fc
+++ /dev/null
@@ -1 +0,0 @@
-/sbin/ldconfig		--	system_u:object_r:ldconfig_exec_t:s0
diff --git a/targeted/file_contexts/program/load_policy.fc b/targeted/file_contexts/program/load_policy.fc
deleted file mode 100644
index a4c98ce..0000000
--- a/targeted/file_contexts/program/load_policy.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# load_policy
-/usr/sbin/load_policy		--	system_u:object_r:load_policy_exec_t:s0
-/sbin/load_policy		--	system_u:object_r:load_policy_exec_t:s0
diff --git a/targeted/file_contexts/program/loadkeys.fc b/targeted/file_contexts/program/loadkeys.fc
deleted file mode 100644
index f440f3c..0000000
--- a/targeted/file_contexts/program/loadkeys.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# loadkeys
-/bin/unikeys		--	system_u:object_r:loadkeys_exec_t
-/bin/loadkeys		--	system_u:object_r:loadkeys_exec_t
diff --git a/targeted/file_contexts/program/lockdev.fc b/targeted/file_contexts/program/lockdev.fc
deleted file mode 100644
index 9185bec..0000000
--- a/targeted/file_contexts/program/lockdev.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# lockdev 
-/usr/sbin/lockdev	--	system_u:object_r:lockdev_exec_t
diff --git a/targeted/file_contexts/program/login.fc b/targeted/file_contexts/program/login.fc
deleted file mode 100644
index ab8bf1a..0000000
--- a/targeted/file_contexts/program/login.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# login
-/bin/login		--	system_u:object_r:login_exec_t:s0
-/usr/kerberos/sbin/login\.krb5	--	system_u:object_r:login_exec_t:s0
diff --git a/targeted/file_contexts/program/logrotate.fc b/targeted/file_contexts/program/logrotate.fc
deleted file mode 100644
index a7c9ea3..0000000
--- a/targeted/file_contexts/program/logrotate.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# logrotate
-/usr/sbin/logrotate	--	system_u:object_r:logrotate_exec_t
-/usr/sbin/logcheck	--	system_u:object_r:logrotate_exec_t
-ifdef(`distro_debian', `
-/usr/bin/savelog	--	system_u:object_r:logrotate_exec_t
-/var/lib/logrotate(/.*)?	system_u:object_r:logrotate_var_lib_t
-', `
-/var/lib/logrotate\.status --	system_u:object_r:logrotate_var_lib_t
-')
-/etc/cron\.(daily|weekly)/sysklogd -- system_u:object_r:logrotate_exec_t
-/var/lib/logcheck(/.*)?		system_u:object_r:logrotate_var_lib_t
-# using a hard-coded name under /var/tmp is a bug - new version fixes it
-/var/tmp/logcheck	-d	system_u:object_r:logrotate_tmp_t
diff --git a/targeted/file_contexts/program/lpd.fc b/targeted/file_contexts/program/lpd.fc
deleted file mode 100644
index da61bf4..0000000
--- a/targeted/file_contexts/program/lpd.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# lpd
-/dev/printer		-s	system_u:object_r:printer_t:s0
-/usr/sbin/lpd		--	system_u:object_r:lpd_exec_t:s0
-/usr/sbin/checkpc	--	system_u:object_r:checkpc_exec_t:s0
-/var/spool/lpd(/.*)?		system_u:object_r:print_spool_t:s0
-/usr/share/printconf/.* --	system_u:object_r:printconf_t:s0
-/usr/share/printconf/util/print\.py -- system_u:object_r:bin_t:s0
-/var/run/lprng(/.*)?		system_u:object_r:lpd_var_run_t:s0
diff --git a/targeted/file_contexts/program/lpr.fc b/targeted/file_contexts/program/lpr.fc
deleted file mode 100644
index 618ddcc..0000000
--- a/targeted/file_contexts/program/lpr.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# lp utilities.
-/usr/bin/lpr(\.cups)?	--	system_u:object_r:lpr_exec_t
-/usr/bin/lpq(\.cups)?	--	system_u:object_r:lpr_exec_t
-/usr/bin/lprm(\.cups)?	--	system_u:object_r:lpr_exec_t
diff --git a/targeted/file_contexts/program/lrrd.fc b/targeted/file_contexts/program/lrrd.fc
deleted file mode 100644
index 08494fc..0000000
--- a/targeted/file_contexts/program/lrrd.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# lrrd
-/usr/bin/lrrd-.*		--	system_u:object_r:lrrd_exec_t
-/usr/sbin/lrrd-.*		--	system_u:object_r:lrrd_exec_t
-/usr/share/lrrd/lrrd-.*		--	system_u:object_r:lrrd_exec_t
-/usr/share/lrrd/plugins/.*	--	system_u:object_r:lrrd_exec_t
-/var/run/lrrd(/.*)?			system_u:object_r:lrrd_var_run_t
-/var/log/lrrd.*			--	system_u:object_r:lrrd_log_t
-/var/lib/lrrd(/.*)?			system_u:object_r:lrrd_var_lib_t
-/var/www/lrrd(/.*)?			system_u:object_r:lrrd_var_lib_t
-/etc/lrrd(/.*)?				system_u:object_r:lrrd_etc_t
diff --git a/targeted/file_contexts/program/lvm.fc b/targeted/file_contexts/program/lvm.fc
deleted file mode 100644
index 648beb0..0000000
--- a/targeted/file_contexts/program/lvm.fc
+++ /dev/null
@@ -1,69 +0,0 @@
-# lvm
-/sbin/lvmiopversion	--	system_u:object_r:lvm_exec_t
-/etc/lvm(/.*)?			system_u:object_r:lvm_etc_t
-/etc/lvm/\.cache	--	system_u:object_r:lvm_metadata_t
-/etc/lvm/archive(/.*)?		system_u:object_r:lvm_metadata_t
-/etc/lvm/backup(/.*)?		system_u:object_r:lvm_metadata_t
-/etc/lvmtab(/.*)?		system_u:object_r:lvm_metadata_t
-/etc/lvmtab\.d(/.*)?		system_u:object_r:lvm_metadata_t
-# LVM creates lock files in /var before /var is mounted
-# configure LVM to put lockfiles in /etc/lvm/lock instead
-# for this policy to work (unless you have no separate /var)
-/etc/lvm/lock(/.*)?		system_u:object_r:lvm_lock_t
-/var/lock/lvm(/.*)?		system_u:object_r:lvm_lock_t
-/dev/lvm		-c	system_u:object_r:fixed_disk_device_t
-/dev/mapper/control	-c	system_u:object_r:lvm_control_t
-/lib/lvm-10/.*		--	system_u:object_r:lvm_exec_t
-/lib/lvm-200/.*		--	system_u:object_r:lvm_exec_t
-/sbin/e2fsadm		--	system_u:object_r:lvm_exec_t
-/sbin/lvchange		--	system_u:object_r:lvm_exec_t
-/sbin/lvcreate		--	system_u:object_r:lvm_exec_t
-/sbin/lvdisplay		--	system_u:object_r:lvm_exec_t
-/sbin/lvextend		--	system_u:object_r:lvm_exec_t
-/sbin/lvmchange		--	system_u:object_r:lvm_exec_t
-/sbin/lvmdiskscan	--	system_u:object_r:lvm_exec_t
-/sbin/lvmsadc		--	system_u:object_r:lvm_exec_t
-/sbin/lvmsar		--	system_u:object_r:lvm_exec_t
-/sbin/lvreduce		--	system_u:object_r:lvm_exec_t
-/sbin/lvremove		--	system_u:object_r:lvm_exec_t
-/sbin/lvrename		--	system_u:object_r:lvm_exec_t
-/sbin/lvscan		--	system_u:object_r:lvm_exec_t
-/sbin/pvchange		--	system_u:object_r:lvm_exec_t
-/sbin/pvcreate		--	system_u:object_r:lvm_exec_t
-/sbin/pvdata		--	system_u:object_r:lvm_exec_t
-/sbin/pvdisplay		--	system_u:object_r:lvm_exec_t
-/sbin/pvmove		--	system_u:object_r:lvm_exec_t
-/sbin/pvscan		--	system_u:object_r:lvm_exec_t
-/sbin/vgcfgbackup	--	system_u:object_r:lvm_exec_t
-/sbin/vgcfgrestore	--	system_u:object_r:lvm_exec_t
-/sbin/vgchange		--	system_u:object_r:lvm_exec_t
-/sbin/vgchange\.static	--	system_u:object_r:lvm_exec_t
-/sbin/vgck		--	system_u:object_r:lvm_exec_t
-/sbin/vgcreate		--	system_u:object_r:lvm_exec_t
-/sbin/vgdisplay		--	system_u:object_r:lvm_exec_t
-/sbin/vgexport		--	system_u:object_r:lvm_exec_t
-/sbin/vgextend		--	system_u:object_r:lvm_exec_t
-/sbin/vgimport		--	system_u:object_r:lvm_exec_t
-/sbin/vgmerge		--	system_u:object_r:lvm_exec_t
-/sbin/vgmknodes		--	system_u:object_r:lvm_exec_t
-/sbin/vgreduce		--	system_u:object_r:lvm_exec_t
-/sbin/vgremove		--	system_u:object_r:lvm_exec_t
-/sbin/vgrename		--	system_u:object_r:lvm_exec_t
-/sbin/vgscan		--	system_u:object_r:lvm_exec_t
-/sbin/vgscan\.static	--	system_u:object_r:lvm_exec_t
-/sbin/vgsplit		--	system_u:object_r:lvm_exec_t
-/sbin/vgwrapper		--	system_u:object_r:lvm_exec_t
-/sbin/cryptsetup	--	system_u:object_r:lvm_exec_t
-/sbin/dmsetup      --      system_u:object_r:lvm_exec_t
-/sbin/dmsetup\.static --    system_u:object_r:lvm_exec_t
-/sbin/lvm          --      system_u:object_r:lvm_exec_t
-/sbin/lvm\.static   --      system_u:object_r:lvm_exec_t
-/usr/sbin/lvm		--	system_u:object_r:lvm_exec_t
-/sbin/lvresize     --      system_u:object_r:lvm_exec_t
-/sbin/lvs          --      system_u:object_r:lvm_exec_t
-/sbin/pvremove     --      system_u:object_r:lvm_exec_t
-/sbin/pvs          --      system_u:object_r:lvm_exec_t
-/sbin/vgs          --      system_u:object_r:lvm_exec_t
-/sbin/multipathd   --      system_u:object_r:lvm_exec_t
-/var/cache/multipathd(/.*)? system_u:object_r:lvm_metadata_t
-/usr/sbin/clvmd   --      system_u:object_r:clvmd_exec_t
diff --git a/targeted/file_contexts/program/mailman.fc b/targeted/file_contexts/program/mailman.fc
deleted file mode 100644
index d8d5b4b..0000000
--- a/targeted/file_contexts/program/mailman.fc
+++ /dev/null
@@ -1,24 +0,0 @@
-# mailman list server
-/var/lib/mailman(/.*)?		   system_u:object_r:mailman_data_t:s0
-/var/log/mailman(/.*)?		   system_u:object_r:mailman_log_t:s0
-/usr/lib/mailman/cron/.*	-- system_u:object_r:mailman_queue_exec_t:s0
-/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t:s0
-/var/run/mailman(/.*)?		   system_u:object_r:mailman_lock_t:s0
-/var/lib/mailman/archives(/.*)?	system_u:object_r:mailman_archive_t:s0
-
-ifdef(`distro_debian', `
-/usr/lib/cgi-bin/mailman/.* -- system_u:object_r:mailman_cgi_exec_t:s0
-/usr/lib/mailman/mail/wrapper -- system_u:object_r:mailman_mail_exec_t:s0
-/usr/mailman/mail/wrapper 	-- system_u:object_r:mailman_mail_exec_t:s0
-/etc/cron\.daily/mailman 	-- system_u:object_r:mailman_queue_exec_t:s0
-/etc/cron\.monthly/mailman 	-- system_u:object_r:mailman_queue_exec_t:s0
-')
-
-ifdef(`distro_redhat', `
-/usr/lib/mailman/cgi-bin/.*	 -- system_u:object_r:mailman_cgi_exec_t:s0
-/var/lock/mailman(/.*)?		    system_u:object_r:mailman_lock_t:s0
-/usr/lib/mailman/scripts/mailman -- system_u:object_r:mailman_mail_exec_t:s0
-/usr/lib/mailman/bin/qrunner  	 -- system_u:object_r:mailman_queue_exec_t:s0
-/etc/mailman(/.*)?		   system_u:object_r:mailman_data_t:s0
-/var/spool/mailman(/.*)?	   system_u:object_r:mailman_data_t:s0
-')
diff --git a/targeted/file_contexts/program/mdadm.fc b/targeted/file_contexts/program/mdadm.fc
deleted file mode 100644
index 7ca9f0d..0000000
--- a/targeted/file_contexts/program/mdadm.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# mdadm - manage MD devices aka Linux Software Raid.
-/sbin/mdmpd		--	system_u:object_r:mdadm_exec_t
-/sbin/mdadm		--	system_u:object_r:mdadm_exec_t
-/var/run/mdadm(/.*)?            system_u:object_r:mdadm_var_run_t 
diff --git a/targeted/file_contexts/program/modutil.fc b/targeted/file_contexts/program/modutil.fc
deleted file mode 100644
index 0c88179..0000000
--- a/targeted/file_contexts/program/modutil.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-# module utilities
-/etc/modules\.conf.*	--	system_u:object_r:modules_conf_t:s0
-/etc/modprobe\.conf.*	--	system_u:object_r:modules_conf_t:s0
-/lib(64)?/modules/modprobe\.conf --	system_u:object_r:modules_conf_t:s0
-/lib(64)?/modules(/.*)?		system_u:object_r:modules_object_t:s0
-/lib(64)?/modules/[^/]+/modules\..+ -- system_u:object_r:modules_dep_t:s0
-/lib(64)?/modules/modprobe\.conf.* -- system_u:object_r:modules_conf_t:s0
-/sbin/depmod.*		--	system_u:object_r:depmod_exec_t:s0
-/sbin/modprobe.*	--	system_u:object_r:insmod_exec_t:s0
-/sbin/insmod.*		--	system_u:object_r:insmod_exec_t:s0
-/sbin/insmod_ksymoops_clean --	system_u:object_r:sbin_t:s0
-/sbin/rmmod.*		--	system_u:object_r:insmod_exec_t:s0
-/sbin/update-modules	--	system_u:object_r:update_modules_exec_t:s0
-/sbin/generate-modprobe\.conf -- system_u:object_r:update_modules_exec_t:s0
diff --git a/targeted/file_contexts/program/monopd.fc b/targeted/file_contexts/program/monopd.fc
deleted file mode 100644
index 457493e..0000000
--- a/targeted/file_contexts/program/monopd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# monopd
-/etc/monopd\.conf	--	system_u:object_r:monopd_etc_t
-/usr/sbin/monopd	--	system_u:object_r:monopd_exec_t
-/usr/share/monopd/games(/.*)?	system_u:object_r:monopd_share_t
diff --git a/targeted/file_contexts/program/mount.fc b/targeted/file_contexts/program/mount.fc
deleted file mode 100644
index 7b1ca14..0000000
--- a/targeted/file_contexts/program/mount.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# mount
-/bin/mount.*			--	system_u:object_r:mount_exec_t
-/bin/umount.*			--	system_u:object_r:mount_exec_t
diff --git a/targeted/file_contexts/program/mozilla.fc b/targeted/file_contexts/program/mozilla.fc
deleted file mode 100644
index 2b533a6..0000000
--- a/targeted/file_contexts/program/mozilla.fc
+++ /dev/null
@@ -1,21 +0,0 @@
-#  netscape/mozilla
-HOME_DIR/\.galeon(/.*)?	system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.netscape(/.*)?	system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.mozilla(/.*)?	system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.phoenix(/.*)?	system_u:object_r:ROLE_mozilla_home_t
-HOME_DIR/\.java(/.*)?		system_u:object_r:ROLE_mozilla_home_t
-/usr/bin/netscape	--	system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla	--	system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla-snapshot --	system_u:object_r:mozilla_exec_t
-/usr/bin/epiphany-bin   --	system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla-[0-9].* --	system_u:object_r:mozilla_exec_t
-/usr/bin/mozilla-bin-[0-9].* --	system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/galeon/galeon -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/netscape/base-4/wrapper -- system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/mozilla[^/]*/reg.+	--	system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/mozilla[^/]*/mozilla-.* --	system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/firefox[^/]*/mozilla-.* --	system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin --	system_u:object_r:mozilla_exec_t
-/usr/lib(64)?/[^/]*firefox[^/]*/firefox --	system_u:object_r:bin_t
-/etc/mozpluggerrc system_u:object_r:mozilla_conf_t
diff --git a/targeted/file_contexts/program/mplayer.fc b/targeted/file_contexts/program/mplayer.fc
deleted file mode 100644
index 10465aa..0000000
--- a/targeted/file_contexts/program/mplayer.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# mplayer
-/usr/bin/mplayer	--	   	system_u:object_r:mplayer_exec_t
-/usr/bin/mencoder	--	   	system_u:object_r:mencoder_exec_t
-
-/etc/mplayer(/.*)?		system_u:object_r:mplayer_etc_t
-HOME_DIR/\.mplayer(/.*)?        system_u:object_r:ROLE_mplayer_home_t
diff --git a/targeted/file_contexts/program/mrtg.fc b/targeted/file_contexts/program/mrtg.fc
deleted file mode 100644
index adfecff..0000000
--- a/targeted/file_contexts/program/mrtg.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# mrtg - traffic grapher
-/usr/bin/mrtg		--	system_u:object_r:mrtg_exec_t
-/var/lib/mrtg(/.*)?		system_u:object_r:mrtg_var_lib_t
-/var/lock/mrtg(/.*)?		system_u:object_r:mrtg_lock_t
-/etc/mrtg.*			system_u:object_r:mrtg_etc_t
-/etc/mrtg/mrtg\.ok	--	system_u:object_r:mrtg_lock_t
-/var/log/mrtg(/.*)?		system_u:object_r:mrtg_log_t
diff --git a/targeted/file_contexts/program/mta.fc b/targeted/file_contexts/program/mta.fc
deleted file mode 100644
index 68b30e8..0000000
--- a/targeted/file_contexts/program/mta.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# types for general mail servers
-/usr/sbin/sendmail(.sendmail)?	-- system_u:object_r:sendmail_exec_t:s0
-/usr/lib(64)?/sendmail		-- system_u:object_r:sendmail_exec_t:s0
-/etc/aliases		--	system_u:object_r:etc_aliases_t:s0
-/etc/aliases\.db	--	system_u:object_r:etc_aliases_t:s0
-/var/spool/mail(/.*)?		system_u:object_r:mail_spool_t:s0
-/var/mail(/.*)?			system_u:object_r:mail_spool_t:s0
-ifdef(`postfix.te', `', `
-/usr/sbin/sendmail.postfix --	system_u:object_r:sendmail_exec_t:s0
-/var/spool/postfix(/.*)?		system_u:object_r:mail_spool_t:s0
-')
-
diff --git a/targeted/file_contexts/program/mysqld.fc b/targeted/file_contexts/program/mysqld.fc
deleted file mode 100644
index 22933da..0000000
--- a/targeted/file_contexts/program/mysqld.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# mysql database server
-/usr/sbin/mysqld(-max)?	--	system_u:object_r:mysqld_exec_t:s0
-/usr/libexec/mysqld	--	system_u:object_r:mysqld_exec_t:s0
-/var/run/mysqld(/.*)?		system_u:object_r:mysqld_var_run_t:s0
-/var/log/mysql.*	--	system_u:object_r:mysqld_log_t:s0
-/var/lib/mysql(/.*)?		system_u:object_r:mysqld_db_t:s0
-/var/lib/mysql/mysql\.sock -s	system_u:object_r:mysqld_var_run_t:s0
-/etc/my\.cnf		--	system_u:object_r:mysqld_etc_t:s0
-/etc/mysql(/.*)?		system_u:object_r:mysqld_etc_t:s0
-ifdef(`distro_debian', `
-/etc/mysql/debian-start	--	system_u:object_r:bin_t:s0
-')
diff --git a/targeted/file_contexts/program/nagios.fc b/targeted/file_contexts/program/nagios.fc
deleted file mode 100644
index 6a8a22d..0000000
--- a/targeted/file_contexts/program/nagios.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-# nagios - network monitoring server
-/var/log/netsaint(/.*)?			system_u:object_r:nagios_log_t
-/usr/lib(64)?/netsaint/plugins(/.*)?		system_u:object_r:bin_t
-/usr/lib(64)?/cgi-bin/netsaint/.+	--	system_u:object_r:nagios_cgi_exec_t
-# nagios
-ifdef(`distro_debian', `
-/usr/sbin/nagios		--	system_u:object_r:nagios_exec_t
-/usr/lib/cgi-bin/nagios/.+	--	system_u:object_r:nagios_cgi_exec_t
-', `
-/usr/bin/nagios			--	system_u:object_r:nagios_exec_t
-/usr/lib(64)?/nagios/cgi/.+	--	system_u:object_r:nagios_cgi_exec_t
-')
-/etc/nagios(/.*)?			system_u:object_r:nagios_etc_t
-/var/log/nagios(/.*)?			system_u:object_r:nagios_log_t
-/usr/lib(64)?/nagios/plugins(/.*)?	system_u:object_r:bin_t
diff --git a/targeted/file_contexts/program/named.fc b/targeted/file_contexts/program/named.fc
deleted file mode 100644
index b94d641..0000000
--- a/targeted/file_contexts/program/named.fc
+++ /dev/null
@@ -1,49 +0,0 @@
-# named
-ifdef(`distro_redhat', `
-/var/named(/.*)?		system_u:object_r:named_zone_t:s0
-/var/named/slaves(/.*)?		system_u:object_r:named_cache_t:s0
-/var/named/data(/.*)?		system_u:object_r:named_cache_t:s0
-/etc/named\.conf	--	system_u:object_r:named_conf_t:s0
-') dnl end distro_redhat
-
-ifdef(`distro_debian', `
-/etc/bind(/.*)?			system_u:object_r:named_zone_t:s0
-/etc/bind/named\.conf	--	system_u:object_r:named_conf_t:s0
-/etc/bind/rndc\.key	--	system_u:object_r:dnssec_t:s0
-/var/cache/bind(/.*)?		system_u:object_r:named_cache_t:s0
-') dnl distro_debian
-
-/etc/rndc.*		--	system_u:object_r:named_conf_t:s0
-/etc/rndc\.key		-- 	system_u:object_r:dnssec_t:s0
-/usr/sbin/named      	--	system_u:object_r:named_exec_t:s0
-/usr/sbin/named-checkconf --	system_u:object_r:named_checkconf_exec_t:s0
-/usr/sbin/r?ndc		--	system_u:object_r:ndc_exec_t:s0
-/var/run/ndc		-s	system_u:object_r:named_var_run_t:s0
-/var/run/bind(/.*)?		system_u:object_r:named_var_run_t:s0
-/var/run/named(/.*)?		system_u:object_r:named_var_run_t:s0
-/usr/sbin/lwresd	--	system_u:object_r:named_exec_t:s0
-/var/log/named.* 	--  system_u:object_r:named_log_t:s0
-
-ifdef(`distro_redhat', `
-/var/named/named\.ca	--	system_u:object_r:named_conf_t:s0
-/var/named/chroot(/.*)?		system_u:object_r:named_conf_t:s0
-/var/named/chroot/dev/null   -c	system_u:object_r:null_device_t:s0
-/var/named/chroot/dev/random -c	system_u:object_r:random_device_t:s0
-/var/named/chroot/dev/zero -c	system_u:object_r:zero_device_t:s0
-/var/named/chroot/etc(/.*)? 	system_u:object_r:named_conf_t:s0
-/var/named/chroot/etc/rndc.key  -- system_u:object_r:dnssec_t:s0
-/var/named/chroot/var/run/named.* system_u:object_r:named_var_run_t:s0
-/var/named/chroot/var/tmp(/.*)? system_u:object_r:named_cache_t:s0
-/var/named/chroot/var/named(/.*)?	system_u:object_r:named_zone_t:s0
-/var/named/chroot/var/named/slaves(/.*)? system_u:object_r:named_cache_t:s0
-/var/named/chroot/var/named/data(/.*)? system_u:object_r:named_cache_t:s0
-/var/named/chroot/var/named/named\.ca	--	system_u:object_r:named_conf_t:s0
-') dnl distro_redhat
-
-ifdef(`distro_gentoo', `
-/etc/bind(/.*)?         system_u:object_r:named_zone_t:s0
-/etc/bind/named\.conf   --  system_u:object_r:named_conf_t:s0
-/etc/bind/rndc\.key    --  system_u:object_r:dnssec_t:s0
-/var/bind(/.*)?             system_u:object_r:named_cache_t:s0
-/var/bind/pri(/.*)?         system_u:object_r:named_zone_t:s0
-') dnl distro_gentoo
diff --git a/targeted/file_contexts/program/nessusd.fc b/targeted/file_contexts/program/nessusd.fc
deleted file mode 100644
index adec00b..0000000
--- a/targeted/file_contexts/program/nessusd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# nessusd - network scanning server
-/usr/sbin/nessusd	--	system_u:object_r:nessusd_exec_t
-/usr/lib(64)?/nessus/plugins/.* --	system_u:object_r:nessusd_exec_t
-/var/lib/nessus(/.*)?	 	system_u:object_r:nessusd_db_t
-/var/log/nessus(/.*)?		system_u:object_r:nessusd_log_t
-/etc/nessus/nessusd\.conf --	system_u:object_r:nessusd_etc_t
diff --git a/targeted/file_contexts/program/netutils.fc b/targeted/file_contexts/program/netutils.fc
deleted file mode 100644
index a6ae5d5..0000000
--- a/targeted/file_contexts/program/netutils.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# network utilities
-/sbin/arping		--	system_u:object_r:netutils_exec_t:s0
-/usr/sbin/tcpdump	--	system_u:object_r:netutils_exec_t:s0
-/etc/network/ifstate	--	system_u:object_r:etc_runtime_t:s0
diff --git a/targeted/file_contexts/program/newrole.fc b/targeted/file_contexts/program/newrole.fc
deleted file mode 100644
index 6b03678..0000000
--- a/targeted/file_contexts/program/newrole.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# newrole
-/usr/bin/newrole	--		system_u:object_r:newrole_exec_t:s0
diff --git a/targeted/file_contexts/program/nrpe.fc b/targeted/file_contexts/program/nrpe.fc
deleted file mode 100644
index 6523cc3..0000000
--- a/targeted/file_contexts/program/nrpe.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# nrpe
-/usr/bin/nrpe		--	system_u:object_r:nrpe_exec_t
-/etc/nagios/nrpe\.cfg	--	system_u:object_r:nrpe_etc_t
-ifdef(`nagios.te', `', `
-/usr/lib(64)?/netsaint/plugins(/.*)?	system_u:object_r:bin_t
-/usr/lib(64)?/nagios/plugins(/.*)?	system_u:object_r:bin_t
-')
diff --git a/targeted/file_contexts/program/nscd.fc b/targeted/file_contexts/program/nscd.fc
deleted file mode 100644
index aa8af5b..0000000
--- a/targeted/file_contexts/program/nscd.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# nscd
-/usr/sbin/nscd		--	system_u:object_r:nscd_exec_t:s0
-/var/run/\.nscd_socket	-s	system_u:object_r:nscd_var_run_t:s0
-/var/run/nscd\.pid	--	system_u:object_r:nscd_var_run_t:s0
-/var/db/nscd(/.*)?		system_u:object_r:nscd_var_run_t:s0
-/var/run/nscd(/.*)?		system_u:object_r:nscd_var_run_t:s0
-/var/log/nscd\.log.*	--	system_u:object_r:nscd_log_t:s0
diff --git a/targeted/file_contexts/program/nsd.fc b/targeted/file_contexts/program/nsd.fc
deleted file mode 100644
index 43b49fe..0000000
--- a/targeted/file_contexts/program/nsd.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# nsd
-/etc/nsd(/.*)?       		system_u:object_r:nsd_conf_t
-/etc/nsd/primary(/.*)?		system_u:object_r:nsd_zone_t
-/etc/nsd/secondary(/.*)?	system_u:object_r:nsd_zone_t
-/etc/nsd/nsd\.db		--	system_u:object_r:nsd_db_t
-/var/lib/nsd(/.*)?		system_u:object_r:nsd_zone_t
-/var/lib/nsd/nsd\.db	--	system_u:object_r:nsd_db_t
-/usr/sbin/nsd      	--	system_u:object_r:nsd_exec_t
-/usr/sbin/nsdc      	--	system_u:object_r:nsd_exec_t
-/usr/sbin/nsd-notify	--	system_u:object_r:nsd_exec_t
-/usr/sbin/zonec		--	system_u:object_r:nsd_exec_t
-/var/run/nsd\.pid	--	system_u:object_r:nsd_var_run_t
diff --git a/targeted/file_contexts/program/ntpd.fc b/targeted/file_contexts/program/ntpd.fc
deleted file mode 100644
index b9040bb..0000000
--- a/targeted/file_contexts/program/ntpd.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-/var/lib/ntp(/.*)?			system_u:object_r:ntp_drift_t:s0
-/etc/ntp/data(/.*)?			system_u:object_r:ntp_drift_t:s0
-/etc/ntp(d)?\.conf.*	--	system_u:object_r:net_conf_t:s0
-/etc/ntp/step-tickers.*		--	system_u:object_r:net_conf_t:s0
-/usr/sbin/ntpd			--	system_u:object_r:ntpd_exec_t:s0
-/usr/sbin/ntpdate		--	system_u:object_r:ntpdate_exec_t:s0
-/var/log/ntpstats(/.*)?			system_u:object_r:ntpd_log_t:s0
-/var/log/ntp.*			--	system_u:object_r:ntpd_log_t:s0
-/var/log/xntpd.*		--	system_u:object_r:ntpd_log_t:s0
-/var/run/ntpd\.pid		--	system_u:object_r:ntpd_var_run_t:s0
-/etc/cron\.(daily|weekly)/ntp-simple -- system_u:object_r:ntpd_exec_t:s0
-/etc/cron\.(daily|weekly)/ntp-server -- system_u:object_r:ntpd_exec_t:s0
diff --git a/targeted/file_contexts/program/nx_server.fc b/targeted/file_contexts/program/nx_server.fc
deleted file mode 100644
index d993646..0000000
--- a/targeted/file_contexts/program/nx_server.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# nx
-/opt/NX/bin/nxserver		--	system_u:object_r:nx_server_exec_t
-/opt/NX/var(/.*)?			system_u:object_r:nx_server_var_run_t
-/opt/NX/home/nx/\.ssh(/.*)?		system_u:object_r:nx_server_home_ssh_t
-
diff --git a/targeted/file_contexts/program/oav-update.fc b/targeted/file_contexts/program/oav-update.fc
deleted file mode 100644
index 5e88a02..0000000
--- a/targeted/file_contexts/program/oav-update.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-/var/lib/oav-virussignatures -- system_u:object_r:oav_update_var_lib_t
-/var/lib/oav-update(/.*)?	system_u:object_r:oav_update_var_lib_t
-/usr/sbin/oav-update	--	system_u:object_r:oav_update_exec_t
-/etc/oav-update(/.*)?		system_u:object_r:oav_update_etc_t
diff --git a/targeted/file_contexts/program/openca-ca.fc b/targeted/file_contexts/program/openca-ca.fc
deleted file mode 100644
index 99ddefe..0000000
--- a/targeted/file_contexts/program/openca-ca.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-/etc/openca(/.*)?		system_u:object_r:openca_etc_t
-/etc/openca/rbac(/.*)?		system_u:object_r:openca_etc_writeable_t
-/etc/openca/*.\.in(/.*)?	system_u:object_r:openca_etc_in_t
-/var/lib/openca(/.*)?		system_u:object_r:openca_var_lib_t
-/var/lib/openca/crypto/keys(/.*)?	system_u:object_r:openca_var_lib_keys_t
-/usr/share/openca(/.*)?		system_u:object_r:openca_usr_share_t
-/usr/share/openca/htdocs(/.*)?	system_u:object_r:httpd_sys_content_t
-/usr/share/openca/cgi-bin/ca/.+ --	system_u:object_r:openca_ca_exec_t
diff --git a/targeted/file_contexts/program/openca-common.fc b/targeted/file_contexts/program/openca-common.fc
deleted file mode 100644
index b75952f..0000000
--- a/targeted/file_contexts/program/openca-common.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-/etc/openca(/.*)?			system_u:object_r:openca_etc_t
-/etc/openca/rbac(/.*)?			system_u:object_r:openca_etc_writeable_t
-/etc/openca/*.\.in(/.*)?		system_u:object_r:openca_etc_in_t
-/var/lib/openca(/.*)?			system_u:object_r:openca_var_lib_t
-/var/lib/openca/crypto/keys(/.*)?	system_u:object_r:openca_var_lib_keys_t
-/usr/share/openca(/.*)?			system_u:object_r:openca_usr_share_t
-/usr/share/openca/htdocs(/.*)?		system_u:object_r:httpd_sys_content_t
diff --git a/targeted/file_contexts/program/openct.fc b/targeted/file_contexts/program/openct.fc
deleted file mode 100644
index 43d656e..0000000
--- a/targeted/file_contexts/program/openct.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/sbin/openct-control	-- 	system_u:object_r:openct_exec_t
-/var/run/openct(/.*)?			system_u:object_r:openct_var_run_t
diff --git a/targeted/file_contexts/program/openvpn.fc b/targeted/file_contexts/program/openvpn.fc
deleted file mode 100644
index 34b2992..0000000
--- a/targeted/file_contexts/program/openvpn.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# OpenVPN
-
-/etc/openvpn/.*	--	system_u:object_r:openvpn_etc_t
-/usr/sbin/openvpn	--	system_u:object_r:openvpn_exec_t
diff --git a/targeted/file_contexts/program/orbit.fc b/targeted/file_contexts/program/orbit.fc
deleted file mode 100644
index 4afbc83..0000000
--- a/targeted/file_contexts/program/orbit.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/tmp/orbit-USER(-.*)?		-d      system_u:object_r:ROLE_orbit_tmp_t
-/tmp/orbit-USER(-.*)?/linc.*	-s	<<none>>
-/tmp/orbit-USER(-.*)?/bonobo.*  --	system_u:object_r:ROLE_orbit_tmp_t
diff --git a/targeted/file_contexts/program/pam.fc b/targeted/file_contexts/program/pam.fc
deleted file mode 100644
index 7209276..0000000
--- a/targeted/file_contexts/program/pam.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/var/run/sudo(/.*)?			system_u:object_r:pam_var_run_t
-/sbin/pam_timestamp_check	 --	system_u:object_r:pam_exec_t
-/lib(64)?/security/pam_krb5/pam_krb5_storetmp -- system_u:object_r:pam_exec_t
diff --git a/targeted/file_contexts/program/pamconsole.fc b/targeted/file_contexts/program/pamconsole.fc
deleted file mode 100644
index 75c8c55..0000000
--- a/targeted/file_contexts/program/pamconsole.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# pam_console_apply
-/sbin/pam_console_apply	 --	system_u:object_r:pam_console_exec_t
-/var/run/console(/.*)?	 	system_u:object_r:pam_var_console_t
diff --git a/targeted/file_contexts/program/passwd.fc b/targeted/file_contexts/program/passwd.fc
deleted file mode 100644
index 823f931..0000000
--- a/targeted/file_contexts/program/passwd.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# spasswd
-/usr/bin/passwd		--	system_u:object_r:passwd_exec_t:s0
-/usr/bin/chage		--	system_u:object_r:passwd_exec_t:s0
-/usr/bin/chsh		--	system_u:object_r:chfn_exec_t:s0
-/usr/bin/chfn		--	system_u:object_r:chfn_exec_t:s0
-/usr/sbin/vipw		--	system_u:object_r:admin_passwd_exec_t:s0
-/usr/sbin/vigr		--	system_u:object_r:admin_passwd_exec_t:s0
-/usr/bin/vipw		--	system_u:object_r:admin_passwd_exec_t:s0
-/usr/bin/vigr		--	system_u:object_r:admin_passwd_exec_t:s0
-/usr/sbin/pwconv	--	system_u:object_r:admin_passwd_exec_t:s0
-/usr/sbin/pwunconv	--	system_u:object_r:admin_passwd_exec_t:s0
-/usr/sbin/grpconv	--	system_u:object_r:admin_passwd_exec_t:s0
-/usr/sbin/grpunconv	--	system_u:object_r:admin_passwd_exec_t:s0
diff --git a/targeted/file_contexts/program/pegasus.fc b/targeted/file_contexts/program/pegasus.fc
deleted file mode 100644
index f4b9f15..0000000
--- a/targeted/file_contexts/program/pegasus.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-# File Contexts for The Open Group Pegasus (tog-pegasus) cimserver
-/usr/sbin/cimserver		--	system_u:object_r:pegasus_exec_t:s0
-/usr/sbin/init_repository	-- 	system_u:object_r:pegasus_exec_t:s0
-/etc/Pegasus(/.*)?			system_u:object_r:pegasus_conf_t:s0
-/var/lib/Pegasus(/.*)?	                system_u:object_r:pegasus_data_t:s0
-/var/run/tog-pegasus(/.*)?              system_u:object_r:pegasus_var_run_t:s0
-/usr/share/Pegasus/mof(/.*)?/.*\.mof    system_u:object_r:pegasus_mof_t:s0
-/etc/Pegasus/pegasus_current.conf	system_u:object_r:pegasus_data_t:s0
-
diff --git a/targeted/file_contexts/program/perdition.fc b/targeted/file_contexts/program/perdition.fc
deleted file mode 100644
index a2d2adb..0000000
--- a/targeted/file_contexts/program/perdition.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# perdition POP and IMAP proxy
-/usr/sbin/perdition	--	system_u:object_r:perdition_exec_t
-/etc/perdition(/.*)?		system_u:object_r:perdition_etc_t
diff --git a/targeted/file_contexts/program/ping.fc b/targeted/file_contexts/program/ping.fc
deleted file mode 100644
index a4ed8cb..0000000
--- a/targeted/file_contexts/program/ping.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# ping
-/bin/ping.* 		--	system_u:object_r:ping_exec_t:s0
-/usr/sbin/hping2	--	system_u:object_r:ping_exec_t:s0
diff --git a/targeted/file_contexts/program/portmap.fc b/targeted/file_contexts/program/portmap.fc
deleted file mode 100644
index 60da994..0000000
--- a/targeted/file_contexts/program/portmap.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# portmap
-/sbin/portmap		--	system_u:object_r:portmap_exec_t:s0
-ifdef(`distro_debian', `
-/sbin/pmap_dump		--	system_u:object_r:portmap_helper_exec_t:s0
-/sbin/pmap_set		--	system_u:object_r:portmap_helper_exec_t:s0
-', `
-/usr/sbin/pmap_dump	--	system_u:object_r:portmap_helper_exec_t:s0
-/usr/sbin/pmap_set	--	system_u:object_r:portmap_helper_exec_t:s0
-')
-/var/run/portmap.upgrade-state -- system_u:object_r:portmap_var_run_t:s0
diff --git a/targeted/file_contexts/program/portslave.fc b/targeted/file_contexts/program/portslave.fc
deleted file mode 100644
index 873334d..0000000
--- a/targeted/file_contexts/program/portslave.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# portslave
-/usr/sbin/portslave	--	system_u:object_r:portslave_exec_t
-/usr/sbin/ctlportslave	--	system_u:object_r:portslave_exec_t
-/etc/portslave(/.*)?		system_u:object_r:portslave_etc_t
-/var/run/radius\.(id|seq) -- system_u:object_r:pppd_var_run_t
diff --git a/targeted/file_contexts/program/postfix.fc b/targeted/file_contexts/program/postfix.fc
deleted file mode 100644
index 300da75..0000000
--- a/targeted/file_contexts/program/postfix.fc
+++ /dev/null
@@ -1,59 +0,0 @@
-# postfix
-/etc/postfix(/.*)?		system_u:object_r:postfix_etc_t:s0
-ifdef(`distro_redhat', `
-/etc/postfix/aliases.*		system_u:object_r:etc_aliases_t:s0
-/usr/libexec/postfix/.*	--	system_u:object_r:postfix_exec_t:s0
-/usr/libexec/postfix/cleanup --	system_u:object_r:postfix_cleanup_exec_t:s0
-/usr/libexec/postfix/local	--	system_u:object_r:postfix_local_exec_t:s0
-/usr/libexec/postfix/master	--	system_u:object_r:postfix_master_exec_t:s0
-/usr/libexec/postfix/pickup	--	system_u:object_r:postfix_pickup_exec_t:s0
-/usr/libexec/postfix/(n)?qmgr --	system_u:object_r:postfix_qmgr_exec_t:s0
-/usr/libexec/postfix/showq	--	system_u:object_r:postfix_showq_exec_t:s0
-/usr/libexec/postfix/smtp	--	system_u:object_r:postfix_smtp_exec_t:s0
-/usr/libexec/postfix/scache	--	system_u:object_r:postfix_smtp_exec_t:s0
-/usr/libexec/postfix/smtpd	--	system_u:object_r:postfix_smtpd_exec_t:s0
-/usr/libexec/postfix/bounce	--	system_u:object_r:postfix_bounce_exec_t:s0
-/usr/libexec/postfix/pipe	--	system_u:object_r:postfix_pipe_exec_t:s0
-', `
-/usr/lib/postfix/.*	--	system_u:object_r:postfix_exec_t:s0
-/usr/lib/postfix/cleanup --	system_u:object_r:postfix_cleanup_exec_t:s0
-/usr/lib/postfix/local	--	system_u:object_r:postfix_local_exec_t:s0
-/usr/lib/postfix/master	--	system_u:object_r:postfix_master_exec_t:s0
-/usr/lib/postfix/pickup	--	system_u:object_r:postfix_pickup_exec_t:s0
-/usr/lib/postfix/(n)?qmgr --	system_u:object_r:postfix_qmgr_exec_t:s0
-/usr/lib/postfix/showq	--	system_u:object_r:postfix_showq_exec_t:s0
-/usr/lib/postfix/smtp	--	system_u:object_r:postfix_smtp_exec_t:s0
-/usr/lib/postfix/scache	--	system_u:object_r:postfix_smtp_exec_t:s0
-/usr/lib/postfix/smtpd	--	system_u:object_r:postfix_smtpd_exec_t:s0
-/usr/lib/postfix/bounce	--	system_u:object_r:postfix_bounce_exec_t:s0
-/usr/lib/postfix/pipe	--	system_u:object_r:postfix_pipe_exec_t:s0
-')
-/etc/postfix/postfix-script.* -- system_u:object_r:postfix_exec_t:s0
-/etc/postfix/prng_exch	--	system_u:object_r:postfix_prng_t:s0
-/usr/sbin/postalias	--	system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postcat	--	system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postdrop	--	system_u:object_r:postfix_postdrop_exec_t:s0
-/usr/sbin/postfix	--	system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postkick	--	system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postlock	--	system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postlog	--	system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/postmap	--	system_u:object_r:postfix_map_exec_t:s0
-/usr/sbin/postqueue	--	system_u:object_r:postfix_postqueue_exec_t:s0
-/usr/sbin/postsuper	--	system_u:object_r:postfix_master_exec_t:s0
-/usr/sbin/rmail		--	system_u:object_r:sendmail_exec_t:s0
-/usr/sbin/sendmail.postfix --	system_u:object_r:sendmail_exec_t:s0
-/var/spool/postfix(/.*)?	system_u:object_r:postfix_spool_t:s0
-/var/spool/postfix/maildrop(/.*)? system_u:object_r:postfix_spool_maildrop_t:s0
-/var/spool/postfix/pid	-d	system_u:object_r:var_run_t:s0
-/var/spool/postfix/pid/.*	system_u:object_r:postfix_var_run_t:s0
-/var/spool/postfix/private(/.*)? system_u:object_r:postfix_private_t:s0
-/var/spool/postfix/public(/.*)? system_u:object_r:postfix_public_t:s0
-/var/spool/postfix/bounce(/.*)? system_u:object_r:postfix_spool_bounce_t:s0
-/var/spool/postfix/flush(/.*)?	system_u:object_r:postfix_spool_flush_t:s0
-/var/spool/postfix/etc(/.*)?	system_u:object_r:etc_t:s0
-/var/spool/postfix/lib(64)?(/.*)?	system_u:object_r:lib_t:s0
-/var/spool/postfix/usr(/.*)?	system_u:object_r:lib_t:s0
-/var/spool/postfix/lib(64)?/ld.*\.so.* -- system_u:object_r:ld_so_t:s0
-/var/spool/postfix/lib(64)?/lib.*\.so.* -- system_u:object_r:shlib_t:s0
-/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- system_u:object_r:shlib_t:s0
-/var/spool/postfix/lib(64)?/devfsd/.*\.so.* -- system_u:object_r:shlib_t:s0
diff --git a/targeted/file_contexts/program/postgresql.fc b/targeted/file_contexts/program/postgresql.fc
deleted file mode 100644
index 635a74a..0000000
--- a/targeted/file_contexts/program/postgresql.fc
+++ /dev/null
@@ -1,20 +0,0 @@
-# postgresql - database server
-/usr/lib(64)?/postgresql/bin/.* --	system_u:object_r:postgresql_exec_t:s0
-/usr/bin/postgres	--	system_u:object_r:postgresql_exec_t:s0
-/usr/bin/initdb		--	system_u:object_r:postgresql_exec_t:s0
-
-/var/lib/postgres(ql)?(/.*)? 	system_u:object_r:postgresql_db_t:s0
-/var/lib/pgsql/data(/.*)?	system_u:object_r:postgresql_db_t:s0
-/var/run/postgresql(/.*)?	system_u:object_r:postgresql_var_run_t:s0
-/etc/postgresql(/.*)?		system_u:object_r:postgresql_etc_t:s0
-/var/log/postgres\.log.* --	system_u:object_r:postgresql_log_t:s0
-/var/log/postgresql(/.*)?	system_u:object_r:postgresql_log_t:s0
-/var/lib/pgsql/pgstartup.log	system_u:object_r:postgresql_log_t:s0
-/usr/lib/pgsql/test/regres(/.*)?	system_u:object_r:postgresql_db_t:s0
-/usr/lib/pgsql/test/regress/.*\.so	-- system_u:object_r:shlib_t:s0
-/usr/lib/pgsql/test/regress/.*\.sh	-- system_u:object_r:bin_t:s0
-/usr/lib/pgsql/test/regress/pg_regress	-- system_u:object_r:postgresql_exec_t:s0
-ifdef(`distro_redhat', `
-/usr/share/jonas/pgsql(/.*)?       system_u:object_r:postgresql_db_t:s0
-/var/log/rhdb/rhdb(/.*)?           system_u:object_r:postgresql_log_t:s0 
-')
diff --git a/targeted/file_contexts/program/postgrey.fc b/targeted/file_contexts/program/postgrey.fc
deleted file mode 100644
index 89e43fd..0000000
--- a/targeted/file_contexts/program/postgrey.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# postgrey - postfix grey-listing server
-/usr/sbin/postgrey	--	system_u:object_r:postgrey_exec_t
-/var/run/postgrey\.pid	--	system_u:object_r:postgrey_var_run_t
-/etc/postgrey(/.*)?		system_u:object_r:postgrey_etc_t
-/var/lib/postgrey(/.*)?		system_u:object_r:postgrey_var_lib_t
diff --git a/targeted/file_contexts/program/pppd.fc b/targeted/file_contexts/program/pppd.fc
deleted file mode 100644
index 87e3cb7..0000000
--- a/targeted/file_contexts/program/pppd.fc
+++ /dev/null
@@ -1,25 +0,0 @@
-# pppd
-/usr/sbin/pppd		--	system_u:object_r:pppd_exec_t:s0
-/usr/sbin/pptp 		--	system_u:object_r:pptp_exec_t:s0
-/usr/sbin/ipppd		--	system_u:object_r:pppd_exec_t:s0
-/dev/ppp		-c	system_u:object_r:ppp_device_t:s0
-/dev/pppox.*		-c	system_u:object_r:ppp_device_t:s0
-/dev/ippp.*		-c	system_u:object_r:ppp_device_t:s0
-/var/run/pppd[0-9]*\.tdb --	system_u:object_r:pppd_var_run_t:s0
-/var/run/ppp(/.*)?		system_u:object_r:pppd_var_run_t:s0
-/etc/ppp		-d	system_u:object_r:pppd_etc_t:s0
-/etc/ppp/.*		--	system_u:object_r:pppd_etc_rw_t:s0
-/etc/ppp/.*secrets	--	system_u:object_r:pppd_secret_t:s0
-/var/run/(i)?ppp.*pid	--	system_u:object_r:pppd_var_run_t:s0
-/var/log/ppp-connect-errors.* -- system_u:object_r:pppd_log_t:s0
-/var/log/ppp/.*	--	system_u:object_r:pppd_log_t:s0
-/etc/ppp/ip-down\..*	--	system_u:object_r:bin_t:s0
-/etc/ppp/ip-up\..*	--	system_u:object_r:bin_t:s0
-/etc/ppp/ipv6-up\..*	--	system_u:object_r:bin_t:s0
-/etc/ppp/ipv6-down\..*	--	system_u:object_r:bin_t:s0
-/etc/ppp/plugins/rp-pppoe\.so 	--	system_u:object_r:shlib_t:s0
-/etc/ppp/resolv\.conf 	--	system_u:object_r:pppd_etc_rw_t:s0
-# Fix pptp sockets
-/var/run/pptp(/.*)?		system_u:object_r:pptp_var_run_t:s0
-# Fix /etc/ppp {up,down} family scripts (see man pppd)
-/etc/ppp/(auth|ip(v6|x)?)-(up|down)	--	system_u:object_r:pppd_script_exec_t:s0
diff --git a/targeted/file_contexts/program/prelink.fc b/targeted/file_contexts/program/prelink.fc
deleted file mode 100644
index 331e315..0000000
--- a/targeted/file_contexts/program/prelink.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# prelink - prelink ELF shared libraries and binaries to speed up startup time
-/usr/sbin/prelink		--	system_u:object_r:prelink_exec_t
-ifdef(`distro_debian', `
-/usr/sbin/prelink\.bin		--	system_u:object_r:prelink_exec_t
-')
-/etc/prelink\.conf		--	system_u:object_r:etc_prelink_t
-/var/log/prelink\.log		--	system_u:object_r:prelink_log_t
-/etc/prelink\.cache		--	system_u:object_r:prelink_cache_t
diff --git a/targeted/file_contexts/program/privoxy.fc b/targeted/file_contexts/program/privoxy.fc
deleted file mode 100644
index d8d5647..0000000
--- a/targeted/file_contexts/program/privoxy.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# privoxy
-/usr/sbin/privoxy	--	system_u:object_r:privoxy_exec_t:s0
-/var/log/privoxy(/.*)?		system_u:object_r:privoxy_log_t:s0
diff --git a/targeted/file_contexts/program/procmail.fc b/targeted/file_contexts/program/procmail.fc
deleted file mode 100644
index 543602d..0000000
--- a/targeted/file_contexts/program/procmail.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# procmail
-/usr/bin/procmail	--	system_u:object_r:procmail_exec_t
diff --git a/targeted/file_contexts/program/publicfile.fc b/targeted/file_contexts/program/publicfile.fc
deleted file mode 100644
index dc32249..0000000
--- a/targeted/file_contexts/program/publicfile.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-
-/usr/bin/ftpd			--	system_u:object_r:publicfile_exec_t
-/usr/bin/httpd			--	system_u:object_r:publicfile_exec_t
-/usr/bin/publicfile-conf	--	system_u:object_r:publicfile_exec_t
-
-# this is the place where online content located
-# set this to suit your needs
-#/var/www(/.*)?			system_u:object_r:publicfile_content_t
-
diff --git a/targeted/file_contexts/program/pxe.fc b/targeted/file_contexts/program/pxe.fc
deleted file mode 100644
index 165076a..0000000
--- a/targeted/file_contexts/program/pxe.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# pxe network boot server
-/usr/sbin/pxe		--	system_u:object_r:pxe_exec_t
-/var/log/pxe\.log	--	system_u:object_r:pxe_log_t
-/var/run/pxe\.pid	--	system_u:object_r:pxe_var_run_t
-
diff --git a/targeted/file_contexts/program/pyzor.fc b/targeted/file_contexts/program/pyzor.fc
deleted file mode 100644
index ff62295..0000000
--- a/targeted/file_contexts/program/pyzor.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-/etc/pyzor(/.*)?			system_u:object_r:pyzor_etc_t
-/usr/bin/pyzor			--	system_u:object_r:pyzor_exec_t
-/usr/bin/pyzord			--	system_u:object_r:pyzord_exec_t
-/var/lib/pyzord(/.*)?			system_u:object_r:pyzor_var_lib_t
-/var/log/pyzord.log		--	system_u:object_r:pyzord_log_t
-HOME_DIR/\.pyzor(/.*)?			system_u:object_r:ROLE_pyzor_home_t
diff --git a/targeted/file_contexts/program/qmail.fc b/targeted/file_contexts/program/qmail.fc
deleted file mode 100644
index 7704ed7..0000000
--- a/targeted/file_contexts/program/qmail.fc
+++ /dev/null
@@ -1,38 +0,0 @@
-# qmail - Debian locations
-/etc/qmail(/.*)?		system_u:object_r:qmail_etc_t
-/var/qmail(/.*)?		system_u:object_r:qmail_etc_t
-/var/spool/qmail(/.*)?		system_u:object_r:qmail_spool_t
-/usr/sbin/qmail-start	--	system_u:object_r:qmail_start_exec_t
-/usr/sbin/qmail-lspawn	--	system_u:object_r:qmail_lspawn_exec_t
-/usr/bin/tcp-env	--	system_u:object_r:qmail_tcp_env_exec_t
-/usr/sbin/qmail-inject	--	system_u:object_r:qmail_inject_exec_t
-/usr/sbin/qmail-smtpd	--	system_u:object_r:qmail_smtpd_exec_t
-/usr/sbin/qmail-queue	--	system_u:object_r:qmail_queue_exec_t
-/usr/sbin/qmail-local	--	system_u:object_r:qmail_local_exec_t
-/usr/sbin/qmail-clean	--	system_u:object_r:qmail_clean_exec_t
-/usr/sbin/qmail-send	--	system_u:object_r:qmail_send_exec_t
-/usr/sbin/qmail-rspawn	--	system_u:object_r:qmail_rspawn_exec_t
-/usr/sbin/qmail-remote	--	system_u:object_r:qmail_remote_exec_t
-/usr/sbin/qmail-qread	--	system_u:object_r:qmail_qread_exec_t
-/usr/sbin/splogger	--	system_u:object_r:qmail_splogger_exec_t
-/usr/sbin/qmail-getpw	--	system_u:object_r:qmail_exec_t
-/usr/local/bin/serialmail/.* -- system_u:object_r:qmail_serialmail_exec_t
-# qmail - djb locations
-/var/qmail/control(/.*)?	system_u:object_r:qmail_etc_t
-/var/qmail/bin		-d	system_u:object_r:bin_t
-/var/qmail/queue(/.*)?		system_u:object_r:qmail_spool_t
-/var/qmail/bin/qmail-lspawn --	system_u:object_r:qmail_lspawn_exec_t
-/var/qmail/bin/tcp-env	--	system_u:object_r:qmail_tcp_env_exec_t
-/var/qmail/bin/qmail-inject --	system_u:object_r:qmail_inject_exec_t
-/var/qmail/bin/qmail-smtpd --	system_u:object_r:qmail_smtpd_exec_t
-/var/qmail/bin/qmail-queue --	system_u:object_r:qmail_queue_exec_t
-/var/qmail/bin/qmail-local --	system_u:object_r:qmail_local_exec_t
-/var/qmail/bin/qmail-clean --	system_u:object_r:qmail_clean_exec_t
-/var/qmail/bin/qmail-send --	system_u:object_r:qmail_send_exec_t
-/var/qmail/bin/qmail-rspawn --	system_u:object_r:qmail_rspawn_exec_t
-/var/qmail/bin/qmail-remote --	system_u:object_r:qmail_remote_exec_t
-/var/qmail/bin/qmail-qread --	system_u:object_r:qmail_qread_exec_t
-/var/qmail/bin/qmail-start --	system_u:object_r:qmail_start_exec_t
-/var/qmail/rc		--	system_u:object_r:bin_t
-/var/qmail/bin/splogger --	system_u:object_r:qmail_splogger_exec_t
-/var/qmail/bin/qmail-getpw --	system_u:object_r:qmail_exec_t
diff --git a/targeted/file_contexts/program/quota.fc b/targeted/file_contexts/program/quota.fc
deleted file mode 100644
index f91f1a4..0000000
--- a/targeted/file_contexts/program/quota.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# quota system
-/var/lib/quota(/.*)?		system_u:object_r:quota_flag_t
-/sbin/quota(check|on)	--	system_u:object_r:quota_exec_t
-ifdef(`distro_redhat', `
-/usr/sbin/convertquota	--	system_u:object_r:quota_exec_t
-', `
-/sbin/convertquota	--	system_u:object_r:quota_exec_t
-')
-HOME_ROOT/a?quota\.(user|group) -- system_u:object_r:quota_db_t
-/var/a?quota\.(user|group) -- system_u:object_r:quota_db_t
diff --git a/targeted/file_contexts/program/radius.fc b/targeted/file_contexts/program/radius.fc
deleted file mode 100644
index e3b9d51..0000000
--- a/targeted/file_contexts/program/radius.fc
+++ /dev/null
@@ -1,15 +0,0 @@
-# radius
-/etc/raddb(/.*)?                system_u:object_r:radiusd_etc_t:s0
-/usr/sbin/radiusd	--	system_u:object_r:radiusd_exec_t:s0
-/usr/sbin/freeradius	--	system_u:object_r:radiusd_exec_t:s0
-/var/log/radiusd-freeradius(/.*)?       system_u:object_r:radiusd_log_t:s0
-/var/log/radius\.log.*	--	system_u:object_r:radiusd_log_t:s0
-/var/log/radius(/.*)?		system_u:object_r:radiusd_log_t:s0
-/var/log/freeradius(/.*)?	system_u:object_r:radiusd_log_t:s0
-/var/log/radacct(/.*)?		system_u:object_r:radiusd_log_t:s0
-/var/log/radutmp	--	system_u:object_r:radiusd_log_t:s0
-/var/log/radwtmp.*	--	system_u:object_r:radiusd_log_t:s0
-/etc/cron\.(daily|monthly)/radiusd -- system_u:object_r:radiusd_exec_t:s0
-/etc/cron\.(daily|weekly|monthly)/freeradius -- system_u:object_r:radiusd_exec_t:s0
-/var/run/radiusd\.pid	--	system_u:object_r:radiusd_var_run_t:s0
-/var/run/radiusd(/.*)?		system_u:object_r:radiusd_var_run_t:s0
diff --git a/targeted/file_contexts/program/radvd.fc b/targeted/file_contexts/program/radvd.fc
deleted file mode 100644
index ab6bc47..0000000
--- a/targeted/file_contexts/program/radvd.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# radvd
-/etc/radvd\.conf	--	system_u:object_r:radvd_etc_t:s0
-/usr/sbin/radvd		--	system_u:object_r:radvd_exec_t:s0
-/var/run/radvd\.pid	--	system_u:object_r:radvd_var_run_t:s0
-/var/run/radvd(/.*)?		system_u:object_r:radvd_var_run_t:s0
diff --git a/targeted/file_contexts/program/razor.fc b/targeted/file_contexts/program/razor.fc
deleted file mode 100644
index f3f1346..0000000
--- a/targeted/file_contexts/program/razor.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# razor
-/etc/razor(/.*)?		system_u:object_r:razor_etc_t
-/usr/bin/razor.*		system_u:object_r:razor_exec_t
-/var/lib/razor(/.*)?		system_u:object_r:razor_var_lib_t
-/var/log/razor-agent.log	system_u:object_r:razor_log_t
-HOME_DIR/\.razor(/.*)?		system_u:object_r:ROLE_razor_home_t
diff --git a/targeted/file_contexts/program/rdisc.fc b/targeted/file_contexts/program/rdisc.fc
deleted file mode 100644
index d3f9dcf..0000000
--- a/targeted/file_contexts/program/rdisc.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# rdisc
-/sbin/rdisc		system_u:object_r:rdisc_exec_t
diff --git a/targeted/file_contexts/program/readahead.fc b/targeted/file_contexts/program/readahead.fc
deleted file mode 100644
index 0755fef..0000000
--- a/targeted/file_contexts/program/readahead.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/readahead -- system_u:object_r:readahead_exec_t
diff --git a/targeted/file_contexts/program/resmgrd.fc b/targeted/file_contexts/program/resmgrd.fc
deleted file mode 100644
index bee4680..0000000
--- a/targeted/file_contexts/program/resmgrd.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# resmgrd
-/sbin/resmgrd		--	system_u:object_r:resmgrd_exec_t
-/etc/resmgr\.conf	--	system_u:object_r:resmgrd_etc_t
-/var/run/resmgr\.pid	--	system_u:object_r:resmgrd_var_run_t
-/var/run/\.resmgr_socket	-s	system_u:object_r:resmgrd_var_run_t
-
diff --git a/targeted/file_contexts/program/restorecon.fc b/targeted/file_contexts/program/restorecon.fc
deleted file mode 100644
index cd62c78..0000000
--- a/targeted/file_contexts/program/restorecon.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# restorecon
-/sbin/restorecon	--	system_u:object_r:restorecon_exec_t:s0
diff --git a/targeted/file_contexts/program/rhgb.fc b/targeted/file_contexts/program/rhgb.fc
deleted file mode 100644
index 118972e..0000000
--- a/targeted/file_contexts/program/rhgb.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/rhgb		--	system_u:object_r:rhgb_exec_t
diff --git a/targeted/file_contexts/program/rlogind.fc b/targeted/file_contexts/program/rlogind.fc
deleted file mode 100644
index ce68e2c..0000000
--- a/targeted/file_contexts/program/rlogind.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# rlogind and telnetd
-/usr/sbin/in\.rlogind	--	system_u:object_r:rlogind_exec_t:s0
-/usr/lib(64)?/telnetlogin	--	system_u:object_r:rlogind_exec_t:s0
-/usr/kerberos/sbin/klogind --	system_u:object_r:rlogind_exec_t:s0
diff --git a/targeted/file_contexts/program/roundup.fc b/targeted/file_contexts/program/roundup.fc
deleted file mode 100644
index 99b2700..0000000
--- a/targeted/file_contexts/program/roundup.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/bin/roundup-server         --      system_u:object_r:roundup_exec_t
-/var/lib/roundup(/.*)?          --      system_u:object_r:roundup_var_lib_t
diff --git a/targeted/file_contexts/program/rpcd.fc b/targeted/file_contexts/program/rpcd.fc
deleted file mode 100644
index 916cd25..0000000
--- a/targeted/file_contexts/program/rpcd.fc
+++ /dev/null
@@ -1,12 +0,0 @@
-# RPC daemons
-/sbin/rpc\..*		--	system_u:object_r:rpcd_exec_t:s0
-/usr/sbin/rpc.idmapd	--	system_u:object_r:rpcd_exec_t:s0
-/usr/sbin/rpc\.nfsd	--	system_u:object_r:nfsd_exec_t:s0
-/usr/sbin/exportfs	--	system_u:object_r:nfsd_exec_t:s0
-/usr/sbin/rpc\.gssd	--	system_u:object_r:gssd_exec_t:s0
-/usr/sbin/rpc\.svcgssd	--	system_u:object_r:gssd_exec_t:s0
-/usr/sbin/rpc\.mountd	--	system_u:object_r:nfsd_exec_t:s0
-/var/run/rpc\.statd\.pid	--	system_u:object_r:rpcd_var_run_t:s0
-/var/run/rpc\.statd(/.*)?	system_u:object_r:rpcd_var_run_t:s0
-/etc/exports		--	system_u:object_r:exports_t:s0
-
diff --git a/targeted/file_contexts/program/rpm.fc b/targeted/file_contexts/program/rpm.fc
deleted file mode 100644
index 494fbcf..0000000
--- a/targeted/file_contexts/program/rpm.fc
+++ /dev/null
@@ -1,29 +0,0 @@
-# rpm
-/var/lib/rpm(/.*)?		system_u:object_r:rpm_var_lib_t:s0
-/var/lib/alternatives(/.*)?	system_u:object_r:rpm_var_lib_t:s0
-/bin/rpm 		--	system_u:object_r:rpm_exec_t:s0
-/usr/bin/yum 		--	system_u:object_r:rpm_exec_t:s0
-/usr/bin/apt-get 	--	system_u:object_r:rpm_exec_t:s0
-/usr/bin/apt-shell    	-- 	system_u:object_r:rpm_exec_t:s0
-/usr/bin/synaptic   --    	system_u:object_r:rpm_exec_t:s0 
-/usr/lib(64)?/rpm/rpmd	-- 	system_u:object_r:bin_t:s0
-/usr/lib(64)?/rpm/rpmq	-- 	system_u:object_r:bin_t:s0
-/usr/lib(64)?/rpm/rpmk	-- 	system_u:object_r:bin_t:s0
-/usr/lib(64)?/rpm/rpmv	-- 	system_u:object_r:bin_t:s0
-/var/log/rpmpkgs.*	--	system_u:object_r:rpm_log_t:s0
-/var/log/yum\.log	--	system_u:object_r:rpm_log_t:s0
-ifdef(`distro_redhat', `
-/usr/sbin/up2date	--	system_u:object_r:rpm_exec_t:s0
-/usr/sbin/rhn_check	--	system_u:object_r:rpm_exec_t:s0
-')
-# SuSE
-ifdef(`distro_suse', `
-/usr/bin/online_update		--	system_u:object_r:rpm_exec_t:s0
-/sbin/yast2			--	system_u:object_r:rpm_exec_t:s0
-/var/lib/YaST2(/.*)?			system_u:object_r:rpm_var_lib_t:s0
-/var/log/YaST2(/.*)?			system_u:object_r:rpm_log_t:s0
-')
-
-ifdef(`mls_policy', `
-/sbin/cpio			--	system_u:object_r:rpm_exec_t:s0
-')
diff --git a/targeted/file_contexts/program/rshd.fc b/targeted/file_contexts/program/rshd.fc
deleted file mode 100644
index a7141fe..0000000
--- a/targeted/file_contexts/program/rshd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# rshd.
-/usr/sbin/in\.rshd	--	system_u:object_r:rshd_exec_t:s0
-/usr/sbin/in\.rexecd	--	system_u:object_r:rshd_exec_t:s0
-/usr/kerberos/sbin/kshd	--	system_u:object_r:rshd_exec_t:s0
diff --git a/targeted/file_contexts/program/rssh.fc b/targeted/file_contexts/program/rssh.fc
deleted file mode 100644
index 16ec3a3..0000000
--- a/targeted/file_contexts/program/rssh.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# rssh
-/usr/bin/rssh		--	system_u:object_r:rssh_exec_t
diff --git a/targeted/file_contexts/program/rsync.fc b/targeted/file_contexts/program/rsync.fc
deleted file mode 100644
index edb25f3..0000000
--- a/targeted/file_contexts/program/rsync.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# rsync program
-/usr/bin/rsync	--	system_u:object_r:rsync_exec_t:s0
-/srv/([^/]*/)?rsync(/.*)?	system_u:object_r:public_content_t:s0
diff --git a/targeted/file_contexts/program/samba.fc b/targeted/file_contexts/program/samba.fc
deleted file mode 100644
index 204eb3f..0000000
--- a/targeted/file_contexts/program/samba.fc
+++ /dev/null
@@ -1,26 +0,0 @@
-# samba scripts
-/usr/sbin/smbd		--	system_u:object_r:smbd_exec_t:s0
-/usr/sbin/nmbd		--	system_u:object_r:nmbd_exec_t:s0
-/usr/bin/net		--	system_u:object_r:samba_net_exec_t:s0
-/etc/samba(/.*)?		system_u:object_r:samba_etc_t:s0
-/var/log/samba(/.*)?		system_u:object_r:samba_log_t:s0
-/var/cache/samba(/.*)?		system_u:object_r:samba_var_t:s0
-/var/lib/samba(/.*)?		system_u:object_r:samba_var_t:s0
-/etc/samba/secrets\.tdb	--	system_u:object_r:samba_secrets_t:s0
-/etc/samba/MACHINE\.SID	--	system_u:object_r:samba_secrets_t:s0
-# samba really wants write access to smbpasswd
-/etc/samba/smbpasswd	--	system_u:object_r:samba_secrets_t:s0
-/var/run/samba/locking\.tdb --	system_u:object_r:smbd_var_run_t:s0
-/var/run/samba/connections\.tdb -- system_u:object_r:smbd_var_run_t:s0
-/var/run/samba/sessionid\.tdb -- system_u:object_r:smbd_var_run_t:s0
-/var/run/samba/brlock\.tdb --	system_u:object_r:smbd_var_run_t:s0
-/var/run/samba/namelist\.debug -- system_u:object_r:nmbd_var_run_t:s0
-/var/run/samba/messages\.tdb --	system_u:object_r:nmbd_var_run_t:s0
-/var/run/samba/unexpected\.tdb -- system_u:object_r:nmbd_var_run_t:s0
-/var/run/samba/smbd\.pid --	system_u:object_r:smbd_var_run_t:s0
-/var/run/samba/nmbd\.pid --	system_u:object_r:nmbd_var_run_t:s0
-/var/spool/samba(/.*)?		system_u:object_r:samba_var_t:s0
-ifdef(`mount.te', `
-/usr/bin/smbmount	--	system_u:object_r:smbmount_exec_t:s0
-/usr/bin/smbmnt		--	system_u:object_r:smbmount_exec_t:s0
-')
diff --git a/targeted/file_contexts/program/saslauthd.fc b/targeted/file_contexts/program/saslauthd.fc
deleted file mode 100644
index a8275a6..0000000
--- a/targeted/file_contexts/program/saslauthd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# saslauthd 
-/usr/sbin/saslauthd		--	system_u:object_r:saslauthd_exec_t:s0
-/var/run/saslauthd(/.*)?		system_u:object_r:saslauthd_var_run_t:s0
diff --git a/targeted/file_contexts/program/scannerdaemon.fc b/targeted/file_contexts/program/scannerdaemon.fc
deleted file mode 100644
index a43bf87..0000000
--- a/targeted/file_contexts/program/scannerdaemon.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# scannerdaemon
-/usr/sbin/scannerdaemon		--	system_u:object_r:scannerdaemon_exec_t
-/etc/scannerdaemon/scannerdaemon\.conf -- system_u:object_r:scannerdaemon_etc_t
-/var/log/scannerdaemon\.log 	--	system_u:object_r:scannerdaemon_log_t
diff --git a/targeted/file_contexts/program/screen.fc b/targeted/file_contexts/program/screen.fc
deleted file mode 100644
index 0e6e78d..0000000
--- a/targeted/file_contexts/program/screen.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# screen
-/usr/bin/screen		--	system_u:object_r:screen_exec_t
-HOME_DIR/\.screenrc	--	system_u:object_r:ROLE_screen_ro_home_t
-/var/run/screens?/S-[^/]+	-d	system_u:object_r:screen_dir_t
-/var/run/screens?/S-[^/]+/.*	<<none>>
diff --git a/targeted/file_contexts/program/sendmail.fc b/targeted/file_contexts/program/sendmail.fc
deleted file mode 100644
index ee28318..0000000
--- a/targeted/file_contexts/program/sendmail.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# sendmail
-/etc/mail(/.*)?				system_u:object_r:etc_mail_t:s0
-/var/log/sendmail\.st		--	system_u:object_r:sendmail_log_t:s0
-/var/log/mail(/.*)?			system_u:object_r:sendmail_log_t:s0
-/var/run/sendmail\.pid		--	system_u:object_r:sendmail_var_run_t:s0
-/var/run/sm-client\.pid		--	system_u:object_r:sendmail_var_run_t:s0
diff --git a/targeted/file_contexts/program/setfiles.fc b/targeted/file_contexts/program/setfiles.fc
deleted file mode 100644
index 45e245b..0000000
--- a/targeted/file_contexts/program/setfiles.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# setfiles
-/usr/sbin/setfiles.*	--	system_u:object_r:setfiles_exec_t:s0
-
diff --git a/targeted/file_contexts/program/seuser.fc b/targeted/file_contexts/program/seuser.fc
deleted file mode 100644
index 0c7f71b..0000000
--- a/targeted/file_contexts/program/seuser.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# seuser
-/usr/bin/seuser	--	system_u:object_r:seuser_exec_t
-/usr/apol/seuser\.conf system_u:object_r:seuser_conf_t
-
diff --git a/targeted/file_contexts/program/slapd.fc b/targeted/file_contexts/program/slapd.fc
deleted file mode 100644
index 7c072d1..0000000
--- a/targeted/file_contexts/program/slapd.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# slapd - ldap server
-/usr/sbin/slapd		--	system_u:object_r:slapd_exec_t:s0
-/var/lib/ldap(/.*)?		system_u:object_r:slapd_db_t:s0
-/var/lib/ldap/replog(/.*)?	system_u:object_r:slapd_replog_t:s0
-/var/run/slapd\.args	--	system_u:object_r:slapd_var_run_t:s0
-/etc/ldap/slapd\.conf	--	system_u:object_r:slapd_etc_t:s0
-/var/run/slapd\.pid	--	system_u:object_r:slapd_var_run_t:s0
diff --git a/targeted/file_contexts/program/slocate.fc b/targeted/file_contexts/program/slocate.fc
deleted file mode 100644
index 1796c77..0000000
--- a/targeted/file_contexts/program/slocate.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# locate - file locater
-/usr/bin/slocate		--	system_u:object_r:locate_exec_t
-/var/lib/slocate(/.*)?			system_u:object_r:locate_var_lib_t
-/etc/updatedb\.conf		--	system_u:object_r:locate_etc_t
diff --git a/targeted/file_contexts/program/slrnpull.fc b/targeted/file_contexts/program/slrnpull.fc
deleted file mode 100644
index 4c0d36c..0000000
--- a/targeted/file_contexts/program/slrnpull.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# slrnpull
-/usr/bin/slrnpull	--	system_u:object_r:slrnpull_exec_t
-/var/spool/slrnpull(/.*)?	system_u:object_r:slrnpull_spool_t
diff --git a/targeted/file_contexts/program/snmpd.fc b/targeted/file_contexts/program/snmpd.fc
deleted file mode 100644
index c81b3fe..0000000
--- a/targeted/file_contexts/program/snmpd.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-# snmpd
-/usr/sbin/snmp(trap)?d	--	system_u:object_r:snmpd_exec_t:s0
-/var/lib/snmp(/.*)?		system_u:object_r:snmpd_var_lib_t:s0
-/var/lib/net-snmp(/.*)?	system_u:object_r:snmpd_var_lib_t:s0
-/etc/snmp/snmp(trap)?d\.conf -- system_u:object_r:snmpd_etc_t:s0
-/usr/share/snmp/mibs/\.index -- system_u:object_r:snmpd_var_lib_t:s0
-/var/run/snmpd\.pid	--	system_u:object_r:snmpd_var_run_t:s0
-/var/run/snmpd		-d	system_u:object_r:snmpd_var_run_t:s0
-/var/net-snmp(/.*)		system_u:object_r:snmpd_var_lib_t:s0
-/var/log/snmpd\.log	--	system_u:object_r:snmpd_log_t:s0
diff --git a/targeted/file_contexts/program/snort.fc b/targeted/file_contexts/program/snort.fc
deleted file mode 100644
index a40670c..0000000
--- a/targeted/file_contexts/program/snort.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# SNORT
-/usr/(s)?bin/snort --	system_u:object_r:snort_exec_t
-/etc/snort(/.*)?	system_u:object_r:snort_etc_t
-/var/log/snort(/.*)?	system_u:object_r:snort_log_t
diff --git a/targeted/file_contexts/program/sound-server.fc b/targeted/file_contexts/program/sound-server.fc
deleted file mode 100644
index dfa8245..0000000
--- a/targeted/file_contexts/program/sound-server.fc
+++ /dev/null
@@ -1,8 +0,0 @@
-# sound servers, nas, yiff, etc
-/usr/sbin/yiff		--	system_u:object_r:soundd_exec_t
-/usr/bin/nasd		--	system_u:object_r:soundd_exec_t
-/usr/bin/gpe-soundserver --	system_u:object_r:soundd_exec_t
-/etc/nas(/.*)?			system_u:object_r:etc_soundd_t
-/etc/yiff(/.*)?			system_u:object_r:etc_soundd_t
-/var/state/yiff(/.*)?		system_u:object_r:soundd_state_t
-/var/run/yiff-[0-9]+\.pid --	system_u:object_r:soundd_var_run_t
diff --git a/targeted/file_contexts/program/sound.fc b/targeted/file_contexts/program/sound.fc
deleted file mode 100644
index 5e6b0d1..0000000
--- a/targeted/file_contexts/program/sound.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# sound
-/bin/aumix-minimal	--	system_u:object_r:sound_exec_t
-/etc/\.aumixrc		--	system_u:object_r:sound_file_t
diff --git a/targeted/file_contexts/program/spamassassin.fc b/targeted/file_contexts/program/spamassassin.fc
deleted file mode 100644
index a85b8b1..0000000
--- a/targeted/file_contexts/program/spamassassin.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# spamassasin
-/usr/bin/spamassassin	--	system_u:object_r:spamassassin_exec_t
-HOME_DIR/\.spamassassin(/.*)?	system_u:object_r:ROLE_spamassassin_home_t
diff --git a/targeted/file_contexts/program/spamc.fc b/targeted/file_contexts/program/spamc.fc
deleted file mode 100644
index 1168d40..0000000
--- a/targeted/file_contexts/program/spamc.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/spamc	--	system_u:object_r:spamc_exec_t:s0
diff --git a/targeted/file_contexts/program/spamd.fc b/targeted/file_contexts/program/spamd.fc
deleted file mode 100644
index 8c9add8..0000000
--- a/targeted/file_contexts/program/spamd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/spamd		--	system_u:object_r:spamd_exec_t:s0
-/usr/bin/spamd		--	system_u:object_r:spamd_exec_t:s0
-/usr/bin/sa-learn	--	system_u:object_r:spamd_exec_t:s0
diff --git a/targeted/file_contexts/program/speedmgmt.fc b/targeted/file_contexts/program/speedmgmt.fc
deleted file mode 100644
index 486906e..0000000
--- a/targeted/file_contexts/program/speedmgmt.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# speedmgmt
-/usr/sbin/speedmgmt	--	system_u:object_r:speedmgmt_exec_t
diff --git a/targeted/file_contexts/program/squid.fc b/targeted/file_contexts/program/squid.fc
deleted file mode 100644
index e0d6f71..0000000
--- a/targeted/file_contexts/program/squid.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# squid
-/usr/sbin/squid		--	system_u:object_r:squid_exec_t:s0
-/var/cache/squid(/.*)?		system_u:object_r:squid_cache_t:s0
-/var/spool/squid(/.*)?		system_u:object_r:squid_cache_t:s0
-/var/log/squid(/.*)?		system_u:object_r:squid_log_t:s0
-/etc/squid(/.*)?		system_u:object_r:squid_conf_t:s0
-/var/run/squid\.pid	--	system_u:object_r:squid_var_run_t:s0
-/usr/share/squid(/.*)?		system_u:object_r:squid_conf_t:s0
-ifdef(`httpd.te', `
-/usr/lib/squid/cachemgr.cgi	-- system_u:object_r:httpd_exec_t:s0
-')
diff --git a/targeted/file_contexts/program/ssh-agent.fc b/targeted/file_contexts/program/ssh-agent.fc
deleted file mode 100644
index 512eb47..0000000
--- a/targeted/file_contexts/program/ssh-agent.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# ssh-agent
-/usr/bin/ssh-agent	--	system_u:object_r:ssh_agent_exec_t
diff --git a/targeted/file_contexts/program/ssh.fc b/targeted/file_contexts/program/ssh.fc
deleted file mode 100644
index 4ccba2e..0000000
--- a/targeted/file_contexts/program/ssh.fc
+++ /dev/null
@@ -1,21 +0,0 @@
-# ssh
-/usr/bin/ssh		--	system_u:object_r:ssh_exec_t:s0
-/usr/libexec/openssh/ssh-keysign -- system_u:object_r:ssh_keysign_exec_t:s0
-/usr/bin/ssh-keygen	--	system_u:object_r:ssh_keygen_exec_t:s0
-# sshd
-/etc/ssh/primes		--	system_u:object_r:sshd_key_t:s0
-/etc/ssh/ssh_host_key 	--	system_u:object_r:sshd_key_t:s0
-/etc/ssh/ssh_host_dsa_key --	system_u:object_r:sshd_key_t:s0
-/etc/ssh/ssh_host_rsa_key --	system_u:object_r:sshd_key_t:s0
-/usr/sbin/sshd	        --	system_u:object_r:sshd_exec_t:s0
-/var/run/sshd\.init\.pid	--	system_u:object_r:sshd_var_run_t:s0
-# subsystems
-/usr/lib(64)?/misc/sftp-server --	system_u:object_r:bin_t:s0
-/usr/libexec/openssh/sftp-server -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/sftp-server	--	system_u:object_r:bin_t:s0
-ifdef(`distro_suse', `
-/usr/lib(64)?/ssh/.*	--	system_u:object_r:bin_t:s0
-')
-ifdef(`targeted_policy', `', `
-HOME_DIR/\.ssh(/.*)?		system_u:object_r:ROLE_home_ssh_t:s0
-')
diff --git a/targeted/file_contexts/program/stunnel.fc b/targeted/file_contexts/program/stunnel.fc
deleted file mode 100644
index 2f0798c..0000000
--- a/targeted/file_contexts/program/stunnel.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-/usr/sbin/stunnel	--	system_u:object_r:stunnel_exec_t:s0
-/etc/stunnel(/.*)?          	system_u:object_r:stunnel_etc_t:s0
-/var/run/stunnel(/.*)?		system_u:object_r:stunnel_var_run_t:s0
diff --git a/targeted/file_contexts/program/su.fc b/targeted/file_contexts/program/su.fc
deleted file mode 100644
index 8712b4b..0000000
--- a/targeted/file_contexts/program/su.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# su
-/bin/su			--	system_u:object_r:su_exec_t:s0
diff --git a/targeted/file_contexts/program/sudo.fc b/targeted/file_contexts/program/sudo.fc
deleted file mode 100644
index d733894..0000000
--- a/targeted/file_contexts/program/sudo.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# sudo
-/usr/bin/sudo(edit)?	--	system_u:object_r:sudo_exec_t
-
diff --git a/targeted/file_contexts/program/sulogin.fc b/targeted/file_contexts/program/sulogin.fc
deleted file mode 100644
index eb719dc..0000000
--- a/targeted/file_contexts/program/sulogin.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# sulogin
-/sbin/sulogin		--	system_u:object_r:sulogin_exec_t
diff --git a/targeted/file_contexts/program/swat.fc b/targeted/file_contexts/program/swat.fc
deleted file mode 100644
index 721c229..0000000
--- a/targeted/file_contexts/program/swat.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# samba management tool
-/usr/sbin/swat	--	system_u:object_r:swat_exec_t
diff --git a/targeted/file_contexts/program/sxid.fc b/targeted/file_contexts/program/sxid.fc
deleted file mode 100644
index e9126bc..0000000
--- a/targeted/file_contexts/program/sxid.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# sxid - ldap server
-/usr/bin/sxid		--	system_u:object_r:sxid_exec_t
-/var/log/sxid\.log.*	--	system_u:object_r:sxid_log_t
-/var/log/setuid\.today.* --	system_u:object_r:sxid_log_t
-/usr/sbin/checksecurity\.se --	system_u:object_r:sxid_exec_t
-/var/log/setuid.*	--	system_u:object_r:sxid_log_t
diff --git a/targeted/file_contexts/program/syslogd.fc b/targeted/file_contexts/program/syslogd.fc
deleted file mode 100644
index d0fb0a4..0000000
--- a/targeted/file_contexts/program/syslogd.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-# syslogd
-/sbin/syslogd		--	system_u:object_r:syslogd_exec_t:s0
-/sbin/minilogd		--	system_u:object_r:syslogd_exec_t:s0
-/usr/sbin/syslogd	--	system_u:object_r:syslogd_exec_t:s0
-/sbin/syslog-ng		--	system_u:object_r:syslogd_exec_t:s0
-/dev/log		-s	system_u:object_r:devlog_t:s0
-/var/run/log		-s	system_u:object_r:devlog_t:s0
-ifdef(`distro_suse', `
-/var/lib/stunnel/dev/log	-s	system_u:object_r:devlog_t:s0
-')
-/var/run/syslogd\.pid	--	system_u:object_r:syslogd_var_run_t:s0
diff --git a/targeted/file_contexts/program/sysstat.fc b/targeted/file_contexts/program/sysstat.fc
deleted file mode 100644
index 2637b68..0000000
--- a/targeted/file_contexts/program/sysstat.fc
+++ /dev/null
@@ -1,7 +0,0 @@
-# sysstat and other sar programs
-/usr/lib(64)?/atsar/atsa.*	--	system_u:object_r:sysstat_exec_t
-/usr/lib(64)?/sysstat/sa.*	--	system_u:object_r:sysstat_exec_t
-/usr/lib(64)?/sa/sadc	--	system_u:object_r:sysstat_exec_t
-/var/log/atsar(/.*)?		system_u:object_r:sysstat_log_t
-/var/log/sysstat(/.*)?		system_u:object_r:sysstat_log_t
-/var/log/sa(/.*)?		system_u:object_r:sysstat_log_t
diff --git a/targeted/file_contexts/program/tcpd.fc b/targeted/file_contexts/program/tcpd.fc
deleted file mode 100644
index 2e84aa8..0000000
--- a/targeted/file_contexts/program/tcpd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# tcpd
-/usr/sbin/tcpd		--	system_u:object_r:tcpd_exec_t
diff --git a/targeted/file_contexts/program/telnetd.fc b/targeted/file_contexts/program/telnetd.fc
deleted file mode 100644
index 15587a2..0000000
--- a/targeted/file_contexts/program/telnetd.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# telnetd
-/usr/sbin/in\.telnetd	--	system_u:object_r:telnetd_exec_t:s0
-/usr/kerberos/sbin/telnetd --	system_u:object_r:telnetd_exec_t:s0
diff --git a/targeted/file_contexts/program/tftpd.fc b/targeted/file_contexts/program/tftpd.fc
deleted file mode 100644
index 1e503b9..0000000
--- a/targeted/file_contexts/program/tftpd.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# tftpd
-/usr/sbin/in\.tftpd	--	system_u:object_r:tftpd_exec_t:s0
-/usr/sbin/atftpd	--	system_u:object_r:tftpd_exec_t:s0
-/tftpboot(/.*)?			system_u:object_r:tftpdir_t:s0
diff --git a/targeted/file_contexts/program/thunderbird.fc b/targeted/file_contexts/program/thunderbird.fc
deleted file mode 100644
index ca37346..0000000
--- a/targeted/file_contexts/program/thunderbird.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/usr/bin/thunderbird.*			--	system_u:object_r:thunderbird_exec_t
-HOME_DIR/\.thunderbird(/.*)?			system_u:object_r:ROLE_thunderbird_home_t
diff --git a/targeted/file_contexts/program/timidity.fc b/targeted/file_contexts/program/timidity.fc
deleted file mode 100644
index 2b44dce..0000000
--- a/targeted/file_contexts/program/timidity.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# timidity
-/usr/bin/timidity	--	system_u:object_r:timidity_exec_t
diff --git a/targeted/file_contexts/program/tinydns.fc b/targeted/file_contexts/program/tinydns.fc
deleted file mode 100644
index 10ea1a3..0000000
--- a/targeted/file_contexts/program/tinydns.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# tinydns
-/etc/tinydns(/.*)?		system_u:object_r:tinydns_conf_t
-/etc/tinydns/root/data* --      system_u:object_r:tinydns_zone_t
-/usr/bin/tinydns*	--	system_u:object_r:tinydns_exec_t
-#/var/log/dns/tinydns(/.*)	system_u:object_r:tinydns_log_t
-#/var/lib/svscan(/.*)		system_u:object_r:tinydns_svscan_t
diff --git a/targeted/file_contexts/program/tmpreaper.fc b/targeted/file_contexts/program/tmpreaper.fc
deleted file mode 100644
index d8ed96e..0000000
--- a/targeted/file_contexts/program/tmpreaper.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# tmpreaper or tmpwatch
-/usr/sbin/tmpreaper	--	system_u:object_r:tmpreaper_exec_t
-/usr/sbin/tmpwatch	--	system_u:object_r:tmpreaper_exec_t
diff --git a/targeted/file_contexts/program/traceroute.fc b/targeted/file_contexts/program/traceroute.fc
deleted file mode 100644
index 66a6c5f..0000000
--- a/targeted/file_contexts/program/traceroute.fc
+++ /dev/null
@@ -1,6 +0,0 @@
-# traceroute
-/bin/traceroute.*	--	system_u:object_r:traceroute_exec_t
-/bin/tracepath.*	--	system_u:object_r:traceroute_exec_t
-/usr/(s)?bin/traceroute.* --	system_u:object_r:traceroute_exec_t
-/usr/bin/lft		--	system_u:object_r:traceroute_exec_t
-/usr/bin/nmap		--	system_u:object_r:traceroute_exec_t
diff --git a/targeted/file_contexts/program/transproxy.fc b/targeted/file_contexts/program/transproxy.fc
deleted file mode 100644
index 2027eea..0000000
--- a/targeted/file_contexts/program/transproxy.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# transproxy - http transperant proxy
-/usr/sbin/tproxy	--	system_u:object_r:transproxy_exec_t
-/var/run/tproxy\.pid	--	system_u:object_r:transproxy_var_run_t
diff --git a/targeted/file_contexts/program/tripwire.fc b/targeted/file_contexts/program/tripwire.fc
deleted file mode 100644
index 88afc34..0000000
--- a/targeted/file_contexts/program/tripwire.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-# tripwire
-/etc/tripwire(/.*)?			system_u:object_r:tripwire_etc_t
-/usr/sbin/siggen			system_u:object_r:siggen_exec_t
-/usr/sbin/tripwire			system_u:object_r:tripwire_exec_t
-/usr/sbin/tripwire-setup-keyfiles	system_u:object_r:bin_t
-/usr/sbin/twadmin			system_u:object_r:twadmin_exec_t
-/usr/sbin/twprint			system_u:object_r:twprint_exec_t
-/var/lib/tripwire(/.*)?			system_u:object_r:tripwire_var_lib_t
-/var/lib/tripwire/report(/.*)?		system_u:object_r:tripwire_report_t
diff --git a/targeted/file_contexts/program/tvtime.fc b/targeted/file_contexts/program/tvtime.fc
deleted file mode 100644
index 0969e96..0000000
--- a/targeted/file_contexts/program/tvtime.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# tvtime
-/usr/bin/tvtime		--	system_u:object_r:tvtime_exec_t
-
diff --git a/targeted/file_contexts/program/ucspi-tcp.fc b/targeted/file_contexts/program/ucspi-tcp.fc
deleted file mode 100644
index 448c1ab..0000000
--- a/targeted/file_contexts/program/ucspi-tcp.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-#ucspi-tcp
-/usr/bin/tcpserver	--	system_u:object_r:utcpserver_exec_t
-/usr/bin/rblsmtpd	--	system_u:object_r:rblsmtpd_exec_t
diff --git a/targeted/file_contexts/program/udev.fc b/targeted/file_contexts/program/udev.fc
deleted file mode 100644
index 0df162f..0000000
--- a/targeted/file_contexts/program/udev.fc
+++ /dev/null
@@ -1,14 +0,0 @@
-# udev
-/sbin/udevsend	--	system_u:object_r:udev_exec_t:s0
-/sbin/udev	--	system_u:object_r:udev_exec_t:s0
-/sbin/udevd	--	system_u:object_r:udev_exec_t:s0
-/sbin/start_udev --	system_u:object_r:udev_exec_t:s0
-/sbin/udevstart  --	system_u:object_r:udev_exec_t:s0
-/usr/bin/udevinfo --	system_u:object_r:udev_exec_t:s0
-/etc/dev\.d/.+	--	system_u:object_r:udev_helper_exec_t:s0
-/etc/udev/scripts/.+	-- system_u:object_r:udev_helper_exec_t:s0
-/etc/udev/devices/.*    system_u:object_r:device_t:s0
-/etc/hotplug\.d/default/udev.* -- system_u:object_r:udev_helper_exec_t:s0
-/dev/udev\.tbl	--	system_u:object_r:udev_tbl_t:s0
-/dev/\.udevdb(/.*)?	--	system_u:object_r:udev_tdb_t:s0
-/sbin/wait_for_sysfs -- system_u:object_r:udev_exec_t:s0
diff --git a/targeted/file_contexts/program/uml.fc b/targeted/file_contexts/program/uml.fc
deleted file mode 100644
index dc1621d..0000000
--- a/targeted/file_contexts/program/uml.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# User Mode Linux
-/usr/bin/uml_switch	--	system_u:object_r:uml_switch_exec_t
-/var/run/uml-utilities(/.*)?	system_u:object_r:uml_switch_var_run_t
-HOME_DIR/\.uml(/.*)?		system_u:object_r:ROLE_uml_rw_t
diff --git a/targeted/file_contexts/program/uml_net.fc b/targeted/file_contexts/program/uml_net.fc
deleted file mode 100644
index 67aa1f2..0000000
--- a/targeted/file_contexts/program/uml_net.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# User Mode Linux
-# WARNING: Do not install this file on any machine that has hostile users.
-/usr/lib(64)?/uml/uml_net	--	system_u:object_r:uml_net_exec_t
diff --git a/targeted/file_contexts/program/unconfined.fc b/targeted/file_contexts/program/unconfined.fc
deleted file mode 100644
index c3a6c12..0000000
--- a/targeted/file_contexts/program/unconfined.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# Add programs here which should not be confined by SELinux
-# e.g.:
-# /usr/local/bin/appsrv	--	system_u:object_r:unconfined_exec_t
diff --git a/targeted/file_contexts/program/updfstab.fc b/targeted/file_contexts/program/updfstab.fc
deleted file mode 100644
index f6ac1d9..0000000
--- a/targeted/file_contexts/program/updfstab.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# updfstab
-/usr/sbin/updfstab	--	system_u:object_r:updfstab_exec_t:s0
-/usr/sbin/fstab-sync	--	system_u:object_r:updfstab_exec_t:s0
diff --git a/targeted/file_contexts/program/uptimed.fc b/targeted/file_contexts/program/uptimed.fc
deleted file mode 100644
index f80ccb4..0000000
--- a/targeted/file_contexts/program/uptimed.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# uptimed
-/etc/uptimed\.conf	--	system_u:object_r:uptimed_etc_t
-/usr/sbin/uptimed	--	system_u:object_r:uptimed_exec_t
-/var/spool/uptimed(/.*)?        system_u:object_r:uptimed_spool_t
diff --git a/targeted/file_contexts/program/usbmodules.fc b/targeted/file_contexts/program/usbmodules.fc
deleted file mode 100644
index 52e03a4..0000000
--- a/targeted/file_contexts/program/usbmodules.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-# usbmodules
-/usr/sbin/usbmodules	--	system_u:object_r:usbmodules_exec_t
-/sbin/usbmodules	--	system_u:object_r:usbmodules_exec_t
diff --git a/targeted/file_contexts/program/useradd.fc b/targeted/file_contexts/program/useradd.fc
deleted file mode 100644
index b29351b..0000000
--- a/targeted/file_contexts/program/useradd.fc
+++ /dev/null
@@ -1,10 +0,0 @@
-#useradd
-/usr/sbin/usermod	--	system_u:object_r:useradd_exec_t
-/usr/sbin/useradd	--	system_u:object_r:useradd_exec_t
-/usr/sbin/userdel	--	system_u:object_r:useradd_exec_t
-#groupadd
-/usr/sbin/groupmod	--	system_u:object_r:groupadd_exec_t
-/usr/sbin/groupadd	--	system_u:object_r:groupadd_exec_t
-/usr/sbin/groupdel	--	system_u:object_r:groupadd_exec_t
-/usr/bin/gpasswd	--	system_u:object_r:groupadd_exec_t
-/usr/sbin/gpasswd	--	system_u:object_r:groupadd_exec_t
diff --git a/targeted/file_contexts/program/userhelper.fc b/targeted/file_contexts/program/userhelper.fc
deleted file mode 100644
index 8623456..0000000
--- a/targeted/file_contexts/program/userhelper.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-/etc/security/console.apps(/.*)?	system_u:object_r:userhelper_conf_t
-/usr/sbin/userhelper		--	system_u:object_r:userhelper_exec_t
diff --git a/targeted/file_contexts/program/usernetctl.fc b/targeted/file_contexts/program/usernetctl.fc
deleted file mode 100644
index b9ef00f..0000000
--- a/targeted/file_contexts/program/usernetctl.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# usernetctl
-/usr/sbin/usernetctl --	system_u:object_r:usernetctl_exec_t
diff --git a/targeted/file_contexts/program/utempter.fc b/targeted/file_contexts/program/utempter.fc
deleted file mode 100644
index 4e6670a..0000000
--- a/targeted/file_contexts/program/utempter.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# utempter
-/usr/sbin/utempter	--	system_u:object_r:utempter_exec_t
diff --git a/targeted/file_contexts/program/uucpd.fc b/targeted/file_contexts/program/uucpd.fc
deleted file mode 100644
index a359cc3..0000000
--- a/targeted/file_contexts/program/uucpd.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# uucico program
-/usr/sbin/uucico	--	system_u:object_r:uucpd_exec_t:s0
-/var/spool/uucp(/.*)?		system_u:object_r:uucpd_spool_t:s0
-/var/spool/uucppublic(/.*)?	system_u:object_r:uucpd_spool_t:s0
-/var/log/uucp(/.*)?		system_u:object_r:uucpd_log_t:s0
diff --git a/targeted/file_contexts/program/uwimapd.fc b/targeted/file_contexts/program/uwimapd.fc
deleted file mode 100644
index 00f9073..0000000
--- a/targeted/file_contexts/program/uwimapd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# uw-imapd and uw-imapd-ssl
-/usr/sbin/imapd		-- system_u:object_r:imapd_exec_t
diff --git a/targeted/file_contexts/program/vmware.fc b/targeted/file_contexts/program/vmware.fc
deleted file mode 100644
index d015988..0000000
--- a/targeted/file_contexts/program/vmware.fc
+++ /dev/null
@@ -1,42 +0,0 @@
-#
-# File contexts for VMWare.
-# Contributed by Mark Westerman (mark.westerman@westcam.com)
-# Changes made by NAI Labs.
-# Tested with VMWare 3.1
-#
-/usr/bin/vmnet-bridge	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-dhcpd	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-natd	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-netifup	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmnet-sniffer	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmware-nmbd	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmware-ping	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmware-smbd	--	system_u:object_r:vmware_exec_t
-/usr/bin/vmware-smbpasswd --	system_u:object_r:vmware_exec_t
-/usr/bin/vmware-smbpasswd\.bin -- system_u:object_r:vmware_exec_t
-/usr/bin/vmware-wizard	--	system_u:object_r:vmware_user_exec_t
-/usr/bin/vmware		--	system_u:object_r:vmware_user_exec_t
-
-/dev/vmmon		-c	system_u:object_r:vmware_device_t
-/dev/vmnet.*		-c	system_u:object_r:vmware_device_t
-/dev/plex86		-c	system_u:object_r:vmware_device_t
-
-/etc/vmware.*(/.*)?		system_u:object_r:vmware_sys_conf_t
-/usr/lib(64)?/vmware/config	--	system_u:object_r:vmware_sys_conf_t
-
-/usr/lib(64)?/vmware/bin/vmware-mks -- system_u:object_r:vmware_user_exec_t
-/usr/lib(64)?/vmware/bin/vmware-ui -- system_u:object_r:vmware_user_exec_t
-
-#
-# This is only an example of how to protect vmware session configuration
-# files.  A general user can execute vmware and start a vmware session
-# but the user can not modify the session configuration information
-#/usr/local/vmware(/.*)?	system_u:object_r:vmware_user_file_t
-#/usr/local/vmware/[^/]*/.*\.cfg -- system_u:object_r:vmware_user_conf_t
-
-# The rules below assume that the user VMWare virtual disks are in the
-# ~/vmware, and the preferences and license files are in ~/.vmware.
-#
-HOME_DIR/\.vmware(/.*)?	system_u:object_r:ROLE_vmware_file_t
-HOME_DIR/vmware(/.*)?	system_u:object_r:ROLE_vmware_file_t
-HOME_DIR/\.vmware[^/]*/.*\.cfg	--	system_u:object_r:ROLE_vmware_conf_t
diff --git a/targeted/file_contexts/program/vpnc.fc b/targeted/file_contexts/program/vpnc.fc
deleted file mode 100644
index afaea76..0000000
--- a/targeted/file_contexts/program/vpnc.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# vpnc
-/usr/sbin/vpnc		--	system_u:object_r:vpnc_exec_t
-/sbin/vpnc		--	system_u:object_r:vpnc_exec_t
-/etc/vpnc/vpnc-script	--	system_u:object_r:bin_t
diff --git a/targeted/file_contexts/program/watchdog.fc b/targeted/file_contexts/program/watchdog.fc
deleted file mode 100644
index d7a8c7f..0000000
--- a/targeted/file_contexts/program/watchdog.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# watchdog
-/usr/sbin/watchdog	--	system_u:object_r:watchdog_exec_t
-/dev/watchdog		-c	system_u:object_r:watchdog_device_t
-/var/log/watchdog(/.*)?		system_u:object_r:watchdog_log_t
-/var/run/watchdog\.pid	--	system_u:object_r:watchdog_var_run_t
diff --git a/targeted/file_contexts/program/webalizer.fc b/targeted/file_contexts/program/webalizer.fc
deleted file mode 100644
index 7244932..0000000
--- a/targeted/file_contexts/program/webalizer.fc
+++ /dev/null
@@ -1,3 +0,0 @@
-#
-/usr/bin/webalizer	--	system_u:object_r:webalizer_exec_t:s0
-/var/lib/webalizer(/.*)		system_u:object_r:webalizer_var_lib_t:s0
diff --git a/targeted/file_contexts/program/winbind.fc b/targeted/file_contexts/program/winbind.fc
deleted file mode 100644
index b1d9d57..0000000
--- a/targeted/file_contexts/program/winbind.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-/usr/sbin/winbindd	--	system_u:object_r:winbind_exec_t:s0
-/var/run/winbindd(/.*)?		system_u:object_r:winbind_var_run_t:s0
-ifdef(`samba.te', `', `
-/var/log/samba(/.*)?		system_u:object_r:samba_log_t:s0
-/etc/samba(/.*)?		system_u:object_r:samba_etc_t:s0
-/etc/samba/secrets\.tdb	--	system_u:object_r:samba_secrets_t:s0
-/etc/samba/MACHINE\.SID	--	system_u:object_r:samba_secrets_t:s0
-/var/cache/samba(/.*)?		system_u:object_r:samba_var_t:s0
-')
-/var/cache/samba/winbindd_privileged(/.*)?	system_u:object_r:winbind_var_run_t:s0
-/usr/bin/ntlm_auth --	system_u:object_r:winbind_helper_exec_t:s0
diff --git a/targeted/file_contexts/program/xauth.fc b/targeted/file_contexts/program/xauth.fc
deleted file mode 100644
index 055fc2f..0000000
--- a/targeted/file_contexts/program/xauth.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# xauth
-/usr/X11R6/bin/xauth	--	system_u:object_r:xauth_exec_t
-HOME_DIR/\.xauth.*	--	system_u:object_r:ROLE_xauth_home_t
-HOME_DIR/\.Xauthority.* --	system_u:object_r:ROLE_xauth_home_t
diff --git a/targeted/file_contexts/program/xdm.fc b/targeted/file_contexts/program/xdm.fc
deleted file mode 100644
index 267e1e0..0000000
--- a/targeted/file_contexts/program/xdm.fc
+++ /dev/null
@@ -1,40 +0,0 @@
-# X Display Manager
-/usr/bin/[xgkw]dm	--	system_u:object_r:xdm_exec_t:s0
-/usr/X11R6/bin/[xgkw]dm	--	system_u:object_r:xdm_exec_t:s0
-/opt/kde3/bin/kdm	--	system_u:object_r:xdm_exec_t:s0
-/usr/bin/gpe-dm		--	system_u:object_r:xdm_exec_t:s0
-/usr/(s)?bin/gdm-binary	--	system_u:object_r:xdm_exec_t:s0
-/var/[xgk]dm(/.*)?		system_u:object_r:xserver_log_t:s0
-/usr/var/[xgkw]dm(/.*)?		system_u:object_r:xserver_log_t:s0
-/var/log/[kw]dm\.log	--	system_u:object_r:xserver_log_t:s0
-/var/log/gdm(/.*)?		system_u:object_r:xserver_log_t:s0
-/tmp/\.X0-lock		--	system_u:object_r:xdm_xserver_tmp_t:s0
-/etc/X11/Xsession[^/]*	--	system_u:object_r:xsession_exec_t:s0
-/etc/X11/wdm(/.*)?		system_u:object_r:xdm_rw_etc_t:s0
-/etc/X11/wdm/Xsetup.*	--	system_u:object_r:xsession_exec_t:s0
-/etc/X11/wdm/Xstartup.*	--	system_u:object_r:xsession_exec_t:s0
-/etc/X11/[wx]dm/Xreset.*	--	system_u:object_r:xsession_exec_t:s0
-/etc/X11/[wx]dm/Xsession	--	system_u:object_r:xsession_exec_t:s0
-/etc/kde/kdm/Xsession	--	system_u:object_r:xsession_exec_t:s0
-/var/run/xdmctl(/.*)?		system_u:object_r:xdm_var_run_t:s0
-/var/run/xdm\.pid	--	system_u:object_r:xdm_var_run_t:s0
-/var/lib/[xkw]dm(/.*)?		system_u:object_r:xdm_var_lib_t:s0
-ifdef(`distro_suse', `
-/var/lib/pam_devperm/:0	--	system_u:object_r:xdm_var_lib_t:s0
-')
-
-#
-# Additional Xsession scripts
-#
-/etc/X11/xdm/GiveConsole	--	system_u:object_r:bin_t:s0
-/etc/X11/xdm/TakeConsole	--	system_u:object_r:bin_t:s0
-/etc/X11/xdm/Xsetup_0		--	system_u:object_r:bin_t:s0
-/etc/X11/xinit(/.*)?			system_u:object_r:bin_t:s0
-#
-# Rules for kde login
-#
-/etc/kde3?/kdm/Xstartup   --		system_u:object_r:xsession_exec_t:s0
-/etc/kde3?/kdm/Xreset     --		system_u:object_r:xsession_exec_t:s0
-/etc/kde3?/kdm/Xsession		--	system_u:object_r:xsession_exec_t:s0
-/etc/kde3?/kdm/backgroundrc	system_u:object_r:xdm_var_run_t:s0
-/usr/lib(64)?/qt-.*/etc/settings(/.*)?	system_u:object_r:xdm_var_run_t:s0
diff --git a/targeted/file_contexts/program/xfs.fc b/targeted/file_contexts/program/xfs.fc
deleted file mode 100644
index 9edae3f..0000000
--- a/targeted/file_contexts/program/xfs.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# xfs
-/tmp/\.font-unix(/.*)?		system_u:object_r:xfs_tmp_t
-/usr/X11R6/bin/xfs	--	system_u:object_r:xfs_exec_t
-/usr/X11R6/bin/xfs-xtt	--	system_u:object_r:xfs_exec_t
-/usr/bin/xfstt		--	system_u:object_r:xfs_exec_t
diff --git a/targeted/file_contexts/program/xprint.fc b/targeted/file_contexts/program/xprint.fc
deleted file mode 100644
index 3c72a77..0000000
--- a/targeted/file_contexts/program/xprint.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/Xprt	--	system_u:object_r:xprint_exec_t
diff --git a/targeted/file_contexts/program/xserver.fc b/targeted/file_contexts/program/xserver.fc
deleted file mode 100644
index 3d48a6f..0000000
--- a/targeted/file_contexts/program/xserver.fc
+++ /dev/null
@@ -1,17 +0,0 @@
-# X server
-/usr/X11R6/bin/Xwrapper	--	system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/X	--	system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/XFree86	--	system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/Xorg	--	system_u:object_r:xserver_exec_t
-/usr/X11R6/bin/Xipaq	--	system_u:object_r:xserver_exec_t
-/var/lib/xkb(/.*)?		system_u:object_r:xkb_var_lib_t
-/usr/X11R6/lib/X11/xkb	-d	system_u:object_r:xkb_var_lib_t
-/usr/X11R6/lib/X11/xkb/.* --	system_u:object_r:xkb_var_lib_t
-/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- system_u:object_r:bin_t
-/var/log/XFree86.*	--	system_u:object_r:xserver_log_t
-/var/log/Xorg.*		--	system_u:object_r:xserver_log_t
-/etc/init\.d/xfree86-common --	system_u:object_r:xserver_exec_t
-/tmp/\.X11-unix		-d	system_u:object_r:xdm_tmp_t
-/tmp/\.X11-unix/.*	-s	<<none>>
-/tmp/\.ICE-unix		-d	system_u:object_r:ice_tmp_t
-/tmp/\.ICE-unix/.*	-s	<<none>>
diff --git a/targeted/file_contexts/program/yam.fc b/targeted/file_contexts/program/yam.fc
deleted file mode 100644
index 023b740..0000000
--- a/targeted/file_contexts/program/yam.fc
+++ /dev/null
@@ -1,5 +0,0 @@
-# yam
-/etc/yam.conf		--	system_u:object_r:yam_etc_t
-/usr/bin/yam			system_u:object_r:yam_exec_t
-/var/yam(/.*)?			system_u:object_r:yam_content_t
-/var/www/yam(/.*)?		system_u:object_r:yam_content_t
diff --git a/targeted/file_contexts/program/ypbind.fc b/targeted/file_contexts/program/ypbind.fc
deleted file mode 100644
index f9f6ff8..0000000
--- a/targeted/file_contexts/program/ypbind.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# ypbind
-/sbin/ypbind		--	system_u:object_r:ypbind_exec_t:s0
diff --git a/targeted/file_contexts/program/yppasswdd.fc b/targeted/file_contexts/program/yppasswdd.fc
deleted file mode 100644
index e390bd8..0000000
--- a/targeted/file_contexts/program/yppasswdd.fc
+++ /dev/null
@@ -1,2 +0,0 @@
-# yppasswd
-/usr/sbin/rpc.yppasswdd		--	system_u:object_r:yppasswdd_exec_t
diff --git a/targeted/file_contexts/program/ypserv.fc b/targeted/file_contexts/program/ypserv.fc
deleted file mode 100644
index 023746f..0000000
--- a/targeted/file_contexts/program/ypserv.fc
+++ /dev/null
@@ -1,4 +0,0 @@
-# ypserv
-/usr/sbin/ypserv		--	system_u:object_r:ypserv_exec_t:s0
-/usr/lib/yp/.+			--	system_u:object_r:bin_t:s0
-/etc/ypserv\.conf		--	system_u:object_r:ypserv_conf_t:s0
diff --git a/targeted/file_contexts/program/zebra.fc b/targeted/file_contexts/program/zebra.fc
deleted file mode 100644
index 328f987..0000000
--- a/targeted/file_contexts/program/zebra.fc
+++ /dev/null
@@ -1,13 +0,0 @@
-# Zebra - BGP daemon
-/usr/sbin/zebra		--	system_u:object_r:zebra_exec_t:s0
-/usr/sbin/bgpd		--	system_u:object_r:zebra_exec_t:s0
-/var/log/zebra(/.*)?		system_u:object_r:zebra_log_t:s0
-/etc/zebra(/.*)?		system_u:object_r:zebra_conf_t:s0
-/var/run/\.zserv	-s	system_u:object_r:zebra_var_run_t:s0
-/var/run/\.zebra	-s	system_u:object_r:zebra_var_run_t:s0
-# Quagga
-/usr/sbin/rip.*  	--	system_u:object_r:zebra_exec_t:s0
-/usr/sbin/ospf.*  	--	system_u:object_r:zebra_exec_t:s0
-/etc/quagga(/.*)?		system_u:object_r:zebra_conf_t:s0
-/var/log/quagga(/.*)?		system_u:object_r:zebra_log_t:s0
-/var/run/quagga(/.*)?		system_u:object_r:zebra_var_run_t:s0
diff --git a/targeted/file_contexts/types.fc b/targeted/file_contexts/types.fc
deleted file mode 100644
index 4b36106..0000000
--- a/targeted/file_contexts/types.fc
+++ /dev/null
@@ -1,517 +0,0 @@
-#
-# This file describes the security contexts to be applied to files
-# when the security policy is installed.  The setfiles program
-# reads this file and labels files accordingly.
-#
-# Each specification has the form:
-#       regexp [ -type ] ( context | <<none>> )
-#
-# By default, the regexp is an anchored match on both ends (i.e. a 
-# caret (^) is prepended and a dollar sign ($) is appended automatically).
-# This default may be overridden by using .* at the beginning and/or
-# end of the regular expression.  
-#
-# The optional type field specifies the file type as shown in the mode
-# field by ls, e.g. use -d to match only directories or -- to match only
-# regular files.
-#
-# The value of <<none> may be used to indicate that matching files
-# should not be relabeled.
-#
-# The last matching specification is used.
-#
-# If there are multiple hard links to a file that match
-# different specifications and those specifications indicate
-# different security contexts, then a warning is displayed
-# but the file is still labeled based on the last matching
-# specification other than <<none>>.
-#
-# Some of the files listed here get re-created during boot and therefore
-# need type transition rules to retain the correct type. These files are
-# listed here anyway so that if the setfiles program is used on a running
-# system it does not relabel them to something we do not want. An example of
-# this is /var/run/utmp.
-#
-
-#
-# The security context for all files not otherwise specified.
-#
-/.*				system_u:object_r:default_t:s0
-
-#
-# The root directory.
-#
-/			-d	system_u:object_r:root_t:s0
-
-#
-# Ordinary user home directories.
-# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
-# HOME_DIR expands to each users home directory,
-#                  and to HOME_ROOT/[^/]+ for each HOME_ROOT.
-# ROLE expands to each users role when role != user_r, and to "user" otherwise.
-#
-HOME_ROOT		-d	system_u:object_r:home_root_t:s0
-HOME_DIR		-d	system_u:object_r:ROLE_home_dir_t:s0
-HOME_DIR/.+			system_u:object_r:ROLE_home_t:s0
-
-/root/\.default_contexts	-- 	system_u:object_r:default_context_t:s0
-
-#
-# Mount points; do not relabel subdirectories, since
-# we do not want to change any removable media by default.
-/mnt(/[^/]*)?		-d	system_u:object_r:mnt_t:s0
-/mnt/[^/]*/.*			<<none>>
-/media(/[^/]*)?		-d	system_u:object_r:mnt_t:s0
-/media/[^/]*/.*			<<none>>
-
-#
-# /var
-#
-/var(/.*)?			system_u:object_r:var_t:s0
-/var/cache/man(/.*)?		system_u:object_r:man_t:s0
-/var/yp(/.*)?			system_u:object_r:var_yp_t:s0
-/var/lib(/.*)?			system_u:object_r:var_lib_t:s0
-/var/lib/nfs(/.*)?		system_u:object_r:var_lib_nfs_t:s0
-/var/lib/texmf(/.*)?		system_u:object_r:tetex_data_t:s0
-/var/cache/fonts(/.*)?		system_u:object_r:tetex_data_t:s0
-/var/lock(/.*)?			system_u:object_r:var_lock_t:s0
-/var/tmp		-d	system_u:object_r:tmp_t:s0
-/var/tmp/.*			<<none>>
-/var/tmp/vi\.recover	-d	system_u:object_r:tmp_t:s0
-/var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
-/var/mailman/bin(/.*)?		system_u:object_r:bin_t:s0
-/var/mailman/pythonlib(/.*)?/.*\.so(\..*)?	-- system_u:object_r:shlib_t:s0
-
-#
-# /var/ftp
-#
-/var/ftp/bin(/.*)?		system_u:object_r:bin_t:s0
-/var/ftp/bin/ls		--	system_u:object_r:ls_exec_t:s0
-/var/ftp/lib(64)?(/.*)?		system_u:object_r:lib_t:s0
-/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* --	system_u:object_r:ld_so_t:s0
-/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t:s0
-/var/ftp/etc(/.*)?		system_u:object_r:etc_t:s0
-
-#
-# /bin
-#
-/bin(/.*)?			system_u:object_r:bin_t:s0
-/bin/tcsh		--	system_u:object_r:shell_exec_t:s0
-/bin/bash		--	system_u:object_r:shell_exec_t:s0
-/bin/bash2		--	system_u:object_r:shell_exec_t:s0
-/bin/sash		--	system_u:object_r:shell_exec_t:s0
-/bin/d?ash		--	system_u:object_r:shell_exec_t:s0
-/bin/zsh.*		--	system_u:object_r:shell_exec_t:s0
-/usr/sbin/sesh		--	system_u:object_r:shell_exec_t:s0
-/bin/ls			--	system_u:object_r:ls_exec_t:s0
-
-#
-# /boot
-#
-/boot(/.*)?			system_u:object_r:boot_t:s0
-/boot/System\.map(-.*)?		system_u:object_r:system_map_t:s0
-
-#
-# /dev
-#
-/dev(/.*)?			system_u:object_r:device_t:s0
-/dev/pts(/.*)?		<<none>>
-/dev/cpu/.*		-c	system_u:object_r:cpu_device_t:s0
-/dev/microcode	-c	system_u:object_r:cpu_device_t:s0
-/dev/MAKEDEV		--	system_u:object_r:sbin_t:s0
-/dev/null		-c	system_u:object_r:null_device_t:s0
-/dev/full		-c	system_u:object_r:null_device_t:s0
-/dev/zero		-c	system_u:object_r:zero_device_t:s0
-/dev/console		-c	system_u:object_r:console_device_t:s0
-/dev/xconsole		-p	system_u:object_r:xconsole_device_t:s0
-/dev/(kmem|mem|port)	-c	system_u:object_r:memory_device_t:s0
-/dev/nvram		-c	system_u:object_r:memory_device_t:s0
-/dev/random		-c	system_u:object_r:random_device_t:s0
-/dev/urandom		-c	system_u:object_r:urandom_device_t:s0
-/dev/adb.*		-c	system_u:object_r:tty_device_t:s0
-/dev/capi.*		-c	system_u:object_r:tty_device_t:s0
-/dev/dcbri[0-9]+	-c	system_u:object_r:tty_device_t:s0
-/dev/irlpt[0-9]+	-c	system_u:object_r:printer_device_t:s0
-/dev/ircomm[0-9]+	-c	system_u:object_r:tty_device_t:s0
-/dev/rfcomm[0-9]+	-c	system_u:object_r:tty_device_t:s0
-/dev/isdn.*		-c	system_u:object_r:tty_device_t:s0
-/dev/.*tty[^/]*	-c	system_u:object_r:tty_device_t:s0
-/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f]	-c system_u:object_r:bsdpty_device_t:s0
-/dev/cu.*		-c	system_u:object_r:tty_device_t:s0
-/dev/vcs[^/]*		-c	system_u:object_r:tty_device_t:s0
-/dev/ip2[^/]*		-c	system_u:object_r:tty_device_t:s0
-/dev/hvc.*		-c	system_u:object_r:tty_device_t:s0
-/dev/hvsi.*		-c	system_u:object_r:tty_device_t:s0
-/dev/ttySG.*		-c	system_u:object_r:tty_device_t:s0
-/dev/tty		-c	system_u:object_r:devtty_t:s0
-/dev/lp.*		-c	system_u:object_r:printer_device_t:s0
-/dev/par.*		-c	system_u:object_r:printer_device_t:s0
-/dev/usb/lp.*		-c	system_u:object_r:printer_device_t:s0
-/dev/usblp.*		-c	system_u:object_r:printer_device_t:s0
-ifdef(`distro_redhat', `
-/dev/root		-b	system_u:object_r:fixed_disk_device_t:s0
-')
-/dev/[shmx]d[^/]*	-b	system_u:object_r:fixed_disk_device_t:s0
-/dev/dm-[0-9]+	-b	system_u:object_r:fixed_disk_device_t:s0
-/dev/sg[0-9]+		-c	system_u:object_r:scsi_generic_device_t:s0
-/dev/rd.*		-b	system_u:object_r:fixed_disk_device_t:s0
-/dev/i2o/hd[^/]*	-b	system_u:object_r:fixed_disk_device_t:s0
-/dev/ubd[^/]*		-b	system_u:object_r:fixed_disk_device_t:s0
-/dev/cciss/[^/]*	-b	system_u:object_r:fixed_disk_device_t:s0
-/dev/mapper/.*		-b	system_u:object_r:fixed_disk_device_t:s0
-/dev/ida/[^/]*	-b	system_u:object_r:fixed_disk_device_t:s0
-/dev/dasd[^/]*	-b	system_u:object_r:fixed_disk_device_t:s0
-/dev/flash[^/]*	-b	system_u:object_r:fixed_disk_device_t:s0
-/dev/nb[^/]+		-b	system_u:object_r:fixed_disk_device_t:s0
-/dev/ataraid/.*	-b	system_u:object_r:fixed_disk_device_t:s0
-/dev/loop.*		-b	system_u:object_r:fixed_disk_device_t:s0
-/dev/net/.*		-c	system_u:object_r:tun_tap_device_t:s0
-/dev/ram.*		-b	system_u:object_r:fixed_disk_device_t:s0
-/dev/rawctl		-c	system_u:object_r:fixed_disk_device_t:s0
-/dev/raw/raw[0-9]+	-c	system_u:object_r:fixed_disk_device_t:s0
-/dev/scramdisk/.*	-b	system_u:object_r:fixed_disk_device_t:s0
-/dev/initrd		-b	system_u:object_r:fixed_disk_device_t:s0
-/dev/jsfd		-b	system_u:object_r:fixed_disk_device_t:s0
-/dev/js.*		-c	system_u:object_r:mouse_device_t:s0
-/dev/jsflash		-c	system_u:object_r:fixed_disk_device_t:s0
-/dev/s(cd|r)[^/]*	-b	system_u:object_r:removable_device_t:s0
-/dev/usb/rio500	-c	system_u:object_r:removable_device_t:s0
-/dev/fd[^/]+		-b	system_u:object_r:removable_device_t:s0
-# I think a parallel port disk is a removable device...
-/dev/pd[a-d][^/]*	-b	system_u:object_r:removable_device_t:s0
-/dev/p[fg][0-3]	-b	system_u:object_r:removable_device_t:s0
-/dev/aztcd		-b	system_u:object_r:removable_device_t:s0
-/dev/bpcd		-b	system_u:object_r:removable_device_t:s0
-/dev/gscd		-b	system_u:object_r:removable_device_t:s0
-/dev/hitcd		-b	system_u:object_r:removable_device_t:s0
-/dev/pcd[0-3]		-b	system_u:object_r:removable_device_t:s0
-/dev/mcdx?		-b	system_u:object_r:removable_device_t:s0
-/dev/cdu.*		-b	system_u:object_r:removable_device_t:s0
-/dev/cm20.*		-b	system_u:object_r:removable_device_t:s0
-/dev/optcd		-b	system_u:object_r:removable_device_t:s0
-/dev/sbpcd.*		-b	system_u:object_r:removable_device_t:s0
-/dev/sjcd		-b	system_u:object_r:removable_device_t:s0
-/dev/sonycd		-b	system_u:object_r:removable_device_t:s0
-# parallel port ATAPI generic device
-/dev/pg[0-3]		-c	system_u:object_r:removable_device_t:s0
-/dev/rtc		-c	system_u:object_r:clock_device_t:s0
-/dev/psaux		-c	system_u:object_r:mouse_device_t:s0
-/dev/atibm		-c	system_u:object_r:mouse_device_t:s0
-/dev/logibm		-c	system_u:object_r:mouse_device_t:s0
-/dev/.*mouse.*	-c	system_u:object_r:mouse_device_t:s0
-/dev/input/.*mouse.*	-c	system_u:object_r:mouse_device_t:s0
-/dev/input/event.*	-c	system_u:object_r:event_device_t:s0
-/dev/input/mice	-c	system_u:object_r:mouse_device_t:s0
-/dev/input/js.*	-c	system_u:object_r:mouse_device_t:s0
-/dev/ptmx		-c	system_u:object_r:ptmx_t:s0
-/dev/sequencer	-c	system_u:object_r:misc_device_t:s0
-/dev/fb[0-9]*		-c	system_u:object_r:framebuf_device_t:s0
-/dev/apm_bios		-c	system_u:object_r:apm_bios_t:s0
-/dev/cpu/mtrr		-c	system_u:object_r:mtrr_device_t:s0
-/dev/pmu		-c	system_u:object_r:power_device_t:s0
-/dev/(radio|video|vbi|vtx).* -c	system_u:object_r:v4l_device_t:s0
-/dev/winradio.	-c	system_u:object_r:v4l_device_t:s0
-/dev/vttuner		-c	system_u:object_r:v4l_device_t:s0
-/dev/tlk[0-3]		-c	system_u:object_r:v4l_device_t:s0
-/dev/adsp		-c	system_u:object_r:sound_device_t:s0
-/dev/mixer.*		-c	system_u:object_r:sound_device_t:s0
-/dev/dsp.*		-c	system_u:object_r:sound_device_t:s0
-/dev/audio.*		-c	system_u:object_r:sound_device_t:s0
-/dev/r?midi.*		-c	system_u:object_r:sound_device_t:s0
-/dev/sequencer2	-c	system_u:object_r:sound_device_t:s0
-/dev/smpte.*		-c	system_u:object_r:sound_device_t:s0
-/dev/sndstat		-c	system_u:object_r:sound_device_t:s0
-/dev/beep		-c	system_u:object_r:sound_device_t:s0
-/dev/patmgr[01]	-c	system_u:object_r:sound_device_t:s0
-/dev/mpu401.*		-c	system_u:object_r:sound_device_t:s0
-/dev/srnd[0-7]	-c	system_u:object_r:sound_device_t:s0
-/dev/aload.*		-c	system_u:object_r:sound_device_t:s0
-/dev/amidi.*		-c	system_u:object_r:sound_device_t:s0
-/dev/amixer.*		-c	system_u:object_r:sound_device_t:s0
-/dev/snd/.*		-c	system_u:object_r:sound_device_t:s0
-/dev/n?[hs]t[0-9].*	-c	system_u:object_r:tape_device_t:s0
-/dev/n?(raw)?[qr]ft[0-3] -c	system_u:object_r:tape_device_t:s0
-/dev/n?z?qft[0-3]	-c	system_u:object_r:tape_device_t:s0
-/dev/n?tpqic[12].*	-c	system_u:object_r:tape_device_t:s0
-/dev/ht[0-1]		-b	system_u:object_r:tape_device_t:s0
-/dev/n?osst[0-3].*	-c	system_u:object_r:tape_device_t:s0
-/dev/n?pt[0-9]+	-c	system_u:object_r:tape_device_t:s0
-/dev/tape.*		-c	system_u:object_r:tape_device_t:s0
-ifdef(`distro_suse', `
-/dev/usbscanner	-c	system_u:object_r:scanner_device_t:s0
-')
-/dev/usb/scanner.*	-c	system_u:object_r:scanner_device_t:s0
-/dev/usb/dc2xx.*	-c	system_u:object_r:scanner_device_t:s0
-/dev/usb/mdc800.*	-c	system_u:object_r:scanner_device_t:s0
-/dev/usb/tty.*	-c	system_u:object_r:usbtty_device_t:s0
-/dev/mmetfgrab	-c	system_u:object_r:scanner_device_t:s0
-/dev/nvidia.*		-c	system_u:object_r:xserver_misc_device_t:s0
-/dev/dri/.+		-c	system_u:object_r:dri_device_t:s0
-/dev/radeon		-c	system_u:object_r:dri_device_t:s0
-/dev/agpgart		-c	system_u:object_r:agp_device_t:s0
-/dev/z90crypt		-c	system_u:object_r:crypt_device_t:s0
-
-#
-# Misc
-#
-/proc(/.*)?			<<none>>
-/sys(/.*)?			<<none>>
-/selinux(/.*)?			<<none>>
-
-#
-# /opt
-#
-/opt(/.*)?			system_u:object_r:usr_t:s0
-/opt(/.*)?/lib(64)?(/.*)?				system_u:object_r:lib_t:s0
-/opt(/.*)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t:s0
-/opt(/.*)?/libexec(/.*)?	system_u:object_r:bin_t:s0
-/opt(/.*)?/bin(/.*)?		system_u:object_r:bin_t:s0
-/opt(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t:s0
-/opt(/.*)?/man(/.*)?		system_u:object_r:man_t:s0
-/opt(/.*)?/var/lib(64)?(/.*)?		system_u:object_r:var_lib_t:s0
-
-#
-# /etc
-#
-/etc(/.*)?			system_u:object_r:etc_t:s0
-/var/db/.*\.db		--	system_u:object_r:etc_t:s0
-/etc/\.pwd\.lock	--	system_u:object_r:shadow_t:s0
-/etc/passwd\.lock	--	system_u:object_r:shadow_t:s0
-/etc/group\.lock	--	system_u:object_r:shadow_t:s0
-/etc/shadow.*		--	system_u:object_r:shadow_t:s0
-/etc/gshadow.*		--	system_u:object_r:shadow_t:s0
-/var/db/shadow.*	--	system_u:object_r:shadow_t:s0
-/etc/blkid\.tab.*	--	system_u:object_r:etc_runtime_t:s0
-/etc/fstab\.REVOKE	--	system_u:object_r:etc_runtime_t:s0
-/etc/\.fstab\.hal\..+	--	system_u:object_r:etc_runtime_t:s0
-/etc/HOSTNAME		--	system_u:object_r:etc_runtime_t:s0
-/etc/ioctl\.save	--	system_u:object_r:etc_runtime_t:s0
-/etc/mtab		--	system_u:object_r:etc_runtime_t:s0
-/etc/motd		--	system_u:object_r:etc_runtime_t:s0
-/etc/issue		--	system_u:object_r:etc_runtime_t:s0
-/etc/issue\.net		--	system_u:object_r:etc_runtime_t:s0
-/etc/sysconfig/hwconf	--	system_u:object_r:etc_runtime_t:s0
-/etc/sysconfig/iptables\.save -- system_u:object_r:etc_runtime_t:s0
-/etc/sysconfig/firstboot --	system_u:object_r:etc_runtime_t:s0
-/etc/asound\.state	--	system_u:object_r:etc_runtime_t:s0
-/etc/ptal/ptal-printd-like -- 	system_u:object_r:etc_runtime_t:s0
-ifdef(`distro_gentoo', `
-/etc/profile\.env	--	system_u:object_r:etc_runtime_t:s0
-/etc/csh\.env		--	system_u:object_r:etc_runtime_t:s0
-/etc/env\.d/.*		--	system_u:object_r:etc_runtime_t:s0
-')
-/etc/ld\.so\.cache	--	system_u:object_r:ld_so_cache_t:s0
-/etc/ld\.so\.preload	--	system_u:object_r:ld_so_cache_t:s0
-/etc/yp\.conf.*		--	system_u:object_r:net_conf_t:s0
-/etc/resolv\.conf.*	--	system_u:object_r:net_conf_t:s0
-
-/etc/selinux(/.*)?		system_u:object_r:selinux_config_t:s0
-/etc/selinux/([^/]*/)?policy(/.*)?	system_u:object_r:policy_config_t:s0
-/etc/selinux/([^/]*/)?src(/.*)?	system_u:object_r:policy_src_t:s0
-/etc/selinux/([^/]*/)?contexts(/.*)?	system_u:object_r:default_context_t:s0
-/etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t:s0
-
-
-#
-# /lib(64)?
-#
-/lib(64)?(/.*)?					system_u:object_r:lib_t:s0
-/lib(64)?/.*\.so(\.[^/]*)*		--	system_u:object_r:shlib_t:s0
-/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t:s0
-
-#
-# /sbin
-#
-/sbin(/.*)?			system_u:object_r:sbin_t:s0
-
-#
-# /tmp
-#
-/tmp			-d	system_u:object_r:tmp_t:s0
-/tmp/.*				<<none>>
-
-#
-# /usr
-#
-/usr(/.*)?			system_u:object_r:usr_t:s0
-/usr(/.*)?/lib(64)?(/.*)?	system_u:object_r:lib_t:s0
-/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t:s0
-/usr/lib/win32/.*	--	system_u:object_r:shlib_t:s0
-/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t:s0
-/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t:s0
-/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t:s0
-/usr(/.*)?/bin(/.*)?		system_u:object_r:bin_t:s0
-/usr(/.*)?/Bin(/.*)?		system_u:object_r:bin_t:s0
-/usr(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t:s0
-/usr/etc(/.*)?			system_u:object_r:etc_t:s0
-/usr/inclu.e(/.*)?		system_u:object_r:usr_t:s0
-/usr/libexec(/.*)?		system_u:object_r:bin_t:s0
-/usr/src(/.*)?			system_u:object_r:src_t:s0
-/usr/tmp		-d	system_u:object_r:tmp_t:s0
-/usr/tmp/.*			<<none>>
-/usr/man(/.*)?			system_u:object_r:man_t:s0
-/usr/share/man(/.*)?		system_u:object_r:man_t:s0
-/usr/share/mc/extfs/.*	--	system_u:object_r:bin_t:s0
-/usr/share(/.*)?/lib(64)?(/.*)?	system_u:object_r:usr_t:s0
-/usr/share/ssl/certs(/.*)?	system_u:object_r:cert_t:s0
-/usr/share/ssl/private(/.*)?	system_u:object_r:cert_t:s0
-
-# nvidia share libraries
-/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/nvidia/.*\.so(\..*)?	-- system_u:object_r:texrel_shlib_t:s0
-/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t:s0
-/usr/X11R6/lib/libXvMCNVIDIA\.so.* 	-- system_u:object_r:texrel_shlib_t:s0
-
-# libGL
-/usr/X11R6/lib/libGL\.so.* 	-- system_u:object_r:texrel_shlib_t:s0
-
-ifdef(`distro_debian', `
-/usr/share/selinux(/.*)?	system_u:object_r:policy_src_t:s0
-')
-ifdef(`distro_gentoo', `
-/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	system_u:object_r:bin_t:s0
-')
-
-#
-# /usr/lib(64)?
-#
-/usr/lib(64)?/perl5/man(/.*)?	system_u:object_r:man_t:s0
-/usr/lib(64)?/selinux(/.*)?		system_u:object_r:policy_src_t:s0
-/usr/lib(64)?/emacsen-common/.*	system_u:object_r:bin_t:s0
-
-#
-# /usr/local
-#
-/usr/local/etc(/.*)?		system_u:object_r:etc_t:s0
-/usr/local/src(/.*)?		system_u:object_r:src_t:s0
-/usr/local/man(/.*)?		system_u:object_r:man_t:s0
-/usr/local/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t:s0
-/usr/(local/)?lib/wine/.*\.so   --	system_u:object_r:texrel_shlib_t:s0
-/usr/(local/)?lib/libfame-.*\.so.*    --	system_u:object_r:texrel_shlib_t:s0
-
-
-#
-# /usr/X11R6/man
-#
-/usr/X11R6/man(/.*)?		system_u:object_r:man_t:s0
-
-#
-# Fonts dir
-#
-/usr/X11R6/lib/X11/fonts(/.*)?		system_u:object_r:fonts_t:s0
-ifdef(`distro_debian', `
-/var/lib/msttcorefonts(/.*)?		system_u:object_r:fonts_t:s0
-')
-/usr/share/fonts(/.*)?			system_u:object_r:fonts_t:s0
-/usr/share/ghostscript/fonts(/.*)?	system_u:object_r:fonts_t:s0
-/usr/local/share/fonts(/.*)?		system_u:object_r:fonts_t:s0
-
-#
-# /var/run
-#
-/var/run(/.*)?			system_u:object_r:var_run_t:s0
-/var/run/.*\.*pid		<<none>>
-
-#
-# /var/spool
-#
-/var/spool(/.*)?		system_u:object_r:var_spool_t:s0
-/var/spool/texmf(/.*)?		system_u:object_r:tetex_data_t:s0
-/var/spool/(client)?mqueue(/.*)?	system_u:object_r:mqueue_spool_t:s0
-
-# 
-# /var/log
-#
-/var/log(/.*)?			system_u:object_r:var_log_t:s0
-/var/log/wtmp.*		--	system_u:object_r:wtmp_t:s0
-/var/log/btmp.*		--	system_u:object_r:faillog_t:s0
-/var/log/faillog	--	system_u:object_r:faillog_t:s0
-/var/log/ksyms.*	--	system_u:object_r:var_log_ksyms_t:s0
-/var/log/dmesg		--	system_u:object_r:var_log_t:s0
-/var/log/lastlog	--	system_u:object_r:lastlog_t:s0
-/var/log/ksymoops(/.*)?		system_u:object_r:var_log_ksyms_t:s0
-/var/log/syslog		--	system_u:object_r:var_log_t:s0
-
-#
-# Journal files
-#
-/\.journal			<<none>>
-/usr/\.journal			<<none>>
-/boot/\.journal			<<none>>
-HOME_ROOT/\.journal		<<none>>
-/var/\.journal			<<none>>
-/tmp/\.journal			<<none>>
-/usr/local/\.journal		<<none>>
-
-#
-# Lost and found directories.
-#
-/lost\+found		-d	system_u:object_r:lost_found_t:s0
-/lost\+found/.*			<<none>>
-/usr/lost\+found	-d	system_u:object_r:lost_found_t:s0
-/usr/lost\+found/.*		<<none>>
-/boot/lost\+found	-d	system_u:object_r:lost_found_t:s0
-/boot/lost\+found/.*		<<none>>
-HOME_ROOT/lost\+found	-d	system_u:object_r:lost_found_t:s0
-HOME_ROOT/lost\+found/.*	<<none>>
-/var/lost\+found	-d	system_u:object_r:lost_found_t:s0
-/var/lost\+found/.*		<<none>>
-/tmp/lost\+found	-d	system_u:object_r:lost_found_t:s0
-/tmp/lost\+found/.*		<<none>>
-/var/tmp/lost\+found	-d	system_u:object_r:lost_found_t:s0
-/var/tmp/lost\+found/.*		<<none>>
-/usr/local/lost\+found	-d	system_u:object_r:lost_found_t:s0
-/usr/local/lost\+found/.*	<<none>>
-
-#
-# system localization
-#
-/usr/share/zoneinfo(/.*)?	system_u:object_r:locale_t:s0
-/usr/share/locale(/.*)?		system_u:object_r:locale_t:s0
-/usr/lib/locale(/.*)?		system_u:object_r:locale_t:s0
-/etc/localtime		--	system_u:object_r:locale_t:s0
-/etc/localtime		-l	system_u:object_r:etc_t:s0
-/etc/pki(/.*)?				system_u:object_r:cert_t:s0
-
-#
-# Gnu Cash
-#
-/usr/share/gnucash/finance-quote-check -- system_u:object_r:bin_t:s0
-/usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t:s0
-
-#
-# Turboprint
-#
-/usr/share/turboprint/lib(/.*)? 	--     system_u:object_r:bin_t:s0
-/usr/share/hwdata(/.*)? 	        system_u:object_r:hwdata_t:s0
-
-#
-# initrd mount point, only used during boot
-#
-/initrd			-d	system_u:object_r:root_t:s0
-
-#
-#  The krb5.conf file is always being tested for writability, so
-#  we defined a type to dontaudit
-#
-/etc/krb5\.conf		--	system_u:object_r:krb5_conf_t:s0
-
-#
-# Thunderbird
-#
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird --      system_u:object_r:bin_t:s0
-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t:s0
-/usr/lib(64)?/[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t:s0
-
-#
-# /srv
-#
-/srv(/.*)?			system_u:object_r:var_t:s0
-
-/etc/sysconfig/network-scripts/ifup-.* 		-- system_u:object_r:bin_t:s0
-/etc/sysconfig/network-scripts/ifdown-.* 	-- system_u:object_r:bin_t:s0
diff --git a/targeted/flask/Makefile b/targeted/flask/Makefile
deleted file mode 100644
index 970b9fe..0000000
--- a/targeted/flask/Makefile
+++ /dev/null
@@ -1,41 +0,0 @@
-# flask needs to know where to export the libselinux headers.
-LIBSEL ?= ../../libselinux
-
-# flask needs to know where to export the kernel headers.
-LINUXDIR ?= ../../../linux-2.6
-
-AWK = awk
-
-CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
-          else if [ -x /bin/bash ]; then echo /bin/bash; \
-          else echo sh; fi ; fi)
-
-FLASK_H_DEPEND = security_classes initial_sids
-AV_H_DEPEND = access_vectors
-
-FLASK_H_FILES = class_to_string.h flask.h initial_sid_to_string.h
-AV_H_FILES = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h
-ALL_H_FILES = $(FLASK_H_FILES) $(AV_H_FILES)
-
-all:  $(ALL_H_FILES)
-
-$(FLASK_H_FILES): $(FLASK_H_DEPEND)
-	$(CONFIG_SHELL) mkflask.sh $(AWK) $(FLASK_H_DEPEND)
-
-$(AV_H_FILES): $(AV_H_DEPEND)
-	$(CONFIG_SHELL) mkaccess_vector.sh $(AWK) $(AV_H_DEPEND)
-
-tolib: all
-	install -m 644 flask.h av_permissions.h $(LIBSEL)/include/selinux
-	install -m 644 class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h $(LIBSEL)/src
-
-tokern: all
-	install -m 644 $(ALL_H_FILES) $(LINUXDIR)/security/selinux/include
-
-install: all
-
-relabel:
-
-clean:  
-	rm -f $(FLASK_H_FILES)
-	rm -f $(AV_H_FILES)
diff --git a/targeted/flask/access_vectors b/targeted/flask/access_vectors
deleted file mode 100644
index dc20463..0000000
--- a/targeted/flask/access_vectors
+++ /dev/null
@@ -1,608 +0,0 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
-	ioctl
-	read
-	write
-	create
-	getattr
-	setattr
-	lock
-	relabelfrom
-	relabelto
-	append
-	unlink
-	link
-	rename
-	execute
-	swapon
-	quotaon
-	mounton
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
-	ioctl
-	read
-	write
-	create
-	getattr
-	setattr
-	lock
-	relabelfrom
-	relabelto
-	append
-# socket-specific
-	bind
-	connect
-	listen
-	accept
-	getopt
-	setopt
-	shutdown
-	recvfrom
-	sendto
-	recv_msg
-	send_msg
-	name_bind
-}	
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
-	create
-	destroy
-	getattr
-	setattr
-	read
-	write
-	associate
-	unix_read
-	unix_write
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
-	mount
-	remount
-	unmount
-	getattr
-	relabelfrom
-	relabelto
-	transition
-	associate
-	quotamod
-	quotaget
-}
-
-class dir
-inherits file
-{
-	add_name
-	remove_name
-	reparent
-	search
-	rmdir
-}
-
-class file
-inherits file
-{
-	execute_no_trans
-	entrypoint
-	execmod
-}
-
-class lnk_file
-inherits file
-
-class chr_file
-inherits file
-{
-	execute_no_trans
-	entrypoint
-	execmod
-}
-
-class blk_file
-inherits file
-
-class sock_file
-inherits file
-
-class fifo_file
-inherits file
-
-class fd
-{
-	use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
-	connectto
-	newconn
-	acceptfrom
-	node_bind
-	name_connect
-}
-
-class udp_socket
-inherits socket
-{
-	node_bind
-}
-
-class rawip_socket
-inherits socket
-{
-	node_bind
-}
-
-class node 
-{
-	tcp_recv
-	tcp_send
-	udp_recv
-	udp_send
-	rawip_recv
-	rawip_send
-	enforce_dest
-}
-
-class netif
-{
-	tcp_recv
-	tcp_send
-	udp_recv
-	udp_send
-	rawip_recv
-	rawip_send
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
-	connectto
-	newconn
-	acceptfrom
-}
-
-class unix_dgram_socket
-inherits socket
-
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
-	fork
-	transition
-	sigchld # commonly granted from child to parent
-	sigkill # cannot be caught or ignored
-	sigstop # cannot be caught or ignored
-	signull # for kill(pid, 0)
-	signal  # all other signals
-	ptrace
-	getsched
-	setsched
-	getsession
-	getpgid
-	setpgid
-	getcap
-	setcap
-	share
-	getattr
-	setexec
-	setfscreate
-	noatsecure
-	siginh
-	setrlimit
-	rlimitinh
-	dyntransition
-	setcurrent
-	execmem
-	execstack
-	execheap
-}
-
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
-	enqueue
-}
-
-class msg
-{
-	send
-	receive
-}
-
-class shm
-inherits ipc
-{
-	lock
-}
-
-
-#
-# Define the access vector interpretation for the security server. 
-#
-
-class security
-{
-	compute_av
-	compute_create
-	compute_member
-	check_context
-	load_policy
-	compute_relabel
-	compute_user
-	setenforce     # was avc_toggle in system class
-	setbool
-	setsecparam
-	setcheckreqprot
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
-	ipc_info
-	syslog_read  
-	syslog_mod
-	syslog_console
-}
-
-#
-# Define the access vector interpretation for controling capabilies
-#
-
-class capability
-{
-	# The capabilities are defined in include/linux/capability.h
-	# Care should be taken to ensure that these are consistent with
-	# those definitions. (Order matters)
-
-	chown           
-	dac_override    
-	dac_read_search 
-	fowner          
-	fsetid          
-	kill            
-	setgid           
-	setuid           
-	setpcap          
-	linux_immutable  
-	net_bind_service 
-	net_broadcast    
-	net_admin        
-	net_raw          
-	ipc_lock         
-	ipc_owner        
-	sys_module       
-	sys_rawio        
-	sys_chroot       
-	sys_ptrace       
-	sys_pacct        
-	sys_admin        
-	sys_boot         
-	sys_nice         
-	sys_resource     
-	sys_time         
-	sys_tty_config  
-	mknod
-	lease
-	audit_write
-	audit_control
-}
-
-
-#
-# Define the access vector interpretation for controlling
-# changes to passwd information.
-#
-class passwd
-{
-	passwd	# change another user passwd
-	chfn	# change another user finger info
-	chsh	# change another user shell
-	rootok  # pam_rootok check (skip auth)
-	crontab # crontab on another user
-}
-
-#
-# SE-X Windows stuff
-#
-class drawable
-{
-	create
-	destroy
-	draw
-	copy
-	getattr
-}
-
-class gc
-{
-	create
-	free
-	getattr
-	setattr
-}
-
-class window 
-{
-	addchild
-	create
-	destroy
-	map
-	unmap
-	chstack
-	chproplist
-	chprop	
-	listprop
-	getattr
-	setattr
-	setfocus
-	move
-	chselection
-	chparent
-	ctrllife
-	enumerate
-	transparent
-	mousemotion
-	clientcomevent
-	inputevent
-	drawevent
-	windowchangeevent
-	windowchangerequest
-	serverchangeevent
-	extensionevent
-}
-
-class font
-{
-	load
-	free
-	getattr
-	use
-}
-
-class colormap
-{
-	create
-	free
-	install
-	uninstall
-	list
-	read
-	store
-	getattr
-	setattr
-}
-
-class property
-{
-	create
-	free
-	read
-	write
-}
-
-class cursor
-{
-	create
-	createglyph
-	free
-	assign
-	setattr
-}
-
-class xclient
-{
-	kill
-}
-
-class xinput
-{
-	lookup
-	getattr
-	setattr
-	setfocus
-	warppointer
-	activegrab
-	passivegrab
-	ungrab
-	bell
-	mousemotion
-	relabelinput
-}
-
-class xserver
-{
-	screensaver
-	gethostlist
-	sethostlist
-	getfontpath
-	setfontpath
-	getattr
-	grab
-	ungrab
-}
-
-class xextension
-{
-	query
-	use
-}
-
-#
-# Define the access vector interpretation for controlling
-# PaX flags
-#
-class pax
-{
-        pageexec        # Paging based non-executable pages
-        emutramp        # Emulate trampolines
-        mprotect        # Restrict mprotect()
-        randmmap        # Randomize mmap() base
-        randexec        # Randomize ET_EXEC base
-        segmexec        # Segmentation based non-executable pages
-}
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_firewall_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-	nlmsg_relay
-	nlmsg_readpriv
-}
-
-class netlink_ip6fw_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access and communication through the D-BUS messaging
-# system.
-#
-class dbus
-{
-	acquire_svc
-	send_msg
-}
-
-# Define the access vector interpretation for controlling
-# access through the name service cache daemon (nscd).
-#
-class nscd
-{
-	getpwd
-	getgrp
-	gethost
-	getstat
-	admin
-       shmempwd
-       shmemgrp
-       shmemhost
-}
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
-       sendto
-       recvfrom
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
diff --git a/targeted/flask/initial_sids b/targeted/flask/initial_sids
deleted file mode 100644
index 95894eb..0000000
--- a/targeted/flask/initial_sids
+++ /dev/null
@@ -1,35 +0,0 @@
-# FLASK
-
-#
-# Define initial security identifiers 
-#
-
-sid kernel
-sid security
-sid unlabeled
-sid fs
-sid file
-sid file_labels
-sid init
-sid any_socket
-sid port
-sid netif
-sid netmsg
-sid node
-sid igmp_packet
-sid icmp_socket
-sid tcp_socket
-sid sysctl_modprobe
-sid sysctl
-sid sysctl_fs
-sid sysctl_kernel
-sid sysctl_net
-sid sysctl_net_unix
-sid sysctl_vm
-sid sysctl_dev
-sid kmod
-sid policy
-sid scmp_packet
-sid devnull
-
-# FLASK
diff --git a/targeted/flask/mkaccess_vector.sh b/targeted/flask/mkaccess_vector.sh
deleted file mode 100644
index b5da734..0000000
--- a/targeted/flask/mkaccess_vector.sh
+++ /dev/null
@@ -1,227 +0,0 @@
-#!/bin/sh -
-#
-
-# FLASK
-
-set -e
-
-awk=$1
-shift
-
-# output files
-av_permissions="av_permissions.h"
-av_inherit="av_inherit.h"
-common_perm_to_string="common_perm_to_string.h"
-av_perm_to_string="av_perm_to_string.h"
-
-cat $* | $awk "
-BEGIN	{
-		outfile = \"$av_permissions\"
-		inheritfile = \"$av_inherit\"
-		cpermfile = \"$common_perm_to_string\"
-		avpermfile = \"$av_perm_to_string\"
-		"'
-		nextstate = "COMMON_OR_AV";
-		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
-		printf("/* This file is automatically generated.  Do not edit. */\n") > inheritfile;
-		printf("/* This file is automatically generated.  Do not edit. */\n") > cpermfile;
-		printf("/* This file is automatically generated.  Do not edit. */\n") > avpermfile;
-;
-	}
-/^[ \t]*#/	{ 
-			next;
-		}
-$1 == "common"	{ 
-			if (nextstate != "COMMON_OR_AV")
-			{
-				printf("Parse error:  Unexpected COMMON definition on line %d\n", NR);
-				next;	
-			}
-
-			if ($2 in common_defined)
-			{
-				printf("Duplicate COMMON definition for %s on line %d.\n", $2, NR);
-				next;
-			}	
-			common_defined[$2] = 1;
-
-			tclass = $2;
-			common_name = $2; 
-			permission = 1;
-
-			printf("TB_(common_%s_perm_to_string)\n", $2) > cpermfile;
-
-			nextstate = "COMMON-OPENBRACKET";
-			next;
-		}
-$1 == "class"	{
-			if (nextstate != "COMMON_OR_AV" &&
-			    nextstate != "CLASS_OR_CLASS-OPENBRACKET")
-			{
-				printf("Parse error:  Unexpected class definition on line %d\n", NR);
-				next;	
-			}
-
-			tclass = $2;
-
-			if (tclass in av_defined)
-			{
-				printf("Duplicate access vector definition for %s on line %d\n", tclass, NR);
-				next;
-			} 
-			av_defined[tclass] = 1;
-
-			inherits = "";
-			permission = 1;
-
-			nextstate = "INHERITS_OR_CLASS-OPENBRACKET";
-			next;
-		}
-$1 == "inherits" {			
-			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET")
-			{
-				printf("Parse error:  Unexpected INHERITS definition on line %d\n", NR);
-				next;	
-			}
-
-			if (!($2 in common_defined))
-			{
-				printf("COMMON %s is not defined (line %d).\n", $2, NR);
-				next;
-			}
-
-			inherits = $2;
-			permission = common_base[$2];
-
-			for (combined in common_perms)
-			{
-				split(combined,separate, SUBSEP);
-				if (separate[1] == inherits)
-				{
-					inherited_perms[common_perms[combined]] = separate[2];
-				}
-			}
-
-                        j = 1;
-                        for (i in inherited_perms) {
-                            ind[j] = i + 0;
-                            j++;
-                        }
-                        n = asort(ind);
-			for (i = 1; i <= n; i++) {
-				perm = inherited_perms[ind[i]];
-				printf("#define %s__%s", toupper(tclass), toupper(perm)) > outfile; 
-				spaces = 40 - (length(perm) + length(tclass));
-				if (spaces < 1)
-				      spaces = 1;
-				for (j = 0; j < spaces; j++) 
-					printf(" ") > outfile; 
-				printf("0x%08xUL\n", ind[i]) > outfile; 
-			}
-			printf("\n") > outfile;
-                        for (i in ind) delete ind[i];
-                        for (i in inherited_perms) delete inherited_perms[i];
-
-			printf("   S_(SECCLASS_%s, %s, 0x%08xUL)\n", toupper(tclass), inherits, permission) > inheritfile; 
-
-			nextstate = "CLASS_OR_CLASS-OPENBRACKET";
-			next;
-		}
-$1 == "{"	{ 
-			if (nextstate != "INHERITS_OR_CLASS-OPENBRACKET" &&
-			    nextstate != "CLASS_OR_CLASS-OPENBRACKET" &&
-			    nextstate != "COMMON-OPENBRACKET")
-			{
-				printf("Parse error:  Unexpected { on line %d\n", NR);
-				next;
-			}
-
-			if (nextstate == "INHERITS_OR_CLASS-OPENBRACKET")
-				nextstate = "CLASS-CLOSEBRACKET";
-
-			if (nextstate == "CLASS_OR_CLASS-OPENBRACKET")
-				nextstate = "CLASS-CLOSEBRACKET";
-
-			if (nextstate == "COMMON-OPENBRACKET")
-				nextstate = "COMMON-CLOSEBRACKET";
-		}
-/[a-z][a-z_]*/	{
-			if (nextstate != "COMMON-CLOSEBRACKET" &&
-			    nextstate != "CLASS-CLOSEBRACKET")
-			{
-				printf("Parse error:  Unexpected symbol %s on line %d\n", $1, NR);		
-				next;
-			}
-
-			if (nextstate == "COMMON-CLOSEBRACKET")
-			{
-				if ((common_name,$1) in common_perms)
-				{
-					printf("Duplicate permission %s for common %s on line %d.\n", $1, common_name, NR);
-					next;
-				}
-
-				common_perms[common_name,$1] = permission;
-
-				printf("#define COMMON_%s__%s", toupper(common_name), toupper($1)) > outfile; 
-
-				printf("    S_(\"%s\")\n", $1) > cpermfile;
-			}
-			else
-			{
-				if ((tclass,$1) in av_perms)
-				{
-					printf("Duplicate permission %s for %s on line %d.\n", $1, tclass, NR);
-					next;
-				}
-
-				av_perms[tclass,$1] = permission;
-		
-				if (inherits != "")
-				{
-					if ((inherits,$1) in common_perms)
-					{
-						printf("Permission %s in %s on line %d conflicts with common permission.\n", $1, tclass, inherits, NR);
-						next;
-					}
-				}
-
-				printf("#define %s__%s", toupper(tclass), toupper($1)) > outfile; 
-
-				printf("   S_(SECCLASS_%s, %s__%s, \"%s\")\n", toupper(tclass), toupper(tclass), toupper($1), $1) > avpermfile; 
-			}
-
-			spaces = 40 - (length($1) + length(tclass));
-			if (spaces < 1)
-			      spaces = 1;
-
-			for (i = 0; i < spaces; i++) 
-				printf(" ") > outfile; 
-			printf("0x%08xUL\n", permission) > outfile; 
-			permission = permission * 2;
-		}
-$1 == "}"	{
-			if (nextstate != "CLASS-CLOSEBRACKET" && 
-			    nextstate != "COMMON-CLOSEBRACKET")
-			{
-				printf("Parse error:  Unexpected } on line %d\n", NR);
-				next;
-			}
-
-			if (nextstate == "COMMON-CLOSEBRACKET")
-			{
-				common_base[common_name] = permission;
-				printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile; 
-			}
-
-			printf("\n") > outfile;
-
-			nextstate = "COMMON_OR_AV";
-		}
-END	{
-		if (nextstate != "COMMON_OR_AV" && nextstate != "CLASS_OR_CLASS-OPENBRACKET")
-			printf("Parse error:  Unexpected end of file\n");
-
-	}'
-
-# FLASK
diff --git a/targeted/flask/mkflask.sh b/targeted/flask/mkflask.sh
deleted file mode 100644
index 9c84754..0000000
--- a/targeted/flask/mkflask.sh
+++ /dev/null
@@ -1,95 +0,0 @@
-#!/bin/sh -
-#
-
-# FLASK
-
-set -e
-
-awk=$1
-shift 1
-
-# output file
-output_file="flask.h"
-debug_file="class_to_string.h"
-debug_file2="initial_sid_to_string.h"
-
-cat $* | $awk "
-BEGIN	{
-		outfile = \"$output_file\"
-		debugfile = \"$debug_file\"
-		debugfile2 = \"$debug_file2\"
-		"'
-		nextstate = "CLASS";
-
-		printf("/* This file is automatically generated.  Do not edit. */\n") > outfile;
-
-		printf("#ifndef _SELINUX_FLASK_H_\n") > outfile;
-		printf("#define _SELINUX_FLASK_H_\n") > outfile;
-		printf("\n/*\n * Security object class definitions\n */\n") > outfile;
-		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile;
-		printf("/*\n * Security object class definitions\n */\n") > debugfile;
-		printf("    S_(\"null\")\n") > debugfile;
-		printf("/* This file is automatically generated.  Do not edit. */\n") > debugfile2;
-		printf("static char *initial_sid_to_string[] =\n{\n") > debugfile2;
-		printf("    \"null\",\n") > debugfile2;
-	}
-/^[ \t]*#/	{ 
-			next;
-		}
-$1 == "class"	{ 
-			if (nextstate != "CLASS")
-			{
-				printf("Parse error:  Unexpected class definition on line %d\n", NR);
-				next;	
-			}
-
-			if ($2 in class_found)
-			{
-				printf("Duplicate class definition for %s on line %d.\n", $2, NR);
-				next;
-			}	
-			class_found[$2] = 1;
-
-			class_value++;
-
-			printf("#define SECCLASS_%s", toupper($2)) > outfile;
-			for (i = 0; i < 40 - length($2); i++) 
-				printf(" ") > outfile; 
-			printf("%d\n", class_value) > outfile; 
-
-			printf("    S_(\"%s\")\n", $2) > debugfile;
-		}
-$1 == "sid"	{ 
-			if (nextstate == "CLASS")
-			{
-			    nextstate = "SID";
-			    printf("\n/*\n * Security identifier indices for initial entities\n */\n") > outfile;			    
-			}
-
-			if ($2 in sid_found)
-			{
-				printf("Duplicate SID definition for %s on line %d.\n", $2, NR);
-				next;
-			}	
-			sid_found[$2] = 1;
-			sid_value++;
-
-			printf("#define SECINITSID_%s", toupper($2)) > outfile;
-			for (i = 0; i < 37 - length($2); i++) 
-				printf(" ") > outfile; 
-			printf("%d\n", sid_value) > outfile; 
-			printf("    \"%s\",\n", $2) > debugfile2;
-		}
-END	{
-		if (nextstate != "SID")
-			printf("Parse error:  Unexpected end of file\n");
-
-		printf("\n#define SECINITSID_NUM") > outfile;
-		for (i = 0; i < 34; i++) 
-			printf(" ") > outfile; 
-		printf("%d\n", sid_value) > outfile; 
-		printf("\n#endif\n") > outfile;
-		printf("};\n\n") > debugfile2;
-	}'
-
-# FLASK
diff --git a/targeted/flask/security_classes b/targeted/flask/security_classes
deleted file mode 100644
index 2669c30..0000000
--- a/targeted/flask/security_classes
+++ /dev/null
@@ -1,86 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes 
-#
-
-class security
-class process
-class system
-class capability
-
-# file-related classes
-class filesystem
-class file
-class dir
-class fd
-class lnk_file
-class chr_file
-class blk_file
-class sock_file
-class fifo_file
-
-# network-related classes
-class socket
-class tcp_socket
-class udp_socket
-class rawip_socket
-class node
-class netif
-class netlink_socket
-class packet_socket
-class key_socket
-class unix_stream_socket
-class unix_dgram_socket
-
-# sysv-ipc-related classes
-class sem
-class msg
-class msgq
-class shm
-class ipc
-
-#
-# userspace object manager classes
-#
-
-# passwd/chfn/chsh
-class passwd
-
-# SE-X Windows stuff
-class drawable
-class window
-class gc
-class font
-class colormap
-class property
-class cursor
-class xclient
-class xinput
-class xserver
-class xextension
-
-# pax flags
-class pax
-
-# extended netlink sockets
-class netlink_route_socket
-class netlink_firewall_socket
-class netlink_tcpdiag_socket
-class netlink_nflog_socket
-class netlink_xfrm_socket
-class netlink_selinux_socket
-class netlink_audit_socket
-class netlink_ip6fw_socket
-class netlink_dnrt_socket
-
-class dbus
-class nscd
-
-# IPSec association
-class association
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-
-# FLASK
diff --git a/targeted/fs_use b/targeted/fs_use
deleted file mode 100644
index d884039..0000000
--- a/targeted/fs_use
+++ /dev/null
@@ -1,33 +0,0 @@
-#
-# Define the labeling behavior for inodes in particular filesystem types.
-# This information was formerly hardcoded in the SELinux module.
-
-# Use xattrs for the following filesystem types.
-# Requires that a security xattr handler exist for the filesystem.
-fs_use_xattr ext2 system_u:object_r:fs_t:s0;
-fs_use_xattr ext3 system_u:object_r:fs_t:s0;
-fs_use_xattr xfs system_u:object_r:fs_t:s0;
-fs_use_xattr jfs system_u:object_r:fs_t:s0;
-fs_use_xattr reiserfs system_u:object_r:fs_t:s0;
-
-# Use the allocating task SID to label inodes in the following filesystem
-# types, and label the filesystem itself with the specified context.
-# This is appropriate for pseudo filesystems that represent objects
-# like pipes and sockets, so that these objects are labeled with the same
-# type as the creating task.  
-fs_use_task pipefs system_u:object_r:fs_t:s0;
-fs_use_task sockfs system_u:object_r:fs_t:s0;
-
-# Use a transition SID based on the allocating task SID and the
-# filesystem SID to label inodes in the following filesystem types,
-# and label the filesystem itself with the specified context.
-# This is appropriate for pseudo filesystems like devpts and tmpfs
-# where we want to label objects with a derived type.
-fs_use_trans devpts system_u:object_r:devpts_t:s0;
-fs_use_trans tmpfs system_u:object_r:tmpfs_t:s0;
-fs_use_trans shm system_u:object_r:tmpfs_t:s0;
-fs_use_trans mqueue system_u:object_r:tmpfs_t:s0;
-
-# The separate genfs_contexts configuration can be used for filesystem 
-# types that cannot support persistent label mappings or use
-# one of the fixed label schemes specified here.  
diff --git a/targeted/genfs_contexts b/targeted/genfs_contexts
deleted file mode 100644
index b76cd4d..0000000
--- a/targeted/genfs_contexts
+++ /dev/null
@@ -1,108 +0,0 @@
-# FLASK
-
-#
-# Security contexts for files in filesystems that
-# cannot support xattr or use one of the fixed labeling schemes 
-# specified in fs_use.
-#
-# Each specifications has the form:
-# 	genfscon fstype pathname-prefix [ -type ] context
-#
-# The entry with the longest matching pathname prefix is used.
-# / refers to the root directory of the file system, and
-# everything is specified relative to this root directory.
-# If there is no entry with a matching pathname prefix, then 
-# the unlabeled initial SID is used.
-#
-# The optional type field specifies the file type as shown in the mode
-# field by ls, e.g. use -c to match only character device files, -b
-# to match only block device files.
-#
-# Except for proc, in 2.6 other filesystems are limited to a single entry (/)
-# that covers all entries in the filesystem with a default file context.
-# For proc, a pathname can be reliably generated from the proc_dir_entry
-# tree.  The proc /sys entries are used for both proc inodes and for sysctl(2)
-# calls. /proc/PID entries are automatically labeled based on the associated
-# process.
-#
-# Support for other filesystem types requires corresponding code to be
-# added to the kernel, either as an xattr handler in the filesystem 
-# implementation (preferred, and necessary if you want to access the labels
-# from userspace) or as logic in the SELinux module.
-
-# proc (excluding /proc/PID)
-genfscon proc /				system_u:object_r:proc_t:s0
-genfscon proc /kmsg			system_u:object_r:proc_kmsg_t:s0
-genfscon proc /kcore			system_u:object_r:proc_kcore_t:s0
-genfscon proc /mdstat			system_u:object_r:proc_mdstat_t:s0
-genfscon proc /mtrr			system_u:object_r:mtrr_device_t:s0
-genfscon proc /net			system_u:object_r:proc_net_t:s0
-genfscon proc /sysvipc			system_u:object_r:proc_t:s0
-genfscon proc /sys			system_u:object_r:sysctl_t:s0
-genfscon proc /sys/kernel		system_u:object_r:sysctl_kernel_t:s0
-genfscon proc /sys/kernel/modprobe	system_u:object_r:sysctl_modprobe_t:s0
-genfscon proc /sys/kernel/hotplug	system_u:object_r:sysctl_hotplug_t:s0
-genfscon proc /sys/net			system_u:object_r:sysctl_net_t:s0
-genfscon proc /sys/net/unix		system_u:object_r:sysctl_net_unix_t:s0
-genfscon proc /sys/vm			system_u:object_r:sysctl_vm_t:s0
-genfscon proc /sys/dev			system_u:object_r:sysctl_dev_t:s0
-genfscon proc /net/rpc			system_u:object_r:sysctl_rpc_t:s0
-genfscon proc /irq			system_u:object_r:sysctl_irq_t:s0
-
-# rootfs
-genfscon rootfs /			system_u:object_r:root_t:s0
-
-# sysfs
-genfscon sysfs /			system_u:object_r:sysfs_t:s0
-
-# selinuxfs
-genfscon selinuxfs /			system_u:object_r:security_t:s0
-
-# autofs
-genfscon autofs /			system_u:object_r:autofs_t:s0
-genfscon automount /			system_u:object_r:autofs_t:s0
-
-# usbdevfs
-genfscon usbdevfs /			system_u:object_r:usbdevfs_t:s0
-
-# iso9660
-genfscon iso9660 /			system_u:object_r:iso9660_t:s0
-genfscon udf /				system_u:object_r:iso9660_t:s0
-
-# romfs
-genfscon romfs /			system_u:object_r:romfs_t:s0
-genfscon cramfs /			system_u:object_r:romfs_t:s0
-
-# ramfs
-genfscon ramfs /			system_u:object_r:ramfs_t:s0
-
-# vfat, msdos
-genfscon vfat /				system_u:object_r:dosfs_t:s0
-genfscon msdos /			system_u:object_r:dosfs_t:s0
-genfscon fat /				system_u:object_r:dosfs_t:s0
-genfscon ntfs /				system_u:object_r:dosfs_t:s0
-
-# samba
-genfscon cifs /				system_u:object_r:cifs_t:s0
-genfscon smbfs /			system_u:object_r:cifs_t:s0
-
-# nfs
-genfscon nfs /				system_u:object_r:nfs_t:s0
-genfscon nfs4 /				system_u:object_r:nfs_t:s0
-genfscon afs /				system_u:object_r:nfs_t:s0
-
-genfscon debugfs /			system_u:object_r:debugfs_t:s0
-genfscon inotifyfs /			system_u:object_r:inotifyfs_t:s0
-genfscon hugetlbfs /			system_u:object_r:hugetlbfs_t:s0
-genfscon capifs /			system_u:object_r:capifs_t:s0
-genfscon configfs /			system_u:object_r:configfs_t:s0
-
-# needs more work
-genfscon eventpollfs / system_u:object_r:eventpollfs_t:s0
-genfscon futexfs / system_u:object_r:futexfs_t:s0
-genfscon bdev / system_u:object_r:bdev_t:s0
-genfscon usbfs / system_u:object_r:usbfs_t:s0
-genfscon nfsd / system_u:object_r:nfsd_fs_t:s0
-genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t:s0
-genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t:s0
-
diff --git a/targeted/initial_sid_contexts b/targeted/initial_sid_contexts
deleted file mode 100644
index 6653d05..0000000
--- a/targeted/initial_sid_contexts
+++ /dev/null
@@ -1,46 +0,0 @@
-# FLASK
-
-#
-# Define the security context for each initial SID
-# sid sidname   context
-
-sid kernel	system_u:system_r:kernel_t:s0
-sid security	system_u:object_r:security_t:s0
-sid unlabeled	system_u:object_r:unlabeled_t:s0
-sid fs		system_u:object_r:fs_t:s0
-sid file	system_u:object_r:file_t:s0
-# Persistent label mapping is gone.  This initial SID can be removed.
-sid file_labels	system_u:object_r:unlabeled_t:s0
-# init_t:s0 is still used, but an initial SID is no longer required.
-sid init	system_u:object_r:unlabeled_t:s0
-# any_socket is no longer used.
-sid any_socket 	system_u:object_r:unlabeled_t:s0
-sid port	system_u:object_r:port_t:s0
-sid netif	system_u:object_r:netif_t:s0
-# netmsg is no longer used.
-sid netmsg	system_u:object_r:unlabeled_t:s0
-sid node	system_u:object_r:node_t:s0
-# These sockets are now labeled with the kernel SID,
-# and do not require their own initial SIDs.
-sid igmp_packet system_u:object_r:unlabeled_t:s0
-sid icmp_socket system_u:object_r:unlabeled_t:s0
-sid tcp_socket  system_u:object_r:unlabeled_t:s0
-# Most of the sysctl SIDs are now computed at runtime
-# from genfs_contexts, so the corresponding initial SIDs
-# are no longer required.
-sid sysctl_modprobe	system_u:object_r:unlabeled_t:s0
-# But we still need the base sysctl initial SID as a default.
-sid sysctl	system_u:object_r:sysctl_t:s0
-sid sysctl_fs	system_u:object_r:unlabeled_t:s0
-sid sysctl_kernel	system_u:object_r:unlabeled_t:s0
-sid sysctl_net	system_u:object_r:unlabeled_t:s0
-sid sysctl_net_unix	system_u:object_r:unlabeled_t:s0
-sid sysctl_vm	system_u:object_r:unlabeled_t:s0
-sid sysctl_dev	system_u:object_r:unlabeled_t:s0
-# No longer used, can be removed.
-sid kmod	system_u:object_r:unlabeled_t:s0
-sid policy	system_u:object_r:unlabeled_t:s0
-sid scmp_packet	system_u:object_r:unlabeled_t:s0
-sid devnull	system_u:object_r:null_device_t:s0
-
-# FLASK
diff --git a/targeted/local.users b/targeted/local.users
deleted file mode 100644
index 6dd04d6..0000000
--- a/targeted/local.users
+++ /dev/null
@@ -1,21 +0,0 @@
-##################################
-#
-# User configuration.
-#
-# This file defines additional users recognized by the system security policy.
-# Only the user identities defined in this file and the system.users file
-# may be used as the user attribute in a security context.
-#
-# Each user has a set of roles that may be entered by processes
-# with the users identity.  The syntax of a user declaration is:
-#
-# 	user username roles role_set [ level default_level range allowed_range ];
-#
-# The MLS default level and allowed range should only be specified if 
-# MLS was enabled in the policy.
-
-# sample for administrative user
-# user jadmin roles { staff_r sysadm_r system_r };
-
-# sample for regular user
-#user jdoe roles { user_r }; 
diff --git a/targeted/macros/admin_macros.te b/targeted/macros/admin_macros.te
deleted file mode 100644
index aaa816e..0000000
--- a/targeted/macros/admin_macros.te
+++ /dev/null
@@ -1,227 +0,0 @@
-#
-# Macros for all admin domains.
-#
-
-#
-# admin_domain(domain_prefix)
-#
-# Define derived types and rules for an administrator domain.
-#
-# The type declaration and role authorization for the domain must be
-# provided separately.  Likewise, domain transitions into this domain
-# must be specified separately.  If the every_domain() rules are desired,
-# then these rules must also be specified separately.
-#
-undefine(`admin_domain')
-define(`admin_domain',`
-# Type for home directory.
-attribute $1_file_type;
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type;
-type $1_home_t, file_type, sysadmfile, home_type, $1_file_type;
-
-# Type and access for pty devices.
-can_create_pty($1, `, admin_tty_type')
-
-# Transition manually for { lnk sock fifo }. The rest is in content macros.
-tmp_domain_notrans($1, `, $1_file_type')
-file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
-allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
-
-# Type for tty devices.
-type $1_tty_device_t, sysadmfile, ttyfile, dev_fs, admin_tty_type;
-
-# Inherit rules for ordinary users.
-base_user_domain($1)
-access_removable_media($1_t)
-
-allow $1_t self:capability setuid;
-
-ifdef(`su.te', `su_domain($1)')
-ifdef(`userhelper.te', `userhelper_domain($1)')
-ifdef(`sudo.te', `sudo_domain($1)')
-
-# Let admin stat the shadow file.
-allow $1_t shadow_t:file getattr;
-
-ifdef(`crond.te', `
-allow $1_crond_t var_log_t:file r_file_perms;
-')
-
-# Allow system log read
-allow $1_t kernel_t:system syslog_read;
-
-# Allow autrace
-# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv;
-
-# Use capabilities other than sys_module.
-allow $1_t self:capability ~sys_module;
-
-# Use system operations.
-allow $1_t kernel_t:system *;
-
-# Set password information for other users.
-allow $1_t self:passwd { passwd chfn chsh };
-
-# Skip authentication when pam_rootok is specified.
-allow $1_t self:passwd rootok;
-
-# Manipulate other user crontab.
-allow $1_t self:passwd crontab;
-can_getsecurity(sysadm_crontab_t)
-
-# Change system parameters.
-can_sysctl($1_t)
-
-# Create and use all files that have the sysadmfile attribute.
-allow $1_t sysadmfile:{ file sock_file fifo_file } create_file_perms;
-allow $1_t sysadmfile:lnk_file create_lnk_perms;
-allow $1_t sysadmfile:dir create_dir_perms;
-
-# for lsof
-allow $1_t mtrr_device_t:file getattr;
-allow $1_t fs_type:dir getattr;
-
-# Access removable devices.
-allow $1_t removable_device_t:devfile_class_set rw_file_perms;
-
-# Communicate with the init process.
-allow $1_t initctl_t:fifo_file rw_file_perms;
-
-# Examine all processes.
-can_ps($1_t, domain)
-
-# allow renice
-allow $1_t domain:process setsched;
-
-# Send signals to all processes.
-allow $1_t { domain unlabeled_t }:process signal_perms;
-
-# Access all user terminals.
-allow $1_t tty_device_t:chr_file rw_file_perms;
-allow $1_t ttyfile:chr_file rw_file_perms;
-allow $1_t ptyfile:chr_file rw_file_perms;
-allow $1_t serial_device:chr_file setattr;
-
-# allow setting up tunnels
-allow $1_t tun_tap_device_t:chr_file rw_file_perms;
-
-# run ls -l /dev
-allow $1_t device_t:dir r_dir_perms;
-allow $1_t { device_t device_type }:{ chr_file blk_file } getattr;
-allow $1_t ptyfile:chr_file getattr;
-
-# Run programs from staff home directories.
-# Not ideal, but typical if users want to login as both sysadm_t or staff_t.
-can_exec($1_t, staff_home_t)
-
-# Run programs from /usr/src.
-can_exec($1_t, src_t)
-
-# Relabel all files.
-# Actually this will not allow relabeling ALL files unless you change
-# sysadmfile to file_type (and change the assertion in assert.te that
-# only auth_write can relabel shadow_t)
-allow $1_t sysadmfile:dir { getattr read search relabelfrom relabelto };
-allow $1_t sysadmfile:notdevfile_class_set { getattr relabelfrom relabelto };
-
-ifdef(`startx.te', `
-ifdef(`xserver.te', `
-# Create files in /tmp/.X11-unix with our X servers derived
-# tmp type rather than user_xserver_tmp_t.
-file_type_auto_trans($1_xserver_t, xserver_tmpfile, $1_xserver_tmp_t, sock_file)
-')dnl end xserver.te
-')dnl end startx.te
-
-ifdef(`xdm.te', `
-ifdef(`xauth.te', `
-if (xdm_sysadm_login) {
-allow xdm_t $1_home_t:lnk_file read;
-allow xdm_t $1_home_t:dir search;
-}
-can_pipe_xdm($1_t)
-')dnl end ifdef xauth.te
-')dnl end ifdef xdm.te
-
-#
-# A user who is authorized for sysadm_t may nonetheless have
-# a home directory labeled with user_home_t if the user is expected
-# to login in either user_t or sysadm_t.  Hence, the derived domains
-# for programs need to be able to access user_home_t.  
-# 
-
-# Allow our gph domain to write to .xsession-errors.
-ifdef(`gnome-pty-helper.te', `
-allow $1_gph_t user_home_dir_type:dir rw_dir_perms;
-allow $1_gph_t user_home_type:file create_file_perms;
-')
-
-# Allow our crontab domain to unlink a user cron spool file.
-ifdef(`crontab.te',
-`allow $1_crontab_t user_cron_spool_t:file unlink;')
-
-# for the administrator to run TCP servers directly
-can_tcp_connect($1_t, $1_t)
-allow $1_t port_t:tcp_socket name_bind;
-
-# Connect data port to ftpd.
-ifdef(`ftpd.te', `can_tcp_connect(ftpd_t, $1_t)')
-
-# Connect second port to rshd.
-ifdef(`rshd.te', `can_tcp_connect(rshd_t, $1_t)')
-
-#
-# Allow sysadm to execute quota commands against filesystems and files.
-#
-allow $1_t fs_type:filesystem quotamod;
-
-# Grant read and write access to /dev/console.
-allow $1_t console_device_t:chr_file rw_file_perms;
-
-# Allow MAKEDEV to work
-allow $1_t device_t:dir rw_dir_perms;
-allow $1_t device_type:{ blk_file chr_file } { create unlink rename };
-allow $1_t device_t:lnk_file { create read };
-
-# for lsof
-allow $1_t domain:socket_class_set getattr;
-allow $1_t eventpollfs_t:file getattr;
-')
-
-define(`security_manager_domain', `
-
-typeattribute $1 secadmin;
-# Allow administrator domains to set the enforcing flag.
-can_setenforce($1)
-
-# Allow administrator domains to set policy booleans.
-can_setbool($1)
-
-# Get security policy decisions.
-can_getsecurity($1)
-
-# Allow administrator domains to set security parameters
-can_setsecparam($1)
-
-# Run admin programs that require different permissions in their own domain.
-# These rules were moved into the appropriate program domain file.
-
-# added by mayerf@tresys.com
-# The following rules are temporary until such time that a complete
-# policy management infrastructure is in place so that an administrator
-# cannot directly manipulate policy files with arbitrary programs.
-#
-allow $1 secadmfile:file { relabelto relabelfrom create_file_perms };
-allow $1 secadmfile:lnk_file { relabelto relabelfrom create_lnk_perms };
-allow $1 secadmfile:dir { relabelto relabelfrom create_dir_perms };
-
-# Set an exec context, e.g. for runcon.
-can_setexec($1)
-
-# Set a context other than the default one for newly created files.
-can_setfscreate($1)
-
-allow $1 self:netlink_audit_socket nlmsg_readpriv;
-
-')
-
-
diff --git a/targeted/macros/base_user_macros.te b/targeted/macros/base_user_macros.te
deleted file mode 100644
index cecbaf7..0000000
--- a/targeted/macros/base_user_macros.te
+++ /dev/null
@@ -1,397 +0,0 @@
-#
-# Macros for all user login domains.
-#
-
-#
-# base_user_domain(domain_prefix)
-#
-# Define derived types and rules for an ordinary user domain.
-#
-# The type declaration and role authorization for the domain must be
-# provided separately.  Likewise, domain transitions into this domain
-# must be specified separately.  
-#
-
-# base_user_domain() is also called by the admin_domain() macro
-undefine(`base_user_domain')
-define(`base_user_domain', `
-
-# Type for network-obtained content
-type $1_untrusted_content_t, file_type, $1_file_type, sysadmfile, customizable, polymember;
-type $1_untrusted_content_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile, customizable, polymember;
-
-# Allow user to relabel untrusted content
-allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
-allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
-
-# Read content
-read_content($1_t, $1)
-
-# Write trusted content. This includes proper transition
-# for /home, and /tmp, so no other transition is necessary (or allowed)
-write_trusted($1_t, $1)
-
-# Maybe the home directory is networked
-network_home($1_t)
-
-# Transition for { lnk, fifo, sock }. The rest is covered by write_trusted.
-# Relabel files in the home directory 
-file_type_auto_trans($1_t, $1_home_dir_t, $1_home_t, { fifo_file sock_file lnk_file }); 
-allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
-can_setfscreate($1_t)
-
-ifdef(`ftpd.te' , `
-if (ftpd_is_daemon) {
-file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
-}
-')
-
-allow $1_t self:capability { setgid chown fowner };
-dontaudit $1_t self:capability { sys_nice fsetid };
-
-# $1_r is authorized for $1_t for the initial login domain.
-role $1_r types $1_t;
-allow system_r $1_r;
-
-r_dir_file($1_t, usercanread)
-
-# Grant permissions within the domain.
-general_domain_access($1_t)
-
-if (allow_execmem) {
-# Allow making anonymous memory executable, e.g. 
-# for runtime-code generation or executable stack.
-allow $1_t self:process execmem;
-}
-
-if (allow_execmem && allow_execstack) {
-# Allow making the stack executable via mprotect.
-allow $1_t self:process execstack;
-}
-
-# Allow text relocations on system shared libraries, e.g. libGL.
-allow $1_t texrel_shlib_t:file execmod;
-
-#
-# kdeinit wants this access
-#
-allow $1_t device_t:dir { getattr search };
-
-# Find CDROM devices
-r_dir_file($1_t, sysctl_dev_t)
-# for eject
-allow $1_t fixed_disk_device_t:blk_file getattr;
-
-allow $1_t fs_type:dir getattr;
-
-allow $1_t event_device_t:chr_file { getattr read ioctl };
-
-# open office is looking for the following
-allow $1_t dri_device_t:chr_file getattr;
-dontaudit $1_t dri_device_t:chr_file rw_file_perms;
-
-# Supress ls denials:
-# getattr() - ls -l
-# search_dir() - symlink path resolution
-# read_dir() - deep ls: ls parent/...
-
-dontaudit_getattr($1_t)
-dontaudit_search_dir($1_t)
-dontaudit_read_dir($1_t)
-
-# allow ptrace
-can_ptrace($1_t, $1_t)
-
-# Allow user to run restorecon and relabel files
-can_getsecurity($1_t)
-r_dir_file($1_t, default_context_t)
-r_dir_file($1_t, file_context_t)
-
-allow $1_t usbtty_device_t:chr_file read;
-
-# GNOME checks for usb and other devices
-rw_dir_file($1_t,usbfs_t)
-
-can_exec($1_t, noexattrfile)
-# Bind to a Unix domain socket in /tmp.
-allow $1_t $1_tmp_t:unix_stream_socket name_bind;
-
-# Use the type when relabeling terminal devices.
-type_change $1_t tty_device_t:chr_file $1_tty_device_t;
-
-# Debian login is from shadow utils and does not allow resetting the perms.
-# have to fix this!
-type_change $1_t ttyfile:chr_file $1_tty_device_t;
-
-# for running TeX programs
-r_dir_file($1_t, tetex_data_t)
-can_exec($1_t, tetex_data_t)
-
-# Use the type when relabeling pty devices.
-type_change $1_t server_pty:chr_file $1_devpts_t;
-
-tmpfs_domain($1)
-
-ifdef(`cardmgr.te', `
-# to allow monitoring of pcmcia status
-allow $1_t cardmgr_var_run_t:file { getattr read };
-')
-
-# Modify mail spool file.
-allow $1_t mail_spool_t:dir r_dir_perms;
-allow $1_t mail_spool_t:file rw_file_perms;
-allow $1_t mail_spool_t:lnk_file read;
-
-#
-# Allow graphical boot to check battery lifespan
-#
-ifdef(`apmd.te', `
-allow $1_t apmd_t:unix_stream_socket connectto;
-allow $1_t apmd_var_run_t:sock_file write;
-')
-
-#
-# Allow the query of filesystem quotas
-#
-allow $1_t fs_type:filesystem quotaget;
-
-# Run helper programs.
-can_exec_any($1_t)
-# Run programs developed by other users in the same domain.
-can_exec($1_t, $1_home_t)
-can_exec($1_t, $1_tmp_t)
-
-# Run user programs that require different permissions in their own domain.
-# These rules were moved into the individual program domains.
-
-# Instantiate derived domains for a number of programs.
-# These derived domains encode both information about the calling
-# user domain and the program, and allow us to maintain separation
-# between different instances of the program being run by different
-# user domains.
-ifdef(`gnome-pty-helper.te', `gph_domain($1, $1)')
-ifdef(`chkpwd.te', `chkpwd_domain($1)')
-ifdef(`fingerd.te', `fingerd_macro($1)')
-ifdef(`mta.te', `mail_domain($1)')
-ifdef(`exim.te', `exim_user_domain($1)')
-ifdef(`crontab.te', `crontab_domain($1)')
-
-ifdef(`screen.te', `screen_domain($1)')
-ifdef(`tvtime.te', `tvtime_domain($1)')
-ifdef(`mozilla.te', `mozilla_domain($1)')
-ifdef(`thunderbird.te', `thunderbird_domain($1)')
-ifdef(`samba.te', `samba_domain($1)')
-ifdef(`gpg.te', `gpg_domain($1)')
-ifdef(`xauth.te', `xauth_domain($1)')
-ifdef(`iceauth.te', `iceauth_domain($1)')
-ifdef(`startx.te', `xserver_domain($1)')
-ifdef(`lpr.te', `lpr_domain($1)')
-ifdef(`ssh.te', `ssh_domain($1)')
-ifdef(`irc.te', `irc_domain($1)')
-ifdef(`using_spamassassin', `spamassassin_domain($1)')
-ifdef(`pyzor.te', `pyzor_domain($1)')
-ifdef(`razor.te', `razor_domain($1)')
-ifdef(`uml.te', `uml_domain($1)')
-ifdef(`cdrecord.te', `cdrecord_domain($1)')
-ifdef(`mplayer.te', `mplayer_domains($1)')
-
-fontconfig_domain($1)
-
-# GNOME
-ifdef(`gnome.te', `
-gnome_domain($1)
-ifdef(`games.te', `games_domain($1)')
-ifdef(`gift.te', `gift_domains($1)')
-ifdef(`evolution.te', `evolution_domains($1)')
-ifdef(`ethereal.te', `ethereal_domain($1)')
-')
-
-# ICE communication channel
-ice_domain($1, $1)
-
-# ORBit communication channel (independent of GNOME)
-orbit_domain($1, $1)
-
-# Instantiate a derived domain for user cron jobs.
-ifdef(`crond.te', `crond_domain($1)')
-
-ifdef(`vmware.te', `vmware_domain($1)')
-
-if (user_direct_mouse) {
-# Read the mouse.
-allow $1_t mouse_device_t:chr_file r_file_perms;
-}
-# Access other miscellaneous devices.
-allow $1_t misc_device_t:{ chr_file blk_file } rw_file_perms;
-allow $1_t device_t:lnk_file { getattr read };
-
-can_resmgrd_connect($1_t)
-
-#
-# evolution and gnome-session try to create a netlink socket
-#
-dontaudit $1_t self:netlink_socket create_socket_perms;
-dontaudit $1_t self:netlink_route_socket create_netlink_socket_perms;
-
-# Use the network.
-can_network($1_t)
-allow $1_t port_type:tcp_socket name_connect;
-can_ypbind($1_t)
-can_winbind($1_t)
-
-ifdef(`pamconsole.te', `
-allow $1_t pam_var_console_t:dir search;
-')
-
-allow $1_t var_lock_t:dir search;
-
-# Grant permissions to access the system DBus
-ifdef(`dbusd.te', `
-dbusd_client(system, $1)
-can_network_server_tcp($1_dbusd_t)
-allow $1_dbusd_t reserved_port_t:tcp_socket name_bind;
-
-allow $1_t system_dbusd_t:dbus { send_msg acquire_svc };
-dbusd_client($1, $1)
-allow $1_t $1_dbusd_t:dbus { send_msg acquire_svc };
-dbusd_domain($1)
-ifdef(`hald.te', `
-allow $1_t hald_t:dbus send_msg;
-allow hald_t $1_t:dbus send_msg;
-') dnl end ifdef hald.te
-') dnl end ifdef dbus.te
-
-# allow port_t name binding for UDP because it is not very usable otherwise
-allow $1_t port_t:udp_socket name_bind;
-
-# Gnome pannel binds to the following
-ifdef(`cups.te', `
-allow $1_t { cupsd_etc_t cupsd_rw_etc_t }:file { read getattr };
-')
-
-# for perl
-dontaudit $1_t net_conf_t:file ioctl;
-
-# Communicate within the domain.
-can_udp_send($1_t, self)
-
-# Connect to inetd.
-ifdef(`inetd.te', `
-can_tcp_connect($1_t, inetd_t)
-can_udp_send($1_t, inetd_t)
-can_udp_send(inetd_t, $1_t)
-')
-
-# Connect to portmap.
-ifdef(`portmap.te', `can_tcp_connect($1_t, portmap_t)')
-
-# Inherit and use sockets from inetd
-ifdef(`inetd.te', `
-allow $1_t inetd_t:fd use;
-allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;')
-
-# Very permissive allowing every domain to see every type.
-allow $1_t kernel_t:system ipc_info;
-
-# When the user domain runs ps, there will be a number of access
-# denials when ps tries to search /proc.  Do not audit these denials.
-dontaudit $1_t domain:dir r_dir_perms;
-dontaudit $1_t domain:notdevfile_class_set r_file_perms;
-dontaudit $1_t domain:process { getattr getsession };
-#
-# Cups daemon running as user tries to write /etc/printcap
-#
-dontaudit $1_t usr_t:file setattr;
-
-# Use X
-x_client_domain($1, $1)
-
-ifdef(`xserver.te', `
-allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
-')
-
-ifdef(`xdm.te', `
-# Connect to the X server run by the X Display Manager.
-can_unix_connect($1_t, xdm_t)
-# certain apps want to read xdm.pid file
-r_dir_file($1_t, xdm_var_run_t)
-allow $1_t xdm_var_lib_t:file { getattr read };
-allow xdm_t $1_home_dir_t:dir getattr;
-ifdef(`xauth.te', `
-file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
-')
-
-')dnl end ifdef xdm.te
-
-# Access the sound device.
-allow $1_t sound_device_t:chr_file { getattr read write ioctl };
-
-# Access the power device.
-allow $1_t power_device_t:chr_file { getattr read write ioctl };
-
-allow $1_t var_log_t:dir { getattr search };
-dontaudit $1_t logfile:file getattr;
-
-# Check to see if cdrom is mounted
-allow $1_t mnt_t:dir { getattr search };
-
-# Get attributes of file systems.
-allow $1_t fs_type:filesystem getattr;
-
-# Read and write /dev/tty and /dev/null.
-allow $1_t devtty_t:chr_file rw_file_perms;
-allow $1_t null_device_t:chr_file rw_file_perms;
-allow $1_t zero_device_t:chr_file { rw_file_perms execute };
-allow $1_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
-#
-# Added to allow reading of cdrom
-#
-allow $1_t rpc_pipefs_t:dir getattr;
-allow $1_t nfsd_fs_t:dir getattr;
-allow $1_t binfmt_misc_fs_t:dir getattr;
-
-# /initrd is left mounted, various programs try to look at it
-dontaudit $1_t ramfs_t:dir getattr;
-
-#
-# Emacs wants this access
-#
-allow $1_t wtmp_t:file r_file_perms;
-dontaudit $1_t wtmp_t:file write;
-
-# Read the devpts root directory.
-allow $1_t devpts_t:dir r_dir_perms;
-
-r_dir_file($1_t, src_t)
-
-# Allow user to read default_t files
-# This is different from reading default_t content, 
-# because it also includes sockets, fifos, and links
-
-if (read_default_t) {
-allow $1_t default_t:dir r_dir_perms;
-allow $1_t default_t:notdevfile_class_set r_file_perms;
-}
-
-# Read fonts
-read_fonts($1_t, $1)
-
-read_sysctl($1_t);
-
-#
-# Caused by su - init scripts
-#
-dontaudit $1_t initrc_devpts_t:chr_file { ioctl read write };
-
-#
-# Running ifconfig as a user generates the following
-#
-dontaudit $1_t self:socket create;
-dontaudit $1_t sysctl_net_t:dir search;
-
-ifdef(`rpcd.te', `
-create_dir_file($1_t, nfsd_rw_t)
-')
-
-')dnl end base_user_domain macro
-
diff --git a/targeted/macros/content_macros.te b/targeted/macros/content_macros.te
deleted file mode 100644
index fb36d46..0000000
--- a/targeted/macros/content_macros.te
+++ /dev/null
@@ -1,188 +0,0 @@
-# Content access macros
-
-# FIXME: After nested booleans are supported, replace NFS/CIFS
-# w/ read_network_home, and write_network_home macros from global
-
-# FIXME: If true/false constant booleans are supported, replace
-# ugly $3 ifdefs with if(true), if(false)...
-
-# FIXME: Do we want write to imply read?
-
-############################################################
-# read_content(domain, role_prefix, bool_prefix)
-#
-# Allow the given domain to read content.
-# Content may be trusted or untrusted,
-# Reading anything is subject to a controlling boolean based on bool_prefix.
-# Reading untrusted content is additionally subject to read_untrusted_content
-# Reading default_t is additionally subject to read_default_t
-
-define(`read_content', `
-
-# Declare controlling boolean
-ifelse($3, `', `', `
-ifdef(`$3_read_content_defined', `', `
-define(`$3_read_content_defined')
-bool $3_read_content false;
-') dnl ifdef 
-') dnl ifelse
-
-# Handle nfs home dirs
-ifelse($3, `', 
-`if (use_nfs_home_dirs) { ', 
-`if ($3_read_content && use_nfs_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-r_dir_file($1, nfs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 nfs_t:file r_file_perms;
-dontaudit $1 nfs_t:dir r_dir_perms;
-}
-
-# Handle samba home dirs
-ifelse($3, `',
-`if (use_samba_home_dirs) { ',
-`if ($3_read_content && use_samba_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-r_dir_file($1, cifs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 cifs_t:file r_file_perms;
-dontaudit $1 cifs_t:dir r_dir_perms;
-}
-
-# Handle removable media, /tmp, and /home
-ifelse($3, `', `', 
-`if ($3_read_content) {')
-allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-r_dir_file($1, { $2_tmp_t $2_home_t } )
-ifdef(`mls_policy', `', `
-r_dir_file($1, removable_t)
-')
-
-ifelse($3, `', `', 
-`} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { removable_t $2_tmp_t $2_home_t }:dir r_dir_perms;
-dontaudit $1 { removable_t $2_tmp_t $2_home_t }:file r_file_perms;
-}') 
-
-# Handle default_t content
-ifelse($3, `',
-`if (read_default_t) { ',
-`if ($3_read_content && read_default_t) {')
-r_dir_file($1, default_t)
-} else {
-dontaudit $1 default_t:file r_file_perms;
-dontaudit $1 default_t:dir r_dir_perms;
-} 
-
-# Handle untrusted content
-ifelse($3, `',
-`if (read_untrusted_content) { ',
-`if ($3_read_content && read_untrusted_content) {')
-allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-r_dir_file($1, { $2_untrusted_content_t $2_untrusted_content_tmp_t })
-} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:dir r_dir_perms;
-dontaudit $1 { $2_untrusted_content_t $2_untrusted_content_tmp_t }:file r_file_perms;
-}
-') dnl read_content
-
-#################################################
-# write_trusted(domain, role_prefix, bool_prefix)
-#
-# Allow the given domain to write trusted content.
-# This is subject to a controlling boolean based
-# on bool_prefix.
-
-define(`write_trusted', `
-
-# Declare controlling boolean
-ifelse($3, `', `', `
-ifdef(`$3_write_content_defined', `', `
-define(`$3_write_content_defined')
-bool $3_write_content false;
-') dnl ifdef
-') dnl ifelse
-
-# Handle nfs homedirs
-ifelse($3, `',
-`if (use_nfs_home_dirs) { ',
-`if ($3_write_content && use_nfs_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, nfs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 nfs_t:file create_file_perms;
-dontaudit $1 nfs_t:dir create_dir_perms;
-}
-
-# Handle samba homedirs
-ifelse($3, `',
-`if (use_samba_home_dirs) { ',
-`if ($3_write_content && use_samba_home_dirs) {')
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, cifs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 cifs_t:file create_file_perms;
-dontaudit $1 cifs_t:dir create_dir_perms;
-}
-
-# Handle /tmp and /home
-ifelse($3, `', `', 
-`if ($3_write_content) {') 
-allow $1 home_root_t:dir { read getattr search };
-file_type_auto_trans($1, tmp_t, $2_tmp_t, { dir file });
-file_type_auto_trans($1, $2_home_dir_t, $2_home_t, { dir file });
-ifelse($3, `', `', 
-`} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms;
-dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms;
-}')
-
-') dnl write_trusted
-
-#########################################
-# write_untrusted(domain, role_prefix)
-#
-# Allow the given domain to write untrusted content. 
-# This is subject to the global boolean write_untrusted.
-
-define(`write_untrusted', `
-
-# Handle nfs homedirs
-if (write_untrusted_content && use_nfs_home_dirs) {
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, nfs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 nfs_t:file create_file_perms;
-dontaudit $1 nfs_t:dir create_dir_perms;
-}
-
-# Handle samba homedirs
-if (write_untrusted_content && use_samba_home_dirs) {
-allow $1 { autofs_t home_root_t }:dir { read search getattr };
-create_dir_file($1, cifs_t)
-} else {
-dontaudit $1 { autofs_t home_root_t }:dir { read search getattr };
-dontaudit $1 cifs_t:file create_file_perms;
-dontaudit $1 cifs_t:dir create_dir_perms;
-}
-
-# Handle /tmp and /home
-if (write_untrusted_content) {
-allow $1 home_root_t:dir { read getattr search };
-file_type_auto_trans($1, { tmp_t $2_tmp_t }, $2_untrusted_content_tmp_t, { dir file })
-file_type_auto_trans($1, { $2_home_dir_t $2_home_t }, $2_untrusted_content_t, { dir file })
-} else {
-dontaudit $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
-dontaudit $1 { $2_tmp_t $2_home_t }:file create_file_perms;
-dontaudit $1 { $2_tmp_t $2_home_t }:dir create_dir_perms;
-}
-
-') dnl write_untrusted
diff --git a/targeted/macros/core_macros.te b/targeted/macros/core_macros.te
deleted file mode 100644
index 6bae8bf..0000000
--- a/targeted/macros/core_macros.te
+++ /dev/null
@@ -1,706 +0,0 @@
-
-##############################
-#
-# core macros for the type enforcement (TE) configuration.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>, Timothy Fraser  
-#           Howard Holm (NSA) <hdholm@epoch.ncsc.mil>
-#           Russell Coker <russell@coker.com.au>
-#
-
-#################################
-# 
-# Macros for groups of classes and 
-# groups of permissions.
-#
-
-#
-# All directory and file classes
-#
-define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
-
-#
-# All non-directory file classes.
-#
-define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
-
-#
-# Non-device file classes.
-#
-define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
-
-#
-# Device file classes.
-#
-define(`devfile_class_set', `{ chr_file blk_file }')
-
-#
-# All socket classes.
-#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
-
-
-#
-# Datagram socket classes.
-# 
-define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
-
-#
-# Stream socket classes.
-#
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
-
-#
-# Unprivileged socket classes (exclude rawip, netlink, packet).
-#
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
-
-
-# 
-# Permissions for getting file attributes.
-#
-define(`stat_file_perms', `{ getattr }')
-
-# 
-# Permissions for executing files.
-#
-define(`x_file_perms', `{ getattr execute }')
-
-# 
-# Permissions for reading files and their attributes.
-#
-define(`r_file_perms', `{ read getattr lock ioctl }')
-
-# 
-# Permissions for reading and executing files.
-#
-define(`rx_file_perms', `{ read getattr lock execute ioctl }')
-
-# 
-# Permissions for reading and writing files and their attributes.
-#
-define(`rw_file_perms', `{ ioctl read getattr lock write append }')
-
-# 
-# Permissions for reading and appending to files.
-#
-define(`ra_file_perms', `{ ioctl read getattr lock append }')
-
-#
-# Permissions for linking, unlinking and renaming files.
-# 
-define(`link_file_perms', `{ getattr link unlink rename }')
-
-#
-# Permissions for creating lnk_files.
-#
-define(`create_lnk_perms', `{ create read getattr setattr link unlink rename }')
-
-#
-# Permissions for creating and using files.
-# 
-define(`create_file_perms', `{ create ioctl read getattr lock write setattr append link unlink rename }')
-
-# 
-# Permissions for reading directories and their attributes.
-#
-define(`r_dir_perms', `{ read getattr lock search ioctl }')
-
-# 
-# Permissions for reading and writing directories and their attributes.
-#
-define(`rw_dir_perms', `{ read getattr lock search ioctl add_name remove_name write }')
-
-# 
-# Permissions for reading and adding names to directories.
-#
-define(`ra_dir_perms', `{ read getattr lock search ioctl add_name write }')
-
-
-#
-# Permissions for creating and using directories.
-# 
-define(`create_dir_perms', `{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }')
-
-#
-# Permissions to mount and unmount file systems.
-#
-define(`mount_fs_perms', `{ mount remount unmount getattr }')
-
-#
-# Permissions for using sockets.
-# 
-define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
-
-#
-# Permissions for creating and using sockets.
-# 
-define(`create_socket_perms', `{ create rw_socket_perms }')
-
-#
-# Permissions for using stream sockets.
-# 
-define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
-
-#
-# Permissions for creating and using stream sockets.
-# 
-define(`create_stream_socket_perms', `{ create_socket_perms listen accept }')
-
-#
-# Permissions for creating and using sockets.
-# 
-define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
-
-#
-# Permissions for creating and using sockets.
-# 
-define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }')
-
-
-#
-# Permissions for creating and using netlink sockets.
-# 
-define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
-
-#
-# Permissions for using netlink sockets for operations that modify state.
-# 
-define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }')
-
-#
-# Permissions for using netlink sockets for operations that observe state.
-# 
-define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }')
-
-#
-# Permissions for sending all signals.
-#
-define(`signal_perms', `{ sigchld sigkill sigstop signull signal }')
-
-#
-# Permissions for sending and receiving network packets.
-#
-define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }')
-
-#
-# Permissions for using System V IPC
-#
-define(`r_sem_perms', `{ associate getattr read unix_read }')
-define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }')
-define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }')
-define(`r_msgq_perms', `{ associate getattr read unix_read }')
-define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }')
-define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }')
-define(`r_shm_perms', `{ associate getattr read unix_read }')
-define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }')
-define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }')
-
-#################################
-# 
-# Macros for type transition rules and
-# access vector rules.
-#
-
-#
-# Simple combinations for reading and writing both
-# directories and files.
-# 
-define(`r_dir_file', `
-allow $1 $2:dir r_dir_perms;
-allow $1 $2:file r_file_perms;
-allow $1 $2:lnk_file { getattr read };
-')
-
-define(`rw_dir_file', `
-allow $1 $2:dir rw_dir_perms;
-allow $1 $2:file rw_file_perms;
-allow $1 $2:lnk_file { getattr read };
-')
-
-define(`ra_dir_file', `
-allow $1 $2:dir ra_dir_perms;
-allow $1 $2:file ra_file_perms;
-allow $1 $2:lnk_file { getattr read };
-')
-
-define(`ra_dir_create_file', `
-allow $1 $2:dir ra_dir_perms;
-allow $1 $2:file { create ra_file_perms };
-allow $1 $2:lnk_file { create read getattr };
-')
-
-define(`rw_dir_create_file', `
-allow $1 $2:dir rw_dir_perms;
-allow $1 $2:file create_file_perms;
-allow $1 $2:lnk_file create_lnk_perms;
-')
-
-define(`create_dir_file', `
-allow $1 $2:dir create_dir_perms;
-allow $1 $2:file create_file_perms;
-allow $1 $2:lnk_file create_lnk_perms;
-')
-
-define(`create_dir_notdevfile', `
-allow $1 $2:dir create_dir_perms;
-allow $1 $2:{ file sock_file fifo_file } create_file_perms;
-allow $1 $2:lnk_file create_lnk_perms;
-')
-
-define(`create_append_log_file', `
-allow $1 $2:dir { read getattr search add_name write };
-allow $1 $2:file { create ioctl getattr setattr append link };
-')
-
-##################################
-#
-# can_ps(domain1, domain2)
-#
-# Authorize domain1 to see /proc entries for domain2 (see it in ps output)
-#
-define(`can_ps',`
-allow $1 $2:dir { search getattr read };
-allow $1 $2:{ file lnk_file } { read getattr };
-allow $1 $2:process getattr;
-# We need to suppress this denial because procps tries to access
-# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-# running in a privileged domain.
-dontaudit $1 $2:process ptrace;
-')
-
-##################################
-#
-# can_getsecurity(domain)
-#
-# Authorize a domain to get security policy decisions.
-#
-define(`can_getsecurity',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } { getattr read };
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security { check_context compute_av compute_create compute_relabel compute_user };
-')
-
-##################################
-#
-# can_setenforce(domain)
-#
-# Authorize a domain to set the enforcing flag.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_setenforce',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-if (!secure_mode_policyload) {
-allow $1 security_t:security setenforce;
-auditallow $1 security_t:security setenforce;
-}dnl end if !secure_mode_policyload
-')
-
-##################################
-#
-# can_setbool(domain)
-#
-# Authorize a domain to set a policy boolean.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_setbool',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-if (!secure_mode_policyload) {
-allow $1 security_t:security setbool;
-auditallow $1 security_t:security setbool;
-}dnl end if !secure_mode_policyload
-')
-
-##################################
-#
-# can_setsecparam(domain)
-#
-# Authorize a domain to set security parameters.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_setsecparam',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-allow $1 security_t:security setsecparam;
-auditallow $1 security_t:security setsecparam;
-')
-
-##################################
-#
-# can_loadpol(domain)
-#
-# Authorize a domain to load a policy configuration.
-# Due to its sensitivity, always audit this permission.
-#
-define(`can_loadpol',`
-# Get the selinuxfs mount point via /proc/self/mounts.
-allow $1 proc_t:dir search;
-allow $1 proc_t:lnk_file read;
-allow $1 proc_t:file { getattr read };
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-# Access selinuxfs.
-allow $1 security_t:dir { read search getattr };
-allow $1 security_t:file { getattr read write };
-if (!secure_mode_policyload) {
-allow $1 security_t:security load_policy;
-auditallow $1 security_t:security load_policy;
-}dnl end if !secure_mode_policyload
-')
-
-#################################
-#
-# domain_trans(parent_domain, program_type, child_domain)
-#
-# Permissions for transitioning to a new domain.
-#
-
-define(`domain_trans',`
-
-#
-# Allow the process to transition to the new domain.
-#
-allow $1 $3:process transition;
-
-#
-# Do not audit when glibc secure mode is enabled upon the transition.
-#
-dontaudit $1 $3:process noatsecure;
-
-#
-# Do not audit when signal-related state is cleared upon the transition.
-#
-dontaudit $1 $3:process siginh;
-
-#
-# Do not audit when resource limits are reset upon the transition.
-#
-dontaudit $1 $3:process rlimitinh;
-
-#
-# Allow the process to execute the program.
-# 
-allow $1 $2:file { read x_file_perms };
-
-#
-# Allow the process to reap the new domain.
-#
-allow $3 $1:process sigchld;
-
-#
-# Allow the new domain to inherit and use file 
-# descriptions from the creating process and vice versa.
-#
-allow $3 $1:fd use;
-allow $1 $3:fd use;
-
-#
-# Allow the new domain to write back to the old domain via a pipe.
-#
-allow $3 $1:fifo_file rw_file_perms;
-
-#
-# Allow the new domain to read and execute the program.
-#
-allow $3 $2:file rx_file_perms;
-
-#
-# Allow the new domain to be entered via the program.
-#
-allow $3 $2:file entrypoint;
-')
-
-#################################
-#
-# domain_auto_trans(parent_domain, program_type, child_domain)
-#
-# Define a default domain transition and allow it.
-#
-define(`domain_auto_trans',`
-domain_trans($1,$2,$3)
-type_transition $1 $2:process $3;
-')
-
-#################################
-#
-# can_ptrace(domain, domain)
-#
-# Permissions for running ptrace (strace or gdb) on another domain
-#
-define(`can_ptrace',`
-allow $1 $2:process ptrace;
-allow $2 $1:process sigchld;
-')
-
-#################################
-#
-# can_exec(domain, type)
-#
-# Permissions for executing programs with
-# a specified type without changing domains.
-#
-define(`can_exec',`
-allow $1 $2:file { rx_file_perms execute_no_trans };
-')
-
-# this is an internal macro used by can_create
-define(`can_create_internal', `
-ifelse(`$3', `dir', `
-allow $1 $2:$3 create_dir_perms;
-', `$3', `lnk_file', `
-allow $1 $2:$3 create_lnk_perms;
-', `
-allow $1 $2:$3 create_file_perms;
-')dnl end if dir
-')dnl end can_create_internal
-
-
-#################################
-#
-# can_create(domain, file_type, object_class)
-#
-# Permissions for creating files of the specified type and class
-#
-define(`can_create', `
-ifelse(regexp($3, `\w'), -1, `', `
-can_create_internal($1, $2, regexp($3, `\(\w+\)', `\1'))
-
-can_create($1, $2, regexp($3, `\w+\(.*\)', `\1'))
-')
-')
-#################################
-#
-# file_type_trans(domain, dir_type, file_type)
-#
-# Permissions for transitioning to a new file type.
-#
-
-define(`file_type_trans',`
-
-#
-# Allow the process to modify the directory.
-#
-allow $1 $2:dir rw_dir_perms;
-
-#
-# Allow the process to create the file.
-#
-ifelse(`$4', `', `
-can_create($1, $3, `{ file lnk_file sock_file fifo_file dir }')
-', `
-can_create($1, $3, $4)
-')dnl end if param 4 specified
-
-')
-
-#################################
-#
-# file_type_auto_trans(creator_domain, parent_directory_type, file_type, object_class)
-#
-# the object class will default to notdevfile_class_set if not specified as
-# the fourth parameter
-#
-# Define a default file type transition and allow it.
-#
-define(`file_type_auto_trans',`
-ifelse(`$4', `', `
-file_type_trans($1,$2,$3)
-type_transition $1 $2:dir $3;
-type_transition $1 $2:notdevfile_class_set $3;
-', `
-file_type_trans($1,$2,$3,$4)
-type_transition $1 $2:$4 $3;
-')dnl end ifelse
-
-')
-
-
-#################################
-#
-# can_unix_connect(client, server)
-#
-# Permissions for establishing a Unix stream connection.
-#
-define(`can_unix_connect',`
-allow $1 $2:unix_stream_socket connectto;
-')
-
-#################################
-#
-# can_unix_send(sender, receiver)
-#
-# Permissions for sending Unix datagrams.
-#
-define(`can_unix_send',`
-allow $1 $2:unix_dgram_socket sendto;
-')
-
-#################################
-#
-# can_tcp_connect(client, server)
-#
-# Permissions for establishing a TCP connection.
-# Irrelevant until we have labeled networking.
-#
-define(`can_tcp_connect',`
-#allow $1 $2:tcp_socket { connectto recvfrom };
-#allow $2 $1:tcp_socket { acceptfrom recvfrom };
-#allow $2 kernel_t:tcp_socket recvfrom;
-#allow $1 kernel_t:tcp_socket recvfrom;
-')
-
-#################################
-#
-# can_udp_send(sender, receiver)
-#
-# Permissions for sending/receiving UDP datagrams.
-# Irrelevant until we have labeled networking.
-#
-define(`can_udp_send',`
-#allow $1 $2:udp_socket sendto;
-#allow $2 $1:udp_socket recvfrom;
-')
-
-
-##################################
-#
-# base_pty_perms(domain_prefix)
-#
-# Base permissions used for can_create_pty() and can_create_other_pty()
-#
-define(`base_pty_perms', `
-# Access the pty master multiplexer.
-allow $1_t ptmx_t:chr_file rw_file_perms;
-
-allow $1_t devpts_t:filesystem getattr;
-
-# allow searching /dev/pts
-allow $1_t devpts_t:dir { getattr read search };
-
-# ignore old BSD pty devices
-dontaudit $1_t bsdpty_device_t:chr_file { getattr read write };
-')
-
-
-##################################
-#
-# pty_slave_label(domain_prefix, attributes)
-#
-# give access to a slave pty but do not allow creating new ptys
-#
-define(`pty_slave_label', `
-type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
-
-# Allow the pty to be associated with the file system.
-allow $1_devpts_t devpts_t:filesystem associate;
-
-# Label pty files with a derived type.
-type_transition $1_t devpts_t:chr_file $1_devpts_t;
-
-# allow searching /dev/pts
-allow $1_t devpts_t:dir { getattr read search };
-
-# Read and write my pty files.
-allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
-')
-
-
-##################################
-#
-# can_create_pty(domain_prefix, attributes)
-#
-# Permissions for creating ptys.
-#
-define(`can_create_pty',`
-base_pty_perms($1)
-pty_slave_label($1, `$2')
-')
-
-
-##################################
-#
-# can_create_other_pty(domain_prefix,other_domain)
-#
-# Permissions for creating ptys for another domain.
-#
-define(`can_create_other_pty',`
-base_pty_perms($1)
-# Label pty files with a derived type.
-type_transition $1_t devpts_t:chr_file $2_devpts_t;
-
-# Read and write pty files.
-allow $1_t $2_devpts_t:chr_file { setattr rw_file_perms };
-')
-
-
-#
-# general_domain_access(domain)
-#
-# Grant permissions within the domain.
-# This includes permissions to processes, /proc/PID files,
-# file descriptors, pipes, Unix sockets, and System V IPC objects
-# labeled with the domain.
-#
-define(`general_domain_access',`
-# Access other processes in the same domain.
-# Omits ptrace, setcurrent, setexec, setfscreate, setrlimit, execmem, execstack and execheap.
-# These must be granted separately if desired.
-allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap};
-
-# Access /proc/PID files for processes in the same domain.
-allow $1 self:dir r_dir_perms;
-allow $1 self:notdevfile_class_set r_file_perms;
-
-# Access file descriptions, pipes, and sockets
-# created by processes in the same domain.
-allow $1 self:fd *;
-allow $1 self:fifo_file rw_file_perms;
-allow $1 self:unix_dgram_socket create_socket_perms;
-allow $1 self:unix_stream_socket create_stream_socket_perms;
-
-# Allow the domain to communicate with other processes in the same domain.
-allow $1 self:unix_dgram_socket sendto;
-allow $1 self:unix_stream_socket connectto;
-
-# Access System V IPC objects created by processes in the same domain.
-allow $1 self:sem  create_sem_perms;
-allow $1 self:msg  { send receive };
-allow $1 self:msgq create_msgq_perms;
-allow $1 self:shm  create_shm_perms;
-allow $1 unpriv_userdomain:fd use;
-#
-# Every app is asking for ypbind so I am adding this here, 
-# eventually this should become can_nsswitch
-#
-can_ypbind($1)
-allow $1 autofs_t:dir { search getattr };
-')dnl end general_domain_access
diff --git a/targeted/macros/global_macros.te b/targeted/macros/global_macros.te
deleted file mode 100644
index 0faa4be..0000000
--- a/targeted/macros/global_macros.te
+++ /dev/null
@@ -1,766 +0,0 @@
-##############################
-#
-# Global macros for the type enforcement (TE) configuration.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#           Howard Holm (NSA) <hdholm@epoch.ncsc.mil>
-#           Russell Coker <russell@coker.com.au>
-#
-#
-#
-
-##################################
-#
-# can_setexec(domain)
-#
-# Authorize a domain to set its exec context
-# (via /proc/pid/attr/exec).
-#
-define(`can_setexec',`
-allow $1 self:process setexec;
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read write };
-')
-
-##################################
-#
-# can_getcon(domain)
-#
-# Authorize a domain to get its context
-# (via /proc/pid/attr/current).
-#
-define(`can_getcon',`
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read };
-allow $1 self:process getattr;
-')
-
-##################################
-#
-# can_setcon(domain)
-#
-# Authorize a domain to set its current context
-# (via /proc/pid/attr/current).
-#
-define(`can_setcon',`
-allow $1 self:process setcurrent;
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read write };
-')
-
-##################################
-# read_sysctl(domain)
-#
-# Permissions for reading sysctl variables.
-# If the second parameter is full, allow
-# reading of any sysctl variables, else only
-# sysctl_kernel_t.
-#
-define(`read_sysctl', `
-# Read system variables in /sys.
-ifelse($2,`full', `
-allow $1 sysctl_type:dir r_dir_perms;
-allow $1 sysctl_type:file r_file_perms;
-', `
-allow $1 sysctl_t:dir search;
-allow $1 sysctl_kernel_t:dir search;
-allow $1 sysctl_kernel_t:file { getattr read };
-')
-
-')dnl read_sysctl
-
-##################################
-#
-# can_setfscreate(domain)
-#
-# Authorize a domain to set its fscreate context
-# (via /proc/pid/attr/fscreate).
-#
-define(`can_setfscreate',`
-allow $1 self:process setfscreate;
-allow $1 proc_t:dir search;
-allow $1 proc_t:{ file lnk_file } read;
-allow $1 self:dir search;
-allow $1 self:file { getattr read write };
-')
-
-#################################
-#
-# uses_shlib(domain)
-#
-# Permissions for using shared libraries.
-#
-define(`uses_shlib',`
-allow $1 { root_t usr_t lib_t etc_t }:dir r_dir_perms;
-allow $1 lib_t:lnk_file r_file_perms;
-allow $1 ld_so_t:file rx_file_perms;
-#allow $1 ld_so_t:file execute_no_trans;
-allow $1 ld_so_t:lnk_file r_file_perms;
-allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms;
-allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms;
-allow $1 texrel_shlib_t:file execmod;
-allow $1 ld_so_cache_t:file r_file_perms;
-allow $1 device_t:dir search;
-allow $1 null_device_t:chr_file rw_file_perms;
-')
-
-#################################
-#
-# can_exec_any(domain)
-#
-# Permissions for executing a variety
-# of executable types.
-#
-define(`can_exec_any',`
-allow $1 { bin_t sbin_t lib_t etc_t }:dir r_dir_perms;
-allow $1 { bin_t sbin_t etc_t }:lnk_file { getattr read };
-uses_shlib($1)
-can_exec($1, etc_t)
-can_exec($1, lib_t)
-can_exec($1, bin_t)
-can_exec($1, sbin_t)
-can_exec($1, exec_type)
-can_exec($1, ld_so_t)
-')
-
-
-#################################
-#
-# can_sysctl(domain)
-#
-# Permissions for modifying sysctl parameters.
-#
-define(`can_sysctl',`
-allow $1 sysctl_type:dir r_dir_perms;
-allow $1 sysctl_type:file { setattr rw_file_perms };
-')
-
-
-##################################
-#
-# read_locale(domain)
-#
-# Permissions for reading the locale data,
-# /etc/localtime and the files that it links to
-#
-define(`read_locale', `
-allow $1 etc_t:lnk_file read;
-allow $1 lib_t:file r_file_perms;
-r_dir_file($1, locale_t)
-')
-
-define(`can_access_pty', `
-allow $1 devpts_t:dir r_dir_perms;
-allow $1 $2_devpts_t:chr_file rw_file_perms;
-')
-
-###################################
-#
-# access_terminal(domain, typeprefix)
-#
-# Permissions for accessing the terminal
-#
-define(`access_terminal', `
-allow $1 $2_tty_device_t:chr_file { read write getattr ioctl };
-allow $1 devtty_t:chr_file { read write getattr ioctl };
-can_access_pty($1, $2)
-') 
-
-#
-# general_proc_read_access(domain)
-#
-# Grant read/search permissions to most of /proc, excluding
-# the /proc/PID directories and the /proc/kmsg and /proc/kcore files.
-# The general_domain_access macro grants access to the domain /proc/PID
-# directories, but not to other domains.  Only permissions to stat
-# are granted for /proc/kmsg and /proc/kcore, since these files are more
-# sensitive.
-# 
-define(`general_proc_read_access',`
-# Read system information files in /proc.
-r_dir_file($1, proc_t)
-r_dir_file($1, proc_net_t)
-allow $1 proc_mdstat_t:file r_file_perms;
-
-# Stat /proc/kmsg and /proc/kcore.
-allow $1 proc_fs:file stat_file_perms;
-
-# Read system variables in /proc/sys.
-read_sysctl($1)
-')
-
-#
-# base_file_read_access(domain)
-#
-# Grant read/search permissions to a few system file types.
-#
-define(`base_file_read_access',`
-# Read /.
-allow $1 root_t:dir r_dir_perms;
-allow $1 root_t:notdevfile_class_set r_file_perms;
-
-# Read /home.
-allow $1 home_root_t:dir r_dir_perms;
-
-# Read /usr.
-allow $1 usr_t:dir r_dir_perms;
-allow $1 usr_t:notdevfile_class_set r_file_perms;
-
-# Read bin and sbin directories.
-allow $1 bin_t:dir r_dir_perms;
-allow $1 bin_t:notdevfile_class_set r_file_perms;
-allow $1 sbin_t:dir r_dir_perms;
-allow $1 sbin_t:notdevfile_class_set r_file_perms;
-read_sysctl($1)
-
-r_dir_file($1, selinux_config_t)
-
-if (read_default_t) {
-#
-# Read default_t
-#.
-allow $1 default_t:dir r_dir_perms;
-allow $1 default_t:notdevfile_class_set r_file_perms;
-}
-
-')
-
-#######################
-# daemon_core_rules(domain_prefix, attribs)
-#
-# Define the core rules for a daemon, used by both daemon_base_domain() and
-# init_service_domain().
-# Attribs is the list of attributes which must start with "," if it is not empty
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-define(`daemon_core_rules', `
-type $1_t, domain, privlog, daemon $2;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-dontaudit $1_t self:capability sys_tty_config;
-
-role system_r types $1_t;
-
-# Inherit and use descriptors from init.
-allow $1_t init_t:fd use;
-allow $1_t init_t:process sigchld;
-allow $1_t self:process { signal_perms fork };
-
-uses_shlib($1_t)
-
-allow $1_t { self proc_t }:dir r_dir_perms;
-allow $1_t { self proc_t }:lnk_file { getattr read };
-
-allow $1_t device_t:dir r_dir_perms;
-ifdef(`udev.te', `
-allow $1_t udev_tdb_t:file r_file_perms;
-')dnl end if udev.te
-allow $1_t null_device_t:chr_file rw_file_perms;
-dontaudit $1_t console_device_t:chr_file rw_file_perms;
-dontaudit $1_t unpriv_userdomain:fd use;
-
-r_dir_file($1_t, sysfs_t) 
-
-allow $1_t autofs_t:dir { search getattr };
-ifdef(`targeted_policy', `
-dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write };
-dontaudit $1_t root_t:file { getattr read };
-')dnl end if targeted_policy
- 
-')dnl end macro daemon_core_rules
-
-#######################
-# init_service_domain(domain_prefix, attribs)
-#
-# Define a domain for a program that is run from init
-# Attribs is the list of attributes which must start with "," if it is not empty
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-define(`init_service_domain', `
-daemon_core_rules($1, `$2')
-
-domain_auto_trans(init_t, $1_exec_t, $1_t)
-')dnl
-
-#######################
-# daemon_base_domain(domain_prefix, attribs)
-#
-# Define a daemon domain with a base set of type declarations
-# and permissions that are common to most daemons.
-# attribs is the list of attributes which must start with "," if it is not empty
-# nosysadm may be given as an optional third parameter, to specify that the
-# sysadmin should not transition to the domain when directly calling the executable
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-define(`daemon_base_domain', `
-daemon_core_rules($1, `$2')
-
-rhgb_domain($1_t)
-
-read_sysctl($1_t)
-
-ifdef(`direct_sysadm_daemon', `
-dontaudit $1_t admin_tty_type:chr_file rw_file_perms;
-')
-
-#
-# Allows user to define a tunable to disable domain transition
-#
-ifelse(index(`$2',`transitionbool'), -1, `', `
-bool $1_disable_trans false;
-if ($1_disable_trans) {
-can_exec(initrc_t, $1_exec_t)
-can_exec(sysadm_t, $1_exec_t)
-} else {
-') dnl transitionbool
-domain_auto_trans(initrc_t, $1_exec_t, $1_t)
-
-allow initrc_t $1_t:process { noatsecure siginh rlimitinh };
-ifdef(`direct_sysadm_daemon', `
-ifelse(`$3', `nosysadm', `', `
-domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
-allow sysadm_t $1_t:process { noatsecure siginh rlimitinh };
-')dnl end nosysadm
-')dnl end direct_sysadm_daemon
-ifelse(index(`$2', `transitionbool'), -1, `', `
-}
-') dnl end transitionbool
-ifdef(`direct_sysadm_daemon', `
-ifelse(`$3', `nosysadm', `', `
-role_transition sysadm_r $1_exec_t system_r;
-')dnl end nosysadm
-')dnl end direct_sysadm_daemon
-
-allow $1_t privfd:fd use;
-ifdef(`newrole.te', `allow $1_t newrole_t:process sigchld;')
-allow $1_t initrc_devpts_t:chr_file rw_file_perms;
-')dnl
-
-# allow a domain to create its own files under /var/run and to create files
-# in directories that are created for it.  $2 is an optional list of
-# classes to use; default is file.
-define(`var_run_domain', `
-type $1_var_run_t, file_type, sysadmfile, pidfile;
-
-ifelse(`$2', `', `
-file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file)
-', `
-file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2)
-')
-allow $1_t var_t:dir search;
-allow $1_t $1_var_run_t:dir rw_dir_perms;
-')
-
-#######################
-# daemon_domain(domain_prefix, attribs)
-#
-# see daemon_base_domain for calling details
-# daemon_domain defines some additional privileges needed by many domains,
-# like pid files and locale support
-
-define(`daemon_domain', `
-ifdef(`targeted_policy', `
-daemon_base_domain($1, `$2, transitionbool', $3)
-', `
-daemon_base_domain($1, `$2', $3)
-')
-# Create pid file.
-allow $1_t var_t:dir { getattr search };
-var_run_domain($1)
-
-allow $1_t devtty_t:chr_file rw_file_perms;
-
-# for daemons that look at /root on startup
-dontaudit $1_t sysadm_home_dir_t:dir search;
-
-# for df
-allow $1_t fs_type:filesystem getattr;
-allow $1_t removable_t:filesystem getattr;
-
-read_locale($1_t)
-
-# for localization
-allow $1_t lib_t:file { getattr read };
-')dnl end daemon_domain macro
-
-define(`uses_authbind',
-`domain_auto_trans($1, authbind_exec_t, authbind_t)
-allow authbind_t $1:process sigchld;
-allow authbind_t $1:fd use;
-allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
-')
-
-# define a sub-domain, $1_t is the parent domain, $2 is the name
-# of the sub-domain.
-#
-define(`daemon_sub_domain', `
-# $1 is the parent domain (or domains), $2_t is the child domain,
-# and $3 is any attributes to apply to the child
-type $2_t, domain, privlog, daemon $3;
-type $2_exec_t, file_type, sysadmfile, exec_type;
-
-role system_r types $2_t;
-
-ifelse(index(`$3',`transitionbool'), -1, `
-
-domain_auto_trans($1, $2_exec_t, $2_t)
-
-', `
-
-bool $2_disable_trans false;
-
-if (! $2_disable_trans) {
-domain_auto_trans($1, $2_exec_t, $2_t)
-}
-
-');
-# Inherit and use descriptors from parent.
-allow $2_t $1:fd use;
-allow $2_t $1:process sigchld;
-
-allow $2_t self:process signal_perms;
-
-uses_shlib($2_t)
-
-allow $2_t { self proc_t }:dir r_dir_perms;
-allow $2_t { self proc_t }:lnk_file read;
-
-allow $2_t device_t:dir getattr;
-')
-
-# grant access to /tmp
-# by default, only plain files and dirs may be stored there.
-# This can be overridden with a third parameter
-define(`tmp_domain', `
-type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
-ifelse($3, `',
-`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `{ file dir }')',
-`file_type_auto_trans($1_t, tmp_t, $1_tmp_t, `$3')')
-')
-
-# grant access to /tmp. Do not perform an automatic transition.
-define(`tmp_domain_notrans', `
-type $1_tmp_t, file_type, sysadmfile, polymember, tmpfile $2;
-')
-
-define(`tmpfs_domain', `
-ifdef(`$1_tmpfs_t_defined',`', `
-define(`$1_tmpfs_t_defined')
-type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
-# Use this type when creating tmpfs/shm objects.
-file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
-allow $1_tmpfs_t tmpfs_t:filesystem associate;
-')
-')
-
-define(`var_lib_domain', `
-type $1_var_lib_t, file_type, sysadmfile;
-file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file)
-allow $1_t $1_var_lib_t:dir rw_dir_perms;
-')
-
-define(`log_domain', `
-type $1_log_t, file_type, sysadmfile, logfile;
-file_type_auto_trans($1_t, var_log_t, $1_log_t, file)
-')
-
-define(`logdir_domain', `
-log_domain($1)
-allow $1_t $1_log_t:dir { setattr rw_dir_perms };
-')
-
-define(`etc_domain', `
-type $1_etc_t, file_type, sysadmfile, usercanread;
-allow $1_t $1_etc_t:file r_file_perms;
-')
-
-define(`etcdir_domain', `
-etc_domain($1)
-allow $1_t $1_etc_t:dir r_dir_perms;
-allow $1_t $1_etc_t:lnk_file { getattr read };
-')
-
-define(`append_log_domain', `
-type $1_log_t, file_type, sysadmfile, logfile;
-allow $1_t var_log_t:dir ra_dir_perms;
-allow $1_t $1_log_t:file  { create ra_file_perms };
-type_transition $1_t var_log_t:file $1_log_t;
-')
-
-define(`append_logdir_domain', `
-append_log_domain($1)
-allow $1_t $1_log_t:dir { setattr ra_dir_perms };
-')
-
-define(`lock_domain', `
-type $1_lock_t, file_type, sysadmfile, lockfile;
-file_type_auto_trans($1_t, var_lock_t, $1_lock_t, file)
-')
-
-#######################
-# application_domain(domain_prefix)
-#
-# Define a domain with a base set of type declarations
-# and permissions that are common to simple applications.
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-define(`application_domain', `
-type $1_t, domain, privlog $2;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-role sysadm_r types $1_t;
-ifdef(`targeted_policy', `
-role system_r types $1_t;
-')
-domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
-uses_shlib($1_t)
-')
-
-define(`system_domain', `
-type $1_t, domain, privlog $2;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-role system_r types $1_t;
-uses_shlib($1_t)
-allow $1_t etc_t:dir r_dir_perms;
-')
-
-# Dontaudit macros to prevent flooding the log
-
-define(`dontaudit_getattr', `
-dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr; 
-dontaudit $1 unlabeled_t:dir_file_class_set getattr;
-dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
-')dnl end dontaudit_getattr 
-
-define(`dontaudit_search_dir', `
-dontaudit $1 file_type - secure_file_type:dir search;
-dontaudit $1 unlabeled_t:dir search;
-dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
-')dnl end dontaudit_search_dir
-
-define(`dontaudit_read_dir', `
-dontaudit $1 file_type - secure_file_type:dir read;
-dontaudit $1 unlabeled_t:dir read;
-dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
-')dnl end dontaudit_read_dir
-
-# Define legacy_domain  for legacy binaries (java)
-# "legacy" binary == lacks PT_GNU_STACK header, i.e. built with an old
-# toolchain.  They cause the kernel to automatically start translating all
-# read protection requests to read|execute for backward compatibility on
-# x86.  They will all need execmem and execmod, including execmod to
-# shlib_t and ld_so_t unlike non-legacy binaries.
-
-define(`legacy_domain', `
-allow $1_t self:process { execmem execstack };
-allow $1_t { texrel_shlib_t shlib_t }:file execmod;
-allow $1_t ld_so_t:file execmod;
-allow $1_t ld_so_cache_t:file execute;
-')
-
-
-# Allow domain to perform polyinstantiation functions
-# polyinstantiater(domain)
-
-define(`polyinstantiater', `
-
-ifdef(`support_polyinstantiation', `
-# Need to give access to /selinux/member
-allow $1 security_t:security compute_member;
-
-# Need to give access to the directories to be polyinstantiated
-allow $1 polydir:dir { getattr mounton add_name create setattr write search };
-
-# Need to give access to the polyinstantiated subdirectories
-allow $1 polymember:dir {getattr search };
-
-# Need to give access to parent directories where original
-# is remounted for polyinstantiation aware programs (like gdm)
-allow $1 polyparent:dir { getattr mounton };
-
-# Need to give permission to create directories where applicable
-allow $1 polymember: dir { create setattr };
-allow $1 polydir: dir { write add_name };
-allow $1 self:process setfscreate;
-allow $1 polyparent:dir { write add_name };
-# Default type for mountpoints
-allow $1 poly_t:dir { create mounton };
-
-# Need sys_admin capability for mounting
-allow $1 self:capability sys_admin;
-')dnl end else support_polyinstantiation
-
-')dnl end polyinstantiater
-
-# 
-# Domain that is allow to read anonymous data off the network
-# without providing authentication.
-# Also define boolean to allow anonymous writing
-#
-define(`anonymous_domain', `
-r_dir_file($1_t, { public_content_t public_content_rw_t } )
-bool allow_$1_anon_write false;
-if (allow_$1_anon_write) {
-create_dir_file($1_t,public_content_rw_t)
-}
-')
-# 
-# Define a domain that can do anything, so that it is
-# effectively unconfined by the SELinux policy.  This
-# means that it is only restricted by the normal Linux 
-# protections.  Note that you may need to add further rules
-# to allow other domains to interact with this domain as expected,
-# since this macro only allows the specified domain to act upon
-# all other domains and types, not vice versa.
-#
-define(`unconfined_domain', `
-
-typeattribute $1 unrestricted;
-typeattribute $1 privuser;
-
-# Mount/unmount any filesystem. 
-allow $1 fs_type:filesystem *;
-
-# Mount/unmount any filesystem with the context= option. 
-allow $1 file_type:filesystem *;
-
-# Create/access any file in a labeled filesystem;
-allow $1 file_type:{ file chr_file } ~execmod;
-allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
-allow $1 sysctl_t:{ dir file } *;
-allow $1 device_type:devfile_class_set *;
-allow $1 mtrr_device_t:file *;
-
-# Create/access other files.  fs_type is to pick up various
-# pseudo filesystem types that are applied to both the filesystem
-# and its files.
-allow $1 { unlabeled_t fs_type }:dir_file_class_set *;
-allow $1 proc_fs:{ dir file } *;
-
-# For /proc/pid
-r_dir_file($1,domain)
-# Write access is for setting attributes under /proc/self/attr.
-allow $1 self:file rw_file_perms;
-
-# Read and write sysctls.
-can_sysctl($1)
-
-# Access the network.
-allow $1 node_type:node *;
-allow $1 netif_type:netif *;
-allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
-allow $1 port_type:tcp_socket name_connect;
-
-# Bind to any network address.
-allow $1 port_type:{ rawip_socket tcp_socket udp_socket } name_bind;
-allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
-allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
-
-# Use/sendto/connectto sockets created by any domain.
-allow $1 domain:{ socket_class_set socket key_socket } *;
-
-# Use descriptors and pipes created by any domain.
-allow $1 domain:fd use;
-allow $1 domain:fifo_file rw_file_perms;
-
-# Act upon any other process.
-allow $1 domain:process ~{ transition dyntransition execmem };
-# Transition to myself, to make get_ordered_context_list happy.
-allow $1 self:process transition;
-
-if (allow_execmem) {
-# Allow making anonymous memory executable, e.g. 
-# for runtime-code generation or executable stack.
-allow $1 self:process execmem;
-}
-
-if (allow_execmem && allow_execstack) {
-# Allow making the stack executable via mprotect.
-allow $1 self:process execstack;
-}
-
-if (allow_execmod) {
-# Allow text relocations on system shared libraries, e.g. libGL.
-ifdef(`targeted_policy', `
-allow $1 file_type:file execmod;
-', `
-allow $1 texrel_shlib_t:file execmod;
-allow $1 home_type:file execmod;
-')
-}
-
-# Create/access any System V IPC objects.
-allow $1 domain:{ sem msgq shm } *;
-allow $1 domain:msg  { send receive };
-
-# Access the security API.
-if (!secure_mode_policyload) {
-allow $1 security_t:security *;
-auditallow $1 security_t:security { load_policy setenforce setbool };
-}dnl end if !secure_mode_policyload
-
-# Perform certain system operations that lacked individual capabilities.
-allow $1 kernel_t:system *;
-
-# Use any Linux capability.
-allow $1 self:capability *;
-
-# Set user information and skip authentication.
-allow $1 self:passwd *;
-
-# Communicate via dbusd.
-allow $1 self:dbus *;
-ifdef(`dbusd.te', `
-allow $1 system_dbusd_t:dbus *;
-')
-
-# Get info via nscd.
-allow $1 self:nscd *;
-ifdef(`nscd.te', `
-allow $1 nscd_t:nscd *;
-')
-
-')dnl end unconfined_domain
-
-
-define(`access_removable_media', `
-
-can_exec($1, { removable_t noexattrfile } )
-if (user_rw_noexattrfile) {
-create_dir_file($1, noexattrfile)
-create_dir_file($1, removable_t)
-# Write floppies 
-allow $1 removable_device_t:blk_file rw_file_perms;
-allow $1 usbtty_device_t:chr_file write;
-} else {
-r_dir_file($1, noexattrfile)
-r_dir_file($1, removable_t)
-allow $1 removable_device_t:blk_file r_file_perms;
-}
-allow $1 removable_t:filesystem getattr;
-
-')
-
-define(`authentication_domain', `
-can_ypbind($1)
-can_kerberos($1)
-can_ldap($1)
-can_resolve($1)
-can_winbind($1)
-r_dir_file($1, cert_t)
-allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
-allow $1 self:capability { audit_write audit_control };
-dontaudit $1 shadow_t:file { getattr read };
-allow $1 sbin_t:dir search;
-allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-')
diff --git a/targeted/macros/home_macros.te b/targeted/macros/home_macros.te
deleted file mode 100644
index 033b32f..0000000
--- a/targeted/macros/home_macros.te
+++ /dev/null
@@ -1,130 +0,0 @@
-# Home macros
-
-################################################
-# network_home(source)
-#
-# Allows source domain to use a network home
-# This includes privileges of create and execute
-# as well as the ability to create sockets and fifo
-
-define(`network_home', `
-allow $1 autofs_t:dir { search getattr };
-
-if (use_nfs_home_dirs) {
-create_dir_file($1, nfs_t)
-can_exec($1, nfs_t)
-allow $1 nfs_t:{ sock_file fifo_file } create_file_perms;
-}
-
-if (use_samba_home_dirs) {
-create_dir_file($1, cifs_t)
-can_exec($1, cifs_t)
-allow $1 cifs_t:{ sock_file fifo_file } create_file_perms;
-}
-') dnl network_home
-
-################################################
-# write_network_home(source)
-#
-# Allows source domain to create directories and
-# files on network file system
-
-define(`write_network_home', `
-allow $1 home_root_t:dir search;
-
-if (use_nfs_home_dirs) {
-create_dir_file($1, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1, cifs_t)
-}
-allow $1 autofs_t:dir { search getattr };
-') dnl write_network_home
-
-################################################
-# read_network_home(source)
-#
-# Allows source domain to read directories and
-# files on network file system
-
-define(`read_network_home', `
-allow $1 home_root_t:dir search;
-
-if (use_nfs_home_dirs) {
-r_dir_file($1, nfs_t)
-}
-if (use_samba_home_dirs) {
-r_dir_file($1, cifs_t)
-}
-allow $1 autofs_t:dir { search getattr };
-') dnl read_network_home
-
-##################################################
-# home_domain_ro_access(source, user, app)
-#
-# Gives source access to the read-only home
-# domain of app for the given user type
-
-define(`home_domain_ro_access', `
-allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
-read_network_home($1)
-r_dir_file($1, $2_$3_ro_home_t)
-') dnl home_domain_ro_access
-
-#################################################
-# home_domain_access(source, user, app)
-#
-# Gives source full access to the home
-# domain of app for the given user type
-#
-# Requires transition in caller
-
-define(`home_domain_access', `
-allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
-write_network_home($1)
-create_dir_file($1, $2_$3_home_t)
-') dnl home_domain_access
-
-####################################################################
-# home_domain (prefix, app)
-#
-# Creates a domain in the prefix home where an application can
-# store its settings. It is accessible by the prefix domain.
-#
-# Requires transition in caller
-
-define(`home_domain', `
-
-# Declare home domain
-type $1_$2_home_t, file_type, $1_file_type, sysadmfile, polymember;
-typealias $1_$2_home_t alias $1_$2_rw_t;
-
-# User side access
-create_dir_file($1_t, $1_$2_home_t)
-allow $1_t $1_$2_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-# App side access
-home_domain_access($1_$2_t, $1, $2)
-')
-
-####################################################################
-# home_domain_ro (user, app)
-#
-# Creates a read-only domain in the user home where an application can
-# store its settings. It is fully accessible by the user, but
-# it is read-only for the application.
-#
-
-define(`home_domain_ro', `
-
-# Declare home domain
-type $1_$2_ro_home_t, file_type, $1_file_type, sysadmfile;
-typealias $1_$2_ro_home_t alias $1_$2_ro_t;
-
-# User side access
-create_dir_file($1_t, $1_$2_ro_home_t)
-allow $1_t $1_$2_ro_home_t:{ dir file lnk_file } { relabelfrom relabelto };
-
-# App side access
-home_domain_ro_access($1_$2_t, $1, $2)
-')
diff --git a/targeted/macros/mini_user_macros.te b/targeted/macros/mini_user_macros.te
deleted file mode 100644
index 9f7d994..0000000
--- a/targeted/macros/mini_user_macros.te
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# Macros for all user login domains.
-#
-
-#
-# mini_user_domain(domain_prefix)
-#
-# Define derived types and rules for a minimal privs user domain named
-# $1_mini_t which is permitted to be in $1_r role and transition to $1_t.
-#
-undefine(`mini_user_domain')
-define(`mini_user_domain',`
-# user_t/$1_t is an unprivileged users domain.
-type $1_mini_t, domain, user_mini_domain;
-
-# for ~/.bash_profile and other files that the mini domain should be allowed
-# to read (but not write)
-type $1_home_mini_t, file_type, sysadmfile;
-allow $1_t $1_home_mini_t:file { create_file_perms relabelto relabelfrom };
-allow $1_mini_t $1_home_mini_t:file r_file_perms;
-
-# $1_r is authorized for $1_mini_t for the initial login domain.
-role $1_r types $1_mini_t;
-uses_shlib($1_mini_t)
-pty_slave_label($1_mini, `, userpty_type, mini_pty_type')
-
-allow $1_mini_t devtty_t:chr_file rw_file_perms;
-allow $1_mini_t { etc_t etc_runtime_t }:file { getattr read };
-dontaudit $1_mini_t proc_t:dir { getattr search };
-allow $1_mini_t self:unix_stream_socket create_socket_perms;
-allow $1_mini_t self:fifo_file rw_file_perms;
-allow $1_mini_t self:process { fork sigchld setpgid };
-dontaudit $1_mini_t var_t:dir search;
-allow $1_mini_t { bin_t sbin_t }:dir search;
-
-dontaudit $1_mini_t device_t:dir { getattr read };
-dontaudit $1_mini_t devpts_t:dir { getattr read };
-dontaudit $1_mini_t proc_t:lnk_file read;
-
-can_exec($1_mini_t, bin_t)
-allow $1_mini_t { home_root_t $1_home_dir_t }:dir search;
-dontaudit $1_mini_t home_root_t:dir getattr;
-dontaudit $1_mini_t $1_home_dir_t:dir { getattr read };
-dontaudit $1_mini_t $1_home_t:file { append getattr read write };
-
-dontaudit $1_mini_t fs_t:filesystem getattr;
-
-type_change $1_mini_t $1_mini_devpts_t:chr_file $1_devpts_t;
-# uncomment this if using mini domains for console logins
-#type_change $1_mini_t $1_tty_device_t:chr_file $1_tty_device_t;
-
-type_change $1_mini_t server_pty:chr_file $1_mini_devpts_t;
-type_change $1_t $1_mini_devpts_t:chr_file $1_devpts_t;
-
-domain_auto_trans($1_mini_t, newrole_exec_t, newrole_t)
-')dnl end mini_user_domain definition
-
diff --git a/targeted/macros/network_macros.te b/targeted/macros/network_macros.te
deleted file mode 100644
index 8e8b05a..0000000
--- a/targeted/macros/network_macros.te
+++ /dev/null
@@ -1,190 +0,0 @@
-#################################
-#
-# can_network(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`base_can_network',`
-#
-# Allow the domain to create and use $2 sockets.
-# Other kinds of sockets must be separately authorized for use.
-allow $1 self:$2_socket connected_socket_perms;
-
-#
-# Allow the domain to send or receive using any network interface.
-# netif_type is a type attribute for all network interface types.
-#
-allow $1 netif_t:netif { $2_recv $2_send rawip_send rawip_recv };
-#
-# Allow the domain to send to or receive from any node.
-# node_type is a type attribute for all node types.
-#
-allow $1 node_type:node { $2_send rawip_send };
-allow $1 node_type:node { $2_recv rawip_recv };
-
-#
-# Allow the domain to send to or receive from any port.
-# port_type is a type attribute for all port types.
-#
-ifelse($3, `', `
-allow $1 port_type:$2_socket { send_msg recv_msg };
-', `
-allow $1 $3:$2_socket { send_msg recv_msg };
-')
-
-# XXX Allow binding to any node type.  Remove once
-# individual rules have been added to all domains that 
-# bind sockets. 
-allow $1 node_type:$2_socket node_bind;
-#
-# Allow access to network files including /etc/resolv.conf
-#
-allow $1 net_conf_t:file r_file_perms;
-')dnl end can_network definition
-
-#################################
-#
-# can_network_server_tcp(domain)
-#
-# Permissions for accessing a tcp network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_server_tcp',`
-base_can_network($1, tcp, `$2')
-allow $1 self:tcp_socket { listen accept };
-')
-
-#################################
-#
-# can_network_client_tcp(domain)
-#
-# Permissions for accessing a tcp network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_client_tcp',`
-base_can_network($1, tcp, `$2')
-allow $1 self:tcp_socket { connect };
-')
-
-#################################
-#
-# can_network_tcp(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_tcp',`
-
-can_network_server_tcp($1, `$2')
-can_network_client_tcp($1, `$2')
-
-')
-
-#################################
-#
-# can_network_udp(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_udp',`
-base_can_network($1, udp, `$2')
-allow $1 self:udp_socket { connect };
-')
-
-#################################
-#
-# can_network_server(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_server',`
-
-can_network_server_tcp($1, `$2')
-can_network_udp($1, `$2')
-
-')dnl end can_network_server definition
-
-
-#################################
-#
-# can_network_client(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network_client',`
-
-can_network_client_tcp($1, `$2')
-can_network_udp($1, `$2')
-
-')dnl end can_network_client definition
-
-#################################
-#
-# can_network(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network',`
-
-can_network_tcp($1, `$2')
-can_network_udp($1, `$2')
-
-ifdef(`mount.te', `
-#
-# Allow the domain to send NFS client requests via the socket
-# created by mount.
-#
-allow $1 mount_t:udp_socket rw_socket_perms;
-')
-
-')dnl end can_network definition
-
-define(`can_resolve',`
-can_network_client($1, `dns_port_t')
-allow $1 dns_port_t:tcp_socket name_connect;
-')
-
-define(`can_portmap',`
-can_network_client($1, `portmap_port_t')
-allow $1 portmap_port_t:tcp_socket name_connect;
-')
-
-define(`can_ldap',`
-can_network_client_tcp($1, `ldap_port_t')
-allow $1 ldap_port_t:tcp_socket name_connect;
-')
-
-define(`can_winbind',`
-ifdef(`winbind.te', `
-allow $1 winbind_var_run_t:dir { getattr search };
-allow $1 winbind_t:unix_stream_socket connectto;
-allow $1 winbind_var_run_t:sock_file { getattr read write };
-')
-')
-
-
-#################################
-#
-# nsswitch_domain(domain)
-#
-# Permissions for looking up uid/username mapping via nsswitch
-#
-define(`nsswitch_domain', `
-can_resolve($1)
-can_ypbind($1)
-can_ldap($1)
-can_winbind($1)
-')
diff --git a/targeted/macros/program/apache_macros.te b/targeted/macros/program/apache_macros.te
deleted file mode 100644
index a0d0e5f..0000000
--- a/targeted/macros/program/apache_macros.te
+++ /dev/null
@@ -1,205 +0,0 @@
-
-define(`apache_domain', `
-
-#This type is for webpages
-#
-type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable;
-
-# This type is used for .htaccess files
-#
-type httpd_$1_htaccess_t, file_type, sysadmfile, customizable;
-allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
-
-# This type is used for executable scripts files
-#
-type httpd_$1_script_exec_t, file_type, sysadmfile, customizable;
-
-# Type that CGI scripts run as
-type httpd_$1_script_t, domain, privmail, nscd_client_domain;
-role system_r types httpd_$1_script_t;
-uses_shlib(httpd_$1_script_t)
-
-if (httpd_enable_cgi) {
-domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
-allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
-allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
-
-allow httpd_$1_script_t httpd_t:fd use;
-allow httpd_$1_script_t httpd_t:process sigchld;
-
-allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl };
-allow httpd_$1_script_t usr_t:lnk_file { getattr read };
-
-allow httpd_$1_script_t self:process { fork signal_perms };
-
-allow httpd_$1_script_t devtty_t:chr_file { getattr read write };
-allow httpd_$1_script_t urandom_device_t:chr_file { getattr read };
-allow httpd_$1_script_t etc_runtime_t:file { getattr read };
-read_locale(httpd_$1_script_t)
-allow httpd_$1_script_t fs_t:filesystem getattr;
-allow httpd_$1_script_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
-allow httpd_$1_script_t { self proc_t }:file r_file_perms;
-allow httpd_$1_script_t { self proc_t }:dir r_dir_perms;
-allow httpd_$1_script_t { self proc_t }:lnk_file read;
-
-allow httpd_$1_script_t device_t:dir { getattr search };
-allow httpd_$1_script_t null_device_t:chr_file rw_file_perms;
-}
-
-if (httpd_enable_cgi && httpd_can_network_connect) {
-can_network_client(httpd_$1_script_t)
-allow httpd_$1_script_t port_type:tcp_socket name_connect;
-}
-
-ifdef(`ypbind.te', `
-if (httpd_enable_cgi && allow_ypbind) {
-uncond_can_ypbind(httpd_$1_script_t)
-}
-')
-# The following are the only areas that 
-# scripts can read, read/write, or append to
-#
-type httpd_$1_script_ro_t, file_type, httpdcontent, sysadmfile, customizable;
-type httpd_$1_script_rw_t, file_type, httpdcontent, sysadmfile, customizable;
-type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
-file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
-
-#########################################################
-# Permissions for running child processes and scripts
-##########################################################
-allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir { getattr search };
-
-domain_auto_trans(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-
-allow httpd_$1_script_t httpd_t:fifo_file write;
-
-allow httpd_$1_script_t self:fifo_file rw_file_perms;
-
-allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms;
-
-###########################################################################
-# Allow the script interpreters to run the scripts.  So
-# the perl executable will be able to run a perl script
-#########################################################################
-allow httpd_$1_script_t httpd_$1_script_exec_t:dir r_dir_perms;
-can_exec_any(httpd_$1_script_t)
-
-allow httpd_$1_script_t etc_t:file { getattr read };
-dontaudit httpd_$1_script_t selinux_config_t:dir search;
-
-############################################################################
-# Allow the script process to search the cgi directory, and users directory
-##############################################################################
-allow httpd_$1_script_t httpd_$1_script_exec_t:dir { search getattr };
-can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
-allow httpd_$1_script_t home_root_t:dir { getattr search };
-allow httpd_$1_script_t httpd_$1_content_t:dir { getattr search };
-
-#############################################################################
-# Allow the scripts to read, read/write, append to the specified directories
-# or files
-############################################################################
-read_fonts(httpd_$1_script_t)
-r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
-create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
-allow httpd_$1_script_t httpd_$1_script_rw_t:sock_file rw_file_perms;
-ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
-anonymous_domain(httpd_$1_script)
-
-if (httpd_enable_cgi && httpd_unified) {
-create_dir_file(httpd_$1_script_t, httpdcontent)
-can_exec(httpd_$1_script_t, httpdcontent)
-}
-
-#
-# If a user starts a script by hand it gets the proper context
-#
-ifdef(`targeted_policy', `', `
-if (httpd_enable_cgi) {
-domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-}
-')
-role sysadm_r types httpd_$1_script_t;
-
-dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
-dontaudit httpd_$1_script_t sysctl_t:dir search;
-
-############################################
-# Allow scripts to append to http logs
-#########################################
-allow httpd_$1_script_t { var_t var_log_t httpd_log_t }:dir  search;
-allow httpd_$1_script_t httpd_log_t:file { getattr append };
-
-# apache should set close-on-exec
-dontaudit  httpd_$1_script_t httpd_t:unix_stream_socket { read write };
-
-################################################################
-# Allow the web server to run scripts and serve pages
-##############################################################
-if (httpd_builtin_scripting) {
-r_dir_file(httpd_t, httpd_$1_script_ro_t)
-create_dir_file(httpd_t, httpd_$1_script_rw_t)
-allow httpd_t httpd_$1_script_rw_t:sock_file rw_file_perms;
-ra_dir_file(httpd_t, httpd_$1_script_ra_t)
-r_dir_file(httpd_t, httpd_$1_content_t)
-}
-
-')
-define(`apache_user_domain', `
-
-apache_domain($1)
-
-typeattribute httpd_$1_content_t $1_file_type;
-
-if (httpd_enable_cgi && httpd_unified) {
-domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
-}
-
-if (httpd_enable_cgi) {
-# If a user starts a script by hand it gets the proper context
-domain_auto_trans($1_t, httpd_$1_script_exec_t, httpd_$1_script_t)
-}
-role $1_r types httpd_$1_script_t;
-
-#######################################
-# Allow user to create or edit web content
-#########################################
-
-create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t })
-allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom };
-
-######################################################################
-# Allow the user to create htaccess files
-#####################################################################
-
-allow $1_t httpd_$1_htaccess_t:file { create_file_perms relabelto relabelfrom };
-
-#########################################################################
-# Allow user to create files or directories 
-# that scripts are able to read, write, or append to
-###########################################################################
-
-create_dir_file($1_t, { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t })
-allow $1_t { httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:{ file dir lnk_file } { relabelto relabelfrom };
-
-# allow accessing files/dirs below the users home dir
-if (httpd_enable_homedirs) {
-allow { httpd_t httpd_suexec_t httpd_$1_script_t } $1_home_dir_t:dir { getattr search };
-ifdef(`nfs_home_dirs', `
-r_dir_file(httpd_$1_script_t, nfs_t)
-')dnl end if nfs_home_dirs
-}
-ifdef(`crond.te', `
-create_dir_file($1_crond_t, httpd_$1_content_t)
-')
-
-ifdef(`ftpd.te', `
-if (ftp_home_dir) {
-create_dir_file(ftpd_t, httpd_$1_content_t)
-}
-')
-
-
-')
diff --git a/targeted/macros/program/bonobo_macros.te b/targeted/macros/program/bonobo_macros.te
deleted file mode 100644
index 4c3fdac..0000000
--- a/targeted/macros/program/bonobo_macros.te
+++ /dev/null
@@ -1,117 +0,0 @@
-#
-# Bonobo
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# bonobo_domain(role_prefix) - invoke per role
-# bonobo_client(app_prefix, role_prefix) - invoke per client app
-# bonobo_connect(type1_prefix, type2_prefix) - 
-# 	connect two bonobo clients, the channel is bidirectional
-
-######################
-
-define(`bonobo_domain', `
-
-# Protect against double inclusion for faster compile
-ifdef(`bonobo_domain_$1', `', `
-define(`bonobo_domain_$1')
-
-# Type for daemon
-type $1_bonobo_t, domain, nscd_client_domain;
-
-# Transition from caller
-domain_auto_trans($1_t, bonobo_exec_t, $1_bonobo_t)
-role $1_r types $1_bonobo_t;
-
-# Shared libraries, gconv-modules
-uses_shlib($1_bonobo_t)
-allow $1_bonobo_t lib_t:file r_file_perms;
-
-read_locale($1_bonobo_t)
-read_sysctl($1_bonobo_t)
-
-# Session management 
-# FIXME: More specific context is needed for gnome-session
-ice_connect($1_bonobo, $1)
-
-# nsswitch.conf
-allow $1_bonobo_t etc_t:file { read getattr };
-
-# Fork to start apps
-allow $1_bonobo_t self:process { fork sigchld setpgid getsched signal };
-allow $1_bonobo_t self:fifo_file rw_file_perms;
-
-# ??? 
-allow $1_bonobo_t root_t:dir search;
-allow $1_bonobo_t home_root_t:dir search;
-allow $1_bonobo_t $1_home_dir_t:dir search;
-
-# libexec ??? 
-allow $1_bonobo_t bin_t:dir search;
-
-# ORBit sockets for bonobo
-orbit_domain($1_bonobo, $1)
-
-# Bonobo can launch evolution
-ifdef(`evolution.te', `
-domain_auto_trans($1_bonobo_t, evolution_exec_t, $1_evolution_t)
-domain_auto_trans($1_bonobo_t, evolution_alarm_exec_t, $1_evolution_alarm_t)
-domain_auto_trans($1_bonobo_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
-domain_auto_trans($1_bonobo_t, evolution_server_exec_t, $1_evolution_server_t)
-domain_auto_trans($1_bonobo_t, evolution_exchange_exec_t, $1_evolution_exchange_t)
-')
-
-# Bonobo can launch GNOME vfs daemon
-ifdef(`gnome_vfs.te', `
-domain_auto_trans($1_bonobo_t, gnome_vfs_exec_t, $1_gnome_vfs_t)
-')
-  
-# Transition to ROLE_t on bin_t apps
-# FIXME: The goal is to get rid of this rule, as it
-# defeats the purpose of a separate domain. It is only
-# here temporarily, since bonobo runs as ROLE_t by default anyway
-domain_auto_trans($1_bonobo_t, bin_t, $1_t) 
-
-can_pipe_xdm($1_bonobo_t)
-  
-') dnl ifdef bonobo_domain_args
-') dnl bonobo_domain
-
-#####################
-
-define(`bonobo_client', `
-
-# Protect against double inclusion for faster compile
-ifdef(`bonobo_client_$1_$2', `', `
-define(`bonobo_client_$1_$2')
-# Connect over bonobo
-bonobo_connect($1, $2_gconfd, $1)
- 
-# Create ORBit sockets
-orbit_domain($1, $2)
-
-# Connect to bonobo
-orbit_connect($1, $2_bonobo)
-orbit_connect($2_bonobo, $1)
-
-# Lock /tmp/bonobo-activation-register.lock
-# Stat /tmp/bonobo-activation-server.ior
-# FIXME: this should probably be of type $2_bonobo..
-# Note that this is file, not sock_file
-allow $1_t $2_orbit_tmp_t:file { getattr read write lock };
-
-domain_auto_trans($1_t, bonobo_exec_t, $2_bonobo_t)
-
-') dnl ifdef bonobo_client_args
-') dnl bonobo_client
-
-#####################
-
-define(`bonobo_connect', `
-
-# FIXME: Should there be a macro for unidirectional conn. ?
-
-orbit_connect($1, $2)
-orbit_connect($2, $1)
-
-') dnl bonobo_connect
diff --git a/targeted/macros/program/cdrecord_macros.te b/targeted/macros/program/cdrecord_macros.te
deleted file mode 100644
index 72d3f4f..0000000
--- a/targeted/macros/program/cdrecord_macros.te
+++ /dev/null
@@ -1,53 +0,0 @@
-# macros for the cdrecord domain
-# Author: Thomas Bleher <ThomasBleher@gmx.de>
-
-define(`cdrecord_domain', `
-type $1_cdrecord_t, domain, privlog;
-
-domain_auto_trans($1_t, cdrecord_exec_t, $1_cdrecord_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_cdrecord_t;
-
-uses_shlib($1_cdrecord_t)
-read_locale($1_cdrecord_t)
-
-# allow ps to show cdrecord and allow the user to kill it 
-can_ps($1_t, $1_cdrecord_t)
-allow $1_t $1_cdrecord_t:process signal;
-
-# write to the user domain tty.
-access_terminal($1_cdrecord_t, $1)
-allow $1_cdrecord_t privfd:fd use;
-
-allow $1_cdrecord_t $1_t:unix_stream_socket { getattr read write ioctl };
-
-allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
-allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
-
-can_resmgrd_connect($1_cdrecord_t)
-
-read_content($1_cdrecord_t, $1, cdrecord) 
-
-allow $1_cdrecord_t etc_t:file { getattr read };
-
-# allow searching for cdrom-drive
-allow $1_cdrecord_t device_t:dir r_dir_perms;
-allow $1_cdrecord_t device_t:lnk_file { getattr read };
-
-# allow cdrecord to write the CD
-allow $1_cdrecord_t removable_device_t:blk_file { getattr read write ioctl };
-allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
-
-allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
-allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
-can_access_pty($1_cdrecord_t, $1)
-allow $1_cdrecord_t $1_home_t:dir search;
-allow $1_cdrecord_t $1_home_dir_t:dir r_dir_perms;
-allow $1_cdrecord_t $1_home_t:file r_file_perms;
-if (use_nfs_home_dirs) {
-allow $1_cdrecord_t mnt_t:dir search;
-r_dir_file($1_cdrecord_t, nfs_t)
-}
-')
-
diff --git a/targeted/macros/program/chkpwd_macros.te b/targeted/macros/program/chkpwd_macros.te
deleted file mode 100644
index 62d8b44..0000000
--- a/targeted/macros/program/chkpwd_macros.te
+++ /dev/null
@@ -1,69 +0,0 @@
-#
-# Macros for chkpwd domains.
-#
-
-#
-# chkpwd_domain(domain_prefix)
-#
-# Define a derived domain for the *_chkpwd program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/su.te. 
-#
-undefine(`chkpwd_domain')
-ifdef(`chkpwd.te', `
-define(`chkpwd_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth;
-
-role $1_r types $1_chkpwd_t;
-
-# is_selinux_enabled
-allow $1_chkpwd_t proc_t:file read;
-
-can_getcon($1_chkpwd_t)
-authentication_domain($1_chkpwd_t)
-
-ifelse($1, system, `
-domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
-dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
-authentication_domain(auth_chkpwd)
-', `
-domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
-
-# Write to the user domain tty.
-access_terminal($1_chkpwd_t, $1)
-
-allow $1_chkpwd_t privfd:fd use;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te',`allow $1_chkpwd_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors from newrole.
-ifdef(`newrole.te', `allow $1_chkpwd_t newrole_t:fd use;')
-')
-
-uses_shlib($1_chkpwd_t)
-allow $1_chkpwd_t etc_t:file { getattr read };
-allow $1_chkpwd_t self:unix_dgram_socket create_socket_perms;
-allow $1_chkpwd_t self:unix_stream_socket create_socket_perms;
-read_locale($1_chkpwd_t)
-
-# Use capabilities.
-allow $1_chkpwd_t self:capability setuid;
-r_dir_file($1_chkpwd_t, selinux_config_t)
-
-# for nscd
-ifdef(`nscd.te', `', `
-dontaudit $1_chkpwd_t var_t:dir search;
-')
-
-dontaudit $1_chkpwd_t fs_t:filesystem getattr;
-')
-
-', `
-
-define(`chkpwd_domain',`')
-
-')
diff --git a/targeted/macros/program/chroot_macros.te b/targeted/macros/program/chroot_macros.te
deleted file mode 100644
index 47ca86b..0000000
--- a/targeted/macros/program/chroot_macros.te
+++ /dev/null
@@ -1,131 +0,0 @@
-
-# macro for chroot environments
-# Author Russell Coker
-
-# chroot(initial_domain, basename, role, tty_device_type)
-define(`chroot', `
-
-ifelse(`$1', `initrc', `
-define(`chroot_role', `system_r')
-define(`chroot_tty_device', `{ console_device_t admin_tty_type }')
-define(`chroot_mount_domain', `mount_t')
-define(`chroot_fd_use', `{ privfd init_t }')
-', `
-define(`chroot_role', `$1_r')
-define(`chroot_tty_device', `{ $1_devpts_t $1_tty_device_t }')
-define(`chroot_fd_use', `privfd')
-
-# allow mounting /proc and /dev
-ifdef(`$1_mount_def', `', `
-mount_domain($1, $1_mount)
-role chroot_role types $1_mount_t;
-')
-define(`chroot_mount_domain', `$1_mount_t')
-ifdef(`ssh.te', `
-can_tcp_connect($1_ssh_t, $2_t)
-')dnl end ssh
-')dnl end ifelse initrc
-
-# types for read-only and read-write files in the chroot
-type $2_ro_t, file_type, sysadmfile, home_type, user_home_type;
-type $2_rw_t, file_type, sysadmfile, home_type, user_home_type;
-# type like $2_ro_t but that triggers a transition from $2_super_t to $2_t
-# when you execute it
-type $2_dropdown_t, file_type, sysadmfile, home_type, user_home_type;
-
-allow chroot_mount_domain { $2_rw_t $2_ro_t }:dir { getattr search mounton };
-allow chroot_mount_domain { $2_rw_t $2_ro_t }:file { getattr mounton };
-
-# entry point for $2_super_t
-type $2_super_entry_t, file_type, sysadmfile, home_type, user_home_type;
-# $2_t is the base domain, has full access to $2_rw_t files
-type $2_t, domain;
-# $2_super_t is the super-chroot domain, can also write to $2_ro_t
-# but still can not access outside the chroot
-type $2_super_t, domain;
-allow $2_super_t chroot_tty_device:chr_file rw_file_perms;
-
-ifdef(`$1_chroot_def', `', `
-dnl can not have this defined twice
-define(`$1_chroot_def')
-
-allow chroot_mount_domain { proc_t device_t fs_t }:filesystem { mount unmount };
-
-# $1_chroot_t is the domain for /usr/sbin/chroot
-type $1_chroot_t, domain;
-
-# allow $1_chroot_t to write to the tty device
-allow $1_chroot_t chroot_tty_device:chr_file rw_file_perms;
-allow $1_chroot_t chroot_fd_use:fd use;
-allow { $1_chroot_t $2_t $2_super_t } $1_t:fd use;
-
-role chroot_role types $1_chroot_t;
-uses_shlib($1_chroot_t)
-allow $1_chroot_t self:capability sys_chroot;
-allow $1_t $1_chroot_t:dir { search getattr read };
-allow $1_t $1_chroot_t:{ file lnk_file } { read getattr };
-domain_auto_trans($1_t, chroot_exec_t, $1_chroot_t)
-allow $1_chroot_t fs_t:filesystem getattr;
-')dnl End conditional
-
-role chroot_role types { $2_t $2_super_t };
-
-# allow ps to show processes and allow killing them
-allow $1_t { $2_super_t $2_t }:dir { search getattr read };
-allow $1_t { $2_super_t $2_t }:{ file lnk_file } { read getattr };
-allow $1_t { $2_super_t $2_t }:process signal_perms;
-allow $2_super_t $2_t:dir { search getattr read };
-allow $2_super_t $2_t:{ file lnk_file } { read getattr };
-allow { $1_t $2_super_t } $2_t:process { signal_perms ptrace };
-allow $1_t $2_super_t:process { signal_perms ptrace };
-allow sysadm_t { $2_super_t $2_t }:process { signal_perms ptrace };
-
-allow { $2_super_t $2_t } { fs_t device_t }:filesystem getattr;
-allow { $2_super_t $2_t } device_t:dir { search getattr };
-allow { $2_super_t $2_t } devtty_t:chr_file rw_file_perms;
-allow { $2_super_t $2_t } random_device_t:chr_file r_file_perms;
-allow { $2_super_t $2_t } self:capability { fowner chown fsetid setgid setuid net_bind_service sys_tty_config };
-allow $2_super_t self:capability sys_ptrace;
-
-can_tcp_connect($2_super_t, $2_t)
-allow { $2_super_t $2_t } $2_rw_t:sock_file create_file_perms;
-
-# quiet ps and killall
-dontaudit { $2_super_t $2_t } domain:dir { search getattr };
-
-# allow $2_t to write to the owner tty device (should remove this)
-allow $2_t chroot_tty_device:chr_file { read write };
-
-r_dir_file($1_chroot_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-can_exec($2_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-can_exec($2_super_t, { $2_ro_t $2_super_entry_t })
-create_dir_notdevfile($2_super_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-# $2_super_t transitions to $2_t when it executes
-# any file that $2_t can write
-domain_auto_trans($2_super_t, { $2_rw_t $2_dropdown_t }, $2_t)
-allow $1_chroot_t { $2_ro_t $2_rw_t }:lnk_file read;
-r_dir_file($2_t, { $2_ro_t $2_super_entry_t $2_dropdown_t })
-create_dir_notdevfile($2_t, $2_rw_t)
-allow $2_t $2_rw_t:fifo_file create_file_perms;
-allow $2_t $2_ro_t:fifo_file rw_file_perms;
-allow { $1_t $2_super_t } { $2_rw_t $2_ro_t }:fifo_file create_file_perms;
-create_dir_notdevfile($1_t, { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t })
-can_exec($1_t, { $2_ro_t $2_dropdown_t })
-domain_auto_trans($1_chroot_t, { $2_ro_t $2_rw_t $2_dropdown_t }, $2_t)
-domain_auto_trans($1_chroot_t, $2_super_entry_t, $2_super_t)
-allow { $1_t $2_super_t } { $2_ro_t $2_rw_t $2_super_entry_t $2_dropdown_t }:{ dir notdevfile_class_set } { relabelfrom relabelto };
-general_proc_read_access({ $2_t $2_super_t })
-general_domain_access({ $2_t $2_super_t })
-can_create_pty($2)
-can_create_pty($2_super)
-can_network({ $2_t $2_super_t })
-allow { $2_t $2_super_t } port_type:tcp_socket name_connect;
-allow { $2_t $2_super_t } null_device_t:chr_file rw_file_perms;
-allow $2_super_t { $2_rw_t $2_ro_t }:{ dir file } mounton;
-allow { $2_t $2_super_t } self:capability { dac_override kill };
-
-undefine(`chroot_role')
-undefine(`chroot_tty_device')
-undefine(`chroot_mount_domain')
-undefine(`chroot_fd_use')
-')
diff --git a/targeted/macros/program/clamav_macros.te b/targeted/macros/program/clamav_macros.te
deleted file mode 100644
index bc15930..0000000
--- a/targeted/macros/program/clamav_macros.te
+++ /dev/null
@@ -1,58 +0,0 @@
-#
-# Macros for clamscan
-#
-# Author:  Brian May <bam@snoopy.apana.org.au>
-#
-
-#
-# can_clamd_connect(domain_prefix)
-#
-# Define a domain that can access clamd
-#
-define(`can_clamd_connect',`
-allow $1_t clamd_var_run_t:dir search;
-allow $1_t clamd_var_run_t:sock_file write;
-allow $1_t clamd_sock_t:sock_file write;
-can_unix_connect($1_t, clamd_t)
-')
-
-# clamscan_domain(domain_prefix)
-#
-# Define a derived domain for the clamscan program when executed
-#
-define(`clamscan_domain', `
-# Derived domain based on the calling user domain and the program.
-type $1_clamscan_t, domain, privlog;
-
-# Uses shared librarys
-uses_shlib($1_clamscan_t)
-allow $1_clamscan_t fs_t:filesystem getattr;
-r_dir_file($1_clamscan_t, etc_t)
-read_locale($1_clamscan_t)
-
-# Access virus signatures
-allow $1_clamscan_t var_lib_t:dir search;
-r_dir_file($1_clamscan_t, clamav_var_lib_t)
-
-# Allow temp files
-tmp_domain($1_clamscan)
-
-# Why is this required?
-allow $1_clamscan_t proc_t:dir r_dir_perms;
-allow $1_clamscan_t proc_t:file r_file_perms;
-read_sysctl($1_clamscan_t)
-allow $1_clamscan_t self:unix_stream_socket { connect create read write };
-')
-
-define(`user_clamscan_domain',`
-clamscan_domain($1)
-role $1_r types $1_clamscan_t;
-domain_auto_trans($1_t, clamscan_exec_t, $1_clamscan_t)
-access_terminal($1_clamscan_t, $1)
-r_dir_file($1_clamscan_t,$1_home_t);
-r_dir_file($1_clamscan_t,$1_home_dir_t);
-allow $1_clamscan_t $1_home_t:file r_file_perms;
-allow $1_clamscan_t privfd:fd use;
-ifdef(`gnome-pty-helper.te', `allow $1_clamscan_t $1_gph_t:fd use;')
-')
-
diff --git a/targeted/macros/program/crond_macros.te b/targeted/macros/program/crond_macros.te
deleted file mode 100644
index 5e61d7d..0000000
--- a/targeted/macros/program/crond_macros.te
+++ /dev/null
@@ -1,126 +0,0 @@
-#
-# Macros for crond domains.
-#
-
-#
-# Authors:  Jonathan Crowley (MITRE) <jonathan@mitre.org>,
-#	    Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
-#           Russell Coker <rcoker@redhat.com>
-#
-
-#
-# crond_domain(domain_prefix)
-#
-# Define a derived domain for cron jobs executed by crond on behalf 
-# of a user domain.  These domains are separate from the top-level domain
-# defined for the crond daemon and the domain defined for system cron jobs,
-# which are specified in domains/program/crond.te.
-#
-undefine(`crond_domain')
-define(`crond_domain',`
-# Derived domain for user cron jobs, user user_crond_domain if not system
-ifelse(`system', `$1', `
-type $1_crond_t, domain, privlog, privmail, nscd_client_domain;
-', `
-type $1_crond_t, domain, user_crond_domain;
-
-# Access user files and dirs.
-allow $1_crond_t home_root_t:dir search;
-file_type_auto_trans($1_crond_t, $1_home_dir_t, $1_home_t)
-
-# Run scripts in user home directory and access shared libs.
-can_exec($1_crond_t, $1_home_t)
-
-file_type_auto_trans($1_crond_t, tmp_t, $1_tmp_t)
-')
-r_dir_file($1_crond_t, selinux_config_t)
-
-# Type of user crontabs once moved to cron spool.
-type $1_cron_spool_t, file_type, sysadmfile;
-
-ifdef(`fcron.te', `
-allow crond_t $1_cron_spool_t:file create_file_perms;
-')
-
-allow $1_crond_t urandom_device_t:chr_file { getattr read };
-
-allow $1_crond_t usr_t:file { getattr ioctl read };
-allow $1_crond_t usr_t:lnk_file read;
-
-# Permit a transition from the crond_t domain to this domain.
-# The transition is requested explicitly by the modified crond 
-# via execve_secure.  There is no way to set up an automatic
-# transition, since crontabs are configuration files, not executables.
-domain_trans(crond_t, shell_exec_t, $1_crond_t)
-
-ifdef(`mta.te', `
-domain_auto_trans($1_crond_t, sendmail_exec_t, $1_mail_t)
-allow $1_crond_t sendmail_exec_t:lnk_file { getattr read };
-
-# $1_mail_t should only be reading from the cron fifo not needing to write
-dontaudit $1_mail_t crond_t:fifo_file write;
-allow mta_user_agent $1_crond_t:fd use;
-')
-
-# The user role is authorized for this domain.
-role $1_r types $1_crond_t;
-
-# This domain is granted permissions common to most domains.
-can_network($1_crond_t)
-allow $1_crond_t port_type:tcp_socket name_connect;
-can_ypbind($1_crond_t)
-r_dir_file($1_crond_t, self)
-allow $1_crond_t self:fifo_file rw_file_perms;
-allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_crond_t self:unix_dgram_socket create_socket_perms;
-allow $1_crond_t etc_runtime_t:file { getattr read };
-allow $1_crond_t self:process { fork signal_perms setsched };
-allow $1_crond_t proc_t:dir r_dir_perms;
-allow $1_crond_t proc_t:file { getattr read ioctl };
-read_locale($1_crond_t)
-read_sysctl($1_crond_t)
-allow $1_crond_t var_spool_t:dir search;
-allow $1_crond_t fs_type:filesystem getattr;
-
-allow $1_crond_t devtty_t:chr_file { read write };
-allow $1_crond_t var_t:dir r_dir_perms;
-allow $1_crond_t var_t:file { getattr read ioctl };
-allow $1_crond_t var_log_t:dir search;
-
-# Use capabilities.
-allow $1_crond_t self:capability dac_override;
-
-# Inherit and use descriptors from initrc - I think this is wrong
-#allow $1_crond_t initrc_t:fd use;
-
-# 
-# Since crontab files are not directly executed,
-# crond must ensure that the crontab file has
-# a type that is appropriate for the domain of
-# the user cron job.  It performs an entrypoint
-# permission check for this purpose.
-#
-allow $1_crond_t $1_cron_spool_t:file entrypoint;
-
-# Run helper programs.
-can_exec_any($1_crond_t)
-
-# ps does not need to access /boot when run from cron
-dontaudit $1_crond_t boot_t:dir search;
-# quiet other ps operations
-dontaudit $1_crond_t domain:dir { getattr search };
-# for nscd
-dontaudit $1_crond_t var_run_t:dir search;
-')
-
-# When system_crond_t domain executes a type $1 executable then transition to
-# domain $2, allow $2 to interact with crond_t as well.
-define(`system_crond_entry', `
-ifdef(`crond.te', `
-domain_auto_trans(system_crond_t, $1, $2)
-allow $2 crond_t:fifo_file { getattr read write ioctl };
-# a rule for privfd may make this obsolete
-allow $2 crond_t:fd use;
-allow $2 crond_t:process sigchld;
-')dnl end ifdef
-')dnl end system_crond_entry
diff --git a/targeted/macros/program/crontab_macros.te b/targeted/macros/program/crontab_macros.te
deleted file mode 100644
index a18d80f..0000000
--- a/targeted/macros/program/crontab_macros.te
+++ /dev/null
@@ -1,102 +0,0 @@
-#
-# Macros for crontab domains.
-#
-
-#
-# Authors:  Jonathan Crowley (MITRE) <jonathan@mitre.org>
-# Revised by Stephen Smalley <sds@epoch.ncsc.mil>
-#
-
-#
-# crontab_domain(domain_prefix)
-#
-# Define a derived domain for the crontab program when executed by
-# a user domain.  
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/crontab.te. 
-#
-undefine(`crontab_domain')
-define(`crontab_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_crontab_t, domain, privlog;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, crontab_exec_t, $1_crontab_t)
-
-can_ps($1_t, $1_crontab_t)
-
-# for ^Z
-allow $1_t $1_crontab_t:process signal;
-
-# The user role is authorized for this domain.
-role $1_r types $1_crontab_t;
-
-uses_shlib($1_crontab_t)
-allow $1_crontab_t etc_t:file { getattr read };
-allow $1_crontab_t self:unix_stream_socket create_socket_perms;
-allow $1_crontab_t self:unix_dgram_socket create_socket_perms;
-read_locale($1_crontab_t)
-
-# Use capabilities dac_override is to create the file in the directory
-# under /tmp
-allow $1_crontab_t self:capability { setuid setgid chown dac_override };
-
-# Type for temporary files.
-file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
-
-# Use the type when creating files in /var/spool/cron.
-allow sysadm_crontab_t $1_cron_spool_t:file { getattr read };
-allow $1_crontab_t { var_t var_spool_t }:dir { getattr search };
-file_type_auto_trans($1_crontab_t, cron_spool_t, $1_cron_spool_t, file)
-allow $1_crontab_t self:process { fork signal_perms };
-ifdef(`fcron.te', `
-# fcron wants an instant update of a crontab change for the administrator
-# also crontab does a security check for crontab -u
-ifelse(`$1', `sysadm', `
-allow $1_crontab_t crond_t:process signal;
-can_setfscreate($1_crontab_t)
-', `
-dontaudit $1_crontab_t crond_t:process signal;
-')dnl end ifelse
-')dnl end ifdef fcron
-
-# for the checks used by crontab -u
-dontaudit $1_crontab_t security_t:dir search;
-allow $1_crontab_t proc_t:dir search;
-allow $1_crontab_t proc_t:{ file lnk_file } { getattr read };
-allow $1_crontab_t selinux_config_t:dir search;
-allow $1_crontab_t selinux_config_t:file { getattr read };
-dontaudit $1_crontab_t self:dir search;
-
-# crontab signals crond by updating the mtime on the spooldir
-allow $1_crontab_t cron_spool_t:dir setattr;
-# Allow crond to read those crontabs in cron spool.
-allow crond_t $1_cron_spool_t:file r_file_perms;
-
-# Run helper programs as $1_t
-allow $1_crontab_t { bin_t sbin_t }:dir search;
-allow $1_crontab_t bin_t:lnk_file read;
-domain_auto_trans($1_crontab_t, { bin_t sbin_t shell_exec_t }, $1_t)
-
-# Read user crontabs 
-allow $1_crontab_t { $1_home_t $1_home_dir_t }:dir r_dir_perms;  
-allow $1_crontab_t $1_home_t:file r_file_perms;  
-dontaudit $1_crontab_t $1_home_dir_t:dir write;
-
-# Access the cron log file.
-allow $1_crontab_t crond_log_t:file r_file_perms;
-allow $1_crontab_t crond_log_t:file append;
-
-# Access terminals.
-allow $1_crontab_t device_t:dir search;
-access_terminal($1_crontab_t, $1);
-
-allow $1_crontab_t fs_t:filesystem getattr;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_crontab_t $1_gph_t:fd use;')
-allow $1_crontab_t privfd:fd use;
-
-dontaudit $1_crontab_t var_run_t:dir search;
-')
diff --git a/targeted/macros/program/daemontools_macros.te b/targeted/macros/program/daemontools_macros.te
deleted file mode 100644
index 94c4f8e..0000000
--- a/targeted/macros/program/daemontools_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-ifdef(`daemontools.te', `
-
-define(`svc_ipc_domain',`
-allow $1 svc_start_t:process sigchld;
-allow $1 svc_start_t:fd use;
-allow $1 svc_start_t:fifo_file { read write getattr };
-allow svc_start_t $1:process signal; 
-')
-
-') dnl ifdef daemontools
-
diff --git a/targeted/macros/program/dbusd_macros.te b/targeted/macros/program/dbusd_macros.te
deleted file mode 100644
index 2e542a0..0000000
--- a/targeted/macros/program/dbusd_macros.te
+++ /dev/null
@@ -1,90 +0,0 @@
-#
-# Macros for Dbus
-#
-# Author: Colin Walters <walters@redhat.com>
-
-# dbusd_domain(domain_prefix)
-#
-# Define a derived domain for the DBus daemon.
-
-define(`dbusd_domain', `
-ifelse(`system', `$1',`
-daemon_domain(system_dbusd, `, userspace_objmgr, nscd_client_domain', `nosysadm')
-# For backwards compatibility
-typealias system_dbusd_t alias dbusd_t;
-type etc_dbusd_t, file_type, sysadmfile;
-',`
-type $1_dbusd_t, domain, privlog, nscd_client_domain, userspace_objmgr;
-role $1_r types $1_dbusd_t;
-domain_auto_trans($1_t, system_dbusd_exec_t, $1_dbusd_t)
-read_locale($1_dbusd_t)
-allow $1_t $1_dbusd_t:process { sigkill signal };
-allow $1_dbusd_t self:process { sigkill signal };
-dontaudit $1_dbusd_t var_t:dir { getattr search };
-')dnl end ifelse system
-
-base_file_read_access($1_dbusd_t)
-uses_shlib($1_dbusd_t)
-allow $1_dbusd_t etc_t:file { getattr read };
-r_dir_file($1_dbusd_t, etc_dbusd_t)
-tmp_domain($1_dbusd) 
-allow $1_dbusd_t self:process fork;
-can_pipe_xdm($1_dbusd_t)
-
-allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
-
-allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
-allow $1_dbusd_t self:file { getattr read write };
-allow $1_dbusd_t proc_t:file read;
-
-can_getsecurity($1_dbusd_t)
-r_dir_file($1_dbusd_t, default_context_t)
-allow $1_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
-
-ifdef(`pamconsole.te', `
-r_dir_file($1_dbusd_t, pam_var_console_t)
-')
-
-allow $1_dbusd_t self:dbus { send_msg acquire_svc };
-
-')dnl end dbusd_domain definition
-
-# dbusd_client(dbus_type, domain_prefix)
-# Example: dbusd_client_domain(system, user)
-#
-# Define a new derived domain for connecting to dbus_type
-# from domain_prefix_t. 
-undefine(`dbusd_client')
-define(`dbusd_client',`
-
-ifdef(`dbusd.te',`
-# Derived type used for connection
-type $2_dbusd_$1_t;
-type_change $2_t $1_dbusd_t:dbus $2_dbusd_$1_t;
-
-# SE-DBus specific permissions
-allow $2_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
-
-# For connecting to the bus
-allow $2_t $1_dbusd_t:unix_stream_socket connectto;
-
-ifelse(`system', `$1', `
-allow { $2_t } { var_run_t system_dbusd_var_run_t }:dir search;
-allow { $2_t } system_dbusd_var_run_t:sock_file write;
-',`') dnl endif system
-') dnl endif dbusd.te
-')
-
-# can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b)
-# Example: can_dbusd_converse(system, hald, updfstab)
-# Example: can_dbusd_converse(session, user, user)
-define(`can_dbusd_converse',`')
-ifdef(`dbusd.te',`
-undefine(`can_dbusd_converse')
-define(`can_dbusd_converse',`
-allow $2_dbusd_$1_t $3_dbusd_$1_t:dbus { send_msg };
-allow $3_dbusd_$1_t $2_dbusd_$1_t:dbus { send_msg };
-') dnl endif dbusd.te
-')
diff --git a/targeted/macros/program/ethereal_macros.te b/targeted/macros/program/ethereal_macros.te
deleted file mode 100644
index 36f1a96..0000000
--- a/targeted/macros/program/ethereal_macros.te
+++ /dev/null
@@ -1,82 +0,0 @@
-# DESC - Ethereal  
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-#############################################################
-# ethereal_networking(app_prefix) - 
-#	restricted ethereal rules (sysadm only)
-#                               
-
-define(`ethereal_networking', `
-
-# Create various types of sockets
-allow $1_t self:netlink_route_socket create_netlink_socket_perms;
-allow $1_t self:udp_socket create_socket_perms;
-allow $1_t self:packet_socket create_socket_perms;
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_t self:tcp_socket create_socket_perms;
-
-allow $1_t self:capability { dac_override dac_read_search net_raw setgid setuid };
-
-# Resolve names via DNS
-can_resolve($1_t)
-
-') dnl ethereal_networking
-
-########################################################
-# Ethereal (GNOME) 
-#
-
-define(`ethereal_domain', `
-
-# Type for program
-type $1_ethereal_t, domain, nscd_client_domain;
-
-# Transition from sysadm type
-domain_auto_trans($1_t, ethereal_exec_t, $1_ethereal_t)
-role $1_r types $1_ethereal_t;
-
-# Manual transition from userhelper 
-ifdef(`userhelper.te', `
-allow userhelperdomain $1_ethereal_t:process { transition siginh rlimitinh noatsecure };
-allow $1_ethereal_t userhelperdomain:fd use;
-allow $1_ethereal_t userhelperdomain:process sigchld;
-') dnl userhelper
-
-# X, GNOME
-x_client_domain($1_ethereal, $1)
-gnome_application($1_ethereal, $1)
-gnome_file_dialog($1_ethereal, $1)
-
-# Why does it write this?
-ifdef(`snmpd.te', `
-dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
-')
-
-# /home/.ethereal
-home_domain($1, ethereal)
-file_type_auto_trans($1_ethereal_t, $1_home_dir_t, $1_ethereal_home_t, dir)
-
-# Enable restricted networking rules for sysadm - this is shared w/ tethereal
-ifelse($1, `sysadm', `
-ethereal_networking($1_ethereal) 
-
-# Ethereal tries to write to user terminal
-dontaudit sysadm_ethereal_t user_tty_type:chr_file { read write };
-dontaudit sysadm_ethereal_t unpriv_userdomain:fd use;
-', `')
-
-# Store temporary files
-tmp_domain($1_ethereal)
-
-# Re-execute itself (why?)
-can_exec($1_ethereal_t, ethereal_exec_t)
-allow $1_ethereal_t sbin_t:dir search;
-
-# Supress .local denials until properly implemented
-dontaudit $1_ethereal_t $1_home_t:dir search;
-
-# FIXME: policy is incomplete
-
-') dnl ethereal_domain 
diff --git a/targeted/macros/program/evolution_macros.te b/targeted/macros/program/evolution_macros.te
deleted file mode 100644
index 37fc087..0000000
--- a/targeted/macros/program/evolution_macros.te
+++ /dev/null
@@ -1,234 +0,0 @@
-#
-# Evolution   
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-################################################
-# evolution_common(app_prefix,role_prefix)
-# 
-define(`evolution_common', `
-
-# Gnome common stuff
-gnome_application($1, $2)
-
-# Stat root
-allow $1_t root_t:dir search;
-
-# Access null device 
-allow $1_t null_device_t:chr_file rw_file_perms;
-
-# FIXME: suppress access to .local/.icons/.themes until properly implemented
-dontaudit $1_t $2_home_t:dir r_dir_perms;
-
-# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
-# until properly implemented
-dontaudit $1_t $2_home_t:file r_file_perms;
-
-') dnl evolution_common
-
-#######################################
-# evolution_data_server(role_prefix) 
-#
-
-define(`evolution_data_server', `
-
-# Type for daemon
-type $1_evolution_server_t, domain, nscd_client_domain;
-
-# Transition from user type
-if (! disable_evolution_trans) {
-domain_auto_trans($1_t, evolution_server_exec_t, $1_evolution_server_t)
-}
-role $1_r types $1_evolution_server_t;
-
-# Evolution common stuff
-evolution_common($1_evolution_server, $1)
-
-# Access evolution home
-home_domain_access($1_evolution_server_t, $1, evolution)
-
-# Talks to exchange
-bonobo_connect($1_evolution_server, $1_evolution_exchange)
-
-can_exec($1_evolution_server_t, shell_exec_t)
-
-# Obtain weather data via http (read server name from xml file in /usr)
-allow $1_evolution_server_t usr_t:file r_file_perms;
-can_resolve($1_evolution_server_t)
-can_network_client_tcp($1_evolution_server_t, { http_port_t http_cache_port_t } )
-allow $1_evolution_server_t { http_cache_port_t http_port_t }:tcp_socket name_connect;
-
-# Talk to ldap (address book)
-can_network_client_tcp($1_evolution_server_t, ldap_port_t)
-allow $1_evolution_server_t ldap_port_t:tcp_socket name_connect;
-
-# Look in /etc/pki
-r_dir_file($1_evolution_server_t, cert_t)
-
-') dnl evolution_data_server
-
-#######################################
-# evolution_webcal(role_prefix)
-#
-
-define(`evolution_webcal', `
-
-# Type for program
-type $1_evolution_webcal_t, domain, nscd_client_domain;
-
-# Transition from user type
-domain_auto_trans($1_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
-role $1_r types $1_evolution_webcal_t;
-
-# X/evolution common stuff
-x_client_domain($1_evolution_webcal, $1)
-evolution_common($1_evolution_webcal, $1)
-
-# Search home directory (?)
-allow $1_evolution_webcal_t $1_home_dir_t:dir search;
-
-# Networking capability - connect to website and handle ics link
-# FIXME: is this necessary ?
-can_resolve($1_evolution_webcal_t);
-can_network_client_tcp($1_evolution_webcal_t, { http_port_t http_cache_port_t } )
-allow $1_evolution_webcal_t { http_cache_port_t http_port_t } :tcp_socket name_connect;
-  
-') dnl evolution_webcal
-
-#######################################
-# evolution_alarm(role_prefix)
-#
-define(`evolution_alarm', `
-
-# Type for program
-type $1_evolution_alarm_t, domain, nscd_client_domain;
-
-# Transition from user type
-domain_auto_trans($1_t, evolution_alarm_exec_t, $1_evolution_alarm_t)
-role $1_r types $1_evolution_alarm_t;
-
-# Common evolution stuff, X
-evolution_common($1_evolution_alarm, $1)
-x_client_domain($1_evolution_alarm, $1)
-
-# Connect to exchange, e-d-s
-bonobo_connect($1_evolution_alarm, $1_evolution_server) 
-bonobo_connect($1_evolution_alarm, $1_evolution_exchange)
-
-# Access evolution home
-home_domain_access($1_evolution_alarm_t, $1, evolution)
-
-') dnl evolution_alarm
-
-########################################
-# evolution_exchange(role_prefix)
-#
-define(`evolution_exchange', `
-
-# Type for program
-type $1_evolution_exchange_t, domain, nscd_client_domain;
-
-# Transition from user type
-domain_auto_trans($1_t, evolution_exchange_exec_t, $1_evolution_exchange_t)
-role $1_r types $1_evolution_exchange_t;
-
-# Common evolution stuff, X
-evolution_common($1_evolution_exchange, $1)
-x_client_domain($1_evolution_exchange, $1)
-
-# Access evolution home
-home_domain_access($1_evolution_exchange_t, $1, evolution)
-
-# /tmp/.exchange-$USER
-tmp_domain($1_evolution_exchange)
- 
-# Allow netstat
-allow $1_evolution_exchange_t bin_t:dir search; 
-can_exec($1_evolution_exchange_t, bin_t)
-r_dir_file($1_evolution_exchange_t, proc_net_t)
-allow $1_evolution_exchange_t sysctl_net_t:dir search;
-allow $1_evolution_exchange_t self:{ udp_socket tcp_socket } create_socket_perms;
-
-# Clock applet talks to exchange (FIXME: Needs policy)
-bonobo_connect($1, $1_evolution_exchange)
-
-# FIXME: policy incomplete
-
-') dnl evolution_exchange
-
-#######################################
-# evolution_domain(role_prefix)
-#
-
-define(`evolution_domain', `
-
-# Type for program
-type $1_evolution_t, domain, nscd_client_domain, privlog; 
-
-# Transition from user type
-domain_auto_trans($1_t, evolution_exec_t, $1_evolution_t)
-role $1_r types $1_evolution_t;
-
-# X, mail, evolution common stuff 
-x_client_domain($1_evolution, $1)
-mail_client_domain($1_evolution, $1)
-gnome_file_dialog($1_evolution, $1)
-evolution_common($1_evolution, $1)
-
-# Connect to e-d-s, exchange, alarm
-bonobo_connect($1_evolution, $1_evolution_server)
-bonobo_connect($1_evolution, $1_evolution_exchange)
-bonobo_connect($1_evolution, $1_evolution_alarm)
-
-# Access .evolution
-home_domain($1, evolution)
-
-# Store passwords in .gnome2_private
-gnome_private_store($1_evolution, $1) 
-
-# Run various programs
-allow $1_evolution_t { bin_t sbin_t }:dir r_dir_perms;
-allow $1_evolution_t { self bin_t }:lnk_file r_file_perms;
-
-### Junk mail filtering (start spamd)
-ifdef(`spamd.te', `
-# Start the spam daemon
-domain_auto_trans($1_evolution_t, spamd_exec_t, spamd_t)
-role $1_r types spamd_t;
-
-# Write pid file and socket in ~/.evolution/cache/tmp
-file_type_auto_trans(spamd_t, $1_evolution_home_t, spamd_tmp_t, { file sock_file })
-
-# Allow evolution to signal the daemon
-# FIXME: Now evolution can read spamd temp files
-allow $1_evolution_t spamd_tmp_t:file r_file_perms;
-allow $1_evolution_t spamd_t:process signal;
-dontaudit $1_evolution_t spamd_tmp_t:sock_file getattr;
-') dnl spamd.te
-
-### Junk mail filtering (start spamc)
-ifdef(`spamc.te', `
-domain_auto_trans($1_evolution_t, spamc_exec_t, $1_spamc_t)
-
-# Allow connection to spamd socket above
-allow $1_spamc_t $1_evolution_home_t:dir search;
-') dnl spamc.te
-
-### Junk mail filtering (start spamassassin) 
-ifdef(`spamassassin.te', `
-domain_auto_trans($1_evolution_t, spamassassin_exec_t, $1_spamassassin_t)
-') dnl spamassasin.te
-
-') dnl evolution_domain
-
-#################################
-#  evolution_domains(role_prefix) 
-
-define(`evolution_domains', `
-evolution_domain($1)
-evolution_data_server($1)
-evolution_webcal($1)
-evolution_alarm($1)
-evolution_exchange($1)
-') dnl end evolution_domains
diff --git a/targeted/macros/program/fingerd_macros.te b/targeted/macros/program/fingerd_macros.te
deleted file mode 100644
index fd56ca7..0000000
--- a/targeted/macros/program/fingerd_macros.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Macro for fingerd
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#
-# fingerd_macro(domain_prefix)
-#
-# allow fingerd to create a fingerlog file in the user home dir
-#
-define(`fingerd_macro', `
-type $1_home_fingerlog_t, file_type, sysadmfile, $1_file_type;
-file_type_auto_trans(fingerd_t, $1_home_dir_t, $1_home_fingerlog_t)
-')
diff --git a/targeted/macros/program/fontconfig_macros.te b/targeted/macros/program/fontconfig_macros.te
deleted file mode 100644
index 7f4a56d..0000000
--- a/targeted/macros/program/fontconfig_macros.te
+++ /dev/null
@@ -1,52 +0,0 @@
-#
-# Fontconfig related types 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# fontconfig_domain(role_prefix) - create fontconfig domain
-#
-# read_fonts(domain, role_prefix) - 
-#         allow domain to read fonts, optionally per/user
-#  
-
-define(`fontconfig_domain', `
-
-type $1_fonts_t, file_type, $1_file_type, sysadmfile;
-type $1_fonts_config_t, file_type, $1_file_type, sysadmfile;
-type $1_fonts_cache_t, file_type, $1_file_type, sysadmfile;
-
-create_dir_file($1_t, $1_fonts_t)
-allow $1_t $1_fonts_t:{ dir file } { relabelto relabelfrom };
-
-create_dir_file($1_t, $1_fonts_config_t)
-allow $1_t $1_fonts_config_t:file { relabelto relabelfrom };
-
-# For startup relabel
-allow $1_t $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
-
-') dnl fontconfig_domain
-
-####################
-
-define(`read_fonts', `
-
-# Read global fonts and font config
-r_dir_file($1, fonts_t)
-r_dir_file($1, etc_t)
-
-ifelse(`$2', `', `', `
-
-# Manipulate the global font cache
-create_dir_file($1, $2_fonts_cache_t)
-
-# Read per user fonts and font config
-r_dir_file($1, $2_fonts_t)
-r_dir_file($1, $2_fonts_config_t)
-
-# There are some fonts in .gnome2
-ifdef(`gnome.te', `
-allow $1 $2_gnome_settings_t:dir { getattr search };
-')
-
-') dnl ifelse
-') dnl read_fonts
diff --git a/targeted/macros/program/games_domain.te b/targeted/macros/program/games_domain.te
deleted file mode 100644
index d4c1d05..0000000
--- a/targeted/macros/program/games_domain.te
+++ /dev/null
@@ -1,89 +0,0 @@
-#DESC games
-#
-# Macros for games
-#
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com> 
-#
-#
-# games_domain(domain_prefix)
-#
-#
-define(`games_domain', `
-
-type $1_games_t, domain, nscd_client_domain;
-
-# Type transition
-if (! disable_games_trans) {
-domain_auto_trans($1_t, games_exec_t, $1_games_t)
-}
-can_exec($1_games_t, games_exec_t)
-role $1_r types $1_games_t;
-
-can_create_pty($1_games)
-
-# X access, GNOME, /tmp files
-x_client_domain($1_games, $1)
-tmp_domain($1_games, `', { dir notdevfile_class_set })
-gnome_application($1_games, $1)
-gnome_file_dialog($1_games, $1)
-
-# Games seem to need this
-if (allow_execmem) {
-allow $1_games_t self:process execmem;
-}
-
-allow $1_games_t texrel_shlib_t:file execmod;
-allow $1_games_t var_t:dir { search getattr };
-rw_dir_create_file($1_games_t, games_data_t)
-allow $1_games_t sound_device_t:chr_file rw_file_perms;
-can_udp_send($1_games_t, $1_games_t)
-can_tcp_connect($1_games_t, $1_games_t)
-
-# Access /home/user/.gnome2
-# FIXME: Change to use per app types
-create_dir_file($1_games_t, $1_gnome_settings_t)
-
-# FIXME: why is this necessary - ORBit?
-# ORBit works differently now
-create_dir_file($1_games_t, $1_tmp_t)
-allow $1_games_t $1_tmp_t:sock_file create_file_perms;
-can_unix_connect($1_t, $1_games_t)
-can_unix_connect($1_games_t, $1_t)
-
-ifdef(`xdm.te', `
-allow $1_games_t xdm_tmp_t:dir rw_dir_perms;
-allow $1_games_t xdm_tmp_t:sock_file create_file_perms;
-allow $1_games_t xdm_var_lib_t:file { getattr read };
-')dnl end if xdm.te
-
-allow $1_games_t var_lib_t:dir search;
-r_dir_file($1_games_t, man_t)
-allow $1_games_t { proc_t self }:dir search;
-allow $1_games_t { proc_t self }:{ file lnk_file } { read getattr };
-ifdef(`mozilla.te', ` 
-dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
-')
-allow $1_games_t event_device_t:chr_file getattr;
-allow $1_games_t mouse_device_t:chr_file getattr;
-
-allow $1_games_t self:file { getattr read };
-allow $1_games_t self:sem create_sem_perms;
-
-allow $1_games_t { bin_t sbin_t }:dir { getattr search };
-can_exec($1_games_t, { shell_exec_t bin_t utempter_exec_t })
-allow $1_games_t bin_t:lnk_file read;
-
-dontaudit $1_games_t var_run_t:dir search;
-dontaudit $1_games_t initrc_var_run_t:file { read write };
-dontaudit $1_games_t var_log_t:dir search;
-
-can_network($1_games_t)
-allow $1_games_t port_t:tcp_socket name_bind;
-allow $1_games_t port_t:tcp_socket name_connect;
-
-# Suppress .icons denial until properly implemented
-dontaudit $1_games_t $1_home_t:dir read;
-
-')dnl end macro definition
-
diff --git a/targeted/macros/program/gconf_macros.te b/targeted/macros/program/gconf_macros.te
deleted file mode 100644
index 6f97ca3..0000000
--- a/targeted/macros/program/gconf_macros.te
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# GConfd daemon  
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-#######################################
-# gconfd_domain(role_prefix)
-#
-
-define(`gconfd_domain', `
-
-# Type for daemon
-type $1_gconfd_t, domain, nscd_client_domain, privlog;
-
-gnome_application($1_gconfd, $1)
-
-# Transition from user type
-domain_auto_trans($1_t, gconfd_exec_t, $1_gconfd_t)
-role $1_r types $1_gconfd_t;
-
-allow $1_gconfd_t self:process { signal getsched };
-
-# Access .gconfd and .gconf
-home_domain($1, gconfd)
-file_type_auto_trans($1_gconfd_t, $1_home_dir_t, $1_gconfd_home_t, dir)
-
-# Access /etc/gconf
-r_dir_file($1_gconfd_t, gconf_etc_t)
-
-# /tmp/gconfd-USER
-tmp_domain($1_gconfd)
-
-can_pipe_xdm($1_gconfd_t)
-ifdef(`xdm.te', `
-allow xdm_t $1_gconfd_t:process signal;
-')
-
-') dnl gconf_domain
-
-#####################################
-# gconf_client(prefix, role_prefix)
-#
-
-define(`gconf_client', `
-
-# Launch the daemon if necessary
-domain_auto_trans($1_t, gconfd_exec_t, $2_gconfd_t)
-
-# Connect over bonobo
-bonobo_connect($1, $2_gconfd)
-
-# Read lock/ior
-allow $1_t $2_gconfd_tmp_t:dir { getattr search };
-allow $1_t $2_gconfd_tmp_t:file { getattr read }; 
-
-') dnl gconf_client 
diff --git a/targeted/macros/program/gift_macros.te b/targeted/macros/program/gift_macros.te
deleted file mode 100644
index d8e39e2..0000000
--- a/targeted/macros/program/gift_macros.te
+++ /dev/null
@@ -1,104 +0,0 @@
-#
-# Macros for giFT
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# gift_domains(domain_prefix)
-# declares a domain for giftui and giftd
-
-#########################
-#  gift_domain(user)    #
-#########################
-
-define(`gift_domain', `
-
-# Type transition
-type $1_gift_t, domain, nscd_client_domain;
-domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
-role $1_r types $1_gift_t;
-
-# X access, Home files, GNOME, /tmp
-x_client_domain($1_gift, $1)
-gnome_application($1_gift, $1)
-home_domain($1, gift)
-file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_gift_t)
-allow $1_t $1_gift_t:process signal_perms;
-
-# Launch gift daemon
-allow $1_gift_t bin_t:dir search;
-domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)
-
-# Connect to gift daemon
-can_network_client_tcp($1_gift_t, giftd_port_t)
-allow $1_gift_t giftd_port_t:tcp_socket name_connect;
-
-# Read /proc/meminfo
-allow $1_gift_t proc_t:dir search;
-allow $1_gift_t proc_t:file { getattr read };
-
-# giftui looks in .icons, .themes.
-dontaudit $1_gift_t $1_home_t:dir { getattr read search };
-dontaudit $1_gift_t $1_home_t:file { getattr read };
-
-') dnl gift_domain
-
-##########################
-#  giftd_domain(user)    #
-##########################
-
-define(`giftd_domain', `
-
-type $1_giftd_t, domain;
-
-# Transition from user type
-domain_auto_trans($1_t, giftd_exec_t, $1_giftd_t)
-role $1_r types $1_giftd_t;
-
-# Self permissions, allow fork
-allow $1_giftd_t self:process { fork signal sigchld setsched };
-allow $1_giftd_t self:unix_stream_socket create_socket_perms;
-
-read_sysctl($1_giftd_t)
-read_locale($1_giftd_t)
-uses_shlib($1_giftd_t)
-access_terminal($1_giftd_t, $1)
-
-# Read /proc/meminfo
-allow $1_giftd_t proc_t:dir search;
-allow $1_giftd_t proc_t:file { getattr read };
-
-# Read /etc/mtab
-allow $1_giftd_t etc_runtime_t:file { getattr read };
-
-# Access home domain
-home_domain_access($1_giftd_t, $1, gift)
-file_type_auto_trans($1_gift_t, $1_home_dir_t, $1_gift_home_t, dir)
-
-# Serve content on various p2p networks. Ports can be random.
-can_network_server($1_giftd_t)
-allow $1_giftd_t self:udp_socket listen;
-allow $1_giftd_t port_type:{ tcp_socket udp_socket } name_bind;
-
-# Connect to various p2p networks. Ports can be random.
-can_network_client($1_giftd_t)
-allow $1_giftd_t port_type:tcp_socket name_connect;
-
-# Plugins
-r_dir_file($1_giftd_t, usr_t)
-
-# Connect to xdm
-can_pipe_xdm($1_giftd_t)
-
-') dnl giftd_domain
-
-##########################
-#  gift_domains(user)    #
-##########################
-
-define(`gift_domains', `
-gift_domain($1)
-giftd_domain($1)
-') dnl gift_domains
diff --git a/targeted/macros/program/gnome_macros.te b/targeted/macros/program/gnome_macros.te
deleted file mode 100644
index 5d31af5..0000000
--- a/targeted/macros/program/gnome_macros.te
+++ /dev/null
@@ -1,115 +0,0 @@
-#
-# GNOME related types 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# gnome_domain(role_prefix) - create GNOME domain (run for each role)
-# gnome_application(app_prefix, role_prefix) - common stuff for gnome apps
-# gnome_file_dialog(role_prefix) - gnome file dialog rules
-# gnome_private_store(app_prefix, role_prefix) - store private files in .gnome2_private
-
-define(`gnome_domain', `
-
-# Types for .gnome2 and .gnome2_private.
-# For backwards compatibility, allow unrestricted
-# access from ROLE_t. However, content inside
-# *should* be labeled per application eventually.
-# For .gnome2_private, use the private_store macro below. 
-
-type $1_gnome_settings_t, file_type, $1_file_type, sysadmfile;
-create_dir_file($1_t, $1_gnome_settings_t)
-allow $1_t $1_gnome_settings_t:{ dir file } { relabelfrom relabelto };
-
-type $1_gnome_secret_t, file_type, $1_file_type, sysadmfile;
-create_dir_file($1_t, $1_gnome_secret_t)
-allow $1_t $1_gnome_secret_t:{ dir file } { relabelfrom relabelto };
-
-# GConf domain
-gconfd_domain($1)
-gconf_client($1, $1)
-
-# Bonobo-activation-server
-bonobo_domain($1)
-bonobo_client($1, $1)
-
-# GNOME vfs daemon
-gnome_vfs_domain($1)
-gnome_vfs_client($1, $1)
-
-# ICE is necessary for session management
-ice_domain($1, $1)
-
-')
-
-#################################
-
-define(`gnome_application', `
-
-# If launched from a terminal
-access_terminal($1_t, $2)
-
-# Forking is generally okay
-allow $1_t self:process { sigchld sigkill signal setrlimit getsched setsched fork };
-allow $1_t self:fifo_file rw_file_perms;
-
-# Shlib, locale, sysctl, proc
-uses_shlib($1_t)
-read_locale($1_t)
-read_sysctl($1_t)
-
-allow $1_t { self proc_t }:dir { search read getattr };
-allow $1_t { self proc_t }:{ file lnk_file } { read getattr };
-
-# Most gnome apps use bonobo
-bonobo_client($1, $2)
-
-# Within-process bonobo-activation of components
-bonobo_connect($1, $1)
-
-# Session management happens over ICE
-# FIXME: More specific context is needed for gnome-session
-ice_connect($1, $2)
-
-# Most talk to GConf
-gconf_client($1, $2)
-
-# Allow getattr/read/search of .gnome2 and .gnome2_private
-# Reading files should *not* be allowed - instead, more specific
-# types should be created to handle such requests
-allow $1_t { $2_gnome_settings_t $2_gnome_secret_t }:dir r_dir_perms;
-
-# Access /etc/mtab, /etc/nsswitch.conf
-allow $1_t etc_t:file { read getattr };
-allow $1_t etc_runtime_t:file { read getattr };
-
-# Themes, gtkrc
-allow $1_t usr_t:{ file lnk_file } r_file_perms;
-
-') dnl gnome_application
-
-################################
-
-define(`gnome_file_dialog', `
-
-# GNOME Open/Save As dialogs 
-dontaudit_getattr($1_t)
-dontaudit_search_dir($1_t)
-
-# Bonobo connection to gnome_vfs daemon
-bonobo_connect($1, $2_gnome_vfs)
- 
-') dnl gnome_file_dialog
-
-################################
-
-define(`gnome_private_store', `
-
-# Type for storing secret data
-# (different from home, not directly accessible from ROLE_t)
-type $1_secret_t, file_type, $2_file_type, sysadmfile;
-
-# Put secret files in .gnome2_private
-file_type_auto_trans($1_t, $2_gnome_secret_t, $1_secret_t, file);
-allow $2_t $1_secret_t:file unlink;
-
-') dnl gnome_private_store
diff --git a/targeted/macros/program/gnome_vfs_macros.te b/targeted/macros/program/gnome_vfs_macros.te
deleted file mode 100644
index 8ff5c28..0000000
--- a/targeted/macros/program/gnome_vfs_macros.te
+++ /dev/null
@@ -1,55 +0,0 @@
-#
-# GNOME VFS daemon  
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-#######################################
-# gnome_vfs_domain(role_prefix)
-#
-
-define(`gnome_vfs_domain', `
-
-# Type for daemon
-type $1_gnome_vfs_t, domain, nscd_client_domain;
-
-# GNOME, dbus
-gnome_application($1_gnome_vfs, $1)
-dbusd_client(system, $1_gnome_vfs)
-allow $1_gnome_vfs_t system_dbusd_t:dbus send_msg;
-ifdef(`hald.te', `
-allow $1_gnome_vfs_t hald_t:dbus send_msg;
-allow hald_t $1_gnome_vfs_t:dbus send_msg;
-')
-
-# Transition from user type
-domain_auto_trans($1_t, gnome_vfs_exec_t, $1_gnome_vfs_t)
-role $1_r types $1_gnome_vfs_t; 
-
-# Stat top level directories on mount_points (check free space?)
-allow $1_gnome_vfs_t { fs_type default_t boot_t home_root_t device_t }:dir getattr;
-
-# Search path to /home (??)
-allow $1_gnome_vfs_t home_root_t:dir search;
-allow $1_gnome_vfs_t $1_home_dir_t:dir search;
-
-# Search path to rpc_pipefs mount point (??)
-allow $1_gnome_vfs_t var_lib_nfs_t:dir search;
-allow $1_gnome_vfs_t var_lib_t:dir search;
-
-# Search libexec (??)
-allow $1_gnome_vfs_t bin_t:dir search;
-can_exec($1_gnome_vfs_t, bin_t)
-
-') dnl gnome_vfs_domain
-
-#####################################
-# gnome_vfs_client(prefix, role_prefix)
-#
-
-define(`gnome_vfs_client', `
-
-# Connect over bonobo
-bonobo_connect($1, $2_gnome_vfs)
-
-') dnl gnome_vfs_client 
diff --git a/targeted/macros/program/gpg_agent_macros.te b/targeted/macros/program/gpg_agent_macros.te
deleted file mode 100644
index f7ad8b0..0000000
--- a/targeted/macros/program/gpg_agent_macros.te
+++ /dev/null
@@ -1,125 +0,0 @@
-#
-# Macros for gpg agent
-#
-# Author: Thomas Bleher <ThomasBleher@gmx.de>
-#
-# 
-# gpg_agent_domain(domain_prefix)
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/gpg-agent.te. 
-#
-define(`gpg_agent_domain',`
-# Define a derived domain for the gpg-agent program when executed
-# by a user domain.
-# Derived domain based on the calling user domain and the program.
-type $1_gpg_agent_t, domain;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_gpg_agent_t;
-
-allow $1_gpg_agent_t privfd:fd use;
-
-# Write to the user domain tty.
-access_terminal($1_gpg_agent_t, $1)
-
-# Allow the user shell to signal the gpg-agent program.
-allow $1_t $1_gpg_agent_t:process { signal sigkill };
-# allow ps to show gpg-agent
-can_ps($1_t, $1_gpg_agent_t)
-
-uses_shlib($1_gpg_agent_t)
-read_locale($1_gpg_agent_t)
-
-# rlimit: gpg-agent wants to prevent coredumps
-allow $1_gpg_agent_t self:process { setrlimit fork sigchld };
-
-allow $1_gpg_agent_t { self proc_t }:dir search;
-allow $1_gpg_agent_t { self proc_t }:lnk_file read;
-
-allow $1_gpg_agent_t device_t:dir { getattr read };
-
-# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-allow $1_gpg_agent_t { home_root_t $1_home_dir_t }:dir search;
-create_dir_file($1_gpg_agent_t, $1_gpg_secret_t)
-if (use_nfs_home_dirs) {
-create_dir_file($1_gpg_agent_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1_gpg_agent_t, cifs_t)
-}
-
-allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_gpg_agent_t self:fifo_file { getattr read write };
-
-# create /tmp files
-tmp_domain($1_gpg_agent, `', `{ file dir sock_file }')
-
-# gpg connect
-allow $1_gpg_t $1_gpg_agent_tmp_t:dir search;
-allow $1_gpg_t $1_gpg_agent_tmp_t:sock_file write;
-can_unix_connect($1_gpg_t, $1_gpg_agent_t)
-
-# policy for pinentry
-# ===================
-# we need to allow gpg-agent to call pinentry so it can get the passphrase 
-# from the user.
-# Please note that I didnt use the x_client_domain-macro as it gives too 
-# much permissions
-type $1_gpg_pinentry_t, domain;
-role $1_r types $1_gpg_pinentry_t;
-
-allow $1_gpg_agent_t bin_t:dir search;
-domain_auto_trans($1_gpg_agent_t, pinentry_exec_t, $1_gpg_pinentry_t)
-
-uses_shlib($1_gpg_pinentry_t)
-read_locale($1_gpg_pinentry_t)
-
-allow $1_gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
-allow $1_gpg_pinentry_t self:fifo_file { getattr read write };
-
-ifdef(`xdm.te', `
-allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
-allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
-can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
-')dnl end ig xdm.te
-
-read_fonts($1_gpg_pinentry_t, $1)
-# read kde font cache
-allow $1_gpg_pinentry_t usr_t:file { getattr read };
-
-allow $1_gpg_pinentry_t { proc_t self }:dir search;
-allow $1_gpg_pinentry_t { proc_t self }:lnk_file read;
-# read /proc/meminfo
-allow $1_gpg_pinentry_t proc_t:file read;
-
-allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
-
-# for .Xauthority
-allow $1_gpg_pinentry_t $1_home_dir_t:dir { getattr search };
-allow $1_gpg_pinentry_t $1_home_t:file { getattr read };
-# wants to put some lock files into the user home dir, seems to work fine without
-dontaudit $1_gpg_pinentry_t $1_home_t:dir { read write };
-dontaudit $1_gpg_pinentry_t $1_home_t:file write;
-if (use_nfs_home_dirs) {
-allow $1_gpg_pinentry_t nfs_t:dir { getattr search };
-allow $1_gpg_pinentry_t nfs_t:file { getattr read };
-dontaudit $1_gpg_pinentry_t nfs_t:dir { read write };
-dontaudit $1_gpg_pinentry_t nfs_t:file write;
-}
-if (use_samba_home_dirs) {
-allow $1_gpg_pinentry_t cifs_t:dir { getattr search };
-allow $1_gpg_pinentry_t cifs_t:file { getattr read };
-dontaudit $1_gpg_pinentry_t cifs_t:dir { read write };
-dontaudit $1_gpg_pinentry_t cifs_t:file write;
-}
-
-# read /etc/X11/qtrc
-allow $1_gpg_pinentry_t etc_t:file { getattr read };
-
-dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t bin_t }:dir { getattr search };
-
-')dnl end if gpg_agent
diff --git a/targeted/macros/program/gpg_macros.te b/targeted/macros/program/gpg_macros.te
deleted file mode 100644
index 9dba8f7..0000000
--- a/targeted/macros/program/gpg_macros.te
+++ /dev/null
@@ -1,113 +0,0 @@
-#
-# Macros for gpg and pgp
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-# based on the work of:
-# Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
-#
-
-#
-# gpg_domain(domain_prefix)
-#
-# Define a derived domain for the gpg/pgp program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/gpg.te.
-#
-define(`gpg_domain', `
-# Derived domain based on the calling user domain and the program.
-type $1_gpg_t, domain, privlog;
-type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
-role $1_r types $1_gpg_t;
-
-can_network($1_gpg_t)
-allow $1_gpg_t port_type:tcp_socket name_connect;
-can_ypbind($1_gpg_t)
-
-# for a bug in kmail
-dontaudit $1_gpg_t $1_t:unix_stream_socket { getattr read write };
-
-allow $1_gpg_t device_t:dir r_dir_perms;
-allow $1_gpg_t { random_device_t urandom_device_t }:chr_file r_file_perms;
-
-allow $1_gpg_t etc_t:file r_file_perms;
-
-allow $1_gpg_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
-
-access_terminal($1_gpg_t, $1)
-ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors
-allow $1_gpg_t { privfd $1_t }:fd use;
-allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
-
-# setrlimit is for ulimit -c 0
-allow $1_gpg_t self:process { setrlimit setcap setpgid };
-
-# allow ps to show gpg
-can_ps($1_t, $1_gpg_t)
-
-uses_shlib($1_gpg_t)
-
-# Access .gnupg
-rw_dir_create_file($1_gpg_t, $1_gpg_secret_t)
-
-# Read content to encrypt/decrypt/sign
-read_content($1_gpg_t, $1)
-
-# Write content to encrypt/decrypt/sign
-write_trusted($1_gpg_t, $1)
-
-allow $1_gpg_t self:capability { ipc_lock setuid };
-
-allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms;
-allow $1_gpg_t fs_t:filesystem getattr;
-allow $1_gpg_t usr_t:file r_file_perms;
-read_locale($1_gpg_t)
-
-dontaudit $1_gpg_t var_t:dir search;
-
-ifdef(`gpg-agent.te', `gpg_agent_domain($1)')
-
-# for helper programs (which automatically fetch keys)
-# Note: this is only tested with the hkp interface. If you use eg the 
-# mail interface you will likely need additional permissions.
-type $1_gpg_helper_t, domain;
-role $1_r types $1_gpg_helper_t;
-
-domain_auto_trans($1_gpg_t, gpg_helper_exec_t, $1_gpg_helper_t)
-uses_shlib($1_gpg_helper_t)
-
-# allow gpg to fork so it can call the helpers
-allow $1_gpg_t self:process { fork sigchld };
-allow $1_gpg_t self:fifo_file { getattr read write };
-
-dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
-if (use_nfs_home_dirs) {
-dontaudit $1_gpg_helper_t nfs_t:file { read write };
-}
-if (use_samba_home_dirs) {
-dontaudit $1_gpg_helper_t cifs_t:file { read write };
-}
-
-# communicate with the user 
-allow $1_gpg_helper_t $1_t:fd use;
-allow $1_gpg_helper_t $1_t:fifo_file write;
-# get keys from the network
-can_network_client($1_gpg_helper_t)
-allow $1_gpg_helper_t port_type:tcp_socket name_connect;
-allow $1_gpg_helper_t etc_t:file { getattr read };
-allow $1_gpg_helper_t urandom_device_t:chr_file read;
-allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
-# for nscd
-dontaudit $1_gpg_helper_t var_t:dir search;
-
-can_pipe_xdm($1_gpg_t)
-
-')dnl end gpg_domain definition
diff --git a/targeted/macros/program/gph_macros.te b/targeted/macros/program/gph_macros.te
deleted file mode 100644
index d784fcc..0000000
--- a/targeted/macros/program/gph_macros.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#
-# Macros for gnome-pty-helper domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
-#
-
-#
-# gph_domain(domain_prefix, role_prefix)
-#
-# Define a derived domain for the gnome-pty-helper program when
-# executed by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/gnome-pty-helper.te. 
-#
-# The *_gph_t domains are for the gnome_pty_helper program.
-# This program is executed by gnome-terminal to handle
-# updates to utmp and wtmp.  In this regard, it is similar
-# to utempter.  However, unlike utempter, gnome-pty-helper
-# also creates the pty file for the terminal program.
-# There is one *_gph_t domain for each user domain.  
-#
-undefine(`gph_domain')
-define(`gph_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_gph_t, domain, gphdomain, nscd_client_domain;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, gph_exec_t, $1_gph_t)
-
-# The user role is authorized for this domain.
-role $2_r types $1_gph_t;
-
-# This domain is granted permissions common to most domains.
-uses_shlib($1_gph_t)
-
-# Use capabilities.
-allow $1_gph_t self:capability { chown fsetid setgid setuid };
-
-# Update /var/run/utmp and /var/log/wtmp.
-allow $1_gph_t { var_t var_run_t }:dir search;
-allow $1_gph_t initrc_var_run_t:file rw_file_perms;
-allow $1_gph_t wtmp_t:file rw_file_perms;
-
-# Allow gph to rw to stream sockets of appropriate user type.
-# (Need this so gnome-pty-helper can pass pty fd to parent 
-#  gnome-terminal which is running in a user domain.)
-allow $1_gph_t $1_t:unix_stream_socket rw_stream_socket_perms;
-
-allow $1_gph_t self:unix_stream_socket create_stream_socket_perms;
-
-# Allow user domain to use pty fd from gnome-pty-helper.
-allow $1_t $1_gph_t:fd use;
-
-# Use the network, e.g. for NIS lookups.
-can_resolve($1_gph_t)
-can_ypbind($1_gph_t)
-
-allow $1_gph_t etc_t:file { getattr read };
-
-# Added by David A. Wheeler:
-# Allow gnome-pty-helper to update /var/log/lastlog
-# (the gnome-pty-helper in Red Hat Linux 7.1 does this):
-allow $1_gph_t lastlog_t:file rw_file_perms;
-allow $1_gph_t var_log_t:dir search;
-allow $1_t $1_gph_t:process signal;
-
-ifelse($2, `system', `
-# Create ptys for the system
-can_create_other_pty($1_gph, initrc)
-', `
-# Create ptys for the user domain.
-can_create_other_pty($1_gph, $1)
-
-# Read and write the users tty.
-allow $1_gph_t $1_tty_device_t:chr_file rw_file_perms;
-
-# Allow gnome-pty-helper to write the .xsession-errors file.
-allow $1_gph_t home_root_t:dir search;
-allow $1_gph_t $1_home_t:dir { search add_name };
-allow $1_gph_t $1_home_t:file { create write };
-')dnl end ifelse system
-')dnl end macro
diff --git a/targeted/macros/program/i18n_input_macros.te b/targeted/macros/program/i18n_input_macros.te
deleted file mode 100644
index 58699fc..0000000
--- a/targeted/macros/program/i18n_input_macros.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#
-# Macros for i18n_input
-#
-
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com> 
-#
-
-#
-# i18n_input_domain(domain)
-#
-ifdef(`i18n_input.te', `
-define(`i18n_input_domain', `
-allow i18n_input_t $1_home_dir_t:dir { getattr search };
-r_dir_file(i18n_input_t, $1_home_t)
-if (use_nfs_home_dirs) { r_dir_file(i18n_input_t, nfs_t) }
-if (use_samba_home_dirs) { r_dir_file(i18n_input_t, cifs_t) }
-')
-')
-
-
diff --git a/targeted/macros/program/ice_macros.te b/targeted/macros/program/ice_macros.te
deleted file mode 100644
index b373496..0000000
--- a/targeted/macros/program/ice_macros.te
+++ /dev/null
@@ -1,38 +0,0 @@
-#
-# ICE related types 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# ice_domain(prefix, role) - create ICE sockets
-# ice_connect(type1_prefix, type2_prefix) - allow communication through ICE sockets 
-
-define(`ice_domain', `
-ifdef(`$1_ice_tmp_t_defined',`', `
-define(`$1_ice_tmp_t_defined')
-
-# Type for ICE sockets
-type $1_ice_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile;
-file_type_auto_trans($1_t, ice_tmp_t, $1_ice_tmp_t)
-
-# Create the sockets
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_t self:unix_dgram_socket create_socket_perms;
-
-# FIXME: How does iceauth tie in?
-
-')
-')
-
-# FIXME: Should this be bidirectional?
-# Adding only unidirectional for now.
-
-define(`ice_connect', `
-
-# Read .ICEauthority file
-allow $1_t $2_iceauth_home_t:file { read getattr };
-
-can_unix_connect($1_t, $2_t)
-allow $1_t ice_tmp_t:dir r_dir_perms;
-allow $1_t $2_ice_tmp_t:sock_file { read write };
-allow $1_t $2_t:unix_stream_socket { read write };
-')
diff --git a/targeted/macros/program/iceauth_macros.te b/targeted/macros/program/iceauth_macros.te
deleted file mode 100644
index cc7e804..0000000
--- a/targeted/macros/program/iceauth_macros.te
+++ /dev/null
@@ -1,40 +0,0 @@
-#
-# Macros for iceauth domains.
-#
-# Author:  Ivan Gyurdiev <gyurdiev@redhat.com>
-#
-# iceauth_domain(domain_prefix)
-
-define(`iceauth_domain',`
-
-# Program type
-type $1_iceauth_t, domain;
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, iceauth_exec_t, $1_iceauth_t)
-role $1_r types $1_iceauth_t;
-
-# Store .ICEauthority files
-home_domain($1, iceauth)
-file_type_auto_trans($1_iceauth_t, $1_home_dir_t, $1_iceauth_home_t, file)
-
-# Supress xdm trying to restore .ICEauthority permissions
-ifdef(`xdm.te', `
-dontaudit xdm_t $1_iceauth_home_t:file r_file_perms;
-')
-
-# /root
-allow $1_iceauth_t root_t:dir search;
-
-# Terminal output
-access_terminal($1_iceauth_t, $1)
-
-uses_shlib($1_iceauth_t)
-
-# ??? 
-allow $1_iceauth_t etc_t:dir search;
-allow $1_iceauth_t usr_t:dir search;
-
-# FIXME: policy is incomplete
-
-')dnl end xauth_domain macro
diff --git a/targeted/macros/program/inetd_macros.te b/targeted/macros/program/inetd_macros.te
deleted file mode 100644
index e5c4eed..0000000
--- a/targeted/macros/program/inetd_macros.te
+++ /dev/null
@@ -1,97 +0,0 @@
-#################################
-#
-# Rules for the $1_t domain.
-#
-# $1_t is a general domain for daemons started
-# by inetd that do not have their own individual domains yet.
-# $1_exec_t is the type of the corresponding
-# programs.
-#
-define(`inetd_child_domain', `
-type $1_t, domain, privlog, nscd_client_domain;
-role system_r types $1_t;
-
-#
-# Allows user to define a tunable to disable domain transition
-#
-bool $1_disable_trans false;
-if ($1_disable_trans) {
-can_exec(initrc_t, $1_exec_t)
-can_exec(sysadm_t, $1_exec_t)
-} else {
-domain_auto_trans(inetd_t, $1_exec_t, $1_t)
-allow inetd_t $1_t:process sigkill;
-}
-
-can_network_server($1_t)
-can_ypbind($1_t)
-uses_shlib($1_t)
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket create_socket_perms;
-allow $1_t self:fifo_file rw_file_perms;
-type $1_exec_t, file_type, sysadmfile, exec_type;
-read_locale($1_t)
-allow $1_t device_t:dir search;
-allow $1_t proc_t:dir search;
-allow $1_t proc_t:{ file lnk_file } { getattr read };
-allow $1_t self:process { fork signal_perms };
-allow $1_t fs_t:filesystem getattr;
-
-read_sysctl($1_t)
-
-allow $1_t etc_t:file { getattr read };
-
-tmp_domain($1)
-allow $1_t var_t:dir search;
-var_run_domain($1)
-
-# Inherit and use descriptors from inetd.
-allow $1_t inetd_t:fd use;
-
-# for identd
-allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow $1_t self:capability { setuid setgid };
-allow $1_t home_root_t:dir search;
-allow $1_t self:dir search;
-allow $1_t self:{ lnk_file file } { getattr read };
-can_kerberos($1_t)
-allow $1_t urandom_device_t:chr_file r_file_perms;
-# Use sockets inherited from inetd.
-ifelse($2, `', `
-allow inetd_t $1_port_t:udp_socket name_bind;
-allow $1_t inetd_t:udp_socket rw_socket_perms;
-allow inetd_t $1_port_t:tcp_socket name_bind;
-allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
-')
-ifelse($2, tcp, `
-allow inetd_t $1_port_t:tcp_socket name_bind;
-allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
-')
-ifelse($2, udp, `
-allow inetd_t $1_port_t:udp_socket name_bind;
-allow $1_t inetd_t:udp_socket rw_socket_perms;
-')
-r_dir_file($1_t, proc_net_t)
-')
-define(`remote_login_daemon', `
-inetd_child_domain($1)
-
-# Execute /bin/login on a new PTY
-allow $1_t { bin_t sbin_t }:dir search;
-domain_auto_trans($1_t, login_exec_t, remote_login_t)
-can_create_pty($1, `, server_pty, userpty_type')
-allow $1_t self:capability { fsetid chown fowner sys_tty_config dac_override } ;
-
-# Append to /var/log/wtmp.
-allow $1_t var_log_t:dir search;
-allow $1_t wtmp_t:file rw_file_perms;
-allow $1_t initrc_var_run_t:file rw_file_perms;
-
-# Allow reading of /etc/issue.net
-allow $1_t etc_runtime_t:file r_file_perms;
-
-# Allow krb5 $1 to use fork and open /dev/tty for use
-allow $1_t userpty_type:chr_file setattr;
-allow $1_t devtty_t:chr_file rw_file_perms;
-dontaudit $1_t selinux_config_t:dir search;
-')
diff --git a/targeted/macros/program/irc_macros.te b/targeted/macros/program/irc_macros.te
deleted file mode 100644
index 3adaef7..0000000
--- a/targeted/macros/program/irc_macros.te
+++ /dev/null
@@ -1,85 +0,0 @@
-#
-# Macros for irc domains.
-#
-
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#
-# irc_domain(domain_prefix)
-#
-# Define a derived domain for the irc program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/irc.te. 
-#
-undefine(`irc_domain')
-ifdef(`irc.te', `
-define(`irc_domain',`
-
-# Home domain
-home_domain($1, irc)
-file_type_auto_trans($1_irc_t, $1_home_dir_t, $1_irc_home_t, dir)
-
-# Derived domain based on the calling user domain and the program.
-type $1_irc_t, domain;
-type $1_irc_exec_t, file_type, sysadmfile, $1_file_type;
-
-allow $1_t $1_irc_exec_t:file { relabelfrom relabelto create_file_perms };
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, { irc_exec_t $1_irc_exec_t }, $1_irc_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_irc_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_irc_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors from newrole.
-ifdef(`newrole.te', `allow $1_irc_t newrole_t:fd use;')
-
-# allow ps to show irc
-can_ps($1_t, $1_irc_t)
-allow $1_t $1_irc_t:process signal;
-
-# Use the network.
-can_network_client($1_irc_t)
-allow $1_irc_t port_type:tcp_socket name_connect;
-can_ypbind($1_irc_t)
-
-allow $1_irc_t usr_t:file { getattr read };
-
-access_terminal($1_irc_t, $1)
-uses_shlib($1_irc_t)
-allow $1_irc_t etc_t:file { read getattr };
-read_locale($1_irc_t)
-allow $1_irc_t fs_t:filesystem getattr;
-allow $1_irc_t var_t:dir search;
-allow $1_irc_t device_t:dir search;
-allow $1_irc_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_irc_t privfd:fd use;
-allow $1_irc_t proc_t:dir search;
-allow $1_irc_t { self proc_t }:lnk_file read;
-allow $1_irc_t self:dir search;
-dontaudit $1_irc_t var_run_t:dir search;
-
-# allow utmp access
-allow $1_irc_t initrc_var_run_t:file { getattr read };
-dontaudit $1_irc_t initrc_var_run_t:file lock;
-
-# access files under /tmp
-file_type_auto_trans($1_irc_t, tmp_t, $1_tmp_t)
-
-ifdef(`ircd.te', `
-can_tcp_connect($1_irc_t, ircd_t)
-')dnl end ifdef irc.te
-')dnl end macro definition
-
-', `
-
-define(`irc_domain',`')
-
-')dnl end ifdef irc.te
diff --git a/targeted/macros/program/java_macros.te b/targeted/macros/program/java_macros.te
deleted file mode 100644
index 874d6dc..0000000
--- a/targeted/macros/program/java_macros.te
+++ /dev/null
@@ -1,93 +0,0 @@
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com> 
-#
-# Macros for javaplugin (java plugin) domains.
-#
-#
-# javaplugin_domain(domain_prefix, role)
-#
-# Define a derived domain for the javaplugin program when executed by
-# a web browser.  
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/java.te. 
-#
-define(`javaplugin_domain',`
-type $1_javaplugin_t, domain, privlog , nscd_client_domain, transitionbool;
-
-# The user role is authorized for this domain.
-role $2_r types $1_javaplugin_t;
-domain_auto_trans($1_t, java_exec_t, $1_javaplugin_t)
-
-allow $1_javaplugin_t sound_device_t:chr_file rw_file_perms;
-# Unrestricted inheritance from the caller.
-allow $1_t $1_javaplugin_t:process { noatsecure siginh rlimitinh };
-allow $1_javaplugin_t $1_t:process signull;
-
-can_unix_connect($1_javaplugin_t, $1_t)
-allow $1_javaplugin_t $1_t:unix_stream_socket { read write };
-
-# This domain is granted permissions common to most domains (including can_net)
-can_network_client($1_javaplugin_t)
-allow $1_javaplugin_t port_type:tcp_socket name_connect;
-can_ypbind($1_javaplugin_t)
-allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
-allow $1_javaplugin_t self:fifo_file rw_file_perms;
-allow $1_javaplugin_t etc_runtime_t:file { getattr read };
-allow $1_javaplugin_t fs_t:filesystem getattr;
-r_dir_file($1_javaplugin_t, { proc_t proc_net_t })
-allow $1_javaplugin_t self:dir search;
-allow $1_javaplugin_t self:lnk_file read;
-allow $1_javaplugin_t self:file { getattr read };
-
-read_sysctl($1_javaplugin_t)
-allow $1_javaplugin_t sysctl_vm_t:dir search;
-
-tmp_domain($1_javaplugin)
-read_fonts($1_javaplugin_t, $2)
-r_dir_file($1_javaplugin_t,{ usr_t etc_t })
-
-# Search bin directory under javaplugin for javaplugin executable
-allow $1_javaplugin_t bin_t:dir search;
-can_exec($1_javaplugin_t, java_exec_t)
-
-# libdeploy.so legacy
-allow $1_javaplugin_t texrel_shlib_t:file execmod;
-if (allow_execmem) {
-allow $1_javaplugin_t self:process execmem;
-}
-
-# Connect to X server
-x_client_domain($1_javaplugin, $2) 
-
-uses_shlib($1_javaplugin_t)
-read_locale($1_javaplugin_t)
-rw_dir_file($1_javaplugin_t, $1_home_t)
-
-if (allow_java_execstack) {
-legacy_domain($1_javaplugin)
-allow $1_javaplugin_t lib_t:file execute;
-allow $1_javaplugin_t locale_t:file execute;
-allow $1_javaplugin_t $1_javaplugin_tmp_t:file execute;
-allow $1_javaplugin_t fonts_t:file execute;
-allow $1_javaplugin_t sound_device_t:chr_file execute;
-}
-
-allow $1_javaplugin_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
-
-allow $1_javaplugin_t home_root_t:dir { getattr search };
-file_type_auto_trans($1_javaplugin_t, $2_home_dir_t, $1_home_t)
-allow $1_javaplugin_t $2_xauth_home_t:file { getattr read };
-allow $1_javaplugin_t $2_tmp_t:sock_file write;
-allow $1_javaplugin_t $2_t:fd use;
-
-allow $1_javaplugin_t var_t:dir getattr;
-allow $1_javaplugin_t var_lib_t:dir { getattr search };
-
-dontaudit $1_javaplugin_t $2_devpts_t:chr_file { read write };
-dontaudit $1_javaplugin_t sysadm_devpts_t:chr_file { read write };
-dontaudit $1_javaplugin_t devtty_t:chr_file { read write };
-dontaudit $1_javaplugin_t tmpfs_t:file { execute read write };
-dontaudit $1_javaplugin_t $1_home_t:file { execute setattr };
-
-')
diff --git a/targeted/macros/program/kerberos_macros.te b/targeted/macros/program/kerberos_macros.te
deleted file mode 100644
index 91850d3..0000000
--- a/targeted/macros/program/kerberos_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-define(`can_kerberos',`
-ifdef(`kerberos.te',`
-if (allow_kerberos) {
-can_network_client($1, `kerberos_port_t')
-allow $1 kerberos_port_t:tcp_socket name_connect;
-can_resolve($1)
-}
-') dnl kerberos.te
-dontaudit $1 krb5_conf_t:file write;
-allow $1 krb5_conf_t:file { getattr read };
-')
diff --git a/targeted/macros/program/lockdev_macros.te b/targeted/macros/program/lockdev_macros.te
deleted file mode 100644
index 28f7c01..0000000
--- a/targeted/macros/program/lockdev_macros.te
+++ /dev/null
@@ -1,46 +0,0 @@
-#
-# Macros for lockdev domains.
-#
-
-#
-# Authors:  Daniel Walsh <dwalsh@redhat.com> 
-#
-
-#
-# lockdev_domain(domain_prefix)
-#
-# Define a derived domain for the lockdev programs when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/lockdev.te. 
-#
-undefine(`lockdev_domain')
-define(`lockdev_domain',`
-# Derived domain based on the calling user domain and the program
-type $1_lockdev_t, domain, privlog;
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, lockdev_exec_t, $1_lockdev_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_lockdev_t;
-# Use capabilities.
-allow $1_lockdev_t self:capability setgid;
-allow $1_lockdev_t $1_t:process signull;
-
-allow $1_lockdev_t var_t:dir search;
-
-lock_domain($1_lockdev)
-
-r_dir_file($1_lockdev_t, lockfile)
-
-allow $1_lockdev_t device_t:dir search;
-allow $1_lockdev_t null_device_t:chr_file rw_file_perms;
-access_terminal($1_lockdev_t, $1)
-dontaudit $1_lockdev_t root_t:dir search;
-
-uses_shlib($1_lockdev_t)
-allow $1_lockdev_t fs_t:filesystem getattr;
-
-')dnl end macro definition
-
diff --git a/targeted/macros/program/login_macros.te b/targeted/macros/program/login_macros.te
deleted file mode 100644
index 0d0993c..0000000
--- a/targeted/macros/program/login_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# Macros for login type programs (/bin/login, sshd, etc).
-#
-#  Author: Russell Coker <russell@coker.com.au>
-#
-
-define(`login_spawn_domain', `
-domain_trans($1_t, shell_exec_t, $2)
-
-# Signal the user domains.
-allow $1_t $2:process signal;
-')
diff --git a/targeted/macros/program/lpr_macros.te b/targeted/macros/program/lpr_macros.te
deleted file mode 100644
index d8b3b31..0000000
--- a/targeted/macros/program/lpr_macros.te
+++ /dev/null
@@ -1,117 +0,0 @@
-#
-# Macros for lpr domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
-#
-
-#
-# lpr_domain(domain_prefix)
-#
-# Define a derived domain for the lpr/lpq/lprm programs when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/lpr.te. 
-#
-undefine(`lpr_domain')
-define(`lpr_domain',`
-# Derived domain based on the calling user domain and the program
-type $1_lpr_t, domain, privlog, nscd_client_domain;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, lpr_exec_t, $1_lpr_t)
-
-allow $1_t $1_lpr_t:process signull;
-
-# allow using shared objects, accessing root dir, etc
-uses_shlib($1_lpr_t)
-
-read_locale($1_lpr_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_lpr_t;
-
-# This domain is granted permissions common to most domains (including can_net)
-can_network_client($1_lpr_t)
-allow $1_lpr_t port_type:tcp_socket name_connect;
-can_ypbind($1_lpr_t)
-
-# Use capabilities.
-allow $1_lpr_t self:capability { setuid dac_override net_bind_service chown };
-
-allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;
-
-# for lpd config files (should have a new type)
-r_dir_file($1_lpr_t, etc_t)
-
-# for test print
-r_dir_file($1_lpr_t, usr_t)
-ifdef(`lpd.te', `
-r_dir_file($1_lpr_t, printconf_t)
-')
-
-tmp_domain($1_lpr)
-
-# Type for spool files.
-type $1_print_spool_t, file_type, sysadmfile;
-# Use this type when creating files in /var/spool/lpd and /var/spool/cups.
-file_type_auto_trans($1_lpr_t, print_spool_t, $1_print_spool_t, file)
-allow $1_lpr_t var_spool_t:dir search;
-
-# for /dev/null
-allow $1_lpr_t device_t:dir search;
-
-# Access the terminal.
-access_terminal($1_lpr_t, $1)
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_lpr_t $1_gph_t:fd use;')
-allow $1_lpr_t privfd:fd use;
-
-# Read user files. 
-read_content(sysadm_lpr_t, $1) 
-read_content($1_lpr_t, $1)
-
-# Read and write shared files in the spool directory.
-allow $1_lpr_t print_spool_t:file rw_file_perms;
-
-# lpr can run in lightweight mode, without a local print spooler. If the
-# lpd policy is present, grant some permissions for this domain and the lpd
-# domain to interact.
-ifdef(`lpd.te', `
-allow $1_lpr_t { var_t var_run_t }:dir search;
-allow $1_lpr_t lpd_var_run_t:dir search;
-allow $1_lpr_t lpd_var_run_t:sock_file write;
-
-# Allow lpd to read, rename, and unlink spool files.
-allow lpd_t $1_print_spool_t:file r_file_perms;
-allow lpd_t $1_print_spool_t:file link_file_perms;
-
-# Connect to lpd via a Unix domain socket.
-allow $1_lpr_t printer_t:sock_file rw_file_perms;
-can_unix_connect($1_lpr_t, lpd_t)
-dontaudit $1_lpr_t $1_t:unix_stream_socket { read write };
-
-# Connect to lpd via a TCP socket.
-can_tcp_connect($1_lpr_t, lpd_t)
-
-allow $1_lpr_t fs_t:filesystem getattr;
-# Send SIGHUP to lpd.
-allow $1_lpr_t lpd_t:process signal;
-
-')dnl end if lpd.te
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_lpr_t)
-')
-
-ifdef(`cups.te', `
-allow { $1_lpr_t $1_t } cupsd_etc_t:dir search;
-allow $1_lpr_t { cupsd_etc_t cupsd_rw_etc_t }:file { getattr read };
-can_tcp_connect({ $1_lpr_t $1_t }, cupsd_t)
-')dnl end ifdef cups.te
-
-')dnl end macro definition
-
diff --git a/targeted/macros/program/mail_client_macros.te b/targeted/macros/program/mail_client_macros.te
deleted file mode 100644
index da22a62..0000000
--- a/targeted/macros/program/mail_client_macros.te
+++ /dev/null
@@ -1,68 +0,0 @@
-#
-# Shared macro for mail clients
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-########################################
-# mail_client_domain(client, role_prefix)
-#
-
-define(`mail_client_domain', `
-
-# Allow netstat
-# Startup shellscripts
-allow $1_t bin_t:dir r_dir_perms;
-allow $1_t bin_t:lnk_file r_file_perms;
-can_exec($1_t, bin_t)
-r_dir_file($1_t, proc_net_t)
-allow $1_t sysctl_net_t:dir search;
-
-# Allow DNS
-can_resolve($1_t)
-
-# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
-can_ypbind($1_t)
-can_network_client_tcp($1_t, { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t })
-allow $1_t { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t }:tcp_socket name_connect;
-
-# Allow printing the mail
-ifdef(`cups.te',`
-allow $1_t cupsd_etc_t:dir r_dir_perms;
-allow $1_t cupsd_rw_etc_t:file r_file_perms;
-')
-ifdef(`lpr.te', `
-domain_auto_trans($1_t, lpr_exec_t, $2_lpr_t)
-')
-
-# Attachments
-read_content($1_t, $2, mail)
-
-# Save mail
-write_untrusted($1_t, $2)
-
-# Encrypt mail
-ifdef(`gpg.te', `
-domain_auto_trans($1_t, gpg_exec_t, $2_gpg_t)
-allow $1_t $2_gpg_t:process signal;
-')
-
-# Start links in web browser
-ifdef(`mozilla.te', `
-can_exec($1_t, shell_exec_t)
-domain_auto_trans($1_t, mozilla_exec_t, $2_mozilla_t)
-') 
-ifdef(`dbusd.te', `
-dbusd_client(system, $1)
-allow $1_t system_dbusd_t:dbus send_msg;
-dbusd_client($2, $1)
-allow $1_t $2_dbusd_t:dbus send_msg;
-ifdef(`cups.te', `
-allow cupsd_t $1_t:dbus send_msg;
-') 
-') 
-# Allow the user domain to signal/ps.
-can_ps($2_t, $1_t)
-allow $2_t $1_t:process signal_perms;
-
-')
diff --git a/targeted/macros/program/mount_macros.te b/targeted/macros/program/mount_macros.te
deleted file mode 100644
index 0aa0577..0000000
--- a/targeted/macros/program/mount_macros.te
+++ /dev/null
@@ -1,90 +0,0 @@
-#
-# Macros for mount
-#
-# Author:  Brian May <bam@snoopy.apana.org.au>
-# Extended by Russell Coker <russell@coker.com.au>
-#
-
-#
-# mount_domain(domain_prefix,dst_domain_prefix)
-#
-# Define a derived domain for the mount program for anyone.
-#
-define(`mount_domain', `
-#
-# Rules for the $2_t domain, used by the $1_t domain.
-#
-# $2_t is the domain for the mount process.
-#
-# This macro will not be included by all users and it may be included twice if
-# called from other macros, so we need protection for this do not call this
-# macro if $2_def is defined
-define(`$2_def', `')
-#
-type $2_t, domain, privlog $3, nscd_client_domain;
-
-allow $2_t sysfs_t:dir search;
-
-uses_shlib($2_t)
-
-role $1_r types $2_t;
-# when mount is run by $1 goto $2_t domain
-domain_auto_trans($1_t, mount_exec_t, $2_t)
-
-allow $2_t proc_t:dir search;
-allow $2_t proc_t:file { getattr read };
-
-#
-# Allow mounting of cdrom by user
-#
-allow $2_t device_type:blk_file getattr;
-
-tmp_domain($2)
-
-# Use capabilities.
-allow $2_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
-
-allow $2_t self:unix_stream_socket create_socket_perms;
-
-# Create and modify /etc/mtab.
-file_type_auto_trans($2_t, etc_t, etc_runtime_t, file)
-
-allow $2_t etc_t:file { getattr read };
-
-read_locale($2_t)
-
-allow $2_t home_root_t:dir search;
-allow $2_t $1_home_dir_t:dir search;
-allow $2_t noexattrfile:filesystem { mount unmount };
-allow $2_t fs_t:filesystem getattr;
-allow $2_t removable_t:filesystem { mount unmount };
-allow $2_t mnt_t:dir { mounton search };
-allow $2_t sbin_t:dir search;
-
-# Access the terminal.
-access_terminal($2_t, $1)
-ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')
-allow $2_t var_t:dir search;
-allow $2_t var_run_t:dir search;
-
-ifdef(`distro_redhat',`
-ifdef(`pamconsole.te',`
-r_dir_file($2_t,pam_var_console_t)
-# mount config by default sets fscontext=removable_t
-allow $2_t dosfs_t:filesystem relabelfrom;
-') dnl end pamconsole.te
-') dnl end distro_redhat
-') dnl end mount_domain
-
-# mount_loopback_privs(domain_prefix,dst_domain_prefix)
-#
-# Add loopback mounting privileges to a particular derived
-# mount domain. 
-#
-define(`mount_loopback_privs',`
-type $1_$2_source_t, file_type, sysadmfile, $1_file_type;
-allow $1_t $1_$2_source_t:file create_file_perms;
-allow $1_t $1_$2_source_t:file { relabelto relabelfrom };
-allow $2_t $1_$2_source_t:file rw_file_perms;
-')
-
diff --git a/targeted/macros/program/mozilla_macros.te b/targeted/macros/program/mozilla_macros.te
deleted file mode 100644
index cc8afb0..0000000
--- a/targeted/macros/program/mozilla_macros.te
+++ /dev/null
@@ -1,157 +0,0 @@
-#
-# Macros for mozilla/mozilla (or other browser) domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
-#
-
-#
-# mozilla_domain(domain_prefix)
-#
-# Define a derived domain for the mozilla/mozilla program when executed by
-# a user domain.  
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/mozilla.te. 
-#
-
-# FIXME: Rules were removed to centralize policy in a gnome_app macro
-# A similar thing might be necessary for mozilla compiled without GNOME
-# support (is this possible?). 
-
-define(`mozilla_domain',`
-
-type $1_mozilla_t, domain, web_client_domain, nscd_client_domain, privlog;
-
-# Type transition
-if (! disable_mozilla_trans) {
-domain_auto_trans($1_t, mozilla_exec_t, $1_mozilla_t)
-}
-role $1_r types $1_mozilla_t;
-
-# X access, Home files
-home_domain($1, mozilla)
-x_client_domain($1_mozilla, $1)
-
-# GNOME integration
-ifdef(`gnome.te', `
-gnome_application($1_mozilla, $1)
-gnome_file_dialog($1_mozilla, $1)
-')
-
-# Look for plugins 
-allow $1_mozilla_t bin_t:dir { getattr read search };
-
-# Browse the web, connect to printer
-can_resolve($1_mozilla_t)
-can_network_client_tcp($1_mozilla_t, { http_port_t http_cache_port_t ftp_port_t ipp_port_t } )
-allow $1_mozilla_t { http_port_t http_cache_port_t ftp_port_t ipp_port_t }:tcp_socket name_connect;
-
-# Should not need other ports
-dontaudit $1_mozilla_t port_t:tcp_socket { name_connect name_bind };
-
-allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
-dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
-
-# Unrestricted inheritance from the caller.
-allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
-allow $1_mozilla_t $1_t:process signull;
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_mozilla_t)
-allow $1_t $1_mozilla_t:process signal_perms;
-
-# Access /proc, sysctl
-allow $1_mozilla_t proc_t:dir search;
-allow $1_mozilla_t proc_t:file { getattr read };
-allow $1_mozilla_t proc_t:lnk_file read;
-allow $1_mozilla_t sysctl_net_t:dir search;
-allow $1_mozilla_t sysctl_t:dir search;
-
-# /var/lib
-allow $1_mozilla_t var_lib_t:dir search;
-allow $1_mozilla_t var_lib_t:file { getattr read };
-
-# Self permissions
-allow $1_mozilla_t self:socket create_socket_perms;
-allow $1_mozilla_t self:file { getattr read };
-allow $1_mozilla_t self:sem create_sem_perms;
-
-# for bash - old mozilla binary
-can_exec($1_mozilla_t, mozilla_exec_t)
-can_exec($1_mozilla_t, shell_exec_t)
-can_exec($1_mozilla_t, bin_t)
-allow $1_mozilla_t bin_t:lnk_file read;
-allow $1_mozilla_t device_t:dir r_dir_perms;
-allow $1_mozilla_t self:dir search;
-allow $1_mozilla_t self:lnk_file read;
-r_dir_file($1_mozilla_t, proc_net_t)
-
-# interacting with gstreamer
-r_dir_file($1_mozilla_t, var_t)
-
-# Uploads, local html
-read_content($1_mozilla_t, $1, mozilla) 
-
-# Save web pages
-write_untrusted($1_mozilla_t, $1)
-
-# Mozpluggerrc
-allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
-
-######### Java plugin
-ifdef(`java.te', `
-javaplugin_domain($1_mozilla, $1)
-') dnl java.te
-
-######### Print web content
-ifdef(`cups.te', `
-allow $1_mozilla_t cupsd_etc_t:dir search;
-allow $1_mozilla_t cupsd_rw_etc_t:file { getattr read };
-')
-ifdef(`lpr.te', `
-domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
-dontaudit $1_lpr_t $1_mozilla_home_t:file { read write };
-dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write };
-') dnl if lpr.te
-
-######### Launch mplayer
-ifdef(`mplayer.te', `
-domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
-dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
-dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
-dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
-')dnl end if mplayer.te  
-
-######### Launch email client, and make webcal links work
-ifdef(`evolution.te', `
-domain_auto_trans($1_mozilla_t, evolution_exec_t, $1_evolution_t)
-domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
-') dnl if evolution.te
-
-ifdef(`thunderbird.te', `
-domain_auto_trans($1_mozilla_t, thunderbird_exec_t, $1_thunderbird_t)
-') dnl if evolution.te
-
-if (allow_execmem) {
-allow $1_mozilla_t self:process { execmem execstack };
-}
-allow $1_mozilla_t texrel_shlib_t:file execmod;
-
-ifdef(`dbusd.te', `
-dbusd_client(system, $1_mozilla)
-allow $1_mozilla_t system_dbusd_t:dbus send_msg;
-ifdef(`cups.te', `
-allow cupsd_t $1_mozilla_t:dbus send_msg;
-')
-')
-
-ifdef(`apache.te', `
-ifelse($1, sysadm, `', `
-r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
-')
-')
-
-')dnl end mozilla macro
-
diff --git a/targeted/macros/program/mplayer_macros.te b/targeted/macros/program/mplayer_macros.te
deleted file mode 100644
index 6d06757..0000000
--- a/targeted/macros/program/mplayer_macros.te
+++ /dev/null
@@ -1,159 +0,0 @@
-#
-# Macros for mplayer
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# mplayer_domains(user) declares domains for mplayer, gmplayer,
-# and mencoder
-
-#####################################################
-#    mplayer_common(role_prefix, mplayer_domain)    #
-#####################################################
-
-define(`mplayer_common',`
-
-# Read global config
-r_dir_file($1_$2_t, mplayer_etc_t)
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_$2_t)
-allow $1_t $1_$2_t:process signal_perms;
-
-# Read data in /usr/share (fonts, icons..)
-r_dir_file($1_$2_t, usr_t)
-
-# Read /proc files and directories
-# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
-allow $1_$2_t proc_t:dir search;
-allow $1_$2_t proc_t:file { getattr read };
-
-# Sysctl on kernel version 
-read_sysctl($1_$2_t)
-
-# Allow ps, shared libs, locale, terminal access
-can_ps($1_t, $1_$2_t)
-uses_shlib($1_$2_t)
-read_locale($1_$2_t)
-access_terminal($1_$2_t, $1)
-
-# Required for win32 binary loader 
-allow $1_$2_t zero_device_t:chr_file { read write execute };
-if (allow_execmem) {
-allow $1_$2_t self:process execmem;
-}
-
-if (allow_execmod) {
-allow $1_$2_t zero_device_t:chr_file execmod;
-}
-allow $1_$2_t texrel_shlib_t:file execmod;
-
-# Access to DVD/CD/V4L
-allow $1_$2_t device_t:dir r_dir_perms;
-allow $1_$2_t device_t:lnk_file { getattr read };
-allow $1_$2_t removable_device_t:blk_file { getattr read };
-allow $1_$2_t v4l_device_t:chr_file { getattr read };
-
-# Legacy domain issues
-if (allow_mplayer_execstack) {
-legacy_domain($1_$2)
-allow $1_$2_t lib_t:file execute;
-allow $1_$2_t locale_t:file execute;
-allow $1_$2_t sound_device_t:chr_file execute;
-}
-')
-
-###################################
-#  mplayer_domain(role_prefix)    #
-###################################
-
-define(`mplayer_domain',`
-
-type $1_mplayer_t, domain, nscd_client_domain;
-
-# Type transition
-domain_auto_trans($1_t, mplayer_exec_t, $1_mplayer_t)
-role $1_r types $1_mplayer_t;
-
-# Home access, X access
-home_domain($1, mplayer)
-x_client_domain($1_mplayer, $1)
-
-# Mplayer common stuff
-mplayer_common($1, mplayer)
-
-# Fork 
-allow $1_mplayer_t self:process { fork signal_perms getsched };
-allow $1_mplayer_t self:fifo_file rw_file_perms;
-
-# Audio, alsa.conf
-allow $1_mplayer_t sound_device_t:chr_file rw_file_perms;
-allow $1_mplayer_t etc_t:file { getattr read };
-r_dir_file($1_mplayer_t, alsa_etc_rw_t);
-
-# RTC clock 
-allow $1_mplayer_t clock_device_t:chr_file { ioctl read };
-
-# Legacy domain issues
-if (allow_mplayer_execstack) {
-allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute;
-}
-
-#======gmplayer gui==========#
-# File dialogs
-dontaudit_getattr($1_mplayer_t)
-dontaudit_read_dir($1_mplayer_t)
-dontaudit_search_dir($1_mplayer_t)
-
-# Unfortunately the ancient file dialog starts in /
-allow $1_mplayer_t home_root_t:dir read;
-
-# Read /etc/mtab
-allow $1_mplayer_t etc_runtime_t:file { read getattr };
-
-# Run bash/sed (??) 
-allow $1_mplayer_t bin_t:dir search;
-allow $1_mplayer_t bin_t:lnk_file read;
-can_exec($1_mplayer_t, bin_t)
-can_exec($1_mplayer_t, shell_exec_t)
-#============================#
-
-# Read songs
-read_content($1_mplayer_t, $1)
-
-') dnl end mplayer_domain
-
-###################################
-#  mencoder_domain(role_prefix)   #
-###################################
-
-define(`mencoder_domain',`
-
-type $1_mencoder_t, domain;
-
-# Type transition
-domain_auto_trans($1_t, mencoder_exec_t, $1_mencoder_t)
-role $1_r types $1_mencoder_t;
-
-# Access mplayer home domain
-home_domain_access($1_mencoder_t, $1, mplayer)
-
-# Mplayer common stuff
-mplayer_common($1, mencoder)
-
-# Read content to encode
-read_content($1_mencoder_t, $1)
-
-# Save encoded files
-write_trusted($1_mencoder_t, $1)
-
-') dnl end mencoder_domain
-
-#############################
-#  mplayer_domains(role)    #
-#############################
-
-define(`mplayer_domains', `
-mplayer_domain($1)
-mencoder_domain($1)
-') dnl end mplayer_domains
-
diff --git a/targeted/macros/program/mta_macros.te b/targeted/macros/program/mta_macros.te
deleted file mode 100644
index b221f54..0000000
--- a/targeted/macros/program/mta_macros.te
+++ /dev/null
@@ -1,121 +0,0 @@
-# Macros for MTA domains.
-#
-
-#
-# Author:   Russell Coker <russell@coker.com.au>
-# Based on the work of: Stephen Smalley <sds@epoch.ncsc.mil>
-#                       Timothy Fraser 
-#
-
-#
-# mail_domain(domain_prefix)
-#
-# Define a derived domain for the sendmail program when executed by
-# a user domain to send outgoing mail.  These domains are separate and
-# independent of the domain used for the sendmail daemon process.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/mta.te. 
-#
-undefine(`mail_domain')
-define(`mail_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_mail_t, domain, privlog, user_mail_domain, nscd_client_domain;
-
-ifdef(`sendmail.te', `
-sendmail_user_domain($1)
-')
-
-can_exec($1_mail_t, sendmail_exec_t)
-allow $1_mail_t sendmail_exec_t:lnk_file { getattr read };
-
-# The user role is authorized for this domain.
-role $1_r types $1_mail_t;
-
-uses_shlib($1_mail_t)
-can_network_client_tcp($1_mail_t)
-allow $1_mail_t { smtp_port_t port_type }:tcp_socket name_connect;
-can_resolve($1_mail_t)
-can_ypbind($1_mail_t)
-allow $1_mail_t self:unix_dgram_socket create_socket_perms;
-allow $1_mail_t self:unix_stream_socket create_socket_perms;
-
-read_locale($1_mail_t)
-read_sysctl($1_mail_t)
-allow $1_mail_t device_t:dir search;
-allow $1_mail_t { var_t var_spool_t }:dir search;
-allow $1_mail_t self:process { fork signal_perms setrlimit };
-allow $1_mail_t sbin_t:dir search;
-
-# It wants to check for nscd
-dontaudit $1_mail_t var_run_t:dir search;
-
-# Use capabilities
-allow $1_mail_t self:capability { setuid setgid chown };
-
-# Execute procmail.
-can_exec($1_mail_t, bin_t)
-ifdef(`procmail.te',`
-can_exec($1_mail_t, procmail_exec_t)')
-
-ifelse(`$1', `system', `
-# Transition from a system domain to the derived domain.
-domain_auto_trans(privmail, sendmail_exec_t, system_mail_t)
-allow privmail sendmail_exec_t:lnk_file { getattr read };
-
-ifdef(`crond.te', `
-# Read cron temporary files.
-allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
-allow mta_user_agent system_crond_tmp_t:file { read getattr };
-')
-can_access_pty(system_mail_t, initrc)
-
-', `
-# For when the user wants to send mail via port 25 localhost
-can_tcp_connect($1_t, mail_server_domain)
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, sendmail_exec_t, $1_mail_t)
-allow $1_t sendmail_exec_t:lnk_file { getattr read };
-
-# Read user temporary files.
-allow $1_mail_t $1_tmp_t:file r_file_perms;
-dontaudit $1_mail_t $1_tmp_t:file append;
-ifdef(`postfix.te', `
-# postfix seems to need write access if the file handle is opened read/write
-allow $1_mail_t $1_tmp_t:file write;
-')dnl end if postfix
-
-allow mta_user_agent $1_tmp_t:file { read getattr };
-
-# Write to the user domain tty.
-access_terminal(mta_user_agent, $1)
-access_terminal($1_mail_t, $1)
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_mail_t $1_gph_t:fd use;')
-allow $1_mail_t privfd:fd use;
-
-# Create dead.letter in user home directories.
-file_type_auto_trans($1_mail_t, $1_home_dir_t, $1_home_t, file)
-
-if (use_samba_home_dirs) {
-rw_dir_create_file($1_mail_t, cifs_t)
-}
-
-# if you do not want to allow dead.letter then use the following instead
-#allow $1_mail_t { $1_home_dir_t $1_home_t }:dir r_dir_perms;
-#allow $1_mail_t $1_home_t:file r_file_perms;
-
-# for reading .forward - maybe we need a new type for it?
-# also for delivering mail to maildir
-file_type_auto_trans(mta_delivery_agent, $1_home_dir_t, $1_home_t)
-')dnl end if system
-
-allow $1_mail_t etc_t:file { getattr read };
-ifdef(`qmail.te', `
-allow $1_mail_t qmail_etc_t:dir search;
-allow $1_mail_t qmail_etc_t:{ file lnk_file } read;
-')dnl end if qmail
-
-')
diff --git a/targeted/macros/program/newrole_macros.te b/targeted/macros/program/newrole_macros.te
deleted file mode 100644
index 0d52282..0000000
--- a/targeted/macros/program/newrole_macros.te
+++ /dev/null
@@ -1,97 +0,0 @@
-# Authors:  Anthony Colatrella (NSA)    Stephen Smalley <sds@epoch.ncsc.mil>
-#           Russell Coker <russell@coker.com.au>
-
-# This macro defines the rules for a newrole like program, it is used by
-# newrole.te and sudo.te, but may be used by other policy at some later time.
-
-define(`newrole_domain', `
-# Rules for the $1_t domain.
-#
-# $1_t is the domain for the program.
-# $1_exec_t is the type of the executable.
-#
-type $1_t, domain, privrole, privowner, privlog, auth_chkpwd, nscd_client_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl $2;
-in_user_role($1_t)
-role sysadm_r types $1_t;
-
-general_domain_access($1_t);
-
-uses_shlib($1_t)
-read_locale($1_t)
-read_sysctl($1_t)
-
-allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read };
-
-# for when the user types "exec newrole" at the command line
-allow $1_t privfd:process sigchld;
-
-# Inherit descriptors from the current session.
-allow $1_t privfd:fd use;
-
-# Execute /sbin/pwdb_chkpwd to check the password.
-allow $1_t sbin_t:dir r_dir_perms;
-
-# Execute shells
-allow $1_t bin_t:dir r_dir_perms;
-allow $1_t bin_t:lnk_file read;
-allow $1_t shell_exec_t:file r_file_perms;
-
-allow $1_t urandom_device_t:chr_file { getattr read };
-
-# Allow $1_t to transition to user domains.
-domain_trans($1_t, shell_exec_t, unpriv_userdomain)
-if(!secure_mode)
-{
-	# if we are not in secure mode then we can transition to sysadm_t
-	domain_trans($1_t, shell_exec_t, sysadm_t)
-}
-
-can_setexec($1_t)
-
-allow $1_t autofs_t:dir search;
-
-# Use capabilities.
-allow $1_t self:capability { fowner setuid setgid net_bind_service dac_override };
-
-# Read the devpts root directory.
-allow $1_t devpts_t:dir r_dir_perms;
-
-# Read the /etc/security/default_type file
-r_dir_file($1_t, default_context_t)
-r_dir_file($1_t, selinux_config_t)
-allow $1_t etc_t:file r_file_perms;
-
-# Read /var.
-r_dir_file($1_t, var_t)
-
-# Read /dev directories and any symbolic links.
-allow $1_t device_t:dir r_dir_perms;
-
-# Relabel terminals.
-allow $1_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-
-# Access terminals.
-allow $1_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow $1_t gphdomain:fd use;')
-
-ifdef(`distro_debian', `
-# for /etc/alternatives
-allow $1_t etc_t:lnk_file read;
-')
-
-#
-# Allow newrole to obtain contexts to relabel TTYs
-#
-can_getsecurity($1_t)
-
-allow $1_t fs_t:filesystem getattr;
-
-# for some PAM modules and for cwd
-dontaudit $1_t { home_root_t home_type }:dir search;
-
-allow $1_t proc_t:dir search;
-allow $1_t proc_t:file { getattr read };
-
-# for when the network connection is killed
-dontaudit unpriv_userdomain $1_t:process signal;
-')
diff --git a/targeted/macros/program/orbit_macros.te b/targeted/macros/program/orbit_macros.te
deleted file mode 100644
index b2dd5d1..0000000
--- a/targeted/macros/program/orbit_macros.te
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# ORBit related types 
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-# orbit_domain(prefix, role_prefix) - create ORBit sockets
-# orbit_connect(type1_prefix, type2_prefix) 
-#	- allow communication through ORBit sockets from type1 to type2 
-
-define(`orbit_domain', `
-
-# Protect against double inclusion for speed and correctness
-ifdef(`orbit_domain_$1_$2', `', `
-define(`orbit_domain_$1_$2')
-
-# Relabel directory (startup script)
-allow $1_t $1_orbit_tmp_t:{ dir file } { relabelfrom relabelto };
-
-# Type for ORBit sockets
-type $1_orbit_tmp_t, file_type, $2_file_type, sysadmfile, tmpfile;
-file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t)
-allow $1_t tmp_t:dir { read search getattr };
-
-# Create the sockets
-allow $1_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_t self:unix_dgram_socket create_socket_perms;
-
-# Use random device(s)
-allow $1_t { random_device_t urandom_device_t }:chr_file { read getattr ioctl };
-
-# Why do they do that?
-dontaudit $1_t $2_orbit_tmp_t:dir setattr;
-
-') dnl ifdef orbit_domain_args
-') dnl orbit_domain
-
-##########################
-
-define(`orbit_connect', `
-
-can_unix_connect($1_t, $2_t)
-allow $1_t $2_orbit_tmp_t:sock_file write;
-
-') dnl orbit_connect
diff --git a/targeted/macros/program/pyzor_macros.te b/targeted/macros/program/pyzor_macros.te
deleted file mode 100644
index af67d30..0000000
--- a/targeted/macros/program/pyzor_macros.te
+++ /dev/null
@@ -1,69 +0,0 @@
-#
-# Pyzor - Pyzor is a collaborative, networked system to detect and
-#         block spam using identifying digests of messages.
-#
-# Author:  David Hampton <hampton@employees.org>
-#
-
-##########
-# common definitions for pyzord and all flavors of pyzor
-##########
-define(`pyzor_base_domain',`
-
-# Networking
-can_network_client_tcp($1_t, http_port_t);
-can_network_udp($1_t, pyzor_port_t);
-can_resolve($1_t);
-
-general_proc_read_access($1_t)
-
-tmp_domain($1)
-
-allow $1_t bin_t:dir { getattr search };
-allow $1_t bin_t:file getattr;
-allow $1_t lib_t:file { getattr read };
-allow $1_t { var_t var_lib_t var_run_t }:dir search;
-uses_shlib($1_t)
-
-# Python does a getattr on this file
-allow $1_t pyzor_exec_t:file getattr;
-
-# mktemp and other randoms
-allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;
-
-# Allow access to various files in the /etc/directory including mtab
-# and nsswitch
-allow $1_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale($1_t)
-')
-
-
-#
-# Define a user domain for a pyzor
-#
-# Note: expects to be called with an argument of user, sysadm
-
-define(`pyzor_domain',`
-type $1_pyzor_t, domain, privlog, nscd_client_domain;
-role $1_r types $1_pyzor_t;
-domain_auto_trans($1_t, pyzor_exec_t, $1_pyzor_t)
-
-pyzor_base_domain($1_pyzor)
-
-# Per-user config/data files
-home_domain($1, pyzor)
-file_type_auto_trans($1_pyzor_t, $1_home_dir_t, $1_pyzor_home_t, dir)
-
-# System config files
-r_dir_file($1_pyzor_t, pyzor_etc_t)
-
-# System data files
-r_dir_file($1_pyzor_t, pyzor_var_lib_t);
-
-allow $1_pyzor_t self:unix_stream_socket create_stream_socket_perms;
-
-# Allow pyzor to be run by hand.  Needed by any action other than
-# invocation from a spam filter.
-can_access_pty($1_pyzor_t, $1)
-allow $1_pyzor_t sshd_t:fd use;
-')
diff --git a/targeted/macros/program/razor_macros.te b/targeted/macros/program/razor_macros.te
deleted file mode 100644
index e4c7c55..0000000
--- a/targeted/macros/program/razor_macros.te
+++ /dev/null
@@ -1,75 +0,0 @@
-#
-# Razor - Razor is a collaborative, networked system to detect and
-#         block spam using identifying digests of messages.
-#
-# Author:  David Hampton <hampton@employees.org>
-#
-
-##########
-# common definitions for razord and all flavors of razor
-##########
-define(`razor_base_domain',`
-
-# Razor is one executable and several symlinks
-allow $1_t razor_exec_t:{ file lnk_file } { getattr read };
-
-# Networking
-can_network_client_tcp($1_t, razor_port_t)
-can_resolve($1_t);
-
-general_proc_read_access($1_t)
-
-# Read system config file
-r_dir_file($1_t, razor_etc_t)
-
-# Update razor common files
-file_type_auto_trans($1_t, var_log_t, razor_log_t, file)
-create_dir_file($1_t, razor_log_t)
-allow $1_t var_lib_t:dir search;
-create_dir_file($1_t, razor_var_lib_t)
-
-allow $1_t bin_t:dir { getattr search };
-allow $1_t bin_t:file getattr;
-allow $1_t lib_t:file { getattr read };
-allow $1_t { var_t var_run_t }:dir search;
-uses_shlib($1_t)
-
-# Razor forks other programs to do part of its work.
-general_domain_access($1_t)
-can_exec($1_t, bin_t)
-
-# mktemp and other randoms
-allow $1_t { random_device_t urandom_device_t }:chr_file r_file_perms;
-
-# Allow access to various files in the /etc/directory including mtab
-# and nsswitch
-allow $1_t { etc_t etc_runtime_t }:file { getattr read };
-read_locale($1_t)
-')
-
-
-#
-# Define a user domain for a razor
-#
-# Note: expects to be called with an argument of user, sysadm
-
-define(`razor_domain',`
-type $1_razor_t, domain, privlog, nscd_client_domain;
-role $1_r types $1_razor_t;
-domain_auto_trans($1_t, razor_exec_t, $1_razor_t)
-
-razor_base_domain($1_razor)
-
-# Per-user config/data files
-home_domain($1, razor)
-file_type_auto_trans($1_razor_t, $1_home_dir_t, $1_razor_home_t, dir)
-
-tmp_domain($1_razor)
-
-allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;
-
-# Allow razor to be run by hand.  Needed by any action other than
-# invocation from a spam filter.
-can_access_pty($1_razor_t, $1)
-allow $1_razor_t sshd_t:fd use;
-')
diff --git a/targeted/macros/program/resmgrd_macros.te b/targeted/macros/program/resmgrd_macros.te
deleted file mode 100644
index ec0ac60..0000000
--- a/targeted/macros/program/resmgrd_macros.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# Macro for resmgrd
-
-define(`can_resmgrd_connect', `
-ifdef(`resmgrd.te', ` 
-allow $1 resmgrd_t:unix_stream_socket connectto;
-allow $1 { var_t var_run_t }:dir search;
-allow $1 resmgrd_var_run_t:sock_file write;
-allow $1 resmgrd_t:fd use;
-')
-')
-
diff --git a/targeted/macros/program/rhgb_macros.te b/targeted/macros/program/rhgb_macros.te
deleted file mode 100644
index 9700fba..0000000
--- a/targeted/macros/program/rhgb_macros.te
+++ /dev/null
@@ -1,8 +0,0 @@
-
-define(`rhgb_domain', `
-ifdef(`rhgb.te', `
-allow $1 rhgb_t:process sigchld;
-allow $1 rhgb_t:fd use;
-allow $1 rhgb_t:fifo_file { read write };
-')dnl end ifdef
-')
diff --git a/targeted/macros/program/rssh_macros.te b/targeted/macros/program/rssh_macros.te
deleted file mode 100644
index 33fbdb5..0000000
--- a/targeted/macros/program/rssh_macros.te
+++ /dev/null
@@ -1,58 +0,0 @@
-#
-# Macros for Rssh domains
-#
-# Author: Colin Walters <walters@verbum.org>
-#
-
-#
-# rssh_domain(domain_prefix)
-#
-# Define a specific rssh domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/rssh.te. 
-#
-undefine(`rssh_domain')
-ifdef(`rssh.te', `
-define(`rssh_domain',`
-type rssh_$1_t, domain, userdomain, privlog, privfd;
-role rssh_$1_r types rssh_$1_t;
-allow system_r rssh_$1_r;
-
-type rssh_$1_rw_t, file_type, sysadmfile, $1_file_type;
-type rssh_$1_ro_t, file_type, sysadmfile, $1_file_type;
-
-general_domain_access(rssh_$1_t);
-uses_shlib(rssh_$1_t);
-base_file_read_access(rssh_$1_t);
-allow rssh_$1_t var_t:dir r_dir_perms;
-r_dir_file(rssh_$1_t, etc_t);
-allow rssh_$1_t etc_runtime_t:file { getattr read };
-r_dir_file(rssh_$1_t, locale_t);
-can_exec(rssh_$1_t, bin_t);
-
-allow rssh_$1_t proc_t:dir { getattr search };
-allow rssh_$1_t proc_t:lnk_file { getattr read };
-
-r_dir_file(rssh_$1_t, rssh_$1_ro_t);
-create_dir_file(rssh_$1_t, rssh_$1_rw_t);
-
-can_create_pty(rssh_$1, `, userpty_type, user_tty_type')
-# Use the type when relabeling pty devices.
-type_change rssh_$1_t server_pty:chr_file rssh_$1_devpts_t;
-
-ifdef(`ssh.te',`
-allow rssh_$1_t sshd_t:fd use;
-allow rssh_$1_t sshd_t:tcp_socket rw_stream_socket_perms;
-allow rssh_$1_t sshd_t:unix_stream_socket rw_stream_socket_perms;
-# For reading /home/user/.ssh
-r_dir_file(sshd_t, rssh_$1_ro_t);
-domain_trans(sshd_t, rssh_exec_t, rssh_$1_t);
-')
-')
-
-', `
-
-define(`rssh_domain',`')
-
-')
diff --git a/targeted/macros/program/run_program_macros.te b/targeted/macros/program/run_program_macros.te
deleted file mode 100644
index c98bbee..0000000
--- a/targeted/macros/program/run_program_macros.te
+++ /dev/null
@@ -1,73 +0,0 @@
-
-# $1 is the source domain (or domains), $2 is the source role (or roles) and $3
-# is the base name for the domain to run.  $1 is normally sysadm_t, and $2 is
-# normally sysadm_r.  $4 is the type of program to run and $5 is the domain to
-# transition to.
-# sample usage:
-# run_program(sysadm_t, sysadm_r, init, etc_t, initrc_t)
-#
-# if you have several users who run the same run_init type program for
-# different purposes (think of a run_db program used by several database
-# administrators to start several databases) then you can list all the source
-# domains in $1, all the source roles in $2, but you may not want to list all
-# types of programs to run in $4 and target domains in $5 (as that may permit
-# entering a domain from the wrong type).  In such a situation just specify
-# one value for each of $4 and $5 and have some rules such as the following:
-# domain_trans(run_whatever_t, whatever_exec_t, whatever_t)
-
-define(`run_program', `
-type run_$3_exec_t, file_type, exec_type, sysadmfile;
-
-# domain for program to run in, needs to change role (priv_system_role), change
-# identity to system_u (privuser), log failures to syslog (privlog) and
-# authenticate users
-type run_$3_t, domain, priv_system_role, privuser, privlog;
-domain_auto_trans($1, run_$3_exec_t, run_$3_t)
-role $2 types run_$3_t;
-
-domain_auto_trans(run_$3_t, chkpwd_exec_t, sysadm_chkpwd_t)
-dontaudit run_$3_t shadow_t:file getattr;
-
-# for utmp
-allow run_$3_t initrc_var_run_t:file rw_file_perms;
-allow run_$3_t admin_tty_type:chr_file rw_file_perms;
-
-dontaudit run_$3_t devpts_t:dir { getattr read };
-dontaudit run_$3_t device_t:dir read;
-
-# for auth_chkpwd
-dontaudit run_$3_t shadow_t:file read;
-allow run_$3_t self:process { fork sigchld };
-allow run_$3_t self:fifo_file rw_file_perms;
-allow run_$3_t self:capability setuid;
-allow run_$3_t self:lnk_file read;
-
-# often the administrator runs such programs from a directory that is owned
-# by a different user or has restrictive SE permissions, do not want to audit
-# the failed access to the current directory
-dontaudit run_$3_t file_type:dir search;
-dontaudit run_$3_t self:capability { dac_override dac_read_search };
-
-allow run_$3_t bin_t:lnk_file read;
-can_exec(run_$3_t, { bin_t shell_exec_t })
-ifdef(`chkpwd.te', `
-can_exec(run_$3_t, chkpwd_exec_t)
-')
-
-domain_trans(run_$3_t, $4, $5)
-can_setexec(run_$3_t)
-
-allow run_$3_t privfd:fd use;
-uses_shlib(run_$3_t)
-allow run_$3_t lib_t:file { getattr read };
-can_getsecurity(run_$3_t)
-r_dir_file(run_$3_t,selinux_config_t)
-r_dir_file(run_$3_t,default_context_t)
-allow run_$3_t self:unix_stream_socket create_socket_perms;
-allow run_$3_t self:unix_dgram_socket create_socket_perms;
-allow run_$3_t etc_t:file { getattr read };
-read_locale(run_$3_t)
-allow run_$3_t fs_t:filesystem getattr;
-allow run_$3_t { bin_t sbin_t }:dir search;
-dontaudit run_$3_t device_t:dir { getattr search };
-')
diff --git a/targeted/macros/program/samba_macros.te b/targeted/macros/program/samba_macros.te
deleted file mode 100644
index d766784..0000000
--- a/targeted/macros/program/samba_macros.te
+++ /dev/null
@@ -1,30 +0,0 @@
-#
-# Macros for samba domains.
-#
-
-#
-# Authors:  Dan Walsh <dwalsh@redhat.com>
-#
-
-# 
-# samba_domain(domain_prefix)
-#
-# Define a derived domain for the samba program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/samba.te. 
-#
-undefine(`samba_domain')
-ifdef(`samba.te', `
-define(`samba_domain',`
-if ( samba_enable_home_dirs ) {
-allow smbd_t home_root_t:dir r_dir_perms;
-file_type_auto_trans(smbd_t, $1_home_dir_t, $1_home_t)
-dontaudit smbd_t $1_file_type:dir_file_class_set getattr;
-}
-')
-', `
-define(`samba_domain',`')
-
-')dnl end if samba.te
diff --git a/targeted/macros/program/screen_macros.te b/targeted/macros/program/screen_macros.te
deleted file mode 100644
index e81a90a..0000000
--- a/targeted/macros/program/screen_macros.te
+++ /dev/null
@@ -1,113 +0,0 @@
-#
-# Macros for screen domains.
-#
-
-#
-# Author: Russell Coker <russell@coker.com.au>
-# Based on the work of Stephen Smalley <sds@epoch.ncsc.mil>
-# and Timothy Fraser
-#
-
-#
-# screen_domain(domain_prefix)
-#
-# Define a derived domain for the screen program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/screen.te. 
-#
-undefine(`screen_domain')
-ifdef(`screen.te', `
-define(`screen_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_screen_t, domain, privlog, privfd, nscd_client_domain;
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, screen_exec_t, $1_screen_t)
-
-tmp_domain($1_screen, `', `{ dir file fifo_file }')
-base_file_read_access($1_screen_t)
-# The user role is authorized for this domain.
-role $1_r types $1_screen_t;
-
-uses_shlib($1_screen_t)
-
-# for SSP
-allow $1_screen_t urandom_device_t:chr_file read;
-
-# Revert to the user domain when a shell is executed.
-domain_auto_trans($1_screen_t, { shell_exec_t bin_t }, $1_t)
-domain_auto_trans($1_screen_t, $1_home_t, $1_t)
-if (use_nfs_home_dirs) {
-domain_auto_trans($1_screen_t, nfs_t, $1_t)
-}
-if (use_samba_home_dirs) {
-domain_auto_trans($1_screen_t, cifs_t, $1_t)
-}
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_screen_t $1_gph_t:fd use;')
-
-home_domain_ro($1, screen)
-
-allow $1_screen_t privfd:fd use;
-
-# Write to utmp.
-allow $1_screen_t initrc_var_run_t:file rw_file_perms;
-ifdef(`utempter.te', `
-dontaudit $1_screen_t utempter_exec_t:file execute;
-')
-
-# create pty devices
-can_create_other_pty($1_screen, $1)
-allow $1_screen_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_screen_t device_t:dir { getattr read };
-
-allow $1_screen_t fs_t:filesystem getattr;
-
-# Create fifo
-allow $1_screen_t var_t:dir search;
-file_type_auto_trans($1_screen_t, var_run_t, screen_dir_t, dir)
-type $1_screen_var_run_t, file_type, sysadmfile, pidfile;
-file_type_auto_trans($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file)
-
-allow $1_screen_t self:process { fork signal_perms };
-allow $1_t $1_screen_t:process signal;
-allow $1_screen_t $1_t:process signal;
-allow $1_screen_t self:capability { setuid setgid fsetid };
-
-dontaudit $1_screen_t shadow_t:file read;
-
-allow $1_screen_t tmp_t:dir search;
-can_network($1_screen_t)
-allow $1_screen_t port_type:tcp_socket name_connect;
-can_ypbind($1_screen_t)
-
-# get stats
-allow $1_screen_t proc_t:dir search;
-allow $1_screen_t proc_t:file { getattr read };
-allow $1_screen_t proc_t:lnk_file read;
-allow $1_screen_t etc_t:{ file lnk_file } { read getattr };
-allow $1_screen_t self:dir { search read };
-allow $1_screen_t self:lnk_file read;
-allow $1_screen_t device_t:dir search;
-allow $1_screen_t { home_root_t $1_home_dir_t }:dir search;
-
-# Internal screen networking
-allow $1_screen_t self:fd use;
-allow $1_screen_t self:unix_stream_socket create_socket_perms;
-allow $1_screen_t self:unix_dgram_socket create_socket_perms;
-
-allow $1_screen_t bin_t:dir search;
-allow $1_screen_t bin_t:lnk_file read;
-read_locale($1_screen_t)
-
-dontaudit $1_screen_t file_type:{ chr_file blk_file } getattr;
-')dnl end screen_domain
-
-', `
-
-define(`screen_domain',`')
-
-')
diff --git a/targeted/macros/program/sendmail_macros.te b/targeted/macros/program/sendmail_macros.te
deleted file mode 100644
index 540e0a2..0000000
--- a/targeted/macros/program/sendmail_macros.te
+++ /dev/null
@@ -1,56 +0,0 @@
-#
-# Macros for sendmail domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser 
-#           Russell Coker <russell@coker.com.au>
-#
-
-#
-# sendmail_user_domain(domain_prefix)
-#
-# Define a derived domain for the sendmail program when executed by
-# a user domain to send outgoing mail.  These domains are separate and
-# independent of the domain used for the sendmail daemon process.
-#
-undefine(`sendmail_user_domain')
-define(`sendmail_user_domain', `
-
-# Use capabilities
-allow $1_mail_t self:capability net_bind_service;
-
-tmp_domain($1_mail)
-
-# Write to /var/spool/mail and /var/spool/mqueue.
-allow $1_mail_t mail_spool_t:dir rw_dir_perms;
-allow $1_mail_t mail_spool_t:file create_file_perms;
-allow $1_mail_t mqueue_spool_t:dir rw_dir_perms;
-allow $1_mail_t mqueue_spool_t:file create_file_perms;
-
-# Write to /var/log/sendmail.st
-file_type_auto_trans($1_mail_t, var_log_t, sendmail_log_t)
-
-allow $1_mail_t etc_mail_t:dir { getattr search };
-
-allow $1_mail_t { var_t var_spool_t }:dir getattr;
-
-allow $1_mail_t etc_runtime_t:file { getattr read };
-
-# Check available space.
-allow $1_mail_t fs_t:filesystem getattr;
-
-allow $1_mail_t sysctl_kernel_t:dir search;
-
-ifelse(`$1', `sysadm', `
-allow $1_mail_t proc_t:dir { getattr search };
-allow $1_mail_t proc_t:{ lnk_file file } { getattr read };
-dontaudit $1_mail_t proc_net_t:dir search;
-allow $1_mail_t sysctl_kernel_t:file { getattr read };
-allow $1_mail_t etc_runtime_t:file { getattr read };
-', `
-dontaudit $1_mail_t proc_t:dir search;
-dontaudit $1_mail_t sysctl_kernel_t:file read;
-')dnl end if sysadm
-')
-
diff --git a/targeted/macros/program/slocate_macros.te b/targeted/macros/program/slocate_macros.te
deleted file mode 100644
index 115022b..0000000
--- a/targeted/macros/program/slocate_macros.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#
-# Macros for locate domains.
-#
-
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#
-# locate_domain(domain_prefix)
-#
-# Define a derived domain for the locate program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/locate.te. 
-#
-undefine(`locate_domain')
-ifdef(`slocate.te', `
-define(`locate_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_locate_t, domain;
-
-allow $1_locate_t self:process signal;
-
-allow $1_locate_t etc_t:file { getattr read };
-allow $1_locate_t self:unix_stream_socket create_socket_perms;
-r_dir_file($1_locate_t,locate_var_lib_t)
-allow $1_locate_t var_lib_t:dir search;
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, locate_exec_t, $1_locate_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_locate_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `
-allow $1_locate_t $1_gph_t:fd use;
-')
-
-allow $1_locate_t privfd:fd use;
-
-# allow ps to show locate
-can_ps($1_t, $1_locate_t)
-allow $1_t $1_locate_t:process signal;
-
-uses_shlib($1_locate_t)
-access_terminal($1_locate_t, $1)
-
-allow $1_locate_t { home_root_t $1_home_dir_t $1_file_type }:dir { getattr search };
-allow $1_locate_t $1_file_type:{ file lnk_file } { getattr read };
-
-base_file_read_access($1_locate_t)
-r_dir_file($1_locate_t, { etc_t lib_t var_t })
-dontaudit $1_locate_t { fs_type file_type }:dir r_dir_perms;
-dontaudit $1_locate_t { fs_type file_type -shadow_t}:file { getattr read };
-')
-
-', `
-
-define(`locate_domain',`')
-
-')
diff --git a/targeted/macros/program/spamassassin_macros.te b/targeted/macros/program/spamassassin_macros.te
deleted file mode 100644
index c85cfc7..0000000
--- a/targeted/macros/program/spamassassin_macros.te
+++ /dev/null
@@ -1,128 +0,0 @@
-#
-# Macros for spamassassin domains.
-#
-# Author: Colin Walters <walters@verbum.org>
-
-# spamassassin_domain(domain_prefix)
-#
-# Define derived domains for various spamassassin tools when executed
-# by a user domain.
-#
-# The type declarations for the executable types of these programs are
-# provided separately in domains/program/spamassassin.te and
-# domains/program/spamc.te.
-#
-undefine(`spamassassin_domain')
-ifdef(`spamassassin.te', `define(`using_spamassassin', `')')
-ifdef(`spamd.te', `define(`using_spamassassin', `')')
-ifdef(`spamc.te', `define(`using_spamassassin', `')')
-
-ifdef(`using_spamassassin',`
-
-#######
-# Macros used internally in these spamassassin macros.
-#
-
-###
-# Define a domain for a spamassassin-like program (spamc/spamassassin).
-#
-# Note: most of this should really be in a generic macro like
-# base_user_program($1, foo)
-define(`spamassassin_program_domain',`
-type $1_$2_t, domain, privlog $3;
-domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
-
-role $1_r types $1_$2_t;
-general_domain_access($1_$2_t)
-
-base_file_read_access($1_$2_t)
-r_dir_file($1_$2_t, etc_t)
-ifdef(`sendmail.te', `
-r_dir_file($1_$2_t, etc_mail_t)
-')
-allow $1_$2_t etc_runtime_t:file r_file_perms;
-uses_shlib($1_$2_t)
-read_locale($1_$2_t)
-dontaudit $1_$2_t var_t:dir search;
-tmp_domain($1_$2)
-allow $1_$2_t privfd:fd use;
-allow $1_$2_t userpty_type:chr_file rw_file_perms;
-') dnl end spamassassin_program_domain
-
-###
-# Give privileges to a domain for accessing ~/.spamassassin
-# and a few other misc things like /dev/random.
-# This is granted to /usr/bin/spamassassin and
-# /usr/sbin/spamd, but NOT spamc (because it does not need it).
-#
-define(`spamassassin_agent_privs',`
-allow $1 home_root_t:dir r_dir_perms;
-file_type_auto_trans($1, $2_home_dir_t, $2_spamassassin_home_t)
-create_dir_file($1, $2_spamassassin_home_t)
-
-allow $1 urandom_device_t:chr_file r_file_perms;
-')
-
-#######
-# Define the main spamassassin macro.  This itself creates a
-# domain for /usr/bin/spamassassin, and also spamc/spamd if
-# applicable.
-#
-define(`spamassassin_domain',`
-spamassassin_program_domain($1, spamassassin)
-
-# For perl libraries.
-allow $1_spamassassin_t lib_t:file rx_file_perms;
-# Ignore perl digging in /proc and /var.
-dontaudit $1_spamassassin_t proc_t:dir search;
-dontaudit $1_spamassassin_t proc_t:lnk_file read;
-dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search;
-
-# For ~/.spamassassin
-home_domain($1, spamassassin)
-file_type_auto_trans($1_spamassassin_t, $1_home_dir_t, $1_spamassassin_home_t, dir)
-
-spamassassin_agent_privs($1_spamassassin_t, $1)
-
-can_resolve($1_spamassassin_t)
-# set tunable if you have spamassassin do DNS lookups
-if (spamassasin_can_network) {
-can_network($1_spamassassin_t)
-allow $1_spamassassin_t port_type:tcp_socket name_connect;
-}
-if (spamassasin_can_network && allow_ypbind) {
-uncond_can_ypbind($1_spamassassin_t)
-}
-###
-# Define the domain for /usr/bin/spamc
-#
-ifdef(`spamc.te',`
-spamassassin_program_domain($1, spamc, `, nscd_client_domain')
-can_network($1_spamc_t)
-allow $1_spamc_t port_type:tcp_socket name_connect;
-can_ypbind($1_spamc_t)
-
-# Allow connecting to a local spamd
-ifdef(`spamd.te',`
-can_tcp_connect($1_spamc_t, spamd_t)
-can_unix_connect($1_spamc_t, spamd_t)
-allow $1_spamc_t spamd_tmp_t:sock_file rw_file_perms;
-') dnl endif spamd.te
-') dnl endif spamc.te
-
-###
-# Define the domain for /usr/sbin/spamd
-#
-ifdef(`spamd.te',`
-
-spamassassin_agent_privs(spamd_t, $1)
-
-') dnl endif spamd.te
-
-') dnl end spamassassin_domain
-
-', `
-
-define(`spamassassin_domain',`')
-
-')
diff --git a/targeted/macros/program/ssh_agent_macros.te b/targeted/macros/program/ssh_agent_macros.te
deleted file mode 100644
index 7215f5c..0000000
--- a/targeted/macros/program/ssh_agent_macros.te
+++ /dev/null
@@ -1,117 +0,0 @@
-#
-# Macros for ssh agent
-#
-
-#
-# Author:  Thomas Bleher <ThomasBleher@gmx.de>
-#
-
-# 
-# ssh_agent_domain(domain_prefix)
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/ssh-agent.te. 
-#
-define(`ssh_agent_domain',`
-# Define a derived domain for the ssh-agent program when executed
-# by a user domain.
-# Derived domain based on the calling user domain and the program.
-type $1_ssh_agent_t, domain, privlog;
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, ssh_agent_exec_t, $1_ssh_agent_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_ssh_agent_t;
-
-allow $1_ssh_agent_t privfd:fd use;
-
-# Write to the user domain tty.
-access_terminal($1_ssh_agent_t, $1)
-
-# Allow the user shell to signal the ssh program.
-allow $1_t $1_ssh_agent_t:process signal;
-# allow ps to show ssh
-can_ps($1_t, $1_ssh_agent_t)
-
-can_ypbind($1_ssh_agent_t)
-if (use_nfs_home_dirs) {
-allow $1_ssh_agent_t autofs_t:dir { search getattr };
-rw_dir_create_file($1_ssh_agent_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-rw_dir_create_file($1_ssh_agent_t, cifs_t)
-}
-
-uses_shlib($1_ssh_agent_t)
-read_locale($1_ssh_agent_t)
-
-allow $1_ssh_agent_t proc_t:dir search;
-dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
-dontaudit $1_ssh_agent_t selinux_config_t:dir search;
-dontaudit $1_ssh_agent_t selinux_config_t:file { read getattr };
-read_sysctl($1_ssh_agent_t)
-
-# Access the ssh temporary files. Should we have an own type here
-# to which only ssh, ssh-agent and ssh-add have access?
-allow $1_ssh_agent_t $1_tmp_t:dir r_dir_perms;
-file_type_auto_trans($1_ssh_agent_t, tmp_t, $1_tmp_t)
-allow $1_ssh_agent_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_ssh_agent_t self:unix_dgram_socket create_socket_perms;
-
-allow $1_ssh_agent_t self:process { fork sigchld setrlimit };
-allow $1_ssh_agent_t self:capability setgid;
-
-# access the random devices
-allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file { getattr read };
-
-# for ssh-add
-can_unix_connect($1_t, $1_ssh_agent_t)
-
-# transition back to normal privs upon exec
-domain_auto_trans($1_ssh_agent_t, { bin_t shell_exec_t $1_home_t }, $1_t)
-if (use_nfs_home_dirs) {
-domain_auto_trans($1_ssh_agent_t, nfs_t, $1_t)
-}
-if (use_samba_home_dirs) {
-domain_auto_trans($1_ssh_agent_t, cifs_t, $1_t)
-}
-allow $1_ssh_agent_t bin_t:dir search;
-
-# allow reading of /usr/bin/X11 (is a symlink)
-allow $1_ssh_agent_t bin_t:lnk_file read;
-
-allow $1_ssh_agent_t { $1_ssh_agent_t $1_t }:process signull;
-
-allow $1_ssh_agent_t { home_root_t $1_home_dir_t }:dir search;
-
-allow $1_ssh_t $1_tmp_t:sock_file write;
-allow $1_ssh_t $1_t:unix_stream_socket connectto;
-allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_ssh_agent_t)
-
-# kdm: sigchld
-allow $1_ssh_agent_t xdm_t:process sigchld;
-')
-
-#
-# Allow command to ssh-agent > ~/.ssh_agent
-#
-allow $1_ssh_agent_t $1_home_t:file rw_file_perms;
-allow $1_ssh_agent_t $1_tmp_t:file rw_file_perms;
-
-allow $1_ssh_agent_t etc_runtime_t:file { getattr read };
-allow $1_ssh_agent_t etc_t:file { getattr read };
-allow $1_ssh_agent_t lib_t:file { getattr read };
-
-allow $1_ssh_agent_t self:dir search;
-allow $1_ssh_agent_t self:file { getattr read };
-
-# Allow the ssh program to communicate with ssh-agent.
-allow $1_ssh_t $1_tmp_t:sock_file write;
-allow $1_ssh_t $1_t:unix_stream_socket connectto;
-allow $1_ssh_t sshd_t:unix_stream_socket connectto;
-')dnl end if ssh_agent
-
diff --git a/targeted/macros/program/ssh_macros.te b/targeted/macros/program/ssh_macros.te
deleted file mode 100644
index 0f6549f..0000000
--- a/targeted/macros/program/ssh_macros.te
+++ /dev/null
@@ -1,168 +0,0 @@
-#
-# Macros for ssh domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil>
-#           Russell Coker <russell@coker.com.au>
-#           Thomas Bleher <ThomasBleher@gmx.de>
-#
-
-# 
-# ssh_domain(domain_prefix)
-#
-# Define a derived domain for the ssh program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/ssh.te. 
-#
-undefine(`ssh_domain')
-ifdef(`ssh.te', `
-define(`ssh_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_ssh_t, domain, privlog, nscd_client_domain;
-type $1_home_ssh_t, file_type, $1_file_type, sysadmfile;
-
-allow $1_ssh_t autofs_t:dir { search getattr };
-if (use_nfs_home_dirs) {
-create_dir_file($1_ssh_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1_ssh_t, cifs_t)
-}
-
-# Transition from the user domain to the derived domain.
-domain_auto_trans($1_t, ssh_exec_t, $1_ssh_t)
-
-# The user role is authorized for this domain.
-role $1_r types $1_ssh_t;
-
-# Grant permissions within the domain.
-general_domain_access($1_ssh_t)
-
-# Use descriptors created by sshd
-allow $1_ssh_t privfd:fd use;
-
-uses_shlib($1_ssh_t)
-read_locale($1_ssh_t)
-
-# Get attributes of file systems.
-allow $1_ssh_t fs_type:filesystem getattr;
-
-base_file_read_access($1_ssh_t)
-
-# Read /var.
-r_dir_file($1_ssh_t, var_t)
-
-# Read /var/run, /var/log.
-allow $1_ssh_t var_run_t:dir r_dir_perms;
-allow $1_ssh_t var_run_t:{ file lnk_file } r_file_perms;
-allow $1_ssh_t var_log_t:dir r_dir_perms;
-allow $1_ssh_t var_log_t:{ file lnk_file } r_file_perms;
-
-# Read /etc.
-r_dir_file($1_ssh_t, etc_t)
-allow $1_ssh_t etc_runtime_t:{ file lnk_file } r_file_perms;
-
-# Read /dev directories and any symbolic links.
-allow $1_ssh_t device_t:dir r_dir_perms;
-allow $1_ssh_t device_t:lnk_file r_file_perms;
-
-# Read /dev/urandom.
-allow $1_ssh_t urandom_device_t:chr_file r_file_perms;
-
-# Read and write /dev/null.
-allow $1_ssh_t { null_device_t zero_device_t }:chr_file rw_file_perms;
-
-# Grant permissions needed to create TCP and UDP sockets and
-# to access the network.
-can_network_client_tcp($1_ssh_t)
-allow $1_ssh_t ssh_port_t:tcp_socket name_connect;
-can_resolve($1_ssh_t)
-can_ypbind($1_ssh_t)
-can_kerberos($1_ssh_t)
-
-# for port forwarding
-if (user_tcp_server) {
-allow $1_ssh_t port_t:tcp_socket name_bind;
-}
-
-# Use capabilities.
-allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
-
-# run helper programs - needed eg for x11-ssh-askpass
-can_exec($1_ssh_t, { shell_exec_t bin_t })
-
-# Read the ssh key file.
-allow $1_ssh_t sshd_key_t:file r_file_perms;
-
-# Access the ssh temporary files.
-file_type_auto_trans($1_ssh_t, tmp_t, sshd_tmp_t)
-allow $1_ssh_t $1_tmp_t:dir r_dir_perms;
-
-# for rsync
-allow $1_ssh_t $1_t:unix_stream_socket rw_socket_perms;
-
-# Access the users .ssh directory.
-file_type_auto_trans({ sysadm_ssh_t $1_ssh_t }, $1_home_dir_t, $1_home_ssh_t, dir)
-file_type_auto_trans($1_ssh_t, $1_home_dir_t, $1_home_ssh_t, sock_file)
-allow $1_t $1_home_ssh_t:sock_file create_file_perms;
-allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:file create_file_perms;
-allow { sysadm_ssh_t $1_ssh_t } $1_home_ssh_t:lnk_file { getattr read };
-dontaudit $1_ssh_t $1_home_t:dir { getattr search };
-r_dir_file({ sshd_t sshd_extern_t }, $1_home_ssh_t)
-rw_dir_create_file($1_t, $1_home_ssh_t)
-
-# for /bin/sh used to execute xauth
-dontaudit $1_ssh_t proc_t:dir search;
-dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;')
-
-# Write to the user domain tty.
-access_terminal($1_ssh_t, $1)
-
-# Allow the user shell to signal the ssh program.
-allow $1_t $1_ssh_t:process signal;
-# allow ps to show ssh
-can_ps($1_t, $1_ssh_t)
-
-# Connect to X server
-x_client_domain($1_ssh, $1)
-
-ifdef(`ssh-agent.te', `
-ssh_agent_domain($1)
-')dnl end if ssh_agent.te
-
-#allow ssh to access keys stored on removable media
-# Should we have a boolean around this?
-allow $1_ssh_t mnt_t:dir search;
-r_dir_file($1_ssh_t, removable_t) 
-
-type $1_ssh_keysign_t, domain, nscd_client_domain;
-role $1_r types $1_ssh_keysign_t;
-
-if (allow_ssh_keysign) {
-domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
-allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
-allow $1_ssh_keysign_t self:capability { setgid setuid };
-allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms;
-uses_shlib($1_ssh_keysign_t)
-dontaudit $1_ssh_keysign_t selinux_config_t:dir search;
-dontaudit $1_ssh_keysign_t proc_t:dir search;
-dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read };
-allow $1_ssh_keysign_t usr_t:dir search;
-allow $1_ssh_keysign_t etc_t:file { getattr read };
-allow $1_ssh_keysign_t self:dir search;
-allow $1_ssh_keysign_t self:file { getattr read };
-allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
-}
-
-')dnl end macro definition
-', `
-
-define(`ssh_domain',`')
-
-')dnl end if ssh.te
diff --git a/targeted/macros/program/su_macros.te b/targeted/macros/program/su_macros.te
deleted file mode 100644
index 206f58e..0000000
--- a/targeted/macros/program/su_macros.te
+++ /dev/null
@@ -1,188 +0,0 @@
-#
-# Macros for su domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
-#
-
-#
-# su_domain(domain_prefix)
-#
-# Define a derived domain for the su program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/su.te. 
-#
-
-undefine(`su_restricted_domain')
-undefine(`su_mini_domain')
-undefine(`su_domain')
-ifdef(`su.te', `
-
-define(`su_restricted_domain', `
-# Derived domain based on the calling user domain and the program.
-type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain;
-ifdef(`support_polyinstantiation', `
-typeattribute $1_su_t mlsfileread;
-typeattribute $1_su_t mlsfilewrite;
-typeattribute $1_su_t mlsfileupgrade;
-typeattribute $1_su_t mlsfiledowngrade;
-typeattribute $1_su_t mlsprocsetsl;
-')
-
-# for SSP
-allow $1_su_t urandom_device_t:chr_file { getattr read };
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, su_exec_t, $1_su_t)
-
-allow $1_su_t sbin_t:dir search;
-
-uses_shlib($1_su_t)
-allow $1_su_t etc_t:file { getattr read };
-read_locale($1_su_t)
-read_sysctl($1_su_t)
-allow $1_su_t self:unix_dgram_socket { connect create write };
-allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_su_t self:fifo_file rw_file_perms;
-allow $1_su_t proc_t:dir search;
-allow $1_su_t proc_t:lnk_file read;
-r_dir_file($1_su_t, self)
-allow $1_su_t proc_t:file read;
-allow $1_su_t self:process { setsched setrlimit };
-allow $1_su_t device_t:dir search;
-allow $1_su_t self:process { fork sigchld };
-nsswitch_domain($1_su_t)
-r_dir_file($1_su_t, selinux_config_t)
-
-dontaudit $1_su_t shadow_t:file { getattr read };
-dontaudit $1_su_t home_root_t:dir search;
-dontaudit $1_su_t init_t:fd use;
-allow $1_su_t var_lib_t:dir search;
-allow $1_t $1_su_t:process signal;
-
-ifdef(`crond.te', `
-allow $1_su_t crond_t:fifo_file read;
-')
-
-# Use capabilities.
-allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control audit_write };
-dontaudit $1_su_t self:capability sys_tty_config;
-#
-# Caused by su - init scripts
-#
-dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
-
-# By default, revert to the calling domain when a shell is executed.
-domain_auto_trans($1_su_t, shell_exec_t, $1_t)
-allow $1_su_t bin_t:dir search;
-allow $1_su_t bin_t:lnk_file read;
-
-# But also allow transitions to unprivileged user domains.
-domain_trans($1_su_t, shell_exec_t, unpriv_userdomain)
-can_setexec($1_su_t)
-
-# Get security decisions
-can_getsecurity($1_su_t)
-r_dir_file($1_su_t, default_context_t)
-
-allow $1_su_t privfd:fd use;
-
-# Write to utmp.
-allow $1_su_t { var_t var_run_t }:dir search;
-allow $1_su_t initrc_var_run_t:file rw_file_perms;
-can_kerberos($1_su_t)
-
-ifdef(`chkpwd.te', `
-domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t)
-')
-
-allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
-
-') dnl end su_restricted_domain
-
-define(`su_mini_domain', `
-su_restricted_domain($1,$1)
-if(!secure_mode)
-{
-	# if we are not in secure mode then we can transition to sysadm_t
-	domain_trans($1_su_t, shell_exec_t, sysadm_t)
-}
-
-# Relabel ttys and ptys.
-allow $1_su_t device_t:dir { getattr read search };
-allow $1_su_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-
-# Close and re-open ttys and ptys to get the fd into the correct domain.
-allow $1_su_t { ttyfile ptyfile }:chr_file { read write };
-
-')dnl end su_mini_domain
-
-define(`su_domain', `
-su_mini_domain($1)
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
-
-# The user role is authorized for this domain.
-role $1_r types $1_su_t;
-
-# Write to the user domain tty.
-access_terminal($1_su_t, $1)
-
-allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
-allow $1_su_t $1_home_t:file create_file_perms;
-ifdef(`user_canbe_sysadm', `
-allow $1_su_t home_dir_type:dir { search write };
-', `
-dontaudit $1_su_t home_dir_type:dir { search write };
-')
-
-allow $1_su_t autofs_t:dir { search getattr };
-if (use_nfs_home_dirs) {
-allow $1_su_t nfs_t:dir search;
-}
-if (use_samba_home_dirs) {
-allow $1_su_t cifs_t:dir search;
-}
-
-ifdef(`support_polyinstantiation', `
-# Su can polyinstantiate
-polyinstantiater($1_su_t)
-# Su has to unmount polyinstantiated directories (like home)
-# that should not be polyinstantiated under the new user
-allow $1_su_t fs_t:filesystem unmount;
-# Su needs additional permission to mount over a previous mount
-allow $1_su_t polymember:dir mounton;
-')
-
-# Modify .Xauthority file (via xauth program).
-ifdef(`xauth.te', `
-file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
-file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
-file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
-domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
-')
-
-ifdef(`cyrus.te', `
-allow $1_su_t cyrus_var_lib_t:dir search;
-')
-ifdef(`ssh.te', `
-# Access sshd cookie files.
-allow $1_su_t sshd_tmp_t:dir rw_dir_perms;
-allow $1_su_t sshd_tmp_t:file rw_file_perms;
-file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
-')
-
-allow $1_su_t var_lib_t:dir search;
-dontaudit $1_su_t init_t:fd use;
-')dnl end su_domain
-
-', `
-
-define(`su_domain',`')
-
-')
-
diff --git a/targeted/macros/program/sudo_macros.te b/targeted/macros/program/sudo_macros.te
deleted file mode 100644
index b2b4e1c..0000000
--- a/targeted/macros/program/sudo_macros.te
+++ /dev/null
@@ -1,34 +0,0 @@
-# Authors:  Dan Walsh,  Russell Coker
-# Maintained by Dan Walsh <dwalsh@redhat.com>
-define(`sudo_domain',`
-newrole_domain($1_sudo, `, privuser')
-
-# By default, revert to the calling domain when a shell is executed.
-domain_auto_trans($1_sudo_t, shell_exec_t, $1_t)
-
-ifdef(`mta.te', `
-domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
-allow $1_mail_t $1_sudo_t:fifo_file rw_file_perms;
-')
-
-allow $1_sudo_t self:capability sys_resource;
-
-allow $1_sudo_t self:process setrlimit;
-
-ifdef(`pam.te', `
-allow $1_sudo_t pam_var_run_t:dir create_dir_perms;
-allow $1_sudo_t pam_var_run_t:file create_file_perms;
-')
-
-allow $1_sudo_t initrc_var_run_t:file rw_file_perms;
-allow $1_sudo_t sysctl_t:dir search;
-allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :file getattr;
-allow $1_sudo_t { su_exec_t etc_t lib_t usr_t bin_t sbin_t exec_type } :lnk_file { getattr read };
-read_sysctl($1_sudo_t)
-
-allow $1_sudo_t var_run_t:dir search;
-r_dir_file($1_sudo_t, default_context_t)
-rw_dir_create_file($1_sudo_t, $1_tmp_t)
-rw_dir_create_file($1_sudo_t, $1_home_t)
-domain_auto_trans($1_t, sudo_exec_t, $1_sudo_t)
-')
diff --git a/targeted/macros/program/thunderbird_macros.te b/targeted/macros/program/thunderbird_macros.te
deleted file mode 100644
index 2c0711d..0000000
--- a/targeted/macros/program/thunderbird_macros.te
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# Thunderbird
-#
-# Author: Ivan Gyurdiev <ivg2@cornell.edu>
-#
-
-#######################################
-# thunderbird_domain(role_prefix)
-#
-
-# FIXME: Rules were removed to centralize policy in a gnome_app macro
-# A similar thing might be necessary for mozilla compiled without GNOME
-# support (is this possible?).
-
-define(`thunderbird_domain', `
-
-# Type for program
-type $1_thunderbird_t, domain, nscd_client_domain;
-
-# Transition from user type
-if (! disable_thunderbird_trans) {
-domain_auto_trans($1_t, thunderbird_exec_t, $1_thunderbird_t)
-}
-role $1_r types $1_thunderbird_t;
-
-# FIXME: Why does it try to do that?
-dontaudit $1_thunderbird_t evolution_exec_t:file { getattr execute };
-
-# Why is thunderbird looking in .mozilla ?
-# FIXME: there are legitimate uses of invoking the browser - about -> release notes
-dontaudit $1_thunderbird_t $1_mozilla_home_t:dir search;
-
-# .kde/....gtkrc
-# FIXME: support properly 
-dontaudit $1_thunderbird_t $1_home_t:file { getattr read };
-
-# X, mail common stuff
-x_client_domain($1_thunderbird, $1)
-mail_client_domain($1_thunderbird, $1)
-
-allow $1_thunderbird_t self:process signull;
-allow $1_thunderbird_t fs_t:filesystem getattr;
-
-# GNOME support
-ifdef(`gnome.te', `
-gnome_application($1_thunderbird, $1)
-gnome_file_dialog($1_thunderbird, $1)
-allow $1_thunderbird_t $1_gnome_settings_t:file { read write };
-')
-
-# Access ~/.thunderbird
-home_domain($1, thunderbird)
-
-# RSS feeds
-can_network_client_tcp($1_thunderbird_t, http_port_t) 
-allow $1_thunderbird_t http_port_t:tcp_socket name_connect;
-
-allow $1_thunderbird_t self:process { execheap execmem execstack };
-
-')
diff --git a/targeted/macros/program/tvtime_macros.te b/targeted/macros/program/tvtime_macros.te
deleted file mode 100644
index d965ae1..0000000
--- a/targeted/macros/program/tvtime_macros.te
+++ /dev/null
@@ -1,64 +0,0 @@
-#
-# Macros for tvtime domains.
-#
-
-#
-# Author: Dan Walsh <dwalsh@redhat.com>
-#
-
-#
-# tvtime_domain(domain_prefix)
-#
-# Define a derived domain for the tvtime program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/tvtime.te. 
-#
-undefine(`tvtime_domain')
-ifdef(`tvtime.te', `
-define(`tvtime_domain',`
-
-# Type transition
-type $1_tvtime_t, domain, nscd_client_domain;
-domain_auto_trans($1_t, tvtime_exec_t, $1_tvtime_t)
-role $1_r types $1_tvtime_t;
-
-# X access, Home files
-home_domain($1, tvtime)
-file_type_auto_trans($1_tvtime_t, $1_home_dir_t, $1_tvtime_home_t, dir)
-x_client_domain($1_tvtime, $1)
-
-uses_shlib($1_tvtime_t)
-read_locale($1_tvtime_t)
-read_sysctl($1_tvtime_t)
-access_terminal($1_tvtime_t, $1)
-
-# Allow the user domain to signal/ps.
-can_ps($1_t, $1_tvtime_t)
-allow $1_t $1_tvtime_t:process signal_perms;
-
-# Read /etc/tvtime
-allow $1_tvtime_t etc_t:file { getattr read };
-
-# Tmp files
-tmp_domain($1_tvtime, `', `{ file dir fifo_file }')
-
-allow $1_tvtime_t urandom_device_t:chr_file read;
-allow $1_tvtime_t clock_device_t:chr_file { ioctl read };
-allow $1_tvtime_t kernel_t:system ipc_info;
-allow $1_tvtime_t sound_device_t:chr_file { ioctl read };
-allow $1_tvtime_t $1_home_t:dir { getattr read search };
-allow $1_tvtime_t $1_home_t:file { getattr read };
-allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
-allow $1_tvtime_t self:process setsched;
-allow $1_tvtime_t usr_t:file { getattr read };
-
-')dnl end tvtime_domain
-
-', `
-
-define(`tvtime_domain',`')
-
-')
-
diff --git a/targeted/macros/program/uml_macros.te b/targeted/macros/program/uml_macros.te
deleted file mode 100644
index bc635f8..0000000
--- a/targeted/macros/program/uml_macros.te
+++ /dev/null
@@ -1,137 +0,0 @@
-#
-# Macros for uml domains.
-#
-
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#
-# uml_domain(domain_prefix)
-#
-# Define a derived domain for the uml program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/uml.te. 
-#
-undefine(`uml_domain')
-ifdef(`uml.te', `
-define(`uml_domain',`
-
-# Derived domain based on the calling user domain and the program.
-type $1_uml_t, domain;
-type $1_uml_exec_t, file_type, sysadmfile, $1_file_type;
-type $1_uml_ro_t, file_type, sysadmfile, $1_file_type;
-type $1_uml_rw_t, file_type, sysadmfile, $1_file_type;
-
-# for X
-ifdef(`startx.te', `
-ifelse($1, sysadm, `', `
-ifdef(`xdm.te', `
-allow $1_uml_t xdm_xserver_tmp_t:dir search;
-')dnl end if xdm.te
-allow $1_uml_t $1_xserver_tmp_t:sock_file write;
-can_unix_connect($1_uml_t, $1_xserver_t)
-')dnl end ifelse sysadm
-')dnl end ifdef startx
-
-allow $1_t { $1_uml_ro_t $1_uml_rw_t }:{ file sock_file fifo_file } { relabelfrom relabelto create_file_perms };
-allow $1_t $1_uml_exec_t:file { relabelfrom relabelto create_file_perms };
-allow $1_t { $1_uml_ro_t $1_uml_rw_t }:lnk_file { relabelfrom relabelto create_lnk_perms };
-allow $1_t { $1_uml_ro_t $1_uml_rw_t $1_uml_exec_t }:dir { relabelfrom relabelto create_dir_perms };
-r_dir_file($1_t, uml_ro_t)
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, { uml_exec_t $1_uml_exec_t }, $1_uml_t)
-can_exec($1_uml_t, { uml_exec_t $1_uml_exec_t })
-
-# The user role is authorized for this domain.
-role $1_r types $1_uml_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `allow $1_uml_t $1_gph_t:fd use;')
-
-# Inherit and use descriptors from newrole.
-ifdef(`newrole.te', `allow $1_uml_t newrole_t:fd use;')
-
-# allow ps, ptrace, signal
-can_ps($1_t, $1_uml_t)
-can_ptrace($1_t, $1_uml_t)
-allow $1_t $1_uml_t:process signal_perms;
-
-# allow the UML thing to happen
-allow $1_uml_t self:process { fork signal_perms ptrace };
-can_create_pty($1_uml)
-allow $1_uml_t root_t:dir search;
-tmp_domain($1_uml)
-can_exec($1_uml_t, $1_uml_tmp_t)
-tmpfs_domain($1_uml)
-can_exec($1_uml_t, $1_uml_tmpfs_t)
-create_dir_file($1_t, $1_uml_tmp_t)
-allow $1_t $1_uml_tmp_t:sock_file create_file_perms;
-allow $1_uml_t self:fifo_file rw_file_perms;
-allow $1_uml_t fs_t:filesystem getattr;
-
-allow $1_uml_t tun_tap_device_t:chr_file { read write ioctl };
-
-ifdef(`uml_net.te', `
-# for uml_net
-domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t)
-allow uml_net_t $1_uml_t:unix_stream_socket { read write };
-allow uml_net_t $1_uml_t:unix_dgram_socket { read write };
-dontaudit uml_net_t privfd:fd use;
-can_access_pty(uml_net_t, $1_uml)
-dontaudit uml_net_t $1_uml_rw_t:dir { getattr search };
-')dnl end ifdef uml_net.te
-
-# for mconsole
-allow { $1_t $1_uml_t } $1_uml_t:unix_dgram_socket sendto;
-allow $1_uml_t $1_t:unix_dgram_socket sendto;
-
-# Use the network.
-can_network($1_uml_t)
-allow $1_uml_t port_type:tcp_socket name_connect;
-can_ypbind($1_uml_t)
-
-# for xterm
-uses_shlib($1_uml_t)
-can_exec($1_uml_t, { bin_t sbin_t lib_t })
-allow $1_uml_t { bin_t sbin_t }:dir search;
-allow $1_uml_t etc_t:file { getattr read };
-dontaudit $1_uml_t etc_runtime_t:file read;
-can_tcp_connect($1_uml_t, sshd_t)
-ifdef(`xauth.te', `
-allow $1_uml_t $1_xauth_home_t:file { getattr read };
-')
-allow $1_uml_t var_run_t:dir search;
-allow $1_uml_t initrc_var_run_t:file { getattr read };
-dontaudit $1_uml_t initrc_var_run_t:file { write lock };
-
-allow $1_uml_t device_t:dir search;
-allow $1_uml_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_uml_t self:unix_dgram_socket create_socket_perms;
-allow $1_uml_t privfd:fd use;
-allow $1_uml_t proc_t:dir search;
-allow $1_uml_t proc_t:file { getattr read };
-
-# for SKAS - need something better
-allow $1_uml_t proc_t:file write;
-
-# Write to the user domain tty.
-access_terminal($1_uml_t, $1)
-
-# access config files
-allow $1_uml_t home_root_t:dir search;
-file_type_auto_trans($1_uml_t, $1_home_dir_t, $1_uml_rw_t)
-r_dir_file($1_uml_t, { $1_uml_ro_t uml_ro_t })
-
-# putting uml data under /var is usual...
-allow $1_uml_t var_t:dir search;
-')dnl end macro definition
-
-', `
-
-define(`uml_domain',`')
-
-')
diff --git a/targeted/macros/program/userhelper_macros.te b/targeted/macros/program/userhelper_macros.te
deleted file mode 100644
index 2c715d3..0000000
--- a/targeted/macros/program/userhelper_macros.te
+++ /dev/null
@@ -1,142 +0,0 @@
-#DESC Userhelper - SELinux utility to run a shell with a new role
-#
-# Authors:  Dan Walsh (Red Hat)
-# Maintained by Dan Walsh <dwalsh@redhat.com>
-#
-
-#
-# userhelper_domain(domain_prefix)
-#
-# Define a derived domain for the userhelper/userhelper program when executed by
-# a user domain.  
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/userhelper.te. 
-#
-define(`userhelper_domain',`
-type $1_userhelper_t, domain, userhelperdomain, privlog, privrole, privowner, auth_chkpwd, privfd, privuser, nscd_client_domain;
-
-in_user_role($1_userhelper_t)
-role sysadm_r types $1_userhelper_t;
-
-ifelse($1, sysadm, `
-typealias sysadm_userhelper_t alias userhelper_t;
-domain_auto_trans(initrc_t, userhelper_exec_t, sysadm_userhelper_t)
-')
-
-general_domain_access($1_userhelper_t);
-
-uses_shlib($1_userhelper_t)
-read_locale($1_userhelper_t)
-read_sysctl($1_userhelper_t)
-
-# for when the user types "exec userhelper" at the command line
-allow $1_userhelper_t privfd:process sigchld;
-
-domain_auto_trans($1_t, userhelper_exec_t, $1_userhelper_t)
-
-# Inherit descriptors from the current session.
-allow $1_userhelper_t { init_t privfd }:fd use;
-
-can_exec($1_userhelper_t, { bin_t sbin_t userhelper_exec_t })
-
-# Execute shells
-allow $1_userhelper_t { sbin_t bin_t }:dir r_dir_perms;
-allow $1_userhelper_t { sbin_t bin_t }:lnk_file read;
-allow $1_userhelper_t shell_exec_t:file r_file_perms;
-
-# By default, revert to the calling domain when a program is executed.
-domain_auto_trans($1_userhelper_t, { bin_t sbin_t }, $1_t)
-
-# Allow $1_userhelper_t to transition to user domains.
-domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, unpriv_userdomain)
-if (!secure_mode) {
-	# if we are not in secure mode then we can transition to sysadm_t
-	domain_trans($1_userhelper_t, { bin_t sbin_t exec_type }, sysadm_t)
-}
-can_setexec($1_userhelper_t)
-
-ifdef(`distro_redhat', `
-ifdef(`rpm.te', `
-# Allow transitioning to rpm_t, for up2date
-allow $1_userhelper_t rpm_t:process { transition siginh rlimitinh noatsecure };
-')
-')
-
-# Use capabilities.
-allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
-
-# Write to utmp.
-file_type_auto_trans($1_userhelper_t, var_run_t, initrc_var_run_t, file)
-
-# Read the devpts root directory.
-allow $1_userhelper_t devpts_t:dir r_dir_perms;
-
-# Read the /etc/security/default_type file
-allow $1_userhelper_t etc_t:file r_file_perms;
-
-# Read /var.
-r_dir_file($1_userhelper_t, var_t)
-
-# Read /dev directories and any symbolic links.
-allow $1_userhelper_t device_t:dir r_dir_perms;
-
-# Relabel terminals.
-allow $1_userhelper_t { ttyfile ptyfile }:chr_file { relabelfrom relabelto };
-
-# Access terminals.
-allow $1_userhelper_t { ttyfile ptyfile devtty_t }:chr_file rw_file_perms;
-ifdef(`gnome-pty-helper.te', `allow $1_userhelper_t gphdomain:fd use;')
-
-#
-# Allow $1_userhelper to obtain contexts to relabel TTYs
-#
-can_getsecurity($1_userhelper_t)
-
-allow $1_userhelper_t fs_t:filesystem getattr;
-
-# for some PAM modules and for cwd
-allow $1_userhelper_t { home_root_t $1_home_dir_t }:dir search;
-
-allow $1_userhelper_t proc_t:dir search;
-allow $1_userhelper_t proc_t:file { getattr read };
-
-# for when the network connection is killed
-dontaudit unpriv_userdomain $1_userhelper_t:process signal;
-
-allow $1_userhelper_t userhelper_conf_t:file rw_file_perms;
-allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
-
-ifdef(`pam.te', `
-allow $1_userhelper_t pam_var_run_t:dir create_dir_perms;
-allow $1_userhelper_t pam_var_run_t:file create_file_perms;
-')
-
-allow $1_userhelper_t urandom_device_t:chr_file { getattr read };
-
-allow $1_userhelper_t autofs_t:dir search;
-role system_r types $1_userhelper_t;
-r_dir_file($1_userhelper_t, nfs_t)
-
-ifdef(`xdm.te', `
-can_pipe_xdm($1_userhelper_t)
-allow $1_userhelper_t xdm_var_run_t:dir search;
-')
-
-r_dir_file($1_userhelper_t, selinux_config_t)
-r_dir_file($1_userhelper_t, default_context_t)
-
-ifdef(`xauth.te', `
-domain_auto_trans($1_userhelper_t, xauth_exec_t, $1_xauth_t)
-allow $1_userhelper_t $1_xauth_home_t:file { getattr read };
-')
-
-ifdef(`pamconsole.te', `
-allow $1_userhelper_t pam_var_console_t:dir { search };
-')
-
-ifdef(`mozilla.te', `
-domain_auto_trans($1_mozilla_t, userhelper_exec_t, $1_userhelper_t)
-')
-
-')dnl end userhelper macro
diff --git a/targeted/macros/program/vmware_macros.te b/targeted/macros/program/vmware_macros.te
deleted file mode 100644
index bb0914a..0000000
--- a/targeted/macros/program/vmware_macros.te
+++ /dev/null
@@ -1,128 +0,0 @@
-# Macro for vmware
-#
-# Based on work contributed by Mark Westerman (mark.westerman@westcam.com), 
-# modifications by NAI Labs.
-#
-# Turned into a macro by Thomas Bleher <ThomasBleher@gmx.de>
-#
-# vmware_domain(domain_prefix)
-#
-# Define a derived domain for the vmware program when executed by
-# a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/vmware.te. This file also
-# implements a separate domain vmware_t.
-#
- 
-define(`vmware_domain', `
-
-# Domain for the user applications to run in.
-type $1_vmware_t, domain, privmem;
-
-role $1_r types $1_vmware_t;
-
-# The user file type is for files created when the user is running VMWare
-type $1_vmware_file_t, $1_file_type, file_type, sysadmfile;
-
-# The user file type for the VMWare configuration files
-type $1_vmware_conf_t, $1_file_type, file_type, sysadmfile;
-
-#############################################################
-# User rules for running VMWare
-#
-# Transition to VMWare user domain
-domain_auto_trans($1_t, vmware_user_exec_t, $1_vmware_t)
-can_exec($1_vmware_t, vmware_user_exec_t)
-uses_shlib($1_vmware_t)
-var_run_domain($1_vmware)
-
-general_domain_access($1_vmware_t);
-
-# Capabilities needed by VMWare for the user execution. This seems a 
-# bit too much, so be careful.
-allow $1_vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio };
-
-# Access to ttys
-allow $1_vmware_t vmware_device_t:chr_file rw_file_perms;
-allow $1_vmware_t $1_tty_device_t:chr_file rw_file_perms;
-allow $1_vmware_t privfd:fd use;
-
-# Access /proc
-r_dir_file($1_vmware_t, proc_t)
-allow $1_vmware_t proc_net_t:dir search;
-allow $1_vmware_t proc_net_t:file { getattr read };
-
-# Access to some files in the user home directory
-r_dir_file($1_vmware_t, $1_home_t)
-
-# Access to runtime files for user
-allow $1_vmware_t $1_vmware_file_t:dir rw_dir_perms;
-allow $1_vmware_t $1_vmware_file_t:file create_file_perms;
-allow $1_vmware_t $1_vmware_conf_t:file create_file_perms;
-
-# Allow read access to /etc/vmware and /usr/lib/vmware configuration files
-r_dir_file($1_vmware_t, vmware_sys_conf_t)
-
-# Allow $1_vmware_t to read/write files in the tmp dir
-tmp_domain($1_vmware)
-allow $1_vmware_t $1_vmware_tmp_t:file execute;
-
-# Allow read access to several paths
-r_dir_file($1_vmware_t, etc_t)
-allow $1_vmware_t etc_runtime_t:file r_file_perms;
-allow $1_vmware_t device_t:dir r_dir_perms;
-allow $1_vmware_t var_t:dir r_dir_perms;
-allow $1_vmware_t tmpfs_t:file rw_file_perms;
-
-# Allow vmware to write to ~/.vmware
-rw_dir_create_file($1_vmware_t, $1_vmware_file_t)
-
-#
-# This is bad; VMWare needs execute permission to the .cfg file for the
-# configuration to run.
-#
-allow $1_vmware_t $1_vmware_conf_t:file execute;
-
-# Access X11 config files
-allow $1_vmware_t lib_t:file r_file_perms;
-
-# Access components of VMWare in /usr/lib/vmware/bin by default
-allow $1_vmware_t bin_t:dir r_dir_perms;
-
-# Allow access to lp port (Need to create an lp device domain )
-allow $1_vmware_t device_t:chr_file r_file_perms;
-
-# Allow access to /dev/mem
-allow $1_vmware_t memory_device_t:chr_file { read write };
-
-# Allow access to mouse
-allow $1_vmware_t mouse_device_t:chr_file r_file_perms;
-
-# Allow access the sound device 
-allow $1_vmware_t sound_device_t:chr_file { ioctl write };
-
-# Allow removable media and devices
-allow $1_vmware_t removable_device_t:blk_file r_file_perms;
-allow $1_vmware_t device_t:lnk_file read;
-
-# Allow access to the real time clock device
-allow $1_vmware_t clock_device_t:chr_file read;
-
-# Allow to attach to Xserver, and Xserver to attach back
-ifdef(`gnome-pty-helper.te', `
-allow $1_vmware_t $1_gph_t:fd use;
-')
-ifdef(`startx.te', `
-allow $1_vmware_t $1_xserver_tmp_t:sock_file { unlink write };
-allow $1_vmware_t $1_xserver_tmp_t:dir search;
-allow $1_vmware_t $1_xserver_t:unix_stream_socket connectto;
-allow $1_xserver_t $1_vmware_t:shm r_shm_perms;
-allow $1_xserver_t $1_vmware_t:fd use;
-')
-
-# Allow filesystem read access
-allow $1_vmware_t fs_t:filesystem getattr;
-
-')
-
diff --git a/targeted/macros/program/x_client_macros.te b/targeted/macros/program/x_client_macros.te
deleted file mode 100644
index adce9f0..0000000
--- a/targeted/macros/program/x_client_macros.te
+++ /dev/null
@@ -1,96 +0,0 @@
-#
-# Macros for X client programs 
-#
-
-#
-# Author: Russell Coker <russell@coker.com.au>
-# Based on the work of Stephen Smalley <sds@epoch.ncsc.mil>
-# and Timothy Fraser 
-#
-
-# Allows clients to write to the X server's shm 
-bool allow_write_xshm false;
-
-define(`xsession_domain', `
-
-# Connect to xserver
-can_unix_connect($1_t, $2_xserver_t)
-
-# Read /tmp/.X0-lock
-allow $1_t $2_xserver_tmp_t:file { getattr read };
-
-# Signal Xserver
-allow $1_t $2_xserver_t:process signal;
-
-# Xserver read/write client shm
-allow $2_xserver_t $1_t:fd use;
-allow $2_xserver_t $1_t:shm rw_shm_perms;
-allow $2_xserver_t $1_tmpfs_t:file rw_file_perms;
-
-# Client read xserver shm
-allow $1_t $2_xserver_t:fd use;
-allow $1_t $2_xserver_t:shm r_shm_perms;
-allow $1_t $2_xserver_tmpfs_t:file r_file_perms;
-
-# Client write xserver shm
-if (allow_write_xshm) {
-allow $1_t $2_xserver_t:shm rw_shm_perms;
-allow $1_t $2_xserver_tmpfs_t:file rw_file_perms;
-}
-
-')
-
-#
-# x_client_domain(client, role)
-#
-# Defines common X access rules for the client domain
-#
-define(`x_client_domain',`
-
-# Create socket to communicate with X server
-allow $1_t self:unix_dgram_socket create_socket_perms;
-allow $1_t self:unix_stream_socket { connectto create_stream_socket_perms };
-
-# Read .Xauthority file
-ifdef(`xauth.te',`
-allow $1_t home_root_t:dir { search getattr };
-allow $1_t $2_home_dir_t:dir { search getattr };
-allow $1_t $2_xauth_home_t:file { getattr read };
-')
-
-# for .xsession-errors
-dontaudit $1_t $2_home_t:file write;
-
-# for X over a ssh tunnel
-ifdef(`ssh.te', `
-can_tcp_connect($1_t, sshd_t)
-')
-
-# Use a separate type for tmpfs/shm pseudo files.
-tmpfs_domain($1)
-allow $1_t self:shm create_shm_perms;
-
-# allow X client to read all font files
-read_fonts($1_t, $2)
-
-# Allow connections to X server.
-ifdef(`xserver.te', `
-allow $1_t tmp_t:dir search;
-
-ifdef(`xdm.te', `
-xsession_domain($1, xdm)
-
-# for when /tmp/.X11-unix is created by the system
-can_pipe_xdm($1_t)
-allow $1_t xdm_tmp_t:dir search;
-allow $1_t xdm_tmp_t:sock_file { read write };
-dontaudit $1_t xdm_t:tcp_socket { read write };
-')
-
-ifdef(`startx.te', `
-xsession_domain($1, $2)
-')dnl end startx
-
-')dnl end xserver
-
-')dnl end x_client macro
diff --git a/targeted/macros/program/xauth_macros.te b/targeted/macros/program/xauth_macros.te
deleted file mode 100644
index ca7a5ee..0000000
--- a/targeted/macros/program/xauth_macros.te
+++ /dev/null
@@ -1,83 +0,0 @@
-#
-# Macros for xauth domains.
-#
-
-#
-# Author:  Russell Coker <russell@coker.com.au>
-#
-
-#
-# xauth_domain(domain_prefix)
-#
-# Define a derived domain for the xauth program when executed
-# by a user domain.
-#
-# The type declaration for the executable type for this program is
-# provided separately in domains/program/xauth.te. 
-#
-undefine(`xauth_domain')
-ifdef(`xauth.te', `
-define(`xauth_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_xauth_t, domain;
-
-allow $1_xauth_t self:process signal;
-
-home_domain($1, xauth)
-file_type_auto_trans($1_xauth_t, $1_home_dir_t, $1_xauth_home_t, file)
-
-# Transition from the user domain to this domain.
-domain_auto_trans($1_t, xauth_exec_t, $1_xauth_t)
-ifdef(`ssh.te', `
-domain_auto_trans($1_ssh_t, xauth_exec_t, $1_xauth_t)
-allow $1_xauth_t sshd_t:fifo_file { getattr read };
-dontaudit $1_xauth_t $1_ssh_t:tcp_socket { read write };
-allow $1_xauth_t sshd_t:process sigchld;
-')dnl end if ssh
-
-# The user role is authorized for this domain.
-role $1_r types $1_xauth_t;
-
-# Inherit and use descriptors from gnome-pty-helper.
-ifdef(`gnome-pty-helper.te', `
-allow $1_xauth_t $1_gph_t:fd use;
-')
-
-allow $1_xauth_t privfd:fd use;
-allow $1_xauth_t ptmx_t:chr_file { read write };
-
-# allow ps to show xauth
-can_ps($1_t, $1_xauth_t)
-allow $1_t $1_xauth_t:process signal;
-
-uses_shlib($1_xauth_t)
-
-# allow DNS lookups...
-can_resolve($1_xauth_t)
-can_ypbind($1_xauth_t)
-ifdef(`named.te', `
-can_udp_send($1_xauth_t, named_t)
-can_udp_send(named_t, $1_xauth_t)
-')dnl end if named.te
-
-allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
-allow $1_xauth_t etc_t:file { getattr read };
-allow $1_xauth_t fs_t:filesystem getattr;
-
-# Write to the user domain tty.
-access_terminal($1_xauth_t, $1)
-
-# Scan /var/run.
-allow $1_xauth_t var_t:dir search;
-allow $1_xauth_t var_run_t:dir search; 
-
-tmp_domain($1_xauth)
-allow $1_xauth_t $1_tmp_t:file { getattr ioctl read };
-
-')dnl end xauth_domain macro
-
-', `
-
-define(`xauth_domain',`')
-
-')dnl end if xauth.te
diff --git a/targeted/macros/program/xdm_macros.te b/targeted/macros/program/xdm_macros.te
deleted file mode 100644
index bea127f..0000000
--- a/targeted/macros/program/xdm_macros.te
+++ /dev/null
@@ -1,13 +0,0 @@
-########################################
-#
-# can_pipe_xdm(domain)
-#
-# Allow communication to xdm over a pipe
-#
-
-define(`can_pipe_xdm', `
-ifdef(`xdm.te', `
-allow $1 xdm_t:fd use;
-allow $1 xdm_t:fifo_file { getattr read write ioctl };
-')
-') dnl can_pipe_xdm
diff --git a/targeted/macros/program/xserver_macros.te b/targeted/macros/program/xserver_macros.te
deleted file mode 100644
index e2eaf82..0000000
--- a/targeted/macros/program/xserver_macros.te
+++ /dev/null
@@ -1,274 +0,0 @@
-#
-# Macros for X server domains.
-#
-
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
-#
-
-#################################
-#
-# xserver_domain(domain_prefix)
-#
-# Define a derived domain for the X server when executed
-# by a user domain (e.g. via startx).  See the xdm_t domain
-# in domains/program/xdm.te if using an X Display Manager.
-#
-# The type declarations for the executable type for this program 
-# and the log type are provided separately in domains/program/xserver.te. 
-#
-# FIXME!  The X server requires far too many privileges.
-#
-undefine(`xserver_domain')
-ifdef(`xserver.te', `
-
-define(`xserver_domain',`
-# Derived domain based on the calling user domain and the program.
-ifdef(`distro_redhat', `
-type $1_xserver_t, domain, privlog, privmem, privmodule, nscd_client_domain;
-allow $1_xserver_t sysctl_modprobe_t:file { getattr read };
-ifdef(`rpm.te', `
-allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
-allow $1_xserver_t rpm_tmpfs_t:file { read write };
-allow $1_xserver_t rpm_t:fd use;
-')
-
-', `
-type $1_xserver_t, domain, privlog, privmem, nscd_client_domain;
-')
-
-# for SSP
-allow $1_xserver_t urandom_device_t:chr_file { getattr read ioctl };
-
-# Transition from the user domain to this domain.
-ifelse($1, xdm, `
-ifdef(`xdm.te', `
-domain_auto_trans(xdm_t, xserver_exec_t, xdm_xserver_t)
-')
-', `
-domain_auto_trans($1_t, xserver_exec_t, $1_xserver_t)
-')dnl end ifelse xdm
-can_exec($1_xserver_t, xserver_exec_t)
-
-uses_shlib($1_xserver_t)
-
-allow $1_xserver_t texrel_shlib_t:file execmod;
-
-can_network($1_xserver_t)
-allow $1_xserver_t port_type:tcp_socket name_connect;
-can_ypbind($1_xserver_t)
-allow $1_xserver_t xserver_port_t:tcp_socket name_bind;
-
-# for access within the domain
-general_domain_access($1_xserver_t)
-
-allow $1_xserver_t self:process execmem;
-# Until the X module loader is fixed.
-allow $1_xserver_t self:process execheap;
-
-allow $1_xserver_t etc_runtime_t:file { getattr read };
-
-ifelse($1, xdm, `
-# The system role is authorised for the xdm and initrc domains
-role system_r types xdm_xserver_t;
-
-allow xdm_xserver_t init_t:fd use;
-
-dontaudit xdm_xserver_t home_dir_type:dir { read search };
-
-# Read all global and per user fonts
-read_fonts($1_xserver_t, sysadm)
-read_fonts($1_xserver_t, staff)
-read_fonts($1_xserver_t, user)
-
-', `
-# The user role is authorized for this domain.
-role $1_r types $1_xserver_t;
-
-allow $1_xserver_t getty_t:fd use;
-allow $1_xserver_t local_login_t:fd use;
-allow $1_xserver_t $1_tty_device_t:chr_file { setattr rw_file_perms };
-
-allow $1_xserver_t $1_tmpfs_t:file rw_file_perms;
-allow $1_t $1_xserver_tmpfs_t:file rw_file_perms;
-
-can_unix_connect($1_t, $1_xserver_t)
-
-# Read fonts
-read_fonts($1_xserver_t, $1)
-
-# Access the home directory.
-allow $1_xserver_t home_root_t:dir search;
-allow $1_xserver_t $1_home_dir_t:dir { getattr search };
-
-ifdef(`xauth.te', `
-domain_auto_trans($1_xserver_t, xauth_exec_t, $1_xauth_t)
-allow $1_xserver_t $1_xauth_home_t:file { getattr read };
-', `
-allow $1_xserver_t $1_home_t:file { getattr read };
-')dnl end ifdef xauth
-ifdef(`userhelper.te', `
-allow $1_xserver_t userhelper_conf_t:dir search;
-')dnl end ifdef userhelper
-')dnl end ifelse xdm
-
-allow $1_xserver_t self:process setsched;
-
-allow $1_xserver_t fs_t:filesystem getattr;
-
-# Xorg wants to check if kernel is tainted
-read_sysctl($1_xserver_t)
-
-# Use capabilities.
-# allow setuid/setgid for the wrapper program to change UID
-# sys_rawio is for iopl access - should not be needed for frame-buffer
-# sys_admin, locking shared mem?  chowning IPC message queues or semaphores?
-# admin of APM bios?
-# sys_nice is so that the X server can set a negative nice value
-allow $1_xserver_t self:capability { dac_override fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
-allow $1_xserver_t nfs_t:dir { getattr search };
-
-# memory_device_t access is needed if not using the frame buffer
-#dontaudit $1_xserver_t memory_device_t:chr_file read;
-allow $1_xserver_t memory_device_t:chr_file { rw_file_perms execute };
-# net_bind_service is needed if you want your X server to allow TCP connections
-# from other hosts, EG an XDM serving a network of X terms
-# if you want good security you do not want this
-# not sure why some people want chown, fsetid, and sys_tty_config.
-#allow $1_xserver_t self:capability { net_bind_service chown fsetid sys_tty_config };
-dontaudit $1_xserver_t self:capability chown;
-
-# for nscd
-dontaudit $1_xserver_t var_run_t:dir search;
-
-allow $1_xserver_t mtrr_device_t:file rw_file_perms;
-allow $1_xserver_t apm_bios_t:chr_file rw_file_perms;
-allow $1_xserver_t framebuf_device_t:chr_file rw_file_perms;
-allow $1_xserver_t device_t:lnk_file { getattr read };
-allow $1_xserver_t devtty_t:chr_file rw_file_perms;
-allow $1_xserver_t zero_device_t:chr_file { read write execute };
-
-# Type for temporary files.
-tmp_domain($1_xserver, `', `{ dir file sock_file }')
-file_type_auto_trans($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
-
-ifelse($1, xdm, `
-ifdef(`xdm.te', `
-allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-allow xdm_t $1_xserver_t:process signal;
-can_unix_connect(xdm_t, xdm_xserver_t)
-allow xdm_t xdm_xserver_tmp_t:sock_file rw_file_perms;
-allow xdm_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow xdm_xserver_t xdm_t:process signal;
-allow xdm_xserver_t xdm_t:shm rw_shm_perms;
-allow xdm_t xdm_xserver_t:shm rw_shm_perms;
-dontaudit xdm_xserver_t sysadm_t:shm { unix_read unix_write };
-')
-', `
-allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
-allow $1_t xdm_xserver_t:unix_stream_socket connectto;
-allow $1_t $1_xserver_t:process signal;
-
-# Allow the user domain to connect to the X server.
-can_unix_connect($1_t, $1_xserver_t)
-allow $1_t $1_xserver_tmp_t:sock_file rw_file_perms;
-allow $1_t $1_xserver_tmp_t:dir r_dir_perms;
-ifdef(`xdm.te', `
-allow $1_t xdm_tmp_t:sock_file unlink;
-allow $1_xserver_t xdm_var_run_t:dir search;
-')
-
-# Signal the user domain.
-allow $1_xserver_t $1_t:process signal;
-
-# Communicate via System V shared memory.
-allow $1_xserver_t $1_t:shm rw_shm_perms;
-allow $1_t $1_xserver_t:shm rw_shm_perms;
-allow $1_xserver_t initrc_t:shm rw_shm_perms;
-
-')dnl end ifelse xdm
-
-# Create files in /var/log with the xserver_log_t type.
-allow $1_xserver_t var_t:dir search;
-file_type_auto_trans($1_xserver_t, var_log_t, xserver_log_t, file)
-allow $1_xserver_t xserver_log_t:dir r_dir_perms;
-
-# Access AGP device.
-allow $1_xserver_t agp_device_t:chr_file rw_file_perms;
-
-# for other device nodes such as the NVidia binary-only driver
-allow $1_xserver_t xserver_misc_device_t:chr_file rw_file_perms;
-
-# Access /proc/mtrr
-allow $1_xserver_t proc_t:file rw_file_perms;
-allow $1_xserver_t proc_t:lnk_file { getattr read };
-
-# Access /proc/sys/dev
-allow $1_xserver_t sysctl_dev_t:dir search;
-allow $1_xserver_t sysctl_dev_t:file { getattr read };
-# Access /proc/bus/pci
-allow $1_xserver_t proc_t:dir r_dir_perms;
-
-# Create and access /dev/dri devices.
-allow $1_xserver_t device_t:dir { create setattr };
-file_type_auto_trans($1_xserver_t, device_t, dri_device_t, chr_file)
-# brought on by rhgb
-allow $1_xserver_t mnt_t:dir search;
-
-allow $1_xserver_t tty_device_t:chr_file { setattr rw_file_perms };
-
-# Run helper programs in $1_xserver_t.
-allow $1_xserver_t { bin_t sbin_t }:dir search;
-allow $1_xserver_t etc_t:{ file lnk_file } { getattr read };
-allow $1_xserver_t bin_t:lnk_file read;
-can_exec($1_xserver_t, { bin_t shell_exec_t })
-
-# Connect to xfs.
-ifdef(`xfs.te', `
-can_unix_connect($1_xserver_t, xfs_t)
-allow $1_xserver_t xfs_tmp_t:dir r_dir_perms;
-allow $1_xserver_t xfs_tmp_t:sock_file rw_file_perms;
-
-# Bind to the X server socket in /tmp.
-allow $1_xserver_t $1_xserver_tmp_t:unix_stream_socket name_bind;
-')
-
-read_locale($1_xserver_t)
-
-# Type for tmpfs/shm files.
-tmpfs_domain($1_xserver)
-ifelse($1, xdm, `
-ifdef(`xdm.te', `
-allow xdm_xserver_t xdm_t:shm rw_shm_perms;
-allow xdm_xserver_t xdm_tmpfs_t:file rw_file_perms;
-')
-', `
-allow $1_xserver_t $1_t:shm rw_shm_perms;
-rw_dir_file($1_xserver_t, $1_tmpfs_t)
-')dnl end ifelse xdm
-
-
-r_dir_file($1_xserver_t,sysfs_t)
-
-# Use the mouse.
-allow $1_xserver_t mouse_device_t:chr_file rw_file_perms;
-# Allow xserver to read events - the synaptics touchpad
-# driver reads raw events
-allow $1_xserver_t event_device_t:chr_file rw_file_perms;
-ifdef(`pamconsole.te', `
-allow $1_xserver_t pam_var_console_t:dir search;
-')
-dontaudit $1_xserver_t selinux_config_t:dir search;
-
-allow $1_xserver_t var_lib_t:dir search;
-rw_dir_create_file($1_xserver_t, xkb_var_lib_t)
-
-')dnl end macro definition
-
-', `
-
-define(`xserver_domain',`')
-
-')
-
diff --git a/targeted/macros/program/ypbind_macros.te b/targeted/macros/program/ypbind_macros.te
deleted file mode 100644
index 04a8f1d..0000000
--- a/targeted/macros/program/ypbind_macros.te
+++ /dev/null
@@ -1,19 +0,0 @@
-define(`uncond_can_ypbind', `
-can_network($1)
-r_dir_file($1,var_yp_t)
-allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;
-allow $1 { portmap_port_t reserved_port_t port_t }:tcp_socket name_connect;
-dontaudit $1 self:capability net_bind_service;
-dontaudit $1 reserved_port_type:tcp_socket name_connect;
-dontaudit $1 reserved_port_type:{ tcp_socket udp_socket } name_bind;
-')
-
-define(`can_ypbind', `
-ifdef(`ypbind.te', `
-if (allow_ypbind) {
-uncond_can_ypbind($1)
-} else {
-dontaudit $1 var_yp_t:dir search;
-}
-') dnl ypbind.te
-') dnl can_ypbind
diff --git a/targeted/macros/user_macros.te b/targeted/macros/user_macros.te
deleted file mode 100644
index fb9b9ae..0000000
--- a/targeted/macros/user_macros.te
+++ /dev/null
@@ -1,325 +0,0 @@
-#
-# Macros for all user login domains.
-#
-
-# role_tty_type_change(starting_role, ending_role)
-#
-# change from role $1_r to $2_r and relabel tty appropriately
-#
-
-undefine(`role_tty_type_change')
-define(`role_tty_type_change', `
-allow $1_r $2_r;
-type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
-type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
-# avoid annoying messages on terminal hangup
-dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
-')
-
-#
-# reach_sysadm(user)
-#
-# Reach sysadm_t via programs like userhelper/sudo/su
-#
-
-undefine(`reach_sysadm')
-define(`reach_sysadm', `
-ifdef(`userhelper.te', `userhelper_domain($1)')
-ifdef(`sudo.te', `sudo_domain($1)')
-ifdef(`su.te', `
-su_domain($1)
-# When an ordinary user domain runs su, su may try to
-# update the /root/.Xauthority file, and the user shell may
-# try to update the shell history. This is not allowed, but 
-# we dont need to audit it.
-dontaudit $1_su_t { sysadm_home_dir_t staff_home_dir_t }:dir search;
-dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;
-dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;
-') dnl ifdef su.te
-ifdef(`xauth.te', `
-file_type_auto_trans($1_xauth_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
-ifdef(`userhelper.te', `
-file_type_auto_trans($1_userhelper_t, sysadm_home_dir_t, sysadm_xauth_home_t,file)
-') dnl userhelper.te 
-') dnl xauth.te 
-') dnl reach_sysadm
-
-#
-# priv_user(user)
-#
-# Privileged user domain
-#
-
-undefine(`priv_user')
-define(`priv_user', `
-# Reach sysadm_t
-reach_sysadm($1)
-
-# Read file_contexts for rpm and get security decisions. 
-r_dir_file($1_t, file_context_t)
-can_getsecurity($1_t)
-
-# Signal and see information about unprivileged user domains.
-allow $1_t unpriv_userdomain:process signal_perms;
-can_ps($1_t, unpriv_userdomain)
-allow $1_t { ttyfile ptyfile tty_device_t }:chr_file getattr;
-
-# Read /root files if boolean is enabled.
-if (staff_read_sysadm_file) {
-allow $1_t sysadm_home_dir_t:dir { getattr search };
-allow $1_t sysadm_home_t:file { getattr read };
-}
-
-') dnl priv_user
-
-#
-# user_domain(domain_prefix)
-#
-# Define derived types and rules for an ordinary user domain.
-#
-# The type declaration and role authorization for the domain must be
-# provided separately.  Likewise, domain transitions into this domain
-# must be specified separately.  
-#
-
-# user_domain() is also called by the admin_domain() macro
-undefine(`user_domain')
-define(`user_domain', `
-# Use capabilities
-
-# Type for home directory.
-type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, polydir;
-type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type, polymember;
-
-# Transition manually for { lnk sock fifo }. The rest is in content macros.
-tmp_domain_notrans($1, `, user_tmpfile, $1_file_type')
-file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
-allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
-
-ifdef(`support_polyinstantiation', `
-type_member $1_t tmp_t:dir $1_tmp_t;
-type_member $1_t $1_home_dir_t:dir $1_home_t;
-')
-
-base_user_domain($1)
-ifdef(`mls_policy', `', `
-access_removable_media($1_t)
-')
-
-# do not allow privhome access to sysadm_home_dir_t
-file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
-
-allow $1_t boot_t:dir { getattr search };
-dontaudit $1_t boot_t:lnk_file read;
-dontaudit $1_t boot_t:file read;
-allow $1_t system_map_t:file { getattr read };
-
-# Instantiate derived domains for a number of programs.
-# These derived domains encode both information about the calling
-# user domain and the program, and allow us to maintain separation
-# between different instances of the program being run by different
-# user domains.
-ifelse($1, sysadm, `',`
-ifdef(`apache.te', `apache_user_domain($1)')
-ifdef(`i18n_input.te', `i18n_input_domain($1)')
-')
-ifdef(`slocate.te', `locate_domain($1)')
-ifdef(`lockdev.te', `lockdev_domain($1)')
-
-can_kerberos($1_t)
-# allow port_t name binding for UDP because it is not very usable otherwise
-allow $1_t port_t:udp_socket name_bind;
-
-#
-# Need the following rule to allow users to run vpnc
-#
-ifdef(`xserver.te', `
-allow $1_t xserver_port_t:tcp_socket name_bind;
-')
-
-# Allow users to run TCP servers (bind to ports and accept connection from
-# the same domain and outside users)  disabling this forces FTP passive mode
-# and may change other protocols
-if (user_tcp_server) {
-allow $1_t port_t:tcp_socket name_bind;
-}
-# port access is audited even if dac would not have allowed it, so dontaudit it here
-dontaudit $1_t { reserved_port_type reserved_port_t }:tcp_socket name_bind;
-
-# Allow system log read
-if (user_dmesg) {
-allow $1_t kernel_t:system syslog_read;
-} else {
-# else do not log it
-dontaudit $1_t kernel_t:system syslog_read;
-}
-
-# Allow read access to utmp.
-allow $1_t initrc_var_run_t:file { getattr read lock };
-# The library functions always try to open read-write first,
-# then fall back to read-only if it fails. 
-# Do not audit write denials to utmp to avoid the noise.
-dontaudit $1_t initrc_var_run_t:file write;
-
-
-# do not audit read on disk devices
-dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
-
-ifdef(`xdm.te', `
-allow xdm_t $1_home_t:lnk_file read;
-allow xdm_t $1_home_t:dir search;
-#
-# Changing this to dontaudit should cause the .xsession-errors file to be written to /tmp
-# 
-dontaudit xdm_t $1_home_t:file rw_file_perms;
-')dnl end ifdef xdm.te
-
-ifdef(`ftpd.te', `
-if (ftp_home_dir) {
-file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
-}
-')dnl end ifdef ftpd
-
-
-')dnl end user_domain macro
-
-
-###########################################################################
-#
-# Domains for ordinary users.
-#
-undefine(`limited_user_role')
-define(`limited_user_role', `
-# user_t/$1_t is an unprivileged users domain.
-type $1_t, domain, userdomain, unpriv_userdomain, nscd_client_domain, privfd;
-
-#Type for tty devices.
-type $1_tty_device_t, sysadmfile, ttyfile, user_tty_type, dev_fs;
-# Type and access for pty devices.
-can_create_pty($1, `, userpty_type, user_tty_type')
-
-# Access ttys.
-allow $1_t privfd:fd use;
-allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
-
-# Grant read/search permissions to some of /proc.
-r_dir_file($1_t, proc_t)
-# netstat needs to access proc_net_t; if you want to hide this info use dontaudit here instead
-r_dir_file($1_t, proc_net_t)
-
-base_file_read_access($1_t)
-
-# Execute from the system shared libraries.
-uses_shlib($1_t)
-
-# Read /etc.
-r_dir_file($1_t, etc_t)
-allow $1_t etc_runtime_t:file r_file_perms;
-allow $1_t etc_runtime_t:lnk_file { getattr read };
-
-allow $1_t self:process { fork sigchld setpgid signal_perms };
-
-# read localization information
-read_locale($1_t)
-
-read_sysctl($1_t)
-can_exec($1_t, { bin_t sbin_t shell_exec_t ls_exec_t })
-
-allow $1_t self:dir search;
-allow $1_t self:file { getattr read };
-allow $1_t self:fifo_file rw_file_perms;
-
-allow $1_t self:lnk_file read;
-allow $1_t self:unix_stream_socket create_socket_perms;
-allow $1_t urandom_device_t:chr_file { getattr read };
-dontaudit $1_t { var_spool_t var_log_t }:dir search;
-
-# Read /dev directories and any symbolic links.
-allow $1_t device_t:dir r_dir_perms;
-allow $1_t device_t:lnk_file { getattr read };
-allow $1_t devtty_t:chr_file { read write };
-
-')
-
-undefine(`full_user_role')
-define(`full_user_role', `
-
-limited_user_role($1)
-
-typeattribute  $1_t web_client_domain;
-
-attribute $1_file_type;
-
-ifdef(`useradd.te', `
-# Useradd relabels /etc/skel files so needs these privs 
-allow useradd_t $1_file_type:dir create_dir_perms;
-allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
-')
-
-can_exec($1_t, usr_t)
-
-# Read directories and files with the readable_t type.
-# This type is a general type for "world"-readable files.
-allow $1_t readable_t:dir r_dir_perms;
-allow $1_t readable_t:notdevfile_class_set r_file_perms;
-
-# Stat lost+found.
-allow $1_t lost_found_t:dir getattr;
-
-# Read /var, /var/spool, /var/run.
-r_dir_file($1_t, var_t)
-# what about pipes and sockets under /var/spool?
-r_dir_file($1_t, var_spool_t)
-r_dir_file($1_t, var_run_t)
-allow $1_t var_lib_t:dir r_dir_perms;
-allow $1_t var_lib_t:file { getattr read };
-
-# for running depmod as part of the kernel packaging process
-allow $1_t modules_conf_t:file { getattr read };
-
-# Read man directories and files.
-r_dir_file($1_t, man_t)
-
-# Allow users to rw usb devices
-if (user_rw_usb) {
-rw_dir_create_file($1_t,usbdevfs_t)
-} else {
-r_dir_file($1_t,usbdevfs_t)
-}
-
-r_dir_file($1_t,sysfs_t)
-
-# Do not audit write denials to /etc/ld.so.cache.
-dontaudit $1_t ld_so_cache_t:file write;
-
-# $1_t is also granted permissions specific to user domains.
-user_domain($1)
-
-dontaudit $1_t sysadm_home_t:file { read append };
-
-ifdef(`syslogd.te', `
-# Some programs that are left in $1_t will try to connect
-# to syslogd, but we do not want to let them generate log messages.
-# Do not audit.
-dontaudit $1_t devlog_t:sock_file { read write };
-dontaudit $1_t syslogd_t:unix_dgram_socket sendto;
-')
-
-# Stop warnings about access to /dev/console
-dontaudit $1_t init_t:fd use;
-dontaudit $1_t initrc_t:fd use;
-allow $1_t initrc_t:fifo_file write;
-
-#
-# Rules used to associate a homedir as a mountpoint
-#
-allow $1_home_t self:filesystem associate;
-allow $1_file_type $1_home_t:filesystem associate;
-')
-
-undefine(`in_user_role')
-define(`in_user_role', `
-role user_r types $1;
-role staff_r types $1;
-')
-
diff --git a/targeted/mcs b/targeted/mcs
deleted file mode 100644
index 8a04ae8..0000000
--- a/targeted/mcs
+++ /dev/null
@@ -1,162 +0,0 @@
-#
-# Define sensitivities 
-#
-# Each sensitivity has a name and zero or more aliases.
-#
-# MCS is single-sensitivity.
-#
-sensitivity s0;
-
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 }
-
-
-#
-# Define the categories
-#
-# Each category has a name and zero or more aliases.
-#
-category c0; category c1; category c2; category c3;
-category c4; category c5; category c6; category c7;
-category c8; category c9; category c10; category c11;
-category c12; category c13; category c14; category c15;
-category c16; category c17; category c18; category c19;
-category c20; category c21; category c22; category c23;
-category c24; category c25; category c26; category c27;
-category c28; category c29; category c30; category c31;
-category c32; category c33; category c34; category c35;
-category c36; category c37; category c38; category c39;
-category c40; category c41; category c42; category c43;
-category c44; category c45; category c46; category c47;
-category c48; category c49; category c50; category c51;
-category c52; category c53; category c54; category c55;
-category c56; category c57; category c58; category c59;
-category c60; category c61; category c62; category c63;
-category c64; category c65; category c66; category c67;
-category c68; category c69; category c70; category c71;
-category c72; category c73; category c74; category c75;
-category c76; category c77; category c78; category c79;
-category c80; category c81; category c82; category c83;
-category c84; category c85; category c86; category c87;
-category c88; category c89; category c90; category c91;
-category c92; category c93; category c94; category c95;
-category c96; category c97; category c98; category c99;
-category c100; category c101; category c102; category c103;
-category c104; category c105; category c106; category c107;
-category c108; category c109; category c110; category c111;
-category c112; category c113; category c114; category c115;
-category c116; category c117; category c118; category c119;
-category c120; category c121; category c122; category c123;
-category c124; category c125; category c126; category c127;
-category c128; category c129; category c130; category c131;
-category c132; category c133; category c134; category c135;
-category c136; category c137; category c138; category c139;
-category c140; category c141; category c142; category c143;
-category c144; category c145; category c146; category c147;
-category c148; category c149; category c150; category c151;
-category c152; category c153; category c154; category c155;
-category c156; category c157; category c158; category c159;
-category c160; category c161; category c162; category c163;
-category c164; category c165; category c166; category c167;
-category c168; category c169; category c170; category c171;
-category c172; category c173; category c174; category c175;
-category c176; category c177; category c178; category c179;
-category c180; category c181; category c182; category c183;
-category c184; category c185; category c186; category c187;
-category c188; category c189; category c190; category c191;
-category c192; category c193; category c194; category c195;
-category c196; category c197; category c198; category c199;
-category c200; category c201; category c202; category c203;
-category c204; category c205; category c206; category c207;
-category c208; category c209; category c210; category c211;
-category c212; category c213; category c214; category c215;
-category c216; category c217; category c218; category c219;
-category c220; category c221; category c222; category c223;
-category c224; category c225; category c226; category c227;
-category c228; category c229; category c230; category c231;
-category c232; category c233; category c234; category c235;
-category c236; category c237; category c238; category c239;
-category c240; category c241; category c242; category c243;
-category c244; category c245; category c246; category c247;
-category c248; category c249; category c250; category c251;
-category c252; category c253; category c254; category c255;
-
-
-#
-# Each MCS level specifies a sensitivity and zero or more categories which may
-# be associated with that sensitivity.
-#
-level s0:c0.c255;
-
-#
-# Define the MCS policy
-#
-# mlsconstrain class_set perm_set expression ;
-#
-# mlsvalidatetrans class_set expression ;
-#
-# expression : ( expression )
-#	     | not expression
-#	     | expression and expression
-#	     | expression or expression
-#	     | u1 op u2
-#	     | r1 role_mls_op r2
-#	     | t1 op t2
-#	     | l1 role_mls_op l2
-#	     | l1 role_mls_op h2
-#	     | h1 role_mls_op l2
-#	     | h1 role_mls_op h2
-#	     | l1 role_mls_op h1
-#	     | l2 role_mls_op h2
-#	     | u1 op names
-#	     | u2 op names
-#	     | r1 op names
-#	     | r2 op names
-#	     | t1 op names
-#	     | t2 op names
-#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
-#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
-#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
-#
-# op : == | !=
-# role_mls_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name
-#
-
-#
-# MCS policy for the file classes
-#
-# Constrain file access so that the high range of the process dominates
-# the high range of the file.  We use the high range of the process so
-# that processes can always simply run at s0.
-#
-# Only files are constrained by MCS at this stage.
-#
-mlsconstrain file { write setattr append unlink link rename
-		    create ioctl lock execute } (h1 dom h2);
-
-mlsconstrain file { read } ((h1 dom h2) or 
-			    ( t1 == mlsfileread ));
-
-
-# new file labels must be dominated by the relabeling subject's clearance
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto }
-	( h1 dom h2 );
-
-define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append 
-link unlink rename relabelfrom relabelto }')
-
-define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink 
-rename search add_name remove_name reparent write rmdir relabelfrom 
-relabelto }')
-
-# XXX
-#
-# For some reason, we need to reference the mlsfileread attribute
-# or we get a build error.  Below is a dummy entry to do this.
-mlsconstrain xextension query ( t1 == mlsfileread );
-
diff --git a/targeted/mls b/targeted/mls
deleted file mode 100644
index c7d04ef..0000000
--- a/targeted/mls
+++ /dev/null
@@ -1,665 +0,0 @@
-#
-# Define sensitivities 
-#
-# Each sensitivity has a name and zero or more aliases.
-#
-sensitivity s0;
-sensitivity s1;
-sensitivity s2;
-sensitivity s3;
-sensitivity s4;
-sensitivity s5;
-sensitivity s6;
-sensitivity s7;
-sensitivity s8;
-sensitivity s9;
-sensitivity s10;
-sensitivity s11;
-sensitivity s12;
-sensitivity s13;
-sensitivity s14;
-sensitivity s15;
-
-#
-# Define the ordering of the sensitivity levels (least to greatest)
-#
-dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
-
-
-#
-# Define the categories
-#
-# Each category has a name and zero or more aliases.
-#
-category c0; category c1; category c2; category c3;
-category c4; category c5; category c6; category c7;
-category c8; category c9; category c10; category c11;
-category c12; category c13; category c14; category c15;
-category c16; category c17; category c18; category c19;
-category c20; category c21; category c22; category c23;
-category c24; category c25; category c26; category c27;
-category c28; category c29; category c30; category c31;
-category c32; category c33; category c34; category c35;
-category c36; category c37; category c38; category c39;
-category c40; category c41; category c42; category c43;
-category c44; category c45; category c46; category c47;
-category c48; category c49; category c50; category c51;
-category c52; category c53; category c54; category c55;
-category c56; category c57; category c58; category c59;
-category c60; category c61; category c62; category c63;
-category c64; category c65; category c66; category c67;
-category c68; category c69; category c70; category c71;
-category c72; category c73; category c74; category c75;
-category c76; category c77; category c78; category c79;
-category c80; category c81; category c82; category c83;
-category c84; category c85; category c86; category c87;
-category c88; category c89; category c90; category c91;
-category c92; category c93; category c94; category c95;
-category c96; category c97; category c98; category c99;
-category c100; category c101; category c102; category c103;
-category c104; category c105; category c106; category c107;
-category c108; category c109; category c110; category c111;
-category c112; category c113; category c114; category c115;
-category c116; category c117; category c118; category c119;
-category c120; category c121; category c122; category c123;
-category c124; category c125; category c126; category c127;
-category c128; category c129; category c130; category c131;
-category c132; category c133; category c134; category c135;
-category c136; category c137; category c138; category c139;
-category c140; category c141; category c142; category c143;
-category c144; category c145; category c146; category c147;
-category c148; category c149; category c150; category c151;
-category c152; category c153; category c154; category c155;
-category c156; category c157; category c158; category c159;
-category c160; category c161; category c162; category c163;
-category c164; category c165; category c166; category c167;
-category c168; category c169; category c170; category c171;
-category c172; category c173; category c174; category c175;
-category c176; category c177; category c178; category c179;
-category c180; category c181; category c182; category c183;
-category c184; category c185; category c186; category c187;
-category c188; category c189; category c190; category c191;
-category c192; category c193; category c194; category c195;
-category c196; category c197; category c198; category c199;
-category c200; category c201; category c202; category c203;
-category c204; category c205; category c206; category c207;
-category c208; category c209; category c210; category c211;
-category c212; category c213; category c214; category c215;
-category c216; category c217; category c218; category c219;
-category c220; category c221; category c222; category c223;
-category c224; category c225; category c226; category c227;
-category c228; category c229; category c230; category c231;
-category c232; category c233; category c234; category c235;
-category c236; category c237; category c238; category c239;
-category c240; category c241; category c242; category c243;
-category c244; category c245; category c246; category c247;
-category c248; category c249; category c250; category c251;
-category c252; category c253; category c254; category c255;
-
-
-#
-# Each MLS level specifies a sensitivity and zero or more categories which may
-# be associated with that sensitivity.
-#
-level s0:c0.c255;
-level s1:c0.c255;
-level s2:c0.c255;
-level s3:c0.c255;
-level s4:c0.c255;
-level s5:c0.c255;
-level s6:c0.c255;
-level s7:c0.c255;
-level s8:c0.c255;
-level s9:c0.c255;
-level s10:c0.c255;
-level s11:c0.c255;
-level s12:c0.c255;
-level s13:c0.c255;
-level s14:c0.c255;
-level s15:c0.c255;
-
-
-#
-# Define the MLS policy
-#
-# mlsconstrain class_set perm_set expression ;
-#
-# mlsvalidatetrans class_set expression ;
-#
-# expression : ( expression )
-#	     | not expression
-#	     | expression and expression
-#	     | expression or expression
-#	     | u1 op u2
-#	     | r1 role_mls_op r2
-#	     | t1 op t2
-#	     | l1 role_mls_op l2
-#	     | l1 role_mls_op h2
-#	     | h1 role_mls_op l2
-#	     | h1 role_mls_op h2
-#	     | l1 role_mls_op h1
-#	     | l2 role_mls_op h2
-#	     | u1 op names
-#	     | u2 op names
-#	     | r1 op names
-#	     | r2 op names
-#	     | t1 op names
-#	     | t2 op names
-#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
-#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
-#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
-#
-# op : == | !=
-# role_mls_op : == | != | eq | dom | domby | incomp
-#
-# names : name | { name_list }
-# name_list : name | name_list name
-#
-
-#
-# MLS policy for the file classes
-#
-
-# make sure these file classes are "single level"
-mlsconstrain { file lnk_file fifo_file } { create relabelto }
-	( l2 eq h2 );
-
-# new file labels must be dominated by the relabeling subject's clearance
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
-	( h1 dom h2 );
-
-# the file "read" ops (note the check is dominance of the low level)
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsfileread ) or
-	 ( t2 == mlstrustedobject ));
-
-mlsconstrain dir search
-	(( l1 dom l2 ) or
-	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsfileread ) or
-	 ( t2 == mlstrustedobject ));
-
-# the "single level" file "write" ops
-mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsfilewrite ) or
-	 ( t2 == mlstrustedobject ));
-
-# the "ranged" file "write" ops
-mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
-	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsfilewrite ) or
-	 ( t2 == mlstrustedobject ));
-
-mlsconstrain dir { add_name remove_name reparent rmdir }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
-	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsfilewrite ) or
-	 ( t2 == mlstrustedobject ));
-
-# these access vectors have no MLS restrictions
-# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
-#
-# { file chr_file } { execute_no_trans entrypoint execmod }
-
-# the file upgrade/downgrade rule
-mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
-	((( l1 eq l2 ) or
-	  (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
-	  (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
-	  (( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
-	 (( h1 eq h2 ) or
-	  (( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or
-	  (( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or
-	  (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
-
-# create can also require the upgrade/downgrade checks if the creating process
-# has used setfscreate (note that both the high and low level of the object
-# default to the process' sensitivity level)
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
-	((( l1 eq l2 ) or
-	  (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
-	  (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
-	  (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
-	 (( l1 eq h2 ) or
-	  (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
-	  (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
-	  (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
-
-
-
-
-#
-# MLS policy for the filesystem class
-#
-
-# new filesystem labels must be dominated by the relabeling subject's clearance
-mlsconstrain filesystem relabelto
-	( h1 dom h2 );
-
-# the filesystem "read" ops (implicit single level)
-mlsconstrain filesystem { getattr quotaget }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsfileread ));
-
-# all the filesystem "write" ops (implicit single level)
-mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsfilewrite ));
-
-# these access vectors have no MLS restrictions
-# filesystem { transition associate }
-
-
-
-
-#
-# MLS policy for the socket classes
-#
-
-# new socket labels must be dominated by the relabeling subject's clearance
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
-	( h1 dom h2 );
-
-# the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsnetread ));
-
-mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
-	(( l1 dom l2 ) or
-	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsnetread ));
-
-# the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
-	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsnetwrite ));
-
-# these access vectors have no MLS restrictions
-# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
-#
-# { tcp_socket udp_socket rawip_socket } node_bind
-#
-# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
-#
-# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
-#
-
-
-
-
-#
-# MLS policy for the ipc classes
-#
-
-# the ipc "read" ops (implicit single level)
-mlsconstrain { ipc sem msgq shm } { getattr read unix_read }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsipcread ));
-
-mlsconstrain msg receive
-	(( l1 dom l2 ) or
-	 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsipcread ));
-
-# the ipc "write" ops (implicit single level)
-mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsipcwrite ));
-
-mlsconstrain msgq enqueue
-	(( l1 eq l2 ) or
-	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsipcwrite ));
-
-mlsconstrain shm lock
-	(( l1 eq l2 ) or
-	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsipcwrite ));
-
-mlsconstrain msg send
-	(( l1 eq l2 ) or
-	 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsipcwrite ));
-
-# these access vectors have no MLS restrictions
-# { ipc sem msgq shm } associate
-
-
-
-
-#
-# MLS policy for the fd class
-#
-
-# these access vectors have no MLS restrictions
-# fd use
-
-
-
-
-#
-# MLS policy for the network object classes
-#
-
-# the netif/node "read" ops (implicit single level socket doing the read)
-#                           (note the check is dominance of the low level)
-mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv }
-	(( l1 dom l2 ) or ( t1 == mlsnetrecvall ));
-
-# the netif/node "write" ops (implicit single level socket doing the write)
-mlsconstrain { netif node } { tcp_send udp_send rawip_send }
-	(( l1 dom l2 ) and ( l1 domby h2 ));
-
-# these access vectors have no MLS restrictions
-# { netif node } { enforce_dest }
-
-
-
-
-#
-# MLS policy for the process class
-#
-
-# new process labels must be dominated by the relabeling subject's clearance
-# and sensitivity level changes require privilege
-mlsconstrain process transition
-	(( h1 dom h2 ) and
-	 (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or
-	  (( t1 == privrangetrans ) and ( t2 == mlsrangetrans ))));
-mlsconstrain process dyntransition
-	(( h1 dom h2 ) and
-	 (( l1 eq l2 ) or ( t1 == mlsprocsetsl )));
-
-# all the process "read" ops
-mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsprocread ));
-
-# all the process "write" ops (note the check is equality on the low level)
-mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsprocwrite ));
-
-# these access vectors have no MLS restrictions
-# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem }
-
-
-
-
-#
-# MLS policy for the security class
-#
-
-# these access vectors have no MLS restrictions
-# security *
-
-
-
-
-#
-# MLS policy for the system class
-#
-
-# these access vectors have no MLS restrictions
-# system *
-
-
-
-
-#
-# MLS policy for the capability class
-#
-
-# these access vectors have no MLS restrictions
-# capability *
-
-
-
-
-#
-# MLS policy for the passwd class
-#
-
-# these access vectors have no MLS restrictions
-# passwd *
-
-
-
-
-#
-# MLS policy for the drawable class
-#
-
-# the drawable "read" ops (implicit single level)
-mlsconstrain drawable { getattr copy }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the drawable "write" ops (implicit single level)
-mlsconstrain drawable { create destroy draw copy }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the gc class
-#
-
-# the gc "read" ops (implicit single level)
-mlsconstrain gc getattr
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the gc "write" ops (implicit single level)
-mlsconstrain gc { create free setattr }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the window class
-#
-
-# the window "read" ops (implicit single level)
-mlsconstrain window { listprop getattr enumerate mousemotion inputevent drawevent windowchangeevent windowchangerequest serverchangeevent extensionevent }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the window "write" ops (implicit single level)
-mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ) or
-	 ( t2 == mlstrustedobject ));
-
-# these access vectors have no MLS restrictions
-# window { map unmap }
-
-
-
-
-#
-# MLS policy for the font class
-#
-
-# the font "read" ops (implicit single level)
-mlsconstrain font { load getattr }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinread ));
-
-# the font "write" ops (implicit single level)
-mlsconstrain font free
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-# these access vectors have no MLS restrictions
-# font use
-
-
-
-
-#
-# MLS policy for the colormap class
-#
-
-# the colormap "read" ops (implicit single level)
-mlsconstrain colormap { list read getattr }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinreadcolormap ) or
-	 ( t1 == mlsxwinread ));
-
-# the colormap "write" ops (implicit single level)
-mlsconstrain colormap { create free install uninstall store setattr }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwritecolormap ) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the property class
-#
-
-# the property "read" ops (implicit single level)
-mlsconstrain property { read }
-	(( l1 dom l2 ) or
-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsxwinreadproperty ) or
-	 ( t1 == mlsxwinread ));
-
-# the property "write" ops (implicit single level)
-mlsconstrain property { create free write }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwriteproperty ) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the cursor class
-#
-
-# the cursor "write" ops (implicit single level)
-mlsconstrain cursor { create createglyph free assign setattr }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the xclient class
-#
-
-# the xclient "write" ops (implicit single level)
-mlsconstrain xclient kill
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the xinput class
-#
-
-# these access vectors have no MLS restrictions
-# xinput ~{ relabelinput setattr }
-
-# the xinput "write" ops (implicit single level)
-mlsconstrain xinput { setattr relabelinput }
-	(( l1 eq l2 ) or
-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsxwinwritexinput ) or
-	 ( t1 == mlsxwinwrite ));
-
-
-
-
-#
-# MLS policy for the xserver class
-#
-
-# these access vectors have no MLS restrictions
-# xserver *
-
-
-
-
-#
-# MLS policy for the xextension class
-#
-
-# these access vectors have no MLS restrictions
-# xextension { query use }
-
-
-#
-# MLS policy for the pax class
-#
-
-# these access vectors have no MLS restrictions
-# pax { pageexec emutramp mprotect randmmap randexec segmexec }
-
-
-
-
-#
-# MLS policy for the dbus class
-#
-
-# these access vectors have no MLS restrictions
-# dbus { acquire_svc send_msg }
-
-
-
-
-#
-# MLS policy for the nscd class
-#
-
-# these access vectors have no MLS restrictions
-# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost }
-
-
-
-
-#
-# MLS policy for the association class
-#
-
-# these access vectors have no MLS restrictions
-# association { sendto recvfrom }
-
diff --git a/targeted/net_contexts b/targeted/net_contexts
deleted file mode 100644
index 59e6c54..0000000
--- a/targeted/net_contexts
+++ /dev/null
@@ -1,245 +0,0 @@
-# FLASK
-
-#
-# Security contexts for network entities
-# If no context is specified, then a default initial SID is used.
-#
-
-# Modified by Reino Wallin <reino@oribium.com>
-# Multi NIC, and IPSEC features
-
-# Modified by Russell Coker
-# ifdefs to encapsulate domains, and many additional port contexts
-
-#
-# Port numbers (default = initial SID "port")
-# 
-# protocol number context
-# protocol low-high context
-#
-portcon tcp 7 system_u:object_r:inetd_child_port_t:s0
-portcon udp 7 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 9 system_u:object_r:inetd_child_port_t:s0
-portcon udp 9 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 13 system_u:object_r:inetd_child_port_t:s0
-portcon udp 13 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 19 system_u:object_r:inetd_child_port_t:s0
-portcon udp 19 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 37 system_u:object_r:inetd_child_port_t:s0
-portcon udp 37 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 113 system_u:object_r:auth_port_t:s0
-portcon tcp 512 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 543 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 544 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 891 system_u:object_r:inetd_child_port_t:s0
-portcon udp 891 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 892 system_u:object_r:inetd_child_port_t:s0
-portcon udp 892 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 2105 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 20 system_u:object_r:ftp_data_port_t:s0
-portcon tcp 21 system_u:object_r:ftp_port_t:s0
-portcon tcp 22 system_u:object_r:ssh_port_t:s0
-portcon tcp 23 system_u:object_r:telnetd_port_t:s0
-
-portcon tcp 25 system_u:object_r:smtp_port_t:s0
-portcon tcp 465 system_u:object_r:smtp_port_t:s0
-portcon tcp 587 system_u:object_r:smtp_port_t:s0
-
-portcon udp 500 system_u:object_r:isakmp_port_t:s0
-portcon udp 53 system_u:object_r:dns_port_t:s0
-portcon tcp 53 system_u:object_r:dns_port_t:s0
-
-portcon udp 67  system_u:object_r:dhcpd_port_t:s0
-portcon udp 647  system_u:object_r:dhcpd_port_t:s0
-portcon tcp 647  system_u:object_r:dhcpd_port_t:s0
-portcon udp 847  system_u:object_r:dhcpd_port_t:s0
-portcon tcp 847  system_u:object_r:dhcpd_port_t:s0
-portcon udp 68  system_u:object_r:dhcpc_port_t:s0
-portcon udp 70 system_u:object_r:gopher_port_t:s0
-portcon tcp 70 system_u:object_r:gopher_port_t:s0
-
-portcon udp 69  system_u:object_r:tftp_port_t:s0
-portcon tcp 79  system_u:object_r:fingerd_port_t:s0
-
-portcon tcp 80  system_u:object_r:http_port_t:s0
-portcon tcp 443  system_u:object_r:http_port_t:s0
-portcon tcp 488  system_u:object_r:http_port_t:s0
-portcon tcp 8008  system_u:object_r:http_port_t:s0
-
-portcon tcp 106 system_u:object_r:pop_port_t:s0
-portcon tcp 109 system_u:object_r:pop_port_t:s0
-portcon tcp 110 system_u:object_r:pop_port_t:s0
-portcon tcp 143 system_u:object_r:pop_port_t:s0
-portcon tcp 220 system_u:object_r:pop_port_t:s0
-portcon tcp 993 system_u:object_r:pop_port_t:s0
-portcon tcp 995 system_u:object_r:pop_port_t:s0
-portcon tcp 1109 system_u:object_r:pop_port_t:s0
-
-portcon udp 111 system_u:object_r:portmap_port_t:s0
-portcon tcp 111 system_u:object_r:portmap_port_t:s0
-
-portcon tcp 119 system_u:object_r:innd_port_t:s0
-portcon udp 123 system_u:object_r:ntp_port_t:s0
-
-portcon tcp 137 system_u:object_r:smbd_port_t:s0
-portcon udp 137 system_u:object_r:nmbd_port_t:s0
-portcon tcp 138 system_u:object_r:smbd_port_t:s0
-portcon udp 138 system_u:object_r:nmbd_port_t:s0
-portcon tcp 139 system_u:object_r:smbd_port_t:s0
-portcon udp 139 system_u:object_r:nmbd_port_t:s0
-portcon tcp 445 system_u:object_r:smbd_port_t:s0
-
-portcon udp 161 system_u:object_r:snmp_port_t:s0
-portcon udp 162 system_u:object_r:snmp_port_t:s0
-portcon tcp 199 system_u:object_r:snmp_port_t:s0
-portcon udp 512 system_u:object_r:comsat_port_t:s0
-
-portcon tcp 389 system_u:object_r:ldap_port_t:s0
-portcon udp 389 system_u:object_r:ldap_port_t:s0
-portcon tcp 636 system_u:object_r:ldap_port_t:s0
-portcon udp 636 system_u:object_r:ldap_port_t:s0
-
-portcon tcp 513 system_u:object_r:rlogind_port_t:s0
-portcon tcp 514 system_u:object_r:rsh_port_t:s0
-
-portcon tcp 515 system_u:object_r:printer_port_t:s0
-portcon udp 514 system_u:object_r:syslogd_port_t:s0
-portcon udp 517 system_u:object_r:ktalkd_port_t:s0
-portcon udp 518 system_u:object_r:ktalkd_port_t:s0
-portcon tcp 631 system_u:object_r:ipp_port_t:s0
-portcon udp 631 system_u:object_r:ipp_port_t:s0
-portcon tcp 88 system_u:object_r:kerberos_port_t:s0
-portcon udp 88 system_u:object_r:kerberos_port_t:s0
-portcon tcp 464 system_u:object_r:kerberos_admin_port_t:s0
-portcon udp 464 system_u:object_r:kerberos_admin_port_t:s0
-portcon tcp 749 system_u:object_r:kerberos_admin_port_t:s0
-portcon tcp 750 system_u:object_r:kerberos_port_t:s0
-portcon udp 750 system_u:object_r:kerberos_port_t:s0
-portcon tcp 783 system_u:object_r:spamd_port_t:s0
-portcon tcp 540 system_u:object_r:uucpd_port_t:s0
-portcon tcp 2401 system_u:object_r:cvs_port_t:s0
-portcon udp 2401 system_u:object_r:cvs_port_t:s0
-portcon tcp 873 system_u:object_r:rsync_port_t:s0
-portcon udp 873 system_u:object_r:rsync_port_t:s0
-portcon tcp 901 system_u:object_r:swat_port_t:s0
-portcon tcp 953 system_u:object_r:rndc_port_t:s0
-portcon tcp 1213 system_u:object_r:giftd_port_t:s0
-portcon tcp 1241 system_u:object_r:nessus_port_t:s0
-portcon tcp 1234 system_u:object_r:monopd_port_t:s0
-portcon udp 1645 system_u:object_r:radius_port_t:s0
-portcon udp 1646 system_u:object_r:radacct_port_t:s0
-portcon udp 1812 system_u:object_r:radius_port_t:s0
-portcon udp 1813 system_u:object_r:radacct_port_t:s0
-portcon udp 1718 system_u:object_r:gatekeeper_port_t:s0
-portcon udp 1719 system_u:object_r:gatekeeper_port_t:s0
-portcon tcp 1721 system_u:object_r:gatekeeper_port_t:s0
-portcon tcp 7000 system_u:object_r:gatekeeper_port_t:s0
-portcon tcp 2040 system_u:object_r:afs_fs_port_t:s0
-portcon udp 7000 system_u:object_r:afs_fs_port_t:s0
-portcon udp 7002 system_u:object_r:afs_pt_port_t:s0
-portcon udp 7003 system_u:object_r:afs_vl_port_t:s0
-portcon udp 7004 system_u:object_r:afs_ka_port_t:s0
-portcon udp 7005 system_u:object_r:afs_fs_port_t:s0
-portcon udp 7007 system_u:object_r:afs_bos_port_t:s0
-portcon tcp 1720 system_u:object_r:asterisk_port_t:s0
-portcon udp 2427 system_u:object_r:asterisk_port_t:s0
-portcon udp 2727 system_u:object_r:asterisk_port_t:s0
-portcon udp 4569 system_u:object_r:asterisk_port_t:s0
-portcon udp 5060 system_u:object_r:asterisk_port_t:s0
-portcon tcp 2000 system_u:object_r:mail_port_t:s0
-portcon tcp 2601 system_u:object_r:zebra_port_t:s0
-portcon tcp 2628 system_u:object_r:dict_port_t:s0
-portcon tcp 3306 system_u:object_r:mysqld_port_t:s0
-portcon tcp 3632 system_u:object_r:distccd_port_t:s0
-portcon udp 4011 system_u:object_r:pxe_port_t:s0
-portcon udp 5000 system_u:object_r:openvpn_port_t:s0
-portcon tcp 5323 system_u:object_r:imaze_port_t:s0
-portcon udp 5323 system_u:object_r:imaze_port_t:s0
-portcon tcp 5335 system_u:object_r:howl_port_t:s0
-portcon udp 5353 system_u:object_r:howl_port_t:s0
-portcon tcp 5222 system_u:object_r:jabber_client_port_t:s0
-portcon tcp 5223 system_u:object_r:jabber_client_port_t:s0
-portcon tcp 5269 system_u:object_r:jabber_interserver_port_t:s0
-portcon tcp 5432 system_u:object_r:postgresql_port_t:s0
-portcon tcp 5666 system_u:object_r:inetd_child_port_t:s0
-portcon tcp 5703 system_u:object_r:ptal_port_t:s0
-portcon tcp 50000 system_u:object_r:hplip_port_t:s0
-portcon tcp 50002 system_u:object_r:hplip_port_t:s0
-portcon tcp 5900  system_u:object_r:vnc_port_t:s0 
-portcon tcp 5988  system_u:object_r:pegasus_http_port_t:s0
-portcon tcp 5989  system_u:object_r:pegasus_https_port_t:s0
-portcon tcp 6000  system_u:object_r:xserver_port_t:s0
-portcon tcp 6001  system_u:object_r:xserver_port_t:s0
-portcon tcp 6002  system_u:object_r:xserver_port_t:s0
-portcon tcp 6003  system_u:object_r:xserver_port_t:s0
-portcon tcp 6004  system_u:object_r:xserver_port_t:s0
-portcon tcp 6005  system_u:object_r:xserver_port_t:s0
-portcon tcp 6006  system_u:object_r:xserver_port_t:s0
-portcon tcp 6007  system_u:object_r:xserver_port_t:s0
-portcon tcp 6008  system_u:object_r:xserver_port_t:s0
-portcon tcp 6009  system_u:object_r:xserver_port_t:s0
-portcon tcp 6010  system_u:object_r:xserver_port_t:s0
-portcon tcp 6011  system_u:object_r:xserver_port_t:s0
-portcon tcp 6012  system_u:object_r:xserver_port_t:s0
-portcon tcp 6013  system_u:object_r:xserver_port_t:s0
-portcon tcp 6014  system_u:object_r:xserver_port_t:s0
-portcon tcp 6015  system_u:object_r:xserver_port_t:s0
-portcon tcp 6016  system_u:object_r:xserver_port_t:s0
-portcon tcp 6017  system_u:object_r:xserver_port_t:s0
-portcon tcp 6018  system_u:object_r:xserver_port_t:s0
-portcon tcp 6019  system_u:object_r:xserver_port_t:s0
-portcon tcp 6667 system_u:object_r:ircd_port_t:s0
-portcon tcp 8000 system_u:object_r:soundd_port_t:s0
-# 9433 is for YIFF
-portcon tcp 9433 system_u:object_r:soundd_port_t:s0
-portcon tcp 3128  system_u:object_r:http_cache_port_t:s0
-portcon tcp 8080  system_u:object_r:http_cache_port_t:s0
-portcon udp 3130  system_u:object_r:http_cache_port_t:s0
-# 8118 is for privoxy
-portcon tcp 8118  system_u:object_r:http_cache_port_t:s0
-
-portcon udp 4041 system_u:object_r:clockspeed_port_t:s0
-portcon tcp 8081 system_u:object_r:transproxy_port_t:s0
-portcon udp 10080 system_u:object_r:amanda_port_t:s0
-portcon tcp 10080 system_u:object_r:amanda_port_t:s0
-portcon udp 10081 system_u:object_r:amanda_port_t:s0
-portcon tcp 10081 system_u:object_r:amanda_port_t:s0
-portcon tcp 10082 system_u:object_r:amanda_port_t:s0
-portcon tcp 10083 system_u:object_r:amanda_port_t:s0
-portcon tcp 60000 system_u:object_r:postgrey_port_t:s0
-
-portcon tcp 10024 system_u:object_r:amavisd_recv_port_t:s0
-portcon tcp 10025 system_u:object_r:amavisd_send_port_t:s0
-portcon tcp 3310 system_u:object_r:clamd_port_t:s0
-portcon udp 6276 system_u:object_r:dcc_port_t:s0
-portcon udp 6277 system_u:object_r:dcc_port_t:s0
-portcon udp 24441 system_u:object_r:pyzor_port_t:s0
-portcon tcp 2703 system_u:object_r:razor_port_t:s0
-portcon tcp 8021 system_u:object_r:zope_port_t:s0
-
-# Defaults for reserved ports.  Earlier portcon entries take precedence;
-# these entries just cover any remaining reserved ports not otherwise 
-# declared or omitted due to removal of a domain.
-portcon tcp 1-1023 system_u:object_r:reserved_port_t:s0
-portcon udp 1-1023 system_u:object_r:reserved_port_t:s0
-
-# Network interfaces (default = initial SID "netif" and "netmsg")
-#
-# interface netif_context default_msg_context
-#
-
-# Nodes (default = initial SID "node")
-#
-# address mask context
-#
-nodecon 127.0.0.1	  255.255.255.255			   system_u:object_r:node_lo_t:s0
-nodecon 0.0.0.0		  255.255.255.255			   system_u:object_r:node_inaddr_any_t:s0
-nodecon ::		  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  system_u:object_r:node_unspec_t:s0
-nodecon ::1		  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff  system_u:object_r:node_lo_t:s0
-nodecon ff00::		  ff00::				   system_u:object_r:node_multicast_t:s0
-nodecon fe80::		  ffff:ffff:ffff:ffff::			   system_u:object_r:node_link_local_t:s0
-nodecon fec0::		  ffc0::				   system_u:object_r:node_site_local_t:s0
-nodecon ::		  ffff:ffff:ffff:ffff:ffff:ffff::	   system_u:object_r:node_compat_ipv4_t:s0
-nodecon ::ffff:0000:0000  ffff:ffff:ffff:ffff:ffff:ffff::	   system_u:object_r:node_mapped_ipv4_t:s0
-
-# FLASK
diff --git a/targeted/rbac b/targeted/rbac
deleted file mode 100644
index 0d6971d..0000000
--- a/targeted/rbac
+++ /dev/null
@@ -1,26 +0,0 @@
-################################################
-#
-# Role-based access control (RBAC) configuration.
-#
-
-########################################
-#
-# Role allow rules.
-#
-# A role allow rule specifies the allowable
-# transitions between roles on an execve.
-# If no rule is specified, then the change in
-# roles will not be permitted.  Additional
-# controls over role transitions based on the
-# type of the process may be specified through
-# the constraints file.
-#
-# The syntax of a role allow rule is:
-# 	allow current_role new_role ;
-# 
-
-allow sysadm_r system_r;
-allow user_r system_r;
-allow user_r sysadm_r;
-allow sysadm_r user_r;
-allow system_r sysadm_r;
diff --git a/targeted/tunables/distro.tun b/targeted/tunables/distro.tun
deleted file mode 100644
index 00b6eca..0000000
--- a/targeted/tunables/distro.tun
+++ /dev/null
@@ -1,14 +0,0 @@
-# Distro-specific customizations.
-
-# Comment out all but the one that matches your distro.
-# The policy .te files can then wrap distro-specific customizations with
-# appropriate ifdefs.
-
-
-define(`distro_redhat')
-
-dnl define(`distro_suse')
-
-dnl define(`distro_gentoo')
-
-dnl define(`distro_debian')
diff --git a/targeted/tunables/tunable.tun b/targeted/tunables/tunable.tun
deleted file mode 100644
index a1f9d6e..0000000
--- a/targeted/tunables/tunable.tun
+++ /dev/null
@@ -1,7 +0,0 @@
-define(`targeted_policy')
-define(`hide_broken_symptoms')
-define(`distro_redhat')
-define(`unlimitedInetd')
-define(`unlimitedRC')
-define(`unlimitedUtils')
-define(`use_mcs')
diff --git a/targeted/types/device.te b/targeted/types/device.te
deleted file mode 100644
index aee0a4c..0000000
--- a/targeted/types/device.te
+++ /dev/null
@@ -1,163 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-############################################
-#
-# Device types
-#
-
-#
-# device_t is the type of /dev.
-#
-type device_t, file_type, mount_point, dev_fs;
-
-#
-# null_device_t is the type of /dev/null.
-#
-type null_device_t, device_type, dev_fs, mlstrustedobject;
-
-#
-# zero_device_t is the type of /dev/zero.
-#
-type zero_device_t, device_type, dev_fs, mlstrustedobject;
-
-#
-# console_device_t is the type of /dev/console.
-#
-type console_device_t, device_type, dev_fs;
-
-#
-# xconsole_device_t is the type of /dev/xconsole
-type xconsole_device_t, file_type, dev_fs;
-
-#
-# memory_device_t is the type of /dev/kmem,
-# /dev/mem, and /dev/port.
-#
-type memory_device_t, device_type, dev_fs;
-
-#
-# random_device_t is the type of /dev/random
-# urandom_device_t is the type of /dev/urandom
-#
-type random_device_t, device_type, dev_fs;
-type urandom_device_t, device_type, dev_fs;
-
-#
-# devtty_t is the type of /dev/tty.
-#
-type devtty_t, device_type, dev_fs, mlstrustedobject;
-
-#
-# tty_device_t is the type of /dev/*tty*
-#
-type tty_device_t, serial_device, device_type, dev_fs;
-
-#
-# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
-type bsdpty_device_t, device_type, dev_fs;
-
-#
-# usbtty_device_t is the type of /dev/usr/tty*
-#
-type usbtty_device_t, serial_device, device_type, dev_fs;
-
-#
-# printer_device_t is the type for printer devices
-#
-type printer_device_t, device_type, dev_fs;
-
-#
-# fixed_disk_device_t is the type of 
-# /dev/hd* and /dev/sd*.
-#
-type fixed_disk_device_t, device_type, dev_fs;
-
-#
-# scsi_generic_device_t is the type of /dev/sg*
-# it gives access to ALL SCSI devices (both fixed and removable)
-#
-type scsi_generic_device_t, device_type, dev_fs;
-
-#
-# removable_device_t is the type of
-# /dev/scd* and /dev/fd*.
-#
-type removable_device_t, device_type, dev_fs;
-
-#
-# clock_device_t is the type of
-# /dev/rtc.
-#
-type clock_device_t, device_type, dev_fs;
-
-#
-# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
-#
-type tun_tap_device_t, device_type, dev_fs;
-
-#
-# misc_device_t is the type of miscellaneous devices.
-# XXX:  FIXME!  Appropriate access to these devices need to be identified.
-#
-type misc_device_t, device_type, dev_fs;
-
-#
-# A more general type for mouse devices.
-#
-type mouse_device_t, device_type, dev_fs;
-
-#
-# For generic /dev/input/event* event devices
-#
-type event_device_t, device_type, dev_fs;
-
-#
-# Not sure what these devices are for, but X wants access to them.
-#
-type agp_device_t, device_type, dev_fs;
-type dri_device_t, device_type, dev_fs;
-
-# Type for sound devices.
-type sound_device_t, device_type, dev_fs;
-
-# Type for /dev/ppp.
-type ppp_device_t, device_type, dev_fs;
-
-# Type for frame buffer /dev/fb/*
-type framebuf_device_t, device_type, dev_fs;
-
-# Type for /dev/.devfsd
-type devfs_control_t, device_type, dev_fs;
-
-# Type for /dev/cpu/mtrr and /proc/mtrr
-type mtrr_device_t, device_type, dev_fs, proc_fs;
-
-# Type for /dev/pmu 
-type power_device_t, device_type, dev_fs;
-
-# Type for /dev/apm_bios
-type apm_bios_t, device_type, dev_fs;
-
-# Type for v4l
-type v4l_device_t, device_type, dev_fs;
-
-# tape drives
-type tape_device_t, device_type, dev_fs;
-
-# scanners
-type scanner_device_t, device_type, dev_fs;
-
-# cpu control devices /dev/cpu/0/*
-type cpu_device_t, device_type, dev_fs;
-
-# for other device nodes such as the NVidia binary-only driver
-type xserver_misc_device_t, device_type, dev_fs;
-
-# for the IBM zSeries z90crypt hardware ssl accelorator
-type crypt_device_t, device_type, dev_fs;
-
-
-
-
diff --git a/targeted/types/devpts.te b/targeted/types/devpts.te
deleted file mode 100644
index c6982ac..0000000
--- a/targeted/types/devpts.te
+++ /dev/null
@@ -1,23 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-############################################
-#
-# Devpts types
-#
-
-#
-# ptmx_t is the type for /dev/ptmx.
-#
-type ptmx_t, sysadmfile, device_type, dev_fs, mlstrustedobject;
-
-#
-# devpts_t is the type of the devpts file system and 
-# the type of the root directory of the file system.
-#
-type devpts_t, mount_point, fs_type;
-
-ifdef(`targeted_policy', `
-typeattribute devpts_t ttyfile;
-')
diff --git a/targeted/types/file.te b/targeted/types/file.te
deleted file mode 100644
index 6db5c89..0000000
--- a/targeted/types/file.te
+++ /dev/null
@@ -1,325 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-#######################################
-#
-# General file-related types
-#
-
-#
-# unlabeled_t is the type of unlabeled objects.
-# Objects that have no known labeling information or that
-# have labels that are no longer valid are treated as having this type.
-#
-type unlabeled_t, sysadmfile;
-
-#
-# fs_t is the default type for conventional filesystems.
-#
-type fs_t, fs_type;
-
-# needs more work
-type eventpollfs_t, fs_type;
-type futexfs_t, fs_type;
-type bdev_t, fs_type;
-type usbfs_t, mount_point, fs_type;
-type nfsd_fs_t, fs_type;
-type rpc_pipefs_t, fs_type;
-type binfmt_misc_fs_t, mount_point, fs_type;
-
-#
-# file_t is the default type of a file that has not yet been
-# assigned an extended attribute (EA) value (when using a filesystem
-# that supports EAs).
-#
-type file_t, file_type, mount_point, sysadmfile;
-
-# default_t is the default type for files that do not
-# match any specification in the file_contexts configuration
-# other than the generic /.* specification.
-type default_t, file_type, mount_point, sysadmfile;
-
-#
-# root_t is the type for the root directory.
-#
-type root_t, file_type, mount_point, polyparent, sysadmfile;
-
-#
-# mnt_t is the type for mount points such as /mnt/cdrom
-type mnt_t, file_type, mount_point, sysadmfile;
-
-#
-# home_root_t is the type for the directory where user home directories
-# are created
-#
-type home_root_t, file_type, mount_point, polyparent, sysadmfile;
-
-#
-# lost_found_t is the type for the lost+found directories.
-#
-type lost_found_t, file_type, sysadmfile;
-
-#
-# boot_t is the type for files in /boot,
-# including the kernel.
-#
-type boot_t, file_type, mount_point, sysadmfile;
-# system_map_t is for the system.map files in /boot
-type system_map_t, file_type, sysadmfile;
-
-#
-# boot_runtime_t is the type for /boot/kernel.h,
-# which is automatically generated at boot time.
-# only for red hat
-type boot_runtime_t, file_type, sysadmfile;
-
-#
-# tmp_t is the type of /tmp and /var/tmp.
-#
-type tmp_t, file_type, mount_point, sysadmfile, polydir, tmpfile;
-
-#
-# etc_t is the type of the system etc directories.
-#
-type etc_t, file_type, sysadmfile;
-
-# etc_mail_t is the type of /etc/mail.
-type etc_mail_t, file_type, sysadmfile, usercanread;
-
-#
-# shadow_t is the type of the /etc/shadow file
-#
-type shadow_t, file_type, secure_file_type;
-allow auth shadow_t:file { getattr read };
-
-#
-# ld_so_cache_t is the type of /etc/ld.so.cache.
-#
-type ld_so_cache_t, file_type, sysadmfile;
-
-#
-# etc_runtime_t is the type of various
-# files in /etc that are automatically
-# generated during initialization.
-#
-type etc_runtime_t, file_type, sysadmfile;
-
-#
-# fonts_runtime_t is the type of various
-# fonts files in /usr that are automatically
-# generated during initialization.
-#
-type fonts_t, file_type, sysadmfile, usercanread;
-
-#
-# etc_aliases_t is the type of the aliases database.
-#
-type etc_aliases_t, file_type, sysadmfile;
-
-# net_conf_t is the type of the /etc/resolv.conf file.
-# all DHCP clients and PPP need write access to this file.
-type net_conf_t, file_type, sysadmfile;
-
-#
-# lib_t is the type of files in the system lib directories.
-#
-type lib_t, file_type, sysadmfile;
-
-#
-# shlib_t is the type of shared objects in the system lib
-# directories.
-#
-ifdef(`targeted_policy', `
-typealias lib_t alias shlib_t;
-', `
-type shlib_t, file_type, sysadmfile;
-')
-
-#
-# texrel_shlib_t is the type of shared objects in the system lib
-# directories, which require text relocation.
-#
-ifdef(`targeted_policy', `
-typealias lib_t alias texrel_shlib_t;
-', `
-type texrel_shlib_t, file_type, sysadmfile;
-')
-
-# ld_so_t is the type of the system dynamic loaders.
-#
-type ld_so_t, file_type, sysadmfile;
-
-#
-# bin_t is the type of files in the system bin directories.
-#
-type bin_t, file_type, sysadmfile;
-
-#
-# cert_t is the type of files in the system certs directories.
-#
-type cert_t, file_type, sysadmfile, secure_file_type;
-
-#
-# ls_exec_t is the type of the ls program.
-#
-type ls_exec_t, file_type, exec_type, sysadmfile;
-
-#
-# shell_exec_t is the type of user shells such as /bin/bash.
-#
-type shell_exec_t, file_type, exec_type, sysadmfile;
-
-#
-# sbin_t is the type of files in the system sbin directories.
-#
-type sbin_t, file_type, sysadmfile;
-
-#
-# usr_t is the type for /usr.
-#
-type usr_t, file_type, mount_point, sysadmfile;
-
-#
-# src_t is the type of files in the system src directories.
-#
-type src_t, file_type, mount_point, sysadmfile;
-
-#
-# var_t is the type for /var.
-#
-type var_t, file_type, mount_point, sysadmfile;
-
-#
-# Types for subdirectories of /var.
-#
-type var_run_t, file_type, sysadmfile;
-type var_log_t, file_type, sysadmfile, logfile;
-typealias var_log_t alias crond_log_t;
-type faillog_t, file_type, sysadmfile, logfile;
-type var_lock_t, file_type, sysadmfile, lockfile;
-type var_lib_t, mount_point, file_type, sysadmfile;
-# for /var/{spool,lib}/texmf index files
-type tetex_data_t, file_type, sysadmfile, tmpfile;
-type var_spool_t, file_type, sysadmfile, tmpfile;
-type var_yp_t, file_type, sysadmfile;
-
-# Type for /var/log/ksyms.
-type var_log_ksyms_t, file_type, sysadmfile, logfile;
-
-# Type for /var/log/lastlog.
-type lastlog_t, file_type, sysadmfile, logfile;
-
-# Type for /var/lib/nfs.
-type var_lib_nfs_t, file_type, mount_point, sysadmfile, usercanread;
-
-#
-# wtmp_t is the type of /var/log/wtmp.
-#
-type wtmp_t, file_type, sysadmfile, logfile;
-
-#
-# cron_spool_t is the type for /var/spool/cron.
-#
-type cron_spool_t, file_type, sysadmfile;
-
-#
-# print_spool_t is the type for /var/spool/lpd and /var/spool/cups.
-#
-type print_spool_t, file_type, sysadmfile, tmpfile;
-
-#
-# mail_spool_t is the type for /var/spool/mail.
-#
-type mail_spool_t, file_type, sysadmfile;
-
-#
-# mqueue_spool_t is the type for /var/spool/mqueue.
-#
-type mqueue_spool_t, file_type, sysadmfile;
-
-#
-# man_t is the type for the man directories.
-#
-type man_t, file_type, sysadmfile;
-typealias man_t alias catman_t;
-
-#
-# readable_t is a general type for
-# files that are readable by all domains.
-#
-type readable_t, file_type, sysadmfile;
-
-# 
-# Base type for the tests directory.
-# 
-type test_file_t, file_type, sysadmfile;
-
-#
-# poly_t is the type for the polyinstantiated directories.
-#
-type poly_t, file_type, sysadmfile;
-
-#
-# swapfile_t is for swap files
-#
-type swapfile_t, file_type, sysadmfile;
-
-#
-# locale_t is the type for system localization
-# 
-type locale_t, file_type, sysadmfile;
-
-#
-# Allow each file type to be associated with 
-# the default file system type.
-#
-allow { file_type device_type ttyfile } fs_t:filesystem associate;
-
-type tmpfs_t, file_type, mount_point, sysadmfile, fs_type;
-allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;
-allow { logfile tmpfile home_type } tmp_t:filesystem associate;
-ifdef(`distro_redhat', `
-allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
-')
-
-type autofs_t, fs_type, noexattrfile, sysadmfile;
-type usbdevfs_t, fs_type, mount_point, noexattrfile, sysadmfile;
-type sysfs_t, mount_point, fs_type,  sysadmfile;
-type iso9660_t, fs_type, noexattrfile, sysadmfile;
-type romfs_t, fs_type, sysadmfile;
-type ramfs_t, fs_type, sysadmfile;
-type dosfs_t, fs_type, noexattrfile, sysadmfile;
-type hugetlbfs_t, mount_point, fs_type,  sysadmfile;
-typealias file_t alias  mqueue_t;
-
-# udev_runtime_t is the type of the udev table file
-type udev_runtime_t, file_type, sysadmfile;
-
-# krb5_conf_t is the type of the /etc/krb5.conf file
-type krb5_conf_t, file_type, sysadmfile;
-
-type cifs_t, fs_type, noexattrfile, sysadmfile;
-type debugfs_t, fs_type, sysadmfile;
-type configfs_t, fs_type, sysadmfile;
-type inotifyfs_t, fs_type, sysadmfile;
-type capifs_t, fs_type, sysadmfile;
-
-# removable_t is the default type of all removable media
-type removable_t, file_type, sysadmfile, usercanread;
-allow file_type removable_t:filesystem associate;
-allow file_type noexattrfile:filesystem associate;
-
-# Type for anonymous FTP data, used by ftp and rsync
-type public_content_t, file_type, sysadmfile, customizable;
-type public_content_rw_t, file_type, sysadmfile, customizable;
-typealias public_content_t alias ftpd_anon_t;
-typealias public_content_rw_t alias ftpd_anon_rw_t;
-
-# type for /tmp/.ICE-unix
-type ice_tmp_t, file_type, sysadmfile, tmpfile;
-
-# type for /usr/share/hwdata
-type hwdata_t, file_type, sysadmfile;
-allow { fs_type file_type } self:filesystem associate;
-
diff --git a/targeted/types/network.te b/targeted/types/network.te
deleted file mode 100644
index fad6baf..0000000
--- a/targeted/types/network.te
+++ /dev/null
@@ -1,177 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-# Modified by Reino Wallin <reino@oribium.com>
-# Multi NIC, and IPSEC features
-
-# Modified by Russell Coker
-# Move port types to their respective domains, add ifdefs, other cleanups.
-
-type xserver_port_t, port_type;
-#
-# Defines used by the te files need to be defined outside of net_constraints
-#
-type rsh_port_t, port_type, reserved_port_type;
-type dns_port_t, port_type, reserved_port_type;
-type smtp_port_t, port_type, reserved_port_type;
-type dhcpd_port_t, port_type, reserved_port_type;
-type smbd_port_t, port_type, reserved_port_type;
-type nmbd_port_t, port_type, reserved_port_type;
-type http_cache_port_t, port_type;
-type http_port_t, port_type, reserved_port_type;
-type ipp_port_t, port_type, reserved_port_type;
-type gopher_port_t, port_type, reserved_port_type;
-type isakmp_port_t, port_type, reserved_port_type;
-
-allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
-type pop_port_t, port_type, reserved_port_type;
-
-type ftp_port_t, port_type, reserved_port_type;
-type ftp_data_port_t, port_type, reserved_port_type;
-
-############################################
-#
-# Network types
-#
-
-#
-# mail_port_t is for generic mail ports shared by different mail servers
-#
-type mail_port_t, port_type;
-
-#
-# Ports used to communicate with kerberos server
-#
-type kerberos_port_t, port_type, reserved_port_type;
-type kerberos_admin_port_t, port_type, reserved_port_type;
-
-#
-# Ports used to communicate with portmap server
-#
-type portmap_port_t, port_type, reserved_port_type;
-
-#
-# Ports used to communicate with ldap server
-#
-type ldap_port_t, port_type, reserved_port_type;
-
-#
-# port_t is the default type of INET port numbers.
-# The *_port_t types are used for specific port
-# numbers in net_contexts or net_contexts.mls.
-#
-type port_t, port_type;
-
-# reserved_port_t is the default type for INET reserved ports
-# that are not otherwise mapped to a specific port type.
-type reserved_port_t, port_type;
-
-#
-# netif_t is the default type of network interfaces.
-# The netif_*_t types are used for specific network
-# interfaces in net_contexts or net_contexts.mls.
-#
-type netif_t, netif_type;
-
-#
-# node_t is the default type of network nodes.
-# The node_*_t types are used for specific network
-# nodes in net_contexts or net_contexts.mls.
-#
-type node_t, node_type;
-type node_lo_t, node_type;
-type node_internal_t, node_type;
-type node_inaddr_any_t, node_type;
-type node_unspec_t, node_type;
-type node_link_local_t, node_type;
-type node_site_local_t, node_type;
-type node_multicast_t, node_type;
-type node_mapped_ipv4_t, node_type;
-type node_compat_ipv4_t, node_type;
-
-# Kernel-generated traffic, e.g. ICMP replies.
-allow kernel_t netif_type:netif { rawip_send rawip_recv };
-allow kernel_t node_type:node { rawip_send rawip_recv };
-
-# Kernel-generated traffic, e.g. TCP resets.
-allow kernel_t netif_type:netif { tcp_send tcp_recv };
-allow kernel_t node_type:node { tcp_send tcp_recv };
-type radius_port_t, port_type;
-type radacct_port_t, port_type;
-type rndc_port_t, port_type, reserved_port_type;
-type tftp_port_t, port_type, reserved_port_type;
-type printer_port_t, port_type, reserved_port_type;
-type mysqld_port_t, port_type;
-type postgresql_port_t, port_type;
-type ptal_port_t, port_type;
-type howl_port_t, port_type;
-type dict_port_t, port_type;
-type syslogd_port_t, port_type, reserved_port_type;
-type spamd_port_t, port_type, reserved_port_type;
-type ssh_port_t, port_type, reserved_port_type;
-type pxe_port_t, port_type;
-type amanda_port_t, port_type;
-type fingerd_port_t, port_type, reserved_port_type;
-type dhcpc_port_t, port_type, reserved_port_type;
-type ntp_port_t, port_type, reserved_port_type;
-type stunnel_port_t, port_type;
-type zebra_port_t, port_type;
-type i18n_input_port_t, port_type;
-type vnc_port_t, port_type;
-type pegasus_http_port_t, port_type;
-type pegasus_https_port_t, port_type;
-type openvpn_port_t, port_type;
-type clamd_port_t, port_type;
-type transproxy_port_t, port_type;
-type clockspeed_port_t, port_type;
-type pyzor_port_t, port_type;
-type postgrey_port_t, port_type;
-type asterisk_port_t, port_type;
-type utcpserver_port_t, port_type;
-type nessus_port_t, port_type;
-type razor_port_t, port_type;
-type distccd_port_t, port_type;
-type socks_port_t, port_type;
-type gatekeeper_port_t, port_type;
-type dcc_port_t, port_type;
-type lrrd_port_t, port_type;
-type jabber_client_port_t, port_type;
-type jabber_interserver_port_t, port_type;
-type ircd_port_t, port_type;
-type giftd_port_t, port_type;
-type soundd_port_t, port_type;
-type imaze_port_t, port_type;
-type monopd_port_t, port_type;
-# Differentiate between the port where amavisd receives mail, and the
-# port where it returns cleaned mail back to the MTA.
-type amavisd_recv_port_t, port_type;
-type amavisd_send_port_t, port_type;
-type innd_port_t, port_type, reserved_port_type;
-type snmp_port_t, port_type, reserved_port_type;
-type biff_port_t, port_type, reserved_port_type;
-type hplip_port_t, port_type;
-
-#inetd_child_ports
-
-type rlogind_port_t, port_type, reserved_port_type;
-type telnetd_port_t, port_type, reserved_port_type;
-type comsat_port_t, port_type, reserved_port_type;
-type cvs_port_t, port_type;
-type dbskkd_port_t, port_type;
-type inetd_child_port_t, port_type, reserved_port_type;
-type ktalkd_port_t, port_type, reserved_port_type;
-type rsync_port_t, port_type, reserved_port_type;
-type uucpd_port_t, port_type, reserved_port_type;
-type swat_port_t, port_type, reserved_port_type;
-type zope_port_t, port_type;
-type auth_port_t, port_type, reserved_port_type;
-
-# afs ports
-
-type afs_fs_port_t, port_type;
-type afs_pt_port_t, port_type;
-type afs_vl_port_t, port_type;
-type afs_ka_port_t, port_type;
-type afs_bos_port_t, port_type;
-
diff --git a/targeted/types/nfs.te b/targeted/types/nfs.te
deleted file mode 100644
index e6dd6e0..0000000
--- a/targeted/types/nfs.te
+++ /dev/null
@@ -1,21 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-#############################################
-#
-# NFS types
-#
-
-#
-# nfs_t is the default type for NFS file systems 
-# and their files.  
-# The nfs_*_t types are used for specific NFS
-# servers in net_contexts or net_contexts.mls.
-#
-type nfs_t, mount_point, fs_type;
-
-#
-# Allow NFS files to be associated with an NFS file system.
-#
-allow file_type nfs_t:filesystem associate;
diff --git a/targeted/types/procfs.te b/targeted/types/procfs.te
deleted file mode 100644
index 20703ac..0000000
--- a/targeted/types/procfs.te
+++ /dev/null
@@ -1,50 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-############################################
-#
-# Procfs types
-#
-
-#
-# proc_t is the type of /proc.
-# proc_kmsg_t is the type of /proc/kmsg.
-# proc_kcore_t is the type of /proc/kcore.
-# proc_mdstat_t is the type of /proc/mdstat.
-# proc_net_t is the type of /proc/net.
-#
-type proc_t, fs_type, mount_point, proc_fs;
-type proc_kmsg_t, proc_fs;
-type proc_kcore_t, proc_fs;
-type proc_mdstat_t, proc_fs;
-type proc_net_t, proc_fs;
-
-#
-# sysctl_t is the type of /proc/sys.
-# sysctl_fs_t is the type of /proc/sys/fs.
-# sysctl_kernel_t is the type of /proc/sys/kernel.
-# sysctl_modprobe_t is the type of /proc/sys/kernel/modprobe.
-# sysctl_hotplug_t is the type of /proc/sys/kernel/hotplug.
-# sysctl_net_t is the type of /proc/sys/net.
-# sysctl_net_unix_t is the type of /proc/sys/net/unix.
-# sysctl_vm_t is the type of /proc/sys/vm.
-# sysctl_dev_t is the type of /proc/sys/dev.
-# sysctl_rpc_t is the type of /proc/net/rpc.
-#
-# These types are applied to both the entries in
-# /proc/sys and the corresponding sysctl parameters.
-#
-type sysctl_t, mount_point, sysctl_type;
-type sysctl_fs_t, sysctl_type;
-type sysctl_kernel_t, sysctl_type;
-type sysctl_modprobe_t, sysctl_type;
-type sysctl_hotplug_t, sysctl_type;
-type sysctl_net_t, sysctl_type;
-type sysctl_net_unix_t, sysctl_type;
-type sysctl_vm_t, sysctl_type;
-type sysctl_dev_t, sysctl_type;
-type sysctl_rpc_t, sysctl_type;
-type sysctl_irq_t, sysctl_type;
-
-
diff --git a/targeted/types/security.te b/targeted/types/security.te
deleted file mode 100644
index cc1574f..0000000
--- a/targeted/types/security.te
+++ /dev/null
@@ -1,60 +0,0 @@
-#
-# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
-#
-
-############################################
-#
-# Security types
-#
-
-# 
-# security_t is the target type when checking
-# the permissions in the security class.  It is also
-# applied to selinuxfs inodes.
-#
-type security_t, mount_point, fs_type, mlstrustedobject;
-dontaudit domain security_t:dir search;
-dontaudit domain security_t:file { getattr read };
-
-#
-# policy_config_t is the type of /etc/security/selinux/*
-# the security server policy configuration.
-#
-type policy_config_t, file_type, secadmfile;
-# Since libselinux attempts to read these by default, most domains 
-# do not need it.
-dontaudit domain selinux_config_t:dir search;
-dontaudit domain selinux_config_t:file { getattr read };
-
-#
-# policy_src_t is the type of the policy source
-# files.
-#
-type policy_src_t, file_type, secadmfile;
-
-
-#
-# default_context_t is the type applied to 
-# /etc/selinux/*/contexts/*
-#
-type default_context_t, file_type, login_contexts, secadmfile;
-
-#
-# file_context_t is the type applied to 
-# /etc/selinux/*/contexts/files
-#
-type file_context_t, file_type, secadmfile;
-
-#
-# no_access_t is the type for objects that should
-# only be accessed administratively. 
-#
-type no_access_t, file_type, sysadmfile;
-
-#
-# selinux_config_t is the type applied to 
-# /etc/selinux/config
-#
-type selinux_config_t, file_type, secadmfile;
-
-
diff --git a/targeted/types/x.te b/targeted/types/x.te
deleted file mode 100644
index 0cee314..0000000
--- a/targeted/types/x.te
+++ /dev/null
@@ -1,32 +0,0 @@
-#
-# Authors:  Eamon Walsh <ewalsh@epoch.ncsc.mil>
-#
-
-#######################################
-#
-# Types for the SELinux-enabled X Window System
-#
-
-#
-# X protocol extension types.  The SELinux extension in the X server
-# has a hardcoded table that maps actual extension names to these types.
-#
-type accelgraphics_ext_t, xextension;
-type debug_ext_t, xextension;
-type font_ext_t, xextension;
-type input_ext_t, xextension;
-type screensaver_ext_t, xextension;
-type security_ext_t, xextension;
-type shmem_ext_t, xextension;
-type std_ext_t, xextension;
-type sync_ext_t, xextension;
-type unknown_ext_t, xextension;
-type video_ext_t, xextension;
-type windowmgr_ext_t, xextension;
-
-#
-# X property types.  The SELinux extension in the X server has a 
-# hardcoded table that maps actual extension names to these types.
-#
-type wm_property_t, xproperty;
-type unknown_property_t, xproperty;
diff --git a/targeted/users b/targeted/users
deleted file mode 100644
index 88adac5..0000000
--- a/targeted/users
+++ /dev/null
@@ -1,38 +0,0 @@
-##################################
-#
-# User configuration.
-#
-# This file defines each user recognized by the system security policy.
-# Only the user identities defined in this file may be used as the
-# user attribute in a security context.
-#
-# Each user has a set of roles that may be entered by processes
-# with the users identity.  The syntax of a user declaration is:
-#
-# 	user username roles role_set [ ranges MLS_range_set ] level s0 range s0;
-#
-# The MLS range set should only be specified if MLS was enabled
-# for the module and checkpolicy.
-
-#
-# system_u is the user identity for system processes and objects.
-# There should be no corresponding Unix user identity for system_u,
-# and a user process should never be assigned the system_u user
-# identity.
-#
-user system_u roles system_r level s0 range s0 - s0:c0.c255;
-
-#
-# user_u is a generic user identity for Linux users who have no
-# SELinux user identity defined.  Authorized for all roles in the
-# relaxed policy.  sysadm_r is retained for compatibility, but could
-# be dropped as long as userspace has no hardcoded dependency on it.
-# user_u must be retained due to present userspace hardcoded dependency.
-#
-user user_u roles { user_r sysadm_r system_r } level s0 range s0 - s0:c0.c255;
-
-# root is retained as a separate user identity simply as a compatibility
-# measure with the "strict" policy.  It could be dropped and mapped to user_u
-# but this allows existing file contexts that have "root" as the user identity
-# to remain valid.
-user root roles { user_r sysadm_r system_r } level s0 range s0 - s0:c0.c255;
diff --git a/tools/buildtest.sh b/tools/buildtest.sh
index 2878de3..7bcb404 100755
--- a/tools/buildtest.sh
+++ b/tools/buildtest.sh
@@ -4,7 +4,7 @@ DISTROS="rhel4 gentoo debian"
 TYPES="strict targeted strict-mcs targeted-mcs strict-mls targeted-mls"
 POLVER="`checkpolicy -V |cut -f 1 -d ' '`"
 SETFILES="/usr/sbin/setfiles"
-SE_LINK="/usr/bin/semodule_link"
+SE_LINK="time -p /usr/bin/semodule_link"
 
 die() {
 	if [ "$1" -eq "1" ]; then
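Review bot: The `time -p` prefix on SE_LINK only works if an external `time` binary exists, because a reserved word is not recognised when it arrives via variable expansion (`$SE_LINK tmp/base.pp *.pp` later in the file runs `/usr/bin/time`, not the bash keyword); on hosts without the `time` package the link step now dies with "command not found" rather than timing anything. Consider a guard near the assignment, `command -v time >/dev/null || die 1 "time(1) not installed"`, or calling `time -p $SE_LINK ...` literally at the call site so the shell keyword is used. The same change is made to quicktest.sh in its first hunk. die() starts at the end of this hunk and continues outside it.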
@@ -14,18 +14,20 @@ die() {
 	exit 1
 }
 
-cleanup() {
-	make bare
+cleanup_mon() {
+	make MONOLITHIC=y bare
+}
+
+cleanup_mod() {
 	make MONOLITHIC=n bare
 }
 
 do_test() {
 	local OPTS=""
 
-	trap cleanup SIGINT SIGQUIT
-
 	for i in $TYPES; do
 		# Monolithic tests
+		trap cleanup_mon SIGINT SIGQUIT
 		OPTS="TYPE=$i MONOLITHIC=y QUIET=y DIRECT_INITRC=y"
 		[ ! -z "$1" ] && OPTS="$OPTS DISTRO=$1"
 		echo "**** Options: $OPTS ****"
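Review bot: Neither cleanup_mon nor cleanup_mod terminates the script, so after SIGINT or SIGQUIT kills the current make the trap handler runs `make ... bare` and execution then resumes with the next statement of the loop instead of stopping, which makes an interrupted run carry on building the remaining types. Adding `exit 130` (or `kill -s INT $$` after resetting the trap) at the end of each handler would make the trap a real abort path, and a second variant could be kept for the in-loop cleanup calls in the later hunks that are meant to continue. The trap is also never reset when do_test returns, so it stays armed for the rest of the script. quicktest.sh's second hunk has the same handlers and traps.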
@@ -34,9 +36,10 @@ do_test() {
 		make $OPTS || die "$?" "$OPTS"
 		make $OPTS file_contexts || die "$?" "$OPTS"
 		$SETFILES -q -c policy.$POLVER file_contexts || die "$?" "$OPTS"
-		make $OPTS bare || die "$?" "$OPTS"
+		cleanup_mon
 
 		# Loadable module tests
+		trap cleanup_mod SIGINT SIGQUIT
 		OPTS="TYPE=$i MONOLITHIC=n QUIET=y DIRECT_INITRC=y"
 		[ ! -z "$1" ] && OPTS="$OPTS DISTRO=$1"
 		echo "**** Options: $OPTS ****"
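Review bot: Replacing `make $OPTS bare || die "$?" "$OPTS"` with a bare `cleanup_mon` drops the error check, so a failed clean now goes unreported and the next iteration starts from a dirty tree; the same applies to `cleanup_mod` in the next hunk and in quicktest.sh's third and fourth hunks. It also drops TYPE=, QUIET= and DISTRO= from the make invocation, which presumably is harmless for `bare` but is a behaviour change worth confirming against the Makefile. Restoring the check as `cleanup_mon || die "$?" "$OPTS"` keeps the new helper while preserving the old failure reporting.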
@@ -48,11 +51,16 @@ do_test() {
 		############# FIXME
 		rm dmesg.pp
 		$SE_LINK tmp/base.pp *.pp || die "$?" "$OPTS"
-		make $OPTS bare || die "$?" "$OPTS"
+		cleanup_mod
 	done
 }
 
-cleanup
+cleanup_mon
+cleanup_mod
 do_test
 
+for i in $DISTROS; do
+	do_test $i
+done
+
 echo "Completed successfully."
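Review bot: The new distro loop reuses `i` as its variable while do_test's inner `for i in $TYPES` assigns the same global, so each call to do_test overwrites the caller's `$i`; the `for` still iterates correctly because its word list was expanded up front, but any later use of `$i` at top level would see a policy type rather than a distro. Declaring `local i` in do_test, or renaming the outer loop to `for distro in $DISTROS; do do_test "$distro"; done`, removes the ambiguity and quotes the argument at the same time.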
diff --git a/tools/quicktest.sh b/tools/quicktest.sh
index e97f81d..9d62f8e 100755
--- a/tools/quicktest.sh
+++ b/tools/quicktest.sh
@@ -3,7 +3,7 @@
 TYPES="strict targeted-mcs strict-mls"
 POLVER="`checkpolicy -V |cut -f 1 -d ' '`"
 SETFILES="/usr/sbin/setfiles"
-SE_LINK="/usr/bin/semodule_link"
+SE_LINK="time -p /usr/bin/semodule_link"
 
 die() {
 	if [ "$1" -eq "1" ]; then
@@ -13,18 +13,20 @@ die() {
 	exit 1
 }
 
-cleanup() {
-	make bare
+cleanup_mon() {
+	make MONOLITHIC=y bare
+}
+
+cleanup_mod() {
 	make MONOLITHIC=n bare
 }
 
 do_test() {
 	local OPTS=""
 
-	trap cleanup SIGINT SIGQUIT
-
 	for i in $TYPES; do
 		# Monolithic tests
+		trap cleanup_mon SIGINT SIGQUIT
 		OPTS="TYPE=$i MONOLITHIC=y QUIET=y DIRECT_INITRC=y"
 		[ ! -z "$1" ] && OPTS="$OPTS DISTRO=$1"
 		echo "**** Options: $OPTS ****"
@@ -33,9 +35,10 @@ do_test() {
 		make $OPTS || die "$?" "$OPTS"
 		make $OPTS file_contexts || die "$?" "$OPTS"
 		$SETFILES -q -c policy.$POLVER file_contexts || die "$?" "$OPTS"
-		make $OPTS bare || die "$?" "$OPTS"
+		cleanup_mon
 
 		# Loadable module tests
+		trap cleanup_mod SIGINT SIGQUIT
 		OPTS="TYPE=$i MONOLITHIC=n QUIET=y DIRECT_INITRC=y"
 		[ ! -z "$1" ] && OPTS="$OPTS DISTRO=$1"
 		echo "**** Options: $OPTS ****"
@@ -47,11 +50,12 @@ do_test() {
 		############# FIXME
 		rm dmesg.pp
 		$SE_LINK tmp/base.pp *.pp || die "$?" "$OPTS"
-		make $OPTS bare || die "$?" "$OPTS"
+		cleanup_mod
 	done
 }
 
-cleanup
+cleanup_mon
+cleanup_mod
 do_test
 
 echo "Completed successfully."