diff --git a/COPYING b/COPYING new file mode 100644 index 0000000..5b6e7c6 --- /dev/null +++ b/COPYING 
@@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+ + <one line to give the program's name and a brief idea of what it does.> + Copyright (C) <year> <name of author> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. 
+ + <signature of Ty Coon>, 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. diff --git a/Changelog b/Changelog new file mode 100644 index 0000000..72baf6d --- /dev/null +++ b/Changelog 
@@ -0,0 +1,820 @@ +- Unconditional staff and user oidentd home config access from Dominick Grift. +- Conditional mmap_zero support from Dominick Grift. +- Added devtmpfs support. +- Dbadm updates from KaiGai Kohei. +- Virtio disk file context update from Mika Pfluger. +- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh. +- Add JIT usage for freshclam. +- Remove ethereal module since the application was renamed to wireshark. +- Remove duplicate/redundant rules, from Russell Coker. +- Increased default number of categories to 1024, from Russell Coker. +- Added modules: + accountsd (Dan Walsh) + cgroup (Dominick Grift) + kdumpgui (Dan Walsh) + livecd (Dan Walsh) + mojomojo (Lain Arnell) + sambagui (Dan Walsh) + shutdown (Dan Walsh) + +* Mon May 24 2010 Chris PeBenito <selinux@tresys.com> - 2.20100524 +- Merged a significant portion of Fedora policy. +- Move rules from mta mailserver delivery from interface to .te to use + attributes. +- Remove concept of users from terminal module interfaces since the + attributes are not specific to users. +- Add non-drawing X client support, for consolekit usage. +- Misc Gentoo fixes from Chris Richards. +- AFS and abrt fixes from Dominick Grift. +- Improved the XML docs of 55 most-used interfaces. +- Apcupsd and amavis fixes from Dominick Grift. +- Fix network_port() in corenetwork to correctly handle port ranges. +- SE-Postgresql updates from KaiGai Kohei. +- X object manager revisions from Eamon Walsh. 
+- Added modules: + aisexec (Dan Walsh) + chronyd (Miroslav Grepl) + cobbler (Dominick Grift) + corosync (Dan Walsh) + dbadm (KaiGai Kohei) + denyhosts (Dan Walsh) + nut (Stefan Schulze Frielinghaus, Miroslav Grepl) + likewise (Scott Salley) + plymouthd (Dan Walsh) + pyicqt (Stefan Schulze Frielinghaus) + rhcs (Dan Walsh) + rgmanager (Dan Walsh) + sectoolm (Miroslav Grepl) + usbmuxd (Dan Walsh) + vhostmd (Dan Walsh) + +* Tue Nov 17 2009 Chris PeBenito <selinux@tresys.com> - 2.20091117 +- Add separate x_pointer and x_keyboard classes inheriting from x_device. + From Eamon Walsh. +- Deprecated the userdom_xwindows_client_template(). +- Misc Gentoo fixes from Corentin Labbe. +- Debian policykit fixes from Martin Orr. +- Fix unconfined_r use of unconfined_java_t. +- Add missing x_device rules for XI2 functions, from Eamon Walsh. +- Add missing rules to make unconfined_cronjob_t a valid cron job domain. +- Add btrfs and ext4 to labeling targets. +- Fix infrastructure to expand macros in initrc_context when installing. +- Handle unix_chkpwd usage by useradd and groupadd. +- Add missing compatibility aliases for xdm_xserver*_t types. +- Added modules: + abrt (Dan Walsh) + dkim (Stefan Schulze Frielinghaus) + gitosis (Miroslav Grepl) + gnomeclock (Dan Walsh) + hddtemp (Dan Walsh) + kdump (Dan Walsh) + modemmanager(Dan Walsh) + nslcd (Dan Walsh) + puppet (Craig Grube) + rtkit (Dan Walsh) + seunshare (Dan Walsh) + shorewall (Dan Walsh) + tgtd (Matthew Ife) + tuned (Miroslav Grepl) + xscreensaver (Corentin Labbe) + +* Thu Jul 30 2009 Chris PeBenito <selinux@tresys.com> - 2.20090730 +- Gentoo fixes for init scripts and system startup. +- Remove read_default_t tunable. +- Greylist milter from Paul Howarth. +- Crack db access for su to handle password expiration, from Brandon Whalen. +- Misc fixes for unix_update from Brandon Whalen. +- Add x_device permissions for XI2 functions, from Eamon Walsh. +- MLS constraints for the x_selection class, from Eamon Walsh. 
+- Postgresql updates from KaiGai Kohei. +- Milter state directory patch from Paul Howarth. +- Add MLS constrains for ingress/egress and secmark from Paul Moore. +- Drop write permission from fs_read_rpc_sockets(). +- Remove unused udev_runtime_t type. +- Patch for RadSec port from Glen Turner. +- Enable network_peer_controls policy capability from Paul Moore. +- Btrfs xattr support from Paul Moore. +- Add db_procedure install permission from KaiGai Kohei. +- Add support for network interfaces with access controlled by a Boolean + from the CLIP project. +- Several fixes from the CLIP project. +- Add support for labeled Booleans. +- Remove node definitions and change node usage to generic nodes. +- Add kernel_service access vectors, from Stephen Smalley. +- Added modules: + certmaster (Dan Walsh) + cpufreqselector (Dan Walsh) + devicekit (Dan Walsh) + fprintd (Dan Walsh) + git (Dan Walsh) + gpsd (Miroslav Grepl) + guest (Dan Walsh) + ifplugd (Dan Walsh) + lircd (Miroslav Grepl) + logadm (Dan Walsh) + pads (Dan Walsh) + pingd (Dan Walsh) + policykit (Dan Walsh) + pulseaudio (Dan Walsh) + psad (Dan Walsh) + portreserve (Dan Walsh) + sssd (Dan Walsh) + ulogd (Dan Walsh) + varnishd (Dan Walsh) + webadm (Dan Walsh) + wm (Dan Walsh) + xguest (Dan Walsh) + zosremote (Dan Walsh) + +* Wed Dec 10 2008 Chris PeBenito <selinux@tresys.com> - 2.20081210 +- Fix consistency of audioentropy and iscsi module naming. +- Debian file context fix for xen from Russell Coker. +- Xserver MLS fix from Eamon Walsh. +- Add omapi port for dhcpcd. +- Deprecate per-role templates and rolemap support. +- Implement user-based access control for use as role separations. +- Move shared library calls from individual modules to the domain module. +- Enable open permission checks policy capability. +- Remove hierarchy from portage module as it is not a good example of + hieararchy. +- Remove enableaudit target from modular build as semodule -DB supplants it. 
+- Added modules: + milter (Paul Howarth) + +* Tue Oct 14 2008 Chris PeBenito <selinux@tresys.com> - 20081014 +- Debian update for NetworkManager/wpa_supplicant from Martin Orr. +- Logrotate and Bind updates from Vaclav Ovsik. +- Init script file and domain support. +- Glibc 2.7 fix from Vaclav Ovsik. +- Samba/winbind update from Mike Edenfield. +- Policy size optimization with a non-security file attribute from James + Carter. +- Database labeled networking update from KaiGai Kohei. +- Several misc changes from the Fedora policy, cherry picked by David + Hardeman. +- Large whitespace fix from Dominick Grift. +- Pam_mount fix for local login from Stefan Schulze Frielinghaus. +- Issuing commands to upstart is over a datagram socket, not the initctl + named pipe. Updated init_telinit() to match. +- Added modules: + cyphesis (Dan Walsh) + memcached (Dan Walsh) + oident (Dominick Grift) + w3c (Dan Walsh) + +* Wed Jul 02 2008 Chris PeBenito <selinux@tresys.com> - 20080702 +- Fix httpd_enable_homedirs to actually provide the access it is supposed to + provide. +- Add unused interface/template parameter metadata in XML. +- Patch to handle postfix data_directory from Vaclav Ovsik. +- SE-Postgresql policy from KaiGai Kohei. +- Patch for X.org dbus support from Martin Orr. +- Patch for labeled networking controls in 2.6.25 from Paul Moore. +- Module loading now requires setsched on kernel threads. +- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik. +- X application data class from Eamon Walsh and Ted Toth. +- Move user roles into individual modules. +- Make hald_log_t a log file. +- Cryptsetup runs shell scripts. Patch from Martin Orr. +- Add file for enabling policy capabilities. +- Patch to fix leaky interface/template call depth calculator from Vaclav + Ovsik. 
+- Added modules: + kerneloops (Dan Walsh) + kismet (Dan Walsh) + podsleuth (Dan Walsh) + prelude (Dan Walsh) + qemu (Dan Walsh) + virt (Dan Walsh) + +* Wed Apr 02 2008 Chris PeBenito <selinux@tresys.com> - 20080402 +- Add core Security Enhanced X Windows support. +- Fix winbind socket connection interface for default location of the + sock_file. +- Add wireshark module based on ethereal module. +- Revise upstart support in init module to use a tunable, as upstart is now + used in Fedora too. +- Add iferror.m4 rather generate it out of the Makefiles. +- Definitions for open permisson on file and similar objects from Eric + Paris. +- Apt updates for ptys and logs, from Martin Orr. +- RPC update from Vaclav Ovsik. +- Exim updates on Debian from Devin Carrawy. +- Pam and samba updates from Stefan Schulze Frielinghaus. +- Backup update on Debian from Vaclav Ovsik. +- Cracklib update on Debian from Vaclav Ovsik. +- Label /proc/kallsyms with system_map_t. +- 64-bit capabilities from Stephen Smalley. +- Labeled networking peer object class updates. + +* Fri Dec 14 2007 Chris PeBenito <selinux@tresys.com> - 20071214 +- Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik. +- Improve several tunables descriptions from Dan Walsh. +- Patch to clean up ns switch usage in the policy from Dan Walsh. +- More complete labeled networking infrastructure from KaiGai Kohei. +- Add interface for libselinux constructor, for libselinux-linked + SELinux-enabled programs. +- Patch to restructure user role templates to create restricted user roles + from Dan Walsh. +- Russian man page translations from Andrey Markelov. +- Remove unused types from dbus. +- Add infrastructure for managing all user web content. +- Deprecate some old file and dir permission set macros in favor of the + newer, more consistently-named macros. +- Patch to clean up unescaped periods in several file context entries from + Jan-Frode Myklebust. +- Merge shlib_t into lib_t. 
+- Merge strict and targeted policies. The policy will now behave like the + strict policy if the unconfined module is not present. If it is, it will + behave like the targeted policy. Added an unconfined role to have a mix + of confined and unconfined users. +- Added modules: + exim (Dan Walsh) + postfixpolicyd (Jan-Frode Myklebust) + +* Fri Sep 28 2007 Chris PeBenito <selinux@tresys.com> - 20070928 +- Add support for setting the unknown permissions handling. +- Fix XML building for external reference builds and headers builds. +- Patch to add missing requirements in userdomain interfaces from Shintaro + Fujiwara. +- Add tcpd_wrapped_domain() for services that use tcp wrappers. +- Update MLS constraints from LSPP evaluated policy. +- Allow initrc_t file descriptors to be inherited regardless of MLS level. + Accordingly drop MLS permissions from daemons that inherit from any level. +- Files and radvd updates from Stefan Schulze Frielinghaus. +- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with + mls_write_all_levels() and mls_read_all_levels(), for consistency. +- Add make kernel and init ranged interfaces pass the range transition MLS + constraints. Also remove calls to mls_rangetrans_target() in modules that use + the kernel and init interfaces, since its redundant. +- Add interfaces for all MLS attributes except X object classes. +- Require all sensitivities and categories for MLS and MCS policies, not just + the low and high sensitivity and category. +- Database userspace object manager classes from KaiGai Kohei. +- Add third-party interface for Apache CGI. +- Add getserv and shmemserv nscd permissions. +- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus. 
+- Added modules: + application + awstats (Stefan Schulze Frielinghaus) + bitlbee (Devin Carraway) + brctl (Dan Walsh) + +* Fri Jun 29 2007 Chris PeBenito <selinux@tresys.com> - 20070629 +- Fix incorrectly named files_lib_filetrans_shared_lib() interface in the + libraries module. +- Unified labeled networking policy from Paul Moore. +- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. +- Xen updates from Dan Walsh. +- Filesystem updates from Dan Walsh. +- Large samba update from Dan Walsh. +- Drop snmpd_etc_t. +- Confine sendmail and logrotate on targeted. +- Tunable connection to postgresql for users from KaiGai Kohei. +- Memprotect support patch from Stephen Smalley. +- Add logging_send_audit_msgs() interface and deprecate + send_audit_msgs_pattern(). +- Openct updates patch from Dan Walsh. +- Merge restorecon into setfiles. +- Patch to begin separating out hald helper programs from Dan Walsh. +- Fixes for squid, dovecot, and snmp from Dan Walsh. +- Miscellaneous consolekit fixes from Dan Walsh. +- Patch to have avahi use the nsswitch interface rather than individual + permissions from Dan Walsh. +- Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh. +- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes + to handle usage from userhelper from Dan Walsh. +- Patch to allow amavis to read spamassassin libraries from Dan Walsh. +- Patch to allow slocate to getattr other filesystems and directories on those + filesystems from Dan Walsh. +- Fixes for RHEL4 from the CLIP project. +- Replace the old lrrd fc entries with munin ones. +- Move program admin template usage out of userdom_admin_user_template() to + sysadm policy in userdomain.te to fix usage of the template for third + parties. +- Fix clockspeed_run_cli() declaration, it was incorrectly defined as a + template instead of an interface. 
+- Added modules: + amtu (Dan Walsh) + apcupsd (Dan Walsh) + rpcbind (Dan Walsh) + rwho (Nalin Dahyabhai) + +* Tue Apr 17 2007 Chris PeBenito <selinux@tresys.com> - 20070417 +- Patch for sasl's use of kerberos from Dan Walsh. +- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh. +- Man page updates from Dan Walsh. +- Two patches from Paul Moore to for ipsec to remove redundant rules and + have setkey read the config file. +- Move booleans and tunables to modules when it is only used in a single + module. +- Add support for tunables and booleans local to a module. +- Merge sbin_t and ls_exec_t into bin_t. +- Remove disable_trans booleans. +- Output different header sets for kernel and userland from flask headers. +- Marked the pax class as deprecated, changed it to userland so + it will be removed from the kernel. +- Stop including netfilter contexts by default. +- Add dontaudits for init fds and console to init_daemon_domain(). +- Patch to allow gpg to create user keys dir. +- Patch to support kvmfs from Dan Walsh. +- Patch for misc fixes in sudo from Dan Walsh. +- Patch to fix netlabel recvfrom MLS constraint from Paul Moore. +- Patch for handling restart of nscd when ran from useradd, groupadd, and + admin passwd, from Dan Walsh. +- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh. +- Patch for setroubleshoot for validating file contexts from Dan Walsh. +- Patch for gssd fixes from Dan Walsh. +- Patch for lvm fixes from Dan Walsh. +- Patch for ricci fixes from Dan Walsh. +- Patch for postfix lmtp labeling and pickup rule fix from Dan Walsh. +- Patch for kerberized telnet fixes from Dan Walsh. +- Patch for kerberized ftp and other ftp fixes from Dan Walsh. +- Patch for an additional wine executable from Dan Walsh. +- Eight patches for file contexts in games, wine, networkmanager, miscfiles, + corecommands, devices, and java from Dan Walsh. +- Add support for libselinux 2.0.5 init_selinuxmnt() changes. 
+- Patch for misc fixes to bluetooth from Dan Walsh. +- Patch for misc fixes to kerberos from Dan Walsh. +- Patch to start deprecating usercanread attribute from Ryan Bradetich. +- Add dccp_socket object class which was added in kernel 2.6.20. +- Patch for prelink relabefrom it's temp files from Dan Walsh. +- Patch for capability fix for auditd and networking fix for syslogd from + Dan Walsh. +- Patch to remove redundant mls_trusted_object() call from Dan Walsh. +- Patch for misc fixes to nis ypxfr policy from Dan Walsh. +- Patch to allow apmd to telinit from Dan Walsh. +- Patch for additional labeling of samba files from Stefan Schulze + Frielinghaus. +- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich. +- Fix ptys and ttys to be device nodes. +- Fix explicit use of httpd_t in openca_domtrans(). +- Clean up file context regexes in apache and java, from Eamon Walsh. +- Patches from Dan Walsh: + Thu, 25 Jan 2007 +- Added modules: + consolekit (Dan Walsh) + fail2ban (Dan Walsh) + zabbix (Dan Walsh) + +* Tue Dec 12 2006 Chris PeBenito <selinux@tresys.com> - 20061212 +- Add policy patterns support macros. This changes the behavior of + the create_dir_perms and create_file_perms permission sets. +- Association polmatch MLS constraint making unlabeled_t an exception + is no longer needed, patch from Venkat Yekkirala. +- Context contains checking for PAM and cron from James Antill. +- Add a reload target to Modules.devel and change the load + target to only insert modules that were changed. +- Allow semanage to read from /root on strict non-MLS for + local policy modules. +- Gentoo init script fixes for udev. +- Allow udev to read kernel modules.inputmap. +- Dnsmasq fixes from testing. +- Allow kernel NFS server to getattr filesystems so df can work + on clients. +- Patch from Matt Anderson for a MLS constraint exemption on a + file that can be written to from a subject whose range is + within the object's range. 
+- Enhanced setransd support from Darrel Goeddel. +- Patches from Dan Walsh: + Tue, 24 Oct 2006 + Wed, 29 Nov 2006 +- Added modules: + aide (Matt Anderson) + ccs (Dan Walsh) + iscsi (Dan Walsh) + ricci (Dan Walsh) + +* Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018 +- Patch from Russell Coker Thu, 5 Oct 2006 +- Move range transitions to modules. +- Make number of MLS sensitivities, and number of MLS and MCS + categories configurable as build options. +- Add role infrastructure. +- Debian updates from Erich Schubert. +- Add nscd_socket_use() to auth_use_nsswitch(). +- Remove old selopt rules. +- Full support for netfilter_contexts. +- MRTG patch for daemon operation from Stefan. +- Add authlogin interface to abstract common access for login programs. +- Remove setbool auditallow, except for RHEL4. +- Change eventpollfs to task SID labeling. +- Add key support from Michael LeMay. +- Add ftpdctl domain to ftp, from Paul Howarth. +- Fix build system to not move type declarations out of optionals. +- Add gcc-config domain to portage. +- Add packet object class and support in corenetwork. +- Add a copy of genhomedircon for monolithic policy building, so that a + policycoreutils package update is not required for RHEL4 systems. +- Add appletalk sockets for use in cups. +- Add Make target to validate module linking. +- Make duplicate template and interface declarations a fatal error. +- Patch to stabilize modules.conf `make conf` output, from Erich Schubert. +- Move xconsole_device_t from devices to xserver since it is + not actually a device, it is a named pipe. +- Handle nonexistant .fc and .if files in devel Makefile by + automatically creating empty files. +- Remove unused devfs_control_t. +- Add rhel4 distro, which also implies redhat distro. +- Remove unneeded range_transition for su_exec_t and move the + type declaration back to the su module. +- Constrain transitions in MCS so unconfined_t cannot have + arbitrary category sets. 
+- Change reiserfs from xattr filesystem to genfscon as it's xattrs + are currently nonfunctional. +- Change files and filesystem modules to use their own interfaces. +- Add user fonts to xserver. +- Additional interfaces in corecommands, miscfiles, and userdomain + from Joy Latten. +- Miscellaneous fixes from Thomas Bleher. +- Deprecate module name as first parameter of optional_policy() + now that optionals are allowed everywhere. +- Enable optional blocks in base module and monolithic policy. + This requires checkpolicy 1.30.1. +- Fix vpn module declaration. +- Numerous fixes from Dan Walsh. +- Change build order to preserve m4 line number information so policy + compile errors are useful again. +- Additional MLS interfaces from Chad Hanson. +- Move some rules out of domain_type() and domain_base_type() + to the TE file, to use the domain attribute to take advantage + of space savings from attribute use. +- Add global stack smashing protector rule for urandom access from + Petre Rodan. +- Fix temporary rules at the bottom of portmap. +- Updated comments in mls file from Chad Hanson. 
+- Patches from Dan Walsh: + Fri, 17 Mar 2006 + Wed, 29 Mar 2006 + Tue, 11 Apr 2006 + Fri, 14 Apr 2006 + Tue, 18 Apr 2006 + Thu, 20 Apr 2006 + Tue, 02 May 2006 + Mon, 15 May 2006 + Thu, 18 May 2006 + Tue, 06 Jun 2006 + Mon, 12 Jun 2006 + Tue, 20 Jun 2006 + Wed, 26 Jul 2006 + Wed, 23 Aug 2006 + Thu, 31 Aug 2006 + Fri, 01 Sep 2006 + Tue, 05 Sep 2006 + Wed, 20 Sep 2006 + Fri, 22 Sep 2006 + Mon, 25 Sep 2006 +- Added modules: + afs + amavis (Erich Schubert) + apt (Erich Schubert) + asterisk + audioentropy + authbind + backup + calamaris + cipe + clamav (Erich Schubert) + clockspeed (Petre Rodan) + courier + dante + dcc + ddclient + dpkg (Erich Schubert) + dnsmasq + ethereal + evolution + games + gatekeeper + gift + gnome (James Carter) + imaze + ircd + jabber + monop + mozilla + mplayer + munin + nagios + nessus + netlabel (Paul Moore) + nsd + ntop + nx + oav + oddjob (Dan Walsh) + openca + openvpn (Petre Rodan) + perdition + portslave + postgrey + pxe + pyzor (Dan Walsh) + qmail (Petre Rodan) + razor + resmgr + rhgb + rssh + snort + soundserver + speedtouch + sxid + thunderbird + tor (Erich Schubert) + transproxy + tripwire + uptime + uwimap + vmware + watchdog + xen (Dan Walsh) + xprint + yam + +* Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307 +- Make all interface parameters required. +- Move boot_t, system_map_t, and modules_object_t to files module, + and move bootloader to admin layer. +- Add semanage policy for semodule from Dan Walsh. +- Remove allow_execmem from targeted policy domain_base_type(). +- Add users_extra and seusers support. +- Postfix fixes from Serge Hallyn. +- Run python and shell directly to interpret scripts so policy + sources need not be executable. +- Add desc tag XML to booleans and tunables, and add summary + to param XML tag, to make future translations possible. +- Remove unused lvm_vg_t. +- Many interface renames to improve naming consistency. +- Merge xdm into xserver. +- Remove kernel module reversed interfaces. 
+- Add filename attribute to module XML tag and lineno attribute to + interface XML tag. +- Changed QUIET build option to a yes or no option. +- Add a Makefile used for compiling loadable modules in a + user's development environment, building against policy headers. +- Add Make target for installing policy headers. +- Separate per-userdomain template expansion from the userdomain + module and add infrastructure to expand templates in the modules + that own the template. +- Enable secadm only for MLS policies. +- Remove role change rules in su and sudo since this functionality has been + removed from these programs. +- Add ctags Make target from Thomas Bleher. +- Collapse commands with grep piped to sed into one sed command. +- Fix type_change bug in term_user_pty(). +- Move ice_tmp_t from miscfiles to xserver. +- Login fixes from Serge Hallyn. +- Move xserver_log_t from xdm to xserver. +- Add lpr per-userdomain policy to lpd. +- Miscellaneous fixes from Dan Walsh. +- Change initrc_var_run_t interface noun from script_pid to utmp, + for greater clarity. +- Added modules: + certwatch + mono (Dan Walsh) + mrtg + portage + tvtime + userhelper + usernetctl + wine (Dan Walsh) + xserver + +* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117 +- Adds support for generating corenetwork interfaces based on attributes + in addition to types. +- Permits the listing of multiple nodes in a network_node() that will be + given the same type. +- Add two new permission sets for stream sockets. +- Rename file type transition interfaces verb from create to + filetrans to differentiate it from create interfaces without + type transitions. +- Fix expansion of interfaces from disabled modules. +- Rsync can be long running from init, + added rules to allow this. +- Add polyinstantiation build option. +- Add setcontext to the association object class. +- Add apache relay and db connect tunables. +- Rename texrel_shlib_t to textrel_shlib_t. +- Add swat to samba module. 
+- Numerous miscellaneous fixes from Dan Walsh. +- Added modules: + alsa + automount + cdrecord + daemontools (Petre Rodan) + ddcprobe + djbdns (Petre Rodan) + fetchmail + irc + java + lockdev + logwatch (Dan Walsh) + openct + prelink (Dan Walsh) + publicfile (Petre Rodan) + readahead + roundup + screen + slocate (Dan Walsh) + slrnpull + smartmon + sysstat + ucspitcp (Petre Rodan) + usbmodules + vbetool (Dan Walsh) + +* Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207 +- Add unlabeled IPSEC association rule to domains with + networking permissions. +- Merge systemuser back in to users, as these files + do not need to be split. +- Add check for duplicate interface/template definitions. +- Move domain, files, and corecommands modules to kernel + layer to resolve some layering inconsistencies. +- Move policy build options out of Makefile into build.conf. +- Add yppasswd to nis module. +- Change optional_policy() to refer to the module name + rather than modulename.te. +- Fix labeling targets to use installed file_contexts rather + than partial file_contexts in the policy source directory. +- Fix build process to use make's internal vpath functions + to detect modules rather than using subshells and find. +- Add install target for modular policy. +- Add load target for modular policy. +- Add appconfig dependency to the load target. +- Miscellaneous fixes from Dan Walsh. +- Fix corenetwork gen_context()'s to expand during the policy + build phase instead of during the generation phase. +- Added policies: + amanda + avahi + canna + cyrus + dbskk + dovecot + distcc + i18n_input + irqbalance + lpd + networkmanager + pegasus + postfix + procmail + radius + rdisc + rpc + spamassassin + timidity + xdm + xfs + +* Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019 +- Many fixes to make loadable modules build. +- Add targets for sechecker. +- Updated to sedoctool to read bool files and tunable + files separately. 
+- Changed the xml tag of <boolean> to <bool> to be consistent + with gen_bool(). +- Modified the implementation of segenxml to use regular + expressions. +- Rename context_template() to gen_context() to clarify + that its not a Reference Policy template, but a support + macro. +- Add disable_*_trans bool support for targeted policy. +- Add MLS module to handle MLS constraint exceptions, + such as reading up and writing down. +- Fix errors uncovered by sediff. +- Added policies: + anaconda + apache + apm + arpwatch + bluetooth + dmidecode + finger + ftp + kudzu + mailman + ppp + radvd + sasl + webalizer + +* Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922 +- Make logrotate, sendmail, sshd, and rpm policies + unconfined in the targeted policy so no special + modules.conf is required. +- Add experimental MCS support. +- Add appconfig for MLS. +- Add equivalents for old can_resolve(), can_ldap(), and + can_portmap() to sysnetwork. +- Fix base module compile issues. +- Added policies: + cpucontrol + cvs + ktalk + portmap + postgresql + rlogin + samba + snmp + stunnel + telnet + tftp + uucp + vpn + zebra + +* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907 +- Fix errors uncovered by sediff. +- Doc tool will explicitly say a module does not have interfaces + or templates on the module page. +- Added policies: + comsat + dbus + dhcp + dictd + hal + inn + ntp + squid + +* Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826 +- Add Makefile support for building loadable modules. +- Add genclassperms.py tool to add require blocks + for loadable modules. +- Change sedoctool to make required modules part of base + by default, otherwise make as modules, in modules.conf. +- Fix segenxml to handle modules with no interfaces. +- Rename ipsec connect interface for consistency. +- Add missing parts of unix stream socket connect interface + of ipsec. +- Rename inetd connect interface for consistency. 
+- Rename interface for purging contents of tmp, for clarity, + since it allows deletion of classes other than file. +- Misc. cleanups. +- Added policies: + acct + bind + firstboot + gpm + howl + ldap + loadkeys + mysql + privoxy + quota + rshd + rsync + su + sudo + tcpd + tmpreaper + updfstab + +* Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802 +- Fix comparison bug in fc_sort. +- Fix handling of ordered and unordered HTML lists. +- Corenetwork now supports multiple network interfaces having the + same type. +- Doc tool now creates pages for global Booleans and global tunables. +- Doc tool now links directly to the interface/template in the + module page when it is selected in the interface/template index. +- Added support for layer summaries. +- Added policies: + ipsec + nscd + pcmcia + raid + +* Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707 +- Changed xml to have modules encapsulated by layer tags, rather + than putting layer="foo" in the module tags. Also in the future + we can put a summary and description for each layer. +- Added tool to infer interface, module, and layer tags. This will + now list all interfaces, even if they are missing xml docs. +- Shortened xml tag names. +- Added macros to declare interfaces and templates. +- Added interface call trace. +- Updated all xml documentation for shorter and inferred tags. +- Doc tool now displays templates in the web pages. +- Doc tool retains the user's settings in modules.conf and + tunables.conf if the files already exist. +- Modules.conf behavior has been changed to be a list of all + available modules, and the user can specify if the module is + built as a loadable module, included in the monolithic policy, + or excluded. +- Added policies: + fstools (fsck, mkfs, swapon, etc. 
tools) + logrotate + inetd + kerberos + nis (ypbind and ypserv) + ssh (server, client, and agent) + unconfined +- Added infrastructure for targeted policy support, only missing + transition boolean support. + +* Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615 + - Initial release diff --git a/INSTALL b/INSTALL new file mode 100644 index 0000000..12885d2 --- /dev/null +++ b/INSTALL @@ -0,0 +1,48 @@ +Reference Policy has a requirement of checkpolicy 1.33.1 and +libsepol-1.16.2. Red Hat Enterprise Linux 4 and Fedora Core 4 RPMs +are available on the CLIP download page at http://oss.tresys.com, +and can be installed thusly: + +Red Hat Enterprise Linux 4: + + rpm -i libsepol-1.11.7-1.i386.rpm + rpm -U checkpolicy-1.28-4.i386.rpm + +Fedora Core 4: + + rpm -U libsepol-1.11.7-1.i386.rpm checkpolicy-1.28-4.i386.rpm + +To install Reference Policy sources into /etc/selinux/refpolicy/src/policy: + + make install-src + +This will back up a pre-existing source policy to the +/etc/selinux/refpolicy/src/policy.bak directory. + +If you do not have a modules.conf, one can be generated: + + make conf + +This will create a default modules.conf. Options for the policy +build process can be found in build.conf. After installing the policy sources, +the old Make targets have been maintained for the monolithic policy: + +Local policy development: + + make policy + +Compile and install the policy: + + make install + +Compile, install, and load the policy: + + make load + +Filesystem labeling: + + make relabel + make checklabels + make restorelabels + +See the README for more information on available make targets. diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..b8804f7 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,670 @@ +# +# Makefile for the security policy. +# +# Targets: +# +# install - compile and install the policy configuration, and context files. +# load - compile, install, and load the policy configuration. +# reload - compile, install, and load/reload the policy configuration. +# relabel - relabel filesystems based on the file contexts configuration. +# checklabels - check filesystems against the file context configuration +# restorelabels - check filesystems against the file context configuration +# and restore the label of files with incorrect labels +# policy - compile the policy configuration locally for testing/development. +# +# The default target is 'policy'. +# +# +# Please see build.conf for policy build options. +# + +######################################## +# +# NO OPTIONS BELOW HERE +# + +# Include the local build.conf if it exists, otherwise +# include the configuration of the root directory. +include build.conf + +ifdef LOCAL_ROOT + -include $(LOCAL_ROOT)/build.conf +endif + +# refpolicy version +version = $(shell cat VERSION) + +ifdef LOCAL_ROOT +builddir := $(LOCAL_ROOT)/ +tmpdir := $(LOCAL_ROOT)/tmp +tags := $(LOCAL_ROOT)/tags +else +tmpdir := tmp +tags := tags +endif + +# executable paths +BINDIR ?= /usr/bin +SBINDIR ?= /usr/sbin +ifdef TEST_TOOLCHAIN +tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR) +tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR) +tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)/sbin +else +tc_usrbindir := $(BINDIR) +tc_usrsbindir := $(SBINDIR) +tc_sbindir := /sbin +endif +CHECKPOLICY ?= $(tc_usrbindir)/checkpolicy +CHECKMODULE ?= $(tc_usrbindir)/checkmodule +SEMODULE ?= $(tc_usrsbindir)/semodule +SEMOD_PKG ?= $(tc_usrbindir)/semodule_package +SEMOD_LNK ?= $(tc_usrbindir)/semodule_link +SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand +LOADPOLICY ?= $(tc_usrsbindir)/load_policy +SETFILES ?= $(tc_sbindir)/setfiles 
+XMLLINT ?= $(BINDIR)/xmllint +SECHECK ?= $(BINDIR)/sechecker + +# interpreters and aux tools +AWK ?= gawk +GREP ?= egrep +INSTALL ?= install +M4 ?= m4 +PYTHON ?= python +SED ?= sed +SORT ?= LC_ALL=C sort + +CFLAGS += -Wall + +# policy source layout +poldir := policy +moddir := $(poldir)/modules +flaskdir := $(poldir)/flask +secclass := $(flaskdir)/security_classes +isids := $(flaskdir)/initial_sids +avs := $(flaskdir)/access_vectors + +# local source layout +ifdef LOCAL_ROOT +local_poldir := $(LOCAL_ROOT)/policy +local_moddir := $(local_poldir)/modules +endif + +# policy building support tools +support := support +genxml := $(PYTHON) -E $(support)/segenxml.py +gendoc := $(PYTHON) -E $(support)/sedoctool.py +genperm := $(PYTHON) -E $(support)/genclassperms.py +fcsort := $(tmpdir)/fc_sort +setbools := $(AWK) -f $(support)/set_bools_tuns.awk +get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed +comment_move_decl := $(SED) -r -f $(support)/comment_move_decl.sed +gennetfilter := $(PYTHON) -E $(support)/gennetfilter.py +m4iferror := $(support)/iferror.m4 +m4divert := $(support)/divert.m4 +m4undivert := $(support)/undivert.m4 +# use our own genhomedircon to make sure we have a known usable one, +# so policycoreutils updates are not required (RHEL4) +genhomedircon := $(PYTHON) -E $(support)/genhomedircon + +# documentation paths +docs := doc +xmldtd = $(docs)/policy.dtd +metaxml = metadata.xml +doctemplate = $(docs)/templates +docfiles = $(docs)/Makefile.example $(addprefix $(docs)/,example.te example.if example.fc) + +ifndef LOCAL_ROOT +polxml = $(docs)/policy.xml +tunxml = $(docs)/global_tunables.xml +boolxml = $(docs)/global_booleans.xml +htmldir = $(docs)/html +else +polxml = $(LOCAL_ROOT)/doc/policy.xml +tunxml = $(LOCAL_ROOT)/doc/global_tunables.xml +boolxml = $(LOCAL_ROOT)/doc/global_booleans.xml +htmldir = $(LOCAL_ROOT)/doc/html +endif + +# config file paths +globaltun = $(poldir)/global_tunables +globalbool = $(poldir)/global_booleans +rolemap = 
$(poldir)/rolemap +user_files := $(poldir)/users +policycaps := $(poldir)/policy_capabilities + +# local config file paths +ifndef LOCAL_ROOT +mod_conf = $(poldir)/modules.conf +booleans = $(poldir)/booleans.conf +tunables = $(poldir)/tunables.conf +else +mod_conf = $(local_poldir)/modules.conf +booleans = $(local_poldir)/booleans.conf +tunables = $(local_poldir)/tunables.conf +endif + +# install paths +PKGNAME ?= refpolicy-$(version) +prefix = $(DESTDIR)/usr +topdir = $(DESTDIR)/etc/selinux +installdir = $(topdir)/$(strip $(NAME)) +srcpath = $(installdir)/src +userpath = $(installdir)/users +policypath = $(installdir)/policy +contextpath = $(installdir)/contexts +homedirpath = $(contextpath)/files/homedir_template +fcpath = $(contextpath)/files/file_contexts +ncpath = $(contextpath)/netfilter_contexts +sharedir = $(prefix)/share/selinux +modpkgdir = $(sharedir)/$(strip $(NAME)) +headerdir = $(modpkgdir)/include +docsdir = $(prefix)/share/doc/$(PKGNAME) + +# enable MLS if requested. +ifeq "$(TYPE)" "mls" + M4PARAM += -D enable_mls + CHECKPOLICY += -M + CHECKMODULE += -M + gennetfilter += -m +endif + +# enable MLS if MCS requested. +ifeq "$(TYPE)" "mcs" + M4PARAM += -D enable_mcs + CHECKPOLICY += -M + CHECKMODULE += -M + gennetfilter += -c +endif + +# enable distribution-specific policy +ifneq ($(DISTRO),) + M4PARAM += -D distro_$(DISTRO) +endif + +# rhel4 also implies redhat +ifeq "$(DISTRO)" "rhel4" + M4PARAM += -D distro_redhat +endif + +ifeq "$(DISTRO)" "ubuntu" + M4PARAM += -D distro_debian +endif + +ifneq ($(OUTPUT_POLICY),) + CHECKPOLICY += -c $(OUTPUT_POLICY) +endif + +# if not set, use the type as the name. +NAME ?= $(TYPE) + +# default unknown permissions setting +#UNK_PERMS ?= deny + +ifeq ($(DIRECT_INITRC),y) + M4PARAM += -D direct_sysadm_daemon +endif + +ifeq "$(UBAC)" "y" + M4PARAM += -D enable_ubac +endif + +# default MLS/MCS sensitivity and category settings. 
+MLS_SENS ?= 16 +MLS_CATS ?= 1024 +MCS_CATS ?= 1024 + +ifeq ($(QUIET),y) + verbose = @ +endif + +M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) -D hide_broken_symptoms + +# we need exuberant ctags; unfortunately it is named +# differently on different distros +ifeq ($(DISTRO),debian) + CTAGS := ctags-exuberant +endif + +ifeq ($(DISTRO),gentoo) + CTAGS := exuberant-ctags +endif + +CTAGS ?= ctags + +m4support := $(m4divert) $(wildcard $(poldir)/support/*.spt) +ifdef LOCAL_ROOT +m4support += $(wildcard $(local_poldir)/support/*.spt) +endif +m4support += $(m4undivert) + +appconf := config/appconfig-$(TYPE) +seusers := $(appconf)/seusers +appdir := $(contextpath) +user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) +user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) +appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names) +net_contexts := $(builddir)net_contexts + +all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) +ifdef LOCAL_ROOT +all_layers += $(shell find $(wildcard $(local_moddir)/*) -maxdepth 0 -type d) +endif + +generated_te := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te.in))) +generated_if := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.if.in))) +generated_fc := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.fc.in))) + +# sort here since it removes duplicates, which can happen +# when a generated file is already generated +detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te)) + +modxml := $(addprefix $(tmpdir)/, $(detected_mods:.te=.xml)) +layerxml := $(sort 
$(addprefix $(tmpdir)/, $(notdir $(addsuffix .xml,$(all_layers))))) +layer_names := $(sort $(notdir $(all_layers))) +all_metaxml = $(call detect-metaxml, $(layer_names)) + +# modules.conf setting for base module +configbase := base + +# modules.conf setting for loadable module +configmod := module + +# modules.conf setting for unused module +configoff := off + +# test for module overrides from command line +mod_test = $(filter $(APPS_OFF), $(APPS_BASE) $(APPS_MODS)) +mod_test += $(filter $(APPS_MODS), $(APPS_BASE)) +ifneq "$(strip $(mod_test))" "" + $(error Applications must be base, module, or off, and not in more than one list! $(strip $(mod_test)) found in multiple lists!) +endif + +# add on suffix to modules specified on command line +cmdline_base := $(addsuffix .te,$(APPS_BASE)) +cmdline_mods := $(addsuffix .te,$(APPS_MODS)) +cmdline_off := $(addsuffix .te,$(APPS_OFF)) + +# extract settings from modules.conf +mod_conf_base := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null))) +mod_conf_mods := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null))) +mod_conf_off := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null))) + +base_mods := $(cmdline_base) +mod_mods := $(cmdline_mods) +off_mods := $(cmdline_off) + +base_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_base)) +mod_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_mods)) +off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_conf_off)) + +# add modules not in modules.conf to the off list +off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods))) + +# filesystems to be used in labeling targets +filesystems = $(shell mount | grep -v "context=" | egrep -v 
'\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';) +fs_names := "btrfs ext2 ext3 ext4 xfs jfs" + +######################################## +# +# Functions +# + +# parse-rolemap-compat modulename,outputfile +define parse-rolemap-compat + $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ + $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 +endef + +# parse-rolemap modulename,outputfile +define parse-rolemap + $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ + $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 +endef + +# perrole-expansion modulename,outputfile +define perrole-expansion + $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 + $(call parse-rolemap,$1,$2) + $(verbose) echo "')" >> $2 + + $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 + $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 + $(call parse-rolemap-compat,$1,$2) + $(verbose) echo "')" >> $2 +endef + +# create-base-per-role-tmpl modulenames,outputfile +define create-base-per-role-tmpl + $(verbose) echo "define(\`base_per_role_template',\`" >> $2 + + $(verbose) for i in $1; do \ + echo "ifdef(\`""$$i""_per_role_template',\`""$$i""_per_role_template("'$$*'")')" \ + >> $2 ;\ + done + + $(verbose) for i in $1; do \ + echo "ifdef(\`""$$i""_per_userdomain_template',\`" >> $2 ;\ + echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$$i""_per_userdomain_template)'__endline__)" >> $2 ;\ + echo """$$i""_per_userdomain_template("'$$*'")')" >> $2 ;\ + done + $(verbose) echo "')" >> $@ + +endef + +# detect-metaxml layer_names +ifdef LOCAL_ROOT +define detect-metaxml + $(shell for i in $1; do \ + if [ -d $(moddir)/$$i -a -d $(local_moddir)/$$i ]; 
then \ + if [ -f $(local_moddir)/$$i/$(metaxml) ]; then \ + echo $(local_moddir)/$$i/$(metaxml) ;\ + else \ + echo $(moddir)/$$i/$(metaxml) ;\ + fi \ + elif [ -d $(local_moddir)/$$i ]; then + echo $(local_moddir)/$$i/$(metaxml) ;\ + else \ + echo $(moddir)/$$i/$(metaxml) ;\ + fi \ + done ) +endef +else +define detect-metaxml + $(shell for i in $1; do echo $(moddir)/$$i/$(metaxml); done) +endef +endif + +######################################## +# +# Load appropriate rules +# + +ifeq ($(MONOLITHIC),y) + include Rules.monolithic +else + include Rules.modular +endif + +######################################## +# +# Generated files +# +# NOTE: There is no "local" version of these files. +# +generate: $(generated_te) $(generated_if) $(generated_fc) + +$(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/kernel/corenetwork.if.m4 $(moddir)/kernel/corenetwork.if.in + @echo "#" > $@ + @echo "# This is a generated file! Instead of modifying this file, the" >> $@ + @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@ + @echo "#" >> $@ + $(verbose) cat $@.in >> $@ + $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \ + | $(M4) -D self_contained_policy $(M4PARAM) $@.m4 - \ + | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ + +$(moddir)/kernel/corenetwork.te: $(moddir)/kernel/corenetwork.te.m4 $(moddir)/kernel/corenetwork.te.in + @echo "#" > $@ + @echo "# This is a generated file! Instead of modifying this file, the" >> $@ + @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." 
>> $@ + @echo "#" >> $@ + $(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ \ + | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ + +######################################## +# +# Network packet labeling +# +$(net_contexts): $(moddir)/kernel/corenetwork.te.in + @echo "Creating netfilter network labeling rules" + $(verbose) $(gennetfilter) $^ > $@ + +######################################## +# +# Create config files +# +conf: $(mod_conf) $(booleans) $(generated_te) $(generated_if) $(generated_fc) + +$(mod_conf) $(booleans): $(polxml) + @echo "Updating $(mod_conf) and $(booleans)" + $(verbose) $(gendoc) -b $(booleans) -m $(mod_conf) -x $(polxml) + +######################################## +# +# Generate the fc_sort program +# +$(fcsort) : $(support)/fc_sort.c + $(verbose) $(CC) $(CFLAGS) $^ -o $@ + +######################################## +# +# Documentation generation +# +$(layerxml): %.xml: $(all_metaxml) $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)) $(subst .te,.if, $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods))) + @test -d $(tmpdir) || mkdir -p $(tmpdir) + $(verbose) cat $(filter %$(notdir $*)/$(metaxml), $(all_metaxml)) > $@ + $(verbose) for i in $(basename $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> $@; done +ifdef LOCAL_ROOT + $(verbose) for i in $(basename $(filter $(addprefix $(local_moddir)/, $(notdir $*))%, $(detected_mods))); do $(genxml) -w -m $$i >> $@; done +endif + +$(tunxml): $(globaltun) + $(verbose) $(genxml) -w -t $< > $@ + +$(boolxml): $(globalbool) + $(verbose) $(genxml) -w -b $< > $@ + +$(polxml): $(layerxml) $(tunxml) $(boolxml) + @echo "Creating $(@F)" + @test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml)) + @test -d $(tmpdir) || mkdir -p $(tmpdir) + $(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@ + $(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@ + $(verbose) echo 
'<policy>' >> $@ + $(verbose) for i in $(basename $(notdir $(layerxml))); do echo "<layer name=\"$$i\">" >> $@; cat $(tmpdir)/$$i.xml >> $@; echo "</layer>" >> $@; done + $(verbose) cat $(tunxml) $(boolxml) >> $@ + $(verbose) echo '</policy>' >> $@ + $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \ + $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\ + fi + +xml: $(polxml) + +html $(tmpdir)/html: $(polxml) + @echo "Building html interface reference documentation in $(htmldir)" + @test -d $(htmldir) || mkdir -p $(htmldir) + @test -d $(tmpdir) || mkdir -p $(tmpdir) + $(verbose) $(gendoc) -d $(htmldir) -T $(doctemplate) -x $(polxml) + $(verbose) cp $(doctemplate)/*.css $(htmldir) + @touch $(tmpdir)/html + +######################################## +# +# Runtime binary policy patching of users +# +$(userpath)/system.users: $(m4support) $(tmpdir)/generated_definitions.conf $(user_files) + @mkdir -p $(tmpdir) + @mkdir -p $(userpath) + @echo "Installing system.users" + @echo "# " > $(tmpdir)/system.users + @echo "# Do not edit this file. " >> $(tmpdir)/system.users + @echo "# This file is replaced on reinstalls of this policy." >> $(tmpdir)/system.users + @echo "# Please edit local.users to make local changes." 
>> $(tmpdir)/system.users + @echo "#" >> $(tmpdir)/system.users + $(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ | $(SED) -r -e 's/^[[:blank:]]+//' \ + -e '/^[[:blank:]]*($$|#)/d' >> $(tmpdir)/system.users + $(verbose) $(INSTALL) -m 644 $(tmpdir)/system.users $@ + +$(userpath)/local.users: config/local.users + @mkdir -p $(userpath) + @echo "Installing local.users" + $(verbose) $(INSTALL) -b -m 644 $< $@ + +######################################## +# +# Build Appconfig files +# +$(tmpdir)/initrc_context: $(appconf)/initrc_context + @mkdir -p $(tmpdir) + $(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z]' > $@ + +######################################## +# +# Install Appconfig files +# +install-appconfig: $(appfiles) + +$(installdir)/booleans: $(booleans) + @mkdir -p $(tmpdir) + @mkdir -p $(installdir) + $(verbose) $(SED) -r -e 's/false/0/g' -e 's/true/1/g' \ + -e '/^[[:blank:]]*($$|#)/d' $(booleans) | $(SORT) > $(tmpdir)/booleans + $(verbose) $(INSTALL) -m 644 $(tmpdir)/booleans $@ + +$(contextpath)/files/media: $(appconf)/media + @mkdir -p $(contextpath)/files/ + $(verbose) $(INSTALL) -m 644 $< $@ + +$(contextpath)/users/%: $(appconf)/%_default_contexts + @mkdir -p $(appdir)/users + $(verbose) $(INSTALL) -m 644 $^ $@ + +$(appdir)/%: $(appconf)/% + @mkdir -p $(appdir) + $(verbose) $(M4) $(M4PARAM) $(m4support) $< > $@ + +######################################## +# +# Install policy headers +# +install-headers: $(layerxml) $(tunxml) $(boolxml) + @mkdir -p $(headerdir) + @echo "Installing $(NAME) policy headers." 
+ $(verbose) $(INSTALL) -m 644 $^ $(headerdir) + $(verbose) $(M4) $(M4PARAM) $(rolemap) > $(headerdir)/$(notdir $(rolemap)) + $(verbose) mkdir -p $(headerdir)/support + $(verbose) $(INSTALL) -m 644 $(m4support) $(word $(words $(genxml)),$(genxml)) $(xmldtd) $(headerdir)/support + $(verbose) $(genperm) $(avs) $(secclass) > $(headerdir)/support/all_perms.spt + $(verbose) for i in $(notdir $(all_layers)); do \ + mkdir -p $(headerdir)/$$i ;\ + $(INSTALL) -m 644 $(moddir)/$$i/*.if $(headerdir)/$$i ;\ + done + $(verbose) echo "TYPE ?= $(TYPE)" > $(headerdir)/build.conf + $(verbose) echo "NAME ?= $(NAME)" >> $(headerdir)/build.conf +ifneq "$(DISTRO)" "" + $(verbose) echo "DISTRO ?= $(DISTRO)" >> $(headerdir)/build.conf +endif + $(verbose) echo "MONOLITHIC ?= n" >> $(headerdir)/build.conf + $(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(headerdir)/build.conf + $(verbose) echo "override UBAC := $(UBAC)" >> $(headerdir)/build.conf + $(verbose) echo "override MLS_SENS := $(MLS_SENS)" >> $(headerdir)/build.conf + $(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf + $(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf + $(verbose) $(INSTALL) -m 644 $(support)/Makefile.devel $(headerdir)/Makefile + +######################################## +# +# Install policy documentation +# +install-docs: $(tmpdir)/html + @mkdir -p $(docsdir)/html + @echo "Installing policy documentation" + $(verbose) $(INSTALL) -m 644 $(docfiles) $(docsdir) + $(verbose) $(INSTALL) -m 644 $(wildcard $(htmldir)/*) $(docsdir)/html + +######################################## +# +# Install policy sources +# +install-src: + rm -rf $(srcpath)/policy.old + -mv $(srcpath)/policy $(srcpath)/policy.old + mkdir -p $(srcpath)/policy + cp -R . 
$(srcpath)/policy + +######################################## +# +# Generate tags file +# +tags: $(tags) +$(tags): + @($(CTAGS) --version | grep -q Exuberant) || (echo ERROR: Need exuberant-ctags to function!; exit 1) + @LC_ALL=C $(CTAGS) -f $(tags) --langdef=te --langmap=te:..te.if.spt \ + --regex-te='/^type[ \t]+(\w+)(,|;)/\1/t,type/' \ + --regex-te='/^typealias[ \t]+\w+[ \t+]+alias[ \t]+(\w+);/\1/t,type/' \ + --regex-te='/^attribute[ \t]+(\w+);/\1/a,attribute/' \ + --regex-te='/^[ \t]*define\(`(\w+)/\1/d,define/' \ + --regex-te='/^[ \t]*interface\(`(\w+)/\1/i,interface/' \ + --regex-te='/^[ \t]*template\(`(\w+)/\1/i,template/' \ + --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' policy/modules/*/*.{if,te} policy/support/*.spt + +######################################## +# +# Filesystem labeling +# +checklabels: + @echo "Checking labels on filesystem types: $(fs_names)" + @if test -z "$(filesystems)"; then \ + echo "No filesystems with extended attributes found!" ;\ + false ;\ + fi + $(verbose) $(SETFILES) -v -n $(fcpath) $(filesystems) + +restorelabels: + @echo "Restoring labels on filesystem types: $(fs_names)" + @if test -z "$(filesystems)"; then \ + echo "No filesystems with extended attributes found!" ;\ + false ;\ + fi + $(verbose) $(SETFILES) -v $(fcpath) $(filesystems) + +relabel: + @echo "Relabeling filesystem types: $(fs_names)" + @if test -z "$(filesystems)"; then \ + echo "No filesystems with extended attributes found!" ;\ + false ;\ + fi + $(verbose) $(SETFILES) $(fcpath) $(filesystems) + +resetlabels: + @echo "Resetting labels on filesystem types: $(fs_names)" + @if test -z "$(filesystems)"; then \ + echo "No filesystems with extended attributes found!" 
;\ + false ;\ + fi + $(verbose) $(SETFILES) -F $(fcpath) $(filesystems) + +######################################## +# +# Clean everything +# +bare: clean + rm -f $(polxml) + rm -f $(layerxml) + rm -f $(modxml) + rm -f $(tunxml) + rm -f $(boolxml) + rm -f $(mod_conf) + rm -f $(booleans) + rm -fR $(htmldir) + rm -f $(tags) +# don't remove these files if we're given a local root +ifndef LOCAL_ROOT + rm -f $(fcsort) + rm -f $(support)/*.pyc +ifneq ($(generated_te),) + rm -f $(generated_te) +endif +ifneq ($(generated_if),) + rm -f $(generated_if) +endif +ifneq ($(generated_fc),) + rm -f $(generated_fc) +endif +endif + +.PHONY: install-src install-appconfig install-headers generate xml conf html bare tags +.SUFFIXES: +.SUFFIXES: .c diff --git a/README b/README new file mode 100644 index 0000000..184c6ef --- /dev/null +++ b/README 
@@ -0,0 +1,269 @@ +1) Reference Policy make targets: + +General Make targets: + +install-src Install the policy sources into + /etc/selinux/NAME/src/policy, where NAME is defined in + the Makefile. If not defined, the TYPE, as defined in + the Makefile, is used. The default NAME is refpolicy. + A pre-existing source policy will be moved to + /etc/selinux/NAME/src/policy.bak. + +conf Regenerate policy.xml, and update/create modules.conf + and booleans.conf. This should be done after adding + or removing modules, or after running the bare target. + If the configuration files exist, their settings will + be preserved. This must be ran on policy sources that + are checked out from the CVS repository before they can + be used. + +clean Delete all temporary files, compiled policies, + and file_contexts. Configuration files are left intact. + +bare Do the clean make target and also delete configuration + files, web page documentation, and policy.xml. + +html Regenerate policy.xml and create web page documentation + in the doc/html directory. + +Make targets specific to modular (loadable modules) policies: + +base Compile and package the base module. This is the + default target for modular policies. + +modules Compile and package all Reference Policy modules + configured to be built as loadable modules. + +MODULENAME.pp Compile and package the MODULENAME Reference Policy + module. + +all Compile and package the base module and all Reference + Policy modules configured to be built as loadable + modules. + +install Compile, package, and install the base module and + Reference Policy modules configured to be built as + loadable modules. + +load Compile, package, and install the base module and + Reference Policy modules configured to be built as + loadable modules, then insert them into the module + store. + +validate Validate if the configured modules can successfully + link and expand. + +install-headers Install the policy headers into /usr/share/selinux/NAME. 
+ The headers are sufficient for building a policy + module locally, without requiring the complete + Reference Policy sources. The build.conf settings + for this policy configuration should be set before + using this target. + +Make targets specific to monolithic policies: + +policy Compile a policy locally for development and testing. + This is the default target for monolithic policies. + +install Compile and install the policy and file contexts. + +load Compile and install the policy and file contexts, then + load the policy. + +enableaudit Remove all dontaudit rules from policy.conf. + +relabel Relabel the filesystem. + +checklabels Check the labels on the filesystem, and report when + a file would be relabeled, but do not change its label. + +restorelabels Relabel the filesystem and report each file that is + relabeled. + + +2) Reference Policy Build Options (build.conf) + +TYPE String. Available options are standard, mls, and mcs. + For a type enforcement only system, set standard. + This optionally enables multi-level security (MLS) or + multi-category security (MCS) features. This option + controls enable_mls, and enable_mcs policy blocks. + +NAME String (optional). Sets the name of the policy; the + NAME is used when installing files to e.g., + /etc/selinux/NAME and /usr/share/selinux/NAME. If not + set, the policy type (TYPE) is used. + +DISTRO String (optional). Enable distribution-specific policy. + Available options are redhat, rhel4, gentoo, debian, + and suse. This option controls distro_redhat, + distro_rhel4, distro_gentoo, distro_debian, and + distro_suse policy blocks. + +MONOLITHIC Boolean. If set, a monolithic policy is built, + otherwise a modular policy is built. + +DIRECT_INITRC Boolean. If set, sysadm will be allowed to directly + run init scripts, instead of requiring the run_init + tool. This is a build option instead of a tunable since + role transitions do not work in conditional policy. 
+ This option controls direct_sysadm_daemon policy + blocks. + +OUTPUT_POLICY Integer. Set the version of the policy created when + building a monolithic policy. This option has no effect + on modular policy. + +UNK_PERMS String. Set the kernel behavior for handling of + permissions defined in the kernel but missing from the + policy. The permissions can either be allowed, denied, + or the policy loading can be rejected. + +UBAC Boolean. If set, the SELinux user will be used + additionally for approximate role separation. + +MLS_SENS Integer. Set the number of sensitivities in the MLS + policy. Ignored on standard and MCS policies. + +MLS_CATS Integer. Set the number of categories in the MLS + policy. Ignored on standard and MCS policies. + +MCS_CATS Integer. Set the number of categories in the MCS + policy. Ignored on standard and MLS policies. + +QUIET Boolean. If set, the build system will only display + status messages and error messages. This option has no + effect on policy. + + +3) Reference Policy Files and Directories +All directories relative to the root of the Reference Policy sources directory. + +Makefile General rules for building the policy. + +Rules.modular Makefile rules specific to building loadable module + policies. + +Rules.monolithic Makefile rules specific to building monolithic policies. + +build.conf Options which influence the building of the policy, + such as the policy type and distribution. + +config/appconfig-* Application configuration files for all configurations + of the Reference Policy (targeted/strict with or without + MLS or MCS). These are used by SELinux-aware programs. + +config/local.users The file read by load policy for adding SELinux users + to the policy on the fly. + +doc/html/* This contains the contents of the in-policy XML + documentation, presented in web page form. + +doc/policy.dtd The doc/policy.xml file is validated against this DTD. 
+ +doc/policy.xml This file is generated/updated by the conf and html make + targets. It contains the complete XML documentation + included in the policy. + +doc/templates/* Templates used for documentation web pages. + +policy/booleans.conf This file is generated/updated by the conf make target. + It contains the booleans in the policy, and their + default values. If tunables are implemented as + booleans, tunables will also be included. This file + will be installed as the /etc/selinux/NAME/booleans + file. + +policy/constraints This file defines additional constraints on permissions + in the form of boolean expressions that must be + satisfied in order for specified permissions to be + granted. These constraints are used to further refine + the type enforcement rules and the role allow rules. + Typically, these constraints are used to restrict + changes in user identity or role to certain domains. + +policy/global_booleans This file defines all booleans that have a global scope, + their default value, and documentation. + +policy/global_tunables This file defines all tunables that have a global scope, + their default value, and documentation. + +policy/flask/initial_sids This file has declarations for each initial SID. + +policy/flask/security_classes This file has declarations for each security class. + +policy/flask/access_vectors This file defines the access vectors. Common + prefixes for access vectors may be defined at the + beginning of the file. After the common prefixes are + defined, an access vector may be defined for each + security class. + +policy/mcs The multi-category security (MCS) configuration. + +policy/mls The multi-level security (MLS) configuration. + +policy/modules/* Each directory represents a layer in Reference Policy + all of the modules are contained in one of these layers. + +policy/modules.conf This file contains a listing of available modules, and + how they will be used when building Reference Policy. 
To + prevent a module from being used, set the module to + "off". For monolithic policies, modules set to "base" + and "module" will be included in the policy. For + modular policies, modules set to "base" will be included + in the base module; those set to "module" will be + compiled as individual loadable modules. + +policy/rolemap This file contains prefix and user domain type that + corresponds to each user role. The contents of this + file will be used to expand the per-user domain + templates for each module. + +policy/support/* Support macros. + +policy/users This file defines the users included in the policy. + +support/* Tools used in the build process. + + +4) Building policy modules using Reference Policy headers: + +The system must first have the Reference Policy headers installed, typically +by the distribution. Otherwise, the headers can be installed using the +install-headers target from the full Reference Policy sources. + +To set up a directory to build a local module, one must simply place a .te +file in a directory. A sample Makefile to use in the directory is the +Makefile.example in the doc directory. This may be installed in +/usr/share/doc, under the directory for the distribution's policy. +Alternatively, the primary Makefile in the headers directory (typically +/usr/share/selinux/NAME/Makefile) can be called directly, using make's -f +option. + +Larger projects can set up a structure of layers, just as in Reference +Policy, by creating policy/modules/LAYERNAME directories. Each layer also +must have a metadata.xml file which is an XML file with a summary tag and +optional desc (long description) tag. This should describe the purpose of +the layer. + +Metadata.xml example: + +<summary>ABC modules for the XYZ components.</summary> + +Make targets for modules built from headers: + +MODULENAME.pp Compile and package the MODULENAME local module. + +all Compile and package the modules in the current + directory. 
+ +load Compile and package the modules in the current + directory, then insert them into the module store. + +refresh Attempts to reinsert all modules that are currently + in the module store from the local and system module + packages. + +xml Build a policy.xml from the XML included with the + base policy headers and any XML in the modules in + the current directory. diff --git a/Rules.modular b/Rules.modular new file mode 100644 index 0000000..168a14f --- /dev/null +++ b/Rules.modular 
@@ -0,0 +1,223 @@ +######################################## +# +# Rules and Targets for building modular policies +# + +all_modules := $(base_mods) $(mod_mods) $(off_mods) +all_interfaces := $(all_modules:.te=.if) + +base_pkg := $(builddir)base.pp +base_fc := $(builddir)base.fc +base_conf := $(builddir)base.conf +base_mod := $(tmpdir)/base.mod + +users_extra := $(tmpdir)/users_extra + +base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf + +base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps) +base_te_files := $(base_mods) +base_post_te_files := $(user_files) $(poldir)/constraints +base_fc_files := $(base_mods:.te=.fc) + +mod_pkgs := $(addprefix $(builddir),$(notdir $(mod_mods:.te=.pp))) + +# policy packages to install +instpkg := $(addprefix $(modpkgdir)/,$(notdir $(base_pkg)) $(mod_pkgs)) + +# search layer dirs for source files +vpath %.te $(all_layers) +vpath %.if $(all_layers) +vpath %.fc $(all_layers) + +.SECONDARY: $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod)) $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod.fc)) + +######################################## +# +# default action: create all module packages +# +default: policy + +all policy: base modules + +base: $(base_pkg) + +modules: $(mod_pkgs) + +install: $(instpkg) $(appfiles) + +######################################## +# +# Load all configured modules +# +load: $(instpkg) $(appfiles) +# make sure two directories exist since they are not +# created by semanage + @mkdir -p $(policypath) $(dir $(fcpath)) + @echo "Loading configured modules." + $(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) + +######################################## +# +# Install policy packages +# +$(modpkgdir)/%.pp: $(builddir)%.pp + @mkdir -p $(modpkgdir) + @echo "Installing $(NAME) $(@F) policy package." 
+ $(verbose) $(INSTALL) -m 0644 $^ $(modpkgdir) + +######################################## +# +# Build module packages +# +$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te + @echo "Compliling $(NAME) $(@F) module" + @test -d $(tmpdir) || mkdir -p $(tmpdir) + $(call perrole-expansion,$(basename $(@F)),$@.role) + $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) + $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ + +$(tmpdir)/%.mod.fc: $(m4support) %.fc + @test -d $(tmpdir) || mkdir -p $(tmpdir) + $(verbose) $(M4) $(M4PARAM) $(m4support) $^ > $@ + +$(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc + @echo "Creating $(NAME) $(@F) policy package" + @test -d $(builddir) || mkdir -p $(builddir) + $(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc + +######################################## +# +# Create a base module package +# +$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers + @echo "Creating $(NAME) base module package" + @test -d $(builddir) || mkdir -p $(builddir) + $(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers + +ifneq "$(UNK_PERMS)" "" +$(base_mod): CHECKMODULE += -U $(UNK_PERMS) +endif +$(base_mod): $(base_conf) + @echo "Compiling $(NAME) base module" + $(verbose) $(CHECKMODULE) $^ -o $@ + +$(tmpdir)/seusers: $(seusers) + @mkdir -p $(tmpdir) + $(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $@ + +$(users_extra): $(m4support) $(user_files) + @test -d $(tmpdir) || mkdir -p $(tmpdir) + $(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \ + $(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@ + +######################################## +# +# Construct a base.conf +# +$(base_conf): $(base_sections) + @echo "Creating $(NAME) base module $(@F)" + @test -d $(@D) || mkdir -p $(@D) + $(verbose) cat $^ > $@ + +$(tmpdir)/pre_te_files.conf: M4PARAM += -D self_contained_policy +$(tmpdir)/pre_te_files.conf: $(base_pre_te_files) + 
@test -d $(tmpdir) || mkdir -p $(tmpdir) + $(verbose) $(M4) $(M4PARAM) $^ > $@ + +$(tmpdir)/generated_definitions.conf: + @test -d $(tmpdir) || mkdir -p $(tmpdir) +# define all available object classes + $(verbose) $(genperm) $(avs) $(secclass) > $@ + $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@) + $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true + +$(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy +$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun) + $(verbose) $(M4) $(M4PARAM) $^ > $@ + +$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror) + @test -d $(tmpdir) || mkdir -p $(tmpdir) + @echo "divert(-1)" > $@ + $(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp + $(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@ + @echo "divert" >> $@ + +$(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy +$(tmpdir)/rolemap.conf: $(rolemap) + $(verbose) echo "" > $@ + $(call parse-rolemap,base,$@) + +$(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy +$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf +ifeq "$(strip $(base_te_files))" "" + $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf") +endif + @test -d $(tmpdir) || mkdir -p $(tmpdir) + $(verbose) $(M4) $(M4PARAM) -s $^ > $@ + +$(tmpdir)/post_te_files.conf: M4PARAM += -D self_contained_policy +$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(base_post_te_files) + @test -d $(tmpdir) || mkdir -p $(tmpdir) + $(verbose) $(M4) $(M4PARAM) $^ > $@ + +# extract attributes and put them first. extract post te stuff +# like genfscon and put last. 
+$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf + $(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf + $(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf +# these have to run individually because order matters: + $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true + $(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true + $(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true + $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true + $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true + $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true + $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf + +######################################## +# +# Construct a base.fc +# +$(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp $(fcsort) + $(verbose) $(fcsort) $< $@ + +$(tmpdir)/$(notdir $(base_fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(base_fc_files) +ifeq ($(base_fc_files),) + $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf") +endif + @echo "Creating $(NAME) base module file contexts." 
+ @test -d $(tmpdir) || mkdir -p $(tmpdir) + $(verbose) $(M4) $(M4PARAM) $^ > $@ + +######################################## +# +# Appconfig files +# +$(appdir)/customizable_types: $(base_conf) + @mkdir -p $(appdir) + $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types + $(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@ + +######################################## +# +# Validate linking and expanding of modules +# +validate: $(base_pkg) $(mod_pkgs) + @echo "Validating policy linking." + $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^ + $(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin + @echo "Success." + +######################################## +# +# Clean the sources +# +clean: + rm -f $(base_conf) + rm -f $(base_fc) + rm -f $(builddir)*.pp + rm -f $(net_contexts) + rm -fR $(tmpdir) + +.PHONY: default all policy base modules install load clean validate diff --git a/Rules.monolithic b/Rules.monolithic new file mode 100644 index 0000000..5b0d534 --- /dev/null +++ b/Rules.monolithic 
@@ -0,0 +1,258 @@ +######################################## +# +# Rules and Targets for building monolithic policies +# + +# determine the policy version and current kernel version if possible +pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ') +kv := $(shell cat /selinux/policyvers) + +# dont print version warnings if we are unable to determine +# the currently running kernel's policy version +ifeq "$(kv)" "" + kv := $(pv) +endif + +policy_conf = $(builddir)policy.conf +fc = $(builddir)file_contexts +polver = $(builddir)policy.$(pv) +homedir_template = $(builddir)homedir_template + +M4PARAM += -D self_contained_policy + +# install paths +loadpath = $(policypath)/$(notdir $(polver)) + +appfiles += $(installdir)/booleans $(installdir)/seusers $(userpath)/local.users + +# for monolithic policy use all base and module to create policy +all_modules := $(strip $(base_mods) $(mod_mods)) +# off module interfaces included to make sure all interfaces are expanded. +all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if) +all_te_files := $(all_modules) +all_fc_files := $(all_modules:.te=.fc) + +pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps) +post_te_files := $(user_files) $(poldir)/constraints + +policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf + +# search layer dirs for source files +vpath %.te $(all_layers) +vpath %.if $(all_layers) +vpath %.fc $(all_layers) + +######################################## +# +# default action: build policy locally +# +default: policy + +policy: $(polver) + +install: $(loadpath) $(fcpath) $(appfiles) + +load: $(tmpdir)/load + +checklabels: $(fcpath) +restorelabels: $(fcpath) +relabel: $(fcpath) +resetlabels: $(fcpath) + +######################################## +# +# Build a binary policy locally +# +ifneq "$(UNK_PERMS)" "" +$(polver): CHECKPOLICY += -U $(UNK_PERMS) +endif 
+$(polver): $(policy_conf) + @echo "Compiling $(NAME) $(polver)" +ifneq ($(pv),$(kv)) + @echo + @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?" + @echo +endif + $(verbose) $(CHECKPOLICY) $^ -o $@ + +######################################## +# +# Install a binary policy +# +ifneq "$(UNK_PERMS)" "" +$(loadpath): CHECKPOLICY += -U $(UNK_PERMS) +endif +$(loadpath): $(policy_conf) + @mkdir -p $(policypath) + @echo "Compiling and installing $(NAME) $(loadpath)" +ifneq ($(pv),$(kv)) + @echo + @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?" + @echo +endif + $(verbose) $(CHECKPOLICY) $^ -o $@ + +######################################## +# +# Load the binary policy +# +reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles) + @echo "Loading $(NAME) $(loadpath)" + $(verbose) $(LOADPOLICY) -q $(loadpath) + @touch $(tmpdir)/load + +######################################## +# +# Construct a monolithic policy.conf +# +$(policy_conf): $(policy_sections) + @echo "Creating $(NAME) $(@F)" + @test -d $(@D) || mkdir -p $(@D) + $(verbose) cat $^ > $@ + +$(tmpdir)/pre_te_files.conf: $(pre_te_files) + @test -d $(tmpdir) || mkdir -p $(tmpdir) + $(verbose) $(M4) $(M4PARAM) $^ > $@ + +$(tmpdir)/generated_definitions.conf: $(all_te_files) + @test -d $(tmpdir) || mkdir -p $(tmpdir) +# define all available object classes + $(verbose) $(genperm) $(avs) $(secclass) > $@ + $(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@) + $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true + +$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun) + $(verbose) $(M4) $(M4PARAM) $^ > $@ + +$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror) + @test -d $(tmpdir) || mkdir -p $(tmpdir) + @echo "divert(-1)" > $@ + $(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp + $(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@ + 
@echo "divert" >> $@ + +$(tmpdir)/rolemap.conf: $(rolemap) + $(verbose) echo "" > $@ + $(call parse-rolemap,base,$@) + +$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf +ifeq "$(strip $(all_te_files))" "" + $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf") +endif + @test -d $(tmpdir) || mkdir -p $(tmpdir) + $(verbose) $(M4) $(M4PARAM) -s $^ > $@ + +$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(post_te_files) + @test -d $(tmpdir) || mkdir -p $(tmpdir) + $(verbose) $(M4) $(M4PARAM) $^ > $@ + +# extract attributes and put them first. extract post te stuff +# like genfscon and put last. +$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf + $(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf + $(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf +# these have to run individually because order matters: + $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true + $(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true + $(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true + $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true + $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true + $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true + $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf + +######################################## +# +# Remove the dontaudit rules from the policy.conf +# +enableaudit: $(policy_conf) + @test -d $(tmpdir) || mkdir -p $(tmpdir) + 
@echo "Removing dontaudit rules from $(notdir $(policy_conf))" + $(verbose) $(GREP) -v dontaudit $^ > $(tmpdir)/policy.audit + $(verbose) mv $(tmpdir)/policy.audit $(policy_conf) + +######################################## +# +# Construct file_contexts +# +$(fc): $(tmpdir)/$(notdir $(fc)).tmp $(fcsort) + $(verbose) $(fcsort) $< $@ + $(verbose) $(GREP) -e HOME -e ROLE -e USER $@ > $(homedir_template) + $(verbose) $(SED) -i -e /HOME/d -e /ROLE/d -e /USER/d $@ + +$(tmpdir)/$(notdir $(fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(all_fc_files) +ifeq ($(all_fc_files),) + $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf") +endif + @echo "Creating $(NAME) file_contexts." + @test -d $(tmpdir) || mkdir -p $(tmpdir) + $(verbose) $(M4) $(M4PARAM) $^ > $@ + +$(homedir_template): $(fc) + +######################################## +# +# Install file_contexts +# +$(fcpath): $(fc) $(loadpath) $(userpath)/system.users + @echo "Validating $(NAME) file_contexts." + $(verbose) $(SETFILES) -q -c $(loadpath) $(fc) + @echo "Installing file_contexts." + @mkdir -p $(contextpath)/files + $(verbose) $(INSTALL) -m 644 $(fc) $(fcpath) + $(verbose) $(INSTALL) -m 644 $(homedir_template) $(homedirpath) + $(verbose) $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD) +ifeq "$(DISTRO)" "rhel4" +# Setfiles in RHEL4 does not look at file_contexts.homedirs. + $(verbose) cat $@.homedirs >> $@ +# Delete the file_contexts.homedirs in case the toolchain has +# been updated, to prevent duplicate match errors. + $(verbose) rm -f $@.homedirs +endif + +######################################## +# +# Intall netfilter_contexts +# +$(ncpath): $(net_contexts) + @echo "Installing $(NAME) netfilter_contexts." 
+ $(verbose) $(INSTALL) -m 0644 $^ $@ + +######################################## +# +# Run policy source checks +# +check: $(builddir)check.res +$(builddir)check.res: $(policy_conf) $(fc) + $(SECHECK) -s --profile=development --policy=$(policy_conf) --fcfile=$(fc) > $@ + +longcheck: $(builddir)longcheck.res +$(builddir)longcheck.res: $(policy_conf) $(fc) + $(SECHECK) -s --profile=all --policy=$(policy_conf) --fcfile=$(fc) > $@ + +######################################## +# +# Appconfig files +# +$(appdir)/customizable_types: $(policy_conf) + @mkdir -p $(appdir) + $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types + $(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@ + +$(installdir)/seusers: $(seusers) + @mkdir -p $(installdir) + $(verbose) $(INSTALL) -m 644 $^ $@ + +######################################## +# +# Clean the sources +# +clean: + rm -f $(policy_conf) + rm -f $(polver) + rm -f $(fc) + rm -f $(homedir_template) + rm -f $(net_contexts) + rm -f *.res + rm -fR $(tmpdir) + +.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean diff --git a/VERSION b/VERSION new file mode 100644 index 0000000..1523d62 --- /dev/null +++ b/VERSION @@ -0,0 +1 @@ +2.20100524 diff --git a/build.conf b/build.conf new file mode 100644 index 0000000..4aae82d --- /dev/null +++ b/build.conf 
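Review bot: the check.res and longcheck.res recipes redirect $(SECHECK) output straight into the target, so a run that fails part way leaves a truncated check.res that make treats as up to date on the next invocation and the failed check is never re-run; write to $(tmpdir) and mv on success, or declare .DELETE_ON_ERROR. Related: clean removes `*.res` in the current directory while the targets are `$(builddir)check.res` and `$(builddir)longcheck.res`, so with a non-default builddir the result files survive clean.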
@@ -0,0 +1,71 @@ +######################################## +# +# Policy build options +# + +# Policy version +# By default, checkpolicy will create the highest +# version policy it supports. Setting this will +# override the version. This only has an +# effect for monolithic policies. +#OUTPUT_POLICY = 18 + +# Policy Type +# standard, mls, mcs +TYPE = standard + +# Policy Name +# If set, this will be used as the policy +# name. Otherwise the policy type will be +# used for the name. +NAME = refpolicy + +# Distribution +# Some distributions have portions of policy +# for programs or configurations specific to the +# distribution. Setting this will enable options +# for the distribution. +# redhat, gentoo, debian, suse, and rhel4 are current options. +# Fedora users should enable redhat. +#DISTRO = redhat + +# Unknown Permissions Handling +# The behavior for handling permissions defined in the +# kernel but missing from the policy. The permissions +# can either be allowed, denied, or the policy loading +# can be rejected. +# allow, deny, and reject are current options. +#UNK_PERMS = deny + +# Direct admin init +# Setting this will allow sysadm to directly +# run init scripts, instead of requring run_init. +# This is a build option, as role transitions do +# not work in conditional policy. +DIRECT_INITRC = n + +# Build monolithic policy. Putting n here +# will build a loadable module policy. +MONOLITHIC = y + +# User-based access control (UBAC) +# Enable UBAC for role separations. +UBAC = y + +# Number of MLS Sensitivities +# The sensitivities will be s0 to s(MLS_SENS-1). +# Dominance will be in increasing numerical order +# with s0 being lowest. +MLS_SENS = 16 + +# Number of MLS Categories +# The categories will be c0 to c(MLS_CATS-1). +MLS_CATS = 1024 + +# Number of MCS Categories +# The categories will be c0 to c(MLS_CATS-1). +MCS_CATS = 1024 + +# Set this to y to only display status messages +# during build. +QUIET = n 
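Review bot: the MCS_CATS comment says "The categories will be c0 to c(MLS_CATS-1)"; it should reference MCS_CATS, otherwise a reader assumes the two settings are tied. UNK_PERMS is shipped commented out, so the file does not say which of allow, deny or reject applies when it is unset; state the effective default next to the option (or uncomment `UNK_PERMS = deny`), since allowing permissions the policy does not define widens what every confined domain can do. Typo: "requring" in the DIRECT_INITRC comment.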
diff --git a/config/appconfig-mcs/dbus_contexts b/config/appconfig-mcs/dbus_contexts new file mode 100644 index 0000000..116e684 --- /dev/null +++ b/config/appconfig-mcs/dbus_contexts @@ -0,0 +1,6 @@ +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> +<busconfig> + <selinux> + </selinux> +</busconfig> diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts new file mode 100644 index 0000000..22aeb67 --- /dev/null +++ b/config/appconfig-mcs/default_contexts @@ -0,0 +1,15 @@ +system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 +system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 +system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0 +system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 +system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 +system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 + +staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 + +sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 + +user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 diff --git a/config/appconfig-mcs/default_type b/config/appconfig-mcs/default_type new file mode 100644 index 0000000..33528d6 --- /dev/null +++ b/config/appconfig-mcs/default_type @@ -0,0 +1,6 @@ +auditadm_r:auditadm_t +secadm_r:secadm_t +sysadm_r:sysadm_t +staff_r:staff_t +unconfined_r:unconfined_t +user_r:user_t 
diff --git a/config/appconfig-mcs/failsafe_context b/config/appconfig-mcs/failsafe_context new file mode 100644 index 0000000..999abd9 --- /dev/null +++ b/config/appconfig-mcs/failsafe_context @@ -0,0 +1 @@ +sysadm_r:sysadm_t:s0 diff --git a/config/appconfig-mcs/guest_u_default_contexts b/config/appconfig-mcs/guest_u_default_contexts new file mode 100644 index 0000000..90e5262 --- /dev/null +++ b/config/appconfig-mcs/guest_u_default_contexts @@ -0,0 +1,6 @@ +guest_r:guest_t:s0 guest_r:guest_t:s0 +system_r:crond_t:s0 guest_r:guest_t:s0 +system_r:initrc_su_t:s0 guest_r:guest_t:s0 +system_r:local_login_t:s0 guest_r:guest_t:s0 +system_r:remote_login_t:s0 guest_r:guest_t:s0 +system_r:sshd_t:s0 guest_r:guest_t:s0 diff --git a/config/appconfig-mcs/initrc_context b/config/appconfig-mcs/initrc_context new file mode 100644 index 0000000..30ab971 --- /dev/null +++ b/config/appconfig-mcs/initrc_context @@ -0,0 +1 @@ +system_u:system_r:initrc_t:s0 diff --git a/config/appconfig-mcs/media b/config/appconfig-mcs/media new file mode 100644 index 0000000..81f3463 --- /dev/null +++ b/config/appconfig-mcs/media @@ -0,0 +1,3 @@ +cdrom system_u:object_r:removable_device_t:s0 +floppy system_u:object_r:removable_device_t:s0 +disk system_u:object_r:fixed_disk_device_t:s0 diff --git a/config/appconfig-mcs/removable_context b/config/appconfig-mcs/removable_context new file mode 100644 index 0000000..7fcc56e --- /dev/null +++ b/config/appconfig-mcs/removable_context @@ -0,0 +1 @@ +system_u:object_r:removable_t:s0 diff --git a/config/appconfig-mcs/root_default_contexts b/config/appconfig-mcs/root_default_contexts new file mode 100644 index 0000000..7805778 --- /dev/null +++ b/config/appconfig-mcs/root_default_contexts 
@@ -0,0 +1,11 @@ +system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0 +system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 + +staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 + +# +# Uncomment if you want to automatically login as sysadm_r +# +#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 diff --git a/config/appconfig-mcs/securetty_types b/config/appconfig-mcs/securetty_types new file mode 100644 index 0000000..527d835 --- /dev/null +++ b/config/appconfig-mcs/securetty_types @@ -0,0 +1 @@ +user_tty_device_t diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers new file mode 100644 index 0000000..dc5f1e4 --- /dev/null +++ b/config/appconfig-mcs/seusers @@ -0,0 +1,3 @@ +system_u:system_u:s0-mcs_systemhigh +root:root:s0-mcs_systemhigh +__default__:user_u:s0 diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts new file mode 100644 index 0000000..881a292 --- /dev/null +++ b/config/appconfig-mcs/staff_u_default_contexts @@ -0,0 +1,10 @@ +system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +system_r:remote_login_t:s0 staff_r:staff_t:s0 +system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +system_r:crond_t:s0 staff_r:cronjob_t:s0 +system_r:xdm_t:s0 staff_r:staff_t:s0 +staff_r:staff_su_t:s0 staff_r:staff_t:s0 +staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 +sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 + 
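Review bot: in root_default_contexts the comment says "Uncomment if you want to automatically login as sysadm_r", but the commented line lists `unconfined_r:unconfined_t:s0` before `sysadm_r:sysadm_t:s0`, and the first listed context is the one preferred, so uncommenting it as written gives root ssh logins unconfined_r rather than sysadm_r. Either reorder the contexts or reword the comment to say what the line actually selects; the same line appears in the mls and standard copies of this file.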
diff --git a/config/appconfig-mcs/unconfined_u_default_contexts b/config/appconfig-mcs/unconfined_u_default_contexts new file mode 100644 index 0000000..106e093 --- /dev/null +++ b/config/appconfig-mcs/unconfined_u_default_contexts @@ -0,0 +1,9 @@ +system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0 +system_r:initrc_t:s0 unconfined_r:unconfined_t:s0 +system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 +system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0 +system_r:rshd_t:s0 unconfined_r:unconfined_t:s0 +system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 +system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 +system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 +system_r:xdm_t:s0 unconfined_r:unconfined_t:s0 diff --git a/config/appconfig-mcs/user_u_default_contexts b/config/appconfig-mcs/user_u_default_contexts new file mode 100644 index 0000000..cacbc93 --- /dev/null +++ b/config/appconfig-mcs/user_u_default_contexts @@ -0,0 +1,8 @@ +system_r:local_login_t:s0 user_r:user_t:s0 +system_r:remote_login_t:s0 user_r:user_t:s0 +system_r:sshd_t:s0 user_r:user_t:s0 +system_r:crond_t:s0 user_r:cronjob_t:s0 +system_r:xdm_t:s0 user_r:user_t:s0 +user_r:user_su_t:s0 user_r:user_t:s0 +user_r:user_sudo_t:s0 user_r:user_t:s0 + diff --git a/config/appconfig-mcs/userhelper_context b/config/appconfig-mcs/userhelper_context new file mode 100644 index 0000000..dc37a69 --- /dev/null +++ b/config/appconfig-mcs/userhelper_context @@ -0,0 +1 @@ +system_u:sysadm_r:sysadm_t:s0 diff --git a/config/appconfig-mcs/x_contexts b/config/appconfig-mcs/x_contexts new file mode 100644 index 0000000..0b32044 --- /dev/null +++ b/config/appconfig-mcs/x_contexts 
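Review bot: unconfined_u_default_contexts carries `system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0`, but default_contexts and root_default_contexts in the same directory pair sysadm_su_t with sysadm_r (`sysadm_r:sysadm_su_t:s0`); please confirm system_r is the intended source role here, otherwise the entry never matches and an unconfined user's su falls through to default_contexts. The mls and standard copies of this file have the same line.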
@@ -0,0 +1,105 @@ +# +# Config file for XSELinux extension +# + + +# +## +### Rules for X Clients +## +# + +# +# The default client rule defines a context to be used for all clients +# connecting to the server from a remote host. +# +client * system_u:object_r:remote_t:s0 + + +# +## +### Rules for X Properties +## +# + +# +# Property rules map a property name to a context. A default property +# rule indicated by an asterisk should follow all other property rules. +# +# Properties that normal clients may only read +property _SELINUX_* system_u:object_r:seclabel_xproperty_t:s0 + +# Clipboard and selection properties +property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t:s0 + +# Default fallback type +property * system_u:object_r:xproperty_t:s0 + + +# +## +### Rules for X Extensions +## +# + +# +# Extension rules map an extension name to a context. A default extension +# rule indicated by an asterisk should follow all other extension rules. +# +# Restricted extensions +extension SELinux system_u:object_r:security_xextension_t:s0 + +# Standard extensions +extension * system_u:object_r:xextension_t:s0 + + +# +## +### Rules for X Selections +## +# + +# Selection rules map a selection name to a context. A default selection +# rule indicated by an asterisk should follow all other selection rules. +# +# Standard selections +selection PRIMARY system_u:object_r:clipboard_xselection_t:s0 +selection CLIPBOARD system_u:object_r:clipboard_xselection_t:s0 + +# Default fallback type +selection * system_u:object_r:xselection_t:s0 + + +# +## +### Rules for X Events +## +# + +# +# Event rules map an event protocol name to a context. A default event +# rule indicated by an asterisk should follow all other event rules. 
+# +# Input events +event X11:KeyPress system_u:object_r:input_xevent_t:s0 +event X11:KeyRelease system_u:object_r:input_xevent_t:s0 +event X11:ButtonPress system_u:object_r:input_xevent_t:s0 +event X11:ButtonRelease system_u:object_r:input_xevent_t:s0 +event X11:MotionNotify system_u:object_r:input_xevent_t:s0 +event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t:s0 +event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t:s0 +event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t:s0 +event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t:s0 +event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t:s0 +event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t:s0 +event XInputExtension:ProximityIn system_u:object_r:input_xevent_t:s0 +event XInputExtension:ProximityOut system_u:object_r:input_xevent_t:s0 + +# Client message events +event X11:ClientMessage system_u:object_r:client_xevent_t:s0 +event X11:SelectionNotify system_u:object_r:client_xevent_t:s0 +event X11:UnmapNotify system_u:object_r:client_xevent_t:s0 +event X11:ConfigureNotify system_u:object_r:client_xevent_t:s0 + +# Default fallback type +event * system_u:object_r:xevent_t:s0 diff --git a/config/appconfig-mcs/xguest_u_default_contexts b/config/appconfig-mcs/xguest_u_default_contexts new file mode 100644 index 0000000..574363b --- /dev/null +++ b/config/appconfig-mcs/xguest_u_default_contexts @@ -0,0 +1,7 @@ +system_r:crond_t:s0 xguest_r:xguest_t:s0 +system_r:initrc_su_t:s0 xguest_r:xguest_t:s0 +system_r:local_login_t:s0 xguest_r:xguest_t:s0 +system_r:remote_login_t:s0 xguest_r:xguest_t:s0 +system_r:sshd_t:s0 xguest_r:xguest_t:s0 +system_r:xdm_t:s0 xguest_r:xguest_t:s0 +xguest_r:xguest_t:s0 xguest_r:xguest_t:s0 diff --git a/config/appconfig-mls/dbus_contexts b/config/appconfig-mls/dbus_contexts new file mode 100644 index 0000000..116e684 --- /dev/null +++ b/config/appconfig-mls/dbus_contexts 
@@ -0,0 +1,6 @@ +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> +<busconfig> + <selinux> + </selinux> +</busconfig> diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts new file mode 100644 index 0000000..22aeb67 --- /dev/null +++ b/config/appconfig-mls/default_contexts @@ -0,0 +1,15 @@ +system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 +system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 +system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0 +system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 +system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 +system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 + +staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 + +sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 + +user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 diff --git a/config/appconfig-mls/default_type b/config/appconfig-mls/default_type new file mode 100644 index 0000000..33528d6 --- /dev/null +++ b/config/appconfig-mls/default_type @@ -0,0 +1,6 @@ +auditadm_r:auditadm_t +secadm_r:secadm_t +sysadm_r:sysadm_t +staff_r:staff_t +unconfined_r:unconfined_t +user_r:user_t diff --git a/config/appconfig-mls/failsafe_context b/config/appconfig-mls/failsafe_context new file mode 100644 index 0000000..999abd9 --- /dev/null +++ b/config/appconfig-mls/failsafe_context @@ -0,0 +1 @@ +sysadm_r:sysadm_t:s0 
diff --git a/config/appconfig-mls/guest_u_default_contexts b/config/appconfig-mls/guest_u_default_contexts new file mode 100644 index 0000000..e2106ef --- /dev/null +++ b/config/appconfig-mls/guest_u_default_contexts @@ -0,0 +1,5 @@ +guest_r:guest_t:s0 guest_r:guest_t:s0 +system_r:crond_t:s0 guest_r:guest_t:s0 +system_r:local_login_t:s0 guest_r:guest_t:s0 +system_r:remote_login_t:s0 guest_r:guest_t:s0 +system_r:sshd_t:s0 guest_r:guest_t:s0 diff --git a/config/appconfig-mls/initrc_context b/config/appconfig-mls/initrc_context new file mode 100644 index 0000000..4598f92 --- /dev/null +++ b/config/appconfig-mls/initrc_context @@ -0,0 +1 @@ +system_u:system_r:initrc_t:s0-mls_systemhigh diff --git a/config/appconfig-mls/media b/config/appconfig-mls/media new file mode 100644 index 0000000..81f3463 --- /dev/null +++ b/config/appconfig-mls/media @@ -0,0 +1,3 @@ +cdrom system_u:object_r:removable_device_t:s0 +floppy system_u:object_r:removable_device_t:s0 +disk system_u:object_r:fixed_disk_device_t:s0 diff --git a/config/appconfig-mls/removable_context b/config/appconfig-mls/removable_context new file mode 100644 index 0000000..7fcc56e --- /dev/null +++ b/config/appconfig-mls/removable_context @@ -0,0 +1 @@ +system_u:object_r:removable_t:s0 diff --git a/config/appconfig-mls/root_default_contexts b/config/appconfig-mls/root_default_contexts new file mode 100644 index 0000000..7805778 --- /dev/null +++ b/config/appconfig-mls/root_default_contexts 
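Review bot: the appconfig-mls guest_u_default_contexts has five entries while the appconfig-mcs copy has six; the mls file lacks `system_r:initrc_su_t:s0 guest_r:guest_t:s0`. If that omission is deliberate, note why in the file; if not, add the line so guest_u behaves the same under both policy types.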
@@ -0,0 +1,11 @@ +system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0 +system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 + +staff_r:staff_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +sysadm_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 +user_r:user_su_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 + +# +# Uncomment if you want to automatically login as sysadm_r +# +#system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 diff --git a/config/appconfig-mls/securetty_types b/config/appconfig-mls/securetty_types new file mode 100644 index 0000000..527d835 --- /dev/null +++ b/config/appconfig-mls/securetty_types @@ -0,0 +1 @@ +user_tty_device_t diff --git a/config/appconfig-mls/seusers b/config/appconfig-mls/seusers new file mode 100644 index 0000000..dc156bf --- /dev/null +++ b/config/appconfig-mls/seusers @@ -0,0 +1,3 @@ +system_u:system_u:s0-mls_systemhigh +root:root:s0-mls_systemhigh +__default__:user_u:s0 diff --git a/config/appconfig-mls/staff_u_default_contexts b/config/appconfig-mls/staff_u_default_contexts new file mode 100644 index 0000000..881a292 --- /dev/null +++ b/config/appconfig-mls/staff_u_default_contexts @@ -0,0 +1,10 @@ +system_r:local_login_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +system_r:remote_login_t:s0 staff_r:staff_t:s0 +system_r:sshd_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 +system_r:crond_t:s0 staff_r:cronjob_t:s0 +system_r:xdm_t:s0 staff_r:staff_t:s0 +staff_r:staff_su_t:s0 staff_r:staff_t:s0 +staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 +sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 + 
diff --git a/config/appconfig-mls/unconfined_u_default_contexts b/config/appconfig-mls/unconfined_u_default_contexts new file mode 100644 index 0000000..106e093 --- /dev/null +++ b/config/appconfig-mls/unconfined_u_default_contexts @@ -0,0 +1,9 @@ +system_r:crond_t:s0 unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0 +system_r:initrc_t:s0 unconfined_r:unconfined_t:s0 +system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 +system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0 +system_r:rshd_t:s0 unconfined_r:unconfined_t:s0 +system_r:sshd_t:s0 unconfined_r:unconfined_t:s0 +system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0 +system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0 +system_r:xdm_t:s0 unconfined_r:unconfined_t:s0 diff --git a/config/appconfig-mls/user_u_default_contexts b/config/appconfig-mls/user_u_default_contexts new file mode 100644 index 0000000..cacbc93 --- /dev/null +++ b/config/appconfig-mls/user_u_default_contexts @@ -0,0 +1,8 @@ +system_r:local_login_t:s0 user_r:user_t:s0 +system_r:remote_login_t:s0 user_r:user_t:s0 +system_r:sshd_t:s0 user_r:user_t:s0 +system_r:crond_t:s0 user_r:cronjob_t:s0 +system_r:xdm_t:s0 user_r:user_t:s0 +user_r:user_su_t:s0 user_r:user_t:s0 +user_r:user_sudo_t:s0 user_r:user_t:s0 + diff --git a/config/appconfig-mls/userhelper_context b/config/appconfig-mls/userhelper_context new file mode 100644 index 0000000..dc37a69 --- /dev/null +++ b/config/appconfig-mls/userhelper_context @@ -0,0 +1 @@ +system_u:sysadm_r:sysadm_t:s0 diff --git a/config/appconfig-mls/x_contexts b/config/appconfig-mls/x_contexts new file mode 100644 index 0000000..0b32044 --- /dev/null +++ b/config/appconfig-mls/x_contexts 
@@ -0,0 +1,105 @@ +# +# Config file for XSELinux extension +# + + +# +## +### Rules for X Clients +## +# + +# +# The default client rule defines a context to be used for all clients +# connecting to the server from a remote host. +# +client * system_u:object_r:remote_t:s0 + + +# +## +### Rules for X Properties +## +# + +# +# Property rules map a property name to a context. A default property +# rule indicated by an asterisk should follow all other property rules. +# +# Properties that normal clients may only read +property _SELINUX_* system_u:object_r:seclabel_xproperty_t:s0 + +# Clipboard and selection properties +property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t:s0 + +# Default fallback type +property * system_u:object_r:xproperty_t:s0 + + +# +## +### Rules for X Extensions +## +# + +# +# Extension rules map an extension name to a context. A default extension +# rule indicated by an asterisk should follow all other extension rules. +# +# Restricted extensions +extension SELinux system_u:object_r:security_xextension_t:s0 + +# Standard extensions +extension * system_u:object_r:xextension_t:s0 + + +# +## +### Rules for X Selections +## +# + +# Selection rules map a selection name to a context. A default selection +# rule indicated by an asterisk should follow all other selection rules. +# +# Standard selections +selection PRIMARY system_u:object_r:clipboard_xselection_t:s0 +selection CLIPBOARD system_u:object_r:clipboard_xselection_t:s0 + +# Default fallback type +selection * system_u:object_r:xselection_t:s0 + + +# +## +### Rules for X Events +## +# + +# +# Event rules map an event protocol name to a context. A default event +# rule indicated by an asterisk should follow all other event rules. 
+# +# Input events +event X11:KeyPress system_u:object_r:input_xevent_t:s0 +event X11:KeyRelease system_u:object_r:input_xevent_t:s0 +event X11:ButtonPress system_u:object_r:input_xevent_t:s0 +event X11:ButtonRelease system_u:object_r:input_xevent_t:s0 +event X11:MotionNotify system_u:object_r:input_xevent_t:s0 +event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t:s0 +event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t:s0 +event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t:s0 +event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t:s0 +event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t:s0 +event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t:s0 +event XInputExtension:ProximityIn system_u:object_r:input_xevent_t:s0 +event XInputExtension:ProximityOut system_u:object_r:input_xevent_t:s0 + +# Client message events +event X11:ClientMessage system_u:object_r:client_xevent_t:s0 +event X11:SelectionNotify system_u:object_r:client_xevent_t:s0 +event X11:UnmapNotify system_u:object_r:client_xevent_t:s0 +event X11:ConfigureNotify system_u:object_r:client_xevent_t:s0 + +# Default fallback type +event * system_u:object_r:xevent_t:s0 diff --git a/config/appconfig-mls/xguest_u_default_contexts b/config/appconfig-mls/xguest_u_default_contexts new file mode 100644 index 0000000..574363b --- /dev/null +++ b/config/appconfig-mls/xguest_u_default_contexts @@ -0,0 +1,7 @@ +system_r:crond_t:s0 xguest_r:xguest_t:s0 +system_r:initrc_su_t:s0 xguest_r:xguest_t:s0 +system_r:local_login_t:s0 xguest_r:xguest_t:s0 +system_r:remote_login_t:s0 xguest_r:xguest_t:s0 +system_r:sshd_t:s0 xguest_r:xguest_t:s0 +system_r:xdm_t:s0 xguest_r:xguest_t:s0 +xguest_r:xguest_t:s0 xguest_r:xguest_t:s0 diff --git a/config/appconfig-standard/dbus_contexts b/config/appconfig-standard/dbus_contexts new file mode 100644 index 0000000..116e684 --- /dev/null 
+++ b/config/appconfig-standard/dbus_contexts @@ -0,0 +1,6 @@ +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> +<busconfig> + <selinux> + </selinux> +</busconfig> diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts new file mode 100644 index 0000000..6141347 --- /dev/null +++ b/config/appconfig-standard/default_contexts @@ -0,0 +1,15 @@ +system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_crond_t unconfined_r:unconfined_cronjob_t +system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t +system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t +system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t +system_r:sulogin_t sysadm_r:sysadm_t +system_r:xdm_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t + +staff_r:staff_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t +staff_r:staff_sudo_t sysadm_r:sysadm_t staff_r:staff_t + +sysadm_r:sysadm_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t +sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t + +user_r:user_su_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t +user_r:user_sudo_t sysadm_r:sysadm_t user_r:user_t diff --git a/config/appconfig-standard/default_type b/config/appconfig-standard/default_type new file mode 100644 index 0000000..33528d6 --- /dev/null +++ b/config/appconfig-standard/default_type @@ -0,0 +1,6 @@ +auditadm_r:auditadm_t +secadm_r:secadm_t +sysadm_r:sysadm_t +staff_r:staff_t +unconfined_r:unconfined_t +user_r:user_t diff --git a/config/appconfig-standard/failsafe_context b/config/appconfig-standard/failsafe_context new file mode 100644 index 0000000..2f96c9f --- /dev/null +++ b/config/appconfig-standard/failsafe_context @@ -0,0 +1 @@ +sysadm_r:sysadm_t 
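Review bot: the first line of the appconfig-standard default_contexts lists `system_r:system_crond_t` among the crond_t targets, whereas the mcs and mls copies use `system_r:cronjob_t:s0` in that position. Only one of these type names can exist in the policy; whichever is correct, the three files should agree so that system cron jobs get the same default context regardless of policy type.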
diff --git a/config/appconfig-standard/guest_u_default_contexts b/config/appconfig-standard/guest_u_default_contexts new file mode 100644 index 0000000..85a35fb --- /dev/null +++ b/config/appconfig-standard/guest_u_default_contexts @@ -0,0 +1,7 @@ +guest_r:guest_t guest_r:guest_t +system_r:crond_t guest_r:guest_t +system_r:initrc_su_t guest_r:guest_t +system_r:local_login_t guest_r:guest_t +system_r:remote_login_t guest_r:guest_t +system_r:sshd_t guest_r:guest_t + diff --git a/config/appconfig-standard/initrc_context b/config/appconfig-standard/initrc_context new file mode 100644 index 0000000..7fcf70b --- /dev/null +++ b/config/appconfig-standard/initrc_context @@ -0,0 +1 @@ +system_u:system_r:initrc_t diff --git a/config/appconfig-standard/media b/config/appconfig-standard/media new file mode 100644 index 0000000..de2a652 --- /dev/null +++ b/config/appconfig-standard/media @@ -0,0 +1,3 @@ +cdrom system_u:object_r:removable_device_t +floppy system_u:object_r:removable_device_t +disk system_u:object_r:fixed_disk_device_t diff --git a/config/appconfig-standard/removable_context b/config/appconfig-standard/removable_context new file mode 100644 index 0000000..d4921f0 --- /dev/null +++ b/config/appconfig-standard/removable_context @@ -0,0 +1 @@ +system_u:object_r:removable_t diff --git a/config/appconfig-standard/root_default_contexts b/config/appconfig-standard/root_default_contexts new file mode 100644 index 0000000..f522568 --- /dev/null +++ b/config/appconfig-standard/root_default_contexts 
@@ -0,0 +1,11 @@ +system_r:crond_t unconfined_r:unconfined_t sysadm_r:cronjob_t staff_r:cronjob_t user_r:cronjob_t +system_r:local_login_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t + +staff_r:staff_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t +sysadm_r:sysadm_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t +user_r:user_su_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t + +# +# Uncomment if you want to automatically login as sysadm_r +# +#system_r:sshd_t unconfined_r:unconfined_t sysadm_r:sysadm_t staff_r:staff_t user_r:user_t diff --git a/config/appconfig-standard/securetty_types b/config/appconfig-standard/securetty_types new file mode 100644 index 0000000..527d835 --- /dev/null +++ b/config/appconfig-standard/securetty_types @@ -0,0 +1 @@ +user_tty_device_t diff --git a/config/appconfig-standard/seusers b/config/appconfig-standard/seusers new file mode 100644 index 0000000..36b193b --- /dev/null +++ b/config/appconfig-standard/seusers @@ -0,0 +1,3 @@ +system_u:system_u +root:root +__default__:user_u diff --git a/config/appconfig-standard/staff_u_default_contexts b/config/appconfig-standard/staff_u_default_contexts new file mode 100644 index 0000000..c2a5ea8 --- /dev/null +++ b/config/appconfig-standard/staff_u_default_contexts @@ -0,0 +1,10 @@ +system_r:local_login_t staff_r:staff_t sysadm_r:sysadm_t +system_r:remote_login_t staff_r:staff_t +system_r:sshd_t staff_r:staff_t sysadm_r:sysadm_t +system_r:crond_t staff_r:cronjob_t +system_r:xdm_t staff_r:staff_t +staff_r:staff_su_t staff_r:staff_t +staff_r:staff_sudo_t staff_r:staff_t +sysadm_r:sysadm_su_t sysadm_r:sysadm_t +sysadm_r:sysadm_sudo_t sysadm_r:sysadm_t + diff --git a/config/appconfig-standard/unconfined_u_default_contexts b/config/appconfig-standard/unconfined_u_default_contexts new file mode 100644 index 0000000..e340b21 --- /dev/null 
+++ b/config/appconfig-standard/unconfined_u_default_contexts @@ -0,0 +1,9 @@ +system_r:crond_t unconfined_r:unconfined_t unconfined_r:unconfined_cronjob_t +system_r:initrc_t unconfined_r:unconfined_t +system_r:local_login_t unconfined_r:unconfined_t +system_r:remote_login_t unconfined_r:unconfined_t +system_r:rshd_t unconfined_r:unconfined_t +system_r:sshd_t unconfined_r:unconfined_t +system_r:sysadm_su_t unconfined_r:unconfined_t +system_r:unconfined_t unconfined_r:unconfined_t +system_r:xdm_t unconfined_r:unconfined_t diff --git a/config/appconfig-standard/user_u_default_contexts b/config/appconfig-standard/user_u_default_contexts new file mode 100644 index 0000000..f5bfac3 --- /dev/null +++ b/config/appconfig-standard/user_u_default_contexts @@ -0,0 +1,8 @@ +system_r:local_login_t user_r:user_t +system_r:remote_login_t user_r:user_t +system_r:sshd_t user_r:user_t +system_r:crond_t user_r:cronjob_t +system_r:xdm_t user_r:user_t +user_r:user_su_t user_r:user_t +user_r:user_sudo_t user_r:user_t + diff --git a/config/appconfig-standard/userhelper_context b/config/appconfig-standard/userhelper_context new file mode 100644 index 0000000..081e93b --- /dev/null +++ b/config/appconfig-standard/userhelper_context @@ -0,0 +1 @@ +system_u:sysadm_r:sysadm_t diff --git a/config/appconfig-standard/x_contexts b/config/appconfig-standard/x_contexts new file mode 100644 index 0000000..5b752f8 --- /dev/null +++ b/config/appconfig-standard/x_contexts 
@@ -0,0 +1,105 @@ +# +# Config file for XSELinux extension +# + + +# +## +### Rules for X Clients +## +# + +# +# The default client rule defines a context to be used for all clients +# connecting to the server from a remote host. +# +client * system_u:object_r:remote_t + + +# +## +### Rules for X Properties +## +# + +# +# Property rules map a property name to a context. A default property +# rule indicated by an asterisk should follow all other property rules. +# +# Properties that normal clients may only read +property _SELINUX_* system_u:object_r:seclabel_xproperty_t + +# Clipboard and selection properties +property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t + +# Default fallback type +property * system_u:object_r:xproperty_t + + +# +## +### Rules for X Extensions +## +# + +# +# Extension rules map an extension name to a context. A default extension +# rule indicated by an asterisk should follow all other extension rules. +# +# Restricted extensions +extension SELinux system_u:object_r:security_xextension_t + +# Standard extensions +extension * system_u:object_r:xextension_t + + +# +## +### Rules for X Selections +## +# + +# Selection rules map a selection name to a context. A default selection +# rule indicated by an asterisk should follow all other selection rules. +# +# Standard selections +selection PRIMARY system_u:object_r:clipboard_xselection_t +selection CLIPBOARD system_u:object_r:clipboard_xselection_t + +# Default fallback type +selection * system_u:object_r:xselection_t + + +# +## +### Rules for X Events +## +# + +# +# Event rules map an event protocol name to a context. A default event +# rule indicated by an asterisk should follow all other event rules. 
+# +# Input events +event X11:KeyPress system_u:object_r:input_xevent_t +event X11:KeyRelease system_u:object_r:input_xevent_t +event X11:ButtonPress system_u:object_r:input_xevent_t +event X11:ButtonRelease system_u:object_r:input_xevent_t +event X11:MotionNotify system_u:object_r:input_xevent_t +event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t +event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t +event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t +event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t +event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t +event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t +event XInputExtension:ProximityIn system_u:object_r:input_xevent_t +event XInputExtension:ProximityOut system_u:object_r:input_xevent_t + +# Client message events +event X11:ClientMessage system_u:object_r:client_xevent_t +event X11:SelectionNotify system_u:object_r:client_xevent_t +event X11:UnmapNotify system_u:object_r:client_xevent_t +event X11:ConfigureNotify system_u:object_r:client_xevent_t + +# Default fallback type +event * system_u:object_r:xevent_t diff --git a/config/appconfig-standard/xguest_u_default_contexts b/config/appconfig-standard/xguest_u_default_contexts new file mode 100644 index 0000000..55d44d1 --- /dev/null +++ b/config/appconfig-standard/xguest_u_default_contexts @@ -0,0 +1,7 @@ +system_r:crond_t xguest_r:xguest_t +system_r:initrc_su_t xguest_r:xguest_t +system_r:local_login_t xguest_r:xguest_t +system_r:remote_login_t xguest_r:xguest_t +system_r:sshd_t xguest_r:xguest_t +system_r:xdm_t xguest_r:xguest_t +xguest_r:xguest_t xguest_r:xguest_t diff --git a/config/local.users b/config/local.users new file mode 100644 index 0000000..7e2bf7a --- /dev/null +++ b/config/local.users 
@@ -0,0 +1,21 @@ +################################## +# +# User configuration. +# +# This file defines additional users recognized by the system security policy. +# Only the user identities defined in this file and the system.users file +# may be used as the user attribute in a security context. +# +# Each user has a set of roles that may be entered by processes +# with the users identity. The syntax of a user declaration is: +# +# user username roles role_set [ level default_level range allowed_range ]; +# +# The MLS default level and allowed range should only be specified if +# MLS was enabled in the policy. + +# sample for administrative user +# user jadmin roles { staff_r sysadm_r }; + +# sample for regular user +#user jdoe roles { user_r }; diff --git a/doc/Makefile.example b/doc/Makefile.example new file mode 100644 index 0000000..9f2a8d5 --- /dev/null +++ b/doc/Makefile.example @@ -0,0 +1,8 @@ + +AWK ?= gawk + +NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config) +SHAREDIR ?= /usr/share/selinux +HEADERDIR := $(SHAREDIR)/$(NAME)/include + +include $(HEADERDIR)/Makefile diff --git a/doc/example.fc b/doc/example.fc new file mode 100644 index 0000000..9cf7c4c --- /dev/null +++ b/doc/example.fc @@ -0,0 +1,6 @@ +# myapp executable will have: +# label: system_u:object_r:myapp_exec_t +# MLS sensitivity: s0 +# MCS categories: <none> + +/usr/sbin/myapp -- gen_context(system_u:object_r:myapp_exec_t,s0) diff --git a/doc/example.if b/doc/example.if new file mode 100644 index 0000000..54d42ae --- /dev/null +++ b/doc/example.if 
@@ -0,0 +1,54 @@ +## <summary>Myapp example policy</summary> +## <desc> +## <p> +## More descriptive text about myapp. The desc +## tag can also use p, ul, and ol +## html tags for formatting. +## </p> +## <p> +## This policy supports the following myapp features: +## <ul> +## <li>Feature A</li> +## <li>Feature B</li> +## <li>Feature C</li> +## </ul> +## </p> +## </desc> +# + +######################################## +## <summary> +## Execute a domain transition to run myapp. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`myapp_domtrans',` + gen_require(` + type myapp_t, myapp_exec_t; + ') + + domtrans_pattern($1,myapp_exec_t,myapp_t) +') + +######################################## +## <summary> +## Read myapp log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to read the log files. +## </summary> +## </param> +# +interface(`myapp_read_log',` + gen_require(` + type myapp_log_t; + ') + + logging_search_logs($1) + allow $1 myapp_log_t:file read_file_perms; +') diff --git a/doc/example.te b/doc/example.te new file mode 100644 index 0000000..8238355 --- /dev/null +++ b/doc/example.te @@ -0,0 +1,28 @@ + +policy_module(myapp,1.0.0) + +######################################## +# +# Declarations +# + +type myapp_t; +type myapp_exec_t; +domain_type(myapp_t) +domain_entry_file(myapp_t, myapp_exec_t) + +type myapp_log_t; +logging_log_file(myapp_log_t) + +type myapp_tmp_t; +files_tmp_file(myapp_tmp_t) + +######################################## +# +# Myapp local policy +# + +allow myapp_t myapp_log_t:file { read_file_perms append_file_perms }; + +allow myapp_t myapp_tmp_t:file manage_file_perms; +files_tmp_filetrans(myapp_t,myapp_tmp_t,file) diff --git a/doc/policy.dtd b/doc/policy.dtd new file mode 100644 index 0000000..b797f71 --- /dev/null +++ b/doc/policy.dtd 
@@ -0,0 +1,44 @@ +<!ENTITY % inline.class "pre|p|ul|ol|li"> + +<!ELEMENT policy (layer+,(tunable|bool)*)> +<!ELEMENT layer (summary,module+)> +<!ATTLIST layer + name CDATA #REQUIRED> +<!ELEMENT module (summary,desc?,required?,(interface|template)*,(bool|tunable)*)> +<!ATTLIST module + name CDATA #REQUIRED + filename CDATA #REQUIRED> +<!ELEMENT required (#PCDATA)> +<!ATTLIST required + val (true|false) "false"> +<!ELEMENT tunable (desc)> +<!ATTLIST tunable + name CDATA #REQUIRED + dftval CDATA #REQUIRED> +<!ELEMENT bool (desc)> +<!ATTLIST bool + name CDATA #REQUIRED + dftval CDATA #REQUIRED> +<!ELEMENT summary (#PCDATA)> +<!ELEMENT interface (summary,desc?,param+,infoflow?,(rolebase|rolecap)?)> +<!ATTLIST interface name CDATA #REQUIRED lineno CDATA #REQUIRED> +<!ELEMENT template (summary,desc?,param+,(rolebase|rolecap)?)> +<!ATTLIST template name CDATA #REQUIRED lineno CDATA #REQUIRED> +<!ELEMENT desc (#PCDATA|%inline.class;)*> +<!ELEMENT param (summary)> +<!ATTLIST param + name CDATA #REQUIRED + optional (true|false) "false" + unused (true|false) "false"> +<!ELEMENT infoflow EMPTY> +<!ATTLIST infoflow + type CDATA #REQUIRED + weight CDATA #IMPLIED> +<!ELEMENT rolebase EMPTY> +<!ELEMENT rolecap EMPTY> + +<!ATTLIST pre caption CDATA #IMPLIED> +<!ELEMENT p (#PCDATA|%inline.class;)*> +<!ELEMENT ul (li+)> +<!ELEMENT ol (li+)> +<!ELEMENT li (#PCDATA|%inline.class;)*> diff --git a/doc/templates/bool_list.html b/doc/templates/bool_list.html new file mode 100644 index 0000000..2d852da --- /dev/null +++ b/doc/templates/bool_list.html 
@@ -0,0 +1,23 @@ +<h3>Master boolean index:</h3> + +[[for bool in booleans]] +<div id="interfacesmall"> +[[if bool.has_key('mod_layer')]] +Module: <a href='[[bool['mod_layer']+ "_" + bool['mod_name'] + ".html#link_" + bool['bool_name']]]'> +[[bool['mod_name']]]</a><p/> +Layer: <a href='[[bool['mod_layer']]].html'> +[[bool['mod_layer']]]</a><p/> +[[else]] +Global +[[end]] +<div id="codeblock"> +[[bool['bool_name']]] +<small>(Default: [[bool['def_val']]])</small> +</div> +[[if bool['desc']]] +<div id="description"> +[[bool['desc']]] +</div> +[[end]] +</div> +[[end]] diff --git a/doc/templates/boolean.html b/doc/templates/boolean.html new file mode 100644 index 0000000..ea5a260 --- /dev/null +++ b/doc/templates/boolean.html @@ -0,0 +1,13 @@ +[[for bool in booleans]] +<a name="link_[[bool['bool_name']]]"></a> +<div id="interface"> +<div id="codeblock">[[bool['bool_name']]]</div> +<div id="description"> +<h5>Default value</h5> +<p>[[bool['def_val']]]</p> +[[if bool['desc']]] +<h5>Description</h5> +[[bool['desc']]] +[[end]] +</div></div> +[[end]] diff --git a/doc/templates/global_bool_list.html b/doc/templates/global_bool_list.html new file mode 100644 index 0000000..a8065af --- /dev/null +++ b/doc/templates/global_bool_list.html @@ -0,0 +1,14 @@ +<h3>Global booleans:</h3> + +[[for bool in booleans]] +<div id="interface"> +<div id="codeblock">[[bool['bool_name']]]</div> +<div id="description"> +<h5>Default value</h5> +<p>[[bool['def_val']]]</p> +[[if bool['desc']]] +<h5>Description</h5> +[[bool['desc']]] +[[end]] +</div></div> +[[end]] diff --git a/doc/templates/global_tun_list.html b/doc/templates/global_tun_list.html new file mode 100644 index 0000000..6ed8013 --- /dev/null +++ b/doc/templates/global_tun_list.html 
@@ -0,0 +1,14 @@ +<h3>Global tunables:</h3> + +[[for tun in tunables]] +<div id="interface"> +<div id="codeblock">[[tun['tun_name']]]</div> +<div id="description"> +<h5>Default value</h5> +<p>[[tun['def_val']]]</p> +[[if tun['desc']]] +<h5>Description</h5> +[[tun['desc']]] +[[end]] +</div></div> +[[end]] diff --git a/doc/templates/header.html b/doc/templates/header.html new file mode 100644 index 0000000..9ef487c --- /dev/null +++ b/doc/templates/header.html @@ -0,0 +1,15 @@ +<html> +<head> +<title> + Security Enhanced Linux Reference Policy + </title> +<style type="text/css" media="all">@import "style.css";</style> +</head> +<body> +<div id="Header">Security Enhanced Linux Reference Policy</div> +[[menu]] +<div id="Content"> +[[content]] +</div> +</body> +</html> diff --git a/doc/templates/int_list.html b/doc/templates/int_list.html new file mode 100644 index 0000000..b95c343 --- /dev/null +++ b/doc/templates/int_list.html @@ -0,0 +1,33 @@ +<h3>Master interface index:</h3> + +[[for int in interfaces]] +<div id="interfacesmall"> +Module: <a href='[[int['mod_layer']+ "_" + int['mod_name'] + ".html#link_" + int['interface_name']]]'> +[[int['mod_name']]]</a><p/> +Layer: <a href='[[int['mod_layer']]].html'> +[[int['mod_layer']]]</a><p/> +<div id="codeblock"> +[[exec i = 0]] +<b>[[int['interface_name']]]</b>( + [[for arg in int['interface_parameters']]] + [[if i != 0]] + , + [[end]] + [[exec i = 1]] + [[if arg['optional'] == 'yes']] + [ + [[end]] + [[arg['name']]] + [[if arg['optional'] == 'yes']] + ] + [[end]] + [[end]] + )<br> +</div> +[[if int['interface_summary']]] +<div id="description"> +[[int['interface_summary']]] +</div> +[[end]] +</div> +[[end]] diff --git a/doc/templates/interface.html b/doc/templates/interface.html new file mode 100644 index 0000000..90eb436 --- /dev/null +++ b/doc/templates/interface.html 
@@ -0,0 +1,50 @@ +[[for int in interfaces]] +<a name="link_[[int['interface_name']]]"></a> +<div id="interface"> +[[if int.has_key("mod_layer")]] + Layer: [[mod_layer]]<br> +[[end]] +[[if int.has_key("mod_name")]] + Module: [[mod_name]]<br> +[[end]] +<div id="codeblock"> +[[exec i = 0]] +<b>[[int['interface_name']]]</b>( + [[for arg in int['interface_parameters']]] + [[if i != 0]] + , + [[end]] + [[exec i = 1]] + [[if arg['optional'] == 'yes']] + [ + [[end]] + [[arg['name']]] + [[if arg['optional'] == 'yes']] + ] + [[end]] + [[end]] + )<br> +</div> +<div id="description"> +[[if int['interface_summary']]] +<h5>Summary</h5> +[[int['interface_summary']]] +[[end]] +[[if int['interface_desc']]] +<h5>Description</h5> +[[int['interface_desc']]] +[[end]] +<h5>Parameters</h5> +<table border="1" cellspacing="0" cellpadding="3" width="65%"> +<tr><th >Parameter:</th><th >Description:</th></tr> +[[for arg in int['interface_parameters']]] +<tr><td> +[[arg['name']]] +</td><td> +[[arg['desc']]] +</td></tr> +[[end]] +</table> +</div> +</div> +[[end]] diff --git a/doc/templates/menu.html b/doc/templates/menu.html new file mode 100644 index 0000000..9472b2c --- /dev/null +++ b/doc/templates/menu.html @@ -0,0 +1,26 @@ +<div id='Menu'> + [[for layer_name, layer_mods in menulist]] + <a href="[[layer_name]].html">+ + [[layer_name]]</a></br/> + <div id='subitem'> + [[for module, s in layer_mods]] + - <a href='[[layer_name + "_" + module]].html'> + [[module]]</a><br/> + [[end]] + </div> + [[end]] + <br/><p/> + <a href="global_booleans.html">* Global Booleans </a> + <br/><p/> + <a href="global_tunables.html">* Global Tunables </a> + <p/><br/><p/> + <a href="index.html">* Layer Index</a> + <br/><p/> + <a href="booleans.html">* Boolean Index</a> + <br/><p/> + <a href="tunables.html">* Tunable Index</a> + <br/><p/> + <a href="interfaces.html">* Interface Index</a> + <br/><p/> + <a href="templates.html">* Template Index</a> +</div> 
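Review bot: `</br/>` after `[[layer_name]]</a>` in the menu.html hunk is not a valid tag; it should be `<br/>` like the line in the inner module loop. The alternating `<br/><p/>` and `<p/><br/><p/>` separators further down rely on self-closing `<p/>`, which HTML parsers treat as an opening paragraph, so the spacing will differ between browsers; a plain `<br/>` between links, or a `<ul>`, gives the same layout predictably.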
diff --git a/doc/templates/module.html b/doc/templates/module.html new file mode 100644 index 0000000..a8d008a --- /dev/null +++ b/doc/templates/module.html @@ -0,0 +1,52 @@ +<a name="top":></a> +<h1>Layer: [[mod_layer]]</h1><p/> +<h2>Module: [[mod_name]]</h2><p/> +[[if booleans]] +<a href=#booleans>Booleans</a> +[[end]] +[[if tunables]] +<a href=#tunables>Tunables</a> +[[end]] +[[if interfaces]] +<a href=#interfaces>Interfaces</a> +[[end]] +[[if templates]] +<a href=#templates>Templates</a> +[[end]] +<h3>Description:</h3> +[[if mod_desc]] +<p>[[mod_desc]]</p> +[[else]] +<p>[[mod_summary]]</p> +[[end]] +[[if mod_req]] +<p>This module is required to be included in all policies.</p> +[[end]] +<hr> +[[if booleans]] +<a name="booleans"></a> +<h3>Booleans: </h3> +[[booleans]] +<a href=#top>Return</a> +[[end]] +[[if tunables]] +<a name="tunables"></a> +<h3>Tunables: </h3> +[[tunables]] +<a href=#top>Return</a> +[[end]] +[[if interfaces]] +<a name="interfaces"></a> +<h3>Interfaces: </h3> +[[interfaces]] +<a href=#top>Return</a> +[[end]] +[[if templates]] +<a name="templates"></a> +<h3>Templates: </h3> +[[templates]] +<a href=#top>Return</a> +[[end]] +[[if not templates and not interfaces and not tunables]] +<h3>No booleans, tunables, interfaces, or templates.</h3> +[[end]] diff --git a/doc/templates/module_list.html b/doc/templates/module_list.html new file mode 100644 index 0000000..7317a6b --- /dev/null +++ b/doc/templates/module_list.html @@ -0,0 +1,19 @@ +[[if mod_layer]] +<h1>Layer: [[mod_layer]]</h1><p/> +[[if layer_summary]] +<p>[[layer_summary]]</p><br/> +[[end]] +[[end]] +<table border="1" cellspacing="0" cellpadding="3" width="75%"> +<tr><td class="title">Module:</td><td class="title">Description:</td></tr> + [[for layer_name, layer_mods in menulist]] + [[for module, s in layer_mods]] + <tr><td> + <a href='[[layer_name + "_" + module]].html'> + [[module]]</a></td> + <td>[[s]]</td> + [[end]] + </td></tr> + [[end]] +</table> +<p/><br/><br/> 
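Review bot: the table in the module_list.html hunk closes its row outside the inner loop: each iteration of `[[for module, s in layer_mods]]` emits `<tr><td> ... </td> <td>[[s]]</td>` and the closing `</td></tr>` only appears after the `[[end]]`, so every row except the last is left unclosed and the last one gets a stray `</td>`. Move `</tr>` inside the loop directly after `<td>[[s]]</td>` and drop the extra `</td>`.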
diff --git a/doc/templates/style.css b/doc/templates/style.css new file mode 100644 index 0000000..9bac0d9 --- /dev/null +++ b/doc/templates/style.css 
@@ -0,0 +1,216 @@ +body { + margin:0px; + padding:0px; + font-family:verdana, arial, helvetica, sans-serif; + color:#333; + background-color:white; + } +h1 { + margin:0px 0px 5px 0px; + padding:0px; + font-size:150% + line-height:28px; + font-weight:900; + color:#ccc; + } +h2 { + font-size:125%; + margin:0px; + padding:5px 0px 10px 0px; + } +h3 { + font-size:110%; + margin:0px; + padding:5px 0px 10px 5px; + } +h4 { + font-size:100%; + margin:0px; + padding:5px 0px 10px 5px; + } +h5 { + font-size:100%; + margin:0px; + font-weight:600; + padding:0px 0px 5px 0px; + margin:0px 0px 0px 5px; +} +li { + font:11px/20px verdana, arial, helvetica, sans-serif; + margin:0px 0px 0px 10px; + padding:0px; + } +p { + /* normal */ + font:11px/20px verdana, arial, helvetica, sans-serif; + margin:0px 0px 0px 10px; + padding:0px; + } + +tt { + /* inline code */ + font-family: monospace; + } + +table { + background-color:#efefef; + /*background-color: white;*/ + border-style:solid; + border-color:black; + border-width:0px 1px 1px 0px; + color: black; + text-align: left; + font:11px/20px verdana, arial, helvetica, sans-serif; + margin-left: 5%; + margin-right: 5%; +} + +th { + font-weight:500; + background-color: #eaeaef; + text-align: center; +} + +td.header { + font-weight: bold; +} + +#Content>p {margin:0px;} +#Content>p+p {text-indent:30px;} +a { + color:#09c; + font-size:11px; + text-decoration:none; + font-weight:600; + font-family:verdana, arial, helvetica, sans-serif; + } +a:link {color:#09c;} +a:visited {color:#07a;} +a:hover {background-color:#eee;} + +#Codeblock { + margin:5px 50px 5px 10px; + padding:5px 0px 5px 15px; + border-style:solid; + border-color:lightgrey; + border-width:1px 1px 1px 1px; + background-color:#f5f5ff; + font-size:100%; + font-weight:600; + text-decoration:none; + font-family:monospace; +} +#Interface { + margin:5px 0px 25px 5px; + padding:5px 0px 5px 5px; + border-style:solid; + border-color:black; + border-width:1px 1px 1px 1px; + 
background-color:#fafafa; + font-size:14px; + font-weight:400; + text-decoration:none; + font-family:verdana, arial, helvetica, sans-serif; +} +#Interfacesmall { + margin:0px 0px 5px 0px; + padding:5px 0px 0px 5px; + border-style:solid; + border-color:black; + border-width:1px 1px 1px 1px; + background-color:#fafafa; + font-size:14px; + font-weight:400; + text-decoration:none; + font-family:verdana, arial, helvetica, sans-serif; +} +#Template { + margin:5px 0px 25px 5px; + padding:5px 0px 5px 5px; + border-style:solid; + border-color:black; + border-width:1px 1px 1px 1px; + background-color:#fafafa; + font-size:14px; + font-weight:400; + text-decoration:none; + font-family:verdana, arial, helvetica, sans-serif; +} +#Templatesmall { + margin:0px 0px 5px 0px; + padding:5px 0px 0px 5px; + border-style:solid; + border-color:black; + border-width:1px 1px 1px 1px; + background-color:#fafafa; + font-size:14px; + font-weight:400; + text-decoration:none; + font-family:verdana, arial, helvetica, sans-serif; +} +#Description { + margin:0px 0px 0px 5px; + padding:0px 0px 0px 5px; + text-decoration:none; + font-family:verdana, arial, helvetica, sans-serif; + font-size:12px; + font-weight:400; +} +pre { + margin:0px; + padding:0px; + font-size:14px; + text-decoration:none; + font-family:verdana, arial, helvetica, sans-serif; +} +dl { + /* definition text block */ + font:11px/20px verdana, arial, helvetica, sans-serif; + margin:0px 0px 16px 0px; + padding:0px; + } +dt { + /* definition term */ + font-weight: bold; + } + +#Header { + margin:50px 0px 10px 0px; + padding:17px 0px 0px 20px; + /* For IE5/Win's benefit height = [correct height] + [top padding] + [top and bottom border widths] */ + height:33px; /* 14px + 17px + 2px = 33px */ + border-style:solid; + border-color:black; + border-width:1px 0px; /* top and bottom borders: 1px; left and right borders: 0px */ + line-height:11px; + font-size:110%; + background-color:#eee; + voice-family: "\"}\""; + voice-family:inherit; + 
height:14px; /* the correct height */ + } +body>#Header {height:14px;} +#Content { + margin:0px 50px 0px 200px; + padding:10px; + } + +#Menu { + position:absolute; + top:100px; + left:20px; + width:162px; + padding:10px; + background-color:#eee; + border:1px solid #aaa; + line-height:17px; + text-align:left; + voice-family: "\"}\""; + voice-family:inherit; + width:160px; + } +#Menu subitem { + font-size: 5px; +} + +body>#Menu {width:160px;} diff --git a/doc/templates/temp_list.html b/doc/templates/temp_list.html new file mode 100644 index 0000000..9d635d8 --- /dev/null +++ b/doc/templates/temp_list.html @@ -0,0 +1,33 @@ +<h3>Master template index:</h3> + +[[for temp in templates]] +<div id="templatesmall"> +Module: <a href='[[temp['mod_layer']+ "_" + temp['mod_name'] + ".html#link_" + temp['template_name']]]'> +[[temp['mod_name']]]</a><p/> +Layer: <a href='[[temp['mod_layer']]].html'> +[[temp['mod_layer']]]</a><p/> +<div id="codeblock"> +[[exec i = 0]] +<b>[[temp['template_name']]]</b>( + [[for arg in temp['template_parameters']]] + [[if i != 0]] + , + [[end]] + [[exec i = 1]] + [[if arg['optional'] == 'yes']] + [ + [[end]] + [[arg['name']]] + [[if arg['optional'] == 'yes']] + ] + [[end]] + [[end]] + )<br> +</div> +[[if temp['template_summary']]] +<div id="description"> +[[temp['template_summary']]] +</div> +[[end]] +</div> +[[end]] diff --git a/doc/templates/template.html b/doc/templates/template.html new file mode 100644 index 0000000..251d227 --- /dev/null +++ b/doc/templates/template.html 
@@ -0,0 +1,50 @@ +[[for temp in templates]] +<a name="link_[[temp['template_name']]]"></a> +<div id="template"> +[[if temp.has_key("mod_layer")]] + Layer: [[mod_layer]]<br> +[[end]] +[[if temp.has_key("mod_name")]] + Module: [[mod_name]]<br> +[[end]] +<div id="codeblock"> +[[exec i = 0]] +<b>[[temp['template_name']]]</b>( + [[for arg in temp['template_parameters']]] + [[if i != 0]] + , + [[end]] + [[exec i = 1]] + [[if arg['optional'] == 'yes']] + [ + [[end]] + [[arg['name']]] + [[if arg['optional'] == 'yes']] + ] + [[end]] + [[end]] + )<br> +</div> +<div id="description"> +[[if temp['template_summary']]] +<h5>Summary</h5> +[[temp['template_summary']]] +[[end]] +[[if temp['template_desc']]] +<h5>Description</h5> +[[temp['template_desc']]] +[[end]] +<h5>Parameters</h5> +<table border="1" cellspacing="0" cellpadding="3" width="65%"> +<tr><th >Parameter:</th><th >Description:</th></tr> +[[for arg in temp['template_parameters']]] +<tr><td> +[[arg['name']]] +</td><td> +[[arg['desc']]] +</td></tr> +[[end]] +</table> +</div> +</div> +[[end]] diff --git a/doc/templates/tun_list.html b/doc/templates/tun_list.html new file mode 100644 index 0000000..278f284 --- /dev/null +++ b/doc/templates/tun_list.html @@ -0,0 +1,23 @@ +<h3>Master tunable index:</h3> + +[[for tun in tunables]] +<div id="interfacesmall"> +[[if tun.has_key('mod_layer')]] +Module: <a href='[[tun['mod_layer']+ "_" + tun['mod_name'] + ".html#link_" + tun['tun_name']]]'> +[[tun['mod_name']]]</a><p/> +Layer: <a href='[[tun['mod_layer']]].html'> +[[tun['mod_layer']]]</a><p/> +[[else]] +Global +[[end]] +<div id="codeblock"> +[[tun['tun_name']]] +<small>(Default: [[tun['def_val']]])</small> +</div> +[[if tun['desc']]] +<div id="description"> +[[tun['desc']]] +</div> +[[end]] +</div> +[[end]] diff --git a/doc/templates/tunable.html b/doc/templates/tunable.html new file mode 100644 index 0000000..9316779 --- /dev/null +++ b/doc/templates/tunable.html 
@@ -0,0 +1,13 @@ +[[for tun in tunables]] +<a name="link_[[tun['tun_name']]]"></a> +<div id="interface"> +<div id="codeblock">[[tun['tun_name']]]</div> +<div id="description"> +<h5>Default value</h5> +<p>[[tun['def_val']]]</p> +[[if tun['desc']]] +<h5>Description</h5> +[[tun['desc']]] +[[end]] +</div></div> +[[end]] diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8 new file mode 100644 index 0000000..5bebd82 --- /dev/null +++ b/man/man8/ftpd_selinux.8 
@@ -0,0 +1,65 @@ +.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ftpd SELinux policy documentation" +.SH "NAME" +.PP +ftpd_selinux \- Security-Enhanced Linux policy for ftp daemons. +.SH "DESCRIPTION" +.PP +Security-Enhanced Linux provides security for ftp daemons via flexible mandatory access control. +.SH FILE_CONTEXTS +.PP +SELinux requires files to have a file type. File types may be specified with semanage and are restored with restorecon. Policy governs the access that daemons have to files. +.TP +Allow ftp servers to read the /var/ftp directory by adding the public_content_t file type to the directory and by restoring the file type. +.PP +.B +semanage fcontext -a -t public_content_t "/var/ftp(/.*)?" +.TP +.B +restorecon -F -R -v /var/ftp +.TP +Allow ftp servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_ftpd_anon_write boolean to be set. +.PP +.B +semanage fcontext -a -t public_content_rw_t "/var/ftp/incoming(/.*)?" +.TP +.B +restorecon -F -R -v /var/ftp/incoming + +.SH BOOLEANS +.PP +SELinux policy is based on least privilege required and may also be customizable by setting a boolean with setsebool. +.TP +Allow ftp servers to read and write files with the public_content_rw_t file type. +.PP +.B +setsebool -P allow_ftpd_anon_write on +.TP +Allow ftp servers to read or write files in the user home directories. +.PP +.B +setsebool -P ftp_home_dir on +.TP +Allow ftp servers to read or write all files on the system. +.PP +.B +setsebool -P allow_ftpd_full_access on +.TP +Allow ftp servers to use cifs for public file transfer services. +.PP +.B +setsebool -P allow_ftpd_use_cifs on +.TP +Allow ftp servers to use nfs for public file transfer services. +.PP +.B +setsebool -P allow_ftpd_use_nfs on +.TP +system-config-selinux is a GUI tool available to customize SELinux policy settings. 
+.SH AUTHOR +.PP +This manual page was written by Dan Walsh <dwalsh@redhat.com>. + +.SH "SEE ALSO" +.PP + +selinux(8), ftpd(8), setsebool(8), semanage(8), restorecon(8) diff --git a/man/man8/git_selinux.8 b/man/man8/git_selinux.8 new file mode 100644 index 0000000..e9c43b1 --- /dev/null +++ b/man/man8/git_selinux.8 
@@ -0,0 +1,109 @@ +.TH "git_selinux" "8" "27 May 2010" "domg472@gmail.com" "Git SELinux policy documentation" +.de EX +.nf +.ft CW +.. +.de EE +.ft R +.fi +.. +.SH "NAME" +git_selinux \- Security Enhanced Linux Policy for the Git daemon. +.SH "DESCRIPTION" +Security-Enhanced Linux secures the Git server via flexible mandatory access +control. +.SH FILE_CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +Policy governs the access daemons have to these files. +SELinux Git policy is very flexible allowing users to setup their web services in as secure a method as possible. +.PP +The following file contexts types are by default defined for Git: +.EX +git_system_content_t +.EE +- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users. +.EX +git_session_content_t +.EE +- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type. +.SH BOOLEANS +SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible. +.PP +Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories. +.EX +sudo setsebool -P git_system_enable_homedirs 1 +.EE +.PP +Allow the Git system daemon to read system shared repositories on NFS shares. +.EX +sudo setsebool -P git_system_use_nfs 1 +.EE +.PP +Allow the Git system daemon to read system shared repositories on Samba shares. 
+.EX +sudo setsebool -P git_system_use_cifs 1 +.EE +.PP +Allow the Git session daemon to read users personal repositories on NFS mounted home directories. +.EX +sudo setsebool -P use_nfs_home_dirs 1 +.EE +.PP +Allow the Git session daemon to read users personal repositories on Samba mounted home directories. +.EX +sudo setsebool -P use_samba_home_dirs 1 +.EE +.PP +To also allow Git system daemon to read users personal repositories on NFS and Samba mounted home directories you must also allow the Git system daemon to search home directories so that it can find the repositories. +.EX +sudo setsebool -P git_system_enable_homedirs 1 +.EE +.PP +To allow the Git System daemon mass hosting of users personal repositories you can allow the Git daemon to listen to any unreserved ports. +.EX +sudo setsebool -P git_session_bind_all_unreserved_ports 1 +.EE +.SH GIT_SHELL +The Git policy by default provides a restricted user environment to be used with "Git shell". This default git_shell_u SELinux user can modify and execute generic Git system content (generic system shared respositories with type git_system_content_t). +.PP +To add a new Linux user and map him to this Git shell user domain automatically: +.EX +sudo useradd -Z git_shell_u joe +.EE +.SH ADVANCED_SYSTEM_SHARED_REPOSITORY_AND GIT_SHELL_RESTRICTIONS +Alternatively Git SELinux policy can be used to restrict "Git shell" users to git system shared repositories. The policy allows for the creation of new types of Git system content and Git shell user environment. The policy allows for delegation of types of "Git shell" environments to types of Git system content. +.PP +To add a new Git system repository type, for example "project1" create a file named project1.te and add to it: +.EX +policy_module(project1, 1.0.0) +git_content_template(project1) +.EE +Next create a file named project1.fc and add a file context specification for the new repository type to it: +.EX +/srv/git/project1\.git(/.*)? 
gen_context(system_u:object_r:git_project1_content_t,s0) +.EE +Build a binary representation of this source policy module, load it into the policy store and restore the context of the repository: +.EX +make -f /usr/share/selinux/devel/Makefile project.pp +sudo semodule -i project1.pp +sudo restorecon -R -v /srv/git/project1 +.EE +To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following: +.EX +policy_module(project1user, 1.0.0) +git_role_template(project1user) +git_content_delegation(project1user_t, git_project1_content_t) +gen_user(project1user_u, user, project1user_r, s0, s0) +.EE +Build a binary representation of this source policy module, load it into the policy store and map Linux users to the new project1user_u SELinux user: +.EX +make -f /usr/share/selinux/devel/Makefile project1user.pp +sudo semodule -i project1user.pp +sudo useradd -Z project1user_u jane +.EE +.PP +system-config-selinux is a GUI tool available to customize SELinux policy settings. +.SH AUTHOR +This manual page was written by Dominick Grift <domg472@gmail.com>. +.SH "SEE ALSO" +selinux(8), git(8), chcon(1), semodule(8), setsebool(8) diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8 new file mode 100644 index 0000000..a939a74 --- /dev/null +++ b/man/man8/httpd_selinux.8 
@@ -0,0 +1,120 @@ +.TH "httpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation" +.de EX +.nf +.ft CW +.. +.de EE +.ft R +.fi +.. +.SH "NAME" +httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon +.SH "DESCRIPTION" + +Security-Enhanced Linux secures the httpd server via flexible mandatory access +control. +.SH FILE_CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +Policy governs the access daemons have to these files. +SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible. +.PP +The following file contexts types are defined for httpd: +.EX +httpd_sys_content_t +.EE +- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access. +.EX +httpd_sys_script_exec_t +.EE +- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. +.EX +httpd_sys_content_rw_t +.EE +- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access. +.EX +httpd_sys_content_ra_t +.EE +- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access. +.EX +httpd_unconfined_script_exec_t +.EE +- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd. + +.SH NOTE +With certain policies you can define additional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts. 
+ +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute: + +.EX +setsebool -P allow_httpd_anon_write=1 +.EE + +or + +.EX +setsebool -P allow_httpd_sys_script_anon_write=1 +.EE + +.SH BOOLEANS +SELinux policy is customizable based on least access required. SElinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. +.PP +httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this + +.EX +setsebool -P httpd_enable_cgi 1 +.EE + +.PP +SELinux policy for httpd can be setup to not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir. + +.EX +setsebool -P httpd_enable_homedirs 1 +chcon -R -t httpd_sys_content_t ~user/public_html +.EE + +.PP +SELinux policy for httpd can be setup to not allow access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access. + +.EX +setsebool -P httpd_tty_comm 1 +.EE + +.PP +httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute. 
Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another. + +.EX +setsebool -P httpd_unified 0 +.EE + +.PP +SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean. + +.EX +setsebool -P httpd_can_sendmail 1 +.PP +httpd can be configured to turn off internal scripting (PHP). PHP and other +loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts. + +.EX +setsebool -P httpd_builtin_scripting 0 +.EE + +.PP +SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network. +This would prevent a hacker from breaking into you httpd server and attacking +other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on. + +.EX +setsebool -P httpd_can_network_connect 1 +.EE + +.PP +system-config-selinux is a GUI tool available to customize SELinux policy settings. +.SH AUTHOR +This manual page was written by Dan Walsh <dwalsh@redhat.com>. + +.SH "SEE ALSO" +selinux(8), httpd(8), chcon(1), setsebool(8) + + diff --git a/man/man8/kerberos_selinux.8 b/man/man8/kerberos_selinux.8 new file mode 100644 index 0000000..a8f81c8 --- /dev/null +++ b/man/man8/kerberos_selinux.8 
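Review bot: the httpd_can_sendmail example is never closed: the `.EX` before `setsebool -P httpd_can_sendmail 1` is followed directly by `.PP` with no `.EE`, so everything from that point to the end of the page renders in no-fill constant-width mode. Add the missing `.EE`. In the same paragraph the prose calls the boolean "httpd_send_mail" while the command sets httpd_can_sendmail; use the real name in both places. Typos in this hunk: "SELinu policy", "vulnerabiltiy", "I certain situations", "greater access to the system then is needed" (than) and "breaking into you httpd server" (your).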
@@ -0,0 +1,28 @@ +.TH "kerberos_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation" +.de EX +.nf +.ft CW +.. +.de EE +.ft R +.fi +.. +.SH "NAME" +kerberos_selinux \- Security Enhanced Linux Policy for Kerberos. +.SH "DESCRIPTION" + +Security-Enhanced Linux secures the system via flexible mandatory access +control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network. +.SH BOOLEANS +.PP +You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment. +.EX +setsebool -P allow_kerberos 1 +.EE +.PP +system-config-selinux is a GUI tool available to customize SELinux policy settings. +.SH AUTHOR +This manual page was written by Dan Walsh <dwalsh@redhat.com>. + +.SH "SEE ALSO" +selinux(8), kerberos(1), chcon(1), setsebool(8) diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8 new file mode 100644 index 0000000..4dab2e2 --- /dev/null +++ b/man/man8/named_selinux.8 
@@ -0,0 +1,30 @@ +.TH "named_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "named Selinux Policy documentation" +.de EX +.nf +.ft CW +.. +.de EE +.ft R +.fi +.. +.SH "NAME" +named_selinux \- Security Enhanced Linux Policy for the Internet Name server (named) daemon +.SH "DESCRIPTION" + +Security-Enhanced Linux secures the named server via flexible mandatory access +control. +.SH BOOLEANS +SELinux policy is customizable based on least access required. So by +default SElinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean. +.EX +setsebool -P named_write_master_zones 1 +.EE +.PP +system-config-selinux is a GUI tool available to customize SELinux policy settings. +.SH AUTHOR +This manual page was written by Dan Walsh <dwalsh@redhat.com>. + +.SH "SEE ALSO" +selinux(8), named(8), chcon(1), setsebool(8) + + diff --git a/man/man8/nfs_selinux.8 b/man/man8/nfs_selinux.8 new file mode 100644 index 0000000..8e30c4c --- /dev/null +++ b/man/man8/nfs_selinux.8 
@@ -0,0 +1,31 @@ +.TH "nfs_selinux" "8" "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation" +.SH "NAME" +nfs_selinux \- Security Enhanced Linux Policy for NFS +.SH "DESCRIPTION" + +Security Enhanced Linux secures the NFS server via flexible mandatory access +control. +.SH BOOLEANS +SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on: + +.TP +setsebool -P nfs_export_all_ro 1 +.TP +If you want to share files read/write you must set the nfs_export_all_rw boolean. +.TP +setsebool -P nfs_export_all_rw 1 + +.TP +These booleans are not required when files to be shared are labeled with the public_content_t or public_content_rw_t types. NFS can share files labeled with the public_content_t or public_content_rw_t types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off. + +.TP +If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean: +.TP +setsebool -P use_nfs_home_dirs 1 +.TP +system-config-selinux is a GUI tool available to customize SELinux policy settings. +.SH AUTHOR +This manual page was written by Dan Walsh <dwalsh@redhat.com>. + +.SH "SEE ALSO" +selinux(8), chcon(1), setsebool(8) diff --git a/man/man8/nis_selinux.8 b/man/man8/nis_selinux.8 new file mode 100644 index 0000000..6271c95 --- /dev/null +++ b/man/man8/nis_selinux.8 @@ -0,0 +1 @@ +.so man8/ypbind_selinux.8 diff --git a/man/man8/rsync_selinux.8 b/man/man8/rsync_selinux.8 new file mode 100644 index 0000000..ad9ccf5 --- /dev/null +++ b/man/man8/rsync_selinux.8 
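Review bot: nfs_selinux.8 separates each setsebool command with `.TP`, but `.TP` begins a tagged paragraph, so every line that follows one (`setsebool -P nfs_export_all_ro 1`, the prose sentences, the system-config-selinux line) is rendered as a hanging tag rather than as example text; this page also defines no EX/EE macros. Either add the `.de EX`/`.de EE` block that httpd_selinux.8 carries and wrap the three commands in `.EX`/`.EE`, or separate the prose with `.PP`. The nis_selinux.8 `.so man8/ypbind_selinux.8` stub is fine.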
@@ -0,0 +1,52 @@ +.TH "rsync_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation" +.de EX +.nf +.ft CW +.. +.de EE +.ft R +.fi +.. +.SH "NAME" +rsync_selinux \- Security Enhanced Linux Policy for the rsync daemon +.SH "DESCRIPTION" + +Security-Enhanced Linux secures the rsync server via flexible mandatory access +control. +.SH FILE_CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +Policy governs the access daemons have to these files. +If you want to share files using the rsync daemon, you must label the files and directories public_content_t. So if you created a special directory /var/rsync, you +would need to label the directory with the chcon tool. +.TP +chcon -t public_content_t /var/rsync +.TP +.TP +To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration: +.TP +semanage fcontext -a -t public_content_t "/var/rsync(/.*)?" +.TP +This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local: +.TP +/var/rsync(/.*)? system_u:object_r:publix_content_t:s0 +.TP +Run the restorecon command to apply the changes: +.TP +restorecon -R -v /var/rsync/ +.EE + +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for rsync you would execute: + +.EX +setsebool -P allow_rsync_anon_write=1 +.EE + +.SH BOOLEANS +.TP +system-config-selinux is a GUI tool available to customize SELinux policy settings. +.SH AUTHOR +This manual page was written by Dan Walsh <dwalsh@redhat.com>. + +.SH "SEE ALSO" +selinux(8), rsync(1), chcon(1), setsebool(8), semanage(8) 
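Review bot: the sample file_contexts.local entry `/var/rsync(/.*)? system_u:object_r:publix_content_t:s0` misspells the type; it must read public_content_t to match the `semanage fcontext -a -t public_content_t` command above it, otherwise anyone copying the line ends up with a context that does not exist in policy. Structurally, the FILE_CONTEXTS section ends with `.EE` although it never opened an `.EX` (the commands are separated with `.TP`, including a doubled `.TP .TP`), and the BOOLEANS section consists of a stray `.TP` before the system-config-selinux sentence. Wrap the commands in `.EX`/`.EE` as the SHARING FILES section of the same page already does.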
diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8 new file mode 100644 index 0000000..14498e1 --- /dev/null +++ b/man/man8/samba_selinux.8 
@@ -0,0 +1,56 @@ +.TH "samba_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation" +.SH "NAME" +samba_selinux \- Security Enhanced Linux Policy for Samba +.SH "DESCRIPTION" + +Security-Enhanced Linux secures the Samba server via flexible mandatory access +control. +.SH FILE_CONTEXTS +SELinux requires files to have an extended attribute to define the file type. +Policy governs the access daemons have to these files. +If you want to share files other than home directories, those files must be +labeled samba_share_t. So if you created a special directory /var/eng, you +would need to label the directory with the chcon tool. +.TP +chcon -t samba_share_t /var/eng +.TP +To make this change permanent (survive a relabel), use the semanage command to add the change to file context configuration: +.TP +semanage fcontext -a -t samba_share_t "/var/eng(/.*)?" +.TP +This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local: +.TP +/var/eng(/.*)? system_u:object_r:samba_share_t:s0 +.TP +Run the restorecon command to apply the changes: +.TP +restorecon -R -v /var/eng/ + +.SH SHARING FILES +If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for samba you would execute: + +setsebool -P allow_smbd_anon_write=1 + +.SH BOOLEANS +.br +SELinux policy is customizable based on least access required. So by +default SElinux policy turns off SELinux sharing of home directories and +the use of Samba shares from a remote machine as a home directory. +.TP +If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean. 
+.br + +setsebool -P samba_enable_home_dirs 1 +.TP +If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean. +.br + +setsebool -P use_samba_home_dirs 1 +.TP +system-config-selinux is a GUI tool available to customize SELinux policy settings. + +.SH AUTHOR +This manual page was written by Dan Walsh <dwalsh@redhat.com>. + +.SH "SEE ALSO" +selinux(8), samba(7), chcon(1), setsebool(8), semanage(8) diff --git a/man/man8/ypbind_selinux.8 b/man/man8/ypbind_selinux.8 new file mode 100644 index 0000000..5061a5f --- /dev/null +++ b/man/man8/ypbind_selinux.8 @@ -0,0 +1,19 @@ +.TH "ypbind_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation" +.SH "NAME" +ypbind_selinux \- Security Enhanced Linux Policy for NIS. +.SH "DESCRIPTION" + +Security-Enhanced Linux secures the system via flexible mandatory access +control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network. +.SH BOOLEANS +.TP +You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment. +.TP +setsebool -P allow_ypbind 1 +.TP +system-config-selinux is a GUI tool available to customize SELinux policy settings. +.SH AUTHOR +This manual page was written by Dan Walsh <dwalsh@redhat.com>. + +.SH "SEE ALSO" +selinux(8), ypbind(8), chcon(1), setsebool(8) diff --git a/man/ru/man8/ftpd_selinux.8 b/man/ru/man8/ftpd_selinux.8 new file mode 100644 index 0000000..efa915e --- /dev/null +++ b/man/ru/man8/ftpd_selinux.8 
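Review bot: in samba_selinux.8 the command `setsebool -P allow_smbd_anon_write=1` sits in plain filled text with no `.EX`/`.EE` (the page defines no such macros), and under BOOLEANS each setsebool line follows a `.TP`, a `.br` and a blank line, so the blank line becomes the paragraph tag and the command a separate paragraph. Define EX/EE as httpd_selinux.8 does and wrap the four commands. Consider `chcon -R -t samba_share_t /var/eng` as well: the `restorecon -R -v /var/eng/` that follows is recursive while the chcon is not.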
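Review bot: "SELinux can be setup deny NIS from working" in the ypbind_selinux.8 DESCRIPTION is missing "to" (setup to deny), and, as in nfs_selinux.8, `setsebool -P allow_ypbind 1` is separated with `.TP` instead of being placed in an example block.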
@@ -0,0 +1,57 @@ +.TH "ftpd_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "ftpd Selinux Policy documentation" +.SH "НАЗВАНИЕ" +ftpd_selinux \- Политика Security Enhanced Linux для демона ftp +.SH "ОПИСАНИЕ" + +Security-Enhanced Linux обеспечивает защиту сервера ftpd при помощи гибко настраиваемого мандатного контроля доступа. +.SH КОНТЕКСТ ФАЙЛОВ +SELinux требует наличия у файлов расширенных атрибутов, определяющих тип файла. +Политика управляет видом доступа демона к этим файлам. Если вы хотите организовать анонимный +доступ к файлам, вы должны присвоить этим файлам и директориям контекст public_content_t. +Таким образом, если вы создаете специальную директорию /var/ftp, то вам необходимо установить контекст для этой директории при помощи утилиты chcon. +.TP +chcon -R -t public_content_t /var/ftp +.TP +Если вы хотите задать директорию, в которую вы собираетесь загружать файлы, то вы должны +установить контекст ftpd_anon_rw_t. Таким образом, если вы создаете специальную директорию /var/ftp/incoming, то вам необходимо установить контекст для этой директории при помощи утилиты chcon. +.TP +chcon -t public_content_rw_t /var/ftp/incoming +.TP +Вы также должны включить переключатель allow_ftpd_anon_write. +.TP +setsebool -P allow_ftpd_anon_write=1 +.TP +Если вы хотите сделать эти изменения постоянными, иными словами, чтобы данный контекст сохранялся +при обновлении контекстов, вы должны добавить записи в файл file_contexts.local. +.TP +/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local +.br +/var/ftp(/.*)? system_u:object_r:public_content_t +/var/ftp/incoming(/.*)? system_u:object_r:public_content_rw_t + +.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS) +Политика SELinux для демона ftp настроена исходя из принципа наименьших привелегий. Таким +образом, по умолчанию политика SELinux не позволяет пользователям заходить на сервер и +читать содержимое их домашних директорий. 
+.br +Если вы настраиваете данную машину как ftpd-сервер и хотите, чтобы пользователи могли получать +доступ к своим домашним директориям, то вам необходимо установить переключатель ftp_home_dir. +.TP +setsebool -P ftp_home_dir 1 +.TP +ftpd может функционировать как самостоятельный демон, а также как часть домена xinetd. Если вы +хотите, чтобы ftpd работал как демон, вы должны установить переключатель ftpd_is_daemon. +.TP +setsebool -P ftpd_is_daemon 1 +.br +service vsftpd restart +.TP +Для управления настройками SELinux существует графическая утилита system-config-selinux. +.SH АВТОРЫ +Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>. +Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г. + +.SH "СМОТРИ ТАКЖЕ" +selinux(8), ftpd(8), chcon(1), setsebool(8) + + diff --git a/man/ru/man8/httpd_selinux.8 b/man/ru/man8/httpd_selinux.8 new file mode 100644 index 0000000..a653b7d --- /dev/null +++ b/man/ru/man8/httpd_selinux.8 
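Review bot: in the Russian ftpd page the prose tells the reader to set the ftpd_anon_rw_t context on the upload directory, but the command that follows is `chcon -t public_content_rw_t /var/ftp/incoming`; the two must name the same type. The file_contexts.local entries (`/var/ftp(/.*)? system_u:object_r:public_content_t`) lack the `:s0` level that the English rsync and samba pages in this patch include, and the page instructs a manual edit of file_contexts.local where those pages use `semanage fcontext -a`. Typo: "привелегий" should be "привилегий".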
@@ -0,0 +1,137 @@ +.TH "httpd_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation" +.de EX +.nf +.ft CW +.. +.de EE +.ft R +.fi +.. +.SH "НАЗВАНИЕ" +httpd_selinux \- Политика Security Enhanced Linux для демона httpd +.SH "ОПИСАНИЕ" + +Security-Enhanced Linux обеспечивает защиту сервера httpd при помощи гибко настраиваемого мандатного контроля доступа. +.SH КОНТЕКСТ ФАЙЛОВ +SELinux требует наличия у файлов расширенных атрибутов, определяющих тип файла. +Политика управляет видом доступа демона к этим файлам. +Политика SELinux для демона httpd позволяет пользователям настроить web-службы максимально безопасным методом с высокой степенью гибкости. +.PP +Для httpd определены следующие контексты файлов: +.EX +httpd_sys_content_t +.EE +- Установите контекст httpd_sys_content_t для содержимого, которое должно быть доступно для всех скриптов httpd и для самого демона. +.EX +httpd_sys_script_exec_t +.EE +- Установите контекст httpd_sys_script_exec_t для cgi-скриптов, чтобы разрешить им доступ ко всем sys-типам. +.EX +httpd_sys_script_ro_t +.EE +- Установите на файлы контекст httpd_sys_script_ro_t если вы хотите, чтобы скрипты httpd_sys_script_exec_t могли читать данные, и при этом нужно запретить доступ другим не-sys скриптам. +.EX +httpd_sys_script_rw_t +.EE +- Установите на файлы контекст httpd_sys_script_rw_t если вы хотите, чтобы скрипты httpd_sys_script_exec_t могли читать и писать данные, и при этом нужно запретить доступ другим не-sys скриптам. +.EX +httpd_sys_script_ra_t +.EE +- Установите на файлы контекст httpd_sys_script_ra_t если вы хотите, чтобы скрипты httpd_sys_script_exec_t могли читать и добавлять данные, и при этом нужно запретить доступ другим не-sys скриптам. +.EX +httpd_unconfined_script_exec_t +.EE +- Установите на cgi-скрипты контекст httpd_unconfined_script_exec_t если вы хотите разрешить +им исполняться без какой-либо защиты SELinux. 
Такой способ должен использоваться только для +скриптов с очень комплексными требованиями, и только в случае, если все остальные варианты настройки не дали результата. Лучше использовать скрипты с контекстом httpd_unconfined_script_exec_t, чем выключать защиту SELinux для httpd. + +.SH ЗАМЕЧАНИЕ +Вместе с некоторыми политиками, вы можете определить дополнительные контексты файлов, основанные +на ролях, таких как user или staff. Может быть определен контекст httpd_user_script_exec_t, который будет иметь доступ только к "пользовательским" контекстам. + +.SH СОВМЕСТНОЕ ВЛАДЕНИЕ ФАЙЛАМИ +Если вы хотите организовать между несколькими доменами (Apache, FTP, rsync, Samba) совместный +доступ к файлам, то вы можете установить контекст файлов в public_content_t и public_content_rw_t. +Данный контекст позволяет любому из выше перечисленных демонов читать содержимое. +Если вы хотите, чтобы конкретный домен имел право записи в домен public_content_rw_t, вы должны +установить соответствующий переключатель allow_ДОМЕН_anon_write. Таким образом, для httpd вы должны выполнить команду: + +.EX +setsebool -P allow_httpd_anon_write=1 +.EE + +или + +.EX +setsebool -P allow_httpd_sys_script_anon_write=1 +.EE + +.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS) +Политика SELinux настроена исходя из принципа наименьших привилегий. Таким образом, +по умолчанию SELinux препятствует работе некоторых http-скриптов. Политика httpd весьма +гибка, и существующие переключатели управляют политикой, позволяя httpd выполняться +с наименее возможными правами доступа. +.PP +Если вы хотите, чтобы httpd мог исполнять cgi-скрипты, установите переключатель httpd_enable_cgi +.EX +setsebool -P httpd_enable_cgi 1 +.EE + +.PP +По умолчанию демону httpd не разрешен доступ в домашние дерикториии пользователей. Если вы хотите разрешить доступ, вам необходимо установить переключатель httpd_enable_homedirs и изменить контекст +тех файлов в домашних директориях пользователей, к которым должен быть разрешен доступ. 
+ +.EX +setsebool -P httpd_enable_homedirs 1 +chcon -R -t httpd_sys_content_t ~user/public_html +.EE + +.PP +По умолчанию демон httpd не имеет доступ к управляющему терминалу. В большинстве случаев такое +поведение является предпочтительным. Это связанно с тем, что злоумышленник может попытаться +использовать доступ к терминалу для получения привилегий. Однако, в некоторых ситуациях демон +httpd должен выводить запрос пароля для открытия файла сертификата и в таких случаях нужен доступ +к терминалу. Для того, чтобы разрешить доступ к терминалу, установите переключатель httpd_tty_comm. +.EX +setsebool -P httpd_tty_comm 1 +.EE + +.PP +httpd может быть настроен так, чтобы не разграничивать тип доступа к файлу на основании контекста. +Иными словами, ко всем файлам, имеющим контекст httpd разрешен доступ на чтение/запись/исполнение. +Установка этого переключателя в false, позволяет настроить политику безопасности таким образом, +что одина служба httpd не конфликтует с другой. +.EX +setsebool -P httpd_unified 0 +.EE + +.PP +Имеется возможность настроить httpd таким образом, чтобы отключить встроенную поддержку +скриптов (PHP). PHP и другие загружаемые модули работают в том же контексте, что и httpd. +Таким образом, если используются только внешние cgi-скрипты, некоторые из правил политики +разрешают httpd больший доступ к системе, чем необходимо. + +.EX +setsebool -P httpd_builtin_scripting 0 +.EE + +.PP +По умолчанию httpd-скриптам запрещено устанавливать внешние сетевые подключения. +Это не позволит хакеру, взломавшему ваш httpd-сервер, атаковать другие машины. +Если вашим скриптам необходимо иметь возможность подключения, установите переключатель +httpd_can_network_connect + +.EX +setsebool -P httpd_can_network_connect 1 +.EE + +.PP +Для управления настройками SELinux существует графическая утилита system-config-selinux. +.SH АВТОРЫ +Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>. +Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г. 
+ +.SH "СМОТРИ ТАКЖЕ" +selinux(8), httpd(8), chcon(1), setsebool(8) + + diff --git a/man/ru/man8/kerberos_selinux.8 b/man/ru/man8/kerberos_selinux.8 new file mode 100644 index 0000000..9f546dc --- /dev/null +++ b/man/ru/man8/kerberos_selinux.8 @@ -0,0 +1,30 @@ +.TH "kerberos_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "kerberos Selinux Policy documentation" +.de EX +.nf +.ft CW +.. +.de EE +.ft R +.fi +.. +.SH "НАЗВАНИЕ" +kerberos_selinux \- Политика Security Enhanced Linux для Kerberos. +.SH "ОПИСАНИЕ" + +Security-Enhanced Linux защищает систему при помощи гибко настраиваемого мандатного контроля доступа. По умолчанию Kerberos запрещен, поскольку требуется функционирование демонов, +которым предоставляется слишком обширный доступ к сети и некоторым чувствительным в плане безопасности файлам. + +.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS) +.PP +Для того, чтобы система могла корректно работать в окружении Kerberos, вы должны установить переключатель allow_kerberos. +.EX +setsebool -P allow_kerberos 1 +.EE +.PP +Для управления настройками SELinux существует графическая утилита system-config-selinux. +.SH АВТОРЫ +Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>. +Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г. + +.SH "СМОТРИ ТАКЖЕ" +selinux(8), kerberos(1), chcon(1), setsebool(8) diff --git a/man/ru/man8/named_selinux.8 b/man/ru/man8/named_selinux.8 new file mode 100644 index 0000000..9818f79 --- /dev/null +++ b/man/ru/man8/named_selinux.8 
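Review bot: the Russian httpd page lists the types httpd_sys_script_ro_t, httpd_sys_script_rw_t and httpd_sys_script_ra_t, which do not match the httpd_sys_content_rw_t and httpd_sys_content_ra_t documented in man/man8/httpd_selinux.8 added by this same patch; the translation appears to track an older revision and should be reconciled with the English page before both ship. Typo: "дерикториии" should be "директории".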
@@ -0,0 +1,31 @@ +.TH "named_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "named Selinux Policy documentation" +.de EX +.nf +.ft CW +.. +.de EE +.ft R +.fi +.. +.SH "НАЗВАНИЕ" +named_selinux \- Политика Security Enhanced Linux для демона Internet Name server (named) +.SH "ОПИСАНИЕ" + +Security-Enhanced Linux обеспечивает защиту сервера named при помощи гибко настраиваемого мандатного контроля доступа. +.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS) +Политика SELinux настраивается исходя из принципа наименьших привилегий. Таким образом, +по умолчанию политика SELinux не позволяет демону named осуществлять изменения файлов мастер-зоны. +Если вам необходимо, чтобы named мог обновлять файлы мастер-зоны, вы должны установить переключатель named_write_master_zones boolean. +.EX +setsebool -P named_write_master_zones 1 +.EE +.PP +Для управления настройками SELinux существует графическая утилита system-config-selinux. +.SH АВТОРЫ +Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>. +Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г. + +.SH "СМОТРИ ТАКЖЕ" +selinux(8), named(8), chcon(1), setsebool(8) + + diff --git a/man/ru/man8/nfs_selinux.8 b/man/ru/man8/nfs_selinux.8 new file mode 100644 index 0000000..525513f --- /dev/null +++ b/man/ru/man8/nfs_selinux.8 
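Review bot: "переключатель named_write_master_zones boolean" in the Russian named page carries a leftover English word; drop "boolean" so the sentence names only the boolean.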
@@ -0,0 +1,33 @@ +.TH "nfs_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "nfs Selinux Policy documentation" +.SH "НАЗВАНИЕ" +nfs_selinux \- Политика Security Enhanced Linux для NFS +.SH "ОПИСАНИЕ" + +Security-Enhanced Linux защищает сервер nfs при помощи гибко настраиваемого мандатного контроля доступа. +.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS) +Политика SELinux настраивается исходя из принципа наименьших привилегий. Таким образом, +по умолчанию политика SELinux не позволяет предоставлять доступ к файлам по nfs. Если вы хотите +разрешить доступ только на чтение к файлам этой машины по nfs, вы должны установить переключатель +nfs_export_all_ro. + +.TP +setsebool -P nfs_export_all_ro 1 +.TP +Если вы хотите разрешить доступ на чтение/запись, вы должны установить переключатель nfs_export_all_rw. +.TP +setsebool -P nfs_export_all_rw 1 + +.TP +Если вы хотите использовать удаленный NFS сервер для хранения домашних директорий этой машины, +то вы должны установить переключатель use_nfs_home_dir boolean. +.TP +setsebool -P use_nfs_home_dirs 1 +.TP +Для управления настройками SELinux существует графическая утилита +system-config-selinux. +.SH АВТОРЫ +Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>. +Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г. + +.SH "СМОТРИ ТАКЖЕ" +selinux(8), chcon(1), setsebool(8) diff --git a/man/ru/man8/rsync_selinux.8 b/man/ru/man8/rsync_selinux.8 new file mode 100644 index 0000000..7b60605 --- /dev/null +++ b/man/ru/man8/rsync_selinux.8 
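Review bot: in the Russian nfs page the prose names the boolean "use_nfs_home_dir boolean" while the command sets use_nfs_home_dirs; use the real name and drop the stray "boolean". The page also omits the English page's statement that files labeled public_content_t or public_content_rw_t are exported even with nfs_export_all_ro and nfs_export_all_rw off, and its `.TH` date (17 Янв 2005) differs from the English page's 9 Feb 2009, so the two pages are out of sync.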
@@ -0,0 +1,50 @@ +.TH "rsync_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "rsync Selinux Policy documentation" +.de EX +.nf +.ft CW +.. +.de EE +.ft R +.fi +.. +.SH "НАЗВАНИЕ" +rsync_selinux \- Политика Security Enhanced Linux для демона rsync +.SH "ОПИСАНИЕ" + +Security-Enhanced Linux обеспечивает защиту сервера rsync при помощи гибко настраиваемого мандатного контроля доступа. +.SH КОНТЕКСТ ФАЙЛОВ +SELinux требует наличия у файлов расширенных атрибутов, определяющих тип файла. +Политика управляет видом доступа демона к этим файлам. Если вы хотите предоставить доступ к файлам +при помощи демона rsync, вы должны присвоить этим файлам и директориям контекст +public_content_t. Таким образом, если вы создаете специальную директорию /var/rsync, то вам +необходимо установить контекст для этой директории при помощи утилиты chcon. +.TP +chcon -t public_content_t /var/rsync +.TP +Если вы хотите сделать эти изменения постоянными, иными словами, чтобы данный контекст сохранялся +при обновлении контекстов, вы должны добавить записи в файл file_contexts.local. +.EX +/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local +/var/rsync(/.*)? system_u:object_r:public_content_t +.EE + +.SH СОВМЕСТНОЕ ВЛАДЕНИЕ ФАЙЛАМИ +Если вы хотите организовать между несколькими доменами (Apache, FTP, rsync, Samba) совместный +доступ к файлам, то вы можете установить контекст файлов в public_content_t и public_content_rw_t. +Данный контекст позволяет любому из выше перечисленных демонов читать содержимое. +Если вы хотите, чтобы конкретный домен имел право записи в домен public_content_rw_t, вы должны +установить соответствующий переключатель allow_ДОМЕН_anon_write. Таким образом, для rsync вы должны выполнить команду: + +.EX +setsebool -P allow_rsync_anon_write=1 +.EE + +.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS) +.TP +Для управления настройками SELinux существует графическая утилита system-config-selinux. +.SH АВТОРЫ +Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>. 
+Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г. + +.SH "СМОТРИ ТАКЖЕ" +selinux(8), rsync(1), chcon(1), setsebool(8) diff --git a/man/ru/man8/samba_selinux.8 b/man/ru/man8/samba_selinux.8 new file mode 100644 index 0000000..9a16863 --- /dev/null +++ b/man/ru/man8/samba_selinux.8 
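Review bot: the Russian rsync page still documents editing /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local by hand, whereas the English rsync_selinux.8 in this patch uses `semanage fcontext -a -t public_content_t "/var/rsync(/.*)?"` followed by `restorecon -R -v /var/rsync/`; its sample entry also lacks the `:s0` suffix. Bring the translation in line with the English page and remove the empty `.TP` under ПЕРЕКЛЮЧАТЕЛИ.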
@@ -0,0 +1,60 @@ +.TH "samba_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "Samba Selinux Policy documentation" +.SH "НАЗВАНИЕ" +samba_selinux \- Политика Security Enhanced Linux для Samba +.SH "ОПИСАНИЕ" + +Security-Enhanced Linux обеспечивает защиту сервера Samba при помощи гибко настраиваемого мандатного контроля доступа. +.SH КОНТЕКСТ ФАЙЛОВ +SELinux требует наличия у файлов расширенных атрибутов, определяющих тип файла. +Политика управляет видом доступа демона к этим файлам. +Если вы хотите предоставить доступ к файлам вовне домашних директорий, этим файлам необходимо +присвоить контекст samba_share_t. +Таким образом, если вы создаете специальную директорию /var/eng, то вам необходимо +установить контекст для этой директории при помощи утилиты chcon. +.TP +chcon -t samba_share_t /var/eng +.TP + +Если вы хотите сделать эти изменения постоянными, иными словами, чтобы данный контекст сохранялся +при обновлении контекстов, вы должны добавить записи в файл file_contexts.local. +.TP +/etc/selinux/POLICYTYPE/contexts/files/file_contexts.local +.br +/var/eng(/.*)? system_u:object_r:samba_share_t + +.SH СОВМЕСТНОЕ ВЛАДЕНИЕ ФАЙЛАМИ +Если вы хотите организовать между несколькими доменами (Apache, FTP, rsync, Samba) совместный +доступ к файлам, то вы можете установить контекст файлов в public_content_t и public_content_rw_t. +Данный контекст позволяет любому из выше перечисленных демонов читать содержимое. +Если вы хотите, чтобы конкретный домен имел право записи в домен public_content_rw_t, вы должны +установить соответствующий переключатель allow_ДОМЕН_anon_write. Таким образом, для samba вы должны выполнить команду: + +setsebool -P allow_smbd_anon_write=1 + +.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS) +.br +Политика SELinux настраивается исходя из принципа наименьших привилегий. +Таким образом, по умолчанию политика SELinux не позволяет предоставлять удаленный доступ +к домашним директориям и не позволяет использовать удаленный сервер Samba для хранения +домашних директорий. 
+.TP +Если вы настроили эту машину как сервер Samba и желаете предоставить доступ к домашним +директориям, вы должны установить переключатель samba_enable_home_dirs. +.br + +setsebool -P samba_enable_home_dirs 1 +.TP +Если вы хотите для хранения домашних директорий пользователей этой машины использовать удаленный +сервер Samba, вы должны установить переключатель use_samba_home_dirs. +.br + +setsebool -P use_samba_home_dirs 1 +.TP +Для управления настройками SELinux существует графическая утилита system-config-selinux. + +.SH АВТОРЫ +Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>. +Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г. + +.SH "СМОТРИ ТАКЖЕ" +selinux(8), samba(7), chcon(1), setsebool(8) diff --git a/man/ru/man8/ypbind_selinux.8 b/man/ru/man8/ypbind_selinux.8 new file mode 100644 index 0000000..a6c084a --- /dev/null +++ b/man/ru/man8/ypbind_selinux.8 @@ -0,0 +1,19 @@ +.TH "ypbind_selinux" "8" "17 Янв 2005" "dwalsh@redhat.com" "ypbind Selinux Policy documentation" +.SH "НАЗВАНИЕ" +ypbind_selinux \- Политика Security Enhanced Linux для NIS. +.SH "ОПИСАНИЕ" + +Security-Enhanced Linux защищает систему при помощи гибко настраиваемого мандатного контроля доступа. По умолчанию работа NIS запрещена. Это является следствием того, что демоны NIS требуют слишком обширного доступа к сети. +.SH ПЕРЕКЛЮЧАТЕЛИ (BOOLEANS) +.TP +Для того, чтобы система могла работать в окружении NIS, вы должны установить переключатель allow_ypbind. +.TP +setsebool -P allow_ypbind 1 +.TP +Для управления настройками SELinux существует графическая утилита system-config-selinux. +.SH АВТОРЫ +Эту страницу руководства написал Dan Walsh <dwalsh@redhat.com>. +Перевод руководства - Андрей Маркелов <andrey@markelov.net>, 2007г. + +.SH "СМОТРИ ТАКЖЕ" +selinux(8), ypbind(8), chcon(1), setsebool(8) diff --git a/policy/constraints b/policy/constraints new file mode 100644 index 0000000..155883b --- /dev/null +++ b/policy/constraints 
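Review bot: as with the Russian rsync page, the samba translation still instructs a manual edit of file_contexts.local (entry without `:s0`) where the English samba_selinux.8 uses `semanage fcontext -a -t samba_share_t "/var/eng(/.*)?"` and restorecon, and `setsebool -P allow_smbd_anon_write=1` is again plain filled text rather than an example block; the `.TP`/`.br`/blank-line sequence before each setsebool under ПЕРЕКЛЮЧАТЕЛИ has the same rendering problem as the English page.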
@@ -0,0 +1,245 @@ + +# +# Define the constraints +# +# constrain class_set perm_set expression ; +# +# expression : ( expression ) +# | not expression +# | expression and expression +# | expression or expression +# | u1 op u2 +# | r1 role_op r2 +# | t1 op t2 +# | u1 op names +# | u2 op names +# | r1 op names +# | r2 op names +# | t1 op names +# | t2 op names +# +# op : == | != +# role_op : == | != | eq | dom | domby | incomp +# +# names : name | { name_list } +# name_list : name | name_list name +# + +define(`basic_ubac_conditions',` + ifdef(`enable_ubac',` + u1 == u2 + or u1 == system_u + or u2 == system_u + or t1 != ubac_constrained_type + or t2 != ubac_constrained_type + ') +') + +define(`basic_ubac_constraint',` + ifdef(`enable_ubac',` + constrain $1 all_$1_perms + ( + basic_ubac_conditions + ); + ') +') + +define(`exempted_ubac_constraint',` + ifdef(`enable_ubac',` + constrain $1 all_$1_perms + ( + basic_ubac_conditions + or t1 == $2 + ); + ') +') + +######################################## +# +# File rules +# + +exempted_ubac_constraint(dir, ubacfile) +exempted_ubac_constraint(file, ubacfile) +exempted_ubac_constraint(lnk_file, ubacfile) +exempted_ubac_constraint(fifo_file, ubacfile) +exempted_ubac_constraint(sock_file, ubacfile) +exempted_ubac_constraint(chr_file, ubacfile) +exempted_ubac_constraint(blk_file, ubacfile) + +# SELinux object identity change constraint: +constrain dir_file_class_set { create relabelto relabelfrom } +( + u1 == u2 + or t1 == can_change_object_identity +); + +######################################## +# +# Process rules +# + +ifdef(`enable_ubac',` + constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit } + ( + basic_ubac_conditions + or t1 == ubacproc + ); +') + +constrain process { transition noatsecure siginh rlimitinh } +( + u1 == u2 + or ( t1 == can_change_process_identity and t2 == process_user_target ) + or ( t1 == cron_source_domain 
and ( t2 == cron_job_domain or u2 == system_u ) ) + or ( t1 == can_system_change and u2 == system_u ) + or ( t1 == process_uncond_exempt ) +); + +constrain process { transition noatsecure siginh rlimitinh } +( + r1 == r2 + or ( t1 == can_change_process_role and t2 == process_user_target ) + or ( t1 == cron_source_domain and t2 == cron_job_domain ) + or ( t1 == can_system_change and r2 == system_r ) + or ( t1 == process_uncond_exempt ) +); + +constrain process dyntransition +( + u1 == u2 and r1 == r2 +); + +# These permissions do not have ubac constraints: +# fork +# setexec +# setfscreate +# setcurrent +# execmem +# execstack +# execheap +# setkeycreate +# setsockcreate + +######################################## +# +# File descriptor rules +# + +exempted_ubac_constraint(fd, ubacfd) + +######################################## +# +# Socket rules +# + +exempted_ubac_constraint(socket, ubacsock) +exempted_ubac_constraint(tcp_socket, ubacsock) +exempted_ubac_constraint(udp_socket, ubacsock) +exempted_ubac_constraint(rawip_socket, ubacsock) +exempted_ubac_constraint(netlink_socket, ubacsock) +exempted_ubac_constraint(packet_socket, ubacsock) +exempted_ubac_constraint(key_socket, ubacsock) +exempted_ubac_constraint(unix_stream_socket, ubacsock) +exempted_ubac_constraint(unix_dgram_socket, ubacsock) +exempted_ubac_constraint(netlink_route_socket, ubacsock) +exempted_ubac_constraint(netlink_firewall_socket, ubacsock) +exempted_ubac_constraint(netlink_tcpdiag_socket, ubacsock) +exempted_ubac_constraint(netlink_nflog_socket, ubacsock) +exempted_ubac_constraint(netlink_xfrm_socket, ubacsock) +exempted_ubac_constraint(netlink_selinux_socket, ubacsock) +exempted_ubac_constraint(netlink_audit_socket, ubacsock) +exempted_ubac_constraint(netlink_ip6fw_socket, ubacsock) +exempted_ubac_constraint(netlink_dnrt_socket, ubacsock) +exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock) +exempted_ubac_constraint(appletalk_socket, ubacsock) 
+exempted_ubac_constraint(dccp_socket, ubacsock) + +constrain socket_class_set { create relabelto relabelfrom } +( + u1 == u2 + or t1 == can_change_object_identity +); + +######################################## +# +# SysV IPC rules + +exempted_ubac_constraint(sem, ubacipc) +exempted_ubac_constraint(msg, ubacipc) +exempted_ubac_constraint(msgq, ubacipc) +exempted_ubac_constraint(shm, ubacipc) +exempted_ubac_constraint(ipc, ubacipc) + +######################################## +# +# SE-X Windows rules +# + +exempted_ubac_constraint(x_drawable, ubacxwin) +exempted_ubac_constraint(x_screen, ubacxwin) +exempted_ubac_constraint(x_gc, ubacxwin) +exempted_ubac_constraint(x_font, ubacxwin) +exempted_ubac_constraint(x_colormap, ubacxwin) +exempted_ubac_constraint(x_property, ubacxwin) +exempted_ubac_constraint(x_selection, ubacxwin) +exempted_ubac_constraint(x_cursor, ubacxwin) +exempted_ubac_constraint(x_client, ubacxwin) +exempted_ubac_constraint(x_device, ubacxwin) +exempted_ubac_constraint(x_server, ubacxwin) +exempted_ubac_constraint(x_extension, ubacxwin) +exempted_ubac_constraint(x_resource, ubacxwin) +exempted_ubac_constraint(x_event, ubacxwin) +exempted_ubac_constraint(x_synthetic_event, ubacxwin) +exempted_ubac_constraint(x_application_data, ubacxwin) + +######################################## +# +# D-BUS rules +# + +exempted_ubac_constraint(dbus, ubacdbus) + +######################################## +# +# Key rules +# + +exempted_ubac_constraint(key, ubackey) + +######################################## +# +# Database rules +# + +exempted_ubac_constraint(db_database, ubacdb) +exempted_ubac_constraint(db_table, ubacdb) +exempted_ubac_constraint(db_procedure, ubacdb) +exempted_ubac_constraint(db_column, ubacdb) +exempted_ubac_constraint(db_tuple, ubacdb) +exempted_ubac_constraint(db_blob, ubacdb) + + + +basic_ubac_constraint(association) +basic_ubac_constraint(peer) + + +# these classes have no UBAC restrictions +#class security +#class system +#class capability 
+#class memprotect +#class passwd # userspace +#class node +#class netif +#class packet +#class capability2 +#class nscd # userspace +#class context # userspace + + + +undefine(`basic_ubac_constraint') +undefine(`basic_ubac_conditions') +undefine(`exempted_ubac_constraint') diff --git a/policy/flask/Makefile b/policy/flask/Makefile new file mode 100644 index 0000000..17dc174 --- /dev/null +++ b/policy/flask/Makefile 
@@ -0,0 +1,51 @@ +PYTHON ?= python + +# flask needs to know where to export the libselinux headers. +LIBSELINUX_D ?= ../../libselinux + +# flask needs to know where to export the kernel headers. +LINUX_D ?= ../../../linux-2.6 + +ACCESS_VECTORS_F = access_vectors +INITIAL_SIDS_F = initial_sids +SECURITY_CLASSES_F = security_classes + +USER_D = userspace +KERN_D = kernel + +LIBSELINUX_INCLUDE_H = flask.h av_permissions.h +LIBSELINUX_SOURCE_H = class_to_string.h av_inherit.h common_perm_to_string.h av_perm_to_string.h + +FLASK_H = class_to_string.h flask.h initial_sid_to_string.h +ACCESS_VECTORS_H = av_inherit.h common_perm_to_string.h av_perm_to_string.h av_permissions.h +ALL_H = $(FLASK_H) $(ACCESS_VECTORS_H) + +USER_H = $(addprefix $(USER_D)/, $(ALL_H)) +KERN_H = $(addprefix $(KERN_D)/, $(ALL_H)) + +FLASK_NOWARNINGS = --nowarnings + +all: $(USER_H) $(KERN_H) + +$(USER_H): flask.py $(ACCESS_VECTORS_F) $(INITIAL_SIDS_F) $(SECURITY_CLASSES_F) + mkdir -p $(USER_D) + $(PYTHON) flask.py -a $(ACCESS_VECTORS_F) -i $(INITIAL_SIDS_F) -s $(SECURITY_CLASSES_F) -o $(USER_D) -u $(FLASK_NOWARNINGS) + +$(KERN_H): flask.py $(ACCESS_VECTORS_F) $(INITIAL_SIDS_F) $(SECURITY_CLASSES_F) + mkdir -p $(KERN_D) + $(PYTHON) flask.py -a $(ACCESS_VECTORS_F) -i $(INITIAL_SIDS_F) -s $(SECURITY_CLASSES_F) -o $(KERN_D) -k $(FLASK_NOWARNINGS) + +tolib: all + install -m 644 $(addprefix $(USER_D)/, $(LIBSELINUX_INCLUDE_H)) $(LIBSELINUX_D)/include/selinux + install -m 644 $(addprefix $(USER_D)/, $(LIBSELINUX_SOURCE_H)) $(LIBSELINUX_D)/src + +tokern: all + install -m 644 $(KERN_H) $(LINUX_D)/security/selinux/include + +install: all + +relabel: + +clean: + rm -fr userspace + rm -fr kernel diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors new file mode 100644 index 0000000..6760c95 --- /dev/null +++ b/policy/flask/access_vectors 
@@ -0,0 +1,818 @@ +# +# Define common prefixes for access vectors +# +# common common_name { permission_name ... } + + +# +# Define a common prefix for file access vectors. +# + +common file +{ + ioctl + read + write + create + getattr + setattr + lock + relabelfrom + relabelto + append + unlink + link + rename + execute + swapon + quotaon + mounton +} + + +# +# Define a common prefix for socket access vectors. +# + +common socket +{ +# inherited from file + ioctl + read + write + create + getattr + setattr + lock + relabelfrom + relabelto + append +# socket-specific + bind + connect + listen + accept + getopt + setopt + shutdown + recvfrom + sendto + recv_msg + send_msg + name_bind +} + +# +# Define a common prefix for ipc access vectors. +# + +common ipc +{ + create + destroy + getattr + setattr + read + write + associate + unix_read + unix_write +} + +# +# Define a common prefix for userspace database object access vectors. +# + +common database +{ + create + drop + getattr + setattr + relabelfrom + relabelto +} + +# +# Define a common prefix for pointer and keyboard access vectors. +# + +common x_device +{ + getattr + setattr + use + read + write + getfocus + setfocus + bell + force_cursor + freeze + grab + manage + list_property + get_property + set_property + add + remove + create + destroy +} + +# +# Define the access vectors. +# +# class class_name [ inherits common_name ] { permission_name ... } + + +# +# Define the access vector interpretation for file-related objects. 
+# + +class filesystem +{ + mount + remount + unmount + getattr + relabelfrom + relabelto + transition + associate + quotamod + quotaget +} + +class dir +inherits file +{ + add_name + remove_name + reparent + search + rmdir + open +} + +class file +inherits file +{ + execute_no_trans + entrypoint + execmod + open +} + +class lnk_file +inherits file + +class chr_file +inherits file +{ + execute_no_trans + entrypoint + execmod + open +} + +class blk_file +inherits file +{ + open +} + +class sock_file +inherits file +{ + open +} + +class fifo_file +inherits file +{ + open +} + +class fd +{ + use +} + + +# +# Define the access vector interpretation for network-related objects. +# + +class socket +inherits socket + +class tcp_socket +inherits socket +{ + connectto + newconn + acceptfrom + node_bind + name_connect +} + +class udp_socket +inherits socket +{ + node_bind +} + +class rawip_socket +inherits socket +{ + node_bind +} + +class node +{ + tcp_recv + tcp_send + udp_recv + udp_send + rawip_recv + rawip_send + enforce_dest + dccp_recv + dccp_send + recvfrom + sendto +} + +class netif +{ + tcp_recv + tcp_send + udp_recv + udp_send + rawip_recv + rawip_send + dccp_recv + dccp_send + ingress + egress +} + +class netlink_socket +inherits socket + +class packet_socket +inherits socket + +class key_socket +inherits socket + +class unix_stream_socket +inherits socket +{ + connectto + newconn + acceptfrom +} + +class unix_dgram_socket +inherits socket + +# +# Define the access vector interpretation for process-related objects +# + +class process +{ + fork + transition + sigchld # commonly granted from child to parent + sigkill # cannot be caught or ignored + sigstop # cannot be caught or ignored + signull # for kill(pid, 0) + signal # all other signals + ptrace + getsched + setsched + getsession + getpgid + setpgid + getcap + setcap + share + getattr + setexec + setfscreate + noatsecure + siginh + setrlimit + rlimitinh + dyntransition + setcurrent + execmem + execstack + 
execheap + setkeycreate + setsockcreate +} + + +# +# Define the access vector interpretation for ipc-related objects +# + +class ipc +inherits ipc + +class sem +inherits ipc + +class msgq +inherits ipc +{ + enqueue +} + +class msg +{ + send + receive +} + +class shm +inherits ipc +{ + lock +} + + +# +# Define the access vector interpretation for the security server. +# + +class security +{ + compute_av + compute_create + compute_member + check_context + load_policy + compute_relabel + compute_user + setenforce # was avc_toggle in system class + setbool + setsecparam + setcheckreqprot +} + + +# +# Define the access vector interpretation for system operations. +# + +class system +{ + ipc_info + syslog_read + syslog_mod + syslog_console + module_request +} + +# +# Define the access vector interpretation for controling capabilies +# + +class capability +{ + # The capabilities are defined in include/linux/capability.h + # Capabilities >= 32 are defined in the capability2 class. + # Care should be taken to ensure that these are consistent with + # those definitions. (Order matters) + + chown + dac_override + dac_read_search + fowner + fsetid + kill + setgid + setuid + setpcap + linux_immutable + net_bind_service + net_broadcast + net_admin + net_raw + ipc_lock + ipc_owner + sys_module + sys_rawio + sys_chroot + sys_ptrace + sys_pacct + sys_admin + sys_boot + sys_nice + sys_resource + sys_time + sys_tty_config + mknod + lease + audit_write + audit_control + setfcap +} + +class capability2 +{ + mac_override # unused by SELinux + mac_admin # unused by SELinux +} + +# +# Define the access vector interpretation for controlling +# changes to passwd information. 
+# +class passwd +{ + passwd # change another user passwd + chfn # change another user finger info + chsh # change another user shell + rootok # pam_rootok check (skip auth) + crontab # crontab on another user +} + +# +# SE-X Windows stuff +# +class x_drawable +{ + create + destroy + read + write + blend + getattr + setattr + list_child + add_child + remove_child + list_property + get_property + set_property + manage + override + show + hide + send + receive +} + +class x_screen +{ + getattr + setattr + hide_cursor + show_cursor + saver_getattr + saver_setattr + saver_hide + saver_show +} + +class x_gc +{ + create + destroy + getattr + setattr + use +} + +class x_font +{ + create + destroy + getattr + add_glyph + remove_glyph + use +} + +class x_colormap +{ + create + destroy + read + write + getattr + add_color + remove_color + install + uninstall + use +} + +class x_property +{ + create + destroy + read + write + append + getattr + setattr +} + +class x_selection +{ + read + write + getattr + setattr +} + +class x_cursor +{ + create + destroy + read + write + getattr + setattr + use +} + +class x_client +{ + destroy + getattr + setattr + manage +} + +class x_device +inherits x_device + +class x_server +{ + getattr + setattr + record + debug + grab + manage +} + +class x_extension +{ + query + use +} + +class x_resource +{ + read + write +} + +class x_event +{ + send + receive +} + +class x_synthetic_event +{ + send + receive +} + +# +# Extended Netlink classes +# +class netlink_route_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_firewall_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_tcpdiag_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_nflog_socket +inherits socket + +class netlink_xfrm_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_selinux_socket +inherits socket + +class netlink_audit_socket +inherits socket +{ + nlmsg_read + nlmsg_write + nlmsg_relay 
+ nlmsg_readpriv + nlmsg_tty_audit +} + +class netlink_ip6fw_socket +inherits socket +{ + nlmsg_read + nlmsg_write +} + +class netlink_dnrt_socket +inherits socket + +# Define the access vector interpretation for controlling +# access and communication through the D-BUS messaging +# system. +# +class dbus +{ + acquire_svc + send_msg +} + +# Define the access vector interpretation for controlling +# access through the name service cache daemon (nscd). +# +class nscd +{ + getpwd + getgrp + gethost + getstat + admin + shmempwd + shmemgrp + shmemhost + getserv + shmemserv +} + +# Define the access vector interpretation for controlling +# access to IPSec network data by association +# +class association +{ + sendto + recvfrom + setcontext + polmatch +} + +# Updated Netlink class for KOBJECT_UEVENT family. +class netlink_kobject_uevent_socket +inherits socket + +class appletalk_socket +inherits socket + +class packet +{ + send + recv + relabelto + flow_in # deprecated + flow_out # deprecated + forward_in + forward_out +} + +class key +{ + view + read + write + search + link + setattr + create +} + +class context +{ + translate + contains +} + +class dccp_socket +inherits socket +{ + node_bind + name_connect +} + +class memprotect +{ + mmap_zero +} + +class db_database +inherits database +{ + access + install_module + load_module + get_param # deprecated + set_param # deprecated +} + +class db_table +inherits database +{ + use # deprecated + select + update + insert + delete + lock +} + +class db_procedure +inherits database +{ + execute + entrypoint + install +} + +class db_column +inherits database +{ + use # deprecated + select + update + insert +} + +class db_tuple +{ + relabelfrom + relabelto + use # deprecated + select + update + insert + delete +} + +class db_blob +inherits database +{ + read + write + import + export +} + +# network peer labels +class peer +{ + recv +} + +class x_application_data +{ + paste + paste_after_confirm + copy +} + +class kernel_service 
+{ + use_as_override + create_files_as +} + +class tun_socket +inherits socket + +class x_pointer +inherits x_device + +class x_keyboard +inherits x_device diff --git a/policy/flask/flask.py b/policy/flask/flask.py new file mode 100644 index 0000000..8b4be50 --- /dev/null +++ b/policy/flask/flask.py 
@@ -0,0 +1,536 @@ +#!/usr/bin/python -E +# +# Author(s): Caleb Case <ccase@tresys.com> +# +# Adapted from the bash/awk scripts mkflask.sh and mkaccess_vector.sh +# + +import getopt +import os +import sys +import re + +class ParseError(Exception): + def __init__(self, type, file, line): + self.type = type + self.file = file + self.line = line + def __str__(self): + typeS = self.type + if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type] + return "Parse Error: Unexpected %s on line %d of %s." % (typeS, self.line, self.file) + +class DuplicateError(Exception): + def __init__(self, type, file, line, symbol): + self.type = type + self.file = file + self.line = line + self.symbol = symbol + def __str__(self): + typeS = self.type + if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type] + return "Duplicate Error: Duplicate %s '%s' on line %d of %s." % (typeS, self.symbol, self.line, self.file) + +class UndefinedError(Exception): + def __init__(self, type, file, line, symbol): + self.type = type + self.file = file + self.line = line + self.symbol = symbol + def __str__(self): + typeS = self.type + if type(self.type) is not str: typeS = Flask.CONSTANT_S[self.type] + return "Undefined Error: %s '%s' is not defined but used on line %d of %s." % (typeS, self.symbol, self.line, self.file) + +class UnusedError(Exception): + def __init__(self, info): + self.info = info + def __str__(self): + return "Unused Error: %s" % self.info + +class Flask: + ''' + FLASK container class with utilities for parsing definition + files and creating c header files. + ''' + + #Constants used in definitions parsing. 
+ WHITE = re.compile(r'^\s*$') + COMMENT = re.compile(r'^\s*#') + USERFLAG = re.compile(r'# userspace') + CLASS = re.compile(r'^class (?P<name>\w+)') + COMMON = re.compile(r'^common (?P<name>\w+)') + INHERITS = re.compile(r'^inherits (?P<name>\w+)') + OPENB = re.compile(r'^{') + VECTOR = re.compile(r'^\s*(?P<name>\w+)') + CLOSEB = re.compile(r'^}') + SID = re.compile(r'^sid (?P<name>\w+)') + EOF = "end of file" + + #Constants used in header generation. + USERSPACE = 0 + KERNEL = 1 + + CONSTANT_S = { \ + #parsing constants + WHITE : "whitespace", \ + COMMENT : "comment", \ + USERFLAG : "userspace flag", \ + CLASS : "class definition", \ + COMMON : "common definition", \ + INHERITS : "inherits definition", \ + OPENB : "'{'", \ + VECTOR : "access vector definition", \ + CLOSEB : "'}'", \ + SID : "security identifier", \ + EOF : "end of file", \ + #generation constants + USERSPACE : "userspace mode", \ + KERNEL : "kernel mode", \ + } + + def __init__(self, warn = True): + self.WARN = warn + self.autogen = "/* This file is automatically generated. Do not edit. */\n" + self.commons = [] + self.user_commons = [] + self.common = {} + self.classes = [] + self.vectors = [] + self.vector = {} + self.userspace = {} + self.sids = [] + self.inherits = {} + + def warning(self, msg): + ''' + Prints a warning message out to stderr if warnings are enabled. + ''' + if self.WARN: sys.stderr.write("Warning: %s\n" % msg) + + def parseClasses(self, path): + ''' + Parses security class definitions from the given path. 
+ ''' + classes = [] + input = open(path, 'r') + + number = 0 + for line in input: + number += 1 + m = self.COMMENT.search(line) + if m: continue + + m = self.WHITE.search(line) + if m: continue + + m = self.CLASS.search(line) + if m: + g = m.groupdict() + c = g['name'] + if c in classes: raise DuplicateError, (self.CLASS, path, number, c) + classes.append(c) + if self.USERFLAG.search(line): + self.userspace[c] = True + else: + self.userspace[c] = False + continue + + raise ParseError, ("data. Was expecting either a comment, whitespace, or class definition. ", path, number) + + self.classes = classes + return classes + + def parseSids(self, path): + ''' + Parses initial SID definitions from the given path. + ''' + + sids = [] + input = open(path, 'r') + for line in input: + m = self.COMMENT.search(line) + if m: continue + + m = self.WHITE.search(line) + if m: continue + + m = self.SID.search(line) + if m: + g = m.groupdict() + s = g['name'] + if s in sids: raise DuplicateError, (self.SID, path, number, s) + sids.append(s) + continue + + raise ParseError, ("data. Was expecting either a comment, whitespace, or security identifier. ", path, number) + + self.sids = sids + return sids + + def parseVectors(self, path): + ''' + Parses access vector definitions from the given path. 
+ ''' + vectors = [] + vector = {} + commons = [] + common = {} + inherits = {} + user_commons = {} + input = open(path, 'r') + + # states + NONE = 0 + COMMON = 1 + CLASS = 2 + INHERIT = 3 + OPEN = 4 + + state = NONE + state2 = NONE + number = 0 + for line in input: + number += 1 + m = self.COMMENT.search(line) + if m: continue + + m = self.WHITE.search(line) + if m: + if state == INHERIT: + state = NONE + continue + + m = self.COMMON.search(line) + if m: + if state != NONE: raise ParseError, (self.COMMON, path, number) + g = m.groupdict() + c = g['name'] + if c in commons: raise DuplicateError, (self.COMMON, path, number, c) + commons.append(c) + common[c] = [] + user_commons[c] = True + state = COMMON + continue + + m = self.CLASS.search(line) + if m: + if state != NONE: raise ParseError, (self.CLASS, number) + g = m.groupdict() + c = g['name'] + if c in vectors: raise DuplicateError, (self.CLASS, path, number, c) + if c not in self.classes: raise UndefinedError, (self.CLASS, path, number, c) + vectors.append(c) + vector[c] = [] + state = CLASS + continue + + m = self.INHERITS.search(line) + if m: + if state != CLASS: raise ParseError, (self.INHERITS, number) + g = m.groupdict() + i = g['name'] + if c in inherits: raise DuplicateError, (self.INHERITS, path, number, c) + if i not in common: raise UndefinedError, (self.COMMON, path, number, i) + inherits[c] = i + state = INHERIT + if not self.userspace[c]: user_commons[i] = False + continue + + m = self.OPENB.search(line) + if m: + if (state != CLASS \ + and state != INHERIT \ + and state != COMMON) \ + or state2 != NONE: + raise ParseError, (self.OPENB, path, number) + state2 = OPEN + continue + + m = self.VECTOR.search(line) + if m: + if state2 != OPEN: raise ParseError, (self.VECTOR, path, number) + g = m.groupdict() + v = g['name'] + if state == CLASS or state == INHERIT: + if v in vector[c]: raise DuplicateError, (self.VECTOR, path, number, v) + vector[c].append(v) + elif state == COMMON: + if v in common[c]: 
raise DuplicateError, (self.VECTOR, path, number, v) + common[c].append(v) + continue + + m = self.CLOSEB.search(line) + if m: + if state2 != OPEN: raise ParseError, (self.CLOSEB, path, number) + state = NONE + state2 = NONE + c = None + continue + + raise ParseError, ("data", path, number) + + if state != NONE and state2 != NONE: raise ParseError, (self.EOF, path, number) + + cvdiff = set(self.classes) - set(vectors) + if cvdiff: raise UnusedError, "Not all security classes were used in access vectors: %s" % cvdiff # the inverse of this will be caught as an undefined class error + + self.commons = commons + self.user_commons = user_commons + self.common = common + self.vectors = vectors + self.vector = vector + self.inherits = inherits + return vector + + def createHeaders(self, path, mode = USERSPACE): + ''' + Creates the C header files in the specified MODE and outputs + them to give PATH. + ''' + headers = { \ + 'av_inherit.h' : self.createAvInheritH(mode), \ + 'av_perm_to_string.h' : self.createAvPermToStringH(mode), \ + 'av_permissions.h' : self.createAvPermissionsH(mode), \ + 'class_to_string.h' : self.createClassToStringH(mode), \ + 'common_perm_to_string.h' : self.createCommonPermToStringH(mode), \ + 'flask.h' : self.createFlaskH(mode), \ + 'initial_sid_to_string.h' : self.createInitialSidToStringH(mode) \ + } + + for key, value in headers.items(): + of = open(os.path.join(path, key), 'w') + of.writelines(value) + of.close() + + def createUL(self, count): + fields = [1, 2, 4, 8] + return "0x%08xUL" % (fields[count % 4] << 4 * (count / 4)) + + def createAvInheritH(self, mode = USERSPACE): + ''' + ''' + results = [] + results.append(self.autogen) + for c in self.vectors: + if self.inherits.has_key(c): + i = self.inherits[c] + count = len(self.common[i]) + if not (mode == self.KERNEL and self.userspace[c]): + results.append(" S_(SECCLASS_%s, %s, %s)\n" % (c.upper(), i, self.createUL(count))) + return results + + def createAvPermToStringH(self, mode = 
USERSPACE): + ''' + ''' + results = [] + results.append(self.autogen) + for c in self.vectors: + for p in self.vector[c]: + if not (mode == self.KERNEL and self.userspace[c]): + results.append(" S_(SECCLASS_%s, %s__%s, \"%s\")\n" % (c.upper(), c.upper(), p.upper(), p)) + + return results + + def createAvPermissionsH(self, mode = USERSPACE): + ''' + ''' + results = [] + results.append(self.autogen) + + width = 57 + count = 0 + for common in self.commons: + count = 0 + shift = 0 + for p in self.common[common]: + if not (mode == self.KERNEL and self.user_commons[common]): + columnA = "#define COMMON_%s__%s " % (common.upper(), p.upper()) + columnA += "".join([" " for i in range(width - len(columnA))]) + results.append("%s%s\n" % (columnA, self.createUL(count))) + count += 1 + + width = 50 # broken for old tools whitespace + for c in self.vectors: + count = 0 + + ps = [] + if self.inherits.has_key(c): + ps += self.common[self.inherits[c]] + ps += self.vector[c] + for p in ps: + columnA = "#define %s__%s " % (c.upper(), p.upper()) + columnA += "".join([" " for i in range(width - len(columnA))]) + if not (mode == self.KERNEL and self.userspace[c]): + results.append("%s%s\n" % (columnA, self.createUL(count))) + count += 1 + + return results + + def createClassToStringH(self, mode = USERSPACE): + ''' + ''' + results = [] + results.append(self.autogen) + results.append("/*\n * Security object class definitions\n */\n") + + if mode == self.KERNEL: + results.append(" S_(NULL)\n") + else: + results.append(" S_(\"null\")\n") + + for c in self.classes: + if mode == self.KERNEL and self.userspace[c]: + results.append(" S_(NULL)\n") + else: + results.append(" S_(\"%s\")\n" % c) + return results + + def createCommonPermToStringH(self, mode = USERSPACE): + ''' + ''' + results = [] + results.append(self.autogen) + for common in self.commons: + if not (mode == self.KERNEL and self.user_commons[common]): + results.append("TB_(common_%s_perm_to_string)\n" % common) + for p in 
self.common[common]: + results.append(" S_(\"%s\")\n" % p) + results.append("TE_(common_%s_perm_to_string)\n\n" % common) + return results + + def createFlaskH(self, mode = USERSPACE): + ''' + ''' + results = [] + results.append(self.autogen) + results.append("#ifndef _SELINUX_FLASK_H_\n") + results.append("#define _SELINUX_FLASK_H_\n") + results.append("\n") + results.append("/*\n") + results.append(" * Security object class definitions\n") + results.append(" */\n") + + count = 0 + width = 57 + for c in self.classes: + count += 1 + columnA = "#define SECCLASS_%s " % c.upper() + columnA += "".join([" " for i in range(width - len(columnA))]) + if not (mode == self.KERNEL and self.userspace[c]): + results.append("%s%d\n" % (columnA, count)) + + results.append("\n") + results.append("/*\n") + results.append(" * Security identifier indices for initial entities\n") + results.append(" */\n") + + count = 0 + width = 56 # broken for old tools whitespace + for s in self.sids: + count += 1 + columnA = "#define SECINITSID_%s " % s.upper() + columnA += "".join([" " for i in range(width - len(columnA))]) + results.append("%s%d\n" % (columnA, count)) + + results.append("\n") + columnA = "#define SECINITSID_NUM " + columnA += "".join([" " for i in range(width - len(columnA))]) + results.append("%s%d\n" % (columnA, count)) + + results.append("\n") + results.append("#endif\n") + return results + + + + def createInitialSidToStringH(self, mode = USERSPACE): + ''' + ''' + results = [] + results.append(self.autogen) + results.append("static char *initial_sid_to_string[] =\n") + results.append("{\n") + results.append(" \"null\",\n") + for s in self.sids: + results.append(" \"%s\",\n" % s) + results.append("};\n") + results.append("\n") + + return results + +def usage(): + ''' + Returns the usage string. 
+ ''' + usage = 'Usage: %s -a ACCESS_VECTORS -i INITIAL_SIDS -s SECURITY_CLASSES -o OUTPUT_DIRECTORY -k|-u [-w]\n' % os.path.basename(sys.argv[0]) + usage += '\n' + usage += ' -a --access_vectors\taccess vector definitions\n' + usage += ' -i --initial_sids\tinitial sid definitions\n' + usage += ' -s --security_classes\tsecurity class definitions\n' + usage += ' -o --output\toutput directory for generated files\n' + usage += ' -k --kernel\toutput mode set to kernel (kernel headers contain empty blocks for all classes specified with # userspace in the security_classes file)\n' + usage += ' -u --user\toutput mode set to userspace\n' + usage += ' -w --nowarnings\tsupresses output of warning messages\n' + return usage + +########## MAIN ########## +if __name__ == '__main__': + + # Parse command line args + try: + opts, args = getopt.getopt(sys.argv[1:], 'a:i:s:o:kuwh', ['access_vectors=', 'initial_sids=', 'security_classes=', 'output=', 'kernel', 'user', 'nowarnings', 'help']) + except getopt.GetoptError: + print(usage()) + sys.exit(2) + + avec = None + isid = None + secc = None + outd = None + mode = None + warn = True + for o, a in opts: + if o in ('-h', '--help'): + print(usage()) + sys.exit(0) + elif o in ('-a', '--access_vectors'): + avec = a + elif o in ('-i', '--initial_sids'): + isid = a + elif o in ('-s', '--security_classes'): + secc = a + elif o in ('-o', '--output'): + outd = a + elif o in ('-k', '--kernel'): + if mode != None: + print(usage()) + sys.exit(2) + mode = Flask.KERNEL + elif o in ('-u', '--user'): + if mode != None: + print(usage()) + sys.exit(2) + mode = Flask.USERSPACE + elif o in ('-w', '--nowarnings'): + warn = False + else: + print(usage()) + sys.exit(2) + + if avec == None or \ + isid == None or \ + secc == None or \ + outd == None: + print(usage()) + sys.exit(2) + + try: + f = Flask(warn) + f.parseSids(isid) + f.parseClasses(secc) + f.parseVectors(avec) + f.createHeaders(outd, mode) + except Exception, e: + print(e) + sys.exit(2) 
diff --git a/policy/flask/initial_sids b/policy/flask/initial_sids new file mode 100644 index 0000000..95894eb --- /dev/null +++ b/policy/flask/initial_sids @@ -0,0 +1,35 @@ +# FLASK + +# +# Define initial security identifiers +# + +sid kernel +sid security +sid unlabeled +sid fs +sid file +sid file_labels +sid init +sid any_socket +sid port +sid netif +sid netmsg +sid node +sid igmp_packet +sid icmp_socket +sid tcp_socket +sid sysctl_modprobe +sid sysctl +sid sysctl_fs +sid sysctl_kernel +sid sysctl_net +sid sysctl_net_unix +sid sysctl_vm +sid sysctl_dev +sid kmod +sid policy +sid scmp_packet +sid devnull + +# FLASK diff --git a/policy/flask/security_classes b/policy/flask/security_classes new file mode 100644 index 0000000..fa65db2 --- /dev/null +++ b/policy/flask/security_classes 
@@ -0,0 +1,128 @@ +# FLASK + +# +# Define the security object classes +# + +# Classes marked as userspace are classes +# for userspace object managers + +class security +class process +class system +class capability + +# file-related classes +class filesystem +class file +class dir +class fd +class lnk_file +class chr_file +class blk_file +class sock_file +class fifo_file + +# network-related classes +class socket +class tcp_socket +class udp_socket +class rawip_socket +class node +class netif +class netlink_socket +class packet_socket +class key_socket +class unix_stream_socket +class unix_dgram_socket + +# sysv-ipc-related classes +class sem +class msg +class msgq +class shm +class ipc + +# +# userspace object manager classes +# + +# passwd/chfn/chsh +class passwd # userspace + +# SE-X Windows stuff (more classes below) +class x_drawable # userspace +class x_screen # userspace +class x_gc # userspace +class x_font # userspace +class x_colormap # userspace +class x_property # userspace +class x_selection # userspace +class x_cursor # userspace +class x_client # userspace +class x_device # userspace +class x_server # userspace +class x_extension # userspace + +# extended netlink sockets +class netlink_route_socket +class netlink_firewall_socket +class netlink_tcpdiag_socket +class netlink_nflog_socket +class netlink_xfrm_socket +class netlink_selinux_socket +class netlink_audit_socket +class netlink_ip6fw_socket +class netlink_dnrt_socket + +class dbus # userspace +class nscd # userspace + +# IPSec association +class association + +# Updated Netlink class for KOBJECT_UEVENT family. 
+class netlink_kobject_uevent_socket + +class appletalk_socket + +class packet + +# Kernel access key retention +class key + +class context # userspace + +class dccp_socket + +class memprotect + +class db_database # userspace +class db_table # userspace +class db_procedure # userspace +class db_column # userspace +class db_tuple # userspace +class db_blob # userspace + +# network peer labels +class peer + +# Capabilities >= 32 +class capability2 + +# More SE-X Windows stuff +class x_resource # userspace +class x_event # userspace +class x_synthetic_event # userspace +class x_application_data # userspace + +# kernel services that need to override task security, e.g. cachefiles +class kernel_service + +class tun_socket + +# Still More SE-X Windows stuff +class x_pointer # userspace +class x_keyboard # userspace + +# FLASK diff --git a/policy/global_booleans b/policy/global_booleans new file mode 100644 index 0000000..111d004 --- /dev/null +++ b/policy/global_booleans @@ -0,0 +1,30 @@ +# +# This file is for the declaration of global booleans. +# To change the default value at build time, the booleans.conf +# file should be used. +# + +## <desc> +## <p> +## Enabling secure mode disallows programs, such as +## newrole, from transitioning to administrative +## user domains. +## </p> +## </desc> +gen_bool(secure_mode,false) + +## <desc> +## <p> +## Disable transitions to insmod. +## </p> +## </desc> +gen_bool(secure_mode_insmod,false) + +## <desc> +## <p> +## boolean to determine whether the system permits loading policy, setting +## enforcing mode, and changing boolean values. Set this to true and you +## have to reboot to set it back +## </p> +## </desc> +gen_bool(secure_mode_policyload,false) diff --git a/policy/global_tunables b/policy/global_tunables new file mode 100644 index 0000000..6e82b1e --- /dev/null +++ b/policy/global_tunables 
@@ -0,0 +1,112 @@ +# +# This file is for the declaration of global tunables. +# To change the default value at build time, the booleans.conf +# file should be used. +# + +## <desc> +## <p> +## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla +## </p> +## </desc> +gen_tunable(allow_execheap,false) + +## <desc> +## <p> +## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla +## </p> +## </desc> +gen_tunable(allow_execmem,false) + +## <desc> +## <p> +## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t +## </p> +## </desc> +gen_tunable(allow_execmod,false) + +## <desc> +## <p> +## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla +## </p> +## </desc> +gen_tunable(allow_execstack,false) + +## <desc> +## <p> +## Enable polyinstantiated directory support. +## </p> +## </desc> +gen_tunable(allow_polyinstantiation,false) + +## <desc> +## <p> +## Allow system to run with NIS +## </p> +## </desc> +gen_tunable(allow_ypbind,false) + +## <desc> +## <p> +## Enable reading of urandom for all domains. +## </p> +## <p> +## This should be enabled when all programs +## are compiled with ProPolice/SSP +## stack smashing protection. All domains will +## be allowed to read from /dev/urandom. +## </p> +## </desc> +gen_tunable(global_ssp,false) + +## <desc> +## <p> +## Allow any files/directories to be exported read/write via NFS. +## </p> +## </desc> +gen_tunable(nfs_export_all_rw,false) + +## <desc> +## <p> +## Allow any files/directories to be exported read/only via NFS. 
+## </p> +## </desc> +gen_tunable(nfs_export_all_ro,false) + +## <desc> +## <p> +## Support NFS home directories +## </p> +## </desc> +gen_tunable(use_nfs_home_dirs,false) + +## <desc> +## <p> +## Support SAMBA home directories +## </p> +## </desc> +gen_tunable(use_samba_home_dirs,false) + +## <desc> +## <p> +## Support fusefs home directories +## </p> +## </desc> +gen_tunable(use_fusefs_home_dirs,false) + +## <desc> +## <p> +## Allow users to run TCP servers (bind to ports and accept connection from +## the same domain and outside users) disabling this forces FTP passive mode +## and may change other protocols. +## </p> +## </desc> +gen_tunable(user_tcp_server,false) + +## <desc> +## <p> +## Allow direct login to the console device. Required for System 390 +## </p> +## </desc> +gen_tunable(allow_console_login,false) + diff --git a/policy/mcs b/policy/mcs new file mode 100644 index 0000000..9fef0f8 --- /dev/null +++ b/policy/mcs 
@@ -0,0 +1,138 @@ +ifdef(`enable_mcs',` +# +# Define sensitivities +# +# MCS is single-sensitivity. + +gen_sens(1) + +# +# Define the categories +# +# Generate declarations + +gen_cats(mcs_num_cats) + +# +# Each MCS level specifies a sensitivity and zero or more categories which may +# be associated with that sensitivity. +# + +gen_levels(1,mcs_num_cats) + +# +# Define the MCS policy +# +# mlsconstrain class_set perm_set expression ; +# +# mlsvalidatetrans class_set expression ; +# +# expression : ( expression ) +# | not expression +# | expression and expression +# | expression or expression +# | u1 op u2 +# | r1 role_mls_op r2 +# | t1 op t2 +# | l1 role_mls_op l2 +# | l1 role_mls_op h2 +# | h1 role_mls_op l2 +# | h1 role_mls_op h2 +# | l1 role_mls_op h1 +# | l2 role_mls_op h2 +# | u1 op names +# | u2 op names +# | r1 op names +# | r2 op names +# | t1 op names +# | t2 op names +# | u3 op names (NOTE: this is only available for mlsvalidatetrans) +# | r3 op names (NOTE: this is only available for mlsvalidatetrans) +# | t3 op names (NOTE: this is only available for mlsvalidatetrans) +# +# op : == | != +# role_mls_op : == | != | eq | dom | domby | incomp +# +# names : name | { name_list } +# name_list : name | name_list name +# + +# +# MCS policy for the file classes +# +# Constrain file access so that the high range of the process dominates +# the high range of the file. We use the high range of the process so +# that processes can always simply run at s0. +# +# Note: +# - getattr on dirs/files is not constrained. +# - /proc/pid operations are not constrained. 
+ +mlsconstrain file { read ioctl lock execute execute_no_trans } + (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); + +mlsconstrain file { write setattr append unlink link rename } + (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); + +mlsconstrain dir { search read ioctl lock } + (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); + +mlsconstrain dir { write setattr append unlink link rename add_name remove_name } + (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); + +# New filesystem object labels must be dominated by the relabeling subject +# clearance, also the objects are single-level. +mlsconstrain file { create relabelto } + (( h1 dom h2 ) and ( l2 eq h2 )); + +# new file labels must be dominated by the relabeling subject clearance +mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { relabelfrom } + ( h1 dom h2 ); + +mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { create relabelto } + (( h1 dom h2 ) and ( l2 eq h2 )); + +mlsconstrain process { transition dyntransition } + (( h1 dom h2 ) or ( t1 == mcssetcats )); + +mlsconstrain process { ptrace } + (( h1 dom h2) or ( t1 == mcsptraceall )); + +mlsconstrain process { sigkill sigstop } + (( h1 dom h2 ) or ( t1 == mcskillall )); + +mlsconstrain process { signal } + (( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); + +# +# MCS policy for SELinux-enabled databases +# + +# Any database object must be dominated by the relabeling subject +# clearance, also the objects are single-level. +mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto } + (( h1 dom h2 ) and ( l2 eq h2 )); + +mlsconstrain { db_tuple } { insert relabelto } + (( h1 dom h2 ) and ( l2 eq h2 )); + +# Access control for any database objects based on MCS rules. 
+mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param } + ( h1 dom h2 ); + +mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock } + ( h1 dom h2 ); + +mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use } + ( h1 dom h2 ); + +mlsconstrain db_tuple { relabelfrom select update delete use } + ( h1 dom h2 ); + +mlsconstrain db_procedure { drop getattr setattr execute install } + ( h1 dom h2 ); + +mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } + ( h1 dom h2 ); + +') dnl end enable_mcs diff --git a/policy/mls b/policy/mls new file mode 100644 index 0000000..b9f0a3e --- /dev/null +++ b/policy/mls 
@@ -0,0 +1,830 @@ +ifdef(`enable_mls',` +# +# Define sensitivities +# +# Domination of sensitivities is in increasin +# numerical order, with s0 being the lowest + +gen_sens(mls_num_sens) + +# +# Define the categories +# +# Generate declarations + +gen_cats(mls_num_cats) + +# +# Each MLS level specifies a sensitivity and zero or more categories which may +# be associated with that sensitivity. +# +# Generate levels from all sensitivities +# with all categories + +gen_levels(mls_num_sens,mls_num_cats) + +# +# Define the MLS policy +# +# mlsconstrain class_set perm_set expression ; +# +# mlsvalidatetrans class_set expression ; +# +# expression : ( expression ) +# | not expression +# | expression and expression +# | expression or expression +# | u1 op u2 +# | r1 role_mls_op r2 +# | t1 op t2 +# | l1 role_mls_op l2 +# | l1 role_mls_op h2 +# | h1 role_mls_op l2 +# | h1 role_mls_op h2 +# | l1 role_mls_op h1 +# | l2 role_mls_op h2 +# | u1 op names +# | u2 op names +# | r1 op names +# | r2 op names +# | t1 op names +# | t2 op names +# | u3 op names (NOTE: this is only available for mlsvalidatetrans) +# | r3 op names (NOTE: this is only available for mlsvalidatetrans) +# | t3 op names (NOTE: this is only available for mlsvalidatetrans) +# +# op : == | != +# role_mls_op : == | != | eq | dom | domby | incomp +# +# names : name | { name_list } +# name_list : name | name_list name +# + +# +# MLS policy for the file classes +# + +# make sure these file classes are "single level" +mlsconstrain { file lnk_file fifo_file } { create relabelto } + ( l2 eq h2 ); + +# new file labels must be dominated by the relabeling subjects clearance +mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto + ( h1 dom h2 ); + +# the file "read" ops (note the check is dominance of the low level) +mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute } + (( l1 dom l2 ) or + (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or + ( t1 == 
mlsfileread ) or + ( t2 == mlstrustedobject )); + +mlsconstrain dir search + (( l1 dom l2 ) or + (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsfileread ) or + ( t2 == mlstrustedobject )); + +# the "single level" file "write" ops +mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton } + (( l1 eq l2 ) or + (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + (( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or + ( t1 == mlsfilewrite ) or + ( t2 == mlstrustedobject )); + +# Directory "write" ops +mlsconstrain dir { add_name remove_name reparent rmdir } + (( l1 eq l2 ) or + (( t1 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( l1 domby h2 )) or + (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsfilewrite ) or + ( t2 == mlstrustedobject )); + +# these access vectors have no MLS restrictions +# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon } +# +# { file chr_file } { execute_no_trans entrypoint execmod } + +# the file upgrade/downgrade rule +mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file } + ((( l1 eq l2 ) or + (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or + (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or + (( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and + (( h1 eq h2 ) or + (( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or + (( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or + (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 )))); + +# create can also require the upgrade/downgrade checks if the creating process +# has used setfscreate (note that both the high and low level of the object +# default to the process sensitivity level) +mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create + ((( l1 eq l2 ) or + (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or + (( t1 == mlsfiledowngrade ) 
and ( l1 dom l2 )) or + (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and + (( l1 eq h2 ) or + (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or + (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or + (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 )))); + + + + +# +# MLS policy for the filesystem class +# + +# new filesystem labels must be dominated by the relabeling subjects clearance +mlsconstrain filesystem relabelto + ( h1 dom h2 ); + +# the filesystem "read" ops (implicit single level) +mlsconstrain filesystem { getattr quotaget } + (( l1 dom l2 ) or + (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsfileread )); + +# all the filesystem "write" ops (implicit single level) +mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } + (( l1 eq l2 ) or + (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsfilewrite )); + +# these access vectors have no MLS restrictions +# filesystem { transition associate } + + + + +# +# MLS policy for the socket classes +# + +# new socket labels must be dominated by the relabeling subjects clearance +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto + ( h1 dom h2 ); + +# the socket "read+write" ops +# (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR), +# require equal levels for unprivileged subjects, or read *and* write overrides) +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { 
accept connect } + (( l1 eq l2 ) or + (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread )) and + ((( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsnetwrite )))); + + +# the socket "read" ops (note the check is dominance of the low level) +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg } + (( l1 dom l2 ) or + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread )); + +mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read + (( l1 dom l2 ) or + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread )); + +# the socket "write" ops +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown } + (( l1 eq l2 ) or + (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsnetwrite )); + +# used by netlabel to restrict normal domains to same level connections +mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom + (( l1 eq l2 ) or + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread )); + +# UNIX domain socket ops +mlsconstrain unix_stream_socket 
connectto + (( l1 eq l2 ) or + (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsnetwrite ) or + ( t2 == mlstrustedobject )); + +mlsconstrain unix_dgram_socket sendto + (( l1 eq l2 ) or + (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsnetwrite ) or + ( t2 == mlstrustedobject )); + +# these access vectors have no MLS restrictions +# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind } +# +# { tcp_socket udp_socket rawip_socket } node_bind +# +# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom } +# +# tcp_socket name_connect +# +# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write +# +# netlink_audit_socket { nlmsg_relay nlmsg_readpriv } +# +# netlink_kobject_uevent_socket * +# + + + + +# +# MLS policy for the ipc classes +# + +# the ipc "read" ops (implicit single level) +mlsconstrain { ipc sem msgq shm } { getattr read unix_read } + (( l1 dom l2 ) or + (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsipcread )); + +mlsconstrain msg receive + (( l1 dom l2 ) or + (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsipcread )); + +# the ipc "write" ops (implicit single level) +mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write } + (( l1 eq l2 ) or + (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsipcwrite )); + +mlsconstrain msgq enqueue + (( l1 eq 
l2 ) or + (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsipcwrite )); + +mlsconstrain shm lock + (( l1 eq l2 ) or + (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsipcwrite )); + +mlsconstrain msg send + (( l1 eq l2 ) or + (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsipcwrite )); + +# these access vectors have no MLS restrictions +# { ipc sem msgq shm } associate + + + + +# +# MLS policy for the fd class +# + +# No sharing of open file descriptors between levels unless +# the process type is authorized to use fds created by +# other levels (mlsfduse) or the fd type is authorized to +# shared among levels (mlsfdshare). +mlsconstrain fd use ( + l1 eq l2 + or t1 == mlsfduse + or t2 == mlsfdshare +); + +# +# MLS policy for the network object classes +# + +# the netif/node "read" ops (implicit single level socket doing the read) +# (note the check is dominance of the low level) +mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv } + (( l1 dom l2 ) or ( t1 == mlsnetrecvall )); + +# the netif/node "write" ops (implicit single level socket doing the write) +mlsconstrain { netif node } { tcp_send udp_send rawip_send } + (( l1 eq l2 ) or + (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 ))); + +# these access vectors have no MLS restrictions +# node enforce_dest + + + + +# +# MLS policy for the network ingress/egress controls +# + +# the netif ingress/egress ops, the ingress permission is a "write" operation +# because the subject in this particular case is the remote domain which is +# writing data out the network interface which is acting as the object +mlsconstrain { netif } { ingress } + ((( l1 dom l2 ) and ( l1 domby h2 )) or + ( t1 == mlsnetinbound ) or + ( t1 == unlabeled_t )); +mlsconstrain { netif } { egress } + ((( l1 dom l2 ) and ( l1 domby h2 )) or + ( t1 == mlsnetoutbound )); + +# the node recvfrom/sendto ops, the recvfrom 
permission is a "write" operation +# because the subject in this particular case is the remote domain which is +# writing data out the network node which is acting as the object +mlsconstrain { node } { recvfrom } + ((( l1 dom l2 ) and ( l1 domby h2 )) or + ( t1 == mlsnetinbound ) or + ( t1 == unlabeled_t )); +mlsconstrain { node } { sendto } + ((( l1 dom l2 ) and ( l1 domby h2 )) or + ( t1 == mlsnetoutbound )); + +# the forward ops, the forward_in permission is a "write" operation because the +# subject in this particular case is the remote domain which is writing data +# to the network with a secmark label, the object in this case +mlsconstrain { packet } { forward_in } + ((( l1 dom l2 ) and ( l1 domby h2 )) or + ( t1 == mlsnetinbound ) or + ( t1 == unlabeled_t )); +mlsconstrain { packet } { forward_out } + ((( l1 dom l2 ) and ( l1 domby h2 )) or + ( t1 == mlsnetoutbound ) or + ( t1 == unlabeled_t )); + +# +# MLS policy for the secmark and peer controls +# + +# the peer/packet recv op +mlsconstrain { peer packet } { recv } + (( l1 dom l2 ) or + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread )); + + + + +# +# MLS policy for the process class +# + +# new process labels must be dominated by the relabeling subjects clearance +# and sensitivity level changes require privilege +mlsconstrain process transition + (( h1 dom h2 ) and + (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or + (( t1 == privrangetrans ) and ( t2 == mlsrangetrans )))); +mlsconstrain process dyntransition + (( h1 dom h2 ) and + (( l1 eq l2 ) or ( t1 == mlsprocsetsl ))); + +# all the process "read" ops +mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share } + (( l1 dom l2 ) or + (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsprocread )); + +# all the process "write" ops (note the check is equality on the low level) +mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share } + (( l1 eq l2 
) or + (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsprocwrite )); + +# these access vectors have no MLS restrictions +# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem execstack execheap } + + + + +# +# MLS policy for the security class +# + +# these access vectors have no MLS restrictions +# security * + + + + +# +# MLS policy for the system class +# + +# these access vectors have no MLS restrictions +# system * + + + + +# +# MLS policy for the capability class +# + +# these access vectors have no MLS restrictions +# capability * + + + + +# +# MLS policy for the passwd class +# + +# these access vectors have no MLS restrictions +# passwd * + + + + +# +# MLS policy for the x_drawable class +# + +# the x_drawable "read" ops (implicit single level) +mlsconstrain x_drawable { read blend getattr list_child list_property get_property receive } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the x_drawable "write" ops (implicit single level) +mlsconstrain x_drawable { create destroy write setattr add_child remove_child send manage } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + +# No MLS restrictions: x_drawable { show hide override } + + +# +# MLS policy for the x_gc class +# + +# the x_gc "read" ops (implicit single level) +mlsconstrain x_gc { getattr use } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the x_gc "write" ops (implicit single level) +mlsconstrain x_gc { create destroy setattr } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + +# +# MLS policy for the x_font class +# + +# the x_font "read" ops (implicit single level) +mlsconstrain x_font { use } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == 
mlsxwinread )); + +# the x_font "write" ops (implicit single level) +mlsconstrain x_font { create destroy add_glyph remove_glyph } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + +# these access vectors have no MLS restrictions +# font use + + +# +# MLS policy for the x_colormap class +# + +# the x_colormap "read" ops (implicit single level) +mlsconstrain x_colormap { read getattr use } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinreadcolormap ) or + ( t1 == mlsxwinread )); + +# the x_colormap "write" ops (implicit single level) +mlsconstrain x_colormap { create destroy write add_color remove_color install uninstall } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwritecolormap ) or + ( t1 == mlsxwinwrite )); + + +# +# MLS policy for the x_property class +# + +# the x_property "read" ops (implicit single level) +mlsconstrain x_property { read getattr } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinreadproperty ) or + ( t1 == mlsxwinread )); + +# the x_property "write" ops (implicit single level) +mlsconstrain x_property { create destroy write append setattr } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwriteproperty ) or + ( t1 == mlsxwinwrite )); + + +# +# MLS policy for the x_selection class +# + +# the x_selection "read" ops (implicit single level) +mlsconstrain x_selection { read getattr } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinreadselection ) or + ( t1 == mlsxwinread )); + +# the x_selection "write" ops (implicit single level) +mlsconstrain x_selection { write setattr } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwriteselection ) or + ( t1 == mlsxwinwrite )); + + +# 
+# MLS policy for the x_cursor class +# + +# the x_cursor "read" ops (implicit single level) +mlsconstrain x_cursor { read getattr use } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the x_cursor "write" ops (implicit single level) +mlsconstrain x_cursor { create destroy write setattr } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + +# +# MLS policy for the x_client class +# + +# the x_client "read" ops (implicit single level) +mlsconstrain x_client { getattr } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the x_client "write" ops (implicit single level) +mlsconstrain x_client { destroy setattr manage } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwrite )); + + +# +# MLS policy for the x_device class +# + +# the x_device "read" ops (implicit single level) +mlsconstrain x_device { getattr use read getfocus grab } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the x_device "write" ops (implicit single level) +mlsconstrain x_device { setattr write setfocus bell force_cursor freeze manage } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwritexinput ) or + ( t1 == mlsxwinwrite )); + + +# +# MLS policy for the x_server class +# + +# these access vectors have no MLS restrictions +# x_server * + + +# +# MLS policy for the x_extension class +# + +# these access vectors have no MLS restrictions +# x_extension { query use } + + +# +# MLS policy for the x_resource class +# + +# the x_resource "read" ops (implicit single level) +mlsconstrain x_resource { read } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the x_resource "write" ops (implicit single level) 
+mlsconstrain x_resource { write } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwritexinput ) or + ( t1 == mlsxwinwrite )); + + +# +# MLS policy for the x_event class +# + +# the x_event "read" ops (implicit single level) +mlsconstrain x_event { receive } + (( l1 dom l2 ) or + (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsxwinread )); + +# the x_event "write" ops (implicit single level) +mlsconstrain x_event { send } + (( l1 eq l2 ) or + (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlsxwinwritexinput ) or + ( t1 == mlsxwinwrite )); + + +# +# MLS policy for the x_application_data class +# + +# the x_application_data "paste" ops +mlsconstrain x_application_data { paste } + ( l1 domby l2 ); + +# the x_application_data "paste_after_confirm" ops +mlsconstrain x_application_data { paste_after_confirm } + ( l1 dom l2 ); + + + +# +# MLS policy for the dbus class +# + +mlsconstrain dbus { send_msg } + (( l1 eq l2 ) or + ( t1 == mlsdbussend ) or + ( t2 == mlsdbusrecv )); + +# these access vectors have no MLS restrictions +# dbus { acquire_svc } + + + + +# +# MLS policy for the nscd class +# + +# these access vectors have no MLS restrictions +# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } + + + + +# +# MLS policy for the association class +# + +mlsconstrain association { recvfrom } + ((( l1 dom l2 ) and ( l1 domby h2 )) or + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread ) or + ( t2 == unlabeled_t )); + +mlsconstrain association { sendto } + (( l1 eq l2 ) or + (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or + ( t2 == unlabeled_t )); + +mlsconstrain association { polmatch } + (( l1 dom l2 ) and ( h1 domby h2 )); + + + +# +# MLS policy for the context class +# + +mlsconstrain context translate + (( h1 dom h2 ) or ( t1 == mlstranslate )); + +mlsconstrain context contains + ( h1 dom h2 ); + 
+# +# MLS policy for database classes +# + +# make sure these database classes are "single level" +mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto } + ( l2 eq h2 ); +mlsconstrain { db_tuple } { insert relabelto } + ( l2 eq h2 ); + +# new database labels must be dominated by the relabeling subjects clearance +mlsconstrain { db_database db_table db_procedure db_column db_tuple db_blob } { relabelto } + ( h1 dom h2 ); + +# the database "read" ops (note the check is dominance of the low level) +mlsconstrain { db_database } { getattr access get_param } + (( l1 dom l2 ) or + (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsdbread ) or + ( t2 == mlstrustedobject )); + +mlsconstrain { db_table } { getattr use select lock } + (( l1 dom l2 ) or + (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsdbread ) or + ( t2 == mlstrustedobject )); + +mlsconstrain { db_column } { getattr use select } + (( l1 dom l2 ) or + (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsdbread ) or + ( t2 == mlstrustedobject )); + +mlsconstrain { db_procedure } { getattr execute install } + (( l1 dom l2 ) or + (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsdbread ) or + ( t2 == mlstrustedobject )); + +mlsconstrain { db_blob } { getattr read export } + (( l1 dom l2 ) or + (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsdbread ) or + ( t2 == mlstrustedobject )); + +mlsconstrain { db_tuple } { use select } + (( l1 dom l2 ) or + (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsdbread ) or + ( t2 == mlstrustedobject )); + +# the "single level" file "write" ops +mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param } + (( l1 eq l2 ) or + (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or + ( t1 == mlsdbwrite ) or + ( t2 == mlstrustedobject )); + +mlsconstrain { 
db_table } { create drop setattr relabelfrom update insert delete } + (( l1 eq l2 ) or + (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or + ( t1 == mlsdbwrite ) or + ( t2 == mlstrustedobject )); + +mlsconstrain { db_column } { create drop setattr relabelfrom update insert } + (( l1 eq l2 ) or + (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or + ( t1 == mlsdbwrite ) or + ( t2 == mlstrustedobject )); + +mlsconstrain { db_procedure } { create drop setattr relabelfrom } + (( l1 eq l2 ) or + (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or + ( t1 == mlsdbwrite ) or + ( t2 == mlstrustedobject )); + +mlsconstrain { db_blob } { create drop setattr relabelfrom write import } + (( l1 eq l2 ) or + (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or + ( t1 == mlsdbwrite ) or + ( t2 == mlstrustedobject )); + +mlsconstrain { db_tuple } { relabelfrom update insert delete } + (( l1 eq l2 ) or + (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or + ( t1 == mlsdbwrite ) or + ( t2 == mlstrustedobject )); + +# the database upgrade/downgrade rule +mlsvalidatetrans { db_database db_table db_procedure db_column db_tuple db_blob } + ((( l1 eq l2 ) or + (( t3 == mlsdbupgrade ) and ( l1 domby l2 )) or + (( t3 == mlsdbdowngrade ) and ( l1 dom l2 )) or + (( t3 == mlsdbdowngrade ) and ( l1 incomp l2 ))) and + (( l1 eq h2 ) or + (( t3 == mlsdbupgrade ) and ( h1 domby h2 )) or + (( t3 == mlsdbdowngrade ) and ( h1 dom h2 )) or + (( t3 == mlsdbdowngrade ) and ( h1 incomp h2 )))); + +') dnl end enable_mls 
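Review bot: the comment above the `db_database` write constraint block reads `# the "single level" file "write" ops`, copied from the file-class section; it should say "database" so the comment matches the db_* classes the block actually governs. The relabelto comment `# new database labels must be dominated by the relabeling subjects clearance` also needs the possessive `subject's`.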
diff --git a/policy/modules/admin/acct.fc b/policy/modules/admin/acct.fc new file mode 100644 index 0000000..e81367c --- /dev/null +++ b/policy/modules/admin/acct.fc @@ -0,0 +1,9 @@ + +/etc/cron\.(daily|monthly)/acct -- gen_context(system_u:object_r:acct_exec_t,s0) + +/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0) + +/usr/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0) + +/var/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0) +/var/log/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0) diff --git a/policy/modules/admin/acct.if b/policy/modules/admin/acct.if new file mode 100644 index 0000000..e66c296 --- /dev/null +++ b/policy/modules/admin/acct.if 
@@ -0,0 +1,80 @@ +## <summary>Berkeley process accounting</summary> + +######################################## +## <summary> +## Transition to the accounting management domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`acct_domtrans',` + gen_require(` + type acct_t, acct_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, acct_exec_t, acct_t) +') + +######################################## +## <summary> +## Execute accounting management tools in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`acct_exec',` + gen_require(` + type acct_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, acct_exec_t) +') + +######################################## +## <summary> +## Execute accounting management data in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: this is added for logrotate, and does +# not make sense to me. +interface(`acct_exec_data',` + gen_require(` + type acct_data_t; + ') + + files_search_var($1) + can_exec($1, acct_data_t) +') + +######################################## +## <summary> +## Create, read, write, and delete process accounting data. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`acct_manage_data',` + gen_require(` + type acct_data_t; + ') + + files_search_var($1) + manage_files_pattern($1, acct_data_t, acct_data_t) + manage_lnk_files_pattern($1, acct_data_t, acct_data_t) +') diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te new file mode 100644 index 0000000..321798e --- /dev/null +++ b/policy/modules/admin/acct.te 
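Review bot: `acct_exec_data` grants `can_exec($1, acct_data_t)`, i.e. execute permission on the accounting log data type, and its own inline comment (`# cjp: this is added for logrotate, and does not make sense to me.`) says the author does not know why it is needed. An interface that makes a log-file type executable in the caller's domain should not ship with an unexplained rationale; either document the logrotate behaviour that requires it or drop the interface until a caller needs it. The summary `Execute accounting management data in the caller domain.` should also be reworded, since data is not something one executes.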
@@ -0,0 +1,89 @@ +policy_module(acct, 1.4.1) + +######################################## +# +# Declarations +# + +type acct_t; +type acct_exec_t; +init_system_domain(acct_t, acct_exec_t) + +type acct_data_t; +logging_log_file(acct_data_t) + +######################################## +# +# Local Policy +# + +# gzip needs chown capability for some reason +allow acct_t self:capability { sys_pacct chown fsetid }; +# not sure why we need kill, the command "last" is reported as using it +dontaudit acct_t self:capability { kill sys_tty_config }; + +allow acct_t self:fifo_file rw_fifo_file_perms; +allow acct_t self:process signal_perms; + +manage_files_pattern(acct_t, acct_data_t, acct_data_t) +manage_lnk_files_pattern(acct_t, acct_data_t, acct_data_t) + +can_exec(acct_t, acct_exec_t) + +kernel_list_proc(acct_t) +kernel_read_system_state(acct_t) +kernel_read_kernel_sysctls(acct_t) + +dev_read_sysfs(acct_t) +# for SSP +dev_read_urand(acct_t) + +fs_search_auto_mountpoints(acct_t) +fs_getattr_xattr_fs(acct_t) + +term_dontaudit_use_console(acct_t) +term_dontaudit_use_generic_ptys(acct_t) + +corecmd_exec_bin(acct_t) +corecmd_exec_shell(acct_t) + +domain_use_interactive_fds(acct_t) + +files_read_etc_files(acct_t) +files_read_etc_runtime_files(acct_t) +files_list_usr(acct_t) +# for nscd +files_dontaudit_search_pids(acct_t) + +init_use_fds(acct_t) +init_use_script_ptys(acct_t) +init_exec_script_files(acct_t) + +logging_send_syslog_msg(acct_t) + +miscfiles_read_localization(acct_t) + +userdom_dontaudit_use_unpriv_user_fds(acct_t) +userdom_dontaudit_search_user_home_dirs(acct_t) + +optional_policy(` + optional_policy(` + # for monthly cron job + auth_log_filetrans_login_records(acct_t) + auth_manage_login_records(acct_t) + ') + + cron_system_entry(acct_t, acct_exec_t) +') + +optional_policy(` + nscd_socket_use(acct_t) +') + +optional_policy(` + seutil_sigchld_newrole(acct_t) +') + +optional_policy(` + udev_read_db(acct_t) +') 
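Review bot: the capability rules in acct.te carry comments admitting uncertainty: `# gzip needs chown capability for some reason` above `allow acct_t self:capability { sys_pacct chown fsetid };` and `# not sure why we need kill, the command "last" is reported as using it` above the dontaudit. sys_pacct is the one capability process accounting genuinely needs; chown and fsetid should be tied to a concrete observed denial (presumably rotation of root-owned accounting files) and the comment updated to say so, or they should be dropped. The nested `optional_policy` block granting `auth_manage_login_records(acct_t)` should likewise name the cron job that needs it, since that interface allows the domain to rewrite the login records (wtmp).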
diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc new file mode 100644 index 0000000..72a0458 --- /dev/null +++ b/policy/modules/admin/alsa.fc @@ -0,0 +1,18 @@ +HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) + +/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) + +/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) + +/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) +/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) + +/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) + +/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) + +/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if new file mode 100644 index 0000000..20d51d0 --- /dev/null +++ b/policy/modules/admin/alsa.if 
@@ -0,0 +1,170 @@ +## <summary>Ainit ALSA configuration tool.</summary> + +######################################## +## <summary> +## Execute a domain transition to run Alsa. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`alsa_domtrans',` + gen_require(` + type alsa_t, alsa_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, alsa_exec_t, alsa_t) +') + +######################################## +## <summary> +## Execute a domain transition to run +## Alsa, and allow the specified role +## the Alsa domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`alsa_run',` + gen_require(` + type alsa_t; + ') + + alsa_domtrans($1) + role $2 types alsa_t; +') + +######################################## +## <summary> +## Read and write Alsa semaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`alsa_rw_semaphores',` + gen_require(` + type alsa_t; + ') + + allow $1 alsa_t:sem rw_sem_perms; +') + +######################################## +## <summary> +## Read and write Alsa shared memory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`alsa_rw_shared_mem',` + gen_require(` + type alsa_t; + ') + + allow $1 alsa_t:shm rw_shm_perms; +') + +######################################## +## <summary> +## Read writable Alsa config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`alsa_read_rw_config',` + gen_require(` + type alsa_etc_rw_t; + ') + + files_search_etc($1) + allow $1 alsa_etc_rw_t:dir list_dir_perms; + read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) + read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) + + ifdef(`distro_debian',` + files_search_usr($1) + ') +') + +######################################## +## <summary> +## Manage writable Alsa config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`alsa_manage_rw_config',` + gen_require(` + type alsa_etc_rw_t; + ') + + files_search_etc($1) + allow $1 alsa_etc_rw_t:dir list_dir_perms; + manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) + read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) + + ifdef(`distro_debian',` + files_search_usr($1) + ') +') + +######################################## +## <summary> +## Read Alsa home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`alsa_read_home_files',` + gen_require(` + type alsa_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 alsa_home_t:file read_file_perms; +') + +######################################## +## <summary> +## Read Alsa lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`alsa_read_lib',` + gen_require(` + type alsa_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) +') diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te new file mode 100644 index 0000000..0f227f1 --- /dev/null +++ b/policy/modules/admin/alsa.te 
@@ -0,0 +1,76 @@ +policy_module(alsa, 1.9.2) + +######################################## +# +# Declarations +# + +type alsa_t; +type alsa_exec_t; +init_system_domain(alsa_t, alsa_exec_t) +role system_r types alsa_t; + +type alsa_etc_rw_t; +files_type(alsa_etc_rw_t) + +type alsa_var_lib_t; +files_type(alsa_var_lib_t) + +type alsa_home_t; +userdom_user_home_content(alsa_home_t) + +######################################## +# +# Local policy +# + +allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner }; +dontaudit alsa_t self:capability sys_admin; +allow alsa_t self:sem create_sem_perms; +allow alsa_t self:shm create_shm_perms; +allow alsa_t self:unix_stream_socket create_stream_socket_perms; +allow alsa_t self:unix_dgram_socket create_socket_perms; + +allow alsa_t alsa_home_t:file read_file_perms; + +manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) +manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) +files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) + +can_exec(alsa_t, alsa_exec_t) + +manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) +manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) +files_search_var_lib(alsa_t) + +kernel_read_system_state(alsa_t) + +dev_read_sound(alsa_t) +dev_write_sound(alsa_t) +dev_read_sysfs(alsa_t) + +corecmd_exec_bin(alsa_t) + +files_read_etc_files(alsa_t) +files_read_usr_files(alsa_t) + +term_dontaudit_use_console(alsa_t) +term_dontaudit_use_generic_ptys(alsa_t) +term_dontaudit_use_all_ptys(alsa_t) + +auth_use_nsswitch(alsa_t) + +init_use_fds(alsa_t) + +logging_send_syslog_msg(alsa_t) + +miscfiles_read_localization(alsa_t) + +userdom_manage_unpriv_user_semaphores(alsa_t) +userdom_manage_unpriv_user_shared_mem(alsa_t) +userdom_search_user_home_dirs(alsa_t) + +optional_policy(` + hal_use_fds(alsa_t) + hal_write_log(alsa_t) +') diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc new file mode 100644 index 0000000..e3e0701 --- /dev/null 
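Review bot: in alsa.te, `allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };` grants DAC override to a sound configuration tool that also reads per-user `alsa_home_t` files; dac_read_search is redundant once dac_override is held, and the pair should be justified in a comment or reduced to what alsactl actually trips over. `dontaudit alsa_t self:capability sys_admin;` and `term_dontaudit_use_all_ptys(alsa_t)` silence denials without saying what triggers them; a one-line comment on each would make the grants auditable.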
+++ b/policy/modules/admin/amanda.fc @@ -0,0 +1,26 @@ +/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0) +/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) +/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0) +/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0) +# empty m4 string so the index macro is not invoked +/etc/amanda/.*/index`'(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) + +/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0) + +/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0) +/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0) +/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) +/usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) +/usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) + +/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) + +/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0) +/var/lib/amanda/[^/]+(/.*)? gen_context(system_u:object_r:amanda_data_t,s0) +/var/lib/amanda/[^/]*/log(/.*)? gen_context(system_u:object_r:amanda_log_t,s0) +/var/lib/amanda/\.amandahosts -- gen_context(system_u:object_r:amanda_config_t,s0) +/var/lib/amanda/gnutar-lists(/.*)? gen_context(system_u:object_r:amanda_gnutarlists_t,s0) +# the null string in here because index is a m4 builtin function +/var/lib/amanda/[^/]+/index`'(/.*)? gen_context(system_u:object_r:amanda_var_lib_t,s0) + +/var/log/amanda(/.*)? gen_context(system_u:object_r:amanda_log_t,s0) diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if new file mode 100644 index 0000000..8498e97 --- /dev/null +++ b/policy/modules/admin/amanda.if 
@@ -0,0 +1,161 @@ +## <summary>Advanced Maryland Automatic Network Disk Archiver.</summary> + +######################################## +## <summary> +## Execute a domain transition to run +## Amanda recover. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`amanda_domtrans_recover',` + gen_require(` + type amanda_recover_t, amanda_recover_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t) +') + +######################################## +## <summary> +## Execute a domain transition to run +## Amanda recover, and allow the specified +## role the Amanda recover domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`amanda_run_recover',` + gen_require(` + type amanda_recover_t; + ') + + amanda_domtrans_recover($1) + role $2 types amanda_recover_t; +') + +######################################## +## <summary> +## Search Amanda library directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`amanda_search_lib',` + gen_require(` + type amanda_usr_lib_t; + ') + + files_search_usr($1) + allow $1 amanda_usr_lib_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read /etc/dumpdates. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`amanda_dontaudit_read_dumpdates',` + gen_require(` + type amanda_dumpdates_t; + ') + + dontaudit $1 amanda_dumpdates_t:file { getattr read }; +') + +######################################## +## <summary> +## Read and write /etc/dumpdates. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`amanda_rw_dumpdates_files',` + gen_require(` + type amanda_dumpdates_t; + ') + + files_search_etc($1) + allow $1 amanda_dumpdates_t:file rw_file_perms; +') + +######################################## +## <summary> +## Search Amanda library directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`amanda_manage_lib',` + gen_require(` + type amanda_usr_lib_t; + ') + + files_search_usr($1) + allow $1 amanda_usr_lib_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Read and append amanda logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`amanda_append_log_files',` + gen_require(` + type amanda_log_t; + ') + + logging_search_logs($1) + allow $1 amanda_log_t:file { read_file_perms append_file_perms }; +') + +####################################### +## <summary> +## Search Amanda var library directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`amanda_search_var_lib',` + gen_require(` + type amanda_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 amanda_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te new file mode 100644 index 0000000..a05f32f --- /dev/null +++ b/policy/modules/admin/amanda.te 
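Review bot: `amanda_manage_lib` reuses the summary of `amanda_search_lib` (`Search Amanda library directories.`) although it grants `manage_dir_perms`; update the summary to say the interface creates, reads, writes and deletes Amanda library directories. Note also that the body only covers the `dir` class, so a caller that needs to manage files under `amanda_usr_lib_t` will still be denied; if that is intended, the summary should say "directories only".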
@@ -0,0 +1,211 @@ +policy_module(amanda, 1.12.1) + +####################################### +# +# Declarations +# + +type amanda_t; +type amanda_inetd_exec_t; +inetd_service_domain(amanda_t, amanda_inetd_exec_t) +role system_r types amanda_t; + +type amanda_exec_t; +domain_entry_file(amanda_t, amanda_exec_t) + +type amanda_log_t; +logging_log_file(amanda_log_t) + +type amanda_config_t; +files_type(amanda_config_t) + +type amanda_usr_lib_t; +files_type(amanda_usr_lib_t) + +type amanda_var_lib_t; +files_type(amanda_var_lib_t) + +type amanda_gnutarlists_t; +files_type(amanda_gnutarlists_t) + +type amanda_tmp_t; +files_tmp_file(amanda_tmp_t) + +type amanda_amandates_t; +files_type(amanda_amandates_t) + +type amanda_dumpdates_t; +files_type(amanda_dumpdates_t) + +type amanda_data_t; +files_type(amanda_data_t) + +type amanda_recover_t; +type amanda_recover_exec_t; +application_domain(amanda_recover_t, amanda_recover_exec_t) +role system_r types amanda_recover_t; + +type amanda_recover_dir_t; +files_type(amanda_recover_dir_t) + +optional_policy(` + prelink_object_file(amanda_usr_lib_t) +') + +######################################## +# +# Amanda local policy +# + +allow amanda_t self:capability { chown dac_override setuid kill }; +allow amanda_t self:process { setpgid signal }; +allow amanda_t self:fifo_file rw_fifo_file_perms; +allow amanda_t self:unix_stream_socket create_stream_socket_perms; +allow amanda_t self:unix_dgram_socket create_socket_perms; +allow amanda_t self:tcp_socket create_stream_socket_perms; +allow amanda_t self:udp_socket create_socket_perms; + +allow amanda_t amanda_amandates_t:file rw_file_perms; + +allow amanda_t amanda_config_t:file read_file_perms; + +manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) +manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) +filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) + +allow amanda_t amanda_dumpdates_t:file rw_file_perms; + +can_exec(amanda_t, amanda_exec_t) 
+can_exec(amanda_t, amanda_inetd_exec_t) + +allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms; +allow amanda_t amanda_gnutarlists_t:file manage_file_perms; +allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms; + +manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) +manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) + +manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t) +manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t) +logging_log_filetrans(amanda_t, amanda_log_t, { file dir }) + +manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t) +manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t) +files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir }) + +kernel_read_system_state(amanda_t) +kernel_read_kernel_sysctls(amanda_t) +kernel_dontaudit_getattr_unlabeled_files(amanda_t) +kernel_dontaudit_read_proc_symlinks(amanda_t) + +corecmd_exec_shell(amanda_t) +corecmd_exec_bin(amanda_t) + +corenet_all_recvfrom_unlabeled(amanda_t) +corenet_all_recvfrom_netlabel(amanda_t) +corenet_tcp_sendrecv_generic_if(amanda_t) +corenet_udp_sendrecv_generic_if(amanda_t) +corenet_raw_sendrecv_generic_if(amanda_t) +corenet_tcp_sendrecv_generic_node(amanda_t) +corenet_udp_sendrecv_generic_node(amanda_t) +corenet_raw_sendrecv_generic_node(amanda_t) +corenet_tcp_sendrecv_all_ports(amanda_t) +corenet_udp_sendrecv_all_ports(amanda_t) +corenet_tcp_bind_generic_node(amanda_t) +corenet_udp_bind_generic_node(amanda_t) +corenet_tcp_bind_all_rpc_ports(amanda_t) +corenet_tcp_bind_generic_port(amanda_t) +corenet_dontaudit_tcp_bind_all_ports(amanda_t) + +dev_getattr_all_blk_files(amanda_t) +dev_getattr_all_chr_files(amanda_t) + +files_read_etc_files(amanda_t) +files_read_etc_runtime_files(amanda_t) +files_list_all(amanda_t) +files_read_all_files(amanda_t) +files_read_all_symlinks(amanda_t) +files_read_all_blk_files(amanda_t) +files_read_all_chr_files(amanda_t) +files_getattr_all_pipes(amanda_t) +files_getattr_all_sockets(amanda_t) + 
+fs_getattr_xattr_fs(amanda_t) +fs_list_all(amanda_t) + +storage_raw_read_fixed_disk(amanda_t) +storage_read_tape(amanda_t) +storage_write_tape(amanda_t) + +auth_use_nsswitch(amanda_t) +auth_read_shadow(amanda_t) + +logging_send_syslog_msg(amanda_t) + +######################################## +# +# Amanda recover local policy +# + +allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override }; +allow amanda_recover_t self:process { sigkill sigstop signal }; +allow amanda_recover_t self:fifo_file rw_fifo_file_perms; +allow amanda_recover_t self:unix_stream_socket { connect create read write }; +allow amanda_recover_t self:tcp_socket create_stream_socket_perms; +allow amanda_recover_t self:udp_socket create_socket_perms; + +manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t) +manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t) + +manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) +manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) +manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) +manage_fifo_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) +manage_sock_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t) +userdom_user_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file }) + +manage_dirs_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) +manage_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) +manage_lnk_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) +manage_fifo_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) +manage_sock_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t) +files_tmp_filetrans(amanda_recover_t, amanda_tmp_t, { dir file lnk_file sock_file fifo_file }) + +kernel_read_system_state(amanda_recover_t) +kernel_read_kernel_sysctls(amanda_recover_t) + 
+corecmd_exec_shell(amanda_recover_t) +corecmd_exec_bin(amanda_recover_t) + +corenet_all_recvfrom_unlabeled(amanda_recover_t) +corenet_all_recvfrom_netlabel(amanda_recover_t) +corenet_tcp_sendrecv_generic_if(amanda_recover_t) +corenet_udp_sendrecv_generic_if(amanda_recover_t) +corenet_tcp_sendrecv_generic_node(amanda_recover_t) +corenet_udp_sendrecv_generic_node(amanda_recover_t) +corenet_tcp_sendrecv_all_ports(amanda_recover_t) +corenet_udp_sendrecv_all_ports(amanda_recover_t) +corenet_tcp_bind_generic_node(amanda_recover_t) +corenet_udp_bind_generic_node(amanda_recover_t) +corenet_tcp_bind_reserved_port(amanda_recover_t) +corenet_tcp_connect_amanda_port(amanda_recover_t) +corenet_sendrecv_amanda_client_packets(amanda_recover_t) + +domain_use_interactive_fds(amanda_recover_t) + +files_read_etc_files(amanda_recover_t) +files_read_etc_runtime_files(amanda_recover_t) +files_search_tmp(amanda_recover_t) +files_search_pids(amanda_recover_t) + +auth_use_nsswitch(amanda_recover_t) + +fstools_domtrans(amanda_t) +fstools_signal(amanda_t) + +logging_search_logs(amanda_recover_t) + +miscfiles_read_localization(amanda_recover_t) + +userdom_use_user_terminals(amanda_recover_t) +userdom_search_user_home_content(amanda_recover_t) diff --git a/policy/modules/admin/amtu.fc b/policy/modules/admin/amtu.fc new file mode 100644 index 0000000..d97160e --- /dev/null +++ b/policy/modules/admin/amtu.fc @@ -0,0 +1 @@ +/usr/bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0) diff --git a/policy/modules/admin/amtu.if b/policy/modules/admin/amtu.if new file mode 100644 index 0000000..be82315 --- /dev/null +++ b/policy/modules/admin/amtu.if 
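Review bot: `fstools_domtrans(amanda_t)` and `fstools_signal(amanda_t)` sit under the `# Amanda recover local policy` heading but apply to amanda_t, not amanda_recover_t; move them up to the amanda local policy section with the other amanda_t rules. The amanda_t section is also very broad for an inetd service (`files_read_all_files`, `auth_read_shadow`, `storage_raw_read_fixed_disk`, `corenet_tcp_bind_generic_port`); a comment stating which backup operation needs each of these, shadow access in particular, would let a later reviewer confirm they are still required.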
@@ -0,0 +1,46 @@ +## <summary>Abstract Machine Test Utility.</summary> + +######################################## +## <summary> +## Execute a domain transition to run Amtu. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`amtu_domtrans',` + gen_require(` + type amtu_t, amtu_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, amtu_exec_t, amtu_t) +') + +######################################## +## <summary> +## Execute a domain transition to run +## Amtu, and allow the specified role +## the Amtu domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`amtu_run',` + gen_require(` + type amtu_t; + ') + + amtu_domtrans($1) + role $2 types amtu_t; +') diff --git a/policy/modules/admin/amtu.te b/policy/modules/admin/amtu.te new file mode 100644 index 0000000..057abb0 --- /dev/null +++ b/policy/modules/admin/amtu.te @@ -0,0 +1,34 @@ +policy_module(amtu, 1.2.0) + +######################################## +# +# Declarations +# + +type amtu_t; +type amtu_exec_t; +domain_type(amtu_t) +domain_entry_file(amtu_t, amtu_exec_t) + +######################################## +# +# amtu local policy +# + +kernel_read_system_state(amtu_t) + +files_manage_boot_files(amtu_t) +files_read_etc_runtime_files(amtu_t) +files_read_etc_files(amtu_t) + +logging_send_audit_msgs(amtu_t) + +userdom_use_user_terminals(amtu_t) + +optional_policy(` + nscd_dontaudit_search_pid(amtu_t) +') + +optional_policy(` + seutil_use_newrole_fds(amtu_t) +') diff --git a/policy/modules/admin/anaconda.fc b/policy/modules/admin/anaconda.fc new file mode 100644 index 0000000..b098089 --- /dev/null +++ b/policy/modules/admin/anaconda.fc @@ -0,0 +1 @@ +# No file context specifications. 
diff --git a/policy/modules/admin/anaconda.if b/policy/modules/admin/anaconda.if new file mode 100644 index 0000000..14a61b7 --- /dev/null +++ b/policy/modules/admin/anaconda.if @@ -0,0 +1 @@ +## <summary>Anaconda installer.</summary> diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te new file mode 100644 index 0000000..9a9526a --- /dev/null +++ b/policy/modules/admin/anaconda.te @@ -0,0 +1,60 @@ +policy_module(anaconda, 1.5.1) + +######################################## +# +# Declarations +# + +type anaconda_t; +type anaconda_exec_t; +domain_type(anaconda_t) +domain_obj_id_change_exemption(anaconda_t) +role system_r types anaconda_t; + +######################################## +# +# Local policy +# + +allow anaconda_t self:process execmem; + +kernel_domtrans_to(anaconda_t, anaconda_exec_t) + +init_domtrans_script(anaconda_t) + +libs_domtrans_ldconfig(anaconda_t) + +logging_send_syslog_msg(anaconda_t) + +modutils_domtrans_insmod(anaconda_t) +modutils_domtrans_depmod(anaconda_t) + +seutil_domtrans_semanage(anaconda_t) +seutil_domtrans_setsebool(anaconda_t) + +userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) + +optional_policy(` + kudzu_domtrans(anaconda_t) +') + +optional_policy(` + rpm_domtrans(anaconda_t) + rpm_domtrans_script(anaconda_t) +') + +optional_policy(` + ssh_domtrans_keygen(anaconda_t) +') + +optional_policy(` + udev_domtrans(anaconda_t) +') + +optional_policy(` + unconfined_domain_noaudit(anaconda_t) +') + +optional_policy(` + usermanage_domtrans_admin_passwd(anaconda_t) +') diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc new file mode 100644 index 0000000..e4f4850 --- /dev/null +++ b/policy/modules/admin/apt.fc 
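Review bot: `type anaconda_exec_t;` is declared and used as the entry point in `kernel_domtrans_to(anaconda_t, anaconda_exec_t)`, but in this hunk neither `domain_entry_file` nor `files_type` is applied to it and anaconda.fc contains only `# No file context specifications.`, so nothing on disk carries that label; either add the file-type declaration and a context spec or document how the installer is expected to enter anaconda_t. The `unconfined_domain_noaudit(anaconda_t)` block also makes the explicit rules above it redundant whenever the unconfined module is loaded; a comment noting that the explicit rules exist for builds without it would clarify the intent.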
@@ -0,0 +1,21 @@ +/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0) +# apt-shell is redhat specific +/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0) +# other package managers +/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0) +/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0) + +# package cache repository +/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0) + +# package list repository +/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) +/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) + +# aptitude lock +/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0) +# aptitude log +/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0) + +# dpkg terminal log +/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0) diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if new file mode 100644 index 0000000..e696b80 --- /dev/null +++ b/policy/modules/admin/apt.if 
@@ -0,0 +1,225 @@ +## <summary>APT advanced package tool.</summary> + +######################################## +## <summary> +## Execute apt programs in the apt domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`apt_domtrans',` + gen_require(` + type apt_t, apt_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, apt_exec_t, apt_t) +') + +######################################## +## <summary> +## Execute apt programs in the apt domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the apt domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`apt_run',` + gen_require(` + type apt_t; + ') + + apt_domtrans($1) + role $2 types apt_t; + # TODO: likely have to add dpkg_run here. +') + +######################################## +## <summary> +## Inherit and use file descriptors from apt. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apt_use_fds',` + gen_require(` + type apt_t; + ') + + allow $1 apt_t:fd use; + # TODO: enforce dpkg_use_fd? +') + +######################################## +## <summary> +## Do not audit attempts to use file descriptors from apt. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`apt_dontaudit_use_fds',` + gen_require(` + type apt_t; + ') + + dontaudit $1 apt_t:fd use; +') + +######################################## +## <summary> +## Read from an unnamed apt pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apt_read_pipes',` + gen_require(` + type apt_t; + ') + + allow $1 apt_t:fifo_file read_fifo_file_perms; + # TODO: enforce dpkg_read_pipes? 
+') + +######################################## +## <summary> +## Read and write an unnamed apt pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apt_rw_pipes',` + gen_require(` + type apt_t; + ') + + allow $1 apt_t:fifo_file rw_file_perms; + # TODO: enforce dpkg_rw_pipes? +') + +######################################## +## <summary> +## Read from and write to apt ptys. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apt_use_ptys',` + gen_require(` + type apt_devpts_t; + ') + + allow $1 apt_devpts_t:chr_file rw_term_perms; +') + +######################################## +## <summary> +## Read the apt package cache. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apt_read_cache',` + gen_require(` + type apt_var_cache_t; + ') + + files_search_var($1) + allow $1 apt_var_cache_t:dir list_dir_perms; + dontaudit $1 apt_var_cache_t:dir write; + allow $1 apt_var_cache_t:file read_file_perms; +') + +######################################## +## <summary> +## Read the apt package database. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apt_read_db',` + gen_require(` + type apt_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 apt_var_lib_t:dir list_dir_perms; + read_files_pattern($1, apt_var_lib_t, apt_var_lib_t) + read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) +') + +######################################## +## <summary> +## Create, read, write, and delete the apt package database. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`apt_manage_db',` + gen_require(` + type apt_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t) + # cjp: shouldnt this be manage_lnk_files? + rw_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) + delete_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) +') + +######################################## +## <summary> +## Do not audit attempts to create, read, +## write, and delete the apt package database. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`apt_dontaudit_manage_db',` + gen_require(` + type apt_var_lib_t; + ') + + dontaudit $1 apt_var_lib_t:dir rw_dir_perms; + dontaudit $1 apt_var_lib_t:file manage_file_perms; + dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms; +') diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te new file mode 100644 index 0000000..4044710 --- /dev/null +++ b/policy/modules/admin/apt.te 
@@ -0,0 +1,162 @@ +policy_module(apt, 1.6.0) + +######################################## +# +# Declarations +# + +type apt_t; +type apt_exec_t; +init_system_domain(apt_t, apt_exec_t) +domain_system_change_exemption(apt_t) +role system_r types apt_t; + +# pseudo terminal for running dpkg +type apt_devpts_t; +term_pty(apt_devpts_t) + +# aptitude lock file +type apt_lock_t; +files_lock_file(apt_lock_t) + +type apt_tmp_t; +files_tmp_file(apt_tmp_t) + +type apt_tmpfs_t; +files_tmpfs_file(apt_tmpfs_t) + +# package cache +type apt_var_cache_t alias var_cache_apt_t; +files_type(apt_var_cache_t) + +# status files +type apt_var_lib_t alias var_lib_apt_t; +files_type(apt_var_lib_t) + +# aptitude log file +type apt_var_log_t; +logging_log_file(apt_var_log_t) + +######################################## +# +# apt Local policy +# + +allow apt_t self:capability { chown dac_override fowner fsetid }; +allow apt_t self:process { signal setpgid fork }; +allow apt_t self:fd use; +allow apt_t self:fifo_file rw_fifo_file_perms; +allow apt_t self:unix_dgram_socket create_socket_perms; +allow apt_t self:unix_stream_socket rw_stream_socket_perms; +allow apt_t self:unix_dgram_socket sendto; +allow apt_t self:unix_stream_socket connectto; +allow apt_t self:udp_socket { connect create_socket_perms }; +allow apt_t self:tcp_socket create_stream_socket_perms; +allow apt_t self:shm create_shm_perms; +allow apt_t self:sem create_sem_perms; +allow apt_t self:msgq create_msgq_perms; +allow apt_t self:msg { send receive }; +# Run update +allow apt_t self:netlink_route_socket r_netlink_socket_perms; + +# lock files +allow apt_t apt_lock_t:dir manage_dir_perms; +allow apt_t apt_lock_t:file manage_file_perms; +files_lock_filetrans(apt_t, apt_lock_t, {dir file}) + +manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t) +manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t) +files_tmp_filetrans(apt_t, apt_tmp_t, { file dir }) + +manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) +manage_files_pattern(apt_t, 
apt_tmpfs_t, apt_tmpfs_t) +manage_lnk_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) +manage_fifo_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) +manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) +fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +# Access /var/cache/apt files +manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) +files_var_filetrans(apt_t, apt_var_cache_t, dir) + +# Access /var/lib/apt files +manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t) +files_var_lib_filetrans(apt_t, apt_var_lib_t, dir) + +# log files +allow apt_t apt_var_log_t:file manage_file_perms; +logging_log_filetrans(apt_t, apt_var_log_t, file) + +kernel_read_system_state(apt_t) +kernel_read_kernel_sysctls(apt_t) + +# to launch dpkg-preconfigure +corecmd_exec_bin(apt_t) +corecmd_exec_shell(apt_t) + +corenet_all_recvfrom_unlabeled(apt_t) +corenet_all_recvfrom_netlabel(apt_t) +corenet_tcp_sendrecv_generic_if(apt_t) +corenet_udp_sendrecv_generic_if(apt_t) +corenet_tcp_sendrecv_generic_node(apt_t) +corenet_udp_sendrecv_generic_node(apt_t) +corenet_tcp_sendrecv_all_ports(apt_t) +corenet_udp_sendrecv_all_ports(apt_t) +# TODO: really allow all these? +corenet_tcp_bind_generic_node(apt_t) +corenet_udp_bind_generic_node(apt_t) +corenet_tcp_connect_all_ports(apt_t) +corenet_sendrecv_all_client_packets(apt_t) + +dev_read_urand(apt_t) + +domain_getattr_all_domains(apt_t) +domain_use_interactive_fds(apt_t) + +files_exec_usr_files(apt_t) +files_read_etc_files(apt_t) +files_read_etc_runtime_files(apt_t) + +fs_getattr_all_fs(apt_t) + +term_create_pty(apt_t, apt_devpts_t) +term_list_ptys(apt_t) +term_use_all_terms(apt_t) + +libs_exec_ld_so(apt_t) +libs_exec_lib_files(apt_t) + +logging_send_syslog_msg(apt_t) + +miscfiles_read_localization(apt_t) + +seutil_use_newrole_fds(apt_t) + +sysnet_read_config(apt_t) + +userdom_use_user_terminals(apt_t) + +# with boolean, for cron-apt and such? 
+#optional_policy(` +# cron_system_entry(apt_t,apt_exec_t) +#') + +optional_policy(` + # dpkg interaction + dpkg_read_db(apt_t) + dpkg_domtrans(apt_t) + dpkg_lock_db(apt_t) +') + +optional_policy(` + nis_use_ypbind(apt_t) +') + +optional_policy(` + rpm_read_db(apt_t) + rpm_domtrans(apt_t) +') + +optional_policy(` + unconfined_domain(apt_t) +') diff --git a/policy/modules/admin/backup.fc b/policy/modules/admin/backup.fc new file mode 100644 index 0000000..223b7f2 --- /dev/null +++ b/policy/modules/admin/backup.fc @@ -0,0 +1,13 @@ +# backup +# label programs that do backups to other files on disk (IE a cron job that +# calls tar) in backup_exec_t and label the directory for storing them as +# backup_store_t, Debian uses /var/backups + +#/usr/local/bin/backup-script -- gen_context(system_u:object_r:backup_exec_t,s0) + +ifdef(`distro_debian',` +/etc/cron.daily/aptitude -- gen_context(system_u:object_r:backup_exec_t,s0) +/etc/cron.daily/standard -- gen_context(system_u:object_r:backup_exec_t,s0) +') + +/var/backups(/.*)? gen_context(system_u:object_r:backup_store_t,s0) diff --git a/policy/modules/admin/backup.if b/policy/modules/admin/backup.if new file mode 100644 index 0000000..1017b7a --- /dev/null +++ b/policy/modules/admin/backup.if 
@@ -0,0 +1,45 @@ +## <summary>System backup scripts</summary> + +######################################## +## <summary> +## Execute backup in the backup domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`backup_domtrans',` + gen_require(` + type backup_t, backup_exec_t; + ') + + domtrans_pattern($1, backup_exec_t, backup_t) +') + +######################################## +## <summary> +## Execute backup in the backup domain, and +## allow the specified role the backup domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`backup_run',` + gen_require(` + type backup_t; + ') + + backup_domtrans($1) + role $2 types backup_t; +') diff --git a/policy/modules/admin/backup.te b/policy/modules/admin/backup.te new file mode 100644 index 0000000..0bfc958 --- /dev/null +++ b/policy/modules/admin/backup.te 
@@ -0,0 +1,85 @@ +policy_module(backup, 1.5.0) + +######################################## +# +# Declarations +# + +type backup_t; +type backup_exec_t; +domain_type(backup_t) +domain_entry_file(backup_t, backup_exec_t) +role system_r types backup_t; + +type backup_store_t; +files_type(backup_store_t) + +######################################## +# +# Local policy +# + +allow backup_t self:capability dac_override; +allow backup_t self:process signal; +allow backup_t self:fifo_file rw_fifo_file_perms; +allow backup_t self:tcp_socket create_socket_perms; +allow backup_t self:udp_socket create_socket_perms; + +allow backup_t backup_store_t:file setattr; +manage_files_pattern(backup_t, backup_store_t, backup_store_t) +rw_files_pattern(backup_t, backup_store_t, backup_store_t) +read_lnk_files_pattern(backup_t, backup_store_t, backup_store_t) + +kernel_read_system_state(backup_t) +kernel_read_kernel_sysctls(backup_t) + +corecmd_exec_bin(backup_t) +corecmd_exec_shell(backup_t) + +corenet_all_recvfrom_unlabeled(backup_t) +corenet_all_recvfrom_netlabel(backup_t) +corenet_tcp_sendrecv_generic_if(backup_t) +corenet_udp_sendrecv_generic_if(backup_t) +corenet_raw_sendrecv_generic_if(backup_t) +corenet_tcp_sendrecv_generic_node(backup_t) +corenet_udp_sendrecv_generic_node(backup_t) +corenet_raw_sendrecv_generic_node(backup_t) +corenet_tcp_sendrecv_all_ports(backup_t) +corenet_udp_sendrecv_all_ports(backup_t) +corenet_tcp_connect_all_ports(backup_t) +corenet_sendrecv_all_client_packets(backup_t) + +dev_getattr_all_blk_files(backup_t) +dev_getattr_all_chr_files(backup_t) +# for SSP +dev_read_urand(backup_t) + +domain_use_interactive_fds(backup_t) + +files_read_all_files(backup_t) +files_read_all_symlinks(backup_t) +files_getattr_all_pipes(backup_t) +files_getattr_all_sockets(backup_t) + +fs_getattr_xattr_fs(backup_t) +fs_list_all(backup_t) + +auth_read_shadow(backup_t) + +logging_send_syslog_msg(backup_t) + +sysnet_read_config(backup_t) + +userdom_use_user_terminals(backup_t) + 
+optional_policy(` + cron_system_entry(backup_t, backup_exec_t) +') + +optional_policy(` + hostname_exec(backup_t) +') + +optional_policy(` + nis_use_ypbind(backup_t) +') diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc new file mode 100644 index 0000000..7a6f06f --- /dev/null +++ b/policy/modules/admin/bootloader.fc @@ -0,0 +1,9 @@ + +/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) +/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) + +/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) + +/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if new file mode 100644 index 0000000..ebe8570 --- /dev/null +++ b/policy/modules/admin/bootloader.if 
@@ -0,0 +1,129 @@ +## <summary>Policy for the kernel modules, kernel image, and bootloader.</summary> + +######################################## +## <summary> +## Execute bootloader in the bootloader domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`bootloader_domtrans',` + gen_require(` + type bootloader_t, bootloader_exec_t; + ') + + domtrans_pattern($1, bootloader_exec_t, bootloader_t) +') + +######################################## +## <summary> +## Execute bootloader interactively and do +## a domain transition to the bootloader domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`bootloader_run',` + gen_require(` + type bootloader_t; + ') + + bootloader_domtrans($1) + + role $2 types bootloader_t; + + ifdef(`distro_redhat',` + # for mke2fs + mount_run(bootloader_t, $2) + ') +') + +######################################## +## <summary> +## Read the bootloader configuration file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bootloader_read_config',` + gen_require(` + type bootloader_etc_t; + ') + + allow $1 bootloader_etc_t:file read_file_perms; +') + +######################################## +## <summary> +## Read and write the bootloader +## configuration file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`bootloader_rw_config',` + gen_require(` + type bootloader_etc_t; + ') + + allow $1 bootloader_etc_t:file rw_file_perms; +') + +######################################## +## <summary> +## Read and write the bootloader +## temporary data in /tmp. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bootloader_rw_tmp_files',` + gen_require(` + type bootloader_tmp_t; + ') + + # FIXME: read tmp_t dir + allow $1 bootloader_tmp_t:file rw_file_perms; +') + +######################################## +## <summary> +## Read and write the bootloader +## temporary data in /tmp. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bootloader_create_runtime_file',` + gen_require(` + type boot_runtime_t; + ') + + allow $1 boot_runtime_t:file { create_file_perms rw_file_perms }; + files_boot_filetrans($1, boot_runtime_t, file) +') diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te new file mode 100644 index 0000000..a9bc854 --- /dev/null +++ b/policy/modules/admin/bootloader.te 
@@ -0,0 +1,215 @@ +policy_module(bootloader, 1.11.0) + +######################################## +# +# Declarations +# + +# +# boot_runtime_t is the type for /boot/kernel.h, +# which is automatically generated at boot time. +# only for Red Hat +# +type boot_runtime_t; +files_type(boot_runtime_t) + +type bootloader_t; +type bootloader_exec_t; +application_domain(bootloader_t, bootloader_exec_t) +role system_r types bootloader_t; + +# +# bootloader_etc_t is the configuration file, +# grub.conf, lilo.conf, etc. +# +type bootloader_etc_t alias etc_bootloader_t; +files_type(bootloader_etc_t) + +# +# The temp file is used for initrd creation; +# it consists of files and device nodes +# +type bootloader_tmp_t; +files_tmp_file(bootloader_tmp_t) +dev_node(bootloader_tmp_t) + +# +# /var/log/ksyms +# cjp: this probably can be removed, I do not +# think it is used on 2.6 kernels +type var_log_ksyms_t; +logging_log_file(var_log_ksyms_t) + +######################################## +# +# bootloader local policy +# + +allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown }; +allow bootloader_t self:process { sigkill sigstop signull signal execmem }; +allow bootloader_t self:fifo_file rw_fifo_file_perms; + +allow bootloader_t bootloader_etc_t:file read_file_perms; +# uncomment the following lines if you use "lilo -p" +#allow bootloader_t bootloader_etc_t:file manage_file_perms; +#files_etc_filetrans(bootloader_t,bootloader_etc_t,file) + +manage_dirs_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t) +manage_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t) +manage_lnk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t) +manage_blk_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t) +manage_chr_files_pattern(bootloader_t, bootloader_tmp_t, bootloader_tmp_t) +files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file blk_file }) +# for tune2fs (cjp: ?) 
+files_root_filetrans(bootloader_t, bootloader_tmp_t, file) + +kernel_getattr_core_if(bootloader_t) +kernel_read_network_state(bootloader_t) +kernel_read_system_state(bootloader_t) +kernel_read_software_raid_state(bootloader_t) +kernel_read_kernel_sysctls(bootloader_t) + +storage_raw_read_fixed_disk(bootloader_t) +storage_raw_write_fixed_disk(bootloader_t) +storage_raw_read_removable_device(bootloader_t) +storage_raw_write_removable_device(bootloader_t) + +dev_getattr_all_chr_files(bootloader_t) +dev_getattr_all_blk_files(bootloader_t) +dev_dontaudit_rw_generic_dev_nodes(bootloader_t) +dev_read_rand(bootloader_t) +dev_read_urand(bootloader_t) +dev_read_sysfs(bootloader_t) +# needed on some hardware +dev_rw_nvram(bootloader_t) + +fs_getattr_xattr_fs(bootloader_t) +fs_getattr_tmpfs(bootloader_t) +fs_read_tmpfs_symlinks(bootloader_t) +#Needed for ia64 +fs_manage_dos_files(bootloader_t) + +mls_file_read_all_levels(bootloader_t) +mls_file_write_all_levels(bootloader_t) + +term_getattr_all_ttys(bootloader_t) +term_dontaudit_manage_pty_dirs(bootloader_t) + +corecmd_exec_all_executables(bootloader_t) + +domain_use_interactive_fds(bootloader_t) + +files_create_boot_dirs(bootloader_t) +files_manage_boot_files(bootloader_t) +files_manage_boot_symlinks(bootloader_t) +files_read_etc_files(bootloader_t) +files_exec_etc_files(bootloader_t) +files_read_usr_src_files(bootloader_t) +files_read_usr_files(bootloader_t) +files_read_var_files(bootloader_t) +files_read_kernel_modules(bootloader_t) +# for nscd +files_dontaudit_search_pids(bootloader_t) +# for blkid.tab +files_manage_etc_runtime_files(bootloader_t) +files_etc_filetrans_etc_runtime(bootloader_t, file) +files_dontaudit_search_home(bootloader_t) + +init_getattr_initctl(bootloader_t) +init_use_script_ptys(bootloader_t) +init_use_script_fds(bootloader_t) +init_rw_script_pipes(bootloader_t) + +libs_read_lib_files(bootloader_t) +libs_exec_lib_files(bootloader_t) + +logging_send_syslog_msg(bootloader_t) 
+logging_rw_generic_logs(bootloader_t) + +miscfiles_read_localization(bootloader_t) + +modutils_domtrans_insmod_uncond(bootloader_t) + +seutil_read_bin_policy(bootloader_t) +seutil_read_loadpolicy(bootloader_t) +seutil_dontaudit_search_config(bootloader_t) + +userdom_use_user_terminals(bootloader_t) +userdom_dontaudit_search_user_home_dirs(bootloader_t) + +ifdef(`distro_debian',` + allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto }; + fs_list_tmpfs(bootloader_t) + + files_relabel_kernel_modules(bootloader_t) + files_relabelfrom_boot_files(bootloader_t) + files_delete_kernel_modules(bootloader_t) + files_relabelto_usr_files(bootloader_t) + files_search_var_lib(bootloader_t) + # for /usr/share/initrd-tools/scripts + files_exec_usr_files(bootloader_t) + + fstools_manage_entry_files(bootloader_t) + fstools_relabelto_entry_files(bootloader_t) + + libs_relabelto_lib_files(bootloader_t) +') + +ifdef(`distro_redhat',` + # for memlock + allow bootloader_t self:capability ipc_lock; + + # new file system defaults to file_t, granting file_t access is still bad. + allow bootloader_t boot_runtime_t:file { read_file_perms unlink }; + + # new file system defaults to file_t, granting file_t access is still bad. 
+ files_manage_isid_type_dirs(bootloader_t) + files_manage_isid_type_files(bootloader_t) + files_manage_isid_type_symlinks(bootloader_t) + files_manage_isid_type_blk_files(bootloader_t) + files_manage_isid_type_chr_files(bootloader_t) + + # for mke2fs + mount_domtrans(bootloader_t) + + optional_policy(` + unconfined_domain(bootloader_t) + ') +') + +optional_policy(` + fstools_exec(bootloader_t) +') + +optional_policy(` + hal_dontaudit_append_lib_files(bootloader_t) + hal_write_log(bootloader_t) +') + +optional_policy(` + kudzu_domtrans(bootloader_t) +') + +optional_policy(` + dev_rw_lvm_control(bootloader_t) + + lvm_domtrans(bootloader_t) + lvm_read_config(bootloader_t) +') + +optional_policy(` + modutils_exec_insmod(bootloader_t) + modutils_read_module_deps(bootloader_t) + modutils_read_module_config(bootloader_t) + modutils_exec_insmod(bootloader_t) + modutils_exec_depmod(bootloader_t) + modutils_exec_update_mods(bootloader_t) +') + +optional_policy(` + nscd_socket_use(bootloader_t) +') + +optional_policy(` + rpm_rw_pipes(bootloader_t) +') diff --git a/policy/modules/admin/brctl.fc b/policy/modules/admin/brctl.fc new file mode 100644 index 0000000..642f67e --- /dev/null +++ b/policy/modules/admin/brctl.fc @@ -0,0 +1 @@ +/usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0) diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if new file mode 100644 index 0000000..fdb453c --- /dev/null +++ b/policy/modules/admin/brctl.if 
@@ -0,0 +1,38 @@ +## <summary>Utilities for configuring the linux ethernet bridge</summary> + +######################################## +## <summary> +## Execute a domain transition to run brctl. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`brctl_domtrans',` + gen_require(` + type brctl_t, brctl_exec_t; + ') + + domtrans_pattern($1, brctl_exec_t, brctl_t) +') + +##################################### +## <summary> +## Execute brctl in the brctl domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`brctl_run',` + gen_require(` + type brctl_t, brctl_exec_t; + ') + + brctl_domtrans($1) + role $2 types brctl_t; +') diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te new file mode 100644 index 0000000..0ff3679 --- /dev/null +++ b/policy/modules/admin/brctl.te @@ -0,0 +1,45 @@ +policy_module(brctl, 1.5.0) + +######################################## +# +# Declarations +# + +type brctl_t; +type brctl_exec_t; +domain_type(brctl_t) +init_system_domain(brctl_t, brctl_exec_t) + +######################################## +# +# brctl local policy +# + +allow brctl_t self:capability net_admin; +allow brctl_t self:fifo_file rw_file_perms; +allow brctl_t self:unix_stream_socket create_stream_socket_perms; +allow brctl_t self:unix_dgram_socket create_socket_perms; +allow brctl_t self:tcp_socket create_socket_perms; + +kernel_request_load_module(brctl_t) +kernel_read_network_state(brctl_t) +kernel_read_sysctl(brctl_t) + +corenet_rw_tun_tap_dev(brctl_t) + +dev_rw_sysfs(brctl_t) +dev_write_sysfs_dirs(brctl_t) + +# Init script handling +domain_use_interactive_fds(brctl_t) + +files_read_etc_files(brctl_t) + +term_dontaudit_use_console(brctl_t) + +miscfiles_read_localization(brctl_t) + +optional_policy(` + xen_append_log(brctl_t) + xen_dontaudit_rw_unix_stream_sockets(brctl_t) +') 
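Review bot: in anaconda.te the trailing `optional_policy(` unconfined_domain_noaudit(anaconda_t) `)` makes anaconda_t effectively unconfined on any build that ships the unconfined module, so the explicit rules above it (`allow anaconda_t self:process execmem;`, the domtrans calls, the userdom filetrans) only describe the domain's behaviour on builds without it. A comment stating which of the two is the intended posture, or a tunable around the unconfined grant, would let an auditor read the module's real privilege from the file.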
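Review bot: apt.if has an unresolved design question in `apt_manage_db`: the `# cjp: shouldnt this be manage_lnk_files?` comment sits over `rw_lnk_files_pattern` plus `delete_lnk_files_pattern`, which together omit create and rename, so either switch to `manage_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)` or state why symlink creation is excluded. `apt_rw_pipes` grants `allow $1 apt_t:fifo_file rw_file_perms;` while `apt_read_pipes` uses `read_fifo_file_perms`; `rw_fifo_file_perms` is the matching set. The `# TODO: likely have to add dpkg_run here.` in `apt_run` and the three `# TODO: enforce dpkg_*?` markers are open questions landing in a new module and should be answered or turned into tracked issues before merge.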
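Review bot: the `# TODO: really allow all these?` in apt.te should be answered in this commit rather than carried into the tree: `corenet_tcp_bind_generic_node`, `corenet_udp_bind_generic_node` and `corenet_tcp_connect_all_ports` let a package fetcher bind listening sockets and reach every port, whereas its job needs outbound connections to repository and proxy ports only. The closing `optional_policy(` unconfined_domain(apt_t) `)` has the same effect as in anaconda.te and deserves the same comment or tunable. Minor style: `files_lock_filetrans(apt_t, apt_lock_t, {dir file})` lacks the spaces inside the braces that `files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })` on the following lines uses.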
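Review bot: backup.te combines `files_read_all_files(backup_t)`, `auth_read_shadow(backup_t)` and `corenet_tcp_connect_all_ports(backup_t)` in a domain that is entered from a cron job, so a misbehaving or replaced backup script can read /etc/shadow and send it to any host and port; if remote backup targets are the reason for the network rules, restricting the connect rule to the target's port type (or guarding it with a tunable) would bound that exposure and make the intent visible. Also `allow backup_t backup_store_t:file setattr;` and `rw_files_pattern(backup_t, backup_store_t, backup_store_t)` are both subsumed by `manage_files_pattern(backup_t, backup_store_t, backup_store_t)` between them and can be dropped.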
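Review bot: the documentation on `bootloader_create_runtime_file` in bootloader.if is a copy of the `bootloader_rw_tmp_files` summary ("Read and write the bootloader temporary data in /tmp."), but the body creates and writes `boot_runtime_t` files in /boot via `files_boot_filetrans($1, boot_runtime_t, file)`; the summary should describe that. `bootloader_rw_config` carries `<rolecap/>` although it takes no role parameter, and the `# FIXME: read tmp_t dir` in `bootloader_rw_tmp_files` is still open, so callers of that interface will hit a denial searching /tmp that the FIXME already predicts.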
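Review bot: `modutils_exec_insmod(bootloader_t)` appears twice in the last modutils `optional_policy` block of bootloader.te; drop the duplicate. `type var_log_ksyms_t;` is declared under a comment saying it probably can be removed, and nothing else in this hunk or in bootloader.fc uses or labels it, so either remove the type or add its file context. In the `distro_redhat` block the `files_manage_isid_type_*` grants and the nested `unconfined_domain(bootloader_t)` sit beneath a comment that itself says granting that access "is still bad"; a note on which tool needs it, or a tunable, would make that trade-off reviewable. `# for tune2fs (cjp: ?)` over `files_root_filetrans` is another unresolved question.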
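Review bot: `brctl_run` in brctl.if uses `$2` in `role $2 types brctl_t;` but its comment block declares only the `domain` parameter and has no `<rolecap/>`, so the generated interface documentation will be wrong and the role-capable tools will not see it; add the `<param name="role">` entry and the tag, as `backup_run` and `bootloader_run` in this same patch do. Its `gen_require` also lists `brctl_exec_t`, which only `brctl_domtrans` needs. The section separator above it is shorter than the 40-character `####` rule used everywhere else.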
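Review bot: in brctl.te `domain_type(brctl_t)` is followed by `init_system_domain(brctl_t, brctl_exec_t)`; apt.te in this same patch relies on `init_system_domain` alone for the same declarations, so one of the two calls is redundant here and the modules should agree. `allow brctl_t self:fifo_file rw_file_perms;` should be `rw_fifo_file_perms` for consistency with the fifo_file rules in the other new domains.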
diff --git a/policy/modules/admin/certwatch.fc b/policy/modules/admin/certwatch.fc new file mode 100644 index 0000000..b8a3414 --- /dev/null +++ b/policy/modules/admin/certwatch.fc @@ -0,0 +1 @@ +/usr/bin/certwatch -- gen_context(system_u:object_r:certwatch_exec_t,s0) diff --git a/policy/modules/admin/certwatch.if b/policy/modules/admin/certwatch.if new file mode 100644 index 0000000..953451a --- /dev/null +++ b/policy/modules/admin/certwatch.if 
@@ -0,0 +1,78 @@ +## <summary>Digital Certificate Tracking</summary> + +######################################## +## <summary> +## Domain transition to certwatch. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`certwatch_domtrans',` + gen_require(` + type certwatch_exec_t, certwatch_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, certwatch_exec_t, certwatch_t) +') + +######################################## +## <summary> +## Execute certwatch in the certwatch domain, and +## allow the specified role the certwatch domain, +## and use the caller's terminal. Has a sigchld +## backchannel. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`certwatch_run',` + gen_require(` + type certwatch_t; + ') + + certwatch_domtrans($1) + role $2 types certwatch_t; +') + +######################################## +## <summary> +## Execute certwatch in the certwatch domain, and +## allow the specified role the certwatch domain, +## and use the caller's terminal. Has a sigchld +## backchannel. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <param name="terminal"> +## <summary> +## The type of the terminal allow the certwatch domain to use. +## </summary> +## </param> +## <rolecap/> +# +interface(`certwatach_run',` + refpolicywarn(`$0($*) has been deprecated, please use certwatch_run() instead.') + certwatch_run($*) +') diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te new file mode 100644 index 0000000..cec5c56 --- /dev/null +++ b/policy/modules/admin/certwatch.te 
@@ -0,0 +1,53 @@ +policy_module(certwatch, 1.5.2) + +######################################## +# +# Declarations +# + +type certwatch_t; +type certwatch_exec_t; +application_domain(certwatch_t, certwatch_exec_t) +role system_r types certwatch_t; + +######################################## +# +# Local policy +# +allow certwatch_t self:capability sys_nice; +allow certwatch_t self:process { setsched getsched }; + +dev_read_urand(certwatch_t) + +files_read_etc_files(certwatch_t) +files_read_usr_files(certwatch_t) +files_read_usr_symlinks(certwatch_t) +files_list_tmp(certwatch_t) + +fs_list_inotifyfs(certwatch_t) + +auth_manage_cache(certwatch_t) +auth_var_filetrans_cache(certwatch_t) + +logging_send_syslog_msg(certwatch_t) + +miscfiles_read_generic_certs(certwatch_t) +miscfiles_read_localization(certwatch_t) + +userdom_use_user_terminals(certwatch_t) +userdom_dontaudit_list_admin_dir(certwatch_t) + +optional_policy(` + apache_exec_modules(certwatch_t) + apache_read_config(certwatch_t) +') + +optional_policy(` + cron_system_entry(certwatch_t, certwatch_exec_t) +') + +optional_policy(` + pcscd_domtrans(certwatch_t) + pcscd_stream_connect(certwatch_t) + pcscd_read_pub_files(certwatch_t) +') diff --git a/policy/modules/admin/consoletype.fc b/policy/modules/admin/consoletype.fc new file mode 100644 index 0000000..b7f053b --- /dev/null +++ b/policy/modules/admin/consoletype.fc @@ -0,0 +1,2 @@ + +/sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0) diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if new file mode 100644 index 0000000..0f57d3b --- /dev/null +++ b/policy/modules/admin/consoletype.if 
@@ -0,0 +1,71 @@ +## <summary> +## Determine of the console connected to the controlling terminal. +## </summary> + +######################################## +## <summary> +## Execute consoletype in the consoletype domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`consoletype_domtrans',` + gen_require(` + type consoletype_t, consoletype_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, consoletype_exec_t, consoletype_t) + + ifdef(`hide_broken_symptoms', ` + dontaudit consoletype_t $1:socket_class_set { read write }; + ') +') + +######################################## +## <summary> +## Execute consoletype in the consoletype domain, and +## allow the specified role the consoletype domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`consoletype_run',` + gen_require(` + type consoletype_t; + ') + + consoletype_domtrans($1) + role $2 types consoletype_t; +') + +######################################## +## <summary> +## Execute consoletype in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`consoletype_exec',` + gen_require(` + type consoletype_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, consoletype_exec_t) +') diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te new file mode 100644 index 0000000..a370656 --- /dev/null +++ b/policy/modules/admin/consoletype.te 
@@ -0,0 +1,118 @@ +policy_module(consoletype, 1.9.1) + +######################################## +# +# Declarations +# + +type consoletype_t; +type consoletype_exec_t; +application_executable_file(consoletype_exec_t) +init_domain(consoletype_t, consoletype_exec_t) +init_system_domain(consoletype_t, consoletype_exec_t) +role system_r types consoletype_t; + +######################################## +# +# Local declarations +# + +allow consoletype_t self:capability { sys_admin sys_tty_config }; +allow consoletype_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow consoletype_t self:fd use; +allow consoletype_t self:fifo_file rw_fifo_file_perms; +allow consoletype_t self:sock_file read_sock_file_perms; +allow consoletype_t self:unix_dgram_socket create_socket_perms; +allow consoletype_t self:unix_stream_socket create_stream_socket_perms; +allow consoletype_t self:unix_dgram_socket sendto; +allow consoletype_t self:unix_stream_socket connectto; +allow consoletype_t self:shm create_shm_perms; +allow consoletype_t self:sem create_sem_perms; +allow consoletype_t self:msgq create_msgq_perms; +allow consoletype_t self:msg { send receive }; + +kernel_use_fds(consoletype_t) +kernel_dontaudit_read_system_state(consoletype_t) + +fs_getattr_all_fs(consoletype_t) +fs_search_auto_mountpoints(consoletype_t) +fs_write_nfs_files(consoletype_t) +fs_list_inotifyfs(consoletype_t) + +mls_file_read_all_levels(consoletype_t) +mls_file_write_all_levels(consoletype_t) + +term_use_all_terms(consoletype_t) + +init_use_fds(consoletype_t) +init_use_script_ptys(consoletype_t) +init_use_script_fds(consoletype_t) +init_rw_script_pipes(consoletype_t) + +domain_use_interactive_fds(consoletype_t) + +files_dontaudit_read_root_files(consoletype_t) +files_list_usr(consoletype_t) + +userdom_use_user_terminals(consoletype_t) + +ifdef(`distro_redhat',` + fs_rw_tmpfs_chr_files(consoletype_t) +') + +optional_policy(` + apm_use_fds(consoletype_t) + 
apm_write_pipes(consoletype_t) +') + +optional_policy(` + auth_read_pam_pid(consoletype_t) +') + +optional_policy(` + cron_read_pipes(consoletype_t) + cron_use_system_job_fds(consoletype_t) +') + +optional_policy(` + files_read_etc_files(consoletype_t) + firstboot_use_fds(consoletype_t) + firstboot_rw_pipes(consoletype_t) +') + +optional_policy(` + hal_dontaudit_leaks(consoletype_t) +') + +optional_policy(` + hotplug_dontaudit_use_fds(consoletype_t) +') + +optional_policy(` + logrotate_dontaudit_use_fds(consoletype_t) +') + +optional_policy(` + lpd_read_config(consoletype_t) +') + +optional_policy(` + nis_use_ypbind(consoletype_t) +') + +optional_policy(` + # Commonly used from postinst scripts + rpm_read_pipes(consoletype_t) +') + +optional_policy(` + userdom_use_unpriv_users_fds(consoletype_t) +') + +optional_policy(` + kernel_read_xen_state(consoletype_t) + kernel_write_xen_state(consoletype_t) + xen_append_log(consoletype_t) + xen_dontaudit_rw_unix_stream_sockets(consoletype_t) + xen_dontaudit_use_fds(consoletype_t) +') diff --git a/policy/modules/admin/ddcprobe.fc b/policy/modules/admin/ddcprobe.fc new file mode 100644 index 0000000..49e6a25 --- /dev/null +++ b/policy/modules/admin/ddcprobe.fc @@ -0,0 +1,4 @@ +# +# /usr +# +/usr/sbin/ddcprobe -- gen_context(system_u:object_r:ddcprobe_exec_t,s0) diff --git a/policy/modules/admin/ddcprobe.if b/policy/modules/admin/ddcprobe.if new file mode 100644 index 0000000..9868652 --- /dev/null +++ b/policy/modules/admin/ddcprobe.if 
@@ -0,0 +1,45 @@ +## <summary>ddcprobe retrieves monitor and graphics card information</summary> + +######################################## +## <summary> +## Execute ddcprobe in the ddcprobe domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ddcprobe_domtrans',` + gen_require(` + type ddcprobe_t, ddcprobe_exec_t; + ') + + domtrans_pattern($1, ddcprobe_exec_t, ddcprobe_t) +') + +######################################## +## <summary> +## Execute ddcprobe in the ddcprobe domain, and +## allow the specified role the ddcprobe domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role to be authenticated for ddcprobe domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`ddcprobe_run',` + gen_require(` + type ddcprobe_t; + ') + + ddcprobe_domtrans($1) + role $2 types ddcprobe_t; +') diff --git a/policy/modules/admin/ddcprobe.te b/policy/modules/admin/ddcprobe.te new file mode 100644 index 0000000..5e062bc --- /dev/null +++ b/policy/modules/admin/ddcprobe.te 
@@ -0,0 +1,51 @@ +policy_module(ddcprobe, 1.2.0) + +######################################## +# +# Declarations +# + +type ddcprobe_t; +type ddcprobe_exec_t; +application_domain(ddcprobe_t, ddcprobe_exec_t) +role system_r types ddcprobe_t; + +######################################## +# +# Local policy +# + +allow ddcprobe_t self:capability { sys_rawio sys_admin }; +allow ddcprobe_t self:process execmem; + +kernel_read_system_state(ddcprobe_t) +kernel_read_kernel_sysctls(ddcprobe_t) +kernel_change_ring_buffer_level(ddcprobe_t) + +files_search_kernel_modules(ddcprobe_t) + +corecmd_list_bin(ddcprobe_t) +corecmd_exec_bin(ddcprobe_t) + +dev_read_urand(ddcprobe_t) +dev_read_raw_memory(ddcprobe_t) +dev_wx_raw_memory(ddcprobe_t) + +files_read_etc_files(ddcprobe_t) +files_read_etc_runtime_files(ddcprobe_t) +files_read_usr_files(ddcprobe_t) + +term_use_all_ttys(ddcprobe_t) +term_use_all_ptys(ddcprobe_t) + +libs_read_lib_files(ddcprobe_t) + +miscfiles_read_localization(ddcprobe_t) + +modutils_read_module_deps(ddcprobe_t) + +userdom_use_user_terminals(ddcprobe_t) +userdom_use_all_users_fds(ddcprobe_t) + +#reh why? this does not seem even necessary to function properly +kudzu_getattr_exec_files(ddcprobe_t) diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc new file mode 100644 index 0000000..d6cc2d9 --- /dev/null +++ b/policy/modules/admin/dmesg.fc @@ -0,0 +1,2 @@ + +/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if new file mode 100644 index 0000000..e1973c7 --- /dev/null +++ b/policy/modules/admin/dmesg.if 
@@ -0,0 +1,40 @@ +## <summary>Policy for dmesg.</summary> + +######################################## +## <summary> +## Execute dmesg in the dmesg domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`dmesg_domtrans',` + gen_require(` + type dmesg_t, dmesg_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, dmesg_exec_t, dmesg_t) +') + +######################################## +## <summary> +## Execute dmesg in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`dmesg_exec',` + gen_require(` + type dmesg_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, dmesg_exec_t) +') diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te new file mode 100644 index 0000000..5421065 --- /dev/null +++ b/policy/modules/admin/dmesg.te 
@@ -0,0 +1,64 @@ +policy_module(dmesg, 1.3.0) + +######################################## +# +# Declarations +# + +type dmesg_t; +type dmesg_exec_t; +init_system_domain(dmesg_t, dmesg_exec_t) + +######################################## +# +# Local policy +# + +allow dmesg_t self:capability sys_admin; +dontaudit dmesg_t self:capability sys_tty_config; + +allow dmesg_t self:process signal_perms; + +kernel_read_kernel_sysctls(dmesg_t) +kernel_read_ring_buffer(dmesg_t) +kernel_clear_ring_buffer(dmesg_t) +kernel_change_ring_buffer_level(dmesg_t) +kernel_list_proc(dmesg_t) +kernel_read_proc_symlinks(dmesg_t) + +dev_read_sysfs(dmesg_t) + +fs_search_auto_mountpoints(dmesg_t) + +term_dontaudit_use_console(dmesg_t) + +domain_use_interactive_fds(dmesg_t) + +files_list_etc(dmesg_t) +# for when /usr is not mounted: +files_dontaudit_search_isid_type_dirs(dmesg_t) + +init_use_fds(dmesg_t) +init_use_script_ptys(dmesg_t) + +logging_send_syslog_msg(dmesg_t) +logging_write_generic_logs(dmesg_t) + +miscfiles_read_localization(dmesg_t) + +userdom_dontaudit_use_unpriv_user_fds(dmesg_t) +userdom_use_user_terminals(dmesg_t) + +optional_policy(` + abrt_cache_append(dmesg_t) + abrt_rw_fifo_file(dmesg_t) + abrt_manage_pid_files(dmesg_t) +') + +optional_policy(` + seutil_sigchld_newrole(dmesg_t) +') + +optional_policy(` + udev_read_db(dmesg_t) +') diff --git a/policy/modules/admin/dmidecode.fc b/policy/modules/admin/dmidecode.fc new file mode 100644 index 0000000..016e6b8 --- /dev/null +++ b/policy/modules/admin/dmidecode.fc @@ -0,0 +1,4 @@ + +/usr/sbin/dmidecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0) +/usr/sbin/ownership -- gen_context(system_u:object_r:dmidecode_exec_t,s0) +/usr/sbin/vpddecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0) diff --git a/policy/modules/admin/dmidecode.if b/policy/modules/admin/dmidecode.if new file mode 100644 index 0000000..4bf435c --- /dev/null +++ b/policy/modules/admin/dmidecode.if 
@@ -0,0 +1,50 @@ +## <summary>Decode DMI data for x86/ia64 bioses.</summary> + +######################################## +## <summary> +## Execute dmidecode in the dmidecode domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`dmidecode_domtrans',` + gen_require(` + type dmidecode_t, dmidecode_exec_t; + ') + + domain_auto_trans($1, dmidecode_exec_t, dmidecode_t) + + allow $1 dmidecode_t:fd use; + allow dmidecode_t $1:fd use; + allow dmidecode_t $1:fifo_file rw_file_perms; + allow dmidecode_t $1:process sigchld; +') + +######################################## +## <summary> +## Execute dmidecode in the dmidecode domain, and +## allow the specified role the dmidecode domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`dmidecode_run',` + gen_require(` + type dmidecode_t; + ') + + dmidecode_domtrans($1) + role $2 types dmidecode_t; +') diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te new file mode 100644 index 0000000..d6356b5 --- /dev/null +++ b/policy/modules/admin/dmidecode.te @@ -0,0 +1,30 @@ +policy_module(dmidecode, 1.4.0) + +######################################## +# +# Declarations +# + +type dmidecode_t; +type dmidecode_exec_t; +application_domain(dmidecode_t, dmidecode_exec_t) +role system_r types dmidecode_t; + +######################################## +# +# Local policy +# + +allow dmidecode_t self:capability sys_rawio; + +dev_read_sysfs(dmidecode_t) +# Allow dmidecode to read /dev/mem +dev_read_raw_memory(dmidecode_t) + +mls_file_read_all_levels(dmidecode_t) + +files_list_usr(dmidecode_t) + +locallogin_use_fds(dmidecode_t) + +userdom_use_user_terminals(dmidecode_t) 
diff --git a/policy/modules/admin/dpkg.fc b/policy/modules/admin/dpkg.fc new file mode 100644 index 0000000..6d0f9ee --- /dev/null +++ b/policy/modules/admin/dpkg.fc @@ -0,0 +1,12 @@ +# Debian package manager +/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0) +/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0) +# not sure if dselect should be in apt instead? +/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0) + +/var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0) +# lockfile is treated specially, since used by apt, too +/var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0) + +/usr/sbin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0) +/usr/sbin/dpkg-reconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0) diff --git a/policy/modules/admin/dpkg.if b/policy/modules/admin/dpkg.if new file mode 100644 index 0000000..9317171 --- /dev/null +++ b/policy/modules/admin/dpkg.if 
@@ -0,0 +1,226 @@ +## <summary>Policy for the Debian package manager.</summary> +# TODO: need debconf policy +# TODO: need install-menu policy + +######################################## +## <summary> +## Execute dpkg programs in the dpkg domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`dpkg_domtrans',` + gen_require(` + type dpkg_t, dpkg_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, dpkg_exec_t, dpkg_t) +') + +######################################## +## <summary> +## Execute dpkg_script programs in the dpkg_script domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`dpkg_domtrans_script',` + gen_require(` + type dpkg_script_t; + ') + + # transition to dpkg script: + corecmd_shell_domtrans($1, dpkg_script_t) + allow dpkg_script_t $1:fd use; + allow dpkg_script_t $1:fifo_file rw_file_perms; + allow dpkg_script_t $1:process sigchld; +') + +######################################## +## <summary> +## Execute dpkg programs in the dpkg domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the dpkg domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`dpkg_run',` + gen_require(` + type dpkg_t, dpkg_script_t; + ') + + dpkg_domtrans($1) + role $2 types dpkg_t; + role $2 types dpkg_script_t; + seutil_run_loadpolicy(dpkg_script_t, $2) +') + +######################################## +## <summary> +## Inherit and use file descriptors from dpkg. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dpkg_use_fds',` + gen_require(` + type dpkg_t; + ') + + allow $1 dpkg_t:fd use; +') + +######################################## +## <summary> +## Read from an unnamed dpkg pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dpkg_read_pipes',` + gen_require(` + type dpkg_t; + ') + + allow $1 dpkg_t:fifo_file read_fifo_file_perms; +') + +######################################## +## <summary> +## Read and write an unnamed dpkg pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dpkg_rw_pipes',` + gen_require(` + type dpkg_t; + ') + + allow $1 dpkg_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## <summary> +## Inherit and use file descriptors from dpkg scripts. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dpkg_use_script_fds',` + gen_require(` + type dpkg_script_t; + ') + + allow $1 dpkg_script_t:fd use; +') + +######################################## +## <summary> +## Read the dpkg package database. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dpkg_read_db',` + gen_require(` + type dpkg_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 dpkg_var_lib_t:dir list_dir_perms; + read_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) + read_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) +') + +######################################## +## <summary> +## Create, read, write, and delete the dpkg package database. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dpkg_manage_db',` + gen_require(` + type dpkg_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) + manage_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) +') + +######################################## +## <summary> +## Do not audit attempts to create, read, +## write, and delete the dpkg package database. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dpkg_dontaudit_manage_db',` + gen_require(` + type dpkg_var_lib_t; + ') + + dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms; + dontaudit $1 dpkg_var_lib_t:file manage_file_perms; + dontaudit $1 dpkg_var_lib_t:lnk_file manage_lnk_file_perms; +') + +######################################## +## <summary> +## Lock the dpkg package database. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dpkg_lock_db',` + gen_require(` + type dpkg_lock_t, dpkg_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 dpkg_var_lib_t:dir list_dir_perms; + allow $1 dpkg_lock_t:file manage_file_perms; +') diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te new file mode 100644 index 0000000..6776b69 --- /dev/null +++ b/policy/modules/admin/dpkg.te 
@@ -0,0 +1,338 @@ +policy_module(dpkg, 1.7.0) + +######################################## +# +# Declarations +# + +type dpkg_t; +type dpkg_exec_t; +# dpkg can start/stop services +init_system_domain(dpkg_t, dpkg_exec_t) +# dpkg can change file labels, roles, IO +domain_obj_id_change_exemption(dpkg_t) +domain_role_change_exemption(dpkg_t) +domain_system_change_exemption(dpkg_t) +domain_interactive_fd(dpkg_t) +role system_r types dpkg_t; + +# lockfile +type dpkg_lock_t; +files_type(dpkg_lock_t) + +type dpkg_tmp_t; +files_tmp_file(dpkg_tmp_t) + +type dpkg_tmpfs_t; +files_tmpfs_file(dpkg_tmpfs_t) + +# status files +type dpkg_var_lib_t alias var_lib_dpkg_t; +files_type(dpkg_var_lib_t) + +# package scripts +type dpkg_script_t; +domain_type(dpkg_script_t) +domain_entry_file(dpkg_t, dpkg_var_lib_t) +corecmd_shell_entry_type(dpkg_script_t) +domain_obj_id_change_exemption(dpkg_script_t) +domain_system_change_exemption(dpkg_script_t) +domain_interactive_fd(dpkg_script_t) +role system_r types dpkg_script_t; + +type dpkg_script_tmp_t; +files_tmp_file(dpkg_script_tmp_t) + +type dpkg_script_tmpfs_t; +files_tmpfs_file(dpkg_script_tmpfs_t) + +######################################## +# +# dpkg Local policy +# + +allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable }; +allow dpkg_t self:process { setpgid fork getsched setfscreate }; +allow dpkg_t self:fd use; +allow dpkg_t self:fifo_file rw_fifo_file_perms; +allow dpkg_t self:unix_dgram_socket create_socket_perms; +allow dpkg_t self:unix_stream_socket rw_stream_socket_perms; +allow dpkg_t self:unix_dgram_socket sendto; +allow dpkg_t self:unix_stream_socket connectto; +allow dpkg_t self:udp_socket { connect create_socket_perms }; +allow dpkg_t self:tcp_socket create_stream_socket_perms; +allow dpkg_t self:shm create_shm_perms; +allow dpkg_t self:sem create_sem_perms; +allow dpkg_t self:msgq create_msgq_perms; +allow dpkg_t self:msg { send receive 
}; + +allow dpkg_t dpkg_lock_t:file manage_file_perms; + +manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) +manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) +files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir }) + +manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) +manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) +manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) +manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) +manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) +fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +# Access /var/lib/dpkg files +manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t) +files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir) + +kernel_read_system_state(dpkg_t) +kernel_read_kernel_sysctls(dpkg_t) + +corecmd_exec_all_executables(dpkg_t) + +# TODO: do we really need all networking? +corenet_all_recvfrom_unlabeled(dpkg_t) +corenet_all_recvfrom_netlabel(dpkg_t) +corenet_tcp_sendrecv_generic_if(dpkg_t) +corenet_raw_sendrecv_generic_if(dpkg_t) +corenet_udp_sendrecv_generic_if(dpkg_t) +corenet_tcp_sendrecv_generic_node(dpkg_t) +corenet_raw_sendrecv_generic_node(dpkg_t) +corenet_udp_sendrecv_generic_node(dpkg_t) +corenet_tcp_sendrecv_all_ports(dpkg_t) +corenet_udp_sendrecv_all_ports(dpkg_t) +corenet_tcp_connect_all_ports(dpkg_t) +corenet_sendrecv_all_client_packets(dpkg_t) + +dev_list_sysfs(dpkg_t) +dev_list_usbfs(dpkg_t) +dev_read_urand(dpkg_t) +#devices_manage_all_device_types(dpkg_t) + +domain_read_all_domains_state(dpkg_t) +domain_getattr_all_domains(dpkg_t) +domain_dontaudit_ptrace_all_domains(dpkg_t) +domain_use_interactive_fds(dpkg_t) +domain_dontaudit_getattr_all_pipes(dpkg_t) +domain_dontaudit_getattr_all_tcp_sockets(dpkg_t) +domain_dontaudit_getattr_all_udp_sockets(dpkg_t) +domain_dontaudit_getattr_all_packet_sockets(dpkg_t) +domain_dontaudit_getattr_all_raw_sockets(dpkg_t) +domain_dontaudit_getattr_all_stream_sockets(dpkg_t) 
+domain_dontaudit_getattr_all_dgram_sockets(dpkg_t) + +fs_manage_nfs_dirs(dpkg_t) +fs_manage_nfs_files(dpkg_t) +fs_manage_nfs_symlinks(dpkg_t) +fs_getattr_all_fs(dpkg_t) +fs_search_auto_mountpoints(dpkg_t) + +mls_file_read_all_levels(dpkg_t) +mls_file_write_all_levels(dpkg_t) +mls_file_upgrade(dpkg_t) + +selinux_get_fs_mount(dpkg_t) +selinux_validate_context(dpkg_t) +selinux_compute_access_vector(dpkg_t) +selinux_compute_create_context(dpkg_t) +selinux_compute_relabel_context(dpkg_t) +selinux_compute_user_contexts(dpkg_t) + +storage_raw_write_fixed_disk(dpkg_t) +# for installing kernel packages +storage_raw_read_fixed_disk(dpkg_t) + +auth_relabel_all_files_except_shadow(dpkg_t) +auth_manage_all_files_except_shadow(dpkg_t) +auth_dontaudit_read_shadow(dpkg_t) + +files_exec_etc_files(dpkg_t) + +init_domtrans_script(dpkg_t) +init_use_script_ptys(dpkg_t) + +libs_exec_ld_so(dpkg_t) +libs_exec_lib_files(dpkg_t) +libs_domtrans_ldconfig(dpkg_t) + +logging_send_syslog_msg(dpkg_t) + +# allow compiling and loading new policy +seutil_manage_src_policy(dpkg_t) +seutil_manage_bin_policy(dpkg_t) + +sysnet_read_config(dpkg_t) + +userdom_use_user_terminals(dpkg_t) +userdom_use_unpriv_users_fds(dpkg_t) + +# transition to dpkg script: +dpkg_domtrans_script(dpkg_t) +# since the scripts aren't labeled correctly yet... +allow dpkg_t dpkg_var_lib_t:file mmap_file_perms; + +optional_policy(` + apt_use_ptys(dpkg_t) +') + +# TODO: allow? +#optional_policy(` +# cron_system_entry(dpkg_t,dpkg_exec_t) +#') + +optional_policy(` + nis_use_ypbind(dpkg_t) +') + +optional_policy(` + unconfined_domain(dpkg_t) +') + +# TODO: the following was copied from dpkg_script_t, and could probably +# be removed again when dpkg_script_t is actually used... 
+domain_signal_all_domains(dpkg_t) +domain_signull_all_domains(dpkg_t) +files_read_etc_runtime_files(dpkg_t) +files_exec_usr_files(dpkg_t) +miscfiles_read_localization(dpkg_t) +modutils_domtrans_depmod(dpkg_t) +modutils_domtrans_insmod(dpkg_t) +seutil_domtrans_loadpolicy(dpkg_t) +seutil_domtrans_setfiles(dpkg_t) +userdom_use_all_users_fds(dpkg_t) +optional_policy(` + mta_send_mail(dpkg_t) +') +optional_policy(` + usermanage_domtrans_groupadd(dpkg_t) + usermanage_domtrans_useradd(dpkg_t) +') + +######################################## +# +# dpkg-script Local policy +# +# TODO: actually use dpkg_script_t + +allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; +allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow dpkg_script_t self:fd use; +allow dpkg_script_t self:fifo_file rw_fifo_file_perms; +allow dpkg_script_t self:unix_dgram_socket create_socket_perms; +allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms; +allow dpkg_script_t self:unix_dgram_socket sendto; +allow dpkg_script_t self:unix_stream_socket connectto; +allow dpkg_script_t self:shm create_shm_perms; +allow dpkg_script_t self:sem create_sem_perms; +allow dpkg_script_t self:msgq create_msgq_perms; +allow dpkg_script_t self:msg { send receive }; + +allow dpkg_script_t dpkg_tmp_t:file read_file_perms; + +allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton }; +allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms; +files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir }) + +allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms; +allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms; +allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms; +allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms; +allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file 
manage_fifo_file_perms; +fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +kernel_read_kernel_sysctls(dpkg_script_t) +kernel_read_system_state(dpkg_script_t) + +corecmd_exec_all_executables(dpkg_script_t) + +dev_list_sysfs(dpkg_script_t) +# ideally we would not need this +dev_manage_generic_blk_files(dpkg_script_t) +dev_manage_generic_chr_files(dpkg_script_t) +dev_manage_all_blk_files(dpkg_script_t) +dev_manage_all_chr_files(dpkg_script_t) + +domain_read_all_domains_state(dpkg_script_t) +domain_getattr_all_domains(dpkg_script_t) +domain_dontaudit_ptrace_all_domains(dpkg_script_t) +domain_use_interactive_fds(dpkg_script_t) +domain_signal_all_domains(dpkg_script_t) +domain_signull_all_domains(dpkg_script_t) + +files_exec_etc_files(dpkg_script_t) +files_read_etc_runtime_files(dpkg_script_t) +files_exec_usr_files(dpkg_script_t) + +fs_manage_nfs_files(dpkg_script_t) +fs_getattr_nfs(dpkg_script_t) +# why is this not using mount? +fs_getattr_xattr_fs(dpkg_script_t) +fs_mount_xattr_fs(dpkg_script_t) +fs_unmount_xattr_fs(dpkg_script_t) +fs_search_auto_mountpoints(dpkg_script_t) + +mls_file_read_all_levels(dpkg_script_t) +mls_file_write_all_levels(dpkg_script_t) + +selinux_get_fs_mount(dpkg_script_t) +selinux_validate_context(dpkg_script_t) +selinux_compute_access_vector(dpkg_script_t) +selinux_compute_create_context(dpkg_script_t) +selinux_compute_relabel_context(dpkg_script_t) +selinux_compute_user_contexts(dpkg_script_t) + +storage_raw_read_fixed_disk(dpkg_script_t) +storage_raw_write_fixed_disk(dpkg_script_t) + +term_use_all_terms(dpkg_script_t) + +auth_dontaudit_getattr_shadow(dpkg_script_t) +# ideally we would not need this +auth_manage_all_files_except_shadow(dpkg_script_t) + +init_domtrans_script(dpkg_script_t) +init_use_script_fds(dpkg_script_t) + +libs_exec_ld_so(dpkg_script_t) +libs_exec_lib_files(dpkg_script_t) +libs_domtrans_ldconfig(dpkg_script_t) + +logging_send_syslog_msg(dpkg_script_t) + 
+miscfiles_read_localization(dpkg_script_t) + +modutils_domtrans_depmod(dpkg_script_t) +modutils_domtrans_insmod(dpkg_script_t) + +seutil_domtrans_loadpolicy(dpkg_script_t) +seutil_domtrans_setfiles(dpkg_script_t) + +userdom_use_all_users_fds(dpkg_script_t) + +tunable_policy(`allow_execmem',` + allow dpkg_script_t self:process execmem; +') + +optional_policy(` + apt_rw_pipes(dpkg_script_t) + apt_use_fds(dpkg_script_t) +') + +optional_policy(` + bootloader_domtrans(dpkg_script_t) +') + +optional_policy(` + mta_send_mail(dpkg_script_t) +') + +optional_policy(` + nis_use_ypbind(dpkg_script_t) +') + +optional_policy(` + unconfined_domain(dpkg_script_t) +') + +optional_policy(` + usermanage_domtrans_groupadd(dpkg_script_t) + usermanage_domtrans_useradd(dpkg_script_t) +') diff --git a/policy/modules/admin/firstboot.fc b/policy/modules/admin/firstboot.fc new file mode 100644 index 0000000..ba614e4 --- /dev/null +++ b/policy/modules/admin/firstboot.fc @@ -0,0 +1,3 @@ +/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0) + +/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0) diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if new file mode 100644 index 0000000..8fa451c --- /dev/null +++ b/policy/modules/admin/firstboot.if 
@@ -0,0 +1,157 @@ +## <summary> +## Final system configuration run during the first boot +## after installation of Red Hat/Fedora systems. +## </summary> + +######################################## +## <summary> +## Execute firstboot in the firstboot domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`firstboot_domtrans',` + gen_require(` + type firstboot_t, firstboot_exec_t; + ') + + domtrans_pattern($1, firstboot_exec_t, firstboot_t) +') + +######################################## +## <summary> +## Execute firstboot in the firstboot domain, and +## allow the specified role the firstboot domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`firstboot_run',` + gen_require(` + type firstboot_t; + ') + + firstboot_domtrans($1) + role $2 types firstboot_t; +') + +######################################## +## <summary> +## Inherit and use a file descriptor from firstboot. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`firstboot_use_fds',` + gen_require(` + type firstboot_t; + ') + + allow $1 firstboot_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to inherit a +## file descriptor from firstboot. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`firstboot_dontaudit_use_fds',` + gen_require(` + type firstboot_t; + ') + + dontaudit $1 firstboot_t:fd use; +') + +######################################## +## <summary> +## Write to a firstboot unnamed pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`firstboot_write_pipes',` + gen_require(` + type firstboot_t; + ') + + allow $1 firstboot_t:fifo_file write; +') + +######################################## +## <summary> +## Read and Write to a firstboot unnamed pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`firstboot_rw_pipes',` + gen_require(` + type firstboot_t; + ') + + allow $1 firstboot_t:fifo_file { read write }; +') + +######################################## +## <summary> +## Do not audit attemps to read and write to a firstboot unnamed pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`firstboot_dontaudit_rw_pipes',` + gen_require(` + type firstboot_t; + ') + + dontaudit $1 firstboot_t:fifo_file { read write }; +') + +######################################## +## <summary> +## Do not audit attemps to read and write to a firstboot +## unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`firstboot_dontaudit_rw_stream_sockets',` + gen_require(` + type firstboot_t; + ') + + dontaudit $1 firstboot_t:unix_stream_socket { read write }; +') diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te new file mode 100644 index 0000000..bfda8e9 --- /dev/null +++ b/policy/modules/admin/firstboot.te 
@@ -0,0 +1,140 @@ +policy_module(firstboot, 1.11.2) + +gen_require(` + class passwd rootok; +') + +######################################## +# +# Declarations +# + +type firstboot_t; +type firstboot_exec_t; +init_system_domain(firstboot_t, firstboot_exec_t) +domain_obj_id_change_exemption(firstboot_t) +domain_subj_id_change_exemption(firstboot_t) +role system_r types firstboot_t; + +type firstboot_etc_t; +files_config_file(firstboot_etc_t) + +######################################## +# +# Local policy +# + +allow firstboot_t self:capability { dac_override setgid }; +allow firstboot_t self:process setfscreate; +allow firstboot_t self:fifo_file rw_fifo_file_perms; +allow firstboot_t self:tcp_socket create_stream_socket_perms; +allow firstboot_t self:unix_stream_socket { connect create }; +allow firstboot_t self:passwd rootok; + +allow firstboot_t firstboot_etc_t:file read_file_perms; + +kernel_read_system_state(firstboot_t) +kernel_read_kernel_sysctls(firstboot_t) + +corenet_all_recvfrom_unlabeled(firstboot_t) +corenet_all_recvfrom_netlabel(firstboot_t) +corenet_tcp_sendrecv_generic_if(firstboot_t) +corenet_tcp_sendrecv_generic_node(firstboot_t) +corenet_tcp_sendrecv_all_ports(firstboot_t) + +dev_read_urand(firstboot_t) + +selinux_get_fs_mount(firstboot_t) +selinux_validate_context(firstboot_t) +selinux_compute_access_vector(firstboot_t) +selinux_compute_create_context(firstboot_t) +selinux_compute_relabel_context(firstboot_t) +selinux_compute_user_contexts(firstboot_t) + +auth_dontaudit_getattr_shadow(firstboot_t) + +corecmd_exec_all_executables(firstboot_t) + +files_exec_etc_files(firstboot_t) +files_manage_etc_files(firstboot_t) +files_manage_etc_runtime_files(firstboot_t) +files_read_usr_files(firstboot_t) +files_manage_var_dirs(firstboot_t) +files_manage_var_files(firstboot_t) +files_manage_var_symlinks(firstboot_t) + +init_domtrans_script(firstboot_t) +init_rw_utmp(firstboot_t) + +libs_exec_ld_so(firstboot_t) +libs_exec_lib_files(firstboot_t) + 
+locallogin_use_fds(firstboot_t) + +logging_send_syslog_msg(firstboot_t) + +miscfiles_read_localization(firstboot_t) + +modutils_domtrans_insmod(firstboot_t) +modutils_domtrans_depmod(firstboot_t) +modutils_read_module_config(firstboot_t) +modutils_read_module_deps(firstboot_t) + +userdom_use_user_terminals(firstboot_t) +# Add/remove user home directories +userdom_manage_user_home_content_dirs(firstboot_t) +userdom_manage_user_home_content_files(firstboot_t) +userdom_manage_user_home_content_symlinks(firstboot_t) +userdom_manage_user_home_content_pipes(firstboot_t) +userdom_manage_user_home_content_sockets(firstboot_t) +userdom_home_filetrans_user_home_dir(firstboot_t) +userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) + +optional_policy(` + consoletype_domtrans(firstboot_t) +') + +optional_policy(` + dbus_system_bus_client(firstboot_t) + + optional_policy(` + hal_dbus_chat(firstboot_t) + ') +') + +optional_policy(` + iptables_domtrans(firstboot_t) +') + +optional_policy(` + nis_use_ypbind(firstboot_t) +') + +optional_policy(` + samba_rw_config(firstboot_t) +') + +optional_policy(` + unconfined_domtrans(firstboot_t) + # The big hammer + unconfined_domain(firstboot_t) +') + +optional_policy(` + usermanage_domtrans_chfn(firstboot_t) + usermanage_domtrans_groupadd(firstboot_t) + usermanage_domtrans_passwd(firstboot_t) + usermanage_domtrans_useradd(firstboot_t) + usermanage_domtrans_admin_passwd(firstboot_t) +') + +optional_policy(` + gnome_admin_home_gconf_filetrans(firstboot_t, dir) + gnome_manage_config(firstboot_t) +') + +optional_policy(` + xserver_domtrans(firstboot_t) + xserver_rw_shm(firstboot_t) + xserver_unconfined(firstboot_t) +') diff --git a/policy/modules/admin/kismet.fc b/policy/modules/admin/kismet.fc new file mode 100644 index 0000000..dae60e5 --- /dev/null +++ b/policy/modules/admin/kismet.fc 
@@ -0,0 +1,6 @@ +HOME_DIR/\.kismet(/.*)? gen_context(system_u:object_r:kismet_home_t,s0) + +/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0) +/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0) +/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0) +/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0) diff --git a/policy/modules/admin/kismet.if b/policy/modules/admin/kismet.if new file mode 100644 index 0000000..c18c920 --- /dev/null +++ b/policy/modules/admin/kismet.if 
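Review bot: kismet.fc labels only the single file `/var/run/kismet_server.pid` as kismet_var_run_t, yet kismet.te calls `files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })`, so any directory kismet creates under /var/run is labelled kismet_var_run_t at runtime but has no file-context entry and is not restored by restorecon. Either add a directory entry (the exact directory name is for the kismet maintainers to confirm) or drop `dir` from the filetrans class list. The matching `files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir })` is fine because `/var/lib/kismet(/.*)?` already covers it.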
@@ -0,0 +1,247 @@ +## <summary>Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.</summary> + +######################################## +## <summary> +## Execute a domain transition to run kismet. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`kismet_domtrans',` + gen_require(` + type kismet_t, kismet_exec_t; + ') + + domtrans_pattern($1, kismet_exec_t, kismet_t) + allow kismet_t $1:process signull; +') + +######################################## +## <summary> +## Execute kismet in the kismet domain, and +## allow the specified role the kismet domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`kismet_run',` + gen_require(` + type kismet_t; + ') + + kismet_domtrans($1) + role $2 types kismet_t; +') + +######################################## +## <summary> +## Read kismet PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kismet_read_pid_files',` + gen_require(` + type kismet_var_run_t; + ') + + allow $1 kismet_var_run_t:file read_file_perms; + files_search_pids($1) +') + +######################################## +## <summary> +## Manage kismet var_run files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kismet_manage_pid_files',` + gen_require(` + type kismet_var_run_t; + ') + + allow $1 kismet_var_run_t:file manage_file_perms; + files_search_pids($1) +') + +######################################## +## <summary> +## Search kismet lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`kismet_search_lib',` + gen_require(` + type kismet_var_lib_t; + ') + + allow $1 kismet_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Read kismet lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kismet_read_lib_files',` + gen_require(` + type kismet_var_lib_t; + ') + + allow $1 kismet_var_lib_t:file read_file_perms; + allow $1 kismet_var_lib_t:dir list_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Create, read, write, and delete +## kismet lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kismet_manage_lib_files',` + gen_require(` + type kismet_var_lib_t; + ') + + manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) + files_search_var_lib($1) +') + +######################################## +## <summary> +## Manage kismet var_lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kismet_manage_lib',` + gen_require(` + type kismet_var_lib_t; + ') + + manage_dirs_pattern($1, kismet_var_lib_t, kismet_var_lib_t) + manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) + manage_lnk_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t) +') + +######################################## +## <summary> +## Allow the specified domain to read kismet's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`kismet_read_log',` + gen_require(` + type kismet_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, kismet_log_t, kismet_log_t) +') + +######################################## +## <summary> +## Allow the specified domain to append +## kismet log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kismet_append_log',` + gen_require(` + type kismet_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, kismet_log_t, kismet_log_t) +') + +######################################## +## <summary> +## Allow domain to manage kismet log files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kismet_manage_log',` + gen_require(` + type kismet_log_t; + ') + + manage_dirs_pattern($1, kismet_log_t, kismet_log_t) + manage_files_pattern($1, kismet_log_t, kismet_log_t) + manage_lnk_files_pattern($1, kismet_log_t, kismet_log_t) + logging_search_logs($1) +') + +######################################## +## <summary> +## All of the rules required to administrate an kismet environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kismet_admin',` + gen_require(` + type kismet_t; + ') + + ps_process_pattern($1, kismet_t) + allow $1 kismet_t:process { ptrace signal_perms }; + + kismet_manage_pid_files($1) + kismet_manage_lib($1) + kismet_manage_log($1) +') diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te new file mode 100644 index 0000000..908622a --- /dev/null +++ b/policy/modules/admin/kismet.te 
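Review bot: `kismet_manage_lib` in kismet.if omits `files_search_var_lib($1)` although the neighbouring `kismet_read_lib_files` and `kismet_manage_lib_files` both include it, so a caller that uses only `kismet_manage_lib` cannot reach /var/lib/kismet; add the search call, and since its summary ("Manage kismet var_lib files") duplicates `kismet_manage_lib_files`, reword it to say it also manages the directories and symlinks. Two smaller documentation points: `kismet_run` takes a role parameter but lacks the `<rolecap/>` tag that `kudzu_run` and `logrotate_run` carry, and `kismet_domtrans` quietly adds `allow kismet_t $1:process signull;`, a grant to the target domain on the caller that the summary "Execute a domain transition to run kismet." does not mention.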
@@ -0,0 +1,101 @@ +policy_module(kismet, 1.5.1) + +######################################## +# +# Declarations +# + +type kismet_t; +type kismet_exec_t; +application_domain(kismet_t, kismet_exec_t) +role system_r types kismet_t; + +type kismet_home_t; +userdom_user_home_content(kismet_home_t) + +type kismet_log_t; +logging_log_file(kismet_log_t) + +type kismet_tmp_t; +files_tmp_file(kismet_tmp_t) + +type kismet_tmpfs_t; +files_tmp_file(kismet_tmpfs_t) + +type kismet_var_lib_t; +files_type(kismet_var_lib_t) + +type kismet_var_run_t; +files_pid_file(kismet_var_run_t) + +######################################## +# +# kismet local policy +# + +allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid }; +allow kismet_t self:process signal_perms; +allow kismet_t self:fifo_file rw_file_perms; +allow kismet_t self:packet_socket create_socket_perms; +allow kismet_t self:unix_dgram_socket { create_socket_perms sendto }; +allow kismet_t self:unix_stream_socket create_stream_socket_perms; +allow kismet_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t) +manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t) +manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t) +userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir }) +userdom_search_user_home_dirs(kismet_t) + +manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t) +allow kismet_t kismet_log_t:dir setattr; +logging_log_filetrans(kismet_t, kismet_log_t, { file dir }) + +manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) +manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) +manage_sock_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) +files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir sock_file }) + +manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t) +manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t) +fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, { dir file }) + +allow 
kismet_t kismet_var_lib_t:file manage_file_perms; +allow kismet_t kismet_var_lib_t:dir manage_dir_perms; +files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir }) + +allow kismet_t kismet_var_run_t:file manage_file_perms; +allow kismet_t kismet_var_run_t:dir manage_dir_perms; +files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir }) + +kernel_search_debugfs(kismet_t) +kernel_read_system_state(kismet_t) +kernel_read_network_state(kismet_t) + +corecmd_exec_bin(kismet_t) + +corenet_all_recvfrom_unlabeled(kismet_t) +corenet_all_recvfrom_netlabel(kismet_t) +corenet_tcp_sendrecv_generic_if(kismet_t) +corenet_tcp_sendrecv_generic_node(kismet_t) +corenet_tcp_sendrecv_all_ports(kismet_t) +corenet_tcp_bind_generic_node(kismet_t) +corenet_tcp_bind_kismet_port(kismet_t) +corenet_tcp_connect_kismet_port(kismet_t) +corenet_tcp_connect_pulseaudio_port(kismet_t) + +auth_use_nsswitch(kismet_t) + +files_read_etc_files(kismet_t) +files_read_usr_files(kismet_t) + +miscfiles_read_localization(kismet_t) + +userdom_use_user_terminals(kismet_t) +userdom_read_user_tmpfs_files(kismet_t) + +optional_policy(` + dbus_system_bus_client(kismet_t) + + networkmanager_dbus_chat(kismet_t) +') diff --git a/policy/modules/admin/kudzu.fc b/policy/modules/admin/kudzu.fc new file mode 100644 index 0000000..dd88f74 --- /dev/null +++ b/policy/modules/admin/kudzu.fc @@ -0,0 +1,5 @@ + +/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0) +/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0) + +/usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0) diff --git a/policy/modules/admin/kudzu.if b/policy/modules/admin/kudzu.if new file mode 100644 index 0000000..65bcaff --- /dev/null +++ b/policy/modules/admin/kudzu.if 
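Review bot: In kismet.te, `kismet_tmpfs_t` is declared with `files_tmp_file(kismet_tmpfs_t)` but is only ever used through `fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, { dir file })`; it should be declared with `files_tmpfs_file(kismet_tmpfs_t)` so it carries the tmpfs attribute instead of being treated as a /tmp file type. Two more in the same hunk: `logging_log_filetrans(kismet_t, kismet_log_t, { file dir })` names `dir`, but the only directory permission on the log type is `allow kismet_t kismet_log_t:dir setattr;`, so creating a kismet_log_t directory is still denied (use `manage_dirs_pattern` or drop `dir`); and `networkmanager_dbus_chat(kismet_t)` sits directly inside the dbus `optional_policy` block instead of its own nested one (compare `hal_dbus_chat` in firstboot.te), so if the networkmanager module is absent the whole block, including `dbus_system_bus_client(kismet_t)`, is disabled.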
@@ -0,0 +1,64 @@ +## <summary>Hardware detection and configuration tools</summary> + +######################################## +## <summary> +## Execute kudzu in the kudzu domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`kudzu_domtrans',` + gen_require(` + type kudzu_t, kudzu_exec_t; + ') + + domtrans_pattern($1, kudzu_exec_t, kudzu_t) +') + +######################################## +## <summary> +## Execute kudzu in the kudzu domain, and +## allow the specified role the kudzu domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kudzu_run',` + gen_require(` + type kudzu_t; + ') + + kudzu_domtrans($1) + role $2 types kudzu_t; +') + +######################################## +## <summary> +## Get attributes of kudzu executable. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: added for ddcprobe +interface(`kudzu_getattr_exec_files',` + gen_require(` + type kudzu_exec_t; + ') + + allow $1 kudzu_exec_t:file getattr; +') diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te new file mode 100644 index 0000000..4f7bd3c --- /dev/null +++ b/policy/modules/admin/kudzu.te 
@@ -0,0 +1,145 @@ +policy_module(kudzu, 1.8.0) + +######################################## +# +# Declarations +# + +type kudzu_t; +type kudzu_exec_t; +init_system_domain(kudzu_t, kudzu_exec_t) + +type kudzu_tmp_t; +files_tmp_file(kudzu_tmp_t) + +type kudzu_var_run_t; +files_pid_file(kudzu_var_run_t) + +######################################## +# +# Local policy +# + +allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod }; +dontaudit kudzu_t self:capability sys_tty_config; +allow kudzu_t self:process { signal_perms execmem }; +allow kudzu_t self:fifo_file rw_fifo_file_perms; +allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow kudzu_t self:unix_dgram_socket create_socket_perms; +allow kudzu_t self:udp_socket { create ioctl }; + +manage_dirs_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t) +manage_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t) +manage_chr_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t) +files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file }) + +manage_dirs_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t) +manage_files_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t) +files_pid_filetrans(kudzu_t, kudzu_var_run_t, file) + +kernel_change_ring_buffer_level(kudzu_t) +kernel_list_proc(kudzu_t) +kernel_read_device_sysctls(kudzu_t) +kernel_read_kernel_sysctls(kudzu_t) +kernel_read_proc_symlinks(kudzu_t) +kernel_read_network_state(kudzu_t) +kernel_read_system_state(kudzu_t) +kernel_rw_hotplug_sysctls(kudzu_t) +kernel_rw_kernel_sysctl(kudzu_t) + +files_read_kernel_modules(kudzu_t) + +dev_list_sysfs(kudzu_t) +dev_read_usbfs(kudzu_t) +dev_read_sysfs(kudzu_t) +dev_rx_raw_memory(kudzu_t) +dev_wx_raw_memory(kudzu_t) +dev_rw_mouse(kudzu_t) +dev_rwx_zero(kudzu_t) + +fs_search_auto_mountpoints(kudzu_t) +fs_search_ramfs(kudzu_t) +fs_write_ramfs_sockets(kudzu_t) + +mls_file_read_all_levels(kudzu_t) +mls_file_write_all_levels(kudzu_t) + +storage_read_scsi_generic(kudzu_t) 
+storage_read_tape(kudzu_t) +storage_raw_write_fixed_disk(kudzu_t) +storage_raw_write_removable_device(kudzu_t) +storage_raw_read_fixed_disk(kudzu_t) +storage_raw_read_removable_device(kudzu_t) + +term_dontaudit_use_console(kudzu_t) +# so it can write messages to the console +term_use_unallocated_ttys(kudzu_t) + +corecmd_exec_all_executables(kudzu_t) + +domain_use_interactive_fds(kudzu_t) + +files_search_var(kudzu_t) +files_search_locks(kudzu_t) +files_manage_etc_files(kudzu_t) +files_manage_etc_runtime_files(kudzu_t) +files_etc_filetrans_etc_runtime(kudzu_t, file) +files_manage_mnt_files(kudzu_t) +files_manage_mnt_symlinks(kudzu_t) +files_dontaudit_search_src(kudzu_t) +# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux +files_read_usr_files(kudzu_t) +# for /etc/sysconfig/hwconf - probably need a new type +files_rw_etc_runtime_files(kudzu_t) +# for file systems that are not yet mounted +files_dontaudit_search_isid_type_dirs(kudzu_t) + +init_use_fds(kudzu_t) +init_use_script_ptys(kudzu_t) +init_stream_connect_script(kudzu_t) +init_read_state(kudzu_t) +init_ptrace(kudzu_t) +# kudzu will telinit to make init re-read +# the inittab after configuring serial consoles +init_telinit(kudzu_t) + +# Read /usr/lib/gconv/gconv-modules.* +libs_read_lib_files(kudzu_t) + +logging_send_syslog_msg(kudzu_t) + +miscfiles_read_hwdata(kudzu_t) +miscfiles_read_localization(kudzu_t) + +modutils_read_module_config(kudzu_t) +modutils_read_module_deps(kudzu_t) +modutils_rename_module_config(kudzu_t) +modutils_delete_module_config(kudzu_t) +modutils_domtrans_insmod(kudzu_t) + +sysnet_read_config(kudzu_t) + +userdom_use_user_terminals(kudzu_t) +userdom_dontaudit_use_unpriv_user_fds(kudzu_t) +userdom_search_user_home_dirs(kudzu_t) + +optional_policy(` + gpm_getattr_gpmctl(kudzu_t) +') + +optional_policy(` + nscd_socket_use(kudzu_t) +') + +optional_policy(` + seutil_sigchld_newrole(kudzu_t) +') + +optional_policy(` + udev_read_db(kudzu_t) +') + +optional_policy(` + 
unconfined_domtrans(kudzu_t) + unconfined_domain(kudzu_t) +') diff --git a/policy/modules/admin/logrotate.fc b/policy/modules/admin/logrotate.fc new file mode 100644 index 0000000..36c8de7 --- /dev/null +++ b/policy/modules/admin/logrotate.fc @@ -0,0 +1,9 @@ +/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0) + +/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0) + +ifdef(`distro_debian', ` +/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0) +', ` +/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) +') diff --git a/policy/modules/admin/logrotate.if b/policy/modules/admin/logrotate.if new file mode 100644 index 0000000..6672183 --- /dev/null +++ b/policy/modules/admin/logrotate.if 
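Review bot: kudzu.te both allows and dontaudits the same permission: `allow kudzu_t self:capability { ... sys_tty_config mknod };` is immediately followed by `dontaudit kudzu_t self:capability sys_tty_config;`; the allow wins and the dontaudit is dead, so keep one or the other (the dontaudit alone is the usual refpolicy choice, as mrtg.te does). The hunk also grants `dev_wx_raw_memory`, `dev_rwx_zero`, `storage_raw_write_fixed_disk` and `mls_file_write_all_levels` with no comment saying which hardware probe needs them, and then ends with the `unconfined_domain(kudzu_t)` optional block, which, exactly as in firstboot.te, overrides every targeted rule above it when the unconfined module is loaded; please either justify or remove it.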
@@ -0,0 +1,118 @@ +## <summary>Rotate and archive system logs</summary> + +######################################## +## <summary> +## Execute logrotate in the logrotate domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`logrotate_domtrans',` + gen_require(` + type logrotate_t, logrotate_exec_t; + ') + + domtrans_pattern($1, logrotate_exec_t, logrotate_t) +') + +######################################## +## <summary> +## Execute logrotate in the logrotate domain, and +## allow the specified role the logrotate domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`logrotate_run',` + gen_require(` + type logrotate_t; + ') + + logrotate_domtrans($1) + role $2 types logrotate_t; +') + +######################################## +## <summary> +## Execute logrotate in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logrotate_exec',` + gen_require(` + type logrotate_exec_t; + ') + + can_exec($1, logrotate_exec_t) +') + +######################################## +## <summary> +## Inherit and use logrotate file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logrotate_use_fds',` + gen_require(` + type logrotate_t; + ') + + allow $1 logrotate_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to inherit logrotate file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`logrotate_dontaudit_use_fds',` + gen_require(` + type logrotate_t; + ') + + dontaudit $1 logrotate_t:fd use; +') + +######################################## +## <summary> +## Read a logrotate temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logrotate_read_tmp_files',` + gen_require(` + type logrotate_tmp_t; + ') + + files_search_tmp($1) + allow $1 logrotate_tmp_t:file read_file_perms; +') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te new file mode 100644 index 0000000..d64682f --- /dev/null +++ b/policy/modules/admin/logrotate.te 
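Review bot: `logrotate_read_tmp_files` in logrotate.if grants `files_search_tmp($1)` and read on `logrotate_tmp_t:file`, but logrotate.te does `files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })`, so the temporary files may sit inside a logrotate_tmp_t directory that the caller is not allowed to search; add `allow $1 logrotate_tmp_t:dir search_dir_perms;` (or use `read_files_pattern`). Its summary also reads "Read a logrotate temporary files."; drop the "a". `logwatch_read_tmp_files` in logwatch.if has the identical shape and the same gap.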
@@ -0,0 +1,236 @@ +policy_module(logrotate, 1.13.0) + +######################################## +# +# Declarations +# + +type logrotate_t; +domain_type(logrotate_t) +domain_obj_id_change_exemption(logrotate_t) +domain_system_change_exemption(logrotate_t) +role system_r types logrotate_t; + +type logrotate_exec_t; +domain_entry_file(logrotate_t, logrotate_exec_t) + +type logrotate_lock_t; +files_lock_file(logrotate_lock_t) + +type logrotate_tmp_t; +files_tmp_file(logrotate_tmp_t) + +type logrotate_var_lib_t; +files_type(logrotate_var_lib_t) + +######################################## +# +# Local policy +# + +# Change ownership on log files. +allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; +# for mailx +dontaudit logrotate_t self:capability { setuid setgid sys_ptrace }; + +allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + +# Set a context other than the default one for newly created files. 
+allow logrotate_t self:process setfscreate; + +allow logrotate_t self:fd use; +allow logrotate_t self:fifo_file rw_fifo_file_perms; +allow logrotate_t self:unix_dgram_socket create_socket_perms; +allow logrotate_t self:unix_stream_socket create_stream_socket_perms; +allow logrotate_t self:unix_dgram_socket sendto; +allow logrotate_t self:unix_stream_socket connectto; +allow logrotate_t self:shm create_shm_perms; +allow logrotate_t self:sem create_sem_perms; +allow logrotate_t self:msgq create_msgq_perms; +allow logrotate_t self:msg { send receive }; + +allow logrotate_t logrotate_lock_t:file manage_file_perms; +files_lock_filetrans(logrotate_t, logrotate_lock_t, file) + +can_exec(logrotate_t, logrotate_tmp_t) + +manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) +manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) +files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) + +# for /var/lib/logrotate.status and /var/lib/logcheck +create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) +manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) +files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) + +kernel_read_system_state(logrotate_t) +kernel_read_kernel_sysctls(logrotate_t) + +dev_read_urand(logrotate_t) + +fs_search_auto_mountpoints(logrotate_t) +fs_getattr_xattr_fs(logrotate_t) +fs_list_inotifyfs(logrotate_t) + +mls_file_read_all_levels(logrotate_t) +mls_file_write_all_levels(logrotate_t) +mls_file_upgrade(logrotate_t) + +selinux_get_fs_mount(logrotate_t) +selinux_get_enforce_mode(logrotate_t) + +auth_manage_login_records(logrotate_t) +auth_use_nsswitch(logrotate_t) + +# Run helper programs. +corecmd_exec_bin(logrotate_t) +corecmd_exec_shell(logrotate_t) + +domain_signal_all_domains(logrotate_t) +domain_use_interactive_fds(logrotate_t) +domain_getattr_all_entry_files(logrotate_t) +# Read /proc/PID directories for all domains. 
+domain_read_all_domains_state(logrotate_t) + +files_read_usr_files(logrotate_t) +files_read_etc_files(logrotate_t) +files_read_etc_runtime_files(logrotate_t) +files_read_all_pids(logrotate_t) +files_search_all(logrotate_t) +files_read_var_lib_files(logrotate_t) +# Write to /var/spool/slrnpull - should be moved into its own type. +files_manage_generic_spool(logrotate_t) +files_manage_generic_spool_dirs(logrotate_t) +files_getattr_generic_locks(logrotate_t) + +# cjp: why is this needed? +init_domtrans_script(logrotate_t) + +logging_manage_all_logs(logrotate_t) +logging_send_syslog_msg(logrotate_t) +logging_send_audit_msgs(logrotate_t) +# cjp: why is this needed? +logging_exec_all_logs(logrotate_t) + +miscfiles_read_localization(logrotate_t) + +seutil_dontaudit_read_config(logrotate_t) + +userdom_use_user_terminals(logrotate_t) +userdom_list_user_home_dirs(logrotate_t) +userdom_use_unpriv_users_fds(logrotate_t) +userdom_dontaudit_list_admin_dir(logrotate_t) + +cron_system_entry(logrotate_t, logrotate_exec_t) +cron_search_spool(logrotate_t) + +#mta_send_mail(logrotate_t) +mta_base_mail_template(logrotate) +mta_sendmail_domtrans(logrotate_t, logrotate_mail_t) +role system_r types logrotate_mail_t; +logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) + +ifdef(`distro_debian', ` + allow logrotate_t logrotate_tmp_t:file relabel_file_perms; + # for savelog + can_exec(logrotate_t, logrotate_exec_t) + + # for syslogd-listfiles + logging_read_syslog_config(logrotate_t) + + # for "test -x /sbin/syslogd" + logging_check_exec_syslog(logrotate_t) +') + +optional_policy(` + abrt_cache_manage(logrotate_t) +') + +optional_policy(` + acct_domtrans(logrotate_t) + acct_manage_data(logrotate_t) + acct_exec_data(logrotate_t) +') + +optional_policy(` + apache_read_config(logrotate_t) + apache_domtrans(logrotate_t) + apache_signull(logrotate_t) +') + +optional_policy(` + asterisk_domtrans(logrotate_t) +') + +optional_policy(` + 
bind_manage_cache(logrotate_t) +') + +optional_policy(` + consoletype_exec(logrotate_t) +') + +optional_policy(` + cups_domtrans(logrotate_t) +') + +optional_policy(` + fail2ban_stream_connect(logrotate_t) +') + +optional_policy(` + hostname_exec(logrotate_t) +') + +optional_policy(` + icecast_signal(logrotate_t) +') + +optional_policy(` + mailman_domtrans(logrotate_t) + mailman_search_data(logrotate_t) + mailman_manage_log(logrotate_t) +') + +optional_policy(` + munin_read_config(logrotate_t) + munin_stream_connect(logrotate_t) + munin_search_lib(logrotate_t) +') + +optional_policy(` + mysql_read_config(logrotate_t) + mysql_search_db(logrotate_t) + mysql_stream_connect(logrotate_t) +') + +optional_policy(` + psad_domtrans(logrotate_t) +') + + +optional_policy(` + samba_exec_log(logrotate_t) +') + +optional_policy(` + sssd_domtrans(logrotate_t) +') + +optional_policy(` + slrnpull_manage_spool(logrotate_t) +') + +optional_policy(` + squid_domtrans(logrotate_t) +') + +optional_policy(` + #Red Hat bug 564565 + su_exec(logrotate_t) +') + +optional_policy(` + varnishd_manage_log(logrotate_t) +') diff --git a/policy/modules/admin/logwatch.fc b/policy/modules/admin/logwatch.fc new file mode 100644 index 0000000..1e155f5 --- /dev/null +++ b/policy/modules/admin/logwatch.fc @@ -0,0 +1,11 @@ +/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0) +/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0) + +/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0) + +/var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0) +/var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0) +/var/lib/epylog(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0) +/var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0) + +/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0) 
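Review bot: In logrotate.te, `allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` excludes setfscreate and the very next rule, `allow logrotate_t self:process setfscreate;`, grants it back, so the exclusion list misstates what the domain can do; remove setfscreate from the negated set, or better, replace the `~{ ... }` complement with an explicit permission list so that process permissions added to the kernel later are not granted by default. The two `# cjp: why is this needed?` comments on `init_domtrans_script` and `logging_exec_all_logs` should be answered before merge rather than carried in; `cron_system_entry(logrotate_t, logrotate_exec_t)` is called unconditionally here while logwatch.te wraps the same call in `optional_policy`, making cron a hard dependency of this module only. Minor: there is a doubled blank line between the psad and samba `optional_policy` blocks.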
diff --git a/policy/modules/admin/logwatch.if b/policy/modules/admin/logwatch.if new file mode 100644 index 0000000..d878e75 --- /dev/null +++ b/policy/modules/admin/logwatch.if @@ -0,0 +1,38 @@ +## <summary>System log analyzer and reporter</summary> + +######################################## +## <summary> +## Read logwatch temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logwatch_read_tmp_files',` + gen_require(` + type logwatch_tmp_t; + ') + + files_search_tmp($1) + allow $1 logwatch_tmp_t:file read_file_perms; +') + +######################################## +## <summary> +## Search logwatch cache directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logwatch_search_cache_dir',` + gen_require(` + type logwatch_cache_t; + ') + + allow $1 logwatch_cache_t:dir search_dir_perms; +') diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te new file mode 100644 index 0000000..b845467 --- /dev/null +++ b/policy/modules/admin/logwatch.te 
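Review bot: `logwatch_search_cache_dir` in logwatch.if allows search on `logwatch_cache_t:dir` but nothing on the path to it; logwatch.fc places the cache under /var/cache/logwatch, /var/lib/logcheck and /var/lib/epylog, so the caller also needs `files_search_var($1)` (and `files_search_var_lib($1)` for the logcheck and epylog entries), the way `kismet_search_lib` pairs its search rule with `files_search_var_lib`. As written the interface only works for callers that can already search /var.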
@@ -0,0 +1,161 @@ +policy_module(logwatch, 1.11.0) + +################################# +# +# Declarations +# + +type logwatch_t; +type logwatch_exec_t; +application_domain(logwatch_t, logwatch_exec_t) +role system_r types logwatch_t; + +type logwatch_cache_t; +files_type(logwatch_cache_t) + +type logwatch_lock_t; +files_lock_file(logwatch_lock_t) + +type logwatch_tmp_t; +files_tmp_file(logwatch_tmp_t) + +type logwatch_var_run_t; +files_pid_file(logwatch_var_run_t) + +######################################## +# +# Local policy +# + +allow logwatch_t self:capability { dac_override dac_read_search setgid }; +allow logwatch_t self:process signal; +allow logwatch_t self:fifo_file rw_file_perms; +allow logwatch_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) +manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) + +allow logwatch_t logwatch_lock_t:file manage_file_perms; +files_lock_filetrans(logwatch_t, logwatch_lock_t, file) + +manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) +manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) +files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir }) + +allow logwatch_t logwatch_var_run_t:file manage_file_perms; +files_pid_filetrans(logwatch_t, logwatch_var_run_t, file) + +kernel_read_fs_sysctls(logwatch_t) +kernel_read_kernel_sysctls(logwatch_t) +kernel_read_system_state(logwatch_t) +kernel_read_net_sysctls(logwatch_t) +kernel_read_network_state(logwatch_t) + +corecmd_exec_bin(logwatch_t) +corecmd_exec_shell(logwatch_t) + +dev_read_urand(logwatch_t) +dev_read_sysfs(logwatch_t) + +# Read /proc/PID directories for all domains. 
+domain_read_all_domains_state(logwatch_t) + +files_list_var(logwatch_t) +files_read_var_symlinks(logwatch_t) +files_read_etc_files(logwatch_t) +files_read_etc_runtime_files(logwatch_t) +files_read_usr_files(logwatch_t) +files_search_spool(logwatch_t) +files_search_mnt(logwatch_t) +files_dontaudit_search_home(logwatch_t) +files_dontaudit_search_boot(logwatch_t) +# Execs df and if file system mounted with a context avc raised +files_dontaudit_search_all_dirs(logwatch_t) + +fs_getattr_all_fs(logwatch_t) +fs_dontaudit_list_auto_mountpoints(logwatch_t) +fs_list_inotifyfs(logwatch_t) + +term_dontaudit_getattr_pty_dirs(logwatch_t) +term_dontaudit_list_ptys(logwatch_t) + +auth_use_nsswitch(logwatch_t) +auth_dontaudit_read_shadow(logwatch_t) + +init_read_utmp(logwatch_t) +init_dontaudit_write_utmp(logwatch_t) + +libs_read_lib_files(logwatch_t) + +logging_read_all_logs(logwatch_t) +logging_send_syslog_msg(logwatch_t) + +miscfiles_read_localization(logwatch_t) + +selinux_dontaudit_getattr_dir(logwatch_t) + +sysnet_dns_name_resolve(logwatch_t) +sysnet_exec_ifconfig(logwatch_t) + +userdom_dontaudit_search_user_home_dirs(logwatch_t) +userdom_dontaudit_list_admin_dir(logwatch_t) + +#mta_send_mail(logwatch_t) +mta_base_mail_template(logwatch) +mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) +role system_r types logwatch_mail_t; +logging_read_all_logs(logwatch_mail_t) +manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t) +allow logwatch_mail_t self:capability { dac_read_search dac_override }; +mta_read_home(logwatch_mail_t) + +ifdef(`distro_redhat',` + files_search_all(logwatch_t) + files_getattr_all_file_type_fs(logwatch_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs(logwatch_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_list_cifs(logwatch_t) +') + +optional_policy(` + apache_read_log(logwatch_t) +') + +optional_policy(` + avahi_dontaudit_search_pid(logwatch_t) +') + +optional_policy(` + bind_read_config(logwatch_t) + 
bind_read_zone(logwatch_t) +') + +optional_policy(` + cron_system_entry(logwatch_t, logwatch_exec_t) +') + +optional_policy(` + hostname_exec(logwatch_t) +') + +optional_policy(` + mta_getattr_spool(logwatch_t) +') + +optional_policy(` + ntp_domtrans(logwatch_t) +') + +optional_policy(` + rpc_search_nfs_state_data(logwatch_t) +') + +optional_policy(` + samba_read_log(logwatch_t) + samba_read_share_files(logwatch_t) +') diff --git a/policy/modules/admin/mcelog.fc b/policy/modules/admin/mcelog.fc new file mode 100644 index 0000000..56c43c0 --- /dev/null +++ b/policy/modules/admin/mcelog.fc @@ -0,0 +1 @@ +/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0) diff --git a/policy/modules/admin/mcelog.if b/policy/modules/admin/mcelog.if new file mode 100644 index 0000000..3d4cb1a --- /dev/null +++ b/policy/modules/admin/mcelog.if @@ -0,0 +1,20 @@ +## <summary>policy for mcelog</summary> + +######################################## +## <summary> +## Execute a domain transition to run mcelog. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`mcelog_domtrans',` + gen_require(` + type mcelog_t, mcelog_exec_t; + ') + + domtrans_pattern($1, mcelog_exec_t, mcelog_t) +') + diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te new file mode 100644 index 0000000..5a9cebf --- /dev/null +++ b/policy/modules/admin/mcelog.te 
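Review bot: logwatch.te gives the mail helper domain more than the report needs: after `mta_base_mail_template(logwatch)` the hunk adds `logging_read_all_logs(logwatch_mail_t)`, `allow logwatch_mail_t self:capability { dac_read_search dac_override };` and `mta_read_home(logwatch_mail_t)`, so the sendmail invocation can read every log and bypass DAC, not just the report in `logwatch_tmp_t` that `manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)` already covers; a comment naming the denial that prompted each rule would let a reviewer judge them. The comment `# Execs df and if file system mounted with a context avc raised` above `files_dontaudit_search_all_dirs(logwatch_t)` is also hard to parse; "df walks every mount point, which raises AVCs on context-mounted file systems" says the same thing.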
@@ -0,0 +1,32 @@ +policy_module(mcelog, 1.0.1) + +######################################## +# +# Declarations +# + +type mcelog_t; +type mcelog_exec_t; +application_domain(mcelog_t, mcelog_exec_t) +cron_system_entry(mcelog_t, mcelog_exec_t) + +######################################## +# +# mcelog local policy +# + +allow mcelog_t self:capability sys_admin; + +kernel_read_system_state(mcelog_t) + +dev_read_raw_memory(mcelog_t) +dev_read_kmsg(mcelog_t) + +files_read_etc_files(mcelog_t) + +# for /dev/mem access +mls_file_read_all_levels(mcelog_t) + +logging_send_syslog_msg(mcelog_t) + +miscfiles_read_localization(mcelog_t) diff --git a/policy/modules/admin/metadata.xml b/policy/modules/admin/metadata.xml new file mode 100644 index 0000000..bd8d174 --- /dev/null +++ b/policy/modules/admin/metadata.xml @@ -0,0 +1,3 @@ +<summary> + Policy modules for administrative functions, such as package management. +</summary> diff --git a/policy/modules/admin/mrtg.fc b/policy/modules/admin/mrtg.fc new file mode 100644 index 0000000..37fb953 --- /dev/null +++ b/policy/modules/admin/mrtg.fc @@ -0,0 +1,18 @@ +# +# /etc +# +/etc/mrtg.* gen_context(system_u:object_r:mrtg_etc_t,s0) + +# +# /usr +# +/usr/bin/mrtg -- gen_context(system_u:object_r:mrtg_exec_t,s0) +/etc/mrtg/mrtg\.ok -- gen_context(system_u:object_r:mrtg_lock_t,s0) + +# +# /var +# +/var/lib/mrtg(/.*)? gen_context(system_u:object_r:mrtg_var_lib_t,s0) +/var/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0) +/var/log/mrtg(/.*)? gen_context(system_u:object_r:mrtg_log_t,s0) +/var/run/mrtg\.pid gen_context(system_u:object_r:mrtg_var_run_t,s0) diff --git a/policy/modules/admin/mrtg.if b/policy/modules/admin/mrtg.if new file mode 100644 index 0000000..5970b9c --- /dev/null +++ b/policy/modules/admin/mrtg.if 
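Review bot: mcelog.te grants `allow mcelog_t self:capability sys_admin;` with no comment, and sys_admin is the catch-all capability; if it is needed only together with `dev_read_raw_memory(mcelog_t)` to open /dev/mem, say so next to the rule, the way `# for /dev/mem access` already annotates `mls_file_read_all_levels(mcelog_t)`. Also, `cron_system_entry(mcelog_t, mcelog_exec_t)` sits in the Declarations section and, unlike the same call in logwatch.te, is not wrapped in `optional_policy`, so this module cannot be built without cron.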
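Review bot: In mrtg.fc the pattern `/etc/mrtg.*` has an unescaped dot, so as a regex it matches `/etc/mrtg` followed by anything, including an unrelated `/etc/mrtgfoo`, rather than `/etc/mrtg` and its contents; write `/etc/mrtg(/.*)?` (plus `/etc/mrtg\.cfg` if a top-level config file is intended), as every other entry in this file escapes its dots. The more specific `/etc/mrtg/mrtg\.ok -- ... mrtg_lock_t` entry is also filed under the `# /usr` heading; move it under `# /etc` so the layout matches the paths.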
@@ -0,0 +1,20 @@ +## <summary>Network traffic graphing</summary> + +######################################## +## <summary> +## Create and append mrtg logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mrtg_append_create_logs',` + gen_require(` + type mrtg_log_t; + ') + + append_files_pattern($1, mrtg_log_t, mrtg_log_t) + create_files_pattern($1, mrtg_log_t, mrtg_log_t) +') diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te new file mode 100644 index 0000000..9d58abe --- /dev/null +++ b/policy/modules/admin/mrtg.te 
@@ -0,0 +1,161 @@ +policy_module(mrtg, 1.8.0) + +######################################## +# +# Declarations +# + +type mrtg_t; +type mrtg_exec_t; +init_system_domain(mrtg_t, mrtg_exec_t) + +type mrtg_etc_t; +files_config_file(mrtg_etc_t) + +type mrtg_lock_t; +files_lock_file(mrtg_lock_t) + +type mrtg_log_t; +logging_log_file(mrtg_log_t) + +type mrtg_var_lib_t; +files_type(mrtg_var_lib_t) + +type mrtg_var_run_t; +files_pid_file(mrtg_var_run_t) + +######################################## +# +# Local policy +# + +allow mrtg_t self:capability { setgid setuid chown }; +dontaudit mrtg_t self:capability sys_tty_config; +allow mrtg_t self:process signal_perms; +allow mrtg_t self:fifo_file rw_fifo_file_perms; +allow mrtg_t self:unix_stream_socket create_socket_perms; +allow mrtg_t self:tcp_socket create_socket_perms; +allow mrtg_t self:udp_socket create_socket_perms; + +allow mrtg_t mrtg_etc_t:dir list_dir_perms; +read_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t) +read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t) +dontaudit mrtg_t mrtg_etc_t:dir write; +dontaudit mrtg_t mrtg_etc_t:file { write ioctl }; + +manage_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t) +manage_lnk_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t) + +manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t) +logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir }) + +manage_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t) +manage_lnk_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t) + +allow mrtg_t mrtg_var_run_t:file manage_file_perms; +files_pid_filetrans(mrtg_t, mrtg_var_run_t, file) + +kernel_read_system_state(mrtg_t) +kernel_read_network_state(mrtg_t) +kernel_read_kernel_sysctls(mrtg_t) + +corecmd_exec_bin(mrtg_t) +corecmd_exec_shell(mrtg_t) + +corenet_all_recvfrom_unlabeled(mrtg_t) +corenet_all_recvfrom_netlabel(mrtg_t) +corenet_tcp_sendrecv_generic_if(mrtg_t) +corenet_udp_sendrecv_generic_if(mrtg_t) +corenet_tcp_sendrecv_generic_node(mrtg_t) +corenet_udp_sendrecv_generic_node(mrtg_t) 
+corenet_tcp_sendrecv_all_ports(mrtg_t) +corenet_udp_sendrecv_all_ports(mrtg_t) +corenet_tcp_connect_all_ports(mrtg_t) +corenet_sendrecv_all_client_packets(mrtg_t) + +dev_read_sysfs(mrtg_t) +dev_read_urand(mrtg_t) + +domain_use_interactive_fds(mrtg_t) +domain_dontaudit_search_all_domains_state(mrtg_t) + +files_read_usr_files(mrtg_t) +files_search_var(mrtg_t) +files_search_locks(mrtg_t) +files_search_var_lib(mrtg_t) +files_search_spool(mrtg_t) +files_getattr_tmp_dirs(mrtg_t) +# for uptime +files_read_etc_runtime_files(mrtg_t) +# read config files +files_read_etc_files(mrtg_t) + +fs_search_auto_mountpoints(mrtg_t) +fs_getattr_xattr_fs(mrtg_t) +fs_list_inotifyfs(mrtg_t) + +term_dontaudit_use_console(mrtg_t) + +init_use_fds(mrtg_t) +init_use_script_ptys(mrtg_t) +# for uptime +init_read_utmp(mrtg_t) +init_dontaudit_write_utmp(mrtg_t) + +auth_use_nsswitch(mrtg_t) + +libs_read_lib_files(mrtg_t) + +logging_send_syslog_msg(mrtg_t) + +miscfiles_read_localization(mrtg_t) + +selinux_dontaudit_getattr_dir(mrtg_t) + +userdom_use_user_terminals(mrtg_t) +userdom_dontaudit_read_user_home_content_files(mrtg_t) +userdom_dontaudit_use_unpriv_user_fds(mrtg_t) +userdom_dontaudit_list_admin_dir(mrtg_t) + +netutils_domtrans_ping(mrtg_t) + +ifdef(`enable_mls',` + corenet_udp_sendrecv_lo_if(mrtg_t) +') + +ifdef(`distro_redhat',` + allow mrtg_t mrtg_lock_t:file manage_file_perms; + filetrans_pattern(mrtg_t, mrtg_etc_t, mrtg_lock_t, file) +') + +optional_policy(` + apache_manage_sys_content(mrtg_t) +') + +optional_policy(` + cron_system_entry(mrtg_t, mrtg_exec_t) +') + +optional_policy(` + hostname_exec(mrtg_t) +') + +optional_policy(` + hddtemp_domtrans(mrtg_t) +') + +optional_policy(` + seutil_sigchld_newrole(mrtg_t) +') + +optional_policy(` + quota_dontaudit_getattr_db(mrtg_t) +') + +optional_policy(` + snmp_read_snmp_var_lib_files(mrtg_t) +') + +optional_policy(` + udev_read_db(mrtg_t) +') 
diff --git a/policy/modules/admin/ncftool.fc b/policy/modules/admin/ncftool.fc new file mode 100644 index 0000000..ae4045e --- /dev/null +++ b/policy/modules/admin/ncftool.fc @@ -0,0 +1,2 @@ + +/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0) diff --git a/policy/modules/admin/ncftool.if b/policy/modules/admin/ncftool.if new file mode 100644 index 0000000..8c2e044 --- /dev/null +++ b/policy/modules/admin/ncftool.if @@ -0,0 +1,78 @@ + +## <summary>policy for ncftool</summary> + +######################################## +## <summary> +## Execute a domain transition to run ncftool. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ncftool_domtrans',` + gen_require(` + type ncftool_t, ncftool_exec_t; + ') + + domtrans_pattern($1, ncftool_exec_t, ncftool_t) +') + +######################################## +## <summary> +## Execute ncftool in the ncftool domain, and +## allow the specified role the ncftool domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the ncftool domain. +## </summary> +## </param> +# +interface(`ncftool_run',` + gen_require(` + type ncftool_t; + ') + + ncftool_domtrans($1) + role $2 types ncftool_t; + + optional_policy(` + brctl_run(ncftool_t, $2) + ') +') + +######################################## +## <summary> +## Role access for ncftool +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`ncftool_role',` + gen_require(` + type ncftool_t; + ') + + role $1 types ncftool_t; + + ncftool_domtrans($2) + + ps_process_pattern($2, ncftool_t) + allow $2 ncftool_t:process signal; +') + 
diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te new file mode 100644 index 0000000..eef0c87 --- /dev/null +++ b/policy/modules/admin/ncftool.te 
@@ -0,0 +1,91 @@ +policy_module(ncftool, 1.0.0) + +######################################## +# +# Declarations +# + +type ncftool_t; +type ncftool_exec_t; +application_domain(ncftool_t, ncftool_exec_t) +domain_obj_id_change_exemption(ncftool_t) +domain_system_change_exemption(ncftool_t) +role system_r types ncftool_t; + +permissive ncftool_t; + +######################################## +# +# ncftool local policy +# + +allow ncftool_t self:capability { net_admin sys_ptrace }; + +allow ncftool_t self:process signal; + +allow ncftool_t self:fifo_file manage_fifo_file_perms; +allow ncftool_t self:unix_stream_socket create_stream_socket_perms; + +allow ncftool_t self:netlink_route_socket create_netlink_socket_perms; +allow ncftool_t self:tcp_socket create_stream_socket_perms; + +kernel_read_kernel_sysctls(ncftool_t) +kernel_read_modprobe_sysctls(ncftool_t) +kernel_read_network_state(ncftool_t) +kernel_read_system_state(ncftool_t) +kernel_request_load_module(ncftool_t) +kernel_rw_net_sysctls(ncftool_t) + +corecmd_exec_bin(ncftool_t) +corecmd_exec_shell(ncftool_t) + +domain_read_all_domains_state(ncftool_t) + +dev_read_sysfs(ncftool_t) + +files_manage_system_conf_files(ncftool_t) +files_relabelto_system_conf_files(ncftool_t) +files_read_etc_files(ncftool_t) +files_read_etc_runtime_files(ncftool_t) +files_read_usr_files(ncftool_t) + +term_use_all_terms(ncftool_t) + +miscfiles_read_localization(ncftool_t) + +modutils_list_module_config(ncftool_t) +modutils_read_module_config(ncftool_t) +modutils_domtrans_insmod(ncftool_t) + +sysnet_delete_dhcpc_pid(ncftool_t) +sysnet_domtrans_dhcpc(ncftool_t) +sysnet_domtrans_ifconfig(ncftool_t) +sysnet_etc_filetrans_config(ncftool_t) +sysnet_manage_config(ncftool_t) +sysnet_read_dhcpc_state(ncftool_t) +sysnet_relabelfrom_net_conf(ncftool_t) +sysnet_relabelto_net_conf(ncftool_t) +sysnet_read_dhcpc_pid(ncftool_t) +sysnet_signal_dhcpc(ncftool_t) + +userdom_read_user_tmp_files(ncftool_t) + +optional_policy(` + consoletype_exec(ncftool_t) +') + 
+optional_policy(` + dbus_system_bus_client(ncftool_t) +') + +optional_policy(` + iptables_initrc_domtrans(ncftool_t) +') + +optional_policy(` + iptables_initrc_domtrans(ncftool_t) +') + +optional_policy(` + netutils_domtrans(ncftool_t) +') diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc new file mode 100644 index 0000000..407078f --- /dev/null +++ b/policy/modules/admin/netutils.fc @@ -0,0 +1,15 @@ +/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0) +/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) +/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) + +/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) + +/usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0) +/usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) +/usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) + +/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0) +/usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) +/usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0) +/usr/sbin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0) +/usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0) diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if new file mode 100644 index 0000000..a005782 --- /dev/null +++ b/policy/modules/admin/netutils.if 
@@ -0,0 +1,301 @@ +## <summary>Network analysis utilities</summary> + +######################################## +## <summary> +## Execute network utilities in the netutils domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`netutils_domtrans',` + gen_require(` + type netutils_t, netutils_exec_t; + ') + + domtrans_pattern($1, netutils_exec_t, netutils_t) +') + +######################################## +## <summary> +## Execute network utilities in the netutils domain, and +## allow the specified role the netutils domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`netutils_run',` + gen_require(` + type netutils_t; + ') + + netutils_domtrans($1) + role $2 types netutils_t; +') + +######################################## +## <summary> +## Execute network utilities in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`netutils_exec',` + gen_require(` + type netutils_exec_t; + ') + + can_exec($1, netutils_exec_t) +') + +######################################## +## <summary> +## Send generic signals to network utilities. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`netutils_signal',` + gen_require(` + type netutils_t; + ') + + allow $1 netutils_t:process signal; +') + +######################################## +## <summary> +## Execute ping in the ping domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`netutils_domtrans_ping',` + gen_require(` + type ping_t, ping_exec_t; + ') + + domtrans_pattern($1, ping_exec_t, ping_t) +') + +######################################## +## <summary> +## Send a kill (SIGKILL) signal to ping. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`netutils_kill_ping',` + gen_require(` + type ping_t; + ') + + allow $1 ping_t:process sigkill; +') + +######################################## +## <summary> +## Send generic signals to ping. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`netutils_signal_ping',` + gen_require(` + type ping_t; + ') + + allow $1 ping_t:process signal; +') + +######################################## +## <summary> +## Execute ping in the ping domain, and +## allow the specified role the ping domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`netutils_run_ping',` + gen_require(` + type ping_t; + ') + + netutils_domtrans_ping($1) + role $2 types ping_t; +') + +######################################## +## <summary> +## Conditionally execute ping in the ping domain, and +## allow the specified role the ping domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`netutils_run_ping_cond',` + gen_require(` + type ping_t; + bool user_ping; + ') + + role $2 types ping_t; + + if ( user_ping ) { + netutils_domtrans_ping($1) + } +') + +######################################## +## <summary> +## Execute ping in the caller domain. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`netutils_exec_ping',` + gen_require(` + type ping_exec_t; + ') + + can_exec($1, ping_exec_t) +') + +######################################## +## <summary> +## Execute traceroute in the traceroute domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`netutils_domtrans_traceroute',` + gen_require(` + type traceroute_t, traceroute_exec_t; + ') + + domtrans_pattern($1, traceroute_exec_t, traceroute_t) +') + +######################################## +## <summary> +## Execute traceroute in the traceroute domain, and +## allow the specified role the traceroute domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`netutils_run_traceroute',` + gen_require(` + type traceroute_t; + ') + + netutils_domtrans_traceroute($1) + role $2 types traceroute_t; +') + +######################################## +## <summary> +## Conditionally execute traceroute in the traceroute domain, and +## allow the specified role the traceroute domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`netutils_run_traceroute_cond',` + gen_require(` + type traceroute_t; + bool user_ping; + ') + + role $2 types traceroute_t; + + if( user_ping ) { + netutils_domtrans_traceroute($1) + } +') + +######################################## +## <summary> +## Execute traceroute in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`netutils_exec_traceroute',` + gen_require(` + type traceroute_exec_t; + ') + + can_exec($1, traceroute_exec_t) +') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te new file mode 100644 index 0000000..4f38995 --- /dev/null +++ b/policy/modules/admin/netutils.te 
@@ -0,0 +1,240 @@ +policy_module(netutils, 1.10.1) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Control users use of ping and traceroute +## </p> +## </desc> +gen_tunable(user_ping, false) + +type netutils_t; +type netutils_exec_t; +init_system_domain(netutils_t, netutils_exec_t) +role system_r types netutils_t; + +type netutils_tmp_t; +files_tmp_file(netutils_tmp_t) + +type ping_t; +type ping_exec_t; +init_system_domain(ping_t, ping_exec_t) +role system_r types ping_t; + +type traceroute_t; +type traceroute_exec_t; +init_system_domain(traceroute_t, traceroute_exec_t) +role system_r types traceroute_t; + +######################################## +# +# Netutils local policy +# + +# Perform network administration operations and have raw access to the network. +allow netutils_t self:capability { net_admin net_raw setuid setgid }; +dontaudit netutils_t self:capability sys_tty_config; +allow netutils_t self:process { sigkill sigstop signull signal }; +allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write }; +allow netutils_t self:packet_socket create_socket_perms; +allow netutils_t self:udp_socket create_socket_perms; +allow netutils_t self:tcp_socket create_stream_socket_perms; +allow netutils_t self:socket create_socket_perms; + +manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) +manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) +files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) + +kernel_search_proc(netutils_t) +kernel_read_all_sysctls(netutils_t) +kernel_read_network_state(netutils_t) +kernel_request_load_module(netutils_t) + +corenet_all_recvfrom_unlabeled(netutils_t) +corenet_all_recvfrom_netlabel(netutils_t) +corenet_tcp_sendrecv_generic_if(netutils_t) +corenet_raw_sendrecv_generic_if(netutils_t) +corenet_udp_sendrecv_generic_if(netutils_t) +corenet_tcp_sendrecv_generic_node(netutils_t) +corenet_raw_sendrecv_generic_node(netutils_t) 
+corenet_udp_sendrecv_generic_node(netutils_t) +corenet_tcp_sendrecv_all_ports(netutils_t) +corenet_udp_sendrecv_all_ports(netutils_t) +corenet_tcp_connect_all_ports(netutils_t) +corenet_sendrecv_all_client_packets(netutils_t) +corenet_udp_bind_generic_node(netutils_t) + +dev_read_sysfs(netutils_t) +dev_read_usbmon_dev(netutils_t) +dev_write_usbmon_dev(netutils_t) +dev_rw_generic_usb_dev(netutils_t) + +fs_getattr_xattr_fs(netutils_t) + +domain_use_interactive_fds(netutils_t) + +files_read_etc_files(netutils_t) +# for nscd +files_dontaudit_search_var(netutils_t) + +init_use_fds(netutils_t) +init_use_script_ptys(netutils_t) + +auth_use_nsswitch(netutils_t) + +logging_send_syslog_msg(netutils_t) + +miscfiles_read_localization(netutils_t) + +term_dontaudit_use_console(netutils_t) +userdom_use_user_terminals(netutils_t) +userdom_use_all_users_fds(netutils_t) + +optional_policy(` + nis_use_ypbind(netutils_t) +') + +optional_policy(` + vmware_append_log(netutils_t) +') + +optional_policy(` + xen_append_log(netutils_t) +') + +######################################## +# +# Ping local policy +# + +allow ping_t self:capability { setuid net_raw }; +dontaudit ping_t self:capability sys_tty_config; +allow ping_t self:tcp_socket create_socket_perms; +allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; +allow ping_t self:packet_socket { create ioctl read write bind getopt setopt }; +allow ping_t self:netlink_route_socket create_netlink_socket_perms; + +corenet_all_recvfrom_unlabeled(ping_t) +corenet_all_recvfrom_netlabel(ping_t) +corenet_tcp_sendrecv_generic_if(ping_t) +corenet_raw_sendrecv_generic_if(ping_t) +corenet_raw_sendrecv_generic_node(ping_t) +corenet_tcp_sendrecv_generic_node(ping_t) +corenet_raw_bind_generic_node(ping_t) +corenet_tcp_sendrecv_all_ports(ping_t) + +fs_dontaudit_getattr_xattr_fs(ping_t) + +domain_use_interactive_fds(ping_t) + +files_read_etc_files(ping_t) +files_dontaudit_search_var(ping_t) + +kernel_read_system_state(ping_t) + 
+auth_use_nsswitch(ping_t) + +logging_send_syslog_msg(ping_t) + +miscfiles_read_localization(ping_t) + +ifdef(`hide_broken_symptoms',` + init_dontaudit_use_fds(ping_t) + + optional_policy(` + nagios_dontaudit_rw_log(ping_t) + nagios_dontaudit_rw_pipes(ping_t) + ') +') + +term_use_all_terms(ping_t) + +tunable_policy(`user_ping',` + term_use_all_ttys(ping_t) + term_use_all_ptys(ping_t) +',` + term_dontaudit_use_all_ttys(ping_t) + term_dontaudit_use_all_ptys(ping_t) +') + +optional_policy(` + munin_append_log(ping_t) +') + +optional_policy(` + nagios_rw_inerited_tmp_files(ping_t) +') + +optional_policy(` + pcmcia_use_cardmgr_fds(ping_t) +') + +optional_policy(` + hotplug_use_fds(ping_t) +') + +######################################## +# +# Traceroute local policy +# + +allow traceroute_t self:capability { net_admin net_raw setuid setgid }; +allow traceroute_t self:rawip_socket create_socket_perms; +allow traceroute_t self:packet_socket create_socket_perms; +allow traceroute_t self:udp_socket create_socket_perms; + +kernel_read_system_state(traceroute_t) +kernel_read_network_state(traceroute_t) + +corenet_all_recvfrom_unlabeled(traceroute_t) +corenet_all_recvfrom_netlabel(traceroute_t) +corenet_tcp_sendrecv_generic_if(traceroute_t) +corenet_udp_sendrecv_generic_if(traceroute_t) +corenet_raw_sendrecv_generic_if(traceroute_t) +corenet_tcp_sendrecv_generic_node(traceroute_t) +corenet_udp_sendrecv_generic_node(traceroute_t) +corenet_raw_sendrecv_generic_node(traceroute_t) +corenet_tcp_sendrecv_all_ports(traceroute_t) +corenet_udp_sendrecv_all_ports(traceroute_t) +corenet_udp_bind_generic_node(traceroute_t) +corenet_tcp_bind_generic_node(traceroute_t) +# traceroute needs this but not tracepath +corenet_raw_bind_generic_node(traceroute_t) +corenet_udp_bind_traceroute_port(traceroute_t) +corenet_tcp_connect_all_ports(traceroute_t) +corenet_sendrecv_all_client_packets(traceroute_t) +corenet_sendrecv_traceroute_server_packets(traceroute_t) + 
+fs_dontaudit_getattr_xattr_fs(traceroute_t) + +domain_use_interactive_fds(traceroute_t) + +files_read_etc_files(traceroute_t) +files_read_usr_files(traceroute_t) +files_dontaudit_search_var(traceroute_t) + +init_use_fds(traceroute_t) + +auth_use_nsswitch(traceroute_t) + +logging_send_syslog_msg(traceroute_t) + +miscfiles_read_localization(traceroute_t) + +#rules needed for nmap +dev_read_rand(traceroute_t) +dev_read_urand(traceroute_t) + +term_use_all_terms(traceroute_t) + +tunable_policy(`user_ping',` + term_use_all_ttys(traceroute_t) + term_use_all_ptys(traceroute_t) +',` + term_dontaudit_use_all_ttys(traceroute_t) + term_dontaudit_use_all_ptys(traceroute_t) +') diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc new file mode 100644 index 0000000..db46387 --- /dev/null +++ b/policy/modules/admin/portage.fc 
@@ -0,0 +1,24 @@ +/etc/make\.conf -- gen_context(system_u:object_r:portage_conf_t,s0) +/etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0) +/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0) + +/usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0) +/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) + +/usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0) +/usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0) +/usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0) +/usr/lib(64)?/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0) +/usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0) +/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) + +/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) + +/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0) +/var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) +/var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0) +/var/log/emerge-fetch.log -- gen_context(system_u:object_r:portage_log_t,s0) +/var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0) +/var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) +/var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) +/var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if new file mode 100644 index 0000000..8aaa46d --- /dev/null +++ b/policy/modules/admin/portage.if 
@@ -0,0 +1,283 @@ +## <summary> +## Portage Package Management System. The primary package management and +## distribution system for Gentoo. +## </summary> + +######################################## +## <summary> +## Execute emerge in the portage domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`portage_domtrans',` + gen_require(` + type portage_t, portage_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + + # transition to portage + domtrans_pattern($1, portage_exec_t, portage_t) +') + +######################################## +## <summary> +## Execute emerge in the portage domain, and +## allow the specified role the portage domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the portage domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`portage_run',` + gen_require(` + type portage_t, portage_fetch_t, portage_sandbox_t; + ') + + portage_domtrans($1) + role $2 types { portage_t portage_fetch_t portage_sandbox_t }; +') + +######################################## +## <summary> +## Template for portage sandbox. +## </summary> +## <desc> +## <p> +## Template for portage sandbox. Portage +## does all compiling in the sandbox. 
+## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain Allowed Access +## </summary> +## </param> +# +interface(`portage_compile_domain',` + + gen_require(` + class dbus send_msg; + type portage_devpts_t, portage_log_t, portage_tmp_t; + type portage_tmpfs_t; + ') + + allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; + dontaudit $1 self:capability sys_chroot; + allow $1 self:process { setpgid setsched setrlimit signal_perms execmem }; + allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1 self:fd use; + allow $1 self:fifo_file rw_fifo_file_perms; + allow $1 self:shm create_shm_perms; + allow $1 self:sem create_sem_perms; + allow $1 self:msgq create_msgq_perms; + allow $1 self:msg { send receive }; + allow $1 self:unix_dgram_socket create_socket_perms; + allow $1 self:unix_stream_socket create_stream_socket_perms; + allow $1 self:unix_dgram_socket sendto; + allow $1 self:unix_stream_socket connectto; + # really shouldnt need this + allow $1 self:tcp_socket create_stream_socket_perms; + allow $1 self:udp_socket create_socket_perms; + # misc networking stuff (esp needed for compiling perl): + allow $1 self:rawip_socket { create ioctl }; + # needed for merging dbus: + allow $1 self:netlink_selinux_socket { bind create read }; + allow $1 self:dbus send_msg; + + allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr }; + term_create_pty($1, portage_devpts_t) + + # write compile logs + allow $1 portage_log_t:dir setattr; + allow $1 portage_log_t:file { write_file_perms setattr }; + + # run scripts out of the build directory + can_exec(portage_sandbox_t, portage_tmp_t) + + manage_dirs_pattern($1, portage_tmp_t, portage_tmp_t) + manage_files_pattern($1, portage_tmp_t, portage_tmp_t) + manage_lnk_files_pattern($1, portage_tmp_t, portage_tmp_t) + manage_fifo_files_pattern($1, portage_tmp_t, portage_tmp_t) + manage_sock_files_pattern($1, portage_tmp_t, 
portage_tmp_t) + files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file }) + # SELinux-enabled programs running in the sandbox + allow $1 portage_tmp_t:file relabel_file_perms; + + manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) + manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) + manage_fifo_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) + manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) + fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + + kernel_read_system_state($1) + kernel_read_network_state($1) + kernel_read_software_raid_state($1) + kernel_getattr_core_if($1) + kernel_getattr_message_if($1) + kernel_read_kernel_sysctls($1) + + corecmd_exec_all_executables($1) + + # really shouldnt need this but some packages test + # network access, such as during configure + # also distcc--need to reinvestigate confining distcc client + corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) + corenet_raw_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) + corenet_udp_sendrecv_generic_node($1) + corenet_raw_sendrecv_generic_node($1) + corenet_tcp_sendrecv_all_ports($1) + corenet_udp_sendrecv_all_ports($1) + corenet_tcp_connect_all_reserved_ports($1) + corenet_tcp_connect_distccd_port($1) + + dev_read_sysfs($1) + dev_read_rand($1) + dev_read_urand($1) + + domain_use_interactive_fds($1) + domain_dontaudit_read_all_domains_state($1) + # SELinux-aware installs doing relabels in the sandbox + domain_obj_id_change_exemption($1) + + files_exec_etc_files($1) + files_exec_usr_src_files($1) + + fs_getattr_xattr_fs($1) + fs_list_noxattr_fs($1) + fs_read_noxattr_fs_files($1) + fs_read_noxattr_fs_symlinks($1) + fs_search_auto_mountpoints($1) + + selinux_validate_context($1) + # needed for merging dbus: + selinux_compute_access_vector($1) + + auth_read_all_dirs_except_shadow($1) + 
auth_read_all_files_except_shadow($1) + auth_read_all_symlinks_except_shadow($1) + + libs_exec_lib_files($1) + # some config scripts use ldd + libs_exec_ld_so($1) + # this violates the idea of sandbox, but + # regular sandbox allows it + libs_domtrans_ldconfig($1) + + logging_send_syslog_msg($1) + + userdom_use_user_terminals($1) + + # SELinux-enabled programs running in the sandbox + seutil_libselinux_linked($1) + + ifdef(`TODO',` + # some gui ebuilds want to interact with X server, like xawtv + optional_policy(` + allow $1 xdm_xserver_tmp_t:dir { add_name remove_name write }; + allow $1 xdm_xserver_tmp_t:sock_file { create getattr unlink write }; + ') + ') dnl end TODO +') + +######################################## +## <summary> +## Execute gcc-config in the gcc_config domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`portage_domtrans_gcc_config',` + gen_require(` + type gcc_config_t, gcc_config_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + + domtrans_pattern($1, gcc_config_exec_t, gcc_config_t) +') + +######################################## +## <summary> +## Execute gcc-config in the gcc_config domain, and +## allow the specified role the gcc_config domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the gcc_config domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`portage_run_gcc_config',` + gen_require(` + type gcc_config_t; + ') + + portage_domtrans_gcc_config($1) + role $2 types gcc_config_t; +') + +######################################## +## <summary> +## Do not audit attempts to search the +## portage temporary directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`portage_dontaudit_search_tmp',` + gen_require(` + type portage_tmp_t; + ') + + dontaudit $1 portage_tmp_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read and write +## the portage temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`portage_dontaudit_rw_tmp_files',` + gen_require(` + type portage_tmp_t; + ') + + dontaudit $1 portage_tmp_t:file rw_file_perms; +') diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te new file mode 100644 index 0000000..c633aea --- /dev/null +++ b/policy/modules/admin/portage.te 
@@ -0,0 +1,276 @@ +policy_module(portage, 1.10.0) + +######################################## +# +# Declarations +# + +type gcc_config_t; +type gcc_config_exec_t; +application_domain(gcc_config_t, gcc_config_exec_t) + +# constraining type +type portage_t; +type portage_exec_t; +application_domain(portage_t, portage_exec_t) +domain_obj_id_change_exemption(portage_t) +rsync_entry_type(portage_t) +corecmd_shell_entry_type(portage_t) + +# portage compile sandbox domain +type portage_sandbox_t; +application_domain(portage_sandbox_t, portage_exec_t) +# the shell is the entrypoint if regular sandbox is disabled +# portage_exec_t is the entrypoint if regular sandbox is enabled +corecmd_shell_entry_type(portage_sandbox_t) + +# portage package fetching domain +type portage_fetch_t; +application_type(portage_fetch_t) +corecmd_shell_entry_type(portage_fetch_t) +rsync_entry_type(portage_fetch_t) + +type portage_devpts_t; +term_pty(portage_devpts_t) + +type portage_ebuild_t; +files_type(portage_ebuild_t) + +type portage_fetch_tmp_t; +files_tmp_file(portage_fetch_tmp_t) + +type portage_db_t; +files_type(portage_db_t) + +type portage_conf_t; +files_type(portage_conf_t) + +type portage_cache_t; +files_type(portage_cache_t) + +type portage_log_t; +logging_log_file(portage_log_t) + +type portage_tmp_t; +files_tmp_file(portage_tmp_t) + +type portage_tmpfs_t; +files_tmpfs_file(portage_tmpfs_t) + +######################################## +# +# gcc-config policy +# + +allow gcc_config_t self:capability { chown fsetid }; +allow gcc_config_t self:fifo_file rw_file_perms; + +manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t) + +read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t) + +allow gcc_config_t portage_ebuild_t:dir list_dir_perms; +read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t) + +allow gcc_config_t portage_exec_t:file mmap_file_perms; + +kernel_read_system_state(gcc_config_t) +kernel_read_kernel_sysctls(gcc_config_t) + 
+corecmd_exec_shell(gcc_config_t) +corecmd_exec_bin(gcc_config_t) +corecmd_manage_bin_files(gcc_config_t) + +domain_use_interactive_fds(gcc_config_t) + +files_manage_etc_files(gcc_config_t) +files_rw_etc_runtime_files(gcc_config_t) +files_read_usr_files(gcc_config_t) +files_search_var_lib(gcc_config_t) +files_search_pids(gcc_config_t) +# complains loudly about not being able to list +# the directory it is being run from +files_list_all(gcc_config_t) + +# seems to be ok without this +init_dontaudit_read_script_status_files(gcc_config_t) + +libs_read_lib_files(gcc_config_t) +libs_domtrans_ldconfig(gcc_config_t) +libs_manage_shared_libs(gcc_config_t) +# gcc-config creates a temp dir for the libs +libs_manage_lib_dirs(gcc_config_t) + +logging_send_syslog_msg(gcc_config_t) + +miscfiles_read_localization(gcc_config_t) + +userdom_use_user_terminals(gcc_config_t) + +consoletype_exec(gcc_config_t) + +optional_policy(` + seutil_use_newrole_fds(gcc_config_t) +') + +######################################## +# +# Portage Merging Rules +# + +# - setfscreate for merging to live fs +# - setexec to run portage fetch +allow portage_t self:process { setfscreate setexec }; +# - kill for mysql merging, at least +allow portage_t self:capability { sys_nice kill }; + +# user post-sync scripts +can_exec(portage_t, portage_conf_t) + +allow portage_t portage_log_t:file manage_file_perms; +logging_log_filetrans(portage_t, portage_log_t, file) + +allow portage_t { portage_fetch_t portage_sandbox_t }:process signal; + +# transition for rsync and wget +corecmd_shell_spec_domtrans(portage_t, portage_fetch_t) +rsync_entry_domtrans(portage_t, portage_fetch_t) +allow portage_fetch_t portage_t:fd use; +allow portage_fetch_t portage_t:fifo_file rw_file_perms; +allow portage_fetch_t portage_t:process sigchld; + +# transition to sandbox for compiling +domain_trans(portage_t, portage_exec_t, portage_sandbox_t) +corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t) +allow portage_sandbox_t 
portage_t:fd use; +allow portage_sandbox_t portage_t:fifo_file rw_file_perms; +allow portage_sandbox_t portage_t:process sigchld; + +# run scripts out of the build directory +can_exec(portage_t, portage_tmp_t) + +# merging baselayout will need this: +kernel_write_proc_files(portage_t) + +domain_dontaudit_read_all_domains_state(portage_t) + +# modify any files in the system +files_manage_all_files(portage_t) + +selinux_get_fs_mount(portage_t) + +auth_manage_shadow(portage_t) + +# merging baselayout will need this: +init_exec(portage_t) + +# run setfiles -r +seutil_domtrans_setfiles(portage_t) +# run semodule +seutil_domtrans_semanage(portage_t) + +portage_domtrans_gcc_config(portage_t) +# if sesandbox is disabled, compiling is performed in this domain +portage_compile_domain(portage_t) + +optional_policy(` + bootloader_domtrans(portage_t) +') + +optional_policy(` + modutils_domtrans_depmod(portage_t) + modutils_domtrans_update_mods(portage_t) + #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; +') + +optional_policy(` + usermanage_domtrans_groupadd(portage_t) + usermanage_domtrans_useradd(portage_t) +') + +ifdef(`TODO',` +# seems to work ok without these +dontaudit portage_t device_t:{ blk_file chr_file } getattr; +dontaudit portage_t proc_t:dir setattr; +dontaudit portage_t device_type:chr_file read_chr_file_perms; +dontaudit portage_t device_type:blk_file read_blk_file_perms; +') + +########################################## +# +# Portage fetch domain +# - for rsync and distfile fetching +# + +allow portage_fetch_t self:capability { dac_override fowner fsetid }; +allow portage_fetch_t self:process signal; +allow portage_fetch_t self:unix_stream_socket create_socket_perms; +allow portage_fetch_t self:tcp_socket create_stream_socket_perms; + +allow portage_fetch_t portage_conf_t:dir list_dir_perms; +read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t) + +manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t) 
+manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t) + +manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t) +manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t) +files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir }) + +# portage makes home dir the portage tmp dir, so +# wget looks for .wgetrc there +dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms; +# rsync server timestamp check +allow portage_fetch_t portage_tmp_t:file { read_file_perms delete_file_perms }; + +kernel_read_system_state(portage_fetch_t) +kernel_read_kernel_sysctls(portage_fetch_t) + +corecmd_exec_bin(portage_fetch_t) + +corenet_all_recvfrom_unlabeled(portage_fetch_t) +corenet_all_recvfrom_netlabel(portage_fetch_t) +corenet_tcp_sendrecv_generic_if(portage_fetch_t) +corenet_tcp_sendrecv_generic_node(portage_fetch_t) +corenet_tcp_sendrecv_all_ports(portage_fetch_t) +# would rather not connect to unspecified ports, but +# it occasionally comes up +corenet_tcp_connect_all_reserved_ports(portage_fetch_t) +corenet_tcp_connect_generic_port(portage_fetch_t) + +dev_dontaudit_read_rand(portage_fetch_t) + +domain_use_interactive_fds(portage_fetch_t) + +files_read_etc_files(portage_fetch_t) +files_read_etc_runtime_files(portage_fetch_t) +files_search_var(portage_fetch_t) +files_dontaudit_search_pids(portage_fetch_t) + +term_search_ptys(portage_fetch_t) + +miscfiles_read_localization(portage_fetch_t) + +sysnet_read_config(portage_fetch_t) +sysnet_dns_name_resolve(portage_fetch_t) + +userdom_use_user_terminals(portage_fetch_t) +userdom_dontaudit_read_user_home_content_files(portage_fetch_t) + +ifdef(`hide_broken_symptoms',` + dontaudit portage_fetch_t portage_cache_t:file read; +') + +########################################## +# +# Portage sandbox domain +# - SELinux-enforced sandbox +# + +portage_compile_domain(portage_sandbox_t) + +ifdef(`hide_broken_symptoms',` + # leaked descriptors + dontaudit 
portage_sandbox_t portage_cache_t:dir { setattr }; + dontaudit portage_sandbox_t portage_cache_t:file { setattr write }; +') diff --git a/policy/modules/admin/prelink.fc b/policy/modules/admin/prelink.fc new file mode 100644 index 0000000..ec0e76a --- /dev/null +++ b/policy/modules/admin/prelink.fc @@ -0,0 +1,11 @@ +/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0) + +/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) + +/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0) + +/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0) +/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) + +/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) +/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0) diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if new file mode 100644 index 0000000..93ec175 --- /dev/null +++ b/policy/modules/admin/prelink.if 
@@ -0,0 +1,204 @@ +## <summary>Prelink ELF shared library mappings.</summary> + +######################################## +## <summary> +## Execute the prelink program in the prelink domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`prelink_domtrans',` + gen_require(` + type prelink_t, prelink_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, prelink_exec_t, prelink_t) + + ifdef(`hide_broken_symptoms', ` + dontaudit prelink_t $1:socket_class_set { read write }; + dontaudit prelink_t $1:fifo_file setattr; + ') +') + +######################################## +## <summary> +## Execute the prelink program in the current domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`prelink_exec',` + gen_require(` + type prelink_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, prelink_exec_t) +') + +######################################## +## <summary> +## Execute the prelink program in the prelink domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the prelink domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`prelink_run',` + gen_require(` + type prelink_t; + ') + + prelink_domtrans($1) + role $2 types prelink_t; +') + +######################################## +## <summary> +## Make the specified file type prelinkable. +## </summary> +## <param name="file_type"> +## <summary> +## File type to be prelinked. +## </summary> +## </param> +# +# cjp: added for misc non-entrypoint objects +interface(`prelink_object_file',` + gen_require(` + attribute prelink_object; + ') + + typeattribute $1 prelink_object; +') + +######################################## +## <summary> +## Read the prelink cache. 
+## </summary> +## <param name="file_type"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`prelink_read_cache',` + gen_require(` + type prelink_cache_t; + ') + + files_search_etc($1) + allow $1 prelink_cache_t:file read_file_perms; +') + +######################################## +## <summary> +## Delete the prelink cache. +## </summary> +## <param name="file_type"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`prelink_delete_cache',` + gen_require(` + type prelink_cache_t; + ') + + allow $1 prelink_cache_t:file unlink; + files_rw_etc_dirs($1) +') + +######################################## +## <summary> +## Create, read, write, and delete +## prelink log files. +## </summary> +## <param name="file_type"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`prelink_manage_log',` + gen_require(` + type prelink_log_t; + ') + + logging_search_logs($1) + manage_files_pattern($1, prelink_log_t, prelink_log_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## prelink var_lib files. +## </summary> +## <param name="file_type"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`prelink_manage_lib',` + gen_require(` + type prelink_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) +') + +######################################## +## <summary> +## Relabel from files in the /boot directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`prelink_relabelfrom_lib',` + gen_require(` + type prelink_var_lib_t; + ') + + files_search_var_lib($1) + relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) +') + +######################################## +## <summary> +## Relabel from files in the /boot directory. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`prelink_relabel_lib',` + gen_require(` + type prelink_var_lib_t; + ') + + files_search_var_lib($1) + relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) +') diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te new file mode 100644 index 0000000..0faba2a --- /dev/null +++ b/policy/modules/admin/prelink.te 
@@ -0,0 +1,182 @@ +policy_module(prelink, 1.9.1) + +######################################## +# +# Declarations + +attribute prelink_object; + +type prelink_t; +type prelink_exec_t; +init_system_domain(prelink_t, prelink_exec_t) +domain_obj_id_change_exemption(prelink_t) + +type prelink_cache_t; +files_type(prelink_cache_t) + +type prelink_cron_system_t; +type prelink_cron_system_exec_t; +domain_type(prelink_cron_system_t) +domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t) + +type prelink_log_t; +logging_log_file(prelink_log_t) + +type prelink_tmp_t; +files_tmp_file(prelink_tmp_t) + +type prelink_tmpfs_t; +files_tmpfs_file(prelink_tmpfs_t) + +type prelink_var_lib_t; +files_type(prelink_var_lib_t) + +######################################## +# +# Local policy +# + +allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource }; +allow prelink_t self:process { execheap execmem execstack signal }; +allow prelink_t self:fifo_file rw_fifo_file_perms; + +allow prelink_t prelink_cache_t:file manage_file_perms; +files_etc_filetrans(prelink_t, prelink_cache_t, file) + +allow prelink_t prelink_log_t:dir setattr; +create_files_pattern(prelink_t, prelink_log_t, prelink_log_t) +append_files_pattern(prelink_t, prelink_log_t, prelink_log_t) +read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t) +logging_log_filetrans(prelink_t, prelink_log_t, file) + +allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod }; +files_tmp_filetrans(prelink_t, prelink_tmp_t, file) + +allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod }; +fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file) + +manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) +manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) +relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) +files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file }) 
+files_search_var_lib(prelink_t) + +# prelink misc objects that are not system +# libraries or entrypoints +allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms }; + +kernel_read_system_state(prelink_t) +kernel_read_kernel_sysctls(prelink_t) + +corecmd_manage_all_executables(prelink_t) +corecmd_relabel_all_executables(prelink_t) +corecmd_mmap_all_executables(prelink_t) +corecmd_read_bin_symlinks(prelink_t) + +dev_read_urand(prelink_t) +dev_getattr_all_chr_files(prelink_t) + +files_list_all(prelink_t) +files_getattr_all_files(prelink_t) +files_write_non_security_dirs(prelink_t) +files_read_etc_files(prelink_t) +files_read_etc_runtime_files(prelink_t) +files_dontaudit_read_all_symlinks(prelink_t) +files_manage_usr_files(prelink_t) +files_manage_var_files(prelink_t) +files_relabelfrom_usr_files(prelink_t) + +fs_getattr_xattr_fs(prelink_t) + +storage_getattr_fixed_disk_dev(prelink_t) + +selinux_get_enforce_mode(prelink_t) + +libs_exec_ld_so(prelink_t) +libs_legacy_use_shared_libs(prelink_t) +libs_manage_ld_so(prelink_t) +libs_relabel_ld_so(prelink_t) +libs_manage_shared_libs(prelink_t) +libs_relabel_shared_libs(prelink_t) +libs_delete_lib_symlinks(prelink_t) + +miscfiles_read_localization(prelink_t) + +userdom_use_user_terminals(prelink_t) +userdom_manage_user_home_content(prelink_t) +userdom_execmod_user_home_files(prelink_t) + +optional_policy(` + amanda_manage_lib(prelink_t) +') + +optional_policy(` + cron_system_entry(prelink_t, prelink_exec_t) +') + +optional_policy(` + nsplugin_manage_rw_files(prelink_t) +') + +optional_policy(` + rpm_manage_tmp_files(prelink_t) +') + +optional_policy(` + unconfined_domain(prelink_t) +') + +######################################## +# +# Prelink Cron system Policy +# + +optional_policy(` + allow prelink_cron_system_t self:capability setuid; + allow prelink_cron_system_t self:process { setsched setfscreate signal }; + allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms; + allow 
prelink_cron_system_t self:unix_dgram_socket { write bind create setopt }; + + read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) + allow prelink_cron_system_t prelink_cache_t:file unlink; + files_delete_etc_dir_entry(prelink_cron_system_t) + + domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) + allow prelink_cron_system_t prelink_t:process noatsecure; + + manage_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t) + + manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t) + files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file) + allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto }; + + kernel_read_system_state(prelink_cron_system_t) + + corecmd_exec_bin(prelink_cron_system_t) + corecmd_exec_shell(prelink_cron_system_t) + + files_dontaudit_search_all_mountpoints(prelink_cron_system_t) + files_read_etc_files(prelink_cron_system_t) + files_search_var_lib(prelink_cron_system_t) + + init_telinit(prelink_cron_system_t) + + libs_exec_ld_so(prelink_cron_system_t) + + logging_search_logs(prelink_cron_system_t) + + miscfiles_read_localization(prelink_cron_system_t) + + cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t) + + userdom_dontaudit_list_admin_dir(prelink_cron_system_t) + + optional_policy(` + rpm_read_db(prelink_cron_system_t) + ') +') +ifdef(`hide_broken_symptoms', ` + optional_policy(` + dbus_read_config(prelink_t) + ') +') diff --git a/policy/modules/admin/quota.fc b/policy/modules/admin/quota.fc new file mode 100644 index 0000000..f387230 --- /dev/null +++ b/policy/modules/admin/quota.fc 
@@ -0,0 +1,19 @@ +HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) + +/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) + +/boot/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) + +/etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) + +/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0) + +/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0) +/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) + +ifdef(`distro_redhat',` +/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) +',` +/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) +') diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if new file mode 100644 index 0000000..6382d3c --- /dev/null +++ b/policy/modules/admin/quota.if 
@@ -0,0 +1,84 @@ +## <summary>File system quota management</summary> + +######################################## +## <summary> +## Execute quota management tools in the quota domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`quota_domtrans',` + gen_require(` + type quota_t, quota_exec_t; + ') + + domtrans_pattern($1, quota_exec_t, quota_t) +') + +######################################## +## <summary> +## Execute quota management tools in the quota domain, and +## allow the specified role the quota domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`quota_run',` + gen_require(` + type quota_t; + ') + + quota_domtrans($1) + role $2 types quota_t; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of filesystem quota data files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`quota_dontaudit_getattr_db',` + gen_require(` + type quota_db_t; + ') + + dontaudit $1 quota_db_t:file getattr; +') + +######################################## +## <summary> +## Create, read, write, and delete quota +## flag files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`quota_manage_flags',` + gen_require(` + type quota_flag_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, quota_flag_t, quota_flag_t) +') diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te new file mode 100644 index 0000000..d47698a --- /dev/null +++ b/policy/modules/admin/quota.te 
@@ -0,0 +1,84 @@ +policy_module(quota, 1.4.1) + +######################################## +# +# Declarations +# + +type quota_t; +type quota_exec_t; +init_system_domain(quota_t, quota_exec_t) + +type quota_db_t; +files_type(quota_db_t) + +type quota_flag_t; +files_type(quota_flag_t) + +######################################## +# +# Local policy +# + +allow quota_t self:capability { sys_admin dac_override }; +dontaudit quota_t self:capability sys_tty_config; +allow quota_t self:process signal_perms; + +# for /quota.* +allow quota_t quota_db_t:file { manage_file_perms quotaon }; +files_root_filetrans(quota_t, quota_db_t, file) +files_boot_filetrans(quota_t, quota_db_t, file) +files_etc_filetrans(quota_t, quota_db_t, file) +files_tmp_filetrans(quota_t, quota_db_t, file) +files_home_filetrans(quota_t, quota_db_t, file) +files_usr_filetrans(quota_t, quota_db_t, file) +files_var_filetrans(quota_t, quota_db_t, file) +files_spool_filetrans(quota_t, quota_db_t, file) + +kernel_list_proc(quota_t) +kernel_read_proc_symlinks(quota_t) +kernel_read_kernel_sysctls(quota_t) +kernel_setsched(quota_t) + +dev_read_sysfs(quota_t) +dev_getattr_all_blk_files(quota_t) +dev_getattr_all_chr_files(quota_t) + +fs_get_xattr_fs_quotas(quota_t) +fs_set_xattr_fs_quotas(quota_t) +fs_getattr_xattr_fs(quota_t) +fs_remount_xattr_fs(quota_t) +fs_search_auto_mountpoints(quota_t) + +mls_file_read_all_levels(quota_t) + +storage_raw_read_fixed_disk(quota_t) + +term_dontaudit_use_console(quota_t) + +domain_use_interactive_fds(quota_t) + +files_list_all(quota_t) +files_read_all_files(quota_t) +files_read_all_symlinks(quota_t) +files_getattr_all_pipes(quota_t) +files_getattr_all_sockets(quota_t) +files_getattr_all_file_type_fs(quota_t) +# Read /etc/mtab. 
+files_read_etc_runtime_files(quota_t) + +init_use_fds(quota_t) +init_use_script_ptys(quota_t) + +logging_send_syslog_msg(quota_t) + +userdom_use_user_terminals(quota_t) +userdom_dontaudit_use_unpriv_user_fds(quota_t) + +optional_policy(` + seutil_sigchld_newrole(quota_t) +') + +optional_policy(` + udev_read_db(quota_t) +') diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc new file mode 100644 index 0000000..7077413 --- /dev/null +++ b/policy/modules/admin/readahead.fc @@ -0,0 +1,3 @@ +/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) +/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) +/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0) diff --git a/policy/modules/admin/readahead.if b/policy/modules/admin/readahead.if new file mode 100644 index 0000000..47c4723 --- /dev/null +++ b/policy/modules/admin/readahead.if @@ -0,0 +1 @@ +## <summary>Readahead, read files into page cache for improved performance</summary> diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te new file mode 100644 index 0000000..c1aaa79 --- /dev/null +++ b/policy/modules/admin/readahead.te 
@@ -0,0 +1,103 @@ +policy_module(readahead, 1.11.1) + +######################################## +# +# Declarations +# + +type readahead_t; +type readahead_exec_t; +init_daemon_domain(readahead_t, readahead_exec_t) +application_domain(readahead_t, readahead_exec_t) + +type readahead_var_lib_t; +files_type(readahead_var_lib_t) +typealias readahead_var_lib_t alias readahead_etc_rw_t; + +type readahead_var_run_t; +files_pid_file(readahead_var_run_t) + +######################################## +# +# Local policy +# + +allow readahead_t self:capability { fowner dac_override dac_read_search }; +dontaudit readahead_t self:capability { net_admin sys_tty_config }; +allow readahead_t self:process { setsched signal_perms }; + +manage_dirs_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) +manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) +files_search_var_lib(readahead_t) + +manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) +files_pid_filetrans(readahead_t, readahead_var_run_t, file) + +kernel_read_all_sysctls(readahead_t) +kernel_read_system_state(readahead_t) +kernel_dontaudit_getattr_core_if(readahead_t) + +dev_read_sysfs(readahead_t) +dev_getattr_generic_chr_files(readahead_t) +dev_getattr_generic_blk_files(readahead_t) +dev_getattr_all_chr_files(readahead_t) +dev_getattr_all_blk_files(readahead_t) +dev_dontaudit_read_all_blk_files(readahead_t) +dev_dontaudit_getattr_memory_dev(readahead_t) +dev_dontaudit_getattr_nvram_dev(readahead_t) +# Early devtmpfs, before udev relabel +dev_dontaudit_rw_generic_chr_files(readahead_t) + +domain_use_interactive_fds(readahead_t) +domain_read_all_domains_state(readahead_t) + +files_list_non_security(readahead_t) +files_read_non_security_files(readahead_t) +files_dontaudit_read_security_files(readahead_t) +files_create_boot_flag(readahead_t) +files_getattr_all_pipes(readahead_t) +files_dontaudit_getattr_all_sockets(readahead_t) 
+files_dontaudit_getattr_non_security_blk_files(readahead_t) + +fs_getattr_all_fs(readahead_t) +fs_search_auto_mountpoints(readahead_t) +fs_getattr_all_pipes(readahead_t) +fs_getattr_all_files(readahead_t) +fs_read_cgroup_files(readahead_t) +fs_read_tmpfs_files(readahead_t) +fs_read_tmpfs_symlinks(readahead_t) +fs_list_inotifyfs(readahead_t) +fs_dontaudit_read_tmpfs_blk_dev(readahead_t) +fs_dontaudit_search_ramfs(readahead_t) +fs_dontaudit_read_ramfs_pipes(readahead_t) +fs_dontaudit_read_ramfs_files(readahead_t) +fs_dontaudit_use_tmpfs_chr_dev(readahead_t) + +mls_file_read_all_levels(readahead_t) + +storage_raw_read_fixed_disk(readahead_t) + +term_dontaudit_use_console(readahead_t) + +auth_dontaudit_read_shadow(readahead_t) + +init_use_fds(readahead_t) +init_use_script_ptys(readahead_t) +init_getattr_initctl(readahead_t) + +logging_send_syslog_msg(readahead_t) +logging_set_audit_parameters(readahead_t) +logging_dontaudit_search_audit_config(readahead_t) + +miscfiles_read_localization(readahead_t) + +userdom_dontaudit_use_unpriv_user_fds(readahead_t) +userdom_dontaudit_search_user_home_dirs(readahead_t) + +optional_policy(` + cron_system_entry(readahead_t, readahead_exec_t) +') + +optional_policy(` + seutil_sigchld_newrole(readahead_t) +') diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc new file mode 100644 index 0000000..48922c9 --- /dev/null +++ b/policy/modules/admin/rpm.fc 
@@ -0,0 +1,58 @@ + +/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) + +/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0) +/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) + +/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) + +/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) + +/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) + +/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) + +/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) + +ifdef(`distro_redhat', ` +/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) +') + +/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) + +/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/yum(/.*)? 
gen_context(system_u:object_r:rpm_var_lib_t,s0) + +/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) +/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) + +/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) + +/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) +/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) + +# SuSE +ifdef(`distro_suse', ` +/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) +/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0) +/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0) +') + +ifdef(`enable_mls',` +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) +') diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if new file mode 100644 index 0000000..ddbb3af --- /dev/null +++ b/policy/modules/admin/rpm.if 
@@ -0,0 +1,690 @@ +## <summary>Policy for the RPM package manager.</summary> + +######################################## +## <summary> +## Execute rpm programs in the rpm domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rpm_domtrans',` + gen_require(` + type rpm_t, rpm_exec_t; + attribute rpm_transition_domain; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, rpm_exec_t, rpm_t) + typeattribute $1 rpm_transition_domain; + rpm_debuginfo_domtrans($1) +') + +######################################## +## <summary> +## Execute debuginfo_install programs in the rpm domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rpm_debuginfo_domtrans',` + gen_require(` + type rpm_t; + type debuginfo_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, debuginfo_exec_t, rpm_t) +') + +######################################## +## <summary> +## Execute rpm_script programs in the rpm_script domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rpm_domtrans_script',` + gen_require(` + type rpm_script_t; + ') + + # transition to rpm script: + corecmd_shell_domtrans($1, rpm_script_t) + allow rpm_script_t $1:fd use; + allow rpm_script_t $1:fifo_file rw_file_perms; + allow rpm_script_t $1:process sigchld; +') + +######################################## +## <summary> +## Execute RPM programs in the RPM domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the RPM domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`rpm_run',` + gen_require(` + type rpm_t, rpm_script_t; + ') + + rpm_domtrans($1) + role $2 types rpm_t; + role $2 types rpm_script_t; + + domain_system_change_exemption($1) + role_transition $2 rpm_exec_t system_r; + allow $2 system_r; + + seutil_run_loadpolicy(rpm_script_t, $2) + seutil_run_semanage(rpm_script_t, $2) + seutil_run_setfiles(rpm_script_t, $2) +') + +######################################## +## <summary> +## Execute the rpm client in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_exec',` + gen_require(` + type rpm_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, rpm_exec_t) +') + +######################################## +## <summary> +## Send a null signal to rpm. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_signull',` + gen_require(` + type rpm_t; + ') + + allow $1 rpm_t:process signull; +') + +######################################## +## <summary> +## Inherit and use file descriptors from RPM. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_use_fds',` + gen_require(` + type rpm_t; + ') + + allow $1 rpm_t:fd use; +') + +######################################## +## <summary> +## Read from an unnamed RPM pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_read_pipes',` + gen_require(` + type rpm_t; + ') + + allow $1 rpm_t:fifo_file read_fifo_file_perms; +') + +######################################## +## <summary> +## Read and write an unnamed RPM pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`rpm_rw_pipes',` + gen_require(` + type rpm_t; + ') + + allow $1 rpm_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## <summary> +## dontaudit read and write an leaked file descriptors +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_dontaudit_leaks',` + gen_require(` + type rpm_t, rpm_var_cache_t; + type rpm_script_t, rpm_var_run_t, rpm_tmp_t; + type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t; + ') + + dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms; + dontaudit $1 rpm_t:tcp_socket { read write }; + dontaudit $1 rpm_t:unix_dgram_socket { read write }; + dontaudit $1 rpm_t:shm rw_shm_perms; + + dontaudit $1 rpm_script_t:fd use; + dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms; + + dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms; + + dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms; + dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms; + dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms; + dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms; + dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms; + dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms; +') + +######################################## +## <summary> +## Send and receive messages from +## rpm over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_dbus_chat',` + gen_require(` + type rpm_t; + class dbus send_msg; + ') + + allow $1 rpm_t:dbus send_msg; + allow rpm_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Do not audit attempts to send and +## receive messages from rpm over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`rpm_dontaudit_dbus_chat',` + gen_require(` + type rpm_t; + class dbus send_msg; + ') + + dontaudit $1 rpm_t:dbus send_msg; + dontaudit rpm_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Send and receive messages from +## rpm_script over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_script_dbus_chat',` + gen_require(` + type rpm_script_t; + class dbus send_msg; + ') + + allow $1 rpm_script_t:dbus send_msg; + allow rpm_script_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Search RPM log directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_search_log',` + gen_require(` + type rpm_log_t; + ') + + allow $1 rpm_log_t:dir search_dir_perms; +') + +##################################### +## <summary> +## Allow the specified domain to append +## to rpm log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_append_log',` + gen_require(` + type rpm_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, rpm_log_t, rpm_log_t) +') + +######################################## +## <summary> +## Create, read, write, and delete the RPM log. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_manage_log',` + gen_require(` + type rpm_log_t; + ') + + logging_rw_generic_log_dirs($1) + allow $1 rpm_log_t:file manage_file_perms; +') + +######################################## +## <summary> +## Inherit and use file descriptors from RPM scripts. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`rpm_use_script_fds',` + gen_require(` + type rpm_script_t; + ') + + allow $1 rpm_script_t:fd use; +') + +######################################## +## <summary> +## Create, read, write, and delete RPM +## script temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_manage_script_tmp_files',` + gen_require(` + type rpm_script_tmp_t; + ') + + files_search_tmp($1) + manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) + manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) + manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) +') + +##################################### +## <summary> +## Allow the specified domain to append +## to rpm tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_append_tmp_files',` + gen_require(` + type rpm_tmp_t; + ') + + files_search_tmp($1) + append_files_pattern($1, rpm_tmp_t, rpm_tmp_t) +') + +######################################## +## <summary> +## Create, read, write, and delete RPM +## temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_manage_tmp_files',` + gen_require(` + type rpm_tmp_t; + ') + + files_search_tmp($1) + manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t) + manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t) + manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t) +') + +######################################## +## <summary> +## Read RPM script temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`rpm_read_script_tmp_files',` + gen_require(` + type rpm_script_tmp_t; + ') + + read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) + read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) +') + +######################################## +## <summary> +## Read the RPM cache. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_read_cache',` + gen_require(` + type rpm_var_cache_t; + ') + + files_search_var($1) + allow $1 rpm_var_cache_t:dir list_dir_perms; + read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) + read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) +') + +######################################## +## <summary> +## Create, read, write, and delete the RPM package database. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_manage_cache',` + gen_require(` + type rpm_var_cache_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t) + manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) + manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) +') + +######################################## +## <summary> +## Read the RPM package database. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_read_db',` + gen_require(` + type rpm_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 rpm_var_lib_t:dir list_dir_perms; + read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) + read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) + rpm_read_cache($1) +') + +######################################## +## <summary> +## Delete the RPM package database. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`rpm_delete_db',` + gen_require(` + type rpm_var_lib_t; + ') + + delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) +') + +######################################## +## <summary> +## Create, read, write, and delete the RPM package database. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_manage_db',` + gen_require(` + type rpm_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) + manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) +') + +######################################## +## <summary> +## Do not audit attempts to create, read, +## write, and delete the RPM package database. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`rpm_dontaudit_manage_db',` + gen_require(` + type rpm_var_lib_t; + ') + + dontaudit $1 rpm_var_lib_t:dir rw_dir_perms; + dontaudit $1 rpm_var_lib_t:file manage_file_perms; + dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; +') + +##################################### +## <summary> +## Read rpm pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_read_pid_files',` + gen_require(` + type rpm_var_run_t; + ') + + read_files_pattern($1, rpm_var_run_t, rpm_var_run_t) + files_search_pids($1) +') + +##################################### +## <summary> +## Create, read, write, and delete rpm pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_manage_pid_files',` + gen_require(` + type rpm_var_run_t; + ') + + manage_files_pattern($1, rpm_var_run_t, rpm_var_run_t) + files_search_pids($1) +') + +###################################### +## <summary> +## Create files in /var/run with the rpm pid file type. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_pid_filetrans',` + gen_require(` + type rpm_var_run_t; + ') + + files_pid_filetrans($1, rpm_var_run_t, file) +') + +######################################## +## <summary> +## Send a null signal to rpm. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_inherited_fifo',` + gen_require(` + attribute rpm_transition_domain; + ') + + allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms; +') + + +######################################## +## <summary> +## Make rpm_exec_t an entry point for +## the specified domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_entry_type',` + gen_require(` + type rpm_exec_t; + ') + + domain_entry_file($1, rpm_exec_t) +') + +######################################## +## <summary> +## Allow application to transition to rpm_script domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_transition_script',` + gen_require(` + type rpm_script_t; + attribute rpm_transition_domain; + ') + + typeattribute $1 rpm_transition_domain; + allow $1 rpm_script_t:process transition; + + allow $1 rpm_script_t:fd use; + allow rpm_script_t $1:fd use; + allow rpm_script_t $1:fifo_file rw_fifo_file_perms; + allow rpm_script_t $1:process sigchld; +') diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te new file mode 100644 index 0000000..bdba9c5 --- /dev/null +++ b/policy/modules/admin/rpm.te 
@@ -0,0 +1,404 @@ +policy_module(rpm, 1.11.1) + +attribute rpm_transition_domain; + +######################################## +# +# Declarations +# +type debuginfo_exec_t; +domain_entry_file(rpm_t, debuginfo_exec_t) + +type rpm_t; +type rpm_exec_t; +init_system_domain(rpm_t, rpm_exec_t) +domain_obj_id_change_exemption(rpm_t) +domain_role_change_exemption(rpm_t) +domain_system_change_exemption(rpm_t) +domain_interactive_fd(rpm_t) +role system_r types rpm_t; + +type rpm_file_t; +files_type(rpm_file_t) + +type rpm_tmp_t; +files_tmp_file(rpm_tmp_t) + +type rpm_tmpfs_t; +files_tmpfs_file(rpm_tmpfs_t) + +type rpm_log_t; +logging_log_file(rpm_log_t) + +type rpm_var_lib_t; +files_type(rpm_var_lib_t) +typealias rpm_var_lib_t alias var_lib_rpm_t; + +type rpm_var_cache_t; +files_type(rpm_var_cache_t) + +type rpm_var_run_t; +files_pid_file(rpm_var_run_t) + +type rpm_script_t; +type rpm_script_exec_t; +domain_obj_id_change_exemption(rpm_script_t) +domain_system_change_exemption(rpm_script_t) +corecmd_shell_entry_type(rpm_script_t) +corecmd_bin_entry_type(rpm_script_t) +domain_type(rpm_script_t) +domain_entry_file(rpm_t, rpm_script_exec_t) +domain_interactive_fd(rpm_script_t) +role system_r types rpm_script_t; + +type rpm_script_tmp_t; +files_tmp_file(rpm_script_tmp_t) + +type rpm_script_tmpfs_t; +files_tmpfs_file(rpm_script_tmpfs_t) + +######################################## +# +# rpm Local policy +# + +allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; + +allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; +allow rpm_t self:process { getattr setexec setfscreate setrlimit }; +allow rpm_t self:fd use; +allow rpm_t self:fifo_file rw_fifo_file_perms; +allow rpm_t self:unix_dgram_socket create_socket_perms; +allow rpm_t self:unix_stream_socket rw_stream_socket_perms; +allow rpm_t self:unix_dgram_socket sendto; +allow rpm_t self:unix_stream_socket connectto; 
+allow rpm_t self:udp_socket { connect }; +allow rpm_t self:udp_socket create_socket_perms; +allow rpm_t self:tcp_socket create_stream_socket_perms; +allow rpm_t self:shm create_shm_perms; +allow rpm_t self:sem create_sem_perms; +allow rpm_t self:msgq create_msgq_perms; +allow rpm_t self:msg { send receive }; +allow rpm_t self:dir search; +allow rpm_t self:file rw_file_perms;; + +allow rpm_t rpm_log_t:file manage_file_perms; +logging_log_filetrans(rpm_t, rpm_log_t, file) + +manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) +manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) +files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir }) +can_exec(rpm_t, rpm_tmp_t) + +manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) +manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) +manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) +manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) +manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) +fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) +can_exec(rpm_t, rpm_tmpfs_t) + +manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) +manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) +files_var_filetrans(rpm_t, rpm_var_cache_t, dir) + +# Access /var/lib/rpm files +manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) +files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) + +manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) +manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) +files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir }) + +kernel_read_network_state(rpm_t) +kernel_read_system_state(rpm_t) +kernel_read_kernel_sysctls(rpm_t) +kernel_read_network_state_symlinks(rpm_t) + +corecmd_exec_all_executables(rpm_t) + +corenet_all_recvfrom_unlabeled(rpm_t) +corenet_all_recvfrom_netlabel(rpm_t) +corenet_tcp_sendrecv_generic_if(rpm_t) +corenet_raw_sendrecv_generic_if(rpm_t) +corenet_udp_sendrecv_generic_if(rpm_t) +corenet_tcp_sendrecv_generic_node(rpm_t) 
+corenet_raw_sendrecv_generic_node(rpm_t) +corenet_udp_sendrecv_generic_node(rpm_t) +corenet_tcp_sendrecv_all_ports(rpm_t) +corenet_udp_sendrecv_all_ports(rpm_t) +corenet_tcp_connect_all_ports(rpm_t) +corenet_sendrecv_all_client_packets(rpm_t) + +dev_list_sysfs(rpm_t) +dev_list_usbfs(rpm_t) +dev_read_urand(rpm_t) +dev_read_raw_memory(rpm_t) +#devices_manage_all_device_types(rpm_t) + +fs_getattr_all_dirs(rpm_t) +fs_list_inotifyfs(rpm_t) +fs_manage_nfs_dirs(rpm_t) +fs_manage_nfs_files(rpm_t) +fs_manage_nfs_symlinks(rpm_t) +fs_getattr_all_fs(rpm_t) +fs_search_auto_mountpoints(rpm_t) + +mls_file_read_all_levels(rpm_t) +mls_file_write_all_levels(rpm_t) +mls_file_upgrade(rpm_t) +mls_file_downgrade(rpm_t) + +selinux_get_fs_mount(rpm_t) +selinux_validate_context(rpm_t) +selinux_compute_access_vector(rpm_t) +selinux_compute_create_context(rpm_t) +selinux_compute_relabel_context(rpm_t) +selinux_compute_user_contexts(rpm_t) + +storage_raw_write_fixed_disk(rpm_t) +# for installing kernel packages +storage_raw_read_fixed_disk(rpm_t) + +term_list_ptys(rpm_t) + +auth_relabel_all_files_except_shadow(rpm_t) +auth_manage_all_files_except_shadow(rpm_t) +auth_dontaudit_read_shadow(rpm_t) +auth_use_nsswitch(rpm_t) + +# transition to rpm script: +rpm_domtrans_script(rpm_t) + +domain_read_all_domains_state(rpm_t) +domain_getattr_all_domains(rpm_t) +domain_dontaudit_ptrace_all_domains(rpm_t) +domain_use_interactive_fds(rpm_t) +domain_dontaudit_getattr_all_pipes(rpm_t) +domain_dontaudit_getattr_all_tcp_sockets(rpm_t) +domain_dontaudit_getattr_all_udp_sockets(rpm_t) +domain_dontaudit_getattr_all_packet_sockets(rpm_t) +domain_dontaudit_getattr_all_raw_sockets(rpm_t) +domain_dontaudit_getattr_all_stream_sockets(rpm_t) +domain_dontaudit_getattr_all_dgram_sockets(rpm_t) + +files_exec_etc_files(rpm_t) + +init_domtrans_script(rpm_t) +init_use_script_ptys(rpm_t) + +libs_exec_ld_so(rpm_t) +libs_exec_lib_files(rpm_t) +libs_domtrans_ldconfig(rpm_t) + +logging_send_syslog_msg(rpm_t) + +# allow 
compiling and loading new policy +seutil_manage_src_policy(rpm_t) +seutil_manage_bin_policy(rpm_t) + +userdom_use_user_terminals(rpm_t) +userdom_use_unpriv_users_fds(rpm_t) + +optional_policy(` + cron_system_entry(rpm_t, rpm_exec_t) +') + +optional_policy(` + dbus_system_domain(rpm_t, rpm_exec_t) + dbus_system_domain(rpm_t, debuginfo_exec_t) + + optional_policy(` + hal_dbus_chat(rpm_t) + ') + + optional_policy(` + networkmanager_dbus_chat(rpm_t) + ') + +') + +optional_policy(` + prelink_domtrans(rpm_t) +') + +optional_policy(` + unconfined_domain_noaudit(rpm_t) + # yum-updatesd requires this + unconfined_dbus_chat(rpm_t) + unconfined_dbus_chat(rpm_script_t) +') + +######################################## +# +# rpm-script Local policy +# + +allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin }; +allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; +allow rpm_script_t self:fd use; +allow rpm_script_t self:fifo_file rw_fifo_file_perms; +allow rpm_script_t self:unix_dgram_socket create_socket_perms; +allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms; +allow rpm_script_t self:unix_dgram_socket sendto; +allow rpm_script_t self:unix_stream_socket connectto; +allow rpm_script_t self:shm create_shm_perms; +allow rpm_script_t self:sem create_sem_perms; +allow rpm_script_t self:msgq create_msgq_perms; +allow rpm_script_t self:msg { send receive }; +allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms; + +allow rpm_script_t rpm_tmp_t:file read_file_perms; + +allow rpm_script_t rpm_script_tmp_t:dir mounton; +manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) +manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) +manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t) +manage_chr_files_pattern(rpm_script_t, 
rpm_script_tmp_t, rpm_script_tmp_t) +files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) + +manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) +manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) +manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) +manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) +manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) +fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +kernel_read_kernel_sysctls(rpm_script_t) +kernel_read_system_state(rpm_script_t) +kernel_read_network_state(rpm_script_t) +kernel_list_all_proc(rpm_script_t) +kernel_read_software_raid_state(rpm_script_t) + +dev_list_sysfs(rpm_script_t) + +# ideally we would not need this +dev_manage_generic_blk_files(rpm_script_t) +dev_manage_generic_chr_files(rpm_script_t) +dev_manage_all_blk_files(rpm_script_t) +dev_manage_all_chr_files(rpm_script_t) + +fs_manage_nfs_files(rpm_script_t) +fs_getattr_nfs(rpm_script_t) +fs_search_all(rpm_script_t) +fs_getattr_all_fs(rpm_script_t) +# why is this not using mount? 
+fs_getattr_xattr_fs(rpm_script_t) +fs_mount_xattr_fs(rpm_script_t) +fs_unmount_xattr_fs(rpm_script_t) +fs_search_auto_mountpoints(rpm_script_t) + +mcs_killall(rpm_script_t) +mcs_ptrace_all(rpm_script_t) + +mls_file_read_all_levels(rpm_script_t) +mls_file_write_all_levels(rpm_script_t) + +selinux_get_fs_mount(rpm_script_t) +selinux_validate_context(rpm_script_t) +selinux_compute_access_vector(rpm_script_t) +selinux_compute_create_context(rpm_script_t) +selinux_compute_relabel_context(rpm_script_t) +selinux_compute_user_contexts(rpm_script_t) + +storage_raw_read_fixed_disk(rpm_script_t) +storage_raw_write_fixed_disk(rpm_script_t) + +term_getattr_unallocated_ttys(rpm_script_t) +term_list_ptys(rpm_script_t) +term_use_all_terms(rpm_script_t) + +auth_dontaudit_getattr_shadow(rpm_script_t) +auth_use_nsswitch(rpm_script_t) +# ideally we would not need this +auth_manage_all_files_except_shadow(rpm_script_t) +auth_relabel_shadow(rpm_script_t) + +corecmd_exec_all_executables(rpm_script_t) +can_exec(rpm_script_t, rpm_script_tmp_t) +can_exec(rpm_script_t, rpm_script_tmpfs_t) + +domain_read_all_domains_state(rpm_script_t) +domain_getattr_all_domains(rpm_script_t) +domain_dontaudit_ptrace_all_domains(rpm_script_t) +domain_use_interactive_fds(rpm_script_t) +domain_signal_all_domains(rpm_script_t) +domain_signull_all_domains(rpm_script_t) + +files_exec_etc_files(rpm_script_t) +files_read_etc_runtime_files(rpm_script_t) +files_exec_usr_files(rpm_script_t) +files_relabel_all_files(rpm_script_t) + +init_domtrans_script(rpm_script_t) +init_telinit(rpm_script_t) + +libs_exec_ld_so(rpm_script_t) +libs_exec_lib_files(rpm_script_t) +libs_domtrans_ldconfig(rpm_script_t) + +logging_send_syslog_msg(rpm_script_t) + +miscfiles_read_localization(rpm_script_t) + +modutils_domtrans_depmod(rpm_script_t) +modutils_domtrans_insmod(rpm_script_t) + +seutil_domtrans_loadpolicy(rpm_script_t) +seutil_domtrans_setfiles(rpm_script_t) +seutil_domtrans_semanage(rpm_script_t) 
+seutil_domtrans_setsebool(rpm_script_t) + +userdom_use_all_users_fds(rpm_script_t) +userdom_exec_admin_home_files(rpm_script_t) + +ifdef(`distro_redhat',` + optional_policy(` + mta_send_mail(rpm_script_t) + mta_system_content(rpm_var_run_t) + ') +') + +tunable_policy(`allow_execmem',` + allow rpm_script_t self:process execmem; +') + +optional_policy(` + bootloader_domtrans(rpm_script_t) +') + +optional_policy(` + dbus_system_bus_client(rpm_script_t) +') + +optional_policy(` + lvm_domtrans(rpm_script_t) +') + +optional_policy(` + tzdata_domtrans(rpm_t) + tzdata_domtrans(rpm_script_t) +') + +optional_policy(` + udev_domtrans(rpm_script_t) +') + +optional_policy(` + unconfined_domain_noaudit(rpm_script_t) + unconfined_domtrans(rpm_script_t) + unconfined_execmem_domtrans(rpm_script_t) + + optional_policy(` + java_domtrans_unconfined(rpm_script_t) + ') + + optional_policy(` + mono_domtrans(rpm_script_t) + ') +') + +optional_policy(` + usermanage_domtrans_groupadd(rpm_script_t) + usermanage_domtrans_useradd(rpm_script_t) +') diff --git a/policy/modules/admin/sectoolm.fc b/policy/modules/admin/sectoolm.fc new file mode 100644 index 0000000..1ed6870 --- /dev/null +++ b/policy/modules/admin/sectoolm.fc @@ -0,0 +1,4 @@ +/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0) + +/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0) +/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0) diff --git a/policy/modules/admin/sectoolm.if b/policy/modules/admin/sectoolm.if new file mode 100644 index 0000000..9007451 --- /dev/null +++ b/policy/modules/admin/sectoolm.if @@ -0,0 +1,2 @@ +## <summary>Sectool security audit tool</summary> + diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te new file mode 100644 index 0000000..c8ef84b --- /dev/null +++ b/policy/modules/admin/sectoolm.te 
@@ -0,0 +1,106 @@ +policy_module(sectoolm, 1.0.0) + +######################################## +# +# Declarations +# + +type sectoolm_t; +type sectoolm_exec_t; +dbus_system_domain(sectoolm_t, sectoolm_exec_t) + +type sectool_var_lib_t; +files_type(sectool_var_lib_t) + +type sectool_var_log_t; +logging_log_file(sectool_var_log_t) + +type sectool_tmp_t; +files_tmp_file(sectool_tmp_t) + +######################################## +# +# sectool local policy +# + +allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace }; +allow sectoolm_t self:process { getcap getsched signull setsched }; +dontaudit sectoolm_t self:process { execstack execmem }; +allow sectoolm_t self:fifo_file rw_fifo_file_perms; +allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto }; + +manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) +manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) +files_tmp_filetrans(sectoolm_t, sectool_tmp_t, { file dir }) + +manage_files_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t) +manage_dirs_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t) +files_var_lib_filetrans(sectoolm_t, sectool_var_lib_t, { file dir }) + +manage_files_pattern(sectoolm_t, sectool_var_log_t, sectool_var_log_t) +logging_log_filetrans(sectoolm_t, sectool_var_log_t, file) + +kernel_read_net_sysctls(sectoolm_t) +kernel_read_network_state(sectoolm_t) +kernel_read_kernel_sysctls(sectoolm_t) + +corecmd_exec_bin(sectoolm_t) +corecmd_exec_shell(sectoolm_t) + +dev_read_sysfs(sectoolm_t) +dev_read_urand(sectoolm_t) +dev_getattr_all_blk_files(sectoolm_t) +dev_getattr_all_chr_files(sectoolm_t) + +domain_getattr_all_domains(sectoolm_t) +domain_read_all_domains_state(sectoolm_t) + +files_getattr_all_pipes(sectoolm_t) +files_getattr_all_sockets(sectoolm_t) +files_read_all_files(sectoolm_t) +files_read_all_symlinks(sectoolm_t) + +fs_getattr_all_fs(sectoolm_t) +fs_list_noxattr_fs(sectoolm_t) + +selinux_validate_context(sectoolm_t) + +# 
tcp_wrappers test +application_exec_all(sectoolm_t) + +auth_use_nsswitch(sectoolm_t) + +# tests related to network +hostname_exec(sectoolm_t) + +# tests related to network +iptables_domtrans(sectoolm_t) + +libs_exec_ld_so(sectoolm_t) + +logging_send_syslog_msg(sectoolm_t) + +# tests related to network +sysnet_domtrans_ifconfig(sectoolm_t) + +userdom_manage_user_tmp_sockets(sectoolm_t) + +optional_policy(` + mount_exec(sectoolm_t) +') + +optional_policy(` + policykit_dbus_chat(sectoolm_t) +') + +# suid test using +# rpm -Vf option +optional_policy(` + prelink_domtrans(sectoolm_t) +') + +optional_policy(` + rpm_exec(sectoolm_t) + rpm_dontaudit_manage_db(sectoolm_t) +') + diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc new file mode 100644 index 0000000..029cb7e --- /dev/null +++ b/policy/modules/admin/shorewall.fc @@ -0,0 +1,14 @@ +/etc/rc\.d/init\.d/shorewall -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0) +/etc/rc\.d/init\.d/shorewall-lite -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0) + +/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) +/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) + +/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0) +/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0) + +/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) +/var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) +/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) + +/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0) diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if new file mode 100644 index 0000000..f198119 --- /dev/null +++ b/policy/modules/admin/shorewall.if 
@@ -0,0 +1,202 @@ +## <summary>Shoreline Firewall high-level tool for configuring netfilter</summary> + +######################################## +## <summary> +## Execute a domain transition to run shorewall. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`shorewall_domtrans',` + gen_require(` + type shorewall_t, shorewall_exec_t; + ') + + domtrans_pattern($1, shorewall_exec_t, shorewall_t) +') + +###################################### +## <summary> +## Execute a domain transition to run shorewall. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`shorewall_domtrans_lib',` + gen_require(` + type shorewall_t, shorewall_var_lib_t; + ') + + domtrans_pattern($1, shorewall_var_lib_t, shorewall_t) +') + +####################################### +## <summary> +## Read shorewall etc configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`shorewall_read_config',` + gen_require(` + type shorewall_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, shorewall_etc_t, shorewall_etc_t) +') + +####################################### +## <summary> +## Read shorewall PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`shorewall_read_pid_files',` + gen_require(` + type shorewall_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) +') + +####################################### +## <summary> +## Read and write shorewall PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`shorewall_rw_pid_files',` + gen_require(` + type shorewall_var_run_t; + ') + + files_search_pids($1) + rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) +') + +###################################### +## <summary> +## Read shorewall /var/lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`shorewall_read_lib_files',` + gen_require(` + type shorewall_t; + ') + + files_search_var_lib($1) + search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) + read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) +') + +####################################### +## <summary> +## Read and write shorewall /var/lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`shorewall_rw_lib_files',` + gen_require(` + type shorewall_var_lib_t; + ') + + files_search_var_lib($1) + search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) + rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) +') + +####################################### +## <summary> +## Read shorewall tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`shorewall_read_tmp_files',` + gen_require(` + type shorewall_tmp_t; + ') + + files_search_tmp($1) + read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t) +') + +####################################### +## <summary> +## All of the rules required to administrate +## an shorewall environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the syslog domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`shorewall_admin',` + gen_require(` + type shorewall_t, shorewall_lock_t; + type shorewall_log_t; + type shorewall_initrc_exec_t, shorewall_var_lib_t; + type shorewall_tmp_t, shorewall_etc_t; + ') + + allow $1 shorewall_t:process { ptrace signal_perms }; + ps_process_pattern($1, shorewall_t) + + init_labeled_script_domtrans($1, shorewall_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 shorewall_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, shorewall_etc_t) + + files_list_locks($1) + admin_pattern($1, shorewall_lock_t) + + files_list_var_lib($1) + admin_pattern($1, shorewall_var_lib_t) + + logging_list_logs($1) + admin_pattern($1, shorewall_log_t) + + files_list_tmp($1) + admin_pattern($1, shorewall_tmp_t) +') diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te new file mode 100644 index 0000000..ffc0571 --- /dev/null +++ b/policy/modules/admin/shorewall.te 
@@ -0,0 +1,113 @@ +policy_module(shorewall, 1.1.1) + +######################################## +# +# Declarations +# + +type shorewall_t; +type shorewall_exec_t; +init_daemon_domain(shorewall_t, shorewall_exec_t) + +type shorewall_initrc_exec_t; +init_script_file(shorewall_initrc_exec_t) + +# etc files +type shorewall_etc_t; +files_config_file(shorewall_etc_t) + +# lock files +type shorewall_lock_t; +files_lock_file(shorewall_lock_t) + +# tmp files +type shorewall_tmp_t; +files_tmp_file(shorewall_tmp_t) + +# var/lib files +type shorewall_var_lib_t; +files_type(shorewall_var_lib_t) + +type shorewall_log_t; +logging_log_file(shorewall_log_t) + +######################################## +# +# shorewall local policy +# + +allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace }; +dontaudit shorewall_t self:capability sys_tty_config; +allow shorewall_t self:fifo_file rw_fifo_file_perms; + +read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t) +list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t) + +manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t) +files_lock_filetrans(shorewall_t, shorewall_lock_t, file) + +manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) +manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) +logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir }) + +manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) +manage_files_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) +files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir }) + +exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) +manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) +manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) +files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file }) +allow shorewall_t shorewall_var_lib_t:file entrypoint; + +allow shorewall_t 
shorewall_initrc_exec_t:file read_file_perms; + +kernel_read_kernel_sysctls(shorewall_t) +kernel_read_network_state(shorewall_t) +kernel_read_system_state(shorewall_t) +kernel_rw_net_sysctls(shorewall_t) + +corecmd_exec_bin(shorewall_t) +corecmd_exec_shell(shorewall_t) + +dev_read_urand(shorewall_t) + +domain_read_all_domains_state(shorewall_t) + +files_getattr_kernel_modules(shorewall_t) +files_read_etc_files(shorewall_t) +files_read_usr_files(shorewall_t) +files_search_kernel_modules(shorewall_t) + +fs_getattr_all_fs(shorewall_t) + +init_rw_utmp(shorewall_t) + +logging_read_generic_logs(shorewall_t) +logging_send_syslog_msg(shorewall_t) + +miscfiles_read_localization(shorewall_t) + +sysnet_domtrans_ifconfig(shorewall_t) + +userdom_dontaudit_list_admin_dir(shorewall_t) + +optional_policy(` + brctl_domtrans(shorewall_t) +') + +optional_policy(` + hostname_exec(shorewall_t) +') + +optional_policy(` + iptables_domtrans(shorewall_t) +') + +optional_policy(` + modutils_domtrans_insmod(shorewall_t) +') + +optional_policy(` + ulogd_search_log(shorewall_t) +') diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc new file mode 100644 index 0000000..09c3771 --- /dev/null +++ b/policy/modules/admin/shutdown.fc @@ -0,0 +1,7 @@ +/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0) + +/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) + +/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) + +/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if new file mode 100644 index 0000000..914e1ac --- /dev/null +++ b/policy/modules/admin/shutdown.if 
@@ -0,0 +1,135 @@ +## <summary>System shutdown command</summary> + +######################################## +## <summary> +## Execute a domain transition to run shutdown. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`shutdown_domtrans',` + gen_require(` + type shutdown_t, shutdown_exec_t; + ') + + domtrans_pattern($1, shutdown_exec_t, shutdown_t) + + ifdef(`hide_broken_symptoms', ` + dontaudit shutdown_t $1:socket_class_set { read write }; + dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms; + ') +') + + +######################################## +## <summary> +## Execute shutdown in the shutdown domain, and +## allow the specified role the shutdown domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`shutdown_run',` + gen_require(` + type shutdown_t; + ') + + shutdown_domtrans($1) + role $2 types shutdown_t; +') + +######################################## +## <summary> +## Role access for shutdown +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`shutdown_role',` + gen_require(` + type shutdown_t; + ') + + role $1 types shutdown_t; + + shutdown_domtrans($2) + + ps_process_pattern($2, shutdown_t) + allow $2 shutdown_t:process signal; +') + +######################################## +## <summary> +## Recieve sigchld from shutdown +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`shutdown_send_sigchld',` + gen_require(` + type shutdown_t; + ') + + allow shutdown_t $1:process signal; +') + +######################################## +## <summary> +## Send and 
receive messages from +## shutdown over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`shutdown_dbus_chat',` + gen_require(` + type shutdown_t; + class dbus send_msg; + ') + + allow $1 shutdown_t:dbus send_msg; + allow shutdown_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Get attributes of shutdown executable. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`shutdown_getattr_exec_files',` + gen_require(` + type shutdown_exec_t; + ') + + allow $1 shutdown_exec_t:file getattr; +') diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te new file mode 100644 index 0000000..eb63a79 --- /dev/null +++ b/policy/modules/admin/shutdown.te 
@@ -0,0 +1,66 @@ +policy_module(shutdown, 1.0.0) + +######################################## +# +# Declarations +# + +type shutdown_t; +type shutdown_exec_t; +application_domain(shutdown_t, shutdown_exec_t) +role system_r types shutdown_t; + +type shutdown_etc_t; +files_config_file(shutdown_etc_t) + +type shutdown_var_run_t; +files_pid_file(shutdown_var_run_t) + +######################################## +# +# shutdown local policy +# + +allow shutdown_t self:capability { dac_override kill setuid sys_tty_config }; +allow shutdown_t self:process { fork signal signull }; + +allow shutdown_t self:fifo_file manage_fifo_file_perms; +allow shutdown_t self:unix_stream_socket create_stream_socket_perms; + +manage_files_pattern(shutdown_t, shutdown_etc_t, shutdown_etc_t) +files_etc_filetrans(shutdown_t, shutdown_etc_t, file) + +manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t) +files_pid_filetrans(shutdown_t, shutdown_var_run_t, file) + +files_read_etc_files(shutdown_t) +files_read_generic_pids(shutdown_t) + +mls_file_write_to_clearance(shutdown_t) + +term_use_all_terms(shutdown_t) + +auth_use_nsswitch(shutdown_t) +auth_write_login_records(shutdown_t) + +init_rw_utmp(shutdown_t) +init_telinit(shutdown_t) + +logging_search_logs(shutdown_t) +logging_send_audit_msgs(shutdown_t) + +miscfiles_read_localization(shutdown_t) + +optional_policy(` + dbus_system_bus_client(shutdown_t) + dbus_connect_system_bus(shutdown_t) +') + +optional_policy(` + oddjob_dontaudit_rw_fifo_file(shutdown_t) + oddjob_sigchld(shutdown_t) +') + +optional_policy(` + xserver_dontaudit_write_log(shutdown_t) +') diff --git a/policy/modules/admin/smoltclient.fc b/policy/modules/admin/smoltclient.fc new file mode 100644 index 0000000..47cc440 --- /dev/null +++ b/policy/modules/admin/smoltclient.fc @@ -0,0 +1,2 @@ +/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0) + 
diff --git a/policy/modules/admin/smoltclient.if b/policy/modules/admin/smoltclient.if new file mode 100644 index 0000000..a54079b --- /dev/null +++ b/policy/modules/admin/smoltclient.if @@ -0,0 +1 @@ +## <summary>The Fedora hardware profiler client</summary> diff --git a/policy/modules/admin/smoltclient.te b/policy/modules/admin/smoltclient.te new file mode 100644 index 0000000..f48e9dd --- /dev/null +++ b/policy/modules/admin/smoltclient.te 
@@ -0,0 +1,68 @@ +policy_module(smoltclient, 1.0.1) + +######################################## +# +# Declarations +# + +type smoltclient_t; +type smoltclient_exec_t; +application_domain(smoltclient_t, smoltclient_exec_t) +cron_system_entry(smoltclient_t, smoltclient_exec_t) + +type smoltclient_tmp_t; +files_tmp_file(smoltclient_tmp_t) + +######################################## +# +# Local policy +# + +allow smoltclient_t self:process { setsched getsched }; + +allow smoltclient_t self:fifo_file rw_fifo_file_perms; +allow smoltclient_t self:tcp_socket create_socket_perms; +allow smoltclient_t self:udp_socket create_socket_perms; + +can_exec(smoltclient_t, smoltclient_tmp_t) +manage_dirs_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t) +manage_files_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t) +files_tmp_filetrans(smoltclient_t, smoltclient_tmp_t, { dir file }) + +kernel_read_system_state(smoltclient_t) +kernel_read_network_state(smoltclient_t) +kernel_read_kernel_sysctls(smoltclient_t) + +corecmd_exec_bin(smoltclient_t) +corecmd_exec_shell(smoltclient_t) + +corenet_tcp_connect_http_port(smoltclient_t) + +dev_read_sysfs(smoltclient_t) + +fs_getattr_all_fs(smoltclient_t) +fs_getattr_all_dirs(smoltclient_t) +fs_list_auto_mountpoints(smoltclient_t) + +files_getattr_generic_locks(smoltclient_t) +files_read_etc_files(smoltclient_t) +files_read_usr_files(smoltclient_t) + +auth_use_nsswitch(smoltclient_t) + +logging_send_syslog_msg(smoltclient_t) + +miscfiles_read_localization(smoltclient_t) + +optional_policy(` + dbus_system_bus_client(smoltclient_t) +') + +optional_policy(` + hal_dbus_chat(smoltclient_t) +') + +optional_policy(` + rpm_exec(smoltclient_t) + rpm_read_db(smoltclient_t) +') diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc new file mode 100644 index 0000000..688abc2 --- /dev/null +++ b/policy/modules/admin/su.fc 
@@ -0,0 +1,5 @@ + +/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) + +/usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) +/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if new file mode 100644 index 0000000..1b60ad8 --- /dev/null +++ b/policy/modules/admin/su.if 
@@ -0,0 +1,339 @@ +## <summary>Run shells with substitute user and group</summary> + +####################################### +## <summary> +## Restricted su domain template. +## </summary> +## <desc> +## <p> +## This template creates a derived domain which is allowed +## to change the linux user id, to run shells as a different +## user. +## </p> +## </desc> +## <param name="userdomain_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the user domain. +## </summary> +## </param> +## <param name="user_role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +# +template(`su_restricted_domain_template', ` + gen_require(` + type su_exec_t; + ') + + type $1_su_t; + domain_entry_file($1_su_t, su_exec_t) + domain_type($1_su_t) + domain_interactive_fd($1_su_t) + role $3 types $1_su_t; + + allow $2 $1_su_t:process signal; + + allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; + dontaudit $1_su_t self:capability sys_tty_config; + allow $1_su_t self:key { search write }; + allow $1_su_t self:process { setexec setsched setrlimit }; + allow $1_su_t self:fifo_file rw_fifo_file_perms; + allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; + allow $1_su_t self:unix_stream_socket create_stream_socket_perms; + + # Transition from the user domain to this domain. + domtrans_pattern($2, su_exec_t, $1_su_t) + + # By default, revert to the calling domain when a shell is executed. 
+ corecmd_shell_domtrans($1_su_t,$2) + allow $2 $1_su_t:fd use; + allow $2 $1_su_t:fifo_file rw_file_perms; + allow $2 $1_su_t:process sigchld; + + kernel_read_system_state($1_su_t) + kernel_read_kernel_sysctls($1_su_t) + kernel_search_key($1_su_t) + kernel_link_key($1_su_t) + + # for SSP + dev_read_urand($1_su_t) + + files_read_etc_files($1_su_t) + files_read_etc_runtime_files($1_su_t) + files_search_var_lib($1_su_t) + files_dontaudit_getattr_tmp_dirs($1_su_t) + + # for the rootok check + selinux_compute_access_vector($1_su_t) + + auth_domtrans_chk_passwd($1_su_t) + auth_dontaudit_read_shadow($1_su_t) + auth_use_nsswitch($1_su_t) + auth_rw_faillog($1_su_t) + + domain_use_interactive_fds($1_su_t) + + init_dontaudit_use_fds($1_su_t) + init_dontaudit_use_script_ptys($1_su_t) + # Write to utmp. + init_rw_utmp($1_su_t) + + logging_send_syslog_msg($1_su_t) + + miscfiles_read_localization($1_su_t) + + ifdef(`distro_redhat',` + # RHEL5 and possibly newer releases incl. Fedora + auth_domtrans_upd_passwd($1_su_t) + + optional_policy(` + locallogin_search_keys($1_su_t) + ') + ') + + ifdef(`distro_rhel4',` + domain_role_change_exemption($1_su_t) + domain_subj_id_change_exemption($1_su_t) + domain_obj_id_change_exemption($1_su_t) + + selinux_get_fs_mount($1_su_t) + selinux_validate_context($1_su_t) + selinux_compute_access_vector($1_su_t) + selinux_compute_create_context($1_su_t) + selinux_compute_relabel_context($1_su_t) + selinux_compute_user_contexts($1_su_t) + + seutil_read_config($1_su_t) + seutil_read_default_contexts($1_su_t) + + # Only allow transitions to unprivileged user domains. 
+ userdom_spec_domtrans_unpriv_users($1_su_t) + ') + + ifdef(`hide_broken_symptoms',` + # dontaudit leaked sockets from parent + dontaudit $1_su_t $2:socket_class_set { read write }; + ') + + optional_policy(` + cron_read_pipes($1_su_t) + ') + + optional_policy(` + kerberos_use($1_su_t) + ') + + optional_policy(` + # used when the password has expired + usermanage_read_crack_db($1_su_t) + ') + + ifdef(`TODO',` + # Caused by su - init scripts + dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; + ') dnl end TODO +') + +####################################### +## <summary> +## The role template for the su module. +## </summary> +## <param name="role_prefix"> +## <summary> +## The prefix of the user role (e.g., user +## is the prefix for user_r). +## </summary> +## </param> +## <param name="user_role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the user domain. +## </summary> +## </param> +# +template(`su_role_template',` + gen_require(` + attribute su_domain_type; + type su_exec_t; + bool secure_mode; + ') + + type $1_su_t, su_domain_type; + domain_entry_file($1_su_t, su_exec_t) + domain_type($1_su_t) + domain_interactive_fd($1_su_t) + ubac_constrained($1_su_t) + role $2 types $1_su_t; + + allow $3 $1_su_t:process signal; + + allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; + dontaudit $1_su_t self:capability sys_tty_config; + allow $1_su_t self:process { setexec setsched setrlimit }; + allow $1_su_t self:fifo_file rw_fifo_file_perms; + allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; + allow $1_su_t self:key { search write }; + + # Transition from the user domain to this domain. 
+ domtrans_pattern($3, su_exec_t, $1_su_t) + + ps_process_pattern($3, $1_su_t) + + # By default, revert to the calling domain when a shell is executed. + corecmd_shell_domtrans($1_su_t, $3) + allow $3 $1_su_t:fd use; + allow $3 $1_su_t:fifo_file rw_file_perms; + allow $3 $1_su_t:process sigchld; + + kernel_read_system_state($1_su_t) + kernel_read_kernel_sysctls($1_su_t) + kernel_search_key($1_su_t) + kernel_link_key($1_su_t) + + # for SSP + dev_read_urand($1_su_t) + + fs_search_auto_mountpoints($1_su_t) + + # needed for pam_rootok + selinux_compute_access_vector($1_su_t) + + auth_domtrans_chk_passwd($1_su_t) + auth_dontaudit_read_shadow($1_su_t) + auth_use_pam($1_su_t) + auth_rw_faillog($1_su_t) + + corecmd_search_bin($1_su_t) + + domain_use_interactive_fds($1_su_t) + + files_read_etc_files($1_su_t) + files_read_etc_runtime_files($1_su_t) + files_search_var_lib($1_su_t) + files_dontaudit_getattr_tmp_dirs($1_su_t) + + init_dontaudit_use_fds($1_su_t) + # Write to utmp. + init_rw_utmp($1_su_t) + + mls_file_write_all_levels($1_su_t) + + logging_send_syslog_msg($1_su_t) + + miscfiles_read_localization($1_su_t) + + userdom_use_user_terminals($1_su_t) + userdom_search_user_home_dirs($1_su_t) + userdom_search_admin_dir($1_su_t) + + ifdef(`distro_redhat',` + # RHEL5 and possibly newer releases incl. Fedora + auth_domtrans_upd_passwd($1_su_t) + + optional_policy(` + locallogin_search_keys($1_su_t) + ') + ') + + ifdef(`distro_rhel4',` + domain_role_change_exemption($1_su_t) + domain_subj_id_change_exemption($1_su_t) + domain_obj_id_change_exemption($1_su_t) + + selinux_get_fs_mount($1_su_t) + selinux_validate_context($1_su_t) + selinux_compute_create_context($1_su_t) + selinux_compute_relabel_context($1_su_t) + selinux_compute_user_contexts($1_su_t) + + # Relabel ttys and ptys. + term_relabel_all_ttys($1_su_t) + term_relabel_all_ptys($1_su_t) + # Close and re-open ttys and ptys to get the fd into the correct domain. 
+ term_use_all_ttys($1_su_t) + term_use_all_ptys($1_su_t) + + seutil_read_config($1_su_t) + seutil_read_default_contexts($1_su_t) + + if(secure_mode) { + # Only allow transitions to unprivileged user domains. + userdom_spec_domtrans_unpriv_users($1_su_t) + } else { + # Allow transitions to all user domains + userdom_spec_domtrans_all_users($1_su_t) + } + + optional_policy(` + unconfined_domtrans($1_su_t) + unconfined_signal($1_su_t) + ') + ') + + ifdef(`hide_broken_symptoms',` + # dontaudit leaked sockets from parent + dontaudit $1_su_t $3:socket_class_set { read write }; + ') + + tunable_policy(`allow_polyinstantiation',` + fs_mount_xattr_fs($1_su_t) + fs_unmount_xattr_fs($1_su_t) + ') + + tunable_policy(`use_nfs_home_dirs',` + fs_search_nfs($1_su_t) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_search_cifs($1_su_t) + ') + + optional_policy(` + cron_read_pipes($1_su_t) + ') + + optional_policy(` + kerberos_use($1_su_t) + ') + + optional_policy(` + # used when the password has expired + usermanage_read_crack_db($1_su_t) + ') + + # Modify .Xauthority file (via xauth program). + optional_policy(` + xserver_user_home_dir_filetrans_user_xauth($1_su_t) + xserver_domtrans_xauth($1_su_t) + ') +') + +####################################### +## <summary> +## Execute su in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`su_exec',` + gen_require(` + type su_exec_t; + ') + + can_exec($1, su_exec_t) +') diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te new file mode 100644 index 0000000..b62353a --- /dev/null +++ b/policy/modules/admin/su.te @@ -0,0 +1,11 @@ +policy_module(su, 1.10.1) + +######################################## +# +# Declarations +# + +attribute su_domain_type; + +type su_exec_t; +corecmd_executable_file(su_exec_t) diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc new file mode 100644 index 0000000..2b59ed0 
--- /dev/null +++ b/policy/modules/admin/sudo.fc @@ -0,0 +1,4 @@ + +/usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0) + +/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if new file mode 100644 index 0000000..bb95e79 --- /dev/null +++ b/policy/modules/admin/sudo.if 
@@ -0,0 +1,191 @@ +## <summary>Execute a command with a substitute user</summary> + +####################################### +## <summary> +## The role template for the sudo module. +## </summary> +## <desc> +## <p> +## This template creates a derived domain which is allowed +## to change the linux user id, to run commands as a different +## user. +## </p> +## </desc> +## <param name="role_prefix"> +## <summary> +## The prefix of the user role (e.g., user +## is the prefix for user_r). +## </summary> +## </param> +## <param name="user_role"> +## <summary> +## The user role. +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The user domain associated with the role. +## </summary> +## </param> +# +template(`sudo_role_template',` + + gen_require(` + type sudo_exec_t; + type sudo_db_t; + attribute sudodomain; + ') + + ############################## + # + # Declarations + # + + type $1_sudo_t, sudodomain; + application_domain($1_sudo_t, sudo_exec_t) + domain_interactive_fd($1_sudo_t) + domain_role_change_exemption($1_sudo_t) + ubac_constrained($1_sudo_t) + role $2 types $1_sudo_t; + + manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t) + manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t) + + ############################## + # + # Local Policy + # + + # Use capabilities. 
+ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; + allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1_sudo_t self:process { setexec setrlimit }; + allow $1_sudo_t self:fd use; + allow $1_sudo_t self:fifo_file rw_fifo_file_perms; + allow $1_sudo_t self:shm create_shm_perms; + allow $1_sudo_t self:sem create_sem_perms; + allow $1_sudo_t self:msgq create_msgq_perms; + allow $1_sudo_t self:msg { send receive }; + allow $1_sudo_t self:unix_dgram_socket create_socket_perms; + allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; + allow $1_sudo_t self:unix_dgram_socket sendto; + allow $1_sudo_t self:unix_stream_socket connectto; + allow $1_sudo_t self:key manage_key_perms; + + allow $1_sudo_t $3:key search; + + # Enter this derived domain from the user domain + domtrans_pattern($3, sudo_exec_t, $1_sudo_t) + + # By default, revert to the calling domain when a shell is executed. 
+ corecmd_shell_domtrans($1_sudo_t, $3) + corecmd_bin_domtrans($1_sudo_t, $3) + userdom_domtrans_user_home($1_sudo_t, $3) + userdom_domtrans_user_tmp($1_sudo_t, $3) + allow $3 $1_sudo_t:fd use; + allow $3 $1_sudo_t:fifo_file rw_file_perms; + allow $3 $1_sudo_t:process signal_perms; + + kernel_read_kernel_sysctls($1_sudo_t) + kernel_read_system_state($1_sudo_t) + kernel_link_key($1_sudo_t) + + corecmd_read_bin_symlinks($1_sudo_t) + corecmd_exec_all_executables($1_sudo_t) + + dev_read_urand($1_sudo_t) + dev_rw_generic_usb_dev($1_sudo_t) + dev_read_sysfs($1_sudo_t) + + domain_use_interactive_fds($1_sudo_t) + domain_sigchld_interactive_fds($1_sudo_t) + domain_getattr_all_entry_files($1_sudo_t) + + files_read_etc_files($1_sudo_t) + files_read_var_files($1_sudo_t) + files_read_usr_symlinks($1_sudo_t) + files_getattr_usr_files($1_sudo_t) + # for some PAM modules and for cwd + files_dontaudit_search_home($1_sudo_t) + files_list_tmp($1_sudo_t) + + fs_search_auto_mountpoints($1_sudo_t) + fs_getattr_xattr_fs($1_sudo_t) + + selinux_validate_context($1_sudo_t) + selinux_compute_relabel_context($1_sudo_t) + + term_relabel_all_ttys($1_sudo_t) + term_relabel_all_ptys($1_sudo_t) + term_getattr_pty_fs($1_sudo_t) + + auth_run_chk_passwd($1_sudo_t, $2) + # sudo stores a token in the pam_pid directory + auth_manage_pam_pid($1_sudo_t) + auth_use_nsswitch($1_sudo_t) + + application_signal($1_sudo_t) + + init_rw_utmp($1_sudo_t) + + logging_send_audit_msgs($1_sudo_t) + logging_send_syslog_msg($1_sudo_t) + + miscfiles_read_localization($1_sudo_t) + + seutil_search_default_contexts($1_sudo_t) + seutil_libselinux_linked($1_sudo_t) + + userdom_spec_domtrans_all_users($1_sudo_t) + userdom_manage_user_home_content_files($1_sudo_t) + userdom_manage_user_home_content_symlinks($1_sudo_t) + userdom_manage_user_tmp_files($1_sudo_t) + userdom_manage_user_tmp_symlinks($1_sudo_t) + userdom_use_user_terminals($1_sudo_t) + userdom_signal_unpriv_users($1_sudo_t) + # for some PAM modules and for cwd + 
userdom_search_user_home_content($1_sudo_t) + userdom_search_admin_dir($1_sudo_t) + userdom_manage_all_users_keys($1_sudo_t) + + ifdef(`hide_broken_symptoms', ` + dontaudit $1_sudo_t $3:socket_class_set { read write }; + ') + + mta_role($2, $1_sudo_t) + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files($1_sudo_t) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files($1_sudo_t) + ') + + optional_policy(` + dbus_system_bus_client($1_sudo_t) + ') + + optional_policy(` + fprintd_dbus_chat($1_sudo_t) + ') + +') + +######################################## +## <summary> +## Send a SIGCHLD signal to the sudo domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sudo_sigchld',` + gen_require(` + attribute sudodomain; + ') + + allow $1 sudodomain:process sigchld; +') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te new file mode 100644 index 0000000..c927b85 --- /dev/null +++ b/policy/modules/admin/sudo.te @@ -0,0 +1,13 @@ +policy_module(sudo, 1.6.1) + +######################################## +# +# Declarations +attribute sudodomain; + +type sudo_exec_t; +application_executable_file(sudo_exec_t) + +type sudo_db_t; +files_type(sudo_db_t) + diff --git a/policy/modules/admin/sxid.fc b/policy/modules/admin/sxid.fc new file mode 100644 index 0000000..bc3797b --- /dev/null +++ b/policy/modules/admin/sxid.fc @@ -0,0 +1,6 @@ +/usr/bin/sxid -- gen_context(system_u:object_r:sxid_exec_t,s0) +/usr/sbin/checksecurity\.se -- gen_context(system_u:object_r:sxid_exec_t,s0) + +/var/log/setuid.* -- gen_context(system_u:object_r:sxid_log_t,s0) +/var/log/setuid\.today.* -- gen_context(system_u:object_r:sxid_log_t,s0) +/var/log/sxid\.log.* -- gen_context(system_u:object_r:sxid_log_t,s0) diff --git a/policy/modules/admin/sxid.if b/policy/modules/admin/sxid.if new file mode 100644 index 0000000..dd8ac62 --- /dev/null +++ b/policy/modules/admin/sxid.if 
@@ -0,0 +1,22 @@ +## <summary>SUID/SGID program monitoring</summary> + +######################################## +## <summary> +## Allow the specified domain to read +## sxid log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`sxid_read_log',` + gen_require(` + type sxid_log_t; + ') + + logging_search_logs($1) + allow $1 sxid_log_t:file read_file_perms; +') diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te new file mode 100644 index 0000000..d5aaf0e --- /dev/null +++ b/policy/modules/admin/sxid.te 
@@ -0,0 +1,97 @@ +policy_module(sxid, 1.5.0) + +######################################## +# +# Declarations +# + +type sxid_t; +type sxid_exec_t; +application_domain(sxid_t, sxid_exec_t) + +type sxid_log_t; +logging_log_file(sxid_log_t) + +type sxid_tmp_t; +files_tmp_file(sxid_tmp_t) + +######################################## +# +# Local policy +# + +allow sxid_t self:capability { dac_override dac_read_search fsetid }; +dontaudit sxid_t self:capability { setuid setgid sys_tty_config }; +allow sxid_t self:process signal_perms; +allow sxid_t self:fifo_file rw_fifo_file_perms; +allow sxid_t self:tcp_socket create_stream_socket_perms; +allow sxid_t self:udp_socket create_socket_perms; + +allow sxid_t sxid_log_t:file manage_file_perms; +logging_log_filetrans(sxid_t, sxid_log_t, file) + +manage_dirs_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t) +manage_files_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t) +files_tmp_filetrans(sxid_t, sxid_tmp_t, { file dir }) + +kernel_read_system_state(sxid_t) +kernel_read_kernel_sysctls(sxid_t) + +corecmd_exec_bin(sxid_t) +corecmd_exec_shell(sxid_t) + +corenet_all_recvfrom_unlabeled(sxid_t) +corenet_all_recvfrom_netlabel(sxid_t) +corenet_tcp_sendrecv_generic_if(sxid_t) +corenet_udp_sendrecv_generic_if(sxid_t) +corenet_tcp_sendrecv_generic_node(sxid_t) +corenet_udp_sendrecv_generic_node(sxid_t) +corenet_tcp_sendrecv_all_ports(sxid_t) +corenet_udp_sendrecv_all_ports(sxid_t) + +dev_read_sysfs(sxid_t) +dev_getattr_all_blk_files(sxid_t) +dev_getattr_all_chr_files(sxid_t) + +domain_use_interactive_fds(sxid_t) + +files_list_all(sxid_t) +files_getattr_all_symlinks(sxid_t) +files_getattr_all_pipes(sxid_t) +files_getattr_all_sockets(sxid_t) + +fs_getattr_xattr_fs(sxid_t) +fs_search_auto_mountpoints(sxid_t) +fs_list_all(sxid_t) + +term_dontaudit_use_console(sxid_t) + +auth_read_all_files_except_shadow(sxid_t) +auth_dontaudit_getattr_shadow(sxid_t) + +init_use_fds(sxid_t) +init_use_script_ptys(sxid_t) + +logging_send_syslog_msg(sxid_t) + 
+miscfiles_read_localization(sxid_t) + +mount_exec(sxid_t) + +sysnet_read_config(sxid_t) + +userdom_dontaudit_use_unpriv_user_fds(sxid_t) + +cron_system_entry(sxid_t, sxid_exec_t) + +optional_policy(` + mta_send_mail(sxid_t) +') + +optional_policy(` + seutil_sigchld_newrole(sxid_t) +') + +optional_policy(` + udev_read_db(sxid_t) +') diff --git a/policy/modules/admin/tmpreaper.fc b/policy/modules/admin/tmpreaper.fc new file mode 100644 index 0000000..81077db --- /dev/null +++ b/policy/modules/admin/tmpreaper.fc @@ -0,0 +1,2 @@ +/usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) +/usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) diff --git a/policy/modules/admin/tmpreaper.if b/policy/modules/admin/tmpreaper.if new file mode 100644 index 0000000..8dfbd80 --- /dev/null +++ b/policy/modules/admin/tmpreaper.if @@ -0,0 +1,21 @@ +## <summary>Manage temporary directory sizes and file ages</summary> + +######################################## +## <summary> +## Execute tmpreaper in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`tmpreaper_exec',` + gen_require(` + type tmpreaper_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + can_exec($1, tmpreaper_exec_t) +') diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te new file mode 100644 index 0000000..50cd538 --- /dev/null +++ b/policy/modules/admin/tmpreaper.te 
@@ -0,0 +1,87 @@ +policy_module(tmpreaper, 1.5.0) + +######################################## +# +# Declarations +# + +type tmpreaper_t; +type tmpreaper_exec_t; +application_domain(tmpreaper_t, tmpreaper_exec_t) +role system_r types tmpreaper_t; + +######################################## +# +# Local Policy +# + +allow tmpreaper_t self:process { fork sigchld }; +allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; + +dev_read_urand(tmpreaper_t) + +fs_getattr_xattr_fs(tmpreaper_t) + +files_read_etc_files(tmpreaper_t) +files_read_var_lib_files(tmpreaper_t) +files_purge_tmp(tmpreaper_t) +files_delete_usr_dirs(tmpreaper_t) +files_delete_usr_files(tmpreaper_t) +# why does it need setattr? +files_setattr_all_tmp_dirs(tmpreaper_t) +files_setattr_usr_dirs(tmpreaper_t) +files_getattr_all_dirs(tmpreaper_t) +files_getattr_all_files(tmpreaper_t) + +mls_file_read_all_levels(tmpreaper_t) +mls_file_write_all_levels(tmpreaper_t) + +logging_send_syslog_msg(tmpreaper_t) + +miscfiles_read_localization(tmpreaper_t) +miscfiles_delete_man_pages(tmpreaper_t) + +cron_system_entry(tmpreaper_t, tmpreaper_exec_t) + +ifdef(`distro_redhat',` + userdom_list_user_home_content(tmpreaper_t) + userdom_delete_user_home_content_dirs(tmpreaper_t) + userdom_delete_user_home_content_files(tmpreaper_t) + userdom_delete_user_home_content_symlinks(tmpreaper_t) +') + +optional_policy(` + amavis_manage_spool_files(tmpreaper_t) +') + +optional_policy(` + apache_delete_sys_content_rw(tmpreaper_t) + apache_list_cache(tmpreaper_t) + apache_delete_cache_dirs(tmpreaper_t) + apache_delete_cache_files(tmpreaper_t) + apache_setattr_cache_dirs(tmpreaper_t) +') + +optional_policy(` + kismet_manage_log(tmpreaper_t) +') + +optional_policy(` + lpd_manage_spool(tmpreaper_t) +') + +optional_policy(` + sandbox_list(tmpreaper_t) + sandbox_delete_dirs(tmpreaper_t) + sandbox_delete_files(tmpreaper_t) + sandbox_delete_sock_files(tmpreaper_t) + sandbox_setattr_dirs(tmpreaper_t) +') + +optional_policy(` + 
rpm_manage_cache(tmpreaper_t) +') + +optional_policy(` + unconfined_domain(tmpreaper_t) +') diff --git a/policy/modules/admin/tripwire.fc b/policy/modules/admin/tripwire.fc new file mode 100644 index 0000000..962662f --- /dev/null +++ b/policy/modules/admin/tripwire.fc @@ -0,0 +1,10 @@ + +/etc/tripwire(/.*)? gen_context(system_u:object_r:tripwire_etc_t,s0) + +/usr/sbin/siggen -- gen_context(system_u:object_r:siggen_exec_t,s0) +/usr/sbin/tripwire -- gen_context(system_u:object_r:tripwire_exec_t,s0) +/usr/sbin/twadmin -- gen_context(system_u:object_r:twadmin_exec_t,s0) +/usr/sbin/twprint -- gen_context(system_u:object_r:twprint_exec_t,s0) + +/var/lib/tripwire(/.*)? gen_context(system_u:object_r:tripwire_var_lib_t,s0) +/var/lib/tripwire/report(/.*)? gen_context(system_u:object_r:tripwire_report_t,s0) diff --git a/policy/modules/admin/tripwire.if b/policy/modules/admin/tripwire.if new file mode 100644 index 0000000..27abd88 --- /dev/null +++ b/policy/modules/admin/tripwire.if 
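Review bot: the trailing `optional_policy(` unconfined_domain(tmpreaper_t) `)` in tmpreaper.te makes tmpreaper_t unconfined whenever the unconfined module is loaded, so on those builds every rule above it (the limited `dac_override dac_read_search fowner` capability set, the delete-only apache, sandbox and rpm rules) is dead weight; if the intent is that tmpreaper is only confined on strict or MLS builds, say so in a comment beside the call, otherwise drop it. Two smaller items in the same file: the `# why does it need setattr?` question above `files_setattr_all_tmp_dirs(tmpreaper_t)` should be answered or removed before merge, and `files_delete_usr_dirs(tmpreaper_t)` / `files_delete_usr_files(tmpreaper_t)` deserve a comment saying which path under /usr a tmp reaper is expected to clean, since deleting under /usr is not what the module summary ("Manage temporary directory sizes and file ages") leads a reader to expect.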
@@ -0,0 +1,190 @@ +## <summary>Tripwire file integrity checker.</summary> +## <desc> +## <p> +## Tripwire file integrity checker. +## </p> +## <p> +## NOTE: Tripwire creates temp file in its current working directory. +## This policy does not allow write access to home directories, so +## users will need to either cd to a directory where they have write +## permission, or set the TEMPDIRECTORY variable in the tripwire config +## file. The latter is preferable, as then the file_type_auto_trans +## rules will kick in and label the files as private to tripwire. +## </p> +## </desc> + +######################################## +## <summary> +## Execute tripwire in the tripwire domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`tripwire_domtrans_tripwire',` + gen_require(` + type tripwire_t, tripwire_exec_t; + ') + + domtrans_pattern($1, tripwire_exec_t, tripwire_t) +') + +######################################## +## <summary> +## Execute tripwire in the tripwire domain, and +## allow the specified role the tripwire domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`tripwire_run_tripwire',` + gen_require(` + type tripwire_t; + ') + + tripwire_domtrans_tripwire($1) + role $2 types tripwire_t; +') + +######################################## +## <summary> +## Execute twadmin in the twadmin domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`tripwire_domtrans_twadmin',` + gen_require(` + type twadmin_t, twadmin_exec_t; + ') + + domtrans_pattern($1, twadmin_exec_t, twadmin_t) +') + +######################################## +## <summary> +## Execute twadmin in the twadmin domain, and +## allow the specified role the twadmin domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`tripwire_run_twadmin',` + gen_require(` + type twadmin_t; + ') + + tripwire_domtrans_twadmin($1) + role $2 types twadmin_t; +') + +######################################## +## <summary> +## Execute twprint in the twprint domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`tripwire_domtrans_twprint',` + gen_require(` + type twprint_t, twprint_exec_t; + ') + + domtrans_pattern($1, twprint_exec_t, twprint_t) +') + +######################################## +## <summary> +## Execute twprint in the twprint domain, and +## allow the specified role the twprint domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`tripwire_run_twprint',` + gen_require(` + type twprint_t; + ') + + tripwire_domtrans_twprint($1) + role $2 types twprint_t; +') + +######################################## +## <summary> +## Execute siggen in the siggen domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`tripwire_domtrans_siggen',` + gen_require(` + type siggen_t, siggen_exec_t; + ') + + domtrans_pattern($1, siggen_exec_t, siggen_t) +') + +######################################## +## <summary> +## Execute siggen in the siggen domain, and +## allow the specified role the siggen domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`tripwire_run_siggen',` + gen_require(` + type siggen_t; + ') + + tripwire_domtrans_siggen($1) + role $2 types siggen_t; +') diff --git a/policy/modules/admin/tripwire.te b/policy/modules/admin/tripwire.te new file mode 100644 index 0000000..2ae8b62 --- /dev/null +++ b/policy/modules/admin/tripwire.te 
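Review bot: the module description in tripwire.if says TEMPDIRECTORY is preferable because "the file_type_auto_trans rules will kick in", but file_type_auto_trans is a legacy macro name; the rule that does the labelling here is `files_tmp_filetrans(tripwire_t, tripwire_tmp_t, ...)` in tripwire.te, so the text should refer to that instead. Also, all four `tripwire_domtrans_*` interfaces call only `domtrans_pattern`, whereas `tmpreaper_exec`, `updfstab_domtrans` and the `usermanage_domtrans_*` interfaces in this same series precede the transition with `files_search_usr($1)` and `corecmd_search_bin($1)`; a caller that does not already have search access to /usr and the bin directories cannot reach /usr/sbin/tripwire, so add the two search calls for consistency with the rest of the patch.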
@@ -0,0 +1,146 @@ +policy_module(tripwire, 1.2.0) + +######################################## +# +# Declarations +# + +type siggen_t; +type siggen_exec_t; +application_domain(siggen_t, siggen_exec_t) + +type tripwire_t; +type tripwire_exec_t; +application_domain(tripwire_t, tripwire_exec_t) +role system_r types tripwire_t; + +type tripwire_etc_t; +files_config_file(tripwire_etc_t) + +type tripwire_report_t; +files_type(tripwire_report_t) + +type tripwire_tmp_t; +files_tmp_file(tripwire_tmp_t) + +type tripwire_var_lib_t; +files_type(tripwire_var_lib_t) + +type twadmin_t; +type twadmin_exec_t; +application_domain(twadmin_t, twadmin_exec_t) + +type twprint_t; +type twprint_exec_t; +application_domain(twprint_t, twprint_exec_t) + +######################################## +# +# Tripwire local policy +# + +allow tripwire_t self:capability { setgid setuid dac_override }; + +allow tripwire_t tripwire_etc_t:dir list_dir_perms; +read_files_pattern(tripwire_t, tripwire_etc_t, tripwire_etc_t) +read_lnk_files_pattern(tripwire_t, tripwire_etc_t, tripwire_etc_t) +files_search_etc(tripwire_t) + +# Tripwire report files +manage_dirs_pattern(tripwire_t, tripwire_report_t, tripwire_report_t) +manage_files_pattern(tripwire_t, tripwire_report_t, tripwire_report_t) +manage_lnk_files_pattern(tripwire_t, tripwire_report_t, tripwire_report_t) + +manage_dirs_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) +manage_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) +manage_lnk_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) +manage_fifo_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) +manage_sock_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t) +files_tmp_filetrans(tripwire_t, tripwire_tmp_t,{ dir file lnk_file sock_file fifo_file }) + +manage_files_pattern(tripwire_t, tripwire_var_lib_t, tripwire_var_lib_t) +files_var_lib_filetrans(tripwire_t, tripwire_var_lib_t, file) + +kernel_read_system_state(tripwire_t) +kernel_read_network_state(tripwire_t) 
+kernel_read_software_raid_state(tripwire_t) +kernel_getattr_core_if(tripwire_t) +kernel_getattr_message_if(tripwire_t) +kernel_read_kernel_sysctls(tripwire_t) + +corecmd_exec_shell(tripwire_t) +corecmd_exec_bin(tripwire_t) + +domain_use_interactive_fds(tripwire_t) + +files_read_all_files(tripwire_t) +files_read_all_symlinks(tripwire_t) +files_getattr_all_pipes(tripwire_t) +files_getattr_all_sockets(tripwire_t) + +logging_send_syslog_msg(tripwire_t) + +userdom_use_user_terminals(tripwire_t) + +optional_policy(` + cron_system_entry(tripwire_t, tripwire_exec_t) +') + +######################################## +# +# Twadmin local policy +# + +manage_dirs_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t) +manage_files_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t) +manage_lnk_files_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t) + +domain_use_interactive_fds(twadmin_t) + +logging_send_syslog_msg(twadmin_t) + +miscfiles_read_localization(twadmin_t) + +userdom_use_user_terminals(twadmin_t) + +######################################## +# +# Twprint local policy +# + +allow twprint_t tripwire_etc_t:dir list_dir_perms; +read_files_pattern(twprint_t, tripwire_etc_t, tripwire_etc_t) +read_lnk_files_pattern(twprint_t, tripwire_etc_t, tripwire_etc_t) + +allow twprint_t tripwire_report_t:dir list_dir_perms; +read_files_pattern(twprint_t, tripwire_report_t, tripwire_report_t) +read_lnk_files_pattern(twprint_t, tripwire_report_t, tripwire_report_t) + +allow twprint_t tripwire_var_lib_t:dir list_dir_perms; +read_files_pattern(twprint_t, tripwire_var_lib_t, tripwire_var_lib_t) +read_lnk_files_pattern(twprint_t, tripwire_var_lib_t, tripwire_var_lib_t) +files_search_var_lib(twprint_t) + +domain_use_interactive_fds(twprint_t) + +logging_send_syslog_msg(twprint_t) + +miscfiles_read_localization(twprint_t) + +userdom_use_user_terminals(twprint_t) + +######################################## +# +# Siggen local policy +# + +domain_use_interactive_fds(siggen_t) + +# Need permission to 
read files +files_read_all_files(siggen_t) + +logging_send_syslog_msg(siggen_t) + +miscfiles_read_localization(siggen_t) + +userdom_use_user_terminals(siggen_t) diff --git a/policy/modules/admin/tzdata.fc b/policy/modules/admin/tzdata.fc new file mode 100644 index 0000000..04b8548 --- /dev/null +++ b/policy/modules/admin/tzdata.fc @@ -0,0 +1 @@ +/usr/sbin/tzdata-update -- gen_context(system_u:object_r:tzdata_exec_t,s0) diff --git a/policy/modules/admin/tzdata.if b/policy/modules/admin/tzdata.if new file mode 100644 index 0000000..7747b16 --- /dev/null +++ b/policy/modules/admin/tzdata.if @@ -0,0 +1,44 @@ +## <summary>Time zone updater</summary> + +######################################## +## <summary> +## Execute a domain transition to run tzdata. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`tzdata_domtrans',` + gen_require(` + type tzdata_t, tzdata_exec_t; + ') + + domtrans_pattern($1, tzdata_exec_t, tzdata_t) +') + +######################################## +## <summary> +## Execute the tzdata program in the tzdata domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the tzdata domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`tzdata_run',` + gen_require(` + type tzdata_t; + ') + + tzdata_domtrans($1) + role $2 types tzdata_t; +') diff --git a/policy/modules/admin/tzdata.te b/policy/modules/admin/tzdata.te new file mode 100644 index 0000000..7851643 --- /dev/null +++ b/policy/modules/admin/tzdata.te 
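Review bot: tripwire_t gets `files_search_etc(tripwire_t)` before it reads tripwire_etc_t, but the twadmin section, which has `manage_*_pattern(twadmin_t, tripwire_etc_t, tripwire_etc_t)`, and the twprint section, which reads tripwire_etc_t, contain no `files_search_etc` call (twprint only gets `files_search_var_lib(twprint_t)` plus list on tripwire_var_lib_t, which covers the report path). Please check that twadmin_t and twprint_t can actually traverse /etc/tripwire, or add the search rule to both. The `allow tripwire_t self:capability { setgid setuid dac_override };` line would also benefit from a comment: dac_override is expected for an integrity scanner that reads everything, but nothing in the file explains why setuid and setgid are needed.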
@@ -0,0 +1,36 @@ +policy_module(tzdata, 1.3.0) + +######################################## +# +# Declarations +# + +type tzdata_t; +type tzdata_exec_t; +init_daemon_domain(tzdata_t, tzdata_exec_t) +application_domain(tzdata_t, tzdata_exec_t) + +######################################## +# +# tzdata local policy +# + +files_read_config_files(tzdata_t) +files_search_spool(tzdata_t) + +fs_getattr_xattr_fs(tzdata_t) + +term_dontaudit_list_ptys(tzdata_t) + +locallogin_dontaudit_use_fds(tzdata_t) + +miscfiles_read_localization(tzdata_t) +miscfiles_manage_localization(tzdata_t) +miscfiles_etc_filetrans_localization(tzdata_t) + +userdom_use_user_terminals(tzdata_t) + +# tzdata looks for /var/spool/postfix/etc/localtime. +optional_policy(` + postfix_search_spool(tzdata_t) +') diff --git a/policy/modules/admin/updfstab.fc b/policy/modules/admin/updfstab.fc new file mode 100644 index 0000000..e534c88 --- /dev/null +++ b/policy/modules/admin/updfstab.fc @@ -0,0 +1,3 @@ + +/usr/sbin/fstab-sync -- gen_context(system_u:object_r:updfstab_exec_t,s0) +/usr/sbin/updfstab -- gen_context(system_u:object_r:updfstab_exec_t,s0) diff --git a/policy/modules/admin/updfstab.if b/policy/modules/admin/updfstab.if new file mode 100644 index 0000000..4d4b60e --- /dev/null +++ b/policy/modules/admin/updfstab.if @@ -0,0 +1,21 @@ +## <summary>Red Hat utility to change /etc/fstab.</summary> + +######################################## +## <summary> +## Execute updfstab in the updfstab domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`updfstab_domtrans',` + gen_require(` + type updfstab_t, updfstab_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, updfstab_exec_t, updfstab_t) +') diff --git a/policy/modules/admin/updfstab.te b/policy/modules/admin/updfstab.te new file mode 100644 index 0000000..ef12ed5 --- /dev/null +++ b/policy/modules/admin/updfstab.te 
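Review bot: tzdata.te declares the domain twice, `init_daemon_domain(tzdata_t, tzdata_exec_t)` immediately followed by `application_domain(tzdata_t, tzdata_exec_t)`. Both make tzdata_exec_t an entrypoint for tzdata_t, but the first also wires up the init script transition and the system_r role for a daemon, while the second describes a user-launched application, so the pair reads as a copy-paste leftover. Keep the one that matches how tzdata-update is actually invoked (the `userdom_use_user_terminals(tzdata_t)` rule and the `tzdata_run` interface suggest interactive use) and add a comment if both are genuinely required.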
@@ -0,0 +1,116 @@ +policy_module(updfstab, 1.5.0) + +######################################## +# +# Declarations +# + +type updfstab_t; +type updfstab_exec_t; +init_system_domain(updfstab_t, updfstab_exec_t) + +######################################## +# +# Local policy +# + +allow updfstab_t self:capability dac_override; +dontaudit updfstab_t self:capability { sys_admin sys_tty_config }; +allow updfstab_t self:process signal_perms; +allow updfstab_t self:fifo_file rw_fifo_file_perms; + +kernel_use_fds(updfstab_t) +kernel_read_kernel_sysctls(updfstab_t) +kernel_dontaudit_write_kernel_sysctl(updfstab_t) +# for /proc/partitions +kernel_read_system_state(updfstab_t) +# cjp: why is this required +kernel_change_ring_buffer_level(updfstab_t) + +dev_read_sysfs(updfstab_t) +dev_manage_generic_symlinks(updfstab_t) + +fs_getattr_xattr_fs(updfstab_t) +fs_getattr_tmpfs(updfstab_t) +fs_getattr_tmpfs_dirs(updfstab_t) +fs_search_auto_mountpoints(updfstab_t) + +selinux_get_fs_mount(updfstab_t) +selinux_validate_context(updfstab_t) +selinux_compute_access_vector(updfstab_t) +selinux_compute_create_context(updfstab_t) +selinux_compute_relabel_context(updfstab_t) +selinux_compute_user_contexts(updfstab_t) + +storage_raw_read_fixed_disk(updfstab_t) +storage_raw_write_fixed_disk(updfstab_t) +storage_raw_read_removable_device(updfstab_t) +storage_raw_write_removable_device(updfstab_t) +storage_read_scsi_generic(updfstab_t) +storage_write_scsi_generic(updfstab_t) + +term_dontaudit_use_console(updfstab_t) + +corecmd_exec_bin(updfstab_t) + +domain_use_interactive_fds(updfstab_t) + +files_manage_mnt_files(updfstab_t) +files_manage_mnt_dirs(updfstab_t) +files_manage_mnt_symlinks(updfstab_t) +files_manage_etc_files(updfstab_t) +files_dontaudit_search_home(updfstab_t) +# for /etc/mtab +files_read_etc_runtime_files(updfstab_t) + +init_use_fds(updfstab_t) +init_use_script_ptys(updfstab_t) + +logging_send_syslog_msg(updfstab_t) +logging_search_logs(updfstab_t) + 
+miscfiles_read_localization(updfstab_t) + +seutil_read_config(updfstab_t) +seutil_read_default_contexts(updfstab_t) +seutil_read_file_contexts(updfstab_t) + +userdom_dontaudit_search_user_home_content(updfstab_t) +userdom_dontaudit_use_unpriv_user_fds(updfstab_t) + +optional_policy(` + auth_domtrans_pam_console(updfstab_t) +') + +optional_policy(` + init_dbus_chat_script(updfstab_t) + + dbus_system_bus_client(updfstab_t) +') + +optional_policy(` + fstools_getattr_swap_files(updfstab_t) +') + +optional_policy(` + hal_stream_connect(updfstab_t) + hal_dbus_chat(updfstab_t) +') + +optional_policy(` + modutils_read_module_config(updfstab_t) + modutils_exec_insmod(updfstab_t) + modutils_read_module_deps(updfstab_t) +') + +optional_policy(` + nscd_socket_use(updfstab_t) +') + +optional_policy(` + seutil_sigchld_newrole(updfstab_t) +') + +optional_policy(` + udev_read_db(updfstab_t) +') diff --git a/policy/modules/admin/usbmodules.fc b/policy/modules/admin/usbmodules.fc new file mode 100644 index 0000000..a008efb --- /dev/null +++ b/policy/modules/admin/usbmodules.fc @@ -0,0 +1,9 @@ +# +# /sbin +# +/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0) + +# +# /usr +# +/usr/sbin/usbmodules -- gen_context(system_u:object_r:usbmodules_exec_t,s0) diff --git a/policy/modules/admin/usbmodules.if b/policy/modules/admin/usbmodules.if new file mode 100644 index 0000000..b7eade3 --- /dev/null +++ b/policy/modules/admin/usbmodules.if 
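Review bot: the storage block in updfstab.te grants raw write as well as read to fixed disks, removable devices and scsi generic nodes (`storage_raw_write_fixed_disk`, `storage_raw_write_removable_device`, `storage_write_scsi_generic`). A tool whose job is to regenerate /etc/fstab from the partition list (see the `# for /proc/partitions` comment) should only need to read device nodes, and together with `files_manage_etc_files(updfstab_t)` and `modutils_exec_insmod(updfstab_t)`, which runs insmod inside updfstab_t with no transition, this domain ends up with near-root reach. Please justify each write rule in a comment or downgrade it to dontaudit. The `# cjp: why is this required` question above `kernel_change_ring_buffer_level(updfstab_t)` should likewise be resolved rather than committed as-is.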
@@ -0,0 +1,46 @@ +## <summary>List kernel modules of USB devices</summary> + +######################################## +## <summary> +## Execute usbmodules in the usbmodules domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`usbmodules_domtrans',` + gen_require(` + type usbmodules_t, usbmodules_exec_t; + ') + + domtrans_pattern($1, usbmodules_exec_t, usbmodules_t) +') + +######################################## +## <summary> +## Execute usbmodules in the usbmodules domain, and +## allow the specified role the usbmodules domain, +## and use the caller's terminal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`usbmodules_run',` + gen_require(` + type usbmodules_t; + ') + + usbmodules_domtrans($1) + role $2 types usbmodules_t; +') diff --git a/policy/modules/admin/usbmodules.te b/policy/modules/admin/usbmodules.te new file mode 100644 index 0000000..74354da --- /dev/null +++ b/policy/modules/admin/usbmodules.te 
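Review bot: the summary of `usbmodules_run` promises to "use the caller's terminal", but the body only does `usbmodules_domtrans($1)` and `role $2 types usbmodules_t;`. Terminal access comes from `userdom_use_user_terminals(usbmodules_t)` in usbmodules.te regardless of who calls this interface, so either drop that clause from the summary or, if a per-caller grant was intended, add it to the body. None of the other `*_run` interfaces in this series (tripwire_run_*, tzdata_run, usermanage_run_*) make that claim.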
@@ -0,0 +1,47 @@ +policy_module(usbmodules, 1.2.0) + +######################################## +# +# Declarations +# + +type usbmodules_t; +type usbmodules_exec_t; +init_system_domain(usbmodules_t, usbmodules_exec_t) +role system_r types usbmodules_t; + +######################################## +# +# Local policy +# + +kernel_list_proc(usbmodules_t) + +files_list_kernel_modules(usbmodules_t) + +dev_list_usbfs(usbmodules_t) +# allow usb device access +dev_rw_usbfs(usbmodules_t) + +files_list_etc(usbmodules_t) +# needs etc_t read access for the hotplug config, maybe should have a new type +files_read_etc_files(usbmodules_t) + +term_read_console(usbmodules_t) +term_write_console(usbmodules_t) + +init_use_fds(usbmodules_t) + +miscfiles_read_hwdata(usbmodules_t) + +modutils_read_module_deps(usbmodules_t) + +userdom_use_user_terminals(usbmodules_t) + +optional_policy(` + hotplug_read_config(usbmodules_t) +') + +optional_policy(` + logging_send_syslog_msg(usbmodules_t) +') diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc new file mode 100644 index 0000000..c467144 --- /dev/null +++ b/policy/modules/admin/usermanage.fc 
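Review bot: the comment `# needs etc_t read access for the hotplug config, maybe should have a new type` above `files_read_etc_files(usbmodules_t)` is contradicted by the `optional_policy(` hotplug_read_config(usbmodules_t) `)` block lower in the same file, which already grants access to hotplug's own config type; either the comment is stale and should say what else under /etc is read, or the etc_t rule is no longer needed. Also, `logging_send_syslog_msg(usbmodules_t)` is wrapped in `optional_policy` here while sxid, tmpreaper, tripwire and updfstab in this same patch call it unconditionally; logging is a base module, so the wrapper is unnecessary and the inconsistency is confusing.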
@@ -0,0 +1,33 @@ +ifdef(`distro_gentoo',` +/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) +') + +/usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0) +/usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0) +/usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0) +/usr/bin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) +/usr/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0) +/usr/bin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) +/usr/bin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + +/usr/lib(64)?/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0) + +/usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) +/usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) +/usr/sbin/gpasswd -- gen_context(system_u:object_r:groupadd_exec_t,s0) +/usr/sbin/groupadd -- gen_context(system_u:object_r:groupadd_exec_t,s0) +/usr/sbin/groupdel -- gen_context(system_u:object_r:groupadd_exec_t,s0) +/usr/sbin/groupmod -- gen_context(system_u:object_r:groupadd_exec_t,s0) +/usr/sbin/grpconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) +/usr/sbin/grpunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) +/usr/sbin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) +/usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) +/usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) +/usr/sbin/userdel -- gen_context(system_u:object_r:useradd_exec_t,s0) +/usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0) +/usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) +/usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + +/usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0) + +/var/cache/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0) 
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if new file mode 100644 index 0000000..0b5e634 --- /dev/null +++ b/policy/modules/admin/usermanage.if 
@@ -0,0 +1,319 @@ +## <summary>Policy for managing user accounts.</summary> + +######################################## +## <summary> +## Execute chfn in the chfn domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`usermanage_domtrans_chfn',` + gen_require(` + type chfn_t, chfn_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, chfn_exec_t, chfn_t) + + ifdef(`hide_broken_symptoms',` + dontaudit chfn_t $1:socket_class_set { read write }; + ') +') + +######################################## +## <summary> +## Execute chfn in the chfn domain, and +## allow the specified role the chfn domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`usermanage_run_chfn',` + gen_require(` + type chfn_t; + ') + + usermanage_domtrans_chfn($1) + role $2 types chfn_t; +') + +######################################## +## <summary> +## Execute groupadd in the groupadd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`usermanage_domtrans_groupadd',` + gen_require(` + type groupadd_t, groupadd_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, groupadd_exec_t, groupadd_t) + + ifdef(`hide_broken_symptoms',` + dontaudit groupadd_t $1:socket_class_set { read write }; + ') +') + +######################################## +## <summary> +## Execute groupadd in the groupadd domain, and +## allow the specified role the groupadd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`usermanage_run_groupadd',` + gen_require(` + type groupadd_t; + ') + + usermanage_domtrans_groupadd($1) + role $2 types groupadd_t; + + optional_policy(` + nscd_run(groupadd_t, $2) + ') +') + +######################################## +## <summary> +## Execute passwd in the passwd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`usermanage_domtrans_passwd',` + gen_require(` + type passwd_t, passwd_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, passwd_exec_t, passwd_t) + + ifdef(`hide_broken_symptoms',` + dontaudit passwd_t $1:socket_class_set { read write }; + ') +') + +######################################## +## <summary> +## Send sigkills to passwd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`usermanage_kill_passwd',` + gen_require(` + type passwd_t; + ') + + allow $1 passwd_t:process sigkill; +') + +######################################## +## <summary> +## Execute passwd in the passwd domain, and +## allow the specified role the passwd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`usermanage_run_passwd',` + gen_require(` + type passwd_t; + ') + + usermanage_domtrans_passwd($1) + role $2 types passwd_t; + auth_run_chk_passwd(passwd_t, $2) +') + +######################################## +## <summary> +## Execute password admin functions in +## the admin passwd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`usermanage_domtrans_admin_passwd',` + gen_require(` + type sysadm_passwd_t, admin_passwd_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, admin_passwd_exec_t, sysadm_passwd_t) +') + +######################################## +## <summary> +## Execute passwd admin functions in the admin +## passwd domain, and allow the specified role +## the admin passwd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`usermanage_run_admin_passwd',` + gen_require(` + type sysadm_passwd_t; + ') + + usermanage_domtrans_admin_passwd($1) + role $2 types sysadm_passwd_t; + + optional_policy(` + nscd_run(sysadm_passwd_t, $2) + ') +') + +######################################## +## <summary> +## Do not audit attempts to use useradd fds. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`usermanage_dontaudit_use_useradd_fds',` + gen_require(` + type useradd_t; + ') + + dontaudit $1 useradd_t:fd use; +') + +######################################## +## <summary> +## Execute useradd in the useradd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`usermanage_domtrans_useradd',` + gen_require(` + type useradd_t, useradd_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, useradd_exec_t, useradd_t) + + ifdef(`hide_broken_symptoms',` + dontaudit useradd_t $1:socket_class_set { read write }; + ') +') + +######################################## +## <summary> +## Execute useradd in the useradd domain, and +## allow the specified role the useradd domain. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`usermanage_run_useradd',` + gen_require(` + type useradd_t; + ') + + usermanage_domtrans_useradd($1) + role $2 types useradd_t; + + # Add/remove user home directories + userdom_manage_home_role($2, useradd_t) + + seutil_run_semanage(useradd_t, $2) + + optional_policy(` + nscd_run(useradd_t, $2) + ') +') + +######################################## +## <summary> +## Read the crack database. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`usermanage_read_crack_db',` + gen_require(` + type crack_db_t; + ') + + read_files_pattern($1, crack_db_t, crack_db_t) +') diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te new file mode 100644 index 0000000..b1a841a --- /dev/null +++ b/policy/modules/admin/usermanage.te 
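Review bot: the `<rolecap/>` tag is applied inconsistently in usermanage.if: `usermanage_run_groupadd`, `usermanage_run_admin_passwd` and `usermanage_run_useradd` carry it, but `usermanage_run_chfn` and `usermanage_run_passwd` do not, even though all five take a role argument and do `role $2 types ...;`. Add the tag to the two that lack it so the generated role documentation lists them. One naming nit: `usermanage_domtrans_admin_passwd` pairs `admin_passwd_exec_t` with `sysadm_passwd_t`, so the entrypoint and the domain use different prefixes; a comment would save readers from searching for an admin_passwd_t that does not exist.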
@@ -0,0 +1,540 @@ +policy_module(usermanage, 1.15.1) + +######################################## +# +# Declarations +# + +type admin_passwd_exec_t; +files_type(admin_passwd_exec_t) + +type chfn_t; +type chfn_exec_t; +domain_obj_id_change_exemption(chfn_t) +application_domain(chfn_t, chfn_exec_t) +role system_r types chfn_t; + +type crack_t; +type crack_exec_t; +application_domain(crack_t, crack_exec_t) +role system_r types crack_t; + +type crack_db_t; +files_type(crack_db_t) + +type crack_tmp_t; +files_tmp_file(crack_tmp_t) + +type groupadd_t; +type groupadd_exec_t; +domain_obj_id_change_exemption(groupadd_t) +init_system_domain(groupadd_t, groupadd_exec_t) +role system_r types groupadd_t; + +type passwd_t; +type passwd_exec_t; +domain_obj_id_change_exemption(passwd_t) +application_domain(passwd_t, passwd_exec_t) +role system_r types passwd_t; + +type sysadm_passwd_t; +domain_obj_id_change_exemption(sysadm_passwd_t) +application_domain(sysadm_passwd_t, admin_passwd_exec_t) +role system_r types sysadm_passwd_t; + +type sysadm_passwd_tmp_t; +files_tmp_file(sysadm_passwd_tmp_t) + +type useradd_t; +type useradd_exec_t; +domain_obj_id_change_exemption(useradd_t) +init_system_domain(useradd_t, useradd_exec_t) +role system_r types useradd_t; + +######################################## +# +# Chfn local policy +# + +allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; +allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; +allow chfn_t self:process { setrlimit setfscreate }; +allow chfn_t self:fd use; +allow chfn_t self:fifo_file rw_fifo_file_perms; +allow chfn_t self:sock_file read_sock_file_perms; +allow chfn_t self:shm create_shm_perms; +allow chfn_t self:sem create_sem_perms; +allow chfn_t self:msgq create_msgq_perms; +allow chfn_t self:msg { send receive }; +allow chfn_t self:unix_dgram_socket create_socket_perms; +allow chfn_t self:unix_stream_socket create_stream_socket_perms; 
+allow chfn_t self:unix_dgram_socket sendto; +allow chfn_t self:unix_stream_socket connectto; + +kernel_read_system_state(chfn_t) +kernel_read_kernel_sysctls(chfn_t) + +selinux_get_fs_mount(chfn_t) +selinux_validate_context(chfn_t) +selinux_compute_access_vector(chfn_t) +selinux_compute_create_context(chfn_t) +selinux_compute_relabel_context(chfn_t) +selinux_compute_user_contexts(chfn_t) + +term_use_all_ttys(chfn_t) +term_use_all_ptys(chfn_t) + +fs_getattr_xattr_fs(chfn_t) +fs_search_auto_mountpoints(chfn_t) + +# for SSP +dev_read_urand(chfn_t) + +auth_use_pam(chfn_t) + +# allow checking if a shell is executable +corecmd_check_exec_shell(chfn_t) + +domain_use_interactive_fds(chfn_t) + +files_manage_etc_files(chfn_t) +files_read_etc_runtime_files(chfn_t) +files_dontaudit_search_var(chfn_t) +files_dontaudit_search_home(chfn_t) + +# /usr/bin/passwd asks for w access to utmp, but it will operate +# correctly without it. Do not audit write denials to utmp. +init_dontaudit_rw_utmp(chfn_t) + +miscfiles_read_localization(chfn_t) + +logging_send_syslog_msg(chfn_t) + +# uses unix_chkpwd for checking passwords +seutil_dontaudit_search_config(chfn_t) + +userdom_use_unpriv_users_fds(chfn_t) +# user generally runs this from their home directory, so do not audit a search +# on user home dir +userdom_dontaudit_search_user_home_content(chfn_t) + +######################################## +# +# Crack local policy +# + +allow crack_t self:process { sigkill sigstop signull signal }; +allow crack_t self:fifo_file rw_fifo_file_perms; + +manage_files_pattern(crack_t, crack_db_t, crack_db_t) +manage_lnk_files_pattern(crack_t, crack_db_t, crack_db_t) +files_search_var(crack_t) + +manage_dirs_pattern(crack_t, crack_tmp_t, crack_tmp_t) +manage_files_pattern(crack_t, crack_tmp_t, crack_tmp_t) +files_tmp_filetrans(crack_t, crack_tmp_t, { file dir }) + +kernel_read_system_state(crack_t) + +# for SSP +dev_read_urand(crack_t) + +fs_getattr_xattr_fs(crack_t) + +files_read_etc_files(crack_t) 
+files_read_etc_runtime_files(crack_t) +# for dictionaries +files_read_usr_files(crack_t) + +corecmd_exec_bin(crack_t) + +logging_send_syslog_msg(crack_t) + +userdom_dontaudit_search_user_home_dirs(crack_t) + +ifdef(`distro_debian',` + # the package cracklib-runtime on Debian contains a daily maintenance + # script /etc/cron.daily/cracklib-runtime, that calls + # update-cracklib and that calls crack_mkdict, which is a shell script. + corecmd_exec_shell(crack_t) +') + +optional_policy(` + cron_system_entry(crack_t, crack_exec_t) +') + +######################################## +# +# Groupadd local policy +# + +allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write }; +dontaudit groupadd_t self:capability { fsetid sys_tty_config }; +allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; +allow groupadd_t self:process { setrlimit setfscreate }; +allow groupadd_t self:fd use; +allow groupadd_t self:fifo_file rw_fifo_file_perms; +allow groupadd_t self:shm create_shm_perms; +allow groupadd_t self:sem create_sem_perms; +allow groupadd_t self:msgq create_msgq_perms; +allow groupadd_t self:msg { send receive }; +allow groupadd_t self:unix_dgram_socket create_socket_perms; +allow groupadd_t self:unix_stream_socket create_stream_socket_perms; +allow groupadd_t self:unix_dgram_socket sendto; +allow groupadd_t self:unix_stream_socket connectto; + +fs_getattr_xattr_fs(groupadd_t) +fs_search_auto_mountpoints(groupadd_t) + +# Allow access to context for shadow file +selinux_get_fs_mount(groupadd_t) +selinux_validate_context(groupadd_t) +selinux_compute_access_vector(groupadd_t) +selinux_compute_create_context(groupadd_t) +selinux_compute_relabel_context(groupadd_t) +selinux_compute_user_contexts(groupadd_t) + +term_use_all_ttys(groupadd_t) +term_use_all_ptys(groupadd_t) + +init_use_fds(groupadd_t) +init_read_utmp(groupadd_t) +init_dontaudit_write_utmp(groupadd_t) + 
+domain_use_interactive_fds(groupadd_t) + +files_manage_etc_files(groupadd_t) +files_relabel_etc_files(groupadd_t) +files_read_etc_runtime_files(groupadd_t) +files_read_usr_symlinks(groupadd_t) + +# Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}. +corecmd_exec_bin(groupadd_t) + +logging_send_audit_msgs(groupadd_t) +logging_send_syslog_msg(groupadd_t) + +miscfiles_read_localization(groupadd_t) + +auth_domtrans_chk_passwd(groupadd_t) +auth_rw_lastlog(groupadd_t) +auth_use_nsswitch(groupadd_t) +# these may be unnecessary due to the above +# domtrans_chk_passwd() call. +auth_manage_shadow(groupadd_t) +auth_relabel_shadow(groupadd_t) +auth_etc_filetrans_shadow(groupadd_t) + +seutil_read_config(groupadd_t) + +userdom_use_unpriv_users_fds(groupadd_t) +# for when /root is the cwd +userdom_dontaudit_search_user_home_dirs(groupadd_t) + +optional_policy(` + dpkg_use_fds(groupadd_t) + dpkg_rw_pipes(groupadd_t) +') + +optional_policy(` + nscd_domtrans(groupadd_t) +') + +optional_policy(` + puppet_rw_tmp(groupadd_t) +') + +optional_policy(` + rpm_use_fds(groupadd_t) + rpm_rw_pipes(groupadd_t) +') + +######################################## +# +# Passwd local policy +# + +allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource }; +dontaudit passwd_t self:capability sys_tty_config; +allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow passwd_t self:process { setrlimit setfscreate }; +allow passwd_t self:fd use; +allow passwd_t self:fifo_file rw_fifo_file_perms; +allow passwd_t self:sock_file read_sock_file_perms; +allow passwd_t self:unix_dgram_socket create_socket_perms; +allow passwd_t self:unix_stream_socket create_stream_socket_perms; +allow passwd_t self:unix_dgram_socket sendto; +allow passwd_t self:unix_stream_socket connectto; +allow passwd_t self:shm create_shm_perms; +allow passwd_t self:sem create_sem_perms; +allow passwd_t self:msgq 
create_msgq_perms; +allow passwd_t self:msg { send receive }; + +allow passwd_t crack_db_t:dir list_dir_perms; +read_files_pattern(passwd_t, crack_db_t, crack_db_t) + +kernel_read_kernel_sysctls(passwd_t) + +# for SSP +dev_read_urand(passwd_t) + +fs_getattr_xattr_fs(passwd_t) +fs_search_auto_mountpoints(passwd_t) + +mls_file_write_all_levels(passwd_t) +mls_file_downgrade(passwd_t) + +selinux_get_fs_mount(passwd_t) +selinux_validate_context(passwd_t) +selinux_compute_access_vector(passwd_t) +selinux_compute_create_context(passwd_t) +selinux_compute_relabel_context(passwd_t) +selinux_compute_user_contexts(passwd_t) + +term_use_all_terms(passwd_t) + +auth_manage_shadow(passwd_t) +auth_relabel_shadow(passwd_t) +auth_etc_filetrans_shadow(passwd_t) +auth_use_pam(passwd_t) + +# allow checking if a shell is executable +corecmd_check_exec_shell(passwd_t) +corecmd_exec_bin(passwd_t) + +corenet_tcp_connect_kerberos_password_port(passwd_t) + +domain_use_interactive_fds(passwd_t) + +files_read_etc_runtime_files(passwd_t) +files_manage_etc_files(passwd_t) +files_search_var(passwd_t) +files_dontaudit_search_pids(passwd_t) +files_relabel_etc_files(passwd_t) + +# /usr/bin/passwd asks for w access to utmp, but it will operate +# correctly without it. Do not audit write denials to utmp. 
+init_dontaudit_rw_utmp(passwd_t) +init_use_fds(passwd_t) + +logging_send_audit_msgs(passwd_t) +logging_send_syslog_msg(passwd_t) + +miscfiles_read_localization(passwd_t) + +seutil_dontaudit_search_config(passwd_t) + +userdom_use_user_terminals(passwd_t) +userdom_use_unpriv_users_fds(passwd_t) +# make sure that getcon succeeds +userdom_getattr_all_users(passwd_t) +userdom_read_all_users_state(passwd_t) +userdom_read_user_tmp_files(passwd_t) +# user generally runs this from their home directory, so do not audit a search +# on user home dir +userdom_dontaudit_search_user_home_content(passwd_t) +userdom_stream_connect(passwd_t) + +optional_policy(` + nscd_domtrans(passwd_t) +') + +######################################## +# +# Password admin local policy +# + +allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; +allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow sysadm_passwd_t self:process { setrlimit setfscreate }; +allow sysadm_passwd_t self:fd use; +allow sysadm_passwd_t self:fifo_file rw_fifo_file_perms; +allow sysadm_passwd_t self:sock_file read_sock_file_perms; +allow sysadm_passwd_t self:unix_dgram_socket create_socket_perms; +allow sysadm_passwd_t self:unix_stream_socket create_stream_socket_perms; +allow sysadm_passwd_t self:unix_dgram_socket sendto; +allow sysadm_passwd_t self:unix_stream_socket connectto; +allow sysadm_passwd_t self:shm create_shm_perms; +allow sysadm_passwd_t self:sem create_sem_perms; +allow sysadm_passwd_t self:msgq create_msgq_perms; +allow sysadm_passwd_t self:msg { send receive }; + +# allow vipw to create temporary files under /var/tmp/vi.recover +manage_dirs_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t) +manage_files_pattern(sysadm_passwd_t, sysadm_passwd_tmp_t, sysadm_passwd_tmp_t) +files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir }) +files_search_var(sysadm_passwd_t) 
+files_dontaudit_search_home(sysadm_passwd_t) + +kernel_read_kernel_sysctls(sysadm_passwd_t) +# for /proc/meminfo +kernel_read_system_state(sysadm_passwd_t) + +selinux_get_fs_mount(sysadm_passwd_t) +selinux_validate_context(sysadm_passwd_t) +selinux_compute_access_vector(sysadm_passwd_t) +selinux_compute_create_context(sysadm_passwd_t) +selinux_compute_relabel_context(sysadm_passwd_t) +selinux_compute_user_contexts(sysadm_passwd_t) + +# for SSP +dev_read_urand(sysadm_passwd_t) + +fs_getattr_xattr_fs(sysadm_passwd_t) +fs_search_auto_mountpoints(sysadm_passwd_t) + +term_use_all_ttys(sysadm_passwd_t) +term_use_all_ptys(sysadm_passwd_t) + +auth_manage_shadow(sysadm_passwd_t) +auth_relabel_shadow(sysadm_passwd_t) +auth_etc_filetrans_shadow(sysadm_passwd_t) +auth_use_nsswitch(sysadm_passwd_t) + +# allow vipw to exec the editor +corecmd_exec_bin(sysadm_passwd_t) +corecmd_exec_shell(sysadm_passwd_t) +files_read_usr_files(sysadm_passwd_t) + +domain_use_interactive_fds(sysadm_passwd_t) + +files_manage_etc_files(sysadm_passwd_t) +files_relabel_etc_files(sysadm_passwd_t) +files_read_etc_runtime_files(sysadm_passwd_t) +# for nscd lookups +files_dontaudit_search_pids(sysadm_passwd_t) + +# /usr/bin/passwd asks for w access to utmp, but it will operate +# correctly without it. Do not audit write denials to utmp. 
+init_dontaudit_rw_utmp(sysadm_passwd_t) + +miscfiles_read_localization(sysadm_passwd_t) + +logging_send_syslog_msg(sysadm_passwd_t) + +seutil_dontaudit_search_config(sysadm_passwd_t) + +userdom_use_unpriv_users_fds(sysadm_passwd_t) +# user generally runs this from their home directory, so do not audit a search +# on user home dir +userdom_dontaudit_search_user_home_content(sysadm_passwd_t) + +optional_policy(` + nscd_domtrans(sysadm_passwd_t) +') + +######################################## +# +# Useradd local policy +# + +allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace }; +dontaudit useradd_t self:capability sys_tty_config; +allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow useradd_t self:process setfscreate; +allow useradd_t self:fd use; +allow useradd_t self:fifo_file rw_fifo_file_perms; +allow useradd_t self:shm create_shm_perms; +allow useradd_t self:sem create_sem_perms; +allow useradd_t self:msgq create_msgq_perms; +allow useradd_t self:msg { send receive }; +allow useradd_t self:unix_dgram_socket create_socket_perms; +allow useradd_t self:unix_stream_socket create_stream_socket_perms; +allow useradd_t self:unix_dgram_socket sendto; +allow useradd_t self:unix_stream_socket connectto; + +# for getting the number of groups +kernel_read_kernel_sysctls(useradd_t) + +corecmd_exec_shell(useradd_t) +# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. 
+corecmd_exec_bin(useradd_t) + +domain_use_interactive_fds(useradd_t) +domain_read_all_domains_state(useradd_t) + +files_manage_etc_files(useradd_t) +files_search_var_lib(useradd_t) +files_relabel_etc_files(useradd_t) +files_read_etc_runtime_files(useradd_t) + +fs_search_auto_mountpoints(useradd_t) +fs_getattr_xattr_fs(useradd_t) + +mls_file_upgrade(useradd_t) + +# Allow access to context for shadow file +selinux_get_fs_mount(useradd_t) +selinux_validate_context(useradd_t) +selinux_compute_access_vector(useradd_t) +selinux_compute_create_context(useradd_t) +selinux_compute_relabel_context(useradd_t) +selinux_compute_user_contexts(useradd_t) + +term_use_all_ttys(useradd_t) +term_use_all_ptys(useradd_t) + +auth_domtrans_chk_passwd(useradd_t) +auth_rw_lastlog(useradd_t) +auth_rw_faillog(useradd_t) +auth_use_nsswitch(useradd_t) +# these may be unnecessary due to the above +# domtrans_chk_passwd() call. +auth_manage_shadow(useradd_t) +auth_relabel_shadow(useradd_t) +auth_etc_filetrans_shadow(useradd_t) + +init_use_fds(useradd_t) +init_rw_utmp(useradd_t) + +logging_send_audit_msgs(useradd_t) +logging_send_syslog_msg(useradd_t) + +miscfiles_read_localization(useradd_t) + +seutil_read_config(useradd_t) +seutil_read_file_contexts(useradd_t) +seutil_read_default_contexts(useradd_t) +seutil_domtrans_semanage(useradd_t) +seutil_domtrans_setfiles(useradd_t) + +userdom_use_unpriv_users_fds(useradd_t) +# Add/remove user home directories +userdom_home_filetrans_user_home_dir(useradd_t) +userdom_manage_home_role(system_r, useradd_t) + +mta_manage_spool(useradd_t) + +ifdef(`distro_redhat',` + optional_policy(` + unconfined_domain(useradd_t) + ') +') + +optional_policy(` + apache_manage_all_user_content(useradd_t) +') + +optional_policy(` + dpkg_use_fds(useradd_t) + dpkg_rw_pipes(useradd_t) +') + +optional_policy(` + nscd_domtrans(useradd_t) +') + +optional_policy(` + puppet_rw_tmp(useradd_t) +') + +optional_policy(` + tunable_policy(`samba_domain_controller',` + 
samba_append_log(useradd_t) + ') +') + +optional_policy(` + rpm_use_fds(useradd_t) + rpm_rw_pipes(useradd_t) +') diff --git a/policy/modules/admin/vbetool.fc b/policy/modules/admin/vbetool.fc new file mode 100644 index 0000000..d00970f --- /dev/null +++ b/policy/modules/admin/vbetool.fc @@ -0,0 +1 @@ +/usr/sbin/vbetool -- gen_context(system_u:object_r:vbetool_exec_t,s0) diff --git a/policy/modules/admin/vbetool.if b/policy/modules/admin/vbetool.if new file mode 100644 index 0000000..f46ab17 --- /dev/null +++ b/policy/modules/admin/vbetool.if @@ -0,0 +1,45 @@ +## <summary>run real-mode video BIOS code to alter hardware state</summary> + +######################################## +## <summary> +## Execute vbetool application in the vbetool domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`vbetool_domtrans',` + gen_require(` + type vbetool_t, vbetool_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, vbetool_exec_t, vbetool_t) +') + +######################################## +## <summary> +## Execute vbetool in the vbetool domain, and +## allow the specified role the vbetool domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`vbetool_run',` + gen_require(` + type vbetool_t; + ') + + vbetool_domtrans($1) + role $2 types vbetool_t; +') diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te new file mode 100644 index 0000000..2758c8f --- /dev/null +++ b/policy/modules/admin/vbetool.te 
@@ -0,0 +1,51 @@ +policy_module(vbetool, 1.5.2) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Ignore vbetool mmap_zero errors. +## </p> +## </desc> +gen_tunable(vbetool_mmap_zero_ignore, false) + +type vbetool_t; +type vbetool_exec_t; +init_system_domain(vbetool_t, vbetool_exec_t) + +######################################## +# +# Local policy +# + +allow vbetool_t self:capability { dac_override sys_tty_config sys_admin }; +allow vbetool_t self:process execmem; + +dev_wx_raw_memory(vbetool_t) +dev_read_raw_memory(vbetool_t) +dev_rwx_zero(vbetool_t) +dev_rw_sysfs(vbetool_t) +dev_rw_xserver_misc(vbetool_t) +dev_rw_mtrr(vbetool_t) + +domain_mmap_low(vbetool_t) + +mls_file_read_all_levels(vbetool_t) +mls_file_write_all_levels(vbetool_t) + +term_use_unallocated_ttys(vbetool_t) + +miscfiles_read_localization(vbetool_t) + +tunable_policy(`vbetool_mmap_zero_ignore',` + dontaudit vbetool_t self:memprotect mmap_zero; +') + +optional_policy(` + hal_rw_pid_files(vbetool_t) + hal_write_log(vbetool_t) + hal_dontaudit_append_lib_files(vbetool_t) +') diff --git a/policy/modules/admin/vpn.fc b/policy/modules/admin/vpn.fc new file mode 100644 index 0000000..076dcc3 --- /dev/null +++ b/policy/modules/admin/vpn.fc @@ -0,0 +1,13 @@ +# +# sbin +# +/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) + +# +# /usr +# +/usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0) + +/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) + +/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0) diff --git a/policy/modules/admin/vpn.if b/policy/modules/admin/vpn.if new file mode 100644 index 0000000..64f8cdc --- /dev/null +++ b/policy/modules/admin/vpn.if 
@@ -0,0 +1,139 @@ +## <summary>Virtual Private Networking client</summary> + +######################################## +## <summary> +## Execute VPN clients in the vpnc domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`vpn_domtrans',` + gen_require(` + type vpnc_t, vpnc_exec_t; + ') + + domtrans_pattern($1, vpnc_exec_t, vpnc_t) +') + +######################################## +## <summary> +## Execute VPN clients in the vpnc domain, and +## allow the specified role the vpnc domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`vpn_run',` + gen_require(` + type vpnc_t; + ') + + vpn_domtrans($1) + role $2 types vpnc_t; + sysnet_run_ifconfig(vpnc_t, $2) +') + +######################################## +## <summary> +## Send VPN clients the kill signal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`vpn_kill',` + gen_require(` + type vpnc_t; + ') + + allow $1 vpnc_t:process sigkill; +') + +######################################## +## <summary> +## Send generic signals to VPN clients. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`vpn_signal',` + gen_require(` + type vpnc_t; + ') + + allow $1 vpnc_t:process signal; +') + +######################################## +## <summary> +## Send signull to VPN clients. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`vpn_signull',` + gen_require(` + type vpnc_t; + ') + + allow $1 vpnc_t:process signull; +') + +######################################## +## <summary> +## Send and receive messages from +## Vpnc over dbus. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`vpn_dbus_chat',` + gen_require(` + type vpnc_t; + class dbus send_msg; + ') + + allow $1 vpnc_t:dbus send_msg; + allow vpnc_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Relabelfrom from vpnc socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`vpn_relabelfrom_tun_socket',` + gen_require(` + type vpnc_t; + ') + + allow $1 vpnc_t:tun_socket relabelfrom; +') diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te new file mode 100644 index 0000000..6067b85 --- /dev/null +++ b/policy/modules/admin/vpn.te 
@@ -0,0 +1,122 @@ +policy_module(vpn, 1.13.1) + +######################################## +# +# Declarations +# + +type vpnc_t; +type vpnc_exec_t; +application_domain(vpnc_t, vpnc_exec_t) +role system_r types vpnc_t; + +type vpnc_tmp_t; +files_tmp_file(vpnc_tmp_t) + +type vpnc_var_run_t; +files_pid_file(vpnc_var_run_t) + +######################################## +# +# Local policy +# + +allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw }; +allow vpnc_t self:process { getsched signal }; +allow vpnc_t self:fifo_file rw_fifo_file_perms; +allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; +allow vpnc_t self:tcp_socket create_stream_socket_perms; +allow vpnc_t self:udp_socket create_socket_perms; +allow vpnc_t self:rawip_socket create_socket_perms; +allow vpnc_t self:unix_dgram_socket create_socket_perms; +allow vpnc_t self:unix_stream_socket create_socket_perms; +allow vpnc_t self:tun_socket { create_socket_perms relabelfrom }; +# cjp: this needs to be fixed +allow vpnc_t self:socket create_socket_perms; + +manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t) +manage_files_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t) +files_tmp_filetrans(vpnc_t, vpnc_tmp_t, { file dir }) + +manage_dirs_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t) +manage_files_pattern(vpnc_t, vpnc_var_run_t, vpnc_var_run_t) +files_pid_filetrans(vpnc_t, vpnc_var_run_t, { file dir}) + +kernel_read_system_state(vpnc_t) +kernel_read_network_state(vpnc_t) +kernel_read_all_sysctls(vpnc_t) +kernel_request_load_module(vpnc_t) +kernel_rw_net_sysctls(vpnc_t) + +corenet_all_recvfrom_unlabeled(vpnc_t) +corenet_all_recvfrom_netlabel(vpnc_t) +corenet_tcp_sendrecv_generic_if(vpnc_t) +corenet_udp_sendrecv_generic_if(vpnc_t) +corenet_raw_sendrecv_generic_if(vpnc_t) +corenet_tcp_sendrecv_generic_node(vpnc_t) +corenet_udp_sendrecv_generic_node(vpnc_t) +corenet_raw_sendrecv_generic_node(vpnc_t) +corenet_tcp_sendrecv_all_ports(vpnc_t) +corenet_udp_sendrecv_all_ports(vpnc_t) 
+corenet_udp_bind_generic_node(vpnc_t) +corenet_udp_bind_generic_port(vpnc_t) +corenet_udp_bind_isakmp_port(vpnc_t) +corenet_udp_bind_ipsecnat_port(vpnc_t) +corenet_tcp_connect_all_ports(vpnc_t) +corenet_sendrecv_all_client_packets(vpnc_t) +corenet_sendrecv_isakmp_server_packets(vpnc_t) +corenet_sendrecv_generic_server_packets(vpnc_t) +corenet_rw_tun_tap_dev(vpnc_t) + +dev_read_rand(vpnc_t) +dev_read_urand(vpnc_t) +dev_read_sysfs(vpnc_t) + +domain_use_interactive_fds(vpnc_t) + +fs_getattr_xattr_fs(vpnc_t) +fs_getattr_tmpfs(vpnc_t) + +term_use_all_ptys(vpnc_t) +term_use_all_ttys(vpnc_t) + +corecmd_exec_all_executables(vpnc_t) + +files_exec_etc_files(vpnc_t) +files_read_etc_runtime_files(vpnc_t) +files_read_etc_files(vpnc_t) +files_dontaudit_search_home(vpnc_t) + +auth_use_nsswitch(vpnc_t) + +libs_exec_ld_so(vpnc_t) +libs_exec_lib_files(vpnc_t) + +locallogin_use_fds(vpnc_t) + +logging_send_syslog_msg(vpnc_t) +logging_dontaudit_search_logs(vpnc_t) + +miscfiles_read_localization(vpnc_t) + +seutil_dontaudit_search_config(vpnc_t) +seutil_use_newrole_fds(vpnc_t) + +sysnet_etc_filetrans_config(vpnc_t) +sysnet_manage_config(vpnc_t) + +userdom_use_all_users_fds(vpnc_t) +userdom_read_home_certs(vpnc_t) +userdom_search_admin_dir(vpnc_t) + +optional_policy(` + dbus_system_bus_client(vpnc_t) + + optional_policy(` + networkmanager_dbus_chat(vpnc_t) + ') +') + +optional_policy(` + networkmanager_attach_tun_iface(vpnc_t) +') diff --git a/policy/modules/apps/ada.fc b/policy/modules/apps/ada.fc new file mode 100644 index 0000000..e802ed5 --- /dev/null +++ b/policy/modules/apps/ada.fc @@ -0,0 +1,7 @@ +# +# /usr +# +/usr/bin/gnatbind -- gen_context(system_u:object_r:ada_exec_t,s0) +/usr/bin/gnatls -- gen_context(system_u:object_r:ada_exec_t,s0) +/usr/bin/gnatmake -- gen_context(system_u:object_r:ada_exec_t,s0) +/usr/libexec/gcc(/.*)?/gnat1 -- gen_context(system_u:object_r:ada_exec_t,s0) 
diff --git a/policy/modules/apps/ada.if b/policy/modules/apps/ada.if new file mode 100644 index 0000000..43ba21d --- /dev/null +++ b/policy/modules/apps/ada.if @@ -0,0 +1,45 @@ +## <summary>GNAT Ada95 compiler</summary> + +######################################## +## <summary> +## Execute the ada program in the ada domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ada_domtrans',` + gen_require(` + type ada_t, ada_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, ada_exec_t, ada_t) +') + +######################################## +## <summary> +## Execute ada in the ada domain, and +## allow the specified role the ada domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`ada_run',` + gen_require(` + type ada_t; + ') + + ada_domtrans($1) + role $2 types ada_t; +') diff --git a/policy/modules/apps/ada.te b/policy/modules/apps/ada.te new file mode 100644 index 0000000..39c75fb --- /dev/null +++ b/policy/modules/apps/ada.te @@ -0,0 +1,24 @@ +policy_module(ada, 1.4.0) + +######################################## +# +# Declarations +# + +type ada_t; +type ada_exec_t; +application_domain(ada_t, ada_exec_t) +role system_r types ada_t; + +######################################## +# +# Local policy +# + +allow ada_t self:process { execstack execmem }; + +userdom_use_user_terminals(ada_t) + +optional_policy(` + unconfined_domain(ada_t) +') diff --git a/policy/modules/apps/authbind.fc b/policy/modules/apps/authbind.fc new file mode 100644 index 0000000..48cf11b --- /dev/null +++ b/policy/modules/apps/authbind.fc @@ -0,0 +1,3 @@ +/etc/authbind(/.*)? gen_context(system_u:object_r:authbind_etc_t,s0) + +/usr/lib(64)?/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0) 
diff --git a/policy/modules/apps/authbind.if b/policy/modules/apps/authbind.if new file mode 100644 index 0000000..d28020f --- /dev/null +++ b/policy/modules/apps/authbind.if @@ -0,0 +1,20 @@ +## <summary>Tool for non-root processes to bind to reserved ports</summary> + +######################################## +## <summary> +## Use authbind to bind to a reserved port. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`authbind_domtrans',` + gen_require(` + type authbind_t, authbind_exec_t; + ') + + domtrans_pattern($1, authbind_exec_t, authbind_t) + allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms; +') diff --git a/policy/modules/apps/authbind.te b/policy/modules/apps/authbind.te new file mode 100644 index 0000000..b4285f7 --- /dev/null +++ b/policy/modules/apps/authbind.te @@ -0,0 +1,31 @@ +policy_module(authbind, 1.1.0) + +######################################## +# +# Declarations +# + +type authbind_t; +type authbind_exec_t; +application_domain(authbind_t, authbind_exec_t) +role system_r types authbind_t; + +type authbind_etc_t; +files_config_file(authbind_etc_t) + +######################################## +# +# Local policy +# + +allow authbind_t self:capability net_bind_service; + +allow authbind_t authbind_etc_t:dir list_dir_perms; +exec_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t) +read_lnk_files_pattern(authbind_t, authbind_etc_t, authbind_etc_t) + +files_list_etc(authbind_t) + +term_use_console(authbind_t) + +logging_send_syslog_msg(authbind_t) diff --git a/policy/modules/apps/awstats.fc b/policy/modules/apps/awstats.fc new file mode 100644 index 0000000..5f0fa49 --- /dev/null +++ b/policy/modules/apps/awstats.fc 
@@ -0,0 +1,5 @@ +/usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0) +/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0) +/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0) + +/var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0) diff --git a/policy/modules/apps/awstats.if b/policy/modules/apps/awstats.if new file mode 100644 index 0000000..283ff0d --- /dev/null +++ b/policy/modules/apps/awstats.if @@ -0,0 +1,42 @@ +## <summary> +## AWStats is a free powerful and featureful tool that generates advanced +## web, streaming, ftp or mail server statistics, graphically. +## </summary> + +######################################## +## <summary> +## Read and write awstats unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`awstats_rw_pipes',` + gen_require(` + type awstats_t; + ') + + allow $1 awstats_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## <summary> +## Execute awstats cgi scripts in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`awstats_cgi_exec',` + gen_require(` + type httpd_awstats_script_exec_t, httpd_awstats_content_t; + ') + + allow $1 httpd_awstats_content_t:dir search_dir_perms; + allow $1 httpd_awstats_script_exec_t:dir search_dir_perms; + can_exec($1, httpd_awstats_script_exec_t) +') diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te new file mode 100644 index 0000000..25b6f5a --- /dev/null +++ b/policy/modules/apps/awstats.te 
@@ -0,0 +1,81 @@ +policy_module(awstats, 1.2.1) + +######################################## +# +# Declarations +# + +type awstats_t; +type awstats_exec_t; +domain_type(awstats_t) +domain_entry_file(awstats_t, awstats_exec_t) +role system_r types awstats_t; + +type awstats_tmp_t; +files_tmp_file(awstats_tmp_t) + +type awstats_var_lib_t; +files_type(awstats_var_lib_t) + +apache_content_template(awstats) + +######################################## +# +# awstats policy +# + +awstats_rw_pipes(awstats_t) +awstats_cgi_exec(awstats_t) + +can_exec(awstats_t, awstats_exec_t) + +manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t) +manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t) +files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file }) + +manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t) +files_var_lib_filetrans(awstats_t, awstats_var_lib_t, file) + +# dontaudit access to /proc/meminfo +kernel_dontaudit_read_system_state(awstats_t) + +corecmd_exec_bin(awstats_t) +corecmd_exec_shell(awstats_t) + +dev_read_urand(awstats_t) + +files_read_etc_files(awstats_t) +# e.g. /usr/share/awstats/lang/awstats-en.txt +files_read_usr_files(awstats_t) +files_dontaudit_search_all_mountpoints(awstats_t) + +fs_list_inotifyfs(awstats_t) + +libs_read_lib_files(awstats_t) + +logging_read_generic_logs(awstats_t) + +miscfiles_read_localization(awstats_t) + +sysnet_dns_name_resolve(awstats_t) + +apache_read_log(awstats_t) + +optional_policy(` + cron_system_entry(awstats_t, awstats_exec_t) +') + +optional_policy(` + # dontaudit searching nscd pid directory + nscd_dontaudit_search_pid(awstats_t) +') + +######################################## +# +# awstats cgi script policy +# + +allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms; + +read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) +files_search_var_lib(httpd_awstats_script_t) 
diff --git a/policy/modules/apps/calamaris.fc b/policy/modules/apps/calamaris.fc new file mode 100644 index 0000000..9cbd0a0 --- /dev/null +++ b/policy/modules/apps/calamaris.fc @@ -0,0 +1,10 @@ +# +# /etc +# +/etc/cron\.daily/calamaris -- gen_context(system_u:object_r:calamaris_exec_t,s0) + +# +# /var +# +/var/log/calamaris(/.*)? gen_context(system_u:object_r:calamaris_log_t,s0) +/var/www/calamaris(/.*)? gen_context(system_u:object_r:calamaris_www_t,s0) diff --git a/policy/modules/apps/calamaris.if b/policy/modules/apps/calamaris.if new file mode 100644 index 0000000..df183be --- /dev/null +++ b/policy/modules/apps/calamaris.if @@ -0,0 +1,21 @@ +## <summary>Squid log analysis</summary> + +####################################### +## <summary> +## Allow domain to read calamaris www files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`calamaris_read_www_files',` + gen_require(` + type calamaris_www_t; + ') + + allow $1 calamaris_www_t:dir list_dir_perms; + read_files_pattern($1, calamaris_www_t, calamaris_www_t) + read_lnk_files_pattern($1, calamaris_www_t, calamaris_www_t) +') diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te new file mode 100644 index 0000000..47d81d1 --- /dev/null +++ b/policy/modules/apps/calamaris.te 
@@ -0,0 +1,81 @@ +policy_module(calamaris, 1.6.0) + +######################################## +# +# Declarations +# + +type calamaris_t; +type calamaris_exec_t; +init_system_domain(calamaris_t, calamaris_exec_t) + +type calamaris_www_t; +files_type(calamaris_www_t) + +type calamaris_log_t; +logging_log_file(calamaris_log_t) + +######################################## +# +# Local policy +# + +# for when squid has a different UID +allow calamaris_t self:capability dac_override; +allow calamaris_t self:process { fork signal_perms setsched }; +allow calamaris_t self:fifo_file rw_fifo_file_perms; +allow calamaris_t self:unix_stream_socket create_stream_socket_perms; +allow calamaris_t self:tcp_socket create_stream_socket_perms; +allow calamaris_t self:udp_socket create_socket_perms; + +manage_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t) +manage_lnk_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t) + +manage_files_pattern(calamaris_t, calamaris_log_t, calamaris_log_t) +logging_log_filetrans(calamaris_t, calamaris_log_t, { file dir }) + +kernel_read_all_sysctls(calamaris_t) +kernel_read_system_state(calamaris_t) + +corecmd_exec_bin(calamaris_t) + +corenet_all_recvfrom_unlabeled(calamaris_t) +corenet_all_recvfrom_netlabel(calamaris_t) +corenet_tcp_sendrecv_generic_if(calamaris_t) +corenet_udp_sendrecv_generic_if(calamaris_t) +corenet_tcp_sendrecv_generic_node(calamaris_t) +corenet_udp_sendrecv_generic_node(calamaris_t) +corenet_tcp_sendrecv_all_ports(calamaris_t) +corenet_udp_sendrecv_all_ports(calamaris_t) + +dev_read_urand(calamaris_t) + +files_search_pids(calamaris_t) +files_read_etc_files(calamaris_t) +files_read_usr_files(calamaris_t) +files_read_var_files(calamaris_t) +files_read_etc_runtime_files(calamaris_t) + +libs_read_lib_files(calamaris_t) + +auth_use_nsswitch(calamaris_t) + +logging_send_syslog_msg(calamaris_t) + +miscfiles_read_localization(calamaris_t) + +userdom_dontaudit_list_user_home_dirs(calamaris_t) + 
+squid_read_log(calamaris_t) + +optional_policy(` + apache_search_sys_content(calamaris_t) +') + +optional_policy(` + cron_system_entry(calamaris_t, calamaris_exec_t) +') + +optional_policy(` + mta_send_mail(calamaris_t) +') diff --git a/policy/modules/apps/cdrecord.fc b/policy/modules/apps/cdrecord.fc new file mode 100644 index 0000000..91697cc --- /dev/null +++ b/policy/modules/apps/cdrecord.fc @@ -0,0 +1,6 @@ +# +# /usr +# +/usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0) +/usr/bin/growisofs -- gen_context(system_u:object_r:cdrecord_exec_t,s0) +/usr/bin/wodim -- gen_context(system_u:object_r:cdrecord_exec_t,s0) diff --git a/policy/modules/apps/cdrecord.if b/policy/modules/apps/cdrecord.if new file mode 100644 index 0000000..1582faf --- /dev/null +++ b/policy/modules/apps/cdrecord.if @@ -0,0 +1,33 @@ +## <summary>Policy for cdrecord</summary> + +######################################## +## <summary> +## Role access for cdrecord +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`cdrecord_role',` + gen_require(` + type cdrecord_t, cdrecord_exec_t; + ') + + role $1 types cdrecord_t; + + # Transition from the user domain to the derived domain. + domtrans_pattern($2, cdrecord_exec_t, cdrecord_t) + + allow cdrecord_t $2:unix_stream_socket { getattr read write ioctl }; + + # allow ps to show cdrecord and allow the user to kill it + ps_process_pattern($2, cdrecord_t) + allow $2 cdrecord_t:process signal; +') diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te new file mode 100644 index 0000000..1403835 --- /dev/null +++ b/policy/modules/apps/cdrecord.te 
@@ -0,0 +1,120 @@ +policy_module(cdrecord, 2.3.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow cdrecord to read various content. +## nfs, samba, removable devices, user temp +## and untrusted content files +## </p> +## </desc> +gen_tunable(cdrecord_read_content, false) + +type cdrecord_t; +type cdrecord_exec_t; +typealias cdrecord_t alias { user_cdrecord_t staff_cdrecord_t sysadm_cdrecord_t }; +typealias cdrecord_t alias { auditadm_cdrecord_t secadm_cdrecord_t }; +application_domain(cdrecord_t, cdrecord_exec_t) +ubac_constrained(cdrecord_t) + +######################################## +# +# Local policy +# + +allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio }; +allow cdrecord_t self:process { getcap getsched setsched sigkill }; +allow cdrecord_t self:unix_dgram_socket create_socket_perms; +allow cdrecord_t self:unix_stream_socket create_stream_socket_perms; + +# growisofs uses mkisofs +corecmd_exec_bin(cdrecord_t) + +# allow searching for cdrom-drive +dev_list_all_dev_nodes(cdrecord_t) +dev_read_sysfs(cdrecord_t) + +domain_interactive_fd(cdrecord_t) +domain_use_interactive_fds(cdrecord_t) + +files_read_etc_files(cdrecord_t) + +term_use_controlling_term(cdrecord_t) +term_list_ptys(cdrecord_t) + +# allow cdrecord to write the CD +storage_raw_read_removable_device(cdrecord_t) +storage_raw_write_removable_device(cdrecord_t) +storage_write_scsi_generic(cdrecord_t) + +logging_send_syslog_msg(cdrecord_t) + +miscfiles_read_localization(cdrecord_t) + +# write to the user domain tty. 
+userdom_use_user_terminals(cdrecord_t) +userdom_read_user_home_content_files(cdrecord_t) + +# Handle nfs home dirs +tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',` + fs_list_auto_mountpoints(cdrecord_t) + files_list_home(cdrecord_t) + fs_read_nfs_files(cdrecord_t) + fs_read_nfs_symlinks(cdrecord_t) + +',` + files_dontaudit_list_home(cdrecord_t) + fs_dontaudit_list_auto_mountpoints(cdrecord_t) + fs_dontaudit_read_nfs_files(cdrecord_t) + fs_dontaudit_list_nfs(cdrecord_t) +') +# Handle samba home dirs +tunable_policy(`cdrecord_read_content && use_samba_home_dirs',` + fs_list_auto_mountpoints(cdrecord_t) + files_list_home(cdrecord_t) + fs_read_cifs_files(cdrecord_t) + fs_read_cifs_symlinks(cdrecord_t) +',` + files_dontaudit_list_home(cdrecord_t) + fs_dontaudit_list_auto_mountpoints(cdrecord_t) + fs_dontaudit_read_cifs_files(cdrecord_t) + fs_dontaudit_list_cifs(cdrecord_t) +') + +# Handle removable media, /tmp, and /home +tunable_policy(`cdrecord_read_content',` + userdom_list_user_tmp(cdrecord_t) + userdom_read_user_tmp_files(cdrecord_t) + userdom_read_user_tmp_symlinks(cdrecord_t) + userdom_read_user_home_content_files(cdrecord_t) + userdom_read_user_home_content_symlinks(cdrecord_t) + + ifndef(`enable_mls',` + fs_search_removable(cdrecord_t) + fs_read_removable_files(cdrecord_t) + fs_read_removable_symlinks(cdrecord_t) + ') +',` + files_dontaudit_list_tmp(cdrecord_t) + files_dontaudit_list_home(cdrecord_t) + fs_dontaudit_list_removable(cdrecord_t) + fs_dontaudit_read_removable_files(cdrecord_t) + userdom_dontaudit_list_user_tmp(cdrecord_t) + userdom_dontaudit_read_user_tmp_files(cdrecord_t) + userdom_dontaudit_list_user_home_dirs(cdrecord_t) + userdom_dontaudit_read_user_home_content_files(cdrecord_t) +') + +tunable_policy(`use_nfs_home_dirs',` + files_search_mnt(cdrecord_t) + fs_read_nfs_files(cdrecord_t) + fs_read_nfs_symlinks(cdrecord_t) +') + +optional_policy(` + resmgr_stream_connect(cdrecord_t) +') 
diff --git a/policy/modules/apps/chrome.fc b/policy/modules/apps/chrome.fc new file mode 100644 index 0000000..432fb25 --- /dev/null +++ b/policy/modules/apps/chrome.fc @@ -0,0 +1,3 @@ + /opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) + +/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if new file mode 100644 index 0000000..5ef90cd --- /dev/null +++ b/policy/modules/apps/chrome.if 
@@ -0,0 +1,90 @@ + +## <summary>policy for chrome</summary> + +######################################## +## <summary> +## Execute a domain transition to run chrome_sandbox. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`chrome_domtrans_sandbox',` + gen_require(` + type chrome_sandbox_t, chrome_sandbox_exec_t; + ') + + domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t) + ps_process_pattern(chrome_sandbox_t, $1) +ifdef(`hide_broken_symptoms', ` + dontaudit chrome_sandbox_t $1:socket_class_set { read write }; + fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t) +') +') + + +######################################## +## <summary> +## Execute chrome_sandbox in the chrome_sandbox domain, and +## allow the specified role the chrome_sandbox domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the chrome_sandbox domain. 
+## </summary> +## </param> +# +interface(`chrome_run_sandbox',` + gen_require(` + type chrome_sandbox_t; + ') + + chrome_domtrans_sandbox($1) + role $2 types chrome_sandbox_t; +') + +######################################## +## <summary> +## Role access for chrome sandbox +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`chrome_role',` + gen_require(` + type chrome_sandbox_t; + type chrome_sandbox_tmpfs_t; + ') + + role $1 types chrome_sandbox_t; + + chrome_domtrans_sandbox($2) + + ps_process_pattern($2, chrome_sandbox_t) + allow $2 chrome_sandbox_t:process signal_perms; + + allow chrome_sandbox_t $2:unix_dgram_socket { read write }; + allow $2 chrome_sandbox_t:unix_dgram_socket { read write }; + allow chrome_sandbox_t $2:unix_stream_socket { read write }; + allow $2 chrome_sandbox_t:unix_stream_socket { read write }; + + allow $2 chrome_sandbox_t:shm rw_shm_perms; + + allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms; +') + diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 index 0000000..4e92e87 --- /dev/null +++ b/policy/modules/apps/chrome.te 
@@ -0,0 +1,92 @@ +policy_module(chrome,1.0.0) + +######################################## +# +# Declarations +# + +type chrome_sandbox_t; +type chrome_sandbox_exec_t; +application_domain(chrome_sandbox_t, chrome_sandbox_exec_t) +role system_r types chrome_sandbox_t; + +type chrome_sandbox_tmp_t; +files_tmp_file(chrome_sandbox_tmp_t) + +type chrome_sandbox_tmpfs_t; +files_tmpfs_file(chrome_sandbox_tmpfs_t) +ubac_constrained(chrome_sandbox_tmpfs_t) + +######################################## +# +# chrome_sandbox local policy +# +allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; +allow chrome_sandbox_t self:fifo_file manage_file_perms; +allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms; +allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto }; +allow chrome_sandbox_t self:shm create_shm_perms; + +manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) +manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) +files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file }) + +manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t) +fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file) + +kernel_read_system_state(chrome_sandbox_t) +kernel_read_kernel_sysctls(chrome_sandbox_t) + +fs_manage_cgroup_dirs(chrome_sandbox_t) +fs_manage_cgroup_files(chrome_sandbox_t) + +corecmd_exec_bin(chrome_sandbox_t) + +domain_dontaudit_read_all_domains_state(chrome_sandbox_t) + +dev_read_urand(chrome_sandbox_t) +dev_read_sysfs(chrome_sandbox_t) +dev_rwx_zero(chrome_sandbox_t) + +files_read_etc_files(chrome_sandbox_t) +files_read_usr_files(chrome_sandbox_t) + +fs_dontaudit_getattr_all_fs(chrome_sandbox_t) + +userdom_rw_user_tmpfs_files(chrome_sandbox_t) +userdom_use_user_ptys(chrome_sandbox_t) 
+userdom_write_inherited_user_tmp_files(chrome_sandbox_t) +userdom_read_inherited_user_home_content_files(chrome_sandbox_t) +userdom_dontaudit_use_user_terminals(chrome_sandbox_t) + +miscfiles_read_localization(chrome_sandbox_t) +miscfiles_read_fonts(chrome_sandbox_t) + +sysnet_dontaudit_read_config(chrome_sandbox_t) + +optional_policy(` + execmem_exec(chrome_sandbox_t) +') + +optional_policy(` + gnome_rw_inherited_config(chrome_sandbox_t) + gnome_list_home_config(chrome_sandbox_t) +') + +optional_policy(` + xserver_use_user_fonts(chrome_sandbox_t) + xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_search_nfs(chrome_sandbox_t) + fs_read_inherited_nfs_files(chrome_sandbox_t) + fs_read_nfs_symlinks(chrome_sandbox_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_search_cifs(chrome_sandbox_t) + fs_read_inherited_cifs_files(chrome_sandbox_t) + fs_dontaudit_append_cifs_files(chrome_sandbox_t) +') diff --git a/policy/modules/apps/cpufreqselector.fc b/policy/modules/apps/cpufreqselector.fc new file mode 100644 index 0000000..b187f0f --- /dev/null +++ b/policy/modules/apps/cpufreqselector.fc @@ -0,0 +1 @@ +/usr/bin/cpufreq-selector -- gen_context(system_u:object_r:cpufreqselector_exec_t,s0) diff --git a/policy/modules/apps/cpufreqselector.if b/policy/modules/apps/cpufreqselector.if new file mode 100644 index 0000000..ed94975 --- /dev/null +++ b/policy/modules/apps/cpufreqselector.if @@ -0,0 +1 @@ +## <summary>Command-line CPU frequency settings.</summary> diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te new file mode 100644 index 0000000..899e234 --- /dev/null +++ b/policy/modules/apps/cpufreqselector.te 
@@ -0,0 +1,52 @@ +policy_module(cpufreqselector, 1.1.1) + +######################################## +# +# Declarations +# + +type cpufreqselector_t; +type cpufreqselector_exec_t; +application_domain(cpufreqselector_t, cpufreqselector_exec_t) + +######################################## +# +# cpufreq-selector local policy +# + +allow cpufreqselector_t self:capability { sys_nice sys_ptrace }; +allow cpufreqselector_t self:fifo_file rw_fifo_file_perms; + +files_read_etc_files(cpufreqselector_t) +files_read_usr_files(cpufreqselector_t) + +corecmd_search_bin(cpufreqselector_t) + +dev_rw_sysfs(cpufreqselector_t) + +miscfiles_read_localization(cpufreqselector_t) + +userdom_read_all_users_state(cpufreqselector_t) +userdom_dontaudit_search_admin_dir(cpufreqselector_t) + +optional_policy(` + dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) + + optional_policy(` + consolekit_dbus_chat(cpufreqselector_t) + ') + + optional_policy(` + policykit_dbus_chat(cpufreqselector_t) + ') +') + +optional_policy(` + nscd_dontaudit_search_pid(cpufreqselector_t) +') + +optional_policy(` + policykit_domtrans_auth(cpufreqselector_t) + policykit_read_lib(cpufreqselector_t) + policykit_read_reload(cpufreqselector_t) +') diff --git a/policy/modules/apps/evolution.fc b/policy/modules/apps/evolution.fc new file mode 100644 index 0000000..c011277 --- /dev/null +++ b/policy/modules/apps/evolution.fc 
@@ -0,0 +1,21 @@ +# +# HOME_DIR/ +# + +HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) +HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) + +# +# /tmp +# +/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0) + +# +# /usr +# +/usr/bin/evolution.* -- gen_context(system_u:object_r:evolution_exec_t,s0) + +/usr/libexec/evolution/.*evolution-alarm-notify.* -- gen_context(system_u:object_r:evolution_alarm_exec_t,s0) +/usr/libexec/evolution/.*evolution-exchange-storage.* -- gen_context(system_u:object_r:evolution_exchange_exec_t,s0) +/usr/libexec/evolution-data-server.* -- gen_context(system_u:object_r:evolution_server_exec_t,s0) +/usr/libexec/evolution-webcal.* -- gen_context(system_u:object_r:evolution_webcal_exec_t,s0) diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if new file mode 100644 index 0000000..1cb204c --- /dev/null +++ b/policy/modules/apps/evolution.if 
@@ -0,0 +1,153 @@ +## <summary>Evolution email client</summary> + +######################################## +## <summary> +## Role access for evolution +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`evolution_role',` + gen_require(` + type evolution_t, evolution_exec_t, evolution_home_t; + type evolution_alarm_t, evolution_alarm_exec_t; + type evolution_exchange_t, evolution_exchange_exec_t; + type evolution_exchange_orbit_tmp_t; + type evolution_server_t, evolution_server_exec_t; + type evolution_webcal_t, evolution_webcal_exec_t; + ') + + role $1 types { evolution_t evolution_alarm_t evolution_exchange_t }; + role $1 types { evolution_server_t evolution_webcal_t }; + + domtrans_pattern($2, evolution_exec_t, evolution_t) + domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t) + domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t) + domtrans_pattern($2, evolution_server_exec_t, evolution_server_t) + domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t) + + ps_process_pattern($2, evolution_t) + ps_process_pattern($2, evolution_alarm_t) + ps_process_pattern($2, evolution_exchange_t) + ps_process_pattern($2, evolution_server_t) + ps_process_pattern($2, evolution_webcal_t) + + allow evolution_t $2:dir search; + allow evolution_t $2:file read; + allow evolution_t $2:lnk_file read; + allow evolution_t $2:unix_stream_socket connectto; + + allow $2 evolution_t:unix_stream_socket connectto; + allow $2 evolution_t:process noatsecure; + allow $2 evolution_t:process signal_perms; + + # Access .evolution + allow $2 evolution_home_t:dir manage_dir_perms; + allow $2 evolution_home_t:file manage_file_perms; + allow $2 evolution_home_t:lnk_file manage_lnk_file_perms; + allow $2 evolution_home_t:{ dir file lnk_file } { relabelfrom relabelto }; + + allow evolution_exchange_t 
$2:unix_stream_socket connectto; + + # Clock applet talks to exchange (FIXME: Needs policy) + allow $2 evolution_exchange_t:unix_stream_socket connectto; + allow $2 evolution_exchange_orbit_tmp_t:sock_file write; +') + +######################################## +## <summary> +## Create objects in users evolution home folders. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="file_type"> +## <summary> +## Private file type. +## </summary> +## </param> +## <param name="class"> +## <summary> +## The object class of the object being created. +## </summary> +## </param> +# +interface(`evolution_home_filetrans',` + gen_require(` + type evolution_home_t; + ') + + allow $1 evolution_home_t:dir rw_dir_perms; + type_transition $1 evolution_home_t:$3 $2; +') + +######################################## +## <summary> +## Connect to evolution unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`evolution_stream_connect',` + gen_require(` + type evolution_t, evolution_home_t; + ') + + allow $1 evolution_t:unix_stream_socket connectto; + allow $1 evolution_home_t:dir search; +') + +######################################## +## <summary> +## Send and receive messages from +## evolution over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`evolution_dbus_chat',` + gen_require(` + type evolution_t; + class dbus send_msg; + ') + + allow $1 evolution_t:dbus send_msg; + allow evolution_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Send and receive messages from +## evolution_alarm over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`evolution_alarm_dbus_chat',` + gen_require(` + type evolution_alarm_t; + class dbus send_msg; + ') + + allow $1 evolution_alarm_t:dbus send_msg; + allow evolution_alarm_t $1:dbus send_msg; +') diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te new file mode 100644 index 0000000..e15a20c --- /dev/null +++ b/policy/modules/apps/evolution.te 
@@ -0,0 +1,618 @@ +policy_module(evolution, 2.1.2) + +######################################## +# +# Declarations +# + +type evolution_t; +type evolution_exec_t; +typealias evolution_t alias { user_evolution_t staff_evolution_t sysadm_evolution_t }; +typealias evolution_t alias { auditadm_evolution_t secadm_evolution_t }; +application_domain(evolution_t, evolution_exec_t) +ubac_constrained(evolution_t) + +type evolution_alarm_t; +type evolution_alarm_exec_t; +typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t }; +typealias evolution_alarm_t alias { auditadm_evolution_alarm_t secadm_evolution_alarm_t }; +application_domain(evolution_alarm_t, evolution_alarm_exec_t) +ubac_constrained(evolution_alarm_t) + +type evolution_alarm_tmpfs_t; +typealias evolution_alarm_tmpfs_t alias { user_evolution_alarm_tmpfs_t staff_evolution_alarm_tmpfs_t sysadm_evolution_alarm_tmpfs_t }; +typealias evolution_alarm_tmpfs_t alias { auditadm_evolution_alarm_tmpfs_t secadm_evolution_alarm_tmpfs_t }; +files_tmpfs_file(evolution_alarm_tmpfs_t) +ubac_constrained(evolution_alarm_tmpfs_t) + +type evolution_alarm_orbit_tmp_t; +typealias evolution_alarm_orbit_tmp_t alias { user_evolution_alarm_orbit_tmp_t staff_evolution_alarm_orbit_tmp_t sysadm_evolution_alarm_orbit_tmp_t }; +typealias evolution_alarm_orbit_tmp_t alias { auditadm_evolution_alarm_orbit_tmp_t secadm_evolution_alarm_orbit_tmp_t }; +files_tmp_file(evolution_alarm_orbit_tmp_t) +ubac_constrained(evolution_alarm_orbit_tmp_t) + +type evolution_exchange_t; +type evolution_exchange_exec_t; +typealias evolution_exchange_t alias { user_evolution_exchange_t staff_evolution_exchange_t sysadm_evolution_exchange_t }; +typealias evolution_exchange_t alias { auditadm_evolution_exchange_t secadm_evolution_exchange_t }; +application_domain(evolution_exchange_t, evolution_exchange_exec_t) +ubac_constrained(evolution_exchange_t) + +type evolution_exchange_tmpfs_t; +typealias 
evolution_exchange_tmpfs_t alias { user_evolution_exchange_tmpfs_t staff_evolution_exchange_tmpfs_t sysadm_evolution_exchange_tmpfs_t }; +typealias evolution_exchange_tmpfs_t alias { auditadm_evolution_exchange_tmpfs_t secadm_evolution_exchange_tmpfs_t }; +files_tmpfs_file(evolution_exchange_tmpfs_t) +ubac_constrained(evolution_exchange_tmpfs_t) + +type evolution_exchange_tmp_t; +typealias evolution_exchange_tmp_t alias { user_evolution_exchange_tmp_t staff_evolution_exchange_tmp_t sysadm_evolution_exchange_tmp_t }; +typealias evolution_exchange_tmp_t alias { auditadm_evolution_exchange_tmp_t secadm_evolution_exchange_tmp_t }; +files_tmp_file(evolution_exchange_tmp_t) +ubac_constrained(evolution_exchange_tmp_t) + +type evolution_exchange_orbit_tmp_t; +typealias evolution_exchange_orbit_tmp_t alias { user_evolution_exchange_orbit_tmp_t staff_evolution_exchange_orbit_tmp_t sysadm_evolution_exchange_orbit_tmp_t }; +typealias evolution_exchange_orbit_tmp_t alias { auditadm_evolution_exchange_orbit_tmp_t secadm_evolution_exchange_orbit_tmp_t }; +files_tmp_file(evolution_exchange_orbit_tmp_t) +ubac_constrained(evolution_exchange_orbit_tmp_t) + +type evolution_home_t; +typealias evolution_home_t alias { user_evolution_home_t staff_evolution_home_t sysadm_evolution_home_t }; +typealias evolution_home_t alias { auditadm_evolution_home_t secadm_evolution_home_t }; +userdom_user_home_content(evolution_home_t) + +type evolution_orbit_tmp_t; +typealias evolution_home_t alias { user_evolution_orbit_tmp_t staff_evolution_orbit_tmp_t sysadm_evolution_orbit_tmp_t }; +typealias evolution_home_t alias { auditadm_evolution_orbit_tmp_t secadm_evolution_orbit_tmp_t }; +files_tmp_file(evolution_orbit_tmp_t) +ubac_constrained(evolution_orbit_tmp_t) + +type evolution_server_t; +type evolution_server_exec_t; +typealias evolution_server_t alias { user_evolution_server_t staff_evolution_server_t sysadm_evolution_server_t }; +typealias evolution_server_t alias { auditadm_evolution_server_t 
secadm_evolution_server_t }; +application_domain(evolution_server_t, evolution_server_exec_t) +ubac_constrained(evolution_server_t) + +type evolution_server_orbit_tmp_t; +typealias evolution_server_orbit_tmp_t alias { user_evolution_server_orbit_tmp_t staff_evolution_server_orbit_tmp_t sysadm_evolution_server_orbit_tmp_t }; +typealias evolution_server_orbit_tmp_t alias { auditadm_evolution_server_orbit_tmp_t secadm_evolution_server_orbit_tmp_t }; +files_tmp_file(evolution_server_orbit_tmp_t) +ubac_constrained(evolution_server_orbit_tmp_t) + +type evolution_tmpfs_t; +typealias evolution_tmpfs_t alias { user_evolution_tmpfs_t staff_evolution_tmpfs_t sysadm_evolution_tmpfs_t }; +typealias evolution_tmpfs_t alias { auditadm_evolution_tmpfs_t secadm_evolution_tmpfs_t }; +files_tmpfs_file(evolution_tmpfs_t) +ubac_constrained(evolution_tmpfs_t) + +type evolution_webcal_t; +type evolution_webcal_exec_t; +typealias evolution_webcal_t alias { user_evolution_webcal_t staff_evolution_webcal_t sysadm_evolution_webcal_t }; +typealias evolution_webcal_t alias { auditadm_evolution_webcal_t secadm_evolution_webcal_t }; +application_domain(evolution_webcal_t, evolution_webcal_exec_t) +ubac_constrained(evolution_webcal_t) + +type evolution_webcal_tmpfs_t; +typealias evolution_webcal_tmpfs_t alias { user_evolution_webcal_tmpfs_t staff_evolution_webcal_tmpfs_t sysadm_evolution_webcal_tmpfs_t }; +typealias evolution_webcal_tmpfs_t alias { auditadm_evolution_webcal_tmpfs_t secadm_evolution_webcal_tmpfs_t }; +files_tmpfs_file(evolution_webcal_tmpfs_t) +ubac_constrained(evolution_webcal_tmpfs_t) + +######################################## +# +# Evolution local policy +# + +allow evolution_t self:capability { setuid setgid sys_nice }; +allow evolution_t self:process { signal getsched setsched }; +allow evolution_t self:fifo_file rw_file_perms; +allow evolution_t self:tcp_socket create_socket_perms; +allow evolution_t self:udp_socket create_socket_perms; + +allow evolution_t 
evolution_alarm_t:dir search_dir_perms; +allow evolution_t evolution_alarm_t:file read; + +allow evolution_t evolution_alarm_t:unix_stream_socket connectto; +allow evolution_t evolution_alarm_orbit_tmp_t:sock_file write; + +can_exec(evolution_t, evolution_alarm_exec_t) + +allow evolution_t evolution_exchange_t:unix_stream_socket connectto; +allow evolution_t evolution_exchange_orbit_tmp_t:sock_file write; + +allow evolution_t evolution_home_t:dir manage_dir_perms; +allow evolution_t evolution_home_t:file manage_file_perms; +allow evolution_t evolution_home_t:lnk_file manage_lnk_file_perms; +userdom_search_user_home_dirs(evolution_t) + +allow evolution_t evolution_orbit_tmp_t:dir manage_dir_perms; +allow evolution_t evolution_orbit_tmp_t:file manage_file_perms; +files_tmp_filetrans(evolution_t, evolution_orbit_tmp_t, { dir file }) + +allow evolution_server_t evolution_orbit_tmp_t:dir manage_dir_perms; +allow evolution_server_t evolution_orbit_tmp_t:file manage_file_perms; +files_tmp_filetrans(evolution_server_t, evolution_orbit_tmp_t, { dir file }) + +allow evolution_t evolution_server_t:dir search_dir_perms; +allow evolution_t evolution_server_t:file read; + +allow evolution_t evolution_server_t:unix_stream_socket connectto; +allow evolution_t evolution_server_orbit_tmp_t:sock_file write; + +can_exec(evolution_t, evolution_server_exec_t) + +allow evolution_t evolution_tmpfs_t:dir rw_dir_perms; +allow evolution_t evolution_tmpfs_t:file manage_file_perms; +allow evolution_t evolution_tmpfs_t:lnk_file manage_lnk_file_perms; +allow evolution_t evolution_tmpfs_t:sock_file manage_sock_file_perms; +allow evolution_t evolution_tmpfs_t:fifo_file manage_fifo_file_perms; +fs_tmpfs_filetrans(evolution_t, evolution_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +#FIXME check to see if really needed +kernel_read_kernel_sysctls(evolution_t) +kernel_read_system_state(evolution_t) +# Allow netstat +kernel_read_network_state(evolution_t) +kernel_read_net_sysctls(evolution_t) 
+ +corecmd_exec_shell(evolution_t) +# Run various programs +corecmd_exec_bin(evolution_t) + +corenet_all_recvfrom_unlabeled(evolution_t) +corenet_all_recvfrom_netlabel(evolution_t) +corenet_tcp_sendrecv_generic_if(evolution_t) +corenet_udp_sendrecv_generic_if(evolution_t) +corenet_raw_sendrecv_generic_if(evolution_t) +corenet_tcp_sendrecv_generic_node(evolution_t) +corenet_udp_sendrecv_generic_node(evolution_t) +corenet_tcp_sendrecv_pop_port(evolution_t) +corenet_udp_sendrecv_pop_port(evolution_t) +corenet_tcp_sendrecv_smtp_port(evolution_t) +corenet_udp_sendrecv_smtp_port(evolution_t) +corenet_tcp_sendrecv_innd_port(evolution_t) +corenet_udp_sendrecv_innd_port(evolution_t) +corenet_tcp_sendrecv_ldap_port(evolution_t) +corenet_udp_sendrecv_ldap_port(evolution_t) +corenet_tcp_sendrecv_ipp_port(evolution_t) +corenet_udp_sendrecv_ipp_port(evolution_t) +corenet_tcp_connect_pop_port(evolution_t) +corenet_tcp_connect_smtp_port(evolution_t) +corenet_tcp_connect_innd_port(evolution_t) +corenet_tcp_connect_ldap_port(evolution_t) +corenet_tcp_connect_ipp_port(evolution_t) +corenet_sendrecv_pop_client_packets(evolution_t) +corenet_sendrecv_smtp_client_packets(evolution_t) +corenet_sendrecv_innd_client_packets(evolution_t) +corenet_sendrecv_ldap_client_packets(evolution_t) +corenet_sendrecv_ipp_client_packets(evolution_t) +# not sure about this bind +corenet_udp_bind_generic_node(evolution_t) +corenet_udp_bind_generic_port(evolution_t) + +dev_read_urand(evolution_t) + +domain_dontaudit_read_all_domains_state(evolution_t) + +files_read_etc_files(evolution_t) +files_read_usr_files(evolution_t) +files_read_usr_symlinks(evolution_t) +files_read_var_files(evolution_t) + +fs_search_auto_mountpoints(evolution_t) + +logging_send_syslog_msg(evolution_t) + +miscfiles_read_localization(evolution_t) + +sysnet_read_config(evolution_t) +sysnet_dns_name_resolve(evolution_t) + +udev_read_state(evolution_t) + +userdom_rw_user_tmp_files(evolution_t) +userdom_manage_user_tmp_dirs(evolution_t) 
+userdom_manage_user_tmp_sockets(evolution_t) +userdom_manage_user_tmp_files(evolution_t) +userdom_use_user_terminals(evolution_t) +# FIXME: suppress access to .local/.icons/.themes until properly implemented +# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) +# until properly implemented +userdom_dontaudit_read_user_home_content_files(evolution_t) + +mta_read_config(evolution_t) + +xserver_user_x_domain_template(evolution, evolution_t, evolution_tmpfs_t) +xserver_read_xdm_tmp_files(evolution_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(evolution_t) + fs_manage_nfs_files(evolution_t) + fs_manage_nfs_symlinks(evolution_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(evolution_t) + fs_manage_cifs_files(evolution_t) + fs_manage_cifs_symlinks(evolution_t) +') + +tunable_policy(`mail_read_content && use_nfs_home_dirs',` + fs_list_auto_mountpoints(evolution_t) + files_list_home(evolution_t) + fs_read_nfs_files(evolution_t) + fs_read_nfs_symlinks(evolution_t) + +',` + files_dontaudit_list_home(evolution_t) + fs_dontaudit_list_auto_mountpoints(evolution_t) + fs_dontaudit_read_nfs_files(evolution_t) + fs_dontaudit_list_nfs(evolution_t) +') + +tunable_policy(`mail_read_content && use_samba_home_dirs',` + fs_list_auto_mountpoints(evolution_t) + files_list_home(evolution_t) + fs_read_cifs_files(evolution_t) + fs_read_cifs_symlinks(evolution_t) +',` + files_dontaudit_list_home(evolution_t) + fs_dontaudit_list_auto_mountpoints(evolution_t) + fs_dontaudit_read_cifs_files(evolution_t) + fs_dontaudit_list_cifs(evolution_t) +') + +tunable_policy(`mail_read_content',` + userdom_list_user_tmp(evolution_t) + userdom_read_user_tmp_files(evolution_t) + userdom_read_user_tmp_symlinks(evolution_t) + userdom_read_user_home_content_files(evolution_t) + userdom_read_user_home_content_symlinks(evolution_t) + + ifndef(`enable_mls',` + fs_search_removable(evolution_t) + fs_read_removable_files(evolution_t) + 
fs_read_removable_symlinks(evolution_t) + ') +',` + files_dontaudit_list_tmp(evolution_t) + files_dontaudit_list_home(evolution_t) + fs_dontaudit_list_removable(evolution_t) + fs_dontaudit_read_removable_files(evolution_t) + userdom_dontaudit_list_user_tmp(evolution_t) + userdom_dontaudit_read_user_tmp_files(evolution_t) + userdom_dontaudit_list_user_home_dirs(evolution_t) + userdom_dontaudit_read_user_home_content_files(evolution_t) +') + +optional_policy(` + automount_read_state(evolution_t) +') + +# Allow printing the mail +optional_policy(` + cups_read_rw_config(evolution_t) +') + +optional_policy(` + dbus_system_bus_client(evolution_t) + dbus_session_bus_client(evolution_t) +') + +optional_policy(` + gnome_stream_connect_gconf(evolution_t) +') + +# Encrypt mail +optional_policy(` + gpg_domtrans(evolution_t) + gpg_signal(evolution_t) +') + +optional_policy(` + lpd_domtrans_lpr(evolution_t) +') + +optional_policy(` + mozilla_read_user_home_files(evolution_t) + mozilla_domtrans(evolution_t) +') + +# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing) +optional_policy(` + nis_use_ypbind(evolution_t) +') + +optional_policy(` + nscd_socket_use(evolution_t) +') + +### Junk mail filtering (start spamd) +optional_policy(` + spamassassin_exec_spamd(evolution_t) + spamassassin_domtrans_client(evolution_t) + spamassassin_domtrans_local_client(evolution_t) + # Allow evolution to signal the daemon + # FIXME: Now evolution can read spamd temp files + spamassassin_read_spamd_tmp_files(evolution_t) + spamassassin_signal_spamd(evolution_t) + spamassassin_dontaudit_getattr_spamd_tmp_sockets(evolution_t) +') + +######################################## +# +# Evolution alarm local policy +# + +allow evolution_alarm_t self:process { signal getsched }; +allow evolution_alarm_t self:fifo_file rw_fifo_file_perms; + +allow evolution_alarm_t evolution_t:unix_stream_socket connectto; +allow evolution_alarm_t evolution_orbit_tmp_t:sock_file write; + +allow evolution_alarm_t 
evolution_alarm_tmpfs_t:dir rw_dir_perms; +allow evolution_alarm_t evolution_alarm_tmpfs_t:file manage_file_perms; +allow evolution_alarm_t evolution_alarm_tmpfs_t:lnk_file manage_lnk_file_perms; +allow evolution_alarm_t evolution_alarm_tmpfs_t:sock_file manage_sock_file_perms; +allow evolution_alarm_t evolution_alarm_tmpfs_t:fifo_file manage_fifo_file_perms; +fs_tmpfs_filetrans(evolution_alarm_t, evolution_alarm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +allow evolution_alarm_t evolution_exchange_t:unix_stream_socket connectto; +allow evolution_alarm_t evolution_exchange_orbit_tmp_t:sock_file write; + +# Access evolution home +allow evolution_alarm_t evolution_home_t:dir manage_dir_perms; +allow evolution_alarm_t evolution_home_t:file manage_file_perms; +allow evolution_alarm_t evolution_home_t:lnk_file manage_lnk_file_perms; + +allow evolution_alarm_t evolution_server_t:unix_stream_socket connectto; +allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write; + +dev_read_urand(evolution_alarm_t) + +files_read_etc_files(evolution_alarm_t) +files_read_usr_files(evolution_alarm_t) + +fs_search_auto_mountpoints(evolution_alarm_t) + +miscfiles_read_localization(evolution_alarm_t) + +# Access evolution home +userdom_search_user_home_dirs(evolution_alarm_t) +# FIXME: suppress access to .local/.icons/.themes until properly implemented +# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) +# until properly implemented +userdom_dontaudit_read_user_home_content_files(evolution_alarm_t) + +xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t) + +# Access evolution home +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files(evolution_alarm_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files(evolution_alarm_t) +') + +optional_policy(` + dbus_session_bus_client(evolution_alarm_t) +') + +optional_policy(` + gnome_stream_connect_gconf(evolution_alarm_t) +') + 
+optional_policy(` + nscd_socket_use(evolution_alarm_t) +') + +######################################## +# +# Evolution exchange connector local policy +# + +allow evolution_exchange_t self:process getsched; +allow evolution_exchange_t self:fifo_file rw_fifo_file_perms; + +allow evolution_exchange_t self:tcp_socket create_socket_perms; +allow evolution_exchange_t self:udp_socket create_socket_perms; + +allow evolution_exchange_t evolution_t:unix_stream_socket connectto; +allow evolution_exchange_t evolution_orbit_tmp_t:sock_file write; + +allow evolution_exchange_t evolution_alarm_t:unix_stream_socket connectto; +allow evolution_exchange_t evolution_alarm_orbit_tmp_t:sock_file write; + +# Access evolution home +allow evolution_exchange_t evolution_home_t:dir manage_dir_perms; +allow evolution_exchange_t evolution_home_t:file manage_file_perms; +allow evolution_exchange_t evolution_home_t:lnk_file manage_lnk_file_perms; + +allow evolution_exchange_t evolution_server_t:unix_stream_socket connectto; +allow evolution_exchange_t evolution_server_orbit_tmp_t:sock_file write; + +# /tmp/.exchange-$USER +allow evolution_exchange_t evolution_exchange_tmp_t:dir manage_dir_perms; +allow evolution_exchange_t evolution_exchange_tmp_t:file manage_file_perms; +files_tmp_filetrans(evolution_exchange_t, evolution_exchange_tmp_t, { file dir }) + +allow evolution_exchange_t evolution_exchange_tmpfs_t:dir rw_dir_perms; +allow evolution_exchange_t evolution_exchange_tmpfs_t:file manage_file_perms; +allow evolution_exchange_t evolution_exchange_tmpfs_t:lnk_file manage_lnk_file_perms; +allow evolution_exchange_t evolution_exchange_tmpfs_t:sock_file manage_sock_file_perms; +allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms; +fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +kernel_read_network_state(evolution_exchange_t) +kernel_read_net_sysctls(evolution_exchange_t) + +# Allow netstat 
+corecmd_exec_bin(evolution_exchange_t) + +dev_read_urand(evolution_exchange_t) + +files_read_etc_files(evolution_exchange_t) +files_read_usr_files(evolution_exchange_t) + +# Access evolution home +fs_search_auto_mountpoints(evolution_exchange_t) + +miscfiles_read_localization(evolution_exchange_t) + +userdom_write_user_tmp_sockets(evolution_exchange_t) +# Access evolution home +userdom_search_user_home_dirs(evolution_exchange_t) +# FIXME: suppress access to .local/.icons/.themes until properly implemented +# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) +# until properly implemented +userdom_dontaudit_read_user_home_content_files(evolution_exchange_t) + +xserver_user_x_domain_template(evolution_exchange, evolution_exchange_t, evolution_exchange_tmpfs_t) + +# Access evolution home +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files(evolution_exchange_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files(evolution_exchange_t) +') + +optional_policy(` + gnome_stream_connect_gconf(evolution_exchange_t) +') + +optional_policy(` + nscd_socket_use(evolution_exchange_t) +') + +######################################## +# +# Evolution data server local policy +# + +allow evolution_server_t self:process { getsched signal }; + +allow evolution_server_t self:fifo_file { read write }; +allow evolution_server_t self:unix_stream_socket { accept connectto }; +# Talk to ldap (address book), +# Obtain weather data via http (read server name from xml file in /usr) +allow evolution_server_t self:tcp_socket create_socket_perms; + +allow evolution_server_t evolution_t:unix_stream_socket connectto; +allow evolution_server_t evolution_orbit_tmp_t:sock_file write; + +allow evolution_server_t evolution_exchange_t:unix_stream_socket connectto; +allow evolution_server_t evolution_exchange_orbit_tmp_t:sock_file write; + +# Access evolution home +allow evolution_server_t evolution_home_t:dir manage_dir_perms; +allow evolution_server_t 
evolution_home_t:file manage_file_perms; +allow evolution_server_t evolution_home_t:lnk_file manage_lnk_file_perms; + +allow evolution_server_t evolution_alarm_t:unix_stream_socket connectto; +allow evolution_server_t evolution_alarm_orbit_tmp_t:sock_file write; + +kernel_read_system_state(evolution_server_t) + +corecmd_exec_shell(evolution_server_t) + +# Obtain weather data via http (read server name from xml file in /usr) +corenet_all_recvfrom_unlabeled(evolution_server_t) +corenet_all_recvfrom_netlabel(evolution_server_t) +corenet_tcp_sendrecv_generic_if(evolution_server_t) +corenet_tcp_sendrecv_generic_node(evolution_server_t) +corenet_tcp_sendrecv_http_port(evolution_server_t) +corenet_tcp_sendrecv_http_cache_port(evolution_server_t) +corenet_tcp_connect_http_cache_port(evolution_server_t) +corenet_tcp_connect_http_port(evolution_server_t) +corenet_sendrecv_http_client_packets(evolution_server_t) +corenet_sendrecv_http_cache_client_packets(evolution_server_t) + +dev_read_urand(evolution_server_t) + +files_read_etc_files(evolution_server_t) +# Obtain weather data via http (read server name from xml file in /usr) +files_read_usr_files(evolution_server_t) + +fs_search_auto_mountpoints(evolution_server_t) + +miscfiles_read_localization(evolution_server_t) +# Look in /etc/pki +miscfiles_read_generic_certs(evolution_server_t) + +# Talk to ldap (address book) +sysnet_read_config(evolution_server_t) +sysnet_dns_name_resolve(evolution_server_t) +sysnet_use_ldap(evolution_server_t) + +# Access evolution home +userdom_search_user_home_dirs(evolution_server_t) +# FIXME: suppress access to .local/.icons/.themes until properly implemented +# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) +# until properly implemented +userdom_dontaudit_read_user_home_content_files(evolution_server_t) + +# Access evolution home +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files(evolution_server_t) +') + +tunable_policy(`use_samba_home_dirs',` + 
fs_manage_cifs_files(evolution_server_t) +') + +optional_policy(` + gnome_stream_connect_gconf(evolution_server_t) +') + +optional_policy(` + nscd_socket_use(evolution_server_t) +') + +######################################## +# +# Evolution webcal local policy +# + +allow evolution_webcal_t self:tcp_socket create_socket_perms; + +# X/evolution common stuff +allow evolution_webcal_t evolution_webcal_tmpfs_t:dir rw_dir_perms; +allow evolution_webcal_t evolution_webcal_tmpfs_t:file manage_file_perms; +allow evolution_webcal_t evolution_webcal_tmpfs_t:lnk_file manage_lnk_file_perms; +allow evolution_webcal_t evolution_webcal_tmpfs_t:sock_file manage_sock_file_perms; +allow evolution_webcal_t evolution_webcal_tmpfs_t:fifo_file manage_fifo_file_perms; +fs_tmpfs_filetrans(evolution_webcal_t, evolution_webcal_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +corenet_all_recvfrom_unlabeled(evolution_webcal_t) +corenet_all_recvfrom_netlabel(evolution_webcal_t) +corenet_tcp_sendrecv_generic_if(evolution_webcal_t) +corenet_raw_sendrecv_generic_if(evolution_webcal_t) +corenet_tcp_sendrecv_generic_node(evolution_webcal_t) +corenet_raw_sendrecv_generic_node(evolution_webcal_t) +corenet_tcp_sendrecv_http_port(evolution_webcal_t) +corenet_tcp_sendrecv_http_cache_port(evolution_webcal_t) +corenet_tcp_connect_http_cache_port(evolution_webcal_t) +corenet_tcp_connect_http_port(evolution_webcal_t) +corenet_sendrecv_http_client_packets(evolution_webcal_t) +corenet_sendrecv_http_cache_client_packets(evolution_webcal_t) + +# Networking capability - connect to website and handle ics link +sysnet_read_config(evolution_webcal_t) +sysnet_dns_name_resolve(evolution_webcal_t) + +# Search home directory (?) 
+userdom_search_user_home_dirs(evolution_webcal_t) +# FIXME: suppress access to .local/.icons/.themes until properly implemented +# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) +# until properly implemented +userdom_dontaudit_read_user_home_content_files(evolution_webcal_t) + +xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t) + +optional_policy(` + nscd_socket_use(evolution_webcal_t) +') diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc new file mode 100644 index 0000000..9bd4f45 --- /dev/null +++ b/policy/modules/apps/execmem.fc 
@@ -0,0 +1,48 @@ + +/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/dosbox -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/plasma-desktop -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0) + +ifdef(`distro_gentoo',` +/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +') +/usr/lib(64)?/chromium-browser/chromium-browser gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib64/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/libexec/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib(64)?/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib(64)/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0) + 
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/opt/real/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib/thunderbird-[^/]+/thunderbird-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Application -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if new file mode 100644 index 0000000..06ed3de --- /dev/null +++ b/policy/modules/apps/execmem.if 
@@ -0,0 +1,110 @@ +## <summary>execmem domain</summary> + +######################################## +## <summary> +## Execute the execmem program in the execmem domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`execmem_exec',` + gen_require(` + type execmem_exec_t; + ') + + can_exec($1, execmem_exec_t) +') + +####################################### +## <summary> +## The role template for the execmem module. +## </summary> +## <desc> +## <p> +## This template creates a derived domains which are used +## for execmem applications. +## </p> +## </desc> +## <param name="role_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +## <param name="user_role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the user domain. +## </summary> +## </param> +# +template(`execmem_role_template',` + gen_require(` + type execmem_exec_t; + ') + + type $1_execmem_t; + domain_type($1_execmem_t) + domain_entry_file($1_execmem_t, execmem_exec_t) + role $2 types $1_execmem_t; + + userdom_unpriv_usertype($1, $1_execmem_t) + userdom_manage_tmp_role($2, $1_execmem_t) + userdom_manage_tmpfs_role($2, $1_execmem_t) + + allow $1_execmem_t self:process { execmem execstack }; + allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms }; + domtrans_pattern($3, execmem_exec_t, $1_execmem_t) +ifdef(`hide_broken_symptoms', ` + dontaudit $1_execmem_t $3:socket_class_set { read write }; +') + files_execmod_tmp($1_execmem_t) + + optional_policy(` + chrome_role($2, $1_execmem_t) + ') + + optional_policy(` + mozilla_execmod_user_home_files($1_execmem_t) + ') + + optional_policy(` + nsplugin_rw_shm($1_execmem_t) + nsplugin_rw_semaphores($1_execmem_t) + ') + + optional_policy(` + xserver_role($2, $1_execmem_t) + ') +') + 
+######################################## +## <summary> +## Execute a execmem_exec file +## in the specified domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the new process. +## </summary> +## </param> +# +interface(`execmem_domtrans',` + gen_require(` + type execmem_exec_t; + ') + + domtrans_pattern($1, execmem_exec_t, $2) +') diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te new file mode 100644 index 0000000..a7d37e2 --- /dev/null +++ b/policy/modules/apps/execmem.te @@ -0,0 +1,10 @@ +policy_module(execmem, 1.0.0) + +######################################## +# +# Declarations +# + +type execmem_exec_t alias unconfined_execmem_exec_t; +application_executable_file(execmem_exec_t) + diff --git a/policy/modules/apps/firewallgui.fc b/policy/modules/apps/firewallgui.fc new file mode 100644 index 0000000..ce498b3 --- /dev/null +++ b/policy/modules/apps/firewallgui.fc @@ -0,0 +1,3 @@ + +/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0) + diff --git a/policy/modules/apps/firewallgui.if b/policy/modules/apps/firewallgui.if new file mode 100644 index 0000000..7fe26f3 --- /dev/null +++ b/policy/modules/apps/firewallgui.if 
@@ -0,0 +1,41 @@ + +## <summary>policy for firewallgui</summary> + +######################################## +## <summary> +## Send and receive messages from +## firewallgui over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`firewallgui_dbus_chat',` + gen_require(` + type firewallgui_t; + class dbus send_msg; + ') + + allow $1 firewallgui_t:dbus send_msg; + allow firewallgui_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Read and write firewallgui unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`firewallgui_dontaudit_rw_pipes',` + gen_require(` + type firewallgui_t; + ') + + dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms; +') diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te new file mode 100644 index 0000000..0bbd523 --- /dev/null +++ b/policy/modules/apps/firewallgui.te 
@@ -0,0 +1,66 @@ +policy_module(firewallgui,1.0.0) + +######################################## +# +# Declarations +# + +type firewallgui_t; +type firewallgui_exec_t; +dbus_system_domain(firewallgui_t, firewallgui_exec_t) + +type firewallgui_tmp_t; +files_tmp_file(firewallgui_tmp_t) + +######################################## +# +# firewallgui local policy +# + +allow firewallgui_t self:capability { net_admin sys_rawio } ; +allow firewallgui_t self:fifo_file rw_fifo_file_perms; + +manage_files_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t) +manage_dirs_pattern(firewallgui_t,firewallgui_tmp_t,firewallgui_tmp_t) +files_tmp_filetrans(firewallgui_t,firewallgui_tmp_t, { file dir }) + +kernel_read_system_state(firewallgui_t) +kernel_read_network_state(firewallgui_t) +kernel_rw_net_sysctls(firewallgui_t) +kernel_rw_kernel_sysctl(firewallgui_t) +kernel_rw_vm_sysctls(firewallgui_t) + +corecmd_exec_shell(firewallgui_t) +corecmd_exec_bin(firewallgui_t) +consoletype_exec(firewallgui_t) + +dev_read_urand(firewallgui_t) +dev_read_sysfs(firewallgui_t) + +files_manage_system_conf_files(firewallgui_t) +files_etc_filetrans_system_conf(firewallgui_t) +files_read_etc_files(firewallgui_t) +files_read_usr_files(firewallgui_t) +files_search_kernel_modules(firewallgui_t) +files_list_kernel_modules(firewallgui_t) + +iptables_domtrans(firewallgui_t) +iptables_initrc_domtrans(firewallgui_t) + +modutils_getattr_module_deps(firewallgui_t) + +miscfiles_read_localization(firewallgui_t) + +userdom_dontaudit_search_user_home_dirs(firewallgui_t) + +nscd_dontaudit_search_pid(firewallgui_t) +nscd_socket_use(firewallgui_t) + +optional_policy(` + gnome_read_gconf_home_files(firewallgui_t) +') + +optional_policy(` + policykit_dbus_chat(firewallgui_t) +') + diff --git a/policy/modules/apps/games.fc b/policy/modules/apps/games.fc new file mode 100644 index 0000000..78dc515 --- /dev/null +++ b/policy/modules/apps/games.fc 
@@ -0,0 +1,66 @@ +# +# /usr +# +/usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0) +/usr/games/.* -- gen_context(system_u:object_r:games_exec_t,s0) + +# +# /var +# +/var/lib/games(/.*)? gen_context(system_u:object_r:games_data_t,s0) +/var/games(/.*)? gen_context(system_u:object_r:games_data_t,s0) + +ifndef(`distro_debian',` +/usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/blackjack -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/gataxx -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/glines -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/gnect -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/gnibbles -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/gnobots2 -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/gnome-stones -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/gnomine -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/gnotravex -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/gnotski -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/gtali -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/iagno -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/mahjongg -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/same-gnome -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/sol -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/atlantik -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kasteroids -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/katomic -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kbackgammon -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kbattleship -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kblackbox -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kbounce -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kenolaba -- gen_context(system_u:object_r:games_exec_t,s0) 
+/usr/bin/kfouleggs -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kgoldrunner -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kjumpingcube -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/klickety -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/klines -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kmahjongg -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kmines -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kolf -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/konquest -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kpat -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kpoker -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kreversi -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/ksame -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kshisen -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/ksirtet -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/ksmiletris -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/ksnake -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/ksokoban -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kspaceduel -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/ktron -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/ktuberling -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kwin4 -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/kwin4proc -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/lskat -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/lskatproc -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/Maelstrom -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/civclient.* -- gen_context(system_u:object_r:games_exec_t,s0) +/usr/bin/civserver.* -- gen_context(system_u:object_r:games_exec_t,s0) +')dnl end non-Debian section 
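Review bot: In the games.fc hunk, `/usr/bin/micq` is an ICQ instant-messaging client, not a game; labelling it `games_exec_t` runs a network chat client in the `games_t` domain, so either confirm that is intended or move the entry to a more fitting module. Note also that `/usr/lib/games(/.*)?` has no `--` file-type field, so directories and non-regular files under `/usr/lib/games` are labelled with an executable file type, unlike `/usr/games/.* --` two lines below; add `--` if only the binaries are meant to be entrypoints.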
diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if new file mode 100644 index 0000000..7ac736d --- /dev/null +++ b/policy/modules/apps/games.if @@ -0,0 +1,51 @@ +## <summary>Games</summary> + +############################################################ +## <summary> +## Role access for games +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`games_role',` + gen_require(` + type games_t, games_exec_t; + ') + + role $1 types games_t; + + domtrans_pattern($2, games_exec_t, games_t) + allow $2 games_t:unix_stream_socket connectto; + allow games_t $2:unix_stream_socket connectto; + + # Allow the user domain to signal/ps. + ps_process_pattern($2, games_t) + allow $2 games_t:process signal_perms; +') + +######################################## +## <summary> +## Allow the specified domain to read/write +## games data. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`games_rw_data',` + gen_require(` + type games_data_t; + ') + + rw_files_pattern($1, games_data_t, games_data_t) +') diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te new file mode 100644 index 0000000..ac4f509 --- /dev/null +++ b/policy/modules/apps/games.te 
@@ -0,0 +1,181 @@ +policy_module(games, 2.1.0) + +######################################## +# +# Declarations +# + +type games_t; +type games_exec_t; +typealias games_t alias { user_games_t staff_games_t sysadm_games_t }; +typealias games_t alias { auditadm_games_t secadm_games_t }; +application_domain(games_t, games_exec_t) +ubac_constrained(games_t) + +type games_data_t; +typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t }; +typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t }; +files_type(games_data_t) +ubac_constrained(games_data_t) + +type games_devpts_t; +typealias games_devpts_t alias { user_games_devpts_t staff_games_devpts_t sysadm_games_devpts_t }; +typealias games_devpts_t alias { auditadm_games_devpts_t secadm_games_devpts_t }; +term_pty(games_devpts_t) +ubac_constrained(games_devpts_t) + +# games_srv_t is for system operation of games, generic games daemons and +# games recovery scripts +type games_srv_t; +init_system_domain(games_srv_t, games_exec_t) + +type games_srv_var_run_t; +files_pid_file(games_srv_var_run_t) + +type games_tmp_t; +typealias games_tmp_t alias { user_games_tmp_t staff_games_tmp_t sysadm_games_tmp_t }; +typealias games_tmp_t alias { auditadm_games_tmp_t secadm_games_tmp_t }; +files_tmp_file(games_tmp_t) +ubac_constrained(games_tmp_t) + +type games_tmpfs_t; +typealias games_tmpfs_t alias { user_games_tmpfs_t staff_games_tmpfs_t sysadm_games_tmpfs_t }; +typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t }; +files_tmpfs_file(games_tmpfs_t) +ubac_constrained(games_tmpfs_t) + +######################################## +# +# Server local policy +# + +dontaudit games_srv_t self:capability sys_tty_config; +allow games_srv_t self:process signal_perms; + +manage_files_pattern(games_srv_t, games_data_t, games_data_t) +manage_lnk_files_pattern(games_srv_t, games_data_t, games_data_t) + +manage_files_pattern(games_srv_t, games_srv_var_run_t, games_srv_var_run_t) 
+files_pid_filetrans(games_srv_t, games_srv_var_run_t, file) + +can_exec(games_srv_t, games_exec_t) + +kernel_read_kernel_sysctls(games_srv_t) +kernel_list_proc(games_srv_t) +kernel_read_proc_symlinks(games_srv_t) + +dev_read_sysfs(games_srv_t) + +fs_getattr_all_fs(games_srv_t) +fs_search_auto_mountpoints(games_srv_t) + +term_dontaudit_use_console(games_srv_t) + +domain_use_interactive_fds(games_srv_t) + +init_use_fds(games_srv_t) +init_use_script_ptys(games_srv_t) + +logging_send_syslog_msg(games_srv_t) + +miscfiles_read_localization(games_srv_t) + +userdom_dontaudit_use_unpriv_user_fds(games_srv_t) + +userdom_dontaudit_search_user_home_dirs(games_srv_t) + +optional_policy(` + seutil_sigchld_newrole(games_srv_t) +') + +optional_policy(` + udev_read_db(games_srv_t) +') + +######################################## +# +# Local policy +# + +allow games_t self:sem create_sem_perms; +allow games_t self:tcp_socket create_stream_socket_perms; +allow games_t self:udp_socket create_socket_perms; + +manage_files_pattern(games_t, games_data_t, games_data_t) +manage_lnk_files_pattern(games_t, games_data_t, games_data_t) + +allow games_t games_devpts_t:chr_file { rw_chr_file_perms setattr }; +term_create_pty(games_t, games_devpts_t) + +manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t) +manage_files_pattern(games_t, games_tmp_t, games_tmp_t) +files_tmp_filetrans(games_t, games_tmp_t, { file dir }) + +manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) +manage_lnk_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) +manage_fifo_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) +manage_sock_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t) +fs_tmpfs_filetrans(games_t, games_tmpfs_t, { file lnk_file sock_file fifo_file }) + +can_exec(games_t, games_exec_t) + +kernel_read_system_state(games_t) + +corecmd_exec_bin(games_t) + +corenet_all_recvfrom_unlabeled(games_t) +corenet_all_recvfrom_netlabel(games_t) +corenet_tcp_sendrecv_generic_if(games_t) 
+corenet_udp_sendrecv_generic_if(games_t) +corenet_tcp_sendrecv_generic_node(games_t) +corenet_udp_sendrecv_generic_node(games_t) +corenet_tcp_sendrecv_all_ports(games_t) +corenet_udp_sendrecv_all_ports(games_t) +corenet_tcp_bind_generic_node(games_t) +corenet_tcp_bind_generic_port(games_t) +corenet_tcp_connect_generic_port(games_t) +corenet_sendrecv_generic_client_packets(games_t) +corenet_sendrecv_generic_server_packets(games_t) + +dev_read_sound(games_t) +dev_write_sound(games_t) +dev_read_input(games_t) +dev_read_mouse(games_t) +dev_read_urand(games_t) + +files_list_var(games_t) +files_search_var_lib(games_t) +files_dontaudit_search_var(games_t) +files_read_etc_files(games_t) +files_read_usr_files(games_t) +files_read_var_files(games_t) + +init_dontaudit_rw_utmp(games_t) + +logging_dontaudit_search_logs(games_t) + +miscfiles_read_man_pages(games_t) +miscfiles_read_localization(games_t) + +sysnet_read_config(games_t) + +userdom_manage_user_tmp_dirs(games_t) +userdom_manage_user_tmp_files(games_t) +userdom_manage_user_tmp_symlinks(games_t) +userdom_manage_user_tmp_sockets(games_t) +# Suppress .icons denial until properly implemented +userdom_dontaudit_read_user_home_content_files(games_t) + +tunable_policy(`allow_execmem',` + allow games_t self:process execmem; +') + +optional_policy(` + nscd_socket_use(games_t) +') + +optional_policy(` + xserver_user_x_domain_template(games, games_t, games_tmpfs_t) + xserver_create_xdm_tmp_sockets(games_t) + xserver_read_xdm_lib_files(games_t) +') diff --git a/policy/modules/apps/gift.fc b/policy/modules/apps/gift.fc new file mode 100644 index 0000000..df7ced4 --- /dev/null +++ b/policy/modules/apps/gift.fc 
@@ -0,0 +1,6 @@ +HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:gift_home_t,s0) + +/usr/(local/)?bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0) +/usr/(local/)?bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0) +/usr/(local/)?bin/giftui -- gen_context(system_u:object_r:gift_exec_t,s0) +/usr/(local/)?bin/giFToxic -- gen_context(system_u:object_r:gift_exec_t,s0) diff --git a/policy/modules/apps/gift.if b/policy/modules/apps/gift.if new file mode 100644 index 0000000..c9b90d3 --- /dev/null +++ b/policy/modules/apps/gift.if @@ -0,0 +1,42 @@ +## <summary>giFT peer to peer file sharing tool</summary> + +############################################################ +## <summary> +## Role access for gift +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`gift_role',` + gen_require(` + type gift_t, gift_exec_t; + type giftd_t, giftd_exec_t; + type gift_home_t; + ') + + role $1 types { gift_t giftd_t }; + + # transition from user domain + domtrans_pattern($2, gift_exec_t, gift_t) + domtrans_pattern($2, giftd_exec_t, giftd_t) + + # user managed content + manage_dirs_pattern($2, gift_home_t, gift_home_t) + manage_files_pattern($2, gift_home_t, gift_home_t) + manage_lnk_files_pattern($2, gift_home_t, gift_home_t) + relabel_dirs_pattern($2, gift_home_t, gift_home_t) + relabel_files_pattern($2, gift_home_t, gift_home_t) + relabel_lnk_files_pattern($2, gift_home_t, gift_home_t) + + # Allow the user domain to signal/ps. + ps_process_pattern($2, { gift_t giftd_t }) + allow $2 { gift_t giftd_t }:process signal_perms; +') diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te new file mode 100644 index 0000000..f378681 --- /dev/null +++ b/policy/modules/apps/gift.te 
@@ -0,0 +1,147 @@ +policy_module(gift, 2.1.1) + +######################################## +# +# Declarations +# + +type gift_t; +type gift_exec_t; +typealias gift_t alias { user_gift_t staff_gift_t sysadm_gift_t }; +typealias gift_t alias { auditadm_gift_t secadm_gift_t }; +application_domain(gift_t, gift_exec_t) +ubac_constrained(gift_t) + +type gift_home_t; +typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t }; +typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t }; +userdom_user_home_content(gift_home_t) + +type gift_tmpfs_t; +typealias gift_tmpfs_t alias { user_gift_tmpfs_t staff_gift_tmpfs_t sysadm_gift_tmpfs_t }; +typealias gift_tmpfs_t alias { auditadm_gift_tmpfs_t secadm_gift_tmpfs_t }; +files_tmpfs_file(gift_tmpfs_t) +ubac_constrained(gift_tmpfs_t) + +type giftd_t; +type giftd_exec_t; +typealias giftd_t alias { user_giftd_t staff_giftd_t sysadm_giftd_t }; +typealias giftd_t alias { auditadm_giftd_t secadm_giftd_t }; +application_domain(giftd_t, giftd_exec_t) +ubac_constrained(giftd_t) + +############################## +# +# giFT user interface local policy +# + +allow gift_t self:tcp_socket create_socket_perms; + +manage_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) +manage_lnk_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) +manage_fifo_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) +manage_sock_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t) +fs_tmpfs_filetrans(gift_t, gift_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +manage_dirs_pattern(gift_t, gift_home_t, gift_home_t) +manage_files_pattern(gift_t, gift_home_t, gift_home_t) +manage_lnk_files_pattern(gift_t, gift_home_t, gift_home_t) +userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir) + +# Launch gift daemon +domtrans_pattern(gift_t, giftd_exec_t, giftd_t) + +# Read /proc/meminfo +kernel_read_system_state(gift_t) + +# Connect to gift daemon +corenet_all_recvfrom_unlabeled(gift_t) +corenet_all_recvfrom_netlabel(gift_t) 
+corenet_tcp_sendrecv_generic_if(gift_t) +corenet_tcp_sendrecv_generic_node(gift_t) +corenet_tcp_sendrecv_giftd_port(gift_t) +corenet_tcp_connect_giftd_port(gift_t) +corenet_sendrecv_giftd_client_packets(gift_t) + +fs_search_auto_mountpoints(gift_t) + +sysnet_read_config(gift_t) + +# giftui looks in .icons, .themes. +userdom_dontaudit_read_user_home_content_files(gift_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(gift_t) + fs_manage_nfs_files(gift_t) + fs_manage_nfs_symlinks(gift_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(gift_t) + fs_manage_cifs_files(gift_t) + fs_manage_cifs_symlinks(gift_t) +') + +optional_policy(` + nscd_socket_use(gift_t) +') + +optional_policy(` + xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t) +') + +############################## +# +# giFT server local policy +# + +allow giftd_t self:process { signal setsched }; +allow giftd_t self:unix_stream_socket create_socket_perms; +allow giftd_t self:tcp_socket create_stream_socket_perms; +allow giftd_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(giftd_t, gift_home_t, gift_home_t) +manage_files_pattern(giftd_t, gift_home_t, gift_home_t) +manage_lnk_files_pattern(giftd_t, gift_home_t, gift_home_t) +userdom_user_home_dir_filetrans(giftd_t, gift_home_t, dir) + +kernel_read_system_state(giftd_t) +kernel_read_kernel_sysctls(giftd_t) + +# Serve content on various p2p networks. Ports can be random. 
+corenet_all_recvfrom_unlabeled(giftd_t) +corenet_all_recvfrom_netlabel(giftd_t) +corenet_tcp_sendrecv_generic_if(giftd_t) +corenet_udp_sendrecv_generic_if(giftd_t) +corenet_tcp_sendrecv_generic_node(giftd_t) +corenet_udp_sendrecv_generic_node(giftd_t) +corenet_tcp_sendrecv_all_ports(giftd_t) +corenet_udp_sendrecv_all_ports(giftd_t) +corenet_tcp_bind_generic_node(giftd_t) +corenet_udp_bind_generic_node(giftd_t) +corenet_tcp_bind_all_ports(giftd_t) +corenet_udp_bind_all_ports(giftd_t) +corenet_tcp_connect_all_ports(giftd_t) +corenet_sendrecv_all_client_packets(giftd_t) + +files_read_usr_files(giftd_t) +# Read /etc/mtab +files_read_etc_runtime_files(giftd_t) + +miscfiles_read_localization(giftd_t) + +sysnet_read_config(giftd_t) + +userdom_use_user_terminals(giftd_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(giftd_t) + fs_manage_nfs_files(giftd_t) + fs_manage_nfs_symlinks(giftd_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(giftd_t) + fs_manage_cifs_files(giftd_t) + fs_manage_cifs_symlinks(giftd_t) +') diff --git a/policy/modules/apps/gitosis.fc b/policy/modules/apps/gitosis.fc new file mode 100644 index 0000000..7e90e45 --- /dev/null +++ b/policy/modules/apps/gitosis.fc @@ -0,0 +1,5 @@ +/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0) +/usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0) + +/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) +/var/lib/gitolite(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0) diff --git a/policy/modules/apps/gitosis.if b/policy/modules/apps/gitosis.if new file mode 100644 index 0000000..e898b91 --- /dev/null +++ b/policy/modules/apps/gitosis.if 
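Review bot: in the gift.te hunk, `fs_tmpfs_filetrans(gift_t, gift_tmpfs_t, { dir file lnk_file sock_file fifo_file })` lists `dir`, but the gift_t section only grants `manage_files_pattern`, `manage_lnk_files_pattern`, `manage_fifo_files_pattern` and `manage_sock_files_pattern` on gift_tmpfs_t; there is no `manage_dirs_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)`, so a directory created on tmpfs would transition to gift_tmpfs_t and then be denied. Either add the dirs pattern or drop `dir` from the filetrans. On the daemon side, `corenet_tcp_bind_all_ports(giftd_t)`, `corenet_udp_bind_all_ports(giftd_t)` and `corenet_tcp_connect_all_ports(giftd_t)` under the comment "Ports can be random" cover every port type, including ones reserved for other services; a giftd port type evidently exists already (gift_t uses `corenet_tcp_connect_giftd_port`), so bind it explicitly and limit the random ports to the unreserved range.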
@@ -0,0 +1,86 @@ +## <summary>Tools for managing and hosting git repositories.</summary> + +####################################### +## <summary> +## Execute a domain transition to run gitosis. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`gitosis_domtrans',` + gen_require(` + type gitosis_t, gitosis_exec_t; + ') + + domtrans_pattern($1, gitosis_exec_t, gitosis_t) +') + +####################################### +## <summary> +## Execute gitosis-serve in the gitosis domain, and +## allow the specified role the gitosis domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`gitosis_run',` + gen_require(` + type gitosis_t; + ') + + gitosis_domtrans($1) + role $2 types gitosis_t; +') + +####################################### +## <summary> +## Allow the specified domain to read +## gitosis lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gitosis_read_lib_files',` + gen_require(` + type gitosis_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) + list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) +') + +###################################### +## <summary> +## Allow the specified domain to manage +## gitosis lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gitosis_manage_lib_files',` + gen_require(` + type gitosis_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t) +') 
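Review bot: `gitosis_manage_lib_files` only emits `manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)`, whereas the sibling `gitosis_read_lib_files` in the same hunk covers files, symlinks and directory listing. A caller that has to create or remove a repository (a directory tree with symlinked hooks) cannot do so through this interface; add `manage_dirs_pattern` and `manage_lnk_files_pattern` or rename it so the files-only scope is clear from the name and summary.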
diff --git a/policy/modules/apps/gitosis.te b/policy/modules/apps/gitosis.te new file mode 100644 index 0000000..df1c189 --- /dev/null +++ b/policy/modules/apps/gitosis.te @@ -0,0 +1,41 @@ +policy_module(gitosis, 1.1.1) + +######################################## +# +# Declarations +# + +type gitosis_t; +type gitosis_exec_t; +application_domain(gitosis_t, gitosis_exec_t) +role system_r types gitosis_t; + +type gitosis_var_lib_t; +files_type(gitosis_var_lib_t) + +######################################## +# +# gitosis local policy +# + +allow gitosis_t self:fifo_file rw_fifo_file_perms; + +exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t) +manage_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t) +manage_lnk_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t) +manage_dirs_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t) + +kernel_read_system_state(gitosis_t) + +corecmd_exec_bin(gitosis_t) +corecmd_exec_shell(gitosis_t) + +dev_read_urand(gitosis_t) + +files_read_etc_files(gitosis_t) +files_read_usr_files(gitosis_t) +files_search_var_lib(gitosis_t) + +miscfiles_read_localization(gitosis_t) + +sysnet_read_config(gitosis_t) diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc new file mode 100644 index 0000000..46db5ff --- /dev/null +++ b/policy/modules/apps/gnome.fc 
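Review bot: in gitosis.te, `exec_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)` combined with `manage_files_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)` and `corecmd_exec_shell(gitosis_t)` means the domain can write and then execute its own data under /var/lib/gitosis, so anything that gets a file into that tree (any caller of `gitosis_manage_lib_files`, or a push to the repository) runs as gitosis_t. That is how git hooks work, but it deserves a comment in the policy and, ideally, a separate hook type instead of making the whole var_lib type executable. Also, `role system_r types gitosis_t;` is hardcoded here while `gitosis_run` attaches arbitrary roles; note which system service is expected to invoke gitosis-serve. Since the gitosis.fc hunk also labels gitolite's `gl-auth-command` and `/var/lib/gitolite`, the module summary in gitosis.if should say it covers both tools.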
@@ -0,0 +1,30 @@ +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) +HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0) +/HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) +/HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0) + +/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) +/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0) +/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) +/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) +/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +/root/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0) +/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) + +/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) + +/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) + +# Don't use because toolchain is broken +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) + +/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0) + +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if new file mode 100644 index 0000000..91737d4 --- /dev/null +++ b/policy/modules/apps/gnome.if 
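Review bot: two gnome.fc entries, `/HOME_DIR/\.Xdefaults` and `/HOME_DIR/\.xine(/.*)?`, carry a leading slash before `HOME_DIR`; HOME_DIR already expands to an absolute path, so these produce `//home/...` patterns that never match anything (every other entry in the hunk starts with `HOME_DIR/`). In addition, `HOME_DIR/\.local.*` and `/root/\.local.*` match any name beginning with `.local`, not just the `.local` directory, and `\.local/share(.*)?` would also catch `.local/sharefoo`; `\.local(/.*)?` and `\.local/share(/.*)?` are what is intended. Finally, with `#/usr/libexec/gconfd-2` commented out ("toolchain is broken"), nothing is ever labeled gconfd_exec_t, so the `gnome_role` and `gnome_domtrans_gconfd` transitions in gnome.if are dead until that is resolved; leave a tracking note explaining the breakage.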
@@ -0,0 +1,602 @@ +## <summary>GNU network object model environment (GNOME)</summary> + +############################################################ +## <summary> +## Role access for gnome +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`gnome_role',` + gen_require(` + type gconfd_t, gconfd_exec_t; + type gconf_tmp_t; + ') + + role $1 types gconfd_t; + + domain_auto_trans($2, gconfd_exec_t, gconfd_t) + allow gconfd_t $2:fd use; + allow gconfd_t $2:fifo_file write; + allow gconfd_t $2:unix_stream_socket connectto; + + ps_process_pattern($2, gconfd_t) + + #gnome_stream_connect_gconf_template($1, $2) + read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) + allow $2 gconfd_t:unix_stream_socket connectto; +') + +######################################## +## <summary> +## gconf connection template. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_stream_connect_gconf',` + gen_require(` + type gconfd_t, gconf_tmp_t; + ') + + read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) + allow $1 gconfd_t:unix_stream_socket connectto; +') + +######################################## +## <summary> +## Run gconfd in gconfd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_domtrans_gconfd',` + gen_require(` + type gconfd_t, gconfd_exec_t; + ') + + domtrans_pattern($1, gconfd_exec_t, gconfd_t) +') + +######################################## +## <summary> +## Dontaudit search gnome homedir content (.config) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`gnome_dontaudit_search_config',` + gen_require(` + attribute gnome_home_type; + ') + + dontaudit $1 gnome_home_type:dir search_dir_perms; +') + +######################################## +## <summary> +## manage gnome homedir content (.config) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_manage_config',` + gen_require(` + attribute gnome_home_type; + ') + + allow $1 gnome_home_type:dir manage_dir_perms; + allow $1 gnome_home_type:file manage_file_perms; + allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; + userdom_search_user_home_dirs($1) +') + +######################################## +## <summary> +## Send general signals to all gconf domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_signal_all',` + gen_require(` + attribute gnomedomain; + ') + + allow $1 gnomedomain:process signal; +') + +######################################## +## <summary> +## Create objects in a Gnome cache home directory +## with an automatic type transition to +## a specified private type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="private_type"> +## <summary> +## The type of the object to create. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## The class of the object to be created. +## </summary> +## </param> +# +interface(`gnome_cache_filetrans',` + gen_require(` + type cache_home_t; + ') + + filetrans_pattern($1, cache_home_t, $2, $3) + userdom_search_user_home_dirs($1) +') + +######################################## +## <summary> +## Read generic cache home files (.cache) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`gnome_read_generic_cache_files',` + gen_require(` + type cache_home_t; + ') + + read_files_pattern($1, cache_home_t, cache_home_t) + userdom_search_user_home_dirs($1) +') + +######################################## +## <summary> +## Set attributes of cache home dir (.cache) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_setattr_cache_home_dir',` + gen_require(` + type cache_home_t; + ') + + setattr_dirs_pattern($1, cache_home_t, cache_home_t) + userdom_search_user_home_dirs($1) +') + +######################################## +## <summary> +## append to generic cache home files (.cache) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_append_generic_cache_files',` + gen_require(` + type cache_home_t; + ') + + append_files_pattern($1, cache_home_t, cache_home_t) + userdom_search_user_home_dirs($1) +') + +######################################## +## <summary> +## write to generic cache home files (.cache) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_write_generic_cache_files',` + gen_require(` + type cache_home_t; + ') + + write_files_pattern($1, cache_home_t, cache_home_t) + userdom_search_user_home_dirs($1) +') + +######################################## +## <summary> +## read gnome homedir content (.config) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +template(`gnome_read_config',` + gen_require(` + attribute gnome_home_type; + ') + + list_dirs_pattern($1, gnome_home_type, gnome_home_type) + read_files_pattern($1, gnome_home_type, gnome_home_type) + read_lnk_files_pattern($1, gnome_home_type, gnome_home_type) +') + +######################################## +## <summary> +## Create objects in a Gnome gconf home directory +## with an automatic type transition to +## a specified private type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="private_type"> +## <summary> +## The type of the object to create. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## The class of the object to be created. +## </summary> +## </param> +# +interface(`gnome_data_filetrans',` + gen_require(` + type data_home_t; + ') + + filetrans_pattern($1, data_home_t, $2, $3) + gnome_search_gconf($1) +') + +######################################## +## <summary> +## Create gconf_home_t objects in the /root directory +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## The class of the object to be created. +## </summary> +## </param> +# +interface(`gnome_admin_home_gconf_filetrans',` + gen_require(` + type gconf_home_t; + ') + + userdom_admin_home_dir_filetrans($1, gconf_home_t, $2) +') + +######################################## +## <summary> +## read gconf config files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`gnome_read_gconf_config',` + gen_require(` + type gconf_etc_t; + ') + + allow $1 gconf_etc_t:dir list_dir_perms; + read_files_pattern($1, gconf_etc_t, gconf_etc_t) +') + +####################################### +## <summary> +## Manage gconf config files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_manage_gconf_config',` + gen_require(` + type gconf_etc_t; + ') + + allow $1 gconf_etc_t:dir list_dir_perms; + manage_files_pattern($1, gconf_etc_t, gconf_etc_t) +') + +######################################## +## <summary> +## Execute gconf programs in +## in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_exec_gconf',` + gen_require(` + type gconfd_exec_t; + ') + + can_exec($1, gconfd_exec_t) +') + +######################################## +## <summary> +## Read gconf home files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_read_gconf_home_files',` + gen_require(` + type gconf_home_t; + type data_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 gconf_home_t:dir list_dir_perms; + allow $1 data_home_t:dir list_dir_perms; + read_files_pattern($1, gconf_home_t, gconf_home_t) + read_files_pattern($1, data_home_t, data_home_t) +') + +######################################## +## <summary> +## search gconf homedir (.local) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_search_gconf',` + gen_require(` + type gconf_home_t; + ') + + allow $1 gconf_home_t:dir search_dir_perms; + userdom_search_user_home_dirs($1) +') + +######################################## +## <summary> +## Set attributes of Gnome config dirs. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_setattr_config_dirs',` + gen_require(` + type gnome_home_t; + ') + + setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) + files_search_home($1) +') + +######################################## +## <summary> +## Append gconf home files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_append_gconf_home_files',` + gen_require(` + type gconf_home_t; + ') + + append_files_pattern($1, gconf_home_t, gconf_home_t) +') + +######################################## +## <summary> +## manage gconf home files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_manage_gconf_home_files',` + gen_require(` + type gconf_home_t; + ') + + allow $1 gconf_home_t:dir list_dir_perms; + manage_files_pattern($1, gconf_home_t, gconf_home_t) +') + +######################################## +## <summary> +## Connect to gnome over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the user domain. +## </summary> +## </param> +# +interface(`gnome_stream_connect',` + gen_require(` + attribute gnome_home_type; + ') + + # Connect to pulseaudit server + stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) +') + +######################################## +## <summary> +## list gnome homedir content (.config) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`gnome_list_home_config',` + gen_require(` + type config_home_t; + ') + + allow $1 config_home_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Set attributes of gnome homedir content (.config) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +template(`gnome_setattr_home_config',` + gen_require(` + type config_home_t; + ') + + setattr_dirs_pattern($1, config_home_t, config_home_t) + userdom_search_user_home_dirs($1) +') + +######################################## +## <summary> +## read gnome homedir content (.config) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_read_home_config',` + gen_require(` + type config_home_t; + ') + + read_files_pattern($1, config_home_t, config_home_t) +') + +######################################## +## <summary> +## manage gnome homedir content (.config) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +template(`gnome_manage_home_config',` + gen_require(` + type config_home_t; + ') + + manage_files_pattern($1, config_home_t, config_home_t) +') + +######################################## +## <summary> +## Read/Write all inherited gnome home config +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_rw_inherited_config',` + gen_require(` + attribute gnome_home_type; + ') + + allow $1 gnome_home_type:file rw_inherited_file_perms; +') + +######################################## +## <summary> +## Send and receive messages from +## gconf system service over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`gnome_dbus_chat_gconfdefault',` + gen_require(` + type gconfdefaultsm_t; + class dbus send_msg; + ') + + allow $1 gconfdefaultsm_t:dbus send_msg; + allow gconfdefaultsm_t $1:dbus send_msg; +') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te new file mode 100644 index 0000000..26852d2 --- /dev/null +++ b/policy/modules/apps/gnome.te 
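Review bot: `gnome_role` open-codes `read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)` and `allow $2 gconfd_t:unix_stream_socket connectto;` directly under a commented-out `#gnome_stream_connect_gconf_template($1, $2)`, while this same hunk defines `gnome_stream_connect_gconf` with exactly those rules; call `gnome_stream_connect_gconf($2)` and drop the dead comment. It also uses the legacy `domain_auto_trans` where every other module in this patch uses `domtrans_pattern`. Further in the hunk: `gnome_read_config`, `gnome_setattr_home_config` and `gnome_manage_home_config` are declared with `template(` although they take a single domain and derive nothing, so they should be `interface(`; `gnome_data_filetrans` is documented as acting on the "gconf home directory" but transitions on data_home_t and calls `gnome_search_gconf` rather than granting search on data_home_t; `gnome_signal_all` says "all gconf domains" but targets the `gnomedomain` attribute; and `gnome_stream_connect` has the comment "Connect to pulseaudit server" (pulseaudio) while granting `stream_connect_pattern` to sockets of every `gnome_home_type`, which is much wider than its summary suggests. `gnome_read_home_config` and `gnome_manage_home_config` are also missing the `userdom_search_user_home_dirs($1)` that the cache and gconf counterparts include.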
@@ -0,0 +1,186 @@ +policy_module(gnome, 2.0.1) + +############################## +# +# Declarations +# + +attribute gnomedomain; +attribute gnome_home_type; + +type gconf_etc_t; +files_config_file(gconf_etc_t) + +type data_home_t, gnome_home_type; +userdom_user_home_content(data_home_t) + +type config_home_t, gnome_home_type; +userdom_user_home_content(config_home_t) + +type cache_home_t, gnome_home_type; +userdom_user_home_content(cache_home_t) + +type gstreamer_home_t, gnome_home_type; +userdom_user_home_content(gstreamer_home_t) + +type gconf_home_t, gnome_home_type; +typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; +typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; +typealias gconf_home_t alias unconfined_gconf_home_t; +userdom_user_home_content(gconf_home_t) + +type gconf_tmp_t; +typealias gconf_tmp_t alias { user_gconf_tmp_t staff_gconf_tmp_t sysadm_gconf_tmp_t }; +typealias gconf_tmp_t alias { auditadm_gconf_tmp_t secadm_gconf_tmp_t }; +typealias gconf_tmp_t alias unconfined_gconf_tmp_t; +files_tmp_file(gconf_tmp_t) +ubac_constrained(gconf_tmp_t) + +type gconfd_t, gnomedomain; +type gconfd_exec_t; +typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; +typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; +application_domain(gconfd_t, gconfd_exec_t) +ubac_constrained(gconfd_t) + +type gnome_home_t, gnome_home_type; +typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; +typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; +typealias gnome_home_t alias unconfined_gnome_home_t; +userdom_user_home_content(gnome_home_t) + +type gconfdefaultsm_t; +type gconfdefaultsm_exec_t; +dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t) + +type gnomesystemmm_t; +type gnomesystemmm_exec_t; +dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t) + +############################## +# +# Local Policy +# + 
+allow gconfd_t self:process getsched; +allow gconfd_t self:fifo_file rw_fifo_file_perms; + +manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t) +manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t) +userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir) + +manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) +manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) +userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) + +allow gconfd_t gconf_etc_t:dir list_dir_perms; +read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) + +dev_read_urand(gconfd_t) + +files_read_etc_files(gconfd_t) + +miscfiles_read_localization(gconfd_t) + +logging_send_syslog_msg(gconfd_t) + +userdom_manage_user_tmp_sockets(gconfd_t) +userdom_manage_user_tmp_dirs(gconfd_t) +userdom_tmp_filetrans_user_tmp(gconfd_t, dir) + +optional_policy(` + nscd_dontaudit_search_pid(gconfd_t) +') + +optional_policy(` + xserver_use_xdm_fds(gconfd_t) + xserver_rw_xdm_pipes(gconfd_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(gconfdefaultsm_t) + fs_manage_nfs_files(gconfdefaultsm_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(gconfdefaultsm_t) + fs_manage_cifs_files(gconfdefaultsm_t) +') + +####################################### +# +# gconf-defaults-mechanisms local policy +# + +allow gconfdefaultsm_t self:capability { dac_override sys_nice sys_ptrace }; +allow gconfdefaultsm_t self:process getsched; +allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms; + +corecmd_search_bin(gconfdefaultsm_t) + +files_read_etc_files(gconfdefaultsm_t) +files_read_usr_files(gconfdefaultsm_t) + +miscfiles_read_localization(gconfdefaultsm_t) + +gnome_manage_gconf_home_files(gconfdefaultsm_t) +gnome_manage_gconf_config(gconfdefaultsm_t) + +userdom_read_all_users_state(gconfdefaultsm_t) +userdom_search_user_home_dirs(gconfdefaultsm_t) + +userdom_dontaudit_search_admin_dir(gconfdefaultsm_t) + +optional_policy(` + consolekit_dbus_chat(gconfdefaultsm_t) 
+') + +optional_policy(` + nscd_dontaudit_search_pid(gconfdefaultsm_t) +') + +optional_policy(` + policykit_domtrans_auth(gconfdefaultsm_t) + policykit_dbus_chat(gconfdefaultsm_t) + policykit_read_lib(gconfdefaultsm_t) + policykit_read_reload(gconfdefaultsm_t) +') + +####################################### +# +# gnome-system-monitor-mechanisms local policy +# + +allow gnomesystemmm_t self:capability { sys_nice sys_ptrace }; +allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms; + +corecmd_search_bin(gnomesystemmm_t) + +domain_kill_all_domains(gnomesystemmm_t) +domain_search_all_domains_state(gnomesystemmm_t) +domain_setpriority_all_domains(gnomesystemmm_t) +domain_signal_all_domains(gnomesystemmm_t) +domain_sigstop_all_domains(gnomesystemmm_t) + +files_read_etc_files(gnomesystemmm_t) +files_read_usr_files(gnomesystemmm_t) + +miscfiles_read_localization(gnomesystemmm_t) + +userdom_read_all_users_state(gnomesystemmm_t) +userdom_dontaudit_search_admin_dir(gnomesystemmm_t) + +optional_policy(` + consolekit_dbus_chat(gnomesystemmm_t) +') + +optional_policy(` + nscd_dontaudit_search_pid(gnomesystemmm_t) +') + +optional_policy(` + policykit_dbus_chat(gnomesystemmm_t) + policykit_domtrans_auth(gnomesystemmm_t) + policykit_read_lib(gnomesystemmm_t) + policykit_read_reload(gnomesystemmm_t) +') diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc new file mode 100644 index 0000000..717d163 --- /dev/null +++ b/policy/modules/apps/gpg.fc 
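Review bot: the `use_nfs_home_dirs` and `use_samba_home_dirs` blocks at the end of the gconfd section grant `fs_manage_nfs_dirs/files` and `fs_manage_cifs_dirs/files` to gconfdefaultsm_t, not gconfd_t, yet they sit above the "gconf-defaults-mechanisms local policy" header. Either the subject is a typo (gconfd_t is the domain that manages gconf_home_t and would need NFS/CIFS home access) or the blocks belong in the gconfdefaultsm_t section; please resolve one way or the other. Also, `allow gconfdefaultsm_t self:capability { dac_override sys_nice sys_ptrace };` is a lot for a defaults-setting mechanism; if `sys_ptrace` exists only to back `userdom_read_all_users_state`, say so in a comment or drop it. Style: `gnome_manage_gconf_home_files(gconfdefaultsm_t)` and `gnome_manage_gconf_config(gconfdefaultsm_t)` call the module's own interfaces from its .te; refpolicy convention is to write those rules directly in the module and reserve interfaces for other modules.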
@@ -0,0 +1,10 @@ +HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) +/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) + +/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) +/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) +/usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) +/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0) + +/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) +/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if new file mode 100644 index 0000000..13d939a --- /dev/null +++ b/policy/modules/apps/gpg.if 
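Review bot: in gpg.fc, `/usr/lib(64)?/gnupg/.* -- gpg_exec_t` and `/usr/lib(64)?/gnupg/gpgkeys.* -- gpg_helper_exec_t` overlap; the more specific gpgkeys entry wins for those helpers, but the catch-all makes every other binary in the gnupg libdir an entrypoint into the full gpg_t domain. Narrow it to the programs that actually need gpg_t, or document why a blanket label is intended. Naming: `/usr/bin/pinentry.* -- pinentry_exec_t` pairs with the domain declared as `gpg_pinentry_t` in gpg.te; the executable type should be `gpg_pinentry_exec_t` for consistency with gpg_agent_exec_t and gpg_helper_exec_t.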
@@ -0,0 +1,202 @@ +## <summary>Policy for GNU Privacy Guard and related programs.</summary> + +############################################################ +## <summary> +## Role access for gpg +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`gpg_role',` + gen_require(` + type gpg_t, gpg_exec_t; + type gpg_agent_t, gpg_agent_exec_t; + type gpg_agent_tmp_t; + type gpg_helper_t, gpg_pinentry_t; + type gpg_pinentry_tmp_t; + ') + + role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }; + + # transition from the userdomain to the derived domain + domtrans_pattern($2, gpg_exec_t, gpg_t) + + # allow ps to show gpg + ps_process_pattern($2, gpg_t) + allow $2 gpg_t:process { signull sigstop signal sigkill }; + + # communicate with the user + allow gpg_helper_t $2:fd use; + allow gpg_helper_t $2:fifo_file write; + + # allow ps to show gpg-agent + ps_process_pattern($2, gpg_agent_t) + + # Allow the user shell to signal the gpg-agent program. + allow $2 gpg_agent_t:process { signal sigkill }; + + manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) + manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) + manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) + files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) + + # Transition from the user domain to the agent domain. 
+ domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) + + manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) + relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) + + allow gpg_pinentry_t $2:fifo_file { read write }; + + optional_policy(` + gpg_pinentry_dbus_chat($2) + ') + + ifdef(`hide_broken_symptoms',` + #Leaked File Descriptors + dontaudit gpg_t $2:socket_class_set { getattr read write }; + dontaudit gpg_t $2:fifo_file rw_fifo_file_perms; + dontaudit gpg_agent_t $2:socket_class_set { getattr read write }; + dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms; + ') +') + +######################################## +## <summary> +## Transition to a user gpg domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`gpg_domtrans',` + gen_require(` + type gpg_t, gpg_exec_t; + ') + + domtrans_pattern($1, gpg_exec_t, gpg_t) +') + +###################################### +## <summary> +## Transition to a gpg web domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gpg_domtrans_web',` + gen_require(` + type gpg_web_t, gpg_exec_t; + ') + + domtrans_pattern($1, gpg_exec_t, gpg_web_t) +') + +###################################### +## <summary> +## Make gpg an entrypoint for +## the specified domain. +## </summary> +## <param name="domain"> +## <summary> +## The domain for which cifs_t is an entrypoint. +## </summary> +## </param> +# +interface(`gpg_entry_type',` + gen_require(` + type gpg_exec_t; + ') + + domain_entry_file($1, gpg_exec_t) +') + +######################################## +## <summary> +## Send generic signals to user gpg processes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`gpg_signal',` + gen_require(` + type gpg_t; + ') + + allow $1 gpg_t:process signal; +') + +######################################## +## <summary> +## Read and write GPG agent pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gpg_rw_agent_pipes',` + # Just wants read/write could this be a leak? + gen_require(` + type gpg_agent_t; + ') + + allow $1 gpg_agent_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## <summary> +## Send messages to and from GPG +## Pinentry over DBUS. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gpg_pinentry_dbus_chat',` + gen_require(` + type gpg_pinentry_t; + class dbus send_msg; + ') + + allow $1 gpg_pinentry_t:dbus send_msg; + allow gpg_pinentry_t $1:dbus send_msg; +') + +######################################## +## <summary> +## List Gnu Privacy Guard user secrets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gpg_list_user_secrets',` + gen_require(` + type gpg_secret_t; + ') + + list_dirs_pattern($1, gpg_secret_t, gpg_secret_t) + userdom_search_user_home_dirs($1) +') diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te new file mode 100644 index 0000000..e9a7937 --- /dev/null +++ b/policy/modules/apps/gpg.te 
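Review bot: in gpg_role, `files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })` names gpg_agent_t as the subject instead of the role's user domain `$2`, so the rule ignores the interface parameters entirely and merely duplicates the identical line in the agent section of gpg.te; either change it to `files_tmp_filetrans($2, gpg_agent_tmp_t, { file sock_file dir })` to match the surrounding manage_*_pattern($2, ...) lines, or drop it from the interface. Two smaller points in the same hunk: the gpg_entry_type parameter summary reads "The domain for which cifs_t is an entrypoint", a copy-paste leftover that should say gpg_exec_t; and gpg_rw_agent_pipes ships with the author's own open question ("Just wants read/write could this be a leak?"), which should be resolved before merging, since callers of this interface would otherwise mask a genuine descriptor leak rather than fix it, or else the interface should be documented as a hide_broken_symptoms style workaround like the dontaudit block in gpg_role.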
@@ -0,0 +1,414 @@ +policy_module(gpg, 2.3.1) + +######################################## +# +# Declarations +# +attribute gpgdomain; + +## <desc> +## <p> +## Allow usage of the gpg-agent --write-env-file option. +## This also allows gpg-agent to manage user files. +## </p> +## </desc> +gen_tunable(gpg_agent_env_file, false) + +## <desc> +## <p> +## Allow gpg web domain to modify public files +## used for public file transfer services. +## </p> +## </desc> +gen_tunable(gpg_web_anon_write, false) + +type gpg_t, gpgdomain; +type gpg_exec_t; +typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t }; +typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t }; +application_domain(gpg_t, gpg_exec_t) +ubac_constrained(gpg_t) +role system_r types gpg_t; + +type gpg_agent_t; +type gpg_agent_exec_t; +typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t }; +typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t }; +application_domain(gpg_agent_t, gpg_agent_exec_t) +ubac_constrained(gpg_agent_t) + +type gpg_agent_tmp_t; +typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t }; +typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t }; +files_tmp_file(gpg_agent_tmp_t) +ubac_constrained(gpg_agent_tmp_t) + +type gpg_secret_t; +typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t }; +typealias gpg_secret_t alias { auditadm_gpg_secret_t secadm_gpg_secret_t }; +userdom_user_home_content(gpg_secret_t) + +type gpg_helper_t; +type gpg_helper_exec_t; +typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t }; +typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t }; +application_domain(gpg_helper_t, gpg_helper_exec_t) +ubac_constrained(gpg_helper_t) +role system_r types gpg_helper_t; + +type gpg_pinentry_t; +type pinentry_exec_t; +typealias gpg_pinentry_t alias { user_gpg_pinentry_t 
staff_gpg_pinentry_t sysadm_gpg_pinentry_t }; +typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t }; +application_domain(gpg_pinentry_t, pinentry_exec_t) +ubac_constrained(gpg_pinentry_t) + +type gpg_pinentry_tmp_t; +files_tmp_file(gpg_pinentry_tmp_t) +ubac_constrained(gpg_pinentry_tmp_t) + +type gpg_pinentry_tmpfs_t; +files_tmpfs_file(gpg_pinentry_tmpfs_t) +ubac_constrained(gpg_pinentry_tmpfs_t) + +type gpg_web_t; +domain_type(gpg_web_t) +gpg_entry_type(gpg_web_t) +role system_r types gpg_web_t; + +######################################## +# +# GPG local policy +# + +allow gpgdomain self:capability { ipc_lock setuid }; +allow gpgdomain self:process { getsched setsched }; +#at setrlimit is for ulimit -c 0 +allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid }; + +allow gpgdomain self:fifo_file rw_fifo_file_perms; +allow gpgdomain self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) + +domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) + +# transition from the gpg domain to the helper domain +domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) + +allow gpg_t gpg_secret_t:dir create_dir_perms; +manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) +manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) +userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir) + +kernel_read_sysctl(gpg_t) + +corecmd_exec_shell(gpg_t) +corecmd_exec_bin(gpg_t) + +corenet_all_recvfrom_unlabeled(gpg_t) +corenet_all_recvfrom_netlabel(gpg_t) +corenet_tcp_sendrecv_generic_if(gpg_t) +corenet_udp_sendrecv_generic_if(gpg_t) +corenet_tcp_sendrecv_generic_node(gpg_t) +corenet_udp_sendrecv_generic_node(gpg_t) +corenet_tcp_sendrecv_all_ports(gpg_t) +corenet_udp_sendrecv_all_ports(gpg_t) +corenet_tcp_connect_all_ports(gpg_t) 
+corenet_sendrecv_all_client_packets(gpg_t) + +dev_read_rand(gpg_t) +dev_read_urand(gpg_t) +dev_read_generic_usb_dev(gpg_t) + +fs_getattr_xattr_fs(gpg_t) +fs_list_inotifyfs(gpg_t) + +domain_use_interactive_fds(gpg_t) + +files_read_etc_files(gpg_t) +files_read_usr_files(gpg_t) +files_dontaudit_search_var(gpg_t) + +auth_use_nsswitch(gpg_t) + +logging_send_syslog_msg(gpg_t) + +miscfiles_read_localization(gpg_t) + +userdom_use_user_terminals(gpg_t) +# sign/encrypt user files +userdom_manage_user_tmp_files(gpg_t) +userdom_manage_user_home_content_files(gpg_t) +userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) +userdom_stream_connect(gpg_t) + +mta_write_config(gpg_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(gpg_t) + fs_manage_nfs_files(gpg_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(gpg_t) + fs_manage_cifs_files(gpg_t) +') + +optional_policy(` + gnome_read_config(gpg_t) +') + +optional_policy(` + mozilla_read_user_home_files(gpg_t) + mozilla_write_user_home_files(gpg_t) +') + +optional_policy(` + xserver_use_xdm_fds(gpg_t) + xserver_rw_xdm_pipes(gpg_t) +') + +#optional_policy(` +# cron_system_entry(gpg_t, gpg_exec_t) +# cron_read_system_job_tmp_files(gpg_t) +#') + +######################################## +# +# GPG helper local policy +# + +allow gpg_helper_t self:process { getsched setsched }; + +# for helper programs (which automatically fetch keys) +# Note: this is only tested with the hkp interface. If you use eg the +# mail interface you will likely need additional permissions. 
+ +allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms; +allow gpg_helper_t self:tcp_socket { connect connected_socket_perms }; +allow gpg_helper_t self:udp_socket { connect connected_socket_perms }; + +dontaudit gpg_helper_t gpg_secret_t:file read; + +corenet_all_recvfrom_unlabeled(gpg_helper_t) +corenet_all_recvfrom_netlabel(gpg_helper_t) +corenet_tcp_sendrecv_generic_if(gpg_helper_t) +corenet_raw_sendrecv_generic_if(gpg_helper_t) +corenet_udp_sendrecv_generic_if(gpg_helper_t) +corenet_tcp_sendrecv_generic_node(gpg_helper_t) +corenet_udp_sendrecv_generic_node(gpg_helper_t) +corenet_raw_sendrecv_generic_node(gpg_helper_t) +corenet_tcp_sendrecv_all_ports(gpg_helper_t) +corenet_udp_sendrecv_all_ports(gpg_helper_t) +corenet_tcp_bind_generic_node(gpg_helper_t) +corenet_udp_bind_generic_node(gpg_helper_t) +corenet_tcp_connect_all_ports(gpg_helper_t) + +files_read_etc_files(gpg_helper_t) + +auth_use_nsswitch(gpg_helper_t) + +userdom_use_user_terminals(gpg_helper_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files(gpg_helper_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_rw_cifs_files(gpg_helper_t) +') + +######################################## +# +# GPG agent local policy +# +domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) + +# rlimit: gpg-agent wants to prevent coredumps +allow gpg_agent_t self:process setrlimit; + +allow gpg_agent_t self:unix_stream_socket create_stream_socket_perms ; +allow gpg_agent_t self:fifo_file rw_fifo_file_perms; + +# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) +manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) +manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) +manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) + +# Allow the gpg-agent to manage its tmp files (socket) +manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) 
+manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) + +# allow gpg to connect to the gpg agent +stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) + +corecmd_read_bin_symlinks(gpg_agent_t) +corecmd_search_bin(gpg_agent_t) +corecmd_exec_shell(gpg_agent_t) + +dev_read_urand(gpg_agent_t) + +domain_use_interactive_fds(gpg_agent_t) + +fs_dontaudit_list_inotifyfs(gpg_agent_t) + +miscfiles_read_localization(gpg_agent_t) + +# Write to the user domain tty. +userdom_use_user_terminals(gpg_agent_t) +# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) +userdom_search_user_home_dirs(gpg_agent_t) + +ifdef(`hide_broken_symptoms',` + userdom_dontaudit_read_user_tmp_files(gpg_agent_t) + userdom_dontaudit_write_user_tmp_files(gpg_agent_t) +') + +tunable_policy(`gpg_agent_env_file',` + # write ~/.gpg-agent-info or a similar to the users home dir + # or subdir (gpg-agent --write-env-file option) + # + userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file) + userdom_manage_user_home_content_dirs(gpg_agent_t) + userdom_manage_user_home_content_files(gpg_agent_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(gpg_agent_t) + fs_manage_nfs_files(gpg_agent_t) + fs_manage_nfs_symlinks(gpg_agent_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(gpg_agent_t) + fs_manage_cifs_files(gpg_agent_t) + fs_manage_cifs_symlinks(gpg_agent_t) +') + +optional_policy(` + mozilla_dontaudit_rw_user_home_files(gpg_agent_t) +') + +############################## +# +# Pinentry local policy +# + +allow gpg_pinentry_t self:process { getcap getsched setsched signal }; +allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; +allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms; +allow gpg_pinentry_t self:shm create_shm_perms; +allow gpg_pinentry_t self:tcp_socket 
create_stream_socket_perms; +allow gpg_pinentry_t self:unix_dgram_socket sendto; +allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; + +can_exec(gpg_pinentry_t, pinentry_exec_t) + +# we need to allow gpg-agent to call pinentry so it can get the passphrase +# from the user. +domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) + +manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) +userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) + +manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) +manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) +fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) + +# read /proc/meminfo +kernel_read_system_state(gpg_pinentry_t) + +corecmd_exec_bin(gpg_pinentry_t) + +corenet_all_recvfrom_netlabel(gpg_pinentry_t) +corenet_all_recvfrom_unlabeled(gpg_pinentry_t) +corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t) +corenet_tcp_bind_generic_node(gpg_pinentry_t) +corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t) +corenet_tcp_sendrecv_generic_if(gpg_pinentry_t) +corenet_tcp_sendrecv_generic_node(gpg_pinentry_t) +corenet_tcp_sendrecv_generic_port(gpg_pinentry_t) + +dev_read_urand(gpg_pinentry_t) +dev_read_rand(gpg_pinentry_t) + +files_read_usr_files(gpg_pinentry_t) +# read /etc/X11/qtrc +files_read_etc_files(gpg_pinentry_t) + +fs_dontaudit_list_inotifyfs(gpg_pinentry_t) +fs_getattr_tmpfs(gpg_pinentry_t) + +auth_use_nsswitch(gpg_pinentry_t) + +logging_send_syslog_msg(gpg_pinentry_t) + +miscfiles_read_fonts(gpg_pinentry_t) +miscfiles_read_localization(gpg_pinentry_t) + +# for .Xauthority +userdom_read_user_home_content_files(gpg_pinentry_t) +userdom_read_user_tmpfs_files(gpg_pinentry_t) +# Bug: user pulseaudio files need open,read and unlink: +allow gpg_pinentry_t user_tmpfs_t:file unlink; +userdom_signull_unpriv_users(gpg_pinentry_t) + 
+tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(gpg_pinentry_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files(gpg_pinentry_t) +') + +optional_policy(` + dbus_session_bus_client(gpg_pinentry_t) + dbus_system_bus_client(gpg_pinentry_t) +') + +optional_policy(` + gnome_write_generic_cache_files(gpg_pinentry_t) + gnome_read_generic_cache_files(gpg_pinentry_t) + gnome_read_gconf_home_files(gpg_pinentry_t) +') + +optional_policy(` + pulseaudio_exec(gpg_pinentry_t) + pulseaudio_rw_home_files(gpg_pinentry_t) + pulseaudio_setattr_home_dir(gpg_pinentry_t) + pulseaudio_stream_connect(gpg_pinentry_t) + pulseaudio_signull(gpg_pinentry_t) +') + +optional_policy(` + xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) + +') + +############################# +# +# gpg web local policy +# + +allow gpg_web_t self:process setrlimit; + +dev_read_rand(gpg_web_t) +dev_read_urand(gpg_web_t) + +can_exec(gpg_web_t, gpg_exec_t) + +files_read_usr_files(gpg_web_t) + +miscfiles_read_localization(gpg_web_t) + +apache_dontaudit_rw_tmp_files(gpg_web_t) +apache_manage_sys_content_rw(gpg_web_t) + +tunable_policy(`gpg_web_anon_write',` + miscfiles_manage_public_files(gpg_web_t) +') diff --git a/policy/modules/apps/irc.fc b/policy/modules/apps/irc.fc new file mode 100644 index 0000000..6bfdfd3 --- /dev/null +++ b/policy/modules/apps/irc.fc @@ -0,0 +1,15 @@ +# +# /home +# +HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) +HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irssi_home_t,s0) + +/etc/irssi\.conf -- gen_context(system_u:object_r:irssi_etc_t,s0) + +# +# /usr +# +/usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0) +/usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0) +/usr/bin/irssi -- gen_context(system_u:object_r:irssi_exec_t,s0) +/usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0) 
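Review bot: `domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)` appears twice in the gpg.te hunk, once under "GPG local policy" and again at the top of "GPG agent local policy"; keep one. More substantively, gpg_t itself receives `corenet_tcp_connect_all_ports(gpg_t)` and the matching tcp/udp sendrecv-all-ports rules even though the hunk defines a separate gpg_helper_t so that network key fetching runs in its own domain (the helper is even dontaudited from reading gpg_secret_t); the domain that holds the secret keyring should not also have unrestricted outbound network, so these rules belong on the helper only or behind a tunable. Also in this hunk: `allow gpg_pinentry_t user_tmpfs_t:file unlink;` references a userdomain type directly rather than through a userdom_ interface or a gen_require, which crosses the module boundary that every other rule in the file respects; mta_write_config(gpg_t) needs a comment explaining why gpg writes MTA configuration; the commented-out cron optional_policy block is dead code that should be removed or explained; and the comment "#at setrlimit is for ulimit -c 0" looks like a typo for "# setrlimit is for ulimit -c 0".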
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if new file mode 100644 index 0000000..8dc8a5f --- /dev/null +++ b/policy/modules/apps/irc.if @@ -0,0 +1,46 @@ +## <summary>IRC client policy</summary> + +######################################## +## <summary> +## Role access for IRC +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`irc_role',` + gen_require(` + type irc_t, irc_exec_t; + type irssi_t, irssi_exec_t, irssi_home_t; + ') + + role $1 types irc_t; + role $1 types irssi_t; + + # Transition from the user domain to the derived domain. + domtrans_pattern($2, irc_exec_t, irc_t) + + # allow ps to show irc + ps_process_pattern($2, irc_t) + allow $2 irc_t:process signal; + + domtrans_pattern($2, irssi_exec_t, irssi_t) + + allow $2 irssi_t:process { ptrace signal_perms }; + ps_process_pattern($2, irssi_t) + + manage_dirs_pattern($2, irssi_home_t, irssi_home_t) + manage_files_pattern($2, irssi_home_t, irssi_home_t) + manage_lnk_files_pattern($2, irssi_home_t, irssi_home_t) + + relabel_dirs_pattern($2, irssi_home_t, irssi_home_t) + relabel_files_pattern($2, irssi_home_t, irssi_home_t) + relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t) +') diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te new file mode 100644 index 0000000..b7c6502 --- /dev/null +++ b/policy/modules/apps/irc.te 
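Review bot: `allow $2 irssi_t:process { ptrace signal_perms };` in irc_role grants the user domain ptrace over irssi, while the irc_t half of the same interface grants only `signal`; unless attaching a debugger to irssi from the user shell is a real requirement, tighten this to signal_perms (or route ptrace through the policy's usual deny_ptrace handling) so the two clients are treated consistently. The two `role $1 types ...;` lines can also be merged into `role $1 types { irc_t irssi_t };`, as gpg_role does.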
@@ -0,0 +1,207 @@ +policy_module(irc, 2.1.0) + +######################################## +# +# Declarations +# + +type irc_t; +type irc_exec_t; +typealias irc_t alias { user_irc_t staff_irc_t sysadm_irc_t }; +typealias irc_t alias { auditadm_irc_t secadm_irc_t }; +application_domain(irc_t, irc_exec_t) +ubac_constrained(irc_t) + +type irc_home_t; +typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t }; +typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t }; +userdom_user_home_content(irc_home_t) + +type irc_tmp_t; +typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t }; +typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t }; +userdom_user_home_content(irc_tmp_t) + +######################################## +# +# Irssi personal declarations. +# + +## <desc> +## <p> +## Allow the Irssi IRC Client to connect to any port, +## and to bind to any unreserved port. +## </p> +## </desc> +gen_tunable(irssi_use_full_network, false) + +type irssi_t; +type irssi_exec_t; +application_domain(irssi_t, irssi_exec_t) +ubac_constrained(irssi_t) + +type irssi_etc_t; +files_config_file(irssi_etc_t) + +type irssi_home_t; +userdom_user_home_content(irssi_home_t) + +######################################## +# +# Local policy +# + +allow irc_t self:unix_stream_socket create_stream_socket_perms; +allow irc_t self:tcp_socket create_socket_perms; +allow irc_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(irc_t, irc_home_t, irc_home_t) +manage_files_pattern(irc_t, irc_home_t, irc_home_t) +manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t) +userdom_user_home_dir_filetrans(irc_t, irc_home_t, { dir file lnk_file }) + +# access files under /tmp +manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t) +manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) +manage_lnk_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) +manage_fifo_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) +manage_sock_files_pattern(irc_t, irc_tmp_t, 
irc_tmp_t) +files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) + +kernel_read_proc_symlinks(irc_t) + +corenet_all_recvfrom_unlabeled(irc_t) +corenet_all_recvfrom_netlabel(irc_t) +corenet_tcp_sendrecv_generic_if(irc_t) +corenet_udp_sendrecv_generic_if(irc_t) +corenet_tcp_sendrecv_generic_node(irc_t) +corenet_udp_sendrecv_generic_node(irc_t) +corenet_tcp_sendrecv_all_ports(irc_t) +corenet_udp_sendrecv_all_ports(irc_t) +corenet_sendrecv_ircd_client_packets(irc_t) +# cjp: this seems excessive: +corenet_tcp_connect_all_ports(irc_t) +corenet_sendrecv_all_client_packets(irc_t) + +domain_use_interactive_fds(irc_t) + +files_dontaudit_search_pids(irc_t) +files_search_var(irc_t) +files_read_etc_files(irc_t) +files_read_usr_files(irc_t) + +fs_getattr_xattr_fs(irc_t) +fs_search_auto_mountpoints(irc_t) + +term_use_controlling_term(irc_t) +term_list_ptys(irc_t) + +# allow utmp access +init_read_utmp(irc_t) +init_dontaudit_lock_utmp(irc_t) + +miscfiles_read_localization(irc_t) + +# Inherit and use descriptors from newrole. +seutil_use_newrole_fds(irc_t) + +sysnet_read_config(irc_t) + +# Write to the user domain tty. +userdom_use_user_terminals(irc_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(irc_t) + fs_manage_nfs_files(irc_t) + fs_manage_nfs_symlinks(irc_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(irc_t) + fs_manage_cifs_files(irc_t) + fs_manage_cifs_symlinks(irc_t) +') + +optional_policy(` + nis_use_ypbind(irc_t) +') + +######################################## +# +# Irssi personal declarations. 
+# + +allow irssi_t self:process { signal sigkill }; +allow irssi_t self:fifo_file rw_fifo_file_perms; +allow irssi_t self:netlink_route_socket create_netlink_socket_perms; +allow irssi_t self:tcp_socket create_stream_socket_perms; +allow irssi_t self:udp_socket create_socket_perms; + +read_files_pattern(irssi_t, irssi_etc_t, irssi_etc_t) + +manage_dirs_pattern(irssi_t, irssi_home_t, irssi_home_t) +manage_files_pattern(irssi_t, irssi_home_t, irssi_home_t) +manage_lnk_files_pattern(irssi_t, irssi_home_t, irssi_home_t) +userdom_user_home_dir_filetrans(irssi_t, irssi_home_t, { dir file lnk_file }) +userdom_search_user_home_dirs(irssi_t) + +corecmd_search_bin(irssi_t) +corecmd_read_bin_symlinks(irssi_t) + +corenet_tcp_connect_ircd_port(irssi_t) +corenet_sendrecv_ircd_client_packets(irssi_t) + +# Privoxy +corenet_tcp_connect_http_cache_port(irssi_t) +corenet_sendrecv_http_cache_client_packets(irssi_t) + +corenet_all_recvfrom_netlabel(irssi_t) +corenet_all_recvfrom_unlabeled(irssi_t) +corenet_tcp_sendrecv_generic_if(irssi_t) +corenet_tcp_sendrecv_generic_node(irssi_t) +corenet_tcp_sendrecv_generic_port(irssi_t) +corenet_tcp_bind_generic_node(irssi_t) +corenet_udp_bind_generic_node(irssi_t) + +dev_read_urand(irssi_t) +# irssi-otr genkey. 
+dev_read_rand(irssi_t) + +files_read_etc_files(irssi_t) +files_read_usr_files(irssi_t) + +fs_search_auto_mountpoints(irssi_t) + +miscfiles_read_localization(irssi_t) + +sysnet_read_config(irssi_t) + +userdom_use_user_terminals(irssi_t) + +tunable_policy(`irssi_use_full_network', ` + corenet_tcp_bind_all_unreserved_ports(irssi_t) + corenet_tcp_connect_all_ports(irssi_t) + corenet_sendrecv_generic_server_packets(irssi_t) + corenet_sendrecv_all_client_packets(irssi_t) +') + +tunable_policy(`use_nfs_home_dirs', ` + fs_manage_nfs_dirs(irssi_t) + fs_manage_nfs_files(irssi_t) + fs_manage_nfs_symlinks(irssi_t) +') + +tunable_policy(`use_samba_home_dirs', ` + fs_manage_cifs_dirs(irssi_t) + fs_manage_cifs_files(irssi_t) + fs_manage_cifs_symlinks(irssi_t) +') + +optional_policy(` + automount_dontaudit_getattr_tmp_dirs(irssi_t) +') + +optional_policy(` + nis_use_ypbind(irssi_t) +') + diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc new file mode 100644 index 0000000..87d560b --- /dev/null +++ b/policy/modules/apps/java.fc 
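Review bot: irc_tmp_t is declared with `userdom_user_home_content(irc_tmp_t)` but is then used with `files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })` for content under /tmp; a tmp type should be declared with files_tmp_file(), as gpg_agent_tmp_t is in gpg.te, otherwise it carries home-directory attributes and the /tmp transitions are not covered by the tmp-file handling interfaces. Second, the hunk keeps the "# cjp: this seems excessive:" remark above `corenet_tcp_connect_all_ports(irc_t)` while the irssi section of the same file solves the same problem with the irssi_use_full_network tunable; the irc_t all-ports rules should be gated the same way and the stale remark dropped. Finally, the second "# Irssi personal declarations." heading introduces the irssi local policy, not declarations, and should be renamed.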
@@ -0,0 +1,42 @@ +# +# /opt +# +/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) +/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) +/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) +/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) + +# +# /usr +# +/usr/Aptana[^/]*/AptanaStudio -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/gjarsigner -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/gkeytool -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) + +/usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0) +/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + +/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) + +/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) + +/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? 
-- gen_context(system_u:object_r:java_exec_t,s0) +/opt/ibm(/.*)?/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + +ifdef(`distro_redhat',` +/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) +') diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if new file mode 100644 index 0000000..f0c4777 --- /dev/null +++ b/policy/modules/apps/java.if 
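Review bot: the broad entry `/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)` already matches everything the later `/usr/lib(.*/)?bin/java[^/]*` line matches, so the second is redundant and can be dropped. The MATLAB, Opera, AptanaStudio and octave entries also label non-Java binaries as java_exec_t; that may be deliberate (they embed a JVM), but a short comment saying so would save the next reader from assuming a mislabel.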
@@ -0,0 +1,202 @@ +## <summary>Java virtual machine</summary> + +######################################## +## <summary> +## Role access for java +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`java_role',` + gen_require(` + type java_t, java_exec_t; + ') + + role $1 types java_t; + + # The user role is authorized for this domain. + domtrans_pattern($2, java_exec_t, java_t) + allow java_t $2:process signull; + # Unrestricted inheritance from the caller. + allow $2 java_t:process { noatsecure siginh rlimitinh }; + + allow java_t $2:unix_stream_socket connectto; + allow java_t $2:unix_stream_socket { read write }; + allow java_t $2:tcp_socket { read write }; +') + +####################################### +## <summary> +## The role template for the java module. +## </summary> +## <desc> +## <p> +## This template creates a derived domains which are used +## for java applications. +## </p> +## </desc> +## <param name="role_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +## <param name="user_role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the user domain. 
+## </summary> +## </param> +# +template(`java_role_template',` + gen_require(` + type java_exec_t; + ') + + type $1_java_t; + domain_type($1_java_t) + domain_entry_file($1_java_t, java_exec_t) + role $2 types $1_java_t; + + domain_interactive_fd($1_java_t) + + userdom_unpriv_usertype($1, $1_java_t) + userdom_manage_tmpfs_role($2, $1_java_t) + + allow $1_java_t self:process { ptrace signal getsched execmem execstack }; + + dontaudit $1_java_t $3:tcp_socket { read write }; + + allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms }; + + domtrans_pattern($3, java_exec_t, $1_java_t) + + corecmd_bin_domtrans($1_java_t, $1_t) + + dev_dontaudit_append_rand($1_java_t) + + files_execmod_all_files($1_java_t) + + fs_dontaudit_rw_tmpfs_files($1_java_t) + + optional_policy(` + xserver_role($2, $1_java_t) + ') +') + +######################################## +## <summary> +## Run java in javaplugin domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +template(`java_domtrans',` + gen_require(` + type java_t, java_exec_t; + ') + + domtrans_pattern($1, java_exec_t, java_t) +') + +######################################## +## <summary> +## Execute java in the java domain, and +## allow the specified role the java domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`java_run',` + gen_require(` + type java_t; + ') + + java_domtrans($1) + role $2 types java_t; +') + +######################################## +## <summary> +## Execute the java program in the unconfined java domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`java_domtrans_unconfined',` + gen_require(` + type unconfined_java_t, java_exec_t; + ') + + domtrans_pattern($1, java_exec_t, unconfined_java_t) + corecmd_search_bin($1) +') + +######################################## +## <summary> +## Execute the java program in the unconfined java domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`java_run_unconfined',` + gen_require(` + type unconfined_java_t; + ') + + java_domtrans_unconfined($1) + role $2 types unconfined_java_t; + nsplugin_role_notrans($2, unconfined_java_t) +') + +######################################## +## <summary> +## Execute the java program in the java domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`java_exec',` + gen_require(` + type java_exec_t; + ') + + can_exec($1, java_exec_t) +') diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te new file mode 100644 index 0000000..90ce46a --- /dev/null +++ b/policy/modules/apps/java.te 
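Review bot: in java_role_template, `corecmd_bin_domtrans($1_java_t, $1_t)` hard-codes the user domain as `$1_t` although the template takes the user domain as its third parameter and uses it two lines earlier in `domtrans_pattern($3, java_exec_t, $1_java_t)`, and `$1_t` is not in the gen_require block; this should be `corecmd_bin_domtrans($1_java_t, $3)`. In the same template, files_execmod_all_files($1_java_t) together with execmem and execstack in the self:process rule grant text relocation on every file and an executable stack unconditionally, whereas java.te puts execstack behind the allow_java_execstack tunable; the template should use the same tunable. Also, java_domtrans is declared with template( but creates no derived types and is called like an interface from java_run, so it should be declared with interface(; and java_run_unconfined calls nsplugin_role_notrans($2, unconfined_java_t) without an optional_policy wrapper, which turns the nsplugin module into a hard dependency of java.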
@@ -0,0 +1,159 @@ +policy_module(java, 2.3.1) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow java executable stack +## </p> +## </desc> +gen_tunable(allow_java_execstack, false) + +type java_t; +type java_exec_t; +application_domain(java_t, java_exec_t) +ubac_constrained(java_t) +typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t }; +typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; +role system_r types java_t; + +type java_tmp_t; +files_tmp_file(java_tmp_t) +ubac_constrained(java_tmp_t) +typealias java_tmp_t alias { staff_javaplugin_tmp_t user_javaplugin_tmp_t sysadm_javaplugin_tmp_t }; +typealias java_tmp_t alias { auditadm_tmp_javaplugin_t secadm_javaplugin_tmp_t }; + +type java_tmpfs_t; +ubac_constrained(java_tmpfs_t) +files_tmpfs_file(java_tmpfs_t) +typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t }; +typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t }; + +type unconfined_java_t; +init_system_domain(unconfined_java_t, java_exec_t) + +######################################## +# +# Local policy +# + +allow java_t self:process { signal_perms getsched setsched execmem }; +allow java_t self:fifo_file rw_fifo_file_perms; +allow java_t self:tcp_socket create_socket_perms; +allow java_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(java_t, java_tmp_t, java_tmp_t) +manage_files_pattern(java_t, java_tmp_t, java_tmp_t) +files_tmp_filetrans(java_t, java_tmp_t, { file dir }) + +manage_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t) +manage_lnk_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t) +manage_fifo_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t) +manage_sock_files_pattern(java_t, java_tmpfs_t, java_tmpfs_t) +fs_tmpfs_filetrans(java_t, java_tmpfs_t, { file lnk_file sock_file fifo_file }) + +can_exec(java_t, java_exec_t) + +kernel_read_all_sysctls(java_t) 
+kernel_search_vm_sysctl(java_t) +kernel_read_network_state(java_t) +kernel_read_system_state(java_t) + +# Search bin directory under java for java executable +corecmd_search_bin(java_t) + +corenet_all_recvfrom_unlabeled(java_t) +corenet_all_recvfrom_netlabel(java_t) +corenet_tcp_sendrecv_generic_if(java_t) +corenet_udp_sendrecv_generic_if(java_t) +corenet_tcp_sendrecv_generic_node(java_t) +corenet_udp_sendrecv_generic_node(java_t) +corenet_tcp_sendrecv_all_ports(java_t) +corenet_udp_sendrecv_all_ports(java_t) +corenet_tcp_connect_all_ports(java_t) +corenet_sendrecv_all_client_packets(java_t) + +dev_read_sound(java_t) +dev_write_sound(java_t) +dev_read_urand(java_t) +dev_read_rand(java_t) +dev_dontaudit_append_rand(java_t) + +files_read_etc_files(java_t) +files_read_usr_files(java_t) +files_search_home(java_t) +files_search_var_lib(java_t) +files_read_etc_runtime_files(java_t) +# Read global fonts and font config + +fs_getattr_xattr_fs(java_t) +fs_dontaudit_rw_tmpfs_files(java_t) + +logging_send_syslog_msg(java_t) + +miscfiles_read_localization(java_t) +# Read global fonts and font config +miscfiles_read_fonts(java_t) + +sysnet_read_config(java_t) + +userdom_dontaudit_use_user_terminals(java_t) +userdom_dontaudit_setattr_user_home_content_files(java_t) +userdom_dontaudit_exec_user_home_content_files(java_t) +userdom_manage_user_home_content_dirs(java_t) +userdom_manage_user_home_content_files(java_t) +userdom_manage_user_home_content_symlinks(java_t) +userdom_manage_user_home_content_pipes(java_t) +userdom_manage_user_home_content_sockets(java_t) +userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file }) +userdom_write_user_tmp_sockets(java_t) + +tunable_policy(`allow_java_execstack',` + allow java_t self:process execstack; + + allow java_t java_tmp_t:file execute; + + libs_legacy_use_shared_libs(java_t) + libs_legacy_use_ld_so(java_t) + + miscfiles_legacy_read_localization(java_t) +') + +optional_policy(` + 
nis_use_ypbind(java_t) +') + +optional_policy(` + nscd_socket_use(java_t) +') + +optional_policy(` + xserver_user_x_domain_template(java, java_t, java_tmpfs_t) +') + +######################################## +# +# Unconfined java local policy +# + +optional_policy(` + # execheap is needed for itanium/BEA jrocket + allow unconfined_java_t self:process { execstack execmem execheap }; + + init_dbus_chat_script(unconfined_java_t) + + files_execmod_all_files(unconfined_java_t) + + init_dbus_chat_script(unconfined_java_t) + + unconfined_domain_noaudit(unconfined_java_t) + unconfined_dbus_chat(unconfined_java_t) + userdom_unpriv_usertype(unconfined, unconfined_java_t) + + optional_policy(` + rpm_domtrans(unconfined_java_t) + ') +') diff --git a/policy/modules/apps/kdumpgui.fc b/policy/modules/apps/kdumpgui.fc new file mode 100644 index 0000000..250679c --- /dev/null +++ b/policy/modules/apps/kdumpgui.fc @@ -0,0 +1 @@ +/usr/share/system-config-kdump/system-config-kdump-backend\.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0) diff --git a/policy/modules/apps/kdumpgui.if b/policy/modules/apps/kdumpgui.if new file mode 100644 index 0000000..d6af9b0 --- /dev/null +++ b/policy/modules/apps/kdumpgui.if @@ -0,0 +1,2 @@ +## <summary>system-config-kdump GUI</summary> + diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te new file mode 100644 index 0000000..3812a46 --- /dev/null +++ b/policy/modules/apps/kdumpgui.te 
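Review bot: `init_dbus_chat_script(unconfined_java_t)` appears twice in the "Unconfined java local policy" optional_policy block of java.te; drop the second copy. Two smaller points in the same hunk: the `# Read global fonts and font config` comment after `files_read_etc_runtime_files(java_t)` is orphaned (the same comment already sits, correctly, above `miscfiles_read_fonts(java_t)`), and the tmp/tmpfs typealiases mix two naming orders (`auditadm_tmp_javaplugin_t` and `secadm_tmpfs_javaplugin_t` next to `staff_javaplugin_tmp_t` and `secadm_javaplugin_tmp_t`), which will make the legacy names hard to match in file contexts. Finally, the `<desc>` for `allow_java_execstack` says only "Allow java executable stack", but the tunable block also grants `allow java_t java_tmp_t:file execute;` plus the `libs_legacy_*` and `miscfiles_legacy_*` interfaces; the description should list everything an administrator turns on with that boolean, since executing files out of a tmp type is a larger grant than an executable stack.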
@@ -0,0 +1,67 @@ +policy_module(kdumpgui, 1.0.0) + +######################################## +# +# Declarations +# + +type kdumpgui_t; +type kdumpgui_exec_t; +dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) + +###################################### +# +# system-config-kdump local policy +# + +allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio }; +allow kdumpgui_t self:fifo_file rw_fifo_file_perms; +allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms; + +kernel_read_system_state(kdumpgui_t) +kernel_read_network_state(kdumpgui_t) + +corecmd_exec_bin(kdumpgui_t) +corecmd_exec_shell(kdumpgui_t) + +dev_dontaudit_getattr_all_chr_files(kdumpgui_t) +dev_read_sysfs(kdumpgui_t) + +files_manage_boot_files(kdumpgui_t) +files_manage_boot_symlinks(kdumpgui_t) +# Needed for running chkconfig +files_manage_etc_symlinks(kdumpgui_t) +# for blkid.tab +files_manage_etc_runtime_files(kdumpgui_t) +files_etc_filetrans_etc_runtime(kdumpgui_t, file) +files_read_usr_files(kdumpgui_t) + +storage_raw_read_fixed_disk(kdumpgui_t) +storage_raw_write_fixed_disk(kdumpgui_t) + +auth_use_nsswitch(kdumpgui_t) + +consoletype_exec(kdumpgui_t) + +kdump_manage_config(kdumpgui_t) +kdump_initrc_domtrans(kdumpgui_t) + +logging_send_syslog_msg(kdumpgui_t) + +miscfiles_read_localization(kdumpgui_t) + +init_dontaudit_read_all_script_files(kdumpgui_t) + +userdom_dontaudit_search_admin_dir(kdumpgui_t) + +optional_policy(` + dev_rw_lvm_control(kdumpgui_t) +') + +optional_policy(` + gnome_dontaudit_search_config(kdumpgui_t) +') + +optional_policy(` + policykit_dbus_chat(kdumpgui_t) +') diff --git a/policy/modules/apps/livecd.fc b/policy/modules/apps/livecd.fc new file mode 100644 index 0000000..34937fc --- /dev/null +++ b/policy/modules/apps/livecd.fc @@ -0,0 +1 @@ +/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if new file mode 100644 index 0000000..b67cf26 --- /dev/null 
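Review bot: `dev_rw_lvm_control(kdumpgui_t)` is wrapped in `optional_policy()`, but the `dev_*` interfaces belong to the kernel-layer devices module, which is always loaded, so the wrapper is unnecessary and should be removed (the `gnome_` and `policykit_` blocks below it are the ones that genuinely need one). Separately, the combination of `sys_admin`, `sys_rawio`, `storage_raw_write_fixed_disk(kdumpgui_t)` and `corecmd_exec_shell(kdumpgui_t)` makes this a very powerful domain for a GUI backend; a comment explaining which kdump operation needs raw write access to fixed disks would help later reviewers decide whether it can be narrowed, in the same way `# Needed for running chkconfig` and `# for blkid.tab` already justify the etc rules.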
+++ b/policy/modules/apps/livecd.if 
@@ -0,0 +1,124 @@ +## <summary>Livecd tool for building alternate livecd for different os and policy versions.</summary> + +######################################## +## <summary> +## Execute a domain transition to run livecd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`livecd_domtrans',` + gen_require(` + type livecd_t, livecd_exec_t; + ') + + domtrans_pattern($1, livecd_exec_t, livecd_t) +') + +######################################## +## <summary> +## Execute livecd in the livecd domain, and +## allow the specified role the livecd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`livecd_run',` + gen_require(` + type livecd_t; + ') + + livecd_domtrans($1) + role $2 types livecd_t; + + seutil_run_setfiles_mac(livecd_t, $2) + + optional_policy(` + mount_run(livecd_t, $2) + ') +') + +######################################## +## <summary> +## Dontaudit read/write to a livecd leaks +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`livecd_dontaudit_leaks',` + gen_require(` + type livecd_t; + ') + + dontaudit $1 livecd_t:unix_dgram_socket { read write }; +') + +######################################## +## <summary> +## Read livecd temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`livecd_read_tmp_files',` + gen_require(` + type livecd_tmp_t; + ') + + files_search_tmp($1) + read_files_pattern($1, livecd_tmp_t, livecd_tmp_t) +') + +######################################## +## <summary> +## Read and write livecd temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`livecd_rw_tmp_files',` + gen_require(` + type livecd_tmp_t; + ') + + files_search_tmp($1) + rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t) +') + +######################################## +## <summary> +## Allow read and write access to livecd semaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`livecd_rw_semaphores',` + gen_require(` + type livecd_t; + ') + + allow $1 livecd_t:sem { unix_read unix_write associate read write }; +') diff --git a/policy/modules/apps/livecd.te b/policy/modules/apps/livecd.te new file mode 100644 index 0000000..47a193c --- /dev/null +++ b/policy/modules/apps/livecd.te @@ -0,0 +1,35 @@ +policy_module(livecd, 1.0.0) + +######################################## +# +# Declarations +# + +type livecd_t; +type livecd_exec_t; +application_domain(livecd_t, livecd_exec_t) +role system_r types livecd_t; + +type livecd_tmp_t; +files_tmp_file(livecd_tmp_t) + +######################################## +# +# livecd local policy +# + +dontaudit livecd_t self:capability2 mac_admin; + +domain_ptrace_all_domains(livecd_t) + +manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) +manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) +files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file }) + +optional_policy(` + unconfined_domain_noaudit(livecd_t) +') + +optional_policy(` + hal_dbus_chat(livecd_t) +') diff --git a/policy/modules/apps/loadkeys.fc b/policy/modules/apps/loadkeys.fc new file mode 100644 index 0000000..8549f9f --- /dev/null +++ b/policy/modules/apps/loadkeys.fc @@ -0,0 +1,3 @@ + +/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) +/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if new file mode 100644 index 0000000..b55edd0 --- /dev/null +++ b/policy/modules/apps/loadkeys.if 
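Review bot: `livecd_rw_semaphores` in livecd.if spells out `{ unix_read unix_write associate read write }` while the rest of the file uses the `*_pattern` and `*_perms` macros; `rw_sem_perms` (which additionally carries `getattr`) would be the consistent choice if that extra permission is acceptable. The `<summary>` of `livecd_dontaudit_leaks` ("Dontaudit read/write to a livecd leaks") should name the object class the rule actually covers, for example "Do not audit attempts to read or write leaked livecd unix datagram sockets".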
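Review bot: in livecd.te, `domain_ptrace_all_domains(livecd_t)` is granted unconditionally while `unconfined_domain_noaudit(livecd_t)` is inside `optional_policy()`, so when the unconfined module is not loaded this domain still gets ptrace over every domain on the system; either add a comment stating why livecd-creator needs that, or move it into the same optional block so the confined build does not carry it.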
@@ -0,0 +1,67 @@ +## <summary>Load keyboard mappings.</summary> + +######################################## +## <summary> +## Execute the loadkeys program in the loadkeys domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`loadkeys_domtrans',` + gen_require(` + type loadkeys_t, loadkeys_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, loadkeys_exec_t, loadkeys_t) + + ifdef(`hide_broken_symptoms',` + dontaudit loadkeys_t $1:socket_class_set { read write }; + ') +') + +######################################## +## <summary> +## Execute the loadkeys program in the loadkeys domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the loadkeys domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`loadkeys_run',` + gen_require(` + type loadkeys_t; + ') + + loadkeys_domtrans($1) + role $2 types loadkeys_t; +') + +######################################## +## <summary> +## Execute the loadkeys program in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`loadkeys_exec',` + gen_require(` + type loadkeys_exec_t; + ') + + can_exec($1, loadkeys_exec_t) +') diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te new file mode 100644 index 0000000..a076ebb --- /dev/null +++ b/policy/modules/apps/loadkeys.te 
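Review bot: the `<summary>` of `loadkeys_run` is a copy of the one for `loadkeys_domtrans` ("Execute the loadkeys program in the loadkeys domain.") and does not mention that it also assigns the role; reword it along the lines of the livecd and mono `_run` interfaces, "Execute loadkeys in the loadkeys domain, and allow the specified role the loadkeys domain." The `hide_broken_symptoms` block inside `loadkeys_domtrans` uses `dontaudit loadkeys_t $1:socket_class_set { read write };`, which silences denials on every socket class the caller holds; a comment naming the leaked descriptor it hides would make it easier to remove once the leak is fixed.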
@@ -0,0 +1,50 @@ +policy_module(loadkeys, 1.7.1) + +######################################## +# +# Declarations +# + +# cjp: this should probably be rewritten +# per user domain, since it can rw +# all user domain ttys +type loadkeys_t; +type loadkeys_exec_t; +init_system_domain(loadkeys_t, loadkeys_exec_t) + +######################################## +# +# Local policy +# + +allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config }; +allow loadkeys_t self:fifo_file rw_fifo_file_perms; + +kernel_read_system_state(loadkeys_t) + +corecmd_exec_bin(loadkeys_t) +corecmd_exec_shell(loadkeys_t) + +files_read_etc_files(loadkeys_t) +files_read_etc_runtime_files(loadkeys_t) + +term_dontaudit_use_console(loadkeys_t) +term_use_unallocated_ttys(loadkeys_t) + +init_dontaudit_use_fds(loadkeys_t) +init_dontaudit_use_script_ptys(loadkeys_t) + +locallogin_use_fds(loadkeys_t) + +miscfiles_read_localization(loadkeys_t) + +userdom_use_user_ttys(loadkeys_t) +userdom_list_user_home_content(loadkeys_t) + +ifdef(`hide_broken_symptoms',` + dev_dontaudit_rw_lvm_control(loadkeys_t) +') + +optional_policy(` + nscd_dontaudit_search_pid(loadkeys_t) +') diff --git a/policy/modules/apps/lockdev.fc b/policy/modules/apps/lockdev.fc new file mode 100644 index 0000000..8b5ce03 --- /dev/null +++ b/policy/modules/apps/lockdev.fc @@ -0,0 +1,2 @@ + +/usr/sbin/lockdev -- gen_context(system_u:object_r:lockdev_exec_t,s0) diff --git a/policy/modules/apps/lockdev.if b/policy/modules/apps/lockdev.if new file mode 100644 index 0000000..8e7d279 --- /dev/null +++ b/policy/modules/apps/lockdev.if 
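Review bot: the `cjp:` comment in loadkeys.te records that the domain can read and write every user domain's ttys (`userdom_use_user_ttys(loadkeys_t)`, `term_use_unallocated_ttys(loadkeys_t)`), and the hunk also grants `dac_override dac_read_search setuid` together with `corecmd_exec_shell(loadkeys_t)`; if the per-user rewrite is not part of this change, at least record why `dac_override` and `setuid` are needed, since neither is explained and `dac_override` alone lets the domain bypass file permissions on anything it can otherwise reach.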
@@ -0,0 +1,33 @@ +## <summary>device locking policy for lockdev</summary> + +######################################## +## <summary> +## Role access for lockdev +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`lockdev_role',` + gen_require(` + type lockdev_t, lockdev_exec_t; + type lockdev_lock_t; + ') + + role $1 types lockdev_t; + + # Transition from the user domain to the derived domain. + domtrans_pattern($2, lockdev_exec_t, lockdev_t) + allow lockdev_t $2:process signull; + + # allow ps to show lockdev + ps_process_pattern($2, lockdev_t) + allow $2 lockdev_t:process signal; +') diff --git a/policy/modules/apps/lockdev.te b/policy/modules/apps/lockdev.te new file mode 100644 index 0000000..0bac996 --- /dev/null +++ b/policy/modules/apps/lockdev.te @@ -0,0 +1,39 @@ +policy_module(lockdev, 1.3.0) + +######################################## +# +# Declarations +# + +type lockdev_t; +type lockdev_exec_t; +typealias lockdev_t alias { user_lockdev_t staff_lockdev_t sysadm_lockdev_t }; +typealias lockdev_t alias { auditadm_lockdev_t secadm_lockdev_t }; +application_domain(lockdev_t, lockdev_exec_t) +ubac_constrained(lockdev_t) + +type lockdev_lock_t; +typealias lockdev_lock_t alias { user_lockdev_lock_t staff_lockdev_lock_t sysadm_lockdev_lock_t }; +typealias lockdev_lock_t alias { auditadm_lockdev_lock_t secadm_lockdev_lock_t }; +files_lock_file(lockdev_lock_t) +ubac_constrained(lockdev_lock_t) + +######################################## +# +# Local policy +# + +# Use capabilities. +allow lockdev_t self:capability setgid; + +allow lockdev_t lockdev_lock_t:file manage_file_perms; +files_lock_filetrans(lockdev_t, lockdev_lock_t, file) + +files_read_all_locks(lockdev_t) + +fs_getattr_xattr_fs(lockdev_t) + +logging_send_syslog_msg(lockdev_t) + +userdom_use_user_terminals(lockdev_t) + 
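Review bot: `lockdev_role` in lockdev.if requires `type lockdev_lock_t;` in its `gen_require` but never references it; drop the unused require, since stale requires make the interface fail to link if the type is ever renamed. The comment `# Transition from the user domain to the derived domain.` is accurate for `domtrans_pattern($2, lockdev_exec_t, lockdev_t)`, so keep that style for the `signull` and `signal` rules too, stating which direction each signal flows.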
diff --git a/policy/modules/apps/mediawiki.fc b/policy/modules/apps/mediawiki.fc new file mode 100644 index 0000000..bf872ef --- /dev/null +++ b/policy/modules/apps/mediawiki.fc @@ -0,0 +1,10 @@ + +/usr/lib(64)?/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) +/usr/lib(64)?/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) +/usr/lib(64)?/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) + +/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0) + +/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0) + +/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0) diff --git a/policy/modules/apps/mediawiki.if b/policy/modules/apps/mediawiki.if new file mode 100644 index 0000000..1c1d012 --- /dev/null +++ b/policy/modules/apps/mediawiki.if @@ -0,0 +1,40 @@ +## <summary>Mediawiki policy</summary> + +####################################### +## <summary> +## Allow the specified domain to read +## mediawiki tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mediawiki_read_tmp_files',` + gen_require(` + type httpd_mediawiki_tmp_t; + ') + + files_search_tmp($1) + read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) + read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) +') + +####################################### +## <summary> +## Delete mediawiki tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mediawiki_delete_tmp_files',` + gen_require(` + type httpd_mediawiki_tmp_t; + ') + + delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) +') 
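Review bot: the third texvc entry in mediawiki.fc, `/usr/lib(64)?/mediawiki/math/texvc_tes`, breaks the pattern of its siblings (`texvc`, `texvc_tex`) and looks cut short; please confirm the installed filename before this ships, because a file context that matches nothing leaves that helper with the parent directory's default label instead of `httpd_mediawiki_script_exec_t`. The split between `/var/www/wiki(/.*)?` as `httpd_mediawiki_rw_content_t` and `/var/www/wiki/.*\.php` as `httpd_mediawiki_content_t` is the right shape: the PHP the web server executes is not writable by the script domain.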
diff --git a/policy/modules/apps/mediawiki.te b/policy/modules/apps/mediawiki.te new file mode 100644 index 0000000..b7f569d --- /dev/null +++ b/policy/modules/apps/mediawiki.te @@ -0,0 +1,35 @@ + +policy_module(mediawiki, 1.0.0) + +######################################## +# +# Declarations +# + +apache_content_template(mediawiki) + +type httpd_mediawiki_tmp_t; +files_tmp_file(httpd_mediawiki_tmp_t) + +permissive httpd_mediawiki_script_t; + +######################################## +# +# mediawiki local policy +# + +manage_dirs_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) +manage_files_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) +manage_lnk_files_pattern(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) +files_tmp_filetrans(httpd_mediawiki_script_t, httpd_mediawiki_tmp_t, { file dir lnk_file }) + +files_search_var_lib(httpd_mediawiki_script_t) + +userdom_read_user_tmp_files(httpd_mediawiki_script_t) + +miscfiles_read_tetex_data(httpd_mediawiki_script_t) + +optional_policy(` + apache_dontaudit_rw_tmp_files(httpd_mediawiki_script_t) +') + diff --git a/policy/modules/apps/metadata.xml b/policy/modules/apps/metadata.xml new file mode 100644 index 0000000..a5ad4c0 --- /dev/null +++ b/policy/modules/apps/metadata.xml @@ -0,0 +1 @@ +<summary>Policy modules for applications</summary> diff --git a/policy/modules/apps/mono.fc b/policy/modules/apps/mono.fc new file mode 100644 index 0000000..b01bc91 --- /dev/null +++ b/policy/modules/apps/mono.fc @@ -0,0 +1 @@ +/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0) diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if new file mode 100644 index 0000000..9c9e6c1 --- /dev/null +++ b/policy/modules/apps/mono.if 
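Review bot: `permissive httpd_mediawiki_script_t;` in mediawiki.te puts the whole script domain in permissive mode, so every rule that follows is logged rather than enforced; if that is intentional for a first cut, say so in a comment with the plan to drop it, otherwise remove it before merge. Also `userdom_read_user_tmp_files(httpd_mediawiki_script_t)` lets web-served PHP read every user's temporary files; the domain already has its own `httpd_mediawiki_tmp_t`, so note which texvc step needs user tmp access or drop the rule. Minor: the hunk opens with an empty line before `policy_module(mediawiki, 1.0.0)` and ends with a blank line, which none of the other .te files in this change do.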
@@ -0,0 +1,142 @@ +## <summary>Run .NET server and client applications on Linux.</summary> + +####################################### +## <summary> +## The role template for the mono module. +## </summary> +## <desc> +## <p> +## This template creates a derived domains which are used +## for mono applications. +## </p> +## </desc> +## <param name="role_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +## <param name="user_role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the user domain. +## </summary> +## </param> +# +template(`mono_role_template',` + gen_require(` + type mono_exec_t; + ') + + type $1_mono_t; + domain_type($1_mono_t) + domain_entry_file($1_mono_t, mono_exec_t) + role $2 types $1_mono_t; + + domain_interactive_fd($1_mono_t) + application_type($1_mono_t) + + allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack }; + allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; + + domtrans_pattern($3, mono_exec_t, $1_mono_t) + + fs_dontaudit_rw_tmpfs_files($1_mono_t) + corecmd_bin_domtrans($1_mono_t, $1_t) + + userdom_unpriv_usertype($1, $1_mono_t) + userdom_manage_tmpfs_role($2, $1_mono_t) + + ifdef(`hide_broken_symptoms', ` + dontaudit $1_t $1_mono_t:socket_class_set { read write }; + ') + + optional_policy(` + xserver_role($1_r, $1_mono_t) + ') +') + +######################################## +## <summary> +## Execute the mono program in the mono domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`mono_domtrans',` + gen_require(` + type mono_t, mono_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, mono_exec_t, mono_t) +') + +######################################## +## <summary> +## Execute mono in the mono domain, and +## allow the specified role the mono domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`mono_run',` + gen_require(` + type mono_t; + ') + + mono_domtrans($1) + role $2 types mono_t; +') + +######################################## +## <summary> +## Execute the mono program in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mono_exec',` + gen_require(` + type mono_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, mono_exec_t) +') + +######################################## +## <summary> +## Read and write to mono shared memory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mono_rw_shm',` + gen_require(` + type mono_t; + ') + + allow $1 mono_t:shm rw_shm_perms; +') diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te new file mode 100644 index 0000000..c101631 --- /dev/null +++ b/policy/modules/apps/mono.te 
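Review bot: `mono_role_template` in mono.if mixes `$3` (the user domain passed in) with `$1_t` and `$1_r` (names derived from the prefix): `corecmd_bin_domtrans($1_mono_t, $1_t)`, `dontaudit $1_t $1_mono_t:socket_class_set { read write };` and `xserver_role($1_r, $1_mono_t)` all assume `$1_t` and `$1_r` exist and equal `$3` and `$2`, and neither appears in the `gen_require`. Use `$3` and `$2` throughout, as `allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };` and `domtrans_pattern($3, mono_exec_t, $1_mono_t)` already do. The `<desc>` text "This template creates a derived domains which are used" should read "creates a derived domain which is used".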
@@ -0,0 +1,52 @@ +policy_module(mono, 1.7.1) + +######################################## +# +# Declarations +# + +type mono_t; +type mono_exec_t; +application_type(mono_t) +init_system_domain(mono_t, mono_exec_t) + +######################################## +# +# Local policy +# + +allow mono_t self:process { ptrace signal getsched execheap execmem execstack }; + +init_dbus_chat_script(mono_t) + +userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file }) + +optional_policy(` + avahi_dbus_chat(mono_t) +') + +optional_policy(` + cups_dbus_chat(mono_t) +') + +optional_policy(` + hal_dbus_chat(mono_t) +') + +optional_policy(` + networkmanager_dbus_chat(mono_t) +') + +optional_policy(` + rpm_dbus_chat(mono_t) +') + +optional_policy(` + unconfined_domain(mono_t) + unconfined_dbus_chat(mono_t) + unconfined_dbus_connect(mono_t) +') + +optional_policy(` + xserver_rw_shm(mono_t) +') diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc new file mode 100644 index 0000000..aafece7 --- /dev/null +++ b/policy/modules/apps/mozilla.fc 
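Review bot: `mono_t` in mono.te gets `ptrace execheap execmem execstack` on itself unconditionally, whereas the mozilla hunk in this same change gates `execmem execstack` behind the `allow_execmem` tunable; consider the same tunable here and add a comment on why `ptrace` of self is required. The `optional_policy` block that applies `unconfined_domain(mono_t)` makes the rest of the file moot whenever the unconfined module is loaded, which is worth stating in a comment above it so nobody tightens the confined rules expecting an effect.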
@@ -0,0 +1,31 @@ +HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) + +# +# /bin +# +/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) + +# +# /lib +# +/usr/lib(64)?/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib(64)?/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib(64)?/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib(64)?/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib(64)?/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib(64)?/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) 
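Review bot: `HOME_DIR/\.java(/.*)?` in mozilla.fc is labelled `mozilla_home_t`, which hands the Java runtime's per-user directory to the browser domain and to anything granted `mozilla_read_user_home_files` or `mozilla_write_user_home_files`; if this is for the browser plugin, add a comment, otherwise it belongs with the java module's own home type. Also `/usr/lib/[^/]*firefox[^/]*/firefox` and `/usr/lib64/[^/]*firefox[^/]*/firefox` can collapse into one `/usr/lib(64)?/[^/]*firefox[^/]*/firefox` entry like the surrounding patterns.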
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if new file mode 100644 index 0000000..b0c1197 --- /dev/null +++ b/policy/modules/apps/mozilla.if 
@@ -0,0 +1,296 @@ +## <summary>Policy for Mozilla and related web browsers</summary> + +######################################## +## <summary> +## Role access for mozilla +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`mozilla_role',` + gen_require(` + type mozilla_t, mozilla_exec_t, mozilla_home_t; + ') + + role $1 types mozilla_t; + + domain_auto_trans($2, mozilla_exec_t, mozilla_t) + # Unrestricted inheritance from the caller. + allow $2 mozilla_t:process { noatsecure siginh rlimitinh }; + allow mozilla_t $2:fd use; + allow mozilla_t $2:process { sigchld signull }; + allow mozilla_t $2:unix_stream_socket connectto; + + mozilla_run_plugin(mozilla_t, $2) + + # Allow the user domain to signal/ps. + ps_process_pattern($2, mozilla_t) + allow $2 mozilla_t:process signal_perms; + + allow $2 mozilla_t:fd use; + allow $2 mozilla_t:shm { associate getattr }; + allow $2 mozilla_t:shm { unix_read unix_write }; + allow $2 mozilla_t:unix_stream_socket connectto; + + # X access, Home files + manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t) + manage_files_pattern($2, mozilla_home_t, mozilla_home_t) + manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) + relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) + relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) + relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) + + mozilla_dbus_chat($2) + + userdom_manage_tmp_role($1, mozilla_t) + + optional_policy(` + nsplugin_role($1, mozilla_t) + ') + + optional_policy(` + pulseaudio_role($1, mozilla_t) + ') +') + +######################################## +## <summary> +## Read mozilla home directory content +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`mozilla_read_user_home_files',` + gen_require(` + type mozilla_home_t; + ') + + allow $1 mozilla_home_t:dir list_dir_perms; + allow $1 mozilla_home_t:file read_file_perms; + allow $1 mozilla_home_t:lnk_file read_lnk_file_perms; + userdom_search_user_home_dirs($1) +') + +######################################## +## <summary> +## Write mozilla home directory content +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mozilla_write_user_home_files',` + gen_require(` + type mozilla_home_t; + ') + + write_files_pattern($1, mozilla_home_t, mozilla_home_t) + userdom_search_user_home_dirs($1) +') + +######################################## +## <summary> +## Dontaudit attempts to read/write mozilla home directory content +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`mozilla_dontaudit_rw_user_home_files',` + gen_require(` + type mozilla_home_t; + ') + + dontaudit $1 mozilla_home_t:file rw_inherited_file_perms; +') + +######################################## +## <summary> +## Dontaudit attempts to write mozilla home directory content +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`mozilla_dontaudit_manage_user_home_files',` + gen_require(` + type mozilla_home_t; + ') + + dontaudit $1 mozilla_home_t:dir manage_dir_perms; + dontaudit $1 mozilla_home_t:file manage_file_perms; +') + +######################################## +## <summary> +## Execute mozilla home directory content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mozilla_execute_user_home_files',` + gen_require(` + type mozilla_home_t; + ') + + can_exec($1, mozilla_home_t) +') + +######################################## +## <summary> +## Execmod mozilla home directory content. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mozilla_execmod_user_home_files',` + gen_require(` + type mozilla_home_t; + ') + + allow $1 mozilla_home_t:file execmod; +') + +######################################## +## <summary> +## Run mozilla in the mozilla domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`mozilla_domtrans',` + gen_require(` + type mozilla_t, mozilla_exec_t; + ') + + domtrans_pattern($1, mozilla_exec_t, mozilla_t) +') + +######################################## +## <summary> +## Execute a domain transition to run mozilla_plugin. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mozilla_domtrans_plugin',` + gen_require(` + type mozilla_plugin_t, mozilla_plugin_exec_t; + ') + + domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t) + allow mozilla_plugin_t $1:process signull; +') + + +######################################## +## <summary> +## Execute mozilla_plugin in the mozilla_plugin domain, and +## allow the specified role the mozilla_plugin domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the mozilla_plugin domain. +## </summary> +## </param> +# +interface(`mozilla_run_plugin',` + gen_require(` + type mozilla_plugin_t; + ') + + mozilla_domtrans_plugin($1) + role $2 types mozilla_plugin_t; + allow $1 mozilla_plugin_t:unix_stream_socket connectto; +') + +######################################## +## <summary> +## Execute qemu unconfined programs in the role. +## </summary> +## <param name="role"> +## <summary> +## The role to allow the mozilla_plugin domain. 
+## </summary> +## </param> +# +interface(`mozilla_role_plugin',` + gen_require(` + type mozilla_plugin_t; + ') + + role $1 types mozilla_plugin_t; +') + +######################################## +## <summary> +## Send and receive messages from +## mozilla over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mozilla_dbus_chat',` + gen_require(` + type mozilla_t; + class dbus send_msg; + ') + + allow $1 mozilla_t:dbus send_msg; + allow mozilla_t $1:dbus send_msg; +') + +######################################## +## <summary> +## read/write mozilla per user tcp_socket +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mozilla_rw_tcp_sockets',` + gen_require(` + type mozilla_t; + ') + + allow $1 mozilla_t:tcp_socket rw_socket_perms; +') diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te new file mode 100644 index 0000000..d4cb9c4 --- /dev/null +++ b/policy/modules/apps/mozilla.te 
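Review bot: the `<summary>` of `mozilla_role_plugin` reads "Execute qemu unconfined programs in the role.", a copy-paste from another module; it should describe allowing the role the `mozilla_plugin_t` domain. Two more documentation mismatches in mozilla.if: `mozilla_dontaudit_manage_user_home_files` is summarised as "Dontaudit attempts to write" while its rules cover `manage_dir_perms` and `manage_file_perms`, and `mozilla_role` uses `domain_auto_trans($2, mozilla_exec_t, mozilla_t)` where every other transition in the file uses `domtrans_pattern`. The two `allow $2 mozilla_t:shm` lines can be merged into one, and there is a doubled blank line before the `mozilla_run_plugin` header.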
@@ -0,0 +1,415 @@ +policy_module(mozilla, 2.2.2) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Control mozilla content access +## </p> +## </desc> +gen_tunable(mozilla_read_content, false) + +type mozilla_t; +type mozilla_exec_t; +typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; +typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; +application_domain(mozilla_t, mozilla_exec_t) +ubac_constrained(mozilla_t) + +type mozilla_conf_t; +files_config_file(mozilla_conf_t) + +type mozilla_home_t; +typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; +typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; +files_poly_member(mozilla_home_t) +userdom_user_home_content(mozilla_home_t) + +type mozilla_tmpfs_t; +typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t }; +typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t }; +files_tmpfs_file(mozilla_tmpfs_t) +ubac_constrained(mozilla_tmpfs_t) + +type mozilla_plugin_t; +type mozilla_plugin_exec_t; +application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) +role system_r types mozilla_plugin_t; + +type mozilla_plugin_tmp_t; +files_tmp_file(mozilla_plugin_tmp_t) + +type mozilla_plugin_tmpfs_t; +files_tmpfs_file(mozilla_plugin_tmpfs_t) +ubac_constrained(mozilla_plugin_tmpfs_t) + +permissive mozilla_plugin_t; + +######################################## +# +# Local policy +# + +allow mozilla_t self:capability { sys_nice setgid setuid }; +allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; +allow mozilla_t self:fifo_file rw_fifo_file_perms; +allow mozilla_t self:shm { unix_read unix_write read write destroy create }; +allow mozilla_t self:sem create_sem_perms; +allow mozilla_t self:socket create_socket_perms; +allow mozilla_t self:unix_stream_socket { listen accept }; +# Browse 
the web, connect to printer +allow mozilla_t self:tcp_socket create_socket_perms; +allow mozilla_t self:netlink_route_socket r_netlink_socket_perms; + +# for bash - old mozilla binary +can_exec(mozilla_t, mozilla_exec_t) + +# X access, Home files +manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) +manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) +manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) +userdom_search_user_home_dirs(mozilla_t) +userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir) + +# Mozpluggerrc +allow mozilla_t mozilla_conf_t:file read_file_perms; + +manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) +manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) +manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) +manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) +fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) + +kernel_read_kernel_sysctls(mozilla_t) +kernel_read_network_state(mozilla_t) +# Access /proc, sysctl +kernel_read_system_state(mozilla_t) +kernel_read_net_sysctls(mozilla_t) + +# Look for plugins +corecmd_list_bin(mozilla_t) +# for bash - old mozilla binary +corecmd_exec_shell(mozilla_t) +corecmd_exec_bin(mozilla_t) + +# Browse the web, connect to printer +corenet_all_recvfrom_unlabeled(mozilla_t) +corenet_all_recvfrom_netlabel(mozilla_t) +corenet_tcp_sendrecv_generic_if(mozilla_t) +corenet_raw_sendrecv_generic_if(mozilla_t) +corenet_tcp_sendrecv_generic_node(mozilla_t) +corenet_raw_sendrecv_generic_node(mozilla_t) +corenet_tcp_sendrecv_http_port(mozilla_t) +corenet_tcp_sendrecv_http_cache_port(mozilla_t) +corenet_tcp_sendrecv_squid_port(mozilla_t) +corenet_tcp_connect_flash_port(mozilla_t) +corenet_tcp_sendrecv_ftp_port(mozilla_t) +corenet_tcp_sendrecv_ipp_port(mozilla_t) +corenet_tcp_connect_http_port(mozilla_t) +corenet_tcp_connect_http_cache_port(mozilla_t) 
+corenet_tcp_connect_squid_port(mozilla_t) +corenet_tcp_connect_ftp_port(mozilla_t) +corenet_tcp_connect_ipp_port(mozilla_t) +corenet_tcp_connect_generic_port(mozilla_t) +corenet_tcp_connect_soundd_port(mozilla_t) +corenet_sendrecv_http_client_packets(mozilla_t) +corenet_sendrecv_http_cache_client_packets(mozilla_t) +corenet_sendrecv_squid_client_packets(mozilla_t) +corenet_sendrecv_ftp_client_packets(mozilla_t) +corenet_sendrecv_ipp_client_packets(mozilla_t) +corenet_sendrecv_generic_client_packets(mozilla_t) +# Should not need other ports +corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t) +corenet_dontaudit_tcp_bind_generic_port(mozilla_t) +corenet_tcp_connect_speech_port(mozilla_t) + +dev_read_urand(mozilla_t) +dev_read_rand(mozilla_t) +dev_write_sound(mozilla_t) +dev_read_sound(mozilla_t) +dev_dontaudit_rw_dri(mozilla_t) +dev_getattr_sysfs_dirs(mozilla_t) + +domain_dontaudit_read_all_domains_state(mozilla_t) + +files_read_etc_runtime_files(mozilla_t) +files_read_usr_files(mozilla_t) +files_read_etc_files(mozilla_t) +# /var/lib +files_read_var_lib_files(mozilla_t) +# interacting with gstreamer +files_read_var_files(mozilla_t) +files_read_var_symlinks(mozilla_t) +files_dontaudit_getattr_boot_dirs(mozilla_t) + +fs_search_auto_mountpoints(mozilla_t) +fs_list_inotifyfs(mozilla_t) +fs_rw_tmpfs_files(mozilla_t) + +term_dontaudit_getattr_pty_dirs(mozilla_t) + +logging_send_syslog_msg(mozilla_t) + +miscfiles_read_fonts(mozilla_t) +miscfiles_read_localization(mozilla_t) +miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) + +# Browse the web, connect to printer +sysnet_dns_name_resolve(mozilla_t) + +userdom_use_user_ptys(mozilla_t) + +xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) +xserver_dontaudit_read_xdm_tmp_files(mozilla_t) +xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t) + +tunable_policy(`allow_execmem',` + allow mozilla_t self:process { execmem execstack }; +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(mozilla_t) + 
fs_manage_nfs_files(mozilla_t) + fs_manage_nfs_symlinks(mozilla_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(mozilla_t) + fs_manage_cifs_files(mozilla_t) + fs_manage_cifs_symlinks(mozilla_t) +') + +# Uploads, local html +tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` + fs_list_auto_mountpoints(mozilla_t) + files_list_home(mozilla_t) + fs_read_nfs_files(mozilla_t) + fs_read_nfs_symlinks(mozilla_t) + +',` + files_dontaudit_list_home(mozilla_t) + fs_dontaudit_list_auto_mountpoints(mozilla_t) + fs_dontaudit_read_nfs_files(mozilla_t) + fs_dontaudit_list_nfs(mozilla_t) +') + +tunable_policy(`mozilla_read_content && use_samba_home_dirs',` + fs_list_auto_mountpoints(mozilla_t) + files_list_home(mozilla_t) + fs_read_cifs_files(mozilla_t) + fs_read_cifs_symlinks(mozilla_t) +',` + files_dontaudit_list_home(mozilla_t) + fs_dontaudit_list_auto_mountpoints(mozilla_t) + fs_dontaudit_read_cifs_files(mozilla_t) + fs_dontaudit_list_cifs(mozilla_t) +') + +tunable_policy(`mozilla_read_content',` + userdom_list_user_tmp(mozilla_t) + userdom_read_user_tmp_files(mozilla_t) + userdom_read_user_tmp_symlinks(mozilla_t) + userdom_read_user_home_content_files(mozilla_t) + userdom_read_user_home_content_symlinks(mozilla_t) + + ifdef(`enable_mls',`',` + fs_search_removable(mozilla_t) + fs_read_removable_files(mozilla_t) + fs_read_removable_symlinks(mozilla_t) + ') +',` + files_dontaudit_list_tmp(mozilla_t) + files_dontaudit_list_home(mozilla_t) + fs_dontaudit_list_removable(mozilla_t) + fs_dontaudit_read_removable_files(mozilla_t) + userdom_dontaudit_list_user_tmp(mozilla_t) + userdom_dontaudit_read_user_tmp_files(mozilla_t) + userdom_dontaudit_list_user_home_dirs(mozilla_t) + userdom_dontaudit_read_user_home_content_files(mozilla_t) +') + +optional_policy(` + apache_read_user_scripts(mozilla_t) + apache_read_user_content(mozilla_t) +') + +optional_policy(` + automount_dontaudit_getattr_tmp_dirs(mozilla_t) +') + +optional_policy(` + 
cups_read_rw_config(mozilla_t) + cups_dbus_chat(mozilla_t) +') + +optional_policy(` + dbus_system_bus_client(mozilla_t) + dbus_session_bus_client(mozilla_t) + + optional_policy(` + networkmanager_dbus_chat(mozilla_t) + ') +') + +optional_policy(` + gnome_stream_connect_gconf(mozilla_t) + gnome_manage_config(mozilla_t) + gnome_manage_gconf_home_files(mozilla_t) +') + +optional_policy(` + java_domtrans(mozilla_t) +') + +optional_policy(` + lpd_domtrans_lpr(mozilla_t) +') + +optional_policy(` + mplayer_domtrans(mozilla_t) + mplayer_read_user_home_files(mozilla_t) +') + +optional_policy(` + nscd_socket_use(mozilla_t) +') + +optional_policy(` + nsplugin_manage_rw(mozilla_t) + nsplugin_manage_home_files(mozilla_t) +') + +optional_policy(` + pulseaudio_exec(mozilla_t) + pulseaudio_stream_connect(mozilla_t) + pulseaudio_manage_home_files(mozilla_t) +') + +optional_policy(` + thunderbird_domtrans(mozilla_t) +') + +######################################## +# +# mozilla_plugin local policy +# +allow mozilla_plugin_t self:process { setsched signal_perms execmem }; +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; +allow mozilla_plugin_t self:tcp_socket create_socket_perms; +allow mozilla_plugin_t self:udp_socket create_socket_perms; + +allow mozilla_plugin_t self:sem create_sem_perms; +allow mozilla_plugin_t self:shm create_shm_perms; +allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; +allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; + +can_exec(mozilla_plugin_t, mozilla_home_t) +read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) + +manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) +manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) +files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file }) +can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t) + +manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, 
mozilla_plugin_tmpfs_t) +manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) +manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) +manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) +fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) + +can_exec(mozilla_plugin_t, mozilla_exec_t) + +kernel_read_kernel_sysctls(mozilla_plugin_t) +kernel_read_system_state(mozilla_plugin_t) +kernel_request_load_module(mozilla_plugin_t) + +corecmd_exec_bin(mozilla_plugin_t) +corecmd_exec_shell(mozilla_plugin_t) + +corenet_tcp_connect_flash_port(mozilla_plugin_t) +corenet_tcp_connect_streaming_port(mozilla_plugin_t) +corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) +corenet_tcp_connect_http_port(mozilla_plugin_t) +corenet_tcp_connect_http_cache_port(mozilla_plugin_t) +corenet_tcp_connect_squid_port(mozilla_plugin_t) +corenet_tcp_connect_ipp_port(mozilla_plugin_t) +corenet_tcp_connect_speech_port(mozilla_plugin_t) + +dev_read_urand(mozilla_plugin_t) +dev_read_video_dev(mozilla_plugin_t) +dev_write_video_dev(mozilla_plugin_t) +dev_read_sysfs(mozilla_plugin_t) +dev_read_sound(mozilla_plugin_t) +dev_write_sound(mozilla_plugin_t) +dev_dontaudit_rw_dri(mozilla_plugin_t) + +domain_use_interactive_fds(mozilla_plugin_t) +domain_dontaudit_read_all_domains_state(mozilla_plugin_t) + +files_read_config_files(mozilla_plugin_t) +files_read_usr_files(mozilla_plugin_t) + +fs_getattr_tmpfs(mozilla_plugin_t) + +miscfiles_read_localization(mozilla_plugin_t) +miscfiles_read_fonts(mozilla_plugin_t) + +sysnet_dns_name_resolve(mozilla_plugin_t) + +term_getattr_all_ttys(mozilla_plugin_t) +term_getattr_all_ptys(mozilla_plugin_t) + +userdom_rw_user_tmpfs_files(mozilla_plugin_t) +userdom_delete_user_tmpfs_files(mozilla_plugin_t) +userdom_stream_connect(mozilla_plugin_t) +userdom_dontaudit_use_user_ptys(mozilla_plugin_t) 
+userdom_manage_user_tmp_sockets(mozilla_plugin_t) + +userdom_list_user_tmp(mozilla_plugin_t) +userdom_manage_user_tmp_dirs(mozilla_plugin_t) +userdom_read_user_tmp_files(mozilla_plugin_t) +userdom_read_user_tmp_symlinks(mozilla_plugin_t) +userdom_read_user_home_content_files(mozilla_plugin_t) +userdom_read_user_home_content_files(mozilla_plugin_t) +userdom_read_user_home_content_symlinks(mozilla_plugin_t) + +optional_policy(` + alsa_read_rw_config(mozilla_plugin_t) + alsa_read_home_files(mozilla_plugin_t) +') + +optional_policy(` + dbus_session_bus_client(mozilla_plugin_t) + dbus_read_lib_files(mozilla_plugin_t) +') + +optional_policy(` + gnome_manage_config(mozilla_plugin_t) + gnome_setattr_home_config(mozilla_plugin_t) +') + +optional_policy(` + nsplugin_domtrans(mozilla_plugin_t) + nsplugin_rw_exec(mozilla_plugin_t) + nsplugin_manage_home_dirs(mozilla_plugin_t) + nsplugin_manage_home_files(mozilla_plugin_t) + nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir) + nsplugin_signal(mozilla_plugin_t) +') + +optional_policy(` + pulseaudio_exec(mozilla_plugin_t) + pulseaudio_stream_connect(mozilla_plugin_t) + pulseaudio_setattr_home_dir(mozilla_plugin_t) + pulseaudio_manage_home_files(mozilla_plugin_t) +') + +optional_policy(` + xserver_read_xdm_pid(mozilla_plugin_t) + xserver_stream_connect(mozilla_plugin_t) + xserver_use_user_fonts(mozilla_plugin_t) + xserver_read_user_iceauth(mozilla_plugin_t) +') diff --git a/policy/modules/apps/mplayer.fc b/policy/modules/apps/mplayer.fc new file mode 100644 index 0000000..5a37c50 --- /dev/null +++ b/policy/modules/apps/mplayer.fc 
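Review bot: `permissive mozilla_plugin_t;` at the end of the Declarations block in mozilla.te ships the plugin domain in permissive mode, so every rule under "mozilla_plugin local policy" is advisory only and denials are logged but never enforced; that line should be dropped (or at least gated behind a build-time ifdef with a comment) before merge, because this is the domain that gets `corecmd_exec_shell(mozilla_plugin_t)`, `corecmd_exec_bin(mozilla_plugin_t)`, `can_exec(mozilla_plugin_t, mozilla_home_t)` and `kernel_request_load_module(mozilla_plugin_t)`, exactly the accesses a confined plugin domain exists to limit. Three smaller points in the same file: `userdom_read_user_home_content_files(mozilla_plugin_t)` appears twice in a row in the userdom block and one copy should go; in the mozilla_t network block `corenet_tcp_connect_generic_port(mozilla_t)` sits directly above the comment `# Should not need other ports` and `corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)`, so either the connect-to-any-port rule is intended and the comment and dontaudit are stale, or it should be removed or placed behind a tunable the way nsplugin.te does with nsplugin_can_network; and `allow mozilla_t self:capability { sys_nice setgid setuid };` gives the browser domain uid/gid-changing capabilities with no comment saying which code path needs them, which deserves a one-line justification next to the rule.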
@@ -0,0 +1,14 @@ +# +# /etc +# +/etc/mplayer(/.*)? gen_context(system_u:object_r:mplayer_etc_t,s0) + +# +# /usr +# +/usr/bin/mplayer -- gen_context(system_u:object_r:mplayer_exec_t,s0) +/usr/bin/mencoder -- gen_context(system_u:object_r:mencoder_exec_t,s0) +/usr/bin/vlc -- gen_context(system_u:object_r:mplayer_exec_t,s0) +/usr/bin/xine -- gen_context(system_u:object_r:mplayer_exec_t,s0) + +HOME_DIR/\.mplayer(/.*)? gen_context(system_u:object_r:mplayer_home_t,s0) diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if new file mode 100644 index 0000000..8bdc526 --- /dev/null +++ b/policy/modules/apps/mplayer.if 
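Review bot: `/usr/bin/vlc` and `/usr/bin/xine` are labeled `mplayer_exec_t` in mplayer.fc, so both players run under mplayer_t with its complete rule set from mplayer.te (including `dev_rwx_zero`, `storage_raw_read_removable_device` and `files_read_non_security_files`) without any comment saying the sharing is deliberate; add a comment explaining why one domain covers three players, or give the others their own entry point types if their access needs differ. Nit: the `/etc` and `/usr` sections carry a header comment but the HOME_DIR entry does not, so add a matching `# HOME_DIR` header for consistency.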
@@ -0,0 +1,140 @@ +## <summary>Mplayer media player and encoder</summary> + +######################################## +## <summary> +## Role access for mplayer +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`mplayer_role',` + gen_require(` + type mencoder_t, mencoder_exec_t; + type mplayer_t, mplayer_exec_t; + type mplayer_home_t; + ') + + role $1 types { mencoder_t mplayer_t }; + + # domain transition + domtrans_pattern($2, mencoder_exec_t, mencoder_t) + + # Allow the user domain to signal/ps. + ps_process_pattern($2, mencoder_t) + allow $2 mencoder_t:process signal_perms; + + # Home access + manage_dirs_pattern($2, mplayer_home_t, mplayer_home_t) + manage_files_pattern($2, mplayer_home_t, mplayer_home_t) + manage_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t) + relabel_dirs_pattern($2, mplayer_home_t, mplayer_home_t) + relabel_files_pattern($2, mplayer_home_t, mplayer_home_t) + relabel_lnk_files_pattern($2, mplayer_home_t, mplayer_home_t) + + # domain transition + domtrans_pattern($2, mplayer_exec_t, mplayer_t) + + # Allow the user domain to signal/ps. + ps_process_pattern($2, mplayer_t) + allow $2 mplayer_t:process signal_perms; +') + +######################################## +## <summary> +## Run mplayer in mplayer domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`mplayer_domtrans',` + gen_require(` + type mplayer_t, mplayer_exec_t; + ') + + domtrans_pattern($1, mplayer_exec_t, mplayer_t) +') + +######################################## +## <summary> +## Execute mplayer in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +# +interface(`mplayer_exec',` + gen_require(` + type mplayer_exec_t; + ') + + can_exec($1, mplayer_exec_t) +') + +######################################## +## <summary> +## Read mplayer per user homedir +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mplayer_read_user_home_files',` + gen_require(` + type mplayer_home_t; + ') + + read_files_pattern($1, mplayer_home_t, mplayer_home_t) + userdom_search_user_home_dirs($1) +') + +######################################## +## <summary> +## Execute mplayer_exec_t +## in the specified domain. +## </summary> +## <desc> +## <p> +## Execute a mplayer_exec_t +## in the specified domain. +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the new process. +## </summary> +## </param> +# +interface(`mplayer_exec_domtrans',` + gen_require(` + type mplayer_exec_t; + ') + + allow $2 mplayer_exec_t:file entrypoint; + domtrans_pattern($1, mplayer_exec_t, $2) +') diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te new file mode 100644 index 0000000..192d54e --- /dev/null +++ b/policy/modules/apps/mplayer.te 
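Review bot: the documentation block above `interface(mplayer_exec ...)` ends with two consecutive `#` separator lines where every other interface in mplayer.if has one, and the `mplayer_read_user_home_files` summary "Read mplayer per user homedir" is missing its terminating period; both are trivial, but refpolicy's interface documentation is extracted by tooling, so they are worth fixing now. Logic-wise `mplayer_exec_domtrans` correctly pairs `allow $2 mplayer_exec_t:file entrypoint;` with the `domtrans_pattern`, and `mplayer_role` gives the user domain manage and relabel on `mplayer_home_t` plus signal/ps on both mencoder_t and mplayer_t, which is the standard role-interface shape; no change needed there.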
@@ -0,0 +1,319 @@ +policy_module(mplayer, 2.1.2) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow mplayer executable stack +## </p> +## </desc> +gen_tunable(allow_mplayer_execstack, false) + +type mencoder_t; +type mencoder_exec_t; +typealias mencoder_t alias { user_mencoder_t staff_mencoder_t sysadm_mencoder_t }; +typealias mencoder_t alias { auditadm_mencoder_t secadm_mencoder_t }; +application_domain(mencoder_t, mencoder_exec_t) +ubac_constrained(mencoder_t) + +type mplayer_t; +type mplayer_exec_t; +typealias mplayer_t alias { user_mplayer_t staff_mplayer_t sysadm_mplayer_t }; +typealias mplayer_t alias { auditadm_mplayer_t secadm_mplayer_t }; +application_domain(mplayer_t, mplayer_exec_t) +ubac_constrained(mplayer_t) + +type mplayer_etc_t; +files_config_file(mplayer_etc_t) + +type mplayer_home_t; +typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t }; +typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t }; +files_poly_member(mplayer_home_t) +userdom_user_home_content(mplayer_home_t) + +type mplayer_tmpfs_t; +typealias mplayer_tmpfs_t alias { user_mplayer_tmpfs_t staff_mplayer_tmpfs_t sysadm_mplayer_tmpfs_t }; +typealias mplayer_tmpfs_t alias { auditadm_mplayer_tmpfs_t secadm_mplayer_tmpfs_t }; +files_tmpfs_file(mplayer_tmpfs_t) +ubac_constrained(mplayer_tmpfs_t) + +######################################## +# +# mencoder local policy +# + +manage_dirs_pattern(mencoder_t, mplayer_home_t, mplayer_home_t) +manage_files_pattern(mencoder_t, mplayer_home_t, mplayer_home_t) +manage_lnk_files_pattern(mencoder_t, mplayer_home_t, mplayer_home_t) + +# Read global config +allow mencoder_t mplayer_etc_t:dir list_dir_perms; +read_files_pattern(mencoder_t, mplayer_etc_t, mplayer_etc_t) +read_lnk_files_pattern(mencoder_t, mplayer_etc_t, mplayer_etc_t) + +# Read /proc files and directories +# Necessary for /proc/meminfo, /proc/cpuinfo, etc.. 
+kernel_read_system_state(mencoder_t) +# Sysctl on kernel version +kernel_read_kernel_sysctls(mencoder_t) + +# Required for win32 binary loader +dev_rwx_zero(mencoder_t) +# Access to DVD/CD/V4L +dev_read_video_dev(mencoder_t) + +# Read data in /usr/share (fonts, icons..) +files_read_usr_files(mencoder_t) +files_read_usr_symlinks(mencoder_t) + +fs_search_auto_mountpoints(mencoder_t) + +# Access to DVD/CD/V4L +storage_raw_read_removable_device(mencoder_t) + +miscfiles_read_localization(mencoder_t) + +userdom_use_user_terminals(mencoder_t) +# Handle removable media, /tmp, and /home +userdom_list_user_tmp(mencoder_t) +userdom_read_user_tmp_files(mencoder_t) +userdom_read_user_tmp_symlinks(mencoder_t) +userdom_read_user_home_content_files(mencoder_t) +userdom_read_user_home_content_symlinks(mencoder_t) + +# Read content to encode +ifndef(`enable_mls',` + fs_search_removable(mencoder_t) + fs_read_removable_files(mencoder_t) + fs_read_removable_symlinks(mencoder_t) +') + +tunable_policy(`allow_execmem',` + allow mencoder_t self:process execmem; +') + +tunable_policy(`allow_execmod',` + dev_execmod_zero(mencoder_t) +') + +tunable_policy(`allow_mplayer_execstack',` + allow mencoder_t self:process { execmem execstack }; +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(mencoder_t) + fs_manage_nfs_files(mencoder_t) + fs_manage_nfs_symlinks(mencoder_t) + +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(mencoder_t) + fs_manage_cifs_files(mencoder_t) + fs_manage_cifs_symlinks(mencoder_t) + +') + +# Read content to encode +tunable_policy(`use_nfs_home_dirs',` + fs_list_auto_mountpoints(mencoder_t) + files_list_home(mencoder_t) + fs_read_nfs_files(mencoder_t) + fs_read_nfs_symlinks(mencoder_t) + +',` + files_dontaudit_list_home(mencoder_t) + fs_dontaudit_list_auto_mountpoints(mencoder_t) + fs_dontaudit_read_nfs_files(mencoder_t) + fs_dontaudit_list_nfs(mencoder_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_list_auto_mountpoints(mencoder_t) 
+ files_list_home(mencoder_t) + fs_read_cifs_files(mencoder_t) + fs_read_cifs_symlinks(mencoder_t) +',` + files_dontaudit_list_home(mencoder_t) + fs_dontaudit_list_auto_mountpoints(mencoder_t) + fs_dontaudit_read_cifs_files(mencoder_t) + fs_dontaudit_list_cifs(mencoder_t) +') + +######################################## +# +# mplayer local policy +# + +allow mplayer_t self:process { signal_perms getsched }; +allow mplayer_t self:fifo_file rw_fifo_file_perms; +allow mplayer_t self:sem create_sem_perms; +allow mplayer_t self:netlink_route_socket create_netlink_socket_perms; +allow mplayer_t self:tcp_socket create_socket_perms; +allow mplayer_t self:unix_dgram_socket sendto; + +manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) +manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) +manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) +userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir) +userdom_search_user_home_dirs(mplayer_t) + +manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) +manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) +manage_fifo_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) +manage_sock_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) +fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + +# Read global config +allow mplayer_t mplayer_etc_t:dir list_dir_perms; +read_files_pattern(mplayer_t, mplayer_etc_t, mplayer_etc_t) +read_lnk_files_pattern(mplayer_t, mplayer_etc_t, mplayer_etc_t) + +kernel_dontaudit_list_unlabeled(mplayer_t) +kernel_dontaudit_getattr_unlabeled_files(mplayer_t) +kernel_dontaudit_read_unlabeled_files(mplayer_t) +# Necessary for /proc/meminfo, /proc/cpuinfo, etc.. 
+kernel_read_system_state(mplayer_t) +# Sysctl on kernel version +kernel_read_kernel_sysctls(mplayer_t) + +corenet_all_recvfrom_netlabel(mplayer_t) +corenet_all_recvfrom_unlabeled(mplayer_t) +corenet_tcp_sendrecv_generic_if(mplayer_t) +corenet_tcp_sendrecv_generic_node(mplayer_t) +corenet_tcp_bind_generic_node(mplayer_t) +corenet_tcp_connect_pulseaudio_port(mplayer_t) +corenet_sendrecv_pulseaudio_client_packets(mplayer_t) + +# Run bash/sed (??) +corecmd_exec_bin(mplayer_t) +corecmd_exec_shell(mplayer_t) + +dev_read_rand(mplayer_t) +dev_read_urand(mplayer_t) +# Required for win32 binary loader +dev_rwx_zero(mplayer_t) +# Access to DVD/CD/V4L +dev_read_video_dev(mplayer_t) +# Audio, alsa.conf +dev_read_sound_mixer(mplayer_t) +dev_write_sound_mixer(mplayer_t) +# RTC clock +dev_read_realtime_clock(mplayer_t) + +# Access to DVD/CD/V4L +storage_raw_read_removable_device(mplayer_t) + +files_read_etc_files(mplayer_t) +files_dontaudit_list_non_security(mplayer_t) +files_dontaudit_getattr_non_security_files(mplayer_t) +files_read_non_security_files(mplayer_t) +# Unfortunately the ancient file dialog starts in / +files_list_home(mplayer_t) +# Read /etc/mtab +files_read_etc_runtime_files(mplayer_t) +# Read data in /usr/share (fonts, icons..) 
+files_read_usr_files(mplayer_t) +files_read_usr_symlinks(mplayer_t) + +fs_dontaudit_getattr_all_fs(mplayer_t) +fs_search_auto_mountpoints(mplayer_t) +fs_list_inotifyfs(mplayer_t) + +logging_send_syslog_msg(mplayer_t) + +miscfiles_read_localization(mplayer_t) +miscfiles_read_fonts(mplayer_t) + +userdom_use_user_terminals(mplayer_t) +# Read media files +userdom_list_user_tmp(mplayer_t) +userdom_read_user_tmp_files(mplayer_t) +userdom_read_user_tmp_symlinks(mplayer_t) +userdom_read_user_home_content_files(mplayer_t) +userdom_read_user_home_content_symlinks(mplayer_t) +userdom_write_user_tmp_sockets(mplayer_t) + +xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t) + +# Read songs +ifdef(`enable_mls',`',` + fs_search_removable(mplayer_t) + fs_read_removable_files(mplayer_t) + fs_read_removable_symlinks(mplayer_t) +') + +tunable_policy(`allow_execmem',` + allow mplayer_t self:process execmem; +') + +tunable_policy(`allow_execmod',` + dev_execmod_zero(mplayer_t) +') + +tunable_policy(`allow_mplayer_execstack',` + allow mplayer_t self:process { execmem execstack }; +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(mplayer_t) + fs_manage_nfs_files(mplayer_t) + fs_manage_nfs_symlinks(mplayer_t) +') +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(mplayer_t) + fs_manage_cifs_files(mplayer_t) + fs_manage_cifs_symlinks(mplayer_t) +') + +# Legacy domain issues +tunable_policy(`allow_mplayer_execstack',` + allow mplayer_t mplayer_tmpfs_t:file execute; +') + +# Read songs +tunable_policy(`use_nfs_home_dirs',` + fs_list_auto_mountpoints(mplayer_t) + files_list_home(mplayer_t) + fs_read_nfs_files(mplayer_t) + fs_read_nfs_symlinks(mplayer_t) + +',` + files_dontaudit_list_home(mplayer_t) + fs_dontaudit_list_auto_mountpoints(mplayer_t) + fs_dontaudit_read_nfs_files(mplayer_t) + fs_dontaudit_list_nfs(mplayer_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_list_auto_mountpoints(mplayer_t) + files_list_home(mplayer_t) + 
fs_read_cifs_files(mplayer_t) + fs_read_cifs_symlinks(mplayer_t) +',` + files_dontaudit_list_home(mplayer_t) + fs_dontaudit_list_auto_mountpoints(mplayer_t) + fs_dontaudit_read_cifs_files(mplayer_t) + fs_dontaudit_list_cifs(mplayer_t) +') + +optional_policy(` + alsa_read_rw_config(mplayer_t) +') + +optional_policy(` + gnome_setattr_config_dirs(mplayer_t) +') + +optional_policy(` + nscd_socket_use(mplayer_t) +') + +optional_policy(` + pulseaudio_exec(mplayer_t) + pulseaudio_stream_connect(mplayer_t) +') diff --git a/policy/modules/apps/nsplugin.fc b/policy/modules/apps/nsplugin.fc new file mode 100644 index 0000000..717eb3f --- /dev/null +++ b/policy/modules/apps/nsplugin.fc @@ -0,0 +1,11 @@ +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) + +/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/bin/nspluginviewer -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if new file mode 100644 index 0000000..4dbb161 --- /dev/null +++ b/policy/modules/apps/nsplugin.if 
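Review bot: `fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file })` in the mplayer local policy lists `dir` in the transition classes, but the block above it only has `manage_files_pattern`, `manage_lnk_files_pattern`, `manage_fifo_files_pattern` and `manage_sock_files_pattern` on `mplayer_tmpfs_t`, with no `manage_dirs_pattern`, so a directory transition can never actually be exercised; either add the dirs pattern or drop `dir` from the class list (and add the missing space after the comma, as the equivalent mozilla.te call has). Second, `dev_rwx_zero(mencoder_t)` and `dev_rwx_zero(mplayer_t)` ("Required for win32 binary loader") are granted unconditionally while `execmem` and `execstack` on the process are behind `allow_execmem` and `allow_mplayer_execstack`; a writable-and-executable mapping of /dev/zero gives the same capability as execmem, so it belongs under the same tunable (the related `dev_execmod_zero` call is already correctly gated by `allow_execmod`). Third, `files_read_non_security_files(mplayer_t)`, justified only by "the ancient file dialog starts in /", allows reading every non-security-labelled file on the system; the `files_list_home` and dontaudit list/getattr lines next to it already cover browsing from /, so the read rule should be removed or narrowed. Finally, the `use_nfs_home_dirs` and `use_samba_home_dirs` tunable blocks appear twice per domain (a manage block, then a read block with an else branch of dontaudits); the read blocks are subsumed by the manage blocks and the pairs can be merged, with the dontaudit else branches kept.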
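Review bot: `/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?` in nsplugin.fc is labeled `nsplugin_rw_t`, and elsewhere in this commit mozilla.te calls `nsplugin_manage_rw(mozilla_t)` while mozilla.te's plugin section calls `nsplugin_rw_exec(mozilla_plugin_t)` and nsplugin.if's `nsplugin_role_notrans` grants `can_exec($2, nsplugin_rw_t)`; together that makes a system library directory writable by the browser domain and executable by the plugin and user domains, a write-then-execute path across the very domain boundary these modules create. Unless there is a documented reason the browser must write wrapped plugins, mozilla_t should use `nsplugin_read_rw_files` (already defined in nsplugin.if) rather than `nsplugin_manage_rw`, and the reason should be recorded in a comment if manage really is required.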
@@ -0,0 +1,436 @@ + +## <summary>policy for nsplugin</summary> + +######################################## +## <summary> +## Create, read, write, and delete +## nsplugin rw files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nsplugin_manage_rw_files',` + gen_require(` + type nsplugin_rw_t; + ') + + allow $1 nsplugin_rw_t:file manage_file_perms; + allow $1 nsplugin_rw_t:dir rw_dir_perms; +') + +######################################## +## <summary> +## Manage nsplugin rw files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nsplugin_manage_rw',` + gen_require(` + type nsplugin_rw_t; + ') + + manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t) + manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) + manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) +') + +####################################### +## <summary> +## The per role template for the nsplugin module. +## </summary> +## <param name="user_role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the user domain. 
+## </summary> +## </param> +# +interface(`nsplugin_role_notrans',` + gen_require(` + type nsplugin_rw_t; + type nsplugin_home_t; + type nsplugin_exec_t; + type nsplugin_config_exec_t; + type nsplugin_t; + type nsplugin_config_t; + class x_drawable all_x_drawable_perms; + class x_resource all_x_resource_perms; + class dbus send_msg; + ') + + role $1 types nsplugin_t; + role $1 types nsplugin_config_t; + + allow nsplugin_t $2:process signull; + allow nsplugin_t $2:dbus send_msg; + allow $2 nsplugin_t:dbus send_msg; + + list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t) + read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) + read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) + can_exec($2, nsplugin_rw_t) + + #Leaked File Descriptors +ifdef(`hide_broken_symptoms', ` + dontaudit nsplugin_t $2:socket_class_set { read write }; + dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms; + dontaudit nsplugin_config_t $2:socket_class_set { read write }; + dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms; +') + allow nsplugin_t $2:unix_stream_socket connectto; + dontaudit nsplugin_t $2:process ptrace; + allow nsplugin_t $2:sem rw_sem_perms; + allow nsplugin_t $2:shm rw_shm_perms; + dontaudit nsplugin_t $2:shm destroy; + allow $2 nsplugin_t:sem rw_sem_perms; + + allow $2 nsplugin_t:process { getattr ptrace signal_perms }; + allow $2 nsplugin_t:unix_stream_socket connectto; + + # Connect to pulseaudit server + stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2) + gnome_stream_connect(nsplugin_t, $2) + + userdom_use_user_terminals(nsplugin_t) + userdom_use_user_terminals(nsplugin_config_t) + userdom_dontaudit_setattr_user_home_content_files(nsplugin_t) + userdom_manage_tmpfs_role($1, nsplugin_t) + + optional_policy(` + pulseaudio_role($1, nsplugin_t) + ') +') + +####################################### +## <summary> +## Role access for nsplugin +## </summary> +## <param name="userdomain_prefix"> +## <summary> +## The prefix of the 
user domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +## <param name="user_role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the user domain. +## </summary> +## </param> +# +interface(`nsplugin_role',` + gen_require(` + type nsplugin_exec_t; + type nsplugin_config_exec_t; + type nsplugin_t; + type nsplugin_config_t; + ') + + nsplugin_role_notrans($1, $2) + + domtrans_pattern($2, nsplugin_exec_t, nsplugin_t) + domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t) + +') + +####################################### +## <summary> +## The per role template for the nsplugin module. +## </summary> +## <param name="user_domain"> +## <summary> +## The type of the user domain. +## </summary> +## </param> +# +interface(`nsplugin_domtrans',` + gen_require(` + type nsplugin_exec_t; + type nsplugin_t; + ') + + domtrans_pattern($1, nsplugin_exec_t, nsplugin_t) + allow $1 nsplugin_t:unix_stream_socket connectto; + allow nsplugin_t $1:process signal; +') + +####################################### +## <summary> +## The per role template for the nsplugin module. +## </summary> +## <param name="user_domain"> +## <summary> +## The type of the user domain. +## </summary> +## </param> +# +interface(`nsplugin_domtrans_config',` + gen_require(` + type nsplugin_config_exec_t; + type nsplugin_config_t; + ') + + domtrans_pattern($1, nsplugin_config_exec_t, nsplugin_config_t) +') + +######################################## +## <summary> +## Search nsplugin rw directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nsplugin_search_rw_dir',` + gen_require(` + type nsplugin_rw_t; + ') + + allow $1 nsplugin_rw_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Read nsplugin rw files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nsplugin_read_rw_files',` + gen_require(` + type nsplugin_rw_t; + ') + + list_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t) + read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) + read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) +') + +######################################## +## <summary> +## Read nsplugin home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nsplugin_read_home',` + gen_require(` + type nsplugin_home_t; + ') + + list_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t) + read_files_pattern($1, nsplugin_home_t, nsplugin_home_t) + read_lnk_files_pattern($1, nsplugin_home_t, nsplugin_home_t) +') + +######################################## +## <summary> +## Exec nsplugin rw files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nsplugin_rw_exec',` + gen_require(` + type nsplugin_rw_t; + ') + + can_exec($1, nsplugin_rw_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## nsplugin home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nsplugin_manage_home_files',` + gen_require(` + type nsplugin_home_t; + ') + + manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t) +') + +######################################## +## <summary> +## manage nnsplugin home dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`nsplugin_manage_home_dirs',` + gen_require(` + type nsplugin_home_t; + ') + + manage_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t) +') + +######################################## +## <summary> +## Allow attempts to read and write to +## nsplugin named pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`nsplugin_rw_pipes',` + gen_require(` + type nsplugin_home_t; + ') + + allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## <summary> +## Read and write to nsplugin shared memory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nsplugin_rw_shm',` + gen_require(` + type nsplugin_t; + ') + + allow $1 nsplugin_t:shm rw_shm_perms; +') + +##################################### +## <summary> +## Allow read and write access to nsplugin semaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nsplugin_rw_semaphores',` + gen_require(` + type nsplugin_t; + ') + + allow $1 nsplugin_t:sem rw_sem_perms; +') + +######################################## +## <summary> +## Execute nsplugin_exec_t +## in the specified domain. +## </summary> +## <desc> +## <p> +## Execute a nsplugin_exec_t +## in the specified domain. +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the new process. 
+## </summary> +## </param> +# +interface(`nsplugin_exec_domtrans',` + gen_require(` + type nsplugin_exec_t; + ') + + allow $2 nsplugin_exec_t:file entrypoint; + domtrans_pattern($1, nsplugin_exec_t, $2) +') + +######################################## +## <summary> +## Send generic signals to user nsplugin processes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nsplugin_signal',` + gen_require(` + type nsplugin_t; + ') + + allow $1 nsplugin_t:process signal; +') + +######################################## +## <summary> +## Create objects in a user home directory +## with an automatic type transition to +## the nsplugin home file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## The class of the object to be created. +## </summary> +## </param> +# +interface(`nsplugin_user_home_dir_filetrans',` + gen_require(` + type nsplugin_home_t; + ') + + userdom_user_home_content_filetrans($1, nsplugin_home_t, $2) +') diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te new file mode 100644 index 0000000..1ca0e76 --- /dev/null +++ b/policy/modules/apps/nsplugin.te 
@@ -0,0 +1,313 @@ +policy_module(nsplugin, 1.0.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow nsplugin code to execmem/execstack +## </p> +## </desc> +gen_tunable(allow_nsplugin_execmem, false) + +## <desc> +## <p> +## Allow nsplugin code to connect to unreserved ports +## </p> +## </desc> +gen_tunable(nsplugin_can_network, true) + +type nsplugin_exec_t; +application_executable_file(nsplugin_exec_t) + +type nsplugin_config_exec_t; +application_executable_file(nsplugin_config_exec_t) + +type nsplugin_rw_t; +files_poly_member(nsplugin_rw_t) +files_type(nsplugin_rw_t) + +type nsplugin_tmp_t; +files_tmp_file(nsplugin_tmp_t) + +type nsplugin_home_t; +files_poly_member(nsplugin_home_t) +userdom_user_home_content(nsplugin_home_t) +typealias nsplugin_home_t alias user_nsplugin_home_t; + +type nsplugin_t; +domain_type(nsplugin_t) +domain_entry_file(nsplugin_t, nsplugin_exec_t) + +type nsplugin_config_t; +domain_type(nsplugin_config_t) +domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t) + +application_executable_file(nsplugin_exec_t) +application_executable_file(nsplugin_config_exec_t) + + +######################################## +# +# nsplugin local policy +# +dontaudit nsplugin_t self:capability { sys_nice sys_tty_config }; +allow nsplugin_t self:fifo_file rw_file_perms; +allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms }; + +allow nsplugin_t self:sem create_sem_perms; +allow nsplugin_t self:shm create_shm_perms; +allow nsplugin_t self:msgq create_msgq_perms; +allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow nsplugin_t self:unix_dgram_socket { sendto create_socket_perms }; +allow nsplugin_t nsplugin_rw_t:dir list_dir_perms; +read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t) +read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t) + +tunable_policy(`allow_nsplugin_execmem',` + allow nsplugin_t self:process { execstack 
execmem }; + allow nsplugin_config_t self:process { execstack execmem }; +') + +tunable_policy(`nsplugin_can_network',` + corenet_tcp_connect_all_unreserved_ports(nsplugin_t) +') + +manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +userdom_user_home_dir_filetrans(nsplugin_t, nsplugin_home_t, {file dir}) +userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir}) +userdom_dontaudit_getattr_user_home_content(nsplugin_t) +userdom_dontaudit_search_user_bin_dirs(nsplugin_t) +userdom_dontaudit_write_user_home_content_files(nsplugin_t) +userdom_dontaudit_search_admin_dir(nsplugin_t) + +corecmd_exec_bin(nsplugin_t) +corecmd_exec_shell(nsplugin_t) + +corenet_all_recvfrom_unlabeled(nsplugin_t) +corenet_all_recvfrom_netlabel(nsplugin_t) +corenet_tcp_connect_flash_port(nsplugin_t) +corenet_tcp_connect_streaming_port(nsplugin_t) +corenet_tcp_connect_pulseaudio_port(nsplugin_t) +corenet_tcp_connect_http_port(nsplugin_t) +corenet_tcp_connect_http_cache_port(nsplugin_t) +corenet_tcp_connect_squid_port(nsplugin_t) +corenet_tcp_sendrecv_generic_if(nsplugin_t) +corenet_tcp_sendrecv_generic_node(nsplugin_t) +corenet_tcp_connect_ipp_port(nsplugin_t) +corenet_tcp_connect_speech_port(nsplugin_t) + +domain_dontaudit_read_all_domains_state(nsplugin_t) + +dev_read_rand(nsplugin_t) +dev_read_sound(nsplugin_t) +dev_write_sound(nsplugin_t) +dev_read_video_dev(nsplugin_t) +dev_write_video_dev(nsplugin_t) +dev_getattr_dri_dev(nsplugin_t) +dev_rwx_zero(nsplugin_t) +dev_search_sysfs(nsplugin_t) + +kernel_read_kernel_sysctls(nsplugin_t) +kernel_read_system_state(nsplugin_t) + 
+files_dontaudit_getattr_lost_found_dirs(nsplugin_t) +files_dontaudit_list_home(nsplugin_t) +files_read_etc_files(nsplugin_t) +files_read_usr_files(nsplugin_t) +files_read_config_files(nsplugin_t) + +fs_getattr_tmpfs(nsplugin_t) +fs_getattr_xattr_fs(nsplugin_t) +fs_search_auto_mountpoints(nsplugin_t) +fs_rw_anon_inodefs_files(nsplugin_t) +fs_list_inotifyfs(nsplugin_t) +fs_dontaudit_list_fusefs(nsplugin_t) + +storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t) +storage_dontaudit_getattr_removable_dev(nsplugin_t) + +term_dontaudit_getattr_all_ptys(nsplugin_t) +term_dontaudit_getattr_all_ttys(nsplugin_t) + +auth_use_nsswitch(nsplugin_t) + +libs_exec_ld_so(nsplugin_t) + +miscfiles_read_localization(nsplugin_t) +miscfiles_read_fonts(nsplugin_t) +miscfiles_dontaudit_write_fonts(nsplugin_t) +miscfiles_setattr_fonts_cache_dirs(nsplugin_t) + +userdom_manage_user_tmp_dirs(nsplugin_t) +userdom_manage_user_tmp_files(nsplugin_t) +userdom_manage_user_tmp_sockets(nsplugin_t) +userdom_tmp_filetrans_user_tmp(nsplugin_t, { file dir sock_file }) +userdom_rw_semaphores(nsplugin_t) +userdom_dontaudit_rw_user_tmp_pipes(nsplugin_t) + +userdom_read_user_home_content_symlinks(nsplugin_t) +userdom_read_user_home_content_files(nsplugin_t) +userdom_read_user_tmp_files(nsplugin_t) +userdom_write_user_tmp_sockets(nsplugin_t) +userdom_dontaudit_append_user_home_content_files(nsplugin_t) + +optional_policy(` + alsa_read_rw_config(nsplugin_t) + alsa_read_home_files(nsplugin_t) +') + +optional_policy(` + cups_stream_connect(nsplugin_t) +') + +optional_policy(` + dbus_session_bus_client(nsplugin_t) + dbus_connect_session_bus(nsplugin_t) + dbus_system_bus_client(nsplugin_t) +') + +optional_policy(` + gnome_exec_gconf(nsplugin_t) + gnome_manage_config(nsplugin_t) + gnome_read_gconf_home_files(nsplugin_t) +') + +optional_policy(` + mozilla_execute_user_home_files(nsplugin_t) + mozilla_read_user_home_files(nsplugin_t) + mozilla_write_user_home_files(nsplugin_t) +') + +optional_policy(` + 
mplayer_exec(nsplugin_t) + mplayer_read_user_home_files(nsplugin_t) +') + +optional_policy(` + unconfined_execmem_signull(nsplugin_t) +') + +optional_policy(` + sandbox_read_tmpfs_files(nsplugin_t) +') + +optional_policy(` + gen_require(` + type user_tmpfs_t; + ') + xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t) + xserver_rw_shm(nsplugin_t) + xserver_read_xdm_pid(nsplugin_t) + xserver_read_xdm_tmp_files(nsplugin_t) + xserver_read_user_xauth(nsplugin_t) + xserver_read_user_iceauth(nsplugin_t) + xserver_use_user_fonts(nsplugin_t) + xserver_rw_inherited_user_fonts(nsplugin_t) +') + +######################################## +# +# nsplugin_config local policy +# + +allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; +allow nsplugin_config_t self:process { setsched signal_perms getsched execmem }; +#execing pulseaudio +dontaudit nsplugin_t self:process { getcap setcap }; + +allow nsplugin_config_t self:fifo_file rw_file_perms; +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms; + +dev_dontaudit_read_rand(nsplugin_config_t) +dev_dontaudit_rw_dri(nsplugin_config_t) + +fs_search_auto_mountpoints(nsplugin_config_t) +fs_list_inotifyfs(nsplugin_config_t) + +can_exec(nsplugin_config_t, nsplugin_rw_t) +manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) +manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) +manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) + +manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) +manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) +manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) + +corecmd_exec_bin(nsplugin_config_t) +corecmd_exec_shell(nsplugin_config_t) + +kernel_read_system_state(nsplugin_config_t) +kernel_request_load_module(nsplugin_config_t) + +files_read_etc_files(nsplugin_config_t) +files_read_usr_files(nsplugin_config_t) 
+files_dontaudit_search_home(nsplugin_config_t) +files_list_tmp(nsplugin_config_t) + +auth_use_nsswitch(nsplugin_config_t) + +miscfiles_read_localization(nsplugin_config_t) +miscfiles_read_fonts(nsplugin_config_t) + +userdom_search_user_home_content(nsplugin_config_t) +userdom_read_user_home_content_symlinks(nsplugin_config_t) +userdom_read_user_home_content_files(nsplugin_config_t) +userdom_dontaudit_search_admin_dir(nsplugin_config_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_getattr_nfs(nsplugin_t) + fs_manage_nfs_dirs(nsplugin_t) + fs_manage_nfs_files(nsplugin_t) + fs_read_nfs_symlinks(nsplugin_t) + fs_manage_nfs_named_pipes(nsplugin_t) + fs_manage_nfs_dirs(nsplugin_config_t) + fs_manage_nfs_files(nsplugin_config_t) + fs_manage_nfs_named_pipes(nsplugin_config_t) + fs_read_nfs_symlinks(nsplugin_config_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_getattr_cifs(nsplugin_t) + fs_manage_cifs_dirs(nsplugin_t) + fs_manage_cifs_files(nsplugin_t) + fs_read_cifs_symlinks(nsplugin_t) + fs_manage_cifs_named_pipes(nsplugin_t) + fs_manage_cifs_dirs(nsplugin_config_t) + fs_manage_cifs_files(nsplugin_config_t) + fs_manage_cifs_named_pipes(nsplugin_config_t) + fs_read_cifs_symlinks(nsplugin_config_t) +') + +domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t) + +optional_policy(` + xserver_use_user_fonts(nsplugin_config_t) +') + +optional_policy(` + mozilla_read_user_home_files(nsplugin_config_t) + mozilla_write_user_home_files(nsplugin_config_t) +') + +application_signull(nsplugin_t) + +optional_policy(` + pulseaudio_exec(nsplugin_t) + pulseaudio_stream_connect(nsplugin_t) + pulseaudio_manage_home_files(nsplugin_t) + pulseaudio_setattr_home_dir(nsplugin_t) +') + +optional_policy(` + unconfined_execmem_exec(nsplugin_t) +') + + diff --git a/policy/modules/apps/openoffice.fc b/policy/modules/apps/openoffice.fc new file mode 100644 index 0000000..0c53a12 --- /dev/null +++ b/policy/modules/apps/openoffice.fc 
@@ -0,0 +1,4 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/opt/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + diff --git a/policy/modules/apps/openoffice.if b/policy/modules/apps/openoffice.if new file mode 100644 index 0000000..6863365 --- /dev/null +++ b/policy/modules/apps/openoffice.if 
@@ -0,0 +1,129 @@ +## <summary>Openoffice</summary> + +####################################### +## <summary> +## The per role template for the openoffice module. +## </summary> +## <param name="user_role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the user domain. +## </summary> +## </param> +# +interface(`openoffice_plugin_role',` + gen_require(` + type openoffice_exec_t; + type openoffice_t; + ') + + ######################################## + # + # Local policy + # + + domtrans_pattern($1, openoffice_exec_t, openoffice_t) + allow $1 openoffice_t:process { signal sigkill }; +') + +####################################### +## <summary> +## role for openoffice +## </summary> +## <desc> +## <p> +## This template creates a derived domains which are used +## for java applications. +## </p> +## </desc> +## <param name="role_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +## <param name="user_role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the user domain. 
+## </summary> +## </param> +# +interface(`openoffice_role_template',` + gen_require(` + type openoffice_exec_t; + ') + + role $2 types $1_openoffice_t; + + type $1_openoffice_t; + domain_type($1_openoffice_t) + domain_entry_file($1_openoffice_t, openoffice_exec_t) + domain_interactive_fd($1_openoffice_t) + + userdom_unpriv_usertype($1, $1_openoffice_t) + userdom_exec_user_home_content_files($1_openoffice_t) + + allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack }; + + allow $3 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh }; + allow $1_openoffice_t $3:tcp_socket { read write }; + + domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t) + + dev_read_urand($1_openoffice_t) + dev_read_rand($1_openoffice_t) + + fs_dontaudit_rw_tmpfs_files($1_openoffice_t) + + allow $3 $1_openoffice_t:process { signal sigkill }; + allow $1_openoffice_t $3:unix_stream_socket connectto; + + optional_policy(` + xserver_role($2, $1_openoffice_t) + ') +') + +######################################## +## <summary> +## Execute openoffice_exec_t +## in the specified domain. +## </summary> +## <desc> +## <p> +## Execute a openoffice_exec_t +## in the specified domain. +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the new process. +## </summary> +## </param> +# +interface(`openoffice_exec_domtrans',` + gen_require(` + type openoffice_exec_t; + ') + + allow $2 openoffice_exec_t:file entrypoint; + domtrans_pattern($1, openoffice_exec_t, $2) +') diff --git a/policy/modules/apps/openoffice.te b/policy/modules/apps/openoffice.te new file mode 100644 index 0000000..a842371 --- /dev/null +++ b/policy/modules/apps/openoffice.te 
@@ -0,0 +1,16 @@ +policy_module(openoffice, 1.0.0) + +######################################## +# +# Declarations +# + +type openoffice_t; +type openoffice_exec_t; +application_domain(openoffice_t, openoffice_exec_t) + +######################################## +# +# Unconfined java local policy +# + diff --git a/policy/modules/apps/podsleuth.fc b/policy/modules/apps/podsleuth.fc new file mode 100644 index 0000000..6fbc01c --- /dev/null +++ b/policy/modules/apps/podsleuth.fc @@ -0,0 +1,3 @@ +/usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) +/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) +/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0) diff --git a/policy/modules/apps/podsleuth.if b/policy/modules/apps/podsleuth.if new file mode 100644 index 0000000..d6d80a0 --- /dev/null +++ b/policy/modules/apps/podsleuth.if @@ -0,0 +1,45 @@ +## <summary>Podsleuth is a tool to get information about an Apple (TM) iPod (TM)</summary> + +######################################## +## <summary> +## Execute a domain transition to run podsleuth. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`podsleuth_domtrans',` + gen_require(` + type podsleuth_t, podsleuth_exec_t; + ') + + domtrans_pattern($1, podsleuth_exec_t, podsleuth_t) + allow $1 podsleuth_t:process signal; +') + +######################################## +## <summary> +## Execute podsleuth in the podsleuth domain, and +## allow the specified role the podsleuth domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`podsleuth_run',` + gen_require(` + type podsleuth_t; + ') + + podsleuth_domtrans($1) + role $2 types podsleuth_t; +') 
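Review bot: in the nsplugin.if hunk, `nsplugin_rw_pipes` documents its parameter as "Domain to not audit" while the body is an allow rule (`allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms;`), so the param summary should read "Domain allowed access"; note too that the rule targets FIFOs of type nsplugin_home_t rather than a dedicated pipe type, so every caller gets read/write on every FIFO under the user's nsplugin home tree. Two smaller points: `nsplugin_user_home_dir_filetrans` is named as a home-directory transition but calls `userdom_user_home_content_filetrans`, so either rename it or switch to `userdom_user_home_dir_filetrans`; and the summary of `nsplugin_manage_home_dirs` has a typo ("nnsplugin").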
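Review bot: in the nsplugin.te hunk, `dev_rwx_zero(nsplugin_t)` is granted unconditionally while execmem/execstack are gated behind `allow_nsplugin_execmem` (default false); a writable and executable mapping of /dev/zero gives the plugin what that tunable is meant to withhold, so either move `dev_rwx_zero` into the tunable_policy block for allow_nsplugin_execmem or comment why it is needed regardless. The same tunable block grants nsplugin_config_t execstack/execmem, yet the nsplugin_config local policy already has `allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };` unconditionally, so one of the two is dead. Cleanups: `application_executable_file(nsplugin_exec_t)` and `application_executable_file(nsplugin_config_exec_t)` appear twice in the declarations; `nsplugin_tmp_t` is declared with `files_tmp_file` but no rule in the hunk uses it; and `dontaudit nsplugin_t self:process { getcap setcap };` (under the "#execing pulseaudio" comment), `application_signull(nsplugin_t)`, the `pulseaudio_*(nsplugin_t)` block and `unconfined_execmem_exec(nsplugin_t)` all sit under the "nsplugin_config local policy" header and belong in the nsplugin_t section above.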
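Review bot: in the openoffice.if hunk, `openoffice_plugin_role` documents `$1` as the user role and `$2` as the user domain, but the body uses `$1` as the source domain in `domtrans_pattern($1, openoffice_exec_t, openoffice_t)` and `allow $1 openoffice_t:process { signal sigkill };`, never references `$2`, and has no `role ... types openoffice_t` statement; a caller following the docs will pass a role where a type is expected, so swap the parameters or add the role statement. In `openoffice_role_template` the `<desc>` text ("derived domains which are used for java applications") is copied from the java module, `allow $3 $1_openoffice_t:process { signal sigkill };` is already covered by the earlier `signal_perms` allow, and `execheap execmem execstack` are granted unconditionally where the nsplugin hunk puts the same permissions behind a tunable.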
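Review bot: in the openoffice.te hunk, `openoffice_t` is declared via `application_domain` but no allow rule follows under its local-policy header (which is also mislabelled "Unconfined java local policy"), while `openoffice_plugin_role` in openoffice.if transitions callers into it; as written any process entering openoffice_t has no policy of its own, so either add the local policy here or mark the type as a placeholder in a comment.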
diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te new file mode 100644 index 0000000..815d35d --- /dev/null +++ b/policy/modules/apps/podsleuth.te 
@@ -0,0 +1,89 @@ +policy_module(podsleuth, 1.3.1) + +######################################## +# +# Declarations +# + +type podsleuth_t; +type podsleuth_exec_t; +application_domain(podsleuth_t, podsleuth_exec_t) +role system_r types podsleuth_t; + +type podsleuth_cache_t; +files_type(podsleuth_cache_t) +ubac_constrained(podsleuth_cache_t) + +type podsleuth_tmp_t; +files_tmp_file(podsleuth_tmp_t) +ubac_constrained(podsleuth_tmp_t) + +type podsleuth_tmpfs_t; +files_tmpfs_file(podsleuth_tmpfs_t) +ubac_constrained(podsleuth_tmpfs_t) + +######################################## +# +# podsleuth local policy +# +allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio }; +allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack }; +allow podsleuth_t self:fifo_file rw_file_perms; +allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; +allow podsleuth_t self:sem create_sem_perms; +allow podsleuth_t self:tcp_socket create_stream_socket_perms; +allow podsleuth_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) +manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) +files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir }) + +allow podsleuth_t podsleuth_tmp_t:dir mounton; +manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) +manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) +files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir }) + +manage_dirs_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t) +manage_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t) +manage_lnk_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t) +fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file }) + +kernel_read_system_state(podsleuth_t) +kernel_request_load_module(podsleuth_t) + +corecmd_exec_bin(podsleuth_t) + +corenet_tcp_connect_http_port(podsleuth_t) + 
+dev_read_urand(podsleuth_t) + +files_read_etc_files(podsleuth_t) + +fs_mount_dos_fs(podsleuth_t) +fs_unmount_dos_fs(podsleuth_t) +fs_getattr_dos_fs(podsleuth_t) +fs_read_dos_files(podsleuth_t) +fs_search_dos(podsleuth_t) +fs_getattr_tmpfs(podsleuth_t) +fs_list_tmpfs(podsleuth_t) +fs_rw_removable_blk_files(podsleuth_t) + +miscfiles_read_localization(podsleuth_t) + +sysnet_dns_name_resolve(podsleuth_t) + +userdom_signal_unpriv_users(podsleuth_t) +userdom_signull_unpriv_users(podsleuth_t) +userdom_read_user_tmpfs_files(podsleuth_t) + +optional_policy(` + dbus_system_bus_client(podsleuth_t) + + optional_policy(` + hal_dbus_chat(podsleuth_t) + ') +') + +optional_policy(` + mono_exec(podsleuth_t) +') diff --git a/policy/modules/apps/ptchown.fc b/policy/modules/apps/ptchown.fc new file mode 100644 index 0000000..9fc398e --- /dev/null +++ b/policy/modules/apps/ptchown.fc @@ -0,0 +1 @@ +/usr/libexec/pt_chown -- gen_context(system_u:object_r:ptchown_exec_t,s0) diff --git a/policy/modules/apps/ptchown.if b/policy/modules/apps/ptchown.if new file mode 100644 index 0000000..96cc023 --- /dev/null +++ b/policy/modules/apps/ptchown.if 
@@ -0,0 +1,44 @@ +## <summary>helper function for grantpt(3), changes ownship and permissions of pseudotty</summary> + +######################################## +## <summary> +## Execute a domain transition to run ptchown. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ptchown_domtrans',` + gen_require(` + type ptchown_t, ptchown_exec_t; + ') + + domtrans_pattern($1, ptchown_exec_t, ptchown_t) +') + +######################################## +## <summary> +## Execute ptchown in the ptchown domain, and +## allow the specified role the ptchown domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`ptchown_run',` + gen_require(` + type ptchown_t; + ') + + ptchown_domtrans($1) + role $2 types ptchown_t; +') diff --git a/policy/modules/apps/ptchown.te b/policy/modules/apps/ptchown.te new file mode 100644 index 0000000..d90245a --- /dev/null +++ b/policy/modules/apps/ptchown.te @@ -0,0 +1,31 @@ +policy_module(ptchown, 1.1.0) + +######################################## +# +# Declarations +# + +type ptchown_t; +type ptchown_exec_t; +application_domain(ptchown_t, ptchown_exec_t) +role system_r types ptchown_t; + +######################################## +# +# ptchown local policy +# + +allow ptchown_t self:capability { chown fowner fsetid setuid }; +allow ptchown_t self:process { getcap setcap }; + +files_read_etc_files(ptchown_t) + +fs_rw_anon_inodefs_files(ptchown_t) + +term_setattr_generic_ptys(ptchown_t) +term_getattr_all_ptys(ptchown_t) +term_setattr_all_ptys(ptchown_t) +term_use_generic_ptys(ptchown_t) +term_use_ptmx(ptchown_t) + +miscfiles_read_localization(ptchown_t) diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc new file mode 100644 index 0000000..84f23dc --- /dev/null 
+++ b/policy/modules/apps/pulseaudio.fc @@ -0,0 +1,7 @@ +HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0) +HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) + +/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) + +/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) +/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if new file mode 100644 index 0000000..9f12b51 --- /dev/null +++ b/policy/modules/apps/pulseaudio.if 
@@ -0,0 +1,264 @@ +## <summary>Pulseaudio network sound server.</summary> + +######################################## +## <summary> +## Role access for pulseaudio +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`pulseaudio_role',` + gen_require(` + type pulseaudio_t, pulseaudio_exec_t; + class dbus { acquire_svc send_msg }; + ') + + role $1 types pulseaudio_t; + + # Transition from the user domain to the derived domain. + domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t) + + ps_process_pattern($2, pulseaudio_t) + + allow pulseaudio_t $2:process { signal signull }; + allow $2 pulseaudio_t:process { signal signull sigkill }; + ps_process_pattern(pulseaudio_t, $2) + + allow pulseaudio_t $2:unix_stream_socket connectto; + allow $2 pulseaudio_t:unix_stream_socket connectto; + + userdom_manage_home_role($1, pulseaudio_t) + userdom_manage_tmp_role($1, pulseaudio_t) + userdom_manage_tmpfs_role($1, pulseaudio_t) + + allow $2 pulseaudio_t:dbus send_msg; + allow pulseaudio_t $2:dbus { acquire_svc send_msg }; +') + +######################################## +## <summary> +## Execute a domain transition to run pulseaudio. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`pulseaudio_domtrans',` + gen_require(` + type pulseaudio_t, pulseaudio_exec_t; + ') + + domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t) +') + +######################################## +## <summary> +## Execute pulseaudio in the pulseaudio domain, and +## allow the specified role the pulseaudio domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +# +interface(`pulseaudio_run',` + gen_require(` + type pulseaudio_t; + ') + + pulseaudio_domtrans($1) + role $2 types pulseaudio_t; +') + +######################################## +## <summary> +## Execute a pulseaudio in the current domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_exec',` + gen_require(` + type pulseaudio_exec_t; + ') + + can_exec($1, pulseaudio_exec_t) +') + +######################################## +## <summary> +## Do not audit to execute a pulseaudio. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`pulseaudio_dontaudit_exec',` + gen_require(` + type pulseaudio_exec_t; + ') + + dontaudit $1 pulseaudio_exec_t:file exec_file_perms; +') + +######################################## +## <summary> +## Send signull signal to pulseaudio +## processes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_signull',` + gen_require(` + type pulseaudio_t; + ') + + allow $1 pulseaudio_t:process signull; +') + +##################################### +## <summary> +## Connect to pulseaudio over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_stream_connect',` + gen_require(` + type pulseaudio_t, pulseaudio_var_run_t; + ') + + files_search_pids($1) + allow $1 pulseaudio_t:process signull; + allow pulseaudio_t $1:process signull; + stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t) +') + +######################################## +## <summary> +## Send and receive messages from +## pulseaudio over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`pulseaudio_dbus_chat',` + gen_require(` + type pulseaudio_t; + class dbus send_msg; + ') + + allow $1 pulseaudio_t:dbus send_msg; + allow pulseaudio_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Set the attributes of the pulseaudio homedir. +## </summary> +## <param name="user_domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_setattr_home_dir',` + gen_require(` + type pulseaudio_home_t; + ') + + allow $1 pulseaudio_home_t:dir setattr; +') + +######################################## +## <summary> +## Read pulseaudio homedir files. +## </summary> +## <param name="user_domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_read_home_files',` + gen_require(` + type pulseaudio_home_t; + ') + + userdom_search_user_home_dirs($1) + read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) +') + +######################################## +## <summary> +## Read and write Pulse Audio files. +## </summary> +## <param name="user_domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_rw_home_files',` + gen_require(` + type pulseaudio_home_t; + ') + + rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + userdom_search_user_home_dirs($1) +') + +######################################## +## <summary> +## Create, read, write, and delete pulseaudio +## home directory files. +## </summary> +## <param name="user_domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`pulseaudio_manage_home_files',` + gen_require(` + type pulseaudio_home_t; + ') + + userdom_search_user_home_dirs($1) + manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) +') diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te new file mode 100644 index 0000000..db96581 --- /dev/null +++ b/policy/modules/apps/pulseaudio.te 
@@ -0,0 +1,158 @@ +policy_module(pulseaudio, 1.2.3) + +######################################## +# +# Declarations +# + +type pulseaudio_t; +type pulseaudio_exec_t; +init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) +application_domain(pulseaudio_t, pulseaudio_exec_t) +ubac_constrained(pulseaudio_t) +role system_r types pulseaudio_t; + +type pulseaudio_home_t; +userdom_user_home_content(pulseaudio_home_t) + +type pulseaudio_tmpfs_t; +files_tmpfs_file(pulseaudio_tmpfs_t) +ubac_constrained(pulseaudio_tmpfs_t) + +type pulseaudio_var_lib_t; +files_type(pulseaudio_var_lib_t) +ubac_constrained(pulseaudio_var_lib_t) + +type pulseaudio_var_run_t; +files_pid_file(pulseaudio_var_run_t) +ubac_constrained(pulseaudio_var_run_t) + +######################################## +# +# pulseaudio local policy +# + +allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config }; +allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull }; +allow pulseaudio_t self:fifo_file rw_file_perms; +allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms }; +allow pulseaudio_t self:tcp_socket create_stream_socket_perms; +allow pulseaudio_t self:udp_socket create_socket_perms; +allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; + +manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) +manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) +userdom_search_user_home_dirs(pulseaudio_t) +userdom_search_admin_dir(pulseaudio_t) + +manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) +manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) +manage_lnk_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) +files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) + 
+manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { file dir }) + +can_exec(pulseaudio_t, pulseaudio_exec_t) + +kernel_getattr_proc(pulseaudio_t) +kernel_read_system_state(pulseaudio_t) +kernel_read_kernel_sysctls(pulseaudio_t) + +corecmd_exec_bin(pulseaudio_t) + +corenet_all_recvfrom_unlabeled(pulseaudio_t) +corenet_all_recvfrom_netlabel(pulseaudio_t) +corenet_tcp_bind_pulseaudio_port(pulseaudio_t) +corenet_tcp_bind_soundd_port(pulseaudio_t) +corenet_tcp_sendrecv_generic_if(pulseaudio_t) +corenet_tcp_sendrecv_generic_node(pulseaudio_t) +corenet_udp_bind_sap_port(pulseaudio_t) +corenet_udp_sendrecv_generic_if(pulseaudio_t) +corenet_udp_sendrecv_generic_node(pulseaudio_t) + +dev_read_sound(pulseaudio_t) +dev_write_sound(pulseaudio_t) +dev_read_sysfs(pulseaudio_t) +dev_read_urand(pulseaudio_t) + +files_read_etc_files(pulseaudio_t) +files_read_usr_files(pulseaudio_t) + +fs_rw_anon_inodefs_files(pulseaudio_t) +fs_getattr_tmpfs(pulseaudio_t) +fs_list_inotifyfs(pulseaudio_t) + +term_use_all_ttys(pulseaudio_t) +term_use_all_ptys(pulseaudio_t) + +auth_use_nsswitch(pulseaudio_t) + +logging_send_syslog_msg(pulseaudio_t) + +miscfiles_read_localization(pulseaudio_t) + +optional_policy(` + alsa_read_rw_config(pulseaudio_t) +') + +optional_policy(` + bluetooth_stream_connect(pulseaudio_t) +') + +optional_policy(` + dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) + dbus_system_bus_client(pulseaudio_t) + dbus_session_bus_client(pulseaudio_t) + dbus_connect_session_bus(pulseaudio_t) + + optional_policy(` + consolekit_dbus_chat(pulseaudio_t) + ') + + optional_policy(` + hal_dbus_chat(pulseaudio_t) + ') + + optional_policy(` + policykit_dbus_chat(pulseaudio_t) + ') + + optional_policy(` + rpm_dbus_chat(pulseaudio_t) + ') +') + 
+optional_policy(` + rtkit_scheduled(pulseaudio_t) +') + +optional_policy(` + mpd_read_tmpfs_files(pulseaudio_t) +') + +optional_policy(` + policykit_domtrans_auth(pulseaudio_t) + policykit_read_lib(pulseaudio_t) + policykit_read_reload(pulseaudio_t) +') + +optional_policy(` + udev_read_state(pulseaudio_t) + udev_read_db(pulseaudio_t) +') + +optional_policy(` + xserver_stream_connect(pulseaudio_t) + xserver_manage_xdm_tmp_files(pulseaudio_t) + xserver_read_xdm_lib_files(pulseaudio_t) + xserver_read_xdm_pid(pulseaudio_t) + xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) +') + +optional_policy(` + sandbox_manage_tmpfs_files(pulseaudio_t) +') diff --git a/policy/modules/apps/qemu.fc b/policy/modules/apps/qemu.fc new file mode 100644 index 0000000..64d877e --- /dev/null +++ b/policy/modules/apps/qemu.fc @@ -0,0 +1,4 @@ +/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if new file mode 100644 index 0000000..f4e1572 --- /dev/null +++ b/policy/modules/apps/qemu.if 
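Review bot: in the pulseaudio.te hunk the line `allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };` hands a sound daemon ownership and identity-changing capabilities with no comment saying which operation needs them (setuid/setgid for dropping privileges at start-up is plausible; fowner and chown are not obviously needed), and further down `term_use_all_ttys(pulseaudio_t)` and `term_use_all_ptys(pulseaudio_t)` give it read/write on every terminal on the system. Please add a comment above the capability rule naming the operation each capability serves, trim the ones that have none, and check whether the terminal access can be a dontaudit instead of an allow. Also, `pulseaudio_tmpfs_t` is declared under Declarations but its only use in this file is as the third argument of `xserver_user_x_domain_template` inside an optional_policy block, so with the xserver module absent the type is declared and never used; either state that intent in a comment or add the base tmpfs rules outside the optional block.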
@@ -0,0 +1,410 @@ +## <summary>QEMU machine emulator and virtualizer</summary> + +######################################## +## <summary> +## Creates types and rules for a basic +## qemu process domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. +## </summary> +## </param> +# +template(`qemu_domain_template',` + + ############################## + # + # Local Policy + # + + type $1_t; + domain_type($1_t) + + type $1_tmp_t; + files_tmp_file($1_tmp_t) + + ############################## + # + # Local Policy + # + + allow $1_t self:capability { dac_read_search dac_override }; + allow $1_t self:process { execstack execmem signal getsched }; + allow $1_t self:fifo_file rw_file_perms; + allow $1_t self:shm create_shm_perms; + allow $1_t self:unix_stream_socket create_stream_socket_perms; + allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:tun_socket create; + + manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) + manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) + files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) + + kernel_read_system_state($1_t) + + corenet_all_recvfrom_unlabeled($1_t) + corenet_all_recvfrom_netlabel($1_t) + corenet_tcp_sendrecv_generic_if($1_t) + corenet_tcp_sendrecv_generic_node($1_t) + corenet_tcp_sendrecv_all_ports($1_t) + corenet_tcp_bind_generic_node($1_t) + corenet_tcp_bind_vnc_port($1_t) + corenet_rw_tun_tap_dev($1_t) + +# dev_rw_kvm($1_t) + + domain_use_interactive_fds($1_t) + + files_read_etc_files($1_t) + files_read_usr_files($1_t) + files_read_var_files($1_t) + files_search_all($1_t) + + fs_list_inotifyfs($1_t) + fs_rw_anon_inodefs_files($1_t) + fs_rw_tmpfs_files($1_t) + + storage_raw_write_removable_device($1_t) + storage_raw_read_removable_device($1_t) + + term_use_ptmx($1_t) + term_getattr_pty_fs($1_t) + term_use_generic_ptys($1_t) + + miscfiles_read_localization($1_t) + + sysnet_read_config($1_t) + + userdom_use_user_terminals($1_t) + userdom_attach_admin_tun_iface($1_t) + + 
optional_policy(` + samba_domtrans_smbd($1_t) + ') + + optional_policy(` + virt_manage_images($1_t) + virt_read_config($1_t) + virt_read_lib_files($1_t) + virt_attach_tun_iface($1_t) + ') + + optional_policy(` + xserver_stream_connect($1_t) + xserver_read_xdm_tmp_files($1_t) + xserver_read_xdm_pid($1_t) +# xserver_xdm_rw_shm($1_t) + ') +') + +####################################### +## <summary> +## The per role template for the qemu module. +## </summary> +## <desc> +## <p> +## This template creates a derived domains which are used +## for qemu web browser. +## </p> +## <p> +## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +## </p> +## </desc> +## <param name="user_role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the user domain. +## </summary> +## </param> +# +template(`qemu_role',` + gen_require(` + type qemu_t, qemu_exec_t; + type qemu_config_t, qemu_config_exec_t; + ') + + role $1 types { qemu_t qemu_config_t }; + + domtrans_pattern($2, qemu_exec_t, qemu_t) + domtrans_pattern($2, qemu_config_exec_t, qemu_config_t) + allow qemu_t $2:process signull; +') + +######################################## +## <summary> +## Execute a domain transition to run qemu. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`qemu_domtrans',` + gen_require(` + type qemu_t, qemu_exec_t; + ') + + domtrans_pattern($1, qemu_exec_t, qemu_t) +') + +######################################## +## <summary> +## Execute a qemu in the callers domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`qemu_exec',` + gen_require(` + type qemu_exec_t; + ') + + can_exec($1, qemu_exec_t) +') + +######################################## +## <summary> +## Execute qemu in the qemu domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the qemu domain. +## </summary> +## </param> +# +interface(`qemu_run',` + gen_require(` + type qemu_t; + ') + + qemu_domtrans($1) + role $2 types qemu_t; + + optional_policy(` + samba_run_smb(qemu_t, $2, $3) + ') +') + +######################################## +## <summary> +## Allow the domain to read state files in /proc. +## </summary> +## <param name="domain"> +## <summary> +## Domain to allow access. +## </summary> +## </param> +# +interface(`qemu_read_state',` + gen_require(` + type qemu_t; + ') + + read_files_pattern($1, qemu_t, qemu_t) +') + +######################################## +## <summary> +## Set the schedule on qemu. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qemu_setsched',` + gen_require(` + type qemu_t; + ') + + allow $1 qemu_t:process setsched; +') + +######################################## +## <summary> +## Send a signal to qemu. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qemu_signal',` + gen_require(` + type qemu_t; + ') + + allow $1 qemu_t:process signal; +') + +######################################## +## <summary> +## Send a sigill to qemu +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qemu_kill',` + gen_require(` + type qemu_t; + ') + + allow $1 qemu_t:process sigkill; +') + +######################################## +## <summary> +## Execute a domain transition to run qemu unconfined. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`qemu_domtrans_unconfined',` + gen_require(` + type unconfined_qemu_t, qemu_exec_t; + ') + + domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t) +') + +######################################## +## <summary> +## Execute qemu_exec_t +## in the specified domain but do not +## do it automatically. This is an explicit +## transition, requiring the caller to use setexeccon(). +## </summary> +## <desc> +## <p> +## Execute qemu_exec_t +## in the specified domain. This allows +## the specified domain to qemu programs +## on these filesystems in the specified +## domain. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the new process. +## </summary> +## </param> +# +interface(`qemu_spec_domtrans',` + gen_require(` + type qemu_exec_t; + ') + + read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t) + domain_transition_pattern($1, qemu_exec_t, $2) + domain_entry_file($2,qemu_exec_t) + can_exec($1,qemu_exec_t) + + allow $2 $1:fd use; + allow $2 $1:fifo_file rw_fifo_file_perms; + allow $2 $1:process sigchld; +') + +######################################## +## <summary> +## Execute qemu unconfined programs in the role. +## </summary> +## <param name="role"> +## <summary> +## The role to allow the qemu unconfined domain. +## </summary> +## </param> +# +interface(`qemu_unconfined_role',` + gen_require(` + type unconfined_qemu_t; + type qemu_t; + ') + role $1 types unconfined_qemu_t; + role $1 types qemu_t; +') + +######################################## +## <summary> +## Manage qemu temporary dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`qemu_manage_tmp_dirs',` + gen_require(` + type qemu_tmp_t; + ') + + manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) +') + +######################################## +## <summary> +## Manage qemu temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qemu_manage_tmp_files',` + gen_require(` + type qemu_tmp_t; + ') + + manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) +') + +######################################## +## <summary> +## Make qemu_exec_t an entrypoint for +## the specified domain. +## </summary> +## <param name="domain"> +## <summary> +## The domain for which qemu_exec_t is an entrypoint. +## </summary> +## </param> +# +interface(`qemu_entry_type',` + gen_require(` + type qemu_exec_t; + ') + + domain_entry_file($1, qemu_exec_t) +') + + diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te new file mode 100644 index 0000000..7551020 --- /dev/null +++ b/policy/modules/apps/qemu.te 
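Review bot: `qemu_role` in the qemu.if hunk requires `type qemu_config_t, qemu_config_exec_t;` and adds them to the role and a domtrans, but nothing in the accompanying qemu.te declares either type (it declares qemu_exec_t, calls `virt_domain_template(qemu)` and declares unconfined_qemu_t), so any policy calling this interface will fail to link; drop the qemu_config lines or add the declarations. Three more issues in the same hunk: the `<desc>` of `qemu_role` says the template creates domains "used for qemu web browser", a copy-paste leftover; `qemu_run` calls `samba_run_smb(qemu_t, $2, $3)` while its documentation lists only two parameters, so `$3` is undocumented and will expand empty for callers passing two arguments; and `qemu_kill` is summarised as "Send a sigill to qemu" while the rule grants `sigkill`. Minor: `qemu_domain_template` has two "Local Policy" section headers (the first block, with the type declarations, should be headed Declarations), and the `execstack execmem` process permissions in that template deserve a comment saying which QEMU feature needs them.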
@@ -0,0 +1,124 @@ +policy_module(qemu, 1.4.1) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow qemu to connect fully to the network +## </p> +## </desc> +gen_tunable(qemu_full_network, false) + +## <desc> +## <p> +## Allow qemu to use cifs/Samba file systems +## </p> +## </desc> +gen_tunable(qemu_use_cifs, true) + +## <desc> +## <p> +## Allow qemu to user serial/parallel communication ports +## </p> +## </desc> +gen_tunable(qemu_use_comm, false) + +## <desc> +## <p> +## Allow qemu to use nfs file systems +## </p> +## </desc> +gen_tunable(qemu_use_nfs, true) + +## <desc> +## <p> +## Allow qemu to use usb devices +## </p> +## </desc> +gen_tunable(qemu_use_usb, true) + +type qemu_exec_t; +virt_domain_template(qemu) +application_domain(qemu_t, qemu_exec_t) +role system_r types qemu_t; + +######################################## +# +# qemu local policy +# + +storage_raw_write_removable_device(qemu_t) +storage_raw_read_removable_device(qemu_t) + +userdom_search_user_home_content(qemu_t) +userdom_read_user_tmpfs_files(qemu_t) + +tunable_policy(`qemu_full_network',` + allow qemu_t self:udp_socket create_socket_perms; + + corenet_udp_sendrecv_all_if(qemu_t) + corenet_udp_sendrecv_all_nodes(qemu_t) + corenet_udp_sendrecv_all_ports(qemu_t) + corenet_udp_bind_all_nodes(qemu_t) + corenet_udp_bind_all_ports(qemu_t) + corenet_tcp_bind_all_ports(qemu_t) + corenet_tcp_connect_all_ports(qemu_t) +') + +tunable_policy(`qemu_use_cifs',` + fs_manage_cifs_dirs(qemu_t) + fs_manage_cifs_files(qemu_t) +') + +tunable_policy(`qemu_use_comm',` + term_use_unallocated_ttys(qemu_t) + dev_rw_printer(qemu_t) +') + +tunable_policy(`qemu_use_nfs',` + fs_manage_nfs_dirs(qemu_t) + fs_manage_nfs_files(qemu_t) +') + +tunable_policy(`qemu_use_usb',` + dev_rw_usbfs(qemu_t) + fs_manage_dos_dirs(qemu_t) + fs_manage_dos_files(qemu_t) +') + +optional_policy(` + samba_domtrans_smbd(qemu_t) +') + +optional_policy(` + virt_manage_images(qemu_t) + 
virt_append_log(qemu_t) +') + +optional_policy(` + xen_rw_image_files(qemu_t) +') + +optional_policy(` + xen_rw_image_files(qemu_t) +') + +######################################## +# +# Unconfined qemu local policy +# + +optional_policy(` + type unconfined_qemu_t; + typealias unconfined_qemu_t alias qemu_unconfined_t; + application_type(unconfined_qemu_t) + unconfined_domain(unconfined_qemu_t) + userdom_manage_tmpfs_role(unconfined_r, unconfined_qemu_t) + userdom_unpriv_usertype(unconfined, unconfined_qemu_t) + + allow unconfined_qemu_t self:process { execstack execmem }; + allow unconfined_qemu_t qemu_exec_t:file execmod; +') diff --git a/policy/modules/apps/rssh.fc b/policy/modules/apps/rssh.fc new file mode 100644 index 0000000..4c091ca --- /dev/null +++ b/policy/modules/apps/rssh.fc @@ -0,0 +1 @@ +/usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0) diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if new file mode 100644 index 0000000..7cdac1e --- /dev/null +++ b/policy/modules/apps/rssh.if 
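Review bot: the qemu.te hunk contains the block `optional_policy(` / `xen_rw_image_files(qemu_t)` / `')` twice in a row; delete one copy. The tunable description "Allow qemu to user serial/parallel communication ports" should read "use". The unconfined section passes `unconfined_r` to `userdom_manage_tmpfs_role(unconfined_r, unconfined_qemu_t)` inside an optional_policy block that has no gen_require for that role, so please add one. Finally, `qemu_use_cifs`, `qemu_use_nfs` and `qemu_use_usb` default to true, which means a fresh install already lets qemu_t manage CIFS and NFS content and raw USB devices; if that is the intended default, say so in the tunable descriptions, otherwise default them to false like `qemu_full_network` and `qemu_use_comm`.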
@@ -0,0 +1,66 @@ +## <summary>Restricted (scp/sftp) only shell</summary> + +######################################## +## <summary> +## Role access for rssh +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`rssh_role',` + gen_require(` + type rssh_t; + ') + + role $1 types rssh_t; + + # allow ps to show irc + ps_process_pattern($2, rssh_t) + allow $2 rssh_t:process signal; +') + +######################################## +## <summary> +## Transition to all user rssh domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rssh_spec_domtrans',` + gen_require(` + type rssh_t, rssh_exec_t; + ') + + spec_domtrans_pattern($1, rssh_exec_t, rssh_t) +') + +######################################## +## <summary> +## Read all users rssh read-only content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rssh_read_ro_content',` + gen_require(` + type rssh_ro_t; + ') + + allow $1 rssh_ro_t:dir list_dir_perms; + read_files_pattern($1, rssh_ro_t, rssh_ro_t) + read_lnk_files_pattern($1, rssh_ro_t, rssh_ro_t) +') diff --git a/policy/modules/apps/rssh.te b/policy/modules/apps/rssh.te new file mode 100644 index 0000000..c605046 --- /dev/null +++ b/policy/modules/apps/rssh.te 
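Review bot: the comment `# allow ps to show irc` in `rssh_role` is a leftover from another module and should say rssh, since the rule below it (`ps_process_pattern($2, rssh_t)`) is about rssh_t. The rest of the rssh.if hunk looks consistent with the types declared in rssh.te.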
@@ -0,0 +1,80 @@ +policy_module(rssh, 2.0.0) + +######################################## +# +# Declarations +# + +type rssh_t; +type rssh_exec_t; +typealias rssh_t alias { user_rssh_t staff_rssh_t sysadm_rssh_t }; +typealias rssh_t alias { auditadm_rssh_t secadm_rssh_t }; +application_domain(rssh_t, rssh_exec_t) +domain_user_exemption_target(rssh_t) +domain_interactive_fd(rssh_t) +ubac_constrained(rssh_t) +role system_r types rssh_t; + +type rssh_devpts_t; +typealias rssh_devpts_t alias { user_rssh_devpts_t staff_rssh_devpts_t sysadm_rssh_devpts_t }; +typealias rssh_devpts_t alias { auditadm_rssh_devpts_t secadm_rssh_devpts_t }; +term_user_pty(rssh_t, rssh_devpts_t) +ubac_constrained(rssh_devpts_t) + +type rssh_ro_t; +typealias rssh_ro_t alias { user_rssh_ro_t staff_rssh_ro_t sysadm_rssh_ro_t }; +typealias rssh_ro_t alias { auditadm_rssh_ro_t secadm_rssh_ro_t }; +userdom_user_home_content(rssh_ro_t) + +type rssh_rw_t; +typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t }; +typealias rssh_rw_t alias { auditadm_rssh_rw_t secadm_rssh_rw_t }; +userdom_user_home_content(rssh_rw_t) + +############################## +# +# Local policy +# + +allow rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow rssh_t self:fd use; +allow rssh_t self:fifo_file rw_fifo_file_perms; +allow rssh_t self:unix_dgram_socket create_socket_perms; +allow rssh_t self:unix_stream_socket create_stream_socket_perms; +allow rssh_t self:unix_dgram_socket sendto; +allow rssh_t self:unix_stream_socket connectto; +allow rssh_t self:shm create_shm_perms; +allow rssh_t self:sem create_sem_perms; +allow rssh_t self:msgq create_msgq_perms; +allow rssh_t self:msg { send receive }; + +allow rssh_t rssh_devpts_t:chr_file { rw_file_perms setattr }; +term_create_pty(rssh_t, rssh_devpts_t) + +allow rssh_t rssh_ro_t:dir list_dir_perms; +read_files_pattern(rssh_t, rssh_ro_t, rssh_ro_t) + +manage_dirs_pattern(rssh_t, rssh_rw_t, rssh_rw_t) 
+manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t) + +kernel_read_system_state(rssh_t) +kernel_read_kernel_sysctls(rssh_t) + +files_read_etc_files(rssh_t) +files_read_etc_runtime_files(rssh_t) +files_list_home(rssh_t) +files_read_usr_files(rssh_t) +files_list_var(rssh_t) + +fs_search_auto_mountpoints(rssh_t) + +logging_send_syslog_msg(rssh_t) + +miscfiles_read_localization(rssh_t) + +ssh_rw_tcp_sockets(rssh_t) +ssh_rw_stream_sockets(rssh_t) + +optional_policy(` + nis_use_ypbind(rssh_t) +') diff --git a/policy/modules/apps/sambagui.fc b/policy/modules/apps/sambagui.fc new file mode 100644 index 0000000..c13d607 --- /dev/null +++ b/policy/modules/apps/sambagui.fc @@ -0,0 +1 @@ +/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) diff --git a/policy/modules/apps/sambagui.if b/policy/modules/apps/sambagui.if new file mode 100644 index 0000000..b31ed10 --- /dev/null +++ b/policy/modules/apps/sambagui.if @@ -0,0 +1,2 @@ +## <summary>system-config-samba dbus service policy</summary> + diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te new file mode 100644 index 0000000..26bb71c --- /dev/null +++ b/policy/modules/apps/sambagui.te 
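Review bot: the rule `allow rssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` in the rssh.te hunk grants every process permission not listed, including transition and dyntransition and any permission added to the class in future kernels; for a domain whose whole purpose is to restrict a shell to scp/sftp, an explicit positive list is the safer form. Two style points in the same block: `allow rssh_t rssh_devpts_t:chr_file { rw_file_perms setattr };` applies the plain-file macro to a chr_file where the rest of this patch uses `rw_chr_file_perms` or `rw_term_perms`, and the pairs `allow rssh_t self:unix_dgram_socket create_socket_perms;` / `allow rssh_t self:unix_dgram_socket sendto;` (likewise the unix_stream_socket pair) can be merged into one rule each.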
@@ -0,0 +1,63 @@ +policy_module(sambagui, 1.0.0) + +######################################## +# +# Declarations +# + +type sambagui_t; +type sambagui_exec_t; +dbus_system_domain(sambagui_t, sambagui_exec_t) + +######################################## +# +# system-config-samba local policy +# + +allow sambagui_t self:capability dac_override; +allow sambagui_t self:fifo_file rw_fifo_file_perms; +allow sambagui_t self:unix_dgram_socket create_socket_perms; + +# read meminfo +kernel_read_system_state(sambagui_t) + +# execut apps of system-config-samba +corecmd_exec_shell(sambagui_t) +corecmd_exec_bin(sambagui_t) + +dev_dontaudit_read_urand(sambagui_t) + +files_read_etc_files(sambagui_t) +files_search_var_lib(sambagui_t) +files_read_usr_files(sambagui_t) + +auth_use_nsswitch(sambagui_t) + +logging_send_syslog_msg(sambagui_t) + +miscfiles_read_localization(sambagui_t) + +nscd_dontaudit_search_pid(sambagui_t) + +userdom_dontaudit_search_admin_dir(sambagui_t) + +# handling with samba conf files +samba_append_log(sambagui_t) +samba_manage_config(sambagui_t) +samba_manage_var_files(sambagui_t) +samba_read_secrets(sambagui_t) +samba_initrc_domtrans(sambagui_t) +samba_domtrans_smbd(sambagui_t) +samba_domtrans_nmbd(sambagui_t) + +optional_policy(` + consoletype_exec(sambagui_t) +') + +optional_policy(` + gnome_dontaudit_search_config(sambagui_t) +') + +optional_policy(` + policykit_dbus_chat(sambagui_t) +') diff --git a/policy/modules/apps/sandbox.fc b/policy/modules/apps/sandbox.fc new file mode 100644 index 0000000..15778fd --- /dev/null +++ b/policy/modules/apps/sandbox.fc @@ -0,0 +1 @@ +# No types are sandbox_exec_t diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if new file mode 100644 index 0000000..587c440 --- /dev/null +++ b/policy/modules/apps/sandbox.if 
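Review bot: in the sambagui.te hunk the seven `samba_*` calls (`samba_append_log` through `samba_domtrans_nmbd`) and `nscd_dontaudit_search_pid(sambagui_t)` are unconditional while consoletype, gnome and policykit are wrapped in optional_policy, which makes this module hard-depend on the samba and nscd modules; if that is intended for a Samba configuration helper, add a comment saying so, otherwise wrap them. `allow sambagui_t self:capability dac_override;` and `samba_read_secrets(sambagui_t)` both widen what a D-Bus-activated helper can reach (bypassing DAC on any file, and reading the Samba secrets database) and should each carry a one-line comment naming the file or operation that needs them. Typo: "execut apps of system-config-samba" should read "execute".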
@@ -0,0 +1,339 @@ + +## <summary>policy for sandbox</summary> + +######################################## +## <summary> +## Execute sandbox in the sandbox domain, and +## allow the specified role the sandbox domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the sandbox domain. +## </summary> +## </param> +# +interface(`sandbox_transition',` + gen_require(` + type sandbox_xserver_t; + attribute sandbox_domain; + attribute sandbox_x_domain; + attribute sandbox_file_type; + attribute sandbox_tmpfs_type; + ') + + allow $1 sandbox_domain:process transition; + dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; + role $2 types sandbox_domain; + allow sandbox_domain $1:process { sigchld signull }; + allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; + + allow $1 sandbox_x_domain:process { signal_perms transition }; + dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh }; + allow sandbox_x_domain $1:process { sigchld signull }; + dontaudit sandbox_domain $1:process signal; + role $2 types sandbox_x_domain; + role $2 types sandbox_xserver_t; + allow $1 sandbox_xserver_t:process signal_perms; + dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms; + dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms; + dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms; + allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms }; + allow sandbox_x_domain sandbox_x_domain:process signal; + # Dontaudit leaked file descriptors + dontaudit sandbox_x_domain $1:fifo_file { read write }; + dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:unix_stream_socket { read write }; + dontaudit sandbox_x_domain $1:process signal; + + allow $1 sandbox_tmpfs_type:file manage_file_perms; + 
dontaudit $1 sandbox_tmpfs_type:file manage_file_perms; + + can_exec($1, sandbox_file_type) + manage_files_pattern($1, sandbox_file_type, sandbox_file_type); + manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type); + manage_sock_files_pattern($1, sandbox_file_type, sandbox_file_type); + manage_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type); + manage_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type); + relabel_dirs_pattern($1, sandbox_file_type, sandbox_file_type) + relabel_files_pattern($1, sandbox_file_type, sandbox_file_type) + relabel_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type) + relabel_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type) + relabel_sock_files_pattern($1, sandbox_file_type, sandbox_file_type) +') + +######################################## +## <summary> +## Creates types and rules for a basic +## qemu process domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. +## </summary> +## </param> +# +template(`sandbox_domain_template',` + + gen_require(` + attribute sandbox_domain; + attribute sandbox_file_type; + attribute sandbox_x_type; + ') + + type $1_t, sandbox_domain, sandbox_x_type; + application_type($1_t) + + mls_rangetrans_target($1_t) + mcs_untrusted_proc($1_t) + + type $1_file_t, sandbox_file_type; + files_type($1_file_t) + + can_exec($1_t, $1_file_t) + manage_dirs_pattern($1_t, $1_file_t, $1_file_t) + manage_files_pattern($1_t, $1_file_t, $1_file_t) + manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t) + manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) + manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) +') + +######################################## +## <summary> +## Creates types and rules for a basic +## qemu process domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. 
+## </summary> +## </param> +# +template(`sandbox_x_domain_template',` + gen_require(` + type xserver_exec_t, sandbox_devpts_t; + type sandbox_xserver_t; + attribute sandbox_domain, sandbox_x_domain; + attribute sandbox_file_type, sandbox_tmpfs_type; + ') + + type $1_t, sandbox_x_domain; + application_type($1_t) + mcs_untrusted_proc($1_t) + + type $1_file_t, sandbox_file_type; + files_type($1_file_t) + + can_exec($1_t, $1_file_t) + manage_dirs_pattern($1_t, $1_file_t, $1_file_t) + manage_files_pattern($1_t, $1_file_t, $1_file_t) + manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t) + manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) + manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) + + type $1_devpts_t; + term_pty($1_devpts_t) + term_create_pty($1_t, $1_devpts_t) + allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; + + # window manager + miscfiles_setattr_fonts_cache_dirs($1_t) + allow $1_t self:capability setuid; + + type $1_client_t, sandbox_x_domain; + application_type($1_client_t) + mcs_untrusted_proc($1_t) + + type $1_client_tmpfs_t, sandbox_tmpfs_type; + files_tmpfs_file($1_client_tmpfs_t) + + term_search_ptys($1_t) + allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr }; + term_create_pty($1_client_t,sandbox_devpts_t) + + manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t) + fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file ) + # Pulseaudio tmpfs files with different MCS labels + dontaudit $1_client_t $1_client_tmpfs_t:file { read write }; + allow sandbox_xserver_t $1_client_tmpfs_t:file { read write }; + + domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t) + allow $1_t sandbox_xserver_t:process signal_perms; + + domtrans_pattern($1_t, $1_file_t, $1_client_t) + domain_entry_file($1_client_t, $1_file_t) + + # Random tmpfs_t that gets created when you run X. 
+ fs_rw_tmpfs_files($1_t) + + manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) + manage_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) + manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t) + allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms; + ps_process_pattern(sandbox_xserver_t, $1_client_t) + ps_process_pattern(sandbox_xserver_t, $1_t) + allow sandbox_xserver_t $1_client_t:shm rw_shm_perms; + allow sandbox_xserver_t $1_t:shm rw_shm_perms; + allow $1_client_t $1_t:unix_stream_socket connectto; + allow $1_t $1_client_t:unix_stream_socket connectto; + + can_exec($1_client_t, $1_file_t) + manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t) + manage_files_pattern($1_client_t, $1_file_t, $1_file_t) + manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t) + manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t) + manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t) +') + +######################################## +## <summary> +## allow domain to read, +## write sandbox_xserver tmp files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`sandbox_rw_xserver_tmpfs_files',` + gen_require(` + type sandbox_xserver_tmpfs_t; + ') + + allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms; +') + +######################################## +## <summary> +## allow domain to read +## sandbox tmpfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`sandbox_read_tmpfs_files',` + gen_require(` + attribute sandbox_tmpfs_type; + ') + + allow $1 sandbox_tmpfs_type:file read_file_perms; +') + +######################################## +## <summary> +## allow domain to manage +## sandbox tmpfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`sandbox_manage_tmpfs_files',` + gen_require(` + 
attribute sandbox_tmpfs_type; + ') + + allow $1 sandbox_tmpfs_type:file manage_file_perms; +') + +######################################## +## <summary> +## Delete sandbox files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`sandbox_delete_files',` + gen_require(` + attribute sandbox_file_type; + ') + + delete_files_pattern($1, sandbox_file_type, sandbox_file_type) +') + +######################################## +## <summary> +## Delete sandbox sock files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`sandbox_delete_sock_files',` + gen_require(` + attribute sandbox_file_type; + ') + + delete_sock_files_pattern($1, sandbox_file_type, sandbox_file_type) +') + +######################################## +## <summary> +## Allow domain to set the attributes +## of the sandbox directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`sandbox_setattr_dirs',` + gen_require(` + attribute sandbox_file_type; + ') + + allow $1 sandbox_file_type:dir setattr; +') + +######################################## +## <summary> +## allow domain to delete sandbox files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`sandbox_delete_dirs',` + gen_require(` + attribute sandbox_file_type; + ') + + delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type) +') + +######################################## +## <summary> +## allow domain to list sandbox dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`sandbox_list',` + gen_require(` + attribute sandbox_file_type; + ') + + allow $1 sandbox_file_type:dir list_dir_perms; +') 
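Review bot: in `sandbox_transition` the five lines `manage_files_pattern($1, sandbox_file_type, sandbox_file_type);` through `manage_lnk_files_pattern(...);` carry trailing semicolons that the pattern macros do not take (the relabel_*_pattern lines just below them have none); please drop them. Directly above, `dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;` repeats the permissions of the allow rule on the previous line and so does nothing. In `sandbox_x_domain_template`, `mcs_untrusted_proc($1_t)` is called a second time right after `application_type($1_client_t)`, where `mcs_untrusted_proc($1_client_t)` is evidently intended, so the client domain never gets the MCS untrusted marking that the parent domain gets. Documentation: the summaries of both `sandbox_domain_template` and `sandbox_x_domain_template` say "basic qemu process domain" (copied from qemu.if), and `sandbox_delete_dirs` is summarised as "allow domain to delete sandbox files".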
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 index 0000000..89fcce3 --- /dev/null +++ b/policy/modules/apps/sandbox.te 
@@ -0,0 +1,408 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; +attribute sandbox_x_domain; +attribute sandbox_file_type; +attribute sandbox_web_type; +attribute sandbox_tmpfs_type; +attribute sandbox_x_type; + +######################################## +# +# Declarations +# + +sandbox_domain_template(sandbox) +sandbox_x_domain_template(sandbox_min) +sandbox_x_domain_template(sandbox_x) +sandbox_x_domain_template(sandbox_web) +sandbox_x_domain_template(sandbox_net) + +type sandbox_xserver_t; +domain_type(sandbox_xserver_t) +xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t) + +type sandbox_xserver_tmpfs_t; +files_tmpfs_file(sandbox_xserver_tmpfs_t) + +type sandbox_devpts_t; +term_pty(sandbox_devpts_t) +files_type(sandbox_devpts_t) + +######################################## +# +# sandbox xserver policy +# +allow sandbox_xserver_t self:process { execmem execstack }; +allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms; +allow sandbox_xserver_t self:shm create_shm_perms; +allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +kernel_dontaudit_request_load_module(sandbox_xserver_t) + +corecmd_exec_bin(sandbox_xserver_t) +corecmd_exec_shell(sandbox_xserver_t) + +corenet_all_recvfrom_unlabeled(sandbox_xserver_t) +corenet_all_recvfrom_netlabel(sandbox_xserver_t) +corenet_tcp_sendrecv_all_if(sandbox_xserver_t) 
+corenet_udp_sendrecv_all_if(sandbox_xserver_t) +corenet_tcp_sendrecv_all_nodes(sandbox_xserver_t) +corenet_udp_sendrecv_all_nodes(sandbox_xserver_t) +corenet_tcp_sendrecv_all_ports(sandbox_xserver_t) +corenet_udp_sendrecv_all_ports(sandbox_xserver_t) +corenet_tcp_bind_all_nodes(sandbox_xserver_t) +corenet_tcp_bind_xserver_port(sandbox_xserver_t) +corenet_sendrecv_xserver_server_packets(sandbox_xserver_t) +corenet_sendrecv_all_client_packets(sandbox_xserver_t) + +dev_rwx_zero(sandbox_xserver_t) + +files_read_config_files(sandbox_xserver_t) +files_read_usr_files(sandbox_xserver_t) +files_search_home(sandbox_xserver_t) +fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t) +fs_list_inotifyfs(sandbox_xserver_t) + +miscfiles_read_fonts(sandbox_xserver_t) +miscfiles_read_localization(sandbox_xserver_t) + +kernel_read_system_state(sandbox_xserver_t) + +selinux_validate_context(sandbox_xserver_t) +selinux_compute_access_vector(sandbox_xserver_t) +selinux_compute_create_context(sandbox_xserver_t) + +auth_use_nsswitch(sandbox_xserver_t) + +logging_send_syslog_msg(sandbox_xserver_t) +logging_send_audit_msgs(sandbox_xserver_t) + +userdom_use_user_terminals(sandbox_xserver_t) +userdom_dontaudit_search_user_home_content(sandbox_xserver_t) + +xserver_entry_type(sandbox_xserver_t) + +optional_policy(` + dbus_system_bus_client(sandbox_xserver_t) + + optional_policy(` + hal_dbus_chat(sandbox_xserver_t) + ') +') + +######################################## +# +# sandbox local policy +# + +## internal communication is often done using fifo and unix sockets. 
+allow sandbox_domain self:fifo_file manage_file_perms; +allow sandbox_domain self:sem create_sem_perms; +allow sandbox_domain self:shm create_shm_perms; +allow sandbox_domain self:msgq create_msgq_perms; +allow sandbox_domain self:unix_stream_socket create_stream_socket_perms; +allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; +dontaudit sandbox_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + +dev_rw_all_inherited_chr_files(sandbox_domain) +dev_rw_all_inherited_blk_files(sandbox_domain) + +gen_require(` + type usr_t, lib_t, locale_t; + type var_t, var_run_t, rpm_log_t, locale_t; + attribute exec_type, configfile; +') + +files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t ) +files_entrypoint_all_files(sandbox_domain) + +files_read_config_files(sandbox_domain) +files_read_usr_files(sandbox_domain) +files_read_var_files(sandbox_domain) +files_dontaudit_search_all_dirs(sandbox_domain) + +miscfiles_read_localization(sandbox_domain) + +kernel_dontaudit_read_system_state(sandbox_domain) +corecmd_exec_all_executables(sandbox_domain) + +userdom_dontaudit_use_user_terminals(sandbox_domain) + +mta_dontaudit_read_spool_symlinks(sandbox_domain) + +######################################## +# +# sandbox_x_domain local policy +# +allow sandbox_x_domain self:fifo_file manage_file_perms; +allow sandbox_x_domain self:sem create_sem_perms; +allow sandbox_x_domain self:shm create_shm_perms; +allow sandbox_x_domain self:msgq create_msgq_perms; +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; +allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms }; + +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; + +allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem }; +dontaudit sandbox_x_domain self:process signal; + +allow sandbox_x_domain self:shm 
create_shm_perms; +allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms }; +allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms }; +allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto; +dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + +domain_dontaudit_read_all_domains_state(sandbox_x_domain) + +files_search_home(sandbox_x_domain) +files_dontaudit_list_tmp(sandbox_x_domain) + +kernel_getattr_proc(sandbox_x_domain) +kernel_read_network_state(sandbox_x_domain) +kernel_read_system_state(sandbox_x_domain) + +corecmd_exec_all_executables(sandbox_x_domain) + +dev_read_urand(sandbox_x_domain) +dev_dontaudit_read_rand(sandbox_x_domain) +dev_read_sysfs(sandbox_x_domain) + +files_entrypoint_all_files(sandbox_x_domain) +files_read_config_files(sandbox_x_domain) +files_read_usr_files(sandbox_x_domain) +files_read_usr_symlinks(sandbox_x_domain) + +fs_getattr_tmpfs(sandbox_x_domain) +fs_getattr_xattr_fs(sandbox_x_domain) +fs_list_inotifyfs(sandbox_x_domain) + +auth_dontaudit_read_login_records(sandbox_x_domain) +auth_dontaudit_write_login_records(sandbox_x_domain) +auth_use_nsswitch(sandbox_x_domain) +auth_search_pam_console_data(sandbox_x_domain) + +init_read_utmp(sandbox_x_domain) +init_dontaudit_write_utmp(sandbox_x_domain) + +miscfiles_read_localization(sandbox_x_domain) +miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain) + +term_getattr_pty_fs(sandbox_x_domain) +term_use_ptmx(sandbox_x_domain) + +logging_send_syslog_msg(sandbox_x_domain) +logging_dontaudit_search_logs(sandbox_x_domain) + +miscfiles_read_fonts(sandbox_x_domain) + +storage_dontaudit_rw_fuse(sandbox_x_domain) + +optional_policy(` + cups_stream_connect(sandbox_x_domain) + cups_read_rw_config(sandbox_x_domain) +') + +optional_policy(` + dbus_system_bus_client(sandbox_x_domain) +') + +optional_policy(` + gnome_read_gconf_config(sandbox_x_domain) +') + +optional_policy(` + 
nscd_dontaudit_search_pid(sandbox_x_domain) +') + +optional_policy(` + sssd_dontaudit_search_lib(sandbox_x_domain) +') + +optional_policy(` + udev_read_db(sandbox_x_domain) +') + +userdom_dontaudit_use_user_terminals(sandbox_x_domain) +userdom_read_user_home_content_symlinks(sandbox_x_domain) +userdom_search_user_home_content(sandbox_x_domain) + +files_search_home(sandbox_x_t) +userdom_use_user_ptys(sandbox_x_t) + +######################################## +# +# sandbox_x_client_t local policy +# +allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms; +allow sandbox_x_client_t self:udp_socket create_socket_perms; +allow sandbox_x_client_t self:dbus { acquire_svc send_msg }; +allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms; + +dev_read_rand(sandbox_x_client_t) + +corenet_tcp_connect_ipp_port(sandbox_x_client_t) + +auth_use_nsswitch(sandbox_x_client_t) + +selinux_get_fs_mount(sandbox_x_client_t) +selinux_validate_context(sandbox_x_client_t) +selinux_compute_access_vector(sandbox_x_client_t) +selinux_compute_create_context(sandbox_x_client_t) +selinux_compute_relabel_context(sandbox_x_client_t) +selinux_compute_user_contexts(sandbox_x_client_t) +seutil_read_default_contexts(sandbox_x_client_t) + +optional_policy(` + hal_dbus_chat(sandbox_x_client_t) +') + + +allow sandbox_web_t self:process setsched; + +optional_policy(` + nsplugin_read_rw_files(sandbox_web_t) +') + +######################################## +# +# sandbox_web_client_t local policy +# +typeattribute sandbox_web_client_t sandbox_web_type; + +allow sandbox_web_type self:capability { setuid setgid }; +allow sandbox_web_type self:netlink_audit_socket nlmsg_relay; +allow sandbox_web_type self:process setsched; +dontaudit sandbox_web_type self:process setrlimit; + +allow sandbox_web_type self:tcp_socket create_stream_socket_perms; +allow sandbox_web_type self:udp_socket create_socket_perms; +allow sandbox_web_type self:dbus { acquire_svc send_msg }; +allow 
sandbox_web_type self:netlink_selinux_socket create_socket_perms; + +kernel_dontaudit_search_kernel_sysctl(sandbox_web_type) +kernel_request_load_module(sandbox_web_type) + +dev_read_rand(sandbox_web_type) +dev_write_sound(sandbox_web_type) +dev_read_sound(sandbox_web_type) + +corenet_all_recvfrom_unlabeled(sandbox_web_type) +corenet_all_recvfrom_netlabel(sandbox_web_type) +corenet_tcp_sendrecv_all_if(sandbox_web_type) +corenet_raw_sendrecv_all_if(sandbox_web_type) +corenet_tcp_sendrecv_all_nodes(sandbox_web_type) +corenet_raw_sendrecv_all_nodes(sandbox_web_type) +corenet_tcp_sendrecv_http_port(sandbox_web_type) +corenet_tcp_sendrecv_http_cache_port(sandbox_web_type) +corenet_tcp_sendrecv_squid_port(sandbox_web_type) +corenet_tcp_sendrecv_ftp_port(sandbox_web_type) +corenet_tcp_sendrecv_ipp_port(sandbox_web_type) +corenet_tcp_connect_http_port(sandbox_web_type) +corenet_tcp_connect_http_cache_port(sandbox_web_type) +corenet_tcp_connect_squid_port(sandbox_web_type) +corenet_tcp_connect_flash_port(sandbox_web_type) +corenet_tcp_connect_ftp_port(sandbox_web_type) +corenet_tcp_connect_ipp_port(sandbox_web_type) +corenet_tcp_connect_streaming_port(sandbox_web_type) +corenet_tcp_connect_pulseaudio_port(sandbox_web_type) +corenet_tcp_connect_speech_port(sandbox_web_type) +corenet_tcp_connect_generic_port(sandbox_web_type) +corenet_tcp_connect_soundd_port(sandbox_web_type) +corenet_tcp_connect_speech_port(sandbox_web_type) +corenet_sendrecv_http_client_packets(sandbox_web_type) +corenet_sendrecv_http_cache_client_packets(sandbox_web_type) +corenet_sendrecv_squid_client_packets(sandbox_web_type) +corenet_sendrecv_ftp_client_packets(sandbox_web_type) +corenet_sendrecv_ipp_client_packets(sandbox_web_type) +corenet_sendrecv_generic_client_packets(sandbox_web_type) + +corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type) +corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type) + +files_dontaudit_getattr_all_dirs(sandbox_web_type) 
+files_dontaudit_list_mnt(sandbox_web_type) + +fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type) +fs_dontaudit_getattr_all_fs(sandbox_web_type) + +storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type) + +auth_use_nsswitch(sandbox_web_type) + +dbus_system_bus_client(sandbox_web_type) +dbus_read_config(sandbox_web_type) +selinux_get_fs_mount(sandbox_web_type) +selinux_validate_context(sandbox_web_type) +selinux_compute_access_vector(sandbox_web_type) +selinux_compute_create_context(sandbox_web_type) +selinux_compute_relabel_context(sandbox_web_type) +selinux_compute_user_contexts(sandbox_web_type) +seutil_read_default_contexts(sandbox_web_type) + +userdom_rw_user_tmpfs_files(sandbox_web_type) +userdom_delete_user_tmpfs_files(sandbox_web_type) + +optional_policy(` + bluetooth_dontaudit_dbus_chat(sandbox_web_type) +') + +optional_policy(` + consolekit_dbus_chat(sandbox_web_type) +') + +optional_policy(` + hal_dbus_chat(sandbox_web_type) +') + +optional_policy(` + nsplugin_read_rw_files(sandbox_web_type) + nsplugin_rw_exec(sandbox_web_type) +') + +optional_policy(` + pulseaudio_stream_connect(sandbox_web_type) + allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms; +') + +optional_policy(` + rtkit_daemon_dontaudit_dbus_chat(sandbox_web_type) +') + +optional_policy(` + networkmanager_dontaudit_dbus_chat(sandbox_web_type) +') + +optional_policy(` + udev_read_state(sandbox_web_type) +') + +######################################## +# +# sandbox_net_client_t local policy +# +typeattribute sandbox_net_client_t sandbox_web_type; + +corenet_all_recvfrom_unlabeled(sandbox_net_client_t) +corenet_all_recvfrom_netlabel(sandbox_net_client_t) +corenet_tcp_sendrecv_all_if(sandbox_net_client_t) +corenet_udp_sendrecv_all_if(sandbox_net_client_t) +corenet_tcp_sendrecv_all_nodes(sandbox_net_client_t) +corenet_udp_sendrecv_all_nodes(sandbox_net_client_t) +corenet_tcp_sendrecv_all_ports(sandbox_net_client_t) 
+corenet_udp_sendrecv_all_ports(sandbox_net_client_t) +corenet_tcp_connect_all_ports(sandbox_net_client_t) +corenet_sendrecv_all_client_packets(sandbox_net_client_t) + +optional_policy(` + mozilla_dontaudit_rw_user_home_files(sandbox_x_t) + mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t) + mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) +') diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc new file mode 100644 index 0000000..1f2cde4 --- /dev/null +++ b/policy/modules/apps/screen.fc @@ -0,0 +1,14 @@ +# +# /home +# +HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) + +# +# /usr +# +/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) + +# +# /var +# +/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if new file mode 100644 index 0000000..320df26 --- /dev/null +++ b/policy/modules/apps/screen.if 
@@ -0,0 +1,157 @@ +## <summary>GNU terminal multiplexer</summary> + +####################################### +## <summary> +## The role template for the screen module. +## </summary> +## <param name="role_prefix"> +## <summary> +## The prefix of the user role (e.g., user +## is the prefix for user_r). +## </summary> +## </param> +## <param name="user_role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the user domain. +## </summary> +## </param> +# +template(`screen_role_template',` + gen_require(` + type screen_exec_t, screen_tmp_t; + type screen_home_t, screen_var_run_t; + ') + + ######################################## + # + # Declarations + # + + type $1_screen_t; + application_domain($1_screen_t, screen_exec_t) + domain_interactive_fd($1_screen_t) + ubac_constrained($1_screen_t) + role $2 types $1_screen_t; + + ######################################## + # + # Local policy + # + + allow $1_screen_t self:capability { setuid setgid fsetid }; + allow $1_screen_t self:process signal_perms; + allow $1_screen_t self:fifo_file rw_fifo_file_perms; + allow $1_screen_t self:tcp_socket create_stream_socket_perms; + allow $1_screen_t self:udp_socket create_socket_perms; + # Internal screen networking + allow $1_screen_t self:fd use; + allow $1_screen_t self:unix_stream_socket create_socket_perms; + allow $1_screen_t self:unix_dgram_socket create_socket_perms; + + manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) + manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) + manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) + files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir }) + + # Create fifo + manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) + manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) + files_pid_filetrans($1_screen_t, screen_var_run_t, dir) + + allow $1_screen_t 
screen_home_t:dir list_dir_perms; + read_files_pattern($1_screen_t, screen_home_t, screen_home_t) + read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t) + + allow $1_screen_t $3:process signal; + + domtrans_pattern($3, screen_exec_t, $1_screen_t) + allow $3 $1_screen_t:process { signal sigchld }; + allow $1_screen_t $3:process signal; + + manage_dirs_pattern($3, screen_home_t, screen_home_t) + manage_files_pattern($3, screen_home_t, screen_home_t) + manage_lnk_files_pattern($3, screen_home_t, screen_home_t) + relabel_dirs_pattern($3, screen_home_t, screen_home_t) + relabel_files_pattern($3, screen_home_t, screen_home_t) + relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) + + manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) + manage_files_pattern($3, screen_var_run_t, screen_var_run_t) + manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t) + manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) + + kernel_read_system_state($1_screen_t) + kernel_read_kernel_sysctls($1_screen_t) + + corecmd_list_bin($1_screen_t) + corecmd_read_bin_files($1_screen_t) + corecmd_read_bin_symlinks($1_screen_t) + corecmd_read_bin_pipes($1_screen_t) + corecmd_read_bin_sockets($1_screen_t) + # Revert to the user domain when a shell is executed. 
+ corecmd_shell_domtrans($1_screen_t, $3) + corecmd_bin_domtrans($1_screen_t, $3) + + corenet_all_recvfrom_unlabeled($1_screen_t) + corenet_all_recvfrom_netlabel($1_screen_t) + corenet_tcp_sendrecv_generic_if($1_screen_t) + corenet_udp_sendrecv_generic_if($1_screen_t) + corenet_tcp_sendrecv_generic_node($1_screen_t) + corenet_udp_sendrecv_generic_node($1_screen_t) + corenet_tcp_sendrecv_all_ports($1_screen_t) + corenet_udp_sendrecv_all_ports($1_screen_t) + corenet_tcp_connect_all_ports($1_screen_t) + + dev_dontaudit_getattr_all_chr_files($1_screen_t) + dev_dontaudit_getattr_all_blk_files($1_screen_t) + # for SSP + dev_read_urand($1_screen_t) + + domain_use_interactive_fds($1_screen_t) + + files_search_tmp($1_screen_t) + files_search_home($1_screen_t) + files_list_home($1_screen_t) + files_read_usr_files($1_screen_t) + files_read_etc_files($1_screen_t) + + fs_search_auto_mountpoints($1_screen_t) + fs_getattr_xattr_fs($1_screen_t) + + auth_domtrans_chk_passwd($1_screen_t) + auth_use_nsswitch($1_screen_t) + auth_dontaudit_read_shadow($1_screen_t) + auth_dontaudit_exec_utempter($1_screen_t) + + # Write to utmp. + init_rw_utmp($1_screen_t) + + logging_send_syslog_msg($1_screen_t) + + miscfiles_read_localization($1_screen_t) + + seutil_read_config($1_screen_t) + + userdom_use_user_terminals($1_screen_t) + userdom_create_user_pty($1_screen_t) + userdom_user_home_domtrans($1_screen_t, $3) + userdom_setattr_user_ptys($1_screen_t) + userdom_setattr_user_ttys($1_screen_t) + + tunable_policy(`use_samba_home_dirs',` + fs_cifs_domtrans($1_screen_t, $3) + fs_read_cifs_symlinks($1_screen_t) + fs_list_cifs($1_screen_t) + ') + + tunable_policy(`use_nfs_home_dirs',` + fs_nfs_domtrans($1_screen_t, $3) + fs_list_nfs($1_screen_t) + fs_read_nfs_symlinks($1_screen_t) + ') +') diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te new file mode 100644 index 0000000..8c65cc6 --- /dev/null +++ b/policy/modules/apps/screen.te 
@@ -0,0 +1,26 @@ +policy_module(screen, 2.3.0) + +######################################## +# +# Declarations +# + +type screen_exec_t; +application_executable_file(screen_exec_t) + +type screen_home_t; +typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_screen_home_t }; +typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t }; +userdom_user_home_content(screen_home_t) + +type screen_tmp_t; +typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t }; +typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t }; +files_tmp_file(screen_tmp_t) +ubac_constrained(screen_tmp_t) + +type screen_var_run_t; +typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t }; +typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t }; +files_pid_file(screen_var_run_t) +ubac_constrained(screen_var_run_t) diff --git a/policy/modules/apps/seunshare.fc b/policy/modules/apps/seunshare.fc new file mode 100644 index 0000000..30a4b9f --- /dev/null +++ b/policy/modules/apps/seunshare.fc @@ -0,0 +1 @@ +/usr/sbin/seunshare -- gen_context(system_u:object_r:seunshare_exec_t,s0) diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if new file mode 100644 index 0000000..7455c19 --- /dev/null +++ b/policy/modules/apps/seunshare.if 
@@ -0,0 +1,99 @@ +## <summary>Filesystem namespacing/polyinstantiation application.</summary> + +######################################## +## <summary> +## Execute a domain transition to run seunshare. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`seunshare_domtrans',` + gen_require(` + type seunshare_t, seunshare_exec_t; + ') + + domtrans_pattern($1, seunshare_exec_t, seunshare_t) +') + +######################################## +## <summary> +## Execute seunshare in the seunshare domain, and +## allow the specified role the seunshare domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`seunshare_run',` + gen_require(` + type seunshare_t; + ') + + seunshare_domtrans($1) + role $2 types seunshare_t; + + allow $1 seunshare_t:process signal_perms; + + ifdef(`hide_broken_symptoms', ` + dontaudit seunshare_t $1:tcp_socket rw_socket_perms; + dontaudit seunshare_t $1:udp_socket rw_socket_perms; + dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms; + ') +') + +######################################## +## <summary> +## The role template for the seunshare module. +## </summary> +## <param name="role_prefix"> +## <summary> +## The prefix of the user role (e.g., user +## is the prefix for user_r). +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role. 
+## </summary> +## </param> +# +interface(`seunshare_role_template',` + gen_require(` + attribute seunshare_domain; + type seunshare_exec_t; + ') + + type $1_seunshare_t, seunshare_domain; + application_domain($1_seunshare_t, seunshare_exec_t) + role $2 types $1_seunshare_t; + + mls_process_set_level($1_seunshare_t) + + domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t) + sandbox_transition($1_seunshare_t, $2) + + ps_process_pattern($3, $1_seunshare_t) + allow $3 $1_seunshare_t:process signal_perms; + + allow $1_seunshare_t $3:process transition; + dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh }; + + ifdef(`hide_broken_symptoms', ` + dontaudit $1_seunshare_t $3:socket_class_set { read write }; + ') +') diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te new file mode 100644 index 0000000..e5ef7b3 --- /dev/null +++ b/policy/modules/apps/seunshare.te 
@@ -0,0 +1,49 @@ +policy_module(seunshare, 1.1.0) + +######################################## +# +# Declarations +# + +attribute seunshare_domain; +type seunshare_exec_t; + +######################################## +# +# seunshare local policy +# +allow seunshare_domain self:capability { fowner setuid dac_override setpcap sys_admin sys_nice }; +allow seunshare_domain self:process { fork setexec signal getcap setcap setsched }; + +allow seunshare_domain self:fifo_file rw_file_perms; +allow seunshare_domain self:unix_stream_socket create_stream_socket_perms; + +kernel_read_system_state(seunshare_domain) + +corecmd_exec_shell(seunshare_domain) +corecmd_exec_bin(seunshare_domain) + +files_search_all(seunshare_domain) +files_read_etc_files(seunshare_domain) +files_mounton_all_poly_members(seunshare_domain) + +fs_manage_cgroup_dirs(seunshare_domain) +fs_manage_cgroup_files(seunshare_domain) + +auth_use_nsswitch(seunshare_domain) + +logging_send_syslog_msg(seunshare_domain) + +miscfiles_read_localization(seunshare_domain) + +userdom_use_user_terminals(seunshare_domain) + +ifdef(`hide_broken_symptoms', ` + fs_dontaudit_rw_anon_inodefs_files(seunshare_domain) + fs_dontaudit_list_inotifyfs(seunshare_domain) + + optional_policy(` + mozilla_dontaudit_manage_user_home_files(seunshare_domain) + ') +') + diff --git a/policy/modules/apps/slocate.fc b/policy/modules/apps/slocate.fc new file mode 100644 index 0000000..1951c4b --- /dev/null +++ b/policy/modules/apps/slocate.fc @@ -0,0 +1,2 @@ +/usr/bin/updatedb -- gen_context(system_u:object_r:locate_exec_t, s0) +/var/lib/[sm]locate(/.*)? gen_context(system_u:object_r:locate_var_lib_t,s0) diff --git a/policy/modules/apps/slocate.if b/policy/modules/apps/slocate.if new file mode 100644 index 0000000..b7505a0 --- /dev/null +++ b/policy/modules/apps/slocate.if 
@@ -0,0 +1,41 @@ +## <summary>Update database for mlocate</summary> + +######################################## +## <summary> +## Create the locate log with append mode. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`slocate_create_append_log',` + gen_require(` + type locate_log_t; + ') + + logging_search_logs($1) + create_files_pattern($1, locate_log_t, locate_log_t) + append_files_pattern($1, locate_log_t, locate_log_t) +') + +######################################## +## <summary> +## Read locate lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`locate_read_lib_files',` + gen_require(` + type locate_var_lib_t; + ') + + read_files_pattern($1, locate_var_lib_t, locate_var_lib_t) + allow $1 locate_var_lib_t:dir list_dir_perms; + files_search_var_lib($1) +') diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te new file mode 100644 index 0000000..3d2ef30 --- /dev/null +++ b/policy/modules/apps/slocate.te 
@@ -0,0 +1,70 @@ +policy_module(slocate, 1.9.1) + +################################# +# +# Declarations +# + +type locate_t; +type locate_exec_t; +init_system_domain(locate_t, locate_exec_t) + +type locate_log_t; +logging_log_file(locate_log_t) + +type locate_var_lib_t; +files_type(locate_var_lib_t) + +######################################## +# +# Local policy +# + +allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid }; +allow locate_t self:process { execmem execheap execstack signal }; +allow locate_t self:fifo_file rw_fifo_file_perms; +allow locate_t self:unix_stream_socket create_socket_perms; + +manage_dirs_pattern(locate_t, locate_var_lib_t, locate_var_lib_t) +manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t) + +kernel_read_system_state(locate_t) +kernel_dontaudit_search_network_state(locate_t) +kernel_dontaudit_search_sysctl(locate_t) + +corecmd_exec_bin(locate_t) + +dev_getattr_all_blk_files(locate_t) +dev_getattr_all_chr_files(locate_t) + +files_list_all(locate_t) +files_dontaudit_read_all_symlinks(locate_t) +files_getattr_all_files(locate_t) +files_getattr_all_pipes(locate_t) +files_getattr_all_sockets(locate_t) +files_read_etc_runtime_files(locate_t) +files_read_etc_files(locate_t) + +fs_getattr_all_fs(locate_t) +fs_getattr_all_files(locate_t) +fs_getattr_all_pipes(locate_t) +fs_getattr_all_symlinks(locate_t) +fs_getattr_all_blk_files(locate_t) +fs_getattr_all_chr_files(locate_t) +fs_list_all(locate_t) +fs_list_inotifyfs(locate_t) +fs_read_noxattr_fs_symlinks(locate_t) + +# getpwnam +auth_use_nsswitch(locate_t) + +miscfiles_read_localization(locate_t) + +ifdef(`enable_mls',` + # On MLS machines will not be allowed to getattr Anything but SystemLow + files_dontaudit_getattr_all_dirs(locate_t) +') + +optional_policy(` + cron_system_entry(locate_t, locate_exec_t) +') diff --git a/policy/modules/apps/telepathy.fc b/policy/modules/apps/telepathy.fc new file mode 100644 index 0000000..809bb65 --- /dev/null 
+++ b/policy/modules/apps/telepathy.fc @@ -0,0 +1,15 @@ +HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0) +HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0) +HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) +HOME_DIR/.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0) + +/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0) + +/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) +/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t, s0) +/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) +/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t, s0) +/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0) +/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0) +/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0) +/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if new file mode 100644 index 0000000..3d12484 --- /dev/null +++ b/policy/modules/apps/telepathy.if 
@@ -0,0 +1,188 @@ + +## <summary>Telepathy framework.</summary> + +####################################### +## <summary> +## Creates basic types for telepathy +## domain +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. +## </summary> +## </param> +# +# +template(`telepathy_domain_template',` + + gen_require(` + attribute telepathy_domain; + attribute telepathy_executable; + ') + + type telepathy_$1_t, telepathy_domain; + type telepathy_$1_exec_t, telepathy_executable; + application_domain(telepathy_$1_t, telepathy_$1_exec_t) + ubac_constrained(telepathy_$1_t) + + type telepathy_$1_tmp_t; + files_tmp_file(telepathy_$1_tmp_t) + ubac_constrained(telepathy_$1_tmp_t) + + dbus_session_domain(telepathy_$1_t, telepathy_$1_exec_t) +') + +####################################### +## <summary> +## Role access for telepathy domains +### that executes via dbus-session +## </summary> +## <param name="user_role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the user domain. +## </summary> +## </param> +# +template(`telepathy_dbus_session_role', ` + gen_require(` + attribute telepathy_domain; + ') + + role $1 types telepathy_domain; + + allow $2 telepathy_domain:process { ptrace signal_perms }; + ps_process_pattern($2, telepathy_domain) + + optional_policy(` + telepathy_dbus_chat($2) + ') + + telepathy_gabble_stream_connect($2) + telepathy_msn_stream_connect($2) + telepathy_salut_stream_connect($2) +') + +######################################## +## <summary> +## Send DBus messages to and from +## all Telepathy domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`telepathy_dbus_chat', ` + gen_require(` + attribute telepathy_domain; + class dbus send_msg; + ') + + allow $1 telepathy_domain:dbus send_msg; + allow telepathy_domain $1:dbus send_msg; +') + +######################################## +## <summary> +## Send DBus messages to and from +## Telepathy Gabble. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`telepathy_gabble_dbus_chat', ` + gen_require(` + type telepathy_gabble_t; + class dbus send_msg; + ') + + allow $1 telepathy_gabble_t:dbus send_msg; + allow telepathy_gabble_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Read and write Telepathy Butterfly +## temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`telepathy_butterfly_rw_tmp_files', ` + gen_require(` + type telepathy_butterfly_tmp_t; + ') + + allow $1 telepathy_butterfly_tmp_t:file rw_file_perms; + files_search_tmp($1) +') + +######################################## +## <summary> +## Stream connect to Telepathy Gabble +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`telepathy_gabble_stream_connect', ` + gen_require(` + type telepathy_gabble_t, telepathy_gabble_tmp_t; + ') + + stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t) + files_search_tmp($1) +') + +####################################### +## <summary> +## Stream connect to telepathy MSN managers +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`telepathy_msn_stream_connect', ` + gen_require(` + type telepathy_msn_t, telepathy_msn_tmp_t; + ') + + stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t) + files_search_tmp($1) +') + + +######################################## +## <summary> +## Stream connect to Telepathy Salut +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`telepathy_salut_stream_connect', ` + gen_require(` + type telepathy_salut_t, telepathy_salut_tmp_t; + ') + + stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) + files_search_tmp($1) +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te new file mode 100644 index 0000000..0b28cf8 --- /dev/null +++ b/policy/modules/apps/telepathy.te 
@@ -0,0 +1,329 @@ + +policy_module(telepathy, 1.0.0) + +######################################## +# +# Declarations. +# + +## <desc> +## <p> +## Allow the Telepathy connection managers +## to connect to any generic TCP port. +## </p> +## </desc> +gen_tunable(telepathy_tcp_connect_generic_network_ports, false) + +attribute telepathy_domain; +attribute telepathy_executable; + +telepathy_domain_template(gabble) + +type telepathy_gabble_cache_home_t; +userdom_user_home_content(telepathy_gabble_cache_home_t) + +telepathy_domain_template(idle) +telepathy_domain_template(mission_control) + +type telepathy_mission_control_home_t; +userdom_user_home_content(telepathy_mission_control_home_t) + +type telepathy_mission_control_cache_home_t; +userdom_user_home_content(telepathy_mission_control_cache_home_t) + +type telepathy_sunshine_home_t; +userdom_user_home_content(telepathy_sunshine_home_t) + +telepathy_domain_template(msn) +telepathy_domain_template(salut) +telepathy_domain_template(sofiasip) +telepathy_domain_template(stream_engine) +telepathy_domain_template(sunshine) + +####################################### +# +# Telepathy Butterfly and Haze local policy. 
+# + +allow telepathy_msn_t self:process setsched; +allow telepathy_msn_t self:netlink_route_socket create_netlink_socket_perms; +allow telepathy_msn_t self:unix_dgram_socket { write create connect }; + +manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) +manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) +manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) +exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) +files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) +userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) +userdom_dontaudit_setattr_user_tmp(telepathy_msn_t) +can_exec(telepathy_msn_t, telepathy_msn_tmp_t) + +corenet_sendrecv_http_client_packets(telepathy_msn_t) +corenet_sendrecv_mmcc_client_packets(telepathy_msn_t) +corenet_sendrecv_msnp_client_packets(telepathy_msn_t) +corenet_tcp_connect_http_port(telepathy_msn_t) +corenet_tcp_connect_mmcc_port(telepathy_msn_t) +corenet_tcp_connect_msnp_port(telepathy_msn_t) +corenet_tcp_connect_sametime_port(telepathy_msn_t) + +corecmd_exec_bin(telepathy_msn_t) +corecmd_exec_shell(telepathy_msn_t) +corecmd_read_bin_symlinks(telepathy_msn_t) + +dev_read_urand(telepathy_msn_t) + +files_read_etc_files(telepathy_msn_t) +files_read_usr_files(telepathy_msn_t) + +auth_use_nsswitch(telepathy_msn_t) + +init_read_state(telepathy_msn_t) + +libs_exec_ldconfig(telepathy_msn_t) + +logging_send_syslog_msg(telepathy_msn_t) + +miscfiles_read_all_certs(telepathy_msn_t) + +sysnet_read_config(telepathy_msn_t) + +optional_policy(` + dbus_system_bus_client(telepathy_msn_t) + optional_policy(` + networkmanager_dbus_chat(telepathy_msn_t) + ') +') + +optional_policy(` + gnome_read_gconf_home_files(telepathy_msn_t) +') + +####################################### +# +# Telepathy Gabble local policy. 
+# + +allow telepathy_gabble_t self:netlink_route_socket create_netlink_socket_perms; +allow telepathy_gabble_t self:tcp_socket { listen accept }; +allow telepathy_gabble_t self:unix_dgram_socket { write read create getattr sendto }; + +manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) +manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) +files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file }) + +# ~/.cache/gabble/caps-cache.db-journal +optional_policy(` + manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) + manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) + gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, { dir file }) +') + +corenet_sendrecv_commplex_client_packets(telepathy_gabble_t) +corenet_sendrecv_http_client_packets(telepathy_gabble_t) +corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t) +corenet_sendrecv_vnc_client_packets(telepathy_gabble_t) + +corenet_tcp_connect_commplex_port(telepathy_gabble_t) +corenet_tcp_connect_http_port(telepathy_gabble_t) +corenet_tcp_connect_jabber_client_port(telepathy_gabble_t) +corenet_tcp_connect_vnc_port(telepathy_gabble_t) + +dev_read_rand(telepathy_gabble_t) +dev_read_urand(telepathy_gabble_t) + +files_read_config_files(telepathy_gabble_t) +files_read_usr_files(telepathy_gabble_t) + +miscfiles_read_all_certs(telepathy_gabble_t) + +sysnet_read_config(telepathy_gabble_t) + +optional_policy(` + dbus_system_bus_client(telepathy_gabble_t) +') + +tunable_policy(`use_nfs_home_dirs', ` + fs_manage_nfs_dirs(telepathy_gabble_t) + fs_manage_nfs_files(telepathy_gabble_t) +') + +tunable_policy(`use_samba_home_dirs', ` + fs_manage_cifs_dirs(telepathy_gabble_t) + fs_manage_cifs_files(telepathy_gabble_t) +') + +####################################### +# +# Telepathy Idle local policy. 
+# + +allow telepathy_idle_t self:netlink_route_socket create_netlink_socket_perms; + +corenet_sendrecv_ircd_client_packets(telepathy_idle_t) +corenet_tcp_connect_ircd_port(telepathy_idle_t) + +files_read_etc_files(telepathy_idle_t) + +sysnet_read_config(telepathy_idle_t) + +####################################### +# +# Telepathy Mission-Control local policy. +# + +manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) +manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) +userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file }) +userdom_search_user_home_dirs(telepathy_mission_control_t) + +dev_read_rand(telepathy_mission_control_t) + +files_read_etc_files(telepathy_mission_control_t) +files_read_usr_files(telepathy_mission_control_t) + +tunable_policy(`use_nfs_home_dirs', ` + fs_manage_nfs_dirs(telepathy_mission_control_t) + fs_manage_nfs_files(telepathy_mission_control_t) +') + +tunable_policy(`use_samba_home_dirs', ` + fs_manage_cifs_dirs(telepathy_mission_control_t) + fs_manage_cifs_files(telepathy_mission_control_t) +') + +auth_use_nsswitch(telepathy_mission_control_t) + +# ~/.cache/.mc_connections. +optional_policy(` + manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) + gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file) +') + +optional_policy(` + gnome_read_gconf_home_files(telepathy_mission_control_t) + gnome_setattr_cache_home_dir(telepathy_mission_control_t) + gnome_read_generic_cache_files(telepathy_mission_control_t) +') + +####################################### +# +# Telepathy Salut local policy. 
+# + +allow telepathy_salut_t self:netlink_route_socket create_netlink_socket_perms; +allow telepathy_salut_t self:tcp_socket { accept listen }; + +manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t) +files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file) + +corenet_sendrecv_presence_server_packets(telepathy_salut_t) +corenet_tcp_bind_presence_port(telepathy_salut_t) +corenet_tcp_connect_presence_port(telepathy_salut_t) + +dev_read_urand(telepathy_salut_t) + +files_read_etc_files(telepathy_salut_t) + +sysnet_read_config(telepathy_salut_t) + +optional_policy(` + dbus_system_bus_client(telepathy_salut_t) + + optional_policy(` + avahi_dbus_chat(telepathy_salut_t) + ') +') + +####################################### +# +# Telepathy Sofiasip local policy. +# + +allow telepathy_sofiasip_t self:netlink_route_socket create_netlink_socket_perms; +allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen }; +allow telepathy_sofiasip_t self:tcp_socket { listen }; + +corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t) +corenet_tcp_connect_sip_port(telepathy_sofiasip_t) + +dev_read_urand(telepathy_sofiasip_t) + +kernel_request_load_module(telepathy_sofiasip_t) + +sysnet_read_config(telepathy_sofiasip_t) + +####################################### +# +# Telepathy Sunshine local policy. 
+# +manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t) +manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t) +userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file }) +userdom_search_user_home_dirs(telepathy_sunshine_t) + +manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t) +exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t) +files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file) + +corecmd_exec_bin(telepathy_sunshine_t) + +dev_read_urand(telepathy_sunshine_t) + +files_read_etc_files(telepathy_sunshine_t) +files_read_usr_files(telepathy_sunshine_t) + +optional_policy(` + xserver_read_xdm_pid(telepathy_sunshine_t) + xserver_stream_connect(telepathy_sunshine_t) +') + +####################################### +# +# telepathy domains common policy +# + +allow telepathy_domain self:process { getsched signal sigkill }; +allow telepathy_domain self:fifo_file rw_fifo_file_perms; +allow telepathy_domain self:tcp_socket create_socket_perms; +allow telepathy_domain self:udp_socket create_socket_perms; + +corenet_all_recvfrom_netlabel(telepathy_domain) +corenet_all_recvfrom_unlabeled(telepathy_domain) +corenet_raw_bind_generic_node(telepathy_domain) +corenet_raw_sendrecv_generic_if(telepathy_domain) +corenet_raw_sendrecv_generic_node(telepathy_domain) +corenet_tcp_bind_generic_node(telepathy_domain) +corenet_tcp_sendrecv_generic_if(telepathy_domain) +corenet_tcp_sendrecv_generic_node(telepathy_domain) +corenet_udp_bind_generic_node(telepathy_domain) + +kernel_read_system_state(telepathy_domain) + +fs_search_auto_mountpoints(telepathy_domain) + +miscfiles_read_localization(telepathy_domain) + +# This interface does not facilitate files_search_tmp which appears to be a bug. 
+userdom_stream_connect(telepathy_domain) +userdom_use_user_terminals(telepathy_domain) + +tunable_policy(`telepathy_tcp_connect_generic_network_ports', ` + corenet_tcp_connect_generic_port(telepathy_domain) + corenet_sendrecv_generic_client_packets(telepathy_domain) +') + +optional_policy(` + automount_dontaudit_getattr_tmp_dirs(telepathy_domain) +') + +optional_policy(` + nis_use_ypbind(telepathy_domain) +') + +optional_policy(` + telepathy_dbus_chat(telepathy_domain) +') + +optional_policy(` + xserver_rw_xdm_pipes(telepathy_domain) +') diff --git a/policy/modules/apps/thunderbird.fc b/policy/modules/apps/thunderbird.fc new file mode 100644 index 0000000..fb43a7b --- /dev/null +++ b/policy/modules/apps/thunderbird.fc @@ -0,0 +1,6 @@ +# +# /usr +# +/usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) + +HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:thunderbird_home_t,s0) diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if new file mode 100644 index 0000000..a76e9f9 --- /dev/null +++ b/policy/modules/apps/thunderbird.if 
@@ -0,0 +1,63 @@ +## <summary>Thunderbird email client</summary> + +######################################## +## <summary> +## Role access for thunderbird +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`thunderbird_role',` + gen_require(` + type thunderbird_t, thunderbird_exec_t; + type thunderbird_home_t, thunderbird_tmpfs_t; + ') + + role $1 types thunderbird_t; + + domain_auto_trans($2, thunderbird_exec_t, thunderbird_t) + allow $2 thunderbird_t:fd use; + allow $2 thunderbird_t:shm { associate getattr }; + allow $2 thunderbird_t:unix_stream_socket connectto; + allow thunderbird_t $2:fd use; + allow thunderbird_t $2:process sigchld; + allow thunderbird_t $2:unix_stream_socket connectto; + + # allow ps to show thunderbird and allow the user to kill it + ps_process_pattern($2, thunderbird_t) + allow $2 thunderbird_t:process signal; + + # Access ~/.thunderbird + manage_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t) + manage_files_pattern($2, thunderbird_home_t, thunderbird_home_t) + manage_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t) + relabel_dirs_pattern($2, thunderbird_home_t, thunderbird_home_t) + relabel_files_pattern($2, thunderbird_home_t, thunderbird_home_t) + relabel_lnk_files_pattern($2, thunderbird_home_t, thunderbird_home_t) +') + +######################################## +## <summary> +## Run thunderbird in the user thunderbird domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`thunderbird_domtrans',` + gen_require(` + type thunderbird_t, thunderbird_exec_t; + ') + + domtrans_pattern($1, thunderbird_exec_t, thunderbird_t) +') diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te new file mode 100644 index 0000000..794c0be --- /dev/null 
+++ b/policy/modules/apps/thunderbird.te 
@@ -0,0 +1,210 @@ +policy_module(thunderbird, 2.1.1) + +######################################## +# +# Declarations +# + +type thunderbird_t; +type thunderbird_exec_t; +typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t }; +typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t }; +application_domain(thunderbird_t, thunderbird_exec_t) +ubac_constrained(thunderbird_t) + +type thunderbird_home_t; +typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t }; +typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t }; +userdom_user_home_content(thunderbird_home_t) + +type thunderbird_tmpfs_t; +typealias thunderbird_tmpfs_t alias { user_thunderbird_tmpfs_t staff_thunderbird_tmpfs_t sysadm_thunderbird_tmpfs_t }; +typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t secadm_thunderbird_tmpfs_t }; +files_tmpfs_file(thunderbird_tmpfs_t) +ubac_constrained(thunderbird_tmpfs_t) + +######################################## +# +# Local policy +# + +allow thunderbird_t self:capability sys_nice; +allow thunderbird_t self:process { signal_perms setsched getsched execheap execmem execstack }; +allow thunderbird_t self:fifo_file { ioctl read write getattr }; +allow thunderbird_t self:unix_dgram_socket { create connect }; +allow thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind }; +allow thunderbird_t self:tcp_socket create_socket_perms; +allow thunderbird_t self:shm { read write create destroy unix_read unix_write }; + +# Access ~/.thunderbird +manage_dirs_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) +manage_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) +manage_lnk_files_pattern(thunderbird_t, thunderbird_home_t, thunderbird_home_t) +userdom_search_user_home_dirs(thunderbird_t) + +manage_files_pattern(thunderbird_t, thunderbird_tmpfs_t, 
thunderbird_tmpfs_t) +manage_lnk_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) +manage_fifo_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) +manage_sock_files_pattern(thunderbird_t, thunderbird_tmpfs_t, thunderbird_tmpfs_t) +fs_tmpfs_filetrans(thunderbird_t, thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + +# Allow netstat +kernel_read_network_state(thunderbird_t) +kernel_read_net_sysctls(thunderbird_t) +kernel_read_system_state(thunderbird_t) + +# Startup shellscript +corecmd_exec_shell(thunderbird_t) + +corenet_all_recvfrom_unlabeled(thunderbird_t) +corenet_all_recvfrom_netlabel(thunderbird_t) +corenet_tcp_sendrecv_generic_if(thunderbird_t) +corenet_tcp_sendrecv_generic_node(thunderbird_t) +corenet_tcp_sendrecv_ipp_port(thunderbird_t) +corenet_tcp_sendrecv_ldap_port(thunderbird_t) +corenet_tcp_sendrecv_innd_port(thunderbird_t) +corenet_tcp_sendrecv_smtp_port(thunderbird_t) +corenet_tcp_sendrecv_pop_port(thunderbird_t) +corenet_tcp_sendrecv_http_port(thunderbird_t) +corenet_tcp_connect_ipp_port(thunderbird_t) +corenet_tcp_connect_ldap_port(thunderbird_t) +corenet_tcp_connect_innd_port(thunderbird_t) +corenet_tcp_connect_smtp_port(thunderbird_t) +corenet_tcp_connect_pop_port(thunderbird_t) +corenet_tcp_connect_http_port(thunderbird_t) +corenet_sendrecv_ipp_client_packets(thunderbird_t) +corenet_sendrecv_ldap_client_packets(thunderbird_t) +corenet_sendrecv_innd_client_packets(thunderbird_t) +corenet_sendrecv_smtp_client_packets(thunderbird_t) +corenet_sendrecv_pop_client_packets(thunderbird_t) +corenet_sendrecv_http_client_packets(thunderbird_t) + +dev_read_urand(thunderbird_t) +dev_dontaudit_search_sysfs(thunderbird_t) + +files_list_tmp(thunderbird_t) +files_read_usr_files(thunderbird_t) +files_read_etc_files(thunderbird_t) +files_read_etc_runtime_files(thunderbird_t) +files_read_var_files(thunderbird_t) +files_read_var_symlinks(thunderbird_t) +files_dontaudit_getattr_all_tmp_files(thunderbird_t) 
+files_dontaudit_getattr_boot_dirs(thunderbird_t) +files_dontaudit_getattr_lost_found_dirs(thunderbird_t) +files_dontaudit_search_mnt(thunderbird_t) + +fs_getattr_xattr_fs(thunderbird_t) +fs_list_inotifyfs(thunderbird_t) +# Access ~/.thunderbird +fs_search_auto_mountpoints(thunderbird_t) + +auth_use_nsswitch(thunderbird_t) + +miscfiles_read_fonts(thunderbird_t) +miscfiles_read_localization(thunderbird_t) + +userdom_manage_user_tmp_dirs(thunderbird_t) +userdom_read_user_tmp_files(thunderbird_t) +userdom_manage_user_tmp_sockets(thunderbird_t) +# .kde/....gtkrc +userdom_read_user_home_content_files(thunderbird_t) + +xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t) +xserver_read_xdm_tmp_files(thunderbird_t) +xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t) + +# Access ~/.thunderbird +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(thunderbird_t) + fs_manage_nfs_files(thunderbird_t) + fs_manage_nfs_symlinks(thunderbird_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(thunderbird_t) + fs_manage_cifs_files(thunderbird_t) + fs_manage_cifs_symlinks(thunderbird_t) +') + +tunable_policy(`mail_read_content && use_nfs_home_dirs',` + files_list_home(thunderbird_t) + + fs_list_auto_mountpoints(thunderbird_t) + fs_read_nfs_files(thunderbird_t) + fs_read_nfs_symlinks(thunderbird_t) +',` + files_dontaudit_list_home(thunderbird_t) + + fs_dontaudit_list_auto_mountpoints(thunderbird_t) + fs_dontaudit_list_nfs(thunderbird_t) + fs_dontaudit_read_nfs_files(thunderbird_t) +') + +tunable_policy(`mail_read_content && use_samba_home_dirs',` + files_list_home(thunderbird_t) + + fs_list_auto_mountpoints(thunderbird_t) + fs_read_cifs_files(thunderbird_t) + fs_read_cifs_symlinks(thunderbird_t) +',` + files_dontaudit_list_home(thunderbird_t) + + fs_dontaudit_list_auto_mountpoints(thunderbird_t) + fs_dontaudit_read_cifs_files(thunderbird_t) + fs_dontaudit_list_cifs(thunderbird_t) +') + +tunable_policy(`mail_read_content',` + 
userdom_list_user_tmp(thunderbird_t) + userdom_read_user_tmp_files(thunderbird_t) + userdom_read_user_tmp_symlinks(thunderbird_t) + userdom_search_user_home_dirs(thunderbird_t) + userdom_read_user_home_content_files(thunderbird_t) + + ifndef(`enable_mls',` + fs_search_removable(thunderbird_t) + fs_read_removable_files(thunderbird_t) + fs_read_removable_symlinks(thunderbird_t) + ') +',` + files_dontaudit_list_tmp(thunderbird_t) + files_dontaudit_list_home(thunderbird_t) + + fs_dontaudit_list_removable(thunderbird_t) + fs_dontaudit_read_removable_files(thunderbird_t) + + userdom_dontaudit_list_user_tmp(thunderbird_t) + userdom_dontaudit_read_user_tmp_files(thunderbird_t) + userdom_dontaudit_list_user_home_dirs(thunderbird_t) + userdom_dontaudit_read_user_home_content_files(thunderbird_t) +') + +optional_policy(` + dbus_system_bus_client(thunderbird_t) + dbus_session_bus_client(thunderbird_t) +') + +optional_policy(` + cups_read_rw_config(thunderbird_t) + cups_dbus_chat(thunderbird_t) +') + +optional_policy(` + gnome_stream_connect_gconf(thunderbird_t) + gnome_domtrans_gconfd(thunderbird_t) + gnome_manage_config(thunderbird_t) +') + +optional_policy(` + gpg_domtrans(thunderbird_t) +') + +optional_policy(` + lpd_domtrans_lpr(thunderbird_t) +') + +optional_policy(` + mozilla_read_user_home_files(thunderbird_t) + mozilla_domtrans(thunderbird_t) + mozilla_dbus_chat(thunderbird_t) +') diff --git a/policy/modules/apps/tvtime.fc b/policy/modules/apps/tvtime.fc new file mode 100644 index 0000000..8698a61 --- /dev/null +++ b/policy/modules/apps/tvtime.fc @@ -0,0 +1,5 @@ +# +# /usr +# +/usr/bin/tvtime -- gen_context(system_u:object_r:tvtime_exec_t,s0) + diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if new file mode 100644 index 0000000..8d89f21 --- /dev/null +++ b/policy/modules/apps/tvtime.if 
@@ -0,0 +1,40 @@ +## <summary> tvtime - a high quality television application </summary> + +######################################## +## <summary> +## Role access for tvtime +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`tvtime_role',` + gen_require(` + type tvtime_t, tvtime_exec_t; + type tvtime_home_t, tvtime_tmpfs_t; + ') + + role $1 types tvtime_t; + + # Type transition + domtrans_pattern($2, tvtime_exec_t, tvtime_t) + + # X access, Home files + manage_dirs_pattern($2, tvtime_home_t, tvtime_home_t) + manage_files_pattern($2, tvtime_home_t, tvtime_home_t) + manage_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t) + relabel_dirs_pattern($2, tvtime_home_t, tvtime_home_t) + relabel_files_pattern($2, tvtime_home_t, tvtime_home_t) + relabel_lnk_files_pattern($2, tvtime_home_t, tvtime_home_t) + + # Allow the user domain to signal/ps. + ps_process_pattern($2, tvtime_t) + allow $2 tvtime_t:process signal_perms; +') diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te new file mode 100644 index 0000000..e926470 --- /dev/null +++ b/policy/modules/apps/tvtime.te 
@@ -0,0 +1,93 @@ +policy_module(tvtime, 2.0.1) + +######################################## +# +# Declarations +# + +type tvtime_t; +type tvtime_exec_t; +typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t }; +typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t }; +application_domain(tvtime_t, tvtime_exec_t) +ubac_constrained(tvtime_t) + +type tvtime_home_t alias tvtime_rw_t; +typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t }; +typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t }; +userdom_user_home_content(tvtime_home_t) + +type tvtime_tmp_t; +typealias tvtime_tmp_t alias { user_tvtime_tmp_t staff_tvtime_tmp_t sysadm_tvtime_tmp_t }; +typealias tvtime_tmp_t alias { auditadm_tvtime_tmp_t secadm_tvtime_tmp_t }; +files_tmp_file(tvtime_tmp_t) +ubac_constrained(tvtime_tmp_t) + +type tvtime_tmpfs_t; +typealias tvtime_tmpfs_t alias { user_tvtime_tmpfs_t staff_tvtime_tmpfs_t sysadm_tvtime_tmpfs_t }; +typealias tvtime_tmpfs_t alias { auditadm_tvtime_tmpfs_t secadm_tvtime_tmpfs_t }; +files_tmpfs_file(tvtime_tmpfs_t) +ubac_constrained(tvtime_tmpfs_t) + +######################################## +# +# Local policy +# + +allow tvtime_t self:capability { setuid sys_nice sys_resource }; +allow tvtime_t self:process setsched; +allow tvtime_t self:unix_dgram_socket rw_socket_perms; +allow tvtime_t self:unix_stream_socket rw_stream_socket_perms; + +# X access, Home files +manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) +manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) +manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) +userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir) + +manage_dirs_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t) +manage_files_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t) +files_tmp_filetrans(tvtime_t, tvtime_tmp_t,{ file dir }) + +manage_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) 
+manage_lnk_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) +manage_fifo_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) +manage_sock_files_pattern(tvtime_t, tvtime_tmpfs_t, tvtime_tmpfs_t) +fs_tmpfs_filetrans(tvtime_t, tvtime_tmpfs_t,{ file lnk_file sock_file fifo_file }) + +kernel_read_all_sysctls(tvtime_t) +kernel_get_sysvipc_info(tvtime_t) + +dev_read_urand(tvtime_t) +dev_read_realtime_clock(tvtime_t) +dev_read_sound(tvtime_t) + +files_read_usr_files(tvtime_t) +files_search_pids(tvtime_t) +# Read /etc/tvtime +files_read_etc_files(tvtime_t) + +# X access, Home files +fs_search_auto_mountpoints(tvtime_t) + +miscfiles_read_localization(tvtime_t) +miscfiles_read_fonts(tvtime_t) + +userdom_use_user_terminals(tvtime_t) +userdom_read_user_home_content_files(tvtime_t) + +# X access, Home files +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(tvtime_t) + fs_manage_nfs_files(tvtime_t) + fs_manage_nfs_symlinks(tvtime_t) +') +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(tvtime_t) + fs_manage_cifs_files(tvtime_t) + fs_manage_cifs_symlinks(tvtime_t) +') + +optional_policy(` + xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t) +') diff --git a/policy/modules/apps/uml.fc b/policy/modules/apps/uml.fc new file mode 100644 index 0000000..b8b9520 --- /dev/null +++ b/policy/modules/apps/uml.fc @@ -0,0 +1,14 @@ +# +# HOME_DIR/ +# +HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:uml_rw_t,s0) + +# +# /usr +# +/usr/bin/uml_switch -- gen_context(system_u:object_r:uml_switch_exec_t,s0) + +# +# /var +# +/var/run/uml-utilities(/.*)? gen_context(system_u:object_r:uml_switch_var_run_t,s0) diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if new file mode 100644 index 0000000..d2ab7cb --- /dev/null +++ b/policy/modules/apps/uml.if 
@@ -0,0 +1,99 @@ +## <summary>Policy for UML</summary> + +######################################## +## <summary> +## Role access for uml +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`uml_role',` + gen_require(` + type uml_t, uml_exec_t; + type uml_ro_t, uml_rw_t, uml_tmp_t; + type uml_devpts_t, uml_tmpfs_t; + ') + + role $1 types uml_t; + + # Transition from the user domain to this domain. + domtrans_pattern($2, uml_exec_t, uml_t) + + # for mconsole + allow $2 uml_t:unix_dgram_socket sendto; + allow uml_t $2:unix_dgram_socket sendto; + + # allow ps, ptrace, signal + ps_process_pattern($2, uml_t) + allow $2 uml_t:process { ptrace signal_perms }; + + allow $2 uml_ro_t:dir list_dir_perms; + read_files_pattern($2, uml_ro_t, uml_ro_t) + read_lnk_files_pattern($2, uml_ro_t, uml_ro_t) + + manage_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + manage_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + manage_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + manage_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + manage_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + relabel_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + relabel_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + relabel_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + relabel_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + relabel_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t }) + + manage_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) + manage_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) + relabel_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t 
uml_exec_t }) + relabel_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t }) + + manage_dirs_pattern($2, uml_tmp_t, uml_tmp_t) + manage_files_pattern($2, uml_tmp_t, uml_tmp_t) + manage_lnk_files_pattern($2, uml_tmp_t, uml_tmp_t) + manage_sock_files_pattern($2, uml_tmp_t, uml_tmp_t) +') + +######################################## +## <summary> +## Set attributes on uml utility socket files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`uml_setattr_util_sockets',` + gen_require(` + type uml_switch_var_run_t; + ') + + allow $1 uml_switch_var_run_t:sock_file setattr; +') + +######################################## +## <summary> +## Manage uml utility files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`uml_manage_util_files',` + gen_require(` + type uml_switch_var_run_t; + ') + + manage_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t) + manage_lnk_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t) +') diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te new file mode 100644 index 0000000..2df1343 --- /dev/null +++ b/policy/modules/apps/uml.te 
@@ -0,0 +1,191 @@ +policy_module(uml, 2.1.0) + +######################################## +# +# Declarations +# + +type uml_t; +type uml_exec_t; +typealias uml_t alias { user_uml_t staff_uml_t sysadm_uml_t }; +typealias uml_t alias { auditadm_uml_t secadm_uml_t }; +application_domain(uml_t, uml_exec_t) +ubac_constrained(uml_t) + +type uml_ro_t; +typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t }; +typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t }; +userdom_user_home_content(uml_ro_t) + +type uml_rw_t; +typealias uml_rw_t alias { user_uml_rw_t staff_uml_rw_t sysadm_uml_rw_t }; +typealias uml_rw_t alias { auditadm_uml_rw_t secadm_uml_rw_t }; +userdom_user_home_content(uml_rw_t) + +type uml_tmp_t; +typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t }; +typealias uml_tmp_t alias { auditadm_uml_tmp_t secadm_uml_tmp_t }; +files_tmp_file(uml_tmp_t) +ubac_constrained(uml_tmp_t) + +type uml_tmpfs_t; +typealias uml_tmpfs_t alias { user_uml_tmpfs_t staff_uml_tmpfs_t sysadm_uml_tmpfs_t }; +typealias uml_tmpfs_t alias { auditadm_uml_tmpfs_t secadm_uml_tmpfs_t }; +files_tmpfs_file(uml_tmpfs_t) +ubac_constrained(uml_tmpfs_t) + +type uml_devpts_t; +typealias uml_devpts_t alias { user_uml_devpts_t staff_uml_devpts_t sysadm_uml_devpts_t }; +typealias uml_devpts_t alias { auditadm_uml_devpts_t secadm_uml_devpts_t }; +term_pty(uml_devpts_t) +ubac_constrained(uml_devpts_t) + +type uml_switch_t; +type uml_switch_exec_t; +init_daemon_domain(uml_switch_t, uml_switch_exec_t) + +type uml_switch_var_run_t; +files_pid_file(uml_switch_var_run_t) + +######################################## +# +# Local policy +# + +allow uml_t self:fifo_file rw_fifo_file_perms; +allow uml_t self:process { signal_perms ptrace }; +allow uml_t self:unix_stream_socket create_stream_socket_perms; +allow uml_t self:unix_dgram_socket create_socket_perms; +# Use the network. 
+allow uml_t self:tcp_socket create_stream_socket_perms; +allow uml_t self:udp_socket create_socket_perms; +allow uml_t self:tun_socket create; +# for mconsole +allow uml_t self:unix_dgram_socket sendto; + +# allow the UML thing to happen +allow uml_t uml_devpts_t:chr_file { rw_file_perms setattr }; +term_create_pty(uml_t, uml_devpts_t) + +manage_dirs_pattern(uml_t, uml_tmp_t, uml_tmp_t) +manage_files_pattern(uml_t, uml_tmp_t, uml_tmp_t) +files_tmp_filetrans(uml_t, uml_tmp_t, { file dir }) +can_exec(uml_t, uml_tmp_t) + +manage_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) +manage_lnk_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) +manage_fifo_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) +manage_sock_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t) +fs_tmpfs_filetrans(uml_t, uml_tmpfs_t, { file lnk_file sock_file fifo_file }) +can_exec(uml_t, uml_tmpfs_t) + +# access config files +allow uml_t { uml_ro_t uml_ro_t }:dir list_dir_perms; +read_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t }) +read_lnk_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t }) + +manage_dirs_pattern(uml_t, uml_rw_t, uml_rw_t) +manage_files_pattern(uml_t, uml_rw_t, uml_rw_t) +manage_lnk_files_pattern(uml_t, uml_rw_t, uml_rw_t) +manage_fifo_files_pattern(uml_t, uml_rw_t, uml_rw_t) +manage_sock_files_pattern(uml_t, uml_rw_t, uml_rw_t) +userdom_user_home_dir_filetrans(uml_t, uml_rw_t, { file lnk_file sock_file fifo_file }) + +can_exec(uml_t, { uml_exec_t uml_exec_t }) + +kernel_read_system_state(uml_t) +# for SKAS - need something better +kernel_write_proc_files(uml_t) + +# for xterm +corecmd_exec_bin(uml_t) + +corenet_all_recvfrom_unlabeled(uml_t) +corenet_all_recvfrom_netlabel(uml_t) +corenet_tcp_sendrecv_generic_if(uml_t) +corenet_udp_sendrecv_generic_if(uml_t) +corenet_tcp_sendrecv_generic_node(uml_t) +corenet_udp_sendrecv_generic_node(uml_t) +corenet_tcp_sendrecv_all_ports(uml_t) +corenet_udp_sendrecv_all_ports(uml_t) +corenet_tcp_connect_all_ports(uml_t) 
+corenet_sendrecv_all_client_packets(uml_t) +corenet_rw_tun_tap_dev(uml_t) + +domain_use_interactive_fds(uml_t) + +# for xterm +files_read_etc_files(uml_t) +files_dontaudit_read_etc_runtime_files(uml_t) +# putting uml data under /var is usual... +files_search_var(uml_t) + +fs_getattr_xattr_fs(uml_t) + +init_read_utmp(uml_t) +init_dontaudit_write_utmp(uml_t) + +# for xterm +libs_exec_lib_files(uml_t) + +# Inherit and use descriptors from newrole. +seutil_use_newrole_fds(uml_t) + +# Use the network. +sysnet_read_config(uml_t) + +userdom_use_user_terminals(uml_t) +userdom_attach_admin_tun_iface(uml_t) + +optional_policy(` + nis_use_ypbind(uml_t) +') + +optional_policy(` + virt_attach_tun_iface(uml_t) +') + +######################################## +# +# Local policy +# + +dontaudit uml_switch_t self:capability sys_tty_config; +allow uml_switch_t self:process signal_perms; +allow uml_switch_t self:unix_dgram_socket create_socket_perms; +allow uml_switch_t self:unix_stream_socket create_stream_socket_perms; + +manage_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t) +manage_sock_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t) +files_pid_filetrans(uml_switch_t, uml_switch_var_run_t, file) + +kernel_read_kernel_sysctls(uml_switch_t) +kernel_list_proc(uml_switch_t) +kernel_read_proc_symlinks(uml_switch_t) + +dev_read_sysfs(uml_switch_t) + +domain_use_interactive_fds(uml_switch_t) + +fs_getattr_all_fs(uml_switch_t) +fs_search_auto_mountpoints(uml_switch_t) + +term_dontaudit_use_console(uml_switch_t) + +init_use_fds(uml_switch_t) +init_use_script_ptys(uml_switch_t) + +logging_send_syslog_msg(uml_switch_t) + +miscfiles_read_localization(uml_switch_t) + +userdom_dontaudit_use_unpriv_user_fds(uml_switch_t) +userdom_dontaudit_search_user_home_dirs(uml_switch_t) + +optional_policy(` + seutil_sigchld_newrole(uml_switch_t) +') + +optional_policy(` + udev_read_db(uml_switch_t) +') 
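Review bot: the "access config files" block and the can_exec line in this hunk carry duplicated type sets ({ uml_ro_t uml_ro_t } three times and { uml_exec_t uml_exec_t }), which look like leftovers from folding the per-role $1_uml_* types into the typealias lists at the top of the file; collapse them to the single type, e.g. read_files_pattern(uml_t, uml_ro_t, uml_ro_t) and can_exec(uml_t, uml_exec_t). In the same hunk, manage_dirs_pattern(uml_t, uml_rw_t, uml_rw_t) is granted but dir is missing from the userdom_user_home_dir_filetrans(uml_t, uml_rw_t, { file lnk_file sock_file fifo_file }) class list, so directories uml_t creates in the home directory will not be labelled uml_rw_t; add dir there if the domain is meant to create them. Two smaller points: kernel_write_proc_files(uml_t), under "for SKAS - need something better", grants write on generic proc files to every uml_t process, so if it cannot be narrowed now, record which proc file SKAS actually writes so the grant can be revisited; and the second "# Local policy" header introduces the uml_switch_t rules and should say so.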
diff --git a/policy/modules/apps/userhelper.fc b/policy/modules/apps/userhelper.fc new file mode 100644 index 0000000..cd83b89 --- /dev/null +++ b/policy/modules/apps/userhelper.fc @@ -0,0 +1,10 @@ +# +# /etc +# +/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0) + +# +# /usr +# +/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) +/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if new file mode 100644 index 0000000..2e50976 --- /dev/null +++ b/policy/modules/apps/userhelper.if 
@@ -0,0 +1,317 @@ +## <summary>SELinux utility to run a shell with a new role</summary> + +####################################### +## <summary> +## The role template for the userhelper module. +## </summary> +## <param name="userrole_prefix"> +## <summary> +## The prefix of the user role (e.g., user +## is the prefix for user_r). +## </summary> +## </param> +## <param name="user_role"> +## <summary> +## The user role. +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The user domain associated with the role. +## </summary> +## </param> +# +template(`userhelper_role_template',` + gen_require(` + attribute userhelper_type; + type userhelper_exec_t, userhelper_conf_t; + class dbus send_msg; + ') + + ######################################## + # + # Declarations + # + + type $1_userhelper_t, userhelper_type; + application_domain($1_userhelper_t, userhelper_exec_t) + domain_role_change_exemption($1_userhelper_t) + domain_obj_id_change_exemption($1_userhelper_t) + domain_interactive_fd($1_userhelper_t) + domain_subj_id_change_exemption($1_userhelper_t) + ubac_constrained($1_userhelper_t) + role $2 types $1_userhelper_t; + + ######################################## + # + # Local policy + # + allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config }; + allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1_userhelper_t self:process setexec; + allow $1_userhelper_t self:fd use; + allow $1_userhelper_t self:fifo_file rw_fifo_file_perms; + allow $1_userhelper_t self:shm create_shm_perms; + allow $1_userhelper_t self:sem create_sem_perms; + allow $1_userhelper_t self:msgq create_msgq_perms; + allow $1_userhelper_t self:msg { send receive }; + allow $1_userhelper_t self:unix_dgram_socket create_socket_perms; + allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms; + allow $1_userhelper_t self:unix_dgram_socket 
sendto; + allow $1_userhelper_t self:unix_stream_socket connectto; + allow $1_userhelper_t self:sock_file read_sock_file_perms; + + #Transition to the derived domain. + domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t) + + allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms; + rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t) + + can_exec($1_userhelper_t, userhelper_exec_t) + + dontaudit $3 $1_userhelper_t:process signal; + + kernel_read_all_sysctls($1_userhelper_t) + kernel_getattr_debugfs($1_userhelper_t) + kernel_read_system_state($1_userhelper_t) + + # Execute shells + corecmd_exec_shell($1_userhelper_t) + # By default, revert to the calling domain when a program is executed + corecmd_bin_domtrans($1_userhelper_t, $3) + + # Inherit descriptors from the current session. + domain_use_interactive_fds($1_userhelper_t) + # for when the user types "exec userhelper" at the command line + domain_sigchld_interactive_fds($1_userhelper_t) + + dev_read_urand($1_userhelper_t) + # Read /dev directories and any symbolic links. + dev_list_all_dev_nodes($1_userhelper_t) + + files_list_var_lib($1_userhelper_t) + # Read the /etc/security/default_type file + files_read_etc_files($1_userhelper_t) + # Read /var. + files_read_var_files($1_userhelper_t) + files_read_var_symlinks($1_userhelper_t) + # for some PAM modules and for cwd + files_search_home($1_userhelper_t) + + fs_search_auto_mountpoints($1_userhelper_t) + fs_read_nfs_files($1_userhelper_t) + fs_read_nfs_symlinks($1_userhelper_t) + + # Allow $1_userhelper to obtain contexts to relabel TTYs + selinux_get_fs_mount($1_userhelper_t) + selinux_validate_context($1_userhelper_t) + selinux_compute_access_vector($1_userhelper_t) + selinux_compute_create_context($1_userhelper_t) + selinux_compute_relabel_context($1_userhelper_t) + selinux_compute_user_contexts($1_userhelper_t) + + # Read the devpts root directory. + term_list_ptys($1_userhelper_t) + # Relabel terminals. 
+ term_relabel_all_ttys($1_userhelper_t) + term_relabel_all_ptys($1_userhelper_t) + # Access terminals. + term_use_all_ttys($1_userhelper_t) + term_use_all_ptys($1_userhelper_t) + + auth_domtrans_chk_passwd($1_userhelper_t) + auth_manage_pam_pid($1_userhelper_t) + auth_manage_var_auth($1_userhelper_t) + auth_search_pam_console_data($1_userhelper_t) + + # Inherit descriptors from the current session. + init_use_fds($1_userhelper_t) + # Write to utmp. + init_manage_utmp($1_userhelper_t) + init_pid_filetrans_utmp($1_userhelper_t) + + miscfiles_read_localization($1_userhelper_t) + + seutil_read_config($1_userhelper_t) + seutil_read_default_contexts($1_userhelper_t) + + # Allow $1_userhelper_t to transition to user domains. + userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t) + userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t) + + ifdef(`distro_redhat',` + optional_policy(` + # Allow transitioning to rpm_t, for up2date + rpm_domtrans($1_userhelper_t) + ') + ') + + optional_policy(` + logging_send_syslog_msg($1_userhelper_t) + ') + + optional_policy(` + nis_use_ypbind($1_userhelper_t) + ') + + optional_policy(` + nscd_socket_use($1_userhelper_t) + ') + + optional_policy(` + tunable_policy(`! secure_mode',` + #if we are not in secure mode then we can transition to sysadm_t + sysadm_bin_spec_domtrans($1_userhelper_t) + sysadm_entry_spec_domtrans($1_userhelper_t) + ') + ') +') + +######################################## +## <summary> +## Search the userhelper configuration directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userhelper_search_config',` + gen_require(` + type userhelper_conf_t; + ') + + allow $1 userhelper_conf_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to search +## the userhelper configuration directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`userhelper_dontaudit_search_config',` + gen_require(` + type userhelper_conf_t; + ') + + dontaudit $1 userhelper_conf_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Allow domain to use userhelper file descriptor. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userhelper_use_fd',` + gen_require(` + attribute userhelper_type; + ') + + allow $1 userhelper_type:fd use; +') + +######################################## +## <summary> +## Allow domain to send sigchld to userhelper. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userhelper_sigchld',` + gen_require(` + attribute userhelper_type; + ') + + allow $1 userhelper_type:process sigchld; +') + +######################################## +## <summary> +## Execute the userhelper program in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userhelper_exec',` + gen_require(` + type userhelper_exec_t; + ') + + can_exec($1, userhelper_exec_t) +') + +####################################### +## <summary> +## The role template for the consolehelper module. +## </summary> +## <desc> +## <p> +## This template creates a derived domains which are used +## for consolehelper applications. +## </p> +## </desc> +## <param name="role_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +## <param name="user_role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the user domain. 
+## </summary> +## </param> +# +template(`userhelper_console_role_template',` + gen_require(` + type consolehelper_exec_t; + attribute consolehelper_domain; + class dbus send_msg; + ') + type $1_consolehelper_t, consolehelper_domain; + domain_type($1_consolehelper_t) + domain_entry_file($1_consolehelper_t, consolehelper_exec_t) + role $2 types $1_consolehelper_t; + + domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t) + + allow $3 $1_consolehelper_t:dbus send_msg; + allow $1_consolehelper_t $3:dbus send_msg; + + auth_use_pam($1_consolehelper_t) + + userdom_manage_tmpfs_role($2, $1_consolehelper_t) + + optional_policy(` + shutdown_run($1_consolehelper_t, $2) + shutdown_send_sigchld($3) + ') + + optional_policy(` + xserver_run_xauth($1_consolehelper_t, $2) + xserver_read_xdm_pid($1_consolehelper_t) + ') +') diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te new file mode 100644 index 0000000..b46a20e --- /dev/null +++ b/policy/modules/apps/userhelper.te 
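Review bot: in userhelper_role_template the derived domain gets write access to its own authorization configuration, "allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;" plus rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t) on /etc/security/console.apps, while userhelper.te gives consolehelper_domain read-only access and dontaudits writes; unless userhelper really rewrites those files, reduce this to read_files_pattern so a compromised helper cannot loosen which programs it will run for a user. Two consistency points: the self:process rule excludes setexec in its ~{ ... } set and the very next line grants setexec again, so drop setexec from the exclusion instead of contradicting it; and "class dbus send_msg;" is required by userhelper_role_template but never used there (only userhelper_console_role_template uses it). net_bind_service in the capability set also deserves a comment, since nothing in the template binds a port. Finally, the two templates document their first parameter as userrole_prefix and role_prefix respectively; pick one name.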
@@ -0,0 +1,66 @@ +policy_module(userhelper, 1.5.1) + +######################################## +# +# Declarations +# + +attribute userhelper_type; +attribute consolehelper_domain; + +type userhelper_conf_t; +files_type(userhelper_conf_t) + +type userhelper_exec_t; +application_executable_file(userhelper_exec_t) + +type consolehelper_exec_t; +application_executable_file(consolehelper_exec_t) + +######################################## +# +# consolehelper local policy +# + +allow consolehelper_domain self:shm create_shm_perms; +allow consolehelper_domain self:capability { setgid setuid }; + +dontaudit consolehelper_domain userhelper_conf_t:file write; +read_files_pattern(consolehelper_domain, userhelper_conf_t, userhelper_conf_t) + +# Init script handling +domain_use_interactive_fds(consolehelper_domain) + +# internal communication is often done using fifo and unix sockets. +allow consolehelper_domain self:fifo_file rw_fifo_file_perms; +allow consolehelper_domain self:unix_stream_socket create_stream_socket_perms; + +kernel_read_kernel_sysctls(consolehelper_domain) + +corecmd_exec_bin(consolehelper_domain) + +files_read_config_files(consolehelper_domain) +files_read_usr_files(consolehelper_domain) + +auth_search_pam_console_data(consolehelper_domain) +auth_read_pam_pid(consolehelper_domain) + +init_read_utmp(consolehelper_domain) + +miscfiles_read_localization(consolehelper_domain) +miscfiles_read_fonts(consolehelper_domain) + +userhelper_exec(consolehelper_domain) + +userdom_use_user_ptys(consolehelper_domain) +userdom_use_user_ttys(consolehelper_domain) +userdom_read_user_home_content_files(consolehelper_domain) + +optional_policy(` + gnome_read_gconf_home_files(consolehelper_domain) +') + +optional_policy(` + xserver_read_home_fonts(consolehelper_domain) + xserver_stream_connect(consolehelper_domain) +') diff --git a/policy/modules/apps/usernetctl.fc b/policy/modules/apps/usernetctl.fc new file mode 100644 index 0000000..aa07e1e --- /dev/null 
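Review bot: the comment "# Init script handling" above domain_use_interactive_fds(consolehelper_domain) is misleading; that interface lets the domain inherit and use file descriptors from domains flagged with domain_interactive_fd (userhelper_role_template marks $1_userhelper_t that way), not from init scripts, so reword it. Worth a comment as well: userhelper_exec(consolehelper_domain) means consolehelper runs /usr/sbin/userhelper inside $1_consolehelper_t rather than transitioning to the $1_userhelper_t domain that userhelper_role_template builds, so the helper only gets the { setgid setuid } capabilities and the PAM console/pid access declared in this hunk; if that is intentional (the wrapper stays in the console domain and execs the target application via corecmd_exec_bin), say so next to the call so a later reader does not "fix" it into a domain transition.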
+++ b/policy/modules/apps/usernetctl.fc @@ -0,0 +1,2 @@ + +/usr/sbin/usernetctl -- gen_context(system_u:object_r:usernetctl_exec_t,s0) diff --git a/policy/modules/apps/usernetctl.if b/policy/modules/apps/usernetctl.if new file mode 100644 index 0000000..ba9b9d6 --- /dev/null +++ b/policy/modules/apps/usernetctl.if @@ -0,0 +1,64 @@ +## <summary>User network interface configuration helper</summary> + +######################################## +## <summary> +## Execute usernetctl in the usernetctl domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`usernetctl_domtrans',` + gen_require(` + type usernetctl_t, usernetctl_exec_t; + ') + + domtrans_pattern($1, usernetctl_exec_t, usernetctl_t) +') + +######################################## +## <summary> +## Execute usernetctl in the usernetctl domain, and +## allow the specified role the usernetctl domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`usernetctl_run',` + gen_require(` + type usernetctl_t; + ') + + usernetctl_domtrans($1) + role $2 types usernetctl_t; + + sysnet_run_ifconfig(usernetctl_t, $2) + sysnet_run_dhcpc(usernetctl_t, $2) + + optional_policy(` + consoletype_run(usernetctl_t, $2) + ') + + optional_policy(` + iptables_run(usernetctl_t, $2) + ') + + optional_policy(` + modutils_run_insmod(usernetctl_t, $2) + ') + + optional_policy(` + ppp_run(usernetctl_t, $2) + ') +') diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te new file mode 100644 index 0000000..9586818 --- /dev/null +++ b/policy/modules/apps/usernetctl.te 
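Review bot: usernetctl_run is a much larger grant than its summary ("allow the specified role the usernetctl domain") suggests: through the nested sysnet_run_ifconfig, sysnet_run_dhcpc and the optional consoletype_run, iptables_run, modutils_run_insmod and ppp_run calls it also authorises role $2 for those domains, so any role handed this interface can reach iptables_t and insmod_t via usernetctl_t. State that in the interface description so policy writers treat it as a privileged rolecap, and consider whether modutils_run_insmod belongs in a per-user network helper at all.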
@@ -0,0 +1,69 @@ +policy_module(usernetctl, 1.5.0) + +######################################## +# +# Declarations +# + +type usernetctl_t; +type usernetctl_exec_t; +application_domain(usernetctl_t, usernetctl_exec_t) +domain_interactive_fd(usernetctl_t) + +######################################## +# +# Local policy +# + +allow usernetctl_t self:capability { setuid setgid dac_override }; +allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow usernetctl_t self:fd use; +allow usernetctl_t self:fifo_file rw_fifo_file_perms; +allow usernetctl_t self:shm create_shm_perms; +allow usernetctl_t self:sem create_sem_perms; +allow usernetctl_t self:msgq create_msgq_perms; +allow usernetctl_t self:msg { send receive }; +allow usernetctl_t self:unix_dgram_socket create_socket_perms; +allow usernetctl_t self:unix_stream_socket create_stream_socket_perms; +allow usernetctl_t self:unix_dgram_socket sendto; +allow usernetctl_t self:unix_stream_socket connectto; + +can_exec(usernetctl_t, usernetctl_exec_t) + +kernel_read_system_state(usernetctl_t) +kernel_read_kernel_sysctls(usernetctl_t) + +corecmd_list_bin(usernetctl_t) +corecmd_exec_bin(usernetctl_t) +corecmd_exec_shell(usernetctl_t) + +domain_dontaudit_read_all_domains_state(usernetctl_t) + +files_read_etc_files(usernetctl_t) +files_exec_etc_files(usernetctl_t) +files_read_etc_runtime_files(usernetctl_t) +files_list_pids(usernetctl_t) +files_list_home(usernetctl_t) +files_read_usr_files(usernetctl_t) + +fs_search_auto_mountpoints(usernetctl_t) + +auth_use_nsswitch(usernetctl_t) + +logging_send_syslog_msg(usernetctl_t) + +miscfiles_read_localization(usernetctl_t) + +seutil_read_config(usernetctl_t) + +sysnet_read_config(usernetctl_t) + +userdom_use_user_terminals(usernetctl_t) + +optional_policy(` + hostname_exec(usernetctl_t) +') + +optional_policy(` + nis_use_ypbind(usernetctl_t) +') 
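Review bot: files_exec_etc_files(usernetctl_t) together with corecmd_exec_shell(usernetctl_t) and dac_override in the capability set lets this setuid helper run any file under /etc in its own domain; add a comment naming the scripts it actually needs (the ifup/ifdown network scripts) so the grant is not silently widened later. Likewise prefer an explicit positive list over "allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };", which hands the domain every process permission not named in the exclusion set, including any added to the class in future.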
diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc new file mode 100644 index 0000000..028c994 --- /dev/null +++ b/policy/modules/apps/vmware.fc 
@@ -0,0 +1,71 @@ +# +# HOME_DIR/ +# +HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0) +HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:vmware_conf_t,s0) +HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_file_t,s0) + +# +# /etc +# +/etc/vmware.*(/.*)? gen_context(system_u:object_r:vmware_sys_conf_t,s0) + +# +# /usr +# +/usr/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/bin/vmware-network -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) + +/usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) +/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/lib/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) + +ifdef(`distro_redhat',` +/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) 
+/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +') + +/usr/lib64/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) +/usr/lib64/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/lib64/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/lib64/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) +/usr/lib64/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) + +/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0) + +ifdef(`distro_gentoo',` +/opt/vmware/(workstation|player)/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/opt/vmware/(workstation|player)/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/opt/vmware/(workstation|player)/bin/vmnet-natd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/opt/vmware/(workstation|player)/bin/vmnet-netifup -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/opt/vmware/(workstation|player)/bin/vmnet-sniffer -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/opt/vmware/(workstation|player)/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/opt/vmware/(workstation|player)/bin/vmware-ping -- gen_context(system_u:object_r:vmware_exec_t,s0) +/opt/vmware/(workstation|player)/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/opt/vmware/(workstation|player)/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/opt/vmware/(workstation|player)/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +/opt/vmware/(workstation|player)/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0) +/opt/vmware/(workstation|player)/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) +') + 
+/var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) +/var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0) + +/var/run/vmnet.* gen_context(system_u:object_r:vmware_var_run_t,s0) +/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) +/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) diff --git a/policy/modules/apps/vmware.if b/policy/modules/apps/vmware.if new file mode 100644 index 0000000..853f575 --- /dev/null +++ b/policy/modules/apps/vmware.if 
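Review bot: /usr/sbin/vmware-serverd is labelled vmware_exec_t, the entry point for the user-launched vmware_t domain, while every other daemon-like binary in this hunk (vmnet-*, vmware-vmx, vmware-nmbd, vmware-smbd) is vmware_host_exec_t with an init_daemon_domain transition; a daemon started from an init script with this label would not enter vmware_host_t, so either it belongs with the host executables or the choice needs a comment. Two smaller points: the /usr/lib/vmware-tools/sbin32 and sbin64 entries are gated on distro_redhat but the parallel /usr/lib64/vmware entries are not, and the HOME_DIR/\.vmware[^/]*/.*\.cfg rule relies on being the longer match to override HOME_DIR/\.vmware(/.*)?; a one-line comment saying the .cfg files are deliberately split out as vmware_conf_t would help the next reader.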
@@ -0,0 +1,104 @@ +## <summary>VMWare Workstation virtual machines</summary> + +######################################## +## <summary> +## Role access for vmware +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`vmware_role',` + gen_require(` + type vmware_t, vmware_exec_t; + ') + + role $1 types vmware_t; + + # Transition from the user domain to the derived domain. + domtrans_pattern($2, vmware_exec_t, vmware_t) + + # allow ps to show vmware and allow the user to kill it + ps_process_pattern($2, vmware_t) + allow $2 vmware_t:process signal; +') + +######################################## +## <summary> +## Execute vmware host executables +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`vmware_exec_host',` + gen_require(` + type vmware_host_exec_t; + ') + + can_exec($1, vmware_host_exec_t) +') + +######################################## +## <summary> +## Read VMWare system configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`vmware_read_system_config',` + gen_require(` + type vmware_sys_conf_t; + ') + + allow $1 vmware_sys_conf_t:file { getattr read }; +') + +######################################## +## <summary> +## Append to VMWare system configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`vmware_append_system_config',` + gen_require(` + type vmware_sys_conf_t; + ') + + allow $1 vmware_sys_conf_t:file append; +') + +######################################## +## <summary> +## Append to VMWare log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`vmware_append_log',` + gen_require(` + type vmware_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, vmware_log_t, vmware_log_t) +') diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te new file mode 100644 index 0000000..4bdcbe3 --- /dev/null +++ b/policy/modules/apps/vmware.te 
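Review bot: vmware_read_system_config and vmware_append_system_config use raw rules ("allow $1 vmware_sys_conf_t:file { getattr read };" and "allow $1 vmware_sys_conf_t:file append;") while vmware_append_log in the same file uses append_files_pattern; switch the two config interfaces to read_files_pattern and append_files_pattern so callers also get directory search and the permission sets stay in step with the policy macros (raw read without open, and append without getattr, will be denied where the open_perms policy capability is enabled). The vmware_role summary "Role access for vmware" should also mention that the user domain is allowed to see and signal the vmware_t process, since the interface grants ps_process_pattern and process signal.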
@@ -0,0 +1,295 @@ +policy_module(vmware, 2.2.1) + +######################################## +# +# Declarations +# + +# VMWare user program +type vmware_t; +type vmware_exec_t; +typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t }; +typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t }; +application_domain(vmware_t, vmware_exec_t) +ubac_constrained(vmware_t) + +type vmware_conf_t; +typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t sysadm_vmware_conf_t }; +typealias vmware_conf_t alias { auditadm_vmware_conf_t secadm_vmware_conf_t }; +userdom_user_home_content(vmware_conf_t) + +type vmware_file_t; +typealias vmware_file_t alias { user_vmware_file_t staff_vmware_file_t sysadm_vmware_file_t }; +typealias vmware_file_t alias { auditadm_vmware_file_t secadm_vmware_file_t }; +userdom_user_home_content(vmware_file_t) + +# VMWare host programs +type vmware_host_t; +type vmware_host_exec_t; +init_daemon_domain(vmware_host_t, vmware_host_exec_t) + +type vmware_host_pid_t alias vmware_var_run_t; +files_pid_file(vmware_host_pid_t) + +type vmware_host_tmp_t; +files_tmp_file(vmware_host_tmp_t) +ubac_constrained(vmware_host_tmp_t) + +type vmware_log_t; +typealias vmware_log_t alias { user_vmware_log_t staff_vmware_log_t sysadm_vmware_log_t }; +typealias vmware_log_t alias { auditadm_vmware_log_t secadm_vmware_log_t }; +logging_log_file(vmware_log_t) +ubac_constrained(vmware_log_t) + +type vmware_pid_t; +typealias vmware_pid_t alias { user_vmware_pid_t staff_vmware_pid_t sysadm_vmware_pid_t }; +typealias vmware_pid_t alias { auditadm_vmware_pid_t secadm_vmware_pid_t }; +files_pid_file(vmware_pid_t) +ubac_constrained(vmware_pid_t) + +# Systemwide configuration files +type vmware_sys_conf_t; +files_type(vmware_sys_conf_t) + +type vmware_tmp_t; +typealias vmware_tmp_t alias { user_vmware_tmp_t staff_vmware_tmp_t sysadm_vmware_tmp_t }; +typealias vmware_tmp_t alias { auditadm_vmware_tmp_t secadm_vmware_tmp_t }; 
+files_tmp_file(vmware_tmp_t) +ubac_constrained(vmware_tmp_t) + +type vmware_tmpfs_t; +typealias vmware_tmpfs_t alias { user_vmware_tmpfs_t staff_vmware_tmpfs_t sysadm_vmware_tmpfs_t }; +typealias vmware_tmpfs_t alias { auditadm_vmware_tmpfs_t secadm_vmware_tmpfs_t }; +files_tmpfs_file(vmware_tmpfs_t) +ubac_constrained(vmware_tmpfs_t) + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(vmware_host_t, vmware_host_exec_t, s0 - mcs_systemhigh) +') + +######################################## +# +# VMWare host local policy +# + +allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override }; +dontaudit vmware_host_t self:capability sys_tty_config; +allow vmware_host_t self:process { execstack execmem signal_perms }; +allow vmware_host_t self:fifo_file rw_fifo_file_perms; +allow vmware_host_t self:unix_stream_socket create_stream_socket_perms; +allow vmware_host_t self:rawip_socket create_socket_perms; +allow vmware_host_t self:tcp_socket create_socket_perms; + +can_exec(vmware_host_t, vmware_host_exec_t) + +# cjp: the ro and rw files should be split up +manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t) +manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t) + +manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) +manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) +manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t) +files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir }) + +manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) +manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t) +files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file }) + +manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t) +logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir }) + +kernel_read_kernel_sysctls(vmware_host_t) 
+kernel_read_system_state(vmware_host_t) +kernel_read_network_state(vmware_host_t) + +corenet_all_recvfrom_unlabeled(vmware_host_t) +corenet_all_recvfrom_netlabel(vmware_host_t) +corenet_tcp_sendrecv_generic_if(vmware_host_t) +corenet_udp_sendrecv_generic_if(vmware_host_t) +corenet_raw_sendrecv_generic_if(vmware_host_t) +corenet_tcp_sendrecv_generic_node(vmware_host_t) +corenet_udp_sendrecv_generic_node(vmware_host_t) +corenet_raw_sendrecv_generic_node(vmware_host_t) +corenet_tcp_sendrecv_all_ports(vmware_host_t) +corenet_udp_sendrecv_all_ports(vmware_host_t) +corenet_raw_bind_generic_node(vmware_host_t) +corenet_tcp_bind_generic_node(vmware_host_t) +corenet_udp_bind_generic_node(vmware_host_t) +corenet_tcp_connect_all_ports(vmware_host_t) +corenet_sendrecv_all_client_packets(vmware_host_t) +corenet_sendrecv_all_server_packets(vmware_host_t) + +corecmd_exec_bin(vmware_host_t) +corecmd_exec_shell(vmware_host_t) + +dev_getattr_all_blk_files(vmware_host_t) +dev_read_sysfs(vmware_host_t) +dev_read_urand(vmware_host_t) +dev_rw_vmware(vmware_host_t) +dev_rw_generic_chr_files(vmware_host_t) + +domain_use_interactive_fds(vmware_host_t) +domain_dontaudit_read_all_domains_state(vmware_host_t) + +files_list_tmp(vmware_host_t) +files_read_etc_files(vmware_host_t) +files_read_etc_runtime_files(vmware_host_t) +files_read_usr_files(vmware_host_t) + +fs_getattr_all_fs(vmware_host_t) +fs_search_auto_mountpoints(vmware_host_t) + +storage_getattr_fixed_disk_dev(vmware_host_t) + +term_dontaudit_use_console(vmware_host_t) + +init_use_fds(vmware_host_t) +init_use_script_ptys(vmware_host_t) + +libs_exec_ld_so(vmware_host_t) + +logging_send_syslog_msg(vmware_host_t) + +miscfiles_read_localization(vmware_host_t) + +sysnet_dns_name_resolve(vmware_host_t) +sysnet_domtrans_ifconfig(vmware_host_t) + +userdom_dontaudit_use_unpriv_user_fds(vmware_host_t) +userdom_dontaudit_search_user_home_dirs(vmware_host_t) + +netutils_domtrans_ping(vmware_host_t) + +optional_policy(` + 
hostname_exec(vmware_host_t) +') + +optional_policy(` + modutils_domtrans_insmod(vmware_host_t) +') + +optional_policy(` + seutil_sigchld_newrole(vmware_host_t) +') + +optional_policy(` + shutdown_domtrans(vmware_host_t) +') + +optional_policy(` + udev_read_db(vmware_host_t) +') + +optional_policy(` + xserver_read_tmp_files(vmware_host_t) + xserver_read_xdm_pid(vmware_host_t) +') + +ifdef(`TODO',` +# VMWare need access to pcmcia devices for network +optional_policy(` +allow kernel_t cardmgr_var_lib_t:dir { getattr search }; +allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read }; +') +# Vmware create network devices +allow kernel_t self:capability net_admin; +allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write }; +allow kernel_t self:socket create; +') + +############################## +# +# VMWare guest local policy +# + +allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown }; +dontaudit vmware_t self:capability sys_tty_config; +allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow vmware_t self:process { execmem execstack }; +allow vmware_t self:fd use; +allow vmware_t self:fifo_file rw_fifo_file_perms; +allow vmware_t self:unix_dgram_socket { create_socket_perms sendto }; +allow vmware_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow vmware_t self:shm create_shm_perms; +allow vmware_t self:sem create_sem_perms; +allow vmware_t self:msgq create_msgq_perms; +allow vmware_t self:msg { send receive }; + +can_exec(vmware_t, vmware_exec_t) + +# User configuration files +allow vmware_t vmware_conf_t:file manage_file_perms; + +# VMWare disks +manage_files_pattern(vmware_t, vmware_file_t, vmware_file_t) +manage_lnk_files_pattern(vmware_t, vmware_file_t, vmware_file_t) + +allow vmware_t vmware_tmp_t:file execute; +manage_dirs_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) 
+manage_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) +manage_sock_files_pattern(vmware_t, vmware_tmp_t, vmware_tmp_t) +files_tmp_filetrans(vmware_t, vmware_tmp_t, { file dir }) + +manage_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) +manage_lnk_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) +manage_fifo_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) +manage_sock_files_pattern(vmware_t, vmware_tmpfs_t, vmware_tmpfs_t) +fs_tmpfs_filetrans(vmware_t, vmware_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +# Read clobal configuration files +allow vmware_t vmware_sys_conf_t:dir list_dir_perms; +read_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t) +read_lnk_files_pattern(vmware_t, vmware_sys_conf_t, vmware_sys_conf_t) + +manage_dirs_pattern(vmware_t, vmware_pid_t, vmware_pid_t) +manage_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t) +manage_lnk_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t) +manage_sock_files_pattern(vmware_t, vmware_pid_t, vmware_pid_t) +files_pid_filetrans(vmware_t, vmware_pid_t, { dir file lnk_file }) + +kernel_read_system_state(vmware_t) +kernel_read_network_state(vmware_t) +kernel_read_kernel_sysctls(vmware_t) + +# startup scripts +corecmd_exec_bin(vmware_t) +corecmd_exec_shell(vmware_t) + +dev_read_raw_memory(vmware_t) +dev_write_raw_memory(vmware_t) +dev_read_mouse(vmware_t) +dev_write_sound(vmware_t) +dev_read_realtime_clock(vmware_t) +dev_rwx_vmware(vmware_t) +dev_rw_usbfs(vmware_t) +dev_search_sysfs(vmware_t) + +domain_use_interactive_fds(vmware_t) + +files_read_etc_files(vmware_t) +files_read_etc_runtime_files(vmware_t) +files_read_usr_files(vmware_t) +files_list_home(vmware_t) + +fs_getattr_all_fs(vmware_t) +fs_search_auto_mountpoints(vmware_t) + +storage_raw_read_removable_device(vmware_t) +storage_raw_write_removable_device(vmware_t) + +# startup scripts run ldd +libs_exec_ld_so(vmware_t) +# Access X11 config files +libs_read_lib_files(vmware_t) + 
+miscfiles_read_localization(vmware_t) + +userdom_use_user_terminals(vmware_t) +userdom_list_user_home_dirs(vmware_t) +# cjp: why? +userdom_read_user_home_content_files(vmware_t) + +sysnet_dns_name_resolve(vmware_t) +sysnet_read_config(vmware_t) + +xserver_user_x_domain_template(vmware, vmware_t, vmware_tmpfs_t) diff --git a/policy/modules/apps/webalizer.fc b/policy/modules/apps/webalizer.fc new file mode 100644 index 0000000..e4f7d30 --- /dev/null +++ b/policy/modules/apps/webalizer.fc @@ -0,0 +1,10 @@ + +# +# /usr +# +/usr/bin/webalizer -- gen_context(system_u:object_r:webalizer_exec_t,s0) + +# +# /var +# +/var/lib/webalizer(/.*)? gen_context(system_u:object_r:webalizer_var_lib_t,s0) diff --git a/policy/modules/apps/webalizer.if b/policy/modules/apps/webalizer.if new file mode 100644 index 0000000..3c78e7c --- /dev/null +++ b/policy/modules/apps/webalizer.if @@ -0,0 +1,45 @@ +## <summary>Web server log analysis</summary> + +######################################## +## <summary> +## Execute webalizer in the webalizer domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`webalizer_domtrans',` + gen_require(` + type webalizer_t, webalizer_exec_t; + ') + + domtrans_pattern($1, webalizer_exec_t, webalizer_t) +') + +######################################## +## <summary> +## Execute webalizer in the webalizer domain, and +## allow the specified role the webalizer domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`webalizer_run',` + gen_require(` + type webalizer_t; + ') + + webalizer_domtrans($1) + role $2 types webalizer_t; +') diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te new file mode 100644 index 0000000..f79314b --- /dev/null 
+++ b/policy/modules/apps/webalizer.te 
@@ -0,0 +1,105 @@ +policy_module(webalizer, 1.10.0) + +######################################## +# +# Declarations +# + +type webalizer_t; +type webalizer_exec_t; +application_domain(webalizer_t, webalizer_exec_t) +role system_r types webalizer_t; + +type webalizer_etc_t; +files_config_file(webalizer_etc_t) + +type webalizer_usage_t; +files_type(webalizer_usage_t) + +type webalizer_tmp_t; +files_tmp_file(webalizer_tmp_t) + +type webalizer_var_lib_t; +files_type(webalizer_var_lib_t) + +type webalizer_write_t; +files_type(webalizer_write_t) + +######################################## +# +# Local policy +# + +allow webalizer_t self:capability dac_override; +allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow webalizer_t self:fd use; +allow webalizer_t self:fifo_file rw_fifo_file_perms; +allow webalizer_t self:sock_file read_sock_file_perms; +allow webalizer_t self:shm create_shm_perms; +allow webalizer_t self:sem create_sem_perms; +allow webalizer_t self:msgq create_msgq_perms; +allow webalizer_t self:msg { send receive }; +allow webalizer_t self:unix_dgram_socket create_socket_perms; +allow webalizer_t self:unix_stream_socket create_stream_socket_perms; +allow webalizer_t self:unix_dgram_socket sendto; +allow webalizer_t self:unix_stream_socket connectto; +allow webalizer_t self:tcp_socket connected_stream_socket_perms; +allow webalizer_t self:udp_socket { connect connected_socket_perms }; +allow webalizer_t self:netlink_route_socket r_netlink_socket_perms; + +allow webalizer_t webalizer_etc_t:file read_file_perms; + +manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t) +manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t) +files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir }) + +manage_files_pattern(webalizer_t, webalizer_var_lib_t, webalizer_var_lib_t) +files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file) + +kernel_read_kernel_sysctls(webalizer_t) 
+kernel_read_system_state(webalizer_t) + +corenet_all_recvfrom_unlabeled(webalizer_t) +corenet_all_recvfrom_netlabel(webalizer_t) +corenet_tcp_sendrecv_generic_if(webalizer_t) +corenet_tcp_sendrecv_generic_node(webalizer_t) +corenet_tcp_sendrecv_all_ports(webalizer_t) + +fs_search_auto_mountpoints(webalizer_t) +fs_getattr_xattr_fs(webalizer_t) +fs_rw_anon_inodefs_files(webalizer_t) + +files_read_etc_files(webalizer_t) +files_read_etc_runtime_files(webalizer_t) + +logging_list_logs(webalizer_t) +logging_send_syslog_msg(webalizer_t) + +miscfiles_read_localization(webalizer_t) +miscfiles_read_public_files(webalizer_t) + +sysnet_dns_name_resolve(webalizer_t) +sysnet_read_config(webalizer_t) + +userdom_use_user_terminals(webalizer_t) +userdom_use_unpriv_users_fds(webalizer_t) +userdom_dontaudit_search_user_home_content(webalizer_t) + +apache_read_log(webalizer_t) +apache_manage_sys_content(webalizer_t) + +optional_policy(` + cron_system_entry(webalizer_t, webalizer_exec_t) +') + +optional_policy(` + ftp_read_log(webalizer_t) +') + +optional_policy(` + nis_use_ypbind(webalizer_t) +') + +optional_policy(` + nscd_socket_use(webalizer_t) +') diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc new file mode 100644 index 0000000..9782698 --- /dev/null +++ b/policy/modules/apps/wine.fc 
@@ -0,0 +1,22 @@ +HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0) + +/opt/cxoffice/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) + +/opt/google/picasa(/.*)?/Picasa3/.*exe -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0) +/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) + +/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) + +/usr/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/regsvr32 -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/regedit -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) +/usr/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if new file mode 100644 index 0000000..e10101a --- /dev/null +++ b/policy/modules/apps/wine.if 
@@ -0,0 +1,186 @@ +## <summary>Wine Is Not an Emulator. Run Windows programs in Linux.</summary> + +####################################### +## <summary> +## The per role template for the wine module. +## </summary> +## <desc> +## <p> +## This template creates a derived domains which are used +## for wine applications. +## </p> +## </desc> +## <param name="userdomain_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the user domain. +## </summary> +## </param> +## <param name="user_role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +# +template(`wine_role',` + gen_require(` + type wine_t; + type wine_home_t; + type wine_exec_t; + ') + + role $1 types wine_t; + + domain_auto_trans($2, wine_exec_t, wine_t) + # Unrestricted inheritance from the caller. + allow $2 wine_t:process { noatsecure siginh rlimitinh }; + allow wine_t $2:fd use; + allow wine_t $2:process { sigchld signull }; + allow wine_t $2:unix_stream_socket connectto; + + # Allow the user domain to signal/ps. + ps_process_pattern($2, wine_t) + allow $2 wine_t:process signal_perms; + + allow $2 wine_t:fd use; + allow $2 wine_t:shm { associate getattr unix_read unix_write }; + allow $2 wine_t:unix_stream_socket connectto; + + # X access, Home files + manage_dirs_pattern($2, wine_home_t, wine_home_t) + manage_files_pattern($2, wine_home_t, wine_home_t) + manage_lnk_files_pattern($2, wine_home_t, wine_home_t) + relabel_dirs_pattern($2, wine_home_t, wine_home_t) + relabel_files_pattern($2, wine_home_t, wine_home_t) + relabel_lnk_files_pattern($2, wine_home_t, wine_home_t) +') + +####################################### +## <summary> +## The role template for the wine module. +## </summary> +## <desc> +## <p> +## This template creates a derived domains which are used +## for wine applications. 
+## </p> +## </desc> +## <param name="role_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +## <param name="user_role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the user domain. +## </summary> +## </param> +# +template(`wine_role_template',` + gen_require(` + type wine_t; + type wine_exec_t; + ') + + type $1_wine_t; + domain_type($1_wine_t) + domain_entry_file($1_wine_t, wine_exec_t) + ubac_constrained($1_wine_t) + role $2 types $1_wine_t; + + allow $1_wine_t self:process { execmem execstack }; + allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms }; + domtrans_pattern($3, wine_exec_t, $1_wine_t) + corecmd_bin_domtrans($1_wine_t, $1_t) + + userdom_unpriv_usertype($1, $1_wine_t) + userdom_manage_tmpfs_role($2, $1_wine_t) + + domain_mmap_low($1_wine_t) + + tunable_policy(`wine_mmap_zero_ignore',` + dontaudit $1_wine_t self:memprotect mmap_zero; + ') + + tunable_policy(`wine_mmap_zero_ignore',` + dontaudit $1_wine_t self:memprotect mmap_zero; + ') + + optional_policy(` + xserver_role($1_r, $1_wine_t) + ') +') + +######################################## +## <summary> +## Execute the wine program in the wine domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`wine_domtrans',` + gen_require(` + type wine_t, wine_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, wine_exec_t, wine_t) +') + +######################################## +## <summary> +## Execute wine in the wine domain, and +## allow the specified role the wine domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +# +interface(`wine_run',` + gen_require(` + type wine_t; + ') + + wine_domtrans($1) + role $2 types wine_t; +') + +######################################## +## <summary> +## Read and write wine Shared +## memory segments. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`wine_rw_shm',` + gen_require(` + type wine_t; + ') + + allow $1 wine_t:shm rw_shm_perms; +') diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te new file mode 100644 index 0000000..277543a --- /dev/null +++ b/policy/modules/apps/wine.te @@ -0,0 +1,64 @@ +policy_module(wine, 1.7.2) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Ignore wine mmap_zero errors. +## </p> +## </desc> +gen_tunable(wine_mmap_zero_ignore, false) + +type wine_t; +type wine_exec_t; +application_domain(wine_t, wine_exec_t) +ubac_constrained(wine_t) +role system_r types wine_t; + +type wine_tmp_t; +files_tmp_file(wine_tmp_t) +ubac_constrained(wine_tmp_t) + +######################################## +# +# Local policy +# + +allow wine_t self:process { execstack execmem execheap }; +allow wine_t self:fifo_file manage_fifo_file_perms; + +can_exec(wine_t, wine_exec_t) + +manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) +manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) +files_tmp_filetrans(wine_t, wine_tmp_t, { file dir }) + +domain_mmap_low(wine_t) + +files_execmod_all_files(wine_t) + +userdom_use_user_terminals(wine_t) + +tunable_policy(`wine_mmap_zero_ignore',` + dontaudit wine_t self:memprotect mmap_zero; +') + +optional_policy(` + hal_dbus_chat(wine_t) +') + +optional_policy(` + policykit_dbus_chat(wine_t) +') + +optional_policy(` + unconfined_domain(wine_t) +') + +optional_policy(` + xserver_read_xdm_pid(wine_t) + xserver_rw_shm(wine_t) +') 
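Review bot: in the vmware_t local policy of the vmware.te hunk above, "allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };" is immediately followed by "allow vmware_t self:process { execmem execstack };", which re-grants two of the permissions the negated set deliberately excludes; either take them out of the negated set or add a comment explaining why the VMM needs executable anonymous memory and an executable stack. The same hunk gives a user-launched application dev_read_raw_memory(vmware_t), dev_write_raw_memory(vmware_t) and a capability set containing sys_admin and sys_rawio, which together amount to unrestricted hardware access from a user session; if the kernel modules require this, say so in a comment beside the rules and consider putting the raw-memory access under an optional_policy or tunable so it is not on by default. For vmware_host_t, corenet_tcp_connect_all_ports together with the tcp and udp *_sendrecv_all_ports calls is wider than a bridging helper should need; document the ports it actually uses or narrow the calls.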
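Review bot: apache_read_log(webalizer_t) and apache_manage_sys_content(webalizer_t) in the webalizer.te hunk are unconditional while the cron, ftp, nis and nscd interfaces in the same hunk are wrapped in optional_policy; if apache is a hard dependency of this module the module metadata should say so, otherwise wrap these two calls like the others. apache_manage_sys_content also grants write access to the whole web content tree, where a log analyser only needs to write its own report directory; the hunk declares webalizer_write_t and webalizer_usage_t but no rule in it uses either type, so either give the report output that dedicated type and replace the manage call, or remove the unused declarations. Minor: "allow webalizer_t self:unix_dgram_socket create_socket_perms;" and the later "allow webalizer_t self:unix_dgram_socket sendto;" (and the matching unix_stream_socket pair) can be merged into one rule each.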
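Review bot: the wine_role_template body in the wine.if hunk contains the tunable_policy(wine_mmap_zero_ignore) block with "dontaudit $1_wine_t self:memprotect mmap_zero;" twice verbatim; delete the second copy. In the same template, "corecmd_bin_domtrans($1_wine_t, $1_t)" and "xserver_role($1_r, $1_wine_t)" rebuild the user domain and role from the prefix instead of using the $3 (user_domain) and $2 (user_role) parameters the template documents, so a caller whose role or domain is not literally prefix_r / prefix_t gets rules that silently refer to a different type; use $3 and $2. The earlier wine_role template documents three parameters (userdomain_prefix, user_domain, user_role) but its body uses $1 as the role ("role $1 types wine_t;") and $2 as the user domain, and never touches a third argument; the XML documentation should be reduced to role and domain, in that order, to match the code.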
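Review bot: the "optional_policy(` unconfined_domain(wine_t) ')" block in the wine.te hunk makes wine_t fully unconfined on any build that includes the unconfined module, so the tmp type, files_execmod_all_files(wine_t), domain_mmap_low(wine_t) and the rest of the local policy only take effect on builds without it; state that intent in a comment above the block, and consider gating it behind a tunable so an administrator can keep Wine confined without rebuilding policy. The remaining rules ("allow wine_t self:process { execstack execmem execheap };", domain_mmap_low, files_execmod_all_files) are exactly the things the memory-protection checks exist to flag; a short comment on why Wine needs each one would help the next reviewer decide whether they can ever be narrowed.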
diff --git a/policy/modules/apps/wireshark.fc b/policy/modules/apps/wireshark.fc new file mode 100644 index 0000000..96844ae --- /dev/null +++ b/policy/modules/apps/wireshark.fc @@ -0,0 +1,3 @@ +HOME_DIR/\.wireshark(/.*)? gen_context(system_u:object_r:wireshark_home_t,s0) + +/usr/bin/wireshark -- gen_context(system_u:object_r:wireshark_exec_t,s0) diff --git a/policy/modules/apps/wireshark.if b/policy/modules/apps/wireshark.if new file mode 100644 index 0000000..ea6ffe6 --- /dev/null +++ b/policy/modules/apps/wireshark.if @@ -0,0 +1,55 @@ +## <summary>Wireshark packet capture tool.</summary> + +############################################################ +## <summary> +## Role access for wireshark +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`wireshark_role',` + gen_require(` + type wireshark_t, wireshark_exec_t; + type wireshark_home_t, wireshark_tmp_t; + type wireshark_tmpfs_t; + ') + + role $1 types wireshark_t; + + domain_auto_trans($2, wireshark_exec_t, wireshark_t) + allow wireshark_t $2:fd use; + allow wireshark_t $2:process sigchld; + + manage_dirs_pattern($2, wireshark_home_t, wireshark_home_t) + manage_files_pattern($2, wireshark_home_t, wireshark_home_t) + manage_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t) + relabel_dirs_pattern($2, wireshark_home_t, wireshark_home_t) + relabel_files_pattern($2, wireshark_home_t, wireshark_home_t) + relabel_lnk_files_pattern($2, wireshark_home_t, wireshark_home_t) +') + +######################################## +## <summary> +## Run wireshark in wireshark domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`wireshark_domtrans',` + gen_require(` + type wireshark_t, wireshark_exec_t; + ') + + domtrans_pattern($1, wireshark_exec_t, wireshark_t) +') 
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te new file mode 100644 index 0000000..7c05189 --- /dev/null +++ b/policy/modules/apps/wireshark.te 
@@ -0,0 +1,123 @@ +policy_module(wireshark, 2.1.1) + +######################################## +# +# Declarations +# + +type wireshark_t; +type wireshark_exec_t; +typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t }; +typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t }; +application_domain(wireshark_t, wireshark_exec_t) +ubac_constrained(wireshark_t) + +type wireshark_home_t; +typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t }; +typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t }; +files_poly_member(wireshark_home_t) +userdom_user_home_content(wireshark_home_t) + +type wireshark_tmp_t; +typealias wireshark_tmp_t alias { user_wireshark_tmp_t staff_wireshark_tmp_t sysadm_wireshark_tmp_t }; +typealias wireshark_tmp_t alias { auditadm_wireshark_tmp_t secadm_wireshark_tmp_t }; +files_tmp_file(wireshark_tmp_t) +ubac_constrained(wireshark_tmp_t) + +type wireshark_tmpfs_t; +typealias wireshark_tmpfs_t alias { user_wireshark_tmpfs_t staff_wireshark_tmpfs_t sysadm_wireshark_tmpfs_t }; +typealias wireshark_tmpfs_t alias { auditadm_wireshark_tmpfs_t secadm_wireshark_tmpfs_t }; +files_tmpfs_file(wireshark_tmpfs_t) +ubac_constrained(wireshark_tmpfs_t) + +############################## +# +# Local Policy +# + +allow wireshark_t self:capability { net_admin net_raw setgid }; +allow wireshark_t self:process { signal getsched }; +allow wireshark_t self:fifo_file { getattr read write }; +allow wireshark_t self:shm destroy; +allow wireshark_t self:shm create_shm_perms; +allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms }; +allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read }; +allow wireshark_t self:tcp_socket create_socket_perms; +allow wireshark_t self:udp_socket create_socket_perms; + +# Re-execute itself (why?) 
+can_exec(wireshark_t, wireshark_exec_t) +corecmd_search_bin(wireshark_t) + +# /home/.wireshark +manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) +manage_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) +manage_lnk_files_pattern(wireshark_t, wireshark_home_t, wireshark_home_t) +userdom_user_home_dir_filetrans(wireshark_t, wireshark_home_t, dir) + +# Store temporary files +manage_dirs_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t) +manage_files_pattern(wireshark_t, wireshark_tmp_t, wireshark_tmp_t) +files_tmp_filetrans(wireshark_t, wireshark_tmp_t, { dir file }) + +manage_dirs_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) +manage_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) +manage_lnk_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) +manage_sock_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) +manage_fifo_files_pattern(wireshark_t, wireshark_tmpfs_t, wireshark_tmpfs_t) +fs_tmpfs_filetrans(wireshark_t, wireshark_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + +kernel_read_kernel_sysctls(wireshark_t) +kernel_read_system_state(wireshark_t) +kernel_read_sysctl(wireshark_t) + +corecmd_search_bin(wireshark_t) + +corenet_tcp_connect_generic_port(wireshark_t) +corenet_tcp_sendrecv_generic_if(wireshark_t) + +dev_read_urand(wireshark_t) + +files_read_etc_files(wireshark_t) +files_read_usr_files(wireshark_t) + +fs_list_inotifyfs(wireshark_t) +fs_search_auto_mountpoints(wireshark_t) + +libs_read_lib_files(wireshark_t) + +miscfiles_read_fonts(wireshark_t) +miscfiles_read_localization(wireshark_t) + +seutil_use_newrole_fds(wireshark_t) + +sysnet_read_config(wireshark_t) + +userdom_manage_user_home_content_files(wireshark_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(wireshark_t) + fs_manage_nfs_files(wireshark_t) + fs_manage_nfs_symlinks(wireshark_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(wireshark_t) + 
fs_manage_cifs_files(wireshark_t) + fs_manage_cifs_symlinks(wireshark_t) +') + +optional_policy(` + nscd_socket_use(wireshark_t) +') + +# Manual transition from userhelper +optional_policy(` + userhelper_use_fd(wireshark_t) + userhelper_sigchld(wireshark_t) +') + +optional_policy(` + xserver_user_x_domain_template(wireshark, wireshark_t, wireshark_tmpfs_t) + xserver_create_xdm_tmp_sockets(wireshark_t) +') diff --git a/policy/modules/apps/wm.fc b/policy/modules/apps/wm.fc new file mode 100644 index 0000000..be30d55 --- /dev/null +++ b/policy/modules/apps/wm.fc @@ -0,0 +1,3 @@ +/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) +/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0) +/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0) diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if new file mode 100644 index 0000000..369c3b5 --- /dev/null +++ b/policy/modules/apps/wm.if 
@@ -0,0 +1,113 @@ +## <summary>X Window Managers</summary> + +####################################### +## <summary> +## The role template for the wm module. +## </summary> +## <desc> +## <p> +## This template creates a derived domains which are used +## for window manager applications. +## </p> +## </desc> +## <param name="role_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +## <param name="user_role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the user domain. +## </summary> +## </param> +# +template(`wm_role_template',` + gen_require(` + type wm_exec_t; + class dbus send_msg; + ') + + type $1_wm_t; + domain_type($1_wm_t) + domain_entry_file($1_wm_t, wm_exec_t) + role $2 types $1_wm_t; + + allow $1_wm_t self:fifo_file rw_fifo_file_perms; + allow $1_wm_t self:process getsched; + allow $1_wm_t self:shm create_shm_perms; + + allow $1_wm_t $3:unix_stream_socket connectto; + allow $3 $1_wm_t:unix_stream_socket connectto; + allow $3 $1_wm_t:process { signal sigchld }; + allow $1_wm_t $3:process { signull sigkill }; + + allow $1_wm_t $3:dbus send_msg; + allow $3 $1_wm_t:dbus send_msg; + + domtrans_pattern($3, wm_exec_t, $1_wm_t) + + kernel_read_system_state($1_wm_t) + + corecmd_bin_domtrans($1_wm_t, $3) + corecmd_shell_domtrans($1_wm_t, $3) + + dev_read_urand($1_wm_t) + + files_read_etc_files($1_wm_t) + files_read_usr_files($1_wm_t) + + fs_getattr_tmpfs($1_wm_t) + + mls_file_read_all_levels($1_wm_t) + mls_file_write_all_levels($1_wm_t) + mls_xwin_read_all_levels($1_wm_t) + mls_xwin_write_all_levels($1_wm_t) + mls_fd_use_all_levels($1_wm_t) + + auth_use_nsswitch($1_wm_t) + + miscfiles_read_fonts($1_wm_t) + miscfiles_read_localization($1_wm_t) + + userdom_manage_home_role($2, $1_wm_t) + userdom_manage_tmpfs_role($2, $1_wm_t) + userdom_manage_tmp_role($2, $1_wm_t) + + optional_policy(` + 
dbus_system_bus_client($1_wm_t) + dbus_session_bus_client($1_wm_t) + ') + + optional_policy(` + pulseaudio_stream_connect($1_wm_t) + ') + + optional_policy(` + xserver_role($2, $1_wm_t) + xserver_manage_core_devices($1_wm_t) + ') +') + +######################################## +## <summary> +## Execute the wm program in the wm domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`wm_exec',` + gen_require(` + type wm_exec_t; + ') + + can_exec($1, wm_exec_t) +') diff --git a/policy/modules/apps/wm.te b/policy/modules/apps/wm.te new file mode 100644 index 0000000..aeea34d --- /dev/null +++ b/policy/modules/apps/wm.te @@ -0,0 +1,9 @@ +policy_module(wm, 1.0.2) + +######################################## +# +# Declarations +# + +type wm_exec_t; +corecmd_executable_file(wm_exec_t) diff --git a/policy/modules/apps/xscreensaver.fc b/policy/modules/apps/xscreensaver.fc new file mode 100644 index 0000000..29396da --- /dev/null +++ b/policy/modules/apps/xscreensaver.fc @@ -0,0 +1 @@ +/usr/bin/xscreensaver -- gen_context(system_u:object_r:xscreensaver_exec_t,s0) diff --git a/policy/modules/apps/xscreensaver.if b/policy/modules/apps/xscreensaver.if new file mode 100644 index 0000000..1067bd1 --- /dev/null +++ b/policy/modules/apps/xscreensaver.if 
@@ -0,0 +1,30 @@ +## <summary>X Screensaver</summary> + +######################################## +## <summary> +## Role access for xscreensaver +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`xscreensaver_role',` + gen_require(` + type xscreensaver_t, xscreensaver_exec_t; + ') + + role $1 types xscreensaver_t; + + domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t) + + # Allow the user domain to signal/ps. + ps_process_pattern($2, xscreensaver_t) + allow $2 xscreensaver_t:process signal_perms; +') diff --git a/policy/modules/apps/xscreensaver.te b/policy/modules/apps/xscreensaver.te new file mode 100644 index 0000000..1bdeb16 --- /dev/null +++ b/policy/modules/apps/xscreensaver.te @@ -0,0 +1,44 @@ +policy_module(xscreensaver, 1.0.0) + +######################################## +# +# Declarations +# + +type xscreensaver_t; +type xscreensaver_exec_t; +application_domain(xscreensaver_t, xscreensaver_exec_t) +ubac_constrained(xscreensaver_t) + +type xscreensaver_tmpfs_t; +files_tmpfs_file(xscreensaver_tmpfs_t) +ubac_constrained(xscreensaver_tmpfs_t) + +######################################## +# +# Local policy +# + +allow xscreensaver_t self:fifo_file rw_fifo_file_perms; +allow xscreensaver_t self:process signal; + +kernel_read_system_state(xscreensaver_t) + +files_read_usr_files(xscreensaver_t) + +auth_use_nsswitch(xscreensaver_t) +auth_domtrans_chk_passwd(xscreensaver_t) + +#/var/run/utmp +init_read_utmp(xscreensaver_t) + +logging_send_audit_msgs(xscreensaver_t) +logging_send_syslog_msg(xscreensaver_t) + +miscfiles_read_localization(xscreensaver_t) + +userdom_use_user_ptys(xscreensaver_t) +#access to .icons and ~/.xscreensaver +userdom_read_user_home_content_files(xscreensaver_t) + +xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) 
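Review bot: corecmd_search_bin(wireshark_t) appears twice in the wireshark.te local policy (once after can_exec, again after the kernel_* calls); drop one. "allow wireshark_t self:shm destroy;" is subsumed by the create_shm_perms rule on the following line and can go. The "# Re-execute itself (why?)" comment above "can_exec(wireshark_t, wireshark_exec_t)" is an open question and should be resolved before merge: either explain the re-exec or remove the rule. Style: "fs_tmpfs_filetrans(wireshark_t, wireshark_tmpfs_t,{ dir file lnk_file sock_file fifo_file })" is missing the space after the comma. On the privilege side, the capability set { net_admin net_raw setgid } plus the packet_socket rule with bind, ioctl and setopt is what live capture needs, so a one-line comment saying these are for capture would make the intent auditable.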
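Review bot: wm_role_template in the wm.if hunk grants the derived window-manager domain mls_file_read_all_levels, mls_file_write_all_levels, mls_xwin_read_all_levels, mls_xwin_write_all_levels and mls_fd_use_all_levels, which exempts $1_wm_t from MLS confinement in both directions; that is a deliberate decision for a multi-level desktop and deserves a comment explaining why the window manager must cross levels, otherwise it reads as over-grant. Likewise "corecmd_bin_domtrans($1_wm_t, $3)" and "corecmd_shell_domtrans($1_wm_t, $3)" let anything the window manager launches from bin_t or shell_exec_t run as the full user domain; that is the intended launcher behaviour, but a one-line comment would stop the next reader from treating it as a mistake.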
diff --git a/policy/modules/apps/yam.fc b/policy/modules/apps/yam.fc new file mode 100644 index 0000000..4ec6ede --- /dev/null +++ b/policy/modules/apps/yam.fc @@ -0,0 +1,6 @@ +/etc/yam\.conf -- gen_context(system_u:object_r:yam_etc_t,s0) + +/usr/bin/yam -- gen_context(system_u:object_r:yam_exec_t,s0) + +/var/yam(/.*)? gen_context(system_u:object_r:yam_content_t,s0) +/var/www/yam(/.*)? gen_context(system_u:object_r:yam_content_t,s0) diff --git a/policy/modules/apps/yam.if b/policy/modules/apps/yam.if new file mode 100644 index 0000000..07015a2 --- /dev/null +++ b/policy/modules/apps/yam.if @@ -0,0 +1,66 @@ +## <summary>Yum/Apt Mirroring</summary> + +######################################## +## <summary> +## Execute yam in the yam domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`yam_domtrans',` + gen_require(` + type yam_t, yam_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, yam_exec_t, yam_t) +') + +######################################## +## <summary> +## Execute yam in the yam domain, and +## allow the specified role the yam domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`yam_run',` + gen_require(` + type yam_t; + ') + + yam_domtrans($1) + role $2 types yam_t; +') + +######################################## +## <summary> +## Read yam content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`yam_read_content',` + gen_require(` + type yam_content_t; + ') + + allow $1 yam_content_t:dir list_dir_perms; + read_files_pattern($1, yam_content_t, yam_content_t) + read_lnk_files_pattern($1, yam_content_t, yam_content_t) +') 
diff --git a/policy/modules/apps/yam.te b/policy/modules/apps/yam.te new file mode 100644 index 0000000..223ad43 --- /dev/null +++ b/policy/modules/apps/yam.te 
@@ -0,0 +1,124 @@ +policy_module(yam, 1.4.0) + +######################################## +# +# Declarations +# + +type yam_t alias yam_crond_t; +type yam_exec_t; +application_domain(yam_t, yam_exec_t) + +type yam_content_t; +files_mountpoint(yam_content_t) + +type yam_etc_t; +files_config_file(yam_etc_t) + +type yam_tmp_t; +files_tmp_file(yam_tmp_t) + +######################################## +# +# Local policy +# + +allow yam_t self:capability { chown fowner fsetid dac_override }; +allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow yam_t self:process execmem; +allow yam_t self:fd use; +allow yam_t self:fifo_file rw_fifo_file_perms; +allow yam_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow yam_t self:unix_dgram_socket { create_socket_perms sendto }; +allow yam_t self:shm create_shm_perms; +allow yam_t self:sem create_sem_perms; +allow yam_t self:msgq create_msgq_perms; +allow yam_t self:msg { send receive }; +allow yam_t self:tcp_socket create_socket_perms; + +# Update the content being managed by yam. +manage_dirs_pattern(yam_t, yam_content_t, yam_content_t) +manage_files_pattern(yam_t, yam_content_t, yam_content_t) +manage_lnk_files_pattern(yam_t, yam_content_t, yam_content_t) + +allow yam_t yam_etc_t:file read_file_perms; +files_search_etc(yam_t) + +manage_files_pattern(yam_t, yam_tmp_t, yam_tmp_t) +manage_dirs_pattern(yam_t, yam_tmp_t, yam_tmp_t) +files_tmp_filetrans(yam_t, yam_tmp_t, { file dir }) + +kernel_read_kernel_sysctls(yam_t) +kernel_read_proc_symlinks(yam_t) +# Python works fine without reading /proc/meminfo +kernel_dontaudit_read_system_state(yam_t) + +corecmd_exec_shell(yam_t) +corecmd_exec_bin(yam_t) + +# Rsync and lftp need to network. They also set files attributes to +# match whats on the remote server. 
+corenet_all_recvfrom_unlabeled(yam_t) +corenet_all_recvfrom_netlabel(yam_t) +corenet_tcp_sendrecv_generic_if(yam_t) +corenet_tcp_sendrecv_generic_node(yam_t) +corenet_tcp_sendrecv_all_ports(yam_t) +corenet_tcp_connect_http_port(yam_t) +corenet_tcp_connect_rsync_port(yam_t) +corenet_sendrecv_http_client_packets(yam_t) +corenet_sendrecv_rsync_client_packets(yam_t) + +# mktemp +dev_read_urand(yam_t) + +files_read_etc_files(yam_t) +files_read_etc_runtime_files(yam_t) +# /usr/share/createrepo/genpkgmetadata.py: +files_exec_usr_files(yam_t) +# Programs invoked to build package lists need various permissions. +# genpkglist creates tmp files in /var/cache/apt/genpkglist +files_rw_var_files(yam_t) + +fs_search_auto_mountpoints(yam_t) +# Content can also be on ISO image files. +fs_read_iso9660_files(yam_t) + +logging_send_syslog_msg(yam_t) + +miscfiles_read_localization(yam_t) + +seutil_read_config(yam_t) + +sysnet_dns_name_resolve(yam_t) +sysnet_read_config(yam_t) + +userdom_use_user_terminals(yam_t) +userdom_use_unpriv_users_fds(yam_t) +# Reading dotfiles... +# cjp: ? +userdom_search_user_home_dirs(yam_t) + +# The whole point of this program is to make updates available on a +# local web server. Need to go through /var to get to /var/yam +# Go through /var/www to get to /var/www/yam +apache_search_sys_content(yam_t) + +optional_policy(` + cron_system_entry(yam_t, yam_exec_t) +') + +optional_policy(` + mount_domtrans(yam_t) +') + +optional_policy(` + nis_use_ypbind(yam_t) +') + +optional_policy(` + nscd_socket_use(yam_t) +') + +optional_policy(` + rsync_exec(yam_t) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc new file mode 100644 index 0000000..46af2a4 --- /dev/null +++ b/policy/modules/kernel/corecommands.fc 
@@ -0,0 +1,392 @@ + +# +# /bin +# +/bin -d gen_context(system_u:object_r:bin_t,s0) +/bin/.* gen_context(system_u:object_r:bin_t,s0) +/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) +/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) +/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) +/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) +/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) +/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) +/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) +/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) +/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) +/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0) +/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0) + +# +# /dev +# +/dev/MAKEDEV -- gen_context(system_u:object_r:bin_t,s0) + +# +# /emul +# +ifdef(`distro_redhat',` +/emul/ia32-linux/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/emul/ia32-linux/sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/emul/ia32-linux/usr(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/emul/ia32-linux/usr(/.*)?/Bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/emul/ia32-linux/usr(/.*)?/sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/emul/ia32-linux/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) +') + +# +# /etc +# +/etc/acpi/actions(/.*)? 
gen_context(system_u:object_r:bin_t,s0) + +/etc/apcupsd/apccontrol -- gen_context(system_u:object_r:bin_t,s0) +/etc/apcupsd/changeme -- gen_context(system_u:object_r:bin_t,s0) +/etc/apcupsd/commfailure -- gen_context(system_u:object_r:bin_t,s0) +/etc/apcupsd/commok -- gen_context(system_u:object_r:bin_t,s0) +/etc/apcupsd/masterconnect -- gen_context(system_u:object_r:bin_t,s0) +/etc/apcupsd/mastertimeout -- gen_context(system_u:object_r:bin_t,s0) +/etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0) +/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0) + +/etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0) + +/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) +/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) + +/etc/ConsoleKit/run-seat\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/ConsoleKit/run-session\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/etc/cron.daily(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/cron.hourly(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/cron.weekly(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/cron.monthly(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0) +/etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0) +/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0) +/etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0) + +/etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) + +/etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) +/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0) + +/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/etc/PackageKit/events(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/etc/pm/power\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/pm/sleep\.d(/.*)? 
gen_context(system_u:object_r:bin_t,s0) + +/etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0) +/etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0) +/etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0) +/etc/ppp/ipv6-down\..* -- gen_context(system_u:object_r:bin_t,s0) + +/etc/racoon/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) + +/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0) + +/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) +/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) +/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) +/etc/sysconfig/netconsole -- gen_context(system_u:object_r:bin_t,s0) +/etc/sysconfig/readonly-root -- gen_context(system_u:object_r:bin_t,s0) + +/etc/sysconfig/network-scripts/ifup.* gen_context(system_u:object_r:bin_t,s0) +/etc/sysconfig/network-scripts/ifdown.* gen_context(system_u:object_r:bin_t,s0) +/etc/sysconfig/network-scripts/net.* gen_context(system_u:object_r:bin_t,s0) +/etc/sysconfig/network-scripts/init.* gen_context(system_u:object_r:bin_t,s0) + +/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) +/etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) +/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) +/etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/etc/pki/tls/certs/make-dummy-cert -- gen_context(system_u:object_r:bin_t,s0) +/etc/pki/tls/misc(/.*)? -- gen_context(system_u:object_r:bin_t,s0) + +/etc/profile.d(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0) +/etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + +ifdef(`distro_debian',` +/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0) +') + +/etc/vmware-tools(/.*)? 
gen_context(system_u:object_r:bin_t,s0) + +# +# /lib +# + +/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) +/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) +/lib64/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) + +ifdef(`distro_gentoo',` +/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) +/lib64/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) + +/lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0) +/lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0) +/lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0) +/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) +') +/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) +/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) + +# +# /sbin +# +/sbin -d gen_context(system_u:object_r:bin_t,s0) +/sbin/.* gen_context(system_u:object_r:bin_t,s0) +/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) +/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) +/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) + +# +# /opt +# +/opt/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/opt/(.*/)?libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) + +ifdef(`distro_gentoo',` +/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) +/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0) +/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) +') + +# +# /usr +# +/usr/(.*/)?Bin(/.*)? 
gen_context(system_u:object_r:bin_t,s0) +/usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) + +/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/cups(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/news/bin(/.*)? 
gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/sftp-server -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) + +/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) + +/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/local/linuxprinter/filters(/.*)? 
gen_context(system_u:object_r:bin_t,s0) + +/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) + +/usr/share/ajaxterm/qweb.py.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/ajaxterm/ajaxterm.py.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/dayplanner/dayplanner -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) +/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/Modules/init(/.*)? 
gen_context(system_u:object_r:bin_t,s0) +/usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0) +/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) + +ifdef(`distro_gentoo', ` +/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/.*-.*-linux-gnu/binutils-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +') + +ifdef(`distro_redhat', ` +/etc/gdm/XKeepsCrashing[^/]* -- gen_context(system_u:object_r:bin_t,s0) +/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) +/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) + +/usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib64/bluetooth(/.*)? 
-- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/rhn/rhn_applet/needed-packages\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/ssl/misc(/.*)? 
gen_context(system_u:object_r:bin_t,s0) +/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-keyboard/system-config-keyboard -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-language/system-config-language -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-lvm/system-config-lvm\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-mouse/system-config-mouse -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-netboot/system-config-netboot\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-netboot/pxeos\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-netboot/pxeboot\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-network/neat-control\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-nfs/nfs-export\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-nfs/system-config-nfs\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-printer/applet\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0) 
+/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-services/gui\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-config-users/system-config-users -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/system-logviewer/system-logviewer\.py -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/texmf/texconfig/tcfmgr -- gen_context(system_u:object_r:bin_t,s0) +') + +ifdef(`distro_suse', ` +/usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/ssh/.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0) +') + +# +# /var +# +/var/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) + +/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) +/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/var/qmail/rc -- gen_context(system_u:object_r:bin_t,s0) + +ifdef(`distro_suse',` +/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) +') +/var/lib/asterisk/agi-bin(/.*)? 
gen_context(system_u:object_r:bin_t,s0) + +/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) +/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) + +/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0) + +/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/usr/lib/wicd/monitor.py -- gen_context(system_u:object_r:bin_t, s0) + +/usr/lib(64)?/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) + +/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if new file mode 100644 index 0000000..ae853de --- /dev/null +++ b/policy/modules/kernel/corecommands.if 
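Review bot: in the corecommands.fc hunk, `/usr/lib/wicd/monitor.py -- gen_context(system_u:object_r:bin_t, s0)` is the only entry with a space after the comma inside the context; make it `gen_context(system_u:object_r:bin_t,s0)` to match the rest of the file. The block appended after the `/var` section (`/lib/security/pam_krb5/...`, `/lib/systemd/systemd.*`, `/usr/lib/oracle/xe/apps(/.*)?`, the four `/usr/lib(64)?/rpm/rpm*` entries, `/etc/kde/env(/.*)?`, and the two `/usr/lib/yp/.+` lines) belongs in the `/lib`, `/usr` and `/etc` sections above; leaving it at the tail makes the file harder to audit for duplicate or shadowed patterns. Several patterns also use an unescaped `.` where a literal dot is meant (`/etc/cron.daily(/.*)?`, `/etc/security/namespace.init`, `/usr/share/sandbox/sandboxX.sh`); `\.` is what the neighbouring entries use and avoids matching unintended names.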
@@ -0,0 +1,1094 @@ +## <summary> +## Core policy for shells, and generic programs +## in /bin, /sbin, /usr/bin, and /usr/sbin. +## </summary> +## <required val="true"> +## Contains the base bin and sbin directory types +## which need to be searched for the kernel to +## run init. +## </required> + +######################################## +## <summary> +## Make the specified type usable for files +## that are exectuables, such as binary programs. +## This does not include shared libraries. +## </summary> +## <param name="type"> +## <summary> +## Type to be used for files. +## </summary> +## </param> +# +interface(`corecmd_executable_file',` + gen_require(` + attribute exec_type; + ') + + typeattribute $1 exec_type; + + files_type($1) +') + +######################################## +## <summary> +## Create a aliased type to generic bin files. (Deprecated) +## </summary> +## <desc> +## <p> +## Create a aliased type to generic bin files. (Deprecated) +## </p> +## <p> +## This is added to support targeted policy. Its +## use should be limited. It has no effect +## on the strict policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Alias type for bin_t. +## </summary> +## </param> +# +interface(`corecmd_bin_alias',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Make general progams in bin an entrypoint for +## the specified domain. +## </summary> +## <param name="domain"> +## <summary> +## The domain for which bin_t is an entrypoint. +## </summary> +## </param> +# +interface(`corecmd_bin_entry_type',` + gen_require(` + type bin_t; + ') + + domain_entry_file($1, bin_t) +') + +######################################## +## <summary> +## Make general progams in sbin an entrypoint for +## the specified domain. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## The domain for which sbin programs are an entrypoint. 
+## </summary> +## </param> +# +interface(`corecmd_sbin_entry_type',` + corecmd_bin_entry_type($1) + refpolicywarn(`$0() has been deprecated, please use corecmd_bin_entry_type() instead.') +') + +######################################## +## <summary> +## Make the shell an entrypoint for the specified domain. +## </summary> +## <param name="domain"> +## <summary> +## The domain for which the shell is an entrypoint. +## </summary> +## </param> +# +interface(`corecmd_shell_entry_type',` + gen_require(` + type shell_exec_t; + ') + + domain_entry_file($1, shell_exec_t) +') + +######################################## +## <summary> +## Search the contents of bin directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_search_bin',` + gen_require(` + type bin_t; + ') + + search_dirs_pattern($1, bin_t, bin_t) +') + +######################################## +## <summary> +## Do not audit attempts to search the contents of bin directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corecmd_dontaudit_search_bin',` + gen_require(` + type bin_t; + ') + + dontaudit $1 bin_t:dir search_dir_perms; +') + +######################################## +## <summary> +## List the contents of bin directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_list_bin',` + gen_require(` + type bin_t; + ') + + list_dirs_pattern($1, bin_t, bin_t) +') + +######################################## +## <summary> +## Do not audit attempts to write bin directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`corecmd_dontaudit_write_bin_dirs',` + gen_require(` + type bin_t; + ') + + dontaudit $1 bin_t:dir write; +') + +######################################## +## <summary> +## Do not audit attempts to write bin files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corecmd_dontaudit_write_bin_files',` + gen_require(` + type bin_t; + ') + + dontaudit $1 bin_t:file write; +') + +######################################## +## <summary> +## Get the attributes of files in bin directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_getattr_bin_files',` + gen_require(` + type bin_t; + ') + + getattr_files_pattern($1, bin_t, bin_t) +') + +######################################## +## <summary> +## Get the attributes of files in bin directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_dontaudit_getattr_bin_files',` + gen_require(` + type bin_t; + ') + + dontaudit $1 bin_t:dir search_dir_perms; + dontaudit $1 bin_t:file getattr_file_perms; +') + +######################################## +## <summary> +## Read files in bin directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_read_bin_files',` + gen_require(` + type bin_t; + ') + + read_files_pattern($1, bin_t, bin_t) +') + +######################################## +## <summary> +## Read symbolic links in bin directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_read_bin_symlinks',` + gen_require(` + type bin_t; + ') + + read_lnk_files_pattern($1, bin_t, bin_t) +') + +######################################## +## <summary> +## Read pipes in bin directories. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_read_bin_pipes',` + gen_require(` + type bin_t; + ') + + read_fifo_files_pattern($1, bin_t, bin_t) +') + +######################################## +## <summary> +## Read named sockets in bin directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_read_bin_sockets',` + gen_require(` + type bin_t; + ') + + read_sock_files_pattern($1, bin_t, bin_t) +') + +######################################## +## <summary> +## Execute generic programs in bin directories, +## in the caller domain. +## </summary> +## <desc> +## <p> +## Allow the specified domain to execute generic programs +## in system bin directories (/bin, /sbin, /usr/bin, +## /usr/sbin) a without domain transition. +## </p> +## <p> +## Typically, this interface should be used when the domain +## executes general system progams within the privileges +## of the source domain. Some examples of these programs +## are ls, cp, sed, python, and tar. This does not include +## shells, such as bash. +## </p> +## <p> +## Related interface: +## </p> +## <ul> +## <li>corecmd_exec_shell()</li> +## </ul> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_exec_bin',` + gen_require(` + type bin_t; + ') + + read_lnk_files_pattern($1, bin_t, bin_t) + list_dirs_pattern($1, bin_t, bin_t) + can_exec($1, bin_t) +') + +######################################## +## <summary> +## Create, read, write, and delete bin files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`corecmd_manage_bin_files',` + gen_require(` + type bin_t; + ') + + manage_files_pattern($1, bin_t, bin_t) +') + +######################################## +## <summary> +## Relabel to and from the bin type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_relabel_bin_files',` + gen_require(` + type bin_t; + ') + + relabel_files_pattern($1, bin_t, bin_t) +') + +######################################## +## <summary> +## Mmap a bin file as executable. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_mmap_bin_files',` + gen_require(` + type bin_t; + ') + + mmap_files_pattern($1, bin_t, bin_t) +') + +######################################## +## <summary> +## Execute a file in a bin directory +## in the specified domain but do not +## do it automatically. This is an explicit +## transition, requiring the caller to use setexeccon(). +## </summary> +## <desc> +## <p> +## Execute a file in a bin directory +## in the specified domain. This allows +## the specified domain to execute any file +## on these filesystems in the specified +## domain. This is not suggested. +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## <p> +## This interface was added to handle +## the userhelper policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the new process. 
+## </summary> +## </param> +# +interface(`corecmd_bin_spec_domtrans',` + gen_require(` + type bin_t; + ') + + read_lnk_files_pattern($1, bin_t, bin_t) + domain_transition_pattern($1, bin_t, $2) +') + +######################################## +## <summary> +## Execute a file in a bin directory +## in the specified domain. +## </summary> +## <desc> +## <p> +## Execute a file in a bin directory +## in the specified domain. This allows +## the specified domain to execute any file +## on these filesystems in the specified +## domain. This is not suggested. +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## <p> +## This interface was added to handle +## the ssh-agent policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the new process. +## </summary> +## </param> +# +interface(`corecmd_bin_domtrans',` + gen_require(` + type bin_t; + ') + + corecmd_bin_spec_domtrans($1, $2) + type_transition $1 bin_t:process $2; +') + +######################################## +## <summary> +## Search the contents of sbin directories. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_search_sbin',` + corecmd_search_bin($1) + refpolicywarn(`$0() has been deprecated, please use corecmd_search_bin() instead.') +') + +######################################## +## <summary> +## Do not audit attempts to search +## sbin directories. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`corecmd_dontaudit_search_sbin',` + corecmd_dontaudit_search_bin($1) + refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_search_bin() instead.') +') + +######################################## +## <summary> +## List the contents of sbin directories. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_list_sbin',` + corecmd_list_bin($1) + refpolicywarn(`$0() has been deprecated, please use corecmd_list_bin() instead.') +') + +######################################## +## <summary> +## Do not audit attempts to write +## sbin directories. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corecmd_dontaudit_write_sbin_dirs',` + corecmd_dontaudit_write_bin_dirs($1) + refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_write_bin_dirs() instead.') +') + +######################################## +## <summary> +## Get the attributes of sbin files. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_getattr_sbin_files',` + corecmd_getattr_bin_files($1) + refpolicywarn(`$0() has been deprecated, please use corecmd_getattr_bin_files() instead.') +') + +######################################## +## <summary> +## Do not audit attempts to get the attibutes +## of sbin files. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corecmd_dontaudit_getattr_sbin_files',` + corecmd_dontaudit_getattr_bin_files($1) + refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_getattr_bin_files() instead.') +') + +######################################## +## <summary> +## Read files in sbin directories. 
(Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_read_sbin_files',` + corecmd_read_bin_files($1) + refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_files() instead.') +') + +######################################## +## <summary> +## Read symbolic links in sbin directories. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_read_sbin_symlinks',` + corecmd_read_bin_symlinks($1) + refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_symlinks() instead.') +') + +######################################## +## <summary> +## Read named pipes in sbin directories. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_read_sbin_pipes',` + corecmd_read_bin_pipes($1) + refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_pipes() instead.') +') + +######################################## +## <summary> +## Read named sockets in sbin directories. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_read_sbin_sockets',` + corecmd_read_bin_sockets($1) + refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_sockets() instead.') +') + +######################################## +## <summary> +## Execute generic programs in sbin directories, +## in the caller domain. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_exec_sbin',` + corecmd_exec_bin($1) + refpolicywarn(`$0() has been deprecated, please use corecmd_exec_bin() instead.') +') + +######################################## +## <summary> +## Create, read, write, and delete sbin files. 
(Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: added for prelink +interface(`corecmd_manage_sbin_files',` + corecmd_manage_bin_files($1) + refpolicywarn(`$0() has been deprecated, please use corecmd_manage_bin_files() instead.') +') + +######################################## +## <summary> +## Relabel to and from the sbin type. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: added for prelink +interface(`corecmd_relabel_sbin_files',` + corecmd_relabel_bin_files($1) + refpolicywarn(`$0() has been deprecated, please use corecmd_relabel_bin_files() instead.') +') + +######################################## +## <summary> +## Mmap a sbin file as executable. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: added for prelink +interface(`corecmd_mmap_sbin_files',` + corecmd_mmap_bin_files($1) + refpolicywarn(`$0() has been deprecated, please use corecmd_mmap_bin_files() instead.') +') + +######################################## +## <summary> +## Execute a file in a sbin directory +## in the specified domain. (Deprecated) +## </summary> +## <desc> +## <p> +## Execute a file in a sbin directory +## in the specified domain. This allows +## the specified domain to execute any file +## on these filesystems in the specified +## domain. This is not suggested. (Deprecated) +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## <p> +## This interface was added to handle +## the ssh-agent policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the new process. 
+## </summary> +## </param> +# +interface(`corecmd_sbin_domtrans',` + corecmd_bin_domtrans($1, $2) + refpolicywarn(`$0() has been deprecated, please use corecmd_bin_domtrans() instead.') +') + +######################################## +## <summary> +## Execute a file in a sbin directory +## in the specified domain but do not +## do it automatically. This is an explicit +## transition, requiring the caller to use setexeccon(). (Deprecated) +## </summary> +## <desc> +## <p> +## Execute a file in a sbin directory +## in the specified domain. This allows +## the specified domain to execute any file +## on these filesystems in the specified +## domain. This is not suggested. (Deprecated) +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## <p> +## This interface was added to handle +## the userhelper policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the new process. +## </summary> +## </param> +# +interface(`corecmd_sbin_spec_domtrans',` + corecmd_bin_spec_domtrans($1, $2) + refpolicywarn(`$0() has been deprecated, please use corecmd_bin_spec_domtrans() instead.') +') + +######################################## +## <summary> +## Check if a shell is executable (DAC-wise). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_check_exec_shell',` + gen_require(` + type bin_t, shell_exec_t; + ') + + list_dirs_pattern($1, bin_t, bin_t) + read_lnk_files_pattern($1, bin_t, bin_t) + allow $1 shell_exec_t:file execute; +') + +######################################## +## <summary> +## Execute shells in the caller domain. +## </summary> +## <desc> +## <p> +## Allow the specified domain to execute shells without +## a domain transition. 
+## </p> +## <p> +## Typically, this interface should be used when the domain +## executes shells within the privileges +## of the source domain. Some examples of these programs +## are bash, tcsh, and zsh. +## </p> +## <p> +## Related interface: +## </p> +## <ul> +## <li>corecmd_exec_bin()</li> +## </ul> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_exec_shell',` + gen_require(` + type bin_t, shell_exec_t; + ') + + list_dirs_pattern($1, bin_t, bin_t) + read_lnk_files_pattern($1, bin_t, bin_t) + can_exec($1, shell_exec_t) +') + +######################################## +## <summary> +## Execute ls in the caller domain. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_exec_ls',` + corecmd_exec_bin($1) + refpolicywarn(`$0() has been deprecated, please use corecmd_exec_bin() instead.') +') + +######################################## +## <summary> +## Execute a shell in the target domain. This +## is an explicit transition, requiring the +## caller to use setexeccon(). +## </summary> +## <desc> +## <p> +## Execute a shell in the target domain. This +## is an explicit transition, requiring the +## caller to use setexeccon(). +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the shell process. 
+## </summary> +## </param> +# +interface(`corecmd_shell_spec_domtrans',` + gen_require(` + type bin_t, shell_exec_t; + ') + + list_dirs_pattern($1, bin_t, bin_t) + read_lnk_files_pattern($1, bin_t, bin_t) + domain_transition_pattern($1, shell_exec_t, $2) +') + +######################################## +## <summary> +## Execute a shell in the specified domain. +## </summary> +## <desc> +## <p> +## Execute a shell in the specified domain. +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the shell process. +## </summary> +## </param> +# +interface(`corecmd_shell_domtrans',` + gen_require(` + type shell_exec_t; + ') + + corecmd_shell_spec_domtrans($1, $2) + type_transition $1 shell_exec_t:process $2; +') + +######################################## +## <summary> +## Execute chroot in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_exec_chroot',` + gen_require(` + type chroot_exec_t; + ') + + read_lnk_files_pattern($1, bin_t, bin_t) + can_exec($1, chroot_exec_t) + allow $1 self:capability sys_chroot; +') + +######################################## +## <summary> +## Get the attributes of all executable files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`corecmd_getattr_all_executables',` + gen_require(` + attribute exec_type; + type bin_t; + ') + + allow $1 bin_t:dir list_dir_perms; + getattr_files_pattern($1, bin_t, exec_type) +') + +######################################## +## <summary> +## Read all executable files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`corecmd_read_all_executables',` + gen_require(` + attribute exec_type; + ') + + read_files_pattern($1, exec_type, exec_type) +') + +######################################## +## <summary> +## Execute all executable files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`corecmd_exec_all_executables',` + gen_require(` + attribute exec_type; + type bin_t; + ') + + can_exec($1, exec_type) + list_dirs_pattern($1, bin_t, bin_t) + read_lnk_files_pattern($1, bin_t, exec_type) +') + +######################################## +## <summary> +## Do not audit attempts to execute all executables. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corecmd_dontaudit_exec_all_executables',` + gen_require(` + attribute exec_type; + ') + + dontaudit $1 exec_type:file { execute execute_no_trans }; +') + +######################################## +## <summary> +## Create, read, write, and all executable files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`corecmd_manage_all_executables',` + gen_require(` + attribute exec_type; + type bin_t; + ') + + manage_dirs_pattern($1, bin_t, exec_type) + manage_files_pattern($1, bin_t, exec_type) + manage_lnk_files_pattern($1, bin_t, bin_t) +') + +######################################## +## <summary> +## Relabel to and from the bin type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`corecmd_relabel_all_executables',` + gen_require(` + attribute exec_type; + type bin_t; + ') + + relabel_files_pattern($1, bin_t, exec_type) +') + +######################################## +## <summary> +## Mmap all executables as executable. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corecmd_mmap_all_executables',` + gen_require(` + attribute exec_type; + type bin_t; + ') + + mmap_files_pattern($1, bin_t, exec_type) +') diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te new file mode 100644 index 0000000..e1963dd --- /dev/null +++ b/policy/modules/kernel/corecommands.te @@ -0,0 +1,27 @@ +policy_module(corecommands, 1.13.2) + +######################################## +# +# Declarations +# + +# +# Types with the exec_type attribute are executable files. +# +attribute exec_type; + +# +# bin_t is the type of files in the system bin/sbin directories. +# +type bin_t alias { ls_exec_t sbin_t }; +corecmd_executable_file(bin_t) +dev_associate(bin_t) #For /dev/MAKEDEV + +# +# shell_exec_t is the type of user shells such as /bin/bash. +# +type shell_exec_t; +corecmd_executable_file(shell_exec_t) + +type chroot_exec_t; +corecmd_executable_file(chroot_exec_t) diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc new file mode 100644 index 0000000..953e0e8 --- /dev/null +++ b/policy/modules/kernel/corenetwork.fc 
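Review bot: `corecmd_exec_chroot` calls `read_lnk_files_pattern($1, bin_t, bin_t)` but its `gen_require` block only declares `type chroot_exec_t;`, so the interface will fail to expand in a module that does not already require `bin_t`; change the require to `type bin_t, chroot_exec_t;`, matching how `corecmd_check_exec_shell` and `corecmd_exec_shell` declare `type bin_t, shell_exec_t;`. Documentation nits in the same hunk: the `corecmd_manage_all_executables` summary reads "Create, read, write, and all executable files" (missing "delete"), the `corecmd_relabel_all_executables` summary still says "Relabel to and from the bin type" although the body relabels `exec_type` files, and `corecmd_dontaudit_getattr_sbin_files` has "attibutes" for "attributes". In the corecommands.te hunk, `chroot_exec_t` is the only type declared without the explanatory comment that `exec_type`, `bin_t` and `shell_exec_t` carry; a one-line comment stating what it labels would keep the declarations consistent.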
@@ -0,0 +1,10 @@ + +/dev/ippp.* -c gen_context(system_u:object_r:ppp_device_t,s0) +/dev/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) +/dev/pppox.* -c gen_context(system_u:object_r:ppp_device_t,s0) +/dev/tap.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) + +/dev/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) + +/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) +/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in new file mode 100644 index 0000000..b06df19 --- /dev/null +++ b/policy/modules/kernel/corenetwork.if.in 
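Review bot: the corenetwork.fc hunk begins with an empty line as its first line of the new file, which the other .fc files in this patch do not do; drop it. The `/lib/udev/devices/ppp` and `/lib/udev/devices/net/.*` entries mirror the `/dev/ppp` and `/dev/net/.*` entries with the same `ppp_device_t` and `tun_tap_device_t` contexts, so a comment noting that the two groups must be kept in sync would help future edits to either set.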
@@ -0,0 +1,3044 @@ +## <summary>Policy controlling access to network objects</summary> +## <required val="true"> +## Contains the initial SIDs for network objects. +## </required> + +######################################## +## <summary> +## Define type to be a network port type +## </summary> +## <desc> +## <p> +## Define type to be a network port type +## </p> +## <p> +## This is for supporting third party modules and its +## use is not allowed in upstream reference policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Type to be used for network ports. +## </summary> +## </param> +# +interface(`corenet_port',` + gen_require(` + attribute port_type; + ') + + typeattribute $1 port_type; +') + +######################################## +## <summary> +## Define network type to be a reserved port (lt 1024) +## </summary> +## <desc> +## <p> +## Define network type to be a reserved port (lt 1024) +## </p> +## <p> +## This is for supporting third party modules and its +## use is not allowed in upstream reference policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Type to be used for network ports. +## </summary> +## </param> +# +interface(`corenet_reserved_port',` + gen_require(` + attribute reserved_port_type; + ') + + typeattribute $1 reserved_port_type; +') + +######################################## +## <summary> +## Define network type to be a rpc port ( 512 lt PORT lt 1024) +## </summary> +## <desc> +## <p> +## Define network type to be a rpc port ( 512 lt PORT lt 1024) +## </p> +## <p> +## This is for supporting third party modules and its +## use is not allowed in upstream reference policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Type to be used for network ports. 
+## </summary> +## </param> +# +interface(`corenet_rpc_port',` + gen_require(` + attribute rpc_port_type; + ') + + typeattribute $1 rpc_port_type; +') + +######################################## +## <summary> +## Define type to be a network client packet type +## </summary> +## <desc> +## <p> +## Define type to be a network client packet type +## </p> +## <p> +## This is for supporting third party modules and its +## use is not allowed in upstream reference policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Type to be used for a network client packet. +## </summary> +## </param> +# +interface(`corenet_client_packet',` + gen_require(` + attribute packet_type, client_packet_type; + ') + + typeattribute $1 client_packet_type, packet_type; +') + +######################################## +## <summary> +## Define type to be a network server packet type +## </summary> +## <desc> +## <p> +## Define type to be a network server packet type +## </p> +## <p> +## This is for supporting third party modules and its +## use is not allowed in upstream reference policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Type to be used for a network server packet. +## </summary> +## </param> +# +interface(`corenet_server_packet',` + gen_require(` + attribute packet_type, server_packet_type; + ') + + typeattribute $1 server_packet_type, packet_type; +') + +######################################## +## <summary> +## Send and receive TCP network traffic on generic interfaces. +## </summary> +## <desc> +## <p> +## Allow the specified domain to send and receive TCP network +## traffic on generic network interfaces. 
+## </p> +## <p> +## Related interface: +## </p> +## <ul> +## <li>corenet_all_recvfrom_unlabeled()</li> +## <li>corenet_tcp_sendrecv_generic_node()</li> +## <li>corenet_tcp_sendrecv_all_ports()</li> +## <li>corenet_tcp_connect_all_ports()</li> +## </ul> +## <p> +## Example client being able to connect to all ports over +## generic nodes, without labeled networking: +## </p> +## <p> +## allow myclient_t self:tcp_socket create_stream_socket_perms; +## corenet_tcp_sendrecv_generic_if(myclient_t) +## corenet_tcp_sendrecv_generic_node(myclient_t) +## corenet_tcp_sendrecv_all_ports(myclient_t) +## corenet_tcp_connect_all_ports(myclient_t) +## corenet_all_recvfrom_unlabeled(myclient_t) +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`corenet_tcp_sendrecv_generic_if',` + gen_require(` + type netif_t; + ') + + allow $1 netif_t:netif { tcp_send tcp_recv egress ingress }; +') + +######################################## +## <summary> +## Send UDP network traffic on generic interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_send_generic_if',` + gen_require(` + type netif_t; + ') + + allow $1 netif_t:netif { udp_send egress }; +') + +######################################## +## <summary> +## Dontaudit attempts to send UDP network traffic +## on generic interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_udp_send_generic_if',` + gen_require(` + type netif_t; + ') + + dontaudit $1 netif_t:netif { udp_send egress }; +') + +######################################## +## <summary> +## Receive UDP network traffic on generic interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`corenet_udp_receive_generic_if',` + gen_require(` + type netif_t; + ') + + allow $1 netif_t:netif { udp_recv ingress }; +') + +######################################## +## <summary> +## Do not audit attempts to receive UDP network +## traffic on generic interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_udp_receive_generic_if',` + gen_require(` + type netif_t; + ') + + dontaudit $1 netif_t:netif { udp_recv ingress }; +') + +######################################## +## <summary> +## Send and receive UDP network traffic on generic interfaces. +## </summary> +## <desc> +## <p> +## Allow the specified domain to send and receive UDP network +## traffic on generic network interfaces. +## </p> +## <p> +## Related interface: +## </p> +## <ul> +## <li>corenet_all_recvfrom_unlabeled()</li> +## <li>corenet_udp_sendrecv_generic_node()</li> +## <li>corenet_udp_sendrecv_all_ports()</li> +## </ul> +## <p> +## Example client being able to send to all ports over +## generic nodes, without labeled networking: +## </p> +## <p> +## allow myclient_t self:udp_socket create_socket_perms; +## corenet_udp_sendrecv_generic_if(myclient_t) +## corenet_udp_sendrecv_generic_node(myclient_t) +## corenet_udp_sendrecv_all_ports(myclient_t) +## corenet_all_recvfrom_unlabeled(myclient_t) +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`corenet_udp_sendrecv_generic_if',` + corenet_udp_send_generic_if($1) + corenet_udp_receive_generic_if($1) +') + +######################################## +## <summary> +## Do not audit attempts to send and receive UDP network +## traffic on generic interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`corenet_dontaudit_udp_sendrecv_generic_if',` + corenet_dontaudit_udp_send_generic_if($1) + corenet_dontaudit_udp_receive_generic_if($1) +') + +######################################## +## <summary> +## Send raw IP packets on generic interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_raw_send_generic_if',` + gen_require(` + type netif_t; + ') + + allow $1 netif_t:netif { rawip_send egress }; +') + +######################################## +## <summary> +## Receive raw IP packets on generic interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_raw_receive_generic_if',` + gen_require(` + type netif_t; + ') + + allow $1 netif_t:netif { rawip_recv ingress }; +') + +######################################## +## <summary> +## Send and receive raw IP packets on generic interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_raw_sendrecv_generic_if',` + corenet_raw_send_generic_if($1) + corenet_raw_receive_generic_if($1) +') + +######################################## +## <summary> +## Allow outgoing network traffic on the generic interfaces. +## </summary> +## <param name="domain"> +## <summary> +## The peer label of the outgoing network traffic. +## </summary> +## </param> +## <infoflow type="write" weight="10"/> +# +interface(`corenet_out_generic_if',` + gen_require(` + type netif_t; + ') + + allow $1 netif_t:netif egress; +') + +######################################## +## <summary> +## Allow incoming traffic on the generic interfaces. +## </summary> +## <param name="domain"> +## <summary> +## The peer label of the incoming network traffic. 
+## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`corenet_in_generic_if',` + gen_require(` + type netif_t; + ') + + allow $1 netif_t:netif ingress; +') + +######################################## +## <summary> +## Allow incoming and outgoing network traffic on the generic interfaces. +## </summary> +## <param name="domain"> +## <summary> +## The peer label of the network traffic. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`corenet_inout_generic_if',` + corenet_in_generic_if($1) + corenet_out_generic_if($1) +') + +######################################## +## <summary> +## Send and receive TCP network traffic on all interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_tcp_sendrecv_all_if',` + gen_require(` + attribute netif_type; + ') + + allow $1 netif_type:netif { tcp_send tcp_recv egress ingress }; +') + +######################################## +## <summary> +## Send UDP network traffic on all interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_send_all_if',` + gen_require(` + attribute netif_type; + ') + + allow $1 netif_type:netif { udp_send egress }; +') + +######################################## +## <summary> +## Receive UDP network traffic on all interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_receive_all_if',` + gen_require(` + attribute netif_type; + ') + + allow $1 netif_type:netif { udp_recv ingress }; +') + +######################################## +## <summary> +## Send and receive UDP network traffic on all interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`corenet_udp_sendrecv_all_if',` + corenet_udp_send_all_if($1) + corenet_udp_receive_all_if($1) +') + +######################################## +## <summary> +## Send raw IP packets on all interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_raw_send_all_if',` + gen_require(` + attribute netif_type; + ') + + allow $1 netif_type:netif { rawip_send egress }; +') + +######################################## +## <summary> +## Receive raw IP packets on all interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_raw_receive_all_if',` + gen_require(` + attribute netif_type; + ') + + allow $1 netif_type:netif { rawip_recv ingress }; +') + +######################################## +## <summary> +## Send and receive raw IP packets on all interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_raw_sendrecv_all_if',` + corenet_raw_send_all_if($1) + corenet_raw_receive_all_if($1) +') + +######################################## +## <summary> +## Send and receive TCP network traffic on generic nodes. +## </summary> +## <desc> +## <p> +## Allow the specified domain to send and receive TCP network +## traffic to/from generic network nodes (hostnames/networks). 
+## </p> +## <p> +## Related interface: +## </p> +## <ul> +## <li>corenet_all_recvfrom_unlabeled()</li> +## <li>corenet_tcp_sendrecv_generic_if()</li> +## <li>corenet_tcp_sendrecv_all_ports()</li> +## <li>corenet_tcp_connect_all_ports()</li> +## </ul> +## <p> +## Example client being able to connect to all ports over +## generic nodes, without labeled networking: +## </p> +## <p> +## allow myclient_t self:tcp_socket create_stream_socket_perms; +## corenet_tcp_sendrecv_generic_if(myclient_t) +## corenet_tcp_sendrecv_generic_node(myclient_t) +## corenet_tcp_sendrecv_all_ports(myclient_t) +## corenet_tcp_connect_all_ports(myclient_t) +## corenet_all_recvfrom_unlabeled(myclient_t) +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`corenet_tcp_sendrecv_generic_node',` + gen_require(` + type node_t; + ') + + allow $1 node_t:node { tcp_send tcp_recv sendto recvfrom }; +') + +######################################## +## <summary> +## Send UDP network traffic on generic nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_send_generic_node',` + gen_require(` + type node_t; + ') + + allow $1 node_t:node { udp_send sendto }; +') + +######################################## +## <summary> +## Receive UDP network traffic on generic nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_receive_generic_node',` + gen_require(` + type node_t; + ') + + allow $1 node_t:node { udp_recv recvfrom }; +') + +######################################## +## <summary> +## Send and receive UDP network traffic on generic nodes. +## </summary> +## <desc> +## <p> +## Allow the specified domain to send and receive UDP network +## traffic to/from generic network nodes (hostnames/networks). 
+## </p> +## <p> +## Related interface: +## </p> +## <ul> +## <li>corenet_all_recvfrom_unlabeled()</li> +## <li>corenet_udp_sendrecv_generic_if()</li> +## <li>corenet_udp_sendrecv_all_ports()</li> +## </ul> +## <p> +## Example client being able to send to all ports over +## generic nodes, without labeled networking: +## </p> +## <p> +## allow myclient_t self:udp_socket create_socket_perms; +## corenet_udp_sendrecv_generic_if(myclient_t) +## corenet_udp_sendrecv_generic_node(myclient_t) +## corenet_udp_sendrecv_all_ports(myclient_t) +## corenet_all_recvfrom_unlabeled(myclient_t) +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`corenet_udp_sendrecv_generic_node',` + corenet_udp_send_generic_node($1) + corenet_udp_receive_generic_node($1) +') + +######################################## +## <summary> +## Send raw IP packets on generic nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_raw_send_generic_node',` + gen_require(` + type node_t; + ') + + allow $1 node_t:node { rawip_send sendto }; +') + +######################################## +## <summary> +## Receive raw IP packets on generic nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_raw_receive_generic_node',` + gen_require(` + type node_t; + ') + + allow $1 node_t:node { rawip_recv recvfrom }; +') + +######################################## +## <summary> +## Send and receive raw IP packets on generic nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`corenet_raw_sendrecv_generic_node',` + corenet_raw_send_generic_node($1) + corenet_raw_receive_generic_node($1) +') + +######################################## +## <summary> +## Bind TCP sockets to generic nodes. +## </summary> +## <desc> +## <p> +## Bind TCP sockets to generic nodes. This is +## necessary for binding a socket so it +## can be used for servers to listen +## for incoming connections. +## </p> +## <p> +## Related interface: +## </p> +## <ul> +## <li>corenet_udp_bind_generic_node()</li> +## </ul> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="1"/> +# +interface(`corenet_tcp_bind_generic_node',` + gen_require(` + type node_t; + ') + + allow $1 node_t:tcp_socket node_bind; +') + +######################################## +## <summary> +## Bind UDP sockets to generic nodes. +## </summary> +## <desc> +## <p> +## Bind UDP sockets to generic nodes. This is +## necessary for binding a socket so it +## can be used for servers to listen +## for incoming connections. +## </p> +## <p> +## Related interface: +## </p> +## <ul> +## <li>corenet_tcp_bind_generic_node()</li> +## </ul> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="1"/> +# +interface(`corenet_udp_bind_generic_node',` + gen_require(` + type node_t; + ') + + allow $1 node_t:udp_socket node_bind; +') + +######################################## +## <summary> +## Bind raw sockets to genric nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# rawip_socket node_bind does not make much sense. 
+# cjp: vmware hits this too +interface(`corenet_raw_bind_generic_node',` + gen_require(` + type node_t; + ') + + allow $1 node_t:rawip_socket node_bind; +') + +######################################## +## <summary> +## Allow outgoing network traffic to generic nodes. +## </summary> +## <param name="domain"> +## <summary> +## The peer label of the outgoing network traffic. +## </summary> +## </param> +## <infoflow type="write" weight="10"/> +# +interface(`corenet_out_generic_node',` + gen_require(` + type node_t; + ') + + allow $1 node_t:node sendto; +') + +######################################## +## <summary> +## Allow incoming network traffic from generic nodes. +## </summary> +## <param name="domain"> +## <summary> +## The peer label of the incoming network traffic. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`corenet_in_generic_node',` + gen_require(` + type node_t; + ') + + allow $1 node_t:node recvfrom; +') + +######################################## +## <summary> +## Allow incoming and outgoing network traffic with generic nodes. +## </summary> +## <param name="domain"> +## <summary> +## The peer label of the network traffic. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`corenet_inout_generic_node',` + corenet_in_generic_node($1) + corenet_out_generic_node($1) +') + +######################################## +## <summary> +## Send and receive TCP network traffic on all nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_tcp_sendrecv_all_nodes',` + gen_require(` + attribute node_type; + ') + + allow $1 node_type:node { tcp_send tcp_recv sendto recvfrom }; +') + +######################################## +## <summary> +## Send UDP network traffic on all nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`corenet_udp_send_all_nodes',` + gen_require(` + attribute node_type; + ') + + allow $1 node_type:node { udp_send sendto }; +') + +######################################## +## <summary> +## Do not audit attempts to send UDP network +## traffic on any nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_udp_send_all_nodes',` + gen_require(` + attribute node_type; + ') + + dontaudit $1 node_type:node { udp_send sendto }; +') + +######################################## +## <summary> +## Receive UDP network traffic on all nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_receive_all_nodes',` + gen_require(` + attribute node_type; + ') + + allow $1 node_type:node { udp_recv recvfrom }; +') + +######################################## +## <summary> +## Do not audit attempts to receive UDP +## network traffic on all nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_udp_receive_all_nodes',` + gen_require(` + attribute node_type; + ') + + dontaudit $1 node_type:node { udp_recv recvfrom }; +') + +######################################## +## <summary> +## Send and receive UDP network traffic on all nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_sendrecv_all_nodes',` + corenet_udp_send_all_nodes($1) + corenet_udp_receive_all_nodes($1) +') + +######################################## +## <summary> +## Do not audit attempts to send and receive UDP +## network traffic on any nodes nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`corenet_dontaudit_udp_sendrecv_all_nodes',` + corenet_dontaudit_udp_send_all_nodes($1) + corenet_dontaudit_udp_receive_all_nodes($1) +') + +######################################## +## <summary> +## Send raw IP packets on all nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_raw_send_all_nodes',` + gen_require(` + attribute node_type; + ') + + allow $1 node_type:node { rawip_send sendto }; +') + +######################################## +## <summary> +## Receive raw IP packets on all nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_raw_receive_all_nodes',` + gen_require(` + attribute node_type; + ') + + allow $1 node_type:node { rawip_recv recvfrom }; +') + +######################################## +## <summary> +## Send and receive raw IP packets on all nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_raw_sendrecv_all_nodes',` + corenet_raw_send_all_nodes($1) + corenet_raw_receive_all_nodes($1) +') + +######################################## +## <summary> +## Bind TCP sockets to all nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_tcp_bind_all_nodes',` + gen_require(` + attribute node_type; + ') + + allow $1 node_type:tcp_socket node_bind; +') + +######################################## +## <summary> +## Bind UDP sockets to all nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`corenet_udp_bind_all_nodes',` + gen_require(` + attribute node_type; + ') + + allow $1 node_type:udp_socket node_bind; +') + +######################################## +## <summary> +## Bind raw sockets to all nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# rawip_socket node_bind does not make much sense. +# cjp: vmware hits this too +interface(`corenet_raw_bind_all_nodes',` + gen_require(` + attribute node_type; + ') + + allow $1 node_type:rawip_socket node_bind; +') + +######################################## +## <summary> +## Send and receive TCP network traffic on generic ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_tcp_sendrecv_generic_port',` + gen_require(` + type port_t; + ') + + allow $1 port_t:tcp_socket { send_msg recv_msg }; +') + +######################################## +## <summary> +## Do not audit send and receive TCP network traffic on generic ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` + gen_require(` + type port_t; + ') + + dontaudit $1 port_t:tcp_socket { send_msg recv_msg }; +') + +######################################## +## <summary> +## Send UDP network traffic on generic ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_send_generic_port',` + gen_require(` + type port_t; + ') + + allow $1 port_t:udp_socket send_msg; +') + +######################################## +## <summary> +## Receive UDP network traffic on generic ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`corenet_udp_receive_generic_port',` + gen_require(` + type port_t; + ') + + allow $1 port_t:udp_socket recv_msg; +') + +######################################## +## <summary> +## Send and receive UDP network traffic on generic ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_sendrecv_generic_port',` + corenet_udp_send_generic_port($1) + corenet_udp_receive_generic_port($1) +') + +######################################## +## <summary> +## Bind TCP sockets to generic ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_tcp_bind_generic_port',` + gen_require(` + type port_t; + attribute port_type; + ') + + allow $1 port_t:tcp_socket name_bind; + dontaudit $1 { port_type -port_t }:tcp_socket name_bind; +') + +######################################## +## <summary> +## Do not audit bind TCP sockets to generic ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_tcp_bind_generic_port',` + gen_require(` + type port_t; + ') + + dontaudit $1 port_t:tcp_socket name_bind; +') + +######################################## +## <summary> +## Bind UDP sockets to generic ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_bind_generic_port',` + gen_require(` + type port_t; + attribute port_type; + ') + + allow $1 port_t:udp_socket name_bind; + dontaudit $1 { port_type -port_t }:udp_socket name_bind; +') + +######################################## +## <summary> +## Connect TCP sockets to generic ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`corenet_tcp_connect_generic_port',` + gen_require(` + type port_t; + ') + + allow $1 port_t:tcp_socket name_connect; +') + +######################################## +## <summary> +## Send and receive TCP network traffic on all ports. +## </summary> +## <desc> +## <p> +## Send and receive TCP network traffic on all ports. +## Related interfaces: +## </p> +## <ul> +## <li>corenet_all_recvfrom_unlabeled()</li> +## <li>corenet_tcp_sendrecv_generic_if()</li> +## <li>corenet_tcp_sendrecv_generic_node()</li> +## <li>corenet_tcp_connect_all_ports()</li> +## <li>corenet_tcp_bind_all_ports()</li> +## </ul> +## <p> +## Example client being able to connect to all ports over +## generic nodes, without labeled networking: +## </p> +## <p> +## allow myclient_t self:tcp_socket create_stream_socket_perms; +## corenet_tcp_sendrecv_generic_if(myclient_t) +## corenet_tcp_sendrecv_generic_node(myclient_t) +## corenet_tcp_sendrecv_all_ports(myclient_t) +## corenet_tcp_connect_all_ports(myclient_t) +## corenet_all_recvfrom_unlabeled(myclient_t) +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`corenet_tcp_sendrecv_all_ports',` + gen_require(` + attribute port_type; + ') + + allow $1 port_type:tcp_socket { send_msg recv_msg }; +') + +######################################## +## <summary> +## Send UDP network traffic on all ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_send_all_ports',` + gen_require(` + attribute port_type; + ') + + allow $1 port_type:udp_socket send_msg; +') + +######################################## +## <summary> +## Receive UDP network traffic on all ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`corenet_udp_receive_all_ports',` + gen_require(` + attribute port_type; + ') + + allow $1 port_type:udp_socket recv_msg; +') + +######################################## +## <summary> +## Send and receive UDP network traffic on all ports. +## </summary> +## <desc> +## <p> +## Send and receive UDP network traffic on all ports. +## Related interfaces: +## </p> +## <ul> +## <li>corenet_all_recvfrom_unlabeled()</li> +## <li>corenet_udp_sendrecv_generic_if()</li> +## <li>corenet_udp_sendrecv_generic_node()</li> +## <li>corenet_udp_bind_all_ports()</li> +## </ul> +## <p> +## Example client being able to send to all ports over +## generic nodes, without labeled networking: +## </p> +## <p> +## allow myclient_t self:udp_socket create_socket_perms; +## corenet_udp_sendrecv_generic_if(myclient_t) +## corenet_udp_sendrecv_generic_node(myclient_t) +## corenet_udp_sendrecv_all_ports(myclient_t) +## corenet_all_recvfrom_unlabeled(myclient_t) +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`corenet_udp_sendrecv_all_ports',` + corenet_udp_send_all_ports($1) + corenet_udp_receive_all_ports($1) +') + +######################################## +## <summary> +## Bind TCP sockets to all ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_tcp_bind_all_ports',` + gen_require(` + attribute port_type; + ') + + allow $1 port_type:tcp_socket name_bind; + allow $1 self:capability net_bind_service; +') + +######################################## +## <summary> +## Do not audit attepts to bind TCP sockets to any ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`corenet_dontaudit_tcp_bind_all_ports',` + gen_require(` + attribute port_type; + ') + + dontaudit $1 port_type:tcp_socket name_bind; +') + +######################################## +## <summary> +## Bind UDP sockets to all ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_bind_all_ports',` + gen_require(` + attribute port_type; + ') + + allow $1 port_type:udp_socket name_bind; + allow $1 self:capability net_bind_service; +') + +######################################## +## <summary> +## Do not audit attepts to bind UDP sockets to any ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_udp_bind_all_ports',` + gen_require(` + attribute port_type; + ') + + dontaudit $1 port_type:udp_socket name_bind; +') + +######################################## +## <summary> +## Connect TCP sockets to all ports. +## </summary> +## <desc> +## <p> +## Connect TCP sockets to all ports +## </p> +## <p> +## Related interfaces: +## </p> +## <ul> +## <li>corenet_all_recvfrom_unlabeled()</li> +## <li>corenet_tcp_sendrecv_generic_if()</li> +## <li>corenet_tcp_sendrecv_generic_node()</li> +## <li>corenet_tcp_sendrecv_all_ports()</li> +## <li>corenet_tcp_bind_all_ports()</li> +## </ul> +## <p> +## Example client being able to connect to all ports over +## generic nodes, without labeled networking: +## </p> +## <p> +## allow myclient_t self:tcp_socket create_stream_socket_perms; +## corenet_tcp_sendrecv_generic_if(myclient_t) +## corenet_tcp_sendrecv_generic_node(myclient_t) +## corenet_tcp_sendrecv_all_ports(myclient_t) +## corenet_tcp_connect_all_ports(myclient_t) +## corenet_all_recvfrom_unlabeled(myclient_t) +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <infoflow type="write" weight="1"/> +# +interface(`corenet_tcp_connect_all_ports',` + gen_require(` + attribute port_type; + ') + + allow $1 port_type:tcp_socket name_connect; +') + +######################################## +## <summary> +## Do not audit attempts to connect TCP sockets +## to all ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_tcp_connect_all_ports',` + gen_require(` + attribute port_type; + ') + + dontaudit $1 port_type:tcp_socket name_connect; +') + +######################################## +## <summary> +## Send and receive TCP network traffic on generic reserved ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_tcp_sendrecv_reserved_port',` + gen_require(` + type reserved_port_t; + ') + + allow $1 reserved_port_t:tcp_socket { send_msg recv_msg }; +') + +######################################## +## <summary> +## Send UDP network traffic on generic reserved ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_send_reserved_port',` + gen_require(` + type reserved_port_t; + ') + + allow $1 reserved_port_t:udp_socket send_msg; +') + +######################################## +## <summary> +## Receive UDP network traffic on generic reserved ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_receive_reserved_port',` + gen_require(` + type reserved_port_t; + ') + + allow $1 reserved_port_t:udp_socket recv_msg; +') + +######################################## +## <summary> +## Send and receive UDP network traffic on generic reserved ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`corenet_udp_sendrecv_reserved_port',` + corenet_udp_send_reserved_port($1) + corenet_udp_receive_reserved_port($1) +') + +######################################## +## <summary> +## Bind TCP sockets to generic reserved ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_tcp_bind_reserved_port',` + gen_require(` + type reserved_port_t; + ') + + allow $1 reserved_port_t:tcp_socket name_bind; + allow $1 self:capability net_bind_service; +') + +######################################## +## <summary> +## Bind UDP sockets to generic reserved ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_bind_reserved_port',` + gen_require(` + type reserved_port_t; + ') + + allow $1 reserved_port_t:udp_socket name_bind; + allow $1 self:capability net_bind_service; +') + +######################################## +## <summary> +## Connect TCP sockets to generic reserved ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_tcp_connect_reserved_port',` + gen_require(` + type reserved_port_t; + ') + + allow $1 reserved_port_t:tcp_socket name_connect; +') + +######################################## +## <summary> +## Send and receive TCP network traffic on all reserved ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_tcp_sendrecv_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + allow $1 reserved_port_type:tcp_socket { send_msg recv_msg }; +') + +######################################## +## <summary> +## Send UDP network traffic on all reserved ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`corenet_udp_send_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + allow $1 reserved_port_type:udp_socket send_msg; +') + +######################################## +## <summary> +## Receive UDP network traffic on all reserved ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_receive_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + allow $1 reserved_port_type:udp_socket recv_msg; +') + +######################################## +## <summary> +## Send and receive UDP network traffic on all reserved ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_sendrecv_all_reserved_ports',` + corenet_udp_send_all_reserved_ports($1) + corenet_udp_receive_all_reserved_ports($1) +') + +######################################## +## <summary> +## Bind TCP sockets to all reserved ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_tcp_bind_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + allow $1 reserved_port_type:tcp_socket name_bind; + allow $1 self:capability net_bind_service; +') + +######################################## +## <summary> +## Do not audit attempts to bind TCP sockets to all reserved ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + dontaudit $1 reserved_port_type:tcp_socket name_bind; +') + +######################################## +## <summary> +## Bind UDP sockets to all reserved ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`corenet_udp_bind_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + allow $1 reserved_port_type:udp_socket name_bind; + allow $1 self:capability net_bind_service; +') + +######################################## +## <summary> +## Do not audit attempts to bind UDP sockets to all reserved ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + dontaudit $1 reserved_port_type:udp_socket name_bind; +') + +######################################## +## <summary> +## Bind TCP sockets to all ports > 1024. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_tcp_bind_all_unreserved_ports',` + gen_require(` + attribute port_type, reserved_port_type; + ') + + allow $1 { port_type -reserved_port_type }:tcp_socket name_bind; +') + +######################################## +## <summary> +## Bind UDP sockets to all ports > 1024. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_bind_all_unreserved_ports',` + gen_require(` + attribute port_type, reserved_port_type; + ') + + allow $1 { port_type -reserved_port_type }:udp_socket name_bind; +') + +######################################## +## <summary> +## Connect TCP sockets to reserved ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_tcp_connect_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + allow $1 reserved_port_type:tcp_socket name_connect; +') + +######################################## +## <summary> +## Connect TCP sockets to all ports > 1024. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_tcp_connect_all_unreserved_ports',` + gen_require(` + attribute port_type, reserved_port_type; + ') + + allow $1 { port_type -reserved_port_type }:tcp_socket name_connect; +') + +######################################## +## <summary> +## Do not audit attempts to connect TCP sockets +## all reserved ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + dontaudit $1 reserved_port_type:tcp_socket name_connect; +') + +######################################## +## <summary> +## Connect TCP sockets to rpc ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_tcp_connect_all_rpc_ports',` + gen_require(` + attribute rpc_port_type; + ') + + allow $1 rpc_port_type:tcp_socket name_connect; +') + +######################################## +## <summary> +## Do not audit attempts to connect TCP sockets +## all rpc ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` + gen_require(` + attribute rpc_port_type; + ') + + dontaudit $1 rpc_port_type:tcp_socket name_connect; +') + +######################################## +## <summary> +## Read and write the TUN/TAP virtual network device. +## </summary> +## <param name="domain"> +## <summary> +## The domain allowed access. 
+## </summary> +## </param> +# +interface(`corenet_rw_tun_tap_dev',` + gen_require(` + type tun_tap_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read or write the TUN/TAP +## virtual network device. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_rw_tun_tap_dev',` + gen_require(` + type tun_tap_device_t; + ') + + dontaudit $1 tun_tap_device_t:chr_file { read write }; +') + +######################################## +## <summary> +## Getattr the point-to-point device. +## </summary> +## <param name="domain"> +## <summary> +## The domain allowed access. +## </summary> +## </param> +# +interface(`corenet_getattr_ppp_dev',` + gen_require(` + type ppp_device_t; + ') + + allow $1 ppp_device_t:chr_file getattr; +') + +######################################## +## <summary> +## Read and write the point-to-point device. +## </summary> +## <param name="domain"> +## <summary> +## The domain allowed access. +## </summary> +## </param> +# +interface(`corenet_rw_ppp_dev',` + gen_require(` + type ppp_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 ppp_device_t:chr_file rw_chr_file_perms; +') + +######################################## +## <summary> +## Bind TCP sockets to all RPC ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_tcp_bind_all_rpc_ports',` + gen_require(` + attribute rpc_port_type; + ') + + allow $1 rpc_port_type:tcp_socket name_bind; + allow $1 self:capability net_bind_service; +') + +######################################## +## <summary> +## Do not audit attempts to bind TCP sockets to all RPC ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`corenet_dontaudit_tcp_bind_all_rpc_ports',` + gen_require(` + attribute rpc_port_type; + ') + + dontaudit $1 rpc_port_type:tcp_socket name_bind; +') + +######################################## +## <summary> +## Bind UDP sockets to all RPC ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_bind_all_rpc_ports',` + gen_require(` + attribute rpc_port_type; + ') + + allow $1 rpc_port_type:udp_socket name_bind; + allow $1 self:capability net_bind_service; +') + +######################################## +## <summary> +## Do not audit attempts to bind UDP sockets to all RPC ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_udp_bind_all_rpc_ports',` + gen_require(` + attribute rpc_port_type; + ') + + dontaudit $1 rpc_port_type:udp_socket name_bind; +') + +######################################## +## <summary> +## Send and receive messages on a +## non-encrypted (no IPSEC) network +## session. +## </summary> +## <desc> +## <p> +## Send and receive messages on a +## non-encrypted (no IPSEC) network +## session. (Deprecated) +## </p> +## <p> +## The corenet_all_recvfrom_unlabeled() interface should be used instead +## of this one. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_non_ipsec_sendrecv',` + refpolicywarn(`$0($*) has been deprecated, use corenet_all_recvfrom_unlabeled() instead.') + corenet_all_recvfrom_unlabeled($1) +') + +######################################## +## <summary> +## Do not audit attempts to send and receive +## messages on a non-encrypted (no IPSEC) network +## session. +## </summary> +## <desc> +## <p> +## Do not audit attempts to send and receive +## messages on a non-encrypted (no IPSEC) network +## session. 
+## </p> +## <p> +## The corenet_dontaudit_all_recvfrom_unlabeled() interface should be +## used instead of this one. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_non_ipsec_sendrecv',` + refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_all_recvfrom_unlabeled() instead.') + corenet_dontaudit_all_recvfrom_unlabeled($1) +') + +######################################## +## <summary> +## Receive TCP packets from a NetLabel connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_tcp_recv_netlabel',` + refpolicywarn(`$0($*) has been deprecated, use corenet_tcp_recvfrom_netlabel() instead.') + corenet_tcp_recvfrom_netlabel($1) +') + +######################################## +## <summary> +## Receive TCP packets from a NetLabel connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_tcp_recvfrom_netlabel',` + gen_require(` + type netlabel_peer_t; + ') + + allow $1 netlabel_peer_t:peer recv; + allow $1 netlabel_peer_t:tcp_socket recvfrom; +') + +######################################## +## <summary> +## Receive TCP packets from an unlabled connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_tcp_recvfrom_unlabeled',` + kernel_tcp_recvfrom_unlabeled($1) + kernel_recvfrom_unlabeled_peer($1) + + # XXX - at some point the oubound/send access check will be removed + # but for right now we need to keep this in place so as not to break + # older systems + kernel_sendrecv_unlabeled_association($1) +') + +######################################## +## <summary> +## Do not audit attempts to receive TCP packets from a NetLabel +## connection. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_tcp_recv_netlabel',` + refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_tcp_recvfrom_netlabel() instead.') + corenet_dontaudit_tcp_recvfrom_netlabel($1) +') + +######################################## +## <summary> +## Do not audit attempts to receive TCP packets from a NetLabel +## connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` + gen_require(` + type netlabel_peer_t; + ') + + dontaudit $1 netlabel_peer_t:peer recv; + dontaudit $1 netlabel_peer_t:tcp_socket recvfrom; +') + +######################################## +## <summary> +## Do not audit attempts to receive TCP packets from an unlabeled +## connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_tcp_recvfrom_unlabeled',` + kernel_dontaudit_tcp_recvfrom_unlabeled($1) + kernel_dontaudit_recvfrom_unlabeled_peer($1) + + # XXX - at some point the oubound/send access check will be removed + # but for right now we need to keep this in place so as not to break + # older systems + kernel_dontaudit_sendrecv_unlabeled_association($1) +') + +######################################## +## <summary> +## Receive UDP packets from a NetLabel connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_recv_netlabel',` + refpolicywarn(`$0($*) has been deprecated, use corenet_udp_recvfrom_netlabel() instead.') + corenet_udp_recvfrom_netlabel($1) +') + +######################################## +## <summary> +## Receive UDP packets from a NetLabel connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`corenet_udp_recvfrom_netlabel',` + gen_require(` + type netlabel_peer_t; + ') + + allow $1 netlabel_peer_t:peer recv; + allow $1 netlabel_peer_t:udp_socket recvfrom; +') + +######################################## +## <summary> +## Receive UDP packets from an unlabeled connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_udp_recvfrom_unlabeled',` + kernel_udp_recvfrom_unlabeled($1) + kernel_recvfrom_unlabeled_peer($1) + + # XXX - at some point the oubound/send access check will be removed + # but for right now we need to keep this in place so as not to break + # older systems + kernel_sendrecv_unlabeled_association($1) +') + +######################################## +## <summary> +## Do not audit attempts to receive UDP packets from a NetLabel +## connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_udp_recv_netlabel',` + refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_udp_recvfrom_netlabel($1) instead.') + corenet_dontaudit_udp_recvfrom_netlabel($1) +') + +######################################## +## <summary> +## Do not audit attempts to receive UDP packets from a NetLabel +## connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_udp_recvfrom_netlabel',` + gen_require(` + type netlabel_peer_t; + ') + + dontaudit $1 netlabel_peer_t:peer recv; + dontaudit $1 netlabel_peer_t:udp_socket recvfrom; +') + +######################################## +## <summary> +## Do not audit attempts to receive UDP packets from an unlabeled +## connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`corenet_dontaudit_udp_recvfrom_unlabeled',` + kernel_dontaudit_udp_recvfrom_unlabeled($1) + kernel_dontaudit_recvfrom_unlabeled_peer($1) + + # XXX - at some point the oubound/send access check will be removed + # but for right now we need to keep this in place so as not to break + # older systems + kernel_dontaudit_sendrecv_unlabeled_association($1) +') + +######################################## +## <summary> +## Receive Raw IP packets from a NetLabel connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_raw_recv_netlabel',` + refpolicywarn(`$0($*) has been deprecated, use corenet_raw_recvfrom_netlabel() instead.') + corenet_raw_recvfrom_netlabel($1) +') + +######################################## +## <summary> +## Receive Raw IP packets from a NetLabel connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_raw_recvfrom_netlabel',` + gen_require(` + type netlabel_peer_t; + ') + + allow $1 netlabel_peer_t:peer recv; + allow $1 netlabel_peer_t:rawip_socket recvfrom; +') + +######################################## +## <summary> +## Receive Raw IP packets from an unlabeled connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_raw_recvfrom_unlabeled',` + kernel_raw_recvfrom_unlabeled($1) + kernel_recvfrom_unlabeled_peer($1) + + # XXX - at some point the oubound/send access check will be removed + # but for right now we need to keep this in place so as not to break + # older systems + kernel_sendrecv_unlabeled_association($1) +') + +######################################## +## <summary> +## Do not audit attempts to receive Raw IP packets from a NetLabel +## connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`corenet_dontaudit_raw_recv_netlabel',` + refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_raw_recvfrom_netlabel() instead.') + corenet_dontaudit_raw_recvfrom_netlabel($1) +') + +######################################## +## <summary> +## Do not audit attempts to receive Raw IP packets from a NetLabel +## connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_raw_recvfrom_netlabel',` + gen_require(` + type netlabel_peer_t; + ') + + dontaudit $1 netlabel_peer_t:peer recv; + dontaudit $1 netlabel_peer_t:rawip_socket recvfrom; +') + +######################################## +## <summary> +## Do not audit attempts to receive Raw IP packets from an unlabeled +## connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` + kernel_dontaudit_raw_recvfrom_unlabeled($1) + kernel_dontaudit_recvfrom_unlabeled_peer($1) + + # XXX - at some point the oubound/send access check will be removed + # but for right now we need to keep this in place so as not to break + # older systems + kernel_dontaudit_sendrecv_unlabeled_association($1) +') + +######################################## +## <summary> +## Receive packets from an unlabeled connection. +## </summary> +## <desc> +## <p> +## Allow the specified domain to receive packets from an +## unlabeled connection. On machines that do not utilize +## labeled networking, this will be required on all +## networking domains. On machines tha do utilize +## labeled networking, this will be required for any +## networking domain that is allowed to receive +## network traffic that does not have a label. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`corenet_all_recvfrom_unlabeled',` + kernel_tcp_recvfrom_unlabeled($1) + kernel_udp_recvfrom_unlabeled($1) + kernel_raw_recvfrom_unlabeled($1) + kernel_recvfrom_unlabeled_peer($1) + + # XXX - at some point the oubound/send access check will be removed + # but for right now we need to keep this in place so as not to break + # older systems + kernel_sendrecv_unlabeled_association($1) +') + +######################################## +## <summary> +## Receive packets from a NetLabel connection. +## </summary> +## <desc> +## <p> +## Allow the specified domain to receive NetLabel +## network traffic, which utilizes the Commercial IP +## Security Option (CIPSO) to set the MLS level +## of the network packets. This is required for +## all networking domains that receive NetLabel +## network traffic. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`corenet_all_recvfrom_netlabel',` + gen_require(` + type netlabel_peer_t; + ') + + allow $1 netlabel_peer_t:peer recv; + allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; +') + +######################################## +## <summary> +## Do not audit attempts to receive packets from an unlabeled connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`corenet_dontaudit_all_recvfrom_unlabeled',` + kernel_dontaudit_tcp_recvfrom_unlabeled($1) + kernel_dontaudit_udp_recvfrom_unlabeled($1) + kernel_dontaudit_raw_recvfrom_unlabeled($1) + kernel_dontaudit_recvfrom_unlabeled_peer($1) + + # XXX - at some point the oubound/send access check will be removed + # but for right now we need to keep this in place so as not to break + # older systems + kernel_dontaudit_sendrecv_unlabeled_association($1) +') + +######################################## +## <summary> +## Do not audit attempts to receive packets from a NetLabel +## connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_all_recvfrom_netlabel',` + gen_require(` + type netlabel_peer_t; + ') + + dontaudit $1 netlabel_peer_t:peer recv; + dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; +') + +######################################## +## <summary> +## Rules for receiving labeled TCP packets. +## </summary> +## <desc> +## <p> +## Rules for receiving labeled TCP packets. +## </p> +## <p> +## Due to the nature of TCP, this is bidirectional. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="peer_domain"> +## <summary> +## Peer domain. +## </summary> +## </param> +# +interface(`corenet_tcp_recvfrom_labeled',` + allow { $1 $2 } self:association sendto; + allow $1 $2:{ association tcp_socket } recvfrom; + allow $2 $1:{ association tcp_socket } recvfrom; + + allow $1 $2:peer recv; + allow $2 $1:peer recv; + + # allow receiving packets from MLS-only peers using NetLabel + corenet_tcp_recvfrom_netlabel($1) + corenet_tcp_recvfrom_netlabel($2) +') + +######################################## +## <summary> +## Rules for receiving labeled UDP packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <param name="peer_domain"> +## <summary> +## Peer domain. +## </summary> +## </param> +# +interface(`corenet_udp_recvfrom_labeled',` + allow $2 self:association sendto; + allow $1 $2:{ association udp_socket } recvfrom; + + allow $1 $2:peer recv; + + # allow receiving packets from MLS-only peers using NetLabel + corenet_udp_recvfrom_netlabel($1) +') + +######################################## +## <summary> +## Rules for receiving labeled raw IP packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="peer_domain"> +## <summary> +## Peer domain. +## </summary> +## </param> +# +interface(`corenet_raw_recvfrom_labeled',` + allow $2 self:association sendto; + allow $1 $2:{ association rawip_socket } recvfrom; + + allow $1 $2:peer recv; + + # allow receiving packets from MLS-only peers using NetLabel + corenet_raw_recvfrom_netlabel($1) +') + +######################################## +## <summary> +## Rules for receiving labeled packets via TCP, UDP and raw IP. +## </summary> +## <desc> +## <p> +## Rules for receiving labeled packets via TCP, UDP and raw IP. +## </p> +## <p> +## Due to the nature of TCP, the rules (for TCP +## networking only) are bidirectional. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="peer_domain"> +## <summary> +## Peer domain. +## </summary> +## </param> +# +interface(`corenet_all_recvfrom_labeled',` + corenet_tcp_recvfrom_labeled($1,$2) + corenet_udp_recvfrom_labeled($1,$2) + corenet_raw_recvfrom_labeled($1,$2) +') + +######################################## +## <summary> +## Send generic client packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`corenet_send_generic_client_packets',` + gen_require(` + type client_packet_t; + ') + + allow $1 client_packet_t:packet send; +') + +######################################## +## <summary> +## Receive generic client packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_receive_generic_client_packets',` + gen_require(` + type client_packet_t; + ') + + allow $1 client_packet_t:packet recv; +') + +######################################## +## <summary> +## Send and receive generic client packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_sendrecv_generic_client_packets',` + corenet_send_generic_client_packets($1) + corenet_receive_generic_client_packets($1) +') + +######################################## +## <summary> +## Relabel packets to the generic client packet type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_relabelto_generic_client_packets',` + gen_require(` + type client_packet_t; + ') + + allow $1 client_packet_t:packet relabelto; +') + +######################################## +## <summary> +## Send generic server packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_send_generic_server_packets',` + gen_require(` + type server_packet_t; + ') + + allow $1 server_packet_t:packet send; +') + +######################################## +## <summary> +## Receive generic server packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`corenet_receive_generic_server_packets',` + gen_require(` + type server_packet_t; + ') + + allow $1 server_packet_t:packet recv; +') + +######################################## +## <summary> +## Send and receive generic server packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_sendrecv_generic_server_packets',` + corenet_send_generic_server_packets($1) + corenet_receive_generic_server_packets($1) +') + +######################################## +## <summary> +## Relabel packets to the generic server packet type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_relabelto_generic_server_packets',` + gen_require(` + type server_packet_t; + ') + + allow $1 server_packet_t:packet relabelto; +') + +######################################## +## <summary> +## Send and receive unlabeled packets. +## </summary> +## <desc> +## <p> +## Send and receive unlabeled packets. +## These packets do not match any netfilter +## SECMARK rules. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_sendrecv_unlabeled_packets',` + kernel_sendrecv_unlabeled_packets($1) +') + +######################################## +## <summary> +## Send all client packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_send_all_client_packets',` + gen_require(` + attribute client_packet_type; + ') + + allow $1 client_packet_type:packet send; +') + +######################################## +## <summary> +## Receive all client packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`corenet_receive_all_client_packets',` + gen_require(` + attribute client_packet_type; + ') + + allow $1 client_packet_type:packet recv; +') + +######################################## +## <summary> +## Send and receive all client packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_sendrecv_all_client_packets',` + corenet_send_all_client_packets($1) + corenet_receive_all_client_packets($1) +') + +######################################## +## <summary> +## Relabel packets to any client packet type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_relabelto_all_client_packets',` + gen_require(` + attribute client_packet_type; + ') + + allow $1 client_packet_type:packet relabelto; +') + +######################################## +## <summary> +## Send all server packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_send_all_server_packets',` + gen_require(` + attribute server_packet_type; + ') + + allow $1 server_packet_type:packet send; +') + +######################################## +## <summary> +## Receive all server packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_receive_all_server_packets',` + gen_require(` + attribute server_packet_type; + ') + + allow $1 server_packet_type:packet recv; +') + +######################################## +## <summary> +## Send and receive all server packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`corenet_sendrecv_all_server_packets',` + corenet_send_all_server_packets($1) + corenet_receive_all_server_packets($1) +') + +######################################## +## <summary> +## Relabel packets to any server packet type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_relabelto_all_server_packets',` + gen_require(` + attribute server_packet_type; + ') + + allow $1 server_packet_type:packet relabelto; +') + +######################################## +## <summary> +## Send all packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_send_all_packets',` + gen_require(` + attribute packet_type; + ') + + allow $1 packet_type:packet send; +') + +######################################## +## <summary> +## Receive all packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_receive_all_packets',` + gen_require(` + attribute packet_type; + ') + + allow $1 packet_type:packet recv; +') + +######################################## +## <summary> +## Send and receive all packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_sendrecv_all_packets',` + corenet_send_all_packets($1) + corenet_receive_all_packets($1) +') + +######################################## +## <summary> +## Relabel packets to any packet type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_relabelto_all_packets',` + gen_require(` + attribute packet_type; + ') + + allow $1 packet_type:packet relabelto; +') + +######################################## +## <summary> +## Unconfined access to network objects. 
+## </summary> +## <param name="domain"> +## <summary> +## The domain allowed access. +## </summary> +## </param> +# +interface(`corenet_unconfined',` + gen_require(` + attribute corenet_unconfined_type; + ') + + typeattribute $1 corenet_unconfined_type; +') diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4 new file mode 100644 index 0000000..8e0f9cd --- /dev/null +++ b/policy/modules/kernel/corenetwork.if.m4 
@@ -0,0 +1,853 @@ +# +# shiftn(num,list...) +# +# shift the list num times +# +define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')') + +######################################## +# +# Network Interface generated macros +# +######################################## + +define(`create_netif_interfaces',`` +######################################## +## <summary> +## Send and receive TCP network traffic on the $1 interface. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`corenet_tcp_sendrecv_$1_if',` + gen_require(` + $3 $1_$2; + ') + + allow dollarsone $1_$2:netif { tcp_send tcp_recv egress ingress }; +') + +######################################## +## <summary> +## Send UDP network traffic on the $1 interface. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="write" weight="10"/> +# +interface(`corenet_udp_send_$1_if',` + gen_require(` + $3 $1_$2; + ') + + allow dollarsone $1_$2:netif { udp_send egress }; +') + +######################################## +## <summary> +## Receive UDP network traffic on the $1 interface. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`corenet_udp_receive_$1_if',` + gen_require(` + $3 $1_$2; + ') + + allow dollarsone $1_$2:netif { udp_recv ingress }; +') + +######################################## +## <summary> +## Send and receive UDP network traffic on the $1 interface. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`corenet_udp_sendrecv_$1_if',` + corenet_udp_send_$1_if(dollarsone) + corenet_udp_receive_$1_if(dollarsone) +') + +######################################## +## <summary> +## Send raw IP packets on the $1 interface. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="write" weight="10"/> +# +interface(`corenet_raw_send_$1_if',` + gen_require(` + $3 $1_$2; + ') + + allow dollarsone $1_$2:netif { rawip_send egress }; +') + +######################################## +## <summary> +## Receive raw IP packets on the $1 interface. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`corenet_raw_receive_$1_if',` + gen_require(` + $3 $1_$2; + ') + + allow dollarsone $1_$2:netif { rawip_recv ingress }; +') + +######################################## +## <summary> +## Send and receive raw IP packets on the $1 interface. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`corenet_raw_sendrecv_$1_if',` + corenet_raw_send_$1_if(dollarsone) + corenet_raw_receive_$1_if(dollarsone) +') +'') dnl end create_netif_interfaces + +# create confined network interfaces controlled by the network_enabled boolean +# do not call this macro for loop back +define(`create_netif_interfaces_controlled',`` +######################################## +## <summary> +## Send and receive TCP network traffic on the $1 interface. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`corenet_tcp_sendrecv_$1_if',` + gen_require(` + $3 $1_$2; + ') + + if (network_enabled) { + allow dollarsone $1_$2:netif { tcp_send tcp_recv egress ingress }; + } +') + +######################################## +## <summary> +## Send UDP network traffic on the $1 interface. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="write" weight="10"/> +# +interface(`corenet_udp_send_$1_if',` + gen_require(` + $3 $1_$2; + ') + + if (network_enabled) { + allow dollarsone $1_$2:netif { udp_send egress }; + } +') + +######################################## +## <summary> +## Receive UDP network traffic on the $1 interface. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`corenet_udp_receive_$1_if',` + gen_require(` + $3 $1_$2; + ') + + if (network_enabled) { + allow dollarsone $1_$2:netif { udp_recv ingress }; + } +') + +######################################## +## <summary> +## Send and receive UDP network traffic on the $1 interface. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`corenet_udp_sendrecv_$1_if',` + corenet_udp_send_$1_if(dollarsone) + corenet_udp_receive_$1_if(dollarsone) +') + +######################################## +## <summary> +## Send raw IP packets on the $1 interface. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <infoflow type="write" weight="10"/> +# +interface(`corenet_raw_send_$1_if',` + gen_require(` + $3 $1_$2; + ') + + if (network_enabled) { + allow dollarsone $1_$2:netif { rawip_send egress }; + } +') + +######################################## +## <summary> +## Receive raw IP packets on the $1 interface. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`corenet_raw_receive_$1_if',` + gen_require(` + $3 $1_$2; + ') + + if (network_enabled) { + allow dollarsone $1_$2:netif { rawip_recv ingress }; + } +') + +######################################## +## <summary> +## Send and receive raw IP packets on the $1 interface. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`corenet_raw_sendrecv_$1_if',` + corenet_raw_send_$1_if(dollarsone) + corenet_raw_receive_$1_if(dollarsone) +') +'') dnl end create_netif_interfaces_controlled + +######################################## +# +# Network node generated macros +# +######################################## + +define(`create_node_interfaces',`` +######################################## +## <summary> +## Send and receive TCP traffic on the $1 node. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`corenet_tcp_sendrecv_$1_node',` + gen_require(` + $3 $1_$2; + ') + + allow dollarsone $1_$2:node { tcp_send tcp_recv sendto recvfrom }; +') + +######################################## +## <summary> +## Send UDP traffic on the $1 node. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <infoflow type="write" weight="10"/> +# +interface(`corenet_udp_send_$1_node',` + gen_require(` + $3 $1_$2; + ') + + allow dollarsone $1_$2:node { udp_send sendto }; +') + +######################################## +## <summary> +## Receive UDP traffic on the $1 node. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`corenet_udp_receive_$1_node',` + gen_require(` + $3 $1_$2; + ') + + allow dollarsone $1_$2:node { udp_recv recvfrom }; +') + +######################################## +## <summary> +## Send and receive UDP traffic on the $1 node. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`corenet_udp_sendrecv_$1_node',` + corenet_udp_send_$1_node(dollarsone) + corenet_udp_receive_$1_node(dollarsone) +') + +######################################## +## <summary> +## Send raw IP packets on the $1 node. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="write" weight="10"/> +# +interface(`corenet_raw_send_$1_node',` + gen_require(` + $3 $1_$2; + ') + + allow dollarsone $1_$2:node { rawip_send sendto }; +') + +######################################## +## <summary> +## Receive raw IP packets on the $1 node. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="write" weight="10"/> +# +interface(`corenet_raw_receive_$1_node',` + gen_require(` + $3 $1_$2; + ') + + allow dollarsone $1_$2:node { rawip_recv recvfrom }; +') + +######################################## +## <summary> +## Send and receive raw IP packets on the $1 node. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`corenet_raw_sendrecv_$1_node',` + corenet_raw_send_$1_node(dollarsone) + corenet_raw_receive_$1_node(dollarsone) +') + +######################################## +## <summary> +## Bind TCP sockets to node $1. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`corenet_tcp_bind_$1_node',` + gen_require(` + $3 $1_$2; + ') + + allow dollarsone $1_$2:tcp_socket node_bind; +') + +######################################## +## <summary> +## Bind UDP sockets to the $1 node. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`corenet_udp_bind_$1_node',` + gen_require(` + $3 $1_$2; + ') + + allow dollarsone $1_$2:udp_socket node_bind; +') +'') dnl end create_node_interfaces + +######################################## +# +# Network port generated macros +# +######################################## + +define(`create_port_interfaces',`` +######################################## +## <summary> +## Send and receive TCP traffic on the $1 port. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`corenet_tcp_sendrecv_$1_port',` + gen_require(` + $3 $1_$2; + ') + + allow dollarsone $1_$2:tcp_socket { send_msg recv_msg }; +') + +######################################## +## <summary> +## Send UDP traffic on the $1 port. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <infoflow type="write" weight="10"/> +# +interface(`corenet_udp_send_$1_port',` + gen_require(` + $3 $1_$2; + ') + + allow dollarsone $1_$2:udp_socket send_msg; +') + +######################################## +## <summary> +## Do not audit attempts to send UDP traffic on the $1 port. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`corenet_dontaudit_udp_send_$1_port',` + gen_require(` + $3 $1_$2; + ') + + dontaudit dollarsone $1_$2:udp_socket send_msg; +') + +######################################## +## <summary> +## Receive UDP traffic on the $1 port. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`corenet_udp_receive_$1_port',` + gen_require(` + $3 $1_$2; + ') + + allow dollarsone $1_$2:udp_socket recv_msg; +') + +######################################## +## <summary> +## Do not audit attempts to receive UDP traffic on the $1 port. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`corenet_dontaudit_udp_receive_$1_port',` + gen_require(` + $3 $1_$2; + ') + + dontaudit dollarsone $1_$2:udp_socket recv_msg; +') + +######################################## +## <summary> +## Send and receive UDP traffic on the $1 port. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`corenet_udp_sendrecv_$1_port',` + corenet_udp_send_$1_port(dollarsone) + corenet_udp_receive_$1_port(dollarsone) +') + +######################################## +## <summary> +## Do not audit attempts to send and receive +## UDP traffic on the $1 port. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`corenet_dontaudit_udp_sendrecv_$1_port',` + corenet_dontaudit_udp_send_$1_port(dollarsone) + corenet_dontaudit_udp_receive_$1_port(dollarsone) +') + +######################################## +## <summary> +## Bind TCP sockets to the $1 port. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`corenet_tcp_bind_$1_port',` + gen_require(` + $3 $1_$2; + ') + + allow dollarsone $1_$2:tcp_socket name_bind; + $4 +') + +######################################## +## <summary> +## Bind UDP sockets to the $1 port. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`corenet_udp_bind_$1_port',` + gen_require(` + $3 $1_$2; + ') + + allow dollarsone $1_$2:udp_socket name_bind; + $4 +') + +######################################## +## <summary> +## Make a TCP connection to the $1 port. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_tcp_connect_$1_port',` + gen_require(` + $3 $1_$2; + ') + + allow dollarsone $1_$2:tcp_socket name_connect; +') +'') dnl end create_port_interfaces + +define(`create_packet_interfaces',`` +######################################## +## <summary> +## Send $1 packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="write" weight="10"/> +# +interface(`corenet_send_$1_packets',` + gen_require(` + type $1_packet_t; + ') + + allow dollarsone $1_packet_t:packet send; +') + +######################################## +## <summary> +## Do not audit attempts to send $1 packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`corenet_dontaudit_send_$1_packets',` + gen_require(` + type $1_packet_t; + ') + + dontaudit dollarsone $1_packet_t:packet send; +') + +######################################## +## <summary> +## Receive $1 packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`corenet_receive_$1_packets',` + gen_require(` + type $1_packet_t; + ') + + allow dollarsone $1_packet_t:packet recv; +') + +######################################## +## <summary> +## Do not audit attempts to receive $1 packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`corenet_dontaudit_receive_$1_packets',` + gen_require(` + type $1_packet_t; + ') + + dontaudit dollarsone $1_packet_t:packet recv; +') + +######################################## +## <summary> +## Send and receive $1 packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`corenet_sendrecv_$1_packets',` + corenet_send_$1_packets(dollarsone) + corenet_receive_$1_packets(dollarsone) +') + +######################################## +## <summary> +## Do not audit attempts to send and receive $1 packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`corenet_dontaudit_sendrecv_$1_packets',` + corenet_dontaudit_send_$1_packets(dollarsone) + corenet_dontaudit_receive_$1_packets(dollarsone) +') + +######################################## +## <summary> +## Relabel packets to $1 the packet type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`corenet_relabelto_$1_packets',` + gen_require(` + type $1_packet_t; + ') + + allow dollarsone $1_packet_t:packet relabelto; +') +'') dnl end create_port_interfaces + +# +# create_netif_*_interfaces(linux_interfacename) +# +define(`create_netif_type_interfaces',` +create_netif_interfaces($1,netif_t,type) +') +define(`create_netif_type_interfaces_controlled',` +create_netif_interfaces_controlled($1,netif_t,type) +') +define(`create_netif_attrib_interfaces',` +create_netif_interfaces($1,netif,attribute) +') +define(`create_netif_attrib_interfaces_controlled',` +create_netif_interfaces_controlled($1,netif,attribute) +') + +# +# network_interface(linux_interfacename,mls_sensitivity) +# +define(`network_interface',` +create_netif_type_interfaces($1) +') + +define(`network_interface_controlled',` +create_netif_type_interfaces_controlled($1) +') + +# +# create_node_*_interfaces(node_name) +# +define(`create_node_type_interfaces',` +create_node_interfaces($1,node_t,type) +') +define(`create_node_attrib_interfaces',` +create_node_interfaces($1,node,attribute) +') + +# +# network_node(node_name,mls_sensitivity,address,netmask) +# +define(`network_node',` +create_node_type_interfaces($1) +') + +# These next three macros have formatting, and should not me indented +define(`determine_reserved_capability',`dnl +ifelse($2,`',`',`dnl +ifelse(eval($2 < 1024),1,``allow' dollarsone self:capability net_bind_service;',`dnl +determine_reserved_capability(shiftn(3,$*))dnl +')dnl end inner ifelse +')dnl end outer ifelse +') dnl end determine reserved capability + +# +# create_port_*_interfaces(port_name, protocol,portnum,mls_sensitivity [,protocol portnum mls_sensitivity[,...]]) +# (these wrap create_port_interfaces to handle attributes and types) +define(`create_port_type_interfaces',`create_port_interfaces($1,port_t,type,determine_reserved_capability(shift($*)))') 
+define(`create_port_attrib_interfaces',`create_port_interfaces($1,port,attribute,determine_reserved_capability(shift($*)))') + +# +# network_port(port_name,protocol portnum mls_sensitivity [,protocol,portnum,mls_sensitivity[,...]]) +# +define(`network_port',` +create_port_type_interfaces($*) +create_packet_interfaces($1_client) +create_packet_interfaces($1_server) +') + +# +# network_packet(packet_name) +# +define(`network_packet',` +create_packet_interfaces($1_client) +create_packet_interfaces($1_server) +') diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in new file mode 100644 index 0000000..f15e5ba --- /dev/null +++ b/policy/modules/kernel/corenetwork.te.in 
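Review bot: determine_reserved_capability tests `eval($2 < 1024)` directly on the port argument, but that argument can be a range such as `5900-5999` or `10080-10083` (see the network_port calls in corenetwork.te.in); m4's eval performs the subtraction first, so `5900-5999 < 1024` evaluates as true and the `$4` expansion in corenet_tcp_bind_$1_port / corenet_udp_bind_$1_port would grant net_bind_service for high port ranges. declare_ports in corenetwork.te.m4 already handles this with range_start, so use `eval(range_start($2) < 1024)` here as well (or duplicate the helper if the .te.m4 definitions are not in scope when this file is expanded). Two smaller points in the same region: the closing comment of the create_packet_interfaces definition reads `dnl end create_port_interfaces` (copied from the block above), and corenet_dontaudit_receive_$1_packets documents its parameter as "Domain allowed access." where every other dontaudit interface says "Domain to not audit."; corenet_tcp_connect_$1_port is also the only port interface without an <infoflow/> tag.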
@@ -0,0 +1,299 @@ +policy_module(corenetwork, 1.14.1) + +######################################## +# +# Declarations +# + +attribute client_packet_type; +attribute netif_type; +attribute node_type; +attribute packet_type; +attribute port_type; +attribute reserved_port_type; +attribute rpc_port_type; +attribute server_packet_type; + +attribute corenet_unconfined_type; + +type ppp_device_t; +dev_node(ppp_device_t) + +# +# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/* +# +type tun_tap_device_t; +dev_node(tun_tap_device_t) +mls_trusted_object(tun_tap_device_t) + +######################################## +# +# Ports and packets +# + +# +# client_packet_t is the default type of IPv4 and IPv6 client packets. +# +type client_packet_t, packet_type, client_packet_type; + +# +# The netlabel_peer_t is used by the kernel's NetLabel subsystem for network +# connections using NetLabel which do not carry full SELinux contexts. +# +type netlabel_peer_t; +sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh) + +# +# port_t is the default type of INET port numbers. +# +type port_t, port_type; +sid port gen_context(system_u:object_r:port_t,s0) + +# +# reserved_port_t is the type of INET port numbers below 1024. +# +type reserved_port_t, port_type, reserved_port_type; + +# +# hi_reserved_port_t is the type of INET port numbers between 512-1023. +# +type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; + +# +# server_packet_t is the default type of IPv4 and IPv6 server packets. 
+# +type server_packet_t, packet_type, server_packet_type; + +network_port(afs_bos, udp,7007,s0) +network_port(afs_client, udp,7001,s0) +network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) +network_port(afs_ka, udp,7004,s0) +network_port(afs_pt, udp,7002,s0) +network_port(afs_vl, udp,7003,s0) +network_port(agentx, udp,705,s0, tcp,705,s0) +network_port(ajaxterm, tcp,8022,s0) +network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) +network_port(amavisd_recv, tcp,10024,s0) +network_port(amavisd_send, tcp,10025,s0) +network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0) +network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) +network_port(apcupsd, tcp,3551,s0, udp,3551,s0) +network_port(apertus_ldp, tcp,539,s0, udp,539,s0) +network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0) +network_port(audit, tcp,60,s0) +network_port(auth, tcp,113,s0) +network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) +network_port(boinc, tcp,31416,s0) +type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict +network_port(certmaster, tcp,51235,s0) +network_port(chronyd, udp,323,s0) +network_port(clamd, tcp,3310,s0) +network_port(clockspeed, udp,4041,s0) +network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0) +network_port(cobbler, tcp,25151,s0) +network_port(commplex, tcp,5000,s0, udp,5000,s0, tcp,5001,s0, udp,5001,s0) +network_port(comsat, udp,512,s0) +network_port(cvs, tcp,2401,s0, udp,2401,s0) +network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) +network_port(dbskkd, tcp,1178,s0) +network_port(dcc, udp,6276,s0, udp,6277,s0) +network_port(dccm, tcp,5679,s0, udp,5679,s0) +network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) +network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) +network_port(dict, tcp,2628,s0) 
+network_port(distccd, tcp,3632,s0) +network_port(dns, udp,53,s0, tcp,53,s0) +network_port(epmap, tcp,135,s0, udp,135,s0) +network_port(festival, tcp,1314,s0) +network_port(fingerd, tcp,79,s0) +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) +network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) +network_port(ftp_data, tcp,20,s0) +network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) +network_port(giftd, tcp,1213,s0) +network_port(git, tcp,9418,s0, udp,9418,s0) +network_port(gopher, tcp,70,s0, udp,70,s0) +network_port(gpsd, tcp,2947,s0) +network_port(hddtemp, tcp,7634,s0) +network_port(howl, tcp,5335,s0, udp,5353,s0) +network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) +network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port +network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy +network_port(i18n_input, tcp,9010,s0) +network_port(imaze, tcp,5323,s0, udp,5323,s0) +network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) +network_port(innd, tcp,119,s0) +network_port(ipmi, udp,623,s0, udp,664,s0) +network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0) +network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) +network_port(ircd, tcp,6667,s0) +network_port(isakmp, udp,500,s0) +network_port(iscsi, tcp,3260,s0) +network_port(isns, tcp,3205,s0, udp,3205,s0) +network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) +network_port(jabber_interserver, tcp,5269,s0) +network_port(jabber_router, 
tcp,5347,s0) +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) +network_port(kerberos_admin, tcp,749,s0) +network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) +network_port(kerberos_password, tcp,464,s0, udp,464,s0) +network_port(kismet, tcp,2501,s0) +network_port(kprop, tcp,754,s0) +network_port(ktalkd, udp,517,s0, udp,518,s0) +network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) +network_port(lirc, tcp,8765,s0) +network_port(luci, tcp,8084,s0) +network_port(lmtp, tcp,24,s0, udp,24,s0) +type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon +network_port(mail, tcp,2000,s0, tcp,3905,s0) +network_port(memcache, tcp,11211,s0, udp,11211,s0) +network_port(mmcc, tcp,5050,s0, udp,5050,s0) +network_port(monopd, tcp,1234,s0) +network_port(mpd, tcp,6600,s0) +network_port(msnp, tcp,1863,s0, udp,1863,s0) +network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) +network_port(munin, tcp,4949,s0, udp,4949,s0) +network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) +network_port(mysqlmanagerd, tcp,2273,s0) +network_port(nessus, tcp,1241,s0) +network_port(netport, tcp,3129,s0, udp,3129,s0) +network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) +network_port(nmbd, udp,137,s0, udp,138,s0) +network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) +network_port(ntp, udp,123,s0) +network_port(ocsp, tcp,9080,s0) +network_port(openvpn, tcp,1194,s0, udp,1194,s0) +network_port(pegasus_http, tcp,5988,s0) +network_port(pegasus_https, tcp,5989,s0) +network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) +network_port(pingd, tcp,9125,s0) +network_port(piranha, tcp,3636,s0) +network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0) +network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0) +network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0) 
+network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0) +network_port(pki_ra, tcp,12888-12889,s0) +network_port(pki_tps, tcp,7888-7889,s0) +network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) +network_port(portmap, udp,111,s0, tcp,111,s0) +network_port(postfix_policyd, tcp,10031,s0) +network_port(postgresql, tcp,5432,s0) +network_port(postgrey, tcp,60000,s0) +network_port(prelude, tcp,4690,s0, udp,4690,s0) +network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) +network_port(printer, tcp,515,s0) +network_port(ptal, tcp,5703,s0) +network_port(pulseaudio, tcp,4713,s0) +network_port(puppet, tcp, 8140, s0) +network_port(pxe, udp,4011,s0) +network_port(pyzor, udp,24441,s0) +network_port(radacct, udp,1646,s0, udp,1813,s0) +network_port(radius, udp,1645,s0, udp,1812,s0) +network_port(radsec, tcp,2083,s0) +network_port(razor, tcp,2703,s0) +network_port(ricci, tcp,11111,s0, udp,11111,s0) +network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) +network_port(rlogind, tcp,513,s0) +network_port(rndc, tcp,953,s0) +network_port(router, udp,520-521,s0, tcp,521,s0) +network_port(rsh, tcp,514,s0) +network_port(rsync, tcp,873,s0, udp,873,s0) +network_port(rwho, udp,513,s0) +network_port(sap, tcp,9875,s0, udp,9875,s0) +network_port(sametime, tcp,1533,s0, udp,1533,s0) +network_port(sieve, tcp,4190,s0) +network_port(sip, tcp,5060-5061,s0, udp,5060-5061,s0) +network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0) +network_port(smbd, tcp,137-139,s0, tcp,445,s0) +network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) +network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0) +type socks_port_t, port_type; dnl network_port(socks) # no defined portcon +network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) +network_port(spamd, tcp,783,s0) +network_port(speech, tcp,8036,s0) +network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, 
tcp,4827,s0) # snmp and htcp +network_port(ssh, tcp,22,s0) +network_port(streaming, tcp, 1755, s0, udp, 1755, s0) +type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict +network_port(swat, tcp,901,s0) +network_port(sype, tcp,9911,s0, udp,9911,s0) +network_port(syslogd, udp,514,s0) +network_port(telnetd, tcp,23,s0) +network_port(tftp, udp,69,s0) +network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) +network_port(traceroute, udp,64000-64010,s0) +network_port(transproxy, tcp,8081,s0) +network_port(ups, tcp,3493,s0) +type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon +network_port(uucpd, tcp,540,s0) +network_port(varnishd, tcp,6081-6082,s0) +network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) +network_port(virt_migration, tcp,49152-49216,s0) +network_port(vnc, tcp,5900-5999,s0) +network_port(wccp, udp,2048,s0) +network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) +network_port(xdmcp, udp,177,s0, tcp,177,s0) +network_port(xen, tcp,8002,s0) +network_port(xfs, tcp,7100,s0) +network_port(xserver, tcp,6000-6150,s0) +network_port(zarafa, tcp,236,s0) +network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) +network_port(zope, tcp,8021,s0) + +# Defaults for reserved ports. Earlier portcon entries take precedence; +# these entries just cover any remaining reserved ports not otherwise declared. + +portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) +portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) + +######################################## +# +# Network nodes +# + +# +# node_t is the default type of network nodes. +# The node_*_t types are used for specific network +# nodes in net_contexts or net_contexts.mls. 
+# +type node_t, node_type; +typealias node_t alias { compat_ipv4_node_t lo_node_t link_local_node_t inaddr_any_node_t unspec_node_t }; +sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh) + +# network_node examples: +#network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255) +#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) + +######################################## +# +# Network Interfaces +# + +# +# netif_t is the default type of network interfaces. +# +type netif_t, netif_type; +sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) + +build_option(`enable_mls',` +network_interface(lo, lo, s0 - mls_systemhigh) +',` +typealias netif_t alias { lo_netif_t netif_lo_t }; +') + +######################################## +# +# Unconfined access to this module +# + +allow corenet_unconfined_type node_type:node *; +allow corenet_unconfined_type netif_type:netif *; +allow corenet_unconfined_type packet_type:packet *; +allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect }; +allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; + +# Bind to any network address. +allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind; +allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4 new file mode 100644 index 0000000..35fed4f --- /dev/null +++ b/policy/modules/kernel/corenetwork.te.m4 
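Review bot: several network_port calls carry stray whitespace inside their arguments, e.g. `tcp, 546,s0` for dhcpc, `tcp, 1161, s0` for snmp and `tcp, 4321, s0 , udp, 4321, s0 )` for whois; m4 strips leading but not trailing whitespace from an argument, so in the whois case the level reaching gen_context is `s0 ` with a trailing space. Normalise these to the `proto,port,level` form used by the rest of the list so the generated portcon statements are uniform. Also, the `type foo_port_t, port_type; dnl network_port(foo) # no defined portcon` lines put the explanation after dnl, so it is discarded at expansion time and never reaches the generated .te; a plain `#` comment on its own line would keep the reason visible in the output.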
@@ -0,0 +1,105 @@ +# +# shiftn(num,list...) +# +# shift the list num times +# +define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')') + +# +# range_start(num) +# +# return the low port in a range. +# +# range_start(600) returns "600" +# range_start(1200-1600) returns "1200" +# +define(`range_start',`ifelse(-1,index(`$1', `-'),$1,substr($1,0,index(`$1', `-')))') + +# +# build_option(option_name,true,[false]) +# +# makes an ifdef. hacky quoting changes because with +# regular quoting, the macros in $2 and $3 will not be expanded +# +define(`build_option',`dnl +changequote([,])dnl +[ifdef(`$1',`] +changequote(`,')dnl +$2 +changequote([,])dnl +[',`] +changequote(`,')dnl +$3 +changequote([,])dnl +[')] +changequote(`,')dnl +') + +define(`declare_netifs',`dnl +netifcon $2 gen_context(system_u:object_r:$1,$3) gen_context(system_u:object_r:unlabeled_t,$3) +ifelse(`$4',`',`',`declare_netifs($1,shiftn(3,$*))')dnl +') + +# +# network_interface(if_name,linux_interface,mls_sensitivity) +# +define(`network_interface',` +gen_require(``type unlabeled_t;'') +type $1_netif_t alias netif_$1_t, netif_type; +declare_netifs($1_netif_t,shift($*)) +') + +define(`network_interface_controlled',` +ifdef(`__network_enabled_declared__',`',` +## <desc> +## <p> +## Enable network traffic on all controlled interfaces. 
+## </p> +## </desc> +gen_bool(network_enabled, true) +define(`__network_enabled_declared__') +') +gen_require(``type unlabeled_t;'') +type $1_netif_t alias netif_$1_t, netif_type; +declare_netifs($1_netif_t,shift($*)) +') + +define(`declare_nodes',`dnl +nodecon $3 $4 gen_context(system_u:object_r:$1,$2) +ifelse(`$5',`',`',`declare_nodes($1,shiftn(4,$*))')dnl +') + +# +# network_node(node_name,mls_sensitivity,address,netmask[, mls_sensitivity,address,netmask, [...]]) +# +define(`network_node',` +type $1_node_t alias node_$1_t, node_type; +declare_nodes($1_node_t,shift($*)) +') + +# bindresvport in glibc starts searching for reserved ports at 512 +define(`declare_ports',`dnl +ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type; +ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl') +',`dnl') +portcon $2 $3 gen_context(system_u:object_r:$1,$4) +ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl +') + +# +# network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]]) +# +define(`network_port',` +type $1_port_t, port_type; +type $1_client_packet_t, packet_type, client_packet_type; +type $1_server_packet_t, packet_type, server_packet_type; +declare_ports($1_port_t,shift($*))dnl +') + +# +# network_packet(packet_name) +# +define(`network_packet',` +type $1_client_packet_t, packet_type, client_packet_type; +type $1_server_packet_t, packet_type, server_packet_type; +') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc new file mode 100644 index 0000000..7c29e17 --- /dev/null +++ b/policy/modules/kernel/devices.fc 
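Review bot: the header comment for network_interface here gives three parameters, `(if_name,linux_interface,mls_sensitivity)`, while the corenetwork.if.m4 copy of the same macro is documented as `network_interface(linux_interfacename,mls_sensitivity)`; the corenetwork.te.in call `network_interface(lo, lo, s0 - mls_systemhigh)` passes three, so the .if.m4 comment should be brought in line. In declare_ports the `typeattribute $1 reserved_port_type;` (and rpc_port_type) statement is emitted once per protocol/port triple, so a port declared for both tcp and udp below 1024 (dns, kerberos, ldap, ...) produces the same typeattribute statement twice; harmless if the compiler tolerates duplicates, but worth deduplicating or documenting. The `# bindresvport in glibc ...` comment explains the 512 threshold for rpc_port_type, not the 1024 one for reserved_port_type; saying so explicitly would make the two ifelse branches easier to follow.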
@@ -0,0 +1,198 @@ + +/dev -d gen_context(system_u:object_r:device_t,s0) +/dev/.* gen_context(system_u:object_r:device_t,s0) + +/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0) +/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/(misc/)?agpgart -c gen_context(system_u:object_r:agp_device_t,s0) +/dev/aload.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/amidi.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/amixer.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/apm_bios -c gen_context(system_u:object_r:apm_bios_t,s0) +/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) +/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0) +/dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) +/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/etherd/.+ -c gen_context(system_u:object_r:lvm_control_t,s0) +/dev/event.* -c gen_context(system_u:object_r:event_device_t,s0) +/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) +/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) +/dev/full -c gen_context(system_u:object_r:null_device_t,s0) 
+/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0) +/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0) +/dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) +/dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0) +/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) +/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) +/dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) +/dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0) +/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) +/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) +/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) +/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) +/dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0) +/dev/ksm -c gen_context(system_u:object_r:ksm_device_t,s0) +/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0) +/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0) +/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0) +/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) +/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) +/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/mergemem -c 
gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0) +/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/misc/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0) +/dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) +/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) +/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) +/dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0) +/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) +/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0) +/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) +/dev/null -c gen_context(system_u:object_r:null_device_t,s0) +/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) +/dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) +/dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/pc110pad -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0) +/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) +/dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0) +/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/rmidi.* -c 
gen_context(system_u:object_r:sound_device_t,s0) +/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) +/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/random -c gen_context(system_u:object_r:random_device_t,s0) +/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/rfkill -c gen_context(system_u:object_r:wireless_device_t,s0) +/dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0) +/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/smu -c gen_context(system_u:object_r:power_device_t,s0) +/dev/srnd[0-7] -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0) +/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) +/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) +/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0) +/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) +/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) +/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) +/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) +/dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0) +ifdef(`distro_suse', ` +/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) +') +/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) +/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/vmmon -c 
gen_context(system_u:object_r:vmware_device_t,s0) +/dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) +/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0) +/dev/winradio. -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0) +/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) + +/dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) + +/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) + +/dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) +/dev/cpu.* -c gen_context(system_u:object_r:cpu_device_t,s0) +/dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0) + +/dev/biometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0) + +/dev/dri/.+ -c gen_context(system_u:object_r:dri_device_t,s0) + +/dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0) + +/dev/input/.* -c gen_context(system_u:object_r:event_device_t,s0) +/dev/input/m.* -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/input/keyboard.* -c gen_context(system_u:object_r:event_device_t,s0) +/dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0) +/dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0) + +/dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) + +/dev/mfpports/.* -c gen_context(system_u:object_r:printer_device_t,s0) + 
+/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + +/dev/mqueue(/.*)? <<none>> +/dev/pts(/.*)? <<none>> + +/dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) + +/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) + +/dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) +/dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) +/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) +/dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) + +/dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0) +/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) + +/etc/udev/devices -d gen_context(system_u:object_r:device_t,s0) + +/lib/udev/devices(/.*) gen_context(system_u:object_r:device_t,s0) + +# used by init scripts to initally populate udev /dev +/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) +/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) + +ifdef(`distro_redhat',` +# originally from named.fc +/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0) +/var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0) +/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) +/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) +') + +# +# /sys +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if new file mode 100644 index 0000000..3fb8756 --- /dev/null +++ b/policy/modules/kernel/devices.if 
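Review bot: `/dev/winradio. -c` uses a bare `.`, which matches exactly one character after `winradio`, unlike the `.*` suffix on the neighbouring entries (`/dev/video.*`, `/dev/vtx.*`); if multiple winradio devices are meant, `/dev/winradio.*` is probably intended. Similarly `/lib/udev/devices(/.*)` lacks the `?` that `/sys(/.*)?` and `/dev/mqueue(/.*)?` carry, so the /lib/udev/devices directory itself is not covered by that line (compare the `/etc/udev/devices -d` entry just above, which does label its directory). Minor: "initally" in the udev comment should be "initially".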
@@ -0,0 +1,4695 @@ +## <summary> +## Device nodes and interfaces for many basic system devices. +## </summary> +## <desc> +## <p> +## This module creates the device node concept and provides +## the policy for many of the device files. Notable exceptions are +## the mass storage and terminal devices that are covered by other +## modules. +## </p> +## <p> +## This module creates the concept of a device node. That is a +## char or block device file, usually in /dev. All types that +## are used to label device nodes should use the dev_node macro. +## </p> +## <p> +## Additionally, this module controls access to three things: +## <ul> +## <li>the device directories containing device nodes</li> +## <li>device nodes as a group</li> +## <li>individual access to specific device nodes covered by +## this module.</li> +## </ul> +## </p> +## </desc> +## <required val="true"> +## Depended on by other required modules. +## </required> + +######################################## +## <summary> +## Make the specified type usable for device +## nodes in a filesystem. +## </summary> +## <desc> +## <p> +## Make the specified type usable for device nodes +## in a filesystem. Types used for device nodes that +## do not use this interface, or an interface that +## calls this one, will have unexpected behaviors +## while the system is running. +## </p> +## <p> +## Example: +## </p> +## <p> +## type mydev_t; +## dev_node(mydev_t) +## allow mydomain_t mydev_t:chr_file read_chr_file_perms; +## </p> +## <p> +## Related interfaces: +## </p> +## <ul> +## <li>term_tty()</li> +## <li>term_pty()</li> +## </ul> +## </desc> +## <param name="type"> +## <summary> +## Type to be used for device nodes. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`dev_node',` + gen_require(` + attribute device_node; + ') + + typeattribute $1 device_node; +') + +######################################## +## <summary> +## Associate the specified file type with device filesystem. 
+## </summary> +## <param name="file_type"> +## <summary> +## The type of the file to be associated. +## </summary> +## </param> +# +interface(`dev_associate',` + gen_require(` + type device_t; + ') + + allow $1 device_t:filesystem associate; + fs_associate_tmpfs($1) #For backwards compatibility +') + +######################################## +## <summary> +## Mount a filesystem on /dev +## </summary> +## <param name="domain"> +## <summary> +## Domain allow access. +## </summary> +## </param> +# +interface(`dev_mounton',` + gen_require(` + type device_t; + ') + + allow $1 device_t:dir mounton; +') + +######################################## +## <summary> +## Allow full relabeling (to and from) of all device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`dev_relabel_all_dev_nodes',` + gen_require(` + attribute device_node; + type device_t; + ') + + relabelfrom_dirs_pattern($1, device_t, device_node) + relabelfrom_files_pattern($1, device_t, device_node) + relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) + relabelfrom_fifo_files_pattern($1, device_t, device_node) + relabelfrom_sock_files_pattern($1, device_t, device_node) + relabel_blk_files_pattern($1, device_t, { device_t device_node }) + relabel_chr_files_pattern($1, device_t, { device_t device_node }) +') + +######################################## +## <summary> +## List all of the device nodes in a device directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_list_all_dev_nodes',` + gen_require(` + type device_t; + ') + + list_dirs_pattern($1, device_t, device_t) + read_lnk_files_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Set the attributes of /dev directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_setattr_generic_dirs',` + gen_require(` + type device_t; + ') + + setattr_dirs_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Dontaudit attempts to list all device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_list_all_dev_nodes',` + gen_require(` + type device_t; + ') + + dontaudit $1 device_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Add entries to directories in /dev. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_add_entry_generic_dirs',` + gen_require(` + type device_t; + ') + + allow $1 device_t:dir add_entry_dir_perms; +') + +######################################## +## <summary> +## Add entries to directories in /dev. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_remove_entry_generic_dirs',` + gen_require(` + type device_t; + ') + + allow $1 device_t:dir del_entry_dir_perms; +') + +######################################## +## <summary> +## Create a directory in the device directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_create_generic_dirs',` + gen_require(` + type device_t; + ') + + allow $1 device_t:dir list_dir_perms; + create_dirs_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Delete a directory in the device directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_delete_generic_dirs',` + gen_require(` + type device_t; + ') + + delete_dirs_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Manage of directories in /dev. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_manage_generic_dirs',` + gen_require(` + type device_t; + ') + + manage_dirs_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Allow full relabeling (to and from) of directories in /dev. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_relabel_generic_dev_dirs',` + gen_require(` + type device_t; + ') + + relabel_dirs_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## dontaudit getattr generic files in /dev. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_getattr_generic_files',` + gen_require(` + type device_t; + ') + + dontaudit $1 device_t:file getattr; +') + +######################################## +## <summary> +## read generic files in /dev. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_read_generic_files',` + gen_require(` + type device_t; + ') + + read_files_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Read and write generic files in /dev. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_generic_files',` + gen_require(` + type device_t; + ') + + rw_files_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Delete generic files in /dev. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_delete_generic_files',` + gen_require(` + type device_t; + ') + + delete_files_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Create a file in the device directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_manage_generic_files',` + gen_require(` + type device_t; + ') + + manage_files_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Dontaudit getattr on generic pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_getattr_generic_pipes',` + gen_require(` + type device_t; + ') + + dontaudit $1 device_t:fifo_file getattr; +') + +######################################## +## <summary> +## Allow getattr on generic block devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_generic_blk_files',` + gen_require(` + type device_t; + ') + + getattr_blk_files_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Dontaudit getattr on generic block devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_getattr_generic_blk_files',` + gen_require(` + type device_t; + ') + + dontaudit $1 device_t:blk_file getattr; +') + +######################################## +## <summary> +## Dontaudit setattr on generic block devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`dev_dontaudit_setattr_generic_blk_files',` + gen_require(` + type device_t; + ') + + dontaudit $1 device_t:blk_file setattr; +') + +######################################## +## <summary> +## Create generic block device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_create_generic_blk_files',` + gen_require(` + type device_t; + ') + + create_blk_files_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Delete generic block device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_delete_generic_blk_files',` + gen_require(` + type device_t; + ') + + delete_blk_files_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Allow getattr for generic character device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_generic_chr_files',` + gen_require(` + type device_t; + ') + + getattr_chr_files_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Allow relablefrom for generic character device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_relabelfrom_generic_chr_files',` + gen_require(` + type device_t; + ') + + allow $1 device_t:chr_file relabelfrom; +') + +######################################## +## <summary> +## Dontaudit getattr for generic character device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`dev_dontaudit_getattr_generic_chr_files',` + gen_require(` + type device_t; + ') + + dontaudit $1 device_t:chr_file getattr; +') + +######################################## +## <summary> +## Dontaudit setattr for generic character device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_setattr_generic_chr_files',` + gen_require(` + type device_t; + ') + + dontaudit $1 device_t:chr_file setattr; +') + +######################################## +## <summary> +## Read generic character device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_generic_chr_files',` + gen_require(` + type device_t; + ') + + allow $1 device_t:chr_file read_chr_file_perms; +') + +######################################## +## <summary> +## Read and write generic character device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_generic_chr_files',` + gen_require(` + type device_t; + ') + + allow $1 device_t:chr_file rw_chr_file_perms; +') + +######################################## +## <summary> +## Read and write generic block device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_generic_blk_files',` + gen_require(` + type device_t; + ') + + allow $1 device_t:blk_file rw_chr_file_perms; +') + +######################################## +## <summary> +## Dontaudit attempts to read/write generic character device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to dontaudit access. 
+## </summary> +## </param> +# +interface(`dev_dontaudit_rw_generic_chr_files',` + gen_require(` + type device_t; + ') + + dontaudit $1 device_t:chr_file rw_chr_file_perms; +') + +######################################## +## <summary> +## Create generic character device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_create_generic_chr_files',` + gen_require(` + type device_t; + ') + + create_chr_files_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Delete generic character device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_delete_generic_chr_files',` + gen_require(` + type device_t; + ') + + delete_chr_files_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Do not audit attempts to set the attributes +## of symbolic links in device directories (/dev). +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_setattr_generic_symlinks',` + gen_require(` + type device_t; + ') + + dontaudit $1 device_t:lnk_file setattr; +') + +######################################## +## <summary> +## Create symbolic links in device directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_create_generic_symlinks',` + gen_require(` + type device_t; + ') + + create_lnk_files_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Delete symbolic links in device directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_delete_generic_symlinks',` + gen_require(` + type device_t; + ') + + delete_lnk_files_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Read symbolic links in device directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_generic_symlinks',` + gen_require(` + type device_t; + ') + + allow $1 device_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Create, delete, read, and write symbolic links in device directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_manage_generic_symlinks',` + gen_require(` + type device_t; + ') + + manage_lnk_files_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Relabel symbolic links in device directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_relabel_generic_symlinks',` + gen_require(` + type device_t; + ') + + relabel_lnk_files_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Create, delete, read, and write device nodes in device directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_manage_all_dev_nodes',` + gen_require(` + attribute device_node, memory_raw_read, memory_raw_write; + type device_t; + ') + + manage_dirs_pattern($1, device_t, device_t) + manage_sock_files_pattern($1, device_t, device_t) + manage_lnk_files_pattern($1, device_t, device_t) + manage_chr_files_pattern($1, device_t, { device_t device_node }) + manage_blk_files_pattern($1, device_t, { device_t device_node }) + relabel_dirs_pattern($1, device_t, device_t) + relabel_chr_files_pattern($1, device_t, { device_t device_node }) + relabel_blk_files_pattern($1, device_t, { device_t device_node }) + + # these next rules are to satisfy assertions broken by the above lines. + # the permissions hopefully can be cut back a lot + storage_raw_read_fixed_disk($1) + storage_raw_write_fixed_disk($1) + storage_read_scsi_generic($1) + storage_write_scsi_generic($1) + + typeattribute $1 memory_raw_read; + typeattribute $1 memory_raw_write; +') + +######################################## +## <summary> +## Dontaudit getattr for generic device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_rw_generic_dev_nodes',` + gen_require(` + type device_t; + ') + + dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl }; +') + +######################################## +## <summary> +## Create, delete, read, and write block device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_manage_generic_blk_files',` + gen_require(` + type device_t; + ') + + manage_blk_files_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Create, delete, read, and write character device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_manage_generic_chr_files',` + gen_require(` + type device_t; + ') + + manage_chr_files_pattern($1, device_t, device_t) +') + +######################################## +## <summary> +## Create, read, and write device nodes. The node +## will be transitioned to the type provided. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="file"> +## <summary> +## Type to which the created node will be transitioned. +## </summary> +## </param> +## <param name="objectclass(es)"> +## <summary> +## Object class(es) (single or set including {}) for which this +## the transition will occur. +## </summary> +## </param> +# +interface(`dev_filetrans',` + gen_require(` + type device_t; + ') + + filetrans_pattern($1, device_t, $2, $3) + + dev_associate($2) + files_associate_tmp($2) +') + +######################################## +## <summary> +## Create, read, and write device nodes. The node +## will be transitioned to the type provided. This is +## a temporary interface until devtmpfs functionality +## fixed. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="objectclass(es)"> +## <summary> +## Object class(es) (single or set including {}) for which this +## the transition will occur. +## </summary> +## </param> +# +interface(`dev_tmpfs_filetrans_dev',` + gen_require(` + type device_t; + ') + + fs_tmpfs_filetrans($1, device_t, $2) +') + +######################################## +## <summary> +## Getattr on all block file device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`dev_getattr_all_blk_files',` + gen_require(` + attribute device_node; + type device_t; + ') + + getattr_blk_files_pattern($1, device_t, device_node) +') + +######################################## +## <summary> +## Dontaudit getattr on all block file device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_getattr_all_blk_files',` + gen_require(` + attribute device_node; + type device_t; + ') + + dontaudit $1 { device_t device_node }:blk_file getattr; +') + +######################################## +## <summary> +## Getattr on all character file device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`dev_getattr_all_chr_files',` + gen_require(` + attribute device_node; + ') + + getattr_chr_files_pattern($1, device_t, device_node) +') + +######################################## +## <summary> +## Dontaudit getattr on all character file device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_getattr_all_chr_files',` + gen_require(` + attribute device_node; + type device_t; + ') + + dontaudit $1 { device_t device_node }:chr_file getattr; +') + +######################################## +## <summary> +## Setattr on all block file device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`dev_setattr_all_blk_files',` + gen_require(` + attribute device_node; + ') + + setattr_blk_files_pattern($1, device_t, device_node) +') + +######################################## +## <summary> +## Setattr on all character file device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`dev_setattr_all_chr_files',` + gen_require(` + attribute device_node; + ') + + setattr_chr_files_pattern($1, device_t, device_node) +') + +######################################## +## <summary> +## Dontaudit read on all block file device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_read_all_blk_files',` + gen_require(` + attribute device_node; + ') + + dontaudit $1 device_node:blk_file { getattr read }; +') + +######################################## +## <summary> +## Dontaudit write on all block file device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_write_all_blk_files',` + gen_require(` + attribute device_node; + ') + + dontaudit $1 device_node:blk_file write; +') + +######################################## +## <summary> +## Dontaudit read on all character file device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_read_all_chr_files',` + gen_require(` + attribute device_node; + ') + + dontaudit $1 device_node:chr_file { getattr read }; +') + +######################################## +## <summary> +## Dontaudit write on all character file device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_write_all_chr_files',` + gen_require(` + attribute device_node; + ') + + dontaudit $1 device_node:chr_file write; +') + +######################################## +## <summary> +## Create all block device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_create_all_blk_files',` + gen_require(` + attribute device_node; + ') + + create_blk_files_pattern($1, device_t, device_node) +') + +######################################## +## <summary> +## Create all character device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_create_all_chr_files',` + gen_require(` + attribute device_node; + ') + + create_chr_files_pattern($1, device_t, device_node) +') + +######################################## +## <summary> +## rw all inherited character device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_all_inherited_chr_files',` + gen_require(` + attribute device_node; + ') + + allow $1 device_node:chr_file rw_inherited_chr_file_perms; +') + +######################################## +## <summary> +## rw all inherited blk device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_all_inherited_blk_files',` + gen_require(` + attribute device_node; + ') + + allow $1 device_node:blk_file rw_inherited_blk_file_perms; +') + +######################################## +## <summary> +## Delete all block device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_delete_all_blk_files',` + gen_require(` + attribute device_node; + ') + + delete_blk_files_pattern($1, device_t, device_node) +') + +######################################## +## <summary> +## Delete all character device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_delete_all_chr_files',` + gen_require(` + attribute device_node; + ') + + delete_chr_files_pattern($1, device_t, device_node) +') + +######################################## +## <summary> +## Rename all block device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rename_all_blk_files',` + gen_require(` + attribute device_node; + ') + + rename_blk_files_pattern($1, device_t, device_node) +') + +######################################## +## <summary> +## Rename all character device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rename_all_chr_files',` + gen_require(` + attribute device_node; + ') + + rename_chr_files_pattern($1, device_t, device_node) +') + +######################################## +## <summary> +## Read, write, create, and delete all block device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_manage_all_blk_files',` + gen_require(` + attribute device_node; + ') + + manage_blk_files_pattern($1, device_t, device_node) + + # these next rules are to satisfy assertions broken by the above lines. + storage_raw_read_fixed_disk($1) + storage_raw_write_fixed_disk($1) + storage_read_scsi_generic($1) + storage_write_scsi_generic($1) +') + +######################################## +## <summary> +## Read, write, create, and delete all character device files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_manage_all_chr_files',` + gen_require(` + attribute device_node, memory_raw_read, memory_raw_write; + ') + + manage_chr_files_pattern($1, device_t, device_node) + + typeattribute $1 memory_raw_read, memory_raw_write; +') + +######################################## +## <summary> +## Getattr the agp devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_agp_dev',` + gen_require(` + type device_t, agp_device_t; + ') + + getattr_chr_files_pattern($1, device_t, agp_device_t) +') + +######################################## +## <summary> +## Read and write the agp devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_agp',` + gen_require(` + type device_t, agp_device_t; + ') + + rw_chr_files_pattern($1, device_t, agp_device_t) +') + +######################################## +## <summary> +## Get the attributes of the apm bios device node. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_apm_bios_dev',` + gen_require(` + type device_t, apm_bios_t; + ') + + getattr_chr_files_pattern($1, device_t, apm_bios_t) +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes of +## the apm bios device node. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_getattr_apm_bios_dev',` + gen_require(` + type apm_bios_t; + ') + + dontaudit $1 apm_bios_t:chr_file getattr; +') + +######################################## +## <summary> +## Set the attributes of the apm bios device node. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_setattr_apm_bios_dev',` + gen_require(` + type device_t, apm_bios_t; + ') + + setattr_chr_files_pattern($1, device_t, apm_bios_t) +') + +######################################## +## <summary> +## Do not audit attempts to set the attributes of +## the apm bios device node. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_setattr_apm_bios_dev',` + gen_require(` + type apm_bios_t; + ') + + dontaudit $1 apm_bios_t:chr_file setattr; +') + +######################################## +## <summary> +## Read and write the apm bios. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_apm_bios',` + gen_require(` + type device_t, apm_bios_t; + ') + + rw_chr_files_pattern($1, device_t, apm_bios_t) +') + +######################################## +## <summary> +## Get the attributes of the autofs device node. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_autofs_dev',` + gen_require(` + type device_t, autofs_device_t; + ') + + getattr_chr_files_pattern($1, device_t, autofs_device_t) +') + +######################################## +## <summary> +## Relable the autofs device node. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_relabel_autofs_dev',` + gen_require(` + type autofs_device_t; + ') + + allow $1 autofs_device_t:chr_file relabel_chr_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes of +## the autofs device node. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`dev_dontaudit_getattr_autofs_dev',` + gen_require(` + type autofs_device_t; + ') + + dontaudit $1 autofs_device_t:chr_file getattr; +') + +######################################## +## <summary> +## Set the attributes of the autofs device node. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_autofs_dev',` + gen_require(` + type device_t, autofs_device_t; + ') + + setattr_chr_files_pattern($1, device_t, autofs_device_t) +') + +######################################## +## <summary> +## Do not audit attempts to set the attributes of +## the autofs device node. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_setattr_autofs_dev',` + gen_require(` + type autofs_device_t; + ') + + dontaudit $1 autofs_device_t:chr_file setattr; +') + +######################################## +## <summary> +## Read and write the autofs device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_autofs',` + gen_require(` + type device_t, autofs_device_t; + ') + + rw_chr_files_pattern($1, device_t, autofs_device_t) +') + +######################################## +## <summary> +## Read and write the PCMCIA card manager device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_cardmgr',` + gen_require(` + type cardmgr_dev_t; + ') + + rw_chr_files_pattern($1, device_t, cardmgr_dev_t) +') + +######################################## +## <summary> +## Do not audit attempts to read and +## write the PCMCIA card manager device. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`dev_dontaudit_rw_cardmgr',` + gen_require(` + type cardmgr_dev_t; + ') + + dontaudit $1 cardmgr_dev_t:chr_file { read write }; +') + +######################################## +## <summary> +## Create, read, write, and delete +## the PCMCIA card manager device +## with the correct type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_create_cardmgr_dev',` + gen_require(` + type device_t, cardmgr_dev_t; + ') + + create_chr_files_pattern($1, device_t, cardmgr_dev_t) + create_blk_files_pattern($1, device_t, cardmgr_dev_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## the PCMCIA card manager device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_manage_cardmgr_dev',` + gen_require(` + type device_t, cardmgr_dev_t; + ') + + manage_chr_files_pattern($1, device_t, cardmgr_dev_t) + manage_blk_files_pattern($1, device_t, cardmgr_dev_t) +') + +######################################## +## <summary> +## Automatic type transition to the type +## for PCMCIA card manager device nodes when +## created in /dev. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_filetrans_cardmgr',` + gen_require(` + type device_t, cardmgr_dev_t; + ') + + filetrans_pattern($1, device_t, cardmgr_dev_t, { chr_file blk_file }) +') + +######################################## +## <summary> +## Get the attributes of the CPU +## microcode and id interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_getattr_cpu_dev',` + gen_require(` + type device_t, cpu_device_t; + ') + + getattr_chr_files_pattern($1, device_t, cpu_device_t) +') + +######################################## +## <summary> +## Set the attributes of the CPU +## microcode and id interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_cpu_dev',` + gen_require(` + type device_t, cpu_device_t; + ') + + setattr_chr_files_pattern($1, device_t, cpu_device_t) +') + +######################################## +## <summary> +## Read the CPU identity. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_cpuid',` + gen_require(` + type device_t, cpu_device_t; + ') + + read_chr_files_pattern($1, device_t, cpu_device_t) +') + +######################################## +## <summary> +## Read and write the the CPU microcode device. This +## is required to load CPU microcode. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_cpu_microcode',` + gen_require(` + type device_t, cpu_device_t; + ') + + rw_chr_files_pattern($1, device_t, cpu_device_t) +') + +######################################## +## <summary> +## Read and write the the hardware SSL accelerator. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_crypto',` + gen_require(` + type device_t, crypt_device_t; + ') + + rw_chr_files_pattern($1, device_t, crypt_device_t) +') + +####################################### +## <summary> +## Set the attributes of the dlm control devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_setattr_dlm_control',` + gen_require(` + type device_t, kvm_device_t; + ') + + setattr_chr_files_pattern($1, device_t, dlm_control_device_t) +') + +####################################### +## <summary> +## Read and write the the dlm control device +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_dlm_control',` + gen_require(` + type device_t, dlm_control_device_t; + ') + + rw_chr_files_pattern($1, device_t, dlm_control_device_t) +') + +######################################## +## <summary> +## getattr the dri devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_dri_dev',` + gen_require(` + type device_t, dri_device_t; + ') + + getattr_chr_files_pattern($1, device_t, dri_device_t) +') + +######################################## +## <summary> +## Setattr the dri devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_dri_dev',` + gen_require(` + type device_t, dri_device_t; + ') + + setattr_chr_files_pattern($1, device_t, dri_device_t) +') + +######################################## +## <summary> +## Read and write the dri devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_dri',` + gen_require(` + type device_t, dri_device_t; + ') + + rw_chr_files_pattern($1, device_t, dri_device_t) +') + +######################################## +## <summary> +## Dontaudit read and write on the dri devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`dev_dontaudit_rw_dri',` + gen_require(` + type dri_device_t; + ') + + dontaudit $1 dri_device_t:chr_file rw_chr_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete the dri devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_manage_dri_dev',` + gen_require(` + type device_t, dri_device_t; + ') + + manage_chr_files_pattern($1, device_t, dri_device_t) +') + +######################################## +## <summary> +## Automatic type transition to the type +## for DRI device nodes when created in /dev. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_filetrans_dri',` + gen_require(` + type device_t, dri_device_t; + ') + + filetrans_pattern($1, device_t, dri_device_t, chr_file) +') + +######################################## +## <summary> +## Get the attributes of the event devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_input_dev',` + gen_require(` + type device_t, event_device_t; + ') + + allow $1 device_t:dir list_dir_perms; + allow $1 event_device_t:chr_file getattr; +') + +######################################## +## <summary> +## Set the attributes of the event devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_input_dev',` + gen_require(` + type device_t, event_device_t; + ') + + allow $1 device_t:dir list_dir_perms; + allow $1 event_device_t:chr_file setattr; +') + +######################################## +## <summary> +## Read input event devices (/dev/input). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_read_input',` + gen_require(` + type device_t, event_device_t; + ') + + read_chr_files_pattern($1, device_t, event_device_t) +') + +######################################## +## <summary> +## Read input event devices (/dev/input). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_input_dev',` + gen_require(` + type device_t, event_device_t; + ') + + rw_chr_files_pattern($1, device_t, event_device_t) +') + +######################################## +## <summary> +## Get the attributes of the framebuffer device node. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_framebuffer_dev',` + gen_require(` + type device_t, framebuf_device_t; + ') + + getattr_chr_files_pattern($1, device_t, framebuf_device_t) +') + +######################################## +## <summary> +## Set the attributes of the framebuffer device node. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_framebuffer_dev',` + gen_require(` + type device_t, framebuf_device_t; + ') + + setattr_chr_files_pattern($1, device_t, framebuf_device_t) +') + +######################################## +## <summary> +## Dot not audit attempts to set the attributes +## of the framebuffer device node. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_setattr_framebuffer_dev',` + gen_require(` + type framebuf_device_t; + ') + + dontaudit $1 framebuf_device_t:chr_file setattr; +') + +######################################## +## <summary> +## Read the framebuffer. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_read_framebuffer',` + gen_require(` + type framebuf_device_t; + ') + + read_chr_files_pattern($1, device_t, framebuf_device_t) +') + +######################################## +## <summary> +## Do not audit attempts to read the framebuffer. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_read_framebuffer',` + gen_require(` + type framebuf_device_t; + ') + + dontaudit $1 framebuf_device_t:chr_file { getattr read }; +') + +######################################## +## <summary> +## Write the framebuffer. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_write_framebuffer',` + gen_require(` + type device_t, framebuf_device_t; + ') + + write_chr_files_pattern($1, device_t, framebuf_device_t) +') + +######################################## +## <summary> +## Read and write the framebuffer. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_framebuffer',` + gen_require(` + type device_t, framebuf_device_t; + ') + + rw_chr_files_pattern($1, device_t, framebuf_device_t) +') + +######################################## +## <summary> +## Read the kernel messages +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_kmsg',` + gen_require(` + type device_t, kmsg_device_t; + ') + + read_chr_files_pattern($1, device_t, kmsg_device_t) +') + +######################################## +## <summary> +## Write to the kernel messages device +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_write_kmsg',` + gen_require(` + type device_t, kmsg_device_t; + ') + + write_chr_files_pattern($1, device_t, kmsg_device_t) +') + +######################################## +## <summary> +## Get the attributes of the ksm devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_ksm_dev',` + gen_require(` + type device_t, ksm_device_t; + ') + + getattr_chr_files_pattern($1, device_t, ksm_device_t) +') + +######################################## +## <summary> +## Set the attributes of the ksm devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_ksm_dev',` + gen_require(` + type device_t, ksm_device_t; + ') + + setattr_chr_files_pattern($1, device_t, ksm_device_t) +') + +######################################## +## <summary> +## Read the ksm devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_ksm',` + gen_require(` + type device_t, ksm_device_t; + ') + + read_chr_files_pattern($1, device_t, ksm_device_t) +') + +######################################## +## <summary> +## Read and write to ksm devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_ksm',` + gen_require(` + type device_t, ksm_device_t; + ') + + rw_chr_files_pattern($1, device_t, ksm_device_t) +') + +######################################## +## <summary> +## Get the attributes of the kvm devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_getattr_kvm_dev',` + gen_require(` + type device_t, kvm_device_t; + ') + + getattr_chr_files_pattern($1, device_t, kvm_device_t) +') + +######################################## +## <summary> +## Set the attributes of the kvm devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_kvm_dev',` + gen_require(` + type device_t, kvm_device_t; + ') + + setattr_chr_files_pattern($1, device_t, kvm_device_t) +') + +######################################## +## <summary> +## Read the kvm devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_kvm',` + gen_require(` + type device_t, kvm_device_t; + ') + + read_chr_files_pattern($1, device_t, kvm_device_t) +') + +######################################## +## <summary> +## Read and write to kvm devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_kvm',` + gen_require(` + type device_t, kvm_device_t; + ') + + rw_chr_files_pattern($1, device_t, kvm_device_t) +') + +###################################### +## <summary> +## Read the lirc device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_lirc',` + gen_require(` + type device_t, lirc_device_t; + ') + + read_chr_files_pattern($1, device_t, lirc_device_t) +') + +###################################### +## <summary> +## Read and write the lirc device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_rw_lirc',` + gen_require(` + type device_t, lirc_device_t; + ') + + rw_chr_files_pattern($1, device_t, lirc_device_t) +') + +###################################### +## <summary> +## Automatic type transition to the type +## for lirc device nodes when created in /dev. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_filetrans_lirc',` + gen_require(` + type device_t, lirc_device_t; + ') + + filetrans_pattern($1, device_t, lirc_device_t, chr_file) +') + +######################################## +## <summary> +## Get the attributes of the lvm comtrol device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_lvm_control',` + gen_require(` + type device_t, lvm_control_t; + ') + + getattr_chr_files_pattern($1, device_t, lvm_control_t) +') + +######################################## +## <summary> +## Read the lvm comtrol device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_lvm_control',` + gen_require(` + type device_t, lvm_control_t; + ') + + read_chr_files_pattern($1, device_t, lvm_control_t) +') + +######################################## +## <summary> +## Read and write the lvm control device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_lvm_control',` + gen_require(` + type device_t, lvm_control_t; + ') + + rw_chr_files_pattern($1, device_t, lvm_control_t) +') + +######################################## +## <summary> +## Do not audit attempts to read and write lvm control device. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`dev_dontaudit_rw_lvm_control',` + gen_require(` + type lvm_control_t; + ') + + dontaudit $1 lvm_control_t:chr_file rw_file_perms; +') + +######################################## +## <summary> +## Delete the lvm control device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_delete_lvm_control_dev',` + gen_require(` + type device_t, lvm_control_t; + ') + + delete_chr_files_pattern($1, device_t, lvm_control_t) +') + +######################################## +## <summary> +## dontaudit getattr raw memory devices (e.g. /dev/mem). +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_getattr_memory_dev',` + gen_require(` + type memory_device_t; + ') + + dontaudit $1 memory_device_t:chr_file getattr; +') + +######################################## +## <summary> +## Read raw memory devices (e.g. /dev/mem). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_raw_memory',` + gen_require(` + type device_t, memory_device_t; + attribute memory_raw_read; + ') + + read_chr_files_pattern($1, device_t, memory_device_t) + + allow $1 self:capability sys_rawio; + typeattribute $1 memory_raw_read; +') + +######################################## +## <summary> +## Do not audit attempts to read raw memory devices +## (e.g. /dev/mem). +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_read_raw_memory',` + gen_require(` + type memory_device_t; + ') + + dontaudit $1 memory_device_t:chr_file read_chr_file_perms; +') + +######################################## +## <summary> +## Write raw memory devices (e.g. /dev/mem). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_write_raw_memory',` + gen_require(` + type device_t, memory_device_t; + attribute memory_raw_write; + ') + + write_chr_files_pattern($1, device_t, memory_device_t) + + allow $1 self:capability sys_rawio; + typeattribute $1 memory_raw_write; +') + +######################################## +## <summary> +## Read and execute raw memory devices (e.g. /dev/mem). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rx_raw_memory',` + gen_require(` + type device_t, memory_device_t; + ') + + dev_read_raw_memory($1) + allow $1 memory_device_t:chr_file execute; +') + +######################################## +## <summary> +## Write and execute raw memory devices (e.g. /dev/mem). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_wx_raw_memory',` + gen_require(` + type device_t, memory_device_t; + ') + + dev_write_raw_memory($1) + allow $1 memory_device_t:chr_file execute; +') + +######################################## +## <summary> +## Get the attributes of miscellaneous devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_misc_dev',` + gen_require(` + type device_t, misc_device_t; + ') + + getattr_chr_files_pattern($1, device_t, misc_device_t) +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of miscellaneous devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_getattr_misc_dev',` + gen_require(` + type misc_device_t; + ') + + dontaudit $1 misc_device_t:chr_file getattr; +') + +######################################## +## <summary> +## Set the attributes of miscellaneous devices. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_misc_dev',` + gen_require(` + type device_t, misc_device_t; + ') + + setattr_chr_files_pattern($1, device_t, misc_device_t) +') + +######################################## +## <summary> +## Do not audit attempts to set the attributes +## of miscellaneous devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_setattr_misc_dev',` + gen_require(` + type misc_device_t; + ') + + dontaudit $1 misc_device_t:chr_file setattr; +') + +######################################## +## <summary> +## Read miscellaneous devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_misc',` + gen_require(` + type device_t, misc_device_t; + ') + + read_chr_files_pattern($1, device_t, misc_device_t) +') + +######################################## +## <summary> +## Write miscellaneous devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_write_misc',` + gen_require(` + type device_t, misc_device_t; + ') + + write_chr_files_pattern($1, device_t, misc_device_t) +') + +######################################## +## <summary> +## Do not audit attempts to read and write miscellaneous devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_dontaudit_rw_misc',` + gen_require(` + type misc_device_t; + ') + + dontaudit $1 misc_device_t:chr_file rw_file_perms; +') + +######################################## +## <summary> +## Get the attributes of the modem devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_getattr_modem_dev',` + gen_require(` + type device_t, modem_device_t; + ') + + getattr_chr_files_pattern($1, device_t, modem_device_t) +') + +######################################## +## <summary> +## Set the attributes of the modem devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_modem_dev',` + gen_require(` + type device_t, modem_device_t; + ') + + setattr_chr_files_pattern($1, device_t, modem_device_t) +') + +######################################## +## <summary> +## Read the modem devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_modem',` + gen_require(` + type device_t, modem_device_t; + ') + + read_chr_files_pattern($1, device_t, modem_device_t) +') + +######################################## +## <summary> +## Read and write to modem devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_modem',` + gen_require(` + type device_t, modem_device_t; + ') + + rw_chr_files_pattern($1, device_t, modem_device_t) +') + +######################################## +## <summary> +## Get the attributes of the mouse devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_mouse_dev',` + gen_require(` + type device_t, mouse_device_t; + ') + + getattr_chr_files_pattern($1, device_t, mouse_device_t) +') + +######################################## +## <summary> +## Set the attributes of the mouse devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_setattr_mouse_dev',` + gen_require(` + type device_t, mouse_device_t; + ') + + setattr_chr_files_pattern($1, device_t, mouse_device_t) +') + +######################################## +## <summary> +## Read the mouse devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_mouse',` + gen_require(` + type device_t, mouse_device_t; + ') + + read_chr_files_pattern($1, device_t, mouse_device_t) +') + +######################################## +## <summary> +## Read and write to mouse devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_mouse',` + gen_require(` + type device_t, mouse_device_t; + ') + + rw_chr_files_pattern($1, device_t, mouse_device_t) +') + +######################################## +## <summary> +## Get the attributes of the memory type range +## registers (MTRR) device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_mtrr_dev',` + gen_require(` + type device_t, mtrr_device_t; + ') + + getattr_files_pattern($1, device_t, mtrr_device_t) + getattr_chr_files_pattern($1, device_t, mtrr_device_t) +') + +######################################## +## <summary> +## Read the memory type range +## registers (MTRR). (Deprecated) +## </summary> +## <desc> +## <p> +## Read the memory type range +## registers (MTRR). This interface has +## been deprecated, dev_rw_mtrr() should be +## used instead. +## </p> +## <p> +## The MTRR device ioctls can be used for +## reading and writing; thus, read access to the +## device cannot be separated from write access. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_read_mtrr',` + refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') + dev_rw_mtrr($1) +') + +######################################## +## <summary> +## Write the memory type range +## registers (MTRR). (Deprecated) +## </summary> +## <desc> +## <p> +## Write the memory type range +## registers (MTRR). This interface has +## been deprecated, dev_rw_mtrr() should be +## used instead. +## </p> +## <p> +## The MTRR device ioctls can be used for +## reading and writing; thus, write access to the +## device cannot be separated from read access. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_write_mtrr',` + refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') + dev_rw_mtrr($1) +') + +######################################## +## <summary> +## Do not audit attempts to write the memory type +## range registers (MTRR). +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_write_mtrr',` + gen_require(` + type mtrr_device_t; + ') + + dontaudit $1 mtrr_device_t:file write; + dontaudit $1 mtrr_device_t:chr_file write; +') + +######################################## +## <summary> +## Read and write the memory type range registers (MTRR). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_mtrr',` + gen_require(` + type device_t, mtrr_device_t; + ') + + rw_files_pattern($1, device_t, mtrr_device_t) + rw_chr_files_pattern($1, device_t, mtrr_device_t) +') + +######################################## +## <summary> +## Get the attributes of the network control device +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_getattr_netcontrol_dev',` + gen_require(` + type device_t, netcontrol_device_t; + ') + + getattr_chr_files_pattern($1, device_t, netcontrol_device_t) +') + +######################################## +## <summary> +## Read the network control identity. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_netcontrol',` + gen_require(` + type device_t, netcontrol_device_t; + ') + + read_chr_files_pattern($1, device_t, netcontrol_device_t) +') + +######################################## +## <summary> +## Read and write the the network control device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_netcontrol',` + gen_require(` + type device_t, netcontrol_device_t; + ') + + rw_chr_files_pattern($1, device_t, netcontrol_device_t) +') + +######################################## +## <summary> +## Get the attributes of the null device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_null_dev',` + gen_require(` + type device_t, null_device_t; + ') + + getattr_chr_files_pattern($1, device_t, null_device_t) +') + +######################################## +## <summary> +## Set the attributes of the null device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_null_dev',` + gen_require(` + type device_t, null_device_t; + ') + + setattr_chr_files_pattern($1, device_t, null_device_t) +') + +######################################## +## <summary> +## Delete the null device (/dev/null). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_delete_null',` + gen_require(` + type device_t, null_device_t; + ') + + delete_chr_files_pattern($1, device_t, null_device_t) +') + +######################################## +## <summary> +## Read and write to the null device (/dev/null). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_null',` + gen_require(` + type device_t, null_device_t; + ') + + rw_chr_files_pattern($1, device_t, null_device_t) +') + +######################################## +## <summary> +## Create the null device (/dev/null). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_create_null_dev',` + gen_require(` + type device_t, null_device_t; + ') + + create_chr_files_pattern($1, device_t, null_device_t) +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of the BIOS non-volatile RAM device. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_getattr_nvram_dev',` + gen_require(` + type nvram_device_t; + ') + + dontaudit $1 nvram_device_t:chr_file getattr; +') + +######################################## +## <summary> +## Read and write BIOS non-volatile RAM. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_nvram',` + gen_require(` + type nvram_device_t; + ') + + rw_chr_files_pattern($1, device_t, nvram_device_t) +') + +######################################## +## <summary> +## Get the attributes of the printer device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_getattr_printer_dev',` + gen_require(` + type device_t, printer_device_t; + ') + + getattr_chr_files_pattern($1, device_t, printer_device_t) +') + +######################################## +## <summary> +## Set the attributes of the printer device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_printer_dev',` + gen_require(` + type device_t, printer_device_t; + ') + + setattr_chr_files_pattern($1, device_t, printer_device_t) +') + +######################################## +## <summary> +## Append the printer device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: added for lpd/checkpc_t +interface(`dev_append_printer',` + gen_require(` + type device_t, printer_device_t; + ') + + append_chr_files_pattern($1, device_t, printer_device_t) +') + +######################################## +## <summary> +## Read and write the printer device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_printer',` + gen_require(` + type device_t, printer_device_t; + ') + + rw_chr_files_pattern($1, device_t, printer_device_t) +') + +######################################## +## <summary> +## Read printk devices (e.g., /dev/kmsg /dev/mcelog) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_printk',` + gen_require(` + type device_t, printk_device_t; + ') + + read_chr_files_pattern($1, device_t, printk_device_t) +') + +######################################## +## <summary> +## Get the attributes of the QEMU +## microcode and id interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_getattr_qemu_dev',` + gen_require(` + type device_t, qemu_device_t; + ') + + getattr_chr_files_pattern($1, device_t, qemu_device_t) +') + +######################################## +## <summary> +## Set the attributes of the QEMU +## microcode and id interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_qemu_dev',` + gen_require(` + type device_t, qemu_device_t; + ') + + setattr_chr_files_pattern($1, device_t, qemu_device_t) +') + +######################################## +## <summary> +## Read the QEMU device +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_qemu',` + gen_require(` + type device_t, qemu_device_t; + ') + + read_chr_files_pattern($1, device_t, qemu_device_t) +') + +######################################## +## <summary> +## Read and write the the QEMU device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_qemu',` + gen_require(` + type device_t, qemu_device_t; + ') + + rw_chr_files_pattern($1, device_t, qemu_device_t) +') + +######################################## +## <summary> +## Read from random number generator +## devices (e.g., /dev/random). +## </summary> +## <desc> +## <p> +## Allow the specified domain to read from random number +## generator devices (e.g., /dev/random). Typically this is +## used in situations when a cryptographically secure random +## number is needed. +## </p> +## <p> +## Related interface: +## </p> +## <ul> +## <li>dev_read_urand()</li> +## </ul> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`dev_read_rand',` + gen_require(` + type device_t, random_device_t; + ') + + read_chr_files_pattern($1, device_t, random_device_t) +') + +######################################## +## <summary> +## Do not audit attempts to read from random +## number generator devices (e.g., /dev/random) +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_read_rand',` + gen_require(` + type random_device_t; + ') + + dontaudit $1 random_device_t:chr_file { getattr read }; +') + +######################################## +## <summary> +## Do not audit attempts to append to random +## number generator devices (e.g., /dev/random) +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_append_rand',` + gen_require(` + type random_device_t; + ') + + dontaudit $1 random_device_t:chr_file append_chr_file_perms; +') + +######################################## +## <summary> +## Write to the random device (e.g., /dev/random). This adds +## entropy used to generate the random data read from the +## random device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_write_rand',` + gen_require(` + type device_t, random_device_t; + ') + + write_chr_files_pattern($1, device_t, random_device_t) +') + +######################################## +## <summary> +## Read the realtime clock (/dev/rtc). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_realtime_clock',` + gen_require(` + type device_t, clock_device_t; + ') + + read_chr_files_pattern($1, device_t, clock_device_t) +') + +######################################## +## <summary> +## Set the realtime clock (/dev/rtc). 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_write_realtime_clock',` + gen_require(` + type device_t, clock_device_t; + ') + + write_chr_files_pattern($1, device_t, clock_device_t) + + allow $1 clock_device_t:chr_file setattr; +') + +######################################## +## <summary> +## Read and set the realtime clock (/dev/rtc). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_realtime_clock',` + dev_read_realtime_clock($1) + dev_write_realtime_clock($1) +') + +######################################## +## <summary> +## Get the attributes of the scanner device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_scanner_dev',` + gen_require(` + type device_t, scanner_device_t; + ') + + getattr_chr_files_pattern($1, device_t, scanner_device_t) +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes of +## the scanner device. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_getattr_scanner_dev',` + gen_require(` + type scanner_device_t; + ') + + dontaudit $1 scanner_device_t:chr_file getattr; +') + +######################################## +## <summary> +## Set the attributes of the scanner device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_scanner_dev',` + gen_require(` + type device_t, scanner_device_t; + ') + + setattr_chr_files_pattern($1, device_t, scanner_device_t) +') + +######################################## +## <summary> +## Do not audit attempts to set the attributes of +## the scanner device. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`dev_dontaudit_setattr_scanner_dev',` + gen_require(` + type scanner_device_t; + ') + + dontaudit $1 scanner_device_t:chr_file setattr; +') + +######################################## +## <summary> +## Read and write the scanner device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_scanner',` + gen_require(` + type device_t, scanner_device_t; + ') + + rw_chr_files_pattern($1, device_t, scanner_device_t) +') + +######################################## +## <summary> +## Get the attributes of the sound devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_sound_dev',` + gen_require(` + type device_t, sound_device_t; + ') + + getattr_chr_files_pattern($1, device_t, sound_device_t) +') + +######################################## +## <summary> +## Set the attributes of the sound devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_sound_dev',` + gen_require(` + type device_t, sound_device_t; + ') + + setattr_chr_files_pattern($1, device_t, sound_device_t) +') + +######################################## +## <summary> +## Read the sound devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_sound',` + gen_require(` + type device_t, sound_device_t; + ') + + read_chr_files_pattern($1, device_t, sound_device_t) +') + +######################################## +## <summary> +## Write the sound devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_write_sound',` + gen_require(` + type device_t, sound_device_t; + ') + + write_chr_files_pattern($1, device_t, sound_device_t) +') + +######################################## +## <summary> +## Read the sound mixer devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_sound_mixer',` + gen_require(` + type device_t, sound_device_t; + ') + + read_chr_files_pattern($1, device_t, sound_device_t) +') + +######################################## +## <summary> +## Write the sound mixer devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_write_sound_mixer',` + gen_require(` + type device_t, sound_device_t; + ') + + write_chr_files_pattern($1, device_t, sound_device_t) +') + +######################################## +## <summary> +## Get the attributes of the the power management device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_power_mgmt_dev',` + gen_require(` + type device_t, power_device_t; + ') + + getattr_chr_files_pattern($1, device_t, power_device_t) +') + +######################################## +## <summary> +## Set the attributes of the the power management device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_power_mgmt_dev',` + gen_require(` + type device_t, power_device_t; + ') + + setattr_chr_files_pattern($1, device_t, power_device_t) +') + +######################################## +## <summary> +## Read and write the the power management device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_rw_power_management',` + gen_require(` + type device_t, power_device_t; + ') + + rw_chr_files_pattern($1, device_t, power_device_t) +') + +######################################## +## <summary> +## Getattr on smartcard devices +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_smartcard_dev',` + gen_require(` + type smartcard_device_t; + ') + + allow $1 smartcard_device_t:chr_file getattr; + +') + +######################################## +## <summary> +## dontaudit getattr on smartcard devices +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_getattr_smartcard_dev',` + gen_require(` + type smartcard_device_t; + ') + + dontaudit $1 smartcard_device_t:chr_file getattr; + +') + +######################################## +## <summary> +## Read and write smartcard devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_smartcard',` + gen_require(` + type device_t, smartcard_device_t; + ') + + rw_chr_files_pattern($1, device_t, smartcard_device_t) +') + +######################################## +## <summary> +## Create, read, write, and delete smartcard devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_manage_smartcard',` + gen_require(` + type device_t, smartcard_device_t; + ') + + manage_chr_files_pattern($1, device_t, smartcard_device_t) +') + +######################################## +## <summary> +## Associate a file to a sysfs filesystem. +## </summary> +## <param name="file_type"> +## <summary> +## The type of the file to be associated to sysfs. 
+## </summary> +## </param> +# +interface(`dev_associate_sysfs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:filesystem associate; +') + +######################################## +## <summary> +## Get the attributes of sysfs directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:dir getattr_dir_perms; +') + +######################################## +## <summary> +## Search the sysfs directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_search_sysfs',` + gen_require(` + type sysfs_t; + ') + + search_dirs_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## <summary> +## Do not audit attempts to search sysfs. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_search_sysfs',` + gen_require(` + type sysfs_t; + ') + + dontaudit $1 sysfs_t:dir search_dir_perms; +') + +######################################## +## <summary> +## List the contents of the sysfs directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_list_sysfs',` + gen_require(` + type sysfs_t; + ') + + list_dirs_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## <summary> +## Write in a sysfs directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: added for cpuspeed +interface(`dev_write_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:dir write; +') + +######################################## +## <summary> +## Read hardware state information. 
+## </summary> +## <desc> +## <p> +## Allow the specified domain to read the contents of +## the sysfs filesystem. This filesystem contains +## information, parameters, and other settings on the +## hardware installed on the system. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`dev_read_sysfs',` + gen_require(` + type sysfs_t; + ') + + read_files_pattern($1, sysfs_t, sysfs_t) + read_lnk_files_pattern($1, sysfs_t, sysfs_t) + + list_dirs_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## <summary> +## Allow caller to modify hardware state information. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_sysfs',` + gen_require(` + type sysfs_t; + ') + + rw_files_pattern($1, sysfs_t, sysfs_t) + read_lnk_files_pattern($1, sysfs_t, sysfs_t) + + list_dirs_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## <summary> +## Allow caller to modify hardware state information. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_manage_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + + manage_dirs_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## <summary> +## Read from pseudo random number generator devices (e.g., /dev/urandom). +## </summary> +## <desc> +## <p> +## Allow the specified domain to read from pseudo random number +## generator devices (e.g., /dev/urandom). Typically this is +## used in situations when a cryptographically secure random +## number is not necessarily needed. One example is the Stack +## Smashing Protector (SSP, formerly known as ProPolice) support +## that may be compiled into programs. 
+## </p> +## <p> +## Related interface: +## </p> +## <ul> +## <li>dev_read_rand()</li> +## </ul> +## <p> +## Related tunable: +## </p> +## <ul> +## <li>global_ssp</li> +## </ul> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`dev_read_urand',` + gen_require(` + type device_t, urandom_device_t; + ') + + read_chr_files_pattern($1, device_t, urandom_device_t) +') + +######################################## +## <summary> +## Do not audit attempts to read from pseudo +## random devices (e.g., /dev/urandom) +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_read_urand',` + gen_require(` + type urandom_device_t; + ') + + dontaudit $1 urandom_device_t:chr_file { getattr read }; +') + +######################################## +## <summary> +## Write to the pseudo random device (e.g., /dev/urandom). This +## sets the random number generator seed. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_write_urand',` + gen_require(` + type device_t, urandom_device_t; + ') + + write_chr_files_pattern($1, device_t, urandom_device_t) +') + +######################################## +## <summary> +## Getattr generic the USB devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_generic_usb_dev',` + gen_require(` + type usb_device_t; + ') + + getattr_chr_files_pattern($1, device_t, usb_device_t) +') + +######################################## +## <summary> +## Setattr generic the USB devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_setattr_generic_usb_dev',` + gen_require(` + type usb_device_t; + ') + + setattr_chr_files_pattern($1, device_t, usb_device_t) +') + +######################################## +## <summary> +## Read generic the USB devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_generic_usb_dev',` + gen_require(` + type usb_device_t; + ') + + read_chr_files_pattern($1, device_t, usb_device_t) +') + +######################################## +## <summary> +## Read and write generic the USB devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_generic_usb_dev',` + gen_require(` + type device_t, usb_device_t; + ') + + rw_chr_files_pattern($1, device_t, usb_device_t) +') + +######################################## +## <summary> +## Read USB monitor devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_usbmon_dev',` + gen_require(` + type device_t, usbmon_device_t; + ') + + read_chr_files_pattern($1, device_t, usbmon_device_t) +') + +######################################## +## <summary> +## Write USB monitor devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_write_usbmon_dev',` + gen_require(` + type device_t, usbmon_device_t; + ') + + write_chr_files_pattern($1, device_t, usbmon_device_t) +') + +######################################## +## <summary> +## Mount a usbfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_mount_usbfs',` + gen_require(` + type usbfs_t; + ') + + allow $1 usbfs_t:filesystem mount; +') + +######################################## +## <summary> +## Associate a file to a usbfs filesystem. +## </summary> +## <param name="file_type"> +## <summary> +## The type of the file to be associated to usbfs. +## </summary> +## </param> +# +interface(`dev_associate_usbfs',` + gen_require(` + type usbfs_t; + ') + + allow $1 usbfs_t:filesystem associate; +') + +######################################## +## <summary> +## Get the attributes of a directory in the usb filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_usbfs_dirs',` + gen_require(` + type usbfs_t; + ') + + allow $1 usbfs_t:dir getattr_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of a directory in the usb filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_getattr_usbfs_dirs',` + gen_require(` + type usbfs_t; + ') + + dontaudit $1 usbfs_t:dir getattr_dir_perms; +') + +######################################## +## <summary> +## Search the directory containing USB hardware information. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_search_usbfs',` + gen_require(` + type usbfs_t; + ') + + search_dirs_pattern($1, usbfs_t, usbfs_t) +') + +######################################## +## <summary> +## Allow caller to get a list of usb hardware. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_list_usbfs',` + gen_require(` + type usbfs_t; + ') + + read_lnk_files_pattern($1, usbfs_t, usbfs_t) + getattr_files_pattern($1, usbfs_t, usbfs_t) + + list_dirs_pattern($1, usbfs_t, usbfs_t) +') + +######################################## +## <summary> +## Set the attributes of usbfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_usbfs_files',` + gen_require(` + type usbfs_t; + ') + + setattr_files_pattern($1, usbfs_t, usbfs_t) + list_dirs_pattern($1, usbfs_t, usbfs_t) +') + +######################################## +## <summary> +## Read USB hardware information using +## the usbfs filesystem interface. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_usbfs',` + gen_require(` + type usbfs_t; + ') + + read_files_pattern($1, usbfs_t, usbfs_t) + read_lnk_files_pattern($1, usbfs_t, usbfs_t) + list_dirs_pattern($1, usbfs_t, usbfs_t) +') + +######################################## +## <summary> +## Allow caller to modify usb hardware configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_usbfs',` + gen_require(` + type usbfs_t; + ') + + list_dirs_pattern($1, usbfs_t, usbfs_t) + rw_files_pattern($1, usbfs_t, usbfs_t) + read_lnk_files_pattern($1, usbfs_t, usbfs_t) +') + +######################################## +## <summary> +## Get the attributes of video4linux devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_video_dev',` + gen_require(` + type device_t, v4l_device_t; + ') + + getattr_chr_files_pattern($1, device_t, v4l_device_t) +') + +###################################### +## <summary> +## Read and write userio device. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_userio_dev',` + gen_require(` + type device_t, userio_device_t; + ') + + rw_chr_files_pattern($1, device_t, userio_device_t) +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of video4linux device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_getattr_video_dev',` + gen_require(` + type v4l_device_t; + ') + + dontaudit $1 v4l_device_t:chr_file getattr; +') + +######################################## +## <summary> +## Set the attributes of video4linux device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_video_dev',` + gen_require(` + type device_t, v4l_device_t; + ') + + setattr_chr_files_pattern($1, device_t, v4l_device_t) +') + +######################################## +## <summary> +## Do not audit attempts to set the attributes +## of video4linux device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dev_dontaudit_setattr_video_dev',` + gen_require(` + type v4l_device_t; + ') + + dontaudit $1 v4l_device_t:chr_file setattr; +') + +######################################## +## <summary> +## Read the video4linux devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_read_video_dev',` + gen_require(` + type device_t, v4l_device_t; + ') + + read_chr_files_pattern($1, device_t, v4l_device_t) +') + +######################################## +## <summary> +## Write the video4linux devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_write_video_dev',` + gen_require(` + type device_t, v4l_device_t; + ') + + write_chr_files_pattern($1, device_t, v4l_device_t) +') + +######################################## +## <summary> +## Allow read/write the vhost net device +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_vhost',` + gen_require(` + type device_t, vhost_device_t; + ') + + rw_chr_files_pattern($1, device_t, vhost_device_t) +') + +######################################## +## <summary> +## Read and write VMWare devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_vmware',` + gen_require(` + type device_t, vmware_device_t; + ') + + rw_chr_files_pattern($1, device_t, vmware_device_t) +') + +######################################## +## <summary> +## Read, write, and mmap VMWare devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rwx_vmware',` + gen_require(` + type device_t, vmware_device_t; + ') + + dev_rw_vmware($1) + allow $1 vmware_device_t:chr_file execute; +') + +######################################## +## <summary> +## Write to watchdog devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_write_watchdog',` + gen_require(` + type device_t, watchdog_device_t; + ') + + write_chr_files_pattern($1, device_t, watchdog_device_t) +') + +######################################## +## <summary> +## Read and write the the wireless device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_rw_wireless',` + gen_require(` + type device_t, wireless_device_t; + ') + + rw_chr_files_pattern($1, device_t, wireless_device_t) +') + +######################################## +## <summary> +## Read and write Xen devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_xen',` + gen_require(` + type device_t, xen_device_t; + ') + + rw_chr_files_pattern($1, device_t, xen_device_t) +') + +######################################## +## <summary> +## Create, read, write, and delete Xen devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_manage_xen',` + gen_require(` + type device_t, xen_device_t; + ') + + manage_chr_files_pattern($1, device_t, xen_device_t) +') + +######################################## +## <summary> +## Automatic type transition to the type +## for xen device nodes when created in /dev. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_filetrans_xen',` + gen_require(` + type device_t, xen_device_t; + ') + + filetrans_pattern($1, device_t, xen_device_t, chr_file) +') + +######################################## +## <summary> +## Get the attributes of X server miscellaneous devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_getattr_xserver_misc_dev',` + gen_require(` + type device_t, xserver_misc_device_t; + ') + + getattr_chr_files_pattern($1, device_t, xserver_misc_device_t) +') + +######################################## +## <summary> +## Set the attributes of X server miscellaneous devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_setattr_xserver_misc_dev',` + gen_require(` + type device_t, xserver_misc_device_t; + ') + + setattr_chr_files_pattern($1, device_t, xserver_misc_device_t) +') + +######################################## +## <summary> +## Read and write X server miscellaneous devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_xserver_misc',` + gen_require(` + type device_t, xserver_misc_device_t; + ') + + rw_chr_files_pattern($1, device_t, xserver_misc_device_t) +') + +######################################## +## <summary> +## Read and write to the zero device (/dev/zero). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_zero',` + gen_require(` + type device_t, zero_device_t; + ') + + rw_chr_files_pattern($1, device_t, zero_device_t) +') + +######################################## +## <summary> +## Read, write, and execute the zero device (/dev/zero). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rwx_zero',` + gen_require(` + type zero_device_t; + ') + + dev_rw_zero($1) + allow $1 zero_device_t:chr_file execute; +') + +######################################## +## <summary> +## Execmod the zero device (/dev/zero). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_execmod_zero',` + gen_require(` + type zero_device_t; + ') + + dev_rw_zero($1) + allow $1 zero_device_t:chr_file execmod; +') + +######################################## +## <summary> +## Create the zero device (/dev/zero). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dev_create_zero_dev',` + gen_require(` + type device_t, zero_device_t; + ') + + create_chr_files_pattern($1, device_t, zero_device_t) +') + +######################################## +## <summary> +## Unconfined access to devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_unconfined',` + gen_require(` + attribute devices_unconfined_type; + ') + + typeattribute $1 devices_unconfined_type; +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te new file mode 100644 index 0000000..20c2d34 --- /dev/null +++ b/policy/modules/kernel/devices.te 
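Review bot: several interfaces in this hunk use device_t in their pattern call without requiring it, which breaks the interface when it is expanded in another module: dev_rw_nvram requires only "type nvram_device_t;" yet expands to "rw_chr_files_pattern($1, device_t, nvram_device_t)", and dev_getattr_generic_usb_dev, dev_setattr_generic_usb_dev and dev_read_generic_usb_dev require only usb_device_t while calling the *_chr_files_pattern macros with device_t; add device_t to those gen_require blocks the way dev_rw_generic_usb_dev already does. Worse, dev_read_printk requires "type device_t, printk_device_t;" but no printk_device_t is declared anywhere in this patch (devices.te below types /dev/kmsg as kmsg_device_t and has no printk type), so any caller of dev_read_printk will fail to link; either declare the type in devices.te or drop the interface. dev_read_sound_mixer and dev_write_sound_mixer are byte-for-byte copies of dev_read_sound and dev_write_sound against the same sound_device_t, so they only add a second name for the same access. On documentation: "Read and write the the QEMU device", "the the power management device" and "the the wireless device" double the article; the three generic USB summaries read "Getattr generic the USB devices"; dev_rw_sysfs and dev_manage_sysfs_dirs carry the identical summary "Allow caller to modify hardware state information." although the latter grants create and delete on sysfs directories; dev_rwx_vmware is summarised as "Read, write, and mmap VMWare devices" but what it grants is chr_file execute. The summaries of dev_write_rand ("This adds entropy used to generate the random data") and dev_write_urand ("This sets the random number generator seed") overstate a plain write(): the data is mixed into the pool but not credited as entropy, which needs the privileged RNDADDENTROPY ioctl; say "mixes data into the pool" instead. dev_write_sysfs_dirs grants only "write" on sysfs_t:dir, which without add_name or remove_name cannot create or unlink anything, so the "cjp: added for cpuspeed" comment should say which operation cpuspeed actually needs or the rule should be dropped. Finally, dev_rwx_zero and dev_execmod_zero hand out execute and execmod on /dev/zero, which lets a domain map writable-then-executable anonymous memory and sidesteps the execmem restriction; a comment naming the intended callers would help reviewers spot misuse.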
@@ -0,0 +1,309 @@ +policy_module(devices, 1.10.2) + +######################################## +# +# Declarations +# + +attribute device_node; +attribute memory_raw_read; +attribute memory_raw_write; +attribute devices_unconfined_type; + +# +# device_t is the type of /dev. +# +type device_t; +fs_associate_tmpfs(device_t) +files_type(device_t) +files_mountpoint(device_t) +files_associate_tmp(device_t) +fs_type(device_t) +fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0); + +# +# Type for /dev/agpgart +# +type agp_device_t; +dev_node(agp_device_t) + +# +# Type for /dev/apm_bios +# +type apm_bios_t; +dev_node(apm_bios_t) + +# +# Type for /dev/autofs +# +type autofs_device_t; +dev_node(autofs_device_t) + +type cardmgr_dev_t; +dev_node(cardmgr_dev_t) +files_tmp_file(cardmgr_dev_t) + +# +# clock_device_t is the type of +# /dev/rtc. +# +type clock_device_t; +dev_node(clock_device_t) + +# +# cpu control devices /dev/cpu/0/* +# +type cpu_device_t; +dev_node(cpu_device_t) + +# for the IBM zSeries z90crypt hardware ssl accelorator +type crypt_device_t; +dev_node(crypt_device_t) + +# +# dlm_misc_device_t is the type of /dev/misc/dlm.* +# +type dlm_control_device_t; +dev_node(dlm_control_device_t) + +type dri_device_t; +dev_node(dri_device_t) + +type event_device_t; +dev_node(event_device_t) + +# +# Type for framebuffer /dev/fb/* +# +type framebuf_device_t; +dev_node(framebuf_device_t) + +# +# Type for /dev/ipmi/0 +# +type ipmi_device_t; +dev_node(ipmi_device_t) + +# +# Type for /dev/kmsg +# +type kmsg_device_t; +dev_node(kmsg_device_t) + +# +# ksm_device_t is the type of /dev/ksm +# +type ksm_device_t; +dev_node(ksm_device_t) + +# +# kvm_device_t is the type of +# /dev/kvm +# +type kvm_device_t; +dev_node(kvm_device_t) +mls_trusted_object(kvm_device_t) + +# +# Type for /dev/lirc +# +type lirc_device_t; +dev_node(lirc_device_t) + +# +# Type for /dev/mapper/control +# +type lvm_control_t; +dev_node(lvm_control_t) + +# +# memory_device_t is the type of /dev/kmem, +# 
/dev/mem and /dev/port. +# +type memory_device_t; +dev_node(memory_device_t) + +neverallow ~{ memory_raw_read devices_unconfined_type } memory_device_t:{ chr_file blk_file } read; +neverallow ~{ memory_raw_write devices_unconfined_type } memory_device_t:{ chr_file blk_file } { append write }; + +type misc_device_t; +dev_node(misc_device_t) + +# +# A general type for modem devices. +# +type modem_device_t; +dev_node(modem_device_t) + +# +# A more general type for mouse devices. +# +type mouse_device_t; +dev_node(mouse_device_t) + +# +# Type for /dev/cpu/mtrr and /proc/mtrr +# +type mtrr_device_t; +dev_node(mtrr_device_t) +genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0) + +# +# network control devices +# +type netcontrol_device_t; +dev_node(netcontrol_device_t) + +# +# null_device_t is the type of /dev/null. +# +type null_device_t; +dev_node(null_device_t) +mls_trusted_object(null_device_t) +sid devnull gen_context(system_u:object_r:null_device_t,s0) + +# +# Type for /dev/nvram +# +type nvram_device_t; +dev_node(nvram_device_t) + +# +# Type for /dev/pmu +# +type power_device_t; +dev_node(power_device_t) + +type printer_device_t; +dev_node(printer_device_t) +mls_file_write_within_range(printer_device_t) + +# +# qemu control devices +# +type qemu_device_t; +dev_node(qemu_device_t) + +# +# random_device_t is the type of /dev/random +# +type random_device_t; +dev_node(random_device_t) + +type scanner_device_t; +dev_node(scanner_device_t) + +# +# Type for smartcards +# +type smartcard_device_t; +dev_node(smartcard_device_t) + +# +# Type for sound devices and mixers +# +type sound_device_t; +dev_node(sound_device_t) + +# +# sysfs_t is the type for the /sys pseudofs +# +type sysfs_t; +files_mountpoint(sysfs_t) +fs_type(sysfs_t) +genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) + +# +# Type for /dev/tpm +# +type tpm_device_t; +dev_node(tpm_device_t) + +# +# urandom_device_t is the type of /dev/urandom +# +type urandom_device_t; 
+dev_node(urandom_device_t) + +# +# usbfs_t is the type for the /proc/bus/usb pseudofs +# +type usbfs_t alias usbdevfs_t; +files_mountpoint(usbfs_t) +fs_noxattr_type(usbfs_t) +genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0) +genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0) + +# +# usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+ +# +type usb_device_t; +dev_node(usb_device_t) + +# +# usb_device_t is the type for /dev/usbmon +# +type usbmon_device_t; +dev_node(usbmon_device_t) + +# +# userio_device_t is the type for /dev/uio[0-9]+ +# +type userio_device_t; +dev_node(userio_device_t) + +type v4l_device_t; +dev_node(v4l_device_t) + +# +# vhost_device_t is the type for /dev/vhost-net +# +type vhost_device_t; +dev_node(vhost_device_t) + +# Type for vmware devices. +type vmware_device_t; +dev_node(vmware_device_t) + +type watchdog_device_t; +dev_node(watchdog_device_t) + +# +# wireless control devices +# +type wireless_device_t; +dev_node(wireless_device_t) + +type xen_device_t; +dev_node(xen_device_t) + +type xserver_misc_device_t; +dev_node(xserver_misc_device_t) + +# +# zero_device_t is the type of /dev/zero. +# +type zero_device_t; +dev_node(zero_device_t) +mls_trusted_object(zero_device_t) + +######################################## +# +# Rules for all device nodes +# + +allow device_node device_t:filesystem associate; + +fs_associate(device_node) +fs_associate_tmpfs(device_node) + +files_associate_tmp(device_node) + +######################################## +# +# Unconfined access to this module +# + +allow devices_unconfined_type self:capability sys_rawio; +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; +allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.fc b/policy/modules/kernel/domain.fc new file mode 100644 index 0000000..7be4ddf --- /dev/null +++ b/policy/modules/kernel/domain.fc @@ -0,0 +1 @@ +# This module currently does not have any file contexts. 
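Review bot: the comment block above `type usbmon_device_t;` reads `# usb_device_t is the type for /dev/usbmon`, a copy of the preceding usb_device_t header; it should name usbmon_device_t so the two comments do not describe the same type. The same mismatch appears in `# dlm_misc_device_t is the type of /dev/misc/dlm.*`, which sits over `type dlm_control_device_t;` (the comment and the declaration disagree on the type name), and the crypt_device_t comment misspells "accelerator" as `accelorator`. These are documentation-only fixes, but since devices.te is the place policy writers look up which type covers which node, stale comments here lead to wrong labels in downstream modules. The neverallow pair on memory_device_t (raw read and `{ append write }` restricted to memory_raw_read/memory_raw_write and devices_unconfined_type) is the security-relevant content of the hunk and looks correct as written.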
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if new file mode 100644 index 0000000..0d8458a --- /dev/null +++ b/policy/modules/kernel/domain.if 
@@ -0,0 +1,1513 @@ +## <summary>Core policy for domains.</summary> +## <required val="true"> +## Contains the concept of a domain. +## </required> + +######################################## +## <summary> +## Make the specified type usable as a basic domain. +## </summary> +## <desc> +## <p> +## Make the specified type usable as a basic domain. +## </p> +## <p> +## This is primarily used for kernel threads; +## generally the domain_type() interface is +## more appropriate for userland processes. +## </p> +## </desc> +## <param name="type"> +## <summary> +## Type to be used as a basic domain type. +## </summary> +## </param> +# +interface(`domain_base_type',` + gen_require(` + attribute domain; + ') + + typeattribute $1 domain; +') + +######################################## +## <summary> +## Make the specified type usable as a domain. +## </summary> +## <desc> +## <p> +## Make the specified type usable as a domain. This, +## or an interface that calls this interface, must be +## used on all types that are used as domains. +## </p> +## <p> +## Related interfaces: +## </p> +## <ul> +## <li>application_domain()</li> +## <li>init_daemon_domain()</li> +## <li>init_domaion()</li> +## <li>init_ranged_daemon_domain()</li> +## <li>init_ranged_domain()</li> +## <li>init_ranged_system_domain()</li> +## <li>init_script_domain()</li> +## <li>init_system_domain()</li> +## </ul> +## <p> +## Example: +## </p> +## <p> +## type mydomain_t; +## domain_type(mydomain_t) +## type myfile_t; +## files_type(myfile_t) +## allow mydomain_t myfile_t:file read_file_perms; +## </p> +## </desc> +## <param name="type"> +## <summary> +## Type to be used as a domain type. 
+## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`domain_type',` + # start with basic domain + domain_base_type($1) + + ifdef(`distro_redhat',` + optional_policy(` + unconfined_use_fds($1) + ') + ') + + # send init a sigchld and signull + optional_policy(` + init_sigchld($1) + init_signull($1) + ') + + # these seem questionable: + + optional_policy(` + rpm_use_fds($1) + rpm_read_pipes($1) + ') + + optional_policy(` + selinux_dontaudit_getattr_fs($1) + selinux_dontaudit_read_fs($1) + ') + + optional_policy(` + seutil_dontaudit_read_config($1) + ') +') + +######################################## +## <summary> +## Make the specified type usable as +## an entry point for the domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain to be entered. +## </summary> +## </param> +## <param name="type"> +## <summary> +## Type of program used for entering +## the domain. +## </summary> +## </param> +# +interface(`domain_entry_file',` + gen_require(` + attribute entry_type; + ') + + allow $1 $2:file entrypoint; + allow $1 $2:file { mmap_file_perms ioctl lock }; + + typeattribute $2 entry_type; + + corecmd_executable_file($2) +') + +######################################## +## <summary> +## Make the file descriptors of the specified +## domain for interactive use (widely inheritable) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`domain_interactive_fd',` + gen_require(` + attribute privfd; + ') + + typeattribute $1 privfd; +') + +######################################## +## <summary> +## Allow the specified domain to perform +## dynamic transitions. +## </summary> +## <desc> +## <p> +## Allow the specified domain to perform +## dynamic transitions. +## </p> +## <p> +## This violates process tranquility, and it +## is strongly suggested that this not be used. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`domain_dyntrans_type',` + gen_require(` + attribute set_curr_context; + ') + + typeattribute $1 set_curr_context; +') + +######################################## +## <summary> +## Makes caller and execption to the constraint +## preventing changing to the system user +## identity and system role. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`domain_system_change_exemption',` + gen_require(` + attribute can_system_change; + ') + + typeattribute $1 can_system_change; +') + +######################################## +## <summary> +## Makes caller an exception to the constraint preventing +## changing of user identity. +## </summary> +## <param name="domain"> +## <summary> +## The process type to make an exception to the constraint. +## </summary> +## </param> +# +interface(`domain_subj_id_change_exemption',` + gen_require(` + attribute can_change_process_identity; + ') + + typeattribute $1 can_change_process_identity; +') + +######################################## +## <summary> +## Makes caller an exception to the constraint preventing +## changing of role. +## </summary> +## <param name="domain"> +## <summary> +## The process type to make an exception to the constraint. +## </summary> +## </param> +# +interface(`domain_role_change_exemption',` + gen_require(` + attribute can_change_process_role; + ') + + typeattribute $1 can_change_process_role; +') + +######################################## +## <summary> +## Makes caller an exception to the constraint preventing +## changing the user identity in object contexts. +## </summary> +## <param name="domain"> +## <summary> +## The process type to make an exception to the constraint. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`domain_obj_id_change_exemption',` + gen_require(` + attribute can_change_object_identity; + ') + + typeattribute $1 can_change_object_identity; +') + +######################################## +## <summary> +## Make the specified domain the target of +## the user domain exception of the +## SELinux role and identity change +## constraints. +## </summary> +## <desc> +## <p> +## Make the specified domain the target of +## the user domain exception of the +## SELinux role and identity change +## constraints. +## </p> +## <p> +## This interface is needed to decouple +## the user domains from the base module. +## It should not be used other than on +## user domains. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain target for user exemption. +## </summary> +## </param> +# +interface(`domain_user_exemption_target',` + gen_require(` + attribute process_user_target; + ') + + typeattribute $1 process_user_target; +') + +######################################## +## <summary> +## Make the specified domain the source of +## the cron domain exception of the +## SELinux role and identity change +## constraints. +## </summary> +## <desc> +## <p> +## Make the specified domain the source of +## the cron domain exception of the +## SELinux role and identity change +## constraints. +## </p> +## <p> +## This interface is needed to decouple +## the cron domains from the base module. +## It should not be used other than on +## cron domains. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain target for user exemption. +## </summary> +## </param> +# +interface(`domain_cron_exemption_source',` + gen_require(` + attribute cron_source_domain; + ') + + typeattribute $1 cron_source_domain; +') + +######################################## +## <summary> +## Make the specified domain the target of +## the cron domain exception of the +## SELinux role and identity change +## constraints. 
+## </summary> +## <desc> +## <p> +## Make the specified domain the target of +## the cron domain exception of the +## SELinux role and identity change +## constraints. +## </p> +## <p> +## This interface is needed to decouple +## the cron domains from the base module. +## It should not be used other than on +## user cron jobs. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain target for user exemption. +## </summary> +## </param> +# +interface(`domain_cron_exemption_target',` + gen_require(` + attribute cron_job_domain; + ') + + typeattribute $1 cron_job_domain; +') + +######################################## +## <summary> +## Inherit and use file descriptors from +## domains with interactive programs. +## </summary> +## <desc> +## <p> +## Allow the specified domain to inherit and use file +## descriptors from domains with interactive programs. +## This does not allow access to the objects being referenced +## by the file descriptors. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="1"/> +# +interface(`domain_use_interactive_fds',` + gen_require(` + attribute privfd; + ') + + allow $1 privfd:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to inherit file +## descriptors from domains with interactive +## programs. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`domain_dontaudit_use_interactive_fds',` + gen_require(` + attribute privfd; + ') + + dontaudit $1 privfd:fd use; +') + +######################################## +## <summary> +## Send a SIGCHLD signal to domains whose file +## discriptors are widely inheritable. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +# cjp: this was added because of newrole +interface(`domain_sigchld_interactive_fds',` + gen_require(` + attribute privfd; + ') + + allow $1 privfd:process sigchld; +') + +######################################## +## <summary> +## Set the nice level of all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`domain_setpriority_all_domains',` + gen_require(` + attribute domain; + ') + + allow $1 domain:process setsched; +') + +######################################## +## <summary> +## Send general signals to all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`domain_signal_all_domains',` + gen_require(` + attribute domain; + ') + + allow $1 domain:process signal; +') + +######################################## +## <summary> +## Dontaudit sending general signals to all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +## <rolecap/> +# +interface(`domain_dontaudit_signal_all_domains',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:process signal; +') + +######################################## +## <summary> +## Send a null signal to all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`domain_signull_all_domains',` + gen_require(` + attribute domain; + ') + + allow $1 domain:process signull; +') + +######################################## +## <summary> +## Send a stop signal to all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`domain_sigstop_all_domains',` + gen_require(` + attribute domain; + ') + + allow $1 domain:process sigstop; +') + +######################################## +## <summary> +## Send a child terminated signal to all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`domain_sigchld_all_domains',` + gen_require(` + attribute domain; + ') + + allow $1 domain:process sigchld; +') + +######################################## +## <summary> +## Send a kill signal to all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`domain_kill_all_domains',` + gen_require(` + attribute domain; + ') + + allow $1 domain:process sigkill; + allow $1 self:capability kill; +') + +######################################## +## <summary> +## Search the process state directory (/proc/pid) of all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`domain_search_all_domains_state',` + gen_require(` + attribute domain; + ') + + kernel_search_proc($1) + allow $1 domain:dir search_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to search the process +## state directory (/proc/pid) of all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`domain_dontaudit_search_all_domains_state',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:dir search_dir_perms; +') + +######################################## +## <summary> +## Read the process state (/proc/pid) of all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`domain_read_all_domains_state',` + gen_require(` + attribute domain; + ') + + kernel_search_proc($1) + allow $1 domain:dir list_dir_perms; + read_files_pattern($1, domain, domain) + read_lnk_files_pattern($1, domain, domain) +') + +######################################## +## <summary> +## Get the attributes of all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`domain_getattr_all_domains',` + gen_require(` + attribute domain; + ') + + allow $1 domain:process getattr; +') + +######################################## +## <summary> +## Dontaudit geting the attributes of all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`domain_dontaudit_getattr_all_domains',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:process getattr; +') + +######################################## +## <summary> +## Read the process state (/proc/pid) of all confined domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`domain_read_confined_domains_state',` + gen_require(` + attribute domain, unconfined_domain_type; + ') + + kernel_search_proc($1) + allow $1 { domain -unconfined_domain_type }:dir list_dir_perms; + read_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type }) + read_lnk_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type }) + + dontaudit $1 unconfined_domain_type:dir search_dir_perms; + dontaudit $1 unconfined_domain_type:file read_file_perms; + dontaudit $1 unconfined_domain_type:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Get the attributes of all confined domains. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`domain_getattr_confined_domains',` + gen_require(` + attribute domain, unconfined_domain_type; + ') + + allow $1 { domain -unconfined_domain_type }:process getattr; +') + +######################################## +## <summary> +## Ptrace all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`domain_ptrace_all_domains',` + gen_require(` + attribute domain; + ') + + allow $1 domain:process ptrace; + allow domain $1:process sigchld; +') + +######################################## +## <summary> +## Do not audit attempts to ptrace all domains. +## </summary> +## <desc> +## <p> +## Do not audit attempts to ptrace all domains. +## </p> +## <p> +## Generally this needs to be suppressed because procps tries to access +## /proc/pid/environ and this now triggers a ptrace check in recent kernels +## (2.4 and 2.6). +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`domain_dontaudit_ptrace_all_domains',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:process ptrace; +') + +######################################## +## <summary> +## Do not audit attempts to ptrace confined domains. +## </summary> +## <desc> +## <p> +## Do not audit attempts to ptrace confined domains. +## </p> +## <p> +## Generally this needs to be suppressed because procps tries to access +## /proc/pid/environ and this now triggers a ptrace check in recent kernels +## (2.4 and 2.6). +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`domain_dontaudit_ptrace_confined_domains',` + gen_require(` + attribute domain, unconfined_domain_type; + ') + + dontaudit $1 { domain -unconfined_domain_type }:process ptrace; +') + +######################################## +## <summary> +## Do not audit attempts to read the process +## state (/proc/pid) of all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`domain_dontaudit_read_all_domains_state',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:dir list_dir_perms; + dontaudit $1 domain:lnk_file read_lnk_file_perms; + dontaudit $1 domain:file read_file_perms; + + # cjp: these should be removed: + dontaudit $1 domain:sock_file read_sock_file_perms; + dontaudit $1 domain:fifo_file read_fifo_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read the process state +## directories of all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`domain_dontaudit_list_all_domains_state',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:dir list_dir_perms; +') + +######################################## +## <summary> +## Get the session ID of all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`domain_getsession_all_domains',` + gen_require(` + attribute domain; + ') + + allow $1 domain:process getsession; +') + +######################################## +## <summary> +## Do not audit attempts to get the +## session ID of all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`domain_dontaudit_getsession_all_domains',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:process getsession; +') + +######################################## +## <summary> +## Get the process group ID of all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`domain_getpgid_all_domains',` + gen_require(` + attribute domain; + ') + + allow $1 domain:process getpgid; +') + +######################################## +## <summary> +## Get the scheduler information of all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`domain_getsched_all_domains',` + gen_require(` + attribute domain; + ') + + allow $1 domain:process getsched; +') + +######################################## +## <summary> +## Get the attributes of all domains +## sockets, for all socket types. +## </summary> +## <desc> +## <p> +## Get the attributes of all domains +## sockets, for all socket types. +## </p> +## <p> +## This is commonly used for domains +## that can use lsof on all domains. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`domain_getattr_all_sockets',` + gen_require(` + attribute domain; + ') + + allow $1 domain:socket_class_set getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of all domains sockets, for all socket types. +## </summary> +## <desc> +## <p> +## Do not audit attempts to get the attributes +## of all domains sockets, for all socket types. +## </p> +## <p> +## This interface was added for PCMCIA cardmgr +## and is probably excessive. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`domain_dontaudit_getattr_all_sockets',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:socket_class_set getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of all domains TCP sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`domain_dontaudit_getattr_all_tcp_sockets',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:tcp_socket getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of all domains UDP sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`domain_dontaudit_getattr_all_udp_sockets',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:udp_socket getattr; +') + +######################################## +## <summary> +## Do not audit attempts to read or write +## all domains UDP sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`domain_dontaudit_rw_all_udp_sockets',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:udp_socket { read write }; +') + +######################################## +## <summary> +## Do not audit attempts to get attribues of +## all domains IPSEC key management sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`domain_dontaudit_getattr_all_key_sockets',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:key_socket getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get attribues of +## all domains packet sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`domain_dontaudit_getattr_all_packet_sockets',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:packet_socket getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get attribues of +## all domains raw sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`domain_dontaudit_getattr_all_raw_sockets',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:rawip_socket getattr; +') + +######################################## +## <summary> +## Do not audit attempts to read or write +## all domains key sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`domain_dontaudit_rw_all_key_sockets',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:key_socket { read write }; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of all domains unix datagram sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`domain_dontaudit_getattr_all_dgram_sockets',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:unix_dgram_socket getattr; +') + +######################################## +## <summary> +## Get the attributes +## of all domains unix datagram sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`domain_getattr_all_stream_sockets',` + gen_require(` + attribute domain; + ') + + allow $1 domain:unix_stream_socket getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of all domains unix datagram sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`domain_dontaudit_getattr_all_stream_sockets',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:unix_stream_socket getattr; +') + +######################################## +## <summary> +## Get the attributes of all domains +## unnamed pipes. +## </summary> +## <desc> +## <p> +## Get the attributes of all domains +## unnamed pipes. +## </p> +## <p> +## This is commonly used for domains +## that can use lsof on all domains. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`domain_getattr_all_pipes',` + gen_require(` + attribute domain; + ') + + allow $1 domain:fifo_file getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of all domains unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`domain_dontaudit_getattr_all_pipes',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:fifo_file getattr; +') + +######################################## +## <summary> +## Allow specified type to set context of all +## domains IPSEC associations. +## </summary> +## <param name="type"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`domain_ipsec_setcontext_all_domains',` + gen_require(` + attribute domain; + ') + + allow $1 domain:association setcontext; +') + +######################################## +## <summary> +## Get the attributes of entry point +## files for all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`domain_getattr_all_entry_files',` + gen_require(` + attribute entry_type; + ') + + allow $1 entry_type:lnk_file read_lnk_file_perms; + allow $1 entry_type:file getattr; +') + +######################################## +## <summary> +## Read the entry point files for all domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`domain_read_all_entry_files',` + gen_require(` + attribute entry_type; + ') + + allow $1 entry_type:lnk_file read_lnk_file_perms; + allow $1 entry_type:file read_file_perms; +') + +######################################## +## <summary> +## Execute the entry point files for all +## domains in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`domain_exec_all_entry_files',` + gen_require(` + attribute entry_type; + ') + + can_exec($1, entry_type) +') + +######################################## +## <summary> +## dontaudit checking for execute on all entry point files +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`domain_dontaudit_exec_all_entry_files',` + gen_require(` + attribute entry_type; + ') + + dontaudit $1 entry_type:file exec_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete all +## entrypoint files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: added for prelink +interface(`domain_manage_all_entry_files',` + gen_require(` + attribute entry_type; + ') + + allow $1 entry_type:file manage_file_perms; +') + +######################################## +## <summary> +## Relabel to and from all entry point +## file types. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +# cjp: added for prelink +interface(`domain_relabel_all_entry_files',` + gen_require(` + attribute entry_type; + ') + + allow $1 entry_type:file relabel_file_perms; +') + +######################################## +## <summary> +## Mmap all entry point files as executable. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: added for prelink +interface(`domain_mmap_all_entry_files',` + gen_require(` + attribute entry_type; + ') + + allow $1 entry_type:file mmap_file_perms; +') + +######################################## +## <summary> +## Execute an entry_type in the specified domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the new process. +## </summary> +## </param> +# +# cjp: added for userhelper +interface(`domain_entry_file_spec_domtrans',` + gen_require(` + attribute entry_type; + ') + + domain_transition_pattern($1, entry_type, $2) +') + +######################################## +## <summary> +## Ability to mmap a low area of the address +## space conditionally, as configured by +## /proc/sys/kernel/mmap_min_addr. +## Preventing such mappings helps protect against +## exploiting null deref bugs in the kernel. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`domain_mmap_low',` + gen_require(` + attribute mmap_low_domain_type; + bool mmap_low_allowed; + ') + + typeattribute $1 mmap_low_domain_type; + + if ( mmap_low_allowed ) { + allow $1 self:memprotect mmap_zero; + } +') + +######################################## +## <summary> +## Ability to mmap a low area of the address +## space unconditionally, as configured +## by /proc/sys/kernel/mmap_min_addr. +## Preventing such mappings helps protect against +## exploiting null deref bugs in the kernel. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`domain_mmap_low_uncond',` + gen_require(` + attribute mmap_low_domain_type; + ') + + typeattribute $1 mmap_low_domain_type; + + allow $1 self:memprotect mmap_zero; +') + +######################################## +## <summary> +## Allow specified type to receive labeled +## networking packets from all domains, over +## all protocols (TCP, UDP, etc) +## </summary> +## <param name="type"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`domain_all_recvfrom_all_domains',` + gen_require(` + attribute domain; + ') + + corenet_all_recvfrom_labeled($1, domain) +') + +######################################## +## <summary> +## Send generic signals to the unconfined domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`domain_unconfined_signal',` + gen_require(` + attribute unconfined_domain_type; + ') + + allow $1 unconfined_domain_type:process signal; +') + +######################################## +## <summary> +## Unconfined access to domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`domain_unconfined',` + gen_require(` + attribute set_curr_context; + attribute can_change_object_identity; + attribute unconfined_domain_type; + attribute process_uncond_exempt; + ') + + typeattribute $1 unconfined_domain_type; + + # pass constraints + typeattribute $1 can_change_object_identity; + typeattribute $1 set_curr_context; + typeattribute $1 process_uncond_exempt; +') + +######################################## +## <summary> +## Do not audit attempts to read or write +## all leaked sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`domain_dontaudit_leaks',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:socket_class_set { read write }; +') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te new file mode 100644 index 0000000..5843cad --- /dev/null +++ b/policy/modules/kernel/domain.te 
@@ -0,0 +1,277 @@ +policy_module(domain, 1.8.1) + +######################################## +# +# Declarations +# +## <desc> +## <p> +## Allow all domains to use other domains file descriptors +## </p> +## </desc> +# +gen_tunable(allow_domain_fd_use, true) + +## <desc> +## <p> +## Allow all domains to have the kernel load modules +## </p> +## </desc> +# +gen_tunable(domain_kernel_load_modules, false) + +## <desc> +## <p> +## Control the ability to mmap a low area of the address space, +## as configured by /proc/sys/kernel/mmap_min_addr. +## </p> +## </desc> +gen_tunable(mmap_low_allowed, false) + +# Mark process types as domains +attribute domain; + +# Transitions only allowed from domains to other domains +neverallow domain ~domain:process { transition dyntransition }; + +# Domains that are unconfined +attribute unconfined_domain_type; + +# Domains that can mmap low memory. +attribute mmap_low_domain_type; +neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; + +# Domains that can set their current context +# (perform dynamic transitions) +attribute set_curr_context; + +# enabling setcurrent breaks process tranquility. If you do not +# know what this means or do not understand the implications of a +# dynamic transition, you should not be using it!!! 
+neverallow { domain -set_curr_context } self:process setcurrent; + +# entrypoint executables +attribute entry_type; + +# widely-inheritable file descriptors +attribute privfd; + +# +# constraint related attributes +# + +# [1] types that can change SELinux identity on transition +attribute can_change_process_identity; + +# [2] types that can change SELinux role on transition +attribute can_change_process_role; + +# [3] types that can change the SELinux identity on a filesystem +# object or a socket object on a create or relabel +attribute can_change_object_identity; + +# [3] types that can change to system_u:system_r +attribute can_system_change; + +# [4] types that have attribute 1 can change the SELinux +# identity only if the target domain has this attribute. +# Types that have attribute 2 can change the SELinux role +# only if the target domain has this attribute. +attribute process_user_target; + +# For cron jobs +# [5] types used for cron daemons +attribute cron_source_domain; +# [6] types used for cron jobs +attribute cron_job_domain; + +# [7] types that are unconditionally exempt from +# SELinux identity and role change constraints +attribute process_uncond_exempt; # add userhelperdomain to this one + +neverallow { domain unlabeled_t } ~{ domain unlabeled_t }:process *; +neverallow ~{ domain unlabeled_t } *:process *; + +######################################## +# +# Rules applied to all domains +# + +# read /proc/(pid|self) entries +allow domain self:dir list_dir_perms; +allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; +allow domain self:file rw_file_perms; +kernel_read_proc_symlinks(domain) +kernel_read_crypto_sysctls(domain) + +# Every domain gets the key ring, so we should default +# to no one allowed to look at it; afs kernel support creates +# a keyring +kernel_dontaudit_search_key(domain) +kernel_dontaudit_link_key(domain) +kernel_dontaudit_search_debugfs(domain) + +# create child processes in the domain +allow domain self:process { 
fork getsched sigchld }; + +# Use trusted objects in /dev +dev_rw_null(domain) +dev_rw_zero(domain) +term_use_controlling_term(domain) + +# list the root directory +files_list_root(domain) +# allow all domains to search through default_t directory, since users sometimes +# place labels within these directories. (samba_share_t) for example. +files_search_default(domain) + +# All executables should be able to search the directory they are in +corecmd_search_bin(domain) + +tunable_policy(`domain_kernel_load_modules',` + kernel_request_load_module(domain) +') + +tunable_policy(`global_ssp',` + # enable reading of urandom for all domains: + # this should be enabled when all programs + # are compiled with ProPolice/SSP + # stack smashing protection. + dev_read_urand(domain) +') + +optional_policy(` + afs_rw_cache(domain) +') + +optional_policy(` + libs_use_ld_so(domain) + libs_use_shared_libs(domain) + libs_read_lib_files(domain) +') + +optional_policy(` + setrans_translate_context(domain) +') + +# xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains. +optional_policy(` + xserver_dontaudit_use_xdm_fds(domain) + xserver_dontaudit_rw_xdm_pipes(domain) + xserver_dontaudit_append_xdm_home_files(domain) + xserver_dontaudit_write_log(domain) +') + +######################################## +# +# Unconfined access to this module +# + +# unconfined access also allows constraints, but this +# is handled in the interface as typeattribute cannot +# be used on an attribute. + +# Use/sendto/connectto sockets created by any domain. +allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; + +# Use descriptors and pipes created by any domain. +allow unconfined_domain_type domain:fd use; +allow unconfined_domain_type domain:fifo_file rw_file_perms; + +allow unconfined_domain_type unconfined_domain_type:dbus send_msg; + +# Act upon any other process. 
+allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; + +# Create/access any System V IPC objects. +allow unconfined_domain_type domain:{ sem msgq shm } *; +allow unconfined_domain_type domain:msg { send receive }; + +# For /proc/pid +allow unconfined_domain_type domain:dir list_dir_perms; +allow unconfined_domain_type domain:file rw_file_perms; +allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; + +# act on all domains keys +allow unconfined_domain_type domain:key *; + +# receive from all domains over labeled networking +domain_all_recvfrom_all_domains(unconfined_domain_type) + +selinux_getattr_fs(domain) +selinux_search_fs(domain) +selinux_dontaudit_read_fs(domain) + +seutil_dontaudit_read_config(domain) + +init_sigchld(domain) +init_signull(domain) + +ifdef(`distro_redhat',` + files_search_mnt(domain) + optional_policy(` + unconfined_use_fds(domain) + ') +') + +# these seem questionable: + +optional_policy(` + abrt_domtrans_helper(domain) + abrt_read_pid_files(domain) + abrt_read_state(domain) + abrt_signull(domain) + abrt_stream_connect(domain) +') + +optional_policy(` + rpm_use_fds(domain) + rpm_read_pipes(domain) + rpm_search_log(domain) + rpm_append_tmp_files(domain) + rpm_dontaudit_leaks(domain) + rpm_read_script_tmp_files(domain) + rpm_inherited_fifo(domain) +') + +optional_policy(` + sosreport_append_tmp_files(domain) +') + +tunable_policy(`allow_domain_fd_use',` + # Allow all domains to use fds past to them + allow domain domain:fd use; +') + +optional_policy(` + cron_dontaudit_write_system_job_tmp_files(domain) + cron_rw_pipes(domain) + cron_rw_system_job_pipes(domain) +') + +ifdef(`hide_broken_symptoms',` + dontaudit domain self:udp_socket listen; + allow domain domain:key { link search }; +') + +optional_policy(` + hal_dontaudit_read_pid_files(domain) +') + +optional_policy(` + ifdef(`hide_broken_symptoms',` + afs_rw_udp_sockets(domain) + ') +') + +optional_policy(` + 
ssh_rw_pipes(domain) +') + +optional_policy(` + unconfined_dontaudit_rw_pipes(domain) + unconfined_sigchld(domain) +') + +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc new file mode 100644 index 0000000..bd4c23d --- /dev/null +++ b/policy/modules/kernel/files.fc 
@@ -0,0 +1,272 @@ + +# +# / +# +/.* gen_context(system_u:object_r:default_t,s0) +/ -d gen_context(system_u:object_r:root_t,s0) +/\.journal <<none>> +/afs -d gen_context(system_u:object_r:mnt_t,s0) +/initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0) +/vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0) + +ifdef(`distro_redhat',` +/\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0) +/\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0) +/\.suspended -- gen_context(system_u:object_r:etc_runtime_t,s0) +/fastboot -- gen_context(system_u:object_r:etc_runtime_t,s0) +/forcefsck -- gen_context(system_u:object_r:etc_runtime_t,s0) +/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) +/halt -- gen_context(system_u:object_r:etc_runtime_t,s0) +/poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0) +/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0) +') + +ifdef(`distro_suse',` +/success -- gen_context(system_u:object_r:etc_runtime_t,s0) +') + +# +# /boot +# +/boot -d gen_context(system_u:object_r:boot_t,s0) +/boot/.* gen_context(system_u:object_r:boot_t,s0) +/boot/\.journal <<none>> +/boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) +/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) +/boot/lost\+found/.* <<none>> +/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) + +# +# /emul +# +/emul -d gen_context(system_u:object_r:usr_t,s0) +/emul/.* gen_context(system_u:object_r:usr_t,s0) + +# +# /etc +# +/etc -d gen_context(system_u:object_r:etc_t,s0) +/etc/.* gen_context(system_u:object_r:etc_t,s0) +/etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/blkid(/.*)? 
gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/cmtab -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/issue -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/localtime -l gen_context(system_u:object_r:etc_t,s0) +/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/reader\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0) + +/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) + + +/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) + +/etc/ipsec\.d/examples(/.*)? 
gen_context(system_u:object_r:etc_t,s0) + +/etc/network/ifstate -- gen_context(system_u:object_r:etc_runtime_t,s0) + +/etc/ptal/ptal-printd-like -- gen_context(system_u:object_r:etc_runtime_t,s0) + +/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) + +/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) + +ifdef(`distro_gentoo', ` +/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0) +') + +ifdef(`distro_redhat',` +/etc/rhgb(/.*)? -d gen_context(system_u:object_r:mnt_t,s0) +') + +ifdef(`distro_suse',` +/etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) +') + +# +# HOME_ROOT +# expanded by genhomedircon +# +HOME_ROOT gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh) +HOME_ROOT/\.journal <<none>> +HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) +HOME_ROOT/lost\+found/.* <<none>> + +# +# /initrd +# +# initrd mount point, only used during boot +/initrd -d gen_context(system_u:object_r:root_t,s0) + +# +# /lib(64)? +# +/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) +/lib64/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) + +# +# /lost+found +# +/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) +/lost\+found/.* <<none>> + +# +# /media +# +# Mount points; do not relabel subdirectories, since +# we don't want to change any removable media by default. +/media(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0) +/media(/[^/]*)? 
-d gen_context(system_u:object_r:mnt_t,s0) +/media/[^/]*/.* <<none>> +/media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0) + +# +# /misc +# +/misc -d gen_context(system_u:object_r:mnt_t,s0) + +# +# /mnt +# +/mnt(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0) +/mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) +/mnt/[^/]*/.* <<none>> + +# +# /net +# +/net -d gen_context(system_u:object_r:mnt_t,s0) + +# +# /opt +# +/opt -d gen_context(system_u:object_r:usr_t,s0) +/opt/.* gen_context(system_u:object_r:usr_t,s0) + +/opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0) + +# +# /proc +# +/proc -d <<none>> +/proc/.* <<none>> + +ifdef(`distro_redhat',` +/rhev -d gen_context(system_u:object_r:mnt_t,s0) +/rhev(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) +/rhev/[^/]*/.* <<none>> +') + +# +# /selinux +# +/selinux -d <<none>> +/selinux/.* <<none>> + +# +# /srv +# +/srv -d gen_context(system_u:object_r:var_t,s0) +/srv/.* gen_context(system_u:object_r:var_t,s0) + +# +# /tmp +# +/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) +/tmp/.* <<none>> +/tmp/\.journal <<none>> + +/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) +/tmp/lost\+found/.* <<none>> + +# +# /usr +# +/usr -d gen_context(system_u:object_r:usr_t,s0) +/usr/.* gen_context(system_u:object_r:usr_t,s0) +/usr/\.journal <<none>> + +/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) + +/usr/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) + +/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) + +/usr/local/\.journal <<none>> + +/usr/local/etc(/.*)? 
gen_context(system_u:object_r:etc_t,s0) + +/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) +/usr/local/lost\+found/.* <<none>> + +/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) +/usr/lost\+found/.* <<none>> + +/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) + +/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) +/usr/tmp/.* <<none>> + +ifndef(`distro_redhat',` +/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) +/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) +/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) +') + +# +# /var +# +/var -d gen_context(system_u:object_r:var_t,s0) +/var/.* gen_context(system_u:object_r:var_t,s0) +/var/\.journal <<none>> + +/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0) + +/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) + +/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) + +/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) + +/var/lib/nfs/rpc_pipefs(/.*)? <<none>> + +/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) + +/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) +/var/lost\+found/.* <<none>> + +/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) +/var/run/.* gen_context(system_u:object_r:var_run_t,s0) +/var/run/.*\.*pid <<none>> + +/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) +/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) + +/var/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) +/var/tmp/.* <<none>> +/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) +/var/tmp/lost\+found/.* <<none>> +/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0) + +ifdef(`distro_debian',` +/var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) +') +/nsr(/.*)? 
gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if new file mode 100644 index 0000000..a738502 --- /dev/null +++ b/policy/modules/kernel/files.if 
@@ -0,0 +1,6383 @@ +## <summary> +## Basic filesystem types and interfaces. +## </summary> +## <desc> +## <p> +## This module contains basic filesystem types and interfaces. This +## includes: +## <ul> +## <li>The concept of different file types including basic +## files, mount points, tmp files, etc.</li> +## <li>Access to groups of files and all files.</li> +## <li>Types and interfaces for the basic filesystem layout +## (/, /etc, /tmp, /usr, etc.).</li> +## </ul> +## </p> +## </desc> +## <required val="true"> +## Contains the concept of a file. +## Comains the file initial SID. +## </required> + +######################################## +## <summary> +## Make the specified type usable for files +## in a filesystem. +## </summary> +## <desc> +## <p> +## Make the specified type usable for files +## in a filesystem. Types used for files that +## do not use this interface, or an interface that +## calls this one, will have unexpected behaviors +## while the system is running. If the type is used +## for device nodes (character or block files), then +## the dev_node() interface is more appropriate. 
+## </p> +## <p> +## Related interfaces: +## </p> +## <ul> +## <li>application_domain()</li> +## <li>application_executable_file()</li> +## <li>corecmd_executable_file()</li> +## <li>init_daemon_domain()</li> +## <li>init_domaion()</li> +## <li>init_ranged_daemon_domain()</li> +## <li>init_ranged_domain()</li> +## <li>init_ranged_system_domain()</li> +## <li>init_script_file()</li> +## <li>init_script_domain()</li> +## <li>init_system_domain()</li> +## <li>files_config_files()</li> +## <li>files_lock_file()</li> +## <li>files_mountpoint()</li> +## <li>files_pid_file()</li> +## <li>files_security_file()</li> +## <li>files_security_mountpoint()</li> +## <li>files_tmp_file()</li> +## <li>files_tmpfs_file()</li> +## <li>logging_log_file()</li> +## <li>userdom_user_home_content()</li> +## </ul> +## <p> +## Example: +## </p> +## <p> +## type myfile_t; +## files_type(myfile_t) +## allow mydomain_t myfile_t:file read_file_perms; +## </p> +## </desc> +## <param name="type"> +## <summary> +## Type to be used for files. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`files_type',` + gen_require(` + attribute file_type, non_security_file_type; + ') + + typeattribute $1 file_type, non_security_file_type; +') + +######################################## +## <summary> +## Make the specified type a file that +## should not be dontaudited from +## browsing from user domains. +## </summary> +## <param name="file_type"> +## <summary> +## Type of the file to be used as a +## member directory. +## </summary> +## </param> +# +interface(`files_security_file',` + gen_require(` + attribute file_type, security_file_type; + ') + + typeattribute $1 file_type, security_file_type; +') + +######################################## +## <summary> +## Make the specified type usable for +## lock files. +## </summary> +## <param name="type"> +## <summary> +## Type to be used for lock files. 
+## </summary> +## </param> +# +interface(`files_lock_file',` + gen_require(` + attribute lockfile; + ') + + files_type($1) + typeattribute $1 lockfile; +') + +######################################## +## <summary> +## Make the specified type usable for +## filesystem mount points. +## </summary> +## <param name="type"> +## <summary> +## Type to be used for mount points. +## </summary> +## </param> +# +interface(`files_mountpoint',` + gen_require(` + attribute mountpoint; + ') + + files_type($1) + typeattribute $1 mountpoint; +') + +######################################## +## <summary> +## Make the specified type usable for +## security file filesystem mount points. +## </summary> +## <param name="type"> +## <summary> +## Type to be used for mount points. +## </summary> +## </param> +# +interface(`files_security_mountpoint',` + gen_require(` + attribute mountpoint; + ') + + files_security_file($1) + typeattribute $1 mountpoint; +') + +######################################## +## <summary> +## Make the specified type usable for +## runtime process ID files. +## </summary> +## <desc> +## <p> +## Make the specified type usable for runtime process ID files, +## typically found in /var/run. +## This will also make the type usable for files, making +## calls to files_type() redundant. Failure to use this interface +## for a PID file type may result in problems with starting +## or stopping services. +## </p> +## <p> +## Related interfaces: +## </p> +## <ul> +## <li>files_pid_filetrans()</li> +## </ul> +## <p> +## Example usage with a domain that can create and +## write its PID file with a private PID file type in the +## /var/run directory: +## </p> +## <p> +## type mypidfile_t; +## files_pid_file(mypidfile_t) +## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; +## files_pid_filetrans(mydomain_t, mypidfile_t, file) +## </p> +## </desc> +## <param name="type"> +## <summary> +## Type to be used for PID files. 
+## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`files_pid_file',` + gen_require(` + attribute pidfile; + ') + + files_type($1) + typeattribute $1 pidfile; +') + +######################################## +## <summary> +## Make the specified type a +## configuration file. +## </summary> +## <desc> +## <p> +## Make the specified type usable for configuration files. +## This will also make the type usable for files, making +## calls to files_type() redundant. Failure to use this interface +## for a temporary file may result in problems with +## configuration management tools. +## </p> +## <p> +## Example usage with a domain that can read +## its configuration file /etc: +## </p> +## <p> +## type myconffile_t; +## files_config_file(myconffile_t) +## allow mydomain_t myconffile_t:file read_file_perms; +## files_search_etc(mydomain_t) +## </p> +## </desc> +## <param name="file_type"> +## <summary> +## Type to be used as a configuration file. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`files_config_file',` + gen_require(` + attribute configfile; + ') + files_type($1) + typeattribute $1 configfile; +') + +######################################## +## <summary> +## Make the specified type a +## polyinstantiated directory. +## </summary> +## <param name="file_type"> +## <summary> +## Type of the file to be used as a +## polyinstantiated directory. +## </summary> +## </param> +# +interface(`files_poly',` + gen_require(` + attribute polydir; + ') + + files_type($1) + typeattribute $1 polydir; +') + +######################################## +## <summary> +## Make the specified type a parent +## of a polyinstantiated directory. +## </summary> +## <param name="file_type"> +## <summary> +## Type of the file to be used as a +## parent directory. 
+## </summary> +## </param> +# +interface(`files_poly_parent',` + gen_require(` + attribute polyparent; + ') + + files_type($1) + typeattribute $1 polyparent; +') + +######################################## +## <summary> +## Make the specified type a +## polyinstantiation member directory. +## </summary> +## <param name="file_type"> +## <summary> +## Type of the file to be used as a +## member directory. +## </summary> +## </param> +# +interface(`files_poly_member',` + gen_require(` + attribute polymember; + ') + + files_type($1) + typeattribute $1 polymember; +') + +######################################## +## <summary> +## Make the domain use the specified +## type of polyinstantiated directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain using the polyinstantiated +## directory. +## </summary> +## </param> +## <param name="file_type"> +## <summary> +## Type of the file to be used as a +## member directory. +## </summary> +## </param> +# +interface(`files_poly_member_tmp',` + gen_require(` + type tmp_t; + ') + + type_member $1 tmp_t:dir $2; +') + +######################################## +## <summary> +## Make the specified type a file +## used for temporary files. +## </summary> +## <desc> +## <p> +## Make the specified type usable for temporary files. +## This will also make the type usable for files, making +## calls to files_type() redundant. Failure to use this interface +## for a temporary file may result in problems with +## purging temporary files. 
+## </p> +## <p> +## Related interfaces: +## </p> +## <ul> +## <li>files_tmp_filetrans()</li> +## </ul> +## <p> +## Example usage with a domain that can create and +## write its temporary file in the system temporary file +## directories (/tmp or /var/tmp): +## </p> +## <p> +## type mytmpfile_t; +## files_tmp_file(mytmpfile_t) +## allow mydomain_t mytmpfile_t:file { create_file_perms write_file_perms }; +## files_tmp_filetrans(mydomain_t, mytmpfile_t, file) +## </p> +## </desc> +## <param name="file_type"> +## <summary> +## Type of the file to be used as a +## temporary file. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`files_tmp_file',` + gen_require(` + attribute tmpfile; + type tmp_t; + ') + + files_type($1) + files_poly_member($1) + typeattribute $1 tmpfile; +') + +######################################## +## <summary> +## Transform the type into a file, for use on a +## virtual memory filesystem (tmpfs). +## </summary> +## <param name="type"> +## <summary> +## The type to be transformed. +## </summary> +## </param> +# +interface(`files_tmpfs_file',` + gen_require(` + attribute tmpfsfile; + ') + + files_type($1) + typeattribute $1 tmpfsfile; +') + +######################################## +## <summary> +## Get the attributes of all directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_all_dirs',` + gen_require(` + attribute file_type; + ') + + getattr_dirs_pattern($1, file_type, file_type) +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of all directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`files_dontaudit_getattr_all_dirs',` + gen_require(` + attribute file_type; + ') + + dontaudit $1 file_type:dir getattr; +') + +######################################## +## <summary> +## List all non-security directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_list_non_security',` + gen_require(` + attribute non_security_file_type; + ') + + list_dirs_pattern($1, non_security_file_type, non_security_file_type) +') + +######################################## +## <summary> +## Do not audit attempts to list all +## non-security directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_list_non_security',` + gen_require(` + attribute non_security_file_type; + ') + + dontaudit $1 non_security_file_type:dir list_dir_perms; +') + +######################################## +## <summary> +## Mount a filesystem on all non-security +## directories and files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_mounton_non_security',` + gen_require(` + attribute non_security_file_type; + ') + + allow $1 non_security_file_type:dir mounton; + allow $1 non_security_file_type:file mounton; +') + +######################################## +## <summary> +## Allow attempts to modify any directory +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_write_non_security_dirs',` + gen_require(` + attribute non_security_file_type; + ') + + allow $1 non_security_file_type:dir write; +') + +######################################## +## <summary> +## Allow attempts to manage non-security directories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_manage_non_security_dirs',` + gen_require(` + attribute non_security_file_type; + ') + + allow $1 non_security_file_type:dir manage_dir_perms; +') + +######################################## +## <summary> +## Get the attributes of all files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_all_files',` + gen_require(` + attribute file_type; + ') + + getattr_files_pattern($1, file_type, file_type) + getattr_lnk_files_pattern($1, file_type, file_type) +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of all files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_getattr_all_files',` + gen_require(` + attribute file_type; + ') + + dontaudit $1 file_type:file getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of non security files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_getattr_non_security_files',` + gen_require(` + attribute non_security_file_type; + ') + + dontaudit $1 non_security_file_type:file getattr; +') + +######################################## +## <summary> +## Read all files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_all_files',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:dir list_dir_perms; + read_files_pattern($1, file_type, file_type) + + optional_policy(` + auth_read_shadow($1) + ') +') + +######################################## +## <summary> +## Allow shared library text relocations in all files. 
+## </summary> +## <desc> +## <p> +## Allow shared library text relocations in all files. +## </p> +## <p> +## This is added to support WINE policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_execmod_all_files',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:file execmod; +') + +######################################## +## <summary> +## Read all non-security files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_read_non_security_files',` + gen_require(` + attribute non_security_file_type; + ') + + read_files_pattern($1, non_security_file_type, non_security_file_type) + read_lnk_files_pattern($1, non_security_file_type, non_security_file_type) +') + +######################################## +## <summary> +## Read all directories on the filesystem, except +## the listed exceptions. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="exception_types" optional="true"> +## <summary> +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## </summary> +## </param> +# +interface(`files_read_all_dirs_except',` + gen_require(` + attribute file_type; + ') + + allow $1 { file_type $2 }:dir list_dir_perms; +') + +######################################## +## <summary> +## Read all files on the filesystem, except +## the listed exceptions. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="exception_types" optional="true"> +## <summary> +## The types to be excluded. Each type or attribute +## must be negated by the caller. 
+## </summary> +## </param> +# +interface(`files_read_all_files_except',` + gen_require(` + attribute file_type; + ') + + read_files_pattern($1, { file_type $2 }, { file_type $2 }) +') + +######################################## +## <summary> +## Read all symbolic links on the filesystem, except +## the listed exceptions. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="exception_types" optional="true"> +## <summary> +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## </summary> +## </param> +# +interface(`files_read_all_symlinks_except',` + gen_require(` + attribute file_type; + ') + + read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) +') + +######################################## +## <summary> +## Get the attributes of all symbolic links. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_all_symlinks',` + gen_require(` + attribute file_type; + ') + + getattr_lnk_files_pattern($1, file_type, file_type) +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of all symbolic links. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_getattr_all_symlinks',` + gen_require(` + attribute file_type; + ') + + dontaudit $1 file_type:lnk_file getattr; +') + +######################################## +## <summary> +## Do not audit attempts to read all symbolic links. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`files_dontaudit_read_all_symlinks',` + gen_require(` + attribute file_type; + ') + + dontaudit $1 file_type:lnk_file read; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of non security symbolic links. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_getattr_non_security_symlinks',` + gen_require(` + attribute non_security_file_type; + ') + + dontaudit $1 non_security_file_type:lnk_file getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of non security block devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_getattr_non_security_blk_files',` + gen_require(` + attribute non_security_file_type; + ') + + dontaudit $1 non_security_file_type:blk_file getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of non security character devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_getattr_non_security_chr_files',` + gen_require(` + attribute non_security_file_type; + ') + + dontaudit $1 non_security_file_type:chr_file getattr; +') + +######################################## +## <summary> +## Read all symbolic links. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_read_all_symlinks',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:dir list_dir_perms; + read_lnk_files_pattern($1, file_type, file_type) +') + +######################################## +## <summary> +## Get the attributes of all named pipes. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_all_pipes',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:dir list_dir_perms; + getattr_fifo_files_pattern($1, file_type, file_type) +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of all named pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_getattr_all_pipes',` + gen_require(` + attribute file_type; + ') + + dontaudit $1 file_type:fifo_file getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of non security named pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_getattr_non_security_pipes',` + gen_require(` + attribute non_security_file_type; + ') + + dontaudit $1 non_security_file_type:fifo_file getattr; +') + +######################################## +## <summary> +## Get the attributes of all named sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_all_sockets',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:dir list_dir_perms; + getattr_sock_files_pattern($1, file_type, file_type) +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of all named sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`files_dontaudit_getattr_all_sockets',` + gen_require(` + attribute file_type; + ') + + dontaudit $1 file_type:sock_file getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of non security named sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_getattr_non_security_sockets',` + gen_require(` + attribute non_security_file_type; + ') + + dontaudit $1 non_security_file_type:sock_file getattr; +') + +######################################## +## <summary> +## Read all block nodes with file types. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_all_blk_files',` + gen_require(` + attribute file_type; + ') + + read_blk_files_pattern($1, file_type, file_type) +') + +######################################## +## <summary> +## Read all character nodes with file types. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_all_chr_files',` + gen_require(` + attribute file_type; + ') + + read_chr_files_pattern($1, file_type, file_type) +') + +######################################## +## <summary> +## Relabel all files on the filesystem, except +## the listed exceptions. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="exception_types" optional="true"> +## <summary> +## The types to be excluded. Each type or attribute +## must be negated by the caller. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`files_relabel_all_files',` + gen_require(` + attribute file_type; + ') + + allow $1 { file_type $2 }:dir list_dir_perms; + relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) + + # satisfy the assertions: + seutil_relabelto_bin_policy($1) +') + +######################################## +## <summary> +## rw all files on the filesystem, except +## the listed exceptions. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="exception_types" optional="true"> +## <summary> +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_rw_all_files',` + gen_require(` + attribute file_type; + ') + + rw_files_pattern($1, { file_type $2 }, { file_type $2 }) +') + +######################################## +## <summary> +## Manage all files on the filesystem, except +## the listed exceptions. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="exception_types" optional="true"> +## <summary> +## The types to be excluded. Each type or attribute +## must be negated by the caller. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`files_manage_all_files',` + gen_require(` + attribute file_type; + ') + + manage_dirs_pattern($1, { file_type $2 }, { file_type $2 }) + manage_files_pattern($1, { file_type $2 }, { file_type $2 }) + manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) + manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) + manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) + + # satisfy the assertions: + seutil_create_bin_policy($1) + files_manage_kernel_modules($1) +') + +######################################## +## <summary> +## Search the contents of all directories on +## extended attribute filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_search_all',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:dir search_dir_perms; +') + +######################################## +## <summary> +## List the contents of all directories on +## extended attribute filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_list_all',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:dir list_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to search the +## contents of any directories on extended +## attribute filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_search_all_dirs',` + gen_require(` + attribute file_type; + ') + + dontaudit $1 file_type:dir search_dir_perms; +') + +######################################## +## <summary> +## Get the attributes of all filesystems +## with the type of a file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +# dwalsh: This interface is to allow quotacheck to work on a +# a filesystem mounted with the --context switch +# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957 +# +interface(`files_getattr_all_file_type_fs',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:filesystem getattr; +') + +######################################## +## <summary> +## Relabel a filesystem to the type of a file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_relabelto_all_file_type_fs',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:filesystem relabelto; +') + +######################################## +## <summary> +## Relabel a filesystem to the type of a file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_relabel_all_file_type_fs',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:filesystem { relabelfrom relabelto }; +') + +######################################## +## <summary> +## Mount all filesystems with the type of a file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_mount_all_file_type_fs',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:filesystem mount; +') + +######################################## +## <summary> +## Unmount all filesystems with the type of a file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_unmount_all_file_type_fs',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:filesystem unmount; +') + +############################################# +## <summary> +## Manage all configuration directories on filesystem +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## +# +interface(`files_manage_config_dirs',` + gen_require(` + attribute configfile; + ') + + manage_dirs_pattern($1, configfile, configfile) +') + +######################################### +## <summary> +## Relabel configuration directories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## +# +interface(`files_relabel_config_dirs',` + gen_require(` + attribute configfile; + ') + + relabel_dirs_pattern($1, configfile, configfile) +') + +######################################## +## <summary> +## Read config files in /etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_config_files',` + gen_require(` + attribute configfile; + ') + + allow $1 configfile:dir list_dir_perms; + read_files_pattern($1, configfile, configfile) + read_lnk_files_pattern($1, configfile, configfile) +') + +########################################### +## <summary> +## Manage all configuration files on filesystem +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## +# +interface(`files_manage_config_files',` + gen_require(` + attribute configfile; + ') + + manage_files_pattern($1, configfile, configfile) +') + +####################################### +## <summary> +## Relabel configuration files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## +# +interface(`files_relabel_config_files',` + gen_require(` + attribute configfile; + ') + + relabel_files_pattern($1, configfile, configfile) +') + +######################################## +## <summary> +## Mount a filesystem on all mount points. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_mounton_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') + + allow $1 mountpoint:dir { search_dir_perms mounton }; + allow $1 mountpoint:file { getattr mounton }; +') + +######################################## +## <summary> +## Get the attributes of all mount points. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') + + allow $1 mountpoint:dir getattr; +') + +######################################## +## <summary> +## Search all mount points. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_search_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') + + allow $1 mountpoint:dir search_dir_perms; +') + +######################################## +## <summary> +## Do not audit searching of all mount points. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_search_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') + + dontaudit $1 mountpoint:dir search_dir_perms; +') + +######################################## +## <summary> +## Do not audit listing of all mount points. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_list_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') + + dontaudit $1 mountpoint:dir list_dir_perms; +') + +######################################## +## <summary> +## Write all mount points. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_write_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') + + allow $1 mountpoint:dir write; +') + +######################################## +## <summary> +## List the contents of the root directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_list_root',` + gen_require(` + type root_t; + ') + + allow $1 root_t:dir list_dir_perms; + allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; +') + +######################################## +## <summary> +## Do not audit attempts to write +## files in the root directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_rw_root_dir',` + gen_require(` + type root_t; + ') + + dontaudit $1 root_t:dir rw_dir_perms; +') + +######################################## +## <summary> +## Create an object in the root directory, with a private +## type using a type transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="private type"> +## <summary> +## The type of the object to be created. +## </summary> +## </param> +## <param name="object"> +## <summary> +## The object class of the object being created. +## </summary> +## </param> +# +interface(`files_root_filetrans',` + gen_require(` + type root_t; + ') + + filetrans_pattern($1, root_t, $2, $3) +') + +######################################## +## <summary> +## Do not audit attempts to read files in +## the root directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`files_dontaudit_read_root_files',` + gen_require(` + type root_t; + ') + + dontaudit $1 root_t:file { getattr read }; +') + +######################################## +## <summary> +## Do not audit attempts to read or write +## files in the root directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_rw_root_files',` + gen_require(` + type root_t; + ') + + dontaudit $1 root_t:file { read write }; +') + +######################################## +## <summary> +## Do not audit attempts to read or write +## character device nodes in the root directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_rw_root_chr_files',` + gen_require(` + type root_t; + ') + + dontaudit $1 root_t:chr_file { read write }; +') + +######################################## +## <summary> +## Delete files in the root directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_root_files',` + gen_require(` + type root_t; + ') + + allow $1 root_t:file unlink; +') + +######################################## +## <summary> +## Remove entries from the root directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_root_dir_entry',` + gen_require(` + type root_t; + ') + + allow $1 root_t:dir rw_dir_perms; +') + +######################################## +## <summary> +## Unmount a rootfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_unmount_rootfs',` + gen_require(` + type root_t; + ') + + allow $1 root_t:filesystem unmount; +') + +######################################## +## <summary> +## Get attributes of the /boot directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_boot_dirs',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get attributes +## of the /boot directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_getattr_boot_dirs',` + gen_require(` + type boot_t; + ') + + dontaudit $1 boot_t:dir getattr; +') + +######################################## +## <summary> +## Search the /boot directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_search_boot',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to search the /boot directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_search_boot',` + gen_require(` + type boot_t; + ') + + dontaudit $1 boot_t:dir search_dir_perms; +') + +######################################## +## <summary> +## List the /boot directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_list_boot',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Create directories in /boot +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_create_boot_dirs',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir { create rw_dir_perms }; +') + +######################################## +## <summary> +## Create, read, write, and delete +## directories in /boot. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_boot_dirs',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Create a private type object in boot +## with an automatic type transition +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="private_type"> +## <summary> +## The type of the object to be created. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## The object class of the object being created. +## </summary> +## </param> +# +interface(`files_boot_filetrans',` + gen_require(` + type boot_t; + ') + + filetrans_pattern($1, boot_t, $2, $3) +') + +######################################## +## <summary> +## read files in the /boot directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_read_boot_files',` + gen_require(` + type boot_t; + ') + + read_files_pattern($1, boot_t, boot_t) +') + +######################################## +## <summary> +## Create, read, write, and delete files +## in the /boot directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_manage_boot_files',` + gen_require(` + type boot_t; + ') + + manage_files_pattern($1, boot_t, boot_t) +') + +######################################## +## <summary> +## Relabel from files in the /boot directory. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_relabelfrom_boot_files',` + gen_require(` + type boot_t; + ') + + relabelfrom_files_pattern($1, boot_t, boot_t) +') + +######################################## +## <summary> +## Read and write symbolic links +## in the /boot directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_rw_boot_symlinks',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir list_dir_perms; + rw_lnk_files_pattern($1, boot_t, boot_t) +') + +######################################## +## <summary> +## Create, read, write, and delete symbolic links +## in the /boot directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_boot_symlinks',` + gen_require(` + type boot_t; + ') + + manage_lnk_files_pattern($1, boot_t, boot_t) +') + +######################################## +## <summary> +## Read kernel files in the /boot directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_kernel_img',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir list_dir_perms; + read_files_pattern($1, boot_t, boot_t) + read_lnk_files_pattern($1, boot_t, boot_t) +') + +######################################## +## <summary> +## Install a kernel into the /boot directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_create_kernel_img',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:file { create_file_perms rw_file_perms }; + manage_lnk_files_pattern($1, boot_t, boot_t) +') + +######################################## +## <summary> +## Delete a kernel from /boot. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_delete_kernel',` + gen_require(` + type boot_t; + ') + + delete_files_pattern($1, boot_t, boot_t) +') + +######################################## +## <summary> +## Getattr of directories with the default file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_default_dirs',` + gen_require(` + type default_t; + ') + + allow $1 default_t:dir getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes of +## directories with the default file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_getattr_default_dirs',` + gen_require(` + type default_t; + ') + + dontaudit $1 default_t:dir getattr; +') + +######################################## +## <summary> +## Search the contents of directories with the default file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_search_default',` + gen_require(` + type default_t; + ') + + allow $1 default_t:dir search_dir_perms; +') + +######################################## +## <summary> +## List contents of directories with the default file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_list_default',` + gen_require(` + type default_t; + ') + + allow $1 default_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to list contents of +## directories with the default file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`files_dontaudit_list_default',` + gen_require(` + type default_t; + ') + + dontaudit $1 default_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete directories with +## the default file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_default_dirs',` + gen_require(` + type default_t; + ') + + manage_dirs_pattern($1, default_t, default_t) +') + +######################################## +## <summary> +## Mount a filesystem on a directory with the default file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_mounton_default',` + gen_require(` + type default_t; + ') + + allow $1 default_t:dir { search_dir_perms mounton }; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes of +## files with the default file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_getattr_default_files',` + gen_require(` + type default_t; + ') + + dontaudit $1 default_t:file getattr; +') + +######################################## +## <summary> +## Read files with the default file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_default_files',` + gen_require(` + type default_t; + ') + + allow $1 default_t:file read_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read files +## with the default file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`files_dontaudit_read_default_files',` + gen_require(` + type default_t; + ') + + dontaudit $1 default_t:file read_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete files with +## the default file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_default_files',` + gen_require(` + type default_t; + ') + + manage_files_pattern($1, default_t, default_t) +') + +######################################## +## <summary> +## Read symbolic links with the default file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_default_symlinks',` + gen_require(` + type default_t; + ') + + allow $1 default_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Read sockets with the default file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_default_sockets',` + gen_require(` + type default_t; + ') + + allow $1 default_t:sock_file read_sock_file_perms; +') + +######################################## +## <summary> +## Read named pipes with the default file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_default_pipes',` + gen_require(` + type default_t; + ') + + allow $1 default_t:fifo_file read_fifo_file_perms; +') + +######################################## +## <summary> +## Search the contents of /etc directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_search_etc',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Set the attributes of the /etc directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_setattr_etc_dirs',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:dir setattr; +') + +######################################## +## <summary> +## List the contents of /etc directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_list_etc',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to write to /etc dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_write_etc_dirs',` + gen_require(` + type etc_t; + ') + + dontaudit $1 etc_t:dir write; +') + +######################################## +## <summary> +## Add and remove entries from /etc directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_rw_etc_dirs',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:dir rw_dir_perms; +') + +########################################## +## <summary> +## Manage generic directories in /etc +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## +# +interface(`files_manage_etc_dirs',` + gen_require(` + type etc_t; + ') + + manage_dirs_pattern($1, etc_t, etc_t) +') + +######################################## +## <summary> +## Read generic files in /etc. +## </summary> +## <desc> +## <p> +## Allow the specified domain to read generic +## files in /etc. 
These files are typically +## general system configuration files that do +## not have more specific SELinux types. Some +## examples of these files are: +## </p> +## <ul> +## <li>/etc/fstab</li> +## <li>/etc/passwd</li> +## <li>/etc/services</li> +## <li>/etc/shells</li> +## </ul> +## <p> +## This interface does not include access to /etc/shadow. +## </p> +## <p> +## Generally, it is safe for many domains to have +## this access. However, since this interface provides +## access to the /etc/passwd file, caution must be +## exercised, as user account names can be leaked +## through this access. +## </p> +## <p> +## Related interfaces: +## </p> +## <ul> +## <li>auth_read_shadow()</li> +## <li>files_read_etc_runtime_files()</li> +## <li>seutil_read_config()</li> +## </ul> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`files_read_etc_files',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1, etc_t, etc_t) + read_lnk_files_pattern($1, etc_t, etc_t) +') + +######################################## +## <summary> +## Do not audit attempts to write generic files in /etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_dontaudit_write_etc_files',` + gen_require(` + type etc_t; + ') + + dontaudit $1 etc_t:file write; +') + +######################################## +## <summary> +## Read and write generic files in /etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`files_rw_etc_files',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:dir list_dir_perms; + rw_files_pattern($1, etc_t, etc_t) + read_lnk_files_pattern($1, etc_t, etc_t) +') + +######################################## +## <summary> +## Create, read, write, and delete generic +## files in /etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_manage_etc_files',` + gen_require(` + type etc_t; + ') + + manage_files_pattern($1, etc_t, etc_t) + read_lnk_files_pattern($1, etc_t, etc_t) +') + +######################################## +## <summary> +## Delete system configuration files in /etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_etc_files',` + gen_require(` + type etc_t; + ') + + delete_files_pattern($1, etc_t, etc_t) +') + +######################################## +## <summary> +## Remove entries from the etc directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_etc_dir_entry',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:dir del_entry_dir_perms; +') + +######################################## +## <summary> +## Execute generic files in /etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_exec_etc_files',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:dir list_dir_perms; + read_lnk_files_pattern($1, etc_t, etc_t) + exec_files_pattern($1, etc_t, etc_t) +') + +####################################### +## <summary> +## Relabel from and to generic files in /etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_relabel_etc_files',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:dir list_dir_perms; + relabel_files_pattern($1, etc_t, etc_t) +') + +######################################## +## <summary> +## Read symbolic links in /etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_etc_symlinks',` + gen_require(` + type etc_t; + ') + + read_lnk_files_pattern($1, etc_t, etc_t) +') + +######################################## +## <summary> +## Create, read, write, and delete symbolic links in /etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_etc_symlinks',` + gen_require(` + type etc_t; + ') + + manage_lnk_files_pattern($1, etc_t, etc_t) +') + +######################################## +## <summary> +## Create objects in /etc with a private +## type using a type_transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="file_type"> +## <summary> +## Private file type. +## </summary> +## </param> +## <param name="class"> +## <summary> +## Object classes to be created. +## </summary> +## </param> +# +interface(`files_etc_filetrans',` + gen_require(` + type etc_t; + ') + + filetrans_pattern($1, etc_t, $2, $3) +') + +######################################## +## <summary> +## Create a boot flag. +## </summary> +## <desc> +## <p> +## Create a boot flag, such as +## /.autorelabel and /.autofsck. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`files_create_boot_flag',` + gen_require(` + type root_t, etc_runtime_t; + ') + + allow $1 etc_runtime_t:file manage_file_perms; + filetrans_pattern($1, root_t, etc_runtime_t, file) +') + +######################################## +## <summary> +## Read files in /etc that are dynamically +## created on boot, such as mtab. +## </summary> +## <desc> +## <p> +## Allow the specified domain to read dynamically created +## configuration files in /etc. These files are typically +## general system configuration files that do +## not have more specific SELinux types. Some +## examples of these files are: +## </p> +## <ul> +## <li>/etc/motd</li> +## <li>/etc/mtab</li> +## <li>/etc/nologin</li> +## </ul> +## <p> +## This interface does not include access to /etc/shadow. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="10" /> +## <rolecap/> +# +interface(`files_read_etc_runtime_files',` + gen_require(` + type etc_t, etc_runtime_t; + ') + + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1, etc_t, etc_runtime_t) + read_lnk_files_pattern($1, etc_t, etc_runtime_t) +') + +######################################## +## <summary> +## Do not audit attempts to read files +## in /etc that are dynamically +## created on boot, such as mtab. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_read_etc_runtime_files',` + gen_require(` + type etc_runtime_t; + ') + + dontaudit $1 etc_runtime_t:file { getattr read }; +') + +######################################## +## <summary> +## Read and write files in /etc that are dynamically +## created on boot, such as mtab. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`files_rw_etc_runtime_files',` + gen_require(` + type etc_t, etc_runtime_t; + ') + + allow $1 etc_t:dir list_dir_perms; + rw_files_pattern($1, etc_t, etc_runtime_t) +') + +######################################## +## <summary> +## Create, read, write, and delete files in +## /etc that are dynamically created on boot, +## such as mtab. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_manage_etc_runtime_files',` + gen_require(` + type etc_t, etc_runtime_t; + ') + + manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) +') + +######################################## +## <summary> +## Create, etc runtime objects with an automatic +## type transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object"> +## <summary> +## The class of the object being created. +## </summary> +## </param> +# +interface(`files_etc_filetrans_etc_runtime',` + gen_require(` + type etc_t, etc_runtime_t; + ') + + filetrans_pattern($1, etc_t, etc_runtime_t, $2) +') + +######################################## +## <summary> +## Getattr of directories on new filesystems +## that have not yet been labeled. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_isid_type_dirs',` + gen_require(` + type file_t; + ') + + allow $1 file_t:dir getattr; +') + +######################################## +## <summary> +## Do not audit attempts to search directories on new filesystems +## that have not yet been labeled. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`files_dontaudit_search_isid_type_dirs',` + gen_require(` + type file_t; + ') + + dontaudit $1 file_t:dir search_dir_perms; +') + +######################################## +## <summary> +## List the contents of directories on new filesystems +## that have not yet been labeled. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_list_isid_type_dirs',` + gen_require(` + type file_t; + ') + + allow $1 file_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Read and write directories on new filesystems +## that have not yet been labeled. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_rw_isid_type_dirs',` + gen_require(` + type file_t; + ') + + allow $1 file_t:dir rw_dir_perms; +') + +######################################## +## <summary> +## Delete directories on new filesystems +## that have not yet been labeled. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_isid_type_dirs',` + gen_require(` + type file_t; + ') + + delete_dirs_pattern($1, file_t, file_t) +') + +######################################## +## <summary> +## Create, read, write, and delete directories +## on new filesystems that have not yet been labeled. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_isid_type_dirs',` + gen_require(` + type file_t; + ') + + allow $1 file_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Mount a filesystem on a directory on new filesystems +## that has not yet been labeled. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_mounton_isid_type_dirs',` + gen_require(` + type file_t; + ') + + allow $1 file_t:dir { search_dir_perms mounton }; +') + +######################################## +## <summary> +## Read files on new filesystems +## that have not yet been labeled. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_isid_type_files',` + gen_require(` + type file_t; + ') + + allow $1 file_t:file read_file_perms; +') + +######################################## +## <summary> +## Delete files on new filesystems +## that have not yet been labeled. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_isid_type_files',` + gen_require(` + type file_t; + ') + + delete_files_pattern($1, file_t, file_t) +') + +######################################## +## <summary> +## Delete symbolic links on new filesystems +## that have not yet been labeled. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_isid_type_symlinks',` + gen_require(` + type file_t; + ') + + delete_lnk_files_pattern($1, file_t, file_t) +') + +######################################## +## <summary> +## Delete named pipes on new filesystems +## that have not yet been labeled. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_isid_type_fifo_files',` + gen_require(` + type file_t; + ') + + delete_fifo_files_pattern($1, file_t, file_t) +') + +######################################## +## <summary> +## Delete named sockets on new filesystems +## that have not yet been labeled. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_delete_isid_type_sock_files',` + gen_require(` + type file_t; + ') + + delete_sock_files_pattern($1, file_t, file_t) +') + +######################################## +## <summary> +## Delete block files on new filesystems +## that have not yet been labeled. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_isid_type_blk_files',` + gen_require(` + type file_t; + ') + + delete_blk_files_pattern($1, file_t, file_t) +') + +######################################## +## <summary> +## Do not audit attempts to write to character +## files that have not yet been labeled. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_write_isid_chr_files',` + gen_require(` + type file_t; + ') + + dontaudit $1 file_t:chr_file write; +') + +######################################## +## <summary> +## Delete chr files on new filesystems +## that have not yet been labeled. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_isid_type_chr_files',` + gen_require(` + type file_t; + ') + + delete_chr_files_pattern($1, file_t, file_t) +') + +######################################## +## <summary> +## Create, read, write, and delete files +## on new filesystems that have not yet been labeled. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_isid_type_files',` + gen_require(` + type file_t; + ') + + allow $1 file_t:file manage_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete symbolic links +## on new filesystems that have not yet been labeled. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_manage_isid_type_symlinks',` + gen_require(` + type file_t; + ') + + allow $1 file_t:lnk_file manage_lnk_file_perms; +') + +######################################## +## <summary> +## Read and write block device nodes on new filesystems +## that have not yet been labeled. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_rw_isid_type_blk_files',` + gen_require(` + type file_t; + ') + + allow $1 file_t:blk_file rw_blk_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete block device nodes +## on new filesystems that have not yet been labeled. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_isid_type_blk_files',` + gen_require(` + type file_t; + ') + + allow $1 file_t:blk_file manage_blk_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete character device nodes +## on new filesystems that have not yet been labeled. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_isid_type_chr_files',` + gen_require(` + type file_t; + ') + + allow $1 file_t:chr_file manage_chr_file_perms; +') + +######################################## +## <summary> +## Get the attributes of the home directories root +## (/home). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_home_dir',` + gen_require(` + type home_root_t; + ') + + allow $1 home_root_t:dir getattr; + allow $1 home_root_t:lnk_file getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the +## attributes of the home directories root +## (/home). 
+## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_getattr_home_dir',` + gen_require(` + type home_root_t; + ') + + dontaudit $1 home_root_t:dir getattr; + dontaudit $1 home_root_t:lnk_file getattr; +') + +######################################## +## <summary> +## Search home directories root (/home). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_search_home',` + gen_require(` + type home_root_t; + ') + + allow $1 home_root_t:dir search_dir_perms; + allow $1 home_root_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to search +## home directories root (/home). +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_search_home',` + gen_require(` + type home_root_t; + ') + + dontaudit $1 home_root_t:dir search_dir_perms; + dontaudit $1 home_root_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to list +## home directories root (/home). +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_list_home',` + gen_require(` + type home_root_t; + ') + + dontaudit $1 home_root_t:dir list_dir_perms; + dontaudit $1 home_root_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Get listing of home directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_list_home',` + gen_require(` + type home_root_t; + ') + + allow $1 home_root_t:dir list_dir_perms; + allow $1 home_root_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Relabel to user home root (/home). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_relabelto_home',` + gen_require(` + type home_root_t; + ') + + allow $1 home_root_t:dir relabelto; +') + +######################################## +## <summary> +## Create objects in /home. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="home_type"> +## <summary> +## The private type. +## </summary> +## </param> +## <param name="object"> +## <summary> +## The class of the object being created. +## </summary> +## </param> +# +interface(`files_home_filetrans',` + gen_require(` + type home_root_t; + ') + + filetrans_pattern($1, home_root_t, $2, $3) +') + +######################################## +## <summary> +## Get the attributes of lost+found directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_lost_found_dirs',` + gen_require(` + type lost_found_t; + ') + + allow $1 lost_found_t:dir getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes of +## lost+found directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_getattr_lost_found_dirs',` + gen_require(` + type lost_found_t; + ') + + dontaudit $1 lost_found_t:dir getattr; +') + +######################################## +## <summary> +## Create, read, write, and delete objects in +## lost+found directories. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_manage_lost_found',` + gen_require(` + type lost_found_t; + ') + + manage_dirs_pattern($1, lost_found_t, lost_found_t) + manage_files_pattern($1, lost_found_t, lost_found_t) + manage_lnk_files_pattern($1, lost_found_t, lost_found_t) + manage_fifo_files_pattern($1, lost_found_t, lost_found_t) + manage_sock_files_pattern($1, lost_found_t, lost_found_t) +') + +######################################## +## <summary> +## Search the contents of /mnt. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_search_mnt',` + gen_require(` + type mnt_t; + ') + + allow $1 mnt_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to search /mnt. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_search_mnt',` + gen_require(` + type mnt_t; + ') + + dontaudit $1 mnt_t:dir search_dir_perms; +') + +######################################## +## <summary> +## List the contents of /mnt. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_list_mnt',` + gen_require(` + type mnt_t; + ') + + allow $1 mnt_t:dir list_dir_perms; +') + +###################################### +## <summary> +## dontaudit List the contents of /mnt. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_dontaudit_list_mnt',` + gen_require(` + type mnt_t; + ') + + dontaudit $1 mnt_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Mount a filesystem on /mnt. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_mounton_mnt',` + gen_require(` + type mnt_t; + ') + + allow $1 mnt_t:dir { search_dir_perms mounton }; +') + +######################################## +## <summary> +## Create, read, write, and delete directories in /mnt. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_manage_mnt_dirs',` + gen_require(` + type mnt_t; + ') + + allow $1 mnt_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete files in /mnt. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_mnt_files',` + gen_require(` + type mnt_t; + ') + + manage_files_pattern($1, mnt_t, mnt_t) +') + +######################################## +## <summary> +## read files in /mnt. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_mnt_files',` + gen_require(` + type mnt_t; + ') + + read_files_pattern($1, mnt_t, mnt_t) +') + +###################################### +## <summary> +## Read symbolic links in /mnt. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_mnt_symlinks',` + gen_require(` + type mnt_t; + ') + + read_lnk_files_pattern($1, mnt_t, mnt_t) +') + +######################################## +## <summary> +## Create, read, write, and delete symbolic links in /mnt. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_mnt_symlinks',` + gen_require(` + type mnt_t; + ') + + manage_lnk_files_pattern($1, mnt_t, mnt_t) +') + +######################################## +## <summary> +## Search the contents of the kernel module directories. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_search_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + allow $1 modules_object_t:dir search_dir_perms; + read_lnk_files_pattern($1, modules_object_t, modules_object_t) +') + +######################################## +## <summary> +## List the contents of the kernel module directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_list_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + allow $1 modules_object_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Get the attributes of kernel module files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + getattr_files_pattern($1, modules_object_t, modules_object_t) +') + +######################################## +## <summary> +## Read kernel module files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + allow $1 modules_object_t:dir list_dir_perms; + read_files_pattern($1, modules_object_t, modules_object_t) + read_lnk_files_pattern($1, modules_object_t, modules_object_t) +') + +######################################## +## <summary> +## Write kernel module files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_write_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + allow $1 modules_object_t:dir list_dir_perms; + write_files_pattern($1, modules_object_t, modules_object_t) +') + +######################################## +## <summary> +## Delete kernel module files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + delete_files_pattern($1, modules_object_t, modules_object_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## kernel module files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_manage_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + manage_files_pattern($1, modules_object_t, modules_object_t) +') + +######################################## +## <summary> +## Relabel from and to kernel module files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_relabel_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + relabel_files_pattern($1, modules_object_t, modules_object_t) + allow $1 modules_object_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Create objects in the kernel module directories +## with a private type via an automatic type transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="private_type"> +## <summary> +## The type of the object to be created. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## The object class of the object being created. 
+## </summary> +## </param> +# +interface(`files_kernel_modules_filetrans',` + gen_require(` + type modules_object_t; + ') + + filetrans_pattern($1, modules_object_t, $2, $3) +') + +######################################## +## <summary> +## List world-readable directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_list_world_readable',` + gen_require(` + type readable_t; + ') + + allow $1 readable_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Read world-readable files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_read_world_readable_files',` + gen_require(` + type readable_t; + ') + + allow $1 readable_t:file read_file_perms; +') + +######################################## +## <summary> +## Read world-readable symbolic links. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_read_world_readable_symlinks',` + gen_require(` + type readable_t; + ') + + allow $1 readable_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Read world-readable named pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_world_readable_pipes',` + gen_require(` + type readable_t; + ') + + allow $1 readable_t:fifo_file read_fifo_file_perms; +') + +######################################## +## <summary> +## Read world-readable sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_read_world_readable_sockets',` + gen_require(` + type readable_t; + ') + + allow $1 readable_t:sock_file read_sock_file_perms; +') + +####################################### +## <summary> +## Read manageable system configuration files in /etc +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_read_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') + + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1, etc_t, system_conf_t) + read_lnk_files_pattern($1, etc_t, system_conf_t) +') + +###################################### +## <summary> +## Manage manageable system configuration files in /etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') + + manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t) +') + +###################################### +## <summary> +## Relabel manageable system configuration files in /etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_relabelto_system_conf_files',` + gen_require(` + type usr_t; + ') + + relabelto_files_pattern($1, system_conf_t, system_conf_t) +') + +###################################### +## <summary> +## Relabel manageable system configuration files in /etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_relabelfrom_system_conf_files',` + gen_require(` + type usr_t; + ') + + relabelfrom_files_pattern($1, system_conf_t, system_conf_t) +') + +################################### +## <summary> +## Create files in /etc with the type used for +## the manageable system config files. 
+## </summary> +## <param name="domain"> +## <summary> +## The type of the process performing this action. +## </summary> +## </param> +# +interface(`files_etc_filetrans_system_conf',` + gen_require(` + type etc_t, system_conf_t; + ') + + filetrans_pattern($1, etc_t, system_conf_t, file) +') + +######################################## +## <summary> +## Allow the specified type to associate +## to a filesystem with the type of the +## temporary directory (/tmp). +## </summary> +## <param name="file_type"> +## <summary> +## Type of the file to associate. +## </summary> +## </param> +# +interface(`files_associate_tmp',` + gen_require(` + type tmp_t; + ') + + allow $1 tmp_t:filesystem associate; +') + +######################################## +## <summary> +## Get the attributes of the tmp directory (/tmp). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_tmp_dirs',` + gen_require(` + type tmp_t; + ') + + allow $1 tmp_t:dir getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the +## attributes of the tmp directory (/tmp). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_dontaudit_getattr_tmp_dirs',` + gen_require(` + type tmp_t; + ') + + dontaudit $1 tmp_t:dir getattr; +') + +######################################## +## <summary> +## Search the tmp directory (/tmp). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_search_tmp',` + gen_require(` + type tmp_t; + ') + + allow $1 tmp_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to search the tmp directory (/tmp). +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`files_dontaudit_search_tmp',` + gen_require(` + type tmp_t; + ') + + dontaudit $1 tmp_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Read the tmp directory (/tmp). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_list_tmp',` + gen_require(` + type tmp_t; + ') + + allow $1 tmp_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Do not audit listing of the tmp directory (/tmp). +## </summary> +## <param name="domain"> +## <summary> +## Domain not to audit. +## </summary> +## </param> +# +interface(`files_dontaudit_list_tmp',` + gen_require(` + type tmp_t; + ') + + dontaudit $1 tmp_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Remove entries from the tmp directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_tmp_dir_entry',` + gen_require(` + type tmp_t; + ') + + allow $1 tmp_t:dir del_entry_dir_perms; +') + +######################################## +## <summary> +## Read files in the tmp directory (/tmp). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_generic_tmp_files',` + gen_require(` + type tmp_t; + ') + + read_files_pattern($1, tmp_t, tmp_t) +') + +######################################## +## <summary> +## Manage temporary directories in /tmp. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_generic_tmp_dirs',` + gen_require(` + type tmp_t; + ') + + manage_dirs_pattern($1, tmp_t, tmp_t) +') + +######################################## +## <summary> +## Allow shared library text relocations in tmp files. 
+## </summary> +## <desc> +## <p> +## Allow shared library text relocations in tmp files. +## </p> +## <p> +## This is added to support java policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_execmod_tmp',` + gen_require(` + attribute tmpfile; + ') + + allow $1 tmpfile:file execmod; +') + +######################################## +## <summary> +## Manage temporary files and directories in /tmp. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_generic_tmp_files',` + gen_require(` + type tmp_t; + ') + + manage_files_pattern($1, tmp_t, tmp_t) +') + +######################################## +## <summary> +## Read symbolic links in the tmp directory (/tmp). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_generic_tmp_symlinks',` + gen_require(` + type tmp_t; + ') + + read_lnk_files_pattern($1, tmp_t, tmp_t) +') + +######################################## +## <summary> +## Read and write generic named sockets in the tmp directory (/tmp). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_rw_generic_tmp_sockets',` + gen_require(` + type tmp_t; + ') + + rw_sock_files_pattern($1, tmp_t, tmp_t) +') + +######################################## +## <summary> +## Set the attributes of all tmp directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_setattr_all_tmp_dirs',` + gen_require(` + attribute tmpfile; + ') + + allow $1 tmpfile:dir { search_dir_perms setattr }; +') + +######################################## +## <summary> +## List all tmp directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_list_all_tmp',` + gen_require(` + attribute tmpfile; + ') + + allow $1 tmpfile:dir list_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of all tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain not to audit. +## </summary> +## </param> +# +interface(`files_dontaudit_getattr_all_tmp_files',` + gen_require(` + attribute tmpfile; + ') + + dontaudit $1 tmpfile:file getattr; +') + +######################################## +## <summary> +## Allow attempts to get the attributes +## of all tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_all_tmp_files',` + gen_require(` + attribute tmpfile; + ') + + allow $1 tmpfile:file getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of all tmp sock_file. +## </summary> +## <param name="domain"> +## <summary> +## Domain not to audit. +## </summary> +## </param> +# +interface(`files_dontaudit_getattr_all_tmp_sockets',` + gen_require(` + attribute tmpfile; + ') + + dontaudit $1 tmpfile:sock_file getattr; +') + +######################################## +## <summary> +## Read all tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_all_tmp_files',` + gen_require(` + attribute tmpfile; + ') + + read_files_pattern($1, tmpfile, tmpfile) +') + +######################################## +## <summary> +## Create an object in the tmp directories, with a private +## type using a type transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="private type"> +## <summary> +## The type of the object to be created. 
+## </summary> +## </param> +## <param name="object"> +## <summary> +## The object class of the object being created. +## </summary> +## </param> +# +interface(`files_tmp_filetrans',` + gen_require(` + type tmp_t; + ') + + filetrans_pattern($1, tmp_t, $2, $3) +') + +######################################## +## <summary> +## Delete the contents of /tmp. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_purge_tmp',` + gen_require(` + attribute tmpfile; + ') + + allow $1 tmpfile:dir list_dir_perms; + delete_dirs_pattern($1, tmpfile, tmpfile) + delete_files_pattern($1, tmpfile, tmpfile) + delete_lnk_files_pattern($1, tmpfile, tmpfile) + delete_fifo_files_pattern($1, tmpfile, tmpfile) + delete_sock_files_pattern($1, tmpfile, tmpfile) + files_delete_isid_type_dirs($1) + files_delete_isid_type_files($1) + files_delete_isid_type_symlinks($1) + files_delete_isid_type_fifo_files($1) + files_delete_isid_type_sock_files($1) + files_delete_isid_type_blk_files($1) + files_delete_isid_type_chr_files($1) +') + +######################################## +## <summary> +## Set the attributes of the /usr directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_setattr_usr_dirs',` + gen_require(` + type usr_t; + ') + + allow $1 usr_t:dir setattr; +') + +######################################## +## <summary> +## Search the content of /etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_search_usr',` + gen_require(` + type usr_t; + ') + + allow $1 usr_t:dir search_dir_perms; +') + +######################################## +## <summary> +## List the contents of generic +## directories in /usr. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_list_usr',` + gen_require(` + type usr_t; + ') + + allow $1 usr_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Do not audit write of /usr dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_write_usr_dirs',` + gen_require(` + type usr_t; + ') + + dontaudit $1 usr_t:dir write; +') + +######################################## +## <summary> +## Add and remove entries from /usr directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_rw_usr_dirs',` + gen_require(` + type usr_t; + ') + + allow $1 usr_t:dir rw_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to add and remove +## entries from /usr directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_rw_usr_dirs',` + gen_require(` + type usr_t; + ') + + dontaudit $1 usr_t:dir rw_dir_perms; +') + +######################################## +## <summary> +## Delete generic directories in /usr in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_usr_dirs',` + gen_require(` + type usr_t; + ') + + delete_dirs_pattern($1, usr_t, usr_t) +') + +######################################## +## <summary> +## Delete generic files in /usr in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_usr_files',` + gen_require(` + type usr_t; + ') + + delete_files_pattern($1, usr_t, usr_t) +') + +######################################## +## <summary> +## Get the attributes of files in /usr. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_usr_files',` + gen_require(` + type usr_t; + ') + + getattr_files_pattern($1, usr_t, usr_t) +') + +######################################## +## <summary> +## Read generic files in /usr. +## </summary> +## <desc> +## <p> +## Allow the specified domain to read generic +## files in /usr. These files are various program +## files that do not have more specific SELinux types. +## Some examples of these files are: +## </p> +## <ul> +## <li>/usr/include/*</li> +## <li>/usr/share/doc/*</li> +## <li>/usr/share/info/*</li> +## </ul> +## <p> +## Generally, it is safe for many domains to have +## this access. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`files_read_usr_files',` + gen_require(` + type usr_t; + ') + + allow $1 usr_t:dir list_dir_perms; + read_files_pattern($1, usr_t, usr_t) + read_lnk_files_pattern($1, usr_t, usr_t) +') + +######################################## +## <summary> +## Execute generic programs in /usr in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_exec_usr_files',` + gen_require(` + type usr_t; + ') + + allow $1 usr_t:dir list_dir_perms; + exec_files_pattern($1, usr_t, usr_t) + read_lnk_files_pattern($1, usr_t, usr_t) +') + +######################################## +## <summary> +## dontaudit write of /usr files +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_write_usr_files',` + gen_require(` + type usr_t; + ') + + dontaudit $1 usr_t:file write; +') + +######################################## +## <summary> +## Create, read, write, and delete files in the /usr directory. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_usr_files',` + gen_require(` + type usr_t; + ') + + manage_files_pattern($1, usr_t, usr_t) +') + +######################################## +## <summary> +## Relabel a file to the type used in /usr. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_relabelto_usr_files',` + gen_require(` + type usr_t; + ') + + relabelto_files_pattern($1, usr_t, usr_t) +') + +######################################## +## <summary> +## Relabel a file from the type used in /usr. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_relabelfrom_usr_files',` + gen_require(` + type usr_t; + ') + + relabelfrom_files_pattern($1, usr_t, usr_t) +') + +######################################## +## <summary> +## Read symbolic links in /usr. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_usr_symlinks',` + gen_require(` + type usr_t; + ') + + read_lnk_files_pattern($1, usr_t, usr_t) +') + +######################################## +## <summary> +## Create objects in the /usr directory +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="file_type"> +## <summary> +## The type of the object to be created +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## The object class. +## </summary> +## </param> +# +interface(`files_usr_filetrans',` + gen_require(` + type usr_t; + ') + + filetrans_pattern($1, usr_t, $2, $3) +') + +######################################## +## <summary> +## Do not audit attempts to search /usr/src. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`files_dontaudit_search_src',` + gen_require(` + type src_t; + ') + + dontaudit $1 src_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Get the attributes of files in /usr/src. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_usr_src_files',` + gen_require(` + type usr_t, src_t; + ') + + getattr_files_pattern($1, src_t, src_t) + + # /usr/src/linux symlink: + read_lnk_files_pattern($1, usr_t, src_t) +') + +######################################## +## <summary> +## Read files in /usr/src. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_usr_src_files',` + gen_require(` + type usr_t, src_t; + ') + + allow $1 usr_t:dir search_dir_perms; + read_files_pattern($1, { usr_t src_t }, src_t) + read_lnk_files_pattern($1, { usr_t src_t }, src_t) + allow $1 src_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Execute programs in /usr/src in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_exec_usr_src_files',` + gen_require(` + type usr_t, src_t; + ') + + list_dirs_pattern($1, usr_t, src_t) + exec_files_pattern($1, src_t, src_t) + read_lnk_files_pattern($1, src_t, src_t) +') + +######################################## +## <summary> +## Install a system.map into the /boot directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_create_kernel_symbol_table',` + gen_require(` + type boot_t, system_map_t; + ') + + allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; + allow $1 system_map_t:file { create_file_perms rw_file_perms }; +') + +######################################## +## <summary> +## Read system.map in the /boot directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_kernel_symbol_table',` + gen_require(` + type boot_t, system_map_t; + ') + + allow $1 boot_t:dir list_dir_perms; + read_files_pattern($1, boot_t, system_map_t) +') + +######################################## +## <summary> +## Delete a system.map in the /boot directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_kernel_symbol_table',` + gen_require(` + type boot_t, system_map_t; + ') + + allow $1 boot_t:dir list_dir_perms; + delete_files_pattern($1, boot_t, system_map_t) +') + +######################################## +## <summary> +## Search the contents of /var. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_search_var',` + gen_require(` + type var_t; + ') + + allow $1 var_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to write to /var. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_write_var_dirs',` + gen_require(` + type var_t; + ') + + dontaudit $1 var_t:dir write; +') + +######################################## +## <summary> +## Allow attempts to write to /var.dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_write_var_dirs',` + gen_require(` + type var_t; + ') + + allow $1 var_t:dir write; +') + +######################################## +## <summary> +## Do not audit attempts to search +## the contents of /var. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_search_var',` + gen_require(` + type var_t; + ') + + dontaudit $1 var_t:dir search_dir_perms; +') + +######################################## +## <summary> +## List the contents of /var. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_list_var',` + gen_require(` + type var_t; + ') + + allow $1 var_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete directories +## in the /var directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_var_dirs',` + gen_require(` + type var_t; + ') + + allow $1 var_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Read files in the /var directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_var_files',` + gen_require(` + type var_t; + ') + + read_files_pattern($1, var_t, var_t) +') + +######################################## +## <summary> +## Append files in the /var directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_append_var_files',` + gen_require(` + type var_t; + ') + + append_files_pattern($1, var_t, var_t) +') + +######################################## +## <summary> +## Read and write files in the /var directory. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_rw_var_files',` + gen_require(` + type var_t; + ') + + rw_files_pattern($1, var_t, var_t) +') + +######################################## +## <summary> +## Do not audit attempts to read and write +## files in the /var directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_rw_var_files',` + gen_require(` + type var_t; + ') + + dontaudit $1 var_t:file rw_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete files in the /var directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_var_files',` + gen_require(` + type var_t; + ') + + manage_files_pattern($1, var_t, var_t) +') + +######################################## +## <summary> +## Read symbolic links in the /var directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_var_symlinks',` + gen_require(` + type var_t; + ') + + read_lnk_files_pattern($1, var_t, var_t) +') + +######################################## +## <summary> +## Create, read, write, and delete symbolic +## links in the /var directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_var_symlinks',` + gen_require(` + type var_t; + ') + + manage_lnk_files_pattern($1, var_t, var_t) +') + +######################################## +## <summary> +## Create objects in the /var directory +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <param name="file_type"> +## <summary> +## The type of the object to be created +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## The object class. +## </summary> +## </param> +# +interface(`files_var_filetrans',` + gen_require(` + type var_t; + ') + + filetrans_pattern($1, var_t, $2, $3) +') + +######################################## +## <summary> +## Get the attributes of the /var/lib directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_var_lib_dirs',` + gen_require(` + type var_t, var_lib_t; + ') + + getattr_dirs_pattern($1, var_t, var_lib_t) +') + +######################################## +## <summary> +## Search the /var/lib directory. +## </summary> +## <desc> +## <p> +## Search the /var/lib directory. This is +## necessary to access files or directories under +## /var/lib that have a private type. For example, a +## domain accessing a private library file in the +## /var/lib directory: +## </p> +## <p> +## allow mydomain_t mylibfile_t:file read_file_perms; +## files_search_var_lib(mydomain_t) +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="5"/> +# +interface(`files_search_var_lib',` + gen_require(` + type var_t, var_lib_t; + ') + + search_dirs_pattern($1, var_t, var_lib_t) +') + +######################################## +## <summary> +## Do not audit attempts to search the +## contents of /var/lib. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +## <infoflow type="read" weight="5"/> +# +interface(`files_dontaudit_search_var_lib',` + gen_require(` + type var_lib_t; + ') + + dontaudit $1 var_lib_t:dir search_dir_perms; +') + +######################################## +## <summary> +## List the contents of the /var/lib directory. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_list_var_lib',` + gen_require(` + type var_t, var_lib_t; + ') + + list_dirs_pattern($1, var_t, var_lib_t) +') + +########################################### +## <summary> +## Read-write /var/lib directories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_rw_var_lib_dirs',` + gen_require(` + type var_lib_t; + ') + + rw_dirs_pattern($1, var_lib_t, var_lib_t) +') + +######################################## +## <summary> +## Create objects in the /var/lib directory +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="file_type"> +## <summary> +## The type of the object to be created +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## The object class. +## </summary> +## </param> +# +interface(`files_var_lib_filetrans',` + gen_require(` + type var_t, var_lib_t; + ') + + allow $1 var_t:dir search_dir_perms; + filetrans_pattern($1, var_lib_t, $2, $3) +') + +######################################## +## <summary> +## Read generic files in /var/lib. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_var_lib_files',` + gen_require(` + type var_t, var_lib_t; + ') + + allow $1 var_lib_t:dir list_dir_perms; + read_files_pattern($1, { var_t var_lib_t }, var_lib_t) +') + +######################################## +## <summary> +## Read generic symbolic links in /var/lib +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_read_var_lib_symlinks',` + gen_require(` + type var_t, var_lib_t; + ') + + read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) +') + +# cjp: the next two interfaces really need to be fixed +# in some way. They really neeed their own types. + +######################################## +## <summary> +## Create, read, write, and delete the +## pseudorandom number generator seed. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_urandom_seed',` + gen_require(` + type var_t, var_lib_t; + ') + + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1, var_lib_t, var_lib_t) +') + +######################################## +## <summary> +## Allow domain to manage mount tables +## necessary for rpcd, nfsd, etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_mounttab',` + gen_require(` + type var_t, var_lib_t; + ') + + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1, var_lib_t, var_lib_t) +') + +######################################## +## <summary> +## List generic lock directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_list_locks',` + gen_require(` + type var_t, var_lock_t; + ') + + list_dirs_pattern($1, var_t, var_lock_t) +') + +######################################## +## <summary> +## Search the locks directory (/var/lock). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_search_locks',` + gen_require(` + type var_t, var_lock_t; + ') + + search_dirs_pattern($1, var_t, var_lock_t) +') + +######################################## +## <summary> +## Do not audit attempts to search the +## locks directory (/var/lock). 
+## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_search_locks',` + gen_require(` + type var_lock_t; + ') + + dontaudit $1 var_lock_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Add and remove entries in the /var/lock +## directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_rw_lock_dirs',` + gen_require(` + type var_t, var_lock_t; + ') + + rw_dirs_pattern($1, var_t, var_lock_t) +') + +######################################## +## <summary> +## Get the attributes of generic lock files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_generic_locks',` + gen_require(` + type var_t, var_lock_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_lock_t:dir list_dir_perms; + getattr_files_pattern($1, var_lock_t, var_lock_t) +') + +######################################## +## <summary> +## Delete generic lock files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_generic_locks',` + gen_require(` + type var_t, var_lock_t; + ') + + allow $1 var_t:dir search_dir_perms; + delete_files_pattern($1, var_lock_t, var_lock_t) +') + +######################################## +## <summary> +## Create, read, write, and delete generic +## lock files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_generic_locks',` + gen_require(` + type var_t, var_lock_t; + ') + + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1, var_lock_t, var_lock_t) +') + +######################################## +## <summary> +## Delete all lock files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_delete_all_locks',` + gen_require(` + attribute lockfile; + type var_t; + ') + + allow $1 var_t:dir search_dir_perms; + delete_files_pattern($1, lockfile, lockfile) +') + +######################################## +## <summary> +## Read all lock files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_all_locks',` + gen_require(` + attribute lockfile; + type var_t, var_lock_t; + ') + + allow $1 { var_t var_lock_t }:dir search_dir_perms; + allow $1 lockfile:dir list_dir_perms; + read_files_pattern($1, lockfile, lockfile) + read_lnk_files_pattern($1, lockfile, lockfile) +') + +######################################## +## <summary> +## manage all lock files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_all_locks',` + gen_require(` + attribute lockfile; + type var_t, var_lock_t; + ') + + allow $1 { var_t var_lock_t }:dir search_dir_perms; + manage_dirs_pattern($1, lockfile, lockfile) + manage_files_pattern($1, lockfile, lockfile) + manage_lnk_files_pattern($1, lockfile, lockfile) +') + +######################################## +## <summary> +## Create an object in the locks directory, with a private +## type using a type transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="private type"> +## <summary> +## The type of the object to be created. +## </summary> +## </param> +## <param name="object"> +## <summary> +## The object class of the object being created. 
+## </summary> +## </param> +# +interface(`files_lock_filetrans',` + gen_require(` + type var_t, var_lock_t; + ') + + allow $1 var_t:dir search_dir_perms; + filetrans_pattern($1, var_lock_t, $2, $3) +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of the /var/run directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_getattr_pid_dirs',` + gen_require(` + type var_run_t; + ') + + dontaudit $1 var_run_t:dir getattr; +') + +######################################## +## <summary> +## Set the attributes of the /var/run directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_setattr_pid_dirs',` + gen_require(` + type var_run_t; + ') + + allow $1 var_run_t:dir setattr; +') + +######################################## +## <summary> +## Search the contents of runtime process +## ID directories (/var/run). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_search_pids',` + gen_require(` + type var_t, var_run_t; + ') + + search_dirs_pattern($1, var_t, var_run_t) +') + +###################################### +## <summary> +## Add and remove entries from pid directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_rw_pid_dirs',` + gen_require(` + type var_run_t; + ') + + allow $1 var_run_t:dir rw_dir_perms; +') + +####################################### +## <summary> +## Create generic pid directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_create_var_run_dirs',` + gen_require(` + type var_t, var_run_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:dir create_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to search +## the /var/run directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_search_pids',` + gen_require(` + type var_run_t; + ') + + dontaudit $1 var_run_t:dir search_dir_perms; +') + +######################################## +## <summary> +## List the contents of the runtime process +## ID directories (/var/run). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_list_pids',` + gen_require(` + type var_t, var_run_t; + ') + + list_dirs_pattern($1, var_t, var_run_t) +') + +######################################## +## <summary> +## Read generic process ID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_generic_pids',` + gen_require(` + type var_t, var_run_t; + ') + + list_dirs_pattern($1, var_t, var_run_t) + read_files_pattern($1, var_run_t, var_run_t) +') + +######################################## +## <summary> +## Write named generic process ID pipes +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_write_generic_pid_pipes',` + gen_require(` + type var_run_t; + ') + + allow $1 var_run_t:fifo_file write; +') + +######################################## +## <summary> +## Create an object in the process ID directory, with a private type. +## </summary> +## <desc> +## <p> +## Create an object in the process ID directory (e.g., /var/run) +## with a private type. 
Typically this is used for creating +## private PID files in /var/run with the private type instead +## of the general PID file type. To accomplish this goal, +## either the program must be SELinux-aware, or use this interface. +## </p> +## <p> +## Related interfaces: +## </p> +## <ul> +## <li>files_pid_file()</li> +## </ul> +## <p> +## Example usage with a domain that can create and +## write its PID file with a private PID file type in the +## /var/run directory: +## </p> +## <p> +## type mypidfile_t; +## files_pid_file(mypidfile_t) +## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; +## files_pid_filetrans(mydomain_t, mypidfile_t, file) +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="private type"> +## <summary> +## The type of the object to be created. +## </summary> +## </param> +## <param name="object"> +## <summary> +## The object class of the object being created. +## </summary> +## </param> +## <infoflow type="write" weight="10"/> +# +interface(`files_pid_filetrans',` + gen_require(` + type var_t, var_run_t; + ') + + allow $1 var_t:dir search_dir_perms; + filetrans_pattern($1, var_run_t, $2, $3) +') + +######################################## +## <summary> +## Read and write generic process ID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_rw_generic_pids',` + gen_require(` + type var_t, var_run_t; + ') + + list_dirs_pattern($1, var_t, var_run_t) + rw_files_pattern($1, var_run_t, var_run_t) +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes of +## daemon runtime data files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`files_dontaudit_getattr_all_pids',` + gen_require(` + attribute pidfile; + ') + + dontaudit $1 pidfile:file getattr; +') + +######################################## +## <summary> +## Do not audit attempts to write to daemon runtime data files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_write_all_pids',` + gen_require(` + attribute pidfile; + ') + + dontaudit $1 pidfile:file write; +') + +######################################## +## <summary> +## Do not audit attempts to ioctl daemon runtime data files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_ioctl_all_pids',` + gen_require(` + attribute pidfile; + ') + + dontaudit $1 pidfile:file ioctl; +') + +######################################## +## <summary> +## manage all pidfile directories +## in the /var/run directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_all_pids_dirs',` + gen_require(` + attribute pidfile; + ') + + manage_dirs_pattern($1,pidfile,pidfile) +') + + +######################################## +## <summary> +## Read all process ID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_read_all_pids',` + gen_require(` + attribute pidfile; + type var_t; + ') + + list_dirs_pattern($1, var_t, pidfile) + read_files_pattern($1, pidfile, pidfile) + read_lnk_files_pattern($1, pidfile, pidfile) +') + +######################################## +## <summary> +## Mount filesystems on all polyinstantiation +## member directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_mounton_all_poly_members',` + gen_require(` + attribute polymember; + ') + + allow $1 polymember:dir mounton; +') + +######################################## +## <summary> +## Delete all process IDs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_delete_all_pids',` + gen_require(` + attribute pidfile; + type var_t, var_run_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:dir rmdir; + allow $1 var_run_t:lnk_file delete_lnk_file_perms; + delete_files_pattern($1, pidfile, pidfile) + delete_fifo_files_pattern($1, pidfile, pidfile) + delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) +') + +######################################## +## <summary> +## Delete all process ID directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_delete_all_pid_dirs',` + gen_require(` + attribute pidfile; + type var_t; + ') + + allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1, pidfile, pidfile) +') + +######################################## +## <summary> +## Search the contents of generic spool +## directories (/var/spool). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_search_spool',` + gen_require(` + type var_t, var_spool_t; + ') + + search_dirs_pattern($1, var_t, var_spool_t) +') + +######################################## +## <summary> +## Do not audit attempts to search generic +## spool directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`files_dontaudit_search_spool',` + gen_require(` + type var_spool_t; + ') + + dontaudit $1 var_spool_t:dir search_dir_perms; +') + +######################################## +## <summary> +## List the contents of generic spool +## (/var/spool) directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_list_spool',` + gen_require(` + type var_t, var_spool_t; + ') + + list_dirs_pattern($1, var_t, var_spool_t) +') + +######################################## +## <summary> +## Create, read, write, and delete generic +## spool directories (/var/spool). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_generic_spool_dirs',` + gen_require(` + type var_t, var_spool_t; + ') + + allow $1 var_t:dir search_dir_perms; + manage_dirs_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## <summary> +## Read generic spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_generic_spool',` + gen_require(` + type var_t, var_spool_t; + ') + + list_dirs_pattern($1, var_t, var_spool_t) + read_files_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## <summary> +## Create, read, write, and delete generic +## spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_generic_spool',` + gen_require(` + type var_t, var_spool_t; + ') + + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## <summary> +## Create objects in the spool directory +## with a private type with a type transition. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="file"> +## <summary> +## Type to which the created node will be transitioned. +## </summary> +## </param> +## <param name="class"> +## <summary> +## Object class(es) (single or set including {}) for which this +## the transition will occur. +## </summary> +## </param> +# +interface(`files_spool_filetrans',` + gen_require(` + type var_t, var_spool_t; + ') + + allow $1 var_t:dir search_dir_perms; + filetrans_pattern($1, var_spool_t, $2, $3) +') + +######################################## +## <summary> +## Allow access to manage all polyinstantiated +## directories on the system. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_polyinstantiate_all',` + gen_require(` + attribute polydir, polymember, polyparent; + type poly_t; + ') + + # Need to give access to /selinux/member + selinux_compute_member($1) + + # Need sys_admin capability for mounting + allow $1 self:capability { chown fsetid sys_admin fowner }; + + # Need to give access to the directories to be polyinstantiated + allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; + + # Need to give access to the polyinstantiated subdirectories + allow $1 polymember:dir search_dir_perms; + + # Need to give access to parent directories where original + # is remounted for polyinstantiation aware programs (like gdm) + allow $1 polyparent:dir { getattr mounton }; + + # Need to give permission to create directories where applicable + allow $1 self:process setfscreate; + allow $1 polymember: dir { create setattr relabelto }; + allow $1 polydir: dir { write add_name open }; + allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; + + # Default type for mountpoints + allow $1 poly_t:dir { create mounton }; + fs_unmount_xattr_fs($1) + + fs_mount_tmpfs($1) 
+ fs_unmount_tmpfs($1) + + ifdef(`distro_redhat',` + # namespace.init + files_search_tmp($1) + files_search_home($1) + corecmd_exec_bin($1) + seutil_domtrans_setfiles($1) + ') +') + +######################################## +## <summary> +## Unconfined access to files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_unconfined',` + gen_require(` + attribute files_unconfined_type; + ') + + typeattribute $1 files_unconfined_type; +') + +######################################## +## <summary> +## Create a core files in / +## </summary> +## <desc> +## <p> +## Create a core file in /, +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_manage_root_files',` + gen_require(` + type root_t; + ') + + manage_files_pattern($1, root_t, root_t) +') + +######################################## +## <summary> +## Create a default directory +## </summary> +## <desc> +## <p> +## Create a default_t direcrory +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_create_default_dir',` + gen_require(` + type default_t; + ') + + allow $1 default_t:dir create; +') + +######################################## +## <summary> +## Create, default_t objects with an automatic +## type transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object"> +## <summary> +## The class of the object being created. +## </summary> +## </param> +# +interface(`files_root_filetrans_default',` + gen_require(` + type root_t, default_t; + ') + + filetrans_pattern($1, root_t, default_t, $2) +') + +######################################## +## <summary> +## manage generic symbolic links +## in the /var/run directory. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_generic_pids_symlinks',` + gen_require(` + type var_run_t; + ') + + manage_lnk_files_pattern($1,var_run_t,var_run_t) +') + +######################################## +## <summary> +## Do not audit attempts to getattr +## all tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_getattr_tmpfs_files',` + gen_require(` + attribute tmpfsfile; + ') + + allow $1 tmpfsfile:file getattr; +') + +######################################## +## <summary> +## Allow read write all tmpfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_rw_tmpfs_files',` + gen_require(` + attribute tmpfsfile; + ') + + allow $1 tmpfsfile:file { read write }; +') + +######################################## +## <summary> +## Do not audit attempts to read security files +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_read_security_files',` + gen_require(` + attribute security_file_type; + ') + + dontaudit $1 security_file_type:file read_file_perms; +') + +######################################## +## <summary> +## rw any files inherited from another process +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`files_rw_all_inherited_files',` + gen_require(` + attribute file_type; + ') + + allow $1 { file_type $2 }:file rw_inherited_file_perms; + allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; + allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; + allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms; +') + +######################################## +## <summary> +## Allow any file point to be the entrypoint of this domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_entrypoint_all_files',` + gen_require(` + attribute file_type; + ') + allow $1 file_type:file entrypoint; +') + +######################################## +## <summary> +## Do not audit attempts to rw inherited file perms +## of non security files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_all_non_security_leaks',` + gen_require(` + attribute non_security_file_type; + ') + + dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read or write +## all leaked files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_dontaudit_leaks',` + gen_require(` + attribute file_type; + ') + + dontaudit $1 file_type:file rw_inherited_file_perms; + dontaudit $1 file_type:lnk_file { read }; +') + +######################################## +## <summary> +## Allow domain to create_file_ass all types +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`files_create_as_is_all_files',` + gen_require(` + attribute file_type; + class kernel_service create_files_as; + ') + + allow $1 file_type:kernel_service create_files_as; +') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te new file mode 100644 index 0000000..12e9ecf --- /dev/null +++ b/policy/modules/kernel/files.te 
@@ -0,0 +1,238 @@ +policy_module(files, 1.13.1) + +######################################## +# +# Declarations +# + +attribute file_type; +attribute files_unconfined_type; +attribute lockfile; +attribute mountpoint; +attribute pidfile; +attribute configfile; +attribute etcfile; + +# For labeling types that are to be polyinstantiated +attribute polydir; + +# And for labeling the parent directories of those polyinstantiated directories +# This is necessary for remounting the original in the parent to give +# security aware apps access +attribute polyparent; + +# And labeling for the member directories +attribute polymember; + +# sensitive security files whose accesses should +# not be dontaudited for uses +attribute security_file_type; +# and its opposite +attribute non_security_file_type; + +attribute tmpfile; +attribute tmpfsfile; + +# this attribute is not currently used and will be removed in the future. +# unfortunately, this attribute can not be removed yet because it may cause +# some policies to fail to link if it is still required. +attribute usercanread; + +# +# boot_t is the type for files in /boot +# +type boot_t; +files_mountpoint(boot_t) + +# default_t is the default type for files that do not +# match any specification in the file_contexts configuration +# other than the generic /.* specification. +type default_t; +files_mountpoint(default_t) + +# +# etc_t is the type of the system etc directories. +# +type etc_t, configfile; +files_type(etc_t) +# compatibility aliases for removed types: +typealias etc_t alias automount_etc_t; +typealias etc_t alias snmpd_etc_t; + +# system_conf_t is a new type of various +# files in /etc/ that can be managed and +# created by several domains. +# +type system_conf_t, configfile; +files_type(system_conf_t) +# compatibility aliases for removed type: +typealias system_conf_t alias iptables_conf_t; + +# +# etc_runtime_t is the type of various +# files in /etc that are automatically +# generated during initialization. 
+# +type etc_runtime_t, configfile; +files_type(etc_runtime_t) +#Temporarily in policy until FC5 dissappears +typealias etc_runtime_t alias firstboot_rw_t; + +# +# file_t is the default type of a file that has not yet been +# assigned an extended attribute (EA) value (when using a filesystem +# that supports EAs). +# +type file_t; +files_mountpoint(file_t) +kernel_rootfs_mountpoint(file_t) +sid file gen_context(system_u:object_r:file_t,s0) + +# +# home_root_t is the type for the directory where user home directories +# are created +# +type home_root_t; +files_mountpoint(home_root_t) +files_poly_parent(home_root_t) + +# +# lost_found_t is the type for the lost+found directories. +# +type lost_found_t; +files_type(lost_found_t) + +# +# mnt_t is the type for mount points such as /mnt/cdrom +# +type mnt_t; +files_mountpoint(mnt_t) + +# +# modules_object_t is the type for kernel modules +# +type modules_object_t; +files_type(modules_object_t) + +type no_access_t; +files_type(no_access_t) + +type poly_t; +files_type(poly_t) + +type readable_t; +files_type(readable_t) + +# +# root_t is the type for rootfs and the root directory. +# +type root_t; +files_mountpoint(root_t) +files_poly_parent(root_t) +kernel_rootfs_mountpoint(root_t) +genfscon rootfs / gen_context(system_u:object_r:root_t,s0) + +# +# src_t is the type of files in the system src directories. +# +type src_t; +files_mountpoint(src_t) + +# +# system_map_t is for the system.map files in /boot +# +type system_map_t; +files_type(system_map_t) +genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0) + +# +# tmp_t is the type of the temporary directories +# +type tmp_t; +files_tmp_file(tmp_t) +files_mountpoint(tmp_t) +files_poly(tmp_t) +files_poly_parent(tmp_t) + +# +# usr_t is the type for /usr. 
+# +type usr_t; +files_mountpoint(usr_t) + +# +# var_t is the type of /var +# +type var_t; +files_mountpoint(var_t) + +# +# var_lib_t is the type of /var/lib +# +type var_lib_t; +files_mountpoint(var_lib_t) + +# +# var_lock_t is tye type of /var/lock +# +type var_lock_t; +files_lock_file(var_lock_t) + +# +# var_run_t is the type of /var/run, usually +# used for pid and other runtime files. +# +type var_run_t; +files_pid_file(var_run_t) +files_mountpoint(var_run_t) + +# +# var_spool_t is the type of /var/spool +# +type var_spool_t; +files_tmp_file(var_spool_t) + +######################################## +# +# Rules for all file types +# + +allow file_type self:filesystem associate; + +fs_associate(file_type) +fs_associate_noxattr(file_type) +fs_associate_tmpfs(file_type) +fs_associate_ramfs(file_type) +fs_associate_hugetlbfs(file_type) + +######################################## +# +# Rules for all tmp file types +# + +allow file_type tmp_t:filesystem associate; + +fs_associate_tmpfs(tmpfile) + +######################################## +# +# Rules for all tmpfs file types +# + +fs_associate_tmpfs(tmpfsfile) + +######################################## +# +# Unconfined access to this module +# + +# Create/access any file in a labeled filesystem; +allow files_unconfined_type file_type:{ file chr_file } ~execmod; +allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *; + +# Mount/unmount any filesystem with the context= option. +allow files_unconfined_type file_type:filesystem *; + +tunable_policy(`allow_execmod',` + allow files_unconfined_type file_type:file execmod; +') diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc new file mode 100644 index 0000000..16f0f9e --- /dev/null +++ b/policy/modules/kernel/filesystem.fc 
@@ -0,0 +1,11 @@ +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +/dev/shm/.* <<none>> + +/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) +/cgroup/.* <<none>> + +/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) +/sys/fs/cgroup(/.*)? <<none>> + +/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/dev/hugepages(/.*)? <<none>> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if new file mode 100644 index 0000000..51d47a0 --- /dev/null +++ b/policy/modules/kernel/filesystem.if 
@@ -0,0 +1,4858 @@ +## <summary>Policy for filesystems.</summary> +## <required val="true"> +## Contains the initial SID for the filesystems. +## </required> + +######################################## +## <summary> +## Transform specified type into a filesystem type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_type',` + gen_require(` + attribute filesystem_type; + ') + + typeattribute $1 filesystem_type; +') + +######################################## +## <summary> +## Transform specified type into a filesystem +## type which does not have extended attribute +## support. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_noxattr_type',` + gen_require(` + attribute noxattrfs; + ') + + fs_type($1) + + typeattribute $1 noxattrfs; +') + +######################################## +## <summary> +## Associate the specified file type to persistent +## filesystems with extended attributes. This +## allows a file of this type to be created on +## a filesystem such as ext3, JFS, and XFS. +## </summary> +## <param name="file_type"> +## <summary> +## The type of the to be associated. +## </summary> +## </param> +# +interface(`fs_associate',` + gen_require(` + type fs_t; + ') + + allow $1 fs_t:filesystem associate; +') + +######################################## +## <summary> +## Associate the specified file type to +## filesystems which lack extended attributes +## support. This allows a file of this type +## to be created on a filesystem such as +## FAT32, and NFS. +## </summary> +## <param name="file_type"> +## <summary> +## The type of the to be associated. 
+## </summary> +## </param> +# +interface(`fs_associate_noxattr',` + gen_require(` + attribute noxattrfs; + ') + + allow $1 noxattrfs:filesystem associate; +') + +######################################## +## <summary> +## Execute files on a filesystem that does +## not support extended attributes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_exec_noxattr',` + gen_require(` + attribute noxattrfs; + ') + + can_exec($1, noxattrfs) +') + +######################################## +## <summary> +## Mount a persistent filesystem which +## has extended attributes, such as +## ext3, JFS, or XFS. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_mount_xattr_fs',` + gen_require(` + type fs_t; + ') + + allow $1 fs_t:filesystem mount; +') + +######################################## +## <summary> +## Remount a persistent filesystem which +## has extended attributes, such as +## ext3, JFS, or XFS. This allows +## some mount options to be changed. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_remount_xattr_fs',` + gen_require(` + type fs_t; + ') + + allow $1 fs_t:filesystem remount; +') + +######################################## +## <summary> +## Unmount a persistent filesystem which +## has extended attributes, such as +## ext3, JFS, or XFS. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_unmount_xattr_fs',` + gen_require(` + type fs_t; + ') + + allow $1 fs_t:filesystem unmount; +') + +######################################## +## <summary> +## Get the attributes of persistent +## filesystems which have extended +## attributes, such as ext3, JFS, or XFS. 
+## </summary> +## <desc> +## <p> +## Allow the specified domain to +## get the attributes of a persistent +## filesystems which have extended +## attributes, such as ext3, JFS, or XFS. +## Example attributes: +## </p> +## <ul> +## <li>Type of the file system (e.g., ext3)</li> +## <li>Size of the file system</li> +## <li>Available space on the file system</li> +## </ul> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="5"/> +## <rolecap/> +# +interface(`fs_getattr_xattr_fs',` + gen_require(` + type fs_t; + ') + + allow $1 fs_t:filesystem getattr; +') + +######################################## +## <summary> +## Do not audit attempts to +## get the attributes of a persistent +## filesystem which has extended +## attributes, such as ext3, JFS, or XFS. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_getattr_xattr_fs',` + gen_require(` + type fs_t; + ') + + dontaudit $1 fs_t:filesystem getattr; +') + +######################################## +## <summary> +## Allow changing of the label of a +## filesystem with extended attributes +## using the context= mount option. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_relabelfrom_xattr_fs',` + gen_require(` + type fs_t; + ') + + allow $1 fs_t:filesystem relabelfrom; +') + +######################################## +## <summary> +## Get the filesystem quotas of a filesystem +## with extended attributes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`fs_get_xattr_fs_quotas',` + gen_require(` + type fs_t; + ') + + allow $1 fs_t:filesystem quotaget; +') + +######################################## +## <summary> +## Set the filesystem quotas of a filesystem +## with extended attributes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_set_xattr_fs_quotas',` + gen_require(` + type fs_t; + ') + + allow $1 fs_t:filesystem quotamod; +') + +######################################## +## <summary> +## Read files on anon_inodefs file systems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_read_anon_inodefs_files',` + gen_require(` + type anon_inodefs_t; + + ') + + read_files_pattern($1, anon_inodefs_t, anon_inodefs_t) +') + +######################################## +## <summary> +## Read and write files on anon_inodefs +## file systems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_rw_anon_inodefs_files',` + gen_require(` + type anon_inodefs_t; + + ') + + rw_files_pattern($1, anon_inodefs_t, anon_inodefs_t) +') + +######################################## +## <summary> +## Do not audit attempts to read or write files on +## anon_inodefs file systems. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_rw_anon_inodefs_files',` + gen_require(` + type anon_inodefs_t; + + ') + + dontaudit $1 anon_inodefs_t:file rw_file_perms; +') + +######################################## +## <summary> +## Mount an automount pseudo filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fs_mount_autofs',` + gen_require(` + type autofs_t; + ') + + allow $1 autofs_t:filesystem mount; +') + +######################################## +## <summary> +## Remount an automount pseudo filesystem +## This allows some mount options to be changed. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_remount_autofs',` + gen_require(` + type autofs_t; + ') + + allow $1 autofs_t:filesystem remount; +') + +######################################## +## <summary> +## Unmount an automount pseudo filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_unmount_autofs',` + gen_require(` + type autofs_t; + ') + + allow $1 autofs_t:filesystem unmount; +') + +######################################## +## <summary> +## Get the attributes of an automount +## pseudo filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_autofs',` + gen_require(` + type autofs_t; + ') + + allow $1 autofs_t:filesystem getattr; +') + +######################################## +## <summary> +## Search automount filesystem to use automatically +## mounted filesystems. +## </summary> +## <desc> +## Allow the specified domain to search mount points +## that have filesystems that are mounted by +## the automount service. Generally this will +## be required for any domain that accesses objects +## on these filesystems. +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="5"/> +# +interface(`fs_search_auto_mountpoints',` + gen_require(` + type autofs_t; + ') + + allow $1 autofs_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Read directories of automatically +## mounted filesystems. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_list_auto_mountpoints',` + gen_require(` + type autofs_t; + ') + + allow $1 autofs_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to list directories of automatically +## mounted filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_list_auto_mountpoints',` + gen_require(` + type autofs_t; + ') + + dontaudit $1 autofs_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete symbolic links +## on an autofs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_autofs_symlinks',` + gen_require(` + type autofs_t; + ') + + manage_lnk_files_pattern($1, autofs_t, autofs_t) +') + +######################################## +## <summary> +## Get the attributes of directories on +## binfmt_misc filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_binfmt_misc_dirs',` + gen_require(` + type binfmt_misc_fs_t; + ') + + allow $1 binfmt_misc_fs_t:dir getattr; + +') + +######################################## +## <summary> +## Register an interpreter for new binary +## file types, using the kernel binfmt_misc +## support. +## </summary> +## <desc> +## <p> +## Register an interpreter for new binary +## file types, using the kernel binfmt_misc +## support. +## </p> +## <p> +## A common use for this is to +## register a JVM as an interpreter for +## Java byte code. Registered binaries +## can be directly executed on a command line +## without specifying the interpreter. 
+## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_register_binary_executable_type',` + gen_require(` + type binfmt_misc_fs_t; + ') + + rw_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t) +') + +######################################## +## <summary> +## Mount cgroup filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_mount_cgroup', ` + gen_require(` + type cgroup_t; + ') + + allow $1 cgroup_t:filesystem mount; +') + +######################################## +## <summary> +## Remount cgroup filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_remount_cgroup', ` + gen_require(` + type cgroup_t; + ') + + allow $1 cgroup_t:filesystem remount; +') + +######################################## +## <summary> +## Unmount cgroup filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_unmount_cgroup', ` + gen_require(` + type cgroup_t; + ') + + allow $1 cgroup_t:filesystem unmount; +') + +######################################## +## <summary> +## Get attributes of cgroup filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_cgroup',` + gen_require(` + type cgroup_t; + ') + + allow $1 cgroup_t:filesystem getattr; +') + +######################################## +## <summary> +## Search cgroup directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fs_search_cgroup_dirs',` + gen_require(` + type cgroup_t; + + ') + + search_dirs_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) +') + +######################################## +## <summary> +## list cgroup directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_list_cgroup_dirs', ` + gen_require(` + type cgroup_t; + ') + + list_dirs_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) +') + +######################################## +## <summary> +## Delete cgroup directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_delete_cgroup_dirs', ` + gen_require(` + type cgroup_t; + ') + + delete_dirs_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) +') + +######################################## +## <summary> +## Manage cgroup directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_cgroup_dirs',` + gen_require(` + type cgroup_t; + + ') + + manage_dirs_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) +') + +######################################## +## <summary> +## Read cgroup files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_read_cgroup_files',` + gen_require(` + type cgroup_t; + + ') + + read_files_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) +') + +######################################## +## <summary> +## Write cgroup files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fs_write_cgroup_files', ` + gen_require(` + type cgroup_t; + ') + + write_files_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) +') + +######################################## +## <summary> +## Read and write cgroup files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_rw_cgroup_files',` + gen_require(` + type cgroup_t; + + ') + + rw_files_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) +') + +######################################## +## <summary> +## Do not audit attempts to open, +## get attributes, read and write +## cgroup files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_rw_cgroup_files',` + gen_require(` + type cgroup_t; + ') + + dontaudit $1 cgroup_t:file rw_file_perms; +') + +######################################## +## <summary> +## Manage cgroup files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_cgroup_files',` + gen_require(` + type cgroup_t; + + ') + + manage_files_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) +') + +######################################## +## <summary> +## Mount on cgroup directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_mounton_cgroup', ` + gen_require(` + type cgroup_t; + ') + + allow $1 cgroup_t:dir mounton; +') + +######################################## +## <summary> +## Do not audit attempts to read +## dirs on a CIFS or SMB filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`fs_dontaudit_list_cifs_dirs',` + gen_require(` + type cifs_t; + ') + + dontaudit $1 cifs_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Mount a CIFS or SMB network filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_mount_cifs',` + gen_require(` + type cifs_t; + ') + + allow $1 cifs_t:filesystem mount; +') + +######################################## +## <summary> +## Remount a CIFS or SMB network filesystem. +## This allows some mount options to be changed. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_remount_cifs',` + gen_require(` + type cifs_t; + ') + + allow $1 cifs_t:filesystem remount; +') + +######################################## +## <summary> +## Unmount a CIFS or SMB network filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_unmount_cifs',` + gen_require(` + type cifs_t; + ') + + allow $1 cifs_t:filesystem unmount; +') + +######################################## +## <summary> +## Get the attributes of a CIFS or +## SMB network filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_getattr_cifs',` + gen_require(` + type cifs_t; + ') + + allow $1 cifs_t:filesystem getattr; +') + +######################################## +## <summary> +## Search directories on a CIFS or SMB filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fs_search_cifs',` + gen_require(` + type cifs_t; + ') + + allow $1 cifs_t:dir search_dir_perms; +') + +######################################## +## <summary> +## List the contents of directories on a +## CIFS or SMB filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_list_cifs',` + gen_require(` + type cifs_t; + ') + + allow $1 cifs_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to list the contents +## of directories on a CIFS or SMB filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_list_cifs',` + gen_require(` + type cifs_t; + ') + + dontaudit $1 cifs_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Mounton a CIFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_mounton_cifs',` + gen_require(` + type cifs_t; + ') + + allow $1 cifs_t:dir mounton; +') + +######################################## +## <summary> +## Read files on a CIFS or SMB filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_read_cifs_files',` + gen_require(` + type cifs_t; + ') + + allow $1 cifs_t:dir list_dir_perms; + read_files_pattern($1, cifs_t, cifs_t) +') + +######################################## +## <summary> +## Get the attributes of filesystems that +## do not have extended attribute support. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`fs_getattr_noxattr_fs',` + gen_require(` + attribute noxattrfs; + ') + + allow $1 noxattrfs:filesystem getattr; +') + +######################################## +## <summary> +## Read all noxattrfs directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_list_noxattr_fs',` + gen_require(` + attribute noxattrfs; + ') + + allow $1 noxattrfs:dir list_dir_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete all noxattrfs directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_noxattr_fs_dirs',` + gen_require(` + attribute noxattrfs; + ') + + allow $1 noxattrfs:dir manage_dir_perms; +') + +######################################## +## <summary> +## Read all noxattrfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_read_noxattr_fs_files',` + gen_require(` + attribute noxattrfs; + ') + + read_files_pattern($1, noxattrfs, noxattrfs) +') + +######################################## +## <summary> +## Dont audit attempts to write to noxattrfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_write_noxattr_fs_files',` + gen_require(` + attribute noxattrfs; + ') + + dontaudit $1 noxattrfs:file write; +') + +######################################## +## <summary> +## Create, read, write, and delete all noxattrfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fs_manage_noxattr_fs_files',` + gen_require(` + attribute noxattrfs; + ') + + manage_files_pattern($1, noxattrfs, noxattrfs) +') + +######################################## +## <summary> +## Read all noxattrfs symbolic links. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_read_noxattr_fs_symlinks',` + gen_require(` + attribute noxattrfs; + ') + + read_lnk_files_pattern($1, noxattrfs, noxattrfs) +') + +######################################## +## <summary> +## Relabel all objets from filesystems that +## do not support extended attributes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_relabelfrom_noxattr_fs',` + gen_require(` + attribute noxattrfs; + ') + + allow $1 noxattrfs:dir list_dir_perms; + relabelfrom_dirs_pattern($1, noxattrfs, noxattrfs) + relabelfrom_files_pattern($1, noxattrfs, noxattrfs) + relabelfrom_lnk_files_pattern($1, noxattrfs, noxattrfs) + relabelfrom_fifo_files_pattern($1, noxattrfs, noxattrfs) + relabelfrom_sock_files_pattern($1, noxattrfs, noxattrfs) + relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) + relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) +') + +######################################## +## <summary> +## Do not audit attempts to read +## files on a CIFS or SMB filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_read_cifs_files',` + gen_require(` + type cifs_t; + ') + + dontaudit $1 cifs_t:file read_file_perms; +') + +######################################## +## <summary> +## Append files +## on a CIFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`fs_append_cifs_files',` + gen_require(` + type cifs_t; + ') + + append_files_pattern($1, cifs_t, cifs_t) +') + +######################################## +## <summary> +## dontaudit Append files +## on a CIFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_dontaudit_append_cifs_files',` + gen_require(` + type cifs_t; + ') + + dontaudit $1 cifs_t:file append_file_perms; +') + +######################################## +## <summary> +## Read inherited files on a CIFS or SMB filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_read_inherited_cifs_files',` + gen_require(` + type cifs_t; + ') + + allow $1 cifs_t:file read_inherited_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read or +## write files on a CIFS or SMB filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_rw_cifs_files',` + gen_require(` + type cifs_t; + ') + + dontaudit $1 cifs_t:file rw_inherited_file_perms; +') + +######################################## +## <summary> +## Read symbolic links on a CIFS or SMB filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_read_cifs_symlinks',` + gen_require(` + type cifs_t; + ') + + allow $1 cifs_t:dir list_dir_perms; + read_lnk_files_pattern($1, cifs_t, cifs_t) +') + +######################################## +## <summary> +## Read named pipes +## on a CIFS or SMB network filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fs_read_cifs_named_pipes',` + gen_require(` + type cifs_t; + ') + + read_fifo_files_pattern($1, cifs_t, cifs_t) +') + +######################################## +## <summary> +## Read named pipes +## on a CIFS or SMB network filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_read_cifs_named_sockets',` + gen_require(` + type cifs_t; + ') + + read_sock_files_pattern($1, cifs_t, cifs_t) +') + +######################################## +## <summary> +## Execute files on a CIFS or SMB +## network filesystem, in the caller +## domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_exec_cifs_files',` + gen_require(` + type cifs_t; + ') + + allow $1 cifs_t:dir list_dir_perms; + exec_files_pattern($1, cifs_t, cifs_t) +') + +######################################## +## <summary> +## Create, read, write, and delete directories +## on a CIFS or SMB network filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_manage_cifs_dirs',` + gen_require(` + type cifs_t; + ') + + allow $1 cifs_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to create, read, +## write, and delete directories +## on a CIFS or SMB network filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_manage_cifs_dirs',` + gen_require(` + type cifs_t; + ') + + dontaudit $1 cifs_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete files +## on a CIFS or SMB network filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`fs_manage_cifs_files',` + gen_require(` + type cifs_t; + ') + + manage_files_pattern($1, cifs_t, cifs_t) +') + +######################################## +## <summary> +## Do not audit attempts to create, read, +## write, and delete files +## on a CIFS or SMB network filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_manage_cifs_files',` + gen_require(` + type cifs_t; + ') + + dontaudit $1 cifs_t:file manage_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete symbolic links +## on a CIFS or SMB network filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_cifs_symlinks',` + gen_require(` + type cifs_t; + ') + + manage_lnk_files_pattern($1, cifs_t, cifs_t) +') + +######################################## +## <summary> +## Create, read, write, and delete named pipes +## on a CIFS or SMB network filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_cifs_named_pipes',` + gen_require(` + type cifs_t; + ') + + manage_fifo_files_pattern($1, cifs_t, cifs_t) +') + +######################################## +## <summary> +## Create, read, write, and delete named sockets +## on a CIFS or SMB network filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_cifs_named_sockets',` + gen_require(` + type cifs_t; + ') + + manage_sock_files_pattern($1, cifs_t, cifs_t) +') + +######################################## +## <summary> +## Execute a file on a CIFS or SMB filesystem +## in the specified domain. 
+## </summary> +## <desc> +## <p> +## Execute a file on a CIFS or SMB filesystem +## in the specified domain. This allows +## the specified domain to execute any file +## on these filesystems in the specified +## domain. This is not suggested. +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## <p> +## This interface was added to handle +## home directories on CIFS/SMB filesystems, +## in particular used by the ssh-agent policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the new process. +## </summary> +## </param> +# +interface(`fs_cifs_domtrans',` + gen_require(` + type cifs_t; + ') + + allow $1 cifs_t:dir search_dir_perms; + domain_auto_transition_pattern($1, cifs_t, $2) +') + +######################################## +## <summary> +## Make general progams in cifs an entrypoint for +## the specified domain. +## </summary> +## <param name="domain"> +## <summary> +## The domain for which cifs_t is an entrypoint. +## </summary> +## </param> +# +interface(`fs_cifs_entry_type',` + gen_require(` + type cifs_t; + ') + + domain_entry_file($1, cifs_t) +') + +####################################### +## <summary> +## Create, read, write, and delete dirs +## on a configfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_configfs_dirs',` + gen_require(` + type configfs_t; + ') + + manage_dirs_pattern($1, configfs_t, configfs_t) +') + +####################################### +## <summary> +## Create, read, write, and delete files +## on a configfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fs_manage_configfs_files',` + gen_require(` + type configfs_t; + ') + + manage_files_pattern($1, configfs_t, configfs_t) +') + +######################################## +## <summary> +## Mount a DOS filesystem, such as +## FAT32 or NTFS. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_mount_dos_fs',` + gen_require(` + type dosfs_t; + ') + + allow $1 dosfs_t:filesystem mount; +') + +######################################## +## <summary> +## Remount a DOS filesystem, such as +## FAT32 or NTFS. This allows +## some mount options to be changed. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_remount_dos_fs',` + gen_require(` + type dosfs_t; + ') + + allow $1 dosfs_t:filesystem remount; +') + +######################################## +## <summary> +## Unmount a DOS filesystem, such as +## FAT32 or NTFS. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_unmount_dos_fs',` + gen_require(` + type dosfs_t; + ') + + allow $1 dosfs_t:filesystem unmount; +') + +######################################## +## <summary> +## Get the attributes of a DOS +## filesystem, such as FAT32 or NTFS. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_getattr_dos_fs',` + gen_require(` + type dosfs_t; + ') + + allow $1 dosfs_t:filesystem getattr; +') + +######################################## +## <summary> +## Allow changing of the label of a +## DOS filesystem using the context= mount option. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fs_relabelfrom_dos_fs',` + gen_require(` + type dosfs_t; + ') + + allow $1 dosfs_t:filesystem relabelfrom; +') + +######################################## +## <summary> +## Search dosfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_search_dos',` + gen_require(` + type dosfs_t; + ') + + allow $1 dosfs_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete dirs +## on a DOS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_dos_dirs',` + gen_require(` + type dosfs_t; + ') + + manage_dirs_pattern($1, dosfs_t, dosfs_t) +') + +######################################## +## <summary> +## Read files on a DOS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_read_dos_files',` + gen_require(` + type dosfs_t; + ') + + read_files_pattern($1, dosfs_t, dosfs_t) +') + +######################################## +## <summary> +## Create, read, write, and delete files +## on a DOS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_dos_files',` + gen_require(` + type dosfs_t; + ') + + manage_files_pattern($1, dosfs_t, dosfs_t) +') + +######################################## +## <summary> +## Read eventpollfs files. +## </summary> +## <desc> +## <p> +## Read eventpollfs files +## </p> +## <p> +## This interface has been deprecated, and will +## be removed in the future. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fs_read_eventpollfs',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Mount a FUSE filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_mount_fusefs',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:filesystem mount; +') + +######################################## +## <summary> +## Unmount a FUSE filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_unmount_fusefs',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:filesystem unmount; +') + +######################################## +## <summary> +## Search directories +## on a FUSEFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_search_fusefs',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to list the contents +## of directories on a FUSEFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_list_fusefs',` + gen_require(` + type fusefs_t; + ') + + dontaudit $1 fusefs_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete directories +## on a FUSEFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`fs_manage_fusefs_dirs',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to create, read, +## write, and delete directories +## on a FUSEFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_manage_fusefs_dirs',` + gen_require(` + type fusefs_t; + ') + + dontaudit $1 fusefs_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Read, a FUSEFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_read_fusefs_files',` + gen_require(` + type fusefs_t; + ') + + read_files_pattern($1, fusefs_t, fusefs_t) +') + +######################################## +## <summary> +## Create, read, write, and delete files +## on a FUSEFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_manage_fusefs_files',` + gen_require(` + type fusefs_t; + ') + + manage_files_pattern($1, fusefs_t, fusefs_t) +') + +######################################## +## <summary> +## Do not audit attempts to create, +## read, write, and delete files +## on a FUSEFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_manage_fusefs_files',` + gen_require(` + type fusefs_t; + ') + + dontaudit $1 fusefs_t:file manage_file_perms; +') + +######################################## +## <summary> +## Read symbolic links on a FUSEFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fs_read_fusefs_symlinks',` + gen_require(` + type fusefs_t; + ') + + allow $1 fusefs_t:dir list_dir_perms; + read_lnk_files_pattern($1, fusefs_t, fusefs_t) +') + +######################################## +## <summary> +## Get the attributes of an hugetlbfs +## filesystem; +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_hugetlbfs',` + gen_require(` + type hugetlbfs_t; + ') + + allow $1 hugetlbfs_t:filesystem getattr; +') + +######################################## +## <summary> +## R/W hugetlbfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_rw_hugetlbfs_files',` + gen_require(` + type hugetlbfs_t; + ') + + rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) +') +######################################## +## <summary> +## Manage hugetlbfs dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_hugetlbfs_dirs',` + gen_require(` + type hugetlbfs_t; + ') + + manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) +') + +######################################## +## <summary> +## List hugetlbfs dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_list_hugetlbfs',` + gen_require(` + type hugetlbfs_t; + ') + + allow $1 hugetlbfs_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Allow the type to associate to hugetlbfs filesystems. +## </summary> +## <param name="type"> +## <summary> +## The type of the object to be associated. 
+## </summary> +## </param> +# +interface(`fs_associate_hugetlbfs',` + gen_require(` + type hugetlbfs_t; + ') + + allow $1 hugetlbfs_t:filesystem associate; +') + +######################################## +## <summary> +## Search inotifyfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_search_inotifyfs',` + gen_require(` + type inotifyfs_t; + ') + + allow $1 inotifyfs_t:dir search_dir_perms; +') + +######################################## +## <summary> +## List inotifyfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_list_inotifyfs',` + gen_require(` + type inotifyfs_t; + ') + + allow $1 inotifyfs_t:dir list_dir_perms; + fs_read_anon_inodefs_files($1) +') + +######################################## +## <summary> +## Dontaudit List inotifyfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_list_inotifyfs',` + gen_require(` + type inotifyfs_t; + ') + + dontaudit $1 inotifyfs_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Create an object in a hugetlbfs filesystem, with a private +## type using a type transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="private type"> +## <summary> +## The type of the object to be created. +## </summary> +## </param> +## <param name="object"> +## <summary> +## The object class of the object being created. +## </summary> +## </param> +# +interface(`fs_hugetlbfs_filetrans',` + gen_require(` + type hugetlbfs_t; + ') + + allow $2 hugetlbfs_t:filesystem associate; + filetrans_pattern($1, hugetlbfs_t, $2, $3) +') + +######################################## +## <summary> +## Mount an iso9660 filesystem, which +## is usually used on CDs. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_mount_iso9660_fs',` + gen_require(` + type iso9660_t; + ') + + allow $1 iso9660_t:filesystem mount; +') + +######################################## +## <summary> +## Remount an iso9660 filesystem, which +## is usually used on CDs. This allows +## some mount options to be changed. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_remount_iso9660_fs',` + gen_require(` + type iso9660_t; + ') + + allow $1 iso9660_t:filesystem remount; +') + +######################################## +## <summary> +## Unmount an iso9660 filesystem, which +## is usually used on CDs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_unmount_iso9660_fs',` + gen_require(` + type iso9660_t; + ') + + allow $1 iso9660_t:filesystem unmount; +') + +######################################## +## <summary> +## Get the attributes of an iso9660 +## filesystem, which is usually used on CDs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_getattr_iso9660_fs',` + gen_require(` + type iso9660_t; + ') + + allow $1 iso9660_t:filesystem getattr; +') + +######################################## +## <summary> +## Read files on an iso9660 filesystem, which +## is usually used on CDs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_iso9660_files',` + gen_require(` + type iso9660_t; + ') + + allow $1 iso9660_t:dir list_dir_perms; + allow $1 iso9660_t:file getattr; +') + +######################################## +## <summary> +## Read files on an iso9660 filesystem, which +## is usually used on CDs. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_read_iso9660_files',` + gen_require(` + type iso9660_t; + ') + + allow $1 iso9660_t:dir list_dir_perms; + read_files_pattern($1, iso9660_t, iso9660_t) + read_lnk_files_pattern($1, iso9660_t, iso9660_t) +') + +######################################## +## <summary> +## Mount a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_mount_nfs',` + gen_require(` + type nfs_t; + ') + + allow $1 nfs_t:filesystem mount; +') + +######################################## +## <summary> +## Remount a NFS filesystem. This allows +## some mount options to be changed. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_remount_nfs',` + gen_require(` + type nfs_t; + ') + + allow $1 nfs_t:filesystem remount; +') + +######################################## +## <summary> +## Unmount a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_unmount_nfs',` + gen_require(` + type nfs_t; + ') + + allow $1 nfs_t:filesystem unmount; +') + +######################################## +## <summary> +## Get the attributes of a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_getattr_nfs',` + gen_require(` + type nfs_t; + ') + + allow $1 nfs_t:filesystem getattr; +') + +######################################## +## <summary> +## Search directories on a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fs_search_nfs',` + gen_require(` + type nfs_t; + ') + + allow $1 nfs_t:dir search_dir_perms; +') + +######################################## +## <summary> +## List NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_list_nfs',` + gen_require(` + type nfs_t; + ') + + allow $1 nfs_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to list the contents +## of directories on a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_list_nfs',` + gen_require(` + type nfs_t; + ') + + dontaudit $1 nfs_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Mounton a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_mounton_nfs',` + gen_require(` + type nfs_t; + ') + + allow $1 nfs_t:dir mounton; +') + +######################################## +## <summary> +## Read files on a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_read_nfs_files',` + gen_require(` + type nfs_t; + ') + + allow $1 nfs_t:dir list_dir_perms; + read_files_pattern($1, nfs_t, nfs_t) +') + +######################################## +## <summary> +## Do not audit attempts to read +## files on a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_read_nfs_files',` + gen_require(` + type nfs_t; + ') + + dontaudit $1 nfs_t:file read_file_perms; +') + +######################################## +## <summary> +## Read files on a NFS filesystem. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_write_nfs_files',` + gen_require(` + type nfs_t; + ') + + allow $1 nfs_t:dir list_dir_perms; + write_files_pattern($1, nfs_t, nfs_t) +') + +######################################## +## <summary> +## Execute files on a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_exec_nfs_files',` + gen_require(` + type nfs_t; + ') + + allow $1 nfs_t:dir list_dir_perms; + exec_files_pattern($1, nfs_t, nfs_t) +') + +######################################## +## <summary> +## Make general progams in nfs an entrypoint for +## the specified domain. +## </summary> +## <param name="domain"> +## <summary> +## The domain for which nfs_t is an entrypoint. +## </summary> +## </param> +# +interface(`fs_nfs_entry_type',` + gen_require(` + type nfs_t; + ') + + domain_entry_file($1, nfs_t) +') + +######################################## +## <summary> +## Append files +## on a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_append_nfs_files',` + gen_require(` + type nfs_t; + ') + + append_files_pattern($1, nfs_t, nfs_t) +') + +######################################## +## <summary> +## dontaudit Append files +## on a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_dontaudit_append_nfs_files',` + gen_require(` + type nfs_t; + ') + + dontaudit $1 nfs_t:file append_file_perms; +') + +######################################## +## <summary> +## Read inherited files on a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`fs_read_inherited_nfs_files',` + gen_require(` + type nfs_t; + ') + + allow $1 nfs_t:file read_inherited_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read or +## write files on a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_rw_nfs_files',` + gen_require(` + type nfs_t; + ') + + dontaudit $1 nfs_t:file rw_inherited_file_perms; +') + +######################################## +## <summary> +## Read symbolic links on a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_read_nfs_symlinks',` + gen_require(` + type nfs_t; + ') + + allow $1 nfs_t:dir list_dir_perms; + read_lnk_files_pattern($1, nfs_t, nfs_t) +') + +######################################## +## <summary> +## Dontaudit read symbolic links on a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_read_nfs_symlinks',` + gen_require(` + type nfs_t; + ') + + dontaudit $1 nfs_t:lnk_file read_lnk_file_perms; +') + +######################################### +## <summary> +## Read named sockets on a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_read_nfs_named_sockets',` + gen_require(` + type nfs_t; + ') + + read_sock_files_pattern($1, nfs_t, nfs_t) +') + +######################################### +## <summary> +## Read named pipes on a NFS network filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`fs_read_nfs_named_pipes',` + gen_require(` + type nfs_t; + ') + + read_fifo_files_pattern($1, nfs_t, nfs_t) +') + +######################################## +## <summary> +## Read directories of RPC file system pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_rpc_dirs',` + gen_require(` + type rpc_pipefs_t; + ') + + allow $1 rpc_pipefs_t:dir getattr; + +') + +######################################## +## <summary> +## Search directories of RPC file system pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_search_rpc',` + gen_require(` + type rpc_pipefs_t; + ') + + allow $1 rpc_pipefs_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Search removable storage directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_search_removable',` + gen_require(` + type removable_t; + ') + + allow $1 removable_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to list removable storage directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain not to audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_list_removable',` + gen_require(` + type removable_t; + ') + + dontaudit $1 removable_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Read removable storage files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fs_read_removable_files',` + gen_require(` + type removable_t; + ') + + read_files_pattern($1, removable_t, removable_t) +') + +######################################## +## <summary> +## Do not audit attempts to read removable storage files. +## </summary> +## <param name="domain"> +## <summary> +## Domain not to audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_read_removable_files',` + gen_require(` + type removable_t; + ') + + dontaudit $1 removable_t:file read_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to write removable storage files. +## </summary> +## <param name="domain"> +## <summary> +## Domain not to audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_write_removable_files',` + gen_require(` + type removable_t; + ') + + dontaudit $1 removable_t:file write_file_perms; +') + +######################################## +## <summary> +## Read removable storage symbolic links. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_read_removable_symlinks',` + gen_require(` + type removable_t; + ') + + read_lnk_files_pattern($1, removable_t, removable_t) +') + +######################################## +## <summary> +## Read and write block nodes on removable filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_rw_removable_blk_files',` + gen_require(` + type removable_t; + ') + + allow $1 removable_t:dir list_dir_perms; + rw_blk_files_pattern($1, removable_t, removable_t) +') + +######################################## +## <summary> +## Read directories of RPC file system pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fs_list_rpc',` + gen_require(` + type rpc_pipefs_t; + ') + + allow $1 rpc_pipefs_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Read files of RPC file system pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_read_rpc_files',` + gen_require(` + type rpc_pipefs_t; + ') + + read_files_pattern($1, rpc_pipefs_t, rpc_pipefs_t) +') + +######################################## +## <summary> +## Read symbolic links of RPC file system pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_read_rpc_symlinks',` + gen_require(` + type rpc_pipefs_t; + ') + + read_lnk_files_pattern($1, rpc_pipefs_t, rpc_pipefs_t) +') + +######################################## +## <summary> +## Read sockets of RPC file system pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_read_rpc_sockets',` + gen_require(` + type rpc_pipefs_t; + ') + + allow $1 rpc_pipefs_t:sock_file read; +') + +######################################## +## <summary> +## Read and write sockets of RPC file system pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_rw_rpc_sockets',` + gen_require(` + type rpc_pipefs_t; + ') + + allow $1 rpc_pipefs_t:sock_file { read write }; +') + +######################################## +## <summary> +## Create, read, write, and delete directories +## on a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`fs_manage_nfs_dirs',` + gen_require(` + type nfs_t; + ') + + allow $1 nfs_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to create, read, +## write, and delete directories +## on a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_manage_nfs_dirs',` + gen_require(` + type nfs_t; + ') + + dontaudit $1 nfs_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete files +## on a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_manage_nfs_files',` + gen_require(` + type nfs_t; + ') + + manage_files_pattern($1, nfs_t, nfs_t) +') + +######################################## +## <summary> +## Do not audit attempts to create, +## read, write, and delete files +## on a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_manage_nfs_files',` + gen_require(` + type nfs_t; + ') + + dontaudit $1 nfs_t:file manage_file_perms; +') + +######################################### +## <summary> +## Create, read, write, and delete symbolic links +## on a NFS network filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_manage_nfs_symlinks',` + gen_require(` + type nfs_t; + ') + + manage_lnk_files_pattern($1, nfs_t, nfs_t) +') + +######################################### +## <summary> +## Create, read, write, and delete named pipes +## on a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fs_manage_nfs_named_pipes',` + gen_require(` + type nfs_t; + ') + + manage_fifo_files_pattern($1, nfs_t, nfs_t) +') + +######################################### +## <summary> +## Create, read, write, and delete named sockets +## on a NFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_nfs_named_sockets',` + gen_require(` + type nfs_t; + ') + + manage_sock_files_pattern($1, nfs_t, nfs_t) +') + +######################################## +## <summary> +## Execute a file on a NFS filesystem +## in the specified domain. +## </summary> +## <desc> +## <p> +## Execute a file on a NFS filesystem +## in the specified domain. This allows +## the specified domain to execute any file +## on a NFS filesystem in the specified +## domain. This is not suggested. +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## <p> +## This interface was added to handle +## home directories on NFS filesystems, +## in particular used by the ssh-agent policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the new process. +## </summary> +## </param> +# +interface(`fs_nfs_domtrans',` + gen_require(` + type nfs_t; + ') + + allow $1 nfs_t:dir search_dir_perms; + domain_auto_transition_pattern($1, nfs_t, $2) +') + +######################################## +## <summary> +## Mount a NFS server pseudo filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fs_mount_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + + allow $1 nfsd_fs_t:filesystem mount; +') + +######################################## +## <summary> +## Mount a NFS server pseudo filesystem. +## This allows some mount options to be changed. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_remount_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + + allow $1 nfsd_fs_t:filesystem remount; +') + +######################################## +## <summary> +## Unmount a NFS server pseudo filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_unmount_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + + allow $1 nfsd_fs_t:filesystem unmount; +') + +######################################## +## <summary> +## Get the attributes of a NFS server +## pseudo filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + + allow $1 nfsd_fs_t:filesystem getattr; +') + +######################################## +## <summary> +## Search NFS server directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_search_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + + allow $1 nfsd_fs_t:dir search_dir_perms; +') + +######################################## +## <summary> +## List NFS server directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fs_list_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + + allow $1 nfsd_fs_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Getattr files on an nfsd filesystem +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_nfsd_files',` + gen_require(` + type nfsd_fs_t; + ') + + getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) +') + +######################################## +## <summary> +## Read and write NFS server files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_rw_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + + rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) +') + +######################################## +## <summary> +## Allow the type to associate to ramfs filesystems. +## </summary> +## <param name="type"> +## <summary> +## The type of the object to be associated. +## </summary> +## </param> +# +interface(`fs_associate_ramfs',` + gen_require(` + type ramfs_t; + ') + + allow $1 ramfs_t:filesystem associate; +') + +######################################## +## <summary> +## Mount a RAM filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_mount_ramfs',` + gen_require(` + type ramfs_t; + ') + + allow $1 ramfs_t:filesystem mount; +') + +######################################## +## <summary> +## Remount a RAM filesystem. This allows +## some mount options to be changed. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_remount_ramfs',` + gen_require(` + type ramfs_t; + ') + + allow $1 ramfs_t:filesystem remount; +') + +######################################## +## <summary> +## Unmount a RAM filesystem. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_unmount_ramfs',` + gen_require(` + type ramfs_t; + ') + + allow $1 ramfs_t:filesystem unmount; +') + +######################################## +## <summary> +## Get the attributes of a RAM filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_ramfs',` + gen_require(` + type ramfs_t; + ') + + allow $1 ramfs_t:filesystem getattr; +') + +######################################## +## <summary> +## Search directories on a ramfs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_search_ramfs',` + gen_require(` + type ramfs_t; + ') + + allow $1 ramfs_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Dontaudit Search directories on a ramfs +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_search_ramfs',` + gen_require(` + type ramfs_t; + ') + + dontaudit $1 ramfs_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete +## directories on a ramfs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_ramfs_dirs',` + gen_require(` + type ramfs_t; + ') + + allow $1 ramfs_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Dontaudit read on a ramfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`fs_dontaudit_read_ramfs_files',` + gen_require(` + type ramfs_t; + ') + + dontaudit $1 ramfs_t:file read; +') + +######################################## +## <summary> +## Dontaudit read on a ramfs fifo_files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_read_ramfs_pipes',` + gen_require(` + type ramfs_t; + ') + + dontaudit $1 ramfs_t:fifo_file read; +') + +######################################## +## <summary> +## Create, read, write, and delete +## files on a ramfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_ramfs_files',` + gen_require(` + type ramfs_t; + ') + + manage_files_pattern($1, ramfs_t, ramfs_t) +') + +######################################## +## <summary> +## Write to named pipe on a ramfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_write_ramfs_pipes',` + gen_require(` + type ramfs_t; + ') + + write_fifo_files_pattern($1, ramfs_t, ramfs_t) +') + +######################################## +## <summary> +## Do not audit attempts to write to named +## pipes on a ramfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_write_ramfs_pipes',` + gen_require(` + type ramfs_t; + ') + + dontaudit $1 ramfs_t:fifo_file write; +') + +######################################## +## <summary> +## Read and write a named pipe on a ramfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fs_rw_ramfs_pipes',` + gen_require(` + type ramfs_t; + ') + + rw_fifo_files_pattern($1, ramfs_t, ramfs_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## named pipes on a ramfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_ramfs_pipes',` + gen_require(` + type ramfs_t; + ') + + manage_fifo_files_pattern($1, ramfs_t, ramfs_t) +') + +######################################## +## <summary> +## Write to named socket on a ramfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_write_ramfs_sockets',` + gen_require(` + type ramfs_t; + ') + + write_sock_files_pattern($1, ramfs_t, ramfs_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## named sockets on a ramfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_ramfs_sockets',` + gen_require(` + type ramfs_t; + ') + + manage_sock_files_pattern($1, ramfs_t, ramfs_t) +') + +######################################## +## <summary> +## Mount a ROM filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_mount_romfs',` + gen_require(` + type romfs_t; + ') + + allow $1 romfs_t:filesystem mount; +') + +######################################## +## <summary> +## Remount a ROM filesystem. This allows +## some mount options to be changed. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fs_remount_romfs',` + gen_require(` + type romfs_t; + ') + + allow $1 romfs_t:filesystem remount; +') + +######################################## +## <summary> +## Unmount a ROM filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_unmount_romfs',` + gen_require(` + type romfs_t; + ') + + allow $1 romfs_t:filesystem unmount; +') + +######################################## +## <summary> +## Get the attributes of a ROM +## filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_romfs',` + gen_require(` + type romfs_t; + ') + + allow $1 romfs_t:filesystem getattr; +') + +######################################## +## <summary> +## Mount a RPC pipe filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_mount_rpc_pipefs',` + gen_require(` + type rpc_pipefs_t; + ') + + allow $1 rpc_pipefs_t:filesystem mount; +') + +######################################## +## <summary> +## Remount a RPC pipe filesystem. This +## allows some mount option to be changed. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_remount_rpc_pipefs',` + gen_require(` + type rpc_pipefs_t; + ') + + allow $1 rpc_pipefs_t:filesystem remount; +') + +######################################## +## <summary> +## Unmount a RPC pipe filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_unmount_rpc_pipefs',` + gen_require(` + type rpc_pipefs_t; + ') + + allow $1 rpc_pipefs_t:filesystem unmount; +') + +######################################## +## <summary> +## Get the attributes of a RPC pipe +## filesystem. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_rpc_pipefs',` + gen_require(` + type rpc_pipefs_t; + ') + + allow $1 rpc_pipefs_t:filesystem getattr; +') + +######################################### +## <summary> +## Read and write RPC pipe filesystem named pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_rw_rpc_named_pipes',` + gen_require(` + type rpc_pipefs_t; + ') + + allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## <summary> +## Mount a tmpfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_mount_tmpfs',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:filesystem mount; +') + +######################################## +## <summary> +## Remount a tmpfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_remount_tmpfs',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:filesystem remount; +') + +######################################## +## <summary> +## Unmount a tmpfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_unmount_tmpfs',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:filesystem unmount; +') + +######################################## +## <summary> +## Get the attributes of a tmpfs +## filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`fs_getattr_tmpfs',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:filesystem getattr; +') + +######################################## +## <summary> +## Allow the type to associate to tmpfs filesystems. +## </summary> +## <param name="type"> +## <summary> +## The type of the object to be associated. +## </summary> +## </param> +# +interface(`fs_associate_tmpfs',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:filesystem associate; +') + +######################################## +## <summary> +## Get the attributes of tmpfs directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_tmpfs_dirs',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:dir getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of tmpfs directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_getattr_tmpfs_dirs',` + gen_require(` + type tmpfs_t; + ') + + dontaudit $1 tmpfs_t:dir getattr; +') + +######################################## +## <summary> +## Set the attributes of tmpfs directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_setattr_tmpfs_dirs',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:dir setattr; +') + +######################################## +## <summary> +## Search tmpfs directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_search_tmpfs',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:dir search_dir_perms; +') + +######################################## +## <summary> +## List the contents of generic tmpfs directories. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_list_tmpfs',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to list the +## contents of generic tmpfs directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_list_tmpfs',` + gen_require(` + type tmpfs_t; + ') + + dontaudit $1 tmpfs_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete +## tmpfs directories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_tmpfs_dirs',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Create an object in a tmpfs filesystem, with a private +## type using a type transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="private type"> +## <summary> +## The type of the object to be created. +## </summary> +## </param> +## <param name="object"> +## <summary> +## The object class of the object being created. +## </summary> +## </param> +# +interface(`fs_tmpfs_filetrans',` + gen_require(` + type tmpfs_t; + ') + + allow $2 tmpfs_t:filesystem associate; + filetrans_pattern($1, tmpfs_t, $2, $3) +') + +######################################## +## <summary> +## Do not audit attempts to getattr +## generic tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`fs_dontaudit_getattr_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + dontaudit $1 tmpfs_t:file getattr; +') + +######################################## +## <summary> +## Do not audit attempts to read or write +## generic tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_rw_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + dontaudit $1 tmpfs_t:file rw_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete +## auto moutpoints. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_auto_mountpoints',` + gen_require(` + type autofs_t; + ') + + allow $1 autofs_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Read generic tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_read_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + read_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## <summary> +## Read and write generic tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_rw_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + rw_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## <summary> +## Read tmpfs link files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_read_tmpfs_symlinks',` + gen_require(` + type tmpfs_t; + ') + + read_lnk_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## <summary> +## Read and write character nodes on tmpfs filesystems. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_rw_tmpfs_chr_files',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:dir list_dir_perms; + rw_chr_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## <summary> +## dontaudit Read and write character nodes on tmpfs filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_use_tmpfs_chr_dev',` + gen_require(` + type tmpfs_t; + ') + + dontaudit $1 tmpfs_t:dir list_dir_perms; + dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms; +') + +######################################## +## <summary> +## dontaudit Read and write block nodes on tmpfs filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_dontaudit_read_tmpfs_blk_dev',` + gen_require(` + type tmpfs_t; + ') + + dontaudit $1 tmpfs_t:blk_file read_blk_file_perms; +') + +######################################## +## <summary> +## Relabel character nodes on tmpfs filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_relabel_tmpfs_chr_file',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:dir list_dir_perms; + relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## <summary> +## Read and write block nodes on tmpfs filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_rw_tmpfs_blk_files',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:dir list_dir_perms; + rw_blk_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## <summary> +## Relabel block nodes on tmpfs filesystems. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_relabel_tmpfs_blk_file',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:dir list_dir_perms; + relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## <summary> +## Read and write, create and delete generic +## files on tmpfs filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + manage_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## <summary> +## Read and write, create and delete symbolic +## links on tmpfs filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_tmpfs_symlinks',` + gen_require(` + type tmpfs_t; + ') + + manage_lnk_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## <summary> +## Read and write, create and delete socket +## files on tmpfs filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_tmpfs_sockets',` + gen_require(` + type tmpfs_t; + ') + + manage_sock_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## <summary> +## Read and write, create and delete character +## nodes on tmpfs filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_tmpfs_chr_files',` + gen_require(` + type tmpfs_t; + ') + + manage_chr_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## <summary> +## Read and write, create and delete block nodes +## on tmpfs filesystems. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_manage_tmpfs_blk_files',` + gen_require(` + type tmpfs_t; + ') + + manage_blk_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## <summary> +## Mount a XENFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_mount_xenfs',` + gen_require(` + type xenfs_t; + ') + + allow $1 xenfs_t:filesystem mount; +') + +######################################## +## <summary> +## Search the XENFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_search_xenfs',` + gen_require(` + type xenfs_t; + ') + + allow $1 xenfs_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete directories +## on a XENFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_manage_xenfs_dirs',` + gen_require(` + type xenfs_t; + ') + + allow $1 xenfs_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to create, read, +## write, and delete directories +## on a XENFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_manage_xenfs_dirs',` + gen_require(` + type xenfs_t; + ') + + dontaudit $1 xenfs_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete files +## on a XENFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`fs_manage_xenfs_files',` + gen_require(` + type xenfs_t; + ') + + manage_files_pattern($1, xenfs_t, xenfs_t) +') + +######################################## +## <summary> +## Do not audit attempts to create, +## read, write, and delete files +## on a XENFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_manage_xenfs_files',` + gen_require(` + type xenfs_t; + ') + + dontaudit $1 xenfs_t:file manage_file_perms; +') + +######################################## +## <summary> +## Mount all filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_mount_all_fs',` + gen_require(` + attribute filesystem_type; + ') + + allow $1 filesystem_type:filesystem mount; +') + +######################################## +## <summary> +## Remount all filesystems. This +## allows some mount options to be changed. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_remount_all_fs',` + gen_require(` + attribute filesystem_type; + ') + + allow $1 filesystem_type:filesystem remount; +') + +######################################## +## <summary> +## Unmount all filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_unmount_all_fs',` + gen_require(` + attribute filesystem_type; + ') + + allow $1 filesystem_type:filesystem unmount; +') + +######################################## +## <summary> +## Get the attributes of all filesystems. +## </summary> +## <desc> +## <p> +## Allow the specified domain to +## et the attributes of all filesystems. 
+## Example attributes: +## </p> +## <ul> +## <li>Type of the file system (e.g., ext3)</li> +## <li>Size of the file system</li> +## <li>Available space on the file system</li> +## </ul> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="5"/> +## <rolecap/> +# +interface(`fs_getattr_all_fs',` + gen_require(` + attribute filesystem_type; + ') + + allow $1 filesystem_type:filesystem getattr; + files_getattr_all_file_type_fs($1) +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## all filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_getattr_all_fs',` + gen_require(` + attribute filesystem_type; + ') + + dontaudit $1 filesystem_type:filesystem getattr; +') + +######################################## +## <summary> +## Get the quotas of all filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_get_all_fs_quotas',` + gen_require(` + attribute filesystem_type; + ') + + allow $1 filesystem_type:filesystem quotaget; +') + +######################################## +## <summary> +## Set the quotas of all filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_set_all_quotas',` + gen_require(` + attribute filesystem_type; + ') + + allow $1 filesystem_type:filesystem quotamod; +') + +######################################## +## <summary> +## Relabelfrom all filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fs_relabelfrom_all_fs',` + gen_require(` + attribute filesystem_type; + ') + + allow $1 filesystem_type:filesystem relabelfrom; +') + +######################################## +## <summary> +## Get the attributes of all directories +## with a filesystem type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_all_dirs',` + gen_require(` + attribute filesystem_type; + ') + + allow $1 filesystem_type:dir getattr; +') + +######################################## +## <summary> +## Search all directories with a filesystem type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_search_all',` + gen_require(` + attribute filesystem_type; + ') + + allow $1 filesystem_type:dir search_dir_perms; +') + +######################################## +## <summary> +## List all directories with a filesystem type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_list_all',` + gen_require(` + attribute filesystem_type; + ') + + allow $1 filesystem_type:dir list_dir_perms; +') + +######################################## +## <summary> +## Get the attributes of all files with +## a filesystem type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_all_files',` + gen_require(` + attribute filesystem_type; + ') + + getattr_files_pattern($1, filesystem_type, filesystem_type) +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of all files with a filesystem type. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`fs_dontaudit_getattr_all_files',` + gen_require(` + attribute filesystem_type; + ') + + dontaudit $1 filesystem_type:file getattr; +') + +######################################## +## <summary> +## Get the attributes of all symbolic links with +## a filesystem type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_all_symlinks',` + gen_require(` + attribute filesystem_type; + ') + + getattr_lnk_files_pattern($1, filesystem_type, filesystem_type) +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of all symbolic links with a filesystem type. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_getattr_all_symlinks',` + gen_require(` + attribute filesystem_type; + ') + + dontaudit $1 filesystem_type:lnk_file getattr; +') + +######################################## +## <summary> +## Get the attributes of all named pipes with +## a filesystem type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_all_pipes',` + gen_require(` + attribute filesystem_type; + ') + + getattr_fifo_files_pattern($1, filesystem_type, filesystem_type) +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of all named pipes with a filesystem type. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_getattr_all_pipes',` + gen_require(` + attribute filesystem_type; + ') + + dontaudit $1 filesystem_type:fifo_file getattr; +') + +######################################## +## <summary> +## Get the attributes of all named sockets with +## a filesystem type. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_all_sockets',` + gen_require(` + attribute filesystem_type; + ') + + getattr_sock_files_pattern($1, filesystem_type, filesystem_type) +') + + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of all named sockets with a filesystem type. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_dontaudit_getattr_all_sockets',` + gen_require(` + attribute filesystem_type; + ') + + dontaudit $1 filesystem_type:sock_file getattr; +') + +######################################## +## <summary> +## Get the attributes of all block device nodes with +## a filesystem type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_all_blk_files',` + gen_require(` + attribute filesystem_type; + ') + + getattr_blk_files_pattern($1, filesystem_type, filesystem_type) +') + +######################################## +## <summary> +## Get the attributes of all character device nodes with +## a filesystem type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_getattr_all_chr_files',` + gen_require(` + attribute filesystem_type; + ') + + getattr_chr_files_pattern($1, filesystem_type, filesystem_type) +') + +######################################## +## <summary> +## Unconfined access to filesystems +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fs_unconfined',` + gen_require(` + attribute filesystem_unconfined_type; + ') + + typeattribute $1 filesystem_unconfined_type; +') + +######################################## +## <summary> +## Do not audit attempts to read or write +## all leaked filesystems files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_dontaudit_leaks',` + gen_require(` + attribute filesystem_type; + ') + + dontaudit $1 filesystem_type:file rw_inherited_file_perms; + dontaudit $1 filesystem_type:lnk_file { read }; +') + diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te new file mode 100644 index 0000000..a09ab47 --- /dev/null +++ b/policy/modules/kernel/filesystem.te 
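Review bot: two of the dontaudit interfaces in this hunk document their parameter as `Domain allowed access.` where it should read `Domain to not audit.`: `fs_dontaudit_read_tmpfs_blk_dev` and `fs_dontaudit_leaks`. In the same place, `fs_dontaudit_read_tmpfs_blk_dev` is named and implemented as read-only (`dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;`) but its summary says `dontaudit Read and write block nodes on tmpfs filesystems.`; either the summary should say read only, or the rule should use rw_blk_file_perms if write denials are meant to be silenced too, since the interface documentation is what module authors rely on when picking a call. Smaller documentation fixes in the same hunk: `auto moutpoints` in fs_manage_auto_mountpoints (an autofs_t interface sitting in the middle of the tmpfs block), `et the attributes of all filesystems` in the fs_getattr_all_fs description, `get the attributes all filesystems` (missing "of") in fs_dontaudit_getattr_all_fs, `some mount option to be changed` in fs_remount_rpc_pipefs, and the fs_rw_rpc_named_pipes banner has 41 `#` characters where every other banner has 40.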
@@ -0,0 +1,315 @@ +policy_module(filesystem, 1.13.3) + +######################################## +# +# Declarations +# + +attribute filesystem_type; +attribute filesystem_unconfined_type; +attribute noxattrfs; + +############################## +# +# fs_t is the default type for persistent +# filesystems with extended attributes +# +type fs_t; +fs_type(fs_t) +sid fs gen_context(system_u:object_r:fs_t,s0) + +# Use xattrs for the following filesystem types. +# Requires that a security xattr handler exist for the filesystem. +fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); + +# Use the allocating task SID to label inodes in the following filesystem +# types, and label the filesystem itself with the specified context. +# This is appropriate for pseudo filesystems that represent objects +# like pipes and sockets, so that these objects are labeled with the same +# type as the creating task. 
+fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0); +fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0); +fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0); + +############################## +# +# Non-persistent/pseudo filesystems +# + +type anon_inodefs_t; +fs_type(anon_inodefs_t) +files_mountpoint(anon_inodefs_t) +genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) +mls_trusted_object(anon_inodefs_t) + +type bdev_t; +fs_type(bdev_t) +genfscon bdev / gen_context(system_u:object_r:bdev_t,s0) + +type binfmt_misc_fs_t; +fs_type(binfmt_misc_fs_t) +files_mountpoint(binfmt_misc_fs_t) +genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) + +type capifs_t; +fs_type(capifs_t) +files_mountpoint(capifs_t) +genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) + +type cgroup_t alias cgroupfs_t; +fs_type(cgroup_t) +files_type(cgroup_t) +files_mountpoint(cgroup_t) +dev_associate_sysfs(cgroup_t) +genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) + +type configfs_t; +fs_type(configfs_t) +genfscon configfs / gen_context(system_u:object_r:configfs_t,s0) + +type cpusetfs_t; +fs_type(cpusetfs_t) +allow cpusetfs_t self:filesystem associate; +genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0) + +type ecryptfs_t; +fs_noxattr_type(ecryptfs_t) +files_mountpoint(ecryptfs_t) +genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) + +type eventpollfs_t; +fs_type(eventpollfs_t) +# change to task SID 20060628 +#genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0) + +type futexfs_t; +fs_type(futexfs_t) +genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) + +type hugetlbfs_t; +fs_type(hugetlbfs_t) +files_mountpoint(hugetlbfs_t) +fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); +dev_associate(hugetlbfs_t) + +type ibmasmfs_t; +fs_type(ibmasmfs_t) +allow ibmasmfs_t self:filesystem associate; +genfscon ibmasmfs / 
gen_context(system_u:object_r:ibmasmfs_t,s0) + +# +# infinibandeventfs fs +# + +type infinibandeventfs_t; +fs_type(infinibandeventfs_t) +allow infinibandeventfs_t self:filesystem associate; +genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0) + +type inotifyfs_t; +fs_type(inotifyfs_t) +genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) + +type mvfs_t; +fs_noxattr_type(mvfs_t) +allow mvfs_t self:filesystem associate; +genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) + +type nfsd_fs_t; +fs_type(nfsd_fs_t) +genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) + +type oprofilefs_t; +fs_type(oprofilefs_t) +genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0) + +type ramfs_t; +fs_type(ramfs_t) +files_mountpoint(ramfs_t) +genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0) + +type romfs_t; +fs_type(romfs_t) +genfscon romfs / gen_context(system_u:object_r:romfs_t,s0) +genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0) + +type rpc_pipefs_t; +fs_type(rpc_pipefs_t) +genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0) +files_mountpoint(rpc_pipefs_t) + +type spufs_t; +fs_type(spufs_t) +genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) +files_mountpoint(spufs_t) + +type squash_t; +fs_type(squash_t) +genfscon squash / gen_context(system_u:object_r:squash_t,s0) +files_mountpoint(squash_t) + +type sysv_t; +fs_noxattr_type(sysv_t) +files_mountpoint(sysv_t) +genfscon sysv / gen_context(system_u:object_r:sysv_t,s0) +genfscon v7 / gen_context(system_u:object_r:sysv_t,s0) + +type vmblock_t; +fs_noxattr_type(vmblock_t) +files_mountpoint(vmblock_t) +genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0) +genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0) +genfscon vmhgfs / gen_context(system_u:object_r:vmblock_t,s0) + +type vxfs_t; +fs_noxattr_type(vxfs_t) +files_mountpoint(vxfs_t) +genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) + +# +# 
tmpfs_t is the type for tmpfs filesystems +# +type tmpfs_t; +fs_type(tmpfs_t) +files_type(tmpfs_t) +files_mountpoint(tmpfs_t) +files_poly_parent(tmpfs_t) +dev_associate(tmpfs_t) + +# Use a transition SID based on the allocating task SID and the +# filesystem SID to label inodes in the following filesystem types, +# and label the filesystem itself with the specified context. +# This is appropriate for pseudo filesystems like devpts and tmpfs +# where we want to label objects with a derived type. +fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0); +fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0); +fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0); + +allow tmpfs_t noxattrfs:filesystem associate; + +type xenfs_t; +fs_noxattr_type(xenfs_t) +files_mountpoint(xenfs_t) +genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0) + +############################## +# +# Filesystems without extended attribute support +# + +type autofs_t; +fs_noxattr_type(autofs_t) +files_mountpoint(autofs_t) +genfscon autofs / gen_context(system_u:object_r:autofs_t,s0) +genfscon automount / gen_context(system_u:object_r:autofs_t,s0) + +# +# cifs_t is the type for filesystems and their +# files shared from Windows servers +# +type cifs_t alias sambafs_t; +fs_noxattr_type(cifs_t) +files_mountpoint(cifs_t) +genfscon cifs / gen_context(system_u:object_r:cifs_t,s0) +genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0) + +# +# dosfs_t is the type for fat and vfat +# filesystems and their files. 
+# +type dosfs_t; +fs_noxattr_type(dosfs_t) +files_mountpoint(dosfs_t) +allow dosfs_t fs_t:filesystem associate; +genfscon fat / gen_context(system_u:object_r:dosfs_t,s0) +genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0) +genfscon hfsplus / gen_context(system_u:object_r:dosfs_t,s0) +genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0) +genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0) +genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0) +genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0) + +type fusefs_t; +fs_noxattr_type(fusefs_t) +files_mountpoint(fusefs_t) +allow fusefs_t self:filesystem associate; +allow fusefs_t fs_t:filesystem associate; +genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0) +genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0) +genfscon fusectl / gen_context(system_u:object_r:fusefs_t,s0) + +# +# iso9660_t is the type for CD filesystems +# and their files. +# +type iso9660_t; +fs_noxattr_type(iso9660_t) +files_mountpoint(iso9660_t) +genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0) +genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) + +# +# removable_t is the default type of all removable media +# +type removable_t; +allow removable_t noxattrfs:filesystem associate; +fs_noxattr_type(removable_t) +files_type(removable_t) +files_mountpoint(removable_t) + +# +# nfs_t is the default type for NFS file systems +# and their files. 
+# +type nfs_t; +fs_noxattr_type(nfs_t) +files_mountpoint(nfs_t) +genfscon nfs / gen_context(system_u:object_r:nfs_t,s0) +genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0) +genfscon afs / gen_context(system_u:object_r:nfs_t,s0) +genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0) +genfscon coda / gen_context(system_u:object_r:nfs_t,s0) +genfscon lustre / gen_context(system_u:object_r:nfs_t,s0) +genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) +genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) +genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) + +######################################## +# +# Rules for all filesystem types +# + +allow filesystem_type self:filesystem associate; + +######################################## +# +# Rules for filesystems without xattr support +# + +# Allow me to mv from one noxattrfs to another nfs_t to dosfs_t for example +fs_associate_noxattr(noxattrfs) + +######################################## +# +# Unconfined access to this module +# + +allow filesystem_unconfined_type filesystem_type:filesystem *; + +# Create/access other files. fs_type is to pick up various +# pseudo filesystem types that are applied to both the filesystem +# and its files. +allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *; diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc new file mode 100644 index 0000000..7be4ddf --- /dev/null +++ b/policy/modules/kernel/kernel.fc @@ -0,0 +1 @@ +# This module currently does not have any file contexts. diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if new file mode 100644 index 0000000..10c14fe --- /dev/null +++ b/policy/modules/kernel/kernel.if 
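Review bot: `lustre` is labeled twice with conflicting types in this hunk: `fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);` in the xattr block and `genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)` in the nfs_t group. The kernel resolves a superblock's labeling behaviour from fs_use_* entries before falling back to genfscon, so the genfscon line is dead, and a reader of the nfs_t block would wrongly conclude lustre is treated as a noxattr network filesystem; drop one of the two. The same group lists `reiserfs` under the comment `nfs_t is the default type for NFS file systems and their files.`, which needs a comment explaining why a local disk filesystem is grouped with the network ones (or an fs_use_xattr entry if it supports security xattrs). Redundancy: `allow cpusetfs_t self:filesystem associate;`, and the identical rule for ibmasmfs_t, infinibandeventfs_t, mvfs_t and fusefs_t, are already covered by `allow filesystem_type self:filesystem associate;` under "Rules for all filesystem types", given that fs_type() and fs_noxattr_type() attach that attribute, so they can be removed. `type eventpollfs_t;` is declared but its only use is the commented-out genfscon (eventpollfs is labeled by `fs_use_task eventpollfs` above); either remove the type or say in the comment why it is kept. Finally, the two `allow filesystem_unconfined_type filesystem_type:... *;` wildcard rules deserve a comment stating that any permission later added to the filesystem or file classes is granted to unconfined domains automatically; that is the intended semantics of the unconfined attribute, but it is worth making explicit next to the rule.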
@@ -0,0 +1,2958 @@ +## <summary> +## Policy for kernel threads, proc filesystem, +## and unlabeled processes and objects. +## </summary> +## <required val="true"> +## This module has initial SIDs. +## </required> + +######################################## +## <summary> +## Allows to start userland processes +## by transitioning to the specified domain. +## </summary> +## <param name="domain"> +## <summary> +## The process type entered by kernel. +## </summary> +## </param> +## <param name="entrypoint"> +## <summary> +## The executable type for the entrypoint. +## </summary> +## </param> +# +interface(`kernel_domtrans_to',` + gen_require(` + type kernel_t; + ') + + domtrans_pattern(kernel_t, $2, $1) +') + +######################################## +## <summary> +## Allows to start userland processes +## by transitioning to the specified domain, +## with a range transition. +## </summary> +## <param name="domain"> +## <summary> +## The process type entered by kernel. +## </summary> +## </param> +## <param name="entrypoint"> +## <summary> +## The executable type for the entrypoint. +## </summary> +## </param> +## <param name="range"> +## <summary> +## Range for the domain. +## </summary> +## </param> +# +interface(`kernel_ranged_domtrans_to',` + gen_require(` + type kernel_t; + ') + + kernel_domtrans_to($1, $2) + + ifdef(`enable_mcs',` + range_transition kernel_t $2:process $3; + ') + + ifdef(`enable_mls',` + range_transition kernel_t $2:process $3; + mls_rangetrans_target($1) + ') +') + +######################################## +## <summary> +## Allows the kernel to mount filesystems on +## the specified directory type. +## </summary> +## <param name="directory_type"> +## <summary> +## The type of the directory to use as a mountpoint. 
+## </summary> +## </param> +# +interface(`kernel_rootfs_mountpoint',` + gen_require(` + type kernel_t; + ') + + allow kernel_t $1:dir mounton; +') + +######################################## +## <summary> +## Set the process group of kernel threads. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_setpgid',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:process setpgid; +') + +######################################## +## <summary> +## Set the priority of kernel threads. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_setsched',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:process setsched; +') + +######################################## +## <summary> +## Send a SIGCHLD signal to kernel threads. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_sigchld',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:process sigchld; +') + +######################################## +## <summary> +## Send a kill signal to kernel threads. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_kill',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:process sigkill; +') + +######################################## +## <summary> +## Send a generic signal to kernel threads. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_signal',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:process signal; +') + +######################################## +## <summary> +## Allows the kernel to share state information with +## the caller. 
+## </summary> +## <param name="domain"> +## <summary> +## The type of the process with which to share state information. +## </summary> +## </param> +# +interface(`kernel_share_state',` + gen_require(` + type kernel_t; + ') + + allow kernel_t $1:process share; +') + +######################################## +## <summary> +## Permits caller to use kernel file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_use_fds',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to use +## kernel file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_use_fds',` + gen_require(` + type kernel_t; + ') + + dontaudit $1 kernel_t:fd use; +') + +######################################## +## <summary> +## Read and write kernel unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_rw_pipes',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:fifo_file { read write }; +') + +######################################## +## <summary> +## Read and write kernel unix datagram sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_rw_unix_dgram_sockets',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:unix_dgram_socket { read write ioctl }; +') + +######################################## +## <summary> +## Send messages to kernel unix datagram sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`kernel_dgram_send',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:unix_dgram_socket sendto; +') + +######################################## +## <summary> +## Receive messages from kernel TCP sockets. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_tcp_recvfrom',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Send UDP network traffic to the kernel. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_udp_send',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Receive messages from kernel UDP sockets. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_udp_recvfrom',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Allows caller to load kernel modules +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_load_module',` + gen_require(` + attribute can_load_kernmodule; + ') + + allow $1 self:capability sys_module; + typeattribute $1 can_load_kernmodule; + + # load_module() calls stop_machine() which + # calls sched_setscheduler() + allow $1 self:capability sys_nice; + kernel_setsched($1) +') + +######################################## +## <summary> +## Allow search the kernel key ring. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`kernel_search_key',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:key search; +') + +######################################## +## <summary> +## dontaudit search the kernel key ring. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_search_key',` + gen_require(` + type kernel_t; + ') + + dontaudit $1 kernel_t:key search; +') + +######################################## +## <summary> +## Allow link to the kernel key ring. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_link_key',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:key link; +') + +######################################## +## <summary> +## dontaudit link to the kernel key ring. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_link_key',` + gen_require(` + type kernel_t; + ') + + dontaudit $1 kernel_t:key link; +') + +######################################## +## <summary> +## Allows caller to read the ring buffer. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_read_ring_buffer',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:system syslog_read; +') + +######################################## +## <summary> +## Do not audit attempts to read the ring buffer. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_read_ring_buffer',` + gen_require(` + type kernel_t; + ') + + dontaudit $1 kernel_t:system syslog_read; +') + +######################################## +## <summary> +## Change the level of kernel messages logged to the console. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_change_ring_buffer_level',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:system syslog_console; +') + +######################################## +## <summary> +## Allows the caller to clear the ring buffer. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_clear_ring_buffer',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:system syslog_mod; +') + +######################################## +## <summary> +## Allows caller to request the kernel to load a module +## </summary> +## <desc> +## <p> +## Allow the specified domain to request that the kernel +## load a kernel module. An example of this is the +## auto-loading of network drivers when doing an +## ioctl() on a network interface. +## </p> +## <p> +## In the specific case of a module loading request +## on a network interface, the domain will also +## need the net_admin capability. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_request_load_module',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:system module_request; +') + +######################################## +## <summary> +## Do not audit requests to the kernel to load a module. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_request_load_module',` + gen_require(` + type kernel_t; + ') + + dontaudit $1 kernel_t:system module_request; +') + +######################################## +## <summary> +## Get information on all System V IPC objects. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`kernel_get_sysvipc_info',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:system ipc_info; +') + +######################################## +## <summary> +## Get the attributes of a kernel debugging filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_getattr_debugfs',` + gen_require(` + type debugfs_t; + ') + + allow $1 debugfs_t:filesystem getattr; +') + +######################################## +## <summary> +## Mount a kernel debugging filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_mount_debugfs',` + gen_require(` + type debugfs_t; + ') + + allow $1 debugfs_t:filesystem mount; +') + +######################################## +## <summary> +## Unmount a kernel debugging filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_unmount_debugfs',` + gen_require(` + type debugfs_t; + ') + + allow $1 debugfs_t:filesystem unmount; +') + +######################################## +## <summary> +## Remount a kernel debugging filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_remount_debugfs',` + gen_require(` + type debugfs_t; + ') + + allow $1 debugfs_t:filesystem remount; +') + +######################################## +## <summary> +## Search the contents of a kernel debugging filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_search_debugfs',` + gen_require(` + type debugfs_t; + ') + + search_dirs_pattern($1, debugfs_t, debugfs_t) +') + +######################################## +## <summary> +## Do not audit attempts to search the kernel debugging filesystem. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_search_debugfs',` + gen_require(` + type debugfs_t; + ') + + dontaudit $1 debugfs_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Read information from the debugging filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_read_debugfs',` + gen_require(` + type debugfs_t; + ') + + read_files_pattern($1, debugfs_t, debugfs_t) + read_lnk_files_pattern($1, debugfs_t, debugfs_t) + list_dirs_pattern($1, debugfs_t, debugfs_t) +') + +######################################## +## <summary> +## Read/Write information from the debugging filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_rw_debugfs',` + gen_require(` + type debugfs_t; + ') + + rw_files_pattern($1, debugfs_t, debugfs_t) + read_lnk_files_pattern($1, debugfs_t, debugfs_t) + list_dirs_pattern($1, debugfs_t, debugfs_t) +') + +######################################## +## <summary> +## Manage information from the debugging filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_manage_debugfs',` + gen_require(` + type debugfs_t; + ') + + manage_files_pattern($1, debugfs_t, debugfs_t) + read_lnk_files_pattern($1, debugfs_t, debugfs_t) + list_dirs_pattern($1, debugfs_t, debugfs_t) +') + +######################################## +## <summary> +## Mount a kernel VM filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`kernel_mount_kvmfs',` + gen_require(` + type kvmfs_t; + ') + + allow $1 kvmfs_t:filesystem mount; +') + +######################################## +## <summary> +## Unmount the proc filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_unmount_proc',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:filesystem unmount; +') + +######################################## +## <summary> +## Get the attributes of the proc filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_getattr_proc',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:filesystem getattr; +') + +######################################## +## <summary> +## Search directories in /proc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_search_proc',` + gen_require(` + type proc_t; + ') + + search_dirs_pattern($1, proc_t, proc_t) +') + +######################################## +## <summary> +## List the contents of directories in /proc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_list_proc',` + gen_require(` + type proc_t; + ') + + list_dirs_pattern($1, proc_t, proc_t) +') + +######################################## +## <summary> +## Do not audit attempts to list the +## contents of directories in /proc. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_list_proc',` + gen_require(` + type proc_t; + ') + + dontaudit $1 proc_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Get the attributes of files in /proc. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_getattr_proc_files',` + gen_require(` + type proc_t; + ') + + getattr_files_pattern($1, proc_t, proc_t) +') + +######################################## +## <summary> +## Read generic symbolic links in /proc. +## </summary> +## <desc> +## <p> +## Allow the specified domain to read (follow) generic +## symbolic links (symlinks) in the proc filesystem (/proc). +## This interface does not include access to the targets of +## these links. An example symlink is /proc/self. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`kernel_read_proc_symlinks',` + gen_require(` + type proc_t; + ') + + read_lnk_files_pattern($1, proc_t, proc_t) +') + +######################################## +## <summary> +## Allows caller to read system state information in /proc. +## </summary> +## <desc> +## <p> +## Allow the specified domain to read general system +## state information from the proc filesystem (/proc). +## </p> +## <p> +## Generally it should be safe to allow this access. Some +## example files that can be read based on this interface: +## </p> +## <ul> +## <li>/proc/cpuinfo</li> +## <li>/proc/meminfo</li> +## <li>/proc/uptime</li> +## </ul> +## <p> +## This does not allow access to sysctl entries (/proc/sys/*) +## nor process state information (/proc/pid). +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +## <rolecap/> +# +interface(`kernel_read_system_state',` + gen_require(` + type proc_t; + ') + + read_files_pattern($1, proc_t, proc_t) + read_lnk_files_pattern($1, proc_t, proc_t) + + list_dirs_pattern($1, proc_t, proc_t) +') + +######################################## +## <summary> +## Write to generic proc entries. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +# cjp: this should probably go away. any +# file thats writable in proc should really +# have its own label. +# +interface(`kernel_write_proc_files',` + gen_require(` + type proc_t; + ') + + write_files_pattern($1, proc_t, proc_t) +') + +######################################## +## <summary> +## Do not audit attempts by caller to +## read system state information in proc. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_read_system_state',` + gen_require(` + type proc_t; + ') + + dontaudit $1 proc_t:file read_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts by caller to +## read system state information in proc. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_read_proc_symlinks',` + gen_require(` + type proc_t; + ') + + dontaudit $1 proc_t:lnk_file read; +') + +####################################### +## <summary> +## Allow caller to read and write state information for AFS. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_rw_afs_state',` + gen_require(` + type proc_t, proc_afs_t; + ') + + list_dirs_pattern($1, proc_t, proc_t) + rw_files_pattern($1, proc_afs_t, proc_afs_t) +') + +####################################### +## <summary> +## Allow caller to read the state information for software raid. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_read_software_raid_state',` + gen_require(` + type proc_t, proc_mdstat_t; + ') + + read_files_pattern($1, proc_t, proc_mdstat_t) + + list_dirs_pattern($1, proc_t, proc_t) +') + +####################################### +## <summary> +## Allow caller to read and set the state information for software raid. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_rw_software_raid_state',` + gen_require(` + type proc_t, proc_mdstat_t; + ') + + rw_files_pattern($1, proc_t, proc_mdstat_t) + + list_dirs_pattern($1, proc_t, proc_t) +') + +######################################## +## <summary> +## Allows caller to get attribues of core kernel interface. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_getattr_core_if',` + gen_require(` + type proc_t, proc_kcore_t; + ') + + getattr_files_pattern($1, proc_t, proc_kcore_t) + + list_dirs_pattern($1, proc_t, proc_t) +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes of +## core kernel interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_getattr_core_if',` + gen_require(` + type proc_kcore_t; + ') + + dontaudit $1 proc_kcore_t:file getattr; +') + +######################################## +## <summary> +## Allows caller to read the core kernel interface. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`kernel_read_core_if',` + gen_require(` + type proc_t, proc_kcore_t; + attribute can_dump_kernel; + ') + + allow $1 self:capability sys_rawio; + read_files_pattern($1, proc_t, proc_kcore_t) + list_dirs_pattern($1, proc_t, proc_t) + + typeattribute $1 can_dump_kernel; +') + +######################################## +## <summary> +## Allow caller to read kernel messages +## using the /proc/kmsg interface. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_read_messages',` + gen_require(` + attribute can_receive_kernel_messages; + type proc_kmsg_t, proc_t; + ') + + read_files_pattern($1, proc_t, proc_kmsg_t) + + typeattribute $1 can_receive_kernel_messages; +') + +######################################## +## <summary> +## Allow caller to get the attributes of kernel message +## interface (/proc/kmsg). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_getattr_message_if',` + gen_require(` + type proc_kmsg_t, proc_t; + ') + + getattr_files_pattern($1, proc_t, proc_kmsg_t) +') + +######################################## +## <summary> +## Do not audit attempts by caller to get the attributes of kernel +## message interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_getattr_message_if',` + gen_require(` + type proc_kmsg_t, proc_t; + ') + + dontaudit $1 proc_kmsg_t:file getattr; +') + +######################################## +## <summary> +## Do not audit attempts to search the network +## state directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +## +# +interface(`kernel_dontaudit_search_network_state',` + gen_require(` + type proc_net_t; + ') + + dontaudit $1 proc_net_t:dir search; +') + +######################################## +## <summary> +## Allow searching of network state directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## +# +interface(`kernel_search_network_state',` + gen_require(` + type proc_net_t; + ') + + search_dirs_pattern($1, proc_t, proc_net_t) +') + +######################################## +## <summary> +## Read the network state information. +## </summary> +## <desc> +## <p> +## Allow the specified domain to read the networking +## state information. This includes several pieces +## of networking information, such as network interface +## names, netfilter (iptables) statistics, protocol +## information, routes, and remote procedure call (RPC) +## information. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +## <rolecap/> +# +interface(`kernel_read_network_state',` + gen_require(` + type proc_t, proc_net_t; + ') + + read_files_pattern($1, { proc_t proc_net_t }, proc_net_t) + read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t) + + list_dirs_pattern($1, proc_t, proc_net_t) +') + +######################################## +## <summary> +## Allow caller to read the network state symbolic links. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_read_network_state_symlinks',` + gen_require(` + type proc_t, proc_net_t; + ') + + read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t) + + list_dirs_pattern($1, proc_t, proc_net_t) +') + +######################################## +## <summary> +## Allow searching of xen state directory. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## +# +interface(`kernel_search_xen_state',` + gen_require(` + type proc_t, proc_xen_t; + ') + + search_dirs_pattern($1, proc_t, proc_xen_t) +') + +######################################## +## <summary> +## Do not audit attempts to search the xen +## state directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +## +# +interface(`kernel_dontaudit_search_xen_state',` + gen_require(` + type proc_xen_t; + ') + + dontaudit $1 proc_xen_t:dir search; +') + +######################################## +## <summary> +## Allow caller to read the xen state information. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## +# +interface(`kernel_read_xen_state',` + gen_require(` + type proc_t, proc_xen_t; + ') + + read_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) + read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) + + list_dirs_pattern($1, proc_t, proc_xen_t) +') + +######################################## +## <summary> +## Allow caller to read the xen state symbolic links. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## +# +interface(`kernel_read_xen_state_symlinks',` + gen_require(` + type proc_t, proc_xen_t; + ') + + read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) + + list_dirs_pattern($1, proc_t, proc_xen_t) +') + +######################################## +## <summary> +## Allow caller to write xen state information. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## +# +interface(`kernel_write_xen_state',` + gen_require(` + type proc_t, proc_xen_t; + ') + + write_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) +') + +######################################## +## <summary> +## Allow attempts to list all proc directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_list_all_proc',` + gen_require(` + attribute proc_type; + ') + + allow $1 proc_type:dir list_dir_perms; + allow $1 proc_type:file getattr; +') + +######################################## +## <summary> +## Do not audit attempts to list all proc directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_list_all_proc',` + gen_require(` + attribute proc_type; + ') + + dontaudit $1 proc_type:dir list_dir_perms; + dontaudit $1 proc_type:file getattr; +') + +######################################## +## <summary> +## Do not audit attempts by caller to search +## the base directory of sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +## +# +interface(`kernel_dontaudit_search_sysctl',` + gen_require(` + type sysctl_t; + ') + + dontaudit $1 sysctl_t:dir search; +') + +######################################## +## <summary> +## Allow access to read sysctl directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## +# +interface(`kernel_read_sysctl',` + gen_require(` + type sysctl_t, proc_t; + ') + + list_dirs_pattern($1, proc_t, sysctl_t) + read_files_pattern($1, sysctl_t, sysctl_t) +') + +######################################## +## <summary> +## Allow caller to read the device sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_read_device_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_dev_t; + ') + + read_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t) + + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t) +') + +######################################## +## <summary> +## Read and write device sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_rw_device_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_dev_t; + ') + + rw_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t) + + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t) +') + +######################################## +## <summary> +## Allow caller to search virtual memory sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_search_vm_sysctl',` + gen_require(` + type proc_t, sysctl_t, sysctl_vm_t; + ') + + search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t) +') + +######################################## +## <summary> +## Allow caller to read virtual memory sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_read_vm_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_vm_t; + ') + + read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t) + + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t) +') + +######################################## +## <summary> +## Read and write virtual memory sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_rw_vm_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_vm_t; + ') + + rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t) + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t) + + # hal needs this + allow $1 sysctl_vm_t:dir write; +') + +######################################## +## <summary> +## Search network sysctl directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_search_network_sysctl',` + gen_require(` + type proc_t, sysctl_t, sysctl_net_t; + ') + + search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) +') + +######################################## +## <summary> +## Do not audit attempts by caller to search network sysctl directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_search_network_sysctl',` + gen_require(` + type sysctl_net_t; + ') + + dontaudit $1 sysctl_net_t:dir search; +') + +######################################## +## <summary> +## Allow caller to read network sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_read_net_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_net_t; + ') + + read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) + + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) +') + +######################################## +## <summary> +## Allow caller to modiry contents of sysctl network files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_rw_net_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_net_t; + ') + + rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) + + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) +') + +######################################## +## <summary> +## Allow caller to read unix domain +## socket sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_read_unix_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; + ') + + read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) + + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) +') + +######################################## +## <summary> +## Read and write unix domain +## socket sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_rw_unix_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; + ') + + rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) + + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) +') + +######################################## +## <summary> +## Read the hotplug sysctl. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_read_hotplug_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t; + ') + + read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t) + + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) +') + +######################################## +## <summary> +## Read and write the hotplug sysctl. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_rw_hotplug_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t; + ') + + rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t) + + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) +') + +######################################## +## <summary> +## Read the modprobe sysctl. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_read_modprobe_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t; + ') + + read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t) + + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) +') + +######################################## +## <summary> +## Read and write the modprobe sysctl. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_rw_modprobe_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t; + ') + + rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t) + + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) +') + +######################################## +## <summary> +## Do not audit attempts to search generic kernel sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_search_kernel_sysctl',` + gen_require(` + type sysctl_kernel_t; + ') + + dontaudit $1 sysctl_kernel_t:dir search; +') + +######################################## +## <summary> +## Read generic crypto sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`kernel_read_crypto_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_crypto_t; + ') + + read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t) + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t) +') + +######################################## +## <summary> +## Read general kernel sysctls. +## </summary> +## <desc> +## <p> +## Allow the specified domain to read general +## kernel sysctl settings. These settings are typically +## read using the sysctl program. The settings +## that are included by this interface are prefixed +## with "kernel.", for example, kernel.sysrq. +## </p> +## <p> +## This does not include access to the hotplug +## handler setting (kernel.hotplug) +## nor the module installer handler setting +## (kernel.modprobe). +## </p> +## <p> +## Related interfaces: +## </p> +## <ul> +## <li>kernel_rw_kernel_sysctl()</li> +## </ul> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`kernel_read_kernel_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_kernel_t; + ') + + read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t) + + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) +') + +######################################## +## <summary> +## Do not audit attempts to write generic kernel sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_write_kernel_sysctl',` + gen_require(` + type sysctl_kernel_t; + ') + + dontaudit $1 sysctl_kernel_t:file write; +') + +######################################## +## <summary> +## Read and write generic kernel sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_rw_kernel_sysctl',` + gen_require(` + type proc_t, sysctl_t, sysctl_kernel_t; + ') + + rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t) + + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) +') + +######################################## +## <summary> +## Read filesystem sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_read_fs_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_fs_t; + ') + + read_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t) + + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t) +') + +######################################## +## <summary> +## Read and write fileystem sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_rw_fs_sysctls',` + gen_require(` + type proc_t, sysctl_t, sysctl_fs_t; + ') + + rw_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t) + + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t) +') + +######################################## +## <summary> +## Read IRQ sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_read_irq_sysctls',` + gen_require(` + type proc_t, sysctl_irq_t; + ') + + read_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t) + + list_dirs_pattern($1, proc_t, sysctl_irq_t) +') + +######################################## +## <summary> +## Read and write IRQ sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_rw_irq_sysctls',` + gen_require(` + type proc_t, sysctl_irq_t; + ') + + rw_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t) + + list_dirs_pattern($1, proc_t, sysctl_irq_t) +') + +######################################## +## <summary> +## Read RPC sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_read_rpc_sysctls',` + gen_require(` + type proc_t, proc_net_t, sysctl_rpc_t; + ') + + read_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) + + list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) +') + +######################################## +## <summary> +## Read and write RPC sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_rw_rpc_sysctls',` + gen_require(` + type proc_t, proc_net_t, sysctl_rpc_t; + ') + + rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) + + list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) +') + +######################################## +## <summary> +## Do not audit attempts to list all sysctl directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_list_all_sysctls',` + gen_require(` + attribute sysctl_type; + ') + + dontaudit $1 sysctl_type:dir list_dir_perms; + dontaudit $1 sysctl_type:file read_file_perms; +') + +######################################## +## <summary> +## Allow caller to read all sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_read_all_sysctls',` + gen_require(` + attribute sysctl_type; + type proc_t, proc_net_t; + ') + + # proc_net_t for /proc/net/rpc sysctls + read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type) + + list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type) +') + +######################################## +## <summary> +## Read and write all sysctls. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_rw_all_sysctls',` + gen_require(` + attribute sysctl_type; + type proc_t, proc_net_t; + ') + + # proc_net_t for /proc/net/rpc sysctls + rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type) + + allow $1 sysctl_type:dir list_dir_perms; + # why is setattr needed? + allow $1 sysctl_type:file setattr; +') + +######################################## +## <summary> +## Send a kill signal to unlabeled processes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_kill_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:process sigkill; +') + +######################################## +## <summary> +## Mount a kernel unlabeled filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_mount_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:filesystem mount; +') + +######################################## +## <summary> +## Unmount a kernel unlabeled filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`kernel_unmount_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:filesystem unmount; +') + +######################################## +## <summary> +## Send general signals to unlabeled processes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_signal_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:process signal; +') + +######################################## +## <summary> +## Send a null signal to unlabeled processes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_signull_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:process signull; +') + +######################################## +## <summary> +## Send a stop signal to unlabeled processes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_sigstop_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:process sigstop; +') + +######################################## +## <summary> +## Send a child terminated signal to unlabeled processes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_sigchld_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:process sigchld; +') + +######################################## +## <summary> +## List unlabeled directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_list_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Read the process state (/proc/pid) of all unlabeled_t. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_read_unlabeled_state',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:dir list_dir_perms; + read_files_pattern($1, unlabeled_t, unlabeled_t) + read_lnk_files_pattern($1, unlabeled_t, unlabeled_t) +') + +######################################## +## <summary> +## Do not audit attempts to list unlabeled directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_dontaudit_list_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + dontaudit $1 unlabeled_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Read and write unlabeled directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_rw_unlabeled_dirs',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:dir rw_dir_perms; +') + +######################################## +## <summary> +## Read and write unlabeled files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_rw_unlabeled_files',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:file rw_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts by caller to get the +## attributes of an unlabeled file. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_getattr_unlabeled_files',` + gen_require(` + type unlabeled_t; + ') + + dontaudit $1 unlabeled_t:file getattr; +') + +######################################## +## <summary> +## Do not audit attempts by caller to +## read an unlabeled file. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_read_unlabeled_files',` + gen_require(` + type unlabeled_t; + ') + + dontaudit $1 unlabeled_t:file { getattr read }; +') + +######################################## +## <summary> +## Do not audit attempts by caller to get the +## attributes of unlabeled symbolic links. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_getattr_unlabeled_symlinks',` + gen_require(` + type unlabeled_t; + ') + + dontaudit $1 unlabeled_t:lnk_file getattr; +') + +######################################## +## <summary> +## Do not audit attempts by caller to get the +## attributes of unlabeled named pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_getattr_unlabeled_pipes',` + gen_require(` + type unlabeled_t; + ') + + dontaudit $1 unlabeled_t:fifo_file getattr; +') + +######################################## +## <summary> +## Do not audit attempts by caller to get the +## attributes of unlabeled named sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_getattr_unlabeled_sockets',` + gen_require(` + type unlabeled_t; + ') + + dontaudit $1 unlabeled_t:sock_file getattr; +') + +######################################## +## <summary> +## Do not audit attempts by caller to get attributes for +## unlabeled block devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`kernel_dontaudit_getattr_unlabeled_blk_files',` + gen_require(` + type unlabeled_t; + ') + + dontaudit $1 unlabeled_t:blk_file getattr; +') + +######################################## +## <summary> +## Read and write unlabeled block device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_rw_unlabeled_blk_files',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:blk_file getattr; +') + +######################################## +## <summary> +## Read and write unlabeled sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_rw_unlabeled_socket',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:socket rw_socket_perms; +') + +######################################## +## <summary> +## Do not audit attempts by caller to get attributes for +## unlabeled character devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_getattr_unlabeled_chr_files',` + gen_require(` + type unlabeled_t; + ') + + dontaudit $1 unlabeled_t:chr_file getattr; +') + +######################################## +## <summary> +## Allow caller to relabel unlabeled directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_relabelfrom_unlabeled_dirs',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:dir { list_dir_perms relabelfrom }; +') + +######################################## +## <summary> +## Allow caller to relabel unlabeled files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`kernel_relabelfrom_unlabeled_files',` + gen_require(` + type unlabeled_t; + ') + + kernel_list_unlabeled($1) + allow $1 unlabeled_t:file { getattr relabelfrom }; +') + +######################################## +## <summary> +## Allow caller to relabel unlabeled symbolic links. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_relabelfrom_unlabeled_symlinks',` + gen_require(` + type unlabeled_t; + ') + + kernel_list_unlabeled($1) + allow $1 unlabeled_t:lnk_file { getattr relabelfrom }; +') + +######################################## +## <summary> +## Allow caller to relabel unlabeled named pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_relabelfrom_unlabeled_pipes',` + gen_require(` + type unlabeled_t; + ') + + kernel_list_unlabeled($1) + allow $1 unlabeled_t:fifo_file { getattr relabelfrom }; +') + +######################################## +## <summary> +## Allow caller to relabel unlabeled named sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_relabelfrom_unlabeled_sockets',` + gen_require(` + type unlabeled_t; + ') + + kernel_list_unlabeled($1) + allow $1 unlabeled_t:sock_file { getattr relabelfrom }; +') + +######################################## +## <summary> +## Send and receive messages from an +## unlabeled IPSEC association. +## </summary> +## <desc> +## <p> +## Send and receive messages from an +## unlabeled IPSEC association. Network +## connections that are not protected +## by IPSEC have use an unlabeled +## assocation. +## </p> +## <p> +## The corenetwork interface +## corenet_non_ipsec_sendrecv() should +## be used instead of this one. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`kernel_sendrecv_unlabeled_association',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:association { sendto recvfrom }; + + # temporary hack until labeling on packets is supported + allow $1 unlabeled_t:packet { send recv }; +') + +######################################## +## <summary> +## Do not audit attempts to send and receive messages +## from an unlabeled IPSEC association. +## </summary> +## <desc> +## <p> +## Do not audit attempts to send and receive messages +## from an unlabeled IPSEC association. Network +## connections that are not protected +## by IPSEC have use an unlabeled +## assocation. +## </p> +## <p> +## The corenetwork interface +## corenet_dontaudit_non_ipsec_sendrecv() should +## be used instead of this one. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_sendrecv_unlabeled_association',` + gen_require(` + type unlabeled_t; + ') + + dontaudit $1 unlabeled_t:association { sendto recvfrom }; +') + +######################################## +## <summary> +## Receive TCP packets from an unlabeled connection. +## </summary> +## <desc> +## <p> +## Receive TCP packets from an unlabeled connection. +## </p> +## <p> +## The corenetwork interface corenet_tcp_recv_unlabeled() should +## be used instead of this one. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_tcp_recvfrom_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:tcp_socket recvfrom; +') + +######################################## +## <summary> +## Do not audit attempts to receive TCP packets from an unlabeled +## connection. +## </summary> +## <desc> +## <p> +## Do not audit attempts to receive TCP packets from an unlabeled +## connection. 
+## </p> +## <p> +## The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled() +## should be used instead of this one. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_tcp_recvfrom_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + dontaudit $1 unlabeled_t:tcp_socket recvfrom; +') + +######################################## +## <summary> +## Receive UDP packets from an unlabeled connection. +## </summary> +## <desc> +## <p> +## Receive UDP packets from an unlabeled connection. +## </p> +## <p> +## The corenetwork interface corenet_udp_recv_unlabeled() should +## be used instead of this one. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_udp_recvfrom_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:udp_socket recvfrom; +') + +######################################## +## <summary> +## Do not audit attempts to receive UDP packets from an unlabeled +## connection. +## </summary> +## <desc> +## <p> +## Do not audit attempts to receive UDP packets from an unlabeled +## connection. +## </p> +## <p> +## The corenetwork interface corenet_dontaudit_udp_recv_unlabeled() +## should be used instead of this one. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_udp_recvfrom_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + dontaudit $1 unlabeled_t:udp_socket recvfrom; +') + +######################################## +## <summary> +## Receive Raw IP packets from an unlabeled connection. +## </summary> +## <desc> +## <p> +## Receive Raw IP packets from an unlabeled connection. +## </p> +## <p> +## The corenetwork interface corenet_raw_recv_unlabeled() should +## be used instead of this one. 
+## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_raw_recvfrom_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:rawip_socket recvfrom; +') + +######################################## +## <summary> +## Do not audit attempts to receive Raw IP packets from an unlabeled +## connection. +## </summary> +## <desc> +## <p> +## Do not audit attempts to receive Raw IP packets from an unlabeled +## connection. +## </p> +## <p> +## The corenetwork interface corenet_dontaudit_raw_recv_unlabeled() +## should be used instead of this one. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_raw_recvfrom_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + dontaudit $1 unlabeled_t:rawip_socket recvfrom; +') + +######################################## +## <summary> +## Send and receive unlabeled packets. +## </summary> +## <desc> +## <p> +## Send and receive unlabeled packets. +## These packets do not match any netfilter +## SECMARK rules. +## </p> +## <p> +## The corenetwork interface +## corenet_sendrecv_unlabeled_packets() should +## be used instead of this one. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_sendrecv_unlabeled_packets',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:packet { send recv }; +') + +######################################## +## <summary> +## Receive packets from an unlabeled peer. +## </summary> +## <desc> +## <p> +## Receive packets from an unlabeled peer, these packets do not have any +## peer labeling information present. +## </p> +## <p> +## The corenetwork interface corenet_recvfrom_unlabeled_peer() should +## be used instead of this one. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`kernel_recvfrom_unlabeled_peer',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:peer recv; +') + +######################################## +## <summary> +## Do not audit attempts to receive packets from an unlabeled peer. +## </summary> +## <desc> +## <p> +## Do not audit attempts to receive packets from an unlabeled peer, +## these packets do not have any peer labeling information present. +## </p> +## <p> +## The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled() +## should be used instead of this one. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kernel_dontaudit_recvfrom_unlabeled_peer',` + gen_require(` + type unlabeled_t; + ') + + dontaudit $1 unlabeled_t:peer recv; +') + +######################################## +## <summary> +## Relabel from unlabeled database objects. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_relabelfrom_unlabeled_database',` + gen_require(` + type unlabeled_t; + class db_database { setattr relabelfrom }; + class db_table { setattr relabelfrom }; + class db_procedure { setattr relabelfrom }; + class db_column { setattr relabelfrom }; + class db_tuple { update relabelfrom }; + class db_blob { setattr relabelfrom }; + ') + + allow $1 unlabeled_t:db_database { setattr relabelfrom }; + allow $1 unlabeled_t:db_table { setattr relabelfrom }; + allow $1 unlabeled_t:db_procedure { setattr relabelfrom }; + allow $1 unlabeled_t:db_column { setattr relabelfrom }; + allow $1 unlabeled_t:db_tuple { update relabelfrom }; + allow $1 unlabeled_t:db_blob { setattr relabelfrom }; +') + +######################################## +## <summary> +## Relabel to unlabeled context . +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`kernel_relabelto_unlabeled',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:dir_file_class_set relabelto; +') + +######################################## +## <summary> +## Unconfined access to kernel module resources. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_unconfined',` + gen_require(` + attribute kern_unconfined; + ') + + typeattribute $1 kern_unconfined; +') + +######################################## +## <summary> +## Allow the specified domain to connect to +## the kernel with a unix socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_stream_connect',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:unix_stream_socket connectto; +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te new file mode 100644 index 0000000..806026c --- /dev/null +++ b/policy/modules/kernel/kernel.te 
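Review bot: kernel_rw_unlabeled_blk_files() does not grant what its summary promises; its body is only `allow $1 unlabeled_t:blk_file getattr;`, so either the rule should use rw_blk_file_perms or the summary should say "get attributes of" rather than "Read and write". Two more points in the same hunk: kernel_rw_all_sysctls() is being merged with the open question `# why is setattr needed?` next to the setattr rule, which should be resolved (drop the rule or name the caller that needs it) before the interface ships; and kernel_rw_vm_sysctls() adds `allow $1 sysctl_vm_t:dir write;` on the strength of "hal needs this" alone, and since dir write is beyond what rw_files_pattern grants, the comment should say which operation of hal requires it. kernel_relabelto_unlabeled() allows relabelto unlabeled_t on dir_file_class_set with no <desc>; relabeling an object to the unlabeled type discards its labeling, so a description of the intended caller would help anyone reviewing uses of it. Minor doc fixes: "modiry" in kernel_rw_net_sysctls(), "fileystem" in kernel_rw_fs_sysctls(), "have use an unlabeled assocation" in both association interfaces, the stray space in "unlabeled context .", and the param summary of kernel_dontaudit_list_unlabeled() should read "Domain to not audit." like the other dontaudit interfaces.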
@@ -0,0 +1,404 @@ +policy_module(kernel, 1.12.2) + +######################################## +# +# Declarations +# + +# assertion related attributes +attribute can_load_kernmodule; +attribute can_receive_kernel_messages; +attribute can_dump_kernel; + +neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module; + +# domains with unconfined access to kernel resources +attribute kern_unconfined; + +# regular entries in proc +attribute proc_type; + +# sysctls +attribute sysctl_type; + +role system_r; +role sysadm_r; +role staff_r; +role user_r; + +# here until order dependence is fixed: +role unconfined_r; + +ifdef(`enable_mls',` + role secadm_r; + role auditadm_r; +') + +# +# kernel_t is the domain of kernel threads. +# It is also the target type when checking permissions in the system class. +# +type kernel_t, can_load_kernmodule; +domain_base_type(kernel_t) +mls_rangetrans_source(kernel_t) +role system_r types kernel_t; +sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) + +# +# DebugFS +# + +type debugfs_t; +fs_type(debugfs_t) +allow debugfs_t self:filesystem associate; +genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) + +# +# kvmFS +# + +type kvmfs_t; +fs_type(kvmfs_t) +genfscon kvmfs / gen_context(system_u:object_r:kvmfs_t,s0) + +# +# Procfs types +# + +type proc_t, proc_type; +files_mountpoint(proc_t) +fs_type(proc_t) +genfscon proc / gen_context(system_u:object_r:proc_t,s0) +genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0) + +type proc_afs_t, proc_type; +genfscon proc /fs/openafs gen_context(system_u:object_r:proc_afs_t,s0) + +# kernel message interface +type proc_kmsg_t, proc_type; +genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh) +neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr; + +# /proc kcore: inaccessible +type proc_kcore_t, proc_type; +neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr; +genfscon proc 
/kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) + +type proc_mdstat_t, proc_type; +genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0) + +type proc_net_t, proc_type; +genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0) + +type proc_xen_t, proc_type; +files_mountpoint(proc_xen_t) +genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0) + +# +# Sysctl types +# + +# /proc/sys directory, base directory of sysctls +type sysctl_t, sysctl_type; +files_mountpoint(sysctl_t) +sid sysctl gen_context(system_u:object_r:sysctl_t,s0) +genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0) + +# /proc/irq directory and files +type sysctl_irq_t, sysctl_type; +genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0) + +# /proc/net/rpc directory and files +type sysctl_rpc_t, sysctl_type; +genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) + +# /proc/sys/crypto directory and files +type sysctl_crypto_t, sysctl_type; +genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0) + +# /proc/sys/fs directory and files +type sysctl_fs_t, sysctl_type; +files_mountpoint(sysctl_fs_t) +genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) + +# /proc/sys/kernel directory and files +type sysctl_kernel_t, sysctl_type; +genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0) + +# /proc/sys/kernel/modprobe file +type sysctl_modprobe_t, sysctl_type; +genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0) + +# /proc/sys/kernel/hotplug file +type sysctl_hotplug_t, sysctl_type; +genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:sysctl_hotplug_t,s0) + +# /proc/sys/net directory and files +type sysctl_net_t, sysctl_type; +genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0) + +# /proc/sys/net/unix directory and files +type sysctl_net_unix_t, sysctl_type; +genfscon proc /sys/net/unix 
gen_context(system_u:object_r:sysctl_net_unix_t,s0) + +# /proc/sys/vm directory and files +type sysctl_vm_t, sysctl_type; +genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) + +# /proc/sys/dev directory and files +type sysctl_dev_t, sysctl_type; +genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) + +# +# unlabeled_t is the type of unlabeled objects. +# Objects that have no known labeling information or that +# have labels that are no longer valid are treated as having this type. +# +type unlabeled_t; +sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +fs_associate(unlabeled_t) + +# These initial sids are no longer used, and can be removed: +sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +sid file_labels gen_context(system_u:object_r:unlabeled_t,s0) +sid icmp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +sid igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +sid init gen_context(system_u:object_r:unlabeled_t,s0) +sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +sid policy gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +sid scmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0) +sid sysctl_fs gen_context(system_u:object_r:unlabeled_t,s0) +sid sysctl_kernel gen_context(system_u:object_r:unlabeled_t,s0) +sid sysctl_net gen_context(system_u:object_r:unlabeled_t,s0) +sid sysctl_net_unix gen_context(system_u:object_r:unlabeled_t,s0) +sid sysctl_vm gen_context(system_u:object_r:unlabeled_t,s0) +sid sysctl_dev gen_context(system_u:object_r:unlabeled_t,s0) +sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) + +######################################## +# +# kernel local policy +# + +allow kernel_t self:capability *; +allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap 
}; +allow kernel_t self:shm create_shm_perms; +allow kernel_t self:sem create_sem_perms; +allow kernel_t self:msg { send receive }; +allow kernel_t self:msgq create_msgq_perms; +allow kernel_t self:unix_dgram_socket create_socket_perms; +allow kernel_t self:unix_stream_socket create_stream_socket_perms; +allow kernel_t self:unix_dgram_socket sendto; +allow kernel_t self:unix_stream_socket connectto; +allow kernel_t self:fifo_file rw_fifo_file_perms; +allow kernel_t self:sock_file read_sock_file_perms; +allow kernel_t self:fd use; + +allow kernel_t debugfs_t:dir search_dir_perms; + +allow kernel_t proc_t:dir list_dir_perms; +allow kernel_t proc_t:file read_file_perms; +allow kernel_t proc_t:lnk_file read_lnk_file_perms; + +allow kernel_t proc_net_t:dir list_dir_perms; +allow kernel_t proc_net_t:file read_file_perms; + +allow kernel_t proc_mdstat_t:file read_file_perms; + +allow kernel_t proc_kcore_t:file getattr; + +allow kernel_t proc_kmsg_t:file getattr; + +allow kernel_t sysctl_kernel_t:dir list_dir_perms; +allow kernel_t sysctl_kernel_t:file read_file_perms; +allow kernel_t sysctl_t:dir list_dir_perms; + +# Other possible mount points for the root fs are in files +allow kernel_t unlabeled_t:dir mounton; +# Kernel-generated traffic e.g., TCP resets on +# connections with invalidated labels: +allow kernel_t unlabeled_t:packet send; + +# Allow unlabeled network traffic +allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; +corenet_in_generic_if(unlabeled_t) +corenet_in_generic_node(unlabeled_t) + +corenet_all_recvfrom_unlabeled(kernel_t) +corenet_all_recvfrom_netlabel(kernel_t) +# Kernel-generated traffic e.g., ICMP replies: +corenet_raw_sendrecv_all_if(kernel_t) +corenet_raw_sendrecv_all_nodes(kernel_t) +corenet_raw_send_generic_if(kernel_t) +# Kernel-generated traffic e.g., TCP resets: +corenet_tcp_sendrecv_all_if(kernel_t) +corenet_tcp_sendrecv_all_nodes(kernel_t) +corenet_raw_send_generic_node(kernel_t) +corenet_send_all_packets(kernel_t) + 
+dev_read_sysfs(kernel_t) +dev_search_usbfs(kernel_t) +# devtmpfs handling: +dev_create_generic_dirs(kernel_t) +dev_delete_generic_dirs(kernel_t) +dev_create_generic_blk_files(kernel_t) +dev_delete_generic_blk_files(kernel_t) +dev_create_generic_chr_files(kernel_t) +dev_delete_generic_chr_files(kernel_t) +dev_mounton(kernel_t) + +# Mount root file system. Used when loading a policy +# from initrd, then mounting the root filesystem +fs_mount_all_fs(kernel_t) +fs_unmount_all_fs(kernel_t) + +selinux_load_policy(kernel_t) + +term_use_all_terms(kernel_t) +term_use_ptmx(kernel_t) + +corecmd_exec_shell(kernel_t) +corecmd_list_bin(kernel_t) +# /proc/sys/kernel/modprobe is set to /bin/true if not using modules. +corecmd_exec_bin(kernel_t) + +domain_signal_all_domains(kernel_t) +domain_search_all_domains_state(kernel_t) + +files_list_root(kernel_t) +files_list_etc(kernel_t) +files_list_home(kernel_t) +files_read_usr_files(kernel_t) +files_manage_mounttab(kernel_t) +files_manage_generic_spool_dirs(kernel_t) + +mcs_process_set_categories(kernel_t) +mcs_file_read_all(kernel_t) +mcs_file_write_all(kernel_t) + +mls_process_read_up(kernel_t) +mls_process_write_down(kernel_t) +mls_file_write_all_levels(kernel_t) +mls_file_read_all_levels(kernel_t) +mls_socket_write_all_levels(kernel_t) +mls_fd_share_all_levels(kernel_t) + +logging_manage_generic_logs(kernel_t) + +ifdef(`distro_redhat',` + # Bugzilla 222337 + fs_rw_tmpfs_chr_files(kernel_t) +') + +userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir }) + +optional_policy(` + hotplug_search_config(kernel_t) +') + +optional_policy(` + init_sigchld(kernel_t) +') + +optional_policy(` + libs_use_ld_so(kernel_t) + libs_use_shared_libs(kernel_t) +') + +optional_policy(` + logging_send_syslog_msg(kernel_t) +') + +optional_policy(` + nis_use_ypbind(kernel_t) +') + +optional_policy(` + # nfs kernel server needs kernel UDP access. It is less risky and painful + # to just give it everything. 
+ allow kernel_t self:tcp_socket create_stream_socket_perms; + allow kernel_t self:udp_socket create_socket_perms; + + # nfs kernel server needs kernel UDP access. It is less risky and painful + # to just give it everything. + corenet_udp_sendrecv_generic_if(kernel_t) + corenet_udp_sendrecv_generic_node(kernel_t) + corenet_udp_sendrecv_all_ports(kernel_t) + corenet_udp_bind_generic_node(kernel_t) + corenet_sendrecv_portmap_client_packets(kernel_t) + corenet_sendrecv_generic_server_packets(kernel_t) + + fs_getattr_xattr_fs(kernel_t) + + auth_dontaudit_getattr_shadow(kernel_t) + + sysnet_read_config(kernel_t) + + rpc_manage_nfs_ro_content(kernel_t) + rpc_manage_nfs_rw_content(kernel_t) + rpc_udp_rw_nfs_sockets(kernel_t) + + tunable_policy(`nfs_export_all_ro',` + fs_getattr_noxattr_fs(kernel_t) + fs_list_noxattr_fs(kernel_t) + fs_read_noxattr_fs_files(kernel_t) + fs_read_noxattr_fs_symlinks(kernel_t) + + auth_read_all_dirs_except_shadow(kernel_t) + auth_read_all_files_except_shadow(kernel_t) + auth_read_all_symlinks_except_shadow(kernel_t) + ') + + tunable_policy(`nfs_export_all_rw',` + fs_getattr_noxattr_fs(kernel_t) + fs_list_noxattr_fs(kernel_t) + fs_read_noxattr_fs_files(kernel_t) + fs_read_noxattr_fs_symlinks(kernel_t) + + auth_manage_all_files_except_shadow(kernel_t) + ') +') + +optional_policy(` + seutil_read_config(kernel_t) + seutil_read_bin_policy(kernel_t) +') + +optional_policy(` + unconfined_domain_noaudit(kernel_t) +') + +optional_policy(` + xserver_xdm_manage_spool(kernel_t) +') + +######################################## +# +# Unlabeled process local policy +# + +optional_policy(` + # If you load a new policy that removes active domains, processes can + # get stuck if you do not allow unlabeled processes to signal init. + # If you load an incompatible policy, you should probably reboot, + # since you may have compromised system security. 
+ init_sigchld(unlabeled_t) +') + +######################################## +# +# Rules for unconfined acccess to this module +# + +allow kern_unconfined proc_type:{ dir file lnk_file } *; + +allow kern_unconfined sysctl_type:{ dir file } *; + +allow kern_unconfined kernel_t:system *; + +allow kern_unconfined unlabeled_t:dir_file_class_set *; +allow kern_unconfined unlabeled_t:filesystem *; +allow kern_unconfined unlabeled_t:association *; +allow kern_unconfined unlabeled_t:packet *; +allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; diff --git a/policy/modules/kernel/mcs.fc b/policy/modules/kernel/mcs.fc new file mode 100644 index 0000000..fa8a4b1 --- /dev/null +++ b/policy/modules/kernel/mcs.fc @@ -0,0 +1 @@ +# no MCS file contexts diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if new file mode 100644 index 0000000..3d62385 --- /dev/null +++ b/policy/modules/kernel/mcs.if 
@@ -0,0 +1,131 @@ +## <summary>Multicategory security policy</summary> +## <required val="true"> +## Contains attributes used in MCS policy. +## </required> + +######################################## +## <summary> +## This domain is allowed to read files and directories +## regardless of their MCS category set. +## </summary> +## <param name="domain"> +## <summary> +## Domain target for user exemption. +## </summary> +## </param> +## <rolecap/> +# +interface(`mcs_file_read_all',` + gen_require(` + attribute mcsreadall; + ') + + typeattribute $1 mcsreadall; +') + +######################################## +## <summary> +## This domain is allowed to write files and directories +## regardless of their MCS category set. +## </summary> +## <param name="domain"> +## <summary> +## Domain target for user exemption. +## </summary> +## </param> +## <rolecap/> +# +interface(`mcs_file_write_all',` + gen_require(` + attribute mcswriteall; + ') + + typeattribute $1 mcswriteall; +') + +######################################## +## <summary> +## This domain is allowed to sigkill and sigstop +## all domains regardless of their MCS category set. +## </summary> +## <param name="domain"> +## <summary> +## Domain target for user exemption. +## </summary> +## </param> +## <rolecap/> +# +interface(`mcs_killall',` + gen_require(` + attribute mcskillall; + ') + + typeattribute $1 mcskillall; +') + +######################################## +## <summary> +## This domain is allowed to ptrace +## all domains regardless of their MCS +## category set. +## </summary> +## <param name="domain"> +## <summary> +## Domain target for user exemption. +## </summary> +## </param> +# +interface(`mcs_ptrace_all',` + gen_require(` + attribute mcsptraceall; + ') + + typeattribute $1 mcsptraceall; +') + +######################################## +## <summary> +## Make specified domain MCS trusted +## for setting any category set for +## the processes it executes. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain target for user exemption. +## </summary> +## </param> +# +interface(`mcs_process_set_categories',` + gen_require(` + attribute mcssetcats; + ') + + typeattribute $1 mcssetcats; +') + +######################################## +## <summary> +## Make specified process type MCS untrusted. +## </summary> +## <desc> +## <p> +## Make specified process type MCS untrusted. This +## prevents this process from sending signals to other processes +## with different mcs labels +## object. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## The type of the process. +## </summary> +## </param> +# +interface(`mcs_untrusted_proc',` + gen_require(` + attribute mcsuntrustedproc; + ') + + typeattribute $1 mcsuntrustedproc; +') + diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te new file mode 100644 index 0000000..dbf577f --- /dev/null +++ b/policy/modules/kernel/mcs.te @@ -0,0 +1,14 @@ +policy_module(mcs, 1.2.0) + +######################################## +# +# Declarations +# + +attribute mcskillall; +attribute mcsptraceall; +attribute mcssetcats; +attribute mcswriteall; +attribute mcsreadall; +attribute mcsuntrustedproc; + diff --git a/policy/modules/kernel/metadata.xml b/policy/modules/kernel/metadata.xml new file mode 100644 index 0000000..d1da3a2 --- /dev/null +++ b/policy/modules/kernel/metadata.xml @@ -0,0 +1 @@ +<summary>Policy modules for kernel resources.</summary> diff --git a/policy/modules/kernel/mls.fc b/policy/modules/kernel/mls.fc new file mode 100644 index 0000000..13df19e --- /dev/null +++ b/policy/modules/kernel/mls.fc @@ -0,0 +1 @@ +# No MLS file contexts. diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if new file mode 100644 index 0000000..d178478 --- /dev/null +++ b/policy/modules/kernel/mls.if 
@@ -0,0 +1,984 @@ +## <summary>Multilevel security policy</summary> +## <desc> +## <p> +## This module contains interfaces for handling multilevel +## security. The interfaces allow the specified subjects +## and objects to be allowed certain privileges in the +## MLS rules. +## </p> +## </desc> +## <required val="true"> +## Contains attributes used in MLS policy. +## </required> + +######################################## +## <summary> +## Make specified domain MLS trusted +## for reading from files up to its clearance. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_file_read_to_clearance',` + gen_require(` + attribute mlsfilereadtoclr; + ') + + typeattribute $1 mlsfilereadtoclr; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for reading from files at all levels. (Deprecated) +## </summary> +## <desc> +## <p> +## Make specified domain MLS trusted +## for reading from files at all levels. +## </p> +## <p> +## This interface has been deprecated, please use +## mls_file_read_all_levels() instead. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mls_file_read_up',` + refpolicywarn(`$0($*) has been deprecated, please use mls_file_read_all_levels() instead.') + mls_file_read_all_levels($1) +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for reading from files at all levels. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_file_read_all_levels',` + gen_require(` + attribute mlsfileread; + ') + + typeattribute $1 mlsfileread; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for write to files up to its clearance. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_file_write_to_clearance',` + gen_require(` + attribute mlsfilewritetoclr; + ') + + typeattribute $1 mlsfilewritetoclr; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for writing to files at all levels. (Deprecated) +## </summary> +## <desc> +## <p> +## Make specified domain MLS trusted +## for writing to files at all levels. +## </p> +## <p> +## This interface has been deprecated, please use +## mls_file_write_all_levels() instead. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mls_file_write_down',` + refpolicywarn(`$0($*) has been deprecated, please use mls_file_write_all_levels() instead.') + mls_file_write_all_levels($1) +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for writing to files at all levels. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_file_write_all_levels',` + gen_require(` + attribute mlsfilewrite; + ') + + typeattribute $1 mlsfilewrite; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for raising the level of files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_file_upgrade',` + gen_require(` + attribute mlsfileupgrade; + ') + + typeattribute $1 mlsfileupgrade; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for lowering the level of files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`mls_file_downgrade',` + gen_require(` + attribute mlsfiledowngrade; + ') + + typeattribute $1 mlsfiledowngrade; +') + +######################################## +## <summary> +## Make specified domain trusted to +## be written to within its MLS range. +## The subject's MLS range must be a +## proper subset of the object's MLS range. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_file_write_within_range',` + gen_require(` + attribute mlsfilewriteinrange; + ') + + typeattribute $1 mlsfilewriteinrange; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for reading from sockets at any level. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_socket_read_all_levels',` + gen_require(` + attribute mlsnetread; + ') + + typeattribute $1 mlsnetread; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for reading from sockets at any level +## that is dominated by the process clearance. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_socket_read_to_clearance',` + gen_require(` + attribute mlsnetreadtoclr; + ') + + typeattribute $1 mlsnetreadtoclr; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for writing to sockets up to +## its clearance. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`mls_socket_write_to_clearance',` + gen_require(` + attribute mlsnetwritetoclr; + ') + + typeattribute $1 mlsnetwritetoclr; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for writing to sockets at any level. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_socket_write_all_levels',` + gen_require(` + attribute mlsnetwrite; + ') + + typeattribute $1 mlsnetwrite; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for receiving network data from +## network interfaces or hosts at any level. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_net_receive_all_levels',` + gen_require(` + attribute mlsnetrecvall; + ') + + typeattribute $1 mlsnetrecvall; +') + +######################################## +## <summary> +## Make specified domain trusted to +## write to network objects within its MLS range. +## The subject's MLS range must be a +## proper subset of the object's MLS range. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_net_write_within_range',` + gen_require(` + attribute mlsnetwriteranged; + ') + + typeattribute $1 mlsnetwriteranged; +') + +######################################## +## <summary> +## Make specified domain trusted to +## write inbound packets regardless of the +## network's or node's MLS range. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`mls_net_inbound_all_levels',` + gen_require(` + attribute mlsnetinbound; + ') + + typeattribute $1 mlsnetinbound; +') + +######################################## +## <summary> +## Make specified domain trusted to +## write outbound packets regardless of the +## network's or node's MLS range. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_net_outbound_all_levels',` + gen_require(` + attribute mlsnetoutbound; + ') + + typeattribute $1 mlsnetoutbound; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for reading from System V IPC objects +## up to its clearance. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_sysvipc_read_to_clearance',` + gen_require(` + attribute mlsipcreadtoclr; + ') + + typeattribute $1 mlsipcreadtoclr; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for reading from System V IPC objects +## at any level. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_sysvipc_read_all_levels',` + gen_require(` + attribute mlsipcread; + ') + + typeattribute $1 mlsipcread; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for writing to System V IPC objects +## up to its clearance. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`mls_sysvipc_write_to_clearance',` + gen_require(` + attribute mlsipcwritetoclr; + ') + + typeattribute $1 mlsipcwritetoclr; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for writing to System V IPC objects +## at any level. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_sysvipc_write_all_levels',` + gen_require(` + attribute mlsipcwrite; + ') + + typeattribute $1 mlsipcwrite; +') + +######################################## +## <summary> +## Allow the specified domain to do a MLS +## range transition that changes +## the current level. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mls_rangetrans_source',` + gen_require(` + attribute privrangetrans; + ') + + typeattribute $1 privrangetrans; +') + +######################################## +## <summary> +## Make specified domain a target domain +## for MLS range transitions that change +## the current level. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mls_rangetrans_target',` + gen_require(` + attribute mlsrangetrans; + ') + + typeattribute $1 mlsrangetrans; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for reading from processes up to +## its clearance. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_process_read_to_clearance',` + gen_require(` + attribute mlsprocreadtoclr; + ') + + typeattribute $1 mlsprocreadtoclr; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for reading from processes at all levels. 
(Deprecated) +## </summary> +## <desc> +## <p> +## Make specified domain MLS trusted +## for reading from processes at all levels. +## </p> +## <p> +## This interface has been deprecated, please use +## mls_process_read_all_levels() instead. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mls_process_read_up',` +# refpolicywarn(`$0($*) has been deprecated, please use mls_process_read_all_levels() instead.') + mls_process_read_all_levels($1) +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for reading from processes at all levels. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_process_read_all_levels',` + gen_require(` + attribute mlsprocread; + ') + + typeattribute $1 mlsprocread; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for writing to processes up to +## its clearance. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_process_write_to_clearance',` + gen_require(` + attribute mlsprocwritetoclr; + ') + + typeattribute $1 mlsprocwritetoclr; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for writing to processes at all levels. (Deprecated) +## </summary> +## <desc> +## <p> +## Make specified domain MLS trusted +## for writing to processes at all levels. +## </p> +## <p> +## This interface has been deprecated, please use +## mls_process_write_all_levels() instead. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`mls_process_write_down',` +# refpolicywarn(`$0($*) has been deprecated, please use mls_process_write_all_levels() instead.') + mls_process_write_all_levels($1) +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for writing to processes at all levels. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_process_write_all_levels',` + gen_require(` + attribute mlsprocwrite; + ') + + typeattribute $1 mlsprocwrite; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for setting the level of processes +## it executes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_process_set_level',` + gen_require(` + attribute mlsprocsetsl; + ') + + typeattribute $1 mlsprocsetsl; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for reading from X objects up to its clearance. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_xwin_read_to_clearance',` + gen_require(` + attribute mlsxwinreadtoclr; + ') + + typeattribute $1 mlsxwinreadtoclr; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for reading from X objects at any level. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_xwin_read_all_levels',` + gen_require(` + attribute mlsxwinread; + ') + + typeattribute $1 mlsxwinread; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for write to X objects up to its clearance. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_xwin_write_to_clearance',` + gen_require(` + attribute mlsxwinwritetoclr; + ') + + typeattribute $1 mlsxwinwritetoclr; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for writing to X objects at any level. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_xwin_write_all_levels',` + gen_require(` + attribute mlsxwinwrite; + ') + + typeattribute $1 mlsxwinwrite; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for reading from X colormaps at any level. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_colormap_read_all_levels',` + gen_require(` + attribute mlsxwinreadcolormap; + ') + + typeattribute $1 mlsxwinreadcolormap; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for writing to X colormaps at any level. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_colormap_write_all_levels',` + gen_require(` + attribute mlsxwinwritecolormap; + ') + + typeattribute $1 mlsxwinwritecolormap; +') + +######################################## +## <summary> +## Make specified object MLS trusted. +## </summary> +## <desc> +## <p> +## Make specified object MLS trusted. This +## allows all levels to read and write the +## object. +## </p> +## <p> +## This currently only applies to filesystem +## objects, for example, files and directories. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## The type of the object. 
+## </summary> +## </param> +# +interface(`mls_trusted_object',` + gen_require(` + attribute mlstrustedobject; + ') + + typeattribute $1 mlstrustedobject; +') + +######################################## +## <summary> +## Make the specified domain trusted +## to inherit and use file descriptors +## from all levels. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_fd_use_all_levels',` + gen_require(` + attribute mlsfduse; + ') + + typeattribute $1 mlsfduse; +') + +######################################## +## <summary> +## Make the file descriptors from the +## specifed domain inheritable by +## all levels. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_fd_share_all_levels',` + gen_require(` + attribute mlsfdshare; + ') + + typeattribute $1 mlsfdshare; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for translating contexts at all levels. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_context_translate_all_levels',` + gen_require(` + attribute mlstranslate; + ') + + typeattribute $1 mlstranslate; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for reading from databases at any level. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_db_read_all_levels',` + gen_require(` + attribute mlsdbread; + ') + + typeattribute $1 mlsdbread; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for writing to databases at any level. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`mls_db_write_all_levels',` + gen_require(` + attribute mlsdbwrite; + ') + + typeattribute $1 mlsdbwrite; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for raising the level of databases. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_db_upgrade',` + gen_require(` + attribute mlsdbupgrade; + ') + + typeattribute $1 mlsdbupgrade; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for lowering the level of databases. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_db_downgrade',` + gen_require(` + attribute mlsdbdowngrade; + ') + + typeattribute $1 mlsdbdowngrade; +') +######################################## +## <summary> +## Make specified domain MLS trusted +## for sending dbus messages to +## all levels. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_dbus_send_all_levels',` + gen_require(` + attribute mlsdbussend; + ') + + typeattribute $1 mlsdbussend; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for receiving dbus messages from +## all levels. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_dbus_recv_all_levels',` + gen_require(` + attribute mlsdbusrecv; + ') + + typeattribute $1 mlsdbusrecv; +') diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te new file mode 100644 index 0000000..8c7bd90 --- /dev/null +++ b/policy/modules/kernel/mls.te 
@@ -0,0 +1,69 @@ +policy_module(mls, 1.8.0) + +######################################## +# +# Declarations +# + +attribute mlsfileread; +attribute mlsfilereadtoclr; +attribute mlsfilewrite; +attribute mlsfilewritetoclr; +attribute mlsfilewriteinrange; +attribute mlsfileupgrade; +attribute mlsfiledowngrade; + +attribute mlsnetread; +attribute mlsnetreadtoclr; +attribute mlsnetwrite; +attribute mlsnetwritetoclr; +attribute mlsnetwriteranged; +attribute mlsnetupgrade; +attribute mlsnetdowngrade; +attribute mlsnetrecvall; +attribute mlsnetinbound; +attribute mlsnetoutbound; + +attribute mlsipcread; +attribute mlsipcreadtoclr; +attribute mlsipcwrite; +attribute mlsipcwritetoclr; + +attribute mlsprocread; +attribute mlsprocreadtoclr; +attribute mlsprocwrite; +attribute mlsprocwritetoclr; +attribute mlsprocsetsl; + +attribute mlsxwinread; +attribute mlsxwinreadtoclr; +attribute mlsxwinwrite; +attribute mlsxwinwritetoclr; +attribute mlsxwinreadproperty; +attribute mlsxwinwriteproperty; +attribute mlsxwinreadselection; +attribute mlsxwinwriteselection; +attribute mlsxwinreadcolormap; +attribute mlsxwinwritecolormap; +attribute mlsxwinwritexinput; + +attribute mlsdbread; +attribute mlsdbreadtoclr; +attribute mlsdbwrite; +attribute mlsdbwritetoclr; +attribute mlsdbwriteinrange; +attribute mlsdbupgrade; +attribute mlsdbdowngrade; + +attribute mlstrustedobject; + +attribute privrangetrans; +attribute mlsrangetrans; + +attribute mlsfduse; +attribute mlsfdshare; + +attribute mlstranslate; + +attribute mlsdbusrecv; +attribute mlsdbussend; diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc new file mode 100644 index 0000000..7be4ddf --- /dev/null +++ b/policy/modules/kernel/selinux.fc @@ -0,0 +1 @@ +# This module currently does not have any file contexts. diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if new file mode 100644 index 0000000..bc1ed0f --- /dev/null +++ b/policy/modules/kernel/selinux.if 
@@ -0,0 +1,686 @@ +## <summary> +## Policy for kernel security interface, in particular, selinuxfs. +## </summary> +## <required val="true"> +## Contains the policy for the kernel SELinux security interface. +## </required> + +######################################## +## <summary> +## Make the specified type used for labeling SELinux Booleans. +## This interface is only usable in the base module. +## </summary> +## <desc> +## <p> +## Make the specified type used for labeling SELinux Booleans. +## </p> +## <p> +## This makes use of genfscon statements, which are only +## available in the base module. Thus any module which calls this +## interface must be included in the base module. +## </p> +## </desc> +## <param name="type"> +## <summary> +## Type used for labeling a Boolean. +## </summary> +## </param> +## <param name="boolean"> +## <summary> +## Name of the Boolean. +## </summary> +## </param> +# +interface(`selinux_labeled_boolean',` + gen_require(` + attribute boolean_type; + ') + + typeattribute $1 boolean_type; + + # because of this statement, any module which + # calls this interface must be in the base module: +# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) +') + +######################################## +## <summary> +## Get the mountpoint of the selinuxfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`selinux_get_fs_mount',` + gen_require(` + type security_t; + ') + + # starting in libselinux 2.0.5, init_selinuxmnt() will + # attempt to short circuit by checking if SELINUXMNT + # (/selinux) is already a selinuxfs + allow $1 security_t:filesystem getattr; + + # read /proc/filesystems to see if selinuxfs is supported + # then read /proc/self/mount to see where selinuxfs is mounted + kernel_read_system_state($1) +') + +######################################## +## <summary> +## Do not audit attempts to get the mountpoint +## of the selinuxfs filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`selinux_dontaudit_get_fs_mount',` + gen_require(` + type security_t; + ') + + # starting in libselinux 2.0.5, init_selinuxmnt() will + # attempt to short circuit by checking if SELINUXMNT + # (/selinux) is already a selinuxfs + dontaudit $1 security_t:filesystem getattr; + + # read /proc/filesystems to see if selinuxfs is supported + # then read /proc/self/mount to see where selinuxfs is mounted + kernel_dontaudit_read_system_state($1) +') + +######################################## +## <summary> +## Get the attributes of the selinuxfs filesystem +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`selinux_getattr_fs',` + gen_require(` + type security_t; + ') + + allow $1 security_t:filesystem getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the +## attributes of the selinuxfs filesystem +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`selinux_dontaudit_getattr_fs',` + gen_require(` + type security_t; + ') + + dontaudit $1 security_t:filesystem getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the +## attributes of the selinuxfs directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`selinux_dontaudit_getattr_dir',` + gen_require(` + type security_t; + ') + + dontaudit $1 security_t:dir getattr; +') + +######################################## +## <summary> +## Search selinuxfs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`selinux_search_fs',` + gen_require(` + type security_t; + ') + + allow $1 security_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to search selinuxfs. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`selinux_dontaudit_search_fs',` + gen_require(` + type security_t; + ') + + dontaudit $1 security_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read +## generic selinuxfs entries +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`selinux_dontaudit_read_fs',` + gen_require(` + type security_t; + ') + + selinux_dontaudit_getattr_fs($1) + dontaudit $1 security_t:dir search_dir_perms; + dontaudit $1 security_t:file read_file_perms; +') + + +######################################## +## <summary> +## Do not audit attempts to write +## generic selinuxfs entries +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`selinux_dontaudit_write_fs',` + gen_require(` + type security_t; + ') + + dontaudit $1 security_t:dir write; +') + +######################################## +## <summary> +## Allows the caller to get the mode of policy enforcement +## (enforcing or permissive mode). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`selinux_get_enforce_mode',` + gen_require(` + type security_t; + ') + + selinux_get_fs_mount($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file read_file_perms; +') + +######################################## +## <summary> +## Allow caller to set the mode of policy enforcement +## (enforcing or permissive mode). +## </summary> +## <desc> +## <p> +## Allow caller to set the mode of policy enforcement +## (enforcing or permissive mode). +## </p> +## <p> +## Since this is a security event, this action is +## always audited. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`selinux_set_enforce_mode',` + gen_require(` + type security_t; + attribute can_setenforce; + bool secure_mode_policyload; + ') + + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + typeattribute $1 can_setenforce; + + if(!secure_mode_policyload) { + allow $1 security_t:security setenforce; + + ifdef(`distro_rhel4',` + # needed for systems without audit support + auditallow $1 security_t:security setenforce; + ') + } +') + +######################################## +## <summary> +## Allow caller to load the policy into the kernel. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`selinux_load_policy',` + gen_require(` + type security_t; + attribute can_load_policy; + bool secure_mode_policyload; + ') + + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + typeattribute $1 can_load_policy; + + if(!secure_mode_policyload) { + allow $1 security_t:security load_policy; + + ifdef(`distro_rhel4',` + # needed for systems without audit support + auditallow $1 security_t:security load_policy; + ') + } +') + +######################################## +## <summary> +## Allow caller to set the state of Booleans to +## enable or disable conditional portions of the policy. (Deprecated) +## </summary> +## <desc> +## <p> +## Allow caller to set the state of Booleans to +## enable or disable conditional portions of the policy. +## </p> +## <p> +## Since this is a security event, this action is +## always audited. +## </p> +## <p> +## This interface has been deprecated. Please use +## selinux_set_generic_booleans() or selinux_set_all_booleans() +## instead. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`selinux_set_boolean',` + refpolicywarn(`$0($*) has been deprecated, use selinux_set_generic_booleans() instead.') + selinux_set_generic_booleans($1) +') + +######################################## +## <summary> +## Allow caller to set the state of generic Booleans to +## enable or disable conditional portions of the policy. +## </summary> +## <desc> +## <p> +## Allow caller to set the state of generic Booleans to +## enable or disable conditional portions of the policy. +## </p> +## <p> +## Since this is a security event, this action is +## always audited. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`selinux_set_generic_booleans',` + gen_require(` + type security_t; + bool secure_mode_policyload; + ') + + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + + if(!secure_mode_policyload) { + allow $1 security_t:security setbool; + + ifdef(`distro_rhel4',` + # needed for systems without audit support + auditallow $1 security_t:security setbool; + ') + } +') + +######################################## +## <summary> +## Allow caller to set the state of all Booleans to +## enable or disable conditional portions of the policy. +## </summary> +## <desc> +## <p> +## Allow caller to set the state of all Booleans to +## enable or disable conditional portions of the policy. +## </p> +## <p> +## Since this is a security event, this action is +## always audited. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`selinux_set_all_booleans',` + gen_require(` + type security_t; + attribute boolean_type; + bool secure_mode_policyload; + ') + + allow $1 security_t:dir list_dir_perms; + allow $1 boolean_type:dir list_dir_perms; + allow $1 boolean_type:file rw_file_perms; + + if(!secure_mode_policyload) { + allow $1 security_t:security setbool; + + ifdef(`distro_rhel4',` + # needed for systems without audit support + auditallow $1 security_t:security setbool; + ') + } +') + +######################################## +## <summary> +## Allow caller to set SELinux access vector cache parameters. +## </summary> +## <desc> +## <p> +## Allow caller to set SELinux access vector cache parameters. +## The allows the domain to set performance related parameters +## of the AVC, such as cache threshold. +## </p> +## <p> +## Since this is a security event, this action is +## always audited. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`selinux_set_parameters',` + gen_require(` + type security_t; + attribute can_setsecparam; + ') + + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security setsecparam; + auditallow $1 security_t:security setsecparam; + typeattribute $1 can_setsecparam; +') + +######################################## +## <summary> +## Allows caller to validate security contexts. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`selinux_validate_context',` + gen_require(` + type security_t; + ') + + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security check_context; +') + +######################################## +## <summary> +## Do not audit attempts to validate security contexts. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +## <rolecap/> +# +interface(`selinux_dontaudit_validate_context',` + gen_require(` + type security_t; + ') + + dontaudit $1 security_t:dir list_dir_perms; + dontaudit $1 security_t:file rw_file_perms; + dontaudit $1 security_t:security check_context; +') + +######################################## +## <summary> +## Allows caller to compute an access vector. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`selinux_compute_access_vector',` + gen_require(` + type security_t; + ') + + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security compute_av; +') + +######################################## +## <summary> +## Calculate the default type for object creation. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`selinux_compute_create_context',` + gen_require(` + type security_t; + ') + + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security compute_create; +') + +######################################## +## <summary> +## Allows caller to compute polyinstatntiated +## directory members. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`selinux_compute_member',` + gen_require(` + type security_t; + ') + + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security compute_member; +') + +######################################## +## <summary> +## Calculate the context for relabeling objects. +## </summary> +## <desc> +## <p> +## Calculate the context for relabeling objects. +## This is determined by using the type_change +## rules in the policy, and is generally used +## for determining the context for relabeling +## a terminal when a user logs in. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`selinux_compute_relabel_context',` + gen_require(` + type security_t; + ') + + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security compute_relabel; +') + +######################################## +## <summary> +## Allows caller to compute possible contexts for a user. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`selinux_compute_user_contexts',` + gen_require(` + type security_t; + ') + + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security compute_user; +') + +######################################## +## <summary> +## Unconfined access to the SELinux kernel security server. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`selinux_unconfined',` + gen_require(` + attribute selinux_unconfined_type; + ') + + typeattribute $1 selinux_unconfined_type; +') + +######################################## +## <summary> +## Generate a file context for a boolean type +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`selinux_genbool',` + gen_require(` + attribute boolean_type; + ') + + type $1, boolean_type; + fs_type($1) + mls_trusted_object($1) +') + +######################################## +## <summary> +## Unmount a security filesystem. +## </summary> +## <param name="domain"> +## <summary> +## The type of the domain unmounting the filesystem. +## </summary> +## </param> +# +interface(`selinux_unmount_fs',` + gen_require(` + type security_t; + ') + + allow $1 security_t:filesystem unmount; +') + diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te new file mode 100644 index 0000000..499e997 --- /dev/null +++ b/policy/modules/kernel/selinux.te 
@@ -0,0 +1,51 @@ +policy_module(selinux, 1.8.0) + +######################################## +# +# Declarations +# + +attribute boolean_type; +attribute can_load_policy; +attribute can_setenforce; +attribute can_setsecparam; +attribute selinux_unconfined_type; + +# +# security_t is the target type when checking +# the permissions in the security class. It is also +# applied to selinuxfs inodes. +# +type security_t, boolean_type; +fs_type(security_t) +mls_trusted_object(security_t) +sid security gen_context(system_u:object_r:security_t,mls_systemhigh) +genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0) +genfscon securityfs / gen_context(system_u:object_r:security_t,s0) + +neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; +neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; +neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; + +######################################## +# +# Unconfined access to this module +# + +# use SELinuxfs +allow selinux_unconfined_type security_t:dir list_dir_perms; +allow selinux_unconfined_type security_t:file rw_file_perms; +allow selinux_unconfined_type boolean_type:file read_file_perms; + +# Access the security API. +allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool }; + +if(!secure_mode_policyload) { + allow selinux_unconfined_type boolean_type:file rw_file_perms; + allow selinux_unconfined_type security_t:security { load_policy setenforce setbool }; + + ifdef(`distro_rhel4',` + # needed for systems without audit support + auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool }; + ') +} diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc new file mode 100644 index 0000000..811b859 --- /dev/null +++ b/policy/modules/kernel/storage.fc 
@@ -0,0 +1,82 @@ + +/dev/n?(raw)?[qr]ft[0-3] -c gen_context(system_u:object_r:tape_device_t,s0) +/dev/n?[hs]t[0-9].* -c gen_context(system_u:object_r:tape_device_t,s0) +/dev/n?z?qft[0-3] -c gen_context(system_u:object_r:tape_device_t,s0) +/dev/n?osst[0-3].* -c gen_context(system_u:object_r:tape_device_t,s0) +/dev/n?pt[0-9]+ -c gen_context(system_u:object_r:tape_device_t,s0) +/dev/n?tpqic[12].* -c gen_context(system_u:object_r:tape_device_t,s0) +/dev/[shmxv]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/bsg/.+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0) +/dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/etherd/.+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/hitcd -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0) +/dev/hwcdrom -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/lvm -c 
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0) +/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/pd[a-d][^/]* -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0) +/dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/(raw/)?rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +ifdef(`distro_redhat', ` +/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +') +/dev/s(cd|r)[^/]* -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/sbpcd.* -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/sg[0-9]+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0) +/dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0) +/dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh) +/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) 
+/dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + +/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + +/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + +/dev/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) +/dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0) + +/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + +/dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + +/dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + +/dev/device-mapper -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + +/dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + +/dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + +/dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0) + +/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if new file mode 100644 index 0000000..bde6daa --- /dev/null +++ b/policy/modules/kernel/storage.if 
@@ -0,0 +1,813 @@ +## <summary>Policy controlling access to storage devices</summary> + +######################################## +## <summary> +## Allow the caller to get the attributes of fixed disk +## device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_getattr_fixed_disk_dev',` + gen_require(` + type fixed_disk_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 fixed_disk_device_t:blk_file getattr; +') + +######################################## +## <summary> +## Do not audit attempts made by the caller to get +## the attributes of fixed disk device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`storage_dontaudit_getattr_fixed_disk_dev',` + gen_require(` + type fixed_disk_device_t; + ') + + dontaudit $1 fixed_disk_device_t:blk_file getattr; + dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl +') + +######################################## +## <summary> +## Allow the caller to set the attributes of fixed disk +## device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_setattr_fixed_disk_dev',` + gen_require(` + type fixed_disk_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 fixed_disk_device_t:blk_file setattr; +') + +######################################## +## <summary> +## Do not audit attempts made by the caller to set +## the attributes of fixed disk device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`storage_dontaudit_setattr_fixed_disk_dev',` + gen_require(` + type fixed_disk_device_t; + ') + + dontaudit $1 fixed_disk_device_t:blk_file setattr; +') + +######################################## +## <summary> +## Allow the caller to directly read from a fixed disk. 
+## This is extremly dangerous as it can bypass the +## SELinux protections for filesystem objects, and +## should only be used by trusted domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_raw_read_fixed_disk',` + gen_require(` + attribute fixed_disk_raw_read; + type fixed_disk_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; + allow $1 fixed_disk_device_t:chr_file read_chr_file_perms; + #577012 + allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms; + typeattribute $1 fixed_disk_raw_read; +') + +######################################## +## <summary> +## Do not audit attempts made by the caller to read +## fixed disk device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`storage_dontaudit_read_fixed_disk',` + gen_require(` + type fixed_disk_device_t; + + ') + + dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms; + dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms; +') + +######################################## +## <summary> +## Allow the caller to directly write to a fixed disk. +## This is extremly dangerous as it can bypass the +## SELinux protections for filesystem objects, and +## should only be used by trusted domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_raw_write_fixed_disk',` + gen_require(` + attribute fixed_disk_raw_write; + type fixed_disk_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 fixed_disk_device_t:blk_file write_blk_file_perms; + allow $1 fixed_disk_device_t:chr_file write_chr_file_perms; + typeattribute $1 fixed_disk_raw_write; +') + +######################################## +## <summary> +## Do not audit attempts made by the caller to write +## fixed disk device nodes. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`storage_dontaudit_write_fixed_disk',` + gen_require(` + type fixed_disk_device_t; + + ') + + dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms; +') + +######################################## +## <summary> +## Allow the caller to directly read and write to a fixed disk. +## This is extremly dangerous as it can bypass the +## SELinux protections for filesystem objects, and +## should only be used by trusted domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_raw_rw_fixed_disk',` + storage_raw_read_fixed_disk($1) + storage_raw_write_fixed_disk($1) +') + +######################################## +## <summary> +## Allow the caller to create fixed disk device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_create_fixed_disk_dev',` + gen_require(` + type fixed_disk_device_t; + ') + + allow $1 self:capability mknod; + + allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; + dev_add_entry_generic_dirs($1) +') + +######################################## +## <summary> +## Allow the caller to create fixed disk device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_delete_fixed_disk_dev',` + gen_require(` + type fixed_disk_device_t; + ') + + allow $1 fixed_disk_device_t:blk_file delete_blk_file_perms; + dev_remove_entry_generic_dirs($1) +') + +######################################## +## <summary> +## Create, read, write, and delete fixed disk device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`storage_manage_fixed_disk',` + gen_require(` + attribute fixed_disk_raw_read, fixed_disk_raw_write; + type fixed_disk_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 self:capability mknod; + allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms; + allow $1 fixed_disk_device_t:chr_file manage_chr_file_perms; + typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; +') + +######################################## +## <summary> +## Create block devices in /dev with the fixed disk type +## via an automatic type transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_dev_filetrans_fixed_disk',` + gen_require(` + type fixed_disk_device_t; + ') + + dev_filetrans($1, fixed_disk_device_t, blk_file) +') + +######################################## +## <summary> +## Create block devices in on a tmpfs filesystem with the +## fixed disk type via an automatic type transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_tmpfs_filetrans_fixed_disk',` + gen_require(` + type fixed_disk_device_t; + ') + + fs_tmpfs_filetrans($1, fixed_disk_device_t, blk_file) +') + +######################################## +## <summary> +## Relabel fixed disk device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_relabel_fixed_disk',` + gen_require(` + type fixed_disk_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms; +') + +######################################## +## <summary> +## Enable a fixed disk device as swap space +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`storage_swapon_fixed_disk',` + gen_require(` + type fixed_disk_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 fixed_disk_device_t:blk_file { getattr swapon }; +') + +######################################## +## <summary> +## Allow the caller to get the attributes +## of device nodes of fuse devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_getattr_fuse_dev',` + gen_require(` + type fuse_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 fuse_device_t:chr_file getattr; +') + +######################################## +## <summary> +## read or write fuse device interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_rw_fuse',` + gen_require(` + type fuse_device_t; + ') + + allow $1 fuse_device_t:chr_file rw_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read or write +## fuse device interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`storage_dontaudit_rw_fuse',` + gen_require(` + type fuse_device_t; + ') + + dontaudit $1 fuse_device_t:chr_file rw_file_perms; +') + +######################################## +## <summary> +## Allow the caller to get the attributes of +## the generic SCSI interface device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_getattr_scsi_generic_dev',` + gen_require(` + type scsi_generic_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 scsi_generic_device_t:chr_file getattr; +') + +######################################## +## <summary> +## Allow the caller to set the attributes of +## the generic SCSI interface device nodes. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_setattr_scsi_generic_dev',` + gen_require(` + type scsi_generic_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 scsi_generic_device_t:chr_file setattr; +') + +######################################## +## <summary> +## Allow the caller to directly read, in a +## generic fashion, from any SCSI device. +## This is extremly dangerous as it can bypass the +## SELinux protections for filesystem objects, and +## should only be used by trusted domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_read_scsi_generic',` + gen_require(` + attribute scsi_generic_read; + type scsi_generic_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 scsi_generic_device_t:chr_file read_chr_file_perms; + typeattribute $1 scsi_generic_read; +') + +######################################## +## <summary> +## Allow the caller to directly write, in a +## generic fashion, from any SCSI device. +## This is extremly dangerous as it can bypass the +## SELinux protections for filesystem objects, and +## should only be used by trusted domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_write_scsi_generic',` + gen_require(` + attribute scsi_generic_write; + type scsi_generic_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 scsi_generic_device_t:chr_file write_chr_file_perms; + typeattribute $1 scsi_generic_write; +') + +######################################## +## <summary> +## Set attributes of the device nodes +## for the SCSI generic inerface. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`storage_setattr_scsi_generic_dev_dev',` + gen_require(` + type scsi_generic_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 scsi_generic_device_t:chr_file setattr; +') + +######################################## +## <summary> +## Do not audit attempts to read or write +## SCSI generic device interfaces. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`storage_dontaudit_rw_scsi_generic',` + gen_require(` + type scsi_generic_device_t; + ') + + dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms; +') + +######################################## +## <summary> +## Allow the caller to get the attributes of removable +## devices device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_getattr_removable_dev',` + gen_require(` + type removable_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 removable_device_t:blk_file getattr; +') + +######################################## +## <summary> +## Do not audit attempts made by the caller to get +## the attributes of removable devices device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`storage_dontaudit_getattr_removable_dev',` + gen_require(` + type removable_device_t; + ') + + dontaudit $1 removable_device_t:blk_file getattr; +') + +######################################## +## <summary> +## Do not audit attempts made by the caller to read +## removable devices device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`storage_dontaudit_read_removable_device',` + gen_require(` + type removable_device_t; + + ') + + dontaudit $1 removable_device_t:blk_file read_blk_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts made by the caller to write +## removable devices device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`storage_dontaudit_write_removable_device',` + gen_require(` + type removable_device_t; + ') + + dontaudit $1 removable_device_t:blk_file write_blk_file_perms; +') + +######################################## +## <summary> +## Allow the caller to set the attributes of removable +## devices device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_setattr_removable_dev',` + gen_require(` + type removable_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 removable_device_t:blk_file setattr; +') + +######################################## +## <summary> +## Do not audit attempts made by the caller to set +## the attributes of removable devices device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`storage_dontaudit_setattr_removable_dev',` + gen_require(` + type removable_device_t; + ') + + dontaudit $1 removable_device_t:blk_file setattr; +') + +######################################## +## <summary> +## Allow the caller to directly read from +## a removable device. +## This is extremly dangerous as it can bypass the +## SELinux protections for filesystem objects, and +## should only be used by trusted domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`storage_raw_read_removable_device',` + gen_require(` + type removable_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 removable_device_t:blk_file read_blk_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to directly read removable devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`storage_dontaudit_raw_read_removable_device',` + gen_require(` + type removable_device_t; + ') + + dontaudit $1 removable_device_t:blk_file read_blk_file_perms; +') + +######################################## +## <summary> +## Allow the caller to directly write to +## a removable device. +## This is extremly dangerous as it can bypass the +## SELinux protections for filesystem objects, and +## should only be used by trusted domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_raw_write_removable_device',` + gen_require(` + type removable_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 removable_device_t:blk_file write_blk_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to directly write removable devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`storage_dontaudit_raw_write_removable_device',` + gen_require(` + type removable_device_t; + ') + + dontaudit $1 removable_device_t:blk_file write_blk_file_perms; +') + +######################################## +## <summary> +## Allow the caller to directly read +## a tape device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`storage_read_tape',` + gen_require(` + type tape_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tape_device_t:chr_file read_chr_file_perms; +') + +######################################## +## <summary> +## Allow the caller to directly read +## a tape device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_write_tape',` + gen_require(` + type tape_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tape_device_t:chr_file write_chr_file_perms; +') + +######################################## +## <summary> +## Allow the caller to get the attributes +## of device nodes of tape devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_getattr_tape_dev',` + gen_require(` + type tape_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tape_device_t:chr_file getattr; +') + +######################################## +## <summary> +## Allow the caller to set the attributes +## of device nodes of tape devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_setattr_tape_dev',` + gen_require(` + type tape_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tape_device_t:chr_file setattr; +') + +######################################## +## <summary> +## Unconfined access to storage devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_unconfined',` + gen_require(` + attribute storage_unconfined_type; + ') + + typeattribute $1 storage_unconfined_type; +') diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te new file mode 100644 index 0000000..b80b3e9 --- /dev/null +++ b/policy/modules/kernel/storage.te 
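Review bot: the summary on `storage_delete_fixed_disk_dev` is a copy of the create interface's ("Allow the caller to create fixed disk device nodes.") and should say "delete"; the same copy-paste slip is on `storage_write_tape` ("Allow the caller to directly read a tape device.") and on `storage_write_scsi_generic` ("directly write, in a generic fashion, from any SCSI device", should be "to"). `storage_setattr_scsi_generic_dev_dev` is a byte-for-byte duplicate of `storage_setattr_scsi_generic_dev` with a doubled `_dev` suffix and "inerface" in its summary; drop it, or keep one name and deprecate the other with `refpolicywarn()` the way terminal.if does. `storage_dontaudit_read_removable_device` / `storage_dontaudit_write_removable_device` likewise have bodies identical to `storage_dontaudit_raw_read_removable_device` / `storage_dontaudit_raw_write_removable_device`. Worth a comment as well: `storage_manage_fixed_disk` grants `manage_chr_file_perms` on `fixed_disk_device_t` even though every other fixed-disk interface in the file treats that type as `blk_file` only. Typo: "extremly" -> "extremely" in all the raw-access summaries.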
@@ -0,0 +1,59 @@ +policy_module(storage, 1.8.2) + +######################################## +# +# Declarations +# + +attribute fixed_disk_raw_read; +attribute fixed_disk_raw_write; +attribute scsi_generic_read; +attribute scsi_generic_write; +attribute storage_unconfined_type; + +# +# fixed_disk_device_t is the type of +# /dev/hd* and /dev/sd*. +# +type fixed_disk_device_t; +dev_node(fixed_disk_device_t) + +neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read; +neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write }; + +# +# fuse_device_t is the type of /dev/fuse +# +type fuse_device_t; +dev_node(fuse_device_t) + +# +# scsi_generic_device_t is the type of /dev/sg* +# it gives access to ALL SCSI devices (both fixed and removable) +# +type scsi_generic_device_t; +dev_node(scsi_generic_device_t) + +neverallow ~{ scsi_generic_read storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } read; +neverallow ~{ scsi_generic_write storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } { append write }; + +# +# removable_device_t is the type of +# /dev/scd* and /dev/fd*. +# +type removable_device_t; +dev_node(removable_device_t) + +# +# tape_device_t is the type of +# +type tape_device_t; +dev_node(tape_device_t) + +######################################## +# +# Unconfined access to this module +# + +allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *; +allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *; diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc new file mode 100644 index 0000000..3994e57 --- /dev/null +++ b/policy/modules/kernel/terminal.fc 
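Review bot: the neverallow rules that force raw reads and writes through the `fixed_disk_raw_read`/`fixed_disk_raw_write` and `scsi_generic_read`/`scsi_generic_write` attributes have no counterpart for `removable_device_t` or `tape_device_t`, yet storage.if documents `storage_raw_read_removable_device` and `storage_raw_write_removable_device` with the same "extremely dangerous, can bypass the SELinux protections for filesystem objects" warning as the fixed-disk interfaces. Either add matching attributes and neverallow guards for removable media (a mounted USB disk or CD is as much a filesystem bypass as /dev/sda), or say in the comment why removable and tape raw access is deliberately left unguarded. Minor: the comment `# tape_device_t is the type of` is cut off and names no device paths, unlike the other type comments in this file.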
@@ -0,0 +1,42 @@ + +/dev/.*tty[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/[pt]ty[a-ep-z][0-9a-f] -c gen_context(system_u:object_r:bsdpty_device_t,s0) +/dev/adb.* -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/capi.* -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/console -c gen_context(system_u:object_r:console_device_t,s0) +/dev/cu.* -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/hvc.* -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/hvsi.* -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/i2c[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/ircomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) +/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) +/dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/tty -c gen_context(system_u:object_r:devtty_t,s0) +/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) + +/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0) + +/dev/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) + +/dev/tts/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) + +/dev/usb/tty.* -c gen_context(system_u:object_r:usbtty_device_t,s0) + +/dev/vcc?/.* -c gen_context(system_u:object_r:tty_device_t,s0) + +/dev/vcs[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) + +/dev/xvc[0-9]* -c gen_context(system_u:object_r:tty_device_t,s0) + +ifdef(`distro_gentoo',` +/dev/tts/[0-9]* -c gen_context(system_u:object_r:tty_device_t,s0) + +# used by init scripts to initally populate udev /dev +/lib/udev/devices/console -c 
gen_context(system_u:object_r:console_device_t,s0) +') diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if new file mode 100644 index 0000000..87a6942 --- /dev/null +++ b/policy/modules/kernel/terminal.if 
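Review bot: `/dev/xvc[^/]*` near the top of the file already matches everything `/dev/xvc[0-9]*` further down does, so the second entry is redundant; the same holds for `/dev/tts/[0-9]*` in the `distro_gentoo` block, which is subsumed by the unconditional `/dev/tts/[^/]*` above it. Both duplicates should go so each path has a single spec. `/dev/i2c[^/]*` labelled `tty_device_t` deserves a comment: I2C bus adapters are not terminals, and with this label every caller of `term_use_all_terms` (which grants rw on `tty_device_t`) can drive the bus. Typo: "initally" -> "initially" in the udev comment.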
@@ -0,0 +1,1476 @@ +## <summary>Policy for terminals.</summary> +## <required val="true"> +## Depended on by other required modules. +## </required> + +######################################## +## <summary> +## Transform specified type into a pty type. +## </summary> +## <param name="pty_type"> +## <summary> +## An object type that will applied to a pty. +## </summary> +## </param> +# +interface(`term_pty',` + gen_require(` + attribute ptynode; + type devpts_t; + ') + + dev_node($1) + allow $1 devpts_t:filesystem associate; + typeattribute $1 ptynode; +') + +######################################## +## <summary> +## Transform specified type into an user +## pty type. This allows it to be relabeled via +## type change by login programs such as ssh. +## </summary> +## <param name="userdomain"> +## <summary> +## The type of the user domain associated with +## this pty. +## </summary> +## </param> +## <param name="object_type"> +## <summary> +## An object type that will applied to a pty. +## </summary> +## </param> +# +interface(`term_user_pty',` + gen_require(` + attribute server_ptynode; + ') + + term_pty($2) + type_change $1 server_ptynode:chr_file $2; +') + +######################################## +## <summary> +## Transform specified type into a pty type +## used by login programs, such as sshd. +## </summary> +## <param name="pty_type"> +## <summary> +## An object type that will applied to a pty. +## </summary> +## </param> +# +interface(`term_login_pty',` + gen_require(` + attribute server_ptynode; + ') + + term_pty($1) + typeattribute $1 server_ptynode; +') + +######################################## +## <summary> +## Transform specified type into a tty type. +## </summary> +## <param name="tty_type"> +## <summary> +## An object type that will applied to a tty. 
+## </summary> +## </param> +# +interface(`term_tty',` + gen_require(` + attribute ttynode, serial_device; + type tty_device_t; + ') + + typeattribute $1 ttynode, serial_device; + + dev_node($1) +') + +######################################## +## <summary> +## Transform specified type into a user tty type. +## </summary> +## <param name="domain"> +## <summary> +## User domain that is related to this tty. +## </summary> +## </param> +## <param name="tty_type"> +## <summary> +## An object type that will applied to a tty. +## </summary> +## </param> +# +interface(`term_user_tty',` + gen_require(` + attribute ttynode; + type tty_device_t; + ') + + term_tty($2) + + type_change $1 tty_device_t:chr_file $2; + + # Debian login is from shadow utils and does not allow resetting the perms. + # have to fix this! + ifdef(`distro_debian',` + type_change $1 ttynode:chr_file $2; + ') +') + +######################################## +## <summary> +## Create a pty in the /dev/pts directory. +## </summary> +## <param name="domain"> +## <summary> +## The type of the process creating the pty. +## </summary> +## </param> +## <param name="pty_type"> +## <summary> +## The type of the pty. +## </summary> +## </param> +# +interface(`term_create_pty',` + gen_require(` + type bsdpty_device_t, devpts_t, ptmx_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 ptmx_t:chr_file rw_file_perms; + + allow $1 devpts_t:dir list_dir_perms; + allow $1 devpts_t:filesystem getattr; + dontaudit $1 bsdpty_device_t:chr_file { getattr read write }; + type_transition $1 devpts_t:chr_file $2; +') + +######################################## +## <summary> +## Write the console, all +## ttys and all ptys. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`term_write_all_terms',` + gen_require(` + attribute ttynode, ptynode; + type console_device_t, devpts_t, tty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devpts_t:dir list_dir_perms; + allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file write_chr_file_perms; +') + +######################################## +## <summary> +## Read and write the console, all +## ttys and all ptys. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`term_use_all_terms',` + gen_require(` + attribute ttynode, ptynode; + type console_device_t, devpts_t, tty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devpts_t:dir list_dir_perms; + allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms; +') + +######################################## +## <summary> +## Write to the console. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`term_write_console',` + gen_require(` + type console_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 console_device_t:chr_file write_chr_file_perms; +') + +######################################## +## <summary> +## Read from the console. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`term_read_console',` + gen_require(` + type console_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 console_device_t:chr_file read_chr_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read from the console. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`term_dontaudit_read_console',` + gen_require(` + type console_device_t; + ') + + dontaudit $1 console_device_t:chr_file read_chr_file_perms; +') + +######################################## +## <summary> +## Read from and write to the console. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`term_use_console',` + gen_require(` + type console_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 console_device_t:chr_file rw_chr_file_perms; +') + +######################################## +## <summary> +## Do not audit attemtps to read from +## or write to the console. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`term_dontaudit_use_console',` + gen_require(` + type console_device_t; + type tty_device_t; + ') + + dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms; + dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms; +') + +######################################## +## <summary> +## Set the attributes of the console +## device node. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`term_setattr_console',` + gen_require(` + type console_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 console_device_t:chr_file setattr; +') + +######################################## +## <summary> +## Relabel from and to the console type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_relabel_console',` + gen_require(` + type console_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 console_device_t:chr_file relabel_chr_file_perms; +') + +######################################## +## <summary> +## Create the console device (/dev/console). 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_create_console_dev',` + gen_require(` + type console_device_t; + ') + + dev_add_entry_generic_dirs($1) + allow $1 console_device_t:chr_file create; + allow $1 self:capability mknod; +') + +######################################## +## <summary> +## Get the attributes of a pty filesystem +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_getattr_pty_fs',` + gen_require(` + type devpts_t; + ') + + allow $1 devpts_t:filesystem getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the +## attributes of the /dev/pts directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`term_dontaudit_getattr_pty_dirs',` + gen_require(` + type devpts_t; + ') + + dontaudit $1 devpts_t:dir getattr; +') + +######################################## +## <summary> +## Search the contents of the /dev/pts directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_search_ptys',` + gen_require(` + type devpts_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devpts_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to search the +## contents of the /dev/pts directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`term_dontaudit_search_ptys',` + gen_require(` + type devpts_t; + ') + + dev_dontaudit_list_all_dev_nodes($1) + dontaudit $1 devpts_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Read the /dev/pts directory to +## list all ptys. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_list_ptys',` + gen_require(` + type devpts_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devpts_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read the +## /dev/pts directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`term_dontaudit_list_ptys',` + gen_require(` + type devpts_t; + ') + + dontaudit $1 devpts_t:dir { getattr search read }; +') + +######################################## +## <summary> +## Do not audit attempts to create, read, +## write, or delete the /dev/pts directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`term_dontaudit_manage_pty_dirs',` + gen_require(` + type devpts_t; + ') + + dontaudit $1 devpts_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of generic pty devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`term_dontaudit_getattr_generic_ptys',` + gen_require(` + type devpts_t; + ') + + dontaudit $1 devpts_t:chr_file getattr; +') +######################################## +## <summary> +## ioctl of generic pty devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: added for ppp +interface(`term_ioctl_generic_ptys',` + gen_require(` + type devpts_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devpts_t:dir search; + allow $1 devpts_t:chr_file ioctl; +') + +######################################## +## <summary> +## Allow setting the attributes of +## generic pty devices. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# dwalsh: added for rhgb +interface(`term_setattr_generic_ptys',` + gen_require(` + type devpts_t; + ') + + allow $1 devpts_t:chr_file setattr; +') + +######################################## +## <summary> +## Dontaudit setting the attributes of +## generic pty devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +# dwalsh: added for rhgb +interface(`term_dontaudit_setattr_generic_ptys',` + gen_require(` + type devpts_t; + ') + + dontaudit $1 devpts_t:chr_file setattr; +') + +######################################## +## <summary> +## Read and write the generic pty +## type. This is generally only used in +## the targeted policy. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_use_generic_ptys',` + gen_require(` + type devpts_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devpts_t:dir list_dir_perms; + allow $1 devpts_t:chr_file { rw_term_perms lock append }; +') + +######################################## +## <summary> +## Dot not audit attempts to read and +## write the generic pty type. This is +## generally only used in the targeted policy. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`term_dontaudit_use_generic_ptys',` + gen_require(` + type devpts_t; + ') + + dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; +') + +####################################### +## <summary> +## Set the attributes of the tty device +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`term_setattr_controlling_term',` + gen_require(` + type devtty_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devtty_t:chr_file setattr; +') + +######################################## +## <summary> +## Read and write the controlling +## terminal (/dev/tty). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_use_controlling_term',` + gen_require(` + type devtty_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devtty_t:chr_file { rw_term_perms lock append }; +') + +######################################## +## <summary> +## Do not audit attempts to get attributes +## on the pty multiplexor (/dev/ptmx). +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`term_dontaudit_getattr_ptmx',` + gen_require(` + type ptmx_t; + ') + + dontaudit $1 ptmx_t:chr_file getattr; +') + +######################################## +## <summary> +## Read and write the pty multiplexor (/dev/ptmx). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_use_ptmx',` + gen_require(` + type ptmx_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 ptmx_t:chr_file rw_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read and +## write the pty multiplexor (/dev/ptmx). +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`term_dontaudit_use_ptmx',` + gen_require(` + type ptmx_t; + ') + + dontaudit $1 ptmx_t:chr_file { getattr read write }; +') + +######################################## +## <summary> +## Get the attributes of all +## pty device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`term_getattr_all_ptys',` + gen_require(` + attribute ptynode; + type devpts_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devpts_t:dir list_dir_perms; + allow $1 ptynode:chr_file getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the +## attributes of any pty +## device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`term_dontaudit_getattr_all_ptys',` + gen_require(` + attribute ptynode; + ') + + dontaudit $1 ptynode:chr_file getattr; +') + +######################################## +## <summary> +## Set the attributes of all +## pty device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`term_setattr_all_ptys',` + gen_require(` + attribute ptynode; + type devpts_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devpts_t:dir list_dir_perms; + allow $1 ptynode:chr_file setattr; +') + +######################################## +## <summary> +## Relabel to all ptys. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_relabelto_all_ptys',` + gen_require(` + attribute ptynode; + ') + + allow $1 ptynode:chr_file relabelto; +') + +######################################## +## <summary> +## Write to all ptys. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_write_all_ptys',` + gen_require(` + attribute ptynode; + ') + + dev_list_all_dev_nodes($1) + allow $1 ptynode:chr_file write_chr_file_perms; +') + +######################################## +## <summary> +## Read and write all ptys. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`term_use_all_ptys',` + gen_require(` + attribute ptynode; + type devpts_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 devpts_t:dir list_dir_perms; + allow $1 ptynode:chr_file { rw_term_perms lock append }; +') + +######################################## +## <summary> +## Do not audit attempts to read or write any ptys. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`term_dontaudit_use_all_ptys',` + gen_require(` + attribute ptynode; + ') + + dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append }; +') + +######################################## +## <summary> +## Relabel from and to all pty device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_relabel_all_ptys',` + gen_require(` + attribute ptynode; + type devpts_t; + ') + + dev_list_all_dev_nodes($1) + relabel_chr_files_pattern($1, devpts_t, ptynode) +') + +######################################## +## <summary> +## Get the attributes of all user +## pty device nodes. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`term_getattr_all_user_ptys',` + refpolicywarn(`$0 has been deprecated, use term_getattr_all_ptys() instead.') + term_getattr_all_ptys($1) +') + +######################################## +## <summary> +## Do not audit attempts to get the +## attributes of any user pty +## device nodes. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`term_dontaudit_getattr_all_user_ptys',` + refpolicywarn(`$0 has been deprecated, use term_dontaudit_getattr_all_ptys() instead.') + term_dontaudit_getattr_all_ptys($1) +') + +######################################## +## <summary> +## Set the attributes of all user +## pty device nodes. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`term_setattr_all_user_ptys',` + refpolicywarn(`$0 has been deprecated, use term_setattr_all_ptys() instead.') + term_setattr_all_ptys($1) +') + +######################################## +## <summary> +## Relabel to all user ptys. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_relabelto_all_user_ptys',` + refpolicywarn(`$0 has been deprecated, use term_relabelto_all_ptys() instead.') + term_relabelto_all_ptys($1) +') + +######################################## +## <summary> +## Write to all user ptys. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_write_all_user_ptys',` + refpolicywarn(`$0 has been deprecated, use term_write_all_ptys() instead.') + term_write_all_ptys($1) +') + +######################################## +## <summary> +## Read and write all user ptys. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`term_use_all_user_ptys',` + refpolicywarn(`$0 has been deprecated, use term_use_all_ptys() instead.') + term_use_all_ptys($1) +') + +######################################## +## <summary> +## Do not audit attempts to read any +## user ptys. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`term_dontaudit_use_all_user_ptys',` + refpolicywarn(`$0 has been deprecated, use term_dontaudit_use_all_ptys() instead.') + term_dontaudit_use_all_ptys($1) +') + +######################################## +## <summary> +## Relabel from and to all user +## user pty device nodes. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_relabel_all_user_ptys',` + refpolicywarn(`$0 has been deprecated, use term_relabel_all_ptys() instead.') + term_relabel_all_ptys($1) +') + +######################################## +## <summary> +## Get the attributes of all unallocated +## tty device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`term_getattr_unallocated_ttys',` + gen_require(` + type tty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tty_device_t:chr_file getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of all unallocated tty device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`term_dontaudit_getattr_unallocated_ttys',` + gen_require(` + type tty_device_t; + ') + + dontaudit $1 tty_device_t:chr_file getattr; +') + +######################################## +## <summary> +## Set the attributes of all unallocated +## tty device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`term_setattr_unallocated_ttys',` + gen_require(` + type tty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tty_device_t:chr_file setattr; +') + +######################################## +## <summary> +## Do not audit attempts to set the attributes +## of unallocated tty device nodes. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`term_dontaudit_setattr_unallocated_ttys',` + gen_require(` + type tty_device_t; + ') + + dontaudit $1 tty_device_t:chr_file setattr; +') + +######################################## +## <summary> +## Do not audit attempts to ioctl +## unallocated tty device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`term_dontaudit_ioctl_unallocated_ttys',` + gen_require(` + type tty_device_t; + ') + + dontaudit $1 tty_device_t:chr_file ioctl; +') + +######################################## +## <summary> +## Relabel from and to the unallocated +## tty type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_relabel_unallocated_ttys',` + gen_require(` + type tty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tty_device_t:chr_file relabel_chr_file_perms; +') + +######################################## +## <summary> +## Relabel from all user tty types to +## the unallocated tty type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_reset_tty_labels',` + gen_require(` + attribute ttynode; + type tty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 ttynode:chr_file relabelfrom; + allow $1 tty_device_t:chr_file relabelto; +') + +######################################## +## <summary> +## Append to unallocated ttys. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_append_unallocated_ttys',` + gen_require(` + type tty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tty_device_t:chr_file append_chr_file_perms; +') + +######################################## +## <summary> +## Write to unallocated ttys. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_write_unallocated_ttys',` + gen_require(` + type tty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tty_device_t:chr_file write_chr_file_perms; +') + +######################################## +## <summary> +## Read and write unallocated ttys. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`term_use_unallocated_ttys',` + gen_require(` + type tty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tty_device_t:chr_file rw_chr_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read or +## write unallocated ttys. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`term_dontaudit_use_unallocated_ttys',` + gen_require(` + type tty_device_t; + ') + + dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms; +') + +######################################## +## <summary> +## Get the attributes of all tty device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`term_getattr_all_ttys',` + gen_require(` + type tty_device_t; + attribute ttynode; + ') + + dev_list_all_dev_nodes($1) + allow $1 ttynode:chr_file getattr; + allow $1 tty_device_t:chr_file getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the +## attributes of any tty device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`term_dontaudit_getattr_all_ttys',` + gen_require(` + attribute ttynode; + type tty_device_t; + ') + + dev_list_all_dev_nodes($1) + dontaudit $1 ttynode:chr_file getattr; + dontaudit $1 tty_device_t:chr_file getattr; +') + +######################################## +## <summary> +## Set the attributes of all tty device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`term_setattr_all_ttys',` + gen_require(` + attribute ttynode; + ') + + dev_list_all_dev_nodes($1) + allow $1 ttynode:chr_file setattr; +') + +######################################## +## <summary> +## Relabel from and to all tty device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_relabel_all_ttys',` + gen_require(` + attribute ttynode; + ') + + dev_list_all_dev_nodes($1) + allow $1 ttynode:chr_file relabel_chr_file_perms; +') + +######################################## +## <summary> +## Write to all ttys. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_write_all_ttys',` + gen_require(` + attribute ttynode; + ') + + dev_list_all_dev_nodes($1) + allow $1 ttynode:chr_file write_chr_file_perms; +') + +######################################## +## <summary> +## Read and write all ttys. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`term_use_all_ttys',` + gen_require(` + attribute ttynode; + ') + + dev_list_all_dev_nodes($1) + allow $1 ttynode:chr_file rw_chr_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read or write +## any ttys. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`term_dontaudit_use_all_ttys',` + gen_require(` + attribute ttynode; + ') + + dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms; +') + +######################################## +## <summary> +## Get the attributes of all user tty +## device nodes. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`term_getattr_all_user_ttys',` + refpolicywarn(`$0() is deprecated, use term_getattr_all_ttys() instead.') + term_getattr_all_ttys($1) +') + +######################################## +## <summary> +## Do not audit attempts to get the +## attributes of any user tty +## device nodes. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`term_dontaudit_getattr_all_user_ttys',` + refpolicywarn(`$0() is deprecated, use term_dontaudit_getattr_all_ttys() instead.') + term_dontaudit_getattr_all_ttys($1) +') + +######################################## +## <summary> +## Set the attributes of all user tty +## device nodes. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`term_setattr_all_user_ttys',` + refpolicywarn(`$0() is deprecated, use term_setattr_all_ttys() instead.') + term_setattr_all_ttys($1) +') + +######################################## +## <summary> +## Relabel from and to all user +## user tty device nodes. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_relabel_all_user_ttys',` + refpolicywarn(`$0() is deprecated, use term_relabel_all_ttys() instead.') + term_relabel_all_ttys($1) +') + +######################################## +## <summary> +## Write to all user ttys. 
(Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_write_all_user_ttys',` + refpolicywarn(`$0() is deprecated, use term_write_all_ttys() instead.') + term_write_all_ttys($1) +') + +######################################## +## <summary> +## Read and write all user to all user ttys. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`term_use_all_user_ttys',` + refpolicywarn(`$0() is deprecated, use term_use_all_ttys() instead.') + term_use_all_ttys($1) +') + +######################################## +## <summary> +## Do not audit attempts to read or write +## any user ttys. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`term_dontaudit_use_all_user_ttys',` + refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') + term_dontaudit_use_all_ttys($1) +') diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te new file mode 100644 index 0000000..a5deade --- /dev/null +++ b/policy/modules/kernel/terminal.te 
@@ -0,0 +1,59 @@ +policy_module(terminal, 1.8.1) + +######################################## +# +# Declarations +# +attribute ttynode; +attribute ptynode; +attribute server_ptynode; +attribute serial_device; + +# +# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f] +type bsdpty_device_t; +dev_node(bsdpty_device_t) + +# +# console_device_t is the type of /dev/console. +# +type console_device_t; +dev_node(console_device_t) + +# +# devpts_t is the type of the devpts file system and +# the type of the root directory of the file system. +# +type devpts_t; +files_mountpoint(devpts_t) +fs_associate_tmpfs(devpts_t) +fs_type(devpts_t) +fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0); +dev_associate(devpts_t) + +# +# devtty_t is the type of /dev/tty. +# +type devtty_t; +dev_node(devtty_t) +mls_trusted_object(devtty_t) + +# +# ptmx_t is the type for /dev/ptmx. +# +type ptmx_t; +dev_node(ptmx_t) +mls_trusted_object(ptmx_t) +allow ptmx_t devpts_t:filesystem associate; + +# +# tty_device_t is the type of /dev/*tty* +# +type tty_device_t, serial_device; +dev_node(tty_device_t) + +# +# usbtty_device_t is the type of /dev/usr/tty* +# +type usbtty_device_t, serial_device; +dev_node(usbtty_device_t) diff --git a/policy/modules/kernel/ubac.fc b/policy/modules/kernel/ubac.fc new file mode 100644 index 0000000..778366f --- /dev/null +++ b/policy/modules/kernel/ubac.fc @@ -0,0 +1 @@ +# no UBAC file contexts diff --git a/policy/modules/kernel/ubac.if b/policy/modules/kernel/ubac.if new file mode 100644 index 0000000..464f759 --- /dev/null +++ b/policy/modules/kernel/ubac.if 
@@ -0,0 +1,197 @@ +## <summary>User-based access control policy</summary> +## <required val="true"> +## Contains attributes used in UBAC policy. +## </required> + +######################################## +## <summary> +## Constrain by user-based access control (UBAC). +## </summary> +## <desc> +## <p> +## Constrain the specified type by user-based +## access control (UBAC). Typically, these are +## user processes or user files that need to be +## differentiated by SELinux user. Normally this +## does not include administrative or privileged +## programs. For the UBAC rules to be enforced, +## both the subject (source) type and the object +## (target) types must be UBAC constrained. +## </p> +## </desc> +## <param name="type"> +## <summary> +## Type to be constrained by UBAC. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`ubac_constrained',` + gen_require(` + attribute ubac_constrained_type; + ') + + typeattribute $1 ubac_constrained_type; +') + +######################################## +## <summary> +## Exempt user-based access control for files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to be exempted. +## </summary> +## </param> +# +interface(`ubac_file_exempt',` + gen_require(` + attribute ubacfile; + ') + + typeattribute $1 ubacfile; +') + +######################################## +## <summary> +## Exempt user-based access control for processes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to be exempted. +## </summary> +## </param> +# +interface(`ubac_process_exempt',` + gen_require(` + attribute ubacproc; + ') + + typeattribute $1 ubacproc; +') + +######################################## +## <summary> +## Exempt user-based access control for file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain to be exempted. 
+## </summary> +## </param> +# +interface(`ubac_fd_exempt',` + gen_require(` + attribute ubacfd; + ') + + typeattribute $1 ubacfd; +') + +######################################## +## <summary> +## Exempt user-based access control for sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to be exempted. +## </summary> +## </param> +# +interface(`ubac_socket_exempt',` + gen_require(` + attribute ubacsock; + ') + + typeattribute $1 ubacsock; +') + +######################################## +## <summary> +## Exempt user-based access control for SysV IPC. +## </summary> +## <param name="domain"> +## <summary> +## Domain to be exempted. +## </summary> +## </param> +# +interface(`ubac_sysvipc_exempt',` + gen_require(` + attribute ubacipc; + ') + + typeattribute $1 ubacipc; +') + +######################################## +## <summary> +## Exempt user-based access control for X Windows. +## </summary> +## <param name="domain"> +## <summary> +## Domain to be exempted. +## </summary> +## </param> +# +interface(`ubac_xwin_exempt',` + gen_require(` + attribute ubacxwin; + ') + + typeattribute $1 ubacxwin; +') + +######################################## +## <summary> +## Exempt user-based access control for dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain to be exempted. +## </summary> +## </param> +# +interface(`ubac_dbus_exempt',` + gen_require(` + attribute ubacdbus; + ') + + typeattribute $1 ubacdbus; +') + +######################################## +## <summary> +## Exempt user-based access control for keys. +## </summary> +## <param name="domain"> +## <summary> +## Domain to be exempted. +## </summary> +## </param> +# +interface(`ubac_key_exempt',` + gen_require(` + attribute ubackey; + ') + + typeattribute $1 ubackey; +') + +######################################## +## <summary> +## Exempt user-based access control for databases. +## </summary> +## <param name="domain"> +## <summary> +## Domain to be exempted. 
+## </summary> +## </param> +# +interface(`ubac_db_exempt',` + gen_require(` + attribute ubacdb; + ') + + typeattribute $1 ubacdb; +') diff --git a/policy/modules/kernel/ubac.te b/policy/modules/kernel/ubac.te new file mode 100644 index 0000000..0a57c41 --- /dev/null +++ b/policy/modules/kernel/ubac.te @@ -0,0 +1,19 @@ +policy_module(ubac, 1.0.0) + +######################################## +# +# Declarations +# + +attribute ubac_constrained_type; + +attribute ubacfile; +attribute ubacproc; +attribute ubacsock; +attribute ubacfd; +attribute ubacipc; +attribute ubacxwin; +attribute ubacdbus; +attribute ubackey; +attribute ubacdb; + diff --git a/policy/modules/roles/auditadm.fc b/policy/modules/roles/auditadm.fc new file mode 100644 index 0000000..601a7b0 --- /dev/null +++ b/policy/modules/roles/auditadm.fc @@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon diff --git a/policy/modules/roles/auditadm.if b/policy/modules/roles/auditadm.if new file mode 100644 index 0000000..d320022 --- /dev/null +++ b/policy/modules/roles/auditadm.if 
@@ -0,0 +1,50 @@ +## <summary>Audit administrator role</summary> + +######################################## +## <summary> +## Change to the audit administrator role. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`auditadm_role_change',` + gen_require(` + role auditadm_r; + ') + + allow $1 auditadm_r; +') + +######################################## +## <summary> +## Change from the audit administrator role. +## </summary> +## <desc> +## <p> +## Change from the audit administrator role to +## the specified role. +## </p> +## <p> +## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +## </p> +## </desc> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`auditadm_role_change_to',` + gen_require(` + role auditadm_r; + ') + + allow auditadm_r $1; +') diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te new file mode 100644 index 0000000..a1bbe8f --- /dev/null +++ b/policy/modules/roles/auditadm.te 
@@ -0,0 +1,65 @@ +policy_module(auditadm, 2.1.0) + +######################################## +# +# Declarations +# + +role auditadm_r; + +userdom_unpriv_user_template(auditadm) + +######################################## +# +# Local policy +# + +allow auditadm_t self:capability { dac_read_search dac_override }; + +kernel_read_ring_buffer(auditadm_t) + +corecmd_exec_shell(auditadm_t) + +domain_kill_all_domains(auditadm_t) + +logging_send_syslog_msg(auditadm_t) +logging_read_generic_logs(auditadm_t) +logging_manage_audit_log(auditadm_t) +logging_manage_audit_config(auditadm_t) +logging_run_auditctl(auditadm_t, auditadm_r) +logging_run_auditd(auditadm_t, auditadm_r) +logging_stream_connect_syslog(auditadm_t) + +seutil_run_runinit(auditadm_t, auditadm_r) +seutil_read_bin_policy(auditadm_t) + +userdom_dontaudit_search_admin_dir(auditadm_t) + +optional_policy(` + consoletype_exec(auditadm_t) +') + +optional_policy(` + dmesg_exec(auditadm_t) +') + +optional_policy(` + screen_role_template(auditadm, auditadm_r, auditadm_t) +') + +optional_policy(` + secadm_role_change(auditadm_r) +') + +optional_policy(` + su_role_template(auditadm, auditadm_r, auditadm_t) +') + +optional_policy(` + sudo_role_template(auditadm, auditadm_r, auditadm_t) +') + +optional_policy(` + sysadm_role_change(auditadm_r) +') + diff --git a/policy/modules/roles/dbadm.fc b/policy/modules/roles/dbadm.fc new file mode 100644 index 0000000..e6aa2fb --- /dev/null +++ b/policy/modules/roles/dbadm.fc @@ -0,0 +1 @@ +# No dbadm file contexts diff --git a/policy/modules/roles/dbadm.if b/policy/modules/roles/dbadm.if new file mode 100644 index 0000000..56f2af7 --- /dev/null +++ b/policy/modules/roles/dbadm.if 
@@ -0,0 +1,50 @@ +## <summary>Database administrator role</summary> + +######################################## +## <summary> +## Change to the database administrator role. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`dbadm_role_change',` + gen_require(` + role dbadm_r; + ') + + allow $1 dbadm_r; +') + +######################################## +## <summary> +## Change from the database administrator role. +## </summary> +## <desc> +## <p> +## Change from the database administrator role to +## the specified role. +## </p> +## <p> +## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +## </p> +## </desc> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`dbadm_role_change_to',` + gen_require(` + role dbadm_r; + ') + + allow dbadm_r $1; +') diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te new file mode 100644 index 0000000..e9c9277 --- /dev/null +++ b/policy/modules/roles/dbadm.te 
@@ -0,0 +1,65 @@ +policy_module(dbadm, 1.0.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow dbadm to manage files in users home directories +## </p> +## </desc> +gen_tunable(dbadm_manage_user_files, false) + +## <desc> +## <p> +## Allow dbadm to read files in users home directories +## </p> +## </desc> +gen_tunable(dbadm_read_user_files, false) + +role dbadm_r; + +userdom_base_user_template(dbadm) + +######################################## +# +# database admin local policy +# + +allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace }; + +files_dontaudit_search_all_dirs(dbadm_t) +files_delete_generic_locks(dbadm_t) +files_list_var(dbadm_t) + +selinux_get_enforce_mode(dbadm_t) + +logging_send_syslog_msg(dbadm_t) +logging_send_audit_msgs(dbadm_t) + +userdom_dontaudit_search_user_home_dirs(dbadm_t) + +tunable_policy(`dbadm_manage_user_files',` + userdom_manage_user_home_content_files(dbadm_t) + userdom_read_user_tmp_files(dbadm_t) + userdom_write_user_tmp_files(dbadm_t) +') + +tunable_policy(`dbadm_read_user_files',` + userdom_read_user_home_content_files(dbadm_t) + userdom_read_user_tmp_files(dbadm_t) +') + +optional_policy(` + mysql_admin(dbadm_t, dbadm_r) +') + +optional_policy(` + postgresql_admin(dbadm_t, dbadm_r) +') + +optional_policy(` + sudo_role_template(dbadm, dbadm_r, dbadm_t) +') diff --git a/policy/modules/roles/guest.fc b/policy/modules/roles/guest.fc new file mode 100644 index 0000000..601a7b0 --- /dev/null +++ b/policy/modules/roles/guest.fc @@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon diff --git a/policy/modules/roles/guest.if b/policy/modules/roles/guest.if new file mode 100644 index 0000000..8906a32 --- /dev/null +++ b/policy/modules/roles/guest.if 
@@ -0,0 +1,50 @@ +## <summary>Least privledge terminal user role</summary> + +######################################## +## <summary> +## Change to the guest role. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`guest_role_change',` + gen_require(` + role guest_r; + ') + + allow $1 guest_r; +') + +######################################## +## <summary> +## Change from the guest role. +## </summary> +## <desc> +## <p> +## Change from the guest role to +## the specified role. +## </p> +## <p> +## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +## </p> +## </desc> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`guest_role_change_to',` + gen_require(` + role guest_r; + ') + + allow guest_r $1; +') diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te new file mode 100644 index 0000000..f332441 --- /dev/null +++ b/policy/modules/roles/guest.te @@ -0,0 +1,23 @@ +policy_module(guest, 1.1.1) + +######################################## +# +# Declarations +# + +role guest_r; + +userdom_restricted_user_template(guest) + +kernel_read_system_state(guest_t) + +######################################## +# +# Local policy +# + +optional_policy(` + apache_role(guest_r, guest_t) +') + +gen_user(guest_u, user, guest_r, s0, s0) diff --git a/policy/modules/roles/logadm.fc b/policy/modules/roles/logadm.fc new file mode 100644 index 0000000..601a7b0 --- /dev/null +++ b/policy/modules/roles/logadm.fc @@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon diff --git a/policy/modules/roles/logadm.if b/policy/modules/roles/logadm.if new file mode 100644 index 0000000..c9740e5 --- /dev/null +++ b/policy/modules/roles/logadm.if 
@@ -0,0 +1,50 @@ +## <summary>Log administrator role</summary> + +######################################## +## <summary> +## Change to the log administrator role. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`logadm_role_change',` + gen_require(` + role logadm_r; + ') + + allow $1 logadm_r; +') + +######################################## +## <summary> +## Change from the log administrator role. +## </summary> +## <desc> +## <p> +## Change from the log administrator role to +## the specified role. +## </p> +## <p> +## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +## </p> +## </desc> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`logadm_role_change_to',` + gen_require(` + role logadm_r; + ') + + allow logadm_r $1; +') diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te new file mode 100644 index 0000000..3a45a3e --- /dev/null +++ b/policy/modules/roles/logadm.te @@ -0,0 +1,19 @@ +policy_module(logadm, 1.0.0) + +######################################## +# +# Declarations +# + +role logadm_r; + +userdom_base_user_template(logadm) + +######################################## +# +# logadmin local policy +# + +allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; + +logging_admin(logadm_t, logadm_r) diff --git a/policy/modules/roles/metadata.xml b/policy/modules/roles/metadata.xml new file mode 100644 index 0000000..ba002e8 --- /dev/null +++ b/policy/modules/roles/metadata.xml @@ -0,0 +1 @@ +<summary>Policy modules for user roles.</summary> diff --git a/policy/modules/roles/secadm.fc b/policy/modules/roles/secadm.fc new file mode 100644 index 0000000..601a7b0 --- /dev/null +++ b/policy/modules/roles/secadm.fc @@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon 
diff --git a/policy/modules/roles/secadm.if b/policy/modules/roles/secadm.if new file mode 100644 index 0000000..bb6a5fe --- /dev/null +++ b/policy/modules/roles/secadm.if @@ -0,0 +1,51 @@ +## <summary>Security administrator role</summary> + +######################################## +## <summary> +## Change to the security administrator role. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`secadm_role_change',` + gen_require(` + role secadm_r; + ') + + allow $1 secadm_r; +') + +######################################## +## <summary> +## Change from the security administrator role. +## </summary> +## <desc> +## <p> +## Change from the security administrator role to +## the specified role. +## </p> +## <p> +## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +## </p> +## </desc> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`secadm_role_change_to_template',` + gen_require(` + role secadm_r; + ') + + allow secadm_r $1; +') + diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te new file mode 100644 index 0000000..e3a1987 --- /dev/null +++ b/policy/modules/roles/secadm.te 
@@ -0,0 +1,75 @@ +policy_module(secadm, 2.1.0) + +######################################## +# +# Declarations +# + +role secadm_r; + +userdom_unpriv_user_template(secadm) +userdom_security_admin_template(secadm_t, secadm_r) +userdom_inherit_append_admin_home_files(secadm_t) +userdom_read_admin_home_files(secadm_t) + +######################################## +# +# Local policy +# + +allow secadm_t self:capability { dac_read_search dac_override }; + +corecmd_exec_shell(secadm_t) + +dev_relabel_all_dev_nodes(secadm_t) + +domain_obj_id_change_exemption(secadm_t) + +mls_process_read_up(secadm_t) +mls_file_read_all_levels(secadm_t) +mls_file_write_all_levels(secadm_t) +mls_file_upgrade(secadm_t) +mls_file_downgrade(secadm_t) + +auth_role(secadm_r, secadm_t) +auth_relabel_all_files_except_shadow(secadm_t) +auth_relabel_shadow(secadm_t) + +init_exec(secadm_t) + +logging_read_audit_log(secadm_t) +logging_read_generic_logs(secadm_t) +logging_read_audit_config(secadm_t) + +optional_policy(` + aide_run(secadm_t, secadm_r) +') + +optional_policy(` + auditadm_role_change(secadm_r) +') + +optional_policy(` + dmesg_exec(secadm_t) +') + +optional_policy(` + netlabel_run_mgmt(secadm_t, secadm_r) +') + +optional_policy(` + screen_role_template(secadm, secadm_r, secadm_t) +') + +optional_policy(` + su_role_template(secadm, secadm_r, secadm_t) +') + +optional_policy(` + sudo_role_template(secadm, secadm_r, secadm_t) +') + +optional_policy(` + sysadm_role_change(secadm_r) +') + diff --git a/policy/modules/roles/staff.fc b/policy/modules/roles/staff.fc new file mode 100644 index 0000000..601a7b0 --- /dev/null +++ b/policy/modules/roles/staff.fc @@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if new file mode 100644 index 0000000..234a940 --- /dev/null +++ b/policy/modules/roles/staff.if 
@@ -0,0 +1,50 @@ +## <summary>Administrator's unprivileged user role</summary> + +######################################## +## <summary> +## Change to the staff role. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`staff_role_change',` + gen_require(` + role staff_r; + ') + + allow $1 staff_r; +') + +######################################## +## <summary> +## Change from the staff role. +## </summary> +## <desc> +## <p> +## Change from the staff role to +## the specified role. +## </p> +## <p> +## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +## </p> +## </desc> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`staff_role_change_to',` + gen_require(` + role staff_r; + ') + + allow staff_r $1; +') diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te new file mode 100644 index 0000000..571c76e --- /dev/null +++ b/policy/modules/roles/staff.te 
@@ -0,0 +1,279 @@ +policy_module(staff, 2.1.2) + +######################################## +# +# Declarations +# + +role staff_r; + +userdom_unpriv_user_template(staff) +fs_exec_noxattr(staff_t) + +# needed for sandbox +allow staff_t self:process setexec; + +######################################## +# +# Local policy +# + +kernel_read_ring_buffer(staff_usertype) +kernel_getattr_core_if(staff_usertype) +kernel_getattr_message_if(staff_usertype) +kernel_read_software_raid_state(staff_usertype) +kernel_read_fs_sysctls(staff_usertype) + +domain_read_all_domains_state(staff_usertype) +domain_getattr_all_domains(staff_usertype) +domain_obj_id_change_exemption(staff_t) + +files_read_kernel_modules(staff_usertype) + +seutil_read_module_store(staff_t) +seutil_run_newrole(staff_t, staff_r) + +term_use_unallocated_ttys(staff_usertype) + +auth_domtrans_pam_console(staff_t) + +init_dbus_chat(staff_t) +init_dbus_chat_script(staff_t) + +miscfiles_read_hwdata(staff_usertype) + +modutils_read_module_config(staff_usertype) +modutils_read_module_deps(staff_usertype) + +netutils_run_ping(staff_t, staff_r) +netutils_signal_ping(staff_t) + +optional_policy(` + apache_role(staff_r, staff_t) +') + +optional_policy(` + auditadm_role_change(staff_r) +') + +optional_policy(` + dbadm_role_change(staff_r) +') + +optional_policy(` + accountsd_dbus_chat(staff_t) + accountsd_read_lib_files(staff_t) +') + +optional_policy(` + gnomeclock_dbus_chat(staff_t) +') + +optional_policy(` + firewallgui_dbus_chat(staff_t) +') + +optional_policy(` + lpd_list_spool(staff_t) +') + +optional_policy(` + kerneloops_dbus_chat(staff_t) +') + +optional_policy(` + logadm_role_change(staff_r) +') + +optional_policy(` + mozilla_run_plugin(staff_t, staff_r) +') + +optional_policy(` + oident_manage_user_content(staff_t) + oident_relabel_user_content(staff_t) +') + +optional_policy(` + postgresql_role(staff_r, staff_t) +') + +optional_policy(` + rtkit_scheduled(staff_t) +') + +optional_policy(` + 
rpm_dbus_chat(staff_usertype) +') + +optional_policy(` + secadm_role_change(staff_r) +') + +optional_policy(` + sandbox_transition(staff_t, staff_r) +') + +optional_policy(` + screen_role_template(staff, staff_r, staff_t) +') + +optional_policy(` + sysadm_role_change(staff_r) + userdom_dontaudit_use_user_terminals(staff_t) +') +optional_policy(` + setroubleshoot_stream_connect(staff_t) + setroubleshoot_dbus_chat(staff_t) + setroubleshoot_dbus_chat_fixit(staff_t) +') + +optional_policy(` + ssh_role_template(staff, staff_r, staff_t) +') + +optional_policy(` + sudo_role_template(staff, staff_r, staff_t) +') + +optional_policy(` + telepathy_dbus_session_role(staff_r, staff_t) +') + +optional_policy(` + userhelper_console_role_template(staff, staff_r, staff_usertype) +') + +optional_policy(` + unconfined_role_change(staff_r) +') + +optional_policy(` + virt_stream_connect(staff_t) +') + +optional_policy(` + vnstatd_read_lib_files(staff_t) +') + +optional_policy(` + webadm_role_change(staff_r) +') + +optional_policy(` + xserver_role(staff_r, staff_t) +') + +ifndef(`distro_redhat',` + optional_policy(` + auth_role(staff_r, staff_t) + ') + + optional_policy(` + bluetooth_role(staff_r, staff_t) + ') + + optional_policy(` + cdrecord_role(staff_r, staff_t) + ') + + optional_policy(` + cron_role(staff_r, staff_t) + ') + + optional_policy(` + dbus_role_template(staff, staff_r, staff_t) + ') + + optional_policy(` + evolution_role(staff_r, staff_t) + ') + + optional_policy(` + games_role(staff_r, staff_t) + ') + + optional_policy(` + gift_role(staff_r, staff_t) + ') + + optional_policy(` + gnome_role(staff_r, staff_t) + ') + + optional_policy(` + gpg_role(staff_r, staff_t) + ') + + optional_policy(` + irc_role(staff_r, staff_t) + ') + + optional_policy(` + java_role(staff_r, staff_t) + ') + + optional_policy(` + lockdev_role(staff_r, staff_t) + ') + + optional_policy(` + lpd_role(staff_r, staff_t) + ') + + optional_policy(` + mozilla_role(staff_r, staff_t) + ') + + 
optional_policy(` + mplayer_role(staff_r, staff_t) + ') + + optional_policy(` + mta_role(staff_r, staff_t) + ') + + optional_policy(` + pyzor_role(staff_r, staff_t) + ') + + optional_policy(` + razor_role(staff_r, staff_t) + ') + + optional_policy(` + rssh_role(staff_r, staff_t) + ') + + optional_policy(` + spamassassin_role(staff_r, staff_t) + ') + + optional_policy(` + su_role_template(staff, staff_r, staff_t) + ') + + optional_policy(` + thunderbird_role(staff_r, staff_t) + ') + + optional_policy(` + tvtime_role(staff_r, staff_t) + ') + + optional_policy(` + uml_role(staff_r, staff_t) + ') + + optional_policy(` + userhelper_role_template(staff, staff_r, staff_t) + ') + + optional_policy(` + vmware_role(staff_r, staff_t) + ') + + optional_policy(` + wireshark_role(staff_r, staff_t) + ') +') diff --git a/policy/modules/roles/sysadm.fc b/policy/modules/roles/sysadm.fc new file mode 100644 index 0000000..601a7b0 --- /dev/null +++ b/policy/modules/roles/sysadm.fc @@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if new file mode 100644 index 0000000..ff92430 --- /dev/null +++ b/policy/modules/roles/sysadm.if 
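Review bot: In the Declarations section of staff.te, `allow staff_t self:process setexec;` is unconditional although its comment says `# needed for sandbox`, while the sandbox access itself is gated in `optional_policy(` sandbox_transition(staff_t, staff_r) ')`; move the setexec rule into that optional_policy block so the permission is only granted when the sandbox module is present. Two smaller points in the same hunk: `userdom_dontaudit_use_user_terminals(staff_t)` sits inside the `sysadm_role_change(staff_r)` optional_policy block although it does not depend on the sysadm module, and that block is not separated from the following setroubleshoot `optional_policy(` by the blank line the rest of the file uses between blocks.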
@@ -0,0 +1,238 @@ +## <summary>General system administration role</summary> + +######################################## +## <summary> +## Change to the system administrator role. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`sysadm_role_change',` + gen_require(` + role sysadm_r; + ') + + allow $1 sysadm_r; +') + +######################################## +## <summary> +## Change from the system administrator role. +## </summary> +## <desc> +## <p> +## Change from the system administrator role to +## the specified role. +## </p> +## <p> +## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +## </p> +## </desc> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`sysadm_role_change_to',` + gen_require(` + role sysadm_r; + ') + + allow sysadm_r $1; +') + +######################################## +## <summary> +## Execute a shell in the sysadm domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysadm_shell_domtrans',` + gen_require(` + type sysadm_t; + ') + + corecmd_shell_domtrans($1, sysadm_t) + allow sysadm_t $1:fd use; + allow sysadm_t $1:fifo_file rw_file_perms; + allow sysadm_t $1:process sigchld; +') + +######################################## +## <summary> +## Execute a generic bin program in the sysadm domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`sysadm_bin_spec_domtrans',` + gen_require(` + type sysadm_t; + ') + + corecmd_bin_spec_domtrans($1, sysadm_t) + allow sysadm_t $1:fd use; + allow sysadm_t $1:fifo_file rw_file_perms; + allow sysadm_t $1:process sigchld; +') + +######################################## +## <summary> +## Execute all entrypoint files in the sysadm domain. This +## is an explicit transition, requiring the +## caller to use setexeccon(). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysadm_entry_spec_domtrans',` + gen_require(` + type sysadm_t; + ') + + domain_entry_file_spec_domtrans($1, sysadm_t) + allow sysadm_t $1:fd use; + allow sysadm_t $1:fifo_file rw_file_perms; + allow sysadm_t $1:process sigchld; +') + +######################################## +## <summary> +## Allow sysadm to execute all entrypoint files in +## a specified domain. This is an explicit transition, +## requiring the caller to use setexeccon(). +## </summary> +## <desc> +## <p> +## Allow sysadm to execute all entrypoint files in +## a specified domain. This is an explicit transition, +## requiring the caller to use setexeccon(). +## </p> +## <p> +## This is a interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysadm_entry_spec_domtrans_to',` + gen_require(` + type sysadm_t; + ') + + domain_entry_file_spec_domtrans(sysadm_t, $1) + allow $1 sysadm_t:fd use; + allow $1 sysadm_t:fifo_file rw_file_perms; + allow $1 sysadm_t:process sigchld; +') + +######################################## +## <summary> +## Allow sysadm to execute a generic bin program in +## a specified domain. This is an explicit transition, +## requiring the caller to use setexeccon(). 
+## </summary> +## <desc> +## <p> +## Allow sysadm to execute a generic bin program in +## a specified domain. +## </p> +## <p> +## This is a interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain to execute in. +## </summary> +## </param> +# +interface(`sysadm_bin_spec_domtrans_to',` + gen_require(` + type sysadm_t; + ') + + corecmd_bin_spec_domtrans(sysadm_t, $1) + allow $1 sysadm_t:fd use; + allow $1 sysadm_t:fifo_file rw_file_perms; + allow $1 sysadm_t:process sigchld; +') + +######################################## +## <summary> +## Send a SIGCHLD signal to sysadm users. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysadm_sigchld',` + gen_require(` + type sysadm_t; + ') + + allow $1 sysadm_t:process sigchld; +') + +######################################## +## <summary> +## Inherit and use sysadm file descriptors +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysadm_use_fds',` + gen_require(` + type sysadm_t; + ') + + allow $1 sysadm_t:fd use; +') + +######################################## +## <summary> +## Read and write sysadm user unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysadm_rw_pipes',` + gen_require(` + type sysadm_t; + ') + + allow $1 sysadm_t:fifo_file rw_fifo_file_perms; +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te new file mode 100644 index 0000000..1a95085 --- /dev/null +++ b/policy/modules/roles/sysadm.te 
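Review bot: `sysadm_shell_domtrans`, `sysadm_bin_spec_domtrans`, `sysadm_entry_spec_domtrans`, `sysadm_entry_spec_domtrans_to` and `sysadm_bin_spec_domtrans_to` all use `rw_file_perms` on the `fifo_file` class (`allow sysadm_t $1:fifo_file rw_file_perms;`), while `sysadm_rw_pipes` in the same file uses `rw_fifo_file_perms`; use the fifo macro consistently so the permission set matches the object class. Documentation: the `<desc>` blocks of `sysadm_entry_spec_domtrans_to` and `sysadm_bin_spec_domtrans_to` read `This is a interface to support third party modules`; should be `an interface`.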
@@ -0,0 +1,515 @@ +policy_module(sysadm, 2.1.1) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow sysadm to debug or ptrace all processes. +## </p> +## </desc> +gen_tunable(allow_ptrace, false) + +role sysadm_r; + +userdom_admin_user_template(sysadm) + +ifndef(`enable_mls',` + userdom_security_admin_template(sysadm_t, sysadm_r) +') + +######################################## +# +# Local policy +# +kernel_read_fs_sysctls(sysadm_t) + +corecmd_exec_shell(sysadm_t) + +domain_dontaudit_read_all_domains_state(sysadm_t) + +files_read_kernel_modules(sysadm_t) + +mls_process_read_up(sysadm_t) +mls_file_read_to_clearance(sysadm_t) +mls_process_write_to_clearance(sysadm_t) + +ubac_process_exempt(sysadm_t) +ubac_file_exempt(sysadm_t) +ubac_fd_exempt(sysadm_t) + +application_exec(sysadm_t) + +init_exec(sysadm_t) +init_exec_script_files(sysadm_t) +init_dbus_chat(sysadm_t) +init_script_role_transition(sysadm_r) + +modutils_read_module_deps(sysadm_t) + +miscfiles_read_hwdata(sysadm_t) + +# Add/remove user home directories +userdom_manage_user_home_dirs(sysadm_t) +userdom_home_filetrans_user_home_dir(sysadm_t) +userdom_manage_user_tmp_dirs(sysadm_t) +userdom_manage_user_tmp_files(sysadm_t) +userdom_manage_user_tmp_symlinks(sysadm_t) +userdom_manage_user_tmp_chr_files(sysadm_t) +userdom_manage_user_tmp_blk_files(sysadm_t) + +ifdef(`direct_sysadm_daemon',` + optional_policy(` + init_run_daemon(sysadm_t, sysadm_r) + ') +',` + ifdef(`distro_gentoo',` + optional_policy(` + seutil_init_script_run_runinit(sysadm_t, sysadm_r) + ') + ') +') + +ifndef(`enable_mls',` + logging_manage_audit_log(sysadm_t) + logging_manage_audit_config(sysadm_t) + logging_run_auditctl(sysadm_t, sysadm_r) + logging_stream_connect_syslog(sysadm_t) +') + +tunable_policy(`allow_ptrace',` + domain_ptrace_all_domains(sysadm_t) +') + +optional_policy(` + amanda_run_recover(sysadm_t, sysadm_r) +') + +optional_policy(` + apache_run_helper(sysadm_t, sysadm_r) + 
#apache_run_all_scripts(sysadm_t, sysadm_r) + #apache_domtrans_sys_script(sysadm_t) +') + +optional_policy(` + # cjp: why is this not apm_run_client + apm_domtrans_client(sysadm_t) +') + +optional_policy(` + apt_run(sysadm_t, sysadm_r) +') + +optional_policy(` + auditadm_role_change(sysadm_r) +') + +optional_policy(` + backup_run(sysadm_t, sysadm_r) +') + +optional_policy(` + bind_run_ndc(sysadm_t, sysadm_r) +') + +optional_policy(` + bootloader_run(sysadm_t, sysadm_r) +') + +optional_policy(` + certmonger_dbus_chat(sysadm_t) +') + +optional_policy(` + certwatch_run(sysadm_t, sysadm_r) +') + +optional_policy(` + clock_run(sysadm_t, sysadm_r) +') + +optional_policy(` + clockspeed_run_cli(sysadm_t, sysadm_r) +') + +optional_policy(` + consoletype_run(sysadm_t, sysadm_r) +') + +optional_policy(` + daemonstools_run_start(sysadm_t, sysadm_r) +') + +optional_policy(` + dcc_run_cdcc(sysadm_t, sysadm_r) + dcc_run_client(sysadm_t, sysadm_r) + dcc_run_dbclean(sysadm_t, sysadm_r) +') + +optional_policy(` + ddcprobe_run(sysadm_t, sysadm_r) +') + +optional_policy(` + dmesg_exec(sysadm_t) +') + +optional_policy(` + dmidecode_run(sysadm_t, sysadm_r) +') + +optional_policy(` + dpkg_run(sysadm_t, sysadm_r) +') + +optional_policy(` + firstboot_run(sysadm_t, sysadm_r) +') + +optional_policy(` + fstools_run(sysadm_t, sysadm_r) +') + +optional_policy(` + hostname_run(sysadm_t, sysadm_r) +') + +optional_policy(` + # allow system administrator to use the ipsec script to look + # at things (e.g., ipsec auto --status) + # probably should create an ipsec_admin role for this kind of thing + ipsec_exec_mgmt(sysadm_t) + ipsec_stream_connect(sysadm_t) + # for lsof + ipsec_getattr_key_sockets(sysadm_t) + ipsec_run_setkey(sysadm_t, sysadm_r) + ipsec_run_racoon(sysadm_t, sysadm_r) + ipsec_stream_connect_racoon(sysadm_t) + + optional_policy(` + ipsec_mgmt_dbus_chat(sysadm_t) + ') +') + +optional_policy(` + iptables_run(sysadm_t, sysadm_r) +') + +optional_policy(` + kerberos_exec_kadmind(sysadm_t) 
+') + +optional_policy(` + kudzu_run(sysadm_t, sysadm_r) +') + +optional_policy(` + libs_run_ldconfig(sysadm_t, sysadm_r) +') + +optional_policy(` + logrotate_run(sysadm_t, sysadm_r) +') + +optional_policy(` + lpd_run_checkpc(sysadm_t, sysadm_r) + lpd_role(sysadm_r, sysadm_t) +') + +optional_policy(` + lvm_run(sysadm_t, sysadm_r) +') + +optional_policy(` + modutils_run_depmod(sysadm_t, sysadm_r) + modutils_run_insmod(sysadm_t, sysadm_r) + modutils_run_update_mods(sysadm_t, sysadm_r) +') + +optional_policy(` + mount_run(sysadm_t, sysadm_r) + mount_run_showmount(sysadm_t, sysadm_r) +') + +optional_policy(` + mta_role(sysadm_r, sysadm_t) +') + +optional_policy(` + munin_stream_connect(sysadm_t) +') + +optional_policy(` + mysql_stream_connect(sysadm_t) +') + +optional_policy(` + ncftool_run(sysadm_t, sysadm_r) +') + +optional_policy(` + netutils_run(sysadm_t, sysadm_r) + netutils_run_ping(sysadm_t, sysadm_r) + netutils_run_traceroute(sysadm_t, sysadm_r) +') + +optional_policy(` + ntp_stub() + corenet_udp_bind_ntp_port(sysadm_t) +') + +optional_policy(` + oav_run_update(sysadm_t, sysadm_r) +') + +optional_policy(` + oident_manage_user_content(sysadm_t) + oident_relabel_user_content(sysadm_t) +') + +optional_policy(` + pcmcia_run_cardctl(sysadm_t, sysadm_r) +') + +optional_policy(` + portage_run(sysadm_t, sysadm_r) + portage_run_gcc_config(sysadm_t, sysadm_r) +') + +optional_policy(` + portmap_run_helper(sysadm_t, sysadm_r) +') + +optional_policy(` + prelink_run(sysadm_t, sysadm_r) +') + +optional_policy(` + quota_run(sysadm_t, sysadm_r) +') + +optional_policy(` + raid_domtrans_mdadm(sysadm_t) +') + +optional_policy(` + rpc_domtrans_nfsd(sysadm_t) +') + +optional_policy(` + rpm_run(sysadm_t, sysadm_r) +') + + +optional_policy(` + rsync_exec(sysadm_t) +') + +optional_policy(` + samba_run_net(sysadm_t, sysadm_r) + samba_run_winbind_helper(sysadm_t, sysadm_r) +') + +optional_policy(` + screen_role_template(sysadm, sysadm_r, sysadm_t) +') + +optional_policy(` + 
secadm_role_change(sysadm_r) +') + +optional_policy(` + seutil_run_setfiles(sysadm_t, sysadm_r) + seutil_run_runinit(sysadm_t, sysadm_r) +') + +optional_policy(` + shutdown_run(sysadm_t, sysadm_r) +') + + +optional_policy(` + ssh_role_template(sysadm, sysadm_r, sysadm_t) +') + +optional_policy(` + staff_role_change(sysadm_r) +') + +optional_policy(` + su_role_template(sysadm, sysadm_r, sysadm_t) +') + +optional_policy(` + sudo_role_template(sysadm, sysadm_r, sysadm_t) +') + +optional_policy(` + sysnet_run_ifconfig(sysadm_t, sysadm_r) + sysnet_run_dhcpc(sysadm_t, sysadm_r) +') + +optional_policy(` + tripwire_run_siggen(sysadm_t, sysadm_r) + tripwire_run_tripwire(sysadm_t, sysadm_r) + tripwire_run_twadmin(sysadm_t, sysadm_r) + tripwire_run_twprint(sysadm_t, sysadm_r) +') + +optional_policy(` + tzdata_domtrans(sysadm_t) +') + +optional_policy(` + unconfined_domtrans(sysadm_t) +') + +optional_policy(` + unprivuser_role_change(sysadm_r) +') + +optional_policy(` + usbmodules_run(sysadm_t, sysadm_r) +') + +optional_policy(` + usermanage_run_admin_passwd(sysadm_t, sysadm_r) + usermanage_run_groupadd(sysadm_t, sysadm_r) + usermanage_run_useradd(sysadm_t, sysadm_r) +') + + +optional_policy(` + vpn_run(sysadm_t, sysadm_r) +') + +optional_policy(` + vpn_run(sysadm_t, sysadm_r) +') + +optional_policy(` + webalizer_run(sysadm_t, sysadm_r) +') + +optional_policy(` + virt_stream_connect(sysadm_t) +') + +optional_policy(` + yam_run(sysadm_t, sysadm_r) +') + +optional_policy(` + zebra_stream_connect(sysadm_t) +') + +ifndef(`distro_redhat',` + optional_policy(` + apache_role(sysadm_r, sysadm_t) + ') + optional_policy(` + auth_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + bluetooth_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + cdrecord_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + cron_admin_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + dbus_role_template(sysadm, sysadm_r, sysadm_t) + ') + + optional_policy(` + evolution_role(sysadm_r, sysadm_t) + ') + 
+ optional_policy(` + games_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + gift_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + gnome_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + gpg_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + irc_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + java_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + lockdev_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + mozilla_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + mplayer_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + pyzor_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + razor_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + rssh_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + spamassassin_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + thunderbird_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + tvtime_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + uml_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + userhelper_role_template(sysadm, sysadm_r, sysadm_t) + ') + + optional_policy(` + vmware_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + wireshark_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + xserver_role(sysadm_r, sysadm_t) + ') +') diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc new file mode 100644 index 0000000..0e8654b --- /dev/null +++ b/policy/modules/roles/unconfineduser.fc @@ -0,0 +1,8 @@ +# Add programs here which should not be confined by SELinux +# e.g.: +# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) +# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t +/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) + +/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0) +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) 
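Review bot: The `optional_policy(` vpn_run(sysadm_t, sysadm_r) ')` block appears twice in sysadm.te (immediately after the usermanage block and again before `webalizer_run`); drop the duplicate. The `unconfined_domtrans(sysadm_t)` optional block lets the confined sysadm domain transition into unconfined_t, which undercuts the confinement the rest of the module sets up; if it is required it should carry a comment saying why, or be gated behind a tunable the way `domain_ptrace_all_domains` is gated by `allow_ptrace`. Style: there are doubled blank lines before `rsync_exec(sysadm_t)`, `shutdown_run(sysadm_t, sysadm_r)` and the first `vpn_run`, and inside `ifndef(`distro_redhat',` the apache_role block is not separated from auth_role by a blank line.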
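Review bot: unconfineduser.fc labels `/usr/bin/vncserver`, `/usr/sbin/xrdp` and `/usr/sbin/xrdp-sesman` as `unconfined_exec_t`, so these remote-desktop services run fully unconfined once a domain transitions on that type; the comment above them (`For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t`) presents this as a stop-gap, so each entry should state why it is needed or reference a tracking item rather than leaving an open-ended TODO. The comment also talks about initrc while the entries are for vncserver and xrdp, and the blank line between the vncserver and xrdp entries has no explanation.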
diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if new file mode 100644 index 0000000..8b2cdf3 --- /dev/null +++ b/policy/modules/roles/unconfineduser.if 
@@ -0,0 +1,687 @@ +## <summary>Unconfiend user role</summary> + +######################################## +## <summary> +## Change from the unconfineduser role. +## </summary> +## <desc> +## <p> +## Change from the unconfineduser role to +## the specified role. +## </p> +## <p> +## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +## </p> +## </desc> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`unconfined_role_change_to',` + gen_require(` + role unconfined_r; + ') + + allow unconfined_r $1; +') + +######################################## +## <summary> +## Transition to the unconfined domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_domtrans',` + gen_require(` + type unconfined_t, unconfined_exec_t; + ') + + domtrans_pattern($1,unconfined_exec_t,unconfined_t) +') + +######################################## +## <summary> +## Execute specified programs in the unconfined domain. +## </summary> +## <param name="domain"> +## <summary> +## The type of the process performing this action. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the unconfined domain. +## </summary> +## </param> +# +interface(`unconfined_run',` + gen_require(` + type unconfined_t; + ') + + unconfined_domtrans($1) + role $2 types unconfined_t; +') + +######################################## +## <summary> +## Transition to the unconfined domain by executing a shell. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`unconfined_shell_domtrans',` + gen_require(` + attribute unconfined_login_domain; + ') + typeattribute $1 unconfined_login_domain; +') + +######################################## +## <summary> +## Allow unconfined to execute the specified program in +## the specified domain. +## </summary> +## <desc> +## <p> +## Allow unconfined to execute the specified program in +## the specified domain. +## </p> +## <p> +## This is a interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain to execute in. +## </summary> +## </param> +## <param name="entry_file"> +## <summary> +## Domain entry point file. +## </summary> +## </param> +# +interface(`unconfined_domtrans_to',` + gen_require(` + type unconfined_t; + ') + + domtrans_pattern(unconfined_t,$2,$1) +') + +######################################## +## <summary> +## Allow unconfined to execute the specified program in +## the specified domain. Allow the specified domain the +## unconfined role and use of unconfined user terminals. +## </summary> +## <desc> +## <p> +## Allow unconfined to execute the specified program in +## the specified domain. Allow the specified domain the +## unconfined role and use of unconfined user terminals. +## </p> +## <p> +## This is a interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain to execute in. +## </summary> +## </param> +## <param name="entry_file"> +## <summary> +## Domain entry point file. 
+## </summary> +## </param> +# +interface(`unconfined_run_to',` + gen_require(` + type unconfined_t; + role unconfined_r; + ') + + domtrans_pattern(unconfined_t,$2,$1) + role unconfined_r types $1; + userdom_use_user_terminals($1) +') + +######################################## +## <summary> +## Inherit file descriptors from the unconfined domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_use_fds',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:fd use; +') + +######################################## +## <summary> +## Send a SIGCHLD signal to the unconfined domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_sigchld',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process sigchld; +') + +######################################## +## <summary> +## Send a SIGNULL signal to the unconfined domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_signull',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process signull; +') + +######################################## +## <summary> +## Send a SIGNULL signal to the unconfined execmem domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_execmem_signull',` + gen_require(` + type unconfined_execmem_t; + ') + + allow $1 unconfined_execmem_t:process signull; +') + +######################################## +## <summary> +## Send a signal to the unconfined execmem domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`unconfined_execmem_signal',` + gen_require(` + type unconfined_execmem_t; + ') + + allow $1 unconfined_execmem_t:process signal; +') + +######################################## +## <summary> +## Send generic signals to the unconfined domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_signal',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process signal; +') + +######################################## +## <summary> +## Read unconfined domain unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_read_pipes',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:fifo_file read_fifo_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read unconfined domain unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_dontaudit_read_pipes',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:fifo_file read; +') + +######################################## +## <summary> +## Read and write unconfined domain unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_rw_pipes',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read and write +## unconfined domain unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`unconfined_dontaudit_rw_pipes',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:fifo_file rw_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read and write +## unconfined domain stream. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`unconfined_dontaudit_rw_stream',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms; +') + +######################################## +## <summary> +## Connect to the unconfined domain using +## a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_stream_connect',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:unix_stream_socket connectto; +') + +######################################## +## <summary> +## Do not audit attempts to read or write +## unconfined domain tcp sockets. +## </summary> +## <desc> +## <p> +## Do not audit attempts to read or write +## unconfined domain tcp sockets. +## </p> +## <p> +## This interface was added due to a broken +## symptom in ldconfig. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`unconfined_dontaudit_rw_tcp_sockets',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:tcp_socket { read write }; +') + +######################################## +## <summary> +## Do not audit attempts to read or write +## unconfined domain packet sockets. +## </summary> +## <desc> +## <p> +## Do not audit attempts to read or write +## unconfined domain packet sockets. +## </p> +## <p> +## This interface was added due to a broken +## symptom. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`unconfined_dontaudit_rw_packet_sockets',` + gen_require(` + type unconfined_t; + ') + + dontaudit $1 unconfined_t:packet_socket { read write }; +') + +######################################## +## <summary> +## Create keys for the unconfined domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_create_keys',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:key create; +') + +######################################## +## <summary> +## Send messages to the unconfined domain over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_dbus_send',` + gen_require(` + type unconfined_t; + class dbus send_msg; + ') + + allow $1 unconfined_t:dbus send_msg; +') + +######################################## +## <summary> +## Send and receive messages from +## unconfined_t over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_dbus_chat',` + gen_require(` + type unconfined_t; + class dbus send_msg; + ') + + allow $1 unconfined_t:dbus send_msg; + allow unconfined_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Connect to the the unconfined DBUS +## for service (acquire_svc). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_dbus_connect',` + gen_require(` + type unconfined_t; + class dbus acquire_svc; + ') + + allow $1 unconfined_t:dbus acquire_svc; +') + +######################################## +## <summary> +## Allow ptrace of unconfined domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`unconfined_ptrace',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process ptrace; +') + +######################################## +## <summary> +## Read and write to unconfined shared memory. +## </summary> +## <param name="domain"> +## <summary> +## The type of the process performing this action. +## </summary> +## </param> +# +interface(`unconfined_rw_shm',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:shm rw_shm_perms; +') + +######################################## +## <summary> +## Read and write to unconfined execmem shared memory. +## </summary> +## <param name="domain"> +## <summary> +## The type of the process performing this action. +## </summary> +## </param> +# +interface(`unconfined_execmem_rw_shm',` + gen_require(` + type unconfined_execmem_t; + ') + + allow $1 unconfined_execmem_t:shm rw_shm_perms; +') + +######################################## +## <summary> +## Transition to the unconfined_execmem domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_execmem_domtrans',` + + gen_require(` + type unconfined_execmem_t; + ') + + execmem_domtrans($1, unconfined_execmem_t) +') + +######################################## +## <summary> +## execute the execmem applications +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_execmem_exec',` + + gen_require(` + type execmem_exec_t; + ') + + can_exec($1, execmem_exec_t) +') + +######################################## +## <summary> +## Allow apps to set rlimits on userdomain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`unconfined_set_rlimitnh',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process rlimitinh; +') + +######################################## +## <summary> +## Get the process group of unconfined. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_getpgid',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:process getpgid; +') + +######################################## +## <summary> +## Change to the unconfined role. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`unconfined_role_change',` + gen_require(` + role unconfined_r; + ') + + allow $1 unconfined_r; +') + +######################################## +## <summary> +## Allow domain to attach to TUN devices created by unconfined_t users. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_attach_tun_iface',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 index 0000000..31bbe95 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te 
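Review bot: the interface name `unconfined_set_rlimitnh` does not match the permission it grants (`allow $1 unconfined_t:process rlimitinh;`), and its summary says "set rlimits on userdomain" although the rule targets unconfined_t; rename it to `unconfined_set_rlimitinh` and reword the summary before other modules start depending on the misspelled name. Also, `unconfined_ptrace` hands the caller `process ptrace` over every unconfined_t process, which amounts to full control of that user's session; the `<summary>` should say so plainly so that each caller of this interface gets reviewed with that in mind.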
@@ -0,0 +1,489 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## +# +# Declarations +# +attribute unconfined_login_domain; + +## <desc> +## <p> +## Transition unconfined user to the nsplugin domains when running nspluginviewer +## </p> +## </desc> +gen_tunable(allow_unconfined_nsplugin_transition, false) + +## <desc> +## <p> +## Transition unconfined user to the mozilla plugin domain when running xulrunner plugin-container. +## </p> +## </desc> +gen_tunable(unconfined_mozilla_plugin_transition, false) + +## <desc> +## <p> +## Allow vidio playing tools to tun unconfined +## </p> +## </desc> +gen_tunable(unconfined_mplayer, false) + +## <desc> +## <p> +## Allow a user to login as an unconfined domain +## </p> +## </desc> +gen_tunable(unconfined_login, true) + +## <desc> +## <p> +## Transition to confined qemu domains from unconfined user +## </p> +## </desc> +gen_tunable(allow_unconfined_qemu_transition, false) + +# usage in this module of types created by these +# calls is not correct, however we dont currently +# have another method to add access to these types +userdom_base_user_template(unconfined) +userdom_manage_home_role(unconfined_r, unconfined_t) +userdom_manage_tmp_role(unconfined_r, unconfined_t) +userdom_manage_tmpfs_role(unconfined_r, unconfined_t) +userdom_unpriv_usertype(unconfined, unconfined_t) + +type unconfined_exec_t; +init_system_domain(unconfined_t, unconfined_exec_t) +role unconfined_r types unconfined_t; +role_transition system_r unconfined_exec_t unconfined_r; +allow system_r unconfined_r; + +domain_user_exemption_target(unconfined_t) +allow system_r unconfined_r; +allow unconfined_r system_r; +init_script_role_transition(unconfined_r) +role system_r types unconfined_t; +typealias unconfined_t alias unconfined_crontab_t; + +type unconfined_notrans_t; +type unconfined_notrans_exec_t; +init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t) +role unconfined_r types unconfined_notrans_t; + 
+######################################## +# +# Local policy +# + +dontaudit unconfined_t self:dir write; +dontaudit unconfined_t self:file setattr; + +allow unconfined_t self:system syslog_read; +dontaudit unconfined_t self:capability sys_module; + +files_create_boot_flag(unconfined_t) +files_create_default_dir(unconfined_t) +files_root_filetrans_default(unconfined_t, dir) + +mcs_killall(unconfined_t) +mcs_ptrace_all(unconfined_t) +mls_file_write_all_levels(unconfined_t) + +init_run_daemon(unconfined_t, unconfined_r) +init_domtrans_script(unconfined_t) +init_telinit(unconfined_t) + +libs_run_ldconfig(unconfined_t, unconfined_r) + +logging_send_syslog_msg(unconfined_t) +logging_run_auditctl(unconfined_t, unconfined_r) + +mount_run_unconfined(unconfined_t, unconfined_r) +# Unconfined running as system_r +mount_domtrans_unconfined(unconfined_t) + +seutil_run_setsebool(unconfined_t, unconfined_r) +seutil_run_setfiles(unconfined_t, unconfined_r) +seutil_run_semanage(unconfined_t, unconfined_r) + +unconfined_domain_noaudit(unconfined_t) + +userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) + +usermanage_run_passwd(unconfined_t, unconfined_r) +usermanage_run_chfn(unconfined_t, unconfined_r) + +tunable_policy(`allow_execmem',` + allow unconfined_t self:process execmem; +') + +tunable_policy(`allow_execmem && allow_execstack',` + allow unconfined_t self:process execstack; +') + +tunable_policy(`allow_execmod',` + userdom_execmod_user_home_files(unconfined_usertype) +') + +tunable_policy(`unconfined_login',` + corecmd_shell_domtrans(unconfined_login_domain,unconfined_t) + allow unconfined_t unconfined_login_domain:fd use; + allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms; + allow unconfined_t unconfined_login_domain:process sigchld; +') + +optional_policy(` + gen_require(` + attribute unconfined_usertype; + ') + + nsplugin_role_notrans(unconfined_r, unconfined_usertype) + optional_policy(` + 
tunable_policy(`allow_unconfined_nsplugin_transition',` + nsplugin_domtrans(unconfined_usertype) + nsplugin_domtrans_config(unconfined_usertype) + ') + ') + + optional_policy(` + abrt_dbus_chat(unconfined_usertype) + abrt_run_helper(unconfined_usertype, unconfined_r) + ') + + optional_policy(` + avahi_dbus_chat(unconfined_usertype) + ') + + optional_policy(` + certmonger_dbus_chat(unconfined_usertype) + ') + + optional_policy(` + devicekit_dbus_chat(unconfined_usertype) + devicekit_dbus_chat_disk(unconfined_usertype) + devicekit_dbus_chat_power(unconfined_usertype) + ') + + optional_policy(` + hal_dbus_chat(unconfined_usertype) + ') + + optional_policy(` + networkmanager_dbus_chat(unconfined_usertype) + ') + + optional_policy(` + policykit_role(unconfined_r, unconfined_usertype) + ') + + optional_policy(` + rtkit_scheduled(unconfined_usertype) + ') + + optional_policy(` + setroubleshoot_dbus_chat(unconfined_usertype) + setroubleshoot_dbus_chat_fixit(unconfined_t) + ') + + optional_policy(` + sandbox_transition(unconfined_usertype, unconfined_r) + ') + + optional_policy(` + shutdown_run(unconfined_t, unconfined_r) + ') + + optional_policy(` + tzdata_run(unconfined_usertype, unconfined_r) + ') + + optional_policy(` + gen_require(` + type user_tmpfs_t; + ') + + xserver_rw_session(unconfined_usertype, user_tmpfs_t) + xserver_run_xauth(unconfined_usertype, unconfined_r) + xserver_dbus_chat_xdm(unconfined_usertype) + ') +') + +ifdef(`distro_gentoo',` + seutil_run_runinit(unconfined_t, unconfined_r) + seutil_init_script_run_runinit(unconfined_t, unconfined_r) +') + +optional_policy(` + accountsd_dbus_chat(unconfined_t) +') + +optional_policy(` + ada_run(unconfined_t, unconfined_r) +') + +optional_policy(` + alsa_run(unconfined_t, unconfined_r) +') + +optional_policy(` + apache_run_helper(unconfined_t, unconfined_r) +') + +optional_policy(` + bind_run_ndc(unconfined_t, unconfined_r) +') + +optional_policy(` + bootloader_run(unconfined_t, unconfined_r) +') + 
+optional_policy(` + cron_unconfined_role(unconfined_r, unconfined_t) +') + +optional_policy(` + chrome_role(unconfined_r, unconfined_usertype) +') + +optional_policy(` + dbus_role_template(unconfined, unconfined_r, unconfined_t) + + optional_policy(` + unconfined_domain(unconfined_dbusd_t) + unconfined_execmem_domtrans(unconfined_dbusd_t) + + optional_policy(` + xserver_rw_shm(unconfined_dbusd_t) + ') + ') + + init_dbus_chat(unconfined_usertype) + init_dbus_chat_script(unconfined_usertype) + + dbus_stub(unconfined_t) + + optional_policy(` + bluetooth_dbus_chat(unconfined_usertype) + ') + + optional_policy(` + consolekit_dbus_chat(unconfined_usertype) + ') + + optional_policy(` + cups_dbus_chat_config(unconfined_usertype) + ') + + optional_policy(` + fprintd_dbus_chat(unconfined_usertype) + ') + + optional_policy(` + gnomeclock_dbus_chat(unconfined_usertype) + gnome_dbus_chat_gconfdefault(unconfined_usertype) + ') + + optional_policy(` + ipsec_mgmt_dbus_chat(unconfined_usertype) + ') + + optional_policy(` + kerneloops_dbus_chat(unconfined_usertype) + ') + + optional_policy(` + oddjob_dbus_chat(unconfined_usertype) + ') + + optional_policy(` + vpn_dbus_chat(unconfined_usertype) + ') +') + +optional_policy(` + firewallgui_dbus_chat(unconfined_usertype) +') + +optional_policy(` + firstboot_run(unconfined_t, unconfined_r) +') + +optional_policy(` + ftp_run_ftpdctl(unconfined_t, unconfined_r) +') + +optional_policy(` + gpsd_run(unconfined_t, unconfined_r) +') + +optional_policy(` + java_run_unconfined(unconfined_t, unconfined_r) +') + +optional_policy(` + livecd_run(unconfined_t, unconfined_r) +') + +optional_policy(` + lpd_run_checkpc(unconfined_t, unconfined_r) +') + +optional_policy(` + modutils_run_update_mods(unconfined_t, unconfined_r) +') + +optional_policy(` + mono_role_template(unconfined, unconfined_r, unconfined_t) + unconfined_domain_noaudit(unconfined_mono_t) + role system_r types unconfined_mono_t; +') + + +optional_policy(` + 
mozilla_role_plugin(unconfined_r) + + tunable_policy(`unconfined_mozilla_plugin_transition', ` + mozilla_domtrans_plugin(unconfined_usertype) + ') +') + +optional_policy(` + ncftool_run(unconfined_t, unconfined_r) +') + +optional_policy(` + oddjob_run_mkhomedir(unconfined_t, unconfined_r) +') + +optional_policy(` + prelink_run(unconfined_t, unconfined_r) +') + +optional_policy(` + portmap_run_helper(unconfined_t, unconfined_r) +') + +#optional_policy(` +# ppp_run(unconfined_t, unconfined_r) +#') + +optional_policy(` + qemu_unconfined_role(unconfined_r) + + tunable_policy(`allow_unconfined_qemu_transition',` + qemu_domtrans(unconfined_t) + ',` + qemu_domtrans_unconfined(unconfined_t) + ') +') + +optional_policy(` + rpm_run(unconfined_t, unconfined_r) + # Allow SELinux aware applications to request rpm_script execution + rpm_transition_script(unconfined_t) + rpm_dbus_chat(unconfined_t) +') + +optional_policy(` + optional_policy(` + samba_run_unconfined_net(unconfined_t, unconfined_r) + ') + + samba_role_notrans(unconfined_r) +# samba_run_winbind_helper(unconfined_t, unconfined_r) + samba_run_smbcontrol(unconfined_t, unconfined_r) +') + +optional_policy(` + sendmail_run_unconfined(unconfined_t, unconfined_r) +') + +optional_policy(` + sysnet_run_dhcpc(unconfined_t, unconfined_r) + sysnet_dbus_chat_dhcpc(unconfined_t) + sysnet_role_transition_dhcpc(unconfined_r) +') + +optional_policy(` + telepathy_dbus_session_role(unconfined_r, unconfined_t) +') + +optional_policy(` + vbetool_run(unconfined_t, unconfined_r) +') + +optional_policy(` + virt_transition_svirt(unconfined_t, unconfined_r) +') + +optional_policy(` + vpn_run(unconfined_t, unconfined_r) +') + +optional_policy(` + webalizer_run(unconfined_t, unconfined_r) +') + +optional_policy(` + wine_run(unconfined_t, unconfined_r) +') + +optional_policy(` + xserver_run(unconfined_t, unconfined_r) +') + +######################################## +# +# Unconfined Execmem Local policy +# + +optional_policy(` + 
execmem_role_template(unconfined, unconfined_r, unconfined_t) + typealias unconfined_execmem_t alias execmem_t; + typealias unconfined_execmem_t alias unconfined_openoffice_t; + unconfined_domain_noaudit(unconfined_execmem_t) + allow unconfined_execmem_t unconfined_t:process transition; + rpm_transition_script(unconfined_execmem_t) + role system_r types unconfined_execmem_t; + + optional_policy(` + init_dbus_chat_script(unconfined_execmem_t) + dbus_system_bus_client(unconfined_execmem_t) + unconfined_dbus_chat(unconfined_execmem_t) + unconfined_dbus_connect(unconfined_execmem_t) + ') + + optional_policy(` + tunable_policy(`allow_unconfined_nsplugin_transition',`', ` + nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t) + ') + ') + + optional_policy(` + tunable_policy(`unconfined_login',` + mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t) + ') + ') + + optional_policy(` + openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t) + ') +') + +######################################## +# +# Unconfined notrans Local policy +# + +allow unconfined_notrans_t self:process { execstack execmem }; +unconfined_domain_noaudit(unconfined_notrans_t) +userdom_unpriv_usertype(unconfined, unconfined_notrans_t) +domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t) +# Allow SELinux aware applications to request rpm_script execution +rpm_transition_script(unconfined_notrans_t) +domain_ptrace_all_domains(unconfined_notrans_t) + +######################################## +# +# Unconfined mount local policy +# + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --git a/policy/modules/roles/unprivuser.fc b/policy/modules/roles/unprivuser.fc new file mode 100644 index 0000000..601a7b0 --- /dev/null +++ b/policy/modules/roles/unprivuser.fc @@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon 
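Review bot: the `unconfined_mplayer` tunable declared in the Declarations block is never referenced; the only mplayer rule, `mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)`, is wrapped in `tunable_policy(`unconfined_login',` ...)`, so toggling unconfined_mplayer has no effect and the transition is instead coupled to the login boolean. Gate that block on `unconfined_mplayer` (or drop the unused tunable). Smaller points in the same file: `allow system_r unconfined_r;` appears twice in the Declarations block; the tunable description "Allow vidio playing tools to tun unconfined" should read "video" and "run"; and the closing `gen_user(unconfined_u, ...)` sits under a header that says "Unconfined mount local policy", which does not describe it.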
diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if new file mode 100644 index 0000000..3835596 --- /dev/null +++ b/policy/modules/roles/unprivuser.if @@ -0,0 +1,50 @@ +## <summary>Generic unprivileged user role</summary> + +######################################## +## <summary> +## Change to the generic user role. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`unprivuser_role_change',` + gen_require(` + role user_r; + ') + + allow $1 user_r; +') + +######################################## +## <summary> +## Change from the generic user role. +## </summary> +## <desc> +## <p> +## Change from the generic user role to +## the specified role. +## </p> +## <p> +## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +## </p> +## </desc> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`unprivuser_role_change_to',` + gen_require(` + role user_r; + ') + + allow user_r $1; +') diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te new file mode 100644 index 0000000..2932c13 --- /dev/null +++ b/policy/modules/roles/unprivuser.te 
@@ -0,0 +1,182 @@ +policy_module(unprivuser, 2.1.2) + +# this module should be named user, but that is +# a compile error since user is a keyword. + +######################################## +# +# Declarations +# + +role user_r; + +userdom_unpriv_user_template(user) + +fs_exec_noxattr(user_t) + +optional_policy(` + apache_role(user_r, user_t) +') + +optional_policy(` + oident_manage_user_content(user_t) + oident_relabel_user_content(user_t) +') + +optional_policy(` + mozilla_run_plugin(user_t, user_r) +') + +optional_policy(` + rpm_dontaudit_dbus_chat(user_t) +') + +optional_policy(` + rtkit_scheduled(user_t) +') + +optional_policy(` + sandbox_transition(user_t, user_r) +') + +optional_policy(` + screen_role_template(user, user_r, user_t) +') + +optional_policy(` + setroubleshoot_dontaudit_stream_connect(user_t) +') + +optional_policy(` + telepathy_dbus_session_role(user_r, user_t) +') + +optional_policy(` + xserver_role(user_r, user_t) +') + +ifndef(`distro_redhat',` + optional_policy(` + auth_role(user_r, user_t) + ') + + optional_policy(` + bluetooth_role(user_r, user_t) + ') + + optional_policy(` + cdrecord_role(user_r, user_t) + ') + + optional_policy(` + cron_role(user_r, user_t) + ') + + optional_policy(` + dbus_role_template(user, user_r, user_t) + ') + + optional_policy(` + evolution_role(user_r, user_t) + ') + + optional_policy(` + games_role(user_r, user_t) + ') + + optional_policy(` + gift_role(user_r, user_t) + ') + + optional_policy(` + gnome_role(user_r, user_t) + ') + + optional_policy(` + gpg_role(user_r, user_t) + ') + + optional_policy(` + irc_role(user_r, user_t) + ') + + optional_policy(` + java_role(user_r, user_t) + ') + + optional_policy(` + lockdev_role(user_r, user_t) + ') + + optional_policy(` + lpd_role(user_r, user_t) + ') + + optional_policy(` + mozilla_role(user_r, user_t) + ') + + optional_policy(` + mplayer_role(user_r, user_t) + ') + + optional_policy(` + mta_role(user_r, user_t) + ') + + optional_policy(` + postgresql_role(user_r, 
user_t) + ') + + optional_policy(` + pyzor_role(user_r, user_t) + ') + + optional_policy(` + razor_role(user_r, user_t) + ') + + optional_policy(` + rssh_role(user_r, user_t) + ') + + optional_policy(` + spamassassin_role(user_r, user_t) + ') + + optional_policy(` + ssh_role_template(user, user_r, user_t) + ') + + optional_policy(` + su_role_template(user, user_r, user_t) + ') + + optional_policy(` + sudo_role_template(user, user_r, user_t) + ') + + optional_policy(` + thunderbird_role(user_r, user_t) + ') + + optional_policy(` + tvtime_role(user_r, user_t) + ') + + optional_policy(` + uml_role(user_r, user_t) + ') + + optional_policy(` + userhelper_role_template(user, user_r, user_t) + ') + + optional_policy(` + vmware_role(user_r, user_t) + ') + + optional_policy(` + wireshark_role(user_r, user_t) + ') +') diff --git a/policy/modules/roles/webadm.fc b/policy/modules/roles/webadm.fc new file mode 100644 index 0000000..d46378a --- /dev/null +++ b/policy/modules/roles/webadm.fc @@ -0,0 +1 @@ +# No webadm file contexts. diff --git a/policy/modules/roles/webadm.if b/policy/modules/roles/webadm.if new file mode 100644 index 0000000..cc34f8b --- /dev/null +++ b/policy/modules/roles/webadm.if 
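Review bot: in unprivuser.te, `fs_exec_noxattr(user_t)` is granted unconditionally, which lets user_t execute binaries from filesystems that carry no security labels (removable vfat or iso media, for example), whereas xguest.te in this same series only grants it inside `ifndef(`enable_mls',` ...)`. Either apply the same guard here or record why the generic user role needs it in every build.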
@@ -0,0 +1,50 @@ +## <summary>Web administrator role</summary> + +######################################## +## <summary> +## Change to the web administrator role. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`webadm_role_change',` + gen_require(` + role webadm_r; + ') + + allow $1 webadm_r; +') + +######################################## +## <summary> +## Change from the web administrator role. +## </summary> +## <desc> +## <p> +## Change from the web administrator role to +## the specified role. +## </p> +## <p> +## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +## </p> +## </desc> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`webadm_role_change_to',` + gen_require(` + role webadm_r; + ') + + allow webadm_r $1; +') diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te new file mode 100644 index 0000000..dbf2710 --- /dev/null +++ b/policy/modules/roles/webadm.te 
@@ -0,0 +1,56 @@ +policy_module(webadm, 1.1.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow webadm to manage files in users home directories +## </p> +## </desc> +gen_tunable(webadm_manage_user_files, false) + +## <desc> +## <p> +## Allow webadm to read files in users home directories +## </p> +## </desc> +gen_tunable(webadm_read_user_files, false) + +role webadm_r; + +userdom_base_user_template(webadm) + +######################################## +# +# webadmin local policy +# + +allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; + +files_dontaudit_search_all_dirs(webadm_t) +files_manage_generic_locks(webadm_t) +files_list_var(webadm_t) + +selinux_get_enforce_mode(webadm_t) +seutil_domtrans_setfiles(webadm_t) + +logging_send_syslog_msg(webadm_t) +logging_send_audit_msgs(webadm_t) + +userdom_dontaudit_search_user_home_dirs(webadm_t) + +apache_admin(webadm_t, webadm_r) + +tunable_policy(`webadm_manage_user_files',` + userdom_manage_user_home_content_files(webadm_t) + userdom_read_user_tmp_files(webadm_t) + userdom_write_user_tmp_files(webadm_t) +') + +tunable_policy(`webadm_read_user_files',` + userdom_read_user_home_content_files(webadm_t) + userdom_read_user_tmp_files(webadm_t) +') diff --git a/policy/modules/roles/xguest.fc b/policy/modules/roles/xguest.fc new file mode 100644 index 0000000..601a7b0 --- /dev/null +++ b/policy/modules/roles/xguest.fc @@ -0,0 +1 @@ +# file contexts handled by userdomain and genhomedircon diff --git a/policy/modules/roles/xguest.if b/policy/modules/roles/xguest.if new file mode 100644 index 0000000..d2234e3 --- /dev/null +++ b/policy/modules/roles/xguest.if 
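Review bot: `allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };` gives the web administrator role sys_ptrace (and dac_override), a broad grant for a role whose stated purpose is to administer apache via `apache_admin(webadm_t, webadm_r)`; drop the capabilities that have no corresponding rule in this file or document the use case that needs them. Also, `seutil_domtrans_setfiles(webadm_t)` only sets up the domain transition; unless `apache_admin` also adds `role webadm_r types setfiles_t`, running setfiles/restorecon from webadm_r will be refused as an invalid context, and `seutil_run_setfiles(webadm_t, webadm_r)` (as used in unconfineduser.te) would take care of both.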
@@ -0,0 +1,50 @@ +## <summary>Least privledge xwindows user role</summary> + +######################################## +## <summary> +## Change to the xguest role. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`xguest_role_change',` + gen_require(` + role xguest_r; + ') + + allow $1 xguest_r; +') + +######################################## +## <summary> +## Change from the xguest role. +## </summary> +## <desc> +## <p> +## Change from the xguest role to +## the specified role. +## </p> +## <p> +## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +## </p> +## </desc> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`xguest_role_change_to',` + gen_require(` + role xguest_r; + ') + + allow xguest_r $1; +') diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te new file mode 100644 index 0000000..e76f7a7 --- /dev/null +++ b/policy/modules/roles/xguest.te 
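Review bot: typo in the module summary of xguest.if: "Least privledge xwindows user role" should read "Least privilege X Windows user role"; this string is what the generated interface documentation shows.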
@@ -0,0 +1,173 @@ +policy_module(xguest, 1.1.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow xguest users to mount removable media +## </p> +## </desc> +gen_tunable(xguest_mount_media, true) + +## <desc> +## <p> +## Allow xguest to configure Network Manager and connect to apache ports +## </p> +## </desc> +gen_tunable(xguest_connect_network, true) + +## <desc> +## <p> +## Allow xguest to use blue tooth devices +## </p> +## </desc> +gen_tunable(xguest_use_bluetooth, true) + +role xguest_r; + +userdom_restricted_xwindows_user_template(xguest) +sysnet_dns_name_resolve(xguest_t) + +######################################## +# +# Local policy +# +ifndef(`enable_mls',` + fs_exec_noxattr(xguest_t) + + tunable_policy(`user_rw_noexattrfile',` + fs_manage_noxattr_fs_files(xguest_t) + fs_manage_noxattr_fs_dirs(xguest_t) + # Write floppies + storage_raw_read_removable_device(xguest_t) + storage_raw_write_removable_device(xguest_t) + ',` + storage_raw_read_removable_device(xguest_t) + ') +') +# Dontaudit fusermount +mount_dontaudit_exec_fusermount(xguest_t) + +allow xguest_t self:process execmem; +kernel_dontaudit_request_load_module(xguest_t) + +tunable_policy(`allow_execstack',` + allow xguest_t self:process execstack; +') + +# Allow mounting of file systems +optional_policy(` + tunable_policy(`xguest_mount_media',` + kernel_read_fs_sysctls(xguest_t) + kernel_request_load_module(xguest_t) + files_dontaudit_getattr_boot_dirs(xguest_t) + files_search_mnt(xguest_t) + + fs_manage_noxattr_fs_files(xguest_t) + fs_manage_noxattr_fs_dirs(xguest_t) + fs_manage_noxattr_fs_dirs(xguest_t) + fs_getattr_noxattr_fs(xguest_t) + fs_read_noxattr_fs_symlinks(xguest_t) + fs_mount_fusefs(xguest_t) + + auth_list_pam_console_data(xguest_t) + ') +') + +optional_policy(` + tunable_policy(`xguest_use_bluetooth',` + bluetooth_dbus_chat(xguest_t) + ') +') + +optional_policy(` + chrome_role(xguest_r, xguest_usertype) +') + + +optional_policy(` + 
hal_dbus_chat(xguest_t) +') + +optional_policy(` + apache_role(xguest_r, xguest_t) +') + +optional_policy(` + gnomeclock_dontaudit_dbus_chat(xguest_t) +') + +optional_policy(` + java_role_template(xguest, xguest_r, xguest_t) +') + +optional_policy(` + mono_role_template(xguest, xguest_r, xguest_t) +') + +optional_policy(` + mozilla_run_plugin(xguest_t, xguest_r) +') + +optional_policy(` + nsplugin_role(xguest_r, xguest_t) +') + +optional_policy(` + tunable_policy(`xguest_connect_network',` + kernel_read_network_state(xguest_usertype) + + networkmanager_dbus_chat(xguest_t) + networkmanager_read_lib_files(xguest_t) + corenet_tcp_connect_pulseaudio_port(xguest_usertype) + corenet_all_recvfrom_unlabeled(xguest_usertype) + corenet_all_recvfrom_netlabel(xguest_usertype) + corenet_tcp_sendrecv_generic_if(xguest_usertype) + corenet_raw_sendrecv_generic_if(xguest_usertype) + corenet_tcp_sendrecv_generic_node(xguest_usertype) + corenet_raw_sendrecv_generic_node(xguest_usertype) + corenet_tcp_sendrecv_http_port(xguest_usertype) + corenet_tcp_sendrecv_http_cache_port(xguest_usertype) + corenet_tcp_sendrecv_squid_port(xguest_usertype) + corenet_tcp_sendrecv_ftp_port(xguest_usertype) + corenet_tcp_sendrecv_ipp_port(xguest_usertype) + corenet_tcp_connect_http_port(xguest_usertype) + corenet_tcp_connect_http_cache_port(xguest_usertype) + corenet_tcp_connect_squid_port(xguest_usertype) + corenet_tcp_connect_flash_port(xguest_usertype) + corenet_tcp_connect_ftp_port(xguest_usertype) + corenet_tcp_connect_ipp_port(xguest_usertype) + corenet_tcp_connect_generic_port(xguest_usertype) + corenet_tcp_connect_soundd_port(xguest_usertype) + corenet_sendrecv_http_client_packets(xguest_usertype) + corenet_sendrecv_http_cache_client_packets(xguest_usertype) + corenet_sendrecv_squid_client_packets(xguest_usertype) + corenet_sendrecv_ftp_client_packets(xguest_usertype) + corenet_sendrecv_ipp_client_packets(xguest_usertype) + corenet_sendrecv_generic_client_packets(xguest_usertype) + # Should not 
need other ports + corenet_dontaudit_tcp_sendrecv_generic_port(xguest_usertype) + corenet_dontaudit_tcp_bind_generic_port(xguest_usertype) + corenet_tcp_connect_speech_port(xguest_usertype) + corenet_tcp_sendrecv_transproxy_port(xguest_usertype) + corenet_tcp_connect_transproxy_port(xguest_usertype) + ') + + optional_policy(` + telepathy_dbus_session_role(xguest_r, xguest_t) + ') +') + +optional_policy(` + gen_require(` + type mozilla_t; + ') + + allow xguest_t mozilla_t:process transition; + role xguest_r types mozilla_t; +') + +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc new file mode 100644 index 0000000..3b3ba64 --- /dev/null +++ b/policy/modules/services/abrt.fc @@ -0,0 +1,21 @@ +/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) +/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) + +/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) + +/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) +/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) + +/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) + +/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) +/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) + +/var/log/abrt-logger -- gen_context(system_u:object_r:abrt_var_log_t,s0) + +/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) + +/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if new file mode 100644 index 0000000..8961dba --- /dev/null 
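Review bot: the `xguest_connect_network` tunable is described as "Allow xguest to configure Network Manager and connect to apache ports", but the block it guards also grants `corenet_tcp_connect_generic_port(xguest_usertype)` plus the squid, ftp, ipp, flash, soundd, speech and transproxy ports, so with the default `true` an xguest session can open TCP connections to any port carrying the generic port type; either narrow the rules to what the description promises or rewrite the description so administrators know what they are enabling. In the `xguest_mount_media` block `fs_manage_noxattr_fs_dirs(xguest_t)` is listed twice. Note too that `sysnet_dns_name_resolve(xguest_t)` sits outside the tunable, so DNS stays available when the boolean is off, and the `xguest_use_bluetooth` description spells it "blue tooth".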
+++ b/policy/modules/services/abrt.if 
@@ -0,0 +1,343 @@ +## <summary>ABRT - automated bug-reporting tool</summary> + +###################################### +## <summary> +## Execute abrt in the abrt domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`abrt_domtrans',` + gen_require(` + type abrt_t, abrt_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, abrt_exec_t, abrt_t) +') + +###################################### +## <summary> +## Execute abrt in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`abrt_exec',` + gen_require(` + type abrt_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, abrt_exec_t) +') + +######################################## +## <summary> +## Send a null signal to abrt. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`abrt_signull',` + gen_require(` + type abrt_t; + ') + + allow $1 abrt_t:process signull; +') + +######################################## +## <summary> +## Allow the domain to read abrt state files in /proc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`abrt_read_state',` + gen_require(` + type abrt_t; + ') + + kernel_search_proc($1) + ps_process_pattern($1, abrt_t) +') + +######################################## +## <summary> +## Connect to abrt over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`abrt_stream_connect',` + gen_require(` + type abrt_t, abrt_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, abrt_var_run_t, abrt_var_run_t, abrt_t) +') + +######################################## +## <summary> +## Send and receive messages from +## abrt over dbus. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`abrt_dbus_chat',` + gen_require(` + type abrt_t; + class dbus send_msg; + ') + + allow $1 abrt_t:dbus send_msg; + allow abrt_t $1:dbus send_msg; +') + +##################################### +## <summary> +## Execute abrt-helper in the abrt-helper domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`abrt_domtrans_helper',` + gen_require(` + type abrt_helper_t, abrt_helper_exec_t; + ') + + domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t) + + ifdef(`hide_broken_symptoms', ` + dontaudit abrt_helper_t $1:socket_class_set { read write }; + ') +') + +######################################## +## <summary> +## Execute abrt helper in the abrt_helper domain, and +## allow the specified role the abrt_helper domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`abrt_run_helper',` + gen_require(` + type abrt_helper_t; + ') + + abrt_domtrans_helper($1) + role $2 types abrt_helper_t; +') + +######################################## +## <summary> +## Append abrt cache +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`abrt_cache_append',` + gen_require(` + type abrt_var_cache_t; + ') + + append_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) +') + +######################################## +## <summary> +## Manage abrt cache +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`abrt_cache_manage',` + gen_require(` + type abrt_var_cache_t; + ') + + manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) +') + +#################################### +## <summary> +## Read abrt configuration file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`abrt_read_config',` + gen_require(` + type abrt_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, abrt_etc_t, abrt_etc_t) +') + +###################################### +## <summary> +## Read abrt logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`abrt_read_log',` + gen_require(` + type abrt_var_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, abrt_var_log_t, abrt_var_log_t) +') + +###################################### +## <summary> +## Read abrt PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`abrt_read_pid_files',` + gen_require(` + type abrt_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, abrt_var_run_t, abrt_var_run_t) +') + +###################################### +## <summary> +## Create, read, write, and delete abrt PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`abrt_manage_pid_files',` + gen_require(` + type abrt_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) +') + +######################################## +## <summary> +## Read and write abrt fifo files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`abrt_rw_fifo_file',` + gen_require(` + type abrt_t; + ') + + allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms; +') + +##################################### +## <summary> +## All of the rules required to administrate +## an abrt environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the abrt domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`abrt_admin',` + gen_require(` + type abrt_t, abrt_etc_t; + type abrt_var_cache_t, abrt_var_log_t; + type abrt_var_run_t, abrt_tmp_t; + type abrt_initrc_exec_t; + ') + + allow $1 abrt_t:process { ptrace signal_perms }; + ps_process_pattern($1, abrt_t) + + init_labeled_script_domtrans($1, abrt_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 abrt_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, abrt_etc_t) + + logging_list_logs($1) + admin_pattern($1, abrt_var_log_t) + + files_list_var($1) + admin_pattern($1, abrt_var_cache_t) + + files_list_pids($1) + admin_pattern($1, abrt_var_run_t) + + files_list_tmp($1) + admin_pattern($1, abrt_tmp_t) +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te new file mode 100644 index 0000000..5be7dc8 --- /dev/null +++ b/policy/modules/services/abrt.te 
@@ -0,0 +1,274 @@ +policy_module(abrt, 1.1.1) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow ABRT to modify public files +## used for public file transfer services. +## </p> +## </desc> +gen_tunable(abrt_anon_write, false) + +type abrt_t; +type abrt_exec_t; +init_daemon_domain(abrt_t, abrt_exec_t) + +type abrt_initrc_exec_t; +init_script_file(abrt_initrc_exec_t) + +# etc files +type abrt_etc_t; +files_config_file(abrt_etc_t) + +# log files +type abrt_var_log_t; +logging_log_file(abrt_var_log_t) + +# tmp files +type abrt_tmp_t; +files_tmp_file(abrt_tmp_t) + +# var/cache files +type abrt_var_cache_t; +files_type(abrt_var_cache_t) + +# pid files +type abrt_var_run_t; +files_pid_file(abrt_var_run_t) + +# type needed to allow all domains +# to handle /var/cache/abrt +type abrt_helper_t; +type abrt_helper_exec_t; +application_domain(abrt_helper_t, abrt_helper_exec_t) +role system_r types abrt_helper_t; + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) +') + +######################################## +# +# abrt local policy +# + +allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override }; +dontaudit abrt_t self:capability sys_rawio; +allow abrt_t self:process { sigkill signal signull setsched getsched }; + +allow abrt_t self:fifo_file rw_fifo_file_perms; +allow abrt_t self:tcp_socket create_stream_socket_perms; +allow abrt_t self:udp_socket create_socket_perms; +allow abrt_t self:unix_dgram_socket create_socket_perms; +allow abrt_t self:netlink_route_socket r_netlink_socket_perms; + +# abrt etc files +rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) + +# log file +manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) +logging_log_filetrans(abrt_t, abrt_var_log_t, file) + +# abrt tmp files +manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) +manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) +files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) 
+can_exec(abrt_t, abrt_tmp_t) + +# abrt var/cache files +manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) +manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) +manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) +files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir }) +files_spool_filetrans(abrt_t, abrt_var_cache_t, dir) + +# abrt pid files +manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file }) + +kernel_read_ring_buffer(abrt_t) +kernel_read_system_state(abrt_t) +kernel_rw_kernel_sysctl(abrt_t) + +corecmd_exec_bin(abrt_t) +corecmd_exec_shell(abrt_t) +corecmd_read_all_executables(abrt_t) + +corenet_all_recvfrom_netlabel(abrt_t) +corenet_all_recvfrom_unlabeled(abrt_t) +corenet_tcp_sendrecv_generic_if(abrt_t) +corenet_tcp_sendrecv_generic_node(abrt_t) +corenet_tcp_sendrecv_generic_port(abrt_t) +corenet_tcp_bind_generic_node(abrt_t) +corenet_tcp_connect_http_port(abrt_t) +corenet_tcp_connect_ftp_port(abrt_t) +corenet_tcp_connect_all_ports(abrt_t) +corenet_sendrecv_http_client_packets(abrt_t) + +dev_getattr_all_chr_files(abrt_t) +dev_read_urand(abrt_t) +dev_rw_sysfs(abrt_t) +dev_dontaudit_read_raw_memory(abrt_t) + +domain_getattr_all_domains(abrt_t) +domain_read_all_domains_state(abrt_t) +domain_signull_all_domains(abrt_t) + +files_getattr_all_files(abrt_t) +files_read_etc_files(abrt_t) +files_read_var_symlinks(abrt_t) +files_read_var_lib_files(abrt_t) +files_read_usr_files(abrt_t) +files_read_generic_tmp_files(abrt_t) +files_read_kernel_modules(abrt_t) +files_dontaudit_list_default(abrt_t) +files_dontaudit_read_default_files(abrt_t) +files_dontaudit_read_all_symlinks(abrt_t) +files_dontaudit_getattr_all_sockets(abrt_t) + +fs_list_inotifyfs(abrt_t) 
+fs_getattr_all_fs(abrt_t) +fs_getattr_all_dirs(abrt_t) +fs_read_fusefs_files(abrt_t) +fs_read_noxattr_fs_files(abrt_t) +fs_read_nfs_files(abrt_t) +fs_read_nfs_symlinks(abrt_t) +fs_search_all(abrt_t) + +sysnet_dns_name_resolve(abrt_t) + +logging_read_generic_logs(abrt_t) +logging_send_syslog_msg(abrt_t) + +miscfiles_read_generic_certs(abrt_t) +miscfiles_read_localization(abrt_t) + +userdom_dontaudit_read_user_home_content_files(abrt_t) +userdom_dontaudit_read_admin_home_files(abrt_t) + +tunable_policy(`abrt_anon_write',` + miscfiles_manage_public_files(abrt_t) +') + +optional_policy(` + apache_read_modules(abrt_t) +') + +optional_policy(` + dbus_system_domain(abrt_t, abrt_exec_t) +') + +optional_policy(` + nis_use_ypbind(abrt_t) +') + +optional_policy(` + nsplugin_read_rw_files(abrt_t) + nsplugin_read_home(abrt_t) +') + +optional_policy(` + policykit_dbus_chat(abrt_t) + policykit_domtrans_auth(abrt_t) + policykit_read_lib(abrt_t) + policykit_read_reload(abrt_t) +') + +optional_policy(` + prelink_exec(abrt_t) + libs_exec_ld_so(abrt_t) + corecmd_exec_all_executables(abrt_t) +') + +# to install debuginfo packages +optional_policy(` + rpm_exec(abrt_t) + rpm_dontaudit_manage_db(abrt_t) + rpm_manage_cache(abrt_t) + rpm_manage_pid_files(abrt_t) + rpm_read_db(abrt_t) + rpm_signull(abrt_t) +') + +# to run mailx plugin +optional_policy(` + sendmail_domtrans(abrt_t) +') + +optional_policy(` + sosreport_domtrans(abrt_t) + sosreport_read_tmp_files(abrt_t) + sosreport_delete_tmp_files(abrt_t) +') + +optional_policy(` + sssd_stream_connect(abrt_t) +') + +######################################## +# +# abrt-helper local policy +# + +allow abrt_helper_t self:capability { chown setgid sys_nice }; +allow abrt_helper_t self:process signal; + +read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t) + +files_search_spool(abrt_helper_t) +manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) 
+manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) + +read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) +read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) + +domain_read_all_domains_state(abrt_helper_t) + +files_read_etc_files(abrt_helper_t) +files_dontaudit_all_non_security_leaks(abrt_helper_t) + +fs_list_inotifyfs(abrt_helper_t) +fs_getattr_all_fs(abrt_helper_t) + +auth_use_nsswitch(abrt_helper_t) + +logging_send_syslog_msg(abrt_helper_t) + +miscfiles_read_localization(abrt_helper_t) + +term_dontaudit_use_all_ttys(abrt_helper_t) +term_dontaudit_use_all_ptys(abrt_helper_t) + +ifdef(`hide_broken_symptoms',` + domain_dontaudit_leaks(abrt_helper_t) + userdom_dontaudit_read_user_home_content_files(abrt_helper_t) + userdom_dontaudit_read_user_tmp_files(abrt_helper_t) + dev_dontaudit_read_all_blk_files(abrt_helper_t) + dev_dontaudit_read_all_chr_files(abrt_helper_t) + dev_dontaudit_write_all_chr_files(abrt_helper_t) + dev_dontaudit_write_all_blk_files(abrt_helper_t) + fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) + + optional_policy(` + rpm_dontaudit_leaks(abrt_helper_t) + ') +') + +ifdef(`hide_broken_symptoms',` + gen_require(` + attribute domain; + ') + + allow abrt_t self:capability sys_resource; + allow abrt_t domain:file write; + allow abrt_t domain:process setrlimit; +') diff --git a/policy/modules/services/accountsd.fc b/policy/modules/services/accountsd.fc new file mode 100644 index 0000000..1adca53 --- /dev/null +++ b/policy/modules/services/accountsd.fc @@ -0,0 +1,3 @@ +/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) + +/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0) diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if new file mode 100644 index 0000000..d639ae0 --- /dev/null +++ b/policy/modules/services/accountsd.if 
@@ -0,0 +1,145 @@ +## <summary>AccountsService and daemon for manipulating user account information via D-Bus</summary> + +######################################## +## <summary> +## Execute a domain transition to run accountsd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`accountsd_domtrans',` + gen_require(` + type accountsd_t, accountsd_exec_t; + ') + + domtrans_pattern($1, accountsd_exec_t, accountsd_t) +') + +######################################## +## <summary> +## Do not audit attempts to read and write Accounts Daemon +## fifo file. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`accountsd_dontaudit_rw_fifo_file',` + gen_require(` + type accountsd_t; + ') + + dontaudit $1 accountsd_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## <summary> +## Send and receive messages from +## accountsd over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`accountsd_dbus_chat',` + gen_require(` + type accountsd_t; + class dbus send_msg; + ') + + allow $1 accountsd_t:dbus send_msg; + allow accountsd_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Search accountsd lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`accountsd_search_lib',` + gen_require(` + type accountsd_var_lib_t; + ') + + allow $1 accountsd_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Read accountsd lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`accountsd_read_lib_files',` + gen_require(` + type accountsd_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## accountsd lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`accountsd_manage_lib_files',` + gen_require(` + type accountsd_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an accountsd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`accountsd_admin',` + gen_require(` + type accountsd_t; + ') + + allow $1 accountsd_t:process { ptrace signal_perms }; + ps_process_pattern($1, accountsd_t) + + accountsd_manage_lib_files($1) +') diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te new file mode 100644 index 0000000..2724c11 --- /dev/null +++ b/policy/modules/services/accountsd.te 
@@ -0,0 +1,64 @@ +policy_module(accountsd, 1.0.0) + +######################################## +# +# Declarations +# + +type accountsd_t; +type accountsd_exec_t; +dbus_system_domain(accountsd_t, accountsd_exec_t) +init_daemon_domain(accountsd_t, accountsd_exec_t) +role system_r types accountsd_t; + +type accountsd_var_lib_t; +files_type(accountsd_var_lib_t) + +######################################## +# +# accountsd local policy +# + +allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace }; +allow accountsd_t self:fifo_file rw_fifo_file_perms; + +manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) +manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) +files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir }) + +kernel_read_kernel_sysctls(accountsd_t) + +corecmd_exec_bin(accountsd_t) + +files_read_usr_files(accountsd_t) +files_read_mnt_files(accountsd_t) + +fs_list_inotifyfs(accountsd_t) +fs_read_noxattr_fs_files(accountsd_t) + +auth_use_nsswitch(accountsd_t) +auth_read_shadow(accountsd_t) + +miscfiles_read_localization(accountsd_t) + +logging_send_syslog_msg(accountsd_t) +logging_set_loginuid(accountsd_t) + +userdom_read_user_tmp_files(accountsd_t) +userdom_read_user_home_content_files(accountsd_t) + +usermanage_domtrans_useradd(accountsd_t) +usermanage_domtrans_passwd(accountsd_t) + +optional_policy(` + consolekit_read_log(accountsd_t) +') + +optional_policy(` + policykit_dbus_chat(accountsd_t) +') + +optional_policy(` + xserver_dbus_chat_xdm(accountsd_t) + xserver_manage_xdm_etc_files(accountsd_t) +') diff --git a/policy/modules/services/afs.fc b/policy/modules/services/afs.fc new file mode 100644 index 0000000..eaea138 --- /dev/null +++ b/policy/modules/services/afs.fc 
@@ -0,0 +1,32 @@ +/etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) +/etc/rc\.d/init\.d/afs -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) + +/usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0) +/usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) +/usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0) +/usr/afs/bin/ptserver -- gen_context(system_u:object_r:afs_ptserver_exec_t,s0) +/usr/afs/bin/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) +/usr/afs/bin/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) +/usr/afs/bin/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0) + +/usr/afs/db -d gen_context(system_u:object_r:afs_dbdir_t,s0) +/usr/afs/db/pr.* -- gen_context(system_u:object_r:afs_pt_db_t,s0) +/usr/afs/db/ka.* -- gen_context(system_u:object_r:afs_ka_db_t,s0) +/usr/afs/db/vl.* -- gen_context(system_u:object_r:afs_vl_db_t,s0) + +/usr/afs/etc(/.*)? gen_context(system_u:object_r:afs_config_t,s0) + +/usr/afs/local(/.*)? gen_context(system_u:object_r:afs_config_t,s0) + +/usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0) + +/usr/sbin/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) + +/usr/vice/cache(/.*)? gen_context(system_u:object_r:afs_cache_t,s0) +/usr/vice/etc/afsd -- gen_context(system_u:object_r:afs_exec_t,s0) + +/var/cache/afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0) + +/vicepa gen_context(system_u:object_r:afs_files_t,s0) +/vicepb gen_context(system_u:object_r:afs_files_t,s0) +/vicepc gen_context(system_u:object_r:afs_files_t,s0) diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if new file mode 100644 index 0000000..49c0cc8 --- /dev/null +++ b/policy/modules/services/afs.if 
@@ -0,0 +1,109 @@ +## <summary>Andrew Filesystem server</summary> + +######################################## +## <summary> +## Execute a domain transition to run the +## afs client. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`afs_domtrans',` + gen_require(` + type afs_t, afs_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, afs_exec_t, afs_t) +') + +######################################## +## <summary> +## Read and write afs client UDP sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`afs_rw_udp_sockets',` + gen_require(` + type afs_t; + ') + + allow $1 afs_t:udp_socket { read write }; +') + +######################################## +## <summary> +## read/write afs cache files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`afs_rw_cache',` + gen_require(` + type afs_cache_t; + ') + + files_search_var($1) + allow $1 afs_cache_t:file { read write }; +') + +######################################## +## <summary> +## Execute afs server in the afs domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`afs_initrc_domtrans',` + gen_require(` + type afs_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, afs_initrc_exec_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an afs environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the afs domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`afs_admin',` + gen_require(` + type afs_t, afs_initrc_exec_t; + ') + + allow $1 afs_t:process { ptrace signal_perms }; + ps_process_pattern($1, afs_t) + + # Allow afs_admin to restart the afs service + afs_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 afs_initrc_exec_t system_r; + allow $2 system_r; + +') diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te new file mode 100644 index 0000000..7e2cdf2 --- /dev/null +++ b/policy/modules/services/afs.te 
@@ -0,0 +1,359 @@ +policy_module(afs, 1.6.1) + +######################################## +# +# Declarations +# + +type afs_t; +type afs_exec_t; +init_daemon_domain(afs_t, afs_exec_t) + +type afs_bosserver_t; +type afs_bosserver_exec_t; +init_daemon_domain(afs_bosserver_t, afs_bosserver_exec_t) + +type afs_cache_t; +files_type(afs_cache_t) + +type afs_config_t; +files_type(afs_config_t) + +type afs_dbdir_t; +files_type(afs_dbdir_t) + +# exported files +type afs_files_t; +files_type(afs_files_t) + +type afs_fsserver_t; +type afs_fsserver_exec_t; +domain_type(afs_fsserver_t) +domain_entry_file(afs_fsserver_t, afs_fsserver_exec_t) +role system_r types afs_fsserver_t; + +type afs_initrc_exec_t; +init_script_file(afs_initrc_exec_t) + +type afs_ka_db_t; +files_type(afs_ka_db_t) + +type afs_kaserver_t; +type afs_kaserver_exec_t; +domain_type(afs_kaserver_t) +domain_entry_file(afs_kaserver_t, afs_kaserver_exec_t) +role system_r types afs_kaserver_t; + +type afs_logfile_t; +logging_log_file(afs_logfile_t) + +type afs_pt_db_t; +files_type(afs_pt_db_t) + +type afs_ptserver_t; +type afs_ptserver_exec_t; +domain_type(afs_ptserver_t) +domain_entry_file(afs_ptserver_t, afs_ptserver_exec_t) +role system_r types afs_ptserver_t; + +type afs_vl_db_t; +files_type(afs_vl_db_t) + +type afs_vlserver_t; +type afs_vlserver_exec_t; +domain_type(afs_vlserver_t) +domain_entry_file(afs_vlserver_t, afs_vlserver_exec_t) +role system_r types afs_vlserver_t; + +######################################## +# +# afs client local policy +# + +allow afs_t self:capability { sys_admin sys_nice sys_tty_config }; +allow afs_t self:process { setsched signal }; +allow afs_t self:udp_socket create_socket_perms; +allow afs_t self:fifo_file rw_file_perms; +allow afs_t self:unix_stream_socket create_stream_socket_perms; + +manage_files_pattern(afs_t, afs_cache_t, afs_cache_t) +manage_dirs_pattern(afs_t, afs_cache_t, afs_cache_t) +files_var_filetrans(afs_t, afs_cache_t, { file dir }) + +kernel_rw_afs_state(afs_t) + 
+corenet_all_recvfrom_unlabeled(afs_t) +corenet_all_recvfrom_netlabel(afs_t) +corenet_tcp_sendrecv_generic_if(afs_t) +corenet_udp_sendrecv_generic_if(afs_t) +corenet_tcp_sendrecv_generic_node(afs_t) +corenet_udp_sendrecv_generic_node(afs_t) +corenet_tcp_sendrecv_all_ports(afs_t) +corenet_udp_sendrecv_all_ports(afs_t) +corenet_udp_bind_generic_node(afs_t) + +files_mounton_mnt(afs_t) +files_read_etc_files(afs_t) +files_read_usr_files(afs_t) +files_rw_etc_runtime_files(afs_t) + +fs_getattr_xattr_fs(afs_t) +fs_mount_nfs(afs_t) +fs_read_nfs_symlinks(afs_t) + +logging_send_syslog_msg(afs_t) + +miscfiles_read_localization(afs_t) + +sysnet_dns_name_resolve(afs_t) + +ifdef(`hide_broken_symptoms',` + kernel_rw_unlabeled_files(afs_t) +') + +######################################## +# +# AFS bossserver local policy +# + +allow afs_bosserver_t self:process { setsched signal_perms }; +allow afs_bosserver_t self:tcp_socket create_stream_socket_perms; +allow afs_bosserver_t self:udp_socket create_socket_perms; + +can_exec(afs_bosserver_t, afs_bosserver_exec_t) + +manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t) +manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t) + +allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms; + +allow afs_bosserver_t afs_fsserver_t:process signal_perms; +domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t) + +allow afs_bosserver_t afs_kaserver_t:process signal_perms; +domtrans_pattern(afs_bosserver_t, afs_kaserver_exec_t, afs_kaserver_t) + +allow afs_bosserver_t afs_logfile_t:file manage_file_perms; +allow afs_bosserver_t afs_logfile_t:dir manage_dir_perms; + +allow afs_bosserver_t afs_ptserver_t:process signal_perms; +domtrans_pattern(afs_bosserver_t, afs_ptserver_exec_t, afs_ptserver_t) + +allow afs_bosserver_t afs_vlserver_t:process signal_perms; +domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t) + +kernel_read_kernel_sysctls(afs_bosserver_t) + 
+corenet_all_recvfrom_unlabeled(afs_bosserver_t) +corenet_all_recvfrom_netlabel(afs_bosserver_t) +corenet_tcp_sendrecv_generic_if(afs_bosserver_t) +corenet_udp_sendrecv_generic_if(afs_bosserver_t) +corenet_tcp_sendrecv_generic_node(afs_bosserver_t) +corenet_udp_sendrecv_generic_node(afs_bosserver_t) +corenet_tcp_sendrecv_all_ports(afs_bosserver_t) +corenet_udp_sendrecv_all_ports(afs_bosserver_t) +corenet_udp_bind_generic_node(afs_bosserver_t) +corenet_udp_bind_afs_bos_port(afs_bosserver_t) +corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t) + +files_read_etc_files(afs_bosserver_t) +files_list_home(afs_bosserver_t) +files_read_usr_files(afs_bosserver_t) + +miscfiles_read_localization(afs_bosserver_t) + +seutil_read_config(afs_bosserver_t) + +sysnet_read_config(afs_bosserver_t) + +######################################## +# +# fileserver local policy +# + +allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice }; +dontaudit afs_fsserver_t self:capability fsetid; +allow afs_fsserver_t self:process { setsched signal_perms }; +allow afs_fsserver_t self:fifo_file rw_fifo_file_perms; +allow afs_fsserver_t self:tcp_socket create_stream_socket_perms; +allow afs_fsserver_t self:udp_socket create_socket_perms; + +read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t) +allow afs_fsserver_t afs_config_t:dir list_dir_perms; + +manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t) +manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t) + +allow afs_fsserver_t afs_files_t:filesystem getattr; +manage_dirs_pattern(afs_fsserver_t, afs_files_t, afs_files_t) +manage_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t) +manage_lnk_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t) +manage_fifo_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t) +manage_sock_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t) +filetrans_pattern(afs_fsserver_t, afs_config_t, afs_files_t, { file lnk_file sock_file fifo_file }) + 
+can_exec(afs_fsserver_t, afs_fsserver_exec_t) + +manage_dirs_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t) +manage_files_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t) + +kernel_read_system_state(afs_fsserver_t) +kernel_read_kernel_sysctls(afs_fsserver_t) + +corenet_tcp_sendrecv_generic_if(afs_fsserver_t) +corenet_udp_sendrecv_generic_if(afs_fsserver_t) +corenet_tcp_sendrecv_generic_node(afs_fsserver_t) +corenet_udp_sendrecv_generic_node(afs_fsserver_t) +corenet_tcp_sendrecv_all_ports(afs_fsserver_t) +corenet_udp_sendrecv_all_ports(afs_fsserver_t) +corenet_all_recvfrom_unlabeled(afs_fsserver_t) +corenet_all_recvfrom_netlabel(afs_fsserver_t) +corenet_tcp_bind_generic_node(afs_fsserver_t) +corenet_udp_bind_generic_node(afs_fsserver_t) +corenet_tcp_bind_afs_fs_port(afs_fsserver_t) +corenet_udp_bind_afs_fs_port(afs_fsserver_t) +corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t) + +files_read_etc_files(afs_fsserver_t) +files_read_etc_runtime_files(afs_fsserver_t) +files_list_home(afs_fsserver_t) +files_read_usr_files(afs_fsserver_t) +files_list_pids(afs_fsserver_t) +files_dontaudit_search_mnt(afs_fsserver_t) + +fs_getattr_xattr_fs(afs_fsserver_t) + +term_dontaudit_use_console(afs_fsserver_t) + +init_dontaudit_use_script_fds(afs_fsserver_t) + +logging_send_syslog_msg(afs_fsserver_t) + +miscfiles_read_localization(afs_fsserver_t) + +seutil_read_config(afs_fsserver_t) + +sysnet_read_config(afs_fsserver_t) + +userdom_dontaudit_use_user_terminals(afs_fsserver_t) + +######################################## +# +# kaserver local policy +# + +allow afs_kaserver_t self:unix_stream_socket create_stream_socket_perms; +allow afs_kaserver_t self:tcp_socket create_stream_socket_perms; +allow afs_kaserver_t self:udp_socket create_socket_perms; + +manage_files_pattern(afs_kaserver_t, afs_config_t, afs_config_t) + +manage_files_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t) +filetrans_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t, file) + 
+manage_dirs_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) +manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) + +kernel_read_kernel_sysctls(afs_kaserver_t) + +corenet_all_recvfrom_unlabeled(afs_kaserver_t) +corenet_all_recvfrom_netlabel(afs_kaserver_t) +corenet_tcp_sendrecv_generic_if(afs_kaserver_t) +corenet_udp_sendrecv_generic_if(afs_kaserver_t) +corenet_tcp_sendrecv_generic_node(afs_kaserver_t) +corenet_udp_sendrecv_generic_node(afs_kaserver_t) +corenet_tcp_sendrecv_all_ports(afs_kaserver_t) +corenet_udp_sendrecv_all_ports(afs_kaserver_t) +corenet_udp_bind_generic_node(afs_kaserver_t) +corenet_udp_bind_afs_ka_port(afs_kaserver_t) +corenet_udp_bind_kerberos_port(afs_kaserver_t) +corenet_sendrecv_afs_ka_server_packets(afs_kaserver_t) +corenet_sendrecv_kerberos_server_packets(afs_kaserver_t) + +files_read_etc_files(afs_kaserver_t) +files_list_home(afs_kaserver_t) +files_read_usr_files(afs_kaserver_t) + +miscfiles_read_localization(afs_kaserver_t) + +seutil_read_config(afs_kaserver_t) + +sysnet_read_config(afs_kaserver_t) + +userdom_dontaudit_use_user_terminals(afs_kaserver_t) + +######################################## +# +# ptserver local policy +# + +allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms; +allow afs_ptserver_t self:tcp_socket create_stream_socket_perms; +allow afs_ptserver_t self:udp_socket create_socket_perms; + +read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t) +allow afs_ptserver_t afs_config_t:dir list_dir_perms; + +manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) +manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) + +manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t) +filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file) + +corenet_all_recvfrom_unlabeled(afs_ptserver_t) +corenet_all_recvfrom_netlabel(afs_ptserver_t) +corenet_tcp_sendrecv_generic_if(afs_ptserver_t) +corenet_udp_sendrecv_generic_if(afs_ptserver_t) 
+corenet_tcp_sendrecv_generic_node(afs_ptserver_t) +corenet_udp_sendrecv_generic_node(afs_ptserver_t) +corenet_tcp_sendrecv_all_ports(afs_ptserver_t) +corenet_udp_sendrecv_all_ports(afs_ptserver_t) +corenet_udp_bind_generic_node(afs_ptserver_t) +corenet_udp_bind_afs_pt_port(afs_ptserver_t) +corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t) + +files_read_etc_files(afs_ptserver_t) + +miscfiles_read_localization(afs_ptserver_t) + +sysnet_read_config(afs_ptserver_t) + +userdom_dontaudit_use_user_terminals(afs_ptserver_t) + +######################################## +# +# vlserver local policy +# + +allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms; +allow afs_vlserver_t self:tcp_socket create_stream_socket_perms; +allow afs_vlserver_t self:udp_socket create_socket_perms; + +read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t) +allow afs_vlserver_t afs_config_t:dir list_dir_perms; + +manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) +manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) + +manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t) +filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file) + +corenet_all_recvfrom_unlabeled(afs_vlserver_t) +corenet_all_recvfrom_netlabel(afs_vlserver_t) +corenet_tcp_sendrecv_generic_if(afs_vlserver_t) +corenet_udp_sendrecv_generic_if(afs_vlserver_t) +corenet_tcp_sendrecv_generic_node(afs_vlserver_t) +corenet_udp_sendrecv_generic_node(afs_vlserver_t) +corenet_tcp_sendrecv_all_ports(afs_vlserver_t) +corenet_udp_sendrecv_all_ports(afs_vlserver_t) +corenet_udp_bind_generic_node(afs_vlserver_t) +corenet_udp_bind_afs_vl_port(afs_vlserver_t) +corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t) + +files_read_etc_files(afs_vlserver_t) + +miscfiles_read_localization(afs_vlserver_t) + +sysnet_read_config(afs_vlserver_t) + +userdom_dontaudit_use_user_terminals(afs_vlserver_t) 
diff --git a/policy/modules/services/aiccu.fc b/policy/modules/services/aiccu.fc new file mode 100644 index 0000000..069518f --- /dev/null +++ b/policy/modules/services/aiccu.fc @@ -0,0 +1,6 @@ +/etc/aiccu.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0) +/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0) + +/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0) + +/var/run/aiccu\.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0) diff --git a/policy/modules/services/aiccu.if b/policy/modules/services/aiccu.if new file mode 100644 index 0000000..6bf0ad6 --- /dev/null +++ b/policy/modules/services/aiccu.if 
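Review bot: `/etc/aiccu.conf` in aiccu.fc leaves the dot unescaped, so the pattern also matches a file named, say, `/etc/aiccuXconf`; every other entry in the same file escapes it (`rc\.d`, `aiccu\.pid`), so this should read `/etc/aiccu\.conf`.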
@@ -0,0 +1,116 @@ +## <summary>Automatic IPv6 Connectivity Client Utility.</summary> + +######################################## +## <summary> +## Execute a domain transition to run aiccu. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`aiccu_domtrans',` + gen_require(` + type aiccu_t, aiccu_exec_t; + ') + + domtrans_pattern($1, aiccu_exec_t, aiccu_t) + corecmd_search_bin($1) +') + +######################################## +## <summary> +## Execute aiccu server in the aiccu domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`aiccu_initrc_domtrans',` + gen_require(` + type aiccu_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, aiccu_initrc_exec_t) +') + +######################################## +## <summary> +## Read aiccu PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`aiccu_read_pid_files',` + gen_require(` + type aiccu_var_run_t; + ') + + allow $1 aiccu_var_run_t:file read_file_perms; + files_search_pids($1) +') + +######################################## +## <summary> +## Manage aiccu PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`aiccu_manage_var_run',` + gen_require(` + type aiccu_var_run_t; + ') + + manage_dirs_pattern($1, aiccu_var_run_t, aiccu_var_run_t) + manage_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t) + manage_lnk_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t) + files_search_pids($1) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an aiccu environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`aiccu_admin',` + gen_require(` + type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t; + type aiccu_var_run_t; + ') + + allow $1 aiccu_t:process { ptrace signal_perms }; + ps_process_pattern($1, aiccu_t) + + aiccu_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 aiccu_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, aiccu_etc_t) + files_list_etc($1) + + admin_pattern($1, aiccu_var_run_t) + files_list_pids($1) +') diff --git a/policy/modules/services/aiccu.te b/policy/modules/services/aiccu.te new file mode 100644 index 0000000..4b9dc88 --- /dev/null +++ b/policy/modules/services/aiccu.te 
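Review bot: `aiccu_read_pid_files` in aiccu.if grants only `aiccu_var_run_t:file read_file_perms`, but aiccu.te lets the daemon create an `aiccu_var_run_t` directory under /var/run (`files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })`), so a caller could not search that directory to reach the PID file; use `read_files_pattern($1, aiccu_var_run_t, aiccu_var_run_t)`, matching the manage patterns that `aiccu_manage_var_run` already uses. Minor: the `aiccu_initrc_domtrans` summary says it executes the aiccu server in the aiccu domain, but the body transitions through the init script via `init_labeled_script_domtrans`; the summary should say it runs the aiccu init script in the init script domain.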
@@ -0,0 +1,71 @@ +policy_module(aiccu, 1.0.0) + +######################################## +# +# Declarations +# + +type aiccu_t; +type aiccu_exec_t; +init_daemon_domain(aiccu_t, aiccu_exec_t) + +type aiccu_initrc_exec_t; +init_script_file(aiccu_initrc_exec_t) + +type aiccu_etc_t; +files_config_file(aiccu_etc_t) + +type aiccu_var_run_t; +files_pid_file(aiccu_var_run_t) + +######################################## +# +# aiccu local policy +# + +allow aiccu_t self:capability { kill net_admin net_raw }; +dontaudit aiccu_t self:capability sys_tty_config; +allow aiccu_t self:process signal; +allow aiccu_t self:fifo_file rw_fifo_file_perms; +allow aiccu_t self:netlink_route_socket create_netlink_socket_perms; +allow aiccu_t self:tcp_socket create_stream_socket_perms; +allow aiccu_t self:tun_socket create_socket_perms; +allow aiccu_t self:udp_socket create_stream_socket_perms; +allow aiccu_t self:unix_stream_socket create_stream_socket_perms; + +allow aiccu_t aiccu_etc_t:file read_file_perms; + +manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) +manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t) +files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir }) + +kernel_read_system_state(aiccu_t) + +corecmd_exec_shell(aiccu_t) + +corenet_all_recvfrom_netlabel(aiccu_t) +corenet_all_recvfrom_unlabeled(aiccu_t) +corenet_tcp_bind_generic_node(aiccu_t) +corenet_tcp_sendrecv_generic_if(aiccu_t) +corenet_tcp_sendrecv_generic_node(aiccu_t) +corenet_tcp_sendrecv_generic_port(aiccu_t) +corenet_sendrecv_sixxsconfig_client_packets(aiccu_t) +corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t) +corenet_tcp_connect_sixxsconfig_port(aiccu_t) +corenet_rw_tun_tap_dev(aiccu_t) + +domain_use_interactive_fds(aiccu_t) + +dev_read_rand(aiccu_t) +dev_read_urand(aiccu_t) + +files_read_etc_files(aiccu_t) + +logging_send_syslog_msg(aiccu_t) + +miscfiles_read_localization(aiccu_t) + +modutils_domtrans_insmod(aiccu_t) + +sysnet_domtrans_ifconfig(aiccu_t) 
+sysnet_dns_name_resolve(aiccu_t) diff --git a/policy/modules/services/aide.fc b/policy/modules/services/aide.fc new file mode 100644 index 0000000..7798464 --- /dev/null +++ b/policy/modules/services/aide.fc @@ -0,0 +1,6 @@ +/usr/sbin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh) + +/var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh) + +/var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh) +/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh) diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if new file mode 100644 index 0000000..0b0db39 --- /dev/null +++ b/policy/modules/services/aide.if 
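Review bot: `allow aiccu_t self:udp_socket create_stream_socket_perms;` in aiccu.te applies stream-socket permissions (listen, accept) to a datagram socket; the other udp rules in this series use `create_socket_perms` (for example `allow afs_ptserver_t self:udp_socket create_socket_perms;`), so this should be `create_socket_perms` as well. In the aide.fc hunk on the same line, `/var/lib/aide(/.*)` is missing the trailing `?`, so the `/var/lib/aide` directory itself never receives `aide_db_t` (compare `/var/log/aide(/.*)?` directly below it); write it as `/var/lib/aide(/.*)?`.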
@@ -0,0 +1,72 @@ +## <summary>Aide filesystem integrity checker</summary> + +######################################## +## <summary> +## Execute aide in the aide domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`aide_domtrans',` + gen_require(` + type aide_t, aide_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, aide_exec_t, aide_t) +') + +######################################## +## <summary> +## Execute aide programs in the AIDE domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the AIDE domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`aide_run',` + gen_require(` + type aide_t; + ') + + aide_domtrans($1) + role $2 types aide_t; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an aide environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`aide_admin',` + gen_require(` + type aide_t, aide_db_t, aide_log_t; + ') + + allow $1 aide_t:process { ptrace signal_perms }; + ps_process_pattern($1, aide_t) + + files_list_etc($1) + admin_pattern($1, aide_db_t) + + logging_list_logs($1) + admin_pattern($1, aide_log_t) +') diff --git a/policy/modules/services/aide.te b/policy/modules/services/aide.te new file mode 100644 index 0000000..4f37ca6 --- /dev/null +++ b/policy/modules/services/aide.te 
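Review bot: `aide_admin` in aide.if is tagged `<rolecap/>` but takes only a domain parameter and never calls `aide_run`, so a domain granted this interface can manage the database and logs yet cannot actually run aide in `aide_t`; either add a role parameter and call `aide_run($1, $2)`, as the other `*_admin` interfaces in this series take a role, or drop the `<rolecap/>` tag. Also `files_list_etc($1)` has no matching aide type in /etc (aide.te declares none), so that rule is stray.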
@@ -0,0 +1,40 @@ +policy_module(aide, 1.5.0) + +######################################## +# +# Declarations +# + +type aide_t; +type aide_exec_t; +application_domain(aide_t, aide_exec_t) + +# log files +type aide_log_t; +logging_log_file(aide_log_t) + +# aide database +type aide_db_t; +files_type(aide_db_t) + +######################################## +# +# aide local policy +# + +allow aide_t self:capability { dac_override fowner }; + +# database actions +manage_files_pattern(aide_t, aide_db_t, aide_db_t) + +# logs +manage_files_pattern(aide_t, aide_log_t, aide_log_t) +logging_log_filetrans(aide_t, aide_log_t, file) + +files_read_all_files(aide_t) + +logging_send_audit_msgs(aide_t) + +seutil_use_newrole_fds(aide_t) + +userdom_use_user_terminals(aide_t) diff --git a/policy/modules/services/aisexec.fc b/policy/modules/services/aisexec.fc new file mode 100644 index 0000000..7b4f4b9 --- /dev/null +++ b/policy/modules/services/aisexec.fc @@ -0,0 +1,9 @@ +/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0) + +/usr/sbin/aisexec -- gen_context(system_u:object_r:aisexec_exec_t,s0) + +/var/lib/openais(/.*)? gen_context(system_u:object_r:aisexec_var_lib_t,s0) + +/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0) + +/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0) diff --git a/policy/modules/services/aisexec.if b/policy/modules/services/aisexec.if new file mode 100644 index 0000000..af5d229 --- /dev/null +++ b/policy/modules/services/aisexec.if 
@@ -0,0 +1,106 @@ +## <summary>Aisexec Cluster Engine</summary> + +######################################## +## <summary> +## Execute a domain transition to run aisexec. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`aisexec_domtrans',` + gen_require(` + type aisexec_t, aisexec_exec_t; + ') + + domtrans_pattern($1, aisexec_exec_t, aisexec_t) +') + +##################################### +## <summary> +## Connect to aisexec over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`aisexec_stream_connect',` + gen_require(` + type aisexec_t, aisexec_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, aisexec_var_run_t, aisexec_var_run_t, aisexec_t) +') + +####################################### +## <summary> +## Allow the specified domain to read aisexec's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`aisexec_read_log',` + gen_require(` + type aisexec_var_log_t; + ') + + logging_search_logs($1) + list_dirs_pattern($1, aisexec_var_log_t, aisexec_var_log_t) + read_files_pattern($1, aisexec_var_log_t, aisexec_var_log_t) +') + +###################################### +## <summary> +## All of the rules required to administrate +## an aisexec environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the aisexecd domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`aisexecd_admin',` + gen_require(` + type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t; + type aisexec_var_run_t, aisexec_tmp_t, aisexec_tmpfs_t; + type aisexec_initrc_exec_t; + ') + + allow $1 aisexec_t:process { ptrace signal_perms }; + ps_process_pattern($1, aisexec_t) + + init_labeled_script_domtrans($1, aisexec_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 aisexec_initrc_exec_t system_r; + allow $2 system_r; + + files_list_var_lib($1) + admin_pattern($1, aisexec_var_lib_t) + + logging_list_logs($1) + admin_pattern($1, aisexec_var_log_t) + + files_list_pids($1) + admin_pattern($1, aisexec_var_run_t) + + files_list_tmp($1) + admin_pattern($1, aisexec_tmp_t) + + admin_pattern($1, aisexec_tmpfs_t) +') diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te new file mode 100644 index 0000000..c24bd66 --- /dev/null +++ b/policy/modules/services/aisexec.te 
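Review bot: the admin interface in aisexec.if is named `aisexecd_admin` and its summary refers to the `aisexecd` domain, while the module name, every type and every other interface use `aisexec`; rename it `aisexec_admin` and fix the summary so callers following the `<module>_admin` convention find it. Also `aisexec_domtrans` omits the `corecmd_search_bin($1)` call that `aiccu_domtrans` and `aide_domtrans` include, so a caller without bin search rights cannot reach `/usr/sbin/aisexec`.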
@@ -0,0 +1,102 @@ +policy_module(aisexec, 1.0.0) + +######################################## +# +# Declarations +# + +type aisexec_t; +type aisexec_exec_t; +init_daemon_domain(aisexec_t, aisexec_exec_t) + +type aisexec_initrc_exec_t; +init_script_file(aisexec_initrc_exec_t); + +type aisexec_tmp_t; +files_tmp_file(aisexec_tmp_t) + +type aisexec_tmpfs_t; +files_tmpfs_file(aisexec_tmpfs_t) + +type aisexec_var_lib_t; +files_type(aisexec_var_lib_t) + +type aisexec_var_log_t; +logging_log_file(aisexec_var_log_t) + +type aisexec_var_run_t; +files_pid_file(aisexec_var_run_t) + +######################################## +# +# aisexec local policy +# + +allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner }; +allow aisexec_t self:process { setrlimit setsched signal }; +allow aisexec_t self:fifo_file rw_fifo_file_perms; +allow aisexec_t self:sem create_sem_perms; +allow aisexec_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow aisexec_t self:unix_dgram_socket create_socket_perms; +allow aisexec_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t) +manage_files_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t) +files_tmp_filetrans(aisexec_t, aisexec_tmp_t, { file dir }) + +manage_dirs_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t) +manage_files_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t) +fs_tmpfs_filetrans(aisexec_t, aisexec_tmpfs_t, { dir file }) + +manage_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) +manage_dirs_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) +manage_sock_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) +files_var_lib_filetrans(aisexec_t, aisexec_var_lib_t, { file dir sock_file }) + +manage_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t) +manage_sock_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t) +logging_log_filetrans(aisexec_t, aisexec_var_log_t, { sock_file file }) + 
+manage_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t) +manage_sock_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t) +files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file }) + +kernel_read_system_state(aisexec_t) + +corecmd_exec_bin(aisexec_t) + +corenet_udp_bind_netsupport_port(aisexec_t) +corenet_tcp_bind_reserved_port(aisexec_t) +corenet_udp_bind_cluster_port(aisexec_t) + +dev_read_urand(aisexec_t) + +files_manage_mounttab(aisexec_t) + +auth_use_nsswitch(aisexec_t) + +init_rw_script_tmp_files(aisexec_t) + +logging_send_syslog_msg(aisexec_t) + +miscfiles_read_localization(aisexec_t) + +userdom_rw_semaphores(aisexec_t) +userdom_rw_unpriv_user_shared_mem(aisexec_t) + +optional_policy(` + ccs_stream_connect(aisexec_t) +') + +optional_policy(` + # to communication with RHCS + rhcs_rw_dlm_controld_semaphores(aisexec_t) + + rhcs_rw_fenced_semaphores(aisexec_t) + + rhcs_rw_gfs_controld_semaphores(aisexec_t) + rhcs_rw_gfs_controld_shm(aisexec_t) + + rhcs_rw_groupd_semaphores(aisexec_t) + rhcs_rw_groupd_shm(aisexec_t) +') diff --git a/policy/modules/services/ajaxterm.fc b/policy/modules/services/ajaxterm.fc new file mode 100644 index 0000000..aeb1888 --- /dev/null +++ b/policy/modules/services/ajaxterm.fc @@ -0,0 +1,6 @@ + +/etc/rc\.d/init\.d/ajaxterm -- gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0) + +/usr/share/ajaxterm/ajaxterm\.py -- gen_context(system_u:object_r:ajaxterm_exec_t,s0) + +/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0) diff --git a/policy/modules/services/ajaxterm.if b/policy/modules/services/ajaxterm.if new file mode 100644 index 0000000..8e6e2c3 --- /dev/null +++ b/policy/modules/services/ajaxterm.if 
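Review bot: aisexec.te grants `corenet_tcp_bind_reserved_port(aisexec_t)` but has no `self:tcp_socket` rule at all, so unless the socket is inherited that bind rule is dead; either add `allow aisexec_t self:tcp_socket create_stream_socket_perms;` or drop the bind. Similarly `corenet_udp_bind_netsupport_port` and `corenet_udp_bind_cluster_port` need `corenet_udp_bind_generic_node(aisexec_t)` to be usable (the afs daemons in this series include it). Style: `init_script_file(aisexec_initrc_exec_t);` carries a trailing semicolon that no other interface call in the module has.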
@@ -0,0 +1,68 @@ +## <summary>policy for ajaxterm</summary> + +######################################## +## <summary> +## Execute a domain transition to run ajaxterm. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ajaxterm_domtrans',` + gen_require(` + type ajaxterm_t, ajaxterm_exec_t; + ') + + domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t) +') + +######################################## +## <summary> +## Execute ajaxterm server in the ajaxterm domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ajaxterm_initrc_domtrans',` + gen_require(` + type ajaxterm_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an ajaxterm environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`ajaxterm_admin',` + gen_require(` + type ajaxterm_t, ajaxterm_initrc_exec_t; + ') + + allow $1 ajaxterm_t:process { ptrace signal_perms }; + ps_process_pattern($1, ajaxterm_t) + + ajaxterm_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 ajaxterm_initrc_exec_t system_r; + allow $2 system_r; +') diff --git a/policy/modules/services/ajaxterm.te b/policy/modules/services/ajaxterm.te new file mode 100644 index 0000000..cf6af13 --- /dev/null +++ b/policy/modules/services/ajaxterm.te 
@@ -0,0 +1,56 @@ +policy_module(ajaxterm, 1.0.0) + +######################################## +# +# Declarations +# + +type ajaxterm_t; +type ajaxterm_exec_t; +init_daemon_domain(ajaxterm_t, ajaxterm_exec_t) + +type ajaxterm_initrc_exec_t; +init_script_file(ajaxterm_initrc_exec_t) + +type ajaxterm_var_run_t; +files_pid_file(ajaxterm_var_run_t) + +type ajaxterm_devpts_t; +term_login_pty(ajaxterm_devpts_t) + +permissive ajaxterm_t; + +######################################## +# +# ajaxterm local policy +# +allow ajaxterm_t self:capability setuid; +allow ajaxterm_t self:process setpgid; +allow ajaxterm_t self:fifo_file rw_fifo_file_perms; +allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms; +allow ajaxterm_t self:tcp_socket create_stream_socket_perms; + +allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom }; +term_create_pty(ajaxterm_t, ajaxterm_devpts_t) + +manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t) +manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t) +files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir }) + +kernel_read_system_state(ajaxterm_t) + +corecmd_exec_bin(ajaxterm_t) + +corenet_tcp_bind_generic_node(ajaxterm_t) +corenet_tcp_bind_ajaxterm_port(ajaxterm_t) + +dev_read_urand(ajaxterm_t) + +domain_use_interactive_fds(ajaxterm_t) + +files_read_etc_files(ajaxterm_t) +files_read_usr_files(ajaxterm_t) + +miscfiles_read_localization(ajaxterm_t) + +sysnet_dns_name_resolve(ajaxterm_t) diff --git a/policy/modules/services/amavis.fc b/policy/modules/services/amavis.fc new file mode 100644 index 0000000..d96fdfa --- /dev/null +++ b/policy/modules/services/amavis.fc 
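Review bot: `permissive ajaxterm_t;` in ajaxterm.te disables enforcement for the whole domain, so none of the rules below it (the `setuid` capability, the pty handling, the port bind) are actually enforced and denials are only logged; if this is intended to collect AVCs during development, say so in a comment and track its removal, otherwise drop it before merging. Since this domain hands login ptys to web clients, shipping it permissive means a compromised ajaxterm process is effectively unconfined.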
@@ -0,0 +1,18 @@ + +/etc/amavis\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0) +/etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0) +/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0) + +/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0) +/usr/lib(64)?/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0) + +ifdef(`distro_debian',` +/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0) +') + +/var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) +/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) +/var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0) +/var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0) +/var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0) +/var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0) diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if new file mode 100644 index 0000000..e31d92a --- /dev/null +++ b/policy/modules/services/amavis.if 
@@ -0,0 +1,261 @@ +## <summary> +## Daemon that interfaces mail transfer agents and content +## checkers, such as virus scanners. +## </summary> + +######################################## +## <summary> +## Execute a domain transition to run amavis. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`amavis_domtrans',` + gen_require(` + type amavis_t, amavis_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, amavis_exec_t, amavis_t) +') + +######################################## +## <summary> +## Execute amavis server in the amavis domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`amavis_initrc_domtrans',` + gen_require(` + type amavis_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, amavis_initrc_exec_t) +') + +######################################## +## <summary> +## Read amavis spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`amavis_read_spool_files',` + gen_require(` + type amavis_spool_t; + ') + + files_search_spool($1) + read_files_pattern($1, amavis_spool_t, amavis_spool_t) +') + +######################################## +## <summary> +## Manage amavis spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`amavis_manage_spool_files',` + gen_require(` + type amavis_spool_t; + ') + + files_search_spool($1) + manage_dirs_pattern($1, amavis_spool_t, amavis_spool_t) + manage_files_pattern($1, amavis_spool_t, amavis_spool_t) +') + +######################################## +## <summary> +## Create objects in the amavis spool directories +## with a private type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <param name="private_type"> +## <summary> +## Private file type. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## Class of the object being created. +## </summary> +## </param> +# +interface(`amavis_spool_filetrans',` + gen_require(` + type amavis_spool_t; + ') + + files_search_spool($1) + filetrans_pattern($1, amavis_spool_t, $2, $3) +') + +######################################## +## <summary> +## Search amavis lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`amavis_search_lib',` + gen_require(` + type amavis_var_lib_t; + ') + + allow $1 amavis_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Read amavis lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`amavis_read_lib_files',` + gen_require(` + type amavis_var_lib_t; + ') + + read_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t) + allow $1 amavis_var_lib_t:dir list_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Create, read, write, and delete +## amavis lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`amavis_manage_lib_files',` + gen_require(` + type amavis_var_lib_t; + ') + + manage_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t) + files_search_var_lib($1) +') + +######################################## +## <summary> +## Set the attributes of amavis pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`amavis_setattr_pid_files',` + gen_require(` + type amavis_var_run_t; + ') + + allow $1 amavis_var_run_t:file setattr_file_perms; + files_search_pids($1) +') + +######################################## +## <summary> +## Create of amavis pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`amavis_create_pid_files',` + gen_require(` + type amavis_var_run_t; + ') + + allow $1 amavis_var_run_t:file create_file_perms; + files_search_pids($1) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an amavis environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`amavis_admin',` + gen_require(` + type amavis_t, amavis_tmp_t, amavis_var_log_t; + type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t; + type amavis_etc_t, amavis_quarantine_t; + type amavis_initrc_exec_t; + ') + + allow $1 amavis_t:process { ptrace signal_perms }; + ps_process_pattern($1, amavis_t) + + amavis_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 amavis_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, amavis_etc_t) + + admin_pattern($1, amavis_quarantine_t) + + files_list_spool($1) + admin_pattern($1, amavis_spool_t) + + files_list_tmp($1) + admin_pattern($1, amavis_tmp_t) + + files_list_var_lib($1) + admin_pattern($1, amavis_var_lib_t) + + logging_list_logs($1) + admin_pattern($1, amavis_var_log_t) + + files_list_pids($1) + admin_pattern($1, amavis_var_run_t) +') diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te new file mode 100644 index 0000000..ec40291 --- /dev/null +++ b/policy/modules/services/amavis.te 
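Review bot: `amavis_create_pid_files` in amavis.if grants `amavis_var_run_t:file create_file_perms` but nothing on the `amavis_var_run_t` directory, and creating a file needs `add_name` and `write` on its parent; use `create_files_pattern($1, amavis_var_run_t, amavis_var_run_t)` together with the existing `files_search_pids($1)`. Its summary "Create of amavis pid files" should read "Create amavis pid files".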
@@ -0,0 +1,189 @@ +policy_module(amavis, 1.11.0) + +######################################## +# +# Declarations +# + +type amavis_t; +type amavis_exec_t; +domain_type(amavis_t) +init_daemon_domain(amavis_t, amavis_exec_t) + +# configuration files +type amavis_etc_t; +files_config_file(amavis_etc_t) + +type amavis_initrc_exec_t; +init_script_file(amavis_initrc_exec_t) + +# pid files +type amavis_var_run_t; +files_pid_file(amavis_var_run_t) + +# var/lib files +type amavis_var_lib_t; +files_type(amavis_var_lib_t) + +# log files +type amavis_var_log_t; +logging_log_file(amavis_var_log_t) + +# tmp files +type amavis_tmp_t; +files_tmp_file(amavis_tmp_t) + +# virus quarantine +type amavis_quarantine_t; +files_type(amavis_quarantine_t) + +type amavis_spool_t; +files_type(amavis_spool_t) + +######################################## +# +# amavis local policy +# + +allow amavis_t self:capability { kill chown dac_override setgid setuid }; +dontaudit amavis_t self:capability sys_tty_config; +allow amavis_t self:process { signal sigchld signull }; +allow amavis_t self:fifo_file rw_fifo_file_perms; +allow amavis_t self:unix_stream_socket create_stream_socket_perms; +allow amavis_t self:unix_dgram_socket create_socket_perms; +allow amavis_t self:tcp_socket { listen accept }; +allow amavis_t self:netlink_route_socket r_netlink_socket_perms; + +# configuration files +allow amavis_t amavis_etc_t:dir list_dir_perms; +read_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t) +read_lnk_files_pattern(amavis_t, amavis_etc_t, amavis_etc_t) + +can_exec(amavis_t, amavis_exec_t) + +# mail quarantine +manage_dirs_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t) +manage_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t) +manage_sock_files_pattern(amavis_t, amavis_quarantine_t, amavis_quarantine_t) + +# Spool Files +manage_dirs_pattern(amavis_t, amavis_spool_t, amavis_spool_t) +manage_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) 
+manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) +manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) +filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file) +files_search_spool(amavis_t) + +# tmp files +manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t) +allow amavis_t amavis_tmp_t:dir setattr_dir_perms; +files_tmp_filetrans(amavis_t, amavis_tmp_t, file) + +# var/lib files for amavis +manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) +manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) +manage_sock_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) +files_search_var_lib(amavis_t) + +# log files +allow amavis_t amavis_var_log_t:dir setattr_dir_perms; +manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t) +manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t) +logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir }) + +# pid file +manage_dirs_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) +manage_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) +manage_sock_files_pattern(amavis_t, amavis_var_run_t, amavis_var_run_t) +files_pid_filetrans(amavis_t, amavis_var_run_t, { dir file sock_file }) + +kernel_read_kernel_sysctls(amavis_t) +# amavis tries to access /proc/self/stat, /etc/shadow and /root - perl... +kernel_dontaudit_list_proc(amavis_t) +kernel_dontaudit_read_proc_symlinks(amavis_t) +kernel_dontaudit_read_system_state(amavis_t) + +# find perl +corecmd_exec_bin(amavis_t) + +corenet_all_recvfrom_unlabeled(amavis_t) +corenet_all_recvfrom_netlabel(amavis_t) +corenet_tcp_sendrecv_generic_if(amavis_t) +corenet_tcp_sendrecv_generic_node(amavis_t) +corenet_tcp_bind_generic_node(amavis_t) +corenet_udp_bind_generic_node(amavis_t) +# amavis uses well-defined ports +corenet_tcp_sendrecv_amavisd_recv_port(amavis_t) +corenet_tcp_sendrecv_amavisd_send_port(amavis_t) +# just the other side not. 
;-) +corenet_tcp_sendrecv_all_ports(amavis_t) +# connect to backchannel port +corenet_tcp_connect_amavisd_send_port(amavis_t) +# bind to incoming port +corenet_tcp_bind_amavisd_recv_port(amavis_t) +corenet_udp_bind_generic_port(amavis_t) +corenet_dontaudit_udp_bind_all_ports(amavis_t) +corenet_tcp_connect_razor_port(amavis_t) + +dev_read_rand(amavis_t) +dev_read_urand(amavis_t) + +domain_use_interactive_fds(amavis_t) + +files_read_etc_files(amavis_t) +files_read_etc_runtime_files(amavis_t) +files_read_usr_files(amavis_t) + +fs_getattr_xattr_fs(amavis_t) + +auth_dontaudit_read_shadow(amavis_t) + +# uses uptime which reads utmp - redhat bug 561383 +init_read_utmp(amavis_t) +init_stream_connect_script(amavis_t) + +logging_send_syslog_msg(amavis_t) + +miscfiles_read_generic_certs(amavis_t) +miscfiles_read_localization(amavis_t) + +sysnet_dns_name_resolve(amavis_t) +sysnet_use_ldap(amavis_t) + +userdom_dontaudit_search_user_home_dirs(amavis_t) + +# Cron handling +cron_use_fds(amavis_t) +cron_use_system_job_fds(amavis_t) +cron_rw_pipes(amavis_t) + +mta_read_config(amavis_t) + +optional_policy(` + clamav_stream_connect(amavis_t) + clamav_domtrans_clamscan(amavis_t) +') + +optional_policy(` + dcc_domtrans_client(amavis_t) + dcc_stream_connect_dccifd(amavis_t) +') + +optional_policy(` + postfix_read_config(amavis_t) +') + +optional_policy(` + pyzor_domtrans(amavis_t) + pyzor_signal(amavis_t) +') + +optional_policy(` + razor_domtrans(amavis_t) +') + +optional_policy(` + spamassassin_exec(amavis_t) + spamassassin_exec_client(amavis_t) + spamassassin_read_lib_files(amavis_t) +') diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc new file mode 100644 index 0000000..8603d4d --- /dev/null +++ b/policy/modules/services/apache.fc 
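Review bot: amavis.te allows only `self:tcp_socket { listen accept }` yet then grants `corenet_tcp_bind_amavisd_recv_port`, `corenet_tcp_connect_amavisd_send_port` and `corenet_tcp_connect_razor_port`; unless the listening socket is inherited from the init script, bind and connect require `create_stream_socket_perms`, so either widen the self rule or add a comment saying where the socket comes from. The `# amavis uses well-defined ports` comment is undercut two lines later by `corenet_tcp_sendrecv_all_ports(amavis_t)`; if the named recv/send ports are correct, drop the all_ports rule. Also `cron_use_fds`, `cron_use_system_job_fds`, `cron_rw_pipes` and `mta_read_config` are called unconditionally while the other cross-module calls (clamav, dcc, postfix, pyzor, razor, spamassassin) are wrapped in `optional_policy`; wrap them the same way so the module builds without cron and mta loaded. `domain_type(amavis_t)` is redundant with `init_daemon_domain(amavis_t, amavis_exec_t)`.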
@@ -0,0 +1,123 @@ +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) + +/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) +/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) +/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) +/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) + +/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) +/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + +/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + +/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0) +/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) + +/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) +/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? 
-- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) +/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +/usr/lib(64)?/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) + +/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) +/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) + +ifdef(`distro_suse', ` +/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) +') + +/usr/share/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + +/var/cache/httpd(/.*)? 
gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) + +/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) + +/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/lighttpd(/.*)? 
gen_context(system_u:object_r:httpd_log_t,s0) + +ifdef(`distro_debian', ` +/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +') + +/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) + +/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) +/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) + +/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + +/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + +/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + +/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + +/var/lib/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + +/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/svn/hooks(/.*)? 
gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if new file mode 100644 index 0000000..6918ff2 --- /dev/null +++ b/policy/modules/services/apache.if 
@@ -0,0 +1,1407 @@ +## <summary>Apache web server</summary> + +######################################## +## <summary> +## Create a set of derived types for apache +## web content. +## </summary> +## <param name="prefix"> +## <summary> +## The prefix to be used for deriving type names. +## </summary> +## </param> +# +template(`apache_content_template',` + gen_require(` + attribute httpd_exec_scripts, httpd_script_exec_type; + type httpd_t, httpd_suexec_t, httpd_log_t; + type httpd_sys_content_t; + ') + + #This type is for webpages + type httpd_$1_content_t; # customizable; + typealias httpd_$1_content_t alias httpd_$1_script_ro_t; + files_type(httpd_$1_content_t) + + # This type is used for .htaccess files + type httpd_$1_htaccess_t; # customizable; + files_type(httpd_$1_htaccess_t) + + # Type that CGI scripts run as + type httpd_$1_script_t; + domain_type(httpd_$1_script_t) + role system_r types httpd_$1_script_t; + + search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type) + + # This type is used for executable scripts files + type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable; + corecmd_shell_entry_type(httpd_$1_script_t) + domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) + + type httpd_$1_rw_content_t; # customizable + typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t }; + files_type(httpd_$1_rw_content_t) + + type httpd_$1_ra_content_t; # customizable + typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; + files_type(httpd_$1_ra_content_t) + + read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t) + + allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; + allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; + + allow httpd_$1_script_t self:fifo_file rw_file_perms; + allow httpd_$1_script_t self:unix_stream_socket 
connectto; + + allow httpd_$1_script_t httpd_t:fifo_file write; + # apache should set close-on-exec + dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; + + # Allow the script process to search the cgi directory, and users directory + allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; + + append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t) + logging_search_logs(httpd_$1_script_t) + + can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) + allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; + + allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; + read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) + append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) + read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) + + allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms; + read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) + read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t) + + manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) + manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) + manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) + manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) + manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) + + kernel_dontaudit_search_sysctl(httpd_$1_script_t) + kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) + + dev_read_rand(httpd_$1_script_t) + dev_read_urand(httpd_$1_script_t) + + corecmd_exec_all_executables(httpd_$1_script_t) + application_exec_all(httpd_$1_script_t) + + files_exec_etc_files(httpd_$1_script_t) + files_read_etc_files(httpd_$1_script_t) + 
files_search_home(httpd_$1_script_t) + + libs_exec_ld_so(httpd_$1_script_t) + libs_exec_lib_files(httpd_$1_script_t) + + miscfiles_read_fonts(httpd_$1_script_t) + miscfiles_read_public_files(httpd_$1_script_t) + + seutil_dontaudit_search_config(httpd_$1_script_t) + + # Allow the web server to run scripts and serve pages + tunable_policy(`httpd_builtin_scripting',` + manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) + manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) + manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) + rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) + + allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; + read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) + append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) + read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t) + + allow httpd_t httpd_$1_content_t:dir list_dir_perms; + read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) + read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) + + allow httpd_t httpd_$1_content_t:dir list_dir_perms; + read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) + read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) + allow httpd_t httpd_$1_script_t:unix_stream_socket connectto; + ') + + tunable_policy(`httpd_enable_cgi',` + allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint; + + domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) + + # privileged users run the script: + domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) + + allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms; + + # apache runs the script: + domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) + + allow httpd_t httpd_$1_script_exec_t:file 
read_file_perms; + + allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop }; + allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms; + + allow httpd_$1_script_t self:process { setsched signal_perms }; + allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms; + allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms; + + allow httpd_$1_script_t httpd_t:fd use; + allow httpd_$1_script_t httpd_t:process sigchld; + + dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write }; + + kernel_read_system_state(httpd_$1_script_t) + + dev_read_urand(httpd_$1_script_t) + + fs_getattr_xattr_fs(httpd_$1_script_t) + + files_read_etc_runtime_files(httpd_$1_script_t) + files_read_usr_files(httpd_$1_script_t) + + libs_read_lib_files(httpd_$1_script_t) + + miscfiles_read_localization(httpd_$1_script_t) + allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms; + ') + + optional_policy(` + tunable_policy(`httpd_enable_cgi && allow_ypbind',` + nis_use_ypbind_uncond(httpd_$1_script_t) + ') + ') + + optional_policy(` + postgresql_unpriv_client(httpd_$1_script_t) + ') + + optional_policy(` + nscd_socket_use(httpd_$1_script_t) + ') +') + +######################################## +## <summary> +## Role access for apache +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`apache_role',` + gen_require(` + attribute httpdcontent; + type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t; + type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t; + ') + + role $1 types httpd_user_script_t; + + allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom }; + + allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms }; + + manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) + 
manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) + manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) + relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) + relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) + relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) + + manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) + manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t) + manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) + relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t) + relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t) + relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t) + + manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) + manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) + manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) + relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) + relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) + relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) + + manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) + manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) + manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) + relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) + relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) + relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) + + apache_exec_modules($2) + + tunable_policy(`httpd_enable_cgi',` + # If a user starts a script by hand it gets the proper context + domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) + ') + + 
tunable_policy(`httpd_enable_cgi && httpd_unified',` + domtrans_pattern($2, httpdcontent, httpd_user_script_t) + ') +') + +######################################## +## <summary> +## Read httpd user scripts executables. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_read_user_scripts',` + gen_require(` + type httpd_user_script_exec_t; + ') + + allow $1 httpd_user_script_exec_t:dir list_dir_perms; + read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) + read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t) +') + +######################################## +## <summary> +## Read user web content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_read_user_content',` + gen_require(` + type httpd_user_content_t; + ') + + allow $1 httpd_user_content_t:dir list_dir_perms; + read_files_pattern($1, httpd_user_content_t, httpd_user_content_t) + read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t) +') + +######################################## +## <summary> +## Transition to apache. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`apache_domtrans',` + gen_require(` + type httpd_t, httpd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, httpd_exec_t, httpd_t) +') + +###################################### +## <summary> +## Allow the specified domain to execute apache +## in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_exec',` + gen_require(` + type httpd_exec_t; + ') + + can_exec($1, httpd_exec_t) +') + +####################################### +## <summary> +## Send a generic signal to apache. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_signal',` + gen_require(` + type httpd_t; + ') + + allow $1 httpd_t:process signal; +') + +######################################## +## <summary> +## Send a null signal to apache. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_signull',` + gen_require(` + type httpd_t; + ') + + allow $1 httpd_t:process signull; +') + +######################################## +## <summary> +## Send a SIGCHLD signal to apache. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_sigchld',` + gen_require(` + type httpd_t; + ') + + allow $1 httpd_t:process sigchld; +') + +######################################## +## <summary> +## Inherit and use file descriptors from Apache. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_use_fds',` + gen_require(` + type httpd_t; + ') + + allow $1 httpd_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to read and write Apache +## unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`apache_dontaudit_rw_fifo_file',` + gen_require(` + type httpd_t; + ') + + dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read and write Apache +## unix domain stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`apache_dontaudit_rw_stream_sockets',` + gen_require(` + type httpd_t; + ') + + dontaudit $1 httpd_t:unix_stream_socket { read write }; +') + +######################################## +## <summary> +## Do not audit attempts to read and write Apache +## TCP sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`apache_dontaudit_rw_tcp_sockets',` + gen_require(` + type httpd_t; + ') + + dontaudit $1 httpd_t:tcp_socket { read write }; +') + +######################################## +## <summary> +## Create, read, write, and delete all web content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`apache_manage_all_content',` + gen_require(` + attribute httpdcontent, httpd_script_exec_type; + ') + + manage_dirs_pattern($1, httpdcontent, httpdcontent) + manage_files_pattern($1, httpdcontent, httpdcontent) + manage_lnk_files_pattern($1, httpdcontent, httpdcontent) + + manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type) + manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) + manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type) +') + +######################################## +## <summary> +## Allow domain to set the attributes +## of the APACHE cache directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_setattr_cache_dirs',` + gen_require(` + type httpd_cache_t; + ') + + allow $1 httpd_cache_t:dir setattr_dir_perms; +') + +######################################## +## <summary> +## Allow the specified domain to list +## Apache cache. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`apache_list_cache',` + gen_require(` + type httpd_cache_t; + ') + + list_dirs_pattern($1, httpd_cache_t, httpd_cache_t) +') + +######################################## +## <summary> +## Allow the specified domain to read +## and write Apache cache files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_rw_cache_files',` + gen_require(` + type httpd_cache_t; + ') + + allow $1 httpd_cache_t:file rw_file_perms; +') + +######################################## +## <summary> +## Allow the specified domain to delete +## Apache cache dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_delete_cache_dirs',` + gen_require(` + type httpd_cache_t; + ') + + delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t) +') + +######################################## +## <summary> +## Allow the specified domain to delete +## Apache cache. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_delete_cache_files',` + gen_require(` + type httpd_cache_t; + ') + + delete_files_pattern($1, httpd_cache_t, httpd_cache_t) +') + +######################################## +## <summary> +## Allow the specified domain to search +## apache configuration dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`apache_search_config',` + gen_require(` + type httpd_config_t; + ') + + files_search_etc($1) + allow $1 httpd_config_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Allow the specified domain to read +## apache configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`apache_read_config',` + gen_require(` + type httpd_config_t; + ') + + files_search_etc($1) + allow $1 httpd_config_t:dir list_dir_perms; + read_files_pattern($1, httpd_config_t, httpd_config_t) + read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) +') + +######################################## +## <summary> +## Allow the specified domain to manage +## apache configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_manage_config',` + gen_require(` + type httpd_config_t; + ') + + files_search_etc($1) + manage_dirs_pattern($1, httpd_config_t, httpd_config_t) + manage_files_pattern($1, httpd_config_t, httpd_config_t) + read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) +') + +######################################## +## <summary> +## Execute the Apache helper program with +## a domain transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_domtrans_helper',` + gen_require(` + type httpd_helper_t, httpd_helper_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t) +') + +######################################## +## <summary> +## Execute the Apache helper program with +## a domain transition, and allow the +## specified role the Apache helper domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`apache_run_helper',` + gen_require(` + type httpd_helper_t; + ') + + apache_domtrans_helper($1) + role $2 types httpd_helper_t; +') + +######################################## +## <summary> +## Allow the specified domain to read +## apache log files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`apache_read_log',` + gen_require(` + type httpd_log_t; + ') + + logging_search_logs($1) + allow $1 httpd_log_t:dir list_dir_perms; + read_files_pattern($1, httpd_log_t, httpd_log_t) + read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) +') + +######################################## +## <summary> +## Allow the specified domain to append +## to apache log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_append_log',` + gen_require(` + type httpd_log_t; + ') + + logging_search_logs($1) + allow $1 httpd_log_t:dir list_dir_perms; + append_files_pattern($1, httpd_log_t, httpd_log_t) +') + +######################################## +## <summary> +## Do not audit attempts to append to the +## Apache logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`apache_dontaudit_append_log',` + gen_require(` + type httpd_log_t; + ') + + dontaudit $1 httpd_log_t:file append_file_perms; +') + +######################################## +## <summary> +## Allow the specified domain to manage +## to apache log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_manage_log',` + gen_require(` + type httpd_log_t; + ') + + logging_search_logs($1) + manage_dirs_pattern($1, httpd_log_t, httpd_log_t) + manage_files_pattern($1, httpd_log_t, httpd_log_t) + read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) +') + +######################################## +## <summary> +## Do not audit attempts to search Apache +## module directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`apache_dontaudit_search_modules',` + gen_require(` + type httpd_modules_t; + ') + + dontaudit $1 httpd_modules_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Allow the specified domain to read +## the apache module directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_read_modules',` + gen_require(` + type httpd_modules_t; + ') + + read_files_pattern($1, httpd_modules_t, httpd_modules_t) +') + +######################################## +## <summary> +## Allow the specified domain to list +## the contents of the apache modules +## directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_list_modules',` + gen_require(` + type httpd_modules_t; + ') + + allow $1 httpd_modules_t:dir list_dir_perms; + read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t) +') + +######################################## +## <summary> +## Allow the specified domain to execute +## apache modules. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_exec_modules',` + gen_require(` + type httpd_modules_t; + ') + + allow $1 httpd_modules_t:dir list_dir_perms; + allow $1 httpd_modules_t:lnk_file read_lnk_file_perms; + can_exec($1, httpd_modules_t) +') + +######################################## +## <summary> +## Execute a domain transition to run httpd_rotatelogs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`apache_domtrans_rotatelogs',` + gen_require(` + type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; + ') + + domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) +') + +######################################## +## <summary> +## Allow the specified domain to list +## apache system content files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_list_sys_content',` + gen_require(` + type httpd_sys_content_t; + ') + + list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) + read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) + files_search_var($1) +') + +######################################## +## <summary> +## Allow the specified domain to manage +## apache system content files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr +interface(`apache_manage_sys_content',` + gen_require(` + type httpd_sys_content_t; + ') + + files_search_var($1) + manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) + manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) + manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) +') + +###################################### +## <summary> +## Allow the specified domain to read +## apache system content rw files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`apache_read_sys_content_rw_files',` + gen_require(` + type httpd_sys_rw_content_t; + ') + + read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + +###################################### +## <summary> +## Allow the specified domain to manage +## apache system content rw files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`apache_manage_sys_content_rw',` + gen_require(` + type httpd_sys_rw_content_t; + ') + + files_search_var($1) + manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) + manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) + manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + +######################################## +## <summary> +## Allow the specified domain to delete +## apache system content rw files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`apache_delete_sys_content_rw',` + gen_require(` + type httpd_sys_rw_content_t; + ') + + files_search_tmp($1) + delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) + delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) + delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) + delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) + delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + +######################################## +## <summary> +## Execute all web scripts in the system +## script domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +# cjp: this interface specifically added to allow +# sysadm_t to run scripts +interface(`apache_domtrans_sys_script',` + gen_require(` + attribute httpdcontent; + type httpd_sys_script_t, httpd_sys_content_t; + ') + + tunable_policy(`httpd_enable_cgi',` + domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t) + ') + + tunable_policy(`httpd_enable_cgi && httpd_unified',` + domtrans_pattern($1, httpdcontent, httpd_sys_script_t) + ') +') + +######################################## +## <summary> +## Do not audit attempts to read and write Apache +## system script unix domain stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`apache_dontaudit_rw_sys_script_stream_sockets',` + gen_require(` + type httpd_sys_script_t; + ') + + dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write }; +') + +######################################## +## <summary> +## Execute all user scripts in the user +## script domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`apache_domtrans_all_scripts',` + gen_require(` + attribute httpd_exec_scripts; + ') + + typeattribute $1 httpd_exec_scripts; +') + +######################################## +## <summary> +## Execute all user scripts in the user +## script domain. Add user script domains +## to the specified role. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`apache_run_all_scripts',` + gen_require(` + attribute httpd_exec_scripts, httpd_script_domains; + ') + + role $2 types httpd_script_domains; + apache_domtrans_all_scripts($1) +') + +######################################## +## <summary> +## Allow the specified domain to read +## apache squirrelmail data. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_read_squirrelmail_data',` + gen_require(` + type httpd_squirrelmail_t; + ') + + read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t) +') + +######################################## +## <summary> +## Allow the specified domain to append +## apache squirrelmail data. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_append_squirrelmail_data',` + gen_require(` + type httpd_squirrelmail_t; + ') + + allow $1 httpd_squirrelmail_t:file append_file_perms; +') + +######################################## +## <summary> +## Search apache system content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_search_sys_content',` + gen_require(` + type httpd_sys_content_t; + ') + + allow $1 httpd_sys_content_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Read apache system content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_read_sys_content',` + gen_require(` + type httpd_sys_content_t; + ') + + allow $1 httpd_sys_content_t:dir list_dir_perms; + read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) + read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) +') + +######################################## +## <summary> +## Search apache system CGI directories. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_search_sys_scripts',` + gen_require(` + type httpd_sys_content_t, httpd_sys_script_exec_t; + ') + + search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t) +') + +######################################## +## <summary> +## Create, read, write, and delete all user web content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`apache_manage_all_user_content',` + gen_require(` + attribute httpd_user_content_type, httpd_user_script_exec_type; + ') + + manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type) + manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type) + manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type) + + manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) + manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) + manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) +') + +######################################## +## <summary> +## Search system script state directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_search_sys_script_state',` + gen_require(` + type httpd_sys_script_t; + ') + + allow $1 httpd_sys_script_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Allow the specified domain to read +## apache tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`apache_read_tmp_files',` + gen_require(` + type httpd_tmp_t; + ') + + files_search_tmp($1) + read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) +') + +###################################### +## <summary> +## Dontaudit attempts to read and write +## apache tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`apache_dontaudit_rw_tmp_files',` + gen_require(` + type httpd_tmp_t; + ') + + dontaudit $1 httpd_tmp_t:file { read write }; +') + +######################################## +## <summary> +## Dontaudit attempts to write +## apache tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`apache_dontaudit_write_tmp_files',` + gen_require(` + type httpd_tmp_t; + ') + + dontaudit $1 httpd_tmp_t:file write; +') + +######################################## +## <summary> +## Execute CGI in the specified domain. +## </summary> +## <desc> +## <p> +## Execute CGI in the specified domain. +## </p> +## <p> +## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain run the cgi script in. +## </summary> +## </param> +## <param name="entrypoint"> +## <summary> +## Type of the executable to enter the cgi domain. +## </summary> +## </param> +# +interface(`apache_cgi_domain',` + gen_require(` + type httpd_t, httpd_sys_script_exec_t; + ') + + domtrans_pattern(httpd_t, $2, $1) + apache_search_sys_scripts($1) + + allow httpd_t $1:process signal; +') + +######################################## +## <summary> +## All of the rules required to administrate an apache environment +## </summary> +## <param name="prefix"> +## <summary> +## Prefix of the domain. Example, user would be +## the prefix for the uder_t domain. 
+## </summary> +## </param> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`apache_admin',` + gen_require(` + attribute httpdcontent, httpd_script_exec_type; + type httpd_t, httpd_config_t, httpd_log_t; + type httpd_modules_t, httpd_lock_t, httpd_bool_t; + type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t; + type httpd_suexec_tmp_t, httpd_tmp_t; + ') + + allow $1 httpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, httpd_t) + + init_labeled_script_domtrans($1, httpd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 httpd_initrc_exec_t system_r; + allow $2 system_r; + + apache_manage_all_content($1) + miscfiles_manage_public_files($1) + + files_list_etc($1) + admin_pattern($1, httpd_config_t) + + logging_list_logs($1) + admin_pattern($1, httpd_log_t) + + admin_pattern($1, httpd_modules_t) + + admin_pattern($1, httpd_lock_t) + files_lock_filetrans($1, httpd_lock_t, file) + + admin_pattern($1, httpd_var_run_t) + files_pid_filetrans($1, httpd_var_run_t, file) + + admin_pattern($1, httpdcontent) + admin_pattern($1, httpd_script_exec_type) + + seutil_domtrans_setfiles($1) + + files_list_tmp($1) + admin_pattern($1, httpd_tmp_t) + admin_pattern($1, httpd_php_tmp_t) + admin_pattern($1, httpd_suexec_tmp_t) + + ifdef(`TODO',` + apache_set_booleans($1, $2, $3, httpd_bool_t) + seutil_setsebool_role_template($1, $3, $2) + allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms; + allow httpd_setsebool_t httpd_bool_t:file rw_file_perms; + ') +') + +######################################## +## <summary> +## dontaudit read and write an leaked file descriptors +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`apache_dontaudit_leaks',` + gen_require(` + type httpd_t; + ') + + dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; + dontaudit $1 httpd_t:tcp_socket { read write }; + dontaudit $1 httpd_t:unix_dgram_socket { read write }; + dontaudit $1 httpd_t:unix_stream_socket { read write }; +') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te new file mode 100644 index 0000000..410ff39 --- /dev/null +++ b/policy/modules/services/apache.te 
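Review bot: the parameter documentation for apache_admin does not match how the body uses its arguments. The param blocks declare prefix, domain and role in that order, but the body treats $1 as the domain ("allow $1 httpd_t:process { ptrace signal_perms };", "ps_process_pattern($1, httpd_t)") and $2 as the role ("role_transition $2 httpd_initrc_exec_t system_r;", "allow $2 system_r;"), and $3 is only referenced inside the ifdef(`TODO') block. Either drop the prefix parameter from the docs (together with the dead httpd_bool_t requirement and the apache_set_booleans code under TODO) or renumber the body; as written a caller that follows the docs passes the prefix string where a domain type is expected and the role where the domain goes. Also in this hunk: apache_domtrans_sys_script calls domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t) but its gen_require lists httpd_sys_content_t (unused) instead of httpd_sys_script_exec_t, so the interface only links when the type happens to be required elsewhere; apache_cgi_domain requires httpd_sys_script_exec_t without using it; and apache_delete_sys_content_rw calls files_search_tmp($1) where the sibling list/manage interfaces for the same type call files_search_var($1), which reads as a copy-paste slip unless the /tmp placement is deliberate and should then be commented. Doc-string nits: "uder_t" should be "user_t" and "an leaked file descriptors" should be "any leaked file descriptors".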
@@ -0,0 +1,1192 @@ +policy_module(apache, 2.2.0) + +# +# NOTES: +# This policy will work with SUEXEC enabled as part of the Apache +# configuration. However, the user CGI scripts will run under the +# system_u:system_r:httpd_user_script_t. +# +# The user CGI scripts must be labeled with the httpd_user_script_exec_t +# type, and the directory containing the scripts should also be labeled +# with these types. This policy allows the user role to perform that +# relabeling. If it is desired that only admin role should be able to relabel +# the user CGI scripts, then relabel rule for user roles should be removed. +# + +######################################## +# +# Declarations +# + +selinux_genbool(httpd_bool_t) + +## <desc> +## <p> +## Allow Apache to modify public files +## used for public file transfer services. Directories/Files must +## be labeled public_content_rw_t. +## </p> +## </desc> +gen_tunable(allow_httpd_anon_write, false) + +## <desc> +## <p> +## Allow Apache to use mod_auth_pam +## </p> +## </desc> +gen_tunable(allow_httpd_mod_auth_pam, false) + +## <desc> +## <p> +## Allow Apache to use mod_auth_pam +## </p> +## </desc> +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) + +## <desc> +## <p> +## Allow httpd scripts and modules execmem/execstack +## </p> +## </desc> +gen_tunable(httpd_execmem, false) + +## <desc> +## <p> +## Allow httpd daemon to change system limits +## </p> +## </desc> +gen_tunable(httpd_setrlimit, false) + +## <desc> +## <p> +## Allow httpd to use built in scripting (usually php) +## </p> +## </desc> +gen_tunable(httpd_builtin_scripting, false) + +## <desc> +## <p> +## Allow HTTPD scripts and modules to connect to the network using any TCP port. +## </p> +## </desc> +gen_tunable(httpd_can_network_connect, false) + +## <desc> +## <p> +## Allow HTTPD scripts and modules to connect to cobbler over the network. 
+## </p> +## </desc> +gen_tunable(httpd_can_network_connect_cobbler, false) + +## <desc> +## <p> +## Allow HTTPD scripts and modules to connect to databases over the network. +## </p> +## </desc> +gen_tunable(httpd_can_network_connect_db, false) + +## <desc> +## <p> +## Allow httpd to connect to memcache server +## </p> +## </desc> +gen_tunable(httpd_can_network_memcache, false) + +## <desc> +## <p> +## Allow httpd to act as a relay +## </p> +## </desc> +gen_tunable(httpd_can_network_relay, false) + +## <desc> +## <p> +## Allow http daemon to send mail +## </p> +## </desc> +gen_tunable(httpd_can_sendmail, false) + +## <desc> +## <p> +## Allow http daemon to check spam +## </p> +## </desc> +gen_tunable(httpd_can_check_spam, false) + +## <desc> +## <p> +## Allow Apache to communicate with avahi service via dbus +## </p> +## </desc> +gen_tunable(httpd_dbus_avahi, false) + +## <desc> +## <p> +## Allow httpd to execute cgi scripts +## </p> +## </desc> +gen_tunable(httpd_enable_cgi, false) + +## <desc> +## <p> +## Allow httpd to act as a FTP server by +## listening on the ftp port. +## </p> +## </desc> +gen_tunable(httpd_enable_ftp_server, false) + +## <desc> +## <p> +## Allow httpd to read home directories +## </p> +## </desc> +gen_tunable(httpd_enable_homedirs, false) + +## <desc> +## <p> +## Allow httpd to read user content +## </p> +## </desc> +gen_tunable(httpd_read_user_content, false) + +## <desc> +## <p> +## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. +## </p> +## </desc> +gen_tunable(httpd_ssi_exec, false) + +## <desc> +## <p> +## Allow Apache to execute tmp content. +## </p> +## </desc> +gen_tunable(httpd_tmp_exec, false) + +## <desc> +## <p> +## Unify HTTPD to communicate with the terminal. +## Needed for entering the passphrase for certificates at +## the terminal. +## </p> +## </desc> +gen_tunable(httpd_tty_comm, false) + +## <desc> +## <p> +## Unify HTTPD handling of all content files. 
+## </p> +## </desc> +gen_tunable(httpd_unified, false) + +## <desc> +## <p> +## Allow httpd to access cifs file systems +## </p> +## </desc> +gen_tunable(httpd_use_cifs, false) + +## <desc> +## <p> +## Allow httpd to run gpg in gpg-web domain +## </p> +## </desc> +gen_tunable(httpd_use_gpg, false) + +## <desc> +## <p> +## Allow httpd to access nfs file systems +## </p> +## </desc> +gen_tunable(httpd_use_nfs, false) + +## <desc> +## <p> +## Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t. +## </p> +## </desc> +gen_tunable(allow_httpd_sys_script_anon_write, false) + +attribute httpdcontent; +attribute httpd_user_content_type; + +# domains that can exec all users scripts +attribute httpd_exec_scripts; + +attribute httpd_script_exec_type; +attribute httpd_user_script_exec_type; + +# user script domains +attribute httpd_script_domains; + +type httpd_t; +type httpd_exec_t; +init_daemon_domain(httpd_t, httpd_exec_t) +role system_r types httpd_t; + +# httpd_cache_t is the type given to the /var/cache/httpd +# directory and the files under that directory +type httpd_cache_t; +files_type(httpd_cache_t) + +# httpd_config_t is the type given to the configuration files +type httpd_config_t; +files_type(httpd_config_t) + +type httpd_helper_t; +type httpd_helper_exec_t; +domain_type(httpd_helper_t) +domain_entry_file(httpd_helper_t, httpd_helper_exec_t) +role system_r types httpd_helper_t; + +type httpd_initrc_exec_t; +init_script_file(httpd_initrc_exec_t) + +type httpd_lock_t; +files_lock_file(httpd_lock_t) + +type httpd_log_t; +logging_log_file(httpd_log_t) + +# httpd_modules_t is the type given to module files (libraries) +# that come with Apache /etc/httpd/modules and /usr/lib/apache +type httpd_modules_t; +files_type(httpd_modules_t) + +type httpd_php_t; +type httpd_php_exec_t; +domain_type(httpd_php_t) +domain_entry_file(httpd_php_t, httpd_php_exec_t) +role system_r types httpd_php_t; + +type httpd_php_tmp_t; 
+files_tmp_file(httpd_php_tmp_t) + +type httpd_rotatelogs_t; +type httpd_rotatelogs_exec_t; +init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) + +type httpd_squirrelmail_t; +files_type(httpd_squirrelmail_t) + +# SUEXEC runs user scripts as their own user ID +type httpd_suexec_t; #, daemon; +type httpd_suexec_exec_t; +domain_type(httpd_suexec_t) +domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) +role system_r types httpd_suexec_t; + +type httpd_suexec_tmp_t; +files_tmp_file(httpd_suexec_tmp_t) + +# setup the system domain for system CGI scripts +apache_content_template(sys) + +typeattribute httpd_sys_content_t httpdcontent; # customizable +typeattribute httpd_sys_rw_content_t httpdcontent; # customizable +typeattribute httpd_sys_ra_content_t httpdcontent; # customizable + +# Removal of fastcgi, will cause problems without the following +typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; +typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t }; +typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t }; +typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t; +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; + +type httpd_tmp_t; +files_tmp_file(httpd_tmp_t) + +type httpd_tmpfs_t; +files_tmpfs_file(httpd_tmpfs_t) + +apache_content_template(user) +ubac_constrained(httpd_user_script_t) +typeattribute httpd_user_content_t httpdcontent; +typeattribute httpd_user_rw_content_t httpdcontent; +typeattribute httpd_user_ra_content_t httpdcontent; + +userdom_user_home_content(httpd_user_content_t) +userdom_user_home_content(httpd_user_htaccess_t) +userdom_user_home_content(httpd_user_script_exec_t) +userdom_user_home_content(httpd_user_ra_content_t) +userdom_user_home_content(httpd_user_rw_content_t) +typeattribute httpd_user_script_t httpd_script_domains; +typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; 
+typealias httpd_user_content_t alias httpd_unconfined_content_t; +typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; +typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; +typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; +typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t }; +typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t }; +typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t }; +typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t }; +typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t }; +typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t }; +typealias httpd_user_rw_content_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t }; +typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t }; +typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; +typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; + +# for apache2 memory mapped files +type httpd_var_lib_t; +files_type(httpd_var_lib_t) + +type httpd_var_run_t; +files_pid_file(httpd_var_run_t) + +# Removal of fastcgi, will cause problems without the following +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; + +# File Type of squirrelmail attachments +type squirrelmail_spool_t; +files_tmp_file(squirrelmail_spool_t) + +optional_policy(` + prelink_object_file(httpd_modules_t) +') + +######################################## +# +# Apache server local policy +# + +allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; +dontaudit httpd_t self:capability { net_admin sys_tty_config }; +allow httpd_t 
self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow httpd_t self:fd use; +allow httpd_t self:sock_file read_sock_file_perms; +allow httpd_t self:fifo_file rw_fifo_file_perms; +allow httpd_t self:shm create_shm_perms; +allow httpd_t self:sem create_sem_perms; +allow httpd_t self:msgq create_msgq_perms; +allow httpd_t self:msg { send receive }; +allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow httpd_t self:tcp_socket create_stream_socket_perms; +allow httpd_t self:udp_socket create_socket_perms; +dontaudit httpd_t self:netlink_audit_socket create_socket_perms; + +# Allow httpd_t to put files in /var/cache/httpd etc +manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) +manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) +manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) +files_var_filetrans(httpd_t, httpd_cache_t, { file dir }) + +# Allow the httpd_t to read the web servers config files +allow httpd_t httpd_config_t:dir list_dir_perms; +read_files_pattern(httpd_t, httpd_config_t, httpd_config_t) +read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t) + +can_exec(httpd_t, httpd_exec_t) + +allow httpd_t httpd_lock_t:file manage_file_perms; +files_lock_filetrans(httpd_t, httpd_lock_t, file) + +allow httpd_t httpd_log_t:dir setattr; +create_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +append_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +read_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t) +# cjp: need to refine create interfaces to +# cut this back to add_name only +logging_log_filetrans(httpd_t, httpd_log_t, file) + +allow httpd_t httpd_modules_t:dir list_dir_perms; +mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) 
+read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) + +apache_domtrans_rotatelogs(httpd_t) +# Apache-httpd needs to be able to send signals to the log rotate procs. +allow httpd_t httpd_rotatelogs_t:process signal_perms; + +manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) +manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) +manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) + +allow httpd_t httpd_suexec_exec_t:file read_file_perms; + +allow httpd_t httpd_sys_content_t:dir list_dir_perms; +read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) +read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) + +allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; + +manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) +manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) +manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) +files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file }) + +manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) +files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file) + +setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) +manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) +manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) +manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) +files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir }) + +manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) 
+manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) + +kernel_read_kernel_sysctls(httpd_t) +# for modules that want to access /proc/meminfo +kernel_read_system_state(httpd_t) +kernel_search_network_sysctl(httpd_t) + +corenet_all_recvfrom_unlabeled(httpd_t) +corenet_all_recvfrom_netlabel(httpd_t) +corenet_tcp_sendrecv_generic_if(httpd_t) +corenet_udp_sendrecv_generic_if(httpd_t) +corenet_tcp_sendrecv_generic_node(httpd_t) +corenet_udp_sendrecv_generic_node(httpd_t) +corenet_tcp_sendrecv_all_ports(httpd_t) +corenet_udp_sendrecv_all_ports(httpd_t) +corenet_tcp_bind_generic_node(httpd_t) +corenet_udp_bind_generic_node(httpd_t) +corenet_tcp_bind_http_port(httpd_t) +corenet_tcp_bind_http_cache_port(httpd_t) +corenet_tcp_bind_ntop_port(httpd_t) +corenet_sendrecv_http_server_packets(httpd_t) +# Signal self for shutdown +corenet_tcp_connect_http_port(httpd_t) + +dev_read_sysfs(httpd_t) +dev_read_rand(httpd_t) +dev_read_urand(httpd_t) +dev_rw_crypto(httpd_t) + +fs_getattr_all_fs(httpd_t) +fs_search_auto_mountpoints(httpd_t) +fs_read_iso9660_files(httpd_t) +fs_read_anon_inodefs_files(httpd_t) + +auth_use_nsswitch(httpd_t) + +application_exec_all(httpd_t) + +domain_use_interactive_fds(httpd_t) + +files_dontaudit_getattr_all_pids(httpd_t) +files_read_usr_files(httpd_t) +files_list_mnt(httpd_t) +files_search_spool(httpd_t) +files_read_var_lib_files(httpd_t) +files_search_home(httpd_t) +files_getattr_home_dir(httpd_t) +# for modules that want to access /etc/mtab +files_read_etc_runtime_files(httpd_t) +# Allow httpd_t to have access to files such as nisswitch.conf +files_read_etc_files(httpd_t) +# for tomcat +files_read_var_lib_symlinks(httpd_t) + +fs_search_auto_mountpoints(httpd_sys_script_t) +# php uploads a file to /tmp and then execs programs to acton them +manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) +manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, 
httpd_tmp_t) +files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file }) + +libs_read_lib_files(httpd_t) + +logging_send_syslog_msg(httpd_t) + +miscfiles_read_localization(httpd_t) +miscfiles_read_fonts(httpd_t) +miscfiles_read_public_files(httpd_t) +miscfiles_read_generic_certs(httpd_t) + +seutil_dontaudit_search_config(httpd_t) + +userdom_use_unpriv_users_fds(httpd_t) + +tunable_policy(`httpd_setrlimit',` + allow httpd_t self:process setrlimit; +') + +tunable_policy(`allow_httpd_anon_write',` + miscfiles_manage_public_files(httpd_t) +') + +# +# We need optionals to be able to be within booleans to make this work +# +tunable_policy(`allow_httpd_mod_auth_pam',` + auth_domtrans_chkpwd(httpd_t) + logging_send_audit_msgs(httpd_t) +') + +optional_policy(` + tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',` + samba_domtrans_winbind_helper(httpd_t) + ') +') + +tunable_policy(`httpd_can_network_connect',` + corenet_tcp_connect_all_ports(httpd_t) +') + +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mssql_port(httpd_t) + corenet_sendrecv_mssql_client_packets(httpd_t) +') + +tunable_policy(`httpd_can_network_memcache',` + corenet_tcp_connect_memcache_port(httpd_t) +') + +tunable_policy(`httpd_can_network_relay',` + # allow httpd to work as a relay + corenet_tcp_connect_gopher_port(httpd_t) + corenet_tcp_connect_ftp_port(httpd_t) + corenet_tcp_connect_http_port(httpd_t) + corenet_tcp_connect_http_cache_port(httpd_t) + corenet_tcp_connect_squid_port(httpd_t) + corenet_tcp_connect_memcache_port(httpd_t) + corenet_sendrecv_gopher_client_packets(httpd_t) + corenet_sendrecv_ftp_client_packets(httpd_t) + corenet_sendrecv_http_client_packets(httpd_t) + corenet_sendrecv_http_cache_client_packets(httpd_t) + corenet_sendrecv_squid_client_packets(httpd_t) +') + +tunable_policy(`httpd_execmem',` + allow httpd_t self:process { execmem execstack }; + allow httpd_sys_script_t self:process { execmem execstack }; + 
allow httpd_suexec_t self:process { execmem execstack }; +') + +tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_sys_script_t httpd_sys_content_t:file entrypoint; + filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) + can_exec(httpd_sys_script_t, httpd_sys_content_t) +') + +tunable_policy(`allow_httpd_sys_script_anon_write',` + miscfiles_manage_public_files(httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` + fs_nfs_domtrans(httpd_t, httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` + fs_cifs_domtrans(httpd_t, httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` + domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) + filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) + manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) + manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) + manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) + + manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) + manage_files_pattern(httpd_t, httpdcontent, httpdcontent) + manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent) +') + +tunable_policy(`httpd_enable_ftp_server',` + corenet_tcp_bind_ftp_port(httpd_t) +') + +tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',` + can_exec(httpd_t, httpd_tmp_t) +') + +tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',` + can_exec(httpd_sys_script_t, httpd_tmp_t) +') + +tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(httpd_t) + fs_read_nfs_symlinks(httpd_t) +') + +tunable_policy(`httpd_use_nfs',` + fs_manage_nfs_dirs(httpd_t) + fs_manage_nfs_files(httpd_t) + fs_manage_nfs_symlinks(httpd_t) +') + +tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_t) + 
fs_read_cifs_symlinks(httpd_t) +') + +tunable_policy(`httpd_can_sendmail',` + # allow httpd to connect to mail servers + corenet_tcp_connect_smtp_port(httpd_t) + corenet_sendrecv_smtp_client_packets(httpd_t) + corenet_tcp_connect_pop_port(httpd_t) + corenet_sendrecv_pop_client_packets(httpd_t) + mta_send_mail(httpd_t) + mta_signal_system_mail(httpd_t) +') + +tunable_policy(`httpd_use_cifs',` + fs_manage_cifs_dirs(httpd_t) + fs_manage_cifs_files(httpd_t) + fs_manage_cifs_symlinks(httpd_t) +') + +tunable_policy(`httpd_ssi_exec',` + corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) + allow httpd_sys_script_t httpd_t:fd use; + allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms; + allow httpd_sys_script_t httpd_t:process sigchld; +') + +# When the admin starts the server, the server wants to access +# the TTY or PTY associated with the session. The httpd appears +# to run correctly without this permission, so the permission +# are dontaudited here. +tunable_policy(`httpd_tty_comm',` + userdom_use_user_terminals(httpd_t) + userdom_use_user_terminals(httpd_suexec_t) +',` + userdom_dontaudit_use_user_terminals(httpd_t) + userdom_dontaudit_use_user_terminals(httpd_suexec_t) +') + +optional_policy(` + calamaris_read_www_files(httpd_t) +') + +optional_policy(` + ccs_read_config(httpd_t) +') + +optional_policy(` + cobbler_list_config(httpd_t) + cobbler_read_config(httpd_t) + cobbler_read_lib_files(httpd_t) + + tunable_policy(`httpd_can_network_connect_cobbler',` + corenet_tcp_connect_cobbler_port(httpd_t) + ') +') + +optional_policy(` + cron_system_entry(httpd_t, httpd_exec_t) +') + +optional_policy(` + cvs_read_data(httpd_t) +') + +optional_policy(` + daemontools_service_domain(httpd_t, httpd_exec_t) +') + +optional_policy(` + dbus_system_bus_client(httpd_t) + + tunable_policy(`httpd_dbus_avahi',` + avahi_dbus_chat(httpd_t) + ') +') + +optional_policy(` + gitosis_read_lib_files(httpd_t) +') + +optional_policy(` + tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` + 
gpg_domtrans_web(httpd_t) + ') +') + +optional_policy(` + kerberos_keytab_template(httpd, httpd_t) +') + +optional_policy(` + mailman_signal_cgi(httpd_t) + mailman_domtrans_cgi(httpd_t) + mailman_read_data_files(httpd_t) + # should have separate types for public and private archives + mailman_search_data(httpd_t) + mailman_read_archive(httpd_t) +') + +optional_policy(` + mediawiki_read_tmp_files(httpd_t) + mediawiki_delete_tmp_files(httpd_t) +') + +optional_policy(` + # Allow httpd to work with mysql + mysql_read_config(httpd_t) + mysql_stream_connect(httpd_t) + mysql_rw_db_sockets(httpd_t) + + tunable_policy(`httpd_can_network_connect_db',` + mysql_tcp_connect(httpd_t) + ') +') + +optional_policy(` + nagios_read_config(httpd_t) + nagios_read_log(httpd_t) +') + +optional_policy(` + openca_domtrans(httpd_t) + openca_signal(httpd_t) + openca_sigstop(httpd_t) + openca_kill(httpd_t) +') + +optional_policy(` + passenger_domtrans(httpd_t) + passenger_manage_pid_content(httpd_t) + passenger_read_lib_files(httpd_t) +') + +optional_policy(` + rpc_search_nfs_state_data(httpd_t) +') + +optional_policy(` + # Allow httpd to work with postgresql + postgresql_stream_connect(httpd_t) + postgresql_unpriv_client(httpd_t) + + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_t) + ') +') + +optional_policy(` + seutil_sigchld_newrole(httpd_t) +') + +optional_policy(` + smokeping_read_lib_files(httpd_t) +') + +optional_policy(` + files_dontaudit_rw_usr_dirs(httpd_t) + snmp_dontaudit_read_snmp_var_lib_files(httpd_t) + snmp_dontaudit_write_snmp_var_lib_files(httpd_t) +') + +optional_policy(` + udev_read_db(httpd_t) +') + +optional_policy(` + yam_read_content(httpd_t) +') + +optional_policy(` + zarafa_stream_connect_server(httpd_t) +') + +######################################## +# +# Apache helper local policy +# + +domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t) + +allow httpd_helper_t httpd_config_t:file read_file_perms; + +allow 
httpd_helper_t httpd_log_t:file append_file_perms; + +logging_send_syslog_msg(httpd_helper_t) + +userdom_use_user_terminals(httpd_helper_t) + +tunable_policy(`httpd_tty_comm',` + userdom_use_user_terminals(httpd_helper_t) +') + +######################################## +# +# Apache PHP script local policy +# + +allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow httpd_php_t self:fd use; +allow httpd_php_t self:fifo_file rw_fifo_file_perms; +allow httpd_php_t self:sock_file read_sock_file_perms; +allow httpd_php_t self:unix_dgram_socket create_socket_perms; +allow httpd_php_t self:unix_stream_socket create_stream_socket_perms; +allow httpd_php_t self:unix_dgram_socket sendto; +allow httpd_php_t self:unix_stream_socket connectto; +allow httpd_php_t self:shm create_shm_perms; +allow httpd_php_t self:sem create_sem_perms; +allow httpd_php_t self:msgq create_msgq_perms; +allow httpd_php_t self:msg { send receive }; + +domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t) + +# allow php to read and append to apache logfiles +allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms }; + +manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t) +manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t) +files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir }) + +fs_search_auto_mountpoints(httpd_php_t) + +auth_use_nsswitch(httpd_php_t) + +libs_exec_lib_files(httpd_php_t) + +userdom_use_unpriv_users_fds(httpd_php_t) + +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mssql_port(httpd_php_t) + corenet_sendrecv_mssql_client_packets(httpd_php_t) +') + +optional_policy(` + mysql_stream_connect(httpd_php_t) + mysql_rw_db_sockets(httpd_php_t) + mysql_read_config(httpd_php_t) + + tunable_policy(`httpd_can_network_connect_db',` + mysql_tcp_connect(httpd_php_t) + ') +') + +optional_policy(` + postgresql_stream_connect(httpd_php_t) + 
postgresql_unpriv_client(httpd_php_t) + + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_php_t) + ') +') + +######################################## +# +# Apache suexec local policy +# + +allow httpd_suexec_t self:capability { setuid setgid }; +allow httpd_suexec_t self:process signal_perms; +allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; + +domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) + +create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) +append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) +read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) + +allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms; + +manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) + +can_exec(httpd_suexec_t, httpd_sys_script_exec_t) + +read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t) +read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t) +read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t) + +kernel_read_kernel_sysctls(httpd_suexec_t) +kernel_list_proc(httpd_suexec_t) +kernel_read_proc_symlinks(httpd_suexec_t) + +dev_read_urand(httpd_suexec_t) + +fs_read_iso9660_files(httpd_suexec_t) +fs_search_auto_mountpoints(httpd_suexec_t) + +application_exec_all(httpd_suexec_t) + +files_read_etc_files(httpd_suexec_t) +files_read_usr_files(httpd_suexec_t) +files_dontaudit_search_pids(httpd_suexec_t) +files_search_home(httpd_suexec_t) + +auth_use_nsswitch(httpd_suexec_t) + +logging_search_logs(httpd_suexec_t) +logging_send_syslog_msg(httpd_suexec_t) + +miscfiles_read_localization(httpd_suexec_t) +miscfiles_read_public_files(httpd_suexec_t) + +tunable_policy(`httpd_can_network_connect',` + allow httpd_suexec_t self:tcp_socket 
create_stream_socket_perms; + allow httpd_suexec_t self:udp_socket create_socket_perms; + + corenet_all_recvfrom_unlabeled(httpd_suexec_t) + corenet_all_recvfrom_netlabel(httpd_suexec_t) + corenet_tcp_sendrecv_generic_if(httpd_suexec_t) + corenet_udp_sendrecv_generic_if(httpd_suexec_t) + corenet_tcp_sendrecv_generic_node(httpd_suexec_t) + corenet_udp_sendrecv_generic_node(httpd_suexec_t) + corenet_tcp_sendrecv_all_ports(httpd_suexec_t) + corenet_udp_sendrecv_all_ports(httpd_suexec_t) + corenet_tcp_connect_all_ports(httpd_suexec_t) + corenet_sendrecv_all_client_packets(httpd_suexec_t) +') + +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mssql_port(httpd_suexec_t) + corenet_sendrecv_mssql_client_packets(httpd_suexec_t) +') + +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) + +tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_sys_script_t httpdcontent:file entrypoint; + domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) + manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) +') + +tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(httpd_suexec_t) + fs_read_nfs_symlinks(httpd_suexec_t) + fs_exec_nfs_files(httpd_suexec_t) +') + +tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_suexec_t) + fs_read_cifs_symlinks(httpd_suexec_t) + fs_exec_cifs_files(httpd_suexec_t) +') + +optional_policy(` + mailman_domtrans_cgi(httpd_suexec_t) +') + +optional_policy(` + mta_stub(httpd_suexec_t) + + # apache should set close-on-exec + dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; +') + +optional_policy(` + mysql_stream_connect(httpd_suexec_t) + mysql_rw_db_sockets(httpd_suexec_t) + 
mysql_read_config(httpd_suexec_t) + + tunable_policy(`httpd_can_network_connect_db',` + mysql_tcp_connect(httpd_suexec_t) + ') +') + +optional_policy(` + postgresql_stream_connect(httpd_suexec_t) + postgresql_unpriv_client(httpd_suexec_t) + + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_suexec_t) + ') +') + +######################################## +# +# Apache system script local policy +# + +allow httpd_sys_script_t self:process getsched; + +allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; +allow httpd_sys_script_t httpd_t:tcp_socket { read write }; + +dontaudit httpd_sys_script_t httpd_config_t:dir search; + +allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; + +allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; +read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) +read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) + +kernel_read_kernel_sysctls(httpd_sys_script_t) + +files_search_var_lib(httpd_sys_script_t) +files_search_spool(httpd_sys_script_t) + +logging_inherit_append_all_logs(httpd_sys_script_t) + +# Should we add a boolean? 
+apache_domtrans_rotatelogs(httpd_sys_script_t) + +auth_use_nsswitch(httpd_sys_script_t) + +ifdef(`distro_redhat',` + allow httpd_sys_script_t httpd_log_t:file append_file_perms; +') + +tunable_policy(`httpd_can_sendmail',` + mta_send_mail(httpd_sys_script_t) +') + +optional_policy(` + tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` + spamassassin_domtrans_client(httpd_t) + ') +') + +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mssql_port(httpd_sys_script_t) + corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) +') + +fs_cifs_entry_type(httpd_sys_script_t) +fs_read_iso9660_files(httpd_sys_script_t) +fs_nfs_entry_type(httpd_sys_script_t) + +tunable_policy(`httpd_use_nfs',` + fs_manage_nfs_dirs(httpd_sys_script_t) + fs_manage_nfs_files(httpd_sys_script_t) + fs_manage_nfs_symlinks(httpd_sys_script_t) + fs_exec_nfs_files(httpd_sys_script_t) + + fs_manage_nfs_dirs(httpd_suexec_t) + fs_manage_nfs_files(httpd_suexec_t) + fs_manage_nfs_symlinks(httpd_suexec_t) + fs_exec_nfs_files(httpd_suexec_t) +') + +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` + allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_sys_script_t self:udp_socket create_socket_perms; + + corenet_tcp_bind_all_nodes(httpd_sys_script_t) + corenet_udp_bind_all_nodes(httpd_sys_script_t) + corenet_all_recvfrom_unlabeled(httpd_sys_script_t) + corenet_all_recvfrom_netlabel(httpd_sys_script_t) + corenet_tcp_sendrecv_all_if(httpd_sys_script_t) + corenet_udp_sendrecv_all_if(httpd_sys_script_t) + corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t) + corenet_udp_sendrecv_all_nodes(httpd_sys_script_t) + corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) + corenet_udp_sendrecv_all_ports(httpd_sys_script_t) + corenet_tcp_connect_all_ports(httpd_sys_script_t) + corenet_sendrecv_all_client_packets(httpd_sys_script_t) +') + +tunable_policy(`httpd_enable_homedirs',` + userdom_search_user_home_dirs(httpd_sys_script_t) +') + 
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(httpd_sys_script_t) + fs_read_nfs_symlinks(httpd_sys_script_t) +') + +tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_sys_script_t) +') + +tunable_policy(`httpd_use_cifs',` + fs_manage_cifs_dirs(httpd_sys_script_t) + fs_manage_cifs_files(httpd_sys_script_t) + fs_manage_cifs_symlinks(httpd_sys_script_t) + fs_manage_cifs_dirs(httpd_suexec_t) + fs_manage_cifs_files(httpd_suexec_t) + fs_manage_cifs_symlinks(httpd_suexec_t) + fs_exec_cifs_files(httpd_suexec_t) +') + +tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_sys_script_t) + fs_read_cifs_symlinks(httpd_sys_script_t) +') + +optional_policy(` + clamav_domtrans_clamscan(httpd_sys_script_t) +') + +optional_policy(` + mysql_stream_connect(httpd_sys_script_t) + mysql_rw_db_sockets(httpd_sys_script_t) + mysql_read_config(httpd_sys_script_t) + + tunable_policy(`httpd_can_network_connect_db',` + mysql_tcp_connect(httpd_sys_script_t) + ') +') + +optional_policy(` + postgresql_stream_connect(httpd_sys_script_t) + postgresql_unpriv_client(httpd_sys_script_t) + + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_sys_script_t) + ') +') + +######################################## +# +# httpd_rotatelogs local policy +# + +allow httpd_rotatelogs_t self:capability dac_override; + +manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) + +kernel_read_kernel_sysctls(httpd_rotatelogs_t) +kernel_dontaudit_list_proc(httpd_rotatelogs_t) +kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) + +files_read_etc_files(httpd_rotatelogs_t) + +logging_search_logs(httpd_rotatelogs_t) + +miscfiles_read_localization(httpd_rotatelogs_t) + +######################################## +# +# Unconfined script local policy +# + +optional_policy(` + type httpd_unconfined_script_t; + type httpd_unconfined_script_exec_t; + 
domain_type(httpd_unconfined_script_t) + domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t) + domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) + unconfined_domain(httpd_unconfined_script_t) + + role system_r types httpd_unconfined_script_t; + allow httpd_t httpd_unconfined_script_t:process signal_perms; +') + +######################################## +# +# User content local policy +# + +tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_user_script_t httpdcontent:file entrypoint; + manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) + manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) + manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t) + manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t) +') + +# allow accessing files/dirs below the users home dir +tunable_policy(`httpd_enable_homedirs',` + userdom_search_user_home_content(httpd_t) + userdom_search_user_home_content(httpd_suexec_t) + userdom_search_user_home_content(httpd_user_script_t) +') + +tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_t) + userdom_read_user_home_content_files(httpd_suexec_t) + userdom_read_user_home_content_files(httpd_user_script_t) +') diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc new file mode 100644 index 0000000..cd07b96 --- /dev/null +++ b/policy/modules/services/apcupsd.fc 
@@ -0,0 +1,15 @@ +/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0) + +/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) + +/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) + +/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) +/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) + +/var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0) + +/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) +/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) +/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) +/var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) diff --git a/policy/modules/services/apcupsd.if b/policy/modules/services/apcupsd.if new file mode 100644 index 0000000..d3451b8 --- /dev/null +++ b/policy/modules/services/apcupsd.if 
@@ -0,0 +1,166 @@ +## <summary>APC UPS monitoring daemon</summary> + +######################################## +## <summary> +## Execute a domain transition to run apcupsd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`apcupsd_domtrans',` + gen_require(` + type apcupsd_t, apcupsd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, apcupsd_exec_t, apcupsd_t) +') + +######################################## +## <summary> +## Execute apcupsd server in the apcupsd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`apcupsd_initrc_domtrans',` + gen_require(` + type apcupsd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, apcupsd_initrc_exec_t) +') + +######################################## +## <summary> +## Read apcupsd PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apcupsd_read_pid_files',` + gen_require(` + type apcupsd_var_run_t; + ') + + files_search_pids($1) + allow $1 apcupsd_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Allow the specified domain to read apcupsd's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`apcupsd_read_log',` + gen_require(` + type apcupsd_log_t; + ') + + logging_search_logs($1) + allow $1 apcupsd_log_t:dir list_dir_perms; + allow $1 apcupsd_log_t:file read_file_perms; +') + +######################################## +## <summary> +## Allow the specified domain to append +## apcupsd log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`apcupsd_append_log',` + gen_require(` + type apcupsd_log_t; + ') + + logging_search_logs($1) + allow $1 apcupsd_log_t:dir list_dir_perms; + allow $1 apcupsd_log_t:file append_file_perms; +') + +######################################## +## <summary> +## Execute a domain transition to run httpd_apcupsd_cgi_script. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`apcupsd_cgi_script_domtrans',` + gen_require(` + type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t; + ') + + optional_policy(` + apache_search_sys_content($1) + ') + + files_search_var($1) + domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an apcupsd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the apcupsd domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`apcupsd_admin',` + gen_require(` + type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t; + type apcupsd_lock_t, apcupsd_var_run_t, apcupsd_initrc_exec_t; + ') + + allow $1 apcupsd_t:process { ptrace signal_perms }; + ps_process_pattern($1, apcupsd_t) + + apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 apcupsd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_var($1) + admin_pattern($1, apcupsd_lock_t) + + logging_list_logs($1) + admin_pattern($1, apcupsd_log_t) + + files_list_tmp($1) + admin_pattern($1, apcupsd_tmp_t) + + files_list_pids($1) + admin_pattern($1, apcupsd_var_run_t) +') diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te new file mode 100644 index 0000000..472ddad --- /dev/null 
+++ b/policy/modules/services/apcupsd.te 
@@ -0,0 +1,127 @@ +policy_module(apcupsd, 1.7.0) + +######################################## +# +# Declarations +# + +type apcupsd_t; +type apcupsd_exec_t; +init_daemon_domain(apcupsd_t, apcupsd_exec_t) + +type apcupsd_lock_t; +files_lock_file(apcupsd_lock_t) + +type apcupsd_initrc_exec_t; +init_script_file(apcupsd_initrc_exec_t) + +type apcupsd_log_t; +logging_log_file(apcupsd_log_t) + +type apcupsd_tmp_t; +files_tmp_file(apcupsd_tmp_t) + +type apcupsd_var_run_t; +files_pid_file(apcupsd_var_run_t) + +######################################## +# +# apcupsd local policy +# + +allow apcupsd_t self:capability { dac_override setgid sys_tty_config }; +allow apcupsd_t self:process signal; +allow apcupsd_t self:fifo_file rw_file_perms; +allow apcupsd_t self:unix_stream_socket create_stream_socket_perms; +allow apcupsd_t self:tcp_socket create_stream_socket_perms; + +allow apcupsd_t apcupsd_lock_t:file manage_file_perms; +files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file) + +allow apcupsd_t apcupsd_log_t:dir setattr; +manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) +logging_log_filetrans(apcupsd_t, apcupsd_log_t, { file dir }) + +manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t) +files_tmp_filetrans(apcupsd_t, apcupsd_tmp_t, file) + +manage_files_pattern(apcupsd_t, apcupsd_var_run_t, apcupsd_var_run_t) +files_pid_filetrans(apcupsd_t, apcupsd_var_run_t, file) + +kernel_read_system_state(apcupsd_t) + +corecmd_exec_bin(apcupsd_t) +corecmd_exec_shell(apcupsd_t) + +corenet_all_recvfrom_unlabeled(apcupsd_t) +corenet_all_recvfrom_netlabel(apcupsd_t) +corenet_tcp_sendrecv_generic_if(apcupsd_t) +corenet_tcp_sendrecv_generic_node(apcupsd_t) +corenet_tcp_sendrecv_all_ports(apcupsd_t) +corenet_tcp_bind_generic_node(apcupsd_t) +corenet_tcp_bind_apcupsd_port(apcupsd_t) +corenet_sendrecv_apcupsd_server_packets(apcupsd_t) +corenet_tcp_connect_apcupsd_port(apcupsd_t) + +dev_rw_generic_usb_dev(apcupsd_t) + +# Init script handling 
+domain_use_interactive_fds(apcupsd_t) + +files_read_etc_files(apcupsd_t) +files_search_locks(apcupsd_t) +# Creates /etc/nologin +files_manage_etc_runtime_files(apcupsd_t) +files_etc_filetrans_etc_runtime(apcupsd_t, file) + +# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805 +term_use_unallocated_ttys(apcupsd_t) + +#apcupsd runs shutdown, probably need a shutdown domain +init_rw_utmp(apcupsd_t) +init_telinit(apcupsd_t) + +logging_send_syslog_msg(apcupsd_t) + +miscfiles_read_localization(apcupsd_t) + +sysnet_dns_name_resolve(apcupsd_t) + +userdom_use_user_ttys(apcupsd_t) + +optional_policy(` + hostname_exec(apcupsd_t) +') + +optional_policy(` + shutdown_domtrans(apcupsd_t) +') + +optional_policy(` + mta_send_mail(apcupsd_t) + mta_system_content(apcupsd_tmp_t) +') + +######################################## +# +# apcupsd_cgi Declarations +# + +optional_policy(` + apache_content_template(apcupsd_cgi) + + allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; + + corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t) + corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t) + corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t) + corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t) + corenet_tcp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t) + corenet_tcp_connect_apcupsd_port(httpd_apcupsd_cgi_script_t) + corenet_udp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t) + corenet_udp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t) + corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t) + + sysnet_dns_name_resolve(httpd_apcupsd_cgi_script_t) +') diff --git a/policy/modules/services/apm.fc b/policy/modules/services/apm.fc new file mode 100644 index 0000000..0123777 --- /dev/null +++ b/policy/modules/services/apm.fc 
@@ -0,0 +1,23 @@ + +# +# /usr +# +/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0) + +/usr/sbin/acpid -- gen_context(system_u:object_r:apmd_exec_t,s0) +/usr/sbin/apmd -- gen_context(system_u:object_r:apmd_exec_t,s0) +/usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0) + +# +# /var +# +/var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0) + +/var/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) +/var/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) +/var/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0) +/var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0) + +ifdef(`distro_suse',` +/var/lib/acpi(/.*)? gen_context(system_u:object_r:apmd_var_lib_t,s0) +') diff --git a/policy/modules/services/apm.if b/policy/modules/services/apm.if new file mode 100644 index 0000000..49e6c74 --- /dev/null +++ b/policy/modules/services/apm.if 
@@ -0,0 +1,112 @@ +## <summary>Advanced power management daemon</summary> + +######################################## +## <summary> +## Execute APM in the apm domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`apm_domtrans_client',` + gen_require(` + type apm_t, apm_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, apm_exec_t, apm_t) +') + +######################################## +## <summary> +## Use file descriptors for apmd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apm_use_fds',` + gen_require(` + type apmd_t; + ') + + allow $1 apmd_t:fd use; +') + +######################################## +## <summary> +## Write to apmd unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apm_write_pipes',` + gen_require(` + type apmd_t; + ') + + allow $1 apmd_t:fifo_file write_fifo_file_perms; +') + +######################################## +## <summary> +## Read and write to an apm unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apm_rw_stream_sockets',` + gen_require(` + type apmd_t; + ') + + allow $1 apmd_t:unix_stream_socket { read write }; +') + +######################################## +## <summary> +## Append to apm's log file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apm_append_log',` + gen_require(` + type apmd_log_t; + ') + + logging_search_logs($1) + allow $1 apmd_log_t:file append_file_perms; +') + +######################################## +## <summary> +## Connect to apmd over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`apm_stream_connect',` + gen_require(` + type apmd_t, apmd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t) +') diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te new file mode 100644 index 0000000..62bc936 --- /dev/null +++ b/policy/modules/services/apm.te 
@@ -0,0 +1,243 @@ +policy_module(apm, 1.11.0) + +######################################## +# +# Declarations +# + +type apmd_t; +type apmd_exec_t; +init_daemon_domain(apmd_t, apmd_exec_t) + +type apm_t; +type apm_exec_t; +application_domain(apm_t, apm_exec_t) +role system_r types apm_t; + +type apmd_log_t; +logging_log_file(apmd_log_t) + +type apmd_tmp_t; +files_tmp_file(apmd_tmp_t) + +type apmd_var_run_t; +files_pid_file(apmd_var_run_t) + +ifdef(`distro_redhat',` + type apmd_lock_t; + files_lock_file(apmd_lock_t) +') + +ifdef(`distro_suse',` + type apmd_var_lib_t; + files_type(apmd_var_lib_t) +') + +######################################## +# +# apm client Local policy +# + +allow apm_t self:capability { dac_override sys_admin }; + +kernel_read_system_state(apm_t) + +dev_rw_apm_bios(apm_t) + +fs_getattr_xattr_fs(apm_t) + +term_use_all_terms(apm_t) + +domain_use_interactive_fds(apm_t) + +logging_send_syslog_msg(apm_t) + +######################################## +# +# apm daemon Local policy +# + +# mknod: controlling an orderly resume of PCMCIA requires creating device +# nodes 254,{0,1,2} for some reason. 
+allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; +dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; +allow apmd_t self:process { signal_perms getsession }; +allow apmd_t self:fifo_file rw_fifo_file_perms; +allow apmd_t self:netlink_socket create_socket_perms; +allow apmd_t self:unix_dgram_socket create_socket_perms; +allow apmd_t self:unix_stream_socket create_stream_socket_perms; + +allow apmd_t apmd_log_t:file manage_file_perms; +logging_log_filetrans(apmd_t, apmd_log_t, file) + +manage_dirs_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t) +manage_files_pattern(apmd_t, apmd_tmp_t, apmd_tmp_t) +files_tmp_filetrans(apmd_t, apmd_tmp_t, { file dir }) + +manage_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t) +manage_sock_files_pattern(apmd_t, apmd_var_run_t, apmd_var_run_t) +files_pid_filetrans(apmd_t, apmd_var_run_t, { file sock_file }) + +kernel_read_kernel_sysctls(apmd_t) +kernel_rw_all_sysctls(apmd_t) +kernel_read_system_state(apmd_t) +kernel_write_proc_files(apmd_t) + +dev_read_input(apmd_t) +dev_read_realtime_clock(apmd_t) +dev_read_urand(apmd_t) +dev_rw_apm_bios(apmd_t) +dev_rw_sysfs(apmd_t) +dev_dontaudit_getattr_all_chr_files(apmd_t) # Excessive? +dev_dontaudit_getattr_all_blk_files(apmd_t) # Excessive? + +fs_dontaudit_list_tmpfs(apmd_t) +fs_getattr_all_fs(apmd_t) +fs_search_auto_mountpoints(apmd_t) +fs_dontaudit_getattr_all_files(apmd_t) # Excessive? +fs_dontaudit_getattr_all_symlinks(apmd_t) # Excessive? +fs_dontaudit_getattr_all_pipes(apmd_t) # Excessive? +fs_dontaudit_getattr_all_sockets(apmd_t) # Excessive? + +selinux_search_fs(apmd_t) + +corecmd_exec_all_executables(apmd_t) + +domain_read_all_domains_state(apmd_t) +domain_dontaudit_ptrace_all_domains(apmd_t) +domain_use_interactive_fds(apmd_t) +domain_dontaudit_getattr_all_sockets(apmd_t) +domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive? +domain_dontaudit_list_all_domains_state(apmd_t) # Excessive? 
+ +files_exec_etc_files(apmd_t) +files_read_etc_runtime_files(apmd_t) +files_dontaudit_getattr_all_files(apmd_t) # Excessive? +files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive? +files_dontaudit_getattr_all_pipes(apmd_t) # Excessive? +files_dontaudit_getattr_all_sockets(apmd_t) # Excessive? + +init_domtrans_script(apmd_t) +init_rw_utmp(apmd_t) +init_telinit(apmd_t) + +libs_exec_ld_so(apmd_t) +libs_exec_lib_files(apmd_t) + +logging_send_syslog_msg(apmd_t) +logging_send_audit_msgs(apmd_t) + +miscfiles_read_localization(apmd_t) +miscfiles_read_hwdata(apmd_t) + +modutils_domtrans_insmod(apmd_t) +modutils_read_module_config(apmd_t) + +seutil_dontaudit_read_config(apmd_t) + +userdom_dontaudit_use_unpriv_user_fds(apmd_t) +userdom_dontaudit_search_user_home_dirs(apmd_t) +userdom_dontaudit_search_user_home_content(apmd_t) # Excessive? + +ifdef(`distro_redhat',` + allow apmd_t apmd_lock_t:file manage_file_perms; + files_lock_filetrans(apmd_t, apmd_lock_t, file) + + can_exec(apmd_t, apmd_var_run_t) + + optional_policy(` + fstools_domtrans(apmd_t) + ') + + optional_policy(` + iptables_domtrans(apmd_t) + ') + + optional_policy(` + netutils_domtrans(apmd_t) + ') + + # ifconfig_exec_t needs to be run in its own domain for Red Hat + optional_policy(` + sssd_search_lib(apmd_t) + ') + + optional_policy(` + sysnet_domtrans_ifconfig(apmd_t) + ') + +',` + # for ifconfig which is run all the time + kernel_dontaudit_search_sysctl(apmd_t) +') + +ifdef(`distro_suse',` + manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t) + manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t) + files_var_lib_filetrans(apmd_t, apmd_var_lib_t, file) +') + +optional_policy(` + automount_domtrans(apmd_t) +') + +optional_policy(` + clock_domtrans(apmd_t) + clock_rw_adjtime(apmd_t) +') + +optional_policy(` + cron_system_entry(apmd_t, apmd_exec_t) + cron_anacron_domtrans_system_job(apmd_t) +') + +optional_policy(` + dbus_system_bus_client(apmd_t) + + optional_policy(` + 
consolekit_dbus_chat(apmd_t) + ') + + optional_policy(` + networkmanager_dbus_chat(apmd_t) + ') +') + +optional_policy(` + logrotate_use_fds(apmd_t) +') + +optional_policy(` + mta_send_mail(apmd_t) +') + +optional_policy(` + nscd_socket_use(apmd_t) +') + +optional_policy(` + pcmcia_domtrans_cardmgr(apmd_t) + pcmcia_domtrans_cardctl(apmd_t) +') + +optional_policy(` + seutil_sigchld_newrole(apmd_t) +') + +optional_policy(` + udev_read_db(apmd_t) + udev_read_state(apmd_t) #necessary? +') + +optional_policy(` + unconfined_domain(apmd_t) +') + +optional_policy(` + vbetool_domtrans(apmd_t) +') + +# cjp: related to sleep/resume (?) +optional_policy(` + xserver_domtrans(apmd_t) +') diff --git a/policy/modules/services/arpwatch.fc b/policy/modules/services/arpwatch.fc new file mode 100644 index 0000000..a86a6c7 --- /dev/null +++ b/policy/modules/services/arpwatch.fc @@ -0,0 +1,12 @@ +/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0) + +# +# /usr +# +/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0) + +# +# /var +# +/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) +/var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if new file mode 100644 index 0000000..bdefbe1 --- /dev/null +++ b/policy/modules/services/arpwatch.if 
@@ -0,0 +1,156 @@ +## <summary>Ethernet activity monitor.</summary> + +######################################## +## <summary> +## Execute arpwatch server in the arpwatch domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`arpwatch_initrc_domtrans',` + gen_require(` + type arpwatch_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, arpwatch_initrc_exec_t) +') + +######################################## +## <summary> +## Search arpwatch's data file directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`arpwatch_search_data',` + gen_require(` + type arpwatch_data_t; + ') + + files_search_var_lib($1) + allow $1 arpwatch_data_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Create arpwatch data files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`arpwatch_manage_data_files',` + gen_require(` + type arpwatch_data_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t) +') + +######################################## +## <summary> +## Read and write arpwatch temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`arpwatch_rw_tmp_files',` + gen_require(` + type arpwatch_tmp_t; + ') + + files_search_tmp($1) + allow $1 arpwatch_tmp_t:file rw_file_perms; +') + +######################################## +## <summary> +## Read and write arpwatch temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`arpwatch_manage_tmp_files',` + gen_require(` + type arpwatch_tmp_t; + ') + + files_search_tmp($1) + allow $1 arpwatch_tmp_t:file manage_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read and write +## arpwatch packet sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`arpwatch_dontaudit_rw_packet_sockets',` + gen_require(` + type arpwatch_t; + ') + + dontaudit $1 arpwatch_t:packet_socket { read write }; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an arpwatch environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the arpwatch domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`arpwatch_admin',` + gen_require(` + type arpwatch_t, arpwatch_tmp_t; + type arpwatch_data_t, arpwatch_var_run_t; + type arpwatch_initrc_exec_t; + ') + + allow $1 arpwatch_t:process { ptrace signal_perms }; + ps_process_pattern($1, arpwatch_t) + + arpwatch_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 arpwatch_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, arpwatch_tmp_t) + + files_list_var($1) + admin_pattern($1, arpwatch_data_t) + + files_list_pids($1) + admin_pattern($1, arpwatch_var_run_t) +') diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te new file mode 100644 index 0000000..3be8b9b --- /dev/null +++ b/policy/modules/services/arpwatch.te 
@@ -0,0 +1,98 @@ +policy_module(arpwatch, 1.9.1) + +######################################## +# +# Declarations +# + +type arpwatch_t; +type arpwatch_exec_t; +init_daemon_domain(arpwatch_t, arpwatch_exec_t) + +type arpwatch_data_t; +files_type(arpwatch_data_t) + +type arpwatch_initrc_exec_t; +init_script_file(arpwatch_initrc_exec_t) + +type arpwatch_tmp_t; +files_tmp_file(arpwatch_tmp_t) + +type arpwatch_var_run_t; +files_pid_file(arpwatch_var_run_t) + +######################################## +# +# Local policy +# +allow arpwatch_t self:capability { net_admin net_raw setgid setuid }; +dontaudit arpwatch_t self:capability sys_tty_config; +allow arpwatch_t self:process signal_perms; +allow arpwatch_t self:unix_dgram_socket create_socket_perms; +allow arpwatch_t self:unix_stream_socket create_stream_socket_perms; +allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms }; +allow arpwatch_t self:udp_socket create_socket_perms; +allow arpwatch_t self:packet_socket create_socket_perms; +allow arpwatch_t self:socket create_socket_perms; + +manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) +manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) +manage_lnk_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) + +manage_dirs_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t) +manage_files_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t) +files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir }) + +manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t) +files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file) + +kernel_read_network_state(arpwatch_t) +kernel_read_kernel_sysctls(arpwatch_t) +kernel_list_proc(arpwatch_t) +kernel_read_proc_symlinks(arpwatch_t) +kernel_request_load_module(arpwatch_t) + +corenet_all_recvfrom_unlabeled(arpwatch_t) +corenet_all_recvfrom_netlabel(arpwatch_t) +corenet_tcp_sendrecv_generic_if(arpwatch_t) +corenet_udp_sendrecv_generic_if(arpwatch_t) 
+corenet_raw_sendrecv_generic_if(arpwatch_t) +corenet_tcp_sendrecv_generic_node(arpwatch_t) +corenet_udp_sendrecv_generic_node(arpwatch_t) +corenet_raw_sendrecv_generic_node(arpwatch_t) +corenet_tcp_sendrecv_all_ports(arpwatch_t) +corenet_udp_sendrecv_all_ports(arpwatch_t) + +dev_read_sysfs(arpwatch_t) +dev_read_usbmon_dev(arpwatch_t) +dev_rw_generic_usb_dev(arpwatch_t) + +fs_getattr_all_fs(arpwatch_t) +fs_search_auto_mountpoints(arpwatch_t) + +corecmd_read_bin_symlinks(arpwatch_t) + +domain_use_interactive_fds(arpwatch_t) + +files_read_etc_files(arpwatch_t) +files_read_usr_files(arpwatch_t) +files_search_var_lib(arpwatch_t) + +auth_use_nsswitch(arpwatch_t) + +logging_send_syslog_msg(arpwatch_t) + +miscfiles_read_localization(arpwatch_t) + +userdom_dontaudit_search_user_home_dirs(arpwatch_t) +userdom_dontaudit_use_unpriv_user_fds(arpwatch_t) + +mta_send_mail(arpwatch_t) + +optional_policy(` + seutil_sigchld_newrole(arpwatch_t) +') + +optional_policy(` + udev_read_db(arpwatch_t) +') diff --git a/policy/modules/services/asterisk.fc b/policy/modules/services/asterisk.fc new file mode 100644 index 0000000..b4889d4 --- /dev/null +++ b/policy/modules/services/asterisk.fc @@ -0,0 +1,9 @@ +/etc/asterisk(/.*)? gen_context(system_u:object_r:asterisk_etc_t,s0) +/etc/rc\.d/init\.d/asterisk -- gen_context(system_u:object_r:asterisk_initrc_exec_t,s0) + +/usr/sbin/asterisk -- gen_context(system_u:object_r:asterisk_exec_t,s0) + +/var/lib/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_lib_t,s0) +/var/log/asterisk(/.*)? gen_context(system_u:object_r:asterisk_log_t,s0) +/var/run/asterisk(/.*)? gen_context(system_u:object_r:asterisk_var_run_t,s0) +/var/spool/asterisk(/.*)? gen_context(system_u:object_r:asterisk_spool_t,s0) diff --git a/policy/modules/services/asterisk.if b/policy/modules/services/asterisk.if new file mode 100644 index 0000000..c1a2b96 --- /dev/null +++ b/policy/modules/services/asterisk.if 
@@ -0,0 +1,92 @@ +## <summary>Asterisk IP telephony server</summary> + +###################################### +## <summary> +## Execute asterisk in the asterisk domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`asterisk_domtrans',` + gen_require(` + type asterisk_t, asterisk_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, asterisk_exec_t, asterisk_t) +') + +##################################### +## <summary> +## Connect to asterisk over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`asterisk_stream_connect',` + gen_require(` + type asterisk_t, asterisk_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an asterisk environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the asterisk domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`asterisk_admin',` + gen_require(` + type asterisk_t, asterisk_var_run_t, asterisk_spool_t; + type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t; + type asterisk_var_lib_t; + type asterisk_initrc_exec_t; + ') + + allow $1 asterisk_t:process { ptrace signal_perms }; + ps_process_pattern($1, asterisk_t) + + init_labeled_script_domtrans($1, asterisk_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 asterisk_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, asterisk_tmp_t) + + files_list_etc($1) + admin_pattern($1, asterisk_etc_t) + + logging_list_logs($1) + admin_pattern($1, asterisk_log_t) + + files_list_spool($1) + admin_pattern($1, asterisk_spool_t) + + files_list_var_lib($1) + admin_pattern($1, asterisk_var_lib_t) + + files_list_pids($1) + admin_pattern($1, asterisk_var_run_t) +') diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te new file mode 100644 index 0000000..608e3a1 --- /dev/null +++ b/policy/modules/services/asterisk.te 
@@ -0,0 +1,170 @@ +policy_module(asterisk, 1.8.0) + +######################################## +# +# Declarations +# + +type asterisk_t; +type asterisk_exec_t; +init_daemon_domain(asterisk_t, asterisk_exec_t) + +type asterisk_etc_t; +files_config_file(asterisk_etc_t) + +type asterisk_initrc_exec_t; +init_script_file(asterisk_initrc_exec_t) + +type asterisk_log_t; +logging_log_file(asterisk_log_t) + +type asterisk_spool_t; +files_type(asterisk_spool_t) + +type asterisk_tmp_t; +files_tmp_file(asterisk_tmp_t) + +type asterisk_tmpfs_t; +files_tmpfs_file(asterisk_tmpfs_t) + +type asterisk_var_lib_t; +files_type(asterisk_var_lib_t) + +type asterisk_var_run_t; +files_pid_file(asterisk_var_run_t) + +######################################## +# +# Local policy +# + +# dac_override for /var/run/asterisk +allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin }; +dontaudit asterisk_t self:capability sys_tty_config; +allow asterisk_t self:process { getsched setsched signal_perms getcap setcap }; +allow asterisk_t self:fifo_file rw_fifo_file_perms; +allow asterisk_t self:sem create_sem_perms; +allow asterisk_t self:shm create_shm_perms; +allow asterisk_t self:unix_stream_socket connectto; +allow asterisk_t self:tcp_socket create_stream_socket_perms; +allow asterisk_t self:udp_socket create_socket_perms; + +allow asterisk_t asterisk_etc_t:dir list_dir_perms; +read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t) +read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t) +files_search_etc(asterisk_t) + +can_exec(asterisk_t, asterisk_exec_t) + +manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) +logging_log_filetrans(asterisk_t, asterisk_log_t, { file dir }) + +manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) +manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) +manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) + +manage_dirs_pattern(asterisk_t, asterisk_tmp_t, 
asterisk_tmp_t) +manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t) +files_tmp_filetrans(asterisk_t, asterisk_tmp_t, { file dir }) + +manage_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t) +manage_lnk_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t) +manage_fifo_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t) +manage_sock_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t) +fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t) +files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file) + +manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) +manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) +manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) +files_pid_filetrans(asterisk_t, asterisk_var_run_t, file) + +kernel_read_system_state(asterisk_t) +kernel_read_kernel_sysctls(asterisk_t) +kernel_request_load_module(asterisk_t) + +corecmd_exec_bin(asterisk_t) +corecmd_exec_shell(asterisk_t) + +corenet_all_recvfrom_unlabeled(asterisk_t) +corenet_all_recvfrom_netlabel(asterisk_t) +corenet_tcp_sendrecv_generic_if(asterisk_t) +corenet_udp_sendrecv_generic_if(asterisk_t) +corenet_tcp_sendrecv_generic_node(asterisk_t) +corenet_udp_sendrecv_generic_node(asterisk_t) +corenet_tcp_sendrecv_all_ports(asterisk_t) +corenet_udp_sendrecv_all_ports(asterisk_t) +corenet_tcp_bind_generic_node(asterisk_t) +corenet_udp_bind_generic_node(asterisk_t) +corenet_tcp_bind_asterisk_port(asterisk_t) +corenet_tcp_bind_sip_port(asterisk_t) +corenet_udp_bind_asterisk_port(asterisk_t) +corenet_udp_bind_sip_port(asterisk_t) +corenet_sendrecv_asterisk_server_packets(asterisk_t) +# for VOIP voice channels. 
+corenet_tcp_bind_generic_port(asterisk_t) +corenet_udp_bind_generic_port(asterisk_t) +corenet_dontaudit_udp_bind_all_ports(asterisk_t) +corenet_sendrecv_generic_server_packets(asterisk_t) +corenet_tcp_connect_postgresql_port(asterisk_t) +corenet_tcp_connect_snmp_port(asterisk_t) +corenet_tcp_connect_sip_port(asterisk_t) + +dev_rw_generic_usb_dev(asterisk_t) +dev_read_sysfs(asterisk_t) +dev_read_sound(asterisk_t) +dev_write_sound(asterisk_t) +dev_read_urand(asterisk_t) + +domain_use_interactive_fds(asterisk_t) + +files_read_etc_files(asterisk_t) +files_search_spool(asterisk_t) +# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm +# are labeled usr_t +files_read_usr_files(asterisk_t) + +fs_getattr_all_fs(asterisk_t) +fs_list_inotifyfs(asterisk_t) +fs_read_anon_inodefs_files(asterisk_t) +fs_search_auto_mountpoints(asterisk_t) + +auth_use_nsswitch(asterisk_t) + +logging_send_syslog_msg(asterisk_t) + +miscfiles_read_localization(asterisk_t) + +userdom_dontaudit_use_unpriv_user_fds(asterisk_t) +userdom_dontaudit_search_user_home_dirs(asterisk_t) + +optional_policy(` + mysql_stream_connect(asterisk_t) +') + +optional_policy(` + mta_send_mail(asterisk_t) +') + +optional_policy(` + postfix_domtrans_postdrop(asterisk_t) +') + +optional_policy(` + postgresql_stream_connect(asterisk_t) +') + +optional_policy(` + seutil_sigchld_newrole(asterisk_t) +') + +optional_policy(` + snmp_read_snmp_var_lib_files(asterisk_t) + snmp_stream_connect(asterisk_t) +') + +optional_policy(` + udev_read_db(asterisk_t) +') diff --git a/policy/modules/services/audioentropy.fc b/policy/modules/services/audioentropy.fc new file mode 100644 index 0000000..001235e --- /dev/null +++ b/policy/modules/services/audioentropy.fc @@ -0,0 +1,6 @@ +# +# /usr +# +/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0) + +/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0) 
diff --git a/policy/modules/services/audioentropy.if b/policy/modules/services/audioentropy.if new file mode 100644 index 0000000..67906f0 --- /dev/null +++ b/policy/modules/services/audioentropy.if @@ -0,0 +1 @@ +## <summary>Generate entropy from audio input</summary> diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te new file mode 100644 index 0000000..2b348c7 --- /dev/null +++ b/policy/modules/services/audioentropy.te 
@@ -0,0 +1,68 @@ +policy_module(audioentropy, 1.6.0) + +######################################## +# +# Declarations +# + +type entropyd_t; +type entropyd_exec_t; +init_daemon_domain(entropyd_t, entropyd_exec_t) + +type entropyd_var_run_t; +files_pid_file(entropyd_var_run_t) + +######################################## +# +# Local policy +# + +allow entropyd_t self:capability { dac_override ipc_lock sys_admin }; +dontaudit entropyd_t self:capability sys_tty_config; +allow entropyd_t self:process signal_perms; + +manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t) +files_pid_filetrans(entropyd_t, entropyd_var_run_t, file) + +kernel_read_kernel_sysctls(entropyd_t) +kernel_list_proc(entropyd_t) +kernel_read_proc_symlinks(entropyd_t) + +dev_read_sysfs(entropyd_t) +dev_read_urand(entropyd_t) +dev_write_urand(entropyd_t) +dev_read_rand(entropyd_t) +dev_write_rand(entropyd_t) +dev_read_sound(entropyd_t) +# set sound card parameters such as +# sample format, number of channels +# and sample rate. +dev_write_sound(entropyd_t) + +files_read_etc_files(entropyd_t) +files_read_usr_files(entropyd_t) + +fs_getattr_all_fs(entropyd_t) +fs_search_auto_mountpoints(entropyd_t) + +domain_use_interactive_fds(entropyd_t) + +logging_send_syslog_msg(entropyd_t) + +miscfiles_read_localization(entropyd_t) + +userdom_dontaudit_use_unpriv_user_fds(entropyd_t) +userdom_dontaudit_search_user_home_dirs(entropyd_t) + +optional_policy(` + alsa_read_lib(entropyd_t) + alsa_read_rw_config(entropyd_t) +') + +optional_policy(` + seutil_sigchld_newrole(entropyd_t) +') + +optional_policy(` + udev_read_db(entropyd_t) +') diff --git a/policy/modules/services/automount.fc b/policy/modules/services/automount.fc new file mode 100644 index 0000000..f16ab68 --- /dev/null +++ b/policy/modules/services/automount.fc 
@@ -0,0 +1,16 @@ +# +# /etc +# +/etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0) +/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0) + +# +# /usr +# +/usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0) + +# +# /var +# + +/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0) diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if new file mode 100644 index 0000000..a43e006 --- /dev/null +++ b/policy/modules/services/automount.if 
@@ -0,0 +1,168 @@ +## <summary>Filesystem automounter service.</summary> + +######################################## +## <summary> +## Execute automount in the automount domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`automount_domtrans',` + gen_require(` + type automount_t, automount_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, automount_exec_t, automount_t) +') + +######################################## +## <summary> +## Send automount a signal +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`automount_signal',` + gen_require(` + type automount_t; + ') + + allow $1 automount_t:process signal; +') + +######################################## +## <summary> +## Execute automount in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`automount_exec_config',` + refpolicywarn(`$0(): has been deprecated, please use files_exec_etc_files() instead.') + files_exec_etc_files($1) +') + +######################################## +## <summary> +## Allow the domain to read state files in /proc. +## </summary> +## <param name="domain"> +## <summary> +## Domain to allow access. +## </summary> +## </param> +# +interface(`automount_read_state',` + gen_require(` + type automount_t; + ') + + kernel_search_proc($1) + ps_process_pattern($1, automount_t) +') + +######################################## +## <summary> +## Do not audit attempts to file descriptors for automount. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`automount_dontaudit_use_fds',` + gen_require(` + type automount_t; + ') + + dontaudit $1 automount_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to write automount daemon unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`automount_dontaudit_write_pipes',` + gen_require(` + type automount_t; + ') + + dontaudit $1 automount_t:fifo_file write; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of automount temporary directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`automount_dontaudit_getattr_tmp_dirs',` + gen_require(` + type automount_tmp_t; + ') + + dontaudit $1 automount_tmp_t:dir getattr_dir_perms; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an automount environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the automount domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`automount_admin',` + gen_require(` + type automount_t, automount_lock_t, automount_tmp_t; + type automount_var_run_t, automount_initrc_exec_t; + ') + + allow $1 automount_t:process { ptrace signal_perms }; + ps_process_pattern($1, automount_t) + + init_labeled_script_domtrans($1, automount_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 automount_initrc_exec_t system_r; + allow $2 system_r; + + files_list_var($1) + admin_pattern($1, automount_lock_t) + + files_list_tmp($1) + admin_pattern($1, automount_tmp_t) + + files_list_pids($1) + admin_pattern($1, automount_var_run_t) +') 
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te new file mode 100644 index 0000000..6189565 --- /dev/null +++ b/policy/modules/services/automount.te 
@@ -0,0 +1,183 @@ +policy_module(automount, 1.13.0) + +######################################## +# +# Declarations +# + +type automount_t; +type automount_exec_t; +init_daemon_domain(automount_t, automount_exec_t) + +type automount_initrc_exec_t; +init_script_file(automount_initrc_exec_t) + +type automount_var_run_t; +files_pid_file(automount_var_run_t) + +type automount_lock_t; +files_lock_file(automount_lock_t) + +type automount_tmp_t; +files_tmp_file(automount_tmp_t) +files_mountpoint(automount_tmp_t) + +######################################## +# +# Local policy +# + +allow automount_t self:capability { net_bind_service setgid setuid sys_nice sys_resource dac_override sys_admin }; +dontaudit automount_t self:capability sys_tty_config; +allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit }; +allow automount_t self:fifo_file rw_fifo_file_perms; +allow automount_t self:unix_stream_socket create_socket_perms; +allow automount_t self:unix_dgram_socket create_socket_perms; +allow automount_t self:tcp_socket create_stream_socket_perms; +allow automount_t self:udp_socket create_socket_perms; +allow automount_t self:rawip_socket create_socket_perms; + +can_exec(automount_t, automount_exec_t) + +allow automount_t automount_lock_t:file manage_file_perms; +files_lock_filetrans(automount_t, automount_lock_t, file) + +manage_dirs_pattern(automount_t, automount_tmp_t, automount_tmp_t) +manage_files_pattern(automount_t, automount_tmp_t, automount_tmp_t) +files_tmp_filetrans(automount_t, automount_tmp_t, { file dir }) + +# Allow automount to create and delete directories in / and /home +allow automount_t automount_tmp_t:dir manage_dir_perms; +files_home_filetrans(automount_t, automount_tmp_t, dir) +files_root_filetrans(automount_t, automount_tmp_t, dir) + +manage_files_pattern(automount_t, automount_var_run_t, automount_var_run_t) +manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t) +files_pid_filetrans(automount_t, 
automount_var_run_t, { file fifo_file }) + +kernel_read_kernel_sysctls(automount_t) +kernel_read_irq_sysctls(automount_t) +kernel_read_fs_sysctls(automount_t) +kernel_read_proc_symlinks(automount_t) +kernel_read_system_state(automount_t) +kernel_read_network_state(automount_t) +kernel_list_proc(automount_t) +kernel_dontaudit_search_xen_state(automount_t) + +files_search_boot(automount_t) +# Automount is slowly adding all mount functionality internally +files_search_all(automount_t) +files_mounton_all_mountpoints(automount_t) +files_mount_all_file_type_fs(automount_t) +files_unmount_all_file_type_fs(automount_t) +files_manage_non_security_dirs(automount_t) + +fs_mount_all_fs(automount_t) +fs_unmount_all_fs(automount_t) +fs_search_all(automount_t) + +corecmd_exec_bin(automount_t) +corecmd_exec_shell(automount_t) + +corenet_all_recvfrom_unlabeled(automount_t) +corenet_all_recvfrom_netlabel(automount_t) +corenet_tcp_sendrecv_generic_if(automount_t) +corenet_udp_sendrecv_generic_if(automount_t) +corenet_tcp_sendrecv_generic_node(automount_t) +corenet_udp_sendrecv_generic_node(automount_t) +corenet_tcp_sendrecv_all_ports(automount_t) +corenet_udp_sendrecv_all_ports(automount_t) +corenet_tcp_bind_generic_node(automount_t) +corenet_udp_bind_generic_node(automount_t) +corenet_tcp_connect_portmap_port(automount_t) +corenet_tcp_connect_all_ports(automount_t) +corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t) +corenet_sendrecv_all_client_packets(automount_t) +# Automount execs showmount when you browse /net. 
This is required until +# Someone writes a showmount policy +corenet_tcp_bind_reserved_port(automount_t) +corenet_tcp_bind_all_rpc_ports(automount_t) +corenet_udp_bind_reserved_port(automount_t) +corenet_udp_bind_all_rpc_ports(automount_t) + +dev_read_sysfs(automount_t) +dev_rw_autofs(automount_t) +# for SSP +dev_read_rand(automount_t) +dev_read_urand(automount_t) + +domain_use_interactive_fds(automount_t) +domain_dontaudit_read_all_domains_state(automount_t) + +files_dontaudit_write_var_dirs(automount_t) +files_getattr_all_dirs(automount_t) +files_list_mnt(automount_t) +files_getattr_home_dir(automount_t) +files_read_etc_files(automount_t) +files_read_etc_runtime_files(automount_t) +# for if the mount point is not labelled +files_getattr_isid_type_dirs(automount_t) +files_getattr_default_dirs(automount_t) +# because config files can be shell scripts +files_exec_etc_files(automount_t) +files_mounton_mnt(automount_t) + +fs_getattr_all_fs(automount_t) +fs_getattr_all_dirs(automount_t) +fs_search_auto_mountpoints(automount_t) +fs_manage_auto_mountpoints(automount_t) +fs_unmount_autofs(automount_t) +fs_mount_autofs(automount_t) +fs_manage_autofs_symlinks(automount_t) +fs_read_nfs_files(automount_t) + +storage_rw_fuse(automount_t) + +term_dontaudit_getattr_pty_dirs(automount_t) + +auth_use_nsswitch(automount_t) + +logging_send_syslog_msg(automount_t) +logging_search_logs(automount_t) + +miscfiles_read_localization(automount_t) +miscfiles_read_generic_certs(automount_t) + +# Run mount in the mount_t domain. 
+mount_domtrans(automount_t) +mount_domtrans_showmount(automount_t) +mount_signal(automount_t) + +userdom_dontaudit_use_unpriv_user_fds(automount_t) +userdom_dontaudit_search_user_home_dirs(automount_t) + +optional_policy(` + bind_search_cache(automount_t) +') + +optional_policy(` + fstools_domtrans(automount_t) +') + +optional_policy(` + kerberos_keytab_template(automount, automount_t) + kerberos_read_config(automount_t) + kerberos_dontaudit_write_config(automount_t) +') + +optional_policy(` + rpc_search_nfs_state_data(automount_t) +') + +optional_policy(` + samba_read_config(automount_t) + samba_manage_var_files(automount_t) +') + +optional_policy(` + seutil_sigchld_newrole(automount_t) +') + +optional_policy(` + udev_read_db(automount_t) +') diff --git a/policy/modules/services/avahi.fc b/policy/modules/services/avahi.fc new file mode 100644 index 0000000..7e36549 --- /dev/null +++ b/policy/modules/services/avahi.fc @@ -0,0 +1,9 @@ +/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0) + +/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0) +/usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0) +/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0) + +/var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0) + +/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0) diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if new file mode 100644 index 0000000..11e1ba9 --- /dev/null +++ b/policy/modules/services/avahi.if 
@@ -0,0 +1,167 @@ +## <summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture</summary> + +######################################## +## <summary> +## Execute avahi server in the avahi domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`avahi_domtrans',` + gen_require(` + type avahi_exec_t, avahi_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, avahi_exec_t, avahi_t) +') + +######################################## +## <summary> +## Send avahi a signal +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`avahi_signal',` + gen_require(` + type avahi_t; + ') + + allow $1 avahi_t:process signal; +') + +######################################## +## <summary> +## Send avahi a kill signal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`avahi_kill',` + gen_require(` + type avahi_t; + ') + + allow $1 avahi_t:process sigkill; +') + +######################################## +## <summary> +## Send avahi a signull +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`avahi_signull',` + gen_require(` + type avahi_t; + ') + + allow $1 avahi_t:process signull; +') + +######################################## +## <summary> +## Send and receive messages from +## avahi over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`avahi_dbus_chat',` + gen_require(` + type avahi_t; + class dbus send_msg; + ') + + allow avahi_t $1:file read; + allow $1 avahi_t:dbus send_msg; + allow avahi_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Connect to avahi using a unix domain stream socket. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`avahi_stream_connect',` + gen_require(` + type avahi_t, avahi_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, avahi_var_run_t, avahi_var_run_t, avahi_t) +') + +######################################## +## <summary> +## Do not audit attempts to search the avahi pid directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`avahi_dontaudit_search_pid',` + gen_require(` + type avahi_var_run_t; + ') + + dontaudit $1 avahi_var_run_t:dir search_dir_perms; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an avahi environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the avahi domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`avahi_admin',` + gen_require(` + type avahi_t, avahi_var_run_t, avahi_initrc_exec_t; + ') + + allow $1 avahi_t:process { ptrace signal_perms }; + ps_process_pattern($1, avahi_t) + + init_labeled_script_domtrans($1, avahi_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 avahi_initrc_exec_t system_r; + allow $2 system_r; + + files_list_pids($1) + admin_pattern($1, avahi_var_run_t) +') diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te new file mode 100644 index 0000000..52dcf09 --- /dev/null +++ b/policy/modules/services/avahi.te 
@@ -0,0 +1,112 @@ +policy_module(avahi, 1.12.0) + +######################################## +# +# Declarations +# + +type avahi_t; +type avahi_exec_t; +init_daemon_domain(avahi_t, avahi_exec_t) + +type avahi_initrc_exec_t; +init_script_file(avahi_initrc_exec_t) + +type avahi_var_lib_t; +files_pid_file(avahi_var_lib_t) + +type avahi_var_run_t; +files_pid_file(avahi_var_run_t) + +######################################## +# +# Local policy +# + +allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot }; +dontaudit avahi_t self:capability sys_tty_config; +allow avahi_t self:process { setrlimit signal_perms getcap setcap }; +allow avahi_t self:fifo_file rw_fifo_file_perms; +allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow avahi_t self:unix_dgram_socket create_socket_perms; +allow avahi_t self:tcp_socket create_stream_socket_perms; +allow avahi_t self:udp_socket create_socket_perms; +allow avahi_t self:packet_socket create_socket_perms; + +manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) +manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t) +files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file }) + +manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) +manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) +manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t) +allow avahi_t avahi_var_run_t:dir setattr_dir_perms; +files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file }) + +kernel_read_system_state(avahi_t) +kernel_read_kernel_sysctls(avahi_t) +kernel_read_network_state(avahi_t) + +corecmd_exec_bin(avahi_t) +corecmd_exec_shell(avahi_t) + +corenet_all_recvfrom_unlabeled(avahi_t) +corenet_all_recvfrom_netlabel(avahi_t) +corenet_tcp_sendrecv_generic_if(avahi_t) +corenet_udp_sendrecv_generic_if(avahi_t) +corenet_tcp_sendrecv_generic_node(avahi_t) +corenet_udp_sendrecv_generic_node(avahi_t) 
+corenet_tcp_sendrecv_all_ports(avahi_t) +corenet_udp_sendrecv_all_ports(avahi_t) +corenet_tcp_bind_generic_node(avahi_t) +corenet_udp_bind_generic_node(avahi_t) +corenet_tcp_bind_howl_port(avahi_t) +corenet_udp_bind_howl_port(avahi_t) +corenet_send_howl_client_packets(avahi_t) +corenet_receive_howl_server_packets(avahi_t) + +dev_read_sysfs(avahi_t) +dev_read_urand(avahi_t) + +fs_getattr_all_fs(avahi_t) +fs_search_auto_mountpoints(avahi_t) +fs_list_inotifyfs(avahi_t) + +domain_use_interactive_fds(avahi_t) + +files_read_etc_files(avahi_t) +files_read_etc_runtime_files(avahi_t) +files_read_usr_files(avahi_t) + +auth_use_nsswitch(avahi_t) + +init_signal_script(avahi_t) +init_signull_script(avahi_t) + +logging_send_syslog_msg(avahi_t) + +miscfiles_read_localization(avahi_t) +miscfiles_read_generic_certs(avahi_t) + +sysnet_domtrans_ifconfig(avahi_t) +sysnet_manage_config(avahi_t) +sysnet_etc_filetrans_config(avahi_t) + +userdom_dontaudit_use_unpriv_user_fds(avahi_t) +userdom_dontaudit_search_user_home_dirs(avahi_t) + +optional_policy(` + dbus_system_domain(avahi_t, avahi_exec_t) + dbus_system_bus_client(avahi_t) + dbus_connect_system_bus(avahi_t) + + init_dbus_chat_script(avahi_t) +') + +optional_policy(` + seutil_sigchld_newrole(avahi_t) +') + +optional_policy(` + udev_read_db(avahi_t) +') diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc new file mode 100644 index 0000000..59aa54f --- /dev/null +++ b/policy/modules/services/bind.fc 
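Review bot: avahi_var_lib_t is declared with `files_pid_file(avahi_var_lib_t)` in the Declarations block, which makes a /var/lib type a member of the pid-file attribute and lets every interface that targets pid files reach it; it should be `files_type(avahi_var_lib_t)` like the other var_lib types in this patch. Separately, the self:capability set (dac_override, kill, net_admin, net_raw, sys_chroot) together with corenet_tcp_sendrecv_all_ports and corenet_udp_sendrecv_all_ports is a wide grant for an mDNS responder; a comment explaining which capabilities the daemon actually exercises (chroot and privilege drop are obvious, net_admin is not) would help future reviewers decide what can be tightened.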
@@ -0,0 +1,63 @@ +/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) + +/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0) +/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) +/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0) + +/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) +/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) +/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) +/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) +/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) + +/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) + +/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) +/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) +/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) +/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) + +ifdef(`distro_debian',` +/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) +/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) +/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0) +/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0) +/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) +/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +') + +ifdef(`distro_gentoo',` +/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) +/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) +/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) +/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/bind/pri(/.*)? 
gen_context(system_u:object_r:named_zone_t,s0) +') + +ifdef(`distro_redhat',` +/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0) +/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) +/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) +/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) +/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) +/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) +/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0) +/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) +/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0) +/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0) +/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0) +/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0) +/var/named/chroot/proc(/.*)? <<none>> +/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) +/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) +/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) +/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) +/var/named/dynamic(/.*)? 
gen_context(system_u:object_r:named_cache_t,s0) +') diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if new file mode 100644 index 0000000..7e9d2fb --- /dev/null +++ b/policy/modules/services/bind.if 
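Review bot: regex escaping is inconsistent in this file context hunk: `/etc/rndc.*` and `named\.rfc1912.zones` (both the plain and the chroot entry) leave a `.` unescaped while every neighbouring entry escapes it, so these patterns match more paths than intended. Use `/etc/rndc\..*` and `named\.rfc1912\.zones` for consistency with the rest of the file.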
@@ -0,0 +1,418 @@ +## <summary>Berkeley internet name domain DNS server.</summary> + +######################################## +## <summary> +## Execute bind server in the bind domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`bind_initrc_domtrans',` + gen_require(` + type named_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, named_initrc_exec_t) +') + +######################################## +## <summary> +## Execute ndc in the ndc domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`bind_domtrans_ndc',` + gen_require(` + type ndc_t, ndc_exec_t; + ') + + domtrans_pattern($1, ndc_exec_t, ndc_t) +') + +######################################## +## <summary> +## Send generic signals to BIND. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_signal',` + gen_require(` + type named_t; + ') + + allow $1 named_t:process signal; +') + +######################################## +## <summary> +## Send null sigals to BIND. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_signull',` + gen_require(` + type named_t; + ') + + allow $1 named_t:process signull; +') + +######################################## +## <summary> +## Send BIND the kill signal +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_kill',` + gen_require(` + type named_t; + ') + + allow $1 named_t:process sigkill; +') + +######################################## +## <summary> +## Execute ndc in the ndc domain, and +## allow the specified role the ndc domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`bind_run_ndc',` + gen_require(` + type ndc_t; + ') + + bind_domtrans_ndc($1) + role $2 types ndc_t; +') + +######################################## +## <summary> +## Execute bind in the named domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`bind_domtrans',` + gen_require(` + type named_t, named_exec_t; + ') + + domtrans_pattern($1, named_exec_t, named_t) +') + +######################################## +## <summary> +## Read DNSSEC keys. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_read_dnssec_keys',` + gen_require(` + type named_conf_t, named_zone_t, dnssec_t; + ') + + read_files_pattern($1, { named_conf_t named_zone_t }, dnssec_t) +') + +######################################## +## <summary> +## Read BIND named configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_read_config',` + gen_require(` + type named_conf_t; + ') + + read_files_pattern($1, named_conf_t, named_conf_t) +') + +######################################## +## <summary> +## Write BIND named configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_write_config',` + gen_require(` + type named_conf_t; + ') + + write_files_pattern($1, named_conf_t, named_conf_t) + allow $1 named_conf_t:file setattr_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete +## BIND configuration directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`bind_manage_config_dirs',` + gen_require(` + type named_conf_t; + ') + + manage_dirs_pattern($1, named_conf_t, named_conf_t) +') + +######################################## +## <summary> +## Search the BIND cache directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_search_cache',` + gen_require(` + type named_conf_t, named_cache_t, named_zone_t; + ') + + files_search_var($1) + allow $1 named_conf_t:dir search_dir_perms; + allow $1 named_zone_t:dir search_dir_perms; + allow $1 named_cache_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete +## BIND cache files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_manage_cache',` + gen_require(` + type named_cache_t, named_zone_t; + ') + + files_search_var($1) + allow $1 named_zone_t:dir search_dir_perms; + manage_files_pattern($1, named_cache_t, named_cache_t) + manage_lnk_files_pattern($1, named_cache_t, named_cache_t) +') + +######################################## +## <summary> +## Set the attributes of the BIND pid directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_setattr_pid_dirs',` + gen_require(` + type named_var_run_t; + ') + + allow $1 named_var_run_t:dir setattr_dir_perms; +') + +######################################## +## <summary> +## Set the attributes of the BIND zone directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_setattr_zone_dirs',` + gen_require(` + type named_zone_t; + ') + + allow $1 named_zone_t:dir setattr_dir_perms; +') + +######################################## +## <summary> +## Read BIND zone files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_read_zone',` + gen_require(` + type named_zone_t; + ') + + files_search_var($1) + read_files_pattern($1, named_zone_t, named_zone_t) +') + +######################################## +## <summary> +## Read BIND zone files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_read_log',` + gen_require(` + type named_zone_t; + type named_log_t; + ') + + files_search_var($1) + allow $1 named_zone_t:dir search_dir_perms; + read_files_pattern($1, named_log_t, named_log_t) +') + +######################################## +## <summary> +## Manage BIND zone files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_manage_zone',` + gen_require(` + type named_zone_t; + ') + + files_search_var($1) + manage_files_pattern($1, named_zone_t, named_zone_t) +') + +######################################## +## <summary> +## Send and receive datagrams to and from named. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bind_udp_chat_named',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## All of the rules required to administrate +## an bind environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the bind domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`bind_admin',` + gen_require(` + type named_t, named_tmp_t, named_log_t; + type named_conf_t, named_var_run_t, named_cache_t; + type named_zone_t, named_initrc_exec_t; + type dnssec_t, ndc_t, named_keytab_t; + ') + + allow $1 named_t:process { ptrace signal_perms }; + ps_process_pattern($1, named_t) + + allow $1 ndc_t:process { ptrace signal_perms }; + ps_process_pattern($1, ndc_t) + + bind_run_ndc($1, $2) + + init_labeled_script_domtrans($1, named_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 named_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, named_tmp_t) + + logging_list_logs($1) + admin_pattern($1, named_log_t) + + files_list_etc($1) + admin_pattern($1, named_conf_t) + + admin_pattern($1, named_cache_t) + admin_pattern($1, named_zone_t) + admin_pattern($1, dnssec_t) + + admin_pattern($1, named_keytab_t) + + files_list_pids($1) + admin_pattern($1, named_var_run_t) +') diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te new file mode 100644 index 0000000..0bde225 --- /dev/null +++ b/policy/modules/services/bind.te 
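Review bot: bind_admin hard-requires `named_keytab_t` in its gen_require block, but that type only exists when the kerberos module is present, since bind.te creates it inside `optional_policy(` kerberos_keytab_template(named, named_t) ')`; on a build without kerberos the admin interface will fail to link. Wrap the keytab require and its `admin_pattern($1, named_keytab_t)` in their own optional_policy block. Also fix the documentation: bind_read_log carries the summary "Read BIND zone files." copied from bind_read_zone, bind_signull says "null sigals", and bind_admin says "an bind environment".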
@@ -0,0 +1,261 @@ +policy_module(bind, 1.11.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow BIND to write the master zone files. +## Generally this is used for dynamic DNS or zone transfers. +## </p> +## </desc> +gen_tunable(named_write_master_zones, false) + +# for DNSSEC key files +type dnssec_t; +files_security_file(dnssec_t) + +type named_t; +type named_exec_t; +init_daemon_domain(named_t, named_exec_t) +role system_r types named_t; + +type named_checkconf_exec_t; +init_system_domain(named_t, named_checkconf_exec_t) + +# A type for configuration files of named. +type named_conf_t; +files_type(named_conf_t) +files_mountpoint(named_conf_t) + +# for secondary zone files +type named_cache_t; +files_type(named_cache_t) + +type named_initrc_exec_t; +init_script_file(named_initrc_exec_t) + +type named_log_t; +logging_log_file(named_log_t) + +type named_tmp_t; +files_tmp_file(named_tmp_t) + +type named_var_run_t; +files_pid_file(named_var_run_t) + +# for primary zone files +type named_zone_t; +files_type(named_zone_t) + +type ndc_t; +type ndc_exec_t; +init_system_domain(ndc_t, ndc_exec_t) +role system_r types ndc_t; + +######################################## +# +# Named local policy +# + +allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; +dontaudit named_t self:capability sys_tty_config; +allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; +allow named_t self:fifo_file rw_fifo_file_perms; +allow named_t self:unix_stream_socket create_stream_socket_perms; +allow named_t self:unix_dgram_socket create_socket_perms; +allow named_t self:tcp_socket create_stream_socket_perms; +allow named_t self:udp_socket create_socket_perms; + +allow named_t dnssec_t:file read_file_perms; + +# read configuration +allow named_t named_conf_t:dir list_dir_perms; +read_files_pattern(named_t, named_conf_t, named_conf_t) +read_lnk_files_pattern(named_t, 
named_conf_t, named_conf_t) + +# write cache for secondary zones +manage_files_pattern(named_t, named_cache_t, named_cache_t) +manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t) + +can_exec(named_t, named_exec_t) + +manage_files_pattern(named_t, named_log_t, named_log_t) +logging_log_filetrans(named_t, named_log_t, { file dir }) + +manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) +manage_files_pattern(named_t, named_tmp_t, named_tmp_t) +files_tmp_filetrans(named_t, named_tmp_t, { file dir }) + +manage_dirs_pattern(named_t, named_var_run_t, named_var_run_t) +manage_files_pattern(named_t, named_var_run_t, named_var_run_t) +manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t) +files_pid_filetrans(named_t, named_var_run_t, { file sock_file dir }) + +# read zone files +allow named_t named_zone_t:dir list_dir_perms; +read_files_pattern(named_t, named_zone_t, named_zone_t) +read_lnk_files_pattern(named_t, named_zone_t, named_zone_t) + +kernel_read_kernel_sysctls(named_t) +kernel_read_system_state(named_t) +kernel_read_network_state(named_t) + +corecmd_search_bin(named_t) + +corenet_all_recvfrom_unlabeled(named_t) +corenet_all_recvfrom_netlabel(named_t) +corenet_tcp_sendrecv_generic_if(named_t) +corenet_udp_sendrecv_generic_if(named_t) +corenet_tcp_sendrecv_generic_node(named_t) +corenet_udp_sendrecv_generic_node(named_t) +corenet_tcp_sendrecv_all_ports(named_t) +corenet_udp_sendrecv_all_ports(named_t) +corenet_tcp_bind_generic_node(named_t) +corenet_udp_bind_generic_node(named_t) +corenet_tcp_bind_dns_port(named_t) +corenet_udp_bind_dns_port(named_t) +corenet_tcp_bind_rndc_port(named_t) +corenet_tcp_connect_all_ports(named_t) +corenet_sendrecv_dns_server_packets(named_t) +corenet_sendrecv_dns_client_packets(named_t) +corenet_sendrecv_rndc_server_packets(named_t) +corenet_sendrecv_rndc_client_packets(named_t) +corenet_dontaudit_udp_bind_all_reserved_ports(named_t) +corenet_udp_bind_all_unreserved_ports(named_t) + +dev_read_sysfs(named_t) 
+dev_read_rand(named_t) +dev_read_urand(named_t) + +domain_use_interactive_fds(named_t) + +files_read_etc_files(named_t) +files_read_etc_runtime_files(named_t) + +fs_getattr_all_fs(named_t) +fs_search_auto_mountpoints(named_t) + +auth_use_nsswitch(named_t) + +logging_send_syslog_msg(named_t) + +miscfiles_read_localization(named_t) +miscfiles_read_generic_certs(named_t) + +userdom_dontaudit_use_unpriv_user_fds(named_t) +userdom_dontaudit_search_user_home_dirs(named_t) + +tunable_policy(`named_write_master_zones',` + manage_dirs_pattern(named_t, named_zone_t, named_zone_t) + manage_files_pattern(named_t, named_zone_t, named_zone_t) + manage_lnk_files_pattern(named_t, named_zone_t, named_zone_t) +') + +optional_policy(` + init_dbus_chat_script(named_t) + + sysnet_dbus_chat_dhcpc(named_t) + + dbus_system_bus_client(named_t) + dbus_connect_system_bus(named_t) + + optional_policy(` + networkmanager_dbus_chat(named_t) + ') +') + +optional_policy(` + kerberos_keytab_template(named, named_t) +') + +optional_policy(` + # this seems like fds that arent being + # closed. these should probably be + # dontaudits instead. + networkmanager_rw_udp_sockets(named_t) + networkmanager_rw_packet_sockets(named_t) + networkmanager_rw_routing_sockets(named_t) +') + +optional_policy(` + seutil_sigchld_newrole(named_t) +') + +optional_policy(` + udev_read_db(named_t) +') + +######################################## +# +# NDC local policy +# + +# cjp: why net_admin?! 
+allow ndc_t self:capability { dac_override net_admin }; +allow ndc_t self:process { fork signal_perms }; +allow ndc_t self:fifo_file rw_fifo_file_perms; +allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms }; +allow ndc_t self:tcp_socket create_socket_perms; +allow ndc_t self:netlink_route_socket r_netlink_socket_perms; + +allow ndc_t dnssec_t:file read_file_perms; +allow ndc_t dnssec_t:lnk_file read_lnk_file_perms; + +stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t) + +allow ndc_t named_conf_t:file read_file_perms; +allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; + +allow ndc_t named_zone_t:dir search_dir_perms; + +kernel_read_kernel_sysctls(ndc_t) + +corenet_all_recvfrom_unlabeled(ndc_t) +corenet_all_recvfrom_netlabel(ndc_t) +corenet_tcp_sendrecv_generic_if(ndc_t) +corenet_tcp_sendrecv_generic_node(ndc_t) +corenet_tcp_sendrecv_all_ports(ndc_t) +corenet_tcp_bind_generic_node(ndc_t) +corenet_tcp_connect_rndc_port(ndc_t) +corenet_sendrecv_rndc_client_packets(ndc_t) + +domain_use_interactive_fds(ndc_t) + +files_read_etc_files(ndc_t) +files_search_pids(ndc_t) + +fs_getattr_xattr_fs(ndc_t) + +init_use_fds(ndc_t) +init_use_script_ptys(ndc_t) + +logging_send_syslog_msg(ndc_t) + +miscfiles_read_localization(ndc_t) + +sysnet_read_config(ndc_t) +sysnet_dns_name_resolve(ndc_t) + +userdom_use_user_terminals(ndc_t) + +term_dontaudit_use_console(ndc_t) + +# for /etc/rndc.key +ifdef(`distro_redhat',` + allow ndc_t named_conf_t:dir search_dir_perms; +') + +optional_policy(` + nis_use_ypbind(ndc_t) +') + +optional_policy(` + nscd_socket_use(ndc_t) +') + +optional_policy(` + ppp_dontaudit_use_fds(ndc_t) +') diff --git a/policy/modules/services/bitlbee.fc b/policy/modules/services/bitlbee.fc new file mode 100644 index 0000000..0197980 --- /dev/null +++ b/policy/modules/services/bitlbee.fc 
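Review bot: the ndc_t rule `allow ndc_t self:capability { dac_override net_admin };` is preceded by the unresolved question "cjp: why net_admin?!"; a control client that only needs to connect to the rndc port and read rndc.key should not carry net_admin, so either document the need in the comment or drop it before merging. The same applies to the networkmanager_rw_*_sockets block, whose own comment says the rules should probably be dontaudits for leaked fds rather than allows. For named_t, corenet_tcp_connect_all_ports is broader than a nameserver needs for outbound queries and notifies; consider corenet_tcp_connect_dns_port unless another use is known.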
@@ -0,0 +1,6 @@ +/etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0) +/etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0) + +/usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0) + +/var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0) diff --git a/policy/modules/services/bitlbee.if b/policy/modules/services/bitlbee.if new file mode 100644 index 0000000..a64d94d --- /dev/null +++ b/policy/modules/services/bitlbee.if @@ -0,0 +1,59 @@ +## <summary>Bitlbee service</summary> + +######################################## +## <summary> +## Read bitlbee configuration files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed accesss. +## </summary> +## </param> +# +interface(`bitlbee_read_config',` + gen_require(` + type bitlbee_conf_t; + ') + + files_search_etc($1) + allow $1 bitlbee_conf_t:dir list_dir_perms; + allow $1 bitlbee_conf_t:file read_file_perms; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an bitlbee environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the bitlbee domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`bitlbee_admin',` + gen_require(` + type bitlbee_t, bitlbee_conf_t, bitlbee_var_t; + type bitlbee_initrc_exec_t; + ') + + allow $1 bitlbee_t:process { ptrace signal_perms }; + ps_process_pattern($1, bitlbee_t) + + init_labeled_script_domtrans($1, bitlbee_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 bitlbee_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, bitlbee_conf_t) + + files_list_var($1) + admin_pattern($1, bitlbee_var_t) +') diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te new file mode 100644 index 0000000..2ba2d1f 
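Review bot: bitlbee_admin does not require or manage bitlbee_tmp_t, although bitlbee.te in this patch declares it as the daemon's tmp type, so the admin role cannot clean up the daemon's temporary files; add `type bitlbee_tmp_t;` to gen_require with `files_list_tmp($1)` and `admin_pattern($1, bitlbee_tmp_t)`, matching bind_admin and bluetooth_admin. Also fix "Domain allowed accesss." in bitlbee_read_config and "an bitlbee environment" in the admin summary.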
--- /dev/null +++ b/policy/modules/services/bitlbee.te 
@@ -0,0 +1,95 @@ +policy_module(bitlbee, 1.3.0) + +######################################## +# +# Declarations +# + +type bitlbee_t; +type bitlbee_exec_t; +init_daemon_domain(bitlbee_t, bitlbee_exec_t) +inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t) + +type bitlbee_conf_t; +files_config_file(bitlbee_conf_t) + +type bitlbee_initrc_exec_t; +init_script_file(bitlbee_initrc_exec_t) + +type bitlbee_tmp_t; +files_tmp_file(bitlbee_tmp_t) + +type bitlbee_var_t; +files_type(bitlbee_var_t) + +######################################## +# +# Local policy +# + +allow bitlbee_t self:capability { setgid setuid }; + +allow bitlbee_t self:udp_socket create_socket_perms; +allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms }; +allow bitlbee_t self:unix_stream_socket create_stream_socket_perms; +allow bitlbee_t self:fifo_file rw_fifo_file_perms; +allow bitlbee_t self:process signal; + +bitlbee_read_config(bitlbee_t) + +# tmp files +manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) +files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file) + +# user account information is read and edited at runtime; give the usual +# r/w access to bitlbee_var_t +manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t) +files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file) + +kernel_read_system_state(bitlbee_t) + +corenet_all_recvfrom_unlabeled(bitlbee_t) +corenet_udp_sendrecv_generic_if(bitlbee_t) +corenet_udp_sendrecv_generic_node(bitlbee_t) +corenet_tcp_sendrecv_generic_if(bitlbee_t) +corenet_tcp_sendrecv_generic_node(bitlbee_t) +# Allow bitlbee to connect to jabber servers +corenet_tcp_connect_jabber_client_port(bitlbee_t) +corenet_tcp_sendrecv_jabber_client_port(bitlbee_t) +# to AIM servers: +corenet_tcp_connect_aol_port(bitlbee_t) +corenet_tcp_sendrecv_aol_port(bitlbee_t) +# and to MMCC (Yahoo IM) servers: +corenet_tcp_connect_mmcc_port(bitlbee_t) +corenet_tcp_sendrecv_mmcc_port(bitlbee_t) +# and to MSNP (MSN Messenger) servers: 
+corenet_tcp_connect_msnp_port(bitlbee_t) +corenet_tcp_sendrecv_msnp_port(bitlbee_t) +# MSN can use passport auth, which is over http: +corenet_tcp_connect_http_port(bitlbee_t) +corenet_tcp_sendrecv_http_port(bitlbee_t) +corenet_tcp_connect_http_cache_port(bitlbee_t) +corenet_tcp_sendrecv_http_cache_port(bitlbee_t) + +dev_read_rand(bitlbee_t) +dev_read_urand(bitlbee_t) + +files_read_etc_files(bitlbee_t) +files_search_pids(bitlbee_t) +# grant read-only access to the user help files +files_read_usr_files(bitlbee_t) + +libs_legacy_use_shared_libs(bitlbee_t) + +auth_use_nsswitch(bitlbee_t) + +logging_send_syslog_msg(bitlbee_t) + +miscfiles_read_localization(bitlbee_t) + +sysnet_dns_name_resolve(bitlbee_t) + +optional_policy(` + # normally started from inetd using tcpwrappers, so use those entry points + tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t) +') diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc new file mode 100644 index 0000000..dc687e6 --- /dev/null +++ b/policy/modules/services/bluetooth.fc 
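Review bot: the var_t rules grant only `manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)` with a file-only filetrans, while bitlbee.fc labels the whole `/var/lib/bitlbee(/.*)?` tree; if the daemon ever creates a subdirectory there the dir create will be denied, so either add manage_dirs_pattern or narrow the .fc entry. The hunk also calls `corenet_all_recvfrom_unlabeled(bitlbee_t)` without the `corenet_all_recvfrom_netlabel` that the avahi and bind modules in this patch pair it with, and `libs_legacy_use_shared_libs(bitlbee_t)` deserves a comment saying why the legacy library access is still required.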
@@ -0,0 +1,30 @@ +# +# /etc +# +/etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0) +/etc/bluetooth/link_key gen_context(system_u:object_r:bluetooth_conf_rw_t,s0) +/etc/rc\.d/init\.d/bluetooth -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) +/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) +/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) + +# +# /usr +# +/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0) +/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) + +/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +/usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +/usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +/usr/sbin/sdpd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) + +# +# /var +# +/var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0) + +/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0) +/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0) diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if new file mode 100644 index 0000000..fa57a6f --- /dev/null +++ b/policy/modules/services/bluetooth.if 
@@ -0,0 +1,246 @@ +## <summary>Bluetooth tools and system services.</summary> + +######################################## +## <summary> +## Role access for bluetooth +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +## <rolecap/> +# +interface(`bluetooth_role',` + gen_require(` + type bluetooth_helper_t, bluetooth_helper_exec_t; + type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t; + ') + + role $1 types bluetooth_helper_t; + + domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t) + + # allow ps to show cdrecord and allow the user to kill it + ps_process_pattern($2, bluetooth_helper_t) + allow $2 bluetooth_helper_t:process { ptrace signal_perms }; + + manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) + manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) + manage_sock_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) + + manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) + manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) +') + +##################################### +## <summary> +## Connect to bluetooth over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bluetooth_stream_connect',` + gen_require(` + type bluetooth_t, bluetooth_var_run_t; + ') + + files_search_pids($1) + allow $1 bluetooth_t:socket rw_socket_perms; + stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t) +') + +######################################## +## <summary> +## Execute bluetooth in the bluetooth domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`bluetooth_domtrans',` + gen_require(` + type bluetooth_t, bluetooth_exec_t; + ') + + domtrans_pattern($1, bluetooth_exec_t, bluetooth_t) +') + +######################################## +## <summary> +## Read bluetooth daemon configuration. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bluetooth_read_config',` + gen_require(` + type bluetooth_conf_t; + ') + + allow $1 bluetooth_conf_t:file read_file_perms; +') + +######################################## +## <summary> +## Send and receive messages from +## bluetooth over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bluetooth_dbus_chat',` + gen_require(` + type bluetooth_t; + class dbus send_msg; + ') + + allow $1 bluetooth_t:dbus send_msg; + allow bluetooth_t $1:dbus send_msg; +') + +######################################## +## <summary> +## dontaudit Send and receive messages from +## bluetooth over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bluetooth_dontaudit_dbus_chat',` + gen_require(` + type bluetooth_t; + class dbus send_msg; + ') + + dontaudit $1 bluetooth_t:dbus send_msg; + dontaudit bluetooth_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`bluetooth_domtrans_helper',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Execute bluetooth_helper in the bluetooth_helper domain, and +## allow the specified role the bluetooth_helper domain. 
(Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <param name="terminal"> +## <summary> +## The type of the terminal allow the bluetooth_helper domain to use. +## </summary> +## </param> +## <rolecap/> +# +interface(`bluetooth_run_helper',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Do not audit attempts to read bluetooth helper state files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`bluetooth_dontaudit_read_helper_state',` + gen_require(` + type bluetooth_helper_t; + ') + + dontaudit $1 bluetooth_helper_t:dir search_dir_perms; + dontaudit $1 bluetooth_helper_t:file read_file_perms; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an bluetooth environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the bluetooth domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`bluetooth_admin',` + gen_require(` + type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; + type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t; + type bluetooth_conf_t, bluetooth_conf_rw_t; + ') + + allow $1 bluetooth_t:process { ptrace signal_perms }; + ps_process_pattern($1, bluetooth_t) + + init_labeled_script_domtrans($1, bluetooth_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 bluetooth_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, bluetooth_tmp_t) + + files_list_var($1) + admin_pattern($1, bluetooth_lock_t) + + files_list_etc($1) + admin_pattern($1, bluetooth_conf_t) + admin_pattern($1, bluetooth_conf_rw_t) + + files_list_var_lib($1) + admin_pattern($1, bluetooth_var_lib_t) + + files_list_pids($1) + admin_pattern($1, bluetooth_var_run_t) +') diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te new file mode 100644 index 0000000..67818fe --- /dev/null +++ b/policy/modules/services/bluetooth.te 
@@ -0,0 +1,253 @@ +policy_module(bluetooth, 3.3.0) + +######################################## +# +# Declarations +# + +type bluetooth_t; +type bluetooth_exec_t; +init_daemon_domain(bluetooth_t, bluetooth_exec_t) + +type bluetooth_conf_t; +files_type(bluetooth_conf_t) + +type bluetooth_conf_rw_t; +files_type(bluetooth_conf_rw_t) + +type bluetooth_helper_t; +type bluetooth_helper_exec_t; +typealias bluetooth_helper_t alias { user_bluetooth_helper_t staff_bluetooth_helper_t sysadm_bluetooth_helper_t }; +typealias bluetooth_helper_t alias { auditadm_bluetooth_helper_t secadm_bluetooth_helper_t }; +application_domain(bluetooth_helper_t, bluetooth_helper_exec_t) +ubac_constrained(bluetooth_helper_t) + +type bluetooth_helper_tmp_t; +typealias bluetooth_helper_tmp_t alias { user_bluetooth_helper_tmp_t staff_bluetooth_helper_tmp_t sysadm_bluetooth_helper_tmp_t }; +typealias bluetooth_helper_tmp_t alias { auditadm_bluetooth_helper_tmp_t secadm_bluetooth_helper_tmp_t }; +files_tmp_file(bluetooth_helper_tmp_t) +ubac_constrained(bluetooth_helper_tmp_t) + +type bluetooth_helper_tmpfs_t; +typealias bluetooth_helper_tmpfs_t alias { user_bluetooth_helper_tmpfs_t staff_bluetooth_helper_tmpfs_t sysadm_bluetooth_helper_tmpfs_t }; +typealias bluetooth_helper_tmpfs_t alias { auditadm_bluetooth_helper_tmpfs_t secadm_bluetooth_helper_tmpfs_t }; +files_tmpfs_file(bluetooth_helper_tmpfs_t) +ubac_constrained(bluetooth_helper_tmpfs_t) + +type bluetooth_initrc_exec_t; +init_script_file(bluetooth_initrc_exec_t) + +type bluetooth_lock_t; +files_lock_file(bluetooth_lock_t) + +type bluetooth_tmp_t; +files_tmp_file(bluetooth_tmp_t) + +type bluetooth_var_lib_t; +files_type(bluetooth_var_lib_t) + +type bluetooth_var_run_t; +files_pid_file(bluetooth_var_run_t) + +######################################## +# +# Bluetooth services local policy +# + +#sys_admin capability - redhat bug 573015 +allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin 
sys_tty_config ipc_lock }; +dontaudit bluetooth_t self:capability sys_tty_config; +allow bluetooth_t self:process { getcap setcap getsched signal_perms }; +allow bluetooth_t self:fifo_file rw_fifo_file_perms; +allow bluetooth_t self:shm create_shm_perms; +allow bluetooth_t self:socket create_stream_socket_perms; +allow bluetooth_t self:unix_dgram_socket create_socket_perms; +allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow bluetooth_t self:tcp_socket create_stream_socket_perms; +allow bluetooth_t self:udp_socket create_socket_perms; +allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms; + +read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t) + +manage_dirs_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) +manage_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) +manage_lnk_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) +manage_fifo_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) +manage_sock_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t) +filetrans_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t, { dir file lnk_file sock_file fifo_file }) + +can_exec(bluetooth_t, bluetooth_helper_exec_t) + +allow bluetooth_t bluetooth_lock_t:file manage_file_perms; +files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file) + +manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) +manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) +files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir }) + +manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) +manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) +files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } ) + +manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t) +manage_sock_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t) 
+files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file }) + +kernel_read_kernel_sysctls(bluetooth_t) +kernel_read_system_state(bluetooth_t) +kernel_read_network_state(bluetooth_t) +kernel_request_load_module(bluetooth_t) +#search debugfs - redhat bug 548206 +kernel_search_debugfs(bluetooth_t) + +ifdef(`hide_broken_symptoms', ` + kernel_rw_unlabeled_socket(bluetooth_t) +') + +corenet_all_recvfrom_unlabeled(bluetooth_t) +corenet_all_recvfrom_netlabel(bluetooth_t) +corenet_tcp_sendrecv_generic_if(bluetooth_t) +corenet_udp_sendrecv_generic_if(bluetooth_t) +corenet_raw_sendrecv_generic_if(bluetooth_t) +corenet_tcp_sendrecv_generic_node(bluetooth_t) +corenet_udp_sendrecv_generic_node(bluetooth_t) +corenet_raw_sendrecv_generic_node(bluetooth_t) +corenet_tcp_sendrecv_all_ports(bluetooth_t) +corenet_udp_sendrecv_all_ports(bluetooth_t) + +dev_read_sysfs(bluetooth_t) +dev_rw_usbfs(bluetooth_t) +dev_rw_generic_usb_dev(bluetooth_t) +dev_read_urand(bluetooth_t) +dev_rw_input_dev(bluetooth_t) +dev_rw_wireless(bluetooth_t) + +fs_getattr_all_fs(bluetooth_t) +fs_search_auto_mountpoints(bluetooth_t) +fs_list_inotifyfs(bluetooth_t) + +#Handle bluetooth serial devices +term_use_unallocated_ttys(bluetooth_t) + +corecmd_exec_bin(bluetooth_t) +corecmd_exec_shell(bluetooth_t) + +domain_use_interactive_fds(bluetooth_t) +domain_dontaudit_search_all_domains_state(bluetooth_t) + +files_read_etc_files(bluetooth_t) +files_read_etc_runtime_files(bluetooth_t) +files_read_usr_files(bluetooth_t) + +auth_use_nsswitch(bluetooth_t) + +logging_send_syslog_msg(bluetooth_t) + +miscfiles_read_localization(bluetooth_t) +miscfiles_read_fonts(bluetooth_t) +miscfiles_read_hwdata(bluetooth_t) + +userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) +userdom_dontaudit_use_user_terminals(bluetooth_t) +userdom_dontaudit_search_user_home_dirs(bluetooth_t) + +optional_policy(` + devicekit_dbus_chat_power(bluetooth_t) +') + +optional_policy(` + dbus_system_bus_client(bluetooth_t) + 
dbus_connect_system_bus(bluetooth_t) + + optional_policy(` + cups_dbus_chat(bluetooth_t) + ') + + optional_policy(` + hal_dbus_chat(bluetooth_t) + ') + + optional_policy(` + networkmanager_dbus_chat(bluetooth_t) + ') + + optional_policy(` + pulseaudio_dbus_chat(bluetooth_t) + ') +') + +optional_policy(` + seutil_sigchld_newrole(bluetooth_t) +') + +optional_policy(` + udev_read_db(bluetooth_t) +') + +optional_policy(` + ppp_domtrans(bluetooth_t) +') + +######################################## +# +# Bluetooth helper programs local policy +# + +allow bluetooth_helper_t self:capability sys_nice; +allow bluetooth_helper_t self:process getsched; +allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms; +allow bluetooth_helper_t self:shm create_shm_perms; +allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow bluetooth_helper_t self:tcp_socket create_socket_perms; +allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms; + +allow bluetooth_helper_t bluetooth_t:socket { read write }; + +manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) +manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) +manage_sock_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) +files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file }) + +manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) +manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) +fs_tmpfs_filetrans(bluetooth_helper_t, bluetooth_helper_tmpfs_t, { dir file }) + +kernel_read_system_state(bluetooth_helper_t) +kernel_read_kernel_sysctls(bluetooth_helper_t) + +dev_read_urand(bluetooth_helper_t) + +term_dontaudit_use_all_ttys(bluetooth_helper_t) + +corecmd_exec_bin(bluetooth_helper_t) +corecmd_exec_shell(bluetooth_helper_t) + 
+domain_read_all_domains_state(bluetooth_helper_t) + +files_read_etc_files(bluetooth_helper_t) +files_read_etc_runtime_files(bluetooth_helper_t) +files_read_usr_files(bluetooth_helper_t) +files_dontaudit_list_default(bluetooth_helper_t) + +locallogin_dontaudit_use_fds(bluetooth_helper_t) + +logging_send_syslog_msg(bluetooth_helper_t) + +miscfiles_read_localization(bluetooth_helper_t) + +sysnet_read_config(bluetooth_helper_t) + +optional_policy(` + bluetooth_dbus_chat(bluetooth_helper_t) + + dbus_system_bus_client(bluetooth_helper_t) + dbus_connect_system_bus(bluetooth_helper_t) +') + +optional_policy(` + nscd_socket_use(bluetooth_helper_t) +') + +optional_policy(` + xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t) +') diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc new file mode 100644 index 0000000..c095160 --- /dev/null +++ b/policy/modules/services/boinc.fc @@ -0,0 +1,8 @@ + +/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) + +/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) + +/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) +/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) +/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if new file mode 100644 index 0000000..fa9b95a --- /dev/null +++ b/policy/modules/services/boinc.if 
@@ -0,0 +1,150 @@ +## <summary>policy for boinc</summary> + +######################################## +## <summary> +## Execute a domain transition to run boinc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`boinc_domtrans',` + gen_require(` + type boinc_t, boinc_exec_t; + ') + + domtrans_pattern($1, boinc_exec_t, boinc_t) +') + +####################################### +## <summary> +## Execute boinc server in the boinc domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`boinc_initrc_domtrans',` + gen_require(` + type boinc_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, boinc_initrc_exec_t) +') + +######################################## +## <summary> +## Search boinc lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`boinc_search_lib',` + gen_require(` + type boinc_var_lib_t; + ') + + allow $1 boinc_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Read boinc lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`boinc_read_lib_files',` + gen_require(` + type boinc_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## boinc lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`boinc_manage_lib_files',` + gen_require(` + type boinc_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) +') + +######################################## +## <summary> +## Manage boinc var_lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`boinc_manage_var_lib',` + gen_require(` + type boinc_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t) + manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) + manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an boinc environment. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`boinc_admin',` + gen_require(` + type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t; + ') + + allow $1 boinc_t:process { ptrace signal_perms }; + ps_process_pattern($1, boinc_t) + + boinc_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 boinc_initrc_exec_t system_r; + allow $2 system_r; + + files_list_var_lib($1) + admin_pattern($1, boinc_var_lib_t) +') diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te new file mode 100644 index 0000000..4bc3f06 --- /dev/null +++ b/policy/modules/services/boinc.te 
@@ -0,0 +1,167 @@ +policy_module(boinc, 1.0.0) + +######################################## +# +# Declarations +# + +type boinc_t; +type boinc_exec_t; +init_daemon_domain(boinc_t, boinc_exec_t) + +type boinc_initrc_exec_t; +init_script_file(boinc_initrc_exec_t) + +type boinc_tmp_t; +files_tmp_file(boinc_tmp_t) + +type boinc_tmpfs_t; +files_tmpfs_file(boinc_tmpfs_t) + +type boinc_var_lib_t; +files_type(boinc_var_lib_t) + +type boinc_project_t; +domain_type(boinc_project_t) +role system_r types boinc_project_t; + +permissive boinc_project_t; + +type boinc_project_tmp_t; +files_tmp_file(boinc_project_tmp_t) + +type boinc_project_var_lib_t; +files_type(boinc_project_var_lib_t) + +######################################## +# +# boinc local policy +# + +allow boinc_t self:capability { kill }; +allow boinc_t self:process { setsched sigkill }; + +allow boinc_t self:fifo_file rw_fifo_file_perms; +allow boinc_t self:unix_stream_socket create_stream_socket_perms; +allow boinc_t self:tcp_socket create_stream_socket_perms; +allow boinc_t self:sem create_sem_perms; +allow boinc_t self:shm create_shm_perms; + +manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) +manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) +files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) + +manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) +fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) + +exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) +manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) +manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) +filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir) + +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) + +kernel_read_system_state(boinc_t) + +files_getattr_all_dirs(boinc_t) +files_getattr_all_files(boinc_t) + +corecmd_exec_bin(boinc_t) +corecmd_exec_shell(boinc_t) + 
+corenet_all_recvfrom_unlabeled(boinc_t) +corenet_all_recvfrom_netlabel(boinc_t) +corenet_tcp_sendrecv_generic_if(boinc_t) +corenet_udp_sendrecv_generic_if(boinc_t) +corenet_tcp_sendrecv_generic_node(boinc_t) +corenet_udp_sendrecv_generic_node(boinc_t) +corenet_tcp_sendrecv_all_ports(boinc_t) +corenet_udp_sendrecv_all_ports(boinc_t) +corenet_tcp_bind_generic_node(boinc_t) +corenet_udp_bind_generic_node(boinc_t) +corenet_tcp_bind_boinc_port(boinc_t) +corenet_tcp_connect_boinc_port(boinc_t) +corenet_tcp_connect_http_port(boinc_t) +corenet_tcp_connect_http_cache_port(boinc_t) + +dev_list_sysfs(boinc_t) +dev_read_rand(boinc_t) +dev_read_urand(boinc_t) +dev_read_sysfs(boinc_t) + +domain_read_all_domains_state(boinc_t) + +files_dontaudit_getattr_boot_dirs(boinc_t) + +files_read_etc_files(boinc_t) +files_read_usr_files(boinc_t) + +fs_getattr_all_fs(boinc_t) + +term_dontaudit_getattr_ptmx(boinc_t) + +miscfiles_read_localization(boinc_t) +miscfiles_read_generic_certs(boinc_t) + +logging_send_syslog_msg(boinc_t) + +sysnet_dns_name_resolve(boinc_t) + +mta_send_mail(boinc_t) + +######################################## +# +# boinc-projects local policy +# + +domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) +allow boinc_t boinc_project_t:process sigkill; + +allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop }; +allow boinc_project_t self:process { execmem execstack }; + +allow boinc_project_t self:fifo_file rw_fifo_file_perms; +allow boinc_project_t self:sem create_sem_perms; + +manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) +manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) +files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file }) + +allow boinc_project_t boinc_project_var_lib_t:file entrypoint; +exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, 
boinc_project_var_lib_t) +manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir }) + +allow boinc_project_t boinc_project_var_lib_t:file execmod; + +allow boinc_project_t boinc_t:shm rw_shm_perms; +allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms; + +list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) +rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) + +kernel_read_system_state(boinc_project_t) +kernel_read_kernel_sysctls(boinc_project_t) +kernel_search_vm_sysctl(boinc_project_t) +kernel_read_network_state(boinc_project_t) + +corecmd_exec_bin(boinc_project_t) +corecmd_exec_shell(boinc_project_t) + +corenet_tcp_connect_boinc_port(boinc_project_t) + +dev_read_rand(boinc_project_t) +dev_read_urand(boinc_project_t) +dev_read_sysfs(boinc_project_t) +dev_rw_xserver_misc(boinc_project_t) + +files_read_etc_files(boinc_project_t) + +miscfiles_read_fonts(boinc_project_t) +miscfiles_read_localization(boinc_project_t) + +optional_policy(` + java_exec(boinc_project_t) +') diff --git a/policy/modules/services/bugzilla.fc b/policy/modules/services/bugzilla.fc new file mode 100644 index 0000000..18f37e2 --- /dev/null +++ b/policy/modules/services/bugzilla.fc @@ -0,0 +1,4 @@ + +/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) +/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) +/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0) diff --git a/policy/modules/services/bugzilla.if b/policy/modules/services/bugzilla.if new file mode 100644 index 0000000..3964548 --- /dev/null +++ b/policy/modules/services/bugzilla.if 
@@ -0,0 +1,80 @@ +## <summary>Bugzilla server</summary> + +######################################## +## <summary> +## Allow the specified domain to search +## bugzilla directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bugzilla_search_dirs',` + gen_require(` + type httpd_bugzilla_content_t; + ') + + allow $1 httpd_bugzilla_content_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read and write +## bugzilla script unix domain stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bugzilla_dontaudit_rw_script_stream_sockets',` + gen_require(` + type httpd_bugzilla_script_t; + ') + + dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write }; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an bugzilla environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the bugzilla domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`bugzilla_admin',` + gen_require(` + type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t; + type httpd_bugzilla_rw_content_t, httpd_bugzilla_tmp_t, httpd_bugzilla_script_exec_t; + type httpd_bugzilla_htaccess_t; + ') + + allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms }; + ps_process_pattern($1, httpd_bugzilla_script_t) + + files_list_tmp($1) + admin_pattern($1, httpd_bugzilla_tmp_t) + + files_list_var_lib(httpd_bugzilla_script_t) + + apache_list_sys_content($1) + admin_pattern($1, httpd_bugzilla_script_exec_t) + admin_pattern($1, httpd_bugzilla_script_t) + admin_pattern($1, httpd_bugzilla_content_t) + admin_pattern($1, httpd_bugzilla_htaccess_t) + admin_pattern($1, httpd_bugzilla_rw_content_t) + admin_pattern($1, httpd_bugzilla_ra_content_t) +') diff --git a/policy/modules/services/bugzilla.te b/policy/modules/services/bugzilla.te new file mode 100644 index 0000000..c63c8fa --- /dev/null +++ b/policy/modules/services/bugzilla.te 
@@ -0,0 +1,55 @@ +policy_module(bugzilla, 1.0) + +######################################## +# +# Declarations +# + +apache_content_template(bugzilla) + +type httpd_bugzilla_tmp_t; +files_tmp_file(httpd_bugzilla_tmp_t) + +######################################## +# +# bugzilla local policy +# + +allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms; +allow httpd_bugzilla_script_t self:tcp_socket create_stream_socket_perms; +allow httpd_bugzilla_script_t self:udp_socket create_socket_perms; + +corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t) +corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) +corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t) +corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t) +corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t) +corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t) +corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t) +corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t) +corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t) +corenet_tcp_connect_mysqld_port(httpd_bugzilla_script_t) +corenet_tcp_connect_http_port(httpd_bugzilla_script_t) +corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) +corenet_sendrecv_postgresql_client_packets(httpd_bugzilla_script_t) +corenet_sendrecv_mysqld_client_packets(httpd_bugzilla_script_t) + +manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) +manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t) +files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir }) + +files_search_var_lib(httpd_bugzilla_script_t) + +mta_send_mail(httpd_bugzilla_script_t) + +sysnet_read_config(httpd_bugzilla_script_t) +sysnet_use_ldap(httpd_bugzilla_script_t) + +optional_policy(` + mysql_search_db(httpd_bugzilla_script_t) + mysql_stream_connect(httpd_bugzilla_script_t) +') + +optional_policy(` + postgresql_stream_connect(httpd_bugzilla_script_t) +') 
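Review bot: `policy_module(bugzilla, 1.0)` uses a two-component version where the other modules added in this commit use three (`boinc, 1.0.0`, `cachefilesd, 1.0.17`); make it `1.0.0` so the version fields stay uniform. The network rules for httpd_bugzilla_script_t also use the `*_all_if` / `*_all_nodes` variants (`corenet_tcp_sendrecv_all_if`, `corenet_tcp_sendrecv_all_nodes`) while bluetooth_t and boinc_t in the same commit use `*_generic_if` / `*_generic_node`; unless bugzilla needs the broader set, use the generic ones here too, and keep the specific `corenet_tcp_connect_*_port` rules as the real statement of what the scripts connect to.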
diff --git a/policy/modules/services/cachefilesd.fc b/policy/modules/services/cachefilesd.fc new file mode 100644 index 0000000..24d9837 --- /dev/null +++ b/policy/modules/services/cachefilesd.fc @@ -0,0 +1,29 @@ +############################################################################### +# +# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved. +# Written by David Howells (dhowells@redhat.com) +# Karl MacMillan (kmacmill@redhat.com) +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version +# 2 of the License, or (at your option) any later version. +# +############################################################################### + +# +# Define the contexts to be assigned to various files and directories of +# importance to the CacheFiles kernel module and userspace management daemon. +# + +# cachefilesd executable will have: +# label: system_u:object_r:cachefilesd_exec_t +# MLS sensitivity: s0 +# MCS categories: <none> + +/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0) +/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0) +/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) +/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) + +/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0) diff --git a/policy/modules/services/cachefilesd.if b/policy/modules/services/cachefilesd.if new file mode 100644 index 0000000..3b41945 --- /dev/null +++ b/policy/modules/services/cachefilesd.if 
@@ -0,0 +1,35 @@ +############################################################################### +# +# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved. +# Written by David Howells (dhowells@redhat.com) +# Karl MacMillan (kmacmill@redhat.com) +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version +# 2 of the License, or (at your option) any later version. +# +############################################################################### + +# +# Define the policy interface for the CacheFiles userspace management daemon. +# +## <summary>policy for cachefilesd</summary> + +######################################## +## <summary> +## Execute a domain transition to run cachefilesd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cachefilesd_domtrans',` + gen_require(` + type cachefilesd_t, cachefilesd_exec_t; + ') + + domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t) +') diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te new file mode 100644 index 0000000..575c16e --- /dev/null +++ b/policy/modules/services/cachefilesd.te 
@@ -0,0 +1,143 @@ +############################################################################### +# +# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved. +# Written by David Howells (dhowells@redhat.com) +# Karl MacMillan (kmacmill@redhat.com) +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version +# 2 of the License, or (at your option) any later version. +# +############################################################################### + +# +# This security policy governs access by the CacheFiles kernel module and +# userspace management daemon to the files and directories in the on-disk +# cache, on behalf of the processes accessing the cache through a network +# filesystem such as NFS +# +policy_module(cachefilesd, 1.0.17) + +############################################################################### +# +# Declarations +# + +# +# Files in the cache are created by the cachefiles module with security ID +# cachefiles_var_t +# +type cachefiles_var_t; +files_type(cachefiles_var_t) + +# +# The /dev/cachefiles character device has security ID cachefiles_dev_t +# +type cachefiles_dev_t; +dev_node(cachefiles_dev_t) + +# +# The cachefilesd daemon normally runs with security ID cachefilesd_t +# +type cachefilesd_t; +type cachefilesd_exec_t; +init_daemon_domain(cachefilesd_t, cachefilesd_exec_t) + +# +# The cachefilesd daemon pid file context +# +type cachefilesd_var_run_t; +files_pid_file(cachefilesd_var_run_t) + +# +# The CacheFiles kernel module causes processes accessing the cache files to do +# so acting as security ID cachefiles_kernel_t +# +type cachefiles_kernel_t; +domain_type(cachefiles_kernel_t) +domain_obj_id_change_exemption(cachefiles_kernel_t) +role system_r types cachefiles_kernel_t; + +############################################################################### +# +# Permit RPM to deal with files in 
the cache +# +rpm_use_script_fds(cachefilesd_t) + +############################################################################### +# +# cachefilesd local policy +# +# These define what cachefilesd is permitted to do. This doesn't include very +# much: startup stuff, logging, pid file, scanning the cache superstructure and +# deleting files from the cache. It is not permitted to read/write files in +# the cache. +# +# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow +# rules. +# +allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override }; + +# Allow manipulation of pid file +allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms; +manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t) +manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t) +files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file) +files_create_as_is_all_files(cachefilesd_t) + +# Allow access to cachefiles device file +allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms; + +# Allow access to cache superstructure +allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms delete_dir_perms }; +allow cachefilesd_t cachefiles_var_t:file { rename delete_file_perms }; + +# Permit statfs on the backing filesystem +fs_getattr_xattr_fs(cachefilesd_t) + +# Basic access +files_read_etc_files(cachefilesd_t) +miscfiles_read_localization(cachefilesd_t) +logging_send_syslog_msg(cachefilesd_t) +init_dontaudit_use_script_ptys(cachefilesd_t) +term_dontaudit_use_generic_ptys(cachefilesd_t) +term_dontaudit_getattr_unallocated_ttys(cachefilesd_t) + +############################################################################### +# +# When cachefilesd invokes the kernel module to begin caching, it has to tell +# the kernel module the security context in which it should act, and this +# policy has to approve that. 
+# +# There are two parts to this: +# +# (1) the security context used by the module to access files in the cache, +# as set by the 'secctx' command in /etc/cachefilesd.conf, and +# +allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override }; + +# +# (2) the label that will be assigned to new files and directories created in +# the cache by the module, which will be the same as the label on the +# directory pointed to by the 'dir' command. +# +allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as }; + +############################################################################### +# +# cachefiles kernel module local policy +# +# This governs what the kernel module is allowed to do the contents of the +# cache. +# +allow cachefiles_kernel_t self:capability { dac_override dac_read_search }; + +manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t) +manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t) + +fs_getattr_xattr_fs(cachefiles_kernel_t) + +dev_search_sysfs(cachefiles_kernel_t) + +init_sigchld_script(cachefiles_kernel_t) diff --git a/policy/modules/services/canna.fc b/policy/modules/services/canna.fc new file mode 100644 index 0000000..5432d0e --- /dev/null +++ b/policy/modules/services/canna.fc 
@@ -0,0 +1,23 @@ +/etc/rc\.d/init\.d/canna -- gen_context(system_u:object_r:canna_initrc_exec_t,s0) + +# +# /usr +# +/usr/bin/cannaping -- gen_context(system_u:object_r:canna_exec_t,s0) +/usr/bin/catdic -- gen_context(system_u:object_r:canna_exec_t,s0) + +/usr/sbin/cannaserver -- gen_context(system_u:object_r:canna_exec_t,s0) +/usr/sbin/jserver -- gen_context(system_u:object_r:canna_exec_t,s0) + +# +# /var +# +/var/lib/canna/dic(/.*)? gen_context(system_u:object_r:canna_var_lib_t,s0) +/var/lib/wnn/dic(/.*)? gen_context(system_u:object_r:canna_var_lib_t,s0) + +/var/log/canna(/.*)? gen_context(system_u:object_r:canna_log_t,s0) +/var/log/wnn(/.*)? gen_context(system_u:object_r:canna_log_t,s0) + +/var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0) +/var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0) +/var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0) diff --git a/policy/modules/services/canna.if b/policy/modules/services/canna.if new file mode 100644 index 0000000..4a26b0c --- /dev/null +++ b/policy/modules/services/canna.if 
@@ -0,0 +1,61 @@ +## <summary>Canna - kana-kanji conversion server</summary> + +######################################## +## <summary> +## Connect to Canna using a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`canna_stream_connect',` + gen_require(` + type canna_t, canna_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, canna_var_run_t, canna_var_run_t, canna_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an canna environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the canna domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`canna_admin',` + gen_require(` + type canna_t, canna_log_t, canna_var_lib_t; + type canna_var_run_t, canna_initrc_exec_t; + ') + + allow $1 canna_t:process { ptrace signal_perms }; + ps_process_pattern($1, canna_t) + + init_labeled_script_domtrans($1, canna_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 canna_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + admin_pattern($1, canna_log_t) + + files_list_var_lib($1) + admin_pattern($1, canna_var_lib_t) + + files_list_pids($1) + admin_pattern($1, canna_var_run_t) +') diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te new file mode 100644 index 0000000..d60e2bf --- /dev/null +++ b/policy/modules/services/canna.te 
@@ -0,0 +1,93 @@ +policy_module(canna, 1.10.1) + +######################################## +# +# Declarations +# + +type canna_t; +type canna_exec_t; +init_daemon_domain(canna_t, canna_exec_t) + +type canna_initrc_exec_t; +init_script_file(canna_initrc_exec_t) + +type canna_log_t; +logging_log_file(canna_log_t) + +type canna_var_lib_t; +files_type(canna_var_lib_t) + +type canna_var_run_t; +files_pid_file(canna_var_run_t) + +######################################## +# +# Local policy +# + +allow canna_t self:capability { setgid setuid net_bind_service }; +dontaudit canna_t self:capability sys_tty_config; +allow canna_t self:process signal_perms; +allow canna_t self:unix_stream_socket { connectto create_stream_socket_perms}; +allow canna_t self:unix_dgram_socket create_stream_socket_perms; +allow canna_t self:tcp_socket create_stream_socket_perms; + +manage_files_pattern(canna_t, canna_log_t, canna_log_t) +allow canna_t canna_log_t:dir setattr_dir_perms; +logging_log_filetrans(canna_t, canna_log_t, { file dir }) + +manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) +manage_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) +manage_lnk_files_pattern(canna_t, canna_var_lib_t, canna_var_lib_t) +files_var_lib_filetrans(canna_t, canna_var_lib_t, file) + +manage_dirs_pattern(canna_t, canna_var_run_t, canna_var_run_t) +manage_files_pattern(canna_t, canna_var_run_t, canna_var_run_t) +manage_sock_files_pattern(canna_t, canna_var_run_t, canna_var_run_t) +files_pid_filetrans(canna_t, canna_var_run_t, { dir file sock_file }) + +kernel_read_kernel_sysctls(canna_t) +kernel_read_system_state(canna_t) + +corenet_all_recvfrom_unlabeled(canna_t) +corenet_all_recvfrom_netlabel(canna_t) +corenet_tcp_sendrecv_generic_if(canna_t) +corenet_tcp_sendrecv_generic_node(canna_t) +corenet_tcp_sendrecv_all_ports(canna_t) +corenet_tcp_connect_all_ports(canna_t) +corenet_sendrecv_all_client_packets(canna_t) + +dev_read_sysfs(canna_t) + +fs_getattr_all_fs(canna_t) 
+fs_search_auto_mountpoints(canna_t) + +domain_use_interactive_fds(canna_t) + +files_read_etc_files(canna_t) +files_read_etc_runtime_files(canna_t) +files_read_usr_files(canna_t) +files_search_tmp(canna_t) +files_dontaudit_read_root_files(canna_t) + +logging_send_syslog_msg(canna_t) + +miscfiles_read_localization(canna_t) + +sysnet_read_config(canna_t) + +userdom_dontaudit_use_unpriv_user_fds(canna_t) +userdom_dontaudit_search_user_home_dirs(canna_t) + +optional_policy(` + nis_use_ypbind(canna_t) +') + +optional_policy(` + seutil_sigchld_newrole(canna_t) +') + +optional_policy(` + udev_read_db(canna_t) +') diff --git a/policy/modules/services/ccs.fc b/policy/modules/services/ccs.fc new file mode 100644 index 0000000..8a7177d --- /dev/null +++ b/policy/modules/services/ccs.fc @@ -0,0 +1,6 @@ +/etc/cluster(/.*)? gen_context(system_u:object_r:cluster_conf_t,s0) + +/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0) + +/var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0) +/var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0) diff --git a/policy/modules/services/ccs.if b/policy/modules/services/ccs.if new file mode 100644 index 0000000..3105b09 --- /dev/null +++ b/policy/modules/services/ccs.if 
@@ -0,0 +1,75 @@ +## <summary>Cluster Configuration System</summary> + +######################################## +## <summary> +## Execute a domain transition to run ccs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ccs_domtrans',` + gen_require(` + type ccs_t, ccs_exec_t; + ') + + domtrans_pattern($1, ccs_exec_t, ccs_t) +') + +######################################## +## <summary> +## Connect to ccs over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ccs_stream_connect',` + gen_require(` + type ccs_t, ccs_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, ccs_var_run_t, ccs_var_run_t, ccs_t) +') + +######################################## +## <summary> +## Read cluster configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ccs_read_config',` + gen_require(` + type cluster_conf_t; + ') + + read_files_pattern($1, cluster_conf_t, cluster_conf_t) +') + +######################################## +## <summary> +## Manage cluster configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ccs_manage_config',` + gen_require(` + type cluster_conf_t; + ') + + manage_dirs_pattern($1, cluster_conf_t, cluster_conf_t) + manage_files_pattern($1, cluster_conf_t, cluster_conf_t) +') diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te new file mode 100644 index 0000000..8d7e14e --- /dev/null +++ b/policy/modules/services/ccs.te 
@@ -0,0 +1,127 @@ +policy_module(ccs, 1.5.0) + +######################################## +# +# Declarations +# + +type ccs_t; +type ccs_exec_t; +init_daemon_domain(ccs_t, ccs_exec_t) + +type cluster_conf_t; +files_type(cluster_conf_t) + +type ccs_tmp_t; +files_tmp_file(ccs_tmp_t) + +type ccs_tmpfs_t; +files_tmpfs_file(ccs_tmpfs_t) + +type ccs_var_lib_t; +logging_log_file(ccs_var_lib_t) + +type ccs_var_log_t; +logging_log_file(ccs_var_log_t) + +type ccs_var_run_t; +files_pid_file(ccs_var_run_t) + +######################################## +# +# ccs local policy +# + +allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin }; +allow ccs_t self:process { signal setrlimit setsched }; +dontaudit ccs_t self:process ptrace; +allow ccs_t self:fifo_file rw_fifo_file_perms; +allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow ccs_t self:unix_dgram_socket create_socket_perms; +allow ccs_t self:netlink_route_socket r_netlink_socket_perms; +allow ccs_t self:tcp_socket create_stream_socket_perms; +allow ccs_t self:udp_socket { create_socket_perms listen recv_msg send_msg }; +# cjp: this needs to be fixed to be specific +allow ccs_t self:socket create_socket_perms; + +manage_files_pattern(ccs_t, cluster_conf_t, cluster_conf_t) + +# tmp file +allow ccs_t ccs_tmp_t:dir manage_dir_perms; +manage_dirs_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t) +manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t) +files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir }) + +manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t) +manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t) +fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t, { dir file }) + +# var lib files +manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) +manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) +files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir }) + +allow ccs_t ccs_var_log_t:dir setattr_dir_perms; +manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) 
+manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) +logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir }) + +# pid file +manage_dirs_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) +manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) +manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t) +files_pid_filetrans(ccs_t, ccs_var_run_t, { dir file sock_file }) + +kernel_read_kernel_sysctls(ccs_t) + +corecmd_list_bin(ccs_t) +corecmd_exec_bin(ccs_t) + +corenet_all_recvfrom_unlabeled(ccs_t) +corenet_all_recvfrom_netlabel(ccs_t) +corenet_tcp_sendrecv_generic_if(ccs_t) +corenet_udp_sendrecv_generic_if(ccs_t) +corenet_tcp_sendrecv_generic_node(ccs_t) +corenet_udp_sendrecv_generic_node(ccs_t) +corenet_tcp_sendrecv_all_ports(ccs_t) +corenet_udp_sendrecv_all_ports(ccs_t) +corenet_tcp_bind_generic_node(ccs_t) +corenet_udp_bind_generic_node(ccs_t) +corenet_tcp_bind_cluster_port(ccs_t) +corenet_udp_bind_cluster_port(ccs_t) +corenet_udp_bind_netsupport_port(ccs_t) + +dev_read_urand(ccs_t) + +files_read_etc_files(ccs_t) +files_read_etc_runtime_files(ccs_t) + +init_rw_script_tmp_files(ccs_t) + +logging_send_syslog_msg(ccs_t) + +miscfiles_read_localization(ccs_t) + +sysnet_dns_name_resolve(ccs_t) + +userdom_manage_unpriv_user_shared_mem(ccs_t) +userdom_manage_unpriv_user_semaphores(ccs_t) + +ifdef(`hide_broken_symptoms',` + corecmd_dontaudit_write_bin_dirs(ccs_t) + files_manage_isid_type_files(ccs_t) +') + +optional_policy(` + aisexec_stream_connect(ccs_t) + corosync_stream_connect(ccs_t) +') + +optional_policy(` + qpidd_rw_semaphores(ccs_t) + qpidd_rw_shm(ccs_t) +') + +optional_policy(` + unconfined_use_fds(ccs_t) +') diff --git a/policy/modules/services/certmaster.fc b/policy/modules/services/certmaster.fc new file mode 100644 index 0000000..79295d6 --- /dev/null +++ b/policy/modules/services/certmaster.fc 
@@ -0,0 +1,8 @@ +/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0) +/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0) + +/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0) + +/var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0) +/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) +/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if new file mode 100644 index 0000000..ffd0da5 --- /dev/null +++ b/policy/modules/services/certmaster.if 
@@ -0,0 +1,144 @@ +## <summary>Certmaster SSL certificate distribution service</summary> + +######################################## +## <summary> +## Execute a domain transition to run certmaster. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`certmaster_domtrans',` + gen_require(` + type certmaster_t, certmaster_exec_t; + ') + + domtrans_pattern($1, certmaster_exec_t, certmaster_t) +') + +#################################### +## <summary> +## Execute certmaster in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`certmaster_exec',` + gen_require(` + type certmaster_exec_t; + ') + + can_exec($1, certmaster_exec_t) + corecmd_search_bin($1) +') + +####################################### +## <summary> +## read certmaster logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`certmaster_read_log',` + gen_require(` + type certmaster_var_log_t; + ') + + read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) + logging_search_logs($1) +') + +####################################### +## <summary> +## Append to certmaster logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`certmaster_append_log',` + gen_require(` + type certmaster_var_log_t; + ') + + append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) + logging_search_logs($1) +') + +####################################### +## <summary> +## Create, read, write, and delete +## certmaster logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`certmaster_manage_log',` + gen_require(` + type certmaster_var_log_t; + ') + + manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) + manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) + logging_search_logs($1) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an snort environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`certmaster_admin',` + gen_require(` + type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; + type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t; + ') + + allow $1 certmaster_t:process { ptrace signal_perms }; + ps_process_pattern($1, certmaster_t) + + init_labeled_script_domtrans($1, certmaster_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 certmaster_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + miscfiles_manage_generic_cert_dirs($1) + miscfiles_manage_generic_cert_files($1) + + admin_pattern($1, certmaster_etc_rw_t) + + files_list_pids($1) + admin_pattern($1, certmaster_var_run_t) + + logging_list_logs($1) + admin_pattern($1, certmaster_var_log_t) + + files_list_var_lib($1) + admin_pattern($1, certmaster_var_lib_t) +') diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te new file mode 100644 index 0000000..dbfd0a6 --- /dev/null +++ b/policy/modules/services/certmaster.te 
@@ -0,0 +1,72 @@ +policy_module(certmaster, 1.1.2) + +######################################## +# +# Declarations +# + +type certmaster_t; +type certmaster_exec_t; +init_daemon_domain(certmaster_t, certmaster_exec_t) + +type certmaster_initrc_exec_t; +init_script_file(certmaster_initrc_exec_t) + +type certmaster_etc_rw_t; +files_type(certmaster_etc_rw_t) + +type certmaster_var_lib_t; +files_type(certmaster_var_lib_t) + +type certmaster_var_log_t; +logging_log_file(certmaster_var_log_t) + +type certmaster_var_run_t; +files_pid_file(certmaster_var_run_t) + +########################################### +# +# certmaster local policy +# + +allow certmaster_t self:capability { dac_read_search dac_override sys_tty_config }; +allow certmaster_t self:tcp_socket create_stream_socket_perms; + +# config files +list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t) +manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t) + +# var/lib files for certmaster +manage_files_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t) +manage_dirs_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t) +files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir }) + +# log files +manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) +logging_log_filetrans(certmaster_t, certmaster_var_log_t, file) + +# pid file +manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t) +manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t) +files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file }) + +# read meminfo +kernel_read_system_state(certmaster_t) + +corecmd_search_bin(certmaster_t) +corecmd_getattr_bin_files(certmaster_t) + +corenet_tcp_bind_generic_node(certmaster_t) +corenet_tcp_bind_certmaster_port(certmaster_t) + +files_search_etc(certmaster_t) +files_read_usr_files(certmaster_t) +files_list_var(certmaster_t) 
+files_search_var_lib(certmaster_t) + +auth_use_nsswitch(certmaster_t) + +miscfiles_read_localization(certmaster_t) + +miscfiles_manage_generic_cert_dirs(certmaster_t) +miscfiles_manage_generic_cert_files(certmaster_t) diff --git a/policy/modules/services/certmonger.fc b/policy/modules/services/certmonger.fc new file mode 100644 index 0000000..5ad1a52 --- /dev/null +++ b/policy/modules/services/certmonger.fc @@ -0,0 +1,6 @@ +/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0) + +/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0) + +/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0) +/var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0) diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if new file mode 100644 index 0000000..d664be8 --- /dev/null +++ b/policy/modules/services/certmonger.if 
@@ -0,0 +1,174 @@ +## <summary>Certificate status monitor and PKI enrollment client</summary> + +######################################## +## <summary> +## Execute a domain transition to run certmonger. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`certmonger_domtrans',` + gen_require(` + type certmonger_t, certmonger_exec_t; + ') + + domtrans_pattern($1, certmonger_exec_t, certmonger_t) +') + +######################################## +## <summary> +## Send and receive messages from +## certmonger over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`certmonger_dbus_chat',` + gen_require(` + type certmonger_t; + class dbus send_msg; + ') + + allow $1 certmonger_t:dbus send_msg; + allow certmonger_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Execute certmonger server in the certmonger domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`certmonger_initrc_domtrans',` + gen_require(` + type certmonger_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, certmonger_initrc_exec_t) +') + +######################################## +## <summary> +## Read certmonger PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`certmonger_read_pid_files',` + gen_require(` + type certmonger_var_run_t; + ') + + files_search_pids($1) + allow $1 certmonger_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Search certmonger lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`certmonger_search_lib',` + gen_require(` + type certmonger_var_lib_t; + ') + + allow $1 certmonger_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Read certmonger lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`certmonger_read_lib_files',` + gen_require(` + type certmonger_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## certmonger lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`certmonger_manage_lib_files',` + gen_require(` + type certmonger_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an certmonger environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`certmonger_admin',` + gen_require(` + type certmonger_t, certmonger_initrc_exec_t; + type certmonger_var_lib_t, certmonger_var_run_t; + ') + + ps_process_pattern($1, certmonger_t) + allow $1 certmonger_t:process { ptrace signal_perms }; + + # Allow certmonger_t to restart the apache service + certmonger_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 certmonger_initrc_exec_t system_r; + allow $2 system_r; + + files_list_var_lib($1) + admin_pattern($1, certmonger_var_lib_t) + + files_list_pids($1) + admin_pattern($1, certmonger_var_run_t) +') 
diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te new file mode 100644 index 0000000..5595c96 --- /dev/null +++ b/policy/modules/services/certmonger.te 
@@ -0,0 +1,83 @@ +policy_module(certmonger, 1.0.1) + +######################################## +# +# Declarations +# + +type certmonger_t; +type certmonger_exec_t; +init_daemon_domain(certmonger_t, certmonger_exec_t) + +type certmonger_initrc_exec_t; +init_script_file(certmonger_initrc_exec_t) + +type certmonger_var_run_t; +files_pid_file(certmonger_var_run_t) + +type certmonger_var_lib_t; +files_type(certmonger_var_lib_t) + +######################################## +# +# certmonger local policy +# + +allow certmonger_t self:capability { kill sys_nice }; +allow certmonger_t self:process { getsched setsched sigkill }; +allow certmonger_t self:fifo_file rw_file_perms; +allow certmonger_t self:unix_stream_socket create_stream_socket_perms; +allow certmonger_t self:tcp_socket create_stream_socket_perms; +allow certmonger_t self:netlink_route_socket r_netlink_socket_perms; + +manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) +manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) +files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir }) + +manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) +manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) +files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir }) + +corenet_tcp_sendrecv_generic_if(certmonger_t) +corenet_tcp_sendrecv_generic_node(certmonger_t) +corenet_tcp_sendrecv_all_ports(certmonger_t) +corenet_tcp_connect_certmaster_port(certmonger_t) + +dev_read_urand(certmonger_t) + +domain_use_interactive_fds(certmonger_t) + +files_read_etc_files(certmonger_t) +files_read_usr_files(certmonger_t) +files_list_tmp(certmonger_t) + +logging_send_syslog_msg(certmonger_t) + +miscfiles_read_localization(certmonger_t) +miscfiles_manage_generic_cert_files(certmonger_t) + +sysnet_dns_name_resolve(certmonger_t) + +userdom_search_user_home_content(certmonger_t) + +optional_policy(` + 
apache_search_config(certmonger_t) +') + +optional_policy(` + bind_search_cache(certmonger_t) +') + +optional_policy(` + dbus_system_bus_client(certmonger_t) + dbus_connect_system_bus(certmonger_t) +') + +optional_policy(` + kerberos_use(certmonger_t) +') + +optional_policy(` + pcscd_stream_connect(certmonger_t) +') + diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc new file mode 100644 index 0000000..420c9d3 --- /dev/null +++ b/policy/modules/services/cgroup.fc @@ -0,0 +1,14 @@ +/etc/cgconfig.conf -- gen_context(system_u:object_r:cgconfig_etc_t,s0) +/etc/cgrules.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0) + +/etc/sysconfig/cgconfig -- gen_context(system_u:object_r:cgconfig_etc_t,s0) +/etc/sysconfig/cgred.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0) + +/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0) +/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0) + +/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0) +/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0) +/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0) + +/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0) diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if new file mode 100644 index 0000000..e5cbcef --- /dev/null +++ b/policy/modules/services/cgroup.if 
@@ -0,0 +1,199 @@ +## <summary>libcg is a library that abstracts the control group file system in Linux.</summary> + +######################################## +## <summary> +## Execute a domain transition to run +## CG Clear. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cgroup_domtrans_cgclear',` + gen_require(` + type cgclear_t, cgclear_exec_t; + ') + + domtrans_pattern($1, cgclear_exec_t, cgclear_t) + corecmd_search_bin($1) +') + +######################################## +## <summary> +## Execute a domain transition to run +## CG config parser. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cgroup_domtrans_cgconfig',` + gen_require(` + type cgconfig_t, cgconfig_exec_t; + ') + + domtrans_pattern($1, cgconfig_exec_t, cgconfig_t) + corecmd_search_bin($1) +') + +######################################## +## <summary> +## Execute a domain transition to run +## CG config parser. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cgroup_initrc_domtrans_cgconfig',` + gen_require(` + type cgconfig_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, cgconfig_initrc_exec_t) +') + +######################################## +## <summary> +## Execute a domain transition to run +## CG rules engine daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cgroup_domtrans_cgred',` + gen_require(` + type cgred_t, cgred_exec_t; + ') + + domtrans_pattern($1, cgred_exec_t, cgred_t) + corecmd_search_bin($1) +') + +######################################## +## <summary> +## Execute a domain transition to run +## CG rules engine daemon. +## domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`cgroup_initrc_domtrans_cgred',` + gen_require(` + type cgred_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, cgred_initrc_exec_t) +') + +######################################## +## <summary> +## Execute a domain transition to +## run CG Clear and allow the +## specified role the CG Clear +## domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`cgroup_run_cgclear',` + gen_require(` + type cgclear_t; + ') + + cgroup_domtrans_cgclear($1) + role $2 types cgclear_t; +') + +######################################## +## <summary> +## Connect to CG rules engine daemon +## over unix stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cgroup_stream_connect_cgred', ` + gen_require(` + type cgred_var_run_t, cgred_t; + ') + + stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t) + files_search_pids($1) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an cgroup environment. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`cgroup_admin',` + gen_require(` + type cgred_t, cgconfig_t, cgred_var_run_t; + type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t; + type cgrules_etc_t, cgclear_t; + ') + + allow $1 cgclear_t:process { ptrace signal_perms }; + ps_process_pattern($1, cgclear_t) + + allow $1 cgconfig_t:process { ptrace signal_perms }; + ps_process_pattern($1, cgconfig_t) + + allow $1 cgred_t:process { ptrace signal_perms }; + ps_process_pattern($1, cgred_t) + + admin_pattern($1, cgconfig_etc_t) + admin_pattern($1, cgrules_etc_t) + files_list_etc($1) + + admin_pattern($1, cgred_var_run_t) + files_list_pids($1) + + cgroup_initrc_domtrans_cgconfig($1) + domain_system_change_exemption($1) + role_transition $2 cgconfig_initrc_exec_t system_r; + allow $2 system_r; + + cgroup_initrc_domtrans_cgred($1) + role_transition $2 cgred_initrc_exec_t system_r; + + cgroup_run_cgclear($1, $2) +') diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te new file mode 100644 index 0000000..63a18fc --- /dev/null +++ b/policy/modules/services/cgroup.te 
@@ -0,0 +1,102 @@ +policy_module(cgroup, 1.0.0) + +######################################## +# +# Declarations +# + +type cgclear_t; +type cgclear_exec_t; +init_daemon_domain(cgclear_t, cgclear_exec_t) + +type cgred_t; +type cgred_exec_t; +init_daemon_domain(cgred_t, cgred_exec_t) + +type cgred_initrc_exec_t; +init_script_file(cgred_initrc_exec_t) + +type cgred_var_run_t; +files_pid_file(cgred_var_run_t) + +type cgrules_etc_t; +files_config_file(cgrules_etc_t) + +type cgconfig_t alias cgconfigparser_t; +type cgconfig_exec_t alias cgconfigparser_exec_t; +init_daemon_domain(cgconfig_t, cgconfig_exec_t) + +type cgconfig_initrc_exec_t; +init_script_file(cgconfig_initrc_exec_t) + +type cgconfig_etc_t; +files_config_file(cgconfig_etc_t) + +######################################## +# +# cgclear personal policy. +# + +allow cgclear_t self:capability sys_admin; + +kernel_read_system_state(cgclear_t) + +domain_setpriority_all_domains(cgclear_t) + +fs_manage_cgroup_dirs(cgclear_t) +fs_manage_cgroup_files(cgclear_t) +fs_unmount_cgroup(cgclear_t) + +######################################## +# +# cgconfig personal policy. +# + +allow cgconfig_t self:capability { dac_override fowner chown sys_admin }; + +allow cgconfig_t cgconfig_etc_t:file read_file_perms; + +# search will do. +kernel_list_unlabeled(cgconfig_t) +kernel_read_system_state(cgconfig_t) + +# /etc/nsswitch.conf, /etc/passwd +files_read_etc_files(cgconfig_t) + +fs_manage_cgroup_dirs(cgconfig_t) +fs_manage_cgroup_files(cgconfig_t) +fs_mount_cgroup(cgconfig_t) +fs_mounton_cgroup(cgconfig_t) + +######################################## +# +# cgred personal policy. 
+# + +allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override }; +allow cgred_t self:netlink_socket { write bind create read }; +allow cgred_t self:unix_dgram_socket { write create connect }; + +allow cgred_t cgrules_etc_t:file read_file_perms; + +# rc script creates pid file +manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) +manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) +files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file }) + +kernel_read_system_state(cgred_t) + +domain_read_all_domains_state(cgred_t) +domain_setpriority_all_domains(cgred_t) + +files_getattr_all_files(cgred_t) +files_getattr_all_sockets(cgred_t) +files_read_all_symlinks(cgred_t) +# /etc/group +files_read_etc_files(cgred_t) + +fs_write_cgroup_files(cgred_t) + +logging_send_syslog_msg(cgred_t) + +miscfiles_read_localization(cgred_t) diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc new file mode 100644 index 0000000..fd8cd0b --- /dev/null +++ b/policy/modules/services/chronyd.fc @@ -0,0 +1,9 @@ +/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) + +/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) + +/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) + +/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0) +/var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0) +/var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0) diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if new file mode 100644 index 0000000..2ede737 --- /dev/null +++ b/policy/modules/services/chronyd.if 
@@ -0,0 +1,180 @@ +## <summary>Chrony NTP background daemon</summary> + +##################################### +## <summary> +## Execute chronyd in the chronyd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`chronyd_domtrans',` + gen_require(` + type chronyd_t, chronyd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, chronyd_exec_t, chronyd_t) +') + +######################################## +## <summary> +## Execute chronyd server in the chronyd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`chronyd_initrc_domtrans',` + gen_require(` + type chronyd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, chronyd_initrc_exec_t) +') + +#################################### +## <summary> +## Execute chronyd +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`chronyd_exec',` + gen_require(` + type chronyd_exec_t; + ') + + can_exec($1, chronyd_exec_t) +') + +##################################### +## <summary> +## Read chronyd logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`chronyd_read_log',` + gen_require(` + type chronyd_var_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t) +') + +######################################## +## <summary> +## Read and write chronyd shared memory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`chronyd_rw_shm',` + gen_require(` + type chronyd_t, chronyd_tmpfs_t; + ') + + allow $1 chronyd_t:shm rw_shm_perms; + allow $1 chronyd_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t) + read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t) + fs_search_tmpfs($1) +') + +######################################## +## <summary> +## Read chronyd keys files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`chronyd_read_keys',` + gen_require(` + type chronyd_keys_t; + ') + + read_files_pattern($1, chronyd_keys_t, chronyd_keys_t) +') + +######################################## +## <summary> +## Append chronyd keys files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`chronyd_append_keys',` + gen_require(` + type chronyd_keys_t; + ') + + append_files_pattern($1, chronyd_keys_t, chronyd_keys_t) +') + +#################################### +## <summary> +## All of the rules required to administrate +## an chronyd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the chronyd domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`chronyd_admin',` + gen_require(` + type chronyd_t, chronyd_var_log_t, chronyd_var_run_t; + type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t; + type chronyd_keys_t; + ') + + allow $1 chronyd_t:process { ptrace signal_perms }; + ps_process_pattern($1, chronyd_t) + + init_labeled_script_domtrans($1, chronyd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 chronyd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, chronyd_keys_t) + + logging_list_logs($1) + admin_pattern($1, chronyd_var_log_t) + + files_list_var_lib($1) + admin_pattern($1, chronyd_var_lib_t) + + files_list_pids($1) + admin_pattern($1, chronyd_var_run_t) + + admin_pattern($1, chronyd_tmpfs_t) +') diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te new file mode 100644 index 0000000..7f4ca47 --- /dev/null +++ b/policy/modules/services/chronyd.te 
@@ -0,0 +1,76 @@ +policy_module(chronyd, 1.1.0) + +######################################## +# +# Declarations +# + +type chronyd_t; +type chronyd_exec_t; +init_daemon_domain(chronyd_t, chronyd_exec_t) + +type chronyd_initrc_exec_t; +init_script_file(chronyd_initrc_exec_t) + +type chronyd_keys_t; +files_type(chronyd_keys_t) + +type chronyd_tmpfs_t; +files_tmpfs_file(chronyd_tmpfs_t) + +type chronyd_var_lib_t; +files_type(chronyd_var_lib_t) + +type chronyd_var_log_t; +logging_log_file(chronyd_var_log_t) + +type chronyd_var_run_t; +files_pid_file(chronyd_var_run_t) + +######################################## +# +# Local policy +# + +allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; +allow chronyd_t self:process { getcap setcap setrlimit }; +allow chronyd_t self:shm create_shm_perms; +allow chronyd_t self:udp_socket create_socket_perms; +allow chronyd_t self:unix_dgram_socket create_socket_perms; + +allow chronyd_t chronyd_keys_t:file read_file_perms; + +manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) +manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) +fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file }) + +manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) +manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) +manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) +files_var_lib_filetrans(chronyd_t, chronyd_var_lib_t, { file dir }) + +manage_files_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t) +manage_dirs_pattern(chronyd_t, chronyd_var_log_t, chronyd_var_log_t) +logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir }) + +manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) +manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t) +files_pid_filetrans(chronyd_t, chronyd_var_run_t, file) + +corenet_udp_bind_generic_node(chronyd_t) +corenet_udp_bind_ntp_port(chronyd_t) +# bind to 
udp/323 +corenet_udp_bind_chronyd_port(chronyd_t) + +# real time clock option +dev_rw_realtime_clock(chronyd_t) + +auth_use_nsswitch(chronyd_t) + +logging_send_syslog_msg(chronyd_t) + +miscfiles_read_localization(chronyd_t) + +optional_policy(` + gpsd_rw_shm(chronyd_t) +') diff --git a/policy/modules/services/cipe.fc b/policy/modules/services/cipe.fc new file mode 100644 index 0000000..afcdf02 --- /dev/null +++ b/policy/modules/services/cipe.fc @@ -0,0 +1,4 @@ +# +# /usr +# +/usr/sbin/ciped.* -- gen_context(system_u:object_r:ciped_exec_t,s0) diff --git a/policy/modules/services/cipe.if b/policy/modules/services/cipe.if new file mode 100644 index 0000000..b5fd668 --- /dev/null +++ b/policy/modules/services/cipe.if @@ -0,0 +1 @@ +## <summary>Encrypted tunnel daemon</summary> diff --git a/policy/modules/services/cipe.te b/policy/modules/services/cipe.te new file mode 100644 index 0000000..8e1ef38 --- /dev/null +++ b/policy/modules/services/cipe.te 
@@ -0,0 +1,72 @@ +policy_module(cipe, 1.5.0) + +######################################## +# +# Declarations +# + +type ciped_t; +type ciped_exec_t; +init_daemon_domain(ciped_t, ciped_exec_t) + +######################################## +# +# Local policy +# + +allow ciped_t self:capability { net_admin ipc_lock sys_tty_config }; +dontaudit ciped_t self:capability sys_tty_config; +allow ciped_t self:process signal_perms; +allow ciped_t self:fifo_file rw_fifo_file_perms; +allow ciped_t self:unix_dgram_socket create_socket_perms; +allow ciped_t self:unix_stream_socket create_socket_perms; +allow ciped_t self:udp_socket create_socket_perms; + +kernel_read_kernel_sysctls(ciped_t) +kernel_read_system_state(ciped_t) + +corecmd_exec_shell(ciped_t) +corecmd_exec_bin(ciped_t) + +corenet_all_recvfrom_unlabeled(ciped_t) +corenet_all_recvfrom_netlabel(ciped_t) +corenet_udp_sendrecv_generic_if(ciped_t) +corenet_udp_sendrecv_generic_node(ciped_t) +corenet_udp_sendrecv_all_ports(ciped_t) +corenet_udp_bind_generic_node(ciped_t) +# cipe uses the afs3-bos port (udp 7007) +corenet_udp_bind_afs_bos_port(ciped_t) +corenet_sendrecv_afs_bos_server_packets(ciped_t) + +dev_read_sysfs(ciped_t) +dev_read_rand(ciped_t) +# for SSP +dev_read_urand(ciped_t) + +domain_use_interactive_fds(ciped_t) + +files_read_etc_files(ciped_t) +files_read_etc_runtime_files(ciped_t) +files_dontaudit_search_var(ciped_t) + +fs_search_auto_mountpoints(ciped_t) + +logging_send_syslog_msg(ciped_t) + +miscfiles_read_localization(ciped_t) + +sysnet_read_config(ciped_t) + +userdom_dontaudit_use_unpriv_user_fds(ciped_t) + +optional_policy(` + nis_use_ypbind(ciped_t) +') + +optional_policy(` + seutil_sigchld_newrole(ciped_t) +') + +optional_policy(` + udev_read_db(ciped_t) +') diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc new file mode 100644 index 0000000..e8e9a21 --- /dev/null +++ b/policy/modules/services/clamav.fc 
@@ -0,0 +1,20 @@ +/etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0) +/etc/rc\.d/init\.d/clamd-wrapper -- gen_context(system_u:object_r:clamd_initrc_exec_t,s0) + +/usr/bin/clamscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) +/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) +/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) + +/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) +/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) + +/var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) +/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) +/var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0) +/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) +/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) +/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) +/var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0) +/var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) +/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) +/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0) diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if new file mode 100644 index 0000000..01b02f3 --- /dev/null +++ b/policy/modules/services/clamav.if 
@@ -0,0 +1,192 @@ +## <summary>ClamAV Virus Scanner</summary> + +######################################## +## <summary> +## Execute a domain transition to run clamd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`clamav_domtrans',` + gen_require(` + type clamd_t, clamd_exec_t; + ') + + domtrans_pattern($1, clamd_exec_t, clamd_t) +') + +######################################## +## <summary> +## Connect to run clamd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`clamav_stream_connect',` + gen_require(` + type clamd_t, clamd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t) +') + +######################################## +## <summary> +## Allow the specified domain to append +## to clamav log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`clamav_append_log',` + gen_require(` + type clamav_log_t; + ') + + logging_search_logs($1) + allow $1 clamav_log_t:dir list_dir_perms; + append_files_pattern($1, clamav_log_t, clamav_log_t) +') + +######################################## +## <summary> +## Read clamav configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`clamav_read_config',` + gen_require(` + type clamd_etc_t; + ') + + files_search_etc($1) + allow $1 clamd_etc_t:file read_file_perms; +') + +######################################## +## <summary> +## Search clamav libraries directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`clamav_search_lib',` + gen_require(` + type clamd_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 clamd_var_lib_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Execute a domain transition to run clamscan. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`clamav_domtrans_clamscan',` + gen_require(` + type clamscan_t, clamscan_exec_t; + ') + + domtrans_pattern($1, clamscan_exec_t, clamscan_t) +') + +######################################## +## <summary> +## Execute clamscan without a transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`clamav_exec_clamscan',` + gen_require(` + type clamscan_exec_t; + ') + + can_exec($1, clamscan_exec_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an clamav environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the clamav domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`clamav_admin',` + gen_require(` + type clamd_t, clamd_etc_t, clamd_tmp_t; + type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t; + type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t; + type freshclam_t, freshclam_var_log_t; + ') + + allow $1 clamd_t:process { ptrace signal_perms }; + ps_process_pattern($1, clamd_t) + + allow $1 clamscan_t:process { ptrace signal_perms }; + ps_process_pattern($1, clamscan_t) + + allow $1 freshclam_t:process { ptrace signal_perms }; + ps_process_pattern($1, freshclam_t) + + init_labeled_script_domtrans($1, clamd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 clamd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, clamd_etc_t) + + files_list_var_lib($1) + admin_pattern($1, clamd_var_lib_t) + + logging_list_logs($1) + admin_pattern($1, clamd_var_log_t) + + files_list_pids($1) + admin_pattern($1, clamd_var_run_t) + + files_list_tmp($1) + admin_pattern($1, clamd_tmp_t) + + admin_pattern($1, clamscan_tmp_t) + + admin_pattern($1, freshclam_var_log_t) +') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te new file mode 100644 index 0000000..532fa91 --- /dev/null +++ b/policy/modules/services/clamav.te 
@@ -0,0 +1,291 @@ +policy_module(clamav, 1.8.1) + +## <desc> +## <p> +## Allow clamd to use JIT compiler +## </p> +## </desc> +gen_tunable(clamd_use_jit, false) + +######################################## +# +# Declarations +# + +# Main clamd domain +type clamd_t; +type clamd_exec_t; +init_daemon_domain(clamd_t, clamd_exec_t) + +# configuration files +type clamd_etc_t; +files_config_file(clamd_etc_t) + +type clamd_initrc_exec_t; +init_script_file(clamd_initrc_exec_t) + +# tmp files +type clamd_tmp_t; +files_tmp_file(clamd_tmp_t) + +# log files +type clamd_var_log_t; +logging_log_file(clamd_var_log_t) + +# var/lib files +type clamd_var_lib_t; +files_type(clamd_var_lib_t) + +# pid files +type clamd_var_run_t; +files_pid_file(clamd_var_run_t) +typealias clamd_var_run_t alias clamd_sock_t; + +type clamscan_t; +type clamscan_exec_t; +init_daemon_domain(clamscan_t, clamscan_exec_t) + +# tmp files +type clamscan_tmp_t; +files_tmp_file(clamscan_tmp_t) + +type freshclam_t; +type freshclam_exec_t; +init_daemon_domain(freshclam_t, freshclam_exec_t) + +# log files +type freshclam_var_log_t; +logging_log_file(freshclam_var_log_t) + +######################################## +# +# clamd local policy +# + +allow clamd_t self:capability { kill setgid setuid dac_override }; +dontaudit clamd_t self:capability sys_tty_config; +allow clamd_t self:process signal; + +allow clamd_t self:fifo_file rw_fifo_file_perms; +allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow clamd_t self:unix_dgram_socket create_socket_perms; +allow clamd_t self:tcp_socket { listen accept }; + +# configuration files +allow clamd_t clamd_etc_t:dir list_dir_perms; +read_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t) +read_lnk_files_pattern(clamd_t, clamd_etc_t, clamd_etc_t) + +# tmp files +manage_dirs_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t) +manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t) +files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir }) + +# var/lib files for 
clamd +manage_sock_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) +manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) +manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) + +# log files +manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) +manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) +logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file }) + +# pid file +manage_dirs_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) +manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) +manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) +files_pid_filetrans(clamd_t, clamd_var_run_t, { sock_file file dir }) + +kernel_dontaudit_list_proc(clamd_t) +kernel_read_sysctl(clamd_t) +kernel_read_kernel_sysctls(clamd_t) +kernel_read_system_state(clamd_t) + +corecmd_exec_shell(clamd_t) + +corenet_all_recvfrom_unlabeled(clamd_t) +corenet_all_recvfrom_netlabel(clamd_t) +corenet_tcp_sendrecv_generic_if(clamd_t) +corenet_tcp_sendrecv_generic_node(clamd_t) +corenet_tcp_sendrecv_all_ports(clamd_t) +corenet_tcp_sendrecv_clamd_port(clamd_t) +corenet_tcp_bind_generic_node(clamd_t) +corenet_tcp_bind_clamd_port(clamd_t) +corenet_tcp_bind_generic_port(clamd_t) +corenet_tcp_connect_generic_port(clamd_t) +corenet_sendrecv_clamd_server_packets(clamd_t) + +dev_read_rand(clamd_t) +dev_read_urand(clamd_t) + +domain_use_interactive_fds(clamd_t) + +files_read_etc_files(clamd_t) +files_read_etc_runtime_files(clamd_t) +files_search_spool(clamd_t) + +auth_use_nsswitch(clamd_t) + +logging_send_syslog_msg(clamd_t) + +miscfiles_read_localization(clamd_t) + +cron_use_fds(clamd_t) +cron_use_system_job_fds(clamd_t) +cron_rw_pipes(clamd_t) + +mta_read_config(clamd_t) +mta_send_mail(clamd_t) + +optional_policy(` + amavis_read_lib_files(clamd_t) + amavis_read_spool_files(clamd_t) + amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file) + amavis_create_pid_files(clamd_t) +') + +optional_policy(` + 
exim_read_spool_files(clamd_t) +') + +tunable_policy(`clamd_use_jit',` + allow clamd_t self:process execmem; + allow clamscan_t self:process execmem; +',` + dontaudit clamd_t self:process execmem; + dontaudit clamscan_t self:process execmem; +') + +######################################## +# +# Freshclam local policy +# + +allow freshclam_t self:capability { setgid setuid dac_override }; +allow freshclam_t self:fifo_file rw_fifo_file_perms; +allow freshclam_t self:unix_stream_socket create_stream_socket_perms; +allow freshclam_t self:unix_dgram_socket create_socket_perms; +allow freshclam_t self:tcp_socket { listen accept }; + +# configuration files +allow freshclam_t clamd_etc_t:dir list_dir_perms; +read_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t) +read_lnk_files_pattern(freshclam_t, clamd_etc_t, clamd_etc_t) + +# var/lib files together with clamd +manage_dirs_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t) +manage_files_pattern(freshclam_t, clamd_var_lib_t, clamd_var_lib_t) + +# pidfiles- var/run together with clamd +manage_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t) +manage_sock_files_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t) +files_pid_filetrans(freshclam_t, clamd_var_run_t, file) + +# log files (own logfiles only) +manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) +allow freshclam_t freshclam_var_log_t:dir setattr_dir_perms; +read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t) +logging_log_filetrans(freshclam_t, freshclam_var_log_t, file) + +kernel_read_kernel_sysctls(freshclam_t) +kernel_read_system_state(freshclam_t) + +corecmd_exec_shell(freshclam_t) +corecmd_exec_bin(freshclam_t) + +corenet_all_recvfrom_unlabeled(freshclam_t) +corenet_all_recvfrom_netlabel(freshclam_t) +corenet_tcp_sendrecv_generic_if(freshclam_t) +corenet_tcp_sendrecv_generic_node(freshclam_t) +corenet_tcp_sendrecv_all_ports(freshclam_t) +corenet_tcp_sendrecv_clamd_port(freshclam_t) 
+corenet_tcp_connect_http_port(freshclam_t) +corenet_tcp_connect_clamd_port(freshclam_t) +corenet_sendrecv_http_client_packets(freshclam_t) + +dev_read_rand(freshclam_t) +dev_read_urand(freshclam_t) + +domain_use_interactive_fds(freshclam_t) + +files_read_etc_files(freshclam_t) +files_read_etc_runtime_files(freshclam_t) + +auth_use_nsswitch(freshclam_t) + +logging_send_syslog_msg(freshclam_t) + +miscfiles_read_localization(freshclam_t) + +clamav_stream_connect(freshclam_t) + +userdom_stream_connect(freshclam_t) + +tunable_policy(`clamd_use_jit',` + allow freshclam_t self:process execmem; +',` + dontaudit freshclam_t self:process execmem; +') + +optional_policy(` + cron_system_entry(freshclam_t, freshclam_exec_t) +') + +######################################## +# +# clamscam local policy +# + +allow clamscan_t self:capability { setgid setuid dac_override }; +allow clamscan_t self:fifo_file rw_file_perms; +allow clamscan_t self:unix_stream_socket create_stream_socket_perms; +allow clamscan_t self:unix_dgram_socket create_socket_perms; +allow clamscan_t self:tcp_socket create_stream_socket_perms; + +# configuration files +allow clamscan_t clamd_etc_t:dir list_dir_perms; +read_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t) +read_lnk_files_pattern(clamscan_t, clamd_etc_t, clamd_etc_t) + +# tmp files +manage_dirs_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t) +manage_files_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t) +files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) + +# var/lib files together with clamd +manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) +allow clamscan_t clamd_var_lib_t:dir list_dir_perms; + +corenet_all_recvfrom_unlabeled(clamscan_t) +corenet_all_recvfrom_netlabel(clamscan_t) +corenet_tcp_sendrecv_generic_if(clamscan_t) +corenet_tcp_sendrecv_generic_node(clamscan_t) +corenet_tcp_sendrecv_all_ports(clamscan_t) +corenet_tcp_sendrecv_clamd_port(clamscan_t) +corenet_tcp_connect_clamd_port(clamscan_t) + 
+kernel_read_kernel_sysctls(clamscan_t) +kernel_read_system_state(clamscan_t) + +files_read_etc_files(clamscan_t) +files_read_etc_runtime_files(clamscan_t) +files_search_var_lib(clamscan_t) + +init_read_utmp(clamscan_t) +init_dontaudit_write_utmp(clamscan_t) + +miscfiles_read_localization(clamscan_t) +miscfiles_read_public_files(clamscan_t) + +clamav_stream_connect(clamscan_t) + +mta_send_mail(clamscan_t) + +optional_policy(` + amavis_read_spool_files(clamscan_t) +') + +optional_policy(` + apache_read_sys_content(clamscan_t) +') diff --git a/policy/modules/services/clockspeed.fc b/policy/modules/services/clockspeed.fc new file mode 100644 index 0000000..a7aa385 --- /dev/null +++ b/policy/modules/services/clockspeed.fc @@ -0,0 +1,14 @@ + +# +# /usr +# +/usr/bin/clockadd -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0) +/usr/bin/clockspeed -- gen_context(system_u:object_r:clockspeed_srv_exec_t,s0) +/usr/bin/sntpclock -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0) +/usr/bin/taiclock -- gen_context(system_u:object_r:clockspeed_cli_exec_t,s0) +/usr/bin/taiclockd -- gen_context(system_u:object_r:clockspeed_srv_exec_t,s0) + +# +# /var +# +/var/lib/clockspeed(/.*)? gen_context(system_u:object_r:clockspeed_var_lib_t,s0) diff --git a/policy/modules/services/clockspeed.if b/policy/modules/services/clockspeed.if new file mode 100644 index 0000000..0797617 --- /dev/null +++ b/policy/modules/services/clockspeed.if 
@@ -0,0 +1,44 @@ +## <summary>Clockspeed simple network time protocol client</summary> + +######################################## +## <summary> +## Execute clockspeed utilities in the clockspeed_cli domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`clockspeed_domtrans_cli',` + gen_require(` + type clockspeed_cli_t, clockspeed_cli_exec_t; + ') + + domtrans_pattern($1, clockspeed_cli_exec_t, clockspeed_cli_t) +') + +######################################## +## <summary> +## Allow the specified role the clockspeed_cli domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`clockspeed_run_cli',` + gen_require(` + type clockspeed_cli_t; + ') + + role $2 types clockspeed_cli_t; + clockspeed_domtrans_cli($1) +') diff --git a/policy/modules/services/clockspeed.te b/policy/modules/services/clockspeed.te new file mode 100644 index 0000000..b40f3f7 --- /dev/null +++ b/policy/modules/services/clockspeed.te 
@@ -0,0 +1,72 @@ +policy_module(clockspeed, 1.5.0) + +######################################## +# +# Declarations +# + +type clockspeed_cli_t; +type clockspeed_cli_exec_t; +application_domain(clockspeed_cli_t, clockspeed_cli_exec_t) + +type clockspeed_srv_t; +type clockspeed_srv_exec_t; +init_daemon_domain(clockspeed_srv_t, clockspeed_srv_exec_t) + +type clockspeed_var_lib_t; +files_type(clockspeed_var_lib_t) + +######################################## +# +# Client local policy +# + +allow clockspeed_cli_t self:capability sys_time; +allow clockspeed_cli_t self:udp_socket create_socket_perms; + +read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t) + +corenet_all_recvfrom_unlabeled(clockspeed_cli_t) +corenet_all_recvfrom_netlabel(clockspeed_cli_t) +corenet_udp_sendrecv_generic_if(clockspeed_cli_t) +corenet_udp_sendrecv_generic_node(clockspeed_cli_t) +corenet_udp_sendrecv_ntp_port(clockspeed_cli_t) +corenet_sendrecv_ntp_client_packets(clockspeed_cli_t) + +files_list_var_lib(clockspeed_cli_t) +files_read_etc_files(clockspeed_cli_t) + +miscfiles_read_localization(clockspeed_cli_t) + +userdom_use_user_terminals(clockspeed_cli_t) + +######################################## +# +# Server local policy +# + +allow clockspeed_srv_t self:capability { sys_time net_bind_service }; +allow clockspeed_srv_t self:udp_socket create_socket_perms; +allow clockspeed_srv_t self:unix_dgram_socket create_socket_perms; +allow clockspeed_srv_t self:unix_stream_socket create_socket_perms; + +manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t) +manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t) + +corenet_all_recvfrom_unlabeled(clockspeed_srv_t) +corenet_all_recvfrom_netlabel(clockspeed_srv_t) +corenet_udp_sendrecv_generic_if(clockspeed_srv_t) +corenet_udp_sendrecv_generic_node(clockspeed_srv_t) +corenet_udp_sendrecv_ntp_port(clockspeed_srv_t) +corenet_udp_bind_generic_node(clockspeed_srv_t) 
+corenet_udp_bind_clockspeed_port(clockspeed_srv_t) +corenet_sendrecv_clockspeed_server_packets(clockspeed_srv_t) + +files_read_etc_files(clockspeed_srv_t) +files_list_var_lib(clockspeed_srv_t) + +miscfiles_read_localization(clockspeed_srv_t) + +optional_policy(` + daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t) +') diff --git a/policy/modules/services/clogd.fc b/policy/modules/services/clogd.fc new file mode 100644 index 0000000..6793948 --- /dev/null +++ b/policy/modules/services/clogd.fc @@ -0,0 +1,3 @@ +/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0) + +/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0) diff --git a/policy/modules/services/clogd.if b/policy/modules/services/clogd.if new file mode 100644 index 0000000..e438c5f --- /dev/null +++ b/policy/modules/services/clogd.if 
@@ -0,0 +1,79 @@ +## <summary>clogd - Clustered Mirror Log Server</summary> + +###################################### +## <summary> +## Execute a domain transition to run clogd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`clogd_domtrans',` + gen_require(` + type clogd_t, clogd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, clogd_exec_t, clogd_t) +') + +##################################### +## <summary> +## Connect to clogd over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`clogd_stream_connect',` + gen_require(` + type clogd_t, clogd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, clogd_var_run_t, clogd_var_run_t, clogd_t) +') + +##################################### +## <summary> +## Allow read and write access to clogd semaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`clogd_rw_semaphores',` + gen_require(` + type clogd_t; + ') + + allow $1 clogd_t:sem rw_sem_perms; +') + +######################################## +## <summary> +## Read and write to group shared memory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`clogd_rw_shm',` + gen_require(` + type clogd_t, clogd_tmpfs_t; + ') + + allow $1 clogd_t:shm rw_shm_perms; + allow $1 clogd_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) + fs_search_tmpfs($1) +') diff --git a/policy/modules/services/clogd.te b/policy/modules/services/clogd.te new file mode 100644 index 0000000..d10acd2 --- /dev/null +++ b/policy/modules/services/clogd.te 
@@ -0,0 +1,53 @@ +policy_module(clogd, 1.0.0) + +######################################## +# +# Declarations +# + +type clogd_t; +type clogd_exec_t; +init_daemon_domain(clogd_t, clogd_exec_t) + +type clogd_tmpfs_t; +files_tmpfs_file(clogd_tmpfs_t) + +# pid files +type clogd_var_run_t; +files_pid_file(clogd_var_run_t) + +######################################## +# +# clogd local policy +# + +allow clogd_t self:capability { net_admin mknod }; +allow clogd_t self:process signal; +allow clogd_t self:sem create_sem_perms; +allow clogd_t self:shm create_shm_perms; +allow clogd_t self:netlink_socket create_socket_perms; +allow clogd_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t) +manage_files_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t) +fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t, { dir file }) + +# pid files +manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t) +manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t) +files_pid_filetrans(clogd_t, clogd_var_run_t, file) + +dev_read_lvm_control(clogd_t) +dev_manage_generic_blk_files(clogd_t) + +storage_raw_read_fixed_disk(clogd_t) +storage_raw_write_fixed_disk(clogd_t) + +logging_send_syslog_msg(clogd_t) + +miscfiles_read_localization(clogd_t) + +optional_policy(` + aisexec_stream_connect(clogd_t) + corosync_stream_connect(clogd_t) +') diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc new file mode 100644 index 0000000..e500fa5 --- /dev/null +++ b/policy/modules/services/cmirrord.fc @@ -0,0 +1,6 @@ + +/etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0) + +/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0) + +/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0) diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if new file mode 100644 index 0000000..756ac91 --- /dev/null 
+++ b/policy/modules/services/cmirrord.if 
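Review bot: in clogd.te, `files_pid_filetrans(clogd_t, clogd_var_run_t, file)` only transitions regular files, yet the domain is given `manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)` and `clogd_stream_connect` expects to find a clogd_var_run_t socket; a socket clogd creates under /var/run will inherit the directory's type instead, and the connect will be denied. Use `files_pid_filetrans(clogd_t, clogd_var_run_t, { file sock_file })`, or drop the sock_file rules if no socket is created there. Two smaller points: the single `optional_policy` block holding both `aisexec_stream_connect(clogd_t)` and `corosync_stream_connect(clogd_t)` is discarded as a whole when either module is absent, so split it into one block per module; and `mknod` together with `dev_manage_generic_blk_files(clogd_t)` lets the daemon create and rewrite block device nodes, which deserves a comment naming the device clogd needs, given it already has `dev_read_lvm_control` and raw fixed-disk read/write.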
@@ -0,0 +1,113 @@ +## <summary>policy for cmirrord</summary> + +######################################## +## <summary> +## Execute a domain transition to run cmirrord. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cmirrord_domtrans',` + gen_require(` + type cmirrord_t, cmirrord_exec_t; + ') + + domtrans_pattern($1, cmirrord_exec_t, cmirrord_t) +') + +######################################## +## <summary> +## Execute cmirrord server in the cmirrord domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cmirrord_initrc_domtrans',` + gen_require(` + type cmirrord_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, cmirrord_initrc_exec_t) +') + +######################################## +## <summary> +## Read cmirrord PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cmirrord_read_pid_files',` + gen_require(` + type cmirrord_var_run_t; + ') + + files_search_pids($1) + allow $1 cmirrord_var_run_t:file read_file_perms; +') + +####################################### +## <summary> +## Read and write to cmirrord shared memory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`cmirrord_rw_shm',` + gen_require(` + type cmirrord_t, cmirrord_tmpfs_t; + ') + + allow $1 cmirrord_t:shm { rw_shm_perms destroy }; + allow $1 cmirrord_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) + delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) + read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) + fs_search_tmpfs($1) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an cmirrord environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`cmirrord_admin',` + gen_require(` + type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t; + ') + + allow $1 cmirrord_t:process { ptrace signal_perms }; + ps_process_pattern($1, cmirrord_t) + + cmirrord_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 cmirrord_initrc_exec_t system_r; + allow $2 system_r; + + files_list_pids($1) + admin_pattern($1, cmirrord_var_run_t) +') diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te new file mode 100644 index 0000000..a2c7134 --- /dev/null +++ b/policy/modules/services/cmirrord.te 
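Review bot: `cmirrord_rw_shm` is documented as "Read and write to cmirrord shared memory" but also grants `destroy` on the shm segment and `delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)`; either state the destructive permissions in the summary or move them into a separate interface so a caller that only needs rw does not get delete. Also, `cmirrord_domtrans` omits the `corecmd_search_bin($1)` that `clogd_domtrans` includes for the same /usr/sbin location, and the `cmirrord_admin` summary has "an cmirrord environment" where it should read "a cmirrord environment".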
@@ -0,0 +1,53 @@ +policy_module(cmirrord, 1.0.0) + +######################################## +# +# Declarations +# + +type cmirrord_t; +type cmirrord_exec_t; +init_daemon_domain(cmirrord_t, cmirrord_exec_t) + +type cmirrord_initrc_exec_t; +init_script_file(cmirrord_initrc_exec_t) + +type cmirrord_tmpfs_t; +files_tmpfs_file(cmirrord_tmpfs_t) + +type cmirrord_var_run_t; +files_pid_file(cmirrord_var_run_t) + +######################################## +# +# cmirrord local policy +# + +allow cmirrord_t self:capability { net_admin kill }; +dontaudit cmirrord_t self:capability sys_tty_config; +allow cmirrord_t self:process signal; +allow cmirrord_t self:fifo_file rw_fifo_file_perms; +allow cmirrord_t self:sem create_sem_perms; +allow cmirrord_t self:shm create_shm_perms; +allow cmirrord_t self:netlink_socket create_socket_perms; +allow cmirrord_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) +manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) +fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file }) + +manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t) +manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t) +files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) + +domain_use_interactive_fds(cmirrord_t) + +files_read_etc_files(cmirrord_t) + +logging_send_syslog_msg(cmirrord_t) + +miscfiles_read_localization(cmirrord_t) + +optional_policy(` + corosync_stream_connect(cmirrord_t) +') diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc new file mode 100644 index 0000000..90c60df --- /dev/null +++ b/policy/modules/services/cobbler.fc 
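Review bot: cmirrord.te grants `manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t)` but `files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)` transitions only regular files, and cmirrord.fc labels nothing beyond /var/run/cmirrord.pid; a directory the daemon creates in /var/run would not get cmirrord_var_run_t, so either add `dir` to the filetrans (with a matching fc entry) or drop the dir rules. Separately, the `kill` capability in `allow cmirrord_t self:capability { net_admin kill };` only matters for signalling processes of other users, and the only signal rule here is `allow cmirrord_t self:process signal;`, so please comment which process it signals or drop the capability.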
@@ -0,0 +1,32 @@ + +/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0) + +/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0) + +/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0) + +/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) + +/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0) + +/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0) + +# This should removable when cobbler package installs /var/www/cobbler/rendered +/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0) + +/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) + 
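Review bot: the comment above the /var/www/cobbler entry in cobbler.fc reads "This should removable when ..."; make it "This should be removable when ...". The entry ordering itself is fine, since the more specific /var/www/cobbler/* patterns take precedence over the httpd_cobbler_content_t default for the parent.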
diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if new file mode 100644 index 0000000..e3787fb --- /dev/null +++ b/policy/modules/services/cobbler.if 
@@ -0,0 +1,218 @@ +## <summary>Cobbler installation server.</summary> +## <desc> +## <p> +## Cobbler is a Linux installation server that allows for +## rapid setup of network installation environments. It +## glues together and automates many associated Linux +## tasks so you do not have to hop between lots of various +## commands and applications when rolling out new systems, +## and, in some cases, changing existing ones. +## </p> +## </desc> + +######################################## +## <summary> +## Execute a domain transition to run cobblerd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cobblerd_domtrans',` + gen_require(` + type cobblerd_t, cobblerd_exec_t; + ') + + domtrans_pattern($1, cobblerd_exec_t, cobblerd_t) + corecmd_search_bin($1) +') + +######################################## +## <summary> +## Execute cobblerd server in the cobblerd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cobblerd_initrc_domtrans',` + gen_require(` + type cobblerd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, cobblerd_initrc_exec_t) +') + +######################################## +## <summary> +## List Cobbler configuration. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cobbler_list_config',` + gen_require(` + type cobbler_etc_t; + ') + + list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + files_search_etc($1) +') + +######################################## +## <summary> +## Read Cobbler configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`cobbler_read_config',` + gen_require(` + type cobbler_etc_t; + ') + + read_files_pattern($1, cobbler_etc_t, cobbler_etc_t) + files_search_etc($1) +') + +######################################## +## <summary> +## Search cobbler dirs in /var/lib +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cobbler_search_lib',` + gen_require(` + type cobbler_var_lib_t; + ') + + search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + files_search_var_lib($1) +') + +######################################## +## <summary> +## Read cobbler files in /var/lib +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cobbler_read_lib_files',` + gen_require(` + type cobbler_var_lib_t; + ') + + read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + files_search_var_lib($1) +') + +######################################## +## <summary> +## Manage cobbler files in /var/lib +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cobbler_manage_lib_files',` + gen_require(` + type cobbler_var_lib_t; + ') + + manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + files_search_var_lib($1) +') + +######################################## +## <summary> +## Do not audit attempts to read and write +## Cobbler log files (leaked fd). +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`cobbler_dontaudit_rw_log',` + gen_require(` + type cobbler_var_log_t; + ') + + dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an cobblerd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`cobblerd_admin',` + gen_require(` + type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; + type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t; + type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t; + ') + + allow $1 cobblerd_t:process { ptrace signal_perms }; + ps_process_pattern($1, cobblerd_t) + + files_list_etc($1) + admin_pattern($1, cobbler_etc_t) + + files_list_var_lib($1) + admin_pattern($1, cobbler_var_lib_t) + + logging_list_logs($1) + admin_pattern($1, cobbler_var_log_t) + + apache_list_sys_content($1) + admin_pattern($1, httpd_cobbler_content_t) + admin_pattern($1, httpd_cobbler_content_ra_t) + admin_pattern($1, httpd_cobbler_content_rw_t) + + cobblerd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 cobblerd_initrc_exec_t system_r; + allow $2 system_r; + + optional_policy(` + # traverse /var/lib/tftpdir to get to cobbler_var_lib_t there. + tftp_search_rw_content($1) + ') +') diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te new file mode 100644 index 0000000..c4d678b --- /dev/null +++ b/policy/modules/services/cobbler.te 
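Review bot: `cobbler_list_config` in cobbler.if requires `type cobbler_etc_t;` but its body is `list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)`, so it lists a /var/lib type it never required while the paired `files_search_etc($1)` points at /etc; the call should be `list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)`. Two documentation fixes in the same file: the `cobbler_read_config` parameter summary says "Domain to not audit." where it should say "Domain allowed access.", and the `cobblerd_admin` summary has "an cobblerd environment".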
@@ -0,0 +1,235 @@ +policy_module(cobbler, 1.1.0) + +######################################## +# +# Cobbler personal declarations. +# + +## <desc> +## <p> +## Allow Cobbler to modify public files +## used for public file transfer services. +## </p> +## </desc> +gen_tunable(cobbler_anon_write, false) + +## <desc> +## <p> +## Allow Cobbler to connect to the +## network using TCP. +## </p> +## </desc> +gen_tunable(cobbler_can_network_connect, false) + +## <desc> +## <p> +## Allow Cobbler to access cifs file systems. +## </p> +## </desc> +gen_tunable(cobbler_use_cifs, false) + +## <desc> +## <p> +## Allow Cobbler to access nfs file systems. +## </p> +## </desc> +gen_tunable(cobbler_use_nfs, false) + +type cobblerd_t; +type cobblerd_exec_t; +init_daemon_domain(cobblerd_t, cobblerd_exec_t) + +type cobblerd_initrc_exec_t; +init_script_file(cobblerd_initrc_exec_t) + +type cobbler_etc_t; +files_config_file(cobbler_etc_t) + +type cobbler_var_log_t; +logging_log_file(cobbler_var_log_t) + +type cobbler_var_lib_t alias cobbler_content_t; +files_type(cobbler_var_lib_t) + +type cobbler_tmp_t; +files_tmp_file(cobbler_tmp_t) + +######################################## +# +# Cobbler personal policy. +# + +allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice }; +dontaudit cobblerd_t self:capability { sys_ptrace sys_tty_config }; + +allow cobblerd_t self:process { getsched setsched signal }; +allow cobblerd_t self:fifo_file rw_fifo_file_perms; +allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms; +allow cobblerd_t self:tcp_socket create_stream_socket_perms; +allow cobblerd_t self:udp_socket create_socket_perms; +allow cobblerd_t self:unix_dgram_socket create_socket_perms; + +list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) +read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) + +# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_var_lib_t dir to httpd_sys_content_t. 
+dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms; + +manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) +manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) +manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) +files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file }) + +# Something really needs to write to cobbler.log. Ideally this should not be happening. +allow cobblerd_t cobbler_var_log_t:file write; + +append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) +create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) +read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) +setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) +logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) + +manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t) +manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t) +files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file }) + +kernel_read_system_state(cobblerd_t) +kernel_dontaudit_search_network_state(cobblerd_t) + +corecmd_exec_bin(cobblerd_t) +corecmd_exec_shell(cobblerd_t) + +corenet_all_recvfrom_netlabel(cobblerd_t) +corenet_all_recvfrom_unlabeled(cobblerd_t) +corenet_sendrecv_cobbler_server_packets(cobblerd_t) +corenet_tcp_bind_cobbler_port(cobblerd_t) +corenet_tcp_bind_generic_node(cobblerd_t) +corenet_tcp_sendrecv_generic_if(cobblerd_t) +corenet_tcp_sendrecv_generic_node(cobblerd_t) +corenet_tcp_sendrecv_generic_port(cobblerd_t) +corenet_tcp_sendrecv_cobbler_port(cobblerd_t) +# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect. 
+corenet_tcp_connect_ftp_port(cobblerd_t) +corenet_tcp_sendrecv_ftp_port(cobblerd_t) +corenet_sendrecv_ftp_client_packets(cobblerd_t) +corenet_tcp_connect_http_port(cobblerd_t) +corenet_tcp_sendrecv_http_port(cobblerd_t) +corenet_sendrecv_http_client_packets(cobblerd_t) + +dev_read_urand(cobblerd_t) + +domain_dontaudit_exec_all_entry_files(cobblerd_t) +domain_dontaudit_read_all_domains_state(cobblerd_t) + +files_read_etc_files(cobblerd_t) +# mtab +files_read_etc_runtime_files(cobblerd_t) +files_read_usr_files(cobblerd_t) +files_list_boot(cobblerd_t) +files_read_boot_files(cobblerd_t) +files_list_tmp(cobblerd_t) + +# read from mounted images (install media) +fs_read_iso9660_files(cobblerd_t) + +init_dontaudit_read_all_script_files(cobblerd_t) + +term_use_console(cobblerd_t) + +miscfiles_read_localization(cobblerd_t) +miscfiles_read_public_files(cobblerd_t) + +selinux_dontaudit_read_fs(cobblerd_t) + +sysnet_read_config(cobblerd_t) +sysnet_rw_dhcp_config(cobblerd_t) +sysnet_write_config(cobblerd_t) + +userdom_dontaudit_use_user_terminals(cobblerd_t) +userdom_dontaudit_search_user_home_dirs(cobblerd_t) +userdom_dontaudit_search_admin_dir(cobblerd_t) + +tunable_policy(`cobbler_anon_write',` + miscfiles_manage_public_files(cobblerd_t) +') + +tunable_policy(`cobbler_can_network_connect',` + corenet_tcp_connect_all_ports(cobblerd_t) + corenet_tcp_sendrecv_all_ports(cobblerd_t) + corenet_sendrecv_all_client_packets(cobblerd_t) +') + +tunable_policy(`cobbler_use_cifs',` + fs_manage_cifs_dirs(cobblerd_t) + fs_manage_cifs_files(cobblerd_t) + fs_manage_cifs_symlinks(cobblerd_t) +') + +tunable_policy(`cobbler_use_nfs',` + fs_manage_nfs_dirs(cobblerd_t) + fs_manage_nfs_files(cobblerd_t) + fs_manage_nfs_symlinks(cobblerd_t) +') + +optional_policy(` + # Cobbler traverses /var/www to get to /var/www/cobbler/* + apache_search_sys_content(cobblerd_t) +') + +optional_policy(` + bind_read_config(cobblerd_t) + bind_write_config(cobblerd_t) + bind_domtrans_ndc(cobblerd_t) + 
bind_domtrans(cobblerd_t) + bind_initrc_domtrans(cobblerd_t) + bind_manage_zone(cobblerd_t) +') + +optional_policy(` + certmaster_exec(cobblerd_t) +') + +optional_policy(` + dhcpd_domtrans(cobblerd_t) + dhcpd_initrc_domtrans(cobblerd_t) +') + +optional_policy(` + dnsmasq_domtrans(cobblerd_t) + dnsmasq_initrc_domtrans(cobblerd_t) + dnsmasq_write_config(cobblerd_t) +') + +optional_policy(` + gnome_dontaudit_search_config(cobblerd_t) +') + +optional_policy(` + rpm_exec(cobblerd_t) +') + +optional_policy(` + rsync_exec(cobblerd_t) + rsync_manage_config(cobblerd_t) + # cobbler creates /etc/rsync.conf if its not there. + rsync_filetrans_config(cobblerd_t, file) +') + +optional_policy(` + # Cobbler puts objects in both /var/lib/tftpdir as well as /var/lib/tftpdir/images. + # tftp_manage_rw_content(cobblerd_t) can be used instead if: + # 1. cobbler package installs /var/lib/tftpdir/images. + # 2. no FILES in /var/lib/TFTPDIR are hard linked. + # Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg) + # are any of those hard linked? + tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file }) +') + +######################################## +# +# Cobbler web local policy. +# + +apache_content_template(cobbler) +manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) +manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) diff --git a/policy/modules/services/comsat.fc b/policy/modules/services/comsat.fc new file mode 100644 index 0000000..e7633fa --- /dev/null +++ b/policy/modules/services/comsat.fc @@ -0,0 +1,2 @@ + +/usr/sbin/in\.comsat -- gen_context(system_u:object_r:comsat_exec_t,s0) diff --git a/policy/modules/services/comsat.if b/policy/modules/services/comsat.if new file mode 100644 index 0000000..afc4dfe --- /dev/null +++ b/policy/modules/services/comsat.if @@ -0,0 +1 @@ +## <summary>Comsat, a biff server.</summary> 
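Review bot: `allow cobblerd_t cobbler_var_log_t:file write;` in cobbler.te, placed right after the comment admitting it should not be needed, undoes the append-only protection that the following `append_files_pattern` gives the log: the daemon can truncate or rewrite its own history. Before merging, find the writer (a log opened without O_APPEND is the usual cause) and drop the rule, or leave a TODO that records the denial. Also, the comments in the tftp `optional_policy` block and in `cobblerd_admin` refer to /var/lib/tftpdir while cobbler.fc labels /var/lib/tftpboot; align the comments with the paths actually labelled. Minor: "if its not there" should be "if it's not there".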
diff --git a/policy/modules/services/comsat.te b/policy/modules/services/comsat.te new file mode 100644 index 0000000..3d121fd --- /dev/null +++ b/policy/modules/services/comsat.te 
@@ -0,0 +1,74 @@ +policy_module(comsat, 1.7.0) + +######################################## +# +# Declarations +# + +type comsat_t; +type comsat_exec_t; +inetd_udp_service_domain(comsat_t, comsat_exec_t) +role system_r types comsat_t; + +type comsat_tmp_t; +files_tmp_file(comsat_tmp_t) + +type comsat_var_run_t; +files_pid_file(comsat_var_run_t) + +######################################## +# +# Local policy +# + +allow comsat_t self:capability { setuid setgid }; +allow comsat_t self:process signal_perms; +allow comsat_t self:fifo_file rw_fifo_file_perms; +allow comsat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +allow comsat_t self:tcp_socket connected_stream_socket_perms; +allow comsat_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(comsat_t, comsat_tmp_t, comsat_tmp_t) +manage_files_pattern(comsat_t, comsat_tmp_t, comsat_tmp_t) +files_tmp_filetrans(comsat_t, comsat_tmp_t, { file dir }) + +manage_files_pattern(comsat_t, comsat_var_run_t, comsat_var_run_t) +files_pid_filetrans(comsat_t, comsat_var_run_t, file) + +kernel_read_kernel_sysctls(comsat_t) +kernel_read_network_state(comsat_t) +kernel_read_system_state(comsat_t) + +corenet_all_recvfrom_unlabeled(comsat_t) +corenet_all_recvfrom_netlabel(comsat_t) +corenet_tcp_sendrecv_generic_if(comsat_t) +corenet_udp_sendrecv_generic_if(comsat_t) +corenet_tcp_sendrecv_generic_node(comsat_t) +corenet_udp_sendrecv_generic_node(comsat_t) +corenet_udp_sendrecv_all_ports(comsat_t) + +dev_read_urand(comsat_t) + +fs_getattr_xattr_fs(comsat_t) + +files_read_etc_files(comsat_t) +files_list_usr(comsat_t) +files_search_spool(comsat_t) +files_search_home(comsat_t) + +auth_use_nsswitch(comsat_t) + +init_read_utmp(comsat_t) +init_dontaudit_write_utmp(comsat_t) + +logging_send_syslog_msg(comsat_t) + +miscfiles_read_localization(comsat_t) + +userdom_dontaudit_getattr_user_ttys(comsat_t) + +mta_getattr_spool(comsat_t) + +optional_policy(` + kerberos_use(comsat_t) +') 
diff --git a/policy/modules/services/consolekit.fc b/policy/modules/services/consolekit.fc new file mode 100644 index 0000000..32233ab --- /dev/null +++ b/policy/modules/services/consolekit.fc @@ -0,0 +1,7 @@ +/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) + +/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) + +/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) +/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0) +/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0) diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if new file mode 100644 index 0000000..ac43a92 --- /dev/null +++ b/policy/modules/services/consolekit.if 
@@ -0,0 +1,134 @@ +## <summary>Framework for facilitating multiple user sessions on desktops.</summary> + +######################################## +## <summary> +## Execute a domain transition to run consolekit. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`consolekit_domtrans',` + gen_require(` + type consolekit_t, consolekit_exec_t; + ') + + domtrans_pattern($1, consolekit_exec_t, consolekit_t) +') + +######################################## +## <summary> +## Send and receive messages from +## consolekit over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`consolekit_dbus_chat',` + gen_require(` + type consolekit_t; + class dbus send_msg; + ') + + allow $1 consolekit_t:dbus send_msg; + allow consolekit_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Dontaudit attempts to read consolekit log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`consolekit_dontaudit_read_log',` + gen_require(` + type consolekit_log_t; + ') + + dontaudit $1 consolekit_log_t:file read_file_perms; +') + +######################################## +## <summary> +## Read consolekit log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`consolekit_read_log',` + gen_require(` + type consolekit_log_t; + ') + + read_files_pattern($1, consolekit_log_t, consolekit_log_t) + logging_search_logs($1) +') + +######################################## +## <summary> +## Manage consolekit log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`consolekit_manage_log',` + gen_require(` + type consolekit_log_t; + ') + + manage_files_pattern($1, consolekit_log_t, consolekit_log_t) + files_search_pids($1) +') + +######################################## +## <summary> +## Read consolekit PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`consolekit_read_pid_files',` + gen_require(` + type consolekit_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) +') + +######################################## +## <summary> +## List consolekit PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`consolekit_list_pid_files',` + gen_require(` + type consolekit_var_run_t; + ') + + files_search_pids($1) + list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t) +') diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te new file mode 100644 index 0000000..16c0746 --- /dev/null +++ b/policy/modules/services/consolekit.te 
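Review bot: `consolekit_manage_log` in consolekit.if pairs `manage_files_pattern($1, consolekit_log_t, consolekit_log_t)` with `files_search_pids($1)`, but consolekit_log_t lives under /var/log (it is declared with `logging_log_file`), so a caller that cannot already search /var/log is denied before it reaches the files; use `logging_search_logs($1)` as `consolekit_read_log` above it does.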
@@ -0,0 +1,145 @@ +policy_module(consolekit, 1.6.0) + +######################################## +# +# Declarations +# + +type consolekit_t; +type consolekit_exec_t; +init_daemon_domain(consolekit_t, consolekit_exec_t) + +type consolekit_log_t; +logging_log_file(consolekit_log_t) + +type consolekit_var_run_t; +files_pid_file(consolekit_var_run_t) + +type consolekit_tmpfs_t; +files_tmpfs_file(consolekit_tmpfs_t) + +######################################## +# +# consolekit local policy +# + +allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; +allow consolekit_t self:process { getsched signal }; +allow consolekit_t self:fifo_file rw_fifo_file_perms; +allow consolekit_t self:unix_stream_socket create_stream_socket_perms; +allow consolekit_t self:unix_dgram_socket create_socket_perms; + +manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) +logging_log_filetrans(consolekit_t, consolekit_log_t, file) + +manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) +manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) +files_pid_filetrans(consolekit_t, consolekit_var_run_t, { file dir }) + +kernel_read_system_state(consolekit_t) + +corecmd_exec_bin(consolekit_t) +corecmd_exec_shell(consolekit_t) + +dev_read_urand(consolekit_t) +dev_read_sysfs(consolekit_t) + +domain_read_all_domains_state(consolekit_t) +domain_use_interactive_fds(consolekit_t) +domain_dontaudit_ptrace_all_domains(consolekit_t) + +files_read_etc_files(consolekit_t) +files_read_usr_files(consolekit_t) +# needs to read /var/lib/dbus/machine-id +files_read_var_lib_files(consolekit_t) +files_search_all_mountpoints(consolekit_t) + +fs_list_inotifyfs(consolekit_t) + +mcs_ptrace_all(consolekit_t) + +term_use_all_terms(consolekit_t) + +auth_use_nsswitch(consolekit_t) +auth_manage_pam_console_data(consolekit_t) +auth_write_login_records(consolekit_t) + +init_telinit(consolekit_t) 
+init_rw_utmp(consolekit_t) + +logging_send_syslog_msg(consolekit_t) +logging_send_audit_msgs(consolekit_t) + +miscfiles_read_localization(consolekit_t) + +# consolekit needs to be able to ptrace all logged in users +userdom_ptrace_all_users(consolekit_t) +userdom_dontaudit_read_user_home_content_files(consolekit_t) +userdom_dontaudit_getattr_admin_home_files(consolekit_t) +userdom_read_user_tmp_files(consolekit_t) + +hal_ptrace(consolekit_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(consolekit_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files(consolekit_t) +') + +optional_policy(` + cron_read_system_job_lib_files(consolekit_t) +') + +optional_policy(` + dbus_system_domain(consolekit_t, consolekit_exec_t) + + optional_policy(` + hal_dbus_chat(consolekit_t) + ') + + optional_policy(` + rpm_dbus_chat(consolekit_t) + ') + + optional_policy(` + unconfined_dbus_chat(consolekit_t) + ') +') + +optional_policy(` + networkmanager_append_log(consolekit_t) +') + +optional_policy(` + policykit_dbus_chat(consolekit_t) + policykit_domtrans_auth(consolekit_t) + policykit_read_lib(consolekit_t) + policykit_read_reload(consolekit_t) +') + +optional_policy(` + shutdown_domtrans(consolekit_t) +') + +optional_policy(` + xserver_read_xdm_pid(consolekit_t) + xserver_read_user_xauth(consolekit_t) + xserver_non_drawing_client(consolekit_t) + corenet_tcp_connect_xserver_port(consolekit_t) + xserver_stream_connect(consolekit_t) + xserver_user_x_domain_template(consolekit, consolekit_t, consolekit_tmpfs_t) +') + +optional_policy(` + udev_domtrans(consolekit_t) + udev_read_db(consolekit_t) + udev_signal(consolekit_t) +') + +optional_policy(` + #reading .Xauthity + unconfined_ptrace(consolekit_t) + unconfined_stream_connect(consolekit_t) +') diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc new file mode 100644 index 0000000..2098ee9 --- /dev/null +++ b/policy/modules/services/corosync.fc 
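Review bot: `hal_ptrace(consolekit_t)` in consolekit.te is called unconditionally while `hal_dbus_chat(consolekit_t)` is wrapped in `optional_policy`; hal is an optional module, so the bare call breaks a build without it and should move into an optional_policy block. On the same theme, `sys_ptrace`, `mcs_ptrace_all`, `userdom_ptrace_all_users` and `unconfined_ptrace` together give this daemon ptrace over every logged-in user and the unconfined domain; the comment "#reading .Xauthity" (typo for .Xauthority) does not explain why reading a file needs ptrace, so please record the actual denial, for example reading /proc/<pid>/environ of the session process if that is what it is.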
@@ -0,0 +1,13 @@ +/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) + +/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0) + +/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0) +/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0) + +/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) + +/var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0) + +/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) +/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if new file mode 100644 index 0000000..a2e6830 --- /dev/null +++ b/policy/modules/services/corosync.if 
@@ -0,0 +1,125 @@ +## <summary>Corosync Cluster Engine</summary> + +######################################## +## <summary> +## Execute a domain transition to run corosync. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`corosync_domtrans',` + gen_require(` + type corosync_t, corosync_exec_t; + ') + + domtrans_pattern($1, corosync_exec_t, corosync_t) +') + +###################################### +## <summary> +## Execute corosync in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corosync_exec',` + gen_require(` + type corosync_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, corosync_exec_t) +') + +####################################### +## <summary> +## Allow the specified domain to read corosync's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corosync_read_log',` + gen_require(` + type corosync_var_log_t; + ') + + logging_search_logs($1) + list_dirs_pattern($1, corosync_var_log_t, corosync_var_log_t) + read_files_pattern($1, corosync_var_log_t, corosync_var_log_t) +') + +##################################### +## <summary> +## Connect to corosync over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corosync_stream_connect',` + gen_require(` + type corosync_t, corosync_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t) +') + +###################################### +## <summary> +## All of the rules required to administrate +## an corosync environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the corosyncd domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`corosyncd_admin',` + gen_require(` + type corosync_t, corosync_var_lib_t, corosync_var_log_t; + type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t; + type corosync_initrc_exec_t; + ') + + allow $1 corosync_t:process { ptrace signal_perms }; + ps_process_pattern($1, corosync_t) + + init_labeled_script_domtrans($1, corosync_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 corosync_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, corosync_tmp_t) + + admin_pattern($1, corosync_tmpfs_t) + + files_list_var_lib($1) + admin_pattern($1, corosync_var_lib_t) + + logging_list_logs($1) + admin_pattern($1, corosync_var_log_t) + + files_list_pids($1) + admin_pattern($1, corosync_var_run_t) +') diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te new file mode 100644 index 0000000..c3620a0 --- /dev/null +++ b/policy/modules/services/corosync.te 
@@ -0,0 +1,121 @@ +policy_module(corosync, 1.0.0) + +######################################## +# +# Declarations +# + +type corosync_t; +type corosync_exec_t; +init_daemon_domain(corosync_t, corosync_exec_t) + +type corosync_initrc_exec_t; +init_script_file(corosync_initrc_exec_t); + +type corosync_tmp_t; +files_tmp_file(corosync_tmp_t) + +type corosync_tmpfs_t; +files_tmpfs_file(corosync_tmpfs_t) + +type corosync_var_lib_t; +files_type(corosync_var_lib_t) + +type corosync_var_log_t; +logging_log_file(corosync_var_log_t) + +type corosync_var_run_t; +files_pid_file(corosync_var_run_t) + +######################################## +# +# corosync local policy +# + +allow corosync_t self:capability { dac_override sys_nice sys_ptrace sys_resource ipc_lock }; +allow corosync_t self:process { setrlimit setsched signal signull }; + +allow corosync_t self:fifo_file rw_fifo_file_perms; +allow corosync_t self:sem create_sem_perms; +allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow corosync_t self:unix_dgram_socket create_socket_perms; +allow corosync_t self:udp_socket create_socket_perms; + +can_exec(corosync_t, corosync_exec_t) + +manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) +manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) +files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir }) + +manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t) +manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t) +fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t, { dir file }) + +manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) +manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) +manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) +files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file }) + +manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) +manage_sock_files_pattern(corosync_t, 
corosync_var_log_t, corosync_var_log_t) +logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file }) + +manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) +manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) +files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file }) + +kernel_read_system_state(corosync_t) +kernel_read_network_state(corosync_t) + +corecmd_exec_bin(corosync_t) +corecmd_exec_shell(corosync_t) + +corenet_udp_bind_netsupport_port(corosync_t) + +dev_read_urand(corosync_t) + +domain_read_all_domains_state(corosync_t) + +files_manage_mounttab(corosync_t) +files_read_usr_files(corosync_t) + +auth_use_nsswitch(corosync_t) + +init_read_script_state(corosync_t) +init_rw_script_tmp_files(corosync_t) + +logging_send_syslog_msg(corosync_t) + +miscfiles_read_localization(corosync_t) + +userdom_delete_user_tmpfs_files(corosync_t) +userdom_rw_user_tmpfs_files(corosync_t) + +optional_policy(` + fs_manage_tmpfs_files(corosync_t) + init_manage_script_status_files(corosync_t) +') + +optional_policy(` + ccs_read_config(corosync_t) +') + +optional_policy(` + cmirrord_rw_shm(corosync_t) +') + +optional_policy(` + lvm_rw_clvmd_tmpfs_files(corosync_t) +') + +optional_policy(` + # to communication with RHCS + rhcs_rw_cluster_shm(corosync_t) + rhcs_rw_cluster_semaphores(corosync_t) + rhcs_stream_connect_cluster(corosync_t) + rhcs_read_cluster_lib_files(corosync_t) +') + +optional_policy(` + rgmanager_manage_tmpfs_files(corosync_t) +') diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc new file mode 100644 index 0000000..f1bf79a --- /dev/null +++ b/policy/modules/services/courier.fc 
@@ -0,0 +1,24 @@ +/etc/courier(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) + +/usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) + +/usr/sbin/courierlogger -- gen_context(system_u:object_r:courier_exec_t,s0) +/usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0) +/usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) + +/usr/lib(64)?/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) +/usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0) +/usr/lib(64)?/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +/usr/lib(64)?/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +/usr/lib(64)?/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0) +/usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +/usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +/usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) +/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0) + +/var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0) + +/var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0) + +/var/spool/authdaemon(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) +/var/spool/courier(/.*)? gen_context(system_u:object_r:courier_spool_t,s0) diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if new file mode 100644 index 0000000..f081899 --- /dev/null +++ b/policy/modules/services/courier.if 
@@ -0,0 +1,220 @@ +## <summary>Courier IMAP and POP3 email servers</summary> + +######################################## +## <summary> +## Template for creating courier server processes. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix name of the server process. +## </summary> +## </param> +# +template(`courier_domain_template',` + + ############################## + # + # Declarations + # + + type courier_$1_t; + type courier_$1_exec_t; + init_daemon_domain(courier_$1_t, courier_$1_exec_t) + + ############################## + # + # Declarations + # + + allow courier_$1_t self:capability dac_override; + dontaudit courier_$1_t self:capability sys_tty_config; + allow courier_$1_t self:process { setpgid signal_perms }; + allow courier_$1_t self:fifo_file { read write getattr }; + allow courier_$1_t self:tcp_socket create_stream_socket_perms; + allow courier_$1_t self:udp_socket create_socket_perms; + + can_exec(courier_$1_t, courier_$1_exec_t) + + read_files_pattern(courier_$1_t, courier_etc_t, courier_etc_t) + allow courier_$1_t courier_etc_t:dir list_dir_perms; + + manage_dirs_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) + manage_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) + manage_lnk_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) + manage_sock_files_pattern(courier_$1_t, courier_var_run_t, courier_var_run_t) + files_search_pids(courier_$1_t) + files_pid_filetrans(courier_$1_t, courier_var_run_t, dir) + + kernel_read_system_state(courier_$1_t) + kernel_read_kernel_sysctls(courier_$1_t) + + corecmd_exec_bin(courier_$1_t) + + corenet_all_recvfrom_unlabeled(courier_$1_t) + corenet_all_recvfrom_netlabel(courier_$1_t) + corenet_tcp_sendrecv_generic_if(courier_$1_t) + corenet_udp_sendrecv_generic_if(courier_$1_t) + corenet_tcp_sendrecv_generic_node(courier_$1_t) + corenet_udp_sendrecv_generic_node(courier_$1_t) + corenet_tcp_sendrecv_all_ports(courier_$1_t) + 
corenet_udp_sendrecv_all_ports(courier_$1_t) + + dev_read_sysfs(courier_$1_t) + + domain_use_interactive_fds(courier_$1_t) + + files_read_etc_files(courier_$1_t) + files_read_etc_runtime_files(courier_$1_t) + files_read_usr_files(courier_$1_t) + + fs_getattr_xattr_fs(courier_$1_t) + fs_search_auto_mountpoints(courier_$1_t) + + logging_send_syslog_msg(courier_$1_t) + + sysnet_read_config(courier_$1_t) + + userdom_dontaudit_use_unpriv_user_fds(courier_$1_t) + + optional_policy(` + seutil_sigchld_newrole(courier_$1_t) + ') + + optional_policy(` + udev_read_db(courier_$1_t) + ') +') + +######################################## +## <summary> +## Execute the courier authentication daemon with +## a domain transition. +## </summary> +## <param name="prefix"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`courier_domtrans_authdaemon',` + gen_require(` + type courier_authdaemon_t, courier_authdaemon_exec_t; + ') + + domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t) +') + +######################################## +## <summary> +## Execute the courier POP3 and IMAP server with +## a domain transition. +## </summary> +## <param name="prefix"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`courier_domtrans_pop',` + gen_require(` + type courier_pop_t, courier_pop_exec_t; + ') + + domtrans_pattern($1, courier_pop_exec_t, courier_pop_t) +') + +######################################## +## <summary> +## Read courier config files +## </summary> +## <param name="prefix"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`courier_read_config',` + gen_require(` + type courier_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, courier_etc_t, courier_etc_t) +') + +######################################## +## <summary> +## Create, read, write, and delete courier +## spool directories. 
+## </summary> +## <param name="prefix"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`courier_manage_spool_dirs',` + gen_require(` + type courier_spool_t; + ') + + files_search_spool($1) + manage_dirs_pattern($1, courier_spool_t, courier_spool_t) +') + +######################################## +## <summary> +## Create, read, write, and delete courier +## spool files. +## </summary> +## <param name="prefix"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`courier_manage_spool_files',` + gen_require(` + type courier_spool_t; + ') + + files_search_spool($1) + manage_files_pattern($1, courier_spool_t, courier_spool_t) +') + +######################################## +## <summary> +## Read courier spool files. +## </summary> +## <param name="prefix"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`courier_read_spool',` + gen_require(` + type courier_spool_t; + ') + + files_search_spool($1) + read_files_pattern($1, courier_spool_t, courier_spool_t) +') + +######################################## +## <summary> +## Read and write to courier spool pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`courier_rw_spool_pipes',` + gen_require(` + type courier_spool_t; + ') + + allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; +') diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te new file mode 100644 index 0000000..cc93958 --- /dev/null +++ b/policy/modules/services/courier.te 
@@ -0,0 +1,146 @@ +policy_module(courier, 1.9.1) + +######################################## +# +# Declarations +# + +courier_domain_template(authdaemon) + +type courier_etc_t; +files_config_file(courier_etc_t) + +courier_domain_template(pcp) + +courier_domain_template(pop) + +type courier_spool_t; +files_type(courier_spool_t) + +courier_domain_template(tcpd) + +type courier_var_lib_t; +files_type(courier_var_lib_t) + +type courier_var_run_t; +files_pid_file(courier_var_run_t) + +type courier_exec_t; +mta_agent_executable(courier_exec_t) + +courier_domain_template(sqwebmail) +typealias courier_sqwebmail_exec_t alias sqwebmail_cron_exec_t; + +######################################## +# +# Authdaemon local policy +# + +allow courier_authdaemon_t self:capability { setuid setgid sys_tty_config }; +allow courier_authdaemon_t self:unix_stream_socket connectto; + +can_exec(courier_authdaemon_t, courier_exec_t) + +allow courier_authdaemon_t courier_tcpd_t:fd use; +allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; +allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms; + +allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; +allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms; +allow courier_authdaemon_t courier_tcpd_t:process sigchld; +allow courier_authdaemon_t courier_tcpd_t:fd use; +allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms; +allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms; + +manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t) +files_search_spool(courier_authdaemon_t) + +corecmd_search_bin(courier_authdaemon_t) + +# for SSP +dev_read_urand(courier_authdaemon_t) + +files_getattr_tmp_dirs(courier_authdaemon_t) + +auth_domtrans_chk_passwd(courier_authdaemon_t) + +libs_read_lib_files(courier_authdaemon_t) + +miscfiles_read_localization(courier_authdaemon_t) + +# should not be needed! 
+userdom_search_user_home_dirs(courier_authdaemon_t) + +courier_domtrans_pop(courier_authdaemon_t) + +######################################## +# +# Calendar (PCP) local policy +# + +allow courier_pcp_t self:capability { setuid setgid }; + +dev_read_rand(courier_pcp_t) + +######################################## +# +# POP3/IMAP local policy +# + +allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms; +allow courier_pop_t courier_authdaemon_t:process sigchld; + +allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; + +# inherits file handle - should it? +allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms; + +miscfiles_read_localization(courier_pop_t) + +courier_domtrans_authdaemon(courier_pop_t) + +# do the actual work (read the Maildir) +userdom_manage_user_home_content_files(courier_pop_t) +# cjp: the fact that this is different for pop vs imap means that +# there should probably be a courier_pop_t and courier_imap_t +# this should also probably be a separate type too instead of +# the regular home dir +userdom_manage_user_home_content_dirs(courier_pop_t) + +######################################## +# +# TCPd local policy +# + +allow courier_tcpd_t self:capability kill; + +can_exec(courier_tcpd_t, courier_exec_t) + +manage_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t) +manage_lnk_files_pattern(courier_tcpd_t, courier_var_lib_t, courier_var_lib_t) +files_search_var_lib(courier_tcpd_t) + +corecmd_search_bin(courier_tcpd_t) + +corenet_tcp_bind_generic_node(courier_tcpd_t) +corenet_tcp_bind_pop_port(courier_tcpd_t) +corenet_sendrecv_pop_server_packets(courier_tcpd_t) + +# for TLS +dev_read_rand(courier_tcpd_t) +dev_read_urand(courier_tcpd_t) + +miscfiles_read_localization(courier_tcpd_t) + +courier_domtrans_pop(courier_tcpd_t) + +######################################## +# +# Webmail local policy +# + +kernel_read_kernel_sysctls(courier_sqwebmail_t) + +optional_policy(` + 
cron_system_entry(courier_sqwebmail_t, courier_sqwebmail_exec_t) +') diff --git a/policy/modules/services/cpucontrol.fc b/policy/modules/services/cpucontrol.fc new file mode 100644 index 0000000..789c8c7 --- /dev/null +++ b/policy/modules/services/cpucontrol.fc @@ -0,0 +1,10 @@ + +/etc/firmware/.* -- gen_context(system_u:object_r:cpucontrol_conf_t,s0) + +/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0) + +/usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0) +/usr/sbin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0) +/usr/sbin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0) + +/var/run/cpufreqd\.pid -- gen_context(system_u:object_r:cpuspeed_var_run_t,s0) diff --git a/policy/modules/services/cpucontrol.if b/policy/modules/services/cpucontrol.if new file mode 100644 index 0000000..ff6310d --- /dev/null +++ b/policy/modules/services/cpucontrol.if @@ -0,0 +1,17 @@ +## <summary>Services for loading CPU microcode and CPU frequency scaling.</summary> + +######################################## +## <summary> +## CPUcontrol stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cpucontrol_stub',` + gen_require(` + type cpucontrol_t; + ') +') diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te new file mode 100644 index 0000000..13d2f63 --- /dev/null +++ b/policy/modules/services/cpucontrol.te 
@@ -0,0 +1,122 @@ +policy_module(cpucontrol, 1.3.0) + +######################################## +# +# Declarations +# + +type cpucontrol_t; +type cpucontrol_exec_t; +init_system_domain(cpucontrol_t, cpucontrol_exec_t) + +type cpucontrol_conf_t; +files_type(cpucontrol_conf_t) + +type cpuspeed_t; +type cpuspeed_exec_t; +init_system_domain(cpuspeed_t, cpuspeed_exec_t) + +type cpuspeed_var_run_t; +files_pid_file(cpuspeed_var_run_t) + +######################################## +# +# CPU microcode loader local policy +# + +allow cpucontrol_t self:capability { ipc_lock sys_rawio }; +dontaudit cpucontrol_t self:capability sys_tty_config; +allow cpucontrol_t self:process signal_perms; + +allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms; +read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t) +read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t) + +kernel_list_proc(cpucontrol_t) +kernel_read_proc_symlinks(cpucontrol_t) +kernel_read_kernel_sysctls(cpucontrol_t) + +dev_read_sysfs(cpucontrol_t) +dev_rw_cpu_microcode(cpucontrol_t) + +fs_search_auto_mountpoints(cpucontrol_t) + +term_dontaudit_use_console(cpucontrol_t) + +domain_use_interactive_fds(cpucontrol_t) + +files_list_usr(cpucontrol_t) + +init_use_fds(cpucontrol_t) +init_use_script_ptys(cpucontrol_t) + +logging_send_syslog_msg(cpucontrol_t) + +userdom_dontaudit_use_unpriv_user_fds(cpucontrol_t) + +optional_policy(` + nscd_socket_use(cpucontrol_t) +') + +optional_policy(` + rhgb_use_ptys(cpucontrol_t) +') + +optional_policy(` + seutil_sigchld_newrole(cpucontrol_t) +') + +optional_policy(` + udev_read_db(cpucontrol_t) +') + +######################################## +# +# CPU frequency scaling daemons +# + +dontaudit cpuspeed_t self:capability sys_tty_config; +allow cpuspeed_t self:process { signal_perms setsched }; +allow cpuspeed_t self:unix_dgram_socket create_socket_perms; + +allow cpuspeed_t cpuspeed_var_run_t:file manage_file_perms; +files_pid_filetrans(cpuspeed_t, 
cpuspeed_var_run_t, file) + +kernel_read_system_state(cpuspeed_t) +kernel_read_kernel_sysctls(cpuspeed_t) + +dev_write_sysfs_dirs(cpuspeed_t) +dev_rw_sysfs(cpuspeed_t) + +domain_use_interactive_fds(cpuspeed_t) +# for demand/load-based scaling: +domain_read_all_domains_state(cpuspeed_t) + +files_read_etc_files(cpuspeed_t) +files_read_etc_runtime_files(cpuspeed_t) +files_list_usr(cpuspeed_t) + +fs_search_auto_mountpoints(cpuspeed_t) + +term_dontaudit_use_console(cpuspeed_t) + +init_use_fds(cpuspeed_t) +init_use_script_ptys(cpuspeed_t) + +logging_send_syslog_msg(cpuspeed_t) + +miscfiles_read_localization(cpuspeed_t) + +userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t) + +optional_policy(` + nscd_socket_use(cpuspeed_t) +') + +optional_policy(` + seutil_sigchld_newrole(cpuspeed_t) +') + +optional_policy(` + udev_read_db(cpuspeed_t) +') diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc new file mode 100644 index 0000000..3e8ad69 --- /dev/null +++ b/policy/modules/services/cron.fc 
@@ -0,0 +1,51 @@ +/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) + +/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) +/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) + +/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0) +/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0) + +/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0) +/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0) +/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0) +/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) + +/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0) +/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) +/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) + +/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) +/var/spool/at(/.*)? 
gen_context(system_u:object_r:user_cron_spool_t,s0) + +/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) +#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) +/var/spool/cron/[^/]* -- <<none>> + +ifdef(`distro_gentoo',` +/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) +/var/spool/cron/lastrun/[^/]* -- <<none>> +') + +ifdef(`distro_suse', ` +/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) +/var/spool/cron/lastrun/[^/]* -- <<none>> +/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) +') + +/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) +/var/spool/cron/crontabs/.* -- <<none>> +#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) + +/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0) +/var/spool/fcron/.* <<none>> +/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) +/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) +/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) + +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) + +/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if new file mode 100644 index 0000000..b6402c9 --- /dev/null +++ b/policy/modules/services/cron.if 
@@ -0,0 +1,720 @@ +## <summary>Periodic execution of scheduled commands.</summary> + +####################################### +## <summary> +## The common rules for a crontab domain. +## </summary> +## <param name="userdomain_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +# +template(`cron_common_crontab_template',` + gen_require(` + type crond_t, crond_var_run_t, crontab_exec_t; + type cron_spool_t, user_cron_spool_t; + ') + + ############################## + # + # Declarations + # + + type $1_t; + application_domain($1_t, crontab_exec_t) + ubac_constrained($1_t) + + type $1_tmp_t; + files_tmp_file($1_tmp_t) + + ############################## + # + # Local policy + # + + # dac_override is to create the file in the directory under /tmp + allow $1_t self:capability { fowner setuid setgid chown dac_override }; + allow $1_t self:process { setsched signal_perms }; + allow $1_t self:fifo_file rw_fifo_file_perms; + + allow $1_t crond_t:process signal; + allow $1_t crond_var_run_t:file read_file_perms; + + manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) + manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) + files_tmp_filetrans($1_t, $1_tmp_t, { dir file }) + + # create files in /var/spool/cron + manage_files_pattern($1_t, { cron_spool_t user_cron_spool_t }, user_cron_spool_t) + filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file) + files_list_spool($1_t) + + # crontab signals crond by updating the mtime on the spooldir + allow $1_t cron_spool_t:dir setattr_dir_perms; + + kernel_read_system_state($1_t) + + # for the checks used by crontab -u + selinux_dontaudit_search_fs($1_t) + + fs_getattr_xattr_fs($1_t) + + domain_use_interactive_fds($1_t) + + files_read_etc_files($1_t) + files_read_usr_files($1_t) + files_dontaudit_search_pids($1_t) + + auth_domtrans_chk_passwd($1_t) + + logging_send_syslog_msg($1_t) + logging_send_audit_msgs($1_t) + logging_set_loginuid($1_t) + + 
init_dontaudit_write_utmp($1_t) + init_read_utmp($1_t) + + miscfiles_read_localization($1_t) + + seutil_read_config($1_t) + + userdom_manage_user_tmp_dirs($1_t) + userdom_manage_user_tmp_files($1_t) + # Access terminals. + userdom_use_user_terminals($1_t) + # Read user crontabs + userdom_read_user_home_content_files($1_t) + userdom_read_user_home_content_symlinks($1_t) + + tunable_policy(`fcron_crond',` + # fcron wants an instant update of a crontab change for the administrator + # also crontab does a security check for crontab -u + dontaudit $1_t crond_t:process signal; + ') + + optional_policy(` + nscd_socket_use($1_t) + ') +') + +######################################## +## <summary> +## Role access for cron +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +## <rolecap/> +# +interface(`cron_role',` + gen_require(` + type cronjob_t, crontab_t, crontab_exec_t; + type user_cron_spool_t, crond_t; + ') + + role $1 types { cronjob_t crontab_t }; + + # cronjob shows up in user ps + ps_process_pattern($2, cronjob_t) + + # Transition from the user domain to the derived domain. 
+ domtrans_pattern($2, crontab_exec_t, crontab_t) + + allow crond_t $2:process transition; + dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; + allow $2 crond_t:process sigchld; + + # needs to be authorized SELinux context for cron + allow $2 user_cron_spool_t:file entrypoint; + + # crontab shows up in user ps + ps_process_pattern($2, crontab_t) + allow $2 crontab_t:process { ptrace signal_perms }; + + # Run helper programs as the user domain + #corecmd_bin_domtrans(crontab_t, $2) + #corecmd_shell_domtrans(crontab_t, $2) + corecmd_exec_bin(crontab_t) + corecmd_exec_shell(crontab_t) + + optional_policy(` + gen_require(` + class dbus send_msg; + ') + + dbus_stub(cronjob_t) + allow cronjob_t $2:dbus send_msg; + ') +') + +######################################## +## <summary> +## Role access for unconfined cronjobs +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +## <rolecap/> +# +interface(`cron_unconfined_role',` + gen_require(` + type unconfined_cronjob_t; + ') + + role $1 types unconfined_cronjob_t; + + # cronjob shows up in user ps + ps_process_pattern($2, unconfined_cronjob_t) + allow $2 unconfined_cronjob_t:process { ptrace signal_perms }; + + optional_policy(` + gen_require(` + class dbus send_msg; + ') + + dbus_stub(unconfined_cronjob_t) + allow unconfined_cronjob_t $2:dbus send_msg; + ') +') + +######################################## +## <summary> +## Role access for cron +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +## <rolecap/> +# +interface(`cron_admin_role',` + gen_require(` + type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t; + class passwd crontab; + ') + + role $1 types { cronjob_t admin_crontab_t 
admin_crontab_tmp_t }; + + # cronjob shows up in user ps + ps_process_pattern($2, cronjob_t) + + # Manipulate other users crontab. + allow $2 self:passwd crontab; + + # Transition from the user domain to the derived domain. + domtrans_pattern($2, crontab_exec_t, admin_crontab_t) + + # crontab shows up in user ps + ps_process_pattern($2, admin_crontab_t) + allow $2 admin_crontab_t:process { ptrace signal_perms }; + + # Run helper programs as the user domain + #corecmd_bin_domtrans(admin_crontab_t, $2) + #corecmd_shell_domtrans(admin_crontab_t, $2) + corecmd_exec_bin(admin_crontab_t) + corecmd_exec_shell(admin_crontab_t) + + optional_policy(` + gen_require(` + class dbus send_msg; + ') + + dbus_stub(admin_cronjob_t) + allow cronjob_t $2:dbus send_msg; + ') +') + +######################################## +## <summary> +## Make the specified program domain accessable +## from the system cron jobs. +## </summary> +## <param name="domain"> +## <summary> +## The type of the process to transition to. +## </summary> +## </param> +## <param name="entrypoint"> +## <summary> +## The type of the file used as an entrypoint to this domain. +## </summary> +## </param> +# +interface(`cron_system_entry',` + gen_require(` + type crond_t, system_cronjob_t; + ') + + domtrans_pattern(system_cronjob_t, $2, $1) + domtrans_pattern(crond_t, $2, $1) + + role system_r types $1; +') + +######################################## +## <summary> +## Execute cron in the cron system domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cron_domtrans',` + gen_require(` + type system_cronjob_t, crond_exec_t; + ') + + domtrans_pattern($1, crond_exec_t, system_cronjob_t) +') + +######################################## +## <summary> +## Execute crond_exec_t +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`cron_exec',` + gen_require(` + type crond_exec_t; + ') + + can_exec($1, crond_exec_t) +') + +######################################## +## <summary> +## Execute crond server in the crond domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cron_initrc_domtrans',` + gen_require(` + type crond_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, crond_initrc_exec_t) +') + +######################################## +## <summary> +## Inherit and use a file descriptor +## from the cron daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_use_fds',` + gen_require(` + type crond_t; + ') + + allow $1 crond_t:fd use; +') + +######################################## +## <summary> +## Send a SIGCHLD signal to the cron daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_sigchld',` + gen_require(` + type crond_t; + ') + + allow $1 crond_t:process sigchld; +') + +######################################## +## <summary> +## Read a cron daemon unnamed pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_read_pipes',` + gen_require(` + type crond_t; + ') + + allow $1 crond_t:fifo_file read_fifo_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to write cron daemon unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`cron_dontaudit_write_pipes',` + gen_require(` + type crond_t; + ') + + dontaudit $1 crond_t:fifo_file write; +') + +######################################## +## <summary> +## Read and write a cron daemon unnamed pipe. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_rw_pipes',` + gen_require(` + type crond_t; + ') + + allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## <summary> +## Read and write inherited user spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_rw_inherited_user_spool_files',` + gen_require(` + type user_cron_spool_t; + ') + + allow $1 user_cron_spool_t:file rw_inherited_file_perms; +') + +######################################## +## <summary> +## Read and write inherited spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_rw_inherited_spool_files',` + gen_require(` + type cron_spool_t; + ') + + allow $1 cron_spool_t:file rw_inherited_file_perms; +') + +######################################## +## <summary> +## Read, and write cron daemon TCP sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_rw_tcp_sockets',` + gen_require(` + type crond_t; + ') + + allow $1 crond_t:tcp_socket { read write }; +') + +######################################## +## <summary> +## Dontaudit Read, and write cron daemon TCP sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`cron_dontaudit_rw_tcp_sockets',` + gen_require(` + type crond_t; + ') + + dontaudit $1 crond_t:tcp_socket { read write }; +') + +######################################## +## <summary> +## Search the directory containing user cron tables. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`cron_search_spool',` + gen_require(` + type cron_spool_t; + ') + + files_search_spool($1) + allow $1 cron_spool_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Manage pid files used by cron +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_manage_pid_files',` + gen_require(` + type crond_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, crond_var_run_t, crond_var_run_t) +') + +######################################## +## <summary> +## Execute anacron in the cron system domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cron_anacron_domtrans_system_job',` + gen_require(` + type system_cronjob_t, anacron_exec_t; + ') + + domtrans_pattern($1, anacron_exec_t, system_cronjob_t) +') + +######################################## +## <summary> +## Inherit and use a file descriptor +## from system cron jobs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_use_system_job_fds',` + gen_require(` + type system_cronjob_t; + ') + + allow $1 system_cronjob_t:fd use; +') + +######################################## +## <summary> +## Write a system cron job unnamed pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_write_system_job_pipes',` + gen_require(` + type system_cronjob_t; + ') + + allow $1 system_cronjob_t:fifo_file write; +') + +######################################## +## <summary> +## Read and write a system cron job unnamed pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`cron_rw_system_job_pipes',` + gen_require(` + type system_cronjob_t; + ') + + allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## <summary> +## Allow read/write unix stream sockets from the system cron jobs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_rw_system_job_stream_sockets',` + gen_require(` + type system_cronjob_t; + ') + + allow $1 system_cronjob_t:unix_stream_socket { read write }; +') + +######################################## +## <summary> +## Read temporary files from the system cron jobs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_read_system_job_tmp_files',` + gen_require(` + type system_cronjob_tmp_t, cron_var_run_t; + ') + + files_search_tmp($1) + allow $1 system_cronjob_tmp_t:file read_file_perms; + + files_search_pids($1) + allow $1 cron_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to append temporary +## files from the system cron jobs. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`cron_dontaudit_append_system_job_tmp_files',` + gen_require(` + type system_cronjob_tmp_t; + ') + + dontaudit $1 system_cronjob_tmp_t:file append_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to write temporary +## files from the system cron jobs. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`cron_dontaudit_write_system_job_tmp_files',` + gen_require(` + type system_cronjob_tmp_t; + type cron_var_run_t; + ') + + dontaudit $1 system_cronjob_tmp_t:file write_file_perms; + dontaudit $1 cron_var_run_t:file write_file_perms; +') + +######################################## +## <summary> +## Read temporary files from the system cron jobs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_read_system_job_lib_files',` + gen_require(` + type system_cronjob_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) +') + +######################################## +## <summary> +## Manage files from the system cron jobs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cron_manage_system_job_lib_files',` + gen_require(` + type system_cronjob_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) +') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te new file mode 100644 index 0000000..2a7f7f4 --- /dev/null +++ b/policy/modules/services/cron.te 
@@ -0,0 +1,718 @@ +policy_module(cron, 2.2.0) + +gen_require(` + class passwd rootok; +') + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow system cron jobs to relabel filesystem +## for restoring file contexts. +## </p> +## </desc> +gen_tunable(cron_can_relabel, false) + +## <desc> +## <p> +## Enable extra rules in the cron domain +## to support fcron. +## </p> +## </desc> +gen_tunable(fcron_crond, false) + +attribute cron_spool_type; + +type anacron_exec_t; +application_executable_file(anacron_exec_t) + +type cron_spool_t; +files_type(cron_spool_t) + +# var/lib files +type cron_var_lib_t; +files_type(cron_var_lib_t) + +type cron_var_run_t; +files_type(cron_var_run_t) + +# var/log files +type cron_log_t; +logging_log_file(cron_log_t) + +type cronjob_t; +typealias cronjob_t alias { user_crond_t staff_crond_t sysadm_crond_t }; +typealias cronjob_t alias { auditadm_crond_t secadm_crond_t }; +domain_type(cronjob_t) +domain_cron_exemption_target(cronjob_t) +corecmd_shell_entry_type(cronjob_t) +ubac_constrained(cronjob_t) + +type crond_t; +type crond_exec_t; +init_daemon_domain(crond_t, crond_exec_t) +domain_interactive_fd(crond_t) +domain_cron_exemption_source(crond_t) + +type crond_initrc_exec_t; +init_script_file(crond_initrc_exec_t) + +type crond_tmp_t; +files_tmp_file(crond_tmp_t) +files_poly_parent(crond_tmp_t) +mta_system_content(crond_tmp_t) + +type crond_var_run_t; +files_pid_file(crond_var_run_t) +mta_system_content(crond_var_run_t) + +type crontab_exec_t; +application_executable_file(crontab_exec_t) + +cron_common_crontab_template(admin_crontab) +typealias admin_crontab_t alias sysadm_crontab_t; +typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t; + +cron_common_crontab_template(crontab) +typealias crontab_t alias { user_crontab_t staff_crontab_t }; +typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; +typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; +typealias 
crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; +allow admin_crontab_t crond_t:process signal; + +type system_cron_spool_t, cron_spool_type; +files_type(system_cron_spool_t) + +type system_cronjob_t alias system_crond_t; +init_daemon_domain(system_cronjob_t, anacron_exec_t) +corecmd_shell_entry_type(system_cronjob_t) +role system_r types system_cronjob_t; +domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t) + +type system_cronjob_lock_t alias system_crond_lock_t; +files_lock_file(system_cronjob_lock_t) + +type system_cronjob_tmp_t alias system_crond_tmp_t; +files_tmp_file(system_cronjob_tmp_t) + +type unconfined_cronjob_t; +domain_type(unconfined_cronjob_t) +domain_cron_exemption_target(unconfined_cronjob_t) + +# Type of user crontabs once moved to cron spool. +type user_cron_spool_t, cron_spool_type; +typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; +typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; +files_type(user_cron_spool_t) +ubac_constrained(user_cron_spool_t) +mta_system_content(user_cron_spool_t) + +type system_cronjob_var_lib_t; +files_type(system_cronjob_var_lib_t) +typealias system_cronjob_var_lib_t alias system_crond_var_lib_t; + +type system_cronjob_var_run_t; +files_pid_file(system_cronjob_var_run_t) + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) +') + +######################################## +# +# Admin crontab local policy +# + +# Allow our crontab domain to unlink a user cron spool file. +allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms }; + +# Manipulate other users crontab. 
+selinux_get_fs_mount(admin_crontab_t) +selinux_validate_context(admin_crontab_t) +selinux_compute_access_vector(admin_crontab_t) +selinux_compute_create_context(admin_crontab_t) +selinux_compute_relabel_context(admin_crontab_t) +selinux_compute_user_contexts(admin_crontab_t) + +tunable_policy(`fcron_crond',` + # fcron wants an instant update of a crontab change for the administrator + # also crontab does a security check for crontab -u + allow admin_crontab_t self:process setfscreate; +') + +######################################## +# +# Cron daemon local policy +# + +allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; +dontaudit crond_t self:capability { sys_resource sys_tty_config }; +allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; +allow crond_t self:process { setexec setfscreate }; +allow crond_t self:fd use; +allow crond_t self:fifo_file rw_fifo_file_perms; +allow crond_t self:unix_dgram_socket create_socket_perms; +allow crond_t self:unix_stream_socket create_stream_socket_perms; +allow crond_t self:unix_dgram_socket sendto; +allow crond_t self:unix_stream_socket connectto; +allow crond_t self:shm create_shm_perms; +allow crond_t self:sem create_sem_perms; +allow crond_t self:msgq create_msgq_perms; +allow crond_t self:msg { send receive }; +allow crond_t self:key { search write link }; + +manage_files_pattern(crond_t, cron_log_t, cron_log_t) +logging_log_filetrans(crond_t, cron_log_t, file) + +manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) +files_pid_filetrans(crond_t, crond_var_run_t, file) + +manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) + +manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) +manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) +files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) + +list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) +read_files_pattern(crond_t, system_cron_spool_t, 
system_cron_spool_t) + +kernel_read_kernel_sysctls(crond_t) +kernel_read_fs_sysctls(crond_t) +kernel_search_key(crond_t) + +dev_read_sysfs(crond_t) +selinux_get_fs_mount(crond_t) +selinux_validate_context(crond_t) +selinux_compute_access_vector(crond_t) +selinux_compute_create_context(crond_t) +selinux_compute_relabel_context(crond_t) +selinux_compute_user_contexts(crond_t) + +dev_read_urand(crond_t) + +fs_getattr_all_fs(crond_t) +fs_search_auto_mountpoints(crond_t) +fs_list_inotifyfs(crond_t) + +# need auth_chkpwd to check for locked accounts. +auth_domtrans_chk_passwd(crond_t) + +corecmd_exec_shell(crond_t) +corecmd_list_bin(crond_t) +corecmd_read_bin_symlinks(crond_t) + +domain_use_interactive_fds(crond_t) +domain_subj_id_change_exemption(crond_t) +domain_role_change_exemption(crond_t) + +files_read_usr_files(crond_t) +files_read_etc_runtime_files(crond_t) +files_read_etc_files(crond_t) +files_read_generic_spool(crond_t) +files_list_usr(crond_t) +# Read from /var/spool/cron. +files_search_var_lib(crond_t) +files_search_default(crond_t) + +init_rw_utmp(crond_t) +init_spec_domtrans_script(crond_t) + +auth_use_nsswitch(crond_t) + +logging_send_audit_msgs(crond_t) +logging_send_syslog_msg(crond_t) +logging_set_loginuid(crond_t) + +seutil_read_config(crond_t) +seutil_read_default_contexts(crond_t) +seutil_sigchld_newrole(crond_t) + +miscfiles_read_localization(crond_t) + +userdom_use_unpriv_users_fds(crond_t) +# Not sure why this is needed +userdom_list_user_home_dirs(crond_t) +userdom_create_all_users_keys(crond_t) + +mta_send_mail(crond_t) +mta_system_content(cron_spool_t) + +ifdef(`distro_debian',` + # pam_limits is used + allow crond_t self:process setrlimit; + + optional_policy(` + # Debian logcheck has the home dir set to its cache + logwatch_search_cache_dir(crond_t) + ') +') + +ifdef(`distro_redhat',` + # Run the rpm program in the rpm_t domain. Allow creation of RPM log files + # via redirection of standard out. 
+ optional_policy(` + rpm_manage_log(crond_t) + ') +') + +tunable_policy(`allow_polyinstantiation',` + files_polyinstantiate_all(crond_t) +') + +tunable_policy(`fcron_crond',` + allow crond_t system_cron_spool_t:file manage_file_perms; +') + +optional_policy(` + apache_search_sys_content(crond_t) +') + +optional_policy(` + djbdns_search_tinydns_keys(crond_t) + djbdns_link_tinydns_keys(crond_t) +') + +optional_policy(` + locallogin_search_keys(crond_t) + locallogin_link_keys(crond_t) +') + +optional_policy(` + # these should probably be unconfined_crond_t + dbus_system_bus_client(crond_t) + init_dbus_send_script(crond_t) +') + +optional_policy(` + mono_domtrans(crond_t) +') + +optional_policy(` + amanda_search_var_lib(crond_t) +') + +optional_policy(` + amavis_search_lib(crond_t) +') + +optional_policy(` + hal_dbus_chat(crond_t) + hal_write_log(crond_t) + hal_dbus_chat(system_cronjob_t) +') + +optional_policy(` + # cjp: why? + munin_search_lib(crond_t) +') + +optional_policy(` + rpc_search_nfs_state_data(crond_t) +') + +optional_policy(` + # Commonly used from postinst scripts + rpm_read_pipes(crond_t) +') + +optional_policy(` + # allow crond to find /usr/lib/postgresql/bin/do.maintenance + postgresql_search_db(crond_t) +') + +optional_policy(` + udev_read_db(crond_t) +') + +optional_policy(` + vnstatd_search_lib(crond_t) +') + +######################################## +# +# System cron process domain +# + +allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; +dontaudit system_cronjob_t self:capability sys_ptrace; + +allow system_cronjob_t self:process { signal_perms getsched setsched }; +allow system_cronjob_t self:fifo_file rw_fifo_file_perms; +allow system_cronjob_t self:passwd rootok; + +# This is to handle creation of files in /var/log directory. 
+# Used currently by rpm script log files +allow system_cronjob_t cron_log_t:file manage_file_perms; +logging_log_filetrans(system_cronjob_t, cron_log_t, file) + +# This is to handle /var/lib/misc directory. Used currently +# by prelink var/lib files for cron +allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms }; +files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) + +allow system_cronjob_t cron_var_run_t:file manage_file_perms; +files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) + +allow system_cronjob_t system_cron_spool_t:file read_file_perms; + +# anacron forces the following +manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t) + +# The entrypoint interface is not used as this is not +# a regular entrypoint. Since crontab files are +# not directly executed, crond must ensure that +# the crontab file has a type that is appropriate +# for the domain of the user cron job. It +# performs an entrypoint permission check +# for this purpose. +allow system_cronjob_t system_cron_spool_t:file entrypoint; + +# Permit a transition from the crond_t domain to this domain. +# The transition is requested explicitly by the modified crond +# via setexeccon. There is no way to set up an automatic +# transition, since crontabs are configuration files, not executables. +allow crond_t system_cronjob_t:process transition; +dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh }; +allow crond_t system_cronjob_t:fd use; +allow system_cronjob_t crond_t:fd use; +allow system_cronjob_t crond_t:fifo_file rw_file_perms; +allow system_cronjob_t crond_t:process sigchld; +allow crond_t system_cronjob_t:key manage_key_perms; + +# Write /var/lock/makewhatis.lock. 
+allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; +files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file) + +# write temporary files +manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) + +# var/lib files for system_crond +files_search_var_lib(system_cronjob_t) +manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) + +# Read from /var/spool/cron. +allow system_cronjob_t cron_spool_t:dir list_dir_perms; +allow system_cronjob_t cron_spool_t:file rw_file_perms; + +kernel_read_kernel_sysctls(system_cronjob_t) +kernel_read_system_state(system_cronjob_t) +kernel_read_software_raid_state(system_cronjob_t) + +# ps does not need to access /boot when run from cron +files_dontaudit_search_boot(system_cronjob_t) + +corecmd_exec_all_executables(system_cronjob_t) + +corenet_all_recvfrom_unlabeled(system_cronjob_t) +corenet_all_recvfrom_netlabel(system_cronjob_t) +corenet_tcp_sendrecv_generic_if(system_cronjob_t) +corenet_udp_sendrecv_generic_if(system_cronjob_t) +corenet_tcp_sendrecv_generic_node(system_cronjob_t) +corenet_udp_sendrecv_generic_node(system_cronjob_t) +corenet_tcp_sendrecv_all_ports(system_cronjob_t) +corenet_udp_sendrecv_all_ports(system_cronjob_t) + +dev_getattr_all_blk_files(system_cronjob_t) +dev_getattr_all_chr_files(system_cronjob_t) +dev_read_urand(system_cronjob_t) +dev_read_sysfs(system_cronjob_t) + +fs_getattr_all_fs(system_cronjob_t) +fs_getattr_all_files(system_cronjob_t) +fs_getattr_all_symlinks(system_cronjob_t) +fs_getattr_all_pipes(system_cronjob_t) +fs_getattr_all_sockets(system_cronjob_t) + +# quiet other ps operations +domain_dontaudit_read_all_domains_state(system_cronjob_t) + +files_exec_etc_files(system_cronjob_t) 
+files_read_etc_files(system_cronjob_t) +files_read_etc_runtime_files(system_cronjob_t) +files_list_all(system_cronjob_t) +files_getattr_all_dirs(system_cronjob_t) +files_getattr_all_files(system_cronjob_t) +files_getattr_all_symlinks(system_cronjob_t) +files_getattr_all_pipes(system_cronjob_t) +files_getattr_all_sockets(system_cronjob_t) +files_read_usr_files(system_cronjob_t) +files_read_var_files(system_cronjob_t) +# for nscd: +files_dontaudit_search_pids(system_cronjob_t) +# Access other spool directories like +# /var/spool/anacron and /var/spool/slrnpull. +files_manage_generic_spool(system_cronjob_t) +files_create_boot_flag(system_cronjob_t) + +init_use_script_fds(system_cronjob_t) +init_read_utmp(system_cronjob_t) +init_dontaudit_rw_utmp(system_cronjob_t) +# prelink tells init to restart it self, we either need to allow or dontaudit +init_telinit(system_cronjob_t) +init_domtrans_script(system_cronjob_t) + +auth_use_nsswitch(system_cronjob_t) + +libs_exec_lib_files(system_cronjob_t) +libs_exec_ld_so(system_cronjob_t) + +logging_read_generic_logs(system_cronjob_t) +logging_send_audit_msgs(system_cronjob_t) +logging_send_syslog_msg(system_cronjob_t) + +miscfiles_read_localization(system_cronjob_t) +miscfiles_manage_man_pages(system_cronjob_t) + +seutil_read_config(system_cronjob_t) + +ifdef(`distro_redhat',` + # Run the rpm program in the rpm_t domain. Allow creation of RPM log files + allow crond_t system_cron_spool_t:file manage_file_perms; + + # via redirection of standard out. 
+ optional_policy(` + rpm_manage_log(system_cronjob_t) + ') +') + +tunable_policy(`cron_can_relabel',` + seutil_domtrans_setfiles(system_cronjob_t) +',` + selinux_get_fs_mount(system_cronjob_t) + selinux_validate_context(system_cronjob_t) + selinux_compute_access_vector(system_cronjob_t) + selinux_compute_create_context(system_cronjob_t) + selinux_compute_relabel_context(system_cronjob_t) + selinux_compute_user_contexts(system_cronjob_t) + seutil_read_file_contexts(system_cronjob_t) +') + +optional_policy(` + # Needed for certwatch + apache_exec_modules(system_cronjob_t) + apache_read_config(system_cronjob_t) + apache_read_log(system_cronjob_t) + apache_read_sys_content(system_cronjob_t) + apache_delete_cache_dirs(system_cronjob_t) + apache_delete_cache_files(system_cronjob_t) +') + +optional_policy(` + cyrus_manage_data(system_cronjob_t) +') + +optional_policy(` + dbus_system_bus_client(system_cronjob_t) +') + +optional_policy(` + exim_read_spool_files(system_cronjob_t) +') + +optional_policy(` + ftp_read_log(system_cronjob_t) +') + +optional_policy(` + inn_manage_log(system_cronjob_t) + inn_manage_pid(system_cronjob_t) + inn_read_config(system_cronjob_t) +') + +optional_policy(` + livecd_read_tmp_files(system_cronjob_t) +') + +optional_policy(` + lpd_list_spool(system_cronjob_t) +') + +optional_policy(` + mono_domtrans(system_cronjob_t) +') + +optional_policy(` + mrtg_append_create_logs(system_cronjob_t) +') + +optional_policy(` + mta_send_mail(system_cronjob_t) + mta_system_content(system_cron_spool_t) +') + +optional_policy(` + mysql_read_config(system_cronjob_t) +') + +optional_policy(` + postfix_read_config(system_cronjob_t) +') + +optional_policy(` + prelink_delete_cache(system_cronjob_t) + prelink_manage_lib(system_cronjob_t) + prelink_manage_log(system_cronjob_t) + prelink_read_cache(system_cronjob_t) + prelink_relabel_lib(system_cronjob_t) +') + +optional_policy(` + samba_read_config(system_cronjob_t) + samba_read_log(system_cronjob_t) + 
#samba_read_secrets(system_cronjob_t) +') + +optional_policy(` + slocate_create_append_log(system_cronjob_t) +') + +optional_policy(` + spamassassin_manage_lib_files(system_cronjob_t) + spamassassin_manage_home_client(system_cronjob_t) +') + +optional_policy(` + sysstat_manage_log(system_cronjob_t) +') + +optional_policy(` + unconfined_domain(crond_t) + unconfined_domain(system_cronjob_t) +') + +optional_policy(` + unconfined_shell_domtrans(crond_t) + unconfined_dbus_send(crond_t) + userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) +') + +######################################## +# +# User cronjobs local policy +# + +allow cronjob_t self:process { signal_perms setsched }; +allow cronjob_t self:fifo_file rw_fifo_file_perms; +allow cronjob_t self:unix_stream_socket create_stream_socket_perms; +allow cronjob_t self:unix_dgram_socket create_socket_perms; + +# The entrypoint interface is not used as this is not +# a regular entrypoint. Since crontab files are +# not directly executed, crond must ensure that +# the crontab file has a type that is appropriate +# for the domain of the user cron job. It +# performs an entrypoint permission check +# for this purpose. +allow cronjob_t user_cron_spool_t:file entrypoint; + +# Permit a transition from the crond_t domain to this domain. +# The transition is requested explicitly by the modified crond +# via setexeccon. There is no way to set up an automatic +# transition, since crontabs are configuration files, not executables. 
+allow crond_t cronjob_t:process transition; +dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh }; +allow crond_t cronjob_t:fd use; +allow cronjob_t crond_t:fd use; +allow cronjob_t crond_t:fifo_file rw_file_perms; +allow cronjob_t crond_t:process sigchld; + +kernel_read_system_state(cronjob_t) +kernel_read_kernel_sysctls(cronjob_t) + +# ps does not need to access /boot when run from cron +files_dontaudit_search_boot(cronjob_t) + +corenet_all_recvfrom_unlabeled(cronjob_t) +corenet_all_recvfrom_netlabel(cronjob_t) +corenet_tcp_sendrecv_generic_if(cronjob_t) +corenet_udp_sendrecv_generic_if(cronjob_t) +corenet_tcp_sendrecv_generic_node(cronjob_t) +corenet_udp_sendrecv_generic_node(cronjob_t) +corenet_tcp_sendrecv_all_ports(cronjob_t) +corenet_udp_sendrecv_all_ports(cronjob_t) +corenet_tcp_connect_all_ports(cronjob_t) +corenet_sendrecv_all_client_packets(cronjob_t) + +dev_read_urand(cronjob_t) + +fs_getattr_all_fs(cronjob_t) + +corecmd_exec_all_executables(cronjob_t) + +# quiet other ps operations +domain_dontaudit_read_all_domains_state(cronjob_t) +domain_dontaudit_getattr_all_domains(cronjob_t) + +files_read_usr_files(cronjob_t) +files_exec_etc_files(cronjob_t) +# for nscd: +files_dontaudit_search_pids(cronjob_t) + +libs_exec_lib_files(cronjob_t) +libs_exec_ld_so(cronjob_t) + +files_read_etc_runtime_files(cronjob_t) +files_read_var_files(cronjob_t) +files_search_spool(cronjob_t) + +logging_search_logs(cronjob_t) + +seutil_read_config(cronjob_t) + +miscfiles_read_localization(cronjob_t) + +userdom_manage_user_tmp_files(cronjob_t) +userdom_manage_user_tmp_symlinks(cronjob_t) +userdom_manage_user_tmp_pipes(cronjob_t) +userdom_manage_user_tmp_sockets(cronjob_t) +# Run scripts in user home directory and access shared libs. +userdom_exec_user_home_content_files(cronjob_t) +# Access user files and dirs. 
+userdom_manage_user_home_content_files(cronjob_t) +userdom_manage_user_home_content_symlinks(cronjob_t) +userdom_manage_user_home_content_pipes(cronjob_t) +userdom_manage_user_home_content_sockets(cronjob_t) +#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) + +list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +allow crond_t user_cron_spool_t:file manage_lnk_file_perms; + +tunable_policy(`fcron_crond',` + allow crond_t user_cron_spool_t:file manage_file_perms; +') + +# need a per-role version of this: +#optional_policy(` +# mono_domtrans(cronjob_t) +#') + +optional_policy(` + nis_use_ypbind(cronjob_t) +') + +######################################## +# +# Unconfined cronjobs local policy +# + +optional_policy(` + # Permit a transition from the crond_t domain to this domain. + # The transition is requested explicitly by the modified crond + # via setexeccon. There is no way to set up an automatic + # transition, since crontabs are configuration files, not executables. + allow crond_t unconfined_cronjob_t:process transition; + dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh }; + allow crond_t unconfined_cronjob_t:fd use; + + unconfined_domain(unconfined_cronjob_t) +') diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc new file mode 100644 index 0000000..286ec9e --- /dev/null +++ b/policy/modules/services/cups.fc 
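Review bot: in the cron daemon local policy, `allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };` is immediately followed by `allow crond_t self:process { setexec setfscreate };`, so the exclusion set advertises a restriction the next line removes; either take `setexec setfscreate` out of the `~{ }` set (with a comment that crond needs them for the setexeccon transition described further down) or drop the second rule. In the `distro_redhat` block of the system cron job section, `allow crond_t system_cron_spool_t:file manage_file_perms;` is wedged between the two halves of the "Run the rpm program ... via redirection of standard out." comment, is a `crond_t` rule inside a `system_cronjob_t` section, and duplicates the rule already granted under `tunable_policy(`fcron_crond',` in the daemon section; remove it here and rejoin the comment. The comment "# Read from /var/spool/cron." sits above `files_search_var_lib(crond_t)`, which is not the spool. Several rules pair a permission macro with the wrong class: `allow system_cronjob_t crond_t:fifo_file rw_file_perms;` and `allow cronjob_t crond_t:fifo_file rw_file_perms;` should use `rw_fifo_file_perms` (as the `self:fifo_file` rules already do), and `allow crond_t user_cron_spool_t:file manage_lnk_file_perms;` applies lnk_file perms to the file class. Finally, the `optional_policy` block containing `unconfined_domain(crond_t)` and `unconfined_domain(system_cronjob_t)` makes both domains unconfined whenever the unconfined module is loaded, which silently negates every rule above it; that deserves a comment at minimum, and the `crond_t` half looks like it belongs behind a tunable rather than being granted unconditionally.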
@@ -0,0 +1,79 @@ + +/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) +/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) + +/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0) + +/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) + +/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) + +/opt/gutenprint/ppds(/.*)? 
gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) + +# keep as separate lines to ensure proper sorting +/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) +/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) +/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) +/usr/lib64/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) +/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) +/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) + +/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) + +/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0) +/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) +/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0) +/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) +/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) +/usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0) + +/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) +/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) + +/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/var/cache/cups(/.*)? 
gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) + +/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) + +/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) +/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) + +/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) +/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) +/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) +/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) +/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) +/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) + +/usr/local/Brother/fax/.*\.log gen_context(system_u:object_r:cupsd_log_t,s0) +/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if new file mode 100644 index 0000000..777091a --- /dev/null +++ b/policy/modules/services/cups.if 
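Review bot: `/var/cache/cups(/.*)?` is the only entry in the file labelled at `mls_systemhigh` while every other entry is `s0`; add a comment saying why the cache must be high, especially since it also gets `cupsd_rw_etc_t`, the same type as the writable configuration under `/etc/cups`, so the type and level pairing is doubly surprising. The file otherwise follows path order (and the "keep as separate lines to ensure proper sorting" comment shows ordering matters), yet `/usr/sbin/hp-[^/]+` is listed before `/usr/sbin/cupsd`, and the `/usr/local/Brother`, `/usr/local/Printer` and `/usr/local/linuxprinter` entries come after the `/var` block; reorder them. `/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)` labels every Python file under a data directory as an executable entrypoint for `hplip_t`; a comment naming which hplip scripts are actually executed would help whoever next touches this.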
@@ -0,0 +1,358 @@ +## <summary>Common UNIX printing system</summary> + +######################################## +## <summary> +## Setup cups to transtion to the cups backend domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cups_backend',` + gen_require(` + type cupsd_t; + ') + + domain_type($1) + domain_entry_file($1, $2) + role system_r types $1; + + domtrans_pattern(cupsd_t, $2, $1) + allow cupsd_t $1:process signal; + allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms; + + cups_read_config($1) + cups_append_log($1) +') + +######################################## +## <summary> +## Execute cups in the cups domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cups_domtrans',` + gen_require(` + type cupsd_t, cupsd_exec_t; + ') + + domtrans_pattern($1, cupsd_exec_t, cupsd_t) +') + +######################################## +## <summary> +## Connect to cupsd over an unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cups_stream_connect',` + gen_require(` + type cupsd_t, cupsd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +') + +######################################## +## <summary> +## Connect to cups over TCP. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cups_tcp_connect',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Send and receive messages from +## cups over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`cups_dbus_chat',` + gen_require(` + type cupsd_t; + class dbus send_msg; + ') + + allow $1 cupsd_t:dbus send_msg; + allow cupsd_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Read cups PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cups_read_pid_files',` + gen_require(` + type cupsd_var_run_t; + ') + + files_search_pids($1) + allow $1 cupsd_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Execute cups_config in the cups_config domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cups_domtrans_config',` + gen_require(` + type cupsd_config_t, cupsd_config_exec_t; + ') + + domtrans_pattern($1, cupsd_config_exec_t, cupsd_config_t) +') + +######################################## +## <summary> +## Send generic signals to the cups +## configuration daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cups_signal_config',` + gen_require(` + type cupsd_config_t; + ') + + allow $1 cupsd_config_t:process signal; +') + +######################################## +## <summary> +## Send and receive messages from +## cupsd_config over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cups_dbus_chat_config',` + gen_require(` + type cupsd_config_t; + class dbus send_msg; + ') + + allow $1 cupsd_config_t:dbus send_msg; + allow cupsd_config_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Read cups configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`cups_read_config',` + gen_require(` + type cupsd_etc_t, cupsd_rw_etc_t; + type hplip_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, cupsd_etc_t, cupsd_etc_t) + read_files_pattern($1, hplip_etc_t, hplip_etc_t) + read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) +') + +######################################## +## <summary> +## Read cups-writable configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`cups_read_rw_config',` + gen_require(` + type cupsd_etc_t, cupsd_rw_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) +') + +######################################## +## <summary> +## Read cups log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`cups_read_log',` + gen_require(` + type cupsd_log_t; + ') + + logging_search_logs($1) + allow $1 cupsd_log_t:file read_file_perms; +') + +######################################## +## <summary> +## Append cups log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cups_append_log',` + gen_require(` + type cupsd_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, cupsd_log_t, cupsd_log_t) +') + +######################################## +## <summary> +## Write cups log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cups_write_log',` + gen_require(` + type cupsd_log_t; + ') + + logging_search_logs($1) + allow $1 cupsd_log_t:file write_file_perms; +') + +######################################## +## <summary> +## Connect to ptal over an unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`cups_stream_connect_ptal',` + gen_require(` + type ptal_t, ptal_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an cups environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the cups domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`cups_admin',` + gen_require(` + type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; + type cupsd_etc_t, cupsd_log_t, hplip_etc_t; + type cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_initrc_exec_t; + type cupsd_var_run_t, ptal_etc_t, hplip_var_run_t; + type ptal_var_run_t; + ') + + allow $1 cupsd_t:process { ptrace signal_perms }; + ps_process_pattern($1, cupsd_t) + + init_labeled_script_domtrans($1, cupsd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cupsd_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, cupsd_etc_t) + files_list_etc($1) + + admin_pattern($1, cupsd_config_var_run_t) + + admin_pattern($1, cupsd_log_t) + logging_list_logs($1) + + admin_pattern($1, cupsd_lpd_tmp_t) + + admin_pattern($1, cupsd_lpd_var_run_t) + + admin_pattern($1, cupsd_tmp_t) + files_list_tmp($1) + + admin_pattern($1, cupsd_var_run_t) + files_list_pids($1) + + admin_pattern($1, hplip_etc_t) + + admin_pattern($1, hplip_var_run_t) + + admin_pattern($1, ptal_etc_t) + + admin_pattern($1, ptal_var_run_t) +') diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te new file mode 100644 index 0000000..b3ab30f --- /dev/null +++ b/policy/modules/services/cups.te 
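Review bot: `cups_backend` takes two arguments (`$1` is the backend domain and `$2` the entry-point type used in `domain_entry_file($1, $2)` and `domtrans_pattern(cupsd_t, $2, $1)`), but its header documents only `<param name="domain">`; add a second `<param>` block for the entry-point type so the interface documentation matches the signature, and fix "transtion" in its summary. `cups_admin` also does not cover several types this module declares in cups.te (`cupsd_rw_etc_t`, `cupsd_lock_t`, `cupsd_interface_t`, `hplip_tmp_t`, `hplip_var_lib_t`, `cups_pdf_tmp_t`), so an admin role granted this interface cannot manage those files; either add `admin_pattern` calls for them or document the omission. Grammar: "an cups environment" and "an unix domain stream socket" should read "a cups environment" and "a unix domain stream socket".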
@@ -0,0 +1,799 @@ +policy_module(cups, 1.14.0) + +######################################## +# +# Declarations +# + +type cupsd_config_t; +type cupsd_config_exec_t; +init_daemon_domain(cupsd_config_t, cupsd_config_exec_t) + +type cupsd_config_var_run_t; +files_pid_file(cupsd_config_var_run_t) + +type cupsd_t; +type cupsd_exec_t; +init_daemon_domain(cupsd_t, cupsd_exec_t) +mls_trusted_object(cupsd_t) + +type cupsd_etc_t; +files_config_file(cupsd_etc_t) + +type cupsd_initrc_exec_t; +init_script_file(cupsd_initrc_exec_t) + +type cupsd_interface_t; +files_type(cupsd_interface_t) + +type cupsd_rw_etc_t; +files_config_file(cupsd_rw_etc_t) + +type cupsd_lock_t; +files_lock_file(cupsd_lock_t) + +type cupsd_log_t; +logging_log_file(cupsd_log_t) + +type cupsd_lpd_t; +type cupsd_lpd_exec_t; +domain_type(cupsd_lpd_t) +domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t) +role system_r types cupsd_lpd_t; + +type cupsd_lpd_tmp_t; +files_tmp_file(cupsd_lpd_tmp_t) + +type cupsd_lpd_var_run_t; +files_pid_file(cupsd_lpd_var_run_t) + +type cups_pdf_t; +type cups_pdf_exec_t; +cups_backend(cups_pdf_t, cups_pdf_exec_t) + +type cups_pdf_tmp_t; +files_tmp_file(cups_pdf_tmp_t) + +type cupsd_tmp_t; +files_tmp_file(cupsd_tmp_t) + +type cupsd_var_run_t; +files_pid_file(cupsd_var_run_t) +mls_trusted_object(cupsd_var_run_t) + +type hplip_t; +type hplip_exec_t; +init_daemon_domain(hplip_t, hplip_exec_t) +# For CUPS to run as a backend +cups_backend(hplip_t, hplip_exec_t) + +type hplip_etc_t; +files_config_file(hplip_etc_t) + +type hplip_tmp_t; +files_tmp_file(hplip_tmp_t) + +type hplip_var_lib_t; +files_type(hplip_var_lib_t) + +type hplip_var_run_t; +files_pid_file(hplip_var_run_t) + +type ptal_t; +type ptal_exec_t; +init_daemon_domain(ptal_t, ptal_exec_t) + +type ptal_etc_t; +files_config_file(ptal_etc_t) + +type ptal_var_run_t; +files_pid_file(ptal_var_run_t) + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, s0 - mcs_systemhigh) +') + +ifdef(`enable_mls',` + 
init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh) +') + +######################################## +# +# Cups local policy +# + +# /usr/lib/cups/backend/serial needs sys_admin(?!) +allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config }; +dontaudit cupsd_t self:capability { sys_tty_config net_admin }; +allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; +allow cupsd_t self:fifo_file rw_fifo_file_perms; +allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow cupsd_t self:unix_dgram_socket create_socket_perms; +allow cupsd_t self:netlink_selinux_socket create_socket_perms; +allow cupsd_t self:shm create_shm_perms; +allow cupsd_t self:sem create_sem_perms; +allow cupsd_t self:tcp_socket create_stream_socket_perms; +allow cupsd_t self:udp_socket create_socket_perms; +allow cupsd_t self:appletalk_socket create_socket_perms; +# generic socket here until appletalk socket is available in kernels +allow cupsd_t self:socket create_socket_perms; + +allow cupsd_t cupsd_etc_t:{ dir file } setattr; +read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) +read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) +files_search_etc(cupsd_t) + +manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) +can_exec(cupsd_t, cupsd_interface_t) + +manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) +manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) +filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) +files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file }) + +# allow cups to execute its backend scripts +can_exec(cupsd_t, cupsd_exec_t) +allow cupsd_t cupsd_exec_t:dir search_dir_perms; +allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; + +allow cupsd_t cupsd_lock_t:file manage_file_perms; +files_lock_filetrans(cupsd_t, cupsd_lock_t, file) + 
+manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +allow cupsd_t cupsd_log_t:dir setattr; +logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) + +manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) +manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) +manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) +files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) + +allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms; +manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) +manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) +manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) +manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) +files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir file fifo_file }) + +allow cupsd_t hplip_t:process { signal sigkill }; + +read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) + +allow cupsd_t hplip_var_run_t:file read_file_perms; + +stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) +allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; + +kernel_read_system_state(cupsd_t) +kernel_read_network_state(cupsd_t) +kernel_read_all_sysctls(cupsd_t) +kernel_request_load_module(cupsd_t) + +corenet_all_recvfrom_unlabeled(cupsd_t) +corenet_all_recvfrom_netlabel(cupsd_t) +corenet_tcp_sendrecv_generic_if(cupsd_t) +corenet_udp_sendrecv_generic_if(cupsd_t) +corenet_raw_sendrecv_generic_if(cupsd_t) +corenet_tcp_sendrecv_generic_node(cupsd_t) +corenet_udp_sendrecv_generic_node(cupsd_t) +corenet_raw_sendrecv_generic_node(cupsd_t) +corenet_tcp_sendrecv_all_ports(cupsd_t) +corenet_udp_sendrecv_all_ports(cupsd_t) +corenet_tcp_bind_generic_node(cupsd_t) +corenet_udp_bind_generic_node(cupsd_t) +corenet_tcp_bind_ipp_port(cupsd_t) +corenet_udp_bind_ipp_port(cupsd_t) +corenet_udp_bind_howl_port(cupsd_t) +corenet_tcp_bind_reserved_port(cupsd_t) 
+corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) +corenet_tcp_bind_all_rpc_ports(cupsd_t) +corenet_tcp_connect_all_ports(cupsd_t) +corenet_sendrecv_hplip_client_packets(cupsd_t) +corenet_sendrecv_ipp_client_packets(cupsd_t) +corenet_sendrecv_ipp_server_packets(cupsd_t) + +dev_rw_printer(cupsd_t) +dev_read_urand(cupsd_t) +dev_read_sysfs(cupsd_t) +dev_rw_input_dev(cupsd_t) #447878 +dev_rw_generic_usb_dev(cupsd_t) +dev_rw_usbfs(cupsd_t) +dev_getattr_printer_dev(cupsd_t) + +domain_read_all_domains_state(cupsd_t) + +fs_getattr_all_fs(cupsd_t) +fs_search_auto_mountpoints(cupsd_t) +fs_search_fusefs(cupsd_t) +fs_read_anon_inodefs_files(cupsd_t) + +mls_file_downgrade(cupsd_t) +mls_file_write_all_levels(cupsd_t) +mls_file_read_all_levels(cupsd_t) +mls_rangetrans_target(cupsd_t) +mls_socket_write_all_levels(cupsd_t) +mls_fd_use_all_levels(cupsd_t) + +term_use_unallocated_ttys(cupsd_t) +term_search_ptys(cupsd_t) + +# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp +corecmd_exec_shell(cupsd_t) +corecmd_exec_bin(cupsd_t) + +domain_use_interactive_fds(cupsd_t) + +files_list_spool(cupsd_t) +files_read_etc_files(cupsd_t) +files_read_etc_runtime_files(cupsd_t) +# read python modules +files_read_usr_files(cupsd_t) +# for /var/lib/defoma +files_read_var_lib_files(cupsd_t) +files_list_world_readable(cupsd_t) +files_read_world_readable_files(cupsd_t) +files_read_world_readable_symlinks(cupsd_t) +# Satisfy readahead +files_read_var_files(cupsd_t) +files_read_var_symlinks(cupsd_t) +# for /etc/printcap +files_dontaudit_write_etc_files(cupsd_t) +# smbspool seems to be iterating through all existing tmp files. 
+# redhat bug #214953 +# cjp: this might be a broken behavior +files_dontaudit_getattr_all_tmp_files(cupsd_t) + +selinux_compute_access_vector(cupsd_t) +selinux_validate_context(cupsd_t) + +init_exec_script_files(cupsd_t) +init_read_utmp(cupsd_t) + +auth_domtrans_chk_passwd(cupsd_t) +auth_dontaudit_read_pam_pid(cupsd_t) +auth_rw_faillog(cupsd_t) +auth_use_nsswitch(cupsd_t) + +# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* +libs_read_lib_files(cupsd_t) +libs_exec_lib_files(cupsd_t) + +logging_send_audit_msgs(cupsd_t) +logging_send_syslog_msg(cupsd_t) + +miscfiles_read_localization(cupsd_t) +# invoking ghostscript needs to read fonts +miscfiles_read_fonts(cupsd_t) +miscfiles_setattr_fonts_cache_dirs(cupsd_t) + +seutil_read_config(cupsd_t) +sysnet_exec_ifconfig(cupsd_t) + +files_dontaudit_list_home(cupsd_t) +userdom_dontaudit_use_unpriv_user_fds(cupsd_t) +userdom_dontaudit_search_user_home_content(cupsd_t) + +# Write to /var/spool/cups. +lpd_manage_spool(cupsd_t) +lpd_read_config(cupsd_t) +lpd_exec_lpr(cupsd_t) +lpd_relabel_spool(cupsd_t) + +optional_policy(` + apm_domtrans_client(cupsd_t) +') + +optional_policy(` + cron_system_entry(cupsd_t, cupsd_exec_t) +') + +optional_policy(` + dbus_system_bus_client(cupsd_t) + + userdom_dbus_send_all_users(cupsd_t) + + optional_policy(` + avahi_dbus_chat(cupsd_t) + ') + + optional_policy(` + hal_dbus_chat(cupsd_t) + ') + + # talk to processes that do not have policy + optional_policy(` + unconfined_dbus_chat(cupsd_t) + files_write_generic_pid_pipes(cupsd_t) + ') +') + +optional_policy(` + hostname_exec(cupsd_t) +') + +optional_policy(` + inetd_core_service_domain(cupsd_t, cupsd_exec_t) +') + +optional_policy(` + logrotate_domtrans(cupsd_t) +') + +optional_policy(` + mta_send_mail(cupsd_t) +') + +optional_policy(` + # cups execs smbtool which reads samba_etc_t files + samba_read_config(cupsd_t) + samba_rw_var_files(cupsd_t) +') + +optional_policy(` + seutil_sigchld_newrole(cupsd_t) +') + +optional_policy(` + 
snmp_read_snmp_var_lib_files(cupsd_t) +') + +optional_policy(` + udev_read_db(cupsd_t) +') + +######################################## +# +# Cups configuration daemon local policy +# + +allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; +dontaudit cupsd_config_t self:capability sys_tty_config; +allow cupsd_config_t self:process { getsched signal_perms }; +allow cupsd_config_t self:fifo_file rw_fifo_file_perms; +allow cupsd_config_t self:unix_stream_socket create_socket_perms; +allow cupsd_config_t self:unix_dgram_socket create_socket_perms; +allow cupsd_config_t self:tcp_socket create_stream_socket_perms; + +allow cupsd_config_t cupsd_t:process signal; +ps_process_pattern(cupsd_config_t, cupsd_t) + +manage_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t) +manage_lnk_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t) +filetrans_pattern(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file) + +manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t) +manage_lnk_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t) +files_var_filetrans(cupsd_config_t, cupsd_rw_etc_t, file) + +can_exec(cupsd_config_t, cupsd_config_exec_t) + +allow cupsd_config_t cupsd_log_t:file rw_file_perms; + +manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) +manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) +manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t) +files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) + +allow cupsd_config_t cupsd_var_run_t:file read_file_perms; + +manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) +manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) +files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) + +domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) + +read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) + +kernel_read_system_state(cupsd_config_t) 
+kernel_read_all_sysctls(cupsd_config_t) + +corenet_all_recvfrom_unlabeled(cupsd_config_t) +corenet_all_recvfrom_netlabel(cupsd_config_t) +corenet_tcp_sendrecv_generic_if(cupsd_config_t) +corenet_tcp_sendrecv_generic_node(cupsd_config_t) +corenet_tcp_sendrecv_all_ports(cupsd_config_t) +corenet_tcp_connect_all_ports(cupsd_config_t) +corenet_sendrecv_all_client_packets(cupsd_config_t) + +dev_read_sysfs(cupsd_config_t) +dev_read_urand(cupsd_config_t) +dev_read_rand(cupsd_config_t) +dev_rw_generic_usb_dev(cupsd_config_t) + +files_search_all_mountpoints(cupsd_config_t) + +fs_getattr_all_fs(cupsd_config_t) +fs_search_auto_mountpoints(cupsd_config_t) + +corecmd_exec_bin(cupsd_config_t) +corecmd_exec_shell(cupsd_config_t) + +domain_use_interactive_fds(cupsd_config_t) +# killall causes the following +domain_dontaudit_search_all_domains_state(cupsd_config_t) + +files_read_usr_files(cupsd_config_t) +files_read_etc_files(cupsd_config_t) +files_read_etc_runtime_files(cupsd_config_t) +files_read_var_symlinks(cupsd_config_t) + +# Alternatives asks for this +init_getattr_all_script_files(cupsd_config_t) + +auth_use_nsswitch(cupsd_config_t) + +logging_send_syslog_msg(cupsd_config_t) + +miscfiles_read_localization(cupsd_config_t) +miscfiles_read_hwdata(cupsd_config_t) + +seutil_dontaudit_search_config(cupsd_config_t) + +userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) +userdom_dontaudit_search_user_home_dirs(cupsd_config_t) +userdom_rw_user_tmp_files(cupsd_config_t) + +cups_stream_connect(cupsd_config_t) + +lpd_read_config(cupsd_config_t) + +ifdef(`distro_redhat',` + optional_policy(` + rpm_read_db(cupsd_config_t) + ') +') + +optional_policy(` + term_use_generic_ptys(cupsd_config_t) +') + +optional_policy(` + cron_system_entry(cupsd_config_t, cupsd_config_exec_t) +') + +optional_policy(` + dbus_system_domain(cupsd_config_t, cupsd_config_exec_t) + + optional_policy(` + hal_dbus_chat(cupsd_config_t) + ') +') + +optional_policy(` + gnome_dontaudit_search_config(cupsd_config_t) +') 
+ +optional_policy(` + hal_domtrans(cupsd_config_t) + hal_read_tmp_files(cupsd_config_t) + hal_dontaudit_use_fds(hplip_t) +') + +optional_policy(` + hostname_exec(cupsd_config_t) +') + +optional_policy(` + logrotate_use_fds(cupsd_config_t) +') + +optional_policy(` + policykit_dbus_chat(cupsd_config_t) + userdom_read_all_users_state(cupsd_config_t) +') + +optional_policy(` + rpm_read_db(cupsd_config_t) +') + +optional_policy(` + seutil_sigchld_newrole(cupsd_config_t) +') + +optional_policy(` + udev_read_db(cupsd_config_t) +') + +optional_policy(` + unconfined_stream_connect(cupsd_config_t) +') + +######################################## +# +# Cups lpd support +# + +allow cupsd_lpd_t self:process signal_perms; +allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms; +allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms; +allow cupsd_lpd_t self:udp_socket create_socket_perms; + +# for identd +# cjp: this should probably only be inetd_child rules? +allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +allow cupsd_lpd_t self:capability { setuid setgid }; +files_search_home(cupsd_lpd_t) +optional_policy(` + kerberos_use(cupsd_lpd_t) +') +#end for identd + +allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms; +read_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t) +read_lnk_files_pattern(cupsd_lpd_t, cupsd_etc_t, cupsd_etc_t) + +allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms; +read_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t) +read_lnk_files_pattern(cupsd_lpd_t, cupsd_rw_etc_t, cupsd_rw_etc_t) + +manage_dirs_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t) +manage_files_pattern(cupsd_lpd_t, cupsd_lpd_tmp_t, cupsd_lpd_tmp_t) +files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir }) + +manage_files_pattern(cupsd_lpd_t, cupsd_lpd_var_run_t, cupsd_lpd_var_run_t) +files_pid_filetrans(cupsd_lpd_t, cupsd_lpd_var_run_t, file) + +kernel_read_kernel_sysctls(cupsd_lpd_t) +kernel_read_system_state(cupsd_lpd_t) 
+kernel_read_network_state(cupsd_lpd_t) + +corenet_all_recvfrom_unlabeled(cupsd_lpd_t) +corenet_all_recvfrom_netlabel(cupsd_lpd_t) +corenet_tcp_sendrecv_generic_if(cupsd_lpd_t) +corenet_udp_sendrecv_generic_if(cupsd_lpd_t) +corenet_tcp_sendrecv_generic_node(cupsd_lpd_t) +corenet_udp_sendrecv_generic_node(cupsd_lpd_t) +corenet_tcp_sendrecv_all_ports(cupsd_lpd_t) +corenet_udp_sendrecv_all_ports(cupsd_lpd_t) +corenet_tcp_bind_generic_node(cupsd_lpd_t) +corenet_udp_bind_generic_node(cupsd_lpd_t) +corenet_tcp_connect_ipp_port(cupsd_lpd_t) + +dev_read_urand(cupsd_lpd_t) +dev_read_rand(cupsd_lpd_t) + +fs_getattr_xattr_fs(cupsd_lpd_t) + +files_read_etc_files(cupsd_lpd_t) + +auth_use_nsswitch(cupsd_lpd_t) + +logging_send_syslog_msg(cupsd_lpd_t) + +miscfiles_read_localization(cupsd_lpd_t) +miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) + +cups_stream_connect(cupsd_lpd_t) + +optional_policy(` + inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) +') + +######################################## +# +# cups_pdf local policy +# + +allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; +allow cups_pdf_t self:fifo_file rw_file_perms; +allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; + +manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) + +manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) +manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) +files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) + +fs_rw_anon_inodefs_files(cups_pdf_t) + +kernel_read_system_state(cups_pdf_t) + +files_read_etc_files(cups_pdf_t) +files_read_usr_files(cups_pdf_t) + +corecmd_exec_shell(cups_pdf_t) +corecmd_exec_bin(cups_pdf_t) + +auth_use_nsswitch(cups_pdf_t) + +miscfiles_read_localization(cups_pdf_t) +miscfiles_read_fonts(cups_pdf_t) +miscfiles_setattr_fonts_cache_dirs(cups_pdf_t) + +userdom_home_filetrans_user_home_dir(cups_pdf_t) +userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir }) 
+userdom_manage_user_home_content_dirs(cups_pdf_t) +userdom_manage_user_home_content_files(cups_pdf_t) +userdom_dontaudit_search_admin_dir(cups_pdf_t) + +lpd_manage_spool(cups_pdf_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_search_auto_mountpoints(cups_pdf_t) + fs_manage_nfs_dirs(cups_pdf_t) + fs_manage_nfs_files(cups_pdf_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(cups_pdf_t) + fs_manage_cifs_files(cups_pdf_t) +') + +optional_policy(` + gnome_read_config(cups_pdf_t) +') + +######################################## +# +# HPLIP local policy +# + +# Needed for USB Scanneer and xsane +allow hplip_t self:capability { dac_override dac_read_search net_raw }; +dontaudit hplip_t self:capability sys_tty_config; +allow hplip_t self:fifo_file rw_fifo_file_perms; +allow hplip_t self:process signal_perms; +allow hplip_t self:unix_dgram_socket create_socket_perms; +allow hplip_t self:unix_stream_socket create_socket_perms; +allow hplip_t self:netlink_route_socket r_netlink_socket_perms; +allow hplip_t self:tcp_socket create_stream_socket_perms; +allow hplip_t self:udp_socket create_socket_perms; +allow hplip_t self:rawip_socket create_socket_perms; + +allow hplip_t cupsd_etc_t:dir search_dir_perms; +manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) +manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) +files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir }) + +cups_stream_connect(hplip_t) + +allow hplip_t hplip_etc_t:dir list_dir_perms; +read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) +read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) +files_search_etc(hplip_t) + +manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) + +manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) +files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file) + +manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) +files_pid_filetrans(hplip_t, hplip_var_run_t, file) 
+ +kernel_read_system_state(hplip_t) +kernel_read_kernel_sysctls(hplip_t) + +corenet_all_recvfrom_unlabeled(hplip_t) +corenet_all_recvfrom_netlabel(hplip_t) +corenet_tcp_sendrecv_generic_if(hplip_t) +corenet_udp_sendrecv_generic_if(hplip_t) +corenet_raw_sendrecv_generic_if(hplip_t) +corenet_tcp_sendrecv_generic_node(hplip_t) +corenet_udp_sendrecv_generic_node(hplip_t) +corenet_raw_sendrecv_generic_node(hplip_t) +corenet_tcp_sendrecv_all_ports(hplip_t) +corenet_udp_sendrecv_all_ports(hplip_t) +corenet_tcp_bind_generic_node(hplip_t) +corenet_udp_bind_generic_node(hplip_t) +corenet_tcp_bind_hplip_port(hplip_t) +corenet_tcp_connect_hplip_port(hplip_t) +corenet_tcp_connect_ipp_port(hplip_t) +corenet_sendrecv_hplip_client_packets(hplip_t) +corenet_receive_hplip_server_packets(hplip_t) +corenet_udp_bind_howl_port(hplip_t) + +dev_read_sysfs(hplip_t) +dev_rw_printer(hplip_t) +dev_read_urand(hplip_t) +dev_read_rand(hplip_t) +dev_rw_generic_usb_dev(hplip_t) +dev_rw_usbfs(hplip_t) + +fs_getattr_all_fs(hplip_t) +fs_search_auto_mountpoints(hplip_t) +fs_rw_anon_inodefs_files(hplip_t) + +# for python +corecmd_exec_bin(hplip_t) + +domain_use_interactive_fds(hplip_t) + +files_read_etc_files(hplip_t) +files_read_etc_runtime_files(hplip_t) +files_read_usr_files(hplip_t) + +logging_send_syslog_msg(hplip_t) + +miscfiles_read_localization(hplip_t) + +sysnet_read_config(hplip_t) + +userdom_dontaudit_use_unpriv_user_fds(hplip_t) +userdom_dontaudit_search_user_home_dirs(hplip_t) +userdom_dontaudit_search_user_home_content(hplip_t) + +lpd_read_config(hplip_t) +lpd_manage_spool(hplip_t) + +optional_policy(` + dbus_system_bus_client(hplip_t) +') + +optional_policy(` + seutil_sigchld_newrole(hplip_t) +') + +optional_policy(` + snmp_read_snmp_var_lib_files(hplip_t) +') + +optional_policy(` + udev_read_db(hplip_t) +') + +######################################## +# +# PTAL local policy +# + +allow ptal_t self:capability { chown sys_rawio }; +dontaudit ptal_t self:capability sys_tty_config; +allow 
ptal_t self:fifo_file rw_fifo_file_perms; +allow ptal_t self:unix_dgram_socket create_socket_perms; +allow ptal_t self:unix_stream_socket create_stream_socket_perms; +allow ptal_t self:tcp_socket create_stream_socket_perms; + +allow ptal_t ptal_etc_t:dir list_dir_perms; +read_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t) +read_lnk_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t) +files_search_etc(ptal_t) + +manage_dirs_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) +manage_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) +manage_lnk_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) +manage_fifo_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) +manage_sock_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t) +files_pid_filetrans(ptal_t, ptal_var_run_t, { dir file lnk_file sock_file fifo_file }) + +kernel_read_kernel_sysctls(ptal_t) +kernel_list_proc(ptal_t) +kernel_read_proc_symlinks(ptal_t) + +corenet_all_recvfrom_unlabeled(ptal_t) +corenet_all_recvfrom_netlabel(ptal_t) +corenet_tcp_sendrecv_generic_if(ptal_t) +corenet_tcp_sendrecv_generic_node(ptal_t) +corenet_tcp_sendrecv_all_ports(ptal_t) +corenet_tcp_bind_generic_node(ptal_t) +corenet_tcp_bind_ptal_port(ptal_t) + +dev_read_sysfs(ptal_t) +dev_read_usbfs(ptal_t) +dev_rw_printer(ptal_t) + +fs_getattr_all_fs(ptal_t) +fs_search_auto_mountpoints(ptal_t) + +domain_use_interactive_fds(ptal_t) + +files_read_etc_files(ptal_t) +files_read_etc_runtime_files(ptal_t) + +logging_send_syslog_msg(ptal_t) + +miscfiles_read_localization(ptal_t) + +sysnet_read_config(ptal_t) + +userdom_dontaudit_use_unpriv_user_fds(ptal_t) +userdom_dontaudit_search_user_home_content(ptal_t) + +optional_policy(` + seutil_sigchld_newrole(ptal_t) +') + +optional_policy(` + udev_read_db(ptal_t) +') diff --git a/policy/modules/services/cvs.fc b/policy/modules/services/cvs.fc new file mode 100644 index 0000000..48a30de --- /dev/null +++ b/policy/modules/services/cvs.fc 
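Review bot: the cupsd_t `self:capability` allow at the top of the "Cups local policy" section lists `dac_override` twice and grants `sys_tty_config`, which the very next `dontaudit` line also silences; drop the duplicate and decide whether sys_tty_config is allowed or dontaudited, not both. The same line gives a network-facing daemon `sys_admin`, `sys_rawio`, `dac_override` and `dac_read_search` (the comment itself questions sys_admin), next to `corenet_tcp_connect_all_ports`, `mls_file_write_all_levels` and `mls_file_downgrade`; each of these should carry a comment naming the backend or filter that needs it, as the serial-backend comment does, so the grant can be re-examined later. In the cupsd_config section, `rpm_read_db(cupsd_config_t)` appears both inside the `distro_redhat` ifdef and again unconditionally a few blocks later, so the ifdef'd copy is redundant, and `hal_dontaudit_use_fds(hplip_t)` sits in the cupsd_config_t hal block but names hplip_t, which belongs in the HPLIP section (or should read cupsd_config_t). Minor: `allow cups_pdf_t self:fifo_file rw_file_perms;` should use `rw_fifo_file_perms` like the other domains, and "Scanneer" in the HPLIP comment is a typo.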
@@ -0,0 +1,10 @@ + +/opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) + +/usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0) + +/var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) + +#CVSWeb file context +/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) +/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if new file mode 100644 index 0000000..5bf3e60 --- /dev/null +++ b/policy/modules/services/cvs.if 
@@ -0,0 +1,81 @@ +## <summary>Concurrent versions system</summary> + +######################################## +## <summary> +## Read the CVS data and metadata. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cvs_read_data',` + gen_require(` + type cvs_data_t; + ') + + list_dirs_pattern($1, cvs_data_t, cvs_data_t) + read_files_pattern($1, cvs_data_t, cvs_data_t) + read_lnk_files_pattern($1, cvs_data_t, cvs_data_t) +') + +######################################## +## <summary> +## Allow the specified domain to execute cvs +## in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cvs_exec',` + gen_require(` + type cvs_exec_t; + ') + + can_exec($1, cvs_exec_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an cvs environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the cvs domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`cvs_admin',` + gen_require(` + type cvs_t, cvs_tmp_t, cvs_initrc_exec_t; + type cvs_data_t, cvs_var_run_t; + ') + + allow $1 cvs_t:process { ptrace signal_perms }; + ps_process_pattern($1, cvs_t) + + # Allow cvs_t to restart the apache service + init_labeled_script_domtrans($1, cvs_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cvs_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, cvs_tmp_t) + + admin_pattern($1, cvs_data_t) + + files_list_pids($1) + admin_pattern($1, cvs_var_run_t) +') diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te new file mode 100644 index 0000000..e18dc0b --- /dev/null +++ b/policy/modules/services/cvs.te 
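Review bot: the comment `# Allow cvs_t to restart the apache service` above `init_labeled_script_domtrans($1, cvs_initrc_exec_t)` in `cvs_admin` is wrong on both counts: the rule lets the admin domain `$1`, not cvs_t, run the init script, and the script is the cvs one, not apache's; replace it with something like `# Allow the admin domain to run the cvs init script`. Also "an cvs environment" in the summary should be "a cvs environment".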
@@ -0,0 +1,116 @@ +policy_module(cvs, 1.9.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow cvs daemon to read shadow +## </p> +## </desc> +gen_tunable(allow_cvs_read_shadow, false) + +type cvs_t; +type cvs_exec_t; +inetd_tcp_service_domain(cvs_t, cvs_exec_t) +application_executable_file(cvs_exec_t) +role system_r types cvs_t; + +type cvs_data_t; # customizable +files_type(cvs_data_t) + +type cvs_initrc_exec_t; +init_script_file(cvs_initrc_exec_t) + +type cvs_tmp_t; +files_tmp_file(cvs_tmp_t) + +type cvs_var_run_t; +files_pid_file(cvs_var_run_t) + +######################################## +# +# Local policy +# + +allow cvs_t self:capability { setuid setgid }; +allow cvs_t self:process signal_perms; +allow cvs_t self:fifo_file rw_fifo_file_perms; +allow cvs_t self:tcp_socket connected_stream_socket_perms; +# for identd; cjp: this should probably only be inetd_child rules? +allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms; + +manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t) +manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t) +manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t) + +manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t) +manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t) +files_tmp_filetrans(cvs_t, cvs_tmp_t, { file dir }) + +manage_files_pattern(cvs_t, cvs_var_run_t, cvs_var_run_t) +files_pid_filetrans(cvs_t, cvs_var_run_t, file) + +kernel_read_kernel_sysctls(cvs_t) +kernel_read_system_state(cvs_t) +kernel_read_network_state(cvs_t) + +corenet_all_recvfrom_unlabeled(cvs_t) +corenet_all_recvfrom_netlabel(cvs_t) +corenet_tcp_sendrecv_generic_if(cvs_t) +corenet_udp_sendrecv_generic_if(cvs_t) +corenet_tcp_sendrecv_generic_node(cvs_t) +corenet_udp_sendrecv_generic_node(cvs_t) +corenet_tcp_sendrecv_all_ports(cvs_t) +corenet_udp_sendrecv_all_ports(cvs_t) + +dev_read_urand(cvs_t) + +fs_getattr_xattr_fs(cvs_t) + +auth_domtrans_chk_passwd(cvs_t) +auth_use_nsswitch(cvs_t) + +corecmd_exec_bin(cvs_t) 
+corecmd_exec_shell(cvs_t) + +files_read_etc_files(cvs_t) +files_read_etc_runtime_files(cvs_t) +# for identd; cjp: this should probably only be inetd_child rules? +files_search_home(cvs_t) + +logging_send_syslog_msg(cvs_t) +logging_send_audit_msgs(cvs_t) + +miscfiles_read_localization(cvs_t) + +mta_send_mail(cvs_t) + +# cjp: typeattribute doesnt work in conditionals yet +auth_can_read_shadow_passwords(cvs_t) +tunable_policy(`allow_cvs_read_shadow',` + allow cvs_t self:capability dac_override; + auth_tunable_read_shadow(cvs_t) +') + +optional_policy(` + kerberos_keytab_template(cvs, cvs_t) + kerberos_read_config(cvs_t) + kerberos_dontaudit_write_config(cvs_t) +') + +######################################## +# +# CVSWeb policy +# + +optional_policy(` + apache_content_template(cvs) + + read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) + manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) +') diff --git a/policy/modules/services/cyphesis.fc b/policy/modules/services/cyphesis.fc new file mode 100644 index 0000000..c47a772 --- /dev/null +++ b/policy/modules/services/cyphesis.fc @@ -0,0 +1,5 @@ +/usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0) + +/var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0) + +/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0) diff --git a/policy/modules/services/cyphesis.if b/policy/modules/services/cyphesis.if new file mode 100644 index 0000000..7e9057e --- /dev/null +++ b/policy/modules/services/cyphesis.if 
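Review bot: the CVSWeb block in cvs.te grants read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) but no directory or symlink access, so the CGI can open repository files it already knows by name but cannot list a cvs_data_t directory, which is what a repository browser does; cvs_read_data in cvs.if pairs the same read_files_pattern with list_dirs_pattern and read_lnk_files_pattern, and this block should do the same. Separately, auth_can_read_shadow_passwords(cvs_t) is applied unconditionally while only the dac_override and auth_tunable_read_shadow rules are gated by allow_cvs_read_shadow (the cjp comment explains why); that split deserves a sentence in the tunable's <desc> so an admin toggling it knows what is and is not affected.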
@@ -0,0 +1,19 @@ +## <summary>Cyphesis WorldForge game server</summary> + +######################################## +## <summary> +## Execute a domain transition to run cyphesis. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cyphesis_domtrans',` + gen_require(` + type cyphesis_t, cyphesis_exec_t; + ') + + domtrans_pattern($1, cyphesis_exec_t, cyphesis_t) +') diff --git a/policy/modules/services/cyphesis.te b/policy/modules/services/cyphesis.te new file mode 100644 index 0000000..1f789f8 --- /dev/null +++ b/policy/modules/services/cyphesis.te 
@@ -0,0 +1,85 @@ +policy_module(cyphesis, 1.2.0) + +######################################## +# +# Declarations +# + +type cyphesis_t; +type cyphesis_exec_t; +init_daemon_domain(cyphesis_t, cyphesis_exec_t) + +type cyphesis_log_t; +logging_log_file(cyphesis_log_t) + +type cyphesis_tmp_t; +files_tmp_file(cyphesis_tmp_t) + +type cyphesis_var_run_t; +files_pid_file(cyphesis_var_run_t) + +######################################## +# +# cyphesis local policy +# + +allow cyphesis_t self:process { setfscreate setsched signal }; +allow cyphesis_t self:fifo_file rw_fifo_file_perms; +allow cyphesis_t self:tcp_socket create_stream_socket_perms; +allow cyphesis_t self:unix_stream_socket create_stream_socket_perms; +allow cyphesis_t self:unix_dgram_socket create_socket_perms; + +manage_files_pattern(cyphesis_t, cyphesis_log_t, cyphesis_log_t) +logging_log_filetrans(cyphesis_t, cyphesis_log_t, file) + +# DAN > Does cyphesis really create a sock_file in /tmp? Why? +allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms; +files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, file) + +manage_dirs_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) +manage_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) +manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t) +files_pid_filetrans(cyphesis_t, cyphesis_var_run_t, { dir file sock_file }) + +kernel_read_system_state(cyphesis_t) +kernel_read_kernel_sysctls(cyphesis_t) + +# DAN> What is cyphesis looking for in /bin? 
+corecmd_search_bin(cyphesis_t) +corecmd_getattr_bin_files(cyphesis_t) + +corenet_all_recvfrom_unlabeled(cyphesis_t) +corenet_tcp_sendrecv_generic_if(cyphesis_t) +corenet_tcp_sendrecv_generic_node(cyphesis_t) +corenet_tcp_sendrecv_all_ports(cyphesis_t) +corenet_tcp_bind_generic_node(cyphesis_t) +corenet_tcp_bind_cyphesis_port(cyphesis_t) +corenet_sendrecv_cyphesis_server_packets(cyphesis_t) + +dev_read_urand(cyphesis_t) + +# Init script handling +domain_use_interactive_fds(cyphesis_t) + +files_read_etc_files(cyphesis_t) +files_read_usr_files(cyphesis_t) + +logging_send_syslog_msg(cyphesis_t) + +miscfiles_read_localization(cyphesis_t) + +sysnet_dns_name_resolve(cyphesis_t) + +# cyphesis wants to talk to avahi via dbus +optional_policy(` + avahi_dbus_chat(cyphesis_t) + dbus_system_bus_client(cyphesis_t) +') + +optional_policy(` + kerberos_use(cyphesis_t) +') + +optional_policy(` + postgresql_stream_connect(cyphesis_t) +') diff --git a/policy/modules/services/cyrus.fc b/policy/modules/services/cyrus.fc new file mode 100644 index 0000000..445d93d --- /dev/null +++ b/policy/modules/services/cyrus.fc @@ -0,0 +1,5 @@ +/etc/rc\.d/init\.d/cyrus -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0) + +/usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0) + +/var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) diff --git a/policy/modules/services/cyrus.if b/policy/modules/services/cyrus.if new file mode 100644 index 0000000..e4e86d0 --- /dev/null +++ b/policy/modules/services/cyrus.if 
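Review bot: in cyphesis.te, files_tmp_filetrans(cyphesis_t, cyphesis_tmp_t, file) transitions regular files into cyphesis_tmp_t, yet the only rule on that type is `allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms;`, so a socket created in /tmp would not receive the transition and a regular file that did would be unusable. If the DAN comment above it is right that the daemon creates a sock_file in /tmp, the transition class should be sock_file; that open question should be settled before this merges rather than carried in a comment.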
@@ -0,0 +1,81 @@ +## <summary>Cyrus is an IMAP service intended to be run on sealed servers</summary> + +######################################## +## <summary> +## Allow caller to create, read, write, +## and delete cyrus data files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cyrus_manage_data',` + gen_require(` + type cyrus_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t) +') + +######################################## +## <summary> +## Connect to Cyrus using a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cyrus_stream_connect',` + gen_require(` + type cyrus_t, cyrus_var_lib_t; + ') + + files_search_var_lib($1) + stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an cyrus environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the cyrus domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`cyrus_admin',` + gen_require(` + type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t; + type cyrus_var_run_t, cyrus_initrc_exec_t; + ') + + allow $1 cyrus_t:process { ptrace signal_perms }; + ps_process_pattern($1, cyrus_t) + + init_labeled_script_domtrans($1, cyrus_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cyrus_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, cyrus_tmp_t) + + files_list_var_lib($1) + admin_pattern($1, cyrus_var_lib_t) + + files_list_pids($1) + admin_pattern($1, cyrus_var_run_t) +') 
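Review bot: cyrus_manage_data's summary promises create, read, write and delete of cyrus data files and manage_files_pattern delivers that, but there is no manage_dirs_pattern, so a caller still cannot create or remove subdirectories under cyrus_var_lib_t; either narrow the summary to files or add the dirs pattern. The cyrus_admin summary has the same "administrate an cyrus environment" wording as cvs.if; should be "a cyrus environment".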
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te new file mode 100644 index 0000000..f80e725 --- /dev/null +++ b/policy/modules/services/cyrus.te 
@@ -0,0 +1,146 @@ +policy_module(cyrus, 1.10.0) + +######################################## +# +# Declarations +# + +type cyrus_t; +type cyrus_exec_t; +init_daemon_domain(cyrus_t, cyrus_exec_t) + +type cyrus_initrc_exec_t; +init_script_file(cyrus_initrc_exec_t) + +type cyrus_tmp_t; +files_tmp_file(cyrus_tmp_t) + +type cyrus_var_lib_t; +files_type(cyrus_var_lib_t) + +type cyrus_var_run_t; +files_pid_file(cyrus_var_run_t) + +######################################## +# +# Local policy +# + +allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource }; +dontaudit cyrus_t self:capability sys_tty_config; +allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow cyrus_t self:process setrlimit; +allow cyrus_t self:fd use; +allow cyrus_t self:fifo_file rw_fifo_file_perms; +allow cyrus_t self:sock_file read_sock_file_perms; +allow cyrus_t self:shm create_shm_perms; +allow cyrus_t self:sem create_sem_perms; +allow cyrus_t self:msgq create_msgq_perms; +allow cyrus_t self:msg { send receive }; +allow cyrus_t self:unix_dgram_socket create_socket_perms; +allow cyrus_t self:unix_stream_socket create_stream_socket_perms; +allow cyrus_t self:unix_dgram_socket sendto; +allow cyrus_t self:unix_stream_socket connectto; +allow cyrus_t self:tcp_socket create_stream_socket_perms; +allow cyrus_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t) +manage_files_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t) +files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { file dir }) + +manage_dirs_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) +manage_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) +manage_lnk_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) +manage_sock_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) +files_pid_filetrans(cyrus_t, cyrus_var_run_t, file) + +manage_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t) 
+manage_sock_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t) +files_pid_filetrans(cyrus_t, cyrus_var_run_t, { file sock_file }) + +kernel_read_kernel_sysctls(cyrus_t) +kernel_read_system_state(cyrus_t) +kernel_read_all_sysctls(cyrus_t) + +corenet_all_recvfrom_unlabeled(cyrus_t) +corenet_all_recvfrom_netlabel(cyrus_t) +corenet_tcp_sendrecv_generic_if(cyrus_t) +corenet_udp_sendrecv_generic_if(cyrus_t) +corenet_tcp_sendrecv_generic_node(cyrus_t) +corenet_udp_sendrecv_generic_node(cyrus_t) +corenet_tcp_sendrecv_all_ports(cyrus_t) +corenet_udp_sendrecv_all_ports(cyrus_t) +corenet_tcp_bind_generic_node(cyrus_t) +corenet_tcp_bind_mail_port(cyrus_t) +corenet_tcp_bind_lmtp_port(cyrus_t) +corenet_tcp_bind_pop_port(cyrus_t) +corenet_tcp_bind_sieve_port(cyrus_t) +corenet_tcp_connect_all_ports(cyrus_t) +corenet_sendrecv_mail_server_packets(cyrus_t) +corenet_sendrecv_pop_server_packets(cyrus_t) +corenet_sendrecv_lmtp_server_packets(cyrus_t) +corenet_sendrecv_all_client_packets(cyrus_t) + +dev_read_rand(cyrus_t) +dev_read_urand(cyrus_t) +dev_read_sysfs(cyrus_t) + +fs_getattr_all_fs(cyrus_t) +fs_search_auto_mountpoints(cyrus_t) + +corecmd_exec_bin(cyrus_t) + +domain_use_interactive_fds(cyrus_t) + +files_list_var_lib(cyrus_t) +files_read_etc_files(cyrus_t) +files_read_etc_runtime_files(cyrus_t) +files_read_usr_files(cyrus_t) + +auth_use_nsswitch(cyrus_t) + +libs_exec_lib_files(cyrus_t) + +logging_send_syslog_msg(cyrus_t) + +miscfiles_read_localization(cyrus_t) +miscfiles_read_generic_certs(cyrus_t) + +sysnet_read_config(cyrus_t) + +userdom_use_unpriv_users_fds(cyrus_t) +userdom_dontaudit_search_user_home_dirs(cyrus_t) + +mta_manage_spool(cyrus_t) +mta_send_mail(cyrus_t) + +optional_policy(` + cron_system_entry(cyrus_t, cyrus_exec_t) +') + +optional_policy(` + kerberos_keytab_template(cyrus, cyrus_t) +') + +optional_policy(` + ldap_stream_connect(cyrus_t) +') + +optional_policy(` + sasl_connect(cyrus_t) +') + +optional_policy(` + seutil_sigchld_newrole(cyrus_t) +') + 
+optional_policy(` + files_dontaudit_write_usr_dirs(cyrus_t) + snmp_read_snmp_var_lib_files(cyrus_t) + snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) + snmp_stream_connect(cyrus_t) +') + +optional_policy(` + udev_read_db(cyrus_t) +') diff --git a/policy/modules/services/dante.fc b/policy/modules/services/dante.fc new file mode 100644 index 0000000..139171d --- /dev/null +++ b/policy/modules/services/dante.fc @@ -0,0 +1,6 @@ + +/etc/socks(/.*)? gen_context(system_u:object_r:dante_conf_t,s0) + +/usr/sbin/sockd -- gen_context(system_u:object_r:dante_exec_t,s0) + +/var/run/sockd\.pid -- gen_context(system_u:object_r:dante_var_run_t,s0) diff --git a/policy/modules/services/dante.if b/policy/modules/services/dante.if new file mode 100644 index 0000000..704661c --- /dev/null +++ b/policy/modules/services/dante.if @@ -0,0 +1 @@ +## <summary>Dante msproxy and socks4/5 proxy server</summary> diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te new file mode 100644 index 0000000..a8b93c0 --- /dev/null +++ b/policy/modules/services/dante.te 
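Review bot: in cyrus.te, `allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` excludes setrlimit and the very next line adds it back with `allow cyrus_t self:process setrlimit;`; drop setrlimit from the exclusion set, or better replace the complement with the explicit permissions the daemon needs so the intent is readable. Also files_pid_filetrans(cyrus_t, cyrus_var_run_t, file) appears at the end of the var_lib block and is then superseded by files_pid_filetrans(cyrus_t, cyrus_var_run_t, { file sock_file }) a few lines later, so the first is redundant. And files_dontaudit_write_usr_dirs(cyrus_t) sits inside the snmp optional_policy block although it has nothing to do with snmp; move it to the unconditional section if it is needed at all.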
@@ -0,0 +1,79 @@ +policy_module(dante, 1.7.0) + +######################################## +# +# Declarations +# + +type dante_t; +type dante_exec_t; +init_daemon_domain(dante_t, dante_exec_t) + +type dante_conf_t; +files_type(dante_conf_t) + +type dante_var_run_t; +files_pid_file(dante_var_run_t) + +######################################## +# +# Local policy +# + +allow dante_t self:capability { setuid setgid }; +dontaudit dante_t self:capability sys_tty_config; +allow dante_t self:process signal_perms; +allow dante_t self:fifo_file rw_fifo_file_perms; +allow dante_t self:tcp_socket create_stream_socket_perms; +allow dante_t self:udp_socket create_socket_perms; + +allow dante_t dante_conf_t:dir list_dir_perms; +allow dante_t dante_conf_t:file read_file_perms; + +manage_files_pattern(dante_t, dante_var_run_t, dante_var_run_t) +files_pid_filetrans(dante_t, dante_var_run_t, file) + +kernel_read_kernel_sysctls(dante_t) +kernel_list_proc(dante_t) +kernel_read_proc_symlinks(dante_t) + +corenet_all_recvfrom_unlabeled(dante_t) +corenet_all_recvfrom_netlabel(dante_t) +corenet_tcp_sendrecv_generic_if(dante_t) +corenet_udp_sendrecv_generic_if(dante_t) +corenet_tcp_sendrecv_generic_node(dante_t) +corenet_udp_sendrecv_generic_node(dante_t) +corenet_tcp_sendrecv_all_ports(dante_t) +corenet_udp_sendrecv_all_ports(dante_t) +corenet_tcp_bind_generic_node(dante_t) +#TODO: no portcons for this type +#allow dante_t socks_port_t:tcp_socket name_bind; + +dev_read_sysfs(dante_t) + +domain_use_interactive_fds(dante_t) + +files_read_etc_files(dante_t) +files_read_etc_runtime_files(dante_t) + +fs_getattr_all_fs(dante_t) +fs_search_auto_mountpoints(dante_t) + +init_write_utmp(dante_t) + +logging_send_syslog_msg(dante_t) + +miscfiles_read_localization(dante_t) + +sysnet_read_config(dante_t) + +userdom_dontaudit_use_unpriv_user_fds(dante_t) +userdom_dontaudit_search_user_home_dirs(dante_t) + +optional_policy(` + seutil_sigchld_newrole(dante_t) +') + +optional_policy(` + udev_read_db(dante_t) 
+') diff --git a/policy/modules/services/dbskk.fc b/policy/modules/services/dbskk.fc new file mode 100644 index 0000000..7af2590 --- /dev/null +++ b/policy/modules/services/dbskk.fc @@ -0,0 +1,2 @@ + +/usr/sbin/dbskkd-cdb -- gen_context(system_u:object_r:dbskkd_exec_t,s0) diff --git a/policy/modules/services/dbskk.if b/policy/modules/services/dbskk.if new file mode 100644 index 0000000..9e71004 --- /dev/null +++ b/policy/modules/services/dbskk.if @@ -0,0 +1 @@ +## <summary>Dictionary server for the SKK Japanese input method system.</summary> diff --git a/policy/modules/services/dbskk.te b/policy/modules/services/dbskk.te new file mode 100644 index 0000000..1445f97 --- /dev/null +++ b/policy/modules/services/dbskk.te 
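Review bot: dante.te grants corenet_tcp_bind_generic_node(dante_t) but, as the `#TODO: no portcons for this type` comment admits, no name_bind on any port, so in enforcing mode the daemon will be denied when it tries to listen on the socks port; add a socks_port_t port type and a corenet_tcp_bind_socks_port interface in corenetwork and call it here instead of shipping the commented-out raw allow.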
@@ -0,0 +1,69 @@ +policy_module(dbskk, 1.5.0) + +######################################## +# +# Declarations +# + +type dbskkd_t; +type dbskkd_exec_t; +inetd_service_domain(dbskkd_t, dbskkd_exec_t) +role system_r types dbskkd_t; + +type dbskkd_tmp_t; +files_tmp_file(dbskkd_tmp_t) + +type dbskkd_var_run_t; +files_pid_file(dbskkd_var_run_t) + +######################################## +# +# Local policy +# + +allow dbskkd_t self:process signal_perms; +allow dbskkd_t self:fifo_file rw_fifo_file_perms; +allow dbskkd_t self:tcp_socket connected_stream_socket_perms; +allow dbskkd_t self:udp_socket create_socket_perms; + +# for identd +# cjp: this should probably only be inetd_child rules? +allow dbskkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +allow dbskkd_t self:capability { setuid setgid }; +files_search_home(dbskkd_t) +optional_policy(` + kerberos_use(dbskkd_t) +') +#end for identd + +manage_dirs_pattern(dbskkd_t, dbskkd_tmp_t, dbskkd_tmp_t) +manage_files_pattern(dbskkd_t, dbskkd_tmp_t, dbskkd_tmp_t) +files_tmp_filetrans(dbskkd_t, dbskkd_tmp_t, { file dir }) + +manage_files_pattern(dbskkd_t, dbskkd_var_run_t, dbskkd_var_run_t) +files_pid_filetrans(dbskkd_t, dbskkd_var_run_t, file) + +kernel_read_kernel_sysctls(dbskkd_t) +kernel_read_system_state(dbskkd_t) +kernel_read_network_state(dbskkd_t) + +corenet_all_recvfrom_unlabeled(dbskkd_t) +corenet_all_recvfrom_netlabel(dbskkd_t) +corenet_tcp_sendrecv_generic_if(dbskkd_t) +corenet_udp_sendrecv_generic_if(dbskkd_t) +corenet_tcp_sendrecv_generic_node(dbskkd_t) +corenet_udp_sendrecv_generic_node(dbskkd_t) +corenet_tcp_sendrecv_all_ports(dbskkd_t) +corenet_udp_sendrecv_all_ports(dbskkd_t) + +dev_read_urand(dbskkd_t) + +fs_getattr_xattr_fs(dbskkd_t) + +files_read_etc_files(dbskkd_t) + +auth_use_nsswitch(dbskkd_t) + +logging_send_syslog_msg(dbskkd_t) + +miscfiles_read_localization(dbskkd_t) diff --git a/policy/modules/services/dbus.fc b/policy/modules/services/dbus.fc new file mode 100644 index 0000000..81eba14 
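Review bot: the `# for identd` block in dbskk.te grants setuid/setgid capabilities, a netlink_tcpdiag_socket, files_search_home and kerberos_use to the dictionary server domain itself, and the cjp comment already concedes these belong in inetd_child rules; a dictionary server has no obvious need to change uid, so either move these into the inetd child handling or document in the comment why dbskkd_t needs them.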
--- /dev/null +++ b/policy/modules/services/dbus.fc @@ -0,0 +1,17 @@ +/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0) + +/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) + +/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) + +/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) + +/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) + +/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) + +ifdef(`distro_redhat',` +/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if new file mode 100644 index 0000000..74fa3d6 --- /dev/null +++ b/policy/modules/services/dbus.if 
@@ -0,0 +1,524 @@ +## <summary>Desktop messaging bus</summary> + +######################################## +## <summary> +## DBUS stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`dbus_stub',` + gen_require(` + type system_dbusd_t; + class dbus all_dbus_perms; + ') +') + +######################################## +## <summary> +## Role access for dbus +## </summary> +## <param name="role_prefix"> +## <summary> +## The prefix of the user role (e.g., user +## is the prefix for user_r). +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +template(`dbus_role_template',` + gen_require(` + class dbus { send_msg acquire_svc }; + attribute dbusd_unconfined, session_bus_type; + type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; + type $1_t; + ') + + ############################## + # + # Delcarations + # + + type $1_dbusd_t, session_bus_type; + domain_type($1_dbusd_t) + domain_entry_file($1_dbusd_t, dbusd_exec_t) + ubac_constrained($1_dbusd_t) + role $2 types $1_dbusd_t; + + ############################## + # + # Local policy + # + + allow $1_dbusd_t self:process { getattr sigkill signal }; + dontaudit $1_dbusd_t self:process ptrace; + allow $1_dbusd_t self:file { getattr read write }; + allow $1_dbusd_t self:fifo_file rw_fifo_file_perms; + allow $1_dbusd_t self:dbus { send_msg acquire_svc }; + allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms; + allow $1_dbusd_t self:unix_dgram_socket create_socket_perms; + allow $1_dbusd_t self:tcp_socket create_stream_socket_perms; + allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms; + + # For connecting to the bus + allow $3 $1_dbusd_t:unix_stream_socket connectto; + + # SE-DBus specific permissions + 
allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc }; + allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; + + allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; + read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t) + read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t) + + manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t) + manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t) + files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir }) + + domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) + + ps_process_pattern($3, $1_dbusd_t) + allow $3 $1_dbusd_t:process { ptrace signal_perms }; + + # cjp: this seems very broken + corecmd_bin_domtrans($1_dbusd_t, $1_t) + allow $1_dbusd_t $3:process sigkill; + allow $3 $1_dbusd_t:fd use; + allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; + + kernel_read_system_state($1_dbusd_t) + kernel_read_kernel_sysctls($1_dbusd_t) + + corecmd_list_bin($1_dbusd_t) + corecmd_read_bin_symlinks($1_dbusd_t) + corecmd_read_bin_files($1_dbusd_t) + corecmd_read_bin_pipes($1_dbusd_t) + corecmd_read_bin_sockets($1_dbusd_t) + + corenet_all_recvfrom_unlabeled($1_dbusd_t) + corenet_all_recvfrom_netlabel($1_dbusd_t) + corenet_tcp_sendrecv_generic_if($1_dbusd_t) + corenet_tcp_sendrecv_generic_node($1_dbusd_t) + corenet_tcp_sendrecv_all_ports($1_dbusd_t) + corenet_tcp_bind_generic_node($1_dbusd_t) + corenet_tcp_bind_reserved_port($1_dbusd_t) + + dev_read_urand($1_dbusd_t) + + domain_use_interactive_fds($1_dbusd_t) + domain_read_all_domains_state($1_dbusd_t) + + files_read_etc_files($1_dbusd_t) + files_list_home($1_dbusd_t) + files_read_usr_files($1_dbusd_t) + files_dontaudit_search_var($1_dbusd_t) + + fs_getattr_romfs($1_dbusd_t) + fs_getattr_xattr_fs($1_dbusd_t) + fs_list_inotifyfs($1_dbusd_t) + fs_dontaudit_list_nfs($1_dbusd_t) + + selinux_get_fs_mount($1_dbusd_t) + selinux_validate_context($1_dbusd_t) + selinux_compute_access_vector($1_dbusd_t) + 
selinux_compute_create_context($1_dbusd_t) + selinux_compute_relabel_context($1_dbusd_t) + selinux_compute_user_contexts($1_dbusd_t) + + auth_read_pam_console_data($1_dbusd_t) + auth_use_nsswitch($1_dbusd_t) + + logging_send_audit_msgs($1_dbusd_t) + logging_send_syslog_msg($1_dbusd_t) + + miscfiles_read_localization($1_dbusd_t) + + seutil_read_config($1_dbusd_t) + seutil_read_default_contexts($1_dbusd_t) + + term_use_all_terms($1_dbusd_t) + + userdom_dontaudit_search_admin_dir($1_dbusd_t) + userdom_manage_user_home_content_dirs($1_dbusd_t) + userdom_manage_user_home_content_files($1_dbusd_t) + userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file }) + + ifdef(`hide_broken_symptoms',` + dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; + ') + + optional_policy(` + gnome_read_gconf_home_files($1_dbusd_t) + ') + + optional_policy(` + hal_dbus_chat($1_dbusd_t) + ') + + optional_policy(` + xserver_search_xdm_lib($1_dbusd_t) + xserver_use_xdm_fds($1_dbusd_t) + xserver_rw_xdm_pipes($1_dbusd_t) + ') +') + +####################################### +## <summary> +## Template for creating connections to +## the system DBUS. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dbus_system_bus_client',` + gen_require(` + type system_dbusd_t, system_dbusd_t; + type system_dbusd_var_run_t, system_dbusd_var_lib_t; + class dbus send_msg; + attribute dbusd_unconfined; + ') + + # SE-DBus specific permissions + allow $1 { system_dbusd_t self }:dbus send_msg; + allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg; + + read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + files_search_var_lib($1) + + # For connecting to the bus + files_search_pids($1) + stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) + dbus_read_config($1) +') + +####################################### +## <summary> +## Template for creating connections to +## a user DBUS. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dbus_session_bus_client',` + gen_require(` + attribute session_bus_type; + class dbus send_msg; + ') + + # SE-DBus specific permissions + allow $1 { session_bus_type self }:dbus send_msg; + + # For connecting to the bus + allow $1 session_bus_type:unix_stream_socket connectto; +') + +######################################## +## <summary> +## Send a message the session DBUS. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dbus_send_session_bus',` + gen_require(` + attribute session_bus_type; + class dbus send_msg; + ') + + allow $1 session_bus_type:dbus send_msg; +') + +######################################## +## <summary> +## Read dbus configuration. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dbus_read_config',` + gen_require(` + type dbusd_etc_t; + ') + + allow $1 dbusd_etc_t:dir list_dir_perms; + allow $1 dbusd_etc_t:file read_file_perms; +') + +######################################## +## <summary> +## Read system dbus lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dbus_read_lib_files',` + gen_require(` + type system_dbusd_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## system dbus lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dbus_manage_lib_files',` + gen_require(` + type system_dbusd_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) +') + +######################################## +## <summary> +## Connect to the system DBUS +## for service (acquire_svc). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dbus_connect_session_bus',` + gen_require(` + attribute session_bus_type; + class dbus acquire_svc; + ') + + allow $1 session_bus_type:dbus acquire_svc; +') + +######################################## +## <summary> +## Allow a application domain to be started +## by the session dbus. +## </summary> +## <param name="domain"> +## <summary> +## Type to be used as a domain. +## </summary> +## </param> +## <param name="entry_point"> +## <summary> +## Type of the program to be used as an +## entry point to this domain. 
+## </summary> +## </param> +# +interface(`dbus_session_domain',` + gen_require(` + attribute session_bus_type; + ') + + domtrans_pattern(session_bus_type, $2, $1) + + dbus_session_bus_client($1) + dbus_connect_session_bus($1) +') + +######################################## +## <summary> +## Connect to the system DBUS +## for service (acquire_svc). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dbus_connect_system_bus',` + gen_require(` + type system_dbusd_t; + class dbus acquire_svc; + ') + + allow $1 system_dbusd_t:dbus acquire_svc; +') + +######################################## +## <summary> +## Send a message on the system DBUS. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dbus_send_system_bus',` + gen_require(` + type system_dbusd_t; + class dbus send_msg; + ') + + allow $1 system_dbusd_t:dbus send_msg; +') + +######################################## +## <summary> +## Allow unconfined access to the system DBUS. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dbus_system_bus_unconfined',` + gen_require(` + type system_dbusd_t; + class dbus all_dbus_perms; + ') + + allow $1 system_dbusd_t:dbus *; +') + +######################################## +## <summary> +## Create a domain for processes +## which can be started by the system dbus +## </summary> +## <param name="domain"> +## <summary> +## Type to be used as a domain. +## </summary> +## </param> +## <param name="entry_point"> +## <summary> +## Type of the program to be used as an entry point to this domain. 
+## </summary> +## </param> +# +interface(`dbus_system_domain',` + gen_require(` + type system_dbusd_t; + role system_r; + ') + + domain_type($1) + domain_entry_file($1, $2) + + role system_r types $1; + + domtrans_pattern(system_dbusd_t, $2, $1) + + fs_search_all($1) + + dbus_system_bus_client($1) + dbus_connect_system_bus($1) + + init_stream_connect($1) + + ps_process_pattern(system_dbusd_t, $1) + + userdom_dontaudit_search_admin_dir($1) + userdom_read_all_users_state($1) + + optional_policy(` + rpm_script_dbus_chat($1) + ') + + optional_policy(` + unconfined_dbus_send($1) + ') + + ifdef(`hide_broken_symptoms',` + dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; + ') +') + +######################################## +## <summary> +## Dontaudit Read, and write system dbus TCP sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` + gen_require(` + type system_dbusd_t; + ') + + allow $1 system_dbusd_t:tcp_socket { read write }; + allow $1 system_dbusd_t:fd use; +') + +######################################## +## <summary> +## Allow unconfined access to the system DBUS. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dbus_unconfined',` + gen_require(` + attribute dbusd_unconfined; + ') + + typeattribute $1 dbusd_unconfined; +') + +######################################## +## <summary> +## Delete all dbus pid files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dbus_delete_pid_files',` + gen_require(` + type system_dbusd_var_run_t; + ') + + files_search_pids($1) + delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) +') diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te new file mode 100644 index 0000000..d9416fc --- /dev/null 
+++ b/policy/modules/services/dbus.te 
@@ -0,0 +1,180 @@ +policy_module(dbus, 1.13.0) + +gen_require(` + class dbus all_dbus_perms; +') + +############################## +# +# Delcarations +# + +attribute dbusd_unconfined; +attribute session_bus_type; + +type dbusd_etc_t; +files_config_file(dbusd_etc_t) + +type dbusd_exec_t; +corecmd_executable_file(dbusd_exec_t) +typealias dbusd_exec_t alias system_dbusd_exec_t; + +type session_dbusd_tmp_t; +typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; +typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t }; +files_tmp_file(session_dbusd_tmp_t) +ubac_constrained(session_dbusd_tmp_t) + +type system_dbusd_t; +init_system_domain(system_dbusd_t, dbusd_exec_t) + +type system_dbusd_tmp_t; +files_tmp_file(system_dbusd_tmp_t) + +type system_dbusd_var_lib_t; +files_type(system_dbusd_var_lib_t) + +type system_dbusd_var_run_t; +files_pid_file(system_dbusd_var_run_t) + +ifdef(`enable_mcs',` + init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) +') + +ifdef(`enable_mls',` + init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh) +') + +############################## +# +# System bus local policy +# + +# dac_override: /var/run/dbus is owned by messagebus on Debian +# cjp: dac_override should probably go in a distro_debian +allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; +dontaudit system_dbusd_t self:capability sys_tty_config; +allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; +allow system_dbusd_t self:fifo_file rw_fifo_file_perms; +allow system_dbusd_t self:dbus { send_msg acquire_svc }; +allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; +allow system_dbusd_t self:unix_dgram_socket create_socket_perms; +# Receive notifications of policy reloads and enforcing status changes. 
+allow system_dbusd_t self:netlink_selinux_socket { create bind read }; + +can_exec(system_dbusd_t, dbusd_exec_t) + +allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; +read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) +read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) + +manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) +manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) +files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) + +read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + +manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) +manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) +manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) +files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir }) + +kernel_read_system_state(system_dbusd_t) +kernel_read_kernel_sysctls(system_dbusd_t) + +dev_read_urand(system_dbusd_t) +dev_read_sysfs(system_dbusd_t) + +fs_getattr_all_fs(system_dbusd_t) +fs_list_inotifyfs(system_dbusd_t) +fs_search_auto_mountpoints(system_dbusd_t) +fs_dontaudit_list_nfs(system_dbusd_t) + +mls_fd_use_all_levels(system_dbusd_t) +mls_rangetrans_target(system_dbusd_t) +mls_file_read_all_levels(system_dbusd_t) +mls_socket_write_all_levels(system_dbusd_t) +mls_socket_read_to_clearance(system_dbusd_t) +mls_dbus_recv_all_levels(system_dbusd_t) + +selinux_get_fs_mount(system_dbusd_t) +selinux_validate_context(system_dbusd_t) +selinux_compute_access_vector(system_dbusd_t) +selinux_compute_create_context(system_dbusd_t) +selinux_compute_relabel_context(system_dbusd_t) +selinux_compute_user_contexts(system_dbusd_t) + +term_dontaudit_use_console(system_dbusd_t) + +auth_use_nsswitch(system_dbusd_t) +auth_read_pam_console_data(system_dbusd_t) + +corecmd_list_bin(system_dbusd_t) +corecmd_read_bin_pipes(system_dbusd_t) 
+corecmd_read_bin_sockets(system_dbusd_t) + +domain_use_interactive_fds(system_dbusd_t) +domain_read_all_domains_state(system_dbusd_t) + +files_read_etc_files(system_dbusd_t) +files_list_home(system_dbusd_t) +files_read_usr_files(system_dbusd_t) + +init_use_fds(system_dbusd_t) +init_use_script_ptys(system_dbusd_t) +init_bin_domtrans_spec(system_dbusd_t) +init_domtrans_script(system_dbusd_t) +init_rw_stream_sockets(system_dbusd_t) + +logging_send_audit_msgs(system_dbusd_t) +logging_send_syslog_msg(system_dbusd_t) + +miscfiles_read_localization(system_dbusd_t) +miscfiles_read_generic_certs(system_dbusd_t) + +seutil_read_config(system_dbusd_t) +seutil_read_default_contexts(system_dbusd_t) +seutil_sigchld_newrole(system_dbusd_t) + +userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) +userdom_dontaudit_search_user_home_dirs(system_dbusd_t) + +optional_policy(` + bind_domtrans(system_dbusd_t) +') + +optional_policy(` + gnome_exec_gconf(system_dbusd_t) +') + +optional_policy(` + networkmanager_initrc_domtrans(system_dbusd_t) +') + +optional_policy(` + policykit_dbus_chat(system_dbusd_t) + policykit_domtrans_auth(system_dbusd_t) + policykit_search_lib(system_dbusd_t) +') + +optional_policy(` + sysnet_domtrans_dhcpc(system_dbusd_t) +') + +optional_policy(` + udev_read_db(system_dbusd_t) +') + +######################################## +# +# Unconfined access to this module +# +allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; +allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; +allow session_bus_type dbusd_unconfined:dbus send_msg; + +optional_policy(` + xserver_use_xdm_fds(session_bus_type) + xserver_rw_xdm_pipes(session_bus_type) + xserver_append_xdm_home_files(session_bus_type) +') diff --git a/policy/modules/services/dcc.fc b/policy/modules/services/dcc.fc new file mode 100644 index 0000000..ecda170 --- /dev/null +++ b/policy/modules/services/dcc.fc 
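Review bot: the declarations banner in dbus.te is misspelled (`# Delcarations`); it should read `# Declarations` like the other modules in this patch. In the system bus local policy, `allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };` lists connectto twice; drop the duplicate. The capability rule `allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };` grants dac_override on every distribution even though the comment above it (`# cjp: dac_override should probably go in a distro_debian`) says the need is Debian-specific; splitting dac_override into an ifdef(`distro_debian', ...) block as the comment suggests would avoid handing the capability to the system bus everywhere else.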
@@ -0,0 +1,21 @@ +/etc/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) +/etc/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0) +/etc/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) + +/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0) +/usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0) + +/usr/libexec/dcc/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0) +/usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0) +/usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) +/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0) + +/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) +/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) + +/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0) +/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) + +/var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0) +/var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) +/var/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0) diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if new file mode 100644 index 0000000..bf65e7d --- /dev/null +++ b/policy/modules/services/dcc.if 
@@ -0,0 +1,173 @@ +## <summary>Distributed checksum clearinghouse spam filtering</summary> + +######################################## +## <summary> +## Execute cdcc in the cdcc domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`dcc_domtrans_cdcc',` + gen_require(` + type cdcc_t, cdcc_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, cdcc_exec_t, cdcc_t) +') + +######################################## +## <summary> +## Execute cdcc in the cdcc domain, and +## allow the specified role the cdcc domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`dcc_run_cdcc',` + gen_require(` + type cdcc_t; + ') + + dcc_domtrans_cdcc($1) + role $2 types cdcc_t; +') + +######################################## +## <summary> +## Execute dcc_client in the dcc_client domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`dcc_domtrans_client',` + gen_require(` + type dcc_client_t, dcc_client_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, dcc_client_exec_t, dcc_client_t) +') + +######################################## +## <summary> +## Send a signal to the dcc_client. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dcc_signal_client',` + gen_require(` + type dcc_client_t; + ') + + allow $1 dcc_client_t:process signal; +') + +######################################## +## <summary> +## Execute dcc_client in the dcc_client domain, and +## allow the specified role the dcc_client domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`dcc_run_client',` + gen_require(` + type dcc_client_t; + ') + + dcc_domtrans_client($1) + role $2 types dcc_client_t; +') + +######################################## +## <summary> +## Execute dbclean in the dcc_dbclean domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`dcc_domtrans_dbclean',` + gen_require(` + type dcc_dbclean_t, dcc_dbclean_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, dcc_dbclean_exec_t, dcc_dbclean_t) +') + +######################################## +## <summary> +## Execute dbclean in the dcc_dbclean domain, and +## allow the specified role the dcc_dbclean domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`dcc_run_dbclean',` + gen_require(` + type dcc_dbclean_t; + ') + + dcc_domtrans_dbclean($1) + role $2 types dcc_dbclean_t; +') + +######################################## +## <summary> +## Connect to dccifd over a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dcc_stream_connect_dccifd',` + gen_require(` + type dcc_var_t, dccifd_var_run_t, dccifd_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t) +') diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te new file mode 100644 index 0000000..8bab059 --- /dev/null +++ b/policy/modules/services/dcc.te 
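Review bot: dcc_stream_connect_dccifd does not grant enough directory access for the socket locations dcc.fc defines in this same patch. The body is `files_search_pids($1)` followed by `stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)`, so the only DCC directory type the caller may search is dcc_var_t; however dcc.fc labels `/var/run/dcc(/.*)?` as dcc_var_run_t and puts a dccifd socket at `/var/run/dcc/dccifd`, and the other socket location `/etc/dcc/dccifd` sits under etc_t. A caller using the /var/run path will be denied search on dcc_var_run_t, and one using the /etc path needs files_search_etc($1). Add dcc_var_run_t to gen_require and pass `{ dcc_var_t dcc_var_run_t }` as the directory argument to stream_connect_pattern, and add files_search_etc($1), or document which location callers are expected to use.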
@@ -0,0 +1,404 @@ +policy_module(dcc, 1.9.1) + +######################################## +# +# Declarations +# + +type cdcc_t; +type cdcc_exec_t; +application_domain(cdcc_t, cdcc_exec_t) +role system_r types cdcc_t; + +type cdcc_tmp_t; +files_tmp_file(cdcc_tmp_t) + +type dcc_client_t; +type dcc_client_exec_t; +application_domain(dcc_client_t, dcc_client_exec_t) +role system_r types dcc_client_t; + +type dcc_client_map_t; +files_type(dcc_client_map_t) + +type dcc_client_tmp_t; +files_tmp_file(dcc_client_tmp_t) + +type dcc_dbclean_t; +type dcc_dbclean_exec_t; +application_domain(dcc_dbclean_t, dcc_dbclean_exec_t) +role system_r types dcc_dbclean_t; + +type dcc_dbclean_tmp_t; +files_tmp_file(dcc_dbclean_tmp_t) + +type dcc_var_t; +files_type(dcc_var_t) + +type dcc_var_run_t; +files_type(dcc_var_run_t) + +type dccd_t; +type dccd_exec_t; +init_daemon_domain(dccd_t, dccd_exec_t) + +type dccd_tmp_t; +files_tmp_file(dccd_tmp_t) + +type dccd_var_run_t; +files_pid_file(dccd_var_run_t) + +type dccifd_t; +type dccifd_exec_t; +init_daemon_domain(dccifd_t, dccifd_exec_t) + +type dccifd_tmp_t; +files_tmp_file(dccifd_tmp_t) + +type dccifd_var_run_t; +files_pid_file(dccifd_var_run_t) + +type dccm_t; +type dccm_exec_t; +init_daemon_domain(dccm_t, dccm_exec_t) + +type dccm_tmp_t; +files_tmp_file(dccm_tmp_t) + +type dccm_var_run_t; +files_pid_file(dccm_var_run_t) + +# NOTE: DCC has writeable files in /etc/dcc that should probably be in +# /var/lib/dcc. For now this policy supports both directories being +# writable. + +# cjp: dccifd and dccm should be merged, as +# they have the same rules. 
+ +######################################## +# +# dcc daemon controller local policy +# + +allow cdcc_t self:capability { setuid setgid }; +allow cdcc_t self:unix_dgram_socket create_socket_perms; +allow cdcc_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t) +manage_files_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t) +files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir }) + +allow cdcc_t dcc_client_map_t:file rw_file_perms; + +# Access files in /var/dcc. The map file can be updated +allow cdcc_t dcc_var_t:dir list_dir_perms; +read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) +read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) + +corenet_all_recvfrom_unlabeled(cdcc_t) +corenet_all_recvfrom_netlabel(cdcc_t) +corenet_udp_sendrecv_generic_if(cdcc_t) +corenet_udp_sendrecv_generic_node(cdcc_t) +corenet_udp_sendrecv_all_ports(cdcc_t) + +files_read_etc_files(cdcc_t) +files_read_etc_runtime_files(cdcc_t) + +auth_use_nsswitch(cdcc_t) + +logging_send_syslog_msg(cdcc_t) + +miscfiles_read_localization(cdcc_t) + +userdom_use_user_terminals(cdcc_t) + +######################################## +# +# dcc procmail interface local policy +# + +allow dcc_client_t self:capability { setuid setgid }; +allow dcc_client_t self:unix_dgram_socket create_socket_perms; +allow dcc_client_t self:udp_socket create_socket_perms; + +allow dcc_client_t dcc_client_map_t:file rw_file_perms; + +manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t) +manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t) +files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir }) + +# Access files in /var/dcc. 
The map file can be updated +allow dcc_client_t dcc_var_t:dir list_dir_perms; +manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) +read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) + +kernel_read_system_state(dcc_client_t) + +corenet_all_recvfrom_unlabeled(dcc_client_t) +corenet_all_recvfrom_netlabel(dcc_client_t) +corenet_udp_sendrecv_generic_if(dcc_client_t) +corenet_udp_sendrecv_generic_node(dcc_client_t) +corenet_udp_sendrecv_all_ports(dcc_client_t) +corenet_udp_bind_generic_node(dcc_client_t) + +files_read_etc_files(dcc_client_t) +files_read_etc_runtime_files(dcc_client_t) + +fs_getattr_all_fs(dcc_client_t) + +auth_use_nsswitch(dcc_client_t) + +logging_send_syslog_msg(dcc_client_t) + +miscfiles_read_localization(dcc_client_t) + +userdom_use_user_terminals(dcc_client_t) + +optional_policy(` + amavis_read_spool_files(dcc_client_t) +') + +optional_policy(` + spamassassin_read_spamd_tmp_files(dcc_client_t) +') + +######################################## +# +# Database cleanup tool local policy +# + +allow dcc_dbclean_t self:unix_dgram_socket create_socket_perms; +allow dcc_dbclean_t self:udp_socket create_socket_perms; + +allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms; + +manage_dirs_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t) +manage_files_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t) +files_tmp_filetrans(dcc_dbclean_t, dcc_dbclean_tmp_t, { file dir }) + +manage_dirs_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) +manage_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) +manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) + +kernel_read_system_state(dcc_dbclean_t) + +corenet_all_recvfrom_unlabeled(dcc_dbclean_t) +corenet_all_recvfrom_netlabel(dcc_dbclean_t) +corenet_udp_sendrecv_generic_if(dcc_dbclean_t) +corenet_udp_sendrecv_generic_node(dcc_dbclean_t) +corenet_udp_sendrecv_all_ports(dcc_dbclean_t) + +files_read_etc_files(dcc_dbclean_t) +files_read_etc_runtime_files(dcc_dbclean_t) + 
+auth_use_nsswitch(dcc_dbclean_t) + +logging_send_syslog_msg(dcc_dbclean_t) + +miscfiles_read_localization(dcc_dbclean_t) + +userdom_use_user_terminals(dcc_dbclean_t) + +######################################## +# +# Server daemon local policy +# + +allow dccd_t self:capability net_admin; +dontaudit dccd_t self:capability sys_tty_config; +allow dccd_t self:process signal_perms; +allow dccd_t self:unix_stream_socket create_socket_perms; +allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; +allow dccd_t self:udp_socket create_socket_perms; + +allow dccd_t dcc_client_map_t:file rw_file_perms; + +# Access files in /var/dcc. The map file can be updated +allow dccd_t dcc_var_t:dir list_dir_perms; +read_files_pattern(dccd_t, dcc_var_t, dcc_var_t) +read_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t) + +# Runs the dbclean program +domtrans_pattern(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t) +corecmd_search_bin(dccd_t) + +# Updating dcc_db, flod, ... +manage_dirs_pattern(dccd_t, dcc_var_t, dcc_var_t) +manage_files_pattern(dccd_t, dcc_var_t, dcc_var_t) +manage_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t) + +manage_dirs_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t) +manage_files_pattern(dccd_t, dccd_tmp_t, dccd_tmp_t) +files_tmp_filetrans(dccd_t, dccd_tmp_t, { file dir }) + +manage_dirs_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t) +manage_files_pattern(dccd_t, dccd_var_run_t, dccd_var_run_t) +files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file }) + +kernel_read_system_state(dccd_t) +kernel_read_kernel_sysctls(dccd_t) + +corenet_all_recvfrom_unlabeled(dccd_t) +corenet_all_recvfrom_netlabel(dccd_t) +corenet_udp_sendrecv_generic_if(dccd_t) +corenet_udp_sendrecv_generic_node(dccd_t) +corenet_udp_sendrecv_all_ports(dccd_t) +corenet_udp_bind_generic_node(dccd_t) +corenet_udp_bind_dcc_port(dccd_t) +corenet_sendrecv_dcc_server_packets(dccd_t) + +dev_read_sysfs(dccd_t) + +domain_use_interactive_fds(dccd_t) + +files_read_etc_files(dccd_t) 
+files_read_etc_runtime_files(dccd_t) + +fs_getattr_all_fs(dccd_t) +fs_search_auto_mountpoints(dccd_t) + +auth_use_nsswitch(dccd_t) + +logging_send_syslog_msg(dccd_t) + +miscfiles_read_localization(dccd_t) + +userdom_dontaudit_use_unpriv_user_fds(dccd_t) +userdom_dontaudit_search_user_home_dirs(dccd_t) + +optional_policy(` + seutil_sigchld_newrole(dccd_t) +') + +optional_policy(` + udev_read_db(dccd_t) +') + +######################################## +# +# Spamassassin and general MTA persistent client local policy +# + +dontaudit dccifd_t self:capability sys_tty_config; +allow dccifd_t self:process signal_perms; +allow dccifd_t self:unix_stream_socket create_stream_socket_perms; +allow dccifd_t self:unix_dgram_socket create_socket_perms; +allow dccifd_t self:udp_socket create_socket_perms; + +allow dccifd_t dcc_client_map_t:file rw_file_perms; + +# Updating dcc_db, flod, ... +manage_dirs_pattern(dccifd_t, dcc_var_t, dcc_var_t) +manage_files_pattern(dccifd_t, dcc_var_t, dcc_var_t) +manage_lnk_files_pattern(dccifd_t, dcc_var_t, dcc_var_t) +manage_fifo_files_pattern(dccifd_t, dcc_var_t, dcc_var_t) +manage_sock_files_pattern(dccifd_t, dcc_var_t, dcc_var_t) + +manage_dirs_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t) +manage_files_pattern(dccifd_t, dccifd_tmp_t, dccifd_tmp_t) +files_tmp_filetrans(dccifd_t, dccifd_tmp_t, { file dir }) + +manage_files_pattern(dccifd_t, dccifd_var_run_t, dccifd_var_run_t) +manage_sock_files_pattern(dccifd_t, dccifd_var_run_t, dccifd_var_run_t) +filetrans_pattern(dccifd_t, dcc_var_t, dccifd_var_run_t, { file sock_file }) +files_pid_filetrans(dccifd_t, dccifd_var_run_t, file) + +kernel_read_system_state(dccifd_t) +kernel_read_kernel_sysctls(dccifd_t) + +corenet_all_recvfrom_unlabeled(dccifd_t) +corenet_all_recvfrom_netlabel(dccifd_t) +corenet_udp_sendrecv_generic_if(dccifd_t) +corenet_udp_sendrecv_generic_node(dccifd_t) +corenet_udp_sendrecv_all_ports(dccifd_t) + +dev_read_sysfs(dccifd_t) + +domain_use_interactive_fds(dccifd_t) + 
+files_read_etc_files(dccifd_t) +files_read_etc_runtime_files(dccifd_t) + +fs_getattr_all_fs(dccifd_t) +fs_search_auto_mountpoints(dccifd_t) + +auth_use_nsswitch(dccifd_t) + +logging_send_syslog_msg(dccifd_t) + +miscfiles_read_localization(dccifd_t) + +userdom_dontaudit_use_unpriv_user_fds(dccifd_t) +userdom_dontaudit_search_user_home_dirs(dccifd_t) + +optional_policy(` + seutil_sigchld_newrole(dccifd_t) +') + +optional_policy(` + udev_read_db(dccifd_t) +') + +######################################## +# +# sendmail milter client local policy +# + +dontaudit dccm_t self:capability sys_tty_config; +allow dccm_t self:process signal_perms; +allow dccm_t self:unix_stream_socket create_stream_socket_perms; +allow dccm_t self:unix_dgram_socket create_socket_perms; +allow dccm_t self:udp_socket create_socket_perms; + +allow dccm_t dcc_client_map_t:file rw_file_perms; + +manage_dirs_pattern(dccm_t, dcc_var_t, dcc_var_t) +manage_files_pattern(dccm_t, dcc_var_t, dcc_var_t) +manage_lnk_files_pattern(dccm_t, dcc_var_t, dcc_var_t) +manage_fifo_files_pattern(dccm_t, dcc_var_t, dcc_var_t) +manage_sock_files_pattern(dccm_t, dcc_var_t, dcc_var_t) + +manage_dirs_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t) +manage_files_pattern(dccm_t, dccm_tmp_t, dccm_tmp_t) +files_tmp_filetrans(dccm_t, dccm_tmp_t, { file dir }) + +manage_files_pattern(dccm_t, dccm_var_run_t, dccm_var_run_t) +manage_sock_files_pattern(dccm_t, dccm_var_run_t, dccm_var_run_t) +filetrans_pattern(dccm_t, dcc_var_run_t, dccm_var_run_t, { file sock_file }) +files_pid_filetrans(dccm_t, dccm_var_run_t, file) + +kernel_read_system_state(dccm_t) +kernel_read_kernel_sysctls(dccm_t) + +corenet_all_recvfrom_unlabeled(dccm_t) +corenet_all_recvfrom_netlabel(dccm_t) +corenet_udp_sendrecv_generic_if(dccm_t) +corenet_udp_sendrecv_generic_node(dccm_t) +corenet_udp_sendrecv_all_ports(dccm_t) + +dev_read_sysfs(dccm_t) + +domain_use_interactive_fds(dccm_t) + +files_read_etc_files(dccm_t) +files_read_etc_runtime_files(dccm_t) + 
+fs_getattr_all_fs(dccm_t) +fs_search_auto_mountpoints(dccm_t) + +auth_use_nsswitch(dccm_t) + +logging_send_syslog_msg(dccm_t) + +miscfiles_read_localization(dccm_t) + +userdom_dontaudit_use_unpriv_user_fds(dccm_t) +userdom_dontaudit_search_user_home_dirs(dccm_t) + +optional_policy(` + seutil_sigchld_newrole(dccm_t) +') + +optional_policy(` + udev_read_db(dccm_t) +') diff --git a/policy/modules/services/ddclient.fc b/policy/modules/services/ddclient.fc new file mode 100644 index 0000000..083c135 --- /dev/null +++ b/policy/modules/services/ddclient.fc @@ -0,0 +1,12 @@ +/etc/ddclient\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0) +/etc/ddtcd\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0) +/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0) + +/usr/sbin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0) +/usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0) + +/var/cache/ddclient(/.*)? gen_context(system_u:object_r:ddclient_var_t,s0) +/var/lib/ddt-client(/.*)? gen_context(system_u:object_r:ddclient_var_lib_t,s0) +/var/log/ddtcd\.log.* -- gen_context(system_u:object_r:ddclient_log_t,s0) +/var/run/ddclient\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0) +/var/run/ddtcd\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0) diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if new file mode 100644 index 0000000..da508f4 --- /dev/null +++ b/policy/modules/services/ddclient.if 
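Review bot: dcc_var_run_t is declared with files_type(dcc_var_run_t) although dcc.fc maps it to `/var/run/dcc(/.*)?`; declaring it with files_pid_file(), as is done for dccd_var_run_t, dccifd_var_run_t and dccm_var_run_t, keeps the /var/run labeling consistent with the rest of the module and with the pid-file interfaces that callers will use to reach it. The two persistent clients are also not symmetric: dccm_t gets `filetrans_pattern(dccm_t, dcc_var_run_t, dccm_var_run_t, { file sock_file })`, while dccifd_t only gets `filetrans_pattern(dccifd_t, dcc_var_t, dccifd_var_run_t, { file sock_file })` and has no rule on dcc_var_run_t at all, even though dcc.fc places the dccifd socket under both /etc/dcc (dcc_var_t) and /var/run/dcc (dcc_var_run_t); creating the socket at /var/run/dcc/dccifd will be denied. Given the `# cjp: dccifd and dccm should be merged` note, at least give both daemons the same pair of filetrans rules. Minor: the comment `# Access files in /var/dcc. The map file can be updated` above the dcc_client_t rules is followed by manage_files_pattern on dcc_var_t, which is considerably more than "access"; either narrow the rule to match the comment or update the comment.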
@@ -0,0 +1,93 @@ +## <summary>Update dynamic IP address at DynDNS.org</summary> + +####################################### +## <summary> +## Execute ddclient in the ddclient domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ddclient_domtrans',` + gen_require(` + type ddclient_t, ddclient_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, ddclient_exec_t, ddclient_t) +') + +######################################## +## <summary> +## Execute ddclient daemon on behalf of a user or staff type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`ddclient_run',` + gen_require(` + type ddclient_t; + ') + + ddclient_domtrans($1) + role $2 types ddclient_t; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an ddclient environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the ddclient domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`ddclient_admin',` + gen_require(` + type ddclient_t, ddclient_etc_t, ddclient_log_t; + type ddclient_var_t, ddclient_var_lib_t, ddclient_initrc_exec_t; + type ddclient_var_run_t; + ') + + allow $1 ddclient_t:process { ptrace signal_perms }; + ps_process_pattern($1, ddclient_t) + + init_labeled_script_domtrans($1, ddclient_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 ddclient_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, ddclient_etc_t) + + logging_list_logs($1) + admin_pattern($1, ddclient_log_t) + + files_list_var($1) + admin_pattern($1, ddclient_var_t) + + files_list_var_lib($1) + admin_pattern($1, ddclient_var_lib_t) + + files_list_pids($1) + admin_pattern($1, ddclient_var_run_t) +') diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te new file mode 100644 index 0000000..24ba98a --- /dev/null +++ b/policy/modules/services/ddclient.te 
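Review bot: in the ddclient_admin summary, "an ddclient environment" should read "a ddclient environment", and the summary lacks the terminating period the other interfaces in this patch use.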
@@ -0,0 +1,108 @@ +policy_module(ddclient, 1.9.0) + +######################################## +# +# Declarations +# + +type ddclient_t; +type ddclient_exec_t; +init_daemon_domain(ddclient_t, ddclient_exec_t) + +type ddclient_etc_t; +files_config_file(ddclient_etc_t) + +type ddclient_initrc_exec_t; +init_script_file(ddclient_initrc_exec_t) + +type ddclient_log_t; +logging_log_file(ddclient_log_t) + +type ddclient_var_t; +files_type(ddclient_var_t) + +type ddclient_var_lib_t; +files_type(ddclient_var_lib_t) + +type ddclient_var_run_t; +files_pid_file(ddclient_var_run_t) + +######################################## +# +# Declarations +# + +dontaudit ddclient_t self:capability sys_tty_config; +allow ddclient_t self:process signal_perms; +allow ddclient_t self:fifo_file rw_fifo_file_perms; +allow ddclient_t self:tcp_socket create_socket_perms; +allow ddclient_t self:udp_socket create_socket_perms; + +allow ddclient_t ddclient_etc_t:file read_file_perms; + +allow ddclient_t ddclient_log_t:file manage_file_perms; +logging_log_filetrans(ddclient_t, ddclient_log_t, file) + +manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) +manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) +manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) +manage_fifo_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) +manage_sock_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) +files_var_filetrans(ddclient_t, ddclient_var_t, { file lnk_file sock_file fifo_file }) + +manage_files_pattern(ddclient_t, ddclient_var_lib_t, ddclient_var_lib_t) +files_var_lib_filetrans(ddclient_t, ddclient_var_lib_t, file) + +manage_files_pattern(ddclient_t, ddclient_var_run_t, ddclient_var_run_t) +files_pid_filetrans(ddclient_t, ddclient_var_run_t, file) + +kernel_read_system_state(ddclient_t) +kernel_read_network_state(ddclient_t) +kernel_read_software_raid_state(ddclient_t) +kernel_getattr_core_if(ddclient_t) +kernel_getattr_message_if(ddclient_t) 
+kernel_read_kernel_sysctls(ddclient_t) + +corecmd_exec_shell(ddclient_t) +corecmd_exec_bin(ddclient_t) + +corenet_all_recvfrom_unlabeled(ddclient_t) +corenet_all_recvfrom_netlabel(ddclient_t) +corenet_tcp_sendrecv_generic_if(ddclient_t) +corenet_udp_sendrecv_generic_if(ddclient_t) +corenet_tcp_sendrecv_generic_node(ddclient_t) +corenet_udp_sendrecv_generic_node(ddclient_t) +corenet_tcp_sendrecv_all_ports(ddclient_t) +corenet_udp_sendrecv_all_ports(ddclient_t) +corenet_tcp_connect_all_ports(ddclient_t) +corenet_sendrecv_all_client_packets(ddclient_t) + +dev_read_sysfs(ddclient_t) +dev_read_urand(ddclient_t) + +domain_use_interactive_fds(ddclient_t) + +files_read_etc_files(ddclient_t) +files_read_etc_runtime_files(ddclient_t) +files_read_usr_files(ddclient_t) + +fs_getattr_all_fs(ddclient_t) +fs_search_auto_mountpoints(ddclient_t) + +logging_send_syslog_msg(ddclient_t) + +miscfiles_read_localization(ddclient_t) + +sysnet_exec_ifconfig(ddclient_t) +sysnet_read_config(ddclient_t) + +userdom_dontaudit_use_unpriv_user_fds(ddclient_t) +userdom_dontaudit_search_user_home_dirs(ddclient_t) + +optional_policy(` + seutil_sigchld_newrole(ddclient_t) +') + +optional_policy(` + udev_read_db(ddclient_t) +') diff --git a/policy/modules/services/denyhosts.fc b/policy/modules/services/denyhosts.fc new file mode 100644 index 0000000..257fef6 --- /dev/null +++ b/policy/modules/services/denyhosts.fc @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t,s0) + +/usr/bin/denyhosts\.py -- gen_context(system_u:object_r:denyhosts_exec_t,s0) + +/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t,s0) +/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t,s0) +/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t,s0) diff --git a/policy/modules/services/denyhosts.if b/policy/modules/services/denyhosts.if new file mode 100644 index 0000000..9c9e65c --- /dev/null 
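Review bot: the second section banner in ddclient.te repeats `# Declarations` above the rules block that begins with `dontaudit ddclient_t self:capability sys_tty_config;`; rename it to `# Local policy`, the wording used by the dcc and dbus modules in this patch. On the network side, ddclient_t receives corenet_tcp_connect_all_ports, corenet_tcp_sendrecv_all_ports and corenet_sendrecv_all_client_packets; if the dynamic DNS update only needs HTTP/HTTPS, corenet_tcp_connect_http_port would confine the daemon far more tightly, and if every port really is required a comment explaining why would help the next reader.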
+++ b/policy/modules/services/denyhosts.if 
@@ -0,0 +1,86 @@ +## <summary>DenyHosts SSH dictionary attack mitigation</summary> +## <desc> +## <p> +## DenyHosts is a script intended to be run by Linux +## system administrators to help thwart SSH server attacks +## (also known as dictionary based attacks and brute force +## attacks). +## </p> +## </desc> + +######################################## +## <summary> +## Execute a domain transition to run denyhosts. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`denyhosts_domtrans',` + gen_require(` + type denyhosts_t, denyhosts_exec_t; + ') + + domtrans_pattern($1, denyhosts_exec_t, denyhosts_t) +') + +######################################## +## <summary> +## Execute denyhost server in the denyhost domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`denyhosts_initrc_domtrans',` + gen_require(` + type denyhosts_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, denyhosts_initrc_exec_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an denyhosts environment. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`denyhosts_admin',` + gen_require(` + type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t; + type denyhosts_var_log_t, denyhosts_initrc_exec_t; + ') + + allow $1 denyhosts_t:process { ptrace signal_perms }; + ps_process_pattern($1, denyhosts_t) + + denyhosts_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 denyhosts_initrc_exec_t system_r; + allow $2 system_r; + + files_list_var_lib($1) + admin_pattern($1, denyhosts_var_lib_t) + + logging_list_logs($1) + admin_pattern($1, denyhosts_var_log_t) + + files_list_locks($1) + admin_pattern($1, denyhosts_var_lock_t) +') diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te new file mode 100644 index 0000000..b10da2c --- /dev/null +++ b/policy/modules/services/denyhosts.te 
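Review bot: the summary of denyhosts_initrc_domtrans, "Execute denyhost server in the denyhost domain.", does not describe the body: init_labeled_script_domtrans($1, denyhosts_initrc_exec_t) transitions into the init script domain, not into denyhosts_t. Reword it to "Execute the denyhosts init script in the init script domain." (and note the missing "s" in "denyhost"). In denyhosts_admin, "an denyhosts environment" should read "a denyhosts environment".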
@@ -0,0 +1,81 @@ +policy_module(denyhosts, 1.0.0) + +######################################## +# +# DenyHosts personal declarations. +# + +type denyhosts_t; +type denyhosts_exec_t; +init_daemon_domain(denyhosts_t, denyhosts_exec_t) + +type denyhosts_initrc_exec_t; +init_script_file(denyhosts_initrc_exec_t) + +type denyhosts_var_lib_t; +files_type(denyhosts_var_lib_t) + +type denyhosts_var_lock_t; +files_lock_file(denyhosts_var_lock_t) + +type denyhosts_var_log_t; +logging_log_file(denyhosts_var_log_t) + +######################################## +# +# DenyHosts personal policy. +# +# Bug #588563 +allow denyhosts_t self:capability sys_tty_config; +allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms; +allow denyhosts_t self:tcp_socket create_socket_perms; +allow denyhosts_t self:udp_socket create_socket_perms; + +manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t) +files_var_lib_filetrans(denyhosts_t, denyhosts_var_lib_t, file) + +manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t) +manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t) +files_lock_filetrans(denyhosts_t, denyhosts_var_lock_t, { dir file }) + +append_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) +create_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) +read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) +setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t) +logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file) + +kernel_read_system_state(denyhosts_t) + +corecmd_exec_bin(denyhosts_t) + +corenet_all_recvfrom_unlabeled(denyhosts_t) +corenet_all_recvfrom_netlabel(denyhosts_t) +corenet_tcp_sendrecv_generic_if(denyhosts_t) +corenet_tcp_sendrecv_generic_node(denyhosts_t) +corenet_tcp_bind_generic_node(denyhosts_t) +corenet_tcp_connect_smtp_port(denyhosts_t) +corenet_tcp_connect_sype_port(denyhosts_t) 
+corenet_sendrecv_smtp_client_packets(denyhosts_t) + +dev_read_urand(denyhosts_t) + +files_read_etc_files(denyhosts_t) +files_read_usr_files(denyhosts_t) + +# /var/log/secure +logging_read_generic_logs(denyhosts_t) +logging_send_syslog_msg(denyhosts_t) + +miscfiles_read_localization(denyhosts_t) + +sysnet_dns_name_resolve(denyhosts_t) +sysnet_manage_config(denyhosts_t) +sysnet_etc_filetrans_config(denyhosts_t) + +optional_policy(` + cron_system_entry(denyhosts_t, denyhosts_exec_t) +') + +optional_policy(` + gnome_dontaudit_search_config(denyhosts_t) +') diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc new file mode 100644 index 0000000..418a5a0 --- /dev/null +++ b/policy/modules/services/devicekit.fc @@ -0,0 +1,14 @@ +/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) +/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) +/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) +/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) +/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) + +/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) +/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) +/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) + +/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if new file mode 100644 index 0000000..ab2edfc --- /dev/null +++ b/policy/modules/services/devicekit.if 
@@ -0,0 +1,175 @@ +## <summary>Devicekit modular hardware abstraction layer</summary> + +######################################## +## <summary> +## Execute a domain transition to run devicekit. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`devicekit_domtrans',` + gen_require(` + type devicekit_t, devicekit_exec_t; + ') + + domtrans_pattern($1, devicekit_exec_t, devicekit_t) +') + +######################################## +## <summary> +## Send to devicekit over a unix domain +## datagram socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`devicekit_dgram_send',` + gen_require(` + type devicekit_t; + ') + + allow $1 devicekit_t:unix_dgram_socket sendto; +') + +######################################## +## <summary> +## Send and receive messages from +## devicekit over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`devicekit_dbus_chat',` + gen_require(` + type devicekit_t; + class dbus send_msg; + ') + + allow $1 devicekit_t:dbus send_msg; + allow devicekit_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Send and receive messages from +## devicekit disk over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`devicekit_dbus_chat_disk',` + gen_require(` + type devicekit_disk_t; + class dbus send_msg; + ') + + allow $1 devicekit_disk_t:dbus send_msg; + allow devicekit_disk_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Send signal devicekit power +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`devicekit_signal_power',` + gen_require(` + type devicekit_power_t; + ') + + allow $1 devicekit_power_t:process signal; +') + +######################################## +## <summary> +## Send and receive messages from +## devicekit power over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`devicekit_dbus_chat_power',` + gen_require(` + type devicekit_power_t; + class dbus send_msg; + ') + + allow $1 devicekit_power_t:dbus send_msg; + allow devicekit_power_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Read devicekit PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`devicekit_read_pid_files',` + gen_require(` + type devicekit_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an devicekit environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`devicekit_admin',` + gen_require(` + type devicekit_t, devicekit_disk_t, devicekit_power_t; + type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; + ') + + allow $1 devicekit_t:process { ptrace signal_perms }; + ps_process_pattern($1, devicekit_t) + + allow $1 devicekit_disk_t:process { ptrace signal_perms }; + ps_process_pattern($1, devicekit_disk_t) + + allow $1 devicekit_power_t:process { ptrace signal_perms }; + ps_process_pattern($1, devicekit_power_t) + + admin_pattern($1, devicekit_tmp_t) + files_list_tmp($1) + + admin_pattern($1, devicekit_var_lib_t) + files_list_var_lib($1) + + admin_pattern($1, devicekit_var_run_t) + files_list_pids($1) +') 
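Review bot: two documentation nits in the devicekit.if hunk: the `devicekit_signal_power` summary reads "Send signal devicekit power", which is missing both a preposition and a terminating period ("Send a signal to devicekit power."), and the `devicekit_admin` summary says "an devicekit environment" with no period, while every other admin interface in this series ends its summary with one. Also worth a one-line comment: `devicekit_admin` takes no role parameter and grants no initrc transition, unlike `denyhosts_admin`; that is consistent with devicekit.fc listing no init script for these daemons, but without a comment the asymmetry reads as an omission.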
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te new file mode 100644 index 0000000..184b4b5 --- /dev/null +++ b/policy/modules/services/devicekit.te 
@@ -0,0 +1,315 @@ +policy_module(devicekit, 1.1.0) + +######################################## +# +# Declarations +# + +type devicekit_t; +type devicekit_exec_t; +dbus_system_domain(devicekit_t, devicekit_exec_t) + +type devicekit_power_t; +type devicekit_power_exec_t; +dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) + +type devicekit_disk_t; +type devicekit_disk_exec_t; +dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) + +type devicekit_tmp_t; +files_tmp_file(devicekit_tmp_t) + +type devicekit_var_run_t; +files_pid_file(devicekit_var_run_t) + +type devicekit_var_lib_t; +files_type(devicekit_var_lib_t) + +######################################## +# +# DeviceKit local policy +# + +allow devicekit_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) +manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) +files_pid_filetrans(devicekit_t, devicekit_var_run_t, { file dir }) + +kernel_read_system_state(devicekit_t) + +dev_read_sysfs(devicekit_t) +dev_read_urand(devicekit_t) + +files_read_etc_files(devicekit_t) + +miscfiles_read_localization(devicekit_t) + +optional_policy(` + dbus_system_bus_client(devicekit_t) + + allow devicekit_t devicekit_disk_t:dbus send_msg; + allow devicekit_t devicekit_power_t:dbus send_msg; +') + +optional_policy(` + udev_read_db(devicekit_t) +') + +######################################## +# +# DeviceKit disk local policy +# + +allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; +allow devicekit_disk_t self:process { getsched signal_perms }; +allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; +allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; + +manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) +manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) 
+files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { file dir }) + +manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) +manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) +files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) + +allow devicekit_disk_t devicekit_var_run_t:dir mounton; +manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) +manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) +files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir }) + +kernel_list_unlabeled(devicekit_disk_t) +kernel_getattr_message_if(devicekit_disk_t) +kernel_read_fs_sysctls(devicekit_disk_t) +kernel_read_network_state(devicekit_disk_t) +kernel_read_software_raid_state(devicekit_disk_t) +kernel_read_system_state(devicekit_disk_t) +kernel_request_load_module(devicekit_disk_t) +kernel_setsched(devicekit_disk_t) + +corecmd_exec_bin(devicekit_disk_t) +corecmd_exec_shell(devicekit_disk_t) +corecmd_getattr_all_executables(devicekit_disk_t) + +dev_rw_sysfs(devicekit_disk_t) +dev_read_urand(devicekit_disk_t) +dev_getattr_usbfs_dirs(devicekit_disk_t) +dev_manage_generic_files(devicekit_disk_t) +dev_getattr_all_chr_files(devicekit_disk_t) +dev_getattr_mtrr_dev(devicekit_disk_t) + +domain_getattr_all_pipes(devicekit_disk_t) +domain_getattr_all_sockets(devicekit_disk_t) +domain_getattr_all_stream_sockets(devicekit_disk_t) +domain_read_all_domains_state(devicekit_disk_t) + +files_dontaudit_read_all_symlinks(devicekit_disk_t) +files_getattr_all_sockets(devicekit_disk_t) +files_getattr_all_dirs(devicekit_disk_t) +files_getattr_all_files(devicekit_disk_t) +files_getattr_all_pipes(devicekit_disk_t) +files_manage_boot_dirs(devicekit_disk_t) +files_manage_isid_type_dirs(devicekit_disk_t) +files_manage_mnt_dirs(devicekit_disk_t) +files_read_etc_files(devicekit_disk_t) +files_read_etc_runtime_files(devicekit_disk_t) +files_read_usr_files(devicekit_disk_t) + 
+fs_list_inotifyfs(devicekit_disk_t) +fs_manage_fusefs_dirs(devicekit_disk_t) +fs_mount_all_fs(devicekit_disk_t) +fs_unmount_all_fs(devicekit_disk_t) +fs_search_all(devicekit_disk_t) + +mls_file_read_all_levels(devicekit_disk_t) +mls_file_write_to_clearance(devicekit_disk_t) + +storage_raw_read_fixed_disk(devicekit_disk_t) +storage_raw_write_fixed_disk(devicekit_disk_t) +storage_raw_read_removable_device(devicekit_disk_t) +storage_raw_write_removable_device(devicekit_disk_t) + +term_use_all_terms(devicekit_disk_t) + +auth_use_nsswitch(devicekit_disk_t) + +miscfiles_read_localization(devicekit_disk_t) + +userdom_read_all_users_state(devicekit_disk_t) +userdom_search_user_home_dirs(devicekit_disk_t) + +optional_policy(` + dbus_system_bus_client(devicekit_disk_t) + + allow devicekit_disk_t devicekit_t:dbus send_msg; + + optional_policy(` + consolekit_dbus_chat(devicekit_disk_t) + ') +') + +optional_policy(` + fstools_domtrans(devicekit_disk_t) +') + +optional_policy(` + lvm_domtrans(devicekit_disk_t) +') + +optional_policy(` + mount_domtrans(devicekit_disk_t) +') + +optional_policy(` + policykit_dbus_chat(devicekit_disk_t) + policykit_domtrans_auth(devicekit_disk_t) + policykit_read_lib(devicekit_disk_t) + policykit_read_reload(devicekit_disk_t) +') + +optional_policy(` + raid_domtrans_mdadm(devicekit_disk_t) +') + +optional_policy(` + udev_domtrans(devicekit_disk_t) + udev_read_db(devicekit_disk_t) +') + +optional_policy(` + virt_manage_images(devicekit_disk_t) +') + +optional_policy(` + unconfined_domain(devicekit_t) + unconfined_domain(devicekit_power_t) + unconfined_domain(devicekit_disk_t) +') + +######################################## +# +# DeviceKit-Power local policy +# + +allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; +allow devicekit_power_t self:process { getsched signal_perms }; +allow devicekit_power_t self:fifo_file rw_fifo_file_perms; +allow devicekit_power_t self:unix_dgram_socket 
create_socket_perms; +allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; + +manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) +manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) +files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir }) + +manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) +manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) +files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) + +kernel_read_network_state(devicekit_power_t) +kernel_read_system_state(devicekit_power_t) +kernel_rw_hotplug_sysctls(devicekit_power_t) +kernel_rw_kernel_sysctl(devicekit_power_t) +kernel_search_debugfs(devicekit_power_t) +kernel_write_proc_files(devicekit_power_t) + +corecmd_exec_bin(devicekit_power_t) +corecmd_exec_shell(devicekit_power_t) + +consoletype_exec(devicekit_power_t) + +domain_read_all_domains_state(devicekit_power_t) + +dev_read_input(devicekit_power_t) +dev_rw_generic_usb_dev(devicekit_power_t) +dev_rw_generic_chr_files(devicekit_power_t) +dev_rw_netcontrol(devicekit_power_t) +dev_rw_sysfs(devicekit_power_t) +dev_read_rand(devicekit_power_t) + +files_read_kernel_img(devicekit_power_t) +files_read_etc_files(devicekit_power_t) +files_read_usr_files(devicekit_power_t) + +fs_list_inotifyfs(devicekit_power_t) +fs_getattr_all_fs(devicekit_power_t) + +term_use_all_terms(devicekit_power_t) + +auth_use_nsswitch(devicekit_power_t) + +miscfiles_read_localization(devicekit_power_t) + +modutils_domtrans_insmod(devicekit_power_t) + +sysnet_read_config(devicekit_power_t) +sysnet_domtrans_ifconfig(devicekit_power_t) +sysnet_domtrans_dhcpc(devicekit_power_t) + +userdom_read_all_users_state(devicekit_power_t) + +optional_policy(` + bootloader_domtrans(devicekit_power_t) +') + +optional_policy(` + cron_initrc_domtrans(devicekit_power_t) +') + +optional_policy(` + dbus_system_bus_client(devicekit_power_t) + + allow 
devicekit_power_t devicekit_t:dbus send_msg; + + optional_policy(` + consolekit_dbus_chat(devicekit_power_t) + ') + + optional_policy(` + networkmanager_dbus_chat(devicekit_power_t) + ') + + optional_policy(` + rpm_dbus_chat(devicekit_power_t) + ') +') + +optional_policy(` + fstools_domtrans(devicekit_power_t) +') + +optional_policy(` + gnome_read_home_config(devicekit_power_t) +') + +optional_policy(` + hal_domtrans_mac(devicekit_power_t) + hal_manage_log(devicekit_power_t) + hal_manage_pid_dirs(devicekit_power_t) + hal_manage_pid_files(devicekit_power_t) + hal_dbus_chat(devicekit_power_t) +') + +optional_policy(` + networkmanager_domtrans(devicekit_power_t) +') + +optional_policy(` + policykit_dbus_chat(devicekit_power_t) + policykit_domtrans_auth(devicekit_power_t) + policykit_read_lib(devicekit_power_t) + policykit_read_reload(devicekit_power_t) +') + +optional_policy(` + udev_read_db(devicekit_power_t) +') + +optional_policy(` + usbmuxd_stream_connect(devicekit_power_t) +') + +optional_policy(` + vbetool_domtrans(devicekit_power_t) +') diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc new file mode 100644 index 0000000..767e0c7 --- /dev/null +++ b/policy/modules/services/dhcp.fc @@ -0,0 +1,8 @@ +/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) + +/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) + +/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0) +/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) + +/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if new file mode 100644 index 0000000..7e129ff --- /dev/null +++ b/policy/modules/services/dhcp.if 
@@ -0,0 +1,99 @@ +## <summary>Dynamic host configuration protocol (DHCP) server</summary> + +######################################## +## <summary> +## Transition to dhcpd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`dhcpd_domtrans',` + gen_require(` + type dhcpd_t, dhcpd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, dhcpd_exec_t, dhcpd_t) +') + +######################################## +## <summary> +## Set the attributes of the DCHP +## server state files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dhcpd_setattr_state_files',` + gen_require(` + type dhcpd_state_t; + ') + + sysnet_search_dhcp_state($1) + allow $1 dhcpd_state_t:file setattr_file_perms; +') + +######################################## +## <summary> +## Execute dhcp server in the dhcp domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +# +interface(`dhcpd_initrc_domtrans',` + gen_require(` + type dhcpd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an dhcp environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the dhcp domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`dhcpd_admin',` + gen_require(` + type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t; + type dhcpd_var_run_t, dhcpd_initrc_exec_t; + ') + + allow $1 dhcpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, dhcpd_t) + + init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 dhcpd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, dhcpd_tmp_t) + + admin_pattern($1, dhcpd_state_t) + + files_list_pids($1) + admin_pattern($1, dhcpd_var_run_t) +') diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te new file mode 100644 index 0000000..a307b51 --- /dev/null +++ b/policy/modules/services/dhcp.te 
@@ -0,0 +1,128 @@ +policy_module(dhcp, 1.9.0) + +######################################## +# +# Declarations +# + +type dhcpd_t; +type dhcpd_exec_t; +init_daemon_domain(dhcpd_t, dhcpd_exec_t) + +type dhcpd_initrc_exec_t; +init_script_file(dhcpd_initrc_exec_t) + +type dhcpd_state_t; +files_type(dhcpd_state_t) + +type dhcpd_tmp_t; +files_tmp_file(dhcpd_tmp_t) + +type dhcpd_var_run_t; +files_pid_file(dhcpd_var_run_t) + +######################################## +# +# Local policy +# + +allow dhcpd_t self:capability { net_raw sys_resource }; +dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; +allow dhcpd_t self:process signal_perms; +allow dhcpd_t self:fifo_file rw_fifo_file_perms; +allow dhcpd_t self:unix_dgram_socket create_socket_perms; +allow dhcpd_t self:unix_stream_socket create_socket_perms; +allow dhcpd_t self:tcp_socket create_stream_socket_perms; +allow dhcpd_t self:udp_socket create_socket_perms; +# Allow dhcpd_t to use packet sockets +allow dhcpd_t self:packet_socket create_socket_perms; +allow dhcpd_t self:rawip_socket create_socket_perms; + +can_exec(dhcpd_t, dhcpd_exec_t) + +manage_files_pattern(dhcpd_t, dhcpd_state_t, dhcpd_state_t) +sysnet_dhcp_state_filetrans(dhcpd_t, dhcpd_state_t, file) + +manage_dirs_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t) +manage_files_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t) +files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir }) + +manage_files_pattern(dhcpd_t, dhcpd_var_run_t, dhcpd_var_run_t) +files_pid_filetrans(dhcpd_t, dhcpd_var_run_t, file) + +kernel_read_system_state(dhcpd_t) +kernel_read_kernel_sysctls(dhcpd_t) +kernel_read_network_state(dhcpd_t) + +corenet_all_recvfrom_unlabeled(dhcpd_t) +corenet_all_recvfrom_netlabel(dhcpd_t) +corenet_tcp_sendrecv_generic_if(dhcpd_t) +corenet_udp_sendrecv_generic_if(dhcpd_t) +corenet_raw_sendrecv_generic_if(dhcpd_t) +corenet_tcp_sendrecv_generic_node(dhcpd_t) +corenet_udp_sendrecv_generic_node(dhcpd_t) +corenet_raw_sendrecv_generic_node(dhcpd_t) 
+corenet_tcp_sendrecv_all_ports(dhcpd_t) +corenet_udp_sendrecv_all_ports(dhcpd_t) +corenet_tcp_bind_generic_node(dhcpd_t) +corenet_udp_bind_generic_node(dhcpd_t) +corenet_tcp_bind_dhcpd_port(dhcpd_t) +corenet_udp_bind_dhcpd_port(dhcpd_t) +corenet_udp_bind_pxe_port(dhcpd_t) +corenet_tcp_connect_all_ports(dhcpd_t) +corenet_sendrecv_dhcpd_server_packets(dhcpd_t) +corenet_sendrecv_pxe_server_packets(dhcpd_t) +corenet_sendrecv_all_client_packets(dhcpd_t) + +dev_read_sysfs(dhcpd_t) +dev_read_rand(dhcpd_t) +dev_read_urand(dhcpd_t) + +fs_getattr_all_fs(dhcpd_t) +fs_search_auto_mountpoints(dhcpd_t) + +corecmd_exec_bin(dhcpd_t) + +domain_use_interactive_fds(dhcpd_t) + +files_read_etc_files(dhcpd_t) +files_read_usr_files(dhcpd_t) +files_read_etc_runtime_files(dhcpd_t) +files_search_var_lib(dhcpd_t) + +auth_use_nsswitch(dhcpd_t) + +logging_send_syslog_msg(dhcpd_t) + +miscfiles_read_localization(dhcpd_t) + +sysnet_read_dhcp_config(dhcpd_t) + +userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) +userdom_dontaudit_search_user_home_dirs(dhcpd_t) + +ifdef(`distro_gentoo',` + allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; +') + +optional_policy(` + # used for dynamic DNS + bind_read_dnssec_keys(dhcpd_t) +') + +optional_policy(` + cobbler_dontaudit_rw_log(dhcpd_t) +') + +optional_policy(` + dbus_system_bus_client(dhcpd_t) + dbus_connect_system_bus(dhcpd_t) +') + +optional_policy(` + seutil_sigchld_newrole(dhcpd_t) +') + +optional_policy(` + udev_read_db(dhcpd_t) +') diff --git a/policy/modules/services/dictd.fc b/policy/modules/services/dictd.fc new file mode 100644 index 0000000..54f88c8 --- /dev/null +++ b/policy/modules/services/dictd.fc 
@@ -0,0 +1,9 @@ +/etc/rc\.d/init\.d/dictd -- gen_context(system_u:object_r:dictd_initrc_exec_t,s0) + +/etc/dictd\.conf -- gen_context(system_u:object_r:dictd_etc_t,s0) + +/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0) + +/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0) + +/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0) diff --git a/policy/modules/services/dictd.if b/policy/modules/services/dictd.if new file mode 100644 index 0000000..a0d23ce --- /dev/null +++ b/policy/modules/services/dictd.if @@ -0,0 +1,57 @@ +## <summary>Dictionary daemon</summary> + +######################################## +## <summary> +## Use dictionary services by connecting +## over TCP. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dictd_tcp_connect',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## All of the rules required to administrate +## an dictd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the dictd domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`dictd_admin',` + gen_require(` + type dictd_t, dictd_etc_t, dictd_var_lib_t; + type dictd_var_run_t, dictd_initrc_exec_t; + ') + + allow $1 dictd_t:process { ptrace signal_perms }; + ps_process_pattern($1, dictd_t) + + init_labeled_script_domtrans($1, dictd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 dictd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, dictd_etc_t) + + files_list_var_lib($1) + admin_pattern($1, dictd_var_lib_t) + + files_list_pids($1) + admin_pattern($1, dictd_var_run_t) +') 
diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te new file mode 100644 index 0000000..d2d9359 --- /dev/null +++ b/policy/modules/services/dictd.te 
@@ -0,0 +1,98 @@ +policy_module(dictd, 1.7.0) + +######################################## +# +# Declarations +# + +type dictd_t; +type dictd_exec_t; +init_daemon_domain(dictd_t, dictd_exec_t) + +type dictd_etc_t; +files_config_file(dictd_etc_t) + +type dictd_initrc_exec_t; +init_script_file(dictd_initrc_exec_t) + +type dictd_var_lib_t alias var_lib_dictd_t; +files_type(dictd_var_lib_t) + +type dictd_var_run_t; +files_pid_file(dictd_var_run_t) + +######################################## +# +# Local policy +# + +allow dictd_t self:capability { setuid setgid }; +dontaudit dictd_t self:capability sys_tty_config; +allow dictd_t self:process { signal_perms setpgid }; +allow dictd_t self:unix_stream_socket create_stream_socket_perms; +allow dictd_t self:tcp_socket create_stream_socket_perms; +allow dictd_t self:udp_socket create_socket_perms; + +allow dictd_t dictd_etc_t:file read_file_perms; +files_search_etc(dictd_t) + +allow dictd_t dictd_var_lib_t:dir list_dir_perms; +allow dictd_t dictd_var_lib_t:file read_file_perms; + +manage_files_pattern(dictd_t, dictd_var_run_t, dictd_var_run_t) +files_pid_filetrans(dictd_t, dictd_var_run_t, file) + +kernel_read_system_state(dictd_t) +kernel_read_kernel_sysctls(dictd_t) + +corenet_all_recvfrom_unlabeled(dictd_t) +corenet_all_recvfrom_netlabel(dictd_t) +corenet_tcp_sendrecv_generic_if(dictd_t) +corenet_raw_sendrecv_generic_if(dictd_t) +corenet_udp_sendrecv_generic_if(dictd_t) +corenet_tcp_sendrecv_generic_node(dictd_t) +corenet_udp_sendrecv_generic_node(dictd_t) +corenet_raw_sendrecv_generic_node(dictd_t) +corenet_tcp_sendrecv_all_ports(dictd_t) +corenet_udp_sendrecv_all_ports(dictd_t) +corenet_tcp_bind_generic_node(dictd_t) +corenet_tcp_bind_dict_port(dictd_t) +corenet_sendrecv_dict_server_packets(dictd_t) + +dev_read_sysfs(dictd_t) + +fs_getattr_xattr_fs(dictd_t) +fs_search_auto_mountpoints(dictd_t) + +domain_use_interactive_fds(dictd_t) + +files_read_etc_files(dictd_t) +files_read_etc_runtime_files(dictd_t) 
+files_read_usr_files(dictd_t) +files_search_var_lib(dictd_t) +# for checking for nscd +files_dontaudit_search_pids(dictd_t) + +logging_send_syslog_msg(dictd_t) + +miscfiles_read_localization(dictd_t) + +sysnet_read_config(dictd_t) + +userdom_dontaudit_use_unpriv_user_fds(dictd_t) + +optional_policy(` + nis_use_ypbind(dictd_t) +') + +optional_policy(` + nscd_socket_use(dictd_t) +') + +optional_policy(` + seutil_sigchld_newrole(dictd_t) +') + +optional_policy(` + udev_read_db(dictd_t) +') diff --git a/policy/modules/services/distcc.fc b/policy/modules/services/distcc.fc new file mode 100644 index 0000000..6ce6b00 --- /dev/null +++ b/policy/modules/services/distcc.fc @@ -0,0 +1,2 @@ + +/usr/bin/distccd -- gen_context(system_u:object_r:distccd_exec_t,s0) diff --git a/policy/modules/services/distcc.if b/policy/modules/services/distcc.if new file mode 100644 index 0000000..926e959 --- /dev/null +++ b/policy/modules/services/distcc.if @@ -0,0 +1 @@ +## <summary>Distributed compiler daemon</summary> diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te new file mode 100644 index 0000000..54d93e8 --- /dev/null +++ b/policy/modules/services/distcc.te 
@@ -0,0 +1,93 @@ +policy_module(distcc, 1.8.0) + +######################################## +# +# Declarations +# + +type distccd_t; +type distccd_exec_t; +init_daemon_domain(distccd_t, distccd_exec_t) + +type distccd_log_t; +logging_log_file(distccd_log_t) + +type distccd_tmp_t; +files_tmp_file(distccd_tmp_t) + +type distccd_var_run_t; +files_pid_file(distccd_var_run_t) + +######################################## +# +# Local policy +# + +allow distccd_t self:capability { setgid setuid }; +dontaudit distccd_t self:capability sys_tty_config; +allow distccd_t self:process { signal_perms setsched }; +allow distccd_t self:fifo_file rw_fifo_file_perms; +allow distccd_t self:netlink_route_socket r_netlink_socket_perms; +allow distccd_t self:tcp_socket create_stream_socket_perms; +allow distccd_t self:udp_socket create_socket_perms; + +allow distccd_t distccd_log_t:file manage_file_perms; +logging_log_filetrans(distccd_t, distccd_log_t, file) + +manage_dirs_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t) +manage_files_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t) +files_tmp_filetrans(distccd_t, distccd_tmp_t, { file dir }) + +manage_files_pattern(distccd_t, distccd_var_run_t, distccd_var_run_t) +files_pid_filetrans(distccd_t, distccd_var_run_t, file) + +kernel_read_system_state(distccd_t) +kernel_read_kernel_sysctls(distccd_t) + +corenet_all_recvfrom_unlabeled(distccd_t) +corenet_all_recvfrom_netlabel(distccd_t) +corenet_tcp_sendrecv_generic_if(distccd_t) +corenet_udp_sendrecv_generic_if(distccd_t) +corenet_tcp_sendrecv_generic_node(distccd_t) +corenet_udp_sendrecv_generic_node(distccd_t) +corenet_tcp_sendrecv_all_ports(distccd_t) +corenet_udp_sendrecv_all_ports(distccd_t) +corenet_tcp_bind_generic_node(distccd_t) +corenet_tcp_bind_distccd_port(distccd_t) +corenet_sendrecv_distccd_server_packets(distccd_t) + +dev_read_sysfs(distccd_t) + +fs_getattr_all_fs(distccd_t) +fs_search_auto_mountpoints(distccd_t) + +corecmd_exec_bin(distccd_t) 
+corecmd_read_bin_symlinks(distccd_t) + +domain_use_interactive_fds(distccd_t) + +files_read_etc_files(distccd_t) +files_read_etc_runtime_files(distccd_t) + +libs_exec_lib_files(distccd_t) + +logging_send_syslog_msg(distccd_t) + +miscfiles_read_localization(distccd_t) + +sysnet_read_config(distccd_t) + +userdom_dontaudit_use_unpriv_user_fds(distccd_t) +userdom_dontaudit_search_user_home_dirs(distccd_t) + +optional_policy(` + nis_use_ypbind(distccd_t) +') + +optional_policy(` + seutil_sigchld_newrole(distccd_t) +') + +optional_policy(` + udev_read_db(distccd_t) +') diff --git a/policy/modules/services/djbdns.fc b/policy/modules/services/djbdns.fc new file mode 100644 index 0000000..fdb6652 --- /dev/null +++ b/policy/modules/services/djbdns.fc @@ -0,0 +1,9 @@ + +/usr/bin/axfrdns -- gen_context(system_u:object_r:djbdns_axfrdns_exec_t,s0) +/usr/bin/dnscache -- gen_context(system_u:object_r:djbdns_dnscache_exec_t,s0) +/usr/bin/tinydns -- gen_context(system_u:object_r:djbdns_tinydns_exec_t,s0) + +/var/axfrdns/root(/.*)? gen_context(system_u:object_r:djbdns_axfrdns_conf_t,s0) +/var/dnscache/root(/.*)? gen_context(system_u:object_r:djbdns_dnscache_conf_t,s0) +/var/tinydns/root(/.*)? gen_context(system_u:object_r:djbdns_tinydns_conf_t,s0) + diff --git a/policy/modules/services/djbdns.if b/policy/modules/services/djbdns.if new file mode 100644 index 0000000..ade3079 --- /dev/null +++ b/policy/modules/services/djbdns.if 
@@ -0,0 +1,90 @@ +## <summary>small and secure DNS daemon</summary> + +######################################## +## <summary> +## Create a set of derived types for djbdns +## components that are directly supervised by daemontools. +## </summary> +## <param name="prefix"> +## <summary> +## The prefix to be used for deriving type names. +## </summary> +## </param> +# +template(`djbdns_daemontools_domain_template',` + + type djbdns_$1_t; + type djbdns_$1_exec_t; + type djbdns_$1_conf_t; + files_config_file(djbdns_$1_conf_t) + + domain_type(djbdns_$1_t) + domain_entry_file(djbdns_$1_t, djbdns_$1_exec_t) + role system_r types djbdns_$1_t; + + daemontools_service_domain(djbdns_$1_t, djbdns_$1_exec_t) + daemontools_read_svc(djbdns_$1_t) + + allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot }; + allow djbdns_$1_t self:process signal; + allow djbdns_$1_t self:fifo_file rw_fifo_file_perms; + allow djbdns_$1_t self:tcp_socket create_stream_socket_perms; + allow djbdns_$1_t self:udp_socket create_socket_perms; + + allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms; + allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms; + + corenet_all_recvfrom_unlabeled(djbdns_$1_t) + corenet_all_recvfrom_netlabel(djbdns_$1_t) + corenet_tcp_sendrecv_generic_if(djbdns_$1_t) + corenet_udp_sendrecv_generic_if(djbdns_$1_t) + corenet_tcp_sendrecv_generic_node(djbdns_$1_t) + corenet_udp_sendrecv_generic_node(djbdns_$1_t) + corenet_tcp_sendrecv_all_ports(djbdns_$1_t) + corenet_udp_sendrecv_all_ports(djbdns_$1_t) + corenet_tcp_bind_generic_node(djbdns_$1_t) + corenet_udp_bind_generic_node(djbdns_$1_t) + corenet_tcp_bind_dns_port(djbdns_$1_t) + corenet_udp_bind_dns_port(djbdns_$1_t) + corenet_udp_bind_generic_port(djbdns_$1_t) + corenet_sendrecv_dns_server_packets(djbdns_$1_t) + corenet_sendrecv_generic_server_packets(djbdns_$1_t) + + files_search_var(djbdns_$1_t) +') + +##################################### +## <summary> +## Allow search the djbdns-tinydns key ring. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`djbdns_search_tinydns_keys',` + gen_require(` + type djbdns_tinydns_t; + ') + + allow $1 djbdns_tinydns_t:key search; +') + +##################################### +## <summary> +## Allow link to the djbdns-tinydns key ring. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`djbdns_link_tinydns_keys',` + gen_require(` + type djbdns_tinydn_t; + ') + + allow $1 djbdns_tinydn_t:key link; +') diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te new file mode 100644 index 0000000..51e2ce8 --- /dev/null +++ b/policy/modules/services/djbdns.te 
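Review bot: `djbdns_link_tinydns_keys` in the djbdns.if hunk requires and uses `djbdns_tinydn_t`, a type that is never declared (the template and `djbdns_search_tinydns_keys` use `djbdns_tinydns_t`), so any module calling this interface fails to build. Change both lines to `type djbdns_tinydns_t;` and `allow $1 djbdns_tinydns_t:key link;`. While here, the summary "Allow search the djbdns-tinydns key ring." should read "Search the djbdns-tinydns key ring." to match the wording convention of the other interfaces.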
@@ -0,0 +1,49 @@ +policy_module(djbdns, 1.4.1) + +######################################## +# +# Declarations +# + +type djbdns_axfrdns_t; +type djbdns_axfrdns_exec_t; +domain_type(djbdns_axfrdns_t) +domain_entry_file(djbdns_axfrdns_t, djbdns_axfrdns_exec_t) +role system_r types djbdns_axfrdns_t; + +type djbdns_axfrdns_conf_t; +files_config_file(djbdns_axfrdns_conf_t) + +djbdns_daemontools_domain_template(dnscache) + +djbdns_daemontools_domain_template(tinydns) + +######################################## +# +# Local policy for axfrdns component +# + +allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot }; + +allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms; +allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file read_file_perms; + +allow djbdns_axfrdns_t djbdns_tinydns_t:dir list_dir_perms; +allow djbdns_axfrdns_t djbdns_tinydns_t:file read_file_perms; + +allow djbdns_axfrdns_t djbdns_tinydns_conf_t:dir list_dir_perms; +allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms; + +files_search_var(djbdns_axfrdns_t) + +daemontools_ipc_domain(djbdns_axfrdns_t) +daemontools_read_svc(djbdns_axfrdns_t) + +ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t) + +######################################## +# +# Local policy for tinydns +# + +init_dontaudit_use_script_fds(djbdns_tinydns_t) diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc new file mode 100644 index 0000000..dc1056c --- /dev/null +++ b/policy/modules/services/dkim.fc 
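Review bot: the two rules `allow djbdns_axfrdns_t djbdns_tinydns_t:dir list_dir_perms;` and `allow djbdns_axfrdns_t djbdns_tinydns_t:file read_file_perms;` in the axfrdns section target a process domain, not a file type, so they only grant access to tinydns's /proc/<pid> entries. If the intent was the zone data, the `djbdns_tinydns_conf_t` rules that follow already cover it and these two lines can be dropped; if reading tinydns's /proc state is really needed, add a comment saying so, since that is not obvious from the code.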
@@ -0,0 +1,9 @@ +/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) + +/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) + +/var/db/dkim(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) + +/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) +/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) +/var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0) diff --git a/policy/modules/services/dkim.if b/policy/modules/services/dkim.if new file mode 100644 index 0000000..32d108a --- /dev/null +++ b/policy/modules/services/dkim.if @@ -0,0 +1 @@ +## <summary>DomainKeys Identified Mail milter.</summary> diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te new file mode 100644 index 0000000..1b4983d --- /dev/null +++ b/policy/modules/services/dkim.te @@ -0,0 +1,31 @@ +policy_module(dkim, 1.0.0) + +######################################## +# +# Declarations +# + +milter_template(dkim) + +# Type for the private key of dkim-filter +type dkim_milter_private_key_t; +files_type(dkim_milter_private_key_t) + +######################################## +# +# Local policy +# + +allow dkim_milter_t self:capability { setgid setuid }; + +read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) + +kernel_read_kernel_sysctls(dkim_milter_t) + +dev_read_urand(dkim_milter_t) + +files_read_etc_files(dkim_milter_t) + +sysnet_dns_name_resolve(dkim_milter_t) + +mta_read_config(dkim_milter_t) diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc new file mode 100644 index 0000000..b886676 --- /dev/null +++ b/policy/modules/services/dnsmasq.fc 
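Review bot: dkim.if contains only the module summary, so no other module can read, relabel or administer `dkim_milter_private_key_t` or `dkim_milter_data_t`; key rotation from an admin domain will need an interface (at minimum a `dkim_admin` or a manage-keys interface following the `admin_pattern` style used by the other modules in this patch), or a comment stating that the key type is deliberately unreachable from any other domain. Also worth a comment in dkim.fc: `/var/db/dkim(/.*)?` labels the whole directory as private key material, so anything else the milter stores there inherits the key type.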
@@ -0,0 +1,12 @@ +/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0) +/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) + +/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) + +/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) +/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) + +/var/log/dnsmasq\.log gen_context(system_u:object_r:dnsmasq_var_log_t,s0) + +/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) +/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if new file mode 100644 index 0000000..c808b31 --- /dev/null +++ b/policy/modules/services/dnsmasq.if 
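Review bot: two style inconsistencies in the dnsmasq.fc hunk. `gen_context(system_u:object_r:dnsmasq_etc_t, s0)` has a space before `s0` that no other entry in the patch has, and `/var/log/dnsmasq\.log` is the only single-file entry without the `--` file-type field, so it will also match a directory or socket of that name. Suggest `/var/log/dnsmasq\.log -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)` and dropping the stray space.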
@@ -0,0 +1,212 @@ +## <summary>dnsmasq DNS forwarder and DHCP server</summary> + +######################################## +## <summary> +## Execute dnsmasq server in the dnsmasq domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +# +interface(`dnsmasq_domtrans',` + gen_require(` + type dnsmasq_exec_t, dnsmasq_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t) +') + +######################################## +## <summary> +## Execute the dnsmasq init script in the init script domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +# +interface(`dnsmasq_initrc_domtrans',` + gen_require(` + type dnsmasq_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) +') + +######################################## +## <summary> +## Send dnsmasq a signal +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# +interface(`dnsmasq_signal',` + gen_require(` + type dnsmasq_t; + ') + + allow $1 dnsmasq_t:process signal; +') + +######################################## +## <summary> +## Send dnsmasq a signull +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# +interface(`dnsmasq_signull',` + gen_require(` + type dnsmasq_t; + ') + + allow $1 dnsmasq_t:process signull; +') + +######################################## +## <summary> +## Send dnsmasq a kill signal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# +interface(`dnsmasq_kill',` + gen_require(` + type dnsmasq_t; + ') + + allow $1 dnsmasq_t:process sigkill; +') + +######################################## +## <summary> +## Read dnsmasq config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`dnsmasq_read_config',` + gen_require(` + type dnsmasq_etc_t; + ') + + read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) + files_search_etc($1) +') + +######################################## +## <summary> +## Write to dnsmasq config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dnsmasq_write_config',` + gen_require(` + type dnsmasq_etc_t; + ') + + write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) + files_search_etc($1) +') + +######################################## +## <summary> +## Delete dnsmasq pid files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dnsmasq_delete_pid_files',` + gen_require(` + type dnsmasq_var_run_t; + ') + + files_search_pids($1) + delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) +') + +######################################## +## <summary> +## Read dnsmasq pid files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# +interface(`dnsmasq_read_pid_files',` + gen_require(` + type dnsmasq_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an dnsmasq environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the dnsmasq domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`dnsmasq_admin',` + gen_require(` + type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; + type dnsmasq_initrc_exec_t; + ') + + allow $1 dnsmasq_t:process { ptrace signal_perms }; + ps_process_pattern($1, dnsmasq_t) + + init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 dnsmasq_initrc_exec_t system_r; + allow $2 system_r; + + files_list_var_lib($1) + admin_pattern($1, dnsmasq_lease_t) + + files_list_pids($1) + admin_pattern($1, dnsmasq_var_run_t) +') diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te new file mode 100644 index 0000000..a50a8a7 --- /dev/null +++ b/policy/modules/services/dnsmasq.te 
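Review bot: `dnsmasq_admin` never requires `dnsmasq_etc_t` or `dnsmasq_var_log_t`, so an admin role obtained through this interface can manage leases and pid files but cannot edit the config or rotate the log, which is the opposite of what the summary promises. Add the two types to `gen_require` and pair them with `files_list_etc($1)` / `admin_pattern($1, dnsmasq_etc_t)` and `logging_list_logs($1)` / `admin_pattern($1, dnsmasq_var_log_t)`, as the dovecot_admin and exim_admin interfaces in this same patch do. Minor: several interfaces in this file carry a doubled `#` comment line before `interface(`, and "an dnsmasq environment" should be "a dnsmasq environment".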
@@ -0,0 +1,121 @@ +policy_module(dnsmasq, 1.9.0) + +######################################## +# +# Declarations +# + +type dnsmasq_t; +type dnsmasq_exec_t; +init_daemon_domain(dnsmasq_t, dnsmasq_exec_t) + +type dnsmasq_initrc_exec_t; +init_script_file(dnsmasq_initrc_exec_t) + +type dnsmasq_etc_t; +files_config_file(dnsmasq_etc_t) + +type dnsmasq_lease_t; +files_type(dnsmasq_lease_t) + +type dnsmasq_var_log_t; +logging_log_file(dnsmasq_var_log_t) + +type dnsmasq_var_run_t; +files_pid_file(dnsmasq_var_run_t) + +######################################## +# +# Local policy +# + +allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_bind_service net_raw }; +dontaudit dnsmasq_t self:capability sys_tty_config; +allow dnsmasq_t self:process { getcap setcap signal_perms }; +allow dnsmasq_t self:fifo_file rw_fifo_file_perms; +allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write }; +allow dnsmasq_t self:tcp_socket create_stream_socket_perms; +allow dnsmasq_t self:udp_socket create_socket_perms; +allow dnsmasq_t self:packet_socket create_socket_perms; +allow dnsmasq_t self:rawip_socket create_socket_perms; + +read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) + +# dhcp leases +manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t) +files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) + +manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t) +logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file) + +manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) +files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file) + +kernel_read_kernel_sysctls(dnsmasq_t) +kernel_read_system_state(dnsmasq_t) + +corenet_all_recvfrom_unlabeled(dnsmasq_t) +corenet_all_recvfrom_netlabel(dnsmasq_t) +corenet_tcp_sendrecv_generic_if(dnsmasq_t) +corenet_udp_sendrecv_generic_if(dnsmasq_t) +corenet_raw_sendrecv_generic_if(dnsmasq_t) +corenet_tcp_sendrecv_generic_node(dnsmasq_t) 
+corenet_udp_sendrecv_generic_node(dnsmasq_t) +corenet_raw_sendrecv_generic_node(dnsmasq_t) +corenet_tcp_sendrecv_all_ports(dnsmasq_t) +corenet_udp_sendrecv_all_ports(dnsmasq_t) +corenet_tcp_bind_generic_node(dnsmasq_t) +corenet_udp_bind_generic_node(dnsmasq_t) +corenet_tcp_bind_dns_port(dnsmasq_t) +corenet_udp_bind_all_ports(dnsmasq_t) +corenet_sendrecv_dns_server_packets(dnsmasq_t) +corenet_sendrecv_dhcpd_server_packets(dnsmasq_t) + +dev_read_sysfs(dnsmasq_t) +dev_read_urand(dnsmasq_t) + +domain_use_interactive_fds(dnsmasq_t) + +files_read_etc_files(dnsmasq_t) +files_read_etc_runtime_files(dnsmasq_t) + +fs_getattr_all_fs(dnsmasq_t) +fs_search_auto_mountpoints(dnsmasq_t) + +auth_use_nsswitch(dnsmasq_t) + +logging_send_syslog_msg(dnsmasq_t) + +miscfiles_read_localization(dnsmasq_t) + +userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) +userdom_dontaudit_search_user_home_dirs(dnsmasq_t) + +optional_policy(` + cobbler_read_lib_files(dnsmasq_t) +') + +optional_policy(` + cron_manage_pid_files(dnsmasq_t) +') + +optional_policy(` + dbus_system_bus_client(dnsmasq_t) +') + +optional_policy(` + seutil_sigchld_newrole(dnsmasq_t) +') + +optional_policy(` + tftp_read_content(dnsmasq_t) +') + +optional_policy(` + udev_read_db(dnsmasq_t) +') + +optional_policy(` + virt_manage_lib_files(dnsmasq_t) + virt_read_pid_files(dnsmasq_t) +') diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc new file mode 100644 index 0000000..9a1dcba --- /dev/null +++ b/policy/modules/services/dovecot.fc 
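Review bot: `corenet_udp_bind_all_ports(dnsmasq_t)` is far wider than the TCP side, which binds only the DNS port, and the hunk gives no reason for it; dnsmasq needs the DNS and DHCP server ports, so `corenet_udp_bind_dns_port` and `corenet_udp_bind_dhcpd_port` would express the intent and keep the daemon off every other UDP port. Likewise the capability set `{ chown dac_override net_admin setgid setuid net_bind_service net_raw }` bundles `dac_override` and `net_admin` without a comment; each broad capability in a network-facing daemon deserves one line saying which feature (lease file handling, interface binding) needs it.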
@@ -0,0 +1,43 @@ + +# +# /etc +# +/etc/dovecot(/.*)?* gen_context(system_u:object_r:dovecot_etc_t,s0) +/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0) +/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) + +/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) +/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0) + +# +# /usr +# +/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0) + +/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) +/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) + +ifdef(`distro_debian', ` +/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) +/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) +') + +ifdef(`distro_redhat', ` +/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) +/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) +/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) +/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) +') + +# +# /var +# +/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) +/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) + +/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) + +/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0) +/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) + +/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if new file mode 100644 index 0000000..ee51a19 --- /dev/null +++ b/policy/modules/services/dovecot.if 
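Review bot: `/etc/dovecot(/.*)?*` in the dovecot.fc hunk has a stray `*` after the `?`, which every other entry in this patch omits; it should be `/etc/dovecot(/.*)?`. The entry `/var/run/dovecot/login/ssl-parameters.dat` leaves the dot unescaped (compare `/etc/dovecot\.conf.*` two lines up) and labels a file under /var/run with `dovecot_var_lib_t`, which is surprising enough to warrant a comment, since a reader will otherwise assume the `/var/run/dovecot(-login)?(/.*)?` line just above was meant to cover it.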
@@ -0,0 +1,135 @@ +## <summary>Dovecot POP and IMAP mail server</summary> + +######################################## +## <summary> +## Connect to dovecot auth unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dovecot_stream_connect_auth',` + gen_require(` + type dovecot_auth_t, dovecot_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t) +') + +######################################## +## <summary> +## Execute dovecot_deliver in the dovecot_deliver domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`dovecot_domtrans_deliver',` + gen_require(` + type dovecot_deliver_t, dovecot_deliver_exec_t; + ') + + domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t) +') + +######################################## +## <summary> +## Create, read, write, and delete the dovecot spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dovecot_manage_spool',` + gen_require(` + type dovecot_spool_t; + ') + + files_search_spool($1) + manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t) + manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t) +') + +######################################## +## <summary> +## Do not audit attempts to delete dovecot lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`dovecot_dontaudit_unlink_lib_files',` + gen_require(` + type dovecot_var_lib_t; + ') + + dontaudit $1 dovecot_var_lib_t:file unlink; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an dovecot environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the dovecot domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`dovecot_admin',` + gen_require(` + type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t; + type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t; + type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t; + type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t; + ') + + allow $1 dovecot_t:process { ptrace signal_perms }; + ps_process_pattern($1, dovecot_t) + + init_labeled_script_domtrans($1, dovecot_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 dovecot_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, dovecot_etc_t) + + files_list_tmp($1) + admin_pattern($1, dovecot_auth_tmp_t) + admin_pattern($1, dovecot_tmp_t) + + admin_pattern($1, dovecot_keytab_t) + + files_list_spool($1) + admin_pattern($1, dovecot_spool_t) + + files_list_var_lib($1) + admin_pattern($1, dovecot_var_lib_t) + + logging_search_logs($1) + admin_pattern($1, dovecot_var_log_t) + + files_list_pids($1) + admin_pattern($1, dovecot_var_run_t) + + admin_pattern($1, dovecot_cert_t) + + admin_pattern($1, dovecot_passwd_t) +') diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te new file mode 100644 index 0000000..396f956 --- /dev/null +++ b/policy/modules/services/dovecot.te 
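Review bot: `dovecot_admin` requires `dovecot_keytab_t`, but that type only exists when the kerberos module is present, because dovecot.te creates it inside `optional_policy(` kerberos_keytab_template(dovecot, dovecot_t) ')`. On a build without kerberos the `gen_require` fails and every caller of `dovecot_admin` breaks. Move `type dovecot_keytab_t;` and `admin_pattern($1, dovecot_keytab_t)` into their own `optional_policy(` ... ')` block inside the interface, or drop the keytab from the admin interface.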
@@ -0,0 +1,329 @@ +policy_module(dovecot, 1.12.0) + +######################################## +# +# Declarations +# +type dovecot_t; +type dovecot_exec_t; +init_daemon_domain(dovecot_t, dovecot_exec_t) + +type dovecot_auth_t; +type dovecot_auth_exec_t; +domain_type(dovecot_auth_t) +domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) +role system_r types dovecot_auth_t; + +type dovecot_auth_tmp_t; +files_tmp_file(dovecot_auth_tmp_t) + +type dovecot_cert_t; +miscfiles_cert_type(dovecot_cert_t) + +type dovecot_deliver_t; +type dovecot_deliver_exec_t; +domain_type(dovecot_deliver_t) +domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t) +role system_r types dovecot_deliver_t; + +type dovecot_deliver_tmp_t; +files_tmp_file(dovecot_deliver_tmp_t) + +type dovecot_etc_t; +files_config_file(dovecot_etc_t) + +type dovecot_initrc_exec_t; +init_script_file(dovecot_initrc_exec_t) + +type dovecot_passwd_t; +files_type(dovecot_passwd_t) + +type dovecot_spool_t; +files_type(dovecot_spool_t) + +type dovecot_tmp_t; +files_tmp_file(dovecot_tmp_t) + +# /var/lib/dovecot holds SSL parameters file +type dovecot_var_lib_t; +files_type(dovecot_var_lib_t) + +type dovecot_var_log_t; +logging_log_file(dovecot_var_log_t) + +type dovecot_var_run_t; +files_pid_file(dovecot_var_run_t) + +######################################## +# +# dovecot local policy +# + +allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot }; +dontaudit dovecot_t self:capability sys_tty_config; +allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched }; +allow dovecot_t self:fifo_file rw_fifo_file_perms; +allow dovecot_t self:tcp_socket create_stream_socket_perms; +allow dovecot_t self:unix_dgram_socket create_socket_perms; +allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto }; + +domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) + +allow dovecot_t dovecot_auth_t:process signal; + +allow 
dovecot_t dovecot_cert_t:dir list_dir_perms; +read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) +read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) + +allow dovecot_t dovecot_etc_t:dir list_dir_perms; +read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t) +files_search_etc(dovecot_t) + +can_exec(dovecot_t, dovecot_exec_t) + +manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) +manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) +files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir }) + +# Allow dovecot to create and read SSL parameters file +manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t) +files_search_var_lib(dovecot_t) +files_read_var_symlinks(dovecot_t) + +manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) +manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) +logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir }) + +manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) +manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) +manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) + +manage_dirs_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) +manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) +manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) +manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) +files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file }) + +kernel_read_kernel_sysctls(dovecot_t) +kernel_read_system_state(dovecot_t) + +corenet_all_recvfrom_unlabeled(dovecot_t) +corenet_all_recvfrom_netlabel(dovecot_t) +corenet_tcp_sendrecv_generic_if(dovecot_t) +corenet_tcp_sendrecv_generic_node(dovecot_t) +corenet_tcp_sendrecv_all_ports(dovecot_t) +corenet_tcp_bind_generic_node(dovecot_t) +corenet_tcp_bind_mail_port(dovecot_t) +corenet_tcp_bind_pop_port(dovecot_t) +corenet_tcp_connect_all_ports(dovecot_t) 
+corenet_tcp_connect_postgresql_port(dovecot_t) +corenet_sendrecv_pop_server_packets(dovecot_t) +corenet_sendrecv_all_client_packets(dovecot_t) + +dev_read_sysfs(dovecot_t) +dev_read_urand(dovecot_t) + +fs_getattr_all_fs(dovecot_t) +fs_getattr_all_dirs(dovecot_t) +fs_search_auto_mountpoints(dovecot_t) +fs_list_inotifyfs(dovecot_t) + +corecmd_exec_bin(dovecot_t) + +domain_use_interactive_fds(dovecot_t) + +files_read_etc_files(dovecot_t) +files_search_spool(dovecot_t) +files_search_tmp(dovecot_t) +files_dontaudit_list_default(dovecot_t) +# Dovecot now has quota support and it uses getmntent() to find the mountpoints. +files_read_etc_runtime_files(dovecot_t) +files_search_all_mountpoints(dovecot_t) + +init_getattr_utmp(dovecot_t) + +auth_use_nsswitch(dovecot_t) + +logging_send_syslog_msg(dovecot_t) + +miscfiles_read_generic_certs(dovecot_t) +miscfiles_read_localization(dovecot_t) + +userdom_dontaudit_use_unpriv_user_fds(dovecot_t) +userdom_manage_user_home_content_dirs(dovecot_t) +userdom_manage_user_home_content_files(dovecot_t) +userdom_manage_user_home_content_symlinks(dovecot_t) +userdom_manage_user_home_content_pipes(dovecot_t) +userdom_manage_user_home_content_sockets(dovecot_t) +userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file }) + +mta_manage_spool(dovecot_t) + +optional_policy(` + kerberos_keytab_template(dovecot, dovecot_t) +') + +optional_policy(` + postfix_manage_private_sockets(dovecot_t) + postfix_search_spool(dovecot_t) +') + +optional_policy(` + postgresql_stream_connect(dovecot_t) +') + +optional_policy(` + seutil_sigchld_newrole(dovecot_t) +') + +optional_policy(` + squid_dontaudit_search_cache(dovecot_t) +') + +optional_policy(` + udev_read_db(dovecot_t) +') + +######################################## +# +# dovecot auth local policy +# + +allow dovecot_auth_t self:capability { chown dac_override setgid setuid }; +allow dovecot_auth_t self:process { signal_perms getcap setcap }; +allow 
dovecot_auth_t self:fifo_file rw_fifo_file_perms; +allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; +allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; + +allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; + +read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) + +manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) +manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) +files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) + +allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; +manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) +dovecot_stream_connect_auth(dovecot_auth_t) + +kernel_read_all_sysctls(dovecot_auth_t) +kernel_read_system_state(dovecot_auth_t) + +logging_send_audit_msgs(dovecot_auth_t) +logging_send_syslog_msg(dovecot_auth_t) + +dev_read_urand(dovecot_auth_t) + +auth_domtrans_chk_passwd(dovecot_auth_t) +auth_use_nsswitch(dovecot_auth_t) + +files_read_etc_files(dovecot_auth_t) +files_read_etc_runtime_files(dovecot_auth_t) +files_search_pids(dovecot_auth_t) +files_read_usr_files(dovecot_auth_t) +files_read_usr_symlinks(dovecot_auth_t) +files_read_var_lib_files(dovecot_auth_t) +files_search_tmp(dovecot_auth_t) +files_read_var_lib_files(dovecot_t) + +init_rw_utmp(dovecot_auth_t) + +miscfiles_read_localization(dovecot_auth_t) + +seutil_dontaudit_search_config(dovecot_auth_t) + +optional_policy(` + kerberos_use(dovecot_auth_t) + + # for gssapi (kerberos) + userdom_list_user_tmp(dovecot_auth_t) + userdom_read_user_tmp_files(dovecot_auth_t) + userdom_read_user_tmp_symlinks(dovecot_auth_t) +') + +optional_policy(` + mysql_search_db(dovecot_auth_t) + mysql_stream_connect(dovecot_auth_t) +') + +optional_policy(` + nis_authenticate(dovecot_auth_t) +') + +optional_policy(` + postfix_manage_private_sockets(dovecot_auth_t) + postfix_search_spool(dovecot_auth_t) +') + 
+######################################## +# +# dovecot deliver local policy +# +allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; + +allow dovecot_deliver_t dovecot_t:process signull; + +read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) +allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; + +allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; + +append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) + +manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) +manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) +files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) + +can_exec(dovecot_deliver_t, dovecot_deliver_exec_t) + +kernel_read_all_sysctls(dovecot_deliver_t) +kernel_read_system_state(dovecot_deliver_t) + +corecmd_exec_bin(dovecot_deliver_t) + +files_read_etc_files(dovecot_deliver_t) +files_read_etc_runtime_files(dovecot_deliver_t) + +auth_use_nsswitch(dovecot_deliver_t) + +logging_send_syslog_msg(dovecot_deliver_t) +logging_append_all_logs(dovecot_deliver_t) + +miscfiles_read_localization(dovecot_deliver_t) + +dovecot_stream_connect_auth(dovecot_deliver_t) + +files_search_tmp(dovecot_deliver_t) + +fs_getattr_all_fs(dovecot_deliver_t) + +userdom_manage_user_home_content_dirs(dovecot_deliver_t) +userdom_manage_user_home_content_files(dovecot_deliver_t) +userdom_manage_user_home_content_symlinks(dovecot_deliver_t) +userdom_manage_user_home_content_pipes(dovecot_deliver_t) +userdom_manage_user_home_content_sockets(dovecot_deliver_t) +userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(dovecot_deliver_t) + fs_manage_nfs_files(dovecot_deliver_t) + fs_manage_nfs_symlinks(dovecot_deliver_t) + fs_manage_nfs_dirs(dovecot_t) + fs_manage_nfs_files(dovecot_t) + fs_manage_nfs_symlinks(dovecot_t) 
+') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(dovecot_deliver_t) + fs_manage_cifs_files(dovecot_deliver_t) + fs_manage_cifs_symlinks(dovecot_deliver_t) + fs_manage_cifs_dirs(dovecot_t) + fs_manage_cifs_files(dovecot_t) + fs_manage_cifs_symlinks(dovecot_t) +') + +optional_policy(` + mta_manage_spool(dovecot_deliver_t) + mta_read_queue(dovecot_deliver_t) +') diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc new file mode 100644 index 0000000..c2570df --- /dev/null +++ b/policy/modules/services/exim.fc @@ -0,0 +1,11 @@ + +/etc/rc\.d/init\.d/exim -- gen_context(system_u:object_r:exim_initrc_exec_t,s0) + +/usr/sbin/exim[0-9]? -- gen_context(system_u:object_r:exim_exec_t,s0) +/var/log/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_log_t,s0) +/var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0) +/var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0) + +ifdef(`distro_debian',` +/var/run/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0) +') diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if new file mode 100644 index 0000000..464669c --- /dev/null +++ b/policy/modules/services/exim.if 
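Review bot: a few placement and scope problems in the dovecot.te hunk. `files_read_var_lib_files(dovecot_t)` sits in the "dovecot auth local policy" section among the `dovecot_auth_t` rules and belongs in the main `dovecot_t` block; the `use_nfs_home_dirs` and `use_samba_home_dirs` tunables under the "dovecot deliver" heading also grant `fs_manage_*` rules to `dovecot_t`, which should live in its own section so the per-domain policy can be read top to bottom. `corenet_tcp_connect_all_ports(dovecot_t)` makes the `corenet_tcp_connect_postgresql_port` line right after it redundant and gives an IMAP/POP server outbound TCP to every port; if only the database and the auth back ends are needed, keep the specific port interfaces and drop the all-ports one. Finally `mta_manage_spool(dovecot_t)` is unconditional while the same call for `dovecot_deliver_t` is wrapped in `optional_policy`; both should be inside `optional_policy` since the mta module is not a hard dependency here.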
@@ -0,0 +1,257 @@ +## <summary>Exim mail transfer agent</summary> + +######################################## +## <summary> +## Execute a domain transition to run exim. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`exim_domtrans',` + gen_require(` + type exim_t, exim_exec_t; + ') + + domtrans_pattern($1, exim_exec_t, exim_t) +') + +######################################## +## <summary> +## Execute exim in the exim domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`exim_initrc_domtrans',` + gen_require(` + type exim_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, exim_initrc_exec_t) +') + +######################################## +## <summary> +## Do not audit attempts to read, +## exim tmp files +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`exim_dontaudit_read_tmp_files',` + gen_require(` + type exim_tmp_t; + ') + + dontaudit $1 exim_tmp_t:file read_file_perms; +') + +######################################## +## <summary> +## Allow domain to read, exim tmp files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`exim_read_tmp_files',` + gen_require(` + type exim_tmp_t; + ') + + allow $1 exim_tmp_t:file read_file_perms; + files_search_tmp($1) +') + +######################################## +## <summary> +## Read exim PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`exim_read_pid_files',` + gen_require(` + type exim_var_run_t; + ') + + allow $1 exim_var_run_t:file read_file_perms; + files_search_pids($1) +') + +######################################## +## <summary> +## Allow the specified domain to read exim's log files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`exim_read_log',` + gen_require(` + type exim_log_t; + ') + + read_files_pattern($1, exim_log_t, exim_log_t) + logging_search_logs($1) +') + +######################################## +## <summary> +## Allow the specified domain to append +## exim log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`exim_append_log',` + gen_require(` + type exim_log_t; + ') + + append_files_pattern($1, exim_log_t, exim_log_t) + logging_search_logs($1) +') + +######################################## +## <summary> +## Allow the specified domain to manage exim's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`exim_manage_log',` + gen_require(` + type exim_log_t; + ') + + manage_files_pattern($1, exim_log_t, exim_log_t) + logging_search_logs($1) +') + +######################################## +## <summary> +## Create, read, write, and delete +## exim spool dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`exim_manage_spool_dirs',` + gen_require(` + type exim_spool_t; + ') + + manage_dirs_pattern($1, exim_spool_t, exim_spool_t) + files_search_spool($1) +') + +######################################## +## <summary> +## Read exim spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`exim_read_spool_files',` + gen_require(` + type exim_spool_t; + ') + + allow $1 exim_spool_t:file read_file_perms; + allow $1 exim_spool_t:dir list_dir_perms; + files_search_spool($1) +') + +######################################## +## <summary> +## Create, read, write, and delete +## exim spool files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`exim_manage_spool_files',` + gen_require(` + type exim_spool_t; + ') + + manage_files_pattern($1, exim_spool_t, exim_spool_t) + files_search_spool($1) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an exim environment. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`exim_admin',` + gen_require(` + type exim_t, exim_initrc_exec_t, exim_log_t; + type exim_tmp_t, exim_spool_t, exim_var_run_t; + ') + + allow $1 exim_t:process { ptrace signal_perms }; + ps_process_pattern($1, exim_t) + + exim_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 exim_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + admin_pattern($1, exim_log_t) + + files_list_tmp($1) + admin_pattern($1, exim_tmp_t) + + files_list_spool($1) + admin_pattern($1, exim_spool_t) + + files_list_pids($1) + admin_pattern($1, exim_var_run_t) +') diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te new file mode 100644 index 0000000..18c3c33 --- /dev/null +++ b/policy/modules/services/exim.te 
@@ -0,0 +1,211 @@ +policy_module(exim, 1.5.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow exim to connect to databases (postgres, mysql) +## </p> +## </desc> +gen_tunable(exim_can_connect_db, false) + +## <desc> +## <p> +## Allow exim to read unprivileged user files. +## </p> +## </desc> +gen_tunable(exim_read_user_files, false) + +## <desc> +## <p> +## Allow exim to create, read, write, and delete +## unprivileged user files. +## </p> +## </desc> +gen_tunable(exim_manage_user_files, false) + +type exim_t; +type exim_exec_t; +init_daemon_domain(exim_t, exim_exec_t) +mta_mailserver(exim_t, exim_exec_t) +mta_mailserver_user_agent(exim_t) +application_executable_file(exim_exec_t) +mta_agent_executable(exim_exec_t) + +type exim_initrc_exec_t; +init_script_file(exim_initrc_exec_t) + +type exim_log_t; +logging_log_file(exim_log_t) + +type exim_spool_t; +files_type(exim_spool_t) + +type exim_tmp_t; +files_tmp_file(exim_tmp_t) + +type exim_var_run_t; +files_pid_file(exim_var_run_t) + +######################################## +# +# exim local policy +# + +allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource }; +allow exim_t self:process { setrlimit setpgid }; +allow exim_t self:fifo_file rw_fifo_file_perms; +allow exim_t self:unix_stream_socket create_stream_socket_perms; +allow exim_t self:tcp_socket create_stream_socket_perms; +allow exim_t self:udp_socket create_socket_perms; + +can_exec(exim_t, exim_exec_t) + +manage_files_pattern(exim_t, exim_log_t, exim_log_t) +logging_log_filetrans(exim_t, exim_log_t, { file dir }) + +manage_dirs_pattern(exim_t, exim_spool_t, exim_spool_t) +manage_files_pattern(exim_t, exim_spool_t, exim_spool_t) +manage_sock_files_pattern(exim_t, exim_spool_t, exim_spool_t) +files_spool_filetrans(exim_t, exim_spool_t, { file dir sock_file }) + +manage_dirs_pattern(exim_t, exim_tmp_t, exim_tmp_t) +manage_files_pattern(exim_t, exim_tmp_t, exim_tmp_t) 
+files_tmp_filetrans(exim_t, exim_tmp_t, { file dir }) + +manage_dirs_pattern(exim_t, exim_var_run_t, exim_var_run_t) +manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t) +files_pid_filetrans(exim_t, exim_var_run_t, { file dir }) + +kernel_read_kernel_sysctls(exim_t) +kernel_read_network_state(exim_t) +kernel_dontaudit_read_system_state(exim_t) + +corecmd_search_bin(exim_t) + +corenet_all_recvfrom_unlabeled(exim_t) +corenet_all_recvfrom_netlabel(exim_t) +corenet_tcp_sendrecv_generic_if(exim_t) +corenet_udp_sendrecv_generic_if(exim_t) +corenet_tcp_sendrecv_generic_node(exim_t) +corenet_udp_sendrecv_generic_node(exim_t) +corenet_tcp_sendrecv_all_ports(exim_t) +corenet_tcp_bind_generic_node(exim_t) +corenet_tcp_bind_smtp_port(exim_t) +corenet_tcp_bind_amavisd_send_port(exim_t) +corenet_tcp_connect_auth_port(exim_t) +corenet_tcp_connect_smtp_port(exim_t) +corenet_tcp_connect_ldap_port(exim_t) +corenet_tcp_connect_inetd_child_port(exim_t) +# connect to spamassassin +corenet_tcp_connect_spamd_port(exim_t) + +dev_read_rand(exim_t) +dev_read_urand(exim_t) + +# Init script handling +domain_use_interactive_fds(exim_t) + +files_search_usr(exim_t) +files_search_var(exim_t) +files_read_etc_files(exim_t) +files_read_etc_runtime_files(exim_t) +files_getattr_all_mountpoints(exim_t) + +fs_getattr_xattr_fs(exim_t) +fs_list_inotifyfs(exim_t) + +auth_use_nsswitch(exim_t) + +logging_send_syslog_msg(exim_t) + +miscfiles_read_localization(exim_t) +miscfiles_read_generic_certs(exim_t) + +userdom_dontaudit_search_user_home_dirs(exim_t) + +mta_read_aliases(exim_t) +mta_read_config(exim_t) +mta_manage_spool(exim_t) +mta_mailserver_delivery(exim_t) + +tunable_policy(`exim_can_connect_db',` + corenet_tcp_connect_mysqld_port(exim_t) + corenet_sendrecv_mysqld_client_packets(exim_t) + corenet_tcp_connect_postgresql_port(exim_t) + corenet_sendrecv_postgresql_client_packets(exim_t) +') + +tunable_policy(`exim_read_user_files',` + userdom_read_user_home_content_files(exim_t) + 
userdom_read_user_tmp_files(exim_t) +') + +tunable_policy(`exim_manage_user_files',` + userdom_manage_user_home_content_dirs(exim_t) + userdom_read_user_tmp_files(exim_t) + userdom_write_user_tmp_files(exim_t) +') + +optional_policy(` + clamav_domtrans_clamscan(exim_t) + clamav_stream_connect(exim_t) +') + +optional_policy(` + cron_read_pipes(exim_t) + cron_rw_system_job_pipes(exim_t) +') + +optional_policy(` + cyrus_stream_connect(exim_t) +') + +optional_policy(` + kerberos_keytab_template(exim, exim_t) +') + +optional_policy(` + mailman_read_data_files(exim_t) + mailman_domtrans(exim_t) +') + +optional_policy(` + nagios_search_spool(exim_t) +') + +optional_policy(` + tunable_policy(`exim_can_connect_db',` + mysql_stream_connect(exim_t) + ') +') + +optional_policy(` + tunable_policy(`exim_can_connect_db',` + postgresql_stream_connect(exim_t) + ') +') + +optional_policy(` + procmail_domtrans(exim_t) + procmail_read_home_files(exim_t) +') + +optional_policy(` + sasl_connect(exim_t) +') + +optional_policy(` + # https://bugzilla.redhat.com/show_bug.cgi?id=512710 + # uses sendmail for outgoing mail and exim + # for incoming mail + sendmail_manage_tmp_files(exim_t) +') + +optional_policy(` + spamassassin_exec(exim_t) + spamassassin_exec_client(exim_t) +') diff --git a/policy/modules/services/fail2ban.fc b/policy/modules/services/fail2ban.fc new file mode 100644 index 0000000..0de2b83 --- /dev/null +++ b/policy/modules/services/fail2ban.fc @@ -0,0 +1,8 @@ +/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0) + +/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) +/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) + +/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0) +/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0) +/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0) 
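Review bot: the summary on `exim_initrc_domtrans` in exim.if ("Execute exim in the exim domain.") is the description of `exim_domtrans`, not of this interface, which runs the init script via `init_labeled_script_domtrans($1, exim_initrc_exec_t)`; the generated interface docs are what policy writers pick from, so it should say something like "Execute exim server in the exim domain." In the same file, `exim_admin` is missing the `<rolecap/>` tag that `fail2ban_admin` and `fetchmail_admin` carry in this series, and the summary on `exim_dontaudit_read_tmp_files` has a stray comma ("Do not audit attempts to read, exim tmp files").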
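Review bot: the `exim_manage_user_files` block in exim.te does not deliver what its tunable description promises. The `<desc>` says "Allow exim to create, read, write, and delete unprivileged user files", but the block only calls `userdom_manage_user_home_content_dirs(exim_t)` plus `userdom_read_user_tmp_files` and `userdom_write_user_tmp_files`; there is no rule on home content files, so enabling the boolean lets exim create and remove directories in home content but not manage the files themselves. Either add `userdom_manage_user_home_content_files(exim_t)` or reword the description to match the rules. Also worth a one-line comment: `exim_read_user_files` grants read on all user home content, which is the usual trade-off for `.forward`-style handling but should be stated so admins know what the boolean exposes.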
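Review bot: two regexes in fail2ban.fc are looser or tighter than the rest of the series. `/var/run/fail2ban.*` has no path separator after the name, so any `/var/run/fail2ban*` entry, not just the socket/pid directory, gets `fail2ban_var_run_t`; `/var/run/fail2ban(/.*)?` is the form used elsewhere (compare `/var/lib/fail2ban(/.*)?` two lines above). Conversely `/var/log/fail2ban\.log --` matches only the live log, so rotated copies such as `fail2ban.log.1` are not covered, unlike `/var/log/xferlog.*` in ftp.fc and `/var/log/cfingerd\.log.*` in finger.fc; `/var/log/fail2ban\.log.* --` would be consistent.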
diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if new file mode 100644 index 0000000..87f6bfb --- /dev/null +++ b/policy/modules/services/fail2ban.if 
@@ -0,0 +1,195 @@ +## <summary>Update firewall filtering to ban IP addresses with too many password failures.</summary> + +######################################## +## <summary> +## Execute a domain transition to run fail2ban. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`fail2ban_domtrans',` + gen_require(` + type fail2ban_t, fail2ban_exec_t; + ') + + domtrans_pattern($1, fail2ban_exec_t, fail2ban_t) +') + +##################################### +## <summary> +## Connect to fail2ban over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fail2ban_stream_connect',` + gen_require(` + type fail2ban_t, fail2ban_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) +') + +######################################## +## <summary> +## Read and write to an fail2ban unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fail2ban_rw_stream_sockets',` + gen_require(` + type fail2ban_t; + ') + + allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms; +') + +######################################## +## <summary> +## Read fail2ban lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fail2ban_read_lib_files',` + gen_require(` + type fail2ban_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 fail2ban_var_lib_t:file read_file_perms; +') + +######################################## +## <summary> +## Allow the specified domain to read fail2ban's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`fail2ban_read_log',` + gen_require(` + type fail2ban_log_t; + ') + + logging_search_logs($1) + allow $1 fail2ban_log_t:dir list_dir_perms; + allow $1 fail2ban_log_t:file read_file_perms; +') + +######################################## +## <summary> +## Allow the specified domain to append +## fail2ban log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fail2ban_append_log',` + gen_require(` + type fail2ban_log_t; + ') + + logging_search_logs($1) + allow $1 fail2ban_log_t:dir list_dir_perms; + allow $1 fail2ban_log_t:file append_file_perms; +') + +######################################## +## <summary> +## Read fail2ban PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fail2ban_read_pid_files',` + gen_require(` + type fail2ban_var_run_t; + ') + + files_search_pids($1) + allow $1 fail2ban_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## dontaudit read and write an leaked file descriptors +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fail2ban_dontaudit_leaks',` + gen_require(` + type fail2ban_t; + ') + + dontaudit $1 fail2ban_t:tcp_socket { read write }; + dontaudit $1 fail2ban_t:unix_dgram_socket { read write }; + dontaudit $1 fail2ban_t:unix_stream_socket { read write }; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an fail2ban environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the fail2ban domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`fail2ban_admin',` + gen_require(` + type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t; + type fail2ban_var_run_t; + ') + + allow $1 fail2ban_t:process { ptrace signal_perms }; + ps_process_pattern($1, fail2ban_t) + + init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 fail2ban_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + admin_pattern($1, fail2ban_log_t) + + files_list_pids($1) + admin_pattern($1, fail2ban_var_run_t) +') diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te new file mode 100644 index 0000000..0a4216c --- /dev/null +++ b/policy/modules/services/fail2ban.te 
@@ -0,0 +1,102 @@ +policy_module(fail2ban, 1.4.0) + +######################################## +# +# Declarations +# + +type fail2ban_t; +type fail2ban_exec_t; +init_daemon_domain(fail2ban_t, fail2ban_exec_t) + +type fail2ban_initrc_exec_t; +init_script_file(fail2ban_initrc_exec_t) + +# log files +type fail2ban_log_t; +logging_log_file(fail2ban_log_t) + +type fail2ban_var_lib_t; +files_type(fail2ban_var_lib_t) + +# pid files +type fail2ban_var_run_t; +files_pid_file(fail2ban_var_run_t) + +######################################## +# +# fail2ban local policy +# + +allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config }; +allow fail2ban_t self:process signal; +allow fail2ban_t self:fifo_file rw_fifo_file_perms; +allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow fail2ban_t self:unix_dgram_socket create_socket_perms; +allow fail2ban_t self:tcp_socket create_stream_socket_perms; + +# log files +allow fail2ban_t fail2ban_log_t:dir setattr_dir_perms; +manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) +logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) + +manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t) +manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t) +files_var_lib_filetrans(fail2ban_t, fail2ban_var_lib_t, { dir file }) + +# pid file +manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) +manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) +manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) +files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file }) + +kernel_read_system_state(fail2ban_t) + +corecmd_exec_bin(fail2ban_t) +corecmd_exec_shell(fail2ban_t) + +corenet_all_recvfrom_unlabeled(fail2ban_t) +corenet_all_recvfrom_netlabel(fail2ban_t) +corenet_tcp_sendrecv_generic_if(fail2ban_t) +corenet_tcp_sendrecv_generic_node(fail2ban_t) 
+corenet_tcp_sendrecv_all_ports(fail2ban_t) +corenet_tcp_connect_whois_port(fail2ban_t) +corenet_sendrecv_whois_client_packets(fail2ban_t) + +dev_read_urand(fail2ban_t) + +domain_use_interactive_fds(fail2ban_t) + +files_read_etc_files(fail2ban_t) +files_read_etc_runtime_files(fail2ban_t) +files_read_usr_files(fail2ban_t) +files_list_var(fail2ban_t) +files_search_var_lib(fail2ban_t) + +fs_list_inotifyfs(fail2ban_t) +fs_getattr_all_fs(fail2ban_t) + +auth_use_nsswitch(fail2ban_t) + +logging_read_all_logs(fail2ban_t) +logging_send_syslog_msg(fail2ban_t) + +miscfiles_read_localization(fail2ban_t) + +mta_send_mail(fail2ban_t) + +optional_policy(` + apache_read_log(fail2ban_t) +') + +optional_policy(` + ftp_read_log(fail2ban_t) +') + +optional_policy(` + gnome_dontaudit_search_config(fail2ban_t) +') + +optional_policy(` + iptables_domtrans(fail2ban_t) +') diff --git a/policy/modules/services/fetchmail.fc b/policy/modules/services/fetchmail.fc new file mode 100644 index 0000000..455c620 --- /dev/null +++ b/policy/modules/services/fetchmail.fc @@ -0,0 +1,19 @@ + +# +# /etc +# + +/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0) + +# +# /usr +# + +/usr/bin/fetchmail -- gen_context(system_u:object_r:fetchmail_exec_t,s0) + +# +# /var +# + +/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0) +/var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0) diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if new file mode 100644 index 0000000..7d64c0a --- /dev/null +++ b/policy/modules/services/fetchmail.if 
@@ -0,0 +1,31 @@ +## <summary>Remote-mail retrieval and forwarding utility</summary> + +######################################## +## <summary> +## All of the rules required to administrate +## an fetchmail environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fetchmail_admin',` + gen_require(` + type fetchmail_t, fetchmail_etc_t, fetchmail_uidl_cache_t; + type fetchmail_var_run_t; + ') + + allow $1 fetchmail_t:process { ptrace signal_perms }; + ps_process_pattern($1, fetchmail_t) + + files_list_etc($1) + admin_pattern($1, fetchmail_etc_t) + + admin_pattern($1, fetchmail_uidl_cache_t) + + files_list_pids($1) + admin_pattern($1, fetchmail_var_run_t) +') diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te new file mode 100644 index 0000000..870d101 --- /dev/null +++ b/policy/modules/services/fetchmail.te 
@@ -0,0 +1,104 @@ +policy_module(fetchmail, 1.10.1) + +######################################## +# +# Declarations +# + +type fetchmail_t; +type fetchmail_exec_t; +init_daemon_domain(fetchmail_t, fetchmail_exec_t) +application_executable_file(fetchmail_exec_t) + +type fetchmail_var_run_t; +files_pid_file(fetchmail_var_run_t) + +type fetchmail_etc_t; +files_config_file(fetchmail_etc_t) + +type fetchmail_uidl_cache_t; +files_type(fetchmail_uidl_cache_t) + +######################################## +# +# Local policy +# + +dontaudit fetchmail_t self:capability sys_tty_config; +allow fetchmail_t self:process { signal_perms setrlimit }; +allow fetchmail_t self:unix_dgram_socket create_socket_perms; +allow fetchmail_t self:unix_stream_socket create_stream_socket_perms; +allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms; +allow fetchmail_t self:tcp_socket create_socket_perms; +allow fetchmail_t self:udp_socket create_socket_perms; + +allow fetchmail_t fetchmail_etc_t:file read_file_perms; + +allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms; +mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file) + +manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) +manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) +files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file }) + +kernel_read_kernel_sysctls(fetchmail_t) +kernel_list_proc(fetchmail_t) +kernel_getattr_proc_files(fetchmail_t) +kernel_read_proc_symlinks(fetchmail_t) +kernel_dontaudit_read_system_state(fetchmail_t) + +#looks like it uses system command - calls uname +corecmd_exec_bin(fetchmail_t) +corecmd_exec_shell(fetchmail_t) + +corenet_all_recvfrom_unlabeled(fetchmail_t) +corenet_all_recvfrom_netlabel(fetchmail_t) +corenet_tcp_sendrecv_generic_if(fetchmail_t) +corenet_udp_sendrecv_generic_if(fetchmail_t) +corenet_tcp_sendrecv_generic_node(fetchmail_t) +corenet_udp_sendrecv_generic_node(fetchmail_t) 
+corenet_tcp_sendrecv_dns_port(fetchmail_t) +corenet_udp_sendrecv_dns_port(fetchmail_t) +corenet_tcp_sendrecv_pop_port(fetchmail_t) +corenet_tcp_sendrecv_smtp_port(fetchmail_t) +corenet_tcp_connect_all_ports(fetchmail_t) +corenet_sendrecv_all_client_packets(fetchmail_t) + +dev_read_sysfs(fetchmail_t) +dev_read_rand(fetchmail_t) +dev_read_urand(fetchmail_t) + +files_read_etc_files(fetchmail_t) +files_read_etc_runtime_files(fetchmail_t) +files_dontaudit_search_home(fetchmail_t) + +fs_getattr_all_fs(fetchmail_t) +fs_search_auto_mountpoints(fetchmail_t) + +domain_use_interactive_fds(fetchmail_t) + +logging_send_syslog_msg(fetchmail_t) + +miscfiles_read_localization(fetchmail_t) +miscfiles_read_generic_certs(fetchmail_t) + +sysnet_read_config(fetchmail_t) + +userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) +userdom_dontaudit_search_user_home_dirs(fetchmail_t) + +optional_policy(` + procmail_domtrans(fetchmail_t) +') + +optional_policy(` + sendmail_manage_log(fetchmail_t) +') + +optional_policy(` + seutil_sigchld_newrole(fetchmail_t) +') + +optional_policy(` + udev_read_db(fetchmail_t) +') diff --git a/policy/modules/services/finger.fc b/policy/modules/services/finger.fc new file mode 100644 index 0000000..c861192 --- /dev/null +++ b/policy/modules/services/finger.fc @@ -0,0 +1,19 @@ +# fingerd + +# +# /etc +# +/etc/cfingerd(/.*)? gen_context(system_u:object_r:fingerd_etc_t,s0) + +/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0) + +# +# /usr +# +/usr/sbin/in\.fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0) +/usr/sbin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0) + +# +# /var +# +/var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0) diff --git a/policy/modules/services/finger.if b/policy/modules/services/finger.if new file mode 100644 index 0000000..b5dd671 --- /dev/null +++ b/policy/modules/services/finger.if 
@@ -0,0 +1,33 @@ +## <summary>Finger user information service.</summary> + +######################################## +## <summary> +## Execute fingerd in the fingerd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`finger_domtrans',` + gen_require(` + type fingerd_t, fingerd_exec_t; + ') + + domtrans_pattern($1, fingerd_exec_t, fingerd_t) +') + +######################################## +## <summary> +## Allow the specified domain to connect to fingerd with a tcp socket. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`finger_tcp_connect',` + refpolicywarn(`$0($*) has been deprecated.') +') diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te new file mode 100644 index 0000000..9b7036a --- /dev/null +++ b/policy/modules/services/finger.te 
@@ -0,0 +1,121 @@ +policy_module(finger, 1.9.0) + +######################################## +# +# Declarations +# + +type fingerd_t; +type fingerd_exec_t; +init_daemon_domain(fingerd_t, fingerd_exec_t) +inetd_tcp_service_domain(fingerd_t, fingerd_exec_t) + +type fingerd_etc_t; +files_config_file(fingerd_etc_t) + +type fingerd_log_t; +logging_log_file(fingerd_log_t) + +type fingerd_var_run_t; +files_pid_file(fingerd_var_run_t) + +######################################## +# +# Local policy +# + +allow fingerd_t self:capability { setgid setuid }; +dontaudit fingerd_t self:capability { sys_tty_config fsetid }; +allow fingerd_t self:process signal_perms; +allow fingerd_t self:fifo_file rw_fifo_file_perms; +allow fingerd_t self:tcp_socket connected_stream_socket_perms; +allow fingerd_t self:udp_socket create_socket_perms; +allow fingerd_t self:unix_dgram_socket create_socket_perms; +allow fingerd_t self:unix_stream_socket create_socket_perms; + +manage_files_pattern(fingerd_t, fingerd_var_run_t, fingerd_var_run_t) +files_pid_filetrans(fingerd_t, fingerd_var_run_t, file) + +allow fingerd_t fingerd_etc_t:dir list_dir_perms; +read_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t) +read_lnk_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t) + +allow fingerd_t fingerd_log_t:file manage_file_perms; +logging_log_filetrans(fingerd_t, fingerd_log_t, file) + +kernel_read_kernel_sysctls(fingerd_t) +kernel_read_system_state(fingerd_t) + +corenet_all_recvfrom_unlabeled(fingerd_t) +corenet_all_recvfrom_netlabel(fingerd_t) +corenet_tcp_sendrecv_generic_if(fingerd_t) +corenet_udp_sendrecv_generic_if(fingerd_t) +corenet_tcp_sendrecv_generic_node(fingerd_t) +corenet_udp_sendrecv_generic_node(fingerd_t) +corenet_tcp_sendrecv_all_ports(fingerd_t) +corenet_udp_sendrecv_all_ports(fingerd_t) +corenet_tcp_bind_generic_node(fingerd_t) +corenet_tcp_bind_fingerd_port(fingerd_t) + +dev_read_sysfs(fingerd_t) + +fs_getattr_all_fs(fingerd_t) +fs_search_auto_mountpoints(fingerd_t) + 
+term_getattr_all_ttys(fingerd_t) +term_getattr_all_ptys(fingerd_t) + +auth_read_lastlog(fingerd_t) + +corecmd_exec_bin(fingerd_t) +corecmd_exec_shell(fingerd_t) + +domain_use_interactive_fds(fingerd_t) + +files_search_home(fingerd_t) +files_read_etc_files(fingerd_t) +files_read_etc_runtime_files(fingerd_t) + +init_read_utmp(fingerd_t) +init_dontaudit_write_utmp(fingerd_t) + +logging_send_syslog_msg(fingerd_t) + +mta_getattr_spool(fingerd_t) + +sysnet_read_config(fingerd_t) + +miscfiles_read_localization(fingerd_t) + +# stop it accessing sub-directories, prevents checking a Maildir for new mail, +# have to change this when we create a type for Maildir +userdom_read_user_home_content_files(fingerd_t) +userdom_dontaudit_use_unpriv_user_fds(fingerd_t) + +optional_policy(` + cron_system_entry(fingerd_t, fingerd_exec_t) +') + +optional_policy(` + logrotate_exec(fingerd_t) +') + +optional_policy(` + nis_use_ypbind(fingerd_t) +') + +optional_policy(` + nscd_socket_use(fingerd_t) +') + +optional_policy(` + seutil_sigchld_newrole(fingerd_t) +') + +optional_policy(` + tcpd_wrapped_domain(fingerd_t, fingerd_exec_t) +') + +optional_policy(` + udev_read_db(fingerd_t) +') diff --git a/policy/modules/services/fprintd.fc b/policy/modules/services/fprintd.fc new file mode 100644 index 0000000..a4f5fb1 --- /dev/null +++ b/policy/modules/services/fprintd.fc @@ -0,0 +1,2 @@ +/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0) +/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0) diff --git a/policy/modules/services/fprintd.if b/policy/modules/services/fprintd.if new file mode 100644 index 0000000..c02062c --- /dev/null +++ b/policy/modules/services/fprintd.if 
@@ -0,0 +1,40 @@ +## <summary>DBus fingerprint reader service</summary> + +######################################## +## <summary> +## Execute a domain transition to run fprintd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`fprintd_domtrans',` + gen_require(` + type fprintd_t, fprintd_exec_t; + ') + + domtrans_pattern($1, fprintd_exec_t, fprintd_t) +') + +######################################## +## <summary> +## Send and receive messages from +## fprintd over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fprintd_dbus_chat',` + gen_require(` + type fprintd_t; + class dbus send_msg; + ') + + allow $1 fprintd_t:dbus send_msg; + allow fprintd_t $1:dbus send_msg; +') diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te new file mode 100644 index 0000000..899feaf --- /dev/null +++ b/policy/modules/services/fprintd.te 
@@ -0,0 +1,58 @@ +policy_module(fprintd, 1.1.0) + +######################################## +# +# Declarations +# + +type fprintd_t; +type fprintd_exec_t; +dbus_system_domain(fprintd_t, fprintd_exec_t) + +type fprintd_var_lib_t; +files_type(fprintd_var_lib_t) + +######################################## +# +# Local policy +# + +allow fprintd_t self:capability { sys_nice sys_ptrace }; +allow fprintd_t self:fifo_file rw_fifo_file_perms; +allow fprintd_t self:process { getsched setsched signal }; + +manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) +manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) +files_var_lib_filetrans(fprintd_t, fprintd_var_lib_t, { dir file }) + +kernel_read_system_state(fprintd_t) + +corecmd_search_bin(fprintd_t) + +dev_list_usbfs(fprintd_t) +dev_rw_generic_usb_dev(fprintd_t) +dev_read_sysfs(fprintd_t) + +files_read_etc_files(fprintd_t) +files_read_usr_files(fprintd_t) + +fs_getattr_all_fs(fprintd_t) + +auth_use_nsswitch(fprintd_t) + +miscfiles_read_localization(fprintd_t) + +userdom_use_user_ptys(fprintd_t) +userdom_read_all_users_state(fprintd_t) + +optional_policy(` + consolekit_dbus_chat(fprintd_t) +') + +optional_policy(` + policykit_read_reload(fprintd_t) + policykit_read_lib(fprintd_t) + policykit_dbus_chat(fprintd_t) + policykit_domtrans_auth(fprintd_t) + policykit_dbus_chat_auth(fprintd_t) +') diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc new file mode 100644 index 0000000..a9a9116 --- /dev/null +++ b/policy/modules/services/ftp.fc 
@@ -0,0 +1,32 @@ +# +# /etc +# +/etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0) +/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) +/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) + +# +# /usr +# +/usr/bin/ftpdctl -- gen_context(system_u:object_r:ftpdctl_exec_t,s0) + +/usr/kerberos/sbin/ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) + +/usr/sbin/ftpwho -- gen_context(system_u:object_r:ftpd_exec_t,s0) +/usr/sbin/in\.ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) +/usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) +/usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) +/usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) + +# +# /var +# +/var/run/proftpd.* gen_context(system_u:object_r:ftpd_var_run_t,s0) + +/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) +/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) +/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) +/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0) +/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) +/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0) diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if new file mode 100644 index 0000000..26cc64b --- /dev/null +++ b/policy/modules/services/ftp.if 
@@ -0,0 +1,186 @@ +## <summary>File transfer protocol service</summary> + +####################################### +## <summary> +## Allow domain dyntransition to sftpd_anon domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ftp_dyntrans_anon_sftpd',` + gen_require(` + type anon_sftpd_t; + ') + + dyntrans_pattern($1, anon_sftpd_t); +') + +######################################## +## <summary> +## Use ftp by connecting over TCP. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ftp_tcp_connect',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Read ftpd etc files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ftp_read_config',` + gen_require(` + type ftpd_etc_t; + ') + + files_search_etc($1) + allow $1 ftpd_etc_t:file read_file_perms; +') + +######################################## +## <summary> +## Read FTP transfer logs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ftp_read_log',` + gen_require(` + type xferlog_t; + ') + + logging_search_logs($1) + allow $1 xferlog_t:file read_file_perms; +') + +######################################## +## <summary> +## Execute the ftpdctl program in the ftpdctl domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ftp_domtrans_ftpdctl',` + gen_require(` + type ftpdctl_t, ftpdctl_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, ftpdctl_exec_t, ftpdctl_t) +') + +######################################## +## <summary> +## Execute the ftpdctl program in the ftpdctl domain. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the ftpdctl domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`ftp_run_ftpdctl',` + gen_require(` + type ftpdctl_t; + ') + + ftp_domtrans_ftpdctl($1) + role $2 types ftpdctl_t; +') + +####################################### +## <summary> +## Allow domain dyntransition to sftpd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ftp_dyntrans_sftpd',` + gen_require(` + type sftpd_t; + ') + + dyntrans_pattern($1, sftpd_t); +') + +######################################## +## <summary> +## All of the rules required to administrate +## an ftp environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the ftp domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`ftp_admin',` + gen_require(` + type ftpd_t, ftpdctl_t, ftpd_tmp_t; + type ftpd_etc_t, ftpd_lock_t, ftpd_initrc_exec_t; + type ftpd_var_run_t, xferlog_t; + ') + + allow $1 ftpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, ftpd_t) + + init_labeled_script_domtrans($1, ftpd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 ftpd_initrc_exec_t system_r; + allow $2 system_r; + + ps_process_pattern($1, ftpdctl_t) + ftp_run_ftpdctl($1, $2) + + miscfiles_manage_public_files($1) + + files_list_tmp($1) + admin_pattern($1, ftpd_tmp_t) + + files_list_etc($1) + admin_pattern($1, ftpd_etc_t) + + files_list_var($1) + admin_pattern($1, ftpd_lock_t) + + files_list_pids($1) + admin_pattern($1, ftpd_var_run_t) + + logging_list_logs($1) + admin_pattern($1, xferlog_t) +') 
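Review bot: the summary of `ftp_run_ftpdctl` is a verbatim copy of the one on `ftp_domtrans_ftpdctl` ("Execute the ftpdctl program in the ftpdctl domain.") and does not mention the role grant; reword it to something like "Execute the ftpdctl program in the ftpdctl domain, and allow the specified role the ftpdctl domain." `ftp_admin` applies `admin_pattern` to `ftpd_tmp_t`, `ftpd_etc_t`, `ftpd_lock_t`, `ftpd_var_run_t` and `xferlog_t` but not to `ftpd_tmpfs_t` or `ftpdctl_tmp_t`, both declared in ftp.te by this same patch, so an administrator cannot clean up those objects; add them to the `gen_require` and the `admin_pattern` list. Style point: `dyntrans_pattern($1, anon_sftpd_t);` and `dyntrans_pattern($1, sftpd_t);` end with a semicolon, unlike every other macro call in the file; drop it.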
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te new file mode 100644 index 0000000..2284f4e --- /dev/null +++ b/policy/modules/services/ftp.te 
@@ -0,0 +1,464 @@ +policy_module(ftp, 1.12.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow ftp servers to upload files, used for public file +## transfer services. Directories must be labeled +## public_content_rw_t. +## </p> +## </desc> +gen_tunable(allow_ftpd_anon_write, false) + +## <desc> +## <p> +## Allow ftp servers to login to local users and +## read/write all files on the system, governed by DAC. +## </p> +## </desc> +gen_tunable(allow_ftpd_full_access, false) + +## <desc> +## <p> +## Allow ftp servers to use cifs +## used for public file transfer services. +## </p> +## </desc> +gen_tunable(allow_ftpd_use_cifs, false) + +## <desc> +## <p> +## Allow ftp servers to use nfs +## used for public file transfer services. +## </p> +## </desc> +gen_tunable(allow_ftpd_use_nfs, false) + +## <desc> +## <p> +## Allow ftp servers to use connect to mysql database +## </p> +## </desc> +gen_tunable(ftpd_connect_db, false) + +## <desc> +## <p> +## Allow ftp to read and write files in the user home directories +## </p> +## </desc> +gen_tunable(ftp_home_dir, false) + +## <desc> +## <p> +## Allow anon internal-sftp to upload files, used for +## public file transfer services. Directories must be labeled +## public_content_rw_t. +## </p> +## </desc> +gen_tunable(sftpd_anon_write, false) + +## <desc> +## <p> +## Allow sftp-internal to read and write files +## in the user home directories +## </p> +## </desc> +gen_tunable(sftpd_enable_homedirs, false) + +## <desc> +## <p> +## Allow sftp-internal to login to local users and +## read/write all files on the system, governed by DAC. +## </p> +## </desc> +gen_tunable(sftpd_full_access, false) + +## <desc> +## <p> +## Allow interlnal-sftp to read and write files +## in the user ssh home directories. 
+## </p> +## </desc> +gen_tunable(sftpd_write_ssh_home, false) + +type anon_sftpd_t; +typealias anon_sftpd_t alias sftpd_anon_t; +domain_type(anon_sftpd_t) +role system_r types anon_sftpd_t; + +type ftpd_t; +type ftpd_exec_t; +init_daemon_domain(ftpd_t, ftpd_exec_t) + +type ftpd_etc_t; +files_config_file(ftpd_etc_t) + +type ftpd_initrc_exec_t; +init_script_file(ftpd_initrc_exec_t) + +type ftpd_lock_t; +files_lock_file(ftpd_lock_t) + +type ftpd_tmp_t; +files_tmp_file(ftpd_tmp_t) + +type ftpd_tmpfs_t; +files_tmpfs_file(ftpd_tmpfs_t) + +type ftpd_var_run_t; +files_pid_file(ftpd_var_run_t) + +type ftpdctl_t; +type ftpdctl_exec_t; +init_system_domain(ftpdctl_t, ftpdctl_exec_t) + +type ftpdctl_tmp_t; +files_tmp_file(ftpdctl_tmp_t) + +type sftpd_t; +domain_type(sftpd_t) +role system_r types sftpd_t; + +type xferlog_t; +logging_log_file(xferlog_t) + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh) +') + +ifdef(`enable_mls',` + init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh) +') + +######################################## +# +# anon-sftp local policy +# + +files_read_etc_files(anon_sftpd_t) + +miscfiles_read_public_files(anon_sftpd_t) + +tunable_policy(`sftpd_anon_write',` + miscfiles_manage_public_files(anon_sftpd_t) +') + +######################################## +# +# ftpd local policy +# + +allow ftpd_t self:capability { chown fowner fsetid ipc_lock setgid setuid sys_chroot sys_admin sys_nice sys_resource }; +dontaudit ftpd_t self:capability sys_tty_config; +allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms }; +allow ftpd_t self:fifo_file rw_fifo_file_perms; +allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms }; +allow ftpd_t self:unix_stream_socket create_stream_socket_perms; +allow ftpd_t self:tcp_socket create_stream_socket_perms; +allow ftpd_t self:udp_socket create_socket_perms; +allow ftpd_t self:shm create_shm_perms; +allow ftpd_t self:key manage_key_perms; + 
+allow ftpd_t ftpd_etc_t:file read_file_perms; + +allow ftpd_t ftpd_lock_t:file manage_file_perms; +files_lock_filetrans(ftpd_t, ftpd_lock_t, file) + +manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) +manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) + +manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) +manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) +manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) +manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) +manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) +fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) +manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) +manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t) +files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) + +# proftpd requires the client side to bind a socket so that +# it can stat the socket to perform access control decisions, +# since getsockopt with SO_PEERCRED is not available on all +# proftpd-supported OSs +allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms; + +# Create and modify /var/log/xferlog. 
+manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) +logging_log_filetrans(ftpd_t, xferlog_t, file) + +kernel_read_kernel_sysctls(ftpd_t) +kernel_read_system_state(ftpd_t) +kernel_search_network_state(ftpd_t) + +dev_read_sysfs(ftpd_t) +dev_read_urand(ftpd_t) + +corecmd_exec_bin(ftpd_t) + +corenet_all_recvfrom_unlabeled(ftpd_t) +corenet_all_recvfrom_netlabel(ftpd_t) +corenet_tcp_sendrecv_generic_if(ftpd_t) +corenet_udp_sendrecv_generic_if(ftpd_t) +corenet_tcp_sendrecv_generic_node(ftpd_t) +corenet_udp_sendrecv_generic_node(ftpd_t) +corenet_tcp_sendrecv_all_ports(ftpd_t) +corenet_udp_sendrecv_all_ports(ftpd_t) +corenet_tcp_bind_generic_node(ftpd_t) +corenet_tcp_bind_ftp_port(ftpd_t) +corenet_tcp_bind_ftp_data_port(ftpd_t) +corenet_tcp_bind_generic_port(ftpd_t) +corenet_tcp_bind_all_unreserved_ports(ftpd_t) +corenet_dontaudit_tcp_bind_all_ports(ftpd_t) +corenet_tcp_connect_all_ports(ftpd_t) +corenet_sendrecv_ftp_server_packets(ftpd_t) + +domain_use_interactive_fds(ftpd_t) + +files_search_etc(ftpd_t) +files_read_etc_files(ftpd_t) +files_read_etc_runtime_files(ftpd_t) +files_search_var_lib(ftpd_t) + +fs_search_auto_mountpoints(ftpd_t) +fs_getattr_all_fs(ftpd_t) +fs_search_fusefs(ftpd_t) + +auth_use_nsswitch(ftpd_t) +auth_domtrans_chk_passwd(ftpd_t) +# Append to /var/log/wtmp. 
+auth_append_login_records(ftpd_t) +#kerberized ftp requires the following +auth_write_login_records(ftpd_t) +auth_rw_faillog(ftpd_t) + +init_rw_utmp(ftpd_t) + +logging_send_audit_msgs(ftpd_t) +logging_send_syslog_msg(ftpd_t) +logging_set_loginuid(ftpd_t) + +miscfiles_read_localization(ftpd_t) +miscfiles_read_public_files(ftpd_t) + +seutil_dontaudit_search_config(ftpd_t) + +sysnet_read_config(ftpd_t) +sysnet_use_ldap(ftpd_t) + +userdom_dontaudit_use_unpriv_user_fds(ftpd_t) +userdom_dontaudit_search_user_home_dirs(ftpd_t) + +tunable_policy(`allow_ftpd_anon_write',` + miscfiles_manage_public_files(ftpd_t) +') + +tunable_policy(`allow_ftpd_use_cifs',` + fs_read_cifs_files(ftpd_t) + fs_read_cifs_symlinks(ftpd_t) +') + +tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',` + fs_manage_cifs_files(ftpd_t) +') + +tunable_policy(`allow_ftpd_use_nfs',` + fs_read_nfs_files(ftpd_t) + fs_read_nfs_symlinks(ftpd_t) +') + +tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` + fs_manage_nfs_files(ftpd_t) +') + +tunable_policy(`allow_ftpd_full_access',` + allow ftpd_t self:capability { dac_override dac_read_search }; + auth_manage_all_files_except_shadow(ftpd_t) +') + +tunable_policy(`ftp_home_dir',` + allow ftpd_t self:capability { dac_override dac_read_search }; + + # allow access to /home + files_list_home(ftpd_t) + userdom_read_user_home_content_files(ftpd_t) + userdom_manage_user_home_content(ftpd_t) + userdom_manage_user_tmp_files(ftpd_t) + userdom_tmp_filetrans_user_tmp(ftpd_t, file) +',` + # Needed for permissive mode, to make sure everything gets labeled correctly + userdom_user_home_dir_filetrans_pattern(ftpd_t, { dir file lnk_file }) + files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) +') + +tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` + fs_manage_nfs_files(ftpd_t) + fs_read_nfs_symlinks(ftpd_t) +') + +tunable_policy(`ftp_home_dir && use_samba_home_dirs',` + fs_manage_cifs_files(ftpd_t) + fs_read_cifs_symlinks(ftpd_t) +') + 
+optional_policy(` + tunable_policy(`ftp_home_dir',` + apache_search_sys_content(ftpd_t) + ') +') + +optional_policy(` + corecmd_exec_shell(ftpd_t) + + files_read_usr_files(ftpd_t) + + cron_system_entry(ftpd_t, ftpd_exec_t) + + optional_policy(` + logrotate_exec(ftpd_t) + ') +') + +optional_policy(` + daemontools_service_domain(ftpd_t, ftpd_exec_t) +') + +optional_policy(` + selinux_validate_context(ftpd_t) + + kerberos_keytab_template(ftpd, ftpd_t) + kerberos_manage_host_rcache(ftpd_t) +') + +optional_policy(` + tunable_policy(`ftpd_connect_db',` + mysql_stream_connect(ftpd_t) + ') +') + +optional_policy(` + tunable_policy(`ftpd_connect_db',` + postgresql_stream_connect(ftpd_t) + ') +') + +tunable_policy(`ftpd_connect_db',` + mysql_tcp_connect(ftpd_t) + postgresql_tcp_connect(ftpd_t) +') + +optional_policy(` + inetd_tcp_service_domain(ftpd_t, ftpd_exec_t) + + optional_policy(` + tcpd_domtrans(tcpd_t) + ') +') + +optional_policy(` + dbus_system_bus_client(ftpd_t) + + optional_policy(` + oddjob_dbus_chat(ftpd_t) + oddjob_domtrans_mkhomedir(ftpd_t) + ') +') + +optional_policy(` + seutil_sigchld_newrole(ftpd_t) +') + +optional_policy(` + udev_read_db(ftpd_t) +') + +######################################## +# +# ftpdctl local policy +# + +# Allow ftpdctl to talk to ftpd over a socket connection +stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) +files_search_pids(ftpdctl_t) + +# ftpdctl creates a socket so that the daemon can perform +# access control decisions (see comments in ftpd_t rules above) +allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms; +files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) + +# Allow ftpdctl to read config files +files_read_etc_files(ftpdctl_t) + +userdom_use_user_terminals(ftpdctl_t) + +######################################## +# +# sftpd local policy +# + +files_read_etc_files(sftpd_t) + +# allow read access to /home by default +userdom_read_user_home_content_files(sftpd_t) 
+userdom_read_user_home_content_symlinks(sftpd_t) +userdom_dontaudit_list_admin_dir(sftpd_t) + +tunable_policy(`sftpd_full_access',` + allow sftpd_t self:capability { dac_override dac_read_search }; + fs_read_noxattr_fs_files(sftpd_t) + auth_manage_all_files_except_shadow(sftpd_t) +') + +tunable_policy(`sftpd_write_ssh_home',` + ssh_manage_home_files(sftpd_t) +') + +tunable_policy(`sftpd_enable_homedirs',` + allow sftpd_t self:capability { dac_override dac_read_search }; + + # allow access to /home + files_list_home(sftpd_t) + userdom_read_user_home_content_files(sftpd_t) + userdom_manage_user_home_content(sftpd_t) +',` + # Needed for permissive mode, to make sure everything gets labeled correctly + userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file }) +') + +tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` + fs_manage_nfs_dirs(sftpd_t) + fs_manage_nfs_files(sftpd_t) + fs_manage_nfs_symlinks(sftpd_t) +') + +tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` + fs_manage_cifs_dirs(sftpd_t) + fs_manage_cifs_files(sftpd_t) + fs_manage_cifs_symlinks(sftpd_t) +') + +tunable_policy(`sftpd_full_access',` + allow sftpd_t self:capability { dac_override dac_read_search }; + fs_read_noxattr_fs_files(sftpd_t) + auth_manage_all_files_except_shadow(sftpd_t) +') + +tunable_policy(`use_samba_home_dirs',` + # allow read access to /home by default + fs_list_cifs(sftpd_t) + fs_read_cifs_files(sftpd_t) + fs_read_cifs_symlinks(sftpd_t) +') + +tunable_policy(`use_nfs_home_dirs',` + # allow read access to /home by default + fs_list_nfs(sftpd_t) + fs_read_nfs_files(sftpd_t) + fs_read_nfs_symlinks(ftpd_t) +') diff --git a/policy/modules/services/gatekeeper.fc b/policy/modules/services/gatekeeper.fc new file mode 100644 index 0000000..d6ef025 --- /dev/null +++ b/policy/modules/services/gatekeeper.fc 
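Review bot: two rules name the wrong domain. In the inetd `optional_policy` block, `tcpd_domtrans(tcpd_t)` lets `tcpd_t` transition to itself; it should be `tcpd_domtrans(ftpd_t)` so the ftp daemon can enter `tcpd_t`. In the sftpd section, the `use_nfs_home_dirs` block grants `fs_read_nfs_symlinks(ftpd_t)` while its two sibling lines use `sftpd_t`; that line should read `fs_read_nfs_symlinks(sftpd_t)`. The standalone `tunable_policy(`ftpd_connect_db',` block that calls `mysql_tcp_connect(ftpd_t)` and `postgresql_tcp_connect(ftpd_t)` is not inside any `optional_policy`, unlike the `mysql_stream_connect` and `postgresql_stream_connect` calls just above it, so the module will fail to link whenever the mysql or postgresql module is absent; move each call into the matching optional block. The `tunable_policy(`sftpd_full_access',` block appears twice with identical contents; delete the second copy. Documentation nits: "Allow interlnal-sftp" should be "internal-sftp"; "Allow ftp servers to use connect to mysql database" should read "connect to a mysql or postgresql database", since the tunable gates both; and `sys_admin` in the `ftpd_t` self:capability set deserves a comment naming the feature that needs it, as the proftpd socket comment below it already does for `ftpdctl_tmp_t`.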
@@ -0,0 +1,8 @@ +/etc/gatekeeper\.ini -- gen_context(system_u:object_r:gatekeeper_etc_t,s0) + +/usr/sbin/gk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0) +/usr/sbin/gnugk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0) + +/var/log/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_log_t,s0) +/var/run/gk\.pid -- gen_context(system_u:object_r:gatekeeper_var_run_t,s0) +/var/run/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_var_run_t,s0) diff --git a/policy/modules/services/gatekeeper.if b/policy/modules/services/gatekeeper.if new file mode 100644 index 0000000..311cb06 --- /dev/null +++ b/policy/modules/services/gatekeeper.if @@ -0,0 +1 @@ +## <summary>OpenH.323 Voice-Over-IP Gatekeeper</summary> diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te new file mode 100644 index 0000000..6dbc203 --- /dev/null +++ b/policy/modules/services/gatekeeper.te 
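Review bot: gatekeeper.if consists of the summary line only, so no other module can read `gatekeeper_etc_t`, the logs, or administer the daemon, and there is no `gatekeeper_admin` counterpart to the `ftp_admin` interface added in this same patch; add at least an admin interface covering `gatekeeper_etc_t`, `gatekeeper_log_t`, `gatekeeper_tmp_t` and `gatekeeper_var_run_t`, or state in the summary that the module deliberately exports nothing.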
@@ -0,0 +1,99 @@ +policy_module(gatekeeper, 1.7.0) + +######################################## +# +# Declarations +# + +type gatekeeper_t; +type gatekeeper_exec_t; +init_daemon_domain(gatekeeper_t, gatekeeper_exec_t) + +type gatekeeper_etc_t; +files_config_file(gatekeeper_etc_t) + +type gatekeeper_log_t; +logging_log_file(gatekeeper_log_t) + +# for stupid symlinks +type gatekeeper_tmp_t; +files_tmp_file(gatekeeper_tmp_t) + +type gatekeeper_var_run_t; +files_pid_file(gatekeeper_var_run_t) + +######################################## +# +# Local policy +# + +dontaudit gatekeeper_t self:capability sys_tty_config; +allow gatekeeper_t self:process { setsched signal_perms }; +allow gatekeeper_t self:fifo_file rw_fifo_file_perms; +allow gatekeeper_t self:tcp_socket create_stream_socket_perms; +allow gatekeeper_t self:udp_socket create_socket_perms; + +allow gatekeeper_t gatekeeper_etc_t:lnk_file read_lnk_file_perms; +allow gatekeeper_t gatekeeper_etc_t:file read_file_perms; +files_search_etc(gatekeeper_t) + +manage_files_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t) +logging_log_filetrans(gatekeeper_t, gatekeeper_log_t, { file dir }) + +manage_dirs_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t) +manage_files_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t) +files_tmp_filetrans(gatekeeper_t, gatekeeper_tmp_t, { file dir }) + +manage_files_pattern(gatekeeper_t, gatekeeper_var_run_t, gatekeeper_var_run_t) +files_pid_filetrans(gatekeeper_t, gatekeeper_var_run_t, file) + +kernel_read_system_state(gatekeeper_t) +kernel_read_kernel_sysctls(gatekeeper_t) + +corecmd_list_bin(gatekeeper_t) + +corenet_all_recvfrom_unlabeled(gatekeeper_t) +corenet_all_recvfrom_netlabel(gatekeeper_t) +corenet_tcp_sendrecv_generic_if(gatekeeper_t) +corenet_udp_sendrecv_generic_if(gatekeeper_t) +corenet_tcp_sendrecv_generic_node(gatekeeper_t) +corenet_udp_sendrecv_generic_node(gatekeeper_t) +corenet_tcp_sendrecv_all_ports(gatekeeper_t) 
+corenet_udp_sendrecv_all_ports(gatekeeper_t) +corenet_tcp_bind_generic_node(gatekeeper_t) +corenet_udp_bind_generic_node(gatekeeper_t) +corenet_tcp_bind_gatekeeper_port(gatekeeper_t) +corenet_udp_bind_gatekeeper_port(gatekeeper_t) +corenet_sendrecv_gatekeeper_server_packets(gatekeeper_t) + +dev_read_sysfs(gatekeeper_t) +# for SSP +dev_read_urand(gatekeeper_t) + +domain_use_interactive_fds(gatekeeper_t) + +files_read_etc_files(gatekeeper_t) + +fs_getattr_all_fs(gatekeeper_t) +fs_search_auto_mountpoints(gatekeeper_t) + +logging_send_syslog_msg(gatekeeper_t) + +miscfiles_read_localization(gatekeeper_t) + +sysnet_read_config(gatekeeper_t) + +userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t) +userdom_dontaudit_search_user_home_dirs(gatekeeper_t) + +optional_policy(` + nis_use_ypbind(gatekeeper_t) +') + +optional_policy(` + seutil_sigchld_newrole(gatekeeper_t) +') + +optional_policy(` + udev_read_db(gatekeeper_t) +') diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc new file mode 100644 index 0000000..2b552c5 --- /dev/null +++ b/policy/modules/services/git.fc @@ -0,0 +1,13 @@ +HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t,s0) +HOME_DIR/\.gitaliases -- gen_context(system_u:object_r:git_session_content_t,s0) +HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t,s0) + +/srv/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0) + +/usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) + +/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) +/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0) +/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) +/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) 
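Review bot: `logging_log_filetrans(gatekeeper_t, gatekeeper_log_t, { file dir })` allows the daemon to create a directory in /var/log with the `gatekeeper_log_t` label (gatekeeper.fc labels `/var/log/gnugk(/.*)?` this way), but the only access rule on the type is `manage_files_pattern`, so the directory creation itself would be denied; add `manage_dirs_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t)` or drop `dir` from the filetrans. The comment "for stupid symlinks" above `gatekeeper_tmp_t` explains nothing to a reader; say which symlinks gnugk creates under /tmp and why the type exists.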
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if new file mode 100644 index 0000000..3780650 --- /dev/null +++ b/policy/modules/services/git.if 
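Review bot: in git.fc the `/var/www/git/gitweb.cgi` entry is the only plain-file entry without the `--` object-class specifier; add it for consistency with `/var/www/cgi-bin/cgit`. The `httpd_git_content_t`, `httpd_git_rw_content_t` and `httpd_git_script_exec_t` types used here are only declared by `apache_content_template(git)`, which git.te wraps in an `optional_policy` block, so these four entries are valid only when the apache module is present; a comment above them stating that dependency would help anyone debugging a relabel failure on a host without apache.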
@@ -0,0 +1,520 @@ +## <summary>Fast Version Control System.</summary> +## <desc> +## <p> +## A really simple TCP git daemon that normally listens on +## port DEFAULT_GIT_PORT aka 9418. It waits for a +## connection asking for a service, and will serve that +## service if it is enabled. +## </p> +## </desc> + +####################################### +## <summary> +## Role access for Git daemon session. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role. +## </summary> +## </param> +# +interface(`git_session_role',` + gen_require(` + type git_session_t, gitd_exec_t, git_session_content_t; + ') + + ######################################## + # + # Git daemon session shared declarations. + # + + role $1 types git_session_t; + + ######################################## + # + # Git daemon session shared policy. + # + + domtrans_pattern($2, gitd_exec_t, git_session_t) + + allow $2 git_session_t:process { ptrace signal_perms }; + ps_process_pattern($2, git_session_t) +') + +######################################## +## <summary> +## Create a set of derived types for Git +## daemon shared repository content. +## </summary> +## <param name="prefix"> +## <summary> +## The prefix to be used for deriving type names. +## </summary> +## </param> +# +template(`git_content_template',` + gen_require(` + attribute git_system_content, git_content; + ') + + ######################################## + # + # Git daemon content shared declarations. + # + + type git_$1_content_t, git_system_content, git_content; + files_type(git_$1_content_t) +') + +######################################## +## <summary> +## Create a set of derived types for Git +## daemon shared repository roles. +## </summary> +## <param name="prefix"> +## <summary> +## The prefix to be used for deriving type names. 
+## </summary> +## </param> +# +template(`git_role_template',` + gen_require(` + class context contains; + role system_r; + ') + + ######################################## + # + # Git daemon role shared declarations. + # + + attribute $1_usertype; + + type $1_t; + userdom_unpriv_usertype($1, $1_t) + domain_type($1_t) + + role $1_r types $1_t; + allow system_r $1_r; + + ######################################## + # + # Git daemon role shared policy. + # + + allow $1_t self:context contains; + allow $1_t self:fifo_file rw_fifo_file_perms; + + corecmd_exec_bin($1_t) + corecmd_bin_entry_type($1_t) + corecmd_shell_entry_type($1_t) + + domain_interactive_fd($1_t) + domain_user_exemption_target($1_t) + + kernel_read_system_state($1_t) + + files_read_etc_files($1_t) + files_dontaudit_search_home($1_t) + + miscfiles_read_localization($1_t) + + git_rwx_generic_system_content($1_t) + + ssh_rw_stream_sockets($1_t) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1_t) + fs_manage_cifs_dirs($1_t) + fs_manage_cifs_files($1_t) + ') + + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1_t) + fs_manage_nfs_dirs($1_t) + fs_manage_nfs_files($1_t) + ') + + optional_policy(` + nscd_read_pid($1_t) + ') +') + +####################################### +## <summary> +## Allow specified domain access to the +## specified Git daemon content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object"> +## <summary> +## Type of the object that access is allowed to. 
+## </summary> +## </param> +# +interface(`git_content_delegation',` + gen_require(` + type $1, $2; + ') + + exec_files_pattern($1, $2, $2) + manage_dirs_pattern($1, $2, $2) + manage_files_pattern($1, $2, $2) + files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ') +') + +######################################## +## <summary> +## Allow the specified domain to manage +## and execute all Git daemon content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`git_rwx_all_content',` + gen_require(` + attribute git_content; + ') + + exec_files_pattern($1, git_content, git_content) + manage_dirs_pattern($1, git_content, git_content) + manage_files_pattern($1, git_content, git_content) + userdom_search_user_home_dirs($1) + files_search_var_lib($1) + + tunable_policy(`use_nfs_home_dirs',` + fs_exec_nfs_files($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_exec_cifs_files($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + ') + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ') +') + +######################################## +## <summary> +## Allow the specified domain to manage +## and execute all Git daemon system content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`git_rwx_all_system_content',` + gen_require(` + attribute git_system_content; + ') + + exec_files_pattern($1, git_system_content, git_system_content) + manage_dirs_pattern($1, git_system_content, git_system_content) + manage_files_pattern($1, git_system_content, git_system_content) + files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ') +') + +######################################## +## <summary> +## Allow the specified domain to manage +## and execute Git daemon generic system content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`git_rwx_generic_system_content',` + gen_require(` + type git_system_content_t; + ') + + exec_files_pattern($1, git_system_content_t, git_system_content_t) + manage_dirs_pattern($1, git_system_content_t, git_system_content_t) + manage_files_pattern($1, git_system_content_t, git_system_content_t) + files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) + fs_manage_cifs_dirs($1) + fs_manage_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_exec_nfs_files($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + ') +') + +######################################## +## <summary> +## Allow the specified domain to read +## all Git daemon content files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`git_read_all_content_files',` + gen_require(` + attribute git_content; + ') + + list_dirs_pattern($1, git_content, git_content) + read_files_pattern($1, git_content, git_content) + userdom_search_user_home_dirs($1) + files_search_var_lib($1) + + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_list_cifs($1) + fs_read_cifs_files($1) + ') + + tunable_policy(`git_system_use_cifs',` + fs_list_cifs($1) + fs_read_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + ') +') + +######################################## +## <summary> +## Allow the specified domain to read +## Git daemon session content files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`git_read_session_content_files',` + gen_require(` + type git_session_content_t; + ') + + list_dirs_pattern($1, git_session_content_t, git_session_content_t) + read_files_pattern($1, git_session_content_t, git_session_content_t) + userdom_search_user_home_dirs($1) + + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_list_cifs($1) + fs_read_cifs_files($1) + ') +') + +######################################## +## <summary> +## Allow the specified domain to read +## all Git daemon system content files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`git_read_all_system_content_files',` + gen_require(` + attribute git_system_content; + ') + + list_dirs_pattern($1, git_system_content, git_system_content) + read_files_pattern($1, git_system_content, git_system_content) + files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` + fs_list_cifs($1) + fs_read_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + ') +') + +######################################## +## <summary> +## Allow the specified domain to read +## Git daemon generic system content files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`git_read_generic_system_content_files',` + gen_require(` + type git_system_content_t; + ') + + list_dirs_pattern($1, git_system_content_t, git_system_content_t) + read_files_pattern($1, git_system_content_t, git_system_content_t) + files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` + fs_list_cifs($1) + fs_read_cifs_files($1) + ') + + tunable_policy(`git_system_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + ') +') + +######################################## +## <summary> +## Allow the specified domain to relabel +## all Git daemon content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`git_relabel_all_content',` + gen_require(` + attribute git_content; + ') + + relabel_dirs_pattern($1, git_content, git_content) + relabel_files_pattern($1, git_content, git_content) + userdom_search_user_home_dirs($1) + files_search_var_lib($1) +') + +######################################## +## <summary> +## Allow the specified domain to relabel +## all Git daemon system content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`git_relabel_all_system_content',` + gen_require(` + attribute git_system_content; + ') + + relabel_dirs_pattern($1, git_system_content, git_system_content) + relabel_files_pattern($1, git_system_content, git_system_content) + files_search_var_lib($1) +') + +######################################## +## <summary> +## Allow the specified domain to relabel +## Git daemon generic system content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`git_relabel_generic_system_content',` + gen_require(` + type git_system_content_t; + ') + + relabel_dirs_pattern($1, git_system_content_t, git_system_content_t) + relabel_files_pattern($1, git_system_content_t, git_system_content_t) + files_search_var_lib($1) +') + +######################################## +## <summary> +## Allow the specified domain to relabel +## Git daemon session content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`git_relabel_session_content',` + gen_require(` + type git_session_content_t; + ') + + relabel_dirs_pattern($1, git_session_content_t, git_session_content_t) + relabel_files_pattern($1, git_session_content_t, git_session_content_t) + userdom_search_user_home_dirs($1) +') diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te new file mode 100644 index 0000000..8d10fc5 --- /dev/null +++ b/policy/modules/services/git.te 
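Review bot: the summary of `git_content_delegation` ("Allow specified domain access to the specified Git daemon content") understates what it grants, which is manage on directories and files plus execute on files; say "manage and execute" so callers see the scope. Its `gen_require(` type $1, $2; `)` also forbids passing an attribute as the domain, which none of the other interfaces in this file restrict. In `git_role_template`, `corecmd_bin_entry_type($1_t)` and `corecmd_shell_entry_type($1_t)` make every generic binary and shell an entry point into the git-shell user domain, and `ssh_rw_stream_sockets($1_t)` sits there without explanation; a comment stating that sshd enters this domain by running git-shell over the ssh connection would make the intent reviewable. The template also calls `git_rwx_generic_system_content($1_t)`, so every git-shell user gets write and execute access to all of `git_system_content_t`, not only to their own repository; if per-repository access is the goal, `git_content_template` plus `git_content_delegation` is the narrower tool.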
@@ -0,0 +1,192 @@ +policy_module(git, 1.0.3) + +## <desc> +## <p> +## Allow Git daemon system to search home directories. +## </p> +## </desc> +gen_tunable(git_system_enable_homedirs, false) + +## <desc> +## <p> +## Allow Git daemon system to access cifs file systems. +## </p> +## </desc> +gen_tunable(git_system_use_cifs, false) + +## <desc> +## <p> +## Allow Git daemon system to access nfs file systems. +## </p> +## </desc> +gen_tunable(git_system_use_nfs, false) + +######################################## +# +# Git daemon global private declarations. +# + +attribute git_domains; +attribute git_system_content; +attribute git_content; + +type gitd_exec_t; +application_executable_file(gitd_exec_t) + +######################################## +# +# Git daemon system private declarations. +# + +type git_system_t, git_domains; +inetd_service_domain(git_system_t, gitd_exec_t) +role system_r types git_system_t; + +type git_system_content_t, git_system_content, git_content; +files_type(git_system_content_t) +typealias git_system_content_t alias git_data_t; + +######################################## +# +# Git daemon session private declarations. +# + +## <desc> +## <p> +## Allow Git daemon session to bind +## tcp sockets to all unreserved ports. +## </p> +## </desc> +gen_tunable(git_session_bind_all_unreserved_ports, false) + +type git_session_t, git_domains; +application_domain(git_session_t, gitd_exec_t) +ubac_constrained(git_session_t) + +type git_session_content_t, git_content; +userdom_user_home_content(git_session_content_t) + +######################################## +# +# Git daemon global private policy. 
+# + +allow git_domains self:fifo_file rw_fifo_file_perms; +allow git_domains self:netlink_route_socket create_netlink_socket_perms; +allow git_domains self:tcp_socket create_socket_perms; +allow git_domains self:udp_socket create_socket_perms; +allow git_domains self:unix_dgram_socket create_socket_perms; + +corenet_all_recvfrom_netlabel(git_domains) +corenet_all_recvfrom_unlabeled(git_domains) +corenet_tcp_bind_generic_node(git_domains) +corenet_tcp_sendrecv_generic_if(git_domains) +corenet_tcp_sendrecv_generic_node(git_domains) +corenet_tcp_sendrecv_generic_port(git_domains) +corenet_tcp_bind_git_port(git_domains) +corenet_sendrecv_git_server_packets(git_domains) + +corecmd_exec_bin(git_domains) + +files_read_etc_files(git_domains) +files_read_usr_files(git_domains) + +fs_search_auto_mountpoints(git_domains) + +kernel_read_system_state(git_domains) + +auth_use_nsswitch(git_domains) + +logging_send_syslog_msg(git_domains) + +miscfiles_read_localization(git_domains) + +sysnet_read_config(git_domains) + +optional_policy(` + automount_dontaudit_getattr_tmp_dirs(git_domains) +') + +optional_policy(` + nis_use_ypbind(git_domains) +') + +######################################## +# +# Git daemon system repository private policy. 
+# + +list_dirs_pattern(git_system_t, git_content, git_content) +read_files_pattern(git_system_t, git_content, git_content) +files_search_var_lib(git_system_t) + +tunable_policy(`git_system_enable_homedirs',` + userdom_search_user_home_dirs(git_system_t) +') + +tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',` + fs_list_nfs(git_system_t) + fs_read_nfs_files(git_system_t) +') + +tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs',` + fs_list_cifs(git_system_t) + fs_read_cifs_files(git_system_t) +') + +tunable_policy(`git_system_use_cifs',` + fs_list_cifs(git_system_t) + fs_read_cifs_files(git_system_t) +') + +tunable_policy(`git_system_use_nfs',` + fs_list_nfs(git_system_t) + fs_read_nfs_files(git_system_t) +') + +######################################## +# +# Git daemon session repository private policy. +# + +allow git_session_t self:tcp_socket { accept listen }; + +list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t) +read_files_pattern(git_session_t, git_session_content_t, git_session_content_t) +userdom_search_user_home_dirs(git_session_t) + +userdom_use_user_terminals(git_session_t) + +tunable_policy(`git_session_bind_all_unreserved_ports',` + corenet_tcp_bind_all_unreserved_ports(git_session_t) + corenet_sendrecv_generic_server_packets(git_session_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs(git_session_t) + fs_read_nfs_files(git_session_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_list_cifs(git_session_t) + fs_read_cifs_files(git_session_t) +') + +######################################## +# +# cgi git Declarations +# + +optional_policy(` + apache_content_template(git) + git_read_all_content_files(httpd_git_script_t) + files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) +') + +######################################## +# +# Git-shell private policy. +# + +git_role_template(git_shell) +gen_user(git_shell_u, user, git_shell_r, s0, s0) 
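Review bot: in the git.te hunk, the `git_system_enable_homedirs` tunable only gates `userdom_search_user_home_dirs(git_system_t)`, while the read access itself is granted unconditionally just above it through the `git_content` attribute (`list_dirs_pattern(git_system_t, git_content, git_content)` and `read_files_pattern(git_system_t, git_content, git_content)`); since `git_session_content_t` is declared with `git_content`, the system daemon may read session repositories in home directories whenever it can reach them, boolean or not. If the boolean is meant to control access to user repositories, use `git_system_content` in those two patterns and grant the `git_session_content_t` read inside the `tunable_policy(`git_system_enable_homedirs', ...)` block; otherwise say in the `<desc>` that it only controls directory search. Separately, `gen_user(git_shell_u, user, git_shell_r, s0, s0)` declares a SELinux user inside a service module, which is unusual (users normally live with the user declarations, not in services/*.te), so a comment explaining why it is placed here would help reviewers.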
diff --git a/policy/modules/services/gnomeclock.fc b/policy/modules/services/gnomeclock.fc new file mode 100644 index 0000000..a8ce02e --- /dev/null +++ b/policy/modules/services/gnomeclock.fc @@ -0,0 +1,4 @@ +/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + +/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + diff --git a/policy/modules/services/gnomeclock.if b/policy/modules/services/gnomeclock.if new file mode 100644 index 0000000..b1f8f93 --- /dev/null +++ b/policy/modules/services/gnomeclock.if 
@@ -0,0 +1,86 @@ +## <summary>Gnome clock handler for setting the time.</summary> + +######################################## +## <summary> +## Execute a domain transition to run gnomeclock. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`gnomeclock_domtrans',` + gen_require(` + type gnomeclock_t, gnomeclock_exec_t; + ') + + domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t) +') + +######################################## +## <summary> +## Execute gnomeclock in the gnomeclock domain, and +## allow the specified role the gnomeclock domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`gnomeclock_run',` + gen_require(` + type gnomeclock_t; + ') + + gnomeclock_domtrans($1) + role $2 types gnomeclock_t; +') + +######################################## +## <summary> +## Send and receive messages from +## gnomeclock over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnomeclock_dbus_chat',` + gen_require(` + type gnomeclock_t; + class dbus send_msg; + ') + + allow $1 gnomeclock_t:dbus send_msg; + allow gnomeclock_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Do not audit send and receive messages from +## gnomeclock over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`gnomeclock_dontaudit_dbus_chat',` + gen_require(` + type gnomeclock_t; + class dbus send_msg; + ') + + dontaudit $1 gnomeclock_t:dbus send_msg; + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te new file mode 100644 index 0000000..4fde46b --- /dev/null 
+++ b/policy/modules/services/gnomeclock.te @@ -0,0 +1,46 @@ +policy_module(gnomeclock, 1.0.0) + +######################################## +# +# Declarations +# + +type gnomeclock_t; +type gnomeclock_exec_t; +dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) + +######################################## +# +# gnomeclock local policy +# + +allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; +allow gnomeclock_t self:process { getattr getsched }; +allow gnomeclock_t self:fifo_file rw_fifo_file_perms; +allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; + +corecmd_exec_bin(gnomeclock_t) + +files_read_etc_files(gnomeclock_t) +files_read_usr_files(gnomeclock_t) + +auth_use_nsswitch(gnomeclock_t) + +clock_domtrans(gnomeclock_t) + +miscfiles_read_localization(gnomeclock_t) +miscfiles_manage_localization(gnomeclock_t) +miscfiles_etc_filetrans_localization(gnomeclock_t) + +userdom_read_all_users_state(gnomeclock_t) + +optional_policy(` + consolekit_dbus_chat(gnomeclock_t) +') + +optional_policy(` + policykit_dbus_chat(gnomeclock_t) + policykit_domtrans_auth(gnomeclock_t) + policykit_read_lib(gnomeclock_t) + policykit_read_reload(gnomeclock_t) +') diff --git a/policy/modules/services/gpm.fc b/policy/modules/services/gpm.fc new file mode 100644 index 0000000..6fc9661 --- /dev/null +++ b/policy/modules/services/gpm.fc @@ -0,0 +1,7 @@ + +/dev/gpmctl -s gen_context(system_u:object_r:gpmctl_t,s0) +/dev/gpmdata -p gen_context(system_u:object_r:gpmctl_t,s0) + +/etc/gpm(/.*)? gen_context(system_u:object_r:gpm_conf_t,s0) + +/usr/sbin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0) diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if new file mode 100644 index 0000000..d6b2959 --- /dev/null +++ b/policy/modules/services/gpm.if 
@@ -0,0 +1,81 @@ +## <summary>General Purpose Mouse driver</summary> + +######################################## +## <summary> +## Connect to GPM over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gpm_stream_connect',` + gen_require(` + type gpmctl_t, gpm_t; + ') + + dev_list_all_dev_nodes($1) + stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t) +') + +######################################## +## <summary> +## Get the attributes of the GPM +## control channel named socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gpm_getattr_gpmctl',` + gen_require(` + type gpmctl_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 gpmctl_t:sock_file getattr_sock_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to get the +## attributes of the GPM control channel +## named socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`gpm_dontaudit_getattr_gpmctl',` + gen_require(` + type gpmctl_t; + ') + + dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms; +') + +######################################## +## <summary> +## Set the attributes of the GPM +## control channel named socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gpm_setattr_gpmctl',` + gen_require(` + type gpmctl_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 gpmctl_t:sock_file setattr_sock_file_perms; +') diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te new file mode 100644 index 0000000..a627b34 --- /dev/null +++ b/policy/modules/services/gpm.te 
@@ -0,0 +1,79 @@ +policy_module(gpm, 1.8.0) + +######################################## +# +# Declarations +# + +type gpm_t; +type gpm_exec_t; +init_daemon_domain(gpm_t, gpm_exec_t) + +type gpm_conf_t; +files_type(gpm_conf_t) + +type gpm_tmp_t; +files_tmp_file(gpm_tmp_t) + +type gpm_var_run_t; +files_pid_file(gpm_var_run_t) + +type gpmctl_t; +files_type(gpmctl_t) + +######################################## +# +# Local policy +# + +allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config }; +allow gpm_t self:process { getcap setcap }; +allow gpm_t self:unix_stream_socket create_stream_socket_perms; + +allow gpm_t gpm_conf_t:dir list_dir_perms; +read_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t) +read_lnk_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t) + +manage_dirs_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t) +manage_files_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t) +files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir }) + +allow gpm_t gpm_var_run_t:file manage_file_perms; +files_pid_filetrans(gpm_t, gpm_var_run_t, file) + +allow gpm_t gpmctl_t:sock_file manage_sock_file_perms; +allow gpm_t gpmctl_t:fifo_file manage_fifo_file_perms; +dev_filetrans(gpm_t, gpmctl_t, { sock_file fifo_file }) + +kernel_read_kernel_sysctls(gpm_t) +kernel_list_proc(gpm_t) +kernel_read_proc_symlinks(gpm_t) + +dev_read_sysfs(gpm_t) +# Access the mouse. +dev_rw_input_dev(gpm_t) +dev_rw_mouse(gpm_t) + +files_read_etc_files(gpm_t) + +fs_getattr_all_fs(gpm_t) +fs_search_auto_mountpoints(gpm_t) + +term_use_unallocated_ttys(gpm_t) + +domain_use_interactive_fds(gpm_t) + +logging_send_syslog_msg(gpm_t) + +miscfiles_read_localization(gpm_t) + +userdom_dontaudit_use_unpriv_user_fds(gpm_t) +userdom_dontaudit_search_user_home_dirs(gpm_t) + +optional_policy(` + seutil_sigchld_newrole(gpm_t) +') + +optional_policy(` + udev_read_db(gpm_t) +') diff --git a/policy/modules/services/gpsd.fc b/policy/modules/services/gpsd.fc new file mode 100644 index 0000000..5e81e33 --- /dev/null 
+++ b/policy/modules/services/gpsd.fc @@ -0,0 +1,6 @@ +/etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0) + +/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0) + +/var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0) +/var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0) diff --git a/policy/modules/services/gpsd.if b/policy/modules/services/gpsd.if new file mode 100644 index 0000000..c0ee676 --- /dev/null +++ b/policy/modules/services/gpsd.if @@ -0,0 +1,66 @@ +## <summary>gpsd monitor daemon</summary> + +######################################## +## <summary> +## Execute a domain transition to run gpsd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`gpsd_domtrans',` + gen_require(` + type gpsd_t, gpsd_exec_t; + ') + + domtrans_pattern($1, gpsd_exec_t, gpsd_t) +') + +######################################## +## <summary> +## Execute gpsd in the gpsd domain, and +## allow the specified role the gpsd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`gpsd_run',` + gen_require(` + type gpsd_t; + ') + + gpsd_domtrans($1) + role $2 types gpsd_t; +') + +######################################## +## <summary> +## Read and write gpsd shared memory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gpsd_rw_shm',` + gen_require(` + type gpsd_t, gpsd_tmpfs_t; + ') + + allow $1 gpsd_t:shm rw_shm_perms; + allow $1 gpsd_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) + read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) + fs_search_tmpfs($1) +') 
diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te new file mode 100644 index 0000000..7b9c543 --- /dev/null +++ b/policy/modules/services/gpsd.te @@ -0,0 +1,68 @@ +policy_module(gpsd, 1.1.0) + +######################################## +# +# Declarations +# + +type gpsd_t; +type gpsd_exec_t; +application_domain(gpsd_t, gpsd_exec_t) +init_daemon_domain(gpsd_t, gpsd_exec_t) + +type gpsd_initrc_exec_t; +init_script_file(gpsd_initrc_exec_t) + +type gpsd_tmpfs_t; +files_tmpfs_file(gpsd_tmpfs_t) + +type gpsd_var_run_t; +files_pid_file(gpsd_var_run_t) + +######################################## +# +# gpsd local policy +# + +allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config }; +allow gpsd_t self:process setsched; +allow gpsd_t self:shm create_shm_perms; +allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow gpsd_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) +manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) +fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file }) + +manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) +manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) +files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file }) + +corenet_all_recvfrom_unlabeled(gpsd_t) +corenet_all_recvfrom_netlabel(gpsd_t) +corenet_tcp_sendrecv_generic_if(gpsd_t) +corenet_tcp_sendrecv_generic_node(gpsd_t) +corenet_tcp_sendrecv_all_ports(gpsd_t) +corenet_tcp_bind_all_nodes(gpsd_t) +corenet_tcp_bind_gpsd_port(gpsd_t) + +term_use_unallocated_ttys(gpsd_t) +term_setattr_unallocated_ttys(gpsd_t) + +auth_use_nsswitch(gpsd_t) + +logging_send_syslog_msg(gpsd_t) + +miscfiles_read_localization(gpsd_t) + +optional_policy(` + chronyd_rw_shm(gpsd_t) +') + +optional_policy(` + dbus_system_bus_client(gpsd_t) +') + +optional_policy(` + ntp_rw_shm(gpsd_t) +') 
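Review bot: in the gpsd.te hunk, `corenet_tcp_sendrecv_all_ports(gpsd_t)` is broader than the bind granted in the same block (`corenet_tcp_bind_gpsd_port(gpsd_t)`); unless gpsd also has to talk to arbitrary remote ports, the per-port `corenet_tcp_sendrecv_gpsd_port(gpsd_t)` keeps the traffic rule aligned with the bind rule. The `term_use_unallocated_ttys(gpsd_t)` / `term_setattr_unallocated_ttys(gpsd_t)` pair (serial receivers) and the `chronyd_rw_shm` / `ntp_rw_shm` optional blocks (shared-memory time feed) would each benefit from a one-line comment in the style of `# Access the mouse.` used in gpm.te, so the next reader knows which device or protocol they serve.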
diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc new file mode 100644 index 0000000..c98b0df --- /dev/null +++ b/policy/modules/services/hal.fc @@ -0,0 +1,33 @@ + +/etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0) +/etc/hal/capability\.d/printer_update\.hal -- gen_context(system_u:object_r:hald_exec_t,s0) + +/usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0) + +/usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0) +/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0) +/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) +/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) +/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) +/usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) +/usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0) + +/usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0) + +/var/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) + +/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0) + +/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0) +/var/log/pm-.*\.log gen_context(system_u:object_r:hald_log_t,s0) + +/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) +/var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0) +/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) +/var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) +/var/run/synce.* gen_context(system_u:object_r:hald_var_run_t,s0) +/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0) + +ifdef(`distro_gentoo',` +/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) +') 
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if new file mode 100644 index 0000000..26de57a --- /dev/null +++ b/policy/modules/services/hal.if 
@@ -0,0 +1,457 @@ +## <summary>Hardware abstraction layer</summary> + +######################################## +## <summary> +## Execute hal in the hal domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`hal_domtrans',` + gen_require(` + type hald_t, hald_exec_t; + ') + + domtrans_pattern($1, hald_exec_t, hald_t) +') + +######################################## +## <summary> +## Read hal system state +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_read_state',` + gen_require(` + type hald_t; + ') + + kernel_search_proc($1) + ps_process_pattern($1, hald_t) +') + +######################################## +## <summary> +## Allow ptrace of hal domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_ptrace',` + gen_require(` + type hald_t; + ') + + allow $1 hald_t:process ptrace; +') + +######################################## +## <summary> +## Allow domain to use file descriptors from hal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_use_fds',` + gen_require(` + type hald_t; + ') + + allow $1 hald_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to use file descriptors from hal. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`hal_dontaudit_use_fds',` + gen_require(` + type hald_t; + ') + + dontaudit $1 hald_t:fd use; +') + +######################################## +## <summary> +## Allow attempts to read and write to +## hald unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`hal_rw_pipes',` + gen_require(` + type hald_t; + ') + + allow $1 hald_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read and write to +## hald unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`hal_dontaudit_rw_pipes',` + gen_require(` + type hald_t; + ') + + dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## <summary> +## Send to hal over a unix domain +## datagram socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_dgram_send',` + gen_require(` + type hald_t; + ') + + allow $1 hald_t:unix_dgram_socket sendto; +') + +######################################## +## <summary> +## Send to hal over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_stream_connect',` + gen_require(` + type hald_t; + ') + + allow $1 hald_t:unix_stream_socket connectto; +') + +######################################## +## <summary> +## Dontaudit read/write to a hal unix datagram socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`hal_dontaudit_rw_dgram_sockets',` + gen_require(` + type hald_t; + ') + + dontaudit $1 hald_t:unix_dgram_socket { read write }; +') + +######################################## +## <summary> +## Send a dbus message to hal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`hal_dbus_send',` + gen_require(` + type hald_t; + class dbus send_msg; + ') + + allow $1 hald_t:dbus send_msg; +') + +######################################## +## <summary> +## Send and receive messages from +## hal over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_dbus_chat',` + gen_require(` + type hald_t; + class dbus send_msg; + ') + + allow $1 hald_t:dbus send_msg; + allow hald_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Execute hal mac in the hal mac domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`hal_domtrans_mac',` + gen_require(` + type hald_mac_t, hald_mac_exec_t; + ') + + domtrans_pattern($1, hald_mac_exec_t, hald_mac_t) +') + +######################################## +## <summary> +## Allow attempts to write the hal +## log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_write_log',` + gen_require(` + type hald_log_t; + ') + + logging_search_logs($1) + allow $1 hald_log_t:file write_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to write the hal +## log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`hal_dontaudit_write_log',` + gen_require(` + type hald_log_t; + ') + + dontaudit $1 hald_log_t:file { append write }; +') + +######################################## +## <summary> +## Manage hald log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`hal_manage_log',` + gen_require(` + type hald_log_t; + ') + + # log files for hald + manage_files_pattern($1, hald_log_t, hald_log_t) + logging_log_filetrans($1, hald_log_t, file) +') + +######################################## +## <summary> +## Read hald tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_read_tmp_files',` + gen_require(` + type hald_tmp_t; + ') + + allow $1 hald_tmp_t:file read_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read or write +## HAL libraries files +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`hal_dontaudit_append_lib_files',` + gen_require(` + type hald_var_lib_t; + ') + + dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms }; +') + +######################################## +## <summary> +## Read hald PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_read_pid_files',` + gen_require(` + type hald_var_run_t; + ') + + files_search_pids($1) + allow $1 hald_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read +## hald PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`hal_dontaudit_read_pid_files',` + gen_require(` + type hald_var_run_t; + ') + + dontaudit $1 hald_var_run_t:file read_inherited_file_perms; +') + +######################################## +## <summary> +## Read/Write hald PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`hal_rw_pid_files',` + gen_require(` + type hald_var_run_t; + ') + + files_search_pids($1) + allow $1 hald_var_run_t:file rw_file_perms; +') + +######################################## +## <summary> +## Manage hald PID dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_manage_pid_dirs',` + gen_require(` + type hald_var_run_t; + ') + + files_search_pids($1) + manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t) +') + +######################################## +## <summary> +## Manage hald PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hal_manage_pid_files',` + gen_require(` + type hald_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, hald_var_run_t, hald_var_run_t) +') + +######################################## +## <summary> +## dontaudit read and write an leaked file descriptors +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`hal_dontaudit_leaks',` + gen_require(` + type hald_log_t, hald_t, hald_var_run_t; + ') + + dontaudit $1 hald_t:fd use; + dontaudit $1 hald_log_t:file rw_inherited_file_perms; + dontaudit $1 hald_t:fifo_file rw_inherited_fifo_file_perms; + dontaudit hald_t $1:socket_class_set { read write }; + dontaudit $1 hald_var_run_t:file read_inherited_file_perms; +') diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te new file mode 100644 index 0000000..ae0b05b --- /dev/null +++ b/policy/modules/services/hal.te 
@@ -0,0 +1,557 @@ +policy_module(hal, 1.13.0) + +######################################## +# +# Declarations +# + +type hald_t; +type hald_exec_t; +init_daemon_domain(hald_t, hald_exec_t) + +type hald_acl_t; +type hald_acl_exec_t; +domain_type(hald_acl_t) +domain_entry_file(hald_acl_t, hald_acl_exec_t) +role system_r types hald_acl_t; + +type hald_cache_t; +files_pid_file(hald_cache_t) + +type hald_dccm_t; +type hald_dccm_exec_t; +domain_type(hald_dccm_t) +domain_entry_file(hald_dccm_t, hald_dccm_exec_t) +role system_r types hald_dccm_t; + +type hald_keymap_t; +type hald_keymap_exec_t; +domain_type(hald_keymap_t) +domain_entry_file(hald_keymap_t, hald_keymap_exec_t) +role system_r types hald_keymap_t; + +type hald_log_t; +logging_log_file(hald_log_t) + +type hald_mac_t; +type hald_mac_exec_t; +domain_type(hald_mac_t) +domain_entry_file(hald_mac_t, hald_mac_exec_t) +role system_r types hald_mac_t; + +type hald_sonypic_t; +type hald_sonypic_exec_t; +domain_type(hald_sonypic_t) +domain_entry_file(hald_sonypic_t, hald_sonypic_exec_t) +role system_r types hald_sonypic_t; + +type hald_tmp_t; +files_tmp_file(hald_tmp_t) + +type hald_var_run_t; +files_pid_file(hald_var_run_t) + +type hald_var_lib_t; +files_type(hald_var_lib_t) + +typealias hald_log_t alias pmtools_log_t; +typealias hald_var_run_t alias pmtools_var_run_t; + +######################################## +# +# Local policy +# + +# execute openvt which needs setuid +allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; +dontaudit hald_t self:capability {sys_ptrace sys_tty_config }; +allow hald_t self:process { getsched getattr signal_perms }; +allow hald_t self:fifo_file rw_fifo_file_perms; +allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow hald_t self:unix_dgram_socket create_socket_perms; +allow hald_t self:netlink_kobject_uevent_socket create_socket_perms; +allow hald_t 
self:tcp_socket create_stream_socket_perms; +allow hald_t self:udp_socket create_socket_perms; +# For backwards compatibility with older kernels +allow hald_t self:netlink_socket create_socket_perms; + +manage_files_pattern(hald_t, hald_cache_t, hald_cache_t) + +# log files for hald +manage_files_pattern(hald_t, hald_log_t, hald_log_t) +logging_log_filetrans(hald_t, hald_log_t, file) + +manage_dirs_pattern(hald_t, hald_tmp_t, hald_tmp_t) +manage_files_pattern(hald_t, hald_tmp_t, hald_tmp_t) +files_tmp_filetrans(hald_t, hald_tmp_t, { file dir }) + +# var/lib files for hald +manage_dirs_pattern(hald_t, hald_var_lib_t, hald_var_lib_t) +manage_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t) +manage_sock_files_pattern(hald_t, hald_var_lib_t, hald_var_lib_t) + +manage_dirs_pattern(hald_t, hald_var_run_t, hald_var_run_t) +manage_files_pattern(hald_t, hald_var_run_t, hald_var_run_t) +files_pid_filetrans(hald_t, hald_var_run_t, { dir file }) + +kernel_read_system_state(hald_t) +kernel_read_network_state(hald_t) +kernel_read_software_raid_state(hald_t) +kernel_rw_kernel_sysctl(hald_t) +kernel_read_fs_sysctls(hald_t) +kernel_rw_irq_sysctls(hald_t) +kernel_rw_vm_sysctls(hald_t) +kernel_write_proc_files(hald_t) +kernel_rw_net_sysctls(hald_t) +kernel_setsched(hald_t) +kernel_request_load_module(hald_t) + +auth_read_pam_console_data(hald_t) + +corecmd_exec_all_executables(hald_t) + +corenet_all_recvfrom_unlabeled(hald_t) +corenet_all_recvfrom_netlabel(hald_t) +corenet_tcp_sendrecv_generic_if(hald_t) +corenet_udp_sendrecv_generic_if(hald_t) +corenet_tcp_sendrecv_generic_node(hald_t) +corenet_udp_sendrecv_generic_node(hald_t) +corenet_tcp_sendrecv_all_ports(hald_t) +corenet_udp_sendrecv_all_ports(hald_t) + +dev_rw_usbfs(hald_t) +dev_read_rand(hald_t) +dev_read_urand(hald_t) +dev_read_input(hald_t) +dev_read_mouse(hald_t) +dev_rw_printer(hald_t) +dev_read_lvm_control(hald_t) +dev_getattr_all_chr_files(hald_t) +dev_manage_generic_chr_files(hald_t) 
+dev_manage_generic_blk_files(hald_t) +dev_rw_generic_usb_dev(hald_t) +dev_setattr_generic_usb_dev(hald_t) +dev_setattr_usbfs_files(hald_t) +dev_rw_power_management(hald_t) +dev_read_raw_memory(hald_t) +# hal is now execing pm-suspend +dev_rw_sysfs(hald_t) +dev_read_video_dev(hald_t) + +domain_use_interactive_fds(hald_t) +domain_read_all_domains_state(hald_t) +domain_dontaudit_ptrace_all_domains(hald_t) + +files_exec_etc_files(hald_t) +files_read_etc_files(hald_t) +files_rw_etc_runtime_files(hald_t) +files_manage_mnt_dirs(hald_t) +files_manage_mnt_files(hald_t) +files_manage_mnt_symlinks(hald_t) +files_search_var_lib(hald_t) +files_read_usr_files(hald_t) +# hal is now execing pm-suspend +files_create_boot_flag(hald_t) +files_getattr_all_dirs(hald_t) +files_getattr_all_files(hald_t) +files_read_kernel_img(hald_t) +files_rw_lock_dirs(hald_t) +files_read_generic_pids(hald_t) + +fs_getattr_all_fs(hald_t) +fs_search_all(hald_t) +fs_list_inotifyfs(hald_t) +fs_list_auto_mountpoints(hald_t) +fs_mount_dos_fs(hald_t) +fs_unmount_dos_fs(hald_t) +fs_manage_dos_files(hald_t) +fs_manage_fusefs_dirs(hald_t) +fs_rw_removable_blk_files(hald_t) + +files_getattr_all_mountpoints(hald_t) + +mls_file_read_all_levels(hald_t) + +selinux_get_fs_mount(hald_t) +selinux_validate_context(hald_t) +selinux_compute_access_vector(hald_t) +selinux_compute_create_context(hald_t) +selinux_compute_relabel_context(hald_t) +selinux_compute_user_contexts(hald_t) + +storage_raw_read_removable_device(hald_t) +storage_raw_write_removable_device(hald_t) +storage_raw_read_fixed_disk(hald_t) +storage_raw_write_fixed_disk(hald_t) + +# hal_probe_serial causes these +term_setattr_unallocated_ttys(hald_t) +term_use_unallocated_ttys(hald_t) + +auth_use_nsswitch(hald_t) + +fstools_getattr_swap_files(hald_t) + +init_domtrans_script(hald_t) +init_read_utmp(hald_t) +#hal runs shutdown, probably need a shutdown domain +init_rw_utmp(hald_t) +init_telinit(hald_t) + +libs_exec_ld_so(hald_t) +libs_exec_lib_files(hald_t) + 
+logging_send_audit_msgs(hald_t) +logging_send_syslog_msg(hald_t) +logging_search_logs(hald_t) + +miscfiles_read_localization(hald_t) +miscfiles_read_hwdata(hald_t) + +modutils_domtrans_insmod(hald_t) +modutils_read_module_deps(hald_t) + +seutil_read_config(hald_t) +seutil_read_default_contexts(hald_t) +seutil_read_file_contexts(hald_t) + +sysnet_delete_dhcpc_pid(hald_t) +sysnet_domtrans_dhcpc(hald_t) +sysnet_domtrans_ifconfig(hald_t) +sysnet_read_config(hald_t) +sysnet_read_dhcp_config(hald_t) +sysnet_read_dhcpc_pid(hald_t) +sysnet_signal_dhcpc(hald_t) + +userdom_dontaudit_use_unpriv_user_fds(hald_t) +userdom_dontaudit_search_user_home_dirs(hald_t) +userdom_stream_connect(hald_t) + +netutils_domtrans(hald_t) + +optional_policy(` + alsa_domtrans(hald_t) + alsa_read_rw_config(hald_t) +') + +optional_policy(` + bootloader_domtrans(hald_t) +') + +optional_policy(` + # For /usr/libexec/hald-addon-acpi + # writes to /var/run/acpid.socket + apm_stream_connect(hald_t) +') + +optional_policy(` + bind_search_cache(hald_t) +') + +optional_policy(` + bluetooth_domtrans(hald_t) +') + +optional_policy(` + clock_domtrans(hald_t) +') + +optional_policy(` + cups_domtrans_config(hald_t) + cups_signal_config(hald_t) +') + +optional_policy(` + dbus_system_domain(hald_t, hald_exec_t) + + init_dbus_chat_script(hald_t) + + optional_policy(` + networkmanager_dbus_chat(hald_t) + ') +') + +optional_policy(` + # For /usr/libexec/hald-probe-smbios + dmidecode_domtrans(hald_t) +') + +optional_policy(` + gnome_read_config(hald_t) +') + +optional_policy(` + gpm_dontaudit_getattr_gpmctl(hald_t) +') + +optional_policy(` + hotplug_read_config(hald_t) +') + +optional_policy(` + lvm_domtrans(hald_t) +') + +optional_policy(` + mount_domtrans(hald_t) +') + +optional_policy(` + ntp_domtrans(hald_t) +') + +optional_policy(` + pcmcia_manage_pid(hald_t) + pcmcia_manage_pid_chr_files(hald_t) +') + +optional_policy(` + podsleuth_domtrans(hald_t) +') + +optional_policy(` + ppp_domtrans(hald_t) + 
ppp_read_rw_config(hald_t) +') + +optional_policy(` + policykit_dbus_chat(hald_t) + policykit_domtrans_auth(hald_t) + policykit_domtrans_resolve(hald_t) + policykit_read_lib(hald_t) + policykit_read_reload(hald_t) +') + +optional_policy(` + rpc_search_nfs_state_data(hald_t) +') + +optional_policy(` + seutil_sigchld_newrole(hald_t) +') + +optional_policy(` + shutdown_domtrans(hald_t) +') + +optional_policy(` + udev_domtrans(hald_t) + udev_read_db(hald_t) +') + +optional_policy(` + usbmuxd_stream_connect(hald_t) +') + +optional_policy(` + updfstab_domtrans(hald_t) +') + +optional_policy(` + vbetool_domtrans(hald_t) +') + +optional_policy(` + virt_manage_images(hald_t) +') + +optional_policy(` + xserver_read_pid(hald_t) +') + +######################################## +# +# Hal acl local policy +# + +allow hald_acl_t self:capability { dac_override fowner sys_resource }; +allow hald_acl_t self:process { getattr signal }; +allow hald_acl_t self:fifo_file rw_fifo_file_perms; + +domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t) +allow hald_t hald_acl_t:process signal; +allow hald_acl_t hald_t:unix_stream_socket connectto; + +manage_dirs_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t) +manage_files_pattern(hald_acl_t, hald_var_lib_t, hald_var_lib_t) +files_search_var_lib(hald_acl_t) + +manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) +manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) +files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) +allow hald_t hald_var_run_t:dir mounton; + +corecmd_exec_bin(hald_acl_t) + +dev_getattr_all_chr_files(hald_acl_t) +dev_setattr_all_chr_files(hald_acl_t) +dev_getattr_generic_usb_dev(hald_acl_t) +dev_getattr_video_dev(hald_acl_t) +dev_setattr_video_dev(hald_acl_t) +dev_getattr_sound_dev(hald_acl_t) +dev_setattr_sound_dev(hald_acl_t) +dev_setattr_generic_usb_dev(hald_acl_t) +dev_setattr_usbfs_files(hald_acl_t) + +files_read_usr_files(hald_acl_t) +files_read_etc_files(hald_acl_t) + 
+fs_getattr_all_fs(hald_acl_t) + +storage_getattr_removable_dev(hald_acl_t) +storage_setattr_removable_dev(hald_acl_t) +storage_getattr_fixed_disk_dev(hald_acl_t) +storage_setattr_fixed_disk_dev(hald_acl_t) + +auth_use_nsswitch(hald_acl_t) + +logging_send_syslog_msg(hald_acl_t) + +miscfiles_read_localization(hald_acl_t) + +optional_policy(` + policykit_dbus_chat(hald_acl_t) + policykit_domtrans_auth(hald_acl_t) + policykit_read_lib(hald_acl_t) + policykit_read_reload(hald_acl_t) +') + +######################################## +# +# Local hald mac policy +# + +allow hald_mac_t self:capability { setgid setuid sys_admin }; + +domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) +allow hald_t hald_mac_t:process signal; +allow hald_mac_t hald_t:unix_stream_socket connectto; + +manage_dirs_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t) +manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t) +files_search_var_lib(hald_mac_t) + +write_files_pattern(hald_mac_t, hald_log_t, hald_log_t) + +kernel_read_system_state(hald_mac_t) + +dev_read_raw_memory(hald_mac_t) +dev_write_raw_memory(hald_mac_t) +dev_read_sysfs(hald_mac_t) + +files_read_usr_files(hald_mac_t) +files_read_etc_files(hald_mac_t) + +auth_use_nsswitch(hald_mac_t) + +logging_send_syslog_msg(hald_mac_t) + +miscfiles_read_localization(hald_mac_t) + +######################################## +# +# Local hald sonypic policy +# + +domtrans_pattern(hald_t, hald_sonypic_exec_t, hald_sonypic_t) +allow hald_t hald_sonypic_t:process signal; +allow hald_sonypic_t hald_t:unix_stream_socket connectto; + +dev_read_video_dev(hald_sonypic_t) +dev_write_video_dev(hald_sonypic_t) + +manage_dirs_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t) +manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t) +files_search_var_lib(hald_sonypic_t) + +write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t) + +files_read_usr_files(hald_sonypic_t) + +miscfiles_read_localization(hald_sonypic_t) + 
+######################################## +# +# Hal keymap local policy +# + +domtrans_pattern(hald_t, hald_keymap_exec_t, hald_keymap_t) +allow hald_t hald_keymap_t:process signal; +allow hald_keymap_t hald_t:unix_stream_socket connectto; + +manage_dirs_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t) +manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t) +files_search_var_lib(hald_keymap_t) + +write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t) + +dev_rw_input_dev(hald_keymap_t) + +files_read_etc_files(hald_keymap_t) +files_read_usr_files(hald_keymap_t) + +miscfiles_read_localization(hald_keymap_t) + +# This is caused by a bug in hald and PolicyKit. +# Should be removed when this is fixed +cron_read_system_job_lib_files(hald_t) + +######################################## +# +# Local hald dccm policy +# + +allow hald_dccm_t self:capability { chown net_bind_service }; +allow hald_dccm_t self:process getsched; +allow hald_dccm_t self:fifo_file rw_fifo_file_perms; +allow hald_dccm_t self:tcp_socket create_stream_socket_perms; +allow hald_dccm_t self:udp_socket create_socket_perms; +allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms; + +domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t) +allow hald_t hald_dccm_t:process signal; +allow hald_dccm_t hald_t:unix_stream_socket connectto; + +manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) +manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) +files_search_var_lib(hald_dccm_t) + +manage_dirs_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) +manage_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) +manage_sock_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) +files_pid_filetrans(hald_dccm_t, hald_var_run_t, { dir file sock_file }) + +manage_sock_files_pattern(hald_dccm_t, hald_tmp_t, hald_tmp_t) +files_tmp_filetrans(hald_dccm_t, hald_tmp_t, sock_file) + +write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t) + 
+kernel_search_network_sysctl(hald_dccm_t) + +dev_read_urand(hald_dccm_t) + +corenet_all_recvfrom_unlabeled(hald_dccm_t) +corenet_all_recvfrom_netlabel(hald_dccm_t) +corenet_tcp_sendrecv_generic_if(hald_dccm_t) +corenet_udp_sendrecv_generic_if(hald_dccm_t) +corenet_tcp_sendrecv_generic_node(hald_dccm_t) +corenet_udp_sendrecv_generic_node(hald_dccm_t) +corenet_tcp_sendrecv_all_ports(hald_dccm_t) +corenet_udp_sendrecv_all_ports(hald_dccm_t) +corenet_tcp_bind_generic_node(hald_dccm_t) +corenet_udp_bind_generic_node(hald_dccm_t) +corenet_udp_bind_dhcpc_port(hald_dccm_t) +corenet_tcp_bind_ftp_port(hald_dccm_t) +corenet_tcp_bind_dccm_port(hald_dccm_t) + +logging_send_syslog_msg(hald_dccm_t) + +files_read_usr_files(hald_dccm_t) + +miscfiles_read_localization(hald_dccm_t) + +hal_dontaudit_rw_dgram_sockets(hald_dccm_t) + +optional_policy(` + dbus_system_bus_client(hald_dccm_t) +') diff --git a/policy/modules/services/hddtemp.fc b/policy/modules/services/hddtemp.fc new file mode 100644 index 0000000..1676612 --- /dev/null +++ b/policy/modules/services/hddtemp.fc @@ -0,0 +1,5 @@ +/etc/rc\.d/init\.d/hddtemp -- gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0) + +/etc/sysconfig/hddtemp -- gen_context(system_u:object_r:hddtemp_etc_t,s0) + +/usr/sbin/hddtemp -- gen_context(system_u:object_r:hddtemp_exec_t,s0) diff --git a/policy/modules/services/hddtemp.if b/policy/modules/services/hddtemp.if new file mode 100644 index 0000000..db2d189 --- /dev/null +++ b/policy/modules/services/hddtemp.if 
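Review bot: in hal.te the hald_t domain collects several near-unconfined grants with no justification in the hunk: dev_read_raw_memory, storage_raw_read_fixed_disk / storage_raw_write_fixed_disk, corecmd_exec_all_executables, kernel_write_proc_files and mls_file_read_all_levels; each should carry a comment naming the hal probe or addon that needs it, as was done for hal_probe_serial and pm-suspend, or be dropped if it came from an audit2allow pass. Two rules are also filed in the wrong block: `allow hald_t hald_var_run_t:dir mounton;` sits under "Hal acl local policy" but is a hald_t rule, and `cron_read_system_job_lib_files(hald_t)` with its "bug in hald and PolicyKit ... should be removed" comment sits under "Hal keymap local policy"; move both up into the hald_t section so the workaround is found when it is revisited. In the hald_mac block, `allow hald_mac_t self:capability { setgid setuid sys_admin };` together with dev_write_raw_memory(hald_mac_t) is a lot for a helper and deserves a comment saying why the write direction is needed.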
@@ -0,0 +1,73 @@ +## <summary>hddtemp hard disk temperature tool running as a daemon.</summary> + +####################################### +## <summary> +## Execute a domain transition to run hddtemp. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`hddtemp_domtrans',` + gen_require(` + type hddtemp_t, hddtemp_exec_t; + ') + + domtrans_pattern($1, hddtemp_exec_t, hddtemp_t) + corecmd_search_bin($1) +') + +###################################### +## <summary> +## Execute hddtemp. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hddtemp_exec',` + gen_require(` + type hddtemp_exec_t; + ') + + can_exec($1, hddtemp_exec_t) + corecmd_search_bin($1) +') + +######################################## +## <summary> +## All of the rules required to +## administrate an hddtemp environment. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`hddtemp_admin',` + gen_require(` + type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t; + ') + + allow $1 hddtemp_t:process { ptrace signal_perms }; + ps_process_pattern($1, hddtemp_t) + + init_labeled_script_domtrans($1, hddtemp_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 hddtemp_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, hddtemp_etc_t) + files_list_etc($1) +') diff --git a/policy/modules/services/hddtemp.te b/policy/modules/services/hddtemp.te new file mode 100644 index 0000000..1647fc4 --- /dev/null +++ b/policy/modules/services/hddtemp.te 
@@ -0,0 +1,48 @@ +policy_module(hddtemp, 1.0.1) + +######################################## +# +# Declarations +# + +type hddtemp_t; +type hddtemp_exec_t; +init_daemon_domain(hddtemp_t, hddtemp_exec_t) + +type hddtemp_initrc_exec_t; +init_script_file(hddtemp_initrc_exec_t) + +type hddtemp_etc_t; +files_config_file(hddtemp_etc_t) + +######################################## +# +# hddtemp local policy +# + +allow hddtemp_t self:capability sys_rawio; +dontaudit hddtemp_t self:capability sys_admin; +allow hddtemp_t self:netlink_route_socket r_netlink_socket_perms; +allow hddtemp_t self:tcp_socket create_stream_socket_perms; +allow hddtemp_t self:udp_socket create_socket_perms; + +allow hddtemp_t hddtemp_etc_t:file read_file_perms; + +corenet_all_recvfrom_unlabeled(hddtemp_t) +corenet_all_recvfrom_netlabel(hddtemp_t) +corenet_tcp_sendrecv_generic_if(hddtemp_t) +corenet_tcp_sendrecv_generic_node(hddtemp_t) +corenet_tcp_bind_generic_node(hddtemp_t) +corenet_tcp_sendrecv_all_ports(hddtemp_t) +corenet_tcp_bind_hddtemp_port(hddtemp_t) +corenet_sendrecv_hddtemp_server_packets(hddtemp_t) +corenet_tcp_sendrecv_hddtemp_port(hddtemp_t) + +files_search_etc(hddtemp_t) +files_read_usr_files(hddtemp_t) + +storage_raw_read_fixed_disk(hddtemp_t) + +logging_send_syslog_msg(hddtemp_t) + +miscfiles_read_localization(hddtemp_t) diff --git a/policy/modules/services/howl.fc b/policy/modules/services/howl.fc new file mode 100644 index 0000000..faf9146 --- /dev/null +++ b/policy/modules/services/howl.fc @@ -0,0 +1,5 @@ + +/usr/bin/mDNSResponder -- gen_context(system_u:object_r:howl_exec_t,s0) +/usr/bin/nifd -- gen_context(system_u:object_r:howl_exec_t,s0) + +/var/run/nifd\.pid -- gen_context(system_u:object_r:howl_var_run_t,s0) diff --git a/policy/modules/services/howl.if b/policy/modules/services/howl.if new file mode 100644 index 0000000..9164dd2 --- /dev/null +++ b/policy/modules/services/howl.if 
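Review bot: in hddtemp.te, corenet_tcp_sendrecv_hddtemp_port(hddtemp_t) is subsumed by corenet_tcp_sendrecv_all_ports(hddtemp_t) a few lines above, so one of the two is dead weight; since the daemon only binds its own port (corenet_tcp_bind_hddtemp_port), prefer keeping the specific rule and dropping the all-ports one unless traffic on other ports is actually required. The hunk also grants `allow hddtemp_t self:capability sys_rawio;` and storage_raw_read_fixed_disk(hddtemp_t) without a comment; name the disk ioctls that need raw I/O so the grant is not widened later, and note why sys_admin is dontaudited rather than needed.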
@@ -0,0 +1,19 @@ +## <summary>Port of Apple Rendezvous multicast DNS</summary> + +######################################## +## <summary> +## Send generic signals to howl. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`howl_signal',` + gen_require(` + type howl_t; + ') + + allow $1 howl_t:process signal; +') diff --git a/policy/modules/services/howl.te b/policy/modules/services/howl.te new file mode 100644 index 0000000..6ad2d3c --- /dev/null +++ b/policy/modules/services/howl.te 
@@ -0,0 +1,80 @@ +policy_module(howl, 1.9.0) + +######################################## +# +# Declarations +# + +type howl_t; +type howl_exec_t; +init_daemon_domain(howl_t, howl_exec_t) + +type howl_var_run_t; +files_pid_file(howl_var_run_t) + +######################################## +# +# Local policy +# + +allow howl_t self:capability { kill net_admin }; +dontaudit howl_t self:capability sys_tty_config; +allow howl_t self:process signal_perms; +allow howl_t self:fifo_file rw_fifo_file_perms; +allow howl_t self:tcp_socket create_stream_socket_perms; +allow howl_t self:udp_socket create_socket_perms; + +manage_files_pattern(howl_t, howl_var_run_t, howl_var_run_t) +files_pid_filetrans(howl_t, howl_var_run_t, file) + +kernel_read_network_state(howl_t) +kernel_read_kernel_sysctls(howl_t) +kernel_request_load_module(howl_t) +kernel_list_proc(howl_t) +kernel_read_proc_symlinks(howl_t) + +corenet_all_recvfrom_unlabeled(howl_t) +corenet_all_recvfrom_netlabel(howl_t) +corenet_tcp_sendrecv_generic_if(howl_t) +corenet_udp_sendrecv_generic_if(howl_t) +corenet_tcp_sendrecv_generic_node(howl_t) +corenet_udp_sendrecv_generic_node(howl_t) +corenet_tcp_sendrecv_all_ports(howl_t) +corenet_udp_sendrecv_all_ports(howl_t) +corenet_tcp_bind_generic_node(howl_t) +corenet_udp_bind_generic_node(howl_t) +corenet_tcp_bind_howl_port(howl_t) +corenet_udp_bind_howl_port(howl_t) +corenet_sendrecv_howl_server_packets(howl_t) + +dev_read_sysfs(howl_t) + +fs_getattr_all_fs(howl_t) +fs_search_auto_mountpoints(howl_t) + +domain_use_interactive_fds(howl_t) + +files_read_etc_files(howl_t) + +init_rw_utmp(howl_t) + +logging_send_syslog_msg(howl_t) + +miscfiles_read_localization(howl_t) + +sysnet_read_config(howl_t) + +userdom_dontaudit_use_unpriv_user_fds(howl_t) +userdom_dontaudit_search_user_home_dirs(howl_t) + +optional_policy(` + nis_use_ypbind(howl_t) +') + +optional_policy(` + seutil_sigchld_newrole(howl_t) +') + +optional_policy(` + udev_read_db(howl_t) +') 
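Review bot: `allow howl_t self:capability { kill net_admin };` is the broadest grant in howl.te and nothing in the hunk records why a multicast DNS responder needs net_admin (the only network configuration access visible is the read-only sysnet_read_config); add a comment naming the operation or drop it if it was carried over from an audit2allow run. The kill capability is equally undocumented: the only process permission in the hunk is signal_perms on self, and no rule lets howl_t signal another domain, so it is unclear what needs it.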
diff --git a/policy/modules/services/i18n_input.fc b/policy/modules/services/i18n_input.fc new file mode 100644 index 0000000..024eb18 --- /dev/null +++ b/policy/modules/services/i18n_input.fc @@ -0,0 +1,19 @@ +# +# /usr +# + +/usr/bin/iiimd\.bin -- gen_context(system_u:object_r:i18n_input_exec_t,s0) +/usr/bin/httx -- gen_context(system_u:object_r:i18n_input_exec_t,s0) +/usr/bin/htt_xbe -- gen_context(system_u:object_r:i18n_input_exec_t,s0) +/usr/bin/iiimx -- gen_context(system_u:object_r:i18n_input_exec_t,s0) + +/usr/lib/iiim/iiim-xbe -- gen_context(system_u:object_r:i18n_input_exec_t,s0) + +/usr/sbin/htt -- gen_context(system_u:object_r:i18n_input_exec_t,s0) +/usr/sbin/htt_server -- gen_context(system_u:object_r:i18n_input_exec_t,s0) + +# +# /var +# + +/var/run/iiim(/.*)? gen_context(system_u:object_r:i18n_input_var_run_t,s0) diff --git a/policy/modules/services/i18n_input.if b/policy/modules/services/i18n_input.if new file mode 100644 index 0000000..bc7de4f --- /dev/null +++ b/policy/modules/services/i18n_input.if @@ -0,0 +1,15 @@ +## <summary>IIIMF htt server</summary> + +######################################## +## <summary> +## Use i18n_input over a TCP connection. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`i18n_use',` + refpolicywarn(`$0($*) has been deprecated.') +') diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te new file mode 100644 index 0000000..5fc89c4 --- /dev/null +++ b/policy/modules/services/i18n_input.te 
@@ -0,0 +1,102 @@ +policy_module(i18n_input, 1.8.0) + +######################################## +# +# Declarations +# + +type i18n_input_t; +type i18n_input_exec_t; +init_daemon_domain(i18n_input_t, i18n_input_exec_t) + +type i18n_input_var_run_t; +files_pid_file(i18n_input_var_run_t) + +######################################## +# +# i18n_input local policy +# + +allow i18n_input_t self:capability { kill setgid setuid }; +dontaudit i18n_input_t self:capability sys_tty_config; +allow i18n_input_t self:process { signal_perms setsched setpgid }; +allow i18n_input_t self:fifo_file rw_fifo_file_perms; +allow i18n_input_t self:unix_dgram_socket create_socket_perms; +allow i18n_input_t self:unix_stream_socket create_stream_socket_perms; +allow i18n_input_t self:tcp_socket create_stream_socket_perms; +allow i18n_input_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t) +manage_files_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t) +manage_sock_files_pattern(i18n_input_t, i18n_input_var_run_t, i18n_input_var_run_t) +files_pid_filetrans(i18n_input_t, i18n_input_var_run_t, file) + +can_exec(i18n_input_t, i18n_input_exec_t) + +kernel_read_kernel_sysctls(i18n_input_t) +kernel_read_system_state(i18n_input_t) + +corenet_all_recvfrom_unlabeled(i18n_input_t) +corenet_all_recvfrom_netlabel(i18n_input_t) +corenet_tcp_sendrecv_generic_if(i18n_input_t) +corenet_udp_sendrecv_generic_if(i18n_input_t) +corenet_tcp_sendrecv_generic_node(i18n_input_t) +corenet_udp_sendrecv_generic_node(i18n_input_t) +corenet_tcp_sendrecv_all_ports(i18n_input_t) +corenet_udp_sendrecv_all_ports(i18n_input_t) +corenet_tcp_bind_generic_node(i18n_input_t) +corenet_tcp_bind_i18n_input_port(i18n_input_t) +corenet_tcp_connect_all_ports(i18n_input_t) +corenet_sendrecv_i18n_input_server_packets(i18n_input_t) +corenet_sendrecv_all_client_packets(i18n_input_t) + +dev_read_sysfs(i18n_input_t) + +fs_getattr_all_fs(i18n_input_t) 
+fs_search_auto_mountpoints(i18n_input_t) + +corecmd_search_bin(i18n_input_t) +corecmd_exec_bin(i18n_input_t) + +domain_use_interactive_fds(i18n_input_t) + +files_read_etc_files(i18n_input_t) +files_read_etc_runtime_files(i18n_input_t) +files_read_usr_files(i18n_input_t) + +init_stream_connect_script(i18n_input_t) + +logging_send_syslog_msg(i18n_input_t) + +miscfiles_read_localization(i18n_input_t) + +sysnet_read_config(i18n_input_t) + +userdom_dontaudit_use_unpriv_user_fds(i18n_input_t) +userdom_read_user_home_content_files(i18n_input_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(i18n_input_t) + fs_read_nfs_symlinks(i18n_input_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files(i18n_input_t) + fs_read_cifs_symlinks(i18n_input_t) +') + +optional_policy(` + canna_stream_connect(i18n_input_t) +') + +optional_policy(` + nis_use_ypbind(i18n_input_t) +') + +optional_policy(` + seutil_sigchld_newrole(i18n_input_t) +') + +optional_policy(` + udev_read_db(i18n_input_t) +') diff --git a/policy/modules/services/icecast.fc b/policy/modules/services/icecast.fc new file mode 100644 index 0000000..a81e090 --- /dev/null +++ b/policy/modules/services/icecast.fc @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/icecast -- gen_context(system_u:object_r:icecast_initrc_exec_t,s0) + +/usr/bin/icecast -- gen_context(system_u:object_r:icecast_exec_t,s0) + +/var/log/icecast(/.*)? gen_context(system_u:object_r:icecast_log_t,s0) + +/var/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0) diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if new file mode 100644 index 0000000..40affd8 --- /dev/null +++ b/policy/modules/services/icecast.if 
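Review bot: files_pid_filetrans(i18n_input_t, i18n_input_var_run_t, file) in i18n_input.te only transitions plain files, yet the domain is given manage_dirs_pattern and manage_sock_files_pattern on i18n_input_var_run_t and i18n_input.fc labels /var/run/iiim(/.*)? as a directory tree; a directory or socket the daemon creates under /var/run will inherit the parent's label instead of i18n_input_var_run_t. Use `{ dir file sock_file }` as hald_dccm_t does in hal.te. Separately, corenet_tcp_connect_all_ports(i18n_input_t) and corenet_sendrecv_all_client_packets(i18n_input_t) let the input server open outbound connections to any port, and with corecmd_exec_bin and userdom_read_user_home_content_files alongside, a comment on what it connects to (or a narrower port interface) would help reviewers.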
@@ -0,0 +1,187 @@ +## <summary> ShoutCast compatible streaming media server</summary> + +######################################## +## <summary> +## Execute a domain transition to run icecast. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`icecast_domtrans',` + gen_require(` + type icecast_t, icecast_exec_t; + ') + + domtrans_pattern($1, icecast_exec_t, icecast_t) +') + +######################################## +## <summary> +## Allow domain signal icecast +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`icecast_signal',` + gen_require(` + type icecast_t; + ') + + allow $1 icecast_t:process signal; +') + +######################################## +## <summary> +## Execute icecast server in the icecast domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`icecast_initrc_domtrans',` + gen_require(` + type icecast_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, icecast_initrc_exec_t) +') + +######################################## +## <summary> +## Read icecast PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`icecast_read_pid_files',` + gen_require(` + type icecast_var_run_t; + ') + + files_search_pids($1) + allow $1 icecast_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Manage icecast pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`icecast_manage_pid_files',` + gen_require(` + type icecast_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, icecast_var_run_t, icecast_var_run_t) +') + +######################################## +## <summary> +## Allow the specified domain to read icecast's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`icecast_read_log',` + gen_require(` + type icecast_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, icecast_log_t, icecast_log_t) +') + +######################################## +## <summary> +## Allow the specified domain to append +## icecast log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`icecast_append_log',` + gen_require(` + type icecast_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, icecast_log_t, icecast_log_t) +') + +######################################## +## <summary> +## Allow domain to manage icecast log files +## </summary> +## <param name="domain"> +## <summary> +## Domain allow access. +## </summary> +## </param> +# +interface(`icecast_manage_log',` + gen_require(` + type icecast_log_t; + ') + + logging_search_logs($1) + manage_files_pattern($1, icecast_log_t, icecast_log_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an icecast environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`icecast_admin',` + gen_require(` + type icecast_t, icecast_initrc_exec_t; + ') + + allow $1 icecast_t:process { ptrace signal_perms }; + ps_process_pattern($1, icecast_t) + + # Allow icecast_t to restart the apache service + icecast_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 icecast_initrc_exec_t system_r; + allow $2 system_r; + + icecast_manage_pid_files($1) + icecast_manage_log($1) +') diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te new file mode 100644 index 0000000..6bf7cc3 --- /dev/null +++ b/policy/modules/services/icecast.te 
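Review bot: the comment `# Allow icecast_t to restart the apache service` in icecast_admin is wrong on both counts: the rule beneath it, icecast_initrc_domtrans($1), lets the caller domain $1 (the administrator), not icecast_t, run the icecast init script, and apache is not involved; replace it with something like `# Allow $1 to run the icecast init script`. Two smaller points in the same file: the summary of icecast_initrc_domtrans says "Execute icecast server in the icecast domain" but the interface runs the init script via init_labeled_script_domtrans, so it should say init script; and `Domain allow access.` in icecast_manage_log should read `Domain allowed access.`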
@@ -0,0 +1,76 @@ +policy_module(icecast, 1.0.1) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow icecast to connect to all ports, not just +## sound ports. +## </p> +## </desc> +gen_tunable(icecast_connect_any, false) + +type icecast_t; +type icecast_exec_t; +init_daemon_domain(icecast_t, icecast_exec_t) + +type icecast_initrc_exec_t; +init_script_file(icecast_initrc_exec_t) + +type icecast_var_run_t; +files_pid_file(icecast_var_run_t) + +type icecast_log_t; +logging_log_file(icecast_log_t) + +######################################## +# +# icecast local policy +# + +allow icecast_t self:capability { dac_override setgid setuid sys_nice }; +allow icecast_t self:process { getsched fork setsched signal }; +allow icecast_t self:fifo_file rw_fifo_file_perms; +allow icecast_t self:unix_stream_socket create_stream_socket_perms; +allow icecast_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t) +manage_files_pattern(icecast_t, icecast_log_t, icecast_log_t) +logging_log_filetrans(icecast_t, icecast_log_t, { file dir }) + +manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) +manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) +files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) + +kernel_read_system_state(icecast_t) + +corenet_tcp_bind_soundd_port(icecast_t) +corenet_tcp_connect_soundd_port(icecast_t) + +tunable_policy(`icecast_connect_any',` + corenet_tcp_connect_all_ports(icecast_t) + corenet_tcp_bind_all_ports(icecast_t) + corenet_sendrecv_all_packets(icecast_t) +') + +# Init script handling +domain_use_interactive_fds(icecast_t) + +files_read_etc_files(icecast_t) + +auth_use_nsswitch(icecast_t) + +miscfiles_read_localization(icecast_t) + +sysnet_dns_name_resolve(icecast_t) + +optional_policy(` + apache_read_sys_content(icecast_t) +') + +optional_policy(` + rtkit_scheduled(icecast_t) +') 
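Review bot: the icecast_connect_any tunable is documented as "Allow icecast to connect to all ports, not just sound ports", but the tunable_policy block also grants corenet_tcp_bind_all_ports(icecast_t) and corenet_sendrecv_all_packets(icecast_t); listening on any port is a different capability from connecting out, so either narrow the block to corenet_tcp_connect_all_ports plus the matching client packet rules, or extend the <desc> so an administrator enabling the boolean knows it also allows binding any port. The base policy also lacks the corenet_all_recvfrom_unlabeled/netlabel and corenet_tcp_sendrecv_generic_if/node rules every other network daemon in this commit carries; confirm icecast_t can actually serve on the soundd port without them. Finally, dac_override in `allow icecast_t self:capability { dac_override setgid setuid sys_nice };` should have a comment, since the daemon drops privileges (setgid/setuid) and then should not need to bypass file permissions.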
diff --git a/policy/modules/services/ifplugd.fc b/policy/modules/services/ifplugd.fc new file mode 100644 index 0000000..2eda96f --- /dev/null +++ b/policy/modules/services/ifplugd.fc @@ -0,0 +1,7 @@ +/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0) + +/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0) + +/usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0) + +/var/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0) diff --git a/policy/modules/services/ifplugd.if b/policy/modules/services/ifplugd.if new file mode 100644 index 0000000..7665429 --- /dev/null +++ b/policy/modules/services/ifplugd.if 
@@ -0,0 +1,133 @@ +## <summary>Bring up/down ethernet interfaces based on cable detection.</summary> + +######################################## +## <summary> +## Execute a domain transition to run ifplugd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ifplugd_domtrans',` + gen_require(` + type ifplugd_t, ifplugd_exec_t; + ') + + domtrans_pattern($1, ifplugd_exec_t, ifplugd_t) +') + +######################################## +## <summary> +## Send a generic signal to ifplugd +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ifplugd_signal',` + gen_require(` + type ifplugd_t; + ') + + allow $1 ifplugd_t:process signal; +') + +######################################## +## <summary> +## Read ifplugd etc configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ifplugd_read_config',` + gen_require(` + type ifplugd_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) +') + +######################################## +## <summary> +## Manage ifplugd etc configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ifplugd_manage_config',` + gen_require(` + type ifplugd_etc_t; + ') + + files_search_etc($1) + manage_dirs_pattern($1, ifplugd_etc_t, ifplugd_etc_t) + manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) +') + +######################################## +## <summary> +## Read ifplugd PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`ifplugd_read_pid_files',` + gen_require(` + type ifplugd_var_run_t; + ') + + files_search_pids($1) + allow $1 ifplugd_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an ifplugd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the ifplugd domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`ifplugd_admin',` + gen_require(` + type ifplugd_t, ifplugd_etc_t, ifplugd_var_run_t; + type ifplugd_initrc_exec_t; + ') + + allow $1 ifplugd_t:process { ptrace signal_perms }; + ps_process_pattern($1, ifplugd_t) + + init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 ifplugd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, ifplugd_etc_t) + + files_list_pids($1) + admin_pattern($1, ifplugd_var_run_t) +') diff --git a/policy/modules/services/ifplugd.te b/policy/modules/services/ifplugd.te new file mode 100644 index 0000000..978c32f --- /dev/null +++ b/policy/modules/services/ifplugd.te 
@@ -0,0 +1,76 @@ +policy_module(ifplugd, 1.0.0) + +######################################## +# +# Declarations +# + +type ifplugd_t; +type ifplugd_exec_t; +init_daemon_domain(ifplugd_t, ifplugd_exec_t) + +# config files +type ifplugd_etc_t; +files_type(ifplugd_etc_t) + +type ifplugd_initrc_exec_t; +init_script_file(ifplugd_initrc_exec_t) + +# pid files +type ifplugd_var_run_t; +files_pid_file(ifplugd_var_run_t) + +######################################## +# +# ifplugd local policy +# + +allow ifplugd_t self:capability { net_admin sys_nice net_bind_service }; +dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace }; +allow ifplugd_t self:process { signal signull }; +allow ifplugd_t self:fifo_file rw_fifo_file_perms; +allow ifplugd_t self:tcp_socket create_stream_socket_perms; +allow ifplugd_t self:udp_socket create_socket_perms; +allow ifplugd_t self:packet_socket create_socket_perms; +allow ifplugd_t self:netlink_route_socket create_netlink_socket_perms; + +# pid file +manage_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t) +manage_sock_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t) +files_pid_filetrans(ifplugd_t, ifplugd_var_run_t, { file sock_file }) + +# config files +read_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t) +exec_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t) + +kernel_read_system_state(ifplugd_t) +kernel_read_network_state(ifplugd_t) +kernel_rw_net_sysctls(ifplugd_t) +kernel_read_kernel_sysctls(ifplugd_t) + +corecmd_exec_shell(ifplugd_t) +corecmd_exec_bin(ifplugd_t) + +# reading of hardware information +dev_read_sysfs(ifplugd_t) + +domain_read_confined_domains_state(ifplugd_t) +domain_dontaudit_read_all_domains_state(ifplugd_t) + +auth_use_nsswitch(ifplugd_t) + +logging_send_syslog_msg(ifplugd_t) + +miscfiles_read_localization(ifplugd_t) + +netutils_domtrans(ifplugd_t) +# transition to ifconfig & dhcpc +sysnet_domtrans_ifconfig(ifplugd_t) +sysnet_domtrans_dhcpc(ifplugd_t) 
+sysnet_delete_dhcpc_pid(ifplugd_t) +sysnet_read_dhcpc_pid(ifplugd_t) +sysnet_signal_dhcpc(ifplugd_t) + +optional_policy(` + consoletype_exec(ifplugd_t) +') diff --git a/policy/modules/services/imaze.fc b/policy/modules/services/imaze.fc new file mode 100644 index 0000000..8d455ba --- /dev/null +++ b/policy/modules/services/imaze.fc @@ -0,0 +1,4 @@ +/usr/games/imazesrv -- gen_context(system_u:object_r:imazesrv_exec_t,s0) +/usr/share/games/imaze(/.*)? gen_context(system_u:object_r:imazesrv_data_t,s0) + +/var/log/imaze\.log -- gen_context(system_u:object_r:imazesrv_log_t,s0) diff --git a/policy/modules/services/imaze.if b/policy/modules/services/imaze.if new file mode 100644 index 0000000..8eb9ec3 --- /dev/null +++ b/policy/modules/services/imaze.if @@ -0,0 +1 @@ +## <summary>iMaze game server</summary> diff --git a/policy/modules/services/imaze.te b/policy/modules/services/imaze.te new file mode 100644 index 0000000..0778af8 --- /dev/null +++ b/policy/modules/services/imaze.te 
@@ -0,0 +1,99 @@ +policy_module(imaze, 1.7.0) + +######################################## +# +# Declarations +# + +type imazesrv_t; +type imazesrv_exec_t; +init_daemon_domain(imazesrv_t, imazesrv_exec_t) + +type imazesrv_data_t; +files_type(imazesrv_data_t) + +type imazesrv_data_labs_t; +files_type(imazesrv_data_labs_t) + +type imazesrv_log_t; +logging_log_file(imazesrv_log_t) + +type imazesrv_var_run_t; +files_pid_file(imazesrv_var_run_t) + +######################################## +# +# Local policy +# + +dontaudit imazesrv_t self:capability sys_tty_config; +allow imazesrv_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow imazesrv_t self:fd use; +allow imazesrv_t self:fifo_file rw_fifo_file_perms; +allow imazesrv_t self:unix_dgram_socket { create_socket_perms sendto }; +allow imazesrv_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow imazesrv_t self:shm create_shm_perms; +allow imazesrv_t self:sem create_sem_perms; +allow imazesrv_t self:msgq create_msgq_perms; +allow imazesrv_t self:msg { send receive }; +allow imazesrv_t self:tcp_socket create_stream_socket_perms; +allow imazesrv_t self:udp_socket create_socket_perms; + +allow imazesrv_t imazesrv_data_t:dir list_dir_perms; +read_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t) +read_lnk_files_pattern(imazesrv_t, imazesrv_data_t, imazesrv_data_t) + +allow imazesrv_t imazesrv_log_t:file manage_file_perms; +allow imazesrv_t imazesrv_log_t:dir add_entry_dir_perms; +logging_log_filetrans(imazesrv_t, imazesrv_log_t, file) + +manage_files_pattern(imazesrv_t, imazesrv_var_run_t, imazesrv_var_run_t) +files_pid_filetrans(imazesrv_t, imazesrv_var_run_t, file) + +kernel_read_kernel_sysctls(imazesrv_t) +kernel_list_proc(imazesrv_t) +kernel_read_proc_symlinks(imazesrv_t) + +corenet_all_recvfrom_unlabeled(imazesrv_t) +corenet_all_recvfrom_netlabel(imazesrv_t) +corenet_tcp_sendrecv_generic_if(imazesrv_t) 
+corenet_udp_sendrecv_generic_if(imazesrv_t) +corenet_tcp_sendrecv_generic_node(imazesrv_t) +corenet_udp_sendrecv_generic_node(imazesrv_t) +corenet_tcp_sendrecv_all_ports(imazesrv_t) +corenet_udp_sendrecv_all_ports(imazesrv_t) +corenet_tcp_bind_generic_node(imazesrv_t) +corenet_udp_bind_generic_node(imazesrv_t) +corenet_tcp_bind_imaze_port(imazesrv_t) +corenet_udp_bind_imaze_port(imazesrv_t) +corenet_sendrecv_imaze_server_packets(imazesrv_t) + +dev_read_sysfs(imazesrv_t) + +domain_use_interactive_fds(imazesrv_t) + +files_read_etc_files(imazesrv_t) + +fs_getattr_all_fs(imazesrv_t) +fs_search_auto_mountpoints(imazesrv_t) + +logging_send_syslog_msg(imazesrv_t) + +miscfiles_read_localization(imazesrv_t) + +sysnet_read_config(imazesrv_t) + +userdom_use_unpriv_users_fds(imazesrv_t) +userdom_dontaudit_search_user_home_dirs(imazesrv_t) + +optional_policy(` + nis_use_ypbind(imazesrv_t) +') + +optional_policy(` + seutil_sigchld_newrole(imazesrv_t) +') + +optional_policy(` + udev_read_db(imazesrv_t) +') diff --git a/policy/modules/services/inetd.fc b/policy/modules/services/inetd.fc new file mode 100644 index 0000000..39d5baa --- /dev/null +++ b/policy/modules/services/inetd.fc @@ -0,0 +1,12 @@ + +/usr/sbin/identd -- gen_context(system_u:object_r:inetd_child_exec_t,s0) +/usr/sbin/in\..*d -- gen_context(system_u:object_r:inetd_child_exec_t,s0) +/usr/local/lib/pysieved/pysieved.*\.py -- gen_context(system_u:object_r:inetd_child_exec_t,s0) + +/usr/sbin/inetd -- gen_context(system_u:object_r:inetd_exec_t,s0) +/usr/sbin/rlinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) +/usr/sbin/xinetd -- gen_context(system_u:object_r:inetd_exec_t,s0) + +/var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0) + +/var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0) diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if new file mode 100644 index 0000000..6985546 --- /dev/null +++ b/policy/modules/services/inetd.if 
@@ -0,0 +1,204 @@ +## <summary>Internet services daemon.</summary> + +######################################## +## <summary> +## Define the specified domain as a inetd service. +## </summary> +## <desc> +## <p> +## Define the specified domain as a inetd service. The +## inetd_service_domain(), inetd_tcp_service_domain(), +## or inetd_udp_service_domain() interfaces should be used +## instead of this interface, as this interface only provides +## the common rules to these three interfaces. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## The type associated with the inetd service process. +## </summary> +## </param> +## <param name="entrypoint"> +## <summary> +## The type associated with the process program. +## </summary> +## </param> +# +interface(`inetd_core_service_domain',` + gen_require(` + type inetd_t; + role system_r; + ') + + domain_type($1) + domain_entry_file($1, $2) + + role system_r types $1; + + domtrans_pattern(inetd_t, $2, $1) + allow inetd_t $1:process { siginh sigkill }; +') + +######################################## +## <summary> +## Define the specified domain as a TCP inetd service. +## </summary> +## <param name="domain"> +## <summary> +## The type associated with the inetd service process. +## </summary> +## </param> +## <param name="entrypoint"> +## <summary> +## The type associated with the process program. +## </summary> +## </param> +# +interface(`inetd_tcp_service_domain',` + gen_require(` + type inetd_t; + ') + + inetd_core_service_domain($1, $2) + + allow $1 inetd_t:tcp_socket rw_stream_socket_perms; +') + +######################################## +## <summary> +## Define the specified domain as a UDP inetd service. +## </summary> +## <param name="domain"> +## <summary> +## The type associated with the inetd service process. +## </summary> +## </param> +## <param name="entrypoint"> +## <summary> +## The type associated with the process program. 
+## </summary> +## </param> +# +interface(`inetd_udp_service_domain',` + gen_require(` + type inetd_t; + ') + + inetd_core_service_domain($1, $2) + + allow $1 inetd_t:udp_socket rw_socket_perms; +') + +######################################## +## <summary> +## Define the specified domain as a TCP and UDP inetd service. +## </summary> +## <param name="domain"> +## <summary> +## The type associated with the inetd service process. +## </summary> +## </param> +## <param name="entrypoint"> +## <summary> +## The type associated with the process program. +## </summary> +## </param> +# +interface(`inetd_service_domain',` + gen_require(` + type inetd_t; + ') + + inetd_core_service_domain($1, $2) + + allow $1 inetd_t:tcp_socket rw_stream_socket_perms; + allow $1 inetd_t:udp_socket rw_socket_perms; + + # encrypt the service through stunnel + optional_policy(` + stunnel_service_domain($1, $2) + ') +') + +######################################## +## <summary> +## Inherit and use file descriptors from inetd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`inetd_use_fds',` + gen_require(` + type inetd_t; + ') + + allow $1 inetd_t:fd use; +') + +######################################## +## <summary> +## Connect to the inetd service using a TCP connection. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`inetd_tcp_connect',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Run inetd child process in the inet child domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`inetd_domtrans_child',` + gen_require(` + type inetd_child_t, inetd_child_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, inetd_child_exec_t, inetd_child_t) +') + +######################################## +## <summary> +## Send UDP network traffic to inetd. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`inetd_udp_send',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Read and write inetd TCP sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`inetd_rw_tcp_sockets',` + gen_require(` + type inetd_t; + ') + + allow $1 inetd_t:tcp_socket rw_stream_socket_perms; +') diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te new file mode 100644 index 0000000..c51a7b2 --- /dev/null +++ b/policy/modules/services/inetd.te 
@@ -0,0 +1,242 @@ +policy_module(inetd, 1.11.0) + +######################################## +# +# Declarations +# + +type inetd_t; +type inetd_exec_t; +init_daemon_domain(inetd_t, inetd_exec_t) + +type inetd_log_t; +logging_log_file(inetd_log_t) + +type inetd_tmp_t; +files_tmp_file(inetd_tmp_t) + +type inetd_var_run_t; +files_pid_file(inetd_var_run_t) + +type inetd_child_t; +type inetd_child_exec_t; +inetd_service_domain(inetd_child_t, inetd_child_exec_t) +role system_r types inetd_child_t; + +type inetd_child_tmp_t; +files_tmp_file(inetd_child_tmp_t) + +type inetd_child_var_run_t; +files_pid_file(inetd_child_var_run_t) + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(inetd_t, inetd_exec_t, s0 - mcs_systemhigh) +') + +######################################## +# +# Local policy +# + +allow inetd_t self:capability { setuid setgid }; +dontaudit inetd_t self:capability sys_tty_config; +allow inetd_t self:process { setsched setexec }; +allow inetd_t self:fifo_file rw_fifo_file_perms; +allow inetd_t self:tcp_socket create_stream_socket_perms; +allow inetd_t self:udp_socket create_socket_perms; +allow inetd_t self:fd use; + +allow inetd_t inetd_log_t:file manage_file_perms; +logging_log_filetrans(inetd_t, inetd_log_t, file) + +manage_dirs_pattern(inetd_t, inetd_tmp_t, inetd_tmp_t) +manage_files_pattern(inetd_t, inetd_tmp_t, inetd_tmp_t) +files_tmp_filetrans(inetd_t, inetd_tmp_t, { file dir }) + +allow inetd_t inetd_var_run_t:file manage_file_perms; +files_pid_filetrans(inetd_t, inetd_var_run_t, file) + +kernel_read_kernel_sysctls(inetd_t) +kernel_list_proc(inetd_t) +kernel_read_proc_symlinks(inetd_t) +kernel_read_system_state(inetd_t) +kernel_tcp_recvfrom_unlabeled(inetd_t) + +corecmd_bin_domtrans(inetd_t, inetd_child_t) + +# base networking: +corenet_all_recvfrom_unlabeled(inetd_t) +corenet_all_recvfrom_netlabel(inetd_t) +corenet_tcp_sendrecv_generic_if(inetd_t) +corenet_udp_sendrecv_generic_if(inetd_t) +corenet_tcp_sendrecv_generic_node(inetd_t) 
+corenet_udp_sendrecv_generic_node(inetd_t) +corenet_tcp_sendrecv_all_ports(inetd_t) +corenet_udp_sendrecv_all_ports(inetd_t) +corenet_tcp_bind_generic_node(inetd_t) +corenet_udp_bind_generic_node(inetd_t) +corenet_tcp_connect_all_ports(inetd_t) +corenet_sendrecv_all_client_packets(inetd_t) + +# listen on service ports: +corenet_tcp_bind_amanda_port(inetd_t) +corenet_udp_bind_amanda_port(inetd_t) +corenet_tcp_bind_auth_port(inetd_t) +corenet_udp_bind_comsat_port(inetd_t) +corenet_tcp_bind_dbskkd_port(inetd_t) +corenet_udp_bind_dbskkd_port(inetd_t) +corenet_tcp_bind_ftp_port(inetd_t) +corenet_udp_bind_ftp_port(inetd_t) +corenet_tcp_bind_inetd_child_port(inetd_t) +corenet_udp_bind_inetd_child_port(inetd_t) +corenet_tcp_bind_ircd_port(inetd_t) +corenet_udp_bind_ktalkd_port(inetd_t) +corenet_tcp_bind_printer_port(inetd_t) +corenet_udp_bind_rlogind_port(inetd_t) +corenet_udp_bind_rsh_port(inetd_t) +corenet_tcp_bind_rsh_port(inetd_t) +corenet_tcp_bind_rsync_port(inetd_t) +corenet_udp_bind_rsync_port(inetd_t) +#corenet_tcp_bind_stunnel_port(inetd_t) +corenet_tcp_bind_swat_port(inetd_t) +corenet_udp_bind_swat_port(inetd_t) +corenet_tcp_bind_telnetd_port(inetd_t) +corenet_udp_bind_tftp_port(inetd_t) +corenet_tcp_bind_ssh_port(inetd_t) +corenet_tcp_bind_git_port(inetd_t) +corenet_udp_bind_git_port(inetd_t) + +# service port packets: +corenet_sendrecv_amanda_server_packets(inetd_t) +corenet_sendrecv_auth_server_packets(inetd_t) +corenet_sendrecv_comsat_server_packets(inetd_t) +corenet_sendrecv_dbskkd_server_packets(inetd_t) +corenet_sendrecv_ftp_server_packets(inetd_t) +corenet_sendrecv_inetd_child_server_packets(inetd_t) +corenet_sendrecv_ircd_server_packets(inetd_t) +corenet_sendrecv_ktalkd_server_packets(inetd_t) +corenet_sendrecv_printer_server_packets(inetd_t) +corenet_sendrecv_rsh_server_packets(inetd_t) +corenet_sendrecv_rsync_server_packets(inetd_t) +#corenet_sendrecv_stunnel_server_packets(inetd_t) +corenet_sendrecv_swat_server_packets(inetd_t) 
+corenet_sendrecv_tftp_server_packets(inetd_t) + +dev_read_sysfs(inetd_t) + +fs_getattr_all_fs(inetd_t) +fs_search_auto_mountpoints(inetd_t) + +selinux_validate_context(inetd_t) +selinux_compute_create_context(inetd_t) + +# Run other daemons in the inetd_child_t domain. +corecmd_search_bin(inetd_t) +corecmd_read_bin_symlinks(inetd_t) + +domain_use_interactive_fds(inetd_t) + +files_read_etc_files(inetd_t) +files_read_etc_runtime_files(inetd_t) + +auth_use_nsswitch(inetd_t) + +logging_send_syslog_msg(inetd_t) + +miscfiles_read_localization(inetd_t) + +# xinetd needs MLS override privileges to work +mls_fd_share_all_levels(inetd_t) +mls_socket_read_to_clearance(inetd_t) +mls_socket_write_to_clearance(inetd_t) +mls_process_set_level(inetd_t) + +sysnet_read_config(inetd_t) + +userdom_dontaudit_use_unpriv_user_fds(inetd_t) +userdom_dontaudit_search_user_home_dirs(inetd_t) + +ifdef(`distro_redhat',` + optional_policy(` + unconfined_domain(inetd_t) + ') +') + +ifdef(`enable_mls',` + corenet_tcp_recvfrom_netlabel(inetd_t) + corenet_udp_recvfrom_netlabel(inetd_t) +') + +optional_policy(` + amanda_search_lib(inetd_t) +') + +optional_policy(` + seutil_sigchld_newrole(inetd_t) +') + +optional_policy(` + udev_read_db(inetd_t) +') + +optional_policy(` + unconfined_domtrans(inetd_t) +') + +######################################## +# +# inetd child local_policy +# + +allow inetd_child_t self:process signal_perms; +allow inetd_child_t self:fifo_file rw_fifo_file_perms; +allow inetd_child_t self:tcp_socket connected_stream_socket_perms; +allow inetd_child_t self:udp_socket create_socket_perms; + +# for identd +allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +allow inetd_child_t self:capability { setuid setgid }; +files_search_home(inetd_child_t) + +manage_dirs_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t) +manage_files_pattern(inetd_child_t, inetd_child_tmp_t, inetd_child_tmp_t) +files_tmp_filetrans(inetd_child_t, inetd_child_tmp_t, { file dir 
}) + +manage_files_pattern(inetd_child_t, inetd_child_var_run_t, inetd_child_var_run_t) +files_pid_filetrans(inetd_child_t, inetd_child_var_run_t, file) + +kernel_read_kernel_sysctls(inetd_child_t) +kernel_read_system_state(inetd_child_t) +kernel_read_network_state(inetd_child_t) + +corenet_all_recvfrom_unlabeled(inetd_child_t) +corenet_all_recvfrom_netlabel(inetd_child_t) +corenet_tcp_sendrecv_generic_if(inetd_child_t) +corenet_udp_sendrecv_generic_if(inetd_child_t) +corenet_tcp_sendrecv_generic_node(inetd_child_t) +corenet_udp_sendrecv_generic_node(inetd_child_t) +corenet_tcp_sendrecv_all_ports(inetd_child_t) +corenet_udp_sendrecv_all_ports(inetd_child_t) + +dev_read_urand(inetd_child_t) + +fs_getattr_xattr_fs(inetd_child_t) + +files_read_etc_files(inetd_child_t) +files_read_etc_runtime_files(inetd_child_t) + +auth_use_nsswitch(inetd_child_t) + +logging_send_syslog_msg(inetd_child_t) + +miscfiles_read_localization(inetd_child_t) + +sysnet_read_config(inetd_child_t) + +optional_policy(` + kerberos_use(inetd_child_t) +') + +optional_policy(` + unconfined_domain(inetd_child_t) +') diff --git a/policy/modules/services/inn.fc b/policy/modules/services/inn.fc new file mode 100644 index 0000000..8ca038d --- /dev/null +++ b/policy/modules/services/inn.fc 
@@ -0,0 +1,67 @@ + +# +# /etc +# +/etc/news(/.*)? gen_context(system_u:object_r:innd_etc_t,s0) +/etc/news/boot -- gen_context(system_u:object_r:innd_exec_t,s0) +/etc/rc\.d/init\.d/innd -- gen_context(system_u:object_r:innd_initrc_exec_t,s0) + +# +# /usr +# +/usr/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/bin/rpost -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/bin/suck -- gen_context(system_u:object_r:innd_exec_t,s0) + +/usr/sbin/in\.nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/sbin/innd.* -- gen_context(system_u:object_r:innd_exec_t,s0) + +/var/lib/news(/.*)? gen_context(system_u:object_r:innd_var_lib_t,s0) + +/usr/lib(64)?/news/bin/actsync -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/archive -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/batcher -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/buffchan -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/convdate -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/ctlinnd -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/cvtbatch -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/expire -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/expireover -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/fastrm -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/filechan -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/getlist -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/grephistory -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/innconfval -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/inndf -- 
gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/inndstart -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/innfeed -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/innxbatch -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/innxmit -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/makedbz -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/makehistory -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/newsrequeue -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/nntpget -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/ovdb_recover -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/overchan -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/prunehistory -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/shlock -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/shrinkfile -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib(64)?/news/bin/startinnfeed -- gen_context(system_u:object_r:innd_exec_t,s0) + +# cjp: split these to fix an ordering +# problem with a match in corecommands +/usr/lib/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib64/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0) +/usr/lib64/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0) + +/var/log/news(/.*)? gen_context(system_u:object_r:innd_log_t,s0) + +/var/run/innd(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0) +/var/run/news(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0) + +/var/spool/news(/.*)? 
gen_context(system_u:object_r:news_spool_t,s0) diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if new file mode 100644 index 0000000..2f3d8dc --- /dev/null +++ b/policy/modules/services/inn.if 
@@ -0,0 +1,227 @@ +## <summary>Internet News NNTP server</summary> + +######################################## +## <summary> +## Allow the specified domain to execute innd +## in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`inn_exec',` + gen_require(` + type innd_t; + ') + + can_exec($1, innd_exec_t) +') + +######################################## +## <summary> +## Allow the specified domain to execute +## inn configuration files in /etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`inn_exec_config',` + gen_require(` + type innd_etc_t; + ') + + can_exec($1, innd_etc_t) +') + +######################################## +## <summary> +## Create, read, write, and delete the innd log. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`inn_manage_log',` + gen_require(` + type innd_log_t; + ') + + logging_rw_generic_log_dirs($1) + manage_files_pattern($1, innd_log_t, innd_log_t) +') + +######################################## +## <summary> +## Create, read, write, and delete the innd pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`inn_manage_pid',` + gen_require(` + type innd_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, innd_var_run_t, innd_var_run_t) + manage_lnk_files_pattern($1, innd_var_run_t, innd_var_run_t) +') + +######################################## +## <summary> +## Read innd configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> + +# +interface(`inn_read_config',` + gen_require(` + type innd_etc_t; + ') + + files_search_etc($1) + allow $1 innd_etc_t:dir list_dir_perms; + allow $1 innd_etc_t:file read_file_perms; + allow $1 innd_etc_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Read innd news library files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`inn_read_news_lib',` + gen_require(` + type innd_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 innd_var_lib_t:dir list_dir_perms; + allow $1 innd_var_lib_t:file read_file_perms; + allow $1 innd_var_lib_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Read innd news library files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`inn_read_news_spool',` + gen_require(` + type news_spool_t; + ') + + files_search_spool($1) + allow $1 news_spool_t:dir list_dir_perms; + allow $1 news_spool_t:file read_file_perms; + allow $1 news_spool_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Send to a innd unix dgram socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`inn_dgram_send',` + gen_require(` + type innd_t; + ') + + allow $1 innd_t:unix_dgram_socket sendto; +') + +######################################## +## <summary> +## Execute inn in the inn domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`inn_domtrans',` + gen_require(` + type innd_t, innd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, innd_exec_t, innd_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an inn environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the inn domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`inn_admin',` + gen_require(` + type innd_t, innd_etc_t, innd_log_t; + type news_spool_t, innd_var_lib_t, innd_var_run_t; + type innd_initrc_exec_t; + ') + + allow $1 innd_t:process { ptrace signal_perms }; + ps_process_pattern($1, innd_t) + + init_labeled_script_domtrans($1, innd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 innd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, innd_etc_t) + + logging_list_logs($1) + admin_pattern($1, innd_log_t) + + files_list_var_lib($1) + admin_pattern($1, innd_var_lib_t) + + files_list_pids($1) + admin_pattern($1, innd_var_run_t) + + files_list_spool($1) + admin_pattern($1, news_spool_t) +') diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te new file mode 100644 index 0000000..dc7dd01 --- /dev/null +++ b/policy/modules/services/inn.te 
@@ -0,0 +1,132 @@ +policy_module(inn, 1.9.0) + +######################################## +# +# Declarations +# + +type innd_t; +type innd_exec_t; +init_daemon_domain(innd_t, innd_exec_t) + +type innd_etc_t; +files_config_file(innd_etc_t) + +type innd_initrc_exec_t; +init_script_file(innd_initrc_exec_t) + +type innd_log_t; +logging_log_file(innd_log_t) + +type innd_var_lib_t; +files_type(innd_var_lib_t) + +type innd_var_run_t; +files_pid_file(innd_var_run_t) + +type news_spool_t; +files_mountpoint(news_spool_t) + +######################################## +# +# Local policy +# + +allow innd_t self:capability { dac_override kill setgid setuid }; +dontaudit innd_t self:capability sys_tty_config; +allow innd_t self:process { setsched signal_perms }; +allow innd_t self:fifo_file rw_fifo_file_perms; +allow innd_t self:unix_dgram_socket { sendto create_socket_perms }; +allow innd_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow innd_t self:tcp_socket create_stream_socket_perms; +allow innd_t self:udp_socket create_socket_perms; +allow innd_t self:netlink_route_socket r_netlink_socket_perms; + +read_files_pattern(innd_t, innd_etc_t, innd_etc_t) +read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t) + +can_exec(innd_t, innd_exec_t) + +manage_files_pattern(innd_t, innd_log_t, innd_log_t) +allow innd_t innd_log_t:dir setattr_dir_perms; +logging_log_filetrans(innd_t, innd_log_t, file) + +manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) +manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) +files_var_lib_filetrans(innd_t, innd_var_lib_t, file) + +manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t) +manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) +manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) +files_pid_filetrans(innd_t, innd_var_run_t, { dir file }) + +manage_dirs_pattern(innd_t, news_spool_t, news_spool_t) +manage_files_pattern(innd_t, news_spool_t, news_spool_t) 
+manage_lnk_files_pattern(innd_t, news_spool_t, news_spool_t) + +kernel_read_kernel_sysctls(innd_t) +kernel_read_system_state(innd_t) + +corenet_all_recvfrom_unlabeled(innd_t) +corenet_all_recvfrom_netlabel(innd_t) +corenet_tcp_sendrecv_generic_if(innd_t) +corenet_udp_sendrecv_generic_if(innd_t) +corenet_tcp_sendrecv_generic_node(innd_t) +corenet_udp_sendrecv_generic_node(innd_t) +corenet_tcp_sendrecv_all_ports(innd_t) +corenet_udp_sendrecv_all_ports(innd_t) +corenet_tcp_bind_generic_node(innd_t) +corenet_tcp_bind_innd_port(innd_t) +corenet_tcp_connect_all_ports(innd_t) +corenet_sendrecv_innd_server_packets(innd_t) +corenet_sendrecv_all_client_packets(innd_t) + +dev_read_sysfs(innd_t) +dev_read_urand(innd_t) + +fs_getattr_all_fs(innd_t) +fs_search_auto_mountpoints(innd_t) + +corecmd_exec_bin(innd_t) +corecmd_exec_shell(innd_t) + +domain_use_interactive_fds(innd_t) + +files_list_spool(innd_t) +files_read_etc_files(innd_t) +files_read_etc_runtime_files(innd_t) +files_read_usr_files(innd_t) + +logging_send_syslog_msg(innd_t) + +miscfiles_read_localization(innd_t) + +seutil_dontaudit_search_config(innd_t) + +sysnet_read_config(innd_t) + +userdom_dontaudit_use_unpriv_user_fds(innd_t) +userdom_dontaudit_search_user_home_dirs(innd_t) +userdom_dgram_send(innd_t) + +mta_send_mail(innd_t) + +optional_policy(` + cron_system_entry(innd_t, innd_exec_t) +') + +optional_policy(` + hostname_exec(innd_t) +') + +optional_policy(` + nis_use_ypbind(innd_t) +') + +optional_policy(` + seutil_sigchld_newrole(innd_t) +') + +optional_policy(` + udev_read_db(innd_t) +') diff --git a/policy/modules/services/ircd.fc b/policy/modules/services/ircd.fc new file mode 100644 index 0000000..d733fa8 --- /dev/null +++ b/policy/modules/services/ircd.fc 
@@ -0,0 +1,7 @@ +/etc/(dancer-)?ircd(/.*)? gen_context(system_u:object_r:ircd_etc_t,s0) + +/usr/sbin/(dancer-)?ircd -- gen_context(system_u:object_r:ircd_exec_t,s0) + +/var/lib/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_lib_t,s0) +/var/log/(dancer-)?ircd(/.*)? gen_context(system_u:object_r:ircd_log_t,s0) +/var/run/dancer-ircd(/.*)? gen_context(system_u:object_r:ircd_var_run_t,s0) diff --git a/policy/modules/services/ircd.if b/policy/modules/services/ircd.if new file mode 100644 index 0000000..3f4de83 --- /dev/null +++ b/policy/modules/services/ircd.if @@ -0,0 +1 @@ +## <summary>IRC server</summary> diff --git a/policy/modules/services/ircd.te b/policy/modules/services/ircd.te new file mode 100644 index 0000000..75ab1e2 --- /dev/null +++ b/policy/modules/services/ircd.te 
@@ -0,0 +1,93 @@ +policy_module(ircd, 1.7.0) + +######################################## +# +# Declarations +# + +type ircd_t; +type ircd_exec_t; +init_daemon_domain(ircd_t, ircd_exec_t) + +type ircd_etc_t; +files_config_file(ircd_etc_t) + +type ircd_log_t; +logging_log_file(ircd_log_t) + +type ircd_var_lib_t; +files_type(ircd_var_lib_t) + +type ircd_var_run_t; +files_pid_file(ircd_var_run_t) + +######################################## +# +# Local policy +# + +dontaudit ircd_t self:capability sys_tty_config; +allow ircd_t self:process signal_perms; +allow ircd_t self:tcp_socket create_stream_socket_perms; +allow ircd_t self:udp_socket create_socket_perms; + +read_files_pattern(ircd_t, ircd_etc_t, ircd_etc_t) +read_lnk_files_pattern(ircd_t, ircd_etc_t, ircd_etc_t) +files_search_etc(ircd_t) + +manage_files_pattern(ircd_t, ircd_log_t, ircd_log_t) +logging_log_filetrans(ircd_t, ircd_log_t, { file dir }) + +manage_files_pattern(ircd_t, ircd_var_lib_t, ircd_var_lib_t) +files_var_lib_filetrans(ircd_t, ircd_var_lib_t, file) + +manage_files_pattern(ircd_t, ircd_var_run_t, ircd_var_run_t) +files_pid_filetrans(ircd_t, ircd_var_run_t, file) + +kernel_read_system_state(ircd_t) +kernel_read_kernel_sysctls(ircd_t) + +corecmd_search_bin(ircd_t) + +corenet_all_recvfrom_unlabeled(ircd_t) +corenet_all_recvfrom_netlabel(ircd_t) +corenet_tcp_sendrecv_generic_if(ircd_t) +corenet_udp_sendrecv_generic_if(ircd_t) +corenet_tcp_sendrecv_generic_node(ircd_t) +corenet_udp_sendrecv_generic_node(ircd_t) +corenet_tcp_sendrecv_all_ports(ircd_t) +corenet_udp_sendrecv_all_ports(ircd_t) +corenet_tcp_bind_generic_node(ircd_t) +corenet_tcp_bind_ircd_port(ircd_t) +corenet_sendrecv_ircd_server_packets(ircd_t) + +dev_read_sysfs(ircd_t) + +domain_use_interactive_fds(ircd_t) + +files_read_etc_files(ircd_t) +files_read_etc_runtime_files(ircd_t) + +fs_getattr_all_fs(ircd_t) +fs_search_auto_mountpoints(ircd_t) + +logging_send_syslog_msg(ircd_t) + +miscfiles_read_localization(ircd_t) + 
+sysnet_read_config(ircd_t) + +userdom_dontaudit_use_unpriv_user_fds(ircd_t) +userdom_dontaudit_search_user_home_dirs(ircd_t) + +optional_policy(` + nis_use_ypbind(ircd_t) +') + +optional_policy(` + seutil_sigchld_newrole(ircd_t) +') + +optional_policy(` + udev_read_db(ircd_t) +') diff --git a/policy/modules/services/irqbalance.fc b/policy/modules/services/irqbalance.fc new file mode 100644 index 0000000..3831075 --- /dev/null +++ b/policy/modules/services/irqbalance.fc @@ -0,0 +1,2 @@ + +/usr/sbin/irqbalance -- gen_context(system_u:object_r:irqbalance_exec_t,s0) diff --git a/policy/modules/services/irqbalance.if b/policy/modules/services/irqbalance.if new file mode 100644 index 0000000..058fb75 --- /dev/null +++ b/policy/modules/services/irqbalance.if @@ -0,0 +1 @@ +## <summary>IRQ balancing daemon</summary> diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te new file mode 100644 index 0000000..9aeeaf9 --- /dev/null +++ b/policy/modules/services/irqbalance.te 
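Review bot: in ircd.te, `logging_log_filetrans(ircd_t, ircd_log_t, { file dir })` is paired only with `manage_files_pattern(ircd_t, ircd_log_t, ircd_log_t)`, so the `dir` half of the transition can never be exercised (ircd_t has no dir create permission on ircd_log_t); either add `manage_dirs_pattern(ircd_t, ircd_log_t, ircd_log_t)` or drop `dir` from the transition. The same mismatch applies to ircd_var_lib_t and ircd_var_run_t: their fc entries label whole directory trees (`(/.*)?`) while the domain gets only file permissions, so the daemon cannot create subdirectories under its own state directory. The irqbalance.fc hunk that follows has a stray leading blank line before the `/usr/sbin/irqbalance` entry.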
@@ -0,0 +1,56 @@ +policy_module(irqbalance, 1.5.0) + +######################################## +# +# Declarations +# + +type irqbalance_t; +type irqbalance_exec_t; +init_daemon_domain(irqbalance_t, irqbalance_exec_t) + +type irqbalance_var_run_t; +files_pid_file(irqbalance_var_run_t) + +######################################## +# +# Local policy +# + +allow irqbalance_t self:capability { setpcap net_admin }; +dontaudit irqbalance_t self:capability sys_tty_config; +allow irqbalance_t self:process { getcap setcap signal_perms }; +allow irqbalance_t self:udp_socket create_socket_perms; + +manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t) +files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file) + +kernel_read_network_state(irqbalance_t) +kernel_read_system_state(irqbalance_t) +kernel_read_kernel_sysctls(irqbalance_t) +kernel_rw_irq_sysctls(irqbalance_t) + +dev_read_sysfs(irqbalance_t) + +files_read_etc_files(irqbalance_t) +files_read_etc_runtime_files(irqbalance_t) + +fs_getattr_all_fs(irqbalance_t) +fs_search_auto_mountpoints(irqbalance_t) + +domain_use_interactive_fds(irqbalance_t) + +logging_send_syslog_msg(irqbalance_t) + +miscfiles_read_localization(irqbalance_t) + +userdom_dontaudit_use_unpriv_user_fds(irqbalance_t) +userdom_dontaudit_search_user_home_dirs(irqbalance_t) + +optional_policy(` + seutil_sigchld_newrole(irqbalance_t) +') + +optional_policy(` + udev_read_db(irqbalance_t) +') diff --git a/policy/modules/services/jabber.fc b/policy/modules/services/jabber.fc new file mode 100644 index 0000000..deef4c7 --- /dev/null +++ b/policy/modules/services/jabber.fc 
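Review bot: irqbalance_var_run_t is declared with `files_pid_file()` and gets `files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file)`, but irqbalance.fc labels only `/usr/sbin/irqbalance`. With no `/var/run/...` entry a relabel (restorecon) resets the pid file to var_run_t and the manage rule stops applying until the daemon recreates it; add the fc line for whatever pid path the daemon actually writes (that path is not visible in this patch, so please confirm it). Also worth a comment: `allow irqbalance_t self:capability { setpcap net_admin };` alongside `udp_socket create_socket_perms` is a broader grant than the rest of this module needs for reading /proc and writing IRQ sysctls; if net_admin is there for interface ioctls, say so the way kerberos.te annotates its capability lines.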
@@ -0,0 +1,15 @@ +/etc/rc\.d/init\.d/jabber -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0) + +/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) + +# for new version of jabberd +/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) +/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) +/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0) +/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0) + +/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) + + +/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) +/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if new file mode 100644 index 0000000..9167dc9 --- /dev/null +++ b/policy/modules/services/jabber.if 
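Review bot: `/usr/bin/router`, `/usr/bin/c2s`, `/usr/bin/s2s` and `/usr/bin/sm` are very generic names to label as jabberd executables; on a host where any other package ships a `sm` or `router` binary under /usr/bin, those would be relabelled and init would transition them into jabberd_router_t/jabberd_t. If the newer jabberd really installs into /usr/bin, either restrict the patterns to the paths the package ships or extend the `# for new version of jabberd` comment to record the assumption. Also jabberd_var_run_t is declared in jabber.te with a pid filetrans, but this fc has no `/var/run/` entry for it, so pid files get the label only via the transition and lose it on relabel; the jabber.te comment says log and pid files moved into /var/lib/jabberd, so either add the fc line or drop the type. Minor: stray double blank line before `/var/lib/jabber(/.*)?`.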
@@ -0,0 +1,138 @@ +## <summary>Jabber instant messaging server</summary> + +####################################### +## <summary> +## Execute a domain transition to run jabberd services +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`jabber_domtrans_jabberd',` + gen_require(` + type jabberd_t, jabberd_exec_t; + ') + + domtrans_pattern($1, jabberd_exec_t, jabberd_t) +') + +###################################### +## <summary> +## Execute a domain transition to run jabberd router service +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`jabber_domtrans_jabberd_router',` + gen_require(` + type jabberd_router_t, jabberd_router_exec_t; + ') + + domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t) +') + +####################################### +## <summary> +## Read jabberd lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`jabberd_read_lib_files',` + gen_require(` + type jabberd_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) +') + +####################################### +## <summary> +## Dontaudit inherited read jabberd lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`jabberd_dontaudit_read_lib_files',` + gen_require(` + type jabberd_var_lib_t; + ') + + dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms; +') + +####################################### +## <summary> +## Create, read, write, and delete +## jabberd lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`jabberd_manage_lib_files',` + gen_require(` + type jabberd_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an jabber environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the jabber domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`jabber_admin',` + gen_require(` + type jabberd_t, jabberd_log_t, jabberd_var_lib_t; + type jabberd_var_run_t, jabberd_initrc_exec_t, jabberd_router_t; + ') + + allow $1 jabberd_t:process { ptrace signal_perms }; + ps_process_pattern($1, jabberd_t) + + allow $1 jabberd_router_t:process { ptrace signal_perms }; + ps_process_pattern($1, jabberd_router_t) + + init_labeled_script_domtrans($1, jabberd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 jabberd_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + admin_pattern($1, jabberd_log_t) + + files_list_var_lib($1) + admin_pattern($1, jabberd_var_lib_t) + + files_list_pids($1) + admin_pattern($1, jabberd_var_run_t) +') diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te new file mode 100644 index 0000000..e184dff --- /dev/null +++ b/policy/modules/services/jabber.te 
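Review bot: interface naming is mixed: `jabber_domtrans_jabberd`, `jabber_domtrans_jabberd_router` and `jabber_admin` use the module prefix `jabber_`, while `jabberd_read_lib_files`, `jabberd_dontaudit_read_lib_files` and `jabberd_manage_lib_files` use `jabberd_`. Refpolicy interfaces are prefixed with the module name, so rename the three lib-file interfaces to `jabber_read_lib_files` etc. before other modules start calling them. In `jabber_admin`, the summary reads "an jabber environment" (should be "a jabber environment"); the same wording appears in the kerberos and kerneloops admin interfaces in this patch.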
@@ -0,0 +1,120 @@ +policy_module(jabber, 1.8.0) + +######################################## +# +# Declarations +# + +attribute jabberd_domain; + +type jabberd_t, jabberd_domain; +type jabberd_exec_t; +init_daemon_domain(jabberd_t, jabberd_exec_t) + +type jabberd_initrc_exec_t; +init_script_file(jabberd_initrc_exec_t) + +type jabberd_router_t, jabberd_domain; +type jabberd_router_exec_t; +init_daemon_domain(jabberd_router_t, jabberd_router_exec_t) + +type jabberd_log_t; +logging_log_file(jabberd_log_t) + +type jabberd_var_lib_t; +files_type(jabberd_var_lib_t) + +type jabberd_var_run_t; +files_pid_file(jabberd_var_run_t) + +permissive jabberd_router_t; +permissive jabberd_t; + +###################################### +# +# Local policy for jabberd-router and c2s components +# + +allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms; + +corenet_tcp_bind_jabber_client_port(jabberd_router_t) +corenet_tcp_bind_jabber_router_port(jabberd_router_t) +corenet_tcp_connect_jabber_router_port(jabberd_router_t) +corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) +corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) + +fs_getattr_all_fs(jabberd_router_t) + +miscfiles_read_certs(jabberd_router_t) + +optional_policy(` + kerberos_use(jabberd_router_t) +') + +optional_policy(` + nis_use_ypbind(jabberd_router_t) +') + +##################################### +# +# Local policy for other jabberd components +# + +kernel_read_system_state(jabberd_t) + +corenet_tcp_bind_jabber_interserver_port(jabberd_t) +corenet_tcp_connect_jabber_router_port(jabberd_t) + +userdom_dontaudit_use_unpriv_user_fds(jabberd_t) +userdom_dontaudit_search_user_home_dirs(jabberd_t) + +optional_policy(` + seutil_sigchld_newrole(jabberd_t) +') + +optional_policy(` + udev_read_db(jabberd_t) +') + +####################################### +# +# Local policy for jabberd domains +# + +allow jabberd_domain self:process signal_perms; +allow jabberd_domain self:fifo_file 
read_fifo_file_perms; +allow jabberd_domain self:tcp_socket create_stream_socket_perms; +allow jabberd_domain self:udp_socket create_socket_perms; + +manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t) +manage_dirs_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t) + +# log and pid files are moved into /var/lib/jabberd in the newer version of jabberd +manage_files_pattern(jabberd_domain, jabberd_log_t, jabberd_log_t) +logging_log_filetrans(jabberd_domain, jabberd_log_t, { file dir }) + +manage_files_pattern(jabberd_domain, jabberd_var_run_t, jabberd_var_run_t) +files_pid_filetrans(jabberd_domain, jabberd_var_run_t, file) + +corenet_all_recvfrom_unlabeled(jabberd_domain) +corenet_all_recvfrom_netlabel(jabberd_domain) +corenet_tcp_sendrecv_generic_if(jabberd_domain) +corenet_udp_sendrecv_generic_if(jabberd_domain) +corenet_tcp_sendrecv_generic_node(jabberd_domain) +corenet_udp_sendrecv_generic_node(jabberd_domain) +corenet_tcp_sendrecv_all_ports(jabberd_domain) +corenet_udp_sendrecv_all_ports(jabberd_domain) +corenet_tcp_bind_generic_node(jabberd_domain) + +dev_read_urand(jabberd_domain) +dev_read_urand(jabberd_domain) +dev_read_sysfs(jabberd_domain) + +files_read_etc_files(jabberd_domain) +files_read_etc_runtime_files(jabberd_domain) + +logging_send_syslog_msg(jabberd_domain) + +miscfiles_read_localization(jabberd_domain) + +sysnet_read_config(jabberd_domain) diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc new file mode 100644 index 0000000..e5db539 --- /dev/null +++ b/policy/modules/services/kerberos.fc 
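Review bot: `permissive jabberd_router_t;` and `permissive jabberd_t;` ship both domains in permissive mode, so every rule in this file is advisory only: denials are logged but nothing is enforced, and the jabberd domains effectively run unconfined while appearing to be confined. Drop the two lines (or keep them out of the merged policy until the module has been exercised on a real deployment). Minor: `dev_read_urand(jabberd_domain)` is duplicated, and `logging_log_filetrans(jabberd_domain, jabberd_log_t, { file dir })` has no matching `manage_dirs_pattern` on jabberd_log_t, so the dir transition cannot be used.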
@@ -0,0 +1,33 @@ +HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) +/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) + +/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0) +/etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0) + +/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) +/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) +/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) + +/etc/rc\.d/init\.d/kadmin -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) +/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) +/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) +/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) + +/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) +/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) +/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) +/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) + +/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) +/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) + +/var/kerberos/krb5kdc(/.*)? 
gen_context(system_u:object_r:krb5kdc_conf_t,s0) +/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) +/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) +/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) + +/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) +/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) + +/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if new file mode 100644 index 0000000..8c72504 --- /dev/null +++ b/policy/modules/services/kerberos.if 
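Review bot: kpropd is labelled only at `/usr/kerberos/sbin/kpropd`, while krb5kdc and kadmind use `/usr/(local/)?(kerberos/)?sbin/...`. An install that puts kpropd in /usr/sbin (the layout this fc already anticipates for the other two daemons) never gets kpropd_exec_t, so the kpropd_t rules in kerberos.te never apply; suggest `/usr/(local/)?(kerberos/)?sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)`, and the same treatment for `/usr/kerberos/sbin/kadmin\.local`. Also the lock-file entries (`from_master.*` and `principal.*\.ok` -> krb5kdc_lock_t) exist only under /var/kerberos/krb5kdc; for the /etc/krb5kdc and /usr/local/var/krb5kdc layouts those files fall under `principal.*` and get krb5kdc_principal_t instead, so the lock type is applied inconsistently across the three layouts.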
@@ -0,0 +1,378 @@ +## <summary>MIT Kerberos admin and KDC</summary> +## <desc> +## <p> +## This policy supports: +## </p> +## <p> +## Servers: +## <ul> +## <li>kadmind</li> +## <li>krb5kdc</li> +## </ul> +## </p> +## <p> +## Clients: +## <ul> +## <li>kinit</li> +## <li>kdestroy</li> +## <li>klist</li> +## <li>ksu (incomplete)</li> +## </ul> +## </p> +## </desc> + +######################################## +## <summary> +## Execute kadmind in the current domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kerberos_exec_kadmind',` + gen_require(` + type kadmind_exec_t; + ') + + can_exec($1, kadmind_exec_t) +') + +######################################## +## <summary> +## Execute a domain transition to run kpropd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`kerberos_domtrans_kpropd',` + gen_require(` + type kpropd_t, kpropd_exec_t; + ') + + domtrans_pattern($1, kpropd_exec_t, kpropd_t) +') + +######################################## +## <summary> +## Use kerberos services +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`kerberos_use',` + gen_require(` + type krb5_conf_t, krb5kdc_conf_t, krb5_host_rcache_t; + ') + + files_search_etc($1) + read_files_pattern($1, krb5_conf_t, krb5_conf_t) + dontaudit $1 krb5_conf_t:file write; + dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; + dontaudit $1 krb5kdc_conf_t:file rw_file_perms; + + #kerberos libraries are attempting to set the correct file context + dontaudit $1 self:process setfscreate; + selinux_dontaudit_validate_context($1) + seutil_dontaudit_read_file_contexts($1) + + tunable_policy(`allow_kerberos',` + allow $1 self:tcp_socket create_socket_perms; + allow $1 self:udp_socket create_socket_perms; + + corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) + corenet_udp_sendrecv_generic_node($1) + corenet_tcp_sendrecv_kerberos_port($1) + corenet_udp_sendrecv_kerberos_port($1) + corenet_tcp_bind_generic_node($1) + corenet_udp_bind_generic_node($1) + corenet_tcp_connect_kerberos_port($1) + corenet_tcp_connect_ocsp_port($1) + corenet_sendrecv_kerberos_client_packets($1) + corenet_sendrecv_ocsp_client_packets($1) + + allow $1 krb5_host_rcache_t:file getattr_file_perms; + ') + + optional_policy(` + tunable_policy(`allow_kerberos',` + pcscd_stream_connect($1) + ') + ') + + optional_policy(` + sssd_read_public_files($1) + ') +') + +######################################## +## <summary> +## Read the kerberos configuration file (/etc/krb5.conf). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`kerberos_read_config',` + gen_require(` + type krb5_conf_t, krb5_home_t; + ') + + files_search_etc($1) + allow $1 krb5_conf_t:file read_file_perms; + allow $1 krb5_home_t:file read_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to write the kerberos +## configuration file (/etc/krb5.conf). +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kerberos_dontaudit_write_config',` + gen_require(` + type krb5_conf_t; + ') + + dontaudit $1 krb5_conf_t:file write; +') + +######################################## +## <summary> +## Read and write the kerberos configuration file (/etc/krb5.conf). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kerberos_rw_config',` + gen_require(` + type krb5_conf_t; + ') + + files_search_etc($1) + allow $1 krb5_conf_t:file rw_file_perms; +') + +######################################## +## <summary> +## Read the kerberos key table. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kerberos_read_keytab',` + gen_require(` + type krb5_keytab_t; + ') + + files_search_etc($1) + allow $1 krb5_keytab_t:file read_file_perms; +') + +######################################## +## <summary> +## Read/Write the kerberos key table. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kerberos_rw_keytab',` + gen_require(` + type krb5_keytab_t; + ') + + files_search_etc($1) + allow $1 krb5_keytab_t:file rw_file_perms; +') + +######################################## +## <summary> +## Create a derived type for kerberos keytab +## </summary> +## <param name="prefix"> +## <summary> +## The prefix to be used for deriving type names. 
+## </summary> +## </param> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +template(`kerberos_keytab_template',` + type $1_keytab_t; + files_type($1_keytab_t) + + allow $2 $1_keytab_t:file read_file_perms; + + kerberos_read_keytab($2) + kerberos_use($2) +') + +######################################## +## <summary> +## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kerberos_read_kdc_config',` + gen_require(` + type krb5kdc_conf_t; + ') + + files_search_etc($1) + read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) +') + +######################################## +## <summary> +## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kerberos_manage_host_rcache',` + gen_require(` + type krb5_host_rcache_t; + ') + + # creates files as system_u no matter what the selinux user + # cjp: should be in the below tunable but typeattribute + # does not work in conditionals + domain_obj_id_change_exemption($1) + + tunable_policy(`allow_kerberos',` + allow $1 self:process setfscreate; + + selinux_validate_context($1) + + seutil_read_file_contexts($1) + + allow $1 krb5_host_rcache_t:file manage_file_perms; + files_search_tmp($1) + ') +') + +######################################## +## <summary> +## Connect to krb524 service +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`kerberos_connect_524',` + tunable_policy(`allow_kerberos',` + allow $1 self:udp_socket create_socket_perms; + + corenet_all_recvfrom_unlabeled($1) + corenet_udp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_node($1) + corenet_udp_sendrecv_kerberos_master_port($1) + corenet_sendrecv_kerberos_master_client_packets($1) + ') +') + +######################################## +## <summary> +## All of the rules required to administrate +## an kerberos environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the kerberos domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`kerberos_admin',` + gen_require(` + type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; + type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; + type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t; + type krb5kdc_var_run_t, krb5_host_rcache_t; + ') + + allow $1 kadmind_t:process { ptrace signal_perms }; + ps_process_pattern($1, kadmind_t) + + allow $1 krb5kdc_t:process { ptrace signal_perms }; + ps_process_pattern($1, krb5kdc_t) + + allow $1 kpropd_t:process { ptrace signal_perms }; + ps_process_pattern($1, kpropd_t) + + init_labeled_script_domtrans($1, kerberos_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 kerberos_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + admin_pattern($1, kadmind_log_t) + + files_list_tmp($1) + admin_pattern($1, kadmind_tmp_t) + + files_list_pids($1) + admin_pattern($1, kadmind_var_run_t) + + admin_pattern($1, krb5_conf_t) + + admin_pattern($1, krb5_host_rcache_t) + + admin_pattern($1, krb5_keytab_t) + + admin_pattern($1, krb5kdc_principal_t) + + admin_pattern($1, krb5kdc_tmp_t) + + admin_pattern($1, krb5kdc_var_run_t) +') 
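Review bot: the doc block on `kerberos_manage_host_rcache` is a copy of the one on `kerberos_read_kdc_config` ("Read the kerberos kdc configuration file (/etc/krb5kdc.conf).", including `<rolecap/>`), which is wrong for an interface that grants `manage_file_perms` on krb5_host_rcache_t plus `setfscreate` and `domain_obj_id_change_exemption`; fix the summary and drop `<rolecap/>` unless it is intended as a role capability. In `kerberos_admin`, `krb5kdc_conf_t` is listed in `gen_require` but never used, and krb5kdc_log_t and krb5kdc_lock_t are not covered at all, so an admin role can manage kadmind_log_t but not `/var/log/krb5kdc.log` or the KDC lock files; add `admin_pattern($1, krb5kdc_conf_t)`, `admin_pattern($1, krb5kdc_log_t)` and `admin_pattern($1, krb5kdc_lock_t)` (with the matching gen_require entries). Minor: the summaries refer to "/etc/krb5kdc.conf" whereas the fc labels the `/etc/krb5kdc(/.*)?` directory.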
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te new file mode 100644 index 0000000..744e7d6 --- /dev/null +++ b/policy/modules/services/kerberos.te 
@@ -0,0 +1,329 @@ +policy_module(kerberos, 1.11.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow confined applications to run with kerberos. +## </p> +## </desc> +gen_tunable(allow_kerberos, false) + +type kadmind_t; +type kadmind_exec_t; +init_daemon_domain(kadmind_t, kadmind_exec_t) +domain_obj_id_change_exemption(kadmind_t) + +type kadmind_log_t; +logging_log_file(kadmind_log_t) + +type kadmind_tmp_t; +files_tmp_file(kadmind_tmp_t) + +type kadmind_var_run_t; +files_pid_file(kadmind_var_run_t) + +type kerberos_initrc_exec_t; +init_script_file(kerberos_initrc_exec_t) + +type kpropd_t; +type kpropd_exec_t; +init_daemon_domain(kpropd_t, kpropd_exec_t) +domain_obj_id_change_exemption(kpropd_t) + +type krb5_conf_t; +files_type(krb5_conf_t) + +type krb5_home_t; +userdom_user_home_content(krb5_home_t) + +type krb5_host_rcache_t; +files_tmp_file(krb5_host_rcache_t) + +# types for general configuration files in /etc +type krb5_keytab_t; +files_security_file(krb5_keytab_t) + +# types for KDC configs and principal file(s) +type krb5kdc_conf_t; +files_type(krb5kdc_conf_t) + +type krb5kdc_lock_t; +files_type(krb5kdc_lock_t) + +# types for KDC principal file(s) +type krb5kdc_principal_t; +files_type(krb5kdc_principal_t) + +type krb5kdc_t; +type krb5kdc_exec_t; +init_daemon_domain(krb5kdc_t, krb5kdc_exec_t) +domain_obj_id_change_exemption(krb5kdc_t) + +type krb5kdc_log_t; +logging_log_file(krb5kdc_log_t) + +type krb5kdc_tmp_t; +files_tmp_file(krb5kdc_tmp_t) + +type krb5kdc_var_run_t; +files_pid_file(krb5kdc_var_run_t) + +######################################## +# +# kadmind local policy +# + +# Use capabilities. Surplus capabilities may be allowed. 
+allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; +dontaudit kadmind_t self:capability sys_tty_config; +allow kadmind_t self:process { setfscreate signal_perms }; +allow kadmind_t self:netlink_route_socket r_netlink_socket_perms; +allow kadmind_t self:unix_dgram_socket { connect create write }; +allow kadmind_t self:tcp_socket connected_stream_socket_perms; +allow kadmind_t self:udp_socket create_socket_perms; + +allow kadmind_t kadmind_log_t:file manage_file_perms; +logging_log_filetrans(kadmind_t, kadmind_log_t, file) + +allow kadmind_t krb5_conf_t:file read_file_perms; +dontaudit kadmind_t krb5_conf_t:file write; + +read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t) +dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms }; + +allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms }; + +allow kadmind_t krb5kdc_principal_t:file manage_file_perms; +filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file) + +can_exec(kadmind_t, kadmind_exec_t) + +manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) +manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) +files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) + +manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t) +files_pid_filetrans(kadmind_t, kadmind_var_run_t, file) + +kernel_read_kernel_sysctls(kadmind_t) +kernel_list_proc(kadmind_t) +kernel_read_network_state(kadmind_t) +kernel_read_proc_symlinks(kadmind_t) +kernel_read_system_state(kadmind_t) + +corenet_all_recvfrom_unlabeled(kadmind_t) +corenet_all_recvfrom_netlabel(kadmind_t) +corenet_tcp_sendrecv_generic_if(kadmind_t) +corenet_udp_sendrecv_generic_if(kadmind_t) +corenet_tcp_sendrecv_generic_node(kadmind_t) +corenet_udp_sendrecv_generic_node(kadmind_t) +corenet_tcp_sendrecv_all_ports(kadmind_t) +corenet_udp_sendrecv_all_ports(kadmind_t) +corenet_tcp_bind_generic_node(kadmind_t) +corenet_udp_bind_generic_node(kadmind_t) 
+corenet_tcp_bind_kerberos_admin_port(kadmind_t) +corenet_tcp_bind_kerberos_password_port(kadmind_t) +corenet_udp_bind_kerberos_admin_port(kadmind_t) +corenet_udp_bind_kerberos_password_port(kadmind_t) +corenet_tcp_bind_reserved_port(kadmind_t) +corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t) +corenet_sendrecv_kerberos_admin_server_packets(kadmind_t) +corenet_sendrecv_kerberos_password_server_packets(kadmind_t) + +dev_read_sysfs(kadmind_t) +dev_read_rand(kadmind_t) +dev_read_urand(kadmind_t) + +fs_getattr_all_fs(kadmind_t) +fs_search_auto_mountpoints(kadmind_t) + +domain_use_interactive_fds(kadmind_t) + +files_read_etc_files(kadmind_t) +files_read_usr_symlinks(kadmind_t) +files_read_usr_files(kadmind_t) +files_read_var_files(kadmind_t) + +selinux_validate_context(kadmind_t) + +logging_send_syslog_msg(kadmind_t) + +miscfiles_read_generic_certs(kadmind_t) +miscfiles_read_localization(kadmind_t) + +seutil_read_file_contexts(kadmind_t) + +sysnet_read_config(kadmind_t) +sysnet_use_ldap(kadmind_t) + +userdom_dontaudit_use_unpriv_user_fds(kadmind_t) +userdom_dontaudit_search_user_home_dirs(kadmind_t) + +optional_policy(` + nis_use_ypbind(kadmind_t) +') + +optional_policy(` + seutil_sigchld_newrole(kadmind_t) +') + +optional_policy(` + udev_read_db(kadmind_t) +') + +######################################## +# +# Krb5kdc local policy +# + +# Use capabilities. Surplus capabilities may be allowed. 
+allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; +dontaudit krb5kdc_t self:capability sys_tty_config; +allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms }; +allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; +allow krb5kdc_t self:tcp_socket create_stream_socket_perms; +allow krb5kdc_t self:udp_socket create_socket_perms; +allow krb5kdc_t self:fifo_file rw_fifo_file_perms; + +allow krb5kdc_t krb5_conf_t:file read_file_perms; +dontaudit krb5kdc_t krb5_conf_t:file write; + +can_exec(krb5kdc_t, krb5kdc_exec_t) + +read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t) +dontaudit krb5kdc_t krb5kdc_conf_t:file write; + +allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms }; + +allow krb5kdc_t krb5kdc_log_t:file manage_file_perms; +logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) + +allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms; + +manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) +manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) +files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) + +manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) +files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file) + +kernel_read_system_state(krb5kdc_t) +kernel_read_kernel_sysctls(krb5kdc_t) +kernel_list_proc(krb5kdc_t) +kernel_read_proc_symlinks(krb5kdc_t) +kernel_read_network_state(krb5kdc_t) +kernel_search_network_sysctl(krb5kdc_t) + +corecmd_exec_bin(krb5kdc_t) + +corenet_all_recvfrom_unlabeled(krb5kdc_t) +corenet_all_recvfrom_netlabel(krb5kdc_t) +corenet_tcp_sendrecv_generic_if(krb5kdc_t) +corenet_udp_sendrecv_generic_if(krb5kdc_t) +corenet_tcp_sendrecv_generic_node(krb5kdc_t) +corenet_udp_sendrecv_generic_node(krb5kdc_t) +corenet_tcp_sendrecv_all_ports(krb5kdc_t) +corenet_udp_sendrecv_all_ports(krb5kdc_t) +corenet_tcp_bind_generic_node(krb5kdc_t) +corenet_udp_bind_generic_node(krb5kdc_t) 
+corenet_tcp_bind_kerberos_port(krb5kdc_t) +corenet_udp_bind_kerberos_port(krb5kdc_t) +corenet_tcp_connect_ocsp_port(krb5kdc_t) +corenet_sendrecv_kerberos_server_packets(krb5kdc_t) +corenet_sendrecv_ocsp_client_packets(krb5kdc_t) + +dev_read_sysfs(krb5kdc_t) +dev_read_urand(krb5kdc_t) + +fs_getattr_all_fs(krb5kdc_t) +fs_search_auto_mountpoints(krb5kdc_t) + +domain_use_interactive_fds(krb5kdc_t) + +files_read_etc_files(krb5kdc_t) +files_read_usr_symlinks(krb5kdc_t) +files_read_var_files(krb5kdc_t) + +selinux_validate_context(krb5kdc_t) + +logging_send_syslog_msg(krb5kdc_t) + +miscfiles_read_generic_certs(krb5kdc_t) +miscfiles_read_localization(krb5kdc_t) + +seutil_read_file_contexts(krb5kdc_t) + +sysnet_read_config(krb5kdc_t) +sysnet_use_ldap(krb5kdc_t) + +userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) +userdom_dontaudit_search_user_home_dirs(krb5kdc_t) + +optional_policy(` + nis_use_ypbind(krb5kdc_t) +') + +optional_policy(` + seutil_sigchld_newrole(krb5kdc_t) +') + +optional_policy(` + udev_read_db(krb5kdc_t) +') + +######################################## +# +# kpropd local policy +# + +allow kpropd_t self:capability net_bind_service; +allow kpropd_t self:process setfscreate; + +allow kpropd_t self:fifo_file rw_file_perms; +allow kpropd_t self:unix_stream_socket create_stream_socket_perms; +allow kpropd_t self:tcp_socket create_stream_socket_perms; + +allow kpropd_t krb5_host_rcache_t:file manage_file_perms; + +allow kpropd_t krb5_keytab_t:file read_file_perms; + +read_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_conf_t) + +manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t) +filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file) + +manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t) + +manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) +manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) +files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) + +corecmd_exec_bin(kpropd_t) + 
+corenet_all_recvfrom_unlabeled(kpropd_t) +corenet_tcp_sendrecv_generic_if(kpropd_t) +corenet_tcp_sendrecv_generic_node(kpropd_t) +corenet_tcp_sendrecv_all_ports(kpropd_t) +corenet_tcp_bind_generic_node(kpropd_t) +corenet_tcp_bind_kprop_port(kpropd_t) + +dev_read_urand(kpropd_t) + +files_read_etc_files(kpropd_t) +files_search_tmp(kpropd_t) + +selinux_validate_context(kpropd_t) + +logging_send_syslog_msg(kpropd_t) + +miscfiles_read_localization(kpropd_t) + +seutil_read_file_contexts(kpropd_t) + +sysnet_dns_name_resolve(kpropd_t) + +kerberos_use(kpropd_t) diff --git a/policy/modules/services/kerneloops.fc b/policy/modules/services/kerneloops.fc new file mode 100644 index 0000000..5ef261a --- /dev/null +++ b/policy/modules/services/kerneloops.fc @@ -0,0 +1,3 @@ +/etc/rc\.d/init\.d/kerneloops -- gen_context(system_u:object_r:kerneloops_initrc_exec_t,s0) + +/usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0) diff --git a/policy/modules/services/kerneloops.if b/policy/modules/services/kerneloops.if new file mode 100644 index 0000000..dd32883 --- /dev/null +++ b/policy/modules/services/kerneloops.if 
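Review bot: in the kpropd section, kpropd_t gets `manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)` and a `filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)`, but no `filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t, file)`. If kpropd (which is given `corecmd_exec_bin`) creates a new principal database file in the krb5kdc_conf_t directory, that file is created as krb5kdc_conf_t, on which kpropd_t only has read, so the create is denied. kadmind_t has the corresponding transition (`filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)`); mirror it here. Style: `allow kpropd_t self:fifo_file rw_file_perms;` should be `rw_fifo_file_perms`, as used for krb5kdc_t, and the kpropd block lacks `corenet_all_recvfrom_netlabel` that the other two daemons get. Finally, the `# Use capabilities. Surplus capabilities may be allowed.` comment sits above `dac_override` for both kadmind_t and krb5kdc_t, the two domains that hold the principal database and keytabs; verify each listed capability is actually needed rather than merging the caveat.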
@@ -0,0 +1,114 @@ +## <summary>Service for reporting kernel oopses to kerneloops.org</summary> + +######################################## +## <summary> +## Execute a domain transition to run kerneloops. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`kerneloops_domtrans',` + gen_require(` + type kerneloops_t, kerneloops_exec_t; + ') + + domtrans_pattern($1, kerneloops_exec_t, kerneloops_t) +') + +######################################## +## <summary> +## Send and receive messages from +## kerneloops over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kerneloops_dbus_chat',` + gen_require(` + type kerneloops_t; + class dbus send_msg; + ') + + allow $1 kerneloops_t:dbus send_msg; + allow kerneloops_t $1:dbus send_msg; +') + +######################################## +## <summary> +## dontaudit attempts to Send and receive messages from +## kerneloops over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`kerneloops_dontaudit_dbus_chat',` + gen_require(` + type kerneloops_t; + class dbus send_msg; + ') + + dontaudit $1 kerneloops_t:dbus send_msg; + dontaudit kerneloops_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Allow domain to manage kerneloops tmp files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kerneloops_manage_tmp_files',` + gen_require(` + type kerneloops_tmp_t; + ') + + manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t) + files_search_tmp($1) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an kerneloops environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the kerneloops domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`kerneloops_admin',` + gen_require(` + type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t; + ') + + allow $1 kerneloops_t:process { ptrace signal_perms }; + ps_process_pattern($1, kerneloops_t) + + init_labeled_script_domtrans($1, kerneloops_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 kerneloops_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, kerneloops_tmp_t) +') diff --git a/policy/modules/services/kerneloops.te b/policy/modules/services/kerneloops.te new file mode 100644 index 0000000..6b35547 --- /dev/null +++ b/policy/modules/services/kerneloops.te 
@@ -0,0 +1,54 @@ +policy_module(kerneloops, 1.4.0) + +######################################## +# +# Declarations +# + +type kerneloops_t; +type kerneloops_exec_t; +init_daemon_domain(kerneloops_t, kerneloops_exec_t) + +type kerneloops_initrc_exec_t; +init_script_file(kerneloops_initrc_exec_t) + +type kerneloops_tmp_t; +files_tmp_file(kerneloops_tmp_t) + +######################################## +# +# kerneloops local policy +# + +allow kerneloops_t self:capability sys_nice; +allow kerneloops_t self:process { getcap setcap setsched getsched signal }; +allow kerneloops_t self:fifo_file rw_file_perms; + +manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t) +files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file) + +kernel_read_ring_buffer(kerneloops_t) + +# Init script handling +domain_use_interactive_fds(kerneloops_t) + +corenet_all_recvfrom_unlabeled(kerneloops_t) +corenet_all_recvfrom_netlabel(kerneloops_t) +corenet_tcp_sendrecv_generic_if(kerneloops_t) +corenet_tcp_sendrecv_generic_node(kerneloops_t) +corenet_tcp_sendrecv_all_ports(kerneloops_t) +corenet_tcp_bind_http_port(kerneloops_t) +corenet_tcp_connect_http_port(kerneloops_t) + +files_read_etc_files(kerneloops_t) + +auth_use_nsswitch(kerneloops_t) + +logging_send_syslog_msg(kerneloops_t) +logging_read_generic_logs(kerneloops_t) + +miscfiles_read_localization(kerneloops_t) + +optional_policy(` + dbus_system_domain(kerneloops_t, kerneloops_exec_t) +') diff --git a/policy/modules/services/ksmtuned.fc b/policy/modules/services/ksmtuned.fc new file mode 100644 index 0000000..8360166 --- /dev/null +++ b/policy/modules/services/ksmtuned.fc @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0) + +/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) + +/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0) + +/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) 
diff --git a/policy/modules/services/ksmtuned.if b/policy/modules/services/ksmtuned.if new file mode 100644 index 0000000..b733e45 --- /dev/null +++ b/policy/modules/services/ksmtuned.if @@ -0,0 +1,72 @@ +## <summary>Kernel Samepage Merging (KSM) Tuning Daemon</summary> + +######################################## +## <summary> +## Execute a domain transition to run ksmtuned. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ksmtuned_domtrans',` + gen_require(` + type ksmtuned_t, ksmtuned_exec_t; + ') + + domtrans_pattern($1, ksmtuned_exec_t, ksmtuned_t) +') + +######################################## +## <summary> +## Execute ksmtuned server in the ksmtuned domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ksmtuned_initrc_domtrans',` + gen_require(` + type ksmtuned_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an ksmtuned environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`ksmtuned_admin',` + gen_require(` + type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t; + ') + + allow $1 ksmtuned_t:process { ptrace signal_perms }; + ps_process_pattern($1, ksmtuned_t) + + files_list_pids($1) + admin_pattern($1, ksmtuned_var_run_t) + + # Allow ksmtuned_t to restart the apache service + ksmtuned_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 ksmtuned_initrc_exec_t system_r; + allow $2 system_r; +') diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te new file mode 100644 index 0000000..01adbed 
--- /dev/null +++ b/policy/modules/services/ksmtuned.te @@ -0,0 +1,51 @@ +policy_module(ksmtuned, 1.0.0) + +######################################## +# +# Declarations +# + +type ksmtuned_t; +type ksmtuned_exec_t; +init_daemon_domain(ksmtuned_t, ksmtuned_exec_t) + +type ksmtuned_log_t; +logging_log_file(ksmtuned_log_t) + +type ksmtuned_initrc_exec_t; +init_script_file(ksmtuned_initrc_exec_t) + +type ksmtuned_var_run_t; +files_pid_file(ksmtuned_var_run_t) + +######################################## +# +# ksmtuned local policy +# + +allow ksmtuned_t self:capability { sys_ptrace sys_tty_config }; +allow ksmtuned_t self:fifo_file rw_file_perms; + +manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) +manage_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) +logging_log_filetrans(ksmtuned_t, ksmtuned_log_t, { file dir }) + +manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t) +files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file) + +kernel_read_system_state(ksmtuned_t) + +dev_rw_sysfs(ksmtuned_t) + +domain_read_all_domains_state(ksmtuned_t) +domain_dontaudit_read_all_domains_state(ksmtuned_t) + +corecmd_exec_bin(ksmtuned_t) + +files_read_etc_files(ksmtuned_t) + +mls_file_read_to_clearance(ksmtuned_t) + +term_use_all_terms(ksmtuned_t) + +miscfiles_read_localization(ksmtuned_t) diff --git a/policy/modules/services/ktalk.fc b/policy/modules/services/ktalk.fc new file mode 100644 index 0000000..47d0bf3 --- /dev/null +++ b/policy/modules/services/ktalk.fc @@ -0,0 +1,7 @@ + +/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) + +/usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) +/usr/sbin/in\.ntalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) + +/var/log/talkd.* -- gen_context(system_u:object_r:ktalkd_log_t,s0) diff --git a/policy/modules/services/ktalk.if b/policy/modules/services/ktalk.if new file mode 100644 index 0000000..5ba36db --- /dev/null +++ b/policy/modules/services/ktalk.if 
@@ -0,0 +1 @@ +## <summary>KDE Talk daemon</summary> diff --git a/policy/modules/services/ktalk.te b/policy/modules/services/ktalk.te new file mode 100644 index 0000000..ca5cfdf --- /dev/null +++ b/policy/modules/services/ktalk.te 
@@ -0,0 +1,79 @@ +policy_module(ktalk, 1.8.0) + +######################################## +# +# Declarations +# + +type ktalkd_t; +type ktalkd_exec_t; +inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t) +role system_r types ktalkd_t; + +type ktalkd_log_t; +logging_log_file(ktalkd_log_t) + +type ktalkd_tmp_t; +files_tmp_file(ktalkd_tmp_t) + +type ktalkd_var_run_t; +files_pid_file(ktalkd_var_run_t) + +######################################## +# +# Local policy +# + +allow ktalkd_t self:process signal_perms; +allow ktalkd_t self:fifo_file rw_fifo_file_perms; +allow ktalkd_t self:tcp_socket connected_stream_socket_perms; +allow ktalkd_t self:udp_socket create_socket_perms; +# for identd +# cjp: this should probably only be inetd_child rules? +allow ktalkd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +allow ktalkd_t self:capability { setuid setgid }; +files_search_home(ktalkd_t) +optional_policy(` + kerberos_use(ktalkd_t) +') +#end for identd + +allow ktalkd_t ktalkd_log_t:file manage_file_perms; +logging_log_filetrans(ktalkd_t, ktalkd_log_t, file) + +manage_dirs_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t) +manage_files_pattern(ktalkd_t, ktalkd_tmp_t, ktalkd_tmp_t) +files_tmp_filetrans(ktalkd_t, ktalkd_tmp_t, { file dir }) + +manage_files_pattern(ktalkd_t, ktalkd_var_run_t, ktalkd_var_run_t) +files_pid_filetrans(ktalkd_t, ktalkd_var_run_t, file) + +kernel_read_kernel_sysctls(ktalkd_t) +kernel_read_system_state(ktalkd_t) +kernel_read_network_state(ktalkd_t) + +corenet_all_recvfrom_unlabeled(ktalkd_t) +corenet_all_recvfrom_netlabel(ktalkd_t) +corenet_tcp_sendrecv_generic_if(ktalkd_t) +corenet_udp_sendrecv_generic_if(ktalkd_t) +corenet_tcp_sendrecv_generic_node(ktalkd_t) +corenet_udp_sendrecv_generic_node(ktalkd_t) +corenet_tcp_sendrecv_all_ports(ktalkd_t) +corenet_udp_sendrecv_all_ports(ktalkd_t) + +dev_read_urand(ktalkd_t) + +fs_getattr_xattr_fs(ktalkd_t) + +files_read_etc_files(ktalkd_t) + +term_search_ptys(ktalkd_t) +term_use_all_terms(ktalkd_t) + 
+auth_use_nsswitch(ktalkd_t) + +init_read_utmp(ktalkd_t) + +logging_send_syslog_msg(ktalkd_t) + +miscfiles_read_localization(ktalkd_t) diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc new file mode 100644 index 0000000..335fda1 --- /dev/null +++ b/policy/modules/services/ldap.fc @@ -0,0 +1,20 @@ + +/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0) +/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) + +/etc/rc\.d/init\.d/sldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) + +/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) + +ifdef(`distro_debian',` +/usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) +') + +/var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) +/var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0) + +/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if new file mode 100644 index 0000000..c51c1f6 --- /dev/null +++ b/policy/modules/services/ldap.if 
@@ -0,0 +1,198 @@ +## <summary>OpenLDAP directory server</summary> + +####################################### +## <summary> +## Execute OpenLDAP in the ldap domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ldap_domtrans',` + gen_require(` + type slapd_t, slapd_exec_t; + ') + + domtrans_pattern($1, slapd_exec_t, slapd_t) +') + +####################################### +## <summary> +## Execute OpenLDAP server in the ldap domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ldap_initrc_domtrans',` + gen_require(` + type slapd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, slapd_initrc_exec_t) +') + +######################################## +## <summary> +## Read the contents of the OpenLDAP +## database directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ldap_list_db',` + gen_require(` + type slapd_db_t; + ') + + allow $1 slapd_db_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Read the contents of the OpenLDAP +## database files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ldap_read_db_files',` + gen_require(` + type slapd_db_t; + ') + + read_files_pattern($1, slapd_db_t, slapd_db_t) +') + +######################################## +## <summary> +## Read the OpenLDAP configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`ldap_read_config',` + gen_require(` + type slapd_etc_t; + ') + + files_search_etc($1) + allow $1 slapd_etc_t:file read_file_perms; +') + +######################################## +## <summary> +## Use LDAP over TCP connection. 
(Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ldap_use',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Connect to slapd over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ldap_stream_connect',` + gen_require(` + type slapd_t, slapd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t) + + optional_policy(` + ldap_stream_connect_dirsrv($1) + ') +') + +######################################## +## <summary> +## Connect to dirsrv over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ldap_stream_connect_dirsrv',` + gen_require(` + type dirsrv_t, dirsrv_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an ldap environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the ldap domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`ldap_admin',` + gen_require(` + type slapd_t, slapd_tmp_t, slapd_replog_t; + type slapd_lock_t, slapd_etc_t, slapd_var_run_t; + type slapd_initrc_exec_t; + ') + + allow $1 slapd_t:process { ptrace signal_perms }; + ps_process_pattern($1, slapd_t) + + init_labeled_script_domtrans($1, slapd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 slapd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, slapd_etc_t) + + admin_pattern($1, slapd_lock_t) + + files_list_var_lib($1) + admin_pattern($1, slapd_replog_t) + + files_list_tmp($1) + admin_pattern($1, slapd_tmp_t) + + files_list_pids($1) + admin_pattern($1, slapd_var_run_t) +') diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te new file mode 100644 index 0000000..10c2d54 --- /dev/null +++ b/policy/modules/services/ldap.te 
@@ -0,0 +1,146 @@ +policy_module(ldap, 1.10.0) + +######################################## +# +# Declarations +# + +type slapd_t; +type slapd_exec_t; +init_daemon_domain(slapd_t, slapd_exec_t) + +type slapd_cert_t; +miscfiles_cert_type(slapd_cert_t) + +type slapd_db_t; +files_type(slapd_db_t) + +type slapd_etc_t; +files_config_file(slapd_etc_t) + +type slapd_initrc_exec_t; +init_script_file(slapd_initrc_exec_t) + +type slapd_lock_t; +files_lock_file(slapd_lock_t) + +type slapd_replog_t; +files_type(slapd_replog_t) + +type slapd_log_t; +logging_log_file(slapd_log_t) + +type slapd_tmp_t; +files_tmp_file(slapd_tmp_t) + +type slapd_tmpfs_t; +files_tmpfs_file(slapd_tmpfs_t) + +type slapd_var_run_t; +files_pid_file(slapd_var_run_t) + +######################################## +# +# Local policy +# + +# should not need kill +# cjp: why net_raw? +allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search }; +dontaudit slapd_t self:capability sys_tty_config; +allow slapd_t self:process setsched; +allow slapd_t self:fifo_file rw_fifo_file_perms; +allow slapd_t self:udp_socket create_socket_perms; +#slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach) +allow slapd_t self:tcp_socket create_stream_socket_perms; + +allow slapd_t slapd_cert_t:dir list_dir_perms; +read_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t) +read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t) + +# Allow access to the slapd databases +manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t) +manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t) +manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t) + +allow slapd_t slapd_etc_t:file read_file_perms; + +allow slapd_t slapd_lock_t:file manage_file_perms; +files_lock_filetrans(slapd_t, slapd_lock_t, file) + +# Allow access to write the replication log (should tighten this) +manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t) +manage_files_pattern(slapd_t, slapd_replog_t, 
slapd_replog_t) +manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) + +manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t) +manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t) +logging_log_filetrans(slapd_t, slapd_log_t, { file dir }) + +manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) +manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) +files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) + +manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t) +fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file) + +manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) +manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) +manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) +files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) + +kernel_read_system_state(slapd_t) +kernel_read_kernel_sysctls(slapd_t) + +corenet_all_recvfrom_unlabeled(slapd_t) +corenet_all_recvfrom_netlabel(slapd_t) +corenet_tcp_sendrecv_generic_if(slapd_t) +corenet_udp_sendrecv_generic_if(slapd_t) +corenet_tcp_sendrecv_generic_node(slapd_t) +corenet_udp_sendrecv_generic_node(slapd_t) +corenet_tcp_sendrecv_all_ports(slapd_t) +corenet_udp_sendrecv_all_ports(slapd_t) +corenet_tcp_bind_generic_node(slapd_t) +corenet_tcp_bind_ldap_port(slapd_t) +corenet_tcp_connect_all_ports(slapd_t) +corenet_sendrecv_ldap_server_packets(slapd_t) +corenet_sendrecv_all_client_packets(slapd_t) + +dev_read_urand(slapd_t) +dev_read_sysfs(slapd_t) + +fs_getattr_all_fs(slapd_t) +fs_search_auto_mountpoints(slapd_t) + +domain_use_interactive_fds(slapd_t) + +files_read_etc_files(slapd_t) +files_read_etc_runtime_files(slapd_t) +files_read_usr_files(slapd_t) +files_list_var_lib(slapd_t) + +auth_use_nsswitch(slapd_t) + +logging_send_syslog_msg(slapd_t) + +miscfiles_read_generic_certs(slapd_t) +miscfiles_read_localization(slapd_t) + +userdom_dontaudit_use_unpriv_user_fds(slapd_t) +userdom_dontaudit_search_user_home_dirs(slapd_t) + +optional_policy(` + 
kerberos_keytab_template(slapd, slapd_t) +') + +optional_policy(` + sasl_connect(slapd_t) +') + +optional_policy(` + seutil_sigchld_newrole(slapd_t) +') + +optional_policy(` + udev_read_db(slapd_t) +') diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc new file mode 100644 index 0000000..057a4e4 --- /dev/null +++ b/policy/modules/services/likewise.fc 
@@ -0,0 +1,54 @@ +/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0) +/etc/likewise-open/.pstore.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0) +/etc/likewise-open/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0) + +/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) +/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) +/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) +/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) +/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) +/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) +/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) +/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) + +/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0) +/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0) +/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0) +/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0) +/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0) +/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0) +/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0) +/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0) + +/var/lib/likewise-open(/.*)? 
gen_context(system_u:object_r:likewise_var_lib_t,s0) +/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0) +/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0) +/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0) +/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0) +/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0) +/var/lib/likewise-open/\.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0) +/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0) +/var/lib/likewise-open/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0) +/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0) +/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) +/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) +/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0) +/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0) +/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) +/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) +/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) +/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) +/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0) +/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0) +/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) +/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket_t, s0) 
+/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0) +/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0) + +/var/run/eventlogd.pid -- gen_context(system_u:object_r:eventlogd_var_run_t,s0) +/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0) +/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0) +/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0) +/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0) +/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0) + diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if new file mode 100644 index 0000000..81d98b3 --- /dev/null +++ b/policy/modules/services/likewise.if 
@@ -0,0 +1,105 @@ +## <summary>Likewise Active Directory support for UNIX.</summary> +## <desc> +## <p> +## Likewise Open is a free, open source application that joins Linux, Unix, +## and Mac machines to Microsoft Active Directory to securely authenticate +## users with their domain credentials. +## </p> +## </desc> + +####################################### +## <summary> +## The template to define a likewise domain. +## </summary> +## <desc> +## <p> +## This template creates a domain to be used for +## a new likewise daemon. +## </p> +## </desc> +## <param name="userdomain_prefix"> +## <summary> +## The type of daemon to be used. +## </summary> +## </param> +# +template(`likewise_domain_template',` + + gen_require(` + attribute likewise_domains; + type likewise_var_lib_t; + ') + + ######################################## + # + # Declarations + # + + type $1_t; + type $1_exec_t; + init_daemon_domain($1_t, $1_exec_t) + domain_use_interactive_fds($1_t) + + typeattribute $1_t likewise_domains; + + type $1_var_run_t; + files_pid_file($1_var_run_t) + + type $1_var_socket_t; + files_type($1_var_socket_t) + + type $1_var_lib_t; + files_type($1_var_lib_t) + + #################################### + # + # Local Policy + # + + allow $1_t self:process { signal_perms getsched setsched }; + allow $1_t self:fifo_file rw_fifo_file_perms; + allow $1_t self:unix_dgram_socket create_socket_perms; + allow $1_t self:unix_stream_socket create_stream_socket_perms; + allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:udp_socket create_socket_perms; + + allow $1_t likewise_var_lib_t:dir setattr_dir_perms; + + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + files_pid_filetrans($1_t, $1_var_run_t, file) + + manage_files_pattern($1_t, likewise_var_lib_t, $1_var_lib_t) + filetrans_pattern($1_t, likewise_var_lib_t, $1_var_lib_t, file) + + manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t) + filetrans_pattern($1_t, likewise_var_lib_t, 
$1_var_socket_t, sock_file) + + dev_read_rand($1_t) + dev_read_urand($1_t) + + files_read_etc_files($1_t) + files_search_var_lib($1_t) + + logging_send_syslog_msg($1_t) + + miscfiles_read_localization($1_t) +') + +######################################## +## <summary> +## Connect to lsassd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`likewise_stream_connect_lsassd',` + gen_require(` + type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) +') diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te new file mode 100644 index 0000000..65e6d81 --- /dev/null +++ b/policy/modules/services/likewise.te 
@@ -0,0 +1,238 @@ +policy_module(likewise, 1.0.1) + +################################# +# +# Declarations +# + +attribute likewise_domains; + +type likewise_etc_t; +files_config_file(likewise_etc_t) + +type likewise_initrc_exec_t; +init_script_file(likewise_initrc_exec_t) + +type likewise_var_lib_t; +files_type(likewise_var_lib_t) + +type likewise_pstore_lock_t; +files_type(likewise_pstore_lock_t) + +type likewise_krb5_ad_t; +files_type(likewise_krb5_ad_t) + +likewise_domain_template(dcerpcd) + +likewise_domain_template(eventlogd) + +likewise_domain_template(lsassd) + +type lsassd_tmp_t; +files_tmp_file(lsassd_tmp_t) + +likewise_domain_template(lwiod) + +likewise_domain_template(lwregd) + +likewise_domain_template(lwsmd) + +likewise_domain_template(netlogond) + +likewise_domain_template(srvsvcd) + +################################# +# +# Likewise dcerpcd personal policy +# + +stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) + +corenet_all_recvfrom_netlabel(dcerpcd_t) +corenet_all_recvfrom_unlabeled(dcerpcd_t) +corenet_sendrecv_generic_client_packets(dcerpcd_t) +corenet_sendrecv_generic_server_packets(dcerpcd_t) +corenet_tcp_sendrecv_generic_if(dcerpcd_t) +corenet_tcp_sendrecv_generic_node(dcerpcd_t) +corenet_tcp_sendrecv_generic_port(dcerpcd_t) +corenet_tcp_bind_generic_node(dcerpcd_t) +corenet_tcp_bind_epmap_port(dcerpcd_t) +corenet_tcp_connect_generic_port(dcerpcd_t) +corenet_udp_bind_generic_node(dcerpcd_t) +corenet_udp_bind_epmap_port(dcerpcd_t) +corenet_udp_sendrecv_generic_if(dcerpcd_t) +corenet_udp_sendrecv_generic_node(dcerpcd_t) +corenet_udp_sendrecv_generic_port(dcerpcd_t) + +################################# +# +# Likewise Auditing and Logging service policy +# + +stream_connect_pattern(eventlogd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t) +stream_connect_pattern(eventlogd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) + +corenet_all_recvfrom_netlabel(eventlogd_t) 
+corenet_all_recvfrom_unlabeled(eventlogd_t) +corenet_sendrecv_generic_server_packets(eventlogd_t) +corenet_tcp_sendrecv_generic_if(eventlogd_t) +corenet_tcp_sendrecv_generic_node(eventlogd_t) +corenet_tcp_sendrecv_generic_port(eventlogd_t) +corenet_tcp_bind_generic_node(eventlogd_t) +corenet_udp_bind_generic_node(eventlogd_t) +corenet_udp_sendrecv_generic_if(eventlogd_t) +corenet_udp_sendrecv_generic_node(eventlogd_t) +corenet_udp_sendrecv_generic_port(eventlogd_t) + +################################# +# +# Likewise Authentication service local policy +# + +allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time }; +allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms; + +allow lsassd_t likewise_krb5_ad_t:file read_file_perms; +allow lsassd_t netlogond_var_lib_t:file read_file_perms; + +manage_files_pattern(lsassd_t, likewise_etc_t, likewise_etc_t) + +manage_files_pattern(lsassd_t, lsassd_tmp_t, lsassd_tmp_t); +files_tmp_filetrans(lsassd_t, lsassd_tmp_t, file) + +stream_connect_pattern(lsassd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t) +stream_connect_pattern(lsassd_t, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t) +stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t) +stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) +stream_connect_pattern(lsassd_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t) + +kernel_read_system_state(lsassd_t) +kernel_getattr_proc_files(lsassd_t) +kernel_list_all_proc(lsassd_t) +kernel_list_proc(lsassd_t) + +corecmd_exec_bin(lsassd_t) +corecmd_exec_shell(lsassd_t) + +corenet_all_recvfrom_netlabel(lsassd_t) +corenet_all_recvfrom_unlabeled(lsassd_t) +corenet_tcp_sendrecv_generic_if(lsassd_t) +corenet_tcp_sendrecv_generic_node(lsassd_t) +corenet_tcp_sendrecv_generic_port(lsassd_t) +corenet_tcp_bind_generic_node(lsassd_t) 
+corenet_tcp_connect_epmap_port(lsassd_t) +corenet_tcp_sendrecv_epmap_port(lsassd_t) + +domain_obj_id_change_exemption(lsassd_t) + +files_manage_etc_files(lsassd_t) +files_manage_etc_symlinks(lsassd_t) +files_manage_etc_runtime_files(lsassd_t) +files_relabelto_home(lsassd_t) + +selinux_get_fs_mount(lsassd_t) +selinux_validate_context(lsassd_t) + +seutil_read_config(lsassd_t) +seutil_read_default_contexts(lsassd_t) +seutil_read_file_contexts(lsassd_t) +seutil_run_semanage(lsassd_t, lsassd_t) + +sysnet_use_ldap(lsassd_t) +sysnet_read_config(lsassd_t) + +userdom_home_filetrans_user_home_dir(lsassd_t) +userdom_manage_user_home_content_files(lsassd_t) + +optional_policy(` + kerberos_rw_keytab(lsassd_t) + kerberos_use(lsassd_t) +') + +################################# +# +# Likewise I/O service local policy +# + +allow lwiod_t self:capability { fowner chown fsetid dac_override }; +allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms; + +allow lwiod_t likewise_krb5_ad_t:file read_file_perms; +allow lwiod_t netlogond_var_lib_t:file read_file_perms; + +stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) +stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) + +corenet_all_recvfrom_netlabel(lwiod_t) +corenet_all_recvfrom_unlabeled(lwiod_t) +corenet_sendrecv_smbd_server_packets(lwiod_t) +corenet_sendrecv_smbd_client_packets(lwiod_t) +corenet_tcp_sendrecv_generic_if(lwiod_t) +corenet_tcp_sendrecv_generic_node(lwiod_t) +corenet_tcp_sendrecv_generic_port(lwiod_t) +corenet_tcp_bind_generic_node(lwiod_t) +corenet_tcp_bind_smbd_port(lwiod_t) +corenet_tcp_connect_smbd_port(lwiod_t) + +sysnet_read_config(lwiod_t) + +optional_policy(` + kerberos_rw_config(lwiod_t) + kerberos_use(lwiod_t) +') + +################################# +# +# Likewise Service Manager service local policy +# + +allow lwsmd_t likewise_domains:process signal; + +domtrans_pattern(lwsmd_t, dcerpcd_exec_t, dcerpcd_t) +domtrans_pattern(lwsmd_t, 
eventlogd_exec_t, eventlogd_t) +domtrans_pattern(lwsmd_t, lsassd_exec_t, lsassd_t) +domtrans_pattern(lwsmd_t, lwiod_exec_t, lwiod_t) +domtrans_pattern(lwsmd_t, lwregd_exec_t, lwregd_t) +domtrans_pattern(lwsmd_t, netlogond_exec_t, netlogond_t) +domtrans_pattern(lwsmd_t, srvsvcd_exec_t, srvsvcd_t) + +stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t) +stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) + +################################# +# +# Likewise DC location service local policy +# + +allow netlogond_t self:capability dac_override; + +manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t) + +stream_connect_pattern(netlogond_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) + +sysnet_dns_name_resolve(netlogond_t) +sysnet_use_ldap(netlogond_t) + +################################# +# +# Likewise Srv service local policy +# + +allow srvsvcd_t likewise_etc_t:dir search_dir_perms; + +stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t) +stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t) +stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) + +corenet_all_recvfrom_netlabel(srvsvcd_t) +corenet_all_recvfrom_unlabeled(srvsvcd_t) +corenet_sendrecv_generic_server_packets(srvsvcd_t) +corenet_tcp_sendrecv_generic_if(srvsvcd_t) +corenet_tcp_sendrecv_generic_node(srvsvcd_t) +corenet_tcp_sendrecv_generic_port(srvsvcd_t) +corenet_tcp_bind_generic_node(srvsvcd_t) + +optional_policy(` + kerberos_use(srvsvcd_t) +') diff --git a/policy/modules/services/lircd.fc b/policy/modules/services/lircd.fc new file mode 100644 index 0000000..49e04e5 --- /dev/null +++ b/policy/modules/services/lircd.fc 
@@ -0,0 +1,10 @@ +/dev/lircd -s gen_context(system_u:object_r:lircd_sock_t,s0) + +/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0) +/etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0) + +/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) + +/var/run/lirc(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) +/var/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) +/var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0) diff --git a/policy/modules/services/lircd.if b/policy/modules/services/lircd.if new file mode 100644 index 0000000..5cfe950 --- /dev/null +++ b/policy/modules/services/lircd.if 
@@ -0,0 +1,95 @@ +## <summary>Linux infared remote control daemon</summary> + +######################################## +## <summary> +## Execute a domain transition to run lircd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`lircd_domtrans',` + gen_require(` + type lircd_t, lircd_exec_t; + ') + + domain_auto_trans($1, lircd_exec_t, lircd_t) +') + +###################################### +## <summary> +## Connect to lircd over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`lircd_stream_connect',` + gen_require(` + type lircd_var_run_t, lircd_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, lircd_var_run_t, lircd_var_run_t, lircd_t) +') + +####################################### +## <summary> +## Read lircd etc file +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`lircd_read_config',` + gen_require(` + type lircd_etc_t; + ') + + read_files_pattern($1, lircd_etc_t, lircd_etc_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## a lircd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the syslog domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`lircd_admin',` + gen_require(` + type lircd_t, lircd_var_run_t, lircd_etc_t; + type lircd_initrc_exec_t; + ') + + allow $1 lircd_t:process { ptrace signal_perms }; + ps_process_pattern($1, lircd_t) + + init_labeled_script_domtrans($1, lircd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 lircd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, lircd_etc_t) + + files_list_pids($1) + admin_pattern($1, lircd_var_run_t) +') diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te new file mode 100644 index 0000000..02f6985 --- /dev/null +++ b/policy/modules/services/lircd.te 
@@ -0,0 +1,65 @@ +policy_module(lircd, 1.1.0) + +######################################## +# +# Declarations +# + +type lircd_t; +type lircd_exec_t; +init_daemon_domain(lircd_t, lircd_exec_t) + +type lircd_initrc_exec_t; +init_script_file(lircd_initrc_exec_t) + +type lircd_etc_t; +files_type(lircd_etc_t) + +type lircd_var_run_t alias lircd_sock_t; +files_pid_file(lircd_var_run_t) + +######################################## +# +# lircd local policy +# + +allow lircd_t self:capability { chown kill sys_admin }; +allow lircd_t self:process { fork signal }; +allow lircd_t self:fifo_file rw_fifo_file_perms; +allow lircd_t self:unix_dgram_socket create_socket_perms; +allow lircd_t self:tcp_socket create_stream_socket_perms; + +# etc file +read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) + +manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) +manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) +manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) +files_pid_filetrans(lircd_t, lircd_var_run_t, { file dir }) +# /dev/lircd socket +dev_filetrans(lircd_t, lircd_var_run_t, sock_file) + +corenet_tcp_sendrecv_generic_if(lircd_t) +corenet_tcp_bind_generic_node(lircd_t) +corenet_tcp_bind_lirc_port(lircd_t) +corenet_tcp_sendrecv_all_ports(lircd_t) +corenet_tcp_connect_lirc_port(lircd_t) + +dev_rw_generic_usb_dev(lircd_t) +dev_read_mouse(lircd_t) +dev_filetrans_lirc(lircd_t) +dev_rw_lirc(lircd_t) +dev_rw_input_dev(lircd_t) + +files_read_etc_files(lircd_t) +files_list_var(lircd_t) +files_manage_generic_locks(lircd_t) +files_read_all_locks(lircd_t) + +term_use_ptmx(lircd_t) + +logging_send_syslog_msg(lircd_t) + +miscfiles_read_localization(lircd_t) + +sysnet_dns_name_resolve(lircd_t) diff --git a/policy/modules/services/lpd.fc b/policy/modules/services/lpd.fc new file mode 100644 index 0000000..5c9eb68 --- /dev/null +++ b/policy/modules/services/lpd.fc 
@@ -0,0 +1,37 @@ +# +# /dev +# +/dev/printer -s gen_context(system_u:object_r:printer_t,s0) + +/opt/gutenprint/s?bin(/.*)? gen_context(system_u:object_r:lpr_exec_t,s0) + +# +# /usr +# +/usr/bin/cancel(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/bin/lpoptions -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) + +/usr/sbin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0) +/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0) +/usr/sbin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/sbin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0) +/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0) + +/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0) + +/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) + +# +# /var +# +/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) +/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) +/var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0) +/var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0) diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if new file mode 100644 index 0000000..ea7dca0 --- /dev/null +++ b/policy/modules/services/lpd.if 
@@ -0,0 +1,215 @@ +## <summary>Line printer daemon</summary> + +######################################## +## <summary> +## Role access for lpd +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +## <rolecap/> +# +interface(`lpd_role',` + gen_require(` + type lpr_t, lpr_exec_t, print_spool_t; + ') + + role $1 types lpr_t; + + # Transition from the user domain to the derived domain. + domtrans_pattern($2, lpr_exec_t, lpr_t) + dontaudit lpr_t $2:unix_stream_socket { read write }; + + ps_process_pattern($2, lpr_t) + allow $2 lpr_t:process { ptrace signal_perms }; + + optional_policy(` + cups_read_config($2) + ') +') + +######################################## +## <summary> +## Execute lpd in the lpd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`lpd_domtrans_checkpc',` + gen_require(` + type checkpc_t, checkpc_exec_t; + ') + + domtrans_pattern($1, checkpc_exec_t, checkpc_t) +') + +######################################## +## <summary> +## Execute amrecover in the lpd domain, and +## allow the specified role the lpd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`lpd_run_checkpc',` + gen_require(` + type checkpc_t; + ') + + lpd_domtrans_checkpc($1) + role $2 types checkpc_t; +') + +######################################## +## <summary> +## List the contents of the printer spool directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`lpd_list_spool',` + gen_require(` + type print_spool_t; + ') + + files_search_spool($1) + allow $1 print_spool_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Read the printer spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`lpd_read_spool',` + gen_require(` + type print_spool_t; + ') + + files_search_spool($1) + read_files_pattern($1, print_spool_t, print_spool_t) +') + +######################################## +## <summary> +## Create, read, write, and delete printer spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`lpd_manage_spool',` + gen_require(` + type print_spool_t; + ') + + files_search_spool($1) + manage_dirs_pattern($1, print_spool_t, print_spool_t) + manage_files_pattern($1, print_spool_t, print_spool_t) + manage_lnk_files_pattern($1, print_spool_t, print_spool_t) +') + +######################################## +## <summary> +## Relabel from and to the spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`lpd_relabel_spool',` + gen_require(` + type print_spool_t; + ') + + files_search_spool($1) + allow $1 print_spool_t:file relabel_file_perms; +') + +######################################## +## <summary> +## List the contents of the printer spool directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`lpd_read_config',` + gen_require(` + type printconf_t; + ') + + allow $1 printconf_t:dir list_dir_perms; + read_files_pattern($1, printconf_t, printconf_t) +') + +######################################## +## <summary> +## Transition to a user lpr domain. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`lpd_domtrans_lpr',` + gen_require(` + type lpr_t, lpr_exec_t; + ') + + domtrans_pattern($1, lpr_exec_t, lpr_t) +') + +######################################## +## <summary> +## Allow the specified domain to execute lpr +## in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`lpd_exec_lpr',` + gen_require(` + type lpr_exec_t; + ') + + can_exec($1, lpr_exec_t) +') diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te new file mode 100644 index 0000000..80671d9 --- /dev/null +++ b/policy/modules/services/lpd.te 
@@ -0,0 +1,333 @@ +policy_module(lpd, 1.12.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Use lpd server instead of cups +## </p> +## </desc> +gen_tunable(use_lpd_server, false) + +type checkpc_t; +type checkpc_exec_t; +init_system_domain(checkpc_t, checkpc_exec_t) +role system_r types checkpc_t; + +type checkpc_log_t; +logging_log_file(checkpc_log_t) + +type lpd_t; +type lpd_exec_t; +init_daemon_domain(lpd_t, lpd_exec_t) + +type lpd_tmp_t; +files_tmp_file(lpd_tmp_t) + +type lpd_var_run_t; +files_pid_file(lpd_var_run_t) + +type lpr_t; +type lpr_exec_t; +typealias lpr_t alias { user_lpr_t staff_lpr_t sysadm_lpr_t }; +typealias lpr_t alias { auditadm_lpr_t secadm_lpr_t }; +application_domain(lpr_t, lpr_exec_t) +ubac_constrained(lpr_t) + +type lpr_tmp_t; +typealias lpr_tmp_t alias { user_lpr_tmp_t staff_lpr_tmp_t sysadm_lpr_tmp_t }; +typealias lpr_tmp_t alias { auditadm_lpr_tmp_t secadm_lpr_tmp_t }; +files_tmp_file(lpr_tmp_t) +ubac_constrained(lpr_tmp_t) + +# Type for spool files. +type print_spool_t; +typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t }; +typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t }; +files_type(print_spool_t) +ubac_constrained(print_spool_t) + +type printer_t; +files_type(printer_t) + +type printconf_t; +files_type(printconf_t) + +######################################## +# +# Checkpc local policy +# + +# Allow checkpc to access the lpd spool so it can check & fix it. +# This requires that /usr/sbin/checkpc have type checkpc_t. 
+ +allow checkpc_t self:capability { setgid setuid dac_override }; +allow checkpc_t self:process signal_perms; +allow checkpc_t self:unix_stream_socket create_socket_perms; +allow checkpc_t self:tcp_socket create_socket_perms; +allow checkpc_t self:udp_socket create_socket_perms; + +allow checkpc_t checkpc_log_t:file manage_file_perms; +logging_log_filetrans(checkpc_t, checkpc_log_t, file) + +allow checkpc_t lpd_var_run_t:dir search_dir_perms; +files_search_pids(checkpc_t) + +rw_files_pattern(checkpc_t, print_spool_t, print_spool_t) +delete_files_pattern(checkpc_t, print_spool_t, print_spool_t) +files_search_spool(checkpc_t) + +allow checkpc_t printconf_t:file getattr_file_perms; +allow checkpc_t printconf_t:dir list_dir_perms; + +kernel_read_system_state(checkpc_t) + +corenet_all_recvfrom_unlabeled(checkpc_t) +corenet_all_recvfrom_netlabel(checkpc_t) +corenet_tcp_sendrecv_generic_if(checkpc_t) +corenet_udp_sendrecv_generic_if(checkpc_t) +corenet_tcp_sendrecv_generic_node(checkpc_t) +corenet_udp_sendrecv_generic_node(checkpc_t) +corenet_tcp_sendrecv_all_ports(checkpc_t) +corenet_udp_sendrecv_all_ports(checkpc_t) +corenet_tcp_connect_all_ports(checkpc_t) +corenet_sendrecv_all_client_packets(checkpc_t) + +dev_append_printer(checkpc_t) + +# This is less desirable, but checkpc demands /bin/bash and /bin/chown: +corecmd_exec_shell(checkpc_t) +corecmd_exec_bin(checkpc_t) + +domain_use_interactive_fds(checkpc_t) + +files_read_etc_files(checkpc_t) +files_read_etc_runtime_files(checkpc_t) + +init_use_script_ptys(checkpc_t) +# Allow access to /dev/console through the fd: +init_use_fds(checkpc_t) + +sysnet_read_config(checkpc_t) + +userdom_use_user_terminals(checkpc_t) + +optional_policy(` + cron_system_entry(checkpc_t, checkpc_exec_t) +') + +optional_policy(` + logging_send_syslog_msg(checkpc_t) +') + +optional_policy(` + nis_use_ypbind(checkpc_t) +') + +######################################## +# +# Lpd local policy +# + +allow lpd_t self:capability { setgid setuid 
net_bind_service dac_read_search dac_override chown fowner }; +dontaudit lpd_t self:capability sys_tty_config; +allow lpd_t self:process signal_perms; +allow lpd_t self:fifo_file rw_fifo_file_perms; +allow lpd_t self:unix_stream_socket create_stream_socket_perms; +allow lpd_t self:unix_dgram_socket create_socket_perms; +allow lpd_t self:tcp_socket create_stream_socket_perms; +allow lpd_t self:udp_socket create_stream_socket_perms; + +manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) +manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) +files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir }) + +manage_dirs_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) +manage_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) +manage_sock_files_pattern(lpd_t, lpd_var_run_t, lpd_var_run_t) +files_pid_filetrans(lpd_t, lpd_var_run_t, { dir file }) + +# Write to /var/spool/lpd. +manage_files_pattern(lpd_t, print_spool_t, print_spool_t) +files_search_spool(lpd_t) + +# lpd must be able to execute the filter utilities in /usr/share/printconf. +allow lpd_t printconf_t:dir list_dir_perms; +can_exec(lpd_t, printconf_t) + +# Create and bind to /dev/printer. 
+allow lpd_t printer_t:lnk_file manage_lnk_file_perms; +dev_filetrans(lpd_t, printer_t, lnk_file) + +kernel_read_kernel_sysctls(lpd_t) +# bash wants access to /proc/meminfo +kernel_read_system_state(lpd_t) + +corenet_all_recvfrom_unlabeled(lpd_t) +corenet_all_recvfrom_netlabel(lpd_t) +corenet_tcp_sendrecv_generic_if(lpd_t) +corenet_udp_sendrecv_generic_if(lpd_t) +corenet_tcp_sendrecv_generic_node(lpd_t) +corenet_udp_sendrecv_generic_node(lpd_t) +corenet_tcp_sendrecv_all_ports(lpd_t) +corenet_udp_sendrecv_all_ports(lpd_t) +corenet_tcp_bind_generic_node(lpd_t) +corenet_tcp_bind_printer_port(lpd_t) +corenet_sendrecv_printer_server_packets(lpd_t) + +dev_read_sysfs(lpd_t) +dev_rw_printer(lpd_t) + +fs_getattr_all_fs(lpd_t) +fs_search_auto_mountpoints(lpd_t) + +# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp +corecmd_exec_bin(lpd_t) +corecmd_exec_shell(lpd_t) + +domain_use_interactive_fds(lpd_t) + +files_read_etc_runtime_files(lpd_t) +files_read_usr_files(lpd_t) +# for defoma +files_list_world_readable(lpd_t) +files_read_world_readable_files(lpd_t) +files_read_world_readable_symlinks(lpd_t) +files_list_var_lib(lpd_t) +files_read_var_lib_files(lpd_t) +files_read_var_lib_symlinks(lpd_t) +# config files for lpd are of type etc_t, probably should change this +files_read_etc_files(lpd_t) + +logging_send_syslog_msg(lpd_t) + +miscfiles_read_fonts(lpd_t) +miscfiles_read_localization(lpd_t) + +sysnet_read_config(lpd_t) + +userdom_dontaudit_use_unpriv_user_fds(lpd_t) +userdom_dontaudit_search_user_home_dirs(lpd_t) + +optional_policy(` + nis_use_ypbind(lpd_t) +') + +optional_policy(` + seutil_sigchld_newrole(lpd_t) +') + +optional_policy(` + udev_read_db(lpd_t) +') + +############################## +# +# Local policy +# + +allow lpr_t self:capability { setuid dac_override net_bind_service chown }; +allow lpr_t self:unix_stream_socket create_stream_socket_perms; +allow lpr_t self:tcp_socket create_socket_perms; +allow lpr_t self:udp_socket 
create_socket_perms; + +can_exec(lpr_t, lpr_exec_t) + +# Allow lpd to read, rename, and unlink spool files. +allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms }; + +kernel_read_kernel_sysctls(lpr_t) + +corenet_all_recvfrom_unlabeled(lpr_t) +corenet_all_recvfrom_netlabel(lpr_t) +corenet_tcp_sendrecv_generic_if(lpr_t) +corenet_udp_sendrecv_generic_if(lpr_t) +corenet_tcp_sendrecv_generic_node(lpr_t) +corenet_udp_sendrecv_generic_node(lpr_t) +corenet_tcp_sendrecv_all_ports(lpr_t) +corenet_udp_sendrecv_all_ports(lpr_t) +corenet_tcp_connect_all_ports(lpr_t) +corenet_sendrecv_all_client_packets(lpr_t) + +dev_read_rand(lpr_t) +dev_read_urand(lpr_t) + +domain_use_interactive_fds(lpr_t) + +files_search_spool(lpr_t) +# for lpd config files (should have a new type) +files_read_etc_files(lpr_t) +# for test print +files_read_usr_files(lpr_t) +#Added to cover read_content macro +files_list_home(lpr_t) +files_read_generic_tmp_files(lpr_t) + +fs_getattr_xattr_fs(lpr_t) + +# Access the terminal. +term_use_controlling_term(lpr_t) +term_use_generic_ptys(lpr_t) + +auth_use_nsswitch(lpr_t) + +miscfiles_read_localization(lpr_t) + +userdom_read_user_tmp_symlinks(lpr_t) +# Write to the user domain tty. +userdom_use_user_terminals(lpr_t) +userdom_read_user_home_content_files(lpr_t) +userdom_read_user_tmp_files(lpr_t) + +tunable_policy(`use_lpd_server',` + # lpr can run in lightweight mode, without a local print spooler. + allow lpr_t lpd_var_run_t:dir search_dir_perms; + allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms; + files_read_var_files(lpr_t) + + # Connect to lpd via a Unix domain socket. + allow lpr_t printer_t:sock_file read_sock_file_perms; + stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t) + # Send SIGHUP to lpd. 
+ allow lpr_t lpd_t:process signal; + + manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) + manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) + files_tmp_filetrans(lpr_t, lpr_tmp_t, { file dir }) + + manage_files_pattern(lpr_t, print_spool_t, print_spool_t) + filetrans_pattern(lpr_t, print_spool_t, print_spool_t, file) + # Read and write shared files in the spool directory. + allow lpr_t print_spool_t:file rw_file_perms; + + allow lpr_t printconf_t:dir list_dir_perms; + read_files_pattern(lpr_t, printconf_t, printconf_t) + read_lnk_files_pattern(lpr_t, printconf_t, printconf_t) +') + +tunable_policy(`use_nfs_home_dirs',` + files_list_home(lpr_t) + fs_list_auto_mountpoints(lpr_t) + fs_read_nfs_files(lpr_t) + fs_read_nfs_symlinks(lpr_t) +') + +tunable_policy(`use_samba_home_dirs',` + files_list_home(lpr_t) + fs_list_auto_mountpoints(lpr_t) + fs_read_cifs_files(lpr_t) + fs_read_cifs_symlinks(lpr_t) +') + +optional_policy(` + cups_read_config(lpr_t) + cups_stream_connect(lpr_t) + cups_read_pid_files(lpr_t) +') + +optional_policy(` + logging_send_syslog_msg(lpr_t) +') diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc new file mode 100644 index 0000000..14ad189 --- /dev/null +++ b/policy/modules/services/mailman.fc 
@@ -0,0 +1,34 @@ +/usr/lib(64)?/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) + +/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) +/var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) +/var/lock/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) +/var/log/mailman(/.*)? gen_context(system_u:object_r:mailman_log_t,s0) +/var/run/mailman(/.*)? gen_context(system_u:object_r:mailman_lock_t,s0) + +# +# distro_debian +# +ifdef(`distro_debian', ` +/etc/cron\.daily/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) +/etc/cron\.monthly/mailman -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) + +/usr/lib/cgi-bin/mailman/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) +/usr/lib/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/mailman/mail/wrapper -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +') + +# +# distro_redhat +# +ifdef(`distro_redhat', ` +/etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) + +/usr/lib(64)?/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) +/usr/lib(64)?/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) +/usr/lib(64)?/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib(64)?/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) + +/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) +') diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if new file mode 100644 index 0000000..84b7626 --- /dev/null +++ b/policy/modules/services/mailman.if 
@@ -0,0 +1,352 @@ +## <summary>Mailman is for managing electronic mail discussion and e-newsletter lists</summary> + +####################################### +## <summary> +## The template to define a mailmain domain. +## </summary> +## <desc> +## <p> +## This template creates a domain to be used for +## a new mailman daemon. +## </p> +## </desc> +## <param name="userdomain_prefix"> +## <summary> +## The type of daemon to be used eg, cgi would give mailman_cgi_ +## </summary> +## </param> +# +template(`mailman_domain_template',` + type mailman_$1_t; + domain_type(mailman_$1_t) + role system_r types mailman_$1_t; + + type mailman_$1_exec_t; + domain_entry_file(mailman_$1_t, mailman_$1_exec_t) + + type mailman_$1_tmp_t; + files_tmp_file(mailman_$1_tmp_t) + + allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms; + allow mailman_$1_t self:tcp_socket create_stream_socket_perms; + allow mailman_$1_t self:udp_socket create_socket_perms; + + files_search_spool(mailman_$1_t) + + manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) + manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) + manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t) + + manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) + manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) + manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t) + + manage_files_pattern(mailman_$1_t, mailman_lock_t, mailman_lock_t) + files_lock_filetrans(mailman_$1_t, mailman_lock_t, file) + + manage_files_pattern(mailman_$1_t, mailman_log_t, mailman_log_t) + logging_log_filetrans(mailman_$1_t, mailman_log_t, file) + + manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t) + manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t) + files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir }) + + kernel_read_kernel_sysctls(mailman_$1_t) + 
kernel_read_system_state(mailman_$1_t) + + corenet_all_recvfrom_unlabeled(mailman_$1_t) + corenet_all_recvfrom_netlabel(mailman_$1_t) + corenet_tcp_sendrecv_generic_if(mailman_$1_t) + corenet_udp_sendrecv_generic_if(mailman_$1_t) + corenet_raw_sendrecv_generic_if(mailman_$1_t) + corenet_tcp_sendrecv_generic_node(mailman_$1_t) + corenet_udp_sendrecv_generic_node(mailman_$1_t) + corenet_raw_sendrecv_generic_node(mailman_$1_t) + corenet_tcp_sendrecv_all_ports(mailman_$1_t) + corenet_udp_sendrecv_all_ports(mailman_$1_t) + corenet_tcp_bind_generic_node(mailman_$1_t) + corenet_udp_bind_generic_node(mailman_$1_t) + corenet_tcp_connect_smtp_port(mailman_$1_t) + corenet_sendrecv_smtp_client_packets(mailman_$1_t) + + fs_getattr_xattr_fs(mailman_$1_t) + + corecmd_exec_all_executables(mailman_$1_t) + + files_exec_etc_files(mailman_$1_t) + files_read_usr_files(mailman_$1_t) + files_list_var(mailman_$1_t) + files_list_var_lib(mailman_$1_t) + files_read_var_lib_symlinks(mailman_$1_t) + files_read_etc_runtime_files(mailman_$1_t) + + auth_use_nsswitch(mailman_$1_t) + + libs_exec_ld_so(mailman_$1_t) + libs_exec_lib_files(mailman_$1_t) + + logging_send_syslog_msg(mailman_$1_t) + + miscfiles_read_localization(mailman_$1_t) +') + +####################################### +## <summary> +## Execute mailman in the mailman domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`mailman_domtrans',` + gen_require(` + type mailman_mail_exec_t, mailman_mail_t; + ') + + domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t) +') + +####################################### +## <summary> +## Execute mailman CGI scripts in the +## mailman CGI domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`mailman_domtrans_cgi',` + gen_require(` + type mailman_cgi_exec_t, mailman_cgi_t; + ') + + domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t) +') + +####################################### +## <summary> +## Execute mailman in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowd access. +## </summary> +## </param> +# +interface(`mailman_exec',` + gen_require(` + type mailman_mail_exec_t; + ') + + can_exec($1, mailman_mail_exec_t) +') + +####################################### +## <summary> +## Send generic signals to the mailman cgi domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mailman_signal_cgi',` + gen_require(` + type mailman_cgi_t; + ') + + allow $1 mailman_cgi_t:process signal; +') + +####################################### +## <summary> +## Allow domain to search data directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mailman_search_data',` + gen_require(` + type mailman_data_t; + ') + + allow $1 mailman_data_t:dir search_dir_perms; +') + +####################################### +## <summary> +## Allow domain to to read mailman data files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mailman_read_data_files',` + gen_require(` + type mailman_data_t; + ') + + list_dirs_pattern($1, mailman_data_t, mailman_data_t) + read_files_pattern($1, mailman_data_t, mailman_data_t) + read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) +') + +####################################### +## <summary> +## Allow domain to to create mailman data files +## and write the directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`mailman_manage_data_files',` + gen_require(` + type mailman_data_t; + ') + + manage_dirs_pattern($1, mailman_data_t, mailman_data_t) + manage_files_pattern($1, mailman_data_t, mailman_data_t) +') + +####################################### +## <summary> +## List the contents of mailman data directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mailman_list_data',` + gen_require(` + type mailman_data_t; + ') + + allow $1 mailman_data_t:dir list_dir_perms; +') + +####################################### +## <summary> +## Allow read acces to mailman data symbolic links. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mailman_read_data_symlinks',` + gen_require(` + type mailman_data_t; + ') + + read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) +') + +####################################### +## <summary> +## Read mailman logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mailman_read_log',` + gen_require(` + type mailman_log_t; + ') + + read_files_pattern($1, mailman_log_t, mailman_log_t) +') + +####################################### +## <summary> +## Append to mailman logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mailman_append_log',` + gen_require(` + type mailman_log_t; + ') + + append_files_pattern($1, mailman_log_t, mailman_log_t) +') + +####################################### +## <summary> +## Create, read, write, and delete +## mailman logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`mailman_manage_log',` + gen_require(` + type mailman_log_t; + ') + + manage_files_pattern($1, mailman_log_t, mailman_log_t) + manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t) +') + +####################################### +## <summary> +## Allow domain to read mailman archive files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mailman_read_archive',` + gen_require(` + type mailman_archive_t; + ') + + allow $1 mailman_archive_t:dir list_dir_perms; + read_files_pattern($1, mailman_archive_t, mailman_archive_t) + read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t) +') + +####################################### +## <summary> +## Execute mailman_queue in the mailman_queue domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`mailman_domtrans_queue',` + gen_require(` + type mailman_queue_exec_t, mailman_queue_t; + ') + + domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) +') diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te new file mode 100644 index 0000000..96e3c80 --- /dev/null +++ b/policy/modules/services/mailman.te 
@@ -0,0 +1,132 @@ +policy_module(mailman, 1.8.0) + +######################################## +# +# Declarations +# + +mailman_domain_template(cgi) + +type mailman_data_t; +files_type(mailman_data_t) + +type mailman_archive_t; +files_type(mailman_archive_t) + +type mailman_log_t; +logging_log_file(mailman_log_t) + +type mailman_lock_t; +files_lock_file(mailman_lock_t) + +mailman_domain_template(mail) +init_daemon_domain(mailman_mail_t, mailman_mail_exec_t) + +mailman_domain_template(queue) + +######################################## +# +# Mailman CGI local policy +# + +# cjp: the template invocation for cgi should be +# in the below optional policy; however, there are no +# optionals for file contexts yet, so it is promoted +# to global scope until such facilities exist. + +optional_policy(` + dev_read_urand(mailman_cgi_t) + + manage_dirs_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t) + manage_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t) + manage_lnk_files_pattern(mailman_cgi_t, mailman_archive_t, mailman_archive_t) + + files_search_spool(mailman_cgi_t) + + term_use_controlling_term(mailman_cgi_t) + + # for python pre-compile foolishness + libs_dontaudit_write_lib_dirs(mailman_cgi_t) + + apache_sigchld(mailman_cgi_t) + apache_use_fds(mailman_cgi_t) + apache_dontaudit_append_log(mailman_cgi_t) + apache_search_sys_script_state(mailman_cgi_t) + apache_read_config(mailman_cgi_t) + apache_dontaudit_rw_stream_sockets(mailman_cgi_t) +') + +######################################## +# +# Mailman mail local policy +# + +allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; +allow mailman_mail_t self:process { signal signull }; +allow mailman_mail_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) +manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) +manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, 
mailman_archive_t) + +files_search_spool(mailman_mail_t) + +fs_rw_anon_inodefs_files(mailman_mail_t) + +mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) +mta_dontaudit_rw_queue(mailman_mail_t) + +optional_policy(` + courier_read_spool(mailman_mail_t) +') + +optional_policy(` + gnome_dontaudit_search_config(mailman_mail_t) +') + +optional_policy(` + cron_read_pipes(mailman_mail_t) +') + +optional_policy(` + postfix_search_spool(mailman_mail_t) +') + +######################################## +# +# Mailman queue local policy +# + +allow mailman_queue_t self:capability { setgid setuid }; +allow mailman_queue_t self:process signal; +allow mailman_queue_t self:fifo_file rw_fifo_file_perms; +allow mailman_queue_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) +manage_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) +manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) + +kernel_read_proc_symlinks(mailman_queue_t) + +auth_domtrans_chk_passwd(mailman_queue_t) + +files_dontaudit_search_pids(mailman_queue_t) + +# for su +seutil_dontaudit_search_config(mailman_queue_t) + +# some of the following could probably be changed to dontaudit, someone who +# knows mailman well should test this out and send the changes +userdom_search_user_home_dirs(mailman_queue_t) + +optional_policy(` + apache_read_config(mailman_queue_t) +') + +optional_policy(` + cron_system_entry(mailman_queue_t, mailman_queue_exec_t) +') + +optional_policy(` + su_exec(mailman_queue_t) +') diff --git a/policy/modules/services/memcached.fc b/policy/modules/services/memcached.fc new file mode 100644 index 0000000..4d69477 --- /dev/null +++ b/policy/modules/services/memcached.fc 
@@ -0,0 +1,5 @@ +/etc/rc\.d/init\.d/memcached -- gen_context(system_u:object_r:memcached_initrc_exec_t,s0) + +/usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0) + +/var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0) diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if new file mode 100644 index 0000000..5008a6c --- /dev/null +++ b/policy/modules/services/memcached.if 
@@ -0,0 +1,72 @@ +## <summary>high-performance memory object caching system</summary> + +######################################## +## <summary> +## Execute a domain transition to run memcached. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`memcached_domtrans',` + gen_require(` + type memcached_t, memcached_exec_t; + ') + + domtrans_pattern($1, memcached_exec_t, memcached_t) +') + +######################################## +## <summary> +## Read memcached PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`memcached_read_pid_files',` + gen_require(` + type memcached_var_run_t; + ') + + files_search_pids($1) + allow $1 memcached_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an memcached environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the memcached domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`memcached_admin',` + gen_require(` + type memcached_t, memcached_initrc_exec_t, memcached_var_run_t; + ') + + allow $1 memcached_t:process { ptrace signal_perms }; + ps_process_pattern($1, memcached_t) + + init_labeled_script_domtrans($1, memcached_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 memcached_initrc_exec_t system_r; + allow $2 system_r; + + files_list_pids($1) + admin_pattern($1, memcached_var_run_t) +') diff --git a/policy/modules/services/memcached.te b/policy/modules/services/memcached.te new file mode 100644 index 0000000..b681608 --- /dev/null +++ b/policy/modules/services/memcached.te 
@@ -0,0 +1,58 @@ +policy_module(memcached, 1.2.0) + +######################################## +# +# Declarations +# + +type memcached_t; +type memcached_exec_t; +init_daemon_domain(memcached_t, memcached_exec_t) + +type memcached_initrc_exec_t; +init_script_file(memcached_initrc_exec_t) + +type memcached_var_run_t; +files_pid_file(memcached_var_run_t) + +######################################## +# +# memcached local policy +# + +allow memcached_t self:capability { setuid setgid }; +dontaudit memcached_t self:capability sys_tty_config; +allow memcached_t self:process { setrlimit signal_perms }; +allow memcached_t self:tcp_socket create_stream_socket_perms; +allow memcached_t self:udp_socket { create_socket_perms listen }; +allow memcached_t self:fifo_file rw_fifo_file_perms; +allow memcached_t self:unix_stream_socket create_stream_socket_perms; + +corenet_all_recvfrom_unlabeled(memcached_t) +corenet_udp_sendrecv_generic_if(memcached_t) +corenet_udp_sendrecv_generic_node(memcached_t) +corenet_udp_sendrecv_all_ports(memcached_t) +corenet_udp_bind_generic_node(memcached_t) +corenet_tcp_sendrecv_generic_if(memcached_t) +corenet_tcp_sendrecv_generic_node(memcached_t) +corenet_tcp_sendrecv_all_ports(memcached_t) +corenet_tcp_bind_generic_node(memcached_t) +corenet_tcp_bind_memcache_port(memcached_t) +corenet_udp_bind_memcache_port(memcached_t) + +manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) +manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) +files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir }) + +kernel_read_kernel_sysctls(memcached_t) +kernel_read_system_state(memcached_t) + +files_read_etc_files(memcached_t) + +term_dontaudit_use_all_ptys(memcached_t) +term_dontaudit_use_all_ttys(memcached_t) +term_dontaudit_use_console(memcached_t) + +auth_use_nsswitch(memcached_t) + +miscfiles_read_localization(memcached_t) 
diff --git a/policy/modules/services/metadata.xml b/policy/modules/services/metadata.xml new file mode 100644 index 0000000..4e6ec17 --- /dev/null +++ b/policy/modules/services/metadata.xml @@ -0,0 +1,4 @@ +<summary> + Policy modules for system services, like cron, and network services, + like sshd. +</summary> diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc new file mode 100644 index 0000000..613c69d --- /dev/null +++ b/policy/modules/services/milter.fc @@ -0,0 +1,17 @@ +/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) + +/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) +/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) +/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) +/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0) + +/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) +/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) + +/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) +/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) +/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) +/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) +/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0) + +/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if new file mode 100644 index 0000000..d7e81f3 --- /dev/null +++ b/policy/modules/services/milter.if 
@@ -0,0 +1,140 @@ +## <summary>Milter mail filters</summary> + +######################################## +## <summary> +## Create a set of derived types for various +## mail filter applications using the milter interface. +## </summary> +## <param name="milter_name"> +## <summary> +## The name to be used for deriving type names. +## </summary> +## </param> +# +template(`milter_template',` + # attributes common to all milters + gen_require(` + attribute milter_data_type, milter_domains; + ') + + type $1_milter_t, milter_domains; + type $1_milter_exec_t; + init_daemon_domain($1_milter_t, $1_milter_exec_t) + role system_r types $1_milter_t; + + # Type for the milter data (e.g. the socket used to communicate with the MTA) + type $1_milter_data_t, milter_data_type; + files_type($1_milter_data_t) + + allow $1_milter_t self:fifo_file rw_fifo_file_perms; + + # Allow communication with MTA over a unix-domain socket + # Note: usage with TCP sockets requires additional policy + manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) + + # Create other data files and directories in the data directory + manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) + + files_read_etc_files($1_milter_t) + + kernel_dontaudit_read_system_state($1_milter_t) + + miscfiles_read_localization($1_milter_t) + + logging_send_syslog_msg($1_milter_t) +') + +######################################## +## <summary> +## MTA communication with milter sockets +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`milter_stream_connect_all',` + gen_require(` + attribute milter_data_type, milter_domains; + ') + + files_search_pids($1) + stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains) +') + +######################################## +## <summary> +## Allow getattr of milter sockets +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`milter_getattr_all_sockets',` + gen_require(` + attribute milter_data_type; + ') + + getattr_sock_files_pattern($1, milter_data_type, milter_data_type) +') + +######################################## +## <summary> +## Allow setattr of milter dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`milter_setattr_all_dirs',` + gen_require(` + attribute milter_data_type; + ') + + setattr_dirs_pattern($1, milter_data_type, milter_data_type) +') + +######################################## +## <summary> +## Manage spamassassin milter state +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`milter_manage_spamass_state',` + gen_require(` + type spamass_milter_state_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) + manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t) + manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) +') + +####################################### +## <summary> +## Delete dkim-milter PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`milter_delete_dkim_pid_files',` + gen_require(` + type dkim_milter_data_t; + ') + + files_search_pids($1) + delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) +') diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te new file mode 100644 index 0000000..f42a489 --- /dev/null +++ b/policy/modules/services/milter.te 
@@ -0,0 +1,119 @@ +policy_module(milter, 1.2.1) + +######################################## +# +# Declarations +# + +# attributes common to all milters +attribute milter_domains; +attribute milter_data_type; + +# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter +milter_template(dkim) + +# type for the private key of dkim-milter +type dkim_milter_private_key_t; +files_type(dkim_milter_private_key_t) + +# currently-supported milters are milter-greylist, milter-regex and spamass-milter +milter_template(greylist) +milter_template(regex) +milter_template(spamass) + +# Type for the spamass-milter home directory, under which spamassassin will +# store system-wide preferences, bayes databases etc. if not configured to +# use per-user configuration +type spamass_milter_state_t; +files_type(spamass_milter_state_t) + +####################################### +# +# dkim-milter local policy +# + +allow dkim_milter_t self:capability { kill setgid setuid }; +allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms; + +read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) + +auth_use_nsswitch(dkim_milter_t) + +sysnet_dns_name_resolve(dkim_milter_t) + +mta_read_config(dkim_milter_t) + +######################################## +# +# milter-greylist local policy +# ensure smtp clients retry mail like real MTAs and not spamware +# http://hcpnet.free.fr/milter-greylist/ +# + +# It removes any existing socket (not owned by root) whilst running as root, +# fixes permissions, renices itself and then calls setgid() and setuid() to +# drop privileges +allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice }; +allow greylist_milter_t self:process { setsched getsched }; + +# It creates a pid file /var/run/milter-greylist.pid +files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file) + +kernel_read_kernel_sysctls(greylist_milter_t) + +# Allow the milter to read a 
GeoIP database in /usr/share +files_read_usr_files(greylist_milter_t) +# The milter runs from /var/lib/milter-greylist and maintains files there +files_search_var_lib(greylist_milter_t) + +# Look up username for dropping privs +auth_use_nsswitch(greylist_milter_t) + +# Config is in /etc/mail/greylist.conf +mta_read_config(greylist_milter_t) + +######################################## +# +# milter-regex local policy +# filter emails using regular expressions +# http://www.benzedrine.cx/milter-regex.html +# + +# It removes any existing socket (not owned by root) whilst running as root +# and then calls setgid() and setuid() to drop privileges +allow regex_milter_t self:capability { setuid setgid dac_override }; + +# The milter's socket directory lives under /var/spool +files_search_spool(regex_milter_t) + +# Look up username for dropping privs +auth_use_nsswitch(regex_milter_t) + +# Config is in /etc/mail/milter-regex.conf +mta_read_config(regex_milter_t) + +######################################## +# +# spamass-milter local policy +# pipe emails through SpamAssassin +# http://savannah.nongnu.org/projects/spamass-milt/ +# + +# The milter runs from /var/lib/spamass-milter +allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms; +files_search_var_lib(spamass_milter_t) + +kernel_read_system_state(spamass_milter_t) + +# When used with -b or -B options, the milter invokes sendmail to send mail +# to a spamtrap address, using popen() +corecmd_exec_shell(spamass_milter_t) +corecmd_read_bin_symlinks(spamass_milter_t) +corecmd_search_bin(spamass_milter_t) + +mta_send_mail(spamass_milter_t) + +# The main job of the milter is to pipe spam through spamc and act on the result +optional_policy(` + spamassassin_domtrans_client(spamass_milter_t) +') diff --git a/policy/modules/services/mock.fc b/policy/modules/services/mock.fc new file mode 100644 index 0000000..42bb2a3 --- /dev/null +++ b/policy/modules/services/mock.fc 
@@ -0,0 +1,6 @@ + +/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0) + +/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0) + +/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0) diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if new file mode 100644 index 0000000..d76fb11 --- /dev/null +++ b/policy/modules/services/mock.if 
@@ -0,0 +1,236 @@ +## <summary>policy for mock</summary> + +######################################## +## <summary> +## Execute a domain transition to run mock. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`mock_domtrans',` + gen_require(` + type mock_t, mock_exec_t; + ') + + domtrans_pattern($1, mock_exec_t, mock_t) +') + +######################################## +## <summary> +## Search mock lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mock_search_lib',` + gen_require(` + type mock_var_lib_t; + ') + + allow $1 mock_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Read mock lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mock_read_lib_files',` + gen_require(` + type mock_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, mock_var_lib_t, mock_var_lib_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## mock lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mock_manage_lib_files',` + gen_require(` + type mock_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t) +') + +######################################## +## <summary> +## Manage mock lib dirs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mock_manage_lib_dirs',` + gen_require(` + type mock_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t) +') + +######################################### +## <summary> +## Manage mock lib symlinks. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mock_manage_lib_symlinks',` + gen_require(` + type mock_var_lib_t; + ') + + files_search_var_lib($1) + manage_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t) +') + +######################################## +## <summary> +## Manage mock lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mock_manage_lib_chr_files',` + gen_require(` + type mock_var_lib_t; + ') + + files_search_var_lib($1) + manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t) +') + +######################################## +## <summary> +## Execute mock in the mock domain, and +## allow the specified role the mock domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the mock domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`mock_run',` + gen_require(` + type mock_t; + ') + + mock_domtrans($1) + role $2 types mock_t; +') + +######################################## +## <summary> +## Role access for mock +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +## <rolecap/> +# +interface(`mock_role',` + gen_require(` + type mock_t; + ') + + role $1 types mock_t; + + mock_domtrans($2) + + ps_process_pattern($2, mock_t) + allow $2 mock_t:process { ptrace signal_perms }; +') + +####################################### +## <summary> +## Send a generic signal to mock. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`mock_signal',` + gen_require(` + type mock_t; + ') + + allow $1 mock_t:process signal; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an mock environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mock_admin',` + gen_require(` + type mock_t, mock_var_lib_t; + ') + + allow $1 mock_t:process { ptrace signal_perms }; + ps_process_pattern($1, mock_t) + + files_list_var_lib($1) + admin_pattern($1, mock_var_lib_t) +') diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te new file mode 100644 index 0000000..b05a9cd --- /dev/null +++ b/policy/modules/services/mock.te 
@@ -0,0 +1,99 @@ +policy_module(mock,1.0.0) + +######################################## +# +# Declarations +# + +type mock_t; +type mock_exec_t; +application_domain(mock_t, mock_exec_t) +domain_role_change_exemption(mock_t) +domain_system_change_exemption(mock_t) +role system_r types mock_t; + +permissive mock_t; + +type mock_cache_t; +files_type(mock_cache_t) + +type mock_tmp_t; +files_tmp_file(mock_tmp_t) + +type mock_var_lib_t; +files_type(mock_var_lib_t) + +######################################## +# +# mock local policy +# + +allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; +allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid sigkill }; +dontaudit mock_t self:process { siginh noatsecure rlimitinh }; +allow mock_t self:fifo_file manage_fifo_file_perms; +allow mock_t self:unix_stream_socket create_stream_socket_perms; +allow mock_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t) +manage_files_pattern(mock_t, mock_cache_t, mock_cache_t) +files_var_filetrans(mock_t, mock_cache_t, { dir file } ) + +manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t) +manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t) +files_tmp_filetrans(mock_t, mock_tmp_t, { dir file }) +can_exec(mock_t, mock_tmp_t) + +manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) +manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) +manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) +manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t) +files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file }) +can_exec(mock_t, mock_var_lib_t) +allow mock_t mock_var_lib_t:dir mounton; + +kernel_list_proc(mock_t) +kernel_read_irq_sysctls(mock_t) +kernel_read_system_state(mock_t) +kernel_read_kernel_sysctls(mock_t) +kernel_request_load_module(mock_t) + +corecmd_exec_bin(mock_t) 
+corecmd_exec_shell(mock_t) + +corenet_tcp_connect_http_port(mock_t) + +dev_read_urand(mock_t) + +domain_read_all_domains_state(mock_t) +domain_use_interactive_fds(mock_t) + +files_read_etc_files(mock_t) +files_read_usr_files(mock_t) + +fs_getattr_all_fs(mock_t) + +selinux_get_enforce_mode(mock_t) + +auth_use_nsswitch(mock_t) + +init_exec(mock_t) + +libs_domtrans_ldconfig(mock_t) + +logging_send_audit_msgs(mock_t) +logging_send_syslog_msg(mock_t) + +miscfiles_read_localization(mock_t) + +mount_domtrans(mock_t) + +optional_policy(` + rpm_exec(mock_t) + rpm_manage_db(mock_t) + rpm_entry_type(mock_t) +') + +optional_policy(` + apache_read_sys_content_rw_files(mock_t) +') diff --git a/policy/modules/services/modemmanager.fc b/policy/modules/services/modemmanager.fc new file mode 100644 index 0000000..a83894c --- /dev/null +++ b/policy/modules/services/modemmanager.fc @@ -0,0 +1 @@ +/usr/sbin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0) diff --git a/policy/modules/services/modemmanager.if b/policy/modules/services/modemmanager.if new file mode 100644 index 0000000..7a7fc02 --- /dev/null +++ b/policy/modules/services/modemmanager.if 
@@ -0,0 +1,40 @@ +## <summary>Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards.</summary> + +######################################## +## <summary> +## Execute a domain transition to run modemmanager. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`modemmanager_domtrans',` + gen_require(` + type modemmanager_t, modemmanager_exec_t; + ') + + domtrans_pattern($1, modemmanager_exec_t, modemmanager_t) +') + +######################################## +## <summary> +## Send and receive messages from +## modemmanager over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`modemmanager_dbus_chat',` + gen_require(` + type modemmanager_t; + class dbus send_msg; + ') + + allow $1 modemmanager_t:dbus send_msg; + allow modemmanager_t $1:dbus send_msg; +') diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te new file mode 100644 index 0000000..7f18c33 --- /dev/null +++ b/policy/modules/services/modemmanager.te 
@@ -0,0 +1,51 @@ +policy_module(modemmanager, 1.1.0) + +######################################## +# +# Declarations +# + +type modemmanager_t; +type modemmanager_exec_t; +dbus_system_domain(modemmanager_t, modemmanager_exec_t) +typealias modemmanager_t alias ModemManager_t; +typealias modemmanager_exec_t alias ModemManager_exec_t; + +######################################## +# +# ModemManager local policy +# + +allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config }; +allow modemmanager_t self:process { getsched signal }; +allow modemmanager_t self:fifo_file rw_file_perms; +allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; +allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; + +kernel_read_system_state(modemmanager_t) + +dev_read_sysfs(modemmanager_t) +dev_rw_modem(modemmanager_t) + +files_read_etc_files(modemmanager_t) + +term_use_generic_ptys(modemmanager_t) +term_use_unallocated_ttys(modemmanager_t) + +miscfiles_read_localization(modemmanager_t) + +logging_send_syslog_msg(modemmanager_t) + +networkmanager_dbus_chat(modemmanager_t) + +optional_policy(` + devicekit_dbus_chat_power(modemmanager_t) +') + +optional_policy(` + policykit_dbus_chat(modemmanager_t) +') + +optional_policy(` + udev_read_db(modemmanager_t) +') diff --git a/policy/modules/services/mojomojo.fc b/policy/modules/services/mojomojo.fc new file mode 100644 index 0000000..824c979 --- /dev/null +++ b/policy/modules/services/mojomojo.fc @@ -0,0 +1,5 @@ +/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0) + +/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_mojomojo_content_t,s0) + +/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0) diff --git a/policy/modules/services/mojomojo.if b/policy/modules/services/mojomojo.if new file mode 100644 index 0000000..88e7330 --- /dev/null +++ b/policy/modules/services/mojomojo.if 
@@ -0,0 +1,42 @@ +## <summary>MojoMojo Wiki</summary> + +######################################## +## <summary> +## All of the rules required to administrate +## an mojomojo environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mojomojo_admin',` + gen_require(` + type httpd_mojomojo_script_t, httpd_mojomojo_content_t, httpd_mojomojo_ra_content_t; + type httpd_mojomojo_rw_content_t, httpd_mojomojo_tmp_t, httpd_mojomojo_htaccess_t; + type httpd_mojomojo_script_exec_t; + ') + + allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms }; + ps_process_pattern($1, httpd_mojomojo_script_t) + + files_list_tmp($1) + admin_pattern($1, httpd_mojomojo_tmp_t) + + files_list_var_lib(httpd_mojomojo_script_t) + + apache_list_sys_content($1) + admin_pattern($1, httpd_mojomojo_script_exec_t) + admin_pattern($1, httpd_mojomojo_script_t) + admin_pattern($1, httpd_mojomojo_content_t) + admin_pattern($1, httpd_mojomojo_htaccess_t) + admin_pattern($1, httpd_mojomojo_rw_content_t) + admin_pattern($1, httpd_mojomojo_ra_content_t) +') diff --git a/policy/modules/services/mojomojo.te b/policy/modules/services/mojomojo.te new file mode 100644 index 0000000..ed69996 --- /dev/null +++ b/policy/modules/services/mojomojo.te 
@@ -0,0 +1,43 @@ +policy_module(mojomojo, 1.0.0) + +######################################## +# +# Declarations +# + +apache_content_template(mojomojo) + +type httpd_mojomojo_tmp_t; +files_tmp_file(httpd_mojomojo_tmp_t) + +######################################## +# +# mojomojo local policy +# + +allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; + +manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t) +manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t) +files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir }) + +corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t) +corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t) +corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t) +corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t) +corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t) +corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) + +files_search_var_lib(httpd_mojomojo_script_t) + +sysnet_dns_name_resolve(httpd_mojomojo_script_t) + +mta_send_mail(httpd_mojomojo_script_t) + +optional_policy(` + mysql_stream_connect(httpd_mojomojo_script_t) +') + +optional_policy(` + postgresql_stream_connect(httpd_mojomojo_script_t) +') diff --git a/policy/modules/services/monop.fc b/policy/modules/services/monop.fc new file mode 100644 index 0000000..9ee4028 --- /dev/null +++ b/policy/modules/services/monop.fc @@ -0,0 +1,4 @@ +/etc/monopd\.conf -- gen_context(system_u:object_r:monopd_etc_t,s0) + +/usr/sbin/monopd -- gen_context(system_u:object_r:monopd_exec_t,s0) +/usr/share/monopd/games(/.*)? gen_context(system_u:object_r:monopd_share_t,s0) diff --git a/policy/modules/services/monop.if b/policy/modules/services/monop.if new file mode 100644 index 0000000..2611351 --- /dev/null +++ b/policy/modules/services/monop.if @@ -0,0 +1 @@ +## <summary>Monopoly daemon</summary> 
diff --git a/policy/modules/services/monop.te b/policy/modules/services/monop.te new file mode 100644 index 0000000..6647a35 --- /dev/null +++ b/policy/modules/services/monop.te 
@@ -0,0 +1,85 @@ +policy_module(monop, 1.7.0) + +######################################## +# +# Declarations +# + +type monopd_t; +type monopd_exec_t; +init_daemon_domain(monopd_t, monopd_exec_t) + +type monopd_etc_t; +files_config_file(monopd_etc_t) + +type monopd_share_t; +files_type(monopd_share_t) + +type monopd_var_run_t; +files_pid_file(monopd_var_run_t) + +######################################## +# +# Local policy +# + +dontaudit monopd_t self:capability sys_tty_config; +allow monopd_t self:process signal_perms; +allow monopd_t self:tcp_socket create_stream_socket_perms; +allow monopd_t self:udp_socket create_socket_perms; + +allow monopd_t monopd_etc_t:file read_file_perms; +files_search_etc(monopd_t) + +allow monopd_t monopd_share_t:dir list_dir_perms; +read_files_pattern(monopd_t, monopd_share_t, monopd_share_t) +read_lnk_files_pattern(monopd_t, monopd_share_t, monopd_share_t) + +manage_files_pattern(monopd_t, monopd_var_run_t, monopd_var_run_t) +files_pid_filetrans(monopd_t, monopd_var_run_t, file) + +kernel_read_kernel_sysctls(monopd_t) +kernel_list_proc(monopd_t) +kernel_read_proc_symlinks(monopd_t) + +corenet_all_recvfrom_unlabeled(monopd_t) +corenet_all_recvfrom_netlabel(monopd_t) +corenet_tcp_sendrecv_generic_if(monopd_t) +corenet_udp_sendrecv_generic_if(monopd_t) +corenet_tcp_sendrecv_generic_node(monopd_t) +corenet_udp_sendrecv_generic_node(monopd_t) +corenet_tcp_sendrecv_all_ports(monopd_t) +corenet_udp_sendrecv_all_ports(monopd_t) +corenet_tcp_bind_generic_node(monopd_t) +corenet_tcp_bind_monopd_port(monopd_t) +corenet_sendrecv_monopd_server_packets(monopd_t) + +dev_read_sysfs(monopd_t) + +domain_use_interactive_fds(monopd_t) + +files_read_etc_files(monopd_t) + +fs_getattr_all_fs(monopd_t) +fs_search_auto_mountpoints(monopd_t) + +logging_send_syslog_msg(monopd_t) + +miscfiles_read_localization(monopd_t) + +sysnet_read_config(monopd_t) + +userdom_dontaudit_use_unpriv_user_fds(monopd_t) +userdom_dontaudit_search_user_home_dirs(monopd_t) + 
+optional_policy(` + nis_use_ypbind(monopd_t) +') + +optional_policy(` + seutil_sigchld_newrole(monopd_t) +') + +optional_policy(` + udev_read_db(monopd_t) +') diff --git a/policy/modules/services/mpd.fc b/policy/modules/services/mpd.fc new file mode 100644 index 0000000..564b22d --- /dev/null +++ b/policy/modules/services/mpd.fc @@ -0,0 +1,10 @@ + +/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0) + +/etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0) + +/usr/bin/mpd -- gen_context(system_u:object_r:mpd_exec_t,s0) + +/var/lib/mpd(/.*)? gen_context(system_u:object_r:mpd_var_lib_t,s0) +/var/lib/mpd/music(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) +/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if new file mode 100644 index 0000000..311aaed --- /dev/null +++ b/policy/modules/services/mpd.if 
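Review bot: `corenet_tcp_sendrecv_all_ports(monopd_t)` and `corenet_udp_sendrecv_all_ports(monopd_t)` are wider than the daemon's declared footprint: the only bind is `corenet_tcp_bind_monopd_port(monopd_t)` and the packet rule is `corenet_sendrecv_monopd_server_packets(monopd_t)`, so the sendrecv rules can be narrowed to the monopd port. The `allow monopd_t self:udp_socket create_socket_perms;` line, together with the generic UDP sendrecv calls, has no UDP bind or port rule to justify it; add a comment saying what the UDP socket is used for, or drop the UDP rules until an audit shows they are needed.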
@@ -0,0 +1,267 @@ +## <summary>policy for daemon for playing music</summary> + +######################################## +## <summary> +## Execute a domain transition to run mpd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`mpd_domtrans',` + gen_require(` + type mpd_t, mpd_exec_t; + ') + + domtrans_pattern($1, mpd_exec_t, mpd_t) +') + +######################################## +## <summary> +## Execute mpd server in the mpd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mpd_initrc_domtrans',` + gen_require(` + type mpd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, mpd_initrc_exec_t) +') + +####################################### +## <summary> +## Read mpd data files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mpd_read_data_files',` + gen_require(` + type mpd_data_t; + ') + + mpd_search_lib($1) + read_files_pattern($1, mpd_data_t, mpd_data_t) +') + +####################################### +## <summary> +## Read mpd tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mpd_read_tmpfs_files',` + gen_require(` + type mpd_tmpfs_t; + ') + + fs_search_tmpfs($1) + read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) +') + +################################### +## <summary> +## Manage mpd tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mpd_manage_tmpfs_files',` + gen_require(` + type mpd_tmpfs_t; + ') + + fs_search_tmpfs($1) + manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) + manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) +') + +###################################### +## <summary> +## Manage mpd data files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mpd_manage_data_files',` + gen_require(` + type mpd_data_t; + ') + + mpd_search_lib($1) + manage_files_pattern($1, mpd_data_t, mpd_data_t) +') + +######################################## +## <summary> +## Search mpd lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mpd_search_lib',` + gen_require(` + type mpd_var_lib_t; + ') + + allow $1 mpd_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Read mpd lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mpd_read_lib_files',` + gen_require(` + type mpd_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## mpd lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mpd_manage_lib_files',` + gen_require(` + type mpd_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) +') + +####################################### +## <summary> +## Create an object in the root directory, with a private +## type using a type transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="private type"> +## <summary> +## The type of the object to be created. +## </summary> +## </param> +## <param name="object"> +## <summary> +## The object class of the object being created. 
+## </summary> +## </param> +# +interface(`mpd_var_lib_filetrans',` + gen_require(` + type mpd_var_lib_t; + ') + + files_search_var_lib($1) + filetrans_pattern($1, mpd_var_lib_t, $2, $3) +') + +######################################## +## <summary> +## Manage mpd lib dirs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mpd_manage_lib_dirs',` + gen_require(` + type mpd_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an mpd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mpd_admin',` + gen_require(` + type mpd_t, mpd_initrc_exec_t, mpd_etc_t; + type mpd_data_t, mpd_log_t, mpd_var_lib_t; + type mpd_tmpfs_t; + ') + + allow $1 mpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, mpd_t) + + mpd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 mpd_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, mpd_etc_t) + files_list_etc($1) + + files_list_var_lib($1) + admin_pattern($1, mpd_var_lib_t) + + admin_pattern($1, mpd_data_t) + + admin_pattern($1, mpd_log_t) + + fs_list_tmpfs($1) + admin_pattern($1, mpd_tmpfs_t) +') diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te new file mode 100644 index 0000000..84bc8bb --- /dev/null +++ b/policy/modules/services/mpd.te 
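Review bot: `mpd_admin` omits `mpd_tmp_t`, although mpd.te declares it (`type mpd_tmp_t; files_tmp_file(mpd_tmp_t)`) and the interface already covers the tmpfs type with `fs_list_tmpfs($1)` and `admin_pattern($1, mpd_tmpfs_t)`; add `mpd_tmp_t` to the `gen_require` with `files_list_tmp($1)` and `admin_pattern($1, mpd_tmp_t)`, otherwise the admin domain cannot clean up the daemon's /tmp objects. Documentation: the summary of `mpd_var_lib_filetrans` says "Create an object in the root directory", which is copy-paste residue; the body transitions objects created in `mpd_var_lib_t`. The summary of `mpd_manage_lib_dirs` reads "Manage mpd lib dirs files" but the body only manages directories. `mpd_read_lib_files` and `mpd_manage_lib_files` call `files_search_var_lib($1)` where `mpd_read_data_files` and `mpd_manage_data_files` call `mpd_search_lib($1)`; pick one convention. The `####` separator lines above the interfaces vary in width; make them uniform.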
@@ -0,0 +1,110 @@ +policy_module(mpd, 1.0.0) + +######################################## +# +# Declarations +# + +type mpd_t; +type mpd_exec_t; +init_daemon_domain(mpd_t, mpd_exec_t) + +permissive mpd_t; + +type mpd_initrc_exec_t; +init_script_file(mpd_initrc_exec_t) + +type mpd_etc_t; +files_config_file(mpd_etc_t) + +# type for music content +type mpd_data_t; +files_type(mpd_data_t) + +type mpd_log_t; +logging_log_file(mpd_log_t) + +type mpd_tmp_t; +files_tmp_file(mpd_tmp_t) + +type mpd_tmpfs_t; +files_tmpfs_file(mpd_tmpfs_t) + +type mpd_var_lib_t; +files_type(mpd_var_lib_t) + +######################################## +# +# mpd local policy +# + +#cjp: dac_override bug in mpd relating to mpd.log file +allow mpd_t self:capability { dac_override kill setgid setuid }; +allow mpd_t self:process { getsched setsched setrlimit signal signull }; +allow mpd_t self:fifo_file rw_fifo_file_perms; +allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow mpd_t self:tcp_socket create_stream_socket_perms; +allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow mpd_t self:unix_dgram_socket { create_socket_perms sendto }; + +read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t) + +manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t) +manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t) + +manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) +manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) +manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) +files_tmp_filetrans(mpd_t, mpd_tmp_t, { dir file sock_file }) + +manage_files_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t) +manage_dirs_pattern(mpd_t, mpd_tmpfs_t, mpd_tmpfs_t) +fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file ) + +manage_dirs_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) +manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) +manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) +files_var_lib_filetrans(mpd_t, mpd_var_lib_t, { dir file lnk_file }) + +kernel_read_system_state(mpd_t) 
+kernel_read_kernel_sysctls(mpd_t) + +corecmd_exec_bin(mpd_t) + +corenet_sendrecv_pulseaudio_client_packets(mpd_t) +corenet_tcp_connect_http_port(mpd_t) +corenet_tcp_connect_http_cache_port(mpd_t) +corenet_tcp_connect_pulseaudio_port(mpd_t) +corenet_tcp_bind_mpd_port(mpd_t) +corenet_tcp_bind_soundd_port(mpd_t) + +dev_read_sysfs(mpd_t) + +files_read_usr_files(mpd_t) + +fs_getattr_tmpfs(mpd_t) +fs_list_inotifyfs(mpd_t) +fs_rw_anon_inodefs_files(mpd_t) + +auth_use_nsswitch(mpd_t) + +logging_send_syslog_msg(mpd_t) + +miscfiles_read_localization(mpd_t) + +userdom_read_home_audio_files(mpd_t) +userdom_read_user_tmpfs_files(mpd_t) + +optional_policy(` + dbus_system_bus_client(mpd_t) +') + +optional_policy(` + pulseaudio_exec(mpd_t) + pulseaudio_stream_connect(mpd_t) + pulseaudio_signull(mpd_t) +') + +optional_policy(` + udev_read_db(mpd_t) +') diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc new file mode 100644 index 0000000..c526ce8 --- /dev/null +++ b/policy/modules/services/mta.fc 
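Review bot: `permissive mpd_t;` ships the new domain with enforcement switched off: denials for `mpd_t` are only logged, so none of the rules below it have been exercised against real denials and the module provides no confinement until the statement is removed. Drop it before merge, or leave a comment stating that it is temporary and what testing is outstanding. Related: `mpd_log_t` is declared (`type mpd_log_t; logging_log_file(mpd_log_t)`) and handled in `mpd_admin`, but nothing here lets `mpd_t` create or write files of that type (no `manage_files_pattern(mpd_t, mpd_log_t, mpd_log_t)`, no `logging_log_filetrans`), and the comment `#cjp: dac_override bug in mpd relating to mpd.log file` indicates the log is currently reached through the `dac_override` capability instead. Adding the log rules and a filetrans would let `dac_override` be removed from `allow mpd_t self:capability { dac_override kill setgid setuid };`. Style: `fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file )` has a stray space before the closing parenthesis.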
@@ -0,0 +1,34 @@ +HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_home_t,s0) +HOME_DIR/dead.letter -- gen_context(system_u:object_r:mail_home_t,s0) + +/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) + +/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) +/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) +/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) +/etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) +/etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) +ifdef(`distro_redhat',` +/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) +') + +/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0) +/root/dead.letter -- gen_context(system_u:object_r:mail_home_t,s0) + +/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) + +/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + +/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) + +/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) + +/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + +/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) +/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if new file mode 100644 index 0000000..2f948ad --- /dev/null +++ b/policy/modules/services/mta.if 
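Review bot: `HOME_DIR/dead.letter` and `/root/dead.letter` leave the dot unescaped while the adjacent `\.forward` entries escape it; in a file context regex an unescaped `.` matches any character, so write `dead\.letter` in both entries. (`/etc/postfix/aliases.*` is a deliberate wildcard and is fine as written.)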
@@ -0,0 +1,985 @@ +## <summary>Policy common to all email tranfer agents.</summary> + +######################################## +## <summary> +## MTA stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mta_stub',` + gen_require(` + type sendmail_exec_t; + ') +') + +####################################### +## <summary> +## Basic mail transfer agent domain template. +## </summary> +## <desc> +## <p> +## This template creates a derived domain which is +## a email transfer agent, which sends mail on +## behalf of the user. +## </p> +## <p> +## This is the basic types and rules, common +## to the system agent and user agents. +## </p> +## </desc> +## <param name="domain_prefix"> +## <summary> +## The prefix of the domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +## <rolecap/> +# +template(`mta_base_mail_template',` + gen_require(` + attribute user_mail_domain; + type sendmail_exec_t; + ') + + ############################## + # + # $1_mail_t declarations + # + + type $1_mail_t, user_mail_domain; + application_domain($1_mail_t, sendmail_exec_t) + + type $1_mail_tmp_t; + files_tmp_file($1_mail_tmp_t) + + ############################## + # + # $1_mail_t local policy + # + + allow $1_mail_t self:capability { setuid setgid chown }; + allow $1_mail_t self:process { signal_perms setrlimit }; + allow $1_mail_t self:tcp_socket create_socket_perms; + + # re-exec itself + can_exec($1_mail_t, sendmail_exec_t) + allow $1_mail_t sendmail_exec_t:lnk_file read_lnk_file_perms; + + kernel_read_system_state($1_mail_t) + kernel_read_kernel_sysctls($1_mail_t) + + corenet_all_recvfrom_unlabeled($1_mail_t) + corenet_all_recvfrom_netlabel($1_mail_t) + corenet_tcp_sendrecv_generic_if($1_mail_t) + corenet_tcp_sendrecv_generic_node($1_mail_t) + corenet_tcp_sendrecv_all_ports($1_mail_t) + corenet_tcp_connect_all_ports($1_mail_t) + 
corenet_tcp_connect_smtp_port($1_mail_t) + corenet_sendrecv_smtp_client_packets($1_mail_t) + + corecmd_exec_bin($1_mail_t) + + files_read_etc_files($1_mail_t) + files_search_spool($1_mail_t) + # It wants to check for nscd + files_dontaudit_search_pids($1_mail_t) + + auth_use_nsswitch($1_mail_t) + + init_dontaudit_rw_utmp($1_mail_t) + + logging_send_syslog_msg($1_mail_t) + + miscfiles_read_localization($1_mail_t) + + optional_policy(` + exim_read_log($1_mail_t) + exim_append_log($1_mail_t) + exim_manage_spool_files($1_mail_t) + ') + + optional_policy(` + postfix_domtrans_user_mail_handler($1_mail_t) + ') + + optional_policy(` + procmail_exec($1_mail_t) + ') + + optional_policy(` + qmail_domtrans_inject($1_mail_t) + ') + + optional_policy(` + gen_require(` + type etc_mail_t, mail_spool_t, mqueue_spool_t; + ') + + manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) + manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) + files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir }) + + allow $1_mail_t etc_mail_t:dir search_dir_perms; + + # Write to /var/spool/mail and /var/spool/mqueue. + manage_files_pattern($1_mail_t, mail_spool_t, mail_spool_t) + manage_files_pattern($1_mail_t, mqueue_spool_t, mqueue_spool_t) + + # Check available space. 
+ fs_getattr_xattr_fs($1_mail_t) + + files_read_etc_runtime_files($1_mail_t) + + # Write to /var/log/sendmail.st + sendmail_manage_log($1_mail_t) + sendmail_create_log($1_mail_t) + ') + + optional_policy(` + uucp_manage_spool($1_mail_t) + ') +') + +######################################## +## <summary> +## Role access for mta +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +## <rolecap/> +# +interface(`mta_role',` + gen_require(` + attribute mta_user_agent; + type user_mail_t, sendmail_exec_t; + ') + + role $1 types { user_mail_t mta_user_agent }; + + # Transition from the user domain to the derived domain. + domtrans_pattern($2, sendmail_exec_t, user_mail_t) + allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms; + + allow mta_user_agent $2:fd use; + allow mta_user_agent $2:process sigchld; + allow mta_user_agent $2:fifo_file { read write }; +') + +######################################## +## <summary> +## Make the specified domain usable for a mail server. +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a mail server domain. +## </summary> +## </param> +## <param name="entry_point"> +## <summary> +## Type of the program to be used as an entry point to this domain. +## </summary> +## </param> +# +interface(`mta_mailserver',` + gen_require(` + attribute mailserver_domain; + ') + + init_daemon_domain($1, $2) + typeattribute $1 mailserver_domain; +') + +######################################## +## <summary> +## Make the specified type a MTA executable file. +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a mail client. 
+## </summary> +## </param> +# +interface(`mta_agent_executable',` + gen_require(` + attribute mta_exec_type; + ') + + typeattribute $1 mta_exec_type; + + application_executable_file($1) +') + +###################################### +## <summary> +## Dontaudit read and write an leaked file descriptors +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`mta_dontaudit_leaks_system_mail',` + gen_require(` + type system_mail_t; + ') + + dontaudit $1 system_mail_t:fifo_file write; + dontaudit $1 system_mail_t:tcp_socket { read write }; +') + +######################################## +## <summary> +## Make the specified type by a system MTA. +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a mail client. +## </summary> +## </param> +# +interface(`mta_system_content',` + gen_require(` + attribute mailcontent_type; + ') + + typeattribute $1 mailcontent_type; +') + +######################################## +## <summary> +## Modified mailserver interface for +## sendmail daemon use. +## </summary> +## <desc> +## <p> +## A modified MTA mail server interface for +## the sendmail program. It's design does +## not fit well with policy, and using the +## regular interface causes a type_transition +## conflict if direct running of init scripts +## is enabled. +## </p> +## <p> +## This interface should most likely only be used +## by the sendmail policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## The type to be used for the mail server. +## </summary> +## </param> +# +interface(`mta_sendmail_mailserver',` + gen_require(` + attribute mailserver_domain; + type sendmail_exec_t; + ') + + init_system_domain($1, sendmail_exec_t) + typeattribute $1 mailserver_domain; +') + +####################################### +## <summary> +## Make a type a mailserver type used +## for sending mail. 
+## </summary> +## <param name="domain"> +## <summary> +## Mail server domain type used for sending mail. +## </summary> +## </param> +# +interface(`mta_mailserver_sender',` + gen_require(` + attribute mailserver_sender; + ') + + typeattribute $1 mailserver_sender; +') + +####################################### +## <summary> +## Make a type a mailserver type used +## for delivering mail to local users. +## </summary> +## <param name="domain"> +## <summary> +## Mail server domain type used for delivering mail. +## </summary> +## </param> +# +interface(`mta_mailserver_delivery',` + gen_require(` + attribute mailserver_delivery; + ') + + typeattribute $1 mailserver_delivery; +') + +####################################### +## <summary> +## Make a type a mailserver type used +## for sending mail on behalf of local +## users to the local mail spool. +## </summary> +## <param name="domain"> +## <summary> +## Mail server domain type used for sending local mail. +## </summary> +## </param> +# +interface(`mta_mailserver_user_agent',` + gen_require(` + attribute mta_user_agent; + ') + + typeattribute $1 mta_user_agent; +') + +######################################## +## <summary> +## Send mail from the system. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`mta_send_mail',` + gen_require(` + attribute mta_user_agent, mta_exec_type; + type system_mail_t; + ') + + allow $1 mta_exec_type:lnk_file read_lnk_file_perms; + corecmd_read_bin_symlinks($1) + domtrans_pattern($1, mta_exec_type, system_mail_t) + + allow mta_user_agent $1:fd use; + allow mta_user_agent $1:process sigchld; + allow mta_user_agent $1:fifo_file rw_fifo_file_perms; + + ifdef(`hide_broken_symptoms',` + dontaudit system_mail_t $1:socket_class_set { read write }; + ') +') + +######################################## +## <summary> +## Execute send mail in a specified domain. 
+## </summary> +## <desc> +## <p> +## Execute send mail in a specified domain. +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## </desc> +## <param name="source_domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## Domain to transition to. +## </summary> +## </param> +# +interface(`mta_sendmail_domtrans',` + gen_require(` + attribute mta_exec_type; + ') + + files_search_usr($1) + allow $1 mta_exec_type:lnk_file read_lnk_file_perms; + corecmd_read_bin_symlinks($1) + + allow $2 mta_exec_type:file entrypoint; + domtrans_pattern($1, mta_exec_type, $2) +') + +######################################## +## <summary> +## Send system mail client a signal +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mta_signal_system_mail',` + gen_require(` + type system_mail_t; + ') + + allow $1 system_mail_t:process signal; +') + +######################################## +## <summary> +## Send system mail client a kill signal +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mta_kill_system_mail',` + gen_require(` + type system_mail_t; + ') + + allow $1 system_mail_t:process sigkill; +') + +######################################## +## <summary> +## Execute sendmail in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mta_sendmail_exec',` + gen_require(` + type sendmail_exec_t; + ') + + can_exec($1, sendmail_exec_t) +') + +######################################## +## <summary> +## Read mail server configuration. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`mta_read_config',` + gen_require(` + type etc_mail_t; + ') + + files_search_etc($1) + allow $1 etc_mail_t:dir list_dir_perms; + read_files_pattern($1, etc_mail_t, etc_mail_t) + read_lnk_files_pattern($1, etc_mail_t, etc_mail_t) +') + +######################################## +## <summary> +## write mail server configuration. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mta_write_config',` + gen_require(` + type etc_mail_t; + ') + + manage_files_pattern($1, etc_mail_t, etc_mail_t) + allow $1 etc_mail_t:file setattr_file_perms; +') + +######################################## +## <summary> +## Read mail address aliases. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mta_read_aliases',` + gen_require(` + type etc_aliases_t; + ') + + files_search_etc($1) + allow $1 etc_aliases_t:file read_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete mail address aliases. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mta_manage_aliases',` + gen_require(` + type etc_aliases_t; + ') + + files_search_etc($1) + manage_files_pattern($1, etc_aliases_t, etc_aliases_t) + manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t) +') + +######################################## +## <summary> +## Type transition files created in /etc +## to the mail address aliases type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mta_etc_filetrans_aliases',` + gen_require(` + type etc_aliases_t; + ') + + files_etc_filetrans($1, etc_aliases_t, file) +') + +######################################## +## <summary> +## Read and write mail aliases. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mta_rw_aliases',` + gen_require(` + type etc_aliases_t; + ') + + files_search_etc($1) + allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms }; +') + +####################################### +## <summary> +## Do not audit attempts to read and write TCP +## sockets of mail delivery domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`mta_dontaudit_rw_delivery_tcp_sockets',` + gen_require(` + attribute mailserver_delivery; + ') + + dontaudit $1 mailserver_delivery:tcp_socket { read write }; +') + +####################################### +## <summary> +## Connect to all mail servers over TCP. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mta_tcp_connect_all_mailservers',` + refpolicywarn(`$0($*) has been deprecated.') +') + +####################################### +## <summary> +## Do not audit attempts to read a symlink +## in the mail spool. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`mta_dontaudit_read_spool_symlinks',` + gen_require(` + type mail_spool_t; + ') + + dontaudit $1 mail_spool_t:lnk_file read; +') + +######################################## +## <summary> +## Get the attributes of mail spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`mta_getattr_spool',` + gen_require(` + type mail_spool_t; + ') + + files_search_spool($1) + allow $1 mail_spool_t:dir list_dir_perms; + getattr_files_pattern($1, mail_spool_t, mail_spool_t) + read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of mail spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`mta_dontaudit_getattr_spool_files',` + gen_require(` + type mail_spool_t; + ') + + files_dontaudit_search_spool($1) + dontaudit $1 mail_spool_t:dir search_dir_perms; + dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms; + dontaudit $1 mail_spool_t:file getattr_file_perms; +') + +####################################### +## <summary> +## Create private objects in the +## mail spool directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="private type"> +## <summary> +## The type of the object to be created. +## </summary> +## </param> +## <param name="object"> +## <summary> +## The object class of the object being created. +## </summary> +## </param> +# +interface(`mta_spool_filetrans',` + gen_require(` + type mail_spool_t; + ') + + files_search_spool($1) + filetrans_pattern($1, mail_spool_t, $2, $3) +') + +######################################## +## <summary> +## Read and write the mail spool. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`mta_rw_spool',` + gen_require(` + type mail_spool_t; + ') + + files_search_spool($1) + allow $1 mail_spool_t:dir list_dir_perms; + allow $1 mail_spool_t:file setattr_file_perms; + manage_files_pattern($1, mail_spool_t, mail_spool_t) + read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) +') + +####################################### +## <summary> +## Create, read, and write the mail spool. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mta_append_spool',` + gen_require(` + type mail_spool_t; + ') + + files_search_spool($1) + allow $1 mail_spool_t:dir list_dir_perms; + create_files_pattern($1, mail_spool_t, mail_spool_t) + write_files_pattern($1, mail_spool_t, mail_spool_t) + read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) +') + +####################################### +## <summary> +## Delete from the mail spool. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mta_delete_spool',` + gen_require(` + type mail_spool_t; + ') + + files_search_spool($1) + delete_files_pattern($1, mail_spool_t, mail_spool_t) +') + +######################################## +## <summary> +## Create, read, write, and delete mail spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mta_manage_spool',` + gen_require(` + type mail_spool_t; + ') + + files_search_spool($1) + manage_dirs_pattern($1, mail_spool_t, mail_spool_t) + manage_files_pattern($1, mail_spool_t, mail_spool_t) + manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) +') + +######################################## +## <summary> +## Search mail queue dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`mta_search_queue',` + gen_require(` + type mqueue_spool_t; + ') + + files_search_spool($1) + allow $1 mqueue_spool_t:dir search_dir_perms; +') + +####################################### +## <summary> +## List the mail queue. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mta_list_queue',` + gen_require(` + type mqueue_spool_t; + ') + + allow $1 mqueue_spool_t:dir list_dir_perms; + files_search_spool($1) +') + +####################################### +## <summary> +## Read the mail queue. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mta_read_queue',` + gen_require(` + type mqueue_spool_t; + ') + + read_files_pattern($1, mqueue_spool_t, mqueue_spool_t) + files_search_spool($1) +') + +####################################### +## <summary> +## Do not audit attempts to read and +## write the mail queue. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`mta_dontaudit_rw_queue',` + gen_require(` + type mqueue_spool_t; + ') + + dontaudit $1 mqueue_spool_t:dir search_dir_perms; + dontaudit $1 mqueue_spool_t:file rw_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete +## mail queue files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mta_manage_queue',` + gen_require(` + type mqueue_spool_t; + ') + + files_search_spool($1) + manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t) + manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t) +') + +####################################### +## <summary> +## Read sendmail binary. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +# cjp: added for postfix +interface(`mta_read_sendmail_bin',` + gen_require(` + type sendmail_exec_t; + ') + + allow $1 sendmail_exec_t:file read_file_perms; +') + +####################################### +## <summary> +## Read and write unix domain stream sockets +## of user mail domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mta_rw_user_mail_stream_sockets',` + gen_require(` + attribute user_mail_domain; + ') + + allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; +') + +######################################## +## <summary> +## Type transition files created in calling dir +## to the mail address aliases type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## Directory to transition on. +## </summary> +## </param> +# +interface(`mta_filetrans_aliases',` + gen_require(` + type etc_aliases_t; + ') + + filetrans_pattern($1, $2, etc_aliases_t, file) +') + +###################################### +## <summary> +## ALlow domain to read mail content in the homedir +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mta_read_home',` + gen_require(` + type mail_home_t; + ') + + userdom_search_user_home_dirs($1) + read_files_pattern($1, mail_home_t, mail_home_t) + + ifdef(`distro_redhat',` + userdom_search_admin_dir($1) + ') +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te new file mode 100644 index 0000000..36e64e9 --- /dev/null +++ b/policy/modules/services/mta.te 
@@ -0,0 +1,334 @@ +policy_module(mta, 2.3.0) + +######################################## +# +# Declarations +# + +attribute mailcontent_type; +attribute mta_exec_type; +attribute mta_user_agent; +attribute mailserver_delivery; +attribute mailserver_domain; +attribute mailserver_sender; + +attribute user_mail_domain; + +type etc_aliases_t; +files_type(etc_aliases_t) + +type etc_mail_t; +files_config_file(etc_mail_t) + +type mail_home_t alias mail_forward_t; +userdom_user_home_content(mail_home_t) + +type mqueue_spool_t; +files_mountpoint(mqueue_spool_t) + +type mail_spool_t; +files_mountpoint(mail_spool_t) + +type sendmail_exec_t; +mta_agent_executable(sendmail_exec_t) + +mta_base_mail_template(system) +role system_r types system_mail_t; + +mta_base_mail_template(user) +typealias user_mail_t alias { staff_mail_t sysadm_mail_t }; +typealias user_mail_t alias { auditadm_mail_t secadm_mail_t }; +typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t }; +typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t }; +ubac_constrained(user_mail_t) +ubac_constrained(user_mail_tmp_t) + +######################################## +# +# System mail local policy +# + +# newalias required this, not sure if it is needed in 'if' file +allow system_mail_t self:capability { dac_override fowner }; + +read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) + +dev_read_sysfs(system_mail_t) +dev_read_rand(system_mail_t) +dev_read_urand(system_mail_t) + +files_read_usr_files(system_mail_t) + +fs_rw_anon_inodefs_files(system_mail_t) + +selinux_getattr_fs(system_mail_t) + +term_dontaudit_use_unallocated_ttys(system_mail_t) + +init_use_script_ptys(system_mail_t) + +userdom_use_user_terminals(system_mail_t) +userdom_dontaudit_search_user_home_dirs(system_mail_t) +userdom_dontaudit_list_admin_dir(system_mail_t) + +logging_append_all_logs(system_mail_t) + +optional_policy(` + apache_read_squirrelmail_data(system_mail_t) + 
apache_append_squirrelmail_data(system_mail_t) + + # apache should set close-on-exec + apache_dontaudit_append_log(system_mail_t) + apache_dontaudit_rw_stream_sockets(system_mail_t) + apache_dontaudit_rw_tcp_sockets(system_mail_t) + apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) + apache_dontaudit_write_tmp_files(system_mail_t) + + # apache should set close-on-exec + apache_dontaudit_rw_stream_sockets(mta_user_agent) + apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent) + apache_append_log(mta_user_agent) +') + +optional_policy(` + arpwatch_manage_tmp_files(system_mail_t) + + ifdef(`hide_broken_symptoms',` + arpwatch_dontaudit_rw_packet_sockets(system_mail_t) + ') +') + +optional_policy(` + bugzilla_search_dirs(system_mail_t) + bugzilla_dontaudit_rw_script_stream_sockets(system_mail_t) +') + +optional_policy(` + clamav_stream_connect(system_mail_t) + clamav_append_log(system_mail_t) +') + +optional_policy(` + cron_read_system_job_tmp_files(system_mail_t) + cron_dontaudit_write_pipes(system_mail_t) + cron_rw_system_job_stream_sockets(system_mail_t) + cron_rw_inherited_spool_files(system_mail_t) + cron_rw_inherited_user_spool_files(system_mail_t) +') + +optional_policy(` + courier_manage_spool_dirs(system_mail_t) + courier_manage_spool_files(system_mail_t) + courier_rw_spool_pipes(system_mail_t) +') + +optional_policy(` + cvs_read_data(system_mail_t) +') + +optional_policy(` + fail2ban_append_log(system_mail_t) + fail2ban_dontaudit_leaks(system_mail_t) +') + +optional_policy(` + logrotate_read_tmp_files(system_mail_t) +') + +optional_policy(` + logwatch_read_tmp_files(system_mail_t) +') + +optional_policy(` + # newaliases runs as system_mail_t when the sendmail initscript does a restart + milter_getattr_all_sockets(system_mail_t) +') + +optional_policy(` + munin_dontaudit_leaks(system_mail_t) +') + +optional_policy(` + nagios_read_tmp_files(system_mail_t) +') + +optional_policy(` + manage_dirs_pattern(system_mail_t, etc_aliases_t, 
etc_aliases_t) + manage_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) + manage_lnk_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) + manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) + manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) + files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) + + domain_use_interactive_fds(system_mail_t) +') + +optional_policy(` + qmail_domtrans_inject(system_mail_t) +') + +optional_policy(` + sxid_read_log(system_mail_t) +') + +optional_policy(` + userdom_dontaudit_use_user_ptys(system_mail_t) + + optional_policy(` + cron_dontaudit_append_system_job_tmp_files(system_mail_t) + ') +') + +optional_policy(` + spamd_stream_connect(system_mail_t) +') + +optional_policy(` + smartmon_read_tmp_files(system_mail_t) +') + +# should break this up among sections: + +optional_policy(` + # why is mail delivered to a directory of type arpwatch_data_t? + arpwatch_search_data(mailserver_delivery) + arpwatch_manage_tmp_files(mta_user_agent) + + ifdef(`hide_broken_symptoms',` + arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) + ') + + optional_policy(` + cron_read_system_job_tmp_files(mta_user_agent) + ') +') + +######################################## +# +# Mailserver delivery local policy +# + +allow mailserver_delivery mail_spool_t:dir list_dir_perms; +create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) + +userdom_search_admin_dir(mailserver_delivery) +read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t) + +read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) + +tunable_policy(`use_samba_home_dirs',` + 
fs_manage_cifs_dirs(mailserver_delivery) + fs_manage_cifs_files(mailserver_delivery) + fs_manage_cifs_symlinks(mailserver_delivery) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(mailserver_delivery) + fs_manage_nfs_files(mailserver_delivery) + fs_manage_nfs_symlinks(mailserver_delivery) +') + +optional_policy(` + dovecot_manage_spool(mailserver_delivery) + dovecot_domtrans_deliver(mailserver_delivery) +') + +optional_policy(` + # so MTA can access /var/lib/mailman/mail/wrapper + files_search_var_lib(mailserver_delivery) + + mailman_domtrans(mailserver_delivery) + mailman_read_data_symlinks(mailserver_delivery) +') + +optional_policy(` + uucp_domtrans_uux(mailserver_delivery) +') + +######################################## +# +# User send mail local policy +# + + +domain_use_interactive_fds(user_mail_t) + +userdom_use_user_terminals(user_mail_t) +# Write to the user domain tty. cjp: why? +userdom_use_user_terminals(mta_user_agent) +# Create dead.letter in user home directories. +userdom_manage_user_home_content_files(user_mail_t) +userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file) +# for reading .forward - maybe we need a new type for it? +# also for delivering mail to maildir +userdom_manage_user_home_content_dirs(mailserver_delivery) +userdom_manage_user_home_content_files(mailserver_delivery) +userdom_manage_user_home_content_symlinks(mailserver_delivery) +userdom_manage_user_home_content_pipes(mailserver_delivery) +userdom_manage_user_home_content_sockets(mailserver_delivery) +userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file }) +# Read user temporary files. 
+userdom_read_user_tmp_files(user_mail_t) +userdom_dontaudit_append_user_tmp_files(user_mail_t) +# cjp: this should probably be read all user tmp +# files in an appropriate place for mta_user_agent +userdom_read_user_tmp_files(mta_user_agent) + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files(user_mail_t) + fs_manage_cifs_symlinks(user_mail_t) +') + +optional_policy(` + allow user_mail_t self:capability dac_override; + + # Read user temporary files. + # postfix seems to need write access if the file handle is opened read/write + userdom_rw_user_tmp_files(user_mail_t) + + postfix_read_config(user_mail_t) + postfix_list_spool(user_mail_t) +') + +######################################## +# +# Comman user_mail_domain policy +# + +allow user_mail_domain self:fifo_file rw_fifo_file_perms; +allow user_mail_domain mta_exec_type:file entrypoint; + +read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t) + +can_exec(user_mail_domain, mta_exec_type) + +allow system_mail_t user_mail_domain:file read_file_perms; + +read_files_pattern(user_mail_domain, etc_mail_t, etc_mail_t) + +kernel_read_system_state(user_mail_domain) +kernel_read_network_state(user_mail_domain) +kernel_request_load_module(user_mail_domain) + +optional_policy(` + # postfix needs this for newaliases + files_getattr_tmp_dirs(user_mail_domain) + + postfix_exec_master(user_mail_domain) + postfix_read_config(user_mail_domain) + postfix_search_spool(user_mail_domain) + + ifdef(`distro_redhat',` + # compatability for old default main.cf + postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) + ') +') + +optional_policy(` + exim_domtrans(user_mail_domain) + exim_manage_log(user_mail_domain) +') diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc new file mode 100644 index 0000000..bad9920 --- /dev/null +++ b/policy/modules/services/munin.fc 
@@ -0,0 +1,70 @@ +/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) +/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0) + +/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) +/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) +/usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) +/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:munin_exec_t,s0) + +# disk plugins +/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/df.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) + +# mail plugins +/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) + +# services plugins +/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/fail2ban -- 
gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/named -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/nut.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/samba -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) + +# system plugins +/usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/forks -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/if_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) 
+/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) + +/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) +/var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0) +/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) +/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) +/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) +/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if new file mode 100644 index 0000000..92c9dca --- /dev/null 
+++ b/policy/modules/services/munin.if 
@@ -0,0 +1,210 @@ +## <summary>Munin network-wide load graphing (formerly LRRD)</summary> + +######################################## +## <summary> +## Create a set of derived types for various +## munin plugins, +## </summary> +## <param name="prefix"> +## <summary> +## The name to be used for deriving type names. +## </summary> +## </param> +# +template(`munin_plugin_template',` + gen_require(` + type munin_t; + attribute munin_plugin_domain; + ') + + type $1_munin_plugin_t, munin_plugin_domain; + type $1_munin_plugin_exec_t; + typealias $1_munin_plugin_t alias munin_$1_plugin_t; + typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t; + application_domain($1_munin_plugin_t, $1_munin_plugin_exec_t) + role system_r types $1_munin_plugin_t; + + type $1_munin_plugin_tmp_t; + typealias $1_munin_plugin_tmp_t alias munin_$1_plugin_tmp_t; + files_tmp_file($1_munin_plugin_tmp_t) + + allow $1_munin_plugin_t self:fifo_file rw_fifo_file_perms; + + manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t) + manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t) + files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file }) + + # automatic transition rules from munin domain + # to specific munin plugin domain + domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t) + allow munin_t $1_munin_plugin_t:process signal; +') + +######################################## +## <summary> +## Connect to munin over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`munin_stream_connect',` + gen_require(` + type munin_var_run_t, munin_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t) +') + +####################################### +## <summary> +## Read munin configuration files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`munin_read_config',` + gen_require(` + type munin_etc_t; + ') + + allow $1 munin_etc_t:dir list_dir_perms; + allow $1 munin_etc_t:file read_file_perms; + allow $1 munin_etc_t:lnk_file read_lnk_file_perms; + files_search_etc($1) +') + +###################################### +## <summary> +## dontaudit read and write an leaked file descriptors +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`munin_dontaudit_leaks',` + gen_require(` + type munin_t; + ') + + dontaudit $1 munin_t:tcp_socket { read write }; +') + +####################################### +## <summary> +## Append to the munin log. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`munin_append_log',` + gen_require(` + type munin_log_t; + ') + + logging_search_logs($1) + allow $1 munin_log_t:dir list_dir_perms; + append_files_pattern($1, munin_log_t, munin_log_t) +') + +####################################### +## <summary> +## Search munin library directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`munin_search_lib',` + gen_require(` + type munin_var_lib_t; + ') + + allow $1 munin_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +####################################### +## <summary> +## Do not audit attempts to search +## munin library directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`munin_dontaudit_search_lib',` + gen_require(` + type munin_var_lib_t; + ') + + dontaudit $1 munin_var_lib_t:dir search_dir_perms; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an munin environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the munin domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`munin_admin',` + gen_require(` + type munin_t, munin_etc_t, munin_tmp_t; + type munin_log_t, munin_var_lib_t, munin_var_run_t; + type httpd_munin_content_t, munin_initrc_exec_t; + ') + + allow $1 munin_t:process { ptrace signal_perms }; + ps_process_pattern($1, munin_t) + + init_labeled_script_domtrans($1, munin_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 munin_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, munin_tmp_t) + + logging_list_logs($1) + admin_pattern($1, munin_log_t) + + files_list_etc($1) + admin_pattern($1, munin_etc_t) + + files_list_var_lib($1) + admin_pattern($1, munin_var_lib_t) + + files_list_pids($1) + admin_pattern($1, munin_var_run_t) + + admin_pattern($1, httpd_munin_content_t) +') diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te new file mode 100644 index 0000000..6f8b0fd --- /dev/null +++ b/policy/modules/services/munin.te 
@@ -0,0 +1,345 @@ +policy_module(munin, 1.8.0) + +######################################## +# +# Declarations +# + +attribute munin_plugin_domain; + +type munin_t alias lrrd_t; +type munin_exec_t alias lrrd_exec_t; +init_daemon_domain(munin_t, munin_exec_t) + +type munin_etc_t alias lrrd_etc_t; +files_config_file(munin_etc_t) + +type munin_initrc_exec_t; +init_script_file(munin_initrc_exec_t) + +type munin_log_t alias lrrd_log_t; +logging_log_file(munin_log_t) + +type munin_tmp_t alias lrrd_tmp_t; +files_tmp_file(munin_tmp_t) + +type munin_var_lib_t alias lrrd_var_lib_t; +files_type(munin_var_lib_t) + +type munin_plugin_state_t; +files_type(munin_plugin_state_t) + +type munin_var_run_t alias lrrd_var_run_t; +files_pid_file(munin_var_run_t) + +munin_plugin_template(disk) + +munin_plugin_template(mail) + +munin_plugin_template(services) + +munin_plugin_template(system) + +######################################## +# +# Local policy +# + +allow munin_t self:capability { chown dac_override setgid setuid sys_rawio }; +dontaudit munin_t self:capability sys_tty_config; +allow munin_t self:process { getsched setsched signal_perms }; +allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow munin_t self:unix_dgram_socket { create_socket_perms sendto }; +allow munin_t self:tcp_socket create_stream_socket_perms; +allow munin_t self:udp_socket create_socket_perms; +allow munin_t self:fifo_file manage_fifo_file_perms; + +allow munin_t munin_etc_t:dir list_dir_perms; +read_files_pattern(munin_t, munin_etc_t, munin_etc_t) +read_lnk_files_pattern(munin_t, munin_etc_t, munin_etc_t) +files_search_etc(munin_t) + +can_exec(munin_t, munin_exec_t) + +manage_dirs_pattern(munin_t, munin_log_t, munin_log_t) +manage_files_pattern(munin_t, munin_log_t, munin_log_t) +logging_log_filetrans(munin_t, munin_log_t, { file dir }) + +manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t) +manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t) 
+manage_sock_files_pattern(munin_t, munin_tmp_t, munin_tmp_t) +files_tmp_filetrans(munin_t, munin_tmp_t, { file dir sock_file }) + +# Allow access to the munin databases +manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) +manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) +manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) +files_search_var_lib(munin_t) + +manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t) +manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) +manage_sock_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) +files_pid_filetrans(munin_t, munin_var_run_t, { file dir }) + +read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t) + +kernel_read_system_state(munin_t) +kernel_read_network_state(munin_t) +kernel_read_all_sysctls(munin_t) + +corecmd_exec_bin(munin_t) +corecmd_exec_shell(munin_t) + +corenet_all_recvfrom_unlabeled(munin_t) +corenet_all_recvfrom_netlabel(munin_t) +corenet_tcp_sendrecv_generic_if(munin_t) +corenet_udp_sendrecv_generic_if(munin_t) +corenet_tcp_sendrecv_generic_node(munin_t) +corenet_udp_sendrecv_generic_node(munin_t) +corenet_tcp_sendrecv_all_ports(munin_t) +corenet_udp_sendrecv_all_ports(munin_t) +corenet_tcp_bind_generic_node(munin_t) +corenet_tcp_bind_munin_port(munin_t) +corenet_tcp_connect_munin_port(munin_t) +corenet_tcp_connect_http_port(munin_t) + +dev_read_sysfs(munin_t) +dev_read_urand(munin_t) + +domain_use_interactive_fds(munin_t) +domain_read_all_domains_state(munin_t) + +files_read_etc_files(munin_t) +files_read_etc_runtime_files(munin_t) +files_read_usr_files(munin_t) +files_list_spool(munin_t) + +fs_getattr_all_fs(munin_t) +fs_search_auto_mountpoints(munin_t) + +auth_use_nsswitch(munin_t) + +logging_send_syslog_msg(munin_t) +logging_read_all_logs(munin_t) + +miscfiles_read_fonts(munin_t) +miscfiles_read_localization(munin_t) +miscfiles_setattr_fonts_cache_dirs(munin_t) + +sysnet_exec_ifconfig(munin_t) + 
+userdom_dontaudit_use_unpriv_user_fds(munin_t) +userdom_dontaudit_search_user_home_dirs(munin_t) + +optional_policy(` + apache_content_template(munin) + + manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) + manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) + apache_search_sys_content(munin_t) +') + +optional_policy(` + cron_system_entry(munin_t, munin_exec_t) +') + +optional_policy(` + fstools_domtrans(munin_t) +') + +optional_policy(` + lpd_domtrans_lpr(munin_t) +') + +optional_policy(` + mta_read_config(munin_t) + mta_send_mail(munin_t) + mta_list_queue(munin_t) + mta_read_queue(munin_t) +') + +optional_policy(` + mysql_read_config(munin_t) + mysql_stream_connect(munin_t) +') + +optional_policy(` + netutils_domtrans_ping(munin_t) +') + +optional_policy(` + postfix_list_spool(munin_t) + postfix_getattr_spool_files(munin_t) +') + +optional_policy(` + rpc_search_nfs_state_data(munin_t) +') + +optional_policy(` + sendmail_read_log(munin_t) +') + +optional_policy(` + seutil_sigchld_newrole(munin_t) +') + +optional_policy(` + udev_read_db(munin_t) +') + +################################### +# +# local policy for disk plugins +# + +allow munin_disk_plugin_t self:capability { sys_admin sys_rawio }; +allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; + +rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) + +corecmd_exec_shell(disk_munin_plugin_t) + +corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) + +files_read_etc_runtime_files(disk_munin_plugin_t) + +dev_getattr_lvm_control(disk_munin_plugin_t) +dev_read_sysfs(disk_munin_plugin_t) +dev_read_urand(disk_munin_plugin_t) + +storage_raw_read_fixed_disk(disk_munin_plugin_t) + +sysnet_read_config(disk_munin_plugin_t) + +optional_policy(` + hddtemp_exec(disk_munin_plugin_t) +') + +optional_policy(` + fstools_exec(disk_munin_plugin_t) +') + +#################################### +# +# local policy for mail plugins +# + +allow 
mail_munin_plugin_t self:capability dac_override; + +rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) + +dev_read_urand(mail_munin_plugin_t) + +logging_read_generic_logs(mail_munin_plugin_t) + +mta_read_config(mail_munin_plugin_t) +mta_send_mail(mail_munin_plugin_t) +mta_list_queue(mail_munin_plugin_t) +mta_read_queue(mail_munin_plugin_t) + +optional_policy(` + postfix_read_config(mail_munin_plugin_t) + postfix_list_spool(mail_munin_plugin_t) + postfix_getattr_spool_files(mail_munin_plugin_t) +') + +optional_policy(` + sendmail_read_log(mail_munin_plugin_t) +') + +################################### +# +# local policy for service plugins +# + +allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; +allow services_munin_plugin_t self:udp_socket create_socket_perms; +allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; + +corenet_tcp_connect_all_ports(services_munin_plugin_t) +corenet_tcp_connect_http_port(services_munin_plugin_t) + +dev_read_urand(services_munin_plugin_t) +dev_read_rand(services_munin_plugin_t) + +sysnet_read_config(services_munin_plugin_t) + +optional_policy(` + cups_stream_connect(services_munin_plugin_t) +') + +optional_policy(` + lpd_exec_lpr(services_munin_plugin_t) +') + +optional_policy(` + mysql_read_config(services_munin_plugin_t) + mysql_stream_connect(services_munin_plugin_t) +') + +optional_policy(` + netutils_domtrans_ping(services_munin_plugin_t) +') + +optional_policy(` + postgresql_stream_connect(services_munin_plugin_t) +') + +optional_policy(` + snmp_read_snmp_var_lib_files(services_munin_plugin_t) +') + +optional_policy(` + varnishd_read_lib_files(services_munin_plugin_t) +') + +################################## +# +# local policy for system plugins +# + +allow system_munin_plugin_t self:udp_socket create_socket_perms; + +rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) + +kernel_read_network_state(system_munin_plugin_t) 
+kernel_read_all_sysctls(system_munin_plugin_t) + +dev_read_sysfs(system_munin_plugin_t) +dev_read_urand(system_munin_plugin_t) + +domain_read_all_domains_state(system_munin_plugin_t) + +# needed by users plugin +init_read_utmp(system_munin_plugin_t) + +sysnet_exec_ifconfig(system_munin_plugin_t) + +term_getattr_unallocated_ttys(system_munin_plugin_t) +term_getattr_all_ptys(system_munin_plugin_t) + +################################ +# +# local policy for munin plugin domains +# + +allow munin_plugin_domain munin_exec_t:file read_file_perms; +allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms; + +# creates plugin state files +manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t) + +read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t) + +kernel_read_system_state(munin_plugin_domain) + +corecmd_exec_bin(munin_plugin_domain) +corecmd_exec_shell(munin_plugin_domain) + +files_read_etc_files(munin_plugin_domain) +files_read_usr_files(munin_plugin_domain) + +fs_getattr_all_fs(munin_plugin_domain) + +miscfiles_read_localization(munin_plugin_domain) diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc new file mode 100644 index 0000000..cc7192c --- /dev/null +++ b/policy/modules/services/mysql.fc 
@@ -0,0 +1,30 @@ +# mysql database server + +# +# /etc +# +/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) +/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0) +/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0) + +# +# /usr +# +/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) + +/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0) + +/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) +/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) + +# +# /var +# +/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) +/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0) + +/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) + +/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0) +/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if new file mode 100644 index 0000000..4d3b208 --- /dev/null +++ b/policy/modules/services/mysql.if 
@@ -0,0 +1,359 @@ +## <summary>Policy for MySQL</summary> + +###################################### +## <summary> +## Execute MySQL in the mysql domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`mysql_domtrans',` + gen_require(` + type mysqld_t, mysqld_exec_t; + ') + + domtrans_pattern($1, mysqld_exec_t, mysqld_t) +') + +######################################## +## <summary> +## Send a generic signal to MySQL. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mysql_signal',` + gen_require(` + type mysqld_t; + ') + + allow $1 mysqld_t:process signal; +') + +######################################## +## <summary> +## Allow the specified domain to connect to postgresql with a tcp socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mysql_tcp_connect',` + gen_require(` + type mysqld_t; + ') + + corenet_tcp_recvfrom_labeled($1, mysqld_t) + corenet_tcp_sendrecv_mysqld_port($1) + corenet_tcp_connect_mysqld_port($1) + corenet_sendrecv_mysqld_client_packets($1) +') + +######################################## +## <summary> +## Connect to MySQL using a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mysql_stream_connect',` + gen_require(` + type mysqld_t, mysqld_var_run_t, mysqld_db_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t) + stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) +') + +######################################## +## <summary> +## Read MySQL configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`mysql_read_config',` + gen_require(` + type mysqld_etc_t; + ') + + allow $1 mysqld_etc_t:dir list_dir_perms; + allow $1 mysqld_etc_t:file read_file_perms; + allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Search the directories that contain MySQL +## database storage. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: "_dir" in the name is added to clarify that this +# is not searching the database itself. +interface(`mysql_search_db',` + gen_require(` + type mysqld_db_t; + ') + + files_search_var_lib($1) + allow $1 mysqld_db_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Read and write to the MySQL database directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mysql_rw_db_dirs',` + gen_require(` + type mysqld_db_t; + ') + + files_search_var_lib($1) + allow $1 mysqld_db_t:dir rw_dir_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete MySQL database directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mysql_manage_db_dirs',` + gen_require(` + type mysqld_db_t; + ') + + files_search_var_lib($1) + allow $1 mysqld_db_t:dir manage_dir_perms; +') + +####################################### +## <summary> +## Append to the MySQL database directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`mysql_append_db_files',` + gen_require(` + type mysqld_db_t; + ') + + files_search_var_lib($1) + append_files_pattern($1, mysqld_db_t, mysqld_db_t) +') + +####################################### +## <summary> +## Read and write to the MySQL database directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mysql_rw_db_files',` + gen_require(` + type mysqld_db_t; + ') + + files_search_var_lib($1) + rw_files_pattern($1, mysqld_db_t, mysqld_db_t) +') + +####################################### +## <summary> +## Create, read, write, and delete MySQL database files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mysql_manage_db_files',` + gen_require(` + type mysqld_db_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, mysqld_db_t, mysqld_db_t) +') + +######################################## +## <summary> +## Read and write to the MySQL database +## named socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mysql_rw_db_sockets',` + gen_require(` + type mysqld_db_t; + ') + + files_search_var_lib($1) + allow $1 mysqld_db_t:dir search_dir_perms; + allow $1 mysqld_db_t:sock_file rw_sock_file_perms; +') + +######################################## +## <summary> +## Write to the MySQL log. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mysql_write_log',` + gen_require(` + type mysqld_log_t; + ') + + logging_search_logs($1) + allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms }; +') + +###################################### +## <summary> +## Execute MySQL server in the mysql domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`mysql_domtrans_mysql_safe',` + gen_require(` + type mysqld_safe_t, mysqld_safe_exec_t; + ') + + domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t) +') + +##################################### +## <summary> +## Read MySQL PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mysql_read_pid_files',` + gen_require(` + type mysqld_var_run_t; + ') + + mysql_search_pid_files($1) + read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t) +') + +##################################### +## <summary> +## Search MySQL PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## +# +interface(`mysql_search_pid_files',` + gen_require(` + type mysqld_var_run_t; + ') + + search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) +') + +######################################## +## <summary> +## All of the rules required to administrate an mysql environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the mysql domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`mysql_admin',` + gen_require(` + type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t; + type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; + type mysqld_etc_t; + ') + + allow $1 mysqld_t:process { ptrace signal_perms }; + ps_process_pattern($1, mysqld_t) + + init_labeled_script_domtrans($1, mysqld_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 mysqld_initrc_exec_t system_r; + allow $2 system_r; + + files_list_pids($1) + admin_pattern($1, mysqld_var_run_t) + + admin_pattern($1, mysqld_db_t) + + files_list_etc($1) + admin_pattern($1, mysqld_etc_t) + + logging_list_logs($1) + admin_pattern($1, mysqld_log_t) + + files_list_tmp($1) + admin_pattern($1, mysqld_tmp_t) +') diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te new file mode 100644 index 0000000..086df22 --- /dev/null +++ b/policy/modules/services/mysql.te 
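Review bot: mysql_stream_connect grants stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) for the socket under /var/lib/mysql but only calls files_search_pids($1); add files_search_var_lib($1) as the other db interfaces do, or callers cannot traverse /var/lib to reach that socket. Likewise mysql_search_pid_files (and therefore mysql_read_pid_files) never calls files_search_pids($1), so a caller with no other /var/run access is denied before it reaches mysqld_var_run_t. Documentation nits in the same hunk: the mysql_tcp_connect summary says "connect to postgresql"; mysql_domtrans_mysql_safe says "Execute MySQL server in the mysql domain" although it transitions to mysqld_safe_t; mysql_append_db_files and mysql_rw_db_files both describe the "database directory" although they act on files (and the latter duplicates the mysql_rw_db_dirs summary); and the "cjp: "_dir" in the name" comment above mysql_search_db no longer matches the interface name. Finally, mysql_admin only requires the mysqld_* types: mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_initrc_exec_t and mysqlmanagerd_var_run_t declared in mysql.te are not covered, so the admin role can manage mysqld but not the manager daemon.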
@@ -0,0 +1,242 @@ +policy_module(mysql, 1.12.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow mysqld to connect to all ports +## </p> +## </desc> +gen_tunable(mysql_connect_any, false) + +type mysqld_t; +type mysqld_exec_t; +init_daemon_domain(mysqld_t, mysqld_exec_t) + +type mysqld_safe_t; +type mysqld_safe_exec_t; +init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t) + +type mysqld_var_run_t; +files_pid_file(mysqld_var_run_t) + +type mysqld_db_t; +files_type(mysqld_db_t) + +type mysqld_etc_t alias etc_mysqld_t; +files_config_file(mysqld_etc_t) + +type mysqld_initrc_exec_t; +init_script_file(mysqld_initrc_exec_t) + +type mysqld_log_t; +logging_log_file(mysqld_log_t) + +type mysqld_tmp_t; +files_tmp_file(mysqld_tmp_t) + +type mysqlmanagerd_t; +type mysqlmanagerd_exec_t; +init_daemon_domain(mysqlmanagerd_t, mysqlmanagerd_exec_t) + +type mysqlmanagerd_initrc_exec_t; +init_script_file(mysqlmanagerd_initrc_exec_t) + +type mysqlmanagerd_var_run_t; +files_pid_file(mysqlmanagerd_var_run_t) + +######################################## +# +# Local policy +# + +allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service }; +dontaudit mysqld_t self:capability sys_tty_config; +allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; +allow mysqld_t self:fifo_file rw_fifo_file_perms; +allow mysqld_t self:shm create_shm_perms; +allow mysqld_t self:unix_stream_socket create_stream_socket_perms; +allow mysqld_t self:tcp_socket create_stream_socket_perms; +allow mysqld_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) +manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) +manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) +manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) +files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) + +allow mysqld_t mysqld_etc_t:file read_file_perms; 
+allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms; +allow mysqld_t mysqld_etc_t:dir list_dir_perms; + +allow mysqld_t mysqld_log_t:file manage_file_perms; +logging_log_filetrans(mysqld_t, mysqld_log_t, file) + +manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) +manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) +files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) + +manage_dirs_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) +manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) +manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) +files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) + +kernel_read_system_state(mysqld_t) +kernel_read_kernel_sysctls(mysqld_t) + +corenet_all_recvfrom_unlabeled(mysqld_t) +corenet_all_recvfrom_netlabel(mysqld_t) +corenet_tcp_sendrecv_generic_if(mysqld_t) +corenet_udp_sendrecv_generic_if(mysqld_t) +corenet_tcp_sendrecv_generic_node(mysqld_t) +corenet_udp_sendrecv_generic_node(mysqld_t) +corenet_tcp_sendrecv_all_ports(mysqld_t) +corenet_udp_sendrecv_all_ports(mysqld_t) +corenet_tcp_bind_generic_node(mysqld_t) +corenet_tcp_bind_mysqld_port(mysqld_t) +corenet_tcp_connect_mysqld_port(mysqld_t) +corenet_sendrecv_mysqld_client_packets(mysqld_t) +corenet_sendrecv_mysqld_server_packets(mysqld_t) + +dev_read_sysfs(mysqld_t) +dev_read_urand(mysqld_t) + +fs_getattr_all_fs(mysqld_t) +fs_search_auto_mountpoints(mysqld_t) +fs_rw_hugetlbfs_files(mysqld_t) + +domain_use_interactive_fds(mysqld_t) + +files_getattr_var_lib_dirs(mysqld_t) +files_read_etc_runtime_files(mysqld_t) +files_read_etc_files(mysqld_t) +files_read_usr_files(mysqld_t) +files_search_var_lib(mysqld_t) + +auth_use_nsswitch(mysqld_t) + +logging_send_syslog_msg(mysqld_t) + +miscfiles_read_localization(mysqld_t) + +sysnet_read_config(mysqld_t) + +userdom_dontaudit_use_unpriv_user_fds(mysqld_t) +# for /root/.my.cnf - should not be needed: +userdom_read_user_home_content_files(mysqld_t) + 
+ifdef(`distro_redhat',` + filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) +') + +tunable_policy(`mysql_connect_any',` + corenet_tcp_connect_all_ports(mysqld_t) + corenet_sendrecv_all_client_packets(mysqld_t) +') + +optional_policy(` + daemontools_service_domain(mysqld_t, mysqld_exec_t) +') + +optional_policy(` + seutil_sigchld_newrole(mysqld_t) +') + +optional_policy(` + udev_read_db(mysqld_t) +') + +####################################### +# +# Local mysqld_safe policy +# + +allow mysqld_safe_t self:capability { chown dac_override fowner kill }; +dontaudit mysqld_safe_t self:capability sys_ptrace; +allow mysqld_safe_t self:process { setsched getsched setrlimit }; +allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; + +read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) + +domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) + +allow mysqld_safe_t mysqld_log_t:file manage_file_perms; + +manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) +delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) + +kernel_read_system_state(mysqld_safe_t) +kernel_read_kernel_sysctls(mysqld_safe_t) + +corecmd_exec_bin(mysqld_safe_t) + +dev_list_sysfs(mysqld_safe_t) + +domain_read_all_domains_state(mysqld_safe_t) + +files_dontaudit_search_all_mountpoints(mysqld_safe_t) +files_read_etc_files(mysqld_safe_t) +files_read_usr_files(mysqld_safe_t) +files_dontaudit_getattr_all_dirs(mysqld_safe_t) + +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) + +hostname_exec(mysqld_safe_t) + +miscfiles_read_localization(mysqld_safe_t) + +mysql_manage_db_files(mysqld_safe_t) +mysql_read_config(mysqld_safe_t) +mysql_search_pid_files(mysqld_safe_t) +mysql_write_log(mysqld_safe_t) + +######################################## +# +# MySQL Manager Policy +# + +allow mysqlmanagerd_t self:capability { dac_override kill }; +allow mysqlmanagerd_t self:process signal; +allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; 
+allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; +allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; + +mysql_read_config(initrc_t) +mysql_read_config(mysqlmanagerd_t) +mysql_read_pid_files(mysqlmanagerd_t) +mysql_search_db(mysqlmanagerd_t) +mysql_signal(mysqlmanagerd_t) +mysql_stream_connect(mysqlmanagerd_t) + +domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) + +manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) + +kernel_read_system_state(mysqlmanagerd_t) + +corecmd_exec_shell(mysqlmanagerd_t) + +corenet_all_recvfrom_unlabeled(mysqlmanagerd_t) +corenet_all_recvfrom_netlabel(mysqlmanagerd_t) +corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t) +corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t) +corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t) +corenet_tcp_bind_generic_node(mysqlmanagerd_t) +corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t) +corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t) +corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t) +corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t) + +dev_read_urand(mysqlmanagerd_t) + +files_read_etc_files(mysqlmanagerd_t) +files_read_usr_files(mysqlmanagerd_t) + +miscfiles_read_localization(mysqlmanagerd_t) + +userdom_getattr_user_home_dirs(mysqlmanagerd_t) diff --git a/policy/modules/services/nagios.fc b/policy/modules/services/nagios.fc new file mode 100644 index 0000000..1fc9905 --- /dev/null +++ b/policy/modules/services/nagios.fc 
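Review bot: userdom_read_user_home_content_files(mysqld_t) lets a network-facing database server read every user's home content, and the comment above it already says it "should not be needed" for /root/.my.cnf; drop it or put it behind a tunable rather than shipping it unconditionally. In the manager section, mysql_read_config(initrc_t) grants access to a domain owned by the init module; the refpolicy convention is to place that call in an optional_policy block in init.te rather than reaching into initrc_t from here, and it is also misplaced under "MySQL Manager Policy". Two smaller points: mysqld_t is given net_bind_service although it only binds mysqld_port_t and the default MySQL port is above 1024, so the capability looks unnecessary unless a privileged port is expected; and the distro_redhat ifdef around filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) means that on other distributions /var/lib/mysql/mysql.sock is created as mysqld_db_t (via manage_sock_files_pattern), disagreeing with mysql.fc, which labels it mysqld_var_run_t unconditionally, and with mysql_stream_connect, which only writes mysqld_var_run_t sock_files. Make the filetrans unconditional or move the fc entry under the same ifdef.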
@@ -0,0 +1,88 @@ +/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) +/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) +/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) +/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) + +/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) +/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) + +/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) + +/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) +/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) + +/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0) + +/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) + +ifdef(`distro_debian',` +/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) +') +/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +/usr/lib(64)?/nagios/cgi-bin(/.*)? 
gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) + +# admin plugins +/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) + +# check disk plugins +/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) + +# mail plugins +/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) + +# system plugins +/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_nwstat -- 
gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + +# services plugins +/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_mysql -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + +# unconfined plugins +/usr/lib(64)?/nagios/plugins/check_by_ssh -- 
gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if new file mode 100644 index 0000000..89e1edf --- /dev/null +++ b/policy/modules/services/nagios.if 
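Review bot: /usr/s?bin/nagios already matches /usr/sbin/nagios, so the distro_debian block repeating "/usr/sbin/nagios -- nagios_exec_t" is redundant and can be removed. Under the "# system plugins" comment, check_breeze and check_dummy are labeled nagios_services_plugin_exec_t rather than nagios_system_plugin_exec_t; either move those two lines under "# services plugins" or correct the label so the grouping and the types agree, since the label, not the comment, decides which plugin domain they run in.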
@@ -0,0 +1,245 @@ +## <summary>Net Saint / NAGIOS - network monitoring server</summary> + +######################################## +## <summary> +## Create a set of derived types for various +## nagios plugins, +## </summary> +## <param name="plugins_group_name"> +## <summary> +## The name to be used for deriving type names. +## </summary> +## </param> +# +template(`nagios_plugin_template',` + gen_require(` + type nagios_t, nrpe_t, nagios_log_t; + ') + + type nagios_$1_plugin_t; + type nagios_$1_plugin_exec_t; + application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t) + role system_r types nagios_$1_plugin_t; + + allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms; + + domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) + allow nrpe_t nagios_$1_plugin_t:process { signal sigkill }; + + # needed by command.cfg + domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) + + allow nagios_t nagios_$1_plugin_t:process signal_perms; + + # cjp: leaked file descriptor + dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write }; + dontaudit nagios_$1_plugin_t nagios_log_t:file { read write }; + + miscfiles_read_localization(nagios_$1_plugin_t) +') + +######################################## +## <summary> +## Do not audit attempts to read or write nagios +## unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`nagios_dontaudit_rw_pipes',` + gen_require(` + type nagios_t; + ') + + dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## <summary> +## Allow the specified domain to read +## nagios configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`nagios_read_config',` + gen_require(` + type nagios_etc_t; + ') + + allow $1 nagios_etc_t:dir list_dir_perms; + allow $1 nagios_etc_t:file read_file_perms; + files_search_etc($1) +') + +###################################### +## <summary> +## Read nagios logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nagios_read_log',` + gen_require(` + type nagios_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, nagios_log_t, nagios_log_t) +') + +######################################## +## <summary> +## Do not audit attempts to read or write nagios logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`nagios_dontaudit_rw_log',` + gen_require(` + type nagios_log_t; + ') + + dontaudit $1 nagios_log_t:file rw_file_perms; +') + +######################################## +## <summary> +## Search nagios spool directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nagios_search_spool',` + gen_require(` + type nagios_spool_t; + ') + + allow $1 nagios_spool_t:dir search_dir_perms; + files_search_spool($1) +') + +######################################## +## <summary> +## Allow the specified domain to read +## nagios temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nagios_read_tmp_files',` + gen_require(` + type nagios_tmp_t; + ') + + allow $1 nagios_tmp_t:file read_file_perms; + files_search_tmp($1) +') + +######################################## +## <summary> +## Allow the specified domain to read +## nagios temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`nagios_rw_inerited_tmp_files',` + gen_require(` + type nagios_tmp_t; + ') + + allow $1 nagios_tmp_t:file rw_inherited_file_perms; + files_search_tmp($1) +') + +######################################## +## <summary> +## Execute the nagios NRPE with +## a domain transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`nagios_domtrans_nrpe',` + gen_require(` + type nrpe_t, nrpe_exec_t; + ') + + domtrans_pattern($1, nrpe_exec_t, nrpe_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an nagios environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the nagios domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`nagios_admin',` + gen_require(` + type nagios_t, nrpe_t, nagios_initrc_exec_t; + type nagios_tmp_t, nagios_log_t, nagios_var_run_t; + type nagios_etc_t, nrpe_etc_t, nagios_spool_t; + ') + + allow $1 nagios_t:process { ptrace signal_perms }; + ps_process_pattern($1, nagios_t) + + init_labeled_script_domtrans($1, nagios_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 nagios_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, nagios_tmp_t) + + logging_list_logs($1) + admin_pattern($1, nagios_log_t) + + files_list_etc($1) + admin_pattern($1, nagios_etc_t) + + files_list_spool($1) + admin_pattern($1, nagios_spool_t) + + files_list_pids($1) + admin_pattern($1, nagios_var_run_t) + + admin_pattern($1, nrpe_etc_t) +') diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te new file mode 100644 index 0000000..3b620e3 --- /dev/null +++ b/policy/modules/services/nagios.te 
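Review bot: nagios_rw_inerited_tmp_files misspells "inherited" in a public interface name, which other modules will have to keep using once this is released; rename it to nagios_rw_inherited_tmp_files before it lands, and fix its summary, which is a copy of the nagios_read_tmp_files text ("read nagios temporary files") although the body grants rw_inherited_file_perms. In nagios_admin, nrpe_t is listed in gen_require but never used (only nagios_t receives ptrace, signal_perms and ps_process_pattern), and nrpe_var_run_t from nagios.te has no admin_pattern, so the admin role can manage nagios but not nrpe; either add the nrpe rules or drop the unused require.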
@@ -0,0 +1,390 @@ +policy_module(nagios, 1.9.1) + +######################################## +# +# Declarations +# + +type nagios_t; +type nagios_exec_t; +init_daemon_domain(nagios_t, nagios_exec_t) + +type nagios_etc_t; +files_config_file(nagios_etc_t) + +type nagios_initrc_exec_t; +init_script_file(nagios_initrc_exec_t) + +type nagios_log_t; +logging_log_file(nagios_log_t) + +type nagios_tmp_t; +files_tmp_file(nagios_tmp_t) + +type nagios_var_run_t; +files_pid_file(nagios_var_run_t) + +type nagios_spool_t; +files_type(nagios_spool_t) + +nagios_plugin_template(admin) +nagios_plugin_template(checkdisk) +nagios_plugin_template(mail) +nagios_plugin_template(services) +nagios_plugin_template(system) +nagios_plugin_template(unconfined) + +type nagios_system_plugin_tmp_t; +files_tmp_file(nagios_system_plugin_tmp_t) + +type nrpe_t; +type nrpe_exec_t; +init_daemon_domain(nrpe_t, nrpe_exec_t) + +type nrpe_etc_t; +files_config_file(nrpe_etc_t) + +type nrpe_var_run_t; +files_pid_file(nrpe_var_run_t) + +######################################## +# +# Nagios local policy +# + +allow nagios_t self:capability { dac_override setgid setuid }; +dontaudit nagios_t self:capability sys_tty_config; +allow nagios_t self:process { setpgid signal_perms }; +allow nagios_t self:fifo_file rw_file_perms; +allow nagios_t self:tcp_socket create_stream_socket_perms; +allow nagios_t self:udp_socket create_socket_perms; + +read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) +read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) +allow nagios_t nagios_etc_t:dir list_dir_perms; + +manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t) +manage_fifo_files_pattern(nagios_t, nagios_log_t, nagios_log_t) +logging_log_filetrans(nagios_t, nagios_log_t, { file dir }) + +manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) +manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) +files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir }) + +manage_files_pattern(nagios_t, nagios_var_run_t, 
nagios_var_run_t) +files_pid_filetrans(nagios_t, nagios_var_run_t, file) + +manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) +files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) + +kernel_read_system_state(nagios_t) +kernel_read_kernel_sysctls(nagios_t) + +corecmd_exec_bin(nagios_t) +corecmd_exec_shell(nagios_t) + +corenet_all_recvfrom_unlabeled(nagios_t) +corenet_all_recvfrom_netlabel(nagios_t) +corenet_tcp_sendrecv_generic_if(nagios_t) +corenet_udp_sendrecv_generic_if(nagios_t) +corenet_tcp_sendrecv_generic_node(nagios_t) +corenet_udp_sendrecv_generic_node(nagios_t) +corenet_tcp_sendrecv_all_ports(nagios_t) +corenet_udp_sendrecv_all_ports(nagios_t) +corenet_tcp_connect_all_ports(nagios_t) + +corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t) +corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t) + +dev_read_sysfs(nagios_t) +dev_read_urand(nagios_t) + +domain_use_interactive_fds(nagios_t) +# for ps +domain_read_all_domains_state(nagios_t) + +files_read_etc_files(nagios_t) +files_read_etc_runtime_files(nagios_t) +files_read_kernel_symbol_table(nagios_t) +files_search_spool(nagios_t) +files_read_usr_files(nagios_t) + +fs_getattr_all_fs(nagios_t) +fs_search_auto_mountpoints(nagios_t) + +auth_use_nsswitch(nagios_t) + +logging_send_syslog_msg(nagios_t) + +miscfiles_read_localization(nagios_t) + +userdom_dontaudit_use_unpriv_user_fds(nagios_t) +userdom_dontaudit_search_user_home_dirs(nagios_t) + +mta_send_mail(nagios_t) +mta_signal_system_mail(nagios_t) +mta_kill_system_mail(nagios_t) + +optional_policy(` + netutils_kill_ping(nagios_t) +') + +optional_policy(` + seutil_sigchld_newrole(nagios_t) +') + +optional_policy(` + udev_read_db(nagios_t) +') + +######################################## +# +# Nagios CGI local policy +# + +optional_policy(` + apache_content_template(nagios) + typealias httpd_nagios_script_t alias nagios_cgi_t; + typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t; + + allow httpd_nagios_script_t self:process 
signal_perms; + + read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) + read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) + + files_search_spool(httpd_nagios_script_t) + rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) + + allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; + read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) + read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) + + allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; + read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) + read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) + + kernel_read_system_state(httpd_nagios_script_t) + + domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) + + files_read_etc_runtime_files(httpd_nagios_script_t) + files_read_kernel_symbol_table(httpd_nagios_script_t) + + logging_send_syslog_msg(httpd_nagios_script_t) +') + +######################################## +# +# Nagios remote plugin executor local policy +# + +allow nrpe_t self:capability { setuid setgid }; +dontaudit nrpe_t self:capability { sys_tty_config sys_resource }; +allow nrpe_t self:process { setpgid signal_perms setsched setrlimit }; +allow nrpe_t self:fifo_file rw_fifo_file_perms; +allow nrpe_t self:tcp_socket create_stream_socket_perms; + +domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) + +read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t) +files_search_etc(nrpe_t) + +manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t) +files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) + +kernel_read_system_state(nrpe_t) +kernel_read_kernel_sysctls(nrpe_t) + +corecmd_exec_bin(nrpe_t) +corecmd_exec_shell(nrpe_t) + +corenet_tcp_bind_generic_node(nrpe_t) +corenet_tcp_bind_inetd_child_port(nrpe_t) +corenet_sendrecv_unlabeled_packets(nrpe_t) + +dev_read_sysfs(nrpe_t) +dev_read_urand(nrpe_t) + 
+domain_use_interactive_fds(nrpe_t) +domain_read_all_domains_state(nrpe_t) + +files_read_etc_runtime_files(nrpe_t) +files_read_etc_files(nrpe_t) + +fs_getattr_all_fs(nrpe_t) +fs_search_auto_mountpoints(nrpe_t) + +auth_use_nsswitch(nrpe_t) + +logging_send_syslog_msg(nrpe_t) + +miscfiles_read_localization(nrpe_t) + +userdom_dontaudit_use_unpriv_user_fds(nrpe_t) + +optional_policy(` + inetd_tcp_service_domain(nrpe_t, nrpe_exec_t) +') + +optional_policy(` + mta_send_mail(nrpe_t) +') + +optional_policy(` + seutil_sigchld_newrole(nrpe_t) +') + +optional_policy(` + tcpd_wrapped_domain(nrpe_t, nrpe_exec_t) +') + +optional_policy(` + udev_read_db(nrpe_t) +') + +##################################### +# +# local policy for admin check plugins +# + +corecmd_read_bin_files(nagios_admin_plugin_t) +corecmd_read_bin_symlinks(nagios_admin_plugin_t) + +dev_read_urand(nagios_admin_plugin_t) +dev_getattr_all_chr_files(nagios_admin_plugin_t) +dev_getattr_all_blk_files(nagios_admin_plugin_t) + +files_read_etc_files(nagios_admin_plugin_t) +# for check_file_age plugin +files_getattr_all_dirs(nagios_admin_plugin_t) +files_getattr_all_files(nagios_admin_plugin_t) +files_getattr_all_symlinks(nagios_admin_plugin_t) +files_getattr_all_pipes(nagios_admin_plugin_t) +files_getattr_all_sockets(nagios_admin_plugin_t) +files_getattr_all_file_type_fs(nagios_admin_plugin_t) + +###################################### +# +# local policy for mail check plugins +# + +allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; +allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; +allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; +allow nagios_mail_plugin_t self:udp_socket create_socket_perms; + +kernel_read_system_state(nagios_mail_plugin_t) +kernel_read_kernel_sysctls(nagios_mail_plugin_t) + +corecmd_read_bin_files(nagios_mail_plugin_t) +corecmd_read_bin_symlinks(nagios_mail_plugin_t) + +dev_read_urand(nagios_mail_plugin_t) + 
+files_read_etc_files(nagios_mail_plugin_t) + +logging_send_syslog_msg(nagios_mail_plugin_t) + +sysnet_read_config(nagios_mail_plugin_t) + +optional_policy(` + mta_send_mail(nagios_mail_plugin_t) +') + +optional_policy(` + nscd_dontaudit_search_pid(nagios_mail_plugin_t) +') + +optional_policy(` + postfix_stream_connect_master(nagios_mail_plugin_t) + posftix_exec_postqueue(nagios_mail_plugin_t) +') + +###################################### +# +# local policy for disk check plugins +# + +# needed by ioctl() +allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; + +files_read_etc_runtime_files(nagios_checkdisk_plugin_t) + +fs_getattr_all_fs(nagios_checkdisk_plugin_t) + +storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) + +####################################### +# +# local policy for service check plugins +# + +allow nagios_services_plugin_t self:capability { net_bind_service net_raw }; +allow nagios_services_plugin_t self:process { signal sigkill }; +allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; +allow nagios_services_plugin_t self:udp_socket create_socket_perms; + +corecmd_exec_bin(nagios_services_plugin_t) + +corenet_tcp_connect_all_ports(nagios_services_plugin_t) +corenet_udp_bind_dhcpc_port(nagios_services_plugin_t) + +auth_use_nsswitch(nagios_services_plugin_t) + +domain_read_all_domains_state(nagios_services_plugin_t) + +files_read_usr_files(nagios_services_plugin_t) + +optional_policy(` + netutils_domtrans_ping(nagios_services_plugin_t) + netutils_signal_ping(nagios_services_plugin_t) + netutils_kill_ping(nagios_services_plugin_t) +') + +optional_policy(` + mysql_stream_connect(nagios_services_plugin_t) +') + +optional_policy(` + snmp_read_snmp_var_lib_files(nagios_services_plugin_t) +') + +###################################### +# +# local policy for system check plugins +# + +allow nagios_system_plugin_t self:capability dac_override; +dontaudit nagios_system_plugin_t self:capability { setuid setgid }; + +# 
check_log +manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) +manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) +files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) + +kernel_read_system_state(nagios_system_plugin_t) +kernel_read_kernel_sysctls(nagios_system_plugin_t) + +corecmd_exec_bin(nagios_system_plugin_t) +corecmd_exec_shell(nagios_system_plugin_t) + +dev_read_sysfs(nagios_system_plugin_t) +dev_read_urand(nagios_system_plugin_t) + +domain_read_all_domains_state(nagios_system_plugin_t) + +files_read_etc_files(nagios_system_plugin_t) + +# needed by check_users plugin +optional_policy(` + init_read_utmp(nagios_system_plugin_t) +') + +######################################## +# +# Unconfined plugin policy +# + +optional_policy(` + unconfined_domain(nagios_unconfined_plugin_t) +') diff --git a/policy/modules/services/nessus.fc b/policy/modules/services/nessus.fc new file mode 100644 index 0000000..74da57f --- /dev/null +++ b/policy/modules/services/nessus.fc @@ -0,0 +1,10 @@ + +/etc/nessus/nessusd\.conf -- gen_context(system_u:object_r:nessusd_etc_t,s0) + +/usr/lib(64)?/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0) + +/usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0) + +/var/lib/nessus(/.*)? gen_context(system_u:object_r:nessusd_db_t,s0) + +/var/log/nessus(/.*)? gen_context(system_u:object_r:nessusd_log_t,s0) diff --git a/policy/modules/services/nessus.if b/policy/modules/services/nessus.if new file mode 100644 index 0000000..6ec8003 --- /dev/null +++ b/policy/modules/services/nessus.if 
@@ -0,0 +1,15 @@ +## <summary>Nessus network scanning daemon</summary> + +######################################## +## <summary> +## Connect to nessus over a TCP socket (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nessus_tcp_connect',` + refpolicywarn(`$0($*) has been deprecated.') +') diff --git a/policy/modules/services/nessus.te b/policy/modules/services/nessus.te new file mode 100644 index 0000000..b16c387 --- /dev/null +++ b/policy/modules/services/nessus.te 
@@ -0,0 +1,105 @@ +policy_module(nessus, 1.7.0) + +######################################## +# +# Local policy +# + +type nessusd_t; +type nessusd_exec_t; +init_daemon_domain(nessusd_t, nessusd_exec_t) + +type nessusd_db_t; +files_type(nessusd_db_t) + +type nessusd_etc_t; +files_config_file(nessusd_etc_t) + +type nessusd_log_t; +logging_log_file(nessusd_log_t) + +type nessusd_var_run_t; +files_pid_file(nessusd_var_run_t) + +######################################## +# +# Declarations +# + +allow nessusd_t self:capability net_raw; +dontaudit nessusd_t self:capability sys_tty_config; +allow nessusd_t self:process { setsched signal_perms }; +allow nessusd_t self:fifo_file rw_fifo_file_perms; +allow nessusd_t self:tcp_socket create_stream_socket_perms; +allow nessusd_t self:udp_socket create_socket_perms; +allow nessusd_t self:rawip_socket create_socket_perms; +allow nessusd_t self:packet_socket create_socket_perms; + +# Allow access to the nessusd authentication database +manage_dirs_pattern(nessusd_t, nessusd_db_t, nessusd_db_t) +manage_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t) +manage_lnk_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t) +files_list_var_lib(nessusd_t) + +allow nessusd_t nessusd_etc_t:file read_file_perms; +files_search_etc(nessusd_t) + +manage_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t) +logging_log_filetrans(nessusd_t, nessusd_log_t, { file dir }) + +manage_files_pattern(nessusd_t, nessusd_var_run_t, nessusd_var_run_t) +files_pid_filetrans(nessusd_t, nessusd_var_run_t, file) + +kernel_read_system_state(nessusd_t) +kernel_read_kernel_sysctls(nessusd_t) + +# for nmap etc +corecmd_exec_bin(nessusd_t) + +corenet_all_recvfrom_unlabeled(nessusd_t) +corenet_all_recvfrom_netlabel(nessusd_t) +corenet_tcp_sendrecv_generic_if(nessusd_t) +corenet_udp_sendrecv_generic_if(nessusd_t) +corenet_raw_sendrecv_generic_if(nessusd_t) +corenet_tcp_sendrecv_generic_node(nessusd_t) +corenet_udp_sendrecv_generic_node(nessusd_t) 
+corenet_raw_sendrecv_generic_node(nessusd_t) +corenet_tcp_sendrecv_all_ports(nessusd_t) +corenet_udp_sendrecv_all_ports(nessusd_t) +corenet_tcp_bind_generic_node(nessusd_t) +corenet_tcp_bind_nessus_port(nessusd_t) +corenet_tcp_connect_all_ports(nessusd_t) +corenet_sendrecv_all_client_packets(nessusd_t) +corenet_sendrecv_nessus_server_packets(nessusd_t) + +dev_read_sysfs(nessusd_t) +dev_read_urand(nessusd_t) + +domain_use_interactive_fds(nessusd_t) + +files_read_etc_files(nessusd_t) +files_read_etc_runtime_files(nessusd_t) + +fs_getattr_all_fs(nessusd_t) +fs_search_auto_mountpoints(nessusd_t) + +logging_send_syslog_msg(nessusd_t) + +miscfiles_read_localization(nessusd_t) + +sysnet_read_config(nessusd_t) + +userdom_dontaudit_use_unpriv_user_fds(nessusd_t) +userdom_dontaudit_search_user_home_dirs(nessusd_t) + +optional_policy(` + nis_use_ypbind(nessusd_t) +') + +optional_policy(` + seutil_sigchld_newrole(nessusd_t) +') + +optional_policy(` + udev_read_db(nessusd_t) +') diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc new file mode 100644 index 0000000..d15cc4b --- /dev/null +++ b/policy/modules/services/networkmanager.fc 
@@ -0,0 +1,30 @@ +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) + +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) + +/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) + +/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) + +/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) +/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) + +/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) + +/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) +/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) + +/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0) +/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) + +/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) 
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if new file mode 100644 index 0000000..8069487 --- /dev/null +++ b/policy/modules/services/networkmanager.if 
@@ -0,0 +1,262 @@ +## <summary>Manager for dynamically switching between networks.</summary> + +######################################## +## <summary> +## Read and write NetworkManager UDP sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: added for named. +interface(`networkmanager_rw_udp_sockets',` + gen_require(` + type NetworkManager_t; + ') + + allow $1 NetworkManager_t:udp_socket { read write }; +') + +######################################## +## <summary> +## Read and write NetworkManager packet sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: added for named. +interface(`networkmanager_rw_packet_sockets',` + gen_require(` + type NetworkManager_t; + ') + + allow $1 NetworkManager_t:packet_socket { read write }; +') + +####################################### +## <summary> +## Allow caller to relabel tun_socket +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`networkmanager_attach_tun_iface',` + gen_require(` + type NetworkManager_t; + ') + + allow $1 NetworkManager_t:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') + +######################################## +## <summary> +## Read and write NetworkManager netlink +## routing sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: added for named. +interface(`networkmanager_rw_routing_sockets',` + gen_require(` + type NetworkManager_t; + ') + + allow $1 NetworkManager_t:netlink_route_socket { read write }; +') + +######################################## +## <summary> +## Execute NetworkManager with a domain transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`networkmanager_domtrans',` + gen_require(` + type NetworkManager_t, NetworkManager_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t) +') + +######################################## +## <summary> +## Execute NetworkManager scripts with an automatic domain transition to initrc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`networkmanager_initrc_domtrans',` + gen_require(` + type NetworkManager_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) +') + +######################################## +## <summary> +## Send and receive messages from +## NetworkManager over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`networkmanager_dbus_chat',` + gen_require(` + type NetworkManager_t; + class dbus send_msg; + ') + + allow $1 NetworkManager_t:dbus send_msg; + allow NetworkManager_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Do not audit attempts to send and +## receive messages from NetworkManager +## over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`networkmanager_dontaudit_dbus_chat',` + gen_require(` + type NetworkManager_t; + class dbus send_msg; + ') + + dontaudit $1 NetworkManager_t:dbus send_msg; + dontaudit NetworkManager_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Send a generic signal to NetworkManager +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`networkmanager_signal',` + gen_require(` + type NetworkManager_t; + ') + + allow $1 NetworkManager_t:process signal; +') + +######################################## +## <summary> +## Read NetworkManager lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`networkmanager_read_lib_files',` + gen_require(` + type NetworkManager_var_lib_t; + ') + + files_search_var_lib($1) + list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) + read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) +') + +######################################## +## <summary> +## Read NetworkManager PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`networkmanager_read_pid_files',` + gen_require(` + type NetworkManager_var_run_t; + ') + + files_search_pids($1) + allow $1 NetworkManager_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Execute NetworkManager in the NetworkManager domain, and +## allow the specified role the NetworkManager domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`networkmanager_run',` + gen_require(` + type NetworkManager_t, NetworkManager_exec_t; + ') + + networkmanager_domtrans($1) + role $2 types NetworkManager_t; +') + +######################################## +## <summary> +## Allow the specified domain to append +## to Network Manager log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`networkmanager_append_log',` + gen_require(` + type NetworkManager_log_t; + ') + + logging_search_logs($1) + allow $1 NetworkManager_log_t:dir list_dir_perms; + append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) +') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te new file mode 100644 index 0000000..02ae4e0 --- /dev/null +++ b/policy/modules/services/networkmanager.te 
@@ -0,0 +1,310 @@ +policy_module(networkmanager, 1.14.0) + +######################################## +# +# Declarations +# + +type NetworkManager_t; +type NetworkManager_exec_t; +init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) + +type NetworkManager_initrc_exec_t; +init_script_file(NetworkManager_initrc_exec_t) + +type NetworkManager_log_t; +logging_log_file(NetworkManager_log_t) + +type NetworkManager_tmp_t; +files_tmp_file(NetworkManager_tmp_t) + +type NetworkManager_var_lib_t; +files_type(NetworkManager_var_lib_t) + +type NetworkManager_var_run_t; +files_pid_file(NetworkManager_var_run_t) + +type wpa_cli_t; +type wpa_cli_exec_t; +init_system_domain(wpa_cli_t, wpa_cli_exec_t) + +######################################## +# +# Local policy +# + +# networkmanager will ptrace itself if gdb is installed +# and it receives a unexpected signal (rh bug #204161) +allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock }; +dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; +allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; +allow NetworkManager_t self:fifo_file rw_fifo_file_perms; +allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; +allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; +allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; +allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms; +allow NetworkManager_t self:tcp_socket create_stream_socket_perms; +allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto }; +allow NetworkManager_t self:udp_socket create_socket_perms; +allow NetworkManager_t self:packet_socket create_socket_perms; + +allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; + +can_exec(NetworkManager_t, NetworkManager_exec_t) + 
+manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) +logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) + +can_exec(NetworkManager_t, NetworkManager_tmp_t) +manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) +manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) +files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) + +manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) +manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) +files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, dir) + +manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) +manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) +manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) +files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) + +kernel_read_system_state(NetworkManager_t) +kernel_read_network_state(NetworkManager_t) +kernel_read_kernel_sysctls(NetworkManager_t) +kernel_request_load_module(NetworkManager_t) +kernel_read_debugfs(NetworkManager_t) +kernel_rw_net_sysctls(NetworkManager_t) + +corenet_all_recvfrom_unlabeled(NetworkManager_t) +corenet_all_recvfrom_netlabel(NetworkManager_t) +corenet_tcp_sendrecv_generic_if(NetworkManager_t) +corenet_udp_sendrecv_generic_if(NetworkManager_t) +corenet_raw_sendrecv_generic_if(NetworkManager_t) +corenet_tcp_sendrecv_generic_node(NetworkManager_t) +corenet_udp_sendrecv_generic_node(NetworkManager_t) +corenet_raw_sendrecv_generic_node(NetworkManager_t) +corenet_tcp_sendrecv_all_ports(NetworkManager_t) +corenet_udp_sendrecv_all_ports(NetworkManager_t) +corenet_udp_bind_generic_node(NetworkManager_t) +corenet_udp_bind_isakmp_port(NetworkManager_t) 
+corenet_udp_bind_dhcpc_port(NetworkManager_t) +corenet_tcp_connect_all_ports(NetworkManager_t) +corenet_sendrecv_isakmp_server_packets(NetworkManager_t) +corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) +corenet_sendrecv_all_client_packets(NetworkManager_t) +corenet_rw_tun_tap_dev(NetworkManager_t) +corenet_getattr_ppp_dev(NetworkManager_t) + +dev_read_sysfs(NetworkManager_t) +dev_read_rand(NetworkManager_t) +dev_read_urand(NetworkManager_t) +dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) +dev_getattr_all_chr_files(NetworkManager_t) + +fs_getattr_all_fs(NetworkManager_t) +fs_search_auto_mountpoints(NetworkManager_t) +fs_list_inotifyfs(NetworkManager_t) + +mls_file_read_all_levels(NetworkManager_t) + +selinux_dontaudit_search_fs(NetworkManager_t) + +corecmd_exec_shell(NetworkManager_t) +corecmd_exec_bin(NetworkManager_t) + +domain_use_interactive_fds(NetworkManager_t) +domain_read_confined_domains_state(NetworkManager_t) + +files_read_etc_files(NetworkManager_t) +files_read_etc_runtime_files(NetworkManager_t) +files_read_usr_files(NetworkManager_t) +files_read_usr_src_files(NetworkManager_t) + +storage_getattr_fixed_disk_dev(NetworkManager_t) + +init_read_utmp(NetworkManager_t) +init_dontaudit_write_utmp(NetworkManager_t) +init_domtrans_script(NetworkManager_t) + +auth_use_nsswitch(NetworkManager_t) + +logging_send_syslog_msg(NetworkManager_t) + +miscfiles_read_localization(NetworkManager_t) +miscfiles_read_generic_certs(NetworkManager_t) + +modutils_domtrans_insmod(NetworkManager_t) + +seutil_read_config(NetworkManager_t) + +sysnet_domtrans_ifconfig(NetworkManager_t) +sysnet_domtrans_dhcpc(NetworkManager_t) +sysnet_signal_dhcpc(NetworkManager_t) +sysnet_read_dhcpc_pid(NetworkManager_t) +sysnet_read_dhcp_config(NetworkManager_t) +sysnet_delete_dhcpc_pid(NetworkManager_t) +sysnet_kill_dhcpc(NetworkManager_t) +sysnet_read_dhcpc_state(NetworkManager_t) +sysnet_delete_dhcpc_state(NetworkManager_t) +sysnet_search_dhcp_state(NetworkManager_t) +# in /etc 
created by NetworkManager will be labelled net_conf_t. +sysnet_manage_config(NetworkManager_t) +sysnet_etc_filetrans_config(NetworkManager_t) + +userdom_stream_connect(NetworkManager_t) +userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) +userdom_dontaudit_use_user_ttys(NetworkManager_t) +# Read gnome-keyring +userdom_read_home_certs(NetworkManager_t) +userdom_read_user_home_content_files(NetworkManager_t) +userdom_dgram_send(NetworkManager_t) + +cron_read_system_job_lib_files(NetworkManager_t) + +optional_policy(` + avahi_domtrans(NetworkManager_t) + avahi_kill(NetworkManager_t) + avahi_signal(NetworkManager_t) + avahi_signull(NetworkManager_t) + avahi_dbus_chat(NetworkManager_t) +') + +optional_policy(` + bind_domtrans(NetworkManager_t) + bind_manage_cache(NetworkManager_t) + bind_kill(NetworkManager_t) + bind_signal(NetworkManager_t) + bind_signull(NetworkManager_t) +') + +optional_policy(` + bluetooth_dontaudit_read_helper_state(NetworkManager_t) +') + +optional_policy(` + consoletype_domtrans(NetworkManager_t) +') + +optional_policy(` + dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) + + init_dbus_chat(NetworkManager_t) + + optional_policy(` + consolekit_dbus_chat(NetworkManager_t) + ') +') + +optional_policy(` + dnsmasq_read_pid_files(NetworkManager_t) + dnsmasq_delete_pid_files(NetworkManager_t) + dnsmasq_domtrans(NetworkManager_t) + dnsmasq_initrc_domtrans(NetworkManager_t) + dnsmasq_kill(NetworkManager_t) + dnsmasq_signal(NetworkManager_t) + dnsmasq_signull(NetworkManager_t) +') + +optional_policy(` + hal_write_log(NetworkManager_t) +') + +optional_policy(` + howl_signal(NetworkManager_t) +') + +optional_policy(` + ipsec_domtrans_mgmt(NetworkManager_t) + ipsec_kill_mgmt(NetworkManager_t) + ipsec_signal_mgmt(NetworkManager_t) + ipsec_signull_mgmt(NetworkManager_t) +') + +optional_policy(` + iptables_domtrans(NetworkManager_t) +') + +optional_policy(` + nscd_domtrans(NetworkManager_t) + nscd_signal(NetworkManager_t) + 
nscd_signull(NetworkManager_t) + nscd_kill(NetworkManager_t) + nscd_initrc_domtrans(NetworkManager_t) +') + +optional_policy(` + # Dispatcher starting and stoping ntp + ntp_initrc_domtrans(NetworkManager_t) +') + +optional_policy(` + openvpn_domtrans(NetworkManager_t) + openvpn_kill(NetworkManager_t) + openvpn_signal(NetworkManager_t) + openvpn_signull(NetworkManager_t) +') + +optional_policy(` + policykit_dbus_chat(NetworkManager_t) + policykit_domtrans_auth(NetworkManager_t) + policykit_read_lib(NetworkManager_t) + policykit_read_reload(NetworkManager_t) + userdom_read_all_users_state(NetworkManager_t) +') + +optional_policy(` + ppp_initrc_domtrans(NetworkManager_t) + ppp_domtrans(NetworkManager_t) + ppp_manage_pid_files(NetworkManager_t) + ppp_kill(NetworkManager_t) + ppp_signal(NetworkManager_t) + ppp_signull(NetworkManager_t) + ppp_read_config(NetworkManager_t) +') + +optional_policy(` + rpm_exec(NetworkManager_t) + rpm_read_db(NetworkManager_t) + rpm_dontaudit_manage_db(NetworkManager_t) +') + +optional_policy(` + seutil_sigchld_newrole(NetworkManager_t) +') + +optional_policy(` + udev_exec(NetworkManager_t) + udev_read_db(NetworkManager_t) +') + +optional_policy(` + vpn_domtrans(NetworkManager_t) + vpn_kill(NetworkManager_t) + vpn_signal(NetworkManager_t) + vpn_signull(NetworkManager_t) + vpn_relabelfrom_tun_socket(NetworkManager_t) +') + +######################################## +# +# wpa_cli local policy +# + +allow wpa_cli_t self:capability dac_override; +allow wpa_cli_t self:unix_dgram_socket create_socket_perms; + +allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto; + +manage_sock_files_pattern(wpa_cli_t, NetworkManager_tmp_t, NetworkManager_tmp_t) +files_tmp_filetrans(wpa_cli_t, NetworkManager_tmp_t, sock_file) + +list_dirs_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t) +rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_run_t) + +init_dontaudit_use_fds(wpa_cli_t) 
+init_use_script_ptys(wpa_cli_t) + +miscfiles_read_localization(wpa_cli_t) + +term_dontaudit_use_console(wpa_cli_t) diff --git a/policy/modules/services/nis.fc b/policy/modules/services/nis.fc new file mode 100644 index 0000000..0c97dab --- /dev/null +++ b/policy/modules/services/nis.fc @@ -0,0 +1,22 @@ +/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0) +/etc/rc\.d/init\.d/yppasswdd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) +/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) +/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) +/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) + +/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) + +/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) +/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) + +/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) +/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) +/usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) +/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0) + +/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) + +/var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0) +/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0) +/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0) +/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0) diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if new file mode 100644 index 0000000..995a6cb --- /dev/null +++ b/policy/modules/services/nis.if 
@@ -0,0 +1,377 @@ +## <summary>Policy for NIS (YP) servers and clients</summary> + +######################################## +## <summary> +## Use the ypbind service to access NIS services +## unconditionally. +## </summary> +## <desc> +## <p> +## Use the ypbind service to access NIS services +## unconditionally. +## </p> +## <p> +## This interface was added because of apache and +## spamassassin, to fix a nested conditionals problem. +## When that support is added, this should be removed, +## and the regular interface should be used. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nis_use_ypbind_uncond',` + gen_require(` + type var_yp_t; + ') + + allow $1 self:capability net_bind_service; + + allow $1 self:tcp_socket create_stream_socket_perms; + allow $1 self:udp_socket create_socket_perms; + + allow $1 var_yp_t:dir list_dir_perms; + allow $1 var_yp_t:lnk_file read_lnk_file_perms; + allow $1 var_yp_t:file read_file_perms; + + corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) + corenet_udp_sendrecv_generic_node($1) + corenet_tcp_sendrecv_all_ports($1) + corenet_udp_sendrecv_all_ports($1) + corenet_tcp_bind_generic_node($1) + corenet_udp_bind_generic_node($1) + corenet_tcp_bind_generic_port($1) + corenet_udp_bind_generic_port($1) + corenet_tcp_bind_all_rpc_ports($1) + corenet_udp_bind_all_rpc_ports($1) + corenet_dontaudit_tcp_bind_all_ports($1) + corenet_dontaudit_udp_bind_all_ports($1) + corenet_tcp_connect_portmap_port($1) + corenet_tcp_connect_all_reserved_ports($1) + corenet_tcp_connect_generic_port($1) + corenet_dontaudit_tcp_connect_all_ports($1) + corenet_sendrecv_portmap_client_packets($1) + corenet_sendrecv_generic_client_packets($1) + corenet_sendrecv_generic_server_packets($1) + + sysnet_read_config($1) +') + 
+######################################## +## <summary> +## Use the ypbind service to access NIS services. +## </summary> +## <desc> +## <p> +## Allow the specified domain to use the ypbind service +## to access Network Information Service (NIS) services. +## Information that can be retreived from NIS includes +## usernames, passwords, home directories, and groups. +## If the network is configured to have a single sign-on +## using NIS, it is likely that any program that does +## authentication will need this access. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +## <rolecap/> +# +interface(`nis_use_ypbind',` + tunable_policy(`allow_ypbind',` + nis_use_ypbind_uncond($1) + ') +') + +######################################## +## <summary> +## Use the nis to authenticate passwords +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`nis_authenticate',` + tunable_policy(`allow_ypbind',` + nis_use_ypbind_uncond($1) + corenet_tcp_bind_all_rpc_ports($1) + corenet_udp_bind_all_rpc_ports($1) + ') +') + +######################################## +## <summary> +## Execute ypbind in the ypbind domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`nis_domtrans_ypbind',` + gen_require(` + type ypbind_t, ypbind_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, ypbind_exec_t, ypbind_t) +') + +######################################## +## <summary> +## Execute ypbind in the ypbind domain, and +## allow the specified role the ypbind domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`nis_run_ypbind',` + gen_require(` + type ypbind_t; + ') + + nis_domtrans_ypbind($1) + role $2 types ypbind_t; +') + +######################################## +## <summary> +## Send generic signals to ypbind. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nis_signal_ypbind',` + gen_require(` + type ypbind_t; + ') + + allow $1 ypbind_t:process signal; +') + +######################################## +## <summary> +## List the contents of the NIS data directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nis_list_var_yp',` + gen_require(` + type var_yp_t; + ') + + files_search_var($1) + allow $1 var_yp_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Send UDP network traffic to NIS clients. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nis_udp_send_ypbind',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Connect to ypbind over TCP. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nis_tcp_connect_ypbind',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Read ypbind pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nis_read_ypbind_pid',` + gen_require(` + type ypbind_var_run_t; + ') + + files_search_pids($1) + allow $1 ypbind_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Read ypserv configuration files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nis_read_ypserv_config',` + gen_require(` + type ypserv_conf_t; + ') + + files_search_etc($1) + allow $1 ypserv_conf_t:file read_file_perms; +') + +######################################## +## <summary> +## Execute ypxfr in the ypxfr domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`nis_domtrans_ypxfr',` + gen_require(` + type ypxfr_t, ypxfr_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, ypxfr_exec_t, ypxfr_t) +') + +######################################## +## <summary> +## Execute nis server in the nis domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +# +interface(`nis_initrc_domtrans',` + gen_require(` + type nis_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, nis_initrc_exec_t) +') + +######################################## +## <summary> +## Execute nis server in the nis domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`nis_initrc_domtrans_ypbind',` + gen_require(` + type ypbind_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, ypbind_initrc_exec_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an nis environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`nis_admin',` + gen_require(` + type ypbind_t, yppasswdd_t, ypserv_t; + type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; + type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; + type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t; + ') + + allow $1 ypbind_t:process { ptrace signal_perms }; + ps_process_pattern($1, ypbind_t) + + allow $1 yppasswdd_t:process { ptrace signal_perms }; + ps_process_pattern($1, yppasswdd_t) + + allow $1 ypserv_t:process { ptrace signal_perms }; + ps_process_pattern($1, ypserv_t) + + allow $1 ypxfr_t:process { ptrace signal_perms }; + ps_process_pattern($1, ypxfr_t) + + nis_initrc_domtrans($1) + nis_initrc_domtrans_ypbind($1) + domain_system_change_exemption($1) + role_transition $2 nis_initrc_exec_t system_r; + role_transition $2 ypbind_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, ypbind_tmp_t) + + files_list_pids($1) + admin_pattern($1, ypbind_var_run_t) + + admin_pattern($1, yppasswdd_var_run_t) + + files_list_etc($1) + admin_pattern($1, ypserv_conf_t) + + admin_pattern($1, ypserv_tmp_t) + + admin_pattern($1, ypserv_var_run_t) +') diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te new file mode 100644 index 0000000..5f2ba87 --- /dev/null +++ b/policy/modules/services/nis.te 
@@ -0,0 +1,348 @@ +policy_module(nis, 1.10.0) + +######################################## +# +# Declarations +# + +type nis_initrc_exec_t; +init_script_file(nis_initrc_exec_t) + +type var_yp_t; +files_type(var_yp_t) + +type ypbind_t; +type ypbind_exec_t; +init_daemon_domain(ypbind_t, ypbind_exec_t) + +type ypbind_initrc_exec_t; +init_script_file(ypbind_initrc_exec_t) + +type ypbind_tmp_t; +files_tmp_file(ypbind_tmp_t) + +type ypbind_var_run_t; +files_pid_file(ypbind_var_run_t) + +type yppasswdd_t; +type yppasswdd_exec_t; +init_daemon_domain(yppasswdd_t, yppasswdd_exec_t) +domain_obj_id_change_exemption(yppasswdd_t) + +type yppasswdd_var_run_t; +files_pid_file(yppasswdd_var_run_t) + +type ypserv_t; +type ypserv_exec_t; +init_daemon_domain(ypserv_t, ypserv_exec_t) + +type ypserv_conf_t; +files_type(ypserv_conf_t) + +type ypserv_tmp_t; +files_tmp_file(ypserv_tmp_t) + +type ypserv_var_run_t; +files_pid_file(ypserv_var_run_t) + +type ypxfr_t; +type ypxfr_exec_t; +init_daemon_domain(ypxfr_t, ypxfr_exec_t) + +type ypxfr_var_run_t; +files_pid_file(ypxfr_var_run_t) + +######################################## +# +# ypbind local policy +# + +dontaudit ypbind_t self:capability { net_admin sys_tty_config }; +allow ypbind_t self:process signal_perms; +allow ypbind_t self:fifo_file rw_fifo_file_perms; +allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms; +allow ypbind_t self:netlink_route_socket r_netlink_socket_perms; +allow ypbind_t self:tcp_socket create_stream_socket_perms; +allow ypbind_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t) +manage_files_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t) +files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir }) + +manage_files_pattern(ypbind_t, ypbind_var_run_t, ypbind_var_run_t) +files_pid_filetrans(ypbind_t, ypbind_var_run_t, file) + +manage_files_pattern(ypbind_t, var_yp_t, var_yp_t) + +kernel_read_system_state(ypbind_t) 
+kernel_read_kernel_sysctls(ypbind_t) + +corenet_all_recvfrom_unlabeled(ypbind_t) +corenet_all_recvfrom_netlabel(ypbind_t) +corenet_tcp_sendrecv_generic_if(ypbind_t) +corenet_udp_sendrecv_generic_if(ypbind_t) +corenet_tcp_sendrecv_generic_node(ypbind_t) +corenet_udp_sendrecv_generic_node(ypbind_t) +corenet_tcp_sendrecv_all_ports(ypbind_t) +corenet_udp_sendrecv_all_ports(ypbind_t) +corenet_tcp_bind_generic_node(ypbind_t) +corenet_udp_bind_generic_node(ypbind_t) +corenet_tcp_bind_generic_port(ypbind_t) +corenet_udp_bind_generic_port(ypbind_t) +corenet_tcp_bind_reserved_port(ypbind_t) +corenet_udp_bind_reserved_port(ypbind_t) +corenet_tcp_bind_all_rpc_ports(ypbind_t) +corenet_udp_bind_all_rpc_ports(ypbind_t) +corenet_tcp_connect_all_ports(ypbind_t) +corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t) +corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t) +corenet_sendrecv_all_client_packets(ypbind_t) +corenet_sendrecv_generic_server_packets(ypbind_t) + +dev_read_sysfs(ypbind_t) + +fs_getattr_all_fs(ypbind_t) +fs_search_auto_mountpoints(ypbind_t) + +domain_use_interactive_fds(ypbind_t) + +files_read_etc_files(ypbind_t) +files_list_var(ypbind_t) + +logging_send_syslog_msg(ypbind_t) + +miscfiles_read_localization(ypbind_t) + +sysnet_read_config(ypbind_t) + +userdom_dontaudit_use_unpriv_user_fds(ypbind_t) +userdom_dontaudit_search_user_home_dirs(ypbind_t) + +optional_policy(` + dbus_system_bus_client(ypbind_t) + dbus_connect_system_bus(ypbind_t) + init_dbus_chat_script(ypbind_t) + + optional_policy(` + networkmanager_dbus_chat(ypbind_t) + ') +') + +optional_policy(` + seutil_sigchld_newrole(ypbind_t) +') + +optional_policy(` + udev_read_db(ypbind_t) +') + +######################################## +# +# yppasswdd local policy +# + +allow yppasswdd_t self:capability dac_override; +dontaudit yppasswdd_t self:capability sys_tty_config; +allow yppasswdd_t self:process { getsched setfscreate signal_perms }; +allow yppasswdd_t self:fifo_file rw_fifo_file_perms; +allow 
yppasswdd_t self:unix_dgram_socket create_socket_perms; +allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms; +allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms; +allow yppasswdd_t self:tcp_socket create_stream_socket_perms; +allow yppasswdd_t self:udp_socket create_socket_perms; + +manage_files_pattern(yppasswdd_t, yppasswdd_var_run_t, yppasswdd_var_run_t) +files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) + +manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) +manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) + +kernel_list_proc(yppasswdd_t) +kernel_read_proc_symlinks(yppasswdd_t) +kernel_getattr_proc_files(yppasswdd_t) +kernel_read_kernel_sysctls(yppasswdd_t) + +corenet_all_recvfrom_unlabeled(yppasswdd_t) +corenet_all_recvfrom_netlabel(yppasswdd_t) +corenet_tcp_sendrecv_generic_if(yppasswdd_t) +corenet_udp_sendrecv_generic_if(yppasswdd_t) +corenet_tcp_sendrecv_generic_node(yppasswdd_t) +corenet_udp_sendrecv_generic_node(yppasswdd_t) +corenet_tcp_sendrecv_all_ports(yppasswdd_t) +corenet_udp_sendrecv_all_ports(yppasswdd_t) +corenet_tcp_bind_generic_node(yppasswdd_t) +corenet_udp_bind_generic_node(yppasswdd_t) +corenet_tcp_bind_all_rpc_ports(yppasswdd_t) +corenet_udp_bind_all_rpc_ports(yppasswdd_t) +corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) +corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) +corenet_sendrecv_generic_server_packets(yppasswdd_t) + +dev_read_sysfs(yppasswdd_t) + +fs_getattr_all_fs(yppasswdd_t) +fs_search_auto_mountpoints(yppasswdd_t) + +selinux_get_fs_mount(yppasswdd_t) + +auth_manage_shadow(yppasswdd_t) +auth_relabel_shadow(yppasswdd_t) +auth_etc_filetrans_shadow(yppasswdd_t) + +corecmd_exec_bin(yppasswdd_t) +corecmd_exec_shell(yppasswdd_t) + +domain_use_interactive_fds(yppasswdd_t) + +files_read_etc_files(yppasswdd_t) +files_read_etc_runtime_files(yppasswdd_t) +files_relabel_etc_files(yppasswdd_t) + +logging_send_syslog_msg(yppasswdd_t) + 
+miscfiles_read_localization(yppasswdd_t) + +sysnet_read_config(yppasswdd_t) + +userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t) +userdom_dontaudit_search_user_home_dirs(yppasswdd_t) + +optional_policy(` + hostname_exec(yppasswdd_t) +') + +optional_policy(` + seutil_sigchld_newrole(yppasswdd_t) +') + +optional_policy(` + udev_read_db(yppasswdd_t) +') + +######################################## +# +# ypserv local policy +# + +dontaudit ypserv_t self:capability sys_tty_config; +allow ypserv_t self:process signal_perms; +allow ypserv_t self:fifo_file rw_fifo_file_perms; +allow ypserv_t self:unix_dgram_socket create_socket_perms; +allow ypserv_t self:unix_stream_socket create_stream_socket_perms; +allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; +allow ypserv_t self:tcp_socket connected_stream_socket_perms; +allow ypserv_t self:udp_socket create_socket_perms; + +manage_files_pattern(ypserv_t, var_yp_t, var_yp_t) + +allow ypserv_t ypserv_conf_t:file read_file_perms; + +manage_dirs_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t) +manage_files_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t) +files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir }) + +manage_files_pattern(ypserv_t, ypserv_var_run_t, ypserv_var_run_t) +files_pid_filetrans(ypserv_t, ypserv_var_run_t, file) + +kernel_read_kernel_sysctls(ypserv_t) +kernel_list_proc(ypserv_t) +kernel_read_proc_symlinks(ypserv_t) + +corenet_all_recvfrom_unlabeled(ypserv_t) +corenet_all_recvfrom_netlabel(ypserv_t) +corenet_tcp_sendrecv_generic_if(ypserv_t) +corenet_udp_sendrecv_generic_if(ypserv_t) +corenet_tcp_sendrecv_generic_node(ypserv_t) +corenet_udp_sendrecv_generic_node(ypserv_t) +corenet_tcp_sendrecv_all_ports(ypserv_t) +corenet_udp_sendrecv_all_ports(ypserv_t) +corenet_tcp_bind_generic_node(ypserv_t) +corenet_udp_bind_generic_node(ypserv_t) +corenet_tcp_bind_reserved_port(ypserv_t) +corenet_udp_bind_reserved_port(ypserv_t) +corenet_tcp_bind_all_rpc_ports(ypserv_t) +corenet_udp_bind_all_rpc_ports(ypserv_t) 
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) +corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) +corenet_sendrecv_generic_server_packets(ypserv_t) + +dev_read_sysfs(ypserv_t) + +fs_getattr_all_fs(ypserv_t) +fs_search_auto_mountpoints(ypserv_t) + +corecmd_exec_bin(ypserv_t) + +domain_use_interactive_fds(ypserv_t) + +files_read_var_files(ypserv_t) +files_read_etc_files(ypserv_t) + +logging_send_syslog_msg(ypserv_t) + +miscfiles_read_localization(ypserv_t) + +nis_domtrans_ypxfr(ypserv_t) + +sysnet_read_config(ypserv_t) + +userdom_dontaudit_use_unpriv_user_fds(ypserv_t) +userdom_dontaudit_search_user_home_dirs(ypserv_t) + +optional_policy(` + seutil_sigchld_newrole(ypserv_t) +') + +optional_policy(` + udev_read_db(ypserv_t) +') + +######################################## +# +# ypxfr local policy +# + +allow ypxfr_t self:unix_stream_socket create_stream_socket_perms; +allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms; +allow ypxfr_t self:tcp_socket create_stream_socket_perms; +allow ypxfr_t self:udp_socket create_socket_perms; +allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms; + +manage_files_pattern(ypxfr_t, var_yp_t, var_yp_t) + +allow ypxfr_t ypserv_t:tcp_socket { read write }; +allow ypxfr_t ypserv_t:udp_socket { read write }; + +allow ypxfr_t ypserv_conf_t:file read_file_perms; + +manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t) +files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file) + +corenet_all_recvfrom_unlabeled(ypxfr_t) +corenet_all_recvfrom_netlabel(ypxfr_t) +corenet_tcp_sendrecv_generic_if(ypxfr_t) +corenet_udp_sendrecv_generic_if(ypxfr_t) +corenet_tcp_sendrecv_generic_node(ypxfr_t) +corenet_udp_sendrecv_generic_node(ypxfr_t) +corenet_tcp_sendrecv_all_ports(ypxfr_t) +corenet_udp_sendrecv_all_ports(ypxfr_t) +corenet_tcp_bind_generic_node(ypxfr_t) +corenet_udp_bind_generic_node(ypxfr_t) +corenet_tcp_bind_reserved_port(ypxfr_t) +corenet_udp_bind_reserved_port(ypxfr_t) 
+corenet_tcp_bind_all_rpc_ports(ypxfr_t) +corenet_udp_bind_all_rpc_ports(ypxfr_t) +corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) +corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) +corenet_tcp_connect_all_ports(ypxfr_t) +corenet_sendrecv_generic_server_packets(ypxfr_t) +corenet_sendrecv_all_client_packets(ypxfr_t) + +files_read_etc_files(ypxfr_t) +files_search_usr(ypxfr_t) + +logging_send_syslog_msg(ypxfr_t) + +miscfiles_read_localization(ypxfr_t) + +sysnet_read_config(ypxfr_t) diff --git a/policy/modules/services/nscd.fc b/policy/modules/services/nscd.fc new file mode 100644 index 0000000..623b731 --- /dev/null +++ b/policy/modules/services/nscd.fc @@ -0,0 +1,13 @@ +/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) + +/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) + +/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) +/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) + +/var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0) + +/var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0) +/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0) + +/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if new file mode 100644 index 0000000..99cefb8 --- /dev/null +++ b/policy/modules/services/nscd.if 
@@ -0,0 +1,313 @@ +## <summary>Name service cache daemon</summary> + +######################################## +## <summary> +## Send generic signals to NSCD. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nscd_signal',` + gen_require(` + type nscd_t; + ') + + allow $1 nscd_t:process signal; +') + +######################################## +## <summary> +## Send NSCD the kill signal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nscd_kill',` + gen_require(` + type nscd_t; + ') + + allow $1 nscd_t:process sigkill; +') + +######################################## +## <summary> +## Send signulls to NSCD. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nscd_signull',` + gen_require(` + type nscd_t; + ') + + allow $1 nscd_t:process signull; +') + +######################################## +## <summary> +## Execute NSCD in the nscd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`nscd_domtrans',` + gen_require(` + type nscd_t, nscd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, nscd_exec_t, nscd_t) +') + +######################################## +## <summary> +## Allow the specified domain to execute nscd +## in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nscd_exec',` + gen_require(` + type nscd_exec_t; + ') + + can_exec($1, nscd_exec_t) +') + +######################################## +## <summary> +## Use NSCD services by connecting using +## a unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`nscd_socket_use',` + gen_require(` + type nscd_t, nscd_var_run_t; + class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv }; + ') + + allow $1 self:unix_stream_socket create_socket_perms; + + allow $1 nscd_t:nscd { getpwd getgrp gethost }; + dontaudit $1 nscd_t:fd use; + dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; + files_search_pids($1) + stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) + dontaudit $1 nscd_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Use nscd services +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nscd_use',` + tunable_policy(`nscd_use_shm',` + nscd_shm_use($1) + ',` + nscd_socket_use($1) + ') +') + +######################################## +## <summary> +## Use NSCD services by mapping the database from +## an inherited NSCD file descriptor. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nscd_shm_use',` + gen_require(` + type nscd_t, nscd_var_run_t; + class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; + ') + + allow $1 nscd_var_run_t:dir list_dir_perms; + allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost }; + + # Receive fd from nscd and map the backing file with read access. + allow $1 nscd_t:fd use; + + # cjp: these were originally inherited from the + # nscd_socket_domain macro. need to investigate + # if they are all actually required + allow $1 self:unix_stream_socket create_stream_socket_perms; + + # dg: This may not be required. 
+ allow $1 nscd_var_run_t:sock_file read_sock_file_perms; + + stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) + files_search_pids($1) + allow $1 nscd_t:nscd { getpwd getgrp gethost }; + dontaudit $1 nscd_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to search the NSCD pid directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`nscd_dontaudit_search_pid',` + gen_require(` + type nscd_var_run_t; + ') + + dontaudit $1 nscd_var_run_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Read NSCD pid file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nscd_read_pid',` + gen_require(` + type nscd_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, nscd_var_run_t, nscd_var_run_t) +') + +######################################## +## <summary> +## Unconfined access to NSCD services. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nscd_unconfined',` + gen_require(` + type nscd_t; + class nscd all_nscd_perms; + ') + + allow $1 nscd_t:nscd *; +') + +######################################## +## <summary> +## Execute nscd in the nscd domain, and +## allow the specified role the nscd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`nscd_run',` + gen_require(` + type nscd_t; + ') + + nscd_domtrans($1) + role $2 types nscd_t; +') + +######################################## +## <summary> +## Execute the nscd server init script. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`nscd_initrc_domtrans',` + gen_require(` + type nscd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, nscd_initrc_exec_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an nscd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the nscd domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`nscd_admin',` + gen_require(` + type nscd_t, nscd_log_t, nscd_var_run_t; + type nscd_initrc_exec_t; + ') + + allow $1 nscd_t:process { ptrace signal_perms }; + ps_process_pattern($1, nscd_t) + + init_labeled_script_domtrans($1, nscd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 nscd_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + admin_pattern($1, nscd_log_t) + + files_list_pids($1) + admin_pattern($1, nscd_var_run_t) +') diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te new file mode 100644 index 0000000..6b54db7 --- /dev/null +++ b/policy/modules/services/nscd.te 
@@ -0,0 +1,156 @@ +policy_module(nscd, 1.10.1) + +gen_require(` + class nscd all_nscd_perms; +') + +## <desc> +## <p> +## Allow confined applications to use nscd shared memory. +## </p> +## </desc> +gen_tunable(nscd_use_shm, false) + +######################################## +# +# Declarations +# + +# cjp: this is out of order because of an +# ordering problem with loadable modules +type nscd_var_run_t; +files_pid_file(nscd_var_run_t) + +# nscd is both the client program and the daemon. +type nscd_t; +type nscd_exec_t; +init_daemon_domain(nscd_t, nscd_exec_t) + +type nscd_initrc_exec_t; +init_script_file(nscd_initrc_exec_t) + +type nscd_log_t; +logging_log_file(nscd_log_t) + +######################################## +# +# Local policy +# + +allow nscd_t self:capability { kill setgid setuid sys_ptrace }; +dontaudit nscd_t self:capability sys_tty_config; +allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; +allow nscd_t self:fifo_file read_fifo_file_perms; +allow nscd_t self:unix_stream_socket create_stream_socket_perms; +allow nscd_t self:unix_dgram_socket create_socket_perms; +allow nscd_t self:netlink_selinux_socket create_socket_perms; +allow nscd_t self:tcp_socket create_socket_perms; +allow nscd_t self:udp_socket create_socket_perms; + +# For client program operation, invoked from sysadm_t. +# Transition occurs to nscd_t due to direct_sysadm_daemon. 
+allow nscd_t self:nscd { admin getstat }; + +allow nscd_t nscd_log_t:file manage_file_perms; +logging_log_filetrans(nscd_t, nscd_log_t, file) + +manage_dirs_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) +manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) +manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) +files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file dir }) + +corecmd_search_bin(nscd_t) +can_exec(nscd_t, nscd_exec_t) + +kernel_read_kernel_sysctls(nscd_t) +kernel_list_proc(nscd_t) +kernel_read_proc_symlinks(nscd_t) + +dev_read_sysfs(nscd_t) +dev_read_rand(nscd_t) +dev_read_urand(nscd_t) + +fs_getattr_all_fs(nscd_t) +fs_search_auto_mountpoints(nscd_t) +fs_list_inotifyfs(nscd_t) + +# for when /etc/passwd has just been updated and has the wrong type +auth_getattr_shadow(nscd_t) +auth_use_nsswitch(nscd_t) + +corenet_all_recvfrom_unlabeled(nscd_t) +corenet_all_recvfrom_netlabel(nscd_t) +corenet_tcp_sendrecv_generic_if(nscd_t) +corenet_udp_sendrecv_generic_if(nscd_t) +corenet_tcp_sendrecv_generic_node(nscd_t) +corenet_udp_sendrecv_generic_node(nscd_t) +corenet_tcp_sendrecv_all_ports(nscd_t) +corenet_udp_sendrecv_all_ports(nscd_t) +corenet_udp_bind_generic_node(nscd_t) +corenet_tcp_connect_all_ports(nscd_t) +corenet_sendrecv_all_client_packets(nscd_t) +corenet_rw_tun_tap_dev(nscd_t) + +selinux_get_fs_mount(nscd_t) +selinux_validate_context(nscd_t) +selinux_compute_access_vector(nscd_t) +selinux_compute_create_context(nscd_t) +selinux_compute_relabel_context(nscd_t) +selinux_compute_user_contexts(nscd_t) +domain_use_interactive_fds(nscd_t) +domain_search_all_domains_state(nscd_t) + +files_read_etc_files(nscd_t) +files_read_generic_tmp_symlinks(nscd_t) +# Needed to read files created by firstboot "/etc/hesiod.conf" +files_read_etc_runtime_files(nscd_t) + +logging_send_audit_msgs(nscd_t) +logging_send_syslog_msg(nscd_t) + +miscfiles_read_localization(nscd_t) + +seutil_read_config(nscd_t) +seutil_read_default_contexts(nscd_t) 
+seutil_sigchld_newrole(nscd_t) + +sysnet_read_config(nscd_t) + +userdom_dontaudit_use_user_terminals(nscd_t) +userdom_dontaudit_use_unpriv_user_fds(nscd_t) +userdom_dontaudit_search_user_home_dirs(nscd_t) + +optional_policy(` + accountsd_dontaudit_rw_fifo_file(nscd_t) +') + +optional_policy(` + cron_read_system_job_tmp_files(nscd_t) +') + +optional_policy(` + kerberos_use(nscd_t) +') + +optional_policy(` + udev_read_db(nscd_t) +') + +optional_policy(` + xen_dontaudit_rw_unix_stream_sockets(nscd_t) + xen_append_log(nscd_t) +') + +optional_policy(` + tunable_policy(`samba_domain_controller',` + samba_append_log(nscd_t) + samba_dontaudit_use_fds(nscd_t) + ') + + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) +') + +optional_policy(` + unconfined_dontaudit_rw_packet_sockets(nscd_t) +') diff --git a/policy/modules/services/nsd.fc b/policy/modules/services/nsd.fc new file mode 100644 index 0000000..53cc800 --- /dev/null +++ b/policy/modules/services/nsd.fc @@ -0,0 +1,14 @@ + +/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0) +/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0) +/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) +/etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) + +/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0) +/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0) +/usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0) +/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0) + +/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) +/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0) +/var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) diff --git a/policy/modules/services/nsd.if b/policy/modules/services/nsd.if new file mode 100644 index 0000000..a1371d5 --- /dev/null +++ b/policy/modules/services/nsd.if 
@@ -0,0 +1,29 @@ +## <summary>Authoritative only name server</summary> + +######################################## +## <summary> +## Send and receive datagrams from NSD. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nsd_udp_chat',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Connect to NSD over a TCP socket (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nsd_tcp_connect',` + refpolicywarn(`$0($*) has been deprecated.') +') diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te new file mode 100644 index 0000000..4b15536 --- /dev/null +++ b/policy/modules/services/nsd.te 
@@ -0,0 +1,180 @@ +policy_module(nsd, 1.7.0) + +######################################## +# +# Declarations +# + +type nsd_t; +type nsd_exec_t; +init_daemon_domain(nsd_t, nsd_exec_t) + +# A type for configuration files of nsd +type nsd_conf_t; +files_type(nsd_conf_t) + +type nsd_crond_t; +domain_type(nsd_crond_t) +domain_entry_file(nsd_crond_t, nsd_exec_t) +role system_r types nsd_crond_t; + +# a type for nsd.db +type nsd_db_t; +files_type(nsd_db_t) + +type nsd_var_run_t; +files_pid_file(nsd_var_run_t) + +# A type for zone files +type nsd_zone_t; +files_type(nsd_zone_t) + +######################################## +# +# NSD Local policy +# + +allow nsd_t self:capability { dac_override chown setuid setgid }; +dontaudit nsd_t self:capability sys_tty_config; +allow nsd_t self:process signal_perms; +allow nsd_t self:tcp_socket create_stream_socket_perms; +allow nsd_t self:udp_socket create_socket_perms; + +allow nsd_t nsd_conf_t:dir list_dir_perms; +read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t) +read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t) + +allow nsd_t nsd_db_t:file manage_file_perms; +filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file) + +manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t) +files_pid_filetrans(nsd_t, nsd_var_run_t, file) + +allow nsd_t nsd_zone_t:dir list_dir_perms; +read_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) +read_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) + +can_exec(nsd_t, nsd_exec_t) + +kernel_read_system_state(nsd_t) +kernel_read_kernel_sysctls(nsd_t) + +corecmd_exec_bin(nsd_t) + +corenet_all_recvfrom_unlabeled(nsd_t) +corenet_all_recvfrom_netlabel(nsd_t) +corenet_tcp_sendrecv_generic_if(nsd_t) +corenet_udp_sendrecv_generic_if(nsd_t) +corenet_tcp_sendrecv_generic_node(nsd_t) +corenet_udp_sendrecv_generic_node(nsd_t) +corenet_tcp_sendrecv_all_ports(nsd_t) +corenet_udp_sendrecv_all_ports(nsd_t) +corenet_tcp_bind_generic_node(nsd_t) +corenet_udp_bind_generic_node(nsd_t) +corenet_tcp_bind_dns_port(nsd_t) 
+corenet_udp_bind_dns_port(nsd_t) +corenet_sendrecv_dns_server_packets(nsd_t) + +dev_read_sysfs(nsd_t) + +domain_use_interactive_fds(nsd_t) + +files_read_etc_files(nsd_t) +files_read_etc_runtime_files(nsd_t) + +fs_getattr_all_fs(nsd_t) +fs_search_auto_mountpoints(nsd_t) + +logging_send_syslog_msg(nsd_t) + +miscfiles_read_localization(nsd_t) + +sysnet_read_config(nsd_t) + +userdom_dontaudit_use_unpriv_user_fds(nsd_t) +userdom_dontaudit_search_user_home_dirs(nsd_t) + +optional_policy(` + nis_use_ypbind(nsd_t) +') + +optional_policy(` + seutil_sigchld_newrole(nsd_t) +') + +optional_policy(` + udev_read_db(nsd_t) +') + +######################################## +# +# Zone update cron job local policy +# + +# kill capability for root cron job and non-root daemon +allow nsd_crond_t self:capability { dac_override kill }; +dontaudit nsd_crond_t self:capability sys_nice; +allow nsd_crond_t self:process { setsched signal_perms }; +allow nsd_crond_t self:fifo_file rw_fifo_file_perms; +allow nsd_crond_t self:tcp_socket create_socket_perms; +allow nsd_crond_t self:udp_socket create_socket_perms; + +allow nsd_crond_t nsd_conf_t:file read_file_perms; + +allow nsd_crond_t nsd_db_t:file manage_file_perms; +filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file) +files_search_var_lib(nsd_crond_t) + +allow nsd_crond_t nsd_t:process signal; + +ps_process_pattern(nsd_crond_t, nsd_t) + +manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t) +filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file) + +can_exec(nsd_crond_t, nsd_exec_t) + +kernel_read_system_state(nsd_crond_t) + +corecmd_exec_bin(nsd_crond_t) +corecmd_exec_shell(nsd_crond_t) + +corenet_all_recvfrom_unlabeled(nsd_crond_t) +corenet_all_recvfrom_netlabel(nsd_crond_t) +corenet_tcp_sendrecv_generic_if(nsd_crond_t) +corenet_udp_sendrecv_generic_if(nsd_crond_t) +corenet_tcp_sendrecv_generic_node(nsd_crond_t) +corenet_udp_sendrecv_generic_node(nsd_crond_t) +corenet_tcp_sendrecv_all_ports(nsd_crond_t) 
+corenet_udp_sendrecv_all_ports(nsd_crond_t) +corenet_tcp_connect_all_ports(nsd_crond_t) +corenet_sendrecv_all_client_packets(nsd_crond_t) + +# for SSP +dev_read_urand(nsd_crond_t) + +domain_dontaudit_read_all_domains_state(nsd_crond_t) + +files_read_etc_files(nsd_crond_t) +files_read_etc_runtime_files(nsd_crond_t) +files_search_var_lib(nsd_t) + +logging_send_syslog_msg(nsd_crond_t) + +miscfiles_read_localization(nsd_crond_t) + +sysnet_read_config(nsd_crond_t) + +userdom_dontaudit_search_user_home_dirs(nsd_crond_t) + +optional_policy(` + cron_system_entry(nsd_crond_t, nsd_exec_t) +') + +optional_policy(` + nis_use_ypbind(nsd_crond_t) +') + +optional_policy(` + nscd_read_pid(nsd_crond_t) +') diff --git a/policy/modules/services/nslcd.fc b/policy/modules/services/nslcd.fc new file mode 100644 index 0000000..ce913b2 --- /dev/null +++ b/policy/modules/services/nslcd.fc @@ -0,0 +1,4 @@ +/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0) +/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0) +/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0) +/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0) diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if new file mode 100644 index 0000000..be5a5b4 --- /dev/null +++ b/policy/modules/services/nslcd.if 
@@ -0,0 +1,114 @@ +## <summary>nslcd - local LDAP name service daemon.</summary> + +######################################## +## <summary> +## Execute a domain transition to run nslcd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`nslcd_domtrans',` + gen_require(` + type nslcd_t, nslcd_exec_t; + ') + + domtrans_pattern($1, nslcd_exec_t, nslcd_t) +') + +######################################## +## <summary> +## Execute nslcd server in the nslcd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`nslcd_initrc_domtrans',` + gen_require(` + type nslcd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, nslcd_initrc_exec_t) +') + +######################################## +## <summary> +## Read nslcd PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nslcd_read_pid_files',` + gen_require(` + type nslcd_var_run_t; + ') + + files_search_pids($1) + allow $1 nslcd_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Connect to nslcd over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nslcd_stream_connect',` + gen_require(` + type nslcd_t, nslcd_var_run_t; + ') + + stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t) + files_search_pids($1) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an nslcd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`nslcd_admin',` + gen_require(` + type nslcd_t, nslcd_initrc_exec_t, nslcd_var_run_t; + type nslcd_conf_t; + ') + + ps_process_pattern($1, nslcd_t) + allow $1 nslcd_t:process { ptrace signal_perms }; + + # Allow nslcd_t to restart the apache service + nslcd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 nslcd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, nslcd_conf_t) + + files_list_pids($1) + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) +') diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te new file mode 100644 index 0000000..34eee5f --- /dev/null +++ b/policy/modules/services/nslcd.te @@ -0,0 +1,45 @@ +policy_module(nslcd, 1.1.1) + +######################################## +# +# Declarations +# + +type nslcd_t; +type nslcd_exec_t; +init_daemon_domain(nslcd_t, nslcd_exec_t) + +type nslcd_initrc_exec_t; +init_script_file(nslcd_initrc_exec_t) + +type nslcd_var_run_t; +files_pid_file(nslcd_var_run_t) + +type nslcd_conf_t; +files_type(nslcd_conf_t) + +######################################## +# +# nslcd local policy +# + +allow nslcd_t self:capability { setgid setuid dac_override }; +allow nslcd_t self:process signal; +allow nslcd_t self:unix_stream_socket create_stream_socket_perms; + +allow nslcd_t nslcd_conf_t:file read_file_perms; + +manage_dirs_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) +manage_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) +manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t) +files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) + +kernel_read_system_state(nslcd_t) + +files_read_etc_files(nslcd_t) + +auth_use_nsswitch(nslcd_t) + +logging_send_syslog_msg(nslcd_t) + +miscfiles_read_localization(nslcd_t) diff --git a/policy/modules/services/ntop.fc b/policy/modules/services/ntop.fc new file mode 100644 index 0000000..1838432 --- /dev/null 
+++ b/policy/modules/services/ntop.fc @@ -0,0 +1,6 @@ +/etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0) + +/usr/bin/ntop -- gen_context(system_u:object_r:ntop_exec_t,s0) + +/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0) +/var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0) diff --git a/policy/modules/services/ntop.if b/policy/modules/services/ntop.if new file mode 100644 index 0000000..4bf0a14 --- /dev/null +++ b/policy/modules/services/ntop.if @@ -0,0 +1 @@ +## <summary>Network Top</summary> diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te new file mode 100644 index 0000000..9d1e60a --- /dev/null +++ b/policy/modules/services/ntop.te 
@@ -0,0 +1,114 @@ +policy_module(ntop, 1.9.0) + +######################################## +# +# Declarations +# + +type ntop_t; +type ntop_exec_t; +init_daemon_domain(ntop_t, ntop_exec_t) +application_domain(ntop_t, ntop_exec_t) + +type ntop_initrc_exec_t; +init_script_file(ntop_initrc_exec_t) + +type ntop_etc_t; +files_config_file(ntop_etc_t) + +type ntop_tmp_t; +files_tmp_file(ntop_tmp_t) + +type ntop_var_lib_t; +files_type(ntop_var_lib_t) + +type ntop_var_run_t; +files_pid_file(ntop_var_run_t) + +######################################## +# +# Local Policy +# + +allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin }; +dontaudit ntop_t self:capability sys_tty_config; +allow ntop_t self:process signal_perms; +allow ntop_t self:fifo_file rw_fifo_file_perms; +allow ntop_t self:tcp_socket create_stream_socket_perms; +allow ntop_t self:udp_socket create_socket_perms; +allow ntop_t self:unix_dgram_socket create_socket_perms; +allow ntop_t self:unix_stream_socket create_stream_socket_perms; +allow ntop_t self:packet_socket create_socket_perms; +allow ntop_t self:socket create_socket_perms; + +allow ntop_t ntop_etc_t:dir list_dir_perms; +read_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t) +read_lnk_files_pattern(ntop_t, ntop_etc_t, ntop_etc_t) + +manage_dirs_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t) +manage_files_pattern(ntop_t, ntop_tmp_t, ntop_tmp_t) +files_tmp_filetrans(ntop_t, ntop_tmp_t, { file dir }) + +manage_dirs_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t) +manage_files_pattern(ntop_t, ntop_var_lib_t, ntop_var_lib_t) +files_var_lib_filetrans(ntop_t, ntop_var_lib_t, { file dir }) + +manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t) +files_pid_filetrans(ntop_t, ntop_var_run_t, file) + +kernel_request_load_module(ntop_t) +kernel_read_system_state(ntop_t) +kernel_read_network_state(ntop_t) +kernel_read_kernel_sysctls(ntop_t) +kernel_list_proc(ntop_t) +kernel_read_proc_symlinks(ntop_t) + +corenet_all_recvfrom_unlabeled(ntop_t) 
+corenet_all_recvfrom_netlabel(ntop_t) +corenet_tcp_sendrecv_generic_if(ntop_t) +corenet_udp_sendrecv_generic_if(ntop_t) +corenet_raw_sendrecv_generic_if(ntop_t) +corenet_tcp_sendrecv_generic_node(ntop_t) +corenet_udp_sendrecv_generic_node(ntop_t) +corenet_raw_sendrecv_generic_node(ntop_t) +corenet_tcp_sendrecv_all_ports(ntop_t) +corenet_udp_sendrecv_all_ports(ntop_t) +corenet_tcp_bind_ntop_port(ntop_t) +corenet_tcp_connect_ntop_port(ntop_t) +corenet_tcp_connect_http_port(ntop_t) +corenet_sendrecv_http_client_packets(ntop_t) +corenet_sendrecv_ntop_client_packets(ntop_t) +corenet_sendrecv_ntop_server_packets(ntop_t) + +dev_read_sysfs(ntop_t) +dev_rw_generic_usb_dev(ntop_t) + +domain_use_interactive_fds(ntop_t) + +files_read_etc_files(ntop_t) +files_read_usr_files(ntop_t) + +fs_getattr_all_fs(ntop_t) +fs_search_auto_mountpoints(ntop_t) + +auth_use_nsswitch(ntop_t) + +logging_send_syslog_msg(ntop_t) + +miscfiles_read_localization(ntop_t) +miscfiles_read_fonts(ntop_t) + +userdom_dontaudit_use_unpriv_user_fds(ntop_t) +userdom_dontaudit_search_user_home_dirs(ntop_t) + +optional_policy(` + apache_read_sys_content(ntop_t) +') + +optional_policy(` + seutil_sigchld_newrole(ntop_t) +') + +optional_policy(` + udev_read_db(ntop_t) +') diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc new file mode 100644 index 0000000..e79dccc --- /dev/null +++ b/policy/modules/services/ntp.fc 
@@ -0,0 +1,22 @@ + +/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0) +/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0) + +/etc/ntpd?\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0) +/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) +/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0) +/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:net_conf_t,s0) + +/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0) + +/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) +/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) + +/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) + +/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0) +/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0) +/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) + +/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if new file mode 100644 index 0000000..694b002 --- /dev/null +++ b/policy/modules/services/ntp.if 
@@ -0,0 +1,164 @@ +## <summary>Network time protocol daemon</summary> + +######################################## +## <summary> +## NTP stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ntp_stub',` + gen_require(` + type ntpd_t; + ') +') + +######################################## +## <summary> +## Execute ntp server in the ntpd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ntp_domtrans',` + gen_require(` + type ntpd_t, ntpd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, ntpd_exec_t, ntpd_t) +') + +######################################## +## <summary> +## Execute ntp in the ntp domain, and +## allow the specified role the ntp domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`ntp_run',` + gen_require(` + type ntpd_t; + ') + + ntp_domtrans($1) + role $2 types ntpd_t; +') + +######################################## +## <summary> +## Execute ntp server in the ntpd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ntp_domtrans_ntpdate',` + gen_require(` + type ntpd_t, ntpdate_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, ntpdate_exec_t, ntpd_t) +') + +######################################## +## <summary> +## Execute ntp server in the ntpd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`ntp_initrc_domtrans',` + gen_require(` + type ntpd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, ntpd_initrc_exec_t) +') + +######################################## +## <summary> +## Read and write ntpd shared memory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ntp_rw_shm',` + gen_require(` + type ntpd_t, ntpd_tmpfs_t; + ') + + allow $1 ntpd_t:shm rw_shm_perms; + list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) + rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) + read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t) + fs_search_tmpfs($1) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an ntp environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the ntp domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`ntp_admin',` + gen_require(` + type ntpd_t, ntpd_tmp_t, ntpd_log_t; + type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t; + ') + + allow $1 ntpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, ntpd_t) + + init_labeled_script_domtrans($1, ntpd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 ntpd_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, ntpd_key_t) + + logging_list_logs($1) + admin_pattern($1, ntpd_log_t) + + files_list_tmp($1) + admin_pattern($1, ntpd_tmp_t) + + files_list_pids($1) + admin_pattern($1, ntpd_var_run_t) +') diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te new file mode 100644 index 0000000..b5b5992 --- /dev/null +++ b/policy/modules/services/ntp.te 
@@ -0,0 +1,159 @@ +policy_module(ntp, 1.10.0) + +######################################## +# +# Declarations +# + +type ntp_drift_t; +files_type(ntp_drift_t) + +type ntpd_t; +type ntpd_exec_t; +init_daemon_domain(ntpd_t, ntpd_exec_t) + +type ntpd_initrc_exec_t; +init_script_file(ntpd_initrc_exec_t) + +type ntpd_key_t; +files_type(ntpd_key_t) + +type ntpd_log_t; +logging_log_file(ntpd_log_t) + +type ntpd_tmp_t; +files_tmp_file(ntpd_tmp_t) + +type ntpd_tmpfs_t; +files_tmpfs_file(ntpd_tmpfs_t) + +type ntpd_var_run_t; +files_pid_file(ntpd_var_run_t) + +type ntpdate_exec_t; +init_system_domain(ntpd_t, ntpdate_exec_t) + +######################################## +# +# Local policy +# + +# sys_resource and setrlimit is for locking memory +# ntpdate wants sys_nice +allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; +dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; +allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; +allow ntpd_t self:fifo_file rw_fifo_file_perms; +allow ntpd_t self:shm create_shm_perms; +allow ntpd_t self:unix_dgram_socket create_socket_perms; +allow ntpd_t self:unix_stream_socket create_socket_perms; +allow ntpd_t self:tcp_socket create_stream_socket_perms; +allow ntpd_t self:udp_socket create_socket_perms; + +manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) + +can_exec(ntpd_t, ntpd_exec_t) + +read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) +read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) + +allow ntpd_t ntpd_log_t:dir setattr; +manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) +logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir }) + +# for some reason it creates a file in /tmp +manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) +manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) +files_tmp_filetrans(ntpd_t, ntpd_tmp_t, { file dir }) + +manage_dirs_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t) 
+manage_files_pattern(ntpd_t, ntpd_tmpfs_t, ntpd_tmpfs_t) +fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file }) + +manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t) +files_pid_filetrans(ntpd_t, ntpd_var_run_t, file) + +kernel_read_kernel_sysctls(ntpd_t) +kernel_read_system_state(ntpd_t) +kernel_read_network_state(ntpd_t) +kernel_request_load_module(ntpd_t) + +corenet_all_recvfrom_unlabeled(ntpd_t) +corenet_all_recvfrom_netlabel(ntpd_t) +corenet_tcp_sendrecv_generic_if(ntpd_t) +corenet_udp_sendrecv_generic_if(ntpd_t) +corenet_tcp_sendrecv_generic_node(ntpd_t) +corenet_udp_sendrecv_generic_node(ntpd_t) +corenet_tcp_sendrecv_all_ports(ntpd_t) +corenet_udp_sendrecv_all_ports(ntpd_t) +corenet_tcp_bind_generic_node(ntpd_t) +corenet_udp_bind_generic_node(ntpd_t) +corenet_udp_bind_ntp_port(ntpd_t) +corenet_tcp_connect_ntp_port(ntpd_t) +corenet_sendrecv_ntp_server_packets(ntpd_t) +corenet_sendrecv_ntp_client_packets(ntpd_t) + +dev_read_sysfs(ntpd_t) +# for SSP +dev_read_urand(ntpd_t) +dev_rw_realtime_clock(ntpd_t) + +fs_getattr_all_fs(ntpd_t) +fs_search_auto_mountpoints(ntpd_t) +# Necessary to communicate with gpsd devices +fs_rw_tmpfs_files(ntpd_t) + +term_use_ptmx(ntpd_t) + +auth_use_nsswitch(ntpd_t) + +corecmd_exec_bin(ntpd_t) +corecmd_exec_shell(ntpd_t) + +domain_use_interactive_fds(ntpd_t) +domain_dontaudit_list_all_domains_state(ntpd_t) + +files_read_etc_files(ntpd_t) +files_read_etc_runtime_files(ntpd_t) +files_read_usr_files(ntpd_t) +files_list_var_lib(ntpd_t) + +init_exec_script_files(ntpd_t) + +logging_send_syslog_msg(ntpd_t) + +miscfiles_read_localization(ntpd_t) + +userdom_dontaudit_use_unpriv_user_fds(ntpd_t) +userdom_list_user_home_dirs(ntpd_t) + +optional_policy(` + # for cron jobs + cron_system_entry(ntpd_t, ntpdate_exec_t) +') + +optional_policy(` + gpsd_rw_shm(ntpd_t) +') + +optional_policy(` + firstboot_dontaudit_use_fds(ntpd_t) + firstboot_dontaudit_rw_pipes(ntpd_t) + firstboot_dontaudit_rw_stream_sockets(ntpd_t) +') + +optional_policy(` + 
hal_dontaudit_write_log(ntpd_t) +') + +optional_policy(` + logrotate_exec(ntpd_t) +') + +optional_policy(` + seutil_sigchld_newrole(ntpd_t) +') + +optional_policy(` + udev_read_db(ntpd_t) +') diff --git a/policy/modules/services/nut.fc b/policy/modules/services/nut.fc new file mode 100644 index 0000000..0a929ef --- /dev/null +++ b/policy/modules/services/nut.fc @@ -0,0 +1,12 @@ +/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0) + +/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) + +/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0) +/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) + +/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0) + +/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) +/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) +/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) diff --git a/policy/modules/services/nut.if b/policy/modules/services/nut.if new file mode 100644 index 0000000..56660c5 --- /dev/null +++ b/policy/modules/services/nut.if @@ -0,0 +1 @@ +## <summary>nut - Network UPS Tools </summary> diff --git a/policy/modules/services/nut.te b/policy/modules/services/nut.te new file mode 100644 index 0000000..b40e1e7 --- /dev/null +++ b/policy/modules/services/nut.te 
@@ -0,0 +1,171 @@ +policy_module(nut, 1.1.1) + +######################################## +# +# Declarations +# + +type nut_conf_t; +files_config_file(nut_conf_t) + +type nut_upsd_t; +type nut_upsd_exec_t; +init_daemon_domain(nut_upsd_t, nut_upsd_exec_t) + +type nut_upsmon_t; +type nut_upsmon_exec_t; +init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t) + +type nut_upsdrvctl_t; +type nut_upsdrvctl_exec_t; +init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) + +type nut_var_run_t; +files_pid_file(nut_var_run_t) + +######################################## +# +# Local policy for upsd +# + +allow nut_upsd_t self:capability { setgid setuid dac_override }; + +allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsd_t self:tcp_socket connected_stream_socket_perms; + +allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto; + +read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t) + +# pid file +manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) +manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) +manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) +files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file }) + +kernel_read_kernel_sysctls(nut_upsd_t) + +corenet_tcp_bind_ups_port(nut_upsd_t) +corenet_tcp_bind_generic_port(nut_upsd_t) +corenet_tcp_bind_all_nodes(nut_upsd_t) + +files_read_usr_files(nut_upsd_t) + +auth_use_nsswitch(nut_upsd_t) + +logging_send_syslog_msg(nut_upsd_t) + +miscfiles_read_localization(nut_upsd_t) + +######################################## +# +# Local policy for upsmon +# + +allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid }; +allow nut_upsmon_t self:fifo_file rw_fifo_file_perms; +allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; +allow nut_upsmon_t self:tcp_socket create_socket_perms; + +read_files_pattern(nut_upsmon_t, 
nut_conf_t, nut_conf_t) + +# pid file +manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) +manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) +files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file) + +kernel_read_kernel_sysctls(nut_upsmon_t) +kernel_read_system_state(nut_upsmon_t) + +corecmd_exec_bin(nut_upsmon_t) +corecmd_exec_shell(nut_upsmon_t) + +corenet_tcp_connect_ups_port(nut_upsmon_t) +corenet_tcp_connect_generic_port(nut_upsmon_t) + +# Creates /etc/killpower +files_manage_etc_runtime_files(nut_upsmon_t) +files_etc_filetrans_etc_runtime(nut_upsmon_t, file) +files_search_usr(nut_upsmon_t) + +# /usr/bin/wall +term_write_all_terms(nut_upsmon_t) + +# upsmon runs shutdown, probably need a shutdown domain +init_rw_utmp(nut_upsmon_t) +init_telinit(nut_upsmon_t) + +logging_send_syslog_msg(nut_upsmon_t) + +auth_use_nsswitch(nut_upsmon_t) + +miscfiles_read_localization(nut_upsmon_t) + +mta_send_mail(nut_upsmon_t) + +optional_policy(` + shutdown_domtrans(nut_upsmon_t) +') + +######################################## +# +# Local policy for upsdrvctl +# + +allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid }; +allow nut_upsdrvctl_t self:process { sigchld signal signull }; +allow nut_upsdrvctl_t self:fd use; +allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms; +allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsdrvctl_t self:udp_socket create_socket_perms; + +read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t) + +# pid file +manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) +manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) +manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) +files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file }) + +kernel_read_kernel_sysctls(nut_upsdrvctl_t) + +# /sbin/upsdrvctl executes other drivers +corecmd_exec_bin(nut_upsdrvctl_t) + +dev_read_urand(nut_upsdrvctl_t) 
+dev_rw_generic_usb_dev(nut_upsdrvctl_t) + +term_use_unallocated_ttys(nut_upsdrvctl_t) + +auth_use_nsswitch(nut_upsdrvctl_t) + +init_sigchld(nut_upsdrvctl_t) + +logging_send_syslog_msg(nut_upsdrvctl_t) + +miscfiles_read_localization(nut_upsdrvctl_t) + +####################################### +# +# Local policy for upscgi scripts +# requires httpd_enable_cgi and httpd_can_network_connect +# + +optional_policy(` + apache_content_template(nutups_cgi) + + read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t) + + corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t) + corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t) + corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t) + corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t) + corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t) + corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t) + corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t) + corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t) + corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t) + + sysnet_dns_name_resolve(httpd_nutups_cgi_script_t) +') diff --git a/policy/modules/services/nx.fc b/policy/modules/services/nx.fc new file mode 100644 index 0000000..c4d2dca --- /dev/null +++ b/policy/modules/services/nx.fc 
@@ -0,0 +1,12 @@ +/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) +/opt/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) +/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) +/opt/NX/var(/.*)? gen_context(system_u:object_r:nx_server_var_run_t,s0) + +/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) +/usr/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0) +/usr/NX/home(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) +/usr/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) + +/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0) +/var/lib/nxserver/home/.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0) diff --git a/policy/modules/services/nx.if b/policy/modules/services/nx.if new file mode 100644 index 0000000..cbb2bce --- /dev/null +++ b/policy/modules/services/nx.if 
@@ -0,0 +1,89 @@ +## <summary>NX remote desktop</summary> + +######################################## +## <summary> +## Transition to NX server. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`nx_spec_domtrans_server',` + gen_require(` + type nx_server_t, nx_server_exec_t; + ') + + spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t) +') + +######################################## +## <summary> +## Read nx home directory content +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nx_read_home_files',` + gen_require(` + type nx_server_home_ssh_t, nx_server_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 nx_server_var_lib_t:dir search_dir_perms; + read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) + read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) +') + +######################################## +## <summary> +## Read nx /var/lib content +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nx_search_var_lib',` + gen_require(` + type nx_server_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 nx_server_var_lib_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Create an object in the root directory, with a private +## type using a type transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="private type"> +## <summary> +## The type of the object to be created. +## </summary> +## </param> +## <param name="object"> +## <summary> +## The object class of the object being created. 
+## </summary> +## </param> +# +interface(`nx_var_lib_filetrans',` + gen_require(` + type nx_server_var_lib_t; + ') + + files_search_var_lib($1) + filetrans_pattern($1, nx_server_var_lib_t, $2, $3) +') diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te new file mode 100644 index 0000000..1c72c6e --- /dev/null +++ b/policy/modules/services/nx.te 
@@ -0,0 +1,103 @@ +policy_module(nx, 1.5.0) + +######################################## +# +# Declarations +# + +type nx_server_t; +type nx_server_exec_t; +domain_type(nx_server_t) +domain_entry_file(nx_server_t, nx_server_exec_t) +domain_user_exemption_target(nx_server_t) +# we need an extra role because nxserver is called from sshd +# cjp: do we really need this? +role nx_server_r types nx_server_t; +allow system_r nx_server_r; + +type nx_server_devpts_t; +term_user_pty(nx_server_t, nx_server_devpts_t) + +type nx_server_tmp_t; +files_tmp_file(nx_server_tmp_t) + +type nx_server_var_lib_t; +files_type(nx_server_var_lib_t) + +type nx_server_var_run_t; +files_pid_file(nx_server_var_run_t) + +type nx_server_home_ssh_t; +files_type(nx_server_home_ssh_t) + +######################################## +# +# NX server local policy +# + +allow nx_server_t self:fifo_file rw_fifo_file_perms; +allow nx_server_t self:tcp_socket create_socket_perms; +allow nx_server_t self:udp_socket create_socket_perms; + +allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; +term_create_pty(nx_server_t, nx_server_devpts_t) + +manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t) +manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t) +files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir }) + +manage_files_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t) +manage_dirs_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t) +files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir }) + +manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) +files_pid_filetrans(nx_server_t, nx_server_var_run_t, file) + +manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) +manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) + +kernel_read_system_state(nx_server_t) +kernel_read_kernel_sysctls(nx_server_t) + +# nxserver is a shell script --> 
call other programs +corecmd_exec_shell(nx_server_t) +corecmd_exec_bin(nx_server_t) + +corenet_all_recvfrom_unlabeled(nx_server_t) +corenet_all_recvfrom_netlabel(nx_server_t) +corenet_tcp_sendrecv_generic_if(nx_server_t) +corenet_udp_sendrecv_generic_if(nx_server_t) +corenet_tcp_sendrecv_generic_node(nx_server_t) +corenet_udp_sendrecv_generic_node(nx_server_t) +corenet_tcp_sendrecv_all_ports(nx_server_t) +corenet_udp_sendrecv_all_ports(nx_server_t) +corenet_tcp_connect_all_ports(nx_server_t) +corenet_sendrecv_all_client_packets(nx_server_t) + +dev_read_urand(nx_server_t) + +files_read_etc_files(nx_server_t) +files_read_etc_runtime_files(nx_server_t) +# for reading the config files; maybe a separate type, +# but users need to be able to also read the config +files_read_usr_files(nx_server_t) + +miscfiles_read_localization(nx_server_t) + +seutil_dontaudit_search_config(nx_server_t) + +sysnet_read_config(nx_server_t) + +ifdef(`TODO',` + # clients already have create permissions; the nxclient wants to also have unlink rights + allow userdomain xdm_tmp_t:sock_file delete_sock_file_perms; + # for a lockfile created by the client process + allow nx_server_t user_tmpfile:file getattr_file_perms; +') + +######################################## +# +# SSH component local policy +# + +ssh_basic_client_template(nx_server, nx_server_t, nx_server_r) diff --git a/policy/modules/services/oav.fc b/policy/modules/services/oav.fc new file mode 100644 index 0000000..0a66474 --- /dev/null +++ b/policy/modules/services/oav.fc 
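Review bot: corenet_tcp_connect_all_ports, corenet_tcp_sendrecv_all_ports and corenet_udp_sendrecv_all_ports in the nx.te network block give nx_server_t reach to every labeled port, which is far wider than a shell wrapper that talks to the local sshd and the X display needs; scope these to the specific port interfaces in corenetwork (ssh, xserver) or add a comment explaining why every port is required. The `ifdef(`TODO',...)` block also uses `userdomain`, `xdm_tmp_t` and `user_tmpfile` directly instead of through interfaces, so it would not build if the guard were ever enabled; either drop it or record it as a tracked issue rather than shipping dead code. Finally, the `cjp: do we really need this?` question about nx_server_r should be resolved before merge rather than left as a comment next to `allow system_r nx_server_r;`.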
@@ -0,0 +1,9 @@ +/etc/oav-update(/.*)? gen_context(system_u:object_r:oav_update_etc_t,s0) +/etc/scannerdaemon/scannerdaemon\.conf -- gen_context(system_u:object_r:scannerdaemon_etc_t,s0) + +/usr/sbin/oav-update -- gen_context(system_u:object_r:oav_update_exec_t,s0) +/usr/sbin/scannerdaemon -- gen_context(system_u:object_r:scannerdaemon_exec_t,s0) + +/var/lib/oav-virussignatures -- gen_context(system_u:object_r:oav_update_var_lib_t,s0) +/var/lib/oav-update(/.*)? gen_context(system_u:object_r:oav_update_var_lib_t,s0) +/var/log/scannerdaemon\.log -- gen_context(system_u:object_r:scannerdaemon_log_t,s0) diff --git a/policy/modules/services/oav.if b/policy/modules/services/oav.if new file mode 100644 index 0000000..7f0d644 --- /dev/null +++ b/policy/modules/services/oav.if @@ -0,0 +1,46 @@ +## <summary>Open AntiVirus scannerdaemon and signature update</summary> + +######################################## +## <summary> +## Execute oav_update in the oav_update domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`oav_domtrans_update',` + gen_require(` + type oav_update_t, oav_update_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, oav_update_exec_t, oav_update_t) +') + +######################################## +## <summary> +## Execute oav_update in the oav_update domain, and +## allow the specified role the oav_update domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`oav_run_update',` + gen_require(` + type oav_update_t; + ') + + oav_domtrans_update($1) + role $2 types oav_update_t; +') diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te new file mode 100644 index 0000000..b4c5f86 --- /dev/null +++ b/policy/modules/services/oav.te 
@@ -0,0 +1,146 @@ +policy_module(oav, 1.9.0) + +######################################## +# +# Declarations +# + +type oav_update_t; +type oav_update_exec_t; +application_domain(oav_update_t, oav_update_exec_t) + +# cjp: may be collapsable to etc_t +type oav_update_etc_t; +files_config_file(oav_update_etc_t) + +type oav_update_var_lib_t; +files_type(oav_update_var_lib_t) + +type scannerdaemon_t; +type scannerdaemon_exec_t; +init_daemon_domain(scannerdaemon_t, scannerdaemon_exec_t) + +type scannerdaemon_etc_t; +files_config_file(scannerdaemon_etc_t) + +type scannerdaemon_log_t; +logging_log_file(scannerdaemon_log_t) + +type scannerdaemon_var_run_t; +files_pid_file(scannerdaemon_var_run_t) + +######################################## +# +# OAV update local policy +# + +allow oav_update_t self:tcp_socket create_stream_socket_perms; +allow oav_update_t self:udp_socket create_socket_perms; + +# Can read /etc/oav-update/* files +allow oav_update_t oav_update_etc_t:dir list_dir_perms; +allow oav_update_t oav_update_etc_t:file read_file_perms; + +# Can read /var/lib/oav-update/current +manage_dirs_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t) +manage_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t) +read_lnk_files_pattern(oav_update_t, oav_update_var_lib_t, oav_update_var_lib_t) + +corecmd_exec_all_executables(oav_update_t) + +corenet_all_recvfrom_unlabeled(oav_update_t) +corenet_all_recvfrom_netlabel(oav_update_t) +corenet_tcp_sendrecv_generic_if(oav_update_t) +corenet_udp_sendrecv_generic_if(oav_update_t) +corenet_tcp_sendrecv_generic_node(oav_update_t) +corenet_udp_sendrecv_generic_node(oav_update_t) +corenet_tcp_sendrecv_all_ports(oav_update_t) +corenet_udp_sendrecv_all_ports(oav_update_t) + +files_exec_etc_files(oav_update_t) + +libs_exec_ld_so(oav_update_t) +libs_exec_lib_files(oav_update_t) + +logging_send_syslog_msg(oav_update_t) + +sysnet_read_config(oav_update_t) + +userdom_use_user_terminals(oav_update_t) + 
+optional_policy(` + cron_system_entry(oav_update_t, oav_update_exec_t) +') + +######################################## +# +# Scannerdaemon local policy +# + +dontaudit scannerdaemon_t self:capability sys_tty_config; +allow scannerdaemon_t self:process signal_perms; +allow scannerdaemon_t self:fifo_file rw_fifo_file_perms; +allow scannerdaemon_t self:tcp_socket create_stream_socket_perms; +allow scannerdaemon_t self:udp_socket create_socket_perms; + +allow scannerdaemon_t oav_update_var_lib_t:dir list_dir_perms; +allow scannerdaemon_t oav_update_var_lib_t:file read_file_perms; +files_search_var_lib(scannerdaemon_t) + +allow scannerdaemon_t scannerdaemon_etc_t:file read_file_perms; + +allow scannerdaemon_t scannerdaemon_log_t:file manage_file_perms; +logging_log_filetrans(scannerdaemon_t, scannerdaemon_log_t, file) + +manage_files_pattern(scannerdaemon_t, scannerdaemon_var_run_t, scannerdaemon_var_run_t) +files_pid_filetrans(scannerdaemon_t, scannerdaemon_var_run_t, file) + +kernel_read_system_state(scannerdaemon_t) +kernel_read_kernel_sysctls(scannerdaemon_t) + +# Can run kaffe +corecmd_exec_all_executables(scannerdaemon_t) + +corenet_all_recvfrom_unlabeled(scannerdaemon_t) +corenet_all_recvfrom_netlabel(scannerdaemon_t) +corenet_tcp_sendrecv_generic_if(scannerdaemon_t) +corenet_udp_sendrecv_generic_if(scannerdaemon_t) +corenet_tcp_sendrecv_generic_node(scannerdaemon_t) +corenet_udp_sendrecv_generic_node(scannerdaemon_t) +corenet_tcp_sendrecv_all_ports(scannerdaemon_t) +corenet_udp_sendrecv_all_ports(scannerdaemon_t) + +dev_read_sysfs(scannerdaemon_t) + +domain_use_interactive_fds(scannerdaemon_t) + +files_read_etc_files(scannerdaemon_t) +files_read_etc_runtime_files(scannerdaemon_t) +# Can run kaffe +files_exec_etc_files(scannerdaemon_t) + +fs_getattr_all_fs(scannerdaemon_t) +fs_search_auto_mountpoints(scannerdaemon_t) + +auth_dontaudit_read_shadow(scannerdaemon_t) + +# Can run kaffe +libs_exec_ld_so(scannerdaemon_t) +libs_exec_lib_files(scannerdaemon_t) + 
+logging_send_syslog_msg(scannerdaemon_t) + +miscfiles_read_localization(scannerdaemon_t) + +sysnet_read_config(scannerdaemon_t) + +userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t) +userdom_dontaudit_search_user_home_dirs(scannerdaemon_t) + +optional_policy(` + seutil_sigchld_newrole(scannerdaemon_t) +') + +optional_policy(` + udev_read_db(scannerdaemon_t) +') diff --git a/policy/modules/services/oddjob.fc b/policy/modules/services/oddjob.fc new file mode 100644 index 0000000..5ee1598 --- /dev/null +++ b/policy/modules/services/oddjob.fc @@ -0,0 +1,6 @@ +/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) + +/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) + +/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) diff --git a/policy/modules/services/oddjob.if b/policy/modules/services/oddjob.if new file mode 100644 index 0000000..ca6517b --- /dev/null +++ b/policy/modules/services/oddjob.if 
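Review bot: the comment `# Can read /var/lib/oav-update/current` in the OAV update block sits above manage_dirs_pattern and manage_files_pattern rules that grant create, write and delete, not just read; fix the comment or narrow the rules to what oav-update actually does to the signature directory. In the same block `corecmd_exec_all_executables(oav_update_t)` together with `files_exec_etc_files` and `libs_exec_lib_files` lets the updater run any executable on the system; for a domain that pulls signatures from the network and can be entered from cron, prefer corecmd_exec_bin and corecmd_exec_shell and state which interpreter needs the remaining exec rules. The `# Can run kaffe` comment is repeated three times on scannerdaemon_t; one explanation above the group of exec rules would do.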
@@ -0,0 +1,149 @@ +## <summary> +## Oddjob provides a mechanism by which unprivileged applications can +## request that specified privileged operations be performed on their +## behalf. +## </summary> + +######################################## +## <summary> +## Execute a domain transition to run oddjob. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`oddjob_domtrans',` + gen_require(` + type oddjob_t, oddjob_exec_t; + ') + + domtrans_pattern($1, oddjob_exec_t, oddjob_t) +') + +##################################### +## <summary> +## Do not audit attempts to read and write +## oddjob fifo file. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`oddjob_dontaudit_rw_fifo_file',` + gen_require(` + type oddjob_t; + ') + + dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## <summary> +## Make the specified program domain accessable +## from the oddjob. +## </summary> +## <param name="domain"> +## <summary> +## The type of the process to transition to. +## </summary> +## </param> +## <param name="entrypoint"> +## <summary> +## The type of the file used as an entrypoint to this domain. +## </summary> +## </param> +# +interface(`oddjob_system_entry',` + gen_require(` + type oddjob_t; + ') + + domtrans_pattern(oddjob_t, $2, $1) + domain_user_exemption_target($1) +') + +######################################## +## <summary> +## Send and receive messages from +## oddjob over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`oddjob_dbus_chat',` + gen_require(` + type oddjob_t; + class dbus send_msg; + ') + + allow $1 oddjob_t:dbus send_msg; + allow oddjob_t $1:dbus send_msg; +') + +###################################### +## <summary> +## Send a SIGCHLD signal to oddjob. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`oddjob_sigchld',` + gen_require(` + type oddjob_t; + ') + + allow $1 oddjob_t:process sigchld; +') + +######################################## +## <summary> +## Execute a domain transition to run oddjob_mkhomedir. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`oddjob_domtrans_mkhomedir',` + gen_require(` + type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t; + ') + + domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) +') + +######################################## +## <summary> +## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`oddjob_run_mkhomedir',` + gen_require(` + type oddjob_mkhomedir_t; + ') + + oddjob_domtrans_mkhomedir($1) + role $2 types oddjob_mkhomedir_t; +') diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te new file mode 100644 index 0000000..c8f4d64 --- /dev/null +++ b/policy/modules/services/oddjob.te 
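Review bot: oddjob_domtrans omits the corecmd_search_bin($1) that the other domtrans interfaces in this series (oav_domtrans_update, openct_domtrans) include, so a caller without its own search permission on bin_t directories cannot reach /usr/sbin/oddjobd; add it for consistency. Also, the summary of oddjob_system_entry reads "accessable"; spell it "accessible".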
@@ -0,0 +1,102 @@ +policy_module(oddjob, 1.7.0) + +######################################## +# +# Declarations +# + +type oddjob_t; +type oddjob_exec_t; +init_daemon_domain(oddjob_t, oddjob_exec_t) +domain_obj_id_change_exemption(oddjob_t) +domain_role_change_exemption(oddjob_t) +domain_subj_id_change_exemption(oddjob_t) + +type oddjob_mkhomedir_t; +type oddjob_mkhomedir_exec_t; +domain_obj_id_change_exemption(oddjob_mkhomedir_t) +init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) +oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) + +# pid files +type oddjob_var_run_t; +files_pid_file(oddjob_var_run_t) + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh) +') + +######################################## +# +# oddjob local policy +# + +allow oddjob_t self:capability setgid; +allow oddjob_t self:process { setexec signal }; +allow oddjob_t self:fifo_file rw_fifo_file_perms; +allow oddjob_t self:unix_stream_socket create_stream_socket_perms; + +manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) +manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) +files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file }) + +kernel_read_system_state(oddjob_t) + +corecmd_exec_bin(oddjob_t) +corecmd_exec_shell(oddjob_t) + +mcs_process_set_categories(oddjob_t) + +selinux_compute_create_context(oddjob_t) + +files_read_etc_files(oddjob_t) + +miscfiles_read_localization(oddjob_t) + +locallogin_dontaudit_use_fds(oddjob_t) + +optional_policy(` + dbus_system_bus_client(oddjob_t) + dbus_connect_system_bus(oddjob_t) +') + +optional_policy(` + unconfined_domtrans(oddjob_t) +') + +######################################## +# +# oddjob_mkhomedir local policy +# + +allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; +allow oddjob_mkhomedir_t self:process setfscreate; +allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms; +allow oddjob_mkhomedir_t 
self:unix_stream_socket create_stream_socket_perms; + +kernel_read_system_state(oddjob_mkhomedir_t) + +files_read_etc_files(oddjob_mkhomedir_t) + +auth_use_nsswitch(oddjob_mkhomedir_t) + +logging_send_syslog_msg(oddjob_mkhomedir_t) + +miscfiles_read_localization(oddjob_mkhomedir_t) + +selinux_get_fs_mount(oddjob_mkhomedir_t) +selinux_validate_context(oddjob_mkhomedir_t) +selinux_compute_access_vector(oddjob_mkhomedir_t) +selinux_compute_create_context(oddjob_mkhomedir_t) +selinux_compute_relabel_context(oddjob_mkhomedir_t) +selinux_compute_user_contexts(oddjob_mkhomedir_t) + +seutil_read_config(oddjob_mkhomedir_t) +seutil_read_file_contexts(oddjob_mkhomedir_t) +seutil_read_default_contexts(oddjob_mkhomedir_t) + +# Add/remove user home directories +userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) +userdom_manage_user_home_dirs(oddjob_mkhomedir_t) +userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) +userdom_manage_user_home_content(oddjob_mkhomedir_t) diff --git a/policy/modules/services/oident.fc b/policy/modules/services/oident.fc new file mode 100644 index 0000000..5840ea8 --- /dev/null +++ b/policy/modules/services/oident.fc @@ -0,0 +1,8 @@ +HOME_DIR/\.oidentd.conf gen_context(system_u:object_r:oidentd_home_t, s0) + +/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0) +/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0) + +/etc/rc\.d/init\.d/oidentd -- gen_context(system_u:object_r:oidentd_initrc_exec_t, s0) + +/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0) diff --git a/policy/modules/services/oident.if b/policy/modules/services/oident.if new file mode 100644 index 0000000..b1b5e51 --- /dev/null +++ b/policy/modules/services/oident.if 
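Review bot: the `optional_policy(` unconfined_domtrans(oddjob_t) `)` block, together with domain_obj_id_change_exemption, domain_role_change_exemption, domain_subj_id_change_exemption, `setexec` and mcs_process_set_categories, makes oddjob_t a full context-switching broker and lets helpers that have no entrypoint type of their own run in the unconfined domain on behalf of an unprivileged D-Bus caller. That matches how oddjobd works, but it deserves a comment stating that the privilege boundary is oddjobd's own configuration rather than this policy, and that new helpers should get their own entrypoint type via oddjob_system_entry as mkhomedir does. On oddjob_mkhomedir_t, `dac_override` is granted without comment; say why chown, fowner and fsetid are not sufficient for creating home directories, since that capability is the one a reviewer will question.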
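Review bot: the HOME_DIR entry in oident.fc escapes the leading dot but not the second one: `HOME_DIR/\.oidentd.conf` should be `HOME_DIR/\.oidentd\.conf` so it matches only that filename, as the `/etc/oidentd\.conf` entry two lines below already does. The entries in this file also write `gen_context(..., s0)` with a space after the comma while every other .fc file in the series uses `,s0`; pick one style.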
@@ -0,0 +1,102 @@ +## <summary>SELinux policy for Oident daemon.</summary> +## <desc> +## <p> +## Oident daemon is a server that implements the TCP/IP +## standard IDENT user identification protocol as +## specified in the RFC 1413 document. +## </p> +## </desc> + +######################################## +## <summary> +## Allow the specified domain to read +## Oidentd personal configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`oident_read_user_content',` + gen_require(` + type oidentd_home_t; + ') + + allow $1 oidentd_home_t:file read_file_perms; + userdom_search_user_home_dirs($1) +') + +######################################## +## <summary> +## Allow the specified domain to create, read, write, and delete +## Oidentd personal configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`oident_manage_user_content',` + gen_require(` + type oidentd_home_t; + ') + + allow $1 oidentd_home_t:file manage_file_perms; + userdom_search_user_home_dirs($1) +') + +######################################## +## <summary> +## Allow the specified domain to relabel +## Oidentd personal configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`oident_relabel_user_content',` + gen_require(` + type oidentd_home_t; + ') + + allow $1 oidentd_home_t:file relabel_file_perms; + userdom_search_user_home_dirs($1) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an oident environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`oident_admin',` + gen_require(` + type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t; + ') + + allow $1 oidentd_t:process { ptrace signal_perms }; + ps_process_pattern($1, oidentd_t) + + init_labeled_script_domtrans($1, oidentd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 oidentd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, oidentd_config_t) +') diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te new file mode 100644 index 0000000..73c1fa5 --- /dev/null +++ b/policy/modules/services/oident.te 
@@ -0,0 +1,73 @@ +policy_module(oident, 2.1.0) + +######################################## +# +# Oident daemon private declarations +# + +type oidentd_t; +type oidentd_exec_t; +init_daemon_domain(oidentd_t, oidentd_exec_t) + +type oidentd_home_t; +typealias oidentd_home_t alias { oidentd_user_content_t oidentd_staff_content_t oidentd_sysadm_content_t }; +typealias oidentd_home_t alias { oidentd_secadm_content_t oidentd_auditadm_content_t }; +userdom_user_home_content(oidentd_home_t) + +type oidentd_initrc_exec_t; +init_script_file(oidentd_initrc_exec_t) + +type oidentd_config_t; +files_config_file(oidentd_config_t) + +######################################## +# +# Oident daemon private policy +# + +allow oidentd_t self:capability { setuid setgid }; +allow oidentd_t self:netlink_route_socket create_netlink_socket_perms; +allow oidentd_t self:netlink_tcpdiag_socket create_netlink_socket_perms; +allow oidentd_t self:tcp_socket create_stream_socket_perms; +allow oidentd_t self:udp_socket create_socket_perms; +allow oidentd_t self:unix_dgram_socket { create connect }; + +allow oidentd_t oidentd_config_t:file read_file_perms; + +corenet_all_recvfrom_unlabeled(oidentd_t) +corenet_all_recvfrom_netlabel(oidentd_t) +corenet_tcp_sendrecv_generic_if(oidentd_t) +corenet_tcp_sendrecv_generic_node(oidentd_t) +corenet_tcp_bind_generic_node(oidentd_t) +corenet_tcp_bind_auth_port(oidentd_t) +corenet_sendrecv_auth_server_packets(oidentd_t) + +files_read_etc_files(oidentd_t) + +kernel_read_kernel_sysctls(oidentd_t) +kernel_read_network_state(oidentd_t) +kernel_read_network_state_symlinks(oidentd_t) +kernel_read_sysctl(oidentd_t) +kernel_request_load_module(oidentd_t) + +logging_send_syslog_msg(oidentd_t) + +miscfiles_read_localization(oidentd_t) + +sysnet_read_config(oidentd_t) + +oident_read_user_content(oidentd_t) + +optional_policy(` + nis_use_ypbind(oidentd_t) +') + +tunable_policy(`use_samba_home_dirs', ` + fs_list_cifs(oidentd_t) + fs_read_cifs_files(oidentd_t) +') + 
+tunable_policy(`use_nfs_home_dirs', ` + fs_list_nfs(oidentd_t) + fs_read_nfs_files(oidentd_t) +') diff --git a/policy/modules/services/openca.fc b/policy/modules/services/openca.fc new file mode 100644 index 0000000..72a2db6 --- /dev/null +++ b/policy/modules/services/openca.fc @@ -0,0 +1,9 @@ +/etc/openca(/.*)? gen_context(system_u:object_r:openca_etc_t,s0) +/etc/openca/.*\.in(/.*)? gen_context(system_u:object_r:openca_etc_in_t,s0) +/etc/openca/rbac(/.*)? gen_context(system_u:object_r:openca_etc_writeable_t,s0) + +/usr/share/openca(/.*)? gen_context(system_u:object_r:openca_usr_share_t,s0) +/usr/share/openca/cgi-bin/ca/.+ -- gen_context(system_u:object_r:openca_ca_exec_t,s0) + +/var/lib/openca(/.*)? gen_context(system_u:object_r:openca_var_lib_t,s0) +/var/lib/openca/crypto/keys(/.*)? gen_context(system_u:object_r:openca_var_lib_keys_t,s0) diff --git a/policy/modules/services/openca.if b/policy/modules/services/openca.if new file mode 100644 index 0000000..a8c1eef --- /dev/null +++ b/policy/modules/services/openca.if 
@@ -0,0 +1,76 @@ +## <summary>OpenCA - Open Certificate Authority</summary> + +######################################## +## <summary> +## Execute the OpenCA program with +## a domain transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`openca_domtrans',` + gen_require(` + type openca_ca_t, openca_ca_exec_t, openca_usr_share_t; + ') + + domtrans_pattern($1, openca_ca_exec_t, openca_ca_t) + allow $1 openca_usr_share_t:dir search_dir_perms; + files_search_usr($1) +') + +######################################## +## <summary> +## Send OpenCA generic signals. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`openca_signal',` + gen_require(` + type openca_ca_t; + ') + + allow $1 openca_ca_t:process signal; +') + +######################################## +## <summary> +## Send OpenCA stop signals. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`openca_sigstop',` + gen_require(` + type openca_ca_t; + ') + + allow $1 openca_ca_t:process sigstop; +') + +######################################## +## <summary> +## Kill OpenCA. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`openca_kill',` + gen_require(` + type openca_ca_t; + ') + + allow $1 openca_ca_t:process sigkill; +') diff --git a/policy/modules/services/openca.te b/policy/modules/services/openca.te new file mode 100644 index 0000000..2df8170 --- /dev/null +++ b/policy/modules/services/openca.te 
@@ -0,0 +1,82 @@ +policy_module(openca, 1.2.0) + +######################################## +# +# Declarations +# + +type openca_ca_t; +type openca_ca_exec_t; +domain_type(openca_ca_t) +domain_entry_file(openca_ca_t, openca_ca_exec_t) +role system_r types openca_ca_t; + +# cjp: seems like some of these types +# can be removed and replaced with generic +# etc or usr files. + +# /etc/openca standard files +type openca_etc_t; +files_config_file(openca_etc_t) + +# /etc/openca template files +type openca_etc_in_t; +files_type(openca_etc_in_t) + +# /etc/openca writeable (from CGI script) files +type openca_etc_writeable_t; +files_type(openca_etc_writeable_t) + +# /usr/share/openca/crypto/keys +type openca_usr_share_t; +files_type(openca_usr_share_t) + +# /var/lib/openca +type openca_var_lib_t; +files_type(openca_var_lib_t) + +# /var/lib/openca/crypto/keys +type openca_var_lib_keys_t; +files_type(openca_var_lib_keys_t) + +######################################## +# +# Local policy +# + +# Allow access to other files under /etc/openca +allow openca_ca_t openca_etc_t:file read_file_perms; +allow openca_ca_t openca_etc_t:dir list_dir_perms; + +# Allow access to writeable files under /etc/openca +manage_dirs_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t) +manage_files_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t) + +# Allow access to other /var/lib/openca files +manage_dirs_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t) +manage_files_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t) + +# Allow access to private CA key +manage_dirs_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t) +manage_files_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t) + +# Allow access to other /usr/share/openca files +read_files_pattern(openca_ca_t, openca_usr_share_t, openca_usr_share_t) +read_lnk_files_pattern(openca_ca_t, openca_usr_share_t, openca_usr_share_t) +allow openca_ca_t openca_usr_share_t:dir 
list_dir_perms; + +# the perl executable will be able to run a perl script +corecmd_exec_bin(openca_ca_t) + +dev_read_rand(openca_ca_t) + +files_list_default(openca_ca_t) + +init_use_fds(openca_ca_t) +init_use_script_fds(openca_ca_t) + +libs_exec_lib_files(openca_ca_t) + +apache_append_log(openca_ca_t) +# Allow the script to return its output +apache_rw_cache_files(openca_ca_t) diff --git a/policy/modules/services/openct.fc b/policy/modules/services/openct.fc new file mode 100644 index 0000000..58c8816 --- /dev/null +++ b/policy/modules/services/openct.fc @@ -0,0 +1,10 @@ +# +# /usr +# +/usr/sbin/ifdhandler -- gen_context(system_u:object_r:openct_exec_t,s0) +/usr/sbin/openct-control -- gen_context(system_u:object_r:openct_exec_t,s0) + +# +# /var +# +/var/run/openct(/.*)? gen_context(system_u:object_r:openct_var_run_t,s0) diff --git a/policy/modules/services/openct.if b/policy/modules/services/openct.if new file mode 100644 index 0000000..9197ef0 --- /dev/null +++ b/policy/modules/services/openct.if 
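Review bot: the comment above `type openca_usr_share_t;` reads `# /usr/share/openca/crypto/keys`, which is the path of the keys type declared further down; per openca.fc this type labels `/usr/share/openca(/.*)?`, so fix the comment. More importantly, the `# Allow access to private CA key` block grants manage_dirs_pattern and manage_files_pattern on openca_var_lib_keys_t to the CGI domain, so a compromised CA CGI can overwrite or delete the CA's private key material rather than only use it; unless key generation really happens inside openca_ca_t, narrow this to read_files_pattern and leave the keys directory writable only by whatever process installs keys. The `cjp:` comment about collapsing the extra types should also be settled before the module lands.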
@@ -0,0 +1,95 @@ +## <summary>Service for handling smart card readers.</summary> + +######################################## +## <summary> +## Send openct a null signal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`openct_signull',` + gen_require(` + type openct_t; + ') + + allow $1 openct_t:process signull; +') + +######################################## +## <summary> +## Execute openct in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`openct_exec',` + gen_require(` + type openct_t, openct_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, openct_exec_t) +') + +######################################## +## <summary> +## Execute a domain transition to run openct. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`openct_domtrans',` + gen_require(` + type openct_t, openct_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, openct_exec_t, openct_t) +') + +######################################## +## <summary> +## Read openct PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`openct_read_pid_files',` + gen_require(` + type openct_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, openct_var_run_t, openct_var_run_t) +') + +######################################## +## <summary> +## Connect to openct over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`openct_stream_connect',` + gen_require(` + type openct_t, openct_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, openct_var_run_t, openct_var_run_t, openct_t) +') 
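Review bot: openct_exec lists `type openct_t, openct_exec_t;` in its gen_require but only uses openct_exec_t; drop openct_t from the require so the interface does not pull in a type it never references.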
diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te new file mode 100644 index 0000000..78722e7 --- /dev/null +++ b/policy/modules/services/openct.te @@ -0,0 +1,61 @@ +policy_module(openct, 1.4.1) + +######################################## +# +# Declarations +# + +type openct_t; +type openct_exec_t; +init_daemon_domain(openct_t, openct_exec_t) + +type openct_var_run_t; +files_pid_file(openct_var_run_t) + +######################################## +# +# Local policy +# + +dontaudit openct_t self:capability sys_tty_config; +allow openct_t self:process signal_perms; + +manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t) +manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) +manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) +files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file }) + +kernel_read_kernel_sysctls(openct_t) +kernel_list_proc(openct_t) +kernel_read_proc_symlinks(openct_t) + +dev_read_sysfs(openct_t) +# openct asks for this +dev_rw_usbfs(openct_t) +dev_rw_smartcard(openct_t) +dev_rw_generic_usb_dev(openct_t) + +domain_use_interactive_fds(openct_t) + +# openct asks for this +files_read_etc_files(openct_t) + +fs_getattr_all_fs(openct_t) +fs_search_auto_mountpoints(openct_t) + +logging_send_syslog_msg(openct_t) + +miscfiles_read_localization(openct_t) + +userdom_dontaudit_use_unpriv_user_fds(openct_t) +userdom_dontaudit_search_user_home_dirs(openct_t) + +openct_exec(openct_t) + +optional_policy(` + seutil_sigchld_newrole(openct_t) +') + +optional_policy(` + udev_read_db(openct_t) +') diff --git a/policy/modules/services/openvpn.fc b/policy/modules/services/openvpn.fc new file mode 100644 index 0000000..9c186d2 --- /dev/null +++ b/policy/modules/services/openvpn.fc 
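Review bot: `openct_exec(openct_t)` calls the module's own public interface from inside openct.te; the convention in this tree is that interfaces exist for other modules and a module writes the underlying rule directly, so this should be `can_exec(openct_t, openct_exec_t)` with a comment that openct-control spawns ifdhandler (both are labeled openct_exec_t in openct.fc).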
@@ -0,0 +1,17 @@ +# +# /etc +# +/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0) +/etc/openvpn/ipp.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0) +/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0) + +# +# /usr +# +/usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0) + +# +# /var +# +/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) +/var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0) diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if new file mode 100644 index 0000000..d883214 --- /dev/null +++ b/policy/modules/services/openvpn.if 
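Review bot: `/etc/openvpn/ipp.txt --` leaves the dot unescaped, so the entry also matches names such as `ipp-txt`; write `ipp\.txt` (the `/var/log/openvpn.*` entry is a deliberate wildcard and is fine). A short comment saying that ipp.txt is the persistent client IP pool the daemon rewrites at runtime would explain why it alone gets the separate openvpn_etc_rw_t label while the rest of `/etc/openvpn(/.*)?` stays read-only openvpn_etc_t.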
@@ -0,0 +1,163 @@ +## <summary>full-featured SSL VPN solution</summary> + +######################################## +## <summary> +## Execute OPENVPN clients in the openvpn domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`openvpn_domtrans',` + gen_require(` + type openvpn_t, openvpn_exec_t; + ') + + domtrans_pattern($1, openvpn_exec_t, openvpn_t) +') + +######################################## +## <summary> +## Execute OPENVPN clients in the openvpn domain, and +## allow the specified role the openvpn domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`openvpn_run',` + gen_require(` + type openvpn_t; + ') + + openvpn_domtrans($1) + role $2 types openvpn_t; +') + +######################################## +## <summary> +## Send OPENVPN clients the kill signal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`openvpn_kill',` + gen_require(` + type openvpn_t; + ') + + allow $1 openvpn_t:process sigkill; +') + +######################################## +## <summary> +## Send generic signals to OPENVPN clients. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`openvpn_signal',` + gen_require(` + type openvpn_t; + ') + + allow $1 openvpn_t:process signal; +') + +######################################## +## <summary> +## Send signulls to OPENVPN clients. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`openvpn_signull',` + gen_require(` + type openvpn_t; + ') + + allow $1 openvpn_t:process signull; +') + +######################################## +## <summary> +## Allow the specified domain to read +## OpenVPN configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`openvpn_read_config',` + gen_require(` + type openvpn_etc_t; + ') + + files_search_etc($1) + allow $1 openvpn_etc_t:dir list_dir_perms; + read_files_pattern($1, openvpn_etc_t, openvpn_etc_t) + read_lnk_files_pattern($1, openvpn_etc_t, openvpn_etc_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an openvpn environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the openvpn domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`openvpn_admin',` + gen_require(` + type openvpn_t, openvpn_etc_t, openvpn_var_log_t; + type openvpn_var_run_t, openvpn_initrc_exec_t; + ') + + allow $1 openvpn_t:process { ptrace signal_perms }; + ps_process_pattern($1, openvpn_t) + + init_labeled_script_domtrans($1, openvpn_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 openvpn_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, openvpn_etc_t) + + logging_list_logs($1) + admin_pattern($1, openvpn_var_log_t) + + files_list_pids($1) + admin_pattern($1, openvpn_var_run_t) +') diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te new file mode 100644 index 0000000..cb87bef --- /dev/null +++ b/policy/modules/services/openvpn.te 
@@ -0,0 +1,151 @@ +policy_module(openvpn, 1.10.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow openvpn to read home directories +## </p> +## </desc> +gen_tunable(openvpn_enable_homedirs, false) + +# main openvpn domain +type openvpn_t; +type openvpn_exec_t; +init_daemon_domain(openvpn_t, openvpn_exec_t) + +# configuration files +type openvpn_etc_t; +files_config_file(openvpn_etc_t) + +type openvpn_etc_rw_t; +files_config_file(openvpn_etc_rw_t) + +type openvpn_tmp_t; +files_tmp_file(openvpn_tmp_t) + +type openvpn_initrc_exec_t; +init_script_file(openvpn_initrc_exec_t) + +# log files +type openvpn_var_log_t; +logging_log_file(openvpn_var_log_t) + +# pid files +type openvpn_var_run_t; +files_pid_file(openvpn_var_run_t) + +######################################## +# +# openvpn local policy +# + +allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config }; +allow openvpn_t self:process { signal getsched }; +allow openvpn_t self:fifo_file rw_fifo_file_perms; +allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; +allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow openvpn_t self:udp_socket create_socket_perms; +allow openvpn_t self:tcp_socket server_stream_socket_perms; +allow openvpn_t self:tun_socket { create_socket_perms relabelfrom }; +allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms; + +can_exec(openvpn_t, openvpn_etc_t) +read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) +read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) + +manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t) +filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) + +manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t) +files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file) + +allow openvpn_t openvpn_var_log_t:file manage_file_perms; 
+logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) + +manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) +manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) +files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir }) + +kernel_read_kernel_sysctls(openvpn_t) +kernel_read_net_sysctls(openvpn_t) +kernel_read_network_state(openvpn_t) +kernel_read_system_state(openvpn_t) +kernel_request_load_module(openvpn_t) + +corecmd_exec_bin(openvpn_t) +corecmd_exec_shell(openvpn_t) + +corenet_all_recvfrom_unlabeled(openvpn_t) +corenet_all_recvfrom_netlabel(openvpn_t) +corenet_tcp_sendrecv_generic_if(openvpn_t) +corenet_udp_sendrecv_generic_if(openvpn_t) +corenet_tcp_sendrecv_generic_node(openvpn_t) +corenet_udp_sendrecv_generic_node(openvpn_t) +corenet_tcp_sendrecv_all_ports(openvpn_t) +corenet_udp_sendrecv_all_ports(openvpn_t) +corenet_tcp_bind_generic_node(openvpn_t) +corenet_udp_bind_generic_node(openvpn_t) +corenet_tcp_bind_openvpn_port(openvpn_t) +corenet_udp_bind_openvpn_port(openvpn_t) +corenet_tcp_bind_http_port(openvpn_t) +corenet_tcp_connect_openvpn_port(openvpn_t) +corenet_tcp_connect_http_port(openvpn_t) +corenet_tcp_connect_http_cache_port(openvpn_t) +corenet_rw_tun_tap_dev(openvpn_t) +corenet_sendrecv_openvpn_server_packets(openvpn_t) +corenet_sendrecv_openvpn_client_packets(openvpn_t) +corenet_sendrecv_http_client_packets(openvpn_t) + +dev_search_sysfs(openvpn_t) +dev_read_rand(openvpn_t) +dev_read_urand(openvpn_t) + +files_read_etc_files(openvpn_t) +files_read_etc_runtime_files(openvpn_t) + +auth_use_pam(openvpn_t) + +logging_send_syslog_msg(openvpn_t) + +miscfiles_read_localization(openvpn_t) +miscfiles_read_all_certs(openvpn_t) + +sysnet_dns_name_resolve(openvpn_t) +sysnet_exec_ifconfig(openvpn_t) +sysnet_manage_config(openvpn_t) +sysnet_etc_filetrans_config(openvpn_t) + +userdom_use_user_terminals(openvpn_t) +userdom_read_home_certs(openvpn_t) +userdom_attach_admin_tun_iface(openvpn_t) + 
+tunable_policy(`openvpn_enable_homedirs',` + userdom_search_user_home_dirs(openvpn_t) +') + +tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(openvpn_t) +') + +tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(openvpn_t) +') + +optional_policy(` + daemontools_service_domain(openvpn_t, openvpn_exec_t) +') + +optional_policy(` + dbus_system_bus_client(openvpn_t) + dbus_connect_system_bus(openvpn_t) + + networkmanager_dbus_chat(openvpn_t) +') + +optional_policy(` + unconfined_attach_tun_iface(openvpn_t) +') diff --git a/policy/modules/services/pads.fc b/policy/modules/services/pads.fc new file mode 100644 index 0000000..0870c56 --- /dev/null +++ b/policy/modules/services/pads.fc @@ -0,0 +1,10 @@ +/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0) +/etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0) +/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0) +/etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0) + +/etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t, s0) + +/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0) + +/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0) diff --git a/policy/modules/services/pads.if b/policy/modules/services/pads.if new file mode 100644 index 0000000..8235fb6 --- /dev/null +++ b/policy/modules/services/pads.if 
@@ -0,0 +1,47 @@ +## <summary>Passive Asset Detection System</summary> +## <desc> +## <p> +## PADS is a libpcap based detection engine used to +## passively detect network assets. It is designed to +## complement IDS technology by providing context to IDS +## alerts. +## </p> +## </desc> + +######################################## +## <summary> +## All of the rules required to administrate +## an pads environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`pads_admin',` + gen_require(` + type pads_t, pads_config_t, pads_initrc_exec_t; + type pads_var_run_t; + ') + + allow $1 pads_t:process { ptrace signal_perms }; + ps_process_pattern($1, pads_t) + + init_labeled_script_domtrans($1, pads_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 pads_initrc_exec_t system_r; + allow $2 system_r; + + files_list_pids($1) + admin_pattern($1, pads_var_run_t) + + files_list_etc($1) + admin_pattern($1, pads_config_t) +') diff --git a/policy/modules/services/pads.te b/policy/modules/services/pads.te new file mode 100644 index 0000000..f414173 --- /dev/null +++ b/policy/modules/services/pads.te 
@@ -0,0 +1,62 @@ +policy_module(pads, 1.0.0) + +######################################## +# +# Declarations +# + +type pads_t; +type pads_exec_t; +init_daemon_domain(pads_t, pads_exec_t) + +type pads_initrc_exec_t; +init_script_file(pads_initrc_exec_t) + +type pads_config_t; +files_config_file(pads_config_t) + +type pads_var_run_t; +files_pid_file(pads_var_run_t) + +######################################## +# +# Declarations +# + +allow pads_t self:capability { dac_override net_raw }; +allow pads_t self:netlink_route_socket create_netlink_socket_perms; +allow pads_t self:packet_socket create_socket_perms; +allow pads_t self:udp_socket create_socket_perms; +allow pads_t self:unix_dgram_socket create_socket_perms; + +allow pads_t pads_config_t:file manage_file_perms; +files_etc_filetrans(pads_t, pads_config_t, file) + +allow pads_t pads_var_run_t:file manage_file_perms; +files_pid_filetrans(pads_t, pads_var_run_t, file) + +kernel_read_sysctl(pads_t) + +corecmd_search_bin(pads_t) + +corenet_all_recvfrom_unlabeled(pads_t) +corenet_all_recvfrom_netlabel(pads_t) +corenet_tcp_sendrecv_generic_if(pads_t) +corenet_tcp_sendrecv_generic_node(pads_t) +corenet_tcp_connect_prelude_port(pads_t) + +dev_read_rand(pads_t) +dev_read_urand(pads_t) + +files_read_etc_files(pads_t) +files_search_spool(pads_t) + +miscfiles_read_localization(pads_t) + +logging_send_syslog_msg(pads_t) + +sysnet_dns_name_resolve(pads_t) + +optional_policy(` + prelude_manage_spool(pads_t) +') diff --git a/policy/modules/services/passenger.fc b/policy/modules/services/passenger.fc new file mode 100644 index 0000000..8d00972 --- /dev/null +++ b/policy/modules/services/passenger.fc @@ -0,0 +1,6 @@ + +/usr/lib(64)?/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) + +/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) + +/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) 
diff --git a/policy/modules/services/passenger.if b/policy/modules/services/passenger.if new file mode 100644 index 0000000..66f9799 --- /dev/null +++ b/policy/modules/services/passenger.if @@ -0,0 +1,67 @@ +## <summary>Passenger policy</summary> + +###################################### +## <summary> +## Execute passenger in the passenger domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`passenger_domtrans',` + gen_require(` + type passenger_t, passenger_exec_t; + ') + + allow $1 self:capability { fowner fsetid }; + + allow $1 passenger_t:process signal; + + domtrans_pattern($1, passenger_exec_t, passenger_t) + allow $1 passenger_t:unix_stream_socket { read write shutdown }; + allow passenger_t $1:unix_stream_socket { read write }; +') + +###################################### +## <summary> +## Manage passenger var_run content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`passenger_manage_pid_content',` + gen_require(` + type passenger_var_run_t; + ') + + files_search_pids($1) + manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t) + manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t) + manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t) + manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t) +') + +######################################## +## <summary> +## Read passenger lib files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`passenger_read_lib_files',` + gen_require(` + type passenger_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) + read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) +') 
diff --git a/policy/modules/services/passenger.te b/policy/modules/services/passenger.te new file mode 100644 index 0000000..ba9fdb9 --- /dev/null +++ b/policy/modules/services/passenger.te 
@@ -0,0 +1,66 @@ +policy_module(passanger, 1.0.0) + +######################################## +# +# Declarations +# + +type passenger_t; +type passenger_exec_t; +domain_type(passenger_t) +domain_entry_file(passenger_t, passenger_exec_t) +role system_r types passenger_t; + +type passenger_tmp_t; +files_tmp_file(passenger_tmp_t) + +type passenger_var_lib_t; +files_type(passenger_var_lib_t) + +type passenger_var_run_t; +files_pid_file(passenger_var_run_t) + +permissive passenger_t; + +######################################## +# +# passanger local policy +# + +allow passenger_t self:capability { dac_override fsetid fowner chown setuid setgid }; +allow passenger_t self:process signal; +allow passenger_t self:fifo_file rw_fifo_file_perms; +allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto }; + +files_search_var_lib(passenger_t) +manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) +manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) + +manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) +manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) +manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) +manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) +files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) + +kernel_read_system_state(passenger_t) +kernel_read_kernel_sysctls(passenger_t) + +corenet_tcp_connect_http_port(passenger_t) + +corecmd_exec_bin(passenger_t) +corecmd_exec_shell(passenger_t) + +dev_read_urand(passenger_t) + +files_read_etc_files(passenger_t) + +auth_use_nsswitch(passenger_t) + +miscfiles_read_localization(passenger_t) + +userdom_dontaudit_use_user_terminals(passenger_t) + +optional_policy(` + apache_append_log(passenger_t) + apache_read_sys_content(passenger_t) +') 
diff --git a/policy/modules/services/pcscd.fc b/policy/modules/services/pcscd.fc new file mode 100644 index 0000000..87f17e8 --- /dev/null +++ b/policy/modules/services/pcscd.fc @@ -0,0 +1,6 @@ +/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0) +/var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0) +/var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0) +/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0) + +/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0) diff --git a/policy/modules/services/pcscd.if b/policy/modules/services/pcscd.if new file mode 100644 index 0000000..ea5ae69 --- /dev/null +++ b/policy/modules/services/pcscd.if 
@@ -0,0 +1,95 @@ +## <summary>PCSC smart card service</summary> + +######################################## +## <summary> +## Execute a domain transition to run pcscd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`pcscd_domtrans',` + gen_require(` + type pcscd_t, pcscd_exec_t; + ') + + domtrans_pattern($1, pcscd_exec_t, pcscd_t) +') + +######################################## +## <summary> +## Read pcscd pub files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pcscd_read_pub_files',` + gen_require(` + type pcscd_var_run_t; + ') + + files_search_pids($1) + allow $1 pcscd_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Manage pcscd pub files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pcscd_manage_pub_files',` + gen_require(` + type pcscd_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t) +') + +######################################## +## <summary> +## Manage pcscd pub fifo files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pcscd_manage_pub_pipes',` + gen_require(` + type pcscd_var_run_t; + ') + + files_search_pids($1) + manage_fifo_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t) +') + +######################################## +## <summary> +## Connect to pcscd over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pcscd_stream_connect',` + gen_require(` + type pcscd_t, pcscd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t) +') 
diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te new file mode 100644 index 0000000..df751a6 --- /dev/null +++ b/policy/modules/services/pcscd.te 
@@ -0,0 +1,78 @@ +policy_module(pcscd, 1.6.1) + +######################################## +# +# Declarations +# + +type pcscd_t; +type pcscd_exec_t; +init_daemon_domain(pcscd_t, pcscd_exec_t) + +# pid files +type pcscd_var_run_t; +files_pid_file(pcscd_var_run_t) + +######################################## +# +# pcscd local policy +# + +allow pcscd_t self:capability { dac_override dac_read_search }; +allow pcscd_t self:process signal; +allow pcscd_t self:fifo_file rw_fifo_file_perms; +allow pcscd_t self:unix_stream_socket create_stream_socket_perms; +allow pcscd_t self:unix_dgram_socket create_socket_perms; +allow pcscd_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) +manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) +manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) +manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) +files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) + +kernel_read_system_state(pcscd_t) + +corenet_all_recvfrom_unlabeled(pcscd_t) +corenet_all_recvfrom_netlabel(pcscd_t) +corenet_tcp_sendrecv_generic_if(pcscd_t) +corenet_tcp_sendrecv_generic_node(pcscd_t) +corenet_tcp_sendrecv_all_ports(pcscd_t) +corenet_tcp_connect_http_port(pcscd_t) + +dev_rw_generic_usb_dev(pcscd_t) +dev_rw_smartcard(pcscd_t) +dev_rw_usbfs(pcscd_t) +dev_read_sysfs(pcscd_t) + +files_read_etc_files(pcscd_t) +files_read_etc_runtime_files(pcscd_t) + +term_use_unallocated_ttys(pcscd_t) +term_dontaudit_getattr_pty_dirs(pcscd_t) + +locallogin_use_fds(pcscd_t) + +logging_send_syslog_msg(pcscd_t) + +miscfiles_read_localization(pcscd_t) + +sysnet_dns_name_resolve(pcscd_t) + +optional_policy(` + dbus_system_bus_client(pcscd_t) + + optional_policy(` + hal_dbus_chat(pcscd_t) + ') +') + +optional_policy(` + openct_stream_connect(pcscd_t) + openct_read_pid_files(pcscd_t) + openct_signull(pcscd_t) +') + +optional_policy(` + rpm_use_script_fds(pcscd_t) +') 
diff --git a/policy/modules/services/pegasus.fc b/policy/modules/services/pegasus.fc new file mode 100644 index 0000000..9515043 --- /dev/null +++ b/policy/modules/services/pegasus.fc @@ -0,0 +1,12 @@ + +/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) +/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) + +/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) +/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) + +/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) + +/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) + +/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) diff --git a/policy/modules/services/pegasus.if b/policy/modules/services/pegasus.if new file mode 100644 index 0000000..920b13f --- /dev/null +++ b/policy/modules/services/pegasus.if @@ -0,0 +1 @@ +## <summary>The Open Group Pegasus CIM/WBEM Server.</summary> diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te new file mode 100644 index 0000000..5322412 --- /dev/null +++ b/policy/modules/services/pegasus.te 
@@ -0,0 +1,157 @@ +policy_module(pegasus, 1.8.0) + +######################################## +# +# Declarations +# + +type pegasus_t; +type pegasus_exec_t; +init_daemon_domain(pegasus_t, pegasus_exec_t) + +type pegasus_data_t; +files_type(pegasus_data_t) + +type pegasus_tmp_t; +files_tmp_file(pegasus_tmp_t) + +type pegasus_conf_t; +files_type(pegasus_conf_t) + +type pegasus_mof_t; +files_type(pegasus_mof_t) + +type pegasus_var_run_t; +files_pid_file(pegasus_var_run_t) + +######################################## +# +# Local policy +# + +allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service }; +dontaudit pegasus_t self:capability sys_tty_config; +allow pegasus_t self:process signal; +allow pegasus_t self:fifo_file rw_fifo_file_perms; +allow pegasus_t self:unix_dgram_socket create_socket_perms; +allow pegasus_t self:unix_stream_socket create_stream_socket_perms; +allow pegasus_t self:tcp_socket create_stream_socket_perms; + +allow pegasus_t pegasus_conf_t:dir rw_dir_perms; +allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms }; +allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; + +manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) +manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) +manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) +filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { file dir }) + +can_exec(pegasus_t, pegasus_exec_t) + +allow pegasus_t pegasus_mof_t:dir list_dir_perms; +read_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t) +read_lnk_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t) + +manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) +manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) +files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir }) + +allow pegasus_t pegasus_var_run_t:sock_file { create_sock_file_perms setattr_sock_file_perms delete_sock_file_perms }; 
+manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) +manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) +files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir }) + +kernel_read_kernel_sysctls(pegasus_t) +kernel_read_fs_sysctls(pegasus_t) +kernel_read_system_state(pegasus_t) +kernel_search_vm_sysctl(pegasus_t) +kernel_read_net_sysctls(pegasus_t) +kernel_read_xen_state(pegasus_t) +kernel_write_xen_state(pegasus_t) + +corenet_all_recvfrom_unlabeled(pegasus_t) +corenet_all_recvfrom_netlabel(pegasus_t) +corenet_tcp_sendrecv_generic_if(pegasus_t) +corenet_tcp_sendrecv_generic_node(pegasus_t) +corenet_tcp_sendrecv_all_ports(pegasus_t) +corenet_tcp_bind_generic_node(pegasus_t) +corenet_tcp_bind_pegasus_http_port(pegasus_t) +corenet_tcp_bind_pegasus_https_port(pegasus_t) +corenet_tcp_connect_pegasus_http_port(pegasus_t) +corenet_tcp_connect_pegasus_https_port(pegasus_t) +corenet_tcp_connect_generic_port(pegasus_t) +corenet_sendrecv_generic_client_packets(pegasus_t) +corenet_sendrecv_pegasus_http_client_packets(pegasus_t) +corenet_sendrecv_pegasus_http_server_packets(pegasus_t) +corenet_sendrecv_pegasus_https_client_packets(pegasus_t) +corenet_sendrecv_pegasus_https_server_packets(pegasus_t) + +corecmd_exec_bin(pegasus_t) +corecmd_exec_shell(pegasus_t) + +dev_read_sysfs(pegasus_t) +dev_read_urand(pegasus_t) + +fs_getattr_all_fs(pegasus_t) +fs_search_auto_mountpoints(pegasus_t) +files_getattr_all_dirs(pegasus_t) + +auth_use_nsswitch(pegasus_t) +auth_domtrans_chk_passwd(pegasus_t) +auth_read_shadow(pegasus_t) + +domain_use_interactive_fds(pegasus_t) +domain_read_all_domains_state(pegasus_t) + +files_read_all_files(pegasus_t) +files_read_var_lib_symlinks(pegasus_t) + +hostname_exec(pegasus_t) + +init_rw_utmp(pegasus_t) +init_stream_connect_script(pegasus_t) + +logging_send_audit_msgs(pegasus_t) +logging_send_syslog_msg(pegasus_t) + +miscfiles_read_localization(pegasus_t) + +sysnet_domtrans_ifconfig(pegasus_t) + 
+userdom_dontaudit_use_unpriv_user_fds(pegasus_t) +userdom_dontaudit_search_user_home_dirs(pegasus_t) + +optional_policy(` + rpm_exec(pegasus_t) +') + +optional_policy(` + samba_manage_config(pegasus_t) +') + +optional_policy(` + ssh_exec(pegasus_t) +') + +optional_policy(` + seutil_sigchld_newrole(pegasus_t) + seutil_dontaudit_read_config(pegasus_t) +') + +optional_policy(` + udev_read_db(pegasus_t) +') + +optional_policy(` + unconfined_signull(pegasus_t) +') + +optional_policy(` + virt_domtrans(pegasus_t) + virt_manage_config(pegasus_t) +') + +optional_policy(` + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) +') diff --git a/policy/modules/services/perdition.fc b/policy/modules/services/perdition.fc new file mode 100644 index 0000000..bcdf89b --- /dev/null +++ b/policy/modules/services/perdition.fc @@ -0,0 +1,3 @@ +/etc/perdition(/.*)? gen_context(system_u:object_r:perdition_etc_t,s0) + +/usr/sbin/perdition -- gen_context(system_u:object_r:perdition_exec_t,s0) diff --git a/policy/modules/services/perdition.if b/policy/modules/services/perdition.if new file mode 100644 index 0000000..2b0bd64 --- /dev/null +++ b/policy/modules/services/perdition.if @@ -0,0 +1,15 @@ +## <summary>Perdition POP and IMAP proxy</summary> + +######################################## +## <summary> +## Connect to perdition over a TCP socket (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`perdition_tcp_connect',` + refpolicywarn(`$0($*) has been deprecated.') +') diff --git a/policy/modules/services/perdition.te b/policy/modules/services/perdition.te new file mode 100644 index 0000000..3636277 --- /dev/null +++ b/policy/modules/services/perdition.te 
@@ -0,0 +1,75 @@ +policy_module(perdition, 1.7.0) + +######################################## +# +# Declarations +# + +type perdition_t; +type perdition_exec_t; +init_daemon_domain(perdition_t, perdition_exec_t) + +type perdition_etc_t; +files_config_file(perdition_etc_t) + +type perdition_var_run_t; +files_pid_file(perdition_var_run_t) + +######################################## +# +# Local policy +# + +allow perdition_t self:capability { setgid setuid }; +dontaudit perdition_t self:capability sys_tty_config; +allow perdition_t self:process signal_perms; +allow perdition_t self:tcp_socket create_stream_socket_perms; +allow perdition_t self:udp_socket create_socket_perms; + +allow perdition_t perdition_etc_t:file read_file_perms; +files_search_etc(perdition_t) + +manage_files_pattern(perdition_t, perdition_var_run_t, perdition_var_run_t) +files_pid_filetrans(perdition_t, perdition_var_run_t, file) + +kernel_read_kernel_sysctls(perdition_t) +kernel_list_proc(perdition_t) +kernel_read_proc_symlinks(perdition_t) + +corenet_all_recvfrom_unlabeled(perdition_t) +corenet_all_recvfrom_netlabel(perdition_t) +corenet_tcp_sendrecv_generic_if(perdition_t) +corenet_udp_sendrecv_generic_if(perdition_t) +corenet_tcp_sendrecv_generic_node(perdition_t) +corenet_udp_sendrecv_generic_node(perdition_t) +corenet_tcp_sendrecv_all_ports(perdition_t) +corenet_udp_sendrecv_all_ports(perdition_t) +corenet_tcp_bind_generic_node(perdition_t) +corenet_tcp_bind_pop_port(perdition_t) +corenet_sendrecv_pop_server_packets(perdition_t) + +dev_read_sysfs(perdition_t) + +domain_use_interactive_fds(perdition_t) + +fs_getattr_all_fs(perdition_t) +fs_search_auto_mountpoints(perdition_t) + +files_read_etc_files(perdition_t) + +logging_send_syslog_msg(perdition_t) + +miscfiles_read_localization(perdition_t) + +sysnet_read_config(perdition_t) + +userdom_dontaudit_use_unpriv_user_fds(perdition_t) +userdom_dontaudit_search_user_home_dirs(perdition_t) + +optional_policy(` + seutil_sigchld_newrole(perdition_t) 
+') + +optional_policy(` + udev_read_db(perdition_t) +') diff --git a/policy/modules/services/pingd.fc b/policy/modules/services/pingd.fc new file mode 100644 index 0000000..ea085f7 --- /dev/null +++ b/policy/modules/services/pingd.fc @@ -0,0 +1,6 @@ +/etc/pingd.conf -- gen_context(system_u:object_r:pingd_etc_t,s0) +/etc/rc\.d/init\.d/whatsup-pingd -- gen_context(system_u:object_r:pingd_initrc_exec_t,s0) + +/usr/lib/pingd(/.*)? gen_context(system_u:object_r:pingd_modules_t,s0) + +/usr/sbin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0) diff --git a/policy/modules/services/pingd.if b/policy/modules/services/pingd.if new file mode 100644 index 0000000..1bfd8d2 --- /dev/null +++ b/policy/modules/services/pingd.if 
@@ -0,0 +1,96 @@ +## <summary>Pingd of the Whatsup cluster node up/down detection utility</summary> + +######################################## +## <summary> +## Execute a domain transition to run pingd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`pingd_domtrans',` + gen_require(` + type pingd_t, pingd_exec_t; + ') + + domtrans_pattern($1, pingd_exec_t, pingd_t) +') + +####################################### +## <summary> +## Read pingd etc configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pingd_read_config',` + gen_require(` + type pingd_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, pingd_etc_t, pingd_etc_t) +') + +####################################### +## <summary> +## Manage pingd etc configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pingd_manage_config',` + gen_require(` + type pingd_etc_t; + ') + + files_search_etc($1) + manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t) + manage_files_pattern($1, pingd_etc_t, pingd_etc_t) +') + +####################################### +## <summary> +## All of the rules required to administrate +## an pingd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the pingd domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`pingd_admin',` + gen_require(` + type pingd_t, pingd_etc_t, pingd_modules_t; + type pingd_initrc_exec_t; + ') + + allow $1 pingd_t:process { ptrace signal_perms }; + ps_process_pattern($1, pingd_t) + + init_labeled_script_domtrans($1, pingd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 pingd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, pingd_etc_t) + + files_list_usr($1) + admin_pattern($1, pingd_modules_t) +') diff --git a/policy/modules/services/pingd.te b/policy/modules/services/pingd.te new file mode 100644 index 0000000..4a9d196 --- /dev/null +++ b/policy/modules/services/pingd.te @@ -0,0 +1,47 @@ +policy_module(pingd, 1.0.0) + +######################################## +# +# Declarations +# + +type pingd_t; +type pingd_exec_t; +init_daemon_domain(pingd_t, pingd_exec_t) + +# type for config +type pingd_etc_t; +files_type(pingd_etc_t) + +type pingd_initrc_exec_t; +init_script_file(pingd_initrc_exec_t) + +# type for pingd modules +type pingd_modules_t; +files_type(pingd_modules_t) + +######################################## +# +# pingd local policy +# + +allow pingd_t self:capability net_raw; +allow pingd_t self:tcp_socket create_stream_socket_perms; +allow pingd_t self:rawip_socket create_socket_perms; + +read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t) + +read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t) +mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t) + +corenet_raw_bind_generic_node(pingd_t) +corenet_tcp_bind_generic_node(pingd_t) +corenet_tcp_bind_pingd_port(pingd_t) + +auth_use_nsswitch(pingd_t) + +files_search_usr(pingd_t) + +logging_send_syslog_msg(pingd_t) + +miscfiles_read_localization(pingd_t) diff --git a/policy/modules/services/piranha.fc b/policy/modules/services/piranha.fc new file mode 100644 index 0000000..2c7e06f --- /dev/null +++ b/policy/modules/services/piranha.fc 
@@ -0,0 +1,26 @@ + +/etc/rc\.d/init\.d/pulse -- gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0) + +# RHEL6 +#/etc/sysconfig/ha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0) + +/etc/piranha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0) + +/usr/bin/paster -- gen_context(system_u:object_r:piranha_web_exec_t,s0) + +/usr/sbin/fos -- gen_context(system_u:object_r:piranha_fos_exec_t,s0) +/usr/sbin/lvsd -- gen_context(system_u:object_r:piranha_lvs_exec_t,s0) +/usr/sbin/piranha_gui -- gen_context(system_u:object_r:piranha_web_exec_t,s0) +/usr/sbin/pulse -- gen_context(system_u:object_r:piranha_pulse_exec_t,s0) + +/var/lib/luci(/.*)? gen_context(system_u:object_r:piranha_web_data_t,s0) +/var/lib/luci/cert(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0) +/var/lib/luci/etc(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0) + +/var/log/piranha(/.*)? gen_context(system_u:object_r:piranha_log_t,s0) + +/var/run/fos\.pid -- gen_context(system_u:object_r:piranha_fos_var_run_t,s0) +/var/run/lvs\.pid -- gen_context(system_u:object_r:piranha_lvs_var_run_t,s0) +/var/run/piranha-httpd\.pid -- gen_context(system_u:object_r:piranha_web_var_run_t,s0) +/var/run/pulse\.pid -- gen_context(system_u:object_r:piranha_pulse_var_run_t,s0) + diff --git a/policy/modules/services/piranha.if b/policy/modules/services/piranha.if new file mode 100644 index 0000000..6403c17 --- /dev/null +++ b/policy/modules/services/piranha.if 
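Review bot: `/usr/bin/paster -- gen_context(system_u:object_r:piranha_web_exec_t,s0)` labels a generic Python Paste launcher, not a piranha binary, so any init script that starts a paster-based service will transition into `piranha_web_t`; together with the `/var/lib/luci(/.*)?`, `/var/lib/luci/cert(/.*)?` and `/var/lib/luci/etc(/.*)?` entries this makes `piranha_web_t` the domain for luci as well as for `piranha_gui`. State that in a comment at the top of the file (or split luci into its own module) so the shared domain is a documented decision rather than a side effect of the labeling. The commented-out RHEL6 context `#/etc/sysconfig/ha/lvs\.cf` should either be enabled inside a distro_redhat ifdef block or dropped instead of shipping as dead text, and the trailing empty `+` line at the end of the file can go.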
@@ -0,0 +1,173 @@ +## <summary>policy for piranha</summary> + +####################################### +## <summary> +## Creates types and rules for a basic +## cluster init daemon domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. +## </summary> +## </param> +# +template(`piranha_domain_template',` + gen_require(` + attribute piranha_domain; + ') + + ############################## + # + # piranha_$1_t declarations + # + + type piranha_$1_t, piranha_domain; + type piranha_$1_exec_t; + init_daemon_domain(piranha_$1_t, piranha_$1_exec_t) + + # pid files + type piranha_$1_var_run_t; + files_pid_file(piranha_$1_var_run_t) + + ############################## + # + # piranha_$1_t local policy + # + + manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t) + manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t) + files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file }) +') + +######################################## +## <summary> +## Execute a domain transition to run fos. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`piranha_domtrans_fos',` + gen_require(` + type piranha_fos_t, piranha_fos_exec_t; + ') + + domtrans_pattern($1, piranha_fos_exec_t, piranha_fos_t) +') + +####################################### +## <summary> +## Execute a domain transition to run lvsd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`piranha_domtrans_lvs',` + gen_require(` + type piranha_lvs_t, piranha_lvs_exec_t; + ') + + domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t) +') + +####################################### +## <summary> +## Execute a domain transition to run pulse. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`piranha_domtrans_pulse',` + gen_require(` + type piranha_pulse_t, piranha_pulse_exec_t; + ') + + domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t) +') + +####################################### +## <summary> +## Execute pulse server in the pulse domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`piranha_pulse_initrc_domtrans',` + gen_require(` + type piranha_pulse_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t) +') + +######################################## +## <summary> +## Allow the specified domain to read piranha's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`piranha_read_log',` + gen_require(` + type piranha_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, piranha_log_t, piranha_log_t) +') + +######################################## +## <summary> +## Allow the specified domain to append +## piranha log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`piranha_append_log',` + gen_require(` + type piranha_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, piranha_log_t, piranha_log_t) +') + +######################################## +## <summary> +## Allow domain to manage piranha log files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`piranha_manage_log',` + gen_require(` + type piranha_log_t; + ') + + logging_search_logs($1) + manage_dirs_pattern($1, piranha_log_t, piranha_log_t) + manage_files_pattern($1, piranha_log_t, piranha_log_t) + manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t) +') 
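Review bot: the summary of `piranha_pulse_initrc_domtrans` ("Execute pulse server in the pulse domain") does not describe what the body does: `init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t)` runs the pulse init script in the init script domain, not pulse in `piranha_pulse_t` (that is `piranha_domtrans_pulse`, directly above it). Reword it to "Execute the pulse init script in the init script domain." Smaller points: the separator lines alternate between 39 and 40 `#`, `piranha_read_log` carries `<rolecap/>` while `piranha_append_log` and `piranha_manage_log` do not, and the `piranha_manage_log` summary is missing its trailing period.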
diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te new file mode 100644 index 0000000..6b69f38 --- /dev/null +++ b/policy/modules/services/piranha.te 
@@ -0,0 +1,214 @@ +policy_module(piranha, 1.0.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow piranha-lvs domain to connect to the network using TCP. +## </p> +## </desc> +gen_tunable(piranha_lvs_can_network_connect, false) + +attribute piranha_domain; + +piranha_domain_template(fos) + +piranha_domain_template(lvs) + +piranha_domain_template(pulse) + +type piranha_pulse_initrc_exec_t; +init_script_file(piranha_pulse_initrc_exec_t) + +piranha_domain_template(web) + +type piranha_web_tmpfs_t; +files_tmpfs_file(piranha_web_tmpfs_t) + +type piranha_web_conf_t; +files_type(piranha_web_conf_t) + +type piranha_web_data_t; +files_type(piranha_web_data_t) + +type piranha_web_tmp_t; +files_tmp_file(piranha_web_tmp_t) + +type piranha_etc_rw_t; +files_type(piranha_etc_rw_t) + +type piranha_log_t; +logging_log_file(piranha_log_t) + +####################################### +# +# piranha-fos local policy +# + +kernel_read_kernel_sysctls(piranha_fos_t) + +domain_read_all_domains_state(piranha_fos_t) + +consoletype_exec(piranha_fos_t) + +# start and stop services +init_domtrans_script(piranha_fos_t) + +######################################## +# +# piranha-gui local policy +# + +allow piranha_web_t self:capability { setuid sys_nice kill setgid }; +allow piranha_web_t self:process { getsched setsched signal signull ptrace }; +allow piranha_web_t self:rawip_socket create_socket_perms; +allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms; +allow piranha_web_t self:sem create_sem_perms; +allow piranha_web_t self:shm create_shm_perms; + +manage_files_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t) +manage_dirs_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t) +files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file) + +read_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t) + +rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t) + 
+manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t) +manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t) +logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file }) + +can_exec(piranha_web_t, piranha_web_tmp_t) +manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t) +manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t) +files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir }) + +manage_dirs_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t) +manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t) +fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file }) + +piranha_pulse_initrc_domtrans(piranha_web_t) + +kernel_read_kernel_sysctls(piranha_web_t) + +corenet_tcp_bind_http_cache_port(piranha_web_t) +corenet_tcp_bind_luci_port(piranha_web_t) +corenet_tcp_bind_piranha_port(piranha_web_t) +corenet_tcp_connect_ricci_port(piranha_web_t) + +dev_read_urand(piranha_web_t) + +domain_read_all_domains_state(piranha_web_t) + +files_read_usr_files(piranha_web_t) + +consoletype_exec(piranha_web_t) + +optional_policy(` + apache_read_config(piranha_web_t) + apache_exec_modules(piranha_web_t) + apache_exec(piranha_web_t) +') + +optional_policy(` + gnome_dontaudit_search_config(piranha_web_t) +') + +optional_policy(` + sasl_connect(piranha_web_t) +') + +###################################### +# +# piranha-lvs local policy +# + +# neede by nanny +allow piranha_lvs_t self:capability { net_raw sys_nice }; +allow piranha_lvs_t self:process signal; +allow piranha_lvs_t self:unix_dgram_socket create_socket_perms; +allow piranha_lvs_t self:rawip_socket create_socket_perms; + +kernel_read_kernel_sysctls(piranha_lvs_t) + +# needed by nanny +corenet_tcp_connect_ftp_port(piranha_lvs_t) +corenet_tcp_connect_http_port(piranha_lvs_t) + +sysnet_dns_name_resolve(piranha_lvs_t) + +# needed by nanny +tunable_policy(`piranha_lvs_can_network_connect',` + 
corenet_tcp_connect_all_ports(piranha_lvs_t) +') + +# needed by ipvsadm +optional_policy(` + iptables_domtrans(piranha_lvs_t) +') + +####################################### +# +# piranha-pulse local policy +# + +allow piranha_pulse_t self:packet_socket create_socket_perms; + +# pulse starts fos and lvs daemon +domtrans_pattern(piranha_fos_t, piranha_fos_exec_t, piranha_fos_t) +allow piranha_pulse_t piranha_fos_t:process signal; + +domtrans_pattern(piranha_pulse_t, piranha_lvs_exec_t, piranha_lvs_t) +allow piranha_pulse_t piranha_lvs_t:process signal; + +corenet_udp_bind_apertus_ldp_port(piranha_pulse_t) + +sysnet_dns_name_resolve(piranha_pulse_t) + +optional_policy(` + netutils_domtrans_ping(piranha_pulse_t) +') + +optional_policy(` + sysnet_domtrans_ifconfig(piranha_pulse_t) +') + +#################################### +# +# piranha domains common policy +# + +allow piranha_domain self:fifo_file rw_fifo_file_perms; +allow piranha_domain self:tcp_socket create_stream_socket_perms; +allow piranha_domain self:udp_socket create_socket_perms; +allow piranha_domain self:unix_stream_socket create_stream_socket_perms; + +read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t) + +kernel_read_system_state(piranha_domain) +kernel_read_network_state(piranha_domain) + +corenet_all_recvfrom_unlabeled(piranha_domain) +corenet_all_recvfrom_netlabel(piranha_domain) +corenet_tcp_sendrecv_generic_if(piranha_domain) +corenet_udp_sendrecv_generic_if(piranha_domain) +corenet_tcp_sendrecv_generic_node(piranha_domain) +corenet_udp_sendrecv_generic_node(piranha_domain) +corenet_tcp_sendrecv_all_ports(piranha_domain) +corenet_udp_sendrecv_all_ports(piranha_domain) +corenet_tcp_bind_generic_node(piranha_domain) +corenet_udp_bind_generic_node(piranha_domain) + +files_read_etc_files(piranha_domain) + +corecmd_exec_bin(piranha_domain) +corecmd_exec_shell(piranha_domain) + +logging_send_syslog_msg(piranha_domain) + +miscfiles_read_localization(piranha_domain) + 
+sysnet_read_config(piranha_domain) diff --git a/policy/modules/services/plymouthd.fc b/policy/modules/services/plymouthd.fc new file mode 100644 index 0000000..5702ca4 --- /dev/null +++ b/policy/modules/services/plymouthd.fc @@ -0,0 +1,7 @@ +/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) + +/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) + +/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0) +/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) +/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if new file mode 100644 index 0000000..07dd3ff --- /dev/null +++ b/policy/modules/services/plymouthd.if 
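Review bot: in the piranha-pulse section of piranha.te, `domtrans_pattern(piranha_fos_t, piranha_fos_exec_t, piranha_fos_t)` names `piranha_fos_t` as the source domain; the comment above it says pulse starts fos, the matching lvs rule two lines down uses `piranha_pulse_t`, and the following `allow piranha_pulse_t piranha_fos_t:process signal;` assumes the transition exists. As written pulse cannot execute fos and fos is granted a pointless transition to itself; it should read `domtrans_pattern(piranha_pulse_t, piranha_fos_exec_t, piranha_fos_t)`. Also worth a look in the piranha-gui section: `can_exec(piranha_web_t, piranha_web_tmp_t)` next to `manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)` lets the GUI execute files it has just written to /tmp, so a comment on which component needs that (or dropping it) would help; `files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file)` only covers files while `manage_dirs_pattern` is granted on the same type, so directories the GUI creates under /var/lib would keep the generic label; and the comment "neede by nanny" should read "needed by nanny".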
@@ -0,0 +1,262 @@ +## <summary>Plymouth graphical boot</summary> + +######################################## +## <summary> +## Execute a domain transition to run plymouthd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`plymouthd_domtrans',` + gen_require(` + type plymouthd_t, plymouthd_exec_t; + ') + + domtrans_pattern($1, plymouthd_exec_t, plymouthd_t) +') + +######################################## +## <summary> +## Execute the plymoth daemon in the current domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`plymouthd_exec',` + gen_require(` + type plymouthd_exec_t; + ') + + can_exec($1, plymouthd_exec_t) +') + +######################################## +## <summary> +## Allow domain to Stream socket connect +## to Plymouth daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`plymouthd_stream_connect',` + gen_require(` + type plymouthd_t; + ') + + allow $1 plymouthd_t:unix_stream_socket connectto; +') + +######################################## +## <summary> +## Execute the plymoth command in the current domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`plymouthd_exec_plymouth',` + gen_require(` + type plymouth_exec_t; + ') + + can_exec($1, plymouth_exec_t) +') + +######################################## +## <summary> +## Execute a domain transition to run plymouthd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`plymouthd_domtrans_plymouth',` + gen_require(` + type plymouth_t, plymouth_exec_t; + ') + + domtrans_pattern($1, plymouth_exec_t, plymouth_t) +') + +######################################## +## <summary> +## Search plymouthd spool directories. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`plymouthd_search_spool',` + gen_require(` + type plymouthd_spool_t; + ') + + allow $1 plymouthd_spool_t:dir search_dir_perms; + files_search_spool($1) +') + +######################################## +## <summary> +## Read plymouthd spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`plymouthd_read_spool_files',` + gen_require(` + type plymouthd_spool_t; + ') + + files_search_spool($1) + read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## plymouthd spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`plymouthd_manage_spool_files',` + gen_require(` + type plymouthd_spool_t; + ') + + files_search_spool($1) + manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t) +') + +######################################## +## <summary> +## Search plymouthd lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`plymouthd_search_lib',` + gen_require(` + type plymouthd_var_lib_t; + ') + + allow $1 plymouthd_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Read plymouthd lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`plymouthd_read_lib_files',` + gen_require(` + type plymouthd_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## plymouthd lib files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`plymouthd_manage_lib_files',` + gen_require(` + type plymouthd_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t) +') + +######################################## +## <summary> +## Read plymouthd PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`plymouthd_read_pid_files',` + gen_require(` + type plymouthd_var_run_t; + ') + + files_search_pids($1) + allow $1 plymouthd_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an plymouthd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`plymouthd_admin',` + gen_require(` + type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t; + type plymouthd_var_run_t; + ') + + allow $1 plymouthd_t:process { ptrace signal_perms }; + ps_process_pattern($1, plymouthd_t) + + files_list_var_lib($1) + admin_pattern($1, plymouthd_spool_t) + + admin_pattern($1, plymouthd_var_lib_t) + + files_list_pids($1) + admin_pattern($1, plymouthd_var_run_t) +') diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te new file mode 100644 index 0000000..836e2e2 --- /dev/null +++ b/policy/modules/services/plymouthd.te 
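Review bot: in `plymouthd_admin`, `files_list_var_lib($1)` precedes `admin_pattern($1, plymouthd_spool_t)` while `admin_pattern($1, plymouthd_var_lib_t)` gets no directory search rule at all; since `plymouthd_spool_t` lives under /var/spool per plymouthd.fc, this should be `files_list_spool($1)` before the spool pattern and `files_list_var_lib($1)` before the var_lib pattern, mirroring the `files_list_pids($1)` / `admin_pattern($1, plymouthd_var_run_t)` pair below them. Documentation: the summary of `plymouthd_domtrans_plymouth` says "run plymouthd" but the body transitions to `plymouth_t` via `plymouth_exec_t`, so it should say "run plymouth"; "plymoth" in the `plymouthd_exec` and `plymouthd_exec_plymouth` summaries is misspelled; "Allow domain to Stream socket connect to Plymouth daemon" reads better as "Allow domain to connect to the plymouth daemon over a unix stream socket"; and "administrate an plymouthd environment" should be "a plymouthd environment".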
@@ -0,0 +1,104 @@ +policy_module(plymouthd, 1.0.0) + +######################################## +# +# Declarations +# + +type plymouth_t; +type plymouth_exec_t; +application_domain(plymouth_t, plymouth_exec_t) + +type plymouthd_t; +type plymouthd_exec_t; +init_daemon_domain(plymouthd_t, plymouthd_exec_t) + +type plymouthd_spool_t; +files_type(plymouthd_spool_t) + +type plymouthd_var_lib_t; +files_type(plymouthd_var_lib_t) + +type plymouthd_var_run_t; +files_pid_file(plymouthd_var_run_t) + +######################################## +# +# Plymouthd private policy +# + +allow plymouthd_t self:capability { sys_admin sys_tty_config }; +dontaudit plymouthd_t self:capability dac_override; +allow plymouthd_t self:process signal; +allow plymouthd_t self:fifo_file rw_fifo_file_perms; +allow plymouthd_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) +manage_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) +manage_sock_files_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t) +files_spool_filetrans(plymouthd_t, plymouthd_spool_t, { file dir sock_file }) + +manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) +manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) +files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir }) + +manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) +manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) +files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir }) + +kernel_read_system_state(plymouthd_t) +kernel_request_load_module(plymouthd_t) +kernel_change_ring_buffer_level(plymouthd_t) + +dev_rw_dri(plymouthd_t) +dev_read_sysfs(plymouthd_t) +dev_read_framebuffer(plymouthd_t) +dev_write_framebuffer(plymouthd_t) + +domain_use_interactive_fds(plymouthd_t) + +files_read_etc_files(plymouthd_t) +files_read_usr_files(plymouthd_t) + 
+term_use_unallocated_ttys(plymouthd_t) + +miscfiles_read_localization(plymouthd_t) +miscfiles_read_fonts(plymouthd_t) +miscfiles_manage_fonts_cache(plymouthd_t) + +userdom_read_admin_home_files(plymouthd_t) + +######################################## +# +# Plymouth private policy +# + +allow plymouth_t self:process signal; +allow plymouth_t self:fifo_file rw_file_perms; +allow plymouth_t self:unix_stream_socket create_stream_socket_perms; + +kernel_read_system_state(plymouth_t) +kernel_stream_connect(plymouth_t) + +domain_use_interactive_fds(plymouth_t) + +files_read_etc_files(plymouth_t) + +term_use_ptmx(plymouth_t) + +miscfiles_read_localization(plymouth_t) + +sysnet_read_config(plymouth_t) + +plymouthd_stream_connect(plymouth_t) + +ifdef(`hide_broken_symptoms',` + optional_policy(` + hal_dontaudit_write_log(plymouth_t) + hal_dontaudit_rw_pipes(plymouth_t) + ') +') + +optional_policy(` + lvm_domtrans(plymouth_t) +') diff --git a/policy/modules/services/policykit.fc b/policy/modules/services/policykit.fc new file mode 100644 index 0000000..c65d18f --- /dev/null +++ b/policy/modules/services/policykit.fc 
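Review bot: `allow plymouth_t self:fifo_file rw_file_perms;` in the Plymouth private policy uses the plain file permission set while `plymouthd_t` a few lines above (and every other fifo rule in this patch) uses `rw_fifo_file_perms`; switch it for consistency. `allow plymouthd_t self:capability { sys_admin sys_tty_config };` and `userdom_read_admin_home_files(plymouthd_t)` deserve a comment saying which plymouthd operation needs `sys_admin` and why a boot splash reads files in root's home; both are broad next to the rest of the domain, which is confined to the framebuffer, DRI, unallocated ttys, fonts and its own spool, lib and pid directories.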
@@ -0,0 +1,18 @@ +/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) +/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) +/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) + +/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) +/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) +/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) +/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) + +/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0) +/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) +/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) +/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) +/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) + diff --git a/policy/modules/services/policykit.if b/policy/modules/services/policykit.if new file mode 100644 index 0000000..13cdc77 --- /dev/null +++ b/policy/modules/services/policykit.if 
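Review bot: `/var/lib/misc/PolicyKit.reload` leaves the dot unescaped while every other path in this patch escapes it (`fos\.pid`, `lvs\.cf`), so the regex also matches names such as `PolicyKitXreload`; write `PolicyKit\.reload` and, since it is a single file, give it the `--` file-type specifier that the other file entries carry. The trailing empty `+` line at the end of the file can be dropped.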
@@ -0,0 +1,282 @@ +## <summary>Policy framework for controlling privileges for system-wide services.</summary> + +######################################## +## <summary> +## Send and receive messages from +## policykit over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`policykit_dbus_chat',` + gen_require(` + type policykit_t; + class dbus send_msg; + ') + + ps_process_pattern(policykit_t, $1) + + allow $1 policykit_t:dbus send_msg; + allow policykit_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Send and receive messages from +## policykit over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`policykit_dbus_chat_auth',` + gen_require(` + type policykit_auth_t; + class dbus send_msg; + ') + + ps_process_pattern(policykit_auth_t, $1) + + allow $1 policykit_auth_t:dbus send_msg; + allow policykit_auth_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Execute a domain transition to run polkit_auth. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`policykit_domtrans_auth',` + gen_require(` + type policykit_auth_t, policykit_auth_exec_t; + ') + + domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t) +') + +######################################## +## <summary> +## Execute a policy_auth in the policy_auth domain, and +## allow the specified role the policy_auth domain, +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`policykit_run_auth',` + gen_require(` + type policykit_auth_t; + ') + + policykit_domtrans_auth($1) + role $2 types policykit_auth_t; + + allow $1 policykit_auth_t:process signal; + ps_process_pattern(policykit_auth_t, $1) +') + +######################################## +## <summary> +## Execute a domain transition to run polkit_grant. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`policykit_domtrans_grant',` + gen_require(` + type policykit_grant_t, policykit_grant_exec_t; + ') + + domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t) +') + +######################################## +## <summary> +## Execute a policy_grant in the policy_grant domain, and +## allow the specified role the policy_grant domain, +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`policykit_run_grant',` + gen_require(` + type policykit_grant_t; + ') + + policykit_domtrans_grant($1) + role $2 types policykit_grant_t; + + allow $1 policykit_grant_t:process signal; + + ps_process_pattern(policykit_grant_t, $1) +') + +######################################## +## <summary> +## read policykit reload files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`policykit_read_reload',` + gen_require(` + type policykit_reload_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, policykit_reload_t, policykit_reload_t) +') + +######################################## +## <summary> +## rw policykit reload files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`policykit_rw_reload',` + gen_require(` + type policykit_reload_t; + ') + + files_search_var_lib($1) + rw_files_pattern($1, policykit_reload_t, policykit_reload_t) +') + +######################################## +## <summary> +## Execute a domain transition to run polkit_resolve. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`policykit_domtrans_resolve',` + gen_require(` + type policykit_resolve_t, policykit_resolve_exec_t; + ') + + domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t) + + ps_process_pattern(policykit_resolve_t, $1) +') + +######################################## +## <summary> +## Search policykit lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`policykit_search_lib',` + gen_require(` + type policykit_var_lib_t; + ') + + allow $1 policykit_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## read policykit lib files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`policykit_read_lib',` + gen_require(` + type policykit_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t) + + # Broken placement + cron_read_system_job_lib_files($1) +') + +####################################### +## <summary> +## The per role template for the policykit module. 
+## </summary> +## <param name="user_role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +template(`policykit_role',` + policykit_run_auth($2, $1) + policykit_run_grant($2, $1) + policykit_read_lib($2) + policykit_read_reload($2) + policykit_dbus_chat($2) +') + +######################################## +## <summary> +## Send generic signal to policy_auth +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`policykit_signal_auth',` + gen_require(` + type policykit_auth_t; + ') + + allow $1 policykit_auth_t:process signal; +') diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te new file mode 100644 index 0000000..7385ecf --- /dev/null +++ b/policy/modules/services/policykit.te 
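Review bot: `policykit_read_lib` ends with `cron_read_system_job_lib_files($1)` under a `# Broken placement` comment; an unconditional call into another module's interface from inside this one makes every caller of `policykit_read_lib` (including `policykit_role`) depend on the cron module being loaded and hands out cron job lib access that the interface name does not advertise. Move the call to the callers that need it, wrapped in `optional_policy`, or drop it. Documentation points: `policykit_dbus_chat_auth` copies the `policykit_dbus_chat` summary verbatim and should mention polkit_auth; the `policykit_run_auth` and `policykit_run_grant` summaries end in a comma and say "policy_auth" / "policy_grant" where the rest of the file says `polkit_auth` / `polkit_grant`; and the parameter of `policykit_signal_auth` is described as "Domain allowed to transition." although the interface only grants `process signal`.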
@@ -0,0 +1,276 @@ +policy_module(policykit, 1.1.0) + +######################################## +# +# Declarations +# + +type policykit_t alias polkit_t; +type policykit_exec_t alias polkit_exec_t; +init_daemon_domain(policykit_t, policykit_exec_t) + +type policykit_auth_t alias polkit_auth_t; +type policykit_auth_exec_t alias polkit_auth_exec_t; +init_daemon_domain(policykit_auth_t, policykit_auth_exec_t) + +type policykit_grant_t alias polkit_grant_t; +type policykit_grant_exec_t alias polkit_grant_exec_t; +init_system_domain(policykit_grant_t, policykit_grant_exec_t) + +type policykit_resolve_t alias polkit_resolve_t; +type policykit_resolve_exec_t alias polkit_resolve_exec_t; +init_system_domain(policykit_resolve_t, policykit_resolve_exec_t) + +type policykit_reload_t alias polkit_reload_t; +files_type(policykit_reload_t) + +type policykit_tmp_t; +files_tmp_file(policykit_tmp_t) + +type policykit_var_lib_t alias polkit_var_lib_t; +files_type(policykit_var_lib_t) + +type policykit_var_run_t alias polkit_var_run_t; +files_pid_file(policykit_var_run_t) + +######################################## +# +# policykit local policy +# + +allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace }; +allow policykit_t self:process { getsched getattr signal }; +allow policykit_t self:fifo_file rw_fifo_file_perms; +allow policykit_t self:unix_dgram_socket create_socket_perms; +allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto }; + +policykit_domtrans_auth(policykit_t) + +can_exec(policykit_t, policykit_exec_t) +corecmd_exec_bin(policykit_t) + +rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) + +policykit_domtrans_resolve(policykit_t) + +manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t) + +manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) +manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) 
+files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) + +kernel_read_system_state(policykit_t) +kernel_read_kernel_sysctls(policykit_t) + +domain_read_all_domains_state(policykit_t) + +files_read_etc_files(policykit_t) +files_read_usr_files(policykit_t) +files_dontaudit_search_all_mountpoints(policykit_t) + +fs_list_inotifyfs(policykit_t) + +auth_use_nsswitch(policykit_t) + +logging_send_syslog_msg(policykit_t) + +miscfiles_read_localization(policykit_t) + +userdom_getattr_all_users(policykit_t) +userdom_read_all_users_state(policykit_t) +userdom_dontaudit_search_admin_dir(policykit_t) + +optional_policy(` + dbus_system_domain(policykit_t, policykit_exec_t) + + optional_policy(` + consolekit_dbus_chat(policykit_t) + ') + + optional_policy(` + rpm_dbus_chat(policykit_t) + ') +') + +optional_policy(` + consolekit_list_pid_files(policykit_t) + consolekit_read_pid_files(policykit_t) +') + +optional_policy(` + gnome_read_config(policykit_t) +') + +######################################## +# +# polkit_auth local policy +# + +allow policykit_auth_t self:capability { ipc_lock setgid setuid }; +dontaudit policykit_auth_t self:capability sys_tty_config; +allow policykit_auth_t self:process { getattr getsched signal }; +allow policykit_auth_t self:fifo_file rw_fifo_file_perms; + +allow policykit_auth_t self:unix_dgram_socket create_socket_perms; +allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms; + +policykit_dbus_chat(policykit_auth_t) + +kernel_read_system_state(policykit_auth_t) + +can_exec(policykit_auth_t, policykit_auth_exec_t) +corecmd_exec_bin(policykit_auth_t) + +rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) + +manage_dirs_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t) +manage_files_pattern(policykit_auth_t, policykit_tmp_t, policykit_tmp_t) +files_tmp_filetrans(policykit_auth_t, policykit_tmp_t, { file dir }) + +manage_files_pattern(policykit_auth_t, policykit_var_lib_t, 
policykit_var_lib_t) + +manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) +manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) +files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) + +kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) + +dev_read_video_dev(policykit_auth_t) + +files_read_etc_files(policykit_auth_t) +files_read_usr_files(policykit_auth_t) +files_search_home(policykit_auth_t) + +fs_getattr_all_fs(polkit_auth_t) +fs_search_tmpfs(polkit_auth_t) + +auth_use_nsswitch(policykit_auth_t) +auth_read_var_auth(policykit_auth_t) +auth_domtrans_chk_passwd(policykit_auth_t) + +logging_send_syslog_msg(policykit_auth_t) + +miscfiles_read_localization(policykit_auth_t) +miscfiles_read_fonts(policykit_auth_t) +miscfiles_setattr_fonts_cache_dirs(policykit_auth_t) + +userdom_dontaudit_read_user_home_content_files(policykit_auth_t) +userdom_dontaudit_write_user_tmp_files(policykit_auth_t) +userdom_read_admin_home_files(policykit_auth_t) + +optional_policy(` + dbus_system_domain( policykit_auth_t, policykit_auth_exec_t) + dbus_session_bus_client(policykit_auth_t) + + optional_policy(` + consolekit_dbus_chat(policykit_auth_t) + ') +') + +optional_policy(` + kernel_search_proc(policykit_auth_t) + hal_read_state(policykit_auth_t) +') + +optional_policy(` + xserver_stream_connect(policykit_auth_t) + xserver_xdm_append_log(policykit_auth_t) + xserver_read_xdm_pid(policykit_auth_t) + xserver_search_xdm_lib(policykit_auth_t) + xserver_create_xdm_tmp_sockets(policykit_auth_t) +') + +######################################## +# +# polkit_grant local policy +# + +allow policykit_grant_t self:capability setuid; +allow policykit_grant_t self:process getattr; +allow policykit_grant_t self:fifo_file rw_fifo_file_perms; + +allow policykit_grant_t self:unix_dgram_socket create_socket_perms; +allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; + 
+policykit_domtrans_auth(policykit_grant_t) + +policykit_domtrans_resolve(policykit_grant_t) + +can_exec(policykit_grant_t, policykit_grant_exec_t) +corecmd_search_bin(policykit_grant_t) + +rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t) + +manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t) + +manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) + +files_read_etc_files(policykit_grant_t) +files_read_usr_files(policykit_grant_t) + +auth_use_nsswitch(policykit_grant_t) +auth_domtrans_chk_passwd(policykit_grant_t) + +logging_send_syslog_msg(policykit_grant_t) + +miscfiles_read_localization(policykit_grant_t) + +userdom_read_all_users_state(policykit_grant_t) + +optional_policy(` + cron_manage_system_job_lib_files(policykit_grant_t) +') + + optional_policy(` + dbus_system_bus_client(policykit_grant_t) + optional_policy(` + consolekit_dbus_chat(policykit_grant_t) + ') +') + +######################################## +# +# polkit_resolve local policy +# + +allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; +allow policykit_resolve_t self:process getattr; +allow policykit_resolve_t self:fifo_file rw_fifo_file_perms; + +allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; +allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; + +policykit_domtrans_auth(policykit_resolve_t) + +read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t) + +read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t) + +can_exec(policykit_resolve_t, policykit_resolve_exec_t) +corecmd_search_bin(policykit_resolve_t) + +files_read_etc_files(policykit_resolve_t) +files_read_usr_files(policykit_resolve_t) + +mcs_ptrace_all(policykit_resolve_t) + +auth_use_nsswitch(policykit_resolve_t) + +logging_send_syslog_msg(policykit_resolve_t) + +miscfiles_read_localization(policykit_resolve_t) + 
+userdom_read_all_users_state(policykit_resolve_t) + +optional_policy(` + dbus_system_bus_client(policykit_resolve_t) + + optional_policy(` + consolekit_dbus_chat(policykit_resolve_t) + ') +') + +optional_policy(` + kernel_search_proc(policykit_resolve_t) + hal_read_state(policykit_resolve_t) +') diff --git a/policy/modules/services/portmap.fc b/policy/modules/services/portmap.fc new file mode 100644 index 0000000..76f5834 --- /dev/null +++ b/policy/modules/services/portmap.fc @@ -0,0 +1,12 @@ + +/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0) + +ifdef(`distro_debian',` +/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) +/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) +', ` +/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) +/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) +') + +/var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0) diff --git a/policy/modules/services/portmap.if b/policy/modules/services/portmap.if new file mode 100644 index 0000000..374afcf --- /dev/null +++ b/policy/modules/services/portmap.if 
@@ -0,0 +1,89 @@ +## <summary>RPC port mapping service.</summary> + +######################################## +## <summary> +## Execute portmap_helper in the helper domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`portmap_domtrans_helper',` + gen_require(` + type portmap_helper_t, portmap_helper_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, portmap_helper_exec_t, portmap_helper_t) +') + +######################################## +## <summary> +## Execute portmap helper in the helper domain, and +## allow the specified role the helper domain. +## Communicate with portmap. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`portmap_run_helper',` + gen_require(` + type portmap_t, portmap_helper_t; + ') + + portmap_domtrans_helper($1) + role $2 types portmap_helper_t; +') + +######################################## +## <summary> +## Send UDP network traffic to portmap. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`portmap_udp_send',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Send and receive UDP network traffic from portmap. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`portmap_udp_chat',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Connect to portmap over a TCP socket (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`portmap_tcp_connect',` + refpolicywarn(`$0($*) has been deprecated.') +') diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te new file mode 100644 index 0000000..d1cf513 --- /dev/null +++ b/policy/modules/services/portmap.te 
@@ -0,0 +1,149 @@ +policy_module(portmap, 1.9.0) + +######################################## +# +# Declarations +# + +type portmap_t; +type portmap_exec_t; +init_daemon_domain(portmap_t, portmap_exec_t) + +type portmap_helper_t; +type portmap_helper_exec_t; +init_system_domain(portmap_helper_t, portmap_helper_exec_t) + +type portmap_tmp_t; +files_tmp_file(portmap_tmp_t) + +type portmap_var_run_t; +files_pid_file(portmap_var_run_t) + +######################################## +# +# Portmap local policy +# + +allow portmap_t self:capability { setuid setgid }; +dontaudit portmap_t self:capability sys_tty_config; +allow portmap_t self:netlink_route_socket r_netlink_socket_perms; +allow portmap_t self:unix_dgram_socket create_socket_perms; +allow portmap_t self:unix_stream_socket create_stream_socket_perms; +allow portmap_t self:tcp_socket create_stream_socket_perms; +allow portmap_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t) +manage_files_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t) +files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir }) + +manage_files_pattern(portmap_t, portmap_var_run_t, portmap_var_run_t) +files_pid_filetrans(portmap_t, portmap_var_run_t, file) + +kernel_read_system_state(portmap_t) +kernel_read_kernel_sysctls(portmap_t) + +corenet_all_recvfrom_unlabeled(portmap_t) +corenet_all_recvfrom_netlabel(portmap_t) +corenet_tcp_sendrecv_generic_if(portmap_t) +corenet_udp_sendrecv_generic_if(portmap_t) +corenet_tcp_sendrecv_generic_node(portmap_t) +corenet_udp_sendrecv_generic_node(portmap_t) +corenet_tcp_sendrecv_all_ports(portmap_t) +corenet_udp_sendrecv_all_ports(portmap_t) +corenet_tcp_bind_generic_node(portmap_t) +corenet_udp_bind_generic_node(portmap_t) +corenet_tcp_bind_portmap_port(portmap_t) +corenet_udp_bind_portmap_port(portmap_t) +corenet_tcp_connect_all_ports(portmap_t) +corenet_sendrecv_portmap_client_packets(portmap_t) +corenet_sendrecv_portmap_server_packets(portmap_t) +# 
portmap binds to arbitary ports +corenet_tcp_bind_generic_port(portmap_t) +corenet_udp_bind_generic_port(portmap_t) +corenet_tcp_bind_reserved_port(portmap_t) +corenet_udp_bind_reserved_port(portmap_t) +corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t) +corenet_dontaudit_udp_bind_all_ports(portmap_t) + +dev_read_sysfs(portmap_t) + +fs_getattr_all_fs(portmap_t) +fs_search_auto_mountpoints(portmap_t) + +domain_use_interactive_fds(portmap_t) + +files_read_etc_files(portmap_t) + +logging_send_syslog_msg(portmap_t) + +miscfiles_read_localization(portmap_t) + +sysnet_read_config(portmap_t) + +userdom_dontaudit_use_unpriv_user_fds(portmap_t) +userdom_dontaudit_search_user_home_dirs(portmap_t) + +optional_policy(` + nis_use_ypbind(portmap_t) +') + +optional_policy(` + nscd_socket_use(portmap_t) +') + +optional_policy(` + seutil_sigchld_newrole(portmap_t) +') + +optional_policy(` + udev_read_db(portmap_t) +') + +######################################## +# +# Portmap helper local policy +# + +dontaudit portmap_helper_t self:capability net_admin; +allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms; +allow portmap_helper_t self:tcp_socket create_stream_socket_perms; +allow portmap_helper_t self:udp_socket create_socket_perms; + +allow portmap_helper_t portmap_var_run_t:file manage_file_perms; +files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file) + +corenet_all_recvfrom_unlabeled(portmap_helper_t) +corenet_all_recvfrom_netlabel(portmap_helper_t) +corenet_tcp_sendrecv_generic_if(portmap_helper_t) +corenet_udp_sendrecv_generic_if(portmap_helper_t) +corenet_raw_sendrecv_generic_if(portmap_helper_t) +corenet_tcp_sendrecv_generic_node(portmap_helper_t) +corenet_udp_sendrecv_generic_node(portmap_helper_t) +corenet_raw_sendrecv_generic_node(portmap_helper_t) +corenet_tcp_sendrecv_all_ports(portmap_helper_t) +corenet_udp_sendrecv_all_ports(portmap_helper_t) +corenet_tcp_bind_generic_node(portmap_helper_t) 
+corenet_udp_bind_generic_node(portmap_helper_t) +corenet_tcp_bind_reserved_port(portmap_helper_t) +corenet_udp_bind_reserved_port(portmap_helper_t) +corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t) +corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t) +corenet_tcp_connect_all_ports(portmap_helper_t) + +domain_dontaudit_use_interactive_fds(portmap_helper_t) + +files_read_etc_files(portmap_helper_t) +files_rw_generic_pids(portmap_helper_t) + +init_rw_utmp(portmap_helper_t) + +logging_send_syslog_msg(portmap_helper_t) + +sysnet_read_config(portmap_helper_t) + +userdom_use_user_terminals(portmap_helper_t) +userdom_dontaudit_use_all_users_fds(portmap_helper_t) + +optional_policy(` + nis_use_ypbind(portmap_helper_t) +') diff --git a/policy/modules/services/portreserve.fc b/policy/modules/services/portreserve.fc new file mode 100644 index 0000000..1d9fa76 --- /dev/null +++ b/policy/modules/services/portreserve.fc @@ -0,0 +1,8 @@ + +/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0) + +/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) + +/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) + +/var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0) diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if new file mode 100644 index 0000000..7385056 --- /dev/null +++ b/policy/modules/services/portreserve.if 
@@ -0,0 +1,120 @@ +## <summary>Reserve well-known ports in the RPC port range.</summary> + +######################################## +## <summary> +## Execute a domain transition to run portreserve. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`portreserve_domtrans',` + gen_require(` + type portreserve_t, portreserve_exec_t; + ') + + domtrans_pattern($1, portreserve_exec_t, portreserve_t) +') + +######################################## +## <summary> +## Execute portreserve in the portreserve domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`portreserve_initrc_domtrans',` + gen_require(` + type portreserve_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, portreserve_initrc_exec_t) +') + +####################################### +## <summary> +## Allow the specified domain to read +## portreserve etcuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`portreserve_read_config',` + gen_require(` + type portreserve_etc_t; + ') + + files_search_etc($1) + allow $1 portreserve_etc_t:dir list_dir_perms; + read_files_pattern($1, portreserve_etc_t, portreserve_etc_t) + read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) +') + +####################################### +## <summary> +## Allow the specified domain to manage +## portreserve etcuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`portreserve_manage_config',` + gen_require(` + type portreserve_etc_t; + ') + + files_search_etc($1) + manage_dirs_pattern($1, portreserve_etc_t, portreserve_etc_t) + manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t) + read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an portreserve environment. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`portreserve_admin',` + gen_require(` + type portreserve_t, portreserve_etc_t, portreserve_var_run_t; + type portreserve_initrc_exec_t; + ') + + allow $1 portreserve_t:process { ptrace signal_perms }; + ps_process_pattern($1, portreserve_t) + + portreserve_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 portreserve_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, portreserve_etc_t) + + files_list_pids($1) + admin_pattern($1, portreserve_var_run_t) +') diff --git a/policy/modules/services/portreserve.te b/policy/modules/services/portreserve.te new file mode 100644 index 0000000..e091aba --- /dev/null +++ b/policy/modules/services/portreserve.te 
@@ -0,0 +1,54 @@ +policy_module(portreserve, 1.2.0) + +######################################## +# +# Declarations +# + +type portreserve_t; +type portreserve_exec_t; +init_daemon_domain(portreserve_t, portreserve_exec_t) + +type portreserve_initrc_exec_t; +init_script_file(portreserve_initrc_exec_t) + +type portreserve_etc_t; +files_type(portreserve_etc_t) + +type portreserve_var_run_t; +files_pid_file(portreserve_var_run_t) + +######################################## +# +# Portreserve local policy +# + +allow portreserve_t self:capability { dac_read_search dac_override }; +allow portreserve_t self:fifo_file rw_fifo_file_perms; +allow portreserve_t self:unix_stream_socket create_stream_socket_perms; +allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto }; +allow portreserve_t self:tcp_socket create_socket_perms; +allow portreserve_t self:udp_socket create_socket_perms; + +# Read etc files +list_dirs_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t) +read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t) + +# Manage /var/run/portreserve/* +manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) +manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) +manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) +files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }) + +corecmd_getattr_bin_files(portreserve_t) + +corenet_all_recvfrom_unlabeled(portreserve_t) +corenet_all_recvfrom_netlabel(portreserve_t) +corenet_tcp_bind_generic_node(portreserve_t) +corenet_udp_bind_generic_node(portreserve_t) +corenet_tcp_bind_all_ports(portreserve_t) +corenet_udp_bind_all_ports(portreserve_t) + +files_read_etc_files(portreserve_t) + +userdom_dontaudit_search_user_home_content(portreserve_t) diff --git a/policy/modules/services/portslave.fc b/policy/modules/services/portslave.fc new file mode 100644 index 0000000..2dd7786 
--- /dev/null +++ b/policy/modules/services/portslave.fc @@ -0,0 +1,4 @@ +/etc/portslave(/.*)? gen_context(system_u:object_r:portslave_etc_t,s0) + +/usr/sbin/ctlportslave -- gen_context(system_u:object_r:portslave_exec_t,s0) +/usr/sbin/portslave -- gen_context(system_u:object_r:portslave_exec_t,s0) diff --git a/policy/modules/services/portslave.if b/policy/modules/services/portslave.if new file mode 100644 index 0000000..b53ff77 --- /dev/null +++ b/policy/modules/services/portslave.if @@ -0,0 +1,19 @@ +## <summary>Portslave terminal server software</summary> + +######################################## +## <summary> +## Execute portslave with a domain transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`portslave_domtrans',` + gen_require(` + type portslave_t, portslave_exec_t; + ') + + domtrans_pattern($1, portslave_exec_t, portslave_t) +') diff --git a/policy/modules/services/portslave.te b/policy/modules/services/portslave.te new file mode 100644 index 0000000..69c331e --- /dev/null +++ b/policy/modules/services/portslave.te 
@@ -0,0 +1,125 @@ +policy_module(portslave, 1.7.0) + +######################################## +# +# Declarations +# + +type portslave_t; +type portslave_exec_t; +init_domain(portslave_t, portslave_exec_t) +init_daemon_domain(portslave_t, portslave_exec_t) + +type portslave_etc_t; +files_config_file(portslave_etc_t) + +type portslave_lock_t; +files_lock_file(portslave_lock_t) + +######################################## +# +# Local policy +# + +# setuid setgid net_admin fsetid for pppd +# sys_admin for ctlportslave +# net_bind_service for rlogin +allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config }; +dontaudit portslave_t self:capability sys_admin; +allow portslave_t self:process signal_perms; +allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow portslave_t self:fd use; +allow portslave_t self:fifo_file rw_fifo_file_perms; +allow portslave_t self:unix_dgram_socket create_socket_perms; +allow portslave_t self:unix_stream_socket create_stream_socket_perms; +allow portslave_t self:unix_dgram_socket sendto; +allow portslave_t self:unix_stream_socket connectto; +allow portslave_t self:shm create_shm_perms; +allow portslave_t self:sem create_sem_perms; +allow portslave_t self:msgq create_msgq_perms; +allow portslave_t self:msg { send receive }; +allow portslave_t self:tcp_socket create_stream_socket_perms; +allow portslave_t self:udp_socket create_socket_perms; + +allow portslave_t portslave_etc_t:dir list_dir_perms; +read_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t) +read_lnk_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t) + +allow portslave_t portslave_lock_t:file manage_file_perms; +files_lock_filetrans(portslave_t, portslave_lock_t, file) + +kernel_read_system_state(portslave_t) +kernel_read_kernel_sysctls(portslave_t) + +corecmd_exec_bin(portslave_t) +corecmd_exec_shell(portslave_t) + 
+corenet_all_recvfrom_unlabeled(portslave_t) +corenet_all_recvfrom_netlabel(portslave_t) +corenet_tcp_sendrecv_generic_if(portslave_t) +corenet_udp_sendrecv_generic_if(portslave_t) +corenet_tcp_sendrecv_generic_node(portslave_t) +corenet_udp_sendrecv_generic_node(portslave_t) +corenet_tcp_sendrecv_all_ports(portslave_t) +corenet_udp_sendrecv_all_ports(portslave_t) +corenet_rw_ppp_dev(portslave_t) + +dev_read_sysfs(portslave_t) +# for ssh +dev_read_urand(portslave_t) + +domain_use_interactive_fds(portslave_t) + +files_read_etc_files(portslave_t) +files_read_etc_runtime_files(portslave_t) +files_exec_etc_files(portslave_t) + +fs_search_auto_mountpoints(portslave_t) +fs_getattr_xattr_fs(portslave_t) + +term_use_unallocated_ttys(portslave_t) +term_setattr_unallocated_ttys(portslave_t) +term_use_all_ttys(portslave_t) +term_search_ptys(portslave_t) + +auth_rw_login_records(portslave_t) +auth_domtrans_chk_passwd(portslave_t) + +init_rw_utmp(portslave_t) + +logging_send_syslog_msg(portslave_t) +logging_search_logs(portslave_t) + +sysnet_read_config(portslave_t) + +userdom_use_unpriv_users_fds(portslave_t) +# for ~/.ppprc - if it actually exists then you need some policy to read it +userdom_search_user_home_dirs(portslave_t) + +mta_send_mail(portslave_t) + +# this should probably be a domtrans to pppd +# instead of exec. +ppp_read_rw_config(portslave_t) +ppp_exec(portslave_t) +ppp_read_secrets(portslave_t) +ppp_manage_pid_files(portslave_t) +ppp_pid_filetrans(portslave_t) + +ssh_exec(portslave_t) + +optional_policy(` + inetd_tcp_service_domain(portslave_t, portslave_exec_t) +') + +optional_policy(` + nis_use_ypbind(portslave_t) +') + +optional_policy(` + seutil_sigchld_newrole(portslave_t) +') + +optional_policy(` + udev_read_db(portslave_t) +') diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc new file mode 100644 index 0000000..c114a40 --- /dev/null +++ b/policy/modules/services/postfix.fc 
@@ -0,0 +1,54 @@ +# postfix +/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) +/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0) +ifdef(`distro_redhat', ` +/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) +/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) +/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) +/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) +/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) +/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) +/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) +/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0) +/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) +/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) +/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) +/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) +/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) +/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) +', ` +/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) +/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) +/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) +/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) +/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) +/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) +/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0) 
+/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) +/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) +/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) +/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) +/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) +/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) +') +/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) +/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) +/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) +/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) +/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) +/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) +/usr/sbin/postlock -- gen_context(system_u:object_r:postfix_master_exec_t,s0) +/usr/sbin/postlog -- gen_context(system_u:object_r:postfix_master_exec_t,s0) +/usr/sbin/postmap -- gen_context(system_u:object_r:postfix_map_exec_t,s0) +/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0) +/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0) + +/var/lib/postfix(/.*)? gen_context(system_u:object_r:postfix_data_t,s0) + +/var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) +/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) +/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) +/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) +/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0) +/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) +/var/spool/postfix/flush(/.*)? 
gen_context(system_u:object_r:postfix_spool_flush_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if new file mode 100644 index 0000000..7391f7e --- /dev/null +++ b/policy/modules/services/postfix.if 
@@ -0,0 +1,758 @@ +## <summary>Postfix email server</summary> + +######################################## +## <summary> +## Postfix stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postfix_stub',` + gen_require(` + type postfix_master_t; + ') +') + +######################################## +## <summary> +## Creates types and rules for a basic +## postfix process domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. +## </summary> +## </param> +# +template(`postfix_domain_template',` + type postfix_$1_t; + type postfix_$1_exec_t; + domain_type(postfix_$1_t) + domain_entry_file(postfix_$1_t, postfix_$1_exec_t) + role system_r types postfix_$1_t; + + dontaudit postfix_$1_t self:capability sys_tty_config; + allow postfix_$1_t self:process { signal_perms setpgid }; + allow postfix_$1_t self:unix_dgram_socket create_socket_perms; + allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms; + allow postfix_$1_t self:unix_stream_socket connectto; + + allow postfix_master_t postfix_$1_t:process signal; + #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456 + allow postfix_$1_t postfix_master_t:file read; + + allow postfix_$1_t postfix_etc_t:dir list_dir_perms; + read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t) + read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t) + + can_exec(postfix_$1_t, postfix_$1_exec_t) + + allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock }; + + allow postfix_$1_t postfix_master_t:process sigchld; + + allow postfix_$1_t postfix_spool_t:dir list_dir_perms; + + allow postfix_$1_t postfix_var_run_t:file manage_file_perms; + files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file) + + kernel_read_system_state(postfix_$1_t) + kernel_read_network_state(postfix_$1_t) + kernel_read_all_sysctls(postfix_$1_t) + + dev_read_sysfs(postfix_$1_t) 
+ dev_read_rand(postfix_$1_t) + dev_read_urand(postfix_$1_t) + + fs_search_auto_mountpoints(postfix_$1_t) + fs_getattr_xattr_fs(postfix_$1_t) + fs_rw_anon_inodefs_files(postfix_$1_t) + + term_dontaudit_use_console(postfix_$1_t) + + corecmd_exec_shell(postfix_$1_t) + + files_read_etc_files(postfix_$1_t) + files_read_etc_runtime_files(postfix_$1_t) + files_read_usr_files(postfix_$1_t) + files_read_usr_symlinks(postfix_$1_t) + files_search_spool(postfix_$1_t) + files_getattr_tmp_dirs(postfix_$1_t) + files_search_all_mountpoints(postfix_$1_t) + + init_dontaudit_use_fds(postfix_$1_t) + init_sigchld(postfix_$1_t) + + auth_use_nsswitch(postfix_$1_t) + + logging_send_syslog_msg(postfix_$1_t) + + miscfiles_read_localization(postfix_$1_t) + miscfiles_read_generic_certs(postfix_$1_t) + + userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t) + + optional_policy(` + udev_read_db(postfix_$1_t) + ') +') + +######################################## +## <summary> +## Creates a postfix server process domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix of the domain. 
+## </summary> +## </param> +# +template(`postfix_server_domain_template',` + postfix_domain_template($1) + + type postfix_$1_tmp_t; + files_tmp_file(postfix_$1_tmp_t) + + allow postfix_$1_t self:capability { setuid setgid dac_override }; + allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; + allow postfix_$1_t self:tcp_socket create_socket_perms; + allow postfix_$1_t self:udp_socket create_socket_perms; + + manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) + manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) + files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir }) + + domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) + + corenet_all_recvfrom_unlabeled(postfix_$1_t) + corenet_all_recvfrom_netlabel(postfix_$1_t) + corenet_tcp_sendrecv_generic_if(postfix_$1_t) + corenet_udp_sendrecv_generic_if(postfix_$1_t) + corenet_tcp_sendrecv_generic_node(postfix_$1_t) + corenet_udp_sendrecv_generic_node(postfix_$1_t) + corenet_tcp_sendrecv_all_ports(postfix_$1_t) + corenet_udp_sendrecv_all_ports(postfix_$1_t) + corenet_tcp_bind_generic_node(postfix_$1_t) + corenet_udp_bind_generic_node(postfix_$1_t) + corenet_tcp_connect_all_ports(postfix_$1_t) + corenet_sendrecv_all_client_packets(postfix_$1_t) +') + +######################################## +## <summary> +## Creates a process domain for programs +## that are ran by users. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix of the domain. 
+## </summary> +## </param> +# +template(`postfix_user_domain_template',` + gen_require(` + attribute postfix_user_domains, postfix_user_domtrans; + ') + + postfix_domain_template($1) + + typeattribute postfix_$1_t postfix_user_domains; + + allow postfix_$1_t self:capability dac_override; + + domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) + + domain_use_interactive_fds(postfix_$1_t) +') + +######################################## +## <summary> +## Read postfix configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`postfix_read_config',` + gen_require(` + type postfix_etc_t; + ') + + read_files_pattern($1, postfix_etc_t, postfix_etc_t) + read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t) + files_search_etc($1) +') + +######################################## +## <summary> +## Create files with the specified type in +## the postfix configuration directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="private type"> +## <summary> +## The type of the object to be created. +## </summary> +## </param> +## <param name="object"> +## <summary> +## The object class of the object being created. +## </summary> +## </param> +# +interface(`postfix_config_filetrans',` + gen_require(` + type postfix_etc_t; + ') + + files_search_etc($1) + filetrans_pattern($1, postfix_etc_t, $2, $3) +') + +######################################## +## <summary> +## Do not audit attempts to read and +## write postfix local delivery +## TCP sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`postfix_dontaudit_rw_local_tcp_sockets',` + gen_require(` + type postfix_local_t; + ') + + dontaudit $1 postfix_local_t:tcp_socket { read write }; +') + +######################################## +## <summary> +## Allow read/write postfix local pipes +## TCP sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postfix_rw_local_pipes',` + gen_require(` + type postfix_local_t; + ') + + allow $1 postfix_local_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## <summary> +## Allow domain to read postfix local process state +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postfix_read_local_state',` + gen_require(` + type postfix_local_t; + ') + + kernel_search_proc($1) + ps_process_pattern($1, postfix_local_t) +') + +######################################## +## <summary> +## Allow domain to read postfix master process state +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postfix_read_master_state',` + gen_require(` + type postfix_master_t; + ') + + kernel_search_proc($1) + ps_process_pattern($1, postfix_master_t) +') + +######################################## +## <summary> +## Do not audit attempts to use +## postfix master process file +## file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`postfix_dontaudit_use_fds',` + gen_require(` + type postfix_master_t; + ') + + dontaudit $1 postfix_master_t:fd use; +') + +######################################## +## <summary> +## Execute postfix_map in the postfix_map domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`postfix_domtrans_map',` + gen_require(` + type postfix_map_t, postfix_map_exec_t; + ') + + domtrans_pattern($1, postfix_map_exec_t, postfix_map_t) +') + +######################################## +## <summary> +## Execute postfix_map in the postfix_map domain, and +## allow the specified role the postfix_map domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`postfix_run_map',` + gen_require(` + type postfix_map_t; + ') + + postfix_domtrans_map($1) + role $2 types postfix_map_t; +') + +######################################## +## <summary> +## Execute the master postfix program in the +## postfix_master domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`postfix_domtrans_master',` + gen_require(` + type postfix_master_t, postfix_master_exec_t; + ') + + domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) +') + + +######################################## +## <summary> +## Execute the master postfix in the postfix master domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postfix_initrc_domtrans',` + gen_require(` + type postfix_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, postfix_initrc_exec_t) +') + +######################################## +## <summary> +## Execute the master postfix program in the +## caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`postfix_exec_master',` + gen_require(` + type postfix_master_exec_t; + ') + + can_exec($1, postfix_master_exec_t) +') + +####################################### +## <summary> +## Connect to postfix master process using a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postfix_stream_connect_master',` + gen_require(` + type postfix_master_t, postfix_public_t; + ') + + stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t) +') + +######################################## +## <summary> +## Execute the master postdrop in the +## postfix_postdrop domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`postfix_domtrans_postdrop',` + gen_require(` + type postfix_postdrop_t, postfix_postdrop_exec_t; + ') + + domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) +') + +######################################## +## <summary> +## Execute the master postqueue in the +## postfix_postqueue domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`postfix_domtrans_postqueue',` + gen_require(` + type postfix_postqueue_t, postfix_postqueue_exec_t; + ') + + domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t) +') + +####################################### +## <summary> +## Execute the master postqueue in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`posftix_exec_postqueue',` + gen_require(` + type postfix_postqueue_exec_t; + ') + + can_exec($1, postfix_postqueue_exec_t) +') + +######################################## +## <summary> +## Create a named socket in a postfix private directory. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postfix_create_private_sockets',` + gen_require(` + type postfix_private_t; + ') + + allow $1 postfix_private_t:dir list_dir_perms; + create_sock_files_pattern($1, postfix_private_t, postfix_private_t) +') + +######################################## +## <summary> +## manage named socket in a postfix private directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postfix_manage_private_sockets',` + gen_require(` + type postfix_private_t; + ') + + allow $1 postfix_private_t:dir list_dir_perms; + manage_sock_files_pattern($1, postfix_private_t, postfix_private_t) +') + +######################################## +## <summary> +## Execute the master postfix program in the +## postfix_master domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`postfix_domtrans_smtp',` + gen_require(` + type postfix_smtp_t, postfix_smtp_exec_t; + ') + + domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t) +') + +######################################## +## <summary> +## Getattr postfix mail spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postfix_getattr_spool_files',` + gen_require(` + attribute postfix_spool_type; + ') + + files_search_spool($1) + getattr_files_pattern($1, postfix_spool_type, postfix_spool_type) +') + +######################################## +## <summary> +## Search postfix mail spool directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`postfix_search_spool',` + gen_require(` + attribute postfix_spool_type; + ') + + allow $1 postfix_spool_type:dir search_dir_perms; + files_search_spool($1) +') + +######################################## +## <summary> +## List postfix mail spool directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postfix_list_spool',` + gen_require(` + attribute postfix_spool_type; + ') + + allow $1 postfix_spool_type:dir list_dir_perms; + files_search_spool($1) +') + +######################################## +## <summary> +## Read postfix mail spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postfix_read_spool_files',` + gen_require(` + attribute postfix_spool_type; + ') + + files_search_spool($1) + read_files_pattern($1, postfix_spool_type, postfix_spool_type) +') + +######################################## +## <summary> +## Create, read, write, and delete postfix mail spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postfix_manage_spool_files',` + gen_require(` + attribute postfix_spool_type; + ') + + files_search_spool($1) + manage_files_pattern($1, postfix_spool_type, postfix_spool_type) +') + +######################################## +## <summary> +## Execute postfix user mail programs +## in their respective domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postfix_domtrans_user_mail_handler',` + gen_require(` + attribute postfix_user_domtrans; + ') + + typeattribute $1 postfix_user_domtrans; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an postfix environment. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`postfix_admin',` + gen_require(` + attribute postfix_spool_type; + type postfix_bounce_t, postfix_cleanup_t, postfix_local_t; + type postfix_master_t, postfix_pickup_t, postfix_qmgr_t; + type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t; + type postfix_map_tmp_t, postfix_prng_t, postfix_public_t; + type postfix_smtpd_t, postfix_var_run_t; + ') + + allow $1 postfix_bounce_t:process { ptrace signal_perms }; + ps_process_pattern($1, postfix_bounce_t) + + allow $1 postfix_cleanup_t:process { ptrace signal_perms }; + ps_process_pattern($1, postfix_cleanup_t) + + allow $1 postfix_local_t:process { ptrace signal_perms }; + ps_process_pattern($1, postfix_local_t) + + allow $1 postfix_master_t:process { ptrace signal_perms }; + ps_process_pattern($1, postfix_master_t) + + allow $1 postfix_pickup_t:process { ptrace signal_perms }; + ps_process_pattern($1, postfix_pickup_t) + + allow $1 postfix_qmgr_t:process { ptrace signal_perms }; + ps_process_pattern($1, postfix_qmgr_t) + + allow $1 postfix_smtpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, postfix_smtpd_t) + + postfix_run_map($1, $2) + postfix_run_postdrop($1, $2) + + postfix_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 postfix_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, postfix_data_t) + + files_list_etc($1) + admin_pattern($1, postfix_etc_t) + + files_list_spool($1) + admin_pattern($1, postfix_spool_type) + + admin_pattern($1, postfix_var_run_t) + + files_list_tmp($1) + admin_pattern($1, postfix_map_tmp_t) + + admin_pattern($1, postfix_prng_t) + + admin_pattern($1, postfix_public_t) +') + +######################################## +## <summary> +## Execute the master postdrop in the +## postfix_postdrop domain. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <rolecap/> +# +interface(`postfix_run_postdrop',` + gen_require(` + type postfix_postdrop_t; + ') + + postfix_domtrans_postdrop($1) + role $2 types postfix_postdrop_t; +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te new file mode 100644 index 0000000..628fcda --- /dev/null +++ b/policy/modules/services/postfix.te 
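Review bot: the interface declared as `posftix_exec_postqueue` is misspelled (`posftix` for `postfix`), so nothing can call it by the name every neighbouring interface establishes; rename it to `postfix_exec_postqueue` before this lands. Several doc blocks in this hunk are also copied from neighbours and describe the wrong thing: `postfix_domtrans_smtp` and `postfix_initrc_domtrans` both claim to "Execute the master postfix program in the postfix_master domain", `postfix_rw_local_pipes` says "local pipes TCP sockets" while its rule is `allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;`, and `postfix_run_postdrop` uses `$2` for the role but documents only the `domain` parameter (compare `postfix_run_map`, which documents both). `postfix_admin`'s summary reads "an postfix environment" and should be "a postfix environment". One design question as well: `postfix_server_domain_template` hands every server domain `corenet_tcp_connect_all_ports` plus `self:capability { setuid setgid dac_override }`, while the per-domain rules in postfix.te show narrower needs (smtpd, for instance, gets an explicit `corenet_tcp_connect_postfix_policyd_port`); a comment on why the blanket grant was chosen over per-domain connect rules would help the next reviewer.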
@@ -0,0 +1,681 @@ +policy_module(postfix, 1.12.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow postfix_local domain full write access to mail_spool directories +## </p> +## </desc> +gen_tunable(allow_postfix_local_write_mail_spool, false) + +attribute postfix_spool_type; +attribute postfix_user_domains; +# domains that transition to the +# postfix user domains +attribute postfix_user_domtrans; + +postfix_server_domain_template(bounce) + +type postfix_spool_bounce_t, postfix_spool_type; +files_type(postfix_spool_bounce_t) + +postfix_server_domain_template(cleanup) + +type postfix_etc_t; +files_config_file(postfix_etc_t) + +type postfix_exec_t; +application_executable_file(postfix_exec_t) + +postfix_server_domain_template(local) +mta_mailserver_delivery(postfix_local_t) + +# Program for creating database files +type postfix_map_t; +type postfix_map_exec_t; +application_domain(postfix_map_t, postfix_map_exec_t) +role system_r types postfix_map_t; + +type postfix_map_tmp_t; +files_tmp_file(postfix_map_tmp_t) + +postfix_domain_template(master) +typealias postfix_master_t alias postfix_t; +# alias is a hack to make the disable trans bool +# generation macro work +mta_mailserver(postfix_t, postfix_master_exec_t) + +type postfix_initrc_exec_t; +init_script_file(postfix_initrc_exec_t) + +postfix_server_domain_template(pickup) + +postfix_server_domain_template(pipe) + +postfix_user_domain_template(postdrop) +mta_mailserver_user_agent(postfix_postdrop_t) + +postfix_user_domain_template(postqueue) +mta_mailserver_user_agent(postfix_postqueue_t) + +type postfix_private_t; +files_type(postfix_private_t) + +type postfix_prng_t; +files_type(postfix_prng_t) + +postfix_server_domain_template(qmgr) + +postfix_user_domain_template(showq) + +postfix_server_domain_template(smtp) +mta_mailserver_sender(postfix_smtp_t) + +postfix_server_domain_template(smtpd) + +type postfix_spool_t, postfix_spool_type; +files_type(postfix_spool_t) + 
+type postfix_spool_maildrop_t, postfix_spool_type; +files_type(postfix_spool_maildrop_t) + +type postfix_spool_flush_t, postfix_spool_type; +files_type(postfix_spool_flush_t) + +type postfix_public_t; +files_type(postfix_public_t) + +type postfix_var_run_t; +files_pid_file(postfix_var_run_t) + +# the data_directory config parameter +type postfix_data_t; +files_type(postfix_data_t) + +postfix_server_domain_template(virtual) +mta_mailserver_delivery(postfix_virtual_t) + +######################################## +# +# Postfix master process local policy +# + +# chown is to set the correct ownership of queue dirs +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; +allow postfix_master_t self:process setrlimit; +allow postfix_master_t self:fifo_file rw_fifo_file_perms; +allow postfix_master_t self:tcp_socket create_stream_socket_perms; +allow postfix_master_t self:udp_socket create_socket_perms; + +allow postfix_master_t postfix_etc_t:dir rw_dir_perms; +allow postfix_master_t postfix_etc_t:file rw_file_perms; +mta_filetrans_aliases(postfix_master_t, postfix_etc_t) + +can_exec(postfix_master_t, postfix_exec_t) + +allow postfix_master_t postfix_data_t:dir manage_dir_perms; +allow postfix_master_t postfix_data_t:file manage_file_perms; + +allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock }; + +allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms; + +allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms; + +manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) +manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) + +domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) + +allow postfix_master_t postfix_prng_t:file rw_file_perms; + +manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) +manage_sock_files_pattern(postfix_master_t, postfix_public_t, 
postfix_public_t) + +domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) + +# allow access to deferred queue and allow removing bogus incoming entries +manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) +manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) +files_spool_filetrans(postfix_master_t, postfix_spool_t, dir) + +allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms; +allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms; + +manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) +manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) +manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) + +delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + +kernel_read_all_sysctls(postfix_master_t) + +corenet_all_recvfrom_unlabeled(postfix_master_t) +corenet_all_recvfrom_netlabel(postfix_master_t) +corenet_tcp_sendrecv_generic_if(postfix_master_t) +corenet_udp_sendrecv_generic_if(postfix_master_t) +corenet_tcp_sendrecv_generic_node(postfix_master_t) +corenet_udp_sendrecv_generic_node(postfix_master_t) +corenet_tcp_sendrecv_all_ports(postfix_master_t) +corenet_udp_sendrecv_all_ports(postfix_master_t) +corenet_udp_bind_generic_node(postfix_master_t) +corenet_udp_bind_all_unreserved_ports(postfix_master_t) +corenet_dontaudit_udp_bind_all_ports(postfix_master_t) +corenet_tcp_bind_generic_node(postfix_master_t) +corenet_tcp_bind_amavisd_send_port(postfix_master_t) +corenet_tcp_bind_smtp_port(postfix_master_t) +corenet_tcp_connect_all_ports(postfix_master_t) +corenet_sendrecv_amavisd_send_server_packets(postfix_master_t) 
+corenet_sendrecv_smtp_server_packets(postfix_master_t) +corenet_sendrecv_all_client_packets(postfix_master_t) + +# for a find command +selinux_dontaudit_search_fs(postfix_master_t) + +corecmd_exec_shell(postfix_master_t) +corecmd_exec_bin(postfix_master_t) + +domain_use_interactive_fds(postfix_master_t) + +files_read_usr_files(postfix_master_t) +files_search_var_lib(postfix_master_t) +files_search_tmp(postfix_master_t) + +term_dontaudit_search_ptys(postfix_master_t) + +miscfiles_read_man_pages(postfix_master_t) + +seutil_sigchld_newrole(postfix_master_t) +# postfix does a "find" on startup for some reason - keep it quiet +seutil_dontaudit_search_config(postfix_master_t) + +mta_rw_aliases(postfix_master_t) +mta_read_sendmail_bin(postfix_master_t) +mta_getattr_spool(postfix_master_t) + +ifdef(`distro_redhat',` + # for newer main.cf that uses /etc/aliases + mta_manage_aliases(postfix_master_t) + mta_etc_filetrans_aliases(postfix_master_t) +') + +optional_policy(` + cyrus_stream_connect(postfix_master_t) +') + +optional_policy(` + kerberos_keytab_template(postfix, postfix_t) +') + +optional_policy(` +# for postalias + mailman_manage_data_files(postfix_master_t) +') + +optional_policy(` + mysql_stream_connect(postfix_master_t) +') + +optional_policy(` + postgrey_search_spool(postfix_master_t) +') + +optional_policy(` + sendmail_signal(postfix_master_t) +') + +######################################## +# +# Postfix bounce local policy +# + +allow postfix_bounce_t self:capability dac_read_search; +allow postfix_bounce_t self:tcp_socket create_socket_perms; + +allow postfix_bounce_t postfix_public_t:sock_file write; +allow postfix_bounce_t postfix_public_t:dir search_dir_perms; + +manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) +manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) +manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) +files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir) + 
+manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) +manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) +manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) + +######################################## +# +# Postfix cleanup local policy +# + +allow postfix_cleanup_t self:process setrlimit; + +# connect to master process +stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t) + +rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) +write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) + +manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) +manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) +manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) +files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir) + +allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; + +corecmd_exec_bin(postfix_cleanup_t) + +mta_read_aliases(postfix_cleanup_t) + +optional_policy(` + mailman_read_data_files(postfix_cleanup_t) +') + +######################################## +# +# Postfix local local policy +# + +allow postfix_local_t self:process { setsched setrlimit }; +allow postfix_local_t self:fifo_file rw_fifo_file_perms; + +# connect to master process +stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) + +# for .forward - maybe we need a new type for it? 
+rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) + +domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t) + +allow postfix_local_t postfix_spool_t:file rw_file_perms; + +corecmd_exec_shell(postfix_local_t) +corecmd_exec_bin(postfix_local_t) + +files_read_etc_files(postfix_local_t) + +logging_dontaudit_search_logs(postfix_local_t) + +mta_read_aliases(postfix_local_t) +mta_delete_spool(postfix_local_t) +# For reading spamassasin +mta_read_config(postfix_local_t) +# Handle vacation script +mta_send_mail(postfix_local_t) + +userdom_read_user_home_content_files(postfix_local_t) + +tunable_policy(`allow_postfix_local_write_mail_spool',` + mta_manage_spool(postfix_local_t) +') + +optional_policy(` + clamav_search_lib(postfix_local_t) + clamav_exec_clamscan(postfix_local_t) +') + +optional_policy(` +# for postalias + mailman_manage_data_files(postfix_local_t) + mailman_append_log(postfix_local_t) + mailman_read_log(postfix_local_t) +') + +optional_policy(` + nagios_search_spool(postfix_local_t) +') + +optional_policy(` + procmail_domtrans(postfix_local_t) +') + +optional_policy(` + zarafa_deliver_domtrans(postfix_local_t) +') + +######################################## +# +# Postfix map local policy +# +allow postfix_map_t self:capability { dac_override setgid setuid }; +allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; +allow postfix_map_t self:unix_dgram_socket create_socket_perms; +allow postfix_map_t self:tcp_socket create_stream_socket_perms; +allow postfix_map_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) +manage_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) +manage_lnk_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) + +manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) +manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) +files_tmp_filetrans(postfix_map_t, 
postfix_map_tmp_t, { file dir }) + +kernel_read_kernel_sysctls(postfix_map_t) +kernel_dontaudit_list_proc(postfix_map_t) +kernel_dontaudit_read_system_state(postfix_map_t) + +corenet_all_recvfrom_unlabeled(postfix_map_t) +corenet_all_recvfrom_netlabel(postfix_map_t) +corenet_tcp_sendrecv_generic_if(postfix_map_t) +corenet_udp_sendrecv_generic_if(postfix_map_t) +corenet_tcp_sendrecv_generic_node(postfix_map_t) +corenet_udp_sendrecv_generic_node(postfix_map_t) +corenet_tcp_sendrecv_all_ports(postfix_map_t) +corenet_udp_sendrecv_all_ports(postfix_map_t) +corenet_tcp_connect_all_ports(postfix_map_t) +corenet_sendrecv_all_client_packets(postfix_map_t) + +corecmd_list_bin(postfix_map_t) +corecmd_read_bin_symlinks(postfix_map_t) +corecmd_read_bin_files(postfix_map_t) +corecmd_read_bin_pipes(postfix_map_t) +corecmd_read_bin_sockets(postfix_map_t) + +files_list_home(postfix_map_t) +files_read_usr_files(postfix_map_t) +files_read_etc_files(postfix_map_t) +files_read_etc_runtime_files(postfix_map_t) +files_dontaudit_search_var(postfix_map_t) + +auth_use_nsswitch(postfix_map_t) + +logging_send_syslog_msg(postfix_map_t) + +miscfiles_read_localization(postfix_map_t) + +optional_policy(` + locallogin_dontaudit_use_fds(postfix_map_t) +') + +optional_policy(` +# for postalias + mailman_manage_data_files(postfix_map_t) +') + +######################################## +# +# Postfix pickup local policy +# + +allow postfix_pickup_t self:tcp_socket create_socket_perms; + +stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) + +rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) +rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) + +postfix_list_spool(postfix_pickup_t) + +allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; +read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, 
postfix_spool_maildrop_t) + +######################################## +# +# Postfix pipe local policy +# + +allow postfix_pipe_t self:process setrlimit; +allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; + +write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) + +write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t) + +rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) + +domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) + +corecmd_exec_bin(postfix_pipe_t) + +optional_policy(` + dovecot_domtrans_deliver(postfix_pipe_t) +') + +optional_policy(` + procmail_domtrans(postfix_pipe_t) +') + +optional_policy(` + mailman_domtrans_queue(postfix_pipe_t) +') + +optional_policy(` + mta_manage_spool(postfix_pipe_t) + mta_send_mail(postfix_pipe_t) +') + +optional_policy(` + spamassassin_domtrans_client(postfix_pipe_t) + spamassassin_kill_client(postfix_pipe_t) +') + +optional_policy(` + uucp_domtrans_uux(postfix_pipe_t) +') + +######################################## +# +# Postfix postdrop local policy +# + +# usually it does not need a UDP socket +allow postfix_postdrop_t self:capability sys_resource; +allow postfix_postdrop_t self:tcp_socket create; +allow postfix_postdrop_t self:udp_socket create_socket_perms; + +# Might be a leak, but I need a postfix expert to explain +allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; + +rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) + +postfix_list_spool(postfix_postdrop_t) +manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + +corenet_udp_sendrecv_generic_if(postfix_postdrop_t) +corenet_udp_sendrecv_generic_node(postfix_postdrop_t) + +term_dontaudit_use_all_ptys(postfix_postdrop_t) +term_dontaudit_use_all_ttys(postfix_postdrop_t) + +mta_rw_user_mail_stream_sockets(postfix_postdrop_t) + +optional_policy(` + 
apache_dontaudit_rw_fifo_file(postfix_postdrop_t) +') + +optional_policy(` + cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) +') + +# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951 +optional_policy(` + fstools_read_pipes(postfix_postdrop_t) +') + +optional_policy(` + sendmail_rw_unix_stream_sockets(postfix_postdrop_t) +') + +optional_policy(` + uucp_manage_spool(postfix_postdrop_t) +') + +####################################### +# +# Postfix postqueue local policy +# + +allow postfix_postqueue_t self:tcp_socket create; +allow postfix_postqueue_t self:udp_socket { create ioctl }; + +# wants to write to /var/spool/postfix/public/showq +stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t) + +# write to /var/spool/postfix/public/qmgr +write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t) + +domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) + +# to write the mailq output, it really should not need read access! 
+term_use_all_ptys(postfix_postqueue_t) +term_use_all_ttys(postfix_postqueue_t) + +init_sigchld_script(postfix_postqueue_t) +init_use_script_fds(postfix_postqueue_t) + +optional_policy(` + cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t) +') + +optional_policy(` + ppp_use_fds(postfix_postqueue_t) + ppp_sigchld(postfix_postqueue_t) +') + +######################################## +# +# Postfix qmgr local policy +# + +stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) + +rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) + +# for /var/spool/postfix/active +manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) +manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) +manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) +files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) + +allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; +allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; +allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms; + +corecmd_exec_bin(postfix_qmgr_t) + +######################################## +# +# Postfix showq local policy +# + +allow postfix_showq_t self:capability { setuid setgid }; +allow postfix_showq_t self:tcp_socket create_socket_perms; + +allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms }; + +allow postfix_showq_t postfix_spool_t:file read_file_perms; + +postfix_list_spool(postfix_showq_t) + +allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; +allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; +allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; + +# to write the mailq output, it really should not need read access! 
+term_use_all_ptys(postfix_showq_t) +term_use_all_ttys(postfix_showq_t) + +######################################## +# +# Postfix smtp delivery local policy +# + +# connect to master process +allow postfix_smtp_t self:capability sys_chroot; +stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) + +allow postfix_smtp_t postfix_prng_t:file rw_file_perms; + +allow postfix_smtp_t postfix_spool_t:file rw_file_perms; + +files_search_all_mountpoints(postfix_smtp_t) + +optional_policy(` + cyrus_stream_connect(postfix_smtp_t) +') + +optional_policy(` + milter_stream_connect_all(postfix_smtp_t) +') + +######################################## +# +# Postfix smtpd local policy +# +allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms; + +# connect to master process +stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) + +# Connect to policy server +corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) + +# for prng_exch +allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; +allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; + +corecmd_exec_bin(postfix_smtpd_t) + +# for OpenSSL certificates +files_read_usr_files(postfix_smtpd_t) + +# postfix checks the size of all mounted file systems +fs_getattr_all_dirs(postfix_smtpd_t) +fs_getattr_all_fs(postfix_smtpd_t) + +mta_read_aliases(postfix_smtpd_t) + +optional_policy(` + dovecot_stream_connect_auth(postfix_smtpd_t) +') + +optional_policy(` + mailman_read_data_files(postfix_smtpd_t) +') + +optional_policy(` + postgrey_stream_connect(postfix_smtpd_t) +') + +optional_policy(` + sasl_connect(postfix_smtpd_t) +') + +######################################## +# +# Postfix virtual local policy +# + +allow postfix_virtual_t self:process { setsched setrlimit }; +allow postfix_virtual_t self:fifo_file rw_fifo_file_perms; + +allow 
postfix_virtual_t postfix_spool_t:file rw_file_perms; + +# connect to master process +stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) + +corecmd_exec_shell(postfix_virtual_t) +corecmd_exec_bin(postfix_virtual_t) + +files_read_etc_files(postfix_virtual_t) +files_read_usr_files(postfix_virtual_t) + +mta_read_aliases(postfix_virtual_t) +mta_delete_spool(postfix_virtual_t) +# For reading spamassasin +mta_read_config(postfix_virtual_t) +mta_manage_spool(postfix_virtual_t) + +userdom_manage_user_home_dirs(postfix_virtual_t) +userdom_manage_user_home_content(postfix_virtual_t) +userdom_home_filetrans_user_home_dir(postfix_virtual_t) +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir }) diff --git a/policy/modules/services/postfixpolicyd.fc b/policy/modules/services/postfixpolicyd.fc new file mode 100644 index 0000000..4361cb6 --- /dev/null +++ b/policy/modules/services/postfixpolicyd.fc @@ -0,0 +1,6 @@ +/etc/policyd.conf -- gen_context(system_u:object_r:postfix_policyd_conf_t, s0) +/etc/rc\.d/init\.d/postfixpolicyd -- gen_context(system_u:object_r:postfix_policyd_initrc_exec_t,s0) + +/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0) + +/var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0) diff --git a/policy/modules/services/postfixpolicyd.if b/policy/modules/services/postfixpolicyd.if new file mode 100644 index 0000000..d960d3f --- /dev/null +++ b/policy/modules/services/postfixpolicyd.if 
@@ -0,0 +1,39 @@ +## <summary>Postfix policy server</summary> + +######################################## +## <summary> +## All of the rules required to administrate +## an postfixpolicyd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the postfixpolicyd domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`postfixpolicyd_admin',` + gen_require(` + type postfix_policyd_t, postfix_policyd_conf_t; + type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t; + ') + + allow $1 postfix_policyd_t:process { ptrace signal_perms }; + ps_process_pattern($1, postfix_policyd_t) + + init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 postfix_policyd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, postfix_policyd_conf_t) + + files_list_pids($1) + admin_pattern($1, postfix_policyd_var_run_t) +') diff --git a/policy/modules/services/postfixpolicyd.te b/policy/modules/services/postfixpolicyd.te new file mode 100644 index 0000000..7d73656 --- /dev/null +++ b/policy/modules/services/postfixpolicyd.te 
@@ -0,0 +1,53 @@ +policy_module(postfixpolicyd, 1.2.0) + +######################################## +# +# Declarations +# + +type postfix_policyd_t; +type postfix_policyd_exec_t; +init_daemon_domain(postfix_policyd_t, postfix_policyd_exec_t) + +type postfix_policyd_conf_t; +files_config_file(postfix_policyd_conf_t) + +type postfix_policyd_initrc_exec_t; +init_script_file(postfix_policyd_initrc_exec_t) + +type postfix_policyd_var_run_t; +files_pid_file(postfix_policyd_var_run_t) + +######################################## +# +# Local Policy +# + +allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid }; +allow postfix_policyd_t self:process setrlimit; +allow postfix_policyd_t self:tcp_socket create_stream_socket_perms; +allow postfix_policyd_t self:unix_dgram_socket create_socket_perms; + +allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms; +allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms; +allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms; + +manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t) +files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file) + +corenet_all_recvfrom_unlabeled(postfix_policyd_t) +corenet_tcp_sendrecv_generic_if(postfix_policyd_t) +corenet_tcp_sendrecv_generic_node(postfix_policyd_t) +corenet_tcp_sendrecv_all_ports(postfix_policyd_t) +corenet_tcp_bind_generic_node(postfix_policyd_t) +corenet_tcp_bind_postfix_policyd_port(postfix_policyd_t) +corenet_tcp_bind_mysqld_port(postfix_policyd_t) + +files_read_etc_files(postfix_policyd_t) +files_read_usr_files(postfix_policyd_t) + +logging_send_syslog_msg(postfix_policyd_t) + +miscfiles_read_localization(postfix_policyd_t) + +sysnet_dns_name_resolve(postfix_policyd_t) diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc new file mode 100644 index 0000000..f03fad4 --- /dev/null +++ b/policy/modules/services/postgresql.fc 
@@ -0,0 +1,48 @@ +# +# /etc +# +/etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0) +/etc/rc\.d/init\.d/(se)?postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0) +/etc/sysconfig/pgsql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0) + +# +# /usr +# +/usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) + +/usr/lib(64)?/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) +/usr/lib(64)?/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/lib(64)?/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0) + +ifdef(`distro_debian', ` +/usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0) +') + +ifdef(`distro_redhat', ` +/usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) +') + +# +# /var +# +/var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) + +/var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) +/var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) +/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0) + +/var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) +/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0) + +/var/log/postgres\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0) +/var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) +/var/log/sepostgresql\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0) + +ifdef(`distro_redhat', ` +/var/log/rhdb/rhdb(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) +') + +/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) + +/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) 
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if new file mode 100644 index 0000000..4782bdb --- /dev/null +++ b/policy/modules/services/postgresql.if 
@@ -0,0 +1,454 @@ +## <summary>PostgreSQL relational database</summary> + +####################################### +## <summary> +## Role access for SE-PostgreSQL. +## </summary> +## <param name="user_role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the user domain. +## </summary> +## </param> +# +interface(`postgresql_role',` + gen_require(` + class db_database all_db_database_perms; + class db_table all_db_table_perms; + class db_procedure all_db_procedure_perms; + class db_column all_db_column_perms; + class db_tuple all_db_tuple_perms; + class db_blob all_db_blob_perms; + + attribute sepgsql_client_type, sepgsql_database_type; + attribute sepgsql_sysobj_table_type; + + type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t; + type user_sepgsql_blob_t, user_sepgsql_proc_exec_t; + type user_sepgsql_sysobj_t, user_sepgsql_table_t; + ') + + ######################################## + # + # Declarations + # + + typeattribute $2 sepgsql_client_type; + role $1 types sepgsql_trusted_proc_t; + + ############################## + # + # Client local policy + # + + allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock }; + allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; + allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; + type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t; + + allow $2 user_sepgsql_sysobj_t:db_tuple { use select }; + type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t; + + allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; + type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t; + + allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; + type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t; + + allow $2 
sepgsql_trusted_proc_t:process transition; + type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; + + tunable_policy(`sepgsql_enable_users_ddl',` + allow $2 user_sepgsql_table_t:db_table { create drop setattr }; + allow $2 user_sepgsql_table_t:db_column { create drop setattr }; + + allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete }; + allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; + ') +') + +######################################## +## <summary> +## Marks as a SE-PostgreSQL loadable shared library module +## </summary> +## <param name="type"> +## <summary> +## Type marked as a database object type. +## </summary> +## </param> +# +interface(`postgresql_loadable_module',` + gen_require(` + attribute sepgsql_module_type; + ') + + typeattribute $1 sepgsql_module_type; +') + +######################################## +## <summary> +## Marks as a SE-PostgreSQL database object type +## </summary> +## <param name="type"> +## <summary> +## Type marked as a database object type. +## </summary> +## </param> +# +interface(`postgresql_database_object',` + gen_require(` + attribute sepgsql_database_type; + ') + + typeattribute $1 sepgsql_database_type; +') + +######################################## +## <summary> +## Marks as a SE-PostgreSQL table/column/tuple object type +## </summary> +## <param name="type"> +## <summary> +## Type marked as a table/column/tuple object type. +## </summary> +## </param> +# +interface(`postgresql_table_object',` + gen_require(` + attribute sepgsql_table_type; + ') + + typeattribute $1 sepgsql_table_type; +') + +######################################## +## <summary> +## Marks as a SE-PostgreSQL system table/column/tuple object type +## </summary> +## <param name="type"> +## <summary> +## Type marked as a table/column/tuple object type. 
+## </summary> +## </param> +# +interface(`postgresql_system_table_object',` + gen_require(` + attribute sepgsql_table_type, sepgsql_sysobj_table_type; + ') + + typeattribute $1 sepgsql_table_type; + typeattribute $1 sepgsql_sysobj_table_type; +') + +######################################## +## <summary> +## Marks as a SE-PostgreSQL procedure object type +## </summary> +## <param name="type"> +## <summary> +## Type marked as a database object type. +## </summary> +## </param> +# +interface(`postgresql_procedure_object',` + gen_require(` + attribute sepgsql_procedure_type; + ') + + typeattribute $1 sepgsql_procedure_type; +') + +######################################## +## <summary> +## Marks as a SE-PostgreSQL binary large object type +## </summary> +## <param name="type"> +## <summary> +## Type marked as a database binary large object type. +## </summary> +## </param> +# +interface(`postgresql_blob_object',` + gen_require(` + attribute sepgsql_blob_type; + ') + + typeattribute $1 sepgsql_blob_type; +') + +######################################## +## <summary> +## Allow the specified domain to search postgresql's database directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postgresql_search_db',` + gen_require(` + type postgresql_db_t; + ') + + allow $1 postgresql_db_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Allow the specified domain to manage postgresql's database. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postgresql_manage_db',` + gen_require(` + type postgresql_db_t; + ') + + allow $1 postgresql_db_t:dir rw_dir_perms; + allow $1 postgresql_db_t:file rw_file_perms; + allow $1 postgresql_db_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Execute postgresql in the postgresql domain. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`postgresql_domtrans',` + gen_require(` + type postgresql_t, postgresql_exec_t; + ') + + domtrans_pattern($1, postgresql_exec_t, postgresql_t) +') + +###################################### +## <summary> +## Allow domain to signal postgresql +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postgresql_signal',` + gen_require(` + type postgresql_t; + ') + allow $1 postgresql_t:process signal; +') + +######################################## +## <summary> +## Allow the specified domain to read postgresql's etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`postgresql_read_config',` + gen_require(` + type postgresql_etc_t; + ') + + files_search_etc($1) + allow $1 postgresql_etc_t:dir list_dir_perms; + allow $1 postgresql_etc_t:file read_file_perms; + allow $1 postgresql_etc_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Allow the specified domain to connect to postgresql with a tcp socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postgresql_tcp_connect',` + gen_require(` + type postgresql_t; + ') + + corenet_tcp_recvfrom_labeled($1, postgresql_t) + corenet_tcp_sendrecv_postgresql_port($1) + corenet_tcp_connect_postgresql_port($1) + corenet_sendrecv_postgresql_client_packets($1) +') + +######################################## +## <summary> +## Allow the specified domain to connect to postgresql with a unix socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`postgresql_stream_connect',` + gen_require(` + type postgresql_t, postgresql_var_run_t, postgresql_tmp_t; + ') + + files_search_pids($1) + files_search_tmp($1) + stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t) +') + +######################################## +## <summary> +## Allow the specified domain unprivileged accesses to unifined database objects +## managed by SE-PostgreSQL, +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postgresql_unpriv_client',` + gen_require(` + class db_database all_db_database_perms; + class db_table all_db_table_perms; + class db_procedure all_db_procedure_perms; + class db_column all_db_column_perms; + class db_tuple all_db_tuple_perms; + class db_blob all_db_blob_perms; + + attribute sepgsql_client_type; + attribute sepgsql_database_type, sepgsql_sysobj_table_type; + + type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t; + type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t; + type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t; + ') + + ######################################## + # + # Declarations + # + + typeattribute $1 sepgsql_client_type; + + ######################################## + # + # Client local policy + # + + type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; + allow $1 sepgsql_trusted_proc_t:process transition; + + allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock }; + allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert }; + allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; + type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t; + + allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select }; + type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; + + 
allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; + type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t; + + allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; + type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t; + + tunable_policy(`sepgsql_enable_users_ddl',` + allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; + allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr }; + allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete }; + allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr }; + ') +') + +######################################## +## <summary> +## Allow the specified domain unconfined accesses to any database objects +## managed by SE-PostgreSQL, +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postgresql_unconfined',` + gen_require(` + attribute sepgsql_unconfined_type; + ') + + typeattribute $1 sepgsql_unconfined_type; +') + +######################################## +## <summary> +## All of the rules required to administrate an postgresql environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the postgresql domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`postgresql_admin',` + gen_require(` + attribute sepgsql_admin_type, sepgsql_client_type; + type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t; + type postgresql_tmp_t, postgresql_db_t, postgresql_log_t; + type postgresql_etc_t; + ') + + typeattribute $1 sepgsql_admin_type; + + allow $1 postgresql_t:process { ptrace signal_perms }; + ps_process_pattern($1, postgresql_t) + + init_labeled_script_domtrans($1, postgresql_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 postgresql_initrc_exec_t system_r; + allow $2 system_r; + + files_list_pids($1) + admin_pattern($1, postgresql_var_run_t) + + files_list_var_lib($1) + admin_pattern($1, postgresql_db_t) + + files_list_etc($1) + admin_pattern($1, postgresql_etc_t) + + logging_list_logs($1) + admin_pattern($1, postgresql_log_t) + + files_list_tmp($1) + admin_pattern($1, postgresql_tmp_t) + + postgresql_tcp_connect($1) + postgresql_stream_connect($1) +') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te new file mode 100644 index 0000000..b4101fa --- /dev/null +++ b/policy/modules/services/postgresql.te 
@@ -0,0 +1,418 @@ +policy_module(postgresql, 1.11.1) + +gen_require(` + class db_database all_db_database_perms; + class db_table all_db_table_perms; + class db_procedure all_db_procedure_perms; + class db_column all_db_column_perms; + class db_tuple all_db_tuple_perms; + class db_blob all_db_blob_perms; +') + +################################# +# +# Declarations +# + +## <desc> +## <p> +## Allow unprived users to execute DDL statement +## </p> +## </desc> +gen_tunable(sepgsql_enable_users_ddl, true) + +## <desc> +## <p> +## Allow database admins to execute DML statement +## </p> +## </desc> +gen_tunable(sepgsql_unconfined_dbadm, true) + +type postgresql_t; +type postgresql_exec_t; +init_daemon_domain(postgresql_t, postgresql_exec_t) + +type postgresql_db_t; +files_type(postgresql_db_t) + +type postgresql_etc_t; +files_config_file(postgresql_etc_t) + +type postgresql_initrc_exec_t; +init_script_file(postgresql_initrc_exec_t) + +type postgresql_lock_t; +files_lock_file(postgresql_lock_t) + +type postgresql_log_t; +logging_log_file(postgresql_log_t) + +type postgresql_tmp_t; +files_tmp_file(postgresql_tmp_t) + +type postgresql_var_run_t; +files_pid_file(postgresql_var_run_t) + +# database clients attribute +attribute sepgsql_admin_type; +attribute sepgsql_client_type; +attribute sepgsql_unconfined_type; + +# database objects attribute +attribute sepgsql_database_type; +attribute sepgsql_table_type; +attribute sepgsql_sysobj_table_type; +attribute sepgsql_procedure_type; +attribute sepgsql_blob_type; +attribute sepgsql_module_type; + +# database object types +type sepgsql_blob_t; +postgresql_blob_object(sepgsql_blob_t) + +type sepgsql_db_t; +postgresql_database_object(sepgsql_db_t) + +type sepgsql_fixed_table_t; +postgresql_table_object(sepgsql_fixed_table_t) + +type sepgsql_proc_exec_t; +typealias sepgsql_proc_exec_t alias sepgsql_proc_t; +postgresql_procedure_object(sepgsql_proc_exec_t) + +type sepgsql_ro_blob_t; +postgresql_blob_object(sepgsql_ro_blob_t) + +type 
sepgsql_ro_table_t; +postgresql_table_object(sepgsql_ro_table_t) + +type sepgsql_secret_blob_t; +postgresql_blob_object(sepgsql_secret_blob_t) + +type sepgsql_secret_table_t; +postgresql_table_object(sepgsql_secret_table_t) + +type sepgsql_sysobj_t; +postgresql_system_table_object(sepgsql_sysobj_t) + +type sepgsql_table_t; +postgresql_table_object(sepgsql_table_t) + +type sepgsql_trusted_proc_exec_t; +postgresql_procedure_object(sepgsql_trusted_proc_exec_t) + +# Trusted Procedure Domain +type sepgsql_trusted_proc_t; +domain_type(sepgsql_trusted_proc_t) +postgresql_unconfined(sepgsql_trusted_proc_t) +role system_r types sepgsql_trusted_proc_t; + +# Types for unprivileged client +type unpriv_sepgsql_blob_t; +postgresql_blob_object(unpriv_sepgsql_blob_t) + +type unpriv_sepgsql_proc_exec_t; +postgresql_procedure_object(unpriv_sepgsql_proc_exec_t) + +type unpriv_sepgsql_sysobj_t; +postgresql_system_table_object(unpriv_sepgsql_sysobj_t) + +type unpriv_sepgsql_table_t; +postgresql_table_object(unpriv_sepgsql_table_t) + +# Types for UBAC +type user_sepgsql_blob_t; +typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t }; +typealias user_sepgsql_blob_t alias { auditadm_sepgsql_blob_t secadm_sepgsql_blob_t }; +postgresql_blob_object(user_sepgsql_blob_t) + +type user_sepgsql_proc_exec_t; +typealias user_sepgsql_proc_exec_t alias { staff_sepgsql_proc_exec_t sysadm_sepgsql_proc_exec_t }; +typealias user_sepgsql_proc_exec_t alias { auditadm_sepgsql_proc_exec_t secadm_sepgsql_proc_exec_t }; +postgresql_procedure_object(user_sepgsql_proc_exec_t) + +type user_sepgsql_sysobj_t; +typealias user_sepgsql_sysobj_t alias { staff_sepgsql_sysobj_t sysadm_sepgsql_sysobj_t }; +typealias user_sepgsql_sysobj_t alias { auditadm_sepgsql_sysobj_t secadm_sepgsql_sysobj_t }; +postgresql_system_table_object(user_sepgsql_sysobj_t) + +type user_sepgsql_table_t; +typealias user_sepgsql_table_t alias { staff_sepgsql_table_t sysadm_sepgsql_table_t }; +typealias 
user_sepgsql_table_t alias { auditadm_sepgsql_table_t secadm_sepgsql_table_t }; +postgresql_table_object(user_sepgsql_table_t) + +######################################## +# +# postgresql Local policy +# +allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin }; +dontaudit postgresql_t self:capability { sys_tty_config sys_admin }; +allow postgresql_t self:process signal_perms; +allow postgresql_t self:fifo_file rw_fifo_file_perms; +allow postgresql_t self:file { getattr read }; +allow postgresql_t self:sem create_sem_perms; +allow postgresql_t self:shm create_shm_perms; +allow postgresql_t self:tcp_socket create_stream_socket_perms; +allow postgresql_t self:udp_socket create_stream_socket_perms; +allow postgresql_t self:unix_dgram_socket create_socket_perms; +allow postgresql_t self:unix_stream_socket create_stream_socket_perms; +allow postgresql_t self:netlink_selinux_socket create_socket_perms; + +allow postgresql_t sepgsql_database_type:db_database *; +type_transition postgresql_t postgresql_t:db_database sepgsql_db_t; + +allow postgresql_t sepgsql_module_type:db_database install_module; +# Database/Loadable module +allow sepgsql_database_type sepgsql_module_type:db_database load_module; + +allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; +type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t; + +allow postgresql_t sepgsql_procedure_type:db_procedure *; +type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_exec_t; + +allow postgresql_t sepgsql_blob_type:db_blob *; +type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t; + +manage_dirs_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) +manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) +manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) +manage_fifo_files_pattern(postgresql_t, postgresql_db_t, 
postgresql_db_t) +manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) +files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file }) + +allow postgresql_t postgresql_etc_t:dir list_dir_perms; +read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) +read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) + +allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms; +can_exec(postgresql_t, postgresql_exec_t ) + +allow postgresql_t postgresql_lock_t:file manage_file_perms; +files_lock_filetrans(postgresql_t, postgresql_lock_t, file) + +manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) +logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir }) + +manage_dirs_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) +manage_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) +manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) +manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) +manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) +files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file }) +fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file }) + +manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) +manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) +manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) +files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file }) + +kernel_read_kernel_sysctls(postgresql_t) +kernel_read_system_state(postgresql_t) +kernel_list_proc(postgresql_t) +kernel_read_all_sysctls(postgresql_t) +kernel_read_proc_symlinks(postgresql_t) + +corenet_all_recvfrom_unlabeled(postgresql_t) +corenet_all_recvfrom_netlabel(postgresql_t) +corenet_tcp_sendrecv_generic_if(postgresql_t) 
+corenet_udp_sendrecv_generic_if(postgresql_t) +corenet_tcp_sendrecv_generic_node(postgresql_t) +corenet_udp_sendrecv_generic_node(postgresql_t) +corenet_tcp_sendrecv_all_ports(postgresql_t) +corenet_udp_sendrecv_all_ports(postgresql_t) +corenet_udp_bind_generic_node(postgresql_t) +corenet_tcp_bind_generic_node(postgresql_t) +corenet_tcp_bind_postgresql_port(postgresql_t) +corenet_tcp_connect_auth_port(postgresql_t) +corenet_tcp_connect_postgresql_port(postgresql_t) +corenet_sendrecv_postgresql_server_packets(postgresql_t) +corenet_sendrecv_auth_client_packets(postgresql_t) + +dev_read_sysfs(postgresql_t) +dev_read_urand(postgresql_t) + +fs_getattr_all_fs(postgresql_t) +fs_search_auto_mountpoints(postgresql_t) +fs_rw_hugetlbfs_files(postgresql_t) + +selinux_get_enforce_mode(postgresql_t) +selinux_validate_context(postgresql_t) +selinux_compute_access_vector(postgresql_t) +selinux_compute_create_context(postgresql_t) +selinux_compute_relabel_context(postgresql_t) + +term_use_controlling_term(postgresql_t) + +corecmd_exec_bin(postgresql_t) +corecmd_exec_shell(postgresql_t) + +domain_dontaudit_list_all_domains_state(postgresql_t) +domain_use_interactive_fds(postgresql_t) + +files_dontaudit_search_home(postgresql_t) +files_read_etc_files(postgresql_t) +files_read_etc_runtime_files(postgresql_t) +files_read_usr_files(postgresql_t) + +auth_use_pam(postgresql_t) + +init_read_utmp(postgresql_t) + +logging_send_syslog_msg(postgresql_t) +logging_send_audit_msgs(postgresql_t) + +miscfiles_read_localization(postgresql_t) + +seutil_libselinux_linked(postgresql_t) + +userdom_dontaudit_use_unpriv_user_fds(postgresql_t) +userdom_dontaudit_search_user_home_dirs(postgresql_t) +userdom_dontaudit_use_user_terminals(postgresql_t) + +mta_getattr_spool(postgresql_t) + +tunable_policy(`allow_execmem',` + allow postgresql_t self:process execmem; +') + +optional_policy(` + consoletype_exec(postgresql_t) +') + +optional_policy(` + cron_search_spool(postgresql_t) + 
cron_system_entry(postgresql_t, postgresql_exec_t) +') + +optional_policy(` + hostname_exec(postgresql_t) +') + +optional_policy(` + ipsec_match_default_spd(postgresql_t) +') + +optional_policy(` + kerberos_use(postgresql_t) +') + +optional_policy(` + seutil_sigchld_newrole(postgresql_t) +') + +optional_policy(` + udev_read_db(postgresql_t) +') + +######################################## +# +# Rules common to all clients +# + +allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param }; +type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t; + +allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert lock }; +allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert }; +allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; + +allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete lock }; +allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert }; +allow sepgsql_client_type sepgsql_table_t:db_tuple { use select update insert delete }; + +allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select lock }; +allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select }; +allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select }; + +allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr; +allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr; + +allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select lock }; +allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select }; +allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; + +allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr execute install }; +allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint }; + +allow sepgsql_client_type 
sepgsql_blob_t:db_blob { create drop getattr setattr read write }; +allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read }; +allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr; + +# The purpose of the dontaudit rule in row-level access control is to prevent a flood of logs. +# If a client tries to SELECT a table including violated tuples, these are filtered from +# the result set as if not exist, but its access denied longs can be recorded within log files. +# In generally, the number of tuples are much larger than the number of columns, tables and so on. +# So, it makes a flood of logs when many tuples are violated. +# +# The default policy does not prevent anything for sepgsql_client_type sepgsql_unconfined_type, +# so we don't need "dontaudit" rules in Type-Enforcement. However, MLS/MCS can prevent them +# to access classified tuples and can make a audit record. +# +# Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL. +dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete }; + +######################################## +# +# Rules common to administrator clients +# + +allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access }; +type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t; + +allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock }; +allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto }; +allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete }; + +type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t; + +allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr 
relabelfrom relabelto }; +allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute; + +type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; + +allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto }; + +type_transition sepgsql_admin_type sepgsql_database_type:db_blob sepgsql_blob_t; + +allow sepgsql_admin_type sepgsql_module_type:db_database install_module; + +kernel_relabelfrom_unlabeled_database(sepgsql_admin_type) + +tunable_policy(`sepgsql_unconfined_dbadm',` + allow sepgsql_admin_type sepgsql_database_type:db_database *; + + allow sepgsql_admin_type sepgsql_table_type:{ db_table db_column db_tuple } *; + + allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *; + allow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install; + allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install }; + + allow sepgsql_admin_type sepgsql_blob_type:db_blob *; +') + +######################################## +# +# Unconfined access to this module +# + +allow sepgsql_unconfined_type sepgsql_database_type:db_database *; +type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t; + +type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t; +type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; +type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t; + +allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *; + +# unconfined domain is not allowed to invoke user defined procedure directly. +# They have to confirm and relabel it at first. 
+allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure *; +allow sepgsql_unconfined_type sepgsql_trusted_proc_exec_t:db_procedure ~install; +allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install }; + +allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; + +allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; + +kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) diff --git a/policy/modules/services/postgrey.fc b/policy/modules/services/postgrey.fc new file mode 100644 index 0000000..e731841 --- /dev/null +++ b/policy/modules/services/postgrey.fc @@ -0,0 +1,12 @@ + +/etc/postgrey(/.*)? gen_context(system_u:object_r:postgrey_etc_t,s0) +/etc/rc\.d/init\.d/postgrey -- gen_context(system_u:object_r:postgrey_initrc_exec_t,s0) + +/usr/sbin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0) + +/var/lib/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_lib_t,s0) + +/var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0) +/var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0) + +/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0) diff --git a/policy/modules/services/postgrey.if b/policy/modules/services/postgrey.if new file mode 100644 index 0000000..6f55445 --- /dev/null +++ b/policy/modules/services/postgrey.if 
@@ -0,0 +1,81 @@ +## <summary>Postfix grey-listing server</summary> + +######################################## +## <summary> +## Write to postgrey socket +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postgrey_stream_connect',` + gen_require(` + type postgrey_var_run_t, postgrey_t, postgrey_spool_t; + ') + + stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t) + files_search_pids($1) + files_search_spool($1) +') + +######################################## +## <summary> +## Search the spool directory +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`postgrey_search_spool',` + gen_require(` + type postgrey_spool_t; + ') + + files_search_spool($1) + allow $1 postgrey_spool_t:dir search_dir_perms; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an postgrey environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the postgrey domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`postgrey_admin',` + gen_require(` + type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t; + type postgrey_var_lib_t, postgrey_var_run_t; + ') + + allow $1 postgrey_t:process { ptrace signal_perms }; + ps_process_pattern($1, postgrey_t) + + init_labeled_script_domtrans($1, postgrey_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 postgrey_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, postgrey_etc_t) + + files_list_var_lib($1) + admin_pattern($1, postgrey_var_lib_t) + + files_list_pids($1) + admin_pattern($1, postgrey_var_run_t) +') 
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te new file mode 100644 index 0000000..6e8c3c8 --- /dev/null +++ b/policy/modules/services/postgrey.te 
@@ -0,0 +1,107 @@ +policy_module(postgrey, 1.7.1) + +######################################## +# +# Declarations +# + +type postgrey_t; +type postgrey_exec_t; +init_daemon_domain(postgrey_t, postgrey_exec_t) + +type postgrey_etc_t; +files_config_file(postgrey_etc_t) + +type postgrey_initrc_exec_t; +init_script_file(postgrey_initrc_exec_t) + +type postgrey_spool_t; +files_type(postgrey_spool_t) + +type postgrey_var_lib_t; +files_type(postgrey_var_lib_t) + +type postgrey_var_run_t; +files_pid_file(postgrey_var_run_t) + +######################################## +# +# Local policy +# + +allow postgrey_t self:capability { chown dac_override setgid setuid }; +dontaudit postgrey_t self:capability sys_tty_config; +allow postgrey_t self:process signal_perms; +allow postgrey_t self:tcp_socket create_stream_socket_perms; +allow postgrey_t self:fifo_file create_fifo_file_perms; + +allow postgrey_t postgrey_etc_t:dir list_dir_perms; +read_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t) +read_lnk_files_pattern(postgrey_t, postgrey_etc_t, postgrey_etc_t) + +manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) +manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) +manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) +manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) + +manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t) +files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file) + +manage_dirs_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t) +manage_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t) +manage_sock_files_pattern(postgrey_t, postgrey_var_run_t, postgrey_var_run_t) +files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file }) + +kernel_read_system_state(postgrey_t) +kernel_read_kernel_sysctls(postgrey_t) + +# for perl +corecmd_search_bin(postgrey_t) + +corenet_all_recvfrom_unlabeled(postgrey_t) 
+corenet_all_recvfrom_netlabel(postgrey_t) +corenet_tcp_sendrecv_generic_if(postgrey_t) +corenet_tcp_sendrecv_generic_node(postgrey_t) +corenet_tcp_sendrecv_all_ports(postgrey_t) +corenet_tcp_bind_generic_node(postgrey_t) +corenet_tcp_bind_postgrey_port(postgrey_t) +corenet_sendrecv_postgrey_server_packets(postgrey_t) + +dev_read_urand(postgrey_t) +dev_read_sysfs(postgrey_t) + +domain_use_interactive_fds(postgrey_t) + +files_read_etc_files(postgrey_t) +files_read_etc_runtime_files(postgrey_t) +files_read_usr_files(postgrey_t) +files_getattr_tmp_dirs(postgrey_t) + +fs_getattr_all_fs(postgrey_t) +fs_search_auto_mountpoints(postgrey_t) + +logging_send_syslog_msg(postgrey_t) + +miscfiles_read_localization(postgrey_t) + +sysnet_read_config(postgrey_t) + +userdom_dontaudit_use_unpriv_user_fds(postgrey_t) +userdom_dontaudit_search_user_home_dirs(postgrey_t) + +optional_policy(` + nis_use_ypbind(postgrey_t) +') + +optional_policy(` + postfix_read_config(postgrey_t) + postfix_manage_spool_files(postgrey_t) +') + +optional_policy(` + seutil_sigchld_newrole(postgrey_t) +') + +optional_policy(` + udev_read_db(postgrey_t) +') diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc new file mode 100644 index 0000000..2d82c6d --- /dev/null +++ b/policy/modules/services/ppp.fc 
@@ -0,0 +1,38 @@ +# +# /etc +# +/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) + +/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) +/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) +/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) +/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0) +/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) +# Fix /etc/ppp {up,down} family scripts (see man pppd) +/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) + +/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0) + +# +# /sbin +# +/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) + +# +# /usr +# +/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0) +/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0) +/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0) + +# +# /var +# +/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0) +/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0) +/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0) +# Fix pptp sockets +/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) + +/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) +/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0) diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if new file mode 100644 index 0000000..09699d1 --- /dev/null +++ b/policy/modules/services/ppp.if 
@@ -0,0 +1,394 @@ +## <summary>Point to Point Protocol daemon creates links in ppp networks</summary> + +######################################## +## <summary> +## Use PPP file discriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ppp_use_fds',` + gen_require(` + type pppd_t; + ') + + allow $1 pppd_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to inherit +## and use PPP file discriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`ppp_dontaudit_use_fds',` + gen_require(` + type pppd_t; + ') + + dontaudit $1 pppd_t:fd use; +') + +######################################## +## <summary> +## Send a SIGCHLD signal to PPP. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ppp_sigchld',` + gen_require(` + type pppd_t; + + ') + + allow $1 pppd_t:process sigchld; +') + +######################################## +## <summary> +## Send ppp a kill signal +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ppp_kill',` + gen_require(` + type pppd_t; + ') + + allow $1 pppd_t:process sigkill; +') + +######################################## +## <summary> +## Send a generic signal to PPP. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ppp_signal',` + gen_require(` + type pppd_t; + ') + + allow $1 pppd_t:process signal; +') + +######################################## +## <summary> +## Send a generic signull to PPP. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`ppp_signull',` + gen_require(` + type pppd_t; + ') + + allow $1 pppd_t:process signull; +') + +######################################## +## <summary> +## Execute domain in the ppp domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ppp_domtrans',` + gen_require(` + type pppd_t, pppd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, pppd_exec_t, pppd_t) +') + +######################################## +## <summary> +## Conditionally execute ppp daemon on behalf of a user or staff type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the ppp domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`ppp_run_cond',` + gen_require(` + type pppd_t; + ') + + role $2 types pppd_t; + + tunable_policy(`pppd_for_user',` + ppp_domtrans($1) + ') +') + +######################################## +## <summary> +## Unconditionally execute ppp daemon on behalf of a user or staff type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the ppp domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`ppp_run',` + gen_require(` + type pppd_t, pptp_t; + ') + + ppp_domtrans($1) + role $2 types { pppd_t pptp_t }; + + optional_policy(` + ddclient_run(pppd_t, $2) + ') +') + +######################################## +## <summary> +## Execute domain in the ppp caller. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`ppp_exec',` + gen_require(` + type pppd_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, pppd_exec_t) +') + +######################################## +## <summary> +## Read ppp configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ppp_read_config',` + gen_require(` + type pppd_etc_t; + ') + + read_files_pattern($1, pppd_etc_t, pppd_etc_t) + files_search_etc($1) +') + +######################################## +## <summary> +## Read PPP-writable configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ppp_read_rw_config',` + gen_require(` + type pppd_etc_t, pppd_etc_rw_t; + ') + + allow $1 pppd_etc_t:dir list_dir_perms; + allow $1 pppd_etc_rw_t:file read_file_perms; + files_search_etc($1) +') + +######################################## +## <summary> +## Read PPP secrets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ppp_read_secrets',` + gen_require(` + type pppd_etc_t, pppd_secret_t; + ') + + allow $1 pppd_etc_t:dir list_dir_perms; + allow $1 pppd_secret_t:file read_file_perms; + files_search_etc($1) +') + +######################################## +## <summary> +## Read PPP pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ppp_read_pid_files',` + gen_require(` + type pppd_var_run_t; + ') + + files_search_pids($1) + allow $1 pppd_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete PPP pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`ppp_manage_pid_files',` + gen_require(` + type pppd_var_run_t; + ') + + files_search_pids($1) + allow $1 pppd_var_run_t:file manage_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete PPP pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ppp_pid_filetrans',` + gen_require(` + type pppd_var_run_t; + ') + + files_pid_filetrans($1, pppd_var_run_t, file) +') + +######################################## +## <summary> +## Execute ppp server in the ntpd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ppp_initrc_domtrans',` + gen_require(` + type pppd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, pppd_initrc_exec_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an ppp environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`ppp_admin',` + gen_require(` + type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t; + type pppd_etc_t, pppd_secret_t, pppd_var_run_t; + type pptp_t, pptp_log_t, pptp_var_run_t; + type pppd_initrc_exec_t, pppd_etc_rw_t; + ') + + allow $1 pppd_t:process { ptrace signal_perms }; + ps_process_pattern($1, pppd_t) + + allow $1 pptp_t:process { ptrace signal_perms }; + ps_process_pattern($1, pptp_t) + + ppp_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 pppd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, pppd_tmp_t) + + logging_list_logs($1) + admin_pattern($1, pppd_log_t) + + files_list_locks($1) + admin_pattern($1, pppd_lock_t) + + files_list_etc($1) + admin_pattern($1, pppd_etc_t) + + admin_pattern($1, pppd_etc_rw_t) + + admin_pattern($1, pppd_secret_t) + + files_list_pids($1) + admin_pattern($1, pppd_var_run_t) + + admin_pattern($1, pptp_log_t) + + admin_pattern($1, pptp_var_run_t) +') diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te new file mode 100644 index 0000000..d32a0d2 --- /dev/null +++ b/policy/modules/services/ppp.te 
@@ -0,0 +1,325 @@ +policy_module(ppp, 1.12.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow pppd to load kernel modules for certain modems +## </p> +## </desc> +gen_tunable(pppd_can_insmod, false) + +## <desc> +## <p> +## Allow pppd to be run for a regular user +## </p> +## </desc> +gen_tunable(pppd_for_user, false) + +# pppd_t is the domain for the pppd program. +# pppd_exec_t is the type of the pppd executable. +type pppd_t; +type pppd_exec_t; +init_daemon_domain(pppd_t, pppd_exec_t) + +type pppd_devpts_t; +term_pty(pppd_devpts_t) + +# Define a separate type for /etc/ppp +type pppd_etc_t; +files_config_file(pppd_etc_t) + +# Define a separate type for writable files under /etc/ppp +type pppd_etc_rw_t; +files_type(pppd_etc_rw_t) + +type pppd_initrc_exec_t alias pppd_script_exec_t; +init_script_file(pppd_initrc_exec_t) + +# pppd_secret_t is the type of the pap and chap password files +type pppd_secret_t; +files_type(pppd_secret_t) + +type pppd_log_t; +logging_log_file(pppd_log_t) + +type pppd_lock_t; +files_lock_file(pppd_lock_t) + +type pppd_tmp_t; +files_tmp_file(pppd_tmp_t) + +type pppd_var_run_t; +files_pid_file(pppd_var_run_t) + +type pptp_t; +type pptp_exec_t; +init_daemon_domain(pptp_t, pptp_exec_t) + +type pptp_log_t; +logging_log_file(pptp_log_t) + +type pptp_var_run_t; +files_pid_file(pptp_var_run_t) + +######################################## +# +# PPPD Local policy +# + +allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override }; +dontaudit pppd_t self:capability sys_tty_config; +allow pppd_t self:process { getsched signal }; +allow pppd_t self:fifo_file rw_fifo_file_perms; +allow pppd_t self:socket create_socket_perms; +allow pppd_t self:unix_dgram_socket create_socket_perms; +allow pppd_t self:unix_stream_socket create_socket_perms; +allow pppd_t self:netlink_route_socket rw_netlink_socket_perms; +allow pppd_t self:tcp_socket create_stream_socket_perms; 
+allow pppd_t self:udp_socket { connect connected_socket_perms }; +allow pppd_t self:packet_socket create_socket_perms; + +domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) + +allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; + +allow pppd_t pppd_etc_t:dir rw_dir_perms; +allow pppd_t pppd_etc_t:file read_file_perms; +allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms; + +manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t) +# Automatically label newly created files under /etc/ppp with this type +filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file) + +allow pppd_t pppd_lock_t:file manage_file_perms; +files_lock_filetrans(pppd_t, pppd_lock_t, file) + +allow pppd_t pppd_log_t:file manage_file_perms; +logging_log_filetrans(pppd_t, pppd_log_t, file) + +manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) +manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) +files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir }) + +manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) +manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) +files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file }) + +allow pppd_t pptp_t:process signal; + +# for SSP +# Access secret files +allow pppd_t pppd_secret_t:file read_file_perms; + +ppp_initrc_domtrans(pppd_t) + +kernel_read_kernel_sysctls(pppd_t) +kernel_read_system_state(pppd_t) +kernel_rw_net_sysctls(pppd_t) +kernel_read_network_state(pppd_t) +kernel_request_load_module(pppd_t) + +dev_read_urand(pppd_t) +dev_search_sysfs(pppd_t) +dev_read_sysfs(pppd_t) +dev_rw_modem(pppd_t) + +corenet_all_recvfrom_unlabeled(pppd_t) +corenet_all_recvfrom_netlabel(pppd_t) +corenet_tcp_sendrecv_generic_if(pppd_t) +corenet_raw_sendrecv_generic_if(pppd_t) +corenet_udp_sendrecv_generic_if(pppd_t) +corenet_tcp_sendrecv_generic_node(pppd_t) +corenet_raw_sendrecv_generic_node(pppd_t) +corenet_udp_sendrecv_generic_node(pppd_t) +corenet_tcp_sendrecv_all_ports(pppd_t) +corenet_udp_sendrecv_all_ports(pppd_t) +# Access 
/dev/ppp. +corenet_rw_ppp_dev(pppd_t) + +fs_getattr_all_fs(pppd_t) +fs_search_auto_mountpoints(pppd_t) + +term_use_unallocated_ttys(pppd_t) +term_setattr_unallocated_ttys(pppd_t) +term_ioctl_generic_ptys(pppd_t) +# for pppoe +term_create_pty(pppd_t, pppd_devpts_t) + +# allow running ip-up and ip-down scripts and running chat. +corecmd_exec_bin(pppd_t) +corecmd_exec_shell(pppd_t) + +domain_use_interactive_fds(pppd_t) + +files_exec_etc_files(pppd_t) +files_manage_etc_runtime_files(pppd_t) +files_dontaudit_write_etc_files(pppd_t) + +# for scripts +files_read_etc_files(pppd_t) + +init_read_utmp(pppd_t) +init_dontaudit_write_utmp(pppd_t) +init_signal_script(pppd_t) + +auth_use_nsswitch(pppd_t) + +logging_send_syslog_msg(pppd_t) +logging_send_audit_msgs(pppd_t) + +miscfiles_read_localization(pppd_t) + +sysnet_exec_ifconfig(pppd_t) +sysnet_manage_config(pppd_t) +sysnet_etc_filetrans_config(pppd_t) + +userdom_use_user_terminals(pppd_t) +userdom_dontaudit_use_unpriv_user_fds(pppd_t) +userdom_search_user_home_dirs(pppd_t) + +ppp_exec(pppd_t) + +optional_policy(` + ddclient_domtrans(pppd_t) +') + +optional_policy(` + tunable_policy(`pppd_can_insmod && ! 
secure_mode_insmod',` + modutils_domtrans_insmod_uncond(pppd_t) + ') +') + +optional_policy(` + mta_send_mail(pppd_t) + mta_system_content(pppd_etc_t) + mta_system_content(pppd_etc_rw_t) +') + +optional_policy(` + networkmanager_signal(pppd_t) +') + +optional_policy(` + postfix_domtrans_master(pppd_t) +') + +optional_policy(` + seutil_sigchld_newrole(pppd_t) +') + +optional_policy(` + udev_read_db(pppd_t) +') + +######################################## +# +# PPTP Local policy +# + +allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin }; +dontaudit pptp_t self:capability sys_tty_config; +allow pptp_t self:process signal; +allow pptp_t self:fifo_file rw_fifo_file_perms; +allow pptp_t self:unix_dgram_socket create_socket_perms; +allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow pptp_t self:rawip_socket create_socket_perms; +allow pptp_t self:tcp_socket create_socket_perms; +allow pptp_t self:udp_socket create_socket_perms; +allow pptp_t self:netlink_route_socket rw_netlink_socket_perms; + +allow pptp_t pppd_etc_t:dir list_dir_perms; +allow pptp_t pppd_etc_t:file read_file_perms; +allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; + +allow pptp_t pppd_etc_rw_t:dir list_dir_perms; +allow pptp_t pppd_etc_rw_t:file read_file_perms; +allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; +can_exec(pptp_t, pppd_etc_rw_t) + +# Allow pptp to append to pppd log files +allow pptp_t pppd_log_t:file append_file_perms; + +allow pptp_t pptp_log_t:file manage_file_perms; +logging_log_filetrans(pptp_t, pptp_log_t, file) + +manage_dirs_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) +manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) +manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) +files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir }) + +kernel_list_proc(pptp_t) +kernel_read_kernel_sysctls(pptp_t) +kernel_read_proc_symlinks(pptp_t) +kernel_read_system_state(pptp_t) + 
+dev_read_sysfs(pptp_t) + +corecmd_exec_shell(pptp_t) +corecmd_read_bin_symlinks(pptp_t) + +corenet_all_recvfrom_unlabeled(pptp_t) +corenet_all_recvfrom_netlabel(pptp_t) +corenet_tcp_sendrecv_generic_if(pptp_t) +corenet_raw_sendrecv_generic_if(pptp_t) +corenet_tcp_sendrecv_generic_node(pptp_t) +corenet_raw_sendrecv_generic_node(pptp_t) +corenet_tcp_sendrecv_all_ports(pptp_t) +corenet_tcp_bind_generic_node(pptp_t) +corenet_tcp_connect_generic_port(pptp_t) +corenet_tcp_connect_all_reserved_ports(pptp_t) +corenet_sendrecv_generic_client_packets(pptp_t) + +files_read_etc_files(pptp_t) + +fs_getattr_all_fs(pptp_t) +fs_search_auto_mountpoints(pptp_t) + +term_ioctl_generic_ptys(pptp_t) +term_search_ptys(pptp_t) +term_use_ptmx(pptp_t) + +domain_use_interactive_fds(pptp_t) + +auth_use_nsswitch(pptp_t) + +logging_send_syslog_msg(pptp_t) + +miscfiles_read_localization(pptp_t) + +sysnet_exec_ifconfig(pptp_t) + +userdom_dontaudit_use_unpriv_user_fds(pptp_t) +userdom_dontaudit_search_user_home_dirs(pptp_t) +userdom_signal_unpriv_users(pptp_t) + +optional_policy(` + consoletype_exec(pppd_t) +') + +optional_policy(` + dbus_system_domain(pppd_t, pppd_exec_t) + + optional_policy(` + networkmanager_dbus_chat(pppd_t) + ') +') + +optional_policy(` + hostname_exec(pptp_t) +') + +optional_policy(` + seutil_sigchld_newrole(pptp_t) +') + +optional_policy(` + udev_read_db(pptp_t) +') + +optional_policy(` + postfix_read_config(pppd_t) +') diff --git a/policy/modules/services/prelude.fc b/policy/modules/services/prelude.fc new file mode 100644 index 0000000..3bd847a --- /dev/null +++ b/policy/modules/services/prelude.fc 
@@ -0,0 +1,18 @@ +/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0) +/etc/rc\.d/init\.d/prelude-correlator -- gen_context(system_u:object_r:prelude_initrc_exec_t, s0) +/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0) +/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0) + +/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0) + +/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0) +/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0) +/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0) +/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0) + +/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0) +/var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0) +/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0) +/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0) +/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) +/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if new file mode 100644 index 0000000..77ef768 --- /dev/null +++ b/policy/modules/services/prelude.if 
@@ -0,0 +1,148 @@ +## <summary>Prelude hybrid intrusion detection system</summary> + +######################################## +## <summary> +## Execute a domain transition to run prelude. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`prelude_domtrans',` + gen_require(` + type prelude_t, prelude_exec_t; + ') + + domtrans_pattern($1, prelude_exec_t, prelude_t) +') + +######################################## +## <summary> +## Execute a domain transition to run prelude_audisp. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`prelude_domtrans_audisp',` + gen_require(` + type prelude_audisp_t, prelude_audisp_exec_t; + ') + + domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t) +') + +######################################## +## <summary> +## Signal the prelude_audisp domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed acccess. +## </summary> +## </param> +# +interface(`prelude_signal_audisp',` + gen_require(` + type prelude_audisp_t; + ') + + allow $1 prelude_audisp_t:process signal; +') + +######################################## +## <summary> +## Read the prelude spool files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`prelude_read_spool',` + gen_require(` + type prelude_spool_t; + ') + + files_search_spool($1) + read_files_pattern($1, prelude_spool_t, prelude_spool_t) +') + +######################################## +## <summary> +## Manage to prelude-manager spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`prelude_manage_spool',` + gen_require(` + type prelude_spool_t; + ') + + files_search_spool($1) + manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t) + manage_files_pattern($1, prelude_spool_t, prelude_spool_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an prelude environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`prelude_admin',` + gen_require(` + type prelude_t, prelude_spool_t, prelude_initrc_exec_t; + type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t; + type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t; + type prelude_lml_t; + ') + + allow $1 prelude_t:process { ptrace signal_perms }; + ps_process_pattern($1, prelude_t) + + allow $1 prelude_audisp_t:process { ptrace signal_perms }; + ps_process_pattern($1, prelude_audisp_t) + + allow $1 prelude_lml_t:process { ptrace signal_perms }; + ps_process_pattern($1, prelude_lml_t) + + init_labeled_script_domtrans($1, prelude_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 prelude_initrc_exec_t system_r; + allow $2 system_r; + + files_list_spool($1) + admin_pattern($1, prelude_spool_t) + + files_list_var_lib($1) + admin_pattern($1, prelude_var_lib_t) + + files_list_pids($1) + admin_pattern($1, prelude_var_run_t) + admin_pattern($1, prelude_audisp_var_run_t) + admin_pattern($1, prelude_lml_var_run_t) + + files_list_tmp($1) + admin_pattern($1, prelude_lml_tmp_t) +') diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te new file mode 100644 index 0000000..7a7310d --- /dev/null +++ b/policy/modules/services/prelude.te 
@@ -0,0 +1,307 @@ +policy_module(prelude, 1.2.1) + +######################################## +# +# Declarations +# + +type prelude_t; +type prelude_exec_t; +init_daemon_domain(prelude_t, prelude_exec_t) + +type prelude_initrc_exec_t; +init_script_file(prelude_initrc_exec_t) + +type prelude_spool_t; +files_type(prelude_spool_t) + +type prelude_log_t; +logging_log_file(prelude_log_t) + +type prelude_var_run_t; +files_pid_file(prelude_var_run_t) + +type prelude_var_lib_t; +files_type(prelude_var_lib_t) + +type prelude_audisp_t; +type prelude_audisp_exec_t; +init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t) +logging_dispatcher_domain(prelude_audisp_t, prelude_audisp_exec_t) + +type prelude_audisp_var_run_t; +files_pid_file(prelude_audisp_var_run_t) + +type prelude_correlator_t; +type prelude_correlator_exec_t; +init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t) + +type prelude_correlator_config_t; +files_config_file(prelude_correlator_config_t) + +type prelude_lml_t; +type prelude_lml_exec_t; +init_daemon_domain(prelude_lml_t, prelude_lml_exec_t) + +type prelude_lml_tmp_t; +files_tmp_file(prelude_lml_tmp_t) + +type prelude_lml_var_run_t; +files_pid_file(prelude_lml_var_run_t) + +######################################## +# +# prelude local policy +# + +allow prelude_t self:capability { dac_override sys_tty_config }; +allow prelude_t self:fifo_file rw_file_perms; +allow prelude_t self:unix_stream_socket create_stream_socket_perms; +allow prelude_t self:netlink_route_socket r_netlink_socket_perms; +allow prelude_t self:tcp_socket create_stream_socket_perms; + +manage_files_pattern(prelude_t, prelude_log_t, prelude_log_t) +logging_log_filetrans(prelude_t, prelude_log_t, file) + +manage_dirs_pattern(prelude_t, prelude_spool_t, prelude_spool_t) +manage_files_pattern(prelude_t, prelude_spool_t, prelude_spool_t) +files_search_spool(prelude_t) + +manage_dirs_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t) +manage_files_pattern(prelude_t, 
prelude_var_lib_t, prelude_var_lib_t) +files_search_var_lib(prelude_t) + +manage_dirs_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) +manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) +manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) +files_pid_filetrans(prelude_t, prelude_var_run_t, { dir file }) + +kernel_read_system_state(prelude_t) +kernel_read_sysctl(prelude_t) + +corecmd_search_bin(prelude_t) + +corenet_all_recvfrom_unlabeled(prelude_t) +corenet_all_recvfrom_netlabel(prelude_t) +corenet_tcp_sendrecv_generic_if(prelude_t) +corenet_tcp_sendrecv_generic_node(prelude_t) +corenet_tcp_bind_generic_node(prelude_t) +corenet_tcp_bind_prelude_port(prelude_t) +corenet_tcp_connect_prelude_port(prelude_t) +corenet_tcp_connect_postgresql_port(prelude_t) +corenet_tcp_connect_mysqld_port(prelude_t) + +dev_read_rand(prelude_t) +dev_read_urand(prelude_t) + +files_read_etc_files(prelude_t) +files_read_etc_runtime_files(prelude_t) +files_read_usr_files(prelude_t) +files_search_tmp(prelude_t) + +fs_rw_anon_inodefs_files(prelude_t) + +auth_use_nsswitch(prelude_t) + +logging_send_audit_msgs(prelude_t) +logging_send_syslog_msg(prelude_t) + +miscfiles_read_localization(prelude_t) + +optional_policy(` + mysql_search_db(prelude_t) + mysql_stream_connect(prelude_t) +') + +optional_policy(` + postgresql_stream_connect(prelude_t) +') + +######################################## +# +# prelude_audisp local policy +# + +allow prelude_audisp_t self:capability { dac_override ipc_lock setpcap }; +allow prelude_audisp_t self:process { getcap setcap }; +allow prelude_audisp_t self:fifo_file rw_file_perms; +allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms; +allow prelude_audisp_t self:unix_dgram_socket create_socket_perms; +allow prelude_audisp_t self:netlink_route_socket r_netlink_socket_perms; +allow prelude_audisp_t self:tcp_socket create_socket_perms; + +manage_dirs_pattern(prelude_audisp_t, prelude_spool_t, 
prelude_spool_t) +manage_files_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t) +files_search_spool(prelude_audisp_t) + +manage_sock_files_pattern(prelude_audisp_t, prelude_audisp_var_run_t, prelude_audisp_var_run_t) +files_pid_filetrans(prelude_audisp_t, prelude_audisp_var_run_t, sock_file) + +kernel_read_sysctl(prelude_audisp_t) +kernel_read_system_state(prelude_audisp_t) + +corecmd_search_bin(prelude_audisp_t) + +corenet_all_recvfrom_unlabeled(prelude_audisp_t) +corenet_all_recvfrom_netlabel(prelude_audisp_t) +corenet_tcp_sendrecv_generic_if(prelude_audisp_t) +corenet_tcp_sendrecv_generic_node(prelude_audisp_t) +corenet_tcp_bind_generic_node(prelude_audisp_t) +corenet_tcp_connect_prelude_port(prelude_audisp_t) + +dev_read_rand(prelude_audisp_t) +dev_read_urand(prelude_audisp_t) + +# Init script handling +domain_use_interactive_fds(prelude_audisp_t) + +files_read_etc_files(prelude_audisp_t) +files_read_etc_runtime_files(prelude_audisp_t) +files_search_tmp(prelude_audisp_t) + +logging_send_syslog_msg(prelude_audisp_t) + +miscfiles_read_localization(prelude_audisp_t) + +sysnet_dns_name_resolve(prelude_audisp_t) + +######################################## +# +# prelude_correlator local policy +# + +allow prelude_correlator_t self:capability dac_override; +allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms; +allow prelude_correlator_t self:tcp_socket create_stream_socket_perms; +allow prelude_correlator_t self:unix_dgram_socket create_socket_perms; + +allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms; +read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t) + +kernel_read_sysctl(prelude_correlator_t) + +corecmd_search_bin(prelude_correlator_t) + +corenet_all_recvfrom_unlabeled(prelude_correlator_t) +corenet_all_recvfrom_netlabel(prelude_correlator_t) +corenet_tcp_sendrecv_generic_if(prelude_correlator_t) +corenet_tcp_sendrecv_generic_node(prelude_correlator_t) 
+corenet_tcp_connect_prelude_port(prelude_correlator_t) + +dev_read_rand(prelude_correlator_t) +dev_read_urand(prelude_correlator_t) + +files_read_etc_files(prelude_correlator_t) +files_read_usr_files(prelude_correlator_t) +files_search_spool(prelude_correlator_t) + +logging_send_syslog_msg(prelude_correlator_t) + +miscfiles_read_localization(prelude_correlator_t) + +sysnet_dns_name_resolve(prelude_correlator_t) + +prelude_manage_spool(prelude_correlator_t) + +######################################## +# +# prelude_lml local declarations +# + +allow prelude_lml_t self:capability dac_override; +allow prelude_lml_t self:tcp_socket { setopt create_socket_perms }; +allow prelude_lml_t self:unix_dgram_socket create_socket_perms; +allow prelude_lml_t self:fifo_file rw_fifo_file_perms; +allow prelude_lml_t self:unix_stream_socket connectto; + +manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) +manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t) +files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir }) +files_list_tmp(prelude_lml_t) + +manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) +manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t) +files_search_spool(prelude_lml_t) + +manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) +manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t) +files_search_var_lib(prelude_lml_t) + +manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t) +files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file) + +kernel_read_system_state(prelude_lml_t) +kernel_read_sysctl(prelude_lml_t) + +corecmd_exec_bin(prelude_lml_t) + +corenet_tcp_sendrecv_generic_if(prelude_lml_t) +corenet_tcp_sendrecv_generic_node(prelude_lml_t) +corenet_tcp_recvfrom_netlabel(prelude_lml_t) +corenet_tcp_recvfrom_unlabeled(prelude_lml_t) +corenet_sendrecv_unlabeled_packets(prelude_lml_t) 
+corenet_tcp_connect_prelude_port(prelude_lml_t) + +dev_read_rand(prelude_lml_t) +dev_read_urand(prelude_lml_t) + +files_list_etc(prelude_lml_t) +files_read_etc_files(prelude_lml_t) +files_read_etc_runtime_files(prelude_lml_t) + +fs_getattr_all_fs(prelude_lml_t) +fs_list_inotifyfs(prelude_lml_t) +fs_rw_anon_inodefs_files(prelude_lml_t) + +auth_use_nsswitch(prelude_lml_t) + +libs_exec_lib_files(prelude_lml_t) +libs_read_lib_files(prelude_lml_t) + +logging_send_syslog_msg(prelude_lml_t) +logging_read_generic_logs(prelude_lml_t) + +miscfiles_read_localization(prelude_lml_t) + +sysnet_dns_name_resolve(prelude_lml_t) + +userdom_read_all_users_state(prelude_lml_t) + +optional_policy(` + apache_search_sys_content(prelude_lml_t) + apache_read_log(prelude_lml_t) +') + +######################################## +# +# prewikka_cgi Declarations +# + +optional_policy(` + apache_content_template(prewikka) + + can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t) + + files_read_etc_files(httpd_prewikka_script_t) + files_search_tmp(httpd_prewikka_script_t) + + kernel_read_sysctl(httpd_prewikka_script_t) + kernel_search_network_sysctl(httpd_prewikka_script_t) + + corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t) + + auth_use_nsswitch(httpd_prewikka_script_t) + + logging_send_syslog_msg(httpd_prewikka_script_t) + + apache_search_sys_content(httpd_prewikka_script_t) + + optional_policy(` + mysql_search_db(httpd_prewikka_script_t) + mysql_stream_connect(httpd_prewikka_script_t) + ') + + optional_policy(` + postgresql_stream_connect(httpd_prewikka_script_t) + ') +') diff --git a/policy/modules/services/privoxy.fc b/policy/modules/services/privoxy.fc new file mode 100644 index 0000000..be4998a --- /dev/null +++ b/policy/modules/services/privoxy.fc 
@@ -0,0 +1,6 @@ +/etc/privoxy/[^/]*\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0) +/etc/rc\.d/init\.d/privoxy -- gen_context(system_u:object_r:privoxy_initrc_exec_t,s0) + +/usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0) + +/var/log/privoxy(/.*)? gen_context(system_u:object_r:privoxy_log_t,s0) diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if new file mode 100644 index 0000000..7221526 --- /dev/null +++ b/policy/modules/services/privoxy.if @@ -0,0 +1,42 @@ +## <summary>Privacy enhancing web proxy.</summary> + +######################################## +## <summary> +## All of the rules required to administrate +## an privoxy environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`privoxy_admin',` + gen_require(` + type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t; + type privoxy_etc_rw_t, privoxy_var_run_t; + ') + + allow $1 privoxy_t:process { ptrace signal_perms }; + ps_process_pattern($1, privoxy_t) + + init_labeled_script_domtrans($1, privoxy_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 privoxy_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + admin_pattern($1, privoxy_log_t) + + files_list_etc($1) + admin_pattern($1, privoxy_etc_rw_t) + + files_list_pids($1) + admin_pattern($1, privoxy_var_run_t) +') diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te new file mode 100644 index 0000000..2404ddc --- /dev/null +++ b/policy/modules/services/privoxy.te 
@@ -0,0 +1,103 @@ +policy_module(privoxy, 1.10.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow privoxy to connect to all ports, not just +## HTTP, FTP, and Gopher ports. +## </p> +## </desc> +gen_tunable(privoxy_connect_any, false) + +type privoxy_t; # web_client_domain +type privoxy_exec_t; +init_daemon_domain(privoxy_t, privoxy_exec_t) + +type privoxy_initrc_exec_t; +init_script_file(privoxy_initrc_exec_t) + +type privoxy_etc_rw_t; +files_type(privoxy_etc_rw_t) + +type privoxy_log_t; +logging_log_file(privoxy_log_t) + +type privoxy_var_run_t; +files_pid_file(privoxy_var_run_t) + +######################################## +# +# Local Policy +# + +allow privoxy_t self:capability { setgid setuid }; +dontaudit privoxy_t self:capability sys_tty_config; +allow privoxy_t self:tcp_socket create_stream_socket_perms; + +allow privoxy_t privoxy_etc_rw_t:file rw_file_perms; + +manage_files_pattern(privoxy_t, privoxy_log_t, privoxy_log_t) +logging_log_filetrans(privoxy_t, privoxy_log_t, file) + +manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t) +files_pid_filetrans(privoxy_t, privoxy_var_run_t, file) + +kernel_read_system_state(privoxy_t) +kernel_read_kernel_sysctls(privoxy_t) + +corenet_all_recvfrom_unlabeled(privoxy_t) +corenet_all_recvfrom_netlabel(privoxy_t) +corenet_tcp_sendrecv_generic_if(privoxy_t) +corenet_tcp_sendrecv_generic_node(privoxy_t) +corenet_tcp_sendrecv_all_ports(privoxy_t) +corenet_tcp_bind_generic_node(privoxy_t) +corenet_tcp_bind_http_cache_port(privoxy_t) +corenet_tcp_connect_http_port(privoxy_t) +corenet_tcp_connect_http_cache_port(privoxy_t) +corenet_tcp_connect_squid_port(privoxy_t) +corenet_tcp_connect_ftp_port(privoxy_t) +corenet_tcp_connect_pgpkeyserver_port(privoxy_t) +corenet_tcp_connect_tor_port(privoxy_t) +corenet_sendrecv_http_cache_client_packets(privoxy_t) +corenet_sendrecv_squid_client_packets(privoxy_t) +corenet_sendrecv_http_cache_server_packets(privoxy_t) 
+corenet_sendrecv_http_client_packets(privoxy_t) +corenet_sendrecv_ftp_client_packets(privoxy_t) +corenet_sendrecv_tor_client_packets(privoxy_t) + +dev_read_sysfs(privoxy_t) + +fs_getattr_all_fs(privoxy_t) +fs_search_auto_mountpoints(privoxy_t) + +domain_use_interactive_fds(privoxy_t) + +files_read_etc_files(privoxy_t) + +auth_use_nsswitch(privoxy_t) + +logging_send_syslog_msg(privoxy_t) + +miscfiles_read_localization(privoxy_t) + +userdom_dontaudit_use_unpriv_user_fds(privoxy_t) +userdom_dontaudit_search_user_home_dirs(privoxy_t) +# cjp: this should really not be needed +userdom_use_user_terminals(privoxy_t) + +tunable_policy(`privoxy_connect_any',` + corenet_tcp_connect_all_ports(privoxy_t) + corenet_sendrecv_all_client_packets(privoxy_t) +') + +optional_policy(` + seutil_sigchld_newrole(privoxy_t) +') + +optional_policy(` + udev_read_db(privoxy_t) +') diff --git a/policy/modules/services/procmail.fc b/policy/modules/services/procmail.fc new file mode 100644 index 0000000..4b36a13 --- /dev/null +++ b/policy/modules/services/procmail.fc @@ -0,0 +1,7 @@ +HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0) +/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0) + +/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) + +/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) +/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if new file mode 100644 index 0000000..166e9c3 --- /dev/null +++ b/policy/modules/services/procmail.if 
@@ -0,0 +1,98 @@ +## <summary>Procmail mail delivery agent</summary> + +######################################## +## <summary> +## Execute procmail with a domain transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`procmail_domtrans',` + gen_require(` + type procmail_exec_t, procmail_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, procmail_exec_t, procmail_t) +') + +######################################## +## <summary> +## Execute procmail in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`procmail_exec',` + gen_require(` + type procmail_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + can_exec($1, procmail_exec_t) +') + +######################################## +## <summary> +## Read procmail tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`procmail_read_tmp_files',` + gen_require(` + type procmail_tmp_t; + ') + + files_search_tmp($1) + allow $1 procmail_tmp_t:file read_file_perms; +') + +######################################## +## <summary> +## Read/write procmail tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`procmail_rw_tmp_files',` + gen_require(` + type procmail_tmp_t; + ') + + files_search_tmp($1) + rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) +') + +######################################## +## <summary> +## Read procmail home directory content +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`procmail_read_home_files',` + gen_require(` + type procmail_home_t; + ') + + userdom_search_user_home_dirs($1) + read_files_pattern($1, procmail_home_t, procmail_home_t) +') 
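Review bot: `procmail_read_tmp_files` in procmail.if uses a raw `allow $1 procmail_tmp_t:file read_file_perms;` while its sibling `procmail_rw_tmp_files` goes through `rw_files_pattern`; for consistency with the rest of the module and with the `read_files_pattern` call in `procmail_read_home_files`, write it as `read_files_pattern($1, procmail_tmp_t, procmail_tmp_t)`. The interface summary "Read procmail home directory content" is also missing its trailing period, unlike the other summaries in this file.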
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te new file mode 100644 index 0000000..2a70dd1 --- /dev/null +++ b/policy/modules/services/procmail.te 
@@ -0,0 +1,163 @@ +policy_module(procmail, 1.12.0) + +######################################## +# +# Declarations +# + +type procmail_t; +type procmail_exec_t; +application_domain(procmail_t, procmail_exec_t) +role system_r types procmail_t; + +type procmail_home_t; +userdom_user_home_content(procmail_home_t) + +type procmail_log_t; +logging_log_file(procmail_log_t) + +type procmail_tmp_t; +files_tmp_file(procmail_tmp_t) + +######################################## +# +# Local policy +# + +allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override }; +allow procmail_t self:process { setsched signal signull }; +allow procmail_t self:fifo_file rw_fifo_file_perms; +allow procmail_t self:unix_stream_socket create_socket_perms; +allow procmail_t self:unix_dgram_socket create_socket_perms; +allow procmail_t self:tcp_socket create_stream_socket_perms; +allow procmail_t self:udp_socket create_socket_perms; + +can_exec(procmail_t, procmail_exec_t) + +# Write log to /var/log/procmail.log or /var/log/procmail/.* +allow procmail_t procmail_log_t:dir setattr_dir_perms; +create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) +append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) +read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t) +logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) + +allow procmail_t procmail_tmp_t:file manage_file_perms; +files_tmp_filetrans(procmail_t, procmail_tmp_t, file) + +kernel_read_system_state(procmail_t) +kernel_read_kernel_sysctls(procmail_t) + +corenet_all_recvfrom_unlabeled(procmail_t) +corenet_all_recvfrom_netlabel(procmail_t) +corenet_tcp_sendrecv_generic_if(procmail_t) +corenet_udp_sendrecv_generic_if(procmail_t) +corenet_tcp_sendrecv_generic_node(procmail_t) +corenet_udp_sendrecv_generic_node(procmail_t) +corenet_tcp_sendrecv_all_ports(procmail_t) +corenet_udp_sendrecv_all_ports(procmail_t) +corenet_udp_bind_generic_node(procmail_t) 
+corenet_tcp_connect_spamd_port(procmail_t) +corenet_sendrecv_spamd_client_packets(procmail_t) +corenet_sendrecv_comsat_client_packets(procmail_t) + +dev_read_urand(procmail_t) + +fs_getattr_xattr_fs(procmail_t) +fs_search_auto_mountpoints(procmail_t) +fs_rw_anon_inodefs_files(procmail_t) + +auth_use_nsswitch(procmail_t) + +corecmd_exec_bin(procmail_t) +corecmd_exec_shell(procmail_t) +corecmd_read_bin_symlinks(procmail_t) + +files_read_etc_files(procmail_t) +files_read_etc_runtime_files(procmail_t) +files_search_pids(procmail_t) +# for spamassasin +files_read_usr_files(procmail_t) + +logging_send_syslog_msg(procmail_t) +logging_append_all_logs(procmail_t) + +miscfiles_read_localization(procmail_t) + +list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t) +read_files_pattern(procmail_t, procmail_home_t, procmail_home_t) +userdom_search_user_home_dirs(procmail_t) +userdom_search_admin_dir(procmail_t) + +# only works until we define a different type for maildir +userdom_manage_user_home_content_dirs(procmail_t) +userdom_manage_user_home_content_files(procmail_t) +userdom_manage_user_home_content_symlinks(procmail_t) +userdom_manage_user_home_content_pipes(procmail_t) +userdom_manage_user_home_content_sockets(procmail_t) +userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file }) + +# Execute user executables +userdom_exec_user_bin_files(procmail_t) + +mta_manage_spool(procmail_t) +mta_read_queue(procmail_t) + +ifdef(`hide_broken_symptoms',` + mta_dontaudit_rw_queue(procmail_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(procmail_t) + fs_manage_nfs_files(procmail_t) + fs_manage_nfs_symlinks(procmail_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(procmail_t) + fs_manage_cifs_files(procmail_t) + fs_manage_cifs_symlinks(procmail_t) +') + +optional_policy(` + clamav_domtrans_clamscan(procmail_t) + clamav_search_lib(procmail_t) +') + +optional_policy(` + 
munin_dontaudit_search_lib(procmail_t) +') + +optional_policy(` + # for a bug in the postfix local program + postfix_dontaudit_rw_local_tcp_sockets(procmail_t) + postfix_dontaudit_use_fds(procmail_t) + postfix_read_spool_files(procmail_t) + postfix_read_local_state(procmail_t) + postfix_read_master_state(procmail_t) +') + +optional_policy(` + nagios_search_spool(procmail_t) +') + +optional_policy(` + pyzor_domtrans(procmail_t) + pyzor_signal(procmail_t) +') + +optional_policy(` + mta_read_config(procmail_t) + sendmail_domtrans(procmail_t) + sendmail_signal(procmail_t) + sendmail_dontaudit_rw_tcp_sockets(procmail_t) + sendmail_dontaudit_rw_unix_stream_sockets(procmail_t) +') + +optional_policy(` + corenet_udp_bind_generic_port(procmail_t) + corenet_dontaudit_udp_bind_all_ports(procmail_t) + + spamassassin_domtrans_local_client(procmail_t) + spamassassin_domtrans_client(procmail_t) + spamassassin_read_lib_files(procmail_t) +') diff --git a/policy/modules/services/psad.fc b/policy/modules/services/psad.fc new file mode 100644 index 0000000..6c66d44 --- /dev/null +++ b/policy/modules/services/psad.fc @@ -0,0 +1,8 @@ +/etc/rc\.d/init\.d/psad -- gen_context(system_u:object_r:psad_initrc_exec_t,s0) +/etc/psad(/.*)? gen_context(system_u:object_r:psad_etc_t,s0) + +/usr/sbin/psad -- gen_context(system_u:object_r:psad_exec_t,s0) + +/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0) +/var/log/psad(/.*)? gen_context(system_u:object_r:psad_var_log_t,s0) +/var/run/psad(/.*)? gen_context(system_u:object_r:psad_var_run_t,s0) diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if new file mode 100644 index 0000000..d1a3745 --- /dev/null +++ b/policy/modules/services/psad.if 
@@ -0,0 +1,281 @@ +## <summary>Intrusion Detection and Log Analysis with iptables</summary> + +######################################## +## <summary> +## Execute a domain transition to run psad. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`psad_domtrans',` + gen_require(` + type psad_t, psad_exec_t; + ') + + domtrans_pattern($1, psad_exec_t, psad_t) +') + +######################################## +## <summary> +## Send a generic signal to psad +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`psad_signal',` + gen_require(` + type psad_t; + ') + + allow $1 psad_t:process signal; +') + +####################################### +## <summary> +## Send a null signal to psad. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`psad_signull',` + gen_require(` + type psad_t; + ') + + allow $1 psad_t:process signull; +') + +######################################## +## <summary> +## Read psad etc configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`psad_read_config',` + gen_require(` + type psad_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, psad_etc_t, psad_etc_t) +') + +######################################## +## <summary> +## Manage psad etc configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`psad_manage_config',` + gen_require(` + type psad_etc_t; + ') + + files_search_etc($1) + manage_dirs_pattern($1, psad_etc_t, psad_etc_t) + manage_files_pattern($1, psad_etc_t, psad_etc_t) +') + +######################################## +## <summary> +## Read psad PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`psad_read_pid_files',` + gen_require(` + type psad_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, psad_var_run_t, psad_var_run_t) +') + +######################################## +## <summary> +## Read and write psad PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`psad_rw_pid_files',` + gen_require(` + type psad_var_run_t; + ') + + files_search_pids($1) + rw_files_pattern($1, psad_var_run_t, psad_var_run_t) +') + +######################################## +## <summary> +## Allow the specified domain to read psad's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`psad_read_log',` + gen_require(` + type psad_var_log_t; + ') + + logging_search_logs($1) + list_dirs_pattern($1, psad_var_log_t, psad_var_log_t) + read_files_pattern($1, psad_var_log_t, psad_var_log_t) +') + +######################################## +## <summary> +## Allow the specified domain to append to psad's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`psad_append_log',` + gen_require(` + type psad_var_log_t; + ') + + logging_search_logs($1) + list_dirs_pattern($1, psad_var_log_t, psad_var_log_t) + append_files_pattern($1, psad_var_log_t, psad_var_log_t) +') + +######################################## +## <summary> +## Allow the specified domain to write to psad's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`psad_write_log',` + gen_require(` + type psad_var_log_t; + ') + + logging_search_logs($1) + write_files_pattern($1, psad_var_log_t, psad_var_log_t) +') + +######################################## +## <summary> +## Read and write psad fifo files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`psad_rw_fifo_file',` + gen_require(` + type psad_t; + ') + + files_search_var_lib($1) + search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t) + rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t) +') + +####################################### +## <summary> +## Read and write psad tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`psad_rw_tmp_files',` + gen_require(` + type psad_tmp_t; + ') + + files_search_tmp($1) + rw_files_pattern($1, psad_tmp_t, psad_tmp_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an psad environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the syslog domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`psad_admin',` + gen_require(` + type psad_t, psad_var_run_t, psad_var_log_t; + type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t; + type psad_tmp_t; + ') + + allow $1 psad_t:process { ptrace signal_perms }; + ps_process_pattern($1, psad_t) + + init_labeled_script_domtrans($1, psad_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 psad_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, psad_etc_t) + + files_list_pids($1) + admin_pattern($1, psad_var_run_t) + + logging_list_logs($1) + admin_pattern($1, psad_var_log_t) + + files_list_var_lib($1) + admin_pattern($1, psad_var_lib_t) + + files_list_tmp($1) + admin_pattern($1, psad_tmp_t) +') diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te new file mode 100644 index 0000000..c23cd14 --- /dev/null +++ b/policy/modules/services/psad.te 
@@ -0,0 +1,108 @@ +policy_module(psad, 1.0.0) + +######################################## +# +# Declarations +# + +type psad_t; +type psad_exec_t; +init_daemon_domain(psad_t, psad_exec_t) + +# config files +type psad_etc_t; +files_type(psad_etc_t) + +type psad_initrc_exec_t; +init_script_file(psad_initrc_exec_t) + +# var/lib files +type psad_var_lib_t; +files_type(psad_var_lib_t) + +# log files +type psad_var_log_t; +logging_log_file(psad_var_log_t) + +# pid files +type psad_var_run_t; +files_pid_file(psad_var_run_t) + +# tmp files +type psad_tmp_t; +files_tmp_file(psad_tmp_t) + +######################################## +# +# psad local policy +# + +allow psad_t self:capability { net_admin net_raw setuid setgid dac_override }; +dontaudit psad_t self:capability sys_tty_config; +allow psad_t self:process signull; +allow psad_t self:fifo_file rw_fifo_file_perms; +allow psad_t self:rawip_socket create_socket_perms; + +# config files +read_files_pattern(psad_t, psad_etc_t, psad_etc_t) +list_dirs_pattern(psad_t, psad_etc_t, psad_etc_t) + +# log files +manage_files_pattern(psad_t, psad_var_log_t, psad_var_log_t) +manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t) +logging_log_filetrans(psad_t, psad_var_log_t, { file dir }) + +# pid file +manage_dirs_pattern(psad_t, psad_var_run_t, psad_var_run_t) +manage_files_pattern(psad_t, psad_var_run_t, psad_var_run_t) +manage_sock_files_pattern(psad_t, psad_var_run_t, psad_var_run_t) +files_pid_filetrans(psad_t, psad_var_run_t, { dir file sock_file }) + +# tmp files +manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t) +manage_files_pattern(psad_t, psad_tmp_t, psad_tmp_t) +files_tmp_filetrans(psad_t, psad_tmp_t, { file dir }) + +# /var/lib files +search_dirs_pattern(psad_t, psad_var_lib_t, psad_var_lib_t) +manage_fifo_files_pattern(psad_t, psad_var_lib_t, psad_var_lib_t) + +kernel_read_system_state(psad_t) +kernel_read_network_state(psad_t) +kernel_read_net_sysctls(psad_t) + +corecmd_exec_shell(psad_t) 
+corecmd_exec_bin(psad_t) + +corenet_all_recvfrom_unlabeled(psad_t) +corenet_all_recvfrom_netlabel(psad_t) +corenet_tcp_sendrecv_generic_if(psad_t) +corenet_tcp_sendrecv_generic_node(psad_t) +corenet_tcp_bind_generic_node(psad_t) +corenet_tcp_sendrecv_all_ports(psad_t) +corenet_tcp_connect_whois_port(psad_t) +corenet_sendrecv_whois_client_packets(psad_t) + +dev_read_urand(psad_t) + +files_read_etc_runtime_files(psad_t) +files_read_usr_files(psad_t) + +fs_getattr_all_fs(psad_t) + +auth_use_nsswitch(psad_t) + +iptables_domtrans(psad_t) + +logging_read_generic_logs(psad_t) +logging_read_syslog_config(psad_t) +logging_send_syslog_msg(psad_t) + +miscfiles_read_localization(psad_t) + +sysnet_exec_ifconfig(psad_t) + +optional_policy(` + mta_send_mail(psad_t) + mta_read_queue(psad_t) +') diff --git a/policy/modules/services/publicfile.fc b/policy/modules/services/publicfile.fc new file mode 100644 index 0000000..5b20b68 --- /dev/null +++ b/policy/modules/services/publicfile.fc @@ -0,0 +1,7 @@ + +/usr/bin/ftpd -- gen_context(system_u:object_r:publicfile_exec_t,s0) +/usr/bin/httpd -- gen_context(system_u:object_r:publicfile_exec_t,s0) + +# this is the place where online content located +# set this to suit your needs +#/var/www(/.*)? gen_context(system_u:object_r:publicfile_content_t,s0) diff --git a/policy/modules/services/publicfile.if b/policy/modules/services/publicfile.if new file mode 100644 index 0000000..5b07592 --- /dev/null +++ b/policy/modules/services/publicfile.if @@ -0,0 +1 @@ +## <summary>publicfile supplies files to the public through HTTP and FTP</summary> diff --git a/policy/modules/services/publicfile.te b/policy/modules/services/publicfile.te new file mode 100644 index 0000000..32edb73 --- /dev/null +++ b/policy/modules/services/publicfile.te 
@@ -0,0 +1,34 @@ +policy_module(publicfile, 1.1.0) + +######################################## +# +# Declarations +# + +type publicfile_t; +type publicfile_exec_t; +init_daemon_domain(publicfile_t, publicfile_exec_t) + +type publicfile_content_t; +files_type(publicfile_content_t) + +######################################## +# +# Local policy +# + +allow publicfile_t self:capability { dac_override setgid setuid sys_chroot }; +allow publicfile_t publicfile_content_t:dir list_dir_perms; +allow publicfile_t publicfile_content_t:file read_file_perms; + +files_search_var(publicfile_t) + +optional_policy(` + daemontools_ipc_domain(publicfile_t) +') + +optional_policy(` + ucspitcp_service_domain(publicfile_t, publicfile_exec_t) +') + +#allow publicfile_t initrc_t:tcp_socket { read write }; diff --git a/policy/modules/services/puppet.fc b/policy/modules/services/puppet.fc new file mode 100644 index 0000000..2f1e529 --- /dev/null +++ b/policy/modules/services/puppet.fc @@ -0,0 +1,11 @@ +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) + +/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0) +/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) + +/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) +/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) + +/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) +/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) +/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if new file mode 100644 index 0000000..0456b11 --- /dev/null +++ b/policy/modules/services/puppet.if 
@@ -0,0 +1,31 @@ +## <summary>Puppet client daemon</summary> +## <desc> +## <p> +## Puppet is a configuration management system written in Ruby. +## The client daemon is responsible for periodically requesting the +## desired system state from the server and ensuring the state of +## the client system matches. +## </p> +## </desc> + +################################################ +## <summary> +## Read / Write to Puppet temp files. Puppet uses +## some system binaries (groupadd, etc) that run in +## a non-puppet domain and redirects output into temp +## files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`puppet_rw_tmp',` + gen_require(` + type puppet_tmp_t; + ') + + allow $1 puppet_tmp_t:file rw_file_perms; + files_search_tmp($1) +') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te new file mode 100644 index 0000000..80c1f5d --- /dev/null +++ b/policy/modules/services/puppet.te 
@@ -0,0 +1,244 @@ +policy_module(puppet, 1.0.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow Puppet client to manage all file +## types. +## </p> +## </desc> +gen_tunable(puppet_manage_all_files, false) + +type puppet_t; +type puppet_exec_t; +init_daemon_domain(puppet_t, puppet_exec_t) + +type puppet_etc_t; +files_config_file(puppet_etc_t) + +type puppet_initrc_exec_t; +init_script_file(puppet_initrc_exec_t) + +type puppet_log_t; +logging_log_file(puppet_log_t) + +type puppet_tmp_t; +files_tmp_file(puppet_tmp_t) + +type puppet_var_lib_t; +files_type(puppet_var_lib_t) + +type puppet_var_run_t; +files_pid_file(puppet_var_run_t) + +type puppetmaster_t; +type puppetmaster_exec_t; +init_daemon_domain(puppetmaster_t, puppetmaster_exec_t) + +type puppetmaster_initrc_exec_t; +init_script_file(puppetmaster_initrc_exec_t) + +type puppetmaster_tmp_t; +files_tmp_file(puppetmaster_tmp_t) + +######################################## +# +# Puppet personal policy +# + +allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config }; +allow puppet_t self:process { signal signull getsched setsched }; +allow puppet_t self:fifo_file rw_fifo_file_perms; +allow puppet_t self:netlink_route_socket create_netlink_socket_perms; +allow puppet_t self:tcp_socket create_stream_socket_perms; +allow puppet_t self:udp_socket create_socket_perms; + +read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t) + +manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) +manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) +files_search_var_lib(puppet_t) + +manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) +manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) +files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) + +create_dirs_pattern(puppet_t, var_log_t, puppet_log_t) +create_files_pattern(puppet_t, puppet_log_t, puppet_log_t) 
+append_files_pattern(puppet_t, puppet_log_t, puppet_log_t) +logging_log_filetrans(puppet_t, puppet_log_t, { file dir }) + +manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) +manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) +files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) + +kernel_dontaudit_search_sysctl(puppet_t) +kernel_dontaudit_search_kernel_sysctl(puppet_t) +kernel_read_system_state(puppet_t) +kernel_read_crypto_sysctls(puppet_t) + +corecmd_exec_bin(puppet_t) +corecmd_exec_shell(puppet_t) + +corenet_all_recvfrom_netlabel(puppet_t) +corenet_all_recvfrom_unlabeled(puppet_t) +corenet_tcp_sendrecv_generic_if(puppet_t) +corenet_tcp_sendrecv_generic_node(puppet_t) +corenet_tcp_bind_generic_node(puppet_t) +corenet_tcp_connect_puppet_port(puppet_t) +corenet_sendrecv_puppet_client_packets(puppet_t) + +dev_read_rand(puppet_t) +dev_read_sysfs(puppet_t) +dev_read_urand(puppet_t) + +domain_read_all_domains_state(puppet_t) +domain_interactive_fd(puppet_t) + +files_manage_config_files(puppet_t) +files_manage_config_dirs(puppet_t) +files_manage_etc_dirs(puppet_t) +files_manage_etc_files(puppet_t) +files_read_usr_symlinks(puppet_t) +files_relabel_config_dirs(puppet_t) +files_relabel_config_files(puppet_t) + +selinux_search_fs(puppet_t) +selinux_set_all_booleans(puppet_t) +selinux_set_generic_booleans(puppet_t) +selinux_validate_context(puppet_t) + +term_dontaudit_getattr_unallocated_ttys(puppet_t) +term_dontaudit_getattr_all_ttys(puppet_t) + +init_all_labeled_script_domtrans(puppet_t) +init_domtrans_script(puppet_t) +init_read_utmp(puppet_t) +init_signull_script(puppet_t) + +logging_send_syslog_msg(puppet_t) + +miscfiles_read_hwdata(puppet_t) +miscfiles_read_localization(puppet_t) + +seutil_domtrans_setfiles(puppet_t) +seutil_domtrans_semanage(puppet_t) + +sysnet_dns_name_resolve(puppet_t) +sysnet_run_ifconfig(puppet_t, system_r) + +tunable_policy(`puppet_manage_all_files',` + auth_manage_all_files_except_shadow(puppet_t) +') + +optional_policy(` + 
consoletype_domtrans(puppet_t) +') + +optional_policy(` + hostname_exec(puppet_t) +') + +optional_policy(` + files_rw_var_files(puppet_t) + + rpm_domtrans(puppet_t) + rpm_manage_db(puppet_t) + rpm_manage_log(puppet_t) +') + +optional_policy(` + unconfined_domain(puppet_t) +') + +optional_policy(` + usermanage_domtrans_groupadd(puppet_t) + usermanage_domtrans_useradd(puppet_t) +') + +######################################## +# +# Pupper master personal policy +# + +allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; +allow puppetmaster_t self:process { signal_perms getsched setsched }; +allow puppetmaster_t self:fifo_file rw_fifo_file_perms; +allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms; +allow puppetmaster_t self:socket create; +allow puppetmaster_t self:tcp_socket create_stream_socket_perms; +allow puppetmaster_t self:udp_socket create_socket_perms; + +list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) +read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) + +allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms }; +allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms }; +logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) +allow puppetmaster_t puppet_log_t:file relabel_file_perms; + +manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) +manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) +allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms; + +setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) +manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) +files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir }) +allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms; + +manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) +manage_files_pattern(puppetmaster_t, 
puppetmaster_tmp_t, puppetmaster_tmp_t) +files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) +allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms; + +kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) +kernel_read_system_state(puppetmaster_t) +kernel_read_crypto_sysctls(puppetmaster_t) +kernel_read_kernel_sysctls(puppetmaster_t) + +corecmd_exec_bin(puppetmaster_t) +corecmd_exec_shell(puppetmaster_t) + +corenet_all_recvfrom_netlabel(puppetmaster_t) +corenet_all_recvfrom_unlabeled(puppetmaster_t) +corenet_tcp_sendrecv_generic_if(puppetmaster_t) +corenet_tcp_sendrecv_generic_node(puppetmaster_t) +corenet_tcp_bind_generic_node(puppetmaster_t) +corenet_tcp_bind_puppet_port(puppetmaster_t) +corenet_sendrecv_puppet_server_packets(puppetmaster_t) + +dev_read_rand(puppetmaster_t) +dev_read_urand(puppetmaster_t) + +domain_read_all_domains_state(puppetmaster_t) + +files_read_etc_files(puppetmaster_t) +files_search_var_lib(puppetmaster_t) + +selinux_validate_context(puppetmaster_t) + +logging_send_syslog_msg(puppetmaster_t) + +miscfiles_read_localization(puppetmaster_t) + +seutil_read_file_contexts(puppetmaster_t) + +sysnet_dns_name_resolve(puppetmaster_t) +sysnet_run_ifconfig(puppetmaster_t, system_r) + +mta_send_mail(puppetmaster_t) + +optional_policy(` + hostname_exec(puppetmaster_t) +') + +optional_policy(` + files_read_usr_symlinks(puppetmaster_t) + + rpm_exec(puppetmaster_t) + rpm_read_db(puppetmaster_t) +') diff --git a/policy/modules/services/pxe.fc b/policy/modules/services/pxe.fc new file mode 100644 index 0000000..44b3a0c --- /dev/null +++ b/policy/modules/services/pxe.fc @@ -0,0 +1,6 @@ + +/usr/sbin/pxe -- gen_context(system_u:object_r:pxe_exec_t,s0) + +/var/log/pxe\.log -- gen_context(system_u:object_r:pxe_log_t,s0) + +/var/run/pxe\.pid -- gen_context(system_u:object_r:pxe_var_run_t,s0) diff --git a/policy/modules/services/pxe.if b/policy/modules/services/pxe.if new file mode 100644 index 0000000..d3d6a6b --- /dev/null 
+++ b/policy/modules/services/pxe.if @@ -0,0 +1 @@ +## <summary>Server for the PXE network boot protocol</summary> diff --git a/policy/modules/services/pxe.te b/policy/modules/services/pxe.te new file mode 100644 index 0000000..fec69eb --- /dev/null +++ b/policy/modules/services/pxe.te @@ -0,0 +1,63 @@ +policy_module(pxe, 1.4.0) + +# cjp: policy seems incomplete + +######################################## +# +# Declarations +# + +type pxe_t; +type pxe_exec_t; +init_daemon_domain(pxe_t, pxe_exec_t) + +type pxe_log_t; +logging_log_file(pxe_log_t) + +type pxe_var_run_t; +files_pid_file(pxe_var_run_t) + +######################################## +# +# Local policy +# + +allow pxe_t self:capability { chown setgid setuid }; +dontaudit pxe_t self:capability sys_tty_config; +allow pxe_t self:process signal_perms; + +allow pxe_t pxe_log_t:file manage_file_perms; +logging_log_filetrans(pxe_t, pxe_log_t, file) + +manage_files_pattern(pxe_t, pxe_var_run_t, pxe_var_run_t) +files_pid_filetrans(pxe_t, pxe_var_run_t, file) + +kernel_read_kernel_sysctls(pxe_t) +kernel_list_proc(pxe_t) +kernel_read_proc_symlinks(pxe_t) + +corenet_udp_bind_pxe_port(pxe_t) + +dev_read_sysfs(pxe_t) + +domain_use_interactive_fds(pxe_t) + +files_read_etc_files(pxe_t) + +fs_getattr_all_fs(pxe_t) +fs_search_auto_mountpoints(pxe_t) + +logging_send_syslog_msg(pxe_t) + +miscfiles_read_localization(pxe_t) + +userdom_dontaudit_use_unpriv_user_fds(pxe_t) +userdom_dontaudit_search_user_home_dirs(pxe_t) + +optional_policy(` + seutil_sigchld_newrole(pxe_t) +') + +optional_policy(` + udev_read_db(pxe_t) +') diff --git a/policy/modules/services/pyicqt.fc b/policy/modules/services/pyicqt.fc new file mode 100644 index 0000000..491fe8f --- /dev/null +++ b/policy/modules/services/pyicqt.fc 
@@ -0,0 +1,7 @@ +/etc/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_conf_t,s0) + +/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0) + +/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0) + +/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0) diff --git a/policy/modules/services/pyicqt.if b/policy/modules/services/pyicqt.if new file mode 100644 index 0000000..9604b6a --- /dev/null +++ b/policy/modules/services/pyicqt.if @@ -0,0 +1 @@ +## <summary>PyICQt is an ICQ transport for XMPP server.</summary> diff --git a/policy/modules/services/pyicqt.te b/policy/modules/services/pyicqt.te new file mode 100644 index 0000000..a841221 --- /dev/null +++ b/policy/modules/services/pyicqt.te 
@@ -0,0 +1,59 @@ +policy_module(pyicqt, 1.0.0) + +######################################## +# +# Declarations +# + +type pyicqt_t; +type pyicqt_exec_t; +init_daemon_domain(pyicqt_t, pyicqt_exec_t) + +type pyicqt_conf_t; +files_config_file(pyicqt_conf_t) + +type pyicqt_spool_t; +files_type(pyicqt_spool_t) + +type pyicqt_var_run_t; +files_pid_file(pyicqt_var_run_t) + +######################################## +# +# PyICQt policy +# + +allow pyicqt_t self:fifo_file rw_fifo_file_perms; +allow pyicqt_t self:tcp_socket create_socket_perms; +allow pyicqt_t self:udp_socket create_socket_perms; + +read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t) + +manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t) +manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t) +files_spool_filetrans(pyicqt_t, pyicqt_spool_t, { dir file }) + +manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t) +files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file) + +kernel_read_system_state(pyicqt_t) + +corecmd_exec_bin(pyicqt_t) + +corenet_all_recvfrom_unlabeled(pyicqt_t) +corenet_all_recvfrom_netlabel(pyicqt_t) +corenet_tcp_sendrecv_generic_if(pyicqt_t) +corenet_tcp_sendrecv_generic_node(pyicqt_t) +corenet_tcp_connect_generic_port(pyicqt_t) +corenet_sendrecv_generic_client_packets(pyicqt_t) + +dev_read_urand(pyicqt_t) + +files_read_etc_files(pyicqt_t) +files_read_usr_files(pyicqt_t) + +libs_read_lib_files(pyicqt_t) + +miscfiles_read_localization(pyicqt_t) + +sysnet_read_config(pyicqt_t) diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc new file mode 100644 index 0000000..705196e --- /dev/null +++ b/policy/modules/services/pyzor.fc 
@@ -0,0 +1,13 @@ +/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) +/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) + +HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) +HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) +/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) +/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) + +/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) +/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) + +/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0) +/var/log/pyzord\.log -- gen_context(system_u:object_r:pyzord_log_t,s0) diff --git a/policy/modules/services/pyzor.if b/policy/modules/services/pyzor.if new file mode 100644 index 0000000..aa3d0b4 --- /dev/null +++ b/policy/modules/services/pyzor.if 
@@ -0,0 +1,135 @@ +## <summary>Pyzor is a distributed, collaborative spam detection and filtering network.</summary> + +######################################## +## <summary> +## Role access for pyzor +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +## <rolecap/> +# +interface(`pyzor_role',` + gen_require(` + type pyzor_t, pyzor_exec_t; + type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t; + ') + + role $1 types pyzor_t; + + # Transition from the user domain to the derived domain. + domtrans_pattern($2, pyzor_exec_t, pyzor_t) + + # allow ps to show pyzor and allow the user to kill it + ps_process_pattern($2, pyzor_t) + allow $2 pyzor_t:process { ptrace signal_perms }; +') + +######################################## +## <summary> +## Send generic signals to pyzor +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pyzor_signal',` + gen_require(` + type pyzor_t; + ') + + allow $1 pyzor_t:process signal; +') + +######################################## +## <summary> +## Execute pyzor with a domain transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`pyzor_domtrans',` + gen_require(` + type pyzor_exec_t, pyzor_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, pyzor_exec_t, pyzor_t) +') + +######################################## +## <summary> +## Execute pyzor in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`pyzor_exec',` + gen_require(` + type pyzor_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + can_exec($1, pyzor_exec_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an pyzor environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the pyzor domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`pyzor_admin',` + gen_require(` + type pyzord_t, pyzor_tmp_t, pyzord_log_t; + type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t; + ') + + allow $1 pyzord_t:process { ptrace signal_perms }; + ps_process_pattern($1, pyzord_t) + + init_labeled_script_domtrans($1, pyzord_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 pyzord_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, pyzor_tmp_t) + + logging_list_logs($1) + admin_pattern($1, pyzord_log_t) + + files_list_etc($1) + admin_pattern($1, pyzor_etc_t) + + files_list_var_lib($1) + admin_pattern($1, pyzor_var_lib_t) +') diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te new file mode 100644 index 0000000..d455637 --- /dev/null +++ b/policy/modules/services/pyzor.te 
@@ -0,0 +1,174 @@ +policy_module(pyzor, 2.1.0) + +######################################## +# +# Declarations +# + +ifdef(`distro_redhat',` + gen_require(` + type spamc_t, spamc_exec_t, spamd_t; + type spamd_initrc_exec_t, spamd_exec_t, spamc_tmp_t; + type spamd_log_t, spamd_var_lib_t, spamd_etc_t; + type spamc_tmp_t, spamc_home_t; + ') + + typealias spamc_t alias pyzor_t; + typealias spamc_exec_t alias pyzor_exec_t; + typealias spamd_t alias pyzord_t; + typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t; + typealias spamd_exec_t alias pyzord_exec_t; + typealias spamc_tmp_t alias pyzor_tmp_t; + typealias spamd_log_t alias pyzor_log_t; + typealias spamd_log_t alias pyzord_log_t; + typealias spamd_var_lib_t alias pyzor_var_lib_t; + typealias spamd_etc_t alias pyzor_etc_t; + typealias spamc_home_t alias pyzor_home_t; + typealias spamc_home_t alias user_pyzor_home_t; +',` + type pyzor_t; + type pyzor_exec_t; + typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t }; + typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t }; + application_domain(pyzor_t, pyzor_exec_t) + ubac_constrained(pyzor_t) + role system_r types pyzor_t; + + type pyzor_etc_t; + files_type(pyzor_etc_t) + + type pyzor_home_t; + typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t }; + typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t }; + userdom_user_home_content(pyzor_home_t) + + type pyzor_tmp_t; + typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t }; + typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t }; + files_tmp_file(pyzor_tmp_t) + ubac_constrained(pyzor_tmp_t) + + type pyzor_var_lib_t; + typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t }; + typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t }; + files_type(pyzor_var_lib_t) + ubac_constrained(pyzor_var_lib_t) + + type pyzord_t; + 
type pyzord_exec_t; + init_daemon_domain(pyzord_t, pyzord_exec_t) + + type pyzord_log_t; + logging_log_file(pyzord_log_t) +') + +######################################## +# +# Pyzor client local policy +# + +allow pyzor_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) +manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) +manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) +userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file }) + +allow pyzor_t pyzor_var_lib_t:dir list_dir_perms; +read_files_pattern(pyzor_t, pyzor_var_lib_t, pyzor_var_lib_t) +files_search_var_lib(pyzor_t) + +manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t) +manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t) +files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir }) + +kernel_read_kernel_sysctls(pyzor_t) +kernel_read_system_state(pyzor_t) + +corecmd_list_bin(pyzor_t) +corecmd_getattr_bin_files(pyzor_t) + +corenet_tcp_sendrecv_generic_if(pyzor_t) +corenet_udp_sendrecv_generic_if(pyzor_t) +corenet_tcp_sendrecv_generic_node(pyzor_t) +corenet_udp_sendrecv_generic_node(pyzor_t) +corenet_tcp_sendrecv_all_ports(pyzor_t) +corenet_udp_sendrecv_all_ports(pyzor_t) +corenet_tcp_connect_http_port(pyzor_t) + +dev_read_urand(pyzor_t) + +fs_getattr_xattr_fs(pyzor_t) + +files_read_etc_files(pyzor_t) + +auth_use_nsswitch(pyzor_t) + +miscfiles_read_localization(pyzor_t) + +mta_read_queue(pyzor_t) + +userdom_dontaudit_search_user_home_dirs(pyzor_t) + +optional_policy(` + amavis_manage_lib_files(pyzor_t) + amavis_manage_spool_files(pyzor_t) +') + +optional_policy(` + spamassassin_signal_spamd(pyzor_t) + spamassassin_read_spamd_tmp_files(pyzor_t) +') + +######################################## +# +# Pyzor server local policy +# + +allow pyzord_t self:udp_socket create_socket_perms; + +manage_files_pattern(pyzord_t, pyzor_var_lib_t, pyzor_var_lib_t) +allow pyzord_t pyzor_var_lib_t:dir setattr; 
+files_var_lib_filetrans(pyzord_t, pyzor_var_lib_t, { file dir }) + +read_files_pattern(pyzord_t, pyzor_etc_t, pyzor_etc_t) +allow pyzord_t pyzor_etc_t:dir list_dir_perms; + +can_exec(pyzord_t, pyzor_exec_t) + +manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) +allow pyzord_t pyzord_log_t:dir setattr_dir_perms; +logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir }) + +kernel_read_kernel_sysctls(pyzord_t) +kernel_read_system_state(pyzord_t) + +dev_read_urand(pyzord_t) + +corecmd_exec_bin(pyzord_t) + +corenet_all_recvfrom_unlabeled(pyzord_t) +corenet_all_recvfrom_netlabel(pyzord_t) +corenet_udp_sendrecv_generic_if(pyzord_t) +corenet_udp_sendrecv_generic_node(pyzord_t) +corenet_udp_sendrecv_all_ports(pyzord_t) +corenet_udp_bind_generic_node(pyzord_t) +corenet_udp_bind_pyzor_port(pyzord_t) +corenet_sendrecv_pyzor_server_packets(pyzord_t) + +files_read_etc_files(pyzord_t) + +auth_use_nsswitch(pyzord_t) + +locallogin_dontaudit_use_fds(pyzord_t) + +miscfiles_read_localization(pyzord_t) + +# Do not audit attempts to access /root. +userdom_dontaudit_search_user_home_dirs(pyzord_t) + +mta_manage_spool(pyzord_t) + +optional_policy(` + logging_send_syslog_msg(pyzord_t) +') diff --git a/policy/modules/services/qmail.fc b/policy/modules/services/qmail.fc new file mode 100644 index 0000000..0055e54 --- /dev/null +++ b/policy/modules/services/qmail.fc 
@@ -0,0 +1,47 @@ + +/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0) +/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0) + +/var/qmail/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) +/var/qmail/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) +/var/qmail/bin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0) +/var/qmail/bin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0) +/var/qmail/bin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0) +/var/qmail/bin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0) +/var/qmail/bin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0) +/var/qmail/bin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0) +/var/qmail/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0) +/var/qmail/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0) +/var/qmail/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0) +/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) +/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) + +/var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) + +/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) + +ifdef(`distro_debian', ` +/etc/qmail(/.*)? 
gen_context(system_u:object_r:qmail_etc_t,s0) + +/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) + +#/usr/local/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0) + +/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) +/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) +/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0) +/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0) +/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0) +/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0) +/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0) +/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0) +/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0) +/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0) +/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0) +/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) + +/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) + +/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) +') + diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if new file mode 100644 index 0000000..77a25f5 --- /dev/null +++ b/policy/modules/services/qmail.if 
@@ -0,0 +1,149 @@ +## <summary>Qmail Mail Server</summary> + +######################################## +## <summary> +## Template for qmail parent/sub-domain pairs +## </summary> +## <param name="child_prefix"> +## <summary> +## The prefix of the child domain +## </summary> +## </param> +## <param name="parent_domain"> +## <summary> +## The name of the parent domain. +## </summary> +## </param> +# +template(`qmail_child_domain_template',` + type $1_t; + domain_type($1_t) + type $1_exec_t; + domain_entry_file($1_t, $1_exec_t) + domain_auto_trans($2, $1_exec_t, $1_t) + role system_r types $1_t; + + allow $1_t self:process signal_perms; + + allow $1_t $2:fd use; + allow $1_t $2:fifo_file rw_file_perms; + allow $1_t $2:process sigchld; + + allow $1_t qmail_etc_t:dir list_dir_perms; + allow $1_t qmail_etc_t:file read_file_perms; + allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms; + + allow $1_t qmail_start_t:fd use; + + kernel_list_proc($2) + kernel_read_proc_symlinks($2) + + corecmd_search_bin($1_t) + + files_search_var($1_t) + + fs_getattr_xattr_fs($1_t) + + miscfiles_read_localization($1_t) +') + +######################################## +## <summary> +## Transition to qmail_inject_t +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`qmail_domtrans_inject',` + gen_require(` + type qmail_inject_t, qmail_inject_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t) + + ifdef(`distro_debian',` + files_search_usr($1) + ',` + files_search_var($1) + ') +') + +######################################## +## <summary> +## Transition to qmail_queue_t +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`qmail_domtrans_queue',` + gen_require(` + type qmail_queue_t, qmail_queue_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t) + + ifdef(`distro_debian',` + files_search_usr($1) + ',` + files_search_var($1) + ') +') + +######################################## +## <summary> +## Read qmail configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`qmail_read_config',` + gen_require(` + type qmail_etc_t; + ') + + allow $1 qmail_etc_t:dir list_dir_perms; + allow $1 qmail_etc_t:file read_file_perms; + allow $1 qmail_etc_t:lnk_file read_lnk_file_perms; + files_search_var($1) + + ifdef(`distro_debian',` + # handle /etc/qmail + files_search_etc($1) + ') +') + +######################################## +## <summary> +## Define the specified domain as a qmail-smtp service. +## Needed by antivirus/antispam filters. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="entrypoint"> +## <summary> +## The type associated with the process program. +## </summary> +## </param> +# +interface(`qmail_smtpd_service_domain',` + gen_require(` + type qmail_smtpd_t; + ') + + domtrans_pattern(qmail_smtpd_t, $2, $1) +') diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te new file mode 100644 index 0000000..54329f9 --- /dev/null +++ b/policy/modules/services/qmail.te 
@@ -0,0 +1,325 @@ +policy_module(qmail, 1.5.0) + +######################################## +# +# Declarations +# + +attribute qmail_user_domains; + +type qmail_alias_home_t; +files_type(qmail_alias_home_t) + +qmail_child_domain_template(qmail_clean, qmail_start_t) + +type qmail_etc_t; +files_config_file(qmail_etc_t) + +type qmail_exec_t; +files_type(qmail_exec_t) + +type qmail_inject_t, qmail_user_domains; +type qmail_inject_exec_t; +domain_type(qmail_inject_t) +domain_entry_file(qmail_inject_t, qmail_inject_exec_t) +mta_mailserver_user_agent(qmail_inject_t) +role system_r types qmail_inject_t; + +qmail_child_domain_template(qmail_local, qmail_lspawn_t) +mta_mailserver_delivery(qmail_local_t) + +qmail_child_domain_template(qmail_lspawn, qmail_start_t) +mta_mailserver_delivery(qmail_lspawn_t) + +qmail_child_domain_template(qmail_queue, qmail_inject_t) +typeattribute qmail_queue_t qmail_user_domains; +mta_mailserver_user_agent(qmail_queue_t) + +qmail_child_domain_template(qmail_remote, qmail_rspawn_t) +mta_mailserver_sender(qmail_remote_t) + +qmail_child_domain_template(qmail_rspawn, qmail_start_t) + +qmail_child_domain_template(qmail_send, qmail_start_t) + +qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t) + +qmail_child_domain_template(qmail_splogger, qmail_start_t) + +type qmail_spool_t; +files_type(qmail_spool_t) + +type qmail_start_t; +type qmail_start_exec_t; +init_daemon_domain(qmail_start_t, qmail_start_exec_t) + +type qmail_tcp_env_t; +type qmail_tcp_env_exec_t; +application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) + +######################################## +# +# qmail-clean local policy +# this component cleans up the queue directory +# + +read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) +delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) + +######################################## +# +# qmail-inject local policy +# this component preprocesses mail from stdin and invokes qmail-queue +# + +allow qmail_inject_t 
self:process signal_perms; +allow qmail_inject_t self:fifo_file write_fifo_file_perms; + +allow qmail_inject_t qmail_queue_exec_t:file read_file_perms; + +corecmd_search_bin(qmail_inject_t) + +files_search_var(qmail_inject_t) + +miscfiles_read_localization(qmail_inject_t) + +qmail_read_config(qmail_inject_t) + +######################################## +# +# qmail-local local policy +# this component delivers a mail message +# + +allow qmail_local_t self:process signal_perms; +allow qmail_local_t self:fifo_file write_file_perms; +allow qmail_local_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) +manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) + +can_exec(qmail_local_t, qmail_local_exec_t) + +allow qmail_local_t qmail_queue_exec_t:file read_file_perms; + +allow qmail_local_t qmail_spool_t:file read_file_perms; + +kernel_read_system_state(qmail_local_t) + +corecmd_exec_bin(qmail_local_t) +corecmd_exec_shell(qmail_local_t) + +files_read_etc_files(qmail_local_t) +files_read_etc_runtime_files(qmail_local_t) + +auth_use_nsswitch(qmail_local_t) + +logging_send_syslog_msg(qmail_local_t) + +mta_append_spool(qmail_local_t) + +qmail_domtrans_queue(qmail_local_t) + +optional_policy(` + uucp_domtrans(qmail_local_t) +') + +optional_policy(` + spamassassin_domtrans_client(qmail_local_t) +') + +######################################## +# +# qmail-lspawn local policy +# this component schedules local deliveries +# + +allow qmail_lspawn_t self:capability { setuid setgid }; +allow qmail_lspawn_t self:process signal_perms; +allow qmail_lspawn_t self:fifo_file rw_fifo_file_perms; +allow qmail_lspawn_t self:unix_stream_socket create_socket_perms; + +can_exec(qmail_lspawn_t, qmail_exec_t) + +allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms; + +read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t) + +corecmd_search_bin(qmail_lspawn_t) + 
+files_read_etc_files(qmail_lspawn_t) +files_search_pids(qmail_lspawn_t) +files_search_tmp(qmail_lspawn_t) + +######################################## +# +# qmail-queue local policy +# this component places a mail in a delivery queue, later to be processed by qmail-send +# + +allow qmail_queue_t qmail_lspawn_t:fd use; +allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms; + +allow qmail_queue_t qmail_smtpd_t:process sigchld; +allow qmail_queue_t qmail_smtpd_t:fd use; +allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms; + +manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) +manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) +rw_fifo_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) + +corecmd_exec_bin(qmail_queue_t) + +logging_send_syslog_msg(qmail_queue_t) + +optional_policy(` + daemontools_ipc_domain(qmail_queue_t) +') + +######################################## +# +# qmail-remote local policy +# this component sends mail via SMTP +# + +allow qmail_remote_t self:tcp_socket create_socket_perms; +allow qmail_remote_t self:udp_socket create_socket_perms; + +rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t) + +corenet_all_recvfrom_unlabeled(qmail_remote_t) +corenet_all_recvfrom_netlabel(qmail_remote_t) +corenet_tcp_sendrecv_generic_if(qmail_remote_t) +corenet_udp_sendrecv_generic_if(qmail_remote_t) +corenet_tcp_sendrecv_generic_node(qmail_remote_t) +corenet_udp_sendrecv_generic_node(qmail_remote_t) +corenet_tcp_sendrecv_smtp_port(qmail_remote_t) +corenet_udp_sendrecv_dns_port(qmail_remote_t) +corenet_tcp_connect_smtp_port(qmail_remote_t) +corenet_sendrecv_smtp_client_packets(qmail_remote_t) + +dev_read_rand(qmail_remote_t) +dev_read_urand(qmail_remote_t) + +sysnet_read_config(qmail_remote_t) + +######################################## +# +# qmail-rspawn local policy +# this component scedules remote deliveries +# + +allow qmail_rspawn_t self:process signal_perms; +allow qmail_rspawn_t 
self:fifo_file read_fifo_file_perms; + +allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms; + +rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t) + +corecmd_search_bin(qmail_rspawn_t) + +######################################## +# +# qmail-send local policy +# this component delivers mail messages from the queue +# + +allow qmail_send_t self:process signal_perms; +allow qmail_send_t self:fifo_file write_fifo_file_perms; + +manage_dirs_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t) +manage_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t) +read_fifo_files_pattern(qmail_send_t, qmail_spool_t, qmail_spool_t) + +qmail_domtrans_queue(qmail_send_t) + +optional_policy(` + daemontools_ipc_domain(qmail_send_t) +') + +######################################## +# +# qmail-smtpd local policy +# this component receives mails via SMTP +# + +allow qmail_smtpd_t self:process signal_perms; +allow qmail_smtpd_t self:fifo_file write_fifo_file_perms; +allow qmail_smtpd_t self:tcp_socket create_socket_perms; + +allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms; + +dev_read_rand(qmail_smtpd_t) +dev_read_urand(qmail_smtpd_t) + +qmail_domtrans_queue(qmail_smtpd_t) + +optional_policy(` + daemontools_ipc_domain(qmail_smtpd_t) +') + +optional_policy(` + kerberos_keytab_template(qmail, qmail_smtpd_t) +') + +optional_policy(` + ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t) +') + +######################################## +# +# splogger local policy +# this component creates entries in syslog +# + +allow qmail_splogger_t self:unix_dgram_socket create_socket_perms; + +files_read_etc_files(qmail_splogger_t) + +init_dontaudit_use_script_fds(qmail_splogger_t) + +miscfiles_read_localization(qmail_splogger_t) + +######################################## +# +# qmail-start local policy +# this component starts up the mail delivery component +# + +allow qmail_start_t self:capability { setgid setuid }; +dontaudit qmail_start_t self:capability 
sys_tty_config; +allow qmail_start_t self:process signal_perms; +allow qmail_start_t self:fifo_file rw_fifo_file_perms; + +can_exec(qmail_start_t, qmail_start_exec_t) + +corecmd_search_bin(qmail_start_t) + +files_search_var(qmail_start_t) + +qmail_read_config(qmail_start_t) + +optional_policy(` + daemontools_service_domain(qmail_start_t, qmail_start_exec_t) + daemontools_ipc_domain(qmail_start_t) +') + +######################################## +# +# tcp-env local policy +# this component sets up TCP-related environment variables +# + +allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms; + +corecmd_search_bin(qmail_tcp_env_t) + +sysnet_read_config(qmail_tcp_env_t) + +optional_policy(` + inetd_tcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) +') + +optional_policy(` + ucspitcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) +') diff --git a/policy/modules/services/qpidd.fc b/policy/modules/services/qpidd.fc new file mode 100644 index 0000000..f3b89e4 --- /dev/null +++ b/policy/modules/services/qpidd.fc @@ -0,0 +1,9 @@ + +/usr/sbin/qpidd -- gen_context(system_u:object_r:qpidd_exec_t,s0) + +/etc/rc\.d/init\.d/qpidd -- gen_context(system_u:object_r:qpidd_initrc_exec_t,s0) + +/var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0) + +/var/run/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_run_t,s0) +/var/run/qpidd\.pid gen_context(system_u:object_r:qpidd_var_run_t,s0) diff --git a/policy/modules/services/qpidd.if b/policy/modules/services/qpidd.if new file mode 100644 index 0000000..c403abc --- /dev/null +++ b/policy/modules/services/qpidd.if 
@@ -0,0 +1,228 @@ +## <summary>policy for qpidd</summary> + +######################################## +## <summary> +## Execute a domain transition to run qpidd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`qpidd_domtrans',` + gen_require(` + type qpidd_t, qpidd_exec_t; + ') + + domtrans_pattern($1, qpidd_exec_t, qpidd_t) +') + +######################################## +## <summary> +## Execute qpidd server in the qpidd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qpidd_initrc_domtrans',` + gen_require(` + type qpidd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, qpidd_initrc_exec_t) +') + +######################################## +## <summary> +## Read qpidd PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qpidd_read_pid_files',` + gen_require(` + type qpidd_var_run_t; + ') + + files_search_pids($1) + allow $1 qpidd_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Manage qpidd var_run files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qpidd_manage_var_run',` + gen_require(` + type qpidd_var_run_t; + ') + + files_search_pids($1) + manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t) + manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) + manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) +') + +######################################## +## <summary> +## Search qpidd lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`qpidd_search_lib',` + gen_require(` + type qpidd_var_lib_t; + ') + + allow $1 qpidd_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Read qpidd lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qpidd_read_lib_files',` + gen_require(` + type qpidd_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## qpidd lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qpidd_manage_lib_files',` + gen_require(` + type qpidd_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) +') + +######################################## +## <summary> +## Manage qpidd var_lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qpidd_manage_var_lib',` + gen_require(` + type qpidd_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an qpidd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`qpidd_admin',` + gen_require(` + type qpidd_t, qpidd_initrc_exec_t; + ') + + allow $1 qpidd_t:process { ptrace signal_perms }; + ps_process_pattern($1, qpidd_t) + + # Allow qpidd_t to restart the apache service + qpidd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 qpidd_initrc_exec_t system_r; + allow $2 system_r; + + qpidd_manage_var_run($1) + + qpidd_manage_var_lib($1) +') + +##################################### +## <summary> +## Allow read and write access to qpidd semaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qpidd_rw_semaphores',` + gen_require(` + type qpidd_t; + ') + + allow $1 qpidd_t:sem rw_sem_perms; +') + +######################################## +## <summary> +## Read and write to qpidd shared memory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qpidd_rw_shm',` + gen_require(` + type qpidd_t; + ') + + allow $1 qpidd_t:shm rw_shm_perms; +') diff --git a/policy/modules/services/qpidd.te b/policy/modules/services/qpidd.te new file mode 100644 index 0000000..43639a0 --- /dev/null +++ b/policy/modules/services/qpidd.te 
@@ -0,0 +1,59 @@ +policy_module(qpidd, 1.0.0) + +######################################## +# +# Declarations +# + +type qpidd_t; +type qpidd_exec_t; +init_daemon_domain(qpidd_t, qpidd_exec_t) + +type qpidd_initrc_exec_t; +init_script_file(qpidd_initrc_exec_t) + +type qpidd_var_run_t; +files_pid_file(qpidd_var_run_t) + +type qpidd_var_lib_t; +files_type(qpidd_var_lib_t) + +######################################## +# +# qpidd local policy +# + +allow qpidd_t self:process { setsched signull }; +allow qpidd_t self:fifo_file rw_fifo_file_perms; +allow qpidd_t self:sem create_sem_perms; +allow qpidd_t self:shm create_shm_perms; +allow qpidd_t self:tcp_socket create_stream_socket_perms; +allow qpidd_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) +manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) +files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir }) + +manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) +manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) +files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir }) + +kernel_read_system_state(qpidd_t) + +corenet_all_recvfrom_unlabeled(qpidd_t) +corenet_all_recvfrom_netlabel(qpidd_t) +corenet_tcp_bind_generic_node(qpidd_t) +corenet_tcp_sendrecv_generic_if(qpidd_t) +corenet_tcp_sendrecv_generic_node(qpidd_t) +corenet_tcp_sendrecv_all_ports(qpidd_t) +corenet_tcp_bind_amqp_port(qpidd_t) + +dev_read_urand(qpidd_t) + +files_read_etc_files(qpidd_t) + +logging_send_syslog_msg(qpidd_t) + +miscfiles_read_localization(qpidd_t) + +sysnet_dns_name_resolve(qpidd_t) diff --git a/policy/modules/services/radius.fc b/policy/modules/services/radius.fc new file mode 100644 index 0000000..09f7b50 --- /dev/null +++ b/policy/modules/services/radius.fc 
@@ -0,0 +1,23 @@ + +/etc/cron\.(daily|monthly)/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) +/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) +/etc/rc\.d/init\.d/radiusd -- gen_context(system_u:object_r:radiusd_initrc_exec_t,s0) + +/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0) +/etc/raddb/db\.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0) + +/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) +/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) + +/var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0) + +/var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) +/var/log/radacct(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) +/var/log/radius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) +/var/log/radius\.log.* -- gen_context(system_u:object_r:radiusd_log_t,s0) +/var/log/radiusd-freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) +/var/log/radutmp -- gen_context(system_u:object_r:radiusd_log_t,s0) +/var/log/radwtmp.* -- gen_context(system_u:object_r:radiusd_log_t,s0) + +/var/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0) +/var/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_var_run_t,s0) diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if new file mode 100644 index 0000000..8f132e7 --- /dev/null +++ b/policy/modules/services/radius.if 
@@ -0,0 +1,62 @@ +## <summary>RADIUS authentication and accounting server.</summary> + +######################################## +## <summary> +## Use radius over a UDP connection. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`radius_use',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## All of the rules required to administrate +## an radius environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`radius_admin',` + gen_require(` + type radiusd_t, radiusd_etc_t, radiusd_log_t; + type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t; + type radiusd_initrc_exec_t; + ') + + allow $1 radiusd_t:process { ptrace signal_perms }; + ps_process_pattern($1, radiusd_t) + + init_labeled_script_domtrans($1, radiusd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 radiusd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, radiusd_etc_t) + + logging_list_logs($1) + admin_pattern($1, radiusd_log_t) + + admin_pattern($1, radiusd_etc_rw_t) + + files_list_var_lib($1) + admin_pattern($1, radiusd_var_lib_t) + + files_list_pids($1) + admin_pattern($1, radiusd_var_run_t) +') diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te new file mode 100644 index 0000000..b3f1fd3 --- /dev/null +++ b/policy/modules/services/radius.te 
@@ -0,0 +1,143 @@ +policy_module(radius, 1.11.0) + +######################################## +# +# Declarations +# + +type radiusd_t; +type radiusd_exec_t; +init_daemon_domain(radiusd_t, radiusd_exec_t) + +type radiusd_etc_t; +files_config_file(radiusd_etc_t) + +type radiusd_etc_rw_t; +files_type(radiusd_etc_rw_t) + +type radiusd_initrc_exec_t; +init_script_file(radiusd_initrc_exec_t) + +type radiusd_log_t; +logging_log_file(radiusd_log_t) + +type radiusd_var_lib_t; +files_type(radiusd_var_lib_t) + +type radiusd_var_run_t; +files_pid_file(radiusd_var_run_t) + +######################################## +# +# Local policy +# + +# fsetid is for gzip which needs it when run from scripts +# gzip also needs chown access to preserve GID for radwtmp files +allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; +dontaudit radiusd_t self:capability sys_tty_config; +allow radiusd_t self:process { getsched setrlimit setsched sigkill signal }; +allow radiusd_t self:fifo_file rw_fifo_file_perms; +allow radiusd_t self:unix_stream_socket create_stream_socket_perms; +allow radiusd_t self:tcp_socket create_stream_socket_perms; +allow radiusd_t self:udp_socket create_socket_perms; + +allow radiusd_t radiusd_etc_t:dir list_dir_perms; +read_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t) +read_lnk_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t) +files_search_etc(radiusd_t) + +manage_dirs_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) +manage_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) +manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) +filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file }) + +manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) +manage_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) +logging_log_filetrans(radiusd_t, radiusd_log_t,{ file dir }) + +manage_files_pattern(radiusd_t, radiusd_var_lib_t, 
radiusd_var_lib_t) + +manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) +manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) +manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) +files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir }) + +kernel_read_kernel_sysctls(radiusd_t) +kernel_read_system_state(radiusd_t) + +corenet_all_recvfrom_unlabeled(radiusd_t) +corenet_all_recvfrom_netlabel(radiusd_t) +corenet_tcp_sendrecv_generic_if(radiusd_t) +corenet_udp_sendrecv_generic_if(radiusd_t) +corenet_tcp_sendrecv_generic_node(radiusd_t) +corenet_udp_sendrecv_generic_node(radiusd_t) +corenet_tcp_sendrecv_all_ports(radiusd_t) +corenet_udp_sendrecv_all_ports(radiusd_t) +corenet_udp_bind_generic_node(radiusd_t) +corenet_udp_bind_radacct_port(radiusd_t) +corenet_udp_bind_radius_port(radiusd_t) +corenet_tcp_connect_mysqld_port(radiusd_t) +corenet_tcp_connect_snmp_port(radiusd_t) +corenet_sendrecv_radius_server_packets(radiusd_t) +corenet_sendrecv_radacct_server_packets(radiusd_t) +corenet_sendrecv_mysqld_client_packets(radiusd_t) +corenet_sendrecv_snmp_client_packets(radiusd_t) +# for RADIUS proxy port +corenet_udp_bind_generic_port(radiusd_t) +corenet_dontaudit_udp_bind_all_ports(radiusd_t) +corenet_sendrecv_generic_server_packets(radiusd_t) + +dev_read_sysfs(radiusd_t) + +fs_getattr_all_fs(radiusd_t) +fs_search_auto_mountpoints(radiusd_t) + +corecmd_exec_bin(radiusd_t) +corecmd_exec_shell(radiusd_t) + +domain_use_interactive_fds(radiusd_t) + +files_read_usr_files(radiusd_t) +files_read_etc_files(radiusd_t) +files_read_etc_runtime_files(radiusd_t) + +auth_use_nsswitch(radiusd_t) +auth_read_shadow(radiusd_t) +auth_domtrans_chk_passwd(radiusd_t) + +libs_exec_lib_files(radiusd_t) + +logging_send_syslog_msg(radiusd_t) + +miscfiles_read_localization(radiusd_t) +miscfiles_read_generic_certs(radiusd_t) + +userdom_dontaudit_use_unpriv_user_fds(radiusd_t) +userdom_dontaudit_search_user_home_dirs(radiusd_t) + 
+optional_policy(` + cron_system_entry(radiusd_t, radiusd_exec_t) +') + +optional_policy(` + logrotate_exec(radiusd_t) +') + +optional_policy(` + mysql_read_config(radiusd_t) + mysql_stream_connect(radiusd_t) +') + +optional_policy(` + samba_domtrans_winbind_helper(radiusd_t) + samba_read_var_files(radiusd_t) +') + +optional_policy(` + seutil_sigchld_newrole(radiusd_t) +') + +optional_policy(` + udev_read_db(radiusd_t) +') diff --git a/policy/modules/services/radvd.fc b/policy/modules/services/radvd.fc new file mode 100644 index 0000000..cc98d83 --- /dev/null +++ b/policy/modules/services/radvd.fc @@ -0,0 +1,7 @@ +/etc/radvd\.conf -- gen_context(system_u:object_r:radvd_etc_t,s0) +/etc/rc\.d/init\.d/radvd -- gen_context(system_u:object_r:radvd_initrc_exec_t,s0) + +/usr/sbin/radvd -- gen_context(system_u:object_r:radvd_exec_t,s0) + +/var/run/radvd\.pid -- gen_context(system_u:object_r:radvd_var_run_t,s0) +/var/run/radvd(/.*)? gen_context(system_u:object_r:radvd_var_run_t,s0) diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if new file mode 100644 index 0000000..2bd662a --- /dev/null +++ b/policy/modules/services/radvd.if 
@@ -0,0 +1,39 @@ +## <summary>IPv6 router advertisement daemon</summary> + +######################################## +## <summary> +## All of the rules required to administrate +## an radvd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`radvd_admin',` + gen_require(` + type radvd_t, radvd_etc_t, radvd_initrc_exec_t; + type radvd_var_run_t; + ') + + allow $1 radvd_t:process { ptrace signal_perms }; + ps_process_pattern($1, radvd_t) + + init_labeled_script_domtrans($1, radvd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 radvd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, radvd_etc_t) + + files_list_pids($1) + admin_pattern($1, radvd_var_run_t) +') diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te new file mode 100644 index 0000000..54b3cd3 --- /dev/null +++ b/policy/modules/services/radvd.te 
@@ -0,0 +1,82 @@ +policy_module(radvd, 1.12.1) + +######################################## +# +# Declarations +# +type radvd_t; +type radvd_exec_t; +init_daemon_domain(radvd_t, radvd_exec_t) + +type radvd_initrc_exec_t; +init_script_file(radvd_initrc_exec_t) + +type radvd_var_run_t; +files_pid_file(radvd_var_run_t) + +type radvd_etc_t; +files_config_file(radvd_etc_t) + +######################################## +# +# Local policy +# +allow radvd_t self:capability { kill setgid setuid net_raw net_admin }; +dontaudit radvd_t self:capability sys_tty_config; +allow radvd_t self:process { fork signal_perms }; +allow radvd_t self:unix_dgram_socket create_socket_perms; +allow radvd_t self:unix_stream_socket create_socket_perms; +allow radvd_t self:rawip_socket create_socket_perms; +allow radvd_t self:tcp_socket create_stream_socket_perms; +allow radvd_t self:udp_socket create_socket_perms; +allow radvd_t self:fifo_file rw_file_perms; + +allow radvd_t radvd_etc_t:file read_file_perms; + +manage_dirs_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t) +manage_files_pattern(radvd_t, radvd_var_run_t, radvd_var_run_t) +files_pid_filetrans(radvd_t, radvd_var_run_t, { dir file }) + +kernel_read_kernel_sysctls(radvd_t) +kernel_rw_net_sysctls(radvd_t) +kernel_read_network_state(radvd_t) +kernel_read_system_state(radvd_t) +kernel_request_load_module(radvd_t) + +corenet_all_recvfrom_unlabeled(radvd_t) +corenet_all_recvfrom_netlabel(radvd_t) +corenet_tcp_sendrecv_generic_if(radvd_t) +corenet_udp_sendrecv_generic_if(radvd_t) +corenet_raw_sendrecv_generic_if(radvd_t) +corenet_tcp_sendrecv_generic_node(radvd_t) +corenet_udp_sendrecv_generic_node(radvd_t) +corenet_raw_sendrecv_generic_node(radvd_t) +corenet_tcp_sendrecv_all_ports(radvd_t) +corenet_udp_sendrecv_all_ports(radvd_t) + +dev_read_sysfs(radvd_t) + +fs_getattr_all_fs(radvd_t) +fs_search_auto_mountpoints(radvd_t) + +domain_use_interactive_fds(radvd_t) + +files_read_etc_files(radvd_t) +files_list_usr(radvd_t) + 
+auth_use_nsswitch(radvd_t) + +logging_send_syslog_msg(radvd_t) + +miscfiles_read_localization(radvd_t) + +userdom_dontaudit_use_unpriv_user_fds(radvd_t) +userdom_dontaudit_search_user_home_dirs(radvd_t) + +optional_policy(` + seutil_sigchld_newrole(radvd_t) +') + +optional_policy(` + udev_read_db(radvd_t) +') diff --git a/policy/modules/services/razor.fc b/policy/modules/services/razor.fc new file mode 100644 index 0000000..71d657c --- /dev/null +++ b/policy/modules/services/razor.fc @@ -0,0 +1,9 @@ +/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) +HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) + +/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) + +/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0) + +/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0) +/var/log/razor-agent\.log -- gen_context(system_u:object_r:razor_log_t,s0) diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if new file mode 100644 index 0000000..3203212 --- /dev/null +++ b/policy/modules/services/razor.if 
@@ -0,0 +1,201 @@ +## <summary>A distributed, collaborative, spam detection and filtering network.</summary> +## <desc> +## <p> +## A distributed, collaborative, spam detection and filtering network. +## </p> +## <p> +## This policy will work with either the ATrpms provided config +## file in /etc/razor, or with the default of dumping everything into +## $HOME/.razor. +## </p> +## </desc> + +####################################### +## <summary> +## Template to create types and rules common to +## all razor domains. +## </summary> +## <param name="prefix"> +## <summary> +## The prefix of the domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +# +template(`razor_common_domain_template',` + gen_require(` + type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t; + ') + + type $1_t; + domain_type($1_t) + domain_entry_file($1_t, razor_exec_t) + + allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1_t self:fd use; + allow $1_t self:fifo_file rw_fifo_file_perms; + allow $1_t self:unix_dgram_socket create_socket_perms; + allow $1_t self:unix_stream_socket create_stream_socket_perms; + allow $1_t self:unix_dgram_socket sendto; + allow $1_t self:unix_stream_socket connectto; + allow $1_t self:shm create_shm_perms; + allow $1_t self:sem create_sem_perms; + allow $1_t self:msgq create_msgq_perms; + allow $1_t self:msg { send receive }; + allow $1_t self:tcp_socket create_socket_perms; + + # Read system config file + allow $1_t razor_etc_t:dir list_dir_perms; + allow $1_t razor_etc_t:file read_file_perms; + allow $1_t razor_etc_t:lnk_file read_lnk_file_perms; + + manage_dirs_pattern($1_t, razor_log_t, razor_log_t) + manage_files_pattern($1_t, razor_log_t, razor_log_t) + manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t) + logging_log_filetrans($1_t, razor_log_t, file) + + manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t) + manage_files_pattern($1_t, razor_var_lib_t, 
razor_var_lib_t) + manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t) + files_search_var_lib($1_t) + + # Razor is one executable and several symlinks + allow $1_t razor_exec_t:file read_file_perms; + allow $1_t razor_exec_t:lnk_file read_lnk_file_perms; + + kernel_read_system_state($1_t) + kernel_read_network_state($1_t) + kernel_read_software_raid_state($1_t) + kernel_getattr_core_if($1_t) + kernel_getattr_message_if($1_t) + kernel_read_kernel_sysctls($1_t) + + corecmd_exec_bin($1_t) + + corenet_all_recvfrom_unlabeled($1_t) + corenet_all_recvfrom_netlabel($1_t) + corenet_tcp_sendrecv_generic_if($1_t) + corenet_raw_sendrecv_generic_if($1_t) + corenet_tcp_sendrecv_generic_node($1_t) + corenet_raw_sendrecv_generic_node($1_t) + corenet_tcp_sendrecv_razor_port($1_t) + + # mktemp and other randoms + dev_read_rand($1_t) + dev_read_urand($1_t) + + files_search_pids($1_t) + # Allow access to various files in the /etc/directory including mtab + # and nsswitch + files_read_etc_files($1_t) + files_read_etc_runtime_files($1_t) + + fs_search_auto_mountpoints($1_t) + + libs_read_lib_files($1_t) + + miscfiles_read_localization($1_t) + + sysnet_read_config($1_t) + sysnet_dns_name_resolve($1_t) + + optional_policy(` + nis_use_ypbind($1_t) + ') +') + +######################################## +## <summary> +## Role access for razor +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +## <rolecap/> +# +interface(`razor_role',` + gen_require(` + type razor_t, razor_exec_t, razor_home_t; + ') + + role $1 types razor_t; + + # Transition from the user domain to the derived domain. 
+ domtrans_pattern($2, razor_exec_t, razor_t) + + # allow ps to show razor and allow the user to kill it + ps_process_pattern($2, razor_t) + allow $2 razor_t:process { ptrace signal_perms }; + + manage_dirs_pattern($2, razor_home_t, razor_home_t) + manage_files_pattern($2, razor_home_t, razor_home_t) + manage_lnk_files_pattern($2, razor_home_t, razor_home_t) + relabel_dirs_pattern($2, razor_home_t, razor_home_t) + relabel_files_pattern($2, razor_home_t, razor_home_t) + relabel_lnk_files_pattern($2, razor_home_t, razor_home_t) +') + +######################################## +## <summary> +## Execute razor in the system razor domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`razor_domtrans',` + gen_require(` + type razor_t, razor_exec_t; + ') + + domtrans_pattern($1, razor_exec_t, razor_t) +') + +######################################## +## <summary> +## Create, read, write, and delete razor files +## in a user home subdirectory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`razor_manage_user_home_files',` + gen_require(` + type razor_home_t; + ') + + userdom_search_user_home_dirs($1) + manage_files_pattern($1, razor_home_t, razor_home_t) + read_lnk_files_pattern($1, razor_home_t, razor_home_t) +') + +######################################## +## <summary> +## read razor lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`razor_read_lib_files',` + gen_require(` + type razor_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, razor_var_lib_t, razor_var_lib_t) +') diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te new file mode 100644 index 0000000..f24c52e --- /dev/null +++ b/policy/modules/services/razor.te 
@@ -0,0 +1,143 @@ +policy_module(razor, 2.1.1) + +######################################## +# +# Declarations +# + +ifdef(`distro_redhat',` + gen_require(` + type spamc_t, spamc_exec_t, spamd_log_t; + type spamd_spool_t, spamd_var_lib_t, spamd_etc_t; + type spamc_home_t, spamc_tmp_t; + ') + + typealias spamc_t alias razor_t; + typealias spamc_exec_t alias razor_exec_t; + typealias spamd_log_t alias razor_log_t; + typealias spamd_var_lib_t alias razor_var_lib_t; + typealias spamd_etc_t alias razor_etc_t; + typealias spamc_home_t alias razor_home_t; + typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; + typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; + typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; + typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; +',` + type razor_exec_t; + corecmd_executable_file(razor_exec_t) + + type razor_etc_t; + files_config_file(razor_etc_t) + + type razor_home_t; + typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; + typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; + userdom_user_home_content(razor_home_t) + + type razor_log_t; + logging_log_file(razor_log_t) + + type razor_tmp_t; + typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; + typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; + files_tmp_file(razor_tmp_t) + ubac_constrained(razor_tmp_t) + + type razor_var_lib_t; + files_type(razor_var_lib_t) + + # these are here due to ordering issues: + razor_common_domain_template(razor) + typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t }; + typealias razor_t alias { auditadm_razor_t secadm_razor_t }; + ubac_constrained(razor_t) + + razor_common_domain_template(system_razor) + role system_r types system_razor_t; + + ######################################## + # + # System 
razor local policy + # + + # this version of razor is invoked typically + # via the system spam filter + + allow system_razor_t self:tcp_socket create_socket_perms; + + manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t) + manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) + manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t) + files_search_etc(system_razor_t) + + allow system_razor_t razor_log_t:file manage_file_perms; + logging_log_filetrans(system_razor_t, razor_log_t, file) + + manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t) + files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file) + + corenet_all_recvfrom_unlabeled(system_razor_t) + corenet_all_recvfrom_netlabel(system_razor_t) + corenet_tcp_sendrecv_generic_if(system_razor_t) + corenet_raw_sendrecv_generic_if(system_razor_t) + corenet_tcp_sendrecv_generic_node(system_razor_t) + corenet_raw_sendrecv_generic_node(system_razor_t) + corenet_tcp_sendrecv_razor_port(system_razor_t) + corenet_tcp_connect_razor_port(system_razor_t) + corenet_sendrecv_razor_client_packets(system_razor_t) + + sysnet_read_config(system_razor_t) + + # cjp: this shouldn't be needed + userdom_use_unpriv_users_fds(system_razor_t) + + optional_policy(` + logging_send_syslog_msg(system_razor_t) + ') + + optional_policy(` + nscd_socket_use(system_razor_t) + ') + + ######################################## + # + # User razor local policy + # + + # Allow razor to be run by hand. Needed by any action other than + # invocation from a spam filter. 
+ + allow razor_t self:unix_stream_socket create_stream_socket_perms; + + manage_dirs_pattern(razor_t, razor_home_t, razor_home_t) + manage_files_pattern(razor_t, razor_home_t, razor_home_t) + manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t) + userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir) + + manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t) + manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t) + files_tmp_filetrans(razor_t, razor_tmp_t, { file dir }) + + auth_use_nsswitch(razor_t) + + logging_send_syslog_msg(razor_t) + + userdom_search_user_home_dirs(razor_t) + userdom_use_user_terminals(razor_t) + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(razor_t) + fs_manage_nfs_files(razor_t) + fs_manage_nfs_symlinks(razor_t) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(razor_t) + fs_manage_cifs_files(razor_t) + fs_manage_cifs_symlinks(razor_t) + ') + + optional_policy(` + milter_manage_spamass_state(razor_t) + ') +') diff --git a/policy/modules/services/rdisc.fc b/policy/modules/services/rdisc.fc new file mode 100644 index 0000000..dee4adc --- /dev/null +++ b/policy/modules/services/rdisc.fc @@ -0,0 +1,2 @@ + +/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) diff --git a/policy/modules/services/rdisc.if b/policy/modules/services/rdisc.if new file mode 100644 index 0000000..fe24d25 --- /dev/null +++ b/policy/modules/services/rdisc.if @@ -0,0 +1,20 @@ +## <summary>Network router discovery daemon</summary> + +###################################### +## <summary> +## Execute rdisc in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rdisc_exec',` + gen_require(` + type rdisc_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, rdisc_exec_t) +') diff --git a/policy/modules/services/rdisc.te b/policy/modules/services/rdisc.te new file mode 100644 index 0000000..0f07685 --- /dev/null 
+++ b/policy/modules/services/rdisc.te @@ -0,0 +1,58 @@ +policy_module(rdisc, 1.8.0) + +######################################## +# +# Declarations +# + +type rdisc_t; +type rdisc_exec_t; +init_daemon_domain(rdisc_t, rdisc_exec_t) + +######################################## +# +# Local policy +# + +allow rdisc_t self:capability net_raw; +dontaudit rdisc_t self:capability sys_tty_config; +allow rdisc_t self:process signal_perms; +allow rdisc_t self:unix_stream_socket create_stream_socket_perms; +allow rdisc_t self:udp_socket create_socket_perms; +allow rdisc_t self:rawip_socket create_socket_perms; + +kernel_list_proc(rdisc_t) +kernel_read_proc_symlinks(rdisc_t) +kernel_read_kernel_sysctls(rdisc_t) + +corenet_all_recvfrom_unlabeled(rdisc_t) +corenet_all_recvfrom_netlabel(rdisc_t) +corenet_udp_sendrecv_generic_if(rdisc_t) +corenet_raw_sendrecv_generic_if(rdisc_t) +corenet_udp_sendrecv_generic_node(rdisc_t) +corenet_raw_sendrecv_generic_node(rdisc_t) +corenet_udp_sendrecv_all_ports(rdisc_t) + +dev_read_sysfs(rdisc_t) + +fs_search_auto_mountpoints(rdisc_t) + +domain_use_interactive_fds(rdisc_t) + +files_read_etc_files(rdisc_t) + +logging_send_syslog_msg(rdisc_t) + +miscfiles_read_localization(rdisc_t) + +sysnet_read_config(rdisc_t) + +userdom_dontaudit_use_unpriv_user_fds(rdisc_t) + +optional_policy(` + seutil_sigchld_newrole(rdisc_t) +') + +optional_policy(` + udev_read_db(rdisc_t) +') diff --git a/policy/modules/services/remotelogin.fc b/policy/modules/services/remotelogin.fc new file mode 100644 index 0000000..d8691bd --- /dev/null +++ b/policy/modules/services/remotelogin.fc @@ -0,0 +1,2 @@ + +# Remote login currently has no file contexts. diff --git a/policy/modules/services/remotelogin.if b/policy/modules/services/remotelogin.if new file mode 100644 index 0000000..31be971 --- /dev/null +++ b/policy/modules/services/remotelogin.if 
@@ -0,0 +1,37 @@ +## <summary>Policy for rshd, rlogind, and telnetd.</summary> + +######################################## +## <summary> +## Domain transition to the remote login domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`remotelogin_domtrans',` + gen_require(` + type remote_login_t; + ') + + auth_domtrans_login_program($1, remote_login_t) +') + +######################################## +## <summary> +## allow Domain to signal remote login domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`remotelogin_signal',` + gen_require(` + type remote_login_t; + ') + + allow $1 remote_login_t:process signal; +') diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te new file mode 100644 index 0000000..cdd0542 --- /dev/null +++ b/policy/modules/services/remotelogin.te 
@@ -0,0 +1,122 @@ +policy_module(remotelogin, 1.7.0) + +######################################## +# +# Declarations +# + +type remote_login_t; +domain_interactive_fd(remote_login_t) +auth_login_pgm_domain(remote_login_t) +auth_login_entry_type(remote_login_t) + +type remote_login_tmp_t; +files_tmp_file(remote_login_tmp_t) + +######################################## +# +# Remote login remote policy +# + +allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; +allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow remote_login_t self:process { setrlimit setexec }; +allow remote_login_t self:fd use; +allow remote_login_t self:fifo_file rw_fifo_file_perms; +allow remote_login_t self:sock_file read_sock_file_perms; +allow remote_login_t self:unix_dgram_socket create_socket_perms; +allow remote_login_t self:unix_stream_socket create_stream_socket_perms; +allow remote_login_t self:unix_dgram_socket sendto; +allow remote_login_t self:unix_stream_socket connectto; +allow remote_login_t self:shm create_shm_perms; +allow remote_login_t self:sem create_sem_perms; +allow remote_login_t self:msgq create_msgq_perms; +allow remote_login_t self:msg { send receive }; +allow remote_login_t self:key write; + +manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t) +manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t) +files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir }) + +kernel_read_system_state(remote_login_t) +kernel_read_kernel_sysctls(remote_login_t) + +dev_getattr_mouse_dev(remote_login_t) +dev_setattr_mouse_dev(remote_login_t) +dev_dontaudit_search_sysfs(remote_login_t) + +fs_getattr_xattr_fs(remote_login_t) +fs_search_auto_mountpoints(remote_login_t) + +term_relabel_all_ptys(remote_login_t) + +auth_rw_login_records(remote_login_t) 
+auth_rw_faillog(remote_login_t) +auth_manage_pam_console_data(remote_login_t) +auth_domtrans_pam_console(remote_login_t) + +corecmd_list_bin(remote_login_t) +corecmd_read_bin_symlinks(remote_login_t) +# cjp: these are probably not needed: +corecmd_read_bin_files(remote_login_t) +corecmd_read_bin_pipes(remote_login_t) +corecmd_read_bin_sockets(remote_login_t) + +domain_read_all_entry_files(remote_login_t) + +files_read_etc_files(remote_login_t) +files_read_etc_runtime_files(remote_login_t) +files_list_home(remote_login_t) +files_read_usr_files(remote_login_t) +files_list_world_readable(remote_login_t) +files_read_world_readable_files(remote_login_t) +files_read_world_readable_symlinks(remote_login_t) +files_read_world_readable_pipes(remote_login_t) +files_read_world_readable_sockets(remote_login_t) +files_list_mnt(remote_login_t) +# for when /var/mail is a sym-link +files_read_var_symlinks(remote_login_t) + +sysnet_dns_name_resolve(remote_login_t) + +miscfiles_read_localization(remote_login_t) + +userdom_use_unpriv_users_fds(remote_login_t) +userdom_search_user_home_content(remote_login_t) +# Only permit unprivileged user domains to be entered via rlogin, +# since very weak authentication is used. +userdom_signal_unpriv_users(remote_login_t) +userdom_spec_domtrans_unpriv_users(remote_login_t) + +# Search for mail spool file. +mta_getattr_spool(remote_login_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(remote_login_t) + fs_read_nfs_symlinks(remote_login_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files(remote_login_t) + fs_read_cifs_symlinks(remote_login_t) +') + +optional_policy(` + alsa_domtrans(remote_login_t) +') + +optional_policy(` + nis_use_ypbind(remote_login_t) +') + +optional_policy(` + nscd_socket_use(remote_login_t) +') + +optional_policy(` + unconfined_shell_domtrans(remote_login_t) +') + +optional_policy(` + usermanage_read_crack_db(remote_login_t) +') 
diff --git a/policy/modules/services/resmgr.fc b/policy/modules/services/resmgr.fc new file mode 100644 index 0000000..af810b9 --- /dev/null +++ b/policy/modules/services/resmgr.fc @@ -0,0 +1,7 @@ + +/etc/resmgr\.conf -- gen_context(system_u:object_r:resmgrd_etc_t,s0) + +/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0) + +/var/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0) +/var/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0) diff --git a/policy/modules/services/resmgr.if b/policy/modules/services/resmgr.if new file mode 100644 index 0000000..eabdd78 --- /dev/null +++ b/policy/modules/services/resmgr.if @@ -0,0 +1,21 @@ +## <summary>Resource management daemon</summary> + +######################################## +## <summary> +## Connect to resmgrd over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`resmgr_stream_connect',` + gen_require(` + type resmgrd_var_run_t, resmgrd_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t) +') diff --git a/policy/modules/services/resmgr.te b/policy/modules/services/resmgr.te new file mode 100644 index 0000000..bf5efbf --- /dev/null +++ b/policy/modules/services/resmgr.te 
@@ -0,0 +1,66 @@ +policy_module(resmgr, 1.2.0) + +######################################## +# +# Declarations +# + +type resmgrd_t; +type resmgrd_exec_t; +init_daemon_domain(resmgrd_t, resmgrd_exec_t) + +type resmgrd_etc_t; +files_config_file(resmgrd_etc_t) + +type resmgrd_var_run_t; +files_pid_file(resmgrd_var_run_t) + +######################################## +# +# Local policy +# + +allow resmgrd_t self:capability { dac_override sys_admin sys_rawio }; +dontaudit resmgrd_t self:capability sys_tty_config; +allow resmgrd_t self:process signal_perms; + +allow resmgrd_t resmgrd_etc_t:file read_file_perms; +files_search_etc(resmgrd_t) + +allow resmgrd_t resmgrd_var_run_t:file manage_file_perms; +allow resmgrd_t resmgrd_var_run_t:sock_file manage_sock_file_perms; +files_pid_filetrans(resmgrd_t, resmgrd_var_run_t, { file sock_file }) + +kernel_list_proc(resmgrd_t) +kernel_read_proc_symlinks(resmgrd_t) +kernel_read_kernel_sysctls(resmgrd_t) + +dev_read_sysfs(resmgrd_t) +dev_getattr_scanner_dev(resmgrd_t) + +domain_use_interactive_fds(resmgrd_t) + +files_read_etc_files(resmgrd_t) + +fs_search_auto_mountpoints(resmgrd_t) + +storage_dontaudit_read_fixed_disk(resmgrd_t) +storage_read_scsi_generic(resmgrd_t) +storage_raw_read_removable_device(resmgrd_t) +# not sure if it needs write access, needs to be investigated further... +storage_write_scsi_generic(resmgrd_t) +storage_raw_write_removable_device(resmgrd_t) + +logging_send_syslog_msg(resmgrd_t) + +miscfiles_read_localization(resmgrd_t) + +userdom_dontaudit_use_unpriv_user_fds(resmgrd_t) + +optional_policy(` + seutil_sigchld_newrole(resmgrd_t) +') + +optional_policy(` + udev_read_db(resmgrd_t) +') diff --git a/policy/modules/services/rgmanager.fc b/policy/modules/services/rgmanager.fc new file mode 100644 index 0000000..c025d59 --- /dev/null +++ b/policy/modules/services/rgmanager.fc 
@@ -0,0 +1,9 @@ +/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) + +/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) + +/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) + +/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) + +/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if new file mode 100644 index 0000000..9c2c963 --- /dev/null +++ b/policy/modules/services/rgmanager.if 
@@ -0,0 +1,138 @@ +## <summary>rgmanager - Resource Group Manager</summary> + +####################################### +## <summary> +## Execute a domain transition to run rgmanager. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rgmanager_domtrans',` + gen_require(` + type rgmanager_t, rgmanager_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, rgmanager_exec_t, rgmanager_t) +') + +######################################## +## <summary> +## Connect to rgmanager over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rgmanager_stream_connect',` + gen_require(` + type rgmanager_t, rgmanager_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t) +') + +###################################### +## <summary> +## Allow manage rgmanager tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rgmanager_manage_tmp_files',` + gen_require(` + type rgmanager_tmp_t; + ') + + files_search_tmp($1) + manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t) +') + +###################################### +## <summary> +## Allow manage rgmanager tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rgmanager_manage_tmpfs_files',` + gen_require(` + type rgmanager_tmpfs_t; + ') + + fs_search_tmpfs($1) + manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) +') + +####################################### +## <summary> +## Allow read and write access to rgmanager semaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`rgmanager_rw_semaphores',` + gen_require(` + type rgmanager_t; + ') + + allow $1 rgmanager_t:sem rw_sem_perms; +') + +###################################### +## <summary> +## All of the rules required to administrate +## an rgmanager environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the rgmanager domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`rgmanager_admin',` + gen_require(` + type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t; + type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t; + ') + + allow $1 rgmanager_t:process { ptrace signal_perms }; + ps_process_pattern($1, rgmanager_t) + + init_labeled_script_domtrans($1, rgmanager_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 rgmanager_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, rgmanager_tmp_t) + + admin_pattern($1, rgmanager_tmpfs_t) + + logging_list_logs($1) + admin_pattern($1, rgmanager_var_log_t) + + files_list_pids($1) + admin_pattern($1, rgmanager_var_run_t) +') diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te new file mode 100644 index 0000000..612e4e4 --- /dev/null +++ b/policy/modules/services/rgmanager.te 
@@ -0,0 +1,217 @@ +policy_module(rgmanager, 1.0.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow rgmanager domain to connect to the network using TCP. +## </p> +## </desc> +gen_tunable(rgmanager_can_network_connect, false) + +type rgmanager_t; +type rgmanager_exec_t; +init_daemon_domain(rgmanager_t, rgmanager_exec_t) + +type rgmanager_initrc_exec_t; +init_script_file(rgmanager_initrc_exec_t) + +type rgmanager_tmp_t; +files_tmp_file(rgmanager_tmp_t) + +type rgmanager_tmpfs_t; +files_tmpfs_file(rgmanager_tmpfs_t) + +type rgmanager_var_log_t; +logging_log_file(rgmanager_var_log_t) + +type rgmanager_var_run_t; +files_pid_file(rgmanager_var_run_t) + +######################################## +# +# rgmanager local policy +# + +allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; +dontaudit rgmanager_t self:capability { sys_ptrace }; +allow rgmanager_t self:process { setsched signal }; +dontaudit rgmanager_t self:process ptrace; + +allow rgmanager_t self:fifo_file rw_fifo_file_perms; +allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms }; +allow rgmanager_t self:unix_dgram_socket create_socket_perms; +allow rgmanager_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) +manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) +files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir }) + +manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t) +manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t) +fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file }) + +manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t) +logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file }) + +manage_dirs_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) +manage_files_pattern(rgmanager_t, rgmanager_var_run_t, 
rgmanager_var_run_t) +manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) +files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file dir }) + +kernel_kill(rgmanager_t) +kernel_read_kernel_sysctls(rgmanager_t) +kernel_read_rpc_sysctls(rgmanager_t) +kernel_read_system_state(rgmanager_t) +kernel_rw_rpc_sysctls(rgmanager_t) +kernel_search_debugfs(rgmanager_t) +kernel_search_network_state(rgmanager_t) + +corecmd_exec_bin(rgmanager_t) +corecmd_exec_shell(rgmanager_t) +consoletype_exec(rgmanager_t) + +# need to write to /dev/misc/dlm-control +dev_rw_dlm_control(rgmanager_t) +dev_setattr_dlm_control(rgmanager_t) +dev_search_sysfs(rgmanager_t) + +domain_read_all_domains_state(rgmanager_t) +domain_getattr_all_domains(rgmanager_t) +domain_dontaudit_ptrace_all_domains(rgmanager_t) + +files_create_var_run_dirs(rgmanager_t) +files_getattr_all_symlinks(rgmanager_t) +files_list_all(rgmanager_t) +files_manage_mnt_dirs(rgmanager_t) +files_manage_mnt_files(rgmanager_t) +files_manage_mnt_symlinks(rgmanager_t) +files_manage_isid_type_files(rgmanager_t) +files_manage_isid_type_dirs(rgmanager_t) + +fs_getattr_xattr_fs(rgmanager_t) +fs_getattr_all_fs(rgmanager_t) + +storage_raw_read_fixed_disk(rgmanager_t) +storage_getattr_fixed_disk_dev(rgmanager_t) + +term_getattr_pty_fs(rgmanager_t) +#term_use_ptmx(rgmanager_t) + +# needed by resources scripts +auth_read_all_files_except_shadow(rgmanager_t) +auth_dontaudit_getattr_shadow(rgmanager_t) +auth_use_nsswitch(rgmanager_t) + +logging_send_syslog_msg(rgmanager_t) + +miscfiles_read_localization(rgmanager_t) + +mount_domtrans(rgmanager_t) + +tunable_policy(`rgmanager_can_network_connect',` + corenet_tcp_connect_all_ports(rgmanager_t) +') + +# rgmanager can run resource scripts +optional_policy(` + aisexec_stream_connect(rgmanager_t) + corosync_stream_connect(rgmanager_t) +') + +optional_policy(` + apache_domtrans(rgmanager_t) + apache_signal(rgmanager_t) +') + +optional_policy(` + 
fstools_domtrans(rgmanager_t) +') + +optional_policy(` + rhcs_stream_connect_groupd(rgmanager_t) +') + +optional_policy(` + hostname_exec(rgmanager_t) +') + +optional_policy(` + ccs_manage_config(rgmanager_t) + ccs_stream_connect(rgmanager_t) + rhcs_stream_connect_gfs_controld(rgmanager_t) +') + +optional_policy(` + lvm_domtrans(rgmanager_t) +') + +optional_policy(` + ldap_initrc_domtrans(rgmanager_t) + ldap_domtrans(rgmanager_t) +') + +optional_policy(` + mysql_domtrans_mysql_safe(rgmanager_t) + mysql_stream_connect(rgmanager_t) +') + +optional_policy(` + netutils_domtrans(rgmanager_t) + netutils_domtrans_ping(rgmanager_t) +') + +optional_policy(` + postgresql_domtrans(rgmanager_t) + postgresql_signal(rgmanager_t) +') + +optional_policy(` + rdisc_exec(rgmanager_t) +') + +optional_policy(` + ricci_dontaudit_rw_modcluster_pipes(rgmanager_t) +') + +optional_policy(` + rpc_initrc_domtrans_nfsd(rgmanager_t) + rpc_initrc_domtrans_rpcd(rgmanager_t) + + rpc_domtrans_nfsd(rgmanager_t) + rpc_domtrans_rpcd(rgmanager_t) + rpc_manage_nfs_state_data(rgmanager_t) +') + +optional_policy(` + samba_initrc_domtrans(rgmanager_t) + samba_domtrans_smbd(rgmanager_t) + samba_domtrans_nmbd(rgmanager_t) + samba_manage_var_files(rgmanager_t) + samba_rw_config(rgmanager_t) + samba_signal_smbd(rgmanager_t) + samba_signal_nmbd(rgmanager_t) +') + +optional_policy(` + sysnet_domtrans_ifconfig(rgmanager_t) +') + +optional_policy(` + udev_read_db(rgmanager_t) +') + +optional_policy(` + virt_stream_connect(rgmanager_t) +') + +optional_policy(` + unconfined_domain(rgmanager_t) +') + +optional_policy(` + xen_domtrans_xm(rgmanager_t) +') diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc new file mode 100644 index 0000000..d862e7e --- /dev/null +++ b/policy/modules/services/rhcs.fc 
@@ -0,0 +1,25 @@ +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) +/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) +/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) +/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0) +/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) +/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) +/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) + +/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) + +/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) +/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) + +/var/log/cluster/.*\.*log <<none>> +/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) +/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) +/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0) +/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) + +/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0) +/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0) +/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0) +/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0) +/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) +/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if new file mode 100644 index 0000000..229a3c7 --- /dev/null +++ b/policy/modules/services/rhcs.if 
@@ -0,0 +1,450 @@ +## <summary>RHCS - Red Hat Cluster Suite</summary> + +####################################### +## <summary> +## Creates types and rules for a basic +## rhcs init daemon domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. +## </summary> +## </param> +# +template(`rhcs_domain_template',` + gen_require(` + attribute cluster_domain, cluster_tmpfs, cluster_pid; + ') + + ############################## + # + # Declarations + # + + type $1_t, cluster_domain; + type $1_exec_t; + init_daemon_domain($1_t, $1_exec_t) + + type $1_tmpfs_t, cluster_tmpfs; + files_tmpfs_file($1_tmpfs_t) + + type $1_var_log_t; + logging_log_file($1_var_log_t) + + type $1_var_run_t, cluster_pid; + files_pid_file($1_var_run_t) + + ############################## + # + # Local policy + # + + manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file }) + + manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t) + manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t) + logging_log_filetrans($1_t, $1_var_log_t, { file sock_file }) + + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file }) +') + +###################################### +## <summary> +## Execute a domain transition to run dlm_controld. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rhcs_domtrans_dlm_controld',` + gen_require(` + type dlm_controld_t, dlm_controld_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t) +') + +##################################### +## <summary> +## Connect to dlm_controld over a unix domain +## stream socket. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_stream_connect_dlm_controld',` + gen_require(` + type dlm_controld_t, dlm_controld_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) +') + +##################################### +## <summary> +## Allow read and write access to dlm_controld semaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_rw_dlm_controld_semaphores',` + gen_require(` + type dlm_controld_t, dlm_controld_tmpfs_t; + ') + + allow $1 dlm_controld_t:sem { rw_sem_perms destroy }; + + fs_search_tmpfs($1) + manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t) +') + +###################################### +## <summary> +## Execute a domain transition to run fenced. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rhcs_domtrans_fenced',` + gen_require(` + type fenced_t, fenced_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, fenced_exec_t, fenced_t) +') + +###################################### +## <summary> +## Allow read and write access to fenced semaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_rw_fenced_semaphores',` + gen_require(` + type fenced_t, fenced_tmpfs_t; + ') + + allow $1 fenced_t:sem { rw_sem_perms destroy }; + + fs_search_tmpfs($1) + manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t) +') + +###################################### +## <summary> +## Connect to fenced over an unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`rhcs_stream_connect_fenced',` + gen_require(` + type fenced_var_run_t, fenced_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t) +') + +##################################### +## <summary> +## Execute a domain transition to run gfs_controld. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rhcs_domtrans_gfs_controld',` + gen_require(` + type gfs_controld_t, gfs_controld_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t) +') + +#################################### +## <summary> +## Allow read and write access to gfs_controld semaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_rw_gfs_controld_semaphores',` + gen_require(` + type gfs_controld_t, gfs_controld_tmpfs_t; + ') + + allow $1 gfs_controld_t:sem { rw_sem_perms destroy }; + + fs_search_tmpfs($1) + manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) +') + +######################################## +## <summary> +## Read and write to gfs_controld_t shared memory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_rw_gfs_controld_shm',` + gen_require(` + type gfs_controld_t, gfs_controld_tmpfs_t; + ') + + allow $1 gfs_controld_t:shm { rw_shm_perms destroy }; + + fs_search_tmpfs($1) + manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t) +') + +##################################### +## <summary> +## Connect to gfs_controld_t over an unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`rhcs_stream_connect_gfs_controld',` + gen_require(` + type gfs_controld_t, gfs_controld_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t) +') + +###################################### +## <summary> +## Execute a domain transition to run groupd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rhcs_domtrans_groupd',` + gen_require(` + type groupd_t, groupd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, groupd_exec_t, groupd_t) +') + +##################################### +## <summary> +## Connect to groupd over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_stream_connect_groupd',` + gen_require(` + type groupd_t, groupd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t) +') + +##################################### +## <summary> +## Allow read and write access to groupd semaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_rw_groupd_semaphores',` + gen_require(` + type groupd_t, groupd_tmpfs_t; + ') + + allow $1 groupd_t:sem { rw_sem_perms destroy }; + + fs_search_tmpfs($1) + manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) +') + +######################################## +## <summary> +## Read and write to group shared memory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`rhcs_rw_groupd_shm',` + gen_require(` + type groupd_t, groupd_tmpfs_t; + ') + + allow $1 groupd_t:shm { rw_shm_perms destroy }; + + fs_search_tmpfs($1) + manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) +') + +######################################## +## <summary> +## Read and write to group shared memory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_rw_cluster_shm',` + gen_require(` + attribute cluster_domain, cluster_tmpfs; + ') + + allow $1 cluster_domain:shm { rw_shm_perms destroy }; + + fs_search_tmpfs($1) + manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs) +') + +#################################### +## <summary> +## Read and write access to cluster domains semaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_rw_cluster_semaphores',` + gen_require(` + attribute cluster_domain; + ') + + allow $1 cluster_domain:sem { rw_sem_perms destroy }; +') + +#################################### +## <summary> +## Connect to cluster domains over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_stream_connect_cluster',` + gen_require(` + attribute cluster_domain, cluster_pid; + ') + + files_search_pids($1) + stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) +') + +###################################### +## <summary> +## Execute a domain transition to run qdiskd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`rhcs_domtrans_qdiskd',` + gen_require(` + type qdiskd_t, qdiskd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, qdiskd_exec_t, qdiskd_t) +') + +######################################## +## <summary> +## Allow domain to read qdiskd tmpfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_read_qdiskd_tmpfs_files',` + gen_require(` + type qdiskd_tmpfs_t; + ') + + fs_search_tmpfs($1) + allow $1 qdiskd_tmpfs_t:file read_file_perms; +') + +###################################### +## <summary> +## Allow domain to read cluster lib files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhcs_read_cluster_lib_files',` + gen_require(` + type cluster_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te new file mode 100644 index 0000000..8d40ec9 --- /dev/null +++ b/policy/modules/services/rhcs.te 
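Review bot: `rhcs_rw_gfs_controld_semaphores` and `rhcs_rw_groupd_semaphores` grant more than their `<summary>` says: on top of `sem { rw_sem_perms destroy }` they also call `manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)` (and the groupd equivalent), which lets the caller create and delete the daemon's tmpfs files, and `destroy` on the semaphore set is not a read/write permission either. Either narrow these to `rw_sem_perms` plus `rw_files_pattern` on the tmpfs type, or state the full grant in the summary so callers know what they are pulling in; the same applies to the `_shm` interfaces. `rhcs_rw_cluster_shm` still carries the summary copied from `rhcs_rw_groupd_shm` ("Read and write to group shared memory") although it targets the whole `cluster_domain` attribute. Minor wording: "an unix domain stream socket" in the `rhcs_stream_connect_gfs_controld` summary should be "a unix domain stream socket".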
@@ -0,0 +1,244 @@ +policy_module(rhcs, 1.1.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow fenced domain to connect to the network using TCP. +## </p> +## </desc> +gen_tunable(fenced_can_network_connect, false) + +attribute cluster_domain; +attribute cluster_tmpfs; +attribute cluster_pid; + +rhcs_domain_template(dlm_controld) + +rhcs_domain_template(fenced) + +type fenced_lock_t; +files_lock_file(fenced_lock_t) + +type fenced_tmp_t; +files_tmp_file(fenced_tmp_t) + +rhcs_domain_template(gfs_controld) + +rhcs_domain_template(groupd) + +rhcs_domain_template(qdiskd) + +type qdiskd_var_lib_t; +files_type(qdiskd_var_lib_t) + +# type for cluster lib files +type cluster_var_lib_t; +files_type(cluster_var_lib_t) + +##################################### +# +# dlm_controld local policy +# + +allow dlm_controld_t self:capability { net_admin sys_admin sys_resource }; + +allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; + +stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) +stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) + +kernel_read_system_state(dlm_controld_t) + +dev_rw_dlm_control(dlm_controld_t) +dev_rw_sysfs(dlm_controld_t) + +fs_manage_configfs_files(dlm_controld_t) +fs_manage_configfs_dirs(dlm_controld_t) + +init_rw_script_tmp_files(dlm_controld_t) + +####################################### +# +# fenced local policy +# + +allow fenced_t self:capability { sys_rawio sys_resource }; +allow fenced_t self:process { getsched signal_perms }; + +allow fenced_t self:tcp_socket create_stream_socket_perms; +allow fenced_t self:udp_socket create_socket_perms; + +can_exec(fenced_t, fenced_exec_t) + +manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) +files_lock_filetrans(fenced_t, fenced_lock_t, file) + +manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) +manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) 
+manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) +files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) + +stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) + +kernel_read_system_state(fenced_t) + +corecmd_exec_bin(fenced_t) +corecmd_exec_shell(fenced_t) + +corenet_tcp_connect_http_port(fenced_t) + +dev_read_sysfs(fenced_t) +dev_read_urand(fenced_t) + +files_read_usr_symlinks(fenced_t) + +storage_raw_read_fixed_disk(fenced_t) +storage_raw_write_fixed_disk(fenced_t) +storage_raw_read_removable_device(fenced_t) + +term_getattr_pty_fs(fenced_t) +term_use_ptmx(fenced_t) + +auth_use_nsswitch(fenced_t) + +tunable_policy(`fenced_can_network_connect',` + corenet_tcp_connect_all_ports(fenced_t) +') + +# needed by fence_scsi +optional_policy(` + corosync_exec(fenced_t) +') + +optional_policy(` + ccs_read_config(fenced_t) +') + +optional_policy(` + lvm_domtrans(fenced_t) + lvm_read_config(fenced_t) +') + +###################################### +# +# gfs_controld local policy +# + +allow gfs_controld_t self:capability { net_admin sys_resource }; +allow gfs_controld_t self:shm create_shm_perms; +allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms; + +stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) +stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) +stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) + +kernel_read_system_state(gfs_controld_t) + +dev_rw_dlm_control(gfs_controld_t) +dev_setattr_dlm_control(gfs_controld_t) +dev_rw_sysfs(gfs_controld_t) + +storage_getattr_removable_dev(gfs_controld_t) + +init_rw_script_tmp_files(gfs_controld_t) + +optional_policy(` + lvm_exec(gfs_controld_t) + dev_rw_lvm_control(gfs_controld_t) +') + +####################################### +# +# groupd local policy +# + +allow groupd_t self:capability { sys_nice sys_resource }; +allow groupd_t 
self:process setsched; +allow groupd_t self:shm create_shm_perms; + +dev_list_sysfs(groupd_t) + +files_read_etc_files(groupd_t) + +init_rw_script_tmp_files(groupd_t) + +###################################### +# +# qdiskd local policy +# + +allow qdiskd_t self:capability { ipc_lock sys_boot }; +allow qdiskd_t self:tcp_socket create_stream_socket_perms; +allow qdiskd_t self:udp_socket create_socket_perms; + +manage_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) +manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) +manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) +files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file }) + +kernel_read_system_state(qdiskd_t) +kernel_read_software_raid_state(qdiskd_t) +kernel_getattr_core_if(qdiskd_t) + +corecmd_getattr_bin_files(qdiskd_t) +corecmd_exec_shell(qdiskd_t) + +dev_read_sysfs(qdiskd_t) +dev_list_all_dev_nodes(qdiskd_t) +dev_getattr_all_blk_files(qdiskd_t) +dev_getattr_all_chr_files(qdiskd_t) +dev_manage_generic_blk_files(qdiskd_t) +dev_manage_generic_chr_files(qdiskd_t) + +domain_dontaudit_getattr_all_pipes(qdiskd_t) +domain_dontaudit_getattr_all_sockets(qdiskd_t) + +files_dontaudit_getattr_all_sockets(qdiskd_t) +files_dontaudit_getattr_all_pipes(qdiskd_t) +files_read_etc_files(qdiskd_t) + +storage_raw_read_removable_device(qdiskd_t) +storage_raw_write_removable_device(qdiskd_t) +storage_raw_read_fixed_disk(qdiskd_t) +storage_raw_write_fixed_disk(qdiskd_t) + +auth_use_nsswitch(qdiskd_t) + +optional_policy(` + netutils_domtrans_ping(qdiskd_t) +') + +optional_policy(` + udev_read_db(qdiskd_t) +') + +##################################### +# +# rhcs domains common policy +# + +allow cluster_domain self:capability sys_nice; +allow cluster_domain self:process setsched; +allow cluster_domain self:sem create_sem_perms; +allow cluster_domain self:fifo_file rw_fifo_file_perms; +allow cluster_domain self:unix_stream_socket create_stream_socket_perms; +allow 
cluster_domain self:unix_dgram_socket create_socket_perms; + +manage_files_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t) +manage_dirs_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t) + +logging_send_syslog_msg(cluster_domain) + +miscfiles_read_localization(cluster_domain) + +optional_policy(` + ccs_stream_connect(cluster_domain) +') + +optional_policy(` + corosync_stream_connect(cluster_domain) +') diff --git a/policy/modules/services/rhgb.fc b/policy/modules/services/rhgb.fc new file mode 100644 index 0000000..9e5d31b --- /dev/null +++ b/policy/modules/services/rhgb.fc @@ -0,0 +1,4 @@ +# +# /usr +# +/usr/bin/rhgb -- gen_context(system_u:object_r:rhgb_exec_t,s0) diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if new file mode 100644 index 0000000..793a29f --- /dev/null +++ b/policy/modules/services/rhgb.if 
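Review bot: the `qdiskd local policy` block grants `dev_manage_generic_blk_files(qdiskd_t)` and `dev_manage_generic_chr_files(qdiskd_t)` in addition to raw read and write of fixed and removable disks; creating and deleting device nodes is well beyond what reading a quorum partition requires, so either drop the two manage rules or add a comment citing the denial they were added for. Likewise `allow qdiskd_t self:capability { ipc_lock sys_boot }` deserves a one-line comment that `sys_boot` is there so the daemon can reboot its own node, since a reader cannot tell that from the rule. Style point in the `gfs_controld` block: `dev_rw_lvm_control(gfs_controld_t)` sits inside `optional_policy(` with `lvm_exec(gfs_controld_t)`, but it is a `dev_*` interface from the always-present devices module, so it does not need to be conditional on lvm and should move out of that block.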
@@ -0,0 +1,199 @@ +## <summary> Red Hat Graphical Boot </summary> + +######################################## +## <summary> +## RHGB stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## N/A +## </summary> +## </param> +# +interface(`rhgb_stub',` + gen_require(` + type rhgb_t; + ') +') + +######################################## +## <summary> +## Use a rhgb file descriptor. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhgb_use_fds',` + gen_require(` + type rhgb_t; + ') + + allow $1 rhgb_t:fd use; +') + +######################################## +## <summary> +## Get the process group of rhgb. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhgb_getpgid',` + gen_require(` + type rhgb_t; + ') + + allow $1 rhgb_t:process getpgid; +') + +######################################## +## <summary> +## Send a signal to rhgb. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhgb_signal',` + gen_require(` + type rhgb_t; + ') + + allow $1 rhgb_t:process signal; +') + +######################################## +## <summary> +## Read and write to unix stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhgb_rw_stream_sockets',` + gen_require(` + type rhgb_t; + ') + + allow $1 rhgb_t:unix_stream_socket { read write }; +') + +######################################## +## <summary> +## Do not audit attempts to read and write +## rhgb unix domain stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`rhgb_dontaudit_rw_stream_sockets',` + gen_require(` + type rhgb_t; + ') + + dontaudit $1 rhgb_t:unix_stream_socket { read write }; +') + +######################################## +## <summary> +## Connected to rhgb unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhgb_stream_connect',` + gen_require(` + type rhgb_t; + ') + + allow $1 rhgb_t:unix_stream_socket connectto; +') + +######################################## +## <summary> +## Read and write to rhgb shared memory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhgb_rw_shm',` + gen_require(` + type rhgb_t; + ') + + allow $1 rhgb_t:shm rw_shm_perms; +') + +######################################## +## <summary> +## Read from and write to the rhgb devpts. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhgb_use_ptys',` + gen_require(` + type rhgb_devpts_t; + ') + + allow $1 rhgb_devpts_t:chr_file rw_term_perms; +') + +######################################## +## <summary> +## dontaudit Read from and write to the rhgb devpts. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`rhgb_dontaudit_use_ptys',` + gen_require(` + type rhgb_devpts_t; + ') + + dontaudit $1 rhgb_devpts_t:chr_file rw_term_perms; +') + +######################################## +## <summary> +## Read and write to rhgb temporary file system. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rhgb_rw_tmpfs_files',` + gen_require(` + type rhgb_tmpfs_t; + ') + + fs_search_tmpfs($1) + allow $1 rhgb_tmpfs_t:file rw_file_perms; +') 
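Review bot: the `rhgb_stream_connect` summary reads "Connected to rhgb unix stream socket"; it should be "Connect to the rhgb unix stream socket", matching the other interfaces. Note also that the interface only grants `connectto` on `rhgb_t:unix_stream_socket`; if rhgb's socket lives on the filesystem rather than in the abstract namespace, callers will also need search and write access to the socket file's type, which is what `stream_connect_pattern` provides elsewhere in this series. The `rhgb_dontaudit_use_ptys` summary ("dontaudit Read from and write to the rhgb devpts") should follow the wording used by `rhgb_dontaudit_rw_stream_sockets`: "Do not audit attempts to read from and write to the rhgb devpts."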
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te new file mode 100644 index 0000000..4d10897 --- /dev/null +++ b/policy/modules/services/rhgb.te 
@@ -0,0 +1,142 @@ +policy_module(rhgb, 1.9.0) + +######################################## +# +# Declarations +# + +type rhgb_t; +type rhgb_exec_t; +init_daemon_domain(rhgb_t, rhgb_exec_t) + +type rhgb_tmpfs_t; +files_tmpfs_file(rhgb_tmpfs_t) + +type rhgb_devpts_t; +term_pty(rhgb_devpts_t) + +######################################## +# +# Local policy +# + +allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config }; +dontaudit rhgb_t self:capability sys_tty_config; +allow rhgb_t self:process { setpgid signal_perms }; +allow rhgb_t self:shm create_shm_perms; +allow rhgb_t self:unix_stream_socket create_stream_socket_perms; +allow rhgb_t self:fifo_file rw_fifo_file_perms; +allow rhgb_t self:tcp_socket create_socket_perms; +allow rhgb_t self:udp_socket create_socket_perms; +allow rhgb_t self:netlink_route_socket r_netlink_socket_perms; + +allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; +term_create_pty(rhgb_t, rhgb_devpts_t) + +manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) +manage_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) +manage_lnk_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) +manage_fifo_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) +manage_sock_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) +fs_tmpfs_filetrans(rhgb_t, rhgb_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +kernel_read_kernel_sysctls(rhgb_t) +kernel_read_system_state(rhgb_t) + +corecmd_exec_bin(rhgb_t) +corecmd_exec_shell(rhgb_t) + +corenet_all_recvfrom_unlabeled(rhgb_t) +corenet_all_recvfrom_netlabel(rhgb_t) +corenet_tcp_sendrecv_generic_if(rhgb_t) +corenet_udp_sendrecv_generic_if(rhgb_t) +corenet_tcp_sendrecv_generic_node(rhgb_t) +corenet_udp_sendrecv_generic_node(rhgb_t) +corenet_tcp_sendrecv_all_ports(rhgb_t) +corenet_udp_sendrecv_all_ports(rhgb_t) +corenet_tcp_connect_all_ports(rhgb_t) +corenet_sendrecv_all_client_packets(rhgb_t) + +dev_read_sysfs(rhgb_t) +dev_read_urand(rhgb_t) + 
+domain_use_interactive_fds(rhgb_t) + +files_read_etc_files(rhgb_t) +files_read_var_files(rhgb_t) +files_read_etc_runtime_files(rhgb_t) +files_search_tmp(rhgb_t) +files_read_usr_files(rhgb_t) +files_mounton_mnt(rhgb_t) +files_dontaudit_rw_root_dir(rhgb_t) +files_dontaudit_read_default_files(rhgb_t) +files_dontaudit_search_pids(rhgb_t) +# for nscd +files_dontaudit_search_var(rhgb_t) + +fs_search_auto_mountpoints(rhgb_t) +fs_mount_ramfs(rhgb_t) +fs_unmount_ramfs(rhgb_t) +fs_getattr_tmpfs(rhgb_t) +# for ramfs file systems +fs_manage_ramfs_dirs(rhgb_t) +fs_manage_ramfs_files(rhgb_t) +fs_manage_ramfs_pipes(rhgb_t) +fs_manage_ramfs_sockets(rhgb_t) + +selinux_dontaudit_read_fs(rhgb_t) + +term_use_unallocated_ttys(rhgb_t) +term_use_ptmx(rhgb_t) +term_getattr_pty_fs(rhgb_t) + +init_write_initctl(rhgb_t) + +# for localization +libs_read_lib_files(rhgb_t) + +logging_send_syslog_msg(rhgb_t) + +miscfiles_read_localization(rhgb_t) +miscfiles_read_fonts(rhgb_t) +miscfiles_dontaudit_write_fonts(rhgb_t) + +seutil_search_default_contexts(rhgb_t) +seutil_read_config(rhgb_t) + +sysnet_read_config(rhgb_t) +sysnet_domtrans_ifconfig(rhgb_t) + +userdom_dontaudit_use_unpriv_user_fds(rhgb_t) +userdom_dontaudit_search_user_home_content(rhgb_t) + +xserver_read_tmp_files(rhgb_t) +xserver_kill(rhgb_t) +# for running setxkbmap +xserver_read_xkb_libs(rhgb_t) +xserver_domtrans(rhgb_t) +xserver_signal(rhgb_t) +xserver_read_xdm_tmp_files(rhgb_t) +xserver_stream_connect(rhgb_t) + +optional_policy(` + consoletype_exec(rhgb_t) +') + +optional_policy(` + nis_use_ypbind(rhgb_t) +') + +optional_policy(` + seutil_sigchld_newrole(rhgb_t) +') + +optional_policy(` + udev_read_db(rhgb_t) +') + +ifdef(`TODO',` + #this seems a bit much + allow domain rhgb_devpts_t:chr_file { read write }; + allow initrc_t rhgb_gph_t:fd use; +') diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc new file mode 100644 index 0000000..ed5dc05 --- /dev/null +++ b/policy/modules/services/ricci.fc 
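Review bot: `allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config };` is immediately followed by `dontaudit rhgb_t self:capability sys_tty_config;`; an allowed permission is never audited, so one of the two rules is a leftover. Decide whether rhgb actually needs `sys_tty_config` (then drop the dontaudit) or not (then remove it from the allow and keep the dontaudit). The trailing `ifdef(`TODO',` block references `rhgb_gph_t`, a type declared nowhere in this module, and would grant every `domain` read/write on `rhgb_devpts_t`; dead conditional code like this should be removed rather than committed. Finally, `corenet_tcp_connect_all_ports(rhgb_t)` together with the `corenet_*_sendrecv_all_ports` rules is a wide network grant for a boot splash; if it exists only for the `sysnet_domtrans_ifconfig`/`nis_use_ypbind` path, a comment saying so would help the next reviewer.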
@@ -0,0 +1,19 @@ + +/etc/rc\.d/init\.d/ricci -- gen_context(system_u:object_r:ricci_initrc_exec_t,s0) + +/usr/libexec/modcluster -- gen_context(system_u:object_r:ricci_modcluster_exec_t,s0) +/usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0) +/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0) +/usr/libexec/ricci-modservice -- gen_context(system_u:object_r:ricci_modservice_exec_t,s0) +/usr/libexec/ricci-modstorage -- gen_context(system_u:object_r:ricci_modstorage_exec_t,s0) + +/usr/sbin/modclusterd -- gen_context(system_u:object_r:ricci_modclusterd_exec_t,s0) +/usr/sbin/ricci -- gen_context(system_u:object_r:ricci_exec_t,s0) + +/var/lib/ricci(/.*)? gen_context(system_u:object_r:ricci_var_lib_t,s0) + +/var/log/clumond\.log -- gen_context(system_u:object_r:ricci_modcluster_var_log_t,s0) + +/var/run/clumond\.sock -s gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0) +/var/run/modclusterd\.pid -- gen_context(system_u:object_r:ricci_modcluster_var_run_t,s0) +/var/run/ricci\.pid -- gen_context(system_u:object_r:ricci_var_run_t,s0) diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if new file mode 100644 index 0000000..3128dd8 --- /dev/null +++ b/policy/modules/services/ricci.if 
@@ -0,0 +1,267 @@ +## <summary>Ricci cluster management agent</summary> + +######################################## +## <summary> +## Execute a domain transition to run ricci. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ricci_domtrans',` + gen_require(` + type ricci_t, ricci_exec_t; + ') + + domtrans_pattern($1, ricci_exec_t, ricci_t) +') + +####################################### +## <summary> +## Execute ricci server in the ricci domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ricci_initrc_domtrans',` + gen_require(` + type ricci_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, ricci_initrc_exec_t) +') + +######################################## +## <summary> +## Execute a domain transition to run ricci_modcluster. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ricci_domtrans_modcluster',` + gen_require(` + type ricci_modcluster_t, ricci_modcluster_exec_t; + ') + + domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t) +') + +######################################## +## <summary> +## Do not audit attempts to use +## ricci_modcluster file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`ricci_dontaudit_use_modcluster_fds',` + gen_require(` + type ricci_modcluster_t; + ') + + dontaudit $1 ricci_modcluster_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to read write +## ricci_modcluster unamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`ricci_dontaudit_rw_modcluster_pipes',` + gen_require(` + type ricci_modcluster_t; + ') + + dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## <summary> +## Connect to ricci_modclusterd over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ricci_stream_connect_modclusterd',` + gen_require(` + type ricci_modclusterd_t, ricci_modcluster_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t) +') + +######################################## +## <summary> +## Read and write to ricci_modcluserd temporary file system. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ricci_rw_modclusterd_tmpfs_files',` + gen_require(` + type ricci_modcluserd_tmpfs_t; + ') + + fs_search_tmpfs($1) + allow $1 ricci_modcluserd_tmpfs_t:file rw_file_perms; +') + +######################################## +## <summary> +## Execute a domain transition to run ricci_modlog. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ricci_domtrans_modlog',` + gen_require(` + type ricci_modlog_t, ricci_modlog_exec_t; + ') + + domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t) +') + +######################################## +## <summary> +## Execute a domain transition to run ricci_modrpm. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`ricci_domtrans_modrpm',` + gen_require(` + type ricci_modrpm_t, ricci_modrpm_exec_t; + ') + + domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t) +') + +######################################## +## <summary> +## Execute a domain transition to run ricci_modservice. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ricci_domtrans_modservice',` + gen_require(` + type ricci_modservice_t, ricci_modservice_exec_t; + ') + + domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t) +') + +######################################## +## <summary> +## Execute a domain transition to run ricci_modstorage. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ricci_domtrans_modstorage',` + gen_require(` + type ricci_modstorage_t, ricci_modstorage_exec_t; + ') + + domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t) +') + +#################################### +## <summary> +## Allow the specified domain to manage ricci's lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ricci_manage_lib_files',` + gen_require(` + type ricci_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t) + manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an ricci environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`ricci_admin',` + gen_require(` + type ricci_t, ricci_initrc_exec_t, ricci_tmp_t; + type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t; + ') + + allow $1 ricci_t:process { ptrace signal_perms }; + ps_process_pattern($1, ricci_t) + + ricci_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 ricci_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, ricci_tmp_t) + + files_list_var_lib($1) + admin_pattern($1, ricci_var_lib_t) + + logging_list_logs($1) + admin_pattern($1, ricci_var_log_t) + + files_list_pids($1) + admin_pattern($1, ricci_var_run_t) +') diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te new file mode 100644 index 0000000..29e7311 --- /dev/null +++ b/policy/modules/services/ricci.te 
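Review bot: `ricci_rw_modclusterd_tmpfs_files` requires `type ricci_modcluserd_tmpfs_t;` (missing "t" in "modclusterd") and uses the same misspelled name in its `allow` rule, while ricci.te declares `ricci_modclusterd_tmpfs_t`; any module that calls this interface will fail to build. Fix the name in the `gen_require`, the `allow` and the `<summary>` ("ricci_modcluserd temporary file system"). `ricci_admin` covers only `ricci_tmp_t`, `ricci_var_lib_t`, `ricci_var_log_t` and `ricci_var_run_t`; the `ricci_modcluster_var_lib_t`, `ricci_modcluster_var_log_t`, `ricci_modcluster_var_run_t` and `ricci_modstorage_lock_t` types declared in ricci.te are left out, so an admin role cannot manage clumond's log, pid and socket files. Typos in summaries: "unamed pipes" should be "unnamed pipes" and "an ricci environment" should be "a ricci environment".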
@@ -0,0 +1,507 @@ +policy_module(ricci, 1.7.0) + +######################################## +# +# Declarations +# + +type ricci_t; +type ricci_exec_t; +init_daemon_domain(ricci_t, ricci_exec_t) + +type ricci_initrc_exec_t; +init_script_file(ricci_initrc_exec_t) + +type ricci_tmp_t; +files_tmp_file(ricci_tmp_t) + +type ricci_var_lib_t; +files_type(ricci_var_lib_t) + +type ricci_var_log_t; +logging_log_file(ricci_var_log_t) + +type ricci_var_run_t; +files_pid_file(ricci_var_run_t) + +type ricci_modcluster_t; +type ricci_modcluster_exec_t; +domain_type(ricci_modcluster_t) +domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t) +role system_r types ricci_modcluster_t; + +type ricci_modcluster_var_lib_t; +files_type(ricci_modcluster_var_lib_t) + +type ricci_modcluster_var_log_t; +logging_log_file(ricci_modcluster_var_log_t) + +type ricci_modcluster_var_run_t; +files_pid_file(ricci_modcluster_var_run_t) + +type ricci_modclusterd_t; +type ricci_modclusterd_exec_t; +init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t) + +type ricci_modclusterd_tmpfs_t; +files_tmpfs_file(ricci_modclusterd_tmpfs_t) + +type ricci_modlog_t; +type ricci_modlog_exec_t; +domain_type(ricci_modlog_t) +domain_entry_file(ricci_modlog_t, ricci_modlog_exec_t) +role system_r types ricci_modlog_t; + +type ricci_modrpm_t; +type ricci_modrpm_exec_t; +domain_type(ricci_modrpm_t) +domain_entry_file(ricci_modrpm_t, ricci_modrpm_exec_t) +role system_r types ricci_modrpm_t; + +type ricci_modservice_t; +type ricci_modservice_exec_t; +domain_type(ricci_modservice_t) +domain_entry_file(ricci_modservice_t, ricci_modservice_exec_t) +role system_r types ricci_modservice_t; + +type ricci_modstorage_t; +type ricci_modstorage_exec_t; +domain_type(ricci_modstorage_t) +domain_entry_file(ricci_modstorage_t, ricci_modstorage_exec_t) +role system_r types ricci_modstorage_t; + +type ricci_modstorage_lock_t; +files_lock_file(ricci_modstorage_lock_t) + +######################################## +# +# ricci 
local policy +# + +allow ricci_t self:capability { setuid sys_nice sys_boot }; +allow ricci_t self:process setsched; +allow ricci_t self:fifo_file rw_fifo_file_perms; +allow ricci_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow ricci_t self:tcp_socket create_stream_socket_perms; + +domain_auto_trans(ricci_t, ricci_modcluster_exec_t, ricci_modcluster_t) +domain_auto_trans(ricci_t, ricci_modlog_exec_t, ricci_modlog_t) +domain_auto_trans(ricci_t, ricci_modrpm_exec_t, ricci_modrpm_t) +domain_auto_trans(ricci_t, ricci_modservice_exec_t, ricci_modservice_t) +domain_auto_trans(ricci_t, ricci_modstorage_exec_t, ricci_modstorage_t) + +manage_dirs_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t) +manage_files_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t) +files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir }) + +manage_dirs_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) +manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) +manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) +files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file }) + +allow ricci_t ricci_var_log_t:dir setattr_dir_perms; +manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) +manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) +logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir }) + +manage_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t) +manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t) +files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file }) + +kernel_read_kernel_sysctls(ricci_t) +kernel_read_system_state(ricci_t) + +corecmd_exec_bin(ricci_t) + +corenet_all_recvfrom_unlabeled(ricci_t) +corenet_all_recvfrom_netlabel(ricci_t) +corenet_tcp_sendrecv_generic_if(ricci_t) +corenet_tcp_sendrecv_generic_node(ricci_t) +corenet_tcp_sendrecv_all_ports(ricci_t) +corenet_tcp_bind_generic_node(ricci_t) +corenet_udp_bind_generic_node(ricci_t) 
+corenet_tcp_bind_ricci_port(ricci_t) +corenet_udp_bind_ricci_port(ricci_t) +corenet_tcp_connect_http_port(ricci_t) + +dev_read_urand(ricci_t) + +domain_read_all_domains_state(ricci_t) + +files_read_etc_files(ricci_t) +files_read_etc_runtime_files(ricci_t) +files_create_boot_flag(ricci_t) + +auth_domtrans_chk_passwd(ricci_t) +auth_append_login_records(ricci_t) + +init_stream_connect_script(ricci_t) + +locallogin_dontaudit_use_fds(ricci_t) + +logging_send_syslog_msg(ricci_t) + +miscfiles_read_localization(ricci_t) + +sysnet_dns_name_resolve(ricci_t) + +optional_policy(` + ccs_read_config(ricci_t) +') + +optional_policy(` + dbus_system_bus_client(ricci_t) + + oddjob_dbus_chat(ricci_t) +') + +optional_policy(` + # Needed so oddjob can run halt/reboot on behalf of ricci + corecmd_bin_entry_type(ricci_t) + term_dontaudit_search_ptys(ricci_t) + init_exec(ricci_t) + init_telinit(ricci_t) + init_rw_utmp(ricci_t) + + oddjob_system_entry(ricci_t, ricci_exec_t) +') + +optional_policy(` + rpm_use_script_fds(ricci_t) +') + +optional_policy(` + sasl_connect(ricci_t) +') + +optional_policy(` + shutdown_domtrans(ricci_t) +') + +optional_policy(` + unconfined_use_fds(ricci_t) +') + +optional_policy(` + xen_domtrans_xm(ricci_t) +') + +######################################## +# +# ricci_modcluster local policy +# + +allow ricci_modcluster_t self:capability { net_bind_service sys_nice }; +allow ricci_modcluster_t self:process setsched; +allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms; + +kernel_read_kernel_sysctls(ricci_modcluster_t) +kernel_read_system_state(ricci_modcluster_t) + +corecmd_exec_shell(ricci_modcluster_t) +corecmd_exec_bin(ricci_modcluster_t) + +corenet_tcp_bind_cluster_port(ricci_modclusterd_t) +corenet_tcp_bind_reserved_port(ricci_modclusterd_t) + +domain_read_all_domains_state(ricci_modcluster_t) + +files_search_locks(ricci_modcluster_t) +files_read_etc_runtime_files(ricci_modcluster_t) +files_read_etc_files(ricci_modcluster_t) 
+files_search_usr(ricci_modcluster_t) + +init_exec(ricci_modcluster_t) +init_domtrans_script(ricci_modcluster_t) + +logging_send_syslog_msg(ricci_modcluster_t) + +miscfiles_read_localization(ricci_modcluster_t) + +modutils_domtrans_insmod(ricci_modcluster_t) + +mount_domtrans(ricci_modcluster_t) + +consoletype_exec(ricci_modcluster_t) + +ricci_stream_connect_modclusterd(ricci_modcluster_t) + +optional_policy(` + aisexec_stream_connect(ricci_modcluster_t) + corosync_stream_connect(ricci_modcluster_t) +') + +optional_policy(` + ccs_stream_connect(ricci_modcluster_t) + ccs_domtrans(ricci_modcluster_t) + ccs_manage_config(ricci_modcluster_t) +') + +optional_policy(` + lvm_domtrans(ricci_modcluster_t) +') + +optional_policy(` + nscd_socket_use(ricci_modcluster_t) +') + +optional_policy(` + oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t) +') + +optional_policy(` + rgmanager_stream_connect(ricci_modclusterd_t) +') + +######################################## +# +# ricci_modclusterd local policy +# + +allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config }; +allow ricci_modclusterd_t self:process { signal sigkill setsched }; +allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms; +allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms; +allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms; +# cjp: this needs to be fixed for a specific socket type: +allow ricci_modclusterd_t self:socket create_socket_perms; + +allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; +allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms; + +manage_dirs_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t) +manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t) +fs_tmpfs_filetrans(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, { dir file }) + +allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; 
+manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) +manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) +logging_log_filetrans(ricci_modclusterd_t, ricci_modcluster_var_log_t, { sock_file file dir }) + +manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t) +manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t) +files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock_file }) + +kernel_read_kernel_sysctls(ricci_modclusterd_t) +kernel_read_system_state(ricci_modclusterd_t) +kernel_request_load_module(ricci_modclusterd_t) + +corecmd_exec_bin(ricci_modclusterd_t) + +corenet_tcp_sendrecv_generic_if(ricci_modclusterd_t) +corenet_tcp_sendrecv_all_ports(ricci_modclusterd_t) +corenet_tcp_bind_generic_node(ricci_modclusterd_t) +corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t) +corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t) + +domain_read_all_domains_state(ricci_modclusterd_t) + +files_read_etc_files(ricci_modclusterd_t) +files_read_etc_runtime_files(ricci_modclusterd_t) + +fs_getattr_xattr_fs(ricci_modclusterd_t) + +auth_use_nsswitch(ricci_modclusterd_t) + +init_stream_connect_script(ricci_modclusterd_t) + +locallogin_dontaudit_use_fds(ricci_modclusterd_t) + +logging_send_syslog_msg(ricci_modclusterd_t) + +miscfiles_read_localization(ricci_modclusterd_t) + +sysnet_domtrans_ifconfig(ricci_modclusterd_t) + +optional_policy(` + aisexec_stream_connect(ricci_modclusterd_t) + corosync_stream_connect(ricci_modclusterd_t) +') + +optional_policy(` + ccs_domtrans(ricci_modclusterd_t) + ccs_stream_connect(ricci_modclusterd_t) + ccs_read_config(ricci_modclusterd_t) +') + +optional_policy(` + rgmanager_stream_connect(ricci_modclusterd_t) +') + +optional_policy(` + unconfined_use_fds(ricci_modclusterd_t) +') + 
+######################################## +# +# ricci_modlog local policy +# + +allow ricci_modlog_t self:capability sys_nice; +allow ricci_modlog_t self:process setsched; + +kernel_read_kernel_sysctls(ricci_modlog_t) +kernel_read_system_state(ricci_modlog_t) + +corecmd_exec_bin(ricci_modlog_t) + +domain_read_all_domains_state(ricci_modlog_t) + +files_read_etc_files(ricci_modlog_t) +files_search_usr(ricci_modlog_t) + +logging_read_generic_logs(ricci_modlog_t) + +miscfiles_read_localization(ricci_modlog_t) + +optional_policy(` + nscd_dontaudit_search_pid(ricci_modlog_t) +') + +optional_policy(` + oddjob_system_entry(ricci_modlog_t, ricci_modlog_exec_t) +') + +######################################## +# +# ricci_modrpm local policy +# + +allow ricci_modrpm_t self:fifo_file read_fifo_file_perms; + +kernel_read_kernel_sysctls(ricci_modrpm_t) + +corecmd_exec_bin(ricci_modrpm_t) + +files_search_usr(ricci_modrpm_t) +files_read_etc_files(ricci_modrpm_t) + +miscfiles_read_localization(ricci_modrpm_t) + +optional_policy(` + oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t) +') + +optional_policy(` + rpm_domtrans(ricci_modrpm_t) +') + +######################################## +# +# ricci_modservice local policy +# + +allow ricci_modservice_t self:capability { dac_override sys_nice }; +allow ricci_modservice_t self:fifo_file rw_fifo_file_perms; +allow ricci_modservice_t self:process setsched; + +kernel_read_kernel_sysctls(ricci_modservice_t) +kernel_read_system_state(ricci_modservice_t) + +corecmd_exec_bin(ricci_modservice_t) +corecmd_exec_shell(ricci_modservice_t) + +files_read_etc_files(ricci_modservice_t) +files_read_etc_runtime_files(ricci_modservice_t) +files_search_usr(ricci_modservice_t) +# Needed for running chkconfig +files_manage_etc_symlinks(ricci_modservice_t) + +consoletype_exec(ricci_modservice_t) + +init_domtrans_script(ricci_modservice_t) + +miscfiles_read_localization(ricci_modservice_t) + +optional_policy(` + ccs_read_config(ricci_modservice_t) +') + 
+optional_policy(` + nscd_dontaudit_search_pid(ricci_modservice_t) +') + +optional_policy(` + oddjob_system_entry(ricci_modservice_t, ricci_modservice_exec_t) +') + +######################################## +# +# ricci_modstorage local policy +# + +allow ricci_modstorage_t self:process { setsched signal }; +dontaudit ricci_modstorage_t self:process ptrace; +allow ricci_modstorage_t self:capability { mknod sys_nice }; +allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms; +allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms; + +kernel_read_kernel_sysctls(ricci_modstorage_t) +kernel_read_system_state(ricci_modstorage_t) + +create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t) +files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file) + +corecmd_exec_shell(ricci_modstorage_t) +corecmd_exec_bin(ricci_modstorage_t) + +dev_read_sysfs(ricci_modstorage_t) +dev_read_urand(ricci_modstorage_t) +dev_manage_generic_blk_files(ricci_modstorage_t) + +domain_read_all_domains_state(ricci_modstorage_t) + +#Needed for editing /etc/fstab +files_manage_etc_files(ricci_modstorage_t) +files_read_etc_runtime_files(ricci_modstorage_t) +files_read_usr_files(ricci_modstorage_t) +files_read_kernel_modules(ricci_modstorage_t) + +files_create_default_dir(ricci_modstorage_t) +files_root_filetrans_default(ricci_modstorage_t, dir) +files_mounton_default(ricci_modstorage_t) +files_manage_default_dirs(ricci_modstorage_t) +files_manage_default_files(ricci_modstorage_t) + +storage_raw_read_fixed_disk(ricci_modstorage_t) + +term_dontaudit_use_console(ricci_modstorage_t) + +fstools_domtrans(ricci_modstorage_t) + +logging_send_syslog_msg(ricci_modstorage_t) + +miscfiles_read_localization(ricci_modstorage_t) + +modutils_read_module_deps(ricci_modstorage_t) + +consoletype_exec(ricci_modstorage_t) + +mount_domtrans(ricci_modstorage_t) + +optional_policy(` + aisexec_stream_connect(ricci_modstorage_t) + 
corosync_stream_connect(ricci_modstorage_t) +') + +optional_policy(` + ccs_stream_connect(ricci_modstorage_t) + ccs_read_config(ricci_modstorage_t) +') + +optional_policy(` + lvm_domtrans(ricci_modstorage_t) + lvm_manage_config(ricci_modstorage_t) +') + +optional_policy(` + nscd_socket_use(ricci_modstorage_t) +') + +optional_policy(` + oddjob_system_entry(ricci_modstorage_t, ricci_modstorage_exec_t) +') + +optional_policy(` + raid_domtrans_mdadm(ricci_modstorage_t) +') diff --git a/policy/modules/services/rlogin.fc b/policy/modules/services/rlogin.fc new file mode 100644 index 0000000..c3c2775 --- /dev/null +++ b/policy/modules/services/rlogin.fc @@ -0,0 +1,10 @@ +HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) +HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) +/root/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) +/root/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) + +/usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) + +/usr/lib(64)?/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0) + +/usr/sbin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) diff --git a/policy/modules/services/rlogin.if b/policy/modules/services/rlogin.if new file mode 100644 index 0000000..63e78c6 --- /dev/null +++ b/policy/modules/services/rlogin.if 
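Review bot: in the ricci_modcluster local policy block of ricci.te, three rules name the wrong domain: corenet_tcp_bind_cluster_port(ricci_modclusterd_t), corenet_tcp_bind_reserved_port(ricci_modclusterd_t) and the optional rgmanager_stream_connect(ricci_modclusterd_t) all target ricci_modclusterd_t while every neighbouring rule targets ricci_modcluster_t, and rgmanager_stream_connect(ricci_modclusterd_t) is repeated verbatim in the ricci_modclusterd block that follows. Either these were meant for ricci_modcluster_t (fix the type) or they belong to modclusterd (move the two bind calls there and drop the duplicate). The modclusterd block also still ships "allow ricci_modclusterd_t self:socket create_socket_perms;" behind a "this needs to be fixed for a specific socket type" comment; the generic socket class should be narrowed to the socket family the daemon actually opens before this is merged. In ricci_modstorage, files_manage_etc_files justified by "Needed for editing /etc/fstab" grants write access to every etc_t file; a dedicated type for fstab, or at least a comment accepting that trade-off, would be appropriate for a domain that also gets storage_raw_read_fixed_disk and dev_manage_generic_blk_files.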
@@ -0,0 +1,47 @@ +## <summary>Remote login daemon</summary> + +######################################## +## <summary> +## Execute rlogind in the rlogin domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rlogin_domtrans',` + gen_require(` + type rlogind_t, rlogind_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, rlogind_exec_t, rlogind_t) +') + +######################################## +## <summary> +## read rlogin homedir content (.config) +## </summary> +## <param name="userdomain_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the user domain. +## </summary> +## </param> +# +template(`rlogin_read_home_content',` + gen_require(` + type rlogind_home_t; + ') + + userdom_search_user_home_dirs($1) + list_dirs_pattern($1, rlogind_home_t, rlogind_home_t) + read_files_pattern($1, rlogind_home_t, rlogind_home_t) + read_lnk_files_pattern($1, rlogind_home_t, rlogind_home_t) +') diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te new file mode 100644 index 0000000..0155ca7 --- /dev/null +++ b/policy/modules/services/rlogin.te 
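Review bot: rlogin_read_home_content in rlogin.if is declared as a template and documented with two parameters (userdomain_prefix and user_domain), but its body only uses $1 and creates no per-user types; make it a plain interface with a single "domain" parameter and fix the XML doc, since as written the generated documentation advertises a second argument that nothing reads. The summary "read rlogin homedir content (.config)" is also misleading for what rlogin.fc labels rlogind_home_t, which is ~/.rlogin and ~/.rhosts; name those files, because .rhosts is the host-trust file that makes this read access security-relevant.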
@@ -0,0 +1,118 @@ +policy_module(rlogin, 1.9.0) + +######################################## +# +# Declarations +# + +type rlogind_t; +type rlogind_exec_t; +inetd_service_domain(rlogind_t, rlogind_exec_t) +role system_r types rlogind_t; + +type rlogind_devpts_t; #, userpty_type; +term_login_pty(rlogind_devpts_t) + +type rlogind_home_t; +userdom_user_home_content(rlogind_home_t) + +type rlogind_tmp_t; +files_tmp_file(rlogind_tmp_t) + +type rlogind_var_run_t; +files_pid_file(rlogind_var_run_t) + +######################################## +# +# Local policy +# + +allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; +allow rlogind_t self:process signal_perms; +allow rlogind_t self:fifo_file rw_fifo_file_perms; +allow rlogind_t self:tcp_socket connected_stream_socket_perms; +# for identd; cjp: this should probably only be inetd_child rules? +allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms; + +allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; +term_create_pty(rlogind_t, rlogind_devpts_t) + +# for /usr/lib/telnetlogin +can_exec(rlogind_t, rlogind_exec_t) + +manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) +manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) + +manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t) +files_pid_filetrans(rlogind_t, rlogind_var_run_t, file) + +kernel_read_kernel_sysctls(rlogind_t) +kernel_read_system_state(rlogind_t) +kernel_read_network_state(rlogind_t) + +corenet_all_recvfrom_unlabeled(rlogind_t) +corenet_all_recvfrom_netlabel(rlogind_t) +corenet_tcp_sendrecv_generic_if(rlogind_t) +corenet_udp_sendrecv_generic_if(rlogind_t) +corenet_tcp_sendrecv_generic_node(rlogind_t) +corenet_udp_sendrecv_generic_node(rlogind_t) +corenet_tcp_sendrecv_all_ports(rlogind_t) +corenet_udp_sendrecv_all_ports(rlogind_t) + +dev_read_urand(rlogind_t) + +domain_interactive_fd(rlogind_t) + +fs_getattr_xattr_fs(rlogind_t) 
+fs_search_auto_mountpoints(rlogind_t) + +auth_domtrans_chk_passwd(rlogind_t) +auth_rw_login_records(rlogind_t) +auth_use_nsswitch(rlogind_t) +auth_login_pgm_domain(rlogind_t) + +files_read_etc_files(rlogind_t) +files_read_etc_runtime_files(rlogind_t) +files_search_home(rlogind_t) +files_search_default(rlogind_t) + +init_rw_utmp(rlogind_t) + +logging_send_syslog_msg(rlogind_t) + +miscfiles_read_localization(rlogind_t) + +seutil_read_config(rlogind_t) + +userdom_setattr_user_ptys(rlogind_t) +# cjp: this is egregious +userdom_read_user_home_content_files(rlogind_t) +userdom_search_admin_dir(rlogind_t) +userdom_manage_user_tmp_files(rlogind_t) +userdom_tmp_filetrans_user_tmp(rlogind_t, file) + +remotelogin_domtrans(rlogind_t) +remotelogin_signal(rlogind_t) + +rlogin_read_home_content(rlogind_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs(rlogind_t) + fs_read_nfs_files(rlogind_t) + fs_read_nfs_symlinks(rlogind_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_list_cifs(rlogind_t) + fs_read_cifs_files(rlogind_t) + fs_read_cifs_symlinks(rlogind_t) +') + +optional_policy(` + kerberos_keytab_template(rlogind, rlogind_t) + kerberos_manage_host_rcache(rlogind_t) +') + +optional_policy(` + tcpd_wrapped_domain(rlogind_t, rlogind_exec_t) +') diff --git a/policy/modules/services/roundup.fc b/policy/modules/services/roundup.fc new file mode 100644 index 0000000..e4110e6 --- /dev/null +++ b/policy/modules/services/roundup.fc @@ -0,0 +1,11 @@ +/etc/rc\.d/init\.d/roundup -- gen_context(system_u:object_r:roundup_initrc_exec_t,s0) + +# +# /usr +# +/usr/bin/roundup-server -- gen_context(system_u:object_r:roundup_exec_t,s0) + +# +# /var +# +/var/lib/roundup(/.*)? -- gen_context(system_u:object_r:roundup_var_lib_t,s0) diff --git a/policy/modules/services/roundup.if b/policy/modules/services/roundup.if new file mode 100644 index 0000000..30c4b75 --- /dev/null +++ b/policy/modules/services/roundup.if 
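Review bot: in rlogin.te, rlogind_tmp_t is declared and managed (manage_dirs_pattern and manage_files_pattern on rlogind_tmp_t) but there is no files_tmp_filetrans(rlogind_t, rlogind_tmp_t, ...) anywhere in the file, while userdom_tmp_filetrans_user_tmp(rlogind_t, file) is present; files the daemon creates in /tmp will therefore be labeled user_tmp_t and the rlogind_tmp_t rules are dead. Add the filetrans or drop the type. The broad userdom_read_user_home_content_files(rlogind_t), already flagged with "cjp: this is egregious", sits next to rlogin_read_home_content(rlogind_t), which already covers the .rhosts and .rlogin files the daemon needs; unless a specific file outside rlogind_home_t is known to be required, drop the broad rule rather than merging it with an apology comment. The leftover "#, userpty_type;" on the rlogind_devpts_t declaration should also go.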
@@ -0,0 +1,39 @@ +## <summary>Roundup Issue Tracking System policy</summary> + +######################################## +## <summary> +## All of the rules required to administrate +## an roundup environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the roundup domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`roundup_admin',` + gen_require(` + type roundup_t, roundup_var_lib_t, roundup_var_run_t; + type roundup_initrc_exec_t; + ') + + allow $1 roundup_t:process { ptrace signal_perms }; + ps_process_pattern($1, roundup_t) + + init_labeled_script_domtrans($1, roundup_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 roundup_initrc_exec_t system_r; + allow $2 system_r; + + files_list_var_lib($1) + admin_pattern($1, roundup_var_lib_t) + + files_list_pids($1) + admin_pattern($1, roundup_var_run_t) +') diff --git a/policy/modules/services/roundup.te b/policy/modules/services/roundup.te new file mode 100644 index 0000000..57f839f --- /dev/null +++ b/policy/modules/services/roundup.te 
@@ -0,0 +1,96 @@ +policy_module(roundup, 1.7.0) + +######################################## +# +# Declarations +# + +type roundup_t; +type roundup_exec_t; +init_daemon_domain(roundup_t, roundup_exec_t) + +type roundup_initrc_exec_t; +init_script_file(roundup_initrc_exec_t) + +type roundup_var_run_t; +files_pid_file(roundup_var_run_t) + +type roundup_var_lib_t; +files_type(roundup_var_lib_t) + +######################################## +# +# Local policy +# + +allow roundup_t self:capability { setgid setuid }; +dontaudit roundup_t self:capability sys_tty_config; +allow roundup_t self:process signal_perms; +allow roundup_t self:unix_stream_socket create_stream_socket_perms; +allow roundup_t self:tcp_socket create_stream_socket_perms; +allow roundup_t self:udp_socket create_socket_perms; + +manage_files_pattern(roundup_t, roundup_var_lib_t, roundup_var_lib_t) +files_var_lib_filetrans(roundup_t, roundup_var_lib_t, file) + +manage_files_pattern(roundup_t, roundup_var_run_t, roundup_var_run_t) +files_pid_filetrans(roundup_t, roundup_var_run_t, file) + +kernel_read_kernel_sysctls(roundup_t) +kernel_list_proc(roundup_t) +kernel_read_proc_symlinks(roundup_t) + +dev_read_sysfs(roundup_t) + +# execute python +corecmd_exec_bin(roundup_t) + +corenet_all_recvfrom_unlabeled(roundup_t) +corenet_all_recvfrom_netlabel(roundup_t) +corenet_tcp_sendrecv_generic_if(roundup_t) +corenet_udp_sendrecv_generic_if(roundup_t) +corenet_raw_sendrecv_generic_if(roundup_t) +corenet_tcp_sendrecv_generic_node(roundup_t) +corenet_udp_sendrecv_generic_node(roundup_t) +corenet_raw_sendrecv_generic_node(roundup_t) +corenet_tcp_sendrecv_all_ports(roundup_t) +corenet_udp_sendrecv_all_ports(roundup_t) +corenet_tcp_bind_generic_node(roundup_t) +corenet_tcp_bind_http_cache_port(roundup_t) +corenet_tcp_connect_smtp_port(roundup_t) +corenet_sendrecv_http_cache_server_packets(roundup_t) +corenet_sendrecv_smtp_client_packets(roundup_t) + +# /usr/share/mysql/charsets/Index.xml +dev_read_urand(roundup_t) + 
+domain_use_interactive_fds(roundup_t) + +# /usr/share/mysql/charsets/Index.xml +files_read_usr_files(roundup_t) +files_read_etc_files(roundup_t) + +fs_getattr_all_fs(roundup_t) +fs_search_auto_mountpoints(roundup_t) + +logging_send_syslog_msg(roundup_t) + +miscfiles_read_localization(roundup_t) + +sysnet_read_config(roundup_t) + +userdom_dontaudit_use_unpriv_user_fds(roundup_t) +userdom_dontaudit_search_user_home_dirs(roundup_t) + +optional_policy(` + mysql_stream_connect(roundup_t) + mysql_search_db(roundup_t) +') + +optional_policy(` + seutil_sigchld_newrole(roundup_t) +') + +optional_policy(` + udev_read_db(roundup_t) +') diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc new file mode 100644 index 0000000..5c70c0c --- /dev/null +++ b/policy/modules/services/rpc.fc @@ -0,0 +1,31 @@ +# +# /etc +# +/etc/exports -- gen_context(system_u:object_r:exports_t,s0) +/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) + +# +# /sbin +# +/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) +/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) + +# +# /usr +# +/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0) +/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0) +/usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0) +/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) +/usr/sbin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0) +/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) + +# +# /var +# +/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0) + +/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) +/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) 
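Review bot: in roundup.te the comment "# /usr/share/mysql/charsets/Index.xml" above dev_read_urand(roundup_t) is misleading; it belongs to the files_read_usr_files(roundup_t) call a few lines later, where it is already repeated, and dev_read_urand needs its own justification. Also roundup_t gets manage_files_pattern on roundup_var_lib_t with files_var_lib_filetrans(..., file) only, and there is no manage_dirs_pattern on roundup_var_lib_t, so any directory roundup-server creates under /var/lib/roundup (which roundup.fc labels recursively as roundup_var_lib_t) will be denied; either add directory handling with a dir filetrans or state in a comment that the directory tree is pre-created by the administrator.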
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if new file mode 100644 index 0000000..28e7576 --- /dev/null +++ b/policy/modules/services/rpc.if 
@@ -0,0 +1,442 @@ +## <summary>Remote Procedure Call Daemon for managment of network based process communication</summary> + +######################################## +## <summary> +## RPC stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpc_stub',` + gen_require(` + type exports_t; + ') +') + +####################################### +## <summary> +## The template to define a rpc domain. +## </summary> +## <desc> +## <p> +## This template creates a domain to be used for +## a new rpc daemon. +## </p> +## </desc> +## <param name="userdomain_prefix"> +## <summary> +## The type of daemon to be used. +## </summary> +## </param> +# +template(`rpc_domain_template',` + gen_require(` + type var_lib_nfs_t; + ') + + ######################################## + # + # Declarations + # + + type $1_t; + type $1_exec_t; + init_daemon_domain($1_t, $1_exec_t) + domain_use_interactive_fds($1_t) + + #################################### + # + # Local Policy + # + + dontaudit $1_t self:capability { net_admin sys_tty_config }; + allow $1_t self:capability net_bind_service; + allow $1_t self:process signal_perms; + allow $1_t self:unix_dgram_socket create_socket_perms; + allow $1_t self:unix_stream_socket create_stream_socket_perms; + allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:udp_socket create_socket_perms; + + manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t) + manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t) + + kernel_list_proc($1_t) + kernel_read_proc_symlinks($1_t) + kernel_read_kernel_sysctls($1_t) + # bind to arbitary unused ports + kernel_rw_rpc_sysctls($1_t) + + dev_read_sysfs($1_t) + dev_read_urand($1_t) + dev_read_rand($1_t) + + corenet_all_recvfrom_unlabeled($1_t) + corenet_all_recvfrom_netlabel($1_t) + corenet_tcp_sendrecv_generic_if($1_t) + corenet_udp_sendrecv_generic_if($1_t) + 
corenet_tcp_sendrecv_generic_node($1_t) + corenet_udp_sendrecv_generic_node($1_t) + corenet_tcp_sendrecv_all_ports($1_t) + corenet_udp_sendrecv_all_ports($1_t) + corenet_tcp_bind_generic_node($1_t) + corenet_udp_bind_generic_node($1_t) + corenet_tcp_bind_reserved_port($1_t) + corenet_tcp_connect_all_ports($1_t) + corenet_sendrecv_portmap_client_packets($1_t) + # do not log when it tries to bind to a port belonging to another domain + corenet_dontaudit_tcp_bind_all_ports($1_t) + corenet_dontaudit_udp_bind_all_ports($1_t) + # bind to arbitary unused ports + corenet_tcp_bind_generic_port($1_t) + corenet_udp_bind_generic_port($1_t) + corenet_tcp_bind_all_rpc_ports($1_t) + corenet_udp_bind_all_rpc_ports($1_t) + corenet_sendrecv_generic_server_packets($1_t) + + fs_rw_rpc_named_pipes($1_t) + fs_search_auto_mountpoints($1_t) + + files_read_etc_files($1_t) + files_read_etc_runtime_files($1_t) + files_search_var($1_t) + files_search_var_lib($1_t) + files_list_home($1_t) + + auth_use_nsswitch($1_t) + + logging_send_syslog_msg($1_t) + + miscfiles_read_localization($1_t) + + userdom_dontaudit_use_unpriv_user_fds($1_t) + + optional_policy(` + rpcbind_stream_connect($1_t) + ') + + optional_policy(` + seutil_sigchld_newrole($1_t) + ') + + optional_policy(` + udev_read_db($1_t) + ') +') + +######################################## +## <summary> +## Send UDP network traffic to rpc and recieve UDP traffic from rpc. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpc_udp_send',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of the NFS export file. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`rpc_dontaudit_getattr_exports',` + gen_require(` + type exports_t; + ') + + dontaudit $1 exports_t:file getattr_file_perms; +') + +######################################## +## <summary> +## Allow read access to exports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpc_read_exports',` + gen_require(` + type exports_t; + ') + + allow $1 exports_t:file read_file_perms; +') + +######################################## +## <summary> +## Allow write access to exports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpc_write_exports',` + gen_require(` + type exports_t; + ') + + allow $1 exports_t:file write_file_perms; +') + +######################################## +## <summary> +## Execute domain in nfsd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rpc_domtrans_nfsd',` + gen_require(` + type nfsd_t, nfsd_exec_t; + ') + + domtrans_pattern($1, nfsd_exec_t, nfsd_t) +') + +####################################### +## <summary> +## Execute domain in nfsd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rpc_initrc_domtrans_nfsd',` + gen_require(` + type nfsd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, nfsd_initrc_exec_t) +') + +######################################## +## <summary> +## Execute domain in rpcd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`rpc_domtrans_rpcd',` + gen_require(` + type rpcd_t, rpcd_exec_t; + ') + + domtrans_pattern($1, rpcd_exec_t, rpcd_t) + allow rpcd_t $1:process signal; +') + +######################################## +## <summary> +## Execute rpcd in the rcpd domain, and +## allow the specified role the rpcd domain. +## </summary> +## <param name="domain"> +## <summary> +## The role to be allowed the rpcd domain. +## </summary> +## </param> +# +interface(`rpc_run_rpcd',` + gen_require(` + type rpcd_t; + ') + + rpc_domtrans_rpcd($1) + role $2 types rpcd_t; +') + +####################################### +## <summary> +## Execute domain in rpcd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rpc_initrc_domtrans_rpcd',` + gen_require(` + type rpcd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, rpcd_initrc_exec_t) +') + +######################################## +## <summary> +## Read NFS exported content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`rpc_read_nfs_content',` + gen_require(` + type nfsd_ro_t, nfsd_rw_t; + ') + + allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms; + allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms; + allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Allow domain to create read and write NFS directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`rpc_manage_nfs_rw_content',` + gen_require(` + type nfsd_rw_t; + ') + + manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t) + manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t) + manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t) +') + +######################################## +## <summary> +## Allow domain to create read and write NFS directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`rpc_manage_nfs_ro_content',` + gen_require(` + type nfsd_ro_t; + ') + + manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t) + manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t) + manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t) +') + +######################################## +## <summary> +## Allow domain to read and write to an NFS UDP socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpc_udp_rw_nfs_sockets',` + gen_require(` + type nfsd_t; + ') + + allow $1 nfsd_t:udp_socket rw_socket_perms; +') + +######################################## +## <summary> +## Send UDP traffic to NFSd. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpc_udp_send_nfs',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Search NFS state data in /var/lib/nfs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpc_search_nfs_state_data',` + gen_require(` + type var_lib_nfs_t; + ') + + files_search_var_lib($1) + allow $1 var_lib_nfs_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Read NFS state data in /var/lib/nfs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`rpc_read_nfs_state_data',` + gen_require(` + type var_lib_nfs_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) +') + +######################################## +## <summary> +## Manage NFS state data in /var/lib/nfs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpc_manage_nfs_state_data',` + gen_require(` + type var_lib_nfs_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) + allow $1 var_lib_nfs_t:file relabel_file_perms; +') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te new file mode 100644 index 0000000..288e6cc --- /dev/null +++ b/policy/modules/services/rpc.te 
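Review bot: rpc_run_rpcd in rpc.if uses $2 ("role $2 types rpcd_t;") but documents a single parameter named "domain" whose summary reads "The role to be allowed the rpcd domain"; add a <param name="domain"> for $1 and a <param name="role"> for $2 as the other run-style interfaces do. Several other doc blocks in this hunk are copy-paste mistakes: rpc_domain_template's parameter is named userdomain_prefix with summary "The type of daemon to be used" although it is the prefix of the new domain (e.g. rpcd), rpc_initrc_domtrans_nfsd and rpc_initrc_domtrans_rpcd are summarised as "Execute domain in nfsd domain" and "Execute domain in rpcd domain" although they run the init scripts via init_labeled_script_domtrans, and rpc_manage_nfs_ro_content repeats the rw summary "create read and write NFS directories". rpc_domtrans_rpcd additionally grants "allow rpcd_t $1:process signal;" on top of the transition, which is more than a domtrans interface normally gives; if rpc.statd needs to signal its caller, say so in a comment. Spelling nits: "managment" in the module summary, "arbitary" twice in rpc_domain_template, "recieve" in rpc_udp_send.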
@@ -0,0 +1,255 @@ +policy_module(rpc, 1.12.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow gssd to read temp directory. For access to kerberos tgt. +## </p> +## </desc> +gen_tunable(allow_gssd_read_tmp, true) + +## <desc> +## <p> +## Allow nfs servers to modify public files +## used for public file transfer services. Files/Directories must be +## labeled public_content_rw_t. +## </p> +## </desc> +gen_tunable(allow_nfsd_anon_write, false) + +type exports_t; +files_config_file(exports_t) + +rpc_domain_template(gssd) + +type gssd_tmp_t; +files_tmp_file(gssd_tmp_t) + +type rpcd_var_run_t; +files_pid_file(rpcd_var_run_t) + +# rpcd_t is the domain of rpc daemons. +# rpc_exec_t is the type of rpc daemon programs. +rpc_domain_template(rpcd) + +type rpcd_initrc_exec_t; +init_script_file(rpcd_initrc_exec_t); + +rpc_domain_template(nfsd) + +type nfsd_initrc_exec_t; +init_script_file(nfsd_initrc_exec_t); + +type nfsd_rw_t; +files_type(nfsd_rw_t) + +type nfsd_ro_t; +files_type(nfsd_ro_t) + +type var_lib_nfs_t; +files_mountpoint(var_lib_nfs_t) + +######################################## +# +# RPC local policy +# + +allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid }; +allow rpcd_t self:process { getcap setcap }; +allow rpcd_t self:fifo_file rw_fifo_file_perms; + +allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms; +manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) +manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) +files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir }) + +# rpc.statd executes sm-notify +can_exec(rpcd_t, rpcd_exec_t) + +kernel_read_system_state(rpcd_t) +kernel_read_network_state(rpcd_t) +# for rpc.rquotad +kernel_read_sysctl(rpcd_t) +kernel_rw_fs_sysctls(rpcd_t) +kernel_dontaudit_getattr_core_if(rpcd_t) +kernel_signal(rpcd_t) + +corecmd_exec_bin(rpcd_t) + +files_manage_mounttab(rpcd_t) +files_getattr_all_dirs(rpcd_t) + +fs_list_rpc(rpcd_t) +fs_read_rpc_files(rpcd_t) 
+fs_read_rpc_symlinks(rpcd_t) +fs_rw_rpc_sockets(rpcd_t) +fs_get_all_fs_quotas(rpcd_t) +fs_set_xattr_fs_quotas(rpcd_t) +fs_getattr_all_fs(rpcd_t) + +storage_getattr_fixed_disk_dev(rpcd_t) + +selinux_dontaudit_read_fs(rpcd_t) + +miscfiles_read_generic_certs(rpcd_t) + +seutil_dontaudit_search_config(rpcd_t) + +userdom_signal_unpriv_users(rpcd_t) +userdom_read_user_home_content_files(rpcd_t) + +optional_policy(` + automount_signal(rpcd_t) + automount_dontaudit_write_pipes(rpcd_t) +') + +optional_policy(` + domain_unconfined_signal(rpcd_t) +') + +optional_policy(` + nis_read_ypserv_config(rpcd_t) +') + +optional_policy(` + rgmanager_manage_tmp_files(rpcd_t) +') + +######################################## +# +# NFSD local policy +# + +allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; + +allow nfsd_t exports_t:file read_file_perms; +allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; + +# for /proc/fs/nfs/exports - should we have a new type? +kernel_read_system_state(nfsd_t) +kernel_read_network_state(nfsd_t) +kernel_dontaudit_getattr_core_if(nfsd_t) +kernel_setsched(nfsd_t) + +corenet_tcp_bind_all_rpc_ports(nfsd_t) +corenet_udp_bind_all_rpc_ports(nfsd_t) + +dev_dontaudit_getattr_all_blk_files(nfsd_t) +dev_dontaudit_getattr_all_chr_files(nfsd_t) +dev_rw_lvm_control(nfsd_t) + +# does not really need this, but it is easier to just allow it +files_search_pids(nfsd_t) +# for exportfs and rpc.mountd +files_getattr_tmp_dirs(nfsd_t) +# cjp: this should really have its own type +files_manage_mounttab(nfsd_t) +files_read_etc_runtime_files(nfsd_t) + +fs_mount_nfsd_fs(nfsd_t) +fs_search_nfsd_fs(nfsd_t) +fs_getattr_all_fs(nfsd_t) +fs_getattr_all_dirs(nfsd_t) +fs_rw_nfsd_fs(nfsd_t) + +storage_dontaudit_read_fixed_disk(nfsd_t) +storage_raw_read_removable_device(nfsd_t) + +# Read access to public_content_t and public_content_rw_t +miscfiles_read_public_files(nfsd_t) + +userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir }) + +# 
Write access to public_content_t and public_content_rw_t +tunable_policy(`allow_nfsd_anon_write',` + miscfiles_manage_public_files(nfsd_t) +') + +tunable_policy(`nfs_export_all_rw',` + dev_getattr_all_blk_files(nfsd_t) + dev_getattr_all_chr_files(nfsd_t) + + fs_read_noxattr_fs_files(nfsd_t) + auth_manage_all_files_except_shadow(nfsd_t) +') + +tunable_policy(`nfs_export_all_ro',` + dev_getattr_all_blk_files(nfsd_t) + dev_getattr_all_chr_files(nfsd_t) + + files_getattr_all_pipes(nfsd_t) + files_getattr_all_sockets(nfsd_t) + + fs_read_noxattr_fs_files(nfsd_t) + + auth_read_all_dirs_except_shadow(nfsd_t) + auth_read_all_files_except_shadow(nfsd_t) +') + +######################################## +# +# GSSD local policy +# + +allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice }; +allow gssd_t self:process { getsched setsched }; +allow gssd_t self:fifo_file rw_fifo_file_perms; + +manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) + +kernel_read_system_state(gssd_t) +kernel_read_network_state(gssd_t) +kernel_read_network_state_symlinks(gssd_t) +kernel_request_load_module(gssd_t) +kernel_search_network_sysctl(gssd_t) +kernel_signal(gssd_t) + +corecmd_exec_bin(gssd_t) + +fs_list_rpc(gssd_t) +fs_rw_rpc_sockets(gssd_t) +fs_read_rpc_files(gssd_t) + +fs_list_inotifyfs(gssd_t) +files_list_tmp(gssd_t) +files_read_usr_symlinks(gssd_t) +files_dontaudit_write_var_dirs(gssd_t) + +auth_use_nsswitch(gssd_t) +auth_manage_cache(gssd_t) + +miscfiles_read_generic_certs(gssd_t) + +mount_signal(gssd_t) + +userdom_signal_all_users(gssd_t) + +tunable_policy(`allow_gssd_read_tmp',` + userdom_list_user_tmp(gssd_t) + userdom_read_user_tmp_files(gssd_t) + userdom_read_user_tmp_symlinks(gssd_t) + userdom_write_user_tmp_files(gssd_t) + files_read_generic_tmp_files(gssd_t) +') + +optional_policy(` + automount_signal(gssd_t) +') + +optional_policy(` + 
kerberos_keytab_template(gssd, gssd_t) +') + +optional_policy(` + pcscd_read_pub_files(gssd_t) +') + +optional_policy(` + xserver_rw_xdm_tmp_files(gssd_t) +') diff --git a/policy/modules/services/rpcbind.fc b/policy/modules/services/rpcbind.fc new file mode 100644 index 0000000..5a965e9 --- /dev/null +++ b/policy/modules/services/rpcbind.fc @@ -0,0 +1,10 @@ +/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_initrc_exec_t,s0) + +/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0) + +/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) +/var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0) + +/var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) +/var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) +/var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0) diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if new file mode 100644 index 0000000..0458ba7 --- /dev/null +++ b/policy/modules/services/rpcbind.if 
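Review bot: In the GSSD local policy of nfs.te, the tunable named `allow_gssd_read_tmp` also grants `userdom_write_user_tmp_files(gssd_t)`, so a boolean documented as read access actually gives gssd write access to user tmp files; either drop the write rule from that block or rename and redocument the tunable so its effect matches its name. In the NFSD block, `nfs_export_all_rw` grants `auth_manage_all_files_except_shadow(nfsd_t)`, which is write access to essentially every file on the system; the tunable's `<desc>` in the Declarations block should say so plainly and it must default to false. The `# for /proc/fs/nfs/exports - should we have a new type?` and `# cjp: this should really have its own type` comments are open questions being committed as-is; resolve them or track them outside the policy source.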
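Review bot: In rpcbind.fc the pattern `/var/run/rpc.statd\.pid` leaves the dot in `rpc.statd` unescaped while escaping the one in `\.pid`, unlike every other path in this file; make it `/var/run/rpc\.statd\.pid`. The file name also suggests this pid file belongs to rpc.statd rather than to rpcbind, and labeling it `rpcbind_var_run_t` puts it under rpcbind_t's `manage_files_pattern` on that type; if that is intentional, add a comment saying why.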
@@ -0,0 +1,153 @@ +## <summary>Universal Addresses to RPC Program Number Mapper</summary> + +######################################## +## <summary> +## Execute a domain transition to run rpcbind. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rpcbind_domtrans',` + gen_require(` + type rpcbind_t, rpcbind_exec_t; + ') + + domtrans_pattern($1, rpcbind_exec_t, rpcbind_t) +') + +######################################## +## <summary> +## Connect to rpcbindd over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpcbind_stream_connect',` + gen_require(` + type rpcbind_t, rpcbind_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t) +') + +######################################## +## <summary> +## Read rpcbind PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpcbind_read_pid_files',` + gen_require(` + type rpcbind_var_run_t; + ') + + files_search_pids($1) + allow $1 rpcbind_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Search rpcbind lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpcbind_search_lib',` + gen_require(` + type rpcbind_var_lib_t; + ') + + allow $1 rpcbind_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Read rpcbind lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`rpcbind_read_lib_files',` + gen_require(` + type rpcbind_var_lib_t; + ') + + read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) + files_search_var_lib($1) +') + +######################################## +## <summary> +## Create, read, write, and delete +## rpcbind lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpcbind_manage_lib_files',` + gen_require(` + type rpcbind_var_lib_t; + ') + + manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) + files_search_var_lib($1) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an rpcbind environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the rpcbind domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`rpcbind_admin',` + gen_require(` + type rpcbind_t, rpcbind_var_lib_t, rpcbind_var_run_t; + type rpcbind_initrc_exec_t; + ') + + allow $1 rpcbind_t:process { ptrace signal_perms }; + ps_process_pattern($1, rpcbind_t) + + init_labeled_script_domtrans($1, rpcbind_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 rpcbind_initrc_exec_t system_r; + allow $2 system_r; + + files_list_var_lib($1) + admin_pattern($1, rpcbind_var_lib_t) + + files_list_pids($1) + admin_pattern($1, rpcbind_var_run_t) +') diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te new file mode 100644 index 0000000..9cb5e25 --- /dev/null +++ b/policy/modules/services/rpcbind.te 
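Review bot: The summary of `rpcbind_stream_connect` reads `Connect to rpcbindd over an unix stream socket.`; the daemon is rpcbind (one d) and it should be `a unix stream socket`. These summaries are extracted into the generated interface documentation, so the typo becomes user-visible.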
@@ -0,0 +1,79 @@ +policy_module(rpcbind, 1.5.0) + +######################################## +# +# Declarations +# + +type rpcbind_t; +type rpcbind_exec_t; +init_daemon_domain(rpcbind_t, rpcbind_exec_t) + +type rpcbind_initrc_exec_t; +init_script_file(rpcbind_initrc_exec_t) + +type rpcbind_var_run_t; +files_pid_file(rpcbind_var_run_t) + +type rpcbind_var_lib_t; +files_type(rpcbind_var_lib_t) + +######################################## +# +# rpcbind local policy +# + +allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config }; +allow rpcbind_t self:fifo_file rw_file_perms; +allow rpcbind_t self:unix_stream_socket create_stream_socket_perms; +allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms; +allow rpcbind_t self:udp_socket create_socket_perms; +allow rpcbind_t self:tcp_socket create_stream_socket_perms; + +manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t) +manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t) +files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file }) + +manage_dirs_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) +manage_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) +manage_sock_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t) +files_var_lib_filetrans(rpcbind_t, rpcbind_var_lib_t, { file dir sock_file }) + +kernel_read_system_state(rpcbind_t) +kernel_read_network_state(rpcbind_t) +kernel_request_load_module(rpcbind_t) + +corecmd_exec_shell(rpcbind_t) + +corenet_all_recvfrom_unlabeled(rpcbind_t) +corenet_all_recvfrom_netlabel(rpcbind_t) +corenet_tcp_sendrecv_generic_if(rpcbind_t) +corenet_udp_sendrecv_generic_if(rpcbind_t) +corenet_tcp_sendrecv_generic_node(rpcbind_t) +corenet_udp_sendrecv_generic_node(rpcbind_t) +corenet_tcp_sendrecv_all_ports(rpcbind_t) +corenet_udp_sendrecv_all_ports(rpcbind_t) +corenet_tcp_bind_generic_node(rpcbind_t) +corenet_udp_bind_generic_node(rpcbind_t) +corenet_tcp_bind_portmap_port(rpcbind_t) 
+corenet_udp_bind_portmap_port(rpcbind_t) +corenet_udp_bind_all_rpc_ports(rpcbind_t) + +domain_use_interactive_fds(rpcbind_t) + +files_read_etc_files(rpcbind_t) +files_read_etc_runtime_files(rpcbind_t) + +logging_send_syslog_msg(rpcbind_t) + +miscfiles_read_localization(rpcbind_t) + +sysnet_dns_name_resolve(rpcbind_t) + +ifdef(`hide_broken_symptoms',` + dontaudit rpcbind_t self:udp_socket listen; +') + +optional_policy(` + nis_use_ypbind(rpcbind_t) +') diff --git a/policy/modules/services/rshd.fc b/policy/modules/services/rshd.fc new file mode 100644 index 0000000..6a4db03 --- /dev/null +++ b/policy/modules/services/rshd.fc @@ -0,0 +1,5 @@ + +/usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0) + +/usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0) +/usr/sbin/in\.rshd -- gen_context(system_u:object_r:rshd_exec_t,s0) diff --git a/policy/modules/services/rshd.if b/policy/modules/services/rshd.if new file mode 100644 index 0000000..2e87d76 --- /dev/null +++ b/policy/modules/services/rshd.if @@ -0,0 +1,21 @@ +## <summary>Remote shell service.</summary> + +######################################## +## <summary> +## Domain transition to rshd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rshd_domtrans',` + gen_require(` + type rshd_exec_t, rshd_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, rshd_exec_t, rshd_t) +') diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te new file mode 100644 index 0000000..49a4283 --- /dev/null +++ b/policy/modules/services/rshd.te 
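Review bot: `corecmd_exec_shell(rpcbind_t)` is unexplained in the rpcbind local policy; a portmapper bound to the portmap port should not normally need to execute a shell, so either drop it or add a comment stating which code path requires it. Style: `allow rpcbind_t self:fifo_file rw_file_perms;` should use `rw_fifo_file_perms`, which is what gssd_t, rshd_t and rsync_t use elsewhere in this patch.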
@@ -0,0 +1,97 @@ +policy_module(rshd, 1.7.0) + +######################################## +# +# Declarations +# +type rshd_t; +type rshd_exec_t; +inetd_tcp_service_domain(rshd_t, rshd_exec_t) +domain_subj_id_change_exemption(rshd_t) +domain_role_change_exemption(rshd_t) +role system_r types rshd_t; + +######################################## +# +# Local policy +# +allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override }; +allow rshd_t self:process { signal_perms fork setsched setpgid setexec }; +allow rshd_t self:fifo_file rw_fifo_file_perms; +allow rshd_t self:tcp_socket create_stream_socket_perms; + +kernel_read_kernel_sysctls(rshd_t) + +corenet_all_recvfrom_unlabeled(rshd_t) +corenet_all_recvfrom_netlabel(rshd_t) +corenet_tcp_sendrecv_generic_if(rshd_t) +corenet_udp_sendrecv_generic_if(rshd_t) +corenet_tcp_sendrecv_generic_node(rshd_t) +corenet_udp_sendrecv_generic_node(rshd_t) +corenet_tcp_sendrecv_all_ports(rshd_t) +corenet_udp_sendrecv_all_ports(rshd_t) +corenet_tcp_bind_generic_node(rshd_t) +corenet_tcp_bind_rsh_port(rshd_t) +corenet_tcp_bind_all_rpc_ports(rshd_t) +corenet_tcp_connect_all_ports(rshd_t) +corenet_tcp_connect_all_rpc_ports(rshd_t) +corenet_sendrecv_rsh_server_packets(rshd_t) + +dev_read_urand(rshd_t) + +selinux_get_fs_mount(rshd_t) +selinux_validate_context(rshd_t) +selinux_compute_access_vector(rshd_t) +selinux_compute_create_context(rshd_t) +selinux_compute_relabel_context(rshd_t) +selinux_compute_user_contexts(rshd_t) + +corecmd_read_bin_symlinks(rshd_t) + +files_list_home(rshd_t) +files_read_etc_files(rshd_t) +files_search_tmp(rshd_t) + +auth_login_pgm_domain(rshd_t) +auth_write_login_records(rshd_t) + +init_rw_utmp(rshd_t) + +logging_send_syslog_msg(rshd_t) +logging_search_logs(rshd_t) + +miscfiles_read_localization(rshd_t) + +seutil_read_config(rshd_t) +seutil_read_default_contexts(rshd_t) + +userdom_search_user_home_content(rshd_t) +userdom_manage_tmp_role(system_r, rshd_t) + 
+tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(rshd_t) + fs_read_nfs_symlinks(rshd_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files(rshd_t) + fs_read_cifs_symlinks(rshd_t) +') + +optional_policy(` + kerberos_keytab_template(rshd, rshd_t) + kerberos_manage_host_rcache(rshd_t) +') + +optional_policy(` + rlogin_read_home_content(rshd_t) +') + +optional_policy(` + tcpd_wrapped_domain(rshd_t, rshd_exec_t) +') + +optional_policy(` + unconfined_shell_domtrans(rshd_t) + unconfined_signal(rshd_t) +') diff --git a/policy/modules/services/rsync.fc b/policy/modules/services/rsync.fc new file mode 100644 index 0000000..479615b --- /dev/null +++ b/policy/modules/services/rsync.fc @@ -0,0 +1,7 @@ +/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0) + +/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) + +/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0) + +/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if new file mode 100644 index 0000000..b28cae5 --- /dev/null +++ b/policy/modules/services/rsync.if 
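Review bot: In rshd.te, `corenet_tcp_connect_all_ports(rshd_t)` together with `corenet_tcp_connect_all_rpc_ports(rshd_t)` and `corenet_tcp_bind_all_rpc_ports(rshd_t)` lets a network-facing login daemon connect to and bind any port; if these exist for the rsh secondary (stderr) channel, say so in a comment and check whether the rpc-port rules are needed at all. The final `optional_policy` block, `unconfined_shell_domtrans(rshd_t)` plus `unconfined_signal(rshd_t)`, means the session spawned by rshd runs unconfined; that deserves a comment given how carefully the daemon itself is confined. Minor: the Declarations and Local policy headers are not followed by a blank line before the first rule, unlike the other .te files in this patch.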
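Review bot: In rsync.fc, `/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0)` has a space before `s0`, unlike every other gen_context in this patch; m4 tolerates it, but make it consistent.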
@@ -0,0 +1,186 @@ +## <summary>Fast incremental file transfer for synchronization</summary> + +######################################## +## <summary> +## Make rsync an entry point for +## the specified domain. +## </summary> +## <param name="domain"> +## <summary> +## The domain for which init scripts are an entrypoint. +## </summary> +## </param> +# cjp: added for portage +interface(`rsync_entry_type',` + gen_require(` + type rsync_exec_t; + ') + + domain_entry_file($1, rsync_exec_t) +') + +######################################## +## <summary> +## Execute a rsync in a specified domain. +## </summary> +## <desc> +## <p> +## Execute a rsync in a specified domain. +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## </desc> +## <param name="source_domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## Domain to transition to. +## </summary> +## </param> +# cjp: added for portage +interface(`rsync_entry_spec_domtrans',` + gen_require(` + type rsync_exec_t; + ') + + domain_trans($1, rsync_exec_t, $2) +') + +######################################## +## <summary> +## Execute a rsync in a specified domain. +## </summary> +## <desc> +## <p> +## Execute a rsync in a specified domain. +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## </desc> +## <param name="source_domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## Domain to transition to. 
+## </summary> +## </param> +# cjp: added for portage +interface(`rsync_entry_domtrans',` + gen_require(` + type rsync_exec_t; + ') + + domain_auto_trans($1, rsync_exec_t, $2) +') + +######################################## +## <summary> +## Execute rsync in the caller domain domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`rsync_exec',` + gen_require(` + type rsync_exec_t; + ') + + can_exec($1, rsync_exec_t) +') + +######################################## +## <summary> +## Read rsync config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rsync_read_config',` + gen_require(` + type rsync_etc_t; + ') + + read_files_pattern($1, rsync_etc_t, rsync_etc_t) + files_search_etc($1) +') + +######################################## +## <summary> +## Write to rsync config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rsync_write_config',` + gen_require(` + type rsync_etc_t; + ') + + write_files_pattern($1, rsync_etc_t, rsync_etc_t) + files_search_etc($1) +') + +######################################## +## <summary> +## Manage rsync config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rsync_manage_config',` + gen_require(` + type rsync_etc_t; + ') + + manage_files_pattern($1, rsync_etc_t, rsync_etc_t) + files_search_etc($1) +') + +######################################## +## <summary> +## Create objects in etc directories +## with rsync etc type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## Class of the object being created. 
+## </summary> +## </param> +# +interface(`rsync_filetrans_config',` + gen_require(` + type rsync_etc_t; + ') + + files_etc_filetrans($1, rsync_etc_t, $2) +') diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te new file mode 100644 index 0000000..5e7b7cf --- /dev/null +++ b/policy/modules/services/rsync.te 
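Review bot: `rsync_entry_spec_domtrans` and `rsync_entry_domtrans` carry word-for-word identical `<summary>` and `<desc>` blocks (`Execute a rsync in a specified domain.`), yet one calls `domain_trans` and the other `domain_auto_trans`; the documentation should state that the first only permits the transition while the second makes it automatic on exec, otherwise callers cannot tell them apart. Also fix `Execute rsync in the caller domain domain.` in `rsync_exec`.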
@@ -0,0 +1,155 @@ +policy_module(rsync, 1.10.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow rsync to run as a client +## </p> +## </desc> +gen_tunable(rsync_client, false) + +## <desc> +## <p> +## Allow rsync to export any files/directories read only. +## </p> +## </desc> +gen_tunable(rsync_export_all_ro, false) + +## <desc> +## <p> +## Allow rsync to modify public files +## used for public file transfer services. Files/Directories must be +## labeled public_content_rw_t. +## </p> +## </desc> +gen_tunable(allow_rsync_anon_write, false) + +type rsync_t; +type rsync_exec_t; +application_executable_file(rsync_exec_t) +role system_r types rsync_t; + +type rsync_etc_t; +files_config_file(rsync_etc_t) + +type rsync_data_t; +files_type(rsync_data_t) + +type rsync_log_t; +logging_log_file(rsync_log_t) + +type rsync_tmp_t; +files_tmp_file(rsync_tmp_t) + +type rsync_var_run_t; +files_pid_file(rsync_var_run_t) + +######################################## +# +# Local policy +# + +allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; +allow rsync_t self:process signal_perms; +allow rsync_t self:fifo_file rw_fifo_file_perms; +allow rsync_t self:tcp_socket create_stream_socket_perms; +allow rsync_t self:udp_socket connected_socket_perms; + +# for identd +# cjp: this should probably only be inetd_child_t rules? +# search home and kerberos also. 
+allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +#end for identd + +read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t) + +allow rsync_t rsync_data_t:dir list_dir_perms; +read_files_pattern(rsync_t, rsync_data_t, rsync_data_t) +read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) + +manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t) +logging_log_filetrans(rsync_t, rsync_log_t, file) + +manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) +manage_files_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) +files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir }) + +manage_files_pattern(rsync_t, rsync_var_run_t, rsync_var_run_t) +files_pid_filetrans(rsync_t, rsync_var_run_t, file) + +kernel_read_kernel_sysctls(rsync_t) +kernel_read_system_state(rsync_t) +kernel_read_network_state(rsync_t) + +corenet_all_recvfrom_unlabeled(rsync_t) +corenet_all_recvfrom_netlabel(rsync_t) +corenet_tcp_sendrecv_generic_if(rsync_t) +corenet_udp_sendrecv_generic_if(rsync_t) +corenet_tcp_sendrecv_generic_node(rsync_t) +corenet_udp_sendrecv_generic_node(rsync_t) +corenet_tcp_sendrecv_all_ports(rsync_t) +corenet_udp_sendrecv_all_ports(rsync_t) +corenet_tcp_bind_generic_node(rsync_t) +corenet_tcp_bind_rsync_port(rsync_t) +corenet_sendrecv_rsync_server_packets(rsync_t) + +dev_read_urand(rsync_t) + +fs_getattr_xattr_fs(rsync_t) + +files_read_etc_files(rsync_t) +files_search_home(rsync_t) + +auth_use_nsswitch(rsync_t) + +logging_send_syslog_msg(rsync_t) + +miscfiles_read_localization(rsync_t) +miscfiles_read_public_files(rsync_t) + +tunable_policy(`allow_rsync_anon_write',` + miscfiles_manage_public_files(rsync_t) +') + +optional_policy(` + daemontools_service_domain(rsync_t, rsync_exec_t) +') + +optional_policy(` + kerberos_use(rsync_t) +') + +optional_policy(` + inetd_service_domain(rsync_t, rsync_exec_t) +') + +tunable_policy(`rsync_export_all_ro',` + files_getattr_all_pipes(rsync_t) + fs_read_noxattr_fs_files(rsync_t) + fs_read_nfs_files(rsync_t) + 
fs_read_cifs_files(rsync_t) + auth_read_all_dirs_except_shadow(rsync_t) + auth_read_all_files_except_shadow(rsync_t) + auth_read_all_symlinks_except_shadow(rsync_t) + auth_tunable_read_shadow(rsync_t) +') + +tunable_policy(`rsync_client',` + corenet_tcp_connect_rsync_port(rsync_t) + corenet_tcp_connect_ssh_port(rsync_t) + manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t) + manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t) + manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) +') + +optional_policy(` + tunable_policy(`rsync_client',` + ssh_exec(rsync_t) + ') +') + +auth_can_read_shadow_passwords(rsync_t) diff --git a/policy/modules/services/rtkit.fc b/policy/modules/services/rtkit.fc new file mode 100644 index 0000000..52c441e --- /dev/null +++ b/policy/modules/services/rtkit.fc @@ -0,0 +1 @@ +/usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0) diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if new file mode 100644 index 0000000..d632bc0 --- /dev/null +++ b/policy/modules/services/rtkit.if 
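Review bot: `auth_can_read_shadow_passwords(rsync_t)` at the very end of rsync.te is unconditional and placed after the optional blocks, while the `rsync_export_all_ro` block already contains `auth_tunable_read_shadow(rsync_t)`; the unconditional rule makes the tunable-gated one meaningless and gives a network-facing daemon read access to shadow regardless of any boolean. Drop it, or move it under a tunable with a `<desc>` explaining the need. The comment block `# for identd`, `# cjp: this should probably only be inetd_child_t rules?`, `# search home and kerberos also.` is an unresolved question being committed; resolve or track it.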
@@ -0,0 +1,82 @@ +## <summary>Realtime scheduling for user processes.</summary> + +######################################## +## <summary> +## Execute a domain transition to run rtkit_daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rtkit_daemon_domtrans',` + gen_require(` + type rtkit_daemon_t, rtkit_daemon_exec_t; + ') + + domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t) +') + +######################################## +## <summary> +## Send and receive messages from +## rtkit_daemon over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rtkit_daemon_dbus_chat',` + gen_require(` + type rtkit_daemon_t; + class dbus send_msg; + ') + + allow $1 rtkit_daemon_t:dbus send_msg; + allow rtkit_daemon_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Do not audit send and receive messages from +## rtkit_daemon over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`rtkit_daemon_dontaudit_dbus_chat',` + gen_require(` + type rtkit_daemon_t; + class dbus send_msg; + ') + + dontaudit $1 rtkit_daemon_t:dbus send_msg; + dontaudit rtkit_daemon_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Allow rtkit to control scheduling for your process +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rtkit_scheduled',` + gen_require(` + type rtkit_daemon_t; + ') + + kernel_search_proc($1) + ps_process_pattern(rtkit_daemon_t, $1) + allow rtkit_daemon_t $1:process { getsched setsched }; + rtkit_daemon_dbus_chat($1) +') diff --git a/policy/modules/services/rtkit.te b/policy/modules/services/rtkit.te new file mode 100644 index 0000000..7d64285 --- /dev/null +++ b/policy/modules/services/rtkit.te 
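Review bot: `rtkit_scheduled` is summarized as `Allow rtkit to control scheduling for your process`, but its body also grants `ps_process_pattern(rtkit_daemon_t, $1)`, i.e. read access to the caller's process state, and pulls in `rtkit_daemon_dbus_chat($1)` in both directions; the summary should mention both so callers know what they hand over, and it is missing its trailing period.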
@@ -0,0 +1,36 @@ +policy_module(rtkit, 1.1.0) + +######################################## +# +# Declarations +# + +type rtkit_daemon_t; +type rtkit_daemon_exec_t; +dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) +init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) + +######################################## +# +# rtkit_daemon local policy +# + +allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace }; +allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit }; + +kernel_read_system_state(rtkit_daemon_t) + +domain_getsched_all_domains(rtkit_daemon_t) +domain_read_all_domains_state(rtkit_daemon_t) + +fs_rw_anon_inodefs_files(rtkit_daemon_t) + +auth_use_nsswitch(rtkit_daemon_t) + +logging_send_syslog_msg(rtkit_daemon_t) + +miscfiles_read_localization(rtkit_daemon_t) + +optional_policy(` + policykit_dbus_chat(rtkit_daemon_t) +') diff --git a/policy/modules/services/rwho.fc b/policy/modules/services/rwho.fc new file mode 100644 index 0000000..bc048ce --- /dev/null +++ b/policy/modules/services/rwho.fc @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/rwhod -- gen_context(system_u:object_r:rwho_initrc_exec_t,s0) + +/usr/sbin/rwhod -- gen_context(system_u:object_r:rwho_exec_t,s0) + +/var/spool/rwho(/.*)? gen_context(system_u:object_r:rwho_spool_t,s0) + +/var/log/rwhod(/.*)? gen_context(system_u:object_r:rwho_log_t,s0) diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if new file mode 100644 index 0000000..664e68e --- /dev/null +++ b/policy/modules/services/rwho.if 
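Review bot: `allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };` grants sys_ptrace alongside `domain_read_all_domains_state(rtkit_daemon_t)` with no comment; if sys_ptrace is only there to read /proc/<pid> state of the clients it reschedules, say so, and consider whether `domain_getsched_all_domains` plus the per-client `rtkit_scheduled` interface already covers the need. Also alphabetize the capability list (setgid before setuid, sys_chroot after).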
@@ -0,0 +1,154 @@ +## <summary>Who is logged in on other machines?</summary> + +######################################## +## <summary> +## Execute a domain transition to run rwho. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`rwho_domtrans',` + gen_require(` + type rwho_t, rwho_exec_t; + ') + + domtrans_pattern($1, rwho_exec_t, rwho_t) +') + +######################################## +## <summary> +## Search rwho log directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rwho_search_log',` + gen_require(` + type rwho_log_t; + ') + + allow $1 rwho_log_t:dir search_dir_perms; + logging_search_logs($1) +') + +######################################## +## <summary> +## Read rwho log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rwho_read_log_files',` + gen_require(` + type rwho_log_t; + ') + + allow $1 rwho_log_t:file read_file_perms; + allow $1 rwho_log_t:dir list_dir_perms; + logging_search_logs($1) +') + +######################################## +## <summary> +## Search rwho spool directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rwho_search_spool',` + gen_require(` + type rwho_spool_t; + ') + + allow $1 rwho_spool_t:dir search_dir_perms; + files_search_spool($1) +') + +######################################## +## <summary> +## Read rwho spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`rwho_read_spool_files',` + gen_require(` + type rwho_spool_t; + ') + + read_files_pattern($1, rwho_spool_t, rwho_spool_t) + files_search_spool($1) +') + +######################################## +## <summary> +## Create, read, write, and delete +## rwho spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rwho_manage_spool_files',` + gen_require(` + type rwho_spool_t; + ') + + manage_files_pattern($1, rwho_spool_t, rwho_spool_t) + files_search_spool($1) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an rwho environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`rwho_admin',` + gen_require(` + type rwho_t, rwho_log_t, rwho_spool_t; + type rwho_initrc_exec_t; + ') + + allow $1 rwho_t:process { ptrace signal_perms }; + ps_process_pattern($1, rwho_t) + + init_labeled_script_domtrans($1, rwho_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 rwho_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + admin_pattern($1, rwho_log_t) + + files_list_spool($1) + admin_pattern($1, rwho_spool_t) +') diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te new file mode 100644 index 0000000..d78daf4 --- /dev/null +++ b/policy/modules/services/rwho.te 
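Review bot: `rwho_read_log_files` spells out `allow $1 rwho_log_t:file read_file_perms;` and `allow $1 rwho_log_t:dir list_dir_perms;` while `rwho_read_spool_files` in the same file uses `read_files_pattern($1, rwho_spool_t, rwho_spool_t)`; use the pattern macro in both for consistency.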
@@ -0,0 +1,63 @@ +policy_module(rwho, 1.6.0) + +######################################## +# +# Declarations +# + +type rwho_t; +type rwho_exec_t; +init_daemon_domain(rwho_t, rwho_exec_t) + +type rwho_initrc_exec_t; +init_script_file(rwho_initrc_exec_t) + +type rwho_log_t; +files_type(rwho_log_t) + +type rwho_spool_t; +files_type(rwho_spool_t) + +######################################## +# +# rwho local policy +# + +allow rwho_t self:capability sys_chroot; +allow rwho_t self:unix_dgram_socket create; +allow rwho_t self:fifo_file rw_file_perms; +allow rwho_t self:unix_stream_socket create_stream_socket_perms; +allow rwho_t self:udp_socket create_socket_perms; + +allow rwho_t rwho_log_t:dir manage_dir_perms; +allow rwho_t rwho_log_t:file manage_file_perms; +logging_log_filetrans(rwho_t, rwho_log_t, { file dir }) + +allow rwho_t rwho_spool_t:dir manage_dir_perms; +allow rwho_t rwho_spool_t:file manage_file_perms; +files_spool_filetrans(rwho_t, rwho_spool_t, { file dir }) + +kernel_read_system_state(rwho_t) + +corenet_all_recvfrom_unlabeled(rwho_t) +corenet_all_recvfrom_netlabel(rwho_t) +corenet_udp_sendrecv_generic_if(rwho_t) +corenet_udp_sendrecv_generic_node(rwho_t) +corenet_udp_sendrecv_all_ports(rwho_t) +corenet_udp_bind_generic_node(rwho_t) +corenet_udp_bind_rwho_port(rwho_t) +corenet_sendrecv_rwho_server_packets(rwho_t) + +domain_use_interactive_fds(rwho_t) + +files_read_etc_files(rwho_t) + +init_read_utmp(rwho_t) +init_dontaudit_write_utmp(rwho_t) + +logging_send_syslog_msg(rwho_t) + +miscfiles_read_localization(rwho_t) + +sysnet_dns_name_resolve(rwho_t) + diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc new file mode 100644 index 0000000..73db5ba --- /dev/null +++ b/policy/modules/services/samba.fc 
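Review bot: `type rwho_log_t; files_type(rwho_log_t)` declares the log type with only the generic file attribute, then `logging_log_filetrans(rwho_t, rwho_log_t, { file dir })` creates it under /var/log; rsync.te in this same patch uses `logging_log_file(rsync_log_t)` for its log type. Use `logging_log_file` here too so the type carries the logfile attribute and is covered by the logging interfaces. Also `allow rwho_t self:fifo_file rw_file_perms;` should be `rw_fifo_file_perms`, and the hunk ends with a stray `+ ` blank line.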
@@ -0,0 +1,57 @@ + +# +# /etc +# +/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) +/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) +/etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) +/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0) +/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) +/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) +/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0) +/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) + +# +# /usr +# +/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) +/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) +/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) +/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) +/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) + +/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) +/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) +/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0) +/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0) + +# +# /var +# +/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) +/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) + +/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) +/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) + +/var/log/samba(/.*)? 
gen_context(system_u:object_r:samba_log_t,s0) + +/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +/var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +/var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +/var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) +/var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0) +/var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0) +/var/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +/var/run/samba/share_info\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +/var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0) +/var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) + +/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) + +/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) + +ifndef(`enable_mls',` +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if new file mode 100644 index 0000000..9e72970 --- /dev/null +++ b/policy/modules/services/samba.if 
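Review bot: `/var/spool/samba(/.*)?` and `/var/lib/samba(/.*)?` both get `samba_var_t`, so any domain allowed to write the print spool also gets write access to Samba's persistent state under /var/lib/samba; if the spool directory is meant to be writable by more domains than the state directory, give it its own type. The `ifndef(`enable_mls',` block labels `/var/lib/samba/scripts(/.*)?` as `samba_unconfined_script_exec_t` inside a tree that is otherwise `samba_var_t`; a comment on why unconfined script execution is acceptable there (and not on MLS) would help reviewers of the corresponding .te rules.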
@@ -0,0 +1,814 @@ +## <summary> +## SMB and CIFS client/server programs for UNIX and +## name Service Switch daemon for resolving names +## from Windows NT servers. +## </summary> + +######################################## +## <summary> +## Execute nmbd net in the nmbd_t domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`samba_domtrans_nmbd',` + gen_require(` + type nmbd_t, nmbd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, nmbd_exec_t, nmbd_t) +') + +####################################### +## <summary> +## Allow domain to signal samba +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`samba_signal_nmbd',` + gen_require(` + type nmbd_t; + ') + allow $1 nmbd_t:process signal; +') + +######################################## +## <summary> +## Execute samba server in the samba domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`samba_initrc_domtrans',` + gen_require(` + type samba_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, samba_initrc_exec_t) +') + +######################################## +## <summary> +## Execute samba net in the samba_net domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`samba_domtrans_net',` + gen_require(` + type samba_net_t, samba_net_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, samba_net_exec_t, samba_net_t) +') + +######################################## +## <summary> +## Execute samba net in the samba_unconfined_net domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`samba_domtrans_unconfined_net',` + gen_require(` + type samba_unconfined_net_t, samba_net_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t) +') + +######################################## +## <summary> +## Execute samba net in the samba_net domain, and +## allow the specified role the samba_net domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`samba_run_net',` + gen_require(` + type samba_net_t; + ') + + samba_domtrans_net($1) + role $2 types samba_net_t; +') + +####################################### +## <summary> +## The role for the samba module. +## </summary> +## <param name="role"> +## <summary> +## The role to be allowed the samba_net domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`samba_role_notrans',` + gen_require(` + type smbd_t; + ') + + role $1 types smbd_t; +') + +######################################## +## <summary> +## Execute samba net in the samba_unconfined_net domain, and +## allow the specified role the samba_unconfined_net domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the samba_unconfined_net domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`samba_run_unconfined_net',` + gen_require(` + type samba_unconfined_net_t; + ') + + samba_domtrans_unconfined_net($1) + role $2 types samba_unconfined_net_t; +') + +######################################## +## <summary> +## Execute smbmount in the smbmount domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`samba_domtrans_smbmount',` + gen_require(` + type smbmount_t, smbmount_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, smbmount_exec_t, smbmount_t) +') + +######################################## +## <summary> +## Execute smbmount interactively and do +## a domain transition to the smbmount domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`samba_run_smbmount',` + gen_require(` + type smbmount_t; + ') + + samba_domtrans_smbmount($1) + role $2 types smbmount_t; +') + +######################################## +## <summary> +## Allow the specified domain to read +## samba configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`samba_read_config',` + gen_require(` + type samba_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, samba_etc_t, samba_etc_t) +') + +######################################## +## <summary> +## Allow the specified domain to read +## and write samba configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`samba_rw_config',` + gen_require(` + type samba_etc_t; + ') + + files_search_etc($1) + rw_files_pattern($1, samba_etc_t, samba_etc_t) +') + +######################################## +## <summary> +## Allow the specified domain to read +## and write samba configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`samba_manage_config',` + gen_require(` + type samba_etc_t; + ') + + files_search_etc($1) + manage_dirs_pattern($1, samba_etc_t, samba_etc_t) + manage_files_pattern($1, samba_etc_t, samba_etc_t) +') + +######################################## +## <summary> +## Allow the specified domain to read samba's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`samba_read_log',` + gen_require(` + type samba_log_t; + ') + + logging_search_logs($1) + allow $1 samba_log_t:dir list_dir_perms; + read_files_pattern($1, samba_log_t, samba_log_t) +') + +######################################## +## <summary> +## Allow the specified domain to append to samba's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`samba_append_log',` + gen_require(` + type samba_log_t; + ') + + logging_search_logs($1) + allow $1 samba_log_t:dir list_dir_perms; + allow $1 samba_log_t:file append_file_perms; +') + +######################################## +## <summary> +## Execute samba log in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`samba_exec_log',` + gen_require(` + type samba_log_t; + ') + + logging_search_logs($1) + can_exec($1, samba_log_t) +') + +######################################## +## <summary> +## Allow the specified domain to read samba's secrets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`samba_read_secrets',` + gen_require(` + type samba_secrets_t; + ') + + files_search_etc($1) + allow $1 samba_secrets_t:file read_file_perms; +') + +######################################## +## <summary> +## Allow the specified domain to read samba's shares +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`samba_read_share_files',` + gen_require(` + type samba_share_t; + ') + + allow $1 samba_share_t:filesystem getattr; + read_files_pattern($1, samba_share_t, samba_share_t) +') + +######################################## +## <summary> +## Allow the specified domain to search +## samba /var directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`samba_search_var',` + gen_require(` + type samba_var_t; + ') + + files_search_var_lib($1) + allow $1 samba_var_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Allow the specified domain to +## read samba /var files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`samba_read_var_files',` + gen_require(` + type samba_var_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, samba_var_t, samba_var_t) +') + +######################################## +## <summary> +## Do not audit attempts to write samba +## /var files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`samba_dontaudit_write_var_files',` + gen_require(` + type samba_var_t; + ') + + dontaudit $1 samba_var_t:file write; +') + +######################################## +## <summary> +## Allow the specified domain to +## read and write samba /var files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`samba_rw_var_files',` + gen_require(` + type samba_var_t; + ') + + files_search_var_lib($1) + rw_files_pattern($1, samba_var_t, samba_var_t) +') + +######################################## +## <summary> +## Allow the specified domain to +## read and write samba /var files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`samba_manage_var_files',` + gen_require(` + type samba_var_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, samba_var_t, samba_var_t) + manage_lnk_files_pattern($1, samba_var_t, samba_var_t) +') + +######################################## +## <summary> +## Execute a domain transition to run smbcontrol. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`samba_domtrans_smbcontrol',` + gen_require(` + type smbcontrol_t, smbcontrol_exec_t; + ') + + domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) +') + +######################################## +## <summary> +## Execute smbcontrol in the smbcontrol domain, and +## allow the specified role the smbcontrol domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`samba_run_smbcontrol',` + gen_require(` + type smbcontrol_t; + ') + + samba_domtrans_smbcontrol($1) + role $2 types smbcontrol_t; +') + +######################################## +## <summary> +## Execute smbd in the smbd_t domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`samba_domtrans_smbd',` + gen_require(` + type smbd_t, smbd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, smbd_exec_t, smbd_t) +') + +###################################### +## <summary> +## Allow domain to signal samba +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`samba_signal_smbd',` + gen_require(` + type smbd_t; + ') + allow $1 smbd_t:process signal; +') + +######################################## +## <summary> +## Do not audit attempts to use file descriptors from samba. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`samba_dontaudit_use_fds',` + gen_require(` + type smbd_t; + ') + + dontaudit $1 smbd_t:fd use; +') + +######################################## +## <summary> +## Allow the specified domain to write to smbmount tcp sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`samba_write_smbmount_tcp_sockets',` + gen_require(` + type smbmount_t; + ') + + allow $1 smbmount_t:tcp_socket write; +') + +######################################## +## <summary> +## Allow the specified domain to read and write to smbmount tcp sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`samba_rw_smbmount_tcp_sockets',` + gen_require(` + type smbmount_t; + ') + + allow $1 smbmount_t:tcp_socket { read write }; +') + +######################################## +## <summary> +## Execute winbind_helper in the winbind_helper domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`samba_domtrans_winbind_helper',` + gen_require(` + type winbind_helper_t, winbind_helper_exec_t; + ') + + domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) + allow $1 winbind_helper_t:process signal; +') + +######################################## +## <summary> +## Execute winbind_helper in the winbind_helper domain, and +## allow the specified role the winbind_helper domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`samba_run_winbind_helper',` + gen_require(` + type winbind_helper_t; + ') + + samba_domtrans_winbind_helper($1) + role $2 types winbind_helper_t; +') + +######################################## +## <summary> +## Allow the specified domain to read the winbind pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`samba_read_winbind_pid',` + gen_require(` + type winbind_var_run_t; + ') + + files_search_pids($1) + allow $1 winbind_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Connect to winbind. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`samba_stream_connect_winbind',` + gen_require(` + type samba_var_t, winbind_t, winbind_var_run_t; + ') + + files_search_pids($1) + allow $1 samba_var_t:dir search_dir_perms; + stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t) + + ifndef(`distro_redhat',` + gen_require(` + type winbind_tmp_t; + ') + + # the default for the socket is (poorly named): + # /tmp/.winbindd/pipe + files_search_tmp($1) + stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t) + ') +') + +######################################## +## <summary> +## Create a set of derived types for apache +## web content. +## </summary> +## <param name="prefix"> +## <summary> +## The prefix to be used for deriving type names. +## </summary> +## </param> +# +template(`samba_helper_template',` + gen_require(` + type smbd_t; + role system_r; + ') + + #This type is for samba helper scripts + type samba_$1_script_t; + domain_type(samba_$1_script_t) + role system_r types samba_$1_script_t; + + # This type is used for executable scripts files + type samba_$1_script_exec_t; + corecmd_shell_entry_type(samba_$1_script_t) + domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t) + + domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t) + allow smbd_t samba_$1_script_exec_t:file ioctl; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an samba environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the samba domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`samba_admin',` + gen_require(` + type nmbd_t, nmbd_var_run_t, smbd_var_run_t; + type smbd_t, smbd_tmp_t, samba_secrets_t; + type samba_initrc_exec_t, samba_log_t, samba_var_t; + type samba_etc_t, samba_share_t, winbind_log_t; + type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t; + type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t; + ') + + allow $1 smbd_t:process { ptrace signal_perms }; + ps_process_pattern($1, smbd_t) + + allow $1 nmbd_t:process { ptrace signal_perms }; + ps_process_pattern($1, nmbd_t) + + allow $1 samba_unconfined_script_t:process { ptrace signal_perms }; + ps_process_pattern($1, samba_unconfined_script_t) + + samba_run_smbcontrol($1, $2, $3) + samba_run_winbind_helper($1, $2, $3) + samba_run_smbmount($1, $2, $3) + samba_run_net($1, $2, $3) + + init_labeled_script_domtrans($1, samba_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 samba_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, nmbd_var_run_t) + + admin_pattern($1, samba_etc_t) + files_list_etc($1) + + admin_pattern($1, samba_log_t) + logging_list_logs($1) + + admin_pattern($1, samba_secrets_t) + + admin_pattern($1, samba_share_t) + + admin_pattern($1, samba_var_t) + files_list_var($1) + + admin_pattern($1, smbd_var_run_t) + files_list_pids($1) + + admin_pattern($1, smbd_tmp_t) + files_list_tmp($1) + + admin_pattern($1, swat_var_run_t) + + admin_pattern($1, swat_tmp_t) + + admin_pattern($1, winbind_log_t) + + admin_pattern($1, winbind_tmp_t) + + admin_pattern($1, winbind_var_run_t) + admin_pattern($1, samba_unconfined_script_exec_t) +') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te new file mode 100644 index 0000000..6e627d6 --- /dev/null +++ b/policy/modules/services/samba.te 
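Review bot: `samba_admin` passes three arguments to `samba_run_smbcontrol($1, $2, $3)`, `samba_run_winbind_helper($1, $2, $3)`, `samba_run_smbmount($1, $2, $3)` and `samba_run_net($1, $2, $3)`, but each of those interfaces declares only `domain` and `role` parameters and uses `$1`/`$2`; m4 silently drops the `$3`, so either call them as `samba_run_net($1, $2)` or document a third parameter. Several summaries no longer match the rules: `samba_manage_config` and `samba_manage_var_files` are described as "read and write" but grant manage patterns, `samba_role_notrans` says the role is allowed the samba_net domain while the rule is `role $1 types smbd_t;`, and `samba_helper_template` still carries the apache "derived types for web content" summary. Consistency: `samba_domtrans_smbcontrol` and `samba_domtrans_winbind_helper` omit the `corecmd_search_bin($1)` that the other domtrans interfaces in this file carry.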
@@ -0,0 +1,957 @@ +policy_module(samba, 1.13.0) + +################################# +# +# Declarations +# + +## <desc> +## <p> +## Allow samba to modify public files used for public file +## transfer services. Files/Directories must be labeled +## public_content_rw_t. +## </p> +## </desc> +gen_tunable(allow_smbd_anon_write, false) + +## <desc> +## <p> +## Allow samba to create new home directories (e.g. via PAM) +## </p> +## </desc> +gen_tunable(samba_create_home_dirs, false) + +## <desc> +## <p> +## Allow samba to act as the domain controller, add users, +## groups and change passwords. +## +## </p> +## </desc> +gen_tunable(samba_domain_controller, false) + +## <desc> +## <p> +## Allow samba to share users home directories. +## </p> +## </desc> +gen_tunable(samba_enable_home_dirs, false) + +## <desc> +## <p> +## Allow samba to share any file/directory read only. +## </p> +## </desc> +gen_tunable(samba_export_all_ro, false) + +## <desc> +## <p> +## Allow samba to share any file/directory read/write. +## </p> +## </desc> +gen_tunable(samba_export_all_rw, false) + +## <desc> +## <p> +## Allow samba to run unconfined scripts +## </p> +## </desc> +gen_tunable(samba_run_unconfined, false) + +## <desc> +## <p> +## Allow samba to export NFS volumes. +## </p> +## </desc> +gen_tunable(samba_share_nfs, false) + +## <desc> +## <p> +## Allow samba to export ntfs/fusefs volumes. 
+## </p> +## </desc> +gen_tunable(samba_share_fusefs, false) + +type nmbd_t; +type nmbd_exec_t; +init_daemon_domain(nmbd_t, nmbd_exec_t) + +type nmbd_var_run_t; +files_pid_file(nmbd_var_run_t) + +type samba_etc_t; +files_config_file(samba_etc_t) + +type samba_initrc_exec_t; +init_script_file(samba_initrc_exec_t) + +type samba_log_t; +logging_log_file(samba_log_t) + +type samba_net_t; +type samba_net_exec_t; +application_domain(samba_net_t, samba_net_exec_t) +role system_r types samba_net_t; + +type samba_net_tmp_t; +files_tmp_file(samba_net_tmp_t) + +type samba_secrets_t; +files_type(samba_secrets_t) + +type samba_share_t; # customizable +files_type(samba_share_t) + +type samba_var_t; +files_type(samba_var_t) + +type smbcontrol_t; +type smbcontrol_exec_t; +application_domain(smbcontrol_t, smbcontrol_exec_t) +role system_r types smbcontrol_t; + +type smbd_t; +type smbd_exec_t; +init_daemon_domain(smbd_t, smbd_exec_t) + +type smbd_tmp_t; +files_tmp_file(smbd_tmp_t) + +type smbd_var_run_t; +files_pid_file(smbd_var_run_t) + +type smbmount_t; +domain_type(smbmount_t) + +type smbmount_exec_t; +domain_entry_file(smbmount_t, smbmount_exec_t) + +type swat_t; +type swat_exec_t; +domain_type(swat_t) +domain_entry_file(swat_t, swat_exec_t) +role system_r types swat_t; + +type swat_tmp_t; +files_tmp_file(swat_tmp_t) + +type swat_var_run_t; +files_pid_file(swat_var_run_t) + +type winbind_t; +type winbind_exec_t; +init_daemon_domain(winbind_t, winbind_exec_t) + +type winbind_helper_t; +domain_type(winbind_helper_t) +role system_r types winbind_helper_t; + +type winbind_helper_exec_t; +domain_entry_file(winbind_helper_t, winbind_helper_exec_t) + +type winbind_log_t; +logging_log_file(winbind_log_t) + +type winbind_var_run_t; +files_pid_file(winbind_var_run_t) + +######################################## +# +# Samba net local policy +# +allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override }; +allow samba_net_t self:process { getsched setsched }; 
+allow samba_net_t self:unix_dgram_socket create_socket_perms; +allow samba_net_t self:unix_stream_socket create_stream_socket_perms; +allow samba_net_t self:udp_socket create_socket_perms; +allow samba_net_t self:tcp_socket create_socket_perms; + +allow samba_net_t samba_etc_t:file read_file_perms; + +manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t) +filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file) + +manage_dirs_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t) +manage_files_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t) +files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir }) + +manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t) +manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) +manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) + +kernel_read_proc_symlinks(samba_net_t) +kernel_read_system_state(samba_net_t) + +corenet_all_recvfrom_unlabeled(samba_net_t) +corenet_all_recvfrom_netlabel(samba_net_t) +corenet_tcp_sendrecv_generic_if(samba_net_t) +corenet_udp_sendrecv_generic_if(samba_net_t) +corenet_raw_sendrecv_generic_if(samba_net_t) +corenet_tcp_sendrecv_generic_node(samba_net_t) +corenet_udp_sendrecv_generic_node(samba_net_t) +corenet_raw_sendrecv_generic_node(samba_net_t) +corenet_tcp_sendrecv_all_ports(samba_net_t) +corenet_udp_sendrecv_all_ports(samba_net_t) +corenet_tcp_bind_generic_node(samba_net_t) +corenet_udp_bind_generic_node(samba_net_t) +corenet_tcp_connect_smbd_port(samba_net_t) + +dev_read_urand(samba_net_t) + +domain_use_interactive_fds(samba_net_t) + +files_read_etc_files(samba_net_t) +files_read_usr_symlinks(samba_net_t) + +auth_use_nsswitch(samba_net_t) +auth_manage_cache(samba_net_t) + +logging_send_syslog_msg(samba_net_t) + +miscfiles_read_localization(samba_net_t) + +samba_read_var_files(samba_net_t) + +userdom_use_user_terminals(samba_net_t) +userdom_list_user_home_dirs(samba_net_t) + +optional_policy(` + pcscd_read_pub_files(samba_net_t) +') + 
+optional_policy(` + kerberos_use(samba_net_t) +') + +######################################## +# +# smbd Local policy +# +allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_admin sys_resource lease dac_override dac_read_search }; +dontaudit smbd_t self:capability sys_tty_config; +allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow smbd_t self:process setrlimit; +allow smbd_t self:fd use; +allow smbd_t self:fifo_file rw_fifo_file_perms; +allow smbd_t self:msg { send receive }; +allow smbd_t self:msgq create_msgq_perms; +allow smbd_t self:sem create_sem_perms; +allow smbd_t self:shm create_shm_perms; +allow smbd_t self:sock_file read_sock_file_perms; +allow smbd_t self:tcp_socket create_stream_socket_perms; +allow smbd_t self:udp_socket create_socket_perms; +allow smbd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; + +allow smbd_t nmbd_t:process { signal signull }; + +allow smbd_t nmbd_var_run_t:file rw_file_perms; + +allow smbd_t samba_etc_t:file { rw_file_perms setattr }; + +manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t) +manage_files_pattern(smbd_t, samba_log_t, samba_log_t) + +allow smbd_t samba_net_tmp_t:file getattr; + +manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t) +filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) + +manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) +manage_files_pattern(smbd_t, samba_share_t, samba_share_t) +manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) +allow smbd_t samba_share_t:filesystem { getattr quotaget }; + +manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) +manage_files_pattern(smbd_t, samba_var_t, samba_var_t) +manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) +manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) + +allow smbd_t smbcontrol_t:process { signal signull }; + 
+manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) +manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) +files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) + +manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) +manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) +manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) +files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file }) + +allow smbd_t swat_t:process signal; + +allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms; + +allow smbd_t winbind_t:process { signal signull }; + +kernel_getattr_core_if(smbd_t) +kernel_getattr_message_if(smbd_t) +kernel_read_network_state(smbd_t) +kernel_read_fs_sysctls(smbd_t) +kernel_read_kernel_sysctls(smbd_t) +kernel_read_software_raid_state(smbd_t) +kernel_read_system_state(smbd_t) + +corecmd_exec_shell(smbd_t) +corecmd_exec_bin(smbd_t) + +corenet_all_recvfrom_unlabeled(smbd_t) +corenet_all_recvfrom_netlabel(smbd_t) +corenet_tcp_sendrecv_generic_if(smbd_t) +corenet_udp_sendrecv_generic_if(smbd_t) +corenet_raw_sendrecv_generic_if(smbd_t) +corenet_tcp_sendrecv_generic_node(smbd_t) +corenet_udp_sendrecv_generic_node(smbd_t) +corenet_raw_sendrecv_generic_node(smbd_t) +corenet_tcp_sendrecv_all_ports(smbd_t) +corenet_udp_sendrecv_all_ports(smbd_t) +corenet_tcp_bind_generic_node(smbd_t) +corenet_udp_bind_generic_node(smbd_t) +corenet_tcp_bind_smbd_port(smbd_t) +corenet_tcp_connect_ipp_port(smbd_t) +corenet_tcp_connect_smbd_port(smbd_t) + +dev_read_sysfs(smbd_t) +dev_read_urand(smbd_t) +dev_getattr_mtrr_dev(smbd_t) +dev_dontaudit_getattr_usbfs_dirs(smbd_t) +# For redhat bug 566984 +dev_getattr_all_blk_files(smbd_t) +dev_getattr_all_chr_files(smbd_t) + +fs_getattr_all_fs(smbd_t) +fs_getattr_all_dirs(smbd_t) +fs_get_xattr_fs_quotas(smbd_t) +fs_search_auto_mountpoints(smbd_t) +fs_getattr_rpc_dirs(smbd_t) +fs_list_inotifyfs(smbd_t) +fs_get_all_fs_quotas(smbd_t) + +auth_use_nsswitch(smbd_t) +auth_domtrans_chk_passwd(smbd_t) 
+auth_domtrans_upd_passwd(smbd_t) +auth_manage_cache(smbd_t) + +domain_use_interactive_fds(smbd_t) +domain_dontaudit_list_all_domains_state(smbd_t) + +files_list_var_lib(smbd_t) +files_read_etc_files(smbd_t) +files_read_etc_runtime_files(smbd_t) +files_read_usr_files(smbd_t) +files_search_spool(smbd_t) +# smbd seems to getattr all mountpoints +files_dontaudit_getattr_all_dirs(smbd_t) +files_dontaudit_list_all_mountpoints(smbd_t) +# Allow samba to list mnt_t for potential mounted dirs +files_list_mnt(smbd_t) + +init_rw_utmp(smbd_t) + +logging_search_logs(smbd_t) +logging_send_syslog_msg(smbd_t) + +miscfiles_read_localization(smbd_t) +miscfiles_read_public_files(smbd_t) + +userdom_use_unpriv_users_fds(smbd_t) +userdom_search_user_home_content(smbd_t) +userdom_signal_all_users(smbd_t) + +usermanage_read_crack_db(smbd_t) + +term_use_ptmx(smbd_t) + +ifdef(`hide_broken_symptoms', ` + files_dontaudit_getattr_default_dirs(smbd_t) + files_dontaudit_getattr_boot_dirs(smbd_t) + fs_dontaudit_getattr_tmpfs_dirs(smbd_t) +') + +tunable_policy(`allow_smbd_anon_write',` + miscfiles_manage_public_files(smbd_t) +') + +tunable_policy(`samba_domain_controller',` + gen_require(` + class passwd passwd; + ') + + usermanage_domtrans_passwd(smbd_t) + usermanage_kill_passwd(smbd_t) + usermanage_domtrans_useradd(smbd_t) + usermanage_domtrans_groupadd(smbd_t) + allow smbd_t self:passwd passwd; +') + +tunable_policy(`samba_enable_home_dirs',` + userdom_manage_user_home_content(smbd_t) +') + +# Support Samba sharing of NFS mount points +tunable_policy(`samba_share_nfs',` + fs_manage_nfs_dirs(smbd_t) + fs_manage_nfs_files(smbd_t) + fs_manage_nfs_symlinks(smbd_t) + fs_manage_nfs_named_pipes(smbd_t) + fs_manage_nfs_named_sockets(smbd_t) +') + +# Support Samba sharing of ntfs/fusefs mount points +tunable_policy(`samba_share_fusefs',` + fs_manage_fusefs_dirs(smbd_t) + fs_manage_fusefs_files(smbd_t) +',` + fs_search_fusefs(smbd_t) +') + + +optional_policy(` + cups_read_rw_config(smbd_t) + 
cups_stream_connect(smbd_t) +') + +optional_policy(` + kerberos_use(smbd_t) + kerberos_keytab_template(smbd, smbd_t) +') + +optional_policy(` + lpd_exec_lpr(smbd_t) +') + +optional_policy(` + qemu_manage_tmp_dirs(smbd_t) + qemu_manage_tmp_files(smbd_t) +') + +optional_policy(` + rpc_search_nfs_state_data(smbd_t) +') + +optional_policy(` + seutil_sigchld_newrole(smbd_t) +') + +optional_policy(` + udev_read_db(smbd_t) +') + +tunable_policy(`samba_create_home_dirs',` + allow smbd_t self:capability chown; + userdom_create_user_home_dirs(smbd_t) +') +userdom_home_filetrans_user_home_dir(smbd_t) + +tunable_policy(`samba_export_all_ro',` + fs_read_noxattr_fs_files(smbd_t) + auth_read_all_dirs_except_shadow(smbd_t) + auth_read_all_files_except_shadow(smbd_t) + fs_read_noxattr_fs_files(nmbd_t) + auth_read_all_dirs_except_shadow(nmbd_t) + auth_read_all_files_except_shadow(nmbd_t) +') + +tunable_policy(`samba_export_all_rw',` + fs_read_noxattr_fs_files(smbd_t) + auth_manage_all_files_except_shadow(smbd_t) + fs_read_noxattr_fs_files(nmbd_t) + auth_manage_all_files_except_shadow(nmbd_t) +') +userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) + +######################################## +# +# nmbd Local policy +# + +dontaudit nmbd_t self:capability sys_tty_config; +allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow nmbd_t self:fd use; +allow nmbd_t self:fifo_file rw_fifo_file_perms; +allow nmbd_t self:msg { send receive }; +allow nmbd_t self:msgq create_msgq_perms; +allow nmbd_t self:sem create_sem_perms; +allow nmbd_t self:shm create_shm_perms; +allow nmbd_t self:sock_file read_sock_file_perms; +allow nmbd_t self:tcp_socket create_stream_socket_perms; +allow nmbd_t self:udp_socket create_socket_perms; +allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; + +manage_dirs_pattern(nmbd_t, nmbd_var_run_t, 
nmbd_var_run_t) +manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) +files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file }) + +read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) + +manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) +manage_files_pattern(nmbd_t, samba_log_t, samba_log_t) + +manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) + +allow nmbd_t smbcontrol_t:process signal; + +allow nmbd_t smbd_var_run_t:dir rw_dir_perms; + +kernel_getattr_core_if(nmbd_t) +kernel_getattr_message_if(nmbd_t) +kernel_read_kernel_sysctls(nmbd_t) +kernel_read_network_state(nmbd_t) +kernel_read_software_raid_state(nmbd_t) +kernel_read_system_state(nmbd_t) + +corenet_all_recvfrom_unlabeled(nmbd_t) +corenet_all_recvfrom_netlabel(nmbd_t) +corenet_tcp_sendrecv_generic_if(nmbd_t) +corenet_udp_sendrecv_generic_if(nmbd_t) +corenet_tcp_sendrecv_generic_node(nmbd_t) +corenet_udp_sendrecv_generic_node(nmbd_t) +corenet_tcp_sendrecv_all_ports(nmbd_t) +corenet_udp_sendrecv_all_ports(nmbd_t) +corenet_udp_bind_generic_node(nmbd_t) +corenet_udp_bind_nmbd_port(nmbd_t) +corenet_sendrecv_nmbd_server_packets(nmbd_t) +corenet_sendrecv_nmbd_client_packets(nmbd_t) +corenet_tcp_connect_smbd_port(nmbd_t) + +dev_read_sysfs(nmbd_t) +dev_getattr_mtrr_dev(nmbd_t) + +fs_getattr_all_fs(nmbd_t) +fs_search_auto_mountpoints(nmbd_t) + +domain_use_interactive_fds(nmbd_t) + +files_read_usr_files(nmbd_t) +files_read_etc_files(nmbd_t) +files_list_var_lib(nmbd_t) + +auth_use_nsswitch(nmbd_t) + +logging_search_logs(nmbd_t) +logging_send_syslog_msg(nmbd_t) + +miscfiles_read_localization(nmbd_t) + +userdom_use_unpriv_users_fds(nmbd_t) +userdom_dontaudit_search_user_home_dirs(nmbd_t) + +optional_policy(` + seutil_sigchld_newrole(nmbd_t) +') + +optional_policy(` + udev_read_db(nmbd_t) +') + +######################################## +# +# smbcontrol local policy +# + +# internal communication is often done using fifo and unix sockets. 
+allow smbcontrol_t self:fifo_file rw_file_perms; +allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; + +allow smbcontrol_t nmbd_t:process { signal signull }; +read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t) + +allow smbcontrol_t smbd_t:process { signal signull }; +read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t) +allow smbcontrol_t winbind_t:process { signal signull }; + +files_search_var_lib(smbcontrol_t) +samba_read_config(smbcontrol_t) +samba_rw_var_files(smbcontrol_t) +samba_search_var(smbcontrol_t) +samba_read_winbind_pid(smbcontrol_t) + +domain_use_interactive_fds(smbcontrol_t) + +files_read_etc_files(smbcontrol_t) + +miscfiles_read_localization(smbcontrol_t) + +userdom_use_user_terminals(smbcontrol_t) + +######################################## +# +# smbmount Local policy +# + +allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary? +allow smbmount_t self:process { fork signal_perms }; +allow smbmount_t self:tcp_socket create_stream_socket_perms; +allow smbmount_t self:udp_socket connect; +allow smbmount_t self:unix_dgram_socket create_socket_perms; +allow smbmount_t self:unix_stream_socket create_socket_perms; + +allow smbmount_t samba_etc_t:dir list_dir_perms; +allow smbmount_t samba_etc_t:file read_file_perms; + +can_exec(smbmount_t, smbmount_exec_t) + +allow smbmount_t samba_log_t:dir list_dir_perms; +allow smbmount_t samba_log_t:file manage_file_perms; + +allow smbmount_t samba_secrets_t:file manage_file_perms; + +manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) +files_list_var_lib(smbmount_t) + +kernel_read_system_state(smbmount_t) + +corenet_all_recvfrom_unlabeled(smbmount_t) +corenet_all_recvfrom_netlabel(smbmount_t) +corenet_tcp_sendrecv_generic_if(smbmount_t) +corenet_raw_sendrecv_generic_if(smbmount_t) +corenet_udp_sendrecv_generic_if(smbmount_t) 
+corenet_tcp_sendrecv_generic_node(smbmount_t) +corenet_raw_sendrecv_generic_node(smbmount_t) +corenet_udp_sendrecv_generic_node(smbmount_t) +corenet_tcp_sendrecv_all_ports(smbmount_t) +corenet_udp_sendrecv_all_ports(smbmount_t) +corenet_tcp_bind_generic_node(smbmount_t) +corenet_udp_bind_generic_node(smbmount_t) +corenet_tcp_connect_all_ports(smbmount_t) + +fs_getattr_cifs(smbmount_t) +fs_mount_cifs(smbmount_t) +fs_remount_cifs(smbmount_t) +fs_unmount_cifs(smbmount_t) +fs_list_cifs(smbmount_t) +fs_read_cifs_files(smbmount_t) + +storage_raw_read_fixed_disk(smbmount_t) +storage_raw_write_fixed_disk(smbmount_t) + +corecmd_list_bin(smbmount_t) + +files_list_mnt(smbmount_t) +files_mounton_mnt(smbmount_t) +files_manage_etc_runtime_files(smbmount_t) +files_etc_filetrans_etc_runtime(smbmount_t, file) +files_read_etc_files(smbmount_t) + +auth_use_nsswitch(smbmount_t) + +miscfiles_read_localization(smbmount_t) + +mount_use_fds(smbmount_t) + +locallogin_use_fds(smbmount_t) + +logging_search_logs(smbmount_t) + +userdom_use_user_terminals(smbmount_t) +userdom_use_all_users_fds(smbmount_t) + +optional_policy(` + cups_read_rw_config(smbmount_t) +') + +######################################## +# +# SWAT Local policy +# + +allow swat_t self:capability { dac_override setuid setgid sys_resource }; +allow swat_t self:process { setrlimit signal_perms }; +allow swat_t self:fifo_file rw_fifo_file_perms; +allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +allow swat_t self:tcp_socket create_stream_socket_perms; +allow swat_t self:udp_socket create_socket_perms; +allow swat_t self:unix_stream_socket connectto; + +samba_domtrans_smbd(swat_t) +allow swat_t smbd_t:process { signal signull }; + +samba_domtrans_nmbd(swat_t) +allow swat_t nmbd_t:process { signal signull }; +allow nmbd_t swat_t:process signal; + +allow swat_t nmbd_var_run_t:file read_file_perms; + +allow swat_t smbd_port_t:tcp_socket name_bind; + +allow swat_t nmbd_port_t:udp_socket name_bind; + 
+rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) +read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t) + +manage_dirs_pattern(swat_t, samba_log_t, samba_log_t) +manage_files_pattern(swat_t, samba_log_t, samba_log_t) + +manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) + +manage_files_pattern(swat_t, samba_var_t, samba_var_t) +files_list_var_lib(swat_t) + +allow swat_t smbd_exec_t:file mmap_file_perms ; + +allow swat_t smbd_t:process signull; + +allow swat_t smbd_var_run_t:file read_file_perms; +allow swat_t smbd_var_run_t:file { lock unlink }; + +manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) +manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) +files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) + +manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) +files_pid_filetrans(swat_t, swat_var_run_t, file) + +allow swat_t winbind_exec_t:file mmap_file_perms; +domtrans_pattern(swat_t, winbind_exec_t, winbind_t) +allow swat_t winbind_t:process { signal signull }; + +read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t) +allow swat_t winbind_var_run_t:dir { write add_name remove_name }; +allow swat_t winbind_var_run_t:sock_file { create unlink }; + +kernel_read_kernel_sysctls(swat_t) +kernel_read_system_state(swat_t) +kernel_read_network_state(swat_t) + +corecmd_search_bin(swat_t) + +corenet_all_recvfrom_unlabeled(swat_t) +corenet_all_recvfrom_netlabel(swat_t) +corenet_tcp_sendrecv_generic_if(swat_t) +corenet_udp_sendrecv_generic_if(swat_t) +corenet_raw_sendrecv_generic_if(swat_t) +corenet_tcp_sendrecv_generic_node(swat_t) +corenet_udp_sendrecv_generic_node(swat_t) +corenet_raw_sendrecv_generic_node(swat_t) +corenet_tcp_sendrecv_all_ports(swat_t) +corenet_udp_sendrecv_all_ports(swat_t) +corenet_tcp_connect_smbd_port(swat_t) +corenet_tcp_connect_ipp_port(swat_t) +corenet_sendrecv_smbd_client_packets(swat_t) +corenet_sendrecv_ipp_client_packets(swat_t) + +dev_read_urand(swat_t) + +files_list_var_lib(swat_t) 
+files_read_etc_files(swat_t) +files_search_home(swat_t) +files_read_usr_files(swat_t) +fs_getattr_xattr_fs(swat_t) + +auth_domtrans_chk_passwd(swat_t) +auth_use_nsswitch(swat_t) + +init_read_utmp(swat_t) +init_dontaudit_write_utmp(swat_t) + +logging_send_syslog_msg(swat_t) +logging_send_audit_msgs(swat_t) +logging_search_logs(swat_t) + +miscfiles_read_localization(swat_t) + +userdom_dontaudit_search_admin_dir(swat_t) + +optional_policy(` + cups_read_rw_config(swat_t) + cups_stream_connect(swat_t) +') + +optional_policy(` + inetd_service_domain(swat_t, swat_exec_t) +') + +optional_policy(` + kerberos_use(swat_t) +') + +######################################## +# +# Winbind local policy +# + +allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; +dontaudit winbind_t self:capability sys_tty_config; +allow winbind_t self:process { signal_perms getsched setsched }; +allow winbind_t self:fifo_file rw_fifo_file_perms; +allow winbind_t self:unix_dgram_socket create_socket_perms; +allow winbind_t self:unix_stream_socket create_stream_socket_perms; +allow winbind_t self:tcp_socket create_stream_socket_perms; +allow winbind_t self:udp_socket create_socket_perms; + +allow winbind_t nmbd_t:process { signal signull }; + +allow winbind_t nmbd_var_run_t:file read_file_perms; + +allow winbind_t samba_etc_t:dir list_dir_perms; +read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) +read_lnk_files_pattern(winbind_t, samba_etc_t, samba_etc_t) + +manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) + +manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) +manage_files_pattern(winbind_t, samba_log_t, samba_log_t) +manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) + +manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) +manage_files_pattern(winbind_t, samba_var_t, samba_var_t) +manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t) +files_list_var_lib(winbind_t) + 
+rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) + +allow winbind_t winbind_log_t:file manage_file_perms; +logging_log_filetrans(winbind_t, winbind_log_t, file) + +userdom_manage_user_tmp_dirs(winbind_t) +userdom_manage_user_tmp_files(winbind_t) +userdom_tmp_filetrans_user_tmp(winbind_t, { file dir }) + +manage_dirs_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) +manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) +manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) +files_pid_filetrans(winbind_t, winbind_var_run_t, { file dir }) + +kernel_read_kernel_sysctls(winbind_t) +kernel_read_system_state(winbind_t) + +corecmd_exec_bin(winbind_t) + +corenet_all_recvfrom_unlabeled(winbind_t) +corenet_all_recvfrom_netlabel(winbind_t) +corenet_tcp_sendrecv_generic_if(winbind_t) +corenet_udp_sendrecv_generic_if(winbind_t) +corenet_raw_sendrecv_generic_if(winbind_t) +corenet_tcp_sendrecv_generic_node(winbind_t) +corenet_udp_sendrecv_generic_node(winbind_t) +corenet_raw_sendrecv_generic_node(winbind_t) +corenet_tcp_sendrecv_all_ports(winbind_t) +corenet_udp_sendrecv_all_ports(winbind_t) +corenet_tcp_bind_generic_node(winbind_t) +corenet_udp_bind_generic_node(winbind_t) +corenet_tcp_connect_smbd_port(winbind_t) +corenet_tcp_connect_smbd_port(winbind_t) +corenet_tcp_connect_epmap_port(winbind_t) +corenet_tcp_connect_all_unreserved_ports(winbind_t) + +dev_read_sysfs(winbind_t) +dev_read_urand(winbind_t) + +fs_getattr_all_fs(winbind_t) +fs_search_auto_mountpoints(winbind_t) + +auth_domtrans_chk_passwd(winbind_t) +auth_use_nsswitch(winbind_t) +auth_manage_cache(winbind_t) + +domain_use_interactive_fds(winbind_t) + +files_read_etc_files(winbind_t) +files_read_usr_symlinks(winbind_t) + +logging_send_syslog_msg(winbind_t) + +miscfiles_read_localization(winbind_t) + +userdom_dontaudit_use_unpriv_user_fds(winbind_t) +userdom_manage_user_home_content_dirs(winbind_t) +userdom_manage_user_home_content_files(winbind_t) 
+userdom_manage_user_home_content_symlinks(winbind_t) +userdom_manage_user_home_content_pipes(winbind_t) +userdom_manage_user_home_content_sockets(winbind_t) +userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) + +optional_policy(` + kerberos_use(winbind_t) +') + +optional_policy(` + seutil_sigchld_newrole(winbind_t) +') + +optional_policy(` + udev_read_db(winbind_t) +') + +######################################## +# +# Winbind helper local policy +# + +allow winbind_helper_t self:unix_dgram_socket create_socket_perms; +allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms; + +allow winbind_helper_t samba_etc_t:dir list_dir_perms; +read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t) +read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t) + +allow winbind_helper_t samba_var_t:dir search_dir_perms; +files_list_var_lib(winbind_helper_t) + +allow winbind_t smbcontrol_t:process signal; + +stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t) + +term_list_ptys(winbind_helper_t) + +domain_use_interactive_fds(winbind_helper_t) + +auth_use_nsswitch(winbind_helper_t) + +logging_send_syslog_msg(winbind_helper_t) + +miscfiles_read_localization(winbind_helper_t) + +userdom_use_user_terminals(winbind_helper_t) + +optional_policy(` + apache_append_log(winbind_helper_t) +') + +optional_policy(` + squid_read_log(winbind_helper_t) + squid_append_log(winbind_helper_t) + squid_rw_stream_sockets(winbind_helper_t) +') + +######################################## +# +# samba_unconfined_script_t local policy +# + +optional_policy(` + type samba_unconfined_net_t; + domain_type(samba_unconfined_net_t) + domain_entry_file(samba_unconfined_net_t, samba_net_exec_t) + role system_r types samba_unconfined_net_t; + + unconfined_domain(samba_unconfined_net_t) + + manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t) + 
filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file) + userdom_use_user_terminals(samba_unconfined_net_t) +') + + type samba_unconfined_script_t; + type samba_unconfined_script_exec_t; + domain_type(samba_unconfined_script_t) + domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t) + corecmd_shell_entry_type(samba_unconfined_script_t) + role system_r types samba_unconfined_script_t; + + allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; + allow smbd_t samba_unconfined_script_exec_t:file ioctl; + +optional_policy(` + unconfined_domain(samba_unconfined_script_t) +') + + tunable_policy(`samba_run_unconfined',` + domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) +',` + can_exec(smbd_t, samba_unconfined_script_exec_t) +') diff --git a/policy/modules/services/sasl.fc b/policy/modules/services/sasl.fc new file mode 100644 index 0000000..ff0ce69 --- /dev/null +++ b/policy/modules/services/sasl.fc @@ -0,0 +1,11 @@ +/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0) + +# +# /usr +# +/usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0) + +# +# /var +# +/var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if new file mode 100644 index 0000000..c3ffa9d --- /dev/null +++ b/policy/modules/services/sasl.if 
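Review bot: in the smbmount local policy block, `allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary?` together with `storage_raw_read_fixed_disk(smbmount_t)` and `storage_raw_write_fixed_disk(smbmount_t)` gives the mount helper raw write access to fixed disks; a FIXME is not enough justification for a grant of that size, so either cite the denial that required it or drop the raw write and sys_rawio until one is observed. Two smaller points in the same hunk: `corenet_tcp_connect_smbd_port(winbind_t)` appears twice in a row in the winbind block, and `allow winbind_t smbcontrol_t:process signal;` sits under the "Winbind helper local policy" heading although its subject is winbind_t, so it belongs with the other winbind_t rules. Finally, the samba_unconfined_script_t block puts `unconfined_domain(samba_unconfined_script_t)` in an unconditional optional_policy while only the transition from smbd_t is gated by the `samba_run_unconfined` tunable; a comment should make clear that the domain is unconfined whenever the unconfined module is present and that the tunable only decides whether smbd transitions into it.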
@@ -0,0 +1,58 @@ +## <summary>SASL authentication server</summary> + +######################################## +## <summary> +## Connect to SASL. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sasl_connect',` + gen_require(` + type saslauthd_t, saslauthd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t, saslauthd_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an sasl environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`sasl_admin',` + gen_require(` + type saslauthd_t, saslauthd_tmp_t, saslauthd_var_run_t; + type saslauthd_initrc_exec_t; + ') + + allow $1 saslauthd_t:process { ptrace signal_perms }; + ps_process_pattern($1, saslauthd_t) + + init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 saslauthd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, saslauthd_tmp_t) + + files_list_pids($1) + admin_pattern($1, saslauthd_var_run_t) +') diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te new file mode 100644 index 0000000..87810ec --- /dev/null +++ b/policy/modules/services/sasl.te 
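Review bot: the `sasl_admin` summary reads "an sasl environment"; "a SASL environment" is the intended wording. The same interface grants `allow $1 saslauthd_t:process { ptrace signal_perms };` on a daemon that handles credentials, which matches the other admin interfaces in this series but deserves a line in the summary so policy authors know what the role receives; it also adds `allow $2 system_r;` after `role_transition`, which the other admin interfaces in this series do not, so pick one convention.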
@@ -0,0 +1,114 @@ +policy_module(sasl, 1.13.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow sasl to read shadow +## </p> +## </desc> +gen_tunable(allow_saslauthd_read_shadow, false) + +type saslauthd_t; +type saslauthd_exec_t; +init_daemon_domain(saslauthd_t, saslauthd_exec_t) + +type saslauthd_initrc_exec_t; +init_script_file(saslauthd_initrc_exec_t) + +type saslauthd_tmp_t; +files_tmp_file(saslauthd_tmp_t) + +type saslauthd_var_run_t; +files_pid_file(saslauthd_var_run_t) + +######################################## +# +# Local policy +# + +allow saslauthd_t self:capability { setgid setuid }; +dontaudit saslauthd_t self:capability sys_tty_config; +allow saslauthd_t self:process signal_perms; +allow saslauthd_t self:fifo_file rw_fifo_file_perms; +allow saslauthd_t self:unix_dgram_socket create_socket_perms; +allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; +allow saslauthd_t self:tcp_socket create_socket_perms; + +allow saslauthd_t saslauthd_tmp_t:dir setattr; +manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t) +files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file) + +manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) +manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) +manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) +files_pid_filetrans(saslauthd_t, saslauthd_var_run_t, { file dir }) + +kernel_read_kernel_sysctls(saslauthd_t) +kernel_read_system_state(saslauthd_t) + +#577519 +corecmd_exec_bin(saslauthd_t) + +corenet_all_recvfrom_unlabeled(saslauthd_t) +corenet_all_recvfrom_netlabel(saslauthd_t) +corenet_tcp_sendrecv_generic_if(saslauthd_t) +corenet_tcp_sendrecv_generic_node(saslauthd_t) +corenet_tcp_sendrecv_all_ports(saslauthd_t) +corenet_tcp_connect_pop_port(saslauthd_t) +corenet_sendrecv_pop_client_packets(saslauthd_t) + +dev_read_urand(saslauthd_t) + +fs_getattr_all_fs(saslauthd_t) 
+fs_search_auto_mountpoints(saslauthd_t) + +selinux_compute_access_vector(saslauthd_t) + +auth_use_pam(saslauthd_t) + +domain_use_interactive_fds(saslauthd_t) + +files_read_etc_files(saslauthd_t) +files_dontaudit_read_etc_runtime_files(saslauthd_t) +files_search_var_lib(saslauthd_t) +files_dontaudit_getattr_home_dir(saslauthd_t) +files_dontaudit_getattr_tmp_dirs(saslauthd_t) + +init_dontaudit_stream_connect_script(saslauthd_t) + +logging_send_syslog_msg(saslauthd_t) + +miscfiles_read_localization(saslauthd_t) +miscfiles_read_generic_certs(saslauthd_t) + +seutil_dontaudit_read_config(saslauthd_t) + +userdom_dontaudit_use_unpriv_user_fds(saslauthd_t) +userdom_dontaudit_search_user_home_dirs(saslauthd_t) + +# cjp: typeattribute doesnt work in conditionals +auth_can_read_shadow_passwords(saslauthd_t) +tunable_policy(`allow_saslauthd_read_shadow',` + auth_tunable_read_shadow(saslauthd_t) +') + +optional_policy(` + kerberos_keytab_template(saslauthd, saslauthd_t) +') + +optional_policy(` + mysql_search_db(saslauthd_t) + mysql_stream_connect(saslauthd_t) +') + +optional_policy(` + seutil_sigchld_newrole(saslauthd_t) +') + +optional_policy(` + udev_read_db(saslauthd_t) +') diff --git a/policy/modules/services/sendmail.fc b/policy/modules/services/sendmail.fc new file mode 100644 index 0000000..ef4199b --- /dev/null +++ b/policy/modules/services/sendmail.fc @@ -0,0 +1,8 @@ + +/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0) + +/var/log/sendmail\.st -- gen_context(system_u:object_r:sendmail_log_t,s0) +/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) + +/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) +/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if new file mode 100644 index 0000000..5700fb8 --- /dev/null +++ b/policy/modules/services/sendmail.if 
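Review bot: the comment `#577519` above `corecmd_exec_bin(saslauthd_t)` is a bare number; say which tracker it refers to and what saslauthd needed to execute, otherwise the grant cannot be reviewed later. In the shadow block, `auth_can_read_shadow_passwords(saslauthd_t)` is applied unconditionally and only `auth_tunable_read_shadow(saslauthd_t)` sits inside `tunable_policy(`allow_saslauthd_read_shadow',...)`; the "cjp: typeattribute doesnt work in conditionals" note explains why, but the `<desc>` for the tunable should state that the attribute is always assigned and that the rule granting the read is the one behind the boolean, since that is what an administrator reading the boolean description needs to know.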
@@ -0,0 +1,358 @@ +## <summary>Policy for sendmail.</summary> + +######################################## +## <summary> +## Sendmail stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sendmail_stub',` + gen_require(` + type sendmail_t; + ') +') + +######################################## +## <summary> +## Allow attempts to read and write to +## sendmail unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sendmail_rw_pipes',` + gen_require(` + type sendmail_t; + ') + + allow $1 sendmail_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## <summary> +## Domain transition to sendmail. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`sendmail_domtrans',` + gen_require(` + type sendmail_t; + ') + + mta_sendmail_domtrans($1, sendmail_t) +') + +####################################### +## <summary> +## Execute sendmail in the sendmail domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sendmail_initrc_domtrans',` + gen_require(` + type sendmail_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, sendmail_initrc_exec_t) +') + +######################################## +## <summary> +## Execute the sendmail program in the sendmail domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the sendmail domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`sendmail_run',` + gen_require(` + type sendmail_t; + ') + + sendmail_domtrans($1) + role $2 types sendmail_t; +') + +######################################## +## <summary> +## Send generic signals to sendmail. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sendmail_signal',` + gen_require(` + type sendmail_t; + ') + + allow $1 sendmail_t:process signal; +') + +######################################## +## <summary> +## Read and write sendmail TCP sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sendmail_rw_tcp_sockets',` + gen_require(` + type sendmail_t; + ') + + allow $1 sendmail_t:tcp_socket { read write }; +') + +######################################## +## <summary> +## Do not audit attempts to read and write +## sendmail TCP sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`sendmail_dontaudit_rw_tcp_sockets',` + gen_require(` + type sendmail_t; + ') + + dontaudit $1 sendmail_t:tcp_socket { read write }; +') + +######################################## +## <summary> +## Read and write sendmail unix_stream_sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sendmail_rw_unix_stream_sockets',` + gen_require(` + type sendmail_t; + ') + + allow $1 sendmail_t:unix_stream_socket rw_socket_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read and write +## sendmail unix_stream_sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`sendmail_dontaudit_rw_unix_stream_sockets',` + gen_require(` + type sendmail_t; + ') + + dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms; +') + +######################################## +## <summary> +## Read sendmail logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`sendmail_read_log',` + gen_require(` + type sendmail_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, sendmail_log_t, sendmail_log_t) +') + +######################################## +## <summary> +## Create, read, write, and delete sendmail logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`sendmail_manage_log',` + gen_require(` + type sendmail_log_t; + ') + + logging_search_logs($1) + manage_files_pattern($1, sendmail_log_t, sendmail_log_t) +') + +######################################## +## <summary> +## Create sendmail logs with the correct type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sendmail_create_log',` + gen_require(` + type sendmail_log_t; + ') + + logging_log_filetrans($1, sendmail_log_t, file) +') + +######################################## +## <summary> +## Manage sendmail tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sendmail_manage_tmp_files',` + gen_require(` + type sendmail_tmp_t; + ') + + files_search_tmp($1) + manage_files_pattern($1, sendmail_tmp_t, sendmail_tmp_t) +') + +######################################## +## <summary> +## Execute sendmail in the unconfined sendmail domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`sendmail_domtrans_unconfined',` + gen_require(` + type unconfined_sendmail_t; + ') + + mta_sendmail_domtrans($1, unconfined_sendmail_t) +') + +######################################## +## <summary> +## Execute sendmail in the unconfined sendmail domain, and +## allow the specified role the unconfined sendmail domain, +## and use the caller's terminal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`sendmail_run_unconfined',` + gen_require(` + type unconfined_sendmail_t; + ') + + sendmail_domtrans_unconfined($1) + role $2 types unconfined_sendmail_t; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an sendmail environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`sendmail_admin',` + gen_require(` + type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t; + type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t; + type mail_spool_t; + ') + + allow $1 sendmail_t:process { ptrace signal_perms }; + ps_process_pattern($1, sendmail_t) + + allow $1 unconfined_sendmail_t:process { ptrace signal_perms }; + ps_process_pattern($1, unconfined_sendmail_t) + + sendmail_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 sendmail_initrc_exec_t system_r; + + logging_list_logs($1) + admin_pattern($1, sendmail_log_t) + + files_list_tmp($1) + admin_pattern($1, sendmail_tmp_t) + + files_list_pids($1) + admin_pattern($1, sendmail_var_run_t) + + files_list_spool($1) + admin_pattern($1, mail_spool_t) +') 
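Review bot: the summary of `sendmail_initrc_domtrans` says "Execute sendmail in the sendmail domain", but the body calls `init_labeled_script_domtrans($1, sendmail_initrc_exec_t)`, which transitions into the init script domain rather than sendmail_t; reword it to "Execute the sendmail init script in the init script domain" so it is not confused with `sendmail_domtrans`. Also `sendmail_admin` stops its role handling at `role_transition $2 sendmail_initrc_exec_t system_r;` while `sasl_admin` in this same series adds `allow $2 system_r;` after the equivalent line; the admin interfaces should agree. Minor: the separator above `sendmail_initrc_domtrans` is one `#` shorter than the others, and `sendmail_rw_tcp_sockets` spells out `{ read write }` where `sendmail_rw_unix_stream_sockets` uses `rw_socket_perms`.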
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te new file mode 100644 index 0000000..b6781d5 --- /dev/null +++ b/policy/modules/services/sendmail.te 
@@ -0,0 +1,198 @@ +policy_module(sendmail, 1.11.0) + +######################################## +# +# Declarations +# + +type sendmail_log_t; +logging_log_file(sendmail_log_t) + +type sendmail_tmp_t; +files_tmp_file(sendmail_tmp_t) + +type sendmail_var_run_t; +files_pid_file(sendmail_var_run_t) + +type sendmail_t; +mta_sendmail_mailserver(sendmail_t) +mta_mailserver_delivery(sendmail_t) +mta_mailserver_sender(sendmail_t) + +type sendmail_initrc_exec_t; +init_script_file(sendmail_initrc_exec_t) + +type unconfined_sendmail_t; +application_domain(unconfined_sendmail_t, sendmail_exec_t) +role system_r types unconfined_sendmail_t; + +######################################## +# +# Sendmail local policy +# + +allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; +allow sendmail_t self:process { setsched setpgid setrlimit signal signull }; +allow sendmail_t self:fifo_file rw_fifo_file_perms; +allow sendmail_t self:unix_stream_socket create_stream_socket_perms; +allow sendmail_t self:unix_dgram_socket create_socket_perms; +allow sendmail_t self:tcp_socket create_stream_socket_perms; +allow sendmail_t self:udp_socket create_socket_perms; + +allow sendmail_t sendmail_log_t:dir setattr; +manage_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) +logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir }) + +manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) +manage_files_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) +files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir }) + +allow sendmail_t sendmail_var_run_t:file manage_file_perms; +files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) + +kernel_read_network_state(sendmail_t) +kernel_read_kernel_sysctls(sendmail_t) +# for piping mail to a command +kernel_read_system_state(sendmail_t) + +corenet_all_recvfrom_unlabeled(sendmail_t) +corenet_all_recvfrom_netlabel(sendmail_t) +corenet_tcp_sendrecv_generic_if(sendmail_t) 
+corenet_tcp_sendrecv_generic_node(sendmail_t) +corenet_tcp_sendrecv_all_ports(sendmail_t) +corenet_tcp_bind_generic_node(sendmail_t) +corenet_tcp_bind_smtp_port(sendmail_t) +corenet_tcp_connect_all_ports(sendmail_t) +corenet_sendrecv_smtp_server_packets(sendmail_t) +corenet_sendrecv_smtp_client_packets(sendmail_t) + +dev_read_urand(sendmail_t) +dev_read_sysfs(sendmail_t) + +fs_getattr_all_fs(sendmail_t) +fs_search_auto_mountpoints(sendmail_t) +fs_rw_anon_inodefs_files(sendmail_t) + +term_dontaudit_use_console(sendmail_t) +term_dontaudit_use_generic_ptys(sendmail_t) + +# for piping mail to a command +corecmd_exec_shell(sendmail_t) +corecmd_exec_bin(sendmail_t) + +domain_use_interactive_fds(sendmail_t) + +files_read_etc_files(sendmail_t) +files_read_usr_files(sendmail_t) +files_search_spool(sendmail_t) +# for piping mail to a command +files_read_etc_runtime_files(sendmail_t) +files_read_all_tmp_files(sendmail_t) + +init_use_fds(sendmail_t) +init_use_script_ptys(sendmail_t) +# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console +init_read_utmp(sendmail_t) +init_dontaudit_write_utmp(sendmail_t) +init_rw_script_tmp_files(sendmail_t) + +auth_use_nsswitch(sendmail_t) + +# Read /usr/lib/sasl2/.* +libs_read_lib_files(sendmail_t) + +logging_send_syslog_msg(sendmail_t) +logging_dontaudit_write_generic_logs(sendmail_t) + +miscfiles_read_generic_certs(sendmail_t) +miscfiles_read_localization(sendmail_t) + +userdom_dontaudit_use_unpriv_user_fds(sendmail_t) +userdom_read_user_home_content_files(sendmail_t) + +mta_read_config(sendmail_t) +mta_etc_filetrans_aliases(sendmail_t) +# Write to /etc/aliases and /etc/mail. +mta_manage_aliases(sendmail_t) +# Write to /var/spool/mail and /var/spool/mqueue. 
+mta_manage_queue(sendmail_t) +mta_manage_spool(sendmail_t) +mta_sendmail_exec(sendmail_t) + +optional_policy(` + cron_read_pipes(sendmail_t) +') + +optional_policy(` + clamav_search_lib(sendmail_t) + clamav_stream_connect(sendmail_t) +') + +optional_policy(` + cyrus_stream_connect(sendmail_t) +') + +optional_policy(` + exim_domtrans(sendmail_t) +') + +optional_policy(` + fail2ban_read_lib_files(sendmail_t) + fail2ban_rw_stream_sockets(sendmail_t) +') + +optional_policy(` + kerberos_keytab_template(sendmail, sendmail_t) +') + +optional_policy(` + milter_stream_connect_all(sendmail_t) +') + +optional_policy(` + munin_dontaudit_search_lib(sendmail_t) +') + +optional_policy(` + postfix_domtrans_postdrop(sendmail_t) + postfix_domtrans_master(sendmail_t) + postfix_domtrans_postqueue(sendmail_t) + postfix_read_config(sendmail_t) + postfix_search_spool(sendmail_t) +') + +optional_policy(` + procmail_domtrans(sendmail_t) + procmail_rw_tmp_files(sendmail_t) +') + +optional_policy(` + seutil_sigchld_newrole(sendmail_t) +') + +optional_policy(` + sasl_connect(sendmail_t) +') + +optional_policy(` + spamd_stream_connect(sendmail_t) +') + +optional_policy(` + udev_read_db(sendmail_t) +') + +optional_policy(` + uucp_domtrans_uux(sendmail_t) +') + +######################################## +# +# Unconfined sendmail local policy +# Allow unconfined domain to run newalias and have transitions work +# + +optional_policy(` + mta_etc_filetrans_aliases(unconfined_sendmail_t) + unconfined_domain_noaudit(unconfined_sendmail_t) +') diff --git a/policy/modules/services/setroubleshoot.fc b/policy/modules/services/setroubleshoot.fc new file mode 100644 index 0000000..397a522 --- /dev/null +++ b/policy/modules/services/setroubleshoot.fc 
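Review bot: `application_domain(unconfined_sendmail_t, sendmail_exec_t)` in the Declarations block uses sendmail_exec_t, which this module never declares and does not pull in with a gen_require; if it is defined by the mta module, add the require or use an mta interface so the module builds on its own. The broad grants `corenet_tcp_connect_all_ports(sendmail_t)` and `files_read_all_tmp_files(sendmail_t)` carry no comment, unlike the neighbouring "# for piping mail to a command" rules; state what needs them. `allow sendmail_t self:capability { ... sys_tty_config }` is a plain allow here while saslauthd_t in this series uses `dontaudit ... sys_tty_config`; confirm the capability is really exercised. In the unconfined block comment, "newalias" presumably means newaliases.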
@@ -0,0 +1,9 @@ +/usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0) + +/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) + +/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) + +/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) + +/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if new file mode 100644 index 0000000..d9f5dbc --- /dev/null +++ b/policy/modules/services/setroubleshoot.if 
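Review bot: `/usr/share/setroubleshoot/SetroubleshootFixit\.py*` matches zero or more "y" after ".p", so it labels "SetroubleshootFixit.p" and ".py" but not ".pyc" or ".pyo"; if the compiled files are meant to be labeled too, use `\.py[co]?` (or `\.py.*` if anything after .py is acceptable), and if only the .py file is meant, drop the `*`.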
@@ -0,0 +1,154 @@ +## <summary>SELinux troubleshooting service</summary> + +######################################## +## <summary> +## Connect to setroubleshootd over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`setroubleshoot_stream_connect',` + gen_require(` + type setroubleshootd_t, setroubleshoot_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t) + allow $1 setroubleshoot_var_run_t:sock_file read; +') + +######################################## +## <summary> +## Dontaudit attempts to connect to setroubleshootd +## over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`setroubleshoot_dontaudit_stream_connect',` + gen_require(` + type setroubleshootd_t, setroubleshoot_var_run_t; + ') + + dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms; + dontaudit $1 setroubleshootd_t:unix_stream_socket connectto; +') + +######################################## +## <summary> +## Send and receive messages from +## setroubleshoot over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`setroubleshoot_dbus_chat',` + gen_require(` + type setroubleshootd_t; + class dbus send_msg; + ') + + allow $1 setroubleshootd_t:dbus send_msg; + allow setroubleshootd_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Do not audit send and receive messages from +## setroubleshoot over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`setroubleshoot_dontaudit_dbus_chat',` + gen_require(` + type setroubleshootd_t; + class dbus send_msg; + ') + + dontaudit $1 setroubleshootd_t:dbus send_msg; + dontaudit setroubleshootd_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Send and receive messages from +## setroubleshoot over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`setroubleshoot_dbus_chat_fixit',` + gen_require(` + type setroubleshoot_fixit_t; + class dbus send_msg; + ') + + allow $1 setroubleshoot_fixit_t:dbus send_msg; + allow setroubleshoot_fixit_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Dontaudit read/write to a setroubleshoot leaked sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`setroubleshoot_fixit_dontaudit_leaks',` + gen_require(` + type setroubleshoot_fixit_t; + ') + + dontaudit $1 setroubleshoot_fixit_t:unix_dgram_socket { read write }; + dontaudit $1 setroubleshoot_fixit_t:unix_stream_socket { read write }; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an setroubleshoot environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`setroubleshoot_admin',` + gen_require(` + type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t; + type setroubleshoot_var_lib_t; + ') + + allow $1 setroubleshootd_t:process { ptrace signal_perms }; + ps_process_pattern($1, setroubleshootd_t) + + logging_list_logs($1) + admin_pattern($1, setroubleshoot_var_log_t) + + files_list_var_lib($1) + admin_pattern($1, setroubleshoot_var_lib_t) + + files_list_pids($1) + admin_pattern($1, setroubleshoot_var_run_t) +') 
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te new file mode 100644 index 0000000..679558c --- /dev/null +++ b/policy/modules/services/setroubleshoot.te 
@@ -0,0 +1,194 @@ +policy_module(setroubleshoot, 1.11.0) + +######################################## +# +# Declarations +# + +type setroubleshootd_t alias setroubleshoot_t; +type setroubleshootd_exec_t; +domain_type(setroubleshootd_t) +init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) + +type setroubleshoot_fixit_t; +type setroubleshoot_fixit_exec_t; +dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) + +type setroubleshoot_var_lib_t; +files_type(setroubleshoot_var_lib_t) + +# log files +type setroubleshoot_var_log_t; +logging_log_file(setroubleshoot_var_log_t) + +# pid files +type setroubleshoot_var_run_t; +files_pid_file(setroubleshoot_var_run_t) + +######################################## +# +# setroubleshootd local policy +# + +allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; +allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; +# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run +allow setroubleshootd_t self:process { execmem execstack }; +allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; +allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; +allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow setroubleshootd_t self:unix_dgram_socket create_socket_perms; + +# database files +allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr; +manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t) +files_var_lib_filetrans(setroubleshootd_t, setroubleshoot_var_lib_t, { file dir }) + +# log files +allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr; +manage_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) +manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) +logging_log_filetrans(setroubleshootd_t, 
setroubleshoot_var_log_t, { file dir }) + +# pid file +manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) +manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) +manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) +files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir }) + +kernel_read_kernel_sysctls(setroubleshootd_t) +kernel_read_system_state(setroubleshootd_t) +kernel_read_net_sysctls(setroubleshootd_t) +kernel_read_network_state(setroubleshootd_t) +kernel_dontaudit_list_all_proc(setroubleshootd_t) +kernel_read_unlabeled_state(setroubleshootd_t) + +corecmd_exec_bin(setroubleshootd_t) +corecmd_exec_shell(setroubleshootd_t) + +corenet_all_recvfrom_unlabeled(setroubleshootd_t) +corenet_all_recvfrom_netlabel(setroubleshootd_t) +corenet_tcp_sendrecv_generic_if(setroubleshootd_t) +corenet_tcp_sendrecv_generic_node(setroubleshootd_t) +corenet_tcp_sendrecv_all_ports(setroubleshootd_t) +corenet_tcp_bind_generic_node(setroubleshootd_t) +corenet_tcp_connect_smtp_port(setroubleshootd_t) +corenet_sendrecv_smtp_client_packets(setroubleshootd_t) + +dev_read_urand(setroubleshootd_t) +dev_read_sysfs(setroubleshootd_t) +dev_getattr_all_blk_files(setroubleshootd_t) +dev_getattr_all_chr_files(setroubleshootd_t) + +domain_dontaudit_search_all_domains_state(setroubleshootd_t) +domain_signull_all_domains(setroubleshootd_t) + +files_read_usr_files(setroubleshootd_t) +files_read_etc_files(setroubleshootd_t) +files_list_all(setroubleshootd_t) +files_getattr_all_files(setroubleshootd_t) +files_getattr_all_pipes(setroubleshootd_t) +files_getattr_all_sockets(setroubleshootd_t) +files_read_all_symlinks(setroubleshootd_t) + +fs_getattr_all_dirs(setroubleshootd_t) +fs_getattr_all_files(setroubleshootd_t) +fs_read_fusefs_symlinks(setroubleshootd_t) +fs_list_inotifyfs(setroubleshootd_t) +fs_dontaudit_read_nfs_files(setroubleshootd_t) 
+fs_dontaudit_read_cifs_files(setroubleshootd_t) + +selinux_get_enforce_mode(setroubleshootd_t) +selinux_validate_context(setroubleshootd_t) + +term_dontaudit_use_all_ptys(setroubleshootd_t) +term_dontaudit_use_all_ttys(setroubleshootd_t) + +auth_use_nsswitch(setroubleshootd_t) + +init_read_utmp(setroubleshootd_t) +init_dontaudit_write_utmp(setroubleshootd_t) + +miscfiles_read_localization(setroubleshootd_t) + +locallogin_dontaudit_use_fds(setroubleshootd_t) + +logging_send_audit_msgs(setroubleshootd_t) +logging_send_syslog_msg(setroubleshootd_t) +logging_stream_connect_dispatcher(setroubleshootd_t) + +modutils_read_module_config(setroubleshootd_t) + +seutil_read_config(setroubleshootd_t) +seutil_read_file_contexts(setroubleshootd_t) +seutil_read_bin_policy(setroubleshootd_t) + +userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) + +optional_policy(` + locate_read_lib_files(setroubleshootd_t) +') + +optional_policy(` + dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) +') + +optional_policy(` + rpm_signull(setroubleshootd_t) + rpm_read_db(setroubleshootd_t) + rpm_dontaudit_manage_db(setroubleshootd_t) + rpm_use_script_fds(setroubleshootd_t) +') + +######################################## +# +# setroubleshoot_fixit local policy +# + +allow setroubleshoot_fixit_t self:capability sys_nice; +allow setroubleshoot_fixit_t self:process { setsched getsched }; +allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms; +allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms; + +allow setroubleshoot_fixit_t setroubleshootd_t:process signull; + +setroubleshoot_dbus_chat(setroubleshoot_fixit_t) +setroubleshoot_stream_connect(setroubleshoot_fixit_t) + +kernel_read_system_state(setroubleshoot_fixit_t) + +corecmd_exec_bin(setroubleshoot_fixit_t) +corecmd_exec_shell(setroubleshoot_fixit_t) + +seutil_domtrans_setfiles(setroubleshoot_fixit_t) +seutil_domtrans_setsebool(setroubleshoot_fixit_t) + 
+files_read_usr_files(setroubleshoot_fixit_t) +files_read_etc_files(setroubleshoot_fixit_t) +files_list_tmp(setroubleshoot_fixit_t) + +auth_use_nsswitch(setroubleshoot_fixit_t) + +logging_send_audit_msgs(setroubleshoot_fixit_t) +logging_send_syslog_msg(setroubleshoot_fixit_t) + +miscfiles_read_localization(setroubleshoot_fixit_t) + +userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t) +userdom_signull_unpriv_users(setroubleshoot_fixit_t) + +optional_policy(` + gnome_dontaudit_search_config(setroubleshoot_fixit_t) +') + +optional_policy(` + rpm_signull(setroubleshoot_fixit_t) + rpm_read_db(setroubleshoot_fixit_t) + rpm_dontaudit_manage_db(setroubleshoot_fixit_t) + rpm_use_script_fds(setroubleshoot_fixit_t) +') + +optional_policy(` + policykit_dbus_chat(setroubleshoot_fixit_t) + userdom_read_all_users_state(setroubleshoot_fixit_t) +') diff --git a/policy/modules/services/slrnpull.fc b/policy/modules/services/slrnpull.fc new file mode 100644 index 0000000..1714ce0 --- /dev/null +++ b/policy/modules/services/slrnpull.fc @@ -0,0 +1,10 @@ +# +# /usr +# + +/usr/bin/slrnpull -- gen_context(system_u:object_r:slrnpull_exec_t,s0) + +# +# /var +# +/var/spool/slrnpull(/.*)? gen_context(system_u:object_r:slrnpull_spool_t,s0) diff --git a/policy/modules/services/slrnpull.if b/policy/modules/services/slrnpull.if new file mode 100644 index 0000000..d7e8289 --- /dev/null +++ b/policy/modules/services/slrnpull.if 
@@ -0,0 +1,42 @@ +## <summary>Service for downloading news feeds the slrn newsreader.</summary> + +######################################## +## <summary> +## Allow the domain to search slrnpull spools. +## </summary> +## <param name="pty_type"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`slrnpull_search_spool',` + gen_require(` + type slrnpull_spool_t; + ') + + files_search_spool($1) + allow $1 slrnpull_spool_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Allow the domain to create, read, +## write, and delete slrnpull spools. +## </summary> +## <param name="pty_type"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`slrnpull_manage_spool',` + gen_require(` + type slrnpull_spool_t; + ') + + files_search_spool($1) + manage_dirs_pattern($1, slrnpull_spool_t, slrnpull_spool_t) + manage_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t) + manage_lnk_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t) +') diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te new file mode 100644 index 0000000..e5e72fd --- /dev/null +++ b/policy/modules/services/slrnpull.te 
@@ -0,0 +1,70 @@ +policy_module(slrnpull, 1.4.0) + +######################################## +# +# Declarations +# + +type slrnpull_t; +type slrnpull_exec_t; +init_daemon_domain(slrnpull_t, slrnpull_exec_t) + +type slrnpull_var_run_t; +files_pid_file(slrnpull_var_run_t) + +type slrnpull_spool_t; +files_type(slrnpull_spool_t) + +type slrnpull_log_t; +logging_log_file(slrnpull_log_t) + +######################################## +# +# Local policy +# + +dontaudit slrnpull_t self:capability sys_tty_config; +allow slrnpull_t self:process signal_perms; + +allow slrnpull_t slrnpull_log_t:file manage_file_perms; +logging_log_filetrans(slrnpull_t, slrnpull_log_t, file) + +manage_dirs_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t) +manage_files_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t) +manage_lnk_files_pattern(slrnpull_t, slrnpull_spool_t, slrnpull_spool_t) +files_search_spool(slrnpull_t) + +manage_files_pattern(slrnpull_t, slrnpull_var_run_t, slrnpull_var_run_t) +files_pid_filetrans(slrnpull_t, slrnpull_var_run_t, file) + +kernel_list_proc(slrnpull_t) +kernel_read_kernel_sysctls(slrnpull_t) +kernel_read_proc_symlinks(slrnpull_t) + +dev_read_sysfs(slrnpull_t) + +domain_use_interactive_fds(slrnpull_t) + +files_read_etc_files(slrnpull_t) + +fs_getattr_all_fs(slrnpull_t) +fs_search_auto_mountpoints(slrnpull_t) + +logging_send_syslog_msg(slrnpull_t) + +miscfiles_read_localization(slrnpull_t) + +userdom_dontaudit_use_unpriv_user_fds(slrnpull_t) +userdom_dontaudit_search_user_home_dirs(slrnpull_t) + +optional_policy(` + cron_system_entry(slrnpull_t, slrnpull_exec_t) +') + +optional_policy(` + seutil_sigchld_newrole(slrnpull_t) +') + +optional_policy(` + udev_read_db(slrnpull_t) +') diff --git a/policy/modules/services/smartmon.fc b/policy/modules/services/smartmon.fc new file mode 100644 index 0000000..268ae3d --- /dev/null +++ b/policy/modules/services/smartmon.fc 
@@ -0,0 +1,12 @@ +/etc/rc\.d/init\.d/smartd -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0) + +# +# /usr +# +/usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0) + +# +# /var +# +/var/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0) + diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if new file mode 100644 index 0000000..d5b2d93 --- /dev/null +++ b/policy/modules/services/smartmon.if @@ -0,0 +1,58 @@ +## <summary>Smart disk monitoring daemon policy</summary> + +####################################### +## <summary> +## Allow caller to read smartmon temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`smartmon_read_tmp_files',` + gen_require(` + type fsdaemon_tmp_t; + ') + + files_search_tmp($1) + allow $1 fsdaemon_tmp_t:file read_file_perms; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an smartmon environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`smartmon_admin',` + gen_require(` + type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t; + type fsdaemon_initrc_exec_t; + ') + + allow $1 fsdaemon_t:process { ptrace signal_perms }; + ps_process_pattern($1, fsdaemon_t) + + init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 fsdaemon_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, fsdaemon_tmp_t) + + files_list_pids($1) + admin_pattern($1, fsdaemon_var_run_t) +') diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te new file mode 100644 index 0000000..6f49778 --- /dev/null +++ b/policy/modules/services/smartmon.te 
@@ -0,0 +1,123 @@ +policy_module(smartmon, 1.10.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Enable additional permissions needed to support +## devices on 3ware controllers. +## </p> +## </desc> +gen_tunable(smartmon_3ware, false) + +type fsdaemon_t; +type fsdaemon_exec_t; +init_daemon_domain(fsdaemon_t, fsdaemon_exec_t) + +type fsdaemon_initrc_exec_t; +init_script_file(fsdaemon_initrc_exec_t) + +type fsdaemon_var_run_t; +files_pid_file(fsdaemon_var_run_t) + +type fsdaemon_tmp_t; +files_tmp_file(fsdaemon_tmp_t) + +ifdef(`enable_mls',` + init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, mls_systemhigh) +') + +######################################## +# +# Local policy +# + +allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin }; +dontaudit fsdaemon_t self:capability sys_tty_config; +allow fsdaemon_t self:process { getcap setcap signal_perms }; +allow fsdaemon_t self:fifo_file rw_fifo_file_perms; +allow fsdaemon_t self:unix_dgram_socket create_socket_perms; +allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms; +allow fsdaemon_t self:udp_socket create_socket_perms; +allow fsdaemon_t self:netlink_route_socket r_netlink_socket_perms; + +manage_dirs_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t) +manage_files_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t) +files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir }) + +manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t) +files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file) + +kernel_read_kernel_sysctls(fsdaemon_t) +kernel_read_software_raid_state(fsdaemon_t) +kernel_read_system_state(fsdaemon_t) + +corecmd_exec_all_executables(fsdaemon_t) + +corenet_all_recvfrom_unlabeled(fsdaemon_t) +corenet_all_recvfrom_netlabel(fsdaemon_t) +corenet_udp_sendrecv_generic_if(fsdaemon_t) +corenet_udp_sendrecv_generic_node(fsdaemon_t) +corenet_udp_sendrecv_all_ports(fsdaemon_t) + +dev_read_sysfs(fsdaemon_t) 
+dev_read_urand(fsdaemon_t) + +domain_use_interactive_fds(fsdaemon_t) + +files_exec_etc_files(fsdaemon_t) +files_read_etc_runtime_files(fsdaemon_t) +# for config +files_read_etc_files(fsdaemon_t) +files_read_usr_files(fsdaemon_t) + +fs_getattr_all_fs(fsdaemon_t) +fs_search_auto_mountpoints(fsdaemon_t) + +mls_file_read_all_levels(fsdaemon_t) +#mls_rangetrans_target(fsdaemon_t) + +storage_raw_read_fixed_disk(fsdaemon_t) +storage_raw_write_fixed_disk(fsdaemon_t) +storage_raw_read_removable_device(fsdaemon_t) +storage_read_scsi_generic(fsdaemon_t) +storage_write_scsi_generic(fsdaemon_t) + +term_dontaudit_search_ptys(fsdaemon_t) + +libs_exec_ld_so(fsdaemon_t) +libs_exec_lib_files(fsdaemon_t) + +logging_send_syslog_msg(fsdaemon_t) + +miscfiles_read_localization(fsdaemon_t) + +seutil_sigchld_newrole(fsdaemon_t) + +sysnet_dns_name_resolve(fsdaemon_t) + +userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t) +userdom_dontaudit_search_user_home_dirs(fsdaemon_t) + +tunable_policy(`smartmon_3ware',` + allow fsdaemon_t self:process setfscreate; + + storage_create_fixed_disk_dev(fsdaemon_t) + storage_delete_fixed_disk_dev(fsdaemon_t) + storage_dev_filetrans_fixed_disk(fsdaemon_t) + + selinux_validate_context(fsdaemon_t) + + seutil_read_file_contexts(fsdaemon_t) +') + +optional_policy(` + mta_send_mail(fsdaemon_t) +') + +optional_policy(` + udev_read_db(fsdaemon_t) +') diff --git a/policy/modules/services/smokeping.fc b/policy/modules/services/smokeping.fc new file mode 100644 index 0000000..9ff2d99 --- /dev/null +++ b/policy/modules/services/smokeping.fc 
@@ -0,0 +1,9 @@ +/etc/rc\.d/init\.d/smokeping -- gen_context(system_u:object_r:smokeping_initrc_exec_t,s0) + +/usr/sbin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0) + +/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0) + +/var/lib/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_lib_t,s0) + +/var/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0) diff --git a/policy/modules/services/smokeping.if b/policy/modules/services/smokeping.if new file mode 100644 index 0000000..8265278 --- /dev/null +++ b/policy/modules/services/smokeping.if 
@@ -0,0 +1,167 @@ +## <summary>Smokeping network latency measurement.</summary> + +######################################## +## <summary> +## Execute a domain transition to run smokeping. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`smokeping_domtrans',` + gen_require(` + type smokeping_t, smokeping_exec_t; + ') + + domtrans_pattern($1, smokeping_exec_t, smokeping_t) +') + +######################################## +## <summary> +## Execute smokeping server in the smokeping domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`smokeping_initrc_domtrans',` + gen_require(` + type smokeping_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, smokeping_initrc_exec_t) +') + +######################################## +## <summary> +## Read smokeping PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`smokeping_read_pid_files',` + gen_require(` + type smokeping_var_run_t; + ') + + files_search_pids($1) + allow $1 smokeping_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Manage smokeping PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`smokeping_manage_pid_files',` + gen_require(` + type smokeping_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, smokeping_var_run_t, smokeping_var_run_t) +') + +######################################## +## <summary> +## Get attributes of smokeping lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`smokeping_getattr_lib_files',` + gen_require(` + type smokeping_var_lib_t; + ') + + getattr_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) + files_search_var_lib($1) +') + +######################################## +## <summary> +## Read smokeping lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`smokeping_read_lib_files',` + gen_require(` + type smokeping_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) +') + +######################################## +## <summary> +## Manage smokeping lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`smokeping_manage_lib_files',` + gen_require(` + type smokeping_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## a smokeping environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`smokeping_admin',` + gen_require(` + type smokeping_t, smokeping_initrc_exec_t; + ') + + allow $1 smokeping_t:process { ptrace signal_perms }; + ps_process_pattern($1, smokeping_t) + + smokeping_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 smokeping_initrc_exec_t system_r; + allow $2 system_r; + + smokeping_manage_pid_files($1) + + smokeping_manage_lib_files($1) +') diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te new file mode 100644 index 0000000..247beaf --- /dev/null +++ b/policy/modules/services/smokeping.te 
@@ -0,0 +1,77 @@ +policy_module(smokeping, 1.0.0) + +######################################## +# +# Declarations +# + +type smokeping_t; +type smokeping_exec_t; +init_daemon_domain(smokeping_t, smokeping_exec_t) + +type smokeping_initrc_exec_t; +init_script_file(smokeping_initrc_exec_t) + +type smokeping_var_run_t; +files_pid_file(smokeping_var_run_t) + +type smokeping_var_lib_t; +files_type(smokeping_var_lib_t) + +######################################## +# +# smokeping local policy +# + +dontaudit smokeping_t self:capability { dac_read_search dac_override }; +allow smokeping_t self:fifo_file rw_fifo_file_perms; +allow smokeping_t self:udp_socket create_socket_perms; +allow smokeping_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t) +manage_files_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t) +files_pid_filetrans(smokeping_t, smokeping_var_run_t, { file dir }) + +manage_dirs_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t) +manage_files_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t) +files_var_lib_filetrans(smokeping_t, smokeping_var_lib_t, { file dir } ) + +corecmd_read_bin_symlinks(smokeping_t) + +dev_read_urand(smokeping_t) + +files_read_etc_files(smokeping_t) +files_read_usr_files(smokeping_t) +files_search_tmp(smokeping_t) + +auth_use_nsswitch(smokeping_t) +auth_dontaudit_read_shadow(smokeping_t) + +logging_send_syslog_msg(smokeping_t) + +miscfiles_read_localization(smokeping_t) + +mta_send_mail(smokeping_t) + +netutils_domtrans_ping(smokeping_t) + +####################################### +# +# local policy for smokeping cgi scripts +# + +optional_policy(` + apache_content_template(smokeping_cgi) + + allow httpd_smokeping_cgi_script_t self:udp_socket create_socket_perms; + + manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) + manage_files_pattern(httpd_smokeping_cgi_script_t, 
smokeping_var_lib_t, smokeping_var_lib_t) + + getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t) + + files_search_tmp(httpd_smokeping_cgi_script_t) + files_search_var_lib(httpd_smokeping_cgi_script_t) + + sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t) +') diff --git a/policy/modules/services/snmp.fc b/policy/modules/services/snmp.fc new file mode 100644 index 0000000..ac10740 --- /dev/null +++ b/policy/modules/services/snmp.fc @@ -0,0 +1,24 @@ +/etc/rc\.d/init\.d/snmpd -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/snmptrapd -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0) + +# +# /usr +# +/usr/sbin/snmp(trap)?d -- gen_context(system_u:object_r:snmpd_exec_t,s0) + +/usr/share/snmp/mibs/\.index -- gen_context(system_u:object_r:snmpd_var_lib_t,s0) + +# +# /var +# +/var/agentx(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) + +/var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) +/var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) + +/var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0) + +/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) + +/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) +/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if new file mode 100644 index 0000000..bfdf197 --- /dev/null +++ b/policy/modules/services/snmp.if 
@@ -0,0 +1,148 @@ +## <summary>Simple network management protocol services</summary> + +######################################## +## <summary> +## Connect to snmpd using a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`snmp_stream_connect',` + gen_require(` + type snmpd_t, snmpd_var_lib_t; + ') + + files_search_var_lib($1) + stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t) +') + +######################################## +## <summary> +## Use snmp over a TCP connection. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`snmp_tcp_connect',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Send and receive UDP traffic to SNMP (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`snmp_udp_chat',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Read snmpd libraries. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`snmp_read_snmp_var_lib_files',` + gen_require(` + type snmpd_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 snmpd_var_lib_t:dir list_dir_perms; + read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) + read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) +') + +######################################## +## <summary> +## dontaudit Read snmpd libraries. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`snmp_dontaudit_read_snmp_var_lib_files',` + gen_require(` + type snmpd_var_lib_t; + ') + + dontaudit $1 snmpd_var_lib_t:dir list_dir_perms; + dontaudit $1 snmpd_var_lib_t:file read_file_perms; + dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## dontaudit write snmpd libraries files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`snmp_dontaudit_write_snmp_var_lib_files',` + gen_require(` + type snmpd_var_lib_t; + ') + + dontaudit $1 snmpd_var_lib_t:file write; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an snmp environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the snmp domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`snmp_admin',` + gen_require(` + type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t; + type snmpd_var_lib_t, snmpd_var_run_t; + ') + + allow $1 snmpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, snmpd_t) + + init_labeled_script_domtrans($1, snmpd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 snmpd_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + admin_pattern($1, snmpd_log_t) + + files_list_var_lib($1) + admin_pattern($1, snmpd_var_lib_t) + + files_list_pids($1) + admin_pattern($1, snmpd_var_run_t) +') diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te new file mode 100644 index 0000000..0927db4 --- /dev/null +++ b/policy/modules/services/snmp.te 
@@ -0,0 +1,176 @@ +policy_module(snmp, 1.11.0) + +######################################## +# +# Declarations +# + +type snmpd_t; +type snmpd_exec_t; +init_daemon_domain(snmpd_t, snmpd_exec_t) + +type snmpd_initrc_exec_t; +init_script_file(snmpd_initrc_exec_t) + +type snmpd_log_t; +logging_log_file(snmpd_log_t) + +type snmpd_var_run_t; +files_pid_file(snmpd_var_run_t) + +type snmpd_var_lib_t; +files_type(snmpd_var_lib_t) + +######################################## +# +# Local policy +# + +allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config }; +dontaudit snmpd_t self:capability { sys_module sys_tty_config }; +allow snmpd_t self:process { signal_perms getsched setsched }; +allow snmpd_t self:fifo_file rw_fifo_file_perms; +allow snmpd_t self:unix_dgram_socket create_socket_perms; +allow snmpd_t self:unix_stream_socket create_stream_socket_perms; +allow snmpd_t self:tcp_socket create_stream_socket_perms; +allow snmpd_t self:udp_socket connected_stream_socket_perms; + +allow snmpd_t snmpd_log_t:file manage_file_perms; +logging_log_filetrans(snmpd_t, snmpd_log_t, file) + +manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) +manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) +manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) +files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file) +files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file }) +files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file) + +manage_dirs_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) +manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) +files_pid_filetrans(snmpd_t, snmpd_var_run_t, { file dir }) + +kernel_read_device_sysctls(snmpd_t) +kernel_read_kernel_sysctls(snmpd_t) +kernel_read_fs_sysctls(snmpd_t) +kernel_read_net_sysctls(snmpd_t) +kernel_read_proc_symlinks(snmpd_t) +kernel_read_system_state(snmpd_t) +kernel_read_network_state(snmpd_t) + 
+corecmd_exec_bin(snmpd_t) +corecmd_exec_shell(snmpd_t) + +corenet_all_recvfrom_unlabeled(snmpd_t) +corenet_all_recvfrom_netlabel(snmpd_t) +corenet_tcp_sendrecv_generic_if(snmpd_t) +corenet_udp_sendrecv_generic_if(snmpd_t) +corenet_tcp_sendrecv_generic_node(snmpd_t) +corenet_udp_sendrecv_generic_node(snmpd_t) +corenet_tcp_sendrecv_all_ports(snmpd_t) +corenet_udp_sendrecv_all_ports(snmpd_t) +corenet_tcp_bind_generic_node(snmpd_t) +corenet_udp_bind_generic_node(snmpd_t) +corenet_tcp_bind_snmp_port(snmpd_t) +corenet_udp_bind_snmp_port(snmpd_t) +corenet_sendrecv_snmp_server_packets(snmpd_t) +corenet_tcp_connect_agentx_port(snmpd_t) +corenet_tcp_bind_agentx_port(snmpd_t) +corenet_udp_bind_agentx_port(snmpd_t) + +dev_list_sysfs(snmpd_t) +dev_read_sysfs(snmpd_t) +dev_read_urand(snmpd_t) +dev_read_rand(snmpd_t) +dev_getattr_usbfs_dirs(snmpd_t) + +domain_use_interactive_fds(snmpd_t) +domain_signull_all_domains(snmpd_t) +domain_read_all_domains_state(snmpd_t) +domain_dontaudit_ptrace_all_domains(snmpd_t) +domain_exec_all_entry_files(snmpd_t) + +files_read_etc_files(snmpd_t) +files_read_usr_files(snmpd_t) +files_read_etc_runtime_files(snmpd_t) +files_search_home(snmpd_t) + +fs_getattr_all_dirs(snmpd_t) +fs_getattr_all_fs(snmpd_t) +fs_search_auto_mountpoints(snmpd_t) + +storage_dontaudit_read_fixed_disk(snmpd_t) +storage_dontaudit_read_removable_device(snmpd_t) +storage_dontaudit_write_removable_device(snmpd_t) + +auth_use_nsswitch(snmpd_t) +auth_read_all_dirs_except_shadow(snmpd_t) + +init_read_utmp(snmpd_t) +init_dontaudit_write_utmp(snmpd_t) + +logging_send_syslog_msg(snmpd_t) + +miscfiles_read_localization(snmpd_t) + +seutil_dontaudit_search_config(snmpd_t) + +sysnet_read_config(snmpd_t) + +userdom_dontaudit_use_unpriv_user_fds(snmpd_t) +userdom_dontaudit_search_user_home_dirs(snmpd_t) + +ifdef(`distro_redhat',` + optional_policy(` + rpm_read_db(snmpd_t) + rpm_dontaudit_manage_db(snmpd_t) + ') +') + +optional_policy(` + amanda_dontaudit_read_dumpdates(snmpd_t) +') + 
+optional_policy(` + consoletype_exec(snmpd_t) +') + +optional_policy(` + cups_read_rw_config(snmpd_t) +') + +optional_policy(` + mta_read_config(snmpd_t) + mta_search_queue(snmpd_t) +') + +optional_policy(` + rpc_search_nfs_state_data(snmpd_t) +') + +optional_policy(` + sendmail_read_log(snmpd_t) +') + +optional_policy(` + seutil_sigchld_newrole(snmpd_t) +') + +optional_policy(` + squid_read_config(snmpd_t) +') + +optional_policy(` + udev_read_db(snmpd_t) +') + +optional_policy(` + virt_stream_connect(snmpd_t) +') + +optional_policy(` + kernel_read_xen_state(snmpd_t) + kernel_write_xen_state(snmpd_t) + + xen_stream_connect(snmpd_t) + xen_stream_connect_xenstore(snmpd_t) +') diff --git a/policy/modules/services/snort.fc b/policy/modules/services/snort.fc new file mode 100644 index 0000000..7bedd2f --- /dev/null +++ b/policy/modules/services/snort.fc @@ -0,0 +1,9 @@ +/etc/rc\.d/init\.d/snortd -- gen_context(system_u:object_r:snort_initrc_exec_t,s0) +/etc/snort(/.*)? gen_context(system_u:object_r:snort_etc_t,s0) + +/usr/s?bin/snort -- gen_context(system_u:object_r:snort_exec_t,s0) +/usr/sbin/snort-plain -- gen_context(system_u:object_r:snort_exec_t,s0) + +/var/log/snort(/.*)? gen_context(system_u:object_r:snort_log_t,s0) + +/var/run/snort.* -- gen_context(system_u:object_r:snort_var_run_t,s0) diff --git a/policy/modules/services/snort.if b/policy/modules/services/snort.if new file mode 100644 index 0000000..88ebedb --- /dev/null +++ b/policy/modules/services/snort.if 
@@ -0,0 +1,60 @@ +## <summary>Snort network intrusion detection system</summary> + +######################################## +## <summary> +## Execute a domain transition to run snort. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`snort_domtrans',` + gen_require(` + type snort_t, snort_exec_t; + ') + + domtrans_pattern($1, snort_exec_t, snort_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an snort environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the snort domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`snort_admin',` + gen_require(` + type snort_t, snort_var_run_t, snort_log_t; + type snort_etc_t, snort_initrc_exec_t; + ') + + allow $1 snort_t:process { ptrace signal_perms }; + ps_process_pattern($1, snort_t) + + init_labeled_script_domtrans($1, snort_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 snort_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, snort_etc_t) + files_list_etc($1) + + admin_pattern($1, snort_log_t) + logging_list_logs($1) + + admin_pattern($1, snort_var_run_t) + files_list_pids($1) +') diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te new file mode 100644 index 0000000..012723c --- /dev/null +++ b/policy/modules/services/snort.te 
@@ -0,0 +1,117 @@ +policy_module(snort, 1.9.1) + +######################################## +# +# Declarations +# + +type snort_t; +type snort_exec_t; +init_daemon_domain(snort_t, snort_exec_t) + +type snort_etc_t; +files_config_file(snort_etc_t) + +type snort_initrc_exec_t; +init_script_file(snort_initrc_exec_t) + +type snort_log_t; +logging_log_file(snort_log_t) + +type snort_tmp_t; +files_tmp_file(snort_tmp_t) + +type snort_var_run_t; +files_pid_file(snort_var_run_t) + +######################################## +# +# Local policy +# + +allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; +dontaudit snort_t self:capability sys_tty_config; +allow snort_t self:process signal_perms; +allow snort_t self:netlink_route_socket create_netlink_socket_perms; +allow snort_t self:tcp_socket create_stream_socket_perms; +allow snort_t self:udp_socket create_socket_perms; +allow snort_t self:packet_socket create_socket_perms; +allow snort_t self:socket create_socket_perms; +# Snort IPS node. unverified. 
+allow snort_t self:netlink_firewall_socket create_socket_perms; + +allow snort_t snort_etc_t:dir list_dir_perms; +allow snort_t snort_etc_t:file read_file_perms; +allow snort_t snort_etc_t:lnk_file read_lnk_file_perms; + +manage_files_pattern(snort_t, snort_log_t, snort_log_t) +create_dirs_pattern(snort_t, snort_log_t, snort_log_t) +logging_log_filetrans(snort_t, snort_log_t, { file dir }) + +manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t) +manage_files_pattern(snort_t, snort_tmp_t, snort_tmp_t) +files_tmp_filetrans(snort_t, snort_tmp_t, { file dir }) + +manage_files_pattern(snort_t, snort_var_run_t, snort_var_run_t) +files_pid_filetrans(snort_t, snort_var_run_t, file) + +kernel_read_kernel_sysctls(snort_t) +kernel_read_sysctl(snort_t) +kernel_list_proc(snort_t) +kernel_read_proc_symlinks(snort_t) +kernel_request_load_module(snort_t) +kernel_dontaudit_read_system_state(snort_t) +kernel_read_network_state(snort_t) + +corenet_all_recvfrom_unlabeled(snort_t) +corenet_all_recvfrom_netlabel(snort_t) +corenet_tcp_sendrecv_generic_if(snort_t) +corenet_udp_sendrecv_generic_if(snort_t) +corenet_raw_sendrecv_generic_if(snort_t) +corenet_tcp_sendrecv_generic_node(snort_t) +corenet_udp_sendrecv_generic_node(snort_t) +corenet_raw_sendrecv_generic_node(snort_t) +corenet_tcp_sendrecv_all_ports(snort_t) +corenet_udp_sendrecv_all_ports(snort_t) +corenet_tcp_connect_prelude_port(snort_t) + +dev_read_sysfs(snort_t) +dev_read_rand(snort_t) +dev_read_urand(snort_t) +dev_read_usbmon_dev(snort_t) +# Red Hat bug 559861: Snort wants read, write, and ioctl on /dev/usbmon +# Snort uses libpcap, which can also monitor USB traffic. Maybe this is a side effect? 
+dev_rw_generic_usb_dev(snort_t) + +domain_use_interactive_fds(snort_t) + +files_read_etc_files(snort_t) +files_dontaudit_read_etc_runtime_files(snort_t) + +fs_getattr_all_fs(snort_t) +fs_search_auto_mountpoints(snort_t) + +init_read_utmp(snort_t) + +logging_send_syslog_msg(snort_t) + +miscfiles_read_localization(snort_t) + +sysnet_read_config(snort_t) +# snorts must be able to resolve dns in case it wants to relay to a remote prelude-manager +sysnet_dns_name_resolve(snort_t) + +userdom_dontaudit_use_unpriv_user_fds(snort_t) +userdom_dontaudit_search_user_home_dirs(snort_t) + +optional_policy(` + prelude_manage_spool(snort_t) +') + +optional_policy(` + seutil_sigchld_newrole(snort_t) +') + +optional_policy(` + udev_read_db(snort_t) +') diff --git a/policy/modules/services/soundserver.fc b/policy/modules/services/soundserver.fc new file mode 100644 index 0000000..d89b2cb --- /dev/null +++ b/policy/modules/services/soundserver.fc @@ -0,0 +1,13 @@ +/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) +/etc/rc\.d/init\.d/nasd -- gen_context(system_u:object_r:soundd_initrc_exec_t,s0) +/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) + +/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0) +/usr/bin/gpe-soundserver -- gen_context(system_u:object_r:soundd_exec_t,s0) + +/usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0) + +/var/run/nasd(/.*)? gen_context(system_u:object_r:soundd_var_run_t,s0) +/var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0) + +/var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0) diff --git a/policy/modules/services/soundserver.if b/policy/modules/services/soundserver.if new file mode 100644 index 0000000..4a15633 --- /dev/null +++ b/policy/modules/services/soundserver.if 
@@ -0,0 +1,56 @@ +## <summary>sound server for network audio server programs, nasd, yiff, etc</summary> + +######################################## +## <summary> +## Connect to the sound server over a TCP socket (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`soundserver_tcp_connect',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## All of the rules required to administrate +## an soundd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the soundd domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`soundserver_admin',` + gen_require(` + type soundd_t, soundd_etc_t, soundd_initrc_exec_t; + type soundd_tmp_t, soundd_var_run_t; + ') + + allow $1 soundd_t:process { ptrace signal_perms }; + ps_process_pattern($1, soundd_t) + + init_labeled_script_domtrans($1, soundd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 soundd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, soundd_etc_t) + + files_list_tmp($1) + admin_pattern($1, soundd_tmp_t) + + files_list_pids($1) + admin_pattern($1, soundd_var_run_t) +') diff --git a/policy/modules/services/soundserver.te b/policy/modules/services/soundserver.te new file mode 100644 index 0000000..3217605 --- /dev/null +++ b/policy/modules/services/soundserver.te 
@@ -0,0 +1,114 @@ +policy_module(soundserver, 1.8.0) + +######################################## +# +# Declarations +# + +type soundd_t; +type soundd_exec_t; +init_daemon_domain(soundd_t, soundd_exec_t) + +type soundd_etc_t alias etc_soundd_t; +files_config_file(soundd_etc_t) + +type soundd_initrc_exec_t; +init_script_file(soundd_initrc_exec_t) + +type soundd_state_t; +files_type(soundd_state_t) + +type soundd_tmp_t; +files_tmp_file(soundd_tmp_t) + +# for yiff - probably need some rules for the client support too +type soundd_tmpfs_t; +files_tmpfs_file(soundd_tmpfs_t) + +type soundd_var_run_t; +files_pid_file(soundd_var_run_t) + +######################################## +# +# Declarations +# + +allow soundd_t self:capability dac_override; +dontaudit soundd_t self:capability sys_tty_config; +allow soundd_t self:process { setpgid signal_perms }; +allow soundd_t self:tcp_socket create_stream_socket_perms; +allow soundd_t self:udp_socket create_socket_perms; +allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms }; + +# for yiff +allow soundd_t self:shm create_shm_perms; + +read_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t) +read_lnk_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t) + +manage_files_pattern(soundd_t, soundd_state_t, soundd_state_t) +manage_lnk_files_pattern(soundd_t, soundd_state_t, soundd_state_t) + +manage_dirs_pattern(soundd_t, soundd_tmp_t, soundd_tmp_t) +manage_files_pattern(soundd_t, soundd_tmp_t, soundd_tmp_t) +files_tmp_filetrans(soundd_t, soundd_tmp_t, { file dir }) + +manage_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) +manage_lnk_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) +manage_fifo_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) +manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) +fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) 
+manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) +manage_dirs_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) +files_pid_filetrans(soundd_t, soundd_var_run_t, { file dir }) + +kernel_read_kernel_sysctls(soundd_t) +kernel_list_proc(soundd_t) +kernel_read_proc_symlinks(soundd_t) + +corenet_all_recvfrom_unlabeled(soundd_t) +corenet_all_recvfrom_netlabel(soundd_t) +corenet_tcp_sendrecv_generic_if(soundd_t) +corenet_udp_sendrecv_generic_if(soundd_t) +corenet_tcp_sendrecv_generic_node(soundd_t) +corenet_udp_sendrecv_generic_node(soundd_t) +corenet_tcp_sendrecv_all_ports(soundd_t) +corenet_udp_sendrecv_all_ports(soundd_t) +corenet_tcp_bind_generic_node(soundd_t) +corenet_tcp_bind_soundd_port(soundd_t) +corenet_sendrecv_soundd_server_packets(soundd_t) + +dev_read_sysfs(soundd_t) +dev_read_sound(soundd_t) +dev_write_sound(soundd_t) + +domain_use_interactive_fds(soundd_t) + +files_read_etc_files(soundd_t) +files_read_etc_runtime_files(soundd_t) + +fs_getattr_all_fs(soundd_t) +fs_search_auto_mountpoints(soundd_t) + +logging_send_syslog_msg(soundd_t) + +miscfiles_read_localization(soundd_t) + +sysnet_read_config(soundd_t) + +userdom_dontaudit_use_unpriv_user_fds(soundd_t) +userdom_dontaudit_search_user_home_dirs(soundd_t) + +optional_policy(` + alsa_domtrans(soundd_t) +') + +optional_policy(` + seutil_sigchld_newrole(soundd_t) +') + +optional_policy(` + udev_read_db(soundd_t) +') diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc new file mode 100644 index 0000000..540981f --- /dev/null +++ b/policy/modules/services/spamassassin.fc 
@@ -0,0 +1,26 @@ +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) + +/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) + +/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) +/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0) +/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) +/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) + +/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) + +/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) +/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0) + +/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0) +/var/log/mimedefang -- gen_context(system_u:object_r:spamd_log_t,s0) + +/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) + +/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if new file mode 100644 index 0000000..7f57f22 --- /dev/null +++ b/policy/modules/services/spamassassin.if 
@@ -0,0 +1,341 @@ +## <summary>Filter used for removing unsolicited email.</summary> + +######################################## +## <summary> +## Role access for spamassassin +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +## <rolecap/> +# +interface(`spamassassin_role',` + gen_require(` + type spamc_t, spamc_exec_t, spamc_tmp_t; + type spamassassin_t, spamassassin_exec_t; + type spamassassin_home_t, spamassassin_tmp_t; + ') + + role $1 types { spamc_t spamassassin_t }; + + domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) + + allow $2 spamassassin_t:process { ptrace signal_perms }; + ps_process_pattern($2, spamassassin_t) + + domtrans_pattern($2, spamc_exec_t, spamc_t) + + allow $2 spamc_t:process { ptrace signal_perms }; + ps_process_pattern($2, spamc_t) + + manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) + manage_files_pattern($2, spamassassin_home_t, spamassassin_home_t) + manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t) + relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) + relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t) + relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t) +') + +######################################## +## <summary> +## Execute the standalone spamassassin +## program in the caller directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`spamassassin_exec',` + gen_require(` + type spamassassin_exec_t; + ') + + can_exec($1, spamassassin_exec_t) +') + +######################################## +## <summary> +## Singnal the spam assassin daemon +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`spamassassin_signal_spamd',` + gen_require(` + type spamd_t; + ') + + allow $1 spamd_t:process signal; +') + +######################################## +## <summary> +## Execute the spamassassin daemon +## program in the caller directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`spamassassin_exec_spamd',` + gen_require(` + type spamd_exec_t; + ') + + can_exec($1, spamd_exec_t) +') + +######################################## +## <summary> +## Execute spamassassin client in the spamassassin client domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`spamassassin_domtrans_client',` + gen_require(` + type spamc_t, spamc_exec_t; + ') + + domtrans_pattern($1, spamc_exec_t, spamc_t) + allow $1 spamc_exec_t:file ioctl; +') + +######################################## +## <summary> +## Send kill signal to spamassassin client +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`spamassassin_kill_client',` + gen_require(` + type spamc_t; + ') + + allow $1 spamc_t:process sigkill; +') + +######################################## +## <summary> +## Manage spamc home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`spamassassin_manage_home_client',` + gen_require(` + type spamc_home_t; + ') + + userdom_search_user_home_dirs($1) + manage_dirs_pattern($1, spamc_home_t, spamc_home_t) + manage_files_pattern($1, spamc_home_t, spamc_home_t) + manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t) +') + +######################################## +## <summary> +## Execute the spamassassin client +## program in the caller directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`spamassassin_exec_client',` + gen_require(` + type spamc_exec_t; + ') + + can_exec($1, spamc_exec_t) +') + +######################################## +## <summary> +## Execute spamassassin standalone client in the user spamassassin domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`spamassassin_domtrans_local_client',` + gen_require(` + type spamassassin_t, spamassassin_exec_t; + ') + + domtrans_pattern($1, spamassassin_exec_t, spamassassin_t) +') + +######################################## +## <summary> +## read spamd lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`spamassassin_read_lib_files',` + gen_require(` + type spamd_var_lib_t; + ') + + files_search_var_lib($1) + list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t) + read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) + read_lnk_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## spamd lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`spamassassin_manage_lib_files',` + gen_require(` + type spamd_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) +') + +######################################## +## <summary> +## Read temporary spamd file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`spamassassin_read_spamd_tmp_files',` + gen_require(` + type spamd_tmp_t; + ') + + files_search_tmp($1) + allow $1 spamd_tmp_t:file read_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to get attributes of temporary +## spamd sockets/ +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` + gen_require(` + type spamd_tmp_t; + ') + + dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms; +') + +######################################## +## <summary> +## Connect to run spamd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to connect. +## </summary> +## </param> +# +interface(`spamd_stream_connect',` + gen_require(` + type spamd_t, spamd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an spamassassin environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the spamassassin domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`spamassassin_spamd_admin',` + gen_require(` + type spamd_t, spamd_tmp_t, spamd_log_t; + type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t; + type spamd_initrc_exec_t; + ') + + allow $1 spamd_t:process { ptrace signal_perms }; + ps_process_pattern($1, spamd_t) + + init_labeled_script_domtrans($1, spamd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 spamd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, spamd_tmp_t) + + logging_list_logs($1) + admin_pattern($1, spamd_log_t) + + files_list_spool($1) + admin_pattern($1, spamd_spool_t) + + files_list_var_lib($1) + admin_pattern($1, spamd_var_lib_t) + + files_list_pids($1) + admin_pattern($1, spamd_var_run_t) +') diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te new file mode 100644 index 0000000..56e4c2e --- /dev/null +++ b/policy/modules/services/spamassassin.te 
@@ -0,0 +1,546 @@ +policy_module(spamassassin, 2.3.1) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow user spamassassin clients to use the network. +## </p> +## </desc> +gen_tunable(spamassassin_can_network, false) + +## <desc> +## <p> +## Allow spamd to read/write user home directories. +## </p> +## </desc> +gen_tunable(spamd_enable_home_dirs, true) + +ifdef(`distro_redhat',` + # spamassassin client executable + type spamc_t; + type spamc_exec_t; + application_domain(spamc_t, spamc_exec_t) + role system_r types spamc_t; + + type spamd_etc_t; + files_config_file(spamd_etc_t) + + typealias spamc_exec_t alias spamassassin_exec_t; + typealias spamc_t alias spamassassin_t; + + type spamc_home_t; + userdom_user_home_content(spamc_home_t) + typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; + typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; + typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t }; + typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t }; + + type spamc_tmp_t; + files_tmp_file(spamc_tmp_t) + typealias spamc_tmp_t alias spamassassin_tmp_t; + typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; + typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; + + typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; + typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; +',` + type spamassassin_t; + type spamassassin_exec_t; + typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t }; + typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t }; + application_domain(spamassassin_t, spamassassin_exec_t) + ubac_constrained(spamassassin_t) + + type 
spamassassin_home_t; + typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t }; + typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t }; + userdom_user_home_content(spamassassin_home_t) + + type spamassassin_tmp_t; + typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t }; + typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t }; + files_tmp_file(spamassassin_tmp_t) + ubac_constrained(spamassassin_tmp_t) + + type spamc_t; + type spamc_exec_t; + typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t }; + typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t }; + application_domain(spamc_t, spamc_exec_t) + ubac_constrained(spamc_t) + + type spamc_tmp_t; + typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; + typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; + files_tmp_file(spamc_tmp_t) + ubac_constrained(spamc_tmp_t) +') + +type spamd_t; +type spamd_exec_t; +init_daemon_domain(spamd_t, spamd_exec_t) + +type spamd_compiled_t; +files_type(spamd_compiled_t) + +type spamd_initrc_exec_t; +init_script_file(spamd_initrc_exec_t) + +type spamd_log_t; +logging_log_file(spamd_log_t) + +type spamd_spool_t; +files_type(spamd_spool_t) + +type spamd_tmp_t; +files_tmp_file(spamd_tmp_t) + +# var/lib files +type spamd_var_lib_t; +files_type(spamd_var_lib_t) + +type spamd_var_run_t; +files_pid_file(spamd_var_run_t) + +############################## +# +# Standalone program local policy +# + +allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow spamassassin_t self:fd use; +allow spamassassin_t self:fifo_file rw_fifo_file_perms; +allow spamassassin_t self:sock_file read_sock_file_perms; +allow spamassassin_t self:unix_dgram_socket 
create_socket_perms; +allow spamassassin_t self:unix_stream_socket create_stream_socket_perms; +allow spamassassin_t self:unix_dgram_socket sendto; +allow spamassassin_t self:unix_stream_socket connectto; +allow spamassassin_t self:shm create_shm_perms; +allow spamassassin_t self:sem create_sem_perms; +allow spamassassin_t self:msgq create_msgq_perms; +allow spamassassin_t self:msg { send receive }; + +manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) +manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) +manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) +manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) +manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) +userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) + +manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) +manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) +files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir }) + +manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) + +kernel_read_kernel_sysctls(spamassassin_t) + +dev_read_urand(spamassassin_t) + +fs_search_auto_mountpoints(spamassassin_t) +fs_getattr_all_fs(spamassassin_t) + +# this should probably be removed +corecmd_list_bin(spamassassin_t) +corecmd_read_bin_symlinks(spamassassin_t) +corecmd_read_bin_files(spamassassin_t) +corecmd_read_bin_pipes(spamassassin_t) 
+corecmd_read_bin_sockets(spamassassin_t) + +domain_use_interactive_fds(spamassassin_t) + +files_read_etc_files(spamassassin_t) +files_read_etc_runtime_files(spamassassin_t) +files_list_home(spamassassin_t) +files_read_usr_files(spamassassin_t) +files_dontaudit_search_var(spamassassin_t) + +logging_send_syslog_msg(spamassassin_t) + +miscfiles_read_localization(spamassassin_t) + +# cjp: this could probably be removed +seutil_read_config(spamassassin_t) + +sysnet_dns_name_resolve(spamassassin_t) + +# set tunable if you have spamassassin do DNS lookups +tunable_policy(`spamassassin_can_network',` + allow spamassassin_t self:tcp_socket create_stream_socket_perms; + allow spamassassin_t self:udp_socket create_socket_perms; + + corenet_all_recvfrom_unlabeled(spamassassin_t) + corenet_all_recvfrom_netlabel(spamassassin_t) + corenet_tcp_sendrecv_generic_if(spamassassin_t) + corenet_udp_sendrecv_generic_if(spamassassin_t) + corenet_tcp_sendrecv_generic_node(spamassassin_t) + corenet_udp_sendrecv_generic_node(spamassassin_t) + corenet_tcp_sendrecv_all_ports(spamassassin_t) + corenet_udp_sendrecv_all_ports(spamassassin_t) + corenet_tcp_connect_all_ports(spamassassin_t) + corenet_sendrecv_all_client_packets(spamassassin_t) + corenet_udp_bind_generic_node(spamassassin_t) + corenet_udp_bind_generic_port(spamassassin_t) + corenet_dontaudit_udp_bind_all_ports(spamassassin_t) + + sysnet_read_config(spamassassin_t) +') + +tunable_policy(`spamd_enable_home_dirs',` + userdom_manage_user_home_content_dirs(spamd_t) + userdom_manage_user_home_content_files(spamd_t) + userdom_manage_user_home_content_symlinks(spamd_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(spamassassin_t) + fs_manage_nfs_files(spamassassin_t) + fs_manage_nfs_symlinks(spamassassin_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(spamassassin_t) + fs_manage_cifs_files(spamassassin_t) + fs_manage_cifs_symlinks(spamassassin_t) +') + +optional_policy(` + # Write pid file and 
socket in ~/.evolution/cache/tmp + evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) +') + +optional_policy(` + tunable_policy(`spamassassin_can_network && allow_ypbind',` + nis_use_ypbind_uncond(spamassassin_t) + ') +') + +optional_policy(` + mta_read_config(spamassassin_t) + sendmail_stub(spamassassin_t) + sendmail_dontaudit_rw_unix_stream_sockets(spamassassin_t) + sendmail_dontaudit_rw_tcp_sockets(spamassassin_t) +') + +######################################## +# +# Client local policy +# + +allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow spamc_t self:fd use; +allow spamc_t self:fifo_file rw_fifo_file_perms; +allow spamc_t self:sock_file read_sock_file_perms; +allow spamc_t self:shm create_shm_perms; +allow spamc_t self:sem create_sem_perms; +allow spamc_t self:msgq create_msgq_perms; +allow spamc_t self:msg { send receive }; +allow spamc_t self:unix_dgram_socket create_socket_perms; +allow spamc_t self:unix_stream_socket create_stream_socket_perms; +allow spamc_t self:unix_dgram_socket sendto; +allow spamc_t self:unix_stream_socket connectto; +allow spamc_t self:tcp_socket create_stream_socket_perms; +allow spamc_t self:udp_socket create_socket_perms; + +can_exec(spamc_t, spamc_exec_t) + +manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) +manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) +files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) + +manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t) +manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t) +manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t) +manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t) +manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t) +userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file }) +userdom_append_user_home_content_files(spamc_t) + +list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) 
+read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) + +# Allow connecting to a local spamd +allow spamc_t spamd_t:unix_stream_socket connectto; +allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; +spamd_stream_connect(spamc_t) + +kernel_read_kernel_sysctls(spamc_t) +kernel_read_system_state(spamc_t) + +corenet_all_recvfrom_unlabeled(spamc_t) +corenet_all_recvfrom_netlabel(spamc_t) +corenet_tcp_sendrecv_generic_if(spamc_t) +corenet_udp_sendrecv_generic_if(spamc_t) +corenet_tcp_sendrecv_generic_node(spamc_t) +corenet_udp_sendrecv_generic_node(spamc_t) +corenet_tcp_sendrecv_all_ports(spamc_t) +corenet_udp_sendrecv_all_ports(spamc_t) +corenet_tcp_connect_all_ports(spamc_t) +corenet_sendrecv_all_client_packets(spamc_t) +corenet_tcp_connect_spamd_port(spamc_t) + +fs_search_auto_mountpoints(spamc_t) + +# cjp: these should probably be removed: +corecmd_list_bin(spamc_t) +corecmd_read_bin_symlinks(spamc_t) +corecmd_read_bin_files(spamc_t) +corecmd_read_bin_pipes(spamc_t) +corecmd_read_bin_sockets(spamc_t) + +domain_use_interactive_fds(spamc_t) + +files_read_etc_files(spamc_t) +files_read_etc_runtime_files(spamc_t) +files_read_usr_files(spamc_t) +files_dontaudit_search_var(spamc_t) +# cjp: this may be removable: +files_list_home(spamc_t) +files_list_var_lib(spamc_t) + +fs_search_auto_mountpoints(spamc_t) + +logging_send_syslog_msg(spamc_t) + +auth_use_nsswitch(spamc_t) + +miscfiles_read_localization(spamc_t) + +# cjp: this should probably be removed: +seutil_read_config(spamc_t) + +sysnet_read_config(spamc_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(spamc_t) + fs_manage_nfs_files(spamc_t) + fs_manage_nfs_symlinks(spamc_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(spamc_t) + fs_manage_cifs_files(spamc_t) + fs_manage_cifs_symlinks(spamc_t) +') + +optional_policy(` + # Allow connection to spamd socket above + evolution_stream_connect(spamc_t) +') + +optional_policy(` + milter_manage_spamass_state(spamc_t) +') + 
+optional_policy(` + postfix_domtrans_postdrop(spamc_t) + postfix_search_spool(spamc_t) + postfix_rw_local_pipes(spamc_t) +') + +optional_policy(` + mta_send_mail(spamc_t) + mta_read_config(spamc_t) + mta_read_queue(spamc_t) + sendmail_stub(spamc_t) + sendmail_rw_pipes(spamc_t) + sendmail_dontaudit_rw_tcp_sockets(spamc_t) +') + +######################################## +# +# Server local policy +# + +# Spamassassin, when run as root and using per-user config files, +# setuids to the user running spamc. Comment this if you are not +# using this ability. + +allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config }; +dontaudit spamd_t self:capability sys_tty_config; +allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow spamd_t self:fd use; +allow spamd_t self:fifo_file rw_fifo_file_perms; +allow spamd_t self:sock_file read_sock_file_perms; +allow spamd_t self:shm create_shm_perms; +allow spamd_t self:sem create_sem_perms; +allow spamd_t self:msgq create_msgq_perms; +allow spamd_t self:msg { send receive }; +allow spamd_t self:unix_dgram_socket create_socket_perms; +allow spamd_t self:unix_stream_socket create_stream_socket_perms; +allow spamd_t self:unix_dgram_socket sendto; +allow spamd_t self:unix_stream_socket connectto; +allow spamd_t self:tcp_socket create_stream_socket_perms; +allow spamd_t self:udp_socket create_socket_perms; + +can_exec(spamd_t, spamd_compiled_t) +manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) +manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) + +manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t) +logging_log_filetrans(spamd_t, spamd_log_t, file) + +manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) +manage_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) +manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) +files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) + 
+manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) +manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) +files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) + +# var/lib files for spamd +allow spamd_t spamd_var_lib_t:dir list_dir_perms; +manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) +manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) + +manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) + +can_exec(spamd_t, spamd_exec_t) + +kernel_read_all_sysctls(spamd_t) +kernel_read_system_state(spamd_t) + +corenet_all_recvfrom_unlabeled(spamd_t) +corenet_all_recvfrom_netlabel(spamd_t) +corenet_tcp_sendrecv_generic_if(spamd_t) +corenet_udp_sendrecv_generic_if(spamd_t) +corenet_tcp_sendrecv_generic_node(spamd_t) +corenet_udp_sendrecv_generic_node(spamd_t) +corenet_tcp_sendrecv_all_ports(spamd_t) +corenet_udp_sendrecv_all_ports(spamd_t) +corenet_tcp_bind_generic_node(spamd_t) +corenet_tcp_bind_spamd_port(spamd_t) +corenet_tcp_connect_razor_port(spamd_t) +corenet_tcp_connect_smtp_port(spamd_t) +corenet_sendrecv_razor_client_packets(spamd_t) +corenet_sendrecv_spamd_server_packets(spamd_t) +# spamassassin 3.1 needs this for its +# DnsResolver.pm module which binds to +# random ports >= 1024. 
+corenet_udp_bind_generic_node(spamd_t) +corenet_udp_bind_generic_port(spamd_t) +corenet_udp_bind_imaze_port(spamd_t) +corenet_dontaudit_udp_bind_all_ports(spamd_t) +corenet_sendrecv_imaze_server_packets(spamd_t) +corenet_sendrecv_generic_server_packets(spamd_t) + +dev_read_sysfs(spamd_t) +dev_read_urand(spamd_t) + +fs_getattr_all_fs(spamd_t) +fs_search_auto_mountpoints(spamd_t) + +auth_dontaudit_read_shadow(spamd_t) + +corecmd_exec_bin(spamd_t) + +domain_use_interactive_fds(spamd_t) + +files_read_usr_files(spamd_t) +files_read_etc_files(spamd_t) +files_read_etc_runtime_files(spamd_t) +# /var/lib/spamassin +files_read_var_lib_files(spamd_t) + +init_dontaudit_rw_utmp(spamd_t) + +auth_use_nsswitch(spamd_t) + +logging_send_syslog_msg(spamd_t) + +miscfiles_read_localization(spamd_t) + +userdom_use_unpriv_users_fds(spamd_t) +userdom_search_user_home_dirs(spamd_t) + +optional_policy(` + exim_manage_spool_dirs(spamd_t) + exim_manage_spool_files(spamd_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(spamd_t) + fs_manage_nfs_files(spamd_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(spamd_t) + fs_manage_cifs_files(spamd_t) +') + +optional_policy(` + amavis_manage_lib_files(spamd_t) +') + +optional_policy(` + cron_system_entry(spamd_t, spamd_exec_t) +') + +optional_policy(` + daemontools_service_domain(spamd_t, spamd_exec_t) +') + +optional_policy(` + dcc_domtrans_cdcc(spamd_t) + dcc_domtrans_client(spamd_t) + dcc_signal_client(spamd_t) + dcc_stream_connect_dccifd(spamd_t) +') + +optional_policy(` + milter_manage_spamass_state(spamd_t) +') + +optional_policy(` + mysql_tcp_connect(spamd_t) + mysql_search_db(spamd_t) + mysql_stream_connect(spamd_t) +') + +optional_policy(` + postfix_read_config(spamd_t) +') + +optional_policy(` + postgresql_tcp_connect(spamd_t) + postgresql_stream_connect(spamd_t) +') + +optional_policy(` + pyzor_domtrans(spamd_t) + pyzor_signal(spamd_t) +') + +optional_policy(` + razor_domtrans(spamd_t) + 
razor_read_lib_files(spamd_t) + tunable_policy(`spamd_enable_home_dirs',` + razor_manage_user_home_files(spamd_t) + ') +') + +optional_policy(` + seutil_sigchld_newrole(spamd_t) +') + +optional_policy(` + sendmail_stub(spamd_t) + mta_read_config(spamd_t) +') + +optional_policy(` + udev_read_db(spamd_t) +') diff --git a/policy/modules/services/speedtouch.fc b/policy/modules/services/speedtouch.fc new file mode 100644 index 0000000..9760d15 --- /dev/null +++ b/policy/modules/services/speedtouch.fc @@ -0,0 +1,2 @@ +/usr/sbin/speedmgmt -- gen_context(system_u:object_r:speedmgmt_exec_t,s0) + diff --git a/policy/modules/services/speedtouch.if b/policy/modules/services/speedtouch.if new file mode 100644 index 0000000..826e2db --- /dev/null +++ b/policy/modules/services/speedtouch.if @@ -0,0 +1 @@ +## <summary>Alcatel speedtouch USB ADSL modem</summary> diff --git a/policy/modules/services/speedtouch.te b/policy/modules/services/speedtouch.te new file mode 100644 index 0000000..ade10f5 --- /dev/null +++ b/policy/modules/services/speedtouch.te 
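Review bot: the client policy grants corenet_tcp_connect_all_ports(spamc_t) unconditionally, which makes the corenet_tcp_connect_spamd_port(spamc_t) rule two lines later dead and lets the client reach any TCP port, while the spamassassin_t side only gets that reach behind the spamassassin_can_network tunable; either gate the spamc_t grant the same way or drop it and keep only the spamd port rule. Smaller points in the same hunk: fs_search_auto_mountpoints(spamc_t) is listed twice; the server block both allows and dontaudits sys_tty_config for spamd_t (the dontaudit is redundant once the capability is allowed, pick one); the comment "# /var/lib/spamassin" misspells spamassassin; and the "# set tunable if you have spamassassin do DNS lookups" comment undersells what spamassassin_can_network actually opens (all TCP ports, not just DNS), so the tunable description should say so.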
@@ -0,0 +1,61 @@ +policy_module(speedtouch, 1.4.0) + +####################################### +# +# Rules for the speedmgmt_t domain. +# + +type speedmgmt_t; +type speedmgmt_exec_t; +init_daemon_domain(speedmgmt_t, speedmgmt_exec_t) + +type speedmgmt_tmp_t; +files_tmp_file(speedmgmt_tmp_t) + +type speedmgmt_var_run_t; +files_pid_file(speedmgmt_var_run_t) + +######################################## +# +# Local policy +# + +dontaudit speedmgmt_t self:capability sys_tty_config; +allow speedmgmt_t self:process signal_perms; + +manage_dirs_pattern(speedmgmt_t, speedmgmt_tmp_t, speedmgmt_tmp_t) +manage_files_pattern(speedmgmt_t, speedmgmt_tmp_t, speedmgmt_tmp_t) +files_tmp_filetrans(speedmgmt_t, speedmgmt_tmp_t, { file dir }) + +manage_files_pattern(speedmgmt_t, speedmgmt_var_run_t, speedmgmt_var_run_t) +files_pid_filetrans(speedmgmt_t, speedmgmt_var_run_t, file) + +kernel_read_kernel_sysctls(speedmgmt_t) +kernel_list_proc(speedmgmt_t) +kernel_read_proc_symlinks(speedmgmt_t) + +dev_read_sysfs(speedmgmt_t) +dev_read_usbfs(speedmgmt_t) + +domain_use_interactive_fds(speedmgmt_t) + +files_read_etc_files(speedmgmt_t) +files_read_usr_files(speedmgmt_t) + +fs_getattr_all_fs(speedmgmt_t) +fs_search_auto_mountpoints(speedmgmt_t) + +logging_send_syslog_msg(speedmgmt_t) + +miscfiles_read_localization(speedmgmt_t) + +userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t) +userdom_dontaudit_search_user_home_dirs(speedmgmt_t) + +optional_policy(` + seutil_sigchld_newrole(speedmgmt_t) +') + +optional_policy(` + udev_read_db(speedmgmt_t) +') diff --git a/policy/modules/services/squid.fc b/policy/modules/services/squid.fc new file mode 100644 index 0000000..6cc4a90 --- /dev/null +++ b/policy/modules/services/squid.fc 
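Review bot: speedtouch.if carries only the summary line, so no other module can signal or administer speedmgmt_t (compare squid_admin in squid.if, which also ships in this patch); at minimum an admin interface for the new types would keep the module consistent with the others here. Also note that speedtouch.fc labels only /usr/sbin/speedmgmt: the files_pid_filetrans(speedmgmt_t, speedmgmt_var_run_t, file) rule gives the pid file the right label at creation, but a full relabel will reset an existing pid file to the generic /var/run label, so an .fc entry for it is worth adding once the file name is known.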
@@ -0,0 +1,14 @@ +/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) +/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) + +/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) +/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) +/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0) +/usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) + +/var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +/var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0) +/var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0) +/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) +/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if new file mode 100644 index 0000000..1d0c078 --- /dev/null +++ b/policy/modules/services/squid.if 
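Review bot: /var/squidGuard(/.*)? and /var/log/squidGuard(/.*)? are labeled with squid's own types (squid_cache_t, squid_log_t), which hands squid_t full manage rights over squidGuard's data through the manage_*_pattern rules in squid.te; if sharing those types is intended, say so in a comment, otherwise squidGuard should get its own types. Style: the two cachemgr\.cgi entries can be collapsed into a single `/usr/lib(64)?/squid/cachemgr\.cgi` line.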
@@ -0,0 +1,231 @@ +## <summary>Squid caching http proxy server</summary> + +######################################## +## <summary> +## Execute squid in the squid domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`squid_domtrans',` + gen_require(` + type squid_t, squid_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, squid_exec_t, squid_t) +') + +######################################## +## <summary> +## Execute squid +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`squid_exec',` + gen_require(` + type squid_exec_t; + ') + + can_exec($1, squid_exec_t) +') + +######################################## +## <summary> +## Send generic signals to squid. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`squid_signal',` + gen_require(` + type squid_t; + ') + + allow $1 squid_t:process signal; +') + +######################################## +## <summary> +## Allow read and write squid +## unix domain stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`squid_rw_stream_sockets',` + gen_require(` + type squid_t; + ') + + allow $1 squid_t:unix_stream_socket rw_socket_perms; +') + +######################################## +## <summary> +## Do not audit attempts to search squid cache dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`squid_dontaudit_search_cache',` + gen_require(` + type squid_cache_t; + ') + + dontaudit $1 squid_cache_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Read squid configuration file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`squid_read_config',` + gen_require(` + type squid_conf_t; + ') + + files_search_etc($1) + read_files_pattern($1, squid_conf_t, squid_conf_t) +') + +######################################## +## <summary> +## Append squid logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`squid_read_log',` + gen_require(` + type squid_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, squid_log_t, squid_log_t) +') + +######################################## +## <summary> +## Append squid logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`squid_append_log',` + gen_require(` + type squid_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, squid_log_t, squid_log_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## squid logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`squid_manage_logs',` + gen_require(` + type squid_log_t; + ') + + logging_search_logs($1) + manage_files_pattern($1, squid_log_t, squid_log_t) +') + +######################################## +## <summary> +## Use squid services by connecting over TCP. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`squid_use',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## All of the rules required to administrate +## an squid environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the squid domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`squid_admin',` + gen_require(` + type squid_t, squid_cache_t, squid_conf_t; + type squid_log_t, squid_var_run_t, squid_initrc_exec_t; + ') + + allow $1 squid_t:process { ptrace signal_perms }; + ps_process_pattern($1, squid_t) + + init_labeled_script_domtrans($1, squid_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 squid_initrc_exec_t system_r; + allow $2 system_r; + + files_list_var($1) + admin_pattern($1, squid_cache_t) + + files_list_etc($1) + admin_pattern($1, squid_conf_t) + + logging_list_logs($1) + admin_pattern($1, squid_log_t) + + files_list_pids($1) + admin_pattern($1, squid_var_run_t) +') diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te new file mode 100644 index 0000000..744b172 --- /dev/null +++ b/policy/modules/services/squid.te 
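Review bot: the summary for squid_read_log says "Append squid logs." but the body uses read_files_pattern, so the generated documentation will describe the wrong access; it should read "Read squid logs." (the same summary is correct on squid_append_log directly below it). Minor: the squid_admin summary should say "a squid environment", and since squid_use is kept only to emit a deprecation warning, its summary could state what callers should use instead.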
@@ -0,0 +1,208 @@ +policy_module(squid, 1.10.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow squid to connect to all ports, not just +## HTTP, FTP, and Gopher ports. +## </p> +## </desc> +gen_tunable(squid_connect_any, false) + +## <desc> +## <p> +## Allow squid to run as a transparent proxy (TPROXY) +## </p> +## </desc> +gen_tunable(squid_use_tproxy, false) + +type squid_t; +type squid_exec_t; +init_daemon_domain(squid_t, squid_exec_t) + +# type for /var/cache/squid +type squid_cache_t; +files_type(squid_cache_t) + +type squid_conf_t; +files_type(squid_conf_t) + +type squid_initrc_exec_t; +init_script_file(squid_initrc_exec_t) + +type squid_log_t; +logging_log_file(squid_log_t) + +type squid_tmpfs_t; +files_tmpfs_file(squid_tmpfs_t) + +type squid_var_run_t; +files_pid_file(squid_var_run_t) + +######################################## +# +# Local policy +# + +allow squid_t self:capability { setgid kill setuid dac_override sys_resource }; +dontaudit squid_t self:capability sys_tty_config; +allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; +allow squid_t self:fifo_file rw_fifo_file_perms; +allow squid_t self:sock_file read_sock_file_perms; +allow squid_t self:fd use; +allow squid_t self:shm create_shm_perms; +allow squid_t self:sem create_sem_perms; +allow squid_t self:msgq create_msgq_perms; +allow squid_t self:msg { send receive }; +allow squid_t self:unix_stream_socket create_stream_socket_perms; +allow squid_t self:unix_dgram_socket create_socket_perms; +allow squid_t self:unix_dgram_socket sendto; +allow squid_t self:unix_stream_socket connectto; +allow squid_t self:tcp_socket create_stream_socket_perms; +allow squid_t self:udp_socket create_socket_perms; + +# Grant permissions to create, access, and delete cache files. 
+manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t) +manage_files_pattern(squid_t, squid_cache_t, squid_cache_t) +manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t) + +allow squid_t squid_conf_t:dir list_dir_perms; +read_files_pattern(squid_t, squid_conf_t, squid_conf_t) +read_lnk_files_pattern(squid_t, squid_conf_t, squid_conf_t) + +can_exec(squid_t, squid_exec_t) + +manage_dirs_pattern(squid_t, squid_log_t, squid_log_t) +manage_files_pattern(squid_t, squid_log_t, squid_log_t) +manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t) +logging_log_filetrans(squid_t, squid_log_t, { file dir }) + +#squid requires the following when run in diskd mode, the recommended setting +manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) +fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) + +manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t) +files_pid_filetrans(squid_t, squid_var_run_t, file) + +kernel_read_kernel_sysctls(squid_t) +kernel_read_system_state(squid_t) + +files_dontaudit_getattr_boot_dirs(squid_t) + +corenet_all_recvfrom_unlabeled(squid_t) +corenet_all_recvfrom_netlabel(squid_t) +corenet_tcp_sendrecv_generic_if(squid_t) +corenet_udp_sendrecv_generic_if(squid_t) +corenet_tcp_sendrecv_generic_node(squid_t) +corenet_udp_sendrecv_generic_node(squid_t) +corenet_tcp_sendrecv_all_ports(squid_t) +corenet_udp_sendrecv_all_ports(squid_t) +corenet_tcp_bind_generic_node(squid_t) +corenet_udp_bind_generic_node(squid_t) +corenet_tcp_bind_http_port(squid_t) +corenet_tcp_bind_http_cache_port(squid_t) +corenet_udp_bind_http_cache_port(squid_t) +corenet_tcp_bind_ftp_port(squid_t) +corenet_tcp_bind_gopher_port(squid_t) +corenet_udp_bind_gopher_port(squid_t) +corenet_tcp_bind_squid_port(squid_t) +corenet_udp_bind_squid_port(squid_t) +corenet_udp_bind_wccp_port(squid_t) +corenet_tcp_connect_ftp_port(squid_t) +corenet_tcp_connect_gopher_port(squid_t) +corenet_tcp_connect_http_port(squid_t) +corenet_tcp_connect_http_cache_port(squid_t) 
+corenet_tcp_connect_pgpkeyserver_port(squid_t) +corenet_sendrecv_ftp_client_packets(squid_t) +corenet_sendrecv_gopher_client_packets(squid_t) +corenet_sendrecv_http_client_packets(squid_t) +corenet_sendrecv_http_server_packets(squid_t) +corenet_sendrecv_http_cache_server_packets(squid_t) +corenet_sendrecv_http_cache_client_packets(squid_t) +corenet_sendrecv_pgpkeyserver_client_packets(squid_t) +corenet_sendrecv_squid_client_packets(squid_t) +corenet_sendrecv_squid_server_packets(squid_t) +corenet_sendrecv_wccp_server_packets(squid_t) + +dev_read_sysfs(squid_t) +dev_read_urand(squid_t) + +fs_getattr_all_fs(squid_t) +fs_search_auto_mountpoints(squid_t) +fs_list_inotifyfs(squid_t) + +selinux_dontaudit_getattr_dir(squid_t) + +term_dontaudit_getattr_pty_dirs(squid_t) + +# to allow running programs from /usr/lib/squid (IE unlinkd) +corecmd_exec_bin(squid_t) +corecmd_exec_shell(squid_t) + +domain_use_interactive_fds(squid_t) + +files_read_etc_files(squid_t) +files_read_etc_runtime_files(squid_t) +files_read_usr_files(squid_t) +files_search_spool(squid_t) +files_dontaudit_getattr_tmp_dirs(squid_t) +files_getattr_home_dir(squid_t) + +auth_use_nsswitch(squid_t) +auth_domtrans_chk_passwd(squid_t) + +# to allow running programs from /usr/lib/squid (IE unlinkd) +libs_exec_lib_files(squid_t) + +logging_send_syslog_msg(squid_t) + +miscfiles_read_generic_certs(squid_t) +miscfiles_read_localization(squid_t) + +userdom_use_unpriv_users_fds(squid_t) +userdom_dontaudit_search_user_home_dirs(squid_t) + +tunable_policy(`squid_connect_any',` + corenet_tcp_connect_all_ports(squid_t) + corenet_tcp_bind_all_ports(squid_t) + corenet_sendrecv_all_packets(squid_t) +') + +tunable_policy(`squid_use_tproxy',` + allow squid_t self:capability net_admin; + corenet_tcp_bind_netport_port(squid_t) +') + +optional_policy(` + apache_content_template(squid) + + allow httpd_squid_script_t self:tcp_socket create_socket_perms; + + corenet_all_recvfrom_unlabeled(httpd_squid_script_t) + 
corenet_all_recvfrom_netlabel(httpd_squid_script_t) + corenet_tcp_connect_http_cache_port(httpd_squid_script_t) + + sysnet_dns_name_resolve(httpd_squid_script_t) + + squid_read_config(httpd_squid_script_t) +') + +optional_policy(` + cron_system_entry(squid_t, squid_exec_t) +') + +optional_policy(` + samba_domtrans_winbind_helper(squid_t) +') + +optional_policy(` + seutil_sigchld_newrole(squid_t) +') + +optional_policy(` + udev_read_db(squid_t) +') diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc new file mode 100644 index 0000000..06da5f7 --- /dev/null +++ b/policy/modules/services/ssh.fc @@ -0,0 +1,25 @@ +HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) + +/var/lib/gitolite/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) + +/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0) + +/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) +/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) +/etc/ssh/ssh_host_dsa_key -- gen_context(system_u:object_r:sshd_key_t,s0) +/etc/ssh/ssh_host_rsa_key -- gen_context(system_u:object_r:sshd_key_t,s0) + +/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) +/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) +/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) + +/usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) + +/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) + +/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) +/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) + +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if new file mode 100644 index 0000000..784c363 
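Review bot: the squid_connect_any tunable is described as "Allow squid to connect to all ports", but its body also grants corenet_tcp_bind_all_ports(squid_t) and corenet_sendrecv_all_packets(squid_t); either the desc should say the tunable lets squid bind any port as well, or the bind rule should move out of this tunable so the description stays accurate. Likewise the squid_use_tproxy desc should mention that enabling it grants squid_t the net_admin capability, since that is a much broader grant than binding the netport port. auth_domtrans_chk_passwd(squid_t) is unconditional; a comment naming the authentication helper that needs it would help reviewers judge whether it belongs under an optional_policy block.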
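Review bot: only ssh_host_key, ssh_host_dsa_key and ssh_host_rsa_key are labeled sshd_key_t, so any other host key file in /etc/ssh (an ECDSA key, for instance) keeps the generic /etc label and is readable by every domain that can read etc files; a pattern such as `/etc/ssh/ssh_host_.*_key` would cover all of them. /etc/ssh/primes is not a private key, so labeling it sshd_key_t restricts the moduli file to key readers; a short comment explaining that choice would help.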
--- /dev/null +++ b/policy/modules/services/ssh.if 
@@ -0,0 +1,781 @@ +## <summary>Secure shell client and server policy.</summary> + +####################################### +## <summary> +## Basic SSH client template. +## </summary> +## <desc> +## <p> +## This template creates a derived domains which are used +## for ssh client sessions. A derived +## type is also created to protect the user ssh keys. +## </p> +## <p> +## This template was added for NX. +## </p> +## </desc> +## <param name="userdomain_prefix"> +## <summary> +## The prefix of the domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the domain. +## </summary> +## </param> +## <param name="user_role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +# +template(`ssh_basic_client_template',` + gen_require(` + attribute ssh_server; + type ssh_exec_t, sshd_key_t, sshd_tmp_t; + type ssh_home_t; + ') + + ############################## + # + # Declarations + # + + type $1_ssh_t; + application_domain($1_ssh_t, ssh_exec_t) + role $3 types $1_ssh_t; + + ############################## + # + # Client local policy + # + + allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search }; + allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1_ssh_t self:fd use; + allow $1_ssh_t self:fifo_file rw_fifo_file_perms; + allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto }; + allow $1_ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow $1_ssh_t self:shm create_shm_perms; + allow $1_ssh_t self:sem create_sem_perms; + allow $1_ssh_t self:msgq create_msgq_perms; + allow $1_ssh_t self:msg { send receive }; + allow $1_ssh_t self:tcp_socket create_stream_socket_perms; + + # for rsync + allow $1_ssh_t $2:unix_stream_socket rw_socket_perms; + allow $1_ssh_t $2:unix_stream_socket connectto; + + # Read the ssh key file. 
+ allow $1_ssh_t sshd_key_t:file read_file_perms; + + # Access the ssh temporary files. + allow $1_ssh_t sshd_tmp_t:dir manage_dir_perms; + allow $1_ssh_t sshd_tmp_t:file manage_file_perms; + files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir }) + + # Transition from the domain to the derived domain. + domtrans_pattern($2, ssh_exec_t, $1_ssh_t) + + # inheriting stream sockets is needed for "ssh host command" as no pty + # is allocated + # cjp: should probably fix target to be an attribute for ssh servers + # or "regular" (not special like sshd_extern_t) servers + allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms; + + # allow ps to show ssh + ps_process_pattern($2, $1_ssh_t) + + # user can manage the keys and config + manage_files_pattern($2, ssh_home_t, ssh_home_t) + manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t) + manage_sock_files_pattern($2, ssh_home_t, ssh_home_t) + + # ssh client can manage the keys and config + manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t) + read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t) + + # ssh servers can read the user keys and config + allow ssh_server ssh_home_t:dir list_dir_perms; + read_files_pattern(ssh_server, ssh_home_t, ssh_home_t) + read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t) + + kernel_read_kernel_sysctls($1_ssh_t) + kernel_read_system_state($1_ssh_t) + + corenet_all_recvfrom_unlabeled($1_ssh_t) + corenet_all_recvfrom_netlabel($1_ssh_t) + corenet_tcp_sendrecv_generic_if($1_ssh_t) + corenet_tcp_sendrecv_generic_node($1_ssh_t) + corenet_tcp_sendrecv_all_ports($1_ssh_t) + corenet_tcp_connect_ssh_port($1_ssh_t) + corenet_sendrecv_ssh_client_packets($1_ssh_t) + corenet_tcp_bind_generic_node($1_ssh_t) + corenet_tcp_bind_all_unreserved_ports($1_ssh_t) + + dev_read_urand($1_ssh_t) + + fs_getattr_all_fs($1_ssh_t) + fs_search_auto_mountpoints($1_ssh_t) + + # run helper programs - needed eg for x11-ssh-askpass + corecmd_exec_shell($1_ssh_t) + corecmd_exec_bin($1_ssh_t) + + 
domain_use_interactive_fds($1_ssh_t) + + files_list_home($1_ssh_t) + files_read_usr_files($1_ssh_t) + files_read_etc_runtime_files($1_ssh_t) + files_read_etc_files($1_ssh_t) + files_read_var_files($1_ssh_t) + + auth_use_nsswitch($1_ssh_t) + + logging_send_syslog_msg($1_ssh_t) + logging_read_generic_logs($1_ssh_t) + + miscfiles_read_localization($1_ssh_t) + + seutil_read_config($1_ssh_t) + + optional_policy(` + kerberos_use($1_ssh_t) + ') +') + +####################################### +## <summary> +## The template to define a ssh server. +## </summary> +## <desc> +## <p> +## This template creates a domains to be used for +## creating a ssh server. This is typically done +## to have multiple ssh servers of different sensitivities, +## such as for an internal network-facing ssh server, and +## a external network-facing ssh server. +## </p> +## </desc> +## <param name="userdomain_prefix"> +## <summary> +## The prefix of the server domain (e.g., sshd +## is the prefix for sshd_t). +## </summary> +## </param> +# +template(`ssh_server_template',` + type $1_t, ssh_server; + auth_login_pgm_domain($1_t) + + type $1_devpts_t; + term_login_pty($1_devpts_t) + + type $1_tmpfs_t; + files_tmpfs_file($1_tmpfs_t) + + type $1_var_run_t; + files_pid_file($1_var_run_t) + + allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; + allow $1_t self:fifo_file rw_fifo_file_perms; + allow $1_t self:process { signal getsched setsched setrlimit setexec }; + allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:udp_socket create_socket_perms; + # ssh agent connections: + allow $1_t self:unix_stream_socket create_stream_socket_perms; + allow $1_t self:shm create_shm_perms; + + allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom }; + term_create_pty($1_t, $1_devpts_t) + + manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + 
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file) + + allow $1_t $1_var_run_t:file manage_file_perms; + files_pid_filetrans($1_t, $1_var_run_t, file) + + can_exec($1_t, sshd_exec_t) + + # Access key files + allow $1_t sshd_key_t:file read_file_perms; + + kernel_read_kernel_sysctls($1_t) + kernel_read_network_state($1_t) + kernel_request_load_module(ssh_t) + + corenet_all_recvfrom_unlabeled($1_t) + corenet_all_recvfrom_netlabel($1_t) + corenet_tcp_sendrecv_generic_if($1_t) + corenet_udp_sendrecv_generic_if($1_t) + corenet_raw_sendrecv_generic_if($1_t) + corenet_tcp_sendrecv_generic_node($1_t) + corenet_udp_sendrecv_generic_node($1_t) + corenet_raw_sendrecv_generic_node($1_t) + corenet_udp_sendrecv_all_ports($1_t) + corenet_tcp_sendrecv_all_ports($1_t) + corenet_tcp_bind_generic_node($1_t) + corenet_udp_bind_generic_node($1_t) + corenet_tcp_bind_ssh_port($1_t) + corenet_sendrecv_ssh_server_packets($1_t) + # -R qualifier + corenet_sendrecv_ssh_server_packets($1_t) + # tunnel feature and -w (net_admin capability also) + corenet_rw_tun_tap_dev($1_t) + + fs_dontaudit_getattr_all_fs($1_t) + + auth_rw_login_records($1_t) + auth_rw_faillog($1_t) + + corecmd_read_bin_symlinks($1_t) + corecmd_getattr_bin_files($1_t) + # for sshd subsystems, such as sftp-server. 
+ corecmd_getattr_bin_files($1_t) + + domain_interactive_fd($1_t) + domain_dyntrans_type($1_t) + + files_read_etc_files($1_t) + files_read_etc_runtime_files($1_t) + files_read_usr_files($1_t) + + logging_search_logs($1_t) + + miscfiles_read_localization($1_t) + + userdom_dontaudit_relabelfrom_user_ptys($1_t) + userdom_read_user_home_content_files($1_t) + + # Allow checking users mail at login + mta_getattr_spool($1_t) + + tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files($1_t) + fs_read_nfs_symlinks($1_t) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files($1_t) + ') + + optional_policy(` + kerberos_use($1_t) + kerberos_manage_host_rcache($1_t) + ') + + optional_policy(` + files_read_var_lib_symlinks($1_t) + nx_spec_domtrans_server($1_t) + ') + + optional_policy(` + rlogin_read_home_content($1_t) + ') + + optional_policy(` + shutdown_getattr_exec_files($1_t) + ') +') + +######################################## +## <summary> +## Role access for ssh +## </summary> +## <param name="role_prefix"> +## <summary> +## The prefix of the role (e.g., user +## is the prefix for user_r). +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +## <rolecap/> +# +template(`ssh_role_template',` + gen_require(` + attribute ssh_server, ssh_agent_type; + type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t; + type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t; + type ssh_agent_tmp_t; + ') + + ############################## + # + # Declarations + # + + role $2 types ssh_t; + + type $1_ssh_agent_t, ssh_agent_type; + application_domain($1_ssh_agent_t, ssh_agent_exec_t) + domain_interactive_fd($1_ssh_agent_t) + ubac_constrained($1_ssh_agent_t) + role $2 types $1_ssh_agent_t; + + ############################## + # + # Local policy + # + + # Transition from the domain to the derived domain. 
+ domtrans_pattern($3, ssh_exec_t, ssh_t) + + # inheriting stream sockets is needed for "ssh host command" as no pty + # is allocated + allow $3 ssh_server:unix_stream_socket rw_stream_socket_perms; + + # allow ps to show ssh + ps_process_pattern($3, ssh_t) + allow $3 ssh_t:process { ptrace signal_perms }; + + # for rsync + allow ssh_t $3:unix_stream_socket rw_socket_perms; + allow ssh_t $3:unix_stream_socket connectto; + + # user can manage the keys and config + manage_files_pattern($3, ssh_home_t, ssh_home_t) + manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) + manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) + userdom_search_user_home_dirs($1_t) + userdom_manage_tmp_role($2, ssh_t) + + ############################## + # + # SSH agent local policy + # + + allow $1_ssh_agent_t self:process setrlimit; + allow $1_ssh_agent_t self:capability setgid; + + allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull; + + allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; + + manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t) + manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t) + files_tmp_filetrans($1_ssh_agent_t, ssh_agent_tmp_t, { dir sock_file }) + + # for ssh-add + stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) + + # Allow the user shell to signal the ssh program. 
+ allow $3 $1_ssh_agent_t:process { ptrace signal_perms }; + + # allow ps to show ssh + ps_process_pattern($3, $1_ssh_agent_t) + + domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t) + + kernel_read_kernel_sysctls($1_ssh_agent_t) + + dev_read_urand($1_ssh_agent_t) + dev_read_rand($1_ssh_agent_t) + + fs_search_auto_mountpoints($1_ssh_agent_t) + + # transition back to normal privs upon exec + corecmd_shell_domtrans($1_ssh_agent_t, $3) + corecmd_bin_domtrans($1_ssh_agent_t, $3) + + domain_use_interactive_fds($1_ssh_agent_t) + + files_read_etc_files($1_ssh_agent_t) + files_read_etc_runtime_files($1_ssh_agent_t) + + libs_read_lib_files($1_ssh_agent_t) + + logging_send_syslog_msg($1_ssh_agent_t) + + miscfiles_read_localization($1_ssh_agent_t) + miscfiles_read_generic_certs($1_ssh_agent_t) + + seutil_dontaudit_read_config($1_ssh_agent_t) + + # Write to the user domain tty. + userdom_use_user_terminals($1_ssh_agent_t) + + # for the transition back to normal privs upon exec + userdom_search_user_home_content($1_ssh_agent_t) + userdom_user_home_domtrans($1_ssh_agent_t, $3) + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files($1_ssh_agent_t) + + # transition back to normal privs upon exec + fs_nfs_domtrans($1_ssh_agent_t, $3) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files($1_ssh_agent_t) + + # transition back to normal privs upon exec + fs_cifs_domtrans($1_ssh_agent_t, $3) + ') + + optional_policy(` + nis_use_ypbind($1_ssh_agent_t) + ') + + optional_policy(` + xserver_use_xdm_fds($1_ssh_agent_t) + xserver_rw_xdm_pipes($1_ssh_agent_t) + ') +') + +######################################## +## <summary> +## Send a SIGCHLD signal to the ssh server. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`ssh_sigchld',` + gen_require(` + type sshd_t; + ') + + allow $1 sshd_t:process sigchld; +') + +######################################## +## <summary> +## Send a generic signal to the ssh server. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ssh_signal',` + gen_require(` + type sshd_t; + ') + + allow $1 sshd_t:process signal; +') + +######################################## +## <summary> +## Read a ssh server unnamed pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ssh_read_pipes',` + gen_require(` + type sshd_t; + ') + + allow $1 sshd_t:fifo_file read_fifo_file_perms; +') + +######################################## +## <summary> +## Read and write a ssh server unnamed pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ssh_rw_pipes',` + gen_require(` + type sshd_t; + ') + + allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## <summary> +## Read and write ssh server unix domain stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ssh_rw_stream_sockets',` + gen_require(` + type sshd_t; + ') + + allow $1 sshd_t:unix_stream_socket rw_stream_socket_perms; +') + +######################################## +## <summary> +## Read and write ssh server TCP sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ssh_rw_tcp_sockets',` + gen_require(` + type sshd_t; + ') + + allow $1 sshd_t:tcp_socket rw_stream_socket_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read and write +## ssh server TCP sockets. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`ssh_dontaudit_rw_tcp_sockets',` + gen_require(` + type sshd_t; + ') + + dontaudit $1 sshd_t:tcp_socket { read write }; +') + +######################################## +## <summary> +## Connect to SSH daemons over TCP sockets. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ssh_tcp_connect',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Execute the ssh daemon sshd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ssh_domtrans',` + gen_require(` + type sshd_t, sshd_exec_t; + ') + + domtrans_pattern($1, sshd_exec_t, sshd_t) +') + +######################################## +## <summary> +## Execute sshd server in the sshd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ssh_initrc_domtrans',` + gen_require(` + type sshd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, sshd_initrc_exec_t) +') + +######################################## +## <summary> +## Execute the ssh client in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ssh_exec',` + gen_require(` + type ssh_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, ssh_exec_t) +') + +######################################## +## <summary> +## Set the attributes of sshd key files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`ssh_setattr_key_files',` + gen_require(` + type sshd_key_t; + ') + + allow $1 sshd_key_t:file setattr_file_perms; + files_search_pids($1) +') + +######################################## +## <summary> +## Execute the ssh agent client in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ssh_agent_exec',` + gen_require(` + type ssh_agent_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, ssh_agent_exec_t) +') + +######################################## +## <summary> +## Read ssh home directory content +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ssh_read_user_home_files',` + gen_require(` + type ssh_home_t; + ') + + allow $1 ssh_home_t:dir list_dir_perms; + read_files_pattern($1, ssh_home_t, ssh_home_t) + read_lnk_files_pattern($1, ssh_home_t, ssh_home_t) + userdom_search_user_home_dirs($1) +') + +######################################## +## <summary> +## Execute the ssh key generator in the ssh keygen domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ssh_domtrans_keygen',` + gen_require(` + type ssh_keygen_t, ssh_keygen_exec_t; + ') + + domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t) +') + +######################################## +## <summary> +## Read ssh server keys +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`ssh_dontaudit_read_server_keys',` + gen_require(` + type sshd_key_t; + ') + + dontaudit $1 sshd_key_t:file read_file_perms; +') + +###################################### +## <summary> +## Manage ssh home directory content +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`ssh_manage_home_files',` + gen_require(` + type ssh_home_t; + ') + + manage_files_pattern($1, ssh_home_t, ssh_home_t) + userdom_search_user_home_dirs($1) +') + +####################################### +## <summary> +## Delete from the ssh temp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ssh_delete_tmp',` + gen_require(` + type sshd_tmp_t; + ') + + files_search_tmp($1) + delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) +') + +######################################## +## <summary> +## Send a null signal to sshd processes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ssh_signull',` + gen_require(` + type sshd_t; + ') + + allow $1 sshd_t:process signull; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te new file mode 100644 index 0000000..c7efe5d --- /dev/null +++ b/policy/modules/services/ssh.te 
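Review bot: in ssh_server_template (ssh.if) the line `kernel_request_load_module(ssh_t)` names the client domain instead of the template parameter; every other rule in the template targets `$1_t`, so it should read `kernel_request_load_module($1_t)`, otherwise the server template grants module-load requests to ssh_t and the instantiated server domain gets none. The same template lists `corenet_sendrecv_ssh_server_packets($1_t)` twice (the repeat is under the `# -R qualifier` comment) and `corecmd_getattr_bin_files($1_t)` twice around the `# for sshd subsystems` comment; drop the duplicates. In ssh_role_template the user domain is `$3`, so `userdom_search_user_home_dirs($1_t)` is inconsistent with the surrounding `manage_files_pattern($3, ssh_home_t, ssh_home_t)` rules and should be `userdom_search_user_home_dirs($3)`; its gen_require also lists `ssh_tmpfs_t` twice. Further down, `ssh_setattr_key_files` calls `files_search_pids($1)` although ssh.te creates the keys with `files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)`, so `files_search_etc($1)` is the matching search rule, and the summary of `ssh_dontaudit_read_server_keys` says "Read ssh server keys" while the body is a dontaudit; the summary should say "Do not audit attempts to read ssh server keys".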
@@ -0,0 +1,433 @@ +policy_module(ssh, 2.2.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## allow host key based authentication +## </p> +## </desc> +gen_tunable(allow_ssh_keysign, false) + +## <desc> +## <p> +## Allow ssh logins as sysadm_r:sysadm_t +## </p> +## </desc> +gen_tunable(ssh_sysadm_login, false) + +## <desc> +## <p> +## allow sshd to forward port connections +## </p> +## </desc> +gen_tunable(sshd_forward_ports, false) + +attribute ssh_server; +attribute ssh_agent_type; + +type ssh_keygen_t; +type ssh_keygen_exec_t; +init_system_domain(ssh_keygen_t, ssh_keygen_exec_t) + +type sshd_exec_t; +corecmd_executable_file(sshd_exec_t) + +ssh_server_template(sshd) +init_daemon_domain(sshd_t, sshd_exec_t) + +type sshd_initrc_exec_t; +init_script_file(sshd_initrc_exec_t) + +type sshd_key_t; +files_type(sshd_key_t) + +type ssh_t; +type ssh_exec_t; +typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t }; +typealias ssh_t alias { auditadm_ssh_t secadm_ssh_t }; +application_domain(ssh_t, ssh_exec_t) +ubac_constrained(ssh_t) + +type ssh_agent_exec_t; +corecmd_executable_file(ssh_agent_exec_t) + +type ssh_agent_tmp_t; +typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t }; +typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t }; +files_tmp_file(ssh_agent_tmp_t) +ubac_constrained(ssh_agent_tmp_t) + +type ssh_keysign_t; +type ssh_keysign_exec_t; +typealias ssh_keysign_t alias { user_ssh_keysign_t staff_ssh_keysign_t sysadm_ssh_keysign_t }; +typealias ssh_keysign_t alias { auditadm_ssh_keysign_t secadm_ssh_keysign_t }; +application_domain(ssh_keysign_t, ssh_keysign_exec_t) +ubac_constrained(ssh_keysign_t) + +type ssh_tmpfs_t; +typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t }; +typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t }; +files_tmpfs_file(ssh_tmpfs_t) +ubac_constrained(ssh_tmpfs_t) + 
+type ssh_home_t; +typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; +typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; +userdom_user_home_content(ssh_home_t) + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) +') + +############################## +# +# SSH client local policy +# + +allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; +allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow ssh_t self:fd use; +allow ssh_t self:fifo_file rw_fifo_file_perms; +allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; +allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow ssh_t self:shm create_shm_perms; +allow ssh_t self:sem create_sem_perms; +allow ssh_t self:msgq create_msgq_perms; +allow ssh_t self:msg { send receive }; +allow ssh_t self:tcp_socket create_stream_socket_perms; + +# Read the ssh key file. +allow ssh_t sshd_key_t:file read_file_perms; + +manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) +manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) +manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) +manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) +fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) +manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) +userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) +userdom_stream_connect(ssh_t) + +# Allow the ssh program to communicate with ssh-agent. 
+stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) + +allow ssh_t sshd_t:unix_stream_socket connectto; + +# ssh client can manage the keys and config +manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t) +read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t) + +# ssh servers can read the user keys and config +manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t) +manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t) +userdom_user_home_dir_filetrans(ssh_server, ssh_home_t, dir) +userdom_admin_home_dir_filetrans(ssh_server, ssh_home_t, dir) + +kernel_read_kernel_sysctls(ssh_t) +kernel_read_system_state(ssh_t) + +corenet_all_recvfrom_unlabeled(ssh_t) +corenet_all_recvfrom_netlabel(ssh_t) +corenet_tcp_sendrecv_generic_if(ssh_t) +corenet_tcp_sendrecv_generic_node(ssh_t) +corenet_tcp_sendrecv_all_ports(ssh_t) +corenet_tcp_connect_ssh_port(ssh_t) +corenet_sendrecv_ssh_client_packets(ssh_t) +corenet_tcp_bind_generic_node(ssh_t) +corenet_tcp_bind_all_unreserved_ports(ssh_t) + +dev_read_urand(ssh_t) + +fs_getattr_all_fs(ssh_t) +fs_search_auto_mountpoints(ssh_t) + +# run helper programs - needed eg for x11-ssh-askpass +corecmd_exec_shell(ssh_t) +corecmd_exec_bin(ssh_t) + +domain_use_interactive_fds(ssh_t) + +files_list_home(ssh_t) +files_read_usr_files(ssh_t) +files_read_etc_runtime_files(ssh_t) +files_read_etc_files(ssh_t) +files_read_var_files(ssh_t) + +logging_send_syslog_msg(ssh_t) +logging_read_generic_logs(ssh_t) + +auth_use_nsswitch(ssh_t) + +miscfiles_read_localization(ssh_t) + +seutil_read_config(ssh_t) + +userdom_dontaudit_list_user_home_dirs(ssh_t) +userdom_search_user_home_dirs(ssh_t) +# Write to the user domain tty. 
+userdom_use_user_terminals(ssh_t) +# needs to read krb/write tgt +userdom_read_user_tmp_files(ssh_t) +userdom_write_user_tmp_files(ssh_t) +userdom_read_user_home_content_symlinks(ssh_t) + +tunable_policy(`allow_ssh_keysign',` + domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(ssh_t) + fs_manage_nfs_files(ssh_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(ssh_t) + fs_manage_cifs_files(ssh_t) +') + +# for port forwarding +tunable_policy(`user_tcp_server',` + corenet_tcp_bind_ssh_port(ssh_t) + corenet_tcp_bind_generic_node(ssh_t) +') + +optional_policy(` + xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t) + xserver_domtrans_xauth(ssh_t) +') + +######################################## +# +# ssh_keygen local policy +# + +# ssh_keygen_t is the type of the ssh-keygen program when run at install time +# and by sysadm_t + +dontaudit ssh_keygen_t self:capability sys_tty_config; +allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; +allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; + +allow ssh_keygen_t sshd_key_t:file manage_file_perms; +files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) + +kernel_read_kernel_sysctls(ssh_keygen_t) + +fs_search_auto_mountpoints(ssh_keygen_t) + +dev_read_sysfs(ssh_keygen_t) +dev_read_urand(ssh_keygen_t) + +term_dontaudit_use_console(ssh_keygen_t) + +domain_use_interactive_fds(ssh_keygen_t) + +files_read_etc_files(ssh_keygen_t) + +init_use_fds(ssh_keygen_t) +init_use_script_ptys(ssh_keygen_t) + +logging_send_syslog_msg(ssh_keygen_t) + +userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) + +optional_policy(` + nscd_socket_use(ssh_keygen_t) +') + +optional_policy(` + seutil_sigchld_newrole(ssh_keygen_t) +') + +optional_policy(` + udev_read_db(ssh_keygen_t) +') + +############################## +# +# ssh_keysign_t local policy +# + +tunable_policy(`allow_ssh_keysign',` + allow ssh_keysign_t 
self:capability { setgid setuid }; + allow ssh_keysign_t self:unix_stream_socket create_socket_perms; + + allow ssh_keysign_t sshd_key_t:file read_file_perms; + + dev_read_urand(ssh_keysign_t) + + files_read_etc_files(ssh_keysign_t) +') + +optional_policy(` + tunable_policy(`allow_ssh_keysign',` + nscd_socket_use(ssh_keysign_t) + ') +') + +################################# +# +# sshd local policy +# +# sshd_t is the domain for the sshd program. +# + +# so a tunnel can point to another ssh tunnel +allow sshd_t self:netlink_route_socket r_netlink_socket_perms; +allow sshd_t self:key { search link write }; +allow sshd_t self:process setcurrent; + +kernel_search_key(sshd_t) +kernel_link_key(sshd_t) + +term_use_all_ptys(sshd_t) +term_setattr_all_ptys(sshd_t) +term_setattr_all_ttys(sshd_t) +term_relabelto_all_ptys(sshd_t) +term_use_ptmx(sshd_t) + +# for X forwarding +corenet_tcp_bind_xserver_port(sshd_t) +corenet_sendrecv_xserver_server_packets(sshd_t) + +userdom_read_user_home_content_files(sshd_t) +userdom_read_user_home_content_symlinks(sshd_t) +userdom_search_admin_dir(sshd_t) +userdom_manage_tmp_role(system_r, sshd_t) +userdom_spec_domtrans_unpriv_users(sshd_t) +userdom_signal_unpriv_users(sshd_t) + +tunable_policy(`sshd_forward_ports',` + corenet_tcp_bind_all_unreserved_ports(sshd_t) + corenet_tcp_connect_all_ports(sshd_t) +') + +tunable_policy(`ssh_sysadm_login',` + # Relabel and access ptys created by sshd + # ioctl is necessary for logout() processing for utmp entry and for w to + # display the tty. 
+ # some versions of sshd on the new SE Linux require setattr + userdom_signal_all_users(sshd_t) +') + +optional_policy(` + daemontools_service_domain(sshd_t, sshd_exec_t) +') + +optional_policy(` + kerberos_keytab_template(sshd, sshd_t) +') + +optional_policy(` + ftp_dyntrans_sftpd(sshd_t) + ftp_dyntrans_anon_sftpd(sshd_t) +') + +optional_policy(` + gitosis_manage_lib_files(sshd_t) +') + +optional_policy(` + inetd_tcp_service_domain(sshd_t, sshd_exec_t) +') + +optional_policy(` + nx_read_home_files(sshd_t) +') + +optional_policy(` + rpm_use_script_fds(sshd_t) +') + +optional_policy(` + rssh_spec_domtrans(sshd_t) + # For reading /home/user/.ssh + rssh_read_ro_content(sshd_t) +') + +optional_policy(` + usermanage_domtrans_passwd(sshd_t) + usermanage_read_crack_db(sshd_t) +') + +optional_policy(` + unconfined_shell_domtrans(sshd_t) +') + +optional_policy(` + xserver_domtrans_xauth(sshd_t) +') + +ifdef(`TODO',` + tunable_policy(`ssh_sysadm_login',` + # Relabel and access ptys created by sshd + # ioctl is necessary for logout() processing for utmp entry and for w to + # display the tty. + # some versions of sshd on the new SE Linux require setattr + allow sshd_t ptyfile:chr_file relabelto; + + optional_policy(` + domain_trans(sshd_t, xauth_exec_t, userdomain) + ') + ',` + optional_policy(` + domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) + ') + # Relabel and access ptys created by sshd + # ioctl is necessary for logout() processing for utmp entry and for w to + # display the tty. 
+ # some versions of sshd on the new SE Linux require setattr + allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms }; + ') +') dnl endif TODO + +######################################## +# +# ssh_keygen local policy +# + +# ssh_keygen_t is the type of the ssh-keygen program when run at install time +# and by sysadm_t + +dontaudit ssh_keygen_t self:capability sys_tty_config; +allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; +allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; + +allow ssh_keygen_t sshd_key_t:file manage_file_perms; +files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) + +kernel_read_kernel_sysctls(ssh_keygen_t) + +fs_search_auto_mountpoints(ssh_keygen_t) + +dev_read_sysfs(ssh_keygen_t) +dev_read_urand(ssh_keygen_t) + +term_dontaudit_use_console(ssh_keygen_t) + +domain_use_interactive_fds(ssh_keygen_t) + +files_read_etc_files(ssh_keygen_t) + +init_use_fds(ssh_keygen_t) +init_use_script_ptys(ssh_keygen_t) + +auth_use_nsswitch(ssh_keygen_t) + +logging_send_syslog_msg(ssh_keygen_t) + +userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) + +optional_policy(` + seutil_sigchld_newrole(ssh_keygen_t) +') + +optional_policy(` + udev_read_db(ssh_keygen_t) +') diff --git a/policy/modules/services/sssd.fc b/policy/modules/services/sssd.fc new file mode 100644 index 0000000..4271815 --- /dev/null +++ b/policy/modules/services/sssd.fc @@ -0,0 +1,11 @@ +/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) + +/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) + +/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) + +/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) + +/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0) + +/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) 
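Review bot: ssh.te carries the `# ssh_keygen local policy` block twice, once after the client policy and again after the `ifdef(`TODO'` block, and the copies differ: the first has `optional_policy(` nscd_socket_use(ssh_keygen_t) ')` and the second has `auth_use_nsswitch(ssh_keygen_t)` instead, so a reader cannot tell which set of rules is intended; keep one block and delete the other. In the sshd section the `tunable_policy(`ssh_sysadm_login',` block contains only the comments about relabelling ptys and ioctl for logout() processing, but its single rule is `userdom_signal_all_users(sshd_t)`; those comments belong to the `allow sshd_t userpty_type:chr_file { relabelto ... }` rules inside the dead `ifdef(`TODO'` block, so either drop the TODO block and reword the comment to describe the signal rule, or move the comment with the rules it documents.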
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if new file mode 100644 index 0000000..6dbfc01 --- /dev/null +++ b/policy/modules/services/sssd.if 
@@ -0,0 +1,249 @@ +## <summary>System Security Services Daemon</summary> + +######################################## +## <summary> +## Execute a domain transition to run sssd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`sssd_domtrans',` + gen_require(` + type sssd_t, sssd_exec_t; + ') + + domtrans_pattern($1, sssd_exec_t, sssd_t) +') + +######################################## +## <summary> +## Execute sssd server in the sssd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`sssd_initrc_domtrans',` + gen_require(` + type sssd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, sssd_initrc_exec_t) +') + +######################################## +## <summary> +## Read sssd public files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sssd_read_public_files',` + gen_require(` + type sssd_public_t; + ') + + sssd_search_lib($1) + read_files_pattern($1, sssd_public_t, sssd_public_t) +') + +######################################## +## <summary> +## Read sssd PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sssd_read_pid_files',` + gen_require(` + type sssd_var_run_t; + ') + + files_search_pids($1) + allow $1 sssd_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Manage sssd var_run files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`sssd_manage_pids',` + gen_require(` + type sssd_var_run_t; + ') + + files_search_pids($1) + manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t) + manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t) +') + +######################################## +## <summary> +## Search sssd lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sssd_search_lib',` + gen_require(` + type sssd_var_lib_t; + ') + + allow $1 sssd_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Do not audit attempts to search sssd lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`sssd_dontaudit_search_lib',` + gen_require(` + type sssd_var_lib_t; + ') + + dontaudit $1 sssd_var_lib_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Read sssd lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sssd_read_lib_files',` + gen_require(` + type sssd_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## sssd lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sssd_manage_lib_files',` + gen_require(` + type sssd_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) +') + +######################################## +## <summary> +## Send and receive messages from +## sssd over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`sssd_dbus_chat',` + gen_require(` + type sssd_t; + class dbus send_msg; + ') + + allow $1 sssd_t:dbus send_msg; + allow sssd_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Connect to sssd over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sssd_stream_connect',` + gen_require(` + type sssd_t, sssd_var_lib_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an sssd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the sssd domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`sssd_admin',` + gen_require(` + type sssd_t, sssd_public_t, sssd_initrc_exec_t; + ') + + allow $1 sssd_t:process { ptrace signal_perms }; + ps_process_pattern($1, sssd_t) + + # Allow sssd_t to restart the apache service + sssd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 sssd_initrc_exec_t system_r; + allow $2 system_r; + + sssd_manage_pids($1) + + sssd_manage_lib_files($1) + + admin_pattern($1, sssd_public_t) +') diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te new file mode 100644 index 0000000..7113802 --- /dev/null +++ b/policy/modules/services/sssd.te 
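Review bot: in sssd_admin the comment `# Allow sssd_t to restart the apache service` is copied from another module and is wrong on both counts; it should say that the admin domain ($1) may run the sssd init script. In sssd_stream_connect the search rule is `files_search_pids($1)` but the socket type is sssd_var_lib_t (sssd.fc labels `/var/lib/sss(/.*)?` with it and sssd.te has `manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)`), so callers need `files_search_var_lib($1)` or `sssd_search_lib($1)` to reach the socket; the pids search gives them nothing useful here. sssd_admin also omits the log type: without `logging_search_logs($1)` and `manage_files_pattern($1, sssd_var_log_t, sssd_var_log_t)` the admin role cannot rotate or clear /var/log/sssd, which the other manage rules in the interface suggest was intended.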
@@ -0,0 +1,95 @@ +policy_module(sssd, 1.1.0) + +######################################## +# +# Declarations +# + +type sssd_t; +type sssd_exec_t; +init_daemon_domain(sssd_t, sssd_exec_t) + +type sssd_initrc_exec_t; +init_script_file(sssd_initrc_exec_t) + +type sssd_public_t; +files_pid_file(sssd_public_t) + +type sssd_var_lib_t; +files_type(sssd_var_lib_t) + +type sssd_var_log_t; +logging_log_file(sssd_var_log_t) + +type sssd_var_run_t; +files_pid_file(sssd_var_run_t) + +######################################## +# +# sssd local policy +# + +allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid }; +allow sssd_t self:process { setfscreate setsched sigkill signal getsched }; +allow sssd_t self:fifo_file rw_fifo_file_perms; +allow sssd_t self:key manage_key_perms; +allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; + +manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) +manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) + +manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) +manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) +manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) +files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) + +manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) +logging_log_filetrans(sssd_t, sssd_var_log_t, file) + +manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) +manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) +files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) + +kernel_read_network_state(sssd_t) +kernel_read_system_state(sssd_t) + +corecmd_exec_bin(sssd_t) + +dev_read_urand(sssd_t) + +domain_read_all_domains_state(sssd_t) +domain_obj_id_change_exemption(sssd_t) + +files_list_tmp(sssd_t) +files_read_etc_files(sssd_t) +files_read_usr_files(sssd_t) + +fs_list_inotifyfs(sssd_t) + +selinux_validate_context(sssd_t) + +seutil_read_file_contexts(sssd_t) + +mls_file_read_to_clearance(sssd_t) 
+ +auth_use_nsswitch(sssd_t) +auth_domtrans_chk_passwd(sssd_t) +auth_domtrans_upd_passwd(sssd_t) + +init_read_utmp(sssd_t) + +logging_send_syslog_msg(sssd_t) +logging_send_audit_msgs(sssd_t) + +miscfiles_read_localization(sssd_t) + +userdom_manage_tmp_role(system_r, sssd_t) + +optional_policy(` + dbus_system_bus_client(sssd_t) + dbus_connect_system_bus(sssd_t) +') + +optional_policy(` + kerberos_manage_host_rcache(sssd_t) +') diff --git a/policy/modules/services/stunnel.fc b/policy/modules/services/stunnel.fc new file mode 100644 index 0000000..50e29aa --- /dev/null +++ b/policy/modules/services/stunnel.fc @@ -0,0 +1,7 @@ +/etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0) + +/usr/bin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0) + +/usr/sbin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0) + +/var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0) diff --git a/policy/modules/services/stunnel.if b/policy/modules/services/stunnel.if new file mode 100644 index 0000000..eaf49b2 --- /dev/null +++ b/policy/modules/services/stunnel.if @@ -0,0 +1,25 @@ +## <summary>SSL Tunneling Proxy</summary> + +######################################## +## <summary> +## Define the specified domain as a stunnel inetd service. +## </summary> +## <param name="domain"> +## <summary> +## The type associated with the stunnel inetd service process. +## </summary> +## </param> +## <param name="entrypoint"> +## <summary> +## The type associated with the process program. +## </summary> +## </param> +# +interface(`stunnel_service_domain',` + gen_require(` + type stunnel_t; + ') + + domtrans_pattern(stunnel_t, $2, $1) + allow $1 stunnel_t:tcp_socket rw_socket_perms; +') diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te new file mode 100644 index 0000000..296e5ba --- /dev/null +++ b/policy/modules/services/stunnel.te 
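Review bot: sssd_public_t is declared with `files_pid_file(sssd_public_t)` but sssd.fc places it at `/var/lib/sss/pubconf(/.*)?` and sssd_read_public_files reaches it through sssd_search_lib; a type that lives under /var/lib should be declared with `files_type(sssd_public_t)` like sssd_var_lib_t, otherwise it picks up the pidfile attribute and every domain that is given blanket /var/run access through the files_*_all_pids interfaces reaches the public files as well. On the `allow sssd_t self:capability { chown dac_read_search dac_override ... }` line both DAC-bypass capabilities are granted; if sssd only needs to read files it does not own, dac_read_search alone suffices and dac_override should be dropped, since it additionally bypasses write and execute permission checks.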
@@ -0,0 +1,120 @@ +policy_module(stunnel, 1.9.1) + +######################################## +# +# Declarations +# + +type stunnel_t; +type stunnel_exec_t; + +type stunnel_etc_t; +files_config_file(stunnel_etc_t) + +type stunnel_tmp_t; +files_tmp_file(stunnel_tmp_t) + +type stunnel_var_run_t; +files_pid_file(stunnel_var_run_t) + +ifdef(`distro_gentoo',` + init_daemon_domain(stunnel_t, stunnel_exec_t) +',` + inetd_tcp_service_domain(stunnel_t, stunnel_exec_t) +') + +######################################## +# +# Local policy +# + +allow stunnel_t self:capability { setgid setuid sys_chroot }; +allow stunnel_t self:process signal_perms; +allow stunnel_t self:fifo_file rw_fifo_file_perms; +allow stunnel_t self:tcp_socket create_stream_socket_perms; +allow stunnel_t self:udp_socket create_socket_perms; + +allow stunnel_t stunnel_etc_t:dir list_dir_perms; +allow stunnel_t stunnel_etc_t:file read_file_perms; +allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms; + +manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) +manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) +files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir }) + +manage_dirs_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t) +manage_files_pattern(stunnel_t, stunnel_var_run_t, stunnel_var_run_t) +files_pid_filetrans(stunnel_t, stunnel_var_run_t, { dir file }) + +kernel_read_kernel_sysctls(stunnel_t) +kernel_read_system_state(stunnel_t) +kernel_read_network_state(stunnel_t) + +corecmd_exec_bin(stunnel_t) + +corenet_all_recvfrom_unlabeled(stunnel_t) +corenet_all_recvfrom_netlabel(stunnel_t) +corenet_tcp_sendrecv_generic_if(stunnel_t) +corenet_udp_sendrecv_generic_if(stunnel_t) +corenet_tcp_sendrecv_generic_node(stunnel_t) +corenet_udp_sendrecv_generic_node(stunnel_t) +corenet_tcp_sendrecv_all_ports(stunnel_t) +corenet_udp_sendrecv_all_ports(stunnel_t) +corenet_tcp_bind_generic_node(stunnel_t) +corenet_tcp_connect_all_ports(stunnel_t) + +fs_getattr_all_fs(stunnel_t) + 
+auth_use_nsswitch(stunnel_t) + +logging_send_syslog_msg(stunnel_t) + +miscfiles_read_localization(stunnel_t) + +sysnet_read_config(stunnel_t) + +ifdef(`distro_gentoo',` + dontaudit stunnel_t self:capability sys_tty_config; + allow stunnel_t self:udp_socket create_socket_perms; + + dev_read_sysfs(stunnel_t) + + fs_search_auto_mountpoints(stunnel_t) + + domain_use_interactive_fds(stunnel_t) + + userdom_dontaudit_use_unpriv_user_fds(stunnel_t) + userdom_dontaudit_search_user_home_dirs(stunnel_t) + + optional_policy(` + daemontools_service_domain(stunnel_t, stunnel_exec_t) + ') + + optional_policy(` + seutil_sigchld_newrole(stunnel_t) + ') + + optional_policy(` + udev_read_db(stunnel_t) + ') +',` + allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms; + + dev_read_urand(stunnel_t) + + files_read_etc_files(stunnel_t) + files_read_etc_runtime_files(stunnel_t) + files_search_home(stunnel_t) + + optional_policy(` + kerberos_use(stunnel_t) + ') +') + +# hack since this port has no interfaces since it doesnt +# have net_contexts +gen_require(` + type stunnel_port_t; +') + +allow stunnel_t stunnel_port_t:tcp_socket name_bind; diff --git a/policy/modules/services/sysstat.fc b/policy/modules/services/sysstat.fc new file mode 100644 index 0000000..08d999c --- /dev/null +++ b/policy/modules/services/sysstat.fc @@ -0,0 +1,8 @@ + +/usr/lib(64)?/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) +/usr/lib(64)?/sa/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) +/usr/lib(64)?/sysstat/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) + +/var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) +/var/log/sa(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) +/var/log/sysstat(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) diff --git a/policy/modules/services/sysstat.if b/policy/modules/services/sysstat.if new file mode 100644 index 0000000..7a23b3b --- /dev/null +++ b/policy/modules/services/sysstat.if 
@@ -0,0 +1,21 @@ +## <summary>Policy for sysstat. Reports on various system states</summary> + +######################################## +## <summary> +## Manage sysstat logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`sysstat_manage_log',` + gen_require(` + type sysstat_log_t; + ') + + logging_search_logs($1) + manage_files_pattern($1, sysstat_log_t, sysstat_log_t) +') diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te new file mode 100644 index 0000000..3645a22 --- /dev/null +++ b/policy/modules/services/sysstat.te 
@@ -0,0 +1,72 @@ +policy_module(sysstat, 1.6.0) + +######################################## +# +# Declarations +# + +type sysstat_t; +type sysstat_exec_t; +init_system_domain(sysstat_t, sysstat_exec_t) + +type sysstat_log_t; +logging_log_file(sysstat_log_t) + +######################################## +# +# Local policy +# + +allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config }; +allow sysstat_t self:fifo_file rw_fifo_file_perms; + +can_exec(sysstat_t, sysstat_exec_t) + +manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t) +manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t) +manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t) +logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir }) + +# get info from /proc +kernel_read_system_state(sysstat_t) +kernel_read_network_state(sysstat_t) +kernel_read_kernel_sysctls(sysstat_t) +kernel_read_fs_sysctls(sysstat_t) +kernel_read_rpc_sysctls(sysstat_t) + +corecmd_exec_bin(sysstat_t) + +dev_read_urand(sysstat_t) +dev_read_sysfs(sysstat_t) + +files_search_var(sysstat_t) +# for mtab +files_read_etc_runtime_files(sysstat_t) +#for fstab +files_read_etc_files(sysstat_t) + +fs_getattr_xattr_fs(sysstat_t) +fs_list_inotifyfs(sysstat_t) + +term_use_console(sysstat_t) +term_use_all_terms(sysstat_t) + +init_use_fds(sysstat_t) + +locallogin_use_fds(sysstat_t) + +miscfiles_read_localization(sysstat_t) + +userdom_dontaudit_list_user_home_dirs(sysstat_t) + +optional_policy(` + cron_system_entry(sysstat_t, sysstat_exec_t) +') + +optional_policy(` + logging_send_syslog_msg(sysstat_t) +') + +optional_policy(` + nscd_socket_use(sysstat_t) +') diff --git a/policy/modules/services/tcpd.fc b/policy/modules/services/tcpd.fc new file mode 100644 index 0000000..2e8d7a1 --- /dev/null +++ b/policy/modules/services/tcpd.fc @@ -0,0 +1,2 @@ + +/usr/sbin/tcpd -- gen_context(system_u:object_r:tcpd_exec_t,s0) 
diff --git a/policy/modules/services/tcpd.if b/policy/modules/services/tcpd.if new file mode 100644 index 0000000..2075ebb --- /dev/null +++ b/policy/modules/services/tcpd.if @@ -0,0 +1,45 @@ +## <summary>Policy for TCP daemon.</summary> + +######################################## +## <summary> +## Execute tcpd in the tcpd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`tcpd_domtrans',` + gen_require(` + type tcpd_t, tcpd_exec_t; + ') + + domtrans_pattern($1, tcpd_exec_t, tcpd_t) +') + +######################################## +## <summary> +## Create a domain for services that +## utilize tcp wrappers. +## </summary> +## <param name="domain"> +## <summary> +## Type to be used as a domain. +## </summary> +## </param> +## <param name="entry_point"> +## <summary> +## Type of the program to be used as an entry point to this domain. +## </summary> +## </param> +# +interface(`tcpd_wrapped_domain',` + gen_require(` + type tcpd_t; + role system_r; + ') + + domtrans_pattern(tcpd_t, $2, $1) + role system_r types $1; +') diff --git a/policy/modules/services/tcpd.te b/policy/modules/services/tcpd.te new file mode 100644 index 0000000..4e84f23 --- /dev/null +++ b/policy/modules/services/tcpd.te 
@@ -0,0 +1,49 @@ +policy_module(tcpd, 1.4.0) + +######################################## +# +# Declarations +# +type tcpd_t; +type tcpd_exec_t; +inetd_tcp_service_domain(tcpd_t, tcpd_exec_t) + +type tcpd_tmp_t; +files_tmp_file(tcpd_tmp_t) + +######################################## +# +# Local policy +# +allow tcpd_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) +manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) +files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir }) + +corenet_all_recvfrom_unlabeled(tcpd_t) +corenet_all_recvfrom_netlabel(tcpd_t) +corenet_tcp_sendrecv_generic_if(tcpd_t) +corenet_tcp_sendrecv_generic_node(tcpd_t) +corenet_tcp_sendrecv_all_ports(tcpd_t) + +fs_getattr_xattr_fs(tcpd_t) + +# Run other daemons in the inetd child domain. +corecmd_search_bin(tcpd_t) + +files_read_etc_files(tcpd_t) +# no good reason for files_dontaudit_search_var, probably nscd +files_dontaudit_search_var(tcpd_t) + +logging_send_syslog_msg(tcpd_t) + +miscfiles_read_localization(tcpd_t) + +sysnet_read_config(tcpd_t) + +inetd_domtrans_child(tcpd_t) + +optional_policy(` + nis_use_ypbind(tcpd_t) +') diff --git a/policy/modules/services/telnet.fc b/policy/modules/services/telnet.fc new file mode 100644 index 0000000..7405170 --- /dev/null +++ b/policy/modules/services/telnet.fc @@ -0,0 +1,4 @@ + +/usr/sbin/in\.telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0) + +/usr/kerberos/sbin/telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0) diff --git a/policy/modules/services/telnet.if b/policy/modules/services/telnet.if new file mode 100644 index 0000000..58e7ec0 --- /dev/null +++ b/policy/modules/services/telnet.if @@ -0,0 +1 @@ +## <summary>Telnet daemon</summary> diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te new file mode 100644 index 0000000..34c4c57 --- /dev/null +++ b/policy/modules/services/telnet.te 
@@ -0,0 +1,98 @@ +policy_module(telnet, 1.10.0) + +######################################## +# +# Declarations +# + +type telnetd_t; +type telnetd_exec_t; +inetd_service_domain(telnetd_t, telnetd_exec_t) + +type telnetd_devpts_t; #, userpty_type; +term_login_pty(telnetd_devpts_t) + +type telnetd_tmp_t; +files_tmp_file(telnetd_tmp_t) + +type telnetd_var_run_t; +files_pid_file(telnetd_var_run_t) + +######################################## +# +# Local policy +# + +allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; +allow telnetd_t self:process signal_perms; +allow telnetd_t self:fifo_file rw_fifo_file_perms; +allow telnetd_t self:tcp_socket connected_stream_socket_perms; +allow telnetd_t self:udp_socket create_socket_perms; +# for identd; cjp: this should probably only be inetd_child rules? +allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; + +allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; +term_create_pty(telnetd_t, telnetd_devpts_t) + +manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) +manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) + +manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t) +files_pid_filetrans(telnetd_t, telnetd_var_run_t, file) + +kernel_read_kernel_sysctls(telnetd_t) +kernel_read_system_state(telnetd_t) +kernel_read_network_state(telnetd_t) + +corenet_all_recvfrom_unlabeled(telnetd_t) +corenet_all_recvfrom_netlabel(telnetd_t) +corenet_tcp_sendrecv_generic_if(telnetd_t) +corenet_udp_sendrecv_generic_if(telnetd_t) +corenet_tcp_sendrecv_generic_node(telnetd_t) +corenet_udp_sendrecv_generic_node(telnetd_t) +corenet_tcp_sendrecv_all_ports(telnetd_t) +corenet_udp_sendrecv_all_ports(telnetd_t) + +dev_read_urand(telnetd_t) + +domain_interactive_fd(telnetd_t) + +fs_getattr_xattr_fs(telnetd_t) + +auth_rw_login_records(telnetd_t) +auth_use_nsswitch(telnetd_t) + +corecmd_search_bin(telnetd_t) + 
+files_read_usr_files(telnetd_t) +files_read_etc_files(telnetd_t) +files_read_etc_runtime_files(telnetd_t) + +init_rw_utmp(telnetd_t) + +logging_send_syslog_msg(telnetd_t) + +miscfiles_read_localization(telnetd_t) + +seutil_read_config(telnetd_t) + +remotelogin_domtrans(telnetd_t) + +userdom_search_user_home_dirs(telnetd_t) +userdom_setattr_user_ptys(telnetd_t) +userdom_manage_user_tmp_files(telnetd_t) +userdom_tmp_filetrans_user_tmp(telnetd_t, file) + +tunable_policy(`use_nfs_home_dirs',` + fs_search_nfs(telnetd_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_search_cifs(telnetd_t) +') + +optional_policy(` + kerberos_keytab_template(telnetd, telnetd_t) + kerberos_manage_host_rcache(telnetd_t) +') + diff --git a/policy/modules/services/tftp.fc b/policy/modules/services/tftp.fc new file mode 100644 index 0000000..25eee43 --- /dev/null +++ b/policy/modules/services/tftp.fc @@ -0,0 +1,8 @@ + +/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) +/usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) + +/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) +/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0) + +/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) diff --git a/policy/modules/services/tftp.if b/policy/modules/services/tftp.if new file mode 100644 index 0000000..1427b54 --- /dev/null +++ b/policy/modules/services/tftp.if 
@@ -0,0 +1,118 @@ +## <summary>Trivial file transfer protocol daemon</summary> + +######################################## +## <summary> +## Read tftp content +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`tftp_read_content',` + gen_require(` + type tftpdir_t; + ') + + read_files_pattern($1, tftpdir_t, tftpdir_t) + read_lnk_files_pattern($1, tftpdir_t, tftpdir_t) +') + +######################################## +## <summary> +## Search tftp /var/lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`tftp_search_rw_content',` + gen_require(` + type tftpdir_rw_t; + ') + + search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) + files_search_var_lib($1) +') + +######################################## +## <summary> +## Manage tftp /var/lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`tftp_manage_rw_content',` + gen_require(` + type tftpdir_rw_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) + manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) +') + +######################################## +## <summary> +## Create objects in tftpdir directories +## with specified types. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="file_type"> +## <summary> +## Private file type. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## Class of the object being created. 
+## </summary> +## </param> +# +interface(`tftp_filetrans_tftpdir',` + gen_require(` + type tftpdir_rw_t; + ') + + filetrans_pattern($1, tftpdir_rw_t, $2, $3) + files_search_var_lib($1) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an tftp environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`tftp_admin',` + gen_require(` + type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; + ') + + allow $1 tftpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, tftpd_t) + + files_list_var_lib($1) + admin_pattern($1, tftpdir_rw_t) + + admin_pattern($1, tftpdir_t) + + files_list_pids($1) + admin_pattern($1, tftpd_var_run_t) +') diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te new file mode 100644 index 0000000..97ce79e --- /dev/null +++ b/policy/modules/services/tftp.te 
@@ -0,0 +1,110 @@ +policy_module(tftp, 1.12.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow tftp to modify public files +## used for public file transfer services. +## </p> +## </desc> +gen_tunable(tftp_anon_write, false) + +type tftpd_t; +type tftpd_exec_t; +init_daemon_domain(tftpd_t, tftpd_exec_t) + +type tftpd_var_run_t; +files_pid_file(tftpd_var_run_t) + +type tftpdir_t; +files_type(tftpdir_t) + +type tftpdir_rw_t; +files_type(tftpdir_rw_t) + +######################################## +# +# Local policy +# + +allow tftpd_t self:capability { setgid setuid sys_chroot }; +dontaudit tftpd_t self:capability sys_tty_config; +allow tftpd_t self:tcp_socket create_stream_socket_perms; +allow tftpd_t self:udp_socket create_socket_perms; +allow tftpd_t self:unix_dgram_socket create_socket_perms; +allow tftpd_t self:unix_stream_socket create_stream_socket_perms; + +allow tftpd_t tftpdir_t:dir list_dir_perms; +allow tftpd_t tftpdir_t:file read_file_perms; +allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms; + +manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) +manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) +manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) + +manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t) +files_pid_filetrans(tftpd_t, tftpd_var_run_t, file) + +kernel_read_system_state(tftpd_t) +kernel_read_kernel_sysctls(tftpd_t) + +corenet_all_recvfrom_unlabeled(tftpd_t) +corenet_all_recvfrom_netlabel(tftpd_t) +corenet_tcp_sendrecv_generic_if(tftpd_t) +corenet_udp_sendrecv_generic_if(tftpd_t) +corenet_tcp_sendrecv_generic_node(tftpd_t) +corenet_udp_sendrecv_generic_node(tftpd_t) +corenet_tcp_sendrecv_all_ports(tftpd_t) +corenet_udp_sendrecv_all_ports(tftpd_t) +corenet_tcp_bind_generic_node(tftpd_t) +corenet_udp_bind_generic_node(tftpd_t) +corenet_udp_bind_tftp_port(tftpd_t) +corenet_sendrecv_tftp_server_packets(tftpd_t) + +dev_read_sysfs(tftpd_t) + 
+fs_getattr_all_fs(tftpd_t) +fs_search_auto_mountpoints(tftpd_t) + +domain_use_interactive_fds(tftpd_t) + +files_read_etc_files(tftpd_t) +files_read_etc_runtime_files(tftpd_t) +files_read_var_files(tftpd_t) +files_read_var_symlinks(tftpd_t) +files_search_var(tftpd_t) + +auth_use_nsswitch(tftpd_t) + +logging_send_syslog_msg(tftpd_t) + +miscfiles_read_localization(tftpd_t) +miscfiles_read_public_files(tftpd_t) + +userdom_dontaudit_use_unpriv_user_fds(tftpd_t) +userdom_dontaudit_use_user_terminals(tftpd_t) +userdom_dontaudit_search_user_home_dirs(tftpd_t) + +tunable_policy(`tftp_anon_write',` + miscfiles_manage_public_files(tftpd_t) +') + +optional_policy(` + cobbler_read_lib_files(tftpd_t) +') + +optional_policy(` + inetd_udp_service_domain(tftpd_t, tftpd_exec_t) +') + +optional_policy(` + seutil_sigchld_newrole(tftpd_t) +') + +optional_policy(` + udev_read_db(tftpd_t) +') diff --git a/policy/modules/services/tgtd.fc b/policy/modules/services/tgtd.fc new file mode 100644 index 0000000..8294f6f --- /dev/null +++ b/policy/modules/services/tgtd.fc @@ -0,0 +1,3 @@ +/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0) +/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0) +/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) diff --git a/policy/modules/services/tgtd.if b/policy/modules/services/tgtd.if new file mode 100644 index 0000000..c2ed23a --- /dev/null +++ b/policy/modules/services/tgtd.if 
@@ -0,0 +1,46 @@ +## <summary>Linux Target Framework Daemon.</summary> +## <desc> +## <p> +## Linux target framework (tgt) aims to simplify various +## SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation +## and maintenance. Our key goals are the clean integration into +## the scsi-mid layer and implementing a great portion of tgt +## in user space. +## </p> +## </desc> + +##################################### +## <summary> +## Allow read and write access to tgtd semaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`tgtd_rw_semaphores',` + gen_require(` + type tgtd_t; + ') + + allow $1 tgtd_t:sem rw_sem_perms; +') + +###################################### +## <summary> +## Manage tgtd sempaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`tgtd_manage_semaphores',` + gen_require(` + type tgtd_t; + ') + + allow $1 tgtd_t:sem create_sem_perms; +') diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te new file mode 100644 index 0000000..44dfdc8 --- /dev/null +++ b/policy/modules/services/tgtd.te 
@@ -0,0 +1,74 @@ +policy_module(tgtd, 1.1.0) + +######################################## +# +# TGTD personal declarations. +# + +type tgtd_t; +type tgtd_exec_t; +init_daemon_domain(tgtd_t, tgtd_exec_t) + +type tgtd_initrc_exec_t; +init_script_file(tgtd_initrc_exec_t) + +type tgtd_tmp_t; +files_tmp_file(tgtd_tmp_t) + +type tgtd_tmpfs_t; +files_tmpfs_file(tgtd_tmpfs_t) + +type tgtd_var_lib_t; +files_type(tgtd_var_lib_t) + +######################################## +# +# TGTD personal policy. +# + +allow tgtd_t self:capability sys_resource; +allow tgtd_t self:process { setrlimit signal }; +allow tgtd_t self:fifo_file rw_fifo_file_perms; +allow tgtd_t self:netlink_route_socket create_netlink_socket_perms; +allow tgtd_t self:shm create_shm_perms; +allow tgtd_t self:sem create_sem_perms; +allow tgtd_t self:tcp_socket create_stream_socket_perms; +allow tgtd_t self:udp_socket create_socket_perms; +allow tgtd_t self:unix_dgram_socket create_socket_perms; + +manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t) +files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { sock_file }) + +manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t) +fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file) + +manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) +manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) +files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file }) + +kernel_read_fs_sysctls(tgtd_t) + +corenet_all_recvfrom_netlabel(tgtd_t) +corenet_all_recvfrom_unlabeled(tgtd_t) +corenet_tcp_sendrecv_generic_if(tgtd_t) +corenet_tcp_sendrecv_generic_node(tgtd_t) +corenet_tcp_sendrecv_iscsi_port(tgtd_t) +corenet_tcp_bind_generic_node(tgtd_t) +corenet_tcp_bind_iscsi_port(tgtd_t) +corenet_sendrecv_iscsi_server_packets(tgtd_t) + +dev_search_sysfs(tgtd_t) + +files_read_etc_files(tgtd_t) + +fs_read_anon_inodefs_files(tgtd_t) + +storage_manage_fixed_disk(tgtd_t) + +logging_send_syslog_msg(tgtd_t) + +miscfiles_read_localization(tgtd_t) + +optional_policy(` + iscsi_manage_semaphores(tgtd_t) 
+') diff --git a/policy/modules/services/timidity.fc b/policy/modules/services/timidity.fc new file mode 100644 index 0000000..ed5eef3 --- /dev/null +++ b/policy/modules/services/timidity.fc @@ -0,0 +1,2 @@ + +/usr/bin/timidity -- gen_context(system_u:object_r:timidity_exec_t,s0) diff --git a/policy/modules/services/timidity.if b/policy/modules/services/timidity.if new file mode 100644 index 0000000..989b240 --- /dev/null +++ b/policy/modules/services/timidity.if @@ -0,0 +1 @@ +## <summary>MIDI to WAV converter and player configured as a service</summary> diff --git a/policy/modules/services/timidity.te b/policy/modules/services/timidity.te new file mode 100644 index 0000000..67b5592 --- /dev/null +++ b/policy/modules/services/timidity.te 
@@ -0,0 +1,85 @@ +policy_module(timidity, 1.9.0) + +# Note: You only need this policy if you want to run timidity as a server + +######################################## +# +# Declarations +# + +type timidity_t; +type timidity_exec_t; +init_daemon_domain(timidity_t, timidity_exec_t) +application_domain(timidity_t, timidity_exec_t) + +type timidity_tmpfs_t; +files_tmpfs_file(timidity_tmpfs_t) + +######################################## +# +# Local policy +# + +allow timidity_t self:capability { dac_override dac_read_search }; +dontaudit timidity_t self:capability sys_tty_config; +allow timidity_t self:process { signal_perms getsched }; +allow timidity_t self:shm create_shm_perms; +allow timidity_t self:unix_stream_socket create_stream_socket_perms; +allow timidity_t self:tcp_socket create_stream_socket_perms; +allow timidity_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) +manage_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) +manage_lnk_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) +manage_fifo_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) +manage_sock_files_pattern(timidity_t, timidity_tmpfs_t, timidity_tmpfs_t) +fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +kernel_read_kernel_sysctls(timidity_t) +# read /proc/cpuinfo +kernel_read_system_state(timidity_t) + +corenet_all_recvfrom_unlabeled(timidity_t) +corenet_all_recvfrom_netlabel(timidity_t) +corenet_tcp_sendrecv_generic_if(timidity_t) +corenet_udp_sendrecv_generic_if(timidity_t) +corenet_tcp_sendrecv_generic_node(timidity_t) +corenet_udp_sendrecv_generic_node(timidity_t) +corenet_tcp_sendrecv_all_ports(timidity_t) +corenet_udp_sendrecv_all_ports(timidity_t) + +dev_read_sysfs(timidity_t) +dev_read_sound(timidity_t) +dev_write_sound(timidity_t) + +fs_search_auto_mountpoints(timidity_t) + +domain_use_interactive_fds(timidity_t) + +files_search_tmp(timidity_t) 
+# read /usr/share/alsa/alsa.conf +files_read_usr_files(timidity_t) +# read /etc/esd.conf +files_read_etc_files(timidity_t) + +# read libartscbackend.la +libs_read_lib_files(timidity_t) + +logging_send_syslog_msg(timidity_t) + +sysnet_read_config(timidity_t) + +userdom_dontaudit_use_unpriv_user_fds(timidity_t) + +# stupid timidity won't start if it can't search its current directory. +# allow this so /etc/init.d/alsasound start works from /root +# cjp: this should be fixed if possible so this rule can be removed. +userdom_search_user_home_dirs(timidity_t) + +optional_policy(` + seutil_sigchld_newrole(timidity_t) +') + +optional_policy(` + udev_read_db(timidity_t) +') diff --git a/policy/modules/services/tor.fc b/policy/modules/services/tor.fc new file mode 100644 index 0000000..e2e06b2 --- /dev/null +++ b/policy/modules/services/tor.fc @@ -0,0 +1,12 @@ +/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0) +/etc/tor(/.*)? gen_context(system_u:object_r:tor_etc_t,s0) + +/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) +/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) + +/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) +/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) + +/var/log/tor(/.*)? gen_context(system_u:object_r:tor_var_log_t,s0) + +/var/run/tor(/.*)? gen_context(system_u:object_r:tor_var_run_t,s0) diff --git a/policy/modules/services/tor.if b/policy/modules/services/tor.if new file mode 100644 index 0000000..464347f --- /dev/null +++ b/policy/modules/services/tor.if 
@@ -0,0 +1,64 @@ +## <summary>TOR, the onion router</summary> + +######################################## +## <summary> +## Execute a domain transition to run TOR. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`tor_domtrans',` + gen_require(` + type tor_t, tor_exec_t; + ') + + domtrans_pattern($1, tor_exec_t, tor_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an tor environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the tor domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`tor_admin',` + gen_require(` + type tor_t, tor_var_log_t, tor_etc_t; + type tor_var_lib_t, tor_var_run_t; + type tor_initrc_exec_t; + ') + + allow $1 tor_t:process { ptrace signal_perms }; + ps_process_pattern($1, tor_t) + + init_labeled_script_domtrans($1, tor_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 tor_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, tor_etc_t) + + files_list_var_lib($1) + admin_pattern($1, tor_var_lib_t) + + logging_list_logs($1) + admin_pattern($1, tor_var_log_t) + + files_list_pids($1) + admin_pattern($1, tor_var_run_t) +') diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te new file mode 100644 index 0000000..7f0d9a9 --- /dev/null +++ b/policy/modules/services/tor.te 
@@ -0,0 +1,116 @@ +policy_module(tor, 1.7.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow tor daemon to bind +## tcp sockets to all unreserved ports. +## </p> +## </desc> +gen_tunable(tor_bind_all_unreserved_ports, false) + +type tor_t; +type tor_exec_t; +init_daemon_domain(tor_t, tor_exec_t) + +# etc/tor +type tor_etc_t; +files_config_file(tor_etc_t) + +type tor_initrc_exec_t; +init_script_file(tor_initrc_exec_t) + +# var/lib/tor +type tor_var_lib_t; +files_type(tor_var_lib_t) + +# log files +type tor_var_log_t; +logging_log_file(tor_var_log_t) + +# pid files +type tor_var_run_t; +files_pid_file(tor_var_run_t) + +######################################## +# +# tor local policy +# + +allow tor_t self:capability { setgid setuid sys_tty_config }; +allow tor_t self:process signal; +allow tor_t self:fifo_file rw_fifo_file_perms; +allow tor_t self:unix_stream_socket create_stream_socket_perms; +allow tor_t self:netlink_route_socket r_netlink_socket_perms; +allow tor_t self:tcp_socket create_stream_socket_perms; + +# configuration files +allow tor_t tor_etc_t:dir list_dir_perms; +read_files_pattern(tor_t, tor_etc_t, tor_etc_t) +read_lnk_files_pattern(tor_t, tor_etc_t, tor_etc_t) + +# var/lib/tor files +manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) +manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) +manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) +files_usr_filetrans(tor_t, tor_var_lib_t, file) +files_var_filetrans(tor_t, tor_var_lib_t, { file dir sock_file }) +files_var_lib_filetrans(tor_t, tor_var_lib_t, file) + +# log files +allow tor_t tor_var_log_t:dir setattr; +manage_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) +manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) +logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir }) + +# pid file +manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t) +manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) 
+manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) +files_pid_filetrans(tor_t, tor_var_run_t, { file sock_file dir }) + +kernel_read_system_state(tor_t) + +# networking basics +corenet_all_recvfrom_unlabeled(tor_t) +corenet_all_recvfrom_netlabel(tor_t) +corenet_tcp_sendrecv_generic_if(tor_t) +corenet_tcp_sendrecv_generic_node(tor_t) +corenet_tcp_sendrecv_all_ports(tor_t) +corenet_tcp_sendrecv_all_reserved_ports(tor_t) +corenet_tcp_bind_generic_node(tor_t) +corenet_tcp_bind_tor_port(tor_t) +corenet_sendrecv_tor_server_packets(tor_t) +# TOR will need to connect to various ports +corenet_tcp_connect_all_ports(tor_t) +corenet_sendrecv_all_client_packets(tor_t) +# ... especially including port 80 and other privileged ports +corenet_tcp_connect_all_reserved_ports(tor_t) +corenet_udp_bind_dns_port(tor_t) + +# tor uses crypto and needs random +dev_read_urand(tor_t) + +domain_use_interactive_fds(tor_t) + +files_read_etc_files(tor_t) +files_read_etc_runtime_files(tor_t) +files_read_usr_files(tor_t) + +auth_use_nsswitch(tor_t) + +logging_send_syslog_msg(tor_t) + +miscfiles_read_localization(tor_t) + +tunable_policy(`tor_bind_all_unreserved_ports',` + corenet_tcp_bind_all_unreserved_ports(tor_t) +') + +optional_policy(` + seutil_sigchld_newrole(tor_t) +') diff --git a/policy/modules/services/transproxy.fc b/policy/modules/services/transproxy.fc new file mode 100644 index 0000000..ce33f17 --- /dev/null +++ b/policy/modules/services/transproxy.fc @@ -0,0 +1,3 @@ +/usr/sbin/tproxy -- gen_context(system_u:object_r:transproxy_exec_t,s0) + +/var/run/tproxy\.pid -- gen_context(system_u:object_r:transproxy_var_run_t,s0) diff --git a/policy/modules/services/transproxy.if b/policy/modules/services/transproxy.if new file mode 100644 index 0000000..23323f9 --- /dev/null +++ b/policy/modules/services/transproxy.if @@ -0,0 +1 @@ +## <summary>HTTP transperant proxy</summary> 
diff --git a/policy/modules/services/transproxy.te b/policy/modules/services/transproxy.te new file mode 100644 index 0000000..95cf0c0 --- /dev/null +++ b/policy/modules/services/transproxy.te @@ -0,0 +1,65 @@ +policy_module(transproxy, 1.7.0) + +######################################## +# +# Declarations +# + +type transproxy_t; +type transproxy_exec_t; +init_daemon_domain(transproxy_t, transproxy_exec_t) + +type transproxy_var_run_t; +files_pid_file(transproxy_var_run_t) + +######################################## +# +# Local policy +# + +allow transproxy_t self:capability { setgid setuid }; +dontaudit transproxy_t self:capability sys_tty_config; +allow transproxy_t self:process signal_perms; +allow transproxy_t self:tcp_socket create_stream_socket_perms; + +manage_files_pattern(transproxy_t, transproxy_var_run_t, transproxy_var_run_t) +files_pid_filetrans(transproxy_t, transproxy_var_run_t, file) + +kernel_read_kernel_sysctls(transproxy_t) +kernel_list_proc(transproxy_t) +kernel_read_proc_symlinks(transproxy_t) + +corenet_all_recvfrom_unlabeled(transproxy_t) +corenet_all_recvfrom_netlabel(transproxy_t) +corenet_tcp_sendrecv_generic_if(transproxy_t) +corenet_tcp_sendrecv_generic_node(transproxy_t) +corenet_tcp_sendrecv_all_ports(transproxy_t) +corenet_tcp_bind_generic_node(transproxy_t) +corenet_tcp_bind_transproxy_port(transproxy_t) +corenet_sendrecv_transproxy_server_packets(transproxy_t) + +dev_read_sysfs(transproxy_t) + +domain_use_interactive_fds(transproxy_t) + +files_read_etc_files(transproxy_t) + +fs_getattr_all_fs(transproxy_t) +fs_search_auto_mountpoints(transproxy_t) + +logging_send_syslog_msg(transproxy_t) + +miscfiles_read_localization(transproxy_t) + +sysnet_read_config(transproxy_t) + +userdom_dontaudit_use_unpriv_user_fds(transproxy_t) +userdom_dontaudit_search_user_home_dirs(transproxy_t) + +optional_policy(` + seutil_sigchld_newrole(transproxy_t) +') + +optional_policy(` + udev_read_db(transproxy_t) +') 
diff --git a/policy/modules/services/tuned.fc b/policy/modules/services/tuned.fc new file mode 100644 index 0000000..639c962 --- /dev/null +++ b/policy/modules/services/tuned.fc @@ -0,0 +1,8 @@ +/etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0) + +/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0) + +/var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0) +/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0) + +/var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0) diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if new file mode 100644 index 0000000..752697f --- /dev/null +++ b/policy/modules/services/tuned.if 
@@ -0,0 +1,128 @@ +## <summary>Dynamic adaptive system tuning daemon</summary> + +######################################## +## <summary> +## Execute a domain transition to run tuned. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`tuned_domtrans',` + gen_require(` + type tuned_t, tuned_exec_t; + ') + + domtrans_pattern($1, tuned_exec_t, tuned_t) +') + +####################################### +## <summary> +## Execute tuned in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`tuned_exec',` + gen_require(` + type tuned_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, tuned_exec_t) +') + +###################################### +## <summary> +## Read tuned PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`tuned_read_pid_files',` + gen_require(` + type tuned_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, tuned_var_run_t, tuned_var_run_t) +') + +####################################### +## <summary> +## Manage tuned PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`tuned_manage_pid_files',` + gen_require(` + type tuned_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, tuned_var_run_t, tuned_var_run_t) +') + +######################################## +## <summary> +## Execute tuned server in the tuned domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`tuned_initrc_domtrans',` + gen_require(` + type tuned_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, tuned_initrc_exec_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an tuned environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`tuned_admin',` + gen_require(` + type tuned_t, tuned_var_run_t, tuned_initrc_exec_t; + ') + + allow $1 tuned_t:process { ptrace signal_perms }; + ps_process_pattern($1, tuned_t) + + tuned_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 tuned_initrc_exec_t system_r; + allow $2 system_r; + + files_list_pids($1) + admin_pattern($1, tuned_var_run_t) +') diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te new file mode 100644 index 0000000..b3983a9 --- /dev/null +++ b/policy/modules/services/tuned.te 
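Review bot: the doc block for tuned_initrc_domtrans in tuned.if says "Execute tuned server in the tuned domain", but the body calls init_labeled_script_domtrans($1, tuned_initrc_exec_t), which transitions the caller into the init script domain, not into tuned_t; the summary should read "Execute tuned init scripts in the initrc domain." so that callers of tuned_admin are not misled about what they are granting. In the tuned_admin summary, "administrate an tuned environment" should be "a tuned environment".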
@@ -0,0 +1,69 @@ +policy_module(tuned, 1.1.0) + +######################################## +# +# Declarations +# + +type tuned_t; +type tuned_exec_t; +init_daemon_domain(tuned_t, tuned_exec_t) + +type tuned_initrc_exec_t; +init_script_file(tuned_initrc_exec_t) + +type tuned_log_t; +logging_log_file(tuned_log_t) + +type tuned_var_run_t; +files_pid_file(tuned_var_run_t) + +######################################## +# +# tuned local policy +# + +dontaudit tuned_t self:capability { dac_override sys_tty_config }; +allow tuned_t self:fifo_file rw_fifo_file_perms; + +manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) +manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t) +logging_log_filetrans(tuned_t, tuned_log_t, file) + +manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) +files_pid_filetrans(tuned_t, tuned_var_run_t, file) + +corecmd_exec_shell(tuned_t) +corecmd_exec_bin(tuned_t) + +kernel_read_system_state(tuned_t) +kernel_read_network_state(tuned_t) + +dev_read_urand(tuned_t) +dev_read_sysfs(tuned_t) +# to allow cpu tuning +dev_rw_netcontrol(tuned_t) + +files_read_etc_files(tuned_t) +files_read_usr_files(tuned_t) +files_dontaudit_search_home(tuned_t) + +logging_send_syslog_msg(tuned_t) + +miscfiles_read_localization(tuned_t) + +userdom_dontaudit_search_user_home_dirs(tuned_t) + +# to allow disk tuning +optional_policy(` + fstools_domtrans(tuned_t) +') + +optional_policy(` + gnome_dontaudit_search_config(tuned_t) +') + +# to allow network interface tuning +optional_policy(` + sysnet_domtrans_ifconfig(tuned_t) +') diff --git a/policy/modules/services/ucspitcp.fc b/policy/modules/services/ucspitcp.fc new file mode 100644 index 0000000..667d0b5 --- /dev/null +++ b/policy/modules/services/ucspitcp.fc @@ -0,0 +1,3 @@ + +/usr/bin/rblsmtpd -- gen_context(system_u:object_r:rblsmtpd_exec_t,s0) +/usr/bin/tcpserver -- gen_context(system_u:object_r:ucspitcp_exec_t,s0) 
diff --git a/policy/modules/services/ucspitcp.if b/policy/modules/services/ucspitcp.if new file mode 100644 index 0000000..1f6f55b --- /dev/null +++ b/policy/modules/services/ucspitcp.if @@ -0,0 +1,35 @@ +## <summary>ucspitcp policy</summary> +## <desc> +## <p> +## Policy for DJB's ucspi-tcpd +## </p> +## </desc> + +######################################## +## <summary> +## Define a specified domain as a ucspitcp service. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="entrypoint"> +## <summary> +## The type associated with the process program. +## </summary> +## </param> +# +interface(`ucspitcp_service_domain',` + gen_require(` + type ucspitcp_t; + role system_r; + ') + + domain_type($1) + domain_entry_file($1, $2) + + role system_r types $1; + + domtrans_pattern(ucspitcp_t, $2, $1) +') diff --git a/policy/modules/services/ucspitcp.te b/policy/modules/services/ucspitcp.te new file mode 100644 index 0000000..37c056b --- /dev/null +++ b/policy/modules/services/ucspitcp.te 
@@ -0,0 +1,93 @@ +policy_module(ucspitcp, 1.3.0) + +######################################## +# +# Declarations +# + +type rblsmtpd_t; +type rblsmtpd_exec_t; +init_system_domain(rblsmtpd_t, rblsmtpd_exec_t) + +type ucspitcp_t; +type ucspitcp_exec_t; +init_system_domain(ucspitcp_t, ucspitcp_exec_t) + +######################################## +# +# Local policy for rblsmtpd +# + +ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t) + +corecmd_search_bin(rblsmtpd_t) + +corenet_all_recvfrom_unlabeled(rblsmtpd_t) +corenet_all_recvfrom_netlabel(rblsmtpd_t) +corenet_tcp_sendrecv_generic_if(rblsmtpd_t) +corenet_udp_sendrecv_generic_if(rblsmtpd_t) +corenet_tcp_sendrecv_generic_node(rblsmtpd_t) +corenet_udp_sendrecv_generic_node(rblsmtpd_t) +corenet_tcp_sendrecv_all_ports(rblsmtpd_t) +corenet_udp_sendrecv_all_ports(rblsmtpd_t) +corenet_tcp_bind_generic_node(rblsmtpd_t) +corenet_udp_bind_generic_port(rblsmtpd_t) + +files_read_etc_files(rblsmtpd_t) +files_search_var(rblsmtpd_t) + +optional_policy(` + daemontools_ipc_domain(rblsmtpd_t) +') + +######################################## +# +# Local policy for tcpserver +# + +allow ucspitcp_t self:capability { setgid setuid }; +allow ucspitcp_t self:fifo_file rw_fifo_file_perms; +allow ucspitcp_t self:tcp_socket create_stream_socket_perms; +allow ucspitcp_t self:udp_socket create_socket_perms; + +corecmd_search_bin(ucspitcp_t) + +# base networking: +corenet_all_recvfrom_unlabeled(ucspitcp_t) +corenet_all_recvfrom_netlabel(ucspitcp_t) +corenet_tcp_sendrecv_generic_if(ucspitcp_t) +corenet_udp_sendrecv_generic_if(ucspitcp_t) +corenet_tcp_sendrecv_generic_node(ucspitcp_t) +corenet_udp_sendrecv_generic_node(ucspitcp_t) +corenet_tcp_sendrecv_all_ports(ucspitcp_t) +corenet_udp_sendrecv_all_ports(ucspitcp_t) +corenet_tcp_bind_generic_node(ucspitcp_t) +corenet_udp_bind_generic_node(ucspitcp_t) + +# server ports: +corenet_tcp_bind_ftp_port(ucspitcp_t) +corenet_tcp_bind_ftp_data_port(ucspitcp_t) +corenet_tcp_bind_http_port(ucspitcp_t) 
+corenet_tcp_bind_smtp_port(ucspitcp_t) +corenet_tcp_bind_dns_port(ucspitcp_t) +corenet_udp_bind_dns_port(ucspitcp_t) +corenet_udp_bind_generic_port(ucspitcp_t) + +# server packets: +corenet_sendrecv_ftp_server_packets(ucspitcp_t) +corenet_sendrecv_http_server_packets(ucspitcp_t) +corenet_sendrecv_smtp_server_packets(ucspitcp_t) +corenet_sendrecv_dns_server_packets(ucspitcp_t) +corenet_sendrecv_generic_server_packets(ucspitcp_t) + +files_search_var(ucspitcp_t) +files_read_etc_files(ucspitcp_t) + +sysnet_read_config(ucspitcp_t) + +optional_policy(` + daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t) + daemontools_sigchld_run(ucspitcp_t) + daemontools_read_svc(ucspitcp_t) +') + diff --git a/policy/modules/services/ulogd.fc b/policy/modules/services/ulogd.fc new file mode 100644 index 0000000..831b4a3 --- /dev/null +++ b/policy/modules/services/ulogd.fc @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0) +/etc/ulogd.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0) + +/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0) +/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0) + +/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0) diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if new file mode 100644 index 0000000..fd72fe8 --- /dev/null +++ b/policy/modules/services/ulogd.if 
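Review bot: in the rblsmtpd block of ucspitcp.te, rblsmtpd_t is given corenet_udp_bind_generic_port but neither a self:udp_socket rule nor corenet_udp_bind_generic_node, so the UDP bind it is being prepared for will be denied (compare the tcpserver block below, which pairs corenet_udp_bind_generic_node with corenet_udp_bind_generic_port and grants `allow ucspitcp_t self:udp_socket create_socket_perms;`). If the UDP traffic is the RBL DNS lookups, sysnet_dns_name_resolve(rblsmtpd_t) is the cleaner fix; otherwise add the missing node and socket rules.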
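Review bot: in ulogd.fc the entry `/etc/ulogd.conf` leaves the dot unescaped, unlike `/etc/rc\.d/init\.d/ulogd` in the same hunk and the `\.pid` entries in the other new .fc files; write it as `/etc/ulogd\.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0)` so the regex matches only the literal file name.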
@@ -0,0 +1,142 @@ +## <summary>Iptables/netfilter userspace logging daemon.</summary> + +######################################## +## <summary> +## Execute a domain transition to run ulogd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ulogd_domtrans',` + gen_require(` + type ulogd_t, ulogd_exec_t; + ') + + domtrans_pattern($1, ulogd_exec_t, ulogd_t) +') + +######################################## +## <summary> +## Allow the specified domain to read +## ulogd configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`ulogd_read_config',` + gen_require(` + type ulogd_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, ulogd_etc_t, ulogd_etc_t) +') + +######################################## +## <summary> +## Allow the specified domain to read ulogd's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`ulogd_read_log',` + gen_require(` + type ulogd_var_log_t; + ') + + logging_search_logs($1) + allow $1 ulogd_var_log_t:dir list_dir_perms; + read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t) +') + +####################################### +## <summary> +## Allow the specified domain to search ulogd's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ulogd_search_log',` + gen_require(` + type ulogd_var_log_t; + ') + + logging_search_logs($1) + allow $1 ulogd_var_log_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Allow the specified domain to append to ulogd's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`ulogd_append_log',` + gen_require(` + type ulogd_var_log_t; + ') + + logging_search_logs($1) + allow $1 ulogd_var_log_t:dir list_dir_perms; + allow $1 ulogd_var_log_t:file append_file_perms; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an ulogd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the syslog domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`ulogd_admin',` + gen_require(` + type ulogd_t, ulogd_etc_t, ulogd_modules_t; + type ulogd_var_log_t, ulogd_initrc_exec_t; + ') + + allow $1 ulogd_t:process { ptrace signal_perms }; + ps_process_pattern($1, ulogd_t) + + init_labeled_script_domtrans($1, ulogd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 ulogd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, ulogd_etc_t) + + logging_list_logs($1) + admin_pattern($1, ulogd_var_log_t) + + files_list_usr($1) + admin_pattern($1, ulogd_modules_t) +') diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te new file mode 100644 index 0000000..ef97cb3 --- /dev/null +++ b/policy/modules/services/ulogd.te 
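Review bot: the `role` parameter description in ulogd_admin (ulogd.if) reads "The role to be allowed to manage the syslog domain.", a copy-paste from the logging module; it should say "the ulogd domain". In the same doc block, "administrate an ulogd environment" should be "a ulogd environment".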
@@ -0,0 +1,64 @@ +policy_module(ulogd, 1.1.0) + +######################################## +# +# Declarations +# + +type ulogd_t; +type ulogd_exec_t; +init_daemon_domain(ulogd_t, ulogd_exec_t) + +# config files +type ulogd_etc_t; +files_type(ulogd_etc_t) + +type ulogd_initrc_exec_t; +init_script_file(ulogd_initrc_exec_t) + +# /usr/lib files +type ulogd_modules_t; +files_type(ulogd_modules_t) + +# log files +type ulogd_var_log_t; +logging_log_file(ulogd_var_log_t) + +######################################## +# +# ulogd local policy +# + +allow ulogd_t self:capability net_admin; +allow ulogd_t self:netlink_nflog_socket create_socket_perms; +allow ulogd_t self:netlink_route_socket r_netlink_socket_perms; +allow ulogd_t self:tcp_socket { create_stream_socket_perms connect }; +allow ulogd_t self:udp_socket create_socket_perms; + +# config files +read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) + +# modules for ulogd +list_dirs_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t) +mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t) + +# log files +manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) +logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) + +files_read_etc_files(ulogd_t) +files_read_usr_files(ulogd_t) + +miscfiles_read_localization(ulogd_t) + +sysnet_dns_name_resolve(ulogd_t) + +optional_policy(` + mysql_stream_connect(ulogd_t) + mysql_tcp_connect(ulogd_t) +') + +optional_policy(` + postgresql_stream_connect(ulogd_t) + postgresql_tcp_connect(ulogd_t) +') diff --git a/policy/modules/services/uptime.fc b/policy/modules/services/uptime.fc new file mode 100644 index 0000000..e30d6fc --- /dev/null +++ b/policy/modules/services/uptime.fc @@ -0,0 +1,6 @@ + +/etc/uptimed\.conf -- gen_context(system_u:object_r:uptimed_etc_t,s0) + +/usr/sbin/uptimed -- gen_context(system_u:object_r:uptimed_exec_t,s0) + +/var/spool/uptimed(/.*)? gen_context(system_u:object_r:uptimed_spool_t,s0) 
diff --git a/policy/modules/services/uptime.if b/policy/modules/services/uptime.if new file mode 100644 index 0000000..447abf7 --- /dev/null +++ b/policy/modules/services/uptime.if @@ -0,0 +1 @@ +## <summary>Uptime daemon</summary> diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te new file mode 100644 index 0000000..037a1e8 --- /dev/null +++ b/policy/modules/services/uptime.te 
@@ -0,0 +1,73 @@ +policy_module(uptime, 1.4.0) + +######################################## +# +# Declarations +# + +type uptimed_t; +type uptimed_exec_t; +init_daemon_domain(uptimed_t, uptimed_exec_t) + +type uptimed_etc_t alias etc_uptimed_t; +files_config_file(uptimed_etc_t) + +type uptimed_spool_t; +files_type(uptimed_spool_t) + +type uptimed_var_run_t; +files_pid_file(uptimed_var_run_t) + +######################################## +# +# Local policy +# + +dontaudit uptimed_t self:capability sys_tty_config; +allow uptimed_t self:process signal_perms; +allow uptimed_t self:fifo_file write_fifo_file_perms; + +allow uptimed_t uptimed_etc_t:file read_file_perms; +files_search_etc(uptimed_t) + +allow uptimed_t uptimed_spool_t:file manage_file_perms; + +manage_files_pattern(uptimed_t, uptimed_var_run_t, uptimed_var_run_t) +files_pid_filetrans(uptimed_t, uptimed_var_run_t, file) + +manage_dirs_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t) +manage_files_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t) +files_spool_filetrans(uptimed_t, uptimed_spool_t, { dir file }) + +kernel_read_system_state(uptimed_t) +kernel_read_kernel_sysctls(uptimed_t) + +corecmd_exec_shell(uptimed_t) + +dev_read_sysfs(uptimed_t) + +domain_use_interactive_fds(uptimed_t) + +files_read_etc_runtime_files(uptimed_t) + +fs_getattr_all_fs(uptimed_t) +fs_search_auto_mountpoints(uptimed_t) + +logging_send_syslog_msg(uptimed_t) + +miscfiles_read_localization(uptimed_t) + +userdom_dontaudit_use_unpriv_user_fds(uptimed_t) +userdom_dontaudit_search_user_home_dirs(uptimed_t) + +optional_policy(` + mta_send_mail(uptimed_t) +') + +optional_policy(` + seutil_sigchld_newrole(uptimed_t) +') + +optional_policy(` + udev_read_db(uptimed_t) +') diff --git a/policy/modules/services/usbmuxd.fc b/policy/modules/services/usbmuxd.fc new file mode 100644 index 0000000..40b8b8d --- /dev/null +++ b/policy/modules/services/usbmuxd.fc 
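Review bot: uptime.te declares uptimed_var_run_t and creates the PID file through files_pid_filetrans(uptimed_t, uptimed_var_run_t, file), but uptime.fc earlier in this patch has no /var/run entry for it, so a relabel (restorecon) resets the PID file to the generic /var/run type and uptimed_t, which has no rules on that type, loses access to it; add `/var/run/uptimed\.pid -- gen_context(system_u:object_r:uptimed_var_run_t,s0)` to uptime.fc. In the same hunk, `allow uptimed_t uptimed_spool_t:file manage_file_perms;` is subsumed by the manage_files_pattern(uptimed_t, uptimed_spool_t, uptimed_spool_t) a few lines below and can be dropped.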
@@ -0,0 +1,3 @@ +/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) + +/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) diff --git a/policy/modules/services/usbmuxd.if b/policy/modules/services/usbmuxd.if new file mode 100644 index 0000000..53792d3 --- /dev/null +++ b/policy/modules/services/usbmuxd.if @@ -0,0 +1,39 @@ +## <summary>USB multiplexing daemon for communicating with Apple iPod Touch and iPhone</summary> + +######################################## +## <summary> +## Execute a domain transition to run usbmuxd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`usbmuxd_domtrans',` + gen_require(` + type usbmuxd_t, usbmuxd_exec_t; + ') + + domtrans_pattern($1, usbmuxd_exec_t, usbmuxd_t) +') + +##################################### +## <summary> +## Connect to usbmuxd over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`usbmuxd_stream_connect',` + gen_require(` + type usbmuxd_t, usbmuxd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t) +') diff --git a/policy/modules/services/usbmuxd.te b/policy/modules/services/usbmuxd.te new file mode 100644 index 0000000..edfbe55 --- /dev/null +++ b/policy/modules/services/usbmuxd.te 
@@ -0,0 +1,42 @@ +policy_module(usbmuxd, 1.0.0) + +######################################## +# +# Declarations +# + +type usbmuxd_t; +type usbmuxd_exec_t; +application_domain(usbmuxd_t, usbmuxd_exec_t) +role system_r types usbmuxd_t; + +type usbmuxd_var_run_t; +files_pid_file(usbmuxd_var_run_t) + +######################################## +# +# usbmuxd local policy +# + +allow usbmuxd_t self:capability { kill setgid setuid }; +allow usbmuxd_t self:process { fork signal signull }; +allow usbmuxd_t self:fifo_file rw_fifo_file_perms; + +manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) +manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) +manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) +files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file }) + +kernel_read_kernel_sysctls(usbmuxd_t) +kernel_read_system_state(usbmuxd_t) + +dev_read_sysfs(usbmuxd_t) +dev_rw_generic_usb_dev(usbmuxd_t) + +files_read_etc_files(usbmuxd_t) + +miscfiles_read_localization(usbmuxd_t) + +auth_use_nsswitch(usbmuxd_t) + +logging_send_syslog_msg(usbmuxd_t) diff --git a/policy/modules/services/uucp.fc b/policy/modules/services/uucp.fc new file mode 100644 index 0000000..e1c0d8d --- /dev/null +++ b/policy/modules/services/uucp.fc @@ -0,0 +1,11 @@ + +/usr/bin/uux -- gen_context(system_u:object_r:uux_exec_t,s0) + +/usr/sbin/uucico -- gen_context(system_u:object_r:uucpd_exec_t,s0) + +/var/spool/uucp(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0) +/var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0) + +/var/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0) + +/var/log/uucp(/.*)? gen_context(system_u:object_r:uucpd_log_t,s0) diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if new file mode 100644 index 0000000..a717e2d --- /dev/null +++ b/policy/modules/services/uucp.if 
@@ -0,0 +1,120 @@ +## <summary>Unix to Unix Copy</summary> + +######################################## +## <summary> +## Execute the uucico program in the +## uucpd_t domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`uucp_domtrans',` + gen_require(` + type uucpd_t, uucpd_exec_t; + ') + + domtrans_pattern($1, uucpd_exec_t, uucpd_t) +') + +######################################## +## <summary> +## Allow the specified domain to append +## to uucp log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`uucp_append_log',` + gen_require(` + type uucpd_log_t; + ') + + logging_search_logs($1) + allow $1 uucpd_log_t:dir list_dir_perms; + append_files_pattern($1, uucpd_log_t, uucpd_log_t) +') + +######################################## +## <summary> +## Create, read, write, and delete uucp spool files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`uucp_manage_spool',` + gen_require(` + type uucpd_spool_t; + ') + + files_search_spool($1) + manage_dirs_pattern($1, uucpd_spool_t, uucpd_spool_t) + manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t) + manage_lnk_files_pattern($1, uucpd_spool_t, uucpd_spool_t) +') + +######################################## +## <summary> +## Execute the master uux program in the +## uux_t domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`uucp_domtrans_uux',` + gen_require(` + type uux_t, uux_exec_t; + ') + + domtrans_pattern($1, uux_exec_t, uux_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an uucp environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`uucp_admin',` + gen_require(` + type uucpd_t, uucpd_tmp_t, uucpd_log_t; + type uucpd_spool_t, uucpd_ro_t, uucpd_rw_t; + type uucpd_var_run_t; + ') + + allow $1 uucpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, uucpd_t) + + logging_list_logs($1) + admin_pattern($1, uucpd_log_t) + + files_list_spool($1) + admin_pattern($1, uucpd_spool_t) + + admin_pattern($1, uucpd_ro_t) + + admin_pattern($1, uucpd_rw_t) + + files_list_tmp($1) + admin_pattern($1, uucpd_tmp_t) + + files_list_pids($1) + admin_pattern($1, uucpd_var_run_t) +') diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te new file mode 100644 index 0000000..1e40c2a --- /dev/null +++ b/policy/modules/services/uucp.te 
@@ -0,0 +1,149 @@ +policy_module(uucp, 1.11.0) + +######################################## +# +# Declarations +# +type uucpd_t; +type uucpd_exec_t; +inetd_tcp_service_domain(uucpd_t, uucpd_exec_t) + +type uucpd_lock_t; +files_lock_file(uucpd_lock_t) + +type uucpd_tmp_t; +files_tmp_file(uucpd_tmp_t) + +type uucpd_var_run_t; +files_pid_file(uucpd_var_run_t) + +type uucpd_rw_t; +files_type(uucpd_rw_t) + +type uucpd_ro_t; +files_type(uucpd_ro_t) + +type uucpd_spool_t; +files_type(uucpd_spool_t) + +type uucpd_log_t; +logging_log_file(uucpd_log_t) + +type uux_t; +type uux_exec_t; +application_domain(uux_t, uux_exec_t) +role system_r types uux_t; + +######################################## +# +# UUCPd Local policy +# +allow uucpd_t self:capability { setuid setgid }; +allow uucpd_t self:process signal_perms; +allow uucpd_t self:fifo_file rw_fifo_file_perms; +allow uucpd_t self:tcp_socket connected_stream_socket_perms; +allow uucpd_t self:udp_socket create_socket_perms; +allow uucpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; + +allow uucpd_t uucpd_log_t:dir setattr; +manage_files_pattern(uucpd_t, uucpd_log_t, uucpd_log_t) +logging_log_filetrans(uucpd_t, uucpd_log_t, { file dir }) + +allow uucpd_t uucpd_ro_t:dir list_dir_perms; +read_files_pattern(uucpd_t, uucpd_ro_t, uucpd_ro_t) +read_lnk_files_pattern(uucpd_t, uucpd_ro_t, uucpd_ro_t) + +manage_dirs_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t) +manage_files_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t) +manage_lnk_files_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t) + +uucp_manage_spool(uucpd_t) + +manage_dirs_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t) +manage_files_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t) +files_search_locks(uucpd_t) + +manage_dirs_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t) +manage_files_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t) +files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir }) + +manage_files_pattern(uucpd_t, uucpd_var_run_t, uucpd_var_run_t) +files_pid_filetrans(uucpd_t, uucpd_var_run_t, file) 
+ +kernel_read_kernel_sysctls(uucpd_t) +kernel_read_system_state(uucpd_t) +kernel_read_network_state(uucpd_t) + +corenet_all_recvfrom_unlabeled(uucpd_t) +corenet_all_recvfrom_netlabel(uucpd_t) +corenet_tcp_sendrecv_generic_if(uucpd_t) +corenet_udp_sendrecv_generic_if(uucpd_t) +corenet_tcp_sendrecv_generic_node(uucpd_t) +corenet_udp_sendrecv_generic_node(uucpd_t) +corenet_tcp_sendrecv_all_ports(uucpd_t) +corenet_udp_sendrecv_all_ports(uucpd_t) +corenet_tcp_connect_ssh_port(uucpd_t) + +dev_read_urand(uucpd_t) + +fs_getattr_xattr_fs(uucpd_t) + +corecmd_exec_bin(uucpd_t) +corecmd_exec_shell(uucpd_t) + +files_read_etc_files(uucpd_t) +files_search_home(uucpd_t) +files_search_spool(uucpd_t) + +term_setattr_controlling_term(uucpd_t) + +auth_use_nsswitch(uucpd_t) + +logging_send_syslog_msg(uucpd_t) + +miscfiles_read_localization(uucpd_t) + +mta_send_mail(uucpd_t) + +optional_policy(` + cron_system_entry(uucpd_t, uucpd_exec_t) +') + +optional_policy(` + kerberos_use(uucpd_t) +') + +optional_policy(` + ssh_exec(uucpd_t) +') + +######################################## +# +# UUX Local policy +# + +allow uux_t self:capability { setuid setgid }; +allow uux_t self:fifo_file write_fifo_file_perms; + +uucp_append_log(uux_t) +uucp_manage_spool(uux_t) + +corecmd_exec_bin(uux_t) + +files_read_etc_files(uux_t) + +fs_rw_anon_inodefs_files(uux_t) + +logging_send_syslog_msg(uux_t) + +miscfiles_read_localization(uux_t) + +optional_policy(` + mta_send_mail(uux_t) + mta_read_queue(uux_t) + sendmail_dontaudit_rw_unix_stream_sockets(uux_t) +') + +optional_policy(` + nscd_socket_use(uux_t) +') diff --git a/policy/modules/services/uwimap.fc b/policy/modules/services/uwimap.fc new file mode 100644 index 0000000..43bdef0 --- /dev/null +++ b/policy/modules/services/uwimap.fc @@ -0,0 +1,2 @@ + +/usr/sbin/imapd -- gen_context(system_u:object_r:imapd_exec_t,s0) diff --git a/policy/modules/services/uwimap.if b/policy/modules/services/uwimap.if new file mode 100644 index 0000000..8337684 --- /dev/null 
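Review bot: in the UUCPd local policy of uucp.te, uucpd_t gets `connected_stream_socket_perms` on self:tcp_socket, the set meant for an inetd-spawned service whose socket is already connected, yet the same block adds corenet_tcp_connect_ssh_port(uucpd_t) and an optional ssh_exec(uucpd_t). An outgoing ssh connection made by uucico itself also needs `connect` on its own tcp_socket, which that set does not include; either switch to create_stream_socket_perms with a comment on why uucico dials out, or, if the ssh leg is always a child ssh process, drop the connect_ssh_port rule. Note also that mta_send_mail(uucpd_t) is unconditional here while the same call for uux_t sits inside optional_policy; the two should agree.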
+++ b/policy/modules/services/uwimap.if @@ -0,0 +1,20 @@ +## <summary>University of Washington IMAP toolkit POP3 and IMAP mail server</summary> + +######################################## +## <summary> +## Execute the UW IMAP/POP3 servers with a domain transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`uwimap_domtrans',` + gen_require(` + type imapd_t, imapd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, imapd_exec_t, imapd_t) +') diff --git a/policy/modules/services/uwimap.te b/policy/modules/services/uwimap.te new file mode 100644 index 0000000..41fa663 --- /dev/null +++ b/policy/modules/services/uwimap.te 
@@ -0,0 +1,95 @@ +policy_module(uwimap, 1.8.0) + +######################################## +# +# Declarations +# + +type imapd_t; +type imapd_exec_t; +init_daemon_domain(imapd_t, imapd_exec_t) +inetd_tcp_service_domain(imapd_t, imapd_exec_t) + +type imapd_tmp_t; +files_tmp_file(imapd_tmp_t) + +type imapd_var_run_t; +files_pid_file(imapd_var_run_t) + +######################################## +# +# Local policy +# + +allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource }; +dontaudit imapd_t self:capability sys_tty_config; +allow imapd_t self:process signal_perms; +allow imapd_t self:fifo_file rw_fifo_file_perms; +allow imapd_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t) +manage_files_pattern(imapd_t, imapd_tmp_t, imapd_tmp_t) +files_tmp_filetrans(imapd_t, imapd_tmp_t, { file dir }) + +manage_files_pattern(imapd_t, imapd_var_run_t, imapd_var_run_t) +files_pid_filetrans(imapd_t, imapd_var_run_t, file) + +kernel_read_kernel_sysctls(imapd_t) +kernel_list_proc(imapd_t) +kernel_read_proc_symlinks(imapd_t) + +corenet_all_recvfrom_unlabeled(imapd_t) +corenet_all_recvfrom_netlabel(imapd_t) +corenet_tcp_sendrecv_generic_if(imapd_t) +corenet_tcp_sendrecv_generic_node(imapd_t) +corenet_tcp_sendrecv_all_ports(imapd_t) +corenet_tcp_bind_generic_node(imapd_t) +corenet_tcp_bind_pop_port(imapd_t) +corenet_tcp_connect_all_ports(imapd_t) +corenet_sendrecv_pop_server_packets(imapd_t) +corenet_sendrecv_all_client_packets(imapd_t) + +dev_read_sysfs(imapd_t) +#urandom, for ssl +dev_read_rand(imapd_t) +dev_read_urand(imapd_t) + +domain_use_interactive_fds(imapd_t) + +#read /etc/ for hostname nsswitch.conf +files_read_etc_files(imapd_t) + +fs_getattr_all_fs(imapd_t) +fs_search_auto_mountpoints(imapd_t) + +auth_domtrans_chk_passwd(imapd_t) + +logging_send_syslog_msg(imapd_t) + +miscfiles_read_localization(imapd_t) + +sysnet_read_config(imapd_t) + +userdom_dontaudit_use_unpriv_user_fds(imapd_t) +# 
cjp: this is excessive, should be limited to the +# mail directories +userdom_manage_user_home_content_dirs(imapd_t) +userdom_manage_user_home_content_files(imapd_t) +userdom_manage_user_home_content_symlinks(imapd_t) +userdom_manage_user_home_content_pipes(imapd_t) +userdom_manage_user_home_content_sockets(imapd_t) +userdom_user_home_dir_filetrans_user_home_content(imapd_t, { dir file lnk_file fifo_file sock_file }) + +mta_rw_spool(imapd_t) + +optional_policy(` + seutil_sigchld_newrole(imapd_t) +') + +optional_policy(` + tcpd_wrapped_domain(imapd_t, imapd_exec_t) +') + +optional_policy(` + udev_read_db(imapd_t) +') diff --git a/policy/modules/services/varnishd.fc b/policy/modules/services/varnishd.fc new file mode 100644 index 0000000..194d123 --- /dev/null +++ b/policy/modules/services/varnishd.fc @@ -0,0 +1,18 @@ +/etc/rc\.d/init\.d/varnish -- gen_context(system_u:object_r:varnishd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/varnishlog -- gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0) +/etc/rc\.d/init\.d/varnishncsa -- gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0) + +/etc/varnish(/.*)? gen_context(system_u:object_r:varnishd_etc_t,s0) + +/usr/bin/varnishlog -- gen_context(system_u:object_r:varnishlog_exec_t,s0) +/usr/bin/varnisncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0) + +/usr/sbin/varnishd -- gen_context(system_u:object_r:varnishd_exec_t,s0) + +/var/lib/varnish(/.*)? gen_context(system_u:object_r:varnishd_var_lib_t,s0) + +/var/log/varnish(/.*)? gen_context(system_u:object_r:varnishlog_log_t,s0) + +/var/run/varnish\.pid -- gen_context(system_u:object_r:varnishd_var_run_t,s0) +/var/run/varnishlog\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0) +/var/run/varnishncsa\.pid -- gen_context(system_u:object_r:varnishlog_var_run_t,s0) diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if new file mode 100644 index 0000000..fe5ce10 --- /dev/null +++ b/policy/modules/services/varnishd.if 
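Review bot: the block flagged by the in-line `cjp:` comment in uwimap.te gives imapd_t full create/read/write/delete rights over every kind of user home content (userdom_manage_user_home_content_dirs/files/symlinks/pipes/sockets plus the user_home_dir_filetrans), and imapd_t also holds dac_override, so a compromised imapd can modify any file in any user's home directory, not just mailboxes. The comment already acknowledges this is excessive; rather than merging it as-is, restrict the manage rules to a dedicated mail type in the home directory (the mail spool side is already covered by mta_rw_spool), or at least gate the broad rules behind a tunable so the default build stays least-privilege.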
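Review bot: varnishd.fc labels `/usr/bin/varnisncsa`, which misspells the binary; the init script and PID entries in the same hunk use `varnishncsa`, so this line never matches the real file, /usr/bin/varnishncsa stays bin_t, and init will not transition it into varnishlog_t. Change it to `/usr/bin/varnishncsa -- gen_context(system_u:object_r:varnishlog_exec_t,s0)`.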
@@ -0,0 +1,216 @@ +## <summary>Varnishd http accelerator daemon</summary> + +####################################### +## <summary> +## Execute varnishd in the varnishd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`varnishd_domtrans',` + gen_require(` + type varnishd_t, varnishd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, varnishd_exec_t, varnishd_t) +') + +####################################### +## <summary> +## Execute varnishd +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`varnishd_exec',` + gen_require(` + type varnishd_exec_t; + ') + + can_exec($1, varnishd_exec_t) +') + +###################################### +## <summary> +## Read varnishd configuration file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`varnishd_read_config',` + gen_require(` + type varnishd_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, varnishd_etc_t, varnishd_etc_t) +') + +##################################### +## <summary> +## Read varnish lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`varnishd_read_lib_files',` + gen_require(` + type varnishd_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t) +') + +####################################### +## <summary> +## Read varnish logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`varnishd_read_log',` + gen_require(` + type varnishlog_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, varnishlog_log_t, varnishlog_log_t) +') + +###################################### +## <summary> +## Append varnish logs. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`varnishd_append_log',` + gen_require(` + type varnishlog_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, varnishlog_log_t, varnishlog_log_t) +') + +##################################### +## <summary> +## Manage varnish logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`varnishd_manage_log',` + gen_require(` + type varnishlog_log_t; + ') + + logging_search_logs($1) + manage_files_pattern($1, varnishlog_log_t, varnishlog_log_t) +') + +###################################### +## <summary> +## All of the rules required to administrate +## an varnishlog environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the varnishlog domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`varnishd_admin_varnishlog',` + gen_require(` + type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t; + type varnishlog_var_run_t; + ') + + allow $1 varnishlog_t:process { ptrace signal_perms }; + ps_process_pattern($1, varnishlog_t) + + init_labeled_script_domtrans($1, varnishlog_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 varnishlog_initrc_exec_t system_r; + allow $2 system_r; + + files_list_pids($1) + admin_pattern($1, varnishlog_var_run_t) + + logging_list_logs($1) + admin_pattern($1, varnishlog_log_t) +') + +####################################### +## <summary> +## All of the rules required to administrate +## an varnishd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the varnishd domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`varnishd_admin',` + gen_require(` + type varnishd_t, varnishd_var_lib_t, varnishd_etc_t; + type varnishd_var_run_t, varnishd_tmp_t; + type varnishd_initrc_exec_t; + ') + + allow $1 varnishd_t:process { ptrace signal_perms }; + ps_process_pattern($1, varnishd_t) + + init_labeled_script_domtrans($1, varnishd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 varnishd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_var_lib($1) + admin_pattern($1, varnishd_var_lib_t) + + files_list_etc($1) + admin_pattern($1, varnishd_etc_t) + + files_list_pids($1) + admin_pattern($1, varnishd_var_run_t) + + files_list_tmp($1) + admin_pattern($1, varnishd_tmp_t) +') diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te new file mode 100644 index 0000000..c6bf70e --- /dev/null +++ b/policy/modules/services/varnishd.te 
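Review bot: the `varnishd_admin` interface grants nothing on varnishlog_t or varnishlog_log_t, so a role given only `varnishd_admin` cannot manage the log daemon or its files and has to be given `varnishd_admin_varnishlog` as well; either have `varnishd_admin` call `varnishd_admin_varnishlog($1, $2)` or state the split in both summaries. Minor: the summaries read "administrate an varnishlog environment" and "an varnishd environment"; should be "a".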
@@ -0,0 +1,118 @@ +policy_module(varnishd, 1.1.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow varnishd to connect to all ports, +## not just HTTP. +## </p> +## </desc> +gen_tunable(varnishd_connect_any, false) + +type varnishd_t; +type varnishd_exec_t; +init_daemon_domain(varnishd_t, varnishd_exec_t) + +type varnishd_initrc_exec_t; +init_script_file(varnishd_initrc_exec_t) + +type varnishd_etc_t; +files_type(varnishd_etc_t) + +type varnishd_tmp_t; +files_tmp_file(varnishd_tmp_t) + +type varnishd_var_lib_t; +files_type(varnishd_var_lib_t) + +type varnishd_var_run_t; +files_pid_file(varnishd_var_run_t) + +type varnishlog_t; +type varnishlog_exec_t; +init_daemon_domain(varnishlog_t, varnishlog_exec_t) + +type varnishlog_initrc_exec_t; +init_script_file(varnishlog_initrc_exec_t) + +type varnishlog_var_run_t; +files_pid_file(varnishlog_var_run_t) + +type varnishlog_log_t; +files_type(varnishlog_log_t) + +######################################## +# +# varnishd local policy +# + +allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; +dontaudit varnishd_t self:capability sys_tty_config; +allow varnishd_t self:process signal; +allow varnishd_t self:fifo_file rw_fifo_file_perms; +allow varnishd_t self:tcp_socket create_stream_socket_perms; +allow varnishd_t self:udp_socket create_socket_perms; + +read_files_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t) +list_dirs_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t) + +manage_dirs_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t) +manage_files_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t) +files_tmp_filetrans(varnishd_t, varnishd_tmp_t, { file dir }) + +exec_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t) +manage_dirs_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t) +manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t) +files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file }) 
+ +manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t) +files_pid_filetrans(varnishd_t, varnishd_var_run_t, file) + +kernel_read_system_state(varnishd_t) + +corecmd_exec_bin(varnishd_t) +corecmd_exec_shell(varnishd_t) + +corenet_tcp_sendrecv_generic_if(varnishd_t) +corenet_tcp_bind_generic_node(varnishd_t) +corenet_tcp_bind_http_port(varnishd_t) +corenet_tcp_bind_http_cache_port(varnishd_t) +corenet_tcp_bind_varnishd_port(varnishd_t) +corenet_tcp_connect_http_cache_port(varnishd_t) +corenet_tcp_connect_http_port(varnishd_t) + +dev_read_urand(varnishd_t) + +fs_getattr_all_fs(varnishd_t) + +auth_use_nsswitch(varnishd_t) + +logging_send_syslog_msg(varnishd_t) + +miscfiles_read_localization(varnishd_t) + +sysnet_read_config(varnishd_t) + +tunable_policy(`varnishd_connect_any',` + corenet_tcp_connect_all_ports(varnishd_t) + corenet_tcp_bind_all_ports(varnishd_t) +') + +####################################### +# +# varnishlog local policy +# + +manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t) +files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, file) + +manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) +manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) +logging_log_filetrans(varnishlog_t, varnishlog_log_t, { file dir }) + +files_search_var_lib(varnishlog_t) +read_files_pattern(varnishlog_t, varnishd_var_lib_t, varnishd_var_lib_t) diff --git a/policy/modules/services/vhostmd.fc b/policy/modules/services/vhostmd.fc new file mode 100644 index 0000000..c1fb329 --- /dev/null +++ b/policy/modules/services/vhostmd.fc @@ -0,0 +1,5 @@ +/etc/rc.d/init.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0) + +/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0) + +/var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0) 
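Review bot: the `varnishd_connect_any` boolean is documented as "Allow varnishd to connect to all ports, not just HTTP", but the `tunable_policy(`varnishd_connect_any',` block also grants `corenet_tcp_bind_all_ports(varnishd_t)`. Binding a listener on any port is a separate and larger grant than connecting, and the description does not disclose it; varnishd_t already has bind to the http, http_cache and varnishd ports unconditionally. Either drop the bind line from the tunable or rename/redocument the boolean so the admin enabling it knows it also allows listening anywhere. Separately, the varnishlog local policy section has no self rules, no `logging_send_syslog_msg` and no `miscfiles_read_localization` unlike varnishd_t; if that is intentional because varnishlog_t only reads varnishd_var_lib_t and writes varnishlog_log_t, fine, but it should be exercised in permissive mode before merge.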
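Review bot: the vhostmd.fc patterns `/etc/rc.d/init.d/vhostmd` and `/var/run/vhostmd.pid` leave the dots unescaped, unlike every other .fc file in this patch (`/etc/rc\.d/init\.d/varnish`, `/var/run/varnish\.pid`); an unescaped `.` matches any character, so the regexes are looser than intended. Escape them as `/etc/rc\.d/init\.d/vhostmd` and `/var/run/vhostmd\.pid` for consistency with the rest of the tree.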
diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if new file mode 100644 index 0000000..da605ba --- /dev/null +++ b/policy/modules/services/vhostmd.if 
@@ -0,0 +1,224 @@ +## <summary>Virtual host metrics daemon</summary> + +######################################## +## <summary> +## Execute a domain transition to run vhostmd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`vhostmd_domtrans',` + gen_require(` + type vhostmd_t, vhostmd_exec_t; + ') + + domtrans_pattern($1, vhostmd_exec_t, vhostmd_t) +') + +######################################## +## <summary> +## Execute vhostmd server in the vhostmd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`vhostmd_initrc_domtrans',` + gen_require(` + type vhostmd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, vhostmd_initrc_exec_t) +') + +######################################## +## <summary> +## Allow domain to read, vhostmd tmpfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`vhostmd_read_tmpfs_files',` + gen_require(` + type vhostmd_tmpfs_t; + ') + + allow $1 vhostmd_tmpfs_t:file read_file_perms; + fs_search_tmpfs($1) +') + +######################################## +## <summary> +## Do not audit attempts to read, +## vhostmd tmpfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`vhostmd_dontaudit_read_tmpfs_files',` + gen_require(` + type vhostmd_tmpfs_t; + ') + + dontaudit $1 vhostmd_tmpfs_t:file read_file_perms; +') + +####################################### +## <summary> +## Allow domain to read and write vhostmd tmpfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`vhostmd_rw_tmpfs_files',` + gen_require(` + type vhostmd_tmpfs_t; + ') + + rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) + fs_search_tmpfs($1) +') + +######################################## +## <summary> +## Create, read, write, and delete vhostmd tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`vhostmd_manage_tmpfs_files',` + gen_require(` + type vhostmd_tmpfs_t; + ') + + manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) + fs_search_tmpfs($1) +') + +######################################## +## <summary> +## Read vhostmd PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`vhostmd_read_pid_files',` + gen_require(` + type vhostmd_var_run_t; + ') + + files_search_pids($1) + allow $1 vhostmd_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Manage vhostmd var_run files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`vhostmd_manage_pid_files',` + gen_require(` + type vhostmd_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) +') + +######################################## +## <summary> +## Connect to vhostmd over an unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`vhostmd_stream_connect',` + gen_require(` + type vhostmd_t, vhostmd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t, vhostmd_t) +') + +####################################### +## <summary> +## Dontaudit read and write to vhostmd +## over an unix domain stream socket. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`vhostmd_dontaudit_rw_stream_connect',` + gen_require(` + type vhostmd_t; + ') + + dontaudit $1 vhostmd_t:unix_stream_socket { read write }; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an vhostmd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`vhostmd_admin',` + gen_require(` + type vhostmd_t, vhostmd_initrc_exec_t; + ') + + allow $1 vhostmd_t:process { ptrace signal_perms }; + ps_process_pattern($1, vhostmd_t) + + vhostmd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 vhostmd_initrc_exec_t system_r; + allow $2 system_r; + + vhostmd_manage_tmpfs_files($1) + + vhostmd_manage_pid_files($1) +') diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te new file mode 100644 index 0000000..7baeb6f --- /dev/null +++ b/policy/modules/services/vhostmd.te 
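Review bot: `vhostmd_dontaudit_rw_stream_connect` dontaudits `{ read write }` on `vhostmd_t:unix_stream_socket`, i.e. reads and writes on an already-connected socket, not the `connectto` permission its name implies; rename it to something like `vhostmd_dontaudit_rw_stream_sockets` so callers do not pair it with the wrong allow interface, and fix the summary ("Dontaudit read and write to vhostmd over an unix domain stream socket") to match. Also `vhostmd_domtrans` omits the `corecmd_search_bin($1)` that `varnishd_domtrans` in this same patch includes; the caller needs search on the bin directory to reach /usr/sbin/vhostmd, so add it or document that the caller must supply it.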
@@ -0,0 +1,79 @@ +policy_module(vhostmd, 1.0.0) + +######################################## +# +# Declarations +# + +type vhostmd_t; +type vhostmd_exec_t; +init_daemon_domain(vhostmd_t, vhostmd_exec_t) + +type vhostmd_initrc_exec_t; +init_script_file(vhostmd_initrc_exec_t) + +type vhostmd_tmpfs_t; +files_tmpfs_file(vhostmd_tmpfs_t) + +type vhostmd_var_run_t; +files_pid_file(vhostmd_var_run_t) + +######################################## +# +# vhostmd local policy +# + +allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid }; +allow vhostmd_t self:process { setsched getsched }; +allow vhostmd_t self:fifo_file rw_fifo_file_perms; + +manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) +manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t) +fs_tmpfs_filetrans(vhostmd_t, vhostmd_tmpfs_t, { file dir }) + +manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t) +manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t) +files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir }) + +kernel_read_system_state(vhostmd_t) +kernel_read_network_state(vhostmd_t) +kernel_write_xen_state(vhostmd_t) + +corecmd_exec_bin(vhostmd_t) +corecmd_exec_shell(vhostmd_t) + +corenet_tcp_connect_soundd_port(vhostmd_t) + +# 579803 +files_list_tmp(vhostmd_t) +files_read_etc_files(vhostmd_t) +files_read_usr_files(vhostmd_t) + +dev_read_sysfs(vhostmd_t) + +auth_use_nsswitch(vhostmd_t) + +logging_send_syslog_msg(vhostmd_t) + +miscfiles_read_localization(vhostmd_t) + +optional_policy(` + hostname_exec(vhostmd_t) +') + +optional_policy(` + rpm_exec(vhostmd_t) + rpm_read_db(vhostmd_t) +') + +optional_policy(` + virt_stream_connect(vhostmd_t) + virt_write_content(vhostmd_t) +') + +optional_policy(` + xen_domtrans_xm(vhostmd_t) + xen_stream_connect(vhostmd_t) + xen_stream_connect_xenstore(vhostmd_t) + xen_stream_connect_xm(vhostmd_t) +') 
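Review bot: `corenet_tcp_connect_soundd_port(vhostmd_t)` carries no comment explaining why a virtual host metrics daemon needs to connect to the sound daemon port type; if this is really about reaching some other service that happens to share a port labeled soundd_port_t, say which one or introduce a dedicated port type, otherwise the rule reads like an audit2allow artifact and should be dropped. The `# 579803` above `files_list_tmp(vhostmd_t)` is a bare bug number with no tracker named; spell out what it refers to. Finally, `corecmd_exec_shell`, `rpm_exec`, `xen_domtrans_xm` and `virt_write_content` together make vhostmd_t a fairly capable domain for a metrics collector; that is presumably required by its metric scripts, but a one-line comment per grant would make the review easier.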
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc new file mode 100644 index 0000000..be4b00f --- /dev/null +++ b/policy/modules/services/virt.fc 
@@ -0,0 +1,32 @@ +HOME_DIR/.libvirt(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) + +/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) +/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0) +/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) +/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) + +/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) + +/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) + +/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) + +/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) + +/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) 
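Review bot: `/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)` labels a Condor helper with libvirtd's entrypoint type, so it runs in virtd_t with that domain's full capability set (the virt.te hunk grants chown, dac_override, net_admin, net_raw, sys_admin, sys_ptrace and more); if it genuinely needs all of that, say so in a comment, otherwise give it its own domain or a domtrans into virtd_t from a condor domain. Also `/var/lib/libvirt/qemu(/.*)?` is labeled qemu_var_run_t, a pid-file type, although it lives under /var/lib and the surrounding entries use virt_var_lib_t; this is probably intended so the svirt domains can share it with `/var/run/libvirt/qemu`, but it deserves a comment.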
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if new file mode 100644 index 0000000..dbdc0e0 --- /dev/null +++ b/policy/modules/services/virt.if 
@@ -0,0 +1,610 @@ +## <summary>Libvirt virtualization API</summary> + +######################################## +## <summary> +## Creates types and rules for a basic +## qemu process domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. +## </summary> +## </param> +# +template(`virt_domain_template',` + gen_require(` + type virtd_t; + attribute virt_image_type, virt_domain; + ') + + type $1_t, virt_domain; + domain_type($1_t) + domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) + mcs_untrusted_proc($1_t) + role system_r types $1_t; + + type $1_devpts_t; + term_pty($1_devpts_t) + + type $1_tmp_t; + files_tmp_file($1_tmp_t) + + type $1_tmpfs_t; + files_tmpfs_file($1_tmpfs_t) + + type $1_image_t, virt_image_type; + files_type($1_image_t) + dev_node($1_image_t) + dev_associate_sysfs($1_image_t) + + allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; + term_create_pty($1_t, $1_devpts_t) + + manage_dirs_pattern($1_t, $1_image_t, $1_image_t) + manage_files_pattern($1_t, $1_image_t, $1_image_t) + manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t) + read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) + rw_chr_files_pattern($1_t, $1_image_t, $1_image_t) + rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) + fs_hugetlbfs_filetrans($1_t, $1_image_t, file) + + manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) + manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) + manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t) + files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) + + manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) + + optional_policy(` + xserver_rw_shm($1_t) + ') +') + +######################################## +## <summary> +## Make the specified type usable as a virt image +## </summary> +## <param name="type"> +## <summary> +## 
Type to be used as a virtual image +## </summary> +## </param> +# +interface(`virt_image',` + gen_require(` + attribute virt_image_type; + ') + + typeattribute $1 virt_image_type; + files_type($1) + + # virt images can be assigned to blk devices + dev_node($1) +') + +######################################## +## <summary> +## Execute a domain transition to run virt. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_domtrans',` + gen_require(` + type virtd_t, virtd_exec_t; + ') + + domtrans_pattern($1, virtd_exec_t, virtd_t) +') + +####################################### +## <summary> +## Connect to virt over an unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stream_connect',` + gen_require(` + type virtd_t, virt_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) +') + +######################################## +## <summary> +## Allow domain to attach to virt TUN devices +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_attach_tun_iface',` + gen_require(` + type virtd_t; + ') + + allow $1 virtd_t:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') + +######################################## +## <summary> +## Read virt config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_config',` + gen_require(` + type virt_etc_t, virt_etc_rw_t; + ') + + files_search_etc($1) + read_files_pattern($1, virt_etc_t, virt_etc_t) + read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +') + +######################################## +## <summary> +## manage virt config files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_config',` + gen_require(` + type virt_etc_t, virt_etc_rw_t; + ') + + files_search_etc($1) + manage_files_pattern($1, virt_etc_t, virt_etc_t) + manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +') + +######################################## +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_content',` + gen_require(` + type virt_content_t; + ') + + virt_search_lib($1) + allow $1 virt_content_t:dir list_dir_perms; + list_dirs_pattern($1, virt_content_t, virt_content_t) + read_files_pattern($1, virt_content_t, virt_content_t) + read_lnk_files_pattern($1, virt_content_t, virt_content_t) + read_blk_files_pattern($1, virt_content_t, virt_content_t) + + tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) + ') + + tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) + ') +') + +######################################## +## <summary> +## Allow domain to write virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_write_content',` + gen_require(` + type virt_content_t; + ') + + allow $1 virt_content_t:file write_file_perms; +') + +######################################## +## <summary> +## Read virt PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_read_pid_files',` + gen_require(` + type virt_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, virt_var_run_t, virt_var_run_t) +') + +######################################## +## <summary> +## Manage virt pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_pid_files',` + gen_require(` + type virt_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, virt_var_run_t, virt_var_run_t) +') + +######################################## +## <summary> +## Search virt lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_search_lib',` + gen_require(` + type virt_var_lib_t; + ') + + allow $1 virt_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Read virt lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +') + +######################################## +## <summary> +## Dontaudit inherited read virt lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_dontaudit_read_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + dontaudit $1 virt_var_lib_t:file read_inherited_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete +## virt lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_manage_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +') + +######################################## +## <summary> +## Allow the specified domain to read virt's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_read_log',` + gen_require(` + type virt_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## <summary> +## Allow the specified domain to append +## virt log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_append_log',` + gen_require(` + type virt_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## <summary> +## Allow domain to manage virt log files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_log',` + gen_require(` + type virt_log_t; + ') + + manage_dirs_pattern($1, virt_log_t, virt_log_t) + manage_files_pattern($1, virt_log_t, virt_log_t) + manage_lnk_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## <summary> +## Allow domain to read virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_read_images',` + gen_require(` + type virt_var_lib_t; + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:dir list_dir_perms; + list_dirs_pattern($1, virt_image_type, virt_image_type) + read_files_pattern($1, virt_image_type, virt_image_type) + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + read_blk_files_pattern($1, virt_image_type, virt_image_type) + + tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) + ') + + tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) + ') +') + +######################################## +## <summary> +## Allow domain to read virt blk image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_blk_images',` + gen_require(` + attribute virt_image_type; + ') + + read_blk_files_pattern($1, virt_image_type, virt_image_type) +') + +######################################## +## <summary> +## Create, read, write, and delete +## svirt cache files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_cache',` + gen_require(` + type virt_cache_t; + ') + + files_search_var($1) + manage_dirs_pattern($1, virt_cache_t, virt_cache_t) + manage_files_pattern($1, virt_cache_t, virt_cache_t) + manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) +') + +######################################## +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_manage_images',` + gen_require(` + type virt_var_lib_t; + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:dir list_dir_perms; + manage_dirs_pattern($1, virt_image_type, virt_image_type) + manage_files_pattern($1, virt_image_type, virt_image_type) + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + rw_blk_files_pattern($1, virt_image_type, virt_image_type) + + tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + fs_read_nfs_symlinks($1) + ') + + tunable_policy(`virt_use_samba',` + fs_manage_cifs_files($1) + fs_manage_cifs_files($1) + fs_read_cifs_symlinks($1) + ') +') + +######################################## +## <summary> +## All of the rules required to administrate +## an virt environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_admin',` + gen_require(` + type virtd_t, virtd_initrc_exec_t; + ') + + allow $1 virtd_t:process { ptrace signal_perms }; + ps_process_pattern($1, virtd_t) + + init_labeled_script_domtrans($1, virtd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 virtd_initrc_exec_t system_r; + allow $2 system_r; + + virt_manage_pid_files($1) + + virt_manage_lib_files($1) + + virt_manage_log($1) +') + +######################################## +## <summary> +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the sandbox domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`virt_transition_svirt',` + gen_require(` + type svirt_t; + ') + + allow $1 svirt_t:process transition; + role $2 types svirt_t; + + optional_policy(` + ptchown_run(svirt_t, $2) + ') +') + +######################################## +## <summary> +## Do not audit attempts to write virt daemon unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`virt_dontaudit_write_pipes',` + gen_require(` + type virtd_t; + ') + + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; +') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te new file mode 100644 index 0000000..62e349a --- /dev/null +++ b/policy/modules/services/virt.te 
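Review bot: in `virt_manage_images` the `virt_use_samba` branch lists `fs_manage_cifs_files($1)` twice and never grants directory access, while the parallel `virt_use_nfs` branch has `fs_manage_nfs_dirs($1)` followed by `fs_manage_nfs_files($1)`; the first duplicate should be `fs_manage_cifs_dirs($1)`, otherwise images on CIFS cannot be created or removed. Two summaries are wrong for what the interfaces do: `virt_read_content` is documented as "Allow domain to manage virt image files" but grants read/list on virt_content_t only, and `virt_write_content` says "write virt image files" but is also virt_content_t; fix the text so callers do not pick these when they want virt_image_type. `virt_manage_log` lacks the `logging_search_logs($1)` that `virt_read_log` and `virt_append_log` include, so a caller without other access to /var/log cannot reach the files. Minor: `virt_read_images` and `virt_manage_images` gen_require `virt_var_lib_t` but only use it through `virt_search_lib($1)`, which has its own gen_require; the extra require can go.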
@@ -0,0 +1,671 @@ +policy_module(virt, 1.4.0) + +######################################## +# +# Declarations +# + +attribute virsh_transition_domain; + +## <desc> +## <p> +## Allow virt to use serial/parallell communication ports +## </p> +## </desc> +gen_tunable(virt_use_comm, false) + +## <desc> +## <p> +## Allow virt to read fuse files +## </p> +## </desc> +gen_tunable(virt_use_fusefs, false) + +## <desc> +## <p> +## Allow virt to manage nfs files +## </p> +## </desc> +gen_tunable(virt_use_nfs, false) + +## <desc> +## <p> +## Allow virt to manage cifs files +## </p> +## </desc> +gen_tunable(virt_use_samba, false) + +## <desc> +## <p> +## Allow virt to manage device configuration, (pci) +## </p> +## </desc> +gen_tunable(virt_use_sysfs, false) + +## <desc> +## <p> +## Allow virtual machine to interact with the xserver +## </p> +## </desc> +gen_tunable(virt_use_xserver, false) + +## <desc> +## <p> +## Allow virt to use usb devices +## </p> +## </desc> +gen_tunable(virt_use_usb, true) + +virt_domain_template(svirt) +role system_r types svirt_t; + +attribute virt_domain; +attribute virt_image_type; + +type virt_cache_t alias svirt_cache_t; +files_type(virt_cache_t) + +type virt_etc_t; +files_config_file(virt_etc_t) + +type virt_etc_rw_t; +files_type(virt_etc_rw_t) + +# virt Image files +type virt_image_t; # customizable +virt_image(virt_image_t) +files_mountpoint(virt_image_t) + +# virt Image files +type virt_content_t; # customizable +virt_image(virt_content_t) +userdom_user_home_content(virt_content_t) + +type virt_tmp_t; +files_tmp_file(virt_tmp_t) + +type virt_log_t; +logging_log_file(virt_log_t) +mls_trusted_object(virt_log_t) + +type virt_var_run_t; +files_pid_file(virt_var_run_t) + +type virt_var_lib_t; +files_mountpoint(virt_var_lib_t) + +type virtd_t; +type virtd_exec_t; +init_daemon_domain(virtd_t, virtd_exec_t) +domain_obj_id_change_exemption(virtd_t) +domain_subj_id_change_exemption(virtd_t) + +type virtd_initrc_exec_t; 
+init_script_file(virtd_initrc_exec_t) + +type qemu_var_run_t; +typealias qemu_var_run_t alias svirt_var_run_t; +files_pid_file(qemu_var_run_t) +mls_trusted_object(qemu_var_run_t) + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) +') + +ifdef(`enable_mls',` + init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) +') + +######################################## +# +# svirt local policy +# + +allow svirt_t self:udp_socket create_socket_perms; + +read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t) + +allow svirt_t svirt_image_t:dir search_dir_perms; +manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) +manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) +manage_fifo_files_pattern(svirt_t, svirt_image_t, svirt_image_t) +fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) + +list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_t, virt_content_t, virt_content_t) +dontaudit svirt_t virt_content_t:file write_file_perms; +dontaudit svirt_t virt_content_t:dir write; + +corenet_udp_sendrecv_generic_if(svirt_t) +corenet_udp_sendrecv_generic_node(svirt_t) +corenet_udp_sendrecv_all_ports(svirt_t) +corenet_udp_bind_generic_node(svirt_t) +corenet_udp_bind_all_ports(svirt_t) +corenet_tcp_bind_all_ports(svirt_t) +corenet_tcp_connect_all_ports(svirt_t) + +dev_list_sysfs(svirt_t) + +userdom_search_user_home_content(svirt_t) +userdom_read_user_home_content_symlinks(svirt_t) +userdom_read_all_users_state(svirt_t) + +tunable_policy(`virt_use_comm',` + term_use_unallocated_ttys(svirt_t) + dev_rw_printer(svirt_t) +') + +tunable_policy(`virt_use_fusefs',` + fs_read_fusefs_files(svirt_t) + fs_read_fusefs_symlinks(svirt_t) +') + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(svirt_t) + fs_manage_nfs_files(svirt_t) + fs_manage_nfs_named_sockets(svirt_t) + fs_read_nfs_symlinks(svirt_t) +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(svirt_t) + 
fs_manage_cifs_files(svirt_t) + fs_manage_cifs_named_sockets(svirt_t) + fs_read_cifs_symlinks(virtd_t) +') + +tunable_policy(`virt_use_sysfs',` + dev_rw_sysfs(svirt_t) +') + +tunable_policy(`virt_use_usb',` + dev_rw_usbfs(svirt_t) + dev_read_sysfs(svirt_t) + fs_manage_dos_dirs(svirt_t) + fs_manage_dos_files(svirt_t) +') + +optional_policy(` + tunable_policy(`virt_use_xserver',` + xserver_stream_connect(svirt_t) + ') +') + +optional_policy(` + xen_rw_image_files(svirt_t) +') + +optional_policy(` + xen_rw_image_files(svirt_t) +') + +######################################## +# +# virtd local policy +# + +allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +allow virtd_t self:fifo_file rw_fifo_file_perms; +allow virtd_t self:unix_stream_socket create_stream_socket_perms; +allow virtd_t self:tcp_socket create_stream_socket_perms; +allow virtd_t self:tun_socket create_socket_perms; +allow virtd_t self:rawip_socket create_socket_perms; +allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; + +manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t) +manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t) + +manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) +manage_files_pattern(virtd_t, virt_content_t, virt_content_t) + +allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; + +allow virtd_t qemu_var_run_t:file relabel_file_perms; +manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain) + +read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) 
+read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) + +manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) + +manage_files_pattern(virtd_t, virt_image_type, virt_image_type) +manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) +manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) +allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; + +manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) +manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t) +files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir }) +can_exec(virtd_t, virt_tmp_t) + +manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) +manage_files_pattern(virtd_t, virt_log_t, virt_log_t) +logging_log_filetrans(virtd_t, virt_log_t, { file dir }) + +manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir }) + +manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) + +kernel_read_system_state(virtd_t) +kernel_read_network_state(virtd_t) +kernel_rw_net_sysctls(virtd_t) +kernel_read_kernel_sysctls(virtd_t) +kernel_request_load_module(virtd_t) +kernel_search_debugfs(virtd_t) + +corecmd_exec_bin(virtd_t) +corecmd_exec_shell(virtd_t) + +corenet_all_recvfrom_unlabeled(virtd_t) +corenet_all_recvfrom_netlabel(virtd_t) +corenet_tcp_sendrecv_generic_if(virtd_t) +corenet_tcp_sendrecv_generic_node(virtd_t) +corenet_tcp_sendrecv_all_ports(virtd_t) 
+corenet_tcp_bind_generic_node(virtd_t) +corenet_tcp_bind_virt_port(virtd_t) +corenet_tcp_bind_vnc_port(virtd_t) +corenet_tcp_connect_vnc_port(virtd_t) +corenet_tcp_connect_soundd_port(virtd_t) +corenet_rw_tun_tap_dev(virtd_t) + +dev_rw_sysfs(virtd_t) +dev_read_rand(virtd_t) +dev_rw_kvm(virtd_t) +dev_getattr_all_chr_files(virtd_t) +dev_rw_mtrr(virtd_t) +dev_rw_vhost(virtd_t) + +# Init script handling +domain_use_interactive_fds(virtd_t) +domain_read_all_domains_state(virtd_t) +domain_read_all_domains_state(virtd_t) + +files_read_usr_files(virtd_t) +files_read_etc_files(virtd_t) +files_read_usr_files(virtd_t) +files_read_etc_runtime_files(virtd_t) +files_search_all(virtd_t) +files_read_kernel_modules(virtd_t) +files_read_usr_src_files(virtd_t) +files_relabelto_system_conf_files(virtd_t) +files_relabelfrom_system_conf_files(virtd_t) + +# Manages /etc/sysconfig/system-config-firewall +files_manage_system_conf_files(virtd_t) +files_manage_system_conf_files(virtd_t) +files_etc_filetrans_system_conf(virtd_t) + +fs_list_auto_mountpoints(virtd_t) +fs_getattr_xattr_fs(virtd_t) +fs_rw_anon_inodefs_files(virtd_t) +fs_list_inotifyfs(virtd_t) +fs_manage_cgroup_dirs(virtd_t) +fs_rw_cgroup_files(virtd_t) +fs_manage_hugetlbfs_dirs(virtd_t) +fs_rw_hugetlbfs_files(virtd_t) + +mls_fd_share_all_levels(virtd_t) +mls_file_read_to_clearance(virtd_t) +mls_file_write_to_clearance(virtd_t) +mls_process_read_to_clearance(virtd_t) +mls_process_write_to_clearance(virtd_t) +mls_net_write_within_range(virtd_t) +mls_socket_write_to_clearance(virtd_t) +mls_socket_read_to_clearance(virtd_t) +mls_rangetrans_source(virtd_t) + +mcs_process_set_categories(virtd_t) + +storage_manage_fixed_disk(virtd_t) +storage_relabel_fixed_disk(virtd_t) +storage_raw_write_removable_device(virtd_t) +storage_raw_read_removable_device(virtd_t) + +term_getattr_pty_fs(virtd_t) +term_use_generic_ptys(virtd_t) +term_use_ptmx(virtd_t) + +auth_use_nsswitch(virtd_t) + +miscfiles_read_localization(virtd_t) 
+miscfiles_read_generic_certs(virtd_t) +miscfiles_read_hwdata(virtd_t) + +modutils_read_module_deps(virtd_t) +modutils_read_module_config(virtd_t) +modutils_manage_module_config(virtd_t) + +logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) + +selinux_validate_context(virtd_t) + +seutil_read_config(virtd_t) +seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) + +sysnet_domtrans_ifconfig(virtd_t) +sysnet_read_config(virtd_t) + +userdom_list_admin_dir(virtd_t) +userdom_getattr_all_users(virtd_t) +userdom_list_user_home_content(virtd_t) +userdom_read_all_users_state(virtd_t) +userdom_read_user_home_content_files(virtd_t) +userdom_relabel_user_home_files(virtd_t) +userdom_setattr_user_home_content_files(virtd_t) + +consoletype_exec(virtd_t) + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virtd_t) + fs_manage_nfs_files(virtd_t) + fs_read_nfs_symlinks(virtd_t) +') + +tunable_policy(`virt_use_samba',` + fs_manage_nfs_files(virtd_t) + fs_manage_cifs_files(virtd_t) + fs_read_cifs_symlinks(virtd_t) +') + +optional_policy(` + brctl_domtrans(virtd_t) +') + +optional_policy(` + dbus_system_bus_client(virtd_t) + + optional_policy(` + avahi_dbus_chat(virtd_t) + ') + + optional_policy(` + consolekit_dbus_chat(virtd_t) + ') + + optional_policy(` + hal_dbus_chat(virtd_t) + ') +') + +optional_policy(` + dnsmasq_domtrans(virtd_t) + dnsmasq_signal(virtd_t) + dnsmasq_kill(virtd_t) + dnsmasq_read_pid_files(virtd_t) + dnsmasq_signull(virtd_t) +') + +optional_policy(` + iptables_domtrans(virtd_t) + iptables_initrc_domtrans(virtd_t) + + # Manages /etc/sysconfig/system-config-firewall + iptables_manage_config(virtd_t) +') + +optional_policy(` + kerberos_keytab_template(virtd, virtd_t) +') + +optional_policy(` + lvm_domtrans(virtd_t) +') + +optional_policy(` + policykit_dbus_chat(virtd_t) + policykit_domtrans_auth(virtd_t) + policykit_domtrans_resolve(virtd_t) + policykit_read_lib(virtd_t) +') + +optional_policy(` + qemu_domtrans(virtd_t) + 
qemu_read_state(virtd_t) + qemu_signal(virtd_t) + qemu_kill(virtd_t) + qemu_setsched(virtd_t) + qemu_entry_type(virt_domain) + qemu_exec(virt_domain) +') + +optional_policy(` + sasl_connect(virtd_t) +') + +optional_policy(` + kernel_read_xen_state(virtd_t) + kernel_write_xen_state(virtd_t) + + xen_stream_connect(virtd_t) + xen_stream_connect_xenstore(virtd_t) + xen_read_image_files(virtd_t) +') + +optional_policy(` + udev_domtrans(virtd_t) + udev_read_db(virtd_t) +') + +optional_policy(` + unconfined_domain(virtd_t) +') + +######################################## +# +# virtual domains common policy +# + +allow virt_domain self:capability { dac_read_search dac_override kill }; +allow virt_domain self:process { execmem execstack signal getsched signull }; +allow virt_domain self:fifo_file rw_fifo_file_perms; +allow virt_domain self:shm create_shm_perms; +allow virt_domain self:unix_stream_socket create_stream_socket_perms; +allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; +allow virt_domain self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) + +manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file }) +stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t) + +dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; + +append_files_pattern(virt_domain, virt_log_t, virt_log_t) + +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) + +kernel_read_system_state(virt_domain) + +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + 
+corenet_all_recvfrom_unlabeled(virt_domain) +corenet_all_recvfrom_netlabel(virt_domain) +corenet_tcp_sendrecv_generic_if(virt_domain) +corenet_tcp_sendrecv_generic_node(virt_domain) +corenet_tcp_sendrecv_all_ports(virt_domain) +corenet_tcp_bind_generic_node(virt_domain) +corenet_tcp_bind_vnc_port(virt_domain) +corenet_rw_tun_tap_dev(virt_domain) +corenet_tcp_bind_virt_migration_port(virt_domain) +corenet_tcp_connect_virt_migration_port(virt_domain) + +dev_read_generic_symlinks(virt_domain) +dev_read_rand(virt_domain) +dev_read_sound(virt_domain) +dev_read_urand(virt_domain) +dev_write_sound(virt_domain) +dev_rw_ksm(virt_domain) +dev_rw_kvm(virt_domain) +dev_rw_qemu(virt_domain) +dev_rw_vhost(virt_domain) + +domain_use_interactive_fds(virt_domain) + +files_read_etc_files(virt_domain) +files_read_mnt_symlinks(virt_domain) +files_read_usr_files(virt_domain) +files_read_var_files(virt_domain) +files_search_all(virt_domain) + +fs_getattr_tmpfs(virt_domain) +fs_rw_anon_inodefs_files(virt_domain) +fs_rw_tmpfs_files(virt_domain) +fs_getattr_hugetlbfs(virt_domain) + +# I think we need these for now. 
+miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) + +term_use_all_terms(virt_domain) +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) +term_use_ptmx(virt_domain) + +auth_use_nsswitch(virt_domain) + +logging_send_syslog_msg(virt_domain) + +miscfiles_read_localization(virt_domain) + +optional_policy(` + ptchown_domtrans(virt_domain) +') + +optional_policy(` + pulseaudio_dontaudit_exec(virt_domain) +') + +optional_policy(` + virt_read_config(virt_domain) + virt_read_lib_files(virt_domain) + virt_read_content(virt_domain) + virt_stream_connect(virt_domain) +') + +######################################## +# +# xm local policy +# +type virsh_t; +type virsh_exec_t; +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; + +allow virsh_t self:capability { dac_override ipc_lock sys_tty_config }; +allow virsh_t self:process { getcap getsched setcap signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow virsh_t self:tcp_socket create_stream_socket_perms; + +manage_files_pattern(virsh_t, virt_image_type, virt_image_type) +manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) +manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) + +dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms; + +kernel_read_system_state(virsh_t) +kernel_read_network_state(virsh_t) +kernel_read_kernel_sysctls(virsh_t) +kernel_read_sysctl(virsh_t) +kernel_read_xen_state(virsh_t) +kernel_write_xen_state(virsh_t) + +corecmd_exec_bin(virsh_t) +corecmd_exec_shell(virsh_t) + +corenet_tcp_sendrecv_generic_if(virsh_t) +corenet_tcp_sendrecv_generic_node(virsh_t) +corenet_tcp_connect_soundd_port(virsh_t) + +dev_read_urand(virsh_t) +dev_read_sysfs(virsh_t) + +files_read_etc_runtime_files(virsh_t) +files_read_usr_files(virsh_t) +files_list_mnt(virsh_t) +# Some common 
macros (you might be able to remove some) +files_read_etc_files(virsh_t) + +fs_getattr_all_fs(virsh_t) +fs_manage_xenfs_dirs(virsh_t) +fs_manage_xenfs_files(virsh_t) +fs_search_auto_mountpoints(virsh_t) + +storage_raw_read_fixed_disk(virsh_t) + +term_use_all_terms(virsh_t) + +init_stream_connect_script(virsh_t) +init_rw_script_stream_sockets(virsh_t) +init_use_fds(virsh_t) + +miscfiles_read_localization(virsh_t) + +sysnet_dns_name_resolve(virsh_t) + +optional_policy(` + xen_manage_image_dirs(virsh_t) + xen_append_log(virsh_t) + xen_stream_connect(virsh_t) + xen_stream_connect_xenstore(virsh_t) +') + +optional_policy(` + dbus_system_bus_client(virsh_t) + + optional_policy(` + hal_dbus_chat(virsh_t) + ') +') + +optional_policy(` + vhostmd_rw_tmpfs_files(virsh_t) + vhostmd_stream_connect(virsh_t) + vhostmd_dontaudit_rw_stream_connect(virsh_t) +') + +optional_policy(` + virt_domtrans(virsh_t) + virt_manage_images(virsh_t) + virt_manage_config(virsh_t) + virt_stream_connect(virsh_t) +') + +optional_policy(` + ssh_basic_client_template(virsh, virsh_t, system_r) + + kernel_read_xen_state(virsh_ssh_t) + kernel_write_xen_state(virsh_ssh_t) + + dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms; + files_search_tmp(virsh_ssh_t) + + fs_manage_xenfs_dirs(virsh_ssh_t) + fs_manage_xenfs_files(virsh_ssh_t) + + userdom_search_admin_dir(virsh_ssh_t) +') diff --git a/policy/modules/services/vnstatd.fc b/policy/modules/services/vnstatd.fc new file mode 100644 index 0000000..7667c31 --- /dev/null +++ b/policy/modules/services/vnstatd.fc @@ -0,0 +1,6 @@ + +/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0) + +/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0) + +/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0) diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if new file mode 100644 index 0000000..b9104b7 --- /dev/null +++ b/policy/modules/services/vnstatd.if 
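Review bot: in the svirt local policy of virt.te, the `virt_use_samba` tunable contains `fs_read_cifs_symlinks(virtd_t)` while every sibling rule in that block targets `svirt_t`, so the guest domain never gets the symlink read and virtd silently gains it; this should be `fs_read_cifs_symlinks(svirt_t)`. The same tunable in the virtd section has `fs_manage_nfs_files(virtd_t)`, which belongs to `virt_use_nfs` (already granted a few lines above) and looks like a copy-paste slip for the cifs dirs rule. Several rules are duplicated and should be collapsed: the `optional_policy(` block around `xen_rw_image_files(svirt_t)` appears twice back to back, as do `domain_read_all_domains_state(virtd_t)`, `files_read_usr_files(virtd_t)` and `files_manage_system_conf_files(virtd_t)`. The `unconfined_domain(virtd_t)` optional block needs a justifying comment: on any build that ships the unconfined module it discards the confinement the rest of the file sets up for a daemon that already holds sys_admin, sys_ptrace and net_admin. Guests are also granted `corenet_tcp_bind_all_ports`, `corenet_tcp_connect_all_ports` and `corenet_udp_bind_all_ports` on `svirt_t` unconditionally, whereas comparable guest access (nfs, samba, usb, sysfs) is behind tunables; either gate these the same way or document why a guest needs every port. Smaller points: "parallell" in the `virt_use_comm` description, the `# xm local policy` heading over what is now the virsh section, and the template leftover "# Some common macros (you might be able to remove some)" should be cleaned up before merge.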
@@ -0,0 +1,144 @@ +## <summary>policy for vnstatd</summary> + +######################################## +## <summary> +## Execute a domain transition to run vnstatd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`vnstatd_domtrans',` + gen_require(` + type vnstatd_t, vnstatd_exec_t; + ') + + domtrans_pattern($1, vnstatd_exec_t, vnstatd_t) +') + +######################################## +## <summary> +## Execute a domain transition to run vnstat. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`vnstatd_domtrans_vnstat',` + gen_require(` + type vnstat_t, vnstat_exec_t; + ') + + domtrans_pattern($1, vnstat_exec_t, vnstat_t) +') + +######################################## +## <summary> +## Search vnstatd lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`vnstatd_search_lib',` + gen_require(` + type vnstatd_var_lib_t; + ') + + allow $1 vnstatd_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Read vnstatd lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`vnstatd_read_lib_files',` + gen_require(` + type vnstatd_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## vnstatd lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`vnstatd_manage_lib_files',` + gen_require(` + type vnstatd_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) +') + +######################################## +## <summary> +## Manage vnstatd lib dirs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`vnstatd_manage_lib_dirs',` + gen_require(` + type vnstatd_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t) +') + + +######################################## +## <summary> +## All of the rules required to administrate +## an vnstatd environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`vnstatd_admin',` + gen_require(` + type vnstatd_t, vnstatd_var_lib_t; + ') + + allow $1 vnstatd_t:process { ptrace signal_perms }; + ps_process_pattern($1, vnstatd_t) + + files_list_var_lib($1) + admin_pattern($1, vnstatd_var_lib_t) +') diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te new file mode 100644 index 0000000..8ec07ff --- /dev/null +++ b/policy/modules/services/vnstatd.te 
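Review bot: two interface summaries in vnstatd.if need wording fixes: `vnstatd_manage_lib_dirs` is described as "Manage vnstatd lib dirs files." (should read "Create, read, write, and delete vnstatd lib directories." to match the sibling `vnstatd_manage_lib_files` summary), and `vnstatd_admin` says "administrate an vnstatd environment" (should be "a vnstatd environment"). There is also a doubled blank line before the `vnstatd_admin` block where the rest of the file uses one. Note that `vnstatd_admin` cannot start or stop the daemon because the module declares no initrc type and vnstatd.fc labels no init script; if that is intended, a short comment in the interface saying so would stop the next reader from treating it as an omission.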
@@ -0,0 +1,65 @@ +policy_module(vnstatd, 1.0.0) + +######################################## +# +# Declarations +# + +type vnstatd_t; +type vnstatd_exec_t; +init_daemon_domain(vnstatd_t, vnstatd_exec_t) + +permissive vnstatd_t; + +type vnstatd_var_lib_t; +files_type(vnstatd_var_lib_t) + +type vnstat_t; +type vnstat_exec_t; +application_domain(vnstat_t, vnstat_exec_t) +cron_system_entry(vnstat_t, vnstat_exec_t) + +######################################## +# +# vnstatd local policy +# +allow vnstatd_t self:process { fork signal }; +allow vnstatd_t self:fifo_file rw_fifo_file_perms; +allow vnstatd_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) +manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) +files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file }) + +domain_use_interactive_fds(vnstatd_t) + +files_read_etc_files(vnstatd_t) + +logging_send_syslog_msg(vnstatd_t) + +miscfiles_read_localization(vnstatd_t) + +######################################## +# +# vnstat local policy +# +allow vnstat_t self:process signal; +allow vnstat_t self:fifo_file rw_fifo_file_perms; +allow vnstat_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) +manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) +files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file }) + +kernel_read_network_state(vnstat_t) +kernel_read_system_state(vnstat_t) + +domain_use_interactive_fds(vnstat_t) + +files_read_etc_files(vnstat_t) + +fs_getattr_xattr_fs(vnstat_t) + +logging_send_syslog_msg(vnstat_t) + +miscfiles_read_localization(vnstat_t) diff --git a/policy/modules/services/w3c.fc b/policy/modules/services/w3c.fc new file mode 100644 index 0000000..a9cc9a8 --- /dev/null +++ b/policy/modules/services/w3c.fc 
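Review bot: `permissive vnstatd_t;` in the declarations means every denial for the daemon is only audited, never enforced, so the rules below it are untested in enforcing mode; that is fine as a development aid but it needs a comment marking it as temporary and a follow-up to drop it, otherwise the module ships with a confined-looking daemon that is not actually confined. The client side `vnstat_t` (the cron entry) is not permissive, so during testing the two halves will behave differently and denials seen for `vnstat_t` but not for `vnstatd_t` will be the only real signal. A style point: the `vnstatd local policy` and `vnstat local policy` headers lack the blank line after the `#` banner that the other modules in this series use.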
@@ -0,0 +1,4 @@ +/usr/lib/cgi-bin/check gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) + +/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0) +/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) diff --git a/policy/modules/services/w3c.if b/policy/modules/services/w3c.if new file mode 100644 index 0000000..8f678a9 --- /dev/null +++ b/policy/modules/services/w3c.if @@ -0,0 +1 @@ +## <summary>W3C Markup Validator</summary> diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te new file mode 100644 index 0000000..f4c4c1b --- /dev/null +++ b/policy/modules/services/w3c.te @@ -0,0 +1,33 @@ +policy_module(w3c, 1.0.0) + +######################################## +# +# Declarations +# + +apache_content_template(w3c_validator) + +type httpd_w3c_validator_tmp_t; +files_tmp_file(httpd_w3c_validator_tmp_t) + +######################################## +# +# Local policy +# + +manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) +manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) +files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir }) + +corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) +corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) +corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) +corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t) +corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t) +corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) + +miscfiles_read_generic_certs(httpd_w3c_validator_script_t) + +sysnet_dns_name_resolve(httpd_w3c_validator_script_t) + +apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t) 
diff --git a/policy/modules/services/watchdog.fc b/policy/modules/services/watchdog.fc new file mode 100644 index 0000000..7551c51 --- /dev/null +++ b/policy/modules/services/watchdog.fc @@ -0,0 +1,5 @@ +/usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0) + +/var/log/watchdog(/.*)? gen_context(system_u:object_r:watchdog_log_t,s0) + +/var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0) diff --git a/policy/modules/services/watchdog.if b/policy/modules/services/watchdog.if new file mode 100644 index 0000000..f8acf10 --- /dev/null +++ b/policy/modules/services/watchdog.if @@ -0,0 +1 @@ +## <summary>Software watchdog</summary> diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te new file mode 100644 index 0000000..b10bb05 --- /dev/null +++ b/policy/modules/services/watchdog.te 
@@ -0,0 +1,105 @@ +policy_module(watchdog, 1.7.0) + +################################# +# +# Rules for the watchdog_t domain. +# + +type watchdog_t; +type watchdog_exec_t; +init_daemon_domain(watchdog_t, watchdog_exec_t) + +type watchdog_log_t; +logging_log_file(watchdog_log_t) + +type watchdog_var_run_t; +files_pid_file(watchdog_var_run_t) + +######################################## +# +# Declarations +# + +allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource }; +dontaudit watchdog_t self:capability sys_tty_config; +allow watchdog_t self:process { setsched signal_perms }; +allow watchdog_t self:fifo_file rw_fifo_file_perms; +allow watchdog_t self:unix_stream_socket create_socket_perms; +allow watchdog_t self:tcp_socket create_stream_socket_perms; +allow watchdog_t self:udp_socket create_socket_perms; + +allow watchdog_t watchdog_log_t:file manage_file_perms; +logging_log_filetrans(watchdog_t, watchdog_log_t, file) + +manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t) +files_pid_filetrans(watchdog_t, watchdog_var_run_t, file) + +kernel_read_system_state(watchdog_t) +kernel_read_kernel_sysctls(watchdog_t) +kernel_unmount_proc(watchdog_t) + +# for orderly shutdown +corecmd_exec_shell(watchdog_t) + +# cjp: why networking? 
+corenet_all_recvfrom_unlabeled(watchdog_t) +corenet_all_recvfrom_netlabel(watchdog_t) +corenet_tcp_sendrecv_generic_if(watchdog_t) +corenet_udp_sendrecv_generic_if(watchdog_t) +corenet_tcp_sendrecv_generic_node(watchdog_t) +corenet_udp_sendrecv_generic_node(watchdog_t) +corenet_tcp_sendrecv_all_ports(watchdog_t) +corenet_udp_sendrecv_all_ports(watchdog_t) +corenet_tcp_connect_all_ports(watchdog_t) +corenet_sendrecv_all_client_packets(watchdog_t) + +dev_read_sysfs(watchdog_t) +dev_write_watchdog(watchdog_t) +# do not care about saving the random seed +dev_dontaudit_read_rand(watchdog_t) +dev_dontaudit_read_urand(watchdog_t) + +domain_use_interactive_fds(watchdog_t) +domain_getsession_all_domains(watchdog_t) +domain_sigchld_all_domains(watchdog_t) +domain_sigstop_all_domains(watchdog_t) +domain_signull_all_domains(watchdog_t) +domain_signal_all_domains(watchdog_t) +domain_kill_all_domains(watchdog_t) + +files_read_etc_files(watchdog_t) +# for updating mtab on umount +files_manage_etc_runtime_files(watchdog_t) +files_etc_filetrans_etc_runtime(watchdog_t, file) + +fs_unmount_xattr_fs(watchdog_t) +fs_getattr_all_fs(watchdog_t) +fs_search_auto_mountpoints(watchdog_t) + +# record the fact that we are going down +auth_append_login_records(watchdog_t) + +logging_send_syslog_msg(watchdog_t) + +miscfiles_read_localization(watchdog_t) + +sysnet_read_config(watchdog_t) + +userdom_dontaudit_use_unpriv_user_fds(watchdog_t) +userdom_dontaudit_search_user_home_dirs(watchdog_t) + +optional_policy(` + mta_send_mail(watchdog_t) +') + +optional_policy(` + nis_use_ypbind(watchdog_t) +') + +optional_policy(` + seutil_sigchld_newrole(watchdog_t) +') + +optional_policy(` + udev_read_db(watchdog_t) +') diff --git a/policy/modules/services/xfs.fc b/policy/modules/services/xfs.fc new file mode 100644 index 0000000..8e70038 --- /dev/null +++ b/policy/modules/services/xfs.fc 
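Review bot: the two section banners in watchdog.te are swapped: "# Rules for the watchdog_t domain." sits above the type declarations and "# Declarations" sits above the allow rules, so please exchange them to match the other modules. The comment `# cjp: why networking?` leaves an open review question directly above a very broad grant (`corenet_tcp_connect_all_ports`, plus tcp and udp sendrecv on all ports and `corenet_sendrecv_all_client_packets`) for a daemon whose other rules only document shutdown, login records, syslog, mail via `mta_send_mail` and nis; either replace the comment with the actual reason and narrow the rules to the ports involved, or drop the network rules until a use case is recorded. The remaining comments ("for orderly shutdown", "for updating mtab on umount", "record the fact that we are going down") are exactly the kind of justification the network block is missing.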
@@ -0,0 +1,8 @@ + +/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:xfs_tmp_t,s0) + +/usr/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0) +/usr/bin/xfstt -- gen_context(system_u:object_r:xfs_exec_t,s0) + +/usr/X11R6/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0) +/usr/X11R6/bin/xfs-xtt -- gen_context(system_u:object_r:xfs_exec_t,s0) diff --git a/policy/modules/services/xfs.if b/policy/modules/services/xfs.if new file mode 100644 index 0000000..42a0efb --- /dev/null +++ b/policy/modules/services/xfs.if @@ -0,0 +1,59 @@ +## <summary>X Windows Font Server</summary> + +######################################## +## <summary> +## Read a X font server named socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xfs_read_sockets',` + gen_require(` + type xfs_tmp_t; + ') + + files_search_tmp($1) + read_sock_files_pattern($1, xfs_tmp_t, xfs_tmp_t) +') + +######################################## +## <summary> +## Connect to a X font server over +## a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xfs_stream_connect',` + gen_require(` + type xfs_tmp_t, xfs_t; + ') + + files_search_tmp($1) + stream_connect_pattern($1, xfs_tmp_t, xfs_tmp_t, xfs_t) +') + +######################################## +## <summary> +## Allow the specified domain to execute xfs +## in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xfs_exec',` + gen_require(` + type xfs_exec_t; + ') + + can_exec($1, xfs_exec_t) +') diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te new file mode 100644 index 0000000..11c1b12 --- /dev/null +++ b/policy/modules/services/xfs.te 
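Review bot: the summaries in xfs.if read "Read a X font server named socket." and "Connect to a X font server over a unix domain stream socket."; both should say "an X font server". The `xfs_exec` summary "Allow the specified domain to execute xfs in the caller domain." is fine. In xfs.fc the hunk begins with an empty line, so the file starts with a blank line; drop it for consistency with the other .fc files in this series.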
@@ -0,0 +1,87 @@ +policy_module(xfs, 1.6.0) + +######################################## +# +# Declarations +# + +type xfs_t; +type xfs_exec_t; +init_daemon_domain(xfs_t, xfs_exec_t) + +type xfs_tmp_t; +files_tmp_file(xfs_tmp_t) + +type xfs_var_run_t; +files_pid_file(xfs_var_run_t) + +######################################## +# +# Local policy +# + +allow xfs_t self:capability { dac_override setgid setuid }; +dontaudit xfs_t self:capability sys_tty_config; +allow xfs_t self:process { signal_perms setpgid }; +allow xfs_t self:unix_stream_socket create_stream_socket_perms; +allow xfs_t self:unix_dgram_socket create_socket_perms; +allow xfs_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t) +manage_sock_files_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t) +files_tmp_filetrans(xfs_t, xfs_tmp_t, { sock_file dir }) + +manage_files_pattern(xfs_t, xfs_var_run_t, xfs_var_run_t) +files_pid_filetrans(xfs_t, xfs_var_run_t, file) + +kernel_read_kernel_sysctls(xfs_t) +kernel_read_system_state(xfs_t) + +corenet_all_recvfrom_unlabeled(xfs_t) +corenet_all_recvfrom_netlabel(xfs_t) +corenet_tcp_sendrecv_generic_if(xfs_t) +corenet_tcp_sendrecv_generic_node(xfs_t) +corenet_tcp_sendrecv_all_ports(xfs_t) +corenet_tcp_bind_generic_node(xfs_t) +corenet_tcp_bind_xfs_port(xfs_t) +corenet_sendrecv_xfs_server_packets(xfs_t) + +corecmd_list_bin(xfs_t) + +dev_read_sysfs(xfs_t) +dev_read_urand(xfs_t) +dev_read_rand(xfs_t) + +fs_getattr_all_fs(xfs_t) +fs_search_auto_mountpoints(xfs_t) + +domain_use_interactive_fds(xfs_t) + +files_read_etc_files(xfs_t) +files_read_etc_runtime_files(xfs_t) +files_read_usr_files(xfs_t) + +auth_use_nsswitch(xfs_t) + +logging_send_syslog_msg(xfs_t) + +miscfiles_read_localization(xfs_t) +miscfiles_read_fonts(xfs_t) + +userdom_dontaudit_use_unpriv_user_fds(xfs_t) +userdom_dontaudit_search_user_home_dirs(xfs_t) + +xfs_exec(xfs_t) + +ifdef(`distro_debian',` + # for /tmp/.font-unix/fs7100 + init_script_tmp_filetrans(xfs_t, xfs_tmp_t, 
sock_file) +') + +optional_policy(` + seutil_sigchld_newrole(xfs_t) +') + +optional_policy(` + udev_read_db(xfs_t) +') diff --git a/policy/modules/services/xprint.fc b/policy/modules/services/xprint.fc new file mode 100644 index 0000000..6a857ff --- /dev/null +++ b/policy/modules/services/xprint.fc @@ -0,0 +1 @@ +/usr/bin/Xprt -- gen_context(system_u:object_r:xprint_exec_t,s0) diff --git a/policy/modules/services/xprint.if b/policy/modules/services/xprint.if new file mode 100644 index 0000000..e69a82a --- /dev/null +++ b/policy/modules/services/xprint.if @@ -0,0 +1 @@ +## <summary>X print server</summary> diff --git a/policy/modules/services/xprint.te b/policy/modules/services/xprint.te new file mode 100644 index 0000000..68d13e5 --- /dev/null +++ b/policy/modules/services/xprint.te 
@@ -0,0 +1,82 @@ +policy_module(xprint, 1.7.0) + +######################################## +# +# Declarations +# + +type xprint_t; +type xprint_exec_t; +init_daemon_domain(xprint_t, xprint_exec_t) + +type xprint_var_run_t; +files_pid_file(xprint_var_run_t) + +######################################## +# +# Local policy +# + +dontaudit xprint_t self:capability sys_tty_config; +allow xprint_t self:process signal_perms; +allow xprint_t self:fifo_file rw_file_perms; +allow xprint_t self:tcp_socket create_stream_socket_perms; +allow xprint_t self:udp_socket create_socket_perms; + +manage_files_pattern(xprint_t, xprint_var_run_t, xprint_var_run_t) +files_pid_filetrans(xprint_t, xprint_var_run_t, file) + +kernel_read_system_state(xprint_t) +kernel_read_kernel_sysctls(xprint_t) + +corecmd_exec_bin(xprint_t) +corecmd_exec_shell(xprint_t) + +corenet_all_recvfrom_unlabeled(xprint_t) +corenet_all_recvfrom_netlabel(xprint_t) +corenet_tcp_sendrecv_generic_if(xprint_t) +corenet_udp_sendrecv_generic_if(xprint_t) +corenet_tcp_sendrecv_generic_node(xprint_t) +corenet_udp_sendrecv_generic_node(xprint_t) +corenet_tcp_sendrecv_all_ports(xprint_t) +corenet_udp_sendrecv_all_ports(xprint_t) + +dev_read_sysfs(xprint_t) +dev_read_urand(xprint_t) + +domain_use_interactive_fds(xprint_t) + +files_read_etc_files(xprint_t) +files_read_etc_runtime_files(xprint_t) +files_read_usr_files(xprint_t) +files_search_var_lib(xprint_t) +files_search_tmp(xprint_t) + +fs_getattr_all_fs(xprint_t) +fs_search_auto_mountpoints(xprint_t) + +logging_send_syslog_msg(xprint_t) + +miscfiles_read_fonts(xprint_t) +miscfiles_read_localization(xprint_t) + +sysnet_read_config(xprint_t) + +userdom_dontaudit_use_unpriv_user_fds(xprint_t) +userdom_dontaudit_search_user_home_dirs(xprint_t) + +optional_policy(` + cups_read_config(xprint_t) +') + +optional_policy(` + nis_use_ypbind(xprint_t) +') + +optional_policy(` + seutil_sigchld_newrole(xprint_t) +') + +optional_policy(` + udev_read_db(xprint_t) +') 
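Review bot: in the xfs.te hunk, `xfs_exec(xfs_t)` grants the xfs_t domain execution of its own module's entrypoint, which is unusual for a daemon and deserves a comment explaining why the font server re-executes itself (or should be dropped if it was copied in by mistake). Two grants are also broader than the rest of the file justifies: `corenet_tcp_sendrecv_all_ports(xfs_t)` sits next to a dedicated `corenet_tcp_bind_xfs_port(xfs_t)`, so sending and receiving could be scoped to the xfs port, and `dac_override` in `allow xfs_t self:capability { dac_override setgid setuid };` lets the daemon bypass file permission checks entirely, which is worth a comment stating which path needs it, since `setuid`/`setgid` alone cover the privilege drop.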
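Review bot: the xprint.te hunk allows the domain to create TCP and UDP sockets and to send and receive on all ports (`corenet_tcp_sendrecv_all_ports(xprint_t)`, `corenet_udp_sendrecv_all_ports(xprint_t)`) but contains no `corenet_tcp_bind_generic_node` or port-bind interface, so a listening print server would be denied `bind` while a connecting client is allowed every destination. Either the bind rules for the server's port are missing, or the all-ports grants should be narrowed to the ports the server actually uses. `corecmd_exec_shell(xprint_t)` is also a broad grant for a print server and should carry a comment naming the script it runs.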
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc new file mode 100644 index 0000000..6a160b2 --- /dev/null +++ b/policy/modules/services/xserver.fc 
@@ -0,0 +1,141 @@ +# +# HOME_DIR +# +HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) +HOME_DIR/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0) +HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) +HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) +HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) +HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) +HOME_DIR/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0) +HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) +HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0) +HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) +HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0) + +/root/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +# +# /dev +# +/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0) + +# +# /etc +# + +/etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0) + +/etc/gdm(/.*)? 
gen_context(system_u:object_r:xdm_etc_t,s0) + +/etc/kde3?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/kde3?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/kde3?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/kde3?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0) + +/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) +/etc/X11/wdm/Xsetup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0) +/etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0) + +# +# /opt +# + +/opt/kde3/bin/kdm -- gen_context(system_u:object_r:xdm_exec_t,s0) + +# +# /tmp +# + +/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_tmp_t,s0) +/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0) +/tmp/\.ICE-unix(/.*)? 
gen_context(system_u:object_r:xdm_tmp_t,s0) + +# +# /usr +# + +/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/(s)?bin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/(s)?bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) +/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) +/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) +ifdef(`distro_debian', ` +/usr/sbin/gdm -- gen_context(system_u:object_r:xdm_exec_t,s0) +') + +/usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) + +/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) + +/usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/X11R6/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) +/usr/X11R6/bin/X -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/X11R6/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) +/usr/X11R6/bin/XFree86 -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/X11R6/bin/Xipaq -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/X11R6/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/X11R6/bin/Xwrapper -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0) +/usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0) + +# +# /var +# + +/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) + +/var/lib/[gxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/lib/lxdm(/.*)? 
gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) +/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) + +/var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) + +/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0) +/var/log/slim\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) +/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) +/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) + +/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) + +/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/kdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/lxdm(/*.)? gen_context(system_u:object_r:xdm_var_run_t,s0) + +/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) +/var/run/xorg(/.*)? 
gen_context(system_u:object_r:xserver_var_run_t,s0) + +ifdef(`distro_suse',` +/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) +') + +/var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if new file mode 100644 index 0000000..f963642 --- /dev/null +++ b/policy/modules/services/xserver.if 
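Review bot: in the xserver.fc hunk the entry `/var/run/lxdm(/*.)? gen_context(system_u:object_r:xdm_var_run_t,s0)` has its regex group transposed; every other entry in the file uses `(/.*)?`, and as written `(/*.)?` matches zero or more slashes followed by any single character, so the directory's contents will not be labeled. The line `HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)` is also present twice in a row and the second copy should go. Lesser points: `/var/run/video.rom` has an unescaped dot, and `/etc/kde3?/kdm/backgroundrc` is labeled `xdm_var_run_t` although it lives under /etc, which merits a comment if intentional.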
@@ -0,0 +1,1713 @@ +## <summary>X Windows Server</summary> + +######################################## +## <summary> +## Rules required for using the X Windows server +## and environment, for restricted users. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_restricted_role',` + gen_require(` + type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t; + type user_fonts_t, user_fonts_cache_t, user_fonts_config_t, xdm_tmp_t; + type iceauth_t, iceauth_exec_t, iceauth_home_t; + type xauth_t, xauth_exec_t, xauth_home_t; + class dbus send_msg; + ') + + role $1 types { xserver_t xauth_t iceauth_t }; + + # Xserver read/write client shm + allow xserver_t $2:fd use; + allow xserver_t $2:shm rw_shm_perms; + + domtrans_pattern($2, xserver_exec_t, xserver_t) + allow xserver_t $2:process { getpgid signal }; + + allow xserver_t $2:shm rw_shm_perms; + + allow $2 user_fonts_t:dir list_dir_perms; + allow $2 user_fonts_t:file read_file_perms; + allow $2 user_fonts_t:lnk_file read_lnk_file_perms; + + allow $2 user_fonts_config_t:dir list_dir_perms; + allow $2 user_fonts_config_t:file read_file_perms; + + manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) + manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) + + stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) + allow $2 xserver_tmp_t:sock_file delete_sock_file_perms; + files_search_tmp($2) + + # Communicate via System V shared memory. 
+ allow $2 xserver_t:shm r_shm_perms; + allow $2 xserver_tmpfs_t:file read_file_perms; + + # allow ps to show iceauth + ps_process_pattern($2, iceauth_t) + + domtrans_pattern($2, iceauth_exec_t, iceauth_t) + + allow $2 iceauth_home_t:file read_file_perms; + + domtrans_pattern($2, xauth_exec_t, xauth_t) + + allow $2 xauth_t:process signal; + + # allow ps to show xauth + ps_process_pattern($2, xauth_t) + allow $2 xserver_t:process signal; + + allow $2 xauth_home_t:file read_file_perms; + + # for when /tmp/.X11-unix is created by the system + allow $2 xdm_t:fd use; + allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms; + allow $2 xdm_tmp_t:dir search_dir_perms; + allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms; + dontaudit $2 xdm_t:tcp_socket { read write }; + dontaudit $2 xdm_tmp_t:dir setattr_dir_perms; + + allow $2 xdm_t:dbus send_msg; + allow xdm_t $2:dbus send_msg; + + # Client read xserver shm + allow $2 xserver_t:fd use; + allow $2 xserver_tmpfs_t:file read_file_perms; + + # Read /tmp/.X0-lock + allow $2 xserver_tmp_t:file read_inherited_file_perms; + + dev_rw_xserver_misc($2) + dev_rw_power_management($2) + dev_read_input($2) + dev_read_misc($2) + dev_write_misc($2) + # open office is looking for the following + dev_getattr_agp_dev($2) + + # GNOME checks for usb and other devices: + dev_rw_usbfs($2) + + miscfiles_read_fonts($2) + miscfiles_setattr_fonts_cache_dirs($2) + miscfiles_read_hwdata($2) + + xserver_common_x_domain_template(user, $2) + xserver_xsession_entry_type($2) + xserver_dontaudit_write_log($2) + xserver_stream_connect_xdm($2) + # certain apps want to read xdm.pid file + xserver_read_xdm_pid($2) + # gnome-session creates socket under /tmp/.ICE-unix/ + xserver_create_xdm_tmp_sockets($2) + # Needed for escd, remove if we get escd policy + xserver_manage_xdm_tmp_files($2) + xserver_read_xdm_etc_files($2) + + ifdef(`hide_broken_symptoms',` + dontaudit iceauth_t $2:socket_class_set { read write }; + ') + + # Client write xserver shm + 
tunable_policy(`allow_write_xshm',` + allow $2 xserver_t:shm rw_shm_perms; + allow $2 xserver_tmpfs_t:file rw_file_perms; + ') + + tunable_policy(`user_direct_dri',` + dev_rw_dri($2) + ') + + optional_policy(` + gnome_read_gconf_config($2) + ') +') + +######################################## +## <summary> +## Rules required for using the X Windows server +## and environment. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_role',` + gen_require(` + type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t; + type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; + ') + + xserver_restricted_role($1, $2) + + # Communicate via System V shared memory. + allow $2 xserver_t:shm rw_shm_perms; + allow $2 xserver_tmpfs_t:file rw_file_perms; + + allow $2 iceauth_home_t:file manage_file_perms; + allow $2 iceauth_home_t:file relabel_file_perms; + + allow $2 xauth_home_t:file manage_file_perms; + allow $2 xauth_home_t:file relabel_file_perms; + + mls_xwin_read_to_clearance($2) + manage_dirs_pattern($2, user_fonts_t, user_fonts_t) + manage_files_pattern($2, user_fonts_t, user_fonts_t) + allow $2 user_fonts_t:lnk_file read_lnk_file_perms; + relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) + relabel_files_pattern($2, user_fonts_t, user_fonts_t) + + manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) + manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) + relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) + relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) + + manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) + manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) + relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) + relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) +') + 
+####################################### +## <summary> +## Create sessions on the X server, with read-only +## access to the X server shared +## memory segments. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="tmpfs_type"> +## <summary> +## The type of the domain SYSV tmpfs files. +## </summary> +## </param> +# +interface(`xserver_ro_session',` + gen_require(` + type xserver_t, xserver_tmp_t, xserver_tmpfs_t; + ') + + # Xserver read/write client shm + allow xserver_t $1:fd use; + allow xserver_t $1:shm rw_shm_perms; + allow xserver_t $2:file rw_file_perms; + + # Connect to xserver + allow $1 xserver_t:unix_stream_socket connectto; + allow $1 xserver_t:process signal; + + # Read /tmp/.X0-lock + allow $1 xserver_tmp_t:file read_file_perms; + + # Client read xserver shm + allow $1 xserver_t:fd use; + allow $1 xserver_t:shm r_shm_perms; + allow $1 xserver_tmpfs_t:file read_file_perms; +') + +####################################### +## <summary> +## Create sessions on the X server, with read and write +## access to the X server shared +## memory segments. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="tmpfs_type"> +## <summary> +## The type of the domain SYSV tmpfs files. +## </summary> +## </param> +# +interface(`xserver_rw_session',` + gen_require(` + type xserver_t, xserver_tmpfs_t; + ') + + xserver_ro_session($1, $2) + allow $1 xserver_t:shm rw_shm_perms; + allow $1 xserver_tmpfs_t:file rw_file_perms; +') + +####################################### +## <summary> +## Create non-drawing client sessions on an X server. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`xserver_non_drawing_client',` + gen_require(` + class x_drawable { getattr get_property }; + class x_extension { query use }; + class x_gc { create setattr }; + class x_property read; + + type xserver_t, xdm_var_run_t; + type xextension_t, xproperty_t, root_xdrawable_t; + ') + + allow $1 self:x_gc { create setattr }; + + allow $1 xdm_var_run_t:dir search_dir_perms; + allow $1 xserver_t:unix_stream_socket connectto; + + allow $1 xextension_t:x_extension { query use }; + allow $1 root_xdrawable_t:x_drawable { getattr get_property }; + allow $1 xproperty_t:x_property read; +') + +####################################### +## <summary> +## Create full client sessions +## on a user X server. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="tmpfs_type"> +## <summary> +## The type of the domain SYSV tmpfs files. +## </summary> +## </param> +# +interface(`xserver_user_client',` + refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') + gen_require(` + type xdm_t, xdm_tmp_t; + type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; + ') + + allow $1 self:shm create_shm_perms; + allow $1 self:unix_dgram_socket create_socket_perms; + allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; + + # Read .Xauthority file + allow $1 xauth_home_t:file read_file_perms; + allow $1 iceauth_home_t:file read_file_perms; + + # for when /tmp/.X11-unix is created by the system + allow $1 xdm_t:fd use; + allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; + allow $1 xdm_tmp_t:dir search_dir_perms; + allow $1 xdm_tmp_t:sock_file { read write }; + dontaudit $1 xdm_t:tcp_socket { read write }; + + # Allow connections to X server. 
+ files_search_tmp($1) + + miscfiles_read_fonts($1) + + userdom_search_user_home_dirs($1) + # for .xsession-errors + userdom_dontaudit_write_user_home_content_files($1) + + xserver_ro_session($1,$2) + xserver_use_user_fonts($1) + + xserver_read_xdm_tmp_files($1) + + # Client write xserver shm + tunable_policy(`allow_write_xshm',` + allow $1 xserver_t:shm rw_shm_perms; + allow $1 xserver_tmpfs_t:file rw_file_perms; + ') +') + +####################################### +## <summary> +## Interface to provide X object permissions on a given X server to +## an X client domain. Provides the minimal set required by a basic +## X client application. +## </summary> +## <param name="prefix"> +## <summary> +## The prefix of the X client domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +## <param name="domain"> +## <summary> +## Client domain allowed access. +## </summary> +## </param> +# +template(`xserver_common_x_domain_template',` + gen_require(` + type root_xdrawable_t, xdm_t, xserver_t; + type xproperty_t, $1_xproperty_t; + type xevent_t, client_xevent_t; + type input_xevent_t, $1_input_xevent_t; + + attribute x_domain, input_xevent_type; + attribute xdrawable_type, xcolormap_type; + + class x_drawable all_x_drawable_perms; + class x_property all_x_property_perms; + class x_event all_x_event_perms; + class x_synthetic_event all_x_synthetic_event_perms; + class x_client destroy; + class x_server manage; + class x_screen { saver_setattr saver_hide saver_show }; + class x_pointer { get_property set_property manage }; + class x_keyboard { read manage }; + ') + + ############################## + # + # Local Policy + # + + # Type attributes + typeattribute $2 x_domain; + typeattribute $2 xdrawable_type, xcolormap_type; + + # X Properties + # disable property transitions for the time being. 
+# type_transition $2 xproperty_t:x_property $1_xproperty_t; + + # X Windows + # new windows have the domain type + type_transition $2 root_xdrawable_t:x_drawable $2; + + # X Input + # distinguish input events + type_transition $2 input_xevent_t:x_event $1_input_xevent_t; + # can send own events + allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } send; + # can receive own events + allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; + # can receive default events + allow $2 client_xevent_t:{ x_event x_synthetic_event } receive; + allow $2 xevent_t:{ x_event x_synthetic_event } receive; + # dont audit send failures + dontaudit $2 input_xevent_type:x_event send; + + allow $2 xdm_t:x_drawable { hide read add_child manage }; + allow $2 xdm_t:x_client destroy; + + allow $2 root_xdrawable_t:x_drawable write; + allow $2 xserver_t:x_server manage; + allow $2 xserver_t:x_screen { saver_setattr saver_hide saver_show }; + allow $2 xserver_t:x_pointer { get_property set_property manage }; + allow $2 xserver_t:x_keyboard { read manage }; +') + +####################################### +## <summary> +## Template for creating the set of types used +## in an X windows domain. +## </summary> +## <param name="prefix"> +## <summary> +## The prefix of the X client domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +# +template(`xserver_object_types_template',` + gen_require(` + attribute xproperty_type, input_xevent_type, xevent_type; + ') + + ############################## + # + # Declarations + # + + # Types for properties + type $1_xproperty_t, xproperty_type; + ubac_constrained($1_xproperty_t) + + # Types for events + type $1_input_xevent_t, input_xevent_type, xevent_type; + ubac_constrained($1_input_xevent_t) +') + +####################################### +## <summary> +## Interface to provide X object permissions on a given X server to +## an X client domain. Provides the minimal set required by a basic +## X client application. 
+## </summary> +## <param name="prefix"> +## <summary> +## The prefix of the X client domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +## <param name="domain"> +## <summary> +## Client domain allowed access. +## </summary> +## </param> +## <param name="tmpfs_type"> +## <summary> +## The type of the domain SYSV tmpfs files. +## </summary> +## </param> +# +template(`xserver_user_x_domain_template',` + gen_require(` + type xdm_t, xdm_tmp_t, xserver_tmpfs_t; + type xauth_home_t, iceauth_home_t, xserver_t; + ') + + allow $2 self:shm create_shm_perms; + allow $2 self:unix_dgram_socket create_socket_perms; + allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; + + # Read .Xauthority file + allow $2 xauth_home_t:file read_file_perms; + allow $2 iceauth_home_t:file read_file_perms; + + # for when /tmp/.X11-unix is created by the system + allow $2 xdm_t:fd use; + allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms; + allow $2 xdm_tmp_t:dir search_dir_perms; + allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms; + dontaudit $2 xdm_t:tcp_socket { read write }; + + # Allow connections to X server. + files_search_tmp($2) + + miscfiles_read_fonts($2) + + userdom_search_user_home_dirs($2) + # for .xsession-errors + userdom_dontaudit_write_user_home_content_files($2) + + xserver_ro_session($2, $3) + xserver_use_user_fonts($2) + + xserver_read_xdm_tmp_files($2) + xserver_read_xdm_pid($2) + + # X object manager + xserver_object_types_template($1) + xserver_common_x_domain_template($1, $2) + + # Client write xserver shm + tunable_policy(`allow_write_xshm',` + allow $2 xserver_t:shm rw_shm_perms; + allow $2 xserver_tmpfs_t:file rw_file_perms; + ') + + tunable_policy(`user_direct_dri',` + dev_rw_dri($2) + ') +') + +######################################## +## <summary> +## Read user fonts, user font configuration, +## and manage the user font cache. 
+## </summary> +## <desc> +## <p> +## Read user fonts, user font configuration, +## and manage the user font cache. +## </p> +## <p> +## This is a templated interface, and should only +## be called from a per-userdomain template. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_use_user_fonts',` + gen_require(` + type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; + ') + + # Read per user fonts + allow $1 user_fonts_t:dir list_dir_perms; + allow $1 user_fonts_t:file read_file_perms; + allow $1 user_fonts_t:lnk_file read_lnk_file_perms; + + # Manipulate the global font cache + manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) + manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t) + + # Read per user font config + allow $1 user_fonts_config_t:dir list_dir_perms; + allow $1 user_fonts_config_t:file read_file_perms; + + userdom_search_user_home_dirs($1) +') + +######################################## +## <summary> +## Transition to the Xauthority domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`xserver_domtrans_xauth',` + gen_require(` + type xauth_t, xauth_exec_t; + ') + + domtrans_pattern($1, xauth_exec_t, xauth_t) + + ifdef(`hide_broken_symptoms',` + dontaudit xauth_t $1:socket_class_set { read write }; + ') +') + +######################################## +## <summary> +## Dontaudit exec of Xauthority program. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_dontaudit_exec_xauth',` + gen_require(` + type xauth_exec_t; + ') + + dontaudit $1 xauth_exec_t:file execute; +') + +######################################## +## <summary> +## Create a Xauthority file in the user home directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`xserver_user_home_dir_filetrans_user_xauth',` + gen_require(` + type xauth_home_t; + ') + + userdom_user_home_dir_filetrans($1, xauth_home_t, file) +') + +######################################## +## <summary> +## Read all users fonts, user font configurations, +## and manage all users font caches. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_use_all_users_fonts',` + refpolicywarn(`$0() has been deprecated, please use xserver_use_user_fonts.') + xserver_use_user_fonts($1) +') + +######################################## +## <summary> +## Read all users .Xauthority. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_read_user_xauth',` + gen_require(` + type xauth_home_t; + ') + + allow $1 xauth_home_t:file read_file_perms; + userdom_search_user_home_dirs($1) + xserver_read_xdm_pid($1) +') + +######################################## +## <summary> +## Set the attributes of the X windows console named pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_setattr_console_pipes',` + gen_require(` + type xconsole_device_t; + ') + + allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms; +') + +######################################## +## <summary> +## Read and write the X windows console named pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_rw_console',` + gen_require(` + type xconsole_device_t; + ') + + allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## <summary> +## Use file descriptors for xdm. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`xserver_use_xdm_fds',` + gen_require(` + type xdm_t; + ') + + allow $1 xdm_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to inherit +## XDM file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`xserver_dontaudit_use_xdm_fds',` + gen_require(` + type xdm_t; + ') + + dontaudit $1 xdm_t:fd use; +') + +######################################## +## <summary> +## Read and write XDM unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_rw_xdm_pipes',` + gen_require(` + type xdm_t; + ') + + allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read and write +## XDM unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`xserver_dontaudit_rw_xdm_pipes',` + gen_require(` + type xdm_t; + ') + + dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## <summary> +## Connect to XDM over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_stream_connect_xdm',` + gen_require(` + type xdm_t, xdm_tmp_t, xdm_var_run_t; + ') + + files_search_tmp($1) + files_search_pids($1) + stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t) +') + +######################################## +## <summary> +## Read xdm-writable configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`xserver_read_xdm_rw_config',` + gen_require(` + type xdm_rw_etc_t; + ') + + files_search_etc($1) + allow $1 xdm_rw_etc_t:file read_file_perms; +') + +######################################## +## <summary> +## Set the attributes of XDM temporary directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_setattr_xdm_tmp_dirs',` + gen_require(` + type xdm_tmp_t; + ') + + allow $1 xdm_tmp_t:dir setattr_dir_perms; +') + +######################################## +## <summary> +## Create a named socket in a XDM +## temporary directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_create_xdm_tmp_sockets',` + gen_require(` + type xdm_tmp_t; + ') + + files_search_tmp($1) + allow $1 xdm_tmp_t:dir list_dir_perms; + create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) +') + +######################################## +## <summary> +## Read XDM pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_read_xdm_pid',` + gen_require(` + type xdm_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, xdm_var_run_t, xdm_var_run_t) +') + +######################################## +## <summary> +## Read XDM var lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_read_xdm_lib_files',` + gen_require(` + type xdm_var_lib_t; + ') + + allow $1 xdm_var_lib_t:file read_file_perms; +') + +######################################## +## <summary> +## Make an X session script an entrypoint for the specified domain. +## </summary> +## <param name="domain"> +## <summary> +## The domain for which the shell is an entrypoint. 
+## </summary> +## </param> +# +interface(`xserver_xsession_entry_type',` + gen_require(` + type xsession_exec_t; + ') + + domain_entry_file($1, xsession_exec_t) +') + +######################################## +## <summary> +## Execute an X session in the target domain. This +## is an explicit transition, requiring the +## caller to use setexeccon(). +## </summary> +## <desc> +## <p> +## Execute an Xsession in the target domain. This +## is an explicit transition, requiring the +## caller to use setexeccon(). +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the shell process. +## </summary> +## </param> +# +interface(`xserver_xsession_spec_domtrans',` + gen_require(` + type xsession_exec_t; + ') + + domain_trans($1, xsession_exec_t, $2) +') + +######################################## +## <summary> +## Get the attributes of X server logs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_getattr_log',` + gen_require(` + type xserver_log_t; + ') + + logging_search_logs($1) + allow $1 xserver_log_t:file getattr_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to write the X server +## log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`xserver_dontaudit_write_log',` + gen_require(` + type xserver_log_t; + ') + + dontaudit $1 xserver_log_t:file rw_inherited_file_perms; +') + +######################################## +## <summary> +## Delete X server log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`xserver_delete_log',` + gen_require(` + type xserver_log_t; + ') + + logging_search_logs($1) + allow $1 xserver_log_t:dir list_dir_perms; + delete_files_pattern($1, xserver_log_t, xserver_log_t) + delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t) +') + +######################################## +## <summary> +## Read X keyboard extension libraries. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_read_xkb_libs',` + gen_require(` + type xkb_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 xkb_var_lib_t:dir list_dir_perms; + read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) + read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) +') + +######################################## +## <summary> +## Read xdm config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit +## </summary> +## </param> +# +interface(`xserver_read_xdm_etc_files',` + gen_require(` + type xdm_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, xdm_etc_t, xdm_etc_t) + read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t) +') + +######################################## +## <summary> +## Manage xdm config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit +## </summary> +## </param> +# +interface(`xserver_manage_xdm_etc_files',` + gen_require(` + type xdm_etc_t; + ') + + files_search_etc($1) + manage_files_pattern($1, xdm_etc_t, xdm_etc_t) +') + +######################################## +## <summary> +## Read xdm temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`xserver_read_xdm_tmp_files',` + gen_require(` + type xdm_tmp_t; + ') + + files_search_tmp($1) + read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) +') + +######################################## +## <summary> +## Do not audit attempts to read xdm temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`xserver_dontaudit_read_xdm_tmp_files',` + gen_require(` + type xdm_tmp_t; + ') + + dontaudit $1 xdm_tmp_t:dir search_dir_perms; + dontaudit $1 xdm_tmp_t:file read_file_perms; +') + +######################################## +## <summary> +## Read write xdm temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_rw_xdm_tmp_files',` + gen_require(` + type xdm_tmp_t; + ') + + allow $1 xdm_tmp_t:dir search_dir_perms; + allow $1 xdm_tmp_t:file rw_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete xdm temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_manage_xdm_tmp_files',` + gen_require(` + type xdm_tmp_t; + ') + + manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t) +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes of +## xdm temporary named sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` + gen_require(` + type xdm_tmp_t; + ') + + dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms; +') + +######################################## +## <summary> +## Execute the X server in the X server domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`xserver_domtrans',` + gen_require(` + type xserver_t, xserver_exec_t; + ') + + allow $1 xserver_t:process siginh; + domtrans_pattern($1, xserver_exec_t, xserver_t) + + allow xserver_t $1:process getpgid; +') + +######################################## +## <summary> +## Signal X servers +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_signal',` + gen_require(` + type xserver_t; + ') + + allow $1 xserver_t:process signal; +') + +######################################## +## <summary> +## Kill X servers +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_kill',` + gen_require(` + type xserver_t; + ') + + allow $1 xserver_t:process sigkill; +') + +######################################## +## <summary> +## Read and write X server Sys V Shared +## memory segments. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_rw_shm',` + gen_require(` + type xserver_t; + ') + + allow $1 xserver_t:shm rw_shm_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read and write to +## X server sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`xserver_dontaudit_rw_tcp_sockets',` + gen_require(` + type xserver_t; + ') + + dontaudit $1 xserver_t:tcp_socket { read write }; +') + +######################################## +## <summary> +## Do not audit attempts to read and write X server +## unix domain stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`xserver_dontaudit_rw_stream_sockets',` + gen_require(` + type xserver_t; + ') + + dontaudit $1 xserver_t:unix_stream_socket { read write }; +') + +######################################## +## <summary> +## Connect to the X server over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_stream_connect',` + gen_require(` + type xserver_t, xserver_tmp_t; + ') + + files_search_tmp($1) + stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) + allow xserver_t $1:shm rw_shm_perms; +') + +######################################## +## <summary> +## Read X server temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_read_tmp_files',` + gen_require(` + type xserver_tmp_t; + ') + + allow $1 xserver_tmp_t:file read_file_perms; + files_search_tmp($1) +') + +######################################## +## <summary> +## Interface to provide X object permissions on a given X server to +## an X client domain. Gives the domain permission to read the +## virtual core keyboard and virtual core pointer devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`xserver_manage_core_devices',` + gen_require(` + type xserver_t, root_xdrawable_t; + class x_device all_x_device_perms; + class x_pointer all_x_pointer_perms; + class x_keyboard all_x_keyboard_perms; + class x_screen all_x_screen_perms; + class x_drawable { manage }; + attribute x_domain; + class x_drawable { read manage setattr show }; + class x_resource { write read }; + ') + + allow $1 xserver_t:{ x_device x_pointer x_keyboard } *; + allow $1 xserver_t:{ x_screen } setattr; + + allow $1 x_domain:x_drawable { read manage setattr show }; + allow $1 x_domain:x_resource { write read }; + allow $1 root_xdrawable_t:x_drawable { manage read }; +') + +######################################## +## <summary> +## Interface to provide X object permissions on a given X server to +## an X client domain. Gives the domain complete control over the +## display. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_unconfined',` + gen_require(` + attribute x_domain, xserver_unconfined_type; + ') + + typeattribute $1 x_domain; + typeattribute $1 xserver_unconfined_type; +') + +######################################## +## <summary> +## Dontaudit append to .xsession-errors file +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit +## </summary> +## </param> +# +interface(`xserver_dontaudit_append_xdm_home_files',` + gen_require(` + type xdm_home_t, xserver_tmp_t; + ') + + dontaudit $1 xdm_home_t:file rw_inherited_file_perms; + dontaudit $1 xserver_tmp_t:file rw_inherited_file_perms; + + tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_rw_cifs_files($1) + ') +') + +######################################## +## <summary> +## append to .xsession-errors file +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit +## </summary> +## 
</param> +# +interface(`xserver_append_xdm_home_files',` + gen_require(` + type xdm_home_t, xserver_tmp_t; + ') + + allow $1 xdm_home_t:file append_file_perms; + allow $1 xserver_tmp_t:file append_file_perms; + + tunable_policy(`use_nfs_home_dirs',` + fs_append_nfs_files($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_append_cifs_files($1) + ') +') + +######################################## +## <summary> +## Manage the xdm_spool files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_xdm_manage_spool',` + gen_require(` + type xdm_spool_t; + ') + + files_search_spool($1) + manage_files_pattern($1, xdm_spool_t, xdm_spool_t) +') + +######################################## +## <summary> +## Send and receive messages from +## xdm over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_dbus_chat_xdm',` + gen_require(` + type xdm_t; + class dbus send_msg; + ') + + allow $1 xdm_t:dbus send_msg; + allow xdm_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Read xserver files created in /var/run +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_read_pid',` + gen_require(` + type xserver_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, xserver_var_run_t, xserver_var_run_t) +') + +######################################## +## <summary> +## Execute xserver files created in /var/run +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`xserver_exec_pid',` + gen_require(` + type xserver_var_run_t; + ') + + files_search_pids($1) + exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t) +') + +######################################## +## <summary> +## Write xserver files created in /var/run +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_write_pid',` + gen_require(` + type xserver_var_run_t; + ') + + files_search_pids($1) + write_files_pattern($1, xserver_var_run_t, xserver_var_run_t) +') + +######################################## +## <summary> +## Allow append the xdm +## log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit +## </summary> +## </param> +# +interface(`xserver_xdm_append_log',` + gen_require(` + type xdm_log_t; + attribute xdmhomewriter; + ') + + typeattribute $1 xdmhomewriter; + append_files_pattern($1, xdm_log_t, xdm_log_t) +') + +######################################## +## <summary> +## Read a user Iceauthority domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_read_user_iceauth',` + gen_require(` + type iceauth_home_t; + ') + + # Read .Iceauthority file + allow $1 iceauth_home_t:file read_file_perms; +') + +######################################## +## <summary> +## Read/write inherited user homedir fonts. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_rw_inherited_user_fonts',` + gen_require(` + type user_fonts_t, user_fonts_config_t; + ') + + allow $1 user_fonts_t:file rw_inherited_file_perms; + allow $1 user_fonts_t:file read_lnk_file_perms; + + allow $1 user_fonts_config_t:file rw_inherited_file_perms; +') + +######################################## +## <summary> +## Search XDM var lib dirs. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_search_xdm_lib',` + gen_require(` + type xdm_var_lib_t; + ') + + allow $1 xdm_var_lib_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Make an X executable an entrypoint for the specified domain. +## </summary> +## <param name="domain"> +## <summary> +## The domain for which the shell is an entrypoint. +## </summary> +## </param> +# +interface(`xserver_entry_type',` + gen_require(` + type xserver_exec_t; + ') + + domain_entry_file($1, xserver_exec_t) +') + +######################################## +## <summary> +## Execute xsever in the xserver domain, and +## allow the specified role the xserver domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the xserver domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`xserver_run',` + gen_require(` + type xserver_t; + ') + + xserver_domtrans($1) + role $2 types xserver_t; +') + +######################################## +## <summary> +## Execute xsever in the xserver domain, and +## allow the specified role the xserver domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the xserver domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`xserver_run_xauth',` + gen_require(` + type xauth_t; + ') + + xserver_domtrans_xauth($1) + role $2 types xauth_t; +') + +######################################## +## <summary> +## Read user homedir fonts. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`xserver_read_home_fonts',` + gen_require(` + type user_fonts_t, user_fonts_config_t; + ') + + list_dirs_pattern($1, user_fonts_t, user_fonts_t) + read_files_pattern($1, user_fonts_t, user_fonts_t) + read_lnk_files_pattern($1, user_fonts_t, user_fonts_t) + + read_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') + +######################################## +## <summary> +## Manage user homedir fonts. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`xserver_manage_home_fonts',` + gen_require(` + type user_fonts_t, user_fonts_config_t; + ') + + manage_dirs_pattern($1, user_fonts_t, user_fonts_t) + manage_files_pattern($1, user_fonts_t, user_fonts_t) + manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t) + + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te new file mode 100644 index 0000000..edd7260 --- /dev/null +++ b/policy/modules/services/xserver.te 
@@ -0,0 +1,1370 @@ +policy_module(xserver, 3.4.2) + +gen_require(` + class x_drawable all_x_drawable_perms; + class x_screen all_x_screen_perms; + class x_gc all_x_gc_perms; + class x_font all_x_font_perms; + class x_colormap all_x_colormap_perms; + class x_property all_x_property_perms; + class x_selection all_x_selection_perms; + class x_cursor all_x_cursor_perms; + class x_client all_x_client_perms; + class x_device all_x_device_perms; + class x_pointer all_x_pointer_perms; + class x_keyboard all_x_keyboard_perms; + class x_server all_x_server_perms; + class x_extension all_x_extension_perms; + class x_resource all_x_resource_perms; + class x_event all_x_event_perms; + class x_synthetic_event all_x_synthetic_event_perms; +') + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allows clients to write to the X server shared +## memory segments. +## </p> +## </desc> +gen_tunable(allow_write_xshm, false) + +## <desc> +## <p> +## Allows XServer to execute writable memory +## </p> +## </desc> +gen_tunable(allow_xserver_execmem, false) + +## <desc> +## <p> +## Allow xdm logins as sysadm +## </p> +## </desc> +gen_tunable(xdm_sysadm_login, false) + +## <desc> +## <p> +## Support X userspace object manager +## </p> +## </desc> +gen_tunable(xserver_object_manager, false) + +## <desc> +## <p> +## Allow regular users direct dri device access +## </p> +## </desc> +gen_tunable(user_direct_dri, false) + +attribute xdmhomewriter; +attribute x_userdomain; +attribute x_domain; + +# X Events +attribute xevent_type; +attribute input_xevent_type; +type xevent_t, xevent_type; +typealias xevent_t alias { user_property_xevent_t staff_property_xevent_t sysadm_property_xevent_t }; +typealias xevent_t alias { auditadm_property_xevent_t secadm_property_xevent_t }; +typealias xevent_t alias { user_focus_xevent_t staff_focus_xevent_t sysadm_focus_xevent_t }; +typealias xevent_t alias { auditadm_focus_xevent_t secadm_focus_xevent_t }; +typealias xevent_t 
alias { user_manage_xevent_t staff_manage_xevent_t sysadm_manage_xevent_t }; +typealias xevent_t alias { auditadm_manage_xevent_t secadm_manage_xevent_t }; +typealias xevent_t alias { user_default_xevent_t staff_default_xevent_t sysadm_default_xevent_t }; +typealias xevent_t alias { auditadm_default_xevent_t secadm_default_xevent_t }; + +type client_xevent_t, xevent_type; +typealias client_xevent_t alias { user_client_xevent_t staff_client_xevent_t sysadm_client_xevent_t }; +typealias client_xevent_t alias { auditadm_client_xevent_t secadm_client_xevent_t }; + +type input_xevent_t, xevent_type, input_xevent_type; + +# X Extensions +attribute xextension_type; +type xextension_t, xextension_type; +type security_xextension_t, xextension_type; + +# X Properties +attribute xproperty_type; +type xproperty_t, xproperty_type; +type seclabel_xproperty_t, xproperty_type; +type clipboard_xproperty_t, xproperty_type; + +# X Selections +attribute xselection_type; +type xselection_t, xselection_type; +type clipboard_xselection_t, xselection_type; +#type settings_xselection_t, xselection_type; +#type dbus_xselection_t, xselection_type; + +# X Drawables +attribute xdrawable_type; +attribute xcolormap_type; +type root_xdrawable_t, xdrawable_type; +type root_xcolormap_t, xcolormap_type; + +attribute xserver_unconfined_type; + +xserver_object_types_template(root) +xserver_object_types_template(user) + +typealias user_xproperty_t alias { staff_xproperty_t sysadm_xproperty_t }; +typealias user_xproperty_t alias { auditadm_xproperty_t secadm_xproperty_t }; +typealias user_input_xevent_t alias { staff_input_xevent_t sysadm_input_xevent_t }; +typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xevent_t }; + +type remote_t; +xserver_object_types_template(remote) +xserver_common_x_domain_template(remote, remote_t) + +type user_fonts_t; +typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; +typealias user_fonts_t alias { auditadm_fonts_t secadm_fonts_t }; 
+typealias user_fonts_t alias { xguest_fonts_t unconfined_fonts_t user_fonts_home_t }; +userdom_user_home_content(user_fonts_t) + +type user_fonts_cache_t; +typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t }; +typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t }; +typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t }; +userdom_user_home_content(user_fonts_cache_t) + +type user_fonts_config_t; +typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t }; +typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t }; +typealias user_fonts_config_t alias { fonts_config_home_t xguest_fonts_config_t unconfined_fonts_config_t }; +userdom_user_home_content(user_fonts_config_t) + +type iceauth_t; +type iceauth_exec_t; +typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t }; +typealias iceauth_t alias { xguest_iceauth_t }; +typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; +application_domain(iceauth_t, iceauth_exec_t) +ubac_constrained(iceauth_t) + +type iceauth_home_t; +typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; +typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; +typealias iceauth_home_t alias { xguest_iceauth_home_t }; +userdom_user_home_content(iceauth_home_t) + +type xauth_t; +type xauth_exec_t; +typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t }; +typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t }; +typealias xauth_t alias { xguest_xauth_t unconfined_xauth_t }; +application_domain(xauth_t, xauth_exec_t) +ubac_constrained(xauth_t) + +type xauth_home_t; +typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t }; +typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t }; +typealias xauth_home_t alias { xguest_xauth_home_t 
unconfined_xauth_home_t }; +userdom_user_home_content(xauth_home_t) + +type xauth_tmp_t; +typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t }; +typealias xauth_tmp_t alias { xguest_xauth_tmp_t unconfined_xauth_tmp_t }; +typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; +files_tmp_file(xauth_tmp_t) +ubac_constrained(xauth_tmp_t) + +# this is not actually a device, its a pipe +type xconsole_device_t; +files_type(xconsole_device_t) +fs_associate_tmpfs(xconsole_device_t) +files_associate_tmp(xconsole_device_t) + +type xdm_t; +type xdm_exec_t; +auth_login_pgm_domain(xdm_t) +init_domain(xdm_t, xdm_exec_t) +init_system_domain(xdm_t, xdm_exec_t) +xserver_object_types_template(xdm) +xserver_common_x_domain_template(xdm, xdm_t) + +type xdm_lock_t; +files_lock_file(xdm_lock_t) + +type xdm_etc_t; +files_config_file(xdm_etc_t) + +type xdm_rw_etc_t; +files_config_file(xdm_rw_etc_t) + +type xdm_spool_t; +files_type(xdm_spool_t) + +type xdm_var_lib_t; +files_type(xdm_var_lib_t) + +type xdm_var_run_t; +files_pid_file(xdm_var_run_t) + +type xserver_var_lib_t; +files_type(xserver_var_lib_t) + +type xserver_var_run_t; +files_pid_file(xserver_var_run_t) + +type xdm_tmp_t; +files_tmp_file(xdm_tmp_t) +typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t }; +typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; +ubac_constrained(xdm_tmp_t) + +type xdm_tmpfs_t; +files_tmpfs_file(xdm_tmpfs_t) + +type xdm_home_t; +userdom_user_home_content(xdm_home_t) + +type xdm_log_t; +logging_log_file(xdm_log_t) + +# type for /var/lib/xkb +type xkb_var_lib_t; +files_type(xkb_var_lib_t) + +# Type for the executable used to start the X server, e.g. Xwrapper. 
+type xserver_t; +type xserver_exec_t; +typealias xserver_t alias { user_xserver_t staff_xserver_t sysadm_xserver_t }; +typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; +init_system_domain(xserver_t, xserver_exec_t) +ubac_constrained(xserver_t) + +type xserver_tmpfs_t; +typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t }; +typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t }; +files_tmpfs_file(xserver_tmpfs_t) +ubac_constrained(xserver_tmpfs_t) + +type xsession_exec_t; +corecmd_executable_file(xsession_exec_t) + +# Type for the X server log file. +type xserver_log_t; +logging_log_file(xserver_log_t) + +ifdef(`enable_mcs',` + init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh) +') + +optional_policy(` + prelink_object_file(xkb_var_lib_t) +') + +######################################## +# +# Iceauth local policy +# + +allow iceauth_t iceauth_home_t:file manage_file_perms; +userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file) + +allow xdm_t iceauth_home_t:file read_file_perms; + +dev_read_rand(iceauth_t) + +fs_search_auto_mountpoints(iceauth_t) + +userdom_use_user_terminals(iceauth_t) +userdom_read_user_tmp_files(iceauth_t) +userdom_read_all_users_state(iceauth_t) + +tunable_policy(`use_fusefs_home_dirs',` + fs_manage_fusefs_files(iceauth_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files(iceauth_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files(iceauth_t) +') + +ifdef(`hide_broken_symptoms',` + dev_dontaudit_read_urand(iceauth_t) + dev_dontaudit_rw_dri(iceauth_t) + dev_dontaudit_rw_generic_dev_nodes(iceauth_t) + fs_dontaudit_list_inotifyfs(iceauth_t) + fs_dontaudit_rw_anon_inodefs_files(iceauth_t) + term_dontaudit_use_unallocated_ttys(iceauth_t) + + 
userdom_dontaudit_read_user_home_content_files(iceauth_t) + userdom_dontaudit_write_user_home_content_files(iceauth_t) + userdom_dontaudit_write_user_tmp_files(iceauth_t) + + optional_policy(` + mozilla_dontaudit_rw_user_home_files(iceauth_t) + ') +') + +######################################## +# +# Xauth local policy +# + +allow xauth_t self:capability dac_override; +allow xauth_t self:process signal; +allow xauth_t self:unix_stream_socket create_stream_socket_perms; + +allow xauth_t xdm_t:process sigchld; +allow xauth_t xserver_t:unix_stream_socket connectto; + +corenet_tcp_connect_xserver_port(xauth_t) + +allow xauth_t xauth_home_t:file manage_file_perms; +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file) +userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file) + +manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) +manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) + +manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) +manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) +files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) + +stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t) + +kernel_read_system_state(xauth_t) + +domain_use_interactive_fds(xauth_t) +domain_dontaudit_leaks(xauth_t) + +files_read_etc_files(xauth_t) +files_read_usr_files(xauth_t) +files_search_pids(xauth_t) +files_dontaudit_getattr_all_dirs(xauth_t) +files_dontaudit_leaks(xauth_t) +files_var_lib_filetrans(xauth_t, xauth_home_t, file) + +fs_dontaudit_leaks(xauth_t) +fs_getattr_all_fs(xauth_t) +fs_search_auto_mountpoints(xauth_t) + +# Probably a leak +term_dontaudit_use_ptmx(xauth_t) +term_dontaudit_use_console(xauth_t) + +auth_use_nsswitch(xauth_t) + +userdom_use_user_terminals(xauth_t) +userdom_read_user_tmp_files(xauth_t) +userdom_read_all_users_state(xauth_t) + +xserver_rw_xdm_tmp_files(xauth_t) + +ifdef(`hide_broken_symptoms',` + fs_dontaudit_rw_anon_inodefs_files(xauth_t) + fs_dontaudit_list_inotifyfs(xauth_t) + 
userdom_manage_user_home_content_files(xauth_t) + userdom_manage_user_tmp_files(xauth_t) + dev_dontaudit_rw_generic_dev_nodes(xauth_t) + miscfiles_read_fonts(xauth_t) +') + +tunable_policy(`use_fusefs_home_dirs',` + fs_manage_fusefs_files(xauth_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files(xauth_t) + fs_read_nfs_symlinks(xauth_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files(xauth_t) +') + +ifdef(`hide_broken_symptoms',` + term_dontaudit_use_unallocated_ttys(xauth_t) + dev_dontaudit_rw_dri(xauth_t) +') + +optional_policy(` + nx_var_lib_filetrans(xauth_t, xauth_home_t, file) +') + +optional_policy(` + ssh_sigchld(xauth_t) + ssh_read_pipes(xauth_t) + ssh_dontaudit_rw_tcp_sockets(xauth_t) +') + +######################################## +# +# XDM Local policy +# + +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace }; +allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched setsched setrlimit signal_perms setkeycreate ptrace }; +allow xdm_t self:fifo_file rw_fifo_file_perms; +allow xdm_t self:shm create_shm_perms; +allow xdm_t self:sem create_sem_perms; +allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow xdm_t self:unix_dgram_socket { create_socket_perms sendto }; +allow xdm_t self:tcp_socket create_stream_socket_perms; +allow xdm_t self:udp_socket create_socket_perms; +allow xdm_t self:netlink_kobject_uevent_socket create_socket_perms; +allow xdm_t self:socket create_socket_perms; +allow xdm_t self:appletalk_socket create_socket_perms; +allow xdm_t self:key { search link write }; + +allow xdm_t xauth_home_t:file manage_file_perms; + +allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms }; +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) +manage_files_pattern(xdm_t, xkb_var_lib_t, 
xkb_var_lib_t) + +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) +userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file) +#Handle mislabeled files in homedir +userdom_delete_user_home_content_files(xdm_t) +userdom_signull_unpriv_users(xdm_t) +userdom_dontaudit_read_admin_home_lnk_files(xdm_t) + +# Allow gdm to run gdm-binary +can_exec(xdm_t, xdm_exec_t) + +allow xdm_t xdm_lock_t:file manage_file_perms; +files_lock_filetrans(xdm_t, xdm_lock_t, file) + +read_lnk_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) +read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) +# wdm has its own config dir /etc/X11/wdm +# this is ugly, daemons should not create files under /etc! +manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t) + +manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) +manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) +manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) +manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) +files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file }) +relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) +relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) + +manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) +manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) +manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) +manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) +manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) + +fs_getattr_all_fs(xdm_t) +fs_list_inotifyfs(xdm_t) +fs_read_noxattr_fs_files(xdm_t) +fs_dontaudit_list_fusefs(xdm_t) +fs_manage_cgroup_dirs(xdm_t) +fs_manage_cgroup_files(xdm_t) + +manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t) + +files_search_spool(xdm_t) +manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t) +manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t) +files_spool_filetrans(xdm_t, xdm_spool_t, { file dir }) + +manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) +manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) +manage_lnk_files_pattern(xdm_t, 
xdm_var_lib_t, xdm_var_lib_t) +manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) +files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir }) +# Read machine-id +files_read_var_lib_files(xdm_t) + +manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) +manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) +manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) +manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) +files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file }) + +allow xdm_t xserver_t:process { signal signull }; +allow xdm_t xserver_t:unix_stream_socket connectto; + +allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; +allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms }; + +# transition to the xdm xserver +domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) + +ps_process_pattern(xserver_t, xdm_t) +allow xserver_t xdm_t:process signal; +allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; + +allow xdm_t xserver_t:shm rw_shm_perms; +read_files_pattern(xdm_t, xserver_t, xserver_t) + +# connect to xdm xserver over stream socket +stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) + +# Remove /tmp/.X11-unix/X0. 
+delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) +delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) + +manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t) +manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t) +manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t) +logging_log_filetrans(xdm_t, xdm_log_t, { dir file }) + +manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t) +manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t) +manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t) + +kernel_read_system_state(xdm_t) +kernel_read_device_sysctls(xdm_t) +kernel_read_kernel_sysctls(xdm_t) +kernel_read_net_sysctls(xdm_t) +kernel_read_network_state(xdm_t) +kernel_request_load_module(xdm_t) +kernel_stream_connect(xdm_t) + +corecmd_exec_shell(xdm_t) +corecmd_exec_bin(xdm_t) +corecmd_dontaudit_write_bin_files(xdm_t) + +corenet_all_recvfrom_unlabeled(xdm_t) +corenet_all_recvfrom_netlabel(xdm_t) +corenet_tcp_sendrecv_generic_if(xdm_t) +corenet_udp_sendrecv_generic_if(xdm_t) +corenet_tcp_sendrecv_generic_node(xdm_t) +corenet_udp_sendrecv_generic_node(xdm_t) +corenet_tcp_sendrecv_all_ports(xdm_t) +corenet_udp_sendrecv_all_ports(xdm_t) +corenet_tcp_bind_generic_node(xdm_t) +corenet_udp_bind_generic_node(xdm_t) +corenet_udp_bind_ipp_port(xdm_t) +corenet_udp_bind_xdmcp_port(xdm_t) +corenet_tcp_connect_all_ports(xdm_t) +corenet_sendrecv_all_client_packets(xdm_t) +# xdm tries to bind to biff_port_t +corenet_dontaudit_tcp_bind_all_ports(xdm_t) + +dev_rwx_zero(xdm_t) +dev_read_rand(xdm_t) +dev_rw_sysfs(xdm_t) +dev_getattr_framebuffer_dev(xdm_t) +dev_setattr_framebuffer_dev(xdm_t) +dev_getattr_mouse_dev(xdm_t) +dev_setattr_mouse_dev(xdm_t) +dev_rw_apm_bios(xdm_t) +dev_rw_input_dev(xdm_t) +dev_setattr_apm_bios_dev(xdm_t) +dev_rw_dri(xdm_t) +dev_rw_agp(xdm_t) +dev_getattr_xserver_misc_dev(xdm_t) +dev_setattr_xserver_misc_dev(xdm_t) +dev_getattr_misc_dev(xdm_t) +dev_setattr_misc_dev(xdm_t) +dev_dontaudit_rw_misc(xdm_t) +dev_read_video_dev(xdm_t) 
+dev_write_video_dev(xdm_t) +dev_setattr_video_dev(xdm_t) +dev_getattr_scanner_dev(xdm_t) +dev_setattr_scanner_dev(xdm_t) +dev_read_sound(xdm_t) +dev_write_sound(xdm_t) +dev_getattr_power_mgmt_dev(xdm_t) +dev_setattr_power_mgmt_dev(xdm_t) +dev_getattr_null_dev(xdm_t) +dev_setattr_null_dev(xdm_t) + +domain_use_interactive_fds(xdm_t) +# Do not audit denied probes of /proc. +domain_dontaudit_read_all_domains_state(xdm_t) +domain_dontaudit_ptrace_all_domains(xdm_t) +domain_dontaudit_signal_all_domains(xdm_t) + +files_read_etc_files(xdm_t) +files_read_var_files(xdm_t) +files_read_etc_runtime_files(xdm_t) +files_exec_etc_files(xdm_t) +files_list_mnt(xdm_t) +# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme... +files_read_usr_files(xdm_t) +# Poweroff wants to create the /poweroff file when run from xdm +files_create_boot_flag(xdm_t) +files_dontaudit_getattr_boot_dirs(xdm_t) +files_dontaudit_write_usr_files(xdm_t) +files_dontaudit_getattr_all_dirs(xdm_t) +files_dontaudit_getattr_all_symlinks(xdm_t) + +fs_getattr_all_fs(xdm_t) +fs_search_auto_mountpoints(xdm_t) +fs_rw_anon_inodefs_files(xdm_t) +fs_mount_tmpfs(xdm_t) + +mls_socket_write_to_clearance(xdm_t) + +storage_dontaudit_read_fixed_disk(xdm_t) +storage_dontaudit_write_fixed_disk(xdm_t) +storage_dontaudit_setattr_fixed_disk_dev(xdm_t) +storage_dontaudit_raw_read_removable_device(xdm_t) +storage_dontaudit_raw_write_removable_device(xdm_t) +storage_dontaudit_setattr_removable_dev(xdm_t) +storage_dontaudit_rw_scsi_generic(xdm_t) +storage_dontaudit_rw_fuse(xdm_t) + +term_setattr_console(xdm_t) +term_use_console(xdm_t) +term_use_unallocated_ttys(xdm_t) +term_setattr_unallocated_ttys(xdm_t) +term_relabel_all_ttys(xdm_t) +term_relabel_unallocated_ttys(xdm_t) + +auth_domtrans_pam_console(xdm_t) +auth_manage_pam_pid(xdm_t) +auth_manage_pam_console_data(xdm_t) +auth_signal_pam(xdm_t) +auth_rw_faillog(xdm_t) +auth_write_login_records(xdm_t) + +# Run telinit->init to shutdown. 
+init_telinit(xdm_t) +init_dbus_chat(xdm_t) + +libs_exec_lib_files(xdm_t) + +logging_read_generic_logs(xdm_t) + +miscfiles_search_man_pages(xdm_t) +miscfiles_read_localization(xdm_t) +miscfiles_read_fonts(xdm_t) +miscfiles_manage_fonts_cache(xdm_t) +miscfiles_manage_localization(xdm_t) +miscfiles_read_hwdata(xdm_t) + +userdom_dontaudit_use_unpriv_user_fds(xdm_t) +userdom_create_all_users_keys(xdm_t) +# for .dmrc +userdom_read_user_home_content_files(xdm_t) +# Search /proc for any user domain processes. +userdom_read_all_users_state(xdm_t) +userdom_signal_all_users(xdm_t) +userdom_stream_connect(xdm_t) +userdom_manage_user_tmp_dirs(xdm_t) +userdom_manage_user_tmp_files(xdm_t) +userdom_manage_user_tmp_sockets(xdm_t) +userdom_manage_tmpfs_role(system_r, xdm_t) + +application_signal(xdm_t) + +xserver_rw_session(xdm_t, xdm_tmpfs_t) +xserver_unconfined(xdm_t) +xserver_domtrans_xauth(xdm_t) + +ifndef(`distro_redhat',` + allow xdm_t self:process { execheap execmem }; +') + +ifdef(`distro_rhel4',` + allow xdm_t self:process { execheap execmem }; +') + +tunable_policy(`use_fusefs_home_dirs',` + fs_manage_fusefs_dirs(xdm_t) + fs_manage_fusefs_files(xdm_t) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(xdm_t) + fs_manage_nfs_files(xdm_t) + fs_manage_nfs_symlinks(xdm_t) + fs_exec_nfs_files(xdm_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(xdm_t) + fs_manage_cifs_files(xdm_t) + fs_manage_cifs_symlinks(xdm_t) + fs_exec_cifs_files(xdm_t) +') + +tunable_policy(`xdm_sysadm_login',` + userdom_xsession_spec_domtrans_all_users(xdm_t) + # FIXME: +# xserver_rw_session_template(xdm,userdomain) +',` + userdom_xsession_spec_domtrans_unpriv_users(xdm_t) + # FIXME: +# xserver_rw_session_template(xdm,unpriv_userdomain) +# dontaudit xserver_t sysadm_t:shm { unix_read unix_write }; +# allow xserver_t xdm_tmpfs_t:file rw_file_perms; +') + +optional_policy(` + accountsd_read_lib_files(xdm_t) +') + +optional_policy(` + alsa_domtrans(xdm_t) + 
alsa_read_rw_config(xdm_t) +') + +optional_policy(` + consolekit_dbus_chat(xdm_t) + consolekit_read_log(xdm_t) +') + +optional_policy(` + consoletype_exec(xdm_t) +') + +optional_policy(` + # Use dbus to start other processes as xdm_t + dbus_role_template(xdm, system_r, xdm_t) + + dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms; + xserver_xdm_append_log(xdm_dbusd_t) + xserver_read_xdm_pid(xdm_dbusd_t) + + corecmd_bin_entry_type(xdm_t) + + dbus_system_bus_client(xdm_t) + + optional_policy(` + bluetooth_dbus_chat(xdm_t) + ') + + optional_policy(` + devicekit_dbus_chat_disk(xdm_t) + devicekit_dbus_chat_power(xdm_t) + ') + + optional_policy(` + hal_dbus_chat(xdm_t) + ') + + optional_policy(` + networkmanager_dbus_chat(xdm_t) + ') +') + +optional_policy(` + # Talk to the console mouse server. + gpm_stream_connect(xdm_t) + gpm_setattr_gpmctl(xdm_t) +') + +optional_policy(` + gnome_manage_config(xdm_t) + gnome_manage_gconf_home_files(xdm_t) + gnome_read_config(xdm_t) + gnome_read_gconf_config(xdm_t) +') + +optional_policy(` + hostname_exec(xdm_t) +') + +optional_policy(` + loadkeys_exec(xdm_t) +') + +optional_policy(` + locallogin_signull(xdm_t) +') + +optional_policy(` + # Do not audit attempts to check whether user root has email + mta_dontaudit_getattr_spool_files(xdm_t) +') + +optional_policy(` + policykit_dbus_chat(xdm_t) + policykit_domtrans_auth(xdm_t) + policykit_read_lib(xdm_t) + policykit_read_reload(xdm_t) + policykit_signal_auth(xdm_t) +') + +optional_policy(` + pcscd_stream_connect(xdm_t) +') + +optional_policy(` + plymouthd_search_spool(xdm_t) + plymouthd_exec_plymouth(xdm_t) + plymouthd_stream_connect(xdm_t) +') + +optional_policy(` + pulseaudio_exec(xdm_t) + pulseaudio_dbus_chat(xdm_t) + pulseaudio_stream_connect(xdm_t) +') + +optional_policy(` + resmgr_stream_connect(xdm_t) +') + +# On crash gdm execs gdb to dump stack +optional_policy(` + rpm_exec(xdm_t) + rpm_read_db(xdm_t) + rpm_dontaudit_manage_db(xdm_t) +') + +optional_policy(` + 
rtkit_scheduled(xdm_t) +') + +optional_policy(` + seutil_sigchld_newrole(xdm_t) +') + +optional_policy(` + ssh_signull(xdm_t) +') + +optional_policy(` + shutdown_domtrans(xdm_t) +') + +optional_policy(` + udev_read_db(xdm_t) +') + +optional_policy(` + unconfined_shell_domtrans(xdm_t) + unconfined_signal(xdm_t) +') + +optional_policy(` + userhelper_dontaudit_search_config(xdm_t) +') + +optional_policy(` + usermanage_read_crack_db(xdm_t) +') + +optional_policy(` + wm_exec(xdm_t) +') + +optional_policy(` + xfs_stream_connect(xdm_t) +') + +######################################## +# +# X server local policy +# + +# X Object Manager rules +type_transition xserver_t xserver_t:x_drawable root_xdrawable_t; +type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; + +allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; +allow xserver_t input_xevent_t:x_event send; + +# setuid/setgid for the wrapper program to change UID +# sys_rawio is for iopl access - should not be needed for frame-buffer +# sys_admin, locking shared mem? chowning IPC message queues or semaphores? +# admin of APM bios? +# sys_nice is so that the X server can set a negative nice value +# execheap needed until the X module loader is fixed. 
+# NVIDIA Needs execstack + +allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; +dontaudit xserver_t self:capability chown; +allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow xserver_t self:fd use; +allow xserver_t self:fifo_file rw_fifo_file_perms; +allow xserver_t self:sock_file read_sock_file_perms; +allow xserver_t self:shm create_shm_perms; +allow xserver_t self:sem create_sem_perms; +allow xserver_t self:msgq create_msgq_perms; +allow xserver_t self:msg { send receive }; +allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow xserver_t self:tcp_socket create_stream_socket_perms; +allow xserver_t self:udp_socket create_socket_perms; +allow xserver_t self:netlink_selinux_socket create_socket_perms; +allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms; + +allow xserver_t { input_xevent_t input_xevent_type }:x_event send; + +domtrans_pattern(xserver_t, xauth_exec_t, xauth_t) + +allow xserver_t xauth_home_t:file read_file_perms; + +manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) +manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) +manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) +files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) + +filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) + +manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) +manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) +manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) +manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) +manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) +fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file 
lnk_file sock_file fifo_file }) + +manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +files_search_var_lib(xserver_t) + +manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t) +manage_files_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t) +files_var_lib_filetrans(xserver_t, xserver_var_lib_t, dir) + +manage_dirs_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) +manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) +manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) +files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir }) + +# Create files in /var/log with the xserver_log_t type. +manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) +logging_log_filetrans(xserver_t, xserver_log_t, file) +manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t) + +kernel_read_system_state(xserver_t) +kernel_read_device_sysctls(xserver_t) +kernel_read_modprobe_sysctls(xserver_t) +# Xorg wants to check if kernel is tainted +kernel_read_kernel_sysctls(xserver_t) +kernel_write_proc_files(xserver_t) +kernel_request_load_module(xserver_t) + +# Run helper programs in xserver_t. 
+corecmd_exec_bin(xserver_t) +corecmd_exec_shell(xserver_t) + +corenet_all_recvfrom_unlabeled(xserver_t) +corenet_all_recvfrom_netlabel(xserver_t) +corenet_tcp_sendrecv_generic_if(xserver_t) +corenet_udp_sendrecv_generic_if(xserver_t) +corenet_tcp_sendrecv_generic_node(xserver_t) +corenet_udp_sendrecv_generic_node(xserver_t) +corenet_tcp_sendrecv_all_ports(xserver_t) +corenet_udp_sendrecv_all_ports(xserver_t) +corenet_tcp_bind_generic_node(xserver_t) +corenet_tcp_bind_xserver_port(xserver_t) +corenet_tcp_connect_all_ports(xserver_t) +corenet_sendrecv_xserver_server_packets(xserver_t) +corenet_sendrecv_all_client_packets(xserver_t) + +dev_rw_sysfs(xserver_t) +dev_rw_mouse(xserver_t) +dev_rw_mtrr(xserver_t) +dev_rw_apm_bios(xserver_t) +dev_rw_agp(xserver_t) +dev_rw_framebuffer(xserver_t) +dev_manage_dri_dev(xserver_t) +dev_create_generic_dirs(xserver_t) +dev_setattr_generic_dirs(xserver_t) +# raw memory access is needed if not using the frame buffer +dev_read_raw_memory(xserver_t) +dev_wx_raw_memory(xserver_t) +# for other device nodes such as the NVidia binary-only driver +dev_rw_xserver_misc(xserver_t) +# read events - the synaptics touchpad driver reads raw events +dev_rw_input_dev(xserver_t) +dev_read_raw_memory(xserver_t) +dev_write_raw_memory(xserver_t) +dev_rwx_zero(xserver_t) + +domain_dontaudit_read_all_domains_state(xserver_t) +domain_signal_all_domains(xserver_t) + +files_read_etc_files(xserver_t) +files_read_etc_runtime_files(xserver_t) +files_read_usr_files(xserver_t) +files_rw_tmpfs_files(xserver_t) + +# brought on by rhgb +files_search_mnt(xserver_t) +# for nscd +files_dontaudit_search_pids(xserver_t) + +fs_getattr_xattr_fs(xserver_t) +fs_search_nfs(xserver_t) +fs_search_auto_mountpoints(xserver_t) +fs_search_ramfs(xserver_t) +fs_rw_tmpfs_files(xserver_t) + +mls_xwin_read_to_clearance(xserver_t) +mls_process_write_to_clearance(xserver_t) +mls_file_read_to_clearance(xserver_t) +mls_file_write_all_levels(xserver_t) +mls_file_upgrade(xserver_t) + 
+selinux_validate_context(xserver_t) +selinux_compute_access_vector(xserver_t) +selinux_compute_create_context(xserver_t) + +auth_use_nsswitch(xserver_t) + +init_getpgid(xserver_t) + +term_setattr_unallocated_ttys(xserver_t) +term_use_unallocated_ttys(xserver_t) + +getty_use_fds(xserver_t) + +locallogin_use_fds(xserver_t) + +logging_send_syslog_msg(xserver_t) +logging_send_audit_msgs(xserver_t) + +miscfiles_read_localization(xserver_t) +miscfiles_read_fonts(xserver_t) +miscfiles_read_hwdata(xserver_t) + +modutils_domtrans_insmod(xserver_t) + +# read x_contexts +seutil_read_default_contexts(xserver_t) +seutil_read_config(xserver_t) +seutil_read_file_contexts(xserver_t) + +userdom_search_user_home_dirs(xserver_t) +userdom_use_user_ttys(xserver_t) +userdom_setattr_user_ttys(xserver_t) +userdom_rw_user_tmpfs_files(xserver_t) + +xserver_use_user_fonts(xserver_t) + +ifndef(`distro_redhat',` + allow xserver_t self:process { execmem execheap execstack }; + domain_mmap_low_uncond(xserver_t) +') + +ifdef(`distro_rhel4',` + allow xserver_t self:process { execmem execheap execstack }; +') + +ifdef(`enable_mls',` + range_transition xserver_t xserver_tmp_t:sock_file s0 - mls_systemhigh; + range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; +') + +tunable_policy(`!xserver_object_manager',` + # should be xserver_unconfined(xserver_t), + # but typeattribute doesnt work in conditionals + + allow xserver_t xserver_t:x_server *; + allow xserver_t { x_domain root_xdrawable_t }:x_drawable *; + allow xserver_t xserver_t:x_screen *; + allow xserver_t x_domain:x_gc *; + allow xserver_t { x_domain root_xcolormap_t }:x_colormap *; + allow xserver_t xproperty_type:x_property *; + allow xserver_t xselection_type:x_selection *; + allow xserver_t x_domain:x_cursor *; + allow xserver_t x_domain:x_client *; + allow xserver_t { x_domain xserver_t }:x_device *; + allow xserver_t { x_domain xserver_t }:x_pointer *; + allow xserver_t { x_domain xserver_t }:x_keyboard *; + allow 
xserver_t xextension_type:x_extension *; + allow xserver_t { x_domain xserver_t }:x_resource *; + allow xserver_t xevent_type:{ x_event x_synthetic_event } *; +') + +optional_policy(` + apm_stream_connect(xserver_t) +') + +optional_policy(` + auth_search_pam_console_data(xserver_t) +') + +optional_policy(` + devicekit_signal_power(xserver_t) +') + +optional_policy(` + rhgb_getpgid(xserver_t) + rhgb_signal(xserver_t) +') + +optional_policy(` + setrans_translate_context(xserver_t) +') + +optional_policy(` + sandbox_rw_xserver_tmpfs_files(xserver_t) +') + +optional_policy(` + udev_read_db(xserver_t) +') + +optional_policy(` + unconfined_domain(xserver_t) + unconfined_domtrans(xserver_t) +') + +optional_policy(` + userhelper_search_config(xserver_t) +') + +optional_policy(` + wine_rw_shm(xserver_t) +') + +optional_policy(` + xfs_stream_connect(xserver_t) +') + +######################################## +# +# XDM Xserver local policy +# +# cjp: when xdm is configurable via tunable these +# rules will be enabled only when xdm is enabled + +allow xserver_t xdm_t:process { signal getpgid }; +allow xserver_t xdm_t:shm rw_shm_perms; + +# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open +# handle of a file inside the dir!!! +allow xserver_t xdm_var_lib_t:file read_file_perms; +dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms; + +read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) + +# Label pid and temporary files with derived types. +manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) + +# Run xkbcomp. 
+allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms; +can_exec(xserver_t, xkb_var_lib_t) + +# VNC v4 module in X server +corenet_tcp_bind_vnc_port(xserver_t) + +init_use_fds(xserver_t) + +# FIXME: After per user fonts are properly working +# xserver_t may no longer have any reason +# to read ROLE_home_t - examine this in more detail +# (xauth?) +userdom_read_user_home_content_files(xserver_t) +userdom_read_all_users_state(xserver_t) + +xserver_use_user_fonts(xserver_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(xserver_t) + fs_manage_nfs_files(xserver_t) + fs_manage_nfs_symlinks(xserver_t) +') + +tunable_policy(`use_fusefs_home_dirs',` + fs_manage_fusefs_dirs(xserver_t) + fs_manage_fusefs_files(xserver_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(xserver_t) + fs_manage_cifs_files(xserver_t) + fs_manage_cifs_symlinks(xserver_t) +') + +optional_policy(` + dbus_system_bus_client(xserver_t) + + optional_policy(` + hal_dbus_chat(xserver_t) + ') +') + +optional_policy(` + mono_rw_shm(xserver_t) +') + +optional_policy(` + rhgb_rw_shm(xserver_t) + rhgb_rw_tmpfs_files(xserver_t) +') + +optional_policy(` + userhelper_search_config(xserver_t) +') + +######################################## +# +# Rules common to all X window domains +# + +# Hacks +# everyone can do override-redirect windows. 
+# this could be used to spoof labels +allow x_domain self:x_drawable override; +# firefox gets nosy with other people's windows +allow x_domain x_domain:x_drawable { list_child receive }; + +# X Server +# can get X server attributes +allow x_domain xserver_t:x_server getattr; +# can grab the server +allow x_domain xserver_t:x_server grab; +# can read and write server-owned generic resources +allow x_domain xserver_t:x_resource { read write }; +# can mess with own clients +allow x_domain self:x_client { getattr manage destroy }; + +# X Protocol Extensions +allow x_domain xextension_t:x_extension { query use }; +allow x_domain security_xextension_t:x_extension { query use }; + +# X Properties +# can change properties of root window +allow x_domain root_xdrawable_t:x_drawable { list_property get_property set_property }; +# can change properties of my own windows +allow x_domain self:x_drawable { list_property get_property set_property }; +# can read and write cut buffers +allow x_domain clipboard_xproperty_t:x_property { create read write append }; +# can read security labels +allow x_domain seclabel_xproperty_t:x_property { getattr read }; +# can change all other properties +allow x_domain xproperty_t:x_property { getattr create read write append destroy }; + +# X Windows +# operations allowed on root windows +allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; +# operations allowed on my windows +allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; +allow x_domain self:x_drawable blend; +# operations allowed on all windows +allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; + +# X Colormaps +# can use the default colormap +allow x_domain root_xcolormap_t:x_colormap { read use add_color remove_color install uninstall }; +# can create and use colormaps +allow x_domain 
self:x_colormap *; + +# X Devices +# operations allowed on my own devices +allow x_domain self:{ x_device x_pointer x_keyboard } *; +# operations allowed on generic devices +allow x_domain xserver_t:x_device { use getattr setattr getfocus setfocus bell grab freeze force_cursor }; +# operations allowed on core keyboard +allow x_domain xserver_t:x_keyboard { use getattr setattr getfocus setfocus bell grab }; +# operations allowed on core pointer +allow x_domain xserver_t:x_pointer { read use getattr setattr getfocus setfocus bell grab freeze force_cursor }; + +# all devices can generate input events +allow x_domain root_xdrawable_t:x_drawable send; +allow x_domain x_domain:x_drawable send; +allow x_domain input_xevent_t:x_event send; + +# dontaudit keyloggers repeatedly polling +#dontaudit x_domain xserver_t:x_keyboard read; + +# X Input +# can receive default events +allow x_domain xevent_t:{ x_event x_synthetic_event } receive; +# can receive ICCCM events +allow x_domain client_xevent_t:{ x_event x_synthetic_event } receive; +# can send ICCCM events to the root window +allow x_domain client_xevent_t:x_synthetic_event send; +# can receive root window input events +allow x_domain root_input_xevent_t:x_event receive; + +# X Selections +# can use the clipboard +allow x_domain clipboard_xselection_t:x_selection { getattr setattr read }; +# can use default selections +allow x_domain xselection_t:x_selection { getattr setattr read }; + +# Other X Objects +# can create and use cursors +allow x_domain self:x_cursor *; +# can create and use graphics contexts +allow x_domain self:x_gc *; +# can read and write own objects +allow x_domain self:x_resource { read write }; +# can mess with the screensaver +allow x_domain xserver_t:x_screen { getattr saver_getattr }; + +# Device rules +allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell }; +allow x_domain xserver_t:x_screen getattr; + +######################################## +# +# Rules for unconfined 
access to this module +# + +allow xserver_unconfined_type xserver_t:x_server *; +allow xserver_unconfined_type xdrawable_type:x_drawable *; +allow xserver_unconfined_type xserver_t:x_screen *; +allow xserver_unconfined_type x_domain:x_gc *; +allow xserver_unconfined_type xcolormap_type:x_colormap *; +allow xserver_unconfined_type xproperty_type:x_property *; +allow xserver_unconfined_type xselection_type:x_selection *; +allow xserver_unconfined_type x_domain:x_cursor *; +allow xserver_unconfined_type x_domain:x_client *; +allow xserver_unconfined_type { x_domain xserver_t }:x_device *; +allow xserver_unconfined_type { x_domain xserver_t }:x_pointer *; +allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *; +allow xserver_unconfined_type xextension_type:x_extension *; +allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; +allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; + +tunable_policy(`! xserver_object_manager',` + # should be xserver_unconfined(x_domain), + # but typeattribute doesnt work in conditionals + + allow x_domain xserver_t:x_server *; + allow x_domain xdrawable_type:x_drawable *; + allow x_domain xserver_t:x_screen *; + allow x_domain x_domain:x_gc *; + allow x_domain xcolormap_type:x_colormap *; + allow x_domain xproperty_type:x_property *; + allow x_domain xselection_type:x_selection *; + allow x_domain x_domain:x_cursor *; + allow x_domain x_domain:x_client *; + allow x_domain { x_domain xserver_t }:x_device *; + allow x_domain { x_domain xserver_t }:x_pointer *; + allow x_domain { x_domain xserver_t }:x_keyboard *; + allow x_domain xextension_type:x_extension *; + allow x_domain { x_domain xserver_t }:x_resource *; + allow x_domain xevent_type:{ x_event x_synthetic_event } *; +') + +tunable_policy(`allow_xserver_execmem',` + allow xserver_t self:process { execheap execmem execstack }; +') + +# Hack to handle the problem of using the nvidia blobs +tunable_policy(`allow_execmem',` + allow xdm_t 
self:process execmem; +') + +tunable_policy(`allow_execstack',` + allow xdm_t self:process { execstack execmem }; +') + +tunable_policy(`use_nfs_home_dirs',` + fs_append_nfs_files(xdmhomewriter) +') + +tunable_policy(`use_nfs_home_dirs',` + fs_append_nfs_files(xdmhomewriter) +') + +optional_policy(` + unconfined_rw_shm(xserver_t) + unconfined_execmem_rw_shm(xserver_t) + + # xserver signals unconfined user on startx + unconfined_signal(xserver_t) + unconfined_getpgid(xserver_t) +') diff --git a/policy/modules/services/zabbix.fc b/policy/modules/services/zabbix.fc new file mode 100644 index 0000000..3102286 --- /dev/null +++ b/policy/modules/services/zabbix.fc @@ -0,0 +1,7 @@ +/etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) + +/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) + +/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) + +/var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0) diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if new file mode 100644 index 0000000..4776863 --- /dev/null +++ b/policy/modules/services/zabbix.if 
@@ -0,0 +1,116 @@ +## <summary>Distributed infrastructure monitoring</summary> + +######################################## +## <summary> +## Execute a domain transition to run zabbix. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`zabbix_domtrans',` + gen_require(` + type zabbix_t, zabbix_exec_t; + ') + + domtrans_pattern($1, zabbix_exec_t, zabbix_t) +') + +######################################## +## <summary> +## Allow the specified domain to read zabbix's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`zabbix_read_log',` + gen_require(` + type zabbix_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, zabbix_log_t, zabbix_log_t) +') + +######################################## +## <summary> +## Allow the specified domain to append +## zabbix log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`zabbix_append_log',` + gen_require(` + type zabbix_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, zabbix_log_t, zabbix_log_t) +') + +######################################## +## <summary> +## Read zabbix PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`zabbix_read_pid_files',` + gen_require(` + type zabbix_var_run_t; + ') + + files_search_pids($1) + allow $1 zabbix_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an zabbix environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the zabbix domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`zabbix_admin',` + gen_require(` + type zabbix_t, zabbix_log_t, zabbix_var_run_t; + type zabbix_initrc_exec_t; + ') + + allow $1 zabbix_t:process { ptrace signal_perms }; + ps_process_pattern($1, zabbix_t) + + init_labeled_script_domtrans($1, zabbix_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 zabbix_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + admin_pattern($1, zabbix_log_t) + + files_list_pids($1) + admin_pattern($1, zabbix_var_run_t) +') diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te new file mode 100644 index 0000000..20d7cde --- /dev/null +++ b/policy/modules/services/zabbix.te @@ -0,0 +1,52 @@ +policy_module(zabbix, 1.2.1) + +######################################## +# +# Declarations +# + +type zabbix_t; +type zabbix_exec_t; +init_daemon_domain(zabbix_t, zabbix_exec_t) + +type zabbix_initrc_exec_t; +init_script_file(zabbix_initrc_exec_t) + +# log files +type zabbix_log_t; +logging_log_file(zabbix_log_t) + +# pid files +type zabbix_var_run_t; +files_pid_file(zabbix_var_run_t) + +######################################## +# +# zabbix local policy +# + +allow zabbix_t self:capability { setuid setgid }; +allow zabbix_t self:fifo_file rw_fifo_file_perms; +allow zabbix_t self:unix_stream_socket create_stream_socket_perms; + +# log files +allow zabbix_t zabbix_log_t:dir setattr_dir_perms; +manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) +logging_log_filetrans(zabbix_t, zabbix_log_t, file) + +# pid file +manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) +manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) +files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) + +files_read_etc_files(zabbix_t) + +miscfiles_read_localization(zabbix_t) + +optional_policy(` + mysql_stream_connect(zabbix_t) +') + +optional_policy(` + postgresql_stream_connect(zabbix_t) +') 
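Review bot: the zabbix.te hunk grants no network access at all (there is not a single `corenet_*` call), while the zabbix.if summary describes the module as "Distributed infrastructure monitoring" and the only connectivity granted is `mysql_stream_connect(zabbix_t)` / `postgresql_stream_connect(zabbix_t)` over unix sockets; if `zabbix_server` is expected to accept agent connections or to reach its database over TCP, those will be denied, so either add the specific port interfaces or state in a comment that network access is deliberately out of scope for this version. Minor points: `policy_module(zabbix, 1.2.1)` in a freshly added file would normally start at 1.0.0, and `allow zabbix_t self:capability { setuid setgid };` deserves a one-line comment saying why it is needed (typically to drop root after startup) so the next reader does not widen it.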
diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc new file mode 100644 index 0000000..56cb5af --- /dev/null +++ b/policy/modules/services/zarafa.fc @@ -0,0 +1,27 @@ + +/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) + +/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0) + +/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0) + +/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0) + +/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0) + +/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0) + +/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0) + +/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0) +/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) +/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) +/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) +/var/log/zarafa/monitor\.log -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0) + +/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) +/var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0) +/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0) +/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0) +/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0) +/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0) diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if new file mode 100644 index 0000000..4f2dde8 --- /dev/null +++ b/policy/modules/services/zarafa.if 
@@ -0,0 +1,102 @@ +## <summary>policy for zarafa services</summary> + +###################################### +## <summary> +## Creates types and rules for a basic +## zararfa init daemon domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. +## </summary> +## </param> +# +template(`zarafa_domain_template',` + gen_require(` + attribute zarafa_domain; + ') + + ############################## + # + # $1_t declarations + # + + type zarafa_$1_t, zarafa_domain; + type zarafa_$1_exec_t; + init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t) + + type zarafa_$1_log_t; + logging_log_file(zarafa_$1_log_t) + + type zarafa_$1_var_run_t; + files_pid_file(zarafa_$1_var_run_t) + + ############################## + # + # $1_t local policy + # + + manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) + manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) + files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file }) + #stream_connect_pattern(zarafa_$1_t, $1_var_run_t, $1_var_run_t, virtd_t) + + manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t) + #manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t) + logging_log_filetrans(zarafa_$1_t,zarafa_$1_log_t,{ file }) +') + +######################################## +## <summary> +## Execute a domain transition to run zarafa_server. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`zarafa_server_domtrans',` + gen_require(` + type zarafa_server_t, zarafa_server_exec_t; + ') + + domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t) +') + +######################################## +## <summary> +## Execute a domain transition to run zarafa_deliver. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`zarafa_deliver_domtrans',` + gen_require(` + type zarafa_deliver_t, zarafa_deliver_exec_t; + ') + + domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t) +') + +####################################### +## <summary> +## Connect to zarafa-server unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`zarafa_stream_connect_server',` + gen_require(` + type zarafa_server_t, zarafa_server_var_run_t; + ') + + files_search_var_lib($1) + stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) +') diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te new file mode 100644 index 0000000..3ce4d86 --- /dev/null +++ b/policy/modules/services/zarafa.te 
@@ -0,0 +1,132 @@ +policy_module(zarafa, 1.0.0) + +######################################## +# +# Declarations +# + +attribute zarafa_domain; + +zarafa_domain_template(monitor) +zarafa_domain_template(ical) +zarafa_domain_template(server) +zarafa_domain_template(spooler) +zarafa_domain_template(gateway) +zarafa_domain_template(deliver) + +type zarafa_deliver_tmp_t; +files_tmp_file(zarafa_deliver_tmp_t) + +type zarafa_etc_t; +files_config_file(zarafa_etc_t) + +type zarafa_share_t; +files_type(zarafa_share_t) + +permissive zarafa_server_t; +permissive zarafa_spooler_t; +permissive zarafa_gateway_t; +permissive zarafa_deliver_t; +permissive zarafa_ical_t; +permissive zarafa_monitor_t; + +######################################## +# +# zarafa-deliver local policy +# + +manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) +manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) +files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir }) + +#temporary +#allow zarafa_deliver_t port_t:tcp_socket name_bind; + +######################################## +# +# zarafa_server local policy +# + +allow zarafa_server_t self:capability { chown kill net_bind_service }; +allow zarafa_server_t self:process { setrlimit signal }; + +corenet_tcp_bind_zarafa_port(zarafa_server_t) + +files_read_usr_files(zarafa_server_t) + +logging_send_syslog_msg(zarafa_server_t) +logging_send_audit_msgs(zarafa_server_t) + +sysnet_dns_name_resolve(zarafa_server_t) + +optional_policy(` + mysql_stream_connect(zarafa_server_t) +') + +optional_policy(` + kerberos_use(zarafa_server_t) +') + +######################################## +# +# zarafa_spooler local policy +# + +allow zarafa_spooler_t self:capability { chown kill }; +allow zarafa_spooler_t self:process signal; + +corenet_tcp_connect_smtp_port(zarafa_spooler_t) + +######################################## +# +# zarafa_gateway local policy +# + +allow zarafa_gateway_t self:capability { 
chown kill }; +allow zarafa_gateway_t self:process { setrlimit signal }; + +corenet_tcp_bind_pop_port(zarafa_gateway_t) + +####################################### +# +# zarafa-ical local policy +# + +allow zarafa_ical_t self:capability chown; + +corenet_tcp_bind_http_cache_port(zarafa_ical_t) + +###################################### +# +# zarafa-monitor local policy +# + +allow zarafa_monitor_t self:capability chown; + +######################################## +# +# zarafa domains local policy +# + +# bad permission on /etc/zarafa +allow zarafa_domain self:capability { dac_override setgid setuid }; +allow zarafa_domain self:fifo_file rw_fifo_file_perms; +allow zarafa_domain self:tcp_socket create_stream_socket_perms; +allow zarafa_domain self:unix_stream_socket create_stream_socket_perms; + +stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) + +read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t) + +kernel_read_system_state(zarafa_domain) + +files_read_etc_files(zarafa_domain) + +auth_use_nsswitch(zarafa_domain) + +miscfiles_read_localization(zarafa_domain) + +# temporary rules +optional_policy(` + apache_content_template(zarafa) +') diff --git a/policy/modules/services/zebra.fc b/policy/modules/services/zebra.fc new file mode 100644 index 0000000..e1b30b2 --- /dev/null +++ b/policy/modules/services/zebra.fc 
@@ -0,0 +1,22 @@ +/etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) +/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) +/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) +/etc/rc\.d/init\.d/ripd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) +/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) +/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0) + +/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0) +/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0) + +/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0) +/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0) + +/usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0) +/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0) + +/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) +/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) + +/var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0) +/var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0) +/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0) diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if new file mode 100644 index 0000000..347f754 --- /dev/null +++ b/policy/modules/services/zebra.if 
@@ -0,0 +1,86 @@ +## <summary>Zebra border gateway protocol network routing service</summary> + +######################################## +## <summary> +## Read the configuration files for zebra. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`zebra_read_config',` + gen_require(` + type zebra_conf_t; + ') + + files_search_etc($1) + allow $1 zebra_conf_t:dir list_dir_perms; + read_files_pattern($1, zebra_conf_t, zebra_conf_t) + read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t) +') + +######################################## +## <summary> +## Connect to zebra over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`zebra_stream_connect',` + gen_require(` + type zebra_t, zebra_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an zebra environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the zebra domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`zebra_admin',` + gen_require(` + type zebra_t, zebra_tmp_t, zebra_log_t; + type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t; + ') + + allow $1 zebra_t:process { ptrace signal_perms }; + ps_process_pattern($1, zebra_t) + + init_labeled_script_domtrans($1, zebra_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 zebra_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, zebra_conf_t) + + logging_list_logs($1) + admin_pattern($1, zebra_log_t) + + files_list_tmp($1) + admin_pattern($1, zebra_tmp_t) + + files_list_pids($1) + admin_pattern($1, zebra_var_run_t) +') diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te new file mode 100644 index 0000000..f0b1201 --- /dev/null +++ b/policy/modules/services/zebra.te 
@@ -0,0 +1,139 @@ +policy_module(zebra, 1.11.1) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow zebra daemon to write it configuration files +## </p> +## </desc> +gen_tunable(allow_zebra_write_config, false) + +type zebra_t; +type zebra_exec_t; +init_daemon_domain(zebra_t, zebra_exec_t) + +type zebra_conf_t; +files_type(zebra_conf_t) + +type zebra_initrc_exec_t; +init_script_file(zebra_initrc_exec_t) + +type zebra_log_t; +logging_log_file(zebra_log_t) + +type zebra_tmp_t; +files_tmp_file(zebra_tmp_t) + +type zebra_var_run_t; +files_pid_file(zebra_var_run_t) + +######################################## +# +# Local policy +# + +allow zebra_t self:capability { setgid setuid net_admin net_raw }; +dontaudit zebra_t self:capability sys_tty_config; +allow zebra_t self:process { signal_perms getcap setcap }; +allow zebra_t self:file rw_file_perms; +allow zebra_t self:unix_dgram_socket create_socket_perms; +allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow zebra_t self:netlink_route_socket rw_netlink_socket_perms; +allow zebra_t self:tcp_socket { connect connected_stream_socket_perms }; +allow zebra_t self:udp_socket create_socket_perms; +allow zebra_t self:rawip_socket create_socket_perms; + +allow zebra_t zebra_conf_t:dir list_dir_perms; +read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) +read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) + +allow zebra_t zebra_log_t:dir setattr_dir_perms; +manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t) +manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t) +logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir }) + +# /tmp/.bgpd is such a bad idea! 
+allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms; +files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file) + +manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) +manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) +manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) +files_pid_filetrans(zebra_t, zebra_var_run_t, { dir file sock_file }) + +kernel_read_system_state(zebra_t) +kernel_read_network_state(zebra_t) +kernel_read_kernel_sysctls(zebra_t) +kernel_rw_net_sysctls(zebra_t) + +corenet_all_recvfrom_unlabeled(zebra_t) +corenet_all_recvfrom_netlabel(zebra_t) +corenet_tcp_sendrecv_generic_if(zebra_t) +corenet_udp_sendrecv_generic_if(zebra_t) +corenet_raw_sendrecv_generic_if(zebra_t) +corenet_tcp_sendrecv_generic_node(zebra_t) +corenet_udp_sendrecv_generic_node(zebra_t) +corenet_raw_sendrecv_generic_node(zebra_t) +corenet_tcp_sendrecv_all_ports(zebra_t) +corenet_udp_sendrecv_all_ports(zebra_t) +corenet_tcp_bind_generic_node(zebra_t) +corenet_udp_bind_generic_node(zebra_t) +corenet_tcp_bind_bgp_port(zebra_t) +corenet_tcp_bind_zebra_port(zebra_t) +corenet_udp_bind_router_port(zebra_t) +corenet_tcp_connect_bgp_port(zebra_t) +corenet_sendrecv_zebra_server_packets(zebra_t) +corenet_sendrecv_router_server_packets(zebra_t) + +dev_associate_usbfs(zebra_var_run_t) +dev_list_all_dev_nodes(zebra_t) +dev_read_sysfs(zebra_t) +dev_rw_zero(zebra_t) + +fs_getattr_all_fs(zebra_t) +fs_search_auto_mountpoints(zebra_t) + +term_list_ptys(zebra_t) + +domain_use_interactive_fds(zebra_t) + +files_search_etc(zebra_t) +files_read_etc_files(zebra_t) +files_read_etc_runtime_files(zebra_t) + +logging_send_syslog_msg(zebra_t) + +miscfiles_read_localization(zebra_t) + +sysnet_read_config(zebra_t) + +userdom_dontaudit_use_unpriv_user_fds(zebra_t) +userdom_dontaudit_search_user_home_dirs(zebra_t) + +tunable_policy(`allow_zebra_write_config',` + manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) +') + +optional_policy(` + nis_use_ypbind(zebra_t) 
+') + +optional_policy(` + rpm_read_pipes(zebra_t) +') + +optional_policy(` + seutil_sigchld_newrole(zebra_t) +') + +optional_policy(` + udev_read_db(zebra_t) +') + +optional_policy(` + unconfined_sigchld(zebra_t) +') diff --git a/policy/modules/services/zosremote.fc b/policy/modules/services/zosremote.fc new file mode 100644 index 0000000..d719d0b --- /dev/null +++ b/policy/modules/services/zosremote.fc @@ -0,0 +1 @@ +/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0) diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if new file mode 100644 index 0000000..13f0eef --- /dev/null +++ b/policy/modules/services/zosremote.if @@ -0,0 +1,46 @@ +## <summary>policy for z/OS Remote-services Audit dispatcher plugin</summary> + +######################################## +## <summary> +## Execute a domain transition to run audispd-zos-remote. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`zosremote_domtrans',` + gen_require(` + type zos_remote_t, zos_remote_exec_t; + ') + + domtrans_pattern($1, zos_remote_exec_t, zos_remote_t) +') + +######################################## +## <summary> +## Allow specified type and role to transition and +## run in the zos_remote_t domain. Allow specified type +## to use zos_remote_t terminal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`zosremote_run',` + gen_require(` + type zos_remote_t; + ') + + zosremote_domtrans($1) + role $2 types zos_remote_t; +') diff --git a/policy/modules/services/zosremote.te b/policy/modules/services/zosremote.te new file mode 100644 index 0000000..3d407c6 --- /dev/null +++ b/policy/modules/services/zosremote.te 
@@ -0,0 +1,28 @@ +policy_module(zosremote, 1.1.0) + +######################################## +# +# Declarations +# + +type zos_remote_t; +type zos_remote_exec_t; +init_system_domain(zos_remote_t, zos_remote_exec_t) +logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t) + +######################################## +# +# zos_remote local policy +# + +allow zos_remote_t self:process signal; +allow zos_remote_t self:fifo_file rw_fifo_file_perms; +allow zos_remote_t self:unix_stream_socket create_stream_socket_perms; + +files_read_etc_files(zos_remote_t) + +auth_use_nsswitch(zos_remote_t) + +miscfiles_read_localization(zos_remote_t) + +logging_send_syslog_msg(zos_remote_t) diff --git a/policy/modules/system/application.fc b/policy/modules/system/application.fc new file mode 100644 index 0000000..08133f3 --- /dev/null +++ b/policy/modules/system/application.fc @@ -0,0 +1 @@ +# No application file contexts. diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if new file mode 100644 index 0000000..108595b --- /dev/null +++ b/policy/modules/system/application.if 
@@ -0,0 +1,150 @@ +## <summary>Policy for user executable applications.</summary> + +######################################## +## <summary> +## Make the specified type usable as an application domain. +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a domain type. +## </summary> +## </param> +# +interface(`application_type',` + gen_require(` + attribute application_domain_type; + ') + + typeattribute $1 application_domain_type; + + # start with basic domain + domain_type($1) +') + +######################################## +## <summary> +## Make the specified type usable for files +## that are exectuables, such as binary programs. +## This does not include shared libraries. +## </summary> +## <param name="type"> +## <summary> +## Type to be used for files. +## </summary> +## </param> +# +interface(`application_executable_file',` + gen_require(` + attribute application_exec_type; + ') + + typeattribute $1 application_exec_type; + + corecmd_executable_file($1) +') + +######################################## +## <summary> +## Execute application executables in the caller domain. +## </summary> +## <param name="type"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`application_exec',` + gen_require(` + attribute application_exec_type; + ') + + can_exec($1, application_exec_type) +') + +######################################## +## <summary> +## Execute all executable files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`application_exec_all',` + corecmd_dontaudit_exec_all_executables($1) + corecmd_exec_bin($1) + corecmd_exec_shell($1) + corecmd_exec_chroot($1) + + application_exec($1) +') + +######################################## +## <summary> +## Create a domain for applications. +## </summary> +## <desc> +## <p> +## Create a domain for applications. Typically these are +## programs that are run interactively. 
+## </p> +## <p> +## The types will be made usable as a domain and file, making +## calls to domain_type() and files_type() redundant. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Type to be used as an application domain. +## </summary> +## </param> +## <param name="entry_point"> +## <summary> +## Type of the program to be used as an entry point to this domain. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`application_domain',` + application_type($1) + application_executable_file($2) + domain_entry_file($1, $2) +') + +######################################## +## <summary> +## Send signull to all application domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`application_signull',` + gen_require(` + attribute application_domain_type; + ') + + allow $1 application_domain_type:process signull; +') + +######################################## +## <summary> +## Send signal to all application domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`application_signal',` + gen_require(` + attribute application_domain_type; + ') + + allow $1 application_domain_type:process signal; +') diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te new file mode 100644 index 0000000..2fa3974 --- /dev/null +++ b/policy/modules/system/application.te 
@@ -0,0 +1,32 @@ +policy_module(application, 1.2.0) + +# Attribute of user applications +attribute application_domain_type; + +# Executables to be run by user +attribute application_exec_type; + +userdom_inherit_append_user_home_content_files(application_domain_type) +userdom_inherit_append_admin_home_files(application_domain_type) +userdom_inherit_append_user_tmp_files(application_domain_type) +logging_inherit_append_all_logs(application_domain_type) + +files_dontaudit_search_all_dirs(application_domain_type) + +optional_policy(` + afs_rw_udp_sockets(application_domain_type) +') + +optional_policy(` + cron_rw_inherited_user_spool_files(application_domain_type) + cron_sigchld(application_domain_type) +') + +optional_policy(` + ssh_sigchld(application_domain_type) + ssh_rw_stream_sockets(application_domain_type) +') + +optional_policy(` + sudo_sigchld(application_domain_type) +') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc new file mode 100644 index 0000000..2997dd7 --- /dev/null +++ b/policy/modules/system/authlogin.fc 
@@ -0,0 +1,47 @@ + +/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) + +/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) +/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) +/etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) +/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) +/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) + +/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) +/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) +/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) +/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +ifdef(`distro_suse', ` +/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +') + +/usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0) + +/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) +ifdef(`distro_gentoo', ` +/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +') + +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) + +/var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) + +/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) +/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) +/var/lib/pam_ssh(/.*)? 
gen_context(system_u:object_r:var_auth_t,s0) + +/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0) +/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) +/var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0) +/var/log/lastlog -- gen_context(system_u:object_r:lastlog_t,s0) +/var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) +/var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0) +/var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) + +/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) +/var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) +/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) +/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) +/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if new file mode 100644 index 0000000..c411b5e --- /dev/null +++ b/policy/modules/system/authlogin.if 
@@ -0,0 +1,1670 @@ +## <summary>Common policy for authentication and user login.</summary> + +######################################## +## <summary> +## Role access for password authentication. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_role',` + gen_require(` + type chkpwd_t, chkpwd_exec_t, shadow_t; + ') + + role $1 types chkpwd_t; + + # Transition from the user domain to this domain. + domtrans_pattern($2, chkpwd_exec_t, chkpwd_t) + + ps_process_pattern($2, chkpwd_t) + + dontaudit $2 shadow_t:file read_file_perms; +') + +######################################## +## <summary> +## Use PAM for authentication. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_use_pam',` + + # for SSP/ProPolice + dev_read_urand($1) + # for encrypted homedir + dev_read_sysfs($1) + + auth_domtrans_chk_passwd($1) + auth_domtrans_upd_passwd($1) + auth_dontaudit_read_shadow($1) + auth_read_login_records($1) + auth_append_login_records($1) + auth_rw_lastlog($1) + auth_rw_faillog($1) + auth_exec_pam($1) + auth_use_nsswitch($1) + + init_rw_stream_sockets($1) + + logging_send_audit_msgs($1) + logging_send_syslog_msg($1) + + optional_policy(` + dbus_system_bus_client($1) + + optional_policy(` + consolekit_dbus_chat($1) + ') + + optional_policy(` + fprintd_dbus_chat($1) + ') + ') + + optional_policy(` + kerberos_manage_host_rcache($1) + kerberos_read_config($1) + ') + + optional_policy(` + nis_authenticate($1) + ') +') + +######################################## +## <summary> +## Make the specified domain used for a login program. +## </summary> +## <param name="domain"> +## <summary> +## Domain type used for a login program domain. 
+## </summary> +## </param> +# +interface(`auth_login_pgm_domain',` + gen_require(` + type var_auth_t, auth_cache_t; + attribute polydomain; + ') + + domain_type($1) + typeattribute $1 polydomain; + + domain_subj_id_change_exemption($1) + domain_role_change_exemption($1) + domain_obj_id_change_exemption($1) + role system_r types $1; + + # Needed for pam_selinux_permit to cleanup properly + domain_read_all_domains_state($1) + domain_kill_all_domains($1) + + # pam_keyring + allow $1 self:capability ipc_lock; + allow $1 self:process setkeycreate; + allow $1 self:key manage_key_perms; + userdom_manage_all_users_keys($1) + + files_list_var_lib($1) + manage_dirs_pattern($1, var_auth_t, var_auth_t) + manage_files_pattern($1, var_auth_t, var_auth_t) + + manage_dirs_pattern($1, auth_cache_t, auth_cache_t) + manage_files_pattern($1, auth_cache_t, auth_cache_t) + manage_sock_files_pattern($1, auth_cache_t, auth_cache_t) + files_var_filetrans($1, auth_cache_t, dir) + + # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 + kernel_rw_afs_state($1) + + # for fingerprint readers + dev_rw_input_dev($1) + dev_rw_generic_usb_dev($1) + + files_read_etc_files($1) + + fs_list_auto_mountpoints($1) + fs_manage_cgroup_dirs($1) + fs_manage_cgroup_files($1) + + selinux_get_fs_mount($1) + selinux_validate_context($1) + selinux_compute_access_vector($1) + selinux_compute_create_context($1) + selinux_compute_relabel_context($1) + selinux_compute_user_contexts($1) + + mls_file_read_all_levels($1) + mls_file_write_all_levels($1) + mls_file_upgrade($1) + mls_file_downgrade($1) + mls_process_set_level($1) + mls_fd_share_all_levels($1) + + auth_manage_pam_pid($1) + auth_use_pam($1) + + init_rw_utmp($1) + + logging_set_loginuid($1) + logging_set_tty_audit($1) + + seutil_read_config($1) + seutil_read_default_contexts($1) + + userdom_set_rlimitnh($1) + userdom_read_user_home_content_symlinks($1) + userdom_delete_user_tmp_files($1) + userdom_search_admin_dir($1) + + 
optional_policy(` + afs_rw_udp_sockets($1) + ') + + optional_policy(` + kerberos_read_config($1) + ') + + optional_policy(` + oddjob_dbus_chat($1) + oddjob_domtrans_mkhomedir($1) + ') + + optional_policy(` + corecmd_exec_bin($1) + storage_getattr_fixed_disk_dev($1) + mount_domtrans($1) + ') + + optional_policy(` + fprintd_dbus_chat($1) + ') + + optional_policy(` + ssh_agent_exec($1) + ssh_read_user_home_files($1) + userdom_read_user_home_content_files($1) + ') +') + +######################################## +## <summary> +## Use the login program as an entry point program. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_login_entry_type',` + gen_require(` + type login_exec_t; + ') + + domain_entry_file($1, login_exec_t) +') + +######################################## +## <summary> +## Execute a login_program in the target domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the login_program process. +## </summary> +## </param> +# +interface(`auth_domtrans_login_program',` + gen_require(` + type login_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, login_exec_t,$2) +') + +######################################## +## <summary> +## Execute a login_program in the target domain, +## with a range transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the login_program process. +## </summary> +## </param> +## <param name="range"> +## <summary> +## Range of the login program. 
+## </summary> +## </param> +# +interface(`auth_ranged_domtrans_login_program',` + gen_require(` + type login_exec_t; + ') + + auth_domtrans_login_program($1,$2) + + ifdef(`enable_mcs',` + range_transition $1 login_exec_t:process $3; + ') + + ifdef(`enable_mls',` + range_transition $1 login_exec_t:process $3; + ') +') + +######################################## +## <summary> +## Search authentication cache +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_search_cache',` + gen_require(` + type auth_cache_t; + ') + + allow $1 auth_cache_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Read authentication cache +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_read_cache',` + gen_require(` + type auth_cache_t; + ') + + read_files_pattern($1, auth_cache_t, auth_cache_t) +') + +######################################## +## <summary> +## Read/Write authentication cache +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_rw_cache',` + gen_require(` + type auth_cache_t; + ') + + rw_files_pattern($1, auth_cache_t, auth_cache_t) +') + +######################################## +## <summary> +## Manage authentication cache +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_manage_cache',` + gen_require(` + type auth_cache_t; + ') + + manage_dirs_pattern($1, auth_cache_t, auth_cache_t) + manage_files_pattern($1, auth_cache_t, auth_cache_t) +') + +####################################### +## <summary> +## Automatic transition from cache_t to cache. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`auth_var_filetrans_cache',` + gen_require(` + type auth_cache_t; + ') + + files_var_filetrans($1, auth_cache_t, { file dir } ) +') + +######################################## +## <summary> +## Run unix_chkpwd to check a password. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`auth_domtrans_chk_passwd',` + gen_require(` + type chkpwd_t, chkpwd_exec_t, shadow_t; + type auth_cache_t; + ') + + allow $1 auth_cache_t:dir search_dir_perms; + + corecmd_search_bin($1) + domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) + + dontaudit $1 shadow_t:file read_file_perms; + + dev_read_rand($1) + dev_read_urand($1) + + auth_use_nsswitch($1) + auth_rw_faillog($1) + + logging_send_audit_msgs($1) + + miscfiles_read_generic_certs($1) + + optional_policy(` + kerberos_read_keytab($1) + kerberos_connect_524($1) + ') + + optional_policy(` + pcscd_manage_pub_files($1) + pcscd_manage_pub_pipes($1) + pcscd_stream_connect($1) + ') + + optional_policy(` + samba_stream_connect_winbind($1) + ') + auth_domtrans_upd_passwd($1) +') + +######################################## +## <summary> +## Run unix_chkpwd to check a password. +## Stripped down version to be called within boolean +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`auth_domtrans_chkpwd',` + gen_require(` + type chkpwd_t, chkpwd_exec_t, shadow_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) + dontaudit $1 shadow_t:file { getattr read }; + auth_domtrans_upd_passwd($1) +') + +######################################## +## <summary> +## Execute chkpwd programs in the chkpwd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the chkpwd domain. 
+## </summary> +## </param> +# +interface(`auth_run_chk_passwd',` + gen_require(` + type chkpwd_t; + ') + + auth_domtrans_chk_passwd($1) + role $2 types chkpwd_t; + auth_run_upd_passwd($1, $2) +') + +######################################## +## <summary> +## Execute a domain transition to run unix_update. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`auth_domtrans_upd_passwd',` + gen_require(` + type updpwd_t, updpwd_exec_t; + ') + + domtrans_pattern($1, updpwd_exec_t, updpwd_t) + auth_dontaudit_read_shadow($1) + +') + +######################################## +## <summary> +## Execute updpwd programs in the updpwd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the updpwd domain. +## </summary> +## </param> +# +interface(`auth_run_upd_passwd',` + gen_require(` + type updpwd_t; + ') + + auth_domtrans_upd_passwd($1) + role $2 types updpwd_t; +') + +######################################## +## <summary> +## Get the attributes of the shadow passwords file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_getattr_shadow',` + gen_require(` + type shadow_t; + ') + + files_search_etc($1) + allow $1 shadow_t:file getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of the shadow passwords file. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`auth_dontaudit_getattr_shadow',` + gen_require(` + type shadow_t; + ') + + dontaudit $1 shadow_t:file getattr; +') + +######################################## +## <summary> +## Read the shadow passwords file (/etc/shadow) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: these next three interfaces are split +# since typeattribute does not work in conditionals +# yet, otherwise they should be one interface. +# +interface(`auth_read_shadow',` + auth_can_read_shadow_passwords($1) + auth_tunable_read_shadow($1) +') + +######################################## +## <summary> +## Pass shadow assertion for reading. +## </summary> +## <desc> +## <p> +## Pass shadow assertion for reading. +## This should only be used with +## auth_tunable_read_shadow(), and +## only exists because typeattribute +## does not work in conditionals. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_can_read_shadow_passwords',` + gen_require(` + attribute can_read_shadow_passwords; + ') + + typeattribute $1 can_read_shadow_passwords; +') + +######################################## +## <summary> +## Read the shadow password file. +## </summary> +## <desc> +## <p> +## Read the shadow password file. This +## should only be used in a conditional; +## it does not pass the reading shadow +## assertion. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_tunable_read_shadow',` + gen_require(` + type shadow_t; + ') + + files_list_etc($1) + allow $1 shadow_t:file read_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read the shadow +## password file (/etc/shadow). +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`auth_dontaudit_read_shadow',` + gen_require(` + type shadow_t; + ') + + dontaudit $1 shadow_t:file read_file_perms; +') + +######################################## +## <summary> +## Read and write the shadow password file (/etc/shadow). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_rw_shadow',` + gen_require(` + attribute can_read_shadow_passwords, can_write_shadow_passwords; + type shadow_t; + ') + + files_list_etc($1) + allow $1 shadow_t:file rw_file_perms; + typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; +') + +######################################## +## <summary> +## Create, read, write, and delete the shadow +## password file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_manage_shadow',` + gen_require(` + attribute can_read_shadow_passwords, can_write_shadow_passwords; + type shadow_t; + ') + + allow $1 shadow_t:file manage_file_perms; + typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; +') + +####################################### +## <summary> +## Automatic transition from etc to shadow. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_etc_filetrans_shadow',` + gen_require(` + type shadow_t; + ') + + files_etc_filetrans($1, shadow_t, file) +') + +####################################### +## <summary> +## Relabel to the shadow +## password file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`auth_relabelto_shadow',` + gen_require(` + attribute can_relabelto_shadow_passwords; + type shadow_t; + ') + + files_search_etc($1) + allow $1 shadow_t:file relabelto; + typeattribute $1 can_relabelto_shadow_passwords; +') + +####################################### +## <summary> +## Relabel from and to the shadow +## password file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_relabel_shadow',` + gen_require(` + attribute can_relabelto_shadow_passwords; + type shadow_t; + ') + + files_search_etc($1) + allow $1 shadow_t:file relabel_file_perms; + typeattribute $1 can_relabelto_shadow_passwords; +') + +####################################### +## <summary> +## Append to the login failure log. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_append_faillog',` + gen_require(` + type faillog_t; + ') + + logging_search_logs($1) + allow $1 faillog_t:file append_file_perms; +') + +######################################## +## <summary> +## Read and write the login failure log. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_rw_faillog',` + gen_require(` + type faillog_t; + ') + + logging_search_logs($1) + allow $1 faillog_t:file rw_file_perms; +') + +######################################## +## <summary> +## Manage the login failure log. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_manage_faillog',` + gen_require(` + type faillog_t; + ') + + logging_search_logs($1) + allow $1 faillog_t:file manage_file_perms; +') + +####################################### +## <summary> +## Read the last logins log. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`auth_read_lastlog',` + gen_require(` + type lastlog_t; + ') + + logging_search_logs($1) + allow $1 lastlog_t:file read_file_perms; +') + +####################################### +## <summary> +## Append only to the last logins log. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_append_lastlog',` + gen_require(` + type lastlog_t; + ') + + logging_search_logs($1) + allow $1 lastlog_t:file { append_file_perms lock }; +') + +####################################### +## <summary> +## Read and write to the last logins log. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_rw_lastlog',` + gen_require(` + type lastlog_t; + ') + + logging_search_logs($1) + allow $1 lastlog_t:file { rw_file_perms lock setattr }; +') + +######################################## +## <summary> +## Execute pam programs in the pam domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`auth_domtrans_pam',` + gen_require(` + type pam_t, pam_exec_t; + ') + + domtrans_pattern($1, pam_exec_t, pam_t) +') + +######################################## +## <summary> +## Send generic signals to pam processes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_signal_pam',` + gen_require(` + type pam_t; + ') + + allow $1 pam_t:process signal; +') + +######################################## +## <summary> +## Execute pam programs in the PAM domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the PAM domain. 
+## </summary> +## </param> +# +interface(`auth_run_pam',` + gen_require(` + type pam_t; + ') + + auth_domtrans_pam($1) + role $2 types pam_t; +') + +######################################## +## <summary> +## Execute the pam program. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_exec_pam',` + gen_require(` + type pam_exec_t; + ') + + can_exec($1, pam_exec_t) +') + +######################################## +## <summary> +## Read var auth files. Used by various other applications +## and pam applets etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_read_var_auth',` + gen_require(` + type var_auth_t; + ') + + files_search_var($1) + read_files_pattern($1, var_auth_t, var_auth_t) +') + +######################################## +## <summary> +## Manage var auth files. Used by various other applications +## and pam applets etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_manage_var_auth',` + gen_require(` + type var_auth_t; + ') + + files_search_var($1) + allow $1 var_auth_t:dir manage_dir_perms; + allow $1 var_auth_t:file rw_file_perms; + allow $1 var_auth_t:lnk_file rw_lnk_file_perms; +') + +######################################## +## <summary> +## Read PAM PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_read_pam_pid',` + gen_require(` + type pam_var_run_t; + ') + + files_search_pids($1) + allow $1 pam_var_run_t:dir list_dir_perms; + allow $1 pam_var_run_t:file read_file_perms; +') + +####################################### +## <summary> +## Do not audit attemps to read PAM PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`auth_dontaudit_read_pam_pid',` + gen_require(` + type pam_var_run_t; + ') + + dontaudit $1 pam_var_run_t:file { getattr read }; +') + +######################################## +## <summary> +## Delete pam PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_delete_pam_pid',` + gen_require(` + type pam_var_run_t; + ') + + files_search_pids($1) + allow $1 pam_var_run_t:dir del_entry_dir_perms; + allow $1 pam_var_run_t:file delete_file_perms; +') + +######################################## +## <summary> +## Manage pam PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_manage_pam_pid',` + gen_require(` + type pam_var_run_t; + ') + + files_search_pids($1) + allow $1 pam_var_run_t:dir manage_dir_perms; + allow $1 pam_var_run_t:file manage_file_perms; +') + +######################################## +## <summary> +## Execute pam_console with a domain transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`auth_domtrans_pam_console',` + gen_require(` + type pam_console_t, pam_console_exec_t; + ') + + domtrans_pattern($1, pam_console_exec_t, pam_console_t) +') + +######################################## +## <summary> +## Search the contents of the +## pam_console data directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_search_pam_console_data',` + gen_require(` + type pam_var_console_t; + ') + + files_search_pids($1) + allow $1 pam_var_console_t:dir search_dir_perms; +') + +######################################## +## <summary> +## List the contents of the pam_console +## data directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`auth_list_pam_console_data',` + gen_require(` + type pam_var_console_t; + ') + + files_search_pids($1) + allow $1 pam_var_console_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Read pam_console data files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_read_pam_console_data',` + gen_require(` + type pam_var_console_t; + ') + + files_search_pids($1) + allow $1 pam_var_console_t:dir list_dir_perms; + allow $1 pam_var_console_t:file read_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete +## pam_console data files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_manage_pam_console_data',` + gen_require(` + type pam_var_console_t; + ') + + files_search_pids($1) + manage_files_pattern($1, pam_var_console_t, pam_var_console_t) + manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) +') + +####################################### +## <summary> +## Delete pam_console data. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_delete_pam_console_data',` + gen_require(` + type pam_var_console_t; + ') + + files_search_var($1) + files_search_pids($1) + delete_files_pattern($1, pam_var_console_t, pam_var_console_t) +') + +######################################## +## <summary> +## Read all directories on the filesystem, except +## the shadow passwords and listed exceptions. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="exception_types" optional="true"> +## <summary> +## The types to be excluded. Each type or attribute +## must be negated by the caller. 
+## </summary> +## </param> +# +interface(`auth_read_all_dirs_except_shadow',` + gen_require(` + type shadow_t; + ') + + files_read_all_dirs_except($1,$2 -shadow_t) +') + +######################################## +## <summary> +## Read all files on the filesystem, except +## the shadow passwords and listed exceptions. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="exception_types" optional="true"> +## <summary> +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## </summary> +## </param> +## <rolecap/> +# +interface(`auth_read_all_files_except_shadow',` + gen_require(` + type shadow_t; + ') + + files_read_all_files_except($1,$2 -shadow_t) +') + +######################################## +## <summary> +## Read all symbolic links on the filesystem, except +## the shadow passwords and listed exceptions. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="exception_types" optional="true"> +## <summary> +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## </summary> +## </param> +# +interface(`auth_read_all_symlinks_except_shadow',` + gen_require(` + type shadow_t; + ') + + files_read_all_symlinks_except($1,$2 -shadow_t) +') + +######################################## +## <summary> +## Relabel all files on the filesystem, except +## the shadow passwords and listed exceptions. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="exception_types" optional="true"> +## <summary> +## The types to be excluded. Each type or attribute +## must be negated by the caller. 
+## </summary> +## </param> +# + +interface(`auth_relabel_all_files_except_shadow',` + gen_require(` + type shadow_t; + ') + + files_relabel_all_files($1,$2 -shadow_t) +') + +######################################## +## <summary> +## Read and write all files on the filesystem, except +## the shadow passwords and listed exceptions. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="exception_types" optional="true"> +## <summary> +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## </summary> +## </param> +# + +interface(`auth_rw_all_files_except_shadow',` + gen_require(` + type shadow_t; + ') + + files_rw_all_files($1,$2 -shadow_t) +') + +######################################## +## <summary> +## Manage all files on the filesystem, except +## the shadow passwords and listed exceptions. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="exception_types" optional="true"> +## <summary> +## The types to be excluded. Each type or attribute +## must be negated by the caller. +## </summary> +## </param> +# + +interface(`auth_manage_all_files_except_shadow',` + gen_require(` + type shadow_t; + ') + + files_manage_all_files($1,$2 -shadow_t) +') + +######################################## +## <summary> +## Execute utempter programs in the utempter domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`auth_domtrans_utempter',` + gen_require(` + type utempter_t, utempter_exec_t; + ') + + domtrans_pattern($1, utempter_exec_t, utempter_t) +') + +######################################## +## <summary> +## Execute utempter programs in the utempter domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the utempter domain. +## </summary> +## </param> +# +interface(`auth_run_utempter',` + gen_require(` + type utempter_t; + ') + + auth_domtrans_utempter($1) + role $2 types utempter_t; +') + +####################################### +## <summary> +## Do not audit attemps to execute utempter executable. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`auth_dontaudit_exec_utempter',` + gen_require(` + type utempter_exec_t; + ') + + dontaudit $1 utempter_exec_t:file { execute execute_no_trans }; +') + +######################################## +## <summary> +## Set the attributes of login record files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_setattr_login_records',` + gen_require(` + type wtmp_t; + ') + + allow $1 wtmp_t:file setattr; + logging_search_logs($1) +') + +######################################## +## <summary> +## Read login records files (/var/log/wtmp). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`auth_read_login_records',` + gen_require(` + type wtmp_t; + ') + + logging_search_logs($1) + allow $1 wtmp_t:file read_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read login records +## files (/var/log/wtmp). +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +## <rolecap/> +# +interface(`auth_dontaudit_read_login_records',` + gen_require(` + type wtmp_t; + ') + + dontaudit $1 wtmp_t:file read_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to write to +## login records files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`auth_dontaudit_write_login_records',` + gen_require(` + type wtmp_t; + ') + + dontaudit $1 wtmp_t:file write; +') + +####################################### +## <summary> +## Append to login records (wtmp). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_append_login_records',` + gen_require(` + type wtmp_t; + ') + + allow $1 wtmp_t:file append_file_perms; + logging_search_logs($1) +') + +####################################### +## <summary> +## Write to login records (wtmp). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_write_login_records',` + gen_require(` + type wtmp_t; + ') + + allow $1 wtmp_t:file { write_file_perms lock }; +') + +######################################## +## <summary> +## Read and write login records. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_rw_login_records',` + gen_require(` + type wtmp_t; + ') + + allow $1 wtmp_t:file rw_file_perms; + logging_search_logs($1) +') + +######################################## +## <summary> +## Create a login records in the log directory +## using a type transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_log_filetrans_login_records',` + gen_require(` + type wtmp_t; + ') + + logging_log_filetrans($1, wtmp_t, file) +') + +######################################## +## <summary> +## Create, read, write, and delete login +## records files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`auth_manage_login_records',` + gen_require(` + type wtmp_t; + ') + + logging_rw_generic_log_dirs($1) + allow $1 wtmp_t:file manage_file_perms; +') + +######################################## +## <summary> +## Use nsswitch to look up user, password, group, or +## host information. +## </summary> +## <desc> +## <p> +## Allow the specified domain to look up user, password, +## group, or host information using the name service. +## The most common use of this interface is for services +## that do host name resolution (usually DNS resolution). +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`auth_use_nsswitch',` + + allow $1 self:netlink_route_socket r_netlink_socket_perms; + + files_list_var_lib($1) + + # read /etc/nsswitch.conf + files_read_etc_files($1) + + miscfiles_read_generic_certs($1) + + sysnet_dns_name_resolve($1) + sysnet_use_ldap($1) + + optional_policy(` + avahi_stream_connect($1) + ') + + optional_policy(` + ldap_stream_connect($1) + ') + + optional_policy(` + likewise_stream_connect_lsassd($1) + ') + + optional_policy(` + kerberos_use($1) + ') + + optional_policy(` + nis_use_ypbind($1) + ') + + optional_policy(` + nscd_use($1) + ') + + optional_policy(` + nslcd_stream_connect($1) + ') + + optional_policy(` + sssd_stream_connect($1) + ') + + optional_policy(` + samba_stream_connect_winbind($1) + samba_read_var_files($1) + samba_dontaudit_write_var_files($1) + ') +') + +######################################## +## <summary> +## Unconfined access to the authlogin module. +## </summary> +## <desc> +## <p> +## Unconfined access to the authlogin module. +## </p> +## <p> +## Currently, this only allows assertions for +## the shadow passwords file (/etc/shadow) to +## be passed. No access is granted yet. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`auth_unconfined',` + gen_require(` + attribute can_read_shadow_passwords; + attribute can_write_shadow_passwords; + attribute can_relabelto_shadow_passwords; + ') + + typeattribute $1 can_read_shadow_passwords; + typeattribute $1 can_write_shadow_passwords; + typeattribute $1 can_relabelto_shadow_passwords; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te new file mode 100644 index 0000000..ee0fe55 --- /dev/null +++ b/policy/modules/system/authlogin.te 
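Review bot: in authlogin.if, `auth_domtrans_chk_passwd` and the stripped-down `auth_domtrans_chkpwd` both end with `auth_domtrans_upd_passwd($1)`, so every caller that is only documented as being allowed to "Run unix_chkpwd to check a password" also receives a domain transition into `updpwd_t`, the domain that authlogin.te gives `auth_manage_shadow()` and `files_manage_etc_files()`. The transition is bounded (entry only through `updpwd_exec_t`), but it is a write path to /etc/shadow that the `<summary>` of both interfaces leaves out; either document it there or split the upd_passwd transition into its own call so callers that never change passwords can leave it out. Smaller points in the same hunk: `auth_domtrans_chkpwd` dontaudits `shadow_t:file { getattr read }` while `auth_domtrans_chk_passwd` uses `read_file_perms`, so the two variants leave different denials in the audit log for the same probe; `auth_manage_var_auth` is summarised as "Manage var auth files" but grants only `rw_file_perms` on `var_auth_t:file` (no create or unlink), so either the summary or the rule should change; `auth_manage_shadow` omits the `files_list_etc($1)` that `auth_rw_shadow` includes, so callers must add /etc search access themselves; the three `*_all_files_except_shadow` interfaces for relabel, rw and manage have a stray blank line between `#` and `interface(`; and "attemps" is misspelled in the summaries of `auth_dontaudit_read_pam_pid` and `auth_dontaudit_exec_utempter`.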
@@ -0,0 +1,405 @@ +policy_module(authlogin, 2.2.0) + +######################################## +# +# Declarations +# + +attribute can_read_shadow_passwords; +attribute can_write_shadow_passwords; +attribute can_relabelto_shadow_passwords; +attribute polydomain; + +type auth_cache_t; +logging_log_file(auth_cache_t) + +type chkpwd_t, can_read_shadow_passwords; +type chkpwd_exec_t; +typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t }; +typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t }; +application_domain(chkpwd_t, chkpwd_exec_t) +role system_r types chkpwd_t; + +type faillog_t; +logging_log_file(faillog_t) + +type lastlog_t; +logging_log_file(lastlog_t) + +type login_exec_t; +application_executable_file(login_exec_t) + +type pam_console_t; +type pam_console_exec_t; +init_system_domain(pam_console_t, pam_console_exec_t) +role system_r types pam_console_t; + +type pam_t; +domain_type(pam_t) +role system_r types pam_t; + +type pam_exec_t; +domain_entry_file(pam_t, pam_exec_t) + +type pam_tmp_t; +files_tmp_file(pam_tmp_t) + +type pam_var_console_t; +files_type(pam_var_console_t) + +type pam_var_run_t; +files_pid_file(pam_var_run_t) + +type shadow_t; +files_security_file(shadow_t) +neverallow ~can_read_shadow_passwords shadow_t:file read; +neverallow ~can_write_shadow_passwords shadow_t:file { create write }; +neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; + +type updpwd_t; +type updpwd_exec_t; +domain_type(updpwd_t) +domain_entry_file(updpwd_t, updpwd_exec_t) +domain_obj_id_change_exemption(updpwd_t) +role system_r types updpwd_t; + +type utempter_t; +type utempter_exec_t; +application_domain(utempter_t, utempter_exec_t) + +# +# var_auth_t is the type of /var/lib/auth, usually +# used for auth data in pam_able +# +type var_auth_t; +files_type(var_auth_t) + +type wtmp_t; +logging_log_file(wtmp_t) + +######################################## +# +# Check password local policy +# + +allow chkpwd_t self:capability { 
dac_override setuid }; +dontaudit chkpwd_t self:capability sys_tty_config; +allow chkpwd_t self:process { getattr signal }; + +allow chkpwd_t shadow_t:file read_file_perms; +files_list_etc(chkpwd_t) + +# is_selinux_enabled +kernel_read_system_state(chkpwd_t) + +domain_dontaudit_use_interactive_fds(chkpwd_t) + +dev_read_rand(chkpwd_t) +dev_read_urand(chkpwd_t) + +files_read_etc_files(chkpwd_t) +# for nscd +files_dontaudit_search_var(chkpwd_t) + +fs_dontaudit_getattr_xattr_fs(chkpwd_t) + +term_dontaudit_use_console(chkpwd_t) +term_dontaudit_use_unallocated_ttys(chkpwd_t) +term_dontaudit_use_generic_ptys(chkpwd_t) +term_dontaudit_use_all_ptys(chkpwd_t) + +auth_use_nsswitch(chkpwd_t) + +logging_send_audit_msgs(chkpwd_t) +logging_send_syslog_msg(chkpwd_t) + +miscfiles_read_localization(chkpwd_t) + +seutil_read_config(chkpwd_t) +seutil_dontaudit_use_newrole_fds(chkpwd_t) + +userdom_use_user_terminals(chkpwd_t) + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(chkpwd_t) + ') +') + +optional_policy(` + # apache leaks file descriptors + apache_dontaudit_rw_tcp_sockets(chkpwd_t) +') + +optional_policy(` + kerberos_use(chkpwd_t) +') + +optional_policy(` + nis_authenticate(chkpwd_t) +') + +######################################## +# +# PAM local policy +# + +allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +dontaudit pam_t self:capability sys_tty_config; + +allow pam_t self:fd use; +allow pam_t self:fifo_file rw_file_perms; +allow pam_t self:unix_dgram_socket create_socket_perms; +allow pam_t self:unix_stream_socket rw_stream_socket_perms; +allow pam_t self:unix_dgram_socket sendto; +allow pam_t self:unix_stream_socket connectto; +allow pam_t self:shm create_shm_perms; +allow pam_t self:sem create_sem_perms; +allow pam_t self:msgq create_msgq_perms; +allow pam_t self:msg { send receive }; + +delete_files_pattern(pam_t, pam_var_run_t, pam_var_run_t) +read_files_pattern(pam_t, pam_var_run_t, pam_var_run_t) 
+files_list_pids(pam_t) + +allow pam_t pam_tmp_t:dir manage_dir_perms; +allow pam_t pam_tmp_t:file manage_file_perms; +files_tmp_filetrans(pam_t, pam_tmp_t, { file dir }) + +auth_use_nsswitch(pam_t) + +kernel_read_system_state(pam_t) + +files_read_etc_files(pam_t) + +fs_search_auto_mountpoints(pam_t) + +miscfiles_read_localization(pam_t) + +term_use_all_ttys(pam_t) +term_use_all_ptys(pam_t) + +init_dontaudit_rw_utmp(pam_t) + +logging_send_syslog_msg(pam_t) + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(pam_t) + ') +') + +optional_policy(` + locallogin_use_fds(pam_t) +') + +######################################## +# +# PAM console local policy +# + +allow pam_console_t self:capability { chown fowner fsetid }; +dontaudit pam_console_t self:capability sys_tty_config; + +allow pam_console_t self:process { sigchld sigkill sigstop signull signal }; + +# for /var/run/console.lock checking +read_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t) +read_lnk_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t) +dontaudit pam_console_t pam_var_console_t:file write; + +kernel_read_kernel_sysctls(pam_console_t) +kernel_use_fds(pam_console_t) +# Read /proc/meminfo +kernel_read_system_state(pam_console_t) + +dev_read_sysfs(pam_console_t) +dev_getattr_apm_bios_dev(pam_console_t) +dev_setattr_apm_bios_dev(pam_console_t) +dev_getattr_dri_dev(pam_console_t) +dev_setattr_dri_dev(pam_console_t) +dev_getattr_input_dev(pam_console_t) +dev_setattr_input_dev(pam_console_t) +dev_getattr_framebuffer_dev(pam_console_t) +dev_setattr_framebuffer_dev(pam_console_t) +dev_getattr_generic_usb_dev(pam_console_t) +dev_setattr_generic_usb_dev(pam_console_t) +dev_getattr_misc_dev(pam_console_t) +dev_setattr_misc_dev(pam_console_t) +dev_getattr_mouse_dev(pam_console_t) +dev_setattr_mouse_dev(pam_console_t) +dev_getattr_power_mgmt_dev(pam_console_t) +dev_setattr_power_mgmt_dev(pam_console_t) +dev_getattr_printer_dev(pam_console_t) 
+dev_setattr_printer_dev(pam_console_t) +dev_getattr_scanner_dev(pam_console_t) +dev_setattr_scanner_dev(pam_console_t) +dev_getattr_sound_dev(pam_console_t) +dev_setattr_sound_dev(pam_console_t) +dev_getattr_video_dev(pam_console_t) +dev_setattr_video_dev(pam_console_t) +dev_getattr_xserver_misc_dev(pam_console_t) +dev_setattr_xserver_misc_dev(pam_console_t) +dev_read_urand(pam_console_t) + +files_read_etc_files(pam_console_t) +files_search_pids(pam_console_t) +files_list_mnt(pam_console_t) +files_dontaudit_search_isid_type_dirs(pam_console_t) +# read /etc/mtab +files_read_etc_runtime_files(pam_console_t) + +fs_list_auto_mountpoints(pam_console_t) +fs_list_noxattr_fs(pam_console_t) +fs_getattr_all_fs(pam_console_t) + +mls_file_read_all_levels(pam_console_t) +mls_file_write_all_levels(pam_console_t) + +storage_getattr_fixed_disk_dev(pam_console_t) +storage_setattr_fixed_disk_dev(pam_console_t) +storage_getattr_removable_dev(pam_console_t) +storage_setattr_removable_dev(pam_console_t) +storage_getattr_scsi_generic_dev(pam_console_t) +storage_setattr_scsi_generic_dev(pam_console_t) + +term_use_console(pam_console_t) +term_use_all_ttys(pam_console_t) +term_use_all_ptys(pam_console_t) +term_setattr_console(pam_console_t) +term_getattr_unallocated_ttys(pam_console_t) +term_setattr_unallocated_ttys(pam_console_t) +term_use_unallocated_ttys(pam_console_t) + +auth_use_nsswitch(pam_console_t) + +domain_use_interactive_fds(pam_console_t) + +init_use_fds(pam_console_t) +init_use_script_ptys(pam_console_t) + +logging_send_syslog_msg(pam_console_t) + +miscfiles_read_localization(pam_console_t) +miscfiles_read_generic_certs(pam_console_t) + +seutil_read_file_contexts(pam_console_t) + +userdom_dontaudit_use_unpriv_user_fds(pam_console_t) + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(pam_console_t) + ') +') + +optional_policy(` + gpm_getattr_gpmctl(pam_console_t) + gpm_setattr_gpmctl(pam_console_t) +') + +optional_policy(` + hotplug_use_fds(pam_console_t) + 
hotplug_dontaudit_search_config(pam_console_t) +') + +optional_policy(` + seutil_sigchld_newrole(pam_console_t) +') + +optional_policy(` + udev_read_db(pam_console_t) +') + +optional_policy(` + xserver_read_xdm_pid(pam_console_t) + xserver_dontaudit_write_log(pam_console_t) +') + +######################################## +# +# updpwd local policy +# + +allow updpwd_t self:capability { chown dac_override }; +allow updpwd_t self:process setfscreate; +allow updpwd_t self:fifo_file rw_fifo_file_perms; +allow updpwd_t self:unix_stream_socket create_stream_socket_perms; +allow updpwd_t self:unix_dgram_socket create_socket_perms; + +kernel_read_system_state(updpwd_t) + +dev_read_urand(updpwd_t) + +files_manage_etc_files(updpwd_t) + +term_dontaudit_use_console(updpwd_t) +term_dontaudit_use_unallocated_ttys(updpwd_t) + +auth_manage_shadow(updpwd_t) +auth_use_nsswitch(updpwd_t) + +logging_send_syslog_msg(updpwd_t) + +miscfiles_read_localization(updpwd_t) + +userdom_use_user_terminals(updpwd_t) + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(updpwd_t) + ') +') + +######################################## +# +# Utempter local policy +# + +allow utempter_t self:capability setgid; +allow utempter_t self:unix_stream_socket create_stream_socket_perms; + +allow utempter_t wtmp_t:file rw_file_perms; + +dev_read_urand(utempter_t) + +files_read_etc_files(utempter_t) + +term_getattr_all_ttys(utempter_t) +term_getattr_all_ptys(utempter_t) +term_dontaudit_use_all_ttys(utempter_t) +term_dontaudit_use_all_ptys(utempter_t) +term_dontaudit_use_ptmx(utempter_t) + +init_rw_utmp(utempter_t) + +domain_use_interactive_fds(utempter_t) + +logging_search_logs(utempter_t) + +userdom_use_user_terminals(utempter_t) +# Allow utemper to write to /tmp/.xses-* +userdom_write_user_tmp_files(utempter_t) + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(utempter_t) + ') +') + +optional_policy(` + nscd_socket_use(utempter_t) +') + +optional_policy(` + 
xserver_use_xdm_fds(utempter_t) + xserver_rw_xdm_pipes(utempter_t) +') + +tunable_policy(`allow_polyinstantiation',` + files_polyinstantiate_all(polydomain) + userdom_manage_user_home_content_dirs(polydomain) + userdom_manage_user_home_content_files(polydomain) + userdom_relabelto_user_home_dirs(polydomain) + userdom_relabelto_user_home_files(polydomain) +') diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc new file mode 100644 index 0000000..c5e05ca --- /dev/null +++ b/policy/modules/system/clock.fc @@ -0,0 +1,5 @@ + +/etc/adjtime -- gen_context(system_u:object_r:adjtime_t,s0) + +/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) + diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if new file mode 100644 index 0000000..e2f6d93 --- /dev/null +++ b/policy/modules/system/clock.if 
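Review bot: the four `ifdef(`distro_ubuntu',` blocks in pam.te wrap `unconfined_domain()` around pam_t, pam_console_t, updpwd_t and utempter_t, which hands each of these helper domains unconfined access on that distro and makes every rule above them dead weight there; if a distro-specific denial is being papered over, the specific access should be granted to the domain instead, or the block should at least carry a comment saying what breaks without it. Two smaller points in the same hunk: `mls_file_read_all_levels(pam_console_t)` / `mls_file_write_all_levels(pam_console_t)` is an MLS override that deserves a justification comment like the one on `/var/run/console.lock`, and the comment `# Allow utemper to write to /tmp/.xses-*` misspells utempter.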
@@ -0,0 +1,100 @@ +## <summary>Policy for reading and setting the hardware clock.</summary> + +######################################## +## <summary> +## Execute hwclock in the clock domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`clock_domtrans',` + gen_require(` + type hwclock_t, hwclock_exec_t; + ') + + domtrans_pattern($1, hwclock_exec_t, hwclock_t) +') + +######################################## +## <summary> +## Execute hwclock in the clock domain, and +## allow the specified role the hwclock domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`clock_run',` + gen_require(` + type hwclock_t; + ') + + clock_domtrans($1) + role $2 types hwclock_t; +') + +######################################## +## <summary> +## Execute hwclock in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`clock_exec',` + gen_require(` + type hwclock_exec_t; + ') + + can_exec($1, hwclock_exec_t) +') + +######################################## +## <summary> +## Do not audit attempts to write clock drift adjustments. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`clock_dontaudit_write_adjtime',` + gen_require(` + type adjtime_t; + ') + + dontaudit $1 adjtime_t:file write; +') + +######################################## +## <summary> +## Read and write clock drift adjustments. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`clock_rw_adjtime',` + gen_require(` + type adjtime_t; + ') + + allow $1 adjtime_t:file rw_file_perms; + files_list_etc($1) +') 
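Review bot: `clock_domtrans` calls `domtrans_pattern($1, hwclock_exec_t, hwclock_t)` without a preceding `corecmd_search_bin($1)`, unlike `fstools_domtrans` and `getty_domtrans` in this same patch; since clock.fc places hwclock at `/sbin/hwclock`, a caller that does not already have search on bin directories cannot reach the entrypoint and the transition never fires. Suggest adding `corecmd_search_bin($1)` before the domtrans, and the same in `clock_exec` for the `can_exec($1, hwclock_exec_t)` path.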
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te new file mode 100644 index 0000000..b9ed25b --- /dev/null +++ b/policy/modules/system/clock.te 
@@ -0,0 +1,81 @@ +policy_module(clock, 1.6.0) + +######################################## +# +# Declarations +# + +type adjtime_t; +files_type(adjtime_t) + +type hwclock_t; +type hwclock_exec_t; +init_system_domain(hwclock_t, hwclock_exec_t) +role system_r types hwclock_t; + +######################################## +# +# Local policy +# + +# Give hwclock the capabilities it requires. dac_override is a surprise, +# but hwclock does require it. +allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config }; +dontaudit hwclock_t self:capability sys_tty_config; +allow hwclock_t self:process signal_perms; +allow hwclock_t self:fifo_file rw_fifo_file_perms; + +# Allow hwclock to store & retrieve correction factors. +allow hwclock_t adjtime_t:file { rw_file_perms setattr }; + +kernel_read_kernel_sysctls(hwclock_t) +kernel_read_system_state(hwclock_t) + +corecmd_exec_bin(hwclock_t) +corecmd_exec_shell(hwclock_t) + +dev_read_sysfs(hwclock_t) +dev_rw_realtime_clock(hwclock_t) + +files_read_etc_files(hwclock_t) +# for when /usr is not mounted: +files_dontaudit_search_isid_type_dirs(hwclock_t) + +fs_getattr_xattr_fs(hwclock_t) +fs_search_auto_mountpoints(hwclock_t) + +term_dontaudit_use_console(hwclock_t) +term_use_unallocated_ttys(hwclock_t) +term_use_all_ttys(hwclock_t) +term_use_all_ptys(hwclock_t) + +domain_use_interactive_fds(hwclock_t) + +init_use_fds(hwclock_t) +init_use_script_ptys(hwclock_t) + +logging_send_audit_msgs(hwclock_t) +logging_send_syslog_msg(hwclock_t) + +miscfiles_read_localization(hwclock_t) + +optional_policy(` + apm_append_log(hwclock_t) + apm_rw_stream_sockets(hwclock_t) +') + +optional_policy(` + nscd_socket_use(hwclock_t) +') + +optional_policy(` + seutil_sigchld_newrole(hwclock_t) +') + +optional_policy(` + udev_read_db(hwclock_t) +') + +optional_policy(` + userdom_dontaudit_use_unpriv_user_fds(hwclock_t) +') 
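Review bot: `allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };` already grants sys_tty_config, so the next line `dontaudit hwclock_t self:capability sys_tty_config;` can never apply; keep one or the other (drop sys_tty_config from the allow if only the audit noise was the problem). In the same hunk `term_use_unallocated_ttys(hwclock_t)` is subsumed by `term_use_all_ttys(hwclock_t)` two lines below it. The dac_override capability gets an explanatory comment; `corecmd_exec_bin(hwclock_t)` and `corecmd_exec_shell(hwclock_t)` are at least as surprising for a clock tool and should get the same treatment.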
diff --git a/policy/modules/system/daemontools.fc b/policy/modules/system/daemontools.fc new file mode 100644 index 0000000..26df050 --- /dev/null +++ b/policy/modules/system/daemontools.fc 
@@ -0,0 +1,53 @@ +# +# /service +# + +/service -d gen_context(system_u:object_r:svc_svc_t,s0) +/service/.* gen_context(system_u:object_r:svc_svc_t,s0) + +# +# /usr +# + +/usr/bin/envdir -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/usr/bin/envuidgid -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/usr/bin/fghack -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/usr/bin/multilog -- gen_context(system_u:object_r:svc_multilog_exec_t,s0) +/usr/bin/pgrphack -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/usr/bin/setlock -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/usr/bin/setuidgid -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/usr/bin/softlimit -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/usr/bin/svc -- gen_context(system_u:object_r:svc_start_exec_t,s0) +/usr/bin/svok -- gen_context(system_u:object_r:svc_start_exec_t,s0) +/usr/bin/svscan -- gen_context(system_u:object_r:svc_start_exec_t,s0) +/usr/bin/svscanboot -- gen_context(system_u:object_r:svc_start_exec_t,s0) +/usr/bin/supervise -- gen_context(system_u:object_r:svc_start_exec_t,s0) + +# +# /var +# + +/var/axfrdns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0) +/var/axfrdns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/var/axfrdns/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/var/axfrdns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) + +/var/dnscache(/.*)? gen_context(system_u:object_r:svc_svc_t,s0) +/var/dnscache/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) +/var/dnscache/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/var/dnscache/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) + +/var/qmail/supervise(/.*)? 
gen_context(system_u:object_r:svc_svc_t,s0) +/var/qmail/supervise/.*/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/var/qmail/supervise/.*/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) + +/var/service/.* gen_context(system_u:object_r:svc_svc_t,s0) +/var/service/.*/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) +/var/service/.*/log/main(/.*)? gen_context(system_u:object_r:svc_log_t,s0) +/var/service/.*/log/run gen_context(system_u:object_r:svc_run_exec_t,s0) +/var/service/.*/run.* gen_context(system_u:object_r:svc_run_exec_t,s0) + +/var/tinydns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0) +/var/tinydns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/var/tinydns/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/var/tinydns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) diff --git a/policy/modules/system/daemontools.if b/policy/modules/system/daemontools.if new file mode 100644 index 0000000..81e5ed4 --- /dev/null +++ b/policy/modules/system/daemontools.if 
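Review bot: the two entries `/var/service/.*/log/run` and `/var/service/.*/run.*` omit the `--` file-type specifier that every other `run` entry in this file carries, so any directory, symlink or device matching those regexes would also be labelled svc_run_exec_t; add `--` for consistency with the `/var/axfrdns`, `/var/dnscache` and `/var/tinydns` entries.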
@@ -0,0 +1,212 @@ +## <summary>Collection of tools for managing UNIX services</summary> +## <desc> +## <p> +## Policy for DJB's daemontools +## </p> +## </desc> + +######################################## +## <summary> +## An ipc channel between the supervised domain and svc_start_t +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`daemontools_ipc_domain',` + gen_require(` + type svc_start_t; + ') + + allow $1 svc_start_t:process sigchld; + allow $1 svc_start_t:fd use; + allow $1 svc_start_t:fifo_file { read write getattr }; + allow svc_start_t $1:process signal; +') + +######################################## +## <summary> +## Define a specified domain as a supervised service. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="entrypoint"> +## <summary> +## The type associated with the process program. +## </summary> +## </param> +# +interface(`daemontools_service_domain',` + gen_require(` + type svc_run_t; + ') + + domain_auto_trans(svc_run_t, $2, $1) + daemontools_ipc_domain($1) + + allow svc_run_t $1:process signal; + allow $1 svc_run_t:fd use; +') + +######################################## +## <summary> +## Execute in the svc_start_t domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`daemontools_domtrans_start',` + gen_require(` + type svc_start_t, svc_start_exec_t; + ') + + domtrans_pattern($1, svc_start_exec_t, svc_start_t) +') + +###################################### +## <summary> +## Execute svc_start in the svc_start domain, and +## allow the specified role the svc_start domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the svc_start domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`daemonstools_run_start',` + gen_require(` + type svc_start_t; + ') + + daemontools_domtrans_start($1) + role $2 types svc_start_t; +') + +######################################## +## <summary> +## Execute in the svc_run_t domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`daemontools_domtrans_run',` + gen_require(` + type svc_run_t, svc_run_exec_t; + ') + + domtrans_pattern($1, svc_run_exec_t, svc_run_t) +') + +######################################## +## <summary> +## Execute in the svc_multilog_t domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`daemontools_domtrans_multilog',` + gen_require(` + type svc_multilog_t, svc_multilog_exec_t; + ') + + domtrans_pattern($1, svc_multilog_exec_t, svc_multilog_t) +') + +######################################## +## <summary> +## Allow a domain to read svc_svc_t files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`daemontools_read_svc',` + gen_require(` + type svc_svc_t; + ') + + allow $1 svc_svc_t:dir list_dir_perms; + allow $1 svc_svc_t:file read_file_perms; +') + +###################################### +## <summary> +## Search svc_svc_t directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`daemontools_search_svc_dir',` + gen_require(` + type svc_svc_t; + ') + + allow $1 svc_svc_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Allow a domain to create svc_svc_t files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`daemontools_manage_svc',` + gen_require(` + type svc_svc_t; + ') + + allow $1 svc_svc_t:dir manage_dir_perms; + allow $1 svc_svc_t:fifo_file manage_fifo_file_perms; + allow $1 svc_svc_t:file manage_file_perms; + allow $1 svc_svc_t:lnk_file { read create }; +') + +###################################### +## <summary> +## Send a SIGCHLD signal to svc_run domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`daemontools_sigchld_run',` + gen_require(` + type svc_run_t; + ') + + allow $1 svc_run_t:process sigchld; +') diff --git a/policy/modules/system/daemontools.te b/policy/modules/system/daemontools.te new file mode 100644 index 0000000..699451c --- /dev/null +++ b/policy/modules/system/daemontools.te 
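Review bot: the interface declared as `daemonstools_run_start` is misspelled (extra `s`); every other interface in the file uses the `daemontools_` prefix and its summary refers to svc_start, so a module calling `daemontools_run_start($1, $2)` will fail with an undefined interface. Rename before merge. Also `daemontools_service_domain` uses the legacy `domain_auto_trans(svc_run_t, $2, $1)` where the rest of the file uses `domtrans_pattern`, and its `<param name="domain">` summary reads "Domain allowed access" although the parameter is the supervised service's domain.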
@@ -0,0 +1,130 @@ +policy_module(daemontools, 1.2.0) + +######################################## +# +# Declarations +# + +type svc_conf_t; +files_type(svc_conf_t) + +type svc_log_t; +files_type(svc_log_t) + +type svc_multilog_t; +type svc_multilog_exec_t; +application_domain(svc_multilog_t, svc_multilog_exec_t) +role system_r types svc_multilog_t; + +type svc_run_t; +type svc_run_exec_t; +application_domain(svc_run_t, svc_run_exec_t) +role system_r types svc_run_t; + +type svc_start_t; +type svc_start_exec_t; +init_domain(svc_start_t, svc_start_exec_t) +init_system_domain(svc_start_t, svc_start_exec_t) +role system_r types svc_start_t; + +type svc_svc_t; +files_type(svc_svc_t) + +######################################## +# +# multilog local policy +# + +# multilog creates /service/*/log/status +manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t) + +term_write_console(svc_multilog_t) + +init_use_fds(svc_multilog_t) +init_dontaudit_use_script_fds(svc_multilog_t) + +# writes to /var/log/*/* +logging_manage_generic_logs(svc_multilog_t) + +daemontools_ipc_domain(svc_multilog_t) + +######################################## +# +# local policy for binaries that impose +# a given environment to supervised daemons +# ie. softlimit, setuidgid, envuidgid, envdir, fghack .. 
+# + +allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource }; +allow svc_run_t self:process setrlimit; +allow svc_run_t self:fifo_file rw_fifo_file_perms; +allow svc_run_t self:unix_stream_socket create_stream_socket_perms; + +allow svc_run_t svc_conf_t:dir list_dir_perms; +allow svc_run_t svc_conf_t:file read_file_perms; + +can_exec(svc_run_t, svc_run_exec_t) + +kernel_read_system_state(svc_run_t) + +dev_read_urand(svc_run_t) + +corecmd_exec_bin(svc_run_t) +corecmd_exec_shell(svc_run_t) + +term_write_console(svc_run_t) + +files_read_etc_files(svc_run_t) +files_read_etc_runtime_files(svc_run_t) +files_search_pids(svc_run_t) +files_search_var_lib(svc_run_t) + +init_use_script_fds(svc_run_t) +init_use_fds(svc_run_t) + +daemontools_domtrans_multilog(svc_run_t) +daemontools_read_svc(svc_run_t) + +optional_policy(` + qmail_read_config(svc_run_t) +') + +######################################## +# +# local policy for service monitoring programs +# ie svc, svscan, supervise ... +# + +allow svc_start_t svc_run_t:process { signal setrlimit }; + +allow svc_start_t self:fifo_file rw_fifo_file_perms; +allow svc_start_t self:capability kill; +allow svc_start_t self:tcp_socket create_stream_socket_perms; +allow svc_start_t self:unix_stream_socket create_socket_perms; + +can_exec(svc_start_t, svc_start_exec_t) + +mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t) + +kernel_read_kernel_sysctls(svc_start_t) +kernel_read_system_state(svc_start_t) + +corecmd_exec_bin(svc_start_t) +corecmd_exec_shell(svc_start_t) + +corenet_tcp_bind_generic_node(svc_start_t) +corenet_tcp_bind_generic_port(svc_start_t) + +term_write_console(svc_start_t) + +files_read_etc_files(svc_start_t) +files_read_etc_runtime_files(svc_start_t) +files_search_var(svc_start_t) +files_search_pids(svc_start_t) + +logging_send_syslog_msg(svc_start_t) + +miscfiles_read_localization(svc_start_t) + +daemontools_domtrans_run(svc_start_t) +daemontools_manage_svc(svc_start_t) 
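Review bot: `svc_log_t` is declared with `files_type(svc_log_t)` and daemontools.fc labels `/var/service/.*/log/main(/.*)?` with it, but no rule in this file grants svc_multilog_t (or any other domain) access to svc_log_t; `logging_manage_generic_logs(svc_multilog_t)` only covers /var/log and `manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)` only the status files, so multilog's writes into log/main will be denied. Either add `manage_dirs_pattern`/`manage_files_pattern(svc_multilog_t, svc_log_t, svc_log_t)` (and consider `logging_log_file(svc_log_t)` so the type is treated as a log type) or drop the unused type. Style: the svc_start_t block opens with `allow svc_start_t svc_run_t:process { signal setrlimit };` before its own `self` rules, the reverse of the ordering used for svc_run_t above.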
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc new file mode 100644 index 0000000..dd65c15 --- /dev/null +++ b/policy/modules/system/fstools.fc 
@@ -0,0 +1,45 @@ +/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/resize.*fs -- 
gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) + +/usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0) + +/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) + +/var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if new file mode 100644 index 0000000..016a770 --- /dev/null +++ b/policy/modules/system/fstools.if 
@@ -0,0 +1,156 @@ +## <summary>Tools for filesystem management, such as mkfs and fsck.</summary> + +######################################## +## <summary> +## Execute fs tools in the fstools domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`fstools_domtrans',` + gen_require(` + type fsadm_t, fsadm_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, fsadm_exec_t, fsadm_t) +') + +######################################## +## <summary> +## Execute fs tools in the fstools domain, and +## allow the specified role the fs tools domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fstools_run',` + gen_require(` + type fsadm_t; + ') + + fstools_domtrans($1) + role $2 types fsadm_t; +') + +######################################## +## <summary> +## Execute fsadm in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fstools_exec',` + gen_require(` + type fsadm_exec_t; + ') + + can_exec($1, fsadm_exec_t) +') + +######################################## +## <summary> +## Send signal to fsadm process +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fstools_signal',` + gen_require(` + type fsadm_t; + ') + + allow $1 fsadm_t:process signal; +') + +######################################## +## <summary> +## Read fstools unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`fstools_read_pipes',` + gen_require(` + type fsadm_t; + ') + + allow $1 fsadm_t:fifo_file read_fifo_file_perms; +') + +######################################## +## <summary> +## Relabel a file to the type used by the +## filesystem tools programs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fstools_relabelto_entry_files',` + gen_require(` + type fsadm_exec_t; + ') + + allow $1 fsadm_exec_t:file relabelto; +') + +######################################## +## <summary> +## Create, read, write, and delete a file used by the +## filesystem tools programs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fstools_manage_entry_files',` + gen_require(` + type fsadm_exec_t; + ') + + allow $1 fsadm_exec_t:file manage_file_perms; +') + +######################################## +## <summary> +## Getattr swapfile +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fstools_getattr_swap_files',` + gen_require(` + type swapfile_t; + ') + + allow $1 swapfile_t:file getattr; +') diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te new file mode 100644 index 0000000..7cb7582 --- /dev/null +++ b/policy/modules/system/fstools.te 
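Review bot: `fstools_manage_entry_files` grants `manage_file_perms` on fsadm_exec_t, i.e. the caller may replace or delete the fsck/mkfs binaries themselves, yet its summary only says "Create, read, write, and delete a file used by the filesystem tools programs"; the summary should name the entrypoint type and the intended caller (package management) so the integrity impact is visible to anyone granting it. Minor: the `fstools_getattr_swap_files` summary "Getattr swapfile" should be a sentence like the others.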
@@ -0,0 +1,196 @@ +policy_module(fstools, 1.14.0) + +######################################## +# +# Declarations +# + +type fsadm_t; +type fsadm_exec_t; +init_system_domain(fsadm_t, fsadm_exec_t) +role system_r types fsadm_t; + +type fsadm_log_t; +logging_log_file(fsadm_log_t) + +type fsadm_tmp_t; +files_tmp_file(fsadm_tmp_t) + +type swapfile_t; # customizable +files_type(swapfile_t) + +######################################## +# +# local policy +# + +# ipc_lock is for losetup +allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search }; +allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap }; +allow fsadm_t self:fd use; +allow fsadm_t self:fifo_file rw_fifo_file_perms; +allow fsadm_t self:sock_file read_sock_file_perms; +allow fsadm_t self:unix_dgram_socket create_socket_perms; +allow fsadm_t self:unix_stream_socket create_stream_socket_perms; +allow fsadm_t self:unix_dgram_socket sendto; +allow fsadm_t self:unix_stream_socket connectto; +allow fsadm_t self:shm create_shm_perms; +allow fsadm_t self:sem create_sem_perms; +allow fsadm_t self:msgq create_msgq_perms; +allow fsadm_t self:msg { send receive }; + +can_exec(fsadm_t, fsadm_exec_t) + +allow fsadm_t fsadm_tmp_t:dir manage_dir_perms; +allow fsadm_t fsadm_tmp_t:file manage_file_perms; +files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir }) + +# log files +allow fsadm_t fsadm_log_t:dir setattr; +manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t) +logging_log_filetrans(fsadm_t, fsadm_log_t, file) + +# Enable swapping to files +allow fsadm_t swapfile_t:file { rw_file_perms swapon }; + +kernel_read_system_state(fsadm_t) +kernel_read_kernel_sysctls(fsadm_t) +kernel_request_load_module(fsadm_t) +# Allow console log change (updfstab) +kernel_change_ring_buffer_level(fsadm_t) +# mkreiserfs needs this +kernel_getattr_proc(fsadm_t) +kernel_getattr_core_if(fsadm_t) +# Access to /initrd devices 
+kernel_rw_unlabeled_dirs(fsadm_t) +kernel_rw_unlabeled_blk_files(fsadm_t) + +corecmd_exec_bin(fsadm_t) +#RedHat bug #201164 +corecmd_exec_shell(fsadm_t) +# cjp: these are probably not needed: +corecmd_read_bin_files(fsadm_t) +corecmd_read_bin_pipes(fsadm_t) +corecmd_read_bin_sockets(fsadm_t) + +dev_getattr_all_chr_files(fsadm_t) +dev_dontaudit_getattr_all_blk_files(fsadm_t) +dev_dontaudit_getattr_generic_files(fsadm_t) +# mkreiserfs and other programs need this for UUID +dev_read_rand(fsadm_t) +dev_read_urand(fsadm_t) +# Recreate /dev/cdrom. +dev_manage_generic_symlinks(fsadm_t) +# fdisk needs this for early boot +dev_manage_generic_blk_files(fsadm_t) +# Access to /initrd devices +dev_search_usbfs(fsadm_t) +# for swapon +dev_read_sysfs(fsadm_t) +# Access to /initrd devices +dev_getattr_usbfs_dirs(fsadm_t) +# Access to /dev/mapper/control +dev_rw_lvm_control(fsadm_t) + +domain_use_interactive_fds(fsadm_t) + +files_getattr_boot_dirs(fsadm_t) +files_list_home(fsadm_t) +files_read_usr_files(fsadm_t) +files_read_etc_files(fsadm_t) +files_manage_lost_found(fsadm_t) +files_manage_isid_type_dirs(fsadm_t) +# Write to /etc/mtab. +files_manage_etc_runtime_files(fsadm_t) +files_etc_filetrans_etc_runtime(fsadm_t, file) +# Access to /initrd devices +files_rw_isid_type_dirs(fsadm_t) +files_rw_isid_type_blk_files(fsadm_t) +files_read_isid_type_files(fsadm_t) + +fs_search_auto_mountpoints(fsadm_t) +fs_getattr_xattr_fs(fsadm_t) +fs_rw_ramfs_pipes(fsadm_t) +fs_rw_tmpfs_files(fsadm_t) +# remount file system to apply changes +fs_remount_xattr_fs(fsadm_t) +# for /dev/shm +fs_search_tmpfs(fsadm_t) +fs_getattr_tmpfs_dirs(fsadm_t) +fs_read_tmpfs_symlinks(fsadm_t) +fs_manage_nfs_files(fsadm_t) +fs_manage_cifs_files(fsadm_t) +fs_rw_hugetlbfs_files(fsadm_t) +# Recreate /mnt/cdrom. 
+files_manage_mnt_dirs(fsadm_t) +# for tune2fs +files_search_all(fsadm_t) + +mls_file_read_all_levels(fsadm_t) +mls_file_write_all_levels(fsadm_t) + +storage_raw_read_fixed_disk(fsadm_t) +storage_raw_write_fixed_disk(fsadm_t) +storage_raw_read_removable_device(fsadm_t) +storage_raw_write_removable_device(fsadm_t) +storage_read_scsi_generic(fsadm_t) +storage_swapon_fixed_disk(fsadm_t) + +term_use_console(fsadm_t) + +init_use_fds(fsadm_t) +init_use_script_ptys(fsadm_t) +init_dontaudit_getattr_initctl(fsadm_t) + +logging_send_syslog_msg(fsadm_t) + +miscfiles_read_localization(fsadm_t) + +modutils_read_module_config(fsadm_t) +modutils_read_module_deps(fsadm_t) + +seutil_read_config(fsadm_t) + +term_use_all_terms(fsadm_t) + +ifdef(`distro_redhat',` + optional_policy(` + unconfined_domain(fsadm_t) + ') +') + +optional_policy(` + amanda_rw_dumpdates_files(fsadm_t) + amanda_append_log_files(fsadm_t) +') + +optional_policy(` + # for smartctl cron jobs + cron_system_entry(fsadm_t, fsadm_exec_t) +') + +optional_policy(` + hal_dontaudit_write_log(fsadm_t) +') + +optional_policy(` + livecd_rw_tmp_files(fsadm_t) +') + +optional_policy(` + nis_use_ypbind(fsadm_t) +') + +optional_policy(` + fs_dontaudit_write_ramfs_pipes(fsadm_t) + rhgb_stub(fsadm_t) +') + +optional_policy(` + virt_read_blk_images(fsadm_t) +') + +optional_policy(` + xen_append_log(fsadm_t) + xen_rw_image_files(fsadm_t) +') diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc new file mode 100644 index 0000000..e1a1848 --- /dev/null +++ b/policy/modules/system/getty.fc 
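Review bot: `allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };` lists execmem twice; drop the duplicate. `term_use_console(fsadm_t)` is redundant with `term_use_all_terms(fsadm_t)` later in the file. The comment `# Access to /initrd devices` is copied onto `dev_search_usbfs`, `dev_getattr_usbfs_dirs` and `files_rw_isid_type_dirs`, where it does not describe the rule it sits on; each should say what actually needs it. `fs_manage_nfs_files(fsadm_t)` and `fs_manage_cifs_files(fsadm_t)` are granted unconditionally and without a comment, which for a domain that can also `fs_remount_xattr_fs` and write raw disks deserves either a tunable or a stated reason. The `ifdef(`distro_redhat',` block that applies `unconfined_domain(fsadm_t)` has the same problem as the Ubuntu blocks in pam.te: it silently voids the whole policy above it on that distro. Finally, `fs_dontaudit_write_ramfs_pipes(fsadm_t)` inside the `rhgb_stub` optional block needs a comment tying it to rhgb.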
@@ -0,0 +1,12 @@ + +/etc/mgetty(/.*)? gen_context(system_u:object_r:getty_etc_t,s0) + +/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) + +/var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0) +/var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0) + +/var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0) + +/var/spool/fax(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0) +/var/spool/voice(/.*)? gen_context(system_u:object_r:getty_var_run_t,s0) diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if new file mode 100644 index 0000000..e4376aa --- /dev/null +++ b/policy/modules/system/getty.if 
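Review bot: `/var/spool/fax(/.*)?` and `/var/spool/voice(/.*)?` are labelled getty_var_run_t, which getty.te declares with `files_pid_file`; spool directories holding received faxes and voice messages are persistent data, not pid files, and should get their own type (a `files_type` or spool type) so that pid-file cleanup and access rules written for /var/run do not apply to them.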
@@ -0,0 +1,98 @@ +## <summary>Policy for getty.</summary> + +######################################## +## <summary> +## Execute gettys in the getty domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`getty_domtrans',` + gen_require(` + type getty_t, getty_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, getty_exec_t, getty_t) +') + +######################################## +## <summary> +## Inherit and use getty file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`getty_use_fds',` + gen_require(` + type getty_t; + ') + + allow $1 getty_t:fd use; +') + +######################################## +## <summary> +## Allow process to read getty log file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`getty_read_log',` + gen_require(` + type getty_log_t; + ') + + logging_search_logs($1) + allow $1 getty_log_t:file read_file_perms; +') + +######################################## +## <summary> +## Allow process to read getty config file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`getty_read_config',` + gen_require(` + type getty_etc_t; + ') + + files_search_etc($1) + allow $1 getty_etc_t:file read_file_perms; +') + +######################################## +## <summary> +## Allow process to edit getty config file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`getty_rw_config',` + gen_require(` + type getty_etc_t; + ') + + files_search_etc($1) + allow $1 getty_etc_t:file rw_file_perms; +') diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te new file mode 100644 index 0000000..55c2d03 
--- /dev/null +++ b/policy/modules/system/getty.te 
@@ -0,0 +1,135 @@ +policy_module(getty, 1.8.0) + +######################################## +# +# Declarations +# + +type getty_t; +type getty_exec_t; +init_domain(getty_t, getty_exec_t) +init_system_domain(getty_t, getty_exec_t) +domain_interactive_fd(getty_t) + +type getty_etc_t; +typealias getty_etc_t alias etc_getty_t; +files_config_file(getty_etc_t) + +type getty_lock_t; +files_lock_file(getty_lock_t) + +type getty_log_t; +logging_log_file(getty_log_t) + +type getty_tmp_t; +files_tmp_file(getty_tmp_t) + +type getty_var_run_t; +files_pid_file(getty_var_run_t) + +######################################## +# +# Getty local policy +# + +# Use capabilities. +allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; +dontaudit getty_t self:capability sys_tty_config; +allow getty_t self:process { getpgid setpgid getsession signal_perms }; +allow getty_t self:fifo_file rw_fifo_file_perms; + +read_files_pattern(getty_t, getty_etc_t, getty_etc_t) +read_lnk_files_pattern(getty_t, getty_etc_t, getty_etc_t) +files_etc_filetrans(getty_t, getty_etc_t,{ file dir }) + +allow getty_t getty_lock_t:file manage_file_perms; +files_lock_filetrans(getty_t, getty_lock_t, file) + +allow getty_t getty_log_t:file manage_file_perms; +logging_log_filetrans(getty_t, getty_log_t, file) + +allow getty_t getty_tmp_t:file manage_file_perms; +allow getty_t getty_tmp_t:dir manage_dir_perms; +files_tmp_filetrans(getty_t, getty_tmp_t, { file dir }) + +manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t) +files_pid_filetrans(getty_t, getty_var_run_t, file) + +kernel_read_system_state(getty_t) + +# these two needed for receiving faxes +corecmd_exec_bin(getty_t) +corecmd_exec_shell(getty_t) + +dev_read_sysfs(getty_t) + +files_rw_generic_pids(getty_t) +files_read_etc_runtime_files(getty_t) +files_read_etc_files(getty_t) +files_search_spool(getty_t) + +fs_search_auto_mountpoints(getty_t) +# for error condition handling +fs_getattr_xattr_fs(getty_t) + 
+mcs_process_set_categories(getty_t) + +mls_file_read_all_levels(getty_t) +mls_file_write_all_levels(getty_t) + +# Chown, chmod, read and write ttys. +term_use_all_ttys(getty_t) +term_use_unallocated_ttys(getty_t) +term_setattr_all_ttys(getty_t) +term_setattr_unallocated_ttys(getty_t) +term_setattr_console(getty_t) +term_use_console(getty_t) + +auth_rw_login_records(getty_t) + +init_rw_utmp(getty_t) +init_use_script_ptys(getty_t) +init_dontaudit_use_script_ptys(getty_t) + +locallogin_domtrans(getty_t) + +logging_send_syslog_msg(getty_t) + +miscfiles_read_localization(getty_t) + +ifdef(`distro_gentoo',` + # Gentoo default /etc/issue makes agetty + # do a DNS lookup for the hostname + sysnet_dns_name_resolve(getty_t) +') + +ifdef(`distro_redhat',` + # getty requires sys_admin #209426 + allow getty_t self:capability sys_admin; +') + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(getty_t) + ') +') + +optional_policy(` + mta_send_mail(getty_t) +') + +optional_policy(` + nscd_socket_use(getty_t) +') + +optional_policy(` + ppp_domtrans(getty_t) +') + +optional_policy(` + rhgb_dontaudit_use_ptys(getty_t) +') + +optional_policy(` + udev_read_db(getty_t) +') diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc new file mode 100644 index 0000000..9dfecf7 --- /dev/null +++ b/policy/modules/system/hostname.fc @@ -0,0 +1,2 @@ + +/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if new file mode 100644 index 0000000..187f04f --- /dev/null +++ b/policy/modules/system/hostname.if 
@@ -0,0 +1,65 @@ +## <summary>Policy for changing the system host name.</summary> + +######################################## +## <summary> +## Execute hostname in the hostname domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`hostname_domtrans',` + gen_require(` + type hostname_t, hostname_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, hostname_exec_t, hostname_t) +') + +######################################## +## <summary> +## Execute hostname in the hostname domain, and +## allow the specified role the hostname domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`hostname_run',` + gen_require(` + type hostname_t; + ') + + hostname_domtrans($1) + role $2 types hostname_t; +') + +######################################## +## <summary> +## Execute hostname in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`hostname_exec',` + gen_require(` + type hostname_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, hostname_exec_t) +') diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te new file mode 100644 index 0000000..683494c --- /dev/null +++ b/policy/modules/system/hostname.te 
@@ -0,0 +1,71 @@ +policy_module(hostname, 1.6.1) + +######################################## +# +# Declarations +# + +type hostname_t; +type hostname_exec_t; +init_system_domain(hostname_t, hostname_exec_t) +role system_r types hostname_t; + +######################################## +# +# Local policy +# + +# for setting the hostname +allow hostname_t self:process { sigchld sigkill sigstop signull signal }; +allow hostname_t self:capability sys_admin; +allow hostname_t self:unix_stream_socket create_stream_socket_perms; +dontaudit hostname_t self:capability sys_tty_config; + +kernel_list_proc(hostname_t) +kernel_read_proc_symlinks(hostname_t) + +dev_read_sysfs(hostname_t) +# Early devtmpfs, before udev relabel +dev_dontaudit_rw_generic_chr_files(hostname_t) + +domain_dontaudit_leaks(hostname_t) +domain_use_interactive_fds(hostname_t) + +files_read_etc_files(hostname_t) +files_dontaudit_leaks(hostname_t) +files_dontaudit_search_var(hostname_t) +# for when /usr is not mounted: +files_dontaudit_search_isid_type_dirs(hostname_t) + +fs_getattr_xattr_fs(hostname_t) +fs_search_auto_mountpoints(hostname_t) +fs_dontaudit_leaks(hostname_t) +fs_dontaudit_use_tmpfs_chr_dev(hostname_t) + +term_dontaudit_use_console(hostname_t) +term_use_all_ttys(hostname_t) +term_use_all_ptys(hostname_t) + +init_use_fds(hostname_t) +init_use_script_fds(hostname_t) +init_use_script_ptys(hostname_t) + +logging_send_syslog_msg(hostname_t) + +miscfiles_read_localization(hostname_t) + +sysnet_read_config(hostname_t) +sysnet_dns_name_resolve(hostname_t) + +optional_policy(` + nis_use_ypbind(hostname_t) +') + +optional_policy(` + xen_append_log(hostname_t) + xen_dontaudit_use_fds(hostname_t) +') + +optional_policy(` + unconfined_dontaudit_rw_pipes(hostname_t) +') diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc new file mode 100644 index 0000000..caf736b --- /dev/null +++ b/policy/modules/system/hotplug.fc 
@@ -0,0 +1,11 @@ + +/etc/hotplug(/.*)? gen_context(system_u:object_r:hotplug_etc_t,s0) +/etc/hotplug/firmware\.agent -- gen_context(system_u:object_r:hotplug_exec_t,s0) + +/etc/hotplug\.d/.* -- gen_context(system_u:object_r:hotplug_exec_t,s0) + +/sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0) +/sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0) + +/var/run/usb(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0) +/var/run/hotplug(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0) diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if new file mode 100644 index 0000000..40eb10c --- /dev/null +++ b/policy/modules/system/hotplug.if 
@@ -0,0 +1,175 @@ +## <summary> +## Policy for hotplug system, for supporting the +## connection and disconnection of devices at runtime. +## </summary> + +######################################## +## <summary> +## Execute hotplug with a domain transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`hotplug_domtrans',` + gen_require(` + type hotplug_t, hotplug_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, hotplug_exec_t, hotplug_t) +') + +######################################## +## <summary> +## Execute hotplug in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hotplug_exec',` + gen_require(` + type hotplug_t; + ') + + corecmd_search_bin($1) + can_exec($1, hotplug_exec_t) +') + +######################################## +## <summary> +## Inherit and use hotplug file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hotplug_use_fds',` + gen_require(` + type hotplug_t; + ') + + allow $1 hotplug_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to inherit +## hotplug file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`hotplug_dontaudit_use_fds',` + gen_require(` + type hotplug_t; + ') + + dontaudit $1 hotplug_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to search the +## hotplug configuration directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`hotplug_dontaudit_search_config',` + gen_require(` + type hotplug_etc_t; + ') + + dontaudit $1 hotplug_etc_t:dir search; +') + +######################################## +## <summary> +## Get the attributes of the hotplug configuration directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hotplug_getattr_config_dirs',` + gen_require(` + type hotplug_etc_t; + ') + + allow $1 hotplug_etc_t:dir getattr; +') + +######################################## +## <summary> +## Search the hotplug configuration directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hotplug_search_config',` + gen_require(` + type hotplug_etc_t; + ') + + allow $1 hotplug_etc_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Read the configuration files for hotplug. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`hotplug_read_config',` + gen_require(` + type hotplug_etc_t; + ') + + files_search_etc($1) + allow $1 hotplug_etc_t:dir list_dir_perms; + read_files_pattern($1, hotplug_etc_t, hotplug_etc_t) + read_lnk_files_pattern($1, hotplug_etc_t, hotplug_etc_t) +') + +######################################## +## <summary> +## Search the hotplug PIDs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`hotplug_search_pids',` + gen_require(` + type hotplug_var_run_t; + ') + + allow $1 hotplug_var_run_t:dir search_dir_perms; + files_search_pids($1) +') diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te new file mode 100644 index 0000000..7c6933f --- /dev/null +++ b/policy/modules/system/hotplug.te 
@@ -0,0 +1,201 @@ +policy_module(hotplug, 1.13.0) + +######################################## +# +# Declarations +# + +type hotplug_t; +type hotplug_exec_t; +kernel_domtrans_to(hotplug_t, hotplug_exec_t) +init_daemon_domain(hotplug_t, hotplug_exec_t) + +type hotplug_etc_t; +files_config_file(hotplug_etc_t) +init_daemon_domain(hotplug_t, hotplug_etc_t) + +type hotplug_var_run_t; +files_pid_file(hotplug_var_run_t) + +######################################## +# +# Local policy +# + +allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio }; +dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config }; +# for access("/etc/bashrc", X_OK) on Red Hat +dontaudit hotplug_t self:capability { dac_override dac_read_search }; +allow hotplug_t self:process { setpgid getsession getattr signal_perms }; +allow hotplug_t self:fifo_file rw_file_perms; +allow hotplug_t self:netlink_route_socket r_netlink_socket_perms; +allow hotplug_t self:udp_socket create_socket_perms; +allow hotplug_t self:tcp_socket connected_stream_socket_perms; + +read_files_pattern(hotplug_t, hotplug_etc_t, hotplug_etc_t) +read_lnk_files_pattern(hotplug_t, hotplug_etc_t, hotplug_etc_t) +can_exec(hotplug_t, hotplug_etc_t) +allow hotplug_t hotplug_etc_t:dir list_dir_perms; + +can_exec(hotplug_t, hotplug_exec_t) + +manage_dirs_pattern(hotplug_t, hotplug_var_run_t, hotplug_var_run_t) +manage_files_pattern(hotplug_t, hotplug_var_run_t, hotplug_var_run_t) +files_pid_filetrans(hotplug_t, hotplug_var_run_t, { dir file }) + +kernel_sigchld(hotplug_t) +kernel_setpgid(hotplug_t) +kernel_read_system_state(hotplug_t) +kernel_read_network_state(hotplug_t) +kernel_read_kernel_sysctls(hotplug_t) +kernel_rw_net_sysctls(hotplug_t) + +files_read_kernel_modules(hotplug_t) + +corenet_all_recvfrom_unlabeled(hotplug_t) +corenet_all_recvfrom_netlabel(hotplug_t) +corenet_tcp_sendrecv_generic_if(hotplug_t) +corenet_udp_sendrecv_generic_if(hotplug_t) 
+corenet_tcp_sendrecv_generic_node(hotplug_t) +corenet_udp_sendrecv_generic_node(hotplug_t) +corenet_tcp_sendrecv_all_ports(hotplug_t) +corenet_udp_sendrecv_all_ports(hotplug_t) + +dev_rw_sysfs(hotplug_t) +dev_read_usbfs(hotplug_t) +dev_setattr_printer_dev(hotplug_t) +dev_setattr_sound_dev(hotplug_t) +# for SSP: +dev_read_urand(hotplug_t) + +fs_getattr_all_fs(hotplug_t) +fs_search_auto_mountpoints(hotplug_t) + +storage_setattr_fixed_disk_dev(hotplug_t) +storage_setattr_removable_dev(hotplug_t) + +corecmd_exec_bin(hotplug_t) +corecmd_exec_shell(hotplug_t) + +domain_use_interactive_fds(hotplug_t) +# for ps +domain_dontaudit_read_all_domains_state(hotplug_t) +domain_dontaudit_getattr_all_domains(hotplug_t) + +files_read_etc_files(hotplug_t) +files_manage_etc_runtime_files(hotplug_t) +files_etc_filetrans_etc_runtime(hotplug_t, file) +files_exec_etc_files(hotplug_t) +# for when filesystems are not mounted early in the boot: +files_dontaudit_search_isid_type_dirs(hotplug_t) + +init_read_script_state(hotplug_t) +# Allow hotplug (including /sbin/ifup-local) to start/stop services and +# run sendmail -q +init_domtrans_script(hotplug_t) +# kernel threads inherit from shared descriptor table used by init +init_dontaudit_rw_initctl(hotplug_t) + +logging_send_syslog_msg(hotplug_t) +logging_search_logs(hotplug_t) + +# Read /usr/lib/gconv/.* +libs_read_lib_files(hotplug_t) + +miscfiles_read_hwdata(hotplug_t) +miscfiles_read_localization(hotplug_t) + +modutils_domtrans_insmod(hotplug_t) +modutils_read_module_deps(hotplug_t) + +seutil_dontaudit_search_config(hotplug_t) + +sysnet_read_config(hotplug_t) + +userdom_dontaudit_use_unpriv_user_fds(hotplug_t) +userdom_dontaudit_search_user_home_dirs(hotplug_t) + +ifdef(`distro_redhat', ` + optional_policy(` + # for arping used for static IP addresses on PCMCIA ethernet + netutils_domtrans(hotplug_t) + netutils_signal(hotplug_t) + fs_rw_tmpfs_chr_files(hotplug_t) + ') + files_getattr_generic_locks(hotplug_t) +') + +optional_policy(` + 
brctl_domtrans(hotplug_t) +') + +optional_policy(` + consoletype_exec(hotplug_t) +') + +optional_policy(` + dbus_system_bus_client(hotplug_t) +') + +optional_policy(` + fstools_domtrans(hotplug_t) +') + +optional_policy(` + hal_dgram_send(hotplug_t) +') + +optional_policy(` + hostname_exec(hotplug_t) +') + +optional_policy(` + iptables_domtrans(hotplug_t) +') + +optional_policy(` + mount_domtrans(hotplug_t) +') + +optional_policy(` + mta_send_mail(hotplug_t) +') + +optional_policy(` + nis_use_ypbind(hotplug_t) +') + +optional_policy(` + nscd_socket_use(hotplug_t) +') + +optional_policy(` + seutil_sigchld_newrole(hotplug_t) +') + +optional_policy(` + sysnet_domtrans_dhcpc(hotplug_t) + sysnet_signal_dhcpc(hotplug_t) + sysnet_kill_dhcpc(hotplug_t) + sysnet_signull_dhcpc(hotplug_t) + sysnet_sigstop_dhcpc(hotplug_t) + sysnet_sigchld_dhcpc(hotplug_t) + sysnet_read_dhcpc_pid(hotplug_t) + sysnet_rw_dhcp_config(hotplug_t) + sysnet_domtrans_ifconfig(hotplug_t) + sysnet_signal_ifconfig(hotplug_t) +') + +optional_policy(` + udev_domtrans(hotplug_t) + udev_helper_domtrans(hotplug_t) + udev_read_db(hotplug_t) +') + +optional_policy(` + updfstab_domtrans(hotplug_t) +') + +optional_policy(` + usbmodules_domtrans(hotplug_t) +') diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc new file mode 100644 index 0000000..b338481 --- /dev/null +++ b/policy/modules/system/init.fc 
@@ -0,0 +1,77 @@ +# +# /etc +# +/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) + +/etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) +/etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0) + +/etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0) +/etc/sysconfig/network-scripts/ifup-ipsec -- gen_context(system_u:object_r:initrc_exec_t,s0) + +/etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0) + +ifdef(`distro_gentoo',` +/etc/vmware/init\.d/vmware -- gen_context(system_u:object_r:initrc_exec_t,s0) +/etc/x11/startDM\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0) +') + +# +# /dev +# +/dev/initctl -p gen_context(system_u:object_r:initctl_t,s0) + +# +# /sbin +# +/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0) + +# +# /sbin +# +/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) +/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) + +ifdef(`distro_gentoo', ` +/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) +/sbin/runscript -- gen_context(system_u:object_r:initrc_exec_t,s0) +/sbin/runscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0) +/sbin/runsvcscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0) +/sbin/svcinit -- gen_context(system_u:object_r:initrc_exec_t,s0) +') + +# +# /usr +# +/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) + +/usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) + +/usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0) + +/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0) + +# +# /var +# +ifdef(`distro_gentoo', ` +/var/lib/init\.d(/.*)? 
gen_context(system_u:object_r:initrc_state_t,s0) +/var/run/svscan\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) +') + +/var/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0) +/var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0) +/var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0) +/var/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0) + +ifdef(`distro_suse', ` +/var/run/bootsplashctl -p gen_context(system_u:object_r:initrc_var_run_t,s0) +/var/run/keymap -- gen_context(system_u:object_r:initrc_var_run_t,s0) +/var/run/numlock-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) +/var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) +/var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0) +') + diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if new file mode 100644 index 0000000..666a58f --- /dev/null +++ b/policy/modules/system/init.if 
@@ -0,0 +1,1936 @@ +## <summary>System initialization programs (init and init scripts).</summary> + +######################################## +## <summary> +## Create a file type used for init scripts. +## </summary> +## <desc> +## <p> +## Create a file type used for init scripts. It can not be +## used in conjunction with init_script_domain(). These +## script files are typically stored in the /etc/init.d directory. +## </p> +## <p> +## Typically this is used to constrain what services an +## admin can start/stop. For example, a policy writer may want +## to constrain a web administrator to only being able to +## restart the web server, not other services. This special type +## will help address that goal. +## </p> +## <p> +## This also makes the type usable for files; thus an +## explicit call to files_type() is redundant. +## </p> +## </desc> +## <param name="script_file"> +## <summary> +## Type to be used for a script file. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`init_script_file',` + gen_require(` + type initrc_t; + attribute init_script_file_type, init_run_all_scripts_domain; + ') + + typeattribute $1 init_script_file_type; + + domain_entry_file(initrc_t, $1) + + domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t) +') + +######################################## +## <summary> +## Create a domain used for init scripts. +## </summary> +## <desc> +## <p> +## Create a domain used for init scripts. +## Can not be used in conjunction with +## init_script_file(). +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Type to be used as an init script domain. +## </summary> +## </param> +## <param name="script_file"> +## <summary> +## Type of the script file used as an entry point to this domain. 
+## </summary> +## </param> +# +interface(`init_script_domain',` + gen_require(` + attribute init_script_domain_type, init_script_file_type; + attribute init_run_all_scripts_domain; + ') + + typeattribute $1 init_script_domain_type; + typeattribute $2 init_script_file_type; + + domain_type($1) + domain_entry_file($1, $2) + + domtrans_pattern(init_run_all_scripts_domain, $2, $1) +') + +######################################## +## <summary> +## Create a domain which can be started by init. +## </summary> +## <param name="domain"> +## <summary> +## Type to be used as a domain. +## </summary> +## </param> +## <param name="entry_point"> +## <summary> +## Type of the program to be used as an entry point to this domain. +## </summary> +## </param> +# +interface(`init_domain',` + gen_require(` + type init_t; + role system_r; + ') + + domain_type($1) + domain_entry_file($1,$2) + + role system_r types $1; + + tunable_policy(`init_systemd',`', ` + domtrans_pattern(init_t,$2,$1) + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; + ') + + ifdef(`hide_broken_symptoms',` + # RHEL4 systems seem to have a stray + # fds open from the initrd + ifdef(`distro_rhel4',` + kernel_dontaudit_use_fds($1) + ') + ') +') + +######################################## +## <summary> +## Create a domain which can be started by init, +## with a range transition. +## </summary> +## <param name="domain"> +## <summary> +## Type to be used as a domain. +## </summary> +## </param> +## <param name="entry_point"> +## <summary> +## Type of the program to be used as an entry point to this domain. +## </summary> +## </param> +## <param name="range"> +## <summary> +## Range for the domain. 
+## </summary> +## </param> +# +interface(`init_ranged_domain',` + gen_require(` + type init_t; + ') + + init_domain($1,$2) + + ifdef(`enable_mcs',` + range_transition init_t $2:process $3; + ') + + ifdef(`enable_mls',` + range_transition init_t $2:process $3; + mls_rangetrans_target($1) + ') +') + +######################################## +## <summary> +## Create a domain for long running processes +## (daemons/services) which are started by init scripts. +## </summary> +## <desc> +## <p> +## Create a domain for long running processes (daemons/services) +## which are started by init scripts. Short running processes +## should use the init_system_domain() interface instead. +## Typically all long running processes started by an init +## script (usually in /etc/init.d) will need to use this +## interface. +## </p> +## <p> +## The types will be made usable as a domain and file, making +## calls to domain_type() and files_type() redundant. +## </p> +## <p> +## If the process must also run in a specific MLS/MCS level, +## the init_ranged_daemon_domain() should be used instead. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Type to be used as a daemon domain. +## </summary> +## </param> +## <param name="entry_point"> +## <summary> +## Type of the program to be used as an entry point to this domain. 
+## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`init_daemon_domain',` + gen_require(` + attribute direct_run_init, direct_init, direct_init_entry; + type initrc_t; + type init_t; + role system_r; + attribute daemon; + attribute initrc_transition_domain; + ') + + typeattribute $1 daemon; + + domain_type($1) + domain_entry_file($1,$2) + + role system_r types $1; + + domtrans_pattern(initrc_t,$2,$1) + allow initrc_t $1:process siginh; + allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; + allow $1 initrc_transition_domain:fd use; + + tunable_policy(`init_upstart || init_systemd',` + # Handle upstart direct transition to a executable + domtrans_pattern(init_t,$2,$1) + allow init_t $1:process siginh; + ') + + tunable_policy(`init_systemd',` + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; + ') + + # daemons started from init will + # inherit fds from init for the console + init_dontaudit_use_fds($1) + term_dontaudit_use_console($1) + + # init script ptys are the stdin/out/err + # when using run_init + init_use_script_ptys($1) + + ifdef(`direct_sysadm_daemon',` + domtrans_pattern(direct_run_init,$2,$1) + allow direct_run_init $1:process { noatsecure siginh rlimitinh }; + + typeattribute $1 direct_init; + typeattribute $2 direct_init_entry; + + userdom_dontaudit_use_user_terminals($1) + ') + + ifdef(`hide_broken_symptoms',` + # RHEL4 systems seem to have a stray + # fds open from the initrd + ifdef(`distro_rhel4',` + kernel_dontaudit_use_fds($1) + ') + ') + + optional_policy(` + nscd_socket_use($1) + ') +') + +######################################## +## <summary> +## Create a domain for long running processes +## (daemons/services) which are started by init scripts, +## running at a specified MLS/MCS range. 
+## </summary> +## <desc> +## <p> +## Create a domain for long running processes (daemons/services) +## which are started by init scripts, running at a specified +## MLS/MCS range. Short running processes +## should use the init_ranged_system_domain() interface instead. +## Typically all long running processes started by an init +## script (usually in /etc/init.d) will need to use this +## interface if they need to run in a specific MLS/MCS range. +## </p> +## <p> +## The types will be made usable as a domain and file, making +## calls to domain_type() and files_type() redundant. +## </p> +## <p> +## If the policy build option TYPE is standard (MLS and MCS disabled), +## this interface has the same behavior as init_daemon_domain(). +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Type to be used as a daemon domain. +## </summary> +## </param> +## <param name="entry_point"> +## <summary> +## Type of the program to be used as an entry point to this domain. +## </summary> +## </param> +## <param name="range"> +## <summary> +## MLS/MCS range for the domain. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`init_ranged_daemon_domain',` + gen_require(` + type initrc_t; + ') + +# init_daemon_domain($1,$2) + + ifdef(`enable_mcs',` + range_transition initrc_t $2:process $3; + ') + + ifdef(`enable_mls',` + range_transition initrc_t $2:process $3; + mls_rangetrans_target($1) + ') +') + +######################################## +## <summary> +## Create a domain for short running processes +## which are started by init scripts. +## </summary> +## <desc> +## <p> +## Create a domain for long running processes (daemons/services) +## which are started by init scripts. These are generally applications that +## are used to initialize the system during boot. +## Long running processes +## should use the init_daemon_domain() interface instead. 
+## Typically all short running processes started by an init +## script (usually in /etc/init.d) will need to use this +## interface. +## </p> +## <p> +## The types will be made usable as a domain and file, making +## calls to domain_type() and files_type() redundant. +## </p> +## <p> +## If the process must also run in a specific MLS/MCS level, +## the init_ranged_system_domain() should be used instead. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Type to be used as a system domain. +## </summary> +## </param> +## <param name="entry_point"> +## <summary> +## Type of the program to be used as an entry point to this domain. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`init_system_domain',` + gen_require(` + type init_t; + type initrc_t; + role system_r; + attribute initrc_transition_domain; + ') + + application_domain($1,$2) + + role system_r types $1; + + domtrans_pattern(initrc_t,$2,$1) + allow initrc_t $1:process siginh; + allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; + allow $1 initrc_transition_domain:fd use; + + tunable_policy(`init_systemd',` + # Handle upstart/systemd direct transition to a executable + domtrans_pattern(init_t,$2,$1) + allow init_t $1:process siginh; + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; + ') + + ifdef(`hide_broken_symptoms',` + # RHEL4 systems seem to have a stray + # fds open from the initrd + ifdef(`distro_rhel4',` + kernel_dontaudit_use_fds($1) + ') + ') + + userdom_dontaudit_search_user_home_dirs($1) + userdom_dontaudit_rw_stream($1) + userdom_dontaudit_write_user_tmp_files($1) + + tunable_policy(`allow_daemons_use_tty',` + term_use_all_ttys($1) + term_use_all_ptys($1) + ',` + term_dontaudit_use_all_ttys($1) + term_dontaudit_use_all_ptys($1) + ') + + # these apps are often redirect output to random log files + logging_inherit_append_all_logs($1) + + optional_policy(` + 
cron_rw_pipes($1) + ') + + optional_policy(` + xserver_dontaudit_append_xdm_home_files($1) + ') + + optional_policy(` + unconfined_dontaudit_rw_pipes($1) + unconfined_dontaudit_rw_stream($1) + userdom_dontaudit_read_user_tmp_files($1) + ') + + init_rw_script_stream_sockets($1) +') + +######################################## +## <summary> +## Create a domain for short running processes +## which are started by init scripts. +## </summary> +## <desc> +## <p> +## Create a domain for long running processes (daemons/services) +## which are started by init scripts. +## These are generally applications that +## are used to initialize the system during boot. +## Long running processes +## should use the init_ranged_system_domain() interface instead. +## Typically all short running processes started by an init +## script (usually in /etc/init.d) will need to use this +## interface if they need to run in a specific MLS/MCS range. +## </p> +## <p> +## The types will be made usable as a domain and file, making +## calls to domain_type() and files_type() redundant. +## </p> +## <p> +## If the policy build option TYPE is standard (MLS and MCS disabled), +## this interface has the same behavior as init_system_domain(). +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Type to be used as a system domain. +## </summary> +## </param> +## <param name="entry_point"> +## <summary> +## Type of the program to be used as an entry point to this domain. +## </summary> +## </param> +## <param name="range"> +## <summary> +## Range for the domain. 
+## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`init_ranged_system_domain',` + gen_require(` + type initrc_t; + ') + + init_system_domain($1,$2) + + ifdef(`enable_mcs',` + range_transition initrc_t $2:process $3; + ') + + ifdef(`enable_mls',` + range_transition initrc_t $2:process $3; + ') +') + +######################################## +## <summary> +## Execute init (/sbin/init) with a domain transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`init_domtrans',` + gen_require(` + type init_t, init_exec_t; + ') + + domtrans_pattern($1, init_exec_t, init_t) +') + +######################################## +## <summary> +## Execute the init program in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`init_exec',` + gen_require(` + type init_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, init_exec_t) +') + +######################################## +## <summary> +## Get the process group of init. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_getpgid',` + gen_require(` + type init_t; + ') + + allow $1 init_t:process getpgid; +') + +######################################## +## <summary> +## Send init a null signal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_signull',` + gen_require(` + type init_t; + ') + + allow $1 init_t:process signull; +') + +######################################## +## <summary> +## Send init a SIGCHLD signal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`init_sigchld',` + gen_require(` + type init_t; + ') + + allow $1 init_t:process sigchld; +') + +######################################## +## <summary> +## Inherit and use file descriptors from init. +## </summary> +## <desc> +## <p> +## Allow the specified domain to inherit file +## descriptors from the init program (process ID 1). +## Typically the only file descriptors to be +## inherited from init are for the console. +## This does not allow the domain any access to +## the object to which the file descriptors references. +## </p> +## <p> +## Related interfaces: +## </p> +## <ul> +## <li>init_dontaudit_use_fds()</li> +## <li>term_dontaudit_use_console()</li> +## <li>term_use_console()</li> +## </ul> +## <p> +## Example usage: +## </p> +## <p> +## init_use_fds(mydomain_t) +## term_use_console(mydomain_t) +## </p> +## <p> +## Normally, processes that can inherit these file +## descriptors (usually services) write messages to the +## system log instead of writing to the console. +## Therefore, in many cases, this access should +## dontaudited instead. +## </p> +## <p> +## Example dontaudit usage: +## </p> +## <p> +## init_dontaudit_use_fds(mydomain_t) +## term_dontaudit_use_console(mydomain_t) +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="1"/> +# +interface(`init_use_fds',` + gen_require(` + type init_t; + ') + + allow $1 init_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to inherit file +## descriptors from init. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`init_dontaudit_use_fds',` + gen_require(` + type init_t; + ') + + dontaudit $1 init_t:fd use; +') + +######################################## +## <summary> +## Send UDP network traffic to init. 
(Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_udp_send',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Get the attributes of initctl. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_getattr_initctl',` + gen_require(` + type initctl_t; + ') + + allow $1 initctl_t:fifo_file getattr; +') + +######################################## +## <summary> +## Do not audit attempts to get the +## attributes of initctl. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`init_dontaudit_getattr_initctl',` + gen_require(` + type initctl_t; + ') + + dontaudit $1 initctl_t:fifo_file getattr; +') + +######################################## +## <summary> +## Write to initctl. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_write_initctl',` + gen_require(` + type initctl_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 initctl_t:fifo_file write; +') + +######################################## +## <summary> +## Use telinit (Read and write initctl). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`init_telinit',` + gen_require(` + type initctl_t; + ') + + corecmd_exec_bin($1) + + dev_list_all_dev_nodes($1) + allow $1 initctl_t:fifo_file rw_fifo_file_perms; + + init_exec($1) + + tunable_policy(`init_upstart || init_systemd',` + gen_require(` + type init_t; + ') + + allow $1 init_t:process signal; + # upstart uses a datagram socket instead of initctl pipe + allow $1 self:unix_dgram_socket create_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; + #576913 + allow $1 init_t:unix_stream_socket connectto; + ') +') + +######################################## +## <summary> +## Read and write initctl. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_rw_initctl',` + gen_require(` + type initctl_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 initctl_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read and +## write initctl. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_dontaudit_rw_initctl',` + gen_require(` + type initctl_t; + ') + + dontaudit $1 initctl_t:fifo_file { read write }; +') + +######################################## +## <summary> +## Make init scripts an entry point for +## the specified domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# cjp: added for gentoo integrated run_init +interface(`init_script_file_entry_type',` + gen_require(` + type initrc_exec_t; + ') + + domain_entry_file($1, initrc_exec_t) +') + +######################################## +## <summary> +## Execute init scripts with a specified domain transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`init_spec_domtrans_script',` + gen_require(` + type initrc_t; + attribute init_script_file_type; + ') + + files_list_etc($1) + spec_domtrans_pattern($1, init_script_file_type, initrc_t) + + ifdef(`enable_mcs',` + range_transition $1 init_script_file_type:process s0; + ') + + ifdef(`enable_mls',` + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; + ') +') + +######################################## +## <summary> +## Execute init scripts with an automatic domain transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`init_domtrans_script',` + gen_require(` + type initrc_t; + attribute init_script_file_type; + attribute initrc_transition_domain; + ') + typeattribute $1 initrc_transition_domain; + + files_list_etc($1) + domtrans_pattern($1, init_script_file_type, initrc_t) + + ifdef(`enable_mcs',` + range_transition $1 init_script_file_type:process s0; + ') + + ifdef(`enable_mls',` + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; + ') +') + +######################################## +## <summary> +## Execute a file in a bin directory +## in the initrc_t domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; + ') + + corecmd_bin_domtrans($1, initrc_t) +') + +######################################## +## <summary> +## Execute a init script in a specified domain. +## </summary> +## <desc> +## <p> +## Execute a init script in a specified domain. +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## </desc> +## <param name="source_domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## Domain to transition to. +## </summary> +## </param> +# cjp: added for gentoo integrated run_init +interface(`init_script_file_domtrans',` + gen_require(` + type initrc_exec_t; + ') + + files_list_etc($1) + domain_auto_trans($1, initrc_exec_t,$2) +') + +######################################## +## <summary> +## Transition to the init script domain +## on a specified labeled init script. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="init_script_file"> +## <summary> +## Labeled init script file. +## </summary> +## </param> +# +interface(`init_labeled_script_domtrans',` + gen_require(` + type initrc_t; + attribute initrc_transition_domain; + ') + + typeattribute $1 initrc_transition_domain; + # service script searches all filesystems via mountpoint + fs_search_all($1) + domtrans_pattern($1, $2, initrc_t) + files_search_etc($1) +') + +######################################### +## <summary> +## Transition to the init script domain +## for all labeled init script types +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`init_all_labeled_script_domtrans',` + gen_require(` + attribute init_script_file_type; + ') + + init_labeled_script_domtrans($1, init_script_file_type) +') + +######################################## +## <summary> +## Start and stop daemon programs directly. +## </summary> +## <desc> +## <p> +## Start and stop daemon programs directly +## in the traditional "/etc/init.d/daemon start" +## style, and do not require run_init. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be performing this action. 
+## </summary> +## </param> +# +interface(`init_run_daemon',` + gen_require(` + attribute direct_run_init, direct_init, direct_init_entry; + role system_r; + ') + + typeattribute $1 direct_run_init; + role_transition $2 direct_init_entry system_r; +') + +######################################## +## <summary> +## Read the process state (/proc/pid) of init. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_read_state',` + gen_require(` + attribute init_t; + ') + + allow $1 init_t:dir search_dir_perms; + allow $1 init_t:file read_file_perms; + allow $1 init_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Ptrace init +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`init_ptrace',` + gen_require(` + attribute init_t; + ') + + allow $1 init_t:process ptrace; +') + +######################################## +## <summary> +## Write an init script unnamed pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_write_script_pipes',` + gen_require(` + type initrc_t; + ') + + allow $1 initrc_t:fifo_file write; +') + +######################################## +## <summary> +## Get the attribute of init script entrypoint files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_getattr_script_files',` + gen_require(` + type initrc_exec_t; + ') + + files_list_etc($1) + allow $1 initrc_exec_t:file getattr; +') + +######################################## +## <summary> +## Read init scripts. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`init_read_script_files',` + gen_require(` + type initrc_exec_t; + ') + + files_search_etc($1) + allow $1 initrc_exec_t:file read_file_perms; +') + +######################################## +## <summary> +## Execute init scripts in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_exec_script_files',` + gen_require(` + type initrc_exec_t; + ') + + files_list_etc($1) + can_exec($1, initrc_exec_t) +') + +######################################## +## <summary> +## Get the attribute of all init script entrypoint files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_getattr_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + + files_list_etc($1) + allow $1 init_script_file_type:file getattr; +') + +######################################## +## <summary> +## Read all init script files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_read_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + + files_search_etc($1) + allow $1 init_script_file_type:file read_file_perms; +') + +####################################### +## <summary> +## Dontaudit read all init script files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`init_dontaudit_read_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + + dontaudit $1 init_script_file_type:file read_file_perms; +') + +######################################## +## <summary> +## Execute all init scripts in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`init_exec_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + + files_list_etc($1) + can_exec($1, init_script_file_type) +') + +######################################## +## <summary> +## Read the process state (/proc/pid) of the init scripts. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_read_script_state',` + gen_require(` + type initrc_t; + ') + + kernel_search_proc($1) + ps_process_pattern($1, initrc_t) +') + +######################################## +## <summary> +## Inherit and use init script file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_use_script_fds',` + gen_require(` + type initrc_t; + ') + + allow $1 initrc_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to inherit +## init script file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`init_dontaudit_use_script_fds',` + gen_require(` + type initrc_t; + ') + + dontaudit $1 initrc_t:fd use; +') + +######################################## +## <summary> +## Get the process group ID of init scripts. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_getpgid_script',` + gen_require(` + type initrc_t; + ') + + allow $1 initrc_t:process getpgid; +') + +######################################## +## <summary> +## Send SIGCHLD signals to init scripts. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`init_sigchld_script',` + gen_require(` + type initrc_t; + ') + + allow $1 initrc_t:process sigchld; +') + +######################################## +## <summary> +## Send generic signals to init scripts. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_signal_script',` + gen_require(` + type initrc_t; + ') + + allow $1 initrc_t:process signal; +') + +######################################## +## <summary> +## Send null signals to init scripts. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_signull_script',` + gen_require(` + type initrc_t; + ') + + allow $1 initrc_t:process signull; +') + +######################################## +## <summary> +## Read and write init script unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_rw_script_pipes',` + gen_require(` + type initrc_t; + ') + + allow $1 initrc_t:fifo_file { read write }; +') + +######################################## +## <summary> +## Send UDP network traffic to init scripts. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_udp_send_script',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Allow the specified domain to connect to +## init scripts with a unix socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`init_stream_connect_script',` + gen_require(` + type initrc_t; + ') + + allow $1 initrc_t:unix_stream_socket connectto; +') + +######################################## +## <summary> +## Allow the specified domain to read/write to +## init scripts with a unix domain stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_rw_script_stream_sockets',` + gen_require(` + type initrc_t; + ') + + allow $1 initrc_t:unix_stream_socket rw_socket_perms; +') + +######################################## +## <summary> +## Dont audit the specified domain connecting to +## init scripts with a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`init_dontaudit_stream_connect_script',` + gen_require(` + type initrc_t; + ') + + dontaudit $1 initrc_t:unix_stream_socket connectto; +') +######################################## +## <summary> +## Send messages to init scripts over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_dbus_send_script',` + gen_require(` + type initrc_t; + class dbus send_msg; + ') + + allow $1 initrc_t:dbus send_msg; +') + +######################################## +## <summary> +## Send and receive messages from +## init over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_dbus_chat',` + gen_require(` + type init_t; + class dbus send_msg; + ') + + allow $1 init_t:dbus send_msg; + allow init_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Send and receive messages from +## init scripts over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`init_dbus_chat_script',` + gen_require(` + type initrc_t; + class dbus send_msg; + ') + + allow $1 initrc_t:dbus send_msg; + allow initrc_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Read and write the init script pty. +## </summary> +## <desc> +## <p> +## Read and write the init script pty. This +## pty is generally opened by the open_init_pty +## portion of the run_init program so that the +## daemon does not require direct access to +## the administrator terminal. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_use_script_ptys',` + gen_require(` + type initrc_devpts_t; + ') + + term_list_ptys($1) + allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append }; +') + +######################################## +## <summary> +## Do not audit attempts to read and +## write the init script pty. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`init_dontaudit_use_script_ptys',` + gen_require(` + type initrc_devpts_t; + ') + + dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append }; +') + +######################################## +## <summary> +## Get the attributes of init script +## status files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_getattr_script_status_files',` + gen_require(` + type initrc_state_t; + ') + + getattr_files_pattern($1, initrc_state_t, initrc_state_t) +') + +######################################## +## <summary> +## Manage init script +## status files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`init_manage_script_status_files',` + gen_require(` + type initrc_state_t; + ') + + manage_files_pattern($1, initrc_state_t, initrc_state_t) +') + +######################################## +## <summary> +## Do not audit attempts to read init script +## status files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`init_dontaudit_read_script_status_files',` + gen_require(` + type initrc_state_t; + ') + + dontaudit $1 initrc_state_t:dir search_dir_perms; + dontaudit $1 initrc_state_t:file read_file_perms; +') + +######################################## +## <summary> +## Read init script temporary data. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_read_script_tmp_files',` + gen_require(` + type initrc_tmp_t; + ') + + files_search_tmp($1) + read_files_pattern($1, initrc_tmp_t, initrc_tmp_t) +') + +######################################## +## <summary> +## Read and write init script temporary data. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_rw_script_tmp_files',` + gen_require(` + type initrc_tmp_t; + ') + + files_search_tmp($1) + rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t) +') + +######################################## +## <summary> +## Create files in a init script +## temporary data directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="file_type"> +## <summary> +## The type of the object to be created +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## The object class. 
+## </summary> +## </param> +# +interface(`init_script_tmp_filetrans',` + gen_require(` + type initrc_tmp_t; + ') + + files_search_tmp($1) + filetrans_pattern($1, initrc_tmp_t, $2, $3) +') + +######################################## +## <summary> +## Get the attributes of init script process id files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_getattr_utmp',` + gen_require(` + type initrc_var_run_t; + ') + + allow $1 initrc_var_run_t:file getattr; +') + +######################################## +## <summary> +## Read utmp. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_read_utmp',` + gen_require(` + type initrc_var_run_t; + ') + + files_list_pids($1) + allow $1 initrc_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to write utmp. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`init_dontaudit_write_utmp',` + gen_require(` + type initrc_var_run_t; + ') + + dontaudit $1 initrc_var_run_t:file { write lock }; +') + +######################################## +## <summary> +## Write to utmp. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_write_utmp',` + gen_require(` + type initrc_var_run_t; + ') + + files_list_pids($1) + allow $1 initrc_var_run_t:file { getattr open write }; +') + +######################################## +## <summary> +## Do not audit attempts to lock +## init script pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`init_dontaudit_lock_utmp',` + gen_require(` + type initrc_var_run_t; + ') + + dontaudit $1 initrc_var_run_t:file lock; +') + +######################################## +## <summary> +## Read and write utmp. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_rw_utmp',` + gen_require(` + type initrc_var_run_t; + ') + + files_list_pids($1) + allow $1 initrc_var_run_t:file rw_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read and write utmp. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`init_dontaudit_rw_utmp',` + gen_require(` + type initrc_var_run_t; + ') + + dontaudit $1 initrc_var_run_t:file rw_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete utmp. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_manage_utmp',` + gen_require(` + type initrc_var_run_t; + ') + + files_search_pids($1) + allow $1 initrc_var_run_t:file manage_file_perms; +') + +######################################## +## <summary> +## Create files in /var/run with the +## utmp file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_pid_filetrans_utmp',` + gen_require(` + type initrc_var_run_t; + ') + + files_pid_filetrans($1, initrc_var_run_t, file) +') + +######################################## +## <summary> +## Allow the specified domain to connect to daemon with a tcp socket +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`init_tcp_recvfrom_all_daemons',` + gen_require(` + attribute daemon; + ') + + corenet_tcp_recvfrom_labeled($1, daemon) +') + +######################################## +## <summary> +## Allow the specified domain to connect to daemon with a udp socket +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_udp_recvfrom_all_daemons',` + gen_require(` + attribute daemon; + ') + corenet_udp_recvfrom_labeled($1, daemon) +') + +######################################## +## <summary> +## Transition to system_r when execute an init script +## </summary> +## <desc> +## <p> +## Execute a init script in a specified role +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## </desc> +## <param name="source_role"> +## <summary> +## Role to transition from. +## </summary> +## </param> +# +interface(`init_script_role_transition',` + gen_require(` + attribute init_script_file_type; + ') + + role_transition $1 init_script_file_type system_r; +') + +######################################## +## <summary> +## dontaudit read and write an leaked init scrip file descriptors +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_dontaudit_script_leaks',` + gen_require(` + type initrc_t; + ') + + dontaudit $1 initrc_t:tcp_socket { read write }; + dontaudit $1 initrc_t:udp_socket { read write }; + dontaudit $1 initrc_t:unix_dgram_socket { read write }; + dontaudit $1 initrc_t:unix_stream_socket { read write }; + dontaudit $1 initrc_t:shm rw_shm_perms; + init_dontaudit_use_script_ptys($1) + init_dontaudit_use_script_fds($1) +') + + +######################################## +## <summary> +## Allow the specified domain to connect to +## the init process with a unix socket. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_stream_connect',` + gen_require(` + type init_t; + ') + + allow $1 init_t:unix_stream_socket connectto; +') + +######################################## +## <summary> +## Allow the specified domain to read/write to +## init with a unix domain stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_rw_stream_sockets',` + gen_require(` + type init_t; + ') + + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te new file mode 100644 index 0000000..e90e509 --- /dev/null +++ b/policy/modules/system/init.te 
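Review bot: `init_read_state` and `init_ptrace` list `attribute init_t;` in their gen_require blocks, but init.te declares `type init_t, initrc_transition_domain;` and every other interface in this file that needs it (init_domtrans, init_use_fds, init_dbus_chat, init_stream_connect) requires `type init_t;`; change both to `type init_t;` so the requirement matches the declaration and the module builds against it. Two smaller points in the same hunk: `init_script_role_transition` emits `role_transition $1 init_script_file_type system_r;` without listing `role system_r;` in its gen_require, unlike init_system_domain and init_run_daemon which do; and the description of `init_ranged_system_domain` contradicts itself (the summary says "short running processes", the body says "long running processes (daemons/services)" and then tells long running processes to use init_ranged_system_domain() instead, i.e. itself), so the desc should simply state that this is the MLS/MCS-ranged variant of init_system_domain(). Typo: "init scrip file descriptors" in the init_dontaudit_script_leaks summary.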
@@ -0,0 +1,1133 @@ +policy_module(init, 1.15.3) + +gen_require(` + class passwd rootok; +') + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Enable support for upstart as the init program. +## </p> +## </desc> +gen_tunable(init_upstart, false) + +## <desc> +## <p> +## Enable support for systemd as the init program. +## </p> +## </desc> +gen_tunable(init_systemd, false) + +## <desc> +## <p> +## Allow all daemons the ability to read/write terminals +## </p> +## </desc> +gen_tunable(allow_daemons_use_tty, false) + +## <desc> +## <p> +## Allow all daemons to write corefiles to / +## </p> +## </desc> +gen_tunable(allow_daemons_dump_core, false) + +# used for direct running of init scripts +# by admin domains +attribute direct_run_init; +attribute direct_init; +attribute direct_init_entry; + +attribute init_script_domain_type; +attribute init_script_file_type; +attribute init_run_all_scripts_domain; +attribute initrc_transition_domain; + +# Mark process types as daemons +attribute daemon; + +# +# init_t is the domain of the init process. +# +type init_t, initrc_transition_domain; +type init_exec_t; +domain_type(init_t) +domain_entry_file(init_t, init_exec_t) +kernel_domtrans_to(init_t, init_exec_t) +role system_r types init_t; + +# +# init_var_run_t is the type for /var/run/shutdown.pid. +# +type init_var_run_t; +files_pid_file(init_var_run_t) + +# +# initctl_t is the type of the named pipe created +# by init during initialization. This pipe is used +# to communicate with init. 
+# +type initctl_t; +files_type(initctl_t) +mls_trusted_object(initctl_t) + +type initrc_t, init_script_domain_type, init_run_all_scripts_domain; +type initrc_exec_t, init_script_file_type; +domain_type(initrc_t) +domain_entry_file(initrc_t, initrc_exec_t) +role system_r types initrc_t; +# should be part of the true block +# of the below init_upstart tunable +# but this has a typeattribute in it +corecmd_shell_entry_type(initrc_t) +corecmd_bin_entry_type(initrc_t) + +type initrc_devpts_t; +term_pty(initrc_devpts_t) +files_type(initrc_devpts_t) + +type initrc_state_t; +files_type(initrc_state_t) + +type initrc_tmp_t; +files_tmp_file(initrc_tmp_t) + +type initrc_var_run_t; +files_pid_file(initrc_var_run_t) + +ifdef(`enable_mls',` + kernel_ranged_domtrans_to(init_t, init_exec_t, s0 - mls_systemhigh) +') + +######################################## +# +# Init local policy +# + +# Use capabilities. old rule: +allow init_t self:capability ~{ audit_control audit_write sys_module }; +# is ~sys_module really needed? observed: +# sys_boot +# sys_tty_config +# kill: now provided by domain_kill_all_domains() +# setuid (from /sbin/shutdown) +# sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot() + +allow init_t self:fifo_file rw_fifo_file_perms; + +# Re-exec itself +can_exec(init_t, init_exec_t) + +allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms }; +allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms }; +allow initrc_t init_t:fifo_file rw_fifo_file_perms; + +# For /var/run/shutdown.pid. +allow init_t init_var_run_t:file manage_file_perms; +files_pid_filetrans(init_t, init_var_run_t, file) + +allow init_t initctl_t:fifo_file manage_fifo_file_perms; +dev_filetrans(init_t, initctl_t, fifo_file) + +# Modify utmp. 
+allow init_t initrc_var_run_t:file { rw_file_perms setattr }; + +kernel_read_system_state(init_t) +kernel_share_state(init_t) +kernel_stream_connect(init_t) + +corecmd_exec_chroot(init_t) +corecmd_exec_bin(init_t) + +dev_read_sysfs(init_t) +dev_read_urand(init_t) +# Early devtmpfs +dev_rw_generic_chr_files(init_t) + +domain_getpgid_all_domains(init_t) +domain_kill_all_domains(init_t) +domain_signal_all_domains(init_t) +domain_signull_all_domains(init_t) +domain_sigstop_all_domains(init_t) +domain_sigstop_all_domains(init_t) +domain_sigchld_all_domains(init_t) +domain_read_all_domains_state(init_t) + +files_read_etc_files(init_t) +files_read_all_pids(init_t) +files_rw_generic_pids(init_t) +files_dontaudit_search_isid_type_dirs(init_t) +files_manage_etc_runtime_files(init_t) +files_etc_filetrans_etc_runtime(init_t, file) +# Run /etc/X11/prefdm: +files_exec_etc_files(init_t) +# file descriptors inherited from the rootfs: +files_dontaudit_rw_root_files(init_t) +files_dontaudit_rw_root_chr_files(init_t) + +fs_list_inotifyfs(init_t) +# cjp: this may be related to /dev/log +fs_write_ramfs_sockets(init_t) + +mcs_process_set_categories(init_t) +mcs_killall(init_t) + +mls_file_read_all_levels(init_t) +mls_file_write_all_levels(init_t) +mls_process_write_down(init_t) +mls_fd_use_all_levels(init_t) + +selinux_set_all_booleans(init_t) + +term_use_all_terms(init_t) + +# Run init scripts. 
+init_domtrans_script(init_t) + +libs_rw_ld_so_cache(init_t) + +logging_send_syslog_msg(init_t) +logging_send_audit_msgs(init_t) +logging_rw_generic_logs(init_t) + +seutil_read_config(init_t) + +miscfiles_read_localization(init_t) + +allow init_t self:process setsched; + +ifdef(`distro_gentoo',` + allow init_t self:process { getcap setcap }; +') + +ifdef(`distro_redhat',` + fs_read_tmpfs_symlinks(init_t) + fs_rw_tmpfs_chr_files(init_t) + fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) +') + +tunable_policy(`init_upstart || init_systemd',` + corecmd_shell_domtrans(init_t, initrc_t) +',` + # Run the shell in the sysadm role for single-user mode. + # causes problems with upstart + sysadm_shell_domtrans(init_t) +') + +storage_raw_rw_fixed_disk(init_t) +modutils_domtrans_insmod(init_t) + +tunable_policy(`init_systemd',` + allow init_t self:unix_dgram_socket { create_socket_perms sendto }; + allow init_t self:process { setsockcreate setfscreate }; + allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow init_t self:netlink_kobject_uevent_socket create_socket_perms; + # Until systemd is fixed + allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }; + allow init_t self:netlink_route_socket create_netlink_socket_perms; + + kernel_list_unlabeled(init_t) + kernel_read_network_state(init_t) + kernel_unmount_debugfs(init_t) + + dev_write_kmsg(init_t) + dev_rw_autofs(init_t) + dev_manage_generic_dirs(init_t) + dev_manage_generic_files(init_t) + dev_read_generic_chr_files(init_t) + dev_relabelfrom_generic_chr_files(init_t) + dev_relabel_autofs_dev(init_t) + dev_manage_sysfs_dirs(init_t) + + files_mounton_all_mountpoints(init_t) + files_manage_all_pids_dirs(init_t) + + fs_manage_cgroup_dirs(init_t) + fs_manage_hugetlbfs_dirs(init_t) + fs_manage_tmpfs_dirs(init_t) + fs_mount_all_fs(init_t) + fs_list_auto_mountpoints(init_t) + fs_read_cgroup_files(init_t) + fs_write_cgroup_files(init_t) + fs_search_cgroup_dirs(daemon) + + 
selinux_compute_create_context(init_t) + selinux_validate_context(init_t) + selinux_unmount_fs(init_t) + + storage_getattr_removable_dev(init_t) + + init_read_script_state(init_t) + + seutil_read_file_contexts(init_t) +') + +optional_policy(` + auth_rw_login_records(init_t) +') + +optional_policy(` + consolekit_manage_log(init_t) +') + +optional_policy(` + dbus_connect_system_bus(init_t) + dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) +') + +optional_policy(` + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) +') + +optional_policy(` + nscd_socket_use(init_t) +') + +optional_policy(` + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) +') + +optional_policy(` + sssd_stream_connect(init_t) +') + +optional_policy(` + udev_read_db(init_t) +') + +optional_policy(` + unconfined_domain(init_t) +') + +######################################## +# +# Init script local policy +# + +allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; +allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module }; +dontaudit initrc_t self:capability sys_module; # sysctl is triggering this +allow initrc_t self:passwd rootok; +allow initrc_t self:key manage_key_perms; + +# Allow IPC with self +allow initrc_t self:unix_dgram_socket create_socket_perms; +allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto }; +allow initrc_t self:tcp_socket create_stream_socket_perms; +allow initrc_t self:udp_socket create_socket_perms; +allow initrc_t self:fifo_file rw_file_perms; + +allow initrc_t initrc_devpts_t:chr_file rw_term_perms; +term_create_pty(initrc_t, initrc_devpts_t) + +# Going to single user 
mode +init_telinit(initrc_t) + +can_exec(initrc_t, init_script_file_type) + +domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t) + +manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t) +manage_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +manage_lnk_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) + +allow initrc_t initrc_var_run_t:file manage_file_perms; +files_pid_filetrans(initrc_t, initrc_var_run_t, file) +files_manage_generic_pids_symlinks(initrc_t) + +can_exec(initrc_t, initrc_tmp_t) +manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) +manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) +manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) +files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir }) + +init_write_initctl(initrc_t) + +kernel_read_system_state(initrc_t) +kernel_read_software_raid_state(initrc_t) +kernel_read_network_state(initrc_t) +kernel_read_ring_buffer(initrc_t) +kernel_change_ring_buffer_level(initrc_t) +kernel_clear_ring_buffer(initrc_t) +kernel_get_sysvipc_info(initrc_t) +kernel_read_all_sysctls(initrc_t) +kernel_request_load_module(initrc_t) +kernel_rw_all_sysctls(initrc_t) +# for lsof which is used by alsa shutdown: +kernel_dontaudit_getattr_message_if(initrc_t) +kernel_stream_connect(initrc_t) +files_read_kernel_modules(initrc_t) +files_read_config_files(initrc_t) +files_read_var_lib_symlinks(initrc_t) +files_setattr_pid_dirs(initrc_t) + +files_read_kernel_symbol_table(initrc_t) +files_exec_etc_files(initrc_t) +files_manage_etc_symlinks(initrc_t) +files_manage_system_conf_files(initrc_t) + +fs_manage_tmpfs_dirs(initrc_t) +fs_tmpfs_filetrans(initrc_t, initrc_state_t, file) + +corecmd_exec_all_executables(initrc_t) + +corenet_all_recvfrom_unlabeled(initrc_t) +corenet_all_recvfrom_netlabel(initrc_t) +corenet_tcp_sendrecv_all_if(initrc_t) +corenet_udp_sendrecv_all_if(initrc_t) 
+corenet_tcp_sendrecv_all_nodes(initrc_t) +corenet_udp_sendrecv_all_nodes(initrc_t) +corenet_tcp_sendrecv_all_ports(initrc_t) +corenet_udp_sendrecv_all_ports(initrc_t) +corenet_tcp_connect_all_ports(initrc_t) +corenet_sendrecv_all_client_packets(initrc_t) + +dev_read_rand(initrc_t) +dev_read_urand(initrc_t) +dev_write_kmsg(initrc_t) +dev_write_rand(initrc_t) +dev_write_urand(initrc_t) +dev_rw_sysfs(initrc_t) +dev_list_usbfs(initrc_t) +dev_read_framebuffer(initrc_t) +dev_write_framebuffer(initrc_t) +dev_read_realtime_clock(initrc_t) +dev_read_sound_mixer(initrc_t) +dev_write_sound_mixer(initrc_t) +dev_setattr_all_chr_files(initrc_t) +dev_rw_lvm_control(initrc_t) +dev_rw_generic_chr_files(initrc_t) +dev_delete_lvm_control_dev(initrc_t) +dev_manage_generic_symlinks(initrc_t) +dev_manage_generic_files(initrc_t) +# Wants to remove udev.tbl: +dev_delete_generic_symlinks(initrc_t) +dev_getattr_all_blk_files(initrc_t) +dev_getattr_all_chr_files(initrc_t) +dev_rw_xserver_misc(initrc_t) + +domain_kill_all_domains(initrc_t) +domain_signal_all_domains(initrc_t) +domain_signull_all_domains(initrc_t) +domain_sigstop_all_domains(initrc_t) +domain_sigstop_all_domains(initrc_t) +domain_sigchld_all_domains(initrc_t) +domain_read_all_domains_state(initrc_t) +domain_getattr_all_domains(initrc_t) +domain_dontaudit_ptrace_all_domains(initrc_t) +domain_getsession_all_domains(initrc_t) +domain_use_interactive_fds(initrc_t) +# for lsof which is used by alsa shutdown: +domain_dontaudit_getattr_all_udp_sockets(initrc_t) +domain_dontaudit_getattr_all_tcp_sockets(initrc_t) +domain_dontaudit_getattr_all_dgram_sockets(initrc_t) +domain_dontaudit_getattr_all_pipes(initrc_t) + +files_getattr_all_dirs(initrc_t) +files_getattr_all_files(initrc_t) +files_getattr_all_symlinks(initrc_t) +files_getattr_all_pipes(initrc_t) +files_getattr_all_sockets(initrc_t) +files_purge_tmp(initrc_t) +files_manage_all_locks(initrc_t) +files_manage_boot_files(initrc_t) +files_read_all_pids(initrc_t) 
+files_delete_root_files(initrc_t) +files_delete_all_pids(initrc_t) +files_delete_all_pid_dirs(initrc_t) +files_read_etc_files(initrc_t) +files_manage_etc_runtime_files(initrc_t) +files_etc_filetrans_etc_runtime(initrc_t, file) +files_exec_etc_files(initrc_t) +files_read_usr_files(initrc_t) +files_manage_urandom_seed(initrc_t) +files_manage_generic_spool(initrc_t) +# Mount and unmount file systems. +# cjp: not sure why these are here; should use mount policy +files_list_isid_type_dirs(initrc_t) +files_mounton_isid_type_dirs(initrc_t) +files_list_default(initrc_t) +files_mounton_default(initrc_t) +files_manage_mnt_dirs(initrc_t) +files_manage_mnt_files(initrc_t) + +fs_delete_cgroup_dirs(initrc_t) +fs_list_cgroup_dirs(initrc_t) +fs_rw_cgroup_files(initrc_t) +fs_list_inotifyfs(initrc_t) +fs_register_binary_executable_type(initrc_t) +# rhgb-console writes to ramfs +fs_write_ramfs_pipes(initrc_t) +# cjp: not sure why these are here; should use mount policy +fs_mount_all_fs(initrc_t) +fs_unmount_all_fs(initrc_t) +fs_remount_all_fs(initrc_t) +fs_getattr_all_fs(initrc_t) +fs_search_all(initrc_t) +fs_getattr_nfsd_files(initrc_t) + +# initrc_t needs to do a pidof which requires ptrace +mcs_ptrace_all(initrc_t) +mcs_killall(initrc_t) +mcs_process_set_categories(initrc_t) + +mls_file_read_all_levels(initrc_t) +mls_file_write_all_levels(initrc_t) +mls_process_read_up(initrc_t) +mls_process_write_down(initrc_t) +mls_rangetrans_source(initrc_t) +mls_fd_share_all_levels(initrc_t) +mls_socket_write_to_clearance(initrc_t) + +selinux_get_enforce_mode(initrc_t) + +storage_getattr_fixed_disk_dev(initrc_t) +storage_setattr_fixed_disk_dev(initrc_t) +storage_setattr_removable_dev(initrc_t) + +term_use_all_terms(initrc_t) +term_reset_tty_labels(initrc_t) + +auth_rw_login_records(initrc_t) +auth_setattr_login_records(initrc_t) +auth_rw_lastlog(initrc_t) +auth_read_pam_pid(initrc_t) +auth_delete_pam_pid(initrc_t) +auth_delete_pam_console_data(initrc_t) +auth_use_nsswitch(initrc_t) 
+auth_manage_faillog(initrc_t) + +libs_rw_ld_so_cache(initrc_t) +libs_exec_lib_files(initrc_t) +libs_exec_ld_so(initrc_t) + +logging_send_audit_msgs(initrc_t) +logging_send_syslog_msg(initrc_t) +logging_manage_generic_logs(initrc_t) +logging_read_all_logs(initrc_t) +logging_append_all_logs(initrc_t) +logging_read_audit_config(initrc_t) + +miscfiles_read_localization(initrc_t) +# slapd needs to read cert files from its initscript +miscfiles_manage_generic_cert_files(initrc_t) + +modutils_read_module_config(initrc_t) +modutils_domtrans_insmod(initrc_t) + +seutil_read_config(initrc_t) + +userdom_read_admin_home_files(initrc_t) +userdom_read_user_home_content_files(initrc_t) +# Allow access to the sysadm TTYs. Note that this will give access to the +# TTYs to any process in the initrc_t domain. Therefore, daemons and such +# started from init should be placed in their own domain. +userdom_use_user_terminals(initrc_t) + +ifdef(`distro_debian',` + dev_setattr_generic_dirs(initrc_t) + + fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir) + + # for storing state under /dev/shm + fs_setattr_tmpfs_dirs(initrc_t) + storage_manage_fixed_disk(initrc_t) + storage_tmpfs_filetrans_fixed_disk(initrc_t) + + files_setattr_etc_dirs(initrc_t) +') + +ifdef(`distro_gentoo',` + kernel_dontaudit_getattr_core_if(initrc_t) + + # seed udev /dev + allow initrc_t self:process setfscreate; + dev_create_null_dev(initrc_t) + dev_create_zero_dev(initrc_t) + dev_create_generic_dirs(initrc_t) + term_create_console_dev(initrc_t) + + # unfortunately /sbin/rc does stupid tricks + # with /dev/.rcboot to decide if we are in + # early init + dev_create_generic_dirs(initrc_t) + dev_delete_generic_dirs(initrc_t) + + # allow bootmisc to create /var/lock/.keep. 
+ files_manage_generic_locks(initrc_t) + + # openrc uses tmpfs for its state data + fs_tmpfs_filetrans(initrc_t, initrc_state_t, { dir file fifo_file lnk_file }) + + # init scripts touch this + clock_dontaudit_write_adjtime(initrc_t) + + logging_send_audit_msgs(initrc_t) + + # for integrated run_init to read run_init_type. + # happens during boot (/sbin/rc execs init scripts) + seutil_read_default_contexts(initrc_t) + + # /lib/rcscripts/net/system.sh rewrites resolv.conf :( + sysnet_create_config(initrc_t) + sysnet_write_config(initrc_t) + sysnet_setattr_config(initrc_t) + + optional_policy(` + arpwatch_manage_data_files(initrc_t) + ') + + optional_policy(` + dhcpd_setattr_state_files(initrc_t) + ') +') + +ifdef(`distro_redhat',` + # this is from kmodule, which should get its own policy: + allow initrc_t self:capability sys_admin; + + allow initrc_t self:process setfscreate; + + # Red Hat systems seem to have a stray + # fd open from the initrd + kernel_use_fds(initrc_t) + files_dontaudit_read_root_files(initrc_t) + + # These seem to be from the initrd + # during device initialization: + dev_create_generic_dirs(initrc_t) + dev_rwx_zero(initrc_t) + dev_rx_raw_memory(initrc_t) + dev_wx_raw_memory(initrc_t) + storage_raw_read_fixed_disk(initrc_t) + storage_raw_write_fixed_disk(initrc_t) + + files_create_boot_dirs(initrc_t) + files_create_boot_flag(initrc_t) + files_rw_boot_symlinks(initrc_t) + # wants to read /.fonts directory + files_read_default_files(initrc_t) + files_mountpoint(initrc_tmp_t) + # Needs to cp localtime to /var dirs + files_write_var_dirs(initrc_t) + + fs_read_tmpfs_symlinks(initrc_t) + fs_rw_tmpfs_chr_files(initrc_t) + + storage_manage_fixed_disk(initrc_t) + storage_dev_filetrans_fixed_disk(initrc_t) + storage_getattr_removable_dev(initrc_t) + + # readahead asks for these + auth_dontaudit_read_shadow(initrc_t) + + # init scripts cp /etc/localtime over other directories localtime + miscfiles_rw_localization(initrc_t) + 
miscfiles_setattr_localization(initrc_t) + miscfiles_relabel_localization(initrc_t) + + miscfiles_read_fonts(initrc_t) + miscfiles_read_hwdata(initrc_t) + + optional_policy(` + alsa_manage_rw_config(initrc_t) + ') + + optional_policy(` + bind_manage_config_dirs(initrc_t) + bind_write_config(initrc_t) + bind_setattr_zone_dirs(initrc_t) + ') + + optional_policy(` + gnome_manage_gconf_config(initrc_t) + ') + + optional_policy(` + ldap_read_db_files(initrc_t) + ') + + optional_policy(` + pulseaudio_stream_connect(initrc_t) + ') + + optional_policy(` + #for /etc/rc.d/init.d/nfs to create /etc/exports + rpc_write_exports(initrc_t) + rpc_manage_nfs_state_data(initrc_t) + ') + optional_policy(` + rpcbind_stream_connect(initrc_t) + ') + + optional_policy(` + sysnet_rw_dhcp_config(initrc_t) + sysnet_manage_config(initrc_t) + sysnet_manage_dhcpc_state(initrc_t) + sysnet_relabelfrom_dhcpc_state(initrc_t) + sysnet_relabelfrom_net_conf(initrc_t) + sysnet_relabelto_net_conf(initrc_t) + ') + + optional_policy(` + xserver_delete_log(initrc_t) + ') +') + +ifdef(`distro_suse',` + optional_policy(` + # set permissions on /tmp/.X11-unix + xserver_setattr_xdm_tmp_dirs(initrc_t) + ') +') + +domain_dontaudit_use_interactive_fds(daemon) + +userdom_dontaudit_list_admin_dir(daemon) +userdom_dontaudit_search_user_tmp(daemon) + +tunable_policy(`allow_daemons_use_tty',` + term_use_unallocated_ttys(daemon) + term_use_generic_ptys(daemon) + term_use_all_ttys(daemon) + term_use_all_ptys(daemon) +',` + term_dontaudit_use_unallocated_ttys(daemon) + term_dontaudit_use_generic_ptys(daemon) + term_dontaudit_use_all_ttys(daemon) + term_dontaudit_use_all_ptys(daemon) + ') + +# system-config-services causes avc messages that should be dontaudited +tunable_policy(`allow_daemons_dump_core',` + files_manage_root_files(daemon) +') + +optional_policy(` + unconfined_dontaudit_rw_pipes(daemon) + unconfined_dontaudit_rw_stream(daemon) + userdom_dontaudit_read_user_tmp_files(daemon) + 
userdom_dontaudit_write_user_tmp_files(daemon) +') + +optional_policy(` + amavis_search_lib(initrc_t) + amavis_setattr_pid_files(initrc_t) +') + +optional_policy(` + dev_rw_apm_bios(initrc_t) +') + +optional_policy(` + apache_read_config(initrc_t) + apache_list_modules(initrc_t) + # webmin seems to cause this. + apache_search_sys_content(daemon) +') + +optional_policy(` + bind_read_config(initrc_t) + + # for chmod in start script + bind_setattr_pid_dirs(initrc_t) +') + +optional_policy(` + dev_read_usbfs(initrc_t) + bluetooth_read_config(initrc_t) +') + +optional_policy(` + cgroup_stream_connect_cgred(initrc_t) + domain_setpriority_all_domains(initrc_t) +') + +optional_policy(` + clamav_read_config(initrc_t) +') + +optional_policy(` + cpucontrol_stub(initrc_t) + dev_getattr_cpu_dev(initrc_t) +') + +optional_policy(` + chronyd_append_keys(initrc_t) + chronyd_read_keys(initrc_t) +') + +optional_policy(` + dev_getattr_printer_dev(initrc_t) + + cups_read_log(initrc_t) + cups_read_rw_config(initrc_t) +#cups init script clears error log + cups_write_log(initrc_t) +') + +optional_policy(` + daemontools_manage_svc(initrc_t) +') + +optional_policy(` + dbus_connect_system_bus(initrc_t) + dbus_system_bus_client(initrc_t) + dbus_read_config(initrc_t) + dbus_manage_lib_files(initrc_t) + + init_dbus_chat(initrc_t) + + optional_policy(` + consolekit_dbus_chat(initrc_t) + ') + + optional_policy(` + networkmanager_dbus_chat(initrc_t) + ') + + optional_policy(` + policykit_dbus_chat(initrc_t) + ') +') + +optional_policy(` + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. 
+ dovecot_dontaudit_unlink_lib_files(initrc_t) +') + +optional_policy(` + ftp_read_config(initrc_t) +') + +optional_policy(` + gpm_setattr_gpmctl(initrc_t) +') + +optional_policy(` + hal_write_log(initrc_t) +') + +optional_policy(` + dev_read_usbfs(initrc_t) + + # init scripts run /etc/hotplug/usb.rc + hotplug_read_config(initrc_t) + + modutils_read_module_deps(initrc_t) +') + +optional_policy(` + inn_exec_config(initrc_t) +') + +optional_policy(` + ipsec_read_config(initrc_t) + ipsec_manage_pid(initrc_t) +') + +optional_policy(` + iscsi_stream_connect(initrc_t) + iscsi_read_lib_files(initrc_t) +') + +optional_policy(` + kerberos_use(initrc_t) +') + +optional_policy(` + ldap_read_config(initrc_t) + ldap_list_db(initrc_t) +') + +optional_policy(` + loadkeys_exec(initrc_t) +') + +optional_policy(` + # in emergency/recovery situations use sulogin + locallogin_domtrans_sulogin(initrc_t) +') + +optional_policy(` + # This is needed to permit chown to read /var/spool/lpd/lp. + # This is opens up security more than necessary; this means that ANYTHING + # running in the initrc_t domain can read the printer spool directory. + # Perhaps executing /etc/rc.d/init.d/lpd should transition + # to domain lpd_t, instead of waiting for executing lpd. 
+ lpd_list_spool(initrc_t) + + lpd_read_config(initrc_t) +') + +optional_policy(` + #allow initrc_t lvm_control_t:chr_file unlink; + + dev_read_lvm_control(initrc_t) + dev_create_generic_chr_files(initrc_t) + + lvm_read_config(initrc_t) +') + +optional_policy(` + mailman_list_data(initrc_t) + mailman_read_data_symlinks(initrc_t) +') + +optional_policy(` + milter_delete_dkim_pid_files(initrc_t) + milter_setattr_all_dirs(initrc_t) +') + +optional_policy(` + mta_read_config(initrc_t) + mta_write_config(initrc_t) + mta_dontaudit_read_spool_symlinks(initrc_t) +') + +optional_policy(` + ifdef(`distro_redhat',` + mysql_manage_db_dirs(initrc_t) + ') + + mysql_stream_connect(initrc_t) + mysql_write_log(initrc_t) + mysql_read_config(initrc_t) +') + +optional_policy(` + nis_list_var_yp(initrc_t) +') + +optional_policy(` + openvpn_read_config(initrc_t) +') + +optional_policy(` + plymouthd_stream_connect(initrc_t) +') + +optional_policy(` + postgresql_manage_db(initrc_t) + postgresql_read_config(initrc_t) +') + +optional_policy(` + postfix_list_spool(initrc_t) +') + +optional_policy(` + puppet_rw_tmp(initrc_t) +') + +optional_policy(` + quota_manage_flags(initrc_t) +') + +optional_policy(` + raid_manage_mdadm_pid(initrc_t) +') + +optional_policy(` + ricci_manage_lib_files(initrc_t) +') + +optional_policy(` + fs_write_ramfs_sockets(initrc_t) + fs_search_ramfs(initrc_t) + + rhgb_rw_stream_sockets(initrc_t) + rhgb_stream_connect(initrc_t) +') + +optional_policy(` + rpc_read_exports(initrc_t) +') + +optional_policy(` + # bash tries to access a block device in the initrd + kernel_dontaudit_getattr_unlabeled_blk_files(initrc_t) + + # for a bug in rm + files_dontaudit_write_all_pids(initrc_t) + + # bash tries ioctl for some reason + files_dontaudit_ioctl_all_pids(initrc_t) + +') + +optional_policy(` + samba_rw_config(initrc_t) + samba_read_winbind_pid(initrc_t) +') + +optional_policy(` + # shorewall-init script run /var/lib/shorewall/firewall + shorewall_domtrans_lib(initrc_t) +') + 
+optional_policy(` + squid_read_config(initrc_t) + squid_manage_logs(initrc_t) +') + +ifdef(`enabled_mls',` +optional_policy(` + # allow init scripts to su + su_restricted_domain_template(initrc, initrc_t, system_r) +') +') + +optional_policy(` + ssh_dontaudit_read_server_keys(initrc_t) + ssh_setattr_key_files(initrc_t) +') + +optional_policy(` + sysnet_read_dhcpc_state(initrc_t) +') + +optional_policy(` + udev_rw_db(initrc_t) + udev_manage_pid_files(initrc_t) + udev_manage_rules_files(initrc_t) +') + +optional_policy(` + uml_setattr_util_sockets(initrc_t) +') + +optional_policy(` + virt_manage_cache(initrc_t) + virt_manage_lib_files(initrc_t) +') + +# Cron jobs used to start and stop services +optional_policy(` + cron_rw_pipes(daemon) + cron_rw_inherited_user_spool_files(daemon) +') + +optional_policy(` + unconfined_domain(initrc_t) + domain_role_change_exemption(initrc_t) + + ifdef(`distro_redhat',` + # system-config-services causes avc messages that should be dontaudited + unconfined_dontaudit_rw_pipes(daemon) + ') + + optional_policy(` + mono_domtrans(initrc_t) + ') + + # Allow SELinux aware applications to request rpm_script_t execution + rpm_transition_script(initrc_t) + + + optional_policy(` + gen_require(` + type unconfined_execmem_t, execmem_exec_t; + ') + init_system_domain(unconfined_execmem_t, execmem_exec_t) + ') + + optional_policy(` + rtkit_scheduled(initrc_t) + ') +') + +optional_policy(` + rpm_delete_db(initrc_t) +') + +optional_policy(` + vmware_read_system_config(initrc_t) + vmware_append_system_config(initrc_t) +') + +optional_policy(` + miscfiles_manage_fonts(initrc_t) + + # cjp: is this really needed? + xfs_read_sockets(initrc_t) +') + +optional_policy(` + # Set device ownerships/modes. 
+ xserver_setattr_console_pipes(initrc_t) + + # init script wants to check if it needs to update windowmanagerlist + xserver_read_xdm_rw_config(initrc_t) +') + +optional_policy(` + zebra_read_config(initrc_t) +') + +userdom_inherit_append_user_home_content_files(daemon) +userdom_inherit_append_user_tmp_files(daemon) +userdom_dontaudit_rw_stream(daemon) + +logging_append_all_logs(daemon) + +optional_policy(` + # sudo service restart causes this + unconfined_signull(daemon) +') + + +optional_policy(` + xserver_dontaudit_append_xdm_home_files(daemon) + tunable_policy(`use_nfs_home_dirs',` + fs_dontaudit_rw_nfs_files(daemon) + ') + tunable_policy(`use_samba_home_dirs',` + fs_dontaudit_rw_cifs_files(daemon) + ') +') + +init_rw_script_stream_sockets(daemon) + +optional_policy(` + fail2ban_read_lib_files(daemon) +') + +init_rw_stream_sockets(daemon) + +ifdef(`hide_broken_symptoms',` +optional_policy(` +gen_require(` + type system_dbusd_var_run_t; + type fsadm_t; + type avahi_var_run_t; +') + +fs_list_auto_mountpoints(fsadm_t) + +fs_list_auto_mountpoints(lvm_t) +fs_list_hugetlbfs(lvm_t) + +allow init_t avahi_var_run_t:dir { write add_name }; +allow init_t avahi_var_run_t:sock_file create; + +allow init_t system_dbusd_var_run_t:dir { write add_name }; +allow init_t system_dbusd_var_run_t:sock_file create; + +') +') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc new file mode 100644 index 0000000..942bea1 --- /dev/null +++ b/policy/modules/system/ipsec.fc 
@@ -0,0 +1,46 @@ +/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) +/etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) + +/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) +/etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0) + +/etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) +/etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) + +/etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) + +/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) + +/usr/lib(64)?/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +/usr/lib(64)?/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +/usr/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) + +/usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +/usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +/usr/libexec/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) + +/usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/local/lib(64)?/ipsec/pluto -- 
gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) + +/usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) +/usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) + +/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) + +/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0) + +/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) + +/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) +/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if new file mode 100644 index 0000000..cba1b30 --- /dev/null +++ b/policy/modules/system/ipsec.if 
@@ -0,0 +1,371 @@ +## <summary>TCP/IP encryption</summary> + +######################################## +## <summary> +## Execute ipsec in the ipsec domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ipsec_domtrans',` + gen_require(` + type ipsec_t, ipsec_exec_t; + ') + + domtrans_pattern($1, ipsec_exec_t, ipsec_t) +') + +######################################## +## <summary> +## Execute ipsec in the ipsec mgmt domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ipsec_domtrans_mgmt',` + gen_require(` + type ipsec_mgmt_t, ipsec_mgmt_exec_t; + ') + + domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t) +') + +######################################## +## <summary> +## Connect to IPSEC using a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ipsec_stream_connect',` + gen_require(` + type ipsec_t, ipsec_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) +') + +######################################## +## <summary> +## Connect to racoon using a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ipsec_stream_connect_racoon',` + gen_require(` + type racoon_t, ipsec_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, racoon_t) +') + +######################################## +## <summary> +## Get the attributes of an IPSEC key socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`ipsec_getattr_key_sockets',` + gen_require(` + type ipsec_t; + ') + + allow $1 ipsec_t:key_socket getattr; +') + +######################################## +## <summary> +## Execute the IPSEC management program in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ipsec_exec_mgmt',` + gen_require(` + type ipsec_exec_t; + ') + + can_exec($1, ipsec_exec_t) +') + +######################################## +## <summary> +## Read the IPSEC configuration +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`ipsec_read_config',` + gen_require(` + type ipsec_conf_file_t; + ') + + files_search_etc($1) + allow $1 ipsec_conf_file_t:file read_file_perms; +') + +######################################## +## <summary> +## Match the default SPD entry. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ipsec_match_default_spd',` + gen_require(` + type ipsec_spd_t; + ') + + allow $1 ipsec_spd_t:association polmatch; + allow $1 self:association sendto; +') + +######################################## +## <summary> +## Set the context of a SPD entry to +## the default context. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ipsec_setcontext_default_spd',` + gen_require(` + type ipsec_spd_t; + ') + + allow $1 ipsec_spd_t:association setcontext; +') + +######################################## +## <summary> +## write the ipsec_var_run_t files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`ipsec_write_pid',` + gen_require(` + type ipsec_var_run_t; + ') + + files_search_pids($1) + write_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) +') + +######################################## +## <summary> +## Create, read, write, and delete the IPSEC pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ipsec_manage_pid',` + gen_require(` + type ipsec_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) +') + +######################################## +## <summary> +## Execute racoon in the racoon domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ipsec_domtrans_racoon',` + gen_require(` + type racoon_t, racoon_exec_t; + ') + + domtrans_pattern($1, racoon_exec_t, racoon_t) +') + +######################################## +## <summary> +## Execute racoon and allow the specified role the domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`ipsec_run_racoon',` + gen_require(` + type racoon_t; + ') + + ipsec_domtrans_racoon($1) + role $2 types racoon_t; +') + +######################################## +## <summary> +## Execute setkey in the setkey domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`ipsec_domtrans_setkey',` + gen_require(` + type setkey_t, setkey_exec_t; + ') + + domtrans_pattern($1, setkey_exec_t, setkey_t) +') + +######################################## +## <summary> +## Execute setkey and allow the specified role the domains. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access.. +## </summary> +## </param> +## <rolecap/> +# +interface(`ipsec_run_setkey',` + gen_require(` + type setkey_t; + ') + + ipsec_domtrans_setkey($1) + role $2 types setkey_t; +') + +######################################## +## <summary> +## Send ipsec mgmt a signal +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# +interface(`ipsec_signal_mgmt',` + gen_require(` + type ipsec_mgmt_t; + ') + + allow $1 ipsec_mgmt_t:process signal; +') + +######################################## +## <summary> +## Send ipsec mgmt a signull +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# +interface(`ipsec_signull_mgmt',` + gen_require(` + type ipsec_mgmt_t; + ') + + allow $1 ipsec_mgmt_t:process signull; +') + +######################################## +## <summary> +## Send ipsec mgmt a kill signal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# +interface(`ipsec_kill_mgmt',` + gen_require(` + type ipsec_mgmt_t; + ') + + allow $1 ipsec_mgmt_t:process sigkill; +') + +###################################### +## <summary> +## Send and receive messages from +## ipsec-mgmt over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ipsec_mgmt_dbus_chat',` + gen_require(` + type ipsec_mgmt_t; + class dbus send_msg; + ') + + allow $1 ipsec_mgmt_t:dbus send_msg; + allow ipsec_mgmt_t $1:dbus send_msg; +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te new file mode 100644 index 0000000..6de1ab4 --- /dev/null +++ b/policy/modules/system/ipsec.te 
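Review bot: the role parameter summary of `ipsec_run_setkey` reads "Role allowed access.." with a doubled period, and its interface summary says "allow the specified role the domains" although the body only adds `role $2 types setkey_t;`; `ipsec_run_racoon` just above says "the domain", so use the singular here too. `ipsec_write_pid` is summarised as "write the ipsec_var_run_t files." in lowercase and by type name, while the neighbouring `ipsec_manage_pid` says "Create, read, write, and delete the IPSEC pid files."; "Write the IPSEC pid files." keeps the generated docs consistent. The three signal interfaces (`ipsec_signal_mgmt`, `ipsec_signull_mgmt`, `ipsec_kill_mgmt`) each carry a stray second `#` line between `</param>` and `interface(` that no other interface in the file has. Finally, `ipsec_match_default_spd` also grants `allow $1 self:association sendto;`, which its summary ("Match the default SPD entry.") does not mention; say so, since callers get more than a polmatch.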
@@ -0,0 +1,464 @@ +policy_module(ipsec, 1.11.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow racoon to read shadow +## </p> +## </desc> +gen_tunable(racoon_read_shadow, false) + +type ipsec_t; +type ipsec_exec_t; +init_daemon_domain(ipsec_t, ipsec_exec_t) +role system_r types ipsec_t; + +# type for ipsec configuration file(s) - not for keys +type ipsec_conf_file_t; +files_type(ipsec_conf_file_t) + +type ipsec_initrc_exec_t; +init_script_file(ipsec_initrc_exec_t) + +# type for file(s) containing ipsec keys - RSA or preshared +type ipsec_key_file_t; +files_type(ipsec_key_file_t) + +type ipsec_log_t; +logging_log_file(ipsec_log_t) + +# Default type for IPSEC SPD entries +type ipsec_spd_t; + +type ipsec_tmp_t; +files_tmp_file(ipsec_tmp_t) + +# type for runtime files, including pluto.ctl +type ipsec_var_run_t; +files_pid_file(ipsec_var_run_t) + +type ipsec_mgmt_t; +type ipsec_mgmt_exec_t; +init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) +corecmd_shell_entry_type(ipsec_mgmt_t) +role system_r types ipsec_mgmt_t; + +type ipsec_mgmt_lock_t; +files_lock_file(ipsec_mgmt_lock_t) + +type ipsec_mgmt_var_run_t; +files_pid_file(ipsec_mgmt_var_run_t) + +type racoon_t; +type racoon_exec_t; +init_daemon_domain(racoon_t, racoon_exec_t) +role system_r types racoon_t; + +type racoon_tmp_t; +files_tmp_file(racoon_tmp_t) + +type setkey_t; +type setkey_exec_t; +init_system_domain(setkey_t, setkey_exec_t) +role system_r types setkey_t; + +######################################## +# +# ipsec Local policy +# + +allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; +dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; +allow ipsec_t self:process { getcap setcap getsched signal setsched }; +allow ipsec_t self:tcp_socket create_stream_socket_perms; +allow ipsec_t self:udp_socket create_socket_perms; +allow ipsec_t self:key_socket create_socket_perms; +allow ipsec_t self:fifo_file 
read_fifo_file_perms; +allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; + +allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; + +allow ipsec_t ipsec_conf_file_t:dir list_dir_perms; +read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) +read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) + +allow ipsec_t ipsec_key_file_t:dir list_dir_perms; +manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) +read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) + +manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) +manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) +files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file }) + +manage_dirs_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) +manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) +manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) +files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file }) + +can_exec(ipsec_t, ipsec_mgmt_exec_t) + +# pluto runs an updown script (by calling popen()!) as this is by default +# a shell script, we need to find a way to make things work without +# letting all sorts of stuff possibly be run... 
+# so try flipping back into the ipsec_mgmt_t domain +corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) +allow ipsec_mgmt_t ipsec_t:fd use; +allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; +allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; +allow ipsec_mgmt_t ipsec_t:process sigchld; + +kernel_read_kernel_sysctls(ipsec_t) +kernel_list_proc(ipsec_t) +kernel_read_proc_symlinks(ipsec_t) +# allow pluto to access /proc/net/ipsec_eroute; +kernel_read_system_state(ipsec_t) +kernel_read_network_state(ipsec_t) +kernel_read_software_raid_state(ipsec_t) +kernel_request_load_module(ipsec_t) +kernel_getattr_core_if(ipsec_t) +kernel_getattr_message_if(ipsec_t) + +corecmd_exec_shell(ipsec_t) +corecmd_exec_bin(ipsec_t) + +# Pluto needs network access +corenet_all_recvfrom_unlabeled(ipsec_t) +corenet_tcp_sendrecv_all_if(ipsec_t) +corenet_raw_sendrecv_all_if(ipsec_t) +corenet_tcp_sendrecv_all_nodes(ipsec_t) +corenet_raw_sendrecv_all_nodes(ipsec_t) +corenet_tcp_sendrecv_all_ports(ipsec_t) +corenet_tcp_bind_all_nodes(ipsec_t) +corenet_udp_bind_all_nodes(ipsec_t) +corenet_tcp_bind_reserved_port(ipsec_t) +corenet_tcp_bind_isakmp_port(ipsec_t) +corenet_udp_bind_isakmp_port(ipsec_t) +corenet_udp_bind_ipsecnat_port(ipsec_t) +corenet_sendrecv_generic_server_packets(ipsec_t) +corenet_sendrecv_isakmp_server_packets(ipsec_t) + +dev_read_sysfs(ipsec_t) +dev_read_rand(ipsec_t) +dev_read_urand(ipsec_t) + +domain_use_interactive_fds(ipsec_t) + +files_list_tmp(ipsec_t) +files_read_etc_files(ipsec_t) +files_read_usr_files(ipsec_t) +files_dontaudit_search_home(ipsec_t) + +fs_getattr_all_fs(ipsec_t) +fs_search_auto_mountpoints(ipsec_t) + +term_use_console(ipsec_t) +term_dontaudit_use_all_ttys(ipsec_t) + +auth_use_nsswitch(ipsec_t) + +init_use_fds(ipsec_t) +init_use_script_ptys(ipsec_t) + +logging_send_syslog_msg(ipsec_t) + +miscfiles_read_localization(ipsec_t) + +sysnet_domtrans_ifconfig(ipsec_t) +sysnet_manage_config(ipsec_t) +sysnet_etc_filetrans_config(ipsec_t) + 
+userdom_dontaudit_use_unpriv_user_fds(ipsec_t) +userdom_dontaudit_search_user_home_dirs(ipsec_t) + +optional_policy(` + seutil_sigchld_newrole(ipsec_t) +') + +optional_policy(` + udev_read_db(ipsec_t) +') + +######################################## +# +# ipsec_mgmt Local policy +# + +allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; +dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config }; +allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; +allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; +allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; +allow ipsec_mgmt_t self:udp_socket create_socket_perms; +allow ipsec_mgmt_t self:key_socket create_socket_perms; +allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms; + +allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; +files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) + +manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t) +manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t) +files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file }) + +manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t) +logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) + +allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; +files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) + +manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) +manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) + +allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms; +files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file) + +# _realsetup needs to be able to cat /var/run/pluto.pid, +# run ps on that pid, and delete the file +read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t) +read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t) + +# logger, running in ipsec_mgmt_t needs to use sockets +allow ipsec_mgmt_t self:unix_dgram_socket { 
create connect write }; +allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write }; + +allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms; + +manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) +manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) + +# whack needs to connect to pluto +stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t) + +can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t) +allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read; + +domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t) + +kernel_rw_net_sysctls(ipsec_mgmt_t) +# allow pluto to access /proc/net/ipsec_eroute; +kernel_read_system_state(ipsec_mgmt_t) +kernel_read_network_state(ipsec_mgmt_t) +kernel_read_software_raid_state(ipsec_mgmt_t) +kernel_read_kernel_sysctls(ipsec_mgmt_t) +kernel_getattr_core_if(ipsec_mgmt_t) +kernel_getattr_message_if(ipsec_mgmt_t) + +# don't audit using of lsof +dontaudit ipsec_mgmt_t self:capability sys_ptrace; + +domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t) +domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t) + +dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t) +dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t) + +files_dontaudit_getattr_all_files(ipsec_mgmt_t) +files_dontaudit_getattr_all_sockets(ipsec_mgmt_t) +files_read_kernel_symbol_table(ipsec_mgmt_t) +files_getattr_kernel_modules(ipsec_mgmt_t) + +# the default updown script wants to run route +# the ipsec wrapper wants to run /usr/bin/logger (should we put +# it in its own domain?) +corecmd_exec_bin(ipsec_mgmt_t) +corecmd_exec_shell(ipsec_mgmt_t) + +dev_read_rand(ipsec_mgmt_t) +dev_read_urand(ipsec_mgmt_t) + +domain_use_interactive_fds(ipsec_mgmt_t) +# denials when ps tries to search /proc. Do not audit these denials. 
+domain_dontaudit_read_all_domains_state(ipsec_mgmt_t) +# suppress audit messages about unnecessary socket access +# cjp: this seems excessive +domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t) +domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) + +files_read_etc_files(ipsec_mgmt_t) +files_exec_etc_files(ipsec_mgmt_t) +files_read_etc_runtime_files(ipsec_mgmt_t) +files_read_usr_files(ipsec_mgmt_t) +files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) +files_dontaudit_getattr_default_files(ipsec_mgmt_t) +files_list_tmp(ipsec_mgmt_t) + +fs_getattr_xattr_fs(ipsec_mgmt_t) +fs_list_tmpfs(ipsec_mgmt_t) + +term_use_console(ipsec_mgmt_t) +term_use_all_terms(ipsec_mgmt_t) + +auth_dontaudit_read_login_records(ipsec_mgmt_t) + +init_read_utmp(ipsec_mgmt_t) +init_use_script_ptys(ipsec_mgmt_t) +init_exec_script_files(ipsec_mgmt_t) +init_use_fds(ipsec_mgmt_t) +init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) + +logging_send_syslog_msg(ipsec_mgmt_t) + +miscfiles_read_localization(ipsec_mgmt_t) + +modutils_domtrans_insmod(ipsec_mgmt_t) + +seutil_dontaudit_search_config(ipsec_mgmt_t) + +sysnet_manage_config(ipsec_mgmt_t) +sysnet_domtrans_ifconfig(ipsec_mgmt_t) +sysnet_etc_filetrans_config(ipsec_mgmt_t) + +userdom_use_user_terminals(ipsec_mgmt_t) + +optional_policy(` + consoletype_exec(ipsec_mgmt_t) +') + +optional_policy(` + hostname_exec(ipsec_mgmt_t) +') + +optional_policy(` + dbus_system_bus_client(ipsec_mgmt_t) + dbus_connect_system_bus(ipsec_mgmt_t) + + optional_policy(` + networkmanager_dbus_chat(ipsec_mgmt_t) + ') +') + +optional_policy(` + iptables_domtrans(ipsec_mgmt_t) +') + +optional_policy(` + nscd_socket_use(ipsec_mgmt_t) +') + +ifdef(`TODO',` +# ideally it would not need this. 
It wants to write to /root/.rnd +file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file) + +allow ipsec_mgmt_t dev_fs:file_class_set getattr; +') dnl end TODO + +######################################## +# +# Racoon local policy +# + +allow racoon_t self:capability { net_admin net_bind_service }; +allow racoon_t self:netlink_route_socket create_netlink_socket_perms; +allow racoon_t self:unix_dgram_socket { connect create ioctl write }; +allow racoon_t self:netlink_selinux_socket { bind create read }; +allow racoon_t self:udp_socket create_socket_perms; +allow racoon_t self:key_socket create_socket_perms; +allow racoon_t self:fifo_file rw_fifo_file_perms; + +manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t) +manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t) +files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file }) + +can_exec(racoon_t, racoon_exec_t) + +can_exec(racoon_t, setkey_exec_t) + +# manage pid file +manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t) +manage_sock_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t) +files_pid_filetrans(racoon_t, ipsec_var_run_t, file) + +allow racoon_t ipsec_conf_file_t:dir list_dir_perms; +read_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t) +read_lnk_files_pattern(racoon_t, ipsec_conf_file_t, ipsec_conf_file_t) + +allow racoon_t ipsec_key_file_t:dir list_dir_perms; +read_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t) +read_lnk_files_pattern(racoon_t, ipsec_key_file_t, ipsec_key_file_t) + +kernel_read_system_state(racoon_t) +kernel_read_network_state(racoon_t) +kernel_request_load_module(racoon_t) + +corecmd_exec_shell(racoon_t) +corecmd_exec_bin(racoon_t) + +corenet_all_recvfrom_unlabeled(racoon_t) +corenet_tcp_sendrecv_all_if(racoon_t) +corenet_udp_sendrecv_all_if(racoon_t) +corenet_tcp_sendrecv_all_nodes(racoon_t) +corenet_udp_sendrecv_all_nodes(racoon_t) +corenet_tcp_bind_all_nodes(racoon_t) +corenet_udp_bind_all_nodes(racoon_t) 
+corenet_udp_bind_isakmp_port(racoon_t) +corenet_udp_bind_ipsecnat_port(racoon_t) + +dev_read_urand(racoon_t) + +# allow racoon to set contexts on ipsec policy and SAs +domain_ipsec_setcontext_all_domains(racoon_t) + +files_read_etc_files(racoon_t) + +fs_dontaudit_getattr_xattr_fs(racoon_t) + +# allow racoon to use avc_has_perm to check context on proposed SA +selinux_compute_access_vector(racoon_t) + +auth_use_nsswitch(racoon_t) + +ipsec_setcontext_default_spd(racoon_t) + +locallogin_use_fds(racoon_t) + +logging_send_syslog_msg(racoon_t) +logging_send_audit_msgs(racoon_t) + +miscfiles_read_localization(racoon_t) + +sysnet_exec_ifconfig(racoon_t) + +auth_use_pam(racoon_t) + +auth_can_read_shadow_passwords(racoon_t) +tunable_policy(`racoon_read_shadow',` + auth_tunable_read_shadow(racoon_t) +') + +######################################## +# +# Setkey local policy +# + +allow setkey_t self:capability net_admin; +allow setkey_t self:key_socket create_socket_perms; +allow setkey_t self:netlink_route_socket create_netlink_socket_perms; + +allow setkey_t ipsec_conf_file_t:dir list_dir_perms; +read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) +read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t) + +kernel_request_load_module(setkey_t) + +# allow setkey utility to set contexts on SA's and policy +domain_ipsec_setcontext_all_domains(setkey_t) + +files_read_etc_files(setkey_t) + +init_dontaudit_use_fds(setkey_t) +init_read_script_tmp_files(setkey_t) + +# allow setkey to set the context for ipsec SAs and policy. +ipsec_setcontext_default_spd(setkey_t) + +locallogin_use_fds(setkey_t) + +miscfiles_read_localization(setkey_t) + +seutil_read_config(setkey_t) + +userdom_use_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc new file mode 100644 index 0000000..fd99a6e --- /dev/null +++ b/policy/modules/system/iptables.fc 
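Review bot: `dontaudit ipsec_mgmt_t self:capability sys_ptrace;` (under "# don't audit using of lsof") duplicates the `dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };` at the top of the ipsec_mgmt section; drop one of them. The comment "# allow pluto to access /proc/net/ipsec_eroute;" was copied into the ipsec_mgmt_t block above `kernel_read_system_state(ipsec_mgmt_t)`, where the subject is the management scripts, not pluto. The `ifdef(`TODO',...)` block is dead code that still uses the old `file_type_auto_trans` macro and `dev_fs`; either drop it or turn it into a live rule. On the updown comment ("we need to find a way to make things work without letting all sorts of stuff possibly be run"): `corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)` does not contain what popen() can run, because ipsec_mgmt_t itself has net_admin, `corecmd_exec_bin`, `modutils_domtrans_insmod` and the optional `iptables_domtrans`; the comment should say the transition is a labelling and auditing boundary, not a privilege reduction. Also, `ipsec_t` gets `manage_files_pattern` on `ipsec_key_file_t` while `racoon_t` only reads key files; if pluto really rewrites RSA or preshared key files, add a comment saying why, otherwise reduce it to read.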
@@ -0,0 +1,20 @@ +/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) +/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) + +/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) + +/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) + +/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) + + +/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if new file mode 100644 index 0000000..59bfb17 --- /dev/null +++ b/policy/modules/system/iptables.if 
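Review bot: the /usr/sbin entries are narrower than the /sbin ones. Under /sbin the patterns are `ip6?tables`, `ip6?tables-restore` and `ip6?tables-multi`, plus ebtables, ebtables-restore and the three ipvsadm binaries; under /usr/sbin only `iptables`, `iptables-multi` and `iptables-restore` appear, with no `6?`, and no ebtables or ipvsadm lines at all. On a system that installs these tools under /usr/sbin, ip6tables, ebtables and ipvsadm would not receive `iptables_exec_t` and so would never transition into `iptables_t`. Mirror the /sbin block, e.g. `/usr/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)` and the same for `-restore` and `-multi`. Separately, `ipvsadm-save` is labelled but no `iptables-save` / `ip6tables-save` entry exists in either directory; if that is intentional (save only reads the ruleset) a comment would help.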
@@ -0,0 +1,171 @@ +## <summary>Policy for iptables.</summary> + +######################################## +## <summary> +## Execute iptables in the iptables domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`iptables_domtrans',` + gen_require(` + type iptables_t, iptables_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, iptables_exec_t, iptables_t) + + ifdef(`hide_broken_symptoms', ` + dontaudit iptables_t $1:socket_class_set { read write }; + ') +') + +######################################## +## <summary> +## Execute iptables in the iptables domain, and +## allow the specified role the iptables domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`iptables_run',` + gen_require(` + type iptables_t; + ') + + iptables_domtrans($1) + role $2 types iptables_t; + + sysnet_run_ifconfig(iptables_t, $2) + + optional_policy(` + modutils_run_insmod(iptables_t, $2) + ') +') + +######################################## +## <summary> +## Execute iptables in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`iptables_exec',` + gen_require(` + type iptables_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, iptables_exec_t) +') + +##################################### +## <summary> +## Execute iptables in the iptables domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`iptables_initrc_domtrans',` + gen_require(` + type iptables_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, iptables_initrc_exec_t) +') + +##################################### +## <summary> +## Set the attributes of iptables config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`iptables_setattr_config',` + gen_require(` + type iptables_conf_t; + ') + + files_search_etc($1) + allow $1 iptables_conf_t:file setattr; +') + +##################################### +## <summary> +## Read iptables config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`iptables_read_config',` + gen_require(` + type iptables_conf_t; + ') + + files_search_etc($1) + allow $1 iptables_conf_t:dir list_dir_perms; + read_files_pattern($1, iptables_conf_t, iptables_conf_t) +') + +##################################### +## <summary> +## Create files in /etc with the type used for +## the iptables config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`iptables_etc_filetrans_config',` + gen_require(` + type iptables_conf_t; + ') + + files_etc_filetrans($1, iptables_conf_t, file) +') + +################################### +## <summary> +## Manage iptables config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`iptables_manage_config',` + gen_require(` + type iptables_conf_t; + type etc_t; + ') + + files_search_etc($1) + manage_files_pattern($1, iptables_conf_t, iptables_conf_t) +') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te new file mode 100644 index 0000000..bce3aea --- /dev/null +++ b/policy/modules/system/iptables.te 
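Review bot: `iptables_setattr_config`, `iptables_read_config`, `iptables_etc_filetrans_config` and `iptables_manage_config` all `gen_require` `type iptables_conf_t;`, but nothing in this patch declares that type (iptables.te below declares only iptables_t, iptables_exec_t, iptables_initrc_exec_t, iptables_tmp_t and iptables_var_run_t) and iptables.fc labels nothing with it, so any module that calls one of these four interfaces will fail to build. Either add `type iptables_conf_t; files_config_file(iptables_conf_t)` to iptables.te with matching fc entries, or drop the interfaces. `iptables_manage_config` additionally requires `type etc_t;` and never uses it. The summary of `iptables_initrc_domtrans` ("Execute iptables in the iptables domain.") is copied from `iptables_domtrans`; it should describe the init script transition. And `iptables_run` silently hands `$2` the ifconfig and insmod domains through `sysnet_run_ifconfig(iptables_t, $2)` and `modutils_run_insmod(iptables_t, $2)`; that side effect belongs in its summary.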
@@ -0,0 +1,143 @@ +policy_module(iptables, 1.11.0) + +######################################## +# +# Declarations +# + +type iptables_t; +type iptables_exec_t; +init_system_domain(iptables_t, iptables_exec_t) +role system_r types iptables_t; + +type iptables_initrc_exec_t; +init_script_file(iptables_initrc_exec_t) + +type iptables_tmp_t; +files_tmp_file(iptables_tmp_t) + +type iptables_var_run_t; +files_pid_file(iptables_var_run_t) + +######################################## +# +# Iptables local policy +# + +allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw }; +dontaudit iptables_t self:capability sys_tty_config; +allow iptables_t self:fifo_file rw_fifo_file_perms; +allow iptables_t self:process { sigchld sigkill sigstop signull signal }; +# needed by ipvsadm +allow iptables_t self:netlink_socket create_socket_perms; +allow iptables_t self:rawip_socket create_socket_perms; + +files_manage_system_conf_files(iptables_t) +files_etc_filetrans_system_conf(iptables_t) + +manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) +files_pid_filetrans(iptables_t, iptables_var_run_t, file) + +can_exec(iptables_t, iptables_exec_t) + +allow iptables_t iptables_tmp_t:dir manage_dir_perms; +allow iptables_t iptables_tmp_t:file manage_file_perms; +files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) + +kernel_request_load_module(iptables_t) +kernel_read_system_state(iptables_t) +kernel_read_network_state(iptables_t) +kernel_read_kernel_sysctls(iptables_t) +kernel_read_modprobe_sysctls(iptables_t) +kernel_use_fds(iptables_t) + +# needed by ipvsadm +corecmd_exec_bin(iptables_t) +corecmd_exec_shell(iptables_t) + +corenet_relabelto_all_packets(iptables_t) +corenet_dontaudit_rw_tun_tap_dev(iptables_t) + +dev_read_sysfs(iptables_t) +ifdef(`hide_broken_symptoms',` + dev_dontaudit_write_mtrr(iptables_t) +') + +fs_getattr_xattr_fs(iptables_t) +fs_search_auto_mountpoints(iptables_t) +fs_list_inotifyfs(iptables_t) + 
+mls_file_read_all_levels(iptables_t) + +term_dontaudit_use_console(iptables_t) +term_use_all_terms(iptables_t) + +domain_use_interactive_fds(iptables_t) + +files_read_etc_files(iptables_t) +files_read_etc_runtime_files(iptables_t) +files_read_usr_files(iptables_t) + +auth_use_nsswitch(iptables_t) + +init_use_fds(iptables_t) +init_use_script_ptys(iptables_t) +# to allow rules to be saved on reboot: +init_rw_script_tmp_files(iptables_t) +init_rw_script_stream_sockets(iptables_t) +init_dontaudit_script_leaks(iptables_t) + +logging_send_syslog_msg(iptables_t) + +miscfiles_read_localization(iptables_t) + +sysnet_domtrans_ifconfig(iptables_t) +sysnet_dns_name_resolve(iptables_t) + +userdom_use_user_terminals(iptables_t) +userdom_use_all_users_fds(iptables_t) + +optional_policy(` + fail2ban_append_log(iptables_t) + fail2ban_dontaudit_leaks(iptables_t) +') + +optional_policy(` + firstboot_use_fds(iptables_t) + firstboot_rw_pipes(iptables_t) +') + +optional_policy(` + modutils_domtrans_insmod(iptables_t) +') + +optional_policy(` + # for iptables -L + nis_use_ypbind(iptables_t) +') + +optional_policy(` + ppp_dontaudit_use_fds(iptables_t) +') + +optional_policy(` + psad_rw_tmp_files(iptables_t) + psad_write_log(iptables_t) +') + +optional_policy(` + rhgb_dontaudit_use_ptys(iptables_t) +') + +optional_policy(` + seutil_sigchld_newrole(iptables_t) +') + +optional_policy(` + shorewall_rw_lib_files(iptables_t) + shorewall_read_tmp_files(iptables_t) +') + +optional_policy(` + udev_read_db(iptables_t) +') diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc new file mode 100644 index 0000000..14d9670 --- /dev/null +++ b/policy/modules/system/iscsi.fc 
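Review bot: the iptables_tmp_t rules use raw `allow iptables_t iptables_tmp_t:dir manage_dir_perms;` / `allow iptables_t iptables_tmp_t:file manage_file_perms;` while the var_run rules two lines above use `manage_files_pattern`; use `manage_dirs_pattern` and `manage_files_pattern` here for consistency with the rest of the file. Beyond style, the domain is broad for a rule loader: `files_manage_system_conf_files`, `files_etc_filetrans_system_conf`, `mls_file_read_all_levels`, `corenet_relabelto_all_packets`, `term_use_all_terms` and `userdom_use_all_users_fds` carry no comment saying which tool needs them, whereas the netlink/rawip socket and `corecmd_exec_*` lines are justified with "# needed by ipvsadm". Add the same justification for each, or drop the ones that are not needed; `files_manage_system_conf_files` in particular lets anything reaching `iptables_t` rewrite system config files.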
@@ -0,0 +1,7 @@ +/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) +/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) + +/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) +/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) +/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0) +/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) diff --git a/policy/modules/system/iscsi.if b/policy/modules/system/iscsi.if new file mode 100644 index 0000000..ad0b864 --- /dev/null +++ b/policy/modules/system/iscsi.if 
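Review bot: `/sbin/brcm_iscsiuio` is labelled `iscsid_exec_t`, so the Broadcom userspace helper runs in the same `iscsid_t` domain as iscsid and inherits everything granted there (in iscsi.te below that includes sys_admin and raw memory read/write). If the helper is the reason for those rules, say so in a comment next to the fc entry; if not, it deserves its own domain rather than sharing iscsid's.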
@@ -0,0 +1,76 @@ +## <summary>Establish connections to iSCSI devices</summary> + +######################################## +## <summary> +## Execute a domain transition to run iscsid. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`iscsid_domtrans',` + gen_require(` + type iscsid_t, iscsid_exec_t; + ') + + domtrans_pattern($1, iscsid_exec_t, iscsid_t) +') + +######################################## +## <summary> +## Connect to ISCSI using a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`iscsi_stream_connect',` + gen_require(` + type iscsid_t, iscsi_var_lib_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t, iscsid_t) +') + +######################################## +## <summary> +## Read iscsi lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`iscsi_read_lib_files',` + gen_require(` + type iscsi_var_lib_t; + ') + + read_files_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t) + allow $1 iscsi_var_lib_t:dir list_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Manage iscsid sempaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`iscsi_manage_semaphores',` + gen_require(` + type iscsid_t; + ') + + allow $1 iscsid_t:sem create_sem_perms; +') diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te new file mode 100644 index 0000000..3ab3a47 --- /dev/null +++ b/policy/modules/system/iscsi.te 
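Review bot: `iscsi_stream_connect` calls `files_search_pids($1)`, but the socket it connects to is in `iscsi_var_lib_t` (the second and third arguments of `stream_connect_pattern`), which iscsi.fc places under /var/lib/iscsi; the caller therefore needs `files_search_var_lib($1)` to reach it, as `iscsi_read_lib_files` already does. Typo in the last summary: "sempaphores". Also "Connect to ISCSI" should read "iSCSI" as in the module summary.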
@@ -0,0 +1,97 @@ +policy_module(iscsi, 1.7.0) + +######################################## +# +# Declarations +# + +type iscsid_t; +type iscsid_exec_t; +domain_type(iscsid_t) +init_daemon_domain(iscsid_t, iscsid_exec_t) + +type iscsi_lock_t; +files_lock_file(iscsi_lock_t) + +type iscsi_log_t; +logging_log_file(iscsi_log_t) + +type iscsi_tmp_t; +files_tmp_file(iscsi_tmp_t) + +type iscsi_var_lib_t; +files_type(iscsi_var_lib_t) + +type iscsi_var_run_t; +files_pid_file(iscsi_var_run_t) + +######################################## +# +# iscsid local policy +# + +allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; +allow iscsid_t self:process { setrlimit setsched signal }; +allow iscsid_t self:fifo_file rw_fifo_file_perms; +allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow iscsid_t self:unix_dgram_socket create_socket_perms; +allow iscsid_t self:sem create_sem_perms; +allow iscsid_t self:shm create_shm_perms; +allow iscsid_t self:netlink_socket create_socket_perms; +allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms; +allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms; +allow iscsid_t self:tcp_socket create_stream_socket_perms; + +can_exec(iscsid_t, iscsid_exec_t) + +manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) +files_lock_filetrans(iscsid_t, iscsi_lock_t, file) + +manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t) +logging_log_filetrans(iscsid_t, iscsi_log_t, file) + +manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) +manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) +fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file } ) + +allow iscsid_t iscsi_var_lib_t:dir list_dir_perms; +read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) +read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) +files_search_var_lib(iscsid_t) + +manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t) 
+files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) + +kernel_read_network_state(iscsid_t) +kernel_read_system_state(iscsid_t) + +corenet_all_recvfrom_unlabeled(iscsid_t) +corenet_all_recvfrom_netlabel(iscsid_t) +corenet_tcp_sendrecv_generic_if(iscsid_t) +corenet_tcp_sendrecv_generic_node(iscsid_t) +corenet_tcp_sendrecv_all_ports(iscsid_t) +corenet_tcp_connect_http_port(iscsid_t) +corenet_tcp_connect_iscsi_port(iscsid_t) +corenet_tcp_connect_isns_port(iscsid_t) + +dev_rw_sysfs(iscsid_t) +dev_rw_userio_dev(iscsid_t) +dev_read_raw_memory(iscsid_t) +dev_write_raw_memory(iscsid_t) + +domain_use_interactive_fds(iscsid_t) +domain_dontaudit_read_all_domains_state(iscsid_t) + +files_read_etc_files(iscsid_t) + +auth_use_nsswitch(iscsid_t) + +init_stream_connect_script(iscsid_t) + +logging_send_syslog_msg(iscsid_t) + +miscfiles_read_localization(iscsid_t) + +optional_policy(` + tgtd_manage_semaphores(iscsid_t) +') diff --git a/policy/modules/system/kdump.fc b/policy/modules/system/kdump.fc new file mode 100644 index 0000000..c66934f --- /dev/null +++ b/policy/modules/system/kdump.fc @@ -0,0 +1,5 @@ +/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0) +/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0) + +/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) +/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) diff --git a/policy/modules/system/kdump.if b/policy/modules/system/kdump.if new file mode 100644 index 0000000..672d323 --- /dev/null +++ b/policy/modules/system/kdump.if 
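Review bot: `dev_read_raw_memory(iscsid_t)` and `dev_write_raw_memory(iscsid_t)` give the daemon read and write on the raw memory devices, which together with `sys_admin` in its capability set makes `iscsid_t` effectively unconfined; this needs a comment naming the component that requires it (per iscsi.fc the Broadcom `brcm_iscsiuio` helper shares this domain) and ideally an `optional_policy` or tunable so that installs running only iscsid do not carry it. `domain_type(iscsid_t)` is redundant with `init_daemon_domain(iscsid_t, iscsid_exec_t)`, which already makes the type a domain. And `corenet_tcp_sendrecv_all_ports` sits next to the specific `corenet_tcp_connect_http_port`, `corenet_tcp_connect_iscsi_port` and `corenet_tcp_connect_isns_port` lines; if those connects are the real need, narrow or justify the all-ports rule.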
@@ -0,0 +1,111 @@ +## <summary>Kernel crash dumping mechanism</summary> + +###################################### +## <summary> +## Execute kdump in the kdump domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`kdump_domtrans',` + gen_require(` + type kdump_t, kdump_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, kdump_exec_t, kdump_t) +') + +####################################### +## <summary> +## Execute kdump in the kdump domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`kdump_initrc_domtrans',` + gen_require(` + type kdump_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, kdump_initrc_exec_t) +') + +##################################### +## <summary> +## Read kdump configuration file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kdump_read_config',` + gen_require(` + type kdump_etc_t; + ') + + files_search_etc($1) + allow $1 kdump_etc_t:file read_file_perms; +') + +#################################### +## <summary> +## Manage kdump configuration file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kdump_manage_config',` + gen_require(` + type kdump_etc_t; + ') + + files_search_etc($1) + allow $1 kdump_etc_t:file manage_file_perms; +') + +###################################### +## <summary> +## All of the rules required to administrate +## an kdump environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the kdump domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`kdump_admin',` + gen_require(` + type kdump_t, kdump_etc_t; + type kdump_initrc_exec_t; + ') + + allow $1 kdump_t:process { ptrace signal_perms }; + ps_process_pattern($1, kdump_t) + + init_labeled_script_domtrans($1, kdump_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 kdump_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, kdump_etc_t) +') diff --git a/policy/modules/system/kdump.te b/policy/modules/system/kdump.te new file mode 100644 index 0000000..7682697 --- /dev/null +++ b/policy/modules/system/kdump.te @@ -0,0 +1,38 @@ +policy_module(kdump, 1.1.0) + +####################################### +# +# Declarations +# + +type kdump_t; +type kdump_exec_t; +init_system_domain(kdump_t, kdump_exec_t) + +type kdump_etc_t; +files_config_file(kdump_etc_t) + +type kdump_initrc_exec_t; +init_script_file(kdump_initrc_exec_t) + +##################################### +# +# kdump local policy +# + +allow kdump_t self:capability { sys_boot dac_override }; + +read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) + +files_read_etc_runtime_files(kdump_t) +files_read_kernel_img(kdump_t) + +kernel_read_system_state(kdump_t) +kernel_read_core_if(kdump_t) +kernel_read_debugfs(kdump_t) +kernel_request_load_module(kdump_t) + +dev_read_framebuffer(kdump_t) +dev_read_sysfs(kdump_t) + +term_use_console(kdump_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc new file mode 100644 index 0000000..1d2236b --- /dev/null +++ b/policy/modules/system/libraries.fc 
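Review bot: the `<summary>` on `kdump_initrc_domtrans` in the kdump.if hunk is a copy of the one on `kdump_domtrans` ("Execute kdump in the kdump domain."), but the interface body calls `init_labeled_script_domtrans($1, kdump_initrc_exec_t)`, i.e. it runs the kdump init script in the init script domain, so the doc block should say that instead. The `kdump_admin` summary reads "All of the rules required to administrate an kdump environment"; "administer a kdump environment" is the wording used elsewhere. The `kdump_admin` body itself matches the usual admin-interface shape (ptrace and signal on the domain, init script transition, `admin_pattern` on `kdump_etc_t`), so no change needed there.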
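Review bot: `allow kdump_t self:capability { sys_boot dac_override };` in the kdump.te hunk grants `dac_override` without any access in the hunk that obviously needs it: the domain reads its config through `read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)` and the kernel image through `files_read_kernel_img`, both root-owned and readable by root without overriding DAC, and `sys_boot` alone is what the kexec load requires. Please check the audit log for the specific denial that prompted `dac_override` and either add a comment naming it or drop the capability, since it lets the domain ignore permission bits on every file type it is otherwise allowed to reach.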
@@ -0,0 +1,463 @@ +# +# /emul +# +ifdef(`distro_debian',` +/emul/ia32-linux/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) +/emul/ia32-linux/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) +') + +ifdef(`distro_gentoo',` +/emul/linux/x86/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +/emul/linux/x86/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +/emul/linux/x86/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) +') + +ifdef(`distro_redhat',` +/emul/ia32-linux/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +/emul/ia32-linux/usr(/.*)?/java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) +/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- gen_context(system_u:object_r:lib_t,s0) +/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- gen_context(system_u:object_r:lib_t,s0) +/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) +/emul/ia32-linux/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) +') + +# +# /etc +# +/etc/ld\.so\.cache -- gen_context(system_u:object_r:ld_so_cache_t,s0) +/etc/ld\.so\.preload -- gen_context(system_u:object_r:ld_so_cache_t,s0) + +/etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:lib_t,s0) + +# +# /lib(64)? 
+# +/lib -d gen_context(system_u:object_r:lib_t,s0) +/lib/.* gen_context(system_u:object_r:lib_t,s0) +/lib64 -d gen_context(system_u:object_r:lib_t,s0) +/lib64/.* gen_context(system_u:object_r:lib_t,s0) +/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) +/lib64/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) + +/lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/lib64/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +ifdef(`distro_debian',` +/lib32 -l gen_context(system_u:object_r:lib_t,s0) +/lib64 -l gen_context(system_u:object_r:lib_t,s0) +') + +ifdef(`distro_gentoo',` +/lib -l gen_context(system_u:object_r:lib_t,s0) +/lib32 -d gen_context(system_u:object_r:lib_t,s0) +/lib32/.* gen_context(system_u:object_r:lib_t,s0) +/lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) +') + +# +# /opt +# +/opt/.*\.so gen_context(system_u:object_r:lib_t,s0) +/opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +/opt/(.*/)?lib64(/.*)? 
gen_context(system_u:object_r:lib_t,s0) +/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) +/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) + +/opt/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +# despite the extensions, they are actually libs +/opt/Acrobat[5-9]/Reader/intellinux/plugins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) + +/opt/Komodo-Edit-5/lib/python/lib/python2.6/lib-dynload/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +ifdef(`distro_gentoo',` +# despite the extensions, they are actually libs +/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) +/opt/Acrobat[5-9]/Reader/intellinux/plug_ins3d/.*\.x3d -- gen_context(system_u:object_r:lib_t,s0) +/opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) + +/opt/netscape/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) +/opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/RealPlayer/codecs(/.*)? gen_context(system_u:object_r:lib_t,s0) +/opt/RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0) +/opt/RealPlayer/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +/opt/RealPlayer/mozilla(/.*)? gen_context(system_u:object_r:lib_t,s0) +/opt/RealPlayer/plugins(/.*)? 
gen_context(system_u:object_r:lib_t,s0) +') + +ifdef(`distro_redhat',` +/opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) +/opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/cx.*/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) +/opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/ibm/java.*/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +') + +# +# /sbin +# +/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) + +# +# /usr +# +/usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) +/usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0) + +/usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +/usr/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) + +/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) + +/usr/(.*/)?nvidia/.+\.so(\..*)? 
-- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/vlc/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/catalyst/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ati-fglrx/.+\.so(\..*)? 
-- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libzita-convolver\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) +/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- 
gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +ifdef(`distro_debian',` +/usr/lib32 -l gen_context(system_u:object_r:lib_t,s0) +') + +ifdef(`distro_gentoo',` +/usr/lib -l gen_context(system_u:object_r:lib_t,s0) +') + +ifdef(`distro_redhat',` +/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- gen_context(system_u:object_r:lib_t,s0) + +# The following are libraries with text relocations in need of execmod permissions +# Some of them should be fixed and removed from this list + +# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv +# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php +HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/mozilla/plugins/libvlcplugin\.so -- 
gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/VBoxVMM\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libgpac\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/X11R6/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/valgrind/vg.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/.*/program/libicudata\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/.*/program/libsts645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/.*/program/libvclplug_gen645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/.*/program/libwrp645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/.*/program/libswd680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/.*/program/librecentfile\.so -- 
gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/.*/program/libsvx680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/.*/program/libsoffice\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(.*/)?pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +# Fedora Extras packages: ladspa, imlib2, ocaml +/usr/lib(64)?/ladspa/analogue_osc_1416\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ladspa/bandpass_a_iir_1893\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ladspa/bandpass_iir_1892\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ladspa/butterworth_1902\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ladspa/fm_osc_1415\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ladspa/gsm_1215\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ladspa/gverb_1216\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ladspa/hermes_filter_1200\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ladspa/highpass_iir_1890\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ladspa/lowpass_iir_1891\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ladspa/notch_iir_1894\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ladspa/pitch_scale_1193\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ladspa/pitch_scale_1194\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ladspa/sc1_1425\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ladspa/sc2_1426\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ladspa/sc3_1427\.so -- 
gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/sane/libsane-epkowa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame +/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +# Jai, Sun Microsystems (Jpackage SPRM) +/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libdvdcss\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +# vmware +/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
+/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/vmware/lib(/.*)?/libvmware-gksu.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/(virtualbox(-ose)?/)?(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/virtualbox/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +# Java, Sun Microsystems (JPackage SRPM) +/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(local/)?lib/xchat/plugins/systray\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/(local/)?matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/acroread/(.*/)?sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
+/usr/lib/acroread/(.*/)?nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) +/usr/lib64/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0) +') dnl end distro_redhat + +# +# /var +# +/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) + +/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) +/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) + +/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) + +/usr/lib(64)?/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) +/usr/lib(64)?/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) +/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) + +ifdef(`distro_suse',` +/var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) +') + +/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) +/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) +/var/spool/postfix/usr(/.*)? 
gen_context(system_u:object_r:lib_t,s0) +/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) + +/usr/lib(64)?/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/mythtv/filters/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/altera9.1/quartus/linux/libccl_err\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/googleearth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0) + +/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/oracle(64)?/.*/lib/libclntsh\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libxvidcore\.so.* -- 
gen_context(system_u:object_r:textrel_shlib_t,s0) + + +/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/local/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libav.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/libADM.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +ifdef(`fixed',` +/usr/lib(64)?/libavfilter\.so(\..*)? 
-- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +# Flash plugin, Macromedia +HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
+/usr/lib(64)?/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +') +/opt/VBoxGuestAdditions.*/lib/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/nmm/liba52\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lampp/lib/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/games/darwinia/lib/libSDL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/ocp-.*/mixclip\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/Unify/SQLBase/libgptsblmsui11\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/real/RealPlayer/plugins(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/real/RealPlayer/codecs(/.*)? 
-- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/nsr/(.*/)?.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if new file mode 100644 index 0000000..8b174c8 --- /dev/null +++ b/policy/modules/system/libraries.if 
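Review bot: several patterns in the libraries.fc hunk assign `textrel_shlib_t`, and with it execmod on private writable mappings, to whole directory trees rather than to named libraries, e.g. `/usr/lib(64)?/i686/.*\.so.*`, `/usr/lib(64)?/sse2/.*\.so.*`, `/opt/google/.*\.so.*`, `/usr/lib(64)?/chromium-browser/.*\.so` and `/usr/lib/nsr/(.*/)?.*\.so`; each of these waives the text-relocation check for any library later dropped into that tree, so they should be narrowed to the specific files that still carry text relocations, with a comment pointing at the upstream bug, as the hunk's own "Some of them should be fixed and removed from this list" note asks. The `ifdef(\`fixed',\` ... ')` block around the libav*, libGLU, libSDL, dri and libphp5 entries is dead text: nothing in this patch defines `fixed`, so an m4 conditional that never fires is a confusing way to park entries; a `#` comment or removal would make the intent clear. Regex defects: `sidecars/*` (in both the `/usr/(local/)?Adobe/` and `/usr/lib/acroread/` entries) matches `sidecars` followed by zero or more slashes, not the files beneath it, so `sidecars(/.*)?` is presumably intended; unescaped dots in `/usr/lib/firefox-[^/]*/plugins/nppdf.so`, `/usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so`, `/usr/lib(64)?/yafaray/libDarkSky.so` and `/usr/lib(64)?/libnnz11.so(\.[^/]*)*` match any character where `\.` was meant. Finally, `/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0)` labels an executable with a library type, which keeps it out of every `bin_t` based entrypoint and transition rule; if the binary needs execmod that should be expressed on the domain that runs it rather than by mislabeling the file.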
@@ -0,0 +1,518 @@ +## <summary>Policy for system libraries.</summary> + +######################################## +## <summary> +## Execute ldconfig in the ldconfig domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`libs_domtrans_ldconfig',` + gen_require(` + type ldconfig_t, ldconfig_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, ldconfig_exec_t, ldconfig_t) +') + +######################################## +## <summary> +## Execute ldconfig in the ldconfig domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the ldconfig domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`libs_run_ldconfig',` + gen_require(` + type ldconfig_t; + ') + + libs_domtrans_ldconfig($1) + role $2 types ldconfig_t; +') + +######################################## +## <summary> +## Execute ldconfig in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`libs_exec_ldconfig',` + gen_require(` + type ldconfig_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, ldconfig_exec_t) +') + +######################################## +## <summary> +## Use the dynamic link/loader for automatic loading +## of shared libraries. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`libs_use_ld_so',` + gen_require(` + type lib_t, ld_so_t, ld_so_cache_t; + ') + + files_list_etc($1) + allow $1 lib_t:dir list_dir_perms; + + read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t }) + mmap_files_pattern($1, lib_t, ld_so_t) + + allow $1 ld_so_cache_t:file read_file_perms; +') + +######################################## +## <summary> +## Use the dynamic link/loader for automatic loading +## of shared libraries with legacy support. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`libs_legacy_use_ld_so',` + gen_require(` + type ld_so_t, ld_so_cache_t; + ') + + libs_use_ld_so($1) + allow $1 ld_so_t:file execmod; + allow $1 ld_so_cache_t:file execute; +') + +######################################## +## <summary> +## Execute the dynamic link/loader in the caller's domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`libs_exec_ld_so',` + gen_require(` + type lib_t, ld_so_t; + ') + + allow $1 lib_t:dir list_dir_perms; + read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t }) + exec_files_pattern($1, lib_t, ld_so_t) +') + +######################################## +## <summary> +## Create, read, write, and delete the +## dynamic link/loader. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: added for prelink +interface(`libs_manage_ld_so',` + gen_require(` + type lib_t, ld_so_t; + ') + + manage_files_pattern($1, lib_t, ld_so_t) +') + +######################################## +## <summary> +## Relabel to and from the type used for +## the dynamic link/loader. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +# cjp: added for prelink +interface(`libs_relabel_ld_so',` + gen_require(` + type lib_t, ld_so_t; + ') + + relabel_files_pattern($1, lib_t, ld_so_t) +') + +######################################## +## <summary> +## Modify the dynamic link/loader's cached listing +## of shared libraries. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`libs_rw_ld_so_cache',` + gen_require(` + type ld_so_cache_t; + ') + + files_list_etc($1) + allow $1 ld_so_cache_t:file rw_file_perms; +') + +######################################## +## <summary> +## Search library directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`libs_search_lib',` + gen_require(` + type lib_t; + ') + + allow $1 lib_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to write to library directories. +## </summary> +## <desc> +## <p> +## Do not audit attempts to write to library directories. +## Typically this is used to quiet attempts to recompile +## python byte code. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`libs_dontaudit_write_lib_dirs',` + gen_require(` + type lib_t; + ') + + dontaudit $1 lib_t:dir write; +') + +######################################## +## <summary> +## Create, read, write, and delete library directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`libs_manage_lib_dirs',` + gen_require(` + type lib_t; + ') + + allow $1 lib_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Read files in the library directories, such +## as static libraries. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`libs_read_lib_files',` + gen_require(` + type lib_t; + ') + + files_list_usr($1) + list_dirs_pattern($1, lib_t, lib_t) + read_files_pattern($1, lib_t, lib_t) + read_lnk_files_pattern($1, lib_t, lib_t) +') + +######################################## +## <summary> +## Execute library scripts in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`libs_exec_lib_files',` + gen_require(` + type lib_t; + ') + + files_search_usr($1) + allow $1 lib_t:dir list_dir_perms; + read_lnk_files_pattern($1, lib_t, lib_t) + exec_files_pattern($1, lib_t, lib_t) +') + +######################################## +## <summary> +## Load and execute functions from generic +## lib files as shared libraries. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`libs_use_lib_files',` + refpolicywarn(`$0($*) has been deprecated, use libs_use_shared_libs() instead.') + libs_use_shared_libs($1) +') + +######################################## +## <summary> +## Create, read, write, and delete generic +## files in library directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: added for prelink +interface(`libs_manage_lib_files',` + gen_require(` + type lib_t; + ') + + manage_files_pattern($1, lib_t, lib_t) +') + +######################################## +## <summary> +## Relabel files to the type used in library directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`libs_relabelto_lib_files',` + gen_require(` + type lib_t; + ') + + relabelto_files_pattern($1, lib_t, lib_t) +') + +######################################## +## <summary> +## Relabel to and from the type used +## for generic lib files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: added for prelink +interface(`libs_relabel_lib_files',` + gen_require(` + type lib_t; + ') + + relabel_files_pattern($1, lib_t, lib_t) +') + +######################################## +## <summary> +## Delete generic symlinks in library directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: added for prelink +interface(`libs_delete_lib_symlinks',` + gen_require(` + type lib_t; + ') + + delete_lnk_files_pattern($1, lib_t, lib_t) +') + +######################################## +## <summary> +## Create, read, write, and delete shared libraries. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: added for prelink +interface(`libs_manage_shared_libs',` + gen_require(` + type lib_t, textrel_shlib_t; + ') + + manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) +') + +######################################## +## <summary> +## Load and execute functions from shared libraries. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`libs_use_shared_libs',` + gen_require(` + type lib_t, textrel_shlib_t; + ') + + files_search_usr($1) + allow $1 lib_t:dir list_dir_perms; + read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) + mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) + allow $1 textrel_shlib_t:file execmod; +') + +######################################## +## <summary> +## Load and execute functions from shared libraries, +## with legacy support. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`libs_legacy_use_shared_libs',` + gen_require(` + type lib_t; + ') + + libs_use_shared_libs($1) + allow $1 lib_t:file execmod; +') + +######################################## +## <summary> +## Relabel to and from the type used for +## shared libraries. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: added for prelink +interface(`libs_relabel_shared_libs',` + gen_require(` + type lib_t, textrel_shlib_t; + ') + + relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) +') + +######################################## +## <summary> +## Create an object in lib directories, with +## the shared libraries type using a type transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object"> +## <summary> +## The object class of the object being created. +## </summary> +## </param> +# +interface(`lib_filetrans_shared_lib',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Create an object in lib directories, with +## the shared libraries type using a type transition. (Deprecated) +## </summary> +## <desc> +## <p> +## Create an object in lib directories, with +## the shared libraries type using a type transition. (Deprecated) +## </p> +## <p> +## lib_filetrans_shared_lib() should be used instead. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object"> +## <summary> +## The object class of the object being created. +## </summary> +## </param> +# +interface(`files_lib_filetrans_shared_lib',` + refpolicywarn(`$0($*) has been deprecated.') +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te new file mode 100644 index 0000000..99d7f60 --- /dev/null +++ b/policy/modules/system/libraries.te 
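Review bot: the <desc> of files_lib_filetrans_shared_lib() at the end of the hunk tells callers that "lib_filetrans_shared_lib() should be used instead", but lib_filetrans_shared_lib() directly above it has itself been reduced to a refpolicywarn() deprecation stub, so the recommendation points at a dead interface; drop that sentence or name the real replacement. Separately, libs_legacy_use_shared_libs() adds `allow $1 lib_t:file execmod;` and libs_legacy_use_ld_so() adds `allow $1 ld_so_t:file execmod;` plus `allow $1 ld_so_cache_t:file execute;`, which removes the lib_t/textrel_shlib_t distinction for the caller; their <summary> only says "with legacy support", so a <desc> stating that the legacy variants permit text relocations on all libraries would help policy writers pick the non-legacy interface by default.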
@@ -0,0 +1,157 @@ +policy_module(libraries, 2.7.0) + +######################################## +# +# Declarations +# + +# +# ld_so_cache_t is the type of /etc/ld.so.cache. +# +type ld_so_cache_t; +files_type(ld_so_cache_t) + +# +# ld_so_t is the type of the system dynamic loaders. +# +type ld_so_t; +files_type(ld_so_t) + +type ldconfig_t; +type ldconfig_exec_t; +init_system_domain(ldconfig_t, ldconfig_exec_t) +role system_r types ldconfig_t; + +type ldconfig_cache_t; +files_type(ldconfig_cache_t) + +type ldconfig_tmp_t; +files_tmp_file(ldconfig_tmp_t) + +# +# lib_t is the type of files in the system lib directories. +# +type lib_t alias shlib_t; +files_type(lib_t) + +# +# textrel_shlib_t is the type of shared objects in the system lib +# directories, which require text relocation. +# +type textrel_shlib_t alias texrel_shlib_t; +files_type(textrel_shlib_t) + +ifdef(`distro_gentoo',` + # openrc unfortunately mounts a tmpfs + # at /lib/rc/ + files_mountpoint(lib_t) +') + +optional_policy(` + postgresql_loadable_module(lib_t) + postgresql_loadable_module(textrel_shlib_t) +') + +######################################## +# +# ldconfig local policy +# + +allow ldconfig_t self:capability { dac_override sys_chroot }; + +manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) + +manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t) +files_etc_filetrans(ldconfig_t, ld_so_cache_t, file) + +manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t) +manage_files_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t) +manage_lnk_files_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t) +files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file }) + +manage_lnk_files_pattern(ldconfig_t, lib_t, lib_t) + +kernel_read_system_state(ldconfig_t) + +fs_getattr_xattr_fs(ldconfig_t) + +corecmd_search_bin(ldconfig_t) + +domain_use_interactive_fds(ldconfig_t) + +files_search_home(ldconfig_t) +files_search_var_lib(ldconfig_t) 
+files_read_etc_files(ldconfig_t) +files_read_usr_files(ldconfig_t) +files_search_tmp(ldconfig_t) +files_search_usr(ldconfig_t) +# for when /etc/ld.so.cache is mislabeled: +files_delete_etc_files(ldconfig_t) + +init_use_script_ptys(ldconfig_t) +init_read_script_tmp_files(ldconfig_t) + +miscfiles_read_localization(ldconfig_t) + +logging_send_syslog_msg(ldconfig_t) + +term_use_console(ldconfig_t) +userdom_use_user_terminals(ldconfig_t) +userdom_use_all_users_fds(ldconfig_t) + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(ldconfig_t) + ') +') + +userdom_manage_user_home_content_files(ldconfig_t) +userdom_manage_user_tmp_files(ldconfig_t) +userdom_manage_user_tmp_symlinks(ldconfig_t) + +ifdef(`hide_broken_symptoms',` + ifdef(`distro_gentoo',` + # leaked fds from portage + files_dontaudit_rw_var_files(ldconfig_t) + + optional_policy(` + portage_dontaudit_search_tmp(ldconfig_t) + portage_dontaudit_rw_tmp_files(ldconfig_t) + ') + ') + + optional_policy(` + unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) + ') +') + +optional_policy(` + # dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway + apache_dontaudit_search_modules(ldconfig_t) +') + +optional_policy(` + apt_rw_pipes(ldconfig_t) + apt_use_fds(ldconfig_t) + apt_use_ptys(ldconfig_t) +') + +optional_policy(` + gnome_append_generic_cache_files(ldconfig_t) +') + +optional_policy(` + puppet_rw_tmp(ldconfig_t) +') + +optional_policy(` + # When you install a kernel the postinstall builds a initrd image in tmp + # and executes ldconfig on it. If you dont allow this kernel installs + # blow up. + rpm_manage_script_tmp_files(ldconfig_t) +') + +optional_policy(` + unconfined_domain(ldconfig_t) +') + diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc new file mode 100644 index 0000000..be6a81b --- /dev/null +++ b/policy/modules/system/locallogin.fc 
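Review bot: `unconfined_domain(ldconfig_t)` is granted twice in this hunk, once inside `ifdef(`distro_ubuntu',` and again unconditionally in the final optional_policy block, so the Ubuntu-specific block is redundant and can go; more importantly, the unconditional grant makes every ldconfig_t rule above it moot wherever the unconfined module is loaded, which deserves a comment explaining why ldconfig is not kept confined. `files_delete_etc_files(ldconfig_t)` (commented "for when /etc/ld.so.cache is mislabeled") and `userdom_manage_user_home_content_files(ldconfig_t)` are also far broader than ldconfig's job of rewriting ld.so.cache; for the mislabel case a dontaudit or a narrower interface would be preferable to delete on all etc_t files.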
@@ -0,0 +1,3 @@ + +/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) +/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if new file mode 100644 index 0000000..0e3c2a9 --- /dev/null +++ b/policy/modules/system/locallogin.if 
@@ -0,0 +1,131 @@ +## <summary>Policy for local logins.</summary> + +######################################## +## <summary> +## Execute local logins in the local login domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`locallogin_domtrans',` + gen_require(` + type local_login_t; + ') + + auth_domtrans_login_program($1, local_login_t) + + ifdef(`enable_mcs',` + auth_ranged_domtrans_login_program($1, local_login_t, s0 - mcs_systemhigh) + ') +') + +######################################## +## <summary> +## Allow processes to inherit local login file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`locallogin_use_fds',` + gen_require(` + type local_login_t; + ') + + allow $1 local_login_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to inherit local login file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`locallogin_dontaudit_use_fds',` + gen_require(` + type local_login_t; + ') + + dontaudit $1 local_login_t:fd use; +') + +######################################## +## <summary> +## Send a null signal to local login processes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`locallogin_signull',` + gen_require(` + type local_login_t; + ') + + allow $1 local_login_t:process signull; +') + +######################################## +## <summary> +## Search for key. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`locallogin_search_keys',` + gen_require(` + type local_login_t; + ') + + allow $1 local_login_t:key search; +') + +######################################## +## <summary> +## Allow link to the local_login key ring. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`locallogin_link_keys',` + gen_require(` + type local_login_t; + ') + + allow $1 local_login_t:key link; +') + +######################################## +## <summary> +## Execute local logins in the local login domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`locallogin_domtrans_sulogin',` + gen_require(` + type sulogin_exec_t, sulogin_t; + ') + + domtrans_pattern($1, sulogin_exec_t, sulogin_t) +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te new file mode 100644 index 0000000..26e9f79 --- /dev/null +++ b/policy/modules/system/locallogin.te 
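Review bot: the <summary> of locallogin_domtrans_sulogin() at the end of the hunk reads "Execute local logins in the local login domain", copied from locallogin_domtrans(); it should say that it executes sulogin in the sulogin domain, since the rule is `domtrans_pattern($1, sulogin_exec_t, sulogin_t)`. Likewise locallogin_search_keys() is summarized only as "Search for key."; name the keyring (the local_login_t key) the way locallogin_link_keys() does.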
@@ -0,0 +1,271 @@ +policy_module(locallogin, 1.10.0) + +######################################## +# +# Declarations +# + +type local_login_t; +domain_interactive_fd(local_login_t) +auth_login_pgm_domain(local_login_t) +auth_login_entry_type(local_login_t) + +type local_login_lock_t; +files_lock_file(local_login_lock_t) + +type local_login_tmp_t; +files_tmp_file(local_login_tmp_t) +files_poly_parent(local_login_tmp_t) + +type sulogin_t; +type sulogin_exec_t; +domain_obj_id_change_exemption(sulogin_t) +domain_subj_id_change_exemption(sulogin_t) +domain_role_change_exemption(sulogin_t) +domain_interactive_fd(sulogin_t) +init_domain(sulogin_t, sulogin_exec_t) +init_system_domain(sulogin_t, sulogin_exec_t) +role system_r types sulogin_t; + +######################################## +# +# Local login local policy +# + +allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_ptrace sys_resource sys_tty_config }; +allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap }; +allow local_login_t self:fd use; +allow local_login_t self:fifo_file rw_fifo_file_perms; +allow local_login_t self:sock_file read_sock_file_perms; +allow local_login_t self:unix_dgram_socket create_socket_perms; +allow local_login_t self:unix_stream_socket create_stream_socket_perms; +allow local_login_t self:unix_dgram_socket sendto; +allow local_login_t self:unix_stream_socket connectto; +allow local_login_t self:shm create_shm_perms; +allow local_login_t self:sem create_sem_perms; +allow local_login_t self:msgq create_msgq_perms; +allow local_login_t self:msg { send receive }; +allow local_login_t self:key { search write link }; + +allow local_login_t local_login_lock_t:file manage_file_perms; +files_lock_filetrans(local_login_t, local_login_lock_t, file) + +allow local_login_t local_login_tmp_t:dir manage_dir_perms; +allow local_login_t local_login_tmp_t:file manage_file_perms; 
+files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir }) + +kernel_read_system_state(local_login_t) +kernel_read_kernel_sysctls(local_login_t) +kernel_search_key(local_login_t) +kernel_link_key(local_login_t) + +corecmd_list_bin(local_login_t) +corecmd_read_bin_symlinks(local_login_t) +# cjp: these are probably not needed: +corecmd_read_bin_files(local_login_t) +corecmd_read_bin_pipes(local_login_t) +corecmd_read_bin_sockets(local_login_t) + +dev_setattr_mouse_dev(local_login_t) +dev_getattr_mouse_dev(local_login_t) +dev_getattr_power_mgmt_dev(local_login_t) +dev_setattr_power_mgmt_dev(local_login_t) +dev_getattr_sound_dev(local_login_t) +dev_setattr_sound_dev(local_login_t) +dev_rw_generic_usb_dev(local_login_t) +dev_read_video_dev(local_login_t) +dev_dontaudit_getattr_apm_bios_dev(local_login_t) +dev_dontaudit_setattr_apm_bios_dev(local_login_t) +dev_dontaudit_read_framebuffer(local_login_t) +dev_dontaudit_setattr_framebuffer_dev(local_login_t) +dev_dontaudit_getattr_generic_blk_files(local_login_t) +dev_dontaudit_setattr_generic_blk_files(local_login_t) +dev_dontaudit_getattr_generic_chr_files(local_login_t) +dev_dontaudit_setattr_generic_chr_files(local_login_t) +dev_dontaudit_setattr_generic_symlinks(local_login_t) +dev_dontaudit_getattr_misc_dev(local_login_t) +dev_dontaudit_setattr_misc_dev(local_login_t) +dev_dontaudit_getattr_scanner_dev(local_login_t) +dev_dontaudit_setattr_scanner_dev(local_login_t) +dev_dontaudit_search_sysfs(local_login_t) +dev_dontaudit_getattr_video_dev(local_login_t) +dev_dontaudit_setattr_video_dev(local_login_t) + +domain_read_all_entry_files(local_login_t) + +files_read_etc_files(local_login_t) +files_read_etc_runtime_files(local_login_t) +files_read_usr_files(local_login_t) +files_list_mnt(local_login_t) +files_list_world_readable(local_login_t) +files_read_world_readable_files(local_login_t) +files_read_world_readable_symlinks(local_login_t) +files_read_world_readable_pipes(local_login_t) 
+files_read_world_readable_sockets(local_login_t) +# for when /var/mail is a symlink +files_read_var_symlinks(local_login_t) + +fs_search_auto_mountpoints(local_login_t) + +storage_dontaudit_getattr_fixed_disk_dev(local_login_t) +storage_dontaudit_setattr_fixed_disk_dev(local_login_t) +storage_dontaudit_getattr_removable_dev(local_login_t) +storage_dontaudit_setattr_removable_dev(local_login_t) + +term_use_all_ttys(local_login_t) +term_use_unallocated_ttys(local_login_t) +term_relabel_unallocated_ttys(local_login_t) +term_relabel_all_ttys(local_login_t) +term_setattr_all_ttys(local_login_t) +term_setattr_unallocated_ttys(local_login_t) + +auth_rw_login_records(local_login_t) +auth_rw_faillog(local_login_t) +auth_manage_pam_pid(local_login_t) +auth_manage_pam_console_data(local_login_t) +auth_domtrans_pam_console(local_login_t) + +init_dontaudit_use_fds(local_login_t) +init_stream_connect(local_login_t) + +miscfiles_read_localization(local_login_t) + +userdom_spec_domtrans_all_users(local_login_t) +userdom_signal_all_users(local_login_t) +userdom_search_user_home_content(local_login_t) +userdom_use_unpriv_users_fds(local_login_t) +userdom_sigchld_all_users(local_login_t) +userdom_create_all_users_keys(local_login_t) + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(local_login_t) + ') +') + +tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(local_login_t) + fs_read_nfs_symlinks(local_login_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files(local_login_t) + fs_read_cifs_symlinks(local_login_t) +') + +tunable_policy(`allow_console_login',` + term_use_console(local_login_t) + term_relabel_console(local_login_t) + term_setattr_console(local_login_t) +') + +optional_policy(` + alsa_domtrans(local_login_t) +') + +optional_policy(` + dbus_system_bus_client(local_login_t) + + consolekit_dbus_chat(local_login_t) +') + +optional_policy(` + gpm_getattr_gpmctl(local_login_t) + gpm_setattr_gpmctl(local_login_t) +') + +optional_policy(` 
+ # Search for mail spool file. + mta_getattr_spool(local_login_t) +') + +optional_policy(` + nis_use_ypbind(local_login_t) +') + +optional_policy(` + nscd_socket_use(local_login_t) +') + +optional_policy(` + unconfined_shell_domtrans(local_login_t) +') + +optional_policy(` + usermanage_read_crack_db(local_login_t) +') + +optional_policy(` + xserver_read_xdm_tmp_files(local_login_t) + xserver_rw_xdm_tmp_files(local_login_t) +') + +################################# +# +# Sulogin local policy +# + +allow sulogin_t self:capability dac_override; +allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow sulogin_t self:fd use; +allow sulogin_t self:fifo_file rw_fifo_file_perms; +allow sulogin_t self:unix_dgram_socket create_socket_perms; +allow sulogin_t self:unix_stream_socket create_stream_socket_perms; +allow sulogin_t self:unix_dgram_socket sendto; +allow sulogin_t self:unix_stream_socket connectto; +allow sulogin_t self:shm create_shm_perms; +allow sulogin_t self:sem create_sem_perms; +allow sulogin_t self:msgq create_msgq_perms; +allow sulogin_t self:msg { send receive }; + +kernel_read_system_state(sulogin_t) + +fs_search_auto_mountpoints(sulogin_t) +fs_rw_tmpfs_chr_files(sulogin_t) + +files_read_etc_files(sulogin_t) +# because file systems are not mounted: +files_dontaudit_search_isid_type_dirs(sulogin_t) + +auth_read_shadow(sulogin_t) +auth_use_nsswitch(sulogin_t) + +init_getpgid_script(sulogin_t) + +logging_send_syslog_msg(sulogin_t) + +seutil_read_config(sulogin_t) +seutil_read_default_contexts(sulogin_t) + +userdom_use_unpriv_users_fds(sulogin_t) + +userdom_search_user_home_dirs(sulogin_t) +userdom_use_user_ptys(sulogin_t) + +term_use_console(sulogin_t) +term_use_unallocated_ttys(sulogin_t) + +ifdef(`enable_mls',` + sysadm_shell_domtrans(sulogin_t) +',` + optional_policy(` + unconfined_shell_domtrans(sulogin_t) + ') +') + +# suse and debian do not use pam with sulogin... 
+ifdef(`distro_suse', `define(`sulogin_no_pam')') +ifdef(`distro_debian', `define(`sulogin_no_pam')') + +allow sulogin_t self:capability sys_tty_config; +ifdef(`sulogin_no_pam', ` + init_getpgid(sulogin_t) +', ` + allow sulogin_t self:process setexec; + selinux_get_fs_mount(sulogin_t) + selinux_validate_context(sulogin_t) + selinux_compute_access_vector(sulogin_t) + selinux_compute_create_context(sulogin_t) + selinux_compute_relabel_context(sulogin_t) + selinux_compute_user_contexts(sulogin_t) +') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc new file mode 100644 index 0000000..ca6409c --- /dev/null +++ b/policy/modules/system/logging.fc 
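Review bot: the three corecmd_read_bin_* rules for local_login_t are shipped under the comment "# cjp: these are probably not needed:"; either confirm with an audit run and remove them, or replace the comment with the reason they are required, so the login domain does not carry guessed permissions. In the same block, `allow local_login_t self:capability { ... sys_admin ... sys_ptrace ... }` sits next to `allow local_login_t self:process ~{ ptrace ... }`, which explicitly excludes ptrace; if sys_ptrace (and sys_admin) are needed for something else, a comment should say what, otherwise drop them. For sulogin_t the capability grant is split across two lines (`dac_override` at the top of the section and `sys_tty_config` after the sulogin_no_pam defines); merging them keeps the full set visible in one place.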
@@ -0,0 +1,80 @@ +/dev/log -s gen_context(system_u:object_r:devlog_t,s0) + +/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) +/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) +/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) +/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) + +/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) +/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) +/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) +/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) +/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) +/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) +/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) + +/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) +/usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0) +/usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) + +/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) +/var/lib/syslog(/.*)? 
gen_context(system_u:object_r:syslogd_var_lib_t,s0) +/var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) + +ifdef(`distro_suse', ` +/var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0) +') + +/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) +/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) +/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) +/var/log/.* gen_context(system_u:object_r:var_log_t,s0) +/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) +/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) +/var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) +/var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) +/var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) +/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) +/var/log/syslog-ng(/.*)? 
gen_context(system_u:object_r:syslogd_var_run_t,s0) + +ifndef(`distro_gentoo',` +/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) +') + +ifdef(`distro_redhat',` +/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) +/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) +') + +/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) +/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh) +/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) +/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) +/var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) +/var/run/log -s gen_context(system_u:object_r:devlog_t,s0) +/var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) +/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) +/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) +/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) + +/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) +/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) +/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) +/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if new file mode 100644 index 0000000..453377e --- /dev/null +++ b/policy/modules/system/logging.if 
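Review bot: three paths in this hunk leave a literal dot unescaped where the rest of the file escapes it: `/var/lib/syslog-ng.persist`, `/var/run/syslog-ng.ctl` and `/var/spool/plymouth/boot.log`. These are regular expressions, so `.` matches any character; they should read `syslog-ng\.persist`, `syslog-ng\.ctl` and `boot\.log`, as `auditd\.pid` and `klogd\.pid` already do. The entry `/var/log/syslog-ng(/.*)?` is labeled syslogd_var_run_t while every neighbouring /var/log entry is var_log_t or auditd_log_t; if that directory really holds runtime state rather than logs, a comment saying so will stop it being "corrected" later, otherwise it looks like a typo for syslogd_var_lib_t.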
@@ -0,0 +1,1065 @@ +## <summary>Policy for the kernel message logger and system logging daemon.</summary> + +######################################## +## <summary> +## Make the specified type usable for log files +## in a filesystem. +## </summary> +## <desc> +## <p> +## Make the specified type usable for log files in a filesystem. +## This will also make the type usable for files, making +## calls to files_type() redundant. Failure to use this interface +## for a log file type may result in problems with log +## rotation, log analysis, and log monitoring programs. +## </p> +## <p> +## Related interfaces: +## </p> +## <ul> +## <li>logging_log_filetrans()</li> +## </ul> +## <p> +## Example usage with a domain that can create +## and append to a private log file stored in the +## general directories (e.g., /var/log): +## </p> +## <p> +## type mylogfile_t; +## logging_log_file(mylogfile_t) +## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; +## logging_log_filetrans(mydomain_t, mylogfile_t, file) +## </p> +## </desc> +## <param name="type"> +## <summary> +## Type to be used for files. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`logging_log_file',` + gen_require(` + attribute logfile; + ') + + files_type($1) + files_associate_tmp($1) + fs_associate_tmpfs($1) + typeattribute $1 logfile; +') + +####################################### +## <summary> +## Send audit messages. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_send_audit_msgs',` + allow $1 self:capability audit_write; + allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; +') + +####################################### +## <summary> +## dontaudit attempts to send audit messages. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`logging_dontaudit_send_audit_msgs',` + dontaudit $1 self:capability audit_write; + dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; +') + +######################################## +## <summary> +## Set login uid +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_set_loginuid',` + allow $1 self:capability audit_control; + allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; +') + +######################################## +## <summary> +## Set tty auditing +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_set_tty_audit',` + allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_tty_audit }; +') + +######################################## +## <summary> +## Set up audit +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_set_audit_parameters',` + allow $1 self:capability { audit_write audit_control }; + allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +') + +######################################## +## <summary> +## Read the audit log. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`logging_read_audit_log',` + gen_require(` + type auditd_log_t; + ') + + files_search_var($1) + read_files_pattern($1, auditd_log_t, auditd_log_t) + allow $1 auditd_log_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Execute auditctl in the auditctl domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`logging_domtrans_auditctl',` + gen_require(` + type auditctl_t, auditctl_exec_t; + ') + + domtrans_pattern($1, auditctl_exec_t, auditctl_t) +') + +######################################## +## <summary> +## Execute auditctl in the auditctl domain, and +## allow the specified role the auditctl domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`logging_run_auditctl',` + gen_require(` + type auditctl_t; + ') + + logging_domtrans_auditctl($1) + role $2 types auditctl_t; +') + +######################################## +## <summary> +## Execute auditd in the auditd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`logging_domtrans_auditd',` + gen_require(` + type auditd_t, auditd_exec_t; + ') + + domtrans_pattern($1, auditd_exec_t, auditd_t) +') + +######################################## +## <summary> +## Execute auditd in the auditd domain, and +## allow the specified role the auditd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`logging_run_auditd',` + gen_require(` + type auditd_t; + ') + + logging_domtrans_auditd($1) + role $2 types auditd_t; +') + +######################################## +## <summary> +## Connect to auditdstored over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`logging_stream_connect_auditd',` + refpolicywarn(`$0($*) has been deprecated, logging_stream_connect_dispatcher() should be used instead.') + logging_stream_connect_dispatcher($1) +') + +######################################## +## <summary> +## Execute a domain transition to run the audit dispatcher. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`logging_domtrans_dispatcher',` + gen_require(` + type audisp_t, audisp_exec_t; + ') + + domtrans_pattern($1, audisp_exec_t, audisp_t) +') + +######################################## +## <summary> +## Signal the audit dispatcher. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_signal_dispatcher',` + gen_require(` + type audisp_t; + ') + + allow $1 audisp_t:process signal; +') + +######################################## +## <summary> +## Create a domain for processes +## which can be started by the system audit dispatcher +## </summary> +## <param name="domain"> +## <summary> +## Type to be used as a domain. +## </summary> +## </param> +## <param name="entry_point"> +## <summary> +## Type of the program to be used as an entry point to this domain. +## </summary> +## </param> +# +interface(`logging_dispatcher_domain',` + gen_require(` + type audisp_t; + role system_r; + ') + + domain_type($1) + domain_entry_file($1, $2) + + role system_r types $1; + + domtrans_pattern(audisp_t, $2, $1) + allow audisp_t $1:process { sigkill sigstop signull signal }; + + allow audisp_t $2:file getattr; + allow $1 audisp_t:unix_stream_socket rw_socket_perms; +') + +######################################## +## <summary> +## Connect to the audit dispatcher over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`logging_stream_connect_dispatcher',` + gen_require(` + type audisp_t, audisp_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, audisp_var_run_t, audisp_var_run_t, audisp_t) +') + +######################################## +## <summary> +## Manage the auditd configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`logging_manage_audit_config',` + gen_require(` + type auditd_etc_t; + ') + + files_search_etc($1) + manage_files_pattern($1, auditd_etc_t, auditd_etc_t) +') + +######################################## +## <summary> +## Manage the audit log. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`logging_manage_audit_log',` + gen_require(` + type auditd_log_t; + ') + + files_search_var($1) + manage_dirs_pattern($1, auditd_log_t, auditd_log_t) + manage_files_pattern($1, auditd_log_t, auditd_log_t) +') + +######################################## +## <summary> +## Execute klogd in the klog domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`logging_domtrans_klog',` + gen_require(` + type klogd_t, klogd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, klogd_exec_t, klogd_t) +') + +######################################## +## <summary> +## Check if syslogd is executable. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_check_exec_syslog',` + gen_require(` + type syslogd_exec_t; + ') + + corecmd_list_bin($1) + corecmd_read_bin_symlinks($1) + allow $1 syslogd_exec_t:file execute; +') + +######################################## +## <summary> +## Execute syslogd in the syslog domain. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`logging_domtrans_syslog',` + gen_require(` + type syslogd_t, syslogd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, syslogd_exec_t, syslogd_t) +') + +######################################## +## <summary> +## Create an object in the log directory, with a private type. +## </summary> +## <desc> +## <p> +## Allow the specified domain to create an object +## in the general system log directories (e.g., /var/log) +## with a private type. Typically this is used for creating +## private log files in /var/log with the private type instead +## of the general system log type. To accomplish this goal, +## either the program must be SELinux-aware, or use this interface. +## </p> +## <p> +## Related interfaces: +## </p> +## <ul> +## <li>logging_log_file()</li> +## </ul> +## <p> +## Example usage with a domain that can create +## and append to a private log file stored in the +## general directories (e.g., /var/log): +## </p> +## <p> +## type mylogfile_t; +## logging_log_file(mylogfile_t) +## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; +## logging_log_filetrans(mydomain_t, mylogfile_t, file) +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="private type"> +## <summary> +## The type of the object to be created. +## </summary> +## </param> +## <param name="object"> +## <summary> +## The object class of the object being created. +## </summary> +## </param> +## <infoflow type="write" weight="10"/> +# +interface(`logging_log_filetrans',` + gen_require(` + type var_log_t; + ') + + files_search_var($1) + filetrans_pattern($1, var_log_t, $2, $3) +') + +######################################## +## <summary> +## Send system log messages. 
+## </summary> +## <desc> +## <p> +## Allow the specified domain to connect to the +## system log service (syslog), to send messages be added to +## the system logs. Typically this is used by services +## that do not have their own log file in /var/log. +## </p> +## <p> +## This does not allow messages to be sent to +## the auditing system. +## </p> +## <p> +## Programs which use the libc function syslog() will +## require this access. +## </p> +## <p> +## Related interfaces: +## </p> +## <ul> +## <li>logging_send_audit_msgs()</li> +## </ul> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_send_syslog_msg',` + gen_require(` + type syslogd_t, devlog_t; + ') + + allow $1 devlog_t:lnk_file read_lnk_file_perms; + allow $1 devlog_t:sock_file write_sock_file_perms; + + # the type of socket depends on the syslog daemon + allow $1 syslogd_t:unix_dgram_socket sendto; + allow $1 syslogd_t:unix_stream_socket connectto; + allow $1 self:unix_dgram_socket create_socket_perms; + allow $1 self:unix_stream_socket create_socket_perms; + + # If syslog is down, the glibc syslog() function + # will write to the console. + term_write_console($1) + term_dontaudit_read_console($1) +') + +######################################## +## <summary> +## Connect to the syslog control unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_stream_connect_syslog',` + gen_require(` + type syslogd_t, syslogd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t) +') + +######################################## +## <summary> +## Read the auditd configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`logging_read_audit_config',` + gen_require(` + type auditd_etc_t; + ') + + files_search_etc($1) + read_files_pattern($1, auditd_etc_t, auditd_etc_t) + allow $1 auditd_etc_t:dir list_dir_perms; +') + +######################################## +## <summary> +## dontaudit search of auditd configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +## <rolecap/> +# +interface(`logging_dontaudit_search_audit_config',` + gen_require(` + type auditd_etc_t; + ') + + dontaudit $1 auditd_etc_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Read syslog configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`logging_read_syslog_config',` + gen_require(` + type syslog_conf_t; + ') + + allow $1 syslog_conf_t:file read_file_perms; +') + +######################################## +## <summary> +## Allows the domain to open a file in the +## log directory, but does not allow the listing +## of the contents of the log directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_search_logs',` + gen_require(` + type var_log_t; + ') + + files_search_var($1) + allow $1 var_log_t:dir search_dir_perms; +') + +####################################### +## <summary> +## Do not audit attempts to search the var log directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain not to audit. +## </summary> +## </param> +# +interface(`logging_dontaudit_search_logs',` + gen_require(` + type var_log_t; + ') + + dontaudit $1 var_log_t:dir search_dir_perms; +') + +####################################### +## <summary> +## List the contents of the generic log directory (/var/log). 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_list_logs',` + gen_require(` + type var_log_t; + ') + + files_search_var($1) + allow $1 var_log_t:dir list_dir_perms; +') + +####################################### +## <summary> +## Read and write the generic log directory (/var/log). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_rw_generic_log_dirs',` + gen_require(` + type var_log_t; + ') + + files_search_var($1) + allow $1 var_log_t:dir rw_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to get the atttributes +## of any log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`logging_dontaudit_getattr_all_logs',` + gen_require(` + attribute logfile; + ') + + dontaudit $1 logfile:file getattr; +') + +######################################## +## <summary> +## Append to all log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_append_all_logs',` + gen_require(` + attribute logfile; + type var_log_t; + ') + + files_search_var($1) + append_files_pattern($1, logfile, logfile) +') + +######################################## +## <summary> +## Append to all log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_inherit_append_all_logs',` + gen_require(` + attribute logfile; + ') + + allow $1 logfile:file { getattr append }; +') + +######################################## +## <summary> +## Read all log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`logging_read_all_logs',` + gen_require(` + attribute logfile; + ') + + files_search_var($1) + allow $1 logfile:dir list_dir_perms; + read_files_pattern($1, logfile, logfile) +') + +######################################## +## <summary> +## Execute all log files in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# cjp: not sure why this is needed. This was added +# because of logrotate. +interface(`logging_exec_all_logs',` + gen_require(` + attribute logfile; + ') + + files_search_var($1) + allow $1 logfile:dir list_dir_perms; + can_exec($1, logfile) +') + +######################################## +## <summary> +## read/write to all log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_rw_all_logs',` + gen_require(` + attribute logfile; + ') + + files_search_var($1) + rw_files_pattern($1, logfile, logfile) +') + +######################################## +## <summary> +## Create, read, write, and delete all log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`logging_manage_all_logs',` + gen_require(` + attribute logfile; + ') + + files_search_var($1) + manage_files_pattern($1, logfile, logfile) + manage_lnk_files_pattern($1, logfile, logfile) +') + +######################################## +## <summary> +## Read generic log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`logging_read_generic_logs',` + gen_require(` + type var_log_t; + ') + + files_search_var($1) + allow $1 var_log_t:dir list_dir_perms; + read_files_pattern($1, var_log_t, var_log_t) +') + +######################################## +## <summary> +## Write generic log files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_write_generic_logs',` + gen_require(` + type var_log_t; + ') + + files_search_var($1) + allow $1 var_log_t:dir list_dir_perms; + write_files_pattern($1, var_log_t, var_log_t) +') + +######################################## +## <summary> +## Dontaudit Write generic log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`logging_dontaudit_write_generic_logs',` + gen_require(` + type var_log_t; + ') + + dontaudit $1 var_log_t:file write; +') + +######################################## +## <summary> +## Read and write generic log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_rw_generic_logs',` + gen_require(` + type var_log_t; + ') + + files_search_var($1) + allow $1 var_log_t:dir list_dir_perms; + rw_files_pattern($1, var_log_t, var_log_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## generic log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`logging_manage_generic_logs',` + gen_require(` + type var_log_t; + ') + + files_search_var($1) + manage_files_pattern($1, var_log_t, var_log_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## the audit environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## User role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`logging_admin_audit',` + gen_require(` + type auditd_t, auditd_etc_t, auditd_log_t; + type auditd_var_run_t; + type auditd_initrc_exec_t; + ') + + allow $1 auditd_t:process { ptrace signal_perms }; + ps_process_pattern($1, auditd_t) + + manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) + manage_files_pattern($1, auditd_etc_t, auditd_etc_t) + + manage_dirs_pattern($1, auditd_log_t, auditd_log_t) + manage_files_pattern($1, auditd_log_t, auditd_log_t) + + manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t) + manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t) + + logging_run_auditctl($1, $2) + + init_labeled_script_domtrans($1, auditd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 auditd_initrc_exec_t system_r; + allow $2 system_r; +') + +######################################## +## <summary> +## All of the rules required to administrate +## the syslog environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## User role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`logging_admin_syslog',` + gen_require(` + type syslogd_t, klogd_t, syslog_conf_t; + type syslogd_tmp_t, syslogd_var_lib_t; + type syslogd_var_run_t, klogd_var_run_t; + type klogd_tmp_t, var_log_t; + type syslogd_initrc_exec_t; + ') + + allow $1 syslogd_t:process { ptrace signal_perms }; + allow $1 klogd_t:process { ptrace signal_perms }; + ps_process_pattern($1, syslogd_t) + ps_process_pattern($1, klogd_t) + + manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) + manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) + + manage_dirs_pattern($1, klogd_tmp_t, klogd_tmp_t) + manage_files_pattern($1, klogd_tmp_t, klogd_tmp_t) + + manage_dirs_pattern($1, syslogd_tmp_t, syslogd_tmp_t) + manage_files_pattern($1, syslogd_tmp_t, syslogd_tmp_t) + + manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t) + manage_files_pattern($1, syslog_conf_t, syslog_conf_t) + files_etc_filetrans($1, syslog_conf_t, file) + + manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t) + manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t) + + manage_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t) + manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) + + logging_manage_all_logs($1) + allow $1 logfile:dir relabel_dir_perms; + allow $1 logfile:file relabel_file_perms; + + init_labeled_script_domtrans($1, syslogd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 syslogd_initrc_exec_t system_r; + allow $2 system_r; +') + +######################################## +## <summary> +## All of the rules required to administrate +## the logging environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## User role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`logging_admin',` + logging_admin_audit($1, $2) + logging_admin_syslog($1, $2) +') 
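Review bot: `logging_admin_syslog` references the `logfile` attribute directly (`allow $1 logfile:dir relabel_dir_perms;` and `allow $1 logfile:file relabel_file_perms;`) but its `gen_require` block lists only types and never declares `attribute logfile;`; it works only because the preceding `logging_manage_all_logs($1)` call expands a `gen_require` that happens to name it. Add `attribute logfile;` to the interface's own `gen_require` so the dependency is explicit and the interface does not break if that call is ever reordered or removed. Two smaller documentation points in the same hunk: `logging_inherit_append_all_logs` carries the same summary as `logging_append_all_logs` ("Append to all log files.") although it grants only `{ getattr append }` on inherited descriptors with no directory search, so its summary should say that; and `logging_append_all_logs` requires `type var_log_t;` which its body never uses.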
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te new file mode 100644 index 0000000..4762f02 --- /dev/null +++ b/policy/modules/system/logging.te 
@@ -0,0 +1,531 @@ +policy_module(logging, 1.16.0) + +######################################## +# +# Declarations +# + +attribute logfile; + +type auditctl_t; +type auditctl_exec_t; +init_system_domain(auditctl_t, auditctl_exec_t) +role system_r types auditctl_t; + +type auditd_etc_t; +files_security_file(auditd_etc_t) + +type auditd_log_t; +files_security_file(auditd_log_t) +files_security_mountpoint(auditd_log_t) + +type auditd_t; +type auditd_exec_t; +init_daemon_domain(auditd_t, auditd_exec_t) + +type auditd_initrc_exec_t; +init_script_file(auditd_initrc_exec_t) + +type auditd_var_run_t; +files_pid_file(auditd_var_run_t) + +type audisp_t; +type audisp_exec_t; +init_system_domain(audisp_t, audisp_exec_t) + +type audisp_var_run_t; +files_pid_file(audisp_var_run_t) + +type audisp_remote_t; +type audisp_remote_exec_t; +logging_dispatcher_domain(audisp_remote_t, audisp_remote_exec_t) + +type devlog_t; +files_type(devlog_t) +mls_trusted_object(devlog_t) + +type klogd_t; +type klogd_exec_t; +init_daemon_domain(klogd_t, klogd_exec_t) + +type klogd_tmp_t; +files_tmp_file(klogd_tmp_t) + +type klogd_var_run_t; +files_pid_file(klogd_var_run_t) + +type syslog_conf_t; +files_type(syslog_conf_t) + +type syslogd_t; +type syslogd_exec_t; +init_daemon_domain(syslogd_t, syslogd_exec_t) +mls_trusted_object(syslogd_t) + +type syslogd_initrc_exec_t; +init_script_file(syslogd_initrc_exec_t) + +type syslogd_tmp_t; +files_tmp_file(syslogd_tmp_t) + +type syslogd_var_lib_t; +files_type(syslogd_var_lib_t) + +type syslogd_var_run_t; +files_pid_file(syslogd_var_run_t) + +type var_log_t; +logging_log_file(var_log_t) +files_mountpoint(var_log_t) + +ifdef(`enable_mls',` + init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh) + init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh) +') + +######################################## +# +# Auditctl local policy +# + +allow auditctl_t self:capability { fsetid dac_read_search dac_override }; +allow auditctl_t 
self:netlink_audit_socket nlmsg_readpriv; + +read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) +allow auditctl_t auditd_etc_t:dir list_dir_perms; + +# Needed for adding watches +files_getattr_all_dirs(auditctl_t) +files_getattr_all_files(auditctl_t) +files_read_etc_files(auditctl_t) + +kernel_read_kernel_sysctls(auditctl_t) +kernel_read_proc_symlinks(auditctl_t) +kernel_setsched(auditctl_t) + +domain_read_all_domains_state(auditctl_t) +domain_use_interactive_fds(auditctl_t) + +mls_file_read_all_levels(auditctl_t) + +term_use_all_terms(auditctl_t) + +init_dontaudit_use_fds(auditctl_t) + +locallogin_dontaudit_use_fds(auditctl_t) + +logging_set_audit_parameters(auditctl_t) +logging_send_syslog_msg(auditctl_t) + +######################################## +# +# Auditd local policy +# + +allow auditd_t self:capability { chown fsetid sys_nice sys_resource }; +dontaudit auditd_t self:capability sys_tty_config; +allow auditd_t self:process { getcap signal_perms setcap setpgid setsched }; +allow auditd_t self:file rw_file_perms; +allow auditd_t self:unix_dgram_socket create_socket_perms; +allow auditd_t self:fifo_file rw_fifo_file_perms; +allow auditd_t self:tcp_socket create_stream_socket_perms; + +allow auditd_t auditd_etc_t:dir list_dir_perms; +allow auditd_t auditd_etc_t:file read_file_perms; + +manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) +manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) +allow auditd_t var_log_t:dir search_dir_perms; + +manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) +manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) +files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file }) + +kernel_read_kernel_sysctls(auditd_t) +# Needs to be able to run dispatcher. 
see /etc/audit/auditd.conf +# Probably want a transition, and a new auditd_helper app +kernel_read_system_state(auditd_t) + +dev_read_sysfs(auditd_t) + +fs_getattr_all_fs(auditd_t) +fs_search_auto_mountpoints(auditd_t) +fs_rw_anon_inodefs_files(auditd_t) + +selinux_search_fs(auditctl_t) + +corenet_all_recvfrom_unlabeled(auditd_t) +corenet_all_recvfrom_netlabel(auditd_t) +corenet_tcp_sendrecv_generic_if(auditd_t) +corenet_tcp_sendrecv_generic_node(auditd_t) +corenet_tcp_sendrecv_all_ports(auditd_t) +corenet_tcp_bind_generic_node(auditd_t) +corenet_tcp_bind_audit_port(auditd_t) +corenet_sendrecv_audit_server_packets(auditd_t) + +# Needs to be able to run dispatcher. see /etc/audit/auditd.conf +# Probably want a transition, and a new auditd_helper app +corecmd_exec_bin(auditd_t) +corecmd_exec_shell(auditd_t) + +domain_use_interactive_fds(auditd_t) + +files_read_etc_files(auditd_t) +files_list_usr(auditd_t) + +init_telinit(auditd_t) + +logging_set_audit_parameters(auditd_t) +logging_send_syslog_msg(auditd_t) +logging_domtrans_dispatcher(auditd_t) +logging_signal_dispatcher(auditd_t) + +auth_use_nsswitch(auditd_t) + +miscfiles_read_localization(auditd_t) + +mls_file_read_all_levels(auditd_t) +mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory + +seutil_dontaudit_read_config(auditd_t) + +sysnet_dns_name_resolve(auditd_t) + +userdom_use_user_terminals(auditd_t) +userdom_dontaudit_use_unpriv_user_fds(auditd_t) +userdom_dontaudit_search_user_home_dirs(auditd_t) + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(auditd_t) + ') +') + +optional_policy(` + mta_send_mail(auditd_t) +') + +optional_policy(` + seutil_sigchld_newrole(auditd_t) +') + +optional_policy(` + udev_read_db(auditd_t) +') + +######################################## +# +# audit dispatcher local policy +# + +allow audisp_t self:capability { dac_override setpcap sys_nice }; +allow audisp_t self:process { getcap signal_perms setcap setsched }; +allow audisp_t 
self:fifo_file rw_fifo_file_perms; +allow audisp_t self:unix_stream_socket create_stream_socket_perms; +allow audisp_t self:unix_dgram_socket create_socket_perms; + +allow audisp_t auditd_t:unix_stream_socket rw_socket_perms; + +manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) +files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) + +corecmd_exec_bin(audisp_t) +corecmd_exec_shell(audisp_t) + +domain_use_interactive_fds(audisp_t) + +files_read_etc_files(audisp_t) +files_read_etc_runtime_files(audisp_t) + +mls_file_read_all_levels(audisp_t) +mls_file_write_all_levels(audisp_t) +mls_socket_write_all_levels(audisp_t) +mls_dbus_send_all_levels(audisp_t) + +auth_use_nsswitch(audisp_t) + +logging_send_syslog_msg(audisp_t) + +miscfiles_read_localization(audisp_t) + +sysnet_dns_name_resolve(audisp_t) + +optional_policy(` + dbus_system_bus_client(audisp_t) + + optional_policy(` + setroubleshoot_dbus_chat(audisp_t) + ') +') + +######################################## +# +# Audit remote logger local policy +# +allow audisp_remote_t self:capability { setuid setpcap }; +allow audisp_remote_t self:process { getcap setcap }; +allow audisp_remote_t self:tcp_socket create_socket_perms; +allow audisp_remote_t var_log_t:dir search_dir_perms; + +corecmd_exec_bin(audisp_remote_t) + +corenet_all_recvfrom_unlabeled(audisp_remote_t) +corenet_all_recvfrom_netlabel(audisp_remote_t) +corenet_tcp_sendrecv_generic_if(audisp_remote_t) +corenet_tcp_sendrecv_generic_node(audisp_remote_t) +corenet_tcp_sendrecv_all_ports(audisp_remote_t) +corenet_tcp_bind_audit_port(audisp_remote_t) +corenet_tcp_bind_generic_node(audisp_remote_t) +corenet_tcp_connect_audit_port(audisp_remote_t) +corenet_sendrecv_audit_client_packets(audisp_remote_t) + +files_read_etc_files(audisp_remote_t) + +logging_send_syslog_msg(audisp_remote_t) +logging_send_audit_msgs(audisp_remote_t) + +auth_use_nsswitch(audisp_remote_t) + +miscfiles_read_localization(audisp_remote_t) + 
+init_telinit(audisp_remote_t) +init_read_utmp(audisp_remote_t) +init_dontaudit_write_utmp(audisp_remote_t) + +sysnet_dns_name_resolve(audisp_remote_t) + +######################################## +# +# klogd local policy +# + +allow klogd_t self:capability sys_admin; +dontaudit klogd_t self:capability { sys_resource sys_tty_config }; +allow klogd_t self:process signal_perms; + +manage_dirs_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t) +manage_files_pattern(klogd_t, klogd_tmp_t, klogd_tmp_t) +files_tmp_filetrans(klogd_t, klogd_tmp_t,{ file dir }) + +manage_files_pattern(klogd_t, klogd_var_run_t, klogd_var_run_t) +files_pid_filetrans(klogd_t, klogd_var_run_t, file) + +kernel_read_system_state(klogd_t) +kernel_read_messages(klogd_t) +kernel_read_kernel_sysctls(klogd_t) +# Control syslog and console logging +kernel_clear_ring_buffer(klogd_t) +kernel_change_ring_buffer_level(klogd_t) + +files_read_kernel_symbol_table(klogd_t) + +dev_read_raw_memory(klogd_t) +dev_read_sysfs(klogd_t) + +fs_getattr_all_fs(klogd_t) +fs_search_auto_mountpoints(klogd_t) + +domain_use_interactive_fds(klogd_t) + +files_read_etc_runtime_files(klogd_t) +# read /etc/nsswitch.conf +files_read_etc_files(klogd_t) + +logging_send_syslog_msg(klogd_t) + +miscfiles_read_localization(klogd_t) + +mls_file_read_all_levels(klogd_t) + +userdom_dontaudit_search_user_home_dirs(klogd_t) + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(klogd_t) + ') +') + +optional_policy(` + udev_read_db(klogd_t) +') + +optional_policy(` + seutil_sigchld_newrole(klogd_t) +') + +######################################## +# +# syslogd local policy +# + +# chown fsetid for syslog-ng +# sys_admin for the integrated klog of syslog-ng and metalog +# cjp: why net_admin! 
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid }; +dontaudit syslogd_t self:capability sys_tty_config; +# setpgid for metalog +# setrlimit for syslog-ng +allow syslogd_t self:process { signal_perms setpgid setrlimit }; +# receive messages to be logged +allow syslogd_t self:unix_dgram_socket create_socket_perms; +allow syslogd_t self:unix_stream_socket create_stream_socket_perms; +allow syslogd_t self:unix_dgram_socket sendto; +allow syslogd_t self:fifo_file rw_fifo_file_perms; +allow syslogd_t self:udp_socket create_socket_perms; +allow syslogd_t self:tcp_socket create_stream_socket_perms; + +allow syslogd_t syslog_conf_t:file read_file_perms; + +# Create and bind to /dev/log or /var/run/log. +allow syslogd_t devlog_t:sock_file manage_sock_file_perms; +files_pid_filetrans(syslogd_t, devlog_t, sock_file) + +# create/append log files. +manage_files_pattern(syslogd_t, var_log_t, var_log_t) +rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) + +# Allow access for syslog-ng +allow syslogd_t var_log_t:dir { create setattr }; + +# manage temporary files +manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) + +manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) +manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) +files_search_var_lib(syslogd_t) + +manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir }) + +# manage pid file +manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) + +kernel_read_system_state(syslogd_t) 
+kernel_read_kernel_sysctls(syslogd_t) +kernel_read_proc_symlinks(syslogd_t) +# Allow access to /proc/kmsg for syslog-ng +kernel_read_messages(syslogd_t) +kernel_clear_ring_buffer(syslogd_t) +kernel_change_ring_buffer_level(syslogd_t) + +corenet_all_recvfrom_unlabeled(syslogd_t) +corenet_all_recvfrom_netlabel(syslogd_t) +corenet_udp_sendrecv_generic_if(syslogd_t) +corenet_udp_sendrecv_generic_node(syslogd_t) +corenet_udp_sendrecv_all_ports(syslogd_t) +corenet_udp_bind_generic_node(syslogd_t) +corenet_udp_bind_syslogd_port(syslogd_t) +# syslog-ng can listen and connect on tcp port 514 (rsh) +corenet_tcp_sendrecv_generic_if(syslogd_t) +corenet_tcp_sendrecv_generic_node(syslogd_t) +corenet_tcp_sendrecv_all_ports(syslogd_t) +corenet_tcp_bind_generic_node(syslogd_t) +corenet_tcp_bind_rsh_port(syslogd_t) +corenet_tcp_connect_rsh_port(syslogd_t) +# Allow users to define additional syslog ports to connect to +corenet_tcp_bind_syslogd_port(syslogd_t) +corenet_tcp_connect_syslogd_port(syslogd_t) +corenet_tcp_connect_postgresql_port(syslogd_t) +corenet_tcp_connect_mysqld_port(syslogd_t) + +# syslog-ng can send or receive logs +corenet_sendrecv_syslogd_client_packets(syslogd_t) +corenet_sendrecv_syslogd_server_packets(syslogd_t) +corenet_sendrecv_postgresql_client_packets(syslogd_t) +corenet_sendrecv_mysqld_client_packets(syslogd_t) + +dev_filetrans(syslogd_t, devlog_t, sock_file) +dev_read_sysfs(syslogd_t) +dev_read_rand(syslogd_t) + +domain_use_interactive_fds(syslogd_t) + +files_read_etc_files(syslogd_t) +files_read_usr_files(syslogd_t) +files_read_var_files(syslogd_t) +files_read_etc_runtime_files(syslogd_t) +# /initrd is not umounted before minilog starts +files_dontaudit_search_isid_type_dirs(syslogd_t) +files_read_kernel_symbol_table(syslogd_t) + +fs_getattr_all_fs(syslogd_t) +fs_search_auto_mountpoints(syslogd_t) + +mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories + +term_write_console(syslogd_t) +# Allow syslog to a 
terminal +term_write_unallocated_ttys(syslogd_t) + +# for sending messages to logged in users +init_read_utmp(syslogd_t) +init_dontaudit_write_utmp(syslogd_t) +term_write_all_ttys(syslogd_t) + +auth_use_nsswitch(syslogd_t) + +init_use_fds(syslogd_t) + +# cjp: this doesnt make sense +logging_send_syslog_msg(syslogd_t) + +miscfiles_read_localization(syslogd_t) + +userdom_dontaudit_use_unpriv_user_fds(syslogd_t) +userdom_dontaudit_search_user_home_dirs(syslogd_t) + +ifdef(`distro_gentoo',` + # default gentoo syslog-ng config appends kernel + # and high priority messages to /dev/tty12 + term_append_unallocated_ttys(syslogd_t) + term_dontaudit_setattr_unallocated_ttys(syslogd_t) +') + +ifdef(`distro_suse',` + # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel + files_var_lib_filetrans(syslogd_t, devlog_t, sock_file) +') + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(syslogd_t) + ') +') + +optional_policy(` + bind_search_cache(syslogd_t) +') + +optional_policy(` + inn_manage_log(syslogd_t) +') + +optional_policy(` + mysql_stream_connect(syslogd_t) +') + +optional_policy(` + postgresql_stream_connect(syslogd_t) +') + +optional_policy(` + seutil_sigchld_newrole(syslogd_t) +') + +optional_policy(` + daemontools_search_svc_dir(syslogd_t) +') + +optional_policy(` + udev_read_db(syslogd_t) +') + +optional_policy(` + # log to the xconsole + xserver_rw_console(syslogd_t) +') diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc new file mode 100644 index 0000000..31efcb2 --- /dev/null +++ b/policy/modules/system/lvm.fc 
@@ -0,0 +1,103 @@ + +# LVM creates lock files in /var before /var is mounted +# configure LVM to put lockfiles in /etc/lvm/lock instead +# for this policy to work (unless you have no separate /var) + +# +# /bin +# +ifdef(`distro_gentoo',` +/bin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) +') + +# +# /etc +# +/etc/lvm(/.*)? gen_context(system_u:object_r:lvm_etc_t,s0) +/etc/lvm/\.cache -- gen_context(system_u:object_r:lvm_metadata_t,s0) +/etc/lvm/cache(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) +/etc/lvm/archive(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) +/etc/lvm/backup(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) +/etc/lvm/lock(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) + +/etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) +/etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) + +# +# /lib +# +/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) +/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) +/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0) + +# +# /sbin +# +/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/lvmdiskscan -- 
gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/lvreduce -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/lvremove -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/lvrename -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/lvresize -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/pvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/pvmove -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/pvremove -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/pvs -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/pvscan -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/vgcfgbackup -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/vgcfgrestore -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/vgchange -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/vgchange\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/vgck -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/vgcreate -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/vgdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/vgexport -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/vgextend -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/vgimport -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/vgmerge -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/vgmknodes -- 
gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/vgreduce -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/vgremove -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/vgrename -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/vgs -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/vgscan -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/vgscan\.static -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/vgsplit -- gen_context(system_u:object_r:lvm_exec_t,s0) +/sbin/vgwrapper -- gen_context(system_u:object_r:lvm_exec_t,s0) + +# +# /usr +# +/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0) +/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0) + +# +# /var +# +/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) +/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) +/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) +/var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) +/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if new file mode 100644 index 0000000..b4f0663 --- /dev/null +++ b/policy/modules/system/lvm.if 
@@ -0,0 +1,143 @@ +## <summary>Policy for logical volume management programs.</summary> + +######################################## +## <summary> +## Execute lvm programs in the lvm domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`lvm_domtrans',` + gen_require(` + type lvm_t, lvm_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, lvm_exec_t, lvm_t) +') + +######################################## +## <summary> +## Execute lvm programs in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`lvm_exec',` + gen_require(` + type lvm_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, lvm_exec_t) +') + +######################################## +## <summary> +## Execute lvm programs in the lvm domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to allow the LVM domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`lvm_run',` + gen_require(` + type lvm_t; + ') + + lvm_domtrans($1) + role $2 types lvm_t; +') + +######################################## +## <summary> +## Read LVM configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`lvm_read_config',` + gen_require(` + type lvm_etc_t; + ') + + files_search_etc($1) + allow $1 lvm_etc_t:dir list_dir_perms; + read_files_pattern($1, lvm_etc_t, lvm_etc_t) +') + +######################################## +## <summary> +## Manage LVM configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`lvm_manage_config',` + gen_require(` + type lvm_etc_t; + ') + + files_search_etc($1) + manage_dirs_pattern($1, lvm_etc_t, lvm_etc_t) + manage_files_pattern($1, lvm_etc_t, lvm_etc_t) +') + +###################################### +## <summary> +## Execute a domain transition to run clvmd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`lvm_domtrans_clvmd',` + gen_require(` + type clvmd_t, clvmd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, clvmd_exec_t, clvmd_t) +') + +######################################## +## <summary> +## Read and write to lvm temporary file system. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`lvm_rw_clvmd_tmpfs_files',` + gen_require(` + type clvmd_tmpfs_t; + ') + + allow $1 clvmd_tmpfs_t:file rw_file_perms; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te new file mode 100644 index 0000000..7f649d5 --- /dev/null +++ b/policy/modules/system/lvm.te 
@@ -0,0 +1,378 @@ +policy_module(lvm, 1.12.0) + +######################################## +# +# Declarations +# + +type clvmd_t; +type clvmd_exec_t; +init_daemon_domain(clvmd_t, clvmd_exec_t) + +type clvmd_initrc_exec_t; +init_script_file(clvmd_initrc_exec_t) + +type clmvd_tmpfs_t; +files_tmpfs_file(clmvd_tmpfs_t) + +type clvmd_var_run_t; +files_pid_file(clvmd_var_run_t) + +type lvm_t; +type lvm_exec_t; +init_system_domain(lvm_t, lvm_exec_t) +# needs privowner because it assigns the identity system_u to device nodes +# but runs as the identity of the sysadmin +domain_obj_id_change_exemption(lvm_t) +role system_r types lvm_t; + +type lvm_etc_t; +files_type(lvm_etc_t) + +type lvm_lock_t; +files_lock_file(lvm_lock_t) + +type lvm_metadata_t; +files_type(lvm_metadata_t) + +type lvm_var_lib_t; +files_type(lvm_var_lib_t) + +type lvm_var_run_t; +files_pid_file(lvm_var_run_t) + +type lvm_tmp_t; +files_tmp_file(lvm_tmp_t) + +######################################## +# +# Cluster LVM daemon local policy +# + +allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod }; +dontaudit clvmd_t self:capability sys_tty_config; +allow clvmd_t self:process { signal_perms setsched }; +dontaudit clvmd_t self:process ptrace; +allow clvmd_t self:socket create_socket_perms; +allow clvmd_t self:fifo_file rw_fifo_file_perms; +allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow clvmd_t self:tcp_socket create_stream_socket_perms; +allow clvmd_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(clvmd_t, clmvd_tmpfs_t, clmvd_tmpfs_t) +manage_files_pattern(clvmd_t, clmvd_tmpfs_t,clmvd_tmpfs_t) +fs_tmpfs_filetrans(clvmd_t, clmvd_tmpfs_t, { dir file }) + +manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) +files_pid_filetrans(clvmd_t, clvmd_var_run_t, file) + +read_files_pattern(clvmd_t, lvm_metadata_t, lvm_metadata_t) + +kernel_read_kernel_sysctls(clvmd_t) +kernel_read_system_state(clvmd_t) +kernel_list_proc(clvmd_t) 
+kernel_read_proc_symlinks(clvmd_t) +kernel_search_debugfs(clvmd_t) +kernel_dontaudit_getattr_core_if(clvmd_t) + +corecmd_exec_shell(clvmd_t) +corecmd_getattr_bin_files(clvmd_t) + +corenet_all_recvfrom_unlabeled(clvmd_t) +corenet_all_recvfrom_netlabel(clvmd_t) +corenet_tcp_sendrecv_generic_if(clvmd_t) +corenet_udp_sendrecv_generic_if(clvmd_t) +corenet_raw_sendrecv_generic_if(clvmd_t) +corenet_tcp_sendrecv_generic_node(clvmd_t) +corenet_udp_sendrecv_generic_node(clvmd_t) +corenet_raw_sendrecv_generic_node(clvmd_t) +corenet_tcp_sendrecv_all_ports(clvmd_t) +corenet_udp_sendrecv_all_ports(clvmd_t) +corenet_tcp_bind_generic_node(clvmd_t) +corenet_tcp_bind_reserved_port(clvmd_t) +corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t) +corenet_sendrecv_generic_server_packets(clvmd_t) + +dev_read_sysfs(clvmd_t) +dev_manage_generic_symlinks(clvmd_t) +dev_relabel_generic_dev_dirs(clvmd_t) +dev_manage_generic_blk_files(clvmd_t) +dev_manage_generic_chr_files(clvmd_t) +dev_rw_lvm_control(clvmd_t) +dev_dontaudit_getattr_all_blk_files(clvmd_t) +dev_dontaudit_getattr_all_chr_files(clvmd_t) +dev_create_generic_dirs(clvmd_t) +dev_delete_generic_dirs(clvmd_t) + +files_read_etc_files(clvmd_t) +files_list_usr(clvmd_t) + +fs_getattr_all_fs(clvmd_t) +fs_search_auto_mountpoints(clvmd_t) +fs_dontaudit_list_tmpfs(clvmd_t) +fs_dontaudit_read_removable_files(clvmd_t) +fs_rw_anon_inodefs_files(clvmd_t) + +storage_dontaudit_getattr_removable_dev(clvmd_t) +storage_manage_fixed_disk(clvmd_t) +storage_dev_filetrans_fixed_disk(clvmd_t) +storage_relabel_fixed_disk(clvmd_t) +storage_raw_read_fixed_disk(clvmd_t) + +domain_use_interactive_fds(clvmd_t) + +auth_use_nsswitch(clvmd_t) + +init_dontaudit_getattr_initctl(clvmd_t) + +logging_send_syslog_msg(clvmd_t) + +miscfiles_read_localization(clvmd_t) + +seutil_dontaudit_search_config(clvmd_t) +seutil_sigchld_newrole(clvmd_t) +seutil_read_config(clvmd_t) +seutil_read_file_contexts(clvmd_t) +seutil_search_default_contexts(clvmd_t) + 
+userdom_dontaudit_use_unpriv_user_fds(clvmd_t) +userdom_dontaudit_search_user_home_dirs(clvmd_t) + +lvm_domtrans(clvmd_t) +lvm_read_config(clvmd_t) + +ifdef(`distro_redhat',` + optional_policy(` + unconfined_domain(clvmd_t) + ') +') + +optional_policy(` + aisexec_stream_connect(clvmd_t) + corosync_stream_connect(clvmd_t) +') + +optional_policy(` + ccs_stream_connect(clvmd_t) +') + +optional_policy(` + gpm_dontaudit_getattr_gpmctl(clvmd_t) +') + +optional_policy(` + ricci_dontaudit_rw_modcluster_pipes(clvmd_t) + ricci_dontaudit_use_modcluster_fds(clvmd_t) +') + +optional_policy(` + udev_read_db(clvmd_t) +') + +######################################## +# +# LVM Local policy +# + +# DAC overrides and mknod for modifying /dev entries (vgmknodes) +# rawio needed for dmraid +# net_admin for multipath +allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; +dontaudit lvm_t self:capability sys_tty_config; +allow lvm_t self:process { sigchld sigkill sigstop signull signal }; +# LVM will complain a lot if it cannot set its priority. 
+allow lvm_t self:process setsched; +allow lvm_t self:sem create_sem_perms; +allow lvm_t self:file rw_file_perms; +allow lvm_t self:fifo_file manage_fifo_file_perms; +allow lvm_t self:unix_dgram_socket create_socket_perms; +allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; + +allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms }; + +manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t) +manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t) +files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir }) + +# /lib/lvm-<version> holds the actual LVM binaries (and symlinks) +read_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) +read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) + +# LVM is split into many individual binaries +can_exec(lvm_t, lvm_exec_t) + +# Creating lock files +manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t) +files_lock_filetrans(lvm_t, lvm_lock_t, file) + +manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) +manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) +files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) + +manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) +manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) +manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) +files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file }) + +read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) +read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) +# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d +manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t) +filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file) +files_etc_filetrans(lvm_t, lvm_metadata_t, file) +files_search_mnt(lvm_t) + +kernel_get_sysvipc_info(lvm_t) +kernel_read_system_state(lvm_t) +kernel_read_kernel_sysctls(lvm_t) +# Read system variables in /proc/sys +kernel_read_kernel_sysctls(lvm_t) +# it has no reason to need this +kernel_dontaudit_getattr_core_if(lvm_t) 
+kernel_use_fds(lvm_t) +kernel_request_load_module(lvm_t) +kernel_search_debugfs(lvm_t) + +corecmd_exec_bin(lvm_t) +corecmd_exec_shell(lvm_t) + +dev_create_generic_chr_files(lvm_t) +dev_delete_generic_dirs(lvm_t) +dev_read_rand(lvm_t) +dev_read_urand(lvm_t) +dev_rw_lvm_control(lvm_t) +dev_manage_generic_symlinks(lvm_t) +dev_relabel_generic_dev_dirs(lvm_t) +dev_manage_generic_blk_files(lvm_t) +# Read /sys/block. Device mapper metadata is kept there. +dev_read_sysfs(lvm_t) +# cjp: this has no effect since LVM does not +# have lnk_file relabelto for anything else. +# perhaps this should be blk_files? +dev_relabel_generic_symlinks(lvm_t) +# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex... +dev_dontaudit_read_all_chr_files(lvm_t) +dev_dontaudit_read_all_blk_files(lvm_t) +dev_dontaudit_getattr_generic_chr_files(lvm_t) +dev_dontaudit_getattr_generic_blk_files(lvm_t) +dev_dontaudit_getattr_generic_pipes(lvm_t) +dev_create_generic_dirs(lvm_t) +dev_rw_generic_files(lvm_t) + +domain_use_interactive_fds(lvm_t) +domain_read_all_domains_state(lvm_t) + +files_read_usr_files(lvm_t) +files_read_etc_files(lvm_t) +files_read_etc_runtime_files(lvm_t) +# for when /usr is not mounted: +files_dontaudit_search_isid_type_dirs(lvm_t) +files_dontaudit_getattr_tmpfs_files(lvm_t) + +fs_getattr_all_fs(lvm_t) +fs_search_auto_mountpoints(lvm_t) +fs_list_tmpfs(lvm_t) +fs_read_tmpfs_symlinks(lvm_t) +fs_dontaudit_read_removable_files(lvm_t) +fs_dontaudit_getattr_tmpfs_files(lvm_t) +fs_rw_anon_inodefs_files(lvm_t) + +mls_file_read_all_levels(lvm_t) +mls_file_write_to_clearance(lvm_t) +mls_file_upgrade(lvm_t) + +selinux_get_fs_mount(lvm_t) +selinux_validate_context(lvm_t) +selinux_compute_access_vector(lvm_t) +selinux_compute_create_context(lvm_t) +selinux_compute_relabel_context(lvm_t) +selinux_compute_user_contexts(lvm_t) + +storage_relabel_fixed_disk(lvm_t) +storage_dontaudit_read_removable_device(lvm_t) +# LVM creates block devices in /dev/mapper or /dev/<vg> +# 
depending on its version +# LVM(2) needs to create directores (/dev/mapper, /dev/<vg>) +# and links from /dev/<vg> to /dev/mapper/<vg>-<lv> +# cjp: need create interface here for fixed disk create +storage_dev_filetrans_fixed_disk(lvm_t) +# Access raw devices and old /dev/lvm (c 109,0). Is this needed? +storage_manage_fixed_disk(lvm_t) + +term_use_all_terms(lvm_t) + +init_use_fds(lvm_t) +init_dontaudit_getattr_initctl(lvm_t) +init_use_script_ptys(lvm_t) +init_read_script_state(lvm_t) + +logging_send_syslog_msg(lvm_t) + +miscfiles_read_localization(lvm_t) + +seutil_read_config(lvm_t) +seutil_read_file_contexts(lvm_t) +seutil_search_default_contexts(lvm_t) +seutil_sigchld_newrole(lvm_t) + +userdom_use_user_terminals(lvm_t) + +ifdef(`distro_redhat',` + # this is from the initrd: + files_rw_isid_type_dirs(lvm_t) + + optional_policy(` + unconfined_domain(lvm_t) + ') +') + +optional_policy(` + aisexec_stream_connect(lvm_t) + corosync_stream_connect(lvm_t) +') + +optional_policy(` + bootloader_rw_tmp_files(lvm_t) +') + +optional_policy(` + ccs_stream_connect(lvm_t) +') + +optional_policy(` + gpm_dontaudit_getattr_gpmctl(lvm_t) +') + +optional_policy(` + dbus_system_bus_client(lvm_t) + + optional_policy(` + hal_dbus_chat(lvm_t) + ') +') + +optional_policy(` + livecd_rw_semaphores(lvm_t) +') + +optional_policy(` + modutils_domtrans_insmod(lvm_t) +') + +optional_policy(` + rpm_manage_script_tmp_files(lvm_t) +') + +optional_policy(` + udev_read_db(lvm_t) +') + +optional_policy(` + virt_manage_images(lvm_t) +') + +optional_policy(` + xen_append_log(lvm_t) + xen_dontaudit_rw_unix_stream_sockets(lvm_t) +') diff --git a/policy/modules/system/metadata.xml b/policy/modules/system/metadata.xml new file mode 100644 index 0000000..4866e97 --- /dev/null +++ b/policy/modules/system/metadata.xml @@ -0,0 +1,3 @@ +<summary> + Policy modules for system functions from init to multi-user login. +</summary> 
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc new file mode 100644 index 0000000..a8bd9fe --- /dev/null +++ b/policy/modules/system/miscfiles.fc 
@@ -0,0 +1,94 @@ +# +# /emul +# +ifdef(`distro_gentoo',` +/emul/linux/x86/usr/(X11R6/)?lib/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) +') + +# +# /etc +# +/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) +/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) +/etc/timezone -- gen_context(system_u:object_r:locale_t,s0) +/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) +/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0) + +ifdef(`distro_redhat',` +/etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0) +') + +# +# /opt +# +/opt/(.*/)?man(/.*)? gen_context(system_u:object_r:man_t,s0) + +# +# /srv +# +/srv/([^/]*/)?ftp(/.*)? gen_context(system_u:object_r:public_content_t,s0) +/srv/([^/]*/)?rsync(/.*)? gen_context(system_u:object_r:public_content_t,s0) + +# +# /usr +# +/usr/lib/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) + +/usr/lib(64)?/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) + +/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0) +/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) + +/usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) + +/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) + +/usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) +/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) +/usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) +/usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) +/usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) +/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) +/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0) + +/usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0) +/usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0) + +/usr/X11R6/lib/X11/fonts(/.*)? 
gen_context(system_u:object_r:fonts_t,s0) + +/usr/X11R6/man(/.*)? gen_context(system_u:object_r:man_t,s0) + +ifdef(`distro_gentoo',` +/usr/share/misc/(pci|usb)\.ids -- gen_context(system_u:object_r:hwdata_t,s0) +') + +ifdef(`distro_redhat',` +/usr/share/hwdata(/.*)? gen_context(system_u:object_r:hwdata_t,s0) +') + +# +# /var +# +/var/ftp(/.*)? gen_context(system_u:object_r:public_content_t,s0) + +/var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) + +/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) +/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) +/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) + +/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) + +/var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0) + +/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) + +ifdef(`distro_debian',` +/var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) +/var/lib/usbutils(/.*)? gen_context(system_u:object_r:hwdata_t,s0) +') + +ifdef(`distro_redhat',` +/var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) +/var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) +') diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if new file mode 100644 index 0000000..926ba65 --- /dev/null +++ b/policy/modules/system/miscfiles.if 
@@ -0,0 +1,771 @@ +## <summary>Miscelaneous files.</summary> + +######################################## +## <summary> +## Make the specified type usable as a cert file. +## </summary> +## <desc> +## <p> +## Make the specified type usable for cert files. +## This will also make the type usable for files, making +## calls to files_type() redundant. Failure to use this interface +## for a temporary file may result in problems with +## cert management tools. +## </p> +## <p> +## Related interfaces: +## </p> +## <ul> +## <li>files_type()</li> +## </ul> +## <p> +## Example: +## </p> +## <p> +## type mycertfile_t; +## cert_type(mycertfile_t) +## allow mydomain_t mycertfile_t:file read_file_perms; +## files_search_etc(mydomain_t) +## </p> +## </desc> +## <param name="type"> +## <summary> +## Type to be used for files. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`miscfiles_cert_type',` + gen_require(` + attribute cert_type; + ') + + typeattribute $1 cert_type; + files_type($1) +') + +######################################## +## <summary> +## Read all SSL certificates. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`miscfiles_read_all_certs',` + gen_require(` + attribute cert_type; + ') + + allow $1 cert_type:dir list_dir_perms; + read_files_pattern($1, cert_type, cert_type) + read_lnk_files_pattern($1, cert_type, cert_type) +') + +######################################## +## <summary> +## Read generic SSL certificates. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`miscfiles_read_generic_certs',` + gen_require(` + type cert_t; + ') + + allow $1 cert_t:dir list_dir_perms; + read_files_pattern($1, cert_t, cert_t) + read_lnk_files_pattern($1, cert_t, cert_t) +') + +######################################## +## <summary> +## Manage generic SSL certificates. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`miscfiles_manage_generic_cert_dirs',` + gen_require(` + type cert_t; + ') + + manage_dirs_pattern($1, cert_t, cert_t) +') + +######################################## +## <summary> +## Manage generic SSL certificates. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`miscfiles_manage_generic_cert_files',` + gen_require(` + type cert_t; + ') + + manage_files_pattern($1, cert_t, cert_t) + read_lnk_files_pattern($1, cert_t, cert_t) +') + +######################################## +## <summary> +## Read SSL certificates. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`miscfiles_read_certs',` + miscfiles_read_generic_certs($1) + refpolicywarn(`$0() has been deprecated, please use miscfiles_read_generic_certs() instead.') +') + +######################################## +## <summary> +## Manage SSL certificates. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`miscfiles_manage_cert_dirs',` + miscfiles_manage_generic_cert_dirs($1) + refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_dirs() instead.') +') + +######################################## +## <summary> +## Manage SSL certificates. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`miscfiles_manage_cert_files',` + miscfiles_manage_generic_cert_files($1) + refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_files() instead.') +') + +######################################## +## <summary> +## Read fonts. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`miscfiles_read_fonts',` + gen_require(` + type fonts_t, fonts_cache_t; + ') + + # cjp: fonts can be in either of these dirs + files_search_usr($1) + libs_search_lib($1) + + allow $1 fonts_t:dir list_dir_perms; + read_files_pattern($1, fonts_t, fonts_t) + read_lnk_files_pattern($1, fonts_t, fonts_t) + + allow $1 fonts_cache_t:dir list_dir_perms; + read_files_pattern($1, fonts_cache_t, fonts_cache_t) + read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) +') + +######################################## +## <summary> +## Set the attributes on a fonts directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`miscfiles_setattr_fonts_dirs',` + gen_require(` + type fonts_t; + ') + + allow $1 fonts_t:dir setattr; +') + +######################################## +## <summary> +## Do not audit attempts to set the attributes +## on a fonts directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +## <rolecap/> +# +interface(`miscfiles_dontaudit_setattr_fonts_dirs',` + gen_require(` + type fonts_t; + ') + + dontaudit $1 fonts_t:dir setattr; +') + +######################################## +## <summary> +## Do not audit attempts to write fonts. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +## <rolecap/> +# +interface(`miscfiles_dontaudit_write_fonts',` + gen_require(` + type fonts_t; + ') + + dontaudit $1 fonts_t:dir { write setattr }; + dontaudit $1 fonts_t:file write; +') + +######################################## +## <summary> +## Create, read, write, and delete fonts. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`miscfiles_manage_fonts',` + gen_require(` + type fonts_t; + ') + + # cjp: fonts can be in either of these dirs + files_search_usr($1) + libs_search_lib($1) + + manage_dirs_pattern($1, fonts_t, fonts_t) + manage_files_pattern($1, fonts_t, fonts_t) + manage_lnk_files_pattern($1, fonts_t, fonts_t) +') + +######################################## +## <summary> +## Set the attributes on a fonts cache directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`miscfiles_setattr_fonts_cache_dirs',` + gen_require(` + type fonts_cache_t; + ') + + allow $1 fonts_cache_t:dir setattr; +') + +######################################## +## <summary> +## Do not audit attempts to set the attributes +## on a fonts cache directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',` + gen_require(` + type fonts_cache_t; + ') + + dontaudit $1 fonts_cache_t:dir setattr; +') + +######################################## +## <summary> +## Create, read, write, and delete fonts cache. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`miscfiles_manage_fonts_cache',` + gen_require(` + type fonts_cache_t; + ') + + files_search_var($1) + + manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t) + manage_files_pattern($1, fonts_cache_t, fonts_cache_t) + manage_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) +') + +######################################## +## <summary> +## Read hardware identification data. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`miscfiles_read_hwdata',` + gen_require(` + type hwdata_t; + ') + + allow $1 hwdata_t:dir list_dir_perms; + read_files_pattern($1, hwdata_t, hwdata_t) + read_lnk_files_pattern($1, hwdata_t, hwdata_t) +') + +######################################## +## <summary> +## Allow process to setattr localization info +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`miscfiles_setattr_localization',` + gen_require(` + type locale_t; + ') + + files_search_usr($1) + allow $1 locale_t:dir list_dir_perms; + allow $1 locale_t:file setattr; +') + +######################################## +## <summary> +## Allow process to read localization information. +## </summary> +## <desc> +## <p> +## Allow the specified domain to read the localization files. +## This is typically for time zone configuration files, such as +## /etc/localtime and files in /usr/share/zoneinfo. +## Typically, any domain which needs to know the GMT/UTC +## offset of the current timezone will need access +## to these files. Generally, it should be safe for any +## domain to read these files. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`miscfiles_read_localization',` + gen_require(` + type locale_t; + ') + + files_read_etc_symlinks($1) + files_search_usr($1) + allow $1 locale_t:dir list_dir_perms; + read_files_pattern($1, locale_t, locale_t) + read_lnk_files_pattern($1, locale_t, locale_t) +') + +######################################## +## <summary> +## Allow process to write localization info +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`miscfiles_rw_localization',` + gen_require(` + type locale_t; + ') + + files_search_usr($1) + allow $1 locale_t:dir list_dir_perms; + rw_files_pattern($1, locale_t, locale_t) +') + +######################################## +## <summary> +## Allow process to relabel localization info +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`miscfiles_relabel_localization',` + gen_require(` + type locale_t; + ') + + files_search_usr($1) + relabel_files_pattern($1, locale_t, locale_t) +') + +######################################## +## <summary> +## Allow process to read legacy time localization info +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`miscfiles_legacy_read_localization',` + gen_require(` + type locale_t; + ') + + miscfiles_read_localization($1) + allow $1 locale_t:file execute; +') + +######################################## +## <summary> +## Search man pages. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`miscfiles_search_man_pages',` + gen_require(` + type man_t; + ') + + allow $1 man_t:dir search_dir_perms; + files_search_usr($1) +') + +######################################## +## <summary> +## Do not audit attempts to search man pages. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`miscfiles_dontaudit_search_man_pages',` + gen_require(` + type man_t; + ') + + dontaudit $1 man_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Read man pages +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`miscfiles_read_man_pages',` + gen_require(` + type man_t; + ') + + files_search_usr($1) + allow $1 man_t:dir list_dir_perms; + read_files_pattern($1, man_t, man_t) + read_lnk_files_pattern($1, man_t, man_t) +') + +######################################## +## <summary> +## Delete man pages +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# cjp: added for tmpreaper +# +interface(`miscfiles_delete_man_pages',` + gen_require(` + type man_t; + ') + + files_search_usr($1) + + allow $1 man_t:dir setattr; + # RH bug #309351 + allow $1 man_t:dir list_dir_perms; + delete_dirs_pattern($1, man_t, man_t) + delete_files_pattern($1, man_t, man_t) + delete_lnk_files_pattern($1, man_t, man_t) +') + +######################################## +## <summary> +## Create, read, write, and delete man pages +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`miscfiles_manage_man_pages',` + gen_require(` + type man_t; + ') + + files_search_usr($1) + manage_dirs_pattern($1, man_t, man_t) + manage_files_pattern($1, man_t, man_t) + read_lnk_files_pattern($1, man_t, man_t) +') + +######################################## +## <summary> +## Read public files used for file +## transfer services. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`miscfiles_read_public_files',` + gen_require(` + type public_content_t, public_content_rw_t; + ') + + allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms; + read_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t }) + read_lnk_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t }) +') + +######################################## +## <summary> +## Create, read, write, and delete public files +## and directories used for file transfer services. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`miscfiles_manage_public_files',` + gen_require(` + type public_content_rw_t; + ') + + manage_dirs_pattern($1, public_content_rw_t, public_content_rw_t) + manage_files_pattern($1, public_content_rw_t, public_content_rw_t) + manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t) +') + +######################################## +## <summary> +## Read TeX data +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`miscfiles_read_tetex_data',` + gen_require(` + type tetex_data_t; + ') + + files_search_var($1) + files_search_var_lib($1) + + # cjp: TeX data can be in either of the above dirs + allow $1 tetex_data_t:dir list_dir_perms; + read_files_pattern($1, tetex_data_t, tetex_data_t) + read_lnk_files_pattern($1, tetex_data_t, tetex_data_t) +') + +######################################## +## <summary> +## Execute TeX data programs in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`miscfiles_exec_tetex_data',` + gen_require(` + type fonts_t; + type tetex_data_t; + ') + + files_search_var($1) + files_search_var_lib($1) + + # cjp: TeX data can be in either of the above dirs + allow $1 tetex_data_t:dir list_dir_perms; + exec_files_pattern($1, tetex_data_t, tetex_data_t) +') + +######################################## +## <summary> +## Let test files be an entry point for +## a specified domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`miscfiles_domain_entry_test_files',` + gen_require(` + type test_file_t; + ') + + domain_entry_file($1, test_file_t) +') + +######################################## +## <summary> +## Read test files and directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`miscfiles_read_test_files',` + gen_require(` + type test_file_t; + ') + + read_files_pattern($1, test_file_t, test_file_t) + read_lnk_files_pattern($1, test_file_t, test_file_t) +') + +######################################## +## <summary> +## Execute test files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`miscfiles_exec_test_files',` + gen_require(` + type test_file_t; + ') + + exec_files_pattern($1, test_file_t, test_file_t) + read_lnk_files_pattern($1, test_file_t, test_file_t) +') + +######################################## +## <summary> +## Execute test files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
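Review bot: `miscfiles_exec_tetex_data` requires `type fonts_t;` and never uses it, and the doc block that closes this chunk repeats the `miscfiles_exec_test_files` summary ("Execute test files.") even though the interface it introduces is `miscfiles_etc_filetrans_localization`, which only sets up `files_etc_filetrans($1, locale_t, file)`; the generated interface documentation will therefore describe the wrong thing. Drop the unused require and give the transition interface its own summary, e.g. `## Create localization files in /etc with an automatic transition to locale_t.` While here: `miscfiles_legacy_read_localization` adds `allow $1 locale_t:file execute;` on top of `miscfiles_read_localization($1)`, and `miscfiles_rw_localization` grants write on the same type via `rw_files_pattern`, so a domain given both can write and then execute content labeled locale_t. A comment naming the caller that still needs the execute rule, or a `refpolicywarn` deprecation as used for `mount_send_nfs_client_request` later in this patch, would let it be retired.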
+## </summary> +## </param> +# +interface(`miscfiles_etc_filetrans_localization',` + gen_require(` + type locale_t; + ') + + files_etc_filetrans($1, locale_t, file) + +') + +######################################## +## <summary> +## Create, read, write, and delete localization +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`miscfiles_manage_localization',` + gen_require(` + type locale_t; + ') + + manage_dirs_pattern($1, locale_t, locale_t) + manage_files_pattern($1, locale_t, locale_t) + manage_lnk_files_pattern($1, locale_t, locale_t) +') + diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te new file mode 100644 index 0000000..59c70bf --- /dev/null +++ b/policy/modules/system/miscfiles.te @@ -0,0 +1,62 @@ +policy_module(miscfiles, 1.8.1) + +######################################## +# +# Declarations +# +attribute cert_type; + +# +# cert_t is the type of files in the system certs directories. +# +type cert_t; +miscfiles_cert_type(cert_t) + +# +# fonts_t is the type of various font +# files in /usr +# +type fonts_t; +files_type(fonts_t) + +type fonts_cache_t; +files_type(fonts_cache_t) + +# +# type for /usr/share/hwdata +# +type hwdata_t; +files_type(hwdata_t) + +# +# locale_t is the type for system localization +# +type locale_t; +files_type(locale_t) + +# +# man_t is the type for the man directories. +# +type man_t alias catman_t; +files_type(man_t) + +# +# Types for public content +# +type public_content_t; #, customizable; +files_type(public_content_t) + +type public_content_rw_t; #, customizable; +files_type(public_content_rw_t) + +# +# Base type for the tests directory. +# +type test_file_t; +files_type(test_file_t) + +# +# for /var/{spool,lib}/texmf index files +# +type tetex_data_t; +files_tmp_file(tetex_data_t) 
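Review bot: the `#, customizable;` fragments after `type public_content_t;` and `type public_content_rw_t;` are commented-out remnants of an older declaration form and should be removed or replaced with a real comment saying these types are meant to be applied by administrators to shared content. Two smaller points: `tetex_data_t` is declared with `files_tmp_file(tetex_data_t)` although the comment above it (`/var/{spool,lib}/texmf index files`) and `miscfiles_read_tetex_data` in the .if (`files_search_var`, `files_search_var_lib`) treat it as persistent var data, so a one-line comment on why the tmp-file attribute is wanted would help; and `miscfiles_manage_localization` in the .if does not call `files_search_usr($1)` as `miscfiles_read_localization`, `miscfiles_rw_localization` and `miscfiles_relabel_localization` do, so a caller that only has the manage interface may be unable to reach the locale directory.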
diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc new file mode 100644 index 0000000..532181a --- /dev/null +++ b/policy/modules/system/modutils.fc @@ -0,0 +1,24 @@ + +/etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0) +/etc/modprobe\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0) +/etc/modprobe\.d(/.*)? gen_context(system_u:object_r:modules_conf_t,s0) + +ifdef(`distro_gentoo',` +# gentoo init scripts still manage this file +# even if devfs is off +/etc/modprobe.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0) +') + +/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0) +/lib64/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0) + +/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) +/lib64/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) + +/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0) +/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0) +/sbin/insmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0) +/sbin/modprobe.* -- gen_context(system_u:object_r:insmod_exec_t,s0) +/sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0) +/sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0) +/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if new file mode 100644 index 0000000..def8d5a --- /dev/null +++ b/policy/modules/system/modutils.if 
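Review bot: in the `distro_gentoo` block the pattern `/etc/modprobe.devfs.*` leaves the dot before `devfs` unescaped, unlike `/etc/modprobe\.conf.*` and `/lib/modules/modprobe\.conf` in the same file; write it as `/etc/modprobe\.devfs.*` so the dot does not match any character. Also, `/sbin/modprobe.*`, `/sbin/insmod.*`, `/sbin/rmmod.*` and `/sbin/depmod.*` each match every file whose name starts with that string, not only the binary and its versioned copies; if that breadth is deliberate (modprobe-style helper names), a short comment saying so will stop the next reader from tightening it.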
@@ -0,0 +1,357 @@ +## <summary>Policy for kernel module utilities</summary> + +###################################### +## <summary> +## Getattr the dependencies of kernel modules. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`modutils_getattr_module_deps',` + gen_require(` + type modules_dep_t; + ') + + getattr_files_pattern($1, modules_object_t, modules_dep_t) +') + +######################################## +## <summary> +## Read the dependencies of kernel modules. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`modutils_read_module_deps',` + gen_require(` + type modules_dep_t; + ') + + files_list_kernel_modules($1) + allow $1 modules_dep_t:file read_file_perms; +') + +######################################## +## <summary> +## list the configuration options used when +## loading modules. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`modutils_list_module_config',` + gen_require(` + type modules_conf_t; + ') + + list_dirs_pattern($1, modules_conf_t, modules_conf_t) +') + +######################################## +## <summary> +## Read the configuration options used when +## loading modules. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`modutils_read_module_config',` + gen_require(` + type modules_conf_t; + ') + + # This file type can be in /etc or + # /lib(64)?/modules + files_search_etc($1) + files_search_boot($1) + + read_files_pattern($1, modules_conf_t, modules_conf_t) + read_lnk_files_pattern($1, modules_conf_t, modules_conf_t) +') + +######################################## +## <summary> +## Rename a file with the configuration options used when +## loading modules. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`modutils_rename_module_config',` + gen_require(` + type modules_conf_t; + ') + + rename_files_pattern($1, modules_conf_t, modules_conf_t) +') + +######################################## +## <summary> +## Unlink a file with the configuration options used when +## loading modules. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`modutils_delete_module_config',` + gen_require(` + type modules_conf_t; + ') + + delete_files_pattern($1, modules_conf_t, modules_conf_t) +') + +######################################## +## <summary> +## Manage files with the configuration options used when +## loading modules. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`modutils_manage_module_config',` + gen_require(` + type modules_conf_t; + ') + + manage_files_pattern($1, modules_conf_t, modules_conf_t) +') + +######################################## +## <summary> +## Unconditionally execute insmod in the insmod domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +# cjp: this is added for pppd, due to nested +# conditionals not working. +interface(`modutils_domtrans_insmod_uncond',` + gen_require(` + type insmod_t, insmod_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, insmod_exec_t, insmod_t) +') + +######################################## +## <summary> +## Execute insmod in the insmod domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`modutils_domtrans_insmod',` + gen_require(` + bool secure_mode_insmod; + ') + + if (!secure_mode_insmod) { + modutils_domtrans_insmod_uncond($1) + } +') + +######################################## +## <summary> +## Execute insmod in the insmod domain, and +## allow the specified role the insmod domain, +## and use the caller's terminal. Has a sigchld +## backchannel. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`modutils_run_insmod',` + gen_require(` + type insmod_t; + ') + + modutils_domtrans_insmod($1) + role $2 types insmod_t; +') + +######################################## +## <summary> +## Execute insmod in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`modutils_exec_insmod',` + gen_require(` + type insmod_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, insmod_exec_t) +') + +######################################## +## <summary> +## Execute depmod in the depmod domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`modutils_domtrans_depmod',` + gen_require(` + type depmod_t, depmod_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, depmod_exec_t, depmod_t) +') + +######################################## +## <summary> +## Execute depmod in the depmod domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`modutils_run_depmod',` + gen_require(` + type depmod_t, insmod_t; + ') + + modutils_domtrans_depmod($1) + role $2 types depmod_t; +') + +######################################## +## <summary> +## Execute depmod in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`modutils_exec_depmod',` + gen_require(` + type depmod_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, depmod_exec_t) +') + +######################################## +## <summary> +## Execute depmod in the depmod domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`modutils_domtrans_update_mods',` + gen_require(` + type update_modules_t, update_modules_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, update_modules_exec_t, update_modules_t) +') + +######################################## +## <summary> +## Execute update_modules in the update_modules domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`modutils_run_update_mods',` + gen_require(` + type update_modules_t; + ') + + modutils_domtrans_update_mods($1) + role $2 types update_modules_t; + + modutils_run_insmod(update_modules_t, $2) +') + +######################################## +## <summary> +## Execute update_modules in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`modutils_exec_update_mods',` + gen_require(` + type update_modules_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, update_modules_exec_t) +') 
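Review bot: `modutils_getattr_module_deps` uses `modules_object_t` in `getattr_files_pattern($1, modules_object_t, modules_dep_t)` but its `gen_require` only declares `modules_dep_t`, so the interface will not build in a loadable module unless the caller happens to have required that type itself; either add `type modules_object_t;` to the require block or follow `modutils_read_module_deps` and use `files_list_kernel_modules($1)` plus `allow $1 modules_dep_t:file getattr_file_perms;`. Further items in the same file: `modutils_read_module_config` comments that the config lives in `/etc` or `/lib(64)?/modules` but then calls `files_search_boot($1)`, which is `/boot`, not the modules tree; `modutils_run_depmod` requires `insmod_t` without using it; the summary for `modutils_domtrans_update_mods` reads "Execute depmod in the depmod domain" and should say update_modules; and `modutils_run_update_mods` calls `modutils_run_insmod(update_modules_t, $2)`, so any role granted update-modules is also granted `insmod_t` via `role $2 types insmod_t`. That dependency is reasonable but the interface summary should state that it hands out module-loading authority.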
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te new file mode 100644 index 0000000..9abf3b1 --- /dev/null +++ b/policy/modules/system/modutils.te 
@@ -0,0 +1,340 @@ +policy_module(modutils, 1.10.0) + +gen_require(` + bool secure_mode_insmod; +') + +######################################## +# +# Declarations +# + +type depmod_t; +type depmod_exec_t; +init_system_domain(depmod_t, depmod_exec_t) +role system_r types depmod_t; + +type insmod_t; +type insmod_exec_t; +application_domain(insmod_t, insmod_exec_t) +mls_file_write_all_levels(insmod_t) +mls_process_write_down(insmod_t) +role system_r types insmod_t; + +# module loading config +type modules_conf_t; +files_type(modules_conf_t) + +# module dependencies +type modules_dep_t; +files_type(modules_dep_t) + +type update_modules_t; +type update_modules_exec_t; +init_system_domain(update_modules_t, update_modules_exec_t) +role system_r types update_modules_t; + +type update_modules_tmp_t; +files_tmp_file(update_modules_tmp_t) + +######################################## +# +# depmod local policy +# + +can_exec(depmod_t, depmod_exec_t) + +# Read conf.modules. +read_files_pattern(depmod_t, modules_conf_t, modules_conf_t) + +allow depmod_t modules_dep_t:file manage_file_perms; +files_kernel_modules_filetrans(depmod_t, modules_dep_t, file) + +kernel_read_system_state(depmod_t) + +corecmd_search_bin(depmod_t) + +domain_use_interactive_fds(depmod_t) + +files_delete_kernel_modules(depmod_t) +files_read_kernel_symbol_table(depmod_t) +files_read_kernel_modules(depmod_t) +files_read_etc_runtime_files(depmod_t) +files_read_etc_files(depmod_t) +files_read_usr_src_files(depmod_t) +files_list_usr(depmod_t) +files_append_var_files(depmod_t) +files_read_boot_files(depmod_t) + +fs_getattr_xattr_fs(depmod_t) + +term_use_console(depmod_t) + +init_use_fds(depmod_t) +init_use_script_fds(depmod_t) +init_use_script_ptys(depmod_t) + +userdom_use_user_terminals(depmod_t) +# Read System.map from home directories. 
+files_list_home(depmod_t) +userdom_read_user_home_content_files(depmod_t) +userdom_manage_user_tmp_files(depmod_t) + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(depmod_t) + ') +') + +tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(depmod_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files(depmod_t) +') + +optional_policy(` + rpm_rw_pipes(depmod_t) + rpm_manage_script_tmp_files(depmod_t) +') + +optional_policy(` + # Read System.map from home directories. + unconfined_domain(depmod_t) +') + +######################################## +# +# insmod local policy +# + +allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config }; +allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; + +allow insmod_t self:udp_socket create_socket_perms; +allow insmod_t self:rawip_socket create_socket_perms; + +# Read module config and dependency information +list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) +read_files_pattern(insmod_t, modules_conf_t, modules_conf_t) +list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t) +read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) + +can_exec(insmod_t, insmod_exec_t) + +kernel_load_module(insmod_t) +kernel_read_system_state(insmod_t) +kernel_read_network_state(insmod_t) +kernel_write_proc_files(insmod_t) +kernel_mount_debugfs(insmod_t) +kernel_mount_kvmfs(insmod_t) +kernel_read_debugfs(insmod_t) +kernel_request_load_module(insmod_t) +# Rules for /proc/sys/kernel/tainted +kernel_read_kernel_sysctls(insmod_t) +kernel_rw_kernel_sysctl(insmod_t) +kernel_read_hotplug_sysctls(insmod_t) +kernel_setsched(insmod_t) + +corecmd_exec_bin(insmod_t) +corecmd_exec_shell(insmod_t) + +dev_rw_sysfs(insmod_t) +dev_search_usbfs(insmod_t) +dev_rw_mtrr(insmod_t) +dev_read_urand(insmod_t) +dev_rw_agp(insmod_t) +dev_read_sound(insmod_t) +dev_write_sound(insmod_t) +dev_rw_apm_bios(insmod_t) +dev_create_generic_chr_files(insmod_t) + 
+domain_signal_all_domains(insmod_t) +domain_use_interactive_fds(insmod_t) + +files_read_kernel_modules(insmod_t) +files_read_etc_runtime_files(insmod_t) +files_read_etc_files(insmod_t) +files_read_usr_files(insmod_t) +files_exec_etc_files(insmod_t) +# for nscd: +files_dontaudit_search_pids(insmod_t) +# for when /var is not mounted early in the boot: +files_dontaudit_search_isid_type_dirs(insmod_t) +# for locking: (cjp: ????) +files_write_kernel_modules(insmod_t) + +fs_getattr_xattr_fs(insmod_t) +fs_dontaudit_use_tmpfs_chr_dev(insmod_t) +fs_mount_rpc_pipefs(insmod_t) +fs_search_rpc(insmod_t) + +init_rw_initctl(insmod_t) +init_use_fds(insmod_t) +init_use_script_fds(insmod_t) +init_use_script_ptys(insmod_t) +init_spec_domtrans_script(insmod_t) +init_rw_script_tmp_files(insmod_t) + +logging_send_syslog_msg(insmod_t) +logging_search_logs(insmod_t) + +miscfiles_read_localization(insmod_t) + +seutil_read_file_contexts(insmod_t) + +term_use_all_terms(insmod_t) +userdom_dontaudit_search_user_home_dirs(insmod_t) + +if( ! 
secure_mode_insmod ) { + kernel_domtrans_to(insmod_t, insmod_exec_t) +} + +optional_policy(` + alsa_domtrans(insmod_t) +') + +optional_policy(` + firstboot_dontaudit_rw_pipes(insmod_t) + firstboot_dontaudit_rw_stream_sockets(insmod_t) +') + +optional_policy(` + firewallgui_dontaudit_rw_pipes(insmod_t) +') + +optional_policy(` + hal_write_log(insmod_t) +') + +optional_policy(` + hotplug_search_config(insmod_t) +') + +optional_policy(` + mount_domtrans(insmod_t) +') + +optional_policy(` + nis_use_ypbind(insmod_t) +') + +optional_policy(` + nscd_socket_use(insmod_t) +') + +optional_policy(` + fs_manage_ramfs_files(insmod_t) + + rhgb_use_fds(insmod_t) + rhgb_dontaudit_use_ptys(insmod_t) + + xserver_dontaudit_write_log(insmod_t) + xserver_stream_connect(insmod_t) + xserver_dontaudit_rw_stream_sockets(insmod_t) + + ifdef(`hide_broken_symptoms',` + xserver_dontaudit_rw_tcp_sockets(insmod_t) + ') +') + +optional_policy(` + rpm_rw_pipes(insmod_t) +') + +optional_policy(` + unconfined_domain(insmod_t) + unconfined_dontaudit_rw_pipes(insmod_t) +') + +optional_policy(` + virt_dontaudit_write_pipes(insmod_t) +') + +optional_policy(` + # cjp: why is this needed: + dev_rw_xserver_misc(insmod_t) + + xserver_getattr_log(insmod_t) +') + +################################# +# +# update-modules local policy +# + +allow update_modules_t self:fifo_file rw_fifo_file_perms; + +allow update_modules_t modules_dep_t:file rw_file_perms; + +can_exec(update_modules_t, insmod_exec_t) +can_exec(update_modules_t, update_modules_exec_t) + +# manage module loading configuration +manage_files_pattern(update_modules_t, modules_conf_t, modules_conf_t) +files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file) +files_etc_filetrans(update_modules_t, modules_conf_t, file) + +# transition to depmod +domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t) +allow update_modules_t depmod_t:fd use; +allow depmod_t update_modules_t:fd use; +allow depmod_t update_modules_t:fifo_file 
rw_file_perms; +allow depmod_t update_modules_t:process sigchld; + +manage_dirs_pattern(update_modules_t, update_modules_tmp_t, update_modules_tmp_t) +manage_files_pattern(update_modules_t, update_modules_tmp_t, update_modules_tmp_t) +files_tmp_filetrans(update_modules_t, update_modules_tmp_t, { file dir }) + +kernel_read_kernel_sysctls(update_modules_t) +kernel_read_system_state(update_modules_t) + +corecmd_exec_bin(update_modules_t) +corecmd_exec_shell(update_modules_t) + +dev_read_urand(update_modules_t) + +domain_use_interactive_fds(update_modules_t) + +files_read_etc_runtime_files(update_modules_t) +files_read_etc_files(update_modules_t) +files_exec_etc_files(update_modules_t) + +fs_getattr_xattr_fs(update_modules_t) + +term_use_console(update_modules_t) + +init_use_fds(update_modules_t) +init_use_script_fds(update_modules_t) +init_use_script_ptys(update_modules_t) + +logging_send_syslog_msg(update_modules_t) + +miscfiles_read_localization(update_modules_t) + +userdom_use_user_terminals(update_modules_t) +userdom_dontaudit_search_user_home_dirs(update_modules_t) + +ifdef(`distro_gentoo',` + files_search_pids(update_modules_t) + files_getattr_usr_src_files(update_modules_t) + files_list_isid_type_dirs(update_modules_t) # /var + + # update-modules on Gentoo throws errors when run because it + # sources /etc/init.d/functions.sh, which always scans + # /var/lib/init.d to set SOFTLEVEL environment var. + # This is never used by update-modules. + files_dontaudit_search_var_lib(update_modules_t) + init_dontaudit_read_script_status_files(update_modules_t) + + optional_policy(` + consoletype_exec(update_modules_t) + ') +') + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(update_modules_t) + ') +') diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc new file mode 100644 index 0000000..e3d06fd --- /dev/null +++ b/policy/modules/system/mount.fc 
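Review bot: the `optional_policy` block at the end of the depmod section wraps `unconfined_domain(depmod_t)` under the comment `# Read System.map from home directories.`, which is copied from the `userdom_read_user_home_content_files(depmod_t)` line above and does not explain why depmod should become unconfined whenever the unconfined module is present; that one call makes the depmod rules above it moot on such systems and makes the `distro_ubuntu` block that does the same thing redundant. If it is really needed, say why and keep it only in the distro-specific block; otherwise drop it. The insmod section has the same pattern (`unconfined_domain(insmod_t)` under `optional_policy`). Two more points: `files_write_kernel_modules(insmod_t)` is annotated `# for locking: (cjp: ????)`, and a domain that can both `kernel_load_module` and write the module tree is exactly what module-tampering needs, so this wants a concrete justification or a narrower rule; and in the update-modules section `allow depmod_t update_modules_t:fifo_file rw_file_perms;` should use `rw_fifo_file_perms` as `allow update_modules_t self:fifo_file rw_fifo_file_perms;` does a few lines earlier, while the hand-written `domain_auto_trans` plus `fd use`/`sigchld` rules could be replaced by the `domtrans_pattern` used elsewhere in this patch.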
@@ -0,0 +1,10 @@ +/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) +/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) +/usr/sbin/showmount -- gen_context(system_u:object_r:showmount_exec_t,s0) + +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if new file mode 100644 index 0000000..3490497 --- /dev/null +++ b/policy/modules/system/mount.if 
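Review bot: `/var/cache/davfs2(/.*)?` is labeled `mount_var_run_t`, a type that mount.te later in this patch declares with `files_pid_file(mount_var_run_t)`, so cache content under `/var/cache` gets a runtime/pid type and inherits whatever pid-directory handling applies to it; if davfs2 needs a writable cache here, a dedicated cache type or at least a comment explaining the reuse would be clearer. Separately, `/bin/mount.*` and `/sbin/mount.*` match every file whose name begins with `mount`, not only `mount` and its `mount.<fstype>` helpers; if that breadth is intended, a comment saying so avoids a later "fix" that breaks the helpers.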
@@ -0,0 +1,340 @@ +## <summary>Policy for mount.</summary> + +######################################## +## <summary> +## Execute mount in the mount domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`mount_domtrans',` + gen_require(` + type mount_t, mount_exec_t; + ') + + domtrans_pattern($1, mount_exec_t, mount_t) + mount_domtrans_fusermount($1) + +ifdef(`hide_broken_symptoms', ` + dontaudit mount_t $1:unix_stream_socket { read write }; + dontaudit mount_t $1:tcp_socket { read write }; + dontaudit mount_t $1:udp_socket { read write }; +') + +') + +######################################## +## <summary> +## Execute mount in the mount domain, and +## allow the specified role the mount domain, +## and use the caller's terminal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mount_run',` + gen_require(` + type mount_t; + ') + + mount_domtrans($1) + role $2 types mount_t; + + optional_policy(` + fstools_run(mount_t, $2) + ') + + # Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711 + optional_policy(` + lvm_run(mount_t, $2) + ') + + optional_policy(` + modutils_run_insmod(mount_t, $2) + ') + + optional_policy(` + rpc_run_rpcd(mount_t, $2) + ') + + optional_policy(` + samba_run_smbmount(mount_t, $2) + ') +') + +######################################## +## <summary> +## Execute fusermount in the mount domain, and +## allow the specified role the mount domain, +## and use the caller's terminal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the mount domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`mount_run_fusermount',` + gen_require(` + type mount_t; + ') + + mount_domtrans_fusermount($1) + role $2 types mount_t; + + fstools_run(mount_t, $2) +') + +######################################## +## <summary> +## Execute mount in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mount_exec',` + gen_require(` + type mount_exec_t; + ') + + # cjp: this should be removed: + allow $1 mount_exec_t:dir list_dir_perms; + + allow $1 mount_exec_t:lnk_file read_lnk_file_perms; + can_exec($1, mount_exec_t) +') + +######################################## +## <summary> +## Send a generic signal to mount. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mount_signal',` + gen_require(` + type mount_t; + type unconfined_mount_t; + ') + + allow $1 mount_t:process signal; + allow $1 unconfined_mount_t:process signal; +') + +######################################## +## <summary> +## Use file descriptors for mount. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mount_use_fds',` + gen_require(` + type mount_t; + ') + + allow $1 mount_t:fd use; +') + +######################################## +## <summary> +## Allow the mount domain to send nfs requests for mounting +## network drives +## </summary> +## <desc> +## <p> +## Allow the mount domain to send nfs requests for mounting +## network drives +## </p> +## <p> +## This interface has been deprecated as these rules were +## a side effect of leaked mount file descriptors. This +## interface has no effect. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`mount_send_nfs_client_request',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## <summary> +## Execute mount in the unconfined mount domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`mount_domtrans_unconfined',` + gen_require(` + type unconfined_mount_t, mount_exec_t; + ') + + domtrans_pattern($1, mount_exec_t, unconfined_mount_t) +') + +######################################## +## <summary> +## Execute mount in the unconfined mount domain, and +## allow the specified role the unconfined mount domain, +## and use the caller's terminal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mount_run_unconfined',` + gen_require(` + type unconfined_mount_t; + ') + + mount_domtrans_unconfined($1) + role $2 types unconfined_mount_t; + + optional_policy(` + rpc_run_rpcd(unconfined_mount_t, $2) + ') + + optional_policy(` + samba_run_smbmount(unconfined_mount_t, $2) + ') +') + +######################################## +## <summary> +## Execute fusermount in the mount domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mount_domtrans_fusermount',` + gen_require(` + type mount_t, fusermount_exec_t; + ') + + domtrans_pattern($1, fusermount_exec_t, mount_t) +') + +######################################## +## <summary> +## Execute fusermount. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`mount_exec_fusermount',` + gen_require(` + type fusermount_exec_t; + ') + + can_exec($1, fusermount_exec_t) +') + +######################################## +## <summary> +## dontaudit Execute fusermount. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mount_dontaudit_exec_fusermount',` + gen_require(` + type fusermount_exec_t; + ') + + dontaudit $1 fusermount_exec_t:file exec_file_perms; +') + +###################################### +## <summary> +## Execute a domain transition to run showmount. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`mount_domtrans_showmount',` + gen_require(` + type showmount_t, showmount_exec_t; + ') + + domtrans_pattern($1, showmount_exec_t, showmount_t) +') + +###################################### +## <summary> +## Execute showmount in the showmount domain, and +## allow the specified role the showmount domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the showmount domain. +## </summary> +## </param> +# +interface(`mount_run_showmount',` + gen_require(` + type showmount_t; + ') + + mount_domtrans_showmount($1) + role $2 types showmount_t; +') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te new file mode 100644 index 0000000..8848e14 --- /dev/null +++ b/policy/modules/system/mount.te 
@@ -0,0 +1,351 @@ +policy_module(mount, 1.11.1) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow the mount command to mount any directory or file. +## </p> +## </desc> +gen_tunable(allow_mount_anyfile, false) + +type mount_t; +type mount_exec_t; +init_system_domain(mount_t, mount_exec_t) +role system_r types mount_t; + +type fusermount_exec_t; +domain_entry_file(mount_t, fusermount_exec_t) + +typealias mount_t alias mount_ntfs_t; +typealias mount_exec_t alias mount_ntfs_exec_t; + +type mount_loopback_t; # customizable +files_type(mount_loopback_t) +typealias mount_loopback_t alias mount_loop_t; + +type mount_tmp_t; +files_tmp_file(mount_tmp_t) + +# causes problems with interfaces when +# this is optionally declared in monolithic +# policy--duplicate type declaration +type unconfined_mount_t; +application_domain(unconfined_mount_t, mount_exec_t) +role system_r types unconfined_mount_t; + +type mount_var_run_t; +files_pid_file(mount_var_run_t) + +# showmount - show mount information for an NFS server + +type showmount_t; +type showmount_exec_t; +application_domain(showmount_t, showmount_exec_t) +role system_r types showmount_t; + +######################################## +# +# mount local policy +# + +# setuid/setgid needed to mount cifs +allow mount_t self:capability { fsetid ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid }; +allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal }; +allow mount_t self:fifo_file rw_fifo_file_perms; +allow mount_t self:unix_stream_socket create_stream_socket_perms; +allow mount_t self:unix_dgram_socket create_socket_perms; + +allow mount_t mount_loopback_t:file read_file_perms; + +allow mount_t mount_tmp_t:file manage_file_perms; +allow mount_t mount_tmp_t:dir manage_dir_perms; + +can_exec(mount_t, mount_exec_t) + +files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) + 
+manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t) +manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t) +files_pid_filetrans(mount_t,mount_var_run_t,dir) +files_var_filetrans(mount_t,mount_var_run_t,dir) + +# In order to mount reiserfs_t +kernel_dontaudit_getattr_core_if(mount_t) +kernel_list_unlabeled(mount_t) +kernel_mount_unlabeled(mount_t) +kernel_unmount_unlabeled(mount_t) +kernel_read_system_state(mount_t) +kernel_read_network_state(mount_t) +kernel_read_kernel_sysctls(mount_t) +kernel_manage_debugfs(mount_t) +kernel_setsched(mount_t) +kernel_use_fds(mount_t) +kernel_request_load_module(mount_t) + +# required for mount.smbfs +corecmd_exec_bin(mount_t) + +dev_getattr_generic_blk_files(mount_t) +dev_getattr_all_blk_files(mount_t) +dev_list_all_dev_nodes(mount_t) +dev_read_usbfs(mount_t) +dev_read_rand(mount_t) +dev_read_sysfs(mount_t) +dev_rw_lvm_control(mount_t) +dev_dontaudit_getattr_all_chr_files(mount_t) +dev_dontaudit_getattr_memory_dev(mount_t) +dev_getattr_sound_dev(mount_t) +ifdef(`hide_broken_symptoms',` + dev_rw_generic_blk_files(mount_t) +') +# Early devtmpfs, before udev relabel +dev_dontaudit_rw_generic_chr_files(mount_t) + +domain_use_interactive_fds(mount_t) +domain_dontaudit_search_all_domains_state(mount_t) + +files_search_all(mount_t) +files_read_etc_files(mount_t) +files_manage_etc_runtime_files(mount_t) +files_etc_filetrans_etc_runtime(mount_t, file) +# for when /etc/mtab loses its type +files_delete_etc_files(mount_t) +files_mounton_all_mountpoints(mount_t) +# ntfs-3g checks whether the mountpoint is writable before mounting +files_write_all_mountpoints(mount_t) +files_unmount_rootfs(mount_t) + +# These rules need to be generalized. 
Only admin, initrc should have it: +files_relabel_all_file_type_fs(mount_t) +files_mount_all_file_type_fs(mount_t) +files_unmount_all_file_type_fs(mount_t) +files_read_isid_type_files(mount_t) +# For reading cert files +files_read_usr_files(mount_t) +files_list_mnt(mount_t) + +fs_list_all(mount_t) +fs_getattr_all_fs(mount_t) +fs_mount_all_fs(mount_t) +fs_unmount_all_fs(mount_t) +fs_remount_all_fs(mount_t) +fs_relabelfrom_all_fs(mount_t) +fs_rw_anon_inodefs_files(mount_t) +fs_rw_tmpfs_chr_files(mount_t) +fs_rw_nfsd_fs(mount_t) +fs_manage_tmpfs_dirs(mount_t) +fs_read_tmpfs_symlinks(mount_t) +fs_read_fusefs_files(mount_t) +fs_manage_nfs_dirs(mount_t) +fs_read_nfs_symlinks(mount_t) +fs_manage_cgroup_dirs(mount_t) +fs_manage_cgroup_files(mount_t) + +mls_file_read_all_levels(mount_t) +mls_file_write_all_levels(mount_t) + +selinux_get_enforce_mode(mount_t) +selinux_dontaudit_write_fs(mount_t) + +storage_raw_read_fixed_disk(mount_t) +storage_raw_write_fixed_disk(mount_t) +storage_raw_read_removable_device(mount_t) +storage_raw_write_removable_device(mount_t) +storage_rw_fuse(mount_t) + +term_use_all_terms(mount_t) + +auth_use_nsswitch(mount_t) + +init_use_fds(mount_t) +init_use_script_ptys(mount_t) +init_dontaudit_getattr_initctl(mount_t) +init_stream_connect_script(mount_t) +init_rw_script_stream_sockets(mount_t) + +logging_send_syslog_msg(mount_t) + +miscfiles_read_localization(mount_t) + +sysnet_use_portmap(mount_t) + +seutil_read_config(mount_t) + +userdom_use_all_users_fds(mount_t) +userdom_manage_user_home_content_dirs(mount_t) +userdom_read_user_home_content_symlinks(mount_t) + +optional_policy(` + abrt_rw_fifo_file(mount_t) +') + +ifdef(`distro_redhat',` + optional_policy(` + auth_read_pam_console_data(mount_t) + # mount config by default sets fscontext=removable_t + fs_relabelfrom_dos_fs(mount_t) + ') +') + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(mount_t) + ') +') + +corecmd_exec_shell(mount_t) + +modutils_domtrans_insmod(mount_t) + 
+fstools_domtrans(mount_t) + +tunable_policy(`allow_mount_anyfile',` + auth_read_all_dirs_except_shadow(mount_t) + auth_read_all_files_except_shadow(mount_t) + files_mounton_non_security(mount_t) + files_rw_all_inherited_files(mount_t) +') + +optional_policy(` + # for nfs + corenet_all_recvfrom_unlabeled(mount_t) + corenet_all_recvfrom_netlabel(mount_t) + corenet_tcp_sendrecv_all_if(mount_t) + corenet_raw_sendrecv_all_if(mount_t) + corenet_udp_sendrecv_all_if(mount_t) + corenet_tcp_sendrecv_all_nodes(mount_t) + corenet_raw_sendrecv_all_nodes(mount_t) + corenet_udp_sendrecv_all_nodes(mount_t) + corenet_tcp_sendrecv_all_ports(mount_t) + corenet_udp_sendrecv_all_ports(mount_t) + corenet_tcp_bind_all_nodes(mount_t) + corenet_udp_bind_all_nodes(mount_t) + corenet_tcp_bind_generic_port(mount_t) + corenet_udp_bind_generic_port(mount_t) + corenet_tcp_bind_reserved_port(mount_t) + corenet_udp_bind_reserved_port(mount_t) + corenet_tcp_bind_all_rpc_ports(mount_t) + corenet_udp_bind_all_rpc_ports(mount_t) + corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t) + corenet_dontaudit_udp_bind_all_reserved_ports(mount_t) + corenet_tcp_connect_all_ports(mount_t) + + fs_search_rpc(mount_t) + + rpc_stub(mount_t) + + rpc_domtrans_rpcd(mount_t) +') + +optional_policy(` + apm_use_fds(mount_t) +') + +optional_policy(` + cron_system_entry(mount_t, mount_exec_t) +') + +optional_policy(` + dbus_system_bus_client(mount_t) + + optional_policy(` + hal_dbus_chat(mount_t) + ') +') + + +optional_policy(` + hal_write_log(mount_t) + hal_use_fds(mount_t) + hal_dontaudit_rw_pipes(mount_t) +') + +optional_policy(` + ifdef(`hide_broken_symptoms',` + # for a bug in the X server + rhgb_dontaudit_rw_stream_sockets(mount_t) + term_dontaudit_use_ptmx(mount_t) + ') +') + +optional_policy(` + livecd_rw_tmp_files(mount_t) +') + +# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711 +optional_policy(` + lvm_domtrans(mount_t) +') + +# for kernel package installation +optional_policy(` + 
rpm_rw_pipes(mount_t) + rpm_dontaudit_leaks(mount_t) +') + +optional_policy(` + samba_domtrans_smbmount(mount_t) + samba_read_config(mount_t) +') + +optional_policy(` + ssh_exec(mount_t) +') + +optional_policy(` + usbmuxd_stream_connect(mount_t) +') + +optional_policy(` + vmware_exec_host(mount_t) +') + +######################################## +# +# Unconfined mount local policy +# + +optional_policy(` + unconfined_domain_noaudit(unconfined_mount_t) +') + +optional_policy(` + userdom_unpriv_usertype(unconfined, unconfined_mount_t) + files_etc_filetrans_etc_runtime(unconfined_mount_t, file) +') + +###################################### +# +# showmount local policy +# + +allow showmount_t self:tcp_socket create_stream_socket_perms; +allow showmount_t self:udp_socket create_socket_perms; + +kernel_read_system_state(showmount_t) + +corenet_all_recvfrom_unlabeled(showmount_t) +corenet_all_recvfrom_netlabel(showmount_t) +corenet_tcp_sendrecv_generic_if(showmount_t) +corenet_udp_sendrecv_generic_if(showmount_t) +corenet_tcp_sendrecv_generic_node(showmount_t) +corenet_udp_sendrecv_generic_node(showmount_t) +corenet_tcp_sendrecv_all_ports(showmount_t) +corenet_udp_sendrecv_all_ports(showmount_t) +corenet_tcp_bind_generic_node(showmount_t) +corenet_udp_bind_generic_node(showmount_t) +corenet_tcp_bind_all_rpc_ports(showmount_t) +corenet_udp_bind_all_rpc_ports(showmount_t) +corenet_tcp_connect_all_ports(showmount_t) + +files_read_etc_files(showmount_t) + +miscfiles_read_localization(showmount_t) + +sysnet_dns_name_resolve(showmount_t) + +userdom_use_user_terminals(showmount_t) diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc new file mode 100644 index 0000000..b263a8a --- /dev/null +++ b/policy/modules/system/netlabel.fc @@ -0,0 +1 @@ +/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0) diff --git a/policy/modules/system/netlabel.if b/policy/modules/system/netlabel.if new file mode 100644 index 0000000..8cfaa75 
--- /dev/null +++ b/policy/modules/system/netlabel.if @@ -0,0 +1,46 @@ +## <summary>NetLabel/CIPSO labeled networking management</summary> + +######################################## +## <summary> +## Execute netlabel_mgmt in the netlabel_mgmt domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`netlabel_domtrans_mgmt',` + gen_require(` + type netlabel_mgmt_t, netlabel_mgmt_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, netlabel_mgmt_exec_t, netlabel_mgmt_t) +') + +######################################## +## <summary> +## Execute netlabel_mgmt in the netlabel_mgmt domain, and +## allow the specified role the netlabel_mgmt domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`netlabel_run_mgmt',` + gen_require(` + type netlabel_mgmt_t; + ') + + netlabel_domtrans_mgmt($1) + role $2 types netlabel_mgmt_t; +') diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te new file mode 100644 index 0000000..cbbda4a --- /dev/null +++ b/policy/modules/system/netlabel.te @@ -0,0 +1,28 @@ +policy_module(netlabel, 1.3.0) + +######################################## +# +# Declarations +# + +type netlabel_mgmt_t; +type netlabel_mgmt_exec_t; +application_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t) +role system_r types netlabel_mgmt_t; + +######################################## +# +# NetLabel Management Tools Local policy +# + +# modify the network subsystem configuration +allow netlabel_mgmt_t self:capability net_admin; +allow netlabel_mgmt_t self:netlink_socket create_socket_perms; + +kernel_read_network_state(netlabel_mgmt_t) + +files_read_etc_files(netlabel_mgmt_t) + +seutil_use_newrole_fds(netlabel_mgmt_t) + +userdom_use_user_terminals(netlabel_mgmt_t) 
diff --git a/policy/modules/system/pcmcia.fc b/policy/modules/system/pcmcia.fc new file mode 100644 index 0000000..9cf0e56 --- /dev/null +++ b/policy/modules/system/pcmcia.fc @@ -0,0 +1,10 @@ + +/etc/apm/event\.d/pcmcia -- gen_context(system_u:object_r:cardmgr_exec_t,s0) + +/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0) +/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0) + +/var/lib/pcmcia(/.*)? gen_context(system_u:object_r:cardmgr_var_run_t,s0) + +/var/run/cardmgr\.pid -- gen_context(system_u:object_r:cardmgr_var_run_t,s0) +/var/run/stab -- gen_context(system_u:object_r:cardmgr_var_run_t,s0) diff --git a/policy/modules/system/pcmcia.if b/policy/modules/system/pcmcia.if new file mode 100644 index 0000000..aef445d --- /dev/null +++ b/policy/modules/system/pcmcia.if 
@@ -0,0 +1,156 @@ +## <summary>PCMCIA card management services</summary> + +######################################## +## <summary> +## PCMCIA stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pcmcia_stub',` + gen_require(` + type cardmgr_t; + ') +') + +######################################## +## <summary> +## Execute cardmgr in the cardmgr domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`pcmcia_domtrans_cardmgr',` + gen_require(` + type cardmgr_t, cardmgr_exec_t; + ') + + domtrans_pattern($1, cardmgr_exec_t, cardmgr_t) +') + +######################################## +## <summary> +## Inherit and use file descriptors from cardmgr. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pcmcia_use_cardmgr_fds',` + gen_require(` + type cardmgr_t; + ') + + allow $1 cardmgr_t:fd use; +') + +######################################## +## <summary> +## Execute cardctl in the cardmgr domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`pcmcia_domtrans_cardctl',` + gen_require(` + type cardmgr_t, cardctl_exec_t; + ') + + domtrans_pattern($1, cardctl_exec_t, cardmgr_t) +') + +######################################## +## <summary> +## Execute cardmgr in the cardctl domain, and +## allow the specified role the cardmgr domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`pcmcia_run_cardctl',` + gen_require(` + type cardmgr_t; + ') + + pcmcia_domtrans_cardctl($1) + role $2 types cardmgr_t; +') + +######################################## +## <summary> +## Read cardmgr pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pcmcia_read_pid',` + gen_require(` + type cardmgr_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## cardmgr pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pcmcia_manage_pid',` + gen_require(` + type cardmgr_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## cardmgr runtime character nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pcmcia_manage_pid_chr_files',` + gen_require(` + type cardmgr_var_run_t; + ') + + files_search_pids($1) + manage_chr_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t) +') diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te new file mode 100644 index 0000000..4d06ae3 --- /dev/null +++ b/policy/modules/system/pcmcia.te 
@@ -0,0 +1,137 @@ +policy_module(pcmcia, 1.6.0) + +######################################## +# +# Declarations +# + +type cardmgr_t; +type cardmgr_exec_t; +init_daemon_domain(cardmgr_t, cardmgr_exec_t) + +# Create symbolic links in /dev. +# cjp: this should probably be eliminated +type cardmgr_lnk_t; +files_type(cardmgr_lnk_t) + +type cardmgr_var_lib_t; +files_type(cardmgr_var_lib_t) + +type cardmgr_var_run_t; +files_pid_file(cardmgr_var_run_t) + +type cardctl_exec_t; +application_domain(cardmgr_t, cardctl_exec_t) + +######################################## +# +# Local policy +# + +# Use capabilities (net_admin for route), setuid for cardctl +allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod }; +dontaudit cardmgr_t self:capability sys_tty_config; +allow cardmgr_t self:process signal_perms; +allow cardmgr_t self:fifo_file rw_fifo_file_perms; +allow cardmgr_t self:unix_dgram_socket create_socket_perms; +allow cardmgr_t self:unix_stream_socket create_socket_perms; + +allow cardmgr_t cardmgr_lnk_t:lnk_file manage_lnk_file_perms; +dev_filetrans(cardmgr_t, cardmgr_lnk_t, lnk_file) + +# Create stab file +manage_files_pattern(cardmgr_t, cardmgr_var_lib_t, cardmgr_var_lib_t) +files_var_lib_filetrans(cardmgr_t, cardmgr_var_lib_t, file) + +allow cardmgr_t cardmgr_var_run_t:file manage_file_perms; +files_pid_filetrans(cardmgr_t, cardmgr_var_run_t, file) + +kernel_read_system_state(cardmgr_t) +kernel_read_kernel_sysctls(cardmgr_t) +kernel_dontaudit_getattr_message_if(cardmgr_t) + +corecmd_exec_all_executables(cardmgr_t) + +dev_read_sysfs(cardmgr_t) +dev_manage_cardmgr_dev(cardmgr_t) +dev_filetrans_cardmgr(cardmgr_t) +dev_getattr_all_chr_files(cardmgr_t) +dev_getattr_all_blk_files(cardmgr_t) +# for SSP +dev_read_urand(cardmgr_t) + +domain_use_interactive_fds(cardmgr_t) +# Read /proc/PID directories for all domains (for fuser). 
+domain_read_confined_domains_state(cardmgr_t) +domain_getattr_confined_domains(cardmgr_t) +domain_dontaudit_ptrace_confined_domains(cardmgr_t) +# cjp: these look excessive: +domain_dontaudit_getattr_all_pipes(cardmgr_t) +domain_dontaudit_getattr_all_sockets(cardmgr_t) + +files_search_kernel_modules(cardmgr_t) +files_list_usr(cardmgr_t) +files_search_home(cardmgr_t) +files_read_etc_runtime_files(cardmgr_t) +files_exec_etc_files(cardmgr_t) +# for /var/lib/misc/pcmcia-scheme +# would be better to have it in a different type if I knew how it was created.. +files_read_var_lib_files(cardmgr_t) +# cjp: these look excessive: +files_dontaudit_getattr_all_dirs(cardmgr_t) +files_dontaudit_getattr_all_files(cardmgr_t) +files_dontaudit_getattr_all_symlinks(cardmgr_t) +files_dontaudit_getattr_all_pipes(cardmgr_t) +files_dontaudit_getattr_all_sockets(cardmgr_t) + +fs_getattr_all_fs(cardmgr_t) +fs_search_auto_mountpoints(cardmgr_t) + +term_use_unallocated_ttys(cardmgr_t) +term_getattr_all_ttys(cardmgr_t) +term_dontaudit_getattr_all_ptys(cardmgr_t) + +libs_exec_ld_so(cardmgr_t) +libs_exec_lib_files(cardmgr_t) + +logging_send_syslog_msg(cardmgr_t) + +miscfiles_read_localization(cardmgr_t) + +modutils_domtrans_insmod(cardmgr_t) + +sysnet_domtrans_ifconfig(cardmgr_t) +# for /etc/resolv.conf +sysnet_etc_filetrans_config(cardmgr_t) +sysnet_manage_config(cardmgr_t) + +userdom_use_user_terminals(cardmgr_t) +userdom_dontaudit_use_unpriv_user_fds(cardmgr_t) +userdom_dontaudit_search_user_home_dirs(cardmgr_t) + +optional_policy(` + seutil_dontaudit_read_config(cardmgr_t) + seutil_sigchld_newrole(cardmgr_t) +') + +optional_policy(` + sysnet_domtrans_dhcpc(cardmgr_t) + + sysnet_read_dhcpc_pid(cardmgr_t) + sysnet_delete_dhcpc_pid(cardmgr_t) + sysnet_kill_dhcpc(cardmgr_t) + sysnet_sigchld_dhcpc(cardmgr_t) + sysnet_signal_dhcpc(cardmgr_t) + sysnet_signull_dhcpc(cardmgr_t) + sysnet_sigstop_dhcpc(cardmgr_t) +') + +optional_policy(` + udev_read_db(cardmgr_t) +') + +# Create device files in /tmp. 
+# cjp: why is this created all over the place? +files_pid_filetrans(cardmgr_t, cardmgr_dev_t, { chr_file blk_file }) +files_tmp_filetrans(cardmgr_t, cardmgr_dev_t, { chr_file blk_file }) +filetrans_pattern(cardmgr_t, cardmgr_var_run_t, cardmgr_dev_t, { chr_file blk_file }) diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc new file mode 100644 index 0000000..42d3890 --- /dev/null +++ b/policy/modules/system/raid.fc @@ -0,0 +1,7 @@ +/dev/.mdadm\.map -- gen_context(system_u:object_r:mdadm_var_run_t,s0) +/dev/md(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) + +/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) +/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) + +/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if new file mode 100644 index 0000000..c817fda --- /dev/null +++ b/policy/modules/system/raid.if 
@@ -0,0 +1,49 @@ +## <summary>RAID array management tools</summary> + +######################################## +## <summary> +## Execute software raid tools in the mdadm domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`raid_domtrans_mdadm',` + gen_require(` + type mdadm_t, mdadm_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, mdadm_exec_t, mdadm_t) +') + +######################################## +## <summary> +## Create, read, write, and delete the mdadm pid files. +## </summary> +## <desc> +## <p> +## Create, read, write, and delete the mdadm pid files. +## </p> +## <p> +## Added for use in the init module. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`raid_manage_mdadm_pid',` + gen_require(` + type mdadm_var_run_t; + ') + + # FIXME: maybe should have a type_transition. not + # clear what this is doing, from the original + # mdadm policy + allow $1 mdadm_var_run_t:file manage_file_perms; +') diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te new file mode 100644 index 0000000..6500830 --- /dev/null +++ b/policy/modules/system/raid.te 
@@ -0,0 +1,100 @@ +policy_module(raid, 1.10.0) + +######################################## +# +# Declarations +# + +type mdadm_t; +type mdadm_exec_t; +init_daemon_domain(mdadm_t, mdadm_exec_t) +role system_r types mdadm_t; + +type mdadm_var_run_t alias mdadm_map_t; +files_pid_file(mdadm_var_run_t) +dev_associate(mdadm_var_run_t) + +######################################## +# +# Local policy +# + +allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; +dontaudit mdadm_t self:capability sys_tty_config; +allow mdadm_t self:process { sigchld sigkill sigstop signull signal }; +allow mdadm_t self:fifo_file rw_fifo_file_perms; + +manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) +manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) +manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) +files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir }) +dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file }) + +kernel_read_system_state(mdadm_t) +kernel_read_kernel_sysctls(mdadm_t) +kernel_rw_software_raid_state(mdadm_t) +kernel_getattr_core_if(mdadm_t) + +# Helper program access +corecmd_exec_bin(mdadm_t) +corecmd_exec_shell(mdadm_t) + +dev_read_sysfs(mdadm_t) +# Ignore attempts to read every device file +dev_dontaudit_getattr_all_blk_files(mdadm_t) +dev_dontaudit_getattr_all_chr_files(mdadm_t) +dev_dontaudit_getattr_generic_files(mdadm_t) +dev_dontaudit_getattr_generic_chr_files(mdadm_t) +dev_dontaudit_getattr_generic_blk_files(mdadm_t) +dev_read_realtime_clock(mdadm_t) +# unfortunately needed for DMI decoding: +dev_read_raw_memory(mdadm_t) +dev_read_generic_files(mdadm_t) + +domain_use_interactive_fds(mdadm_t) + +files_read_etc_files(mdadm_t) +files_read_etc_runtime_files(mdadm_t) +files_dontaudit_getattr_tmpfs_files(mdadm_t) + +fs_list_hugetlbfs(mdadm_t) +fs_list_auto_mountpoints(mdadm_t) +fs_dontaudit_list_tmpfs(mdadm_t) + +mls_file_read_all_levels(mdadm_t) +mls_file_write_all_levels(mdadm_t) + +# RAID block device 
access +storage_manage_fixed_disk(mdadm_t) +storage_dev_filetrans_fixed_disk(mdadm_t) +storage_read_scsi_generic(mdadm_t) + +term_dontaudit_list_ptys(mdadm_t) + +init_dontaudit_getattr_initctl(mdadm_t) + +logging_send_syslog_msg(mdadm_t) + +miscfiles_read_localization(mdadm_t) + +userdom_dontaudit_use_unpriv_user_fds(mdadm_t) +userdom_dontaudit_search_user_home_content(mdadm_t) +userdom_dontaudit_use_user_terminals(mdadm_t) + +mta_send_mail(mdadm_t) + +optional_policy(` + gpm_dontaudit_getattr_gpmctl(mdadm_t) +') + +optional_policy(` + seutil_sigchld_newrole(mdadm_t) +') + +optional_policy(` + udev_read_db(mdadm_t) +') + +optional_policy(` + unconfined_domain(mdadm_t) +') diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc new file mode 100644 index 0000000..9e81136 --- /dev/null +++ b/policy/modules/system/selinuxutil.fc 
@@ -0,0 +1,57 @@ +# SELinux userland utilities + +# +# /etc +# +/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) +/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) +/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0) +/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) +/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s0) +/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0) +/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0) +/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s0) + +# +# /root +# +/root/\.default_contexts -- gen_context(system_u:object_r:default_context_t,s0) + +# +# /sbin +# +/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0) +/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0) +/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) + +# +# /usr +# +/usr/bin/checkpolicy -- gen_context(system_u:object_r:checkpolicy_exec_t,s0) +/usr/bin/newrole -- gen_context(system_u:object_r:newrole_exec_t,s0) + +/usr/lib(64)?/selinux(/.*)? 
gen_context(system_u:object_r:policy_src_t,s0) + +/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0) +/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) +/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) +/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) +/usr/sbin/setsebool -- gen_context(system_u:object_r:setsebool_exec_t,s0) +/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0) +/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) +/usr/share/system-config-selinux/system-config-selinux-dbus\.py -- gen_context(system_u:object_r:semanage_exec_t,s0) + +# +# /var/run +# +/var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0) + +# +# /var/lib +# +/var/lib/selinux(/.*)? gen_context(system_u:object_r:selinux_var_lib_t,s0) + +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if new file mode 100644 index 0000000..bbaa8cf --- /dev/null +++ b/policy/modules/system/selinuxutil.if 
@@ -0,0 +1,1491 @@ +## <summary>Policy for SELinux policy and userland applications.</summary> + +####################################### +## <summary> +## Execute checkpolicy in the checkpolicy domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`seutil_domtrans_checkpolicy',` + gen_require(` + type checkpolicy_t, checkpolicy_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, checkpolicy_exec_t, checkpolicy_t) +') + +######################################## +## <summary> +## Execute checkpolicy in the checkpolicy domain, and +## allow the specified role the checkpolicy domain, +## and use the caller's terminal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_run_checkpolicy',` + gen_require(` + type checkpolicy_t; + ') + + seutil_domtrans_checkpolicy($1) + role $2 types checkpolicy_t; +') + +######################################## +## <summary> +## Execute checkpolicy in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_exec_checkpolicy',` + gen_require(` + type checkpolicy_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + can_exec($1, checkpolicy_exec_t) +') + +####################################### +## <summary> +## Execute load_policy in the load_policy domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`seutil_domtrans_loadpolicy',` + gen_require(` + type load_policy_t, load_policy_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, load_policy_exec_t, load_policy_t) + + ifdef(`hide_broken_symptoms', ` + dontaudit load_policy_t $1:socket_class_set { read write }; + ') +') + +######################################## +## <summary> +## Execute load_policy in the load_policy domain, and +## allow the specified role the load_policy domain, +## and use the caller's terminal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_run_loadpolicy',` + gen_require(` + type load_policy_t; + ') + + seutil_domtrans_loadpolicy($1) + role $2 types load_policy_t; +') + +######################################## +## <summary> +## Execute load_policy in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`seutil_exec_loadpolicy',` + gen_require(` + type load_policy_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, load_policy_exec_t) +') + +######################################## +## <summary> +## Read the load_policy program file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`seutil_read_loadpolicy',` + gen_require(` + type load_policy_exec_t; + ') + + corecmd_search_bin($1) + allow $1 load_policy_exec_t:file read_file_perms; +') + +####################################### +## <summary> +## Execute newrole in the newole domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`seutil_domtrans_newrole',` + gen_require(` + type newrole_t, newrole_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, newrole_exec_t, newrole_t) +') + +######################################## +## <summary> +## Execute newrole in the newrole domain, and +## allow the specified role the newrole domain, +## and use the caller's terminal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_run_newrole',` + gen_require(` + type newrole_t; + ') + + seutil_domtrans_newrole($1) + role $2 types newrole_t; + + auth_run_upd_passwd(newrole_t, $2) +') + +######################################## +## <summary> +## Execute newrole in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`seutil_exec_newrole',` + gen_require(` + type newrole_t, newrole_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + can_exec($1, newrole_exec_t) +') + +######################################## +## <summary> +## Do not audit the caller attempts to send +## a signal to newrole. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`seutil_dontaudit_signal_newrole',` + gen_require(` + type newrole_t; + ') + + dontaudit $1 newrole_t:process signal; +') + +######################################## +## <summary> +## Send a SIGCHLD signal to newrole. +## </summary> +## <desc> +## <p> +## Allow the specified domain to send a SIGCHLD +## signal to newrole. This signal is automatically +## sent from a process that is terminating to +## its parent. This may be needed by domains +## that are executed from newrole. 
+## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="write" weight="1"/> +# +interface(`seutil_sigchld_newrole',` + gen_require(` + type newrole_t; + ') + + allow $1 newrole_t:process sigchld; +') + +######################################## +## <summary> +## Inherit and use newrole file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`seutil_use_newrole_fds',` + gen_require(` + type newrole_t; + ') + + allow $1 newrole_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to inherit and use +## newrole file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`seutil_dontaudit_use_newrole_fds',` + gen_require(` + type newrole_t; + ') + + dontaudit $1 newrole_t:fd use; +') + +####################################### +## <summary> +## Execute restorecon in the restorecon domain. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`seutil_domtrans_restorecon',` + refpolicywarn(`$0($*) has been deprecated, please use seutil_domtrans_setfiles() instead.') + seutil_domtrans_setfiles($1) +') + +######################################## +## <summary> +## Execute restorecon in the restorecon domain, and +## allow the specified role the restorecon domain, +## and use the caller's terminal. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_run_restorecon',` + refpolicywarn(`$0($*) has been deprecated, please use seutil_run_setfiles() instead.') + seutil_run_setfiles($1,$2) +') + +######################################## +## <summary> +## Execute restorecon in the caller domain. (Deprecated) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_exec_restorecon',` + refpolicywarn(`$0($*) has been deprecated, please use seutil_exec_setfiles() instead.') + seutil_exec_setfiles($1) +') + +######################################## +## <summary> +## Execute restorecond in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_exec_restorecond',` + gen_require(` + type restorecond_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + can_exec($1, restorecond_exec_t) +') + +######################################## +## <summary> +## Execute run_init in the run_init domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`seutil_domtrans_runinit',` + gen_require(` + type run_init_t, run_init_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, run_init_exec_t, run_init_t) +') + +######################################## +## <summary> +## Execute init scripts in the run_init domain. +## </summary> +## <desc> +## <p> +## Execute init scripts in the run_init domain. +## This is used for the Gentoo integrated run_init. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`seutil_init_script_domtrans_runinit',` + gen_require(` + type run_init_t; + ') + + init_script_file_domtrans($1, run_init_t) + + allow run_init_t $1:fd use; + allow run_init_t $1:fifo_file rw_file_perms; + allow run_init_t $1:process sigchld; +') + +######################################## +## <summary> +## Execute run_init in the run_init domain, and +## allow the specified role the run_init domain, +## and use the caller's terminal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_run_runinit',` + gen_require(` + type run_init_t; + role system_r; + ') + + auth_run_chk_passwd(run_init_t, $2) + seutil_domtrans_runinit($1) + role $2 types run_init_t; + + allow $2 system_r; +') + +######################################## +## <summary> +## Execute init scripts in the run_init domain, and +## allow the specified role the run_init domain, +## and use the caller's terminal. +## </summary> +## <desc> +## <p> +## Execute init scripts in the run_init domain, and +## allow the specified role the run_init domain, +## and use the caller's terminal. +## </p> +## <p> +## This is used for the Gentoo integrated run_init. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`seutil_init_script_run_runinit',` + gen_require(` + type run_init_t; + role system_r; + ') + + auth_run_chk_passwd(run_init_t, $2) + seutil_init_script_domtrans_runinit($1) + role $2 types run_init_t; + + allow $2 system_r; +') + +######################################## +## <summary> +## Inherit and use run_init file descriptors. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`seutil_use_runinit_fds',` + gen_require(` + type run_init_t; + ') + + allow $1 run_init_t:fd use; +') + +######################################## +## <summary> +## Execute setfiles in the setfiles domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`seutil_domtrans_setfiles',` + gen_require(` + type setfiles_t, setfiles_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, setfiles_exec_t, setfiles_t) + + ifdef(`hide_broken_symptoms', ` + dontaudit setfiles_t $1:socket_class_set { read write }; + ') +') + +######################################## +## <summary> +## Execute setfiles in the setfiles domain, and +## allow the specified role the setfiles domain, +## and use the caller's terminal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_run_setfiles',` + gen_require(` + type setfiles_t; + ') + + seutil_domtrans_setfiles($1) + role $2 types setfiles_t; +') + +######################################## +## <summary> +## Execute setfiles in the setfiles domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`seutil_domtrans_setfiles_mac',` + gen_require(` + type setfiles_mac_t, setfiles_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t) +') + +######################################## +## <summary> +## Execute setfiles in the setfiles_mac domain, and +## allow the specified role the setfiles_mac domain, +## and use the caller's terminal. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the setfiles_mac domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_run_setfiles_mac',` + gen_require(` + type setfiles_mac_t; + ') + + seutil_domtrans_setfiles_mac($1) + role $2 types setfiles_mac_t; +') + +######################################## +## <summary> +## Execute setfiles in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`seutil_exec_setfiles',` + gen_require(` + type setfiles_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + can_exec($1, setfiles_exec_t) +') + +######################################## +## <summary> +## Do not audit attempts to search the SELinux +## configuration directory (/etc/selinux). +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`seutil_dontaudit_search_config',` + gen_require(` + type selinux_config_t; + ') + + dontaudit $1 selinux_config_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to read the SELinux +## userland configuration (/etc/selinux). +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`seutil_dontaudit_read_config',` + gen_require(` + type selinux_config_t; + ') + + dontaudit $1 selinux_config_t:dir search_dir_perms; + dontaudit $1 selinux_config_t:file read_file_perms; +') + +######################################## +## <summary> +## Read the general SELinux configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_read_config',` + gen_require(` + type selinux_config_t; + ') + + files_search_etc($1) + allow $1 selinux_config_t:dir list_dir_perms; + read_files_pattern($1, selinux_config_t, selinux_config_t) + read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) +') + +######################################## +## <summary> +## Read and write the general SELinux configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_rw_config',` + gen_require(` + type selinux_config_t; + ') + + files_search_etc($1) + allow $1 selinux_config_t:dir list_dir_perms; + rw_files_pattern($1, selinux_config_t, selinux_config_t) +') + +####################################### +## <summary> +## Create, read, write, and delete +## the general selinux configuration files. (Deprecated) +## </summary> +## <desc> +## <p> +## Create, read, write, and delete +## the general selinux configuration files. +## </p> +## <p> +## This interface has been deprecated, please +## use the seutil_manage_config() interface instead. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_manage_selinux_config',` + refpolicywarn(`$0($*) has been deprecated. Please use seutil_manage_config() instead.') + seutil_manage_config($1) +') + +####################################### +## <summary> +## Create, read, write, and delete +## the general selinux configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_manage_config',` + gen_require(` + type selinux_config_t; + ') + + files_search_etc($1) + manage_dirs_pattern($1, selinux_config_t, selinux_config_t) + manage_files_pattern($1, selinux_config_t, selinux_config_t) + read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) +') + +####################################### +## <summary> +## Create, read, write, and delete +## the general selinux configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_manage_config_dirs',` + gen_require(` + type selinux_config_t; + ') + + files_search_etc($1) + allow $1 selinux_config_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Search the policy directory with default_context files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`seutil_search_default_contexts',` + gen_require(` + type selinux_config_t, default_context_t; + ') + + files_search_etc($1) + search_dirs_pattern($1, selinux_config_t, default_context_t) +') + +######################################## +## <summary> +## Read the default_contexts files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_read_default_contexts',` + gen_require(` + type selinux_config_t, default_context_t; + ') + + files_search_etc($1) + allow $1 selinux_config_t:dir search_dir_perms; + allow $1 default_context_t:dir list_dir_perms; + read_files_pattern($1, default_context_t, default_context_t) +') + +######################################## +## <summary> +## Create, read, write, and delete the default_contexts files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`seutil_manage_default_contexts',` + gen_require(` + type selinux_config_t, default_context_t; + ') + + files_search_etc($1) + allow $1 selinux_config_t:dir search_dir_perms; + manage_files_pattern($1, default_context_t, default_context_t) +') + +######################################## +## <summary> +## Read the file_contexts files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_read_file_contexts',` + gen_require(` + type selinux_config_t, default_context_t, file_context_t; + ') + + files_search_etc($1) + allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; + read_files_pattern($1, file_context_t, file_context_t) +') + +######################################## +## <summary> +## Do not audit attempts to read the file_contexts files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_dontaudit_read_file_contexts',` + gen_require(` + type selinux_config_t, default_context_t, file_context_t; + ') + + dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms; + dontaudit $1 file_context_t:file read_file_perms; +') + +######################################## +## <summary> +## Read and write the file_contexts files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`seutil_rw_file_contexts',` + gen_require(` + type selinux_config_t, file_context_t, default_context_t; + ') + + files_search_etc($1) + allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; + rw_files_pattern($1, file_context_t, file_context_t) +') + +######################################## +## <summary> +## Create, read, write, and delete the file_contexts files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_manage_file_contexts',` + gen_require(` + type selinux_config_t, file_context_t, default_context_t; + ') + + files_search_etc($1) + allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; + manage_files_pattern($1, file_context_t, file_context_t) +') + +######################################## +## <summary> +## Read the SELinux binary policy. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`seutil_read_bin_policy',` + gen_require(` + type selinux_config_t, policy_config_t; + ') + + files_search_etc($1) + allow $1 selinux_config_t:dir search_dir_perms; + read_files_pattern($1, policy_config_t, policy_config_t) +') + +######################################## +## <summary> +## Create the SELinux binary policy. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`seutil_create_bin_policy',` + gen_require(` +# attribute can_write_binary_policy; + type selinux_config_t, policy_config_t; + ') + + files_search_etc($1) + allow $1 selinux_config_t:dir search_dir_perms; + create_files_pattern($1, policy_config_t, policy_config_t) + write_files_pattern($1, policy_config_t, policy_config_t) +# typeattribute $1 can_write_binary_policy; +') + +######################################## +## <summary> +## Allow the caller to relabel a file to the binary policy type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`seutil_relabelto_bin_policy',` + gen_require(` + attribute can_relabelto_binary_policy; + type policy_config_t; + ') + + allow $1 policy_config_t:file relabelto; + typeattribute $1 can_relabelto_binary_policy; +') + +######################################## +## <summary> +## Create, read, write, and delete the SELinux +## binary policy. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`seutil_manage_bin_policy',` + gen_require(` + attribute can_write_binary_policy; + type selinux_config_t, policy_config_t; + ') + + files_search_etc($1) + allow $1 selinux_config_t:dir search_dir_perms; + manage_files_pattern($1, policy_config_t, policy_config_t) + typeattribute $1 can_write_binary_policy; +') + +######################################## +## <summary> +## Read SELinux policy source files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`seutil_read_src_policy',` + gen_require(` + type selinux_config_t, policy_src_t; + ') + + files_search_etc($1) + list_dirs_pattern($1, selinux_config_t, policy_src_t) + read_files_pattern($1, policy_src_t, policy_src_t) +') + +######################################## +## <summary> +## Create, read, write, and delete SELinux +## policy source files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_manage_src_policy',` + gen_require(` + type selinux_config_t, policy_src_t; + ') + + files_search_etc($1) + allow $1 selinux_config_t:dir search_dir_perms; + manage_dirs_pattern($1, policy_src_t, policy_src_t) + manage_files_pattern($1, policy_src_t, policy_src_t) +') + +######################################## +## <summary> +## Execute a domain transition to run semanage. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`seutil_domtrans_semanage',` + gen_require(` + type semanage_t, semanage_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, semanage_exec_t, semanage_t) + + ifdef(`hide_broken_symptoms', ` + dontaudit semanage_t $1:socket_class_set { read write }; + ') +') + +######################################## +## <summary> +## Execute a domain transition to run setsebool. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`seutil_domtrans_setsebool',` + gen_require(` + type setsebool_t, setsebool_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, setsebool_exec_t, setsebool_t) +') + +######################################## +## <summary> +## Execute semanage in the semanage domain, and +## allow the specified role the semanage domain, +## and use the caller's terminal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_run_semanage',` + gen_require(` + type semanage_t; + ') + + seutil_domtrans_semanage($1) + seutil_run_setfiles(semanage_t, $2) + seutil_run_loadpolicy(semanage_t, $2) + role $2 types semanage_t; +') + +######################################## +## <summary> +## Execute setsebool in the semanage domain, and +## allow the specified role the semanage domain, +## and use the caller's terminal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the setsebool domain. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`seutil_run_setsebool',` + gen_require(` + type semanage_t; + ') + + seutil_domtrans_setsebool($1) + role $2 types setsebool_t; +') + +######################################## +## <summary> +## Full management of the semanage +## module store. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`seutil_read_module_store',` + gen_require(` + type selinux_config_t, semanage_store_t; + ') + + files_search_etc($1) + list_dirs_pattern($1, selinux_config_t, semanage_store_t) + read_files_pattern($1, semanage_store_t, semanage_store_t) +') + +######################################## +## <summary> +## Full management of the semanage +## module store. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`seutil_manage_module_store',` + gen_require(` + type selinux_config_t, semanage_store_t; + ') + + files_search_etc($1) + manage_dirs_pattern($1, selinux_config_t, semanage_store_t) + manage_files_pattern($1, semanage_store_t, semanage_store_t) + filetrans_pattern($1, selinux_config_t, semanage_store_t, dir) +') + +####################################### +## <summary> +## Get read lock on module store +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`seutil_get_semanage_read_lock',` + gen_require(` + type selinux_config_t, semanage_read_lock_t; + ') + + files_search_etc($1) + rw_files_pattern($1, selinux_config_t, semanage_read_lock_t) +') + +####################################### +## <summary> +## Get trans lock on module store +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`seutil_get_semanage_trans_lock',` + gen_require(` + type selinux_config_t, semanage_trans_lock_t; + ') + + files_search_etc($1) + rw_files_pattern($1, selinux_config_t, semanage_trans_lock_t) +') + +######################################## +## <summary> +## SELinux-enabled program access for +## libselinux-linked programs. +## </summary> +## <desc> +## <p> +## SELinux-enabled programs are typically +## linked to the libselinux library. This +## interface will allow access required for +## the libselinux constructor to function. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`seutil_libselinux_linked',` + selinux_get_fs_mount($1) + seutil_read_config($1) +') + +######################################## +## <summary> +## Do not audit SELinux-enabled program access for +## libselinux-linked programs. +## </summary> +## <desc> +## <p> +## SELinux-enabled programs are typically +## linked to the libselinux library. This +## interface will dontaudit access required for +## the libselinux constructor to function. +## </p> +## <p> +## Generally this should not be used on anything +## but simple SELinux-enabled programs that do not +## rely on data initialized by the libselinux +## constructor. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`seutil_dontaudit_libselinux_linked',` + selinux_dontaudit_get_fs_mount($1) + seutil_dontaudit_read_config($1) +') + +####################################### +## <summary> +## All rules necessary to run semanage command +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`seutil_semanage_policy',` + gen_require(` + type semanage_tmp_t; + type policy_config_t; + ') + allow $1 self:capability { dac_override sys_resource }; + dontaudit $1 self:capability sys_tty_config; + allow $1 self:process signal; + allow $1 self:unix_stream_socket create_stream_socket_perms; + allow $1 self:unix_dgram_socket create_socket_perms; + logging_send_audit_msgs($1) + + # Running genhomedircon requires this for finding all users + auth_use_nsswitch($1) + + allow $1 policy_config_t:file { read write }; + + allow $1 semanage_tmp_t:dir manage_dir_perms; + allow $1 semanage_tmp_t:file manage_file_perms; + files_tmp_filetrans($1, semanage_tmp_t, { file dir }) + + kernel_read_system_state($1) + kernel_read_kernel_sysctls($1) + + corecmd_exec_bin($1) + corecmd_exec_shell($1) + + dev_read_urand($1) + + domain_use_interactive_fds($1) + + files_read_etc_files($1) + files_read_etc_runtime_files($1) + files_read_usr_files($1) + files_list_pids($1) + fs_list_inotifyfs($1) + fs_getattr_all_fs($1) + + mls_file_write_all_levels($1) + mls_file_read_all_levels($1) + + selinux_getattr_fs($1) + selinux_validate_context($1) + selinux_get_enforce_mode($1) + + term_use_all_terms($1) + + locallogin_use_fds($1) + + logging_send_syslog_msg($1) + + miscfiles_read_localization($1) + + seutil_search_default_contexts($1) + seutil_domtrans_loadpolicy($1) + seutil_read_config($1) + seutil_manage_bin_policy($1) + seutil_use_newrole_fds($1) + seutil_manage_module_store($1) + seutil_get_semanage_trans_lock($1) + seutil_get_semanage_read_lock($1) + + userdom_dontaudit_write_user_home_content_files($1) + +') + + +####################################### +## <summary> +## All rules necessary to run setfiles command +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`seutil_setfiles',` + +allow $1 self:capability { dac_override dac_read_search fowner }; +dontaudit $1 self:capability sys_tty_config; +allow $1 self:fifo_file rw_file_perms; +dontaudit $1 self:dir relabelfrom; +dontaudit $1 self:file relabelfrom; +dontaudit $1 self:lnk_file relabelfrom; + + +allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms; +allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms; +allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; + +logging_send_audit_msgs($1) + +kernel_read_system_state($1) +kernel_relabelfrom_unlabeled_dirs($1) +kernel_relabelfrom_unlabeled_files($1) +kernel_relabelfrom_unlabeled_symlinks($1) +kernel_relabelfrom_unlabeled_pipes($1) +kernel_relabelfrom_unlabeled_sockets($1) +kernel_use_fds($1) +kernel_rw_pipes($1) +kernel_rw_unix_dgram_sockets($1) +kernel_dontaudit_list_all_proc($1) +kernel_read_all_sysctls($1) +kernel_read_network_state_symlinks($1) + +dev_relabel_all_dev_nodes($1) + +domain_use_interactive_fds($1) +domain_read_all_domains_state($1) + +files_read_etc_runtime_files($1) +files_read_etc_files($1) +files_list_all($1) +files_relabel_all_files($1) +files_list_isid_type_dirs($1) +files_read_isid_type_files($1) +files_dontaudit_read_all_symlinks($1) + +fs_getattr_xattr_fs($1) +fs_list_all($1) +fs_getattr_all_files($1) +fs_search_auto_mountpoints($1) +fs_relabelfrom_noxattr_fs($1) + +mls_file_read_all_levels($1) +mls_file_write_all_levels($1) +mls_file_upgrade($1) +mls_file_downgrade($1) + +selinux_validate_context($1) +selinux_compute_access_vector($1) +selinux_compute_create_context($1) +selinux_compute_relabel_context($1) +selinux_compute_user_contexts($1) + +term_use_all_terms($1) + +# this is to satisfy the assertion: +auth_relabelto_shadow($1) + +init_use_fds($1) +init_use_script_fds($1) +init_use_script_ptys($1) 
+init_exec_script_files($1) + +logging_send_syslog_msg($1) + +miscfiles_read_localization($1) + +seutil_libselinux_linked($1) + +userdom_use_all_users_fds($1) +# for config files in a home directory +userdom_read_user_home_content_files($1) + +ifdef(`distro_debian',` + # udev tmpfs is populated with static device nodes + # and then relabeled afterwards; thus + # /dev/console has the tmpfs type + fs_rw_tmpfs_chr_files($1) +') + +ifdef(`distro_redhat',` + fs_rw_tmpfs_chr_files($1) + fs_rw_tmpfs_blk_files($1) + fs_relabel_tmpfs_blk_file($1) + fs_relabel_tmpfs_chr_file($1) +') + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain($1) + ') +') + +optional_policy(` + hotplug_use_fds($1) +') +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te new file mode 100644 index 0000000..edee963 --- /dev/null +++ b/policy/modules/system/selinuxutil.te 
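Review bot: In seutil_run_setsebool the gen_require block lists `type semanage_t;` while the body applies `role $2 types setsebool_t;`, so the one type the rule actually needs is never required; change the require to `type setsebool_t;`. seutil_setfiles references `policy_src_t policy_config_t file_context_t default_context_t` with no gen_require block at all (every other interface in this file has one), its body is unindented, and under distro_ubuntu it calls `unconfined_domain($1)`, which makes any caller of this interface unconfined instead of granting it the setfiles rules above; that branch belongs in the setfiles_t domain in the .te rather than in a reusable interface, and at minimum needs a comment saying why it is there. Several summaries do not describe the rules they sit on: seutil_read_module_store says "Full management of the semanage module store" but grants only list and read access; seutil_manage_config_dirs says it creates, reads, writes and deletes the configuration files but grants only `dir manage_dir_perms`; seutil_domtrans_setfiles_mac says "Execute setfiles in the setfiles domain" while it transitions to setfiles_mac_t; seutil_run_setsebool says "in the semanage domain"; and seutil_domtrans_newrole reads "newole domain". Minor: seutil_exec_newrole requires newrole_t without using it, seutil_create_bin_policy carries a commented-out attribute require and `typeattribute $1 can_write_binary_policy;` with no note on why, and the domain parameter of seutil_run_setfiles_mac is described as "Domain allowed access" where the other run_ interfaces say "Domain allowed to transition".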
@@ -0,0 +1,541 @@ +policy_module(selinuxutil, 1.14.0) + +gen_require(` + bool secure_mode; +') + +######################################## +# +# Declarations +# + +attribute can_write_binary_policy; +attribute can_relabelto_binary_policy; + +# +# selinux_config_t is the type applied to +# /etc/selinux/config +# +# cjp: this is out of order due to rules +# in the domain_type interface +# (fix dup decl) +type selinux_config_t; +files_type(selinux_config_t) + +type selinux_var_lib_t; +files_type(selinux_var_lib_t) + +type checkpolicy_t, can_write_binary_policy; +type checkpolicy_exec_t; +application_domain(checkpolicy_t, checkpolicy_exec_t) +role system_r types checkpolicy_t; + +# +# default_context_t is the type applied to +# /etc/selinux/*/contexts/* +# +type default_context_t; +files_type(default_context_t) + +# +# file_context_t is the type applied to +# /etc/selinux/*/contexts/files +# +type file_context_t; +files_type(file_context_t) + +type load_policy_t; +type load_policy_exec_t; +application_domain(load_policy_t, load_policy_exec_t) +role system_r types load_policy_t; + +type newrole_t; +type newrole_exec_t; +application_domain(newrole_t, newrole_exec_t) +domain_role_change_exemption(newrole_t) +domain_obj_id_change_exemption(newrole_t) +domain_interactive_fd(newrole_t) + +# +# policy_config_t is the type of /etc/security/selinux/* +# the security server policy configuration. +# +#type policy_config_t; +#files_type(policy_config_t) +typealias semanage_store_t alias policy_config_t; + +neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; +#neverallow ~can_write_binary_policy policy_config_t:file { write append }; + +# +# policy_src_t is the type of the policy source +# files. 
+# +type policy_src_t; +files_type(policy_src_t) + +type restorecond_t; +type restorecond_exec_t; +init_daemon_domain(restorecond_t, restorecond_exec_t) +domain_obj_id_change_exemption(restorecond_t) + +type restorecond_var_run_t; +files_pid_file(restorecond_var_run_t) + +type run_init_t; +type run_init_exec_t; +application_domain(run_init_t, run_init_exec_t) +domain_system_change_exemption(run_init_t) +role system_r types run_init_t; + +type semanage_t; +type semanage_exec_t; +application_domain(semanage_t, semanage_exec_t) +dbus_system_domain(semanage_t, semanage_exec_t) +domain_interactive_fd(semanage_t) +role system_r types semanage_t; + +type setsebool_t; +type setsebool_exec_t; +init_system_domain(setsebool_t, setsebool_exec_t) + +type semanage_store_t; +files_type(semanage_store_t) + +type semanage_read_lock_t; +files_type(semanage_read_lock_t) + +type semanage_tmp_t; +files_tmp_file(semanage_tmp_t) + +type semanage_trans_lock_t; +files_type(semanage_trans_lock_t) + +type setfiles_t alias restorecon_t, can_relabelto_binary_policy; +type setfiles_exec_t alias restorecon_exec_t; +init_system_domain(setfiles_t, setfiles_exec_t) +domain_obj_id_change_exemption(setfiles_t) + +type setfiles_mac_t; +domain_type(setfiles_mac_t) +domain_entry_file(setfiles_mac_t, setfiles_exec_t) +domain_obj_id_change_exemption(setfiles_mac_t) + +######################################## +# +# Checkpolicy local policy +# + +allow checkpolicy_t self:capability dac_override; + +# able to create and modify binary policy files +manage_files_pattern(checkpolicy_t, policy_config_t, policy_config_t) + +# allow test policies to be created in src directories +filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file) + +# only allow read of policy source files +read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t) +read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t) +allow checkpolicy_t selinux_config_t:dir search_dir_perms; + 
+domain_use_interactive_fds(checkpolicy_t) + +files_list_usr(checkpolicy_t) +# directory search permissions for path to source and binary policy files +files_search_etc(checkpolicy_t) + +fs_getattr_xattr_fs(checkpolicy_t) + +term_use_console(checkpolicy_t) + +init_use_fds(checkpolicy_t) +init_use_script_ptys(checkpolicy_t) + +userdom_use_user_terminals(checkpolicy_t) +userdom_use_all_users_fds(checkpolicy_t) + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(checkpolicy_t) + ') +') + +######################################## +# +# Load_policy local policy +# + +allow load_policy_t self:capability dac_override; + +# only allow read of policy config files +read_files_pattern(load_policy_t,{ policy_src_t policy_config_t },policy_config_t) + +domain_use_interactive_fds(load_policy_t) + +# for mcs.conf +files_read_etc_files(load_policy_t) +files_read_etc_runtime_files(load_policy_t) + +fs_getattr_xattr_fs(load_policy_t) + +mls_file_read_all_levels(load_policy_t) + +selinux_load_policy(load_policy_t) +selinux_set_all_booleans(load_policy_t) + +term_use_console(load_policy_t) +term_list_ptys(load_policy_t) + +init_use_script_fds(load_policy_t) +init_use_script_ptys(load_policy_t) +init_write_script_pipes(load_policy_t) + +miscfiles_read_localization(load_policy_t) + +seutil_libselinux_linked(load_policy_t) + +userdom_use_user_terminals(load_policy_t) +userdom_use_all_users_fds(load_policy_t) + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(load_policy_t) + ') +') + +ifdef(`hide_broken_symptoms',` + # cjp: cover up stray file descriptors. 
+ dontaudit load_policy_t selinux_config_t:file write; + + optional_policy(` + unconfined_dontaudit_read_pipes(load_policy_t) + ') +') + +######################################## +# +# Newrole local policy +# + +allow newrole_t self:capability { fowner setuid setgid dac_override }; +allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; +allow newrole_t self:process setexec; +allow newrole_t self:fd use; +allow newrole_t self:fifo_file rw_fifo_file_perms; +allow newrole_t self:sock_file read_sock_file_perms; +allow newrole_t self:shm create_shm_perms; +allow newrole_t self:sem create_sem_perms; +allow newrole_t self:msgq create_msgq_perms; +allow newrole_t self:msg { send receive }; +allow newrole_t self:unix_dgram_socket sendto; +allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; +logging_send_audit_msgs(newrole_t) + +read_files_pattern(newrole_t, default_context_t, default_context_t) +read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) + +kernel_read_system_state(newrole_t) +kernel_read_kernel_sysctls(newrole_t) + +corecmd_list_bin(newrole_t) +corecmd_read_bin_symlinks(newrole_t) + +dev_read_urand(newrole_t) + +domain_use_interactive_fds(newrole_t) +# for when the user types "exec newrole" at the command line: +domain_sigchld_interactive_fds(newrole_t) + +files_read_etc_files(newrole_t) +files_read_var_files(newrole_t) +files_read_var_symlinks(newrole_t) + +fs_getattr_xattr_fs(newrole_t) +fs_search_auto_mountpoints(newrole_t) + +mls_file_read_all_levels(newrole_t) +mls_file_write_all_levels(newrole_t) +mls_file_upgrade(newrole_t) +mls_file_downgrade(newrole_t) +mls_process_set_level(newrole_t) +mls_fd_share_all_levels(newrole_t) + +selinux_validate_context(newrole_t) +selinux_compute_access_vector(newrole_t) +selinux_compute_create_context(newrole_t) +selinux_compute_relabel_context(newrole_t) +selinux_compute_user_contexts(newrole_t) + 
+term_use_all_ttys(newrole_t) +term_use_all_ptys(newrole_t) +term_relabel_all_ttys(newrole_t) +term_relabel_all_ptys(newrole_t) +term_getattr_unallocated_ttys(newrole_t) +term_dontaudit_use_unallocated_ttys(newrole_t) + +auth_use_pam(newrole_t) + +# Write to utmp. +init_rw_utmp(newrole_t) +init_use_fds(newrole_t) + +miscfiles_read_localization(newrole_t) + +seutil_libselinux_linked(newrole_t) + +userdom_use_unpriv_users_fds(newrole_t) +# for some PAM modules and for cwd +userdom_dontaudit_search_user_home_content(newrole_t) +userdom_search_user_home_dirs(newrole_t) + +optional_policy(` + xserver_dontaudit_exec_xauth(newrole_t) +') + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(newrole_t) + ') +') + +# if secure mode is enabled, then newrole +# can only transition to unprivileged users +if(secure_mode) { + userdom_spec_domtrans_unpriv_users(newrole_t) +} else { + userdom_spec_domtrans_all_users(newrole_t) +} + +tunable_policy(`allow_polyinstantiation',` + files_polyinstantiate_all(newrole_t) +') + +######################################## +# +# Restorecond local policy +# + +allow restorecond_t self:capability { dac_override dac_read_search fowner }; +allow restorecond_t self:fifo_file rw_fifo_file_perms; + +allow restorecond_t restorecond_var_run_t:file manage_file_perms; +files_pid_filetrans(restorecond_t, restorecond_var_run_t, file) + +kernel_use_fds(restorecond_t) +kernel_rw_pipes(restorecond_t) +kernel_read_system_state(restorecond_t) + +files_dontaudit_read_all_symlinks(restorecond_t) + +fs_relabelfrom_noxattr_fs(restorecond_t) +fs_dontaudit_list_nfs(restorecond_t) +fs_getattr_xattr_fs(restorecond_t) +fs_list_inotifyfs(restorecond_t) + +selinux_validate_context(restorecond_t) +selinux_compute_access_vector(restorecond_t) +selinux_compute_create_context(restorecond_t) +selinux_compute_relabel_context(restorecond_t) +selinux_compute_user_contexts(restorecond_t) + +auth_relabel_all_files_except_shadow(restorecond_t ) 
+auth_read_all_files_except_shadow(restorecond_t) +auth_use_nsswitch(restorecond_t) + +locallogin_dontaudit_use_fds(restorecond_t) + +logging_send_syslog_msg(restorecond_t) + +miscfiles_read_localization(restorecond_t) + +seutil_libselinux_linked(restorecond_t) + +userdom_read_user_home_content_symlinks(restorecond_t) + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(restorecond_t) + ') +') + +optional_policy(` + rpm_use_script_fds(restorecond_t) +') + +################################# +# +# Run_init local policy +# + +allow run_init_t self:process setexec; +allow run_init_t self:capability setuid; +allow run_init_t self:fifo_file rw_file_perms; +logging_send_audit_msgs(run_init_t) + +# often the administrator runs such programs from a directory that is owned +# by a different user or has restrictive SE permissions, do not want to audit +# the failed access to the current directory +dontaudit run_init_t self:capability { dac_override dac_read_search }; + +corecmd_exec_bin(run_init_t) +corecmd_exec_shell(run_init_t) + +dev_dontaudit_list_all_dev_nodes(run_init_t) + +domain_use_interactive_fds(run_init_t) + +files_read_etc_files(run_init_t) +files_dontaudit_search_all_dirs(run_init_t) + +fs_getattr_xattr_fs(run_init_t) + +mls_rangetrans_source(run_init_t) + +selinux_validate_context(run_init_t) +selinux_compute_access_vector(run_init_t) +selinux_compute_create_context(run_init_t) +selinux_compute_relabel_context(run_init_t) +selinux_compute_user_contexts(run_init_t) + +auth_use_nsswitch(run_init_t) +auth_domtrans_chk_passwd(run_init_t) +auth_domtrans_upd_passwd(run_init_t) +auth_dontaudit_read_shadow(run_init_t) + +init_spec_domtrans_script(run_init_t) +# for utmp +init_rw_utmp(run_init_t) + +logging_send_syslog_msg(run_init_t) + +miscfiles_read_localization(run_init_t) + +seutil_libselinux_linked(run_init_t) +seutil_read_default_contexts(run_init_t) + +userdom_use_user_terminals(run_init_t) + +ifndef(`direct_sysadm_daemon',` + 
ifdef(`distro_gentoo',` + # Gentoo integrated run_init: + init_script_file_entry_type(run_init_t) + ') +') + +optional_policy(` + rpm_domtrans(run_init_t) +') + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(run_init_t) + ') +') + +optional_policy(` + daemontools_domtrans_start(run_init_t) +') + +######################################## +# +# semodule local policy +# + +seutil_semanage_policy(semanage_t) +allow semanage_t self:fifo_file rw_fifo_file_perms; + +manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) +manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) + +selinux_set_all_booleans(semanage_t) +can_exec(semanage_t, semanage_exec_t) + +# Admins are creating pp files in random locations +auth_read_all_files_except_shadow(semanage_t) + +seutil_manage_file_contexts(semanage_t) +seutil_manage_config(semanage_t) +seutil_domtrans_setfiles(semanage_t) + +# netfilter_contexts: +seutil_manage_default_contexts(semanage_t) + +ifdef(`distro_debian',` + files_read_var_lib_files(semanage_t) + files_read_var_lib_symlinks(semanage_t) +') + +optional_policy(` + setrans_initrc_domtrans(semanage_t) + domain_system_change_exemption(semanage_t) + consoletype_exec(semanage_t) +') + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(semanage_t) + ') +') + +optional_policy(` + #signal mcstrans on reload + init_spec_domtrans_script(semanage_t) +') + +# cjp: need a more general way to handle this: +ifdef(`enable_mls',` + # read secadm tmp files +',` + # Handle pp files created in homedir and /tmp + userdom_read_user_home_content_files(semanage_t) + userdom_read_user_tmp_files(semanage_t) +') + +userdom_search_admin_dir(semanage_t) + +####################################n#### +# +# setsebool local policy +# +seutil_semanage_policy(setsebool_t) +selinux_set_all_booleans(setsebool_t) + +init_dontaudit_use_fds(setsebool_t) + +# Bug in semanage +seutil_domtrans_setfiles(setsebool_t) 
+seutil_manage_file_contexts(setsebool_t) +seutil_manage_default_contexts(setsebool_t) +seutil_manage_config(setsebool_t) + +######################################## +# +# Setfiles local policy +# + +seutil_setfiles(setfiles_t) +# During boot in Rawhide +term_use_generic_ptys(setfiles_t) + +seutil_setfiles(setfiles_mac_t) +allow setfiles_mac_t self:capability2 mac_admin; +kernel_relabelto_unlabeled(setfiles_mac_t) + +optional_policy(` + files_dontaudit_write_isid_chr_files(setfiles_mac_t) + livecd_dontaudit_leaks(setfiles_mac_t) + livecd_rw_tmp_files(setfiles_mac_t) + dev_dontaudit_write_all_chr_files(setfiles_mac_t) +') + +ifdef(`hide_broken_symptoms',` + optional_policy(` + setroubleshoot_fixit_dontaudit_leaks(setfiles_t) + setroubleshoot_fixit_dontaudit_leaks(setsebool_t) + ') +') + +optional_policy(` + unconfined_domain(setfiles_mac_t) +') diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc new file mode 100644 index 0000000..bea4629 --- /dev/null +++ b/policy/modules/system/setrans.fc @@ -0,0 +1,5 @@ +/etc/rc\.d/init\.d/mcstrans -- gen_context(system_u:object_r:setrans_initrc_exec_t,s0) + +/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) + +/var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if new file mode 100644 index 0000000..efa9c27 --- /dev/null +++ b/policy/modules/system/setrans.if 
@@ -0,0 +1,42 @@ +## <summary>SELinux MLS/MCS label translation service.</summary> + +######################################## +## <summary> +## Execute setrans server in the setrans domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +# +interface(`setrans_initrc_domtrans',` + gen_require(` + type setrans_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, setrans_initrc_exec_t) +') + +####################################### +## <summary> +## Allow a domain to translate contexts. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`setrans_translate_context',` + gen_require(` + type setrans_t, setrans_var_run_t; + class context translate; + ') + + allow $1 self:unix_stream_socket create_stream_socket_perms; + allow $1 setrans_t:context translate; + stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t) + files_list_pids($1) +') diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te new file mode 100644 index 0000000..4488c6d --- /dev/null +++ b/policy/modules/system/setrans.te 
@@ -0,0 +1,88 @@ +policy_module(setrans, 1.7.0) + +gen_require(` + class context contains; +') + +######################################## +# +# Declarations +# + +type setrans_t; +type setrans_exec_t; +init_daemon_domain(setrans_t, setrans_exec_t) +mls_trusted_object(setrans_t) + +type setrans_initrc_exec_t; +init_script_file(setrans_initrc_exec_t) + +type setrans_var_run_t; +files_pid_file(setrans_var_run_t) +mls_trusted_object(setrans_var_run_t) + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(setrans_t, setrans_exec_t, s0 - mcs_systemhigh) +') + +ifdef(`enable_mls',` + init_ranged_daemon_domain(setrans_t, setrans_exec_t, mls_systemhigh) +') + +######################################## +# +# setrans local policy +# + +allow setrans_t self:capability sys_resource; +allow setrans_t self:process { setrlimit getcap setcap signal_perms }; +allow setrans_t self:unix_stream_socket create_stream_socket_perms; +allow setrans_t self:unix_dgram_socket create_socket_perms; +allow setrans_t self:netlink_selinux_socket create_socket_perms; +allow setrans_t self:context contains; + +can_exec(setrans_t, setrans_exec_t) +corecmd_search_bin(setrans_t) + +# create unix domain socket in /var +manage_dirs_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t) +manage_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t) +manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t) +files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir }) + +kernel_read_kernel_sysctls(setrans_t) +kernel_read_proc_symlinks(setrans_t) + +# allow performing getpidcon() on all processes +domain_read_all_domains_state(setrans_t) +domain_dontaudit_search_all_domains_state(setrans_t) +domain_getattr_all_domains(setrans_t) +domain_getsession_all_domains(setrans_t) + +files_read_etc_runtime_files(setrans_t) + +mls_file_read_all_levels(setrans_t) +mls_file_write_all_levels(setrans_t) +mls_net_receive_all_levels(setrans_t) +mls_socket_write_all_levels(setrans_t) 
+mls_process_read_up(setrans_t) +mls_socket_read_all_levels(setrans_t) + +selinux_compute_access_vector(setrans_t) + +term_dontaudit_use_generic_ptys(setrans_t) +term_dontaudit_use_unallocated_ttys(setrans_t) + +init_dontaudit_use_script_ptys(setrans_t) + +locallogin_dontaudit_use_fds(setrans_t) + +logging_send_syslog_msg(setrans_t) + +miscfiles_read_localization(setrans_t) + +seutil_read_config(setrans_t) + +optional_policy(` + rpm_use_script_fds(setrans_t) +') diff --git a/policy/modules/system/sosreport.fc b/policy/modules/system/sosreport.fc new file mode 100644 index 0000000..0928140 --- /dev/null +++ b/policy/modules/system/sosreport.fc @@ -0,0 +1,2 @@ + +/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0) diff --git a/policy/modules/system/sosreport.if b/policy/modules/system/sosreport.if new file mode 100644 index 0000000..fec3374 --- /dev/null +++ b/policy/modules/system/sosreport.if 
@@ -0,0 +1,131 @@ + +## <summary>policy for sosreport</summary> + +######################################## +## <summary> +## Execute a domain transition to run sosreport. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`sosreport_domtrans',` + gen_require(` + type sosreport_t, sosreport_exec_t; + ') + + domtrans_pattern($1, sosreport_exec_t, sosreport_t) +') + + +######################################## +## <summary> +## Execute sosreport in the sosreport domain, and +## allow the specified role the sosreport domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the sosreport domain. +## </summary> +## </param> +# +interface(`sosreport_run',` + gen_require(` + type sosreport_t; + ') + + sosreport_domtrans($1) + role $2 types sosreport_t; +') + +######################################## +## <summary> +## Role access for sosreport +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role +## </summary> +## </param> +# +interface(`sosreport_role',` + gen_require(` + type sosreport_t; + ') + + role $1 types sosreport_t; + + sosreport_domtrans($2) + + ps_process_pattern($2, sosreport_t) + allow $2 sosreport_t:process signal; +') + +######################################## +## <summary> +## Allow the specified domain to read +## sosreport tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sosreport_read_tmp_files',` + gen_require(` + type sosreport_tmp_t; + ') + + files_search_tmp($1) + read_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) +') + +######################################## +## <summary> +## Delete sosreport tmp files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sosreport_delete_tmp_files',` + gen_require(` + type sosreport_tmp_t; + ') + + files_delete_tmp_dir_entry($1) + delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) +') + +######################################## +## <summary> +## Append sosreport tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sosreport_append_tmp_files',` + gen_require(` + type sosreport_tmp_t; + ') + + allow $1 sosreport_tmp_t:file append; +') diff --git a/policy/modules/system/sosreport.te b/policy/modules/system/sosreport.te new file mode 100644 index 0000000..c15bcea --- /dev/null +++ b/policy/modules/system/sosreport.te 
@@ -0,0 +1,154 @@ +policy_module(sosreport,1.0.0) + +######################################## +# +# Declarations +# + +type sosreport_t; +type sosreport_exec_t; +application_domain(sosreport_t, sosreport_exec_t) +role system_r types sosreport_t; + +type sosreport_tmp_t; +files_tmp_file(sosreport_tmp_t) + +type sosreport_tmpfs_t; +files_tmpfs_file(sosreport_tmpfs_t) + +######################################## +# +# sosreport local policy +# + +allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override }; +allow sosreport_t self:process { setsched signull }; + +allow sosreport_t self:fifo_file rw_fifo_file_perms; +allow sosreport_t self:tcp_socket create_stream_socket_perms; +allow sosreport_t self:udp_socket create_socket_perms; +allow sosreport_t self:unix_dgram_socket create_socket_perms; +allow sosreport_t self:netlink_route_socket r_netlink_socket_perms; +allow sosreport_t self:unix_stream_socket create_stream_socket_perms; + +# sosreport tmp files +manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) +manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) +manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) +files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir }) + +manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) +fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t,file) + +kernel_read_network_state(sosreport_t) +kernel_read_all_sysctls(sosreport_t) +kernel_read_software_raid_state(sosreport_t) +kernel_search_debugfs(sosreport_t) +kernel_read_messages(sosreport_t) + +corecmd_exec_all_executables(sosreport_t) + +dev_getattr_all_chr_files(sosreport_t) +dev_getattr_all_blk_files(sosreport_t) +dev_getattr_generic_chr_files(sosreport_t) +dev_getattr_generic_blk_files(sosreport_t) +dev_getattr_mtrr_dev(sosreport_t) + +dev_read_rand(sosreport_t) +dev_read_urand(sosreport_t) +dev_read_raw_memory(sosreport_t) +dev_read_sysfs(sosreport_t) + 
+domain_getattr_all_domains(sosreport_t) +domain_read_all_domains_state(sosreport_t) +domain_getattr_all_sockets(sosreport_t) +domain_getattr_all_pipes(sosreport_t) +domain_signull_all_domains(sosreport_t) + +# for blkid.tab +files_manage_etc_runtime_files(sosreport_t) +files_etc_filetrans_etc_runtime(sosreport_t, file) + +files_getattr_all_sockets(sosreport_t) +files_exec_etc_files(sosreport_t) +files_list_all(sosreport_t) +files_read_config_files(sosreport_t) +files_read_etc_files(sosreport_t) +files_read_generic_tmp_files(sosreport_t) +files_read_usr_files(sosreport_t) +files_read_var_lib_files(sosreport_t) +files_read_var_symlinks(sosreport_t) +files_read_kernel_modules(sosreport_t) +files_read_all_symlinks(sosreport_t) + +fs_getattr_all_fs(sosreport_t) +fs_list_inotifyfs(sosreport_t) + +# cjp: some config files do not have configfile attribute +# sosreport needs to read various files on system +auth_read_all_files_except_shadow(sosreport_t) +auth_use_nsswitch(sosreport_t) + +init_domtrans_script(sosreport_t) + +libs_domtrans_ldconfig(sosreport_t) + +logging_read_all_logs(sosreport_t) +logging_send_syslog_msg(sosreport_t) + +miscfiles_read_localization(sosreport_t) + +# needed by modinfo +modutils_read_module_deps(sosreport_t) + +sysnet_read_config(sosreport_t) + +optional_policy(` + abrt_manage_pid_files(sosreport_t) +') + +optional_policy(` + cups_stream_connect(sosreport_t) +') + +optional_policy(` + dmesg_domtrans(sosreport_t) +') + +optional_policy(` + fstools_domtrans(sosreport_t) +') + +optional_policy(` + dbus_system_bus_client(sosreport_t) + + optional_policy(` + hal_dbus_chat(sosreport_t) + ') +') + +optional_policy(` + lvm_domtrans(sosreport_t) +') + +optional_policy(` + mount_domtrans(sosreport_t) +') + +optional_policy(` + pulseaudio_stream_connect(sosreport_t) +') + +optional_policy(` + rpm_exec(sosreport_t) + rpm_dontaudit_manage_db(sosreport_t) + rpm_read_db(sosreport_t) +') + +optional_policy(` + xserver_stream_connect(sosreport_t) +') + 
+optional_policy(` + unconfined_domain(sosreport_t) +') diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc new file mode 100644 index 0000000..4bb3158 --- /dev/null +++ b/policy/modules/system/sysnetwork.fc 
@@ -0,0 +1,68 @@ + +# +# /bin +# +/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + +# +# /etc +# +/etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) +/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) +/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) +/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) +/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) +/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) + +/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) +/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) + +ifdef(`distro_redhat',` +/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0) +/etc/sysconfig/network-scripts(/.*)? 
gen_context(system_u:object_r:net_conf_t,s0) +') + +# +# /sbin +# +/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0) +/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) +/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0) +/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) +/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + +# +# /usr +# +/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) + +# +# /var +# +/var/lib/dhcp3? -d gen_context(system_u:object_r:dhcp_state_t,s0) +/var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0) +/var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) +/var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) +/var/lib/wifiroamd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) + +/var/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_var_run_t,s0) + +ifdef(`distro_gentoo',` +/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) +') + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if new file mode 100644 index 0000000..350d003 --- /dev/null +++ b/policy/modules/system/sysnetwork.if 
@@ -0,0 +1,877 @@ +## <summary>Policy for network configuration: ifconfig and dhcp client.</summary> + +####################################### +## <summary> +## Execute dhcp client in dhcpc domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`sysnet_domtrans_dhcpc',` + gen_require(` + type dhcpc_t, dhcpc_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, dhcpc_exec_t, dhcpc_t) +') + +######################################## +## <summary> +## Execute DHCP clients in the dhcpc domain, and +## allow the specified role the dhcpc domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`sysnet_run_dhcpc',` + gen_require(` + type dhcpc_t; + ') + + sysnet_domtrans_dhcpc($1) + role $2 types dhcpc_t; + + modutils_run_insmod(dhcpc_t, $2) + + sysnet_run_ifconfig(dhcpc_t, $2) + + optional_policy(` + consoletype_run(dhcpc_t, $2) + ') + + optional_policy(` + hostname_run(dhcpc_t, $2) + ') + + optional_policy(` + netutils_run(dhcpc_t, $2) + netutils_run_ping(dhcpc_t, $2) + ') + + optional_policy(` + networkmanager_run(dhcpc_t, $2) + ') + + optional_policy(` + nis_run_ypbind(dhcpc_t, $2) + ') + + optional_policy(` + nscd_run(dhcpc_t, $2) + ') + + optional_policy(` + ntp_run(dhcpc_t, $2) + ') + + seutil_run_setfiles(dhcpc_t, $2) +') + +######################################## +## <summary> +## Do not audit attempts to use +## the dhcp file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`sysnet_dontaudit_use_dhcpc_fds',` + gen_require(` + type dhcpc_t; + ') + + dontaudit $1 dhcpc_t:fd use; +') + +######################################## +## <summary> +## Send a SIGCHLD signal to the dhcp client. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_sigchld_dhcpc',` + gen_require(` + type dhcpc_t; + ') + + allow $1 dhcpc_t:process sigchld; +') + +######################################## +## <summary> +## Send a kill signal to the dhcp client. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`sysnet_kill_dhcpc',` + gen_require(` + type dhcpc_t; + ') + + allow $1 dhcpc_t:process sigkill; +') + +######################################## +## <summary> +## Send a SIGSTOP signal to the dhcp client. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_sigstop_dhcpc',` + gen_require(` + type dhcpc_t; + ') + + allow $1 dhcpc_t:process sigstop; +') + +######################################## +## <summary> +## Send a null signal to the dhcp client. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_signull_dhcpc',` + gen_require(` + type dhcpc_t; + ') + + allow $1 dhcpc_t:process signull; +') + +######################################## +## <summary> +## Send a generic signal to the dhcp client. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`sysnet_signal_dhcpc',` + gen_require(` + type dhcpc_t; + ') + + allow $1 dhcpc_t:process signal; +') + +######################################## +## <summary> +## Send and receive messages from +## dhcpc over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`sysnet_dbus_chat_dhcpc',` + gen_require(` + type dhcpc_t; + class dbus send_msg; + ') + + allow $1 dhcpc_t:dbus send_msg; + allow dhcpc_t $1:dbus send_msg; +') + +######################################## +## <summary> +## Read and write dhcp configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_rw_dhcp_config',` + gen_require(` + type dhcp_etc_t; + ') + + files_search_etc($1) + allow $1 dhcp_etc_t:file rw_file_perms; +') + +######################################## +## <summary> +## Read dhcp client state files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_read_dhcpc_state',` + gen_require(` + type dhcpc_state_t; + ') + + read_files_pattern($1, dhcpc_state_t, dhcpc_state_t) +') + +####################################### +## <summary> +## Delete the dhcp client state files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_delete_dhcpc_state',` + gen_require(` + type dhcpc_state_t; + ') + + delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t) +') + +######################################## +## <summary> +## Allow caller to relabel dhcpc_state files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_relabelfrom_dhcpc_state',` + + gen_require(` + type dhcpc_state_t; + ') + + allow $1 dhcpc_state_t:file relabelfrom; +') + +####################################### +## <summary> +## Manage the dhcp client state files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`sysnet_manage_dhcpc_state',` + gen_require(` + type dhcpc_state_t; + ') + + manage_files_pattern($1, dhcpc_state_t, dhcpc_state_t) +') + +####################################### +## <summary> +## Set the attributes of network config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_setattr_config',` + gen_require(` + type net_conf_t; + ') + + files_search_etc($1) + allow $1 net_conf_t:file setattr; +') + +####################################### +## <summary> +## Allow caller to relabel net_conf files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_relabelfrom_net_conf',` + + gen_require(` + type net_conf_t; + ') + + allow $1 net_conf_t:file relabelfrom; +') + +###################################### +## <summary> +## Allow caller to relabel net_conf files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_relabelto_net_conf',` + + gen_require(` + type net_conf_t; + ') + + allow $1 net_conf_t:file relabelto; +') + +####################################### +## <summary> +## Read network config files. +## </summary> +## <desc> +## <p> +## Allow the specified domain to read the +## general network configuration files. A +## common example of this is the +## /etc/resolv.conf file, which has domain +## name system (DNS) server IP addresses. +## Typically, most networking processes will +## require the access provided by this interface. +## </p> +## <p> +## Higher-level interfaces which involve +## networking will generally call this interface, +## for example: +## </p> +## <ul> +## <li>sysnet_dns_name_resolve()</li> +## <li>sysnet_use_ldap()</li> +## <li>sysnet_use_portmap()</li> +## </ul> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`sysnet_read_config',` + gen_require(` + type net_conf_t; + ') + + files_search_etc($1) + allow $1 net_conf_t:file read_file_perms; + + ifdef(`distro_redhat',` + allow $1 net_conf_t:dir list_dir_perms; + read_files_pattern($1, net_conf_t, net_conf_t) + ') +') + +####################################### +## <summary> +## Do not audit attempts to read network config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`sysnet_dontaudit_read_config',` + gen_require(` + type net_conf_t; + ') + + dontaudit $1 net_conf_t:file read_file_perms; +') + +####################################### +## <summary> +## Write network config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_write_config',` + gen_require(` + type net_conf_t; + ') + + files_search_etc($1) + allow $1 net_conf_t:file write_file_perms; +') + +####################################### +## <summary> +## Create network config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_create_config',` + gen_require(` + type net_conf_t; + ') + + files_search_etc($1) + allow $1 net_conf_t:file create_file_perms; +') + +####################################### +## <summary> +## Create files in /etc with the type used for +## the network config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_etc_filetrans_config',` + gen_require(` + type net_conf_t; + ') + + files_etc_filetrans($1, net_conf_t, file) +') + +####################################### +## <summary> +## Create, read, write, and delete network config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`sysnet_manage_config',` + gen_require(` + type net_conf_t; + ') + + allow $1 net_conf_t:dir list_dir_perms; + manage_files_pattern($1, net_conf_t, net_conf_t) +') + +####################################### +## <summary> +## Read the dhcp client pid file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_read_dhcpc_pid',` + gen_require(` + type dhcpc_var_run_t; + ') + + files_list_pids($1) + allow $1 dhcpc_var_run_t:file read_file_perms; +') + +####################################### +## <summary> +## Delete the dhcp client pid file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_delete_dhcpc_pid',` + gen_require(` + type dhcpc_var_run_t; + ') + + files_rw_pid_dirs($1) + allow $1 dhcpc_var_run_t:file unlink; +') + +####################################### +## <summary> +## Execute ifconfig in the ifconfig domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`sysnet_domtrans_ifconfig',` + gen_require(` + type ifconfig_t, ifconfig_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, ifconfig_exec_t, ifconfig_t) + ifdef(`hide_broken_symptoms', ` + dontaudit ifconfig_t $1:socket_class_set { read write }; + ') + +') + +######################################## +## <summary> +## Execute ifconfig in the ifconfig domain, and +## allow the specified role the ifconfig domain, +## and use the caller's terminal. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`sysnet_run_ifconfig',` + gen_require(` + type ifconfig_t; + ') + + corecmd_search_bin($1) + sysnet_domtrans_ifconfig($1) + role $2 types ifconfig_t; +') + +####################################### +## <summary> +## Execute ifconfig in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_exec_ifconfig',` + gen_require(` + type ifconfig_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, ifconfig_exec_t) +') + +######################################## +## <summary> +## Send a generic signal to ifconfig. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`sysnet_signal_ifconfig',` + gen_require(` + type ifconfig_t; + ') + + allow $1 ifconfig_t:process signal; +') + +######################################## +## <summary> +## Send a kill signal to iconfig. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`sysnet_kill_ifconfig',` + gen_require(` + type ifconfig_t; + ') + + allow $1 ifconfig_t:process sigkill; +') + +######################################## +## <summary> +## Read the DHCP configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_read_dhcp_config',` + gen_require(` + type dhcp_etc_t; + ') + + files_search_etc($1) + allow $1 dhcp_etc_t:dir list_dir_perms; + read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) +') + +######################################## +## <summary> +## Search the DHCP state data directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`sysnet_search_dhcp_state',` + gen_require(` + type dhcp_state_t; + ') + + files_search_var_lib($1) + allow $1 dhcp_state_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Create DHCP state data. +## </summary> +## <desc> +## <p> +## Create DHCP state data. +## </p> +## <p> +## This is added for DHCP server, as +## the server and client put their state +## files in the same directory. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="file_type"> +## <summary> +## The type of the object to be created +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## The object class. +## </summary> +## </param> +# +interface(`sysnet_dhcp_state_filetrans',` + gen_require(` + type dhcp_state_t; + ') + + files_search_var_lib($1) + filetrans_pattern($1, dhcp_state_t, $2, $3) +') + +######################################## +## <summary> +## Perform a DNS name resolution. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`sysnet_dns_name_resolve',` + gen_require(` + type net_conf_t; + ') + + allow $1 self:tcp_socket create_socket_perms; + allow $1 self:udp_socket create_socket_perms; + allow $1 self:netlink_route_socket r_netlink_socket_perms; + + corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) + corenet_udp_sendrecv_generic_node($1) + corenet_tcp_sendrecv_dns_port($1) + corenet_udp_sendrecv_dns_port($1) + corenet_tcp_connect_dns_port($1) + corenet_sendrecv_dns_client_packets($1) + + sysnet_read_config($1) + + optional_policy(` + avahi_stream_connect($1) + ') + + optional_policy(` + nscd_socket_use($1) + ') +') + +######################################## +## <summary> +## Connect and use a LDAP server. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_use_ldap',` + gen_require(` + type net_conf_t; + ') + + allow $1 self:tcp_socket create_socket_perms; + + corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) + corenet_tcp_sendrecv_ldap_port($1) + corenet_tcp_connect_ldap_port($1) + corenet_sendrecv_ldap_client_packets($1) + + files_search_etc($1) + allow $1 net_conf_t:file read_file_perms; + # LDAP Configuration using encrypted requires + dev_read_urand($1) +') + +######################################## +## <summary> +## Connect and use remote port mappers. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`sysnet_use_portmap',` + gen_require(` + type net_conf_t; + ') + + allow $1 self:tcp_socket create_socket_perms; + allow $1 self:udp_socket create_socket_perms; + + corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) + corenet_udp_sendrecv_generic_node($1) + corenet_tcp_sendrecv_portmap_port($1) + corenet_udp_sendrecv_portmap_port($1) + corenet_tcp_connect_portmap_port($1) + corenet_sendrecv_portmap_client_packets($1) + + files_search_etc($1) + allow $1 net_conf_t:file read_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to use +## the dhcp file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## The domain sending the SIGCHLD. +## </summary> +## </param> +# +interface(`sysnet_dontaudit_dhcpc_use_fds',` + gen_require(` + type dhcpc_t; + ') + + dontaudit $1 dhcpc_t:fd use; +') + +######################################## +## <summary> +## Transition to system_r when execute an dhclient script +## </summary> +## <desc> +## <p> +## Execute dhclient script in a specified role +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## </desc> +## <param name="source_role"> +## <summary> +## Role to transition from. +## </summary> +## </param> +interface(`sysnet_role_transition_dhcpc',` + gen_require(` + type dhcpc_exec_t; + ') + + role_transition $1 dhcpc_exec_t system_r; +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te new file mode 100644 index 0000000..3663802 --- /dev/null +++ b/policy/modules/system/sysnetwork.te 
@@ -0,0 +1,411 @@ +policy_module(sysnetwork, 1.11.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow dhcpc client applications to execute iptables commands +## </p> +## </desc> +gen_tunable(dhcpc_exec_iptables, false) + +# this is shared between dhcpc and dhcpd: +type dhcp_etc_t; +typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t }; +files_config_file(dhcp_etc_t) + +# this is shared between dhcpc and dhcpd: +type dhcp_state_t; +files_type(dhcp_state_t) + +type dhcpc_t; +type dhcpc_exec_t; +init_daemon_domain(dhcpc_t, dhcpc_exec_t) +role system_r types dhcpc_t; + +type dhcpc_helper_exec_t; +init_script_file(dhcpc_helper_exec_t) + +type dhcpc_state_t; +files_type(dhcpc_state_t) + +type dhcpc_tmp_t; +files_tmp_file(dhcpc_tmp_t) + +type dhcpc_var_run_t; +files_pid_file(dhcpc_var_run_t) + +type ifconfig_t; +type ifconfig_exec_t; +init_system_domain(ifconfig_t, ifconfig_exec_t) +role system_r types ifconfig_t; + +type net_conf_t alias resolv_conf_t; +files_type(net_conf_t) + +######################################## +# +# DHCP client local policy +# +allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config }; +dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace }; +# for access("/etc/bashrc", X_OK) on Red Hat +dontaudit dhcpc_t self:capability { dac_read_search sys_module }; +allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms }; + +allow dhcpc_t self:fifo_file rw_fifo_file_perms; +allow dhcpc_t self:tcp_socket create_stream_socket_perms; +allow dhcpc_t self:udp_socket create_socket_perms; +allow dhcpc_t self:packet_socket create_socket_perms; +allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read }; + +allow dhcpc_t dhcp_etc_t:dir list_dir_perms; +read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) +exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) + +allow dhcpc_t 
dhcp_state_t:file read_file_perms; +allow dhcpc_t dhcp_state_t:file relabel_file_perms; + +manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t) +filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file) +allow dhcpc_t dhcpc_state_t:file relabel_file_perms; + +# create pid file +manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) +files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file) + +# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files +# in /etc created by dhcpcd will be labelled net_conf_t. +allow dhcpc_t net_conf_t:file manage_file_perms; +allow dhcpc_t net_conf_t:file relabel_file_perms; +sysnet_manage_config(dhcpc_t) +files_etc_filetrans(dhcpc_t, net_conf_t, file) + +# create temp files +manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t) +manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t) +files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t, { file dir }) + +can_exec(dhcpc_t, dhcpc_exec_t) + +# transition to ifconfig +domtrans_pattern(dhcpc_t, ifconfig_exec_t, ifconfig_t) + +kernel_read_system_state(dhcpc_t) +kernel_read_network_state(dhcpc_t) +kernel_search_network_sysctl(dhcpc_t) +kernel_read_kernel_sysctls(dhcpc_t) +kernel_request_load_module(dhcpc_t) +kernel_use_fds(dhcpc_t) + +corecmd_exec_bin(dhcpc_t) +corecmd_exec_shell(dhcpc_t) + +corenet_all_recvfrom_unlabeled(dhcpc_t) +corenet_all_recvfrom_netlabel(dhcpc_t) +corenet_tcp_sendrecv_all_if(dhcpc_t) +corenet_raw_sendrecv_all_if(dhcpc_t) +corenet_udp_sendrecv_all_if(dhcpc_t) +corenet_tcp_sendrecv_all_nodes(dhcpc_t) +corenet_raw_sendrecv_all_nodes(dhcpc_t) +corenet_udp_sendrecv_all_nodes(dhcpc_t) +corenet_tcp_sendrecv_all_ports(dhcpc_t) +corenet_udp_sendrecv_all_ports(dhcpc_t) +corenet_tcp_bind_all_nodes(dhcpc_t) +corenet_udp_bind_all_nodes(dhcpc_t) +corenet_udp_bind_dhcpc_port(dhcpc_t) +corenet_tcp_connect_all_ports(dhcpc_t) +corenet_sendrecv_dhcpd_client_packets(dhcpc_t) +corenet_sendrecv_dhcpc_server_packets(dhcpc_t) 
+corenet_dontaudit_udp_bind_all_reserved_ports(dhcpc_t) +corenet_udp_bind_all_unreserved_ports(dhcpc_t) + +dev_read_sysfs(dhcpc_t) +# for SSP: +dev_read_urand(dhcpc_t) + +domain_obj_id_change_exemption(dhcpc_t) +domain_use_interactive_fds(dhcpc_t) +domain_dontaudit_read_all_domains_state(dhcpc_t) + +files_read_etc_files(dhcpc_t) +files_read_etc_runtime_files(dhcpc_t) +files_read_usr_files(dhcpc_t) +files_search_home(dhcpc_t) +files_search_var_lib(dhcpc_t) +files_dontaudit_search_locks(dhcpc_t) +files_getattr_generic_locks(dhcpc_t) + +fs_getattr_all_fs(dhcpc_t) +fs_search_auto_mountpoints(dhcpc_t) + +term_dontaudit_use_all_ttys(dhcpc_t) +term_dontaudit_use_all_ptys(dhcpc_t) +term_dontaudit_use_unallocated_ttys(dhcpc_t) +term_dontaudit_use_generic_ptys(dhcpc_t) + +init_rw_utmp(dhcpc_t) +init_stream_connect(dhcpc_t) + +logging_send_syslog_msg(dhcpc_t) + +miscfiles_read_localization(dhcpc_t) + +modutils_domtrans_insmod(dhcpc_t) + +userdom_use_user_terminals(dhcpc_t) +userdom_dontaudit_search_user_home_dirs(dhcpc_t) + +ifdef(`distro_redhat', ` + files_exec_etc_files(dhcpc_t) +') + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(dhcpc_t) + ') +') + +optional_policy(` + consoletype_domtrans(dhcpc_t) +') + +optional_policy(` + chronyd_initrc_domtrans(dhcpc_t) +') + +optional_policy(` + init_dbus_chat_script(dhcpc_t) + + dbus_system_bus_client(dhcpc_t) + dbus_connect_system_bus(dhcpc_t) + + optional_policy(` + networkmanager_dbus_chat(dhcpc_t) + ') +') + +optional_policy(` + hostname_domtrans(dhcpc_t) +') + +optional_policy(` + hal_dontaudit_rw_dgram_sockets(dhcpc_t) + hal_dontaudit_read_pid_files(dhcpc_t) + hal_dontaudit_write_log(dhcpc_t) +') + +optional_policy(` + hotplug_getattr_config_dirs(dhcpc_t) + hotplug_search_config(dhcpc_t) + + ifdef(`distro_redhat',` + logging_domtrans_syslog(dhcpc_t) + ') +') + +# for the dhcp client to run ping to check IP addresses +optional_policy(` + netutils_domtrans_ping(dhcpc_t) + netutils_domtrans(dhcpc_t) +',` + allow 
dhcpc_t self:capability setuid; + allow dhcpc_t self:rawip_socket create_socket_perms; +') + +optional_policy(` + networkmanager_domtrans(dhcpc_t) + networkmanager_read_pid_files(dhcpc_t) + networkmanager_read_lib_files(dhcpc_t) +') + +optional_policy(` + nis_initrc_domtrans_ypbind(dhcpc_t) + nis_read_ypbind_pid(dhcpc_t) +') + +optional_policy(` + nscd_initrc_domtrans(dhcpc_t) + nscd_domtrans(dhcpc_t) + nscd_read_pid(dhcpc_t) +') + +optional_policy(` + ntp_initrc_domtrans(dhcpc_t) +') + +optional_policy(` + pcmcia_stub(dhcpc_t) + dev_rw_cardmgr(dhcpc_t) +') + +optional_policy(` + seutil_sigchld_newrole(dhcpc_t) + seutil_dontaudit_search_config(dhcpc_t) + seutil_domtrans_setfiles(dhcpc_t) +') + +optional_policy(` + udev_read_db(dhcpc_t) +') + +optional_policy(` + userdom_use_all_users_fds(dhcpc_t) +') + +optional_policy(` + vmware_append_log(dhcpc_t) +') + +optional_policy(` + kernel_read_xen_state(dhcpc_t) + kernel_write_xen_state(dhcpc_t) + xen_append_log(dhcpc_t) + xen_dontaudit_rw_unix_stream_sockets(dhcpc_t) +') + +######################################## +# +# Ifconfig local policy +# + +allow ifconfig_t self:capability { net_raw net_admin sys_tty_config }; +allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; +allow ifconfig_t self:fd use; +allow ifconfig_t self:fifo_file rw_fifo_file_perms; +allow ifconfig_t self:sock_file read_sock_file_perms; +allow ifconfig_t self:socket create_socket_perms; +allow ifconfig_t self:unix_dgram_socket create_socket_perms; +allow ifconfig_t self:unix_stream_socket create_stream_socket_perms; +allow ifconfig_t self:unix_dgram_socket sendto; +allow ifconfig_t self:unix_stream_socket connectto; +allow ifconfig_t self:shm create_shm_perms; +allow ifconfig_t self:sem create_sem_perms; +allow ifconfig_t self:msgq create_msgq_perms; +allow ifconfig_t self:msg { send receive }; +# Create UDP sockets, necessary when called from dhcpc +allow ifconfig_t self:udp_socket 
create_socket_perms; +# for /sbin/ip +allow ifconfig_t self:packet_socket create_socket_perms; +allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; +allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; +allow ifconfig_t self:tcp_socket { create ioctl }; + +kernel_use_fds(ifconfig_t) +kernel_read_system_state(ifconfig_t) +kernel_read_network_state(ifconfig_t) +kernel_request_load_module(ifconfig_t) +kernel_search_network_sysctl(ifconfig_t) +kernel_rw_net_sysctls(ifconfig_t) + +corenet_rw_tun_tap_dev(ifconfig_t) + +dev_read_sysfs(ifconfig_t) +# for IPSEC setup: +dev_read_urand(ifconfig_t) + +domain_use_interactive_fds(ifconfig_t) + +read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t) + +files_read_etc_files(ifconfig_t) +files_read_etc_runtime_files(ifconfig_t) +files_read_usr_files(ifconfig_t) + +fs_getattr_xattr_fs(ifconfig_t) +fs_search_auto_mountpoints(ifconfig_t) + +selinux_dontaudit_getattr_fs(ifconfig_t) + +term_dontaudit_use_console(ifconfig_t) +term_dontaudit_use_all_ttys(ifconfig_t) +term_dontaudit_use_all_ptys(ifconfig_t) +term_dontaudit_use_ptmx(ifconfig_t) +term_dontaudit_use_generic_ptys(ifconfig_t) + +files_dontaudit_read_root_files(ifconfig_t) + +init_use_fds(ifconfig_t) +init_use_script_ptys(ifconfig_t) + +libs_read_lib_files(ifconfig_t) + +logging_send_syslog_msg(ifconfig_t) + +miscfiles_read_localization(ifconfig_t) + +modutils_domtrans_insmod(ifconfig_t) + +seutil_use_runinit_fds(ifconfig_t) + +sysnet_dns_name_resolve(ifconfig_t) + +userdom_use_user_terminals(ifconfig_t) +userdom_use_all_users_fds(ifconfig_t) + +ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(ifconfig_t) + ') +') + +optional_policy(` + brctl_domtrans(ifconfig_t) +') + +ifdef(`hide_broken_symptoms',` + optional_policy(` + dev_dontaudit_rw_cardmgr(ifconfig_t) + ') + + optional_policy(` + udev_dontaudit_rw_dgram_sockets(ifconfig_t) + ') +') + +optional_policy(` + hal_dontaudit_rw_pipes(ifconfig_t) + 
hal_dontaudit_rw_dgram_sockets(ifconfig_t) + hal_dontaudit_read_pid_files(ifconfig_t) + hal_write_log(ifconfig_t) +') + +optional_policy(` + ipsec_write_pid(ifconfig_t) +') + +optional_policy(` + netutils_domtrans(dhcpc_t) +') + +optional_policy(` + nis_use_ypbind(ifconfig_t) +') + +optional_policy(` + ppp_use_fds(ifconfig_t) +') + +optional_policy(` + unconfined_dontaudit_rw_pipes(ifconfig_t) +') + +optional_policy(` + vmware_append_log(ifconfig_t) +') + +optional_policy(` + kernel_read_xen_state(ifconfig_t) + kernel_write_xen_state(ifconfig_t) + xen_append_log(ifconfig_t) + xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) +') + +optional_policy(` + tunable_policy(`dhcpc_exec_iptables',` + iptables_domtrans(dhcpc_t) + ') +') diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc new file mode 100644 index 0000000..44fe366 --- /dev/null +++ b/policy/modules/system/udev.fc 
@@ -0,0 +1,25 @@ +/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0) +/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0) +/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0) + +/etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) + +/etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0) + +/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0) +/etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) + +/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) + +/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) +/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) +/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) +/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) +/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) +/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) +/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0) + +/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) + +/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) +/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if new file mode 100644 index 0000000..5b277ea --- /dev/null +++ b/policy/modules/system/udev.if 
@@ -0,0 +1,233 @@ +## <summary>Policy for udev.</summary> + +######################################## +## <summary> +## Send generic signals to udev. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`udev_signal',` + gen_require(` + type udev_t; + ') + + allow $1 udev_t:process signal; +') + +######################################## +## <summary> +## Execute udev in the udev domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`udev_domtrans',` + gen_require(` + type udev_t, udev_exec_t; + ') + + domtrans_pattern($1, udev_exec_t, udev_t) + allow $1 udev_t:process noatsecure; +') + +######################################## +## <summary> +## Execute udev in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`udev_exec',` + gen_require(` + type udev_exec_t; + ') + + can_exec($1, udev_exec_t) +') + +######################################## +## <summary> +## Execute a udev helper in the udev domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`udev_helper_domtrans',` + gen_require(` + type udev_t, udev_helper_exec_t; + ') + + domtrans_pattern($1, udev_helper_exec_t, udev_t) +') + +######################################## +## <summary> +## Allow process to read udev process state. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`udev_read_state',` + gen_require(` + type udev_t; + ') + + kernel_search_proc($1) + ps_process_pattern($1, udev_t) +') + +######################################## +## <summary> +## Do not audit attempts to inherit a +## udev file descriptor. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`udev_dontaudit_use_fds',` + gen_require(` + type udev_t; + ') + + dontaudit $1 udev_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to read or write +## to a udev unix datagram socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`udev_dontaudit_rw_dgram_sockets',` + gen_require(` + type udev_t; + ') + + dontaudit $1 udev_t:unix_dgram_socket { read write }; +') + +######################################## +## <summary> +## Manage udev rules files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`udev_manage_rules_files',` + gen_require(` + type udev_rules_t; + ') + + manage_files_pattern($1, udev_rules_t, udev_rules_t) +') + +######################################## +## <summary> +## Do not audit search of udev database directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`udev_dontaudit_search_db',` + gen_require(` + type udev_tbl_t; + ') + + dontaudit $1 udev_tbl_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Read the udev device table. +## </summary> +## <desc> +## <p> +## Allow the specified domain to read the udev device table. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="read" weight="10"/> +# +interface(`udev_read_db',` + gen_require(` + type udev_tbl_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 udev_tbl_t:dir list_dir_perms; + read_files_pattern($1, udev_tbl_t, udev_tbl_t) + read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t) +') + +######################################## +## <summary> +## Allow process to modify list of devices. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`udev_rw_db',` + gen_require(` + type udev_tbl_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 udev_tbl_t:file rw_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete +## udev pid files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`udev_manage_pid_files',` + gen_require(` + type udev_var_run_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, udev_var_run_t, udev_var_run_t) +') diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te new file mode 100644 index 0000000..4867243 --- /dev/null +++ b/policy/modules/system/udev.te 
@@ -0,0 +1,317 @@ +policy_module(udev, 1.12.0) + +######################################## +# +# Declarations +# + +type udev_t; +type udev_exec_t; +type udev_helper_exec_t; +kernel_domtrans_to(udev_t, udev_exec_t) +domain_obj_id_change_exemption(udev_t) +domain_entry_file(udev_t, udev_helper_exec_t) +domain_interactive_fd(udev_t) +init_daemon_domain(udev_t, udev_exec_t) + +type udev_etc_t alias etc_udev_t; +files_config_file(udev_etc_t) + +type udev_tbl_t alias udev_tdb_t; +files_type(udev_tbl_t) + +type udev_rules_t; +files_type(udev_rules_t) + +type udev_var_run_t; +files_pid_file(udev_var_run_t) + +ifdef(`enable_mcs',` + kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh) +') + +######################################## +# +# Local policy +# + +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; +dontaudit udev_t self:capability sys_tty_config; +allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow udev_t self:process { execmem setfscreate }; +allow udev_t self:fd use; +allow udev_t self:fifo_file rw_fifo_file_perms; +allow udev_t self:sock_file read_sock_file_perms; +allow udev_t self:shm create_shm_perms; +allow udev_t self:sem create_sem_perms; +allow udev_t self:msgq create_msgq_perms; +allow udev_t self:msg { send receive }; +allow udev_t self:unix_stream_socket { listen accept }; +allow udev_t self:unix_dgram_socket sendto; +allow udev_t self:unix_stream_socket connectto; +allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; +allow udev_t self:rawip_socket create_socket_perms; +allow udev_t self:netlink_socket create_socket_perms; + +allow udev_t udev_exec_t:file write; +can_exec(udev_t, udev_exec_t) + +allow udev_t udev_helper_exec_t:dir list_dir_perms; +can_exec(udev_t, 
udev_helper_exec_t) + +# read udev config +allow udev_t udev_etc_t:file read_file_perms; + +# create udev database in /dev/.udevdb +allow udev_t udev_tbl_t:file manage_file_perms; +dev_filetrans(udev_t, udev_tbl_t, file) + +list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t) +read_files_pattern(udev_t, udev_rules_t, udev_rules_t) + +manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t) +manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) +manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) +files_pid_filetrans(udev_t, udev_var_run_t, { file dir }) + +kernel_read_system_state(udev_t) +kernel_request_load_module(udev_t) +kernel_getattr_core_if(udev_t) +kernel_use_fds(udev_t) +kernel_read_device_sysctls(udev_t) +kernel_read_hotplug_sysctls(udev_t) +kernel_read_modprobe_sysctls(udev_t) +kernel_read_kernel_sysctls(udev_t) +kernel_rw_hotplug_sysctls(udev_t) +kernel_rw_unix_dgram_sockets(udev_t) +kernel_dgram_send(udev_t) +kernel_signal(udev_t) +kernel_search_debugfs(udev_t) + +#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 +kernel_rw_net_sysctls(udev_t) +kernel_read_network_state(udev_t) +kernel_read_software_raid_state(udev_t) + +corecmd_exec_all_executables(udev_t) + +dev_rw_sysfs(udev_t) +dev_manage_all_dev_nodes(udev_t) +dev_rw_generic_files(udev_t) +dev_delete_generic_files(udev_t) +dev_search_usbfs(udev_t) +dev_relabel_all_dev_nodes(udev_t) +# udev_node.c/node_symlink() symlink labels are explicitly +# preserved, instead of short circuiting the relabel +dev_relabel_generic_symlinks(udev_t) +dev_manage_generic_symlinks(udev_t) + +domain_read_all_domains_state(udev_t) +domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these + +files_read_usr_files(udev_t) +files_read_etc_runtime_files(udev_t) + +# console_init manages files in /etc/sysconfig +files_manage_etc_files(udev_t) +files_exec_etc_files(udev_t) +files_dontaudit_search_isid_type_dirs(udev_t) +files_getattr_generic_locks(udev_t) +files_search_mnt(udev_t) 
+files_list_tmp(udev_t) + +fs_getattr_all_fs(udev_t) +fs_list_inotifyfs(udev_t) +fs_rw_anon_inodefs_files(udev_t) +fs_list_auto_mountpoints(udev_t) +fs_list_hugetlbfs(udev_t) + +mcs_ptrace_all(udev_t) + +mls_file_read_all_levels(udev_t) +mls_file_write_all_levels(udev_t) +mls_file_upgrade(udev_t) +mls_file_downgrade(udev_t) +mls_process_write_down(udev_t) + +selinux_get_fs_mount(udev_t) +selinux_validate_context(udev_t) +selinux_compute_access_vector(udev_t) +selinux_compute_create_context(udev_t) +selinux_compute_relabel_context(udev_t) +selinux_compute_user_contexts(udev_t) + +auth_read_pam_console_data(udev_t) +auth_domtrans_pam_console(udev_t) +auth_use_nsswitch(udev_t) + +init_read_utmp(udev_t) +init_dontaudit_write_utmp(udev_t) +init_getattr_initctl(udev_t) + +logging_search_logs(udev_t) +logging_send_syslog_msg(udev_t) +logging_send_audit_msgs(udev_t) + +miscfiles_read_localization(udev_t) +miscfiles_read_hwdata(udev_t) + +modutils_domtrans_insmod(udev_t) +# read modules.inputmap: +modutils_read_module_deps(udev_t) + +seutil_read_config(udev_t) +seutil_read_default_contexts(udev_t) +seutil_read_file_contexts(udev_t) +seutil_domtrans_setfiles(udev_t) + +sysnet_domtrans_ifconfig(udev_t) +sysnet_domtrans_dhcpc(udev_t) +sysnet_rw_dhcp_config(udev_t) +sysnet_read_dhcpc_pid(udev_t) +sysnet_delete_dhcpc_pid(udev_t) +sysnet_signal_dhcpc(udev_t) +sysnet_manage_config(udev_t) +sysnet_etc_filetrans_config(udev_t) + +userdom_dontaudit_search_user_home_content(udev_t) + +ifdef(`distro_gentoo',` + # during boot, init scripts use /dev/.rcsysinit + # existance to determine if we are in early booting + init_getattr_script_status_files(udev_t) +') + +ifdef(`distro_redhat',` + fs_manage_tmpfs_dirs(udev_t) + fs_manage_tmpfs_files(udev_t) + fs_manage_tmpfs_symlinks(udev_t) + fs_manage_tmpfs_sockets(udev_t) + fs_manage_tmpfs_blk_files(udev_t) + fs_manage_tmpfs_chr_files(udev_t) + fs_relabel_tmpfs_blk_file(udev_t) + fs_relabel_tmpfs_chr_file(udev_t) + 
fs_manage_hugetlbfs_dirs(udev_t) + + term_search_ptys(udev_t) + + # for arping used for static IP addresses on PCMCIA ethernet + netutils_domtrans(udev_t) + + optional_policy(` + unconfined_domain(udev_t) + ') +') + +optional_policy(` + alsa_domtrans(udev_t) + alsa_read_lib(udev_t) + alsa_read_rw_config(udev_t) +') + +optional_policy(` + bluetooth_domtrans(udev_t) +') + +optional_policy(` + brctl_domtrans(udev_t) +') + +optional_policy(` + clock_domtrans(udev_t) +') + +optional_policy(` + consolekit_read_pid_files(udev_t) +') + +optional_policy(` + consoletype_exec(udev_t) +') + +optional_policy(` + cups_domtrans_config(udev_t) + cups_read_config(udev_t) +') + +optional_policy(` + dbus_system_bus_client(udev_t) +') + +optional_policy(` + devicekit_read_pid_files(udev_t) + devicekit_dgram_send(udev_t) +') + +optional_policy(` + gnome_read_home_config(udev_t) +') + +optional_policy(` + lvm_domtrans(udev_t) +') + +optional_policy(` + fstools_domtrans(udev_t) +') + +optional_policy(` + hal_dgram_send(udev_t) + + ifdef(`hide_broken_symptoms',` + hal_dontaudit_rw_dgram_sockets(udev_t) + ') +') + +optional_policy(` + hotplug_read_config(udev_t) + # usb.agent searches /var/run/usb + hotplug_search_pids(udev_t) +') + +optional_policy(` + mount_domtrans(udev_t) +') + +optional_policy(` + networkmanager_dbus_chat(udev_t) +') + +optional_policy(` + openct_read_pid_files(udev_t) + openct_domtrans(udev_t) +') + +optional_policy(` + pcscd_read_pub_files(udev_t) + pcscd_domtrans(udev_t) +') + +optional_policy(` + raid_domtrans_mdadm(udev_t) +') + +optional_policy(` + usbmuxd_domtrans(udev_t) + usbmuxd_stream_connect(udev_t) +') + +optional_policy(` + unconfined_signal(udev_t) +') + +optional_policy(` + vbetool_domtrans(udev_t) +') + +optional_policy(` + kernel_write_xen_state(udev_t) + kernel_read_xen_state(udev_t) + xen_manage_log(udev_t) + xen_read_image_files(udev_t) +') + +optional_policy(` + xserver_read_xdm_pid(udev_t) +') 
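Review bot: `allow udev_t udev_exec_t:file write;` gives the udev domain write access to its own entrypoint executable type with no comment explaining why; a domain that can rewrite the binary it transitions into undermines the integrity the entrypoint is meant to provide, so either drop the rule or document the case that needs it, the way the `udev_tbl_t` and `udev_var_run_t` rules nearby are commented. Two smaller points in the same block: `sys_nice` appears twice in the `self:capability` set, and the complement rule `allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };` is immediately followed by `allow udev_t self:process { execmem setfscreate };`, which re-grants two of the permissions the complement just excluded; collapsing the pair into a single rule with the intended set would make the actual grant readable at a glance. Also note that under `distro_redhat` the block ends in `unconfined_domain(udev_t)`, so on that distro none of the finer-grained rules above actually constrain udev; a comment recording that this is intentional (and what the fine-grained rules are kept for) would help the next reviewer.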
diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc new file mode 100644 index 0000000..8b34dbc --- /dev/null +++ b/policy/modules/system/unconfined.fc @@ -0,0 +1 @@ +# Add programs here which should not be confined by SELinux diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if new file mode 100644 index 0000000..c6e8ffe --- /dev/null +++ b/policy/modules/system/unconfined.if 
@@ -0,0 +1,192 @@ +## <summary>The unconfined domain.</summary> + +######################################## +## <summary> +## Make the specified domain unconfined. +## </summary> +## <param name="domain"> +## <summary> +## Domain to make unconfined. +## </summary> +## </param> +# +interface(`unconfined_domain_noaudit',` + gen_require(` + class dbus all_dbus_perms; + class nscd all_nscd_perms; + class passwd all_passwd_perms; + ') + + # Use any Linux capability. + allow $1 self:capability all_capabilities; + allow $1 self:fifo_file manage_fifo_file_perms; + + # Transition to myself, to make get_ordered_context_list happy. + allow $1 self:process transition; + + # Write access is for setting attributes under /proc/self/attr. + allow $1 self:file rw_file_perms; + allow $1 self:dir rw_dir_perms; + + # Userland object managers + allow $1 self:nscd all_nscd_perms; + allow $1 self:dbus all_dbus_perms; + allow $1 self:passwd all_passwd_perms; + allow $1 self:association all_association_perms; + allow $1 self:socket_class_set create_socket_perms; + + kernel_unconfined($1) + corenet_unconfined($1) + dev_unconfined($1) + domain_unconfined($1) + domain_dontaudit_read_all_domains_state($1) + domain_dontaudit_ptrace_all_domains($1) + files_unconfined($1) + fs_unconfined($1) + selinux_unconfined($1) + + domain_mmap_low($1) + + mls_file_read_all_levels($1) + + ubac_process_exempt($1) + + tunable_policy(`allow_execheap',` + # Allow making the stack executable via mprotect. + allow $1 self:process execheap; + ') + + tunable_policy(`allow_execmem',` + # Allow making anonymous memory executable, e.g. + # for runtime-code generation or executable stack. 
+ allow $1 self:process execmem; + ') + + tunable_policy(`allow_execstack',` + # Allow making the stack executable via mprotect; + # execstack implies execmem; + allow $1 self:process { execstack execmem }; +# auditallow $1 self:process execstack; + ') + + optional_policy(` + auth_unconfined($1) + ') + + optional_policy(` + # Communicate via dbusd. + dbus_system_bus_unconfined($1) + dbus_unconfined($1) + ') + + optional_policy(` + ipsec_setcontext_default_spd($1) + ipsec_match_default_spd($1) + ') + + optional_policy(` + nscd_unconfined($1) + ') + + optional_policy(` + postgresql_unconfined($1) + ') + + optional_policy(` + seutil_create_bin_policy($1) + seutil_relabelto_bin_policy($1) + ') + + optional_policy(` + storage_unconfined($1) + ') + + optional_policy(` + xserver_unconfined($1) + ') +') + +######################################## +## <summary> +## Make the specified domain unconfined and +## audit executable heap usage. +## </summary> +## <desc> +## <p> +## Make the specified domain unconfined and +## audit executable heap usage. With exception +## of memory protections, usage of this interface +## will result in the level of access the domain has +## is like SELinux was not being used. +## </p> +## <p> +## Only completely trusted domains should use this interface. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain to make unconfined. +## </summary> +## </param> +# +interface(`unconfined_domain',` + gen_require(` + attribute unconfined_services; + ') + + unconfined_domain_noaudit($1) + + tunable_policy(`allow_execheap',` + auditallow $1 self:process execheap; + ') +') + +######################################## +## <summary> +## Add an alias type to the unconfined domain. (Deprecated) +## </summary> +## <desc> +## <p> +## Add an alias type to the unconfined domain. (Deprecated) +## </p> +## <p> +## This is added to support targeted policy. Its +## use should be limited. It has no effect +## on the strict policy. 
+## </p> +## </desc> +## <param name="domain"> +## <summary> +## New alias of the unconfined domain. +## </summary> +## </param> +# +interface(`unconfined_alias_domain',` + refpolicywarn(`$0($1) has been deprecated.') +') + +######################################## +## <summary> +## Add an alias type to the unconfined execmem +## program file type. (Deprecated) +## </summary> +## <desc> +## <p> +## Add an alias type to the unconfined execmem +## program file type. (Deprecated) +## </p> +## <p> +## This is added to support targeted policy. Its +## use should be limited. It has no effect +## on the strict policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## New alias of the unconfined execmem program type. +## </summary> +## </param> +# +interface(`unconfined_execmem_alias_program',` + refpolicywarn(`$0($1) has been deprecated.') +') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te new file mode 100644 index 0000000..4474379 --- /dev/null +++ b/policy/modules/system/unconfined.te @@ -0,0 +1,8 @@ +policy_module(unconfined, 3.2.0) + +######################################## +# +# Declarations +# +attribute unconfined_services; + diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc new file mode 100644 index 0000000..392d1ee --- /dev/null +++ b/policy/modules/system/userdomain.fc 
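Review bot: in `unconfined_domain_noaudit` the comment above `allow $1 self:process execheap;` reads "Allow making the stack executable via mprotect", which describes execstack, not execheap; it should say the heap. `unconfined_domain` declares `attribute unconfined_services;` in its `gen_require` but never references it, so the require can be dropped (or the attribute applied to `$1` if that was the intent). The `<desc>` of `unconfined_domain` is hard to parse ("will result in the level of access the domain has is like SELinux was not being used"); suggest "results in the domain having the same level of access as if SELinux were not in use". Finally, the commented-out `# auditallow $1 self:process execstack;` under `allow_execstack` should either be deleted or moved into `unconfined_domain` next to the existing `execheap` auditallow, since that is the interface advertised as the auditing variant; leaving dead audit rules in the noaudit interface is misleading.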
@@ -0,0 +1,17 @@ +HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) +/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) +/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +/root/\.debug(/.*)? <<none>> +/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) +HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) +HOME_DIR/local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) +HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0) +HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0) +HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs(/.*)? <<none>> +HOME_DIR/\.debug(/.*)? <<none>> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if new file mode 100644 index 0000000..54365f8 --- /dev/null +++ b/policy/modules/system/userdomain.if 
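Review bot: the three `<<none>>` entries (`/root/\.debug(/.*)?`, `HOME_DIR/\.gvfs(/.*)?`, `HOME_DIR/\.debug(/.*)?`) carry no comment stating why those trees are deliberately left unlabeled by relabeling, while every other entry in the file is self-explanatory; a one-line comment above each giving the reason would stop a later maintainer from "fixing" them. Separately, `HOME_DIR/bin(/.*)?` and `HOME_DIR/local/bin(/.*)?` introduce `home_bin_t`, a type for user-writable executables, and the accompanying `userdom_exec_user_bin_files` interface grants execute on it; a comment here noting that this labeling deliberately lets confined domains calling that interface run user-authored binaries would make the trade-off visible where the label is assigned.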
@@ -0,0 +1,4324 @@ +## <summary>Policy for user domains</summary> + +####################################### +## <summary> +## The template containing the most basic rules common to all users. +## </summary> +## <desc> +## <p> +## The template containing the most basic rules common to all users. +## </p> +## <p> +## This template creates a user domain, types, and +## rules for the user's tty and pty. +## </p> +## </desc> +## <param name="userdomain_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +## <rolebase/> +# +template(`userdom_base_user_template',` + + gen_require(` + attribute userdomain; + type user_devpts_t, user_tty_device_t; + class context contains; + ') + + attribute $1_file_type; + attribute $1_usertype; + + type $1_t, userdomain, $1_usertype; + domain_type($1_t) + corecmd_shell_entry_type($1_t) + corecmd_bin_entry_type($1_t) + domain_user_exemption_target($1_t) + ubac_constrained($1_t) + role $1_r types $1_t; + allow system_r $1_r; + + term_user_pty($1_t, user_devpts_t) + + term_user_tty($1_t, user_tty_device_t) + term_dontaudit_getattr_generic_ptys($1_t) + + allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; + allow $1_usertype $1_usertype:fd use; + allow $1_usertype $1_t:key { create view read write search link setattr }; + + allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms; + allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto }; + allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto }; + allow $1_usertype $1_usertype:shm create_shm_perms; + allow $1_usertype $1_usertype:sem create_sem_perms; + allow $1_usertype $1_usertype:msgq create_msgq_perms; + allow $1_usertype $1_usertype:msg { send receive }; + allow $1_usertype $1_usertype:context contains; + dontaudit $1_usertype $1_usertype:socket create; + + allow 
$1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms }; + term_create_pty($1_usertype, user_devpts_t) + # avoid annoying messages on terminal hangup on role change + dontaudit $1_usertype user_devpts_t:chr_file ioctl; + + allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms }; + # avoid annoying messages on terminal hangup on role change + dontaudit $1_usertype user_tty_device_t:chr_file ioctl; + + application_exec_all($1_usertype) + + kernel_read_kernel_sysctls($1_usertype) + kernel_read_all_sysctls($1_usertype) + kernel_dontaudit_list_unlabeled($1_usertype) + kernel_dontaudit_getattr_unlabeled_files($1_usertype) + kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype) + kernel_dontaudit_getattr_unlabeled_pipes($1_usertype) + kernel_dontaudit_getattr_unlabeled_sockets($1_usertype) + kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype) + kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype) + kernel_dontaudit_list_proc($1_usertype) + + dev_dontaudit_getattr_all_blk_files($1_usertype) + dev_dontaudit_getattr_all_chr_files($1_usertype) + dev_getattr_mtrr_dev($1_t) + + # When the user domain runs ps, there will be a number of access + # denials when ps tries to search /proc. Do not audit these denials. + domain_dontaudit_read_all_domains_state($1_usertype) + domain_dontaudit_getattr_all_domains($1_usertype) + domain_dontaudit_getsession_all_domains($1_usertype) + + files_read_etc_files($1_usertype) + files_list_mnt($1_usertype) + files_read_mnt_files($1_usertype) + files_read_etc_runtime_files($1_usertype) + files_read_usr_files($1_usertype) + files_read_usr_src_files($1_usertype) + # Read directories and files with the readable_t type. + # This type is a general type for "world"-readable files. 
+ files_list_world_readable($1_usertype) + files_read_world_readable_files($1_usertype) + files_read_world_readable_symlinks($1_usertype) + files_read_world_readable_pipes($1_usertype) + files_read_world_readable_sockets($1_usertype) + # old broswer_domain(): + files_dontaudit_getattr_all_dirs($1_usertype) + files_dontaudit_list_non_security($1_usertype) + files_dontaudit_getattr_all_files($1_usertype) + files_dontaudit_getattr_non_security_symlinks($1_usertype) + files_dontaudit_getattr_non_security_pipes($1_usertype) + files_dontaudit_getattr_non_security_sockets($1_usertype) + + files_exec_usr_files($1_t) + + fs_list_cgroup_dirs($1_usertype) + fs_dontaudit_rw_cgroup_files($1_usertype) + + storage_rw_fuse($1_usertype) + + auth_use_nsswitch($1_usertype) + + init_stream_connect($1_usertype) + # The library functions always try to open read-write first, + # then fall back to read-only if it fails. + init_dontaudit_rw_utmp($1_usertype) + + libs_exec_ld_so($1_usertype) + + miscfiles_read_localization($1_t) + miscfiles_read_generic_certs($1_t) + + miscfiles_read_all_certs($1_usertype) + miscfiles_read_localization($1_usertype) + miscfiles_read_man_pages($1_usertype) + miscfiles_read_public_files($1_usertype) + + tunable_policy(`allow_execmem',` + # Allow loading DSOs that require executable stack. + allow $1_t self:process execmem; + ') + + tunable_policy(`allow_execmem && allow_execstack',` + # Allow making the stack executable via mprotect. + allow $1_t self:process execstack; + ') + + optional_policy(` + fs_list_cgroup_dirs($1_usertype) + ') + + optional_policy(` + ssh_rw_stream_sockets($1_usertype) + ssh_delete_tmp($1_t) + ssh_signal($1_t) + ') +') + +####################################### +## <summary> +## Allow a home directory for which the +## role has read-only access. +## </summary> +## <desc> +## <p> +## Allow a home directory for which the +## role has read-only access. +## </p> +## <p> +## This does not allow execute access. 
+## </p> +## </desc> +## <param name="role"> +## <summary> +## The user role +## </summary> +## </param> +## <param name="userdomain"> +## <summary> +## The user domain +## </summary> +## </param> +## <rolebase/> +# +interface(`userdom_ro_home_role',` + gen_require(` + type user_home_t, user_home_dir_t; + ') + + role $1 types { user_home_t user_home_dir_t }; + + ############################## + # + # Domain access to home dir + # + + type_member $2 user_home_dir_t:dir user_home_dir_t; + + # read-only home directory + allow $2 user_home_dir_t:dir list_dir_perms; + allow $2 user_home_t:dir list_dir_perms; + allow $2 user_home_t:file entrypoint; + read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) + read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) + read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) + read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) + files_list_home($2) + +') + +####################################### +## <summary> +## Allow a home directory for which the +## role has full access. +## </summary> +## <desc> +## <p> +## Allow a home directory for which the +## role has full access. +## </p> +## <p> +## This does not allow execute access. 
+## </p> +## </desc> +## <param name="role"> +## <summary> +## The user role +## </summary> +## </param> +## <param name="userdomain"> +## <summary> +## The user domain +## </summary> +## </param> +## <rolebase/> +# +interface(`userdom_manage_home_role',` + gen_require(` + type user_home_t, user_home_dir_t; + attribute user_home_type; + ') + + role $1 types { user_home_type user_home_dir_t }; + + ############################## + # + # Domain access to home dir + # + + type_member $2 user_home_dir_t:dir user_home_dir_t; + + # full control of the home directory + allow $2 user_home_t:dir mounton; + allow $2 user_home_t:file entrypoint; + + allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom }; + allow $2 user_home_dir_t:lnk_file read_lnk_file_perms; + manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) + files_list_home($2) + + # cjp: this should probably be removed: + allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; + + tunable_policy(`use_nfs_home_dirs',` + fs_mount_nfs($2) + fs_mounton_nfs($2) + fs_manage_nfs_dirs($2) + fs_manage_nfs_files($2) + fs_manage_nfs_symlinks($2) + 
fs_manage_nfs_named_sockets($2) + fs_manage_nfs_named_pipes($2) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_mount_cifs($2) + fs_mounton_cifs($2) + fs_manage_cifs_dirs($2) + fs_manage_cifs_files($2) + fs_manage_cifs_symlinks($2) + fs_manage_cifs_named_sockets($2) + fs_manage_cifs_named_pipes($2) + ') +') + +####################################### +## <summary> +## Manage user temporary files +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolebase/> +# +interface(`userdom_manage_tmp_role',` + gen_require(` + type user_tmp_t; + ') + + role $1 types user_tmp_t; + + files_poly_member_tmp($2, user_tmp_t) + + manage_dirs_pattern($2, user_tmp_t, user_tmp_t) + manage_files_pattern($2, user_tmp_t, user_tmp_t) + manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t) + manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) + manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) + files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) + relabel_files_pattern($2, user_tmp_t, user_tmp_t) +') + +####################################### +## <summary> +## Dontaudit search of user bin dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_dontaudit_search_user_bin_dirs',` + gen_require(` + type home_bin_t; + ') + + dontaudit $1 home_bin_t:dir search_dir_perms; +') + +####################################### +## <summary> +## Execute user bin files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`userdom_exec_user_bin_files',` + gen_require(` + attribute user_home_type; + type home_bin_t, user_home_dir_t; + ') + + exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t) + files_search_home($1) +') + +####################################### +## <summary> +## The execute access user temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolebase/> +# +interface(`userdom_exec_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + exec_files_pattern($1, user_tmp_t, user_tmp_t) + dontaudit $1 user_tmp_t:sock_file execute; + files_search_tmp($1) +') + +####################################### +## <summary> +## Role access for the user tmpfs type +## that the user has full access. +## </summary> +## <desc> +## <p> +## Role access for the user tmpfs type +## that the user has full access. +## </p> +## <p> +## This does not allow execute access. +## </p> +## </desc> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`userdom_manage_tmpfs_role',` + gen_require(` + type user_tmpfs_t; + ') + + role $1 types user_tmpfs_t; + + manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) + manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t) + manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) + manage_sock_files_pattern($2, user_tmpfs_t, user_tmpfs_t) + manage_fifo_files_pattern($2, user_tmpfs_t, user_tmpfs_t) + fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) +') + +####################################### +## <summary> +## The interface allowing the user basic +## network permissions +## </summary> +## <param name="userdomain"> +## <summary> +## The user domain +## </summary> +## </param> +## <rolebase/> +# +interface(`userdom_basic_networking',` + + allow $1 self:tcp_socket create_stream_socket_perms; + allow $1 self:udp_socket create_socket_perms; + + corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) + corenet_udp_sendrecv_generic_node($1) + corenet_tcp_sendrecv_all_ports($1) + corenet_udp_sendrecv_all_ports($1) + corenet_tcp_connect_all_ports($1) + corenet_sendrecv_all_client_packets($1) + + optional_policy(` + init_tcp_recvfrom_all_daemons($1) + init_udp_recvfrom_all_daemons($1) + ') + + optional_policy(` + ipsec_match_default_spd($1) + ') + +') + +####################################### +## <summary> +## The template for creating a user xwindows client. (Deprecated) +## </summary> +## <param name="userdomain_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). 
+## </summary> +## </param> +## <rolebase/> +# +template(`userdom_xwindows_client_template',` + refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.') + gen_require(` + type $1_t, user_tmpfs_t; + ') + + dev_rw_xserver_misc($1_t) + dev_rw_power_management($1_t) + dev_read_input($1_t) + dev_read_misc($1_t) + dev_write_misc($1_t) + # open office is looking for the following + dev_getattr_agp_dev($1_t) + dev_dontaudit_rw_dri($1_t) + # GNOME checks for usb and other devices: + dev_rw_usbfs($1_t) + dev_rw_generic_usb_dev($1_t) + + xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) + xserver_xsession_entry_type($1_t) + xserver_dontaudit_write_log($1_t) + xserver_stream_connect_xdm($1_t) + # certain apps want to read xdm.pid file + xserver_read_xdm_pid($1_t) + # gnome-session creates socket under /tmp/.ICE-unix/ + xserver_create_xdm_tmp_sockets($1_t) + # Needed for escd, remove if we get escd policy + xserver_manage_xdm_tmp_files($1_t) +') + +####################################### +## <summary> +## The template for allowing the user to change passwords. +## </summary> +## <param name="userdomain_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +## <rolebase/> +# +template(`userdom_change_password_template',` + gen_require(` + type $1_t; + role $1_r; + ') + + optional_policy(` + usermanage_run_chfn($1_t,$1_r) + usermanage_run_passwd($1_t,$1_r) + ') +') + +####################################### +## <summary> +## The template containing rules common to unprivileged +## users and administrative users. +## </summary> +## <desc> +## <p> +## This template creates a user domain, types, and +## rules for the user's tty, pty, tmp, and tmpfs files. +## </p> +## </desc> +## <param name="userdomain_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). 
+## </summary> +## </param> +# +template(`userdom_common_user_template',` + gen_require(` + attribute unpriv_userdomain; + ') + + userdom_basic_networking($1_usertype) + + ############################## + # + # User domain Local policy + # + + # evolution and gnome-session try to create a netlink socket + dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; + dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; + allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; + allow $1_t self:socket create_socket_perms; + + allow $1_usertype unpriv_userdomain:fd use; + + kernel_read_system_state($1_usertype) + kernel_read_network_state($1_usertype) + kernel_read_net_sysctls($1_usertype) + # Very permissive allowing every domain to see every type: + kernel_get_sysvipc_info($1_usertype) + # Find CDROM devices: + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) + + corenet_udp_bind_generic_node($1_usertype) + corenet_udp_bind_generic_port($1_usertype) + + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) + + files_exec_etc_files($1_usertype) + files_search_locks($1_usertype) + # Check to see if cdrom is mounted + files_search_mnt($1_usertype) + # cjp: perhaps should cut back on file reads: + files_read_var_files($1_usertype) + files_read_var_symlinks($1_usertype) + files_read_generic_spool($1_usertype) + files_read_var_lib_files($1_usertype) + # Stat lost+found. 
+ files_getattr_lost_found_dirs($1_usertype) + files_read_config_files($1_usertype) + fs_read_noxattr_fs_files($1_usertype) + fs_read_noxattr_fs_symlinks($1_usertype) + fs_rw_cgroup_files($1_usertype) + + logging_send_syslog_msg($1_usertype) + logging_send_audit_msgs($1_usertype) + selinux_get_enforce_mode($1_usertype) + + # cjp: some of this probably can be removed + selinux_get_fs_mount($1_usertype) + selinux_validate_context($1_usertype) + selinux_compute_access_vector($1_usertype) + selinux_compute_create_context($1_usertype) + selinux_compute_relabel_context($1_usertype) + selinux_compute_user_contexts($1_usertype) + + # for eject + storage_getattr_fixed_disk_dev($1_usertype) + + auth_read_login_records($1_usertype) + auth_run_pam($1_t,$1_r) + auth_run_utempter($1_t,$1_r) + + init_read_utmp($1_usertype) + + seutil_read_file_contexts($1_usertype) + seutil_read_default_contexts($1_usertype) + seutil_run_newrole($1_t,$1_r) + seutil_exec_checkpolicy($1_t) + seutil_exec_setfiles($1_usertype) + # for when the network connection is killed + # this is needed when a login role can change + # to this one. 
+ seutil_dontaudit_signal_newrole($1_t) + + tunable_policy(`user_direct_mouse',` + dev_read_mouse($1_usertype) + ') + + tunable_policy(`user_ttyfile_stat',` + term_getattr_all_ttys($1_t) + ') + + optional_policy(` + alsa_read_rw_config($1_usertype) + ') + + optional_policy(` + # Allow graphical boot to check battery lifespan + apm_stream_connect($1_usertype) + ') + + optional_policy(` + canna_stream_connect($1_usertype) + ') + + optional_policy(` + chrome_role($1_r, $1_usertype) + ') + + optional_policy(` + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; + + optional_policy(` + avahi_dbus_chat($1_usertype) + ') + + optional_policy(` + policykit_dbus_chat($1_usertype) + ') + + optional_policy(` + bluetooth_dbus_chat($1_usertype) + ') + + optional_policy(` + consolekit_dbus_chat($1_usertype) + consolekit_read_log($1_usertype) + ') + + optional_policy(` + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_power($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + ') + + optional_policy(` + evolution_dbus_chat($1_usertype) + evolution_alarm_dbus_chat($1_usertype) + ') + + optional_policy(` + gnome_dbus_chat_gconfdefault($1_usertype) + ') + + optional_policy(` + hal_dbus_chat($1_usertype) + ') + + optional_policy(` + modemmanager_dbus_chat($1_usertype) + ') + + optional_policy(` + networkmanager_dbus_chat($1_usertype) + networkmanager_read_lib_files($1_usertype) + ') + + optional_policy(` + vpn_dbus_chat($1_usertype) + ') + ') + + optional_policy(` + git_session_role($1_r, $1_usertype) + ') + + optional_policy(` + inetd_use_fds($1_usertype) + inetd_rw_tcp_sockets($1_usertype) + ') + + optional_policy(` + inn_read_config($1_usertype) + inn_read_news_lib($1_usertype) + inn_read_news_spool($1_usertype) + ') + + optional_policy(` + locate_read_lib_files($1_usertype) + ') + + # for running depmod as part of the kernel packaging process + optional_policy(` + modutils_read_module_config($1_usertype) + ') + + optional_policy(` + 
mta_rw_spool($1_usertype) + mta_manage_queue($1_usertype) + ') + + optional_policy(` + nsplugin_role($1_r, $1_usertype) + ') + + optional_policy(` + tunable_policy(`allow_user_mysql_connect',` + mysql_stream_connect($1_t) + ') + ') + + optional_policy(` + # to allow monitoring of pcmcia status + pcmcia_read_pid($1_usertype) + ') + + optional_policy(` + pcscd_read_pub_files($1_usertype) + pcscd_stream_connect($1_usertype) + ') + + optional_policy(` + tunable_policy(`allow_user_postgresql_connect',` + postgresql_stream_connect($1_usertype) + postgresql_tcp_connect($1_usertype) + ') + ') + + optional_policy(` + resmgr_stream_connect($1_usertype) + ') + + optional_policy(` + rpc_dontaudit_getattr_exports($1_usertype) + rpc_manage_nfs_rw_content($1_usertype) + ') + + optional_policy(` + rpcbind_stream_connect($1_usertype) + ') + + optional_policy(` + samba_stream_connect_winbind($1_usertype) + ') + + optional_policy(` + sandbox_transition($1_usertype, $1_r) + ') + + optional_policy(` + seunshare_role_template($1, $1_r, $1_t) + ') + + optional_policy(` + slrnpull_search_spool($1_usertype) + ') + +') + +####################################### +## <summary> +## The template for creating a login user. +## </summary> +## <desc> +## <p> +## This template creates a user domain, types, and +## rules for the user's tty, pty, home directories, +## tmp, and tmpfs files. +## </p> +## </desc> +## <param name="userdomain_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). 
+## </summary> +## </param> +# +template(`userdom_login_user_template', ` + gen_require(` + class context contains; + ') + + userdom_base_user_template($1) + + userdom_manage_home_role($1_r, $1_usertype) + + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) + + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) + + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) + ') + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') + + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') + ') + + userdom_change_password_template($1) + + ############################## + # + # User domain Local policy + # + + allow $1_t self:capability { setgid chown fowner }; + dontaudit $1_t self:capability { sys_nice fsetid }; + + allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; + dontaudit $1_t self:process setrlimit; + dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; + + allow $1_t self:context contains; + + kernel_dontaudit_read_system_state($1_usertype) + kernel_dontaudit_list_all_proc($1_usertype) + + dev_read_sysfs($1_usertype) + dev_read_urand($1_usertype) + + domain_use_interactive_fds($1_usertype) + # Command completion can fire hundreds of denials + domain_dontaudit_exec_all_entry_files($1_usertype) + + files_dontaudit_list_default($1_usertype) + files_dontaudit_read_default_files($1_usertype) + # Stat lost+found. 
+ files_getattr_lost_found_dirs($1_usertype) + + fs_get_all_fs_quotas($1_usertype) + fs_getattr_all_fs($1_usertype) + fs_search_all($1_usertype) + fs_list_inotifyfs($1_usertype) + fs_rw_anon_inodefs_files($1_usertype) + + auth_dontaudit_write_login_records($1_t) + auth_rw_cache($1_t) + + # Stop warnings about access to /dev/console + init_dontaudit_use_fds($1_usertype) + init_dontaudit_use_script_fds($1_usertype) + + libs_exec_lib_files($1_usertype) + + logging_dontaudit_getattr_all_logs($1_usertype) + + # for running TeX programs + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) + + seutil_read_config($1_usertype) + + optional_policy(` + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) + cups_stream_connect_ptal($1_usertype) + ') + + optional_policy(` + kerberos_use($1_usertype) + kerberos_connect_524($1_usertype) + ') + + optional_policy(` + mta_dontaudit_read_spool_symlinks($1_usertype) + ') + + optional_policy(` + quota_dontaudit_getattr_db($1_usertype) + ') + + optional_policy(` + rpm_read_db($1_usertype) + rpm_dontaudit_manage_db($1_usertype) + rpm_read_cache($1_usertype) + ') + + optional_policy(` + oddjob_run_mkhomedir($1_t, $1_r) + ') +') + +####################################### +## <summary> +## The template for creating a unprivileged login user. +## </summary> +## <desc> +## <p> +## This template creates a user domain, types, and +## rules for the user's tty, pty, home directories, +## tmp, and tmpfs files. +## </p> +## </desc> +## <param name="userdomain_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). 
+## </summary> +## </param> +# +template(`userdom_restricted_user_template',` + gen_require(` + attribute unpriv_userdomain; + ') + + userdom_login_user_template($1) + + typeattribute $1_t unpriv_userdomain; + domain_interactive_fd($1_t) + + allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms; + dontaudit $1_usertype self:netlink_audit_socket create_socket_perms; + + ############################## + # + # Local policy + # + + optional_policy(` + loadkeys_run($1_t,$1_r) + ') +') + +####################################### +## <summary> +## The template for creating a unprivileged xwindows login user. +## </summary> +## <desc> +## <p> +## The template for creating a unprivileged xwindows login user. +## </p> +## <p> +## This template creates a user domain, types, and +## rules for the user's tty, pty, home directories, +## tmp, and tmpfs files. +## </p> +## </desc> +## <param name="userdomain_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +# +template(`userdom_restricted_xwindows_user_template',` + + userdom_restricted_user_template($1) + + ############################## + # + # Local policy + # + + auth_role($1_r, $1_t) + auth_search_pam_console_data($1_usertype) + auth_dontaudit_read_login_records($1_usertype) + + dev_read_sound($1_usertype) + dev_write_sound($1_usertype) + # gnome keyring wants to read this. 
+ dev_dontaudit_read_rand($1_usertype) + # temporarily allow since openoffice requires this + dev_read_rand($1_usertype) + + dev_read_video_dev($1_usertype) + dev_write_video_dev($1_usertype) + dev_rw_wireless($1_usertype) + + tunable_policy(`user_rw_noexattrfile',` + dev_rw_usbfs($1_t) + dev_rw_generic_usb_dev($1_usertype) + + fs_manage_noxattr_fs_files($1_usertype) + fs_manage_noxattr_fs_dirs($1_usertype) + fs_manage_dos_dirs($1_usertype) + fs_manage_dos_files($1_usertype) + storage_raw_read_removable_device($1_usertype) + storage_raw_write_removable_device($1_usertype) + ') + + logging_send_syslog_msg($1_usertype) + logging_dontaudit_send_audit_msgs($1_t) + + # Need to to this just so screensaver will work. Should be moved to screensaver domain + logging_send_audit_msgs($1_t) + selinux_get_enforce_mode($1_t) + seutil_exec_restorecond($1_t) + seutil_read_file_contexts($1_t) + seutil_read_default_contexts($1_t) + + xserver_restricted_role($1_r, $1_t) + + optional_policy(` + alsa_read_rw_config($1_usertype) + ') + + optional_policy(` + dbus_role_template($1, $1_r, $1_usertype) + dbus_system_bus_client($1_usertype) + allow $1_usertype $1_usertype:dbus send_msg; + + optional_policy(` + abrt_dbus_chat($1_usertype) + abrt_run_helper($1_usertype, $1_r) + ') + + optional_policy(` + consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) + ') + + optional_policy(` + cups_dbus_chat($1_usertype) + cups_dbus_chat_config($1_usertype) + ') + + optional_policy(` + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + devicekit_dbus_chat_power($1_usertype) + ') + + optional_policy(` + fprintd_dbus_chat($1_t) + ') + ') + + optional_policy(` + openoffice_role_template($1, $1_r, $1_usertype) + ') + + optional_policy(` + policykit_role($1_r, $1_usertype) + ') + + optional_policy(` + pulseaudio_role($1_r, $1_usertype) + ') + + optional_policy(` + rtkit_scheduled($1_usertype) + ') + + optional_policy(` + 
setroubleshoot_dontaudit_stream_connect($1_t) + ') + + optional_policy(` + udev_read_db($1_usertype) + ') + + optional_policy(` + wm_role_template($1, $1_r, $1_t) + ') +') + +####################################### +## <summary> +## The template for creating a unprivileged user roughly +## equivalent to a regular linux user. +## </summary> +## <desc> +## <p> +## The template for creating a unprivileged user roughly +## equivalent to a regular linux user. +## </p> +## <p> +## This template creates a user domain, types, and +## rules for the user's tty, pty, home directories, +## tmp, and tmpfs files. +## </p> +## </desc> +## <param name="userdomain_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +# +template(`userdom_unpriv_user_template', ` + + ############################## + # + # Declarations + # + + # Inherit rules for ordinary users. + userdom_restricted_xwindows_user_template($1) + userdom_common_user_template($1) + + ############################## + # + # Local policy + # + + # port access is audited even if dac would not have allowed it, so dontaudit it here +# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) + # Need the following rule to allow users to run vpnc + corenet_tcp_bind_xserver_port($1_t) + corenet_tcp_bind_all_nodes($1_usertype) + + storage_rw_fuse($1_t) + + miscfiles_read_hwdata($1_usertype) + + # Allow users to run TCP servers (bind to ports and accept connection from + # the same domain and outside users) disabling this forces FTP passive mode + # and may change other protocols + tunable_policy(`user_tcp_server',` + corenet_tcp_bind_all_unreserved_ports($1_usertype) + ') + + tunable_policy(`user_setrlimit',` + allow $1_usertype self:process setrlimit; + ') + + optional_policy(` + cdrecord_role($1_r, $1_t) + ') + + optional_policy(` + cron_role($1_r, $1_t) + ') + + optional_policy(` + games_rw_data($1_usertype) + ') + + optional_policy(` + gpg_role($1_r, 
$1_usertype) + ') + + optional_policy(` + gnomeclock_dbus_chat($1_t) + ') + + optional_policy(` + gpm_stream_connect($1_usertype) + ') + + optional_policy(` + execmem_role_template($1, $1_r, $1_t) + ') + + optional_policy(` + java_role_template($1, $1_r, $1_t) + ') + + optional_policy(` + mono_role_template($1, $1_r, $1_t) + ') + + optional_policy(` + mount_run_fusermount($1_t, $1_r) + ') + + optional_policy(` + wine_role_template($1, $1_r, $1_t) + ') + + optional_policy(` + postfix_run_postdrop($1_t, $1_r) + ') + + # Run pppd in pppd_t by default for user + optional_policy(` + ppp_run_cond($1_t, $1_r) + ') +') + +####################################### +## <summary> +## The template for creating an administrative user. +## </summary> +## <desc> +## <p> +## This template creates a user domain, types, and +## rules for the user's tty, pty, home directories, +## tmp, and tmpfs files. +## </p> +## <p> +## The privileges given to administrative users are: +## <ul> +## <li>Raw disk access</li> +## <li>Set all sysctls</li> +## <li>All kernel ring buffer controls</li> +## <li>Create, read, write, and delete all files but shadow</li> +## <li>Manage source and binary format SELinux policy</li> +## <li>Run insmod</li> +## </ul> +## </p> +## </desc> +## <param name="userdomain_prefix"> +## <summary> +## The prefix of the user domain (e.g., sysadm +## is the prefix for sysadm_t). +## </summary> +## </param> +# +template(`userdom_admin_user_template',` + gen_require(` + attribute admindomain; + class passwd { passwd chfn chsh rootok crontab }; + ') + + ############################## + # + # Declarations + # + + # Inherit rules for ordinary users. 
+ userdom_login_user_template($1) + userdom_common_user_template($1) + + domain_obj_id_change_exemption($1_t) + role system_r types $1_t; + + typeattribute $1_t admindomain; + + ifdef(`direct_sysadm_daemon',` + domain_system_change_exemption($1_t) + ') + + ############################## + # + # $1_t local policy + # + + allow $1_t self:capability ~{ sys_module audit_control audit_write }; + allow $1_t self:process { setexec setfscreate }; + allow $1_t self:netlink_audit_socket nlmsg_readpriv; + allow $1_t self:tun_socket create; + # Set password information for other users. + allow $1_t self:passwd { passwd chfn chsh }; + # Skip authentication when pam_rootok is specified. + allow $1_t self:passwd rootok; + + # Manipulate other users crontab. + allow $1_t self:passwd crontab; + + kernel_read_software_raid_state($1_t) + kernel_getattr_core_if($1_t) + kernel_getattr_message_if($1_t) + kernel_change_ring_buffer_level($1_t) + kernel_clear_ring_buffer($1_t) + kernel_read_ring_buffer($1_t) + kernel_get_sysvipc_info($1_t) + kernel_rw_all_sysctls($1_t) + # signal unlabeled processes: + kernel_kill_unlabeled($1_t) + kernel_signal_unlabeled($1_t) + kernel_sigstop_unlabeled($1_t) + kernel_signull_unlabeled($1_t) + kernel_sigchld_unlabeled($1_t) + kernel_signal($1_t) + + corenet_tcp_bind_generic_port($1_t) + # allow setting up tunnels + corenet_rw_tun_tap_dev($1_t) + + dev_getattr_generic_blk_files($1_t) + dev_getattr_generic_chr_files($1_t) + # for lsof + dev_getattr_mtrr_dev($1_t) + # Allow MAKEDEV to work + dev_create_all_blk_files($1_t) + dev_create_all_chr_files($1_t) + dev_delete_all_blk_files($1_t) + dev_delete_all_chr_files($1_t) + dev_rename_all_blk_files($1_t) + dev_rename_all_chr_files($1_t) + dev_create_generic_symlinks($1_t) + + domain_setpriority_all_domains($1_t) + domain_read_all_domains_state($1_t) + domain_getattr_all_domains($1_t) + domain_dontaudit_ptrace_all_domains($1_t) + # signal all domains: + domain_kill_all_domains($1_t) + 
domain_signal_all_domains($1_t) + domain_signull_all_domains($1_t) + domain_sigstop_all_domains($1_t) + domain_sigstop_all_domains($1_t) + domain_sigchld_all_domains($1_t) + # for lsof + domain_getattr_all_sockets($1_t) + domain_dontaudit_getattr_all_sockets($1_t) + + files_exec_usr_src_files($1_t) + + fs_getattr_all_fs($1_t) + fs_getattr_all_files($1_t) + fs_list_all($1_t) + fs_set_all_quotas($1_t) + fs_exec_noxattr($1_t) + + storage_raw_read_removable_device($1_t) + storage_raw_write_removable_device($1_t) + + term_use_all_terms($1_t) + + auth_getattr_shadow($1_t) + # Manage almost all files + auth_manage_all_files_except_shadow($1_t) + # Relabel almost all files + auth_relabel_all_files_except_shadow($1_t) + + init_telinit($1_t) + + logging_send_syslog_msg($1_t) + + modutils_domtrans_insmod($1_t) + modutils_domtrans_depmod($1_t) + + # The following rule is temporary until such time that a complete + # policy management infrastructure is in place so that an administrator + # cannot directly manipulate policy files with arbitrary programs. + seutil_manage_src_policy($1_t) + # Violates the goal of limiting write access to checkpolicy. + # But presently necessary for installing the file_contexts file. 
+ seutil_manage_bin_policy($1_t) + + userdom_manage_user_home_content_dirs($1_t) + userdom_manage_user_home_content_files($1_t) + userdom_manage_user_home_content_symlinks($1_t) + userdom_manage_user_home_content_pipes($1_t) + userdom_manage_user_home_content_sockets($1_t) + userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) + + tunable_policy(`user_rw_noexattrfile',` + fs_manage_noxattr_fs_files($1_t) + fs_manage_noxattr_fs_dirs($1_t) + ',` + fs_read_noxattr_fs_files($1_t) + ') + + optional_policy(` + postgresql_unconfined($1_t) + ') + + optional_policy(` + userhelper_exec($1_t) + ') +') + +######################################## +## <summary> +## Allow user to run as a secadm +## </summary> +## <desc> +## <p> +## Create objects in a user home directory +## with an automatic type transition to +## a specified private type. +## </p> +## <p> +## This is a templated interface, and should only +## be called from a per-userdomain template. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role of the object to create. 
+## </summary> +## </param> +# +template(`userdom_security_admin_template',` + allow $1 self:capability { dac_read_search dac_override }; + + corecmd_exec_shell($1) + + domain_obj_id_change_exemption($1) + + dev_relabel_all_dev_nodes($1) + + files_create_boot_flag($1) + files_create_default_dir($1) + files_root_filetrans_default($1, dir) + + # Necessary for managing /boot/efi + fs_manage_dos_files($1) + + mls_process_read_up($1) + mls_file_read_all_levels($1) + mls_file_upgrade($1) + mls_file_downgrade($1) + + selinux_set_enforce_mode($1) + selinux_set_all_booleans($1) + selinux_set_parameters($1) + + auth_relabel_all_files_except_shadow($1) + auth_relabel_shadow($1) + + init_exec($1) + + logging_send_syslog_msg($1) + logging_read_audit_log($1) + logging_read_generic_logs($1) + logging_read_audit_config($1) + + seutil_manage_bin_policy($1) + seutil_run_checkpolicy($1,$2) + seutil_run_loadpolicy($1,$2) + seutil_run_semanage($1,$2) + seutil_run_setsebool($1,$2) + seutil_run_setfiles($1, $2) + + optional_policy(` + aide_run($1,$2) + ') + + optional_policy(` + consoletype_exec($1) + ') + + optional_policy(` + dmesg_exec($1) + ') + + optional_policy(` + ipsec_run_setkey($1,$2) + ') + + optional_policy(` + netlabel_run_mgmt($1,$2) + ') +') + +######################################## +## <summary> +## Make the specified type usable in a +## user home directory. +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a file in the +## user home directory. +## </summary> +## </param> +# +interface(`userdom_user_home_content',` + gen_require(` + type user_home_t; + attribute user_home_type; + ') + + allow $1 user_home_t:filesystem associate; + files_type($1) + ubac_constrained($1) + + files_poly_member($1) + typeattribute $1 user_home_type; +') + +######################################## +## <summary> +## Allow domain to attach to TUN devices created by administrative users. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`userdom_attach_admin_tun_iface',` + gen_require(` + attribute admindomain; + ') + + allow $1 admindomain:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') + +######################################## +## <summary> +## Set the attributes of a user pty. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_setattr_user_ptys',` + gen_require(` + type user_devpts_t; + ') + + allow $1 user_devpts_t:chr_file setattr_chr_file_perms; +') + +######################################## +## <summary> +## Create a user pty. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_create_user_pty',` + gen_require(` + type user_devpts_t; + ') + + term_create_pty($1, user_devpts_t) +') + +######################################## +## <summary> +## Get the attributes of user home directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_getattr_user_home_dirs',` + gen_require(` + type user_home_dir_t; + ') + + allow $1 user_home_dir_t:dir getattr_dir_perms; + files_search_home($1) +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes of user home directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_getattr_user_home_dirs',` + gen_require(` + type user_home_dir_t; + ') + + dontaudit $1 user_home_dir_t:dir getattr_dir_perms; +') + +######################################## +## <summary> +## Search user home directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`userdom_search_user_home_dirs',` + gen_require(` + type user_home_dir_t; + ') + + allow $1 user_home_dir_t:dir search_dir_perms; + allow $1 user_home_dir_t:lnk_file read_lnk_file_perms; + files_search_home($1) +') + +######################################## +## <summary> +## Do not audit attempts to search user home directories. +## </summary> +## <desc> +## <p> +## Do not audit attempts to search user home directories. +## This will supress SELinux denial messages when the specified +## domain is denied the permission to search these directories. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`userdom_dontaudit_search_user_home_dirs',` + gen_require(` + type user_home_dir_t; + ') + + dontaudit $1 user_home_dir_t:dir search_dir_perms; +') + +######################################## +## <summary> +## List user home directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_list_user_home_dirs',` + gen_require(` + type user_home_dir_t; + ') + + allow $1 user_home_dir_t:dir list_dir_perms; + files_search_home($1) + + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs($1) + ') + + tunable_policy(`use_samba_home_dirs',` + fs_list_cifs($1) + ') +') + +######################################## +## <summary> +## Do not audit attempts to list user home subdirectories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_list_user_home_dirs',` + gen_require(` + type user_home_dir_t; + type user_home_t; + ') + + dontaudit $1 user_home_dir_t:dir list_dir_perms; + dontaudit $1 user_home_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Create user home directories. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_create_user_home_dirs',` + gen_require(` + type user_home_dir_t; + ') + + allow $1 user_home_dir_t:dir create_dir_perms; +') + +######################################## +## <summary> +## Create user home directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_manage_user_home_dirs',` + gen_require(` + type user_home_dir_t; + ') + + allow $1 user_home_dir_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Relabel to user home directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_relabelto_user_home_dirs',` + gen_require(` + type user_home_dir_t; + ') + + allow $1 user_home_dir_t:dir relabelto; +') + + +######################################## +## <summary> +## Relabel to user home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_relabelto_user_home_files',` + gen_require(` + type user_home_t; + ') + + allow $1 user_home_t:file relabelto; +') +######################################## +## <summary> +## Relabel user home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_relabel_user_home_files',` + gen_require(` + type user_home_t; + ') + + allow $1 user_home_t:file relabel_file_perms; +') + +######################################## +## <summary> +## Create directories in the home dir root with +## the user home directory type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`userdom_home_filetrans_user_home_dir',` + gen_require(` + type user_home_dir_t; + ') + + files_home_filetrans($1, user_home_dir_t, dir) +') + +######################################## +## <summary> +## Do a domain transition to the specified +## domain when executing a program in the +## user home directory. +## </summary> +## <desc> +## <p> +## Do a domain transition to the specified +## domain when executing a program in the +## user home directory. +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## </desc> +## <param name="source_domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## Domain to transition to. +## </summary> +## </param> +# +interface(`userdom_user_home_domtrans',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + domain_auto_trans($1, user_home_t, $2) + allow $1 user_home_dir_t:dir search_dir_perms; + files_search_home($1) +') + +######################################## +## <summary> +## Do not audit attempts to search user home content directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_search_user_home_content',` + gen_require(` + type user_home_t; + ') + + dontaudit $1 user_home_t:dir search_dir_perms; + fs_dontaudit_list_nfs($1) + fs_dontaudit_list_cifs($1) +') + +######################################## +## <summary> +## List contents of users home directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`userdom_list_user_home_content',` + gen_require(` + type user_home_dir_t; + attribute user_home_type; + ') + + files_list_home($1) + allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete directories +## in a user home subdirectory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_manage_user_home_content_dirs',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + files_search_home($1) +') + +######################################## +## <summary> +## Delete directories in a user home subdirectory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_delete_user_home_content_dirs',` + gen_require(` + type user_home_t; + ') + + allow $1 user_home_t:dir delete_dir_perms; +') + +######################################## +## <summary> +## Set the attributes of user home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`userdom_setattr_user_home_content_files',` + gen_require(` + type user_home_t; + ') + + allow $1 user_home_t:file setattr; +') + +######################################## +## <summary> +## Do not audit attempts to set the +## attributes of user home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_setattr_user_home_content_files',` + gen_require(` + type user_home_t; + ') + + dontaudit $1 user_home_t:file setattr_file_perms; +') + +######################################## +## <summary> +## Mmap user home files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_mmap_user_home_content_files',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + files_search_home($1) +') + +######################################## +## <summary> +## Read user home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_read_user_home_content_files',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t }) + read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + files_search_home($1) +') + +######################################## +## <summary> +## Do not audit attempts to getattr user home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_getattr_user_home_content',` + gen_require(` + attribute user_home_type; + ') + + dontaudit $1 user_home_type:dir getattr; + dontaudit $1 user_home_type:file getattr; +') + +######################################## +## <summary> +## Do not audit attempts to read user home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_read_user_home_content_files',` + gen_require(` + attribute user_home_type; + type user_home_dir_t; + ') + + dontaudit $1 user_home_dir_t:dir list_dir_perms; + dontaudit $1 user_home_type:dir list_dir_perms; + dontaudit $1 user_home_type:file read_file_perms; + dontaudit $1 user_home_type:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to append user home files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_append_user_home_content_files',` + gen_require(` + type user_home_t; + ') + + dontaudit $1 user_home_t:file append_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to write user home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_write_user_home_content_files',` + gen_require(` + type user_home_t; + ') + + dontaudit $1 user_home_t:file write_file_perms; +') + +######################################## +## <summary> +## Delete files in a user home subdirectory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_delete_user_home_content_files',` + gen_require(` + type user_home_t; + ') + + allow $1 user_home_t:file delete_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to write user home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_relabel_user_home_content_files',` + gen_require(` + type user_home_t; + ') + + dontaudit $1 user_home_t:file relabel_file_perms; +') + +######################################## +## <summary> +## Read user home subdirectory symbolic links. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_read_user_home_content_symlinks',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Execute user home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`userdom_exec_user_home_content_files',` + gen_require(` + type user_home_dir_t; + attribute user_home_type; + ') + + files_search_home($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; + ') + +######################################## +## <summary> +## Do not audit attempts to execute user home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_exec_user_home_content_files',` + gen_require(` + type user_home_t; + ') + + dontaudit $1 user_home_t:file exec_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete files +## in a user home subdirectory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_manage_user_home_content_files',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + manage_files_pattern($1, user_home_t, user_home_t) + allow $1 user_home_dir_t:dir search_dir_perms; + files_search_home($1) +') + +######################################## +## <summary> +## Do not audit attempts to create, read, write, and delete directories +## in a user home subdirectory. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_manage_user_home_content_dirs',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + dontaudit $1 user_home_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete symbolic links +## in a user home subdirectory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`userdom_manage_user_home_content_symlinks',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + manage_lnk_files_pattern($1, user_home_t, user_home_t) + allow $1 user_home_dir_t:dir search_dir_perms; + files_search_home($1) +') + +######################################## +## <summary> +## Delete symbolic links in a user home directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_delete_user_home_content_symlinks',` + gen_require(` + type user_home_t; + ') + + allow $1 user_home_t:lnk_file delete_lnk_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete named pipes +## in a user home subdirectory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_manage_user_home_content_pipes',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + manage_fifo_files_pattern($1, user_home_t, user_home_t) + allow $1 user_home_dir_t:dir search_dir_perms; + files_search_home($1) +') + +######################################## +## <summary> +## Create, read, write, and delete named sockets +## in a user home subdirectory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_manage_user_home_content_sockets',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + allow $1 user_home_dir_t:dir search_dir_perms; + manage_sock_files_pattern($1, user_home_t, user_home_t) + files_search_home($1) +') + +######################################## +## <summary> +## Create objects in a user home directory +## with an automatic type transition to +## a specified private type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <param name="private_type"> +## <summary> +## The type of the object to create. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## The class of the object to be created. +## </summary> +## </param> +# +interface(`userdom_user_home_dir_filetrans',` + gen_require(` + type user_home_dir_t; + ') + + filetrans_pattern($1, user_home_dir_t, $2, $3) + files_search_home($1) +') + +######################################## +## <summary> +## Create objects in a user home directory +## with an automatic type transition to +## a specified private type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="private_type"> +## <summary> +## The type of the object to create. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## The class of the object to be created. +## </summary> +## </param> +# +interface(`userdom_user_home_content_filetrans',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + filetrans_pattern($1, user_home_t, $2, $3) + allow $1 user_home_dir_t:dir search_dir_perms; + files_search_home($1) +') + +######################################## +## <summary> +## Create objects in a user home directory +## with an automatic type transition to +## the user home file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## The class of the object to be created. +## </summary> +## </param> +# +interface(`userdom_user_home_dir_filetrans_user_home_content',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + filetrans_pattern($1, user_home_dir_t, user_home_t, $2) + files_search_home($1) +') + +######################################## +## <summary> +## Write to user temporary named sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`userdom_write_user_tmp_sockets',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:sock_file write_sock_file_perms; + files_search_tmp($1) +') + +######################################## +## <summary> +## List user temporary directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_list_user_tmp',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:dir list_dir_perms; + files_search_tmp($1) +') + +######################################## +## <summary> +## Do not audit attempts to list user +## temporary directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_list_user_tmp',` + gen_require(` + type user_tmp_t; + ') + + dontaudit $1 user_tmp_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Do not audit attempts to manage users +## temporary directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_manage_user_tmp_dirs',` + gen_require(` + type user_tmp_t; + ') + + dontaudit $1 user_tmp_t:dir manage_dir_perms; +') + +######################################## +## <summary> +## Read user temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_read_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + read_files_pattern($1, user_tmp_t, user_tmp_t) + allow $1 user_tmp_t:dir list_dir_perms; + files_search_tmp($1) +') + +######################################## +## <summary> +## Do not audit attempts to read users +## temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`userdom_dontaudit_read_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + dontaudit $1 user_tmp_t:file read_inherited_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to append users +## temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_append_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + dontaudit $1 user_tmp_t:file append_file_perms; +') + +######################################## +## <summary> +## Read and write user temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_rw_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:dir list_dir_perms; + rw_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) +') + +######################################## +## <summary> +## Do not audit attempts to manage users +## temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_manage_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + dontaudit $1 user_tmp_t:file manage_file_perms; +') + +######################################## +## <summary> +## Read user temporary symbolic links. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_read_user_tmp_symlinks',` + gen_require(` + type user_tmp_t; + ') + + read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) + allow $1 user_tmp_t:dir list_dir_perms; + files_search_tmp($1) +') + +######################################## +## <summary> +## Create, read, write, and delete user +## temporary directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`userdom_manage_user_tmp_dirs',` + gen_require(` + type user_tmp_t; + ') + + manage_dirs_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) +') + +######################################## +## <summary> +## Create, read, write, and delete user +## temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_manage_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + manage_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) +') + +######################################## +## <summary> +## Create, read, write, and delete user +## temporary symbolic links. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_manage_user_tmp_symlinks',` + gen_require(` + type user_tmp_t; + ') + + manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) +') + +######################################## +## <summary> +## Create, read, write, and delete user +## temporary named pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_manage_user_tmp_pipes',` + gen_require(` + type user_tmp_t; + ') + + manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) +') + +######################################## +## <summary> +## Create, read, write, and delete user +## temporary named sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`userdom_manage_user_tmp_sockets',` + gen_require(` + type user_tmp_t; + ') + + manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) +') + +######################################## +## <summary> +## Create objects in a user temporary directory +## with an automatic type transition to +## a specified private type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="private_type"> +## <summary> +## The type of the object to create. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## The class of the object to be created. +## </summary> +## </param> +# +interface(`userdom_user_tmp_filetrans',` + gen_require(` + type user_tmp_t; + ') + + filetrans_pattern($1, user_tmp_t, $2, $3) + files_search_tmp($1) +') + +######################################## +## <summary> +## Create objects in the temporary directory +## with an automatic type transition to +## the user temporary type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## The class of the object to be created. +## </summary> +## </param> +# +interface(`userdom_tmp_filetrans_user_tmp',` + gen_require(` + type user_tmp_t; + ') + + files_tmp_filetrans($1, user_tmp_t, $2) +') + +######################################## +## <summary> +## Read user tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_read_user_tmpfs_files',` + gen_require(` + type user_tmpfs_t; + ') + + read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) + read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) + allow $1 user_tmpfs_t:dir list_dir_perms; + fs_search_tmpfs($1) +') + +######################################## +## <summary> +## Read/Write user tmpfs files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_rw_user_tmpfs_files',` + gen_require(` + type user_tmpfs_t; + ') + + rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) + read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) + allow $1 user_tmpfs_t:dir list_dir_perms; + fs_search_tmpfs($1) +') + +######################################## +## <summary> +## Get the attributes of a user domain tty. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_getattr_user_ttys',` + gen_require(` + type user_tty_device_t; + ') + + allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes of a user domain tty. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_getattr_user_ttys',` + gen_require(` + type user_tty_device_t; + ') + + dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms; +') + +######################################## +## <summary> +## Set the attributes of a user domain tty. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_setattr_user_ttys',` + gen_require(` + type user_tty_device_t; + ') + + allow $1 user_tty_device_t:chr_file setattr_chr_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to set the attributes of a user domain tty. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`userdom_dontaudit_setattr_user_ttys',` + gen_require(` + type user_tty_device_t; + ') + + dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms; +') + +######################################## +## <summary> +## Read and write a user domain tty. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_use_user_ttys',` + gen_require(` + type user_tty_device_t; + ') + + allow $1 user_tty_device_t:chr_file rw_term_perms; +') + +######################################## +## <summary> +## Read and write a user domain pty. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_use_user_ptys',` + gen_require(` + type user_devpts_t; + ') + + allow $1 user_devpts_t:chr_file rw_term_perms; +') + +######################################## +## <summary> +## Read and write a user TTYs and PTYs. +## </summary> +## <desc> +## <p> +## Allow the specified domain to read and write user +## TTYs and PTYs. This will allow the domain to +## interact with the user via the terminal. Typically +## all interactive applications will require this +## access. +## </p> +## <p> +## However, this also allows the applications to spy +## on user sessions or inject information into the +## user session. Thus, this access should likely +## not be allowed for non-interactive domains. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <infoflow type="both" weight="10"/> +# +interface(`userdom_use_user_terminals',` + gen_require(` + type user_tty_device_t, user_devpts_t; + ') + + allow $1 user_tty_device_t:chr_file rw_term_perms; + allow $1 user_devpts_t:chr_file rw_term_perms; + term_list_ptys($1) +') + +######################################## +## <summary> +## Do not audit attempts to read and write +## a user domain tty and pty. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_use_user_terminals',` + gen_require(` + type user_tty_device_t, user_devpts_t; + ') + + dontaudit $1 user_tty_device_t:chr_file rw_term_perms; + dontaudit $1 user_devpts_t:chr_file rw_term_perms; +') + +######################################## +## <summary> +## Execute a shell in all user domains. This +## is an explicit transition, requiring the +## caller to use setexeccon(). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`userdom_spec_domtrans_all_users',` + gen_require(` + attribute userdomain; + ') + + corecmd_shell_spec_domtrans($1, userdomain) + allow userdomain $1:fd use; + allow userdomain $1:fifo_file rw_file_perms; + allow userdomain $1:process sigchld; +') + +######################################## +## <summary> +## Execute an Xserver session in all unprivileged user domains. This +## is an explicit transition, requiring the +## caller to use setexeccon(). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`userdom_xsession_spec_domtrans_all_users',` + gen_require(` + attribute userdomain; + ') + + xserver_xsession_spec_domtrans($1, userdomain) + allow userdomain $1:fd use; + allow userdomain $1:fifo_file rw_file_perms; + allow userdomain $1:process sigchld; +') + +######################################## +## <summary> +## Execute a shell in all unprivileged user domains. This +## is an explicit transition, requiring the +## caller to use setexeccon(). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. 
+## </summary> +## </param> +# +interface(`userdom_spec_domtrans_unpriv_users',` + gen_require(` + attribute unpriv_userdomain; + ') + + corecmd_shell_spec_domtrans($1, unpriv_userdomain) + allow unpriv_userdomain $1:fd use; + allow unpriv_userdomain $1:fifo_file rw_file_perms; + allow unpriv_userdomain $1:process sigchld; +') + +######################################## +## <summary> +## Execute an Xserver session in all unprivileged user domains. This +## is an explicit transition, requiring the +## caller to use setexeccon(). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`userdom_xsession_spec_domtrans_unpriv_users',` + gen_require(` + attribute unpriv_userdomain; + ') + + xserver_xsession_spec_domtrans($1, unpriv_userdomain) + allow unpriv_userdomain $1:fd use; + allow unpriv_userdomain $1:fifo_file rw_file_perms; + allow unpriv_userdomain $1:process sigchld; +') + +######################################## +## <summary> +## Manage unpriviledged user SysV sempaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_manage_unpriv_user_semaphores',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:sem create_sem_perms; +') + +######################################## +## <summary> +## Manage unpriviledged user SysV shared +## memory segments. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_manage_unpriv_user_shared_mem',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:shm create_shm_perms; +') + +######################################## +## <summary> +## Execute bin_t in the unprivileged user domains. This +## is an explicit transition, requiring the +## caller to use setexeccon(). 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`userdom_bin_spec_domtrans_unpriv_users',` + gen_require(` + attribute unpriv_userdomain; + ') + + corecmd_bin_spec_domtrans($1, unpriv_userdomain) + allow unpriv_userdomain $1:fd use; + allow unpriv_userdomain $1:fifo_file rw_file_perms; + allow unpriv_userdomain $1:process sigchld; +') + +######################################## +## <summary> +## Execute all entrypoint files in unprivileged user +## domains. This is an explicit transition, requiring the +## caller to use setexeccon(). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_entry_spec_domtrans_unpriv_users',` + gen_require(` + attribute unpriv_userdomain; + ') + + domain_entry_file_spec_domtrans($1, unpriv_userdomain) + allow unpriv_userdomain $1:fd use; + allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms; + allow unpriv_userdomain $1:process sigchld; +') + +######################################## +## <summary> +## Search users home directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_search_user_home_content',` + gen_require(` + type user_home_dir_t; + attribute user_home_type; + ') + + files_list_home($1) + allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; + allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> +## Send general signals to unprivileged user domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`userdom_signal_unpriv_users',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:process signal; +') + +######################################## +## <summary> +## Inherit the file descriptors from unprivileged user domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_use_unpriv_users_fds',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to inherit the file descriptors +## from unprivileged user domains. +## </summary> +## <desc> +## <p> +## Do not audit attempts to inherit the file descriptors +## from unprivileged user domains. This will supress +## SELinux denial messages when the specified domain is denied +## the permission to inherit these file descriptors. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`userdom_dontaudit_use_unpriv_user_fds',` + gen_require(` + attribute unpriv_userdomain; + ') + + dontaudit $1 unpriv_userdomain:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to use user ptys. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_use_user_ptys',` + gen_require(` + type user_devpts_t; + ') + + dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms; +') + +######################################## +## <summary> +## Relabel files to unprivileged user pty types. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`userdom_relabelto_user_ptys',` + gen_require(` + type user_devpts_t; + ') + + allow $1 user_devpts_t:chr_file relabelto; +') + +######################################## +## <summary> +## Do not audit attempts to relabel files from +## user pty types. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_relabelfrom_user_ptys',` + gen_require(` + type user_devpts_t; + ') + + dontaudit $1 user_devpts_t:chr_file relabelfrom; +') + +######################################## +## <summary> +## Write all users files in /tmp +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_write_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + write_files_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## +## <summary> +## Do not audit attempts to write users +## temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_write_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + dontaudit $1 user_tmp_t:file write; +') + +######################################## +## <summary> +## Do not audit attempts to read/write users +## temporary fifo files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_rw_user_tmp_pipes',` + gen_require(` + type user_tmp_t; + ') + + dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to use user ttys. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`userdom_dontaudit_use_user_ttys',` + gen_require(` + type user_tty_device_t; + ') + + dontaudit $1 user_tty_device_t:chr_file rw_file_perms; +') + +######################################## +## <summary> +## Read the process state of all user domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_read_all_users_state',` + gen_require(` + attribute userdomain; + ') + + read_files_pattern($1, userdomain, userdomain) + read_lnk_files_pattern($1,userdomain,userdomain) + kernel_search_proc($1) +') + +######################################## +## <summary> +## Get the attributes of all user domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_getattr_all_users',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:process getattr; +') + +######################################## +## <summary> +## Inherit the file descriptors from all user domains +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_use_all_users_fds',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to inherit the file +## descriptors from any user domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_use_all_users_fds',` + gen_require(` + attribute userdomain; + ') + + dontaudit $1 userdomain:fd use; +') + +######################################## +## <summary> +## Send general signals to all user domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`userdom_signal_all_users',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:process signal; +') + +######################################## +## <summary> +## Send a SIGCHLD signal to all user domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_sigchld_all_users',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:process sigchld; +') + +######################################## +## <summary> +## Create keys for all user domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_create_all_users_keys',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:key create; +') + +######################################## +## <summary> +## Send a dbus message to all user domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_dbus_send_all_users',` + gen_require(` + attribute userdomain; + class dbus send_msg; + ') + + allow $1 userdomain:dbus send_msg; +') + +######################################## +## <summary> +## Allow apps to set rlimits on userdomain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_set_rlimitnh',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:process rlimitinh; +') + +######################################## +## <summary> +## Define this type as a Allow apps to set rlimits on userdomain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="userdomain_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). 
+## </summary> +## </param> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +template(`userdom_unpriv_usertype',` + gen_require(` + attribute unpriv_userdomain, userdomain; + attribute $1_usertype; + ') + typeattribute $2 $1_usertype; + typeattribute $2 unpriv_userdomain; + typeattribute $2 userdomain; + + ubac_constrained($2) +') + +######################################## +## <summary> +## Connect to users over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_stream_connect',` + gen_require(` + type user_tmp_t; + attribute userdomain; + ') + + stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain) +') + +######################################## +## <summary> +## Ptrace user domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_ptrace_all_users',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:process ptrace; +') + +######################################## +## <summary> +## dontaudit Search /root +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_dontaudit_search_admin_dir',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:dir search_dir_perms; +') + +######################################## +## <summary> +## dontaudit list /root +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_dontaudit_list_admin_dir',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Allow domain to list /root +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`userdom_list_admin_dir',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:dir list_dir_perms; +') + +######################################## +## <summary> +## Allow Search /root +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_search_admin_dir',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:dir search_dir_perms; +') + +######################################## +## <summary> +## RW unpriviledged user SysV sempaphores. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_rw_semaphores',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:sem rw_sem_perms; +') + +######################################## +## <summary> +## Send a message to unpriv users over a unix domain +## datagram socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_dgram_send',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:unix_dgram_socket sendto; +') + +###################################### +## <summary> +## Send a message to users over a unix domain +## datagram socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_users_dgram_send',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:unix_dgram_socket sendto; +') + +####################################### +## <summary> +## Allow execmod on files in homedirectory +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolebase/> +# +interface(`userdom_execmod_user_home_files',` + gen_require(` + type user_home_type; + ') + + allow $1 user_home_type:file execmod; +') + +######################################## +## <summary> +## Read admin home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`userdom_read_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + read_files_pattern($1, admin_home_t, admin_home_t) +') + +######################################## +## <summary> +## Execute admin home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`userdom_exec_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + exec_files_pattern($1, admin_home_t, admin_home_t) +') + +######################################## +## <summary> +## Append files inherited +## in the /root directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`userdom_inherit_append_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + allow $1 admin_home_t:file { getattr append }; +') + + +####################################### +## <summary> +## Manage all files/directories in the homedir +## </summary> +## <param name="userdomain"> +## <summary> +## The user domain +## </summary> +## </param> +## <rolebase/> +# +interface(`userdom_manage_user_home_content',` + gen_require(` + type user_home_dir_t, user_home_t; + attribute user_home_type; + ') + + files_list_home($1) + manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) + +') + + +######################################## +## <summary> +## Create objects in a user home directory +## with an automatic type transition to +## the user home file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## The class of the object to be created. +## </summary> +## </param> +# +interface(`userdom_user_home_dir_filetrans_pattern',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + type_transition $1 user_home_dir_t:$2 user_home_t; +') + +######################################## +## <summary> +## Create objects in the /root directory +## with an automatic type transition to +## a specified private type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <param name="private_type"> +## <summary> +## The type of the object to create. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## The class of the object to be created. +## </summary> +## </param> +# +interface(`userdom_admin_home_dir_filetrans',` + gen_require(` + type admin_home_t; + ') + + filetrans_pattern($1, admin_home_t, $2, $3) +') + +######################################## +## <summary> +## Send signull to unprivileged user domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_signull_unpriv_users',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:process signull; +') + +######################################## +## <summary> +## Write all users files in /tmp +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_write_user_tmp_dirs',` + gen_require(` + type user_tmp_t; + ') + + write_files_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## +## <summary> +## Manage keys for all user domains. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_manage_all_users_keys',` + gen_require(` + attribute userdomain; + ') + + allow $1 userdomain:key manage_key_perms; +') + + +######################################## +## <summary> +## Do not audit attempts to read and write +## unserdomain stream. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_rw_stream',` + gen_require(` + attribute userdomain; + ') + + dontaudit $1 userdomain:unix_stream_socket rw_socket_perms; +') + +######################################## +## <summary> +## Append files +## in a user home subdirectory. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_append_user_home_content_files',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + append_files_pattern($1, user_home_t, user_home_t) + allow $1 user_home_dir_t:dir search_dir_perms; + files_search_home($1) +') + +######################################## +## <summary> +## Read files inherited +## in a user home subdirectory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_read_inherited_user_home_content_files',` + gen_require(` + attribute user_home_type; + ') + + allow $1 user_home_type:file { getattr read }; +') + +######################################## +## <summary> +## Append files inherited +## in a user home subdirectory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_inherit_append_user_home_content_files',` + gen_require(` + type user_home_t; + ') + + allow $1 user_home_t:file { getattr append }; +') + +######################################## +## <summary> +## Append files inherited +## in a user tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_inherit_append_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:file { getattr append }; +') + +###################################### +## <summary> +## Read audio files in the users homedir. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`userdom_read_home_audio_files',` + gen_require(` + type audio_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 audio_home_t:dir list_dir_perms; + read_files_pattern($1, audio_home_t, audio_home_t) + read_lnk_files_pattern($1, audio_home_t, audio_home_t) +') + +######################################## +## <summary> +## Read system SSL certificates in the users homedir. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`userdom_read_home_certs',` + gen_require(` + type home_cert_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 home_cert_t:dir list_dir_perms; + read_files_pattern($1, home_cert_t, home_cert_t) + read_lnk_files_pattern($1, home_cert_t, home_cert_t) +') + +######################################## +## <summary> +## dontaudit Search getatrr /root files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_dontaudit_getattr_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:file getattr; +') + +######################################## +## <summary> +## dontaudit read /root lnk files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_dontaudit_read_admin_home_lnk_files',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:lnk_file read; +') + +######################################## +## <summary> +## dontaudit read /root files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`userdom_dontaudit_read_admin_home_files',` + gen_require(` + type admin_home_t; + ') + + dontaudit $1 admin_home_t:file read_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete user +## temporary chr files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_manage_user_tmp_chr_files',` + gen_require(` + type user_tmp_t; + ') + + manage_chr_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) +') + +######################################## +## <summary> +## Create, read, write, and delete user +## temporary blk files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_manage_user_tmp_blk_files',` + gen_require(` + type user_tmp_t; + ') + + manage_blk_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) +') + +######################################## +## <summary> +## Dontaudit attempt to set attributes on user temporary directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_dontaudit_setattr_user_tmp',` + gen_require(` + type user_tmp_t; + ') + + dontaudit $1 user_tmp_t:dir setattr; +') + +######################################## +## <summary> +## Write all inherited users files in /tmp +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_write_inherited_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:file write; +') + +######################################## +## <summary> +## Delete all users files in /tmp +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`userdom_delete_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + + allow $1 user_tmp_t:file delete_file_perms; +') + +######################################## +## <summary> +## Delete user tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_delete_user_tmpfs_files',` + gen_require(` + type user_tmpfs_t; + ') + + allow $1 user_tmpfs_t:file delete_file_perms; +') + +######################################## +## <summary> +## Read/Write unpriviledged user SysV shared +## memory segments. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_rw_unpriv_user_shared_mem',` + gen_require(` + attribute unpriv_userdomain; + ') + + allow $1 unpriv_userdomain:shm rw_shm_perms; +') + +######################################## +## <summary> +## Do not audit attempts to search user +## temporary directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`userdom_dontaudit_search_user_tmp',` + gen_require(` + type user_tmp_t; + ') + + dontaudit $1 user_tmp_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Execute a file in a user home directory +## in the specified domain. +## </summary> +## <desc> +## <p> +## Execute a file in a user home directory +## in the specified domain. +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the new process. 
+## </summary> +## </param> +# +interface(`userdom_domtrans_user_home',` + gen_require(` + type user_home_t; + ') + + read_lnk_files_pattern($1, user_home_t, user_home_t) + domain_transition_pattern($1, user_home_t, $2) + type_transition $1 user_home_t:process $2; +') + +######################################## +## <summary> +## Execute a file in a user tmp directory +## in the specified domain. +## </summary> +## <desc> +## <p> +## Execute a file in a user tmp directory +## in the specified domain. +## </p> +## <p> +## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the new process. +## </summary> +## </param> +# +interface(`userdom_domtrans_user_tmp',` + gen_require(` + type user_tmp_t; + ') + + files_search_tmp($1) + read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) + domain_transition_pattern($1, user_tmp_t, $2) + type_transition $1 user_tmp_t:process $2; +') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te new file mode 100644 index 0000000..0aa5ce3 --- /dev/null +++ b/policy/modules/system/userdomain.te 
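Review bot: in `userdom_write_user_tmp_dirs` the name says dirs but the body is `write_files_pattern($1, user_tmp_t, user_tmp_t)` and the summary reads "Write all users files in /tmp"; either rename the interface to `userdom_write_user_tmp_files` or change the rule to grant write on `user_tmp_t:dir`, so callers are not misled about what they grant. Two smaller points in the same hunk: `userdom_domtrans_user_home` grants `domain_transition_pattern($1, user_home_t, $2)` without any search permission on `user_home_dir_t`, whereas the sibling `userdom_domtrans_user_tmp` includes `files_search_tmp($1)`; add `userdom_search_user_home_dirs($1)` or state in the `<desc>` that callers must add it. The summary of `userdom_dontaudit_getattr_admin_home_files` reads "dontaudit Search getatrr /root files" while the rule is only `dontaudit $1 admin_home_t:file getattr;` (no search), and `userdom_dontaudit_rw_stream` says "unserdomain stream"; both need correcting. Finally, `userdom_manage_user_home_content` names its parameter "userdomain" ("The user domain") although it is just the domain being granted access like every other interface here, and has a stray blank line before the closing `')`.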
@@ -0,0 +1,137 @@ +policy_module(userdomain, 4.4.3) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow users to connect to mysql +## </p> +## </desc> +gen_tunable(allow_user_mysql_connect, false) + +## <desc> +## <p> +## Allow users to connect to PostgreSQL +## </p> +## </desc> +gen_tunable(allow_user_postgresql_connect, false) + +## <desc> +## <p> +## Allow regular users direct mouse access +## </p> +## </desc> +gen_tunable(user_direct_mouse, false) + +## <desc> +## <p> +## Allow users to read system messages. +## </p> +## </desc> +gen_tunable(user_dmesg, false) + +## <desc> +## <p> +## Allow user to r/w files on filesystems +## that do not have extended attributes (FAT, CDROM, FLOPPY) +## </p> +## </desc> +gen_tunable(user_rw_noexattrfile, false) + +## <desc> +## <p> +## Allow user processes to change their priority +## </p> +## </desc> +gen_tunable(user_setrlimit, false) + +## <desc> +## <p> +## Allow w to display everyone +## </p> +## </desc> +gen_tunable(user_ttyfile_stat, false) + +attribute admindomain; + +# all user domains +attribute userdomain; + +# unprivileged user domains +attribute unpriv_userdomain; + +attribute untrusted_content_type; +attribute untrusted_content_tmp_type; + +# unprivileged user domains +attribute user_home_type; + +type admin_home_t; +files_type(admin_home_t) +files_associate_tmp(admin_home_t) +fs_associate_tmpfs(admin_home_t) +files_mountpoint(admin_home_t) + +type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; +fs_associate_tmpfs(user_home_dir_t) +files_type(user_home_dir_t) +files_mountpoint(user_home_dir_t) +files_associate_tmp(user_home_dir_t) +files_poly(user_home_dir_t) +files_poly_member(user_home_dir_t) +files_poly_parent(user_home_dir_t) +ubac_constrained(user_home_dir_t) + +type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; +typealias user_home_t 
alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; +typeattribute user_home_t user_home_type; +userdom_user_home_content(user_home_t) +fs_associate_tmpfs(user_home_t) +files_associate_tmp(user_home_t) +files_poly_member(user_home_t) +files_poly_parent(user_home_t) +files_mountpoint(user_home_t) +ubac_constrained(user_home_t) + +type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t }; +dev_node(user_devpts_t) +files_type(user_devpts_t) +ubac_constrained(user_devpts_t) + +type user_tmp_t alias { winbind_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; +typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; +files_tmp_file(user_tmp_t) +userdom_user_home_content(user_tmp_t) + +type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; +files_tmpfs_file(user_tmpfs_t) +userdom_user_home_content(user_tmpfs_t) + +type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; +dev_node(user_tty_device_t) +ubac_constrained(user_tty_device_t) + +type audio_home_t; +userdom_user_home_content(audio_home_t) +ubac_constrained(audio_home_t) + +type home_bin_t; +userdom_user_home_content(home_bin_t) +ubac_constrained(home_bin_t) + +type home_cert_t; +miscfiles_cert_type(home_cert_t) +userdom_user_home_content(home_cert_t) +ubac_constrained(home_cert_t) + +tunable_policy(`allow_console_login',` + term_use_console(userdomain) +') + +allow userdomain userdomain:process signull; + +# Nautilus causes this avc +dontaudit unpriv_userdomain self:dir setattr; 
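Review bot: `tunable_policy(`allow_console_login',` ... `term_use_console(userdomain)` references a tunable this file never declares (the hunk only declares `allow_user_mysql_connect`, `allow_user_postgresql_connect`, `user_direct_mouse`, `user_dmesg`, `user_rw_noexattrfile`, `user_setrlimit` and `user_ttyfile_stat`); confirm `allow_console_login` is declared in global_tunables in this same commit, otherwise the module will not build. The comment above `attribute user_home_type;` reads "# unprivileged user domains", a copy of the comment on `unpriv_userdomain` two declarations up; it should describe the attribute as the set of user home content types, which is how `typeattribute user_home_t user_home_type;` uses it below. Also, `type user_tmp_t alias { winbind_tmp_t sshd_tmp_t staff_tmp_t ... }` folds two daemons' tmp types into the user tmp type, so every interface that grants `user_tmp_t` access (such as `userdom_delete_user_tmp_files` or `userdom_write_inherited_user_tmp_files` in userdomain.if) now also reaches sshd's and winbind's temporary files; a comment explaining why that merge is intended would help later reviewers.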
diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc new file mode 100644 index 0000000..744fa64 --- /dev/null +++ b/policy/modules/system/xen.fc 
@@ -0,0 +1,37 @@ +/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) + +/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) + +ifdef(`distro_debian',` +/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) +/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) +/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) +/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) +',` +/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) +/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) +/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) +/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) +') + +/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) +/var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0) +/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) +/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0) + +/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) +/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) +/var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) +/var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) +/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) + +/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0) +/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0) +/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) +/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) +/var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0) +/var/run/xenner(/.*)? 
gen_context(system_u:object_r:xend_var_run_t,s0) +/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) +/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) + +/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0) diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if new file mode 100644 index 0000000..4aa96c6 --- /dev/null +++ b/policy/modules/system/xen.if 
@@ -0,0 +1,259 @@ +## <summary>Xen hypervisor</summary> + +######################################## +## <summary> +## Execute a domain transition to run xend. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`xen_domtrans',` + gen_require(` + type xend_t, xend_exec_t; + ') + + domtrans_pattern($1, xend_exec_t, xend_t) +') + +######################################## +## <summary> +## Inherit and use xen file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xen_use_fds',` + gen_require(` + type xend_t; + ') + + allow $1 xend_t:fd use; +') + +######################################## +## <summary> +## Do not audit attempts to inherit +## xen file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`xen_dontaudit_use_fds',` + gen_require(` + type xend_t; + ') + + dontaudit $1 xend_t:fd use; +') + +######################################## +## <summary> +## Read xend image files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xen_read_image_files',` + gen_require(` + type xen_image_t, xend_var_lib_t; + ') + + files_list_var_lib($1) + + list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) + read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t) +') + +######################################## +## <summary> +## Allow the specified domain to read/write +## xend image files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`xen_manage_image_dirs',` + gen_require(` + type xend_var_lib_t; + ') + + files_list_var_lib($1) + manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) +') + +######################################## +## <summary> +## Allow the specified domain to read/write +## xend image files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`xen_rw_image_files',` + gen_require(` + type xen_image_t, xend_var_lib_t; + ') + + files_list_var_lib($1) + allow $1 xend_var_lib_t:dir search_dir_perms; + rw_files_pattern($1, xen_image_t, xen_image_t) +') + +######################################## +## <summary> +## Allow the specified domain to append +## xend log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xen_append_log',` + gen_require(` + type xend_var_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, xend_var_log_t, xend_var_log_t) + dontaudit $1 xend_var_log_t:file write; +') + +######################################## +## <summary> +## Create, read, write, and delete the +## xend log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xen_manage_log',` + gen_require(` + type xend_var_log_t; + ') + + logging_search_logs($1) + manage_dirs_pattern($1, xend_var_log_t, xend_var_log_t) + manage_files_pattern($1, xend_var_log_t, xend_var_log_t) +') + +######################################## +## <summary> +## Do not audit attempts to read and write +## Xen unix domain stream sockets. These +## are leaked file descriptors. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`xen_dontaudit_rw_unix_stream_sockets',` + gen_require(` + type xend_t; + ') + + dontaudit $1 xend_t:unix_stream_socket { read write }; +') + +######################################## +## <summary> +## Connect to xenstored over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xen_stream_connect_xenstore',` + gen_require(` + type xenstored_t, xenstored_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xenstored_t) +') + +######################################## +## <summary> +## Connect to xend over an unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xen_stream_connect',` + gen_require(` + type xend_t, xend_var_run_t, xend_var_lib_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, xend_var_run_t, xend_var_run_t, xend_t) + + files_search_var_lib($1) + stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t) +') + +######################################## +## <summary> +## Execute a domain transition to run xm. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`xen_domtrans_xm',` + gen_require(` + type xm_t, xm_exec_t; + attribute virsh_transition_domain; + ') + typeattribute $1 virsh_transition_domain; + domtrans_pattern($1, xm_exec_t, xm_t) +') + +######################################## +## <summary> +## Connect to xm over an unix stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xen_stream_connect_xm',` + gen_require(` + type xm_t, xenstored_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xm_t) +') 
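Review bot: the summary on `xen_manage_image_dirs` ("Allow the specified domain to read/write xend image files") is copied from `xen_rw_image_files` and does not match the body, which is `manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)` on the xend var/lib directories and touches no `xen_image_t` files; reword it to "Create, read, write, and delete xend var/lib directories" or similar. In the same way, the `<param name="domain">` summary of `xen_rw_image_files` reads "Domain allowed to transition." although no transition occurs; it should be "Domain allowed access." Also, `xen_domtrans_xm` requires `attribute virsh_transition_domain;`, which xen.te does not declare (it declares `xm_transition_domain` instead), so this interface now depends on the virt module being loaded; either require `xm_transition_domain` here or document the cross-module dependency, and add the usual blank line after the `gen_require` block.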
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te new file mode 100644 index 0000000..600d43f --- /dev/null +++ b/policy/modules/system/xen.te 
@@ -0,0 +1,386 @@ +policy_module(xen, 1.10.0) + +######################################## +# +# Declarations +# +attribute xm_transition_domain; + +## <desc> +## <p> +## Allow xen to manage nfs files +## </p> +## </desc> +gen_tunable(xen_use_nfs, false) + +type evtchnd_t; +type evtchnd_exec_t; +init_daemon_domain(evtchnd_t, evtchnd_exec_t) + +# log files +type evtchnd_var_log_t; +logging_log_file(evtchnd_var_log_t) + +# pid files +type evtchnd_var_run_t; +files_pid_file(evtchnd_var_run_t) + +# console ptys +type xen_devpts_t; +term_pty(xen_devpts_t) +files_type(xen_devpts_t) + +# Xen Image files +type xen_image_t; # customizable +files_type(xen_image_t) +# xen_image_t can be assigned to blk devices +dev_node(xen_image_t) +virt_image(xen_image_t) + +type xenctl_t; +files_type(xenctl_t) + +type xend_t; +type xend_exec_t; +domain_type(xend_t) +init_daemon_domain(xend_t, xend_exec_t) + +# tmp files +type xend_tmp_t; +files_tmp_file(xend_tmp_t) + +# var/lib files +type xend_var_lib_t; +files_type(xend_var_lib_t) +# for mounting an NFS store +files_mountpoint(xend_var_lib_t) + +# log files +type xend_var_log_t; +logging_log_file(xend_var_log_t) + +# pid files +type xend_var_run_t; +files_pid_file(xend_var_run_t) +files_mountpoint(xend_var_run_t) + +type xenstored_t; +type xenstored_exec_t; +init_daemon_domain(xenstored_t, xenstored_exec_t) + +type xenstored_tmp_t; +files_tmp_file(xenstored_tmp_t) + +# var/lib files +type xenstored_var_lib_t; +files_type(xenstored_var_lib_t) + +# log files +type xenstored_var_log_t; +logging_log_file(xenstored_var_log_t) + +# pid files +type xenstored_var_run_t; +files_pid_file(xenstored_var_run_t) + +type xenconsoled_t; +type xenconsoled_exec_t; +init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) + +# pid files +type xenconsoled_var_run_t; +files_pid_file(xenconsoled_var_run_t) + +####################################### +# +# evtchnd local policy +# + +manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) 
+manage_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) +logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir }) + +manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) +manage_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) +manage_sock_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) +files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) + +######################################## +# +# xend local policy +# + +allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_ptrace sys_tty_config net_raw }; +dontaudit xend_t self:capability { sys_ptrace }; +allow xend_t self:process { signal sigkill }; +dontaudit xend_t self:process ptrace; +# internal communication is often done using fifo and unix sockets. +allow xend_t self:fifo_file rw_fifo_file_perms; +allow xend_t self:unix_stream_socket create_stream_socket_perms; +allow xend_t self:unix_dgram_socket create_socket_perms; +allow xend_t self:netlink_route_socket r_netlink_socket_perms; +allow xend_t self:tcp_socket create_stream_socket_perms; +allow xend_t self:packet_socket create_socket_perms; + +allow xend_t xen_image_t:dir list_dir_perms; +manage_dirs_pattern(xend_t, xen_image_t, xen_image_t) +manage_files_pattern(xend_t, xen_image_t, xen_image_t) +read_lnk_files_pattern(xend_t, xen_image_t, xen_image_t) +rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t) + +allow xend_t xenctl_t:fifo_file manage_fifo_file_perms; +dev_filetrans(xend_t, xenctl_t, fifo_file) + +manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t) +manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t) +files_tmp_filetrans(xend_t, xend_tmp_t, { file dir }) + +# pid file +manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t) +manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) +manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) +manage_fifo_files_pattern(xend_t, xend_var_run_t, 
xend_var_run_t) +files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir }) + +# log files +manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t) +manage_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) +manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) +logging_log_filetrans(xend_t, xend_var_log_t, { sock_file file dir }) + +# var/lib files for xend +manage_dirs_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) +manage_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) +manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) +manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) +files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir }) + +# transition to store +domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) + +# transition to console +domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t) + +kernel_read_kernel_sysctls(xend_t) +kernel_read_system_state(xend_t) +kernel_write_xen_state(xend_t) +kernel_read_xen_state(xend_t) +kernel_rw_net_sysctls(xend_t) +kernel_read_network_state(xend_t) + +corecmd_exec_bin(xend_t) +corecmd_exec_shell(xend_t) + +corenet_all_recvfrom_unlabeled(xend_t) +corenet_all_recvfrom_netlabel(xend_t) +corenet_tcp_sendrecv_generic_if(xend_t) +corenet_tcp_sendrecv_generic_node(xend_t) +corenet_tcp_sendrecv_all_ports(xend_t) +corenet_tcp_bind_generic_node(xend_t) +corenet_tcp_bind_xen_port(xend_t) +corenet_tcp_bind_soundd_port(xend_t) +corenet_tcp_bind_generic_port(xend_t) +corenet_tcp_bind_vnc_port(xend_t) +corenet_tcp_connect_xserver_port(xend_t) +corenet_tcp_connect_xen_port(xend_t) +corenet_sendrecv_xserver_client_packets(xend_t) +corenet_sendrecv_xen_server_packets(xend_t) +corenet_sendrecv_xen_client_packets(xend_t) +corenet_sendrecv_soundd_server_packets(xend_t) +corenet_rw_tun_tap_dev(xend_t) + +dev_read_urand(xend_t) +dev_manage_xen(xend_t) +dev_filetrans_xen(xend_t) +dev_rw_sysfs(xend_t) +dev_rw_xen(xend_t) + +domain_read_all_domains_state(xend_t) 
+domain_dontaudit_read_all_domains_state(xend_t) +domain_dontaudit_ptrace_all_domains(xend_t) + +files_read_etc_files(xend_t) +files_read_kernel_symbol_table(xend_t) +files_read_kernel_img(xend_t) +files_manage_etc_runtime_files(xend_t) +files_etc_filetrans_etc_runtime(xend_t, file) +files_read_usr_files(xend_t) +files_read_default_symlinks(xend_t) + +storage_raw_read_fixed_disk(xend_t) +storage_raw_write_fixed_disk(xend_t) +storage_raw_read_removable_device(xend_t) + +term_getattr_all_ptys(xend_t) +term_use_generic_ptys(xend_t) +term_use_ptmx(xend_t) +term_getattr_pty_fs(xend_t) + +init_stream_connect_script(xend_t) + +locallogin_dontaudit_use_fds(xend_t) + +logging_send_syslog_msg(xend_t) + +lvm_domtrans(xend_t) + +miscfiles_read_localization(xend_t) +miscfiles_read_hwdata(xend_t) + +mount_domtrans(xend_t) + +sysnet_domtrans_dhcpc(xend_t) +sysnet_signal_dhcpc(xend_t) +sysnet_domtrans_ifconfig(xend_t) +sysnet_dns_name_resolve(xend_t) +sysnet_delete_dhcpc_pid(xend_t) +sysnet_read_dhcpc_pid(xend_t) +sysnet_rw_dhcp_config(xend_t) + +userdom_dontaudit_search_user_home_dirs(xend_t) + +xen_stream_connect_xenstore(xend_t) + +netutils_domtrans(xend_t) + +virt_read_config(xend_t) + +optional_policy(` + brctl_domtrans(xend_t) +') + +optional_policy(` + consoletype_exec(xend_t) +') + +######################################## +# +# Xen console local policy +# + +allow xenconsoled_t self:capability { dac_override fsetid ipc_lock }; +allow xenconsoled_t self:process setrlimit; +allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; +allow xenconsoled_t self:fifo_file rw_fifo_file_perms; + +allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms; + +# pid file +manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) +manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) +files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file }) + +kernel_read_kernel_sysctls(xenconsoled_t) 
+kernel_write_xen_state(xenconsoled_t) +kernel_read_xen_state(xenconsoled_t) + +dev_manage_xen(xenconsoled_t) +dev_filetrans_xen(xenconsoled_t) +dev_rw_sysfs(xenconsoled_t) + +domain_dontaudit_ptrace_all_domains(xenconsoled_t) + +files_read_etc_files(xenconsoled_t) +files_read_usr_files(xenconsoled_t) + +fs_list_tmpfs(xenconsoled_t) +fs_manage_xenfs_dirs(xenconsoled_t) +fs_manage_xenfs_files(xenconsoled_t) + +term_create_pty(xenconsoled_t, xen_devpts_t) +term_use_generic_ptys(xenconsoled_t) +term_use_console(xenconsoled_t) + +init_use_fds(xenconsoled_t) +init_use_script_ptys(xenconsoled_t) + +miscfiles_read_localization(xenconsoled_t) + +xen_manage_log(xenconsoled_t) +xen_stream_connect_xenstore(xenconsoled_t) + +optional_policy(` + ptchown_domtrans(xenconsoled_t) +') + +######################################## +# +# Xen store local policy +# + +allow xenstored_t self:capability { dac_override mknod ipc_lock sys_resource }; +allow xenstored_t self:unix_stream_socket create_stream_socket_perms; +allow xenstored_t self:unix_dgram_socket create_socket_perms; + +manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) + +# pid file +manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) +manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) +manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) +files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir }) + +# log files +manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) +manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) +manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) +logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir }) + +# var/lib files for xenstored 
+manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) +manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) +manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) +files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t, { file dir sock_file }) + +stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t) + +kernel_write_xen_state(xenstored_t) +kernel_read_xen_state(xenstored_t) + +dev_create_generic_dirs(xenstored_t) +dev_manage_xen(xenstored_t) +dev_filetrans_xen(xenstored_t) +dev_rw_xen(xenstored_t) +dev_read_sysfs(xenstored_t) + +files_read_usr_files(xenstored_t) + +fs_search_xenfs(xenstored_t) +fs_manage_xenfs_files(xenstored_t) + +storage_raw_read_fixed_disk(xenstored_t) +storage_raw_write_fixed_disk(xenstored_t) +storage_raw_read_removable_device(xenstored_t) + +term_use_generic_ptys(xenstored_t) +term_use_console(xenconsoled_t) + +init_use_fds(xenstored_t) +init_use_script_ptys(xenstored_t) + +logging_send_syslog_msg(xenstored_t) + +miscfiles_read_localization(xenstored_t) + +xen_append_log(xenstored_t) + +######################################## +# +# SSH component local policy +# +optional_policy(` + #Should have a boolean wrapping these + fs_list_auto_mountpoints(xend_t) + files_search_mnt(xend_t) + fs_getattr_all_fs(xend_t) + fs_read_dos_files(xend_t) + fs_manage_xenfs_dirs(xend_t) + fs_manage_xenfs_files(xend_t) + + tunable_policy(`xen_use_nfs',` + fs_manage_nfs_files(xend_t) + fs_read_nfs_symlinks(xend_t) + ') +') diff --git a/policy/policy_capabilities b/policy/policy_capabilities new file mode 100644 index 0000000..db3cbca --- /dev/null +++ b/policy/policy_capabilities 
@@ -0,0 +1,33 @@ +# +# This file contains the policy capabilites +# that are enabled in this policy, not a +# declaration of DAC capabilites such as +# dac_override. +# +# The affected object classes and their +# permissions should also be listed in +# the comments for each capability. +# + +# Enable additional networking access control for +# labeled networking peers. +# +# Checks enabled: +# node: sendto recvfrom +# netif: ingress egress +# peer: recv +# +policycap network_peer_controls; + +# Enable additional access controls for opening +# a file (and similar objects). +# +# Checks enabled: +# dir: open +# file: open +# fifo_file: open +# sock_file: open +# chr_file: open +# blk_file: open +# +policycap open_perms; diff --git a/policy/rolemap b/policy/rolemap new file mode 100644 index 0000000..c1de37e --- /dev/null +++ b/policy/rolemap @@ -0,0 +1,13 @@ +# +# This file contains the mappings +# used for per-role template +# infrastructure. Each line describes +# the prefix and user domain type +# corresponding to each role. +# +# syntax: role prefix user_domain +# + +# This support has been deprecated and +# will be removed in the future. Note: No +# per-role templates exist in refpolicy. diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt new file mode 100644 index 0000000..bdd500c --- /dev/null +++ b/policy/support/file_patterns.spt 
@@ -0,0 +1,553 @@ +# +# Directory patterns (dir) +# +# Parameters: +# 1. domain type +# 2. container (directory) type +# 3. directory type +# +define(`getattr_dirs_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:dir getattr_dir_perms; +') + +define(`setattr_dirs_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:dir setattr_dir_perms; +') + +define(`search_dirs_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:dir search_dir_perms; +') + +define(`list_dirs_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:dir list_dir_perms; +') + +define(`add_entry_dirs_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:dir add_entry_dir_perms; +') + +define(`del_entry_dirs_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:dir del_entry_dir_perms; +') + +define(`rw_dirs_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:dir { add_entry_dir_perms del_entry_dir_perms }; +') + +define(`create_dirs_pattern',` + allow $1 $2:dir add_entry_dir_perms; + allow $1 $3:dir create_dir_perms; +') + +define(`delete_dirs_pattern',` + allow $1 $2:dir del_entry_dir_perms; + allow $1 $3:dir delete_dir_perms; +') + +define(`rename_dirs_pattern',` + allow $1 $2:dir rw_dir_perms; + allow $1 $3:dir rename_dir_perms; +') + +define(`manage_dirs_pattern',` + allow $1 $2:dir rw_dir_perms; + allow $1 $3:dir manage_dir_perms; +') + +define(`relabelfrom_dirs_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:dir relabelfrom_dir_perms; +') + +define(`relabelto_dirs_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:dir relabelto_dir_perms; +') + +define(`relabel_dirs_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:dir relabel_dir_perms; +') + +# +# Regular file patterns (file) +# +# Parameters: +# 1. domain type +# 2. container (directory) type +# 3. 
file type +# +define(`getattr_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:file getattr_file_perms; +') + +define(`setattr_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:file setattr_file_perms; +') + +define(`read_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:file read_file_perms; +') + +define(`mmap_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:file mmap_file_perms; +') + +define(`exec_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:file exec_file_perms; +') + +define(`append_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:file append_file_perms; +') + +define(`write_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:file write_file_perms; +') + +define(`rw_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:file rw_file_perms; +') + +define(`create_files_pattern',` + allow $1 $2:dir add_entry_dir_perms; + allow $1 $3:file create_file_perms; +') + +define(`delete_files_pattern',` + allow $1 $2:dir del_entry_dir_perms; + allow $1 $3:file delete_file_perms; +') + +define(`rename_files_pattern',` + allow $1 $2:dir rw_dir_perms; + allow $1 $3:file rename_file_perms; +') + +define(`manage_files_pattern',` + allow $1 $2:dir rw_dir_perms; + allow $1 $3:file manage_file_perms; +') + +define(`relabelfrom_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:file relabelfrom_file_perms; +') + +define(`relabelto_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:file relabelto_file_perms; +') + +define(`relabel_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:file relabel_file_perms; +') + +# +# Symbolic link patterns (lnk_file) +# +# Parameters: +# 1. domain type +# 2. container (directory) type +# 3. 
file type +# +define(`getattr_lnk_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:lnk_file getattr_lnk_file_perms; +') + +define(`setattr_lnk_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:lnk_file setattr_lnk_file_perms; +') + +define(`read_lnk_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:lnk_file read_lnk_file_perms; +') + +define(`append_lnk_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:lnk_file append_lnk_file_perms; +') + +define(`write_lnk_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:lnk_file write_lnk_file_perms; +') + +define(`rw_lnk_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:lnk_file rw_lnk_file_perms; +') + +define(`create_lnk_files_pattern',` + allow $1 $2:dir add_entry_dir_perms; + allow $1 $3:lnk_file create_lnk_file_perms; +') + +define(`delete_lnk_files_pattern',` + allow $1 $2:dir del_entry_dir_perms; + allow $1 $3:lnk_file delete_lnk_file_perms; +') + +define(`rename_lnk_files_pattern',` + allow $1 $2:dir rw_dir_perms; + allow $1 $3:lnk_file rename_lnk_file_perms; +') + +define(`manage_lnk_files_pattern',` + allow $1 $2:dir rw_dir_perms; + allow $1 $3:lnk_file manage_lnk_file_perms; +') + +define(`relabelfrom_lnk_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:lnk_file relabelfrom_lnk_file_perms; +') + +define(`relabelto_lnk_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:lnk_file relabelto_lnk_file_perms; +') + +define(`relabel_lnk_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:lnk_file relabel_lnk_file_perms; +') + +# +# (Un)named Pipes/FIFO patterns (fifo_file) +# +# Parameters: +# 1. domain type +# 2. container (directory) type +# 3. 
file type +# +define(`getattr_fifo_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:fifo_file getattr_fifo_file_perms; +') + +define(`setattr_fifo_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:fifo_file setattr_fifo_file_perms; +') + +define(`read_fifo_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:fifo_file read_fifo_file_perms; +') + +define(`append_fifo_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:fifo_file append_fifo_file_perms; +') + +define(`write_fifo_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:fifo_file write_fifo_file_perms; +') + +define(`rw_fifo_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:fifo_file rw_fifo_file_perms; +') + +define(`create_fifo_files_pattern',` + allow $1 $2:dir add_entry_dir_perms; + allow $1 $3:fifo_file create_fifo_file_perms; +') + +define(`delete_fifo_files_pattern',` + allow $1 $2:dir del_entry_dir_perms; + allow $1 $3:fifo_file delete_fifo_file_perms; +') + +define(`rename_fifo_files_pattern',` + allow $1 $2:dir rw_dir_perms; + allow $1 $3:fifo_file rename_fifo_file_perms; +') + +define(`manage_fifo_files_pattern',` + allow $1 $2:dir rw_dir_perms; + allow $1 $3:fifo_file manage_fifo_file_perms; +') + +define(`relabelfrom_fifo_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:fifo_file relabelfrom_fifo_file_perms; +') + +define(`relabelto_fifo_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:fifo_file relabelto_fifo_file_perms; +') + +define(`relabel_fifo_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:fifo_file relabel_fifo_file_perms; +') + +# +# (Un)named sockets patterns (sock_file) +# +# Parameters: +# 1. domain type +# 2. container (directory) type +# 3. 
file type +# +define(`getattr_sock_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:sock_file getattr_sock_file_perms; +') + +define(`setattr_sock_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:sock_file setattr_sock_file_perms; +') + +define(`read_sock_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:sock_file read_sock_file_perms; +') + +define(`write_sock_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:sock_file write_sock_file_perms; +') + +define(`rw_sock_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:sock_file rw_sock_file_perms; +') + +define(`create_sock_files_pattern',` + allow $1 $2:dir add_entry_dir_perms; + allow $1 $3:sock_file create_sock_file_perms; +') + +define(`delete_sock_files_pattern',` + allow $1 $2:dir del_entry_dir_perms; + allow $1 $3:sock_file delete_sock_file_perms; +') + +define(`rename_sock_files_pattern',` + allow $1 $2:dir rw_dir_perms; + allow $1 $3:sock_file rename_sock_file_perms; +') + +define(`manage_sock_files_pattern',` + allow $1 $2:dir rw_dir_perms; + allow $1 $3:sock_file manage_sock_file_perms; +') + +define(`relabelfrom_sock_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:sock_file relabelfrom_sock_file_perms; +') + +define(`relabelto_sock_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:sock_file relabelto_sock_file_perms; +') + +define(`relabel_sock_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:sock_file relabel_sock_file_perms; +') + +# +# Block device node patterns (blk_file) +# +# Parameters: +# 1. domain type +# 2. container (directory) type +# 3. 
file type +# +define(`getattr_blk_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:blk_file getattr_blk_file_perms; +') + +define(`setattr_blk_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:blk_file setattr_blk_file_perms; +') + +define(`read_blk_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:blk_file read_blk_file_perms; +') + +define(`append_blk_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:blk_file append_blk_file_perms; +') + +define(`write_blk_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:blk_file write_blk_file_perms; +') + +define(`rw_blk_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:blk_file rw_blk_file_perms; +') + +define(`create_blk_files_pattern',` + allow $1 self:capability mknod; + allow $1 $2:dir add_entry_dir_perms; + allow $1 $3:blk_file create_blk_file_perms; +') + +define(`delete_blk_files_pattern',` + allow $1 $2:dir del_entry_dir_perms; + allow $1 $3:blk_file delete_blk_file_perms; +') + +define(`rename_blk_files_pattern',` + allow $1 $2:dir rw_dir_perms; + allow $1 $3:blk_file rename_blk_file_perms; +') + +define(`manage_blk_files_pattern',` + allow $1 self:capability mknod; + allow $1 $2:dir rw_dir_perms; + allow $1 $3:blk_file manage_blk_file_perms; +') + +define(`relabelfrom_blk_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:blk_file relabelfrom_blk_file_perms; +') + +define(`relabelto_blk_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:blk_file relabelto_blk_file_perms; +') + +define(`relabel_blk_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:blk_file relabel_blk_file_perms; +') + +# +# Character device node patterns (chr_file) +# +# Parameters: +# 1. domain type +# 2. container (directory) type +# 3. 
file type +# +define(`getattr_chr_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:chr_file getattr_chr_file_perms; +') + +define(`setattr_chr_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:chr_file setattr_chr_file_perms; +') + +define(`read_chr_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:chr_file read_chr_file_perms; +') + +define(`append_chr_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:chr_file append_chr_file_perms; +') + +define(`write_chr_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:chr_file write_chr_file_perms; +') + +define(`rw_chr_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:chr_file rw_chr_file_perms; +') + +define(`create_chr_files_pattern',` + allow $1 self:capability mknod; + allow $1 $2:dir add_entry_dir_perms; + allow $1 $3:chr_file create_chr_file_perms; +') + +define(`delete_chr_files_pattern',` + allow $1 $2:dir del_entry_dir_perms; + allow $1 $3:chr_file delete_chr_file_perms; +') + +define(`rename_chr_files_pattern',` + allow $1 $2:dir rw_dir_perms; + allow $1 $3:chr_file rename_chr_file_perms; +') + +define(`manage_chr_files_pattern',` + allow $1 self:capability mknod; + allow $1 $2:dir rw_dir_perms; + allow $1 $3:chr_file manage_chr_file_perms; +') + +define(`relabelfrom_chr_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:chr_file relabelfrom_chr_file_perms; +') + +define(`relabelto_chr_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:chr_file relabelto_chr_file_perms; +') + +define(`relabel_chr_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:chr_file relabel_chr_file_perms; +') + +# +# File type_transition patterns +# +# pattern(domain,dirtype,newtype,class(es)) +# +define(`filetrans_add_pattern',` + allow $1 $2:dir { list_dir_perms add_entry_dir_perms }; + type_transition $1 $2:$4 $3; +') + +define(`filetrans_pattern',` + allow $1 $2:dir rw_dir_perms; + 
type_transition $1 $2:$4 $3; +') + +define(`admin_pattern',` + manage_dirs_pattern($1,$2,$2) + manage_files_pattern($1,$2,$2) + manage_lnk_files_pattern($1,$2,$2) + manage_fifo_files_pattern($1,$2,$2) + manage_sock_files_pattern($1,$2,$2) + + relabel_dirs_pattern($1,$2,$2) + relabel_files_pattern($1,$2,$2) + relabel_lnk_files_pattern($1,$2,$2) + relabel_fifo_files_pattern($1,$2,$2) + relabel_sock_files_pattern($1,$2,$2) +') diff --git a/policy/support/ipc_patterns.spt b/policy/support/ipc_patterns.spt new file mode 100644 index 0000000..310f9ef --- /dev/null +++ b/policy/support/ipc_patterns.spt @@ -0,0 +1,14 @@ +# +# unix domain socket patterns +# +define(`stream_connect_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:sock_file write_sock_file_perms; + allow $1 $4:unix_stream_socket connectto; +') + +define(`dgram_send_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:sock_file write_sock_file_perms; + allow $1 $4:unix_dgram_socket sendto; +') diff --git a/policy/support/loadable_module.spt b/policy/support/loadable_module.spt new file mode 100644 index 0000000..1fe3ab3 --- /dev/null +++ b/policy/support/loadable_module.spt 
@@ -0,0 +1,151 @@ +######################################## +# +# Macros for switching between source policy +# and loadable policy module support +# + +############################## +# +# For adding the module statement +# +define(`policy_module',` + ifndef(`self_contained_policy',` + module $1 $2; + + require { + role system_r; + all_kernel_class_perms + + ifdef(`enable_mcs',` + decl_sens(0,0) + decl_cats(0,decr(mcs_num_cats)) + ') + + ifdef(`enable_mls',` + decl_sens(0,decr(mls_num_sens)) + decl_cats(0,decr(mls_num_cats)) + ') + } + ') +') + +############################## +# +# For use in interfaces, to optionally insert a require block +# +define(`gen_require',` + ifdef(`self_contained_policy',` + ifdef(`__in_optional_policy',` + require { + $1 + } # end require + ') + ',` + require { + $1 + } # end require + ') +') + +# helper function, since m4 wont expand macros +# if a line is a comment (#): +define(`policy_m4_comment',` +##### $2 depth: $1 +')dnl + +############################## +# +# In the future interfaces should be in loadable modules +# +# template(name,rules) +# +define(`template',` dnl + ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__line__)') dnl + `define(`$1',` dnl + pushdef(`policy_call_depth',incr(policy_call_depth)) dnl + policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl + $2 dnl + popdef(`policy_call_depth') dnl + policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl + '') +') + +############################## +# +# In the future interfaces should be in loadable modules +# +# interface(name,rules) +# +define(`interface',` dnl + ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) 
define(`__if_error')',`define(`$1',__line__)') dnl + `define(`$1',` dnl + pushdef(`policy_call_depth',incr(policy_call_depth)) dnl + policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl + $2 + popdef(`policy_call_depth') dnl + policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl + '') +') + +define(`policy_call_depth',0) + +############################## +# +# Optional policy handling +# +define(`optional_policy',` + ifelse(regexp(`$1',`\W'),`-1',` + refpolicywarn(`deprecated use of module name ($1) as first parameter of optional_policy() block.') + optional_policy(shift($*)) + ',` + optional {`'pushdef(`__in_optional_policy') + $1 + ifelse(`$2',`',`',`} else { + $2 + ')}`'popdef(`__in_optional_policy')`'ifndef(`__in_optional_policy',` # end optional') + ') +') + +############################## +# +# Determine if we should use the default +# tunable value as specified by the policy +# or if the override value should be used +# +define(`dflt_or_overr',`ifdef(`$1',$1,$2)') + +############################## +# +# Extract booleans out of an expression. +# This needs to be reworked so expressions +# with parentheses can work. + +define(`declare_required_symbols',` +ifelse(regexp($1, `\w'), -1, `', `dnl +bool regexp($1, `\(\w+\)', `\1'); +declare_required_symbols(regexp($1, `\w+\(.*\)', `\1'))dnl +') dnl +') + +############################## +# +# Tunable declaration +# +define(`gen_tunable',` + bool $1 dflt_or_overr(`$1'_conf,$2); +') + +############################## +# +# Tunable policy handling +# +define(`tunable_policy',` + gen_require(` + declare_required_symbols(`$1') + ') + if (`$1') { + $2 + ifelse(`$3',`',`',`} else { + $3 + ')} +') diff --git a/policy/support/misc_macros.spt b/policy/support/misc_macros.spt new file mode 100644 index 0000000..4ca5688 --- /dev/null +++ b/policy/support/misc_macros.spt 
@@ -0,0 +1,78 @@ + +######################################## +# +# Helper macros +# + +# +# shiftn(num,list...) +# +# shift the list num times +# +define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')') + +# +# ifndef(expr,true_block,false_block) +# +# m4 does not have this. +# +define(`ifndef',`ifdef(`$1',`$3',`$2')') + +# +# __endline__ +# +# dummy macro to insert a newline. used for +# errprint, so the close parentheses can be +# indented correctly. +# +define(`__endline__',` +') + +######################################## +# +# refpolwarn(message) +# +# print a warning message +# +define(`refpolicywarn',`errprint(__file__:__line__: Warning: `$1'__endline__)') + +######################################## +# +# refpolerr(message) +# +# print an error message. does not +# make anything fail. +# +define(`refpolicyerr',`errprint(__file__:__line__: Error: `$1'__endline__)') + +######################################## +# +# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories]) +# +define(`gen_user',`dnl +ifdef(`users_extra',`dnl +ifelse(`$2',,,`user $1 prefix $2;') +',`dnl +user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')'); +')dnl +') + +######################################## +# +# gen_context(context,mls_sensitivity,[mcs_categories]) +# +define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')')dnl + +######################################## +# +# can_exec(domain,executable) +# +define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };') + +######################################## +# +# gen_bool(name,default_value) +# +define(`gen_bool',` + bool $1 dflt_or_overr(`$1'_conf,$2); +') diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt new file mode 100644 index 0000000..df6b5de --- /dev/null +++ b/policy/support/misc_patterns.spt 
@@ -0,0 +1,68 @@ +# +# Specified domain transition patterns +# +define(`domain_transition_pattern',` + allow $1 $2:file { getattr open read execute }; + allow $1 $3:process transition; + dontaudit $1 $3:process { noatsecure siginh rlimitinh }; +') + +# compatibility: +define(`domain_trans',`domain_transition_pattern($*)') + +define(`spec_domtrans_pattern',` + allow $1 self:process setexec; + domain_transition_pattern($1,$2,$3) + + allow $3 $1:fd use; + allow $3 $1:fifo_file rw_inherited_fifo_file_perms; + allow $3 $1:process sigchld; +') + +# +# Automatic domain transition patterns +# +define(`domain_auto_transition_pattern',` + domain_transition_pattern($1,$2,$3) + type_transition $1 $2:process $3; +') + +# compatibility: +define(`domain_auto_trans',`domain_auto_transition_pattern($*)') + +define(`domtrans_pattern',` + domain_auto_transition_pattern($1,$2,$3) + + allow $3 $1:fd use; + allow $3 $1:fifo_file rw_inherited_fifo_file_perms; + allow $3 $1:process sigchld; + + ifdef(`hide_broken_symptoms', ` + dontaudit $3 $1:socket_class_set { read write }; + ') +') + +# +# Dynamic transition pattern +# +define(`dyntrans_pattern',` + allow $1 self:process setcurrent; + allow $1 $2:process dyntransition; + allow $2 $1:process sigchld; +') + +# +# Other process permissions +# +define(`send_audit_msgs_pattern',` + refpolicywarn(`$0($*) has been deprecated, please use logging_send_audit_msgs($1) instead.') + allow $1 self:capability audit_write; + allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +') + +define(`ps_process_pattern',` + allow $1 $2:dir list_dir_perms; + allow $1 $2:file read_file_perms; + allow $1 $2:lnk_file read_lnk_file_perms; + allow $1 $2:process getattr; +') diff --git a/policy/support/mls_mcs_macros.spt b/policy/support/mls_mcs_macros.spt new file mode 100644 index 0000000..7593e20 --- /dev/null +++ b/policy/support/mls_mcs_macros.spt 
@@ -0,0 +1,57 @@ +######################################## +# +# gen_cats(N) +# +# declares categores c0 to c(N-1) +# +define(`decl_cats',`dnl +category c$1; +ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl +') + +define(`gen_cats',`decl_cats(0,decr($1))') + +######################################## +# +# gen_sens(N) +# +# declares sensitivites s0 to s(N-1) with dominance +# in increasing numeric order with s0 lowest, s(N-1) highest +# +define(`decl_sens',`dnl +sensitivity s$1; +ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl +') + +define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')') + +define(`gen_sens',` +# Each sensitivity has a name and zero or more aliases. +decl_sens(0,decr($1)) + +# Define the ordering of the sensitivity levels (least to greatest) +dominance { gen_dominance(0,decr($1)) } +') + +######################################## +# +# gen_levels(N,M) +# +# levels from s0 to (N-1) with categories c0 to (M-1) +# +define(`decl_levels',`dnl +level s$1:c0.c$3; +ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl +') + +define(`gen_levels',`decl_levels(0,decr($1),decr($2))') + +######################################## +# +# Basic level names for system low and high +# +define(`mls_systemlow',`s0') +define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)') +define(`mcs_systemlow',`s0') +define(`mcs_systemhigh',`s0:c0.c`'decr(mcs_num_cats)') +define(`mcs_allcats',`c0.c`'decr(mcs_num_cats)') diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt new file mode 100644 index 0000000..d9b0868 --- /dev/null +++ b/policy/support/obj_perm_sets.spt 
@@ -0,0 +1,337 @@ +######################################## +# +# Support macros for sets of object classes and permissions +# +# This file should only have object class and permission set macros - they +# can only reference object classes and/or permissions. + +# +# All directory and file classes +# +define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }') + +# +# All non-directory file classes. +# +define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }') + +# +# Non-device file classes. +# +define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }') + +# +# Device file classes. +# +define(`devfile_class_set', `{ chr_file blk_file }') + +# +# All socket classes. +# +define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') + + +# +# Datagram socket classes. +# +define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }') + +# +# Stream socket classes. +# +define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }') + +# +# Unprivileged socket classes (exclude rawip, netlink, packet). +# +define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }') + +######################################## +# +# Macros for sets of permissions +# + +# +# Permissions for getting file attributes. +# +define(`stat_file_perms', `{ getattr } refpolicywarn(`$0 is deprecated please use getattr_file_perms instead.')') + +# +# Permissions for executing files. 
+# +define(`x_file_perms', `{ getattr open execute } refpolicywarn(`$0 is deprecated please use { getattr execute } instead.')') + +# +# Permissions for reading files and their attributes. +# +define(`r_file_perms', `{ open read getattr lock ioctl } refpolicywarn(`$0 is deprecated please use read_file_perms instead.')') + +# +# Permissions for reading and executing files. +# +define(`rx_file_perms', `{ open read getattr lock execute ioctl } refpolicywarn(`$0 is deprecated please use { mmap_file_perms ioctl lock } instead.')') + +# +# Permissions for reading and appending to files. +# +define(`ra_file_perms', `{ open ioctl read getattr lock append } refpolicywarn(`$0 is deprecated please use { read_file_perms append_file_perms } instead.')') + +# +# Permissions for linking, unlinking and renaming files. +# +define(`link_file_perms', `{ getattr link unlink rename } refpolicywarn(`$0 is deprecated please use { getattr link unlink rename } instead.')') + +# +# Permissions for creating lnk_files. +# +define(`create_lnk_perms', `{ create read write getattr setattr link unlink rename } refpolicywarn(`$0 is deprecated please use manage_lnk_file_perms instead.')') + +# +# Permissions for reading directories and their attributes. +# +define(`r_dir_perms', `{ open read getattr lock search ioctl } refpolicywarn(`$0 is deprecated please use list_dir_perms instead.')') + +# +# Permissions for reading and adding names to directories. +# +define(`ra_dir_perms', `{ open read getattr lock search ioctl add_name write } refpolicywarn(`$0 is deprecated please use { list_dir_perms add_entry_dir_perms } instead.')') + + +# +# Permissions to mount and unmount file systems. +# +define(`mount_fs_perms', `{ mount remount unmount getattr }') + +# +# Permissions for using sockets. +# +define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }') + +# +# Permissions for creating and using sockets. 
+# +define(`create_socket_perms', `{ create rw_socket_perms }') + +# +# Permissions for using stream sockets. +# +define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }') + +# +# Permissions for creating and using stream sockets. +# +define(`create_stream_socket_perms', `{ create_socket_perms listen accept }') + +# +# Permissions for creating and using sockets. +# +define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') + +# +# Permissions for creating and using sockets. +# +define(`connected_stream_socket_perms', `{ connected_socket_perms listen accept }') + + +# +# Permissions for creating and using netlink sockets. +# +define(`create_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }') + +# +# Permissions for using netlink sockets for operations that modify state. +# +define(`rw_netlink_socket_perms', `{ create_socket_perms nlmsg_read nlmsg_write }') + +# +# Permissions for using netlink sockets for operations that observe state. +# +define(`r_netlink_socket_perms', `{ create_socket_perms nlmsg_read }') + +# +# Permissions for sending all signals. +# +define(`signal_perms', `{ sigchld sigkill sigstop signull signal }') + +# +# Permissions for sending and receiving network packets. 
+# +define(`packet_perms', `{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }') + +# +# Permissions for using System V IPC +# +define(`r_sem_perms', `{ associate getattr read unix_read }') +define(`rw_sem_perms', `{ associate getattr read write unix_read unix_write }') +define(`create_sem_perms', `{ associate getattr setattr create destroy read write unix_read unix_write }') +define(`r_msgq_perms', `{ associate getattr read unix_read }') +define(`rw_msgq_perms', `{ associate getattr read write enqueue unix_read unix_write }') +define(`create_msgq_perms', `{ associate getattr setattr create destroy read write enqueue unix_read unix_write }') +define(`r_shm_perms', `{ associate getattr read unix_read }') +define(`rw_shm_perms', `{ associate getattr read write lock unix_read unix_write }') +define(`create_shm_perms', `{ associate getattr setattr create destroy read write lock unix_read unix_write }') + +######################################## +# +# New permission sets +# + +# +# Directory (dir) +# +define(`getattr_dir_perms',`{ getattr }') +define(`setattr_dir_perms',`{ setattr }') +define(`search_dir_perms',`{ getattr search open }') +define(`list_dir_perms',`{ getattr search open read lock ioctl }') +define(`add_entry_dir_perms',`{ getattr search open lock ioctl write add_name }') +define(`del_entry_dir_perms',`{ getattr search open lock ioctl write remove_name }') +define(`rw_dir_perms', `{ open read getattr lock search ioctl add_name remove_name write }') +define(`create_dir_perms',`{ getattr create }') +define(`rename_dir_perms',`{ getattr rename }') +define(`delete_dir_perms',`{ getattr rmdir }') +define(`manage_dir_perms',`{ create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }') +define(`relabelfrom_dir_perms',`{ getattr relabelfrom }') +define(`relabelto_dir_perms',`{ getattr relabelto }') +define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }') + +# +# Regular file (file) +# 
+define(`getattr_file_perms',`{ getattr }') +define(`setattr_file_perms',`{ setattr }') +define(`read_inherited_file_perms',`{ getattr read ioctl lock }') +define(`read_file_perms',`{ open read_inherited_file_perms }') +define(`mmap_file_perms',`{ getattr open read execute ioctl }') +define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }') +define(`append_file_perms',`{ getattr open append lock ioctl }') +define(`write_file_perms',`{ getattr open write append lock ioctl }') +define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }') +define(`rw_file_perms',`{ open rw_inherited_file_perms }') +define(`create_file_perms',`{ getattr create open }') +define(`rename_file_perms',`{ getattr rename }') +define(`delete_file_perms',`{ getattr unlink }') +define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }') +define(`relabelfrom_file_perms',`{ getattr relabelfrom }') +define(`relabelto_file_perms',`{ getattr relabelto }') +define(`relabel_file_perms',`{ getattr relabelfrom relabelto }') + +# +# Symbolic link (lnk_file) +# +define(`getattr_lnk_file_perms',`{ getattr }') +define(`setattr_lnk_file_perms',`{ setattr }') +define(`read_lnk_file_perms',`{ getattr read }') +define(`append_lnk_file_perms',`{ getattr append lock ioctl }') +define(`write_lnk_file_perms',`{ getattr append write lock ioctl }') +define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }') +define(`create_lnk_file_perms',`{ create getattr }') +define(`rename_lnk_file_perms',`{ getattr rename }') +define(`delete_lnk_file_perms',`{ getattr unlink }') +define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }') +define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') +define(`relabelto_lnk_file_perms',`{ getattr relabelto }') +define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }') + +# +# (Un)named Pipes/FIFOs (fifo_file) +# 
+define(`getattr_fifo_file_perms',`{ getattr }') +define(`setattr_fifo_file_perms',`{ setattr }') +define(`read_fifo_file_perms',`{ getattr open read lock ioctl }') +define(`append_fifo_file_perms',`{ getattr open append lock ioctl }') +define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }') +define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }') +define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }') +define(`create_fifo_file_perms',`{ getattr create open }') +define(`rename_fifo_file_perms',`{ getattr rename }') +define(`delete_fifo_file_perms',`{ getattr unlink }') +define(`manage_fifo_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }') +define(`relabelfrom_fifo_file_perms',`{ getattr relabelfrom }') +define(`relabelto_fifo_file_perms',`{ getattr relabelto }') +define(`relabel_fifo_file_perms',`{ getattr relabelfrom relabelto }') + +# +# (Un)named Sockets (sock_file) +# +define(`getattr_sock_file_perms',`{ getattr }') +define(`setattr_sock_file_perms',`{ setattr }') +define(`read_sock_file_perms',`{ getattr open read }') +define(`write_sock_file_perms',`{ getattr write open append }') +define(`rw_inherited_sock_file_perms',`{ getattr read write append }') +define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }') +define(`create_sock_file_perms',`{ getattr create open }') +define(`rename_sock_file_perms',`{ getattr rename }') +define(`delete_sock_file_perms',`{ getattr unlink }') +define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }') +define(`relabelfrom_sock_file_perms',`{ getattr relabelfrom }') +define(`relabelto_sock_file_perms',`{ getattr relabelto }') +define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }') + +# +# Block device nodes (blk_file) +# +define(`getattr_blk_file_perms',`{ getattr }') +define(`setattr_blk_file_perms',`{ setattr }') 
+define(`read_blk_file_perms',`{ getattr open read lock ioctl }') +define(`append_blk_file_perms',`{ getattr open append lock ioctl }') +define(`write_blk_file_perms',`{ getattr open write append lock ioctl }') +define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }') +define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }') +define(`create_blk_file_perms',`{ getattr create }') +define(`rename_blk_file_perms',`{ getattr rename }') +define(`delete_blk_file_perms',`{ getattr unlink }') +define(`manage_blk_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }') +define(`relabelfrom_blk_file_perms',`{ getattr relabelfrom }') +define(`relabelto_blk_file_perms',`{ getattr relabelto }') +define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }') + +# +# Character device nodes (chr_file) +# +define(`getattr_chr_file_perms',`{ getattr }') +define(`setattr_chr_file_perms',`{ setattr }') +define(`read_chr_file_perms',`{ getattr open read lock ioctl }') +define(`append_chr_file_perms',`{ getattr open append lock ioctl }') +define(`write_chr_file_perms',`{ getattr open write append lock ioctl }') +define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }') +define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }') +define(`create_chr_file_perms',`{ getattr create }') +define(`rename_chr_file_perms',`{ getattr rename }') +define(`delete_chr_file_perms',`{ getattr unlink }') +define(`manage_chr_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }') +define(`relabelfrom_chr_file_perms',`{ getattr relabelfrom }') +define(`relabelto_chr_file_perms',`{ getattr relabelto }') +define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }') + +######################################## +# +# Special permission sets +# + +# +# Use (read and write) terminals +# +define(`rw_inherited_term_perms', `{ getattr open read write ioctl append 
}') +define(`rw_term_perms', `{ open rw_inherited_term_perms }') + +# +# Sockets +# +define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') +define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }') + +# +# Keys +# +define(`manage_key_perms', `{ create link read search setattr view write } ') + +# +# All +# +define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap } +') + +define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ') +define(`all_dbus_perms', `{ acquire_svc send_msg } ') +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ') +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') diff --git a/policy/users b/policy/users new file mode 100644 index 0000000..be2a04c --- /dev/null +++ b/policy/users 
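Review bot: the netlink permission sets in this hunk do not match their comments. `rw_netlink_socket_perms` and `r_netlink_socket_perms` are documented as permissions for "using" netlink sockets, yet both are built from `create_socket_perms`, so a domain granted only the observe-state set can also create netlink sockets, and `rw_netlink_socket_perms` expands to exactly the same set as `create_netlink_socket_perms`. Build the two "using" sets from `rw_socket_perms`, as `rw_stream_socket_perms` already does, or rename them. The two `connected_*` definitions both carry the comment "Permissions for creating and using sockets"; the second should say stream sockets. Also `manage_key_perms`, `all_nscd_perms`, `all_dbus_perms`, `all_passwd_perms` and `all_association_perms` have a stray space before the closing quote (`} '`), which leaks into every expansion; harmless, but inconsistent with the other definitions.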
@@ -0,0 +1,38 @@ +################################## +# +# Core User configuration. +# + +# +# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories]) +# +# Note: Identities without a prefix will not be listed +# in the users_extra file used by genhomedircon. + +# +# system_u is the user identity for system processes and objects. +# There should be no corresponding Unix user identity for system, +# and a user process should never be assigned the system user +# identity. +# +gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) + +# +# user_u is a generic user identity for Linux users who have no +# SELinux user identity defined. The modified daemons will use +# this user identity in the security context if there is no matching +# SELinux user identity for a Linux user. If you do not want to +# permit any access to such users, then remove this entry. +# +gen_user(user_u, user, user_r, s0, s0) +gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) + +# +# The following users correspond to Unix identities. +# These identities are typically assigned as the user attribute +# when login starts the user shell. Users with access to the sysadm_r +# role should use the staff_r role instead of the user_r role when +# not in the sysadm_r. +# +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --git a/support/Makefile.devel b/support/Makefile.devel new file mode 100644 index 0000000..c5e3ef3 --- /dev/null +++ b/support/Makefile.devel 
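Review bot: the comment above `system_u` says a user process should never be assigned that identity, but the declaration `gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)` puts `unconfined_r` in its role set; if that is intentional for unconfined system daemons, say so in the comment, since a reader of the comment alone would expect `system_r` only. The signature comment also has a typo: `[mcs_catetories]` should read `[mcs_categories]`.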
@@ -0,0 +1,255 @@ + +# helper tools +AWK ?= gawk +INSTALL ?= install +M4 ?= m4 +SED ?= sed +EINFO ?= echo +PYTHON ?= python +CUT ?= cut + +NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config) +SHAREDIR ?= /usr/share/selinux +HEADERDIR ?= $(SHAREDIR)/$(NAME)/include + +include $(HEADERDIR)/build.conf + +# executables +PREFIX := /usr +BINDIR := $(PREFIX)/bin +SBINDIR := $(PREFIX)/sbin +CHECKMODULE := $(BINDIR)/checkmodule +SEMODULE := $(SBINDIR)/semodule +SEMOD_PKG := $(BINDIR)/semodule_package +XMLLINT := $(BINDIR)/xmllint + +# set default build options if missing +TYPE ?= standard +DIRECT_INITRC ?= n +POLY ?= n +QUIET ?= y + +genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py + +docs := doc +polxml := $(docs)/policy.xml +xmldtd := $(HEADERDIR)/support/policy.dtd +metaxml := metadata.xml + +globaltun = $(HEADERDIR)/global_tunables.xml +globalbool = $(HEADERDIR)/global_booleans.xml + +# enable MLS if requested. +ifeq "$(TYPE)" "mls" + M4PARAM += -D enable_mls + CHECKPOLICY += -M + CHECKMODULE += -M +endif + +# enable MLS if MCS requested. +ifeq "$(TYPE)" "mcs" + M4PARAM += -D enable_mcs + CHECKPOLICY += -M + CHECKMODULE += -M +endif + +# enable distribution-specific policy +ifneq ($(DISTRO),) + M4PARAM += -D distro_$(DISTRO) +endif + +ifeq ($(DIRECT_INITRC),y) + M4PARAM += -D direct_sysadm_daemon +endif + +ifeq "$(UBAC)" "y" + M4PARAM += -D enable_ubac +endif + +# default MLS/MCS sensitivity and category settings. 
+MLS_SENS ?= 16 +MLS_CATS ?= 1024 +MCS_CATS ?= 1024 + +ifeq ($(QUIET),y) + verbose := @ +endif + +M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D mcs_num_cats=$(MCS_CATS) + +# policy headers +m4support = $(wildcard $(HEADERDIR)/support/*.spt) + +header_layers := $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d)) +header_xml := $(addsuffix .xml,$(header_layers)) +header_interfaces := $(foreach layer,$(header_layers),$(wildcard $(layer)/*.if)) + +rolemap := $(HEADERDIR)/rolemap + +local_layers := $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d)) +local_xml := $(addprefix tmp/, $(addsuffix .xml,$(local_layers))) + +all_layer_names := $(sort $(notdir $(header_layers) $(local_layers))) + +3rd_party_mods := $(wildcard *.te) +detected_mods := $(3rd_party_mods) $(foreach layer,$(local_layers),$(wildcard $(layer)/*.te)) + +detected_ifs := $(detected_mods:.te=.if) +detected_fcs := $(detected_mods:.te=.fc) +all_packages := $(notdir $(detected_mods:.te=.pp)) + +# figure out what modules we may want to reload +loaded_mods = $(addsuffix .pp,$(shell $(SEMODULE) -l | $(CUT) -f1)) +sys_mods = $(wildcard $(SHAREDIR)/$(NAME)/*.pp) +match_sys = $(filter $(addprefix $(SHAREDIR)/$(NAME)/,$(loaded_mods)),$(sys_mods)) +match_loc = $(filter $(all_packages),$(loaded_mods)) + +vpath %.te $(local_layers) +vpath %.if $(local_layers) +vpath %.fc $(local_layers) + +######################################## +# +# Functions +# + +# parse-rolemap-compat modulename,outputfile +define parse-rolemap-compat + $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ + $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 +endef + +# parse-rolemap modulename,outputfile +define parse-rolemap + $(verbose) $(M4) $(M4PARAM) $(rolemap) | \ + $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 
";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2 +endef + +# peruser-expansion modulename,outputfile +define peruser-expansion + $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2 + $(call parse-rolemap,$1,$2) + $(verbose) echo "')" >> $2 + + $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2 + $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2 + $(call parse-rolemap-compat,$1,$2) + $(verbose) echo "')" >> $2 +endef + +.PHONY: clean all xml load reload +.SUFFIXES: +.SUFFIXES: .pp +# broken in make 3.81: +#.SECONDARY: + +######################################## +# +# Main targets +# + +all: $(all_packages) + +xml: $(polxml) + +######################################## +# +# Attempt to reinstall all installed packages +# +refresh: + @$(EINFO) "Refreshing $(NAME) modules" + $(verbose) $(SEMODULE) -b $(SHAREDIR)/$(NAME)/base.pp $(foreach mod,$(match_sys) $(match_loc),-i $(mod)) + +######################################## +# +# Load module packages +# + +load: tmp/loaded +tmp/loaded: $(all_packages) + @$(EINFO) "Loading $(NAME) modules: $(basename $(notdir $?))" + $(verbose) $(SEMODULE) $(foreach mod,$?,-i $(mod)) + @mkdir -p tmp + @touch tmp/loaded + +reload: $(all_packages) + @$(EINFO) "Loading $(NAME) modules: $(basename $(notdir $^))" + $(verbose) $(SEMODULE) $(foreach mod,$^,-i $(mod)) + @mkdir -p tmp + @touch tmp/loaded + +######################################## +# +# Build module packages +# +tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te + @$(EINFO) "Compiling $(NAME) $(basename $(@F)) module" + @test -d $(@D) || mkdir -p $(@D) + $(call peruser-expansion,$(basename $(@F)),$@.role) + $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) + $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ + +tmp/%.mod.fc: $(m4support) %.fc + $(verbose) $(M4) $(M4PARAM) $^ > $@ + +%.pp: tmp/%.mod tmp/%.mod.fc + @echo "Creating 
$(NAME) $(@F) policy package" + $(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc + +tmp/all_interfaces.conf: $(m4support) $(header_interfaces) $(detected_ifs) + @test -d $(@D) || mkdir -p $(@D) + @echo "ifdef(\`__if_error',\`m4exit(1)')" > tmp/iferror.m4 + @echo "divert(-1)" > $@ + $(verbose) $(M4) $^ tmp/iferror.m4 | sed -e s/dollarsstar/\$$\*/g >> $@ + @echo "divert" >> $@ + +# so users dont have to make empty .fc and .if files +$(detected_fcs): + @touch $@ + +$(detected_ifs): + @echo "## <summary>$(basename $(@D))</summary>" > $@ + +######################################## +# +# Documentation generation +# +tmp/%.xml: %/*.te %/*.if + @test -d $(@D) || mkdir -p $(@D) + $(verbose) test -f $(HEADERDIR)/$*.xml || cat $*/$(metaxml) > $@ + $(verbose) $(genxml) -w -m $(sort $(basename $^)) >> $@ + +vars: $(local_xml) + +$(polxml): $(header_xml) $(local_xml) $(globaltun) $(globalbool) $(detected_mods) $(detected_ifs) + @echo "Creating $(@F)" + @test -d $(@D) || mkdir -p $(@D) + $(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@ + $(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@ + $(verbose) echo '<policy>' >> $@ + $(verbose) for i in $(all_layer_names); do \ + echo "<layer name=\"$$i\">" >> $@ ;\ + test -f $(HEADERDIR)/$$i.xml && cat $(HEADERDIR)/$$i.xml >> $@ ;\ + test -f tmp/$$i.xml && cat tmp/$$i.xml >> $@ ;\ + echo "</layer>" >> $@ ;\ + done +ifneq "$(strip $(3rd_party_mods))" "" + $(verbose) echo "<layer name=\"third_party\">" >> $@ + $(verbose) echo "<summary>These are all third-party modules.</summary>" >> $@ + $(verbose) $(genxml) -w -m $(addprefix ./,$(basename $(3rd_party_mods))) >> $@ + $(verbose) echo "</layer>" >> $@ +endif + $(verbose) cat $(globaltun) $(globalbool) >> $@ + $(verbose) echo '</policy>' >> $@ + $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \ + $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\ + fi + +######################################## +# +# Clean the 
environment +# + +clean: + rm -fR tmp + rm -f *.pp diff --git a/support/comment_move_decl.sed b/support/comment_move_decl.sed new file mode 100644 index 0000000..20ffa6c --- /dev/null +++ b/support/comment_move_decl.sed @@ -0,0 +1,14 @@ +# comment out lines that are moved by the build +# process, so line numbers provided by m4 are preserved. + +# lines in require and optional blocks are not moved +/require \{/,/} # end require/b nextline +/optional \{/,/} # end optional/b nextline + +/^[[:blank:]]*(attribute|type(alias)?) /s/^/# this line was moved by the build process: &/ +/^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/ +/^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/ +/^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/ +/^[[:blank:]]*bool /s/^/# this line was moved by the build process: &/ + +:nextline diff --git a/support/divert.m4 b/support/divert.m4 new file mode 100644 index 0000000..7ce2db3 --- /dev/null +++ b/support/divert.m4 @@ -0,0 +1 @@ +divert(`-1') \ No newline at end of file diff --git a/support/fc_sort.c b/support/fc_sort.c new file mode 100644 index 0000000..6c43035 --- /dev/null +++ b/support/fc_sort.c 
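Review bot: `refresh` and `vars` are targets that produce no file, but they are missing from `.PHONY: clean all xml load reload`, so a file named `refresh` or `vars` in the working directory silently disables them; add both. In the `tmp/all_interfaces.conf` recipe the pipeline calls bare `sed` (`| sed -e s/dollarsstar/\$$\*/g`) instead of the `$(SED)` helper defined at the top of the file, defeating the override. `CHECKPOLICY += -M` in the mls and mcs blocks appends to a variable this Makefile never defines or uses; either drop those lines or define `CHECKPOLICY` next to `CHECKMODULE`.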
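Review bot: the addresses `(attribute|type(alias)?)`, `(port|node|netif|genfs)con` and `fs_use_(xattr|task|trans)` rely on extended-regex grouping and alternation, which plain `sed` treats as literal characters, so none of these declarations would be commented out unless the caller invokes `sed -r` (or `-E`); add a header comment stating the required invocation, or rewrite the addresses in basic regex syntax with `\(...\|...\)` so the script works under either mode.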
@@ -0,0 +1,558 @@ +/* Copyright 2005, Tresys Technology + * + * Some parts of this came from matchpathcon.c in libselinux + */ + +/* PURPOSE OF THIS PROGRAM + * The original setfiles sorting algorithm did not take into + * account regular expression specificity. With the current + * strict and targeted policies this is not an issue because + * the file contexts are partially hand sorted and concatenated + * in the right order so that the matches are generally correct. + * The way reference policy and loadable policy modules handle + * file contexts makes them come out in an unpredictable order + * and therefore setfiles (or this standalone tool) need to sort + * the regular expressions in a deterministic and stable way. + */ + +#define BUF_SIZE 4096; +#define _GNU_SOURCE + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <ctype.h> + +typedef unsigned char bool_t; + +/* file_context_node + * A node used in a linked list of file contexts.c + * Each node contains the regular expression, the type and + * the context, as well as information about the regular + * expression. The regular expression data (meta, stem_len + * and str_len) can be filled in by using the fc_fill_data + * function after the regular expression has been loaded. + * next points to the next node in the linked list. + */ +typedef struct file_context_node { + char *path; + char *file_type; + char *context; + bool_t meta; + int stem_len; + int str_len; + struct file_context_node *next; +} file_context_node_t; + +void file_context_node_destroy(file_context_node_t *x) +{ + free(x->path); + free(x->file_type); + free(x->context); +} + + + +/* file_context_bucket + * A node used in a linked list of buckets that contain + * file_context_node's. + * Each node contains a pointer to a file_context_node which + * is the header of its linked list. This linked list is the + * content of this bucket. + * next points to the next bucket in the linked list. 
+ */ +typedef struct file_context_bucket { + file_context_node_t *data; + struct file_context_bucket *next; +} file_context_bucket_t; + + + +/* fc_compare + * Compares two file contexts' regular expressions and returns: + * -1 if a is less specific than b + * 0 if a and be are equally specific + * 1 if a is more specific than b + * The comparison is based on the following statements, + * in order from most important to least important, given a and b: + * If a is a regular expression and b is not, + * -> a is less specific than b. + * If a's stem length is shorter than b's stem length, + * -> a is less specific than b. + * If a's string length is shorter than b's string length, + * -> a is less specific than b. + * If a does not have a specified type and b does not, + * -> a is less specific than b. + */ +int fc_compare(file_context_node_t *a, file_context_node_t *b) +{ + /* Check to see if either a or b have meta characters + * and the other doesn't. */ + if (a->meta && !b->meta) + return -1; + if (b->meta && !a->meta) + return 1; + + /* Check to see if either a or b have a shorter stem + * length than the other. */ + if (a->stem_len < b->stem_len) + return -1; + if (b->stem_len < a->stem_len) + return 1; + + /* Check to see if either a or b have a shorter string + * length than the other. */ + if (a->str_len < b->str_len) + return -1; + if (b->str_len < a->str_len) + return 1; + + /* Check to see if either a or b has a specified type + * and the other doesn't. */ + if (!a->file_type && b->file_type) + return -1; + if (!b->file_type && a->file_type) + return 1; + + /* If none of the above conditions were satisfied, + * then a and b are equally specific. */ + return 0; +} + + + +/* fc_merge + * Merges two sorted file context linked lists into one + * sorted one. + * Pass two lists a and b, and after the completion of fc_merge, + * the final list is contained in a, and b is empty. 
+ */ +file_context_node_t *fc_merge(file_context_node_t *a, + file_context_node_t *b) +{ + file_context_node_t *a_current; + file_context_node_t *b_current; + file_context_node_t *temp; + file_context_node_t *jumpto; + + + + /* If a is a empty list, and b is not, + * set a as b and proceed to the end. */ + if (!a && b) + a = b; + /* If b is an empty list, leave a as it is. */ + else if (!b) { + } else { + /* Make it so the list a has the lesser + * first element always. */ + if (fc_compare(a, b) == 1) { + temp = a; + a = b; + b = temp; + } + a_current = a; + b_current = b; + + /* Merge by inserting b's nodes in between a's nodes. */ + while (a_current->next && b_current) { + jumpto = a_current->next; + + /* Insert b's nodes in between the current a node + * and the next a node.*/ + while (b_current && a_current->next && + fc_compare(a_current->next, + b_current) != -1) { + + + temp = a_current->next; + a_current->next = b_current; + b_current = b_current->next; + a_current->next->next = temp; + a_current = a_current->next; + } + + /* Skip all the inserted node from b to the + * next node in the original a. */ + a_current = jumpto; + } + + + /* if there is anything left in b to be inserted, + put it on the end */ + if (b_current) { + a_current->next = b_current; + } + } + + return a; +} + + + +/* fc_merge_sort + * Sorts file contexts from least specific to more specific. + * The bucket linked list is passed and after the completion + * of the fc_merge_sort function, there is only one bucket + * (pointed to by master) that contains a linked list + * of all the file contexts, in sorted order. + * Explanation of the algorithm: + * The algorithm implemented in fc_merge_sort is an iterative + * implementation of merge sort. + * At first, each bucket has a linked list of file contexts + * that are 1 element each. + * Each pass, each odd numbered bucket is merged into the bucket + * before it. This halves the number of buckets each pass. 
+ * It will continue passing over the buckets (as described above) + * until there is only one bucket left, containing the list of + * file contexts, sorted. + */ +void fc_merge_sort(file_context_bucket_t *master) +{ + + + file_context_bucket_t *current; + file_context_bucket_t *temp; + + /* Loop until master is the only bucket left + * so that this will stop when master contains + * the sorted list. */ + while (master->next) { + current = master; + + /* This loop merges buckets two-by-two. */ + while (current) { + + if (current->next) { + + current->data = + fc_merge(current->data, + current->next->data); + + + + temp = current->next; + current->next = current->next->next; + + free(temp); + + } + + + current = current->next; + } + } + + +} + + + +/* fc_fill_data + * This processes a regular expression in a file context + * and sets the data held in file_context_node, namely + * meta, str_len and stem_len. + * The following changes are made to fc_node after the + * the completion of the function: + * fc_node->meta = 1 if path has a meta character, 0 if not. + * fc_node->str_len = The string length of the entire path + * fc_node->stem_len = The number of characters up until + * the first meta character. + */ +void fc_fill_data(file_context_node_t *fc_node) +{ + int c = 0; + + fc_node->meta = 0; + fc_node->stem_len = 0; + fc_node->str_len = 0; + + /* Process until the string termination character + * has been reached. + * Note: this while loop has been adapted from + * spec_hasMetaChars in matchpathcon.c from + * libselinux-1.22. */ + while (fc_node->path[c] != '\0') { + switch (fc_node->path[c]) { + case '.': + case '^': + case '$': + case '?': + case '*': + case '+': + case '|': + case '[': + case '(': + case '{': + /* If a meta character is found, + * set meta to one */ + fc_node->meta = 1; + break; + case '\\': + /* If a escape character is found, + * skip the next character. 
*/ + c++; + default: + /* If no meta character has been found yet, + * add one to the stem length. */ + if (!fc_node->meta) + fc_node->stem_len++; + break; + } + + fc_node->str_len++; + c++; + } +} + +/* main + * This program takes in two arguments, the input filename and the + * output filename. The input file should be syntactically correct. + * Overall what is done in the main is read in the file and store each + * line of code, sort it, then output it to the output file. + */ +int main(int argc, char *argv[]) +{ + int lines; + size_t start, finish, regex_len, context_len; + size_t line_len, buf_len, i, j; + char *input_name, *output_name, *line_buf; + + file_context_node_t *temp; + file_context_node_t *head; + file_context_node_t *current; + file_context_bucket_t *master; + file_context_bucket_t *bcurrent; + + FILE *in_file, *out_file; + + + /* Check for the correct number of command line arguments. */ + if (argc != 3) { + fprintf(stderr, "Usage: %s <infile> <outfile>\n",argv[0]); + return 1; + } + + input_name = argv[1]; + output_name = argv[2]; + + i = j = lines = 0; + + /* Open the input file. */ + if (!(in_file = fopen(input_name, "r"))) { + fprintf(stderr, "Error: failure opening input file for read.\n"); + return 1; + } + + /* Initialize the head of the linked list. */ + head = current = (file_context_node_t*)malloc(sizeof(file_context_node_t)); + + /* Parse the file into a file_context linked list. */ + line_buf = NULL; + + while ( getline(&line_buf, &buf_len, in_file) != -1 ){ + line_len = strlen(line_buf); + if( line_len == 0 || line_len == 1) + continue; + /* Get rid of whitespace from the front of the line. */ + for (i = 0; i < line_len; i++) { + if (!isspace(line_buf[i])) + break; + } + + + if (i >= line_len) + continue; + /* Check if the line isn't empty and isn't a comment */ + if (line_buf[i] == '#') + continue; + + /* We have a valid line - allocate a new node. 
*/ + temp = (file_context_node_t *)malloc(sizeof(file_context_node_t)); + if (!temp) { + fprintf(stderr, "Error: failure allocating memory.\n"); + return 1; + } + temp->next = NULL; + memset(temp, 0, sizeof(file_context_node_t)); + + /* Parse out the regular expression from the line. */ + start = i; + + + while (i < line_len && (!isspace(line_buf[i]))) + i++; + finish = i; + + + regex_len = finish - start; + + if (regex_len == 0) { + file_context_node_destroy(temp); + free(temp); + + + continue; + } + + temp->path = (char*)strndup(&line_buf[start], regex_len); + if (!temp->path) { + file_context_node_destroy(temp); + free(temp); + fprintf(stderr, "Error: failure allocating memory.\n"); + return 1; + } + + /* Get rid of whitespace after the regular expression. */ + for (; i < line_len; i++) { + + if (!isspace(line_buf[i])) + break; + } + + if (i == line_len) { + file_context_node_destroy(temp); + free(temp); + continue; + } + + /* Parse out the type from the line (if it + * is there). */ + if (line_buf[i] == '-') { + temp->file_type = (char *)malloc(sizeof(char) * 3); + if (!(temp->file_type)) { + fprintf(stderr, "Error: failure allocating memory.\n"); + return 1; + } + + if( i + 2 >= line_len ) { + file_context_node_destroy(temp); + free(temp); + + continue; + } + + /* Fill the type into the array. */ + temp->file_type[0] = line_buf[i]; + temp->file_type[1] = line_buf[i + 1]; + i += 2; + temp->file_type[2] = 0; + + /* Get rid of whitespace after the type. */ + for (; i < line_len; i++) { + if (!isspace(line_buf[i])) + break; + } + + if (i == line_len) { + + file_context_node_destroy(temp); + free(temp); + continue; + } + } + + /* Parse out the context from the line. 
*/ + start = i; + while (i < line_len && (!isspace(line_buf[i]))) + i++; + finish = i; + + context_len = finish - start; + + temp->context = (char*)strndup(&line_buf[start], context_len); + if (!temp->context) { + file_context_node_destroy(temp); + free(temp); + fprintf(stderr, "Error: failure allocating memory.\n"); + return 1; + } + + /* Set all the data about the regular + * expression. */ + fc_fill_data(temp); + + /* Link this line of code at the end of + * the linked list. */ + current->next = temp; + current = current->next; + lines++; + + + free(line_buf); + line_buf = NULL; + } + fclose(in_file); + + /* Create the bucket linked list from the earlier linked list. */ + current = head->next; + bcurrent = master = + (file_context_bucket_t *) + malloc(sizeof(file_context_bucket_t)); + + /* Go until all the nodes have been put in individual buckets. */ + while (current) { + /* Copy over the file context line into the bucket. */ + bcurrent->data = current; + current = current->next; + + /* Detatch the node in the bucket from the old list. */ + bcurrent->data->next = NULL; + + /* If there should be another bucket, put one at the end. */ + if (current) { + bcurrent->next = + (file_context_bucket_t *) + malloc(sizeof(file_context_bucket_t)); + if (!(bcurrent->next)) { + printf + ("Error: failure allocating memory.\n"); + return -1; + } + + /* Make sure the new bucket thinks it's the end of the + * list. */ + bcurrent->next->next = NULL; + + bcurrent = bcurrent->next; + } + + } + + /* Sort the bucket list. */ + fc_merge_sort(master); + + /* Open the output file. */ + if (!(out_file = fopen(argv[2], "w"))) { + printf("Error: failure opening output file for write.\n"); + return -1; + } + + /* Output the sorted file_context linked list to the output file. */ + current = master->data; + while (current) { + /* Output the path. */ + fprintf(out_file, "%s\t\t", current->path); + + /* Output the type, if there is one. 
*/ + if (current->file_type) { + fprintf(out_file, "%s\t", current->file_type); + } + + /* Output the context. */ + fprintf(out_file, "%s\n", current->context); + + /* Remove the node. */ + temp = current; + current = current->next; + + file_context_node_destroy(temp); + free(temp); + + } + free(master); + + fclose(out_file); + + return 0; +} diff --git a/support/genclassperms.py b/support/genclassperms.py new file mode 100644 index 0000000..732d645 --- /dev/null +++ b/support/genclassperms.py 
@@ -0,0 +1,308 @@ +#!/usr/bin/python + +# Author: Donald Miner <dminer@tresys.com> +# +# Copyright (C) 2005 Tresys Technology, LLC +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, version 2. + + +""" + This script generates an object class perm definition file. +""" + +import sys + +USERSPACE_CLASS = "userspace" + +class Class: + """ + This object stores an access vector class. + """ + + def __init__(self, name, perms, common): + # The name of the class. + self.name = name + + # A list of permissions the class contains. + self.perms = perms + + # True if the class is declared as common, False if not. + self.common = common + +def get_perms(name, av_db, common): + """ + Returns the list of permissions contained within an access vector + class that is stored in the access vector database av_db. + Returns an empty list if the object name is not found. + Specifiy whether get_perms is to return the class or the + common set of permissions with the boolean value 'common', + which is important in the case of having duplicate names (such as + class file and common file). + """ + + # Traverse through the access vector database and try to find the + # object with the name passed. + for obj in av_db: + if obj.name == name and obj.common == common: + return obj.perms + + return [] + +def get_av_db(file_name): + """ + Returns an access vector database generated from the file file_name. + """ + # This function takes a file, reads the data, parses it and returns + # a list of access vector classes. + # Reading into av_data: + # The file specified will be read line by line. Each line will have + # its comments removed. Once comments are removed, each 'word' (text + # seperated by whitespace) and braces will be split up into seperate + # strings and appended to the av_data list, in the order they were + # read. 
+ # Parsing av_data: + # Parsing is done using a queue implementation of the av_data list. + # Each time a word is used, it is dequeued afterwards. Each loop in + # the while loop below will read in key words and dequeue expected + # words and values. At the end of each loop, a Class containing the + # name, permissions and whether it is a common or not will be appended + # to the database. Lots of errors are caught here, almost all checking + # if a token is expected but EOF is reached. + # Now the list of Class objects is returned. + + av_file = open(file_name, "r") + av_data = [] + # Read the file and strip out comments on the way. + # At the end of the loop, av_data will contain a list of individual + # words. i.e. ['common', 'file', '{', ...]. All comments and whitespace + # will be gone. + while True: + av_line = av_file.readline() + + # If EOF has been reached: + if not av_line: + break + + # Check if there is a comment, and if there is, remove it. + comment_index = av_line.find("#") + if comment_index != -1: + av_line = av_line[:comment_index] + + # Pad the braces with whitespace so that they are split into + # their own word. It doesn't matter if there will be extra + # white space, it'll get thrown away when the string is split. + av_line.replace("{"," { ") + av_line.replace("}"," } ") + + # Split up the words on the line and add it to av_data. + av_data += av_line.split() + + av_file.close() + + # Parsing the file: + # The implementation of this parse is a queue. We use the list of words + # from av_data and use the front element, then dequeue it. Each + # loop of this while is a common or class declaration. Several + # expected tokens are parsed and dequeued out of av_data for each loop. + # At the end of the loop, database will contain a list of Class objects. + # i.e. [Class('name',['perm1','perm2',...],'True'), ...] 
+ # Dequeue from the beginning of the list until av_data is empty: + database = [] + while len(av_data) != 0: + # At the beginning of every loop, the next word should be + # "common" or "class", meaning that each loop is a common + # or class declaration. + # av_data = av_data[1:] removes the first element in the + # list, this is what is dequeueing data. + + # Figure out whether the next class will be a common or a class. + if av_data[0] == "class": + common = False + elif av_data[0] == "common": + common = True + else: + error("Unexpected token in file " + file_name + ": "\ + + av_data[0] + ".") + + # Dequeue the "class" or "common" key word. + av_data = av_data[1:] + + if len(av_data) == 0: + error("Missing token in file " + file_name + ".") + + # Get and dequeue the name of the class or common. + name = av_data[0] + av_data = av_data[1:] + + # Retrieve the permissions inherited from a common set: + perms = [] + # If the object we are working with is a class, since only + # classes inherit: + if common == False: + if len(av_data) == 0: + error("Missing token in file " + file_name + ".") + + # If the class inherits from something else: + if av_data[0] == "inherits": + # Dequeue the "inherits" key word. + av_data = av_data[1:] + + if len(av_data) == 0: + error("Missing token in file "\ + + file_name + " for " +\ + keyword + " " + name + ".") + + # av_data[0] is the name of the parent. + # Append the permissions of the parent to + # the current class' permissions. + perms += get_perms(av_data[0], database, True) + + # Dequeue the name of the parent. + av_data = av_data[1:] + + # Retrieve the permissions defined with this set. + if len(av_data) > 0 and av_data[0] == "{": + # Dequeue the "{" + av_data = av_data[1:] + + # Keep appending permissions until a close brace is + # found. + while av_data[0] != "}": + if av_data[0] == "{": + error("Extra '{' in file " +\ + file_name + ".") + + # Add the permission name. 
+ perms.append(av_data[0]) + + # Dequeue the permission name. + av_data = av_data[1:] + + if len(av_data) == 0: + error("Missing token '}' in file "\ + + file_name + ".") + + # Dequeue the "}" + av_data = av_data[1:] + + # Add the new access vector class to the database. + database.append(Class(name, perms, common)) + + return database + +def get_sc_db(file_name): + """ + Returns a security class database generated from the file file_name. + """ + + # Read the file then close it. + sc_file = open(file_name) + sc_data = sc_file.readlines() + sc_file.close() + + # For each line in the security classes file, add the name of the class + # and whether it is a userspace class or not to the security class + # database. + database = [] + for line in sc_data: + line = line.lstrip() + # If the line is empty or the entire line is a comment, skip. + if line == "" or line[0] == "#": + continue + + # Check if the comment to the right of the permission matches + # USERSPACE_CLASS. + comment_index = line.find("#") + if comment_index != -1 and line[comment_index+1:].strip() == USERSPACE_CLASS: + userspace = True + else: + userspace = False + + # All lines should be in the format "class NAME", meaning + # it should have two tokens and the first token should be + # "class". + split_line = line.split() + if len(split_line) < 2 or split_line[0] != "class": + error("Wrong syntax: " + line) + + # Add the class's name (split_line[1]) and whether it is a + # userspace class or not to the database. + # This is appending a tuple of (NAME,USERSPACE), where NAME is + # the name of the security class and USERSPACE is True if + # if it has "# USERSPACE_CLASS" on the end of the line, False + # if not. + database.append((split_line[1], userspace)) + + return database + +def gen_class_perms(av_db, sc_db): + """ + Generates a class permissions document and returns it. 
+ """ + + # Define class template: + class_perms_line = "define(`all_%s_perms',`{ %s}')\n" + + # Generate the defines for the individual class permissions. + class_perms = "" + for obj in av_db: + # Don't output commons + if obj.common == True: + continue + + # Get the list of permissions from the specified class. + perms = get_perms(obj.name, av_db, False) + + # Merge all the permissions into one string with one space + # padding. + perm_str = "" + for perm in perms: + perm_str += perm + " " + + # Add the line to the class_perms + class_perms += class_perms_line % (obj.name, perm_str) + class_perms += "\n" + + # Generate the kernel_class_perms and userspace_class_perms sets. + class_line = "\tclass %s all_%s_perms;\n" + kernel_class_perms = "define(`all_kernel_class_perms',`\n" + userspace_class_perms = "define(`all_userspace_class_perms',`\n" + # For each (NAME,USERSPACE) tuple, add the class to the appropriate + # class permission set. + for name, userspace in sc_db: + if userspace: + userspace_class_perms += class_line % (name, name) + else: + kernel_class_perms += class_line % (name, name) + kernel_class_perms += "')\n\n" + userspace_class_perms += "')\n" + + # Throw all the strings together and return the string. + return class_perms + kernel_class_perms + userspace_class_perms + +def error(error): + """ + Print an error message and exit. + """ + + sys.stderr.write("%s exiting for: " % sys.argv[0]) + sys.stderr.write("%s\n" % error) + sys.stderr.flush() + sys.exit(1) + +# MAIN PROGRAM +app_name = sys.argv[0] + +if len(sys.argv) != 3: + error("Incorrect input.\nUsage: " + sys.argv[0] + " access_vectors security_classes" ) + +# argv[1] is the access vector file. +av_file = sys.argv[1] + +# argv[2] is the security class file. +sc_file = sys.argv[2] + +# Output the class permissions document. +sys.stdout.write(gen_class_perms(get_av_db(av_file), get_sc_db(sc_file))) 
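Review bot: in get_av_db the two brace-padding statements discard their result, so a brace attached to a word is never split into its own token: `av_line.replace("{"," { ")` and `av_line.replace("}"," } ")` must be `av_line = av_line.replace("{", " { ")` (and likewise for `}`), since str.replace returns a new string. As written, an access_vectors line such as `class foo{` produces the single token `foo{`, which becomes the class name; the following permissions are then read as a new declaration and the script exits with "Unexpected token". In the inherits branch the error message also references `keyword`, which is never defined (`+ keyword + " " + name + "."`), so that path raises NameError instead of printing the intended message; use the literal "class" there, since only classes take the branch. Minor: `while av_data[0] != "}":` indexes before the list is known to be non-empty, so a file ending right after `{` raises IndexError rather than the "Missing token '}'" error; move the length check ahead of the comparison.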
diff --git a/support/genhomedircon b/support/genhomedircon new file mode 100644 index 0000000..01ef91d --- /dev/null +++ b/support/genhomedircon 
@@ -0,0 +1,481 @@ +#! /usr/bin/env python +# Copyright (C) 2004 Tresys Technology, LLC +# see file 'COPYING' for use and warranty information +# +# genhomedircon - this script is used to generate file context +# configuration entries for user home directories based on their +# default roles and is run when building the policy. Specifically, we +# replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with +# generic and user-specific values. +# +# Based off original script by Dan Walsh, <dwalsh@redhat.com> +# +# ASSUMPTIONS: +# +# The file CONTEXTDIR/files/homedir_template exists. This file is used to +# set up the home directory context for each real user. +# +# If a user has more than one role in CONTEXTDIR/local.users, genhomedircon uses +# the first role in the list. +# +# If a user is not listed in CONTEXTDIR/local.users, he will default to user_u, role user +# +# "Real" users (as opposed to system users) are those whose UID is greater than +# or equal STARTING_UID (usually 500) and whose login is not a member of +# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/local.users +# are always "real" (including root, in the default configuration). +# +# +# Old ASSUMPTIONS: +# +# If a user has more than one role in FILECONTEXTDIR/users, genhomedircon uses +# the first role in the list. +# +# If a user is not listed in FILECONTEXTDIR/users, genhomedircon assumes that +# the user's home dir will be found in one of the HOME_ROOTs. +# +# "Real" users (as opposed to system users) are those whose UID is greater than +# or equal STARTING_UID (usually 500) and whose login is not a member of +# EXCLUDE_LOGINS. Users who are explicitly defined in FILECONTEXTDIR/users +# are always "real" (including root, in the default configuration). 
+# + +import commands, sys, os, pwd, string, getopt, re + +EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"] + +def getStartingUID(): + starting_uid = sys.maxint + rc=commands.getstatusoutput("grep -h '^UID_MIN' /etc/login.defs") + if rc[0] == 0: + uid_min = re.sub("^UID_MIN[^0-9]*", "", rc[1]) + #stip any comment from the end of the line + uid_min = uid_min.split("#")[0] + uid_min = uid_min.strip() + if int(uid_min) < starting_uid: + starting_uid = int(uid_min) + rc=commands.getstatusoutput("grep -h '^LU_UIDNUMBER' /etc/libuser.conf") + if rc[0] == 0: + lu_uidnumber = re.sub("^LU_UIDNUMBER[^0-9]*", "", rc[1]) + #stip any comment from the end of the line + lu_uidnumber = re.sub("[ \t].*", "", lu_uidnumber) + lu_uidnumber = lu_uidnumber.split("#")[0] + lu_uidnumber = lu_uidnumber.strip() + if int(lu_uidnumber) < starting_uid: + starting_uid = int(lu_uidnumber) + if starting_uid == sys.maxint: + starting_uid = 500 + return starting_uid + +############################################################################# +# +# This section is just for backwards compatability +# +############################################################################# +def getPrefixes(): + ulist = pwd.getpwall() + STARTING_UID=getStartingUID() + prefixes = {} + for u in ulist: + if u[2] >= STARTING_UID and \ + not u[6] in EXCLUDE_LOGINS and \ + u[5] != "/" and \ + string.count(u[5], "/") > 1: + prefix = u[5][:string.rfind(u[5], "/")] + if not prefixes.has_key(prefix): + prefixes[prefix] = "" + return prefixes + +def getUsers(filecontextdir): + rc = commands.getstatusoutput("grep ^user %s/users" % filecontextdir) + udict = {} + if rc[0] == 0: + ulist = rc[1].strip().split("\n") + for u in ulist: + user = u.split() + try: + if user[1] == "user_u" or user[1] == "system_u": + continue + # !!! chooses first role in the list to use in the file context !!! 
+ role = user[3] + if role == "{": + role = user[4] + role = role.split("_r")[0] + home = pwd.getpwnam(user[1])[5] + if home == "/": + continue + prefs = {} + prefs["role"] = role + prefs["home"] = home + udict[user[1]] = prefs + except KeyError: + sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1]) + return udict + +def update(filecontext, user, prefs): + rc=commands.getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user)) + if rc[0] == 0: + print rc[1] + else: + errorExit(string.join("grep/sed error ", rc[1])) + return rc + +def oldgenhomedircon(filecontextdir, filecontext): + sys.stderr.flush() + + if os.path.isdir(filecontextdir) == 0: + sys.stderr.write("New usage is the following\n") + usage() + #We are going to define home directory used by libuser and show-utils as a home directory root + prefixes = {} + rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd") + if rc[0] == 0: + homedir = rc[1].split("=")[1] + homedir = homedir.split("#")[0] + homedir = homedir.strip() + if not prefixes.has_key(homedir): + prefixes[homedir] = "" + else: + #rc[0] == 256 means the file was there, we read it, but the grep didn't match + if rc[0] != 256: + sys.stderr.write("%s\n" % rc[1]) + sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n") + sys.stderr.flush() + + + rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf") + if rc[0] == 0: + homedir = rc[1].split("=")[1] + homedir = homedir.split("#")[0] + homedir = homedir.strip() + homedir = re.sub(r"[^/a-zA-Z0-9].*$", "", homedir) + if not prefixes.has_key(homedir): + prefixes[homedir] = "" + + #the idea is that we need to find all of the home_root_t directories we do this by just accepting + #any default home directory defined by either /etc/libuser.conf or /etc/default/useradd + #we then get the potential home 
directory roots from /etc/passwd or nis or wherever and look at + #the defined homedir for all users with UID > STARTING_UID. This list of possible root homedirs + #is then checked to see if it has an explicite context defined in the file_contexts. Explicit + #is any regex that would match it which does not end with .*$ or .+$ since those are general + #recursive matches. We then take any regex which ends with [pattern](/.*)?$ and just check against + #[pattern] + potential_prefixes = getPrefixes() + prefix_regex = {} + #this works by grepping the file_contexts for + # 1. ^/ makes sure this is not a comment + # 2. prints only the regex in the first column first cut on \t then on space + rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " % (sys.argv[2]) ) + if rc[0] == 0: + prefix_regex = rc[1].split("\n") + else: + sys.stderr.write("%s\n" % rc[1]) + sys.stderr.write("You do not have access to grep/cut/the file contexts\n") + sys.stderr.flush() + for potential in potential_prefixes.keys(): + addme = 1 + for regex in prefix_regex: + #match a trailing (/*)? which is actually a bug in rpc_pipefs + regex = re.sub("\(/\*\)\?$", "", regex) + #match a trailing .+ + regex = re.sub("\.+$", "", regex) + #match a trailing .* + regex = re.sub("\.\*$", "", regex) + #strip a (/.*)? 
which matches anything trailing to a /*$ which matches trailing /'s + regex = re.sub("\(\/\.\*\)\?", "", regex) + regex = regex + "/*$" + if re.search(regex, potential, 0): + addme = 0 + if addme == 1: + if not prefixes.has_key(potential): + prefixes[potential] = "" + + + if prefixes.__eq__({}): + sys.stderr.write("LU_HOMEDIRECTORY not set in /etc/libuser.conf\n") + sys.stderr.write("HOME= not set in /etc/default/useradd\n") + sys.stderr.write("And no users with a reasonable homedir found in passwd/nis/ldap/etc...\n") + sys.stderr.write("Assuming /home is the root of home directories\n") + sys.stderr.flush() + prefixes["/home"] = "" + + # There may be a more elegant sed script to expand a macro to multiple lines, but this works + sed_root = "h; s|^HOME_ROOT|%s|" % (string.join(prefixes.keys(), "|; p; g; s|^HOME_ROOT|"),) + sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (string.join(prefixes.keys(), "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|"),) + + # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users + rc=commands.getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext)) + if rc[0] == 0: + print rc[1] + else: + errorExit(string.join("sed error ", rc[1])) + + users = getUsers(filecontextdir) + print "\n#\n# User-specific file contexts\n#\n" + + # Fill in HOME and ROLE for users that are defined + for u in users.keys(): + update(filecontext, u, users[u]) + +############################################################################# +# +# End of backwards compatability section +# +############################################################################# + +def getDefaultHomeDir(): + ret = [] + rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd") + if rc[0] == 0: + homedir = rc[1].split("=")[1] + homedir = homedir.split("#")[0] + homedir = homedir.strip() + if not homedir in ret: + ret.append(homedir) + else: + #rc[0] == 256 
means the file was there, we read it, but the grep didn't match + if rc[0] != 256: + sys.stderr.write("%s\n" % rc[1]) + sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n") + sys.stderr.flush() + rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf") + if rc[0] == 0: + homedir = rc[1].split("=")[1] + homedir = homedir.split("#")[0] + homedir = homedir.strip() + if not homedir in ret: + ret.append(homedir) + else: + #rc[0] == 256 means the file was there, we read it, but the grep didn't match + if rc[0] != 256: + sys.stderr.write("%s\n" % rc[1]) + sys.stderr.write("You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=\n") + sys.stderr.flush() + if ret == []: + ret.append("/home") + return ret + +def getSELinuxType(directory): + rc=commands.getstatusoutput("grep ^SELINUXTYPE= %s/config" % directory) + if rc[0]==0: + return rc[1].split("=")[-1].strip() + return "targeted" + +def usage(error = ""): + if error != "": + sys.stderr.write("%s\n" % error) + sys.stderr.write("Usage: %s [ -d selinuxdir ] [-n | --nopasswd] [-t selinuxtype ]\n" % sys.argv[0]) + sys.stderr.flush() + sys.exit(1) + +def warning(warning = ""): + sys.stderr.write("%s\n" % warning) + sys.stderr.flush() + +def errorExit(error): + sys.stderr.write("%s exiting for: " % sys.argv[0]) + sys.stderr.write("%s\n" % error) + sys.stderr.flush() + sys.exit(1) + +class selinuxConfig: + def __init__(self, selinuxdir="/etc/selinux", type="targeted", usepwd=1): + self.type=type + self.selinuxdir=selinuxdir +"/" + self.contextdir="/contexts" + self.filecontextdir=self.contextdir+"/files" + self.usepwd=usepwd + + def getFileContextDir(self): + return self.selinuxdir+self.type+self.filecontextdir + + def getFileContextFile(self): + return self.getFileContextDir()+"/file_contexts" + + def getContextDir(self): + return self.selinuxdir+self.type+self.contextdir + + def getHomeDirTemplate(self): + return self.getFileContextDir()+"/homedir_template" + + def 
getHomeRootContext(self, homedir): + rc=commands.getstatusoutput("grep HOME_ROOT %s | sed -e \"s|^HOME_ROOT|%s|\"" % ( self.getHomeDirTemplate(), homedir)) + if rc[0] == 0: + return rc[1]+"\n" + else: + errorExit(string.join("sed error ", rc[1])) + + def getUsersFile(self): + return self.selinuxdir+self.type+"/users/local.users" + + def getSystemUsersFile(self): + return self.selinuxdir+self.type+"/users/system.users" + + def heading(self): + ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0] + ret += "# edit %s to change file_context\n#\n#\n" % self.getUsersFile() + return ret + + def getUsers(self): + users="" + rc = commands.getstatusoutput('grep "^user" %s' % self.getSystemUsersFile()) + if rc[0] == 0: + users+=rc[1]+"\n" + rc = commands.getstatusoutput("grep ^user %s" % self.getUsersFile()) + if rc[0] == 0: + users+=rc[1] + udict = {} + prefs = {} + if users != "": + ulist = users.split("\n") + for u in ulist: + user = u.split() + try: + if len(user)==0 or user[1] == "user_u" or user[1] == "system_u": + continue + # !!! chooses first role in the list to use in the file context !!! 
+ role = user[3] + if role == "{": + role = user[4] + role = role.split("_r")[0] + home = pwd.getpwnam(user[1])[5] + if home == "/": + continue + prefs = {} + prefs["role"] = role + prefs["home"] = home + udict[user[1]] = prefs + except KeyError: + sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1]) + return udict + + def getHomeDirContext(self, user, home, role): + ret="\n\n#\n# Context for user %s\n#\n\n" % user + rc=commands.getstatusoutput("grep '^HOME_DIR' %s | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), home, role, user)) + return ret + rc[1] + "\n" + + def genHomeDirContext(self): + users = self.getUsers() + ret="" + # Fill in HOME and ROLE for users that are defined + for u in users.keys(): + ret += self.getHomeDirContext (u, users[u]["home"], users[u]["role"]) + return ret+"\n" + + def checkExists(self, home): + if commands.getstatusoutput("grep -E '^%s[^[:alnum:]_-]' %s" % (home, self.getFileContextFile()))[0] == 0: + return 0 + #this works by grepping the file_contexts for + # 1. ^/ makes sure this is not a comment + # 2. prints only the regex in the first column first cut on \t then on space + rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " % self.getFileContextFile() ) + if rc[0] == 0: + prefix_regex = rc[1].split("\n") + else: + sys.stderr.write("%s\n" % rc[1]) + sys.stderr.write("You do not have access to grep/cut/the file contexts\n") + sys.stderr.flush() + exists=1 + for regex in prefix_regex: + #match a trailing (/*)? which is actually a bug in rpc_pipefs + regex = re.sub("\(/\*\)\?$", "", regex) + #match a trailing .+ + regex = re.sub("\.+$", "", regex) + #match a trailing .* + regex = re.sub("\.\*$", "", regex) + #strip a (/.*)? 
which matches anything trailing to a /*$ which matches trailing /'s + regex = re.sub("\(\/\.\*\)\?", "", regex) + regex = regex + "/*$" + if re.search(regex, home, 0): + exists = 0 + break + if exists == 1: + return 1 + else: + return 0 + + + def getHomeDirs(self): + homedirs = [] + homedirs = homedirs + getDefaultHomeDir() + starting_uid=getStartingUID() + if self.usepwd==0: + return homedirs + ulist = pwd.getpwall() + for u in ulist: + if u[2] >= starting_uid and \ + not u[6] in EXCLUDE_LOGINS and \ + u[5] != "/" and \ + string.count(u[5], "/") > 1: + homedir = u[5][:string.rfind(u[5], "/")] + if not homedir in homedirs: + if self.checkExists(homedir)==0: + warning("%s is already defined in %s,\n%s will not create a new context." % (homedir, self.getFileContextFile(), sys.argv[0])) + else: + homedirs.append(homedir) + + homedirs.sort() + return homedirs + + def genoutput(self): + ret= self.heading() + for h in self.getHomeDirs(): + ret += self.getHomeDirContext ("user_u" , h+'/[^/]*', "user") + ret += self.getHomeRootContext(h) + ret += self.genHomeDirContext() + return ret + + def printout(self): + print self.genoutput() + + def write(self): + try: + fd = open(self.getFileContextDir()+"/file_contexts.homedirs", "w") + fd.write(self.genoutput()) + fd.close() + except IOError, error: + sys.stderr.write("%s: %s\n" % ( sys.argv[0], error )) + + + +# +# This script will generate home dir file context +# based off the homedir_template file, entries in the password file, and +# +try: + usepwd=1 + directory="/etc/selinux" + type=None + gopts, cmds = getopt.getopt(sys.argv[1:], 'nd:t:', ['help', + 'type=', + 'nopasswd', + 'dir=']) + for o,a in gopts: + if o == '--type' or o == "-t": + type=a + if o == '--nopasswd' or o == "-n": + usepwd=0 + if o == '--dir' or o == "-d": + directory=a + if o == '--help': + usage() + + + if type==None: + type=getSELinuxType(directory) + + if len(cmds) == 2: + oldgenhomedircon(cmds[0], cmds[1]) + sys.exit(0) + + if len(cmds) != 0: + usage() 
+ selconf=selinuxConfig(directory, type, usepwd) + selconf.write() + +except getopt.error, error: + errorExit(string.join("Options Error ", error)) +except ValueError, error: + errorExit(string.join("ValueError ", error)) +except IndexError, error: + errorExit("IndexError") diff --git a/support/gennetfilter.py b/support/gennetfilter.py new file mode 100644 index 0000000..866db91 --- /dev/null +++ b/support/gennetfilter.py 
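Review bot: every external call in genhomedircon builds a shell command line by interpolating unquoted data, for example `grep '^HOME_DIR' %s | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'` with the home directory, role and login name taken from pwd and local.users, and `grep -E '^%s[^[:alnum:]_-]' %s` with the home directory used as an unescaped regex. A home directory from passwd, NIS or LDAP containing a single quote, `|` or `&` either breaks the sed expression or is interpreted by the shell, and this script runs as root at policy build/load time. Do the HOME_DIR/HOME_ROOT/ROLE substitution in Python (read homedir_template once and use str.replace per line) or pass argument lists through subprocess instead of commands.getstatusoutput. The error paths are also broken: `string.join("grep/sed error ", rc[1])` joins the characters of the first string using rc[1] as the separator, and `string.join("Options Error ", error)` raises TypeError because error is an exception object; these should be plain concatenation, e.g. `"sed error " + rc[1]` and `"Options Error " + str(error)`. Minor: `getHomeRootContext` greps for HOME_ROOT without the `^` anchor used elsewhere, so a comment line in homedir_template that mentions HOME_ROOT is emitted into file_contexts.homedirs.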
@@ -0,0 +1,163 @@ +#!/usr/bin/python + +# Author: Chris PeBenito <cpebenito@tresys.com> +# +# Copyright (C) 2006 Tresys Technology, LLC +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, version 2. + +import sys,string,getopt,re + +NETPORT = re.compile("^network_port\(\s*\w+\s*(\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*)+\s*\)\s*(#|$)") + +DEFAULT_INPUT_PACKET = "server_packet_t" +DEFAULT_OUTPUT_PACKET = "client_packet_t" +DEFAULT_MCS = "s0" +DEFAULT_MLS = "s0" + +PACKET_INPUT = "_server_packet_t" +PACKET_OUTPUT = "_client_packet_t" + +class Port: + def __init__(self, proto, num, mls_sens, mcs_cats=""): + # protocol of the port + self.proto = proto + + # port number + self.num = num + + # MLS sensitivity + self.mls_sens = mls_sens + + # MCS categories + # not currently supported, so we always get s0 + self.mcs_cats = DEFAULT_MCS + +class Packet: + def __init__(self, prefix, ports): + # prefix + self.prefix = prefix + + # A list of Ports + self.ports = ports + +def print_input_rules(packets,mls,mcs): + line = "base -A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET + if mls: + line += ":"+DEFAULT_MLS + elif mcs: + line += ":"+DEFAULT_MCS + + print line + + for i in packets: + for j in i.ports: + line="base -A selinux_new_input -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_INPUT + if mls: + line += ":"+j.mls_sens + elif mcs: + line += ":"+j.mcs_cats + print line + + print "post -A selinux_new_input -j CONNSECMARK --save" + print "post -A selinux_new_input -j RETURN" + +def print_output_rules(packets,mls,mcs): + line = "base -A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_OUTPUT_PACKET + if mls: + line += ":"+DEFAULT_MLS + elif mcs: + line += ":"+DEFAULT_MCS + print line + + for i in packets: + for j in i.ports: + line = "base -A selinux_new_output -p 
"+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_OUTPUT + if mls: + line += ":"+j.mls_sens + elif mcs: + line += ":"+j.mcs_cats + print line + + print "post -A selinux_new_output -j CONNSECMARK --save" + print "post -A selinux_new_output -j RETURN" + +def parse_corenet(file_name): + packets = [] + + corenet_te_in = open(file_name, "r") + + while True: + corenet_line = corenet_te_in.readline() + + # If EOF has been reached: + if not corenet_line: + break + + if NETPORT.match(corenet_line): + corenet_line = corenet_line.strip(); + + # parse out the parameters + openparen = string.find(corenet_line,'(')+1 + closeparen = string.find(corenet_line,')',openparen) + parms = re.split('\W+',corenet_line[openparen:closeparen]) + name = parms[0] + del parms[0]; + + ports = [] + while len(parms) > 0: + # add a port combination. + ports.append(Port(parms[0],parms[1],parms[2])) + del parms[:3] + + packets.append(Packet(name,ports)) + + corenet_te_in.close() + + return packets + +def print_netfilter_config(packets,mls,mcs): + print "pre *mangle" + print "pre :PREROUTING ACCEPT [0:0]" + print "pre :INPUT ACCEPT [0:0]" + print "pre :FORWARD ACCEPT [0:0]" + print "pre :OUTPUT ACCEPT [0:0]" + print "pre :POSTROUTING ACCEPT [0:0]" + print "pre :selinux_input - [0:0]" + print "pre :selinux_output - [0:0]" + print "pre :selinux_new_input - [0:0]" + print "pre :selinux_new_output - [0:0]" + print "pre -A INPUT -j selinux_input" + print "pre -A OUTPUT -j selinux_output" + print "pre -A selinux_input -m state --state NEW -j selinux_new_input" + print "pre -A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore" + print "pre -A selinux_output -m state --state NEW -j selinux_new_output" + print "pre -A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore" + print_input_rules(packets,mls,mcs) + print_output_rules(packets,mls,mcs) + print "post COMMIT" + +mls = False +mcs = False + +try: + opts, paths = 
getopt.getopt(sys.argv[1:],'mc',['mls','mcs']) +except getopt.GetoptError, error: + print "Invalid options." + sys.exit(1) + +for o, a in opts: + if o in ("-c","--mcs"): + mcs = True + if o in ("-m","--mls"): + mls = True + +if len(paths) == 0: + sys.stderr.write("Need a path for corenetwork.te.in!\n") + sys.exit(1) +elif len(paths) > 1: + sys.stderr.write("Ignoring extra specified paths\n") + +packets=parse_corenet(paths[0]) +print_netfilter_config(packets,mls,mcs) diff --git a/support/get_type_attr_decl.sed b/support/get_type_attr_decl.sed new file mode 100644 index 0000000..a113f21 --- /dev/null +++ b/support/get_type_attr_decl.sed @@ -0,0 +1,13 @@ +#n +# print out type and attribute declarations that +# are not inside require and optional blocks. + +/require \{/,/} # end require/b nextline +/optional \{/,/} # end optional/b nextline + +/^[[:blank:]]*(attribute|type(alias)?|bool) /{ + s/^[[:blank:]]+// + p +} + +:nextline diff --git a/support/iferror.m4 b/support/iferror.m4 new file mode 100644 index 0000000..a3f36f8 --- /dev/null +++ b/support/iferror.m4 @@ -0,0 +1 @@ +ifdef(`__if_error',`m4exit(1)') diff --git a/support/pyplate.py b/support/pyplate.py new file mode 100644 index 0000000..c7532cc --- /dev/null +++ b/support/pyplate.py 
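Review bot: parse_corenet tokenizes the argument text with `parms = re.split('\W+',corenet_line[openparen:closeparen])`, which yields empty strings at either end whenever there is whitespace just inside the parentheses, and NETPORT explicitly allows that (`\(\s*\w+` and `\s*\)`). For `network_port( http, tcp, 80, s0)` the name becomes the empty string and every column shifts by one; for `network_port(http, tcp, 80, s0 )` the leftover `['']` makes `ports.append(Port(parms[0],parms[1],parms[2]))` raise IndexError. Drop empty tokens (`parms = [p for p in parms if p]`) or take the parameters from the regex match instead of re-splitting the line. Separately, `print "Invalid options."` in the GetoptError handler writes to stdout, which is where the generated netfilter configuration goes, so a usage error can end up inside the redirected output; send it to stderr like the other diagnostics.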
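Review bot: get_type_attr_decl.sed relies on extended regex syntax, `/^[[:blank:]]*(attribute|type(alias)?|bool) /` and `s/^[[:blank:]]+//`, which only matches under `sed -r` (GNU) or `sed -E`; with a plain POSIX sed the parentheses, `|`, `?` and `+` are literals and the script prints nothing, silently producing empty type/attribute declarations for whatever consumes its output. State that requirement in the header comment next to `#n`, or rewrite the patterns in basic regex syntax so the script does not depend on how the Makefile invokes sed.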
@@ -0,0 +1,364 @@ +"""PyPlate : a simple Python-based templating program + +PyPlate parses a file and replaces directives (in double square brackets [[ ... ]]) +by various means using a given dictionary of variables. Arbitrary Python code +can be run inside many of the directives, making this system highly flexible. + +Usage: +# Load and parse template file +template = pyplate.Template("output") (filename or string) +# Execute it with a dictionary of variables +template.execute_file(output_stream, locals()) + +PyPlate defines the following directives: + [[...]] evaluate the arbitrary Python expression and insert the + result into the output + + [[# ... #]] comment. + + [[exec ...]] execute arbitrary Python code in the sandbox namespace + + [[if ...]] conditional expressions with usual Python semantics + [[elif ...]] + [[else]] + [[end]] + + [[for ... in ...]] for-loop with usual Python semantics + [[end]] + + [[def ...(...)]] define a "function" out of other templating elements + [[end]] + + [[call ...]] call a templating function (not a regular Python function) +""" + +# +# Copyright (C) 2002 Michael Droettboom +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
+# + +from __future__ import nested_scopes +import sys, string, re, cStringIO + +re_directive = re.compile("\[\[(.*)\]\]") +re_for_loop = re.compile("for (.*) in (.*)") +re_if = re.compile("if (.*)") +re_elif = re.compile("elif (.*)") +re_def = re.compile("def (.*?)\((.*)\)") +re_call = re.compile("call (.*?)\((.*)\)") +re_exec = re.compile("exec (.*)") +re_comment = re.compile("#(.*)#") + +############################################################ +# Template parser +class ParserException(Exception): + def __init__(self, lineno, s): + Exception.__init__(self, "line %d: %s" % (lineno, s)) + +class Template: + def __init__(self, filename=None): + if filename != None: + try: + self.parse_file(filename) + except: + self.parse_string(filename) + + def parse_file(self, filename): + file = open(filename, 'r') + self.parse(file) + file.close() + + def parse_string(self, template): + file = cStringIO.StringIO(template) + self.parse(file) + file.close() + + def parse(self, file): + self.file = file + self.line = self.file.read() + self.lineno = 0 + self.functions = {} + self.tree = TopLevelTemplateNode(self) + + def parser_get(self): + if self.line == '': + return None + return self.line + + def parser_eat(self, chars): + self.lineno = self.lineno + self.line[:chars].count("\n") + self.line = self.line[chars:] + + def parser_exception(self, s): + raise ParserException(self.lineno, s) + + def execute_file(self, filename, data): + file = open(filename, 'w') + self.execute(file, data) + file.close() + + def execute_string(self, data): + s = cStringIO.StringIO() + self.execute(s, data) + return s.getvalue() + + def execute_stdout(self, data): + self.execute(sys.stdout, data) + + def execute(self, stream=sys.stdout, data={}): + self.tree.execute(stream, data) + + def __repr__(self): + return repr(self.tree) + + +############################################################ +# NODES +class TemplateNode: + def __init__(self, parent, s): + self.parent = parent + self.s = s + 
self.node_list = [] + while 1: + new_node = TemplateNodeFactory(parent) + if self.add_node(new_node): + break + + def add_node(self, node): + if node == 'end': + return 1 + elif node != None: + self.node_list.append(node) + else: + raise self.parent.parser_exception( + "[[%s]] does not have a matching [[end]]" % self.s) + + def execute(self, stream, data): + for node in self.node_list: + node.execute(stream, data) + + def __repr__(self): + r = "<" + self.__class__.__name__ + " " + for i in self.node_list: + r = r + repr(i) + r = r + ">" + return r + +class TopLevelTemplateNode(TemplateNode): + def __init__(self, parent): + TemplateNode.__init__(self, parent, '') + + def add_node(self, node): + if node != None: + self.node_list.append(node) + else: + return 1 + +class ForTemplateNode(TemplateNode): + def __init__(self, parent, s): + TemplateNode.__init__(self, parent, s) + match = re_for_loop.match(s) + if match == None: + raise self.parent.parser_exception( + "[[%s]] is not a valid for-loop expression" % self.s) + else: + self.vars_temp = match.group(1).split(",") + self.vars = [] + for v in self.vars_temp: + self.vars.append(v.strip()) + #print self.vars + self.expression = match.group(2) + + def execute(self, stream, data): + remember_vars = {} + for var in self.vars: + if data.has_key(var): + remember_vars[var] = data[var] + for list in eval(self.expression, globals(), data): + if is_sequence(list): + for index, value in enumerate(list): + data[self.vars[index]] = value + else: + data[self.vars[0]] = list + TemplateNode.execute(self, stream, data) + for key, value in remember_vars.items(): + data[key] = value + +class IfTemplateNode(TemplateNode): + def __init__(self, parent, s): + self.else_node = None + TemplateNode.__init__(self, parent, s) + match = re_if.match(s) + if match == None: + raise self.parent.parser_exception( + "[[%s]] is not a valid if expression" % self.s) + else: + self.expression = match.group(1) + + def add_node(self, node): + if node == 
'end': + return 1 + elif isinstance(node, ElseTemplateNode): + self.else_node = node + return 1 + elif isinstance(node, ElifTemplateNode): + self.else_node = node + return 1 + elif node != None: + self.node_list.append(node) + else: + raise self.parent.parser_exception( + "[[%s]] does not have a matching [[end]]" % self.s) + + def execute(self, stream, data): + if eval(self.expression, globals(), data): + TemplateNode.execute(self, stream, data) + elif self.else_node != None: + self.else_node.execute(stream, data) + +class ElifTemplateNode(IfTemplateNode): + def __init__(self, parent, s): + self.else_node = None + TemplateNode.__init__(self, parent, s) + match = re_elif.match(s) + if match == None: + self.parent.parser_exception( + "[[%s]] is not a valid elif expression" % self.s) + else: + self.expression = match.group(1) + +class ElseTemplateNode(TemplateNode): + pass + +class FunctionTemplateNode(TemplateNode): + def __init__(self, parent, s): + TemplateNode.__init__(self, parent, s) + match = re_def.match(s) + if match == None: + self.parent.parser_exception( + "[[%s]] is not a valid function definition" % self.s) + self.function_name = match.group(1) + self.vars_temp = match.group(2).split(",") + self.vars = [] + for v in self.vars_temp: + self.vars.append(v.strip()) + #print self.vars + self.parent.functions[self.function_name] = self + + def execute(self, stream, data): + pass + + def call(self, args, stream, data): + remember_vars = {} + for index, var in enumerate(self.vars): + if data.has_key(var): + remember_vars[var] = data[var] + data[var] = args[index] + TemplateNode.execute(self, stream, data) + for key, value in remember_vars.items(): + data[key] = value + +class LeafTemplateNode(TemplateNode): + def __init__(self, parent, s): + self.parent = parent + self.s = s + + def execute(self, stream, data): + stream.write(self.s) + + def __repr__(self): + return "<" + self.__class__.__name__ + ">" + +class CommentTemplateNode(LeafTemplateNode): + def 
execute(self, stream, data): + pass + +class ExpressionTemplateNode(LeafTemplateNode): + def execute(self, stream, data): + stream.write(str(eval(self.s, globals(), data))) + +class ExecTemplateNode(LeafTemplateNode): + def __init__(self, parent, s): + LeafTemplateNode.__init__(self, parent, s) + match = re_exec.match(s) + if match == None: + self.parent.parser_exception( + "[[%s]] is not a valid statement" % self.s) + self.s = match.group(1) + + def execute(self, stream, data): + exec(self.s, globals(), data) + pass + +class CallTemplateNode(LeafTemplateNode): + def __init__(self, parent, s): + LeafTemplateNode.__init__(self, parent, s) + match = re_call.match(s) + if match == None: + self.parent.parser_exception( + "[[%s]] is not a valid function call" % self.s) + self.function_name = match.group(1) + self.vars = "(" + match.group(2).strip() + ",)" + + def execute(self, stream, data): + self.parent.functions[self.function_name].call( + eval(self.vars, globals(), data), stream, data) + + +############################################################ +# Node factory +template_factory_type_map = { + 'if' : IfTemplateNode, + 'for' : ForTemplateNode, + 'elif' : ElifTemplateNode, + 'else' : ElseTemplateNode, + 'def' : FunctionTemplateNode, + 'call' : CallTemplateNode, + 'exec' : ExecTemplateNode } +template_factory_types = template_factory_type_map.keys() + +def TemplateNodeFactory(parent): + src = parent.parser_get() + + if src == None: + return None + match = re_directive.search(src) + if match == None: + parent.parser_eat(len(src)) + return LeafTemplateNode(parent, src) + elif src == '' or match.start() != 0: + parent.parser_eat(match.start()) + return LeafTemplateNode(parent, src[:match.start()]) + else: + directive = match.group()[2:-2].strip() + parent.parser_eat(match.end()) + if directive == 'end': + return 'end' + elif re_comment.match(directive): + return CommentTemplateNode(parent, directive) + else: + for i in template_factory_types: + if directive[0:len(i)] 
== i: + return template_factory_type_map[i](parent, directive) + return ExpressionTemplateNode(parent, directive) + +def is_sequence(object): + try: + test = object[0:0] + except: + return False + else: + return True diff --git a/support/sedoctool.py b/support/sedoctool.py new file mode 100644 index 0000000..5bbaf76 --- /dev/null +++ b/support/sedoctool.py 
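Review bot: the module docstring describes [[exec ...]] as running "in the sandbox namespace", but ExecTemplateNode.execute calls `exec(self.s, globals(), data)` and ExpressionTemplateNode, ForTemplateNode, IfTemplateNode and CallTemplateNode all call `eval(..., globals(), data)`, so every directive runs with the pyplate module's real globals and the full interpreter; there is no sandbox. Either drop the word "sandbox" from the docstring or state plainly that a template is trusted code and must only ever be loaded from the build tree, as sedoctool does with its templatedir files. Two smaller points in the same hunk: Template.__init__ wraps `self.parse_file(filename)` in a bare `except:` and falls back to `self.parse_string(filename)`, so an unreadable path, or a ParserException raised while parsing a real file, is silently re-parsed as a literal template string instead of being reported; catching only IOError there keeps the filename-or-string convenience without masking errors. And `re_directive = re.compile("\[\[(.*)\]\]")` is greedy, so two directives on one line are captured as a single directive running from the first `[[` to the last `]]`; `(.*?)` gives the intended shortest match.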
@@ -0,0 +1,847 @@ +#!/usr/bin/python + +# Author: Joshua Brindle <jbrindle@tresys.com> +# Caleb Case <ccase@tresys.com> +# +# Copyright (C) 2005 - 2006 Tresys Technology, LLC +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, version 2. + +""" + This module generates configuration files and documentation from the + SELinux reference policy XML format. +""" + +import sys +import getopt +import pyplate +import os +import string +from xml.dom.minidom import parse, parseString + +#modules enabled and disabled values +MOD_BASE = "base" +MOD_ENABLED = "module" +MOD_DISABLED = "off" + +#booleans enabled and disabled values +BOOL_ENABLED = "true" +BOOL_DISABLED = "false" + +#tunables enabled and disabled values +TUN_ENABLED = "true" +TUN_DISABLED = "false" + + +def read_policy_xml(filename): + """ + Takes in XML from a file and returns a parsed file. + """ + + try: + xml_fh = open(filename) + except: + error("error opening " + filename) + + try: + doc = parseString(xml_fh.read()) + except: + xml_fh.close() + error("Error while parsing xml") + + xml_fh.close() + return doc + +def gen_booleans_conf(doc, file_name, namevalue_list): + """ + Generates the booleans configuration file using the XML provided and the + previous booleans configuration. 
+ """ + + for node in doc.getElementsByTagName("bool"): + for desc in node.getElementsByTagName("desc"): + bool_desc = format_txt_desc(desc) + s = string.split(bool_desc, "\n") + file_name.write("#\n") + for line in s: + file_name.write("# %s\n" % line) + + bool_name = bool_val = None + for (name, value) in node.attributes.items(): + if name == "name": + bool_name = value + elif name == "dftval": + bool_val = value + + if [bool_name,BOOL_ENABLED] in namevalue_list: + bool_val = BOOL_ENABLED + elif [bool_name,BOOL_DISABLED] in namevalue_list: + bool_val = BOOL_DISABLED + + if bool_name and bool_val: + file_name.write("%s = %s\n\n" % (bool_name, bool_val)) + bool_name = bool_val = None + + # tunables are currently implemented as booleans + for node in doc.getElementsByTagName("tunable"): + for desc in node.getElementsByTagName("desc"): + bool_desc = format_txt_desc(desc) + s = string.split(bool_desc, "\n") + file_name.write("#\n") + for line in s: + file_name.write("# %s\n" % line) + + bool_name = bool_val = None + for (name, value) in node.attributes.items(): + if name == "name": + bool_name = value + elif name == "dftval": + bool_val = value + + if [bool_name,BOOL_ENABLED] in namevalue_list: + bool_val = BOOL_ENABLED + elif [bool_name,BOOL_DISABLED] in namevalue_list: + bool_val = BOOL_DISABLED + + if bool_name and bool_val: + file_name.write("%s = %s\n\n" % (bool_name, bool_val)) + bool_name = bool_val = None + +def gen_module_conf(doc, file_name, namevalue_list): + """ + Generates the module configuration file using the XML provided and the + previous module configuration. + """ + # If file exists, preserve settings and modify if needed. + # Otherwise, create it. 
+ + file_name.write("#\n# This file contains a listing of available modules.\n") + file_name.write("# To prevent a module from being used in policy\n") + file_name.write("# creation, set the module name to \"%s\".\n#\n" % MOD_DISABLED) + file_name.write("# For monolithic policies, modules set to \"%s\" and \"%s\"\n" % (MOD_BASE, MOD_ENABLED)) + file_name.write("# will be built into the policy.\n#\n") + file_name.write("# For modular policies, modules set to \"%s\" will be\n" % MOD_BASE) + file_name.write("# included in the base module. \"%s\" will be compiled\n" % MOD_ENABLED) + file_name.write("# as individual loadable modules.\n#\n\n") + + # For required in [True,False] is present so that the requiered modules + # are at the top of the config file. + for required in [True,False]: + for node in doc.getElementsByTagName("module"): + mod_req = False + for req in node.getElementsByTagName("required"): + if req.getAttribute("val") == "true": + mod_req = True + + # Skip if we arnt working on the right set of modules. + if mod_req and not required or not mod_req and required: + continue + + + mod_name = mod_layer = None + + mod_name = node.getAttribute("name") + mod_layer = node.parentNode.getAttribute("name") + + if mod_name and mod_layer: + file_name.write("# Layer: %s\n# Module: %s\n" % (mod_layer,mod_name)) + if required: + file_name.write("# Required in base\n") + file_name.write("#\n") + + for desc in node.getElementsByTagName("summary"): + if not desc.parentNode == node: + continue + s = string.split(format_txt_desc(desc), "\n") + for line in s: + file_name.write("# %s\n" % line) + + # If the module is set as disabled. + if [mod_name, MOD_DISABLED] in namevalue_list: + file_name.write("%s = %s\n\n" % (mod_name, MOD_DISABLED)) + # If the module is set as enabled. + elif [mod_name, MOD_ENABLED] in namevalue_list: + file_name.write("%s = %s\n\n" % (mod_name, MOD_ENABLED)) + # If the module is set as base. 
+ elif [mod_name, MOD_BASE] in namevalue_list: + file_name.write("%s = %s\n\n" % (mod_name, MOD_BASE)) + # If the module is a new module. + else: + # Set the module to base if it is marked as required. + if mod_req: + file_name.write("%s = %s\n\n" % (mod_name, MOD_BASE)) + # Set the module to enabled if it is not required. + else: + file_name.write("%s = %s\n\n" % (mod_name, MOD_ENABLED)) + +def get_conf(conf): + """ + Returns a list of [name, value] pairs from a config file with the format + name = value + """ + + conf_lines = conf.readlines() + + namevalue_list = [] + for i in range(0,len(conf_lines)): + line = conf_lines[i] + if line.strip() != '' and line.strip()[0] != "#": + namevalue = line.strip().split("=") + if len(namevalue) != 2: + warning("line %d: \"%s\" is not a valid line, skipping"\ + % (i, line.strip())) + continue + + namevalue[0] = namevalue[0].strip() + if len(namevalue[0].split()) > 1: + warning("line %d: \"%s\" is not a valid line, skipping"\ + % (i, line.strip())) + continue + + namevalue[1] = namevalue[1].strip() + if len(namevalue[1].split()) > 1: + warning("line %d: \"%s\" is not a valid line, skipping"\ + % (i, line.strip())) + continue + + namevalue_list.append(namevalue) + + return namevalue_list + +def first_cmp(a, b): + """ + Compares the two first elements of a list instead of the entire list. + """ + + return cmp(a[0], b[0]) + +def int_cmp(a, b): + """ + Compares two interfaces. + """ + + return cmp(a["interface_name"], b["interface_name"]) + +def temp_cmp(a, b): + """ + Compares two templates. + """ + + return cmp(a["template_name"], b["template_name"]) + +def tun_cmp(a, b): + """ + Compares two tunables. + """ + + return cmp(a["tun_name"], b["tun_name"]) +def bool_cmp(a, b): + """ + Compares two booleans. + """ + + return cmp(a["bool_name"], b["bool_name"]) + +def gen_doc_menu(mod_layer, module_list): + """ + Generates the HTML document menu. 
+ """ + + menu = [] + for layer, value in module_list.iteritems(): + cur_menu = (layer, []) + menu.append(cur_menu) + if layer != mod_layer and mod_layer != None: + continue + #we are in our layer so fill in the other modules or we want them all + for mod, desc in value.iteritems(): + cur_menu[1].append((mod, desc)) + + menu.sort(first_cmp) + for x in menu: + x[1].sort(first_cmp) + return menu + +def format_html_desc(node): + """ + Formats a XML node into a HTML format. + """ + + desc_buf = '' + for desc in node.childNodes: + if desc.nodeName == "#text": + if desc.data is not '': + if desc.parentNode.nodeName != "p": + desc_buf += "<p>" + desc.data + "</p>" + else: + desc_buf += desc.data + else: + desc_buf += "<" + desc.nodeName + ">" \ + + format_html_desc(desc) \ + + "</" + desc.nodeName +">" + + return desc_buf + +def format_txt_desc(node): + """ + Formats a XML node into a plain text format. + """ + + desc_buf = '' + for desc in node.childNodes: + if desc.nodeName == "#text": + desc_buf += desc.data + "\n" + elif desc.nodeName == "p": + desc_buf += desc.firstChild.data + "\n" + for chld in desc.childNodes: + if chld.nodeName == "ul": + desc_buf += "\n" + for li in chld.getElementsByTagName("li"): + desc_buf += "\t -" + li.firstChild.data + "\n" + + return desc_buf.strip() + "\n" + +def gen_docs(doc, working_dir, templatedir): + """ + Generates all the documentation. 
+ """ + + try: + #get the template data ahead of time so we don't reopen them over and over + bodyfile = open(templatedir + "/header.html", "r") + bodydata = bodyfile.read() + bodyfile.close() + intfile = open(templatedir + "/interface.html", "r") + intdata = intfile.read() + intfile.close() + templatefile = open(templatedir + "/template.html", "r") + templatedata = templatefile.read() + templatefile.close() + tunfile = open(templatedir + "/tunable.html", "r") + tundata = tunfile.read() + tunfile.close() + boolfile = open(templatedir + "/boolean.html", "r") + booldata = boolfile.read() + boolfile.close() + menufile = open(templatedir + "/menu.html", "r") + menudata = menufile.read() + menufile.close() + indexfile = open(templatedir + "/module_list.html","r") + indexdata = indexfile.read() + indexfile.close() + modulefile = open(templatedir + "/module.html","r") + moduledata = modulefile.read() + modulefile.close() + intlistfile = open(templatedir + "/int_list.html", "r") + intlistdata = intlistfile.read() + intlistfile.close() + templistfile = open(templatedir + "/temp_list.html", "r") + templistdata = templistfile.read() + templistfile.close() + tunlistfile = open(templatedir + "/tun_list.html", "r") + tunlistdata = tunlistfile.read() + tunlistfile.close() + boollistfile = open(templatedir + "/bool_list.html", "r") + boollistdata = boollistfile.read() + boollistfile.close() + gboollistfile = open(templatedir + "/global_bool_list.html", "r") + gboollistdata = gboollistfile.read() + gboollistfile.close() + gtunlistfile = open(templatedir + "/global_tun_list.html", "r") + gtunlistdata = gtunlistfile.read() + gtunlistfile.close() + except: + error("Could not open templates") + + + try: + os.chdir(working_dir) + except: + error("Could not chdir to target directory") + + +#arg, i have to go through this dom tree ahead of time to build up the menus + module_list = {} + for node in doc.getElementsByTagName("module"): + mod_name = mod_layer = interface_buf = '' + + 
mod_name = node.getAttribute("name") + mod_layer = node.parentNode.getAttribute("name") + + for desc in node.getElementsByTagName("summary"): + if desc.parentNode == node and desc: + mod_summary = format_html_desc(desc) + if not module_list.has_key(mod_layer): + module_list[mod_layer] = {} + + module_list[mod_layer][mod_name] = mod_summary + +#generate index pages + main_content_buf = '' + for mod_layer,modules in module_list.iteritems(): + menu = gen_doc_menu(mod_layer, module_list) + + layer_summary = None + for desc in doc.getElementsByTagName("summary"): + if desc.parentNode.getAttribute("name") == mod_layer: + layer_summary = format_html_desc(desc) + + menu_args = { "menulist" : menu, + "mod_layer" : mod_layer, + "layer_summary" : layer_summary } + menu_tpl = pyplate.Template(menudata) + menu_buf = menu_tpl.execute_string(menu_args) + + content_tpl = pyplate.Template(indexdata) + content_buf = content_tpl.execute_string(menu_args) + + main_content_buf += content_buf + + body_args = { "menu" : menu_buf, + "content" : content_buf } + + index_file = mod_layer + ".html" + index_fh = open(index_file, "w") + body_tpl = pyplate.Template(bodydata) + body_tpl.execute(index_fh, body_args) + index_fh.close() + + menu = gen_doc_menu(None, module_list) + menu_args = { "menulist" : menu, + "mod_layer" : None } + menu_tpl = pyplate.Template(menudata) + menu_buf = menu_tpl.execute_string(menu_args) + + body_args = { "menu" : menu_buf, + "content" : main_content_buf } + + index_file = "index.html" + index_fh = open(index_file, "w") + body_tpl = pyplate.Template(bodydata) + body_tpl.execute(index_fh, body_args) + index_fh.close() +#now generate the individual module pages + + all_interfaces = [] + all_templates = [] + all_tunables = [] + all_booleans = [] + for node in doc.getElementsByTagName("module"): + mod_name = mod_layer = mod_desc = interface_buf = '' + + mod_name = node.getAttribute("name") + mod_layer = node.parentNode.getAttribute("name") + + mod_req = None + for req 
in node.getElementsByTagName("required"): + if req.getAttribute("val") == "true": + mod_req = True + + for desc in node.getElementsByTagName("summary"): + if desc.parentNode == node: + mod_summary = format_html_desc(desc) + for desc in node.getElementsByTagName("desc"): + if desc.parentNode == node: + mod_desc = format_html_desc(desc) + + interfaces = [] + for interface in node.getElementsByTagName("interface"): + interface_parameters = [] + interface_desc = interface_summary = None + interface_name = interface.getAttribute("name") + interface_line = interface.getAttribute("lineno") + for desc in interface.childNodes: + if desc.nodeName == "desc": + interface_desc = format_html_desc(desc) + elif desc.nodeName == "summary": + interface_summary = format_html_desc(desc) + + for args in interface.getElementsByTagName("param"): + for desc in args.getElementsByTagName("summary"): + paramdesc = format_html_desc(desc) + paramname = args.getAttribute("name") + if args.getAttribute("optional") == "true": + paramopt = "Yes" + else: + paramopt = "No" + if args.getAttribute("unused") == "true": + paramunused = "Yes" + else: + paramunused = "No" + parameter = { "name" : paramname, + "desc" : paramdesc, + "optional" : paramopt, + "unused" : paramunused } + interface_parameters.append(parameter) + interfaces.append( { "interface_name" : interface_name, + "interface_summary" : interface_summary, + "interface_desc" : interface_desc, + "interface_parameters" : interface_parameters }) + #all_interfaces is for the main interface index with all interfaces + all_interfaces.append( { "interface_name" : interface_name, + "interface_summary" : interface_summary, + "interface_desc" : interface_desc, + "interface_parameters" : interface_parameters, + "mod_name": mod_name, + "mod_layer" : mod_layer }) + interfaces.sort(int_cmp) + interface_tpl = pyplate.Template(intdata) + interface_buf = interface_tpl.execute_string({"interfaces" : interfaces}) + + +# now generate individual template pages + 
templates = [] + for template in node.getElementsByTagName("template"): + template_parameters = [] + template_desc = template_summary = None + template_name = template.getAttribute("name") + template_line = template.getAttribute("lineno") + for desc in template.childNodes: + if desc.nodeName == "desc": + template_desc = format_html_desc(desc) + elif desc.nodeName == "summary": + template_summary = format_html_desc(desc) + + for args in template.getElementsByTagName("param"): + for desc in args.getElementsByTagName("summary"): + paramdesc = format_html_desc(desc) + paramname = args.getAttribute("name") + if args.getAttribute("optional") == "true": + paramopt = "Yes" + else: + paramopt = "No" + if args.getAttribute("unused") == "true": + paramunused = "Yes" + else: + paramunused = "No" + parameter = { "name" : paramname, + "desc" : paramdesc, + "optional" : paramopt, + "unused": paramunused } + template_parameters.append(parameter) + templates.append( { "template_name" : template_name, + "template_summary" : template_summary, + "template_desc" : template_desc, + "template_parameters" : template_parameters }) + #all_templates is for the main interface index with all templates + all_templates.append( { "template_name" : template_name, + "template_summary" : template_summary, + "template_desc" : template_desc, + "template_parameters" : template_parameters, + "mod_name": mod_name, + "mod_layer" : mod_layer }) + + templates.sort(temp_cmp) + template_tpl = pyplate.Template(templatedata) + template_buf = template_tpl.execute_string({"templates" : templates}) + + #generate 'boolean' pages + booleans = [] + for boolean in node.getElementsByTagName("bool"): + boolean_parameters = [] + boolean_desc = None + boolean_name = boolean.getAttribute("name") + boolean_dftval = boolean.getAttribute("dftval") + for desc in boolean.childNodes: + if desc.nodeName == "desc": + boolean_desc = format_html_desc(desc) + + booleans.append({ "bool_name" : boolean_name, + "desc" : boolean_desc, + 
"def_val" : boolean_dftval }) + #all_booleans is for the main boolean index with all booleans + all_booleans.append({ "bool_name" : boolean_name, + "desc" : boolean_desc, + "def_val" : boolean_dftval, + "mod_name": mod_name, + "mod_layer" : mod_layer }) + booleans.sort(bool_cmp) + boolean_tpl = pyplate.Template(booldata) + boolean_buf = boolean_tpl.execute_string({"booleans" : booleans}) + + #generate 'tunable' pages + tunables = [] + for tunable in node.getElementsByTagName("tunable"): + tunable_parameters = [] + tunable_desc = None + tunable_name = tunable.getAttribute("name") + tunable_dftval = tunable.getAttribute("dftval") + for desc in tunable.childNodes: + if desc.nodeName == "desc": + tunable_desc = format_html_desc(desc) + + tunables.append({ "tun_name" : tunable_name, + "desc" : tunable_desc, + "def_val" : tunable_dftval }) + #all_tunables is for the main tunable index with all tunables + all_tunables.append({ "tun_name" : tunable_name, + "desc" : tunable_desc, + "def_val" : tunable_dftval, + "mod_name": mod_name, + "mod_layer" : mod_layer }) + tunables.sort(tun_cmp) + tunable_tpl = pyplate.Template(tundata) + tunable_buf = tunable_tpl.execute_string({"tunables" : tunables}) + + + menu = gen_doc_menu(mod_layer, module_list) + + menu_tpl = pyplate.Template(menudata) + menu_buf = menu_tpl.execute_string({ "menulist" : menu }) + + + # pyplate's execute_string gives us a line of whitespace in + # template_buf or interface_buf if there are no interfaces or + # templates for this module. This is problematic because the + # HTML templates use a conditional if on interface_buf or + # template_buf being 'None' to decide if the "Template:" or + # "Interface:" headers need to be printed in the module pages. + # This detects if either of these are just whitespace, and sets + # their values to 'None' so that when applying it to the + # templates, they are properly recognized as not existing. 
+ if not interface_buf.strip(): + interface_buf = None + if not template_buf.strip(): + template_buf = None + if not tunable_buf.strip(): + tunable_buf = None + if not boolean_buf.strip(): + boolean_buf = None + + module_args = { "mod_layer" : mod_layer, + "mod_name" : mod_name, + "mod_summary" : mod_summary, + "mod_desc" : mod_desc, + "mod_req" : mod_req, + "interfaces" : interface_buf, + "templates" : template_buf, + "tunables" : tunable_buf, + "booleans" : boolean_buf } + + module_tpl = pyplate.Template(moduledata) + module_buf = module_tpl.execute_string(module_args) + + body_args = { "menu" : menu_buf, + "content" : module_buf } + + module_file = mod_layer + "_" + mod_name + ".html" + module_fh = open(module_file, "w") + body_tpl = pyplate.Template(bodydata) + body_tpl.execute(module_fh, body_args) + module_fh.close() + + + menu = gen_doc_menu(None, module_list) + menu_args = { "menulist" : menu, + "mod_layer" : None } + menu_tpl = pyplate.Template(menudata) + menu_buf = menu_tpl.execute_string(menu_args) + + #build the interface index + all_interfaces.sort(int_cmp) + interface_tpl = pyplate.Template(intlistdata) + interface_buf = interface_tpl.execute_string({"interfaces" : all_interfaces}) + int_file = "interfaces.html" + int_fh = open(int_file, "w") + body_tpl = pyplate.Template(bodydata) + + body_args = { "menu" : menu_buf, + "content" : interface_buf } + + body_tpl.execute(int_fh, body_args) + int_fh.close() + + + #build the template index + all_templates.sort(temp_cmp) + template_tpl = pyplate.Template(templistdata) + template_buf = template_tpl.execute_string({"templates" : all_templates}) + temp_file = "templates.html" + temp_fh = open(temp_file, "w") + body_tpl = pyplate.Template(bodydata) + + body_args = { "menu" : menu_buf, + "content" : template_buf } + + body_tpl.execute(temp_fh, body_args) + temp_fh.close() + + + #build the global tunable index + global_tun = [] + for tunable in doc.getElementsByTagName("tunable"): + if 
tunable.parentNode.nodeName == "policy": + tunable_name = tunable.getAttribute("name") + default_value = tunable.getAttribute("dftval") + for desc in tunable.getElementsByTagName("desc"): + description = format_html_desc(desc) + global_tun.append( { "tun_name" : tunable_name, + "def_val" : default_value, + "desc" : description } ) + global_tun.sort(tun_cmp) + global_tun_tpl = pyplate.Template(gtunlistdata) + global_tun_buf = global_tun_tpl.execute_string({"tunables" : global_tun}) + global_tun_file = "global_tunables.html" + global_tun_fh = open(global_tun_file, "w") + body_tpl = pyplate.Template(bodydata) + + body_args = { "menu" : menu_buf, + "content" : global_tun_buf } + + body_tpl.execute(global_tun_fh, body_args) + global_tun_fh.close() + + #build the tunable index + all_tunables = all_tunables + global_tun + all_tunables.sort(tun_cmp) + tunable_tpl = pyplate.Template(tunlistdata) + tunable_buf = tunable_tpl.execute_string({"tunables" : all_tunables}) + temp_file = "tunables.html" + temp_fh = open(temp_file, "w") + body_tpl = pyplate.Template(bodydata) + + body_args = { "menu" : menu_buf, + "content" : tunable_buf } + + body_tpl.execute(temp_fh, body_args) + temp_fh.close() + + #build the global boolean index + global_bool = [] + for boolean in doc.getElementsByTagName("bool"): + if boolean.parentNode.nodeName == "policy": + bool_name = boolean.getAttribute("name") + default_value = boolean.getAttribute("dftval") + for desc in boolean.getElementsByTagName("desc"): + description = format_html_desc(desc) + global_bool.append( { "bool_name" : bool_name, + "def_val" : default_value, + "desc" : description } ) + global_bool.sort(bool_cmp) + global_bool_tpl = pyplate.Template(gboollistdata) + global_bool_buf = global_bool_tpl.execute_string({"booleans" : global_bool}) + global_bool_file = "global_booleans.html" + global_bool_fh = open(global_bool_file, "w") + body_tpl = pyplate.Template(bodydata) + + body_args = { "menu" : menu_buf, + "content" : global_bool_buf } 
+ + body_tpl.execute(global_bool_fh, body_args) + global_bool_fh.close() + + #build the boolean index + all_booleans = all_booleans + global_bool + all_booleans.sort(bool_cmp) + boolean_tpl = pyplate.Template(boollistdata) + boolean_buf = boolean_tpl.execute_string({"booleans" : all_booleans}) + temp_file = "booleans.html" + temp_fh = open(temp_file, "w") + body_tpl = pyplate.Template(bodydata) + + body_args = { "menu" : menu_buf, + "content" : boolean_buf } + + body_tpl.execute(temp_fh, body_args) + temp_fh.close() + + + +def error(error): + """ + Print an error message and exit. + """ + + sys.stderr.write("%s exiting for: " % sys.argv[0]) + sys.stderr.write("%s\n" % error) + sys.stderr.flush() + sys.exit(1) + +def warning(warn): + """ + Print a warning message. + """ + + sys.stderr.write("%s warning: " % sys.argv[0]) + sys.stderr.write("%s\n" % warn) + +def usage(): + """ + Describes the proper usage of this tool. + """ + + sys.stdout.write("%s [-tmdT] -x <xmlfile>\n\n" % sys.argv[0]) + sys.stdout.write("Options:\n") + sys.stdout.write("-b --booleans <file> -- write boolean config to <file>\n") + sys.stdout.write("-m --modules <file> -- write module config to <file>\n") + sys.stdout.write("-d --docs <dir> -- write interface documentation to <dir>\n") + sys.stdout.write("-x --xml <file> -- filename to read xml data from\n") + sys.stdout.write("-T --templates <dir> -- template directory for documents\n") + + +# MAIN PROGRAM +try: + opts, args = getopt.getopt(sys.argv[1:], "b:m:d:x:T:", ["booleans","modules","docs","xml", "templates"]) +except getopt.GetoptError: + usage() + sys.exit(1) + +booleans = modules = docsdir = None +templatedir = "templates/" +xmlfile = "policy.xml" + +for opt, val in opts: + if opt in ("-b", "--booleans"): + booleans = val + if opt in ("-m", "--modules"): + modules = val + if opt in ("-d", "--docs"): + docsdir = val + if opt in ("-x", "--xml"): + xmlfile = val + if opt in ("-T", "--templates"): + templatedir = val + +doc = 
read_policy_xml(xmlfile) + +if booleans: + namevalue_list = [] + if os.path.exists(booleans): + try: + conf = open(booleans, 'r') + except: + error("Could not open booleans file for reading") + + namevalue_list = get_conf(conf) + + conf.close() + + try: + conf = open(booleans, 'w') + except: + error("Could not open booleans file for writing") + + gen_booleans_conf(doc, conf, namevalue_list) + conf.close() + + +if modules: + namevalue_list = [] + if os.path.exists(modules): + try: + conf = open(modules, 'r') + except: + error("Could not open modules file for reading") + namevalue_list = get_conf(conf) + conf.close() + + try: + conf = open(modules, 'w') + except: + error("Could not open modules file for writing") + gen_module_conf(doc, conf, namevalue_list) + conf.close() + +if docsdir: + gen_docs(doc, docsdir, templatedir) diff --git a/support/segenxml.py b/support/segenxml.py new file mode 100644 index 0000000..d6c4fd5 --- /dev/null +++ b/support/segenxml.py 
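Review bot: format_html_desc copies text nodes straight into the generated HTML (`desc_buf += "<p>" + desc.data + "</p>"` and `desc_buf += desc.data`), so a `<` or `&` in a policy comment lands unescaped in the documentation pages; pass the text through xml.sax.saxutils.escape before concatenating, and replace `if desc.data is not ''` with `!=`, since `is not` on a string literal is an identity test, not a comparison. Related, gen_docs does `os.chdir(working_dir)` and then opens `mod_layer + "_" + mod_name + ".html"` (and `mod_layer + ".html"`) with the names taken directly from XML attributes; nothing limits those to a single path component, and a one-line check that neither contains a path separator makes the output location depend only on docsdir. In the per-module loop, `mod_name = mod_layer = mod_desc = interface_buf = ''` does not reset mod_summary, so a module without a summary element inherits the previous module's summary in module_args (or raises NameError if it is the first module); add mod_summary to that reset. Finally, the getopt long options `["booleans","modules","docs","xml", "templates"]` lack the trailing `=` that getopt needs for options taking an argument, so `--xml policy.xml` leaves xmlfile empty and policy.xml as a positional argument; usage() also advertises `[-tmdT]` although the short options are b, m, d, x and T, and get_conf reports `line %d` with a zero-based index, so its warnings point one line above the offending line.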
@@ -0,0 +1,391 @@ +#!/usr/bin/python + +# Author(s): Donald Miner <dminer@tresys.com> +# Dave Sugar <dsugar@tresys.com> +# Brian Williams <bwilliams@tresys.com> +# Caleb Case <ccase@tresys.com> +# +# Copyright (C) 2005 - 2006 Tresys Technology, LLC +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, version 2. + +""" + This script generates XML documentation information for layers specified + by the user. +""" + +import sys +import os +import glob +import re +import getopt + +# GLOBALS + +# Default values of command line arguments: +warn = False +meta = "metadata" +third_party = "third-party" +layers = {} +tunable_files = [] +bool_files = [] +xml_tunable_files = [] +xml_bool_files = [] +output_dir = "" + +# Pre compiled regular expressions: + +# Matches either an interface or a template declaration. Will give the tuple: +# ("interface" or "template", name) +# Some examples: +# "interface(`kernel_read_system_state',`" +# -> ("interface", "kernel_read_system_state") +# "template(`base_user_template',`" +# -> ("template", "base_user_template") +INTERFACE = re.compile("^\s*(interface|template)\(`(\w*)'") + +# Matches either a gen_bool or a gen_tunable statement. Will give the tuple: +# ("tunable" or "bool", name, "true" or "false") +# Some examples: +# "gen_bool(secure_mode, false)" +# -> ("bool", "secure_mode", "false") +# "gen_tunable(allow_kerberos, false)" +# -> ("tunable", "allow_kerberos", "false") +BOOLEAN = re.compile("^\s*gen_(tunable|bool)\(\s*(\w*)\s*,\s*(true|false)\s*\)") + +# Matches a XML comment in the policy, which is defined as any line starting +# with two # and at least one character of white space. Will give the single +# valued tuple: +# ("comment") +# Some Examples: +# "## <summary>" +# -> ("<summary>") +# "## The domain allowed access. 
" +# -> ("The domain allowed access.") +XML_COMMENT = re.compile("^##\s+(.*?)\s*$") + + +# FUNCTIONS +def getModuleXML(file_name): + ''' + Returns the XML data for a module in a list, one line per list item. + ''' + + # Gather information. + module_dir = os.path.dirname(file_name) + module_name = os.path.basename(file_name) + module_te = "%s/%s.te" % (module_dir, module_name) + module_if = "%s/%s.if" % (module_dir, module_name) + + # Try to open the file, if it cant, just ignore it. + try: + module_file = open(module_if, "r") + module_code = module_file.readlines() + module_file.close() + except: + warning("cannot open file %s for read, skipping" % file_name) + return [] + + module_buf = [] + + # Infer the module name, which is the base of the file name. + module_buf.append("<module name=\"%s\" filename=\"%s\">\n" + % (os.path.splitext(os.path.split(file_name)[-1])[0], module_if)) + + temp_buf = [] + interface = None + + # finding_header is a flag to denote whether we are still looking + # for the XML documentation at the head of the file. + finding_header = True + + # Get rid of whitespace at top of file + while(module_code and module_code[0].isspace()): + module_code = module_code[1:] + + # Go line by line and figure out what to do with it. + line_num = 0 + for line in module_code: + line_num += 1 + if finding_header: + # If there is a XML comment, add it to the temp buffer. + comment = XML_COMMENT.match(line) + if comment: + temp_buf.append(comment.group(1) + "\n") + continue + + # Once a line that is not an XML comment is reached, + # either put the XML out to module buffer as the + # module's documentation, or attribute it to an + # interface/template. + elif temp_buf: + finding_header = False + interface = INTERFACE.match(line) + if not interface: + module_buf += temp_buf + temp_buf = [] + continue + + # Skip over empty lines + if line.isspace(): + continue + + # Grab a comment and add it to the temprorary buffer, if it + # is there. 
+ comment = XML_COMMENT.match(line) + if comment: + temp_buf.append(comment.group(1) + "\n") + continue + + # Grab the interface information. This is only not true when + # the interface is at the top of the file and there is no + # documentation for the module. + if not interface: + interface = INTERFACE.match(line) + if interface: + # Add the opening tag for the interface/template + groups = interface.groups() + module_buf.append("<%s name=\"%s\" lineno=\"%s\">\n" % (groups[0], groups[1], line_num)) + + # Add all the comments attributed to this interface to + # the module buffer. + if temp_buf: + module_buf += temp_buf + temp_buf = [] + + # Add default summaries and parameters so that the + # DTD is happy. + else: + warning ("unable to find XML for %s %s()" % (groups[0], groups[1])) + module_buf.append("<summary>\n") + module_buf.append("Summary is missing!\n") + module_buf.append("</summary>\n") + module_buf.append("<param name=\"?\">\n") + module_buf.append("<summary>\n") + module_buf.append("Parameter descriptions are missing!\n") + module_buf.append("</summary>\n") + module_buf.append("</param>\n") + + # Close the interface/template tag. + module_buf.append("</%s>\n" % interface.group(1)) + + interface = None + continue + + + + # If the file just had a header, add the comments to the module buffer. + if finding_header: + module_buf += temp_buf + # Otherwise there are some lingering XML comments at the bottom, warn + # the user. + elif temp_buf: + warning("orphan XML comments at bottom of file %s" % file_name) + + # Process the TE file if it exists. + module_buf = module_buf + getTunableXML(module_te, "both") + + module_buf.append("</module>\n") + + return module_buf + +def getTunableXML(file_name, kind): + ''' + Return all the XML for the tunables/bools in the file specified. + ''' + + # Try to open the file, if it cant, just ignore it. 
+ try: + tunable_file = open(file_name, "r") + tunable_code = tunable_file.readlines() + tunable_file.close() + except: + warning("cannot open file %s for read, skipping" % file_name) + return [] + + tunable_buf = [] + temp_buf = [] + + # Find tunables and booleans line by line and use the comments above + # them. + for line in tunable_code: + # If it is an XML comment, add it to the buffer and go on. + comment = XML_COMMENT.match(line) + if comment: + temp_buf.append(comment.group(1) + "\n") + continue + + # Get the boolean/tunable data. + boolean = BOOLEAN.match(line) + + # If we reach a boolean/tunable declaration, attribute all XML + # in the temp buffer to it and add XML to the tunable buffer. + if boolean: + # If there is a gen_bool in a tunable file or a + # gen_tunable in a boolean file, error and exit. + # Skip if both kinds are valid. + if kind != "both": + if boolean.group(1) != kind: + error("%s in a %s file." % (boolean.group(1), kind)) + + tunable_buf.append("<%s name=\"%s\" dftval=\"%s\">\n" % boolean.groups()) + tunable_buf += temp_buf + temp_buf = [] + tunable_buf.append("</%s>\n" % boolean.group(1)) + + # If there are XML comments at the end of the file, they arn't + # attributed to anything. These are ignored. + if len(temp_buf): + warning("orphan XML comments at bottom of file %s" % file_name) + + + # If the caller requested a the global_tunables and global_booleans to be + # output to a file output them now + if len(output_dir) > 0: + xmlfile = os.path.split(file_name)[1] + ".xml" + + try: + xml_outfile = open(output_dir + "/" + xmlfile, "w") + for tunable_line in tunable_buf: + xml_outfile.write (tunable_line) + xml_outfile.close() + except: + warning ("cannot write to file %s, skipping creation" % xmlfile) + + return tunable_buf + +def getXMLFileContents (file_name): + ''' + Return all the XML in the file specified. + ''' + + tunable_buf = [] + # Try to open the xml file for this type of file + # append the contents to the buffer. 
+ try: + tunable_xml = open(file_name, "r") + tunable_buf += tunable_xml.readlines() + tunable_xml.close() + except: + warning("cannot open file %s for read, assuming no data" % file_name) + + return tunable_buf + +def getPolicyXML(): + ''' + Return the compelete reference policy XML documentation through a list, + one line per item. + ''' + + policy_buf = [] + policy_buf.append("<policy>\n") + + # Add to the XML each layer specified by the user. + for layer in layers.keys (): + policy_buf += getLayerXML(layer, layers[layer]) + + # Add to the XML each tunable file specified by the user. + for tunable_file in tunable_files: + policy_buf += getTunableXML(tunable_file, "tunable") + + # Add to the XML each XML tunable file specified by the user. + for tunable_file in xml_tunable_files: + policy_buf += getXMLFileContents (tunable_file) + + # Add to the XML each bool file specified by the user. + for bool_file in bool_files: + policy_buf += getTunableXML(bool_file, "bool") + + # Add to the XML each XML bool file specified by the user. + for bool_file in xml_bool_files: + policy_buf += getXMLFileContents (bool_file) + + policy_buf.append("</policy>\n") + + return policy_buf + +def usage(): + """ + Displays a message describing the proper usage of this script. + """ + + sys.stdout.write("usage: %s [-w] [-mtb] <file>\n\n" % sys.argv[0]) + sys.stdout.write("-w --warn\t\t\tshow warnings\n"+\ + "-m --module <file>\t\tname of module to process\n"+\ + "-t --tunable <file>\t\tname of global tunable file to process\n"+\ + "-b --boolean <file>\t\tname of global boolean file to process\n\n") + + sys.stdout.write("examples:\n") + sys.stdout.write("> %s -w -m policy/modules/apache\n" % sys.argv[0]) + sys.stdout.write("> %s -t policy/global_tunables\n" % sys.argv[0]) + +def warning(description): + ''' + Warns the user of a non-critical error. 
+ ''' + + if warn: + sys.stderr.write("%s: " % sys.argv[0] ) + sys.stderr.write("warning: " + description + "\n") + +def error(description): + ''' + Describes an error and exists the program. + ''' + + sys.stderr.write("%s: " % sys.argv[0] ) + sys.stderr.write("error: " + description + "\n") + sys.stderr.flush() + sys.exit(1) + + + +# MAIN PROGRAM + +# Defaults +warn = False +module = False +tunable = False +boolean = False + +# Check that there are command line arguments. +if len(sys.argv) <= 1: + usage() + sys.exit(1) + +# Parse command line args +try: + opts, args = getopt.getopt(sys.argv[1:], 'whm:t:b:', ['warn', 'help', 'module=', 'tunable=', 'boolean=']) +except getopt.GetoptError: + usage() + sys.exit(2) +for o, a in opts: + if o in ('-w', '--warn'): + warn = True + elif o in ('-h', '--help'): + usage() + sys.exit(0) + elif o in ('-m', '--module'): + module = a + break + elif o in ('-t', '--tunable'): + tunable = a + break + elif o in ('-b', '--boolean'): + boolean = a + break + else: + usage() + sys.exit(2) + +if module: + sys.stdout.writelines(getModuleXML(module)) +elif tunable: + sys.stdout.writelines(getTunableXML(tunable, "tunable")) +elif boolean: + sys.stdout.writelines(getTunableXML(boolean, "bool")) +else: + usage() + sys.exit(2) + diff --git a/support/selinux-policy-refpolicy.spec b/support/selinux-policy-refpolicy.spec new file mode 100644 index 0000000..b5c5d61 --- /dev/null +++ b/support/selinux-policy-refpolicy.spec 
@@ -0,0 +1,435 @@ +%define distro redhat +%define direct_initrc y +%define monolithic n +%define polname1 targeted +%define type1 targeted-mcs +%define polname2 strict +%define type2 strict-mcs +Summary: SELinux policy configuration +Name: selinux-policy +Version: 20051019 +Release: 1 +License: GPL +Group: System Environment/Base +Source: refpolicy-%{version}.tar.bz2 +Url: http://serefpolicy.sourceforge.net +BuildRoot: %{_tmppath}/refpolicy-buildroot +BuildArch: noarch +# FIXME Need to ensure these have correct versions +BuildRequires: checkpolicy m4 policycoreutils python make gcc +PreReq: kernel >= 2.6.4-1.300 policycoreutils >= %{POLICYCOREUTILSVER} +Obsoletes: policy + +%description +SELinux Reference Policy - modular. + +%prep +%setup -q +make conf + +%build + +%install +%{__rm} -fR $RPM_BUILD_ROOT +make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} base.pp +make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} modules +%{__mkdir} -p $RPM_BUILD_ROOT/%{_usr}/share/selinux/%{polname1}/%{type1} +%{__cp} *.pp $RPM_BUILD_ROOT/%{_usr}/share/selinux/%{polname1}/%{type1} +%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%{polname1}/policy +%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%{polname1}/contexts/files +make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=y DESTDIR=$RPM_BUILD_ROOT install-appconfig +make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%{polname1}/users/local.users +make NAME=%{polname1} TYPE=%{type1} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%{polname1}/users/system.users +make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} 
MONOLITHIC=%{monolithic} base.pp +make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} modules +%{__mkdir} -p $RPM_BUILD_ROOT/%{_usr}/share/selinux/%{polname2}/%{type2} +%{__cp} *.pp $RPM_BUILD_ROOT/%{_usr}/share/selinux/%{polname2}/%{type2} +%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%{polname2}/policy +%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%{polname2}/contexts/files +make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=y DESTDIR=$RPM_BUILD_ROOT install-appconfig +make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%{polname2}/users/local.users +make NAME=%{polname2} TYPE=%{type2} DISTRO=%{distro} DIRECT_INITRC=%{direct_initrc} MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%{polname2}/users/system.users + +%clean +%{__rm} -fR $RPM_BUILD_ROOT + +%files +%defattr(-,root,root) +%dir %{_usr}/share/selinux +%dir %{_sysconfdir}/selinux +%dir %{_usr}/share/selinux/* +%dir %{_usr}/share/selinux/*/* +%config %{_usr}/share/selinux/*/*/*.pp +#%ghost %config(noreplace) %{_sysconfdir}/selinux/config +%dir %{_sysconfdir}/selinux/* +%ghost %config %{_sysconfdir}/selinux/*/booleans +%dir %{_sysconfdir}/selinux/*/policy +#%ghost %config %{_sysconfdir}/selinux/*/policy/policy.* +%dir %{_sysconfdir}/selinux/*/contexts +%config(noreplace) %{_sysconfdir}/selinux/*/contexts/customizable_types +%config(noreplace) %{_sysconfdir}/selinux/*/contexts/dbus_contexts +%config(noreplace) %{_sysconfdir}/selinux/*/contexts/default_contexts +%config(noreplace) %{_sysconfdir}/selinux/*/contexts/default_type +%config(noreplace) %{_sysconfdir}/selinux/*/contexts/failsafe_context +%config(noreplace) %{_sysconfdir}/selinux/*/contexts/initrc_context +%config(noreplace) %{_sysconfdir}/selinux/*/contexts/removable_context 
+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/userhelper_context +%config(noreplace) %{_sysconfdir}/selinux/*/contexts/x_contexts +%dir %{_sysconfdir}/selinux/*/contexts/files +#%ghost %config %{_sysconfdir}/selinux/*/contexts/files/file_contexts +#%ghost %config %{_sysconfdir}/selinux/*/contexts/files/homedir_template +#%ghost %config %{_sysconfdir}/selinux/*/contexts/files/file_contexts.homedirs +%config %{_sysconfdir}/selinux/*/contexts/files/media +%dir %{_sysconfdir}/selinux/*/users +%config %{_sysconfdir}/selinux/*/users/system.users +%config %{_sysconfdir}/selinux/*/users/local.users +#%ghost %dir %{_sysconfdir}/selinux/*/modules + +%pre + +%post + +%package base-targeted +Summary: SELinux %{polname1} base policy +Group: System Environment/Base +Provides: selinux-policy-base + +%description base-targeted +SELinux Reference policy targeted base module. + +%files base-targeted +%defattr(-,root,root) +%dir %{_usr}/share/selinux +%dir %{_usr}/share/selinux/%{polname1} +%dir %{_usr}/share/selinux/%{polname1}/%{type1} +%config %{_usr}/share/selinux/%{polname1}/%{type1}/base.pp +%dir %{_sysconfdir}/selinux +#%ghost %config(noreplace) %{_sysconfdir}/selinux/config +%dir %{_sysconfdir}/selinux/%{polname1} +%ghost %config %{_sysconfdir}/selinux/%{polname1}/booleans +%dir %{_sysconfdir}/selinux/%{polname1}/policy +#%ghost %config %{_sysconfdir}/selinux/%{polname1}/policy/policy.* +%dir %{_sysconfdir}/selinux/%{polname1}/contexts +%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/customizable_types +%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/dbus_contexts +%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/default_contexts +%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/default_type +%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/failsafe_context +%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/initrc_context +%config(noreplace) 
%{_sysconfdir}/selinux/%{polname1}/contexts/removable_context +%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/userhelper_context +%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/x_contexts +%dir %{_sysconfdir}/selinux/%{polname1}/contexts/files +#%ghost %config %{_sysconfdir}/selinux/%{polname1}/contexts/files/file_contexts +#%ghost %config %{_sysconfdir}/selinux/%{polname1}/contexts/files/homedir_template +#%ghost %config %{_sysconfdir}/selinux/%{polname1}/contexts/files/file_contexts.homedirs +%config %{_sysconfdir}/selinux/%{polname1}/contexts/files/media +%dir %{_sysconfdir}/selinux/%{polname1}/users +%config %{_sysconfdir}/selinux/%{polname1}/users/system.users +%config %{_sysconfdir}/selinux/%{polname1}/users/local.users +#%ghost %dir %{_sysconfdir}/selinux/%{polname1}/modules + +%post base-targeted +semodule -b /usr/share/selinux/%{polname1}/%{type1}/base.pp -s %{_sysconfdir}/selinux/%{polname1} +for file in $(ls /usr/share/selinux/%{polname1}/%{type1} | grep -v base.pp) +do semodule -i /usr/share/selinux/%{polname1}/%{type1}/$file -s %{_sysconfdir}/selinux/%{polname1} +done + +%package base-strict +Summary: SELinux %{polname2} base policy +Group: System Environment/Base +Provides: selinux-policy-base + +%description base-strict +SELinux Reference policy strict base module. 
+ +%files base-strict +%defattr(-,root,root) +%dir %{_usr}/share/selinux +%dir %{_usr}/share/selinux/%{polname2} +%dir %{_usr}/share/selinux/%{polname2}/%{type2} +%config %{_usr}/share/selinux/%{polname2}/%{type2}/base.pp +%dir %{_sysconfdir}/selinux +#%ghost %config(noreplace) %{_sysconfdir}/selinux/config +%dir %{_sysconfdir}/selinux/%{polname2} +%ghost %config %{_sysconfdir}/selinux/%{polname2}/booleans +%dir %{_sysconfdir}/selinux/%{polname2}/policy +#%ghost %config %{_sysconfdir}/selinux/%{polname2}/policy/policy.* +%dir %{_sysconfdir}/selinux/%{polname2}/contexts +%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/customizable_types +%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/dbus_contexts +%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/default_contexts +%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/default_type +%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/failsafe_context +%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/initrc_context +%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/removable_context +%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/userhelper_context +%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/x_contexts +%dir %{_sysconfdir}/selinux/%{polname2}/contexts/files +#%ghost %config %{_sysconfdir}/selinux/%{polname2}/contexts/files/file_contexts +#%ghost %config %{_sysconfdir}/selinux/%{polname2}/contexts/files/homedir_template +#%ghost %config %{_sysconfdir}/selinux/%{polname2}/contexts/files/file_contexts.homedirs +%config %{_sysconfdir}/selinux/%{polname2}/contexts/files/media +%dir %{_sysconfdir}/selinux/%{polname2}/users +%config %{_sysconfdir}/selinux/%{polname2}/users/system.users +%config %{_sysconfdir}/selinux/%{polname2}/users/local.users +#%ghost %dir %{_sysconfdir}/selinux/%{polname2}/modules + +%post base-strict +semodule -b /usr/share/selinux/%{polname2}/%{type2}/base.pp -s 
%{_sysconfdir}/selinux/%{polname2} +for file in $(ls /usr/share/selinux/%{polname2}/%{type2} | grep -v base.pp) +do semodule -i /usr/share/selinux/%{polname2}/%{type2}/$file -s %{_sysconfdir}/selinux/%{polname2} +done + +%package apache +Summary: SELinux apache policy +Group: System Environment/Base +Requires: selinux-policy-base + +%description apache +SELinux Reference policy apache module. + +%files apache +%defattr(-,root,root) +%dir %{_usr}/share/selinux +%dir %{_usr}/share/selinux/* +%dir %{_usr}/share/selinux/*/* +%config %{_usr}/share/selinux/*/*/apache.pp + +%post apache +if [ -d %{_sysconfdir}/selinux/%{polname1}/modules ] ; then +semodule -n -i %{_usr}/share/selinux/%{polname1}/%{type1}/apache.pp -s %{_sysconfdir}/selinux/%{polname1} +fi +if [ -d %{_sysconfdir}/selinux/%{polname2}/modules ] ; then +semodule -i %{_usr}/share/selinux/%{polname2}/%{type2}/apache.pp -s %{_sysconfdir}/selinux/%{polname2} +fi + +%preun apache +if [ -d %{_sysconfdir}/selinux/%{polname1}/modules ] +then semodule -n -r apache -s %{_sysconfdir}/selinux/%{polname1} +fi +if [ -d %{_sysconfdir}/selinux/%{polname2}/modules ] +then semodule -n -r apache -s %{_sysconfdir}/selinux/%{polname2} +fi + +%package bind +Summary: SELinux bind policy +Group: System Environment/Base + +%description bind +SELinux Reference policy bind module. + +%files bind +%defattr(-,root,root) +%dir %{_usr}/share/selinux +%dir %{_usr}/share/selinux/* +%dir %{_usr}/share/selinux/*/* +%config %{_usr}/share/selinux/*/*/bind.pp + +%post bind +semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/bind.pp + +%preun bind +semodule -r bind + +%package dhcp +Summary: SELinux dhcp policy +Group: System Environment/Base + +%description dhcp +SELinux Reference policy dhcp module. 
+ +%files dhcp +%defattr(-,root,root) +%dir %{_usr}/share/selinux +%dir %{_usr}/share/selinux/* +%dir %{_usr}/share/selinux/*/* +%config %{_usr}/share/selinux/*/*/dhcp.pp + +%post dhcp +semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/dhcp.pp + +%preun dhcp +semodule -r dhcp + +%package ldap +Summary: SELinux ldap policy +Group: System Environment/Base + +%description ldap +SELinux Reference policy ldap module. + +%files ldap +%defattr(-,root,root) +%dir %{_usr}/share/selinux +%dir %{_usr}/share/selinux/* +%dir %{_usr}/share/selinux/*/* +%config %{_usr}/share/selinux/*/*/ldap.pp + +%post ldap +semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/ldap.pp + +%preun ldap +semodule -r ldap + +%package mailman +Summary: SELinux mailman policy +Group: System Environment/Base + +%description mailman +SELinux Reference policy mailman module. + +%files mailman +%defattr(-,root,root) +%dir %{_usr}/share/selinux +%dir %{_usr}/share/selinux/* +%dir %{_usr}/share/selinux/*/* +%config %{_usr}/share/selinux/*/*/mailman.pp + +%post mailman +semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/mailman.pp + +%preun mailman +semodule -r mailman + +%package mysql +Summary: SELinux mysql policy +Group: System Environment/Base + +%description mysql +SELinux Reference policy mysql module. + +%files mysql +%defattr(-,root,root) +%dir %{_usr}/share/selinux +%dir %{_usr}/share/selinux/* +%dir %{_usr}/share/selinux/*/* +%config %{_usr}/share/selinux/*/*/mysql.pp + +%post mysql +semodule -i %{_usr}/share/selinux/targeted/targeted-mcsmysql.pp + +%preun mysql +semodule -r mysql + +%package portmap +Summary: SELinux portmap policy +Group: System Environment/Base + +%description portmap +SELinux Reference policy portmap module. 
+ +%files portmap +%defattr(-,root,root) +%dir %{_usr}/share/selinux +%dir %{_usr}/share/selinux/* +%dir %{_usr}/share/selinux/*/* +%config %{_usr}/share/selinux/*/*/portmap.pp + +%post portmap +semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/portmap.pp + +%preun portmap +semodule -r portmap + +%package postgresql +Summary: SELinux postgresql policy +Group: System Environment/Base + +%description postgresql +SELinux Reference policy postgresql module. + +%files postgresql +%defattr(-,root,root) +%dir %{_usr}/share/selinux +%dir %{_usr}/share/selinux/* +%dir %{_usr}/share/selinux/*/* +%config %{_usr}/share/selinux/*/*/postgresql.pp + +%post postgresql +semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/postgresql.pp + +%preun postgresql +semodule -r postgresql + +%package samba +Summary: SELinux samba policy +Group: System Environment/Base + +%description samba +SELinux Reference policy samba module. + +%files samba +%defattr(-,root,root) +%dir %{_usr}/share/selinux +%dir %{_usr}/share/selinux/* +%dir %{_usr}/share/selinux/*/* +%config %{_usr}/share/selinux/*/*/samba.pp + +%post samba +semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/samba.pp + +%preun samba +semodule -r samba + +%package snmp +Summary: SELinux snmp policy +Group: System Environment/Base + +%description snmp +SELinux Reference policy snmp module. + +%files snmp +%defattr(-,root,root) +%dir %{_usr}/share/selinux +%dir %{_usr}/share/selinux/* +%dir %{_usr}/share/selinux/*/* +%config %{_usr}/share/selinux/*/*/snmp.pp + +%post snmp +semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/snmp.pp + +%preun snmp +semodule -r snmp + +%package squid +Summary: SELinux squid policy +Group: System Environment/Base + +%description squid +SELinux Reference policy squid module. 
+ +%files squid +%defattr(-,root,root) +%dir %{_usr}/share/selinux +%dir %{_usr}/share/selinux/* +%dir %{_usr}/share/selinux/*/* +%config %{_usr}/share/selinux/*/*/squid.pp + +%post squid +semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/squid.pp + +%preun squid +semodule -r squid + +%package webalizer +Summary: SELinux webalizer policy +Group: System Environment/Base + +%description webalizer +SELinux Reference policy webalizer module. + +%files webalizer +%defattr(-,root,root) +%dir %{_usr}/share/selinux +%dir %{_usr}/share/selinux/* +%dir %{_usr}/share/selinux/*/* +%config %{_usr}/share/selinux/*/*/webalizer.pp + +%post webalizer +semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/webalizer.pp + +%preun webalizer +semodule -r webalizer + +%changelog diff --git a/support/selinux-refpolicy-sources.spec.skel b/support/selinux-refpolicy-sources.spec.skel new file mode 100644 index 0000000..8973bc7 --- /dev/null +++ b/support/selinux-refpolicy-sources.spec.skel 
@@ -0,0 +1,49 @@ +%define type refpolicy +%define POLICYDIR /etc/selinux/%{type} +%define FILE_CON ${POLICYDIR}/contexts/files/file_contexts +%define FC_PRE ${FILE_CON}.pre + +Summary: SELinux Reference Policy configuration source files +Name: selinux-refpolicy-sources +Version: REFPOL_VERSION +Release: 1 +License: GPL +Group: System Environment/Base +PreReq: m4 make policycoreutils kernel gcc +Requires: checkpolicy >= 1.33.1 +Requires: python make m4 +BuildRequires: make m4 python +Obsoletes: policy-sources +Source: refpolicy-%{version}.tar.bz2 +Url: http://oss.tresys.com/projects/refpolicy +BuildArch: noarch +BuildRoot: /tmp/rpmbuild/%{name} + +%description +This subpackage includes the SELinux Reference Policy +source files, which can be used to build a targeted policy +or strict policy configuration. + +%prep +%setup -q -n refpolicy + +%build +sed -i -e '/^TYPE/s/strict/targeted/' Makefile +sed -i -e 's/^#DISTRO/DISTRO/' Makefile +sed -i -e '/^DIRECT_INITRC/s/n/y/' Makefile +make conf +make clean +rm -f support/*.pyc + +%install +rm -fR $RPM_BUILD_ROOT +make DESTDIR=$RPM_BUILD_ROOT install-src + +%clean +rm -fR $RPM_BUILD_ROOT + +%files +%defattr(-,root,root,-) +%{_sysconfdir}/selinux/%{type}/src/policy/ + +%changelog diff --git a/support/set_bools_tuns.awk b/support/set_bools_tuns.awk new file mode 100644 index 0000000..cedc19b --- /dev/null +++ b/support/set_bools_tuns.awk @@ -0,0 +1,11 @@ +# Read booleans.conf and output M4 directives to +# override default settings in global_booleans + +BEGIN { + FS="=" +} + +/^[[:blank:]]*[[:alpha:]]+/{ + gsub(/[[:blank:]]*/,"") + print "define(`"$1"_conf',`"$2"')" +} diff --git a/support/undivert.m4 b/support/undivert.m4 new file mode 100644 index 0000000..8545e47 --- /dev/null +++ b/support/undivert.m4 @@ -0,0 +1 @@ +divert \ No newline at end of file
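Review bot: in the `if booleans:` and `if modules:` blocks at the start of the patch, the output file is opened with `open(booleans, 'w')` (which truncates it) before `gen_booleans_conf(doc, conf, namevalue_list)` runs, so an exception inside the generator leaves the administrator's existing booleans file empty; the same holds for `open(modules, 'w')` and `gen_module_conf`. Generate into a temporary file in the same directory and rename it over the original only after generation succeeds. The bare `except:` around each `open()` also swallows every exception type, including `KeyboardInterrupt`, and drops the OS error text; catch `IOError` and include the reported reason in the `error(...)` message.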
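Review bot: `getPolicyXML()` in support/segenxml.py calls `getLayerXML(layer, layers[layer])`, which is not defined anywhere in the file, and the globals it walks (`layers`, `xml_tunable_files`, `xml_bool_files`) are never populated, nor does the main program ever call it; either remove the function or add the missing `getLayerXML` and the options that fill those lists. A related dead path: `output_dir` is only ever assigned `""`, so the `if len(output_dir) > 0:` block in `getTunableXML()` cannot run. In the `getopt` loop the `break` after `-m`, `-t` and `-b` stops option processing, so `-w` is silently ignored when it follows the file option (`-m policy/modules/apache -w`); drop the `break`s or document that `-w` must come first. The `open()`/`readlines()` calls sit inside bare `except:` clauses, which also hide `MemoryError` and `KeyboardInterrupt`; catch `IOError`. The `module_if` path is interpolated unescaped into `filename="%s"`, so a path containing `&` or `"` yields malformed XML. The regular expressions use non-raw strings with `\s` and `\(` escapes; prefer `r"..."`. Comment typos: "temprorary", "compelete", "arn't", and the `error()` docstring says "exists the program" (exits).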
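Review bot: `%post mysql` in support/selinux-policy-refpolicy.spec runs `semodule -i %{_usr}/share/selinux/targeted/targeted-mcsmysql.pp`; the slash before `mysql.pp` is missing, so the module is never installed and the scriptlet failure goes unnoticed at install time. More generally, the per-module `%post`/`%preun` scriptlets for bind, dhcp, ldap, mailman, mysql, portmap, postgresql, samba, snmp, squid and webalizer hardcode `targeted/targeted-mcs` and call `semodule -i`/`semodule -r` without a `-s` store, so the strict store built from `%{polname2}`/`%{type2}` never receives them, whereas `%post apache` handles both stores and checks for the `modules` directory first; use `%{polname1}/%{type1}` and mirror the apache form in every subpackage. The top-level `%files` lists `%config %{_usr}/share/selinux/*/*/*.pp` and the whole `%{_sysconfdir}/selinux/*` tree, which are also owned by `base-targeted`, `base-strict` and each module subpackage, so the same paths are packaged more than once. `PreReq: ... policycoreutils >= %{POLICYCOREUTILSVER}` references a macro the spec never defines. Also: only apache carries `Requires: selinux-policy-base`; `%pre`, `%post` and `%changelog` are empty; the targeted branch of `%post apache` and both `%preun apache` branches pass `-n` (no policy reload) while the strict branch of `%post apache` does not, so reload behaviour differs between the two stores.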
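Review bot: in support/selinux-refpolicy-sources.spec.skel, `%define FILE_CON ${POLICYDIR}/contexts/files/file_contexts` and `%define FC_PRE ${FILE_CON}.pre` use shell `${...}` syntax, so rpm never expands `POLICYDIR` or `FILE_CON` inside them; both macros are also unused, so either drop them or write `%{POLICYDIR}`. `POLICYDIR` hardcodes `/etc/selinux` while `%files` uses `%{_sysconfdir}`; pick one. `BuildRoot: /tmp/rpmbuild/%{name}` is a fixed, predictable path under a world-writable directory that `%install` and `%clean` then `rm -fR`; use a `%{_tmppath}`-based root as support/selinux-policy-refpolicy.spec in this same patch does. The `%build` sed edits force `TYPE` to targeted and `DIRECT_INITRC` to y, which contradicts the `%description` promise of "a targeted policy or strict policy configuration". `m4` and `make` appear in `PreReq`, `Requires` and `BuildRequires` at the same time.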
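Review bot: support/set_bools_tuns.awk accepts any line matching `/^[[:blank:]]*[[:alpha:]]+/` and emits `define(`NAME_conf',`VALUE')` without checking that the value is `true` or `false` or that the line holds exactly one `=`. With `FS="="`, a line such as `secure_mode = true # note` becomes `define(`secure_mode_conf',`true#note')` once `gsub` strips the blanks, and a stray `'` in the value closes the m4 quote early, so a typo in booleans.conf silently changes generated policy defaults instead of failing the build. Tighten the pattern to `^[[:blank:]]*[[:alpha:]][[:alnum:]_]*[[:blank:]]*=[[:blank:]]*(true|false)[[:blank:]]*$` and, for any other non-blank, non-comment line, print a diagnostic to stderr and `exit 1`.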
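Review bot: support/undivert.m4 consists of the single token `divert` with no trailing newline and nothing that says what it is for; add a `dnl` comment stating that it switches output back to diversion 0 (the main output) for callers that include it after diverting, and end the file with a newline so that tools that concatenate or diff it behave predictably. A `dnl` line discards its own newline, so the comment does not change the file's output.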