diff --git a/booleans-minimum.conf b/booleans-minimum.conf
new file mode 100644
index 0000000..e5f205e
--- /dev/null
+++ b/booleans-minimum.conf
@@ -0,0 +1,252 @@
+# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
+#
+allow_execmem = false
+
+# Allow making a modified private filemapping executable (text relocation).
+#
+allow_execmod = false
+
+# Allow making the stack executable via mprotect.Also requires allow_execmem.
+#
+allow_execstack = false
+
+# Allow ftpd to read cifs directories.
+#
+allow_ftpd_use_cifs = false
+
+# Allow ftpd to read nfs directories.
+#
+allow_ftpd_use_nfs = false
+
+# Allow ftp servers to modify public filesused for public file transfer services.
+#
+allow_ftpd_anon_write = false
+
+# Allow gssd to read temp directory.
+#
+allow_gssd_read_tmp = true
+
+# Allow Apache to modify public filesused for public file transfer services.
+#
+allow_httpd_anon_write = false
+
+# Allow Apache to use mod_auth_pam module
+#
+allow_httpd_mod_auth_pam = false
+
+# Allow system to run with kerberos
+#
+allow_kerberos = true
+
+# Allow rsync to modify public filesused for public file transfer services.
+#
+allow_rsync_anon_write = false
+
+# Allow sasl to read shadow
+#
+allow_saslauthd_read_shadow = false
+
+# Allow samba to modify public filesused for public file transfer services.
+#
+allow_smbd_anon_write = false
+
+# Allow system to run with NIS
+#
+allow_ypbind = false
+
+# Allow zebra to write it own configuration files
+#
+allow_zebra_write_config = true
+
+# Enable extra rules in the cron domainto support fcron.
+#
+fcron_crond = false
+
+# Allow ftp to read and write files in the user home directories
+#
+ftp_home_dir = false
+
+#
+# allow httpd to connect to mysql/posgresql
+httpd_can_network_connect_db = false
+
+#
+# allow httpd to network relay
+httpd_can_network_relay = false
+
+# Allow httpd to use built in scripting (usually php)
+#
+httpd_builtin_scripting = true
+
+# Allow http daemon to tcp connect
+#
+httpd_can_network_connect = false
+
+# Allow httpd cgi support
+#
+httpd_enable_cgi = true
+
+# Allow httpd to act as a FTP server bylistening on the ftp port.
+#
+httpd_enable_ftp_server = false
+
+# Allow httpd to read home directories
+#
+httpd_enable_homedirs = true
+
+# Run SSI execs in system CGI script domain.
+#
+httpd_ssi_exec = false
+
+# Allow http daemon to communicate with the TTY
+#
+httpd_tty_comm = true
+
+# Run CGI in the main httpd domain
+#
+httpd_unified = true
+
+# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
+#
+named_write_master_zones = false
+
+# Allow nfs to be exported read/write.
+#
+nfs_export_all_rw = true
+
+# Allow nfs to be exported read only
+#
+nfs_export_all_ro = true
+
+# Allow pppd to load kernel modules for certain modems
+#
+pppd_can_insmod = false
+
+# Allow reading of default_t files.
+#
+read_default_t = true
+
+# Allow samba to export user home directories.
+#
+samba_enable_home_dirs = false
+
+# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
+#
+squid_connect_any = false
+
+# Support NFS home directories
+#
+use_nfs_home_dirs = true
+
+# Support SAMBA home directories
+#
+use_samba_home_dirs = false
+
+# Control users use of ping and traceroute
+#
+user_ping = true
+
+# allow host key based authentication
+#
+allow_ssh_keysign = false
+
+# Allow pppd to be run for a regular user
+#
+pppd_for_user = false
+
+# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
+#
+read_untrusted_content = false
+
+# Allow spamd to write to users homedirs
+#
+spamd_enable_home_dirs = true
+
+# Allow regular users direct mouse access
+#
+user_direct_mouse = false
+
+# Allow users to read system messages.
+#
+user_dmesg = false
+
+# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
+#
+user_rw_noexattrfile = false
+
+# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
+#
+user_tcp_server = false
+
+# Allow w to display everyone
+#
+user_ttyfile_stat = false
+
+# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
+#
+write_untrusted_content = false
+
+# Allow all domains to talk to ttys
+#
+allow_daemons_use_tty = true
+
+# Allow login domains to polyinstatiate directories
+#
+allow_polyinstantiation = false
+
+# Allow all domains to dump core
+#
+allow_daemons_dump_core = true
+
+# Allow samba to act as the domain controller
+#
+samba_domain_controller = false
+
+# Allow samba to export user home directories.
+#
+samba_run_unconfined = true
+
+# Allows XServer to execute writable memory
+#
+allow_xserver_execmem = true
+
+# disallow guest accounts to execute files that they can create
+#
+allow_guest_exec_content = false
+allow_xguest_exec_content = false
+
+# Only allow browser to use the web
+#
+browser_confine_xguest=false
+
+# Allow postfix locat to write to mail spool
+#
+allow_postfix_local_write_mail_spool=true
+
+# Allow common users to read/write noexattrfile systems
+#
+user_rw_noexattrfile=true
+
+# Allow qemu to connect fully to the network
+#
+allow_qemu_full_network=true
+
+# Allow nsplugin execmem/execstack for bad plugins
+#
+allow_nsplugin_execmem=true
+
+# Allow unconfined domain to transition to confined domain
+#
+allow_unconfined_nsplugin_transition=true
+
+# Allow unconfined domains mmap low kernel memory
+#
+allow_unconfined_mmap_low = false
+
+# System uses init upstart program
+#
+init_upstart = true
+
+# Allow mount to mount any file/dir
+#
+allow_mount_anyfile = true
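Review bot: `user_rw_noexattrfile` is set twice in this hunk with conflicting values — `false` under the "Allow user to r/w files on filesystems that do not have extended attributes" comment and `true` near the end under "Allow common users to read/write noexattrfile systems" — so the value that lands in the built policy depends on how the build tooling resolves duplicates, and a reader cannot tell which was intended. Keep a single entry, and if the permissive setting is deliberate say why in its comment. The comment above `samba_run_unconfined = true` ("Allow samba to export user home directories.") is copied from `samba_enable_home_dirs` and misdescribes a boolean that removes confinement from smbd; I would replace it with `# Allow samba to run unconfined (disables SELinux confinement of smbd)`. Several other `true` defaults here widen the policy (`allow_xserver_execmem`, `allow_nsplugin_execmem`, `allow_qemu_full_network`, `allow_mount_anyfile`, `allow_daemons_dump_core`); a one-line justification next to each would help whoever audits this minimum policy later.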
diff --git a/modules-minimum.conf b/modules-minimum.conf
new file mode 100644
index 0000000..e5b8f8d
--- /dev/null
+++ b/modules-minimum.conf
@@ -0,0 +1,1679 @@
+#
+# This file contains a listing of available modules.
+# To prevent a module from being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module. "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: admin
+# Module: acct
+#
+# Berkeley process accounting
+#
+acct = base
+
+# Layer: admin
+# Module: alsa
+#
+# Ainit ALSA configuration tool
+#
+alsa = base
+
+# Layer: apps
+# Module: ada
+#
+# ada executable
+#
+ada = module
+
+# Layer: modules
+# Module: awstats
+#
+# awstats executable
+#
+awstats = module
+
+# Layer: admin
+# Module: amanda
+#
+# Automated backup program.
+#
+amanda = module
+
+# Layer: services
+# Module: amavis
+#
+# Anti-virus
+#
+amavis = module
+
+# Layer: admin
+# Module: anaconda
+#
+# Policy for the Anaconda installer.
+#
+anaconda = base
+
+# Layer: services
+# Module: apache
+#
+# Apache web server
+#
+apache = module
+
+# Layer: services
+# Module: apm
+#
+# Advanced power management daemon
+#
+apm = base
+
+# Layer: system
+# Module: application
+# Required in base
+#
+# Defines attributs and interfaces for all user applications
+#
+application = base
+
+# Layer: services
+# Module: arpwatch
+#
+# Ethernet activity monitor.
+#
+arpwatch = module
+
+# Layer: services
+# Module: audioentropy
+#
+# Generate entropy from audio input
+#
+audioentropy = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = base
+
+# Layer: services
+# Module: automount
+#
+# Filesystem automounter service.
+#
+automount = module
+
+# Layer: services
+# Module: avahi
+#
+# mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
+#
+avahi = module
+
+# Layer: services
+# Module: bind
+#
+# Berkeley internet name domain DNS server.
+#
+bind = module
+
+# Layer: services
+# Module: dnsmasq
+#
+# A lightweight DHCP and caching DNS server.
+#
+dnsmasq = module
+
+# Layer: services
+# Module: bluetooth
+#
+# Bluetooth tools and system services.
+#
+bluetooth = module
+
+# Layer: kernel
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+#
+bootloader = base
+
+
+# Layer: services
+# Module: canna
+#
+# Canna - kana-kanji conversion server
+#
+canna = module
+
+# Layer: services
+# Module: ccs
+#
+# policy for ccs
+#
+ccs = module
+
+# Layer: apps
+# Module: calamaris
+#
+#
+# Squid log analysis
+#
+calamaris = module
+
+# Layer: apps
+# Module: cdrecord
+#
+# Policy for cdrecord
+#
+cdrecord = module
+
+# Layer: admin
+# Module: certwatch
+#
+# Digital Certificate Tracking
+#
+certwatch = module
+
+# Layer: services
+# Module: cipe
+#
+# Encrypted tunnel daemon
+#
+cipe = module
+
+# Layer: services
+# Module: comsat
+#
+# Comsat, a biff server.
+#
+comsat = module
+
+# Layer: services
+# Module: clamav
+#
+# ClamAV Virus Scanner
+#
+clamav = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = base
+
+# Layer: services
+# Module: consolekit
+#
+# ConsoleKit is a system daemon for tracking what users are logged
+#
+consolekit = module
+
+# Layer: admin
+# Module: consoletype
+#
+# Determine of the console connected to the controlling terminal.
+#
+consoletype = base
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: services
+# Module: cpucontrol
+#
+# Services for loading CPU microcode and CPU frequency scaling.
+#
+cpucontrol = base
+
+# Layer: services
+# Module: cron
+#
+# Periodic execution of scheduled commands.
+#
+cron = base
+
+# Layer: services
+# Module: cups
+#
+# Common UNIX printing system
+#
+cups = module
+
+# Layer: services
+# Module: cvs
+#
+# Concurrent versions system
+#
+cvs = module
+
+# Layer: services
+# Module: cyphesis
+#
+# cyphesis game server
+#
+cyphesis = module
+
+# Layer: services
+# Module: cyrus
+#
+# Cyrus is an IMAP service intended to be run on sealed servers
+#
+cyrus = module
+
+# Layer: system
+# Module: daemontools
+#
+# Collection of tools for managing UNIX services
+#
+daemontools = module
+
+# Layer: services
+# Module: dbskk
+#
+# Dictionary server for the SKK Japanese input method system.
+#
+dbskk = module
+
+# Layer: services
+# Module: dbus
+#
+# Desktop messaging bus
+#
+dbus = base
+
+# Layer: services
+# Module: dcc
+#
+# A distributed, collaborative, spam detection and filtering network.
+#
+dcc = module
+
+# Layer: admin
+# Module: ddcprobe
+#
+# ddcprobe retrieves monitor and graphics card information
+#
+ddcprobe = off
+
+# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Layer: services
+# Module: dhcp
+#
+# Dynamic host configuration protocol (DHCP) server
+#
+dhcp = module
+
+# Layer: services
+# Module: dictd
+#
+# Dictionary daemon
+#
+dictd = module
+
+# Layer: services
+# Module: distcc
+#
+# Distributed compiler daemon
+#
+distcc = off
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+#
+dmesg = base
+
+# Layer: admin
+# Module: dmidecode
+#
+# Decode DMI data for x86/ia64 bioses.
+#
+dmidecode = base
+
+# Layer: system
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Layer: services
+# Module: dovecot
+#
+# Dovecot POP and IMAP mail server
+#
+dovecot = module
+
+# Layer: apps
+# Module: gpg
+#
+# Policy for GNU Privacy Guard and related programs.
+#
+gpg = off
+
+# Layer: services
+# Module: gpm
+#
+# General Purpose Mouse driver
+#
+gpm = module
+
+# Layer: apps
+# Module: ethereal
+#
+# Ethereal packet capture tool.
+#
+ethereal = module
+
+# Layer: services
+# Module: fail2ban
+#
+# daiemon that bans IP that makes too many password failures
+#
+fail2ban = module
+
+# Layer: services
+# Module: fetchmail
+#
+# Remote-mail retrieval and forwarding utility
+#
+fetchmail = module
+
+# Layer: kernel
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Layer: kernel
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Layer: services
+# Module: finger
+#
+# Finger user information service.
+#
+finger = module
+
+# Layer: admin
+# Module: firstboot
+#
+# Final system configuration run during the first boot
+# after installation of Red Hat/Fedora systems.
+#
+firstboot = base
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = base
+
+# Layer: services
+# Module: ftp
+#
+# File transfer protocol service
+#
+ftp = module
+
+# Layer: apps
+# Module: games
+#
+# The Open Group Pegasus CIM/WBEM Server.
+#
+games = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = base
+
+# Layer: apps
+# Module: gnome
+#
+# gnome session and gconf
+#
+gnome = module
+
+# Layer: services
+# Module: gnomeclock
+#
+# gnomeclock used by dbus/polkit to set time
+#
+gnomeclock = module
+
+# Layer: services
+# Module: hal
+#
+# Hardware abstraction layer
+#
+hal = module
+
+# Layer: services
+# Module: polkit
+#
+# Hardware abstraction layer
+#
+polkit = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = base
+
+
+# Layer: system
+# Module: hotplug
+#
+# Policy for hotplug system, for supporting the
+# connection and disconnection of devices at runtime.
+#
+hotplug = base
+
+# Layer: services
+# Module: howl
+#
+# Port of Apple Rendezvous multicast DNS
+#
+howl = module
+
+# Layer: services
+# Module: inetd
+#
+# Internet services daemon.
+#
+inetd = base
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = base
+
+# Layer: services
+# Module: inn
+#
+# Internet News NNTP server
+#
+inn = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = base
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+#
+ipsec = module
+
+# Layer: apps
+# Module: irc
+#
+# IRC client policy
+#
+irc = module
+
+# Layer: services
+# Module: irqbalance
+#
+# IRQ balancing daemon
+#
+irqbalance = base
+
+# Layer: system
+# Module: iscsi
+#
+# Open-iSCSI daemon
+#
+iscsi = module
+
+# Layer: services
+# Module: i18n_input
+#
+# IIIMF htt server
+#
+i18n_input = off
+
+
+# Layer: apps
+# Module: java
+#
+# java executable
+#
+java = module
+
+# Layer: services
+# Module: kerberos
+#
+# MIT Kerberos admin and KDC
+#
+kerberos = module
+
+# Layer: kernel
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
+#
+kernel = base
+
+# Layer: services
+# Module: ktalk
+#
+# KDE Talk daemon
+#
+ktalk = module
+
+# Layer: admin
+# Module: kudzu
+#
+# Hardware detection and configuration tools
+#
+kudzu = base
+
+
+# Layer: services
+# Module: ldap
+#
+# OpenLDAP directory server
+#
+ldap = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = base
+
+# Layer: apps
+# Module: loadkeys
+#
+# Load keyboard mappings.
+#
+loadkeys = base
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = base
+
+# Layer: apps
+# Module: lockdev
+#
+# device locking policy for lockdev
+#
+lockdev = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = base
+
+# Layer: admin
+# Module: logrotate
+#
+# Rotate and archive system logs
+#
+logrotate = base
+
+# Layer: services
+# Module: logwatch
+#
+# logwatch executable
+#
+logwatch = base
+
+# Layer: services
+# Module: lpd
+#
+# Line printer daemon
+#
+lpd = module
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+#
+lvm = base
+
+# Layer: services
+# Module: mailman
+#
+# Mailman is for managing electronic mail discussion and e-newsletter lists
+#
+mailman = module
+
+# Layer: services
+# Module: mailscanner
+#
+# Anti-Virus and Anti-Spam Filter
+#
+mailscanner = module
+
+# Layer: kernel
+# Module: mcs
+# Required in base
+#
+# MultiCategory security policy
+#
+mcs = base
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = base
+
+# Layer: kernel
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+#
+mls = base
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = base
+
+# Layer: apps
+# Module: mono
+#
+# mono executable
+#
+mono = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = base
+
+# Layer: apps
+# Module: mozilla
+#
+# Policy for Mozilla and related web browsers
+#
+mozilla = module
+
+# Layer: apps
+# Module: nsplugin
+#
+# Policy for nspluginwrapper
+#
+nsplugin = module
+
+# Layer: apps
+# Module: mplayer
+#
+# Policy for Mozilla and related web browsers
+#
+mplayer = module
+
+# Layer: apps
+# Module: gpg
+#
+# Policy for Mozilla and related web browsers
+#
+gpg = module
+
+# Layer: admin
+# Module: mrtg
+#
+# Network traffic graphing
+#
+mrtg = module
+
+# Layer: services
+# Module: mta
+#
+# Policy common to all email tranfer agents.
+#
+mta = base
+
+# Layer: services
+# Module: mysql
+#
+# Policy for MySQL
+#
+mysql = module
+
+# Layer: services
+# Module: nagios
+#
+# policy for nagios Host/service/network monitoring program
+#
+nagios = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+#
+netutils = base
+
+# Layer: services
+# Module: networkmanager
+#
+# Manager for dynamically switching between networks.
+#
+networkmanager = base
+
+# Layer: services
+# Module: nis
+#
+# Policy for NIS (YP) servers and clients
+#
+nis = module
+
+
+# Layer: services
+# Module: nscd
+#
+# Name service cache daemon
+#
+nscd = base
+
+
+# Layer: services
+# Module: ntp
+#
+# Network time protocol daemon
+#
+ntp = module
+
+# Layer: services
+# Module: nx
+#
+# NX Remote Desktop
+#
+nx = module
+
+
+# Layer: services
+# Module: oddjob
+#
+# policy for oddjob
+#
+oddjob = module
+
+# Layer: services
+# Module: openct
+#
+# Service for handling smart card readers.
+#
+openct = off
+
+# Layer: services
+# Module: openvpn
+#
+# Policy for OPENVPN full-featured SSL VPN solution
+#
+openvpn = module
+
+
+# Layer: service
+# Module: pcscd
+#
+# PC/SC Smart Card Daemon
+#
+pcscd = module
+
+# Layer: service
+# Module: openct
+#
+# Middleware framework for smart card terminals
+#
+openct = module
+
+# Layer: system
+# Module: pcmcia
+#
+# PCMCIA card management services
+#
+pcmcia = base
+
+# Layer: services
+# Module: pegasus
+#
+# The Open Group Pegasus CIM/WBEM Server.
+#
+pegasus = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+#
+postgresql = module
+
+# Layer: services
+# Module: portmap
+#
+# RPC port mapping service.
+#
+portmap = module
+
+# Layer: services
+# Module: postfix
+#
+# Postfix email server
+#
+postfix = module
+
+o# Layer: services
+# Module: postgrey
+#
+# email scanner
+#
+postgrey = module
+
+# Layer: services
+# Module: ppp
+#
+# Point to Point Protocol daemon creates links in ppp networks
+#
+ppp = module
+
+# Layer: admin
+# Module: prelink
+#
+# Manage temporary directory sizes and file ages
+#
+prelink = base
+
+# Layer: services
+# Module: procmail
+#
+# Procmail mail delivery agent
+#
+procmail = module
+
+# Layer: services
+# Module: privoxy
+#
+# Privacy enhancing web proxy.
+#
+privoxy = module
+
+# Layer: services
+# Module: publicfile
+#
+# publicfile supplies files to the public through HTTP and FTP
+#
+publicfile = module
+
+# Layer: services
+# Module: pyzor
+#
+# Spam Blocker
+#
+pyzor = module
+
+
+# Layer: services
+# Module: qmail
+#
+# Policy for qmail
+#
+qmail = module
+
+# Layer: admin
+# Module: quota
+#
+# File system quota management
+#
+quota = base
+
+# Layer: system
+# Module: raid
+#
+# RAID array management tools
+#
+raid = base
+
+# Layer: services
+# Module: radius
+#
+# RADIUS authentication and accounting server.
+#
+radius = module
+
+# Layer: services
+# Module: radvd
+#
+# IPv6 router advertisement daemon
+#
+radvd = module
+
+# Layer: services
+# Module: razor
+#
+# A distributed, collaborative, spam detection and filtering network.
+#
+razor = module
+
+# Layer: admin
+# Module: readahead
+#
+# Readahead, read files into page cache for improved performance
+#
+readahead = base
+
+# Layer: services
+# Module: rhgb
+#
+# X windows login display manager
+#
+rhgb = module
+
+# Layer: services
+# Module: rdisc
+#
+# Network router discovery daemon
+#
+rdisc = module
+
+# Layer: services
+# Module: remotelogin
+#
+# Policy for rshd, rlogind, and telnetd.
+#
+remotelogin = module
+
+# Layer: services
+# Module: ricci
+#
+# policy for ricci
+#
+ricci = module
+
+# Layer: services
+# Module: rlogin
+#
+# Remote login daemon
+#
+rlogin = module
+
+# Layer: services
+# Module: roundup
+#
+# Roundup Issue Tracking System policy
+#
+roundup = module
+
+# Layer: services
+# Module: rpc
+#
+# Remote Procedure Call Daemon for managment of network based process communication
+#
+rpc = base
+
+# Layer: admin
+# Module: rpm
+#
+# Policy for the RPM package manager.
+#
+rpm = base
+
+
+# Layer: services
+# Module: rshd
+#
+# Remote shell service.
+#
+rshd = module
+
+# Layer: services
+# Module: rsync
+#
+# Fast incremental file transfer for synchronization
+#
+rsync = module
+
+# Layer: services
+# Module: rwho
+#
+# who is logged in on local machines
+#
+rwho = module
+
+# Layer: services
+# Module: sasl
+#
+# SASL authentication server
+#
+sasl = module
+
+# Layer: services
+# Module: sendmail
+#
+# Policy for sendmail.
+#
+sendmail = base
+
+# Layer: services
+# Module: samba
+#
+# SMB and CIFS client/server programs for UNIX and
+# name Service Switch daemon for resolving names
+# from Windows NT servers.
+#
+samba = module
+
+# Layer: apps
+# Module: screen
+#
+# GNU terminal multiplexer
+#
+screen = module
+
+# Layer: kernel
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = base
+
+# Layer: system
+# Module: setrans
+# Required in base
+#
+# Policy for setrans
+#
+setrans = base
+
+# Layer: services
+# Module: setroubleshoot
+#
+# Policy for the SELinux troubleshooting utility
+#
+setroubleshoot = base
+
+# Layer: services
+# Module: slrnpull
+#
+# Service for downloading news feeds the slrn newsreader.
+#
+slrnpull = off
+
+# Layer: apps
+# Module: slocate
+#
+# Update database for mlocate
+#
+slocate = module
+
+# Layer: services
+# Module: smartmon
+#
+# Smart disk monitoring daemon policy
+#
+smartmon = module
+
+# Layer: services
+# Module: snmp
+#
+# Simple network management protocol services
+#
+snmp = module
+
+# Layer: services
+# Module: spamassassin
+#
+# Filter used for removing unsolicited email.
+#
+spamassassin = module
+
+# Layer: services
+# Module: squid
+#
+# Squid caching http proxy server
+#
+squid = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+#
+ssh = base
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = base
+
+# Layer: services
+# Module: stunnel
+#
+# SSL Tunneling Proxy
+#
+stunnel = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+#
+su = base
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+sudo = base
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = base
+
+
+# Layer: services
+# Module: sysstat
+#
+# Policy for sysstat. Reports on various system states
+#
+sysstat = module
+
+# Layer: services
+# Module: tcpd
+#
+# Policy for TCP daemon.
+#
+tcpd = module
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = base
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = base
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+#
+unconfined = module
+
+# Layer: apps
+# Module: wine
+#
+# wine executable
+#
+wine = module
+
+# Layer: admin
+# Module: tzdata
+#
+# Policy for tzdata-update
+#
+tzdata = base
+
+# Layer: apps
+# Module: userhelper
+#
+# A helper interface to pam.
+#
+userhelper = module
+
+# Layer: services
+# Module: tor
+#
+# TOR, the onion router
+#
+tor = module
+
+# Layer: apps
+# Module: tvtime
+#
+# tvtime - a high quality television application
+#
+tvtime = module
+
+# Layer: apps
+# Module: uml
+#
+# Policy for UML
+#
+uml = module
+
+# Layer: admin
+# Module: usbmodules
+#
+# List kernel modules of USB devices
+#
+usbmodules = module
+
+# Layer: apps
+# Module: usernetctl
+#
+# User network interface configuration helper
+#
+usernetctl = module
+
+# Layer: system
+# Module: xen
+#
+# virtualization software
+#
+xen = module
+
+# Layer: services
+# Module: virt
+#
+# Virtualization libraries
+#
+virt = module
+
+# Layer: apps
+# Module: qemu
+#
+# Virtualization emulator
+#
+qemu = module
+
+# Layer: system
+# Module: brctl
+#
+# Utilities for configuring the linux ethernet bridge
+#
+brctl = base
+
+# Layer: services
+# Module: telnet
+#
+# Telnet daemon
+#
+telnet = module
+
+# Layer: services
+# Module: timidity
+#
+# MIDI to WAV converter and player configured as a service
+#
+timidity = off
+
+# Layer: services
+# Module: tftp
+#
+# Trivial file transfer protocol daemon
+#
+tftp = module
+
+# Layer: services
+# Module: uucp
+#
+# Unix to Unix Copy
+#
+uucp = module
+
+# Layer: services
+# Module: vbetool
+#
+# run real-mode video BIOS code to alter hardware state
+#
+vbetool = base
+
+# Layer: apps
+# Module: webalizer
+#
+# Web server log analysis
+#
+webalizer = module
+
+# Layer: services
+# Module: xfs
+#
+# X Windows Font Server
+#
+xfs = module
+
+# Layer: services
+# Module: xserver
+#
+# X windows login display manager
+#
+xserver = base
+
+# Layer: services
+# Module: zebra
+#
+# Zebra border gateway protocol network routing service
+#
+zebra = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = base
+
+# Layer: admin
+# Module: updfstab
+#
+# Red Hat utility to change /etc/fstab.
+#
+updfstab = base
+
+# Layer: admin
+# Module: vpn
+#
+# Virtual Private Networking client
+#
+vpn = module
+
+# Layer: admin
+# Module: vbetool
+#
+# run real-mode video BIOS code to alter hardware state
+#
+vbetool = base
+
+# Layer: kernel
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+#
+terminal = base
+
+# Layer: admin
+# Module: tmpreaper
+#
+# Manage temporary directory sizes and file ages
+#
+tmpreaper = module
+
+# Layer: admin
+# Module: amtu
+#
+# Abstract Machine Test Utility (AMTU)
+#
+amtu = module
+
+# Layer: services
+# Module: zabbix
+#
+# Open-source monitoring solution for your IT infrastructure
+#
+zabbix = module
+
+# Layer: services
+# Module: apcupsd
+#
+# daemon for most APC’s UPS for Linux
+#
+apcupsd = module
+
+# Layer: services
+# Module: aide
+#
+# Policy for aide
+#
+aide = module
+
+# Layer: services
+# Module: w3c
+#
+# w3c
+#
+w3c = module
+
+# Layer: services
+# Module: rpcbind
+#
+# universal addresses to RPC program number mapper
+#
+rpcbind = module
+
+# Layer: apps
+# Module: vmware
+#
+# VMWare Workstation virtual machines
+#
+vmware = module
+
+# Layer: role
+# Module: logadm
+#
+# Minimally prived root role for managing logging system
+#
+logadm = module
+
+# Layer: role
+# Module: webadm
+#
+# Minimally prived root role for managing apache
+#
+webadm = module
+
+#
+# Layer: services
+# Module: exim
+#
+# exim mail server
+#
+exim = module
+
+
+# Layer: services
+# Module: kismet
+#
+# Wireless sniffing and monitoring
+#
+kismet = module
+
+# Layer: services
+# Module: munin
+#
+# Munin
+#
+munin = module
+
+# Layer: services
+# Module: bitlbee
+#
+# An IRC to other chat networks gateway
+#
+bitlbee = module
+
+# Layer: services
+# Module: soundserver
+#
+# sound server for network audio server programs, nasd, yiff, etc
+#
+soundserver = module
+
+# Layer:role
+# Module: staff
+#
+# admin account
+#
+staff = module
+
+# Layer:role
+# Module: sysadm
+#
+# System Administrator
+#
+sysadm = base
+
+# Layer: role
+# Module: unprivuser
+#
+# Minimally privs guest account on tty logins
+#
+unprivuser = module
+
+# Layer: services
+# Module: prelude
+#
+prelude = module
+
+# Layer: services
+# Module: pads
+#
+pads = module
+
+# Layer: services
+# Module: kerneloops
+#
+# program to collect and submit kernel oopses to kerneloops.org
+#
+kerneloops = module
+
+# Layer: apps
+# Module: openoffice
+#
+# openoffice executable
+#
+openoffice = module
+
+# Layer: apps
+# Module: podsleuth
+#
+# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods.
+#
+podsleuth = module
+
+# Layer: role
+# Module: guest
+#
+# Minimally privs guest account on tty logins
+#
+guest = module
+
+# Layer: role
+# Module: xguest
+#
+# Minimally privs guest account on X Windows logins
+#
+xguest = module
+
+# Layer: services
+# Module: courier
+#
+# IMAP and POP3 email servers
+#
+courier = module
+
+# Layer: apps
+# Module: livecd
+#
+# livecd creator
+#
+livecd = module
+
+# Layer: services
+# Module: snort
+#
+# Snort network intrusion detection system
+#
+snort = module
+
+# Layer: services
+# Module: memcached
+#
+# high-performance memory object caching system
+#
+memcached = module
+
+# Layer: system
+# Module: netlabel
+#
+# Basic netlabel types and interfaces.
+#
+netlabel = module
+
+# Layer: services
+# Module: zosremote
+#
+# policy for z/OS Remote-services Audit dispatcher plugin
+#
+zosremote = module
+
diff --git a/policy-20080710.patch b/policy-20080710.patch
index 3a762fd..790fb58 100644
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@@ -1860,7 +1860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.5.11/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2008-10-08 19:00:27.000000000 -0400
-+++ serefpolicy-3.5.11/policy/modules/admin/vpn.te 2008-10-08 20:36:17.000000000 -0400
++++ serefpolicy-3.5.11/policy/modules/admin/vpn.te 2008-10-09 07:44:03.000000000 -0400
@@ -23,7 +23,7 @@
#
@@ -1870,16 +1870,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow vpnc_t self:fifo_file rw_fifo_file_perms;
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
allow vpnc_t self:tcp_socket create_stream_socket_perms;
-@@ -44,8 +44,7 @@
+@@ -44,7 +44,7 @@
kernel_read_system_state(vpnc_t)
kernel_read_network_state(vpnc_t)
-kernel_read_kernel_sysctls(vpnc_t)
--kernel_rw_net_sysctls(vpnc_t)
+kernel_read_all_sysctls(vpnc_t)
+ kernel_rw_net_sysctls(vpnc_t)
corenet_all_recvfrom_unlabeled(vpnc_t)
- corenet_all_recvfrom_netlabel(vpnc_t)
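Review bot: The vpnc_t rule changes from `kernel_read_kernel_sysctls(vpnc_t)` to `kernel_read_all_sysctls(vpnc_t)`, which grants read access to every sysctl subtree rather than the one vpnc presumably needs, and the hunk does not say which sysctl motivated the widening. If the missing access is a specific subtree (net, vm, fs), the narrower read interface for that subtree should be added next to the existing `kernel_read_kernel_sysctls(vpnc_t)` and `kernel_rw_net_sysctls(vpnc_t)` lines, with the denial that prompted it noted in a comment. The vpnc_t policy block starts and ends outside the hunk.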
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.5.11/policy/modules/apps/ethereal.fc
--- nsaserefpolicy/policy/modules/apps/ethereal.fc 2008-08-07 11:15:03.000000000 -0400
+++ serefpolicy-3.5.11/policy/modules/apps/ethereal.fc 2008-10-08 20:36:17.000000000 -0400
@@ -15951,7 +15950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.5.11/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.11/policy/modules/services/kerberos.if 2008-10-08 21:22:20.000000000 -0400
++++ serefpolicy-3.5.11/policy/modules/services/kerberos.if 2008-10-09 07:56:36.000000000 -0400
@@ -23,6 +23,43 @@
########################################
@@ -16122,7 +16121,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## Domain allowed access.
+##
+##
-+ ##
++##
+##
+## The role to be allowed to manage the kerberos domain.
+##
@@ -27937,7 +27936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.5.11/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2008-09-12 10:48:05.000000000 -0400
-+++ serefpolicy-3.5.11/policy/modules/system/modutils.te 2008-10-08 20:36:17.000000000 -0400
++++ serefpolicy-3.5.11/policy/modules/system/modutils.te 2008-10-09 07:40:52.000000000 -0400
@@ -42,7 +42,7 @@
# insmod local policy
#
@@ -28027,7 +28026,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
unconfined_dontaudit_rw_pipes(insmod_t)
-+ unconfined_dontaudit_use_terminals(insmod_t)
++ unconfined_dontaudit_use_terms(insmod_t)
')
optional_policy(`
@@ -28057,7 +28056,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
# Read System.map from home directories.
- unconfined_read_home_content_files(depmod_t)
-+ unconfined_dontaudit_use_terminals(depmod_t)
++ unconfined_dontaudit_use_terms(depmod_t)
+ unconfined_domain(depmod_t)
')
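Review bot: The renamed `unconfined_dontaudit_use_terms(depmod_t)` sits directly above `unconfined_domain(depmod_t)`, which the underlying patch already substitutes for `unconfined_read_home_content_files(depmod_t)`; that replaces a single read permission on home content with the full unconfined privilege set for depmod_t, and the only comment ("Read System.map from home directories.") does not explain why the narrow interface was insufficient. This commit only renames the dontaudit interface, so the widening is inherited rather than introduced here, but it is the line an auditor of modutils.te will ask about; a comment such as `# unconfined_domain: depmod must read System.map from home dirs; TODO narrow to a read-only interface` — or the narrower interface itself — would be better. The enclosing optional_policy block continues outside the hunk.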
diff --git a/securetty_types-minimum b/securetty_types-minimum
new file mode 100644
index 0000000..fe7ce17
--- /dev/null
+++ b/securetty_types-minimum
@@ -0,0 +1,3 @@
+sysadm_tty_device_t
+user_tty_device_t
+staff_tty_device_t
diff --git a/setrans-minimum.conf b/setrans-minimum.conf
new file mode 100644
index 0000000..9b46bbd
--- /dev/null
+++ b/setrans-minimum.conf
@@ -0,0 +1,19 @@
+#
+# Multi-Category Security translation table for SELinux
+#
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-1023 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c1023. Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh